
COMMAND LINE INTERFACE REFERENCE

A10 Thunder Series and AX Series


ACOS 4.0.1
13 May 2015
© 5/13/2015 A10 Networks, Inc. Confidential - All Rights Reserved
Information in this document is subject to change without notice.

Patents
A10 Network products including all AX Series products are protected by one or more of the following U.S. patents: 8977749, 8943577,
8918857, 8914871, 8904512, 8897154, 8868765, 8849938, 8826372, 8813180, 8782751, 8782221, 8595819, 8595791, 8595383, 8584199,
8464333, 8423676, 8387128, 8332925, 8312507, 8291487, 8266235, 8151322, 8079077, 7979585, 7804956, 7716378, 7665138, 7647635,
7627672, 7596695, 7577833, 7552126, 7392241, 7236491, 7139267, 6748084, 6658114, 6535516, 6363075, 6324286, 5931914, 5875185,
RE44701, 8392563, 8103770, 7831712, 7606912, 7346695, 7287084, 6970933, 6473802, 6374300.

Trademarks
A10 Harmony, the A10 logo, A10 Lightning, A10 Networks, A10 Thunder, aCloud, ACOS, ACOS Policy Engine, Affinity, aFleX, aFlow, aGalaxy,
aVCS, aXAPI, IDaccess, IDsentrie, IP-to-ID, SSL Insight, Thunder, Thunder TPS, UASG, and vThunder are trademarks or registered
trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners.

Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may
not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc.

A10 Networks Inc. Software License and End User Agreement


Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Software
as confidential information.

Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in
this document or available separately. Customer shall not:

1. reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means

2. sublicense, rent or lease the Software.

Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not
limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information
contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product
specifications and features described in this publication are based on the latest information available; however, specifications are subject
to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current
information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and
conditions.

Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact
the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components
in your area.

Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks location,
which can be found by visiting www.a10networks.com.
Table of Contents

Using the CLI

System Access
Session Access Levels
User EXEC Level
Privileged EXEC Level
Privileged EXEC Level - Config Mode
VRRP-A / aVCS Status in Command Prompt
IP Version Support
Partition Name in Command Prompt
CLI Quick Reference
Context-Sensitive Help
The no Command
Command History
Setting the Command History Buffer Size
Recalling Commands
Editing Features and Shortcuts
Positioning the Cursor on the Command Line
Completing a Partial Command Name
Deleting Command Entries
Editing Command Lines that Wrap
Continuing Output at the --MORE-- Prompt
Redisplaying the Current Command Line
Editing Pre-Configured SLB Items
Searching and Filtering CLI Output
Regular Expressions
Single-Character Patterns
Special Character Support in Strings
Special Character Support in Password Strings
How To Enter Special Characters in the Password String
aVCS Device Numbers in Commands
Device ID Syntax
aVCS Device Option for Configuration Commands

page 1 | Document No.: 401-CLI-003 - 5/13/2015


A10 Thunder Series and AX Series—Command Line Interface Reference
Contents

aVCS Device Option for Show Commands
CLI Message for Commands That Affect Only the Local Device

EXEC Commands

active-partition
enable
exit
gen-server-persist-cookie
health-test
help
no
ping
show
ssh
telnet
traceroute

Privileged EXEC Commands

active-partition
axdebug
backup log
backup system
clear
clock
configure
debug
diff
disable
exit
export
gen-server-persist-cookie
health-test
help
import
locale
no
ping
reboot
reload
repeat
show
shutdown
ssh
telnet
terminal
traceroute
vcs
write

Config Commands: Global

aam
access-list (standard)
access-list (extended)
accounting
admin
admin-lockout
admin-session clear
aflex
aflex-scripts start
arp
arp-timeout
audit
authentication console type
authentication enable
authentication login privilege-mode
authentication mode
authentication type
authorization
backup-periodic
backup store
banner
bfd
bgp extended-asn-cap
bgp nexthop-trigger
big-buff-pool
block-abort
block-merge-end
block-merge-start
block-replace-end
block-replace-start
boot-block-fix
bootimage
bpdu-fwd-group
bridge-vlan-group
class-list (for Aho-Corasick)
class-list (for IP limiting)
class-list (for VIP-based DNS caching)
class-list (for many pools, non-LSN)
class-list (string)
clock timezone
configure sync
copy
debug
delete
disable reset statistics
disable slb
disable-failsafe
disable-management
dnssec
do
enable-core
enable-management
enable-password
end
erase
event
exit
export-periodic
fail-safe
glid
gslb
hd-monitor enable
health global
health monitor
health-test
hostname
hsm
icmp-rate-limit
icmpv6-rate-limit
import
import-periodic
interface
ip
ip-list
ipv6
key
lacp system-priority
lacp-passthrough
lacp-trunk
ldap-server
link
lldp enable
lldp management-address
lldp notification interval
lldp system-description
lldp system-name
lldp tx interval
lldp tx hold
lldp tx reinit-delay .............................................................................................................................................................117
lldp tx fast-count ...............................................................................................................................................................117
lldp tx fast-interval ............................................................................................................................................................118

Document No.: 401-CLI-003 - 5/13/2015 | page 4


locale ... 118
logging target severity-level ... 118
logging auditlog host ... 119
logging buffered ... 120
logging disable-partition-name ... 121
logging email buffer ... 122
logging email filter ... 122
logging email-address ... 125
logging export ... 125
logging facility ... 126
logging host ... 127
logging single-priority severity-level ... 127
mac-address ... 128
mac-age-time ... 129
maximum-paths ... 129
mirror-port ... 129
monitor ... 131
multi-config ... 132
multi-ctrl-cpu ... 132
netflow common max-packet-queue-time ... 133
netflow monitor ... 134
no ... 135
ntp ... 135
object-group network ... 137
object-group service ... 138
overlay-mgmt-info ... 141
overlay-tunnel ... 141
packet-handling ... 141
partition ... 141
partition-group ... 141
ping ... 141
pki copy-cert ... 142
pki copy-key ... 142
pki create ... 143
pki delete ... 144
pki renew-self ... 144
pki scep-cert ... 145
poap ... 145
radius-server ... 146
raid ... 147
rba enable ... 147
rba disable ... 147
rba group ... 148
rba role ... 148
rba user ... 149
restore ... 149
route-map ... 151

router protocol ... 155
router log file ... 155
router log log-buffer ... 156
running-config display ... 157
session-filter ... 157
sflow ... 158
slb ... 160
smtp ... 160
snmp-server community ... 161
snmp-server contact ... 162
snmp-server enable ... 162
snmp-server engineID ... 167
snmp-server group ... 167
snmp-server host ... 168
snmp-server location ... 168
snmp-server slb-data-cache-timeout ... 169
snmp-server user ... 169
snmp-server view ... 170
so-counters ... 171
sshd ... 172
syn-cookie ... 173
system all-vlan-limit ... 174
system anomaly log ... 175
system attack log ... 175
system cpu-load-sharing ... 175
system ddos-attack ... 176
system glid ... 176
system ipsec ... 177
system log-cpu-interval ... 177
system module-ctrl-cpu ... 177
system per-vlan-limit ... 178
system promiscuous-mode ... 179
system resource-usage ... 179
system template ... 179
system ve-mac-scheme ... 180
system-jumbo-global enable-jumbo ... 181
system-reset ... 181
tacacs-server host ... 182
tacacs-server monitor ... 184
techreport ... 184
terminal ... 185
tftp blksize ... 186
timezone ... 187
tx-congestion-ctrl ... 188
upgrade ... 188
vcs ... 189
ve-stats ... 189

vlan ... 189
vlan-global ... 190
vrrp-a ... 190
waf ... 191
web-category ... 191
web-service ... 191
write ... 192
write terminal ... 192

Config Commands: Application Access Management ... 193

AAM Configuration Commands ... 194
aam aaa-policy ... 194
aam authentication account kerberos-spn ... 195
aam authentication log enable ... 195
aam authentication log facility ... 196
aam authentication logon form-based ... 196
aam authentication logon http-authenticate ... 197
aam authentication portal default-portal ... 198
aam authentication relay form-based ... 201
aam authentication relay http-basic ... 201
aam authentication relay kerberos ... 202
aam authentication relay ntlm ... 203
aam authentication relay ws-federation ... 203
aam authentication saml identity-provider ... 204
aam authentication saml service-provider ... 204
aam authentication server ldap ... 205
aam authentication server ocsp ... 206
aam authentication server radius ... 207
aam authentication server windows ... 207
aam authentication service-group ... 209
aam authentication template ... 209
aam authorization policy ... 211
clear aam authentication kcache ... 212
clear aam authentication service-group ... 212
clear aam authentication session ... 212
clear aam authentication statistics ... 213
AAM AAA Rule Configuration Commands ... 213
access-list ... 214
action ... 214
authentication-template ... 214
authorize-policy ... 215
domain-name ... 215
match-encoded-uri ... 215
uri ... 216
AAM Show Commands ... 216

show aam aaa-policy ... 216
show aam authentication account ... 217
show aam authentication default-portal ... 217
show aam authentication klist ... 217
show aam authentication logon ... 217
show aam authentication portal ... 217
show aam authentication portal-image ... 218
show aam authentication relay ... 218
show aam authentication saml ... 218
show aam authentication server ... 219
show aam authentication service-group ... 219
show aam authentication session ... 220
show aam authentication statistics ... 220
show aam authentication template ... 227
show aam authorization policy ... 227

Config Commands: DNSSEC ... 229

DNSSEC Configuration Commands ... 230
dnssec standalone ... 230
dnssec template ... 230
DNSSEC Operational Commands ... 231
dnssec dnskey delete ... 231
dnssec ds delete ... 232
dnssec key-rollover ... 232
dnssec sign-zone-now ... 233
DNSSEC Show Commands ... 233
show dnssec dnskey ... 233
show dnssec ds ... 234
show dnssec statistics ... 234
show dnssec status ... 234
show dnssec template ... 235
show dnssec thales-kmdata ... 235
show dnssec thales-secworld ... 235

Config Commands: Hardware Security Module ... 237

HSM Configuration Commands ... 237
hsm template ... 237
HSM Operational Commands ... 238
hsm check key ... 238
hsm delete key ... 238
hsm import key ... 239
hsm thales-kmdata delete ... 239
hsm thales-secworld ... 239
hsm zeroize ... 239


HSM Show Commands................................................................................................................................ 240


show hsm config ...............................................................................................................................................................240

Config Commands: Interface ............................................................................................... 241


access-list ...............................................................................................................................................................................241
bfd ..............................................................................................................................................................................................242
cpu-process ..........................................................................................................................................................................243
disable ......................................................................................................................................................................................243
duplexity .................................................................................................................................................................................244
enable ......................................................................................................................................................................................245
flow-control ..........................................................................................................................................................................245
icmp-rate-limit ....................................................................................................................................................................245
icmpv6-rate-limit ...............................................................................................................................................................246
interface ..................................................................................................................................................................................247
ip address ...............................................................................................................................................................................248
ip address dhcp ..................................................................................................................................................................249
ip allow-promiscuous-vip ............................................................................................................................................249
ip cache-spoofing-port .................................................................................................................................................250
ip control-apps-use-mgmt-port ..............................................................................................................................250
ip default-gateway ...........................................................................................................................................................251
ip helper-address ..............................................................................................................................................................252
ip igmp ....................................................................................................................................................................................253
ip nat .........................................................................................................................................................................................255
ip rip authentication .......................................................................................................................................................256
ip rip receive version .......................................................................................................................................................256
ip rip receive-packet ........................................................................................................................................................257
ip rip send version ............................................................................................................................................................257
ip rip send-packet .............................................................................................................................................................257
ip rip split-horizon ............................................................................................................................................................257
{ip | ipv6} router isis ..........................................................................................................................................................258
ip slb-partition-redirect .................................................................................................................................................258
ip stateful-firewall .............................................................................................................................................................259
ipv6 (on management interface) ............................................................................................................................259
ipv6 access-list ....................................................................................................................................................................260
ipv6 address .........................................................................................................................................................................260
ipv6 enable ...........................................................................................................................................................................261
ipv6 nat inside .....................................................................................................................................................................261
ipv6 nat outside .................................................................................................................................................................261
ipv6 ndisc router-advertisement .............................................................................................................................262
ipv6 ospf cost ......................................................................................................................................................................264
ipv6 ospf dead-interval .................................................................................................................................................264
ipv6 ospf hello-interval ..................................................................................................................................................265
ipv6 ospf mtu-ignore ......................................................................................................................................................265
ipv6 ospf neighbor ...........................................................................................................................................................265
ipv6 ospf network .............................................................................................................................................................266
ipv6 ospf priority ...............................................................................................................................................................266


ipv6 ospf retransmit-interval ......................................................................................................................................267


ipv6 ospf transmit-delay ...............................................................................................................................................267
ipv6 rip split-horizon .......................................................................................................................................................267
ipv6 router isis .....................................................................................................................................................................268
ipv6 router ospf ..................................................................................................................................................................268
ipv6 router rip ......................................................................................................................................................................268
ipv6 stateful-firewall ........................................................................................................................................................269
isis authentication ............................................................................................................................................................269
isis bfd ......................................................................................................................................................................................270
isis circuit-type ....................................................................................................................................................................270
isis csnp-interval ................................................................................................................................................................271
isis hello ...................................................................................................................................................................................272
isis hello-interval ................................................................................................................................................................272
isis hello-interval-minimal ............................................................................................................................................273
isis hello-multiplier ...........................................................................................................................................................273
isis lsp-interval .....................................................................................................................................................................274
isis mesh-group .................................................................................................................................................................274
isis metric ...............................................................................................................................................................................275
isis network ...........................................................................................................................................................................275
isis password ........................................................................................................................................................................276
isis priority ..............................................................................................................................................................................276
isis restart-hello-interval ................................................................................................................................................277
isis retransmit-interval ....................................................................................................................................................277
isis wide-metric ..................................................................................................................................................................278
l3-vlan-fwd-disable ..........................................................................................................................................................278
lldp enable ............................................................................................................................................................................279
lldp notification ..................................................................................................................................................................279
lldp tx-dot1-tlvs ..................................................................................................................................................................279
lldp tx-tlvs ..............................................................................................................................................................................280
load-interval .........................................................................................................................................................................280
lw-4o6 ......................................................................................................................................................................................280
monitor ...................................................................................................................................................................................281
mtu ............................................................................................................................................................................................282
name .........................................................................................................................................................................................282
ports-threshold ..................................................................................................................................................................283
remove-vlan-tag ................................................................................................................................................................284
snmp-server .........................................................................................................................................................................284
trunk-group ..........................................................................................................................................................................285

Config Commands: VLAN ...................................................................................................... 287


name .........................................................................................................................................................................................287
router-interface ..................................................................................................................................................................288
tagged .....................................................................................................................................................................................289
untagged ...............................................................................................................................................................................289

Config Commands: IP ............................................................................................................. 291


ip access-list .........................................................................................................................................................................291


ip address ...............................................................................................................................................................................294
ip anomaly-drop ................................................................................................................................................................295
ip as-path ...............................................................................................................................................................................296
ip community-list ..............................................................................................................................................................296
ip default-gateway ...........................................................................................................................................................297
ip dns ........................................................................................................................................................................................297
ip extcommunity-list .......................................................................................................................................................298
ip frag buff .............................................................................................................................................................................298
ip frag max-reassembly-sessions ............................................................................................................................299
ip frag timeout ....................................................................................................................................................................299
ip icmp disable ...................................................................................................................................................................300
ip mgmt-traffic ...................................................................................................................................................................300
ip nat alg pptp ....................................................................................................................................................................301
ip nat icmp ............................................................................................................................................................................302
ip nat inside source ..........................................................................................................................................................303
ip nat pool .............................................................................................................................................................................304
ip nat pool-group .............................................................................................................................................................305
ip nat range-list ..................................................................................................................................................................306
ip nat template logging ................................................................................................................................................307
ip nat translation ...............................................................................................................................................................309
ip nat-global reset-idle-tcp-conn ............................................................................................................................311
ip prefix-list ...........................................................................................................................................................................311
ip route ....................................................................................................................................................................................313
ip tcp syn-cookie threshold ........................................................................................................................................314

Config Commands: IPv6 ......................................................................................................... 317


ipv6 access-list ....................................................................................................................................................................317
ipv6 address .........................................................................................................................................................................320
ipv6 default-gateway ......................................................................................................................................................320
ipv6 frag timeout ..............................................................................................................................................................321
ipv6 icmpv6 disable ........................................................................................................................................................322
ipv6 nat icmpv6 respond-to-ping ..........................................................................................................................322
ipv6 nat inside source list .............................................................................................................................................322
ipv6 nat pool ........................................................................................................................................................................323
ipv6 nat pool-group ........................................................................................................................................................323
ipv6 neighbor ......................................................................................................................................................................324
ipv6 ospf display ................................................................................................................................................................325
ipv6 prefix-list sequence-number ..........................................................................................................................325
ipv6 route ...............................................................................................................................................................................326

Config Commands: Router – RIP ......................................................................................... 329


Enabling RIP..................................................................................................................................................... 329
Interface-level RIP Commands ................................................................................................................. 330
IPv4 RIP Configuration Commands......................................................................................................... 330
cisco-metric-behavior ....................................................................................................................................................331
default-information originate ...................................................................................................................................331


default-metric .....................................................................................................................................................................331
distance ...................................................................................................................................................................................332
distribute-list ........................................................................................................................................................................332
maximum-prefix ................................................................................................................................................................334
neighbor .................................................................................................................................................................................334
network ...................................................................................................................................................................................335
offset-list .................................................................................................................................................................................335
passive-interface ................................................................................................................................................................336
recv-buffer-size ...................................................................................................................................................................336
redistribute ............................................................................................................................................................................337
route ..........................................................................................................................................................................................339
timers ........................................................................................................................................................................................340
version .....................................................................................................................................................................................340
IPv6 RIP Configuration Commands......................................................................................................... 341
aggregate-address ...........................................................................................................................................................341
cisco-metric-behavior ....................................................................................................................................................342
default-information originate ...................................................................................................................................342
default-metric .....................................................................................................................................................................342
distribute-list ........................................................................................................................................................................343
neighbor .................................................................................................................................................................................344
offset-list .................................................................................................................................................................................344
passive-interface ................................................................................................................................................................345
recv-buffer-size ...................................................................................................................................................................345
redistribute ............................................................................................................................................................................347
route ..........................................................................................................................................................................................348
route-map .............................................................................................................................................................................349
timers ........................................................................................................................................................................................350
RIP Show Commands................................................................................................................................... 350
show ip rip database ......................................................................................................................................................350
show ipv6 rip database .................................................................................................................................................352
RIP Clear Commands.................................................................................................................................... 354
clear ip rip route .................................................................................................................................................................354
clear ipv6 rip route ...........................................................................................................................................................354

Config Commands: Router – OSPF ..................................................................................... 357


Enabling OSPF ................................................................................................................................................ 357
Configuration Commands Applicable to OSPFv2 or OSPFv3........................................................ 358
abr-type ...................................................................................................................................................................................358
area area-id default-cost ...............................................................................................................................................359
area area-id range .............................................................................................................................................................359
area area-id stub ................................................................................................................................................................360
area area-id virtual-link ..................................................................................................................................................360
auto-cost reference bandwidth ...............................................................................................................................361
bfd ..............................................................................................................................................................................................361
clear ...........................................................................................................................................................................................362

default-metric .....................................................................................................................................................................363
distribute-internal .............................................................................................................................................................363
ha-standby-extra-cost ....................................................................................................................................................365
log-adjacency-changes .................................................................................................................................................365
max-concurrent-dd .........................................................................................................................................................366
passive-interface ................................................................................................................................................................366
redistribute ............................................................................................................................................................................366
router-id ..................................................................................................................................................................................370
timers spf exp ......................................................................................................................................................................370
Configuration Commands Applicable to OSPFv2 Only ................................................................... 371
area area-id authentication ........................................................................................................................................371
area area-id filter-list ........................................................................................................................................................371
area area-id multi-area-adjacency ..........................................................................................................................372
area area-id nssa ................................................................................................................................................................372
area area-id shortcut .......................................................................................................................................................373
compatible rfc1583 .........................................................................................................................................................373
default-information originate ...................................................................................................................................374
distance ...................................................................................................................................................................................374
distribute-list ........................................................................................................................................................................375
host ipaddr area .................................................................................................................................................................376
log-adjacency-changes .................................................................................................................................................377
maximum-area ...................................................................................................................................................................377
neighbor .................................................................................................................................................................................378
network ...................................................................................................................................................................................378
ospf abr-type .......................................................................................................................................................................379
ospf router-id .......................................................................................................................................................................379
overflow database ............................................................................................................................................................380
summary-address .............................................................................................................................................................380
Configuration Commands Applicable to OSPFv3 Only ................................................................... 381
OSPF Show Commands............................................................................................................................... 381
show {ip | ipv6} ospf ........................................................................................................................................................381
show ip ospf border-routers ......................................................................................................................................382
show ip ospf database ...................................................................................................................................................383
show ipv6 ospf database .............................................................................................................................................385
show {ip | ipv6} ospf interface ...................................................................................................................................386
show {ip | ipv6} ospf neighbor ..................................................................................................................................387
show ip ospf redistributed ..........................................................................................................................................388
show {ip | ipv6} ospf route ...........................................................................................................................................390
show ipv6 ospf topology .............................................................................................................................................391
show {ip | ipv6} ospf virtual-links .............................................................................................................................391

Config Commands: Router – IS-IS ....................................................................................... 393


address-family .....................................................................................................................................................................394
adjacency-check ................................................................................................................................................................395
area-password ....................................................................................................................................................................395
authentication ....................................................................................................................................................................396

bfd ..............................................................................................................................................................................................397
default-information originate ...................................................................................................................................397
distance ...................................................................................................................................................................................397
domain-password ............................................................................................................................................................398
ha-standby-extra-cost ....................................................................................................................................................398
ignore-lsp-errors ................................................................................................................................................................399
is-type .......................................................................................................................................................................................399
log-adjacency-changes .................................................................................................................................................399
lsp-gen-interval ..................................................................................................................................................................400
lsp-refresh-interval ...........................................................................................................................................................400
max-lsp-lifetime .................................................................................................................................................................400
metric-style ...........................................................................................................................................................................401
net ..............................................................................................................................................................................................402
passive-interface ................................................................................................................................................................403
protocol-topology ............................................................................................................................................................404
redistribute ............................................................................................................................................................................404
set-overload-bit ..................................................................................................................................................................406
spf-interval-exp ..................................................................................................................................................................408
summary-address .............................................................................................................................................................408
IS-IS Show Commands................................................................................................................................. 409
show ip isis ............................................................................................................................................................................409
show ipv6 isis [tag] route .............................................................................................................................................409
show ipv6 isis [tag] topology ....................................................................................................................................410
show isis counter ..............................................................................................................................................................410
show isis [tag] database ................................................................................................................................................411
show isis interface ............................................................................................................................................................412
show isis [tag] topology ................................................................................................................................................414

Config Commands: Router – BGP ....................................................................................... 415


Enabling BGP................................................................................................................................................... 416
BGP Configuration Commands ................................................................................................................ 417
Commands at the Global Configuration Level .............................................................................................. 417
bgp extended-asn-cap ..................................................................................................................................................417
bgp nexthop-trigger .......................................................................................................................................................417
Commands at the BGP Router Configuration Level ................................................................................... 418
address-family .....................................................................................................................................................................418
aggregate-address ...........................................................................................................................................................420
auto-summary ....................................................................................................................................................................420
bgp always-compare-med .........................................................................................................................................420
bgp bestpath .......................................................................................................................................................................421
bgp dampening ................................................................................................................................................................422
bgp default ...........................................................................................................................................................................422
bgp deterministic-med .................................................................................................................................................423
bgp enforce-first-as .........................................................................................................................................................423
bgp fast-external-failover .............................................................................................................................................423

bgp log-neighbor-changes ........................................................................................................................................423
bgp nexthop-trigger-count .......................................................................................................................................424
bgp router-id .......................................................................................................................................................................424
bgp scan-time .....................................................................................................................................................................424
default-information originate ...................................................................................................................................424
distance ...................................................................................................................................................................................425
maximum-paths ................................................................................................................................................................426
neighbor neighbor-id activate .................................................................................................................................426
neighbor neighbor-id advertisement-interval ...............................................................................................427
neighbor neighbor-id allowas-in ............................................................................................................................427
neighbor neighbor-id as-origination-interval .................................................................................................428
neighbor neighbor-id capability .............................................................................................................................429
neighbor neighbor-id collide-established ........................................................................................................429
neighbor neighbor-id default-originate .............................................................................................................430
neighbor neighbor-id description .........................................................................................................................430
neighbor neighbor-id disallow-infinite-holdtime ........................................................................................431
neighbor neighbor-id distribute-list .....................................................................................................................431
neighbor neighbor-id dont-capability-negotiate ........................................................................................432
neighbor neighbor-id ebgp-multihop ................................................................................................................432
neighbor neighbor-id enforce-multihop ...........................................................................................................432
neighbor neighbor-id fall-over .................................................................................................................................433
neighbor neighbor-id filter-list .................................................................................................................................433
neighbor neighbor-id maximum-prefix .............................................................................................................434
neighbor neighbor-id next-hop-self .....................................................................................................................434
neighbor neighbor-id override-capability ........................................................................................................435
neighbor neighbor-id passive ..................................................................................................................................435
neighbor neighbor-id password .............................................................................................................................436
neighbor neighbor-id peer-group .........................................................................................................................437
neighbor neighbor-id prefix-list ..............................................................................................................................437
neighbor neighbor-id remote-as ............................................................................................................................438
neighbor neighbor-id remove-private-as .........................................................................................................438
neighbor neighbor-id route-map ..........................................................................................................................439
neighbor neighbor-id send-community ...........................................................................................................439
neighbor neighbor-id shutdown ............................................................................................................................440
neighbor neighbor-id soft-reconfiguration .....................................................................................................440
neighbor neighbor-id strict-capability-match ................................................................................................441
neighbor neighbor-id timers .....................................................................................................................................441
neighbor neighbor-id unsuppress-map ............................................................................................................442
neighbor neighbor-id update-source .................................................................................................................442
neighbor neighbor-id weight ...................................................................................................................................443
network ...................................................................................................................................................................................443
redistribute ............................................................................................................................................................................444
synchronization ..................................................................................................................................................................446
timers ........................................................................................................................................................................................446
BGP Show Commands................................................................................................................................. 447
show ip bgp ipv4addr ....................................................................................................................................................447
show bgp ipv6addr .........................................................................................................................................................448

page 15 | Document No.: 401-CLI-003 - 5/13/2015


A10 Thunder Series and AX Series—Command Line Interface Reference
Contents

show [ip] bgp ipv4 {multicast | unicast} ..............................................................................................................448


show bgp ipv4 neighbors ...........................................................................................................................................450
show bgp ipv4 prefix-list ..............................................................................................................................................450
show bgp ipv4 quote-regexp ...................................................................................................................................450
show bgp ipv4 summary .............................................................................................................................................451
show bgp ipv6 ....................................................................................................................................................................451
show bgp nexthop-tracking ......................................................................................................................................452
show bgp nexthop-tree-details ...............................................................................................................................453
show ip bgp attribute-info ..........................................................................................................................................453
show ip bgp cidr-only ....................................................................................................................................................453
show [ip] bgp community ..........................................................................................................................................453
show ip bgp community-info ...................................................................................................................................453
show [ip] bgp community-list ..................................................................................................................................454
show [ip] bgp dampening ..........................................................................................................................................454
show [ip] bgp filter-list ...................................................................................................................................................454
show [ip] bgp inconsistent-as ...................................................................................................................................454
show [ip] bgp neighbors ..............................................................................................................................................455
show bgp nexthop-tracking ......................................................................................................................................456
show bgp nexthop-tree-details ...............................................................................................................................456
show [ip] bgp paths ........................................................................................................................................................456
show [ip] bgp prefix-list ................................................................................................................................................456
show [ip] bgp quote-regexp .....................................................................................................................................457
show [ip] bgp regexp .....................................................................................................................................................457
show [ip] bgp route-map ............................................................................................................................................457
show ip bgp scan ..............................................................................................................................................................457
show [ip] bgp summary ...............................................................................................................................................458
show ip bgp view .............................................................................................................................................................458
BGP Clear Commands.................................................................................................................................. 458
clear [ip] bgp {* | AS-num} ...........................................................................................................................................459
clear [ip] bgp ipv4addr ..................................................................................................................................................459
clear [ip] bgp ipv6addr ..................................................................................................................................................460
clear [ip] bgp external ....................................................................................................................................................460
clear [ip] bgp ipv4 .............................................................................................................................................................461
clear [ip] bgp ipv6 .............................................................................................................................................................461
clear [ip] bgp peer-group ............................................................................................................................................463
clear [ip] bgp view ............................................................................................................................................................463

Config Commands: Overlay Tunnels ................................................................................ 465


Commands for the Underlay/Provider Network ................................................................................ 465
overlay-tunnel .....................................................................................................................................................................466
overlay-mgmt-info ...........................................................................................................................................................467
encap ........................................................................................................................................................................................468
source-ip-address .............................................................................................................................................................468
vni ...............................................................................................................................................................................................468
destination-ip-address ...................................................................................................................................................470
host ............................................................................................................................................................................................471


Commands for the Overlay/Tenant Network ...................................................................................... 472


interface lif .............................................................................................................................................................................472
untagged lif ..........................................................................................................................................................................472
Monitoring Commands............................................................................................................................... 473
show interfaces brief .......................................................................................................................................................473
show running-config overlay-mgmt-info .........................................................................................................474
show running-config overlay-tunnel ...................................................................................................................475
show statistics interface ................................................................................................................................................475
show vlans .............................................................................................................................................................................476
debug packet ......................................................................................................................................................................477

Config Commands: Scale Out .............................................................................................. 479


Scale Out Global Configuration Commands ....................................................................................... 480
scaleout ...................................................................................................................................................................................480
Scale Out Configuration Commands...................................................................................................... 480
cluster-devices ....................................................................................................................................................................481
device-groups .....................................................................................................................................................................481
follow-vcs ...............................................................................................................................................................................482
local-device ...........................................................................................................................................................................482
service-config ......................................................................................................................................................................482
Scale Out Local Device Configuration Commands ........................................................................... 483
id ..................................................................................................................................................................................................483
priority ......................................................................................................................................................................................484
Scale Out show Commands....................................................................................................................... 484
show scaleout .....................................................................................................................................................................484

Config Commands: Server Load Balancing ..................................................................... 487


Global Configuration Mode SLB Commands ...................................................................................... 488
slb common .........................................................................................................................................................................488
slb resource-usage ...........................................................................................................................................................489
slb server ................................................................................................................................................................................490
slb service-group ...............................................................................................................................................................491
slb ssl-expire-check email-address .........................................................................................................................492
slb ssl-expire-check exception ..................................................................................................................................492
slb ssl-module .....................................................................................................................................................................493
slb template .........................................................................................................................................................................493
slb transparent-acl-template .....................................................................................................................................494
slb transparent-tcp-template ....................................................................................................................................494
slb virtual-server .................................................................................................................................................................495
SLB Common Configuration Mode Commands................................................................................. 498
buff-thresh ............................................................................................................................................................................498
compress-block-size .......................................................................................................................................................498
conn-rate-limit src-ip ......................................................................................................................................................499


disable-server-auto-reselect .......................................................................................................................................500
dns-cache-age ....................................................................................................................................................................500
dns-cache-enable .............................................................................................................................................................501
dns-cache-entry-size .......................................................................................................................................................502
drop-icmp-to-vip-when-vip-down ........................................................................................................................502
dsr-health-check-enable ..............................................................................................................................................502
enable-l7-req-acct ............................................................................................................................................................503
extended-stats ....................................................................................................................................................................504
fast-path-disable ................................................................................................................................................................504
gateway-health-check ...................................................................................................................................................505
graceful-shutdown ..........................................................................................................................................................506
http-fast-enable .................................................................................................................................................................506
hw-compression ...............................................................................................................................................................507
hw-syn-rr ................................................................................................................................................................................507
l2l3-trunk-lb-disable ........................................................................................................................................................508
max-buff-queued-per-conn .......................................................................................................................................508
max-http-header-count ................................................................................................................................................509
msl-time ..................................................................................................................................................................................509
mss-table ................................................................................................................................................................................510
no-auto-up-on-aflex ........................................................................................................................................................510
rate-limit-logging ..............................................................................................................................................................511
reset-stale-session ............................................................................................................................................................512
scale-out .................................................................................................................................................................................512
snat-gwy-for-l3 ...................................................................................................................................................................512
snat-on-vip ............................................................................................................................................................................513
sort-res .....................................................................................................................................................................................513
stats-data-disable ..............................................................................................................................................................515
use-mss-tab ..........................................................................................................................................................................515

Config Commands: SLB Templates .................................................................................... 517


slb template cache ..........................................................................................................................................................517
slb template cipher ..........................................................................................................................................................520
slb template client-ssl ....................................................................................................................................................522
slb template connection-reuse ................................................................................................................................527
slb template dblb .............................................................................................................................................................529
slb template diameter ...................................................................................................................................................529
slb template dns ................................................................................................................................................................532
slb template external-service ....................................................................................................................................534
slb template fix ...................................................................................................................................................................536
slb template ftp ..................................................................................................................................................................537
slb template http ..............................................................................................................................................................538
slb template http-policy ...............................................................................................................................................546
slb template logging ......................................................................................................................................................548
slb template monitor ......................................................................................................................................................549
slb template persist cookie .........................................................................................................................................550
slb template persist destination-ip ........................................................................................................................553
slb template persist source-ip ...................................................................................................................................555


slb template persist ssl-sid ..........................................................................................................................................558


slb template policy ..........................................................................................................................................................559
slb template port ..............................................................................................................................................................563
slb template server ..........................................................................................................................................................569
slb template server-ssl ...................................................................................................................................................573
slb template sip (SIP over UDP) ................................................................................................................................575
slb template sip (SIP over TCP/TLS) .......................................................................................................................577
slb template smpp ...........................................................................................................................................................580
slb template smtp ............................................................................................................................................................581
slb template tcp .................................................................................................................................................................584
slb template tcp-proxy ..................................................................................................................................................587
slb template udp ...............................................................................................................................................................592
slb template virtual-port ...............................................................................................................................................594
slb template virtual-server ...........................................................................................................................................598

Config Commands: SLB Servers .......................................................................................... 603


alternate ..................................................................................................................................................................................603
conn-limit ..............................................................................................................................................................................604
conn-resume .......................................................................................................................................................................604
disable ......................................................................................................................................................................................605
disable-with-health-check ..........................................................................................................................................605
enable ......................................................................................................................................................................................606
extended-stats ....................................................................................................................................................................606
external-ip .............................................................................................................................................................................607
health-check ........................................................................................................................................................................607
health-check-disable ......................................................................................................................................................607
ipv6 ............................................................................................................................................................................................608
port ............................................................................................................................................................................................608
slow-start ................................................................................................................................................................................611
spoofing-cache ..................................................................................................................................................................612
stats-data-disable ..............................................................................................................................................................612
stats-data-enable ..............................................................................................................................................................613
template server ..................................................................................................................................................................613
weight ......................................................................................................................................................................................613

Config Commands: SLB Service Groups ........................................................................... 615


backup-server-event-log ..............................................................................................................................................615
extended-stats ....................................................................................................................................................................617
health-check ........................................................................................................................................................................617
health-check-disable ......................................................................................................................................................618
member ..................................................................................................................................................................................618
method ...................................................................................................................................................................................620
min-active-member ........................................................................................................................................................625
priority ......................................................................................................................................................................................626
priority-affinity .....................................................................................................................................................................628
reset auto-switch ..............................................................................................................................................................628
reset-on-server-selection-fail .....................................................................................................................................629


sample-rsp-time ................................................................................................................................................................629
stats-data-disable ..............................................................................................................................................................630
stats-data-enable ..............................................................................................................................................................630
template .................................................................................................................................................................................630
traffic-replication-type ...................................................................................................................................................631

Config Commands: SLB Virtual Servers ............................................................................ 633


arp-disable .............................................................................................................................................................................633
description ............................................................................................................................................................................634
disable ......................................................................................................................................................................................634
disable-when-all-ports-down ...................................................................................................................................634
disable-when-any-port-down ..................................................................................................................................635
enable ......................................................................................................................................................................................635
extended-stats ....................................................................................................................................................................635
port ............................................................................................................................................................................................636
redistribution-flagged ....................................................................................................................................................637
stats-data-disable ..............................................................................................................................................................637
stats-data-enable ..............................................................................................................................................................638
template logging ..............................................................................................................................................................638
template policy ..................................................................................................................................................................638
template scaleout .............................................................................................................................................................638
template virtual-server ..................................................................................................................................................639
vrid .............................................................................................................................................................................................639

Config Commands: SLB Virtual Server Ports ................................................................... 641


aaa-policy ...............................................................................................................................................................................641
access-list ...............................................................................................................................................................................641
aflex ...........................................................................................................................................................................................643
alternate ..................................................................................................................................................................................643
bucket-count .......................................................................................................................................................................644
clientip-sticky-nat .............................................................................................................................................................644
conn-limit ..............................................................................................................................................................................645
def-selection-if-pref-failed ...........................................................................................................................................645
def-selection-if-pref-failed-disable .........................................................................................................................647
disable ......................................................................................................................................................................................647
enable ......................................................................................................................................................................................647
extended-stats ....................................................................................................................................................................647
force-routing-mode ........................................................................................................................................................648
ipinip .........................................................................................................................................................................................648
message-switching ..........................................................................................................................................................648
name .........................................................................................................................................................................................648
no-auto-up-on-aflex ........................................................................................................................................................649
no-dest-nat ...........................................................................................................................................................................649
redirect-to-https ................................................................................................................................................................650
reset-on-server-selection-fail .....................................................................................................................................650
rtp-sip-call-id-match .......................................................................................................................................................650
service-group ......................................................................................................................................................................651

skip-rev-hash ........................................................................................................................................................................652
snat-on-vip ............................................................................................................................................................................652
source-nat auto ..................................................................................................................................................................653
source-nat pool ..................................................................................................................................................................653
stats-data-disable ..............................................................................................................................................................654
stats-data-enable ..............................................................................................................................................................654
syn-cookie .............................................................................................................................................................................655
template .................................................................................................................................................................................656
template virtual-port ......................................................................................................................................................656
use-default-if-no-server .................................................................................................................................................657
use-rcv-hop-for-resp .......................................................................................................................................................657

Config Commands: Web Category ..................................................................................... 659


web-category ......................................................................................................................................................................659
show web-category ........................................................................................................................................................661

Config Commands: Health Monitors ................................................................................. 665


disable-after-down ...........................................................................................................................................................665
interval .....................................................................................................................................................................................666
method ...................................................................................................................................................................................666
override-ipv4 ........................................................................................................................................................................675
override-ipv6 ........................................................................................................................................................................676
override-port ........................................................................................................................................................................676
passive .....................................................................................................................................................................................676
retry ...........................................................................................................................................................................................678
strictly-retry-on-server-error-response ................................................................................................................678
up-retry ....................................................................................................................................................................................679

Show Commands ..................................................................................................................... 681


show aam ..............................................................................................................................................................................681
show access-list .................................................................................................................................................................681
show active-partition .....................................................................................................................................................681
show admin ..........................................................................................................................................................................682
show aflex ..............................................................................................................................................................................685
show arp .................................................................................................................................................................................686
show audit .............................................................................................................................................................................687
show axdebug capture .................................................................................................................................................688
show axdebug config ....................................................................................................................................................688
show axdebug config-file ............................................................................................................................................688
show axdebug file ............................................................................................................................................................689
show axdebug filter .........................................................................................................................................................690
show axdebug status .....................................................................................................................................................690
show backup .......................................................................................................................................................................690
show bfd ................................................................................................................................................................................691
show bgp ...............................................................................................................................................................................696
show bootimage ...............................................................................................................................................................696

show bpdu-fwd-group .................................................................................................................................................697


show bridge-vlan-group ..............................................................................................................................................697
show bw-list .........................................................................................................................................................................697
show class-list ......................................................................................................................................................................698
show clns ...............................................................................................................................................................................700
show clock ............................................................................................................................................................................700
show config ..........................................................................................................................................................................701
show config-block ............................................................................................................................................................701
show context .......................................................................................................................................................................701
show core ..............................................................................................................................................................................703
show cpu ................................................................................................................................................................................703
show debug .........................................................................................................................................................................705
show default-running-config ....................................................................................................................................706
show disk ...............................................................................................................................................................................706
show dns cache .................................................................................................................................................................707
show dns statistics ...........................................................................................................................................................709
show dnssec ........................................................................................................................................................................710
show dumpthread ...........................................................................................................................................................710
show environment ..........................................................................................................................................................710
show event-action ...........................................................................................................................................................711
show fail-safe .......................................................................................................................................................................712
show glid ................................................................................................................................................................................714
show gslb ...............................................................................................................................................................................715
show hardware ...................................................................................................................................................................715
show health ..........................................................................................................................................................................716
show history .........................................................................................................................................................................719
show hsm ..............................................................................................................................................................................720
show icmp .............................................................................................................................................................................720
show icmpv6 .......................................................................................................................................................................720
show interfaces ..................................................................................................................................................................721
show interfaces media ..................................................................................................................................................723
show interfaces statistics ..............................................................................................................................................724
show ip ....................................................................................................................................................................................724
show ip active-vrid ...........................................................................................................................................................725
show ip anomaly-drop statistics .............................................................................................................................727
show ip bgp .........................................................................................................................................................................727
show ip dns ..........................................................................................................................................................................727
show {ip | ipv6} fib ............................................................................................................................................................728
show {ip | ipv6 | ipv4-in-ipv6 | ipv6-in-ipv4} fragmentation statistics ...............................................728
show ip helper-address .................................................................................................................................................731
show {ip | ipv6} interfaces ............................................................................................................................................734
show ip nat alg pptp ......................................................................................................................................................735
show ip nat interfaces ....................................................................................................................................................736
show ip nat pool ...............................................................................................................................................................737
show ip nat pool-group ................................................................................................................................................738
show ip nat range-list .....................................................................................................................................................738
show ip nat static-binding ..........................................................................................................................................739

show ip nat statistics .......................................................................................................................................................740


show ip nat template logging ..................................................................................................................................741
show ip nat timeouts .....................................................................................................................................................741
show ip nat translations ................................................................................................................................................741
show ip-list ............................................................................................................................................................................742
show ipv6 nat interfaces ..............................................................................................................................................743
show ipv6 nat pool ..........................................................................................................................................................743
show ipv6 nat pool-group ..........................................................................................................................................743
show ipv6 ndisc .................................................................................................................................................................743
show ipv6 neighbor ........................................................................................................................................................744
show {ip | ipv6} ospf ........................................................................................................................................................745
show {ip | ipv6} prefix-list .............................................................................................................................................745
show {ip|ipv6} protocols ...............................................................................................................................................745
show {ip | ipv6} rip ............................................................................................................................................................745
show ip route ......................................................................................................................................................................745
show ipv6 route .................................................................................................................................................................746
show {ip|ipv6} stats ..........................................................................................................................................................746
show ipv6 traffic ................................................................................................................................................................747
show isis ..................................................................................................................................................................................747
show json-config ...............................................................................................................................................................747
show json-config-detail ................................................................................................................................................748
show json-config-with-default .................................................................................................................................749
show key-chain ..................................................................................................................................................................750
show lacp ...............................................................................................................................................................................751
show lacp-passthrough ................................................................................................................................................752
show license .........................................................................................................................................................................752
show license-manager ..................................................................................................................................................753
show lldp neighbor statistics .....................................................................................................................................753
show lldp statistics ...........................................................................................................................................................753
show local-uri-file ..............................................................................................................................................................753
show locale ...........................................................................................................................................................................753
show log .................................................................................................................................................................................754
show mac-address-table ..............................................................................................................................................755
show management .........................................................................................................................................................756
show memory .....................................................................................................................................................................757
show mirror ..........................................................................................................................................................................758
show monitor ......................................................................................................................................................................759
show netflow .......................................................................................................................................................................760
show ntp ................................................................................................................................................................................761
show object-group ..........................................................................................................................................................762
show overlay-mgmt-info .............................................................................................................................................762
show overlay-tunnel .......................................................................................................................................................762
show partition .....................................................................................................................................................................762
show partition-group .....................................................................................................................................................762
show pbslb ...........................................................................................................................................................................762
show pki .................................................................................................................................................................................764
show poap ............................................................................................................................................................................766

show process system .....................................................................................................................................................766


show radius-server ...........................................................................................................................................................767
show reboot .........................................................................................................................................................................767
show route-map ................................................................................................................................................................768
show router log file ..........................................................................................................................................................768
show running-config ......................................................................................................................................................769
show session ........................................................................................................................................................................769
show sflow ............................................................................................................................................................................777
show shutdown .................................................................................................................................................................778
show slb ..................................................................................................................................................................................778
show smtp ............................................................................................................................................................................778
show snmp ...........................................................................................................................................................................778
show snmp-stats all .........................................................................................................................................................781
show startup-config ........................................................................................................................................................782
show statistics .....................................................................................................................................................................784
show store .............................................................................................................................................................................785
show switch .........................................................................................................................................................................785
show system cpu-load-sharing ................................................................................................................................786
show system platform ...................................................................................................................................................786
show system resource-usage ....................................................................................................................................787
show tacacs-server ...........................................................................................................................................................788
show techsupport ............................................................................................................................................................789
show terminal .....................................................................................................................................................................790
show tftp ................................................................................................................................................................................791
show trunk ............................................................................................................................................................................791
show vcs .................................................................................................................................................................................792
show version ........................................................................................................................................................................792
show vlans .............................................................................................................................................................................793
show vrrp-a ...........................................................................................................................................................................794
show waf ................................................................................................................................................................................794

SLB Show Commands

show slb aflow
show slb attack-prevention
show slb cache
show slb compression
show slb connection-reuse
show slb conn-rate-limit
show slb diameter
show slb fast-http-proxy
show slb fix
show slb ftp
show slb ftp-proxy
show slb generic-proxy
show slb geo-location
show slb http-proxy
show slb hw-compression

show slb l4
show slb mssql
show slb mysql
show slb passthrough
show slb performance
show slb persist
show slb rate-limit-logging
show slb resource-usage
show slb server
show slb service-group
show slb sip
show slb smpp
show slb smtp
show slb spdy-proxy
show slb ssl stats
show slb ssl-expire-check
show slb ssl-forward-proxy-cert
show slb switch
show slb syn-cookie-buffer
show slb tcp stack
show slb template
show slb virtual-server

AX Debug Commands

apply-config
capture
count
delete
filter
incoming | outgoing
length
maxfile
outgoing
save-config
timeout

Up and Down Causes for the show health stat Command
Up Causes
Down Causes


Using the CLI

This chapter describes how to use the Command Line Interface (CLI) for the Thunder Series from A10 Networks. The commands and their options are described in the other chapters.

System Access
You can access the CLI through a console connection, an SSH session, or a Telnet session. Regardless of which connection
method is used, access to the A10 Advanced Core Operating System (ACOS) CLI generally is referred to as an EXEC session or
simply a CLI session.

NOTE: By default, Telnet access is disabled on all interfaces, including the management interface. SSH, HTTP, HTTPS, and SNMP access are enabled by default on the management interface only, and disabled by default on all data interfaces.

Session Access Levels


As a security feature, the Thunder Series operating system separates EXEC sessions into two different access levels – “User EXEC” level and “Privileged EXEC” level. User EXEC level allows you to access only a limited set of basic monitoring commands. The privileged EXEC level allows you to access all Thunder Series commands (configuration mode, configuration sub-modes and management mode) and can be password protected to allow only authorized users the ability to configure or maintain the system.

User EXEC Level


The User EXEC level can be identified by the following CLI prompt:

ACOS>

This is the first level entered when a CLI session begins. At this level, users can view basic system information but cannot configure system or port parameters.

• A10 Thunder Series models contain “ACOS” plus the model number in the prompt. For example, when an EXEC session is started, the A10 Thunder Series 6430 will display the following prompt:
ACOS6430>

• AX Series models contain “AX” plus the model number in the prompt. For example, when an EXEC session is started, the AX Series 5630 will display the following prompt:
AX5630>


The right arrow (>) in the prompt indicates that the system is at the “User EXEC” level. The User EXEC level does not contain
any commands that might control (for example, reload or configure) the operation of the ACOS device. To list the commands
available at the User EXEC level, type a question mark (?) then press Enter at the prompt; for example, ACOS>?.

NOTE: For simplicity, this document uses “ACOS” in CLI prompts, unless referring to a specific
model. Likewise, A10 Thunder Series or AX Series devices are referred to as “ACOS
devices”, since they both run ACOS software.

Privileged EXEC Level


The Privileged EXEC level can be identified by the following CLI prompt:

ACOS#

This level is also called the “enable” level because the enable command is used to gain access. Privileged EXEC level can be password secured. The “privileged” user can perform tasks such as managing files in the flash module, saving the system configuration to flash, and clearing caches at this level.

Critical commands (configuration and management) require that the user be at the “Privileged EXEC” level. To change to the Privileged EXEC level, type enable then press Enter at the ACOS> prompt. If an “enable” password is configured, the Thunder Series will then prompt for that password. When the correct password is entered, the Thunder Series prompt will change from ACOS> to ACOS# to indicate that the user is now at the “Privileged EXEC” level. To switch back to the “User EXEC” level, type disable at the ACOS# prompt. Typing a question mark (?) at the Privileged EXEC level will now reveal many more command options than those available at the User EXEC level.

Privileged EXEC Level - Config Mode


The Privileged EXEC level’s configuration mode can be identified by the following CLI prompt:

ACOS(config)#

The Privileged EXEC level’s configuration mode is used to configure the system IP address and to configure switching and
routing features. To access the configuration mode, you must first be logged into the Privileged EXEC level.

From the opening CLI prompt, enter the following command to change to the Privileged level of the EXEC mode:
ACOS>enable

To access the configuration level of the CLI, enter the config command:
ACOS#config

The prompt changes to include “(config)”:


ACOS(config)#

VRRP-A / aVCS Status in Command Prompt


You can configure the following information to be included in the CLI prompt:


• VRRP-A status of the ACOS device: Active, Standby, or ForcedStandby

• Hostname of the ACOS device

• aVCS status (vMaster or vBlade), virtual chassis ID, and device ID

Below is an example of a CLI prompt that shows all these information items:

ACOS-Active-vMaster[1/1]>

Table 1 identifies and describes the major components of this prompt:

TABLE 1 CLI Prompt Description

Prompt Component   Description
ACOS               This is the host name of the ACOS device.
Active             This indicates that the ACOS device is a member of a VRRP-A set, and is currently the active device for at least one virtual port.
vMaster[1/1]       This indicates that the ACOS device is currently acting as the vMaster for virtual chassis 1, and is device ID 1 within that virtual chassis.

By default, all these information items are included in the CLI prompt. You can customize the CLI prompt by explicitly
enabling the individual information items to be displayed.

Using the CLI

To explicitly enable display of information items in the CLI prompt, use the following command at the global configuration
level of the CLI:

terminal prompt info-item-list

The info-item-list can contain one or more of the following values:

• vcs-status [chassis-device-id] – Enables display of the aVCS status of the device.


The chassis-device-id option enables display of the virtual chassis ID and device ID.

• hostname – Enables display of the ACOS hostname.

• chassis-device-id – Display aVCS device id in the prompt. For example, this can be 7/1, where the number 7
indicates the chassis ID and 1 indicates the device ID within the aVCS set.

NOTE: The aVCS Chassis ID and the aVCS Device ID are configurable as part of the prompt if
aVCS is running. The prompt that you specify will be synchronized and reflected on all
the other devices in the aVCS set.

Restoring the Default Prompt Display

To re-enable display of all the information items, use the following command at the global configuration level of the CLI:

no terminal prompt


The following command disables display of the aVCS status and hostname in the CLI prompt:

ACOS2-Active-vMaster[1/1](config)#terminal prompt ha-status


Active(config)#

The following command re-enables display of all the information items:

Active(config)#no terminal prompt


ACOS2-Active-vMaster[1/1](config)#

IP Version Support
Unless otherwise noted, where “ipaddr” is shown as a command option, an IPv4 or IPv6 address can be specified.

Partition Name in Command Prompt


Application Delivery Partitioning (ADP) allows resources on the ACOS device to be allocated to independent application
delivery partitions. Depending on the access privileges allowed to an admin, the active partition for a CLI session is either the
shared partition or a private partition.

If the CLI session is on a private partition, the partition name is included in the CLI prompt. For example, for private partition
“corpa”, the prompt for the global configuration level of the CLI looks like the following:

ACOS[corpa](config)#

In this example, the partition name “corpa” appears in square brackets after the hostname. This example assumes that the hostname of the device is “ACOS”.

If the partition is the shared partition and not a private partition, the CLI prompt is as shown without a partition name.
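The prompt elements described in this chapter (access level, config mode, VRRP-A and aVCS status, chassis/device ID, partition) can be recovered from a saved session capture when reviewing which commands were entered at which level and in which partition. The following Python parser is an added example, not A10 code; the bracket handling, the treatment of any parenthesized text beginning with “config” as config mode, the function names, and the sample session are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

VRRP_A_STATES = {"Active", "Standby", "ForcedStandby"}  # values listed on this page
AVCS_ROLES = {"vMaster", "vBlade"}                       # values listed on this page

# Assumed layout: name tokens, optional [..] groups, optional (config...), then > or #.
PROMPT_RE = re.compile(
    r"^(?P<head>[A-Za-z0-9._-]*)"
    r"(?P<brackets>(?:\[[^\]\s]+\])*)"
    r"(?:\((?P<mode>config[^)\s]*)\))?"
    r"(?P<term>[>#])"
    r"(?P<command>.*)$"
)
CHASSIS_RE = re.compile(r"^(\d+)/(\d+)$")


@dataclass
class Prompt:
    hostname: Optional[str]    # None when hostname display is disabled
    vrrp_a: Optional[str]
    avcs_role: Optional[str]
    chassis_id: Optional[int]
    device_id: Optional[int]
    partition: Optional[str]   # None means the shared partition
    level: str                 # "user-exec", "privileged-exec" or "config"
    command: str               # text typed after the prompt, may be empty


def parse_prompt(line: str) -> Optional[Prompt]:
    """Parse one captured line; return None if it is not a prompt line."""
    m = PROMPT_RE.match(line.strip())
    if not m or not (m["head"] or m["brackets"] or m["mode"]):
        return None
    # Status tokens are appended after the hostname, so peel them off the right.
    tokens = m["head"].split("-") if m["head"] else []
    avcs = tokens.pop() if tokens and tokens[-1] in AVCS_ROLES else None
    vrrp = tokens.pop() if tokens and tokens[-1] in VRRP_A_STATES else None
    hostname = "-".join(tokens) or None
    chassis = device = partition = None
    for group in re.findall(r"\[([^\]]+)\]", m["brackets"]):
        ids = CHASSIS_RE.match(group)
        if ids:                          # [chassis/device], e.g. [1/1]
            chassis, device = int(ids[1]), int(ids[2])
        else:                            # anything else is a partition name
            partition = group
    if m["mode"]:
        level = "config"
    elif m["term"] == "#":
        level = "privileged-exec"
    else:
        level = "user-exec"
    return Prompt(hostname, vrrp, avcs, chassis, device, partition,
                  level, m["command"].strip())


def commands_entered(transcript: str) -> List[Prompt]:
    """Every prompt line in a session capture that carries a typed command."""
    parsed = (parse_prompt(line) for line in transcript.splitlines())
    return [p for p in parsed if p and p.command]


def config_changes(transcript: str) -> List[Tuple[str, str]]:
    """(partition, command) pairs entered in config mode, skipping '?' help queries."""
    return [(p.partition or "shared", p.command)
            for p in commands_entered(transcript)
            if p.level == "config" and not p.command.endswith("?")]


# Constructed sample capture (not real device output); the last line stands in
# for a separate session on private partition "corpa".
SAMPLE_SESSION = """\
ACOS2-Active-vMaster[1/1]>enable
ACOS2-Active-vMaster[1/1]#show arp | include 192.168.1.3*
192.168.1.3 001d.4608.1e40 Dynamic ethernet4
ACOS2-Active-vMaster[1/1]#config
ACOS2-Active-vMaster[1/1](config)#terminal prompt ha-status
Active(config)#slb server ?
NAME<length:1-63> Server Name
ddd
Active(config)#no terminal prompt
ACOS[corpa](config)#slb server ddd
"""

if __name__ == "__main__":
    for partition, command in config_changes(SAMPLE_SESSION):
        print(f"{partition:8} {command}")
```

Because prompt items can be turned off with terminal prompt, a missing hostname or status in a capture reflects the display setting, and a device whose hostname is itself a status word such as “Active” cannot be told apart from a prompt with hostname display disabled.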

CLI Quick Reference


Entering the help command (available at any command level) returns the CLI Quick Reference, as follows:
ACOS>help
CLI Quick Reference
===============

1. Online Help

Enter “?” at a command prompt to list the commands available at that CLI level.
Enter "?" at any point within a command to list the available options.

Two types of help are provided:


1) When you are ready to enter a command option, type "?" to display each
possible option and its description. For example: show ?


2) If you enter part of an option followed by "?", each command or option that
matches the input is listed. For example: show us?

2. Word Completion

The CLI supports command completion, so you do not need to enter the entire
name of a command or option. As long as you enter enough characters of the
command or option name to avoid ambiguity with other commands or options, the
CLI can complete the command or option.
After entering enough characters to avoid ambiguity, press "tab" to
auto-complete the command or option.

ACOS>

Context-Sensitive Help
Enter a question mark (?) at the system prompt to display a list of available commands for each command mode. The context-sensitive help feature provides a list of the arguments and keywords available for any command.
To view help specific to a command name, a command mode, a keyword, or an argument, enter any of the following commands:

Prompt (applies to every row): ACOS> or ACOS# or (config)#

Command                              Purpose
help                                 Displays the CLI Quick Reference.
abbreviated-command-help?            Lists all commands beginning with the abbreviation before the (?). If the abbreviation is not found, the Thunder Series returns: % Ambiguous command
abbreviated-command-complete<Tab>    Completes a partial command name if unambiguous.
?                                    Lists all valid commands available at the current level.
command ?                            Lists the available syntax options (arguments and keywords) for the entered command.
command keyword ?                    Lists the next available syntax option for the command.

A space (or lack of a space) before the question mark (?) is significant when using context-sensitive help. To determine which
commands begin with a specific character sequence, type in those characters followed directly by the question mark; e.g.
ACOS#te?. Do not include a space. This help form is called “word help”, because it completes the word for you.
To list arguments or keywords, enter a question mark (?) in place of the argument or the keyword. Include a space before the
(?); e.g. ACOS# terminal ?. This form of help is called “command syntax help”, because it shows you which keywords or
arguments are available based on the command, keywords, and arguments that you already entered.
Users can abbreviate commands and keywords to the minimum number of characters that constitute a unique abbreviation.
For example, you can abbreviate the config terminal command to conf t. If the abbreviated form of the command is
unique, then the Thunder Series accepts the abbreviated form and executes the command.


Context Sensitive Help Examples

The following example illustrates how the context-sensitive help feature enables you to create an access list from configuration mode.

Enter the letters co at the system prompt followed by a question mark (?). Do not leave a space between the last letter and
the question mark. The system provides the commands that begin with co.
ACOS#co?
configure Entering config mode
ACOS#co

Enter the configure command followed by a space and a question mark to list the keywords for the command and a brief
explanation:
ACOS#configure ?
terminal Config from the terminal
<cr>
ACOS#configure

The <cr> symbol (“cr” stands for carriage return) appears in the list to indicate that one of your options is to press the Return
or Enter key to execute the command, without adding any additional keywords.

In this example, the output indicates that your only option for the configure command is configure terminal (configure manually from the terminal connection).

The no Command
Most configuration commands have a no form. Typically, you use the no form to disable a feature or function. The command without the no keyword is used to re-enable a disabled feature or to enable a feature that is disabled by default. For example, suppose terminal auto-size has been enabled previously. To disable terminal auto-size, use the no terminal auto-size form of the terminal auto-size command. To re-enable it, use the terminal auto-size form. This document describes the function of the no form of the command whenever a no form is available.

Command History
The CLI provides a history or record of commands that you have entered. This feature is particularly useful for recalling long
or complex commands or entries, including access lists. To use the command history feature, perform any of the tasks
described in the following sections:

• Setting the command history buffer size


• Recalling commands
• Disabling the command history feature

Setting the Command History Buffer Size


ACOS records ten command lines in its history buffer, by default. To change the number of command lines that the system
will record during the current terminal session, use the following command in EXEC mode:


Command                                                 Description
ACOS#terminal history [size number-of-lines]            Enables the command history feature for the current terminal session.
ACOS#no terminal history size                           Resets the number of commands saved in the history buffer to the default of 256 commands.
ACOS(config)#terminal history [size number-of-lines]    Enables the command history feature for all the configuration sessions.

Recalling Commands
To recall commands from the history buffer, use one of the following commands or key combinations:

Command or Key Combination    Description
Ctrl+P or Up Arrow key*       Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Ctrl+N or Down Arrow key*     Returns to more recent commands in the history buffer after recalling commands with Ctrl+P or the Up arrow key. Repeat the key sequence to recall successively more recent commands.
ACOS> show history            While in EXEC mode, lists the most recent commands entered.

* The arrow keys function only on ANSI-compatible terminals.

Editing Features and Shortcuts


A variety of shortcuts and editing features are enabled for the Thunder Series CLI. The following subsections describe these
features:
• Positioning the cursor on the command line
• Completing a partial command name
• Recalling deleted entries
• Editing command lines that wrap
• Deleting entries
• Continuing output at the --MORE-- prompt
• Re-displaying the current command line
• Editing Pre-configured SLB Items


Positioning the Cursor on the Command Line


The table below lists key combinations used to position the cursor on the command line for making corrections or changes.
The Control key (ctrl) must be pressed simultaneously with the associated letter key. The Escape key (esc) must be pressed
first, followed by its associated letter key. The letters are not case sensitive. Many letters used for CLI navigation and editing
were chosen to simplify remembering their functions. In the following table, characters bolded in the Function Summary
column indicate the relation between the letter used and the function.

Keystrokes               Function Summary     Function Details
Left Arrow or ctrl+B     Back character       Moves the cursor left one character. When entering a command that extends beyond a single line, press the Left Arrow or Ctrl+B keys repeatedly to move back toward the system prompt to verify the beginning of the command entry, or you can also press Ctrl+A.
Right Arrow or ctrl+F    Forward character    Moves the cursor right one character.
ctrl+A                   Beginning of line    Moves the cursor to the very beginning of the command line.
ctrl+E                   End of line          Moves the cursor to the very end of the line.

Completing a Partial Command Name


If you do not remember a full command name, or just to reduce the amount of typing you have to do, enter the first few letters of a command, then press tab. The CLI parser then completes the command if the string entered is unique to the command mode. If the keyboard has no tab key, you can also press ctrl+I.

The CLI will recognize a command once you enter enough text to make the command unique. For example, if you enter
conf while in the privileged EXEC mode, the CLI will associate your entry with the config command, because only the config
command begins with conf.

In the next example, the CLI recognizes the unique string conf for privileged EXEC mode of config after pressing the tab
key:

ACOS#conf<tab>
ACOS#configure

When using the command completion feature, the CLI displays the full command name. Commands are not executed until
the Enter key is pressed. This way you can modify the command if the derived command is not what you expected from the
abbreviation. Entering a string of characters that indicate more than one possible command (for example, te) results in the
following response from the CLI:
ACOS#te
% Ambiguous command
ACOS#

If the CLI cannot complete the command, enter a question mark (?) to obtain a list of commands that begin with the character set entered. Do not leave a space between the last letter you enter and the question mark (?).

In the example above, te is ambiguous. It is the beginning of both the telnet and terminal commands, as shown in the following example:
ACOS#te?
telnet Open a telnet connection
terminal Set Terminal Parameters, only for current terminal
ACOS#te

The letters entered before the question mark (te) are reprinted to the screen to allow continuation of command entry from
where you left off.

Deleting Command Entries


If you make a mistake or change your mind, you can use the following keys or key combinations to delete command entries:

Keystrokes          Purpose
backspace           The character immediately left of the cursor is deleted.
delete or ctrl+D    The character that the cursor is currently on is deleted.
ctrl+K              All characters from the cursor to the end of the command line are deleted.
ctrl+U or ctrl+X    All characters from the cursor to the beginning of the command line are deleted.
ctrl+W              The word to the left of the cursor is deleted.

Editing Command Lines that Wrap


The CLI provides a wrap-around feature for commands extending beyond a single line on the display.

When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command. To scroll back, press ctrl+B or the left arrow key repeatedly until you scroll back to the command entry, or press ctrl+A to return directly to the beginning of the line.

The Thunder Series software assumes you have a terminal screen that is 80 columns wide. If you have a different screen width, use the terminal width EXEC command to set the width of the terminal.

Use line wrapping in conjunction with the command history feature to recall and modify previous complex command
entries. See the Recalling Commands section in this chapter for information about recalling previous command entries.


Continuing Output at the --MORE-- Prompt


When working with the CLI, output often extends beyond the visible screen length. For cases where output continues
beyond the bottom of the screen, such as with the output of many ?, show, or more commands, the output is paused and a
--MORE-- prompt is displayed at the bottom of the screen.

To proceed, press the Enter key to scroll down one line, or press the spacebar to display the next full screen of output.

Redisplaying the Current Command Line


If you are entering a command and the system suddenly sends a message to your screen, you can easily recall your current command line entry. To redisplay the current command line (refresh the screen), use either of the following key combinations:

Keystrokes Purpose
ctrl+L or ctrl+R Re-displays the current command line

Editing Pre-Configured SLB Items


You can display a list of SLB items that have been configured on the ACOS device by entering the partial command, followed
by the ‘?’ character. Previous releases required you to know the exact name of the real server or other item you wanted to
modify, but this feature enables you to display the items that are already configured without having to remember the exact
name.

The following SLB items can be viewed in this manner:

• slb server
• slb service-group
• slb virtual-server

• member (at service-group configuration level)

• service-group (at virtual-port configuration level)

The following example displays the names of real servers that are already configured on the ACOS device. All options displayed in the output except “NAME” are real servers.

ACOS(config)#slb server ?
NAME<length:1-63> Server Name
a1
a2
ddd
rs1
rs1-a1
rs1-a2
rs1-a3
ACOS2-Active(config)#slb server

You can further refine the list that appears by entering part of the name. For example:

ACOS2-Active(config)#slb server a?
NAME<length:1-63> Server Name
a1
a2

In the same manner that commands can be auto-completed by partially entering the command name and pressing <TAB>,
the ACOS device supports the ability to auto-complete the names of configured items. For example:

ACOS(config)#slb server d<TAB>


ACOS(config)#slb server ddd

Searching and Filtering CLI Output


The CLI permits searching through large amounts of command output by filtering the output to exclude information that
you do not need. The show command supports the following output filtering options:
• begin string – Begins the output with the line containing the specified string
• include string – Displays only the output lines that contain the specified string
• exclude string – Displays only the output lines that do not contain the specified string
• section string – Displays only the lines for the specified section (for example, “slb server”, “virtual-server”, or
“logging”). To display all server-related configuration lines, you can enter “server”.

Use “ | ” as a delimiter between the show command and the display filter.

You can use regular expressions in the filter string, as shown in this example:
ACOS(config)#show arp | include 192.168.1.3*
192.168.1.3 001d.4608.1e40 Dynamic ethernet4
192.168.1.33 0019.d165.c2ab Dynamic ethernet4

The output filter in this example displays only the ARP entries that contain IP addresses that match “192.168.1.3” and any
value following “3”. The asterisk ( * ) matches on any pattern following the “3”. (See “Regular Expressions” on page 12.)

The following example displays the startup-config lines for “logging”:


ACOS(config)#show startup-config | section logging
logging console error
logging buffered debugging
logging monitor debugging
logging buffered 30000
logging facility local0


Regular Expressions
Regular expressions are patterns (e.g. a phrase, number, or more complex pattern) used by the CLI string search feature to
match against show or more command output. Regular expressions are case sensitive and allow for complex matching
requirements. A simple regular expression can be an entry like Serial, misses, or 138. Complex regular expressions can be an
entry like 00210... , ( is ), or [Oo]utput.

A regular expression can be a single-character pattern or a multiple-character pattern. This means that a regular expression
can be a single character that matches the same single character in the command output or multiple characters that match
the same multiple characters in the command output. The pattern in the command output is referred to as a string. This
section describes creating single-character patterns.

Single-Character Patterns
The simplest regular expression is a single character that matches the same single character in the command output. You
can use any letter (A–Z, a–z) or digit (0–9) as a single-character pattern. You can also use other keyboard characters (such as !
or ~) as single-character patterns, but certain keyboard characters have special meaning when used in regular expressions.
The following table lists the keyboard characters that have special meaning.

Character Meaning
. Matches any single character, including white space
* Matches 0 or more sequences of the pattern
+ Matches 1 or more sequences of the pattern
? Matches 0 or 1 occurrences of the pattern
^ Matches the beginning of the string
$ Matches the end of the string
_ (underscore) Matches a comma (,), left brace ({), right brace (}), left parenthesis ( ( ), right parenthesis ( ) ), the
beginning of the string, the end of the string, or a space.
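The following Python sketch is an added example, not A10 code: it emulates the begin, include and exclude filters using the metacharacter meanings in the table above, to show that the filter string 192.168.1.3* also selects addresses such as 192.168.1.7 and 192.168.113.9, while an anchored pattern with bracketed dots does not. It assumes POSIX-style unanchored matching; the function names and the last three ARP rows are constructed for illustration.

```python
import re

# The only metacharacter in the page's table that Python's re lacks is "_".
# Assumption: everything else (. * + ? ^ $ and [..] sets) behaves as in
# POSIX-style regular expressions, and the filter is an unanchored search.
_UNDERSCORE = r"(?:[,{}() ]|^|$)"


def to_python_regex(acos_pattern):
    """Translate a filter string to Python syntax (no '_' inside [...] sets)."""
    return acos_pattern.replace("_", _UNDERSCORE)


def cli_filter(lines, mode, pattern):
    """Emulate `show ... | begin|include|exclude pattern` over captured lines."""
    rx = re.compile(to_python_regex(pattern))
    if mode == "include":
        return [ln for ln in lines if rx.search(ln)]
    if mode == "exclude":
        return [ln for ln in lines if not rx.search(ln)]
    if mode == "begin":
        for i, ln in enumerate(lines):
            if rx.search(ln):
                return lines[i:]
        return []
    raise ValueError("unsupported filter: " + mode)


# First two rows are from the page; the last three are constructed.
ARP = [
    "192.168.1.3 001d.4608.1e40 Dynamic ethernet4",
    "192.168.1.33 0019.d165.c2ab Dynamic ethernet4",
    "192.168.1.7 0019.d165.0001 Dynamic ethernet2",
    "192.168.113.9 0019.d165.0002 Dynamic ethernet2",
    "10.0.0.3 0019.d165.0003 Dynamic ethernet4",
]

LOOSE = "192.168.1.3*"          # the filter string used on the page
TIGHT = "^192[.]168[.]1[.]3"    # anchored, dots matched literally


def report():
    """Run each filter over the sample table and return the selected rows."""
    return {
        "loose": cli_filter(ARP, "include", LOOSE),
        "tight": cli_filter(ARP, "include", TIGHT),
        "port4": cli_filter(ARP, "include", "_ethernet4$"),
        "not_port4": cli_filter(ARP, "exclude", "_ethernet4$"),
        "from_113": cli_filter(ARP, "begin", "^192[.]168[.]113[.]"),
    }


if __name__ == "__main__":
    for name, rows in report().items():
        print(name, len(rows))
        for row in rows:
            print("   ", row)
```

When a filtered show command feeds an audit or a change check, the loose form can hide the fact that unrelated hosts were included in the result.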

Special Character Support in Strings


Special characters are supported in password strings and various other strings. To use special characters in a string, enclose
the entire string in double quotation marks.

Special Character Support in Password Strings


The following subsections list the special characters supported for each type of password you can enter in the CLI.

For information about the supported password length, see the CLI help or the command entry in this document.


Admin and Enable Passwords

Admin and enable passwords can contain any ASCII characters in the following ranges: 0x20-0x7e and 0x80-0xFF.

ACOS Device Hostname

The device hostname can contain any ASCII characters in the following ranges: a-z A-Z 0-9 - . ( )

RADIUS Shared Secrets

Same as admin and enable passwords.

MD5 Passwords for OSPF or BGP

MD5 passwords can be up to 16 characters long. A password string can contain any ASCII characters in the range 0x20-0x7e.
The password string cannot begin with a blank space, and cannot contain any of the following special characters: ' " < >
& \ / ?

SNMPv3 user authentication passwords

Same as admin and enable passwords.

Passwords used for file import / export

All of the characters in the following range are supported: 0x20-0x7E.

Passwords used for server access in health monitors

Most of the characters in the following range are supported: 0x20-0x7E. However, the following characters are not supported
in the current release:

' " < > & \ / ?

SSL certificate passwords

Most of the characters in the following ranges are supported: 0x20-0x7E and 0x80-0xFF. However, the following characters
are not supported in the current release:

' " < > & \ / ?

SMTP passwords

Same as SSL certificate passwords.

How To Enter Special Characters in the Password String


You can use an opening single- or double-quotation mark without an ending one. In this case, '" becomes ", and "'
becomes '.


Escape sequences are required for a few of the special characters:

• " – To use a double-quotation mark in a string, enter the following: \"

• ? – To use a question mark in a string, enter the following sequence: \077

• \ – To use a back slash in a string, enter another back slash in front of it: \\

For example, to use the string a"b?c\d, enter the following: "a\"b\077c\\d"

The \ character will be interpreted as the start of an escape sequence only if it is enclosed in double quotation marks. (The
ending double quotation mark can be omitted.) If the following characters do not qualify as an escape sequence, they are
taken verbatim; for example, \ is taken as \, "\x41" is taken as A (hexadecimal escape), "\101" is taken as A (octal escape),
and "\10" is taken as \10.

NOTE: To use a double-quotation mark as the entire string, enter "\"". If you enter \", the result is \.
(Using a single character as a password is not recommended.)

NOTE: It is recommended not to use i18n characters. The character encoding used on the terminal
during password change might differ from the character encoding on the terminal used during login.
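The escaping rules above matter when secrets are generated or pushed by automation, because a string the CLI reads differently from what was intended becomes a password nobody knows. The Python below is an added example, not A10 code: acos_quote builds the quoted form, acos_decode is a model of the parser inferred from the page's examples (two-digit hex and three-digit octal escapes are assumptions), and check_secret applies the per-type character rules from the preceding subsections. All function names and rule labels are hypothetical.

```python
import re

# Escapes recognised inside double quotes, per the page: \" \\ \xHH \OOO.
# Assumption: hex escapes take two digits and octal escapes three (000-377).
_ESC = re.compile(r'\\(?:(["\\])|x([0-9A-Fa-f]{2})|([0-3][0-7]{2}))')


def acos_quote(secret):
    """Return the double-quoted, escaped form of `secret` for the CLI."""
    table = {'"': '\\"', '?': '\\077', '\\': '\\\\'}
    return '"' + "".join(table.get(ch, ch) for ch in secret) + '"'


def acos_decode(token):
    """Model (hypothetical) of how the CLI reads a string token."""
    out, i, quote = [], 0, None
    while i < len(token):
        ch = token[i]
        if quote == '"':
            m = _ESC.match(token, i)
            if m:
                literal, hexa, octal = m.groups()
                out.append(literal or chr(int(hexa, 16) if hexa else int(octal, 8)))
                i = m.end()
                continue
        if quote is None and ch in "'\"":
            quote = ch        # opening quote; the closing one may be omitted
        elif ch == quote:
            quote = None      # closing quote
        else:
            out.append(ch)    # includes a backslash that starts no escape
        i += 1
    return "".join(out)


_PRINTABLE = set(range(0x20, 0x7F))
_EXTENDED = _PRINTABLE | set(range(0x80, 0x100))
_UNSUPPORTED = set("'\"<>&\\/?")

# kind: (allowed code points, unsupported chars, max length, leading space ok)
# max length None means "see the CLI help", as the page says.
RULES = {
    "admin-enable":   (_EXTENDED, set(), None, True),
    "md5-ospf-bgp":   (_PRINTABLE, _UNSUPPORTED, 16, False),
    "import-export":  (_PRINTABLE, set(), None, True),
    "health-monitor": (_PRINTABLE, _UNSUPPORTED, None, True),
    "ssl-cert":       (_EXTENDED, _UNSUPPORTED, None, True),
}
RULES["radius-secret"] = RULES["snmpv3-auth"] = RULES["admin-enable"]
RULES["smtp"] = RULES["ssl-cert"]


def check_secret(kind, secret):
    """Return a list of rule violations (empty when the secret is acceptable)."""
    allowed, unsupported, max_len, lead_space_ok = RULES[kind]
    problems = []
    if any(ord(ch) not in allowed for ch in secret):
        problems.append("character outside the supported range")
    banned = sorted(set(secret) & unsupported)
    if banned:
        problems.append("unsupported characters: " + " ".join(banned))
    if max_len is not None and len(secret) > max_len:
        problems.append("longer than %d characters" % max_len)
    if not lead_space_ok and secret.startswith(" "):
        problems.append("begins with a blank space")
    return problems


if __name__ == "__main__":
    sample = 'a"b?c\\d'                      # the string used on the page
    print(acos_quote(sample))                # what to enter at the prompt
    print(acos_decode(acos_quote(sample)))   # what the device should store
    print(check_secret("md5-ospf-bgp", " key?"))
```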

aVCS Device Numbers in Commands


Some commands either include or support an ACOS Virtual Chassis System (aVCS) device ID. The device ID indicates the
device to which the command applies.

Device ID Syntax
In an aVCS virtual chassis, configuration items that are device-specific include the device ID. For these items, use the
following syntax:

• interface ethernet DeviceID/Portnum


• interface ve DeviceID/Portnum
• interface loopback DeviceID/Loopbacknum
• trunk DeviceID/Trunknum
• vlan DeviceID/VLAN-ID
• bpdu-fwd-group DeviceID/VLAN-ID
• bridge-vlan-group DeviceID/VLAN-ID

This format also appears in the running-config and startup-config.

To determine whether a command supports the DeviceID/ syntax, use the CLI help.

The following command accesses the configuration level for Ethernet data port 5 on device 4:


ACOS(config)#interface ethernet 4/5


ACOS(config-if:ethernet:4/5)#

aVCS Device Option for Configuration Commands


To configure commands for a specific aVCS device, use the device-context command.

device-context DeviceID

For example, to change the hostname for device 3 in the virtual chassis:

ACOS(config)#device-context 3
ACOS(config)#hostname ACOS3
ACOS3(config)#

aVCS Device Option for Show Commands


To view show output for a specific device in an aVCS cluster, you must use the vcs admin-session-connect command
to connect to the device, then run the desired show command.

For example, the following command shows how to connect to device 2 in a virtual chassis, then view the MAC address table
on that device:

ACOS-device1(config)#vcs admin-session-connect device 2


spawn ssh -l admin 192.168.100.126
The authenticity of host '192.168.100.126 (192.168.100.126)' can't be established.
RSA key fingerprint is ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.126' (RSA) to the list of known hosts.
Password:***
Last login: Thu Jul 22 21:06:46 2010 from 192.168.3.77
ACOS-device2#show mac-address-table
MAC-Address Port Type Index Vlan Age
---------------------------------------------------------
0013.72E3.C773 1 Dynamic 13 2 88
0013.72E3.C775 2 Dynamic 16 10 90
Total active entries: 2 Age time: 300 secs

CLI Message for Commands That Affect Only the Local Device
You can display a message when entering a configuration command that applies to only the local device. When this option
is enabled, a message is displayed if you enter a configuration command that affects only the local device, and the
command does not explicitly indicate the device.

This enhancement is enabled by default and cannot be disabled.


Local Device
The “local device” is the device your CLI session is on.

• If you log directly onto one of the devices in the virtual chassis, that device is the local device. For example, if you log
on through the management IP address of a vBlade, that vBlade is the local device.

• If you change the device context or router content to another ACOS device, that device becomes the local device.

• If you log onto the virtual chassis’ floating IP address, the vMaster is the local device.

Message Example
The following command configures a static MAC address:

ACOS(config)#mac-age-time 444
This operation applied to device 1

This type of configuration change is device-specific. However, the command does not specify the device ID to which to
apply the configuration change. Therefore, the change is applied to the local device. In this example, the local device is
device 1 in the aVCS virtual chassis.

The message is not necessary if you explicitly specify the device, and therefore is not displayed:

ACOS(config)#device-context 2
ACOS(config)#mac-age-time 444 device 2

For commands that access the configuration level for a specific configuration item, the message is displayed only for the
command that accesses the configuration level. For example:

ACOS(config)#interface ethernet 2
This operation applied to device 1
ACOS(config-if:ethernet:2/1)#ip address 1.1.1.1 /24
ACOS(config-if:ethernet:2/1)#

The message is not displayed after the ip address command is entered, because the message is already displayed after
the interface ethernet 2 command is entered.

The same is true for commands at the configuration level for a routing protocol. The message is displayed only for the
command that accesses the configuration level for the protocol.

• In most cases, the message also is displayed following clear commands for device-specific items. An exception is
clear commands for routing information. The message is not displayed following these commands.

• The message is not displayed after show commands.


EXEC Commands

The EXEC commands (sometimes referred to as the User EXEC commands) are available at the CLI level that is presented
when you log into the CLI.

The EXEC level command prompt ends with >, as in the following example:

ACOS>

active-partition
Description CLI commands related to ADPs are located in Configuring Application Delivery Partitions.

enable
Description Enter privileged EXEC mode, or any other security level set by a system administrator.

Syntax enable

Mode EXEC

Usage Entering privileged EXEC mode enables the use of privileged commands. Because many of
the privileged commands set operating parameters, privileged access should be password-
protected to prevent unauthorized use. If the system administrator has set a password with
the enable password global configuration command, you are prompted to enter it before
being allowed access to privileged EXEC mode. The password is case sensitive.

The user will enter the default mode of privileged EXEC.

Example In the following example, the user enters privileged EXEC mode using the enable command.
The system prompts the user for a password before allowing access to the privileged
EXEC mode. The password is not printed to the screen. The user then exits back to user EXEC
mode using the disable command. Note that the prompt for user EXEC mode is >, and the
prompt for privileged EXEC mode is #.

ACOS>enable
Password: <letmein>
ACOS#disable
ACOS>


exit
Description Close an active terminal session by logging off the system.

Syntax exit

Mode EXEC

Usage Use the exit command in EXEC mode to exit the active session (log off the device).

Example In the following example, the exit (global) command is used to move from global configuration
mode to privileged EXEC mode, the disable command is used to move from privileged
EXEC mode to user EXEC mode, and the exit (EXEC) command is used to log off (exit
the active session):

ACOS(config)#exit
ACOS#disable
ACOS>exit

gen-server-persist-cookie
Description Generate a cookie for pass-through cookie-persistent SLB sessions.

Syntax gen-server-persist-cookie [cookie-name]
match-type
{
port vport-num rport-num {ipaddr | ipv6 ipv6addr} |
server {ipv4addr | ipv6 ipv6addr} |
service-group group-name vport-num rport-num
{ipv4addr | ipv6 ipv6addr}
}

Parameter Description
cookie-name Name of the cookie header.
match-type Specifies the values used to create the cookie and name the header containing it.
The port option creates a cookie based on the following format:
cookiename-vportnum-groupname=encoded-ip_encoded-rport
The server option creates a cookie based on the following format:
cookiename=encoded-ip
The service-group option creates a cookie based on the following format:
cookiename-vportnum-groupname=encoded-ip_encoded-rport


Default ACOS does not have a default pass-through cookie. When you configure one, the default
name is “sto-id”. There is no default match-type setting.

Mode EXEC and Privileged EXEC

Usage Additional configuration is required. The pass-thru option must be enabled in the cookie-
persistence template bound to the virtual port.

health-test
Description Test the status of a device using a configured health monitor.

Syntax health-test {ipaddr | ipv6 ipv6addr}
[count num] [monitorname monitor-name] [port portnum]

Parameter Description
ipaddr Specifies the IPv4 address of the device to test.
ipv6 ipaddr Specifies the IPv6 address of the device to test.
count num Specifies the number of health checks to send to the
device. You can specify a number 1 - 65535.
The default count is 1.
monitor monitor-name Specifies the name of the health monitor you want to use,
1-29 characters. The health monitor must already be configured.
See “Config Commands: Health Monitors” on page 665 for
more information about configuring a health monitor.
The default monitor is ICMP ping, which is the default
Layer 3 health check.
port port-num Specifies the protocol port to test. You can specify any
port 1 - 65535.
The default is the override port number set in the health
monitor configuration. If none is set there, then this option
is not set by default.

Default See descriptions.

Mode EXEC, Privileged EXEC, and global config

Usage If an override IP address and protocol port are set in the health monitor configuration, the
ACOS device will use the override address and port, even if you specify an address and port
with the health-test command.

Example The following command tests port 80 on server 192.168.1.66, using configured health
monitor hm80:

ACOS#health-test 192.168.1.66 monitorname hm80


node status UP.


help
Description Display a description of the interactive help system of the CLI.

Syntax help

Example (See “CLI Quick Reference” on page 4.)

no
Description See “no” on page 37. This command is not used at this level.

ping
Description Send an ICMP echo packet to test network connectivity.

Syntax ping [ipv6] {hostname | ipaddr}
[data HEX-word]
[ds-lite {[source-ipv4 ipaddr] [source-ipv6 ipaddr] [ipaddr]}]
[flood]
[interface {ethernet port-num | ve ve-num}]
ipv6
[pmtu]
[repeat {count | unlimited}]
[size num]
[source {ipaddr | ethernet port-num | ve ve-num}]
[timeout secs]
[ttl num]

Parameter Description
ipv6 {hostname | ipaddr} Send a ping to the specified IPv6 hostname or address.
{hostname | ipaddr} Send a ping to the specified IPv4 hostname or address.
data HEX-word Hexadecimal data pattern to send in the ping. The pattern can be 1-8 hexadecimal
characters long.
This is not set by default.
ds-lite {[source-ipv4 ipaddr] [source-ipv6 ipaddr] ipaddr} Send a DS-Lite ping.
flood Send a continuous stream of ping packets, by sending a new packet as soon as a
reply to the previous packet is received.
This is disabled by default.
interface {ethernet port-num | ve ve-num} Use the specified interface as the source of the ping. Use ethernet for
ethernet interfaces, or ve for virtual ethernet interfaces.
By default, this is not set. The ACOS device looks up the route to the ping target in
the main route table and uses the interface associated with the route. (The management
interface is not used unless you specify the management IP address as the
source interface.)

pmtu Enable PMTU discovery.
repeat {count | unlimited} Number of times to send the ping. You can specify a number 1 - 10000000 (ten million),
or specify unlimited to ping continuously.
The default count is 5.
size num Specify the size of the datagram in bytes. You can specify a number from 1 - 10000.
The default size is 84 bytes.
source {ipaddr | ethernet port-num | ve ve-num} Forces the ACOS device to give the specified IP address (ipaddr), or the IP
address configured on the specified interface (either ethernet port-num or ve ve-num), as the source address of the ping.
timeout secs Number of seconds the ACOS device waits for a reply to a sent ping packet, 1-2100
seconds.
The default timeout value is 10 seconds.
ttl num Maximum number of hops the ping is allowed to traverse, 1-255.
The default is 1.

Default See descriptions.

Mode EXEC and Privileged EXEC

Usage The ping command sends an echo request packet to a remote address, and then awaits a
reply. Unless you use the flood option, the interval between sending of each ping packet is
1 second.

To terminate a ping session, type ctrl+c.

Example The following command sends a ping to IP address 192.168.3.116:

ACOS>ping 192.168.3.116
PING 192.168.3.116 (192.168.3.116) 56(84) bytes of data
64 bytes from 192.168.3.116: icmp_seq=1 ttl=128 time=0.206 ms
64 bytes from 192.168.3.116: icmp_seq=2 ttl=128 time=0.260 ms
64 bytes from 192.168.3.116: icmp_seq=3 ttl=128 time=0.263 ms
64 bytes from 192.168.3.116: icmp_seq=4 ttl=128 time=0.264 ms
64 bytes from 192.168.3.116: icmp_seq=5 ttl=128 time=0.216 ms
--- 192.168.3.116 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3996ms
rtt min/avg/max/mdev = 0.206/0.241/0.264/0.032 ms

Example The following command sends a ping to IP address 10.10.1.20, from ACOS Ethernet port 1.
The ping has data pattern “ffff”, is 1024 bytes long, and is sent 100 times.

ACOS>ping data ffff repeat 100 size 1024 source ethernet 1 10.10.1.20


show
Description Show system or configuration information.

Syntax show options

Default N/A

Mode EXEC and Privileged EXEC

Usage For information about the show commands, see “Show Commands” on page 681 and “SLB
Show Commands” on page 795.

ssh
Description Establish a Secure Shell (SSH) connection from the ACOS device to a different device.

Syntax ssh [use-mgmt-port] {hostname | ipaddr} login-name [protocol-port]

Parameter Description
use-mgmt-port Uses the management interface as the source interface for
the connection to the remote device. The management
route table is used to reach the device. By default, the
ACOS device attempts to use the data route table to reach
the remote device through a data interface.
{hostname | ipaddr} The hostname or IP address of the remote system.
login-name The user name used to log in to the remote system.
protocol-port TCP port number on which the remote system listens for
SSH client traffic. Specify a number 1 - 65535.
The default port is 22.

Default See description.

Mode EXEC and Privileged EXEC

Usage SSH version 2 is supported. SSH version 1 is not supported.

telnet
Description Open a Telnet tunnel connection from the ACOS device to another device.


Syntax telnet [use-mgmt-port] {hostname | ipaddr} [protocol-port]

Parameter Description
use-mgmt-port Uses the management interface as the source interface for
the connection to the remote device. The management
route table is used to reach the device. By default, the ACOS
device attempts to use the data route table to reach the
remote device through a data interface.
{hostname | ipaddr} The hostname or IP address of the remote system.
protocol-port TCP port number on which the remote system listens for
Telnet traffic. Specify a number 1 - 65535.
The default port is 23.

Default See description.

Mode EXEC and Privileged EXEC

Example The following command opens a Telnet session from one ACOS device to another ACOS
device at IP address 10.10.4.55:

ACOS>telnet 10.10.4.55
Trying 10.10.4.55...
Connected to 10.10.4.55.
Escape character is '^]'.
Welcome to Thunder
ACOS login:


traceroute
Description Display the router hops through which a packet sent from the ACOS device can reach a
remote device.

Syntax traceroute [ipv6 | use-mgmt-port] {hostname | ipaddr}

Parameter Description
ipv6 Indicates that the remote device is an IPv6 system.
use-mgmt-port Uses the management interface as the source interface. The
management route table is used to reach the device. By
default, the ACOS device attempts to use the data route
table to reach the remote device through a data interface.
{hostname | ipaddr} The hostname or IP address of the device at the remote end
of the route to be traced.

Default N/A

Mode EXEC and Privileged EXEC

Usage If a hop does not respond within 5 seconds, asterisks ( * ) are shown in the row for that hop.

Example The following command traces a route to 192.168.10.99:

ACOS>traceroute 192.168.10.99
traceroute to 192.168.10.99 (192.168.10.99), 30 hops max, 40 byte packets
1 10.10.20.1 (10.10.20.1) 1.215 ms 1.151 ms 1.243 ms
2 10.10.13.1 (10.10.13.1) 0.499 ms 0.392 ms 0.493 ms
...


Privileged EXEC Commands

The Privileged EXEC mode commands are available at the CLI level that is presented when you enter the enable command
and a valid enable password from the EXEC level of the CLI.

The Privileged EXEC mode level command prompt ends with #, as in the following example:

ACOS#

active-partition
Description Change the partition on an ACOS device configured for Application Delivery Partitioning
(ADP). (See “active-partition” on page 17.)

axdebug
Description Enters the AX debug subsystem. (See “AX Debug Commands” on page 875.)

backup log
Description Configure log backup options and save a backup of the system log.

Syntax backup log
[expedite]
[period {all | day | month | week | days}]
[stats-data]
{profile-name | [use-mgmt-port] url}

Parameter Description
expedite Allocates additional CPU to the backup process. This option allows up to 50% CPU utilization to
be devoted to the log backup process.
period Specifies the period of time whose data you want to back up:
• all - Backs up the log messages contained in the log buffer.
• day - Backs up the log messages generated during the most recent 24 hours.
• month - Backs up the log messages generated during the most recent 30 days.
• week - Backs up the log messages generated during the most recent 7 days.
• days - Backs up the log messages generated using days as the interval (for example, specify
5 to back up every 5 days).
The default period of time is one month.
stats-data Backs up statistical data from the GUI.

profile-name Profile name for the remote URL, 1-31 characters.
Profiles that can be used in place of the URL are configured with the backup store command.
use-mgmt-port Uses the management interface as the source interface for the connection to the remote
device. The management route table is used to reach the device. Without this option, the ACOS
device attempts to use the data route table to reach the remote device through a data interface.
url The url specifies the file transfer protocol, username (if required), and directory path to the location
where you want to save the backup file.
You can enter the entire URL on the command line or press Enter to display a prompt for each
part of the URL. If you enter the entire URL and a password is required, you will still be prompted
for the password. The password can be up to 255 characters long.
To enter the entire URL, use one of the following:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file

Default See descriptions.

Mode Privileged EXEC, or global configuration mode

Usage The expedite option controls the percentage of CPU utilization allowed exclusively to the
log backup process. The actual CPU utilization during log backup may be higher, if other
management processes also are running at the same time.

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following commands change the backup period to all, allow up to 50% CPU utilization
for the backup process, and back up the log:

ACOS#backup log period all
ACOS#backup log expedite
ACOS#backup log scp://192.168.20.161:/log.tgz
...

Example The following command backs up statistical data from the GUI:

ACOS#backup log stats-data scp://192.168.20.161:/log.tgz

NOTE: The log period and expedite settings also apply to backups of the GUI statistical
data.


backup system
Description Back up the system. The startup-config file, aFleX policy files, and SSL certificates and keys
will be backed up to a tar file.

NOTE: Backing up the system from one hardware platform and restoring it to another is not
supported.

Syntax backup system {profile-name | [use-mgmt-port] url}

Parameter Description
profile-name Profile name for the remote URL, 1-31 characters.
Profiles that can be used in place of the URL are configured
with the backup store command.
use-mgmt-port Uses the management interface as the source interface for
the connection to the remote device. The management
route table is used to reach the device. Without this option,
the ACOS device attempts to use the data route table to
reach the remote device through a data interface.
url The url specifies the file transfer protocol, username (if
required), and directory path to the location where you want
to save the backup file.
You can enter the entire URL on the command line or press
Enter to display a prompt for each part of the URL. If you enter
the entire URL and a password is required, you will still be
prompted for the password. The password can be up to 255
characters long.
To enter the entire URL, use one of the following:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file

Default N/A

Mode Privileged EXEC or Global configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following command backs up the system:

ACOS#backup system tftp://1.1.1.1/back_file


clear
Description Clear statistics or reset functions. Sub-command parameters are required for specific sub-
commands.

Syntax clear sub-command parameter

Default N/A

Mode Privileged EXEC mode or global configuration mode

Usage To list the options available for a clear command, enter ? after the command name. For
example, to display the clear gslb options, enter the following command:

clear gslb ?

On some ACOS models, entering either the clear slb switch or clear slb l4
command clears all anomaly counters for both show slb switch and show slb l4. This
applies to the following AX models: AX 3200-12, AX 3400, and AX 3530.

Note on Clearing Sessions

After entering the clear session command, the ACOS device may remain in session-clear
mode for up to 10 seconds. During this time, any new connections are sent to the delete
queue for clearing.

Example The following command clears the counters on Ethernet interface 3:

ACOS#clear statistics interface ethernet 3

clock
Description Set the system time and date.

Syntax clock set time day month year

Parameter Description
time Set the time, using 24-hour format hh:mm:ss.
day Set the day of the month (1-31).
month Set the month (January, February, March, and so on).
year Set the year (2013, 2014, and so on).

Mode Privileged EXEC mode

Usage Use this command to manually set the system time and date.


If the system clock is adjusted while OSPF or IS-IS is enabled, the routing protocols may stop
working properly. To work around this issue, disable OSPF and IS-IS before adjusting the
system clock.

Example Set the system clock to 5:51 p.m. and the date to February 22nd, 2015.

ACOS#clock set 17:51:00 22 February 2015

configure
Description Enter the configuration mode from the Privileged EXEC mode.

Syntax configure [terminal]

Mode Privileged EXEC mode

Example Enter configuration mode.

ACOS#configure
ACOS(config)#

debug

NOTE: It is recommended to use the AXdebug subsystem instead of these debug commands.
See “AX Debug Commands” on page 875.

diff
Description Display a side-by-side comparison of the commands in a pair of locally stored configurations.

Syntax diff {startup-config | profile-name} {running-config | profile-name}

Default N/A

Mode Privileged EXEC mode

Usage The following command compares the configuration profile that is currently linked to
“startup-config” with the running-config.

diff startup-config running-config

Similarly, the following command compares the configuration profile that is currently linked
to “startup-config” with the specified configuration profile:

diff startup-config profile-name

To compare a configuration profile other than the startup-config to the running-config,
enter the configuration profile name instead of startup-config.

To compare any two configuration profiles, enter their profile names instead of
startup-config or running-config.

In the CLI output, the commands in the first profile name you specify are listed on the left
side of the terminal screen. The commands in the other profile that differ from the
commands in the first profile are listed on the right side of the screen, across from the
commands they differ from. The following flags indicate how the two profiles differ:

• | – This command has different settings in the two profiles.


• > – This command is in the second profile but not in the first one.
• < – This command is in the first profile but not in the second one.

disable
Description Exit the Privileged EXEC mode and enter the EXEC mode.

Syntax disable
Mode Privileged EXEC mode

Example The following command exits Privileged EXEC mode.

ACOS#disable
ACOS>

NOTE: The prompt changes from # to >, indicating change to EXEC mode.

exit
Description Exit the Privileged EXEC mode and enter the EXEC Mode.

Syntax exit

Mode Privileged EXEC mode

Example In the following example, the exit command is used to exit the Privileged EXEC mode level
and return to the User EXEC level of the CLI:

ACOS#exit
ACOS>

NOTE: The prompt changes from # to >, indicating change to EXEC mode.

export
Description Put a file to a remote site using the specified transport method.

Syntax export
{
aflex |
auth-portal |
auth-portal-image |
auth-saml-idp |
axdebug |
bw-list |
cert |
cert-key |
class-list |
crl |
debug_monitor |
dnssec-dnskey |
dnssec-ds |
fixed-nat |
geo-location |
health-external |
key |
local-uri-file |
lw-4o6 |
policy |
running-config |
startup-config |
syslog |
wsdl |
xml-schema |
profile-name
}
[use-mgmt-port] url

Parameter Description
aflex Exports an aFleX file.
auth-portal Exports an authentication portal file for Application Access
Management (AAM).
auth-portal-image Exports the image file for the default portal.
auth-saml-idp Exports the SAML metadata of the identity provider.
axdebug Exports an AX debug capture file.
bw-list Exports a black/white list.
cert Exports an SSL cert file.
cert-key Exports a certificate and key together as a single file.
class-list Exports an IP class list.
crl Exports a certificate revocation list (CRL).
debug_monitor Exports a debug monitor file.
dnssec-dnskey Exports a DNSSEC key-signing key (KSK) file.
dnssec-ds Exports a DNSSEC DS file.

fixed-nat Exports the fixed NAT port mapping file.
geo-location Export the geo-location CSV file.
health-external Export the external program from the system.
key Exports an SSL key file.
license Exports a license file, if applicable to your model.
local-uri-file Exports the specified image file for the “sorry” page served to
RAM Caching clients if all servers are down.
lw-4o6 Exports the LW-4over6 binding table file.
policy Exports a WAF policy file.
running-config Exports the running configuration to a file.
startup-config Exports the startup configuration.
syslog Exports the messages from the local log buffer.
wsdl Exports a Web Services Definition Language (WSDL) file.
xml-schema Exports an XML schema file.
profile-name Name of a startup-config profile to export.
use-mgmt-port Uses the management interface as the source interface for the
connection to the remote device. The management route
table is used to reach the device. By default, the ACOS device
attempts to use the data route table to reach the remote
device through a data interface.
url Protocol, user name (if required), and directory path you want
to use to send the file.
You can enter the entire URL on the command line or press
Enter to display a prompt for each part of the URL. If you enter
the entire URL and a password is required, you will still be
prompted for the password. The password can be up to 255
characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[port:]/file
• scp://[user@]host/file
• sftp://[user@]host/file

Mode Privileged EXEC mode or global configuration mode

Usage If you omit the final forward slash in the url string, ACOS attempts to use the string after the
final slash as the filename. If you omit the extension, ACOS attempts to use the string after
the final slash as the base name of the file. However, this can lead to an error in some cases. If
you are exporting AXdebug output, make sure to use the final slash in the url string.

Due to a limitation in Windows, it is recommended to use names shorter than 255
characters. Windows allows a maximum of 256 characters for both the file name and the
directory path. If the combination of directory path and file name is too long, Windows will
not recognize the file. This limitation is not present on machines running Linux/Unix.

Example The following command exports an aFleX policy from the Thunder Series device to an FTP
server, to a directory named “backups”.

ACOS#export aflex aflex-01 ftp://192.168.1.101/backups/aflex-01

gen-server-persist-cookie
Description See “gen-server-persist-cookie” on page 18.

health-test
Description See “health-test” on page 19.

help
Description Display a description of the interactive help system of the ACOS device.

For more information, see “CLI Quick Reference” on page 4.

Syntax help

import
Description Get a file from a remote site.

Syntax import
{
aflex file |
auth-portal file |
auth-portal-image file |
auth-saml-idp file |
bw-list file |
ca-cert {[bulk] | file}
[certificate-type {pem | der | pfx | p7b}]
[csr-generate]
[pfx-password password] |
cert {[bulk] | file}
[certificate-type {pem | der | pfx | p7b}]
[csr-generate]
[pfx-password password] |
cert-key bulk |
class-list file |
crl file [csr-generate] |
dnssec-dnskey file |
dnssec-ds file |
geo-location file |
health-external file [description text] |
health-postfile file |
ip-map-list file |
key {bulk | file} [csr-generate] |
license file |
local-uri-file file |
lw-4o6 file |
policy file |
store file |
thales-secworld file |
web-category-license file |
wsdl file |
xml-schema file
}
[overwrite]
{[use-mgmt-port] url}

Parameter Description
aflex Import an aFleX file.
auth-portal Import an authentication portal file for Application Access Management (AAM).
auth-portal-image Import an image file for the default authentication portal.
auth-saml-idp Import the SAML metadata of the identity provider.
bw-list Import a black/white list.
ca-cert Imports a CA cert file.
• Use the bulk option to import multiple files simultaneously as a .tgz archive.
• Use certificate-type to specify a certificate type.
• Use csr-generate to generate a CSR file.

cert Imports an SSL cert file.
• Use the bulk option to import multiple files simultaneously as a .tgz archive.
• Use certificate-type to specify a certificate type.
• Use csr-generate to generate a CSR file.
cert-key bulk Imports a certificate and key together as a single file.
class-list Import an IP class list.
crl Import a certificate revocation list (CRL).
dnssec-dnskey Import a DNSSEC key-signing key (KSK) file.
dnssec-ds Import a DNSSEC DS file.
geo-location Imports a geo-location data file for Global Server Load Balancing (GSLB).
health-external Address of the external script program. Use the description option to provide a brief
description (1-63 characters) of the program.
health-postfile Address of the HTTP Post data file.
ip-map-list Import an IP map list.
key Import the SSL key file.
• Use the bulk option to import multiple files simultaneously as a .tgz archive.
• Use csr-generate to generate a CSR file.
license Import a license file, if applicable to your model.
local-uri-file Import the local URI files for HTTP responses.
lw-4o6 Import the LW-4over6 binding table file.
policy Import a WAF policy file.
store Import a store name for a remote URL.
• Use create to create an import store profile
• Use delete to delete an import store profile
thales-secworld Import a Thales security world file.
web-category-license Import a web-category-license file, which is required if you wish to access the BrightCloud
server and use the web-categorization feature.
wsdl Import a WSDL file.
xml-schema Import an XML schema file.

use-mgmt-port Uses the management interface as the source interface for the connection to the remote
device. The management route table is used to reach the device. Without this option, the
ACOS device attempts to use the data route table to reach the remote device through a data
interface.
url Protocol, user name (if required), and directory path you want to use to send the file.
You can enter the entire URL on the command line or press Enter to display a prompt for
each part of the URL. If you enter the entire URL and a password is required, you will still be
prompted for the password. The password can be up to 255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[port:]/file
• scp://[user@]host/file
• sftp://[user@]host/file

Mode Privileged EXEC mode or global configuration mode

Example The following command imports an aFleX policy onto the ACOS device from a TFTP server,
from its directory named “backups”:

ACOS#import aflex aflex-01 tftp://192.168.1.101/backups/aflex-01
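
The url forms accepted by export and import differ in transport protection: tftp and ftp carry the file unencrypted, while scp and sftp run over SSH. The following added example (not part of the A10 documentation) audits saved CLI lines for transfers that deserve review; the command lines marked constructed, the SENSITIVE set and the finding names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

CLEARTEXT = {"tftp", "ftp"}      # file (and any FTP password) crosses the network unencrypted
ENCRYPTED = {"scp", "sftp"}      # both run over SSH
# Assumption of this example: file types whose disclosure or tampering matters most.
SENSITIVE = {"key", "cert-key", "dnssec-dnskey", "thales-secworld",
             "running-config", "startup-config"}
PROMPT = re.compile(r"^\S*[#>]\s*")   # strips "ACOS#", "ACOS(config)#", "ACOS>"


def audit_transfer(line):
    """Describe one export/import command line; return None for any other command."""
    tok = PROMPT.sub("", line.strip()).split()
    if len(tok) < 2 or tok[0] not in ("export", "import"):
        return None
    direction, ftype = tok[0], tok[1]
    result = {"direction": direction, "type": ftype, "scheme": None, "host": None,
              "use_mgmt_port": "use-mgmt-port" in tok, "findings": []}
    findings = result["findings"]
    if "://" not in tok[-1]:
        # The CLI prompts for each URL part, so the transport is not visible here.
        findings.append("url-entered-at-prompt")
        return result
    parts = urlsplit(tok[-1])
    scheme = parts.scheme.lower()
    result["scheme"], result["host"] = scheme, parts.hostname
    if scheme in CLEARTEXT:
        findings.append("sensitive-over-cleartext" if ftype in SENSITIVE
                        else "cleartext-transport")
    elif scheme not in ENCRYPTED:
        findings.append("unsupported-url")
    if parts.password is not None:
        # The documented forms carry only [user@]; a password here ends up in history.
        findings.append("password-in-url")
    if direction == "export" and ftype == "axdebug" and not parts.path.endswith("/"):
        # Usage note: AXdebug exports need the final slash in the url string.
        findings.append("axdebug-missing-trailing-slash")
    return result


def flagged(lines):
    """Return (line, findings) for every transfer command that has at least one finding."""
    out = []
    for line in lines:
        result = audit_transfer(line)
        if result and result["findings"]:
            out.append((line, result["findings"]))
    return out


HISTORY = [
    "ACOS#export aflex aflex-01 ftp://192.168.1.101/backups/aflex-01",   # from this page
    "ACOS#import aflex aflex-01 tftp://192.168.1.101/backups/aflex-01",  # from this page
    "ACOS#export key web-key ftp://backup@192.0.2.10/keys/web-key",      # constructed
    "ACOS#export axdebug use-mgmt-port sftp://ops@192.0.2.10/captures",  # constructed
    "ACOS(config)#export running-config use-mgmt-port "
    "sftp://ops@192.0.2.10/backups/running-config",                      # constructed
]

if __name__ == "__main__":
    for line, findings in flagged(HISTORY):
        print(", ".join(findings), "<-", line)
```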

locale
Description Set the locale for the current terminal session.

Syntax locale parameter

The following table shows valid values for parameter:

Parameter Description
test Test the current terminal encodings for a specific locale.
en_US.UTF-8 English locale for the USA, encoding with UTF-8 (default)
zh_CN.UTF-8 Chinese locale for PRC, encoding with UTF-8
zh_CN.GB18030 Chinese locale for PRC, encoding with GB18030
zh_CN.GBK Chinese locale for PRC, encoding with GBK
zh_CN.GB2312 Chinese locale for PRC, encoding with GB2312
zh_TW.UTF-8 Chinese locale for Taiwan, encoding with UTF-8
zh_TW.BIG5 Chinese locale for Taiwan, encoding with BIG5
zh_TW.EUCTW Chinese locale for Taiwan, encoding with EUC-TW
ja_JP.UTF-8 Japanese locale for Japan, encoding with UTF-8
ja_JP.EUC-JP Japanese locale for Japan, encoding with EUC-JP

Default en_US.UTF-8

Mode Privileged EXEC mode or global configuration mode

no
Description Negate a command or set it to its default setting.

Syntax no command

Mode All

Example The following command disables the terminal command history feature:

ACOS#no terminal history


ACOS#

ping
Description Test network connectivity. For syntax information, see “ping” on page 20.

reboot
Description Reboot the ACOS device.

Syntax reboot
[all |
text |
in hh:mm [text] |
at hh:mm [month day | day month] [text] |
cancel]

Parameter Description
all Reboot all devices when VCS is enabled, or only this device itself if VCS
is not enabled.
text Reason for the reboot, 1-127 characters long.
in hh:mm Schedule a reboot to take effect in the specified hours and minutes.
The reboot must take place within approximately 24 hours.
at hh:mm Schedule a reboot to take place at the specified time (using a 24-hour
clock). If you specify the month and day, the reboot is scheduled to
take place at the specified time and date. If you do not specify the
month and day, the reboot takes place at the specified time on the
current day (if the specified time is later than the current time), or on
the next day (if the specified time is earlier than the current time).
Specifying 00:00 schedules the reboot for midnight.
month Name of the month, any number of characters in a unique string.

day Number of the day, 1-31.
cancel Cancel a scheduled reboot.

Mode Privileged EXEC mode

Usage The reboot command halts the system. If the system is set to restart on error, it reboots
itself. Use the reboot command after configuration information is entered into a file and
saved to the startup configuration.

You cannot reboot from a virtual terminal if the system is not set up for automatic booting.
This prevents the system from dropping to the ROM monitor and thereby taking the system
out of the remote user’s control.

If you modify your configuration file, the system will prompt you to save the configuration.

The at keyword can be used only if the system clock has been set on the Thunder Series
(either through NTP, the hardware calendar, or manually). The time is relative to the
configured time zone on the Thunder Series. To schedule reboots across several Thunder
Series to occur simultaneously, the time on each Thunder Series must be synchronized with
NTP. To display information about a scheduled reboot, use the show reboot command.

Example The following example immediately reboots the Thunder Series device:

ACOS(config)#reboot
System configuration has been modified. Save? [yes/no]:yes
Rebooting System Now !!!
Proceed with reboot? [yes/no]:yes

Example The following example reboots the ACOS device in 10 minutes:

ACOS(config)# reboot in 00:10


ACOS(config)# Reboot scheduled for 11:57:08 PDT Fri Apr 21 2014 (in
10 minutes)
Proceed with reboot? [yes/no]yes
ACOS(config)#

Example The following example reboots the ACOS device at 1:00 p.m. today:

ACOS(config)# reboot at 13:00


ACOS(config)# Reboot scheduled for 13:00:00 PDT Fri Apr 21 2014 (in
1 hour and 2 minutes)
Proceed with reboot? [yes/no]yes
ACOS(config)#

Example The following example reboots the ACOS device on Apr 20 at 4:20 p.m.:

ACOS(config)# reboot at 16:20 apr 20


ACOS(config)# Reboot scheduled for 16:20:00 PDT Sun Apr 20 2014 (in
38 hours and 9 minutes)
Proceed with reboot? [yes/no]yes
ACOS(config)#

Example The following example cancels a pending reboot:

ACOS(config)# reboot cancel


%Reboot cancelled.

***
*** --- REBOOT ABORTED ---
***

reload
Description Restart ACOS system processes and reload the startup-config, without rebooting.

Syntax reload [all | device device-id]

Parameter Description
all When VCS is enabled, this parameter causes all devices in the virtual
chassis to be reloaded.
When VCS is disabled, this parameter causes only the device on which
this command is run to be reloaded.
device device-id When VCS is enabled, this parameter causes only the specified device
to be reloaded.
When VCS is disabled, this parameter will return an error message.

Mode Privileged EXEC mode

Usage The reload command restarts ACOS system processes and reloads the startup-config,
without reloading the system image. To also reload the system image, use the reboot command
instead. (See “reboot” on page 37.)

The ACOS device closes all sessions as part of the reload.

If the reload command is used without any optional parameters (see example below) then
only the device on which the command is run will be reloaded. This is the case for both VCS-
enabled and VCS-disabled devices.

Example Below is an example of the reload command:

ACOS(config)#reload
Reload ACOS ....Done.
ACOS(config)#

repeat
Description Periodically re-enter a show command.

Syntax repeat seconds show command-options

Parameter Description
seconds Interval at which to re-enter the command. You can specify
1-300 seconds.
command-options Options of the show command. See “Show Commands” on
page 681 and “SLB Show Commands” on page 795.

Mode Privileged EXEC mode

Usage The repeat command is especially useful when monitoring or troubleshooting the system.

The elapsed time indicates how much time has passed since you entered the repeat
command. To stop the command, press Ctrl+C.

show
Description Display system or configuration information. See “Show Commands” on page 681 and “SLB
Show Commands” on page 795.

shutdown
Description Schedule a system shutdown at a specified time or after a specified interval, or cancel a
scheduled system shutdown.

Syntax shutdown {at hh:mm | in hh:mm | cancel [text]}

Parameter Description
at Shutdown at a specific time/date (hh:mm).
in Shutdown after time interval (mm or hh:mm).
cancel Cancel pending shutdown.
text Reason for shutdown (1-127 characters).

Mode Privileged EXEC mode

Example The following command schedules a system shutdown to occur at 11:59 p.m.:

ACOS#shutdown at 23:59

System configuration has been modified. Save? [yes/no]:yes


Building configuration...

[OK]
Shutdown scheduled for 23:59:00 UTC Fri Sep 30 2005 (in 5 hours and 39 minutes) by admin on
192.168.1.102
Proceed with shutdown? [confirm]
ACOS#

Example The following command cancels a scheduled system shutdown:

ACOS#shutdown cancel
***
*** --- SHUTDOWN ABORTED ---
***

ssh
Description Establish a Secure Shell (SSH) connection from the ACOS device to another device. (See “ssh”
on page 22.)

telnet
Description Establish a Telnet connection from the ACOS device to another device. (See “telnet” on
page 22.)

terminal
Description Set terminal display parameters for the current session.

Syntax terminal
{
auto-size |
command-timestamp [unix]|
editing |
gslb-prompt options |
history [size number] |
length number |
monitor |
width lines
}

Parameter Description
auto-size Enables the terminal length and width to automatically change to match the terminal
window size.
This is enabled by default.
command-timestamp Include timestamp information in the show command output.
The unix option displays the timestamp in Unix format (sec.us) since Unix Epoch. For
example:
See the example below for more information.

editing Enables command-line editing.
This is enabled by default.
gslb-prompt options Enables the CLI prompt to display the role of the ACOS device within a GSLB group.
• disable - disables this feature so the CLI prompt does not display role information
• group-role - displays “Member” or “Master” in the CLI prompt. For example:
ACOS:Master(config)#
• symbol - displays “gslb” in the CLI prompt after the name of the ACOS device. For example:
ACOS-gslb:Master(config)#
history [size] Enables and controls the command history function. The size option specifies the number of
command lines that will be held in the history buffer. You can specify 0-1000.
This is enabled by default, the default size is 256.
length num Sets the number of lines on a screen. You can specify 0-512. Specifying 0 disables pausing.
The default length is 24.
monitor Copies debug output to the current terminal.
This is disabled by default.
width num Sets the width of the display terminal. You can specify 0-512. The setting 0 means “infinite”.
The default width is 80.

Default See descriptions.

Mode Privileged EXEC mode

Usage This command affects only the current CLI session. The command is not added to the
running-config and does not persist across reloads or reboots. To make persistent changes, use
the command at the global configuration level. (See “terminal” on page 185.)

Example The following command changes the terminal length to 40:

ACOS#terminal length 40

Example The following example shows the command-timestamp option. Note the “Command start
time” and “Command end time” lines added as the first and last lines of the output:

ACOS#terminal command-timestamp
ACOS#show config-block
Command start time : 1422647248.076561
!Block configuration: 24 bytes
!64-bit Advanced Core OS (ACOS) version 4.0.1, build 98 (Jan-29-2015,15:55)
!
interface ethernet 1

!
!
end
!Configuration specified in merge mode
Command end time : 1422647248.077418
ACOS#

traceroute
Description Trace a route. See “traceroute” on page 24.

vcs
Description Enter operational commands for configuring ACOS Virtual Chassis System (aVCS).

For more information, refer to the CLI commands in Configuring ACOS Virtual Chassis
Systems.

write
Description Write the running-config to a configuration profile.

Syntax write {memory | force}
[primary | secondary | profile-name]
[all-partitions | partition {shared | private-partition-name}]

or

Syntax write terminal [all-partitions | partition {shared | partition-name}]

Parameter Description
memory Writes (saves) the running-config to a configuration profile.
force Forces the ACOS device to save the configuration regardless of
whether the system is ready.
terminal Displays the running-config on your terminal.
primary Replaces the configuration profile stored in the primary image area
with the running-config.
secondary Replaces the configuration profile stored in the secondary image area
with the running-config.
profile-name Replaces the commands in the specified configuration profile with the
running-config.
all-partitions Saves changes for all resources in all partitions.
partition {shared | partition-name} Saves changes only for the resources in the specified partition.

Default If you enter write memory without additional options, the command replaces the
configuration profile that is currently linked to by “startup-config” with the commands in the
running-config. If startup-config is set to its default (linked to the configuration profile stored in
the image area that was used for the last reboot), then write memory replaces the
configuration profile in the image area with the running-config.

The all-partitions and partition partition-name options are applicable on
ACOS devices that are configured for Application Delivery Partitioning (ADP). If you omit
both options, only the resources in the shared partition are saved. (If ADP is not configured,
all resources are in the shared partition, so you can omit both options.)

The all-partitions option is applicable only to admins with Root, Read-write, or Read-
only privileges. (See “show admin” on page 682 for descriptions of the admin privilege
levels.)

Mode Configuration mode

CAUTION: Using the write force command can result in an incomplete or empty
configuration! A10 Networks recommends that you use this command only with the advice
of A10 Networks Technical Support.

Usage Unless you use the force option, the command checks for system readiness and saves the
configuration only if the system is ready.

After saving the configuration to the local image area, the CLI displays a prompt asking
whether you also want to save the same configuration to the other image area. This option is
helpful for keeping the configurations in sync between the two image areas, if that is your
enterprise’s policy.

Example The following command saves the running-config to the configuration profile stored in the
primary image area of the hard disk:

ACOS#write memory primary


Building configuration...
Write configuration to primary default startup-config
Do you also want to write configuration to secondary default startup-config as well?
(y/n):y
[OK]

Example The following command saves the running-config to a configuration profile named
"slbconfig2":

ACOS#write memory slbconfig2

Example The following command attempts to save the running-config but the system is not ready:

ACOS#write memory
ACOS is not ready. Cannot save the configuration.

Example The following commands attempt to save the running-config on a system that is not ready,
then force the save operation to take place anyway:

ACOS#write memory
System is not ready. Cannot save the configuration.
ACOS#write force


Config Commands: Global

This chapter describes the commands for configuring global ACOS parameters.

To access this configuration level, use the configure command at the Privileged EXEC level.

To display global settings, use show commands. (See “Show Commands” on page 681.)

This CLI level also has the following commands, which are available at all configuration levels:

• active-partition – See “active-partition” on page 17.

• backup – See “backup system” on page 27 and “backup log” on page 25.

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• diff – See “diff” on page 29.

• export – See “export” on page 31.

• health-test – See “health-test” on page 33.

• help – See “CLI Quick Reference” on page 4.

• import – See “import” on page 34.

• repeat – See “repeat” on page 40.

• show – See “Show Commands” on page 681.

• write – See “write terminal” on page 192.

aam
Description See “Config Commands: Application Access Management” on page 193.

access-list (standard)
Description Configure a standard Access Control List (ACL) to permit or deny source IP addresses.

Syntax [no] access-list acl-num [seq-num]
{permit | deny | l3-vlan-fwd-disable | remark string}
{any | host host-ipaddr | src-ipaddr {filter-mask | /mask-length}}
[log [transparent-session-only]]

Parameter Description
acl-num Standard ACL number (1-99).
seq-num Sequence number of this rule in the ACL. You can use this option to re-sequence the rules
in the ACL.
permit Allows traffic for ACLs applied to interfaces or used for management access.
For ACLs used for IP source NAT, this option is also used to specify the inside host addresses
to be translated into external addresses.
NOTE: If you are configuring an ACL for source NAT, use the permit action. For ACLs used
with source NAT, the deny action does not drop traffic, it simply does not use the denied
addresses for NAT translations.
deny Drops traffic for ACLs applied to interfaces or used for management access.
l3-vlan-fwd-disable Disables Layer 3 forwarding between VLANs for IP addresses that match the ACL rule.
remark string Adds a remark to the ACL. The remark appears at the top of the ACL when you display it in
the CLI.
NOTE: An ACL and its individual rules can have multiple remarks.
To use blank spaces in the remark, enclose the entire remark string in double quotes. The
ACL must already exist before you can configure a remark for it.
any Denies or permits traffic received from any source host.
host host-ipaddr Denies or permits traffic received from a specific, single host.
src-ipaddr {filter-mask | /mask-length} Denies or permits traffic received from the specified host or subnet. The filter-mask
specifies the portion of the address to filter:
• Use 0 to match.
• Use 255 to ignore.
For example, the filter-mask 0.0.0.255 filters on a 24-bit subnet.
Alternatively, you can use /mask-length to specify the portion of the address to filter. For
example, you can specify “/24” instead of “0.0.0.255” to filter on a 24-bit subnet.
log [transparent-session-only] Configures the ACOS device to generate log messages when traffic matches the ACL.
The transparent-session-only option limits logging for an ACL rule to creation and
deletion of transparent sessions for traffic that matches the ACL rule.

Default No ACLs are configured by default. When you configure one, the log option is disabled by
default.

Mode Configuration mode

Usage An ACL can contain multiple rules. Each access-list command configures one rule. Rules
are added to the ACL in the order you configure them. The first rule you add appears at the
top of the ACL.

Rules are applied to the traffic in the order they appear in the ACL (from the top, which is the
first rule, downward). The first rule that matches traffic is used to permit or deny that traffic.
After the first rule match, no additional rules are compared against the traffic.

To move a rule within the sequence, delete the rule, then re-add it with a new sequence
number.

Access lists do not take effect until you apply them.

• To use an ACL to filter traffic on an interface, see “access-list” on page 241.
• To use an ACL to filter traffic on a virtual server port, see “access-list” on page 641.
• To use an ACL to control management access, see “disable-management” on page 88
and “enable-management” on page 91.
• To use an ACL with source NAT, see “ip nat inside source” on page 303.

The syntax shown in this section configures a standard ACL, which filters based on source IP
address. To filter on additional values such as destination address, IP protocol, or TCP/UDP
ports, configure an extended ACL. (See “access-list (extended)” on page 50.)

Support for Non-Contiguous Masks in IPv4 ACLs

A contiguous comparison mask is one that, when converted to its binary format, consists
entirely of ones. A non-contiguous mask, however, contains at least one zero. Table 3 shows
some examples of IPv4 addresses with each of the ACL mask types, a contiguous mask and a
non-contiguous mask. The addresses and masks are shown in both their decimal and binary
formats.

The “F” column indicates the format, decimal (D) or binary (B).

TABLE 2 IPv4 Address and Mask Examples


F  Address                              Mask
D  10 10 10 0                           0 255 255 255
B  00001010 00001010 00001010 00000000  00000000 11111111 11111111 11111111
D  10 10 10 0                           0 255 0 255
B  00001010 00001010 00001010 00000000  00000000 11111111 00000000 11111111
D  172 0 3 0                            0 255 255 255
B  10101100 00000000 00000010 00000000  00000000 11111111 11111111 11111111
D  172 0 3 0                            0 255 0 255
B  10101100 00000000 00000010 00000000  00000000 11111111 00000000 11111111

The non-contiguous masks are shown in italics.

Example The following commands configure a standard ACL and use it to deny traffic sent from
subnet 10.10.10.x, and apply the ACL to inbound traffic received on Ethernet interface 4:

ACOS(config)#access-list 1 deny 10.10.10.0 0.0.0.255
ACOS(config)#interface ethernet 4
ACOS(config-if:ethernet:4)#access-list 1 in

Example The commands in this example configure an ACL that uses a non-contiguous mask, and
apply the ACL to a data interface:

ACOS(config)#access-list 3 deny 172.0.3.0 0.255.0.255
Info: Configured a non-contiguous subnet mask.*
ACOS(config)#access-list 20 permit any
ACOS(config)#show access-list
access-list 3 4 deny 172.0.3.0 0.255.0.255 Data plane hits: 0
access-list 20 4 permit any Data plane hits: 0
ACOS(config)#interface ethernet 1
ACOS(config-if:ethernet:1)#access-list 3 in

* This message appears a maximum of 2 times within a given CLI session.

Based on this configuration, attempts to ping or open an SSH session with destination IP
address 172.17.3.130 from source 172.16.3.131 are denied. However, attempts from
172.16.4.131 are permitted.

access-list (extended)
Description Configure an extended Access Control List (ACL) to permit or deny traffic based on source
and destination IP addresses, IP protocol, and TCP/UDP ports.

Syntax [no] access-list acl-num [seq-num]
    {permit | deny | l3-vlan-fwd-disable | remark string} ip
    {any | host host-src-ipaddr | object-group src-group-name |
     net-src-ipaddr {filter-mask | /mask-length}}
    {any | host host-dst-ipaddr | object-group dst-group-name |
     net-dst-ipaddr {filter-mask | /mask-length}}
    [fragments] [vlan vlan-id] [dscp num]
    [log [transparent-session-only]]

or

[no] access-list acl-num [seq-num]
    {permit | deny | l3-vlan-fwd-disable | remark string} icmp
    [type icmp-type [code icmp-code]]
    {any | host host-src-ipaddr | object-group src-group-name |
     net-src-ipaddr {filter-mask | /mask-length}}
    {any | host host-dst-ipaddr | object-group dst-group-name |
     net-dst-ipaddr {filter-mask | /mask-length}}
    [fragments] [vlan vlan-id] [dscp num]
    [log [transparent-session-only]]

or

[no] access-list acl-num [seq-num]
    {permit | deny | l3-vlan-fwd-disable | remark string}
    object-group svc-group-name
    {any | host host-src-ipaddr | object-group src-group-name |
     net-src-ipaddr {filter-mask | /mask-length}}
    {any | host host-dst-ipaddr | object-group dst-group-name |
     net-dst-ipaddr {filter-mask | /mask-length}}
    [fragments] [vlan vlan-id] [dscp num]
    [log [transparent-session-only]]

or

[no] access-list acl-num [seq-num]
    {permit | deny | l3-vlan-fwd-disable | remark string} {tcp | udp}
    {any | host host-src-ipaddr | net-src-ipaddr
     {filter-mask | /mask-length}}
    [eq src-port | gt src-port | lt src-port |
     range start-src-port end-src-port]
    {any | host host-dst-ipaddr | net-dst-ipaddr
     {filter-mask | /mask-length}}
    [eq dst-port | gt dst-port | lt dst-port |
     range start-dst-port end-dst-port]
    [fragments] [vlan vlan-id] [dscp num] [established]
    [log [transparent-session-only]]

Parameter Description
acl-num Extended ACL number (100-199).
seq-num Sequence number of this rule in the ACL. You can use this option to re-sequence the
rules in the ACL.
permit Allows traffic that matches the ACL.
deny Drop the traffic that matches the ACL.
l3-vlan-fwd-disable Disables Layer 3 forwarding between VLANs for IP addresses that match the ACL rule.
remark string Adds a remark to the ACL. The remark appears at the top of the ACL when you display
it in the CLI.
NOTE: An ACL and its individual rules can have multiple remarks.
To use blank spaces in the remark, enclose the entire remark string in double quotes.
The ACL must already exist before you can configure a remark for it.

ip Filters on IP packets only.
icmp Filters on ICMP packets only.
tcp | udp Filters on TCP or UDP packets, as specified. These options also allow you to filter based
on protocol port numbers.
object-group Service object group name.
For more information, see “object-group service” on page 138.
type icmp-type This option is applicable if the protocol type is icmp. Matches based on the specified
ICMP type. You can specify one of the following. Enter the type name or the type number
(for example, “dest-unreachable” or “3”).
• any-type – Matches on any ICMP type.
• dest-unreachable, or 3 – destination is unreachable.
• echo-reply, or 0 – echo reply.
• echo-request, or 8 – echo request.
• info-reply, or 16 – information reply.
• info-request, or 15 – information request.
• mask-reply, or 18 – address mask reply.
• mask-request, or 17 – address mask request.
• parameter-problem, or 12 – parameter problem.
• redirect, or 5 – redirect message.
• source-quench, or 4 – source quench.
• time-exceeded, or 11 – time exceeded.
• timestamp, or 14 – timestamp.
• timestamp-reply, or 13 – timestamp reply.
code icmp-code This option is applicable if the protocol type is icmp. Matches based on the specified
ICMP code.
Replace icmp-code with an ICMP code number (0-254), or specify any-code to match
on any ICMP code.
any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}
    The source IP addresses to filter.
    • any - the ACL matches on any source IP address.
    • host host-src-ipaddr - the ACL matches only on the specified host IP address.
    • net-src-ipaddr {filter-mask | /mask-length} - the ACL matches on any
      host in the specified subnet. The filter-mask specifies the portion of the address to
      filter:
      • Use 0 to match.
      • Use 255 to ignore.
      For example, the filter-mask 0.0.0.255 filters on a 24-bit subnet.
      Alternatively, you can use /mask-length to specify the portion of the address to filter.
      For example, you can specify “/24” instead of “0.0.0.255” to filter on a 24-bit subnet.

eq src-port | gt src-port | lt src-port | range start-src-port end-src-port
    The source protocol ports to filter for TCP and UDP:
    • eq src-port - The ACL matches on traffic from the specified source port.
    • gt src-port - The ACL matches on traffic from any source port with a higher
      number than the specified port.
    • lt src-port - The ACL matches on traffic from any source port with a lower
      number than the specified port.
    • range start-src-port end-src-port - The ACL matches on traffic from any
      source port within the specified range.
any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}
    The destination IP addresses to filter.
    • any - the ACL matches on any destination IP address.
    • host host-dst-ipaddr - the ACL matches only on the specified host IP address.
    • net-dst-ipaddr {filter-mask | /mask-length} - the ACL matches on any
      host in the specified subnet. The filter-mask specifies the portion of the address to
      filter:
      • Use 0 to match.
      • Use 255 to ignore.
      For example, the filter-mask 0.0.0.255 filters on a 24-bit subnet.
      Alternatively, you can use /mask-length to specify the portion of the address to filter.
      For example, you can specify “/24” instead of “0.0.0.255” to filter on a 24-bit subnet.
eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port
    The destination protocol ports to filter for TCP and UDP:
    • eq dst-port - The ACL matches on traffic to the specified destination port.
    • gt dst-port - The ACL matches on traffic to any destination port with a higher
      number than the specified port.
    • lt dst-port - The ACL matches on traffic to any destination port with a lower
      number than the specified port.
    • range start-dst-port end-dst-port - The ACL matches on traffic to any
      destination port within the specified range.
fragments Matches on packets in which the More bit in the header is set (1) or the fragment
offset is non-zero.
vlan vlan-id Matches on the specified VLAN. VLAN matching occurs for incoming traffic only.
dscp num Matches on the 6-bit Diffserv value in the IP header, 1-63.
established Matches on TCP packets in which the ACK or RST bit is set.
This option is useful for protecting against attacks from outside. Since a TCP connection
from the outside does not have the ACK bit set (SYN only), the connection is
dropped. Similarly, a connection established from the inside always has the ACK bit set.
(The first packet to the network from outside is a SYN/ACK.)
log [transparent-session-only]
    Configures the ACOS device to generate log messages when traffic matches the ACL.
    The transparent-session-only option limits logging for an ACL rule to creation
    and deletion of transparent sessions for traffic that matches the ACL rule.

Default No ACLs are configured by default. When you configure one, the log option is disabled by
default.

Mode Configuration mode

Usage An ACL can contain multiple rules. Each access-list command configures one rule. Rules
are added to the ACL in the order you configure them. The first rule you add appears at the
top of the ACL.

Rules are applied to the traffic in the order they appear in the ACL (from the first rule at the
top, downward). The first rule that matches traffic is used to permit or deny that traffic.
After the first rule match, no additional rules are compared against the traffic.

To move a rule within the sequence, delete the rule, then re-add it with a new sequence
number.

Access lists do not take effect until you apply them:

• To use an ACL to filter traffic on an interface, see “interface” on page 247.
• To use an ACL to filter traffic on a virtual server port, see “access-list” on page 641.
• To use an ACL with source NAT, see “ip nat inside source” on page 303.
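
The filter-mask comparison (0 bits are compared, 1 bits are ignored, including non-contiguous masks) and the first-match rule order described above, as an added Python example that is not part of the A10 documentation. It reads rule lines in the form this page's examples use; the function names and the CONSTRUCTED_ACL rules are assumptions made for illustration, and a result of None means no rule matched, because this section does not state what the device does in that case.

```python
import ipaddress

# Rule copied from the page's non-contiguous-mask example.
PAGE_ACL = [
    "access-list 3 deny 172.0.3.0 0.255.0.255",
]
# Constructed rules (not from the page) to show first-match ordering.
CONSTRUCTED_ACL = [
    "access-list 10 permit host 10.10.10.5",
    "access-list 10 deny 10.10.10.0 0.0.0.255",
    "access-list 10 permit any",
]


def ip_to_int(text):
    return int(ipaddress.IPv4Address(text))


def is_contiguous(mask):
    """True when the ignored (1) bits form one run ending at the lowest bit,
    as in 0.0.0.255 or 0.255.255.255; 0.255.0.255 is non-contiguous."""
    return (mask & (mask + 1)) == 0


def parse_rule(line):
    """Parse 'access-list acl-num [seq-num] {permit | deny} source'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list":
        raise ValueError(f"not an access-list rule: {line!r}")
    i = 3 if tok[2].isdigit() else 2           # skip the optional seq-num
    action, src = tok[i], tok[i + 1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported action in: {line!r}")
    if src == ["any"]:
        addr, mask = 0, 0xFFFFFFFF             # every bit ignored
    elif len(src) == 2 and src[0] == "host":
        addr, mask = ip_to_int(src[1]), 0      # every bit compared
    elif len(src) == 2 and src[1].startswith("/"):
        length = int(src[1][1:])
        if not 0 <= length <= 32:
            raise ValueError(f"bad mask length in: {line!r}")
        addr, mask = ip_to_int(src[0]), (1 << (32 - length)) - 1
    elif len(src) == 2:
        addr, mask = ip_to_int(src[0]), ip_to_int(src[1])
    else:
        raise ValueError(f"unsupported source in: {line!r}")
    return {"acl": int(tok[1]), "action": action, "addr": addr, "mask": mask}


def rule_matches(rule, source):
    """Compare only the bits whose filter-mask bit is 0."""
    care = ~rule["mask"] & 0xFFFFFFFF
    return ((ip_to_int(source) ^ rule["addr"]) & care) == 0


def evaluate(lines, acl_num, source):
    """Return the action of the first matching rule, or None if none matches."""
    for rule in map(parse_rule, lines):
        if rule["acl"] == acl_num and rule_matches(rule, source):
            return rule["action"]
    return None


def noncontiguous_rules(lines):
    """Rules that would trigger the 'non-contiguous subnet mask' Info message."""
    return [ln for ln in lines if not is_contiguous(parse_rule(ln)["mask"])]


if __name__ == "__main__":
    for src in ("172.16.3.131", "172.16.4.131"):
        print("ACL 3 ", src, evaluate(PAGE_ACL, 3, src))
    for src in ("10.10.10.5", "10.10.10.9", "192.0.2.1"):
        print("ACL 10", src, evaluate(CONSTRUCTED_ACL, 10, src))
    # Swapping the first two rules shadows the host permit behind the subnet deny.
    shadowed = [CONSTRUCTED_ACL[1], CONSTRUCTED_ACL[0], CONSTRUCTED_ACL[2]]
    print("shadowed", evaluate(shadowed, 10, "10.10.10.5"))
```

Swapping the first two constructed rules changes the result for 10.10.10.5 from permit to deny, which is why a rule has to be deleted and re-added with a new sequence number to move it.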

accounting
Description Configure TACACS+ as the accounting method for recording information about user
activities. The Thunder Series device supports the following types of accounting:
• EXEC accounting – provides information about EXEC terminal sessions (user shells) on
the ACOS device.
• Command accounting – provides information about the EXEC shell commands executed
under a specified privilege level. This command also allows you to specify the
debug level.

Syntax [no] accounting exec {start-stop | stop-only} {radius | tacplus}

[no] accounting commands cmd-level stop-only tacplus

[no] accounting debug debug-level

Parameter Description
start-stop Sends an Accounting START packet to TACACS+ servers when a
user establishes a CLI session, and an Accounting STOP packet
when the user logs out or the session times out.
stop-only Only sends an Accounting STOP packet when the user logs out
or the session times out.
radius | tacplus Specifies the type of accounting server to use.
cmd-level Specifies which level of commands will be accounted:
• 15 (admin) - commands available to the admin (all commands).
• 14 (config) - commands available in config mode (not including
the commands of the admin and those under the admin mode).
• 1 (priv EXEC) - commands available in privileged EXEC mode.
• 0 (user EXEC) - commands available in user EXEC mode.
Command levels 2-13 are the same as command level 1.
debug-level Specifies the debug level for accounting. The debug level is set
as flag bits for different types of debug messages. The ACOS
device has the following types of debug messages:
• 0x1 - Common information such as “trying to connect with
TACACS+ servers”, “getting response from TACACS+ servers”;
they are recorded in syslog.
• 0x2 - Packet fields sent out and received by ACOS, not including
the length fields; they are printed out on the terminal.
• 0x4 - Length fields of the TACACS+ packets will also be
printed on the terminal.
• 0x8 - Information about the TACACS+ MD5 encryption is
recorded in syslog.

Default N/A

Mode Configuration mode

Usage The accounting server also must be configured. See “radius-server” on page 146 or
“tacacs-server host” on page 182.

Example The following command configures the ACOS device to send an Accounting START packet
to the previously defined TACACS+ servers when a user establishes a CLI session on the
device. The ACOS device also will send an Accounting STOP packet when a user logs out or
their session times out.

ACOS(config)#accounting exec start-stop tacplus

Example The following command configures the ACOS device to send an Accounting STOP packet
when a user logs out or a session times out.

ACOS(config)#accounting exec stop-only tacplus

Example The following command configures the ACOS device to send an Accounting STOP packet to
TACACS+ servers before a CLI command of level 14 is executed.

ACOS(config)#accounting commands 14 stop-only tacplus

Example The following command specifies debug level 15 for accounting.

ACOS(config)#accounting debug 15

admin
Description Configure an admin account for management access to the ACOS device.

Syntax [no] admin admin-username [password string]

Replace admin-username with the user name of an admin (1-31 characters).

This command changes the CLI to the configuration level for the specified admin account,
where the following admin-related commands are available:

Command Description
access {cli | web | axapi} Specifies the management interfaces through which the admin is allowed to
access the ACOS device.
By default, access is allowed through the CLI, GUI, and aXAPI.
disable Disables the admin account.
By default, admin accounts are enabled when they are added.
enable Enables the admin account.
By default, admin accounts are enabled when they are added.
password string Sets the password, 1-63 characters. Passwords are case sensitive and can contain
special characters. (For more information, see “Special Character Support
in Strings” on page 12.)
The default password is “a10”; this is the default for the “admin” account and
for any admin account you configure if you do not configure the password for
the account.
privilege {read | write | partition-enable-disable partition-name | partition-read partition-name | partition-write partition-name}
    Sets the privilege level for the account:
    • read – The admin can access the User EXEC and Privileged EXEC levels of
      the CLI only.
    • write – The admin can access all levels of the CLI.
    • partition-read – The admin has read-only privileges within the L3V
      partition to which the admin is assigned, and read-only privileges for the
      shared partition.
    • partition-write – The admin has read-write privileges within the L3V
      partition to which the admin is assigned. The admin has read-only privileges
      for the shared partition.
    • partition-enable-disable – The admin has read-only privileges for
      real servers, with permission to view service port statistics and to disable or
      re-enable the servers and their service ports. No other read-only or read-write
      privileges are granted.
    • partition-name – The name of the L3V partition to which the admin is
      assigned. This option applies only to admins that have privilege level
      partition-read, partition-write, or partition-enable-disable.
    NOTE: L3V partitions are used in Application Delivery Partitioning (ADP). For
    information, see the Configuring Application Delivery Partitions guide.
    The default privilege is read.
ssh-pubkey options Manage public key authentication for the admin.
ssh-pubkey import url
    Imports the public key onto the ACOS device.
    The url specifies the file transfer protocol, username (if required), and
    directory path.
    You can enter the entire URL on the command line or press Enter to display a
    prompt for each part of the URL. If you enter the entire URL and a password is
    required, you will still be prompted for the password. The password can be up
    to 255 characters long.
    To enter the entire URL:
    • tftp://host/file
    • ftp://[user@]host[:port]/file
    • scp://[user@]host/file
    • sftp://[user@]host/file
ssh-pubkey delete num
    Deletes a public key. The num option specifies the key number on the ACOS
    device. The key numbers are displayed along with the keys themselves by the
    ssh-pubkey list command. (See below.)
ssh-pubkey list
    Verifies installation of the public key.

trusted-host {ipaddr {subnet-mask | /mask-length} | access-list acl-id}
    Specifies the host or subnet address from which the admin is allowed to log
    onto the ACOS device. The trusted host can be either a single host (specified
    with the IP address and subnet mask), or a configured access control list (ACL)
    on your system.
    The default trusted host is 0.0.0.0/0, which allows access from any host or subnet.
unlock Unlocks the account. Use this option if the admin has been locked out due to
too many login attempts with an incorrect password. (To configure lockout
parameters, see “admin-lockout” on page 59.)

Default The system has a default admin account, with username “admin” and password “a10”. The
default admin account has write privilege and can log on from any host or subnet address.

Other defaults are described in the descriptions above.

Mode Configuration mode

Usage An additional session is reserved for the “admin” account to ensure access. If the maximum
number of concurrent open sessions is reached, the “admin” admin can still log in using the
reserved session. This reserved session is available only to the “admin” account.

Example The following commands add admin “adminuser1” with password “1234”:

ACOS(config)#admin adminuser1
ACOS(config-admin:adminuser1)#password 1234

Example The following commands add admin “adminuser2” with password “12345678” and write
privilege:

ACOS(config)#admin adminuser2
ACOS(config-admin:adminuser2)#password 12345678
ACOS(config-admin:adminuser2)#privilege write

Example The following commands add admin “adminuser3” with password “abcdefgh” and write
privilege, and restrict login access to the 10.10.10.x subnet only:

ACOS(config)#admin adminuser3
ACOS(config-admin:adminuser3)#password abcdefgh
ACOS(config-admin:adminuser3)#privilege write
ACOS(config-admin:adminuser3)#trusted-host 10.10.10.0 /24

Example The following commands configure an admin account for a private partition:

ACOS(config)#admin compAadmin password compApwd
ACOS(config-admin:compAadmin)#privilege partition-write companyA
Modify Admin User successful !

Example The following commands deny management access by admin “admin2” using the CLI or
aXAPI:

ACOS(config)#admin admin2
ACOS(config-admin:admin2)#no access cli
ACOS(config-admin:admin2)#no access axapi

Example The following commands add admin “admin4” with password “examplepassword” and
default privileges, and restrict login access as defined by access list 2. The show output
confirms that “ACL 2” is the trusted host:

ACOS(config)#admin admin4 password examplepassword
ACOS(config-admin)#trusted-host access-list 2
Modify Admin User successful!
ACOS(config-admin)#show admin admin4 detail
User Name ...... admin4
Status ...... Enabled
Privilege ...... R
Partition ......
Access type ...... cli web axapi
GUI role ...... ReadOnlyAdmin
Trusted Host(Netmask) ...... ACL 2
Lock Status ...... No
Lock Time ......
Unlock Time ......
Password Type ...... Encrypted
Password ...... $1$492b642f$/XuVOTmSOUskpvZsds5Xy0

admin-lockout
Description Set lockout parameters for admin sessions.

Syntax [no] admin-lockout
    {duration minutes | enable | reset-time minutes | threshold number}

Parameter Description
duration minutes Number of minutes a lockout remains in effect. After the lockout
times out, the admin can try again to log in. You can
specify 0-1440 minutes. To keep accounts locked until you or
another authorized administrator unlocks them, specify 0.
The default duration is 10 minutes.
enable Enables the admin lockout feature.
The lockout feature is disabled by default.
reset-time minutes Number of minutes the ACOS device remembers failed login
attempts. You can specify 1-1440 minutes.
The default reset time is 10 minutes.
threshold number Number of consecutive failed login attempts allowed before
an administrator is locked out. You can specify 1-10.
The default threshold is 5.

Default See descriptions.

Example The following command enables admin lockout:

ACOS(config)#admin-lockout enable

admin-session clear
Description Terminate admin sessions.

Syntax admin-session clear {all | session-id}

Parameter Description
all Clears all other admin sessions with the ACOS device except
yours.
session-id Clears only the admin session you specify.
To display a list of active admin sessions, including their session
IDs, use the show admin session command (see
show admin for more information).

Default N/A

Mode Configuration mode

aflex
Description Configure and manage aFleX policies.

For complete information and examples for configuring and managing aFleX policies, see
the aFleX Scripting Language Reference Guide.

Syntax aflex {
    check name |
    copy src-name dst-name |
    create name |
    delete name |
    help |
    rename src-name dst-name
    }

Parameter Description
check Check the syntax of the specified aFleX script.
copy Copy the src-name aFleX script to dst-name.
create Create an aFleX script with the specified name.
delete Delete the specified aFleX script.
help View aFleX help.
rename Rename an aFleX script from src-name to dst-name.

Mode Global configuration mode

aflex-scripts start
Description Begin a transaction to edit an aFleX script within the CLI. See the aFleX Scripting Language
Reference Guide.

arp
Description Create a static ARP entry or change the timeout for dynamic entries.

Syntax [no] arp ipaddr mac-address
    [interface {ethernet port-num | trunk trunk-id} [vlan vlan-id]]

Parameter Description
ipaddr IP address of the static entry.
mac-address MAC address of the static entry.
ethernet port-num | trunk trunk-id
    The number of the Ethernet data interface or trunk data interface.
vlan vlan-id If the ACOS device is deployed in transparent mode, and the
interface is a tagged member of multiple VLANs, use this option
to specify the VLAN for which to add the ARP entry.

Default The default timeout for learned entries is 300 seconds. Static entries do not time out.

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

arp-timeout
Description Change the aging timer for dynamic ARP entries.

Syntax [no] arp-timeout seconds

Replace seconds with the number of seconds a dynamic entry can remain unused before
being removed from the ARP table (60-86400).

Default 300 seconds (5 minutes)

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

audit
Description Configure command auditing.

Syntax [no] audit enable [privilege]

[no] audit size num-entries

Parameter Description
enable Enables command auditing for all configuration commands.
Command auditing is disabled by default.
privilege Enables the logging of privileged EXEC commands in addition
to configuration commands.
size num-entries Specifies the number of entries the audit log file can hold. You
can specify 1000-30000 entries. When the log is full, the oldest
entries are removed to make room for new entries.
The audit log holds 20000 entries by default.

Default See descriptions.

Mode Configuration mode

Usage Command auditing logs the following types of system management events:
• Admin logins and logouts for CLI, GUI, and aXAPI sessions
• Unsuccessful admin login attempts
• Configuration changes. All attempts to change the configuration are logged, even if
they are unsuccessful.
• CLI commands at the Privileged EXEC level (if audit logging is enabled for this level)

The audit log is maintained in a separate file, apart from the system log. The audit log is
ADP-aware. The audit log messages that are displayed for an admin depend upon the admin’s role
(privilege level). Admins with Root, Read Write, or Read Only privileges who view the audit
log can view all the messages, for all system partitions.

Admins who have privileges only within a specific partition can view only the audit log
messages related to management of that partition. Partition Real Server Operator admins
can not view any audit log entries.

NOTE: Backups of the system log include the audit log.

authentication console type
Description Configure a console authentication type.

Syntax [no] authentication console type {ldap | local | radius | tacplus}

Parameter Description
ldap Use LDAP for console authentication
local Use the ACOS configuration for console authentication.
radius Use RADIUS for console authentication.
tacplus Use TACACS+ for console authentication.

Mode Configuration mode

Usage You can specify as many options as needed.

Example The following example grants LDAP and local console authentication:

ACOS(config)#authentication console type ldap local

authentication enable
Description Configure authentication of admin enable (Privileged mode) access.

Syntax [no] authentication enable {local [tacplus] | tacplus [local]}

Parameter Description
local Uses the ACOS configuration for authentication of the enable password.
tacplus Uses TACACS+ for authentication of the enable password.

Default local

Mode Configuration mode

Usage The authentication enable command operates differently depending on the
authentication mode command setting:
• For authentication mode multiple, the ACOS device will attempt to authenticate
the admin with the first specified method. If the first method fails, the next
specified method is used.
• For authentication mode single, the ACOS device will attempt to authenticate
the admin with the first specified method. If the method fails, the ACOS device will
return an error. By default, authentication mode single is selected.

See “authentication mode” on page 64.

authentication login privilege-mode
Description Places TACACS+-authenticated admins who log into the CLI at the Privileged EXEC level of
the CLI instead of at the User EXEC level.

Syntax [no] authentication login privilege-mode

Default Disabled

Mode Configuration mode

authentication mode
Description Enable tiered authentication.

Syntax [no] authentication mode {multiple | single}

Parameter Description
multiple Enable “tiered” authentication, where the ACOS device will check the next method even if the primary
method does respond but authentication fails using that method.
For example, if the primary method is RADIUS and the next method is TACACS+, and RADIUS rejects
the admin, tiered authentication attempts to authenticate the admin using TACACS+.
This authentication behavior is summarized below:
1. Try method1. If a method1 server replies, permit or deny access based on the server reply.
2. If no method1 servers reply or a method1 server denies access, try method2.
3. If no method2 servers reply or a method2 server denies access, try method3.
4. If no method3 servers reply or a method3 server denies access, try method4. If authentication
succeeds, the admin is permitted. Otherwise, the admin is denied.
single Enable single authentication mode, where the backup authentication method will only be used if the
primary method does not respond. If the primary method does respond but denies access, then the
secondary method is simply not used. The admin is not granted access.
This authentication behavior is summarized below:
1. Try method1. If a method1 server replies, permit or deny access based on the server reply.
2. Only if no method1 servers reply, try method2. If a method2 server replies, permit or deny access
based on the server reply.
3. Only if no method2 servers reply, try method3. If a method3 server replies, permit or deny access
based on the server reply.
4. Only if no method3 servers reply, try method4. If authentication succeeds, the admin is permitted.
Otherwise, the admin is denied.

Default By default, single authentication mode is used.

Mode Configuration mode
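
The two fallback behaviours summarized in the table above, modelled as an added Python example that is not A10 code. The reply labels, function names and the assumption that the local database always answers are introduced here for illustration; divergent_cases() enumerates every reply combination in which the two modes reach different decisions.

```python
from itertools import product

ACCEPT, REJECT, NO_REPLY = "accept", "reject", "no-reply"


def authenticate(methods, replies, mode="single"):
    """Walk the ordered auth-list as the page describes.

    methods: ordered list such as ["radius", "tacplus", "local"]
    replies: mapping of method -> ACCEPT, REJECT or NO_REPLY
    Returns (granted, deciding_method, methods_tried).
    """
    if mode not in ("single", "multiple"):
        raise ValueError(f"unknown authentication mode: {mode!r}")
    tried, last_reject = [], None
    for method in methods:
        tried.append(method)
        reply = replies.get(method, NO_REPLY)
        if reply == ACCEPT:
            return True, method, tried
        if reply == REJECT:
            last_reject = method
            if mode == "single":
                # single: a method that answers is final, even when it denies.
                return False, method, tried
        # multiple: a denial falls through to the next method;
        # both modes fall through when no server replies.
    return False, last_reject, tried


def divergent_cases(methods):
    """Return every reply combination on which single and multiple disagree."""
    # Assumption: the local database always answers, so it never yields NO_REPLY.
    options = [
        (ACCEPT, REJECT) if m == "local" else (ACCEPT, REJECT, NO_REPLY)
        for m in methods
    ]
    cases = []
    for combo in product(*options):
        replies = dict(zip(methods, combo))
        single = authenticate(methods, replies, "single")[0]
        multiple = authenticate(methods, replies, "multiple")[0]
        if single != multiple:
            cases.append(replies)
    return cases


if __name__ == "__main__":
    chain = ["radius", "tacplus", "local"]
    # Constructed scenario: RADIUS rejects, TACACS+ is down, local accepts.
    scenario = {"radius": REJECT, "tacplus": NO_REPLY, "local": ACCEPT}
    for mode in ("single", "multiple"):
        print(mode, authenticate(chain, scenario, mode))
    for case in divergent_cases(chain):
        print("modes differ:", case)
```

Every divergent case has the same shape: an earlier method rejects and a later one accepts, so in multiple mode a credential that an external server denies is still accepted if a later method in the list, such as the local database, accepts it.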

authentication type
Description Set the authentication method used to authenticate administrative access to the ACOS
device.

Syntax [no] authentication console type auth-list

Syntax [no] authentication type auth-lists

Parameter Description
console Applies the authentication settings only to access through the console (serial) port.
Without this option, the settings apply to all types of admin access.
type auth-list Uses the ACOS configuration for authentication. If the administrative username and
password match an entry in the configuration, the administrator is granted access.
The auth-list can contain one or more of the following:
• ldap – Uses an external LDAP server for authentication.
• local – Uses the ACOS configuration for authentication. If the administrative
username and password match an entry in the configuration, the administrator is
granted access.
• radius – Uses an external RADIUS server for authentication.
• tacplus – Uses an external TACACS+ server for authentication.

Default By default, only local authentication is used.

Mode Configuration mode

Usage The local database (local option) must be included as one of the authentication sources,
regardless of the order in which the sources are used. Authentication using only a remote
server is not supported.

To configure the external authentication server(s), see “radius-server” on page 146 or
“tacacs-server host” on page 182.

Example The following commands configure a pair of RADIUS servers and configure the ACOS device
to try them first, before using the local database. Since 10.10.10.12 is added first, this server
will be used as the primary server. Server 10.10.10.13 will be used only if the primary server is
unavailable. The local database will be used only if both RADIUS servers are unavailable.

ACOS(config)#radius-server host 10.10.10.12 secret radp1
ACOS(config)#radius-server host 10.10.10.13 secret radp2
ACOS(config)#authentication type radius local

authorization
Description Configure authorization for controlling access to functions in the CLI. The ACOS device can
use TACACS+ for authorizing commands executed under a specified privilege level. This
command also allows the user to specify the level for authorization debugging.

Syntax [no] authorization commands cmd-level method {tacplus [none] | none}

[no] authorization debug debug-level

Parameter Description
cmd-level Specifies the level of commands that will be authorized. The commands
are divided into the following levels:
• Privilege 0: Read-only
• Privilege 1: Read-write
• Privilege 2–4: Not-used
• Privilege 5–14: Reserved for ACOS-specific roles
• Privilege 15: Read-write
tacplus Specifies TACACS+ as the authorization method. (If you omit this
option, you must specify none as the method, in which case no
authorization will be performed.)
tacplus none If all the TACACS+ servers fail to respond, then no further authorization
will be performed and the command is allowed to execute.
none No authorization will be performed.
debug-level Specifies the debug level for authorization. The debug level is set as
flag bits for different types of debug messages. The Thunder Series has
the following types of debug messages:
• 0x1 – Common system events such as “trying to connect with
TACACS+ servers” and “getting response from TACACS+ servers”.
These events are recorded in the syslog.
• 0x2 – Packet fields sent out and received by the Thunder Series
device, not including the length fields. These events are written to
the terminal.
• 0x4 – Length fields of the TACACS+ packets will also be displayed
on the terminal.
• 0x8 – Information about TACACS+ MD5 encryption will be sent to
the syslog.

Default Not set

Mode Configuration mode

Usage The authorization server also must be configured. See “radius-server” on page 146 or
“tacacs-server host” on page 182.

Example The following command specifies the authorization method for commands executed at
level 14: try TACACS+ first but if it fails to respond, then allow the command to execute
without authorization.

ACOS(config)#authorization commands 14 method tacplus none

The following command specifies debug level 15 for authorization:

ACOS(config)#authorization debug 15
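
As an added example (not part of the A10 documentation), the following Python script audits the authorization lines of a saved configuration: it flags the "tacplus none" and "none" methods, under which commands run without authorization, and decodes an "authorization debug" level into the flag bits listed in the table above. The sample configuration, the severity labels and all function names are constructed for illustration.

```python
import re
from typing import NamedTuple

# Flag bits from the debug-level table above: bit -> (message type, destination).
DEBUG_FLAGS = {
    0x1: ("common system events", "syslog"),
    0x2: ("packet fields without length fields", "terminal"),
    0x4: ("TACACS+ packet length fields", "terminal"),
    0x8: ("TACACS+ MD5 encryption information", "syslog"),
}

PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*")   # e.g. "ACOS(config)#"
AUTHZ_RE = re.compile(
    r"^authorization\s+commands\s+(\d+)\s+method\s+(tacplus\s+none|tacplus|none)$")
DEBUG_RE = re.compile(r"^authorization\s+debug\s+(\S+)$")


class Finding(NamedTuple):
    line_no: int
    severity: str   # labels chosen for this example, not ACOS terminology
    message: str


def decode_debug_level(level):
    """Return (bit, message type, destination) for every flag bit set in level."""
    return [(bit, *DEBUG_FLAGS[bit]) for bit in sorted(DEBUG_FLAGS) if level & bit]


def parse_level(token):
    """Accept decimal (15) or 0x-prefixed hex (0xf); raise ValueError otherwise."""
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def audit_authorization(config_text):
    """Scan configuration text and return a list of Finding tuples."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = PROMPT_RE.sub("", raw.strip())
        if line.startswith("no "):
            continue  # the "no" form removes the setting
        m = AUTHZ_RE.match(line)
        if m:
            level, method = int(m.group(1)), " ".join(m.group(2).split())
            if level > 15:
                findings.append(Finding(line_no, "error",
                                        f"privilege level {level} is outside 0-15"))
            elif method == "tacplus none":
                findings.append(Finding(line_no, "high",
                    f"level {level}: commands execute unauthorized when no "
                    "TACACS+ server responds"))
            elif method == "none":
                findings.append(Finding(line_no, "high",
                    f"level {level}: no authorization is performed"))
            continue
        m = DEBUG_RE.match(line)
        if m:
            try:
                level = parse_level(m.group(1))
            except ValueError:
                findings.append(Finding(line_no, "error",
                    f"debug level {m.group(1)!r} is not a number"))
                continue
            if not 0 <= level <= 0xF:
                findings.append(Finding(line_no, "error",
                    f"debug level {level} uses bits outside 0x1-0x8"))
                continue
            to_terminal = [what for _, what, dest in decode_debug_level(level)
                           if dest == "terminal"]
            if to_terminal:
                findings.append(Finding(line_no, "info",
                    "debug output written to the terminal: " + ", ".join(to_terminal)))
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
authorization commands 15 method tacplus
ACOS(config)#authorization commands 14 method tacplus none
authorization commands 1 method none
authorization debug 15
authorization debug l5
no authorization debug 15
"""

if __name__ == "__main__":
    for finding in audit_authorization(SAMPLE_CONFIG):
        print(f"line {finding.line_no} [{finding.severity}] {finding.message}")
```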

backup-periodic
Description Schedule periodic backups.

CAUTION: After configuring this feature, make sure to save the configuration. If the device
resets before the configuration is saved, the backups will not occur.

Syntax [no] backup-periodic {target [...]}
{hour num | day num | week num}
{[use-mgmt-port] url}

Parameter Description
target • Specify system to back up the following system files:
• Startup-config files
• Admin accounts and login and enable passwords
• aFleX scripts
• Class lists and black/white lists
• Scripts for external health monitors
• SSL certificates, keys, and certificate revocation lists
• If custom configuration profiles are mapped to the startup-config, they also are backed up.
• Specify log to back up the system log.
You can specify either option, or both options.
hour num | day num | week num Specifies how often to perform the backups. You can specify one of the following:
• hour num – Performs the backup each time the specified number of hours passes. For example,
specifying hour 3 causes the backup to occur every 3 hours. You can specify 1-65534 hours.
There is no default.
• day num – Performs the backup each time the specified number of days passes. For example,
specifying day 5 causes the backup to occur every 5 days. You can specify 1-199 days. There is no
default.
• week num – Performs the backup each time the specified number of weeks passes. For example,
specifying week 4 causes the backup to occur every 4 weeks. You can specify 1-199 weeks. There
is no default.

use-mgmt-port Uses the management interface as the source interface for the connection to the remote device.
The management route table is used to reach the device. Without this option, the ACOS device
attempts to use the data route table to reach the remote device through a data interface.
url Specifies the file transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter to display a prompt for each part
of the URL. If you enter the entire URL and a password is required, you will still be prompted for the
password. The password can be up to 255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file

Default Not set

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following commands schedule weekly backups of the entire system, verify the
configuration, and save the backup schedule to the startup-config:

ACOS(config)#backup periodically system week 1 ftp://admin2@10.10.10.4/weekly-sys-backup
Password []?<characters not shown>
Do you want to save the remote host information to a profile for later use?[yes/no]yes
Please provide a profile name to store remote url:wksysbackup
ACOS(config)#show backup
backup periodically system week 1 ftp://admin2@10.10.10.4//weekly-sys-backup
Next backup will occur at 14:37:00 PDT Thu Aug 19 2014
ACOS(config)#write memory
Building configuration...
[OK]
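
As an added example (not part of the A10 documentation), the following Python script validates a periodic backup command against the syntax and ranges in the parameter table above, and warns when the transfer uses FTP or TFTP, which do not encrypt the transferred file. It accepts both the backup-periodic spelling from the Syntax line and the "backup periodically" spelling shown in the example session; the function names and the second sample host are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Interval ranges and URL schemes as listed in the parameter table above.
INTERVAL_RANGES = {"hour": (1, 65534), "day": (1, 199), "week": (1, 199)}
CLEARTEXT_SCHEMES = {"tftp", "ftp"}   # no transport encryption
ENCRYPTED_SCHEMES = {"scp", "sftp"}   # carried over SSH
PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*")   # e.g. "ACOS(config)#"


def parse_backup_periodic(line):
    """Parse one periodic backup command into a dict; raise ValueError if invalid."""
    tokens = PROMPT_RE.sub("", line.strip()).split()
    if tokens[:1] == ["backup-periodic"]:
        rest = tokens[1:]
    elif tokens[:2] == ["backup", "periodically"]:
        rest = tokens[2:]
    else:
        raise ValueError("not a periodic backup command")

    # One or both targets, each at most once.
    targets = []
    while rest and rest[0] in ("system", "log") and rest[0] not in targets:
        targets.append(rest.pop(0))
    if not targets:
        raise ValueError("expected target: system, log, or both")

    if len(rest) < 2 or rest[0] not in INTERVAL_RANGES:
        raise ValueError("expected hour, day or week followed by a number")
    unit, every = rest.pop(0), int(rest.pop(0))
    low, high = INTERVAL_RANGES[unit]
    if not low <= every <= high:
        raise ValueError(f"{unit} must be {low}-{high}, got {every}")

    use_mgmt_port = bool(rest) and rest[0] == "use-mgmt-port"
    if use_mgmt_port:
        rest.pop(0)
    if len(rest) != 1:
        raise ValueError("expected exactly one URL")

    url = urlsplit(rest[0])
    scheme = url.scheme.lower()
    if scheme not in CLEARTEXT_SCHEMES | ENCRYPTED_SCHEMES or not url.hostname:
        raise ValueError(f"unsupported or malformed URL: {rest[0]}")

    return {
        "targets": targets, "unit": unit, "every": every,
        "use_mgmt_port": use_mgmt_port, "scheme": scheme,
        "user": url.username, "host": url.hostname, "path": url.path,
    }


def review_backup(parsed):
    """Return warnings about how the backup file is transported."""
    warnings = []
    if parsed["scheme"] in CLEARTEXT_SCHEMES:
        if "system" in parsed["targets"]:
            warnings.append(
                f"{parsed['scheme']} sends the system backup unencrypted; it contains "
                "admin accounts, login and enable passwords, and SSL keys")
        else:
            warnings.append(f"{parsed['scheme']} sends the log backup unencrypted")
    return warnings


if __name__ == "__main__":
    samples = [
        # Command from the example session above.
        "ACOS(config)#backup periodically system week 1 "
        "ftp://admin2@10.10.10.4/weekly-sys-backup",
        # Constructed variant using SFTP and the management port.
        "backup-periodic system log day 5 use-mgmt-port sftp://backup@192.0.2.10/acos",
    ]
    for sample in samples:
        parsed = parse_backup_periodic(sample)
        print(parsed["scheme"], parsed["host"], review_backup(parsed) or "no warnings")
```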

backup store
Description Configure and save file access information for backup. When you back up system
information, you can save typing by specifying the name of the store instead of the options
in the store.

Syntax [no] backup store {create store-name url | delete store-name}

Parameter Description
store-name Name of the store.
url File transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter to
display a prompt for each part of the URL. If you enter the entire URL
and a password is required, you will still be prompted for the
password. The password can be up to 255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file

Default None

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

For other backup options, see the following:

• “backup log” on page 25
• “backup system” on page 27
• “backup-periodic” on page 67

banner
Description Set the banners to be displayed when an admin logs onto the CLI or accesses the Privileged
EXEC mode.

Syntax [no] banner {exec | login} [multi-line end-marker] line

Parameter Description
exec Configures the EXEC mode banner (1-128 characters).
login Configures the login banner (1-128 characters).

multi-line end-marker Hexadecimal number to indicate the end of a multi-line message. The
end marker is a simple string up to 2 characters long, each of
which must be an ASCII character from the following range: 0x21-0x7e.
The multi-line banner text starts from the first line and ends at the
marker. If the end marker is on a new line by itself, the last line of the
banner text will be empty. If you do not want the last line to be empty,
put the end marker at the end of the last non-empty line.
line Specifies the banner text.

Default The default login banner is “ACOS system is ready now.”

The default EXEC banner is “[type ? for help]”.

Mode Configuration mode

Example The following examples set the login banner to “welcome to login mode” and set the EXEC
banner to a multi-line greeting:

ACOS(config)#banner exec welcome to exec mode
ACOS(config)#banner login multi-line bb
Enter text message, end with string 'bb'.
Here is a multi-line
Greeting.
bb
ACOS(config)#

bfd
Description Enable and configure Bidirectional Forwarding Detection (BFD) on a global basis.

Syntax [no] bfd {echo | enable | interval ms min-rx ms multiplier value}

Parameter Description
echo Globally enables the echo function. When the echo option is enabled, the detection interval,
(or the time that the ACOS device waits for a BFD control packet from a BFD neighbor), is set
automatically to 3200 ms.
BFD echo enables a device to test the data path to the neighbor and back. When a device
generates a BFD echo packet, the packet uses the routing link to the neighbor device to reach the
device. The neighbor device is expected to send the packet back over the same link.

enable Globally enable BFD packet processing.
interval ms min-rx ms multiplier value Transmit interval between BFD packets.
• interval ms - Rate at which the ACOS device sends BFD control packets to its BFD neighbors.
You can specify 48-1000 milliseconds (ms). The default interval is 800 ms.
• min-rx ms - Minimum amount of time in milliseconds that the ACOS device waits to
receive a BFD control packet from a BFD neighbor. If a control packet is not received within
the specified time, the multiplier (below) is incremented by 1. You can specify 48-1000 ms.
The default is 800 ms.
• multiplier value - Maximum number of consecutive times the ACOS device will wait
for a BFD control packet from a neighbor. If the multiplier value is reached, the ACOS device
concludes that the routing process on the neighbor is down. You can specify 3-50. The
default multiplier is 4.

Default By default, BFD packet processing is disabled.

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

If you configure the interval timers on an individual interface, then the interface settings are
used instead of the global settings. Similarly, if the BFD timers have not been configured on
an interface, then the interface will use the global settings.

NOTE: BFD always uses the globally configured interval timer if it's for a BGP loopback
neighbor.

bgp extended-asn-cap
Description Enable the ACOS device to send 4-octet BGP Autonomous System Number (ASN)
capabilities.

Syntax [no] bgp extended-asn-cap

Default Disabled; 2-octet ASN capabilities are enabled instead.

Mode Configuration mode

Usage To configure other BGP parameters, see “Config Commands: Router – BGP” on page 415.

bgp nexthop-trigger
Description Configure BGP nexthop tracking.

Syntax [no] bgp nexthop-trigger delay seconds

[no] bgp nexthop-trigger enable

Parameter Description
delay seconds Specifies how long BGP waits before walking the full BGP table
to determine which prefixes are affected by the nexthop changes,
after receiving a trigger about nexthop changes. You can specify
1-100 seconds.
By default, this feature is disabled. When enabled, the default is 5
seconds.
enable Enables nexthop tracking.

Default See description.

Mode Configuration mode

Usage To configure other BGP parameters, see “Config Commands: Router – BGP” on page 415.

big-buff-pool
Description On high-end models only, you can enable the big-buff-pool option to expand support
from 4 million to 8 million buffers and increase the buffer index from 22 to 24 bits.

NOTE: The AX 5200-11 requires 96 Gb of memory to support this feature. To check that
your system meets this requirement, use the show memory system CLI command.

Syntax [no] big-buff-pool

Default Disabled

Mode Configuration mode

Example The following commands enable a larger I/O buffer pool for an AX 5630:

ACOS(config)#no big-buff-pool
This will modify your boot profile to disable big I/O buffer pool.
It will take effect starting from the next reboot.
Please confirm: You want to disable the big I/O buffer pool(N/Y)?:
Y

block-abort
Description Use this command to exit block-merge or block-replace mode without implementing the
new configurations made in block mode.

Syntax block-abort

Default N/A

Mode Block-merge or block-replace configuration mode

Usage Use this command to discard any changes you make while in block-merge or block-replace
mode. In order to exit block mode without committing the new configuration changes, use
block-abort. This command must be entered before block-merge-end or
block-replace-end in order for all block configuration changes to be deleted. This command
ends block configuration mode.

block-merge-end
Description Use this command to exit block-merge mode and integrate new configurations into the
current running config.

Syntax block-merge-end

Default N/A

Mode Block-merge configuration mode.

Usage This command exits block-merge configuration mode and merges all of your new
configuration with the existing running configuration. In the case of overlapping configurations, the
new configuration will be used. Any old configurations which are not replaced in
block-merge mode will remain in the running configuration after this command is entered. The
new configurations are merged into the running configuration without disturbing live traffic.

block-merge-start
Description Use this command to enter block-merge configuration mode.

Syntax block-merge-start

This command takes you to the Block-merge configuration level, where all configuration
commands are available.

Default Disabled.

Mode Global configuration mode.

Usage This command enters block-merge configuration mode but leaves the ACOS device up.
While in block-merge mode, new configurations will not be entered into the running
configuration. At the block-merge configuration level, you can enter new configurations which you
want to merge into the running configuration. Any configuration that overlaps with the
current running configuration will be replaced when ending block-merge mode. Any
configurations in the running config which are not configured in block-merge mode will continue to
be included in the running configuration mode after exiting block-merge mode.

block-replace-end
Description Enter this command to end block-replace configuration mode and replace the current
running configuration with the new configurations.

Syntax block-replace-end

Default N/A

Mode Block-replace configuration mode.

Usage This command exits block-replace configuration mode and replaces all of your existing
configuration with the new configuration. Any old configurations which are not replaced in
block-replace mode will be removed in the running configuration after this command is
entered. The new configurations become the running configuration without disturbing live
traffic.

block-replace-start
Description Use this command to enter block-replace configuration mode.

Syntax block-replace-start

This command takes you to the Block-replace configuration level, where all configuration
commands are available.

Default Disabled.

Mode Global configuration mode.

Usage This command enters block-replace configuration mode but leaves the ACOS device up.
While in block-replace mode, new configurations will not be entered into the running
configuration. At the block-replace configuration level, you can enter a new configuration which
you want to replace the running configuration. All of the running configuration will be
replaced when ending block-merge mode. If an object that exists in the running
configuration is not configured in block-replace, then all configurations for that object will be removed
upon ending block-replace mode.

boot-block-fix
Description Repair the master boot record (MBR) on the hard drive or compact flash.

Syntax boot-block-fix {cf | hd}

Parameter Description
cf Repair the compact flash.
hd Repair the hard disk.

Default N/A

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Usage The MBR is the boot sector located at the very beginning of a boot drive. Under advisement
from A10 Networks, you can use the command if your compact flash or hard drive cannot
boot. If this occurs, boot from the other drive, then use this command.

bootimage
Description Specify the boot image location from which to load the system image the next time the
Thunder Series is rebooted.

Syntax bootimage {cf | hd} {pri | sec}

Parameter Description
cf | hd Boot medium. The Thunder Series device always tries to boot
using the hard disk (hd) first. The compact flash (cf ) is used only
if the hard disk is unavailable.
pri | sec Boot image location, primary or secondary.

Default The default location is primary, for both the hard disk and the compact flash.

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following command configures the Thunder Series to boot from the secondary image
area on the hard disk the next time the device is rebooted:

ACOS(config)#bootimage hd sec

bpdu-fwd-group
Description Configure a group of tagged Ethernet interfaces for forwarding Bridge Protocol Data Units
(BPDUs). BPDU forwarding groups enable you to use the ACOS device in a network that runs
Spanning Tree Protocol (STP).

A BPDU forwarding group is a set of tagged Ethernet interfaces that will accept and
broadcast STP BPDUs among themselves. When an interface in a BPDU forwarding group
receives an STP BPDU (a packet addressed to MAC address 01-80-C2-00-00-00), the interface
broadcasts the BPDU to all the other interfaces in the group.

Syntax [no] bpdu-fwd-group group-num

Replace group-num with the BPDU forwarding group number (1-8).

If the ACOS device is a member of an aVCS virtual chassis, specify the group number as
follows: DeviceID/group-num

This command changes the CLI to the configuration level for the BPDU forwarding group,
where the following command is available.

[no] ethernet portnum [to portnum] [ethernet portnum]

This command enables you to specify the ethernet interfaces you want to add to the BPDU
forwarding group.

Default None

Mode Configuration mode

Usage This command is specifically for configuring VLAN-tagged interfaces to accept and forward
BPDUs.

Rules for trunk interfaces:

• BPDUs are broadcast only to the lead interface in the trunk.
• If a BPDU is received on an Ethernet interface that belongs to a trunk, the BPDU is not
broadcast to any other members of the same trunk.

Example The following commands create BPDU forwarding group 1 containing Ethernet ports 1-3,
and verify the configuration:

ACOS(config)#bpdu-fwd-group 1
ACOS(config-bpdu-fwd-group:1)#ethernet 1 to 3
ACOS(config-bpdu-fwd-group:1)#show bpdu-fwd-group
BPDU forward Group 1 members: ethernet 1 to 3

bridge-vlan-group
Description Configure a bridge VLAN group for VLAN-to-VLAN bridging.

Syntax [no] bridge-vlan-group group-num

Replace group-num with the bridge VLAN group number.

If the ACOS device is a member of an aVCS virtual chassis, specify the group number as
follows: DeviceID/group-num

This command changes the CLI to the configuration level for the specified bridge VLAN
group, where the following configuration commands are available:

Command Description
forward-all-traffic Configures the bridge VLAN group to be able to forward all kinds of
traffic.
forward-ip-traffic Configures the bridge VLAN group to be able to forward typical traffic
between hosts, such as ARP requests and responses.
This is the default setting.
[no] name string Specifies a name for the group. The string can be 1-63 characters
long. If the string contains blank spaces, use double quotation marks
around the entire string.
There is no default name set.
[no] router-interface ve num Adds a Virtual Ethernet (VE) interface to the group. This command is
applicable only on ACOS devices deployed in gateway mode. The VE
number must be the same as the lowest numbered VLAN in the
group.
By default this is not set.
[no] vlan vlan-id [vlan vlan-id ... | to vlan vlan-id] Adds VLANs to the group.
By default this is not set.

Default By default, the configuration does not contain any bridge VLAN groups. When you create a
bridge VLAN group, it has the default settings described above.

Mode Configuration mode

Usage VLAN-to-VLAN bridging is useful in cases where reconfiguring the hosts on the network
either into the same VLAN, or into different IP subnets, is not desired or is impractical.

In bridge VLAN group configurations, the VE number must be the same as the lowest
numbered VLAN in the group.

Example For more information, including configuration notes and examples, see the “VLAN-to-VLAN
Bridging” chapter in the System Configuration and Administration Guide.

class-list (for Aho-Corasick)


Description Configure an Aho-Corasick class list. This type of class list can be used to match on Server
Name Indication (SNI) values.

Syntax [no] class-list list-name ac [file filename]

Parameter Description
list-name Adds the list to the running-config.
ac Identifies this as an Aho-Corasick class list.
filename Saves the list to a standalone file on the ACOS device.

NOTE: A class list can be exported only if you use the file option.

This command changes the CLI to the configuration level for the specified class list, where
the following commands are available:

Command Description
[no] contains sni-string Matches if the specified string appears anywhere within the SNI value.
[no] ends-with sni-string Matches only if the SNI value ends with the specified string.
[no] equals sni-string Matches only if the SNI value completely matches the specified string.
[no] starts-with sni-string Matches only if the SNI value starts with the specified string.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Default None

Mode Configuration mode

Usage The match options are always applied in the following order, regardless of the order in which
the rules appear in the configuration.
• Equals
• Starts-with
• Contains
• Ends-with

If a template has more than one rule with the same match option (equals, starts-with,
contains, or ends-with) and an SNI value matches on more than one of them, the
most-specific match is always used.

If you delete a file-based class list (no class-list list-name), save the configuration
(“write” on page 43) to complete the deletion.
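
As an added example (not part of the A10 documentation), the following Python script models the evaluation order described above for an Aho-Corasick class list, so a rule set can be checked offline before it is applied. It assumes that "most-specific" means the longest rule string and that comparison is case-sensitive, neither of which the manual states; the class list, hostnames and function names are constructed for illustration.

```python
from typing import NamedTuple

# Order in which match options are applied, regardless of configuration order.
PRECEDENCE = ("equals", "starts-with", "contains", "ends-with")

PREDICATES = {
    "equals": lambda sni, s: sni == s,
    "starts-with": lambda sni, s: sni.startswith(s),
    "contains": lambda sni, s: s in sni,
    "ends-with": lambda sni, s: sni.endswith(s),
}


class Rule(NamedTuple):
    option: str
    string: str
    line_no: int


def parse_ac_class_list(text):
    """Parse a class-list block; return (list_name, [Rule, ...])."""
    name, rules = None, []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "class-list":
            if len(tokens) < 3 or tokens[2] != "ac":
                raise ValueError(f"line {line_no}: not an Aho-Corasick class list")
            name = tokens[1]
        elif tokens[0] in PREDICATES and len(tokens) == 2:
            if name is None:
                raise ValueError(f"line {line_no}: rule outside a class list")
            rules.append(Rule(tokens[0], tokens[1], line_no))
        else:
            raise ValueError(f"line {line_no}: unrecognised entry {raw.strip()!r}")
    return name, rules


def match_sni(rules, sni):
    """Return the Rule that decides the match for sni, or None."""
    for option in PRECEDENCE:
        hits = [r for r in rules
                if r.option == option and PREDICATES[option](sni, r.string)]
        if hits:
            # Assumption: the most-specific rule is the one with the longest string.
            return max(hits, key=lambda r: len(r.string))
    return None


# Constructed class list; the ends-with rule is listed first on purpose.
SAMPLE_CLASS_LIST = """\
class-list sni-list ac
 ends-with .example.com
 contains example
 contains bank.example
 starts-with www.
 equals login.example.com
"""

if __name__ == "__main__":
    _, sample_rules = parse_ac_class_list(SAMPLE_CLASS_LIST)
    for host in ("login.example.com", "www.bank.example.com",
                 "api.bank.example.com", "cdn.example.com",
                 "bank.example.other.test", "unrelated.test"):
        rule = match_sni(sample_rules, host)
        print(host, "->", f"{rule.option} {rule.string}" if rule else "no match")
```

In this model cdn.example.com is decided by the "contains example" rule rather than the "ends-with .example.com" rule listed before it, and a contains rule also matches names such as bank.example.other.test where the string is embedded in a longer name.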

class-list (for IP limiting)


Description Configure an IP class list for use with the IP limiting feature.

Syntax [no] class-list list-name
[ac | dns | ipv4 | ipv6 | string | string-case-insensitive]
[file filename]

Parameter Description
list-name Adds the list to the running-config.
ac Identifies this as an Aho-Corasick class list.
dns Identifies this as a DNS class list.
ipv4 | ipv6 Identifies this as an IPv4 or IPv6 class list.
string Identifies this as a string class list.

string-case-insensitive Identifies this as a case-insensitive string class list.
file filename Saves the list to a standalone file on the ACOS device.

NOTE: A class list can be exported only if you use the file option.

This command changes the CLI to the configuration level for the specified class list, where
the following command is available:

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

[no] {ipaddr/network-mask | ipv6-addr/prefix-length}
[glid num | lid num]

This command adds an entry to the class list.

Parameter Description
ipaddr /network-mask Specifies the IPv4 host or subnet address of the client. The network-mask specifies
the network mask.
To configure a wildcard IP address, specify 0.0.0.0 /0. The wildcard address matches
on all addresses that do not match any entry in the class list.
ipv6-addr/subnet-length Specifies the IPv6 host or network address of the client.
glid num | lid num Specifies the ID of the IP limiting rule to use for matching clients. You can use a
system-wide (global) IP limiting rule or an IP limiting rule configured in a PBSLB policy
template.
• To use an IP limiting rule configured at the Configuration mode level, use the
glid num option.
• To use an IP limiting rule configured at the same level (in the same PBSLB policy
template) as the class list, use the lid num option.
To exclude a host or subnet from being limited, do not specify an IP limiting rule.

Default None

Mode Configuration mode

Usage Configure the GLIDs or LIDs before configuring the class list entries. To configure a GLID or
LID for IP limiting, see “glid” on page 99 or “slb template policy” on page 559.

As an alternative to configuring class entries on the ACOS device, you can configure the class
list using a text editor on another device, then import the class list onto the ACOS device. To
import a class list, see “import” on page 34.

NOTE: If you use a class-list file that is periodically re-imported, the age for class-list entries
added to the system from the file does not reset when the class-list file is re-imported.
Instead, the entries are allowed to continue aging normally. This is by
design.

For more information about IP limiting, see the Application Access Management and DDoS
Mitigation Guide.

If you delete a file-based class list (no class-list list-name), save the configuration
(“write” on page 43) to complete the deletion.

Request Limiting and Request-Rate Limiting in Class Lists

If a LID or GLID in a class list contains settings for request limiting or request-rate limiting, the
settings apply only if the following conditions are true:

1. The LID or GLID is used within a policy template.
2. The policy template is bound to a virtual port.

In this case, the settings apply only to the virtual port. The settings do not apply in any of the
following cases:

• The policy template is applied to the virtual server, instead of the virtual port.
• The settings are in a system-wide GLID.
• The settings are in a system-wide policy template.

NOTE: This limitation does not apply to connection limiting or connection-rate limiting.
Those settings are valid in all the cases listed above.

Example The following commands configure class list “global”, which matches on all clients, and uses
IP limiting rule 1:

ACOS(config)#class-list global
ACOS(config-class list)#0.0.0.0/0 glid 1

class-list (for VIP-based DNS caching)


Description Configure an IP class list for use with VIP-based DNS caching.

Syntax class-list list-name dns [file filename]

Parameter Description
list-name Adds the list to the running-config.
dns Identifies this list as a DNS class list.
file filename Saves the list to a file.

This command changes the CLI to the configuration level for the specified class list, where
the following command is available:

[no] dns match-option domain-string lid num

This command specifies the match conditions for domain strings and maps matching strings
to LIDs.

Parameter Description
match-option Specifies the match criteria for the domain-string. The match-option
can be one of the following:
• dns contains – The entry matches if the DNS request is for a
domain name that contains the domain-string anywhere within
the requested domain name.
• dns starts-with – The entry matches if the DNS request is for
a domain name that begins with the domain-string.
• dns ends-with – The entry matches if the DNS request is for a
domain name that ends with the domain-string.
domain-string Specifies all or part of the domain name on which to match. You
can use the wildcard character * (asterisk) to match on any single
character.
For example, “www.example*.com” matches on all the following
domain names: www.example1.com, www.example2.com,
www.examplea.com, www.examplez.com, and so on.
For wildcard matching on more than one character, you can use the
dns contains, dns starts-with, and dns ends-with
options. For example, “dns ends-with example.com” matches on
both abc.example.com and www.example.com.
lid num Specifies a list ID (LID) in the DNS template. LIDs contain DNS caching
policies. The ACOS device applies the DNS caching policy in the
specified LID to the domain-string.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Default None

Mode Configuration mode

Usage Configure the LIDs before configuring the class-list entries. LIDs for DNS caching can be
configured in DNS templates. (See “slb template dns” on page 532.)

As an alternative to configuring class entries on the ACOS device, you can configure the class
list using a text editor on another device, then import the class list onto the ACOS device. To
import a class list, see “import” on page 34.

If you delete a file-based class list (no class-list list-name), save the configuration
(“write” on page 43) to complete the deletion.

Example See the “DNS Optimization and Security” chapter in the Application Delivery and Server Load
Balancing Guide.

class-list (for many pools, non-LSN)


Description Configure IP class lists for deployments that use a large number of NAT pools.

Syntax [no] class-list list-name [ipv4 | ipv6] [file filename]

Parameter Description
list-name Adds the list to the running-config.
file filename Saves the list to a standalone file on the ACOS device.
ipv4 | ipv6 Identifies this list as an IPv4 or IPv6 class list.

This command changes the CLI to the configuration level for the specified class list, where
the following commands are available.

[no] ipaddr /network-mask glid num

This command specifies the inside subnet that requires the NAT.

Parameter Description
/network-mask Specify the network mask.
To configure a wildcard IP address, specify 0.0.0.0 /0. The wildcard
address matches on all addresses that do not match any entry in
the class list.
glid num Specify the global LID that refers to the pool.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Default None

Mode Configuration mode

Usage First configure the IP pools. Then configure the global LIDs. In each global LID, use the
use-nat-pool pool-name command to map clients to the pool. Then configure the class list
entries.

As an alternative to configuring class entries on the ACOS device, you can configure the class
list using a text editor on another device, then import the class list onto the ACOS device. To
import a class list, see “import” on page 34.

If you delete a file-based class list (no class-list list-name), save the configuration
(“write” on page 43) to complete the deletion.

Example See the “Configuring Dynamic IP NAT with Many Pools” section in the “Network Address
Translation” chapter of the System Configuration and Administration Guide.

class-list (string)
Description Configure a class list that you can use to modify aFleX scripts, without the need to edit the
script files themselves.

Syntax [no] class-list list-name [file filename] [string]

Parameter Description
list-name Adds the list to the running-config.
file filename Saves the list to a standalone file on the ACOS device.
string Identifies this as a string class list.

Usage A class list can be exported only if you use the file option.

If you delete a file-based class list (no class-list list-name), save the configuration
(“write” on page 43) to complete the deletion.

For more information, see the aFleX Scripting Language Reference.

clock timezone
Description Set the clock timezone.

Syntax clock timezone timezone [nodst]

Parameter Description
timezone Timezone to use.
To view the available timezones, enter the following command:
clock timezone ?
nodst Disables Daylight Savings Time.

Default Europe/Dublin (GMT)

Mode Configuration mode

Usage If you use the GUI or CLI to change the ACOS timezone or system time, the statistical
database is cleared. This database contains general system statistics (performance, and CPU,
memory, and disk utilization) and SLB statistics. For example, in the GUI, the graphs displayed
on the Monitor > Overview page are cleared.

Example The following commands list the available timezones, then set the timezone to
America/Los_Angeles:

ACOS(config)#clock timezone ?
Pacific/Midway (GMT-11:00)Midway Island, Samoa
Pacific/Honolulu (GMT-10:00)Hawaii
America/Anchorage (GMT-09:00)Alaska


...
ACOS(config)#clock timezone America/Los_Angeles

configure sync
Description Synchronize the local running-config to a peer’s running-config.

Syntax [no] configure sync {running | all}
{{all-partitions | partition name} | auto-authentication}
dest-ipaddress

Parameter Description
running Synchronize the local running-config to a peer’s running-config.
all Synchronize the local running-config to a peer’s running-config, and the local
startup-config to the same peer’s startup-config.
all-partitions Synchronize all partition configurations.
partition name Synchronize the configuration for the specified partition only.
auto-authentication Authenticate using the local user name and password.
dest-ipaddress IP address of the peer to which you want to synchronize your configurations.

Default N/A

Mode Configuration mode

Example The following example synchronizes both the local running-config and startup-config for
the shared partition only to the peer at IP address 10.10.10.4:

ACOS(config)#configure sync all partition shared 10.10.10.4

copy
Description Copy a running-config or startup-config.

Syntax copy {running-config | startup-config | from-profile-name}
[use-mgmt-port]
{url | to-profile-name}

Parameter Description
running-config Copies the commands in the running-config to the specified
URL or local profile name.
startup-config Copies the configuration profile that is currently linked to
“startup-config” and saves the copy under the specified URL or
local profile name.
use-mgmt-port Uses the management interface as the source interface for the
connection to the remote device. The management route
table is used to reach the device. By default, the ACOS device
attempts to use the data route table to reach the remote
device through a data interface.
url Copies the running-config or configuration profile to a remote
device. The URL specifies the file transfer protocol, username,
and directory path.
You can enter the entire URL on the command line or press
Enter to display a prompt for each part of the URL. If you enter
the entire URL and a password is required, you will still be
prompted for the password. The password can be up to 255
characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[port:]/file
• scp://[user@]host/file
• sftp://[user@]host/file
• disk:/remote-path
from-profile-name Configuration profile you are copying from.
to-profile-name Configuration profile you are copying to.

NOTE: You cannot use the profile name “default”. This name is reserved and always refers
to the configuration profile that is stored in the image area from which the ACOS
device most recently rebooted.

Default None

Mode Configuration mode

Usage If you are planning to configure a new ACOS device by loading the configuration from
another ACOS device:
1. On the configured ACOS device, use the copy startup-config url command to
save the startup-config to a remote server.
2. On the new ACOS device, use the copy url startup-config command to copy
the configured ACOS device’s startup-config from the remote server onto the new
ACOS device.
3. Use the reboot command (at the Privileged EXEC level) to reboot the new ACOS
device.
4. Modify parameters as needed (such as IP addresses).

If you attempt to copy the configuration by copying-and-pasting it from a CLI session on the
configured ACOS device, some essential parameters such as interface states will not be
copied.


Example The following command copies the configuration profile currently linked to “startup-config”
to a profile named “slbconfig3” and stores the profile locally on the ACOS device:

ACOS(config)#copy startup-config slbconfig3

debug

NOTE: A10 Networks Technical Support recommends using the AXdebug commands
instead of the debug command. (See “AX Debug Commands” on page 875.)

delete
Description Delete a locally stored file from the ACOS device.

Syntax delete file-type file-name

Parameter Description
file-type Type of file to be deleted:
• auth-portal (portal file for HTTP authentication)
• auth-portal-image (image file for the default authentication portal)
• auth-saml-idp (SAML metadata of the identity provider)
• bw-list (blacklist or whitelist)
• cgnv6 fixed-nat (fixed-NAT port mapping file)
• debug-monitor (debug file)
• geo-location (geo-location file)
• geo-location-class-list (geo-location class-list file)
• health-external (external script program)
• health-postfile (HTTP POST data file)
• local-uri-file (local URI files for HTTP response)
• partition (hard delete an L3V partition)
• startup-config (startup configuration profile)
• web-category database (web-category database)
file-name Name of the file you want to delete.
NOTES:
• For the geo-location option, you can specify all instead of a specific file-name to delete all files.
• There is no file-name option for web-category database.

Default N/A

Mode Configuration mode

Usage The startup-config file type deletes the specified configuration profile linked to startup-
config. The command deletes only the specific profile file-name you specify.

If the configuration profile you specify is linked to startup-config, the startup-config is
automatically re-linked to the default configuration profile. (The default is the configuration
profile stored in the image area from which the ACOS device most recently rebooted.)

Example The following command deletes configuration profile “slbconfig2”:

ACOS(config)#delete startup-config slbconfig2

disable reset statistics


Description Prevents resetting (clearing) of statistics for the following resources: SLB servers, service
groups, virtual servers, and Ethernet interfaces.

Syntax disable reset statistics

Default Disabled (clearing of statistics is allowed)

Mode Configuration mode

Usage Admins with the following CLI roles are allowed to disable or re-enable clearing of SLB and
Ethernet statistics:
• write
• partition-write

Example The following command disables reset of SLB and Ethernet statistics:

ACOS(config)#disable reset statistics

disable slb
Description Disable real or virtual servers.

Syntax disable slb server [server-name] [port port-num]

disable slb virtual-server [server-name] [port port-num]

Parameter Description
server-name Disables the specified real or virtual server.
port port-num Disables only the specified service port. If you omit the server-name
option, the port is disabled on all real or virtual servers. Otherwise,
the port is disabled only on the server you specify.

Default Enabled

Mode Configuration mode

Example The following command disables all virtual servers:

ACOS(config)#disable slb virtual-server


Example The following command disables port 80 on all real servers:

ACOS(config)#disable slb server port 80

Example The following command disables port 8080 on real server “rs1”:

ACOS(config)#disable slb server rs1 port 8080

disable-failsafe
Description Disable fail-safe monitoring for software-related errors.

Syntax [no] disable-failsafe
[all | io-buffer | session-memory | system-memory]

Parameter Description
all Disables fail-safe monitoring for all the following types of software
errors.
io-buffer Disables fail-safe monitoring for IO-buffer errors.
session-memory Disables fail-safe monitoring for session-memory errors.
system-memory Disables fail-safe monitoring for system-memory errors.

Default Fail-safe monitoring and automatic recovery are disabled by default, for both hardware and
software errors.

Mode Configuration mode

disable-management
Description Disable management access to the Thunder Series device.

Syntax [no] disable-management service
{all | ssh | telnet | http | https | snmp | ping | syslog | snmp-trap}
{management | ethernet port-num [to port-num] | ve ve-num [to ve-num]}

or

Syntax [no] disable-management service acl acl-num
{management | ethernet port-num [to port-num] | ve ve-num [to ve-num]}

Parameter Description
all Disables access to all management services listed in Table 3.
ssh Disables SSH access to the CLI.
telnet Disables Telnet access to the CLI.
http Disables HTTP access to the management GUI.
https Disables HTTPS access to the management GUI.
snmp Disables SNMP access to the ACOS device’s SNMP agent.
ping Disables ping replies from ACOS. This option does not affect the
ACOS device’s ability to ping other devices.
syslog Disables transmission of syslog messages out the interface.
snmp-trap Disables transmission of SNMP notifications (traps) out the
interface.
acl acl-num Permits or denies management access based on permit or deny
rules in the ACL.
management | ethernet port-num [to port-num] | ve ve-num [to ve-num] Specifies the interfaces for which
you are configuring access control.

NOTE: Disabling ping replies from being sent by the device does not affect the device’s
ability to ping other devices.

Default Table 3 lists the default settings for each management service.

TABLE 3 Default Management Service Settings

Management Service   Ethernet Management Interface   Ethernet and VE Data Interfaces
SSH                  Enabled                         Disabled
Telnet               Disabled                        Disabled
HTTP                 Enabled                         Disabled
HTTPS                Enabled                         Disabled
SNMP                 Enabled                         Disabled
Ping                 Enabled                         Enabled
Syslog               Disabled                        Disabled
SNMP-trap            Disabled                        Disabled

Mode Configuration mode

Usage If you disable the type of access you are using on the interface you are using at the time you
enter this command, your management session will end. If you accidentally lock yourself out
of the device altogether (for example, if you use the all option for all interfaces), you can
still access the CLI by connecting a PC to the ACOS device’s serial port.

To enable management access, see “enable-management” on page 91.

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

You can enable or disable management access, for individual access types and interfaces.
You also can use an Access Control List (ACL) to permit or deny management access through
the interface by specific hosts or subnets.

For more information, see “Access Based on Management Interface” in the Management
Access and Security Guide.

Example The following command disables HTTP access to the out-of-band management interface:

ACOS(config)#disable-management service http management
You may lose connection by disabling the http service.
Continue? [yes/no]:yes

dnssec
Description Configure and manage Domain Name System Security Extensions (DNSSEC). See “Config
Commands: DNSSEC” on page 229.

do
Description Run a Privileged EXEC level command from a configuration level prompt, without leaving
the configuration level.

Syntax do command

Default N/A

Mode Configuration mode

Usage For information about the Privileged EXEC commands, see “Privileged EXEC Commands” on
page 25.

Example The following command runs the traceroute command from the Configuration mode
level:

ACOS(config)#do traceroute 10.10.10.9

enable-core
Description Change the file size of core dumps.


Syntax [no] enable-core {a10 | system}

Parameter Description
a10 Enable A10 core dump files.
system Enable system core dump files.
System core dump files are larger than A10 core dump files.

Default If VRRP-A is configured, system core dump files are enabled by default. If VRRP-A is not
configured, A10 core dump files are enabled by default.

Mode Configuration mode

Usage You can save this command to the startup-config on SSD or HD. However, ACOS does not
support saving the command to a configuration file stored on Compact Flash (CF). This is
because the CF does not have enough storage for large core files.

enable-management
Description Enable management access to the ACOS device.

Syntax [no] enable-management service
{
acl-v4 id |
acl-v6 id |
http |
https |
ping |
snmp |
ssh |
telnet
}

Parameter Description
acl-v4 id Permits or denies management access based on permit or deny rules in
the ACL for IPv4 addresses.
acl-v6 id Permits or denies management access based on permit or deny rules in
the ACL for IPv6 addresses.
http Allows HTTP access to the management GUI.
https Allows HTTPS access to the management GUI.
ping Allows ping replies from ACOS interfaces. This option does not affect the
ACOS device’s ability to ping other devices.
snmp Allows SNMP access to the ACOS device’s SNMP agent.
ssh Allows SSH access to the CLI.
telnet Allows Telnet access to the CLI.


NOTE: The management interface supports only a single ACL.

NOTE: IPv6 ACLs are supported for management access through Ethernet data interfaces
and the management interface.

Default The following table lists the default settings for each management service.

Management Service   Management Interface   Data Interfaces
ACL                  Enabled                Disabled
HTTP                 Enabled                Disabled
HTTPS                Enabled                Disabled
Ping                 Enabled                Enabled
SNMP                 Enabled                Disabled
SSH                  Enabled                Disabled
Telnet               Disabled               Disabled

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

IPv6 ACLs are supported for management access through Ethernet data interfaces and the
management interface.

For more information, see “Access Based on Management Interface” in the Management
Access and Security Guide.

Example The following command enables Telnet access to Ethernet data interface 6:

ACOS(config)#enable-management service telnet ethernet 6

Example The following commands configure IPv6 traffic filtering on the management interface and
display the resulting configuration:

ACOS(config)#ipv6 access-list ipv6-acl1
ACOS(config-access-list:ipv6-acl1)#permit ipv6 any any
ACOS(config-access-list:ipv6-acl1)#interface management
ACOS(config-if:management)#ipv6 access-list ipv6-acl1 in
ACOS(config-if:management)#show running-config
ipv6 access-list ipv6-acl1
permit ipv6 any any
!
interface management
ip address 192.168.217.28 255.255.255.0
ipv6 address 2001:192:168:217::28/64
ipv6 access-list ipv6-acl1 in


Example The following commands configure an IPv6 ACL, then apply it to Ethernet data ports 5 and 6
to secure SSH access over IPv6:

ACOS(config)#ipv6 access-list ipv6-acl1
ACOS(config-access-list:ipv6-acl1)#permit ipv6 any any
ACOS(config)#enable-management service ssh acl name ipv6-acl1 ethernet 5 to 6
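
The following Python script is an added example, not part of the A10 documentation. It models the Table 3 defaults and applies enable-management and disable-management commands, in the single-line form used in this page's examples, to show which services end up reachable on each interface. It assumes commands take effect in order, with later ones overriding earlier ones. ACL and "no" forms are returned for manual review rather than interpreted. All function names and the sample lines are constructed.

```python
import re

# Defaults from Table 3 (services enabled out of the box on each interface type).
SERVICES = ("ssh", "telnet", "http", "https", "snmp", "ping", "syslog", "snmp-trap")
DEFAULT_MGMT = {"ssh", "http", "https", "snmp", "ping"}
DEFAULT_DATA = {"ping"}
CLEARTEXT = {"telnet", "http"}            # credentials cross the wire unencrypted
ENABLE_OK = {"http", "https", "ping", "snmp", "ssh", "telnet"}   # enable-management syntax
DISABLE_OK = set(SERVICES) | {"all"}                             # disable-management syntax

CMD = re.compile(
    r"^(?P<verb>enable|disable)-management\s+service\s+(?P<svc>\S+)\s+"
    r"(?P<target>management|(?:ethernet|ve)\s+\d+(?:\s+to\s+\d+)?)$"
)


def expand(target):
    """'ethernet 5 to 6' -> ['ethernet 5', 'ethernet 6']; 'management' -> ['management']."""
    parts = target.split()
    if parts[0] == "management":
        return ["management"]
    first = int(parts[1])
    last = int(parts[3]) if len(parts) == 4 else first
    return [f"{parts[0]} {n}" for n in range(first, last + 1)]


def defaults_for(interface):
    return DEFAULT_MGMT if interface == "management" else DEFAULT_DATA


def effective_exposure(commands):
    """Apply commands in order on top of the Table 3 defaults.

    Returns (state, skipped): state maps interface -> set of enabled services;
    skipped lists lines this model does not interpret (ACL and 'no' forms).
    """
    state = {"management": set(DEFAULT_MGMT)}
    skipped = []
    for raw in commands:
        line = raw.split("#", 1)[-1].strip()      # drop a leading CLI prompt
        if not line:
            continue
        m = CMD.match(line)
        allowed = (ENABLE_OK if m["verb"] == "enable" else DISABLE_OK) if m else ()
        if not m or m["svc"] not in allowed:
            skipped.append(line)
            continue
        svcs = set(SERVICES) if m["svc"] == "all" else {m["svc"]}
        for itf in expand(m["target"]):
            enabled = state.setdefault(itf, set(defaults_for(itf)))
            if m["verb"] == "enable":
                enabled |= svcs
            else:
                enabled -= svcs
    return state, skipped


def findings(state):
    """Flag cleartext services, and services enabled beyond the interface's default."""
    out = []
    for itf in sorted(state):
        for svc in sorted(state[itf]):
            if svc in CLEARTEXT:
                out.append((itf, svc, "cleartext protocol"))
            elif svc not in defaults_for(itf):
                out.append((itf, svc, "enabled beyond Table 3 default"))
    return out


SAMPLE = [  # constructed input; the first two lines are this page's own examples
    "ACOS(config)#enable-management service telnet ethernet 6",
    "ACOS(config)#disable-management service http management",
    "ACOS(config)#enable-management service ssh ethernet 5 to 6",
    "ACOS(config)#disable-management service acl 1 management",
]

if __name__ == "__main__":
    state, skipped = effective_exposure(SAMPLE)
    for itf in sorted(state):
        print(f"{itf:12} {', '.join(sorted(state[itf]))}")
    for itf, svc, why in findings(state):
        print(f"FLAG {itf}: {svc} ({why})")
    for line in skipped:
        print(f"REVIEW MANUALLY: {line}")
```

With no commands applied, the only finding is HTTP on the management interface, which Table 3 lists as enabled by default.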

enable-password
Description Set the enable password, which secures access to the Privileged EXEC level of the CLI.

Syntax [no] enable-password password-string

Replace password-string with the password string (1-63 characters). Passwords are case
sensitive and can contain special characters. (For more information, see “Special Character
Support in Strings” on page 12.)

Default By default, the password is blank. (Just press Enter.)

Mode Configuration mode

Example The following command sets the Privileged EXEC password to “execadmin”:

ACOS(config)#enable-password execadmin

end
Description Return to the Privileged EXEC level of the CLI.

Syntax end

Default N/A

Mode Config

Usage The end command is valid at all configuration levels of the CLI. From any configuration level,
the command returns directly to the Privileged EXEC level.

Example The following command returns from the Configuration mode level to the Privileged EXEC
level:

ACOS(config)#end
ACOS#


erase
Description Erase the startup-config file.

This command returns the device to its factory default configuration after the next reload or
reboot.

The following table summarizes what is removed or preserved on the system:

What is Erased              What is Preserved
Saved configuration files   Running configuration
Management IP address       Audit log entries
Admin-configured admins     System files, such as SSL certificates and keys, aFleX policies, black/white lists, and system logs
Enable password             Inactive partitions

To remove imported files or inactive partitions, you must use the system-reset command.
(See “system-reset” on page 181.)

Syntax erase [preserve-management] [preserve-accounts] [reload]

Parameter Description
preserve-management Keeps the configured management IP address and default
gateway, instead of erasing them and resetting them to their
factory defaults following reload or reboot.
preserve-accounts Keeps the configured admin accounts, instead of erasing
them. Likewise, this option keeps any modifications to the
“admin” account, and does not reset the account to its
defaults following reload or reboot.
reload Reloads ACOS after the configuration erasure is completed.

Default N/A

Mode Configuration mode

Usage The erasure of the startup-config occurs following the next reload or reboot. Until the next
reload or reboot, the ACOS device continues to run based on the running-config.

The management IP address is not erased. This is true even if you do not use the preserve-
management option. However, without this option, the default management gateway is
erased and reset to its factory default.

To recover the configuration, you can save the running-config or reload the configuration
from another copy of the startup-config file.

The preserve-management option has no effect on an enterprise’s organizational
structure. If it did, a caution would appear here discouraging its use.


Example The following command erases the startup-config file. The change takes place following the
next reload or reboot.

ACOS(config)#erase

Example The following command erases the startup-config file, except for management interface
access and admin accounts, and reloads to place the change into effect.

ACOS(config)#erase preserve-management preserve-accounts reload

Related Commands system-reset

event
Description Generate an event for the creation or deletion of an L3V partition.

Syntax [no] event partition {part-create | part-del}

Parameter Description
part-create Generate an event when a partition is created.
part-del Generate an event when a partition is deleted.

Default N/A

Mode Configuration mode

Related Commands show event-action

exit
Description Return to the Privileged EXEC level of the CLI.

Syntax exit

Default N/A

Mode Configuration mode

Usage The exit command is valid at all CLI levels. At each level, the command returns to the
previous CLI level. For example, from the server port level, the command returns to the server
level. From the Configuration mode level, the command returns to the Privileged EXEC level.
From the user EXEC level, the command terminates the CLI session.

From the Configuration mode level, you also can use the end command to return to the
Privileged EXEC level.

Example The following command returns from the Configuration mode level to the Privileged EXEC
level:


ACOS(config)#exit
ACOS#

export-periodic
Description Export file to a remote site periodically.

Syntax import-periodic
{
aflex file |
auth-portal file |
axdebug file |
bw-list file |
class-list file |
dnssec-dnskey file |
dnssec-ds file |
geo-location file |
local-uri-file file |
ssl-cert {[bulk] | file}
[certificate-type {pem | der | pfx | p7b}]
[csr-generate]
[pfx-password password] |
ssl-cert-key bulk |
ssl-crl file [csr-generate] |
ssl-key {bulk | file} [csr-generate] |
syslog file |
wsdl file |
xml-schema file
}
{[use-mgmt-port] url}
period seconds

Parameter Description
aflex Export an aFleX file.
auth-portal Export an authentication portal file for Application Access Management (AAM).
axdebug Export an AX Debug packet file.
bw-list Export a black/white list.
class-list Export an IP class list.
dnssec-dnskey Export a DNSSEC key-signing key (KSK) file.
dnssec-ds Export a DNSSEC DS file.
geo-location Export a geo-location data file for Global Server Load Balancing (GSLB).
local-uri-file Export a local URI file.
ssl-cert [bulk] Export a certificate.
• Use the bulk option to import multiple files simultaneously as a .tgz archive.
• Use certificate-type to specify a certificate type.
• Use csr-generate to generate a CSR file.
ssl-cert-key [bulk] Export a certificate and key together as a single file.
Specify bulk to import multiple files simultaneously as a .tgz archive.
ssl-key [bulk] Export a certificate key.
Specify bulk to import multiple files simultaneously as a .tgz archive.
ssl-crl Export a certificate revocation list (CRL).
syslog Export a syslog file.
wsdl Export a WSDL file.
xml-schema Export an XML schema file.
use-mgmt-port Uses the management interface as the source interface for the connection to the remote
device. The management route table is used to reach the device. Without this option, the
ACOS device attempts to use the data route table to reach the remote device through a data
interface.
url Protocol, user name (if required), and directory path you want to use to send the file.
You can enter the entire URL on the command line or press Enter to display a prompt for
each part of the URL. If you enter the entire URL and a password is required, you will still be
prompted for the password. The password can be up to 255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[port:]/file
• scp://[user@]host/file
• sftp://[user@]host/file
period seconds Enables automated updates of the file. You can specify 60 (one minute)-31536000 (one year)
seconds.

The period option simplifies update of imported files, especially files that are used by
multiple ACOS devices. You can edit a single instance of the file, on the remote server, then
configure each ACOS device to automatically update the file to import the latest changes.

When you use this option, the ACOS device periodically replaces the specified file with the
version that is currently on the remote server. If the file is in use in the running-config, the
updated version of the file is placed into memory.

The updated file affects only new sessions that begin after the update but does not affect
existing sessions. For example, when an aFleX script that is bound to a virtual port is
updated, the update affects new sessions that begin after the update, but does not affect
existing sessions that began before the update.

Mode Privileged EXEC mode or global configuration mode

Example The following command imports an aFleX policy onto the ACOS device from a TFTP server,
from its directory named “backups” every 30 days:

ACOS(config)#import-periodic aflex aflex-01 tftp://192.168.1.101/backups/aflex-01 period 2592000


fail-safe
Description Configure fail-safe automatic recovery.

Syntax [no] fail-safe
{
fpga-buff-recovery-threshold 256-buffer-units |
hw-error-monitor-disable |
hw-error-monitor-enable |
hw-error-recovery-timeout minutes |
session-memory-recovery-threshold percentage |
sw-error-monitor-enable |
sw-error-recovery-timeout minutes |
total-memory-size-check Gb {kill | log}
}

Parameter Description
fpga-buff-recovery-threshold 256-buffer-units Minimum required number of free (available) FPGA buffers. If the
number of free buffers remains below this value until the recovery timeout,
fail-safe software recovery is triggered.
You can specify 1-10 units. Each unit contains 256 buffers.
The default is 2 units (512 buffers).
hw-error-monitor-disable Disables fail-safe monitoring and recovery for hardware errors.
This is enabled by default.
hw-error-monitor-enable Enables fail-safe monitoring and recovery for hardware errors.
This is enabled by default.
hw-error-recovery-timeout minutes Number of minutes fail-safe waits after a hardware error occurs to
reboot the ACOS device. You can specify 1-1440 minutes.
The default is 0 (not set).
session-memory-recovery-threshold percentage Minimum required percentage of system memory that must be free. If
the amount of free memory remains below this value long enough for
the recovery timeout to occur, fail-safe software recovery is triggered.
You can specify 1-100 percent. The default is 30 percent.
sw-error-monitor-enable Enables fail-safe monitoring and recovery for software errors.
This is disabled by default.
sw-error-recovery-timeout minutes Number of minutes (1-1440) the software error condition must remain
in effect before fail-safe occurs:
• If the system resource that is low becomes free again within the
recovery timeout period, fail-safe allows the ACOS device to continue
normal operation. Fail-safe recovery is not triggered.
• If the system resource does not become free, then fail-safe recovery is
triggered.
The default timeout is 3 minutes.
total-memory-size-check Gb {kill | log} Amount of memory the device must have after booting.
• Gb - Minimum amount of memory required.
• kill – Stops data traffic and generates a message. However, the
management port remains accessible.
• log – Generates a log message but does not stop data traffic.

Default By default, fail-safe automatic recovery is enabled for hardware errors and disabled for
software errors. You can enable the feature for hardware errors, software errors, or both. When
you enable the feature, the other options have the default values described in the table
above.

Mode Configuration mode

Usage Fail-safe hardware recovery also can be triggered by a “PCI not ready” condition. This fail-safe
recovery option is enabled by default and cannot be disabled.

glid
Description Configure a global set of IP limiting rules for system-wide IP limiting.

NOTE: This command configures a limit ID (LID) for use with the IP limiting feature. To
configure a LID for use with Large-Scale NAT (LSN) instead, see the IPv4-to-IPv6
Transition Solutions Guide.

Syntax [no] glid num

Replace num with the limit ID (1-1023).

This command changes the CLI to the configuration level for the specified global LID, where
the following command is available.


(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] conn-limit num Specifies the maximum number of concurrent connections allowed for a client. You
can specify 0-1048575. Connection limit 0 immediately locks down matching clients.
There is no default value set for this parameter.
[no] conn-rate-limit num per num-of-100ms Specifies the maximum number of new connections allowed for a client within the
specified limit period. You can specify 1-4294967295 connections. The limit period
can be 100-6553500 milliseconds (ms), specified in increments of 100 ms.
There is no default value set for this parameter.
[no] dns options Configure settings for IPv4 DNS features.
[no] dns64 options Configure settings for IPv6 DNS features.
[no] over-limit-action [forward | reset] [lockout minutes] [log minutes] Specifies the action to take when a client
exceeds one or more of the limits. The command also configures lockout and enables logging. The action can be one of
the following:
• drop – The ACOS device drops that traffic. If logging is enabled, the ACOS device
also generates a log message. (There is no drop keyword; this is the default
action.)
• forward – The ACOS device forwards the traffic. If logging is enabled, the ACOS
device also generates a log message.
• reset – For TCP, the ACOS device sends a TCP RST to the client. If logging is
enabled, the ACOS device also generates a log message.
The lockout option specifies the number of minutes during which to apply the
over-limit action after the client exceeds a limit. The lockout period is activated
when a client exceeds any limit. The lockout period can be 1-1023 minutes. There is
no default lockout period.
The log option generates log messages when clients exceed a limit. When you
enable logging, a separate message is generated for each over-limit occurrence, by
default. You can specify a logging period, in which case the ACOS device holds
onto the repeated messages for the specified period, then sends one message at
the end of the period for all instances that occurred within the period. The logging
period can be 0-255 minutes. The default is 0 (no wait period).
[no] request-limit num Specifies the maximum number of concurrent Layer 7 requests allowed for a client.
You can specify 1-1048575.
[no] request-rate-limit num per num-of-100ms Specifies the maximum number of Layer 7 requests allowed for the client within
the specified limit period. You can specify 1-4294967295 connections. The limit
period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms.
[no] use-nat-pool pool-name Binds a NAT pool to the GLID. The pool is used to provide reverse NAT for class-list
members that are mapped to this GLID. (The use-nat-pool option, available in
GLIDs, is applicable only to transparent traffic, not to SLB traffic.)

Default See descriptions in the table.

Mode Configuration mode


Usage This command uses a single class list for IP limiting. To use multiple class lists for system-wide
IP limiting, use a policy template instead. See “slb template policy” on page 559.

A policy template is also required if you plan to apply IP limiting rules to individual virtual
servers or virtual ports.

The request-limit and request-rate-limit options apply only to HTTP, fast-HTTP,
and HTTPS virtual ports. For details on configuring these options, see “Request Limiting and
Request-Rate Limiting in Class Lists” on page 80.

The over-limit-action log option, when used with the request-limit or
request-rate-limit option, always lists Ethernet port 1 as the interface.

The use-nat-pool option is applicable only to transparent traffic, not to SLB traffic.

Example The following commands configure a global IP limiting rule to be applied to all IP clients (the
clients that match class list “global”):

ACOS(config)#glid 1
ACOS(config-glid:1)#conn-rate-limit 10000 per 1
ACOS(config-glid:1)#conn-limit 2000000
ACOS(config-glid:1)#over-limit forward logging
ACOS(config-glid:1)#exit
ACOS(config)#system glid 1
ACOS(config)#class-list global
ACOS(config-class list)#0.0.0.0/0 glid 1

gslb
Description Configure Global Server Load Balancing (GSLB) parameters. See the Global Server Load Bal-
ancing Guide.

hd-monitor enable
Description Enable hard disk monitoring on your ACOS device.

Syntax [no] hd-monitor enable

Default Hard disk monitoring is disabled by default.

Mode Configuration mode

Example The example below shows how to enable hard disk monitoring.

ACOS(config)#hd-monitor enable
Harddisk monitoring turned on.
Please write mem and reload to take effect.
ACOS(config)#


health global
Description Globally change health monitor parameters.

Syntax health global

This command changes the CLI to the configuration level for global health monitoring
parameters, where the following commands are available.

Parameter Description
[no] health check-rate threshold Change the health-check rate limiting threshold.
Replace threshold with the maximum number of health-check packets
the ACOS device will send in a given 500-millisecond (ms) period.
The valid range is 1-5000 health-check packets per 500-ms period.
When you disable auto-adjust mode, the default threshold is 1000
health-check packets per 500-ms period.
When auto-adjust mode is enabled, you cannot manually change the
threshold. To change the threshold, you first must disable auto-adjust
mode. (See below.)
[no] health disable-auto-adjust Disable the auto-adjust mode of health-check rate limiting.
When necessary, the auto-adjust mode dynamically increases the default
interval and timeout for health checks. By increasing these timers, health-
check rate limiting provides more time for health-check processing.
Auto-adjust mode is enabled by default.
[no] health external-rate scripts per 100-ms-units Specify the maximum number of external
health-check scripts the ACOS device is allowed to perform during a given interval.
• scripts – Maximum number of external health-check scripts, 1-999.
• 100-ms-units – Interval to which the scripts option applies, 1-20
100-ms units.
The default rate is 2 scripts every 200 ms.
interval seconds Number of seconds between health check attempts, 1-180 seconds. A
health check attempt consists of the ACOS device sending a packet to
the server. The packet type and payload depend on the health monitor
type. For example, an HTTP health monitor might send an HTTP GET
request packet. Default is 5 seconds.
multi-process cpus Enable use of multiple CPUs for processing health checks.
Replace cpus with the total number of CPUs to use for processing health
checks.
The default is 1.
retry number Maximum number of times ACOS will send the same health check to an
unresponsive server before determining that the server is down. You can
specify 1-5. Default is 3.

timeout seconds Number of seconds ACOS waits for a reply to a health check, 1-12 seconds.
Default is 5 seconds.
up-retry number Number of consecutive times the device must pass the same periodic
health check, in order to be marked Up. You can specify 1-10. The default
is 1.

NOTE: The timeout parameter is not applicable to external health monitors.

You can change one or more parameters on the same command line.

Default See above.

NOTE: To change a global parameter back to its factory default, use the “no” form of the
command (for example: no up-retry 10).

Mode Configuration mode

Usage Globally changing a health monitor parameter changes the default for that parameter. For
example, if you globally change the interval from 5 seconds to 10 seconds, the default
interval becomes 10 seconds.

If a parameter is explicitly set on a health monitor, globally changing the parameter does not
affect the health monitor. For example, if the interval on health monitor hm1 is explicitly set
to 20 seconds, the interval remains 20 seconds on hm1 regardless of the global setting.

NOTE: Global health monitor parameter changes automatically apply to all new health
monitors configured after the change. To apply a global health monitor parameter
change to health monitors that were configured before the change, you must
reboot the ACOS device.

Example The following command globally changes the default number of retries to 5:

ACOS(config)#health global retry 5

Example The following command globally changes the timeout to 10 seconds and default number of
retries to 4:

ACOS(config)#health global timeout 10 retry 4

health monitor
Description Configure a health monitor.

Syntax [no] health monitor monitor-name

The monitor-name can be 1-31 characters. This command changes the CLI to the
configuration level for the health monitor. For information about the commands available at
the health-monitor configuration level, see “Config Commands: Health Monitors” on
page 665.

health-test
Description Test the status of a device at a specified IP address using a defined health monitor.

To configure a health monitor, use the health monitor command.

Syntax health-test ipaddr [count num] [monitorname name] [port portnum]

Parameter Description
ipaddr IPv4 or IPv6 address of the device you want to test.
count num Wait for count tests (1-65535).
The default count is 1.
monitorname name Specify the pre-configured health monitor to use for the test.
port portnum Specify the port to test.

Mode Configuration mode

hostname
Description Set the ACOS device’s hostname.

Syntax [no] hostname string

Replace string with the desired hostname (1-31 characters). The name can contain any
alpha-numeric character (a-z, A-Z, 0-9), hyphen (-), period (.), or left or right parentheses
characters.

Default The default hostname is the name of the device; for example, an AX Series 5630 device will
have “AX5630” as the default hostname.

Mode Configuration mode

Usage The CLI command prompt also is changed to show the new hostname.

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following example sets the hostname to “SLBswitch2”:

ACOS(config)#hostname SLBswitch2
SLBswitch2(config)#


hsm
Description Configures settings for DNSSEC Hardware Security Module (HSM) support. (See “Config
Commands: DNSSEC” on page 229.)

icmp-rate-limit
Description Configure ICMP rate limiting, to protect against denial-of-service (DoS) attacks.

Syntax [no] icmp-rate-limit normal-rate lockup max-rate lockup-time

Parameter Description
normal-rate Maximum number of ICMP packets allowed per second. If the ACOS device receives more
than the normal rate of ICMP packets, the excess packets are dropped until the next one-second
interval begins. The normal rate can be 1-65535 packets per second.
lockup max-rate Maximum number of ICMP packets allowed per second before the ACOS device locks up
ICMP traffic. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup
expires. The maximum rate can be 1-65535 packets per second. The maximum rate must be
larger than the normal rate.
lockup-time Number of seconds for which the ACOS device drops all ICMP traffic, after the maximum rate
is exceeded. The lockup time can be 1-16383 seconds.

Default None

Mode Configuration mode

Usage This command configures ICMP rate limiting globally for all traffic to or through the ACOS
device. To configure ICMP rate limiting on individual Ethernet interfaces, see “icmp-rate-limit”
on page 245. To configure it in a virtual server template, see “slb template virtual-server”
on page 598. If you configure ICMP rate limiting filters at more than one of these levels,
all filters are applicable.

Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify
them, lockup does not occur.

Log messages are generated only if the lockup option is used and lockup occurs. Otherwise,
the ICMP rate-limiting counters are still incremented but log messages are not generated.

Example The following command globally configures ICMP rate limiting to allow up to 2048 ICMP
packets per second, and to lock up all ICMP traffic for 10 seconds if the rate exceeds 3000
ICMP packets per second:

ACOS(config)#icmp-rate-limit 2048 lockup 3000 10

icmpv6-rate-limit
Description Configure ICMPv6 rate limiting for IPv6 to protect against denial-of-service (DoS) attacks.


Syntax [no] icmpv6-rate-limit normal-rate lockup max-rate lockup-time

Parameter Description
normal-rate Maximum number of ICMPv6 packets allowed per second. If the ACOS device receives more
than the normal rate of ICMPv6 packets, the excess packets are dropped until the next one-
second interval begins. The normal rate can be 1-65535 packets per second.
lockup max-rate Maximum number of ICMPv6 packets allowed per second before the ACOS device locks up
ICMPv6 traffic. When ICMPv6 traffic is locked up, all ICMPv6 packets are dropped until the
lockup expires. The maximum rate can be 1-65535 packets per second. The maximum rate
must be larger than the normal rate.
lockup-time Number of seconds for which the ACOS device drops all ICMPv6 traffic, after the maximum rate
is exceeded. The lockup time can be 1-16383 seconds.

Default None

Mode Configuration mode

Usage This command configures ICMPv6 rate limiting globally for all traffic to or through the ACOS
device. To configure ICMPv6 rate limiting on individual Ethernet interfaces, see “icmp-rate-limit”
on page 245. To configure it in a virtual server template, see “slb template virtual-server”
on page 598. If you configure ICMPv6 rate limiting filters at more than one of these
levels, all filters are applicable.

Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify
them, lockup does not occur.

Log messages are generated only if the lockup option is used and lockup occurs. Otherwise,
the ICMPv6 rate-limiting counters are still incremented but log messages are not generated.
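
Added example (not from the A10 documentation, and not A10 code): the Python function below applies the rules stated for icmp-rate-limit and icmpv6-rate-limit to a saved configuration. It flags values outside the documented ranges, a max-rate that is not larger than the normal rate, and a rate limit without the lockup option, which by the Usage text above generates no log messages. The function name, the sample configuration and the assumption that global commands are unindented are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Ranges documented above for icmp-rate-limit and icmpv6-rate-limit.
RATE_MIN, RATE_MAX = 1, 65535          # normal-rate and max-rate, packets per second
LOCKUP_MIN, LOCKUP_MAX = 1, 16383      # lockup-time, seconds

# icmp[v6]-rate-limit normal-rate [lockup max-rate lockup-time]
CMD_RE = re.compile(r"^(icmp(?:v6)?-rate-limit)\s+(\d+)(?:\s+lockup\s+(\d+)\s+(\d+))?\s*$")

Finding = Tuple[str, str, str]         # (command, "error" or "warning", message)


def audit_icmp_rate_limits(config_text: str) -> List[Finding]:
    """Check the global ICMP and ICMPv6 rate-limit lines of a saved configuration."""
    findings: List[Finding] = []
    seen: Dict[str, bool] = {"icmp-rate-limit": False, "icmpv6-rate-limit": False}

    for line in config_text.splitlines():
        words = line.split()
        # Assumption: global commands start in column 0. Indented lines belong to
        # an interface or template block and are not the global setting.
        if not words or line[0].isspace() or words[0] not in seen:
            continue
        cmd = words[0]
        seen[cmd] = True
        match = CMD_RE.match(line)
        if match is None:
            findings.append((cmd, "error", "does not match the documented syntax"))
            continue

        normal = int(match.group(2))
        if not RATE_MIN <= normal <= RATE_MAX:
            findings.append((cmd, "error", f"normal-rate {normal} is outside {RATE_MIN}-{RATE_MAX}"))

        if match.group(3) is None:
            # Without lockup, excess packets are dropped and counted but never logged.
            findings.append((cmd, "warning", "no lockup option: drops are counted but not logged"))
            continue

        max_rate, lockup_time = int(match.group(3)), int(match.group(4))
        if not RATE_MIN <= max_rate <= RATE_MAX:
            findings.append((cmd, "error", f"max-rate {max_rate} is outside {RATE_MIN}-{RATE_MAX}"))
        if max_rate <= normal:
            findings.append((cmd, "error", f"max-rate {max_rate} must be larger than normal-rate {normal}"))
        if not LOCKUP_MIN <= lockup_time <= LOCKUP_MAX:
            findings.append((cmd, "error", f"lockup-time {lockup_time} is outside {LOCKUP_MIN}-{LOCKUP_MAX}"))

    for cmd, present in seen.items():
        if not present:
            findings.append((cmd, "warning", "not configured globally (the default is None)"))
    return findings


# Constructed sample: the first rate-limit line is the example from this chapter,
# the second one has max-rate and lockup-time errors, the indented one is skipped.
SAMPLE_CONFIG = """\
hostname SLBswitch2
icmp-rate-limit 2048 lockup 3000 10
icmpv6-rate-limit 3000 lockup 2048 20000
interface ethernet 3
  icmp-rate-limit 100
"""

if __name__ == "__main__":
    for command, level, message in audit_icmp_rate_limits(SAMPLE_CONFIG):
        print(f"{level.upper():7} {command}: {message}")
```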

import
Description See “import” on page 34.


import-periodic
Description Get files from a remote site periodically.

Syntax import-periodic
{
aflex file |
auth-portal file |
bw-list file |
class-list file |
dnssec-dnskey file |
dnssec-ds file |
geo-location file |
license file |
local-uri-file file |
policy file |
ssl-cert {[bulk] | file}
[certificate-type {pem | der | pfx | p7b}]
[csr-generate]
[pfx-password password] |
ssl-cert-key bulk |
ssl-crl file [csr-generate] |
ssl-key {bulk | file} [csr-generate] |
wsdl file |
xml-schema file
}
{[use-mgmt-port] url}
period seconds

Parameter Description
aflex Import an aFleX file.
auth-portal Import an authentication portal file for Application Access Management (AAM).
bw-list Import a black/white list.
class-list Import an IP class list.
dnssec-dnskey Import a DNSSEC key-signing key (KSK) file.
dnssec-ds Import a DNSSEC DS file.
geo-location Imports a geo-location data file for Global Server Load Balancing (GSLB).
license Import a license file, if applicable to your model.
local-uri-file Import a local URI file.
policy Import a WAF policy file.
ssl-cert [bulk] Imports a certificate.
• Use the bulk option to import multiple files simultaneously as a .tgz archive.
• Use certificate-type to specify a certificate type.
• Use csr-generate to generate a CSR file.
ssl-cert-key [bulk] Imports a certificate and key together as a single file.
Specify bulk to import multiple files simultaneously as a .tgz archive.
ssl-key [bulk] Import a certificate key.
Specify bulk to import multiple files simultaneously as a .tgz archive.

ssl-crl Import a certificate revocation list (CRL).
wsdl Import a WSDL file.
xml-schema Import an XML schema file.
use-mgmt-port Uses the management interface as the source interface for the connection to the remote
device. The management route table is used to reach the device. Without this option, the
ACOS device attempts to use the data route table to reach the remote device through a data
interface.
url Protocol, user name (if required), and directory path you want to use to send the file.
You can enter the entire URL on the command line or press Enter to display a prompt for
each part of the URL. If you enter the entire URL and a password is required, you will still be
prompted for the password. The password can be up to 255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[port:]/file
• scp://[user@]host/file
• sftp://[user@]host/file
period seconds Enables automated updates of the file. You can specify 60 (one minute)-31536000 (one year)
seconds.

The period option simplifies updating imported files, especially files that are used by
multiple ACOS devices. You can edit a single instance of the file on the remote server, then
configure each ACOS device to automatically update the file to import the latest changes.

When you use this option, the ACOS device periodically replaces the specified file with the
version that is currently on the remote server. If the file is in use in the running-config, the
updated version of the file is placed into memory.

The updated file affects only new sessions that begin after the update but does not affect
existing sessions. For example, when an aFleX script that is bound to a virtual port is
updated, the update affects new sessions that begin after the update, but does not affect
existing sessions that began before the update.

Mode Privileged EXEC mode or global configuration mode

Example The following command imports an aFleX policy onto the ACOS device from a TFTP server,
from its directory named “backups” every 30 days:

ACOS(config)#import-periodic aflex aflex-01 tftp://192.168.1.101/backups/aflex-01 period 2592000

interface
Description Access the CLI configuration level for an interface.

Syntax interface {
ethernet port-num |
lif logical-interface-id |
loopback num |
management |
trunk num |
tunnel num |
ve ve-num
}

Default N/A

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, specify the interface number as
follows: DeviceID/Portnum

For information about the commands available at the interface configuration level, see
“Config Commands: Interface” on page 241.

Example The following command changes the CLI to the configuration level for Ethernet interface 3:

ACOS(config)#interface ethernet 3
ACOS(config-if:ethernet:3)#

ip
Description Configure global IP settings. For information, see “Config Commands: IP” on page 291.

ip-list
Description Create a list of IP addresses with group IDs to be used by other GSLB commands.

For example, you can create an IP list and use it in a GSLB policy.

Refer to Global Server Load Balancing Guide for more information.

Syntax [no] ip-list list-name

After entering this command, you are placed in a sub-configuration mode where you can
enter the IP addresses as follows:

ipv4-addr [to end-ipv-addr]
ipv6-addr [to end-ipv6-addr]
ipv6-addr/range [count num] [to end-ipv6-addr/range]

Mode Configuration mode

Example The following example shows how to use the ip-list command to create a list of IPv4
addresses from 10.10.10.1 to 10.10.10.44:

ACOS(config)#ip-list ipv4-list
ACOS(config-ip-list)#10.10.10.1 to 10.10.10.44


ipv6
Description Configure global IPv6 settings. For information, see “Config Commands: IPv6” on page 317.

key
Description Configure a key chain for use by RIP or IS-IS MD5 authentication.

Syntax [no] key chain name

Replace name with the name of the key chain (1-31 characters).

This command changes the CLI to the configuration level for the specified key chain, where
the following key-chain related command is available:

[no] key num

This command adds a key and enters configuration mode for the key. The key number can
be 1-255. This command changes the CLI to the configuration level for the specified key,
where the following key-related command is available:

[no] key-string string

This command configures the authentication string of the key, 1-16 characters.

Default By default, no key chains are configured.

Mode Global Config

Usage Although you can configure multiple key chains, A10 Networks recommends using one key
chain per interface, per routing protocol.

Example The following commands configure a key chain named “example_chain”.

ACOS(config)#key chain example_chain
ACOS(config-keychain)#key 1
ACOS(config-keychain-key)#key-string thisiskey1
ACOS(config-keychain-key)#exit
ACOS(config-keychain)#key 2
ACOS(config-keychain-key)#key-string thisiskey2
ACOS(config-keychain-key)#exit
ACOS(config-keychain)#key 3
ACOS(config-keychain-key)#key-string thisiskey3

lacp system-priority
Description Set the Link Aggregation Control Protocol (LACP) priority.

Syntax [no] lacp system-priority num


Replace num with the LACP system priority, 1-65535. A low priority number indicates a high
priority value. The highest priority is 1 and the lowest priority is 65535.

Default 32768

Mode Configuration mode

Usage In cases where LACP settings on the local device (the ACOS device) and the remote device at
the other end of the link differ, the settings on the device with the higher priority are used.

lacp-passthrough
Description Specify peer ports to which received LACP packets can be forwarded.

Syntax lacp-passthrough ethernet num ethernet num

Replace num with the ethernet interface of the peer member to forward LACP packets.

Default Not set

Mode Configuration mode

Introduced in Release 2.7.1

lacp-trunk
Description Configure settings for an LACP trunk.

Syntax [no] lacp-trunk Trunknum

Replace Trunknum with the LACP trunk ID, 1-4096.

If the ACOS device is a member of an aVCS virtual chassis, specify the trunk ID as follows:
DeviceID/Trunknum

This command changes the CLI to the configuration level for the specified trunk, where the
following trunk-related commands are available:

Command Description
disable-lacp [ethernet portnum [to portnum] [ethernet portnum ...]]
Disables the trunk or specific interfaces in the trunk.
enable-lacp [ethernet portnum [to portnum] [ethernet portnum ...]]
Enables the trunk or specific interfaces in the trunk.
Interfaces in the trunk are enabled by default.
[no] name string Assign a name to a trunk.
[no] ports-threshold num [do-manual-recovery] Specifies the minimum number of ports that must be
up in order for the trunk to remain up. If the number of up ports falls below the configured
threshold, the ACOS device automatically disables the trunk’s member ports. The ports are
disabled in the running-config. You can specify 2-8.
The do-manual-recovery option disables automatic recovery of the trunk when the required
number of ports come back up. If you use this option, the trunk remains disabled until you
re-enable it.
By default, this is not set; a trunk’s status remains Up so long as at least one of its
member ports is up.
[no] ports-threshold-timer seconds Specifies how many seconds to wait after a port goes down
before marking the trunk down, if the configured threshold is exceeded. You can set the
ports-threshold timer to 1-300 seconds.
The default is 10 seconds.

Default See descriptions.

Mode Configuration mode

Usage Notes Regarding the Ports Threshold

If the number of up ports falls below the configured threshold, ACOS automatically disables
the trunk’s member ports. The ports are disabled in the running-config. The ACOS device
also generates a log message and an SNMP trap, if these services are enabled.

In some situations, a timer is used to delay the ports-threshold action. The configured port
threshold is not enforced until the timer expires. The ports-threshold timer for a trunk is used
in the following situations:

• When a member of the trunk links up.
• A port is added to or removed from the trunk.
• The port threshold for the trunk is configured during runtime. (If the threshold is set in
the startup-config, the timer is not used.)

ldap-server
Description Set Lightweight Directory Access Protocol (LDAP) parameters for authenticating
administrative access to the Thunder Series device.

Syntax [no] ldap-server host {hostname | ipaddr}
{
cn cn-name dn dn-name |
domain domain-name
[base domain-name]
[group group-id]
}
[port portnum]
[ssl]
[timeout seconds]

Parameter Description
hostname | ipaddr Hostname or IP address of the LDAP server.
cn cn-name dn dn-name The cn option specifies the value for the Common Name (CN) attribute.
The dn option specifies the value for the Distinguished Name (DN) attribute.
NOTE: For the dn option, do not use quotation marks. For
example, the following DN string syntax is valid:
cn=xxx3,dc=maxcrc,dc=com
The following string is not valid:
“cn=xxx3,dc=maxcrc,dc=com”
domain domain-name [base domain-name] [group group-id] Configure login based on domain name
(for example, LDAP login).
port portnum Specifies the protocol port on which the server listens for
LDAP traffic.
The default port is 389.
ssl Uses SSL to secure the connection.
timeout seconds Specifies the maximum number of seconds the ACOS device
waits for a reply from the LDAP server for a given request. You
can specify 1-60 seconds. If the LDAP server does not reply
before the timeout, authentication of the admin fails.
The default timeout is 44 seconds.

Default No LDAP servers are configured by default. When you add an LDAP server, it has the default
settings described in the table above.

Mode Configuration mode

Usage LDAP is a AAA protocol that the ACOS device can use to authenticate admins and authorize
their management access based on admin account information on external LDAP servers.

This release supports the following types of LDAP servers:

• OpenLDAP
• Microsoft Active Directory (AD)

To enable LDAP authentication, use the following command at the global configuration level
of the CLI:

[no] authentication type ldap [method2 [method3 [method4]]]

To use backup methods, specify them in the order you want to use them.

Nested OUs


To use nested OUs, specify the nested OU first, then the root. For example, a user account
could be nested as follows:

Root OU= Service Accounts -> OU=StaffElevatedAccounts -> UserAccUser1

To configure the ACOS device to provide LDAP AAA for “UserAccUser1”, use a command such
as the following:

ldap-server host ldapserver.ad.example.edu cn cn dn ou=StaffElevatedAccounts,ou=Service Accounts,dc=ad,dc=example,dc=edu

Example The following commands enable LDAP authentication and add LDAP server 192.168.101.24:

ACOS(config)#authentication type ldap
ACOS(config)#ldap-server host 192.168.101.24 cn cn dn ou=UserAccount,dc=example,dc=com
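
Added example (not from the A10 documentation, and not A10 code): a Python check of the import-periodic and ldap-server lines in a saved configuration, using only the syntax documented in this chapter. It reports import-periodic URLs that use tftp or ftp, period values outside 60-31536000, ldap-server entries without the ssl option, LDAP timeouts outside 1-60 and quoted dn values. The function names and the sample lines (including port 636 and the 192.0.2.x hosts) are constructed.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]   # (configuration line, message)

# URL schemes accepted by import-periodic; these two protect neither the
# file contents nor (for ftp) the login.
CLEARTEXT = {
    "tftp": "TFTP has no authentication or encryption",
    "ftp": "FTP sends credentials and file contents unencrypted",
}
KEY_MATERIAL = {"ssl-key", "ssl-cert-key"}    # import types that carry private keys
URL_RE = re.compile(r"\b(tftp|ftp|scp|sftp)://\S+")
PERIOD_RE = re.compile(r"\bperiod\s+(\d+)\s*$")
# Optional ldap-server arguments that follow the cn/dn or domain part.
LDAP_TAIL_RE = re.compile(r"(?:\s+(?:port\s+\d+|ssl|timeout\s+\d+))*$")


def _check_import(line: str, words: List[str]) -> List[Finding]:
    kind = words[1] if len(words) > 1 else "unknown"
    url = URL_RE.search(line)
    if url is None:
        return [(line, "no tftp, ftp, scp or sftp URL found")]
    out: List[Finding] = []
    scheme = url.group(1)
    if scheme in CLEARTEXT:
        what = "private key material" if kind in KEY_MATERIAL else f"the {kind} file"
        out.append((line, f"{CLEARTEXT[scheme]}; {what} is re-fetched over it every period"))
    period = PERIOD_RE.search(line)
    if period is None or not 60 <= int(period.group(1)) <= 31536000:
        out.append((line, "period must be 60-31536000 seconds"))
    return out


def _check_ldap(line: str) -> List[Finding]:
    out: List[Finding] = []
    tail = LDAP_TAIL_RE.search(line).group(0)       # e.g. " port 636 ssl timeout 10"
    head = line[: len(line) - len(tail)]            # host and cn/dn (DN may contain spaces)
    if not re.search(r"\bssl\b", tail):
        out.append((line, "ssl option absent: the connection to the LDAP server is not secured"))
    timeout = re.search(r"timeout\s+(\d+)", tail)
    if timeout and not 1 <= int(timeout.group(1)) <= 60:
        out.append((line, "timeout must be 1-60 seconds"))
    if re.search(r'\bdn\s+["\u201c]', head):
        out.append((line, "dn value is quoted; enter the DN without quotation marks"))
    return out


def audit_remote_transports(config_text: str) -> List[Finding]:
    """Report import-periodic and ldap-server lines that need attention."""
    findings: List[Finding] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        words = line.split()
        if not words:
            continue
        if words[0] == "import-periodic":
            findings += _check_import(line, words)
        elif words[:2] == ["ldap-server", "host"]:
            findings += _check_ldap(line)
    return findings


# Constructed sample. Lines 1 and 4 repeat examples from this chapter; the others
# are made up and use documentation addresses.
SAMPLE_CONFIG = """\
import-periodic aflex aflex-01 tftp://192.168.1.101/backups/aflex-01 period 2592000
import-periodic ssl-key bulk ftp://admin@192.0.2.10/keys.tgz period 30
import-periodic class-list cl-01 sftp://admin@192.0.2.10/cl-01 period 3600
ldap-server host 192.168.101.24 cn cn dn ou=UserAccount,dc=example,dc=com
ldap-server host 192.0.2.20 cn cn dn ou=Service Accounts,dc=example,dc=com port 636 ssl timeout 10
"""

if __name__ == "__main__":
    for config_line, message in audit_remote_transports(SAMPLE_CONFIG):
        print(f"{message}\n    {config_line}")
```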

link
Description Link the “startup-config” token to the specified configuration profile. By default,
“startup-config” is linked to “default”, which means the configuration profile stored in the
image area from which the ACOS device most recently rebooted.

Syntax link startup-config {default | profile-name}
[primary | secondary]

Parameter Description
default Links “startup-config” to the configuration profile stored in the
image area from which the ACOS device was most recently
rebooted.
profile-name Links “startup-config” to the specified configuration profile.
primary | secondary Specifies the image area. If you omit this option, the image
area last used to boot is selected.

Default The “startup-config” token is linked to the configuration profile stored in the image area from
which the ACOS device was most recently rebooted.

Mode Configuration mode

Usage This command enables you to easily test new configurations without replacing the
configuration stored in the image area.

The profile you link to must be stored on the boot device you select. For example, if you use
the default boot device (hard disk) selection, the profile you link to must be stored on the
hard disk. If you specify cf, the profile must be stored on the compact flash. (To display the
profiles stored on the boot devices, use the show startup-config all command. See
“show startup-config” on page 782.)

After you link “startup-config” to a different configuration profile, configuration management
commands that affect “startup-config” affect the linked profile instead of affecting the
configuration stored in the image area. For example, if you enter the write memory
command without specifying a profile name, the command saves the running-config to the
linked profile instead of saving it to the configuration stored in the image area.

Likewise, the next time the ACOS device is rebooted, the linked configuration profile is
loaded instead of the configuration that is in the image area.

To relink “startup-config” to the configuration profile stored in the image area, use the default
option (link startup-config default).

Example The following command links configuration profile “slbconfig3” with “startup-config”:

ACOS(config)#link startup-config slbconfig3

Example The following command relinks “startup-config” to the configuration profile stored in the
image area from which the ACOS device was most recently rebooted:

ACOS(config)#link startup-config default

lldp enable
Description Use this command to enable or disable LLDP from the global level. You can enable LLDP to
either receive only, transmit only, or transmit and receive.

Syntax [no] lldp enable [rx] [tx]

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

Example To enable LLDP transmission and receipt from the global level, issue the following
command:

ACOS(config)#lldp enable rx tx

lldp management-address
Description Configures the management-address that can include the following information:
• DNS name
• IPv4 address
• IPv6 address

Optionally, you can specify the interface on which the management address is configured.
The management interface can be either a physical Ethernet interface or a virtual interface
(VE).

Syntax [no] lldp management-address
{dns dns-value | ipv4 ipv4-value ipv6 ipv6-value}
interface {Ethernet eth-num | management | ve ve-num}


Default Not set

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

lldp notification interval
Description This object controls the interval between transmission of LLDP notifications during normal
transmission periods.

Syntax [no] lldp notification interval notification-value

Default 30

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

lldp system-description
Description Defines the alpha-numeric string that describes the system in the network.

Syntax [no] lldp system-description sys-description-value

Default None

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

lldp system-name
Description Defines the string that will be assigned as the system name.

Syntax [no] lldp system-name system-name-value

Default hostname

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

Example The following command will set the LLDP system name to “testsystem”:

ACOS(config)#lldp system-name testsystem

lldp tx interval
Description Defines the transmission (tx) interval between a normal transmission period.

Syntax [no] lldp tx interval value


Replace value with the transmission interval from 1 to 3600 seconds.

Default 30 seconds

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

Example The following command will set the transmission interval to 200:

ACOS(config)#lldp tx interval 200

lldp tx hold
Description Determines the value of the message transmission time to live (TTL) interval that is carried in
LLDP frames. The hold-value can be from 1 to 100 seconds.

Syntax [no] lldp tx hold hold-value

Default 4 seconds

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

Example The following command will set the transmission hold time to 255:

ACOS(config)#lldp tx hold 255

lldp tx reinit-delay
Description Indicates the delay interval when the administrative status indicates ‘disabled’ after which
re-initialization is attempted. The range for the reinit-delay-value is 1-5 seconds.

Syntax [no] lldp tx reinit-delay reinit-delay-value

Default 2 seconds

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

Example The following command will set the retransmission delay to 3 seconds:

ACOS(config)#lldp tx reinit-delay 3

lldp tx fast-count
Description This value is used as the initial value for the Fast transmission variable. This value determines
the number of LLDP data packets that are transmitted during a fast transmission period. This
value can range from 1-8 seconds.


Syntax [no] lldp tx fast-count value

Default 4

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

Example The following command will set the LLDP fast count transmission value to 3 seconds:

ACOS(config)#lldp tx fast-count 3

lldp tx fast-interval
Description This variable defines the time interval in timer ticks between transmissions during fast
transmission periods (that is, txFast is non-zero). The range for this variable is 1-3600 seconds.

Syntax [no] lldp tx fast-interval

Default 1 second

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

Example The following command will set the LLDP fast transmission interval value to 2000 seconds:

ACOS(config)#lldp tx fast-interval 2000

locale
Description Set the CLI locale.

Syntax [no] locale {test | locale}

Default en_US.UTF-8

Mode Configuration mode

Usage Use this command to configure the locale or to test the supported locales.

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following commands test the Chinese locales and set the locale to zh_CN.GB2312:

ACOS(config)#locale test zh_CN
ACOS(config)#locale zh_CN.GB2312

logging target severity-level


Description Specify the severity levels of event messages to send to message targets other than the
ACOS log buffer.

Syntax [no] logging target severity-level

Parameter Description
target Specifies where the event messages are sent.
• console – serial console
• email – email
• monitor – Telnet and SSH sessions
• syslog – external Syslog host
• trap – external SNMP trap host
NOTE: For information about the email option, see “logging
email buffer” on page 122 and “logging email filter” on page 122.
severity-level Specifies the severity levels to log. You must enter the name of the
severity level (in previous releases, entering the severity level
number was allowed):
• emergency (level 0)
• alert (level 1)
• critical (level 2)
• error (level 3)
• warning (level 4)
• notification (level 5)
• information (level 6)
• debugging (level 7)

Default The default severity level depends on the target:


• console – 3 (error)
• email – not set (no logging)
• monitor – not set (no logging)
• syslog – not set (no logging)
• trap – not set (no logging)

Mode Configuration mode

Usage To send log messages to an external host, you must configure the external host using the
logging host command.

Example The following command sets the severity level for event messages sent to the console to 2
(critical):

ACOS(config)#logging console 2

logging auditlog host


Description Configure audit logging to an external server.

Syntax [no] logging auditlog host {ipaddr | hostname} [facility facility-name]

Parameter Description
ipaddr | hostname IP address or hostname of the server.
facility-name Name of a log facility:
• local0
• local1
• local2
• local3
• local4
• local5
• local6
• local7

Default N/A

Mode Configuration mode

Usage The audit log is automatically included in system log backups. You do not need this
command in order to back up audit logs that are within the system log. To back up the system
log, see “backup system” on page 27 and “backup log” on page 25.

In the current release, only a single log server is supported for remote audit logging.

logging buffered
Description Configure the event log on the Thunder Series device.

Syntax [no] logging buffered {maximum-messages | severity-level}

Parameter Description
maximum-messages Specifies the maximum number of messages the event log buffer
will hold.
The default is 30000.
severity-level Specifies the severity levels to log. You must enter the name of
the severity level (in previous releases, entering the severity
level number was allowed):
• emergency (level 0)
• alert (level 1)
• critical (level 2)
• error (level 3)
• warning (level 4)
• notification (level 5)
• information (level 6)
• debugging (level 7)
The default severity level is debugging (level 7).

Default See descriptions.

Mode Configuration mode

Example The following command sets the severity level for log messages to 7 (debugging):

ACOS(config)#logging buffered debugging

logging disable-partition-name
Description Disable display of L3V partition names in log messages.

Syntax [no] logging disable-partition-name

Default Display of L3V partition names in log messages is enabled by default.

Mode Configuration mode

Usage When display of partition names is enabled (the default), partition names are included in
log messages, as the following example illustrates.
Jan 24 2014 15:30:21 Info [HMON]:<partition_1> SLB server rs1 (4.4.4.4) is down
Jan 24 2014 15:30:19 Info [HMON]:<partition_1> SLB server rs1 (4.4.4.4) is up
Jan 24 2014 15:30:17 Info [ACOS]:<partition_1> Server rs1 is created

Introduced in Release ACOS 2.7.2

logging email buffer


Description Configure log email settings.

Syntax [no] logging email buffer [number num] [time minutes]

Parameter Description
number num Specifies the maximum number of messages to buffer. You can
specify 16-256.
The default number is 50 messages.
time minutes Specifies how long to wait before sending all buffered messages, if the
buffer contains fewer than the maximum allowed number of
messages. You can specify 10-1440 minutes.
The default time is 10 minutes.

Default By default, emailing of log messages is disabled. When you enable the feature, the buffer
options have the default values described in the table above.

Mode Configuration mode

Usage To configure the ACOS device to send log messages by email, you also must configure an
email filter and specify the email address to which to email the log messages. See “logging
email filter” on page 122 and “logging email-address” on page 125.

Example The following command configures the ACOS device to buffer log messages to be emailed.
Messages will be emailed only when the buffer reaches 32 messages, or 30 minutes pass
since the previous log message email, whichever happens first.

ACOS(config)#logging email buffer number 32 time 30

logging email filter


Description Configure a filter for emailing log messages.

Syntax [no] logging email filter filter-num "conditions" operators [trigger]

Parameter Description
filter-num Specify the filter number (1-8).
conditions Message attributes on which to match. The conditions list can contain
one or more of the following:
• Severity levels of messages to send in email. Specify the severity
levels by number or word:
• 0 - emergency
• 1 - alert
• 2 - critical
• 3 - error
• 4 - warning
• 5 - notification
• 6 - information
• 7 - debugging
• Software modules for which to email messages. Messages are
emailed only if they come from one of the specified software
modules. For a list of module names, enter ? instead of a module name,
and press Enter.
• Regular expression. Standard regular expression syntax is
supported. Only messages that meet the criteria of the regular
expression will be emailed. The regular expression can be a simple text
string or a more complex expression using standard regular
expression logic.
operators Set of Boolean operators (AND, OR, NOT) that specify how the
conditions should be compared.
The CLI Boolean expression syntax is based on Reverse Polish Notation
(also called Postfix Notation), a notation method that places an
operator (AND, OR, NOT) after all of its operands (in this case, the conditions
list).
After listing all the conditions, specify the Boolean operator(s). The
following operators are supported:
• AND – All conditions must match in order for a log message to be
emailed.
• OR – Any one or more of the conditions must match in order for a
log message to be emailed.
• NOT – A log message is emailed only if it does not match the
conditions.
For more information about Reverse Polish Notation, see:
http://en.wikipedia.org/wiki/Reverse_Polish_notation
trigger Immediately sends the matching messages in an email instead of
buffering them. If you omit this option, the messages are buffered
based on the logging email buffer settings.

Default Not set. Emailing of log messages is disabled by default.

Mode Configuration mode

Usage To configure the ACOS device to send log messages by email, you also must specify the
email address to which to email the log messages. See “logging email-address” on page 125.

Below are some additional usage considerations:

• You can configure up to 8 filters. The filters are used in numerical order, starting with
filter 1. When a message matches a filter, the message will be emailed based on the
buffer settings. No additional filters are used to examine the message.
• A maximum of 8 conditions are supported in a filter.
• The total number of conditions plus the number of Boolean operators supported in a
filter is 16.
• The filter requires a valid module name, even if you omit the module option.
• For backward compatibility, the following syntax from previous releases is still
supported:

logging email severity-level

The severity-level can be one or more of the following (specify either the severity
number or name):

• 0 - emergency
• 1 - alert
• 2 - critical
• 5 - notification

The command is treated as a special filter. This filter is placed into effect only if the
command syntax shown above is in the configuration. The filter has an implicit trigger
option for emergency, alert, and critical messages, to emulate the behavior in previous
releases.

Example The following command configures a filter that matches on log messages if they are
information-level messages and contain the string “abc”. The trigger option is not used, so the
messages will be buffered rather than emailed immediately.

ACOS(config)#logging email filter 1 "level information pattern abc and"

The following command reconfigures the filter to immediately email matching messages.

ACOS(config)#logging email filter 1 "level information pattern abc and" trigger

Example The following example configures a filter to send email if the log message is generated by
the “AFLEX” module and the severity level is “warning”:

ACOS(config)#logging email filter 1 "level warning module AFLEX and"

Example The following example configures a filter to send email if the log message has the pattern of
“disk is full” or the severity level is “critical”:

ACOS(config)#logging email filter 2 "pattern disk is full level critical or"

Example The following example configures a filter to send email if the log message is generated by
(module “SYSTEM” or “ALB”) and (the severity level is “alert” or has pattern of “unexpected
error”):

ACOS(config)#logging email filter 3 "module SYSTEM module ALB or level alert pattern unexpected error or and"
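
The postfix evaluation and first-match filter ordering described above, modeled in Python as an added example (not A10 code and not part of the original reference). The function names, the (severity, module, text) message form, exact-match severity comparison, and the rule that a pattern runs up to the next keyword or operator are assumptions; the trigger flag on filter 2 and the sample messages are constructed.

```python
import re

LEVELS = ["emergency", "alert", "critical", "error",
          "warning", "notification", "information", "debugging"]
KEYWORDS = {"level", "module", "pattern"}
OPERATORS = {"and", "or", "not"}
MAX_CONDITIONS = 8   # documented limit on conditions per filter
MAX_ENTRIES = 16     # documented limit on conditions plus operators


def parse_filter(expr):
    """Split a conditions/operators string into postfix (kind, value) tokens."""
    words, tokens, i = expr.split(), [], 0
    while i < len(words):
        word = words[i].lower()
        if word in OPERATORS:
            tokens.append(("op", word))
            i += 1
        elif word in ("level", "module"):
            if i + 1 >= len(words):
                raise ValueError(f"'{word}' needs a value")
            value = words[i + 1]
            if word == "level":
                # Severity may be written as a number (0-7) or as a name.
                if value.isdigit() and int(value) < len(LEVELS):
                    value = LEVELS[int(value)]
                value = value.lower()
                if value not in LEVELS:
                    raise ValueError(f"unknown severity level: {value}")
            tokens.append((word, value))
            i += 2
        elif word == "pattern":
            # Assumption: the pattern text runs to the next keyword or operator,
            # so a pattern containing the bare word "and"/"or"/"not" is ambiguous.
            j = i + 1
            while j < len(words) and words[j].lower() not in KEYWORDS | OPERATORS:
                j += 1
            if j == i + 1:
                raise ValueError("'pattern' needs an expression")
            tokens.append(("pattern", " ".join(words[i + 1:j])))
            i = j
        else:
            raise ValueError(f"unexpected word: {words[i]}")
    conditions = sum(1 for kind, _ in tokens if kind != "op")
    if conditions > MAX_CONDITIONS or len(tokens) > MAX_ENTRIES:
        raise ValueError("filter exceeds the documented size limits")
    return tokens


def evaluate(tokens, severity, module, text):
    """Evaluate postfix tokens against one log message using a stack."""
    stack = []
    for kind, value in tokens:
        if kind == "level":
            stack.append(severity == value)
        elif kind == "module":
            stack.append(module.upper() == value.upper())
        elif kind == "pattern":
            stack.append(re.search(value, text) is not None)
        elif value == "not":
            if not stack:
                raise ValueError("NOT has no operand")
            stack.append(not stack.pop())
        else:
            if len(stack) < 2:
                raise ValueError(f"{value.upper()} needs two operands")
            right, left = stack.pop(), stack.pop()
            stack.append((left and right) if value == "and" else (left or right))
    if len(stack) != 1:
        raise ValueError("conditions left over without an operator")
    return stack[0]


def first_match(filters, severity, module, text):
    """Apply filters in numerical order; the first match decides the action."""
    for number in sorted(filters):
        expr, trigger = filters[number]
        if evaluate(parse_filter(expr), severity, module, text):
            return number, "send-now" if trigger else "buffer"
    return None  # no filter matched: the message is not emailed


# Filter strings from the examples above; filter 2's trigger flag is constructed.
PAGE_FILTERS = {
    1: ("level warning module AFLEX and", False),
    2: ("pattern disk is full level critical or", True),
    3: ("module SYSTEM module ALB or level alert pattern unexpected error or and", False),
}

if __name__ == "__main__":
    # Constructed sample messages: (severity, module, text).
    for msg in [("warning", "AFLEX", "script aborted"),
                ("critical", "ALB", "unexpected error"),
                ("alert", "HMON", "server rs1 is down")]:
        print(msg, "->", first_match(PAGE_FILTERS, *msg))
```

Because evaluation stops at the first matching filter, a critical ALB message is handled by filter 2 even though filter 3 would also match it, so the order of filter numbers decides whether an alert is sent immediately or buffered.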

logging email-address
Description Specify the email addresses to which to send event messages.

Syntax [no] logging email-address address [...]

Replace address with a valid email address. You can specify multiple email addresses; use a
space between each email address.

Default None

Mode Configuration mode

Usage To configure the ACOS device to send log messages by email, you also must configure an
email filter. See “logging email filter” on page 122.

Example The following command sets two email addresses to which to send log messages:

ACOS(config)#logging email-address admin1@example.com admin2@example.com

logging export
Description Send the messages that are in the event buffer to an external file server.

Syntax [no] logging export [all] url

Parameter Description
all Include system support messages.
url Protocol, user name (if required), and directory path you want to use
to send the file.
You can enter the entire URL on the command line or press Enter to
display a prompt for each part of the URL. If you enter the entire URL
and a password is required, you will still be prompted for the
password. The password can be up to 255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[port:]/file
• scp://[user@]host/file
• sftp://[user@]host/file

Default N/A

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following example sends the event buffer to an external file server using FTP. The file
“event-buffer-messages.txt” will be created on the remote server.

ACOS(config)#logging export ftp://exampleuser@examplehost/event-buffer-messages.txt

logging facility
Description Enable logging facilities.

Syntax [no] logging facility facility-name

Replace facility-name with the name of a log facility:

• local0
• local1
• local2
• local3
• local4
• local5
• local6
• local7

Default The default facility is local0.

Mode Configuration mode

logging host
Description Specify a Syslog server to which to send event messages.

Syntax [no] logging host ipaddr [ipaddr...] [use-mgmt-port] [port protocol-port]

Parameter Description
ipaddr IP address of the Syslog server. You can enter multiple IP addresses.
Up to 10 remote logging servers are supported.
use-mgmt-port Use the management routing table and management interface to
reach the server.
port protocol-port Protocol port number to which to send messages. You can specify
only one protocol port with the command. All servers must use the
same protocol port to listen for syslog messages.

Default The default protocol port is 514.

Mode Configuration mode

Usage If you use the command to add some log servers, then need to add a new log server later,
you must enter all server IP addresses in the new command. Each time you enter the
logging host command, it replaces any set of servers and syslog port configured by the
previous logging host command.

Example The following command configures 4 external log servers. In this example, the servers use
the default syslog protocol port, 514, to listen for log messages.

ACOS(config)#logging host 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4

Example The following command reconfigures the set of external log servers, with a different protocol
port. All the log servers must use this port.

ACOS(config)#logging host 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4 port 8899

logging single-priority severity-level


Description Configure single-priority logging to log one specific severity level from among the standard
syslog message severity levels.

Syntax [no] logging single-priority severity-level

Replace severity-level with the severity level to log. You must enter the name of the severity
level:

• emergency (level 0)
• alert (level 1)
• critical (level 2)
• error (level 3)
• warning (level 4)
• notification (level 5)
• information (level 6)
• debugging (level 7)

Default Not set

Mode Configuration mode

mac-address
Description Configure a static MAC address.

Syntax [no] mac-address mac-address port port-num vlan vlan-id [trap {source | dest | both}]

Parameter Description
mac-address Hardware address, in the following format:
aabb.ccdd.eeff
port port-num ACOS Ethernet port to which to assign the MAC address.
If the ACOS device is a member of an aVCS virtual chassis, specify
the interface as follows:
DeviceID/Portnum
vlan vlan-id Layer 2 broadcast domain in which to place the device.
trap Send packets to the CPU for processing, instead of switching them
in hardware:
• source – Send packets that have this MAC as a source address to
the CPU.
• dest – Send packets that have this MAC as a destination address
to the CPU.
• both – Send packets that have this MAC as either a source or
destination address to the CPU.

NOTE: The trap option is supported on only some AX models: AX 3200-12, AX 3400,
AX 5200-11 and AX 5630.

Default No static MAC addresses are configured by default.

Mode Configuration mode

Example The following command configures static MAC address abab.cdcd.efef on port 5 in VLAN 3:

ACOS(config)#mac-address abab.cdcd.efef port 5 vlan 3

mac-age-time
Description Set the aging time for dynamic (learned) MAC entries. An entry that remains unused for the
duration of the aging time is removed from the MAC table.

Syntax [no] mac-age-time seconds

Replace seconds with the number of seconds a learned MAC entry can remain unused
before it is removed from the MAC table (10-600).

Default 300 seconds

Mode Configuration mode

On some AX models, the actual MAC aging time can be up to 2 times the configured value.
For example, if the aging time is set to 50 seconds, the actual aging time will be between 50
and 100 seconds. (This applies to the AX 3200-12, AX 3400, AX 5200-11 and AX 5630.)

On other models, the actual MAC aging time can be +/- 10 seconds from the configured
value.

Example The following command changes the MAC aging time to 600 seconds:

ACOS(config)#mac-age-time 600

maximum-paths
Description Change the maximum number of paths a route can have in the Forwarding Information Base
(FIB).

Syntax [no] maximum-paths num

Replace num with the maximum number of paths a route can have. You can specify 1-64.

Default 10

Mode Configuration mode

mirror-port
Description Specify a port to receive copies of another port’s traffic.

For more information about mirror port configuration, see “Multiple Port-Monitoring Mirror
Ports” in the System Configuration and Administration Guide.

Syntax [no] mirror-port portnum ethernet portnum [input | output | both]

Parameter Description
mirror-port portnum Mirror port index number.
ethernet portnum Ethernet port number. This is the port that will act as the mirror port.
Mirrored traffic from the monitored port will be copied to and sent out
of this port.
input Configures the mirror port so that only inbound traffic from the
monitored port can be sent out of the mirror port.
output Configures the mirror port so that only outbound traffic from the
monitored port can be sent out of the mirror port.
both Configures the mirror port so that both inbound and outbound traffic
from the monitored port can be sent out of the mirror port.
This is the default behavior, meaning that if no traffic direction is
specified, then both inbound and outbound traffic will be mirrored
without having to explicitly specify the both option.

Default Not set

Mode Configuration mode

Usage When enabling monitoring on a port, you can specify the mirror port to use. You also can
specify the traffic direction. A monitored port can use multiple mirror ports.

To specify the port to monitor, use the monitor command at the interface configuration
level. (See “monitor” on page 281.)

Example The following command configures Ethernet port 4 so that it is able to send both inbound
and outbound traffic from the monitored port:

ACOS(config)#mirror-port 1 ethernet 4 both

The following commands configure a monitor port, Ethernet port 8, to use Ethernet port 4 as
the mirror port, using mirror index 1 from above:

ACOS(config)#interface ethernet 8
ACOS(config-if:ethernet:8)#monitor 1 both

Example The following command configures Ethernet port 3 to send only inbound traffic from the
monitored port:

ACOS(config)#mirror-port 2 ethernet 3 input

The following commands configure a monitor port, Ethernet port 6, to use Ethernet port 3 as
the mirror port, using mirror index 2 from above. Note that the input parameter must be
used on the monitor port since the mirror port was also configured with the input
parameter:

ACOS(config)#interface ethernet 6
ACOS(config-if:ethernet:6)#monitor 2 input

monitor
Description Specify event thresholds for utilization of resources.

Syntax [no] monitor resource-type threshold-value [conn-type] [smp-type]

Parameter Description
resource-type Type of resource for which to set the monitoring threshold:
• buffer-drop – Packet drops (dropped IO buffers)
• buffer-usage – Control buffer utilization
• conn-type threshold-value – Thresholds for Symmetric
Multi-Processing (SMP) resources per CPU:
• conn-type0 – 32 bytes
• conn-type1 – 64 bytes
• conn-type2 – 128 bytes
• conn-type3 – 256 bytes
• conn-type4 – 512 bytes
You can enter a value from 32767 to 256000000 (256
million). The default is 32767.
• ctrl-cpu – Control CPU utilization
• data-cpu – Data CPUs utilization
• disk – Hard disk utilization
• memory – Memory utilization
• smp-type threshold-value – Threshold for SMP
resources for the global session memory pool, shared across
all of the ACOS device’s CPUs:
• smp-type0 – 32 bytes
• smp-type1 – 64 bytes
• smp-type2 – 128 bytes
• smp-type3 – 256 bytes
• smp-type4 – 512 bytes
You can enter a value from 32767 to 256000000 (256
million). The default is 32767.
• warn-temp – CPU temperature
threshold-value The values you can specify depend on the event type and on
the ACOS device model. For information, see the CLI help.

Default The default threshold values depend on the event type and on the ACOS model. For
information, see the CLI help.

Usage If utilization of a system resource crosses the configured threshold, a log message is
generated. If applicable, an SNMP trap is also generated.

To display the configured event thresholds, see “show monitor” on page 759.

Example The following command sets the event threshold for data CPU utilization to 80%:

ACOS(config)#monitor data-cpu 80

multi-config
Description Enable simultaneous admin sessions.

Syntax [no] multi-config enable

Default Enabled

Mode Config

Usage Use the “no” form of the command to disable multiple admin access.

NOTE: Disabling multiple admin access does not terminate currently active admin
sessions. For example, if there are 4 active config sessions, disabling multi-user access
will cause the display of a permission prompt when a 5th user attempts to log onto
the device. However, the previous 4 admin sessions will continue to run unaffected.

multi-ctrl-cpu
Description Enable use of more than one CPU for control processing.

Syntax [no] multi-ctrl-cpu num

Replace num with the number of CPUs to use for control processing. Up to one fourth of the
device’s CPUs can be used for control processing.

To display the number of CPUs your device has, enter the show hardware command.

Default One CPU is used for control processing.

Mode Global configuration level

Usage A reboot is required to place this command into effect.

This command is required if you plan to enable use of multiple CPUs for health-check
processing.

Example The following commands display the number of CPUs (cores) the device being managed
contains, and enable use of multiple CPUs for control processing.

ACOS(config)#show hardware
AX Series Advanced Traffic Manager AX2500
Serial No : AX2505abcdefghij
CPU : Intel(R) Xeon(R) CPU
8 cores
5 stepping
Storage : Single 74G drive
Memory : Total System Memory 6122 Mbyte, Free Memory 1275
Mbyte
SMBIOS : Build Version: 080015
Release Date: 02/01/2010
SSL Cards : 5 device(s) present
5 Nitrox PX
GZIP : 0 compression device(s) present
FPGA : 0 instance(s) present
L2/3 ASIC : 0 device(s) present
Ports : 12

The first attempt does not succeed because the number of CPUs requested (3) was more
than the number available for control processing on this device.

ACOS(config)#multi-ctrl-cpu 3
The number of control CPUs should be less than a quarter of the total number of CPUs

The next attempt succeeds. The number of CPUs requested (2) is one-fourth of the total
number of CPUs on the device, which is the maximum that can be allocated to control
processing.

ACOS(config)#multi-ctrl-cpu 2
This will modify your boot profile for multiple control CPUs.
It will take effect after the next reboot.
Please confirm: You want to configure multiple control CPUs (N/Y)?:Y
...

netflow common max-packet-queue-time


Description Specify the maximum amount of time ACOS can hold onto a NetFlow record packet in the
queue before sending it to the NetFlow collector. ACOS holds a NetFlow packet in the queue
until the packet payload is full of record data or until the queue timer expires.

Syntax [no] netflow common max-packet-queue-time queue-time-multiplier

Replace queue-time-multiplier with the multiplier for the maximum queue time.
Multiply this value by 20 to calculate the maximum number of milliseconds (ms) ACOS will
hold a NetFlow packet in the queue before sending it. The multiplier can be 0-50. For
example, to specify a half-second maximum queue time, set the multiplier to 25. Likewise, to
specify a 1-second queue time, set the multiplier to 50.

Setting the multiplier to 0 means that there will be no delay for NetFlow packets to be sent
to the NetFlow collector, and NetFlow records will not be buffered.

Default 50 (1-second maximum queue time)

Mode Global configuration level

netflow monitor
Description Enable ACOS to act as a NetFlow exporter, for monitoring traffic and exporting the data to
one or more NetFlow collectors for analysis.

Syntax [no] netflow monitor monitor-name

Replace monitor-name with the name of the NetFlow monitor.

This command changes the CLI to the configuration level for the specified NetFlow monitor,
where the following commands are available.

Command Description
[no] destination ipaddr [portnum] Configure the destination where NetFlow records will be sent.
disable Disable this NetFlow monitor.
[no] flow-timeout Timeout value interval at which flow records will be periodically exported for
long-lived sessions. Flow records for short-lived sessions (if any) are sent upon termination
of the session.
After the specified amount of time has elapsed, the ACOS device will send any flow
records to the NetFlow collector, even if the flow is still active. The flow timeout can
be set to 0-1440 minutes. The flow timeout default value is 10 minutes.
Setting the timeout value to 0 disables the flow timeout feature. Regardless of how
long-lived a flow might be, the ACOS device waits until the flow has ended and the
session is deleted before it sends any flow records for it.
[no] protocol Configure the version of the NetFlow protocol you want to use:
• v9 – Version 9 (default)
• v10 – Version 10
[no] record netflow-template-type Configure the NetFlow record types to be exported. (See the
“NetFlow v9 and v10 (IPFIX)” chapter in the System Configuration and Administration Guide.)
[no] resend-template {records num | timeout seconds} Configure when to resend the NetFlow
template. The trigger can be either the number of records, or the amount of time that has passed.
• records – Specifies the counters by which the ACOS device resends templates to
the collectors. The num can be 0-1000000. The default is 1000.
• timeout – Specifies the time between when templates are resent to the
collectors. The num is the number of seconds and can be 0-86400. The default is 1800.
NOTE: Specifying 0 means never resend the template.

[no] sample {ethernet | global | nat-pool | ve} Enable sampling.
Configure filters for monitoring traffic. Identify the specific type and subset of
resources to monitor.
• ethernet portnum – Specify the list of Ethernet data ports to monitor. Flow
information for the monitored interfaces is sent to the NetFlow collector(s).
• global – (Default) No filters are in effect. Traffic on all interfaces is monitored.
• nat-pool pool-name – NAT pool.
• ve ve-num – Specify the list of Virtual Ethernet (VE) data ports to monitor.
[no] source-address {ip ipv4addr | ipv6 ipv6addr} Uses the specified IP address as the source
address for exported NetFlow packets. By default, the IP address assigned to the egress interface
is used. This command does not change the egress port out which the NetFlow traffic is exported.
[no] source-ip-use-mgmt Use the management interface’s IP address as the source IP for exported
NetFlow packets. This command does not change the egress port out which the NetFlow
traffic is exported.

Default Described above, where applicable.

Mode Global configuration level

no
Description Remove a configuration command from the running configuration.

Syntax no command-string

Default N/A

Mode Config

Usage Use the “no” form of a command to disable a setting or remove a configured item.
Configuration commands at all Config levels of the CLI have a “no” form, unless otherwise noted.

The command is removed from the running-config. To permanently remove the command
from the configuration, use the write memory command to save the configuration
changes to the startup-config. (See “write” on page 43.)

Example The following command removes server “http99” from the running-config:

ACOS(config)#no slb server http99

ntp
Description Configure Network Time Protocol (NTP) parameters.

Syntax [no] ntp auth-key {M | SHA | SHA1} [hex] string

Syntax [no] ntp trusted-key ID-num

Syntax [no] ntp server {hostname | ipaddr}

The ntp server command changes the CLI to the configuration level for the server, where
the following commands are available.

Parameter Description
disable Disables synchronization with the NTP server.
enable Enables synchronization with the NTP server.
key ID-num Creates an authentication key. For ID-num, enter a value
between 1-65535.
prefer Directs ACOS to use this NTP server by default. Additional
NTP servers are used as backup servers if the preferred NTP
server is unavailable.
{M | SHA | SHA1} {ascii | hex} string Specifies the type of authentication key you want to create
for authenticating the NTP servers.
• M - encryption using MD5
• SHA - encryption using SHA
• SHA1 - encryption using SHA1
Specify the authentication key string (1-20 characters). Use
the hex parameter to specify the string in hex format (21-40
characters), or ascii to specify it in text.
trusted-key ID-num Adds an authentication key to the list of trusted keys. For
num, enter the identification number of a configured
authentication key to add the key to the trusted key list. You
can enter more than one number, separated by whitespace,
to simultaneously add multiple authentication keys to the
trusted key list.

Default NTP synchronization is disabled by default. If you enable it, DST is enabled by default, if
applicable to the specified timezone.

Mode Configuration mode

Usage You can configure a maximum of 4 NTP servers.

If the system clock is adjusted while OSPF or IS-IS is enabled, the routing protocols may stop
working properly. To work around this issue, disable OSPF and IS-IS before adjusting the
system clock.

Example The following commands configure an NTP server and enable NTP:

ACOS(config)#ntp server 10.1.4.20
ACOS(config)#ntp server enable

Example The following example creates 3 authentication keys (1337 using MD5 encryption, 1001
using SHA encryption, and 1012 using SHA1 encryption) and adds these keys to the list of
trusted keys. The NTP server located at 10.1.4.20 is configured to use a trusted key (1337) for
authentication:

ACOS(config)#ntp auth-key 1337 M XxEnc192
ACOS(config)#ntp auth-key 1001 SHA Vke1324as
ACOS(config)#ntp auth-key 1012 SHA1 28fj039
ACOS(config)#ntp trusted-key 1337 1001 1012
ACOS(config)#ntp server 10.1.4.20 key 1337

You can verify the NTP server and authentication key configuration with the show run
command. The following example includes an output modifier to display only NTP-related
configuration:

ACOS(config)#show run | include ntp
ntp auth-key 1001 SHA encrypted FSNiuf10Dtzc4aY0tk2J4DwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
ntp auth-key 1012 SHA1 encrypted NEMuh8GgapM8EIy41dsA5zwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
ntp auth-key 1337 M encrypted zIJptJHuaQaw/5o10esBTDwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
ntp trusted-key 1001 1012 1337
ntp server 10.1.4.20 key 1337
ntp server enable
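What a trusted key buys you on the wire, as an added example that is not part of the A10 documentation: a Python sketch of the symmetric-key check defined for NTP in RFC 5905 (key ID followed by a digest of the key and the packet header), using the key IDs and strings from the example above. That ACOS computes the MAC exactly this way is an assumption, and the function names and the 48-byte header are constructed for illustration.

```python
import hashlib
import hmac
import struct

# ACOS key-type keyword -> digest name. "SHA" is left out because hashlib has
# no portable equivalent; this sketch handles M (MD5) and SHA1 only.
DIGESTS = {"M": "md5", "SHA1": "sha1"}
NTP_HEADER_LEN = 48


def ntp_mac(key_id, key_type, secret, header):
    """Return key ID (4 bytes, network order) + digest(secret || header)."""
    digest = hashlib.new(DIGESTS[key_type], secret + header).digest()
    return struct.pack("!I", key_id) + digest


def verify(packet, auth_keys, trusted_keys):
    """True only if the MAC checks out under a configured AND trusted key."""
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if len(header) < NTP_HEADER_LEN or len(mac) < 4:
        return False  # truncated packet, or no MAC at all
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted_keys or key_id not in auth_keys:
        return False  # a configured key that is not trusted is rejected
    key_type, secret = auth_keys[key_id]
    if key_type not in DIGESTS:
        return False
    expected = ntp_mac(key_id, key_type, secret, header)
    return hmac.compare_digest(expected, mac)  # constant-time comparison


# Keys taken from the "ntp auth-key" example above (1001/SHA omitted, see DIGESTS).
AUTH_KEYS = {1337: ("M", b"XxEnc192"), 1012: ("SHA1", b"28fj039")}

# Constructed server reply header: LI 0, VN 4, mode 4; stratum 2; poll 6;
# precision -20; remaining fields zeroed.
HEADER = bytes([0x24, 2, 6, 0xEC]) + bytes(44)


def demo():
    signed = HEADER + ntp_mac(1337, "M", AUTH_KEYS[1337][1], HEADER)
    # Same MAC, but the stratum byte was changed in transit.
    tampered = signed[:1] + b"\x01" + signed[2:]
    return {
        "trusted": verify(signed, AUTH_KEYS, {1337, 1012}),
        "not_trusted": verify(signed, AUTH_KEYS, {1012}),
        "tampered": verify(tampered, AUTH_KEYS, {1337, 1012}),
        "no_mac": verify(HEADER, AUTH_KEYS, {1337, 1012}),
    }


if __name__ == "__main__":
    print(demo())
```

Only the first case passes: a key that exists under ntp auth-key but is missing from ntp trusted-key authenticates nothing.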

object-group network
Description Create a network object group.

Syntax [no] object-group network group-name

This command changes the CLI to the configuration level for the network object group,
where the following commands are available:

Command Description
[no] any Matches on all IP addresses.
[no] host host-src-ipaddr Matches only on the specified host IPv4 or IPv6 address.

[no] net-src-ipaddr {filter-mask | /mask-length} Matches on any host in the specified IPv4 subnet.
The filter-mask specifies the portion of the address to filter:
• Use 0 to match.
• Use 255 to ignore.
For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.255
Alternatively, you can use mask-length to specify the portion of the address to filter.
For example, you can specify “/24” instead of “0.0.0.255” to filter on a 24-bit subnet.
[no] net-src-ipv6addr /prefix-length Matches on any host in the specified subnet. The prefix-length
specifies the portion of the address to filter.

Default Not set

Mode Configuration mode

Example The following commands configure network object groups INT_CLIENTS, HTTPS_SERVERS
and FTP_SERVERS:

ACOS(config)#object-group network INT_CLIENTS
ACOS(config-network-group:INT_CLIENTS)#host 10.9.9.1
ACOS(config-network-group:INT_CLIENTS)#host 10.9.9.2
ACOS(config-network-group:INT_CLIENTS)#10.1.0.0 0.0.255.255
ACOS(config-network-group:INT_CLIENTS)#10.2.0.0 0.0.255.255
ACOS(config-network-group:INT_CLIENTS)#exit
ACOS(config)#object-group network HTTPS_SERVERS
ACOS(config-network-group:HTTPS_SERVERS)#host 192.168.230.215
ACOS(config-network-group:HTTPS_SERVERS)#host 192.168.230.216
ACOS(config-network-group:HTTPS_SERVERS)#host 192.168.230.217
ACOS(config-network-group:HTTPS_SERVERS)#exit
ACOS(config)#object-group network FTP_SERVERS
ACOS(config-network-group:FTP_SERVERS)#host 192.168.230.5
ACOS(config-network-group:FTP_SERVERS)#host 192.168.230.216
ACOS(config-network-group:FTP_SERVERS)#exit
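The filter-mask rule described above (0 means the bits must match, 255 means they are ignored) is the inverse of a subnet mask, which makes group membership easy to misread during a rule review. The following Python sketch is an added example, not A10 code: it evaluates the INT_CLIENTS entries from the example against candidate addresses and reports the /mask-length equivalent of a filter-mask. The function names are hypothetical, and whether ACOS accepts a filter-mask whose ignored bits are not contiguous is not stated on this page.

```python
import ipaddress


def parse_entry(line):
    """Return (ip_version, value, care) for one object-group network line.

    care has a 1 bit wherever a candidate address must equal value.
    """
    tok = line.split()
    if tok == ["any"]:
        return (None, 0, 0)
    if len(tok) == 2 and tok[0] == "host":
        ip = ipaddress.ip_address(tok[1])
        return (ip.version, int(ip), (1 << ip.max_prefixlen) - 1)
    if len(tok) == 1 and "/" in tok[0]:            # addr/prefix-length
        net = ipaddress.ip_network(tok[0], strict=False)
        return (net.version, int(net.network_address), int(net.netmask))
    if len(tok) == 2 and tok[1].startswith("/"):   # addr /mask-length
        net = ipaddress.ip_network(tok[0] + tok[1], strict=False)
        return (net.version, int(net.network_address), int(net.netmask))
    if len(tok) == 2:                              # addr filter-mask
        base = int(ipaddress.IPv4Address(tok[0]))
        care = ~int(ipaddress.IPv4Address(tok[1])) & 0xFFFFFFFF
        return (4, base & care, care)
    raise ValueError(f"unrecognised entry: {line!r}")


def group_matches(entries, addr):
    """True if addr matches any entry of the group."""
    ip = ipaddress.ip_address(addr)
    for line in entries:
        version, value, care = parse_entry(line)
        if version is None:
            return True
        if version == ip.version and (int(ip) & care) == value:
            return True
    return False


def filter_mask_prefix_len(filter_mask):
    """Prefix length equivalent to a filter-mask, or None if the ignored bits
    are not one contiguous low-order run (no /mask-length form exists)."""
    w = int(ipaddress.IPv4Address(filter_mask))
    if w & (w + 1):  # contiguous low-order ones <=> w + 1 is a power of two
        return None
    return 32 - w.bit_length()


# Entries copied from the INT_CLIENTS example above.
INT_CLIENTS = [
    "host 10.9.9.1",
    "host 10.9.9.2",
    "10.1.0.0 0.0.255.255",
    "10.2.0.0 0.0.255.255",
]

if __name__ == "__main__":
    for candidate in ("10.9.9.1", "10.9.9.3", "10.1.200.7", "10.3.0.1"):
        print(candidate, group_matches(INT_CLIENTS, candidate))
    print(filter_mask_prefix_len("0.0.255.255"))
```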

object-group service
Description Create a service object group.

Syntax [no] object-group service group-name

This command changes the CLI to the configuration level for the service object group, where
the following commands are available:

Command Description
[no] icmp [type {type-option} [code {any-code | code-num}]] Matches on ICMP traffic.
The type type-option parameter matches based on the specified
ICMP type. You can specify one of the following ICMP types (enter either
the number or the name):
• any-type – Matches on any ICMP type.
• dest-unreachable | 3 – Type 3, destination unreachable
• echo-reply | 0 – Type 0, echo reply
• echo-request | 8 – Type 8, echo request
• info-reply | 16 – Type 16, information reply
• info-request | 15 – Type 15, information request
• mask-reply | 18 – Type 18, address mask reply
• mask-request | 17 – Type 17, address mask request
• parameter-problem | 12 – Type 12, parameter problem
• redirect | 5 – Type 5, redirect message
• source-quench | 4 – Type 4, source quench
• time-exceeded | 11 – Type 11, time exceeded
• timestamp | 13 – Type 13, timestamp
• timestamp-reply | 14 – Type 14, timestamp reply
The code code-num option is applicable if the protocol type is icmp.
You can specify:
• any-code – Matches on any ICMP code.
• code-num – ICMP code number, 0-254
[no] icmpv6 [type {type-option} [code {any-code | code-num}]] Matches on ICMPv6 traffic.
The type type-option parameter matches based on the specified
ICMPv6 type. You can specify one of the following types (enter either the
number or the name):
• any-type – Matches on any ICMPv6 type.
• dest-unreachable – Matches on type 1, destination unreachable
messages.
• echo-reply – Matches on type 129, echo reply messages.
• echo-request – Matches on type 128, echo request messages.
• packet-too-big – Matches on type 2, packet too big messages.
• param-prob – Matches on type 4, parameter problem messages.
• time-exceeded – Matches on type 3, time exceeded messages.
{tcp | udp} eq src-port | gt src-port | lt src-port | range start-src-port end-src-port
Specifies the protocol ports on which to match:
• eq src-port – The ACL matches on traffic on the specified port.
• gt src-port – The ACL matches on traffic on any port with a higher
number than the specified port.
• lt src-port – The ACL matches on traffic on any port with a lower
number than the specified port.
• range start-src-port end-src-port – The ACL matches on
traffic on any port within the specified range.

Default Not set

Mode Configuration mode

Example The following commands configure service object group WEB-SERVICES and display the
configuration:

ACOS(config)#object-group service WEB-SERVICES
ACOS(config-service-group:WEB-SERVICES)#tcp eq 80
ACOS(config-service-group:WEB-SERVICES)#tcp source range 1025 65535 eq 8080
ACOS(config-service-group:WEB-SERVICES)#tcp source range 1025 65535 eq 443
ACOS(config-service-group:WEB-SERVICES)#exit
ACOS#show object-group
object-group service WEB-SERVICES
tcp eq 80
tcp source range 1025 65535 eq 8080
tcp source range 1025 65535 eq 443

Example The following command configures an ACL that uses the service object group configured above:

ACOS(config)#access-list 111 permit object-group WEB-SERVICES any any

overlay-mgmt-info
Description Configure management-specific data for an overlay network. (See “Config Commands:
Overlay Tunnels” on page 465.)

overlay-tunnel
Description Configure an overlay network. (See “Config Commands: Overlay Tunnels” on page 465.)

packet-handling
Description Configure how you want the system to handle unregistered broadcast packets.

Syntax [no] packet-handling broadcast {trap | flood}

Parameter Description
trap Trap packets to the CPU.
flood Flood packets to other ports.

Mode Configuration mode

partition
Description Configure an L3V private partition.

For more information, see “ADP CLI Commands” in Configuring Application Delivery
Partitions.

partition-group
Description Create a named set of partitions.

For more information, see “ADP CLI Commands” in Configuring Application Delivery
Partitions.

ping
Description Ping is used to diagnose basic network connectivity. For syntax information, see “ping” on
page 20.

pki copy-cert
Description Make a copy of the SSL certificate file.

Syntax pki copy-cert source-cert-name [rotation num] dest-cert-name [overwrite]

Parameter Description
source-cert-name Name of the existing SSL certificate file (1-63 characters).
rotation Specify the rotation number of the SCEP generated certificate file (1-4).
dest-cert-name Name of the copy of the SSL certificate file (1-63 characters).
overwrite If there is an existing file with the same name as the specified dest-cert-name, overwrite the
existing file.

Mode Configuration mode

Example Create a copy of the existing SSL cert file (example_existing_cert.crt) to a new file
(example_new_cert.crt), and overwrite the destination file if it has the same name:

ACOS(config)#pki copy-cert example_existing_cert.crt example_new_cert.crt overwrite

pki copy-key
Description Make a copy of the SSL key file.

Syntax pki copy-key source-key-name [rotation num] dest-key-name [overwrite]

Parameter Description
source-key-name Name of the existing SSL key file (1-63 characters).
rotation Specify the rotation number of the SCEP generated key file (1-4).
dest-key-name Name of the copy of the SSL key file (1-63 characters).
overwrite If there is an existing file with the same name as the specified dest-key-name, overwrite the
existing file.

Mode Configuration mode

Example Create a copy of the existing SSL key file (example_existing_key.key) to a new file
(example_new_key.key), and overwrite the destination file if it has the same name:

ACOS(config)#pki copy-key example_existing_key.key example_new_key.key overwrite

pki create
Description Create a self-signed certificate.

Syntax pki create {
certificate cert-name [csr-generate] |
csr
{name [renew cert-name] use-mgmt-port url |
cert-expiration-within days {local | use-mgmt-port url}}
}

Commands Description
create Creates a self-signed certificate or a certificate signing request (CSR) file.
[certificate certificate-name] Creates the self-signed certificate. You can specify up to 255 characters in the
name.
[csr csr_name] {name [renew cert-name] use-mgmt-port url | cert-expiration-within days {local | use-mgmt-port url}}
Creates a certificate signing request (CSR) and allows you to specify a file name.
You can specify up to 255 characters in the name.
The following options apply to name:
• name is the name of the CSR file.
• renew allows you to create a CSR file name to renew an expiring certificate.
• use-mgmt-port uses the management interface as the source interface for
the connection to the remote device. The management route table is used
to reach the device. By default, the ACOS device attempts to use the data
route table to reach the remote device through a data interface.
The following options apply to cert-expiration-within:
• days allows you to specify in how many days the certificate will expire. You can
select from 0 to 100 days.
• local allows you to save the CSR file on your local drive.
• use-mgmt-port uses the management interface as the source interface for
the connection to the remote device. The management route table is used to
reach the device. By default, the ACOS device attempts to use the data route
table to reach the remote device through a data interface.
url File transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter to display a
prompt for each part of the URL. If you enter the entire URL and a password is
required, you will still be prompted for the password. The password can be up to
255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file

Mode Configuration Mode

Usage See the description.

pki delete
Description Deletes a self-signed certificate.

Syntax pki delete {
certificate {cert-name | ca cert-name} |
crl file-name |
private-key key-name |
unused {cert-key | client-ssl | server-ssl}
}

Commands Descriptions
delete Deletes the self-signed certificate or the CSR file.
{certificate certificate-name} Deletes a specific self-signed certificate.
crl crl_file_name Deletes a specific certificate revocation list (CRL) file.
[private-key private_key_name] Deletes a specific private key.
[unused name_of_unused_certificate_and_ssl_templates]
cert-key unused_certs_and_keys
client-ssl unused_client-ssl_templates
server-ssl unused_server-ssl_templates
Deletes a specific unused certificate or unused SSL templates:
• cert-key deletes specific unused certificates and keys.
• client-ssl deletes specific unused client SSL templates.
• server-ssl deletes specific unused server SSL templates.

Mode Configuration Mode

Usage See the description.

pki renew-self
Description Renews a self-signed certificate.

Syntax pki renew-self cert-name {days num | days-others}

Commands Description
renew Renews the self-signed certificate or the CSR file.
cert-name Deletes a specific self-signed certificate.

days num Number of effective days for which the certificate should be extended. This should
be a value from 30 to 3650 days. The default value is a 730 day extension.
days-others Presents a more extensive set of input options. After entering the value for an
option, press Enter to display the input prompt for the next option. The following
specifications will be presented sequentially:
• input valid days, 30-3650, default 730: num
• input Common Name, 0-64: name
• input Division, 0-31: division-name
• input Organization, 0-63: organization-name
• input Locality, 0-31: city-or-region
• input State or Province, 0-31: state-or-province
• input Country, 2 characters: country-code
• input email address, 0-64: email-address
The num specifies the number of effective days for which the certificate should be
extended, ranging from 30 to 3650 days. If this field is left blank, then the default
value is a 730 day extension.
Every other option can be left blank, except for the country-code value. The numbers
following Common Name, Division, Organization, Locality, State or Province,
and email address specify the number of characters allowed.

Mode Configuration Mode

Usage See the description.

pki scep-cert
Description Create an SCEP certificate enrollment object.

Syntax pki scep-cert object-name

Replace object-name with the name of the certificate you want to enroll (1-63 characters).

Mode Configuration mode

poap
Description Enables Power On Auto Provisioning (POAP).

NOTE: After using the poap command, you must reboot the system. The device will return
to service in POAP mode.

Syntax [no] poap {enable | disable}

Default POAP mode is enabled by default on virtual appliances. However, the feature is disabled by
default on all physical devices.

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

radius-server
Description Set RADIUS parameters, for authenticating administrative access to the ACOS device.

Syntax [no] radius-server host {hostname | ipaddr} secret secret-string
[acct-port protocol-port]
[auth-port protocol-port]
[retransmit num]
[timeout seconds]

Syntax [no] radius-server default-privilege-read-write

Parameter Description
hostname | ipaddr Hostname or IP address of the RADIUS server.
secret secret-string Password, 1-128 characters, required by the RADIUS server for authentication
requests.
acct-port protocol-port Protocol port to which the ACOS device sends RADIUS accounting information.
The default port is 1813.
auth-port protocol-port Protocol port to which the ACOS device sends authentication requests.
The default port is 1812.
retransmit num Maximum number of times the ACOS device can resend an unanswered
authentication request to the server. If the ACOS device does not receive a reply
to the final request, the ACOS device tries the secondary server, if one is configured.
If no secondary server is available, or if the secondary server also fails to reply
after the maximum number of retries, authentication fails and the admin is
denied access.
You can specify 0-5 retries. The default is 3 retries.
timeout seconds Maximum number of seconds the ACOS device will wait for a reply to an
authentication request before resending the request. You can specify 1-15 seconds.
The default is 3 seconds.
default-privilege-read-write Change the default privilege authorized by RADIUS from read-only to
read-write. The default privilege is used if the Service-Type attribute is not used, or
the A10 vendor attribute is not used.
This is disabled by default; if the Service-Type attribute is not used, or the A10
vendor attribute is not used, successfully authenticated admins are authorized
for read-only access.

Default No RADIUS servers are configured by default. When you add a RADIUS server, it has the
default settings described in the table above.

You can configure up to 2 RADIUS servers. The servers are used in the order in which you add
them to the configuration. Thus, the first server you add is the primary server. The second
server you add is the secondary (backup) server. Enter a separate command for each of the
servers. The secondary server is used only if the primary server does not respond.

Mode Configuration mode

Example The following commands configure a pair of RADIUS servers and configure the ACOS device
to use them first, before using the local database. Since 10.10.10.12 is added first, this server
will be used as the primary server. Server 10.10.10.13 will be used only if the primary server is
unavailable.

ACOS(config)#radius-server host 10.10.10.12 secret radp1
ACOS(config)#radius-server host 10.10.10.13 secret radp2
ACOS(config)#authentication type radius local

raid
Description Enter the configuration level for RAID, if applicable to your device model.

Syntax raid

CAUTION: RAID configuration should be performed only by or with the assistance of A10 Networks.
A10 strongly advises that you do not experiment with these commands.

rba enable
Description Enable Role-Based Access Control (RBA) configuration.

This feature supports the creation of multiple users, groups, and roles with varying degrees
of permissions. RBA can limit the read/write privileges on different partitions and for different
objects.

For more information about this feature, see “Role-Based Access Control” in the
Management Access and Security Guide.

Syntax rba enable

Mode Configuration mode.

rba disable
Description Disable Role-Based Access Control (RBA) configuration.

For more information about this feature, see “Role-Based Access Control” in the
Management Access and Security Guide.

Syntax rba disable

Mode Configuration mode.

rba group
Description Configure an RBA group.

For more information about this feature, see “Role-Based Access Control” in the
Management Access and Security Guide.

Syntax [no] rba group
users
partition
roles | privileges

Mode Configuration mode

Example The following example defines an RBA group “slb-group.” The group has two users, “slb-
user1” and “slb-user2.” Both users are granted write privileges on SLB server objects but
read-only privileges on all other SLB objects in partition “companyA”:

!
rba group slb-group
  user slb-user1
  user slb-user2
  partition companyA
    slb read
    slb.server write

rba role
Description Configure an RBA role.

For more information about this feature, see “Role-Based Access Control” in the
Management Access and Security Guide.

Syntax [no] rba role-name
privileges

Mode Configuration mode.

Example The following example defines an RBA role “role1.” Any user assigned this role will have write
access on SLB server objects, but read privileges on all other SLB objects.

!
rba role role1
  slb read
  slb.server write

rba user
Description Configure RBA for a user.

For more information about this feature, see “Role-Based Access Control” in the
Management Access and Security Guide.

Syntax [no] rba user
partition partition-name
roles | privileges

Mode Configuration mode.

Example The following example configures an RBA user “user1”. In partition companyA, this user has
read privileges for SLB virtual server objects, write privileges for SLB server objects, but no
access to all other SLB objects. In partition companyB, this user has all privileges defined by
RBA role “role1”:

!
rba user user1
  partition companyA
    slb no-access
    slb.server write
    slb.virtual-server read
  partition companyB
    role role1
!
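The rba role and rba user examples above rely on the more specific object rule (slb.server) overriding the broader one (slb). The following Python sketch is an added example, not A10 code: it parses those two blocks and reports the privilege a user ends up with on a given object, which is the question an access review has to answer. Longest-dotted-prefix matching, "no-access" when nothing matches, and taking the higher privilege on a tie between a direct rule and a role rule are assumptions of this sketch; object names other than those in the page's examples are constructed.

```python
RANK = {"no-access": 0, "read": 1, "write": 2}

# Configuration copied from the "rba role" and "rba user" examples above.
SAMPLE = """\
!
rba role role1
  slb read
  slb.server write
!
rba user user1
  partition companyA
    slb no-access
    slb.server write
    slb.virtual-server read
  partition companyB
    role role1
!
"""


def parse_rba(text):
    """Return (roles, users): roles[name] = {object: privilege} and
    users[name][partition] = {"roles": [...], "rules": {object: privilege}}."""
    roles, users = {}, {}
    user = None     # user block being read, if any
    target = None   # role rule dict, or the current partition scope of a user
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:2] == ["rba", "role"] and len(tok) == 3:
            user, target = None, roles.setdefault(tok[2], {})
        elif tok[:2] == ["rba", "user"] and len(tok) == 3:
            user, target = users.setdefault(tok[2], {}), None
        elif tok[0] == "partition" and len(tok) == 2 and user is not None:
            target = user.setdefault(tok[1], {"roles": [], "rules": {}})
        elif tok[0] == "role" and len(tok) == 2 and user is not None and target is not None:
            target["roles"].append(tok[1])
        elif len(tok) == 2 and tok[1] in RANK and target is not None:
            rules = target["rules"] if user is not None else target
            rules[tok[0]] = tok[1]
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return roles, users


def most_specific(rules, obj):
    """(depth, privilege) of the longest dotted-prefix rule covering obj, or None."""
    parts = obj.split(".")
    for depth in range(len(parts), 0, -1):
        key = ".".join(parts[:depth])
        if key in rules:
            return depth, rules[key]
    return None


def effective_privilege(roles, users, user, partition, obj):
    scope = users.get(user, {}).get(partition)
    if scope is None:
        return "no-access"
    rule_sets = [scope["rules"]] + [roles.get(r, {}) for r in scope["roles"]]
    hits = [h for h in (most_specific(rs, obj) for rs in rule_sets) if h]
    if not hits:
        return "no-access"
    # Most specific rule wins; on equal depth report the higher privilege.
    return max(hits, key=lambda h: (h[0], RANK[h[1]]))[1]


if __name__ == "__main__":
    roles, users = parse_rba(SAMPLE)
    for part, obj in [("companyA", "slb.server"), ("companyA", "slb.service-group"),
                      ("companyB", "slb.virtual-server")]:
        print(part, obj, effective_privilege(roles, users, "user1", part, obj))
```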

restore
Description Restore the startup-config, aFleX policy files, and SSL certificates and keys from a tar file
previously created by the backup command. The restored configuration takes effect following a
reboot.

Syntax restore [use-mgmt-port] url

Parameter Description
use-mgmt-port Uses the management interface as the source interface for the
connection to the remote device. The management route table is
used to reach the device. By default, the ACOS device attempts to
use the data route table to reach the remote device through a data
interface.
url File transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter
to display a prompt for each part of the URL. If you enter the entire
URL and a password is required, you will still be prompted for the
password. The password can be up to 255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file

Default N/A

Mode Configuration mode

Usage Do not save the configuration (write memory) after restoring the startup-config. If you do,
the startup-config will be replaced by the running-config and you will need to restore the
startup-config again.

To place the restored configuration into effect, reboot the ACOS device.

route-map
Description Configure a rule in a route map. You can use route maps to provide input to routing
commands such as the following OSPF commands:
• “redistribute” on page 366
• “default-information originate” on page 374

Syntax [no] route-map map-name {deny | permit} sequence-num

Parameter Description
map-name Route map name.
deny | permit Action to perform on data that matches the rule.
sequence-num Sequence number of the rule within the route map, 1-65535. Rules
are used in ascending sequence order.
The action in the first matching rule is used, and no further
matching is performed.
You do not need to configure route map rules in numerical order.
The CLI automatically places them in the configuration
(running-config) in ascending numerical order.

This command changes the CLI to the configuration level for the specified route map rule,
where the following commands are available.

Command Description
match attribute Specifies the match criteria for routes:
• match as-path list-id – Matches on the BGP AS paths in the specified AS path list.
• match community list-id [exact-match] – Matches on the BGP communities in
the specified community list.
• match extcommunity list-id [exact-match]– Matches on the BGP communities
listed in the specified extended community list.
• match group num {active | standby} – Matches on VRRP-A set ID and state (active
or standby).
• match interface {ethernet portnum | loopback num | trunk num |
ve ve-num} – Matches on the data interface used as the first hop for a route.
• match ip address {acl-id | prefix-list list-name} – Matches on the route
IP addresses in the specified ACL or prefix list.
• match ip next-hop {acl-id | prefix-list list-name}– Matches on the next-
hop router IP addresses in the specified ACL or prefix list.
• match ip peer acl-id – Matches on the peer router IP addresses in the specified list.
• match ipv6 address {acl-id | prefix-list list-name} – Matches on the
route IP addresses in the specified ACL or prefix list.
• match ipv6 next-hop {acl-id | prefix-list list-name | ipv6-addr} –
Matches on the next-hop router IP addresses in the specified ACL or prefix list, or the
specified IPv6 address.
• match ipv6 peer acl-id – Matches on the peer router IP addresses in the specified
ACL.
• match local-preference num – Matches on the specified local preference value,
0-4294967295.
• match metric num – Matches on the specified route metric value, 0-4294967295.
• match origin {egp | igp | incomplete} – Matches on the specified BGP origin
code.
• match route-type external {type-1 | type-2} – Matches on the specified
external route type.
• match tag tag-value – Matches on the specified TAG value, 0-4294967295.

set attribute Sets information for matching routes:
• set aggregator as as-num ipaddr – Sets the aggregator attribute.
• set as-path prepend as-num [...]– Adds the specified BGP AS number(s) to the
front of the AS-path attribute.
• set atomic-aggregate – Specifies that a BGP route has been aggregated, and that path
information for the individual routes that were aggregated together is not available.
• set comm-list list-id delete – Sets the specified BGP community list to be
deleted.
• set community community-value – Sets the BGP community ID to the specified value:
1-4294967295
AS:NN, where AS is the AS number and NN is a numeric value in the range 1-4294967295.
internet – Internet route.
local-AS – Advertises routes only within the local Autonomous System (AS), not to
external BGP peers.
no-advertise – Does not advertise routes.
no-export – Does not advertise routes outside the AS boundary.
none – No community attribute.
• set dampening [reachability-half-life [reuse-value [suppress-value]
[max-duration [unreachability-half-life]]]] – Enables route-flap dampening.
Route-flap dampening helps minimize network instability caused by unstable routes.
reachability-half-life – Reachability half life, 1-45 minutes. After a route remains
reachable for this period of time, the penalty value for that route is divided in half. The
default is 15 minutes.
reuse-value [suppress-value] – Penalty thresholds for the suppression and reuse
(re-advertisement) of a route. The supported range for each value is 1-20000. The default
suppress-value is 2000. The default reuse-value is 750.
max-duration – Maximum amount of time a route will remain suppressed, 1-255 minutes.
The default is 4 times the reachability-half-life.
unreachability-half-life – Unreachability half life, 1-45 minutes. After a route
remains unreachable for this period of time, the penalty value for that route is divided in half.
• set extcommunity comm-id [...]– Sets the BGP extended community attribute.
• set ip next-hop ipaddr – Sets the next hop for matching IPv4 routes.
• set ipv6 [local] ipv6addr – Set the next hop for matching IPv6 routes. If the address
is for an inside network (not globally routable), use the local option.
• set level {level-1 | level-1-2 | level-2} – Sets the IS-IS level for exporting a
route to IS-IS.
• set local-preference num – Sets the BGP local preference path attribute.
• set metric metric-value – Sets the metric value for the destination routing protocol.
• set metric-type {external | internal | type-1 | type-2} – Sets the metric
type for the destination routing protocol.
• set origin {egp | igp | incomplete} – Sets the origin attribute:
egp – Exterior gateway protocol.
igp – Interior gateway protocol.
incomplete – Unknown heritage.
• set originator-id ipaddr – Sets the BGP originator attribute.
• set tag tag-value – Sets the tag value for the destination routing protocol.
• set weight num – Sets the BGP weight value for the routing table.

Default None

Mode Configuration mode

Usage For options that use an ACL, the ACL must use a permit action. Otherwise, the route map
action is deny.

router protocol
Description Enter the configuration mode for a dynamic routing protocol.

Syntax [no] router protocol

Replace protocol with one of the following:

Command Description
bgp AS-num Specifies an Autonomous System (AS) for which to run Border Gateway Protocol
(BGP) on the ACOS device. This also enters BGP configuration mode.
For more information, see “Config Commands: Router – BGP” on page 415.
ipv6 {ospf [tag] | rip} Specifies an IPv6 OSPFv3 process (1-65535) or Routing Information Protocol (RIP)
process to run on the IPv6 link, and also enter configuration mode for the specified
protocol.
For more information, see “Config Commands: Router – OSPF” on page 357 or “Config
Commands: Router – RIP” on page 329.
isis [tag] Enter configuration mode for Intermediate System to Intermediate System (IS-IS).
For more information, see “Config Commands: Router – IS-IS” on page 393.
ospf [process-id] Specifies an IPv4 OSPFv2 process (1-65535) to run on the ACOS device, and also enter
OSPF configuration mode.
For more information, see “Config Commands: Router – OSPF” on page 357.
rip Enter configuration mode for Routing Information Protocol (RIP).
For more information, see “Config Commands: Router – RIP” on page 329.

Default Dynamic routing protocols are disabled by default.

Mode Configuration mode

Usage This command is valid only when the ACOS device is configured for gateway mode (Layer 3).

Example The following command enters the configuration level for OSPFv2 process 1:

ACOS(config)#router ospf 1
ACOS(config-ospf:1)#

router log file


Description Configure router logging to a local file.

Syntax [no] router log file
{
name string |
per-protocol |
rotate num |
size Mbytes
}

Parameter Description
name string Name of the log file.
per-protocol Uses separate log files for each protocol. Without this option, log
messages for all protocols are written to the same file.
By default, this is disabled.
rotate num Specifies the number of backups to allow for each log file. When a log
file becomes full, the logs are saved to a backup file and the log file is
cleared for new logs. You can specify 0-100 backups. If the maximum
number of backups is reached, the oldest backups are purged to make
way for new ones.
The default is 0.
size Mbytes Specifies the size of each log file. You can specify 0-1000000 Mbytes. If
you specify 0, the file size is unlimited.
The default size is 0.

Default See descriptions.

Mode Configuration mode

Usage When you enable logging, the default minimum severity level that is logged is debugging.

The per-protocol option is recommended. Without this option, messages from all routing
protocols will be written to the same file, which may make troubleshooting more difficult.

router log log-buffer


Description Sends router logs to the logging buffer.

Syntax [no] router log log-buffer

Default Disabled by default.

Mode Configuration mode


running-config display
Description Configure whether or not aFleX and class-list file information should be included in the
running-config.

Syntax [no] running-config display {aflex | class-list}

Parameter Description
aflex Show aFleX scripts in the running-config.
class-list Show class-list files in the running-config.

Default By default, aFleX and class-list file information is not displayed.

Mode Configuration mode

Usage One or both options may be specified.

session-filter
Description Configure a session filter.

Syntax [no] session-filter filter-name set
{
dest-addr ipv4addr [dest-mask {/length | mask}] |
dest-port portnum |
ipv6 |
sip |
source-addr ipv4addr |
source-port portnum
}

Parameter Description
dest-addr, dest-port, source-addr, source-port
Matches on sessions that have a source or destination IPv4 address or port:
• source-addr ipaddr [{subnet-mask | /mask-length}] – Matches on IPv4
sessions that have the specified source IP address.
• source-port port-num – Matches on IPv4 sessions that have the specified source
protocol port number, 1-65535.
• dest-addr – Matches on IPv4 sessions that have the specified destination IP address.
• dest-port – Matches on IPv4 sessions that have the specified destination protocol port
number, 1-65535.
You can use one or more of the suboptions together in a single command, nested in the
order shown above. For example, if the first suboption you enter is dest-addr, the only
additional suboption you can specify is dest-port.
ipv6 Matches on all sessions that have a source or destination IPv6 address.
sip Matches on all SIP sessions.

Default No session filters are configured by default.

Mode Configuration mode


Usage Session filters allow you to save session display options for use with the clear session
and show session commands. Configuring a session filter allows you to specify a given set of
options one time rather than re-entering the options each time you use the clear session
or show session command.

Example The following commands configure a session filter and use it to filter show session output:

ACOS(config)#session-filter f1 source-addr 1.0.4.147
ACOS(config)#show session filter f1
Prot Forward Source   Forward Dest  Reverse Source  Reverse Dest     Age Hash
------------------------------------------------------------------------------
Tcp  1.0.4.147:51613  1.0.100.1:21  1.0.3.148:21    1.0.4.147:51613  120 1

sflow
Description Enables the ACOS device to collect information about Ethernet data interfaces and send the
data to an external sFlow collector (v5).

Syntax [no] sflow
{
agent address {ipaddr | ipv6addr} |
collector {ip ipaddr | ipv6 ipv6addr} portnum |
polling type |
sampling {ethernet portnum [to portnum] | ve ve-num [to ve-num]} |
setting sub-options |
source-address {ip ipaddr | ipv6 ipv6addr}
}

Parameter Description
agent address {ipaddr | ipv6addr} Configure an sFlow agent. The ipaddr value can be any valid IPv4 or IPv6 address.
By default, sFlow datagrams use the management IP of the ACOS device as the
source address, but you can specify a different IP address, if desired. The information
will appear in the Layer 4 information section of the sFlow datagram, and it is
not used to make routing decisions.
collector {ip ipaddr | ipv6 ipv6addr} portnum Configure up to four sFlow collectors. The IP address is that of
the sFlow collector device. Specify the port number, with a range from 1-65535.
The default port number is 6343.
polling type Enables sFlow export of DDoS Mitigation statistics for the source IP address(es)
matched by this rule. You can enable polling for the following types of data:
• cpu-usage – Polls for CPU utilization statistics.
• ethernet – Polls for Ethernet data interface statistics.
• http-counter - Polls for HTTP statistics.
• ve - Polls for statistics for Virtual Ethernet (VE) interfaces.
All sFlow polling (collection) is disabled by default.

sampling {ethernet portnum [to portnum] | ve ve-num [to ve-num]} Enable sFlow sampling on a specified interface.
There is no default.
setting sub-options Configure global sFlow settings:
• counter-polling-interval seconds – Configure the sFlow counter
polling interval. The seconds value specifies the frequency with
which statistics for an interface are periodically sampled and sent to the sFlow
collector. The interval can be configured to a value from 1-200 seconds. The
default polling interval is 20 seconds.
• max-header bytes – Maximum number of bytes to sample from any given
packet, 14-512 bytes. The default is 128 bytes.
• packet-sampling-rate num – Configure sFlow default packet sampling
rate. The num option specifies the value of N, the denominator of the
sampling ratio: one packet out of every N is sampled. N can range from
10-1000000. The default is 1000, meaning one
packet out of every 1000 will be sampled.
• source-ip-use-mgmt – Enable use of the management interface’s IP as the
source address for outbound sFlow packets.
source-address {ip ipaddr | ipv6 ipv6addr} Source IP address for sFlow packets sent from ACOS to sFlow collectors.
NOTE: By default, the IP address of the egress interface is used. You can specify a
data interface’s IP address or the management interface’s IP address as the source
address for sFlow packets sent to the collector. However, the current release does
not support routing of sFlow packets out the management interface. The sFlow
collector must be able to reach the ACOS device through a data interface, even if
you use the ACOS device’s management IP address as the source address of sFlow
packets sent to the collector.

Default Described above, where applicable.

Mode Configuration mode

Usage Enable either or both of the following types of data collection, for individual Ethernet data
ports:
• Packet flow sampling – ACOS randomly selects incoming packets on the monitored
interfaces, and extracts their headers. Each packet flow sample contains the first 128
bytes of the packet, starting from the MAC header. Note that setting a smaller value for
the num variable increases the sampling frequency, and larger numbers decrease the
sampling frequency. This is due to the fact that the variable is in the denominator.
• Counter sampling – ACOS periodically retrieves the send and receive statistics for the
monitored interfaces. These are the statistics listed in the Received and Transmitted
counter fields in show interface output.

Notes

• Sampling of a packet includes information about the incoming interface but not the
outgoing interface.
• None of the following are supported:
• Host resource sampling
• Application behavior sampling
• Duplication of traffic to multiple sFlow collectors
• Configuration of sFlow Agent behavior using SNMP

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following commands specify the sFlow collector and enable use of the management
interface’s IP as the source IP for the data samples sent to the sFlow collector:

ACOS(config)#sflow collector 192.168.100.3
ACOS(config)#sflow source-ip-use-mgmt

slb
Description Configure Server Load Balancing (SLB) parameters. For information about the slb
commands, see “Config Commands: Server Load Balancing” on page 487.

smtp
Description Configure a Simple Mail Transfer Protocol (SMTP) server to use for sending emails from the
ACOS device.

Syntax [no] smtp
{
{hostname | ipaddr} |
[mailfrom email-src-addr] |
[needauthentication] |
[port protocol-port] |
[username string password string]
}

Parameter Description
hostname | ipaddr Specifies an SMTP server.
mailfrom email-src-addr Specifies the email address to use as the sender (From) address.
needauthentication Specifies that authentication is required.
This is disabled by default.
port protocol-port Specifies the protocol port on which the server listens for SMTP traffic.
The default port is 25.
username string password string Specifies the username and password required for access. The password can be 1-31
characters long.

Default No SMTP servers are configured by default. When you configure one, it has the default
settings described in the table above.

Mode Configuration mode

Example The following command configures the ACOS device to use SMTP server “ourmailsrvr”:

ACOS(config)#smtp ourmailsrvr

snmp-server community
Description Configure an SNMP community string.

Syntax [no] snmp-server community read ro-community-string

Replace ro-community-string with the desired community string (1-31 characters).

This command changes the CLI to an SNMP community configuration mode, where the
following commands are available:

Parameter Description
oid oid-value Object ID. This option restricts the objects that the Thunder Series device
returns in response to GET requests. Values are returned only for the
objects within or under the specified OID.
remote {ipaddr [/mask-length | prefix] | ipv6-addr/prefix-length} Restricts SNMP access to a specific host or subnet. When you use this
option, only the specified host or subnet can receive SNMP data from
the Thunder Series device by sending a GET request to this community.

Default The configuration does not have any default SNMP communities. When you configure one,
all OIDs are allowed by default and all remote hosts are allowed by default.

Mode Configuration mode

Usage All SNMP communities are read-only. Read-write communities are not supported. The OID
for A10 Thunder Series and AX Series objects is 1.3.6.1.4.1.22610.

The “no” form removes the read-only community string.

CAUTION: To protect from potential vulnerability, it is recommended to change the name of
the SNMP public community from its default (“public”) to another name.

Example The following commands enable SNMP and define community string “a10community”:

ACOS(config)#snmp-server enable service
ACOS(config)#snmp-server community read a10community
ACOS(config-read:a10community)#remote 10.10.10.0 /24
ACOS(config-read:a10community)#remote 20.20.20.0 /24
ACOS(config-read:a10community)#oid 1.2.3
ACOS(config-read:a10community-oid:1.2.3)#remote 30.30.30.0 /24
ACOS(config-read:a10community-oid:1.2.3)#remote 40.40.40.0 /24


Hosts in 10.10.10.0 /24 and 20.20.20.0 /24 can access the entire MIB tree using the
“a10community” community string. Hosts in 30.30.30.0 /24 and 40.40.40.0 /24 can access the
MIB sub-tree 1.2.3 using the community string “a10community.”

Example The following example deletes the OID sub-tree 1.2.3:

ACOS(config-read:community)#no oid 1.2.3

snmp-server contact
Description Configure SNMP contact information.

Syntax [no] snmp-server contact contact-name

Replace contact-name with the SNMP contact; for example, an E-mail address.

Default Empty string

Mode Configuration mode

Usage The no form removes the contact information.

By default, the SNMP sysContact OID value is synchronized among all member ACOS devices
of an aVCS virtual chassis. You can disable this synchronization, on an individual device basis.

NOTE: After configuring this option for an ACOS device, if you disable aVCS on that device,
the running-config is automatically updated to continue using the same sysContact
value you specified for the device. You do not need to reconfigure the sysContact
on the device after disabling aVCS.

Example The following command defines the SNMP contact with the E-mail address
“exampleuser@exampledomain.com”:

ACOS(config)#snmp-server contact exampleuser@exampledomain.com

snmp-server enable
Description Enable the Thunder Series device to accept SNMP MIB data queries and to send SNMP v1/v2c
traps.

To use SNMP on the device, you must enter this command. Enter this command first, then
enter the other snmp-server commands to further configure the feature.

Syntax [no] snmp-server enable service

Syntax [no] snmp-server enable traps {
all |
gslb trap-name |
lldp |
lsn |
network trap-name |
routing trap-name |
slb trap-name |
slb-change trap-name |
snmp trap-name |
system trap-name |
vrrp-a
}

Parameter Description
traps Specify the traps you want to enable.
all Enable all the traps described below.
Note: The all option can be specified at any command level to enable all SNMP traps at that level.
gslb Enable GSLB group traps:
• group – Enable group-related traps.
• service-ip – Enable traps related to service-IPs.
• site – Enable site-related traps.
• zone – Enable zone-related traps.
lldp Enable LLDP group traps.
lsn Enable LSN group traps:
• per-ip-port-usage-threshold - Enable LSN trap when IP total port usage reaches the threshold
(default 64512).
• total-port-usage-threshold - Enable LSN trap when NAT total port usage reaches the
threshold (default 655350000).
• traffic-exceeded - Enable LSN trap when NAT pool reaches the threshold.
network Enable network group traps:
• trunk-port-threshold – Indicates that the trunk ports threshold feature has disabled trunk
members because the number of up ports in the trunk has fallen below the configured threshold.

routing Enable the routing group traps:
• bgp – Enables traps for BGP routing:
• bgpEstablishedNotification - A BGP neighbor transitions to the Established state.
• bgpBackwardTransNotification - A BGP neighbor transitions from a higher state to a
lower state; for example, if the BGP neighbor’s state transitions from Established to OpenConfirm
or from Connect to Idle.
• isis – Enables traps for IS-IS routing:
• isisAdjacencyChange
• isisAreaMismatch
• isisAttemptToExceedMaxSequence
• isisAuthenticationFailure
• isisAuthenticationTypeFailure
• isisCorruptedLSPDetected
• isisDatabaseOverload
• isisIDLenMismatch
• isisLSPTooLargeToPropagate
• isisManualAddressDrops
• isisMaxAreaAddressesMismatch
• isisOriginatingLSPBufferSizeMismatch
• isisOwnLSPPurge
• isisProtocolSupportedMismatch
• isisRejectedAdjacency
• isisSequenceNumberSkip
• isisVersionSkew
• ospf – Enables traps for OSPF routing:
• ospfIfAuthFailure
• ospfIfConfigError
• ospfIfRxBadPacket
• ospfIfStateChange
• ospfLsdbApproachingOverflow
• ospfLsdbOverflow
• ospfMaxAgeLsa
• ospfNbrStateChange
• ospfOriginateLsa
• ospfTxRetransmit
• ospfVirtIfAuthFailure
• ospfVirtIfConfigError
• ospfVirtIfRxBadPacket
• ospfVirtIfStateChange
• ospfVirtIfTxRetransmit
• ospfVirtNbrStateChange

slb Enable the SLB group traps:
• application-buffer-limit – Indicates that the configured SLB application buffer threshold
has been exceeded. (See “monitor” on page 131.)
• server-conn-limit – Indicates that an SLB server has reached its configured connection limit.
• server-conn-resume – Indicates that an SLB server has reached its configured connection-resume
value.
• server-disabled – Indicates that an SLB server has been disabled.
• server-down – Indicates that an SLB server has gone down.
• server-selection-failure – Indicates that SLB was unable to select a real server for a request.
• server-up – Indicates that an SLB server has come up.
• service-conn-limit – Indicates that an SLB service has reached its configured connection limit.
• service-conn-resume – Indicates that an SLB service has reached its configured connection-resume
value.
• service-down – Indicates that an SLB service has gone down.
• service-group-down – Indicates that an SLB service group has gone down.
• service-group-member-down – Indicates that an SLB service group member has gone down.
• service-group-member-up – Indicates that an SLB service group member has come up.
• service-group-up – Indicates that an SLB service group has come up.
• service-up – Indicates that an SLB service has come up.
• vip-connlimit – Indicates that the connection limit configured on a virtual server has been
exceeded.
• vip-connratelimit – Indicates that the connection rate limit configured on a virtual server has
been exceeded.
• vip-down – Indicates that an SLB virtual server has gone down.
• vip-port-connlimit – Indicates that the connection limit configured on a virtual port has been
exceeded.
• vip-port-connratelimit – Indicates that the connection rate limit configured on a virtual port
has been exceeded.
• vip-port-down – Indicates that an SLB virtual service port has gone down.
• vip-port-up – Indicates that an SLB virtual service port has come up. An SLB virtual server’s service
port is up when at least one member (real server and real port) in the service group bound to
the virtual port is up.
• vip-up – Indicates that an SLB virtual server has come up.
slb-change Enables the SLB change traps:
• connection-resource-event - Enable system connection resource event trap.
• resource-usage-warning – Indicates resource usage threshold met.
• server – Indicates a real server was created or deleted.
• server-port – Indicates a real server port was created or deleted.
• ssl-cert-change – Indicates that an SSL certificate has been changed.
• ssl-cert-expire – Indicates that an SSL certificate has expired.
• vip – Indicates a virtual server was created or deleted.
• vip-port – Indicates a virtual service port was created or deleted.

snmp Enable SNMP group traps:
• linkdown – Indicates that an Ethernet interface has gone down.
• linkup – Indicates that an Ethernet interface has come up.
ssl Enable the SSL group traps:
• server-certificate-error – Indicates a certificate error.
system Enable the system group traps:
• control-cpu-high – Indicates that the control CPU utilization is higher than the configured
threshold. (See “monitor” on page 131.)
• data-cpu-high – Indicates that data CPU utilization is higher than the configured threshold. (See
“monitor” on page 131.)
• fan – Indicates that a system fan has failed. Contact A10 Networks.
• file-sys-read-only – Indicates that the file system has entered read-only mode.
• high-disk-use – Enables system high disk usage traps.
• high-memory-use – Indicates that the memory usage on the ACOS device is higher than the
configured threshold. (See “monitor” on page 131.)
• high-temp – Indicates that the temperature inside the ACOS chassis is higher than the configured
threshold. (See “monitor” on page 131.)
• license-management – Enables license management traps.
• packet-drop – Indicates that the number of dropped packets during the previous 10-second
interval exceeded the configured threshold. (See “monitor” on page 131.)
NOTE: This trap is not applicable to some device types. The trap is applicable to Thunder Series and
AX Series hardware-based models and software-based models.
• power – Indicates that a power supply has failed. Contact A10 Networks.
• pri-disk – Indicates that the primary Hard Disk has failed or the RAID system has failed. In dual-
disk models, the primary Hard Disk is the one on the left, as you are facing the front of the ACOS
device chassis.
• restart – Indicates that the ACOS device is going to reboot or reload.
• sec-disk – Indicates that the secondary Hard Disk has failed or the RAID system has failed. The
secondary Hard Disk is the one on the right, as you are facing the front of the ACOS device chassis.
NOTE: This trap applies only to models that use disk drives.
• shutdown – Indicates that the ACOS device has shut down.
• start – Indicates that the ACOS device has started.
vrrp-a Enable VRRP-A high availability traps:
• active - Indicates a device has become the active device.
• standby - Indicates a device has become the standby device.

Default The SNMP service is disabled by default and all traps are disabled by default.

Mode Configuration mode

Usage For security, SNMP and SNMP traps are disabled on all data interfaces. Use the enable-management
command to enable SNMP on data interfaces. (See “enable-management” on
page 91.)

The no form disables traps.


If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command. This is only
valid for SNMP routing (snmp-server enable traps routing trap-name) and
network (snmp-server enable traps network trap-name) traps.

Example The following command enables all traps:

ACOS(config)#snmp-server enable traps

Example The following command enables all SLB traps:

ACOS(config)#snmp-server enable traps slb

Example The following commands enable SLB traps server-conn-limit and server-conn-resume:

ACOS(config)#snmp-server enable traps slb server-conn-limit
ACOS(config)#snmp-server enable traps slb server-conn-resume

snmp-server engineID
Description Set the SNMPv3 engine ID of this ACOS device.

Syntax [no] snmp-server engineID hex-string

Replace hex-string with a hexadecimal string representing the engine ID.

Mode Configuration mode

snmp-server group
Description Configure an SNMP group for SNMPv3.

Syntax [no] snmp-server group group-name v3
{auth | noauth | priv} read view-name

Parameter Description
group-name Specifies the name of the SNMP group.
auth Uses packet authentication but does not encrypt the packets.
(This is the authNoPriv security level.)
noauth Does not use any authentication of packets.
(This is the noAuthNoPriv security level.)
priv Uses packet authentication and encryption.
(This is the authPriv security level.)
read view-name Specifies the name of a read-only view for accessing the MIB
object values (1-31 characters).


Default The configuration does not have any default SNMP groups.

Mode Configuration mode

Example The following command adds SNMP v3 group “group1” with authPriv security and read-only
view “view1”:

ACOS(config)#snmp-server group group1 v3 priv read view1

snmp-server host
Description Configure an SNMP v1/v2c trap receiver.

Syntax [no] snmp-server host trap-receiver
[version {v1 | v2c | v3}]
community-string
[udp-port port-num]

Parameter Description
trap-receiver Hostname or IP address of the remote device to which
traps will be sent.
version {v1 | v2c | v3} SNMP version. If you omit this option, the trap receiver
can use SNMP v1 or v2c.
community-string Community string for the traps.
udp-port port-num UDP port to which the ACOS device will send the trap.

Default No SNMP hosts are defined. When you configure one, the default SNMP version is v2c and
the default UDP port is 162.

Mode Configuration mode

Usage You can configure up to 16 trap receivers.

The “no” form removes the trap receiver.

Example The following command configures SNMP trap receiver 100.10.10.12 to use community
string “public” and UDP port 166 for SNMP v2c traps.

ACOS(config)#snmp-server host 100.10.10.12 public udp-port 166

snmp-server location
Description Configure SNMP location information.

Syntax [no] snmp-server location location

Replace location with the location of the ACOS device.

Default Empty string

Mode Configuration mode


Usage The “no” form removes the location information.

Example The following command configures the location as “VeridianDynamics”:

ACOS(config)#snmp-server location VeridianDynamics

snmp-server slb-data-cache-timeout
Description Configure the SLB data cache timeout.

Syntax snmp-server slb-data-cache-timeout seconds

Replace seconds with the number of seconds (5-120) for the SLB data cache timeout.

Default 60 seconds.

Mode Configuration mode

Example The following example sets the SLB data cache timeout to 45 seconds.

ACOS(config)#snmp-server slb-data-cache-timeout 45

snmp-server user
Description Configure an SNMP user.

Syntax [no] snmp-server user username group groupname v3
{
auth {md5 | sha} auth-password [priv {aes | des} priv-password] |
noauth
}

Parameter Description
username Specifies the SNMP user name.
groupname Specifies the group to which the SNMP user belongs.
v3 Specifies SNMP version 3.
auth {md5 | sha} Specifies the algorithm to use for user authentication.
• md5 - Uses Message Digest Algorithm 5 (MD5).
• sha - Uses Secure Hash Algorithm (SHA).
auth-password Password for user authentication (8-31 characters).
priv {aes | des} Specifies the encryption method to use for user privacy.
• aes - Uses Advanced Encryption Standard (AES) algorithm.
This uses a fixed block size of 128 bits, and has a key size of
128, 192, or 256 bits. AES encryption supersedes DES encryption.
• des - Uses Data Encryption Standard (DES) algorithm to apply
a 56-bit key to each 64-bit block of data. This is considered
strong encryption.

priv-password Password for message encryption and privacy (8-31 characters).
noauth Does not use message encryption or privacy.

Default No SNMP users are configured by default. When you configure one, all remote hosts are
allowed by default. There is no authentication by default.

Mode Configuration mode

Usage SNMPv3 enables you to configure each user with a name, authentication type with an associated
key, and privacy type with an associated key.
• Authentication (auth) is performed by using the user’s authentication key to sign the
message being sent. This can be done using either MD5 or SHA; the
authentication key is generated using the specified method and the specified
auth-password.
• Encryption (priv) is performed by using a user’s privacy key to encrypt the data portion
of the message being sent. This can be done using either AES or DES encryption; the
privacy key is generated using the specified encryption method and the specified
priv-password.
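
How a key is generated from a password and tied to the engine ID set with snmp-server engineID, as an added example that is not A10 code: it implements the standard SNMPv3 USM password-to-key algorithm (RFC 3414, Appendix A.2) and assumes the ACOS agent follows that standard, which this reference does not state. The engine ID values are constructed; the passwords are the ones used in this command's example.

```python
import hashlib


def localized_key(password: str, engine_id_hex: str, algo: str) -> bytes:
    """Derive an SNMPv3 USM key as specified in RFC 3414, Appendix A.2.

    algo is "md5" or "sha1", corresponding to `auth md5` / `auth sha`.
    """
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    engine_id = bytes.fromhex(engine_id_hex)
    # Step 1: hash exactly 1,048,576 bytes formed by repeating the password.
    reps, rem = divmod(1048576, len(pw))
    ku = hashlib.new(algo, pw * reps + pw[:rem]).digest()
    # Step 2: localize the intermediate key to this agent's engine ID.
    return hashlib.new(algo, ku + engine_id + ku).digest()


def privacy_key(password: str, engine_id_hex: str, algo: str) -> bytes:
    """Privacy key material for DES (RFC 3414) or AES-128 (RFC 3826).

    Per those RFCs the priv-password is run through the user's
    authentication hash, and the first 16 bytes of the result are used.
    """
    return localized_key(password, engine_id_hex, algo)[:16]


# Constructed engine IDs, written as hex strings the way
# `snmp-server engineID hex-string` takes them.
ENGINE_A = "800000000102030405"
ENGINE_B = "800000000102030406"

if __name__ == "__main__":
    for engine in (ENGINE_A, ENGINE_B):
        auth = localized_key("jonpassword1", engine, "md5")
        priv = privacy_key("jonpassword2", engine, "md5")
        print(f"engineID {engine}: auth={auth.hex()} priv={priv.hex()}")
```

The same password yields a different key for each engine ID, so under the stated assumption a management station must derive its keys against the engine ID the device actually reports.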

Example The following example shows how to configure an SNMP user “jon”, who is a member of
“group1”. Authentication using MD5 with the password “jonpassword1” is configured, along with
message encryption using AES with the password “jonpassword2”.

ACOS(config)#snmp-server user jon group group1 v3 auth md5 jonpassword1 priv aes jonpassword2

snmp-server view
Description Configure an SNMP view.

Syntax [no] snmp-server view view-name oid {oid-mask | included | excluded}

Parameter Description
view-name Name of the SNMP view.
oid MIB family name or OID.
oid-mask OID mask. Use hex octets, separated by a dot ( . ) character.
included MIB family is included in the view.
excluded MIB family is excluded from the view.

Default N/A

Mode Configuration mode

Usage The OID for A10 Thunder Series objects is 1.3.6.1.4.1.22610.

Example The following command adds SNMP view “view1” and includes all objects in the 1.3.6 tree:

ACOS(config)#snmp-server view view1 1.3.6 included
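
A check for the weaker settings the snmp-server commands above allow (a community named “public”, a community with no remote restriction, noauth or auth-only SNMPv3 groups and users, MD5 or DES choices, a trap receiver using “public”), added here as an example and not A10 code. It assumes the input is a list of active commands in the form this reference's examples show; the sample lines are constructed and the finding codes are hypothetical names.

```python
import re

# Strips a pasted CLI prompt such as "ACOS(config-read:a10community)#".
PROMPT = re.compile(r"^[^\s(]+\([^)]*\)#\s*")

# Hypothetical finding codes and the reason each one is reported.
FINDINGS = {
    "default-name": "community is named 'public' (see the CAUTION for snmp-server community)",
    "no-remote-restriction": "no `remote` entry, so all remote hosts are allowed",
    "noauth": "noAuthNoPriv: packets are neither authenticated nor encrypted",
    "no-priv": "authNoPriv: packets are authenticated but not encrypted",
    "auth-md5": "MD5 chosen although `sha` is available",
    "priv-des": "DES chosen although AES supersedes it",
    "community-public": "trap receiver uses the community string 'public'",
}


def _audit_user(tok):
    # snmp-server user NAME group GROUP v3 {auth {md5|sha} PW [priv {aes|des} PW] | noauth}
    out = set()
    subject = f"user {tok[2]}"
    opts = tok[6:]
    if opts[:1] == ["noauth"]:
        out.add((subject, "noauth"))
    elif opts[:1] == ["auth"] and len(opts) >= 3:
        if opts[1] == "md5":
            out.add((subject, "auth-md5"))
        priv = opts[3:]
        if priv[:1] != ["priv"]:
            out.add((subject, "no-priv"))
        elif len(priv) > 1 and priv[1] == "des":
            out.add((subject, "priv-des"))
    return out  # passwords are never copied into the findings


def audit_snmp(lines):
    """Return a set of (subject, finding-code) pairs for the SNMP commands given."""
    findings = set()
    remotes = {}    # community name -> number of `remote` restrictions seen
    current = None  # community whose configuration sub-mode is active
    for raw in lines:
        tok = PROMPT.sub("", raw.strip()).split()
        if not tok or tok[0] == "no":
            continue  # the input is expected to hold active commands only
        if tok[0] in ("remote", "oid"):
            if tok[0] == "remote" and current is not None:
                remotes[current] += 1
            continue
        current = None
        if tok[0] != "snmp-server" or len(tok) < 3:
            continue
        kind = tok[1]
        if kind == "community" and tok[2] == "read" and len(tok) > 3:
            current = tok[3]
            remotes.setdefault(current, 0)
        elif kind == "group" and len(tok) > 4:
            if tok[4] == "noauth":
                findings.add((f"group {tok[2]}", "noauth"))
            elif tok[4] == "auth":
                findings.add((f"group {tok[2]}", "no-priv"))
        elif kind == "user":
            findings |= _audit_user(tok)
        elif kind == "host":
            rest = tok[3:]
            if rest[:1] == ["version"]:
                rest = rest[2:]  # skip "version {v1 | v2c | v3}"
            if rest[:1] == ["public"]:
                findings.add((f"host {tok[2]}", "community-public"))
    for name, count in remotes.items():
        if name == "public":
            findings.add((f"community {name}", "default-name"))
        if count == 0:
            findings.add((f"community {name}", "no-remote-restriction"))
    return findings


# Constructed sample: some lines reuse this section's examples, the rest
# (second community, group2, user ops) are made up for the demonstration.
SAMPLE = [
    "ACOS(config)#snmp-server enable service",
    "ACOS(config)#snmp-server community read a10community",
    "ACOS(config-read:a10community)#remote 10.10.10.0 /24",
    "ACOS(config)#snmp-server community read public",
    "ACOS(config)#snmp-server group group1 v3 priv read view1",
    "ACOS(config)#snmp-server group group2 v3 noauth read view1",
    "ACOS(config)#snmp-server user jon group group1 v3 auth md5 jonpassword1 priv aes jonpassword2",
    "ACOS(config)#snmp-server user ops group group1 v3 auth sha opspassword1",
    "ACOS(config)#snmp-server host 100.10.10.12 public udp-port 166",
]

if __name__ == "__main__":
    for subject, code in sorted(audit_snmp(SAMPLE)):
        print(f"{subject}: {FINDINGS[code]}")
```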

so-counters
Description Show scale out statistics.

Syntax so-counters [sampling-enable options]

Specify sampling-enable to enable baselining. The following options are available:

Option Description
all All packets.
so_pkts_conn_in Total packets processed for an established connection.
so_pkts_conn_redirect Total packets redirected for an established connection.
so_pkts_dropped Total packets dropped.
so_pkts_errors Total packet errors.
so_pkts_in Total number of incoming packets.
so_pkts_new_conn_in Total packets processed for a new connection.
so_pkts_new_conn_redirect Total packets redirected for a new connection.
so_pkts_out Total number of packets sent out.
so_pkts_redirect Total number of packets redirected.

Mode Configuration mode


sshd
Description Perform an SSHD operation on the system.

Syntax sshd
{
key generate [size {2048 | 4096}] |
key load [use-mgmt-port] url |
key regenerate [size {2048 | 4096}] |
key wipe |
restart
}

Parameter Description
key generate Generate an SSH key.
You can choose to specify a key size; use size 2048 to generate a 2048-bit key, or size 4096
to generate a 4096-bit key.
key load Load an SSH key.
Specify use-mgmt-port to use the management interface as the source interface for the connection
to the remote device. The management route table is used to reach the device. By
default, the ACOS device attempts to use the data route table to reach the remote device
through a data interface.
Specify the url to the SSH key. You can enter the entire URL on the command line or press Enter
to display a prompt for each part of the URL. If you enter the entire URL and a password is
required, you will still be prompted for the password. The password can be up to 255 characters
long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file
key regenerate Regenerate an SSH key.
You can choose to specify a key size; use size 2048 to generate a 2048-bit key, or size 4096
to generate a 4096-bit key.
key wipe Wipe an SSH key.
restart Restart the SSH service.

Mode Configuration mode

Introduced in Release 4.0.1


syn-cookie
Description Enable hardware-based SYN cookies, which protect against TCP SYN flood attacks.

Syntax [no] syn-cookie enable [on-threshold num off-threshold num]

Parameter Description
on-threshold num Maximum number of concurrent half-open TCP connections
allowed on the ACOS device, before SYN cookies are enabled.
If the number of half-open TCP connections exceeds the
on-threshold, the ACOS device enables SYN cookies. You can
specify 0-2147483647 half-open connections.
off-threshold num Minimum number of concurrent half-open TCP connections
for which to keep SYN cookies enabled. If the number of
half-open TCP connections falls below this level, SYN cookies are
disabled. You can specify 0-2147483647 half-open connections.

NOTE: It may take up to 10 milliseconds for the ACOS device to detect and respond to
crossover of either threshold.

Default Hardware-based SYN cookies are disabled by default. When the feature is enabled, there are
no default settings for the on and off thresholds.

Mode Configuration mode

Usage Hardware-based SYN cookies are available only on some models.

If both hardware-based and software-based SYN cookies are enabled, only hardware-based
SYN cookies are used. You can leave software-based SYN cookies enabled but they are not
used. (Software-based SYN cookies are enabled at the virtual port level using the syn-cookie
enable command.)

If you omit the on-threshold and off-threshold options, SYN cookies are enabled and are
always on regardless of the number of half-open TCP connections present on the ACOS
device.

This command globally enables SYN cookie support for SLB and also enables SYN cookie
support for Layer 2/3 traffic. No additional configuration is required for SLB SYN cookie
support. However, to use Layer 2/3 SYN cookie support, you also must enable it at the
configuration level for individual interfaces. See “ip tcp syn-cookie threshold” on page 314.

If Role-Based Administration (RBA) partitions are configured, hardware-based SYN cookies
apply to all partitions. The feature is not partition-aware.

On FTA models only, it is recommended not to use hardware-based SYN cookies if DSR also is
enabled. If both features are enabled, a client who sends TCP requests to a VIP that is
configured for DSR will receive two SYN-ACKS, one from the ACOS hardware-based SYN-
cookie feature, and the other from the server. This can be confusing to a client because the
client expects only one SYN-ACK in reply to the client’s SYN.


Example The following command enables hardware-based SYN cookies:

ACOS(config)#syn-cookie enable

The command in the following example configures dynamic SYN cookies when the number
of concurrent half-open TCP connections exceeds 50000, and disables SYN cookies when
the number falls below 30000:

ACOS(config)#syn-cookie enable on-threshold 50000 off-threshold 30000

system all-vlan-limit
Description Set the global traffic limits for all VLANs.

The limit applies system-wide to all VLANs; collectively, all ACOS device VLANs cannot
exceed the specified limit.

To configure the limit per individual VLAN, use “system per-vlan-limit” on page 178.

Syntax [no] system {all-vlan-limit | per-vlan-limit}
{bcast | ipmcast | mcast | unknown-ucast} num

Parameter Description
all-vlan-limit Limit applies system-wide to all VLANs. Collectively, all the Thunder
Series device’s VLANs together cannot exceed the specified limit.
per-vlan-limit Limit applies to each VLAN. No individual VLAN can exceed the
specified limit.
bcast Limit broadcast traffic.
ipmcast Limit IP multicast traffic.
mcast Limit all multicast packets except for IP multicast packets.
unknown-ucast Limit all unknown unicast traffic.
num Specifies the maximum number of packets per second that are
allowed of the specified traffic type.

Default 5000 packets per second.

Mode Configuration mode

Example The following command limits each VLAN to 1000 multicast packets per second:

ACOS(config)#system per-vlan-limit mcast 1000

Related Commands system per-vlan-limit


system anomaly log
Description Enable logging for packet anomaly events. This type of logging applies to system-wide
attacks such as SYN attacks.

Syntax [no] system anomaly log

Default Disabled

Mode Configuration mode

system attack log
Description Enable logging for DDoS attacks.

Syntax [no] system attack log

Default Disabled

Mode Configuration mode

system cpu-load-sharing
Description The CPU Round Robin feature can be used to mitigate the effects of Denial of Service (DoS)
attacks that target a single CPU on the ACOS device. You can use this command to configure
thresholds for CPU load sharing. If a threshold is exceeded, CPU load sharing is activated, and
additional CPUs are enlisted to help process traffic and relieve the burden on the targeted
CPU. A round robin algorithm distributes packets across all of the other data CPUs on the
device. Load sharing will remain in effect until traffic is no longer exceeding the thresholds
that originally activated the feature. (See the “Usage” section below for details.)

Syntax [no] system cpu-load-sharing
{
cpu-usage low percent |
cpu-usage high percent |
disable |
packets-per-second min num-pkts
}

Parameter Description
cpu-usage low percent Lower CPU utilization threshold. Once the data CPU utilization rate drops below this
threshold, then CPU round robin redistribution will stop. The default is 60, but you can
specify 0-100 percent.
cpu-usage high percent Upper CPU utilization threshold. Once the data CPU utilization rate exceeds this
threshold, then CPU round robin redistribution will begin. The default is 75, but you can
specify 0-100 percent.
disable Disables CPU load sharing. The CPU round robin feature is not used, even if a triggering
threshold is breached.
packets-per-second min num-pkts Maximum number of packets per second any CPU can receive, before CPU
load sharing is used. You can specify 0-30000000 (30 million) packets per second.


Default The CPU load sharing feature is enabled. The thresholds have the following default values:
• cpu-usage low – 60 percent
• cpu-usage high – 75 percent
• packets-per-second – 100000

Mode Configuration mode

Usage If a hacker targets the ACOS device by repeatedly flooding the device with many packets
that have the same source and destination ports, this could overwhelm the CPU that is being
targeted. However, the CPU load sharing feature (which is enabled by default) protects the
device by using a round robin algorithm to distribute the load across multiple CPUs when
such an attack is detected.

ACOS will activate this round robin distribution across multiple CPUs if all of the following
conditions occur:

1. If the utilization rate of the CPU being targeted exceeds the configured high threshold
(which has a default value of 75%), AND
2. If the CPU being targeted is receiving traffic at a rate that exceeds the minimum
configured threshold (the default is 100,000 packets per second), AND
3. If the CPU being targeted is receiving significantly more traffic than the other CPUs on
the ACOS device. If all CPUs are under a heavy load, there would be no advantage to
using round robin to distribute the traffic. Therefore, the CPU being targeted must have
an elevated utilization rate that is at least 50% higher than the median utilization rate of
its peer CPUs. (For example, this criterion would be met if the non-targeted CPUs have a
median packet flow of 100,000 packets per second, but the targeted CPU is receiving
packets at a rate exceeding 150,000 packets per second, in which case it would be 50%
higher than the median of the rate of the other processors).

ACOS will de-activate CPU round robin mode and return to normal mode when the first
criterion, and either 2 or 3 above are no longer true.

For example, CPU round robin mode will cease:

1. If the targeted CPU utilization rate drops below the low threshold (default is 60%), AND
• If the targeted CPU is receiving packets at a rate below the minimum configured
packets-per-second threshold, OR
• If the utilization rate of the targeted CPU is no longer 50% higher than the median
of its neighboring CPUs.
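
The activation and de-activation rules above form a hysteresis loop, which the following added example models so the thresholds can be reasoned about before they are changed. This is an illustration, not A10 code: the class and function names are hypothetical, criterion 3 is evaluated on packet rates as in the page's parenthetical example, and the sample values are constructed.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class LoadSharingConfig:
    cpu_low: int = 60        # cpu-usage low percent (default on this page)
    cpu_high: int = 75       # cpu-usage high percent (default on this page)
    pps_min: int = 100_000   # packets-per-second min (default on this page)
    skew: float = 1.5        # "at least 50% higher than the median" of peers


DEFAULTS = LoadSharingConfig()


def is_skewed(target_pps, peer_pps, cfg=DEFAULTS):
    """Criterion 3: the targeted CPU gets at least 50% more than the peer median.

    Assumption: compared on packets per second, as in the page's example.
    """
    return target_pps >= cfg.skew * median(peer_pps)


def next_state(active, util, target_pps, peer_pps, cfg=DEFAULTS):
    """Return True if round robin mode is active after this sample."""
    skewed = is_skewed(target_pps, peer_pps, cfg)
    if not active:
        # Activation requires all three criteria at the same time.
        return util > cfg.cpu_high and target_pps > cfg.pps_min and skewed
    # De-activation: utilization below the LOW threshold, and either the
    # packet rate is under the minimum or the skew has disappeared.
    if util < cfg.cpu_low and (target_pps < cfg.pps_min or not skewed):
        return False
    return True


def simulate(samples, cfg=DEFAULTS):
    """Run the state machine over (util %, target pps, [peer pps]) samples."""
    active, states = False, []
    for util, target_pps, peer_pps in samples:
        active = next_state(active, util, target_pps, peer_pps, cfg)
        states.append(active)
    return states


# Constructed samples: (target CPU %, target pps, [peer CPU pps, ...])
SAMPLES = [
    (50, 80_000, [70_000, 75_000, 72_000]),      # quiet: stays off
    (80, 400_000, [70_000, 75_000, 72_000]),     # all three criteria: turns on
    (70, 300_000, [150_000, 160_000, 155_000]),  # between low and high: stays on
    (55, 300_000, [150_000, 160_000, 155_000]),  # below low, still skewed: stays on
    (55, 200_000, [150_000, 160_000, 155_000]),  # below low, skew gone: turns off
    (90, 500_000, [480_000, 490_000, 470_000]),  # every CPU busy: stays off
]

if __name__ == "__main__":
    for sample, state in zip(SAMPLES, simulate(SAMPLES)):
        print(sample, "->", "round robin" if state else "normal")
```

The last sample shows why a uniformly heavy load does not trigger the feature: utilization and packet rate are both over their thresholds, but the targeted CPU is not 50% above the median of its peers.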

system ddos-attack
Description Enable logging for DDoS attack events.

Syntax [no] system ddos-attack log

Mode Configuration mode

system glid
Description Apply a combined set of IP limiting rules to the whole system.


Syntax [no] system glid num

Replace num with the global LID you want to use.

Default None

Mode Configuration mode

Usage This command uses a single global LID. To configure the global LID, see “glid” on page 99.

Example The following commands configure a standalone IP limiting rule to be applied globally to all
IP clients (the clients that match class list “global”):

ACOS(config)#glid 1
ACOS(config-glid:1)#conn-rate-limit 10000 per 1
ACOS(config-glid:1)#conn-limit 2000000
ACOS(config-glid:1)#over-limit forward logging
ACOS(config-glid:1)#exit
ACOS(config)#system glid 1

system ipsec
Description Configure Crypto Cores for IPsec processing.

Syntax [no] system ipsec {crypto-core num | crypto-mem percentage}

Parameter Description
crypto-core num Number of crypto cores assigned for IPsec processing (0-56).
crypto-mem percentage Percentage of memory that can be assigned for IPsec processing.

Default N/A

Mode Configuration mode

system log-cpu-interval
Description Log occurrences where the CPU is at a high usage for a specified duration.

Syntax [no] system log-cpu-interval seconds

Replace seconds with the number of consecutive seconds that the CPU must be at a high
usage level before a log event is created.

Mode Configuration mode

system module-ctrl-cpu
Description Throttle CLI and SNMP output when control CPU utilization reaches a specific threshold.


Syntax [no] system module-ctrl-cpu {low | medium | high}

Parameter Description
low Throttles CLI and SNMP output when control CPU utilization reaches
10 percent. This is the most aggressive setting.
medium Throttles CLI and SNMP output when control CPU utilization reaches
25 percent.
high Throttles CLI and SNMP output when control CPU utilization reaches
45 percent. This is the least aggressive setting.

Default Not set. Throttling does not occur.

Mode Configuration mode

Usage The command takes effect only for new CLI sessions that are started after you enter the
command. After entering the command, close currently open CLI sessions and start a new one.

system per-vlan-limit
Description Configure the packet flooding limit per VLAN.

The limit applies to each VLAN. No individual VLAN can exceed the specified limit.

To configure a global limit for all VLANs, use “system all-vlan-limit” on page 174.

Syntax [no] system per-vlan-limit
{bcast | ipmcast | mcast | unknown-ucast} limit

Parameter Description
bcast Configure the limit for broadcast packets.
ipmcast Configure the limit for IP multicast packets.
mcast Configure the limit for multicast packets.
unknown-ucast Configure the limit for unknown unicast packets.
limit Configure the number of packets per second (1-65535).

Default 1000 packets per second.

Mode Configuration mode

Example The following example sets the packet limit to 5000 broadcast packets per second:

ACOS(config)#system per-vlan-limit bcast 5000

Related Commands system all-vlan-limit


system promiscuous-mode
Description Enable the system to pass traffic in promiscuous mode.

This setting enables an interface to pass all received traffic directly to the CPU, instead of
passing only the packets that were intended for that interface. Promiscuous mode is
commonly used as a tool to help diagnose network connectivity problems.

Syntax [no] system promiscuous-mode

Default Not enabled.

Mode Configuration mode

system resource-usage
Description Change the capacity of a system resource.

Syntax [no] system resource-usage resource-type

Command Description
resource-type Specifies the resource type and the maximum allowed:
• auth-portal-html-file-size num – Maximum file size allowed for AAM HTML files
(4-120).
• auth-portal-image-file-size num – Maximum file size allowed for AAM portal
image files (1-80).
• class-list-ipv6-addr-count - Maximum number of IPv6 addresses allowed within
each IPv6 class list (524288-1048576).

• l4-session-count num – Maximum number of Layer 4 sessions supported (32768 -
524288).
• max-aflex-file-size num – Maximum size of an aFleX script in Kbytes (16-256). The
default maximum allowable file size is 32K.

Mode Configuration mode

Usage To place a change to l4-session-count into effect, a reboot is required. A reload will not
place this change into effect. For changes to any of the other system resources, a reload is
required but a reboot is not required.

system template
Description Globally applies a template to the ACOS device.

Syntax [no] system template template-type template-name

Default N/A

Mode Configuration mode


Usage This command applies only to certain template types. For each valid option, a section in
the configuration guide describes its use.

system ve-mac-scheme
Description Configure MAC address assignment for Virtual Ethernet (VE) interfaces.

Syntax [no] system ve-mac-scheme {round-robin | system-mac | hash-based}

Parameter Description
round-robin Assigns MAC addresses in round-robin fashion, beginning with the
address for port 1.
Each new VE, regardless of the VE number, is assigned the MAC
address of the next Ethernet data port. For example:
• The MAC address of Ethernet data port 1 is assigned to the first VE
you configure.
• The MAC address of Ethernet data port 2 is assigned to the second
VE you configure.
• The MAC address of Ethernet data port 3 is assigned to the third VE
you configure.
This process continues until the MAC address of the highest-numbered
Ethernet data port on the ACOS device is assigned to a VE. After
the last Ethernet data port’s MAC address is assigned to a VE, MAC
assignment begins again with Ethernet data port 1. The number of
physical Ethernet data ports on the ACOS device differs depending on
the ACOS model.
system-mac Assigns the system MAC address (the MAC address of Ethernet data
port 1) to all VEs. This method provides the same MAC assignment
used in AX releases earlier than 2.6.1.
hash-based Uses a hash value based on the VE number to select an Ethernet data
port, and assigns that data port’s MAC address to the VE. This method
always assigns the same Ethernet data port’s MAC address to a given
VE number, on any model, regardless of the order in which VEs are
configured.

Default hash-based

Mode Configuration mode

Usage This command is supported only for VEs that belong to the shared partition, not to VEs that
belong to private partitions.

A reload or reboot is required to place the change into effect.


system-jumbo-global enable-jumbo
Description Globally enable jumbo frame support. In this release, a jumbo frame is an Ethernet frame
that is more than 1522 bytes long.

NOTE: Jumbo frames are not supported on all platforms. For detailed information, refer to
the jumbo frames chapter in the System Configuration and Administration Guide.

Syntax [no] system-jumbo-global enable-jumbo

NOTE: This is the only command required to enable jumbo support on FPGA models. See
the Usage section below for details on enabling jumbo support on non-FPGA models.

Default Disabled

Mode Configuration mode

Usage Notes about the usage of this command:
• If your configuration uses VEs, you must enable jumbo on the individual Ethernet ports
first, then enable it on the VEs that use the ports. If the VE uses more than one port, the
MTU on the VE should be the same or smaller than the MTU on each port.
• Enabling jumbo support does not automatically change the MTU on any interfaces.
You must explicitly increase the MTU on those interfaces you plan to use for jumbo
packets.
• Jumbo support is not recommended on 10/100 Mbps ports.
• On FPGA models only, for any incoming jumbo frame, if the outgoing MTU is less than
the incoming frame size, the ACOS device fragments the frame into 1500-byte fragments,
regardless of the MTU set on the outbound interface. If it is less than 1500 bytes,
it will be fragmented into the configured MTU.
• Setting the MTU on an interface indirectly sets the frame size of incoming packets to
the same value. (This is the maximum receive unit [MRU]).
• In previous releases, the default MTU is 1500 and cannot be set to a higher value.
• For a list of devices that support jumbo frames, refer to the “Jumbo Frames” chapter in
the System Administration and Configuration Guide.

CAUTION: On non-FPGA models, after you enable (or disable) jumbo frame support, you must
save the configuration (write memory command) and reboot (reboot command)
to place the change into effect.

If jumbo support is enabled on a non-FPGA model and you erase the startup-config, the
device is rebooted after the configuration is erased.

system-reset
Description Restore the ACOS device to its factory default settings.


The following summarizes what is removed or preserved on the system:

What is Erased
• Saved configuration files
• System files, such as SSL certificates and keys, aFleX policies, black/white lists, and system logs
• Management IP address
• Admin-configured admins
• Enable password
• Imported files
• Inactive partitions

What is Preserved
• Running configuration
• Audit log entries

Syntax system-reset

Default N/A

Mode Configuration mode

Usage This command is helpful when you need to redeploy an ACOS device in a new environment
or at a new customer site, or you need to start over the configuration at the same site.

The command does not automatically reboot or power down the device. The device
continues to operate using the running-config and any other system files in memory, until
you reboot or power down the device.

Reboot the ACOS device to erase the running-config and place the system reset into effect.

Example The following commands reset an ACOS device to its factory default configuration, then
reboot the device to erase the running-config:

ACOS(config)#system-reset
ACOS(config)#end
ACOS#reboot

Related Commands erase

tacacs-server host
Description Configure TACACS+ for authorization and accounting. If authorization or accounting is
specified, the ACOS device will attempt to use the TACACS+ servers in the order they are
configured. If one server fails to respond, the next server will be used.


Syntax [no] tacacs-server host {hostname | ipaddr}
secret secret-string [port protocol-portnum] [timeout seconds]

Parameter Description
hostname | ipaddr Hostname or IP address of the TACACS+ server. If a hostname
is to be used, make sure a DNS server has been configured.
secret-string Password, 1-128 characters, required by the TACACS+ server
for authentication requests.
protocol-portnum The port used for setting up a connection with a TACACS+
server.
The default port is 49.
seconds The maximum number of seconds allowed for setting up a
connection with a TACACS+ server. You can specify 1-12 seconds.
The default timeout is 12 seconds.

Default See descriptions.

Mode Configuration mode

Usage You can configure up to 2 TACACS+ servers. The servers are used in the order in which you
add them to the configuration. Thus, the first server you add is the primary server. The
second server you add is the secondary (backup) server. Enter a separate command for each of
the servers. The secondary server is used only if the primary server does not respond.

Example The following command adds a TACACS+ server "192.168.3.45" and sets its shared secret as
"SharedSecret":

ACOS(config)#tacacs-server host 192.168.3.45 secret SharedSecret

Example The following command adds a TACACS+ server "192.168.3.72", sets the shared secret as
"NewSecret", sets the port number as 1980, and sets the connection timeout value as 6 seconds:

ACOS(config)#tacacs-server host 192.168.3.72 secret NewSecret port 1980 timeout 6

Example The following command deletes TACACS+ server “192.168.3.45”:

ACOS(config)#no tacacs-server host 192.168.3.45

Example The following command deletes all TACACS+ servers:

ACOS(config)#no tacacs-server


tacacs-server monitor
Description Check the status of TACACS+ servers.

Syntax [no] tacacs-server monitor [interval seconds]

Replace seconds with the frequency (in seconds) that you want the ACOS device to check
the status of the TACACS+ server. You can specify 1 - 120 seconds.

Default Status checking of the TACACS+ server is not enabled. When enabled, the default interval is
60 seconds.

Mode Global configuration

Usage When TACACS+ server monitoring is configured, the ACOS device sends a TACACS+ monitor
request, which contains the user name and password, to the server in order to log into the
device and check if the server is available. If it is, then the last_available_timestamp will be
updated with the current time.
• If a user login authentication request arrives at the ACOS device, then ACOS will send
the request to the TACACS+ server that has the most recent last_available_timestamp
value.
• If the user’s login attempt is successful, then the timestamp for that server will be
updated to the current time.
• However, if the user authentication request fails, then ACOS will send the request to
the secondary TACACS+ server.
• To enable this feature, you must configure the user name and password for the
TACACS+ server’s administrative account. While a simple server port “ping” could be
used to check the status, this is not recommended because it could cause the ACOS
device to be mistakenly seen as an attacker, thus causing it to be added to the ACL.

techreport
Description Configure automated collection of system information. If you need to contact Technical
Support, they may ask you for the techreports to help diagnose system issues.

Syntax [no] techreport
{interval minutes | disable | priority-partition name}

Parameter Description
interval minutes Specifies how often to collect new information. You can specify 15-120 minutes.
The default interval is 15 minutes.
disable Disable automated collection of system information.
Automated collection of system information is enabled by default.
priority-partition name Configure the specified partition to automatically collect system information.

Default Automated collection of system information is enabled by default. The default interval is 15
minutes.

Mode Configuration mode


Usage The ACOS device saves all techreport information for a given day in a single file. Timestamps
identify when each set of information is gathered. The ACOS device saves techreport files for
the most recent 31 days. Each day’s reports are saved in a separate file.

The techreports are a light version of the output generated by the show techsupport
command. To export the information, use the show techsupport command. (See “show
techsupport” on page 789.)

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

terminal
Description Set the terminal configuration.

Syntax [no] terminal
{
auto-size |
editing |
gslb-prompt options |
history [size number] |
idle-timeout minutes |
length number |
prompt options |
width lines
}

Parameter Description
auto-size Automatically adjusts the length and width of the terminal display.
Auto-sizing is enabled by default.
gslb-prompt options Enables display of the ACOS device’s role within a GSLB group at the CLI prompt.
• disable - disables display of the GSLB group status.
• group-role symbol - Displays “Member” or “Master” in the CLI prompt; for example:
ACOS:Master(config)#

• symbol - Displays “gslb” in the CLI prompt after the name of the ACOS device; for
example:
ACOS-gslb:Master(config)#
editing Enables command editing.
This feature is enabled by default.
history [size number] Enables the command history and specifies the number of commands it can contain,
0-1000.
By default, history is enabled for up to 256 commands.
idle-timeout minutes Specifies the number of minutes a CLI session can be idle before it times out and is
terminated, 0-60 minutes. To disable timeout, enter 0.
The default idle timeout is 15 minutes.

length number Specifies the number of lines to display per page, 0-512. To disable paging, enter 0.
The default length is 24 lines.
prompt options See “Using the CLI” on page 1.
width lines Specifies the number of columns to display, 0-512. To use an unlimited number of
columns, enter 0.
The default width is 80 columns.

Default See descriptions.

Mode Configuration mode

Example The following example sets the idle-timeout to 30 minutes:

ACOS(config)#terminal idle-timeout 30
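
Several commands in this chapter have security-relevant defaults or ranges (attack logging off by default, `terminal idle-timeout 0` disabling the timeout, a 1-12 second TACACS+ timeout, at most 2 TACACS+ servers). The following added example, which is not A10 code, checks a saved configuration against those documented values; it assumes the configuration text uses the command syntax shown on this page, the function and finding names are hypothetical, and the rule that off-threshold should be lower than on-threshold is inferred from the page's 50000/30000 example.

```python
import re

# Constructed sample: commands in the syntax documented in this chapter.
SAMPLE_CONFIG = """\
syn-cookie enable on-threshold 30000 off-threshold 50000
system promiscuous-mode
system cpu-load-sharing disable
tacacs-server host 192.168.3.45 secret SharedSecret timeout 20
terminal idle-timeout 0
"""

MAX_HALF_OPEN = 2147483647  # documented upper bound for both thresholds
SYN_RE = re.compile(
    r"^syn-cookie enable(?: on-threshold (\d+) off-threshold (\d+))?$")
TACACS_RE = re.compile(
    r"^tacacs-server host (\S+) secret \S+(?: port (\d+))?(?: timeout (\d+))?$")
IDLE_RE = re.compile(r"^terminal idle-timeout (\d+)$")


def audit(config_text):
    """Return a list of (code, detail) findings for one configuration dump."""
    lines = [" ".join(ln.split()) for ln in config_text.splitlines() if ln.strip()]
    findings = []
    tacacs_hosts = 0

    for ln in lines:
        syn, tac, idle = SYN_RE.match(ln), TACACS_RE.match(ln), IDLE_RE.match(ln)
        if syn and syn.group(1) is not None:
            on, off = int(syn.group(1)), int(syn.group(2))
            if on > MAX_HALF_OPEN or off > MAX_HALF_OPEN:
                findings.append(("syn-cookie-range", f"on={on} off={off}"))
            elif off >= on:
                # SYN cookies would switch off at or above the level that
                # switches them on.
                findings.append(("syn-cookie-thresholds-inverted",
                                 f"on={on} off={off}"))
        elif tac:
            tacacs_hosts += 1
            timeout = tac.group(3)
            if timeout is not None and not 1 <= int(timeout) <= 12:
                # Report the host only, never the shared secret.
                findings.append(("tacacs-timeout-range",
                                 f"{tac.group(1)} timeout={timeout}"))
        elif idle:
            minutes = int(idle.group(1))
            if minutes == 0:
                findings.append(("idle-timeout-disabled",
                                 "CLI sessions never time out"))
            elif minutes > 60:
                findings.append(("idle-timeout-range", f"minutes={minutes}"))
        elif ln == "system promiscuous-mode":
            findings.append(("promiscuous-mode-on",
                             "diagnostic setting is enabled"))
        elif ln == "system cpu-load-sharing disable":
            findings.append(("cpu-load-sharing-off",
                             "round robin DoS mitigation is disabled"))

    if tacacs_hosts > 2:
        findings.append(("tacacs-too-many-servers", f"count={tacacs_hosts}"))
    if "system anomaly log" not in lines:
        findings.append(("anomaly-log-off", "packet anomaly events not logged"))
    if not {"system attack log", "system ddos-attack log"} & set(lines):
        findings.append(("attack-log-off", "DDoS attack events not logged"))
    return findings


def codes(findings):
    """Return only the finding codes, in the order they were raised."""
    return [code for code, _ in findings]


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```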

tftp blksize
Description Change the TFTP block size.

Syntax [no] tftp blksize bytes

Replace bytes with the maximum packet length the ACOS TFTP client can use when sending
or receiving files to or from a TFTP server. You can specify from 512-32768 bytes.

Default 512 bytes

Mode Configuration mode

Usage Increasing the TFTP block size can provide the following benefits:
• TFTP file transfers can occur more quickly, since fewer blocks are required to send a
file.
• File transfer errors due to the server reaching its maximum block size before a file is
transferred can be eliminated.

To determine the maximum file size a block size will allow, use the following formula:

1 KB block size = 64 MB maximum file size

Here are some examples.

Block Size    Maximum File Size
1024          64 MB
8192          512 MB
32768         2048 MB

Increasing the TFTP block size of the ACOS device only increases the maximum block size
supported by the ACOS device. The TFTP server also must support larger block sizes. If the
block size is larger than the TFTP server supports, the file transfer will fail and a
communication error will be displayed on the CLI terminal.

If the TFTP block size is larger than the IP Maximum Transmission Unit (MTU) on any device
involved in the file transfer, the TFTP packets will be fragmented to fit within the MTU. The
fragmentation will not increase the number of blocks; however, it can re-add some overhead
to the overall file transmission speed.

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following commands display the current TFTP block size, increase it, then verify the
change:

ACOS(config)#show tftp
TFTP client block size is set to 512
ACOS(config)#tftp blksize 4096
ACOS(config)#show tftp
TFTP client block size is set to 4096

timezone
Description Configure the time zone on your system.

Syntax [no] timezone zone [nodst]

Parameter Description
zone Specify the time zone.
Enter timezone ? at the CLI prompt to see a list of available time
zones.
nodst Disable daylight savings time adjustments for the time on your
system.

Default GMT

Mode Configuration mode

Usage If you use the GUI or CLI to change the ACOS timezone or system time, the statistical
database is cleared. This database contains general system statistics (performance, and CPU,
memory, and disk utilization) and SLB statistics.

Example The following example sets the time zone to America/Los_Angeles. Daylight savings time
adjustments will be made.

ACOS(config)#timezone America/Los_Angeles


tx-congestion-ctrl
Description Configure looping on the polling driver, on applicable models.

NOTE: This command can impact system performance. It is recommended not to use this
command unless advised by A10 Networks technical support.

Syntax tx-congestion-ctrl retries

You can specify 1-65535 retries.

Default 1

Mode Configuration mode

upgrade
Description Upgrade the system.

Syntax upgrade {cf pri | hd {pri | sec}}
{local image-name | [use-mgmt-port] url}
[staggered-upgrade-mode Device device-id]
[reboot-after-upgrade]

Parameter Description
cf Write the upgrade image to the compact flash, replacing the image currently at that
location.
hd Write the upgrade image to the hard disk, replacing the image currently at that loca-
tion.
pri Replace the primary image on the specified location (compact flash or hard disk).
sec Replace the secondary image on the hard disk.
local image-name Use the specified upgrade image from the local VCS image repository.
Use show vcs images to view a list of available local images.
use-mgmt-port Uses the management interface as the source interface for the connection to the
remote device. The management route table is used to reach the device. By default, the
ACOS device attempts to use the data route table to reach the remote device through
a data interface.
url File transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter to display a prompt
for each part of the URL. If you enter the entire URL and a password is required, you will
still be prompted for the password. The password can be up to 255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[port:]/file
• scp://[user@]host/file
• sftp://[user@]host/file

staggered-upgrade-mode Use VCS staggered upgrade mode.
reboot-after-upgrade Reboot the system after the upgrade is complete.

Default N/A

Mode Configuration mode

Usage For complete upgrade instructions, see the release notes for the ACOS release to which you
plan to upgrade.

vcs
Description Configure ACOS Virtual Chassis System (aVCS).

The vcs commands are available only when aVCS is enabled. To enable aVCS, use the vcs
enable command.

For more information, see “aVCS CLI Commands” in Configuring ACOS Virtual Chassis
Systems.

ve-stats
Description Enable statistics collection for Virtual Ethernet (VE) interfaces.

NOTE: This command does not work in L3V partitions.

Syntax [no] ve-stats enable

Default Disabled

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

vlan
Description Configure a virtual LAN (VLAN). This command changes the CLI to the configuration level for
the VLAN.

Syntax [no] vlan vlan-id

Replace vlan-id with the ID of the VLAN (2-4094).

If the ACOS device is a member of an aVCS virtual chassis, specify the vlan-id as follows:

DeviceID/vlan-id


Default VLAN 1 is configured by default. All Ethernet data ports are members of VLAN 1 by default.

Mode Configuration mode

Usage You can add or remove ports in VLAN 1 but you cannot delete VLAN 1 itself.

For information about the commands available at the VLAN configuration level, see “Config
Commands: VLAN” on page 287.

Example The following command adds VLAN 69 and enters the configuration level for it:

ACOS(config)#vlan 69
ACOS(config-vlan:69)#

vlan-global
Description Set global VLAN parameters.

Syntax [no] vlan-global
{enable-def-vlan-l2-forwarding | vlan-global l3-vlan-fwd-disable}

Parameter Description
enable-def-vlan-l2-forwarding Enable Layer 2 forwarding on the default VLAN (VLAN 1).
By default, Layer 2 forwarding is disabled on VLAN 1, on ACOS devices
deployed in Layer 3 (route) mode.
When Layer 2 forwarding on VLAN 1 is disabled, broadcast, multicast, and
unknown unicast packets are dropped instead of being forwarded. Learning is
also disabled on the VLAN. However, packets for the ACOS device itself (for
example, LACP or OSPF) are not dropped.
NOTE: Configuring an IP interface on an individual Ethernet interface
indicates you are deploying in route mode (also called “gateway mode”). If you
deploy in transparent mode instead, in which the ACOS device has a single IP
address for all data interfaces, Layer 2 forwarding is left enabled by default on
VLAN 1.
l3-vlan-fwd-disable Globally disable Layer 3 forwarding between VLANs.
By default, the ACOS device can forward Layer 3 traffic between VLANs.

vrrp-a
Description Configure VRRP-A high availability for ACOS.

For more information, see “VRRP-A CLI Commands” in Configuring VRRP-A High Availability.

waf
Description Configure Web Application Firewall (WAF) parameters. See the Web Application Firewall
Guide.

web-category
Description Configure Web Category classification. See “Config Commands: Web Category” on page 659.

web-service
Description Configure web services.

Syntax [no] web-service
{
auto-redir |
axapi-session-limit num |
axapi-timeout-policy idle minutes |
port protocol-port |
secure {
certificate load [use-mgmt-port] url |
private-key load [use-mgmt-port] url |
generate domain-name domain_name [country country_code] [state state_name] |
regenerate domain-name domain_name [country country_code] [state state_name] |
restart |
wipe} |
secure-port protocol-port |
server disable |
secure-server disable
}

Parameter Description
auto-redir Enables requests for the unsecured port (HTTP) to be automatically redirected to the
secure port (HTTPS).
This feature is enabled by default.
axapi-session-limit num Specifies the maximum number of aXAPI sessions that can be run
simultaneously (1-100).
The default is 30.
axapi-timeout-policy idle minutes Specifies the number of minutes an aXAPI session can remain idle
before being terminated. Once the aXAPI session is terminated, the session ID generated by the
ACOS device for the session is no longer valid. You can specify 0-60 minutes. If you specify 0,
sessions never time out.
The default timeout is 5 minutes.
port port Specifies the port number for the unsecured (HTTP) port.
The default HTTP port is 80.

secure Generate a new certificate for your ACOS device when it is booted for the first time.
Use the certificate or private-key parameters to load an externally-generated
certificate or private-key. For the URL, you can specify:
• tftp://host/file
• ftp://[user@]host[port:]/file
• scp://[user@]host/file
• sftp://[user@]host/file
Use generate or regenerate for certificate creation. You must specify the domain
name, and can optionally specify the country and state location.
secure-port port Specifies the port number for the secure (HTTPS) port.
The default HTTPS port is 443.
server disable Disables the HTTP server.
This server is enabled by default.
secure-server disable Disables the HTTPS server.
This server is enabled by default.

Default See descriptions.

Mode Configuration mode

Usage If you disable HTTP or HTTPS access, any sessions on the management GUI are immediately
terminated.

Example The following command disables management access on HTTP:

ACOS(config)#web-service server disable
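
A configuration review of the web-service settings described above, added here as an example (not A10 code): it applies web-service lines to the defaults stated in the parameter table and reports management-plane exposures. It assumes that non-default settings appear in a saved configuration exactly as the commands are entered and that the no form returns a value to its default; the sample configurations, function names, and finding names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Defaults as stated in the web-service parameter table on this page.
DEFAULTS = {
    "http_enabled": True,   # HTTP server is enabled by default
    "https_enabled": True,  # HTTPS server is enabled by default
    "auto_redir": True,     # HTTP requests are redirected to HTTPS
    "http_port": 80,
    "https_port": 443,
    "idle_minutes": 5,      # axapi-timeout-policy idle
    "session_limit": 30,    # axapi-session-limit
}

# Sub-commands that carry a numeric value: leading keywords -> settings key.
VALUE_OPTIONS = {
    ("port",): "http_port",
    ("secure-port",): "https_port",
    ("axapi-timeout-policy", "idle"): "idle_minutes",
    ("axapi-session-limit",): "session_limit",
}

# Of the four URL forms listed for "secure ... load", these two are unencrypted.
CLEARTEXT_SCHEMES = {"tftp", "ftp"}


def effective_web_service(config_text):
    """Apply web-service lines, in order, on top of the documented defaults."""
    settings = dict(DEFAULTS)
    for raw in config_text.splitlines():
        words = raw.split()
        negated = words[:1] == ["no"]
        if negated:
            words = words[1:]
        if len(words) < 2 or words[0] != "web-service":
            continue  # not a web-service line
        args = tuple(words[1:])
        if args == ("auto-redir",):
            settings["auto_redir"] = not negated
        elif args == ("server", "disable"):
            settings["http_enabled"] = negated
        elif args == ("secure-server", "disable"):
            settings["https_enabled"] = negated
        else:
            for prefix, key in VALUE_OPTIONS.items():
                if args[:len(prefix)] != prefix:
                    continue
                value = args[len(prefix):]
                if negated:  # assumption: "no ..." returns the option to its default
                    settings[key] = DEFAULTS[key]
                elif len(value) == 1 and value[0].isdigit():
                    settings[key] = int(value[0])
    return settings


def audit_web_service(config_text):
    """Return (severity, finding_id, message) tuples for the effective settings."""
    s = effective_web_service(config_text)
    findings = []
    if s["http_enabled"] and not s["auto_redir"]:
        findings.append(("high", "http-no-redirect",
                         f"HTTP on port {s['http_port']} is enabled and not redirected "
                         "to HTTPS; use 'web-service server disable'"))
    elif s["http_enabled"]:
        findings.append(("info", "http-redirect-only",
                         f"HTTP on port {s['http_port']} is open and redirects to HTTPS; "
                         "the first request is still sent unencrypted"))
    if s["http_enabled"] and not s["https_enabled"]:
        findings.append(("high", "https-disabled",
                         "HTTPS server is disabled while the HTTP server is enabled"))
    if s["idle_minutes"] == 0:
        findings.append(("medium", "axapi-no-idle-timeout",
                         "axapi-timeout-policy idle 0: aXAPI session IDs never expire"))
    elif s["idle_minutes"] > 60:
        findings.append(("low", "axapi-idle-out-of-range",
                         "axapi-timeout-policy idle is outside the documented 0-60"))
    if not 1 <= s["session_limit"] <= 100:
        findings.append(("low", "axapi-session-limit-out-of-range",
                         "axapi-session-limit is outside the documented 1-100"))
    return findings


def load_url_is_cleartext(url):
    """True when a certificate/private-key load URL uses an unencrypted transport."""
    return urlsplit(url).scheme.lower() in CLEARTEXT_SCHEMES


# Constructed sample configurations (not taken from a real device).
SAMPLE_WEAK = """
vlan 69
no web-service auto-redir
web-service axapi-timeout-policy idle 0
web-service axapi-session-limit 100
"""
SAMPLE_HARDENED = """
web-service server disable
web-service axapi-timeout-policy idle 5
"""

if __name__ == "__main__":
    for severity, finding_id, message in audit_web_service(SAMPLE_WEAK):
        print(f"[{severity}] {finding_id}: {message}")
```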

write
Description Write the running-config to a configuration profile. (See “write” on page 43.)

write terminal
Description Display the running-config on the terminal. (See “write” on page 43.)



Config Commands: Application Access Management

This chapter describes the commands for configuring Application Access Management (AAM).

To access this configuration level, enter the configure command at the Privileged EXEC level.

To display global settings, use show commands. (See “Show Commands” on page 681.)

This CLI level also has the following commands, which are available at all configuration levels:

• backup – See “backup system” on page 27 and “backup log” on page 25.

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• diff – See “diff” on page 29.

• export – See “export” on page 31.

• health-test – See “health-test” on page 19.

• help – See “CLI Quick Reference” on page 4.

• import – See “import” on page 34.

• repeat – See “repeat” on page 40.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

This chapter contains the following sections:

• “AAM Configuration Commands” on page 194

• “AAM AAA Rule Configuration Commands” on page 213

• “AAM Show Commands” on page 216

AAM Configuration Commands


This section describes the AAM commands available at the global configuration level of the CLI:

• aam aaa-policy

• aam authentication account kerberos-spn

• aam authentication log enable

• aam authentication log facility

• aam authentication logon form-based

• aam authentication logon http-authenticate

• aam authentication portal default-portal

• aam authentication relay form-based

• aam authentication relay http-basic

• aam authentication relay kerberos

• aam authentication relay ntlm

• aam authentication relay ws-federation

• aam authentication saml identity-provider

• aam authentication saml service-provider

• aam authentication server ldap

• aam authentication server ocsp

• aam authentication server radius

• aam authentication server windows

• aam authentication service-group

• aam authentication template

• aam authorization policy

aam aaa-policy
Description Configure an AAA policy to bind configured templates, access-lists, and domains.

Syntax [no] aam aaa-policy profile-name


Replace profile-name with the name of the AAA policy (1-63 characters).

After entering this command, enter the following command to designate rules for the AAA
policy:

[no] aaa-rule rule-number

You can specify a rule index number 1-256. This command drops you into AAA Rule
configuration mode. To view the commands available in this mode, see “AAM AAA Rule
Configuration Commands” on page 213.

Default There are no default AAA policy profiles.

Mode Configuration Mode

Example Enter AAM AAA Rule configuration mode:

ACOS(config)#aam aaa-policy policyname


ACOS(config-aaa policy:policyname)#aaa-rule 255
ACOS(config-aaa policy:policyname-aaa rule:...)#

aam authentication account kerberos-spn


Description Configure an Active Directory domain account with a Kerberos SPN and specify account
credentials.

Syntax [no] aam authentication account kerberos-spn profile-name


This command changes the CLI to the configuration level for the profile, where the following
commands are available.

Command Description
[no] account account-name-string Admin account name required to log onto the Active Directory server.
[no] password string Password required for logging onto the Active Directory server.
[no] realm realm-string URL of the host realm for the Active Directory server.
[no] service-principal-name string Name of the account object used for the authentication service
instance.

Default None

Mode Configuration Mode

aam authentication log enable


Description Enable collection of authentication logs for generated authentication data.

Syntax [no] aam authentication log enable


This command changes the CLI to the configuration level for the profile. In the current
release, no commands specific to this type of profile are available.

Default None

Mode Configuration Mode

aam authentication log facility


Description Specify the location on the syslog server to send authentication logs.

Syntax [no] aam authentication log facility facility-name

Default The default facility is local 0.

Mode Configuration Mode

aam authentication logon form-based


Description Configure an authentication logon profile for form-based logon.

Syntax [no] aam authentication logon form-based profile-name


This command changes the CLI to the configuration level for the profile, where the following
commands are available.

Command Description
[no] action-url url-string URL for the POST action to be performed by the client browser after the
end-user enters their credentials. Use this option if the URL is not the same as the URL for
the page that contains the form. Use the following format:
/url-string
[no] changepassword-new-password-variable string Name of the data field for the new password
entered into the change-password form by the end-user.
[no] changepassword-old-password-variable string Name of the data field for the old password
entered into the change-password form by the end-user.
[no] changepassword-password-confirm-variable string Name of the data field for the confirmed
new password entered into the change-password form by the end-user.
[no] changepassword-url string URL for the POST action to be performed by the client browser
after the end-user enters their expired and new credentials.
[no] changepassword-username-variable string Name of the data field for the username entered
into the change-password form by the end-user.
[no] login-failure-message string Message to display to an end-user if their login attempt fails.
The message string is included in the logon form resent by AAM to the end-user.
[no] password-variable string Name of the data field for the password entered into the
logon form by the end-user.

[no] portal portal-name Names of the web pages sent by the Logon Portal to end-
users for logon and password maintenance.
logon page-name Name of the logon page sent to clients. This page should
contain a form that includes the data fields identified by the
following commands (also described in this table):
• username-variable string
• password-variable string
failpage page-name Name of the logon failure page sent to clients.
changepasswordpage page-name Name of the change password page sent to clients. This page
should contain a form that includes the data fields identified
by the following commands (described in this table):
• changepassword-username-variable string
• changepassword-old-password-variable string
• changepassword-new-password-variable string
• changepassword-password-confirm-variable string
[no] retry num Number of times ACOS will resend the authentication
request to the client, to allow the end-user to re-enter their
credentials. You can specify 1-32.
The default is 3.
[no] username-variable string Name of the data field for the username entered into the
logon form by the end-user.

Default There are no default authentication-logon profiles. When you create one for form-based
logon, the profile has no default values.

Mode Configuration Mode

aam authentication logon http-authenticate


Description Configure an authentication-logon profile for HTTP-based logon.

Syntax [no] aam authentication logon http-authenticate profile-name

This command changes the CLI to the configuration level for the profile, where the following
commands are available.

Command Description
[no] auth-method
{
basic {
challenge-response-form name
new-pin-page name
next-token-page name
new-pin-variable name
next-token-variable name |
enable |
realm name} |
negotiate |
ntlm
}
Specify the type of authentication logon mechanisms.
• basic enable – Enables a basic authentication logon.
• negotiate enable – Enables a Kerberos-based SPNEGO protocol for the authentication logon.
• ntlm enable – Enables an NTLM logon.
[no] retry num Number of times ACOS will resend the authentication request to the client,
to allow the end-user to re-enter their credentials. You can specify 1-32.
The default is 3.

Default There are no default authentication-logon profiles. When you create one for basic HTTP
logon, the default retry value is 3.

Mode Configuration Mode

aam authentication portal default-portal


Description Configure an authentication portal.

This command changes the CLI to the configuration level for the profile, where the following
commands are available.

Command Description
change-password Change the password page configuration. The following commands are available after
you enter change-password:
• action-url – Specify the form action URL in the default change password page
(1-63 characters). The default is /change.fo.
• background {color color | file name}– Configure the background on the
default change password page. You can specify a color, either by name or hex value,
or a file to use for the background. The default is a10bg.gif.
• confirm-password – Configure the confirm password text on the default change
password page. Specify at least one of the following:
• color color - name or hex value for the desired font color.
• font font-name - font type to use for the text. Type font ? to see the list of
available fonts.
• size size - size of the font (1-7).
• text string - text you want to use on the page (1-63 characters).
• confirm-password-var - Configure the confirm password variable name on the
default change password page (1-63 characters). The default is cp_cfm_pwd.
• new-password - Configure the new password text on the default change password
page. The sub-options are the same as confirm-password (above).
• new-password-var - Configure the new password variable name on the default
change password page (1-63 characters). The default is cp_new_pwd.
• old-password - Configure the old password text on the default change password
page. The sub-options are the same as confirm-password (above).
• old-password-var - Configure the old password variable name on the default
change password page (1-63 characters). The default is cp_old_pwd.
• reset-text - Configure the text you want to appear on the Reset button on the
default change password page (1-63 characters). The default is “Reset.”
• submit-text - Configure the text you want to appear on the Submit button on
the default change password page (1-63 characters). The default is “Submit.”
• title - Configure the title on the default change password page. The sub-options
are the same as confirm-password (above).
• username - Configure the username text on the default change password page. The
sub-options are the same as confirm-password (above).
• username-var - Configure the username variable name on the default change
password page (1-63 characters). The default is cp_usr.
logo filename [height num] [width num] Specify the name of the image file you want to use for the
logo (1-63 characters). You can also specify the height (50-400 pixels) and/or width (50-400 pixels)
of the image.

logon Configure the login page for the default portal. The following commands are available
after you enter logon:
• action-url– Specify the form action URL (1-63 characters). The default is
/logon.fo.
• background {color color | file name}– Configure the background on the
logon page. You can specify a color, either by name or hex value, or a file to use for
the background. The default is def_bg.gif.
• enable-passcode - Enable the Passcode field on the logon page.
• fail-msg - Configure the message users will see if their logon attempt fails (1-63
characters). Specify at least one of the following:
• color color - name or hex value for the desired font color.
• font font-name - font type to use for the text. Type font ? to see the list of
available fonts.
• size size - size of the font (1-7).
• text string - text you want to use (1-63 characters). The default is “Invalid user-
name or password. Please try again.”
• passcode - Configure the text you want to use for the Passcode field. The sub-
options are the same as fail-msg (above). The default is “Passcode.”
• passcode-var - Configure the passcode variable name on the logon page (1-63
characters). The default is passcode.
• password - Configure the text you want to use for the Password field. The sub-
options are the same as fail-msg (above). The default is “Password.”
• password-var - Configure the password variable name on the logon page (1-63
characters). The default is pwd.
• submit-text - Configure the text you want to appear on the Submit button (1-63
characters). The default is “Submit.”
• username- Configure the text you want to use for the Username field on the logon
page. The sub-options are the same as fail-msg (above). The default text is “User
Name.”
• username-var - Configure the username variable name on the logon page (1-63
characters). The default is user.
logon-fail Configure the login failed page for the default portal. The following commands are
available after you enter logon-fail:
• background {color color | file name}– Configure the background on the
logon page. You can specify a color, either by name or hex value, or a file to use for
the background. The default is a10bg.gif.
• fail-msg - Configure the message users will see if their logon attempt fails (1-63
characters). Specify at least one of the following:
• color color - name or hex value for the desired font color.
• font font-name - font type to use for the text. Type font ? to see the list of
available fonts.
• size size - size of the font (1-7).
• text string - text you want to use (1-63 characters). The default is “Login failed!”
• title - Configure the title on the default change password page. The sub-options
are the same as fail-msg (above), except that there is no default text string.

reset-change-password Reset the configuration on the change password page to all default values.
reset-logon Reset the configuration on the logon page to all default values.
reset-logon-fail Reset the configuration on the logon fail page to all default values.

Syntax aam authentication portal default-portal

Mode Configuration mode

Example Enter portal configuration mode:

ACOS(config)#aam authentication portal default-portal


ACOS(config:default-portal)#

aam authentication relay form-based


Description Configure an authentication relay profile for form-based authentication.

Syntax [no] aam authentication relay form-based profile-name


This command changes the CLI to the configuration level for the profile, where the following
commands are available:

Command Description
[no] request-uri {equals | contains | starts-with | ends-with} uri URI path of the authentication
web page.

Default None

Mode Configuration Mode

aam authentication relay http-basic


Description Configure an authentication relay profile for basic HTTP authentication.

Syntax [no] aam authentication relay http-basic profile-name

This command changes the CLI to the configuration level for the profile, where the following
commands are available:

Command Description
domain domain-name Specify the user domain.
domain-format {user-principal-name | down-level-logon-name} Specify the format to use for
appending the domain to the credential:
• user-principal-name - Append the domain using the User Principal Name
format (for example: user@domain).
• down-level-logon-name - Append the domain using the Down Level Logon
Name format (for example: domain\user).
The default is down-level-logon-name.

Default None

Mode Configuration Mode

aam authentication relay kerberos


Description Configure an authentication-relay profile for Kerberos authentication.

Syntax [no] aam authentication relay kerberos profile-name


This command changes the CLI to the configuration level for the profile, where the following
commands are available.

Command Description
[no] kerberos-account name [...] Kerberos admin account name required to log onto the KDC.
[no] kerberos-kdc {hostname | ipaddr} Hostname or IP address of the KDC.
[no] kerberos-kdc-service-group {auth_service_group} Name of the service group for multiple KDC
servers configured in AAM (under authentication server).
[no] kerberos-realm realm-string Name of the Kerberos realm secured by the AAA servers.
[no] password string Password required for logging onto the KDC.
[no] port port-num Protocol port number on which the KDC listens for requests.
The default port is 88.
[no] timeout seconds Maximum number of seconds ACOS waits for the Kerberos server to
respond to a request. If a request times out, ACOS aborts that request. You
can specify 1-255 seconds.
The default timeout is 10 seconds.

Default There are no default authentication-relay profiles. When you create one, it has the default
values described in the table above.

Mode Configuration Mode

aam authentication relay ntlm


Description Configure an authentication relay profile for NTLM authentication.

Syntax [no] aam authentication relay ntlm profile-name


This command changes the CLI to the configuration level for the profile, where the following
commands are available:

Command Description
[no] domain domain-name Domain of the NTLM authentication server. The default
for this is null.
[no] version num Version of NTLM running on the existing network. The
default value is the newest version, 2.

Default None

Mode Configuration Mode

aam authentication relay ws-federation


Description Configure an authentication relay profile for ws-federation authentication.

Syntax [no] aam authentication relay ws-federation profile-name


This command changes the CLI to the configuration level for the profile, where the following
commands are available:

Command Description
[no] application-server {sharepoint | exchange-owa} Specify the type of application server:
• sharepoint - Microsoft SharePoint
• exchange-owa - Microsoft Exchange
The default is Microsoft SharePoint.
[no] authentication-uri uri-name Specify WS-Federation relay URI.
The default URI is /_trust/.

Default None

Mode Configuration Mode

aam authentication saml identity-provider


Description Configure profile and specifications for the identity provider within Security Assertion
Markup Language (SAML) for authentication.

Syntax [no] aam authentication saml identity-provider identity-provider-name

This command changes the CLI to the configuration level for the profile, where the following
commands are available.

[no] metadata url

Replace url with the URL of the SAML identity provider's metadata file (1-63 characters).

Default None

Mode Configuration Mode

aam authentication saml service-provider


Description Configure profile and specifications for the service provider within Security Assertion Markup
Language (SAML) for authentication.

Syntax [no] aam authentication saml service-provider service-provider-name


This command changes the CLI to the configuration level for the profile, where the following
commands are available.

Command Description
[no] adfs-ws-federation enable Enable ADFS WS_Federation.
[no] artifact-resolution-service index index-num location string binding soap
The SAML service provider artifact resolution service configuration.
Specify the index number of the artifact resolution service (0-5), and
the location of the artifact resolution service (for example, /SAML/POST),
and SOAP binding of the artifact resolution service.
[no] assertion-consuming-service index index-num location string binding {artifact | paos | post}
The SAML service provider assertion consuming service configuration.
Specify the index number of the assertion consuming service (0-5),
and the location of the assertion consuming service (for example, /SAML/POST),
and the binding:
• artifact - Artifact binding of the assertion consuming service.
• paos - PAOS binding of the assertion consuming service.
• post - POST binding of the assertion consuming service.
[no] certificate filename The SAML service provider certificate file (1-63 characters).
[no] entity-id id The SAML service provider entity ID (1-63 characters).

[no] metadata-export-service location uri [sign-xml]
The SAML service provider metadata export service.
The default location is /A10SP_Metadata. The sign-xml option signs the exported service
provider metadata XML with service provider's certificate.
[no] require-assertion-signed enable Require SAML assertion to be signed.
[no] saml-request-signed disable Signing SAML requests (AuthnRequest or Artifact Resolve).
[no] service-url url SAML service provider service URL (for example,
https://www.a10networks.com/saml.sso).
[no] single-logout-service location name binding {post | redirect | soap}
The SAML service provider single logout service configuration.
Specify the location of the single logout service (for example, /SAML/POST), and the binding:
• post - POST binding of the single logout service.
• redirect - Redirect binding of the single logout service.
• soap - SOAP binding of the single logout service.
[no] soap-tls-certificate-validate disable Verifies the IDP certificate when you establish the TLS
connection to IDP for Artifact resolution.

Default None

Mode Configuration Mode

aam authentication server ldap


Description Configure an authentication-server profile for a Lightweight Directory Access Protocol
(LDAP) server.

Syntax [no] aam authentication server ldap profile-name


This command changes the CLI to the configuration level for the profile, where the following
commands are available:

Command Description
[no] admin-dn string The Distinguished Name (DN) of the LDAP admin account that is required
to access the server (1-127 characters).
[no] admin-secret string Admin password (1-128 characters).
[no] base string LDAP server’s search base (1-127 characters).
[no] bind-with-dn DN must be used for LDAP binding.
[no] default-domain domain-name Default domain for LDAP (1-63 characters).
[no] derive-bind-dn username-attr attr-name Derive Distinguished Name for binding from server.
Specify the attribute name of username (1-31 characters).
[no] dn-attribute attr-name Specify Distinguished Name attribute (1-31 characters).
The default is CN.

[no] health-check mon-name Check the server’s health check status. Specify the name of an existing
health check monitor (1-31 characters).
[no] health-check-disable Disable the configured health check configuration.
[no] host {hostname | ipaddr} Hostname or IP address of the LDAP server.
[no] port port-num Protocol port on which the server listens for LDAP traffic.
The default port is 389.
[no] pwdmaxage seconds Maximum amount of time an end-user’s password can be cached. You
can specify 1-4294967295 seconds.
This is not set by default.
[no] timeout seconds Maximum number of seconds ACOS waits for the LDAP server to respond
to a request. If a request times out, ACOS aborts that request. You can
specify 1-255 seconds.
The default is 10 seconds.

Default There are no default authentication-server profiles. When one is created, the default values
are specified in the descriptions above.

Mode Configuration Mode

aam authentication server ocsp


Description Configure an authentication-server profile for an Online Certificate Status Protocol (OCSP)
server.

Syntax [no] aam authentication server ocsp profile-name


This command changes the CLI to the configuration level for the profile, where the following
commands are available:

Command Description
[no] health-check mon-name Check the server’s health check status. Specify the name of an existing
health check monitor (1-31 characters).
[no] health-check-disable Disable the configured health check configuration.
[no] port-health-check mon-name Check the port’s health check status. Specify the name of an existing
health check monitor (1-31 characters).
[no] port-health-check-disable Disable the configured port health check configuration.
[no] responder-ca The trusted OCSP responder's CA certificate filename.
[no] responder-cert The trusted OCSP responder's certificate filename.
[no] url url-string The OCSP server’s address in the following format:
http://host[:port]/

Default There are no default authentication-server profiles. When you create one for OCSP, it has no
default values.

Mode Configuration Mode

aam authentication server radius


Description Configure an authentication-server profile for a RADIUS server.

Syntax [no] aam authentication server radius profile-name


This command changes the CLI to the configuration level for the profile, where the following
commands are available.

Command Description
[no] health-check mon-name Check the server’s health check status. Specify the name of an existing health
check monitor (1-31 characters).
[no] health-check-disable Disable the configured health check configuration.
[no] host {hostname | ipaddr} Hostname or IP address of the RADIUS server.
[no] interval seconds Maximum number of seconds ACOS will wait for a reply to a request before
resending the request. You can specify 1-1024 seconds.
The default interval is 3.
[no] port port-num Protocol port on which the server listens for RADIUS traffic.
The default port is 1812.
[no] retry num Maximum number of times ACOS will send the same request before giving up.
You can specify 1-32.
The default retry is 5.
[no] secret string Password, 1-128 characters, required by the RADIUS server for authentication
requests.

Default There are no default authentication-server profiles. When you create one, it has the default
values specified in the table above.

Mode Configuration Mode

aam authentication server windows


Description Configure an authentication-server profile for a Windows server for either Kerberos, NTLM, or
Windows Integrated Authentication.

Syntax [no] aam authentication server windows profile-name

This command changes the CLI to the configuration level for the profile, where the following
commands are available.

Command Description
[no] auth-protocol protocol Specifies an enabled authentication protocol. The user can choose among the
following:
• kerberos-disable – Disable Kerberos protocol.
• kerberos-port value – Specify the Kerberos port, default is 88.
• health-check string – Specify a previously configured health monitor for running health checks on the Kerberos KDC server port.
• health-check-disable – Disable a configured health check for the Kerberos KDC server port.
• ntlm-health-check string – Specify a previously configured health monitor for running health checks on the NTLM server port. NTLM uses a fixed port number, port 445.
• ntlm-health-check-disable – Disable a configured health check for the NTLM server port.
• ntlm-disable – Disable NTLM protocol.
• ntlm-version value – Specify the NTLM version, default is 2.
[no] health-check mon-name Check the server’s health check status. Specify the name of an existing health check monitor (1-31 characters).
[no] health-check-disable Disable the configured health check configuration.
[no] host {hostname | ipaddr} Hostname or IP address of the Windows server.
[no] health-check health-monitor-name Checks the health status of a port when user enters a configured health monitor.
[no] health-check-disable Disables a health check configuration.
[no] realm realm-name URL of the host realm for the authentication server.
[no] timeout value Specifies connection timeout to server, default is 10 seconds.

Default There are no default authentication-server profiles. When you create one, it has the default
values specified in the table above.

Mode Configuration Mode

aam authentication service-group


Description Configure an authentication service group for multiple authentication servers. Can be used
to create a group of multiple KDCs for a Kerberos relay.

Syntax [no] aam authentication service-group service_group_name {tcp | udp}

This command changes the CLI to the configuration level for the service-group, where the
following commands are available.

Command Description
[no] health-check profile-name Enables a health check for the service group when user enters a configured
health monitor.
[no] health-check-disable Disables a health check configuration.
[no] member profile-name Binds servers as members of the configured service-group.
[no] method type Specifies load balancing method between servers in configured service-group.
The default is round-robin.

Mode Configuration mode.

aam authentication template


Description Configure an authentication template. You can use authentication templates to bind security resources to SLB resources (typically, an HTTP virtual port).

Syntax [no] aam authentication template template-name

This command changes the CLI to the configuration level for the template, where the
following commands are available.

Command Description
[no] account name Specify the name of an AD account (1-63 characters).
[no] cookie-domain domain Specify the domain scope for authentication (for example, .exampledomain.com).
[no] cookie-domain-group id Specify the group ID (1-31 characters) to join in the specified cookie-domain.
[no] cookie-max-age seconds Configure the maximum age for the authentication session cookie in seconds (1-2592000).
The default is 604800 (1 week).
[no] forward-logout-disable Disable forward logout request to the back-end application server. The logout-url must first be configured before you can use this option.
[no] logon profile-name Name of a configured authentication logon profile.

[no] logout-idle-timeout seconds Maximum amount of time an authenticated end-user session can be idle
before being terminated by ACOS. You can specify 1-86400 seconds.
The default is 300 seconds (5 minutes).
[no] logout-url url-string [...] Web page to serve to end-users after they log out.
[no] relay profile-name Name of a configured authentication-relay profile.
[no] saml-idp idp-name Name of the SAML identity provider (1-63 characters).
[no] saml-sp sp-name Name of the SAML service provider (1-63 characters).
[no] server profile-name Name of a configured authentication-server profile. Use this option instead of the service-group option, if you have only one authentication server.
[no] service-group group-name Name of a configured service group of authentication servers.
[no] type {saml | standard} Specify the type of authentication template.

Default There are no default authentication templates. When you create one, the defaults are
described in the table above.

Mode Configuration Mode

aam authorization policy


Description Configure an authorization policy.

Syntax [no] aam authorization policy policy-name

This command changes the CLI to the configuration level for the policy, where the following
commands are available.

Command Description
[no] attribute attr-num {attr-name | A10-AX-AUTH-URI} attr-type type operator attr-value
    Configure authorization attribute values.
    • attr-num – Attribute number, 1-32.
    • attr-name – Attribute name, either a custom name or A10-AX-AUTH-URI.
    • attr-type type – Data type of the attribute:
        • integer
        • ip-addr
        • string
    • operator – Type of comparison to perform:
        • equal
        • not-equal
        • less-than
        • more-than
        • less-than-equal-to
        • more-than-equal-to
        • match
        • sub-string
      (The operators supported for a given data type differ depending on the type.)
    • attr-value – Value to be compared.
[no] attribute-rule attr-num {and | or} attr-num} ...
    Rule for combining multiple attributes.
[no] server profile-name Name of a configured authorization-server profile. Use this option instead of
the service-group option, if you have only one authorization server.
[no] service-group group-name Name of a configured service group of authorization servers.

Default Not set

Mode Configuration Mode

clear aam authentication kcache


Description Clear Kerberos authentication cache.

Syntax clear aam authentication session kcache [kerberos-relay-name]

Mode Privileged EXEC and all configuration levels

clear aam authentication service-group


Description Clear authentication service-group statistics.

Syntax clear aam authentication service-group {all | group-name}

Mode Privileged EXEC and all configuration levels

clear aam authentication session


Description Clear authentication session table entries.

Syntax clear aam authentication session all

or

clear aam authentication session
    source-addr {ipv4 ipv4-addr | ipv6 ipv6-addr}
    [username username]
    [vip virtual-server-name]

or

clear aam authentication session username username
    [source-addr {ipv4 ipv4-addr | ipv6 ipv6-addr}]
    [vip virtual-server-name]

or

clear aam authentication session vip virtual-server-name
    [source-addr {ipv4 ipv4-addr | ipv6 ipv6-addr}]
    [username username]

Parameter Description
all Clears all entries.
source-addr Clears sessions with a specific IPv4 or IPv6 address.
username Clears sessions with a specific username.
vip Clears sessions with a specific virtual-server.

Mode Privileged EXEC and all configuration levels

clear aam authentication statistics


Description Clear authentication statistics.

Syntax clear aam authentication statistics
[
aaa-policy |
aaa-rule |
logon spn-kerberos |
relay [type] |
saml-sp |
server [type]
]
[name]

Mode Privileged EXEC and all configuration levels

AAM AAA Rule Configuration Commands


This section describes the commands available in AAM AAA Rule configuration mode. To enter this mode, use the aam aaa-policy and aaa-rule commands. For example:

ACOS(config)#aam aaa-policy policyname
ACOS(config-aaa policy:policyname)#aaa-rule 255
ACOS(config-aaa policy:policyname-aaa rule:...)#

The following commands are available:

• access-list

• action

• authentication-template

• authorize-policy

• domain-name

• match-encoded-uri

• uri

access-list
Description Allows the user to specify which access list will be included in the rule by using the following options.

Syntax access-list {1-199 | ip-name acl_name | ipv6-name acl_name}

Parameter Description
1-199 ID of the access list.
ip-name acl_name Specify the name of an IPv4 access list.
ipv6-name acl_name Specify the name of an IPv6 access list.

Mode AAA Rule configuration mode

Example Include the IPv4 access list named acl1 in the rule:

ACOS(config)#aam aaa-policy policyname
ACOS(config-aaa policy:policyname)#aaa-rule 255
ACOS(config-aaa policy:policyname-aaa rule:...)#access-list ip-name acl1

action
Description Set the action that should be taken for this rule.

Syntax action {allow | deny}

Mode AAA Rule configuration mode

Example Allow traffic that matches the rule.

ACOS(config)#aam aaa-policy policyname
ACOS(config-aaa policy:policyname)#aaa-rule 255
ACOS(config-aaa policy:policyname-aaa rule:...)#action allow

authentication-template
Description Specify the name of the authentication template you want to bind to this rule.

Syntax [no] authentication-template template-name

Replace template-name with the name of an existing authentication template (1-63 characters).

Mode AAA Rule configuration mode

Example Bind the authentication template named auth-tmplt-1 to this rule:

ACOS(config)#aam aaa-policy policyname
ACOS(config-aaa policy:policyname)#aaa-rule 255
ACOS(config-aaa policy:policyname-aaa rule:...)#authentication-template auth-tmplt-1

authorize-policy
Description Specify the name of the authorization policy you want to bind to this rule.

Syntax [no] authorize-policy policy-name

Replace policy-name with the name of an existing authorization policy (1-63 characters).

Mode AAA Rule configuration mode

Example Bind the authorization policy named auth-policy-1 to this rule:

ACOS(config)#aam aaa-policy policyname
ACOS(config-aaa policy:policyname)#aaa-rule 255
ACOS(config-aaa policy:policyname-aaa rule:...)#authorize-policy auth-policy-1

domain-name
Description Specify the name of a specific domain you want to bind to this rule.

Syntax [no] domain-name domain-name

Replace domain-name with the name of a domain (1-127 characters).

Mode AAA Rule configuration mode

Example Bind the domain named www.exampledomain.com to this rule:

ACOS(config)#aam aaa-policy policyname
ACOS(config-aaa policy:policyname)#aaa-rule 255
ACOS(config-aaa policy:policyname-aaa rule:...)#domain-name www.exampledomain.com

match-encoded-uri
Description Enable URL decoding for URI matching.

Syntax [no] match-encoded-uri

Mode AAA Rule configuration mode

Example Configure the rule to enable URL decoding for URI matching:

ACOS(config)#aam aaa-policy policyname
ACOS(config-aaa policy:policyname)#aaa-rule 255
ACOS(config-aaa policy:policyname-aaa rule:...)#match-encoded-uri

uri
Description Specify the URI path for the AAA rule. This is useful in setting up varying authentication
methods for different URLs.

Syntax [no] uri {contains | ends-with | equals | starts-with} uri-string

Parameter Description
contains Match if the request URI contains the same string as the specified URI.
ends-with Match if the request URI ends with the same string as the specified URI.
equals Match if the entire request URI is the same as the specified URI.
starts-with Match if the request URI starts with the same string as the specified URI.
uri-string The URI string (1-128 characters).

Mode AAA Rule configuration mode
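
Added example (not part of the A10 reference, and not ACOS code): a small Python model of the four uri operators together with match-encoded-uri, used to list which request URIs match a rule only when decoding is enabled. It assumes that match-encoded-uri applies one percent-decoding pass to the request URI before a case-sensitive comparison; UriRule, decoding_dependent, coverage_table and the sample URIs are hypothetical names and constructed data.

```python
from dataclasses import dataclass
from urllib.parse import unquote

# The four operators of the "uri" command, as described in the parameter table.
OPERATORS = {
    "contains": lambda uri, s: s in uri,
    "ends-with": lambda uri, s: uri.endswith(s),
    "equals": lambda uri, s: uri == s,
    "starts-with": lambda uri, s: uri.startswith(s),
}


@dataclass(frozen=True)
class UriRule:
    """Model of one 'uri' line in an AAA rule (hypothetical helper)."""
    operator: str
    uri_string: str

    def __post_init__(self):
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator: {self.operator}")
        if not 1 <= len(self.uri_string) <= 128:  # documented length limit
            raise ValueError("uri-string must be 1-128 characters")

    def matches(self, request_uri: str, match_encoded_uri: bool) -> bool:
        # Assumption: match-encoded-uri means one percent-decoding pass on the
        # request URI before the comparison; without it the raw URI is compared.
        candidate = unquote(request_uri) if match_encoded_uri else request_uri
        return OPERATORS[self.operator](candidate, self.uri_string)


def decoding_dependent(rule, request_uris):
    """Return the URIs that match the rule only when decoding is enabled."""
    return [u for u in request_uris
            if rule.matches(u, True) and not rule.matches(u, False)]


def coverage_table(rules, request_uris):
    """Map (operator, uri-string, request URI) -> (raw match, decoded match)."""
    return {(r.operator, r.uri_string, u): (r.matches(u, False), r.matches(u, True))
            for r in rules for u in request_uris}


# Constructed request URIs, not taken from any real log.
SAMPLE_URIS = [
    "/private/report.pdf",
    "/%70rivate/report.pdf",      # "%70" is "p"
    "/private%2Freport.pdf",      # "%2F" is "/"
    "/docs/annual%20report.pdf",  # "%20" is a space
    "/public/index.html",
]

if __name__ == "__main__":
    rules = [UriRule("starts-with", "/private/"),
             UriRule("contains", "annual report"),
             UriRule("ends-with", ".pdf")]
    for rule in rules:
        print(rule.operator, repr(rule.uri_string),
              "-> needs decoding for:", decoding_dependent(rule, SAMPLE_URIS))
```

Any URI returned by decoding_dependent is one that the rule covers only while match-encoded-uri is configured, so it is worth checking before the option is removed from a rule.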

AAM Show Commands


The following commands show AAM information.

show aam aaa-policy


Description Shows the AAA policy settings or RDNS records.

Syntax show aam aaa-policy [aaa-policy-name]

Syntax show aam aaa-policy rdns

Mode Privileged EXEC and all configuration levels

show aam authentication account


Description Shows the authentication account settings.

Syntax show aam authentication account kerberos-spn [account-name]

Replace account-name with the Kerberos SPN account name for which you want to view
information.

Mode Privileged EXEC and all configuration levels

show aam authentication default-portal


Description Shows authentication default portal settings.

Syntax show aam authentication default-portal

Mode Privileged EXEC and all configuration levels

show aam authentication klist


Description Shows a list of cached Kerberos tickets.

Syntax show aam authentication klist [relay-profile-name]

Replace relay-profile-name with the name of a configured authentication-relay profile.

Mode Privileged EXEC and all configuration levels

show aam authentication logon


Description Shows the configured AAM authentication-logon profiles.

Syntax show aam authentication logon {form-based profile-name | http-authenticate profile-name}

Mode Privileged EXEC and all configuration levels

show aam authentication portal


Description Shows the AAM logon portal archives that were imported to the ACOS device.

Syntax show aam authentication portal [portal-archive-name]

Replace portal-archive-name with the filename of the imported archive for a logon portal.

Mode Privileged EXEC and all configuration levels

show aam authentication portal-image


Description Shows authentication default portal images.

Syntax show aam authentication portal-image

Mode Privileged EXEC and all configuration levels.

show aam authentication relay


Description Shows the configured AAM authentication-relay profiles.

Syntax show aam authentication relay
{
form-based relay-name |
http-basic relay-name |
kerberos relay-name |
ntlm relay-name |
ws-federation relay-name
}

Replace relay-name with the name (1-63 characters) of the configured authentication
relay.

Mode Privileged EXEC and all configuration levels

Introduced in Release 4.0. The ws-federation option was introduced in release 4.0.1.

show aam authentication saml


Description Shows the configured SAML settings.

Syntax show aam authentication saml {idp | metadata | sp sp-name | sp-session sp-name}

Parameter Descriptions
idp Shows the SAML identity provider settings.
metadata Shows the imported SAML metadata.
sp Shows the SAML service provider settings.
sp-session Shows the SAML service provider sessions.
sp-name The name of the service provider.

Mode Privileged EXEC and all configuration levels

show aam authentication server


Description Shows the configured AAM authentication-server profiles.

Syntax show aam authentication server
{
bindings
config [all-partitions | partition [shared | name]]
[all-partitions | partition [shared | name]]
[server-name] |
ldap [server-name] |
ocsp [server-name] |
radius [server-name] |
windows [server-name]
}

Parameter Description
bindings View server and service-group binding information.
The config option also displays the server configuration.
Specify a server-name to view the binding information for a single server only.
You can also specify partition information to view server binding information by partition.
ldap View profile for the specified LDAP authentication server.
ocsp View profile for the specified OCSP authentication server.
radius View profile for the specified Radius authentication server.
windows View profile for the specified Windows authentication server.

Mode Privileged EXEC and all configuration levels

show aam authentication service-group


Description Shows authentication service group settings.

Syntax show aam authentication service-group
{
all-partitions |
brief [all-partitions | partition {shared | partition-name}] |
config [all-partitions | partition {shared | partition-name}] |
sg-name
partition {shared | partition-name}
}

Parameter Description
all-partitions Shows authentication service group settings for all partitions.
partition shared Shows authentication service group settings for the shared partition only.
partition partition-name Shows authentication service group settings for the specified L3V partition only.
brief Shows brief service group information.

config Shows service group configuration information.
sg-name Show the authentication details for the specified service group.

show aam authentication session


Description Show the aFleX authentication session table statistics.

Syntax show aam authentication session
partition {all | shared | partition-name}
source-addr [specific-address] |
username [username] |
vip [virtual-server]]

Parameter Description
partition Show sessions for the specified partition.
source-addr Shows sessions with a specific address.
username Shows sessions with a specific username.
vip Show sessions with a specific virtual-server.

NOTE: If your administrative session is in the shared partition, do not include the partition parameter.

Mode Privileged EXEC and all configuration levels

show aam authentication statistics


Description Shows AAM statistics.

Syntax show aam authentication statistics
[kerberos [relay-profile-name] | ldap | radius]
aaa-policy [AAA-policy-name]|
form-based-relay [form-based relay-name]|
http-basic-relay [HTTP-basic relay-name]|
kerberos-relay [Kerberos-relay-name]|
ldap [LDAP-instance-name]|
ntlm-relay [NTLM-relay-name]|
ocsp [OCSP-server-name]|
ocsp-stapling [OCSP-server-name]|
radius [Radius-instance-name]|
saml-sp [SAML-service-provider-name]|
spn-kerberos [negotiate-logon-name]|
windows-kerberos [Windows-server-name]|

windows-ntlm-smb [Windows-server-name]]

Parameter Description
[relay-profile-name] Shows statistics for the specified authentication server that is using the specified relay type.
aaa-policy Shows authentication form-based relay statistics.
form-based-relay Shows authentication HTTP basic relay statistics.
http-basic-relay Shows connection-reuse state information and statistics for the real servers.
kerberos-relay Shows authentication Kerberos-relay statistics.
ldap Shows authentication LDAP statistics.
ntlm-relay Shows authentication NTLM-relay statistics.
ocsp Shows authentication OCSP server statistics.
ocsp-stapling Shows authentication OCSP-stapling statistics.
radius Shows authentication Radius statistics.
saml-sp Shows SAML service provider statistics.
spn-kerberos Shows SPN-kerberos statistics.
windows-kerberos Shows authentication Windows Server Kerberos statistics.
windows-ntlm-smb Shows authentication Windows Server NTLM-SMB statistics.

Mode Privileged EXEC and all configuration levels

Example The following command shows AAM statistics:

ACOS#show aam authentication statistics

A10LB statistics:
-----------------------
Requests to A10Authd: 0
Responses from A10Authd: 0
Requests to A10SAML: 0
Responses from A10SAML: 0
Misses: 0
OCSP Stapling Requests to A10Authd: 0
OCSP Stapling Responses from A10Authd: 0

A10authd statistic:
-----------------------
Opened socket: 0
Open socket failed: 0
Connect: 0
Connect failed: 0
Created timer: 0

Create timer failed: 0
Total request: 0

--------------------------------------------------------------------------------------
    \ statistic   Request   Request   Response  Response  Response  Response  Response
Type\             Normal    Dropped   Success   Failure   Error     Timeout   Other
--------------------------------------------------------------------------------------
OCSP              0         0         0         0         0         0         0
RADIUS            0         0         0         0         0         0         0
LDAP              0         0         0         0         0         0         0
Windows-KERBEROS  0         0         0         0         0         0         0
Windows-NTLM-SMB  0         0         0         0         0         0         0
KERBEROS-RELAY    0         0         0         0         0         0         0
OCSP-STAPLING     0         0         0         0         0         0         0
SPN-KERBEROS      0         0         0         0         0         0         0
--------------------------------------------------------------------------------------

A10authd RADIUS statistic:
-----------------------
Request: 0
Authentication success: 0
Authentication failure: 0
Authorize success: 0
Authorize failure: 0
Access challenge: 0
Timeout error: 0
Other error: 0

A10authd LDAP statistic:
-----------------------
Request: 0
Admin bind success: 0
Admin bind failure: 0
Bind success: 0
Bind failure: 0
Search success: 0
Search failure: 0
Authorize success: 0
Authorize failure: 0
Timeout error: 0
Other error: 0

A10authd Windows-Kerberos statistic:
-----------------------
kerberos request send: 0
kerberos response get: 0
Timeout error: 0
Other error: 0

A10authd Kerberos-relay statistic:
-----------------------
kerberos-relay request send: 0
kerberos-relay response get: 0
Timeout error: 0
Other error: 0

A10authd Windows-NTLM-SMB statistics:
-----------------------
Authentication success: 0
Authentication failure: 0
SMB proto negotiation success: 0
SMB proto negotiation failure: 0
SMB session setup success: 0
SMB session setup failed: 0
Prepare req success: 0
Prepare req failed: 0
Timeout error: 0
Other error: 0

A10authd OCSP-Stapling statistics:
-----------------------------------
Certificate Good: 0
Certificate Revoked: 0
Certificate Unknown: 0

Kerberos SPN statistic:
-----------------------
SPN kerberos request: 0
SPN kerberos response success: 0
SPN kerberos response failure: 0

SAML statistic:
-----------------------
SP metadata export requests: 0
SP metadata export successes: 0
Login authn requests: 0
Login authn responses: 0
ACS requests: 0

ACS successes: 0
ACS errors: 0
SLO requests: 0
SLO succeses: 0
SLO errors: 0
Other errors: 0

Table 4 describes the fields in this command’s output.

TABLE 4 Description of the show aam authentication statistics Output


Column Description
Authentication Statistics Section
No. of requests Total number of authentication requests that were handled by AAM.
No. of responses Total number of responses that were sent by AAM to clients.
No. of misses Number of authentication requests that were handled by AAM that failed because the
end-users’ credentials did not match the credentials in the ACOS AAM cache or on the
backend AAA server.
A10authd Statistics Section
Opened socket Statistics used by A10 Networks.
Open socket failed
Connect Total number of attempts to set up a connection between AAM and a backend AAA
server.
Connect failed Number of failed attempts to set up a connection between AAM and a backend AAA
server.
Created timer Total number of times a cached set of user credentials, with an expiration timer, was successfully set up.
Create timer failed Number of times an attempt to cache a set of user credentials failed.
Name resolution failed Number of times ACOS could not obtain the IP address of a backend AAA server from
DNS.

NOTE: This counter applies to AAA servers that are added to the configuration by hostname instead of by IP address.
Total request Total number of AAA requests that were received from end-users and were handled by
AAM.

Auth type Lists request and response counters by each AAM-supported AAA type (for example,
OCSP, RADIUS, LDAP, and Kerberos).
• Request – Number of requests that were forwarded by AAM to backend AAA servers.
• Response success – Number of requests where the username and password that were
entered by the user matched the credentials on the backend AAA server and that
resulted in successful authentications.
• Response failure – Number of requests that failed because the credentials that were
entered by the user did not match the credentials on the backend AAA server.
• Response error – Number of requests that failed because an error occurred in the
exchange between AAM and the backend AAA server.
• Response timeout – Number of requests sent by AAM to backend AAA servers for
which AAM did not receive a reply before the request timed out.
• Response other – Number of AAM errors not counted above.
A10authd RADIUS Statistics Section
Authentication success Number of successful RADIUS authentication requests that were handled by AAM. A
request can succeed one of the following ways:
• ACOS AAM cache has a current entry that matches the user’s credentials.
• Backend RADIUS server had an entry that matches the user’s credentials.
Authentication failure Number of unsuccessful RADIUS authentication requests that were handled by AAM that
failed because the credentials entered by the user were not found in the ACOS AAM
cache or on the backend server.
Authorize success Authorization statistics.
Authorize failure
Timeout error Number of RADIUS authentication requests that were forwarded by AAM to a backend
server that timed out before AAM received a response from the server.
Other error Number of RADIUS AAM errors that were not included in the counters above.
A10authd LDAP Statistics Section
Bind success Number of times that AAM successfully logged in to a backend LDAP server to verify a
user’s credentials.
Bind failure Number of times that AAM unsuccessfully attempted to log in to a backend LDAP server.
Search success Number of times that the credentials that were entered by a user were found on the
LDAP server.
Search failure Number of times that the credentials that were entered by a user could not be found on
the LDAP server.
Authorize success Authorization statistics.
Authorize failure
Timeout error Number of LDAP authentication requests forwarded by AAM to a backend server that
timed out before AAM received a response from the server.
Other error Number of LDAP AAM errors not included in the counters above.
A10authd Kerberos Statistics Section
kerberos request send Number of requests that were forwarded by ACOS to a backend Kerberos Domain Controller (DC).
kerberos request get Number of requests that were received from clients that AAM handled by using Kerberos.

Timeout error Number of Kerberos authentication requests that were forwarded by AAM to a backend
server that timed out before AAM received a response from the server.
Other error Number of Kerberos AAM errors not included in the counters above.
A10authd Windows-NTLM-SMB statistics
Authentication success Number of successful authentication attempts.
Authentication failure Number of unsuccessful authentication attempts.
SMB proto negotiation success Number of authentication requests that passed NTLM protocol negotiation phase.
SMB proto negotiation failure Number of authentication requests that failed during NTLM protocol negotiation phase.
SMB session setup success Number of authentication requests that succeeded in SMB session setup.
SMB session setup failed Number of authentication requests that failed in SMB session setup.
Prepare req success Number of NTLM requests successfully prepared and sent to the server.
Prepare req failed Number of NTLM requests failed during request preparation phase before sending to the
server.
Timeout error Number of NTLM authentication requests forwarded to a backend server that timed out
before receiving a response from the server.
Other error Number of NTLM specific errors not included in the counters above.
A10authd OCSP-Stapling statistics
Certificate Good The specified certificate has been validated and can be used.
Certificate Revoked The specified certificate has been revoked.
Certificate Unknown The status of the specified certificate is unknown.
Kerberos SPN statistic
SPN kerberos requests Number of SPN kerberos requests.
SPN kerberos response success Number of successful SPN kerberos responses.
SPN kerberos response failure Number of unsuccessful SPN kerberos responses.
SAML statistic
SP metadata export requests Number of service provider metadata export requests.
SP metadata export successes Number of successful service provider metadata export.
Login authn requests Number of login requests to the SAML service provider.
Login authn response Number of login responses from the SAML service provider.
ACS requests Number of requests to the SAML assertion consuming service.
ACS successes Number of successful assertion verifications.
ACS errors Number of errors when handling assertion consuming requests.
SLO requests Number of requests to the SAML single logout service.
SLO successes Number of successful single log outs.
SLO errors Number of errors when handling single logout requests.
Other errors Number of SAML errors not included in the counters above.
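
Added example (not part of the A10 reference): a Python parser for the text layout of the show aam authentication statistics output shown above, with a check that reports high failure ratios, timeouts and dropped requests. The sample output is constructed with invented non-zero counters, the 0.2 threshold is an illustrative assumption, and parse_statistics and find_anomalies are hypothetical names.

```python
import re

SECTION_RE = re.compile(r"^(?P<name>\S.*?)\s+statistics?:$", re.IGNORECASE)
COUNTER_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>\d+)$")
MATRIX_RE = re.compile(r"^(?P<type>\S+)(?P<cells>(?:\s+\d+){7})$")
# Column order of the per-type matrix in the example output.
MATRIX_COLUMNS = ("request_normal", "request_dropped", "response_success",
                  "response_failure", "response_error", "response_timeout",
                  "response_other")

# Constructed sample: same layout as the example output, invented counters.
SAMPLE_OUTPUT = r"""A10authd statistic:
-----------------------
Connect: 120
Connect failed: 3
Total request: 120

--------------------------------------------------------------------------------------
\ statistic Request Request Response Response Response Response Response
Type\ Normal Dropped Success Failure Error Timeout Other
--------------------------------------------------------------------------------------
RADIUS 100 0 60 35 0 5 0
LDAP 20 2 17 1 0 0 0
--------------------------------------------------------------------------------------

A10authd RADIUS statistic:
-----------------------
Request: 100
Authentication success: 60
Authentication failure: 35
Timeout error: 5
Other error: 0

A10authd LDAP statistic:
-----------------------
Request: 20
Bind success: 17
Bind failure: 1
Timeout error: 0
Other error: 0
"""


def parse_statistics(text):
    """Return (sections, matrix) parsed from the command's text output."""
    sections, matrix, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            # "A10authd RADIUS statistic:" opens the section "A10authd RADIUS".
            current = sections.setdefault(m["name"], {})
        elif (m := COUNTER_RE.match(line)) and current is not None:
            current[m["key"].strip()] = int(m["value"])
        elif (m := MATRIX_RE.match(line)):
            # Matrix row: a type name followed by exactly seven counters.
            cells = map(int, m["cells"].split())
            matrix[m["type"]] = dict(zip(MATRIX_COLUMNS, cells))
    return sections, matrix


def find_anomalies(sections, matrix, max_failure_ratio=0.2):
    """Return sorted findings as (source, counter, value) tuples."""
    findings = []
    for name, counters in sections.items():
        for key, ok in counters.items():
            if not key.endswith(" success"):
                continue
            # Pair "X success" with "X failure" or "X failed".
            stem = key[: -len(" success")]
            bad = counters.get(stem + " failure", counters.get(stem + " failed", 0))
            if ok + bad and bad / (ok + bad) > max_failure_ratio:
                ratio = round(bad / (ok + bad), 2)
                findings.append((name, stem + " failure ratio", ratio))
        if counters.get("Timeout error", 0) > 0:
            findings.append((name, "Timeout error", counters["Timeout error"]))
    for auth_type, row in matrix.items():
        if row["request_dropped"] > 0:
            findings.append((auth_type, "request_dropped", row["request_dropped"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_anomalies(*parse_statistics(SAMPLE_OUTPUT)):
        print(finding)
```

Because the counters are cumulative, comparing two captures taken some time apart gives a clearer picture than a single reading.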

show aam authentication template


Description Shows the authentication template.

Syntax show aam authentication template [template-name]

Specify a template-name to view only the specified template.

Mode Privileged EXEC and all configuration levels

show aam authorization policy


Description Shows details about your authorization policy.

Syntax show aam authorization policy [policy-name]

Specify a specific policy-name to view detailed information for the specified policy.

Mode Privileged EXEC and all configuration levels


Config Commands: DNSSEC

This chapter lists the CLI commands for DNS Security Extensions (DNSSEC).

To access this configuration level, enter the configure [terminal] command at the Privileged EXEC level.

To display global settings, use show commands. (See “Show Commands” on page 681.)

This CLI level also has the following commands, which are available at all configuration levels:

• backup – See “backup system” on page 27 and “backup log” on page 25.

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• diff – See “diff” on page 29.

• export – See “export” on page 31.

• health-test – See “health-test” on page 19.

• help – See “CLI Quick Reference” on page 4.

• import – See “import” on page 34.

• repeat – See “repeat” on page 40.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

NOTE: For information about Hardware Security Module (HSM) commands, see “Config Commands:
Hardware Security Module” on page 237.


DNSSEC Configuration Commands


This section shows the configuration commands for DNSSEC.

dnssec standalone
Description Enable the ACOS device to run DNSSEC without being a member of a GSLB controller group.

Syntax [no] standalone

Default Disabled

Mode Configuration mode

Introduced in Release 2.7.1

Usage GSLB is still required. The ACOS device must be configured to act as a GSLB controller, and as
an authoritative DNS server for the GSLB zone.

dnssec template
Description Configure a DNSSEC template.

Syntax [no] dnssec template template-name

This command changes the CLI to the configuration level for the specified DNSSEC template,
where the following commands are available.

Command Description
[no] algorithm {RSASHA1 | RSASHA256 | RSASHA512}
    Cryptographic algorithm to use for encrypting DNSSEC keys.
    The default algorithm is RSASHA256.
[no] combinations-limit num
    Maximum number of combinations per Resource Record Set (RRset), where RRset is defined as
    all the records of a particular type for a particular domain, such as all the “quad-A” (IPv6)
    records for www.example.com. You can specify 1-65535.
    The default number of combinations is 31.
[no] dnskey-ttl seconds
    Lifetime for DNSSEC key resource records. The TTL can range from 1-864,000 seconds.
    The default is 14,400 seconds (4 hours).
[no] enable-nsec3
    Enables NSEC3 support. This is disabled by default.
[no] hsm template-name
    Binds a Hardware Security Module (HSM) template to this DNSSEC template.
[no] ksk keysize bits
    Key length for KSKs. You can specify 1024-4096 bits.
    The default is 2048 bits.
[no] ksk lifetime seconds [rollover-time seconds]
    Lifetime for KSKs, 1-2147483647 seconds (about 68 years). The rollover-time specifies how
    long to wait before generating a standby key to replace the current key. The rollover-time
    setting also can be 1-2147483647 seconds. Generally, the rollover-time setting should be
    shorter than the lifetime, to allow the new key to be ready when needed.
    The default is 31536000 seconds (365 days), with rollover-time 30931200 seconds (358 days).
[no] return-nsec-on-failure
    Returns an NSEC or NSEC3 record in response to a client request for an invalid domain. As
    originally designed, DNSSEC would expose the list of device names within a zone, allowing an
    attacker to gain a list of network devices that could be used to create a map of the network.
    This is enabled by default.
[no] signature-validity-period
    Period for which a signature will remain valid. The time can range from 5 days to 30 days.
    The default is 10 days.
[no] zsk lifetime seconds [rollover-time seconds]
    Lifetime for ZSKs, 1-2147483647 seconds. The rollover-time specifies how long to wait before
    generating a standby key to replace the current key. The rollover-time setting also can be
    1-2147483647 seconds. Generally, the rollover-time setting should be shorter than the
    lifetime, to allow the new key to be ready when needed.
    The default is 7776000 seconds (90 days), with rollover-time 7171200 seconds (83 days).

Default See descriptions.

Mode Global configuration mode
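
The following added example (not A10 code) audits a planned DNSSEC template against the ranges and defaults listed above and reports how long a standby key exists before the active key expires. The dictionary layout, the function names, and the comparison of the standby window with dnskey-ttl (the general pre-publish rollover rule, not something this reference states) are assumptions of the example.

```python
# Added example (not A10 code): audit a planned DNSSEC template against the
# limits and defaults listed in the dnssec template table. Dict keys mirror
# the CLI keywords; the dict layout and finding strings are assumptions.

DEFAULTS = {
    "algorithm": "RSASHA256",
    "combinations-limit": 31,
    "dnskey-ttl": 14400,             # seconds
    "ksk keysize": 2048,             # bits
    "ksk lifetime": 31536000,        # seconds
    "ksk rollover-time": 30931200,   # seconds
    "zsk lifetime": 7776000,         # seconds
    "zsk rollover-time": 7171200,    # seconds
    "signature-validity-period": 10,  # days
}

RANGES = {
    "combinations-limit": (1, 65535),
    "dnskey-ttl": (1, 864000),
    "ksk keysize": (1024, 4096),
    "ksk lifetime": (1, 2147483647),
    "ksk rollover-time": (1, 2147483647),
    "zsk lifetime": (1, 2147483647),
    "zsk rollover-time": (1, 2147483647),
    "signature-validity-period": (5, 30),
}

ALGORITHMS = ("RSASHA1", "RSASHA256", "RSASHA512")


def standby_window(eff, kind):
    """Seconds between standby-key generation and expiry of the active key."""
    return eff[f"{kind} lifetime"] - eff[f"{kind} rollover-time"]


def audit_template(settings):
    """Merge settings over the documented defaults; return (effective, findings)."""
    unknown = sorted(set(settings) - set(DEFAULTS))
    findings = [f"ERROR unknown setting {name}" for name in unknown]
    eff = dict(DEFAULTS)
    eff.update({k: v for k, v in settings.items() if k in DEFAULTS})

    algorithm = eff["algorithm"]
    if algorithm not in ALGORITHMS:
        findings.append(f"ERROR algorithm {algorithm} is not one of {', '.join(ALGORITHMS)}")

    for key, (low, high) in RANGES.items():
        if not low <= eff[key] <= high:
            findings.append(f"ERROR {key}={eff[key]} is outside {low}-{high}")

    for kind in ("ksk", "zsk"):
        window = standby_window(eff, kind)
        if window <= 0:
            # The table says rollover-time should be shorter than the lifetime.
            findings.append(
                f"WARN {kind} rollover-time is not shorter than lifetime: "
                "no standby key is generated before the active key expires"
            )
        elif window <= eff["dnskey-ttl"]:
            # Assumption of this example (pre-publish rollover rule): resolvers
            # may cache the old DNSKEY set for a full dnskey-ttl.
            findings.append(
                f"WARN {kind} standby window {window}s does not exceed "
                f"dnskey-ttl {eff['dnskey-ttl']}s"
            )
    return eff, findings


if __name__ == "__main__":
    # Constructed sample plan: short ZSK lifetime and an undersized KSK.
    planned = {"zsk lifetime": 86400, "zsk rollover-time": 82800, "ksk keysize": 512}
    effective, problems = audit_template(planned)
    for kind in ("ksk", "zsk"):
        print(kind, "standby window:", standby_window(effective, kind), "seconds")
    for line in problems:
        print(line)
```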

DNSSEC Operational Commands


This section describes the operational commands for DNSSEC and for HSM support. Because these are operational
commands, they are not added to the running-config or saved to the startup-config.

dnssec dnskey delete


Description Delete DNS Public Key (DNSKEY) resource records.

Syntax dnssec dnskey delete [zone-name]

Replace zone-name with the name of the zone for which to delete DNSKEY resource
records. If you do not specify a zone name, the DNSKEY resource records for all child zones
are deleted.


Default N/A

Mode Configuration mode

Introduced in Release 2.7.1

dnssec ds delete
Description Delete Delegation Signer (DS) resource records for child zones.

Syntax dnssec ds delete [zone-name]

Replace zone-name with the name of the zone for which to delete DS resource records. If
you do not specify a zone name, the DS resource records for all child zones are deleted.

Default N/A

Mode Configuration mode

Introduced in Release 2.7.1

dnssec key-rollover
Description Perform key change (rollover) for ZSKs or KSKs.

Syntax dnssec key-rollover zone-name {KSK {ds-ready-in-parent-zone | start} | ZSK start}

Parameter Description
zone-name
    Name of the child zone for which to regenerate keys. If you do not specify a zone name, all
    child zones are re-signed.
KSK {ds-ready-in-parent-zone | start}
    Regenerates key-signing keys (KSKs):
    • ds-ready-in-parent-zone – Indicates that the DS resource record has already been
      transferred to the parent zone, so it is OK to remove the old active key.
    • start – Immediately begins KSK rollover.
ZSK start
    Immediately begins ZSK rollover.

Default N/A

Mode Configuration mode

Introduced in Release 2.7.1


dnssec sign-zone-now
Description Force re-signing of zone-signing keys (ZSKs).

Syntax dnssec sign-zone-now [zone-name]

Replace zone-name with the name of the child zone for which to re-sign the ZSKs. If you do
not specify a zone name, all child zones are re-signed.

Default N/A

Mode Configuration mode

Introduced in Release 2.7.1

DNSSEC Show Commands


This section describes the show commands for DNSSEC.

show dnssec dnskey


Description Show the DNS Public Key (DNSKEY) resource records for child zones.

Syntax show dnssec dnskey [zone-name] [all-partitions | partition partition-name]

Parameter Description
zone-name
    The name of the child zone. If you do not specify a zone name, DNSKEY resource records for
    all child zones are displayed.
partition partition-name
    Display the information for a specific partition.

Mode Privileged EXEC and all configuration levels

Introduced in Release 2.7.1


show dnssec ds
Description Show the Delegation Signer (DS) resource records for child zones.

Syntax show dnssec ds [zone-name] [all-partitions | partition partition-name]

Parameter Description
zone-name
    The name of the child zone. If you do not specify a zone name, DS resource records for all
    child zones are displayed.
partition partition-name
    Display the information for a specific partition.

Mode Privileged EXEC and all configuration levels

Introduced in Release 2.7.1

show dnssec statistics


Description Show memory statistics for DNSSEC.

Syntax show dnssec statistics memory

Mode Privileged EXEC and all configuration levels

Introduced in Release 2.7.1

show dnssec status


Description Show the DNSSEC status for each zone.

Syntax show dnssec status

Mode Privileged EXEC and all configuration levels

Introduced in Release 2.7.1


show dnssec template


Description Show DNSSEC templates.

Syntax show dnssec template [default | template-name] [all-partitions | partition partition-name]

Parameter Description
default | template-name
    The name of the template. If you do not specify a template name, all DNSSEC templates are
    displayed.
partition partition-name
    Display the information for a specific partition.

Mode Privileged EXEC and all configuration levels

Introduced in Release 2.7.1

show dnssec thales-kmdata


Description List the Thales key data files imported onto the ACOS device.

Syntax show dnssec thales-kmdata

Mode Privileged EXEC and all configuration levels

Introduced in Release 2.7.1

show dnssec thales-secworld


Description List the Thales Security World files imported onto the ACOS device.

Syntax show dnssec thales-secworld

Mode Privileged EXEC and all configuration levels

Introduced in Release 2.7.1



Config Commands: Hardware Security Module

This chapter lists the CLI commands for Hardware Security Module (HSM).

To access this configuration level, enter the configure [terminal] command at the Privileged EXEC level.

To display global settings, use show commands. (See “Show Commands” on page 681.)

This CLI level also has the following commands, which are available at all configuration levels:

• backup – See “backup system” on page 27 and “backup log” on page 25.

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• diff – See “diff” on page 29.

• export – See “export” on page 31.

• health-test – See “health-test” on page 19.

• help – See “CLI Quick Reference” on page 4.

• import – See “import” on page 34.

• repeat – See “repeat” on page 40.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

NOTE: For information about DNSSEC commands, see “Config Commands: DNSSEC” on
page 229.

HSM Configuration Commands


This section shows the configuration commands for HSM.

hsm template
Description Configure a template for DNSSEC Hardware Security Module (HSM) support.

Syntax [no] hsm template template-name softHSM


Replace template-name with the name of the template (1-63 characters).

This command changes the CLI to the configuration level for the specified template, where
the following command is available:

password hsm-passphrase

This command configures the HSM passphrase.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Hardware Security Module” on page 237.)

Default Not set

Mode Configuration mode

Introduced in Release 2.7.1

HSM Operational Commands


This section describes the operational commands for HSM support. Because these are operational commands, they are not
added to the running-config or saved to the startup-config.

hsm check key


Description Check data in HSM.

Syntax [no] hsm check key [key-name]

Replace key-name with the name of the Thales key data file.

Default N/A

Mode Configuration mode

Introduced in Release 2.7.2

hsm delete key


Description Delete data in HSM.

Syntax [no] hsm delete key key-name

Replace key-name with the name of the Thales key data file.

Default N/A

Mode Configuration mode


Introduced in Release 2.7.2

hsm import key


Description Import data to HSM.

Syntax [no] hsm import key key-name

Replace key-name with the name of the Thales key data file.

Default N/A

Mode Configuration mode

Introduced in Release 2.7.2

hsm thales-kmdata delete


Description Delete a Thales key data file.

Syntax [no] hsm thales-kmdata delete [filename]

Replace filename with the name of the Thales key data file to delete.

Default N/A

Mode Configuration mode

Introduced in Release 2.7.1

hsm thales-secworld
Description Delete a Thales Security World file.

Syntax [no] hsm thales-secworld delete [filename]

Replace filename with the name of the Thales Security World file to delete.

Default N/A

Mode Configuration mode

Introduced in Release 2.7.1

hsm zeroize
Description Zeroize HSM values.

Syntax [no] hsm zeroize


Default N/A

Mode Configuration mode

Introduced in Release 2.7.2

HSM Show Commands


This section describes the show commands for HSM.

show hsm config


Description Show the configured HSM templates.

Syntax show hsm config

Mode All

Introduced in Release 2.7.1

Example The following command shows the HSM templates configured on the ACOS device:

ACOS(config)#show hsm config
hsm template example1 softhsm
hsm template hsm-example-2 softhsm

show hsm key


Description Show HSM key information.

Syntax show hsm key



Config Commands: Interface

This chapter describes the commands for configuring ACOS interface parameters.

To access this configuration level, enter the interface command at the Global Config level.

If the ACOS device is a member of an aVCS virtual chassis, specify the interface number as follows: DeviceID/num, where
DeviceID is the device’s aVCS ID and num is the interface or trunk number.

This CLI level also has the following commands, which are available at all configuration levels:

• clear – See “clear” on page 28.

• do – See “do” on page 90.

• end – See “end” on page 93.

• exit – See “exit” on page 95.

• no – See “no” on page 135.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

access-list
Description Apply an Access Control List (ACL) to an interface.

Syntax [no] access-list acl-num in

Parameter Description
acl-num Number of a configured ACL.
in Applies the ACL to inbound traffic received on the interface.

Default N/A

Mode Interface

Usage The ACL must be configured before you can apply it to an interface. To configure an ACL, see
“access-list (standard)” on page 48 and “access-list (extended)” on page 50.

You can apply ACLs to Ethernet data interfaces, Virtual Ethernet (VE) interfaces, the
management interface, trunks, and virtual server ports. Applying ACLs to the out-of-band
management interface is not supported.


You can apply ACLs only to the inbound traffic direction. This restriction ensures that ACLs
are used most efficiently by filtering traffic as it attempts to enter the Thunder Series device,
before being further processed by the device.

Example The following commands configure a standard ACL to deny traffic from subnet 10.10.10.x,
and apply the ACL to the inbound traffic direction on Ethernet interface 4:

ACOS(config)#access-list 1 deny 10.10.10.0 0.0.0.255
ACOS(config)#interface ethernet 4
ACOS(config-if:ethernet:4)#access-list 1 in

bfd
Description Enable or disable BFD on an individual interface.

Syntax [no] bfd {
authentication key-id {auth-type} |
echo [demand] |
interval ms min-rx ms multiplier num
}

Parameter Description
authentication key-id {md5 | meticulous-md5 | meticulous-sha1 | sha1 | simple}
    The authentication option specifies the authentication type to be used for BFD. You can
    specify a key-id from 0-255. The authentication options include the following:
    • md5 – Keyed MD5
    • meticulous-md5 – Meticulous keyed MD5
    • meticulous-sha1 – Meticulous keyed SHA1
    • sha1 – Keyed SHA1
    • simple – Simple password
echo [demand]
    Specify echo mode. You can enable the demand mode to work in conjunction with the echo
    function. When demand mode is enabled (and a BFD session has been established), the system
    will be able to verify connectivity with another system at will instead of routinely.
interval ms min-rx ms multiplier num
    The interval value is the transmit timer, and it specifies the rate at which the ACOS device
    sends BFD control packets to its BFD neighbors. You can specify 48-1000 milliseconds (ms).
    The default is 800 ms. This timer is used in Asynchronous mode only.
    The min-rx option is the detection timer, and this allows you to specify the maximum number
    of ms the ACOS device will wait for a BFD control packet from a BFD neighbor. The min-rx
    value can be 48-1000 ms, and is 800 ms by default. This timer is used in Asynchronous mode
    only.
    The multiplier value is the wait multiplier, and this enables you to specify the maximum
    number of consecutive times the ACOS device will wait for a BFD control packet from a
    neighbor. If the multiplier value is reached, the ACOS device concludes that the routing
    process on the neighbor is down. The multiplier value can be 3-50 and is 4 by default.


Mode Interface

Usage If you configure the timers on an individual interface, the interface’s settings are used instead
of the global settings. Likewise, if the BFD timers are not set on an interface, that interface
uses the global settings. For BGP loopback neighbors, BFD always uses the global timer.

NOTE: For a BFD session for BGP using a loopback address, for an OSPFv2 virtual link, and
for an OSPFv3 virtual link, the ACOS device will always use the global timer
regardless of the timer that is configured at the interface level.

Example The following example shows enabling BFD on an interface:

ACOS(config-if:ethernet:1)#bfd authentication 1 md5 password-string

The following example shows a BFD session for BGP:

ACOS(config)#router bgp 1
ACOS(config-bgp:1)#neighbor 1.2.3.4 fall-over bfd authentication 1 md5 password-string

cpu-process
Description Enable software-based switching or routing of Layer 2/Layer 3 traffic.

NOTE: This command is applicable only to AX models AX 3200-12, AX 3400, AX 5200-11
and AX 5630.

Syntax [no] cpu-process

Default Disabled. Traffic is switched or routed in hardware.

Mode Interface

disable
Description Disable an interface.

Syntax disable

Default The management interface is enabled by default. Data interfaces are disabled by default.

Mode Interface

Usage This command applies to all interface types: Ethernet data interfaces, out-of-band Ethernet
management interface, Virtual Ethernet (VE) interfaces, and loopback interfaces.

The command also applies to trunks. When you disable a trunk at the interface configuration
level for the trunk, Layer 3 forwarding is disabled on the trunk.


In L3V deployments, tagged VLAN ports can be enabled or disabled only from the shared
partition.

Example The following command disables Ethernet interface 3:

ACOS(config-if:ethernet:3)#disable

Example The following commands access the interface configuration level for trunk 7 and disable
Layer 3 forwarding on the trunk:

ACOS(config)#interface trunk 7
ACOS(config-if:trunk7)#disable

duplexity
Description Set the duplex mode for an Ethernet interface.

Syntax [no] duplexity {Full | Half | auto}

Parameter Description
Full Full-duplex mode.
Half Half-duplex mode.
auto The mode is negotiated based on the mode of the other end of the link.

Default auto

Mode Interface

Usage This command applies only to physical interfaces (Ethernet ports or the management port).

Example The following command changes the mode on Ethernet interface 6 to half-duplex:

ACOS(config-if:ethernet:6)#duplexity Half


enable
Description Enable an interface.

Syntax enable

Default The management interface is enabled by default. Data interfaces are disabled by default.

Mode Interface

Usage This command applies to all interface types: Ethernet data interfaces, out-of-band Ethernet
management interface, Virtual Ethernet (VE) interfaces, trunks, and loopback interfaces.

In L3V deployments, tagged VLAN ports can be enabled or disabled only from the shared
partition.

Example The following command enables Ethernet interface 3:

ACOS(config-if:ethernet:3)#enable

flow-control
Description Enable 802.3x flow control on a full-duplex Ethernet interface.

Syntax [no] flow-control

Default Disabled. The ACOS Ethernet interface auto-negotiates flow control settings with the other
end of the link.

Mode Interface

Usage This command can cause the interface to briefly go down, then come back up again.

icmp-rate-limit
Description Configure ICMP rate limiting, to protect against denial-of-service (DoS) attacks.

Syntax [no] icmp-rate-limit normal-rate lockup max-rate lockup-time

Parameter Description
normal-rate
    Maximum number of ICMP packets allowed per second on the interface. If the ACOS interface
    receives more than the normal rate of ICMP packets, the excess packets are dropped until the
    next one-second interval begins. The normal rate can be 1-65535 packets per second.
lockup max-rate
    Maximum number of ICMP packets allowed per second before the ACOS device locks up ICMP
    traffic on the interface. When ICMP traffic is locked up, all ICMP packets on the interface
    are dropped until the lockup expires. The maximum rate can be 1-65535 packets per second.
    The maximum rate must be larger than the normal rate.
lockup-time
    Number of seconds for which the ACOS device drops all ICMP traffic on the interface, after
    the maximum rate is exceeded. The lockup time can be 1-16383 seconds.

Default None

Mode Global Config

Usage This command configures ICMP rate limiting on a physical, virtual Ethernet, trunk, or
loopback interface. To configure ICMP rate limiting globally, see “icmp-rate-limit” on page 105. To
configure it in a virtual server template, see “slb template virtual-server” on page 598. If you
configure ICMP rate limiting filters at more than one of these levels, all filters are applicable.

Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify
them, lockup does not occur.

Log messages are generated only if the lockup option is used and lockup occurs. Otherwise,
the ICMP rate-limiting counters are still incremented but log messages are not generated.

Example The following command configures ICMP rate limiting on Ethernet interface 3:

ACOS(config-if:ethernet:3)#icmp-rate-limit 1024 lockup 1200 10

icmpv6-rate-limit
Description Configure ICMPv6 rate limiting, to protect against denial-of-service (DoS) attacks.

Syntax [no] icmpv6-rate-limit normal-rate lockup max-rate lockup-time

Parameter Description
normal-rate
    Maximum number of ICMPv6 packets allowed per second on the interface. If the ACOS interface
    receives more than the normal rate of ICMPv6 packets, the excess packets are dropped until
    the next one-second interval begins. The normal rate can be 1-65535 packets per second.
lockup max-rate
    Maximum number of ICMPv6 packets allowed per second before the ACOS device locks up ICMPv6
    traffic on the interface. When ICMPv6 traffic is locked up, all ICMPv6 packets on the
    interface are dropped until the lockup expires. The maximum rate can be 1-65535 packets per
    second. The maximum rate must be larger than the normal rate.
lockup-time
    Number of seconds for which the ACOS device drops all ICMPv6 traffic on the interface, after
    the maximum rate is exceeded. The lockup time can be 1-16383 seconds.

Default None

Mode Global Config


Usage This command configures ICMPv6 rate limiting on a physical, virtual Ethernet, trunk, or
loopback interface. To configure ICMPv6 rate limiting globally, see “icmpv6-rate-limit” on
page 105. To configure it in a virtual server template, see “slb template virtual-server” on
page 598. If you configure ICMPv6 rate limiting filters at more than one of these levels, all
filters are applicable.

Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify
them, lockup does not occur.

Log messages are generated only if the lockup option is used and lockup occurs. Otherwise,
the ICMPv6 rate-limiting counters are still incremented but log messages are not generated.

Example The following command configures ICMPv6 rate limiting on Ethernet interface 3:

ACOS(config-if:ethernet:3)#icmpv6-rate-limit 1024 lockup 1200 10
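
The following added example (not A10 code) models the normal-rate, lockup max-rate and lockup-time behavior described for icmp-rate-limit and icmpv6-rate-limit, so that candidate thresholds can be tried against a traffic trace before they are configured. The model assumes per-second packet counts as input, that lockup starts with the interval after the one that exceeded max-rate, and that packets arriving during lockup do not extend it; the function names and the sample trace are constructed for the example.

```python
# Added example (not A10 code): per-second model of the icmp-rate-limit and
# icmpv6-rate-limit parameters. Assumptions of this model: input is the number
# of packets received in each one-second interval; lockup starts with the
# interval after the one that exceeded max-rate; traffic arriving during a
# lockup does not extend it.

# Constructed trace: quiet, slightly over normal-rate, a burst over max-rate,
# ten seconds of flood, then quiet again.
SAMPLE_TRACE = [500, 1100, 1300] + [2000] * 10 + [50]


def check_params(normal_rate, max_rate=None, lockup_time=None):
    """Enforce the ranges and ordering given in the parameter tables."""
    if not 1 <= normal_rate <= 65535:
        raise ValueError("normal-rate must be 1-65535")
    if (max_rate is None) != (lockup_time is None):
        raise ValueError("lockup needs both max-rate and lockup-time")
    if max_rate is not None:
        if not 1 <= max_rate <= 65535:
            raise ValueError("max-rate must be 1-65535")
        if max_rate <= normal_rate:
            raise ValueError("max-rate must be larger than normal-rate")
        if not 1 <= lockup_time <= 16383:
            raise ValueError("lockup-time must be 1-16383")


def simulate(arrivals, normal_rate, max_rate=None, lockup_time=None):
    """Return per-second (second, accepted, dropped, locked) rows and totals."""
    check_params(normal_rate, max_rate, lockup_time)
    rows, lockups = [], []
    locked_until = 0  # first second at which the lockup no longer applies
    for second, received in enumerate(arrivals):
        if second < locked_until:
            # Lockup: every packet on the interface is dropped.
            rows.append((second, 0, received, True))
            continue
        # Normal operation: the excess over normal-rate is dropped.
        accepted = min(received, normal_rate)
        rows.append((second, accepted, received - accepted, False))
        if max_rate is not None and received > max_rate:
            locked_until = second + 1 + lockup_time
            # (trigger second, last locked second); stands in for the log
            # message that is generated only when lockup occurs.
            lockups.append((second, locked_until - 1))
    return {
        "rows": rows,
        "lockups": lockups,
        "accepted": sum(row[1] for row in rows),
        "dropped": sum(row[2] for row in rows),
    }


if __name__ == "__main__":
    # Same values as the page's example: icmp-rate-limit 1024 lockup 1200 10
    with_lockup = simulate(SAMPLE_TRACE, 1024, 1200, 10)
    without_lockup = simulate(SAMPLE_TRACE, 1024)
    print("with lockup:   ", with_lockup["accepted"], "accepted,",
          with_lockup["dropped"], "dropped, lockups", with_lockup["lockups"])
    print("without lockup:", without_lockup["accepted"], "accepted,",
          without_lockup["dropped"], "dropped")
```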

interface
Description Access the interface configuration level for another interface.

Syntax interface {
ethernet port-num |
lif lif-number |
loopback number |
management |
trunk num |
tunnel num |
ve number
}

Default N/A

Mode Interface

Usage This command allows you to go directly to the configuration level for another interface,
without the need to return to the global Config level first.

If the ACOS device is a member of an aVCS virtual chassis, specify the interface number as
follows: DeviceID/Portnum

Example The following command changes the CLI to the configuration level for Ethernet interface 4:

ACOS(config)#interface ethernet 4
ACOS(config-if:ethernet:4)#


ip address
Description Assign an IP address to an interface.

Syntax [no] ip address ipaddr {subnet-mask | /mask-length}

Default There are no IP addresses configured by default.

Mode Interface

Usage This command applies only when the Thunder Series is used in gateway mode.

You can configure multiple IP addresses on Ethernet and Virtual Ethernet (VE) data interfaces,
trunks, and on loopback interfaces, on ACOS devices deployed in gateway (route) mode.

Each IP address must be unique on the ACOS device. Addresses within a given subnet can be
configured on only one interface on the device. (The ACOS device can have only one data
interface in a given subnet.)

IP addresses are added to an interface in the order you configure them. The addresses
appear in show command output and in the configuration in the same order.

The first IP address you add to an interface becomes the primary IP address for the interface.
If you remove the primary address, the next address in the list (the second address to be
added to the interface) becomes the primary address.

It does not matter which address is the primary address. OSPF can run on all subnets
configured on a data interface.

The ACOS device automatically generates a directly connected route to each IP address. If
you enable redistribution of directly connected routes, those protocols can advertise the
routes to the IP addresses.

The ACOS device allows the same IP address to be configured as the ACOS device’s global IP
address, and as a NAT pool address. However, in Layer 2 (transparent) deployments, if you do
configure the same address in both places, and later delete one of the addresses, you must
reload the ACOS device to place the change into effect.

Example The following command assigns IP address 10.2.4.69 to Ethernet interface 9:

ACOS(config-if:ethernet:9)#ip address 10.2.4.69 /24

Example The following commands configure multiple IP addresses on an Ethernet data interface,
display the addresses, then delete the primary IP address and display the results.

ACOS(config)#interface ethernet 1
ACOS(config-if:ethernet:1)#ip address 10.10.10.1 /24
ACOS(config-if:ethernet:1)#ip address 10.10.20.2 /24
ACOS(config-if:ethernet:1)#ip address 20.20.20.1 /24
ACOS(config-if:ethernet:1)#show ip interfaces ethernet 1
Ethernet 1 ip addresses:
10.10.10.1 /24 (Primary)
10.10.20.2 /24
20.20.20.1 /24
ACOS(config-if:ethernet:1)#no ip address 10.10.20.2 /24
ACOS(config-if:ethernet:1)#show ip interfaces ethernet 1
Ethernet 1 ip addresses:
10.10.10.1 /24 (Primary)
20.20.20.1 /24

ip address dhcp
Description Enable Dynamic Host Configuration Protocol (DHCP) to configure multiple IP addresses on
an Ethernet data interface.

Syntax [no] ip address dhcp

Default Disabled

Mode Interface

Usage You can configure VIPs and IP NAT pools to use the DHCP-assigned address of a given data
interface. If this option is enabled, ACOS updates the VIP or pool address any time the
specified data interface’s IP address is changed by DHCP.

Notes About This Command

• DHCP can be enabled on an interface only if that interface does not already have any
statically assigned IP addresses.
• On ACOS devices deployed in gateway (Layer 3) mode, Ethernet data interfaces can
have multiple IP addresses. An interface can have a combination of dynamically
assigned addresses (by DHCP) and statically configured addresses. However, if you plan
to use both methods of address configuration, static addresses can be configured only
after you finish using DHCP to dynamically configure addresses. To use DHCP in this
case, you must first delete all the statically configured IP addresses from the interface.
• On virtual appliance models, if single-IP mode is used, DHCP can be enabled only at the
physical interface level.
• On devices deployed in Transparent (Layer 2) mode:
• You can enable DHCP on the management interface and at the global level.
• The VIP address and pool NAT address (if used) should match the global data IP
address of the device. Make sure to enable this option when configuring the VIP or
pool.

ip allow-promiscuous-vip
Description Enable client traffic received on this interface and addressed to TCP port 80 to be
load balanced for any VIP address.

Syntax [no] ip allow-promiscuous-vip


Default Disabled

Mode Interface

Usage This feature also requires configuration of a virtual server that has IP address 0.0.0.0. For more
information, see the Application Delivery and Server Load Balancing Guide.

ip cache-spoofing-port
Description Configure the interface to support a spoofing cache server. A spoofing cache server uses the
client’s IP address instead of its own as the source address when obtaining content
requested by the client.

Syntax [no] ip cache-spoofing-port

Default Disabled

Mode Interface

Usage This command applies to the Transparent Cache Switching (TCS) feature. Enter the
command on the interface that is attached to the spoofing cache. For more information about
TCS, including additional configuration requirements and examples, see the Application
Delivery and Server Load Balancing Guide.

Example The following command configures interface 9 to support a spoofing cache server that is
attached to the interface.

ACOS(config-if:ethernet:9)#ip cache-spoofing-port

ip control-apps-use-mgmt-port
Description Enable use of the management interface as the source interface for automated
management traffic.

NOTE: This command is valid for the management interface only.

Syntax [no] ip control-apps-use-mgmt-port

Default By default, use of the management interface as the source interface for automated
management traffic is disabled.

Mode Interface

Usage The ACOS device uses separate route tables for management traffic and data traffic.
• Management route table – Contains all static routes whose next hops are connected to
the management interface. The management route table also contains the route to the
device configured as the management default gateway.
• Main route table – Contains all routes whose next hop is connected to a data interface.
Also contains copies of all static routes in the management route table, excluding the
management default gateway route. Only the data routes are used for load-balanced
traffic.

By default, the ACOS device attempts to use a route from the main route table for
management connections originated on the ACOS device. The ip control-apps-use-mgmt-
port command enables the ACOS device to use the management route table for these
connections instead.

The ACOS device will use the management route table for reply traffic on connections
initiated by a remote host that reaches the ACOS device on the management port. For
example, this occurs for SSH or HTTP connections from remote hosts to the ACOS device.

Example The following command enables use of the management interface as the source interface
for automated management traffic:

ACOS(config-if:management)#ip control-apps-use-mgmt-port

ip default-gateway
Description Specify the default gateway for the out-of-band management interface.

NOTE: This command is valid for the management interface only.

Syntax [no] ip default-gateway ipaddr

Default None

Mode Interface

Usage Configuring a default gateway for the management interface provides the following bene-
fits:
• Ensures that reply management traffic sent by the Thunder Series travels through the
correct gateway
• Keeps reply management traffic off the data interfaces

The default gateway configured on the management interface applies only to traffic sent
from this interface. For traffic sent through data interfaces, either the globally configured
default gateway is used instead (if the ACOS device is deployed in transparent mode) or an IP
route is used (if the ACOS device is deployed in route mode).

To configure the default gateway for data interfaces on an ACOS device deployed in
transparent mode, use the ip default-gateway command at the global Config level.
(See “ip default-gateway” on page 297.)

NOTE: Normally, if the ACOS device is deployed in transparent mode, outbound traffic
through the management interface is limited to the same subnet. However, out-
bound traffic through data interfaces is not restricted to the same subnet. To per-
form operations that require exchanging files with a host (upgrade, import, export,
and so on) that is in a different subnet from the management interface:

• For automated management traffic such as syslog messages and SNMP traps, see “ip
control-apps-use-mgmt-port” on page 250.
• For management traffic that you initiate using a command, use the
use-mgmt-port option with the command.

Example The following commands configure an IP address and default gateway for the management
interface:

ACOS(config)#interface management
ACOS(config-if:management)#ip address 10.10.20.1 /24
ACOS(config-if:management)#ip default-gateway 10.10.20.1

ip helper-address
Description Configure a helper address for Dynamic Host Configuration Protocol (DHCP).

Syntax [no] ip helper-address ipaddr

Replace ipaddr with the IP address of the DHCP server.

Default None

Mode Interface

Usage In the current release, the helper-address feature provides service for DHCP packets only.

The ACOS interface on which the helper address is configured must have an IP address.

The helper address can not be the same as the IP address on any ACOS interface or an IP
address used for SLB.

The current release supports DHCP relay service for IPv4 only.

Example The following commands configure two helper addresses. The helper address for DHCP
server 100.100.100.1 is configured on ACOS Ethernet interface 1 and on Virtual Ethernet (VE)
interfaces 5 and 7. The helper address for DHCP server 20.20.20.102 is configured on VE 9.

ACOS(config)#interface ethernet 1
ACOS(config-if:ethernet:1)#ip helper-address 100.100.100.1
ACOS(config-if:ethernet:1)#exit
ACOS(config)#interface ve 5
ACOS(config-if:ve:5)#ip helper-address 100.100.100.1
ACOS(config-if:ve:5)#exit
ACOS(config)#interface ve 7
ACOS(config-if:ve:7)#ip helper-address 100.100.100.1
ACOS(config-if:ve:7)#exit
ACOS(config)#interface ve 9
ACOS(config-if:ve:9)#ip helper-address 20.20.20.102

ip igmp
Description Configure IGMPv2 membership request queries.

Syntax [no] ip igmp generate-membership-query query-timer max-resp-time response-timer

Parameter Description
query-timer Sets the time interval (1-255 seconds) after which your device
(using the interface under which you are configuring this feature)
will initiate an IGMP membership query request. The default query
timer is 125 seconds. This means that IGMP membership queries
will be sent every 125 seconds from the configured interface.
response-timer Sets the time interval (in 1/10 of a second) before which receiving
devices will send an IGMP query message response to indicate
intention to join the IGMP group or not. The default response
timer is 100. This means that receiving devices have 10 seconds in
which to indicate if they will join the IGMP membership group or
not.

Default None

Mode Interface

Usage The configured timer is valid only per interface and it must be set for each individual inter-
face.

Example To configure IGMP membership request queries on a physical interface, do the following:

ACOS(config-if)#interface ethernet 2
ACOS(config-if:ethernet:2)#ip address 192.168.1.1 /24
ACOS(config-if:ethernet:2)#ip igmp generate-membership-query 10 max-resp-time 50

Example To view your IGMP membership request query configuration for a physical interface, do the
following:

ACOS(config)#show interfaces ethernet 2


Ethernet 2 is up, line protocol is up
Hardware is GigabitEthernet, Address is 001f.a004.2e71
Internet address is 192.168.1.1, Subnet mask is 255.255.255.0
Configured Speed auto, Actual 1Gbit, Configured Duplex auto, Actual fdx
IGMP Membership Query is enabled, IGMP Membership Queries sent 3
Flow Control is disabled, IP MTU is 1500 bytes
Port as Mirror disabled, Monitoring this Port disabled
0 packets input, 0 bytes
Received 0 broadcasts, Received 0 multicasts, Received 0 unicasts
0 input errors, 0 CRC 0 frame
0 runts 0 giants
3003 packets output 264264 bytes
Transmitted 0 broadcasts 3003 multicasts 0 unicasts
0 output errors 0 collisions
300 second input rate: 0 bits/sec, 0 packets/sec, 0% utilization
300 second output rate: 12768 bits/sec, 18 packets/sec, 0% utilization

Example To configure IGMP membership request queries on a virtual Ethernet interface, do the
following:

ACOS(config)#vlan 50
ACOS(config-vlan:50)#tagged ethernet 1
ACOS(config-vlan:50)#router-interface ve 50
ACOS(config-vlan:50)#exit
ACOS(config)#interface ve 50
ACOS(config-if:ve:50)#ip address 10.10.10.219 /24
ACOS(config-if:ve:50)#ip igmp generate-membership-query 10 max-resp-time 50

Example To view your IGMP membership request query configuration for a virtual Ethernet interface,
do the following:

ACOS(config)#show interfaces ve 50
VirtualEthernet 50 is up, line protocol is up
Hardware is VirtualEthernet, Address is 001f.a004.2e72
Internet address is 10.10.10.219, Subnet mask is 255.255.255.0
Router Interface for L2 Vlan 50
IP MTU is 1500 bytes
IGMP Membership Query is enabled, IGMP Membership Queries sent 32
0 packets input 0 bytes
Received 0 broadcasts, Received 0 multicasts, Received 0 unicasts
0 packets output 0 bytes
Transmitted 0 broadcasts, Transmitted 0 multicasts, Transmitted 0 unicasts
300 second input rate: 0 bits/sec, 0 packets/sec
300 second output rate: 0 bits/sec, 0 packets/sec

Example To configure IGMP membership request queries on a trunk, do the following:

ACOS(config)#trunk 2
ACOS(config-trunk:2)#ethernet 2
ACOS(config-trunk:2)#exit
ACOS(config)#interface trunk 2
ACOS(config-if:trunk:2)#enable
ACOS(config-if:trunk:2)#ip address 11.11.11.219 /24
ACOS(config-if:trunk:2)#ip igmp generate-membership-query 20 max-resp-time 80
ACOS(config-if:trunk:2)#exit

Example To view your IGMP membership request query configuration for a trunk, do the following:

ACOS(config)#show interfaces trunk 2


Trunk 2 is up, line protocol is up
Hardware is TrunkGroup, Address is 001f.a004.2e71
Internet address is 11.11.11.219, Subnet mask is 255.255.255.0
IP MTU is 1500 bytes
IGMP Membership Query is enabled, IGMP Membership Queries sent 3

ip nat
Description Enable source Network Address Translation (NAT) on an interface.

Syntax [no] ip nat {inside | outside}

Parameter Description
inside Specifies that this interface is connected to the internal hosts on the
private network that need to be translated into external addresses for
routing.
outside Specifies that this interface is connected to the external network or
Internet. Before sending traffic from an inside host out on this inter-
face, the ACOS device translates the host’s private address into a pub-
lic, routable address.

Default None

Mode Interface

Usage On an ACOS device deployed in transparent mode, this command is valid only on Ethernet
data ports. On an ACOS device deployed in route mode, this command is valid on Ethernet
data ports, Virtual Ethernet (VE) interfaces, and trunks.

To use source NAT, you also must configure global NAT parameters. See the ip nat
commands in “Config Commands: IP” on page 291.

In addition, on some AX models, if Layer 2 IP NAT is required, you also must enable CPU
processing on the interface. (See “cpu-process” on page 243.) This applies to AX models
AX 3200-12, AX 3400, AX 5200-11, and AX 5630.

Example The following commands configure IP source NAT for internal addresses in the 10.1.1.x/24
subnet connected to interface 14. The addresses are translated into addresses in the range
10.153.60.120-150 before traffic from the internal hosts is sent onto the Internet on interface
15. Likewise, return traffic is translated back from public addresses into the private host
addresses.

ACOS(config)#access-list 3 permit 10.1.1.0 0.0.0.255
ACOS(config)#ip nat pool 1 10.153.60.120 10.153.60.150 netmask /24
ACOS(config)#ip nat inside source list 3 pool 1
ACOS(config)#interface ethernet 14
ACOS(config-if:ethernet:14)#ip address 10.1.1.1 255.255.255.0
ACOS(config-if:ethernet:14)#ip nat inside
ACOS(config-if:ethernet:14)#exit
ACOS(config)#interface ethernet 15
ACOS(config-if:ethernet:15)#ip address 10.153.60.100 255.255.255.0
ACOS(config-if:ethernet:15)#ip nat outside

ip rip authentication
Description Configure IPv4 RIP authentication on the interface.

Syntax [no] ip rip authentication


{
key-chain name [name ...] |
mode {md5 | text} |
string auth-string [auth-string ...]
}

Parameter Description
key-chain name [name ...] Enables authentication using the specified key chains. (To configure a key-
chain file, use the key chain command at the global configuration level of
the CLI.)
mode {md5 | text} Authentication mode:
• md5 – Message Digest 5
• text – Clear text
string auth-string [auth-string ...] Enables authentication using the specified passwords.

Default None

Mode Interface

ip rip receive version


Description Specify the RIP version allowed in RIP packets received on the interface.

Syntax [no] ip rip receive version {1 [2] | 2}

Specify the RIP version:

• 1 - RIP version 1.
• 2 - RIP version 2 (default).

Default See descriptions.

Mode Interface

ip rip receive-packet
Description Enable the interface to receive RIP packets.

Syntax [no] ip rip receive-packet

Default Enabled

Mode Interface

ip rip send version


Description Specify the RIP version allowed to be sent on the interface.

Syntax [no] ip rip send version {1 [2] | 2}

Specify the RIP version:

• 1 - RIP version 1.
• 2 - RIP version 2 (default).

Default See descriptions.

Mode Interface

ip rip send-packet
Description Enable the interface to send RIP packets.

Syntax [no] ip rip send-packet

Default Enabled

Mode Interface

ip rip split-horizon
Description Configure the split-horizon method. Split horizon prevents the ACOS device from advertising
a route to the neighbor that advertised the same route to the ACOS device.

Syntax [no] ip rip split-horizon {poisoned | disable | enable}

Parameter Description
poisoned Enables advertisement of a route to the neighbor that advertised the
route to the ACOS device, but sets the metric value to infinity, thus mak-
ing the route advertised by the ACOS device unusable by the neighbor
(poisoned reverse).
Without this option, advertisement of a route to the neighbor that adver-
tised the route to the ACOS device is not allowed.
disable Disable the split-horizon method.
enable Enables split-horizon, but without the poisoned reverse.

Default Split-horizon with poison is enabled.

Mode Interface

{ip | ipv6} router isis


Description Enable Intermediate System to Intermediate System (IS-IS) routing on the interface.

Syntax [no] {ip | ipv6} router isis [tag]

Default Not set

Mode Interface

ip slb-partition-redirect
Description Enable routing redirection on an ingress Ethernet data port that will receive traffic addressed
to the VIP in a private partition.

Syntax [no] ip slb-partition-redirect

Default Not set

Mode Interface

Example The following example enables routing redirection on ethernet interface 4 so that traffic
addressed to partition p69 will be received on the partition.

ACOS(config)#interface ethernet 4
ACOS(config-if:ethernet:4)#ip slb-partition-redirect
ACOS(config-if:ethernet:4)#exit
ACOS(config)#ip route 10.2.4.0 /24 partition p69
ACOS(config)#active-partition p69
ACOS(config)#ip route 0.0.0.0 /24 partition shared

ip stateful-firewall
Description Configure stateful firewall direction for this interface.

Syntax [no] ip stateful-firewall {inside | outside [access-list num]}

Parameter Description
inside Inside (private) interface for the stateful firewall.
outside Outside (public) interface for the stateful firewall.
access-list Access list id. You can specify 1-199.

Mode Interface

Example ACOS(config-if:ethernet:1)#ip stateful-firewall outside access-list 1

ipv6 (on management interface)


Description Configure an IP version 6 address and default gateway on the management interface.

Syntax [no] ipv6 address ipaddr/mask-length

Syntax [no] ipv6 default-gateway gateway-ipaddr

Default None.

Mode Interface

Usage The ipv6 default-gateway command applies only to the management interface. To config-
ure IPv6 on a data interface, see “ipv6 address” on page 260.

Example The following commands configure an IPv6 address and default gateway on the manage-
ment port:

ACOS(config-if:management)#ipv6 address 2001:db8:11:2/32


ACOS(config-if:management)#ipv6 default-gateway 2001:db8:11:1/32

ipv6 access-list
Description Apply an IPv6 Access Control List (ACL) to an interface.

Syntax [no] ipv6 access-list name in

Parameter Description
name Name of a configured IPv6 ACL.
in Applies the ACL to inbound IPv6 traffic received on the interface.

Default N/A

Mode Interface

ipv6 address
Description Configure an IPv6 address on the interface.

Syntax [no] ipv6 address ipv6-addr/prefix-length [link-local] [anycast]

Parameter Description
ipv6-addr Valid unicast IPv6 address.
prefix-length Prefix length, up to 128.
link-local Configures the address as the link-local IPv6 address for the inter-
face, instead of a global address. Without this option, the address is
a global address.
anycast Configures the address as an anycast address. An anycast address
can be assigned to more than one interface. A packet sent to an
anycast address is routed to the “nearest” interface with that
address, based on the distance in the routing protocol.

Default None.

Mode Interface

Usage Use this command to configure the link-local and global IP addresses for the interface.
• The ipv6 address command, used without the link-local option, configures a
global address. If you use the link-local option, the address is instead configured as
the link-local address.
• To enable automatic configuration of the link-local IPv6 address instead, use the ipv6
enable command.

To configure IPv6 on the management interface, see “ipv6 (on management interface)” on
page 259.

Example The following command configures a global IPv6 address on Ethernet interface 8:

ACOS(config-if:ethernet:8)#ipv6 address e101::1112/64

Example The following command overrides any auto-generated link-local address on interface 6 and
explicitly configures a new link-local address:

ACOS(config-if:ethernet:6)#ipv6 address fe80::1/64 link-local

ipv6 enable
Description Enable automatic configuration of a link-local IPv6 address on the interface.

Syntax [no] ipv6 enable

Default Disabled

Mode Interface

Usage Use this command to enable automatic configuration of the link-local IPv6 address.

To manually configure the address instead, see “ipv6 address” on page 260.

Example The following command enables an automatically generated link-local IPv6 address on
Ethernet interface 6:

ACOS(config)#interface ethernet 6
ACOS(config-if:ethernet:6)#ipv6 enable

ipv6 nat inside


Description Enable inside NAT on the interface.

Syntax [no] ipv6 nat inside

Default Disabled

Mode Interface

ipv6 nat outside


Description Enable outside NAT for IPv6 on the interface.

Syntax [no] ipv6 nat outside

Default Disabled

Mode Interface

ipv6 ndisc router-advertisement


Description Configure IPv6 neighbor router discovery (RFC 4861).

Syntax [no] ipv6 ndisc router-advertisement


{
default-lifetime seconds |
disable |
enable |
hop-limit num |
max-interval seconds |
min-interval seconds |
mtu {disable | bytes} |
prefix ipv6-addr/prefix-length
[not-autonomous | not-on-link |
preferred-lifetime seconds |
valid-lifetime seconds] |
rate-limit num |
reachable-time ms |
retransmit-timer seconds |
vrid num
}

Parameter Description
default-lifetime seconds Specifies the number of seconds for which router advertisements sent on this inter-
face are valid. You can specify 0 or 4-9000 seconds. The value can not be less than
the maximum advertisement interval. If you specify 0, the host will not use this
interface (IPv6 router) as a default route.
The default lifetime is 1800 seconds.
disable Disables IPv6 router discovery (default).
enable Enables IPv6 router discovery (by default, this is disabled).
hop-limit num Specifies the default hop count value that should be used by hosts. For a given
packet, the hop count is decremented at each router hop. If the hop count reaches
0, the packet becomes invalid.
You can specify 0-255. If you specify 0, the value is unspecified by this IPv6 router.
The default is 255.
max-interval seconds Specifies the maximum number of seconds between transmission of unsolicited
router advertisement messages on this interface. You can specify 4-1800 seconds.
The default is 600 seconds.
min-interval seconds Specifies the minimum number of seconds between transmission of unsolicited
router advertisement messages on this interface. You can specify 3-1350 seconds.
The default is 200 seconds.
mtu {disable | bytes} Specifies the MTU value to include in the MTU options field. You can specify 1200-
9216 bytes or disabled.
NOTE: If this option is disabled, no MTU value is included.
This is disabled by default.
prefix ipv6-addr/prefix-length [options] Specifies the IPv6 prefixes to advertise on this interface. A maximum of 32 prefixes
can be advertised on an interface.
The following options are supported:
• not-autonomous – Disables support for auto-configuration of IPv6 addresses
by clients. This is disabled by default.
• not-on-link – Disables the On-Link flag. When enabled, the On-Link flag indi-
cates that the prefix is assigned to this interface. If you enable this option, the
valid-lifetime is 2592000 seconds (30 days). This is enabled by default.
• preferred-lifetime seconds – Specifies the number of seconds for which
auto-generated addresses remain preferred. You can specify 0-4294967295 sec-
onds. The default is 604800.
• valid-lifetime seconds – Specifies the number of seconds for which advertisement
of the prefix is valid. You can specify 1-4294967295 seconds. The default
is 2592000.
rate-limit num Specifies the maximum number of router solicitation requests per second that will
be processed on the interface. You can specify 1-100000 messages per second.
The default rate limit is 00000 messages per second
reachable-time ms Specifies the number of milliseconds (ms) for which the host should assume a
neighbor is reachable, after receiving a reachability confirmation from the neighbor.
You can specify 0-3600000 ms. If you specify 0, the value is unspecified by this IPv6
router.
The default is 0.
retransmit-timer seconds Specifies the number of seconds a host should wait between sending neighbor
solicitation messages.
You can specify 0-4294967295 seconds. If you specify 0, the value is unspecified by
this IPv6 router.
The default is 0.
vrid num Specifies a VRID for which to send router advertisements.
By default, no VRID is set; advertisements are sent regardless of VRID.

Default IPv6 router discovery is disabled by default. The command options have the default values
specified in the table above.

Mode Interface

Usage When router discovery is enabled, the ACOS device:


• Sends IPv6 router advertisements out the IPv6 interfaces on which router discovery is
enabled. IPv6 hosts that receive the router advertisements will use the ACOS device as
their default gateway.
• Replies to IPv6 router solicitations received by IPv6 interfaces on which router discovery
is enabled.

IPv6 router discovery is not supported in transparent mode. The ACOS device must be
deployed in gateway mode.

When IPv6 router discovery is enabled on an interface, any new IPv6 addresses that you add
to the interface are automatically added to the set of prefixes to advertise.

Router advertisements are sent to the all-nodes multicast address at an interval that is
uniformly distributed between the minimum and maximum advertisement intervals. If a
host sends a router solicitation message, the ACOS device sends a router advertisement as a
unicast to that host instead.

The source address of router advertisements is always a link-local IPv6 address.

For the reachable-time, hop-limit, and retransmit-timer options, the ACOS
device recommends the configured value to hosts but does not itself use the value.

Example The following commands configure an IPv6 address on Ethernet interface 1, enable IPv6
router discovery, change the minimum and maximum advertisement intervals, and add two
prefixes to the prefix advertisement list.

ACOS(config)#interface ethernet 1
ACOS(config-if:ethernet:1)#ipv6 address 2001::1/64
ACOS(config-if:ethernet:1)#ipv6 ndisc router-advertisement enable
ACOS(config-if:ethernet:1)#ipv6 ndisc router-advertisement max-interval 300
ACOS(config-if:ethernet:1)#ipv6 ndisc router-advertisement min-interval 150
ACOS(config-if:ethernet:1)#ipv6 ndisc router-advertisement prefix 2001::/64 on-link
ACOS(config-if:ethernet:1)#ipv6 ndisc router-advertisement prefix 2001:a::/96 on-link

ipv6 ospf cost


Description Explicitly set the link-state metric (cost) for this OSPF interface.

Syntax [no] ipv6 ospf cost num

Replace num with the cost (1-65535).

Default By default, an interface’s cost is calculated based on the interface’s bandwidth. If the auto-
cost reference bandwidth is set to its default value (100 Mbps), the default interface cost is
10.

Mode Interface

ipv6 ospf dead-interval


Description Specify the maximum time to wait for a reply to a hello message, before declaring the neigh-
bor to be offline.

Syntax [no] ipv6 ospf dead-interval seconds

Replace seconds with the number of seconds this OSPF router will wait for a reply to a hello
message sent out this interface to an OSPF neighbor, before declaring the neighbor to be
offline. You can specify 1-65535 seconds.

Default 40

Mode Interface

ipv6 ospf hello-interval


Description Specify the time to wait between sending hello packets to OSPF neighbors.

Syntax [no] ipv6 ospf hello-interval seconds

Replace seconds with the number of seconds this OSPF router will wait between
transmission of hello packets out this interface to OSPF neighbors. You can specify 1-65535
seconds.

Default 10

Mode Interface

ipv6 ospf mtu-ignore


Description Disable checking of the maximum transmission unit (MTU) during OSPFv3 Database Descrip-
tion (DD) exchange.

Syntax [no] ipv6 ospf mtu-ignore [instance-id num]

Replace num with a specific OSPFv3 process, 0-255. If you do not use this option, MTU
checking on the interface is disabled for all OSPFv3 processes.

Default MTU checking is enabled by default.

Mode Interface

ipv6 ospf neighbor


Description Configure an OSPFv3 neighbor that is located on a non-broadcast network reachable
through this interface.

Syntax [no] ipv6 ospf neighbor ipv6-addr


[
cost num [instance-id num] |
instance-id num |
poll-interval seconds [priority num] [instance-id num] |
priority num [poll-interval seconds] [instance-id num]
]

Parameter Description
ipv6-addr IPv6 address of the OSPF neighbor.
cost num Specifies the link-state metric to the neighbor, 1-65535.
There is no default cost set.
poll-interval seconds Number of seconds this OSPFv3 interface will wait for a reply to a
hello message sent to the neighbor, before declaring the neighbor
to be offline. You can specify 1-4294967295 seconds.
The default is 120 seconds.
priority num Router priority of the neighbor, 1-255.
The default priority is 0.

Default No neighbors on non-broadcast networks are configured by default. When you configure
one, the other parameters have the default settings described in the table above.

ipv6 ospf network


Description Specify the network type.

Syntax [no] ipv6 ospf network


{broadcast | non-broadcast | point-to-multipoint | point-to-point}
[instance-id num]

Parameter Description
broadcast Broadcast network.
non-broadcast Non-broadcast multiaccess (NBMA) network.
point-to-multipoint Point-to-multipoint network.
point-to-point Point-to-point network.
num Specifies an OSPFv3 process, 0-255. If you do not use this
option, MTU checking on the interface is disabled for all
OSPFv3 processes.

Default Depends on the media type.

Mode Interface

ipv6 ospf priority


Description Priority of this OSPF router (and process) on this interface for becoming the designated
router for the OSPF domain.

Syntax [no] ipv6 ospf priority num

Replace num with the priority of this OSPF process on this interface, 0-255. The lowest
priority is 0 and the highest priority is 255.

Default 1

Mode Interface

Usage If more than one OSPF router has the highest priority, the router with the highest router ID is
selected as the designated router.

ipv6 ospf retransmit-interval


Description Specify the time to wait before resending an unacknowledged packet out this interface to
an OSPF neighbor.

Syntax [no] ipv6 ospf retransmit-interval seconds

Replace seconds with the number of seconds this OSPF router waits before resending an
unacknowledged packet out this interface to a neighbor. You can specify 1-65535 seconds.

Default 5

Mode Interface

ipv6 ospf transmit-delay


Description Specify the time to wait between sending packets out this interface to an OSPF neighbor.

Syntax [no] ipv6 ospf transmit-delay seconds

Replace seconds with the number of seconds this OSPF router waits between transmission
of packets out this interface to OSPF neighbors. You can specify 1-65535 seconds.

Default 1

Mode Interface

ipv6 rip split-horizon


Description Configure the split-horizon method. Split horizon prevents the ACOS device from advertising
a route to the neighbor that advertised the same route to the ACOS device.

Syntax [no] ipv6 rip split-horizon {poisoned | disable | enable}

Parameter Description
poisoned Enables advertisement of a route to the neighbor that advertised the
route to the ACOS device, but sets the metric value to infinity, thus mak-
ing the route advertised by the ACOS device unusable by the neighbor
(poisoned reverse).
Without this option, advertisement of a route to the neighbor that adver-
tised the route to the ACOS device is not allowed.
disable Disable the split-horizon method.
enable Enables split-horizon, but without the poisoned reverse.

Default Split-horizon with poison is enabled.

Mode Interface

ipv6 router isis


Description Configure options for Intermediate System to Intermediate System (IS-IS) on an IPv6 data
interface.

Syntax [no] ipv6 router isis [ISO routing area tag name]

Default None

Mode Interface

ipv6 router ospf


Description Configure an OSPFv3 area.

Syntax [no] ipv6 router ospf


{
area {num | ipaddr} [tag tag [instance-id num]] |
tag tag area {num | ipaddr} [instance-id num]
}

Mode Interface

Usage For OSPFv3, the area tag ID configured on an interface must be the same as the tag ID for the
OSPF instance.

ipv6 router rip


Description Configure RIP routing for IPv6.

Syntax [no] ipv6 router rip

Mode Interface

Introduced in Release 2.7.0

ipv6 stateful-firewall
Description Configure stateful firewall direction for this interface.

Syntax [no] ipv6 stateful-firewall {inside | outside [access-list num]}

Parameter Description
inside Inside (private) interface for the stateful firewall.
outside Outside (public) interface for the stateful firewall.
access-list Access list id. You can specify 1-199.

Mode Interface

Example ACOS(config-if:ethernet:1)#ipv6 stateful-firewall outside access-list 1

isis authentication
Description Configure authentication for this IS-IS interface.

Syntax [no] isis authentication send-only [level-1 | level-2]

[no] isis authentication mode md5 [level-1 | level-2]

[no] isis authentication key-chain name [level-1 | level-2]

Parameter Description
send-only [level-1 | level-2] Disables checking for keys in IS-IS packets received by this interface.
• level-1 – Disables key checking only for Level-1 (intra-area) IS-IS traffic.
• level-2 – Disables key checking only for Level-2 (inter-area) IS-IS traffic.
mode md5 [level-1 | level-2] Enables MD5 authentication.
• level-1 – Enables MD5 only for Level-1 (intra-area) IS-IS traffic.
• level-2 – Enables MD5 only for Level-2 (inter-area) IS-IS traffic.
key-chain name [level-1 | level-2] Specifies the name of the certificate key chain to use for authenticating IS-IS traffic.
• level-1 – Applies to Level-1 (intra-area) IS-IS traffic.
• level-2 – Applies to Level-2 (inter-area) IS-IS traffic.

Default Clear-text authentication is enabled by default. MD5 authentication is disabled by default.
No key chain is set by default. The send-only option is disabled by default. For all options
that accept the level-1, level-1-2, or level-2 keyword, the default is level-1.

Mode IS-IS

Usage This command overrides the globally configured authentication settings for the IS-IS
instance.

Use the send-only option to temporarily disable key checking, then use the key-chain
option to specify the key chain. To use MD5, use the md5 option to disable clear-text
authentication and enable MD5 authentication. After key-chains are installed on the other
IS-IS routers, disable the send-only option.

Example The following command disables MD5 authentication for IS-IS on interface VE 2. Clear-text
authentication will be used instead.

ACOS(config)#interface ve 3
ACOS(config-if:ve:3)#no isis authentication mode md5

isis bfd
Description Disable BFD.

Syntax [no] isis bfd disable

Default Takes the value from the global BFD configuration.

Mode Interface

isis circuit-type
Description Specify the IS-IS routing level (circuit type) for this interface.

Syntax [no] isis circuit-type [level-1 | level-1-2 | level-2]

Specify the IS-IS routing level:

• level-1 - Intra-area adjacencies are formed
• level-1-2 - Both intra-area and inter-area adjacencies are formed
• level-2 - Inter-area adjacencies are formed

Default level-1

Mode Interface

isis csnp-interval
Description Configure the interval between transmission of complete sequence number PDUs (CSNPs).

Syntax [no] isis csnp-interval seconds [level-1 | level-2]

Parameter Description
seconds Specifies the number of seconds to wait between transmission
of CSNPs. You can specify 0-65535 seconds.
level-1 | level-2 Specifies the IS-IS routing level to which the interval setting applies:
• level-1 – Intra-area
• level-2 – Inter-area
The default is level-1.

Default 10 seconds, for both level-1 and level-2

Mode Interface

Usage This command is valid only on broadcast interfaces (network type broadcast).

isis hello
Description Enable padding of IS-IS Hello packets.

Syntax [no] isis hello padding

Default Enabled

Mode Interface

Usage When padding is enabled, extra bytes are added to IS-IS Hello packets to make them equal
to the MTU size of the interface. This option informs neighbors of the interface’s MTU, so that
neighbors do not send Hello packets that are longer than the MTU.

isis hello-interval
Description Configure the interval between transmission of IS-IS Hello packets on this interface.

Syntax [no] isis hello-interval seconds [level-1 | level-2]

Parameter Description
seconds Specifies the number of seconds between transmission of Hello packets
to neighbors. You can specify 0-65535 seconds.
level-1 | level-2 Specifies the IS-IS routing level to which the interval setting applies:
• level-1 – Intra-area
• level-2 – Inter-area
The default is level-1.

Default 10 seconds, for both level-1 and level-2

Mode Interface

isis hello-interval-minimal
Description Base the hello interval value on the hello multiplier value.

Syntax [no] isis hello-interval-minimal [level-1 | level-2]

Parameter Description
level-1 | level-2 Specifies the IS-IS routing level to which the interval setting applies:
• level-1 – Intra-area
• level-2 – Inter-area
The default is level-1.

Default 10 seconds, for both level-1 and level-2

Mode Interface

Usage The minimal option bases the hello interval on the hello multiplier, by setting the hold time
to 1, and dividing the hold time by the hello multiplier:
hello-interval = hold-time / hello-multiplier

hello-interval = 1 / hello-multiplier

(For more information, see “isis hello-multiplier” on page 273.)

isis hello-multiplier
Description Configure the multiplier used for calculating the neighbor hold time for Hello packets.

Syntax [no] isis hello-multiplier num [level-1 | level-2]

Parameter Description
num Specifies the multiplier. You can specify 2-100.
level-1 | level-2 Specifies the IS-IS routing level to which the multiplier setting
applies:
• level-1 – Intra-area
• level-2 – Inter-area
The default is level-1.

Default 3

Mode Interface

Usage The hold time specifies the maximum number of seconds IS-IS neighbors should allow
between Hello packets from this IS-IS interface. If the neighbor does not receive a Hello
packet before the hold time expires, the neighbor terminates the adjacency with this IS-IS
router on this interface.

To calculate the hold time, IS-IS multiplies the IS-IS hello interval by the multiplier:

hello-interval x hello-multiplier = hold-time

The hold-time value is included in Hello packets sent to IS-IS neighbors.

NOTE: If the minimal option is used with the isis hello-interval command, the
hold time is set to 1. This overrides the hold time calculated based on the
hello-multiplier value.

isis lsp-interval
Description Configure the minimum LSP transmission interval.

Syntax [no] isis lsp-interval ms

Replace ms with the minimum number of milliseconds IS-IS will wait between transmission
of LSPs (1-4294967295).

Default 33 ms

Mode Interface

Usage The LSP transmission interval helps avoid high CPU utilization on IS-IS neighbors during LSP
floods, by allowing the neighbors time to send, receive, and process LSPs.

isis mesh-group
Description Configure mesh-group membership to control LSP flooding from this interface.

Syntax [no] isis mesh-group {group-num | blocked}

Parameter Description
group-num Specifies the mesh group number. You can specify 1-4294967295.
LSPs are flooded to all Level-1 or Level-2 IS-IS neighbors (as applicable),
except to the neighbors who are in the same mesh group. LSPs
are not flooded to the neighbors who are in the same mesh group as
this interface.
blocked Blocks flooding of LSPs on this interface.

Default None

Mode Interface

isis metric
Description Configure the default IS-IS metric (cost) for the interface.

Syntax [no] isis metric num [level-1 | level-2]

Parameter Description
num Specifies the cost of using this interface as a link in an IS-IS
route. You can specify 1-63.
level-1 | level-2 Specifies the IS-IS routing level to which the default metric setting
applies:
• level-1 – Intra-area
• level-2 – Inter-area
The default is level-1.

Default 10, for Level-1 and Level-2 routing levels

Mode Interface

Usage The default metric is used for SPF calculation. Links with lower metrics are preferred to links
with higher metrics.

The default metric is applicable only when the metric style is narrow. (See “metric-style” on
page 401.)

isis network
Description Configure the network type.

Syntax [no] isis network {broadcast | point-to-point}

Parameter Description
broadcast The network is a broadcast network.
point-to-point The network is a point-to-point network.

Default broadcast

Mode Interface

isis password
Description Configure the plain-text password for authentication of Hello packets sent and received on
this interface.

Syntax [no] isis password string [level-1 | level-2]

Parameter Description
string Specifies the password.
level-1 | level-2 Specifies the IS-IS routing level to which the password applies:
• level-1 – Intra-area
• level-2 – Inter-area
The default is level-1.

Default None

Mode Interface

Usage The password is applicable only if the authentication type is plain-text. (See “isis authentication”
on page 269.)
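
An added example (not from the A10 documentation): a Python check over interface configuration text for the states described under “isis authentication” and “isis password”, tracking each option per routing level because every level keyword defaults to level-1. The config layout (lines grouped under `interface ...`, `!` ending a block), the sample config, the key chain name and the finding labels are assumptions constructed for this example.

```python
from typing import Dict, List, Tuple

LEVELS = ("level-1", "level-2")
CIRCUIT_LEVELS = {"level-1": ["level-1"], "level-2": ["level-2"],
                  "level-1-2": list(LEVELS)}

def split_interfaces(config: str) -> Dict[str, List[str]]:
    """Group config lines under their 'interface ...' header ('!' ends a block)."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[len("interface "):]
            blocks[current] = []
        elif line == "!":
            current = None
        elif line and current is not None:
            blocks[current].append(line)
    return blocks

def level_of(rest: List[str]) -> str:
    """Level keyword following an option; the reference's default is level-1."""
    return rest[0] if rest and rest[0] in LEVELS else "level-1"

def audit_interface(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (level, finding) pairs for one interface's configuration lines."""
    active = ["level-1"]                    # isis circuit-type default
    state = {lvl: set() for lvl in LEVELS}  # options seen per level
    for line in lines:
        w = line.split()
        if w[0] != "isis" or len(w) < 2:
            continue
        if w[1] == "circuit-type":
            active = CIRCUIT_LEVELS.get(w[2] if len(w) > 2 else "level-1", active)
        elif w[1] == "password" and len(w) > 2:
            state[level_of(w[3:])].add("password")
        elif w[1] == "authentication" and len(w) > 2:
            if w[2] == "send-only":
                state[level_of(w[3:])].add("send-only")
            elif w[2:4] == ["mode", "md5"]:
                state[level_of(w[4:])].add("md5")
            elif w[2] == "key-chain" and len(w) > 3:
                state[level_of(w[4:])].add("key-chain")
    md5_somewhere = any("md5" in state[lvl] for lvl in LEVELS)
    findings = []
    for lvl in active:
        opts = state[lvl]
        if "send-only" in opts:             # received keys are not checked
            findings.append((lvl, "send-only"))
        if "md5" in opts:
            if "key-chain" not in opts:     # MD5 on, but no key chain for this level
                findings.append((lvl, "md5-no-key-chain"))
        elif "password" in opts:            # plain-text password authentication
            findings.append((lvl, "plain-text-password"))
        elif md5_somewhere:                 # MD5 was set, but for another level
            findings.append((lvl, "level-not-covered"))
    return findings

def audit(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map interface name to its findings; clean interfaces are omitted."""
    report = {}
    for name, lines in split_interfaces(config).items():
        found = audit_interface(lines)
        if found:
            report[name] = found
    return report

# Constructed sample input, not output captured from a device.
SAMPLE_CONFIG = """\
interface ethernet 1
  isis authentication mode md5
  isis authentication key-chain ISIS-KEYS
!
interface ethernet 2
  isis password example-secret
!
interface ve 3
  isis authentication send-only
  isis authentication mode md5
  isis authentication key-chain ISIS-KEYS
!
interface ve 4
  isis circuit-type level-1-2
  isis authentication mode md5
  isis authentication key-chain ISIS-KEYS
!
"""

if __name__ == "__main__":
    for name, found in audit(SAMPLE_CONFIG).items():
        print(name, found)
```

Interface-level settings override the global IS-IS authentication settings, so an interface with no findings here still depends on what is configured for the IS-IS instance.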

isis priority
Description Configure this interface’s priority for Designated Integrated System (DIS) election.

Syntax [no] isis priority num [level-1 | level-2]

Parameter Description
num Specify the priority (0-127).
level-1 | level-2 Specifies the IS-IS routing level to which the priority applies:
• level-1 – Intra-area
• level-2 – Inter-area
The default is level-1.

Default 64, for Level-1 and Level-2 routing levels

Mode Interface

Usage During DIS election, the IS-IS router with the highest priority is elected as the DIS for the LAN.
If more than one IS-IS router has the highest priority, the router that has the IS-IS interface
with the highest MAC address is elected as the DIS.

The priority is applicable only if the network type is broadcast. (See “isis network” on
page 275.)

isis restart-hello-interval
Description Configure the amount of time this interface waits for acknowledgement from neighbors of
its notification to restart IS-IS, before resending the notification.

Syntax [no] isis restart-hello-interval seconds [level-1 | level-2]

Parameter Description
seconds Specifies the number of seconds IS-IS waits to receive an
acknowledgment of its restart notification. You can specify
1-65535 seconds.
level-1 | level-2 Specifies the IS-IS routing level to which the interval applies:
• level-1 – Intra-area
• level-2 – Inter-area
The default is level-1.

Default 3 seconds, for Level-1 and Level-2 routing levels

Mode Interface

Usage To notify its IS-IS neighbors of an intent to restart the IS-IS process, the ACOS device inserts a
Restart TLV in IS-IS Hello packets sent to neighbors on this interface. If an acknowledgement
of the restart notification is not received on this interface before the restart hello interval
expires, IS-IS resends the notification.

isis retransmit-interval
Description Configure the interval between transmission of LSPs on point-to-point links.

Syntax [no] isis retransmit-interval seconds

Replace seconds with the number of seconds IS-IS waits before resending an LSP that was
dropped (0-65535). Use a value that is greater than the expected round-trip delay between
any two routers on the attached network.

Default 5

Mode Interface

Usage The retransmit interval is applicable only if the network type is point-to-point. (See “isis network”
on page 275.)

isis wide-metric
Description Configure the length of a wide metric on the interface.

Syntax [no] isis wide-metric num [level-1 | level-2]

Parameter Description
num Specifies the metric length. You can specify 1-16777214.
level-1 | level-2 Specifies the IS-IS routing level to which the metric applies:
• level-1 – Intra-area
• level-2 – Inter-area
The default is level-1.

Default 10, for Level-1 and Level-2 routing levels

Mode Interface

Usage The wide metric is applicable only if the metric style is set to wide or transition. (See “metric-style”
on page 401.)

l3-vlan-fwd-disable
Description Disable Layer 3 forwarding between VLANs on this interface.

Syntax [no] l3-vlan-fwd-disable

Default By default, the ACOS device can forward Layer 3 traffic between VLANs.

Mode Interface

Usage This command is applicable only on ACOS devices deployed in gateway (route) mode. If the
option to disable Layer 3 forwarding between VLANs is configured at any level, the ACOS
device cannot be changed from gateway mode to transparent mode until the option is
removed.

The command is applicable to inbound traffic on the interface.

The command is valid on physical Ethernet interfaces, Virtual Ethernet (VE) interfaces, trunks,
and on the lead interface in trunks.

However, if the command is configured on a physical Ethernet interface, that interface
cannot be added to a trunk or VE.

If the command is used on a trunk or VE and that trunk or VE is removed from the
configuration, the command is also removed from all physical Ethernet interfaces that were
members of the trunk or VE. Likewise, if a VLAN is removed, the command is removed from
any physical Ethernet interfaces that were members of the VLAN.

To display statistics for this option, see “show slb switch” on page 858.

lldp enable
Description Configure this interface to send only, receive only, or send and receive LLDP data packets.

Specify rx to configure the interface to only receive LLDP data packets; specify tx to
configure the interface to only send LLDP data packets. If neither is specified, the interface
can both receive and send LLDP data packets.

Syntax [no] lldp enable [rx] [tx]

Default Not enabled.

Mode Port configuration mode

lldp notification
Description Configure this port to send notifications.

Syntax [no] lldp notification enable

Default Not enabled.

Mode Interface

lldp tx-dot1-tlvs
Description The TLVs VLAN name and link-aggregation are dictated by 802.1ab Annex E.

Syntax [no] lldp tx-dot1-tlvs [vlan] [link-aggregation]

Parameter Description
vlan Assign a name to the VLAN and map the VLAN ID to the VLAN.
link-aggregation Link-aggregation TLV, dictated by 802.1ab 2005 and 802.1ab
2009.

Default Since 802.1ab 2009 and 802.1ab 2005 are inherently different, some older devices do support
these TLVs by default. The TLVs will not automatically be included in the transmitted frame.

Mode Interface

lldp tx-tlvs
Description Configure the transmission TLV packets to exclude. All basic TLVs will be included by default.

Syntax [no] lldp tx tlvs exclude [port-description] [system-name]
[system-description] [system-capabilities] [management-address]

Default Not enabled.

Mode Interface

load-interval
Description Change the interval for utilization statistics for the interface.

Syntax [no] load-interval seconds

You can specify 5-300 seconds.

You must specify the amount in 5-second intervals. For example, 290 and 295 are valid
interval values. However, 291, 292, 293, and 294 are not valid interval values.

Default 300 seconds

Mode Interface

Usage This command applies only to data interfaces.

To display interface utilization statistics, see “show interfaces” on page 721 and “show
statistics” on page 784.

Example The following command changes the utilization statistics interval for Ethernet interface 1 to
200 seconds:

ACOS(config)#interface ethernet 1
ACOS(config-if:ethernet:1)#load-interval 200

lw-4o6
Description Configure an LW-4over6 interface.

Syntax [no] lw-4o6 {inside | outside}

Parameter Description
inside Configure an LW-4over6 inside interface.
outside Configure an LW-4over6 outside interface.

Mode Interface

monitor
Description Configure an Ethernet interface to send a copy of its traffic to another Ethernet interface.

Before using this command, you must have first configured a mirror port to accept the
copied (mirrored) traffic. For more information, see “mirror-port” on page 129.

Syntax [no] monitor {both | input | output} [vlan vlan-id]

Parameter Description
both Send a copy of both inbound and outbound traffic to the mirror port.
The mirror port must have already been configured to send both inbound
and outbound mirrored traffic from this monitored port. For example:
ACOS(config)#mirror-port 1 ethernet 1 both
input Send inbound traffic only to the mirror port.
The mirror port must have already been configured to send inbound mirrored
traffic from this monitored port. For example:
ACOS(config)#mirror-port 2 ethernet 2 input
output Send outbound traffic only to the mirror port.
The mirror port must have already been configured to accept outbound
mirrored traffic from this monitored port. For example:
ACOS(config)#mirror-port 3 ethernet 3 output
vlan vlan-id If applicable, specify the VLAN to which the monitored port belongs.

Default By default, no traffic is mirrored.

Mode Interface

Usage This command is valid only on Ethernet data interfaces. To specify the port where mirrored
traffic should be sent, use the mirror-port command at the global Config level. (See
“mirror-port” on page 129.)

NOTE: Only one mirror port is supported. All mirrored traffic for the directions you specify
goes to that port.

Example The following commands enable monitoring of input traffic on Ethernet port 5, and enable
the monitored traffic to be copied (“mirrored”) to Ethernet port 3:

ACOS(config)#mirror-port 2 ethernet 3
ACOS(config)#interface ethernet 5
ACOS(config-if:ethernet:5)#monitor input 2

mtu
Description Change the Maximum Transmission Unit (MTU) for an Ethernet interface.

Syntax [no] mtu bytes

Replace bytes with the largest packet size that can be forwarded out the interface
(1200-1500).

NOTE: See Usage section below for details on jumbo frame support.

Default 1500 bytes

Mode Interface

Usage This command applies to the Ethernet data interfaces.

If the ACOS device needs to forward a packet that is larger than the MTU of the ACOS egress
interface to the next hop, but the Do Not Fragment bit is set in the packet, the ACOS device
drops the packet and sends an ICMP Destination Unreachable code 4 (Fragmentation
required, and DF set) message to the sender.

To display a counter of how many outbound packets have been dropped because they were
longer than the outbound interface's MTU, use the following command:

show slb switch [detail | ethernet port-num [detail]]

The counter is labeled “MTU exceeded Drops”. The counter includes packets that had the Do
Not Fragment bit set and packets that did not have the bit set.

You can enable jumbo support on a global basis. In this case, the MTU is not automatically
changed on any interfaces, but you can increase the MTU on individual interfaces.

• On FPGA models, you can increase the MTU on individual Ethernet interfaces up to
12000 bytes.
• On non-FPGA models, you can increase the MTU on individual Ethernet interfaces up
to 9216 bytes.

name
Description Assign a name to the interface.

Syntax [no] name string

Replace string with the name for the interface, 1-32 characters.

Default None

Mode Interface

Usage This command applies to physical and virtual Ethernet data interfaces, and trunks. This
command does not apply to the management interface.

Example The following commands assign the name "WLAN-interface" to an interface and show the
result:

ACOS(config)#interface ve 1
ACOS(config-if:ve:1)#name WLAN-interface
ACOS(config-if:ve:1)#show ip interfaces
Port  IP              Netmask        PrimaryIP  Name
----------------------------------------------------------------------------
mgm   192.168.20.136  255.255.255.0  Yes
ve1   192.168.217.1   255.255.255.0  Yes        WLAN-interface
ve2   50.50.50.1      255.255.255.0  Yes

ports-threshold
Description Configure the minimum port threshold for a trunk.

Syntax [no] ports-threshold number-of-ports [timer seconds [do-auto-recovery]]

Parameter Description
number-of-ports Minimum number of ports that must be up in order for the trunk to
remain up. If the number of up ports falls below the configured
threshold, the AX automatically disables the trunk’s member ports.
The ports are disabled in the running-config. You can specify 2-8.
timer seconds [do-auto-recovery] Number of seconds to wait after a port goes down before marking the
trunk down, if the configured threshold is exceeded. You can set the
ports-threshold timer to 1-300 seconds.
The do-auto-recovery option brings the trunk back Up when the
required number of ports comes back up. Without this option, the
trunk remains disabled until you re-enable it. This option is applicable
only to LACP trunks.

Mode Interface

Usage This command is applicable only to trunk interfaces.

remove-vlan-tag
Description Remove the VLAN tag from packets to ensure that packets going out of the interface will be
untagged.

NOTE: This command is not available on non-FPGA platforms, and is also not available on
the A10 Thunder Series 3230S(S), 3430(S), and 5330(S) platforms.

Syntax [no] remove-vlan-tag

Default Disabled

Mode Interface

Example Ensure packets going out of ethernet interface 2 are untagged:

ACOS(config)#interface ethernet 2
ACOS(config-if:ethernet:2)#remove-vlan-tag

snmp-server
Description Specify a data interface to use as the source interface for SNMP traps.

Syntax [no] snmp-server trap-source

Default Management interface

Mode Interface

Usage Select a data interface from which to send SNMP traps. The interface can be any of the
following types:
• Ethernet
• VLAN / VE
• Loopback

When the ACOS device sends an SNMP trap from the specified data interface, the “agent-
address” in the SNMP trap is the data interface’s IP address.

Implementation Details:

• This feature does not support IPv6.
• This feature supports SNMPv1 but not SNMPv2c or SNMPv3.

Example The following command attempts to set a loopback interface as the SNMP trap source.
However, the feature has already been enabled on Ethernet port 1, and only one interface can be
enabled for SNMP traps, so this example shows that the existing trap source will be
overwritten with the new one:

ACOS(config)#interface loopback 1
ACOS(config-if:loopback:1)#snmp-server trap-source
The trap source already exists for interface eth1. Do you want to
overwrite? [yes/no]:yes
ACOS(config-if:loopback:1)#

trunk-group
Description Add the interface to a trunk group.

Syntax [no] trunk-group TrunkID [static | lacp | lacp-udld]

Parameter Description
static Adds the interface to a static trunk.
lacp Adds the interface to a dynamic trunk.
lacp-udld Adds the interface to a dynamic trunk that uses Unidirectional Link
Detection.

Default static

Mode Interface

Usage Use this command on each Ethernet data port you want to add to the trunk. When finished,
use the interface trunk TrunkID command to access the configuration level for the
trunk interface.

For more information about trunk configuration, see the System Administration and
Configuration Guide.

Config Commands: VLAN

The commands in this chapter configure parameters on individual VLANs.

To access this CLI level, enter the vlan vlan-id command from the global Config level.

If the ACOS device is a member of an aVCS virtual chassis, specify the VLAN ID as follows: DeviceID/vlan-id, where
DeviceID is the device’s aVCS ID and vlan-id is the VLAN ID.

This CLI level also has the following commands, which are available at all configuration levels:

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• do – See “do” on page 90.

• end – See “end” on page 93.

• exit – See “exit” on page 95.

• no – See “no” on page 135.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

name
Description Assign a name to the VLAN.

Syntax [no] name string

Replace string with the name for the VLAN, 1-63 characters.

Default The default name for VLAN 1 is “DEFAULT VLAN”. For other VLANs, if a name is not configured,
“None” appears in place of the name.

Mode VLAN

Example The following commands assign the name “Test100” to VLAN 100 and show the result:

ACOS(config)#vlan 100
ACOS(config-vlan:100)#name Test100
ACOS(config-vlan:100)#show vlan
Total VLANs: 3
VLAN 1, Name [DEFAULT VLAN]:
Untagged Ports: 3 4 5 6 7 9 10
Tagged Ports: None

VLAN 100, Name [Test100]:
Untagged Ports: 1
Tagged Ports: None
Router Interface: ve 1

VLAN 200, Name [None]:
Untagged Ports: 2
Tagged Ports: None
Router Interface: ve 2

router-interface
Description Add a virtual Ethernet (VE) router interface to the VLAN. A VE is required in order to configure
an IP address on a VLAN.

Syntax [no] router-interface ve ve-num

Replace ve-num with the VE number, 2-4094. The VE number must be the same as the VLAN
number.

Default By default, a VLAN does not have a VE.

Mode VLAN

Usage This command is valid only on ACOS devices deployed in route mode.

The VE interface on a VLAN must have the same number as the VLAN. For example, in VLAN
69, the VE number also must be 69.

MAC Address Assignment

The MAC addresses used by the ACOS device’s physical Ethernet data ports also are used for
VEs. (See “system ve-mac-scheme” on page 180.)

Example The following command configures VE 4 on VLAN 4:

ACOS(config)#vlan 4
ACOS(config-vlan:4)#router-interface ve 4

tagged
Description Add tagged ports to a VLAN. A tagged port can be a member of more than one VLAN. An
untagged port can be a member of only a single VLAN.

Syntax [no] tagged
{ethernet port-num [to port-num] | trunk trunk-num [to trunk-num]}

Parameter Description
port-num Add the specified tagged ethernet port to the VLAN.
To add a range of ports, use the to port-num option.
trunk-num Add the specified tagged trunk to the VLAN.
To add a range of trunks, use the to trunk-num option.

Default A VLAN has no ports by default.

Mode VLAN

Usage A port can be a tagged member of a maximum of 128 VLANs.

Example The following command adds ports 4 and 5 to VLAN 4 as tagged ports:

ACOS(config)#vlan 4
ACOS(config-vlan:4)#tagged ethernet 4 to 5

untagged
Description Add untagged ports to a VLAN. An untagged port can be a member of only a single VLAN.

Syntax [no] untagged
{
ethernet port-num [to port-num] |
lif lif-num |
trunk trunk-num [to trunk-num]
}

Parameter Description
port-num Add the specified untagged ethernet port to the VLAN.
To add a range of ports, use the to port-num option.
lif-num Add the specified logical interface to the VLAN.
trunk-num Add the specified untagged trunk to the VLAN.
To add a range of trunks, use the to trunk-num option.

Default VLAN 1 contains all ports by default. New VLANs do not contain any ports by default.

Mode VLAN

Example The following commands add port 6 and ports 8-10 to VLAN 4 as untagged ports:

ACOS(config)#vlan 4
ACOS(config-vlan:4)#untagged ethernet 6
ACOS(config-vlan:4)#untagged ethernet 8 to 10


Config Commands: IP

The IP commands configure global IPv4 parameters.

This CLI level also has the following commands, which are available at all configuration levels:

• backup – See “backup system” on page 27 and “backup log” on page 25.

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• do – See “do” on page 90.

• end – See “end” on page 93.

• exit – See “exit” on page 95.

• no – See “no” on page 135.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

NOTE: To configure global IPv6 parameters, see “Config Commands: IPv6” on page 317.

ip access-list
Description Configures an IPv4 access control list (ACL).

Syntax [no] ip access-list acl-name

Replace acl-name with the name of the IP ACL, 1-16 characters.

This command changes the CLI to the configuration level for the specified IPv4 ACL, where
the following commands are available:

{
[sequence-number]
{[remark string] |
[deny | permit | l3-vlan-fwd-disable]}
{traffic-type}
{traffic-source}
{traffic-destination}
{more-options}
}

Match Option Description


sequence-number Sequence number of this rule in the ACL. You can use this option to resequence the rules in
the ACL.
remark string Adds a remark to the ACL (1-63 characters). The remark appears at the top of the ACL when
you display it in the CLI. To use blank spaces in the remark, enclose the entire remark string
in double quotes. The ACL must already exist before you can configure a remark for it. An
ACL and its individual rules can have multiple remarks.
deny | permit | l3-vlan-fwd-disable Specify the action to take for traffic that matches the ACL:
• deny - Drops any traffic that matches the ACL applied to interfaces or used for management
access.
• permit - Allows any traffic that matches the ACL applied to interfaces or used for management
access. For ACLs used for IP source NAT, this option specifies the inside host
addresses to be translated into external addresses.
NOTE: If you are configuring an ACL for source NAT, use the permit action. For ACLs
used with source NAT, the deny action does not drop traffic, it simply does not use the
denied addresses for NAT translations.
• l3-vlan-fwd-disable - Disables Layer 3 forwarding between VLANs for IP addresses
that match the ACL rule.
traffic-type Specifies the type of traffic to match:
• geo-location – Matches on geo-location name.
• icmp [type {type-option} [code {any-code | code-num}]] – Matches on
ICMP traffic. (For information about the type and code options, see “object-group service”
on page 138.)
• ip – Matches on any type of IP traffic.
• object-group group-name – Matches on the values in the specified service object
group. (See “object-group service” on page 138.)
• tcp – Matches on TCP traffic.
• udp – Matches on UDP traffic.
traffic-source Specifies the source address(es) on which to match:
• any – The ACL matches on all source IP addresses.
• host host-src-ipaddr – The ACL matches only on the specified host IP address.
• net-src-ipaddr {filter-mask | /mask-length} – The ACL matches on any
host in the specified subnet. The filter-mask specifies the portion of the address to filter:
• Use 0 to match.
• Use 255 to ignore.
For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.255
Alternatively, you can use mask-length to specify the portion of the address to filter. For
example, you can specify “/24” instead of “0.0.0.255” to filter on a 24-bit subnet.
• object-group group-name – Matches on the addresses in the specified network
object group. (See “object-group service” on page 138.)

eq src-port | gt src-port | lt src-port | range start-src-port end-src-port These options are available for TCP and UDP only; they specify the source protocol ports
on which to match:
• eq src-port – The ACL matches on traffic from the specified source port.
• gt src-port – The ACL matches on traffic from any source port with a higher number
than the specified port.
• lt src-port – The ACL matches on traffic from any source port with a lower number
than the specified port.
• range start-src-port end-src-port – The ACL matches on traffic from any
source port within the specified range.
traffic-destination Specifies the destination address(es) on which to match. (The options are the same as those
for source address.)
more-options Specifies additional match criteria:
• fragments – Matches on packets in which the More bit in the header is set (1) or the
fragment offset is non-zero.
• vlan vlan-id – Matches on the specified VLAN. VLAN matching occurs for incoming
traffic only.
• dscp num – Matches on the 6-bit Diffserv value in the IP header, 1-63.
• established – Matches on TCP packets in which the ACK or RST bit is not set. This
option is useful for protecting against attacks from outside. Since a TCP connection from
the outside does not have the ACK bit set (SYN only), the connection is dropped. Similarly,
a connection established from the inside always has the ACK bit set. (The first packet to
the network from outside is a SYN/ACK.)
• log [transparent-session-only] – Configures the ACOS device to generate log
messages when traffic matches the ACL.
The transparent-session-only option limits logging for an ACL rule to creation and deletion
of transparent sessions for traffic that matches the ACL rule.

Mode Configuration mode.

Usage The support for named IPv4 ACLs supplements the support for IPv4 ACLs configured by ID.
You can use a named IPv4 ACL in any place a standard or extended IPv4 ACL is supported. In
the CLI, use the name option in front of the IPv4 ACL name.

Introduced in Release 2.7.1

Example The following commands configure a named, extended IPv4 ACL called “Deny-Rules” to
deny traffic sent from subnet 10.10.10.x to 10.10.20.5:80, and apply the ACL to inbound traffic
received on Ethernet interface 7:

ACOS(config)#ip access-list Deny-Rules
ACOS(config-ext-access-list:Deny-Rules)#deny tcp 10.10.10.0 0.0.0.255 10.10.20.5 /32 eq 80
ACOS(config-ext-access-list:Deny-Rules)#exit
ACOS(config)#interface ethernet 7
ACOS(config-if:ethernet:7)#access-list name Deny-Rules in
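
The following Python sketch is an added illustration, not ACOS code. It evaluates the Deny-Rules entry above against constructed sample flows, using the filter-mask convention described for traffic-source (0 bits must match, 255 bits are ignored). The function names, the flow records and the inclusive treatment of range are assumptions made for the example.

```python
import ipaddress

def ignore_bits(spec: str) -> int:
    """Turn a filter-mask ('0.0.0.255') or a mask-length ('/24') into the
    32-bit set of address bits that the ACL ignores."""
    if spec.startswith("/"):
        length = int(spec[1:])
        if not 0 <= length <= 32:
            raise ValueError(f"bad mask-length {spec!r}")
        return (1 << (32 - length)) - 1
    return int(ipaddress.IPv4Address(spec))

def addr_matches(base: str, spec: str, addr: str) -> bool:
    """Bits that are 0 in the filter-mask must be equal; 1 bits are ignored."""
    compare = ~ignore_bits(spec) & 0xFFFFFFFF
    diff = int(ipaddress.IPv4Address(base)) ^ int(ipaddress.IPv4Address(addr))
    return diff & compare == 0

def port_matches(op, args, port: int) -> bool:
    """eq / gt / lt / range as described in the match-option table."""
    if op is None:
        return True
    if op == "eq":
        return port == args[0]
    if op == "gt":
        return port > args[0]
    if op == "lt":
        return port < args[0]
    if op == "range":  # assumption: both ends of the range are included
        return args[0] <= port <= args[1]
    raise ValueError(f"unknown port operator {op!r}")

# deny tcp 10.10.10.0 0.0.0.255 10.10.20.5 /32 eq 80
DENY_RULE = {
    "action": "deny",
    "proto": "tcp",
    "src": ("10.10.10.0", "0.0.0.255"),
    "dst": ("10.10.20.5", "/32"),
    "dst_port": ("eq", (80,)),
}

# Constructed sample flows (not taken from any device).
FLOWS = [
    {"proto": "tcp", "src": "10.10.10.77", "dst": "10.10.20.5", "dport": 80},
    {"proto": "tcp", "src": "10.10.11.77", "dst": "10.10.20.5", "dport": 80},
    {"proto": "tcp", "src": "10.10.10.77", "dst": "10.10.20.5", "dport": 443},
    {"proto": "udp", "src": "10.10.10.77", "dst": "10.10.20.5", "dport": 80},
    {"proto": "tcp", "src": "10.10.10.77", "dst": "10.10.20.6", "dport": 80},
]

def rule_matches(rule, flow) -> bool:
    return (rule["proto"] in ("ip", flow["proto"])
            and addr_matches(*rule["src"], flow["src"])
            and addr_matches(*rule["dst"], flow["dst"])
            and port_matches(*rule["dst_port"], flow["dport"]))

def denied_flows(rule, flows):
    """Indexes of the sample flows that the rule would deny."""
    return [i for i, flow in enumerate(flows) if rule_matches(rule, flow)]

if __name__ == "__main__":
    print("denied flow indexes:", denied_flows(DENY_RULE, FLOWS))
    # A subnet mask typed where a filter-mask is expected inverts the test:
    # the first three octets are ignored and only the last octet must equal 0.
    print(addr_matches("10.10.10.0", "255.255.255.0", "10.10.10.77"))
```

The last line shows the usual review finding for inverse masks: with 255.255.255.0 entered as the filter-mask, hosts in 10.10.10.0/24 no longer match, while any address ending in .0 does.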


ip address
Description Configure the global IP address of the Thunder Series device, when the device is deployed in
transparent mode (Layer 2 mode).

Syntax [no] ip address ipaddr {subnet-mask | /mask-length}

Default None.

Mode Configuration mode

Usage This command applies only when the Thunder Series device is deployed in transparent
mode. To assign IP addresses to individual interfaces instead (gateway mode), use the ip
address command at the interface configuration level. (See “ip address” on page 248.)

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Loopback Interface Support for OSPF

If an IP address is configured on a loopback interface, and the address is in a subnet that is
also configured as an OSPF network subnet, the loopback interface is automatically included
in the OSPF subnet.

The ACOS device’s table of OSPF interfaces will include the loopback interface. Likewise, the
ACOS device will include the loopback interface in link-state advertisements sent to
neighbor OSPF routers.

Multiple OSPF Networks on the Same Interface Not Supported

The ACOS device does not support multiple OSPF networks on a data interface. One OSPF
network configuration can enable at most one network per interface.

For example, assume a data port has 3 IP addresses configured that belong to 3 separate
subnets, S1, S2, and S3. If you configure network S4 with area A.B.C.D, and S4 contains S1, S2,
and S3, then only S1 will be running OSPF. S2 and S3 will not be known to other OSPF
routers.

To work around this limitation, enable OSPF redistribution of directly connected routes so
that OSPF will redistribute S2 and S3 via the network running on S1.

Example The following command configures global IP address 10.10.10.4/24:

ACOS(config)#ip address 10.10.10.4 /24


ip anomaly-drop
Description Enable filtering for IP packets that exhibit predictable, well-defined anomalies. You can
enable filtering for the following types of IP anomalies:

Syntax [no] ip anomaly-drop {parameter} variable if applicable

Parameter Description
bad-content Bad content threshold. You can specify a value of 1-127.
drop-all Drop all IP anomaly packets.
frag Drop all fragmented packets.
ip-option Drop packets with IP options.
land-attack Drop IP packets with the same source and destination
addresses.
out-of-sequence Out of sequence packet threshold. You can specify a value
of 1-127.
packet-deformity Drop packets with deformity. You can specify layer-3 or
layer-4.
ping-of-death Drop oversize ICMP packets.
security-attack Drop packets causing a security attack. You can specify
layer-3 or layer-4.
tcp-no-flag Drop TCP packets with no flag.
tcp-syn-fin Drop TCP packets with both syn and fin flags set.
tcp-syn-frag Drop fragmented TCP packets with a syn flag set.
zero-window Zero window size threshold.

Default All options are disabled by default.

Mode Configuration mode

Example ACOS(config)#ip anomaly-drop security-attack layer-3
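
The following Python sketch is an added illustration, not ACOS code. It applies the anomaly definitions from the parameter table to raw IPv4 packets and returns the ip anomaly-drop parameters each packet would fall under. Only parameters whose condition the table states outright are covered. The fragment test reuses the definition given for the ACL fragments option, the six-flag TCP mask is an assumption, and the sample packets are constructed in memory.

```python
import socket
import struct

TCP_FIN, TCP_SYN = 0x01, 0x02
IP_MF, IP_OFFSET_MASK = 0x2000, 0x1FFF

def classify(packet: bytes) -> list:
    """Return the anomaly parameter names whose stated condition the packet meets."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    (flags_frag,) = struct.unpack_from("!H", packet, 6)
    proto = packet[9]
    offset = flags_frag & IP_OFFSET_MASK
    # Same test as the ACL "fragments" option: More bit set or non-zero offset.
    fragmented = bool(flags_frag & IP_MF) or offset != 0

    hits = []
    if fragmented:
        hits.append("frag")
    if ihl > 20:                        # header longer than 20 bytes carries options
        hits.append("ip-option")
    if packet[12:16] == packet[16:20]:  # same source and destination address
        hits.append("land-attack")
    # TCP flags are only present in the first fragment (offset 0).
    if proto == 6 and offset == 0 and len(packet) >= ihl + 14:
        flags = packet[ihl + 13] & 0x3F  # assumption: FIN, SYN, RST, PSH, ACK, URG
        if flags == 0:
            hits.append("tcp-no-flag")
        if flags & TCP_SYN and flags & TCP_FIN:
            hits.append("tcp-syn-fin")
        if fragmented and flags & TCP_SYN:
            hits.append("tcp-syn-frag")
    return hits

def ipv4(src, dst, proto, payload, flags_frag=0, options=b""):
    """Build a constructed IPv4 packet (checksum left at 0, never sent)."""
    words = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | words, 0,
                         4 * words + len(payload), 0, flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload

def tcp(flags):
    """Build a constructed 20-byte TCP header with the given flag byte."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)

# Constructed samples using documentation address ranges.
SAMPLES = {
    "normal-syn": ipv4("192.0.2.10", "198.51.100.5", 6, tcp(TCP_SYN)),
    "syn-fin": ipv4("192.0.2.10", "198.51.100.5", 6, tcp(TCP_SYN | TCP_FIN)),
    "null-flags": ipv4("192.0.2.10", "198.51.100.5", 6, tcp(0)),
    "land": ipv4("198.51.100.5", "198.51.100.5", 6, tcp(TCP_SYN)),
    "syn-first-fragment": ipv4("192.0.2.10", "198.51.100.5", 6, tcp(TCP_SYN),
                               flags_frag=IP_MF),
    "later-fragment": ipv4("192.0.2.10", "198.51.100.5", 6, b"\x00" * 32,
                           flags_frag=185),
    "ip-options": ipv4("192.0.2.10", "198.51.100.5", 6, tcp(TCP_SYN),
                       options=b"\x01\x01\x01\x00"),
}

def report():
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:20s} {hits or 'clean'}")
```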


ip as-path
Description Configure an AS-path list for BGP.

Syntax [no] ip as-path access-list regular-expression {deny | permit}

Parameter Description
regular-expression Access list name.
deny | permit Action to perform on matching entries.

Default None

Mode Configuration mode

ip community-list
Description Specify BGP community attributes.

Syntax [no] ip community-list num
{deny | permit}
[community-number]
[local-AS]
[no-advertise]
[no-export]

Syntax [no] ip community-list {expanded | standard} list-name
{deny | permit}
[community-number]
[local-AS]
[no-advertise]
[no-export]

Parameter Description
num List number.
{expanded | standard} list-name List type and name.
deny | permit Action to perform for matching communities.
community-number Community number.
local-AS Advertises routes only within the local Autonomous System (AS), not to external
BGP peers.
no-advertise Does not advertise routes.
no-export Does not advertise routes outside the AS boundary.


Default None

Mode Configuration mode

Example ACOS(config)#ip community-list standard list-name permit 10 no-advertise

ip default-gateway
Description Specify the default gateway to use to reach other subnets, when the Thunder Series device is
deployed in transparent mode (Layer 2 mode).

Syntax [no] ip default-gateway ipaddr

Default None.

Mode Configuration mode

Usage This command applies only when the ACOS device is used in transparent mode. If you
instead want to use the device in gateway mode (Layer 3 mode), configure routing.

To configure the default gateway for the out-of-band management interface, use the
interface management command to go to the configuration level for the interface, then
enter the ip default-gateway command. (See “ip default-gateway” on page 251.)

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following command configures an ACOS device deployed in transparent mode to use
router 10.10.10.1 as the default gateway for data traffic:

ACOS(config)#ip default-gateway 10.10.10.1

ip dns
Description Configure DNS servers and the default domain name (DNS suffix) for hostnames on the
ACOS device.

Syntax [no] ip dns {primary | secondary} ipaddr

[no] ip dns suffix string

Default None

Mode Configuration mode

Usage This command applies to transparent mode and gateway mode.

This command can only be used in the shared partition.

Example The following command sets primary DNS server 20.20.20.5:


ACOS(config)#ip dns primary 20.20.20.5

ip extcommunity-list
Description Configure an extended community list for BGP.

Syntax [no] ip extcommunity-list num
{deny | permit}
{rt | soo {AS-num:nn | ipaddr:nn}}

Syntax [no] ip extcommunity-list
{expanded | standard} list-name
{deny | permit}
{rt | soo {AS-num:nn | ipaddr:nn}}

Parameter Description
num List number.
{expanded | standard} list-name List type and name.
deny | permit Action to perform for matching communities.
rt | soo {AS-num:nn | ipaddr:nn} Community type and ID:
• rt – Route-target extended community.
• soo – Site-of-origin extended community.

Default None

Mode Configuration mode

Example ACOS(config)#ip extcommunity-list standard list-name permit soo 10:20

ip frag buff
Description Maximum buffer size used for fragmentation.

Syntax [no] ip frag buff num

Replace num with the maximum number of buffers the ACOS device will allow for
fragmentation sessions. You can specify 10000-3000000 (3 million). The specified maximum
applies to both IPv4 and IPv6.

Default The default range on 64-bit ACOS models is 5% of total buffers

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Introduced in Release 2.7.0


ip frag max-reassembly-sessions
Description Configure the IP fragment queue size.

Syntax [no] ip frag max-reassembly-sessions num

Replace num with the maximum number of simultaneous fragmentation sessions the ACOS
device will allow. You can specify 1-200000. The specified maximum applies to both IPv4 and
IPv6.

Default 100000

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

ip frag timeout
Description Configure the timeout for IP packet fragments.

Syntax [no] ip frag timeout ms

Replace ms with the number of milliseconds (ms) the ACOS device buffers fragments for
fragmented IP packets. If any fragments of an IP packet do not arrive within the specified
time, the fragments are discarded and the packet is not re-assembled. You can specify
4-16000 ms (16 seconds), in 10-ms increments.


Default 1000 ms (1 second)

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

ip icmp disable
Description Disable ICMP messages.

Syntax [no] ip icmp disable {redirect | unreachable}

Parameter Description
redirect Disables sending of ICMP Redirect messages.
unreachable Disables sending of ICMP Destination Unreachable messages.

Default Both types of ICMP messages are enabled.

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following command disables sending of IPv4 ICMP Redirect messages:

ACOS(config)#ip icmp disable redirect

ip mgmt-traffic
Description Allows a loopback interface IP address to be used as the source interface for management
traffic originated by the ACOS device.

Syntax {all | ftp | ntp | rcp | snmp | ssh | syslog | telnet | tftp | web}
source-interface loopback num

To apply the command only to a specific type of traffic (SNMP, NTP, and so on), use the option
for that traffic type. To apply the command to all management traffic types, use the all
option.

Default Not set

Mode Configuration mode

Usage Notes about the implementation of this command:


• Loopback interface IP address – The loopback interface you specify when configuring
this feature must have an IP address configured on it. Otherwise, this feature does not
take effect.


• Management interface – If use of the management interface as the source for management
traffic is also enabled, the loopback interface takes precedence over the management
interface. The loopback interface’s IP address will be used instead of the
management interface’s IP address as the source for the management traffic.
• Likewise, the use-mgmt-port option has no effect.
• Ping traffic – Configuration for use of a loopback interface as the source for management
traffic does not apply to ping traffic. By default, ping packets are sourced from the
best interface based on the route table. You can override the default interface selection
by specifying a loopback or other type of interface as part of the ping command.
• Layer 2/3 Virtualization – This feature is supported only for loopback interfaces that
belong to the shared partition. When this feature is configured, management traffic
initiated from a private partition will use the IP address of the specified loopback interface
as the source address, and will use the shared partition’s data routing table to select the
outbound interface.

Limitations

The current release has the following limitations related to this feature:
• Floating loopback interfaces are not supported.
• IPv6 interfaces are not supported.
• aVCS is not supported.

Example The following commands configure an IP address on loopback interface 2:

ACOS(config)#interface loopback 2
ACOS(config-if:loopback2)#ip address 10.10.10.66 /24
ACOS(config-if:loopback2)#exit

Example The following command configures the ACOS device to use loopback interface 2 as the
source interface for management traffic of all types listed above:

ACOS(config)#ip mgmt-traffic all loopback 2

ip nat alg pptp
Description Disable or re-enable NAT Application-Layer Gateway (ALG) support for the Point-to-Point
Tunneling Protocol (PPTP). This feature enables clients and servers to exchange Point-to-Point
(PPP) traffic through the ACOS device over a Generic Routing Encapsulation (GRE) tunnel.
PPTP is used to connect Microsoft Virtual Private Network (VPN) clients and VPN hosts.

Syntax ip nat alg pptp {enable | disable}

Default Enabled

Mode Configuration mode

Usage NAT ALG for PPTP has additional configuration requirements. For information, see the “NAT
ALG Support for PPTP” section in the “Network Address Translation” chapter of the Application
Delivery and Server Load Balancing Guide.

ip nat icmp
Description Disable ICMP messages.

Syntax [no] ip icmp disable {redirect | unreachable}

Parameter Description
redirect Disables sending of ICMP Redirect messages.
unreachable Disables sending of ICMP Destination Unreachable messages.

Default Both types of ICMP messages are enabled.

Mode Configuration mode


ip nat inside source
Description Configure inside Network Address Translation (NAT).

Syntax [no] ip nat inside source
{
class-list name |
list acl-name pool pool-or-group-name
[msl seconds]
[respond-to-user-mac] |
static inside-ipaddr nat-ipaddr
[disable | enable]
[vrid num]
}

Parameter Description
class-list name Specifies a class list. Entries in the class list map internal IP addresses to IP NAT
pools.
list acl-name Specifies an Access Control List (ACL) that matches on the inside addresses to be
translated. (To configure the ACL, see “access-list (standard)” on page 48 or “access-list
(extended)” on page 50.)
pool pool-or-group-name [msl seconds] [respond-to-user-mac] Dynamically assigns addresses from a
range defined in a pool or pool group.
The msl seconds option sets the TCP Maximum Segment Life (MSL) for source-NAT
connections that use the specified pool or pool group. This option is useful for NAT
connections to devices with older TCP/IP stacks, where the MSL is up to 2 minutes,
resulting in a wait of up to 240 seconds (4 minutes) after a FIN before the endpoint
can enter a new connection. You can set the MSL to 1-1800 seconds.
The respond-to-user-mac option causes existing connections to follow the active
ACOS device to use the inside client’s MAC address, instead of the routing table, to
select the next hop for the reply.
NOTE: This option is valid only for the current session. After the client’s MAC
address expires, the ACOS device will use the routing table to select the next hop. If
the session has traffic from the inside client, the ACOS device will learn the inside
client's MAC address again.
static inside-ipaddr nat-ipaddr Statically maps the specified inside address to a specific NAT
address.
disable | enable Disables or re-enables the static mapping.
vrid num VRRP-A VRID.

Default None

Mode Configuration mode

For static NAT mappings, the following limitations apply:

• Application Layer Gateway (ALG) services other than FTP are not supported when the
server is on the inside.


• Syn-cookies are not supported.

Example The following command configures static inside NAT translation of 10.10.10.55 to
192.168.20.44:

ACOS(config)#ip nat inside source static 10.10.10.55 192.168.20.44

ip nat pool
Description Configure a named set of IP addresses for use by NAT.

Syntax [no] ip nat pool pool-name
start-ipaddr end-ipaddr
netmask {subnet-mask | /mask-length}
[gateway ipaddr]
[ip-rr]
[scaleout-device-id device-id]
[vrid num]

Parameter Description
pool-name Name of the address pool.
start-ipaddr Beginning (lowest) IP address in the range.
end-ipaddr Ending (highest) IP address in the range.
netmask {subnet-mask | /mask-length} Network mask for the IP addresses in the pool.
gateway ipaddr Default gateway to use for NATted traffic.
ip-rr Uses pool IP addresses in round robin fashion. Without this option, IP address
selection from a NAT pool depends on the incoming tuple and the usage of
the NAT pool.
scaleout-device-id device-id Configure the Scale Out device ID to which this IP NAT pool will be
bound (1-64).
vrid num VRRP-A VRID. In the shared partition, you can specify 1-31 or default. In private
partitions, you can specify default.

Default None.

Mode Configuration mode

Usage The pool can be used by other ip nat commands. The IP addresses must be IPv4 addresses.
To configure a pool of IPv6 addresses, see “ipv6 nat pool” on page 323.

To enable inside or outside NAT on interfaces, see “ip nat” on page 255.

When you use the gateway option, the gateway you specify is used as follows:

• For forward traffic (traffic from a client to a server), the NAT gateway is used if the source
NAT address (the address from the pool) and the server address are not in the same IP
subnet.
• On reverse traffic (reply traffic from a server to a client), the NAT gateway is used if all
the following conditions are true:

• The session is using translated addresses (is source NATted).
• The source protocol port is in the source NAT subnet.
• The destination is not in the source NAT subnet.

For conditions under which the NAT gateway is needed, if no NAT gateway is configured, the
ACOS device uses the default gateway configured for the ACOS device’s other traffic instead.

Example The following command configures an IP address pool named “pool1” that contains
addresses from 30.30.30.1 to 30.30.30.254:

ACOS(config)#ip nat pool pool1 30.30.30.1 30.30.30.254 netmask /24

ip nat pool-group
Description Configure a set of IP pools for use by NAT. Pool groups enable you to use non-contiguous IP
address ranges, by combining multiple IP address pools.

Syntax [no] ip nat pool-group pool-group-name [vrid num]

Parameter Description
pool-group-name Name of the pool group.
vrid num VRRP-A VRID.

This command changes the CLI to the configuration level for the specified pool group,
where the following command is available:

member pool-name

Replace pool-name with the name of a configured IP address pool.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Default None.

Mode Configuration mode

Usage To use a non-contiguous range of addresses, configure a separate pool for each contiguous
portion of the range, then configure a pool group that contains the pools.

The addresses within an individual pool still must be contiguous, but you can have gaps
between the ending address in one pool and the starting address in another pool. You also
can use pools that are in different subnets.

For SLB, a pool group can contain up to 5 pools. Pool group members must belong to the
same protocol family (IPv4 or IPv6). A pool can be a member of multiple pool groups.

If a pool group contains pools in different subnets, the ACOS device selects the pool that
matches the outbound subnet. For example, if there are two routes to a given destination, in
different subnets, and the pool group has a pool for one of those subnets, ACOS selects the
pool that is in the subnet for the outbound route.


The ACOS device selects the pool whose addresses are in the same subnet as the next-hop
interface used by the data route table to reach the server.

Example The following commands create a pool group containing 3 pools:

ACOS(config)#ip nat pool-group group1
ACOS(config-pool-group:group1)#member pool1
ACOS(config-pool-group:group1)#member pool2
ACOS(config-pool-group:group1)#member pool3

ip nat range-list
Description Configure a range of IP addresses to use with static NAT.

Syntax [no] ip nat range-list list-name
local-ipaddr /mask-length
global-ipaddr /mask-length
count number
[vrid num]

Parameter Description
list-name Name of the static NAT address range.
local-ipaddr /mask-length Beginning (lowest) IP address in the range of local addresses.
global-ipaddr /mask-length Beginning (lowest) IP address in the range of global addresses.
count number Number of addresses to be translated, 1-200000. The range contains a contiguous
block of the number of addresses you specify.
The block of local addresses starts with the address you specify for local-ipaddr.
Likewise, the block of global addresses begins with the address you specify for
global-ipaddr.
vrid num VRRP-A VRID.

Default None.

Mode Configuration mode

Usage You can configure up to 2000 ranges. You can specify IPv4 or IPv6 addresses within a range.

Example The following command configures an IP address range named “nat-list-1” that maps up to
100 local addresses starting from 10.10.10.97 to Internet addresses starting from
192.168.22.50:

ACOS(config)#ip nat range-list nat-list-1 10.10.10.97 /16 192.168.22.50 /16 count 100


ip nat template logging
Description Configure a template for external logging of SLB traffic events.

Syntax [no] ip nat template logging template-name

This command changes the CLI to the configuration level for the specified NAT logging
template, where the following commands are available.

Command Description
[no] facility facility-name Specifies the logging facility to use. For a list of available facilities, enter
the following command: facility ?
The default facility is local0.
[no] include-destination Includes the destination IP addresses and protocol ports in NAT port
mapping logs.
[no] include-rip-rport Includes the IP and port of real server in logs (SLB function only).
[no] log option Enables logging for specific options:
• port-mappings – Logs NAT port mappings. The both option
logs NAT session creation and deletion. The creation option logs
NAT session creation only.
• sessions – Logs NAT session creation and deletion.
NOTE: The “no” form of the command returns the logging method to
its default, Syslog.
By default, logging of both port mappings and sessions is set.
[no] service-group group-name Specifies the service group for the external log servers.

[no] severity severity-level Specifies the severity level to assign to LSN traffic logs generated using
this template. You can enter the name or the number of a severity
level.
• 0 | emergency
• 1 | alert
• 2 | critical
• 3 | error
• 4 | warning
• 5 | notice
• 6 | informational
• 7 | debug
The default severity is 7 (debugging).
[no] source-port {severity-level | any} Specifies the source protocol port the ACOS device uses
to send out log messages to the external log servers.
NOTE: This does not conflict with the real server port, which is the
destination port of the logging packet.
If the any option is configured, the ACOS device randomly selects a
source-port for each logging packet.
The default source port is 514 (for UDP only).

NOTE: The source-port command is only applicable to syslog over UDP, and does not
apply to TCP traffic. With syslog over TCP traffic, the source port is determined by
ACOS through Smart NAT.

Default There is no NAT logging template by default. When you configure one, the template options
have the default values as described in the table above.

Mode Configuration mode

Usage The template keeps track of which external clients were mapped to the NAT IP and load
balances multiple IP address requests. Therefore it can be used once VIPs are configured.

Example The following commands show a configuration for external logging of SLB NAT activity.

ACOS(config)#ip nat pool pool1 20.0.0.1 20.0.0.1 netmask /32
ACOS(config)#ip nat template logging testlog
ACOS(config-nat logging)#log port-mappings both
ACOS(config-nat logging)#log session
ACOS(config-nat logging)#include-destination
ACOS(config-nat logging)#include-rip-rport
ACOS(config-nat logging)#service-group log
ACOS(config)#slb server rs1 20.0.0.6
ACOS(config-real server)#port 80 tcp
ACOS(config)#slb server rs2 20.0.0.8
ACOS(config-real server)#port 80 tcp
ACOS(config)#slb server ls1 20.0.0.7
ACOS(config-real server)#port 514 udp
ACOS(config)#slb service-group sg1 udp
ACOS(config-slb svc group)#member ls1:514
ACOS(config)#slb virtual-server vip1 10.0.0.111
ACOS(config-slb vserver)#template logging testlog

Log Output:

Apr 15 14:27:04 Apr 15 14:27:03 ACOS NAT-TCP-C: 10.0.0.12:25235 -> 20.0.0.1:2097 RS 20.0.0.7:80#015

ip nat translation
Description Configure NAT timers.

Syntax [no] ip nat translation
{
icmp-timeout {seconds | fast} |
service-timeout {seconds | fast} |
tcp-timeout seconds |
udp-timeout seconds
}

Parameter Description
icmp-timeout {age seconds | fast} Specifies the minimum number of seconds NATted ICMP sessions
can remain idle before being terminated. You can specify 2-15000 seconds, or fast. The fast
option terminates the session as soon as a response is received.
The default is fast.
service-timeout {tcp | udp} portnum {age seconds | fast} Specifies the minimum number of seconds
NATted sessions on a specific protocol port can remain idle before being terminated. The
timeout set for an individual protocol port overrides the global TCP or UDP timeout for
NATted sessions. You can specify 2-15000 seconds, or fast. The fast option terminates the
session as soon as a response is received.
By default, this is not set. For all service ports except UDP 53, the tcp-timeout or
udp-timeout setting is used. For UDP port 53, the SLB MSL time is used.
tcp-timeout seconds Timeout for TCP sessions that are not ended normally by a FIN or RST. You
can specify 2-15000 seconds.
The default is 300 seconds.
udp-timeout seconds The supported values and timer behavior for UDP sessions are the same as
those for tcp-timeout (described above).
The default is 300 seconds.

Default See descriptions.

Mode Configuration mode

Usage The timeout value you specify is the minimum number of seconds the session can remain
idle. It takes up to 60 seconds following expiration of the configured timeout value for the
session to be removed.

If you specify 2-31 seconds, the timeout takes place very rapidly, as close to the configured
timeout as possible.

If you specify 32-12000 seconds, the timeout value must be divisible by 60, and can be a
minimum of 1 minute. If the timeout is set to a value in the range 32-59, the timeout value is
rounded up to 60. Values in the range 61-11999 are rounded down to the nearest multiple of
60.

Example The following command changes the SYN timeout to 120 seconds:

ACOS(config)#ip nat translation syn-timeout 120


ip nat-global reset-idle-tcp-conn
Description Enable client and server TCP Resets for NATted TCP sessions that become idle.

Syntax [no] ip nat-global reset-idle-tcp-conn

Default Disabled.

Mode Configuration mode

ip prefix-list
Description Configure an IPv4 prefix list.

Syntax [no] ip prefix-list list-name
[description string]
[seq sequence-num]
{deny | permit}
{any | ipaddr/mask-length}
[ge prefix-length] [le prefix-length]

Parameter Description
list-name Name of the IP prefix list. The name can not contain blanks.
description string Description of the IP prefix list.
seq sequence-num Changes the sequence number of the IP prefix-list rule. The sequence number can
be 1-4294967295.
deny | permit Action to take for IP addresses that match the prefix list.
any | ipaddr /mask-length IP address and number of mask bits, from left to right, on which to match. If you
omit the ge and le options (described below), the mask-length is also the subnet
mask on which to match.
ge prefix-length Specifies a range of prefix lengths on which to match. Any prefix length equal to or
greater than the one specified will match. For example, ge 25 will match on any of
the following mask lengths: /25, /26, /27, /28, /29, /30, /31, or /32.
le prefix-length Specifies a range of prefix lengths on which to match. Any prefix length less than
or equal to the one specified will match. The lowest prefix length in the range is
the prefix specified with the IP address. For example, 192.168.1.0/24 le 28 will
match on any of the following mask lengths: /24, /25, /26, /27, or /28.

Default N/A

Mode Configuration mode

Usage You can use IP prefix lists to provide input to the OSPFv2 command “area area-id filter-list” on
page 371.

How Matching Occurs


Matching begins with the lowest numbered IP prefix-list rule and continues until the first
match is found. The action in the first matching rule is applied to the IP address. For example,
if the IP prefix list contains the following two rules, rule 5 is used for IP address 192.168.1.9,
even though the address also matches rule 10.

ip prefix-list 5 permit any
ip prefix-list 10 deny 192.168.1.0/24

The ge prefix-length and le prefix-length options enable you to specify a range of mask
lengths on which to match. If you do not use either option, the mask-length in the address
(/24 in the example above) specifies both the following:

• Number of bits to match, from left to right
• Mask length on which to match

If you use one or both of the ge or le options, the mask-length specifies only the number of
bits to match. The ge or le option specifies the mask length(s) on which to match.

The following rule matches on any address whose first octet is 10 and whose mask-length is
8:

ip prefix-list match_on_8bit_mask_only permit 10.0.0.0/8

IP address 10.10.10.10/8 would match this rule but 10.10.10.10/24 would not.

The following rule uses the le option to extend the range of mask lengths that match:

ip prefix-list match_on_24bit_mask_or_less permit 10.0.0.0/8 le 24

This rule matches on any address that has 10 in the first octet, and whose mask length is 24
bits or less. IP addresses 10.10.10.10/8 and 10.10.10.10/24 would both match this rule.

The following rule permits any address from any network that has a mask 16-24 bits long.

ip prefix-list match_any_on_16-24bit_mask permit 0.0.0.0/0 ge 16 le 24

Implied Deny any Rule

The IP prefix list has an implied deny any rule at the end. This rule is not visible and can not
be changed or deleted. If an IP address does not match any of the rules in the IP prefix list,
the ACOS device uses the implied deny any rule to deny the address.

Sequence Numbering

As described above, the sequence of rules in the IP prefix list can affect whether a given
address matches a permit rule or a deny rule.

When you configure the first IP prefix-list rule, the ACOS device assigns sequence number 5
to the rule by default. After that, the sequence number for each new rule is incremented by
5. If you explicitly set the sequence number of a rule, subsequent rules are still sequenced in
increasing increments of 5. For example, if you set the sequence number of the first rule to 7,
the next rule is 12 by default.

You can explicitly set the sequence number of a rule when you configure the rule. You also
can change the sequence number of a rule that is already configured.
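
The matching, implied deny and default sequence-numbering rules described above, modeled as an added Python example (not A10 code and not part of the original reference). The class and function names, the sample configuration, the ge/le sanity check and the "highest sequence number + 5" reading of the numbering rule are assumptions of this sketch; it handles IPv4 rules only.

```python
import ipaddress
import re

# Rule format as shown in the "show running-config" output in this section.
RULE_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny)"
    r" (?P<target>any|\S+/\d+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)

# Constructed sample configuration, built from the rules quoted in this section.
SAMPLE_CONFIG = """
ip prefix-list first_match seq 5 permit any
ip prefix-list first_match seq 10 deny 192.168.1.0/24
ip prefix-list match_on_8bit_mask_only permit 10.0.0.0/8
ip prefix-list match_on_24bit_mask_or_less permit 10.0.0.0/8 le 24
ip prefix-list match_any_on_16-24bit_mask permit 0.0.0.0/0 ge 16 le 24
ip prefix-list renumbered seq 7 deny 10.0.0.0/8 le 24
ip prefix-list renumbered permit any
"""


class PrefixList:
    """One named IPv4 prefix list: ordered rules plus the implied deny any."""

    def __init__(self):
        self.rules = {}  # seq -> (action, network_int, bits, lo, hi)

    def add(self, m):
        # Default numbering: the first rule gets 5, each later rule gets +5.
        # Assumption: "+5" is counted from the highest existing number (7 -> 12).
        seq = int(m["seq"]) if m["seq"] else max(self.rules, default=0) + 5
        if m["target"] == "any":
            net, bits, lo, hi = 0, 0, 0, 32
        else:
            iface = ipaddress.IPv4Interface(m["target"])
            bits = iface.network.prefixlen
            net = int(iface.network.network_address)
            if m["ge"] is None and m["le"] is None:
                lo = hi = bits  # mask-length is both bit count and mask to match
            else:
                lo = int(m["ge"]) if m["ge"] else bits  # le alone starts at mask-length
                hi = int(m["le"]) if m["le"] else 32    # ge alone runs up to /32
            if not bits <= lo <= hi <= 32:  # sanity check assumed by this sketch
                raise ValueError(f"inconsistent ge/le range: {m.string!r}")
        self.rules[seq] = (m["action"], net, bits, lo, hi)

    def evaluate(self, candidate):
        """Return (action, seq) of the first matching rule for 'addr/len'."""
        iface = ipaddress.IPv4Interface(candidate)
        addr, length = int(iface.ip), iface.network.prefixlen
        for seq in sorted(self.rules):  # lowest-numbered rule first
            action, net, bits, lo, hi = self.rules[seq]
            shift = 32 - bits  # compare only the leftmost 'bits' bits
            if (addr >> shift) == (net >> shift) and lo <= length <= hi:
                return action, seq
        return "deny", None  # implied deny any rule at the end of every list


def load(config_text):
    """Parse prefix-list rule lines into {list name: PrefixList}."""
    lists = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        words = line.split()
        # Skip unrelated lines and "description" lines, which carry no rule.
        if words[:2] != ["ip", "prefix-list"] or "description" in words[3:4]:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported prefix-list rule: {line!r}")
        lists.setdefault(m["name"], PrefixList()).add(m)
    return lists


def unreachable_rules(plist):
    """Sequence numbers that can never match because an earlier rule is 'any'."""
    dead, seen_any = [], False
    for seq in sorted(plist.rules):
        if seen_any:
            dead.append(seq)
        _, _, bits, lo, hi = plist.rules[seq]
        seen_any = seen_any or (bits, lo, hi) == (0, 0, 32)
    return dead


if __name__ == "__main__":
    lists = load(SAMPLE_CONFIG)
    for name, candidate in [
        ("first_match", "192.168.1.9/24"),
        ("match_on_8bit_mask_only", "10.10.10.10/24"),
        ("match_on_24bit_mask_or_less", "10.10.10.10/24"),
        ("match_any_on_16-24bit_mask", "172.16.5.0/8"),
    ]:
        print(name, candidate, lists[name].evaluate(candidate))
    print("unreachable in first_match:", unreachable_rules(lists["first_match"]))
```

The unreachable_rules check flags the ordering problem shown in the first example: a deny rule placed after a permit any rule is never evaluated.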

Example The following commands add descriptions to some IP prefix-list rules and display the results:

ACOS(config)#ip prefix-list aaa description Here_is_a_string_to_describe_the_rule.
ACOS(config)#ip prefix-list ccc description And_here_is_a_string_to_describe_this_rule.
ACOS(config)#show running-config | section ip prefix-list
ip prefix-list aaa description Here_is_a_string_to_describe_the_rule.
ip prefix-list aaa seq 5 permit any
ip prefix-list bbb seq 10 permit 192.168.1.0/24
ip prefix-list ccc description And_here_is_a_string_to_describe_this_rule.
ip prefix-list ccc seq 15 deny 10.10.10.0/8 le 24

ip route
Description Configure a static IP route.

Syntax [no] ip route destination-ipaddr {subnet-mask | /mask-length}
{
next-hop-ipaddr
[distance]
[cpu-process]
[description string] |
lif num next-hop-ipaddr
[distance]
[cpu-process]
[description string] |
partition partition-name
[vrid vrid]
[description string] |
tunnel num next-hop-ipaddr
[distance]
[cpu-process]
[description string]
}

Syntax [no] ip route static bfd local-ipaddr remote-ipaddr

Parameter Description
destination-ipaddr {subnet-mask | /mask-length} Specifies the destination of the route. To configure a default route, specify 0.0.0.0/0.
next-hop-ipaddr Specifies the next-hop router to use to reach the route destination. The address must be in the same subnet as the Thunder Series device.
distance Distance value for the route, 1-255.
cpu-process Sends traffic that uses this route to the CPU for processing. This option is applicable only to certain models, including AX models AX 3200-12, AX 3400, AX 5200-11, and AX 5630.
partition partition-name [vrid vrid] Forwards the traffic to the specified L3V partition as the next hop. The vrid option specifies the VRRP-A VRID, if applicable.
description string Description of the static route.

Default There are no static routes configured by default.

Mode Configuration mode

Usage If a destination can be reached by an explicit route (a route that is not a default route), then
the explicit route is used. If an explicit route is not available to reach a given destination, the
default route is used (if a default route is configured).

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following command configures a default route using gateway 10.10.10.1 and the default
metric:

ACOS(config)#ip route 0.0.0.0/0 10.10.10.1

ip tcp syn-cookie threshold


Description Modify the threshold for TCP handshake completion. The TCP handshake threshold is
applicable when SYN cookies are active.

Syntax [no] ip tcp syn-cookie threshold seconds

Replace seconds with the number of seconds allowed for a TCP handshake to be completed.
If the handshake is not completed within the allowed time, the ACOS device drops the
session. You can specify 1-100 seconds.

Default 4 seconds

Mode Configuration mode

Usage The TCP handshake threshold is applicable only when hardware-based SYN cookies are
active. To enable support for hardware-based SYN cookies, see “syn-cookie” on page 173.

Example The following command changes the TCP handshake threshold to 15 seconds:

ACOS(config)#ip tcp syn-cookie threshold 15

Config Commands: IPv6

The IPv6 commands configure global IPv6 parameters.

This CLI level also has the following commands, which are available at all configuration levels:

• backup – See “backup system” on page 27 and “backup log” on page 25.

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• do – See “do” on page 90.

• end – See “end” on page 93.

• exit – See “exit” on page 95.

• no – See “no” on page 135.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

NOTE: To configure global IPv4 parameters, see “Config Commands: IP” on page 291.

ipv6 access-list
Description Configure an extended IPv6 ACL.

Syntax [no] ipv6 access-list name

This command changes the CLI to the configuration level for the ACL, where the following
ACL-related commands are available.

Syntax [no] [seq-num] {permit | deny}
{ipv6 | icmp | geo-location name | object-group name}
{any | host host-src-ipv6addr | net-src-ipv6addr /mask-length | object-group name}
{any | host host-dst-ipv6addr | net-dst-ipv6addr /mask-length | object-group name}
[fragments] [vlan vlan-id] [dscp num]
[log]

or

Syntax [no] {permit | deny} {tcp | udp}
{any | host host-src-ipv6addr | net-src-ipv6addr /mask-length | object-group name}
[eq src-port | gt src-port | lt src-port | range start-src-port end-src-port]
{any | host host-dst-ipv6addr | net-dst-ipv6addr /mask-length | object-group name}
[eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port]
[fragments] [vlan vlan-id] [dscp num]
[established]
[log]

Parameter Description
seq-num Sequence number of this rule in the ACL. You can use this option to resequence the rules in the ACL.
deny | permit Action to take for traffic that matches the ACL:
• deny – Drops the traffic.
• permit – Allows the traffic.
ipv6 | icmp | geo-location name | object-group name | tcp | udp Type of traffic on which to match.
any | host host-src-ipv6addr | net-src-ipv6addr /prefix-length | object-group name Source IP address(es) to filter.
• any – The ACL matches on all source IP addresses.
• host host-src-ipv6addr – The ACL matches only on the specified host IPv6 address.
• net-src-ipv6addr /prefix-length – The ACL matches on any host in the specified subnet.
• object-group name – The ACL matches on the object group.
eq src-port | gt src-port | lt src-port | range start-src-port end-src-port For tcp or udp, the source protocol ports to filter.
• eq src-port – The ACL matches on traffic from the specified source port.
• gt src-port – The ACL matches on traffic from any source port with a higher number than the specified port.
• lt src-port – The ACL matches on traffic from any source port with a lower number than the specified port.
• range start-src-port end-src-port – The ACL matches on traffic from any source port within the specified range.
any | host host-dst-ipv6addr | net-dst-ipv6addr /mask-length | object-group name Destination IP address(es) to filter.
eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port For tcp or udp, the destination protocol ports to filter.
• eq dst-port – The ACL matches on traffic from the specified destination port.
• gt dst-port – The ACL matches on traffic from any destination port with a higher number than the specified port.
• lt dst-port – The ACL matches on traffic from any destination port with a lower number than the specified port.
• range start-dst-port end-dst-port – The ACL matches on traffic from any destination port within the specified range.
fragments Matches on packets in which the More bit in the header is set (1) or has a non-zero offset.
vlan vlan-id Matches on the specified VLAN. VLAN matching occurs for incoming traffic only.
dscp num Matches on the 6-bit Diffserv value in the IP header, 1-63.
established Matches on TCP packets in which the ACK or RST bit is not set. This option is useful for protecting against attacks from outside. Since a TCP connection from the outside does not have the ACK bit set (SYN only), the connection is dropped. Similarly, a connection established from the inside always has the ACK bit set. (The first packet to the network from outside is a SYN/ACK.)
log Configures the ACOS device to generate log messages when traffic matches the ACL.

Syntax [no] remark string

The remark command adds a remark to the ACL. The remark appears at the top of the ACL
when you display it in the CLI. The string can be 1-63 characters. To use blank spaces in the
remark, enclose the entire remark string in double quotes.

Default None

Mode Configuration mode

ipv6 address
Description Configure the global IPv6 address of the Thunder Series device, when the device is deployed
in transparent mode (Layer 2 mode).

Syntax [no] ipv6 address ipv6-addr/prefix-length
[link-local]
[anycast]

Parameter Description
ipv6-addr Valid unicast IPv6 address.
prefix-length Prefix length, up to 128.
link-local Configures the address as the link-local IPv6 address for the interface, instead of a global
address. Without this option, the address is a global address.
anycast Configures the address as an anycast address. An anycast address can be assigned to more than
one interface. A packet sent to an anycast address is routed to the “nearest” interface with that
address, based on the distance in the routing protocol.

Default N/A

Mode Configuration mode

Usage This command applies only when the ACOS device is deployed in transparent mode. To
assign IPv6 addresses to individual interfaces instead (gateway mode), use the ipv6
address command at the interface configuration level. (See “ipv6 address” on page 260.)

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following command configures global IPv6 address 2001:db8::1521:31ab/32:

ACOS(config)#ipv6 address 2001:db8::1521:31ab/32

ipv6 default-gateway
Description Specify the default gateway to use to reach other IPv6 networks, when the ACOS device is
used in transparent mode (Layer 2 mode).

Syntax [no] ipv6 default-gateway ipv6-addr

Replace ipv6-addr with the IPv6 address of the next-hop gateway.

Default N/A

Mode Configuration mode

Usage This command applies only when the ACOS device is used in transparent mode. If you
instead want to use the device in gateway mode (Layer 3 mode), configure routing.

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following command configures default IPv6 gateway 2001:db8::1521:31ac:

ACOS(config)#ipv6 default-gateway 2001:db8::1521:31ac

ipv6 frag timeout


Description Configure the timeout for IPv6 packet fragments.

Syntax [no] ipv6 frag timeout ms

Replace ms with the number of milliseconds (ms) the ACOS device buffers fragments for
fragmented IPv6 packets. If any fragments of an IPv6 packet do not arrive within the
specified time, the fragments are discarded and the packet is not re-assembled. You can
specify 4-16000 ms (16 seconds), in 10-ms increments.

Default 1000 ms (1 second)

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

ipv6 icmpv6 disable


Description Disable ICMPv6 messages.

Syntax [no] ipv6 icmpv6 disable {redirect | unreachable}

Parameter Description
redirect Disables sending of ICMPv6 Redirect messages.
unreachable Disables sending of ICMPv6 Destination Unreachable messages.

Default Both types of ICMP messages are enabled.

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following command disables sending of IPv6 ICMP Destination Unreachable messages:

ACOS(config)#ipv6 icmpv6 disable unreachable

ipv6 nat icmpv6 respond-to-ping


Description Enable ACOS to respond to ping requests sent to NAT addresses owned by the ACOS device.

Syntax [no] ipv6 nat icmpv6 respond-to-ping

Default Disabled.

ipv6 nat inside source list


Description Inside configuration for IPv6 NAT.

Syntax [no] ipv6 nat inside source list list-name pool pool-name

Parameter Description
list-name Name of the source list.
pool-name Name of the address pool.

Default N/A

Mode Configuration mode

Introduced in Release 2.7.0

ipv6 nat pool


Description Configure a named set of IPv6 addresses for use by Network Address Translation (NAT).

Syntax [no] ipv6 nat pool pool-name start-ipv6-addr end-ipv6-addr
netmask mask-length
[gateway ipaddr]
[ip-rr]
[vrid num]

Parameter Description
pool-name Name of the address pool.
start-ipaddr Beginning (lowest) IP address in the range.
end-ipaddr Ending (highest) IP address in the range.
netmask mask-length Network mask for the IP addresses in the pool, 64-128.
gateway ipv6-addr Next-hop gateway address.
ip-rr Uses pool IP addresses in round robin fashion. Without this option, IP address selection from a NAT pool depends on the incoming tuple and the usage of the NAT pool.
vrid num VRRP-A VRID.

Default None.

Mode Configuration mode

Example The following command configures an IPv6 address pool named “ipv6pool2”:

ACOS(config)#ipv6 nat pool ipv6pool2 abc1::1 abc1::10 netmask 96

ipv6 nat pool-group


Description Configure a set of IPv6 pools for use by NAT. Pool groups enable you to use non-contiguous
IP address ranges, by combining multiple IPv6 address pools.

Syntax [no] ipv6 nat pool-group pool-group-name
[vrid num]

Parameter Description
pool-group-name Name of the pool group.
vrid num VRRP-A VRID.

This command changes the CLI to the configuration level for the specified pool group,
where the following command is available:

member pool-name

Replace pool-name with the name of a configured IP address pool.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Default None.

Mode Configuration mode

Usage To use a non-contiguous range of addresses, configure a separate pool for each contiguous
portion of the range, then configure a pool group that contains the pools.

The addresses within an individual pool still must be contiguous, but you can have gaps
between the ending address in one pool and the starting address in another pool. You also
can use pools that are in different subnets.

For SLB, a pool group can contain up to 5 pools. Pool group members must belong to the
same protocol family (IPv4 or IPv6). A pool can be a member of multiple pool groups.

If a pool group contains pools in different subnets, the ACOS device selects the pool that
matches the outbound subnet. For example, if there are two routes to a given destination,
in different subnets, and the pool group has a pool for one of those subnets, ACOS selects
the pool that is in the subnet for the outbound route.

The ACOS device selects the pool whose addresses are in the same subnet as the next-hop
interface used by the data route table to reach the server.

ipv6 neighbor
Description Configure a static IPv6 neighbor.

Syntax [no] ipv6 neighbor ipv6-addr macaddr
{ethernet port-num | trunk TrunkID}
[vlan vlan-id]

Parameter Description
ipv6-addr IPv6 unicast address of the neighbor.
macaddr MAC address of the IPv6 neighbor.
ethernet port-num | trunk TrunkID Ethernet interface or trunk connected to the neighbor.
vlan-id VLAN for which to add the IPv6 neighbor entry. If you do not specify the VLAN, the entry is added for all VLANs.

Default N/A

Mode Configuration mode

Usage The neighbor must be directly connected to the ACOS device’s Ethernet port you specify, or
connected through a Layer 2 switch.

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following command configures IPv6 neighbor 2001:db8::1111:2222 with MAC address
abab.cdcd.efef, connected to the ACOS device’s Ethernet port 5:

ACOS(config)#ipv6 neighbor 2001:db8::1111:2222 abab.cdcd.efef ethernet 5

ipv6 ospf display


Description Change how IPv6 routes are displayed in show ipv6 ospf route output.

Syntax [no] ipv6 ospf display route single-line

Default By default, this option is disabled. Routes are displayed on multiple lines.

Mode Configuration mode

ipv6 prefix-list sequence-number


Description Configure an IPv6 prefix list.

Syntax [no] ipv6 prefix-list list-name
[description string]
[seq sequence-num]
{deny | permit}
{any | ipv6addr/prefix-length}
[ge prefix-length] [le prefix-length]

Parameter Description
list-name Name of the IP prefix list. The name can not contain blanks.
description string Description of the IP prefix list.
seq sequence-num Changes the sequence number of the IP prefix-list rule. The sequence number can be 1-4294967295.
deny | permit Action to take for IP addresses that match the prefix list.
any | ipv6addr/prefix-length IP address and number of mask bits, from left to right, on which to match. If you omit the ge and le options (described below), the mask-length is also the subnet mask on which to match.
ge prefix-length Specifies a range of prefix lengths on which to match. Any prefix length equal to or greater than the one specified will match. For example, ge 25 will match on any of the following mask lengths: /25, /26, /27, /28, /29, /30, /31, or /32.
le prefix-length Specifies a range of prefix lengths on which to match. Any prefix length less than or equal to the one specified will match. The lowest prefix length in the range is the prefix specified with the IP address. For example, 192.168.1.0/24 le 28 will match on any of the following mask lengths: /24, /25, /26, /27, or /28.

Default N/A

Mode Configuration mode

Usage You can use IP prefix lists to provide input to the OSPFv2 command “area area-id filter-list” on
page 371.

The rules for matching and sequence numbering are the same as those for IPv4 prefix lists.
(See “ip prefix-list” on page 311.)

ipv6 route
Description Configure a static IPv6 route.

Syntax [no] ipv6 route ipv6addr/prefix-length
{
next-hop-ipv6addr
[distance]
[cpu-process]
[description string] |
partition partition-name
[vrid vrid]
[description string] |
tunnel num next-hop-ipv6addr
[distance]
[cpu-process]
[description string]
}

Parameter Description
ipv6addr IPv6 unicast address of the route destination.
prefix-length Prefix length, 1-128.
next-hop-ipv6addr IPv6 unicast address of the next-hop gateway to the destination.
distance Distance value for the route, 1-255.
cpu-process Sends traffic that uses this route to the CPU for processing. This option is applicable only to certain models, including AX models AX 3200-12, AX 3400, AX 5200-11, and AX 5630.
partition partition-name [vrid vrid] Forwards the traffic to the specified L3V partition as the next hop. The vrid option specifies the VRRP-A VRID, if applicable.
description string Description of the static route.

Default N/A

Mode Configuration mode

Usage The ethernet, trunk, and ve options are available only if the gateway-addr is a link-local
address. Otherwise, the options are not displayed in the online help and are not supported.
• If you use an individual Ethernet port, the port can not be a member of a trunk or a VE.
If you use a trunk, the trunk can not be a member of a VE.
• After you configure the static route, you can not change the interface’s membership in
trunks or VEs. For example, if you configure a static route that uses Ethernet port 6’s link-
local address as the next hop, it is not supported to later add the interface to a trunk or
VE. The static route must be removed first.

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following command configures a static IPv6 route to destination
2001:db8::3333:3333/32, through gateway 2001:db8::3333:4444:

ACOS(config)#ipv6 route 2001:db8::3333:3333/32 2001:db8::3333:4444

Example The following command configures a default IPv6 route:

ACOS(config)#ipv6 route ::/0 abc1::1111

Example The following command configures an IPv6 static route that uses Ethernet port 6’s link-local
address as the next hop:

ACOS(config)#ipv6 route abaa:3::0/64 fe80::2 ethernet 6

Config Commands: Router – RIP

This chapter describes the syntax for the Routing Information Protocol (RIP) commands. The commands are described in the
following sections:

• “Enabling RIP” on page 329

• “Interface-level RIP Commands” on page 330

• “IPv4 RIP Configuration Commands” on page 330

• “IPv6 RIP Configuration Commands” on page 341

• “RIP Show Commands” on page 350

• “RIP Clear Commands” on page 354

NOTE: This CLI level also has the following commands, which are available at all
configuration levels:

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• do – See “do” on page 90.

• end – See “end” on page 93.

• exit – See “exit” on page 95.

• no – See “no” on page 135.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

Enabling RIP
You can enable RIP for IPv4 and RIP for IPv6. Each version runs independently of the other. The ACOS device supports a single
IPv4 RIP process and a single IPv6 RIP process.

NOTE: Optionally you also can enable RIPv1. RIPv1 and RIPv2 can be enabled separately for
inbound and outbound RIP traffic.

Enabling RIP for IPv4

1. To enable the protocol and access the configuration level for global IPv4 RIP parameters, enter the following command
at the global configuration level:
router rip

2. To enable IPv4 RIP for specific networks, enter the following command separately for each network from the RIP routing
mode:
network {ipaddr/mask-length | interface}

This is the minimum required configuration. Additional configuration may be required depending on your deployment.

Enabling RIP for IPv6

1. To enable the protocol and access the configuration level for global IPv6 RIP parameters, enter the following command
at the global configuration level:
router ipv6 rip

2. To enable IPv6 RIP on an individual interface:

a. Use the following command to return to the global configuration level of the CLI:
exit

b. Use the following command to access the interface:
interface {ethernet port-num | lif lif-num | loopback loopback-num | trunk trunk-num | tunnel tunnel-num | ve ve-num}

c. Use the following command to enable IPv6 RIP on the interface:
ipv6 router rip

This is the minimum required configuration. Additional configuration may be required depending on your deployment.

Interface-level RIP Commands


In addition to global parameters, RIP has parameters on the individual interface level. To configure RIP on an interface, use
the interface command to access the configuration level for the interface, then use the ip rip or ipv6 rip command. (See
“Config Commands: Interface” on page 241.)

IPv4 RIP Configuration Commands


The configuration commands in the following sections are applicable to IPv4 RIP.

Global IPv4 RIP Commands


The commands in this section apply globally to the IPv4 RIP process.

To access the configuration level for an IPv4 RIP process, use the router rip command at the global configuration level of the
CLI.

Interface-level RIP Commands


In addition to global parameters, RIP has parameters on the individual interface level. To configure RIP on an interface, use
the interface command to access the configuration level for the interface, then use the ip rip command. (See “Config
Commands: Interface” on page 241.)

cisco-metric-behavior
Description Enable Cisco-compatible metric behavior. This option affects the display of metric values in
the RIP routing table.

Syntax [no] cisco-metric-behavior {enable | disable}

Parameter Description
enable The metric values displayed for routes in the RIP routing table are the
values before modification by this RIP router (the ACOS device).
disable The metric values displayed for routes in the RIP routing table are the
values after modification by this RIP router (the ACOS device).

Default disable

Mode IPv4 RIP

default-information originate
Description Enable generation of a default route into RIP.

Syntax [no] default-information originate

Default Disabled

Mode IPv4 RIP

default-metric
Description Configure the default metric value for routes that are redistributed into IPv4 RIP.

Syntax [no] default-metric num

Replace num with the default metric, 1-16.

Default 1

Mode IPv4 RIP

distance
Description Set the administrative distance for IPv4 RIP routes.

Syntax [no] distance num [ipaddr/mask-length [acl-id]]

Parameter Description
num Administrative distance, 1-255.
ipaddr/mask-length Network prefix and mask length. The specified distance is
applied only to routes with a matching source address.
acl-id ACL ID. The specified distance is applied only to routes that
match the source IP address in the ACL.

NOTE: In the ACL, use the permit action, not the deny action.

Default The default distance is 120.

Mode IPv4 RIP

Usage The administrative distance specifies the trustworthiness of routes. In cases where there are
multiple routes to the same destination, from different routing protocols, the administrative
distance can be used as a tie-breaker.

A low administrative distance value indicates a high level of trust. Likewise, a high
administrative distance value indicates a low level of trust. For example, setting the
administrative distance value for external routes to 255 means those routes are very
untrustworthy and should not be used.

distribute-list
Description Configure filtering of route updates.

Syntax [no] distribute-list {acl-id | prefix list-name} {in | out} [interface]

Parameter Description
acl-id | prefix list-name ACL or prefix list that specifies the routes to filter. The action you use in the ACL or prefix list determines whether matching routes are allowed:
permit – Matching routes are allowed.
deny – Matching routes are prohibited.
in | out Traffic direction for which to filter updates:
in – Inbound route updates are filtered.
out – Outbound route updates are filtered.
interface Interface on which updates are filtered. You can specify the following types of interfaces:
• ethernet portnum – Ethernet data interface.
• loopback [num] – Loopback interface. If you do not specify an interface number, route updates are filtered out on all loopback interfaces.
• trunk trunknum – Trunk interface.
• ve ve-num – Virtual Ethernet (VE) interface.
If no interface is specified, the filter applies to all interfaces.

NOTE: The internal option is not applicable.

Default Route updates are not filtered out.

Mode IPv4 RIP

Usage Distribute lists can be global or interface-specified:


• If you do not specify an interface with the distribute list, the list is global.
• If you do specify an interface with the distribute list, the list applies only to routes
received (in) or advertised (out) on that interface.

The ACOS device can have one global inbound distribute list and one global outbound
distribute list. Likewise, each interface can have one inbound distribute list and one
outbound distribute list.

For inbound updates, if the interface on which the update is received has a distribute list,
that distribute list is checked before the global distribute list. Likewise, for outbound updates,
the distribute list on the outbound interface is checked before the global distribute list. The
action (permit or deny) in the first distribute list that matches is used.

ACL Implicit Deny Rule

Every ACL has an implicit “deny any” rule at the end. Traffic that does not match any of the
explicitly configured rules in an ACL will match the implicit deny rule.

Example The following commands allow incoming RIP routes only for network 30.30.30.0/24, and only
when received through Ethernet interface 4:

ACOS(config)#ip prefix-list rip-subnet-only permit 30.30.30.0/24
ACOS(config)#router rip
ACOS(config-router)#distribute-list prefix rip-subnet-only in ethernet 4

Example The following commands allow advertisement of RIP routes only for network 10.0.0.0/8, and
only when advertised through VE interface 45:

ACOS(config)#access-list 23 permit 10.0.0.0 0.255.255.255


ACOS(config)#router rip
ACOS(config-router)#distribute-list 23 out ve 45

maximum-prefix
Description Specify the maximum number of routes allowed in the IPv4 RIP route table.

Syntax [no] maximum-prefix num [threshold]

Parameter Description
num Maximum number of RIP routes allowed. You can specify 1-2048.
threshold Percentage of the maximum number of routes at which a warning is
generated. You can specify 1-100. The warnings appear in the routing
log.

Default 256. The default threshold is 75 percent.

Mode IPv4 RIP

neighbor
Description Specify a neighboring IPv4 RIP router.

Syntax [no] neighbor ipaddr

Replace ipaddr with the IP address of the neighboring IPv4 RIP router.

Default None

Mode IPv4 RIP

Usage Enter the command separately for each IPv4 RIP neighbor.

network
Description Enable IPv4 RIP on a network.

Syntax [no] network {ipaddr/mask-length | interface}

Parameter Description
ipaddr/mask-length Prefix and mask length of an IPv4 RIP network.
interface Interface on which to enable RIP. You can specify the following
types of interfaces:
• ethernet portnum – Ethernet data interface.
• loopback [num] – Loopback interface. If you do not
specify an interface number, RIP is enabled on all loopback
interfaces.
• trunk trunknum – Trunk interface.
• ve ve-num – Virtual Ethernet (VE) interface.
If no interface is specified, RIP is enabled on all the interfaces.

NOTE: The internal option is not applicable.

Default None

Mode IPv4 RIP

offset-list
Description Increase the metric for specific routes.

Syntax [no] offset-list acl-id {in | out} offset [interface]

Parameter Description
acl-id ACL that matches on the routes for which to increase the metric.
in | out Direction to which to apply the metric:
• in – Applies the additional metric value to routes received in
updates from RIP neighbors.
• out – Applies the additional metric value to routes advertised to
RIP neighbors.

offset Additional metric to add to routes. You can specify 0-16.
interface Interface on which to increase the metric. You can specify the following
types of interfaces:
• ethernet portnum – Ethernet data interface.
• loopback [num] – Loopback interface. If you do not specify an
interface number, the metric is increased on all loopback interfaces.
• trunk trunknum – Trunk interface.
• ve ve-num – Virtual Ethernet (VE) interface.
If no interface is specified, the metric is increased on all interfaces.

NOTE: The internal option is not applicable.

Default Not set. The metric that is otherwise applied to the route by the RIP process is used.

Mode IPv4 RIP

passive-interface
Description Block RIP broadcasts from being sent on an interface.

Syntax [no] passive-interface interface

Replace interface with the interface on which to block RIP broadcasts. You can specify the
following types of interfaces:

• ethernet portnum – Ethernet data interface.


• loopback [num] – Loopback interface. If you do not specify an interface number, RIP
broadcasts are blocked on all loopback interfaces.
• trunk trunknum – Trunk interface.
• ve ve-num – Virtual Ethernet (VE) interface.

Default None. RIP broadcasts are not blocked on any interfaces.

Mode IPv4 RIP

recv-buffer-size
Description Configure the receive buffer size for RIP UDP packets.

Syntax [no] recv-buffer-size bytes

Replace bytes with the maximum RIP UDP packet size allowed. You can specify
8192-2147483647 bytes.

Default 8192

Mode IPv4 RIP

redistribute
Description Redistribute route information from other sources into RIP.

Syntax [no] redistribute


{
bgp [options] |
connected [options] |
floating-ip [options] |
ip-nat-list [options] |
ip-nat [options] |
isis [options] |
lw4o6 [options] |
ospf [options] |
static [options] |
vip [only-flagged | only-not-flagged [options]]
}

Parameter Description
bgp [options] Redistributes route information from Border Gateway Protocol (BGP) into RIP. For options,
see the end of this parameter list.
connected [options] Redistributes route information for directly connected networks into RIP. For options, see
the end of this parameter list.
floating-ip [options] Redistributes route information for floating IP addresses into RIP. For options, see the end
of this parameter list.
ip-nat-list [options] Redistributes routes into RIP for reaching translated NAT addresses allocated from a range
list. For options, see the end of this parameter list.
ip-nat [options] Redistributes routes into RIP for reaching translated NAT addresses allocated from a pool.
For options, see the end of this parameter list.
isis [options] Redistributes route information from Intermediate System to Intermediate System (IS-IS)
into RIP. For options, see the end of this parameter list.
lw4o6 [options] Redistributes routes into RIP for Lightweight 4over6. (This is an IPv6 Migration feature.)
ospf [options] Redistributes route information from Open Shortest Path First (OSPF) into RIP. For options,
see the end of this parameter list.

static [options] Redistributes routes into RIP for reaching networks through static routes. For options, see
the end of this parameter list.
vip [only-flagged | only-not-flagged [options]] Redistributes routes into RIP for reaching virtual server IP addresses.
By default, all VIPs are redistributed when you use the vip option. To restrict redistribution
to a subset of VIPs, use one of the following options:
• only-flagged – Redistributes only the VIPs on which the redistribution-flagged
command is used.
• only-not-flagged – Redistributes all VIPs except those on which the
redistribution-flagged command is used.
For more information, see the “Usage” information for this command.
• options - Optional parameters supported for the options listed above:
• metric num – Metric for the route, 0-16. There is no default.
• route-map map-name – Name of a route map. (To configure a route map, use the
route-map map-name command at the global configuration level of the CLI.)

NOTE: The kernel option is not applicable.

Default Disabled. By default, RIP routes are not redistributed. For other defaults, see above.

Mode IPv4 RIP

Usage When you enable redistribution, routes to all addresses of the specified type are
redistributed. For example, if you use the vip option, routes to all VIPs are redistributed into RIP.

VIP Redistribution

You can exclude redistribution of individual VIPs using one or the other of the following
methods.

• If more VIPs will be excluded than will be allowed to be redistributed:
  • At the configuration level for each of the VIPs to allow to be redistributed, enter the
    following command: redistribution-flagged
  • At the configuration level for the RIP process, enter the following command:
    redistribute vip only-flagged
• If fewer VIPs will be excluded than will be allowed to be redistributed:
  • At the configuration level for each of the VIPs to exclude from redistribution, enter
    the following command: redistribution-flagged
  • At the configuration level for the RIP process, enter either of the following commands:
    redistribute vip only-not-flagged or redistribute vip

NOTE: In the configuration, the redistribute vip command is automatically converted
into the redistribute vip only-not-flagged command. When you display the configuration,
it will contain the redistribute vip only-not-flagged command, not the
redistribute vip command.

VIP Redistribution Usage Examples:

• If you have 10 VIPs and all of them need to be redistributed by RIP, use the redistribute
vip command at the configuration level for the RIP process.
• If you have 10 VIPs but only 2 of them need to be redistributed, use the
redistribution-flagged command at the configuration level for each of the 2 VIPs, then use the
redistribute vip only-flagged command at the configuration level for the RIP process.
• If you have 10 VIPs and need to redistribute 8 of them, use the redistribution-flagged
command at the configuration level for the 2 VIPs that should not be redistributed.
Enter the redistribute vip only-not-flagged command at the configuration level for
the RIP process. (In this case, alternatively, you could enter redistribute vip instead of
redistribute vip only-not-flagged.)

Example The following commands redistribute floating IP addresses and VIP addresses into RIP:

ACOS(config-router)#redistribute floating-ip
ACOS(config-router)#redistribute vip

Example The following commands flag a VIP, then configure RIP to redistribute only that flagged VIP.
The other (unflagged) VIPs will not be redistributed.

ACOS(config)#slb virtual-server vip1
ACOS(config-slb virtual server)#redistribution-flagged
ACOS(config-slb virtual server)#exit
ACOS(config)#router rip
ACOS(config-router)#redistribute vip only-flagged

route
Description Configure static RIP routes.

Syntax [no] route ipaddr/prefix-length

Replace ipaddr/prefix-length with the destination of the route.

Default None

Mode IPv4 RIP

timers
Description Configure RIP timers.

Syntax [no] timers basic update timeout garbage-collection

Parameter Description
update Amount of time between transmission of RIP route updates to neighbors.
You can specify 5-2147483647 seconds.
The default is 30 seconds.
timeout Maximum number of seconds the ACOS device waits for an update to
a RIP route before the route becomes invalid. You can specify
5-2147483647 seconds.
An invalid route remains in the route table and is not actually removed
until the garbage-collection timer expires. (See below.)
The default is 180 seconds.
garbage-collection Amount of time after a route becomes invalid that the route remains
in the route table before being removed. You can specify
5-2147483647 seconds.
The default is 120 seconds.

Default See descriptions.

Mode IPv4 RIP

Usage All RIP routers in the network should use the same timer values. However, the timers should
not be synchronized among multiple routers, since this can cause unnecessary collisions.

version
Description Specify the RIP version to run.

Syntax [no] version {1 [2] | 2}

Parameter Description
1 RIP version 1.
2 RIP version 2.

Default 2

Mode IPv4 RIP

Usage The version you specify runs on all RIP interfaces on the ACOS device.

CAUTION: RIPv1 is less secure than RIPv2. It is recommended to run RIPv2 if your other routers
support it.
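
The IPv4 RIP commands above have permissive defaults: route updates are not filtered, redistribution covers every route of the named type, and RIPv1 runs if it is configured. The following Python check is an added example, not A10 code; it reads a constructed configuration in an assumed indented layout and reports those settings. The route-map name and the finding codes are hypothetical.

```python
"""Lint the IPv4 RIP block of an ACOS-style configuration (added example)."""

# Constructed sample. Assumed layout: sub-commands are indented under
# "router rip" and the block ends at the first non-indented line.
SAMPLE_CONFIG = """\
ip prefix-list rip-subnet-only permit 30.30.30.0/24
access-list 23 permit 10.0.0.0 0.255.255.255
router rip
  version 1 2
  network ethernet 4
  network ve 45
  distribute-list prefix rip-subnet-only in ethernet 4
  distribute-list 23 out ve 45
  redistribute vip only-not-flagged
  redistribute static route-map static-to-rip
  redistribute connected
!
"""

IF_TYPES = ("ethernet", "loopback", "trunk", "ve")


def rip_block(config_text):
    """Return the tokenized commands inside the first 'router rip' block."""
    cmds, inside = [], False
    for line in config_text.splitlines():
        if line.strip() == "router rip":
            inside = True
        elif inside:
            if not line.startswith((" ", "\t")):
                break                      # first non-indented line ends the block
            if line.split():
                cmds.append(line.split())
    return cmds


def parse_distribute_list(tokens):
    """Split 'distribute-list {acl-id | prefix list-name} {in | out} [interface]'."""
    rest = tokens[2:] if tokens[1:2] == ["prefix"] else tokens[1:]
    if len(rest) < 2 or rest[1] not in ("in", "out"):
        return None
    # No interface after the direction means the list is global (None).
    return rest[0], rest[1], " ".join(rest[2:]) or None


def audit_rip(config_text):
    """Return (code, subject) findings for the IPv4 RIP block."""
    findings = []
    versions = {"2"}                       # documented default
    rip_ifaces, inbound = [], {}
    for t in rip_block(config_text):
        if t[0] == "version":
            versions = set(t[1:])
        elif t[0] == "network" and len(t) > 1 and t[1] in IF_TYPES:
            # Only interface-form network statements are tracked here;
            # prefix-form statements are not mapped to interfaces.
            rip_ifaces.append(" ".join(t[1:]))
        elif t[0] == "distribute-list":
            parsed = parse_distribute_list(t)
            if parsed and parsed[1] == "in":
                inbound[parsed[2]] = parsed[0]
        elif t[0] == "redistribute" and len(t) > 1:
            if t[1] == "vip":
                # Without only-flagged, every VIP that is not flagged is
                # advertised, including VIPs created later.
                if "only-flagged" not in t:
                    findings.append(("vip-not-allow-listed", " ".join(t)))
            elif "route-map" not in t:
                # No route map: all routes of this type are redistributed.
                findings.append(("redistribute-unfiltered", t[1]))
    if "1" in versions:
        findings.append(("ripv1-accepted", "version " + " ".join(sorted(versions))))
    for iface in rip_ifaces:
        # An interface is covered by its own inbound list or by a global one.
        if iface not in inbound and None not in inbound:
            findings.append(("unfiltered-inbound", iface))
    return findings


if __name__ == "__main__":
    for code, subject in audit_rip(SAMPLE_CONFIG):
        print(f"{code}: {subject}")
```
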

IPv6 RIP Configuration Commands


The configuration commands in the following sections are applicable to IPv6 RIP.

Global IPv6 RIP Commands


The commands in this section apply globally to the IPv6 RIP process.

To access the configuration level for an IPv6 RIP process, use the router ipv6 rip command at the global configuration level
of the CLI.

Interface-level RIP Commands


In addition to global parameters, RIP has parameters on the individual interface level. To configure RIP on an interface, use
the interface command to access the configuration level for the interface, then use the ip rip or ipv6 rip command. (See
“Config Commands: Interface” on page 241.)

aggregate-address
Description Configure an aggregate of multiple IPv6 RIP routes.

Syntax [no] aggregate-address ipv6addr/mask-length

Replace ipv6addr/mask-length with the IPv6 address and prefix length of the aggregate.
The aggregate route will be used instead of the individual routes to destinations that match
the aggregate’s address and prefix.

Default None

Mode IPv6 RIP

cisco-metric-behavior
Description Enable Cisco-compatible metric behavior. This option affects the display of metric values in
the RIP routing table.

Syntax [no] cisco-metric-behavior {enable | disable}

Parameter Description
enable The metric values displayed for routes in the RIP routing table are the
values before modification by this RIP router (the ACOS device).
disable The metric values displayed for routes in the RIP routing table are the
values after modification by this RIP router (the ACOS device).

Default disable

Mode IPv6 RIP

default-information originate
Description Enable generation of a default route into RIP.

Syntax [no] default-information originate

Default Disabled

Mode IPv6 RIP

default-metric
Description Configure the default metric value for routes that are redistributed into IPv6 RIP.

Syntax [no] default-metric num

Replace num with the default metric, 1-16.

Default 1

Mode IPv6 RIP

distribute-list
Description Configure filtering of route updates.

Syntax [no] distribute-list {acl-id | prefix list-name} {in | out} [interface]

Parameter Description
acl-id | prefix list-name ACL or prefix list that specifies the routes to filter. The action you
use in the ACL or prefix list determines whether matching routes
are allowed:
• permit – Matching routes are allowed.
• deny – Matching routes are prohibited.
in | out Traffic direction for which to filter updates:
• in – Inbound route updates are filtered.
• out – Outbound route updates are filtered.
interface Interface on which updates are filtered. You can specify the following
types of interfaces:
• ethernet portnum – Ethernet data interface.
• loopback [num] – Loopback interface. If you do not specify an
interface number, route updates are filtered out on all
loopback interfaces.
• trunk trunknum – Trunk interface.
• ve ve-num – Virtual Ethernet (VE) interface.
If no interface is specified, the filter applies to all interfaces.

NOTE: The internal option is not applicable.

Default Route updates are not filtered out.

Mode IPv6 RIP

Usage Distribute lists can be global or interface-specified:


• If you do not specify an interface with the distribute list, the list is global.
• If you do specify an interface with the distribute list, the list applies only to routes
received (in) or advertised (out) on that interface.

The ACOS device can have one global inbound distribute list and one global outbound
distribute list. Likewise, each interface can have one inbound distribute list and one
outbound distribute list.

For inbound updates, if the interface on which the update is received has a distribute list,
that distribute list is checked before the global distribute list. Likewise, for outbound updates,
the distribute list on the outbound interface is checked before the global distribute list. The
action (permit or deny) in the first distribute list that matches is used.

ACL Implicit Deny Rule

Every ACL has an implicit “deny any” rule at the end. Traffic that does not match any of the
explicitly configured rules in an ACL will match the implicit deny rule.

neighbor
Description Specify a neighboring IPv6 RIP router.

Syntax [no] neighbor ipv6addr interface

Parameter Description
ipv6addr Link-local IPv6 address of the neighboring IPv6 RIP router.
interface Interface on which the neighbor can be reached. You can specify the
following types of interfaces:

NOTE: The internal option is not applicable.

Default None

Mode IPv6 RIP

Usage Enter the command separately for each IPv6 RIP neighbor.

offset-list
Description Increase the metric for specific routes.

Syntax [no] offset-list acl-id {in | out} offset [interface]

Parameter Description
acl-id ACL that matches on the routes for which to increase the metric.
in | out Direction to which to apply the metric:
in – Applies the additional metric value to routes received in
updates from RIP neighbors.
out – Applies the additional metric value to routes advertised to RIP
neighbors.

offset Additional metric to add to routes. You can specify 0-16.
interface Interface on which to increase the metric. You can specify the following
types of interfaces:
• ethernet portnum – Ethernet data interface.
• loopback [num] – Loopback interface. If you do not specify an
interface number, the metric is increased on all loopback interfaces.
• trunk trunknum – Trunk interface.
• ve ve-num – Virtual Ethernet (VE) interface.
If no interface is specified, the metric is increased on all interfaces.

NOTE: The internal option is not applicable.

Default Not set. The metric that is otherwise applied to the route by the RIP process is used.

Mode IPv6 RIP

passive-interface
Description Block RIP broadcasts from being sent on an interface.

Syntax [no] passive-interface interface

Replace interface with the interface on which to block RIP broadcasts. You can specify the
following types of interfaces:

• ethernet portnum – Ethernet data interface.


• loopback [num] – Loopback interface. If you do not specify an interface number, RIP
broadcasts are blocked on all loopback interfaces.
• trunk trunknum – Trunk interface.
• ve ve-num – Virtual Ethernet (VE) interface.

Default None. RIP broadcasts are not blocked on any interfaces.

Mode IPv6 RIP

recv-buffer-size
Description Configure the receive buffer size for RIP UDP packets.

Syntax [no] recv-buffer-size bytes

Replace bytes with the maximum RIP UDP packet size allowed. You can specify
8192-2147483647 bytes.

Default 8192

Mode IPv6 RIP

redistribute
Description Redistribute route information from other sources into RIP.

Syntax [no] redistribute


{
bgp [options] |
connected [options] |
floating-ip [options] |
ip-nat [options] |
ip-nat-list [options] |
isis [options] |
ospf [options] |
static [options] |
vip [only-flagged | only-not-flagged [options]]
}

Parameter Description
bgp [options] Redistributes route information from Border Gateway Protocol (BGP) into RIP. For options,
see the end of this parameter list.
connected [options] Redistributes route information for directly connected networks into RIP. For options, see
the end of this parameter list.
floating-ip [options] Redistributes route information for floating IP addresses into RIP. For options, see the end
of this parameter list.
ip-nat [options] Redistributes routes into RIP for reaching translated NAT addresses allocated from a pool.
For options, see the end of this parameter list.
ip-nat-list [options] Redistributes routes into RIP for reaching translated NAT addresses allocated from a range
list. For options, see the end of this parameter list.
isis [options] Redistributes route information from Intermediate System to Intermediate System (IS-IS)
into RIP. For options, see the end of this parameter list.
ospf [options] Redistributes route information from Open Shortest Path First (OSPF) into RIP. For options,
see the end of this parameter list.
static [options] Redistributes routes into RIP for reaching networks through static routes. For options, see
the end of this parameter list.
vip [only-flagged | only-not-flagged [options]] Redistributes routes into RIP for reaching virtual server IP addresses.
By default, all VIPs are redistributed when you use the vip option. To restrict redistribution
to a subset of VIPs, use one of the following options:
• only-flagged – Redistributes only the VIPs on which the redistribution-flagged
command is used.
• only-not-flagged – Redistributes all VIPs except those on which the
redistribution-flagged command is used.
See “Usage” below for more information.
• options - Optional parameters supported for the options listed above:
• metric num – Metric for the route, 0-16. There is no default.
• route-map map-name – Name of a route map. (To configure a route map, use
the route-map map-name command at the global configuration level of the CLI.)

Default Disabled. By default, RIP routes are not redistributed. For other defaults, see above.

Mode IPv6 RIP

Usage When you enable redistribution, routes to all addresses of the specified type are
redistributed. For example, if you use the vip option, routes to all VIPs are redistributed into RIP.

VIP Redistribution

You can exclude redistribution of individual VIPs using one or the other of the following
methods.

• If more VIPs will be excluded than will be allowed to be redistributed:
  • At the configuration level for each of the VIPs to allow to be redistributed, enter the
    following command: redistribution-flagged
  • At the configuration level for the RIP process, enter the following command:
    redistribute vip only-flagged
• If fewer VIPs will be excluded than will be allowed to be redistributed:
  • At the configuration level for each of the VIPs to exclude from redistribution, enter
    the following command: redistribution-flagged
  • At the configuration level for the RIP process, enter either of the following commands:
    redistribute vip only-not-flagged or redistribute vip

NOTE: In the configuration, the redistribute vip command is automatically converted
into the redistribute vip only-not-flagged command. When you display the configuration,
it will contain the redistribute vip only-not-flagged command, not the
redistribute vip command.

VIP Redistribution Usage Examples:

• If you have 10 VIPs and all of them need to be redistributed by RIP, use the redistribute
vip command at the configuration level for the RIP process.
• If you have 10 VIPs but only 2 of them need to be redistributed, use the
redistribution-flagged command at the configuration level for each of the 2 VIPs, then use the
redistribute vip only-flagged command at the configuration level for the RIP process.
• If you have 10 VIPs and need to redistribute 8 of them, use the redistribution-flagged
command at the configuration level for the 2 VIPs that should not be redistributed.
Enter the redistribute vip only-not-flagged command at the configuration level for
the RIP process. (In this case, alternatively, you could enter redistribute vip instead of
redistribute vip only-not-flagged.)

route
Description Configure static RIP routes.

Syntax [no] route ipv6addr/prefix-length

Replace ipv6addr/prefix-length with the destination of the route.

Default None

Mode IPv6 RIP

route-map
Description Configure a list of interfaces to use as input to other RIP commands.

Syntax [no] route-map map-name {in | out} interface

Parameter Description
map-name Name of the route map.
in | out Direction to which the map applies:
in – Applies to incoming routes received in updates from RIP neighbors.
out – Applies to routes advertised to RIP neighbors.
interface Interface to which to apply the route map. You can specify the following
types of interfaces:
• ethernet portnum – Ethernet data interface.
• loopback [num] – Loopback interface. If you do not specify an
interface number, the route map is applied to all loopback interfaces.
• trunk trunknum – Trunk interface.
• ve ve-num – Virtual Ethernet (VE) interface.

Default None

Mode IPv6 RIP

timers
Description Configure RIP timers.

Syntax [no] timers basic update timeout garbage-collection

Parameter Description
update Amount of time between transmission of RIP route updates
to neighbors. You can specify 5-2147483647 seconds.
The default is 30 seconds.
timeout Maximum number of seconds the ACOS device waits for an
update to a RIP route before the route becomes invalid. You
can specify 5-2147483647 seconds.
An invalid route remains in the route table and is not actually
removed until the garbage-collection timer expires. (See
below.)
The default is 180 seconds.
garbage-collection Amount of time after a route becomes invalid that the route
remains in the route table before being removed. You can
specify 5-2147483647 seconds.
The default is 120 seconds.

Default See descriptions.

Mode IPv6 RIP

Usage All RIP routers in the network should use the same timer values. However, the timers should
not be synchronized among multiple routers, since this can cause unnecessary collisions.

RIP Show Commands


This section lists the RIP show commands.

show ip rip database


Description Display the RIP IPv4 route database.

Syntax show ip rip database

Mode All

Example The following command displays the IPv4 RIP database:

ACOS(config)#show ip rip database

AX2600-1(config)#show ip rip database


Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP,
v - VIP, V - VIP selected, N - IP NAT group,
n - IP NAT, f - Floating IP

   Network            Next Hop         Metric From             If           Time
Rc 1.0.3.0/24                               1                  ethernet 5
R  1.0.4.0/24         12.0.0.2              2 12.0.0.2         ethernet 2   02:59
Rc 12.0.0.0/24                              1                  ethernet 2

Parameter Description
Codes R - RIP
Rc - RIP connected
Rs - RIP static
K - Kernel
C - Connected
S - Static
O - OSPF
I - IS-IS
B - BGP,
v - VIP
V - VIP selected
N - IP NAT group,
n - IP NAT
f - Floating IP
Network
Next Hop
Metric From
If
Time

show ipv6 rip database


Description Display the RIP IPv6 route database.

Syntax show ipv6 rip database

Mode All

Example The following command displays the IPv6 RIP database:

ACOS(config)#show ipv6 rip database


Codes: R - RIP, Rc - RIP connected, Rs - RIP static, Ra - RIP aggregated,
Rcx - RIP connect suppressed, Rsx - RIP static suppressed,
K - Kernel, C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP,
v - VIP, V - VIP selected, N - IP NAT group,
n - IP NAT, f - Floating IP

   Network        Next Hop                   If           Met Tag Time
Rc 3000::/64      ::                         ethernet 2     1   0
Rc 3ff3::/64      ::                         ethernet 5     1   0
R  3ff4::/64      fe80::21f:a0ff:fe10:a4a6   ethernet 2     2   0 02:59

Parameter Description
Codes R - RIP
Rc - RIP connected
Rs - RIP static
Ra - RIP aggregated
Rcx - RIP connect suppressed
Rsx - RIP static suppressed
K - Kernel
C - Connected
S - Static
O - OSPF
I - IS-IS
B - BGP,
v - VIP
V - VIP selected
N - IP NAT group,
n - IP NAT
f - Floating IP
Network
Next Hop
If
Met
Tag
Time

RIP Clear Commands


This section lists the RIP clear commands.

clear ip rip route


Description Clears routes from the IPv4 RIP table.

Syntax clear ip rip route {ipaddr/mask-length | rip}

Parameter Description
ipaddr/mask-length Clears the route to the specified network.
rip Clears all RIP routes from the table.

Mode Privileged EXEC or any configuration level

clear ipv6 rip route


Description Clears routes from the IPv6 RIP table.

Syntax clear ipv6 rip route


{
ipv6addr/mask-length |
all |
bgp |
connected |
floating-ip |
ip-nat |
ip-nat-list |
isis |
ospf |
rip |
static |
vip [only-flagged | only-not-flagged]
}

Parameter Description
ipv6addr/mask-length Clears the route to the specified network.
rip Clears all RIP routes from the table.
all Clears all RIP routes from the table.
bgp Clears all RIP routes received from BGP.
connected Clears all RIP routes to directly connected networks.
floating-ip Clears all RIP routes to floating IP addresses.
ip-nat Clears all RIP routes to translated NAT addresses allocated
from a pool.

ip-nat-list Clears all RIP routes to translated NAT addresses allocated
from a range list.
isis Clears all RIP routes received from IS-IS.
ospf Clears all RIP routes received from OSPF.
static Clears all static RIP routes.
vip [only-flagged | only-not-flagged] Clears all RIP routes to virtual server IP addresses.
By default, routes to all VIPs are cleared. To clear routes to a
subset of VIPs, use one of the following options:
• only-flagged – Clears the RIP routes to only the VIPs
on which the redistribution-flagged command is used.
• only-not-flagged – Clears the RIP routes to all VIPs
except those on which the redistribution-flagged
command is used.

NOTE: The kernel option is not applicable.

Mode Privileged EXEC or any configuration level


Config Commands: Router – OSPF

This chapter describes the commands for configuring global OSPFv2 and OSPFv3 parameters.

NOTE: This CLI level also has the following commands, which are available at all configuration
levels:

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• do – See “do” on page 90.

• end – See “end” on page 93.

• exit – See “exit” on page 95.

• no – See “no” on page 135.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

Enabling OSPF
To enable OSPF, use one of the following commands at the global configuration level of the CLI. Each command changes the
CLI to the configuration level for the specified OSPFv2 process ID or OSPFv3 process tag.

Enable OSPFv2
To enable OSPFv2, use the following command:

ACOS(config)#router ospf [process-id]

The process-id specifies the IPv4 OSPFv2 process to run on the ACOS device, and can be 1-65535.

Enable OSPFv3
To enable OSPFv3, use the following command:

ACOS(config)#router ipv6 ospf [tag]

The tag specifies the IPv6 OSPFv3 process to run on the IPv6 link, and can be 1-65535.

NOTE: It is recommended to set a fixed router-ID for all dynamic routing protocols you plan to
use on the ACOS device, to prevent router-ID changes caused by VRRP-A failover.

NOTE: For OSPFv3, the area tag ID configured on an interface must be the same as the tag ID
for the OSPF instance.

Interface-level OSPF Commands


In addition to global parameters, OSPF has parameters on the individual interface level. To configure OSPF on an interface,
use the interface command to access the configuration level for the interface, then use the ip ospf or ipv6 ospf command.
(See “Config Commands: Interface” on page 241.)

Show Commands
To display OSPF settings, use show ip ospf or show ipv6 ospf commands. (See “Show Commands” on page 681.)

Configuration Commands Applicable to OSPFv2 or OSPFv3
The following configuration commands are applicable to OSPFv2 and OSPFv3.

The commands in this section apply throughout the OSPFv2 process or OSPFv3 process in which the commands are
entered.

abr-type
Description Specify the Area Border Router (ABR) type.

Syntax [no] abr-type {cisco | ibm | standard}

Parameter Description
cisco Alternative ABR using Cisco implementation (RFC 3509).
ibm Alternative ABR using IBM implementation (RFC 3509).
standard Standard ABR behavior (RFC 2328)

Default cisco

Mode OSPFv3


area area-id default-cost


Description Specify the cost of a default summary route sent into a stub area.

Syntax [no] area area-id default-cost num

Parameter Description
area-id Area ID, either an IP address or a number.
num Cost of the default summary route, 0-16777214.

Default The default is 1.

Mode OSPFv2 or OSPFv3

Example The following command assigns a cost of 4400 to default summary routes injected into stub
areas:

ACOS(config-ospf:1)#area 5.5.5.5 default-cost 4400

area area-id range


Description Summarize routes at an area boundary.

Syntax [no] area area-id range ipaddr/mask-length [advertise | not-advertise]

Parameter Description
area area-id Beginning area ID (either an IP address or a number).
range Ending area ID.
ipaddr Subnet address for the range.
/mask-length Network mask length for the range.
advertise Generates Type 3 summary LSAs for the areas in the range.
not-advertise Does not generate Type 3 summary LSAs. The networks are hidden
from other networks.

Default There is no default range configuration. When you configure a range, the default
advertisement string is advertise.

Mode OSPFv2 or OSPFv3

Example The following command configures a range and disables advertisement of routes into the
areas:

ACOS(config-ospf:1)#area 8.8.8.8 range 10.10.10.10/16 not-advertise


area area-id stub


Description Configure a stub area.

Syntax [no] area area-id stub [no-summary]

Parameter Description
area-id Area ID.
no-summary ABRs do not send summary LSAs into the stub area.

Default None

Mode OSPFv2 or OSPFv3

Example The following command configures a stub area with area ID 10.2.4.5:

ACOS(config-ospf:1)#area 10.2.4.5 stub

area area-id virtual-link


Description Configure a link between two backbone areas that are separated by non-backbone areas.

Syntax [no] area area-id virtual-link ipaddr
[authentication]
[authentication-key string [string ...]]
[dead-interval seconds]
[fall-over bfd]
[hello-interval seconds]
[message-digest-key num md5 string [string ...]]
[retransmit-interval seconds]
[transmit-delay seconds]

Parameter Description
area-id Area ID, either an IP address or a number.
ipaddr IP address of the OSPF neighbor at the other end of the link.
authentication Enables authentication on the link.
authentication-key string [string ...] Specifies a simple text password for authenticating
OSPF traffic between this router and the neighbor at the other end of the virtual link. The
string is an 8-character authentication password.
dead-interval seconds Number of seconds this OSPF router will wait for a reply to a hello
message sent to the neighbor on the other end of the virtual link,
before declaring the neighbor to be offline. You can specify 1-65535
seconds.
The default is 40 seconds.
fall-over bfd Enable fall-over detection.

hello-interval seconds Number of seconds this OSPF router waits between sending hello
messages to the neighbor on the other end of the virtual link. You can
specify 1-65535 seconds.
The default is 10 seconds.
message-digest-key num md5 string [string ...] Specifies an MD5 key, 1-255. The string is a
16-character authentication password.
retransmit-interval seconds Number of seconds this OSPF router waits before resending an
unacknowledged packet to the neighbor on the other end of the virtual
link. You can specify 1-65535 seconds.
The default is 5 seconds.
transmit-delay seconds Number of seconds this OSPF router waits between sending packets
to the neighbor on the other end of the virtual link. You can specify
1-65535 seconds.
The default is 1 second.

Default None. When you configure a virtual link, it has the default settings described in the table
above.

Mode OSPFv2 or OSPFv3

auto-cost reference-bandwidth


Description Change the reference bandwidth used by OSPF to calculate default metrics.

Syntax [no] auto-cost reference-bandwidth mbps

Replace mbps with the reference bandwidth, in Mbps. You can specify 1-4294967.

Default 100 Mbps

Mode OSPFv2 or OSPFv3

Usage By default, OSPF calculates the OSPF metric for an interface by dividing the reference
bandwidth by the interface bandwidth. This command differentiates high-bandwidth links from
lower-bandwidth links. If multiple links have high bandwidth, specify a larger reference
bandwidth so that the cost of those links is differentiated from the cost of lower-bandwidth
links.

bfd
Description Enable BFD on all interfaces for which OSPF is running.

Syntax [no] bfd all-interfaces

Default Disabled

Mode OSPFv2 or OSPFv3


Introduced in Release 2.7.1

clear
Description Clear all or specific OSPF neighbors.

Syntax clear ip ospf [process-id]
{
process |
neighbor
{all | neighbor-id | interface
{interface-ip-address [neighbor-ip-address]}}
}

clear ipv6 ospf [process-tag]
{
process |
neighbor
{all | neighbor-id |
interface-name [neighbor-id]}
}

Parameter Description
process-id Specifies the IPv4 OSPFv2 process to run on the device,
and can be 1-65535.
process-tag Specifies the IPv6 OSPFv3 process to run on the IPv6 link,
and can be 1-65535.
neighbor-id Router-id of the OSPF device.
neighbor-ip-address IP address of the interface for the neighboring device.
interface-ip-address IP address of the interface of the device on which the
OSPF neighbor exists.

Default N/A

Mode OSPFv2 or OSPFv3

Introduced in Release 2.7.1

Usage With OSPFv2, the CLI lets you specify an interface IP address of the ACOS device.
With OSPFv3, the CLI lets you specify the interface name for a specific neighbor.

Example The following command clears all OSPFv2 neighbors:

ACOS(config)#clear ip ospf neighbor all

Example The following command clears all neighbors to a specific router:

ACOS(config)#clear ip ospf neighbor 192.1.1.1

Example The following command clears all neighbors on an interface:


ACOS(config)#clear ip ospf neighbor interface 10.1.1.10

Example The following command clears a neighbor on a specified interface to a specified router:

ACOS(config)#clear ip ospf neighbor interface 10.1.1.10 192.1.1.10

Example The following command clears all OSPFv3 neighbors:

ACOS(config)#clear ipv6 ospf 5 neighbor all

Example The following command clears all neighbors to a specific router:

ACOS(config)#clear ipv6 ospf neighbor 192.1.1.1

Example The following command clears all OSPFv3 neighbors on a specified interface:

ACOS(config)#clear ipv6 ospf neighbor ethernet 1

Example The following command clears all neighbors on a specified interface to a specific router:

ACOS(config)#clear ipv6 ospf neighbor ethernet 1 192.1.1.1

default-metric
Description Set the numeric cost that is assigned to OSPF routes by default. The metric (cost) is added to
routes when they are redistributed.

Syntax [no] default-metric num

Replace num with the default cost, 0-16777214.

Default 20

Mode OSPFv2 or OSPFv3

Example The following command configures a default metric of 6666:

ACOS(config-router)#default-metric 6666

distribute-internal
Description Enable redistribution of ACOS-specific resources as internal routes (type-1 LSAs).

Syntax [no] distribute-internal
{lw4o6 [options] | floating-ip | ip-nat | ip-nat-list | vip | vip-only-flagged}
area area-id [cost num]

Distribute-internal for router IPv6 OSPF:

Syntax [no] distribute-internal
{lw4o6 [options] | nat64 | floating-ip | ip-nat | ip-nat-list | vip | vip-only-flagged}


Parameter Description
lw4o6 [options] Redistributes LW4o6 routes into OSPF.
nat64 Redistributes NAT64 routes into OSPF.
floating-ip [options] Redistributes routes into OSPF for reaching floating IP addresses.
ip-nat Redistributes routes into OSPF for reaching translated NAT
addresses allocated from a pool.
ip-nat-list Redistributes routes into OSPF for reaching translated NAT
addresses allocated from a range list.
vip Redistributes routes into OSPF for reaching virtual server IP
addresses.
vip-only-flagged Same as the vip option, but applies only to VIPs on which the
redistribution-flagged option is enabled.

Default Disabled. By default, OSPF routes are not redistributed. For other defaults, see above.

Mode OSPFv2 or OSPFv3

Usage Routes that are redistributed into OSPF as external routes are redistributed as type-5
link-state advertisements (LSAs). Routes that are redistributed into OSPF as internal routes are
redistributed as type-1 LSAs.

You can enable either external or internal redistribution for a given ACOS-specific resource
type.

Example The following command enables internal distribution into OSPF area 0, of routes to all VIPs
configured on the ACOS device, and assigns cost 11 to the routes:

ACOS(config-router)#distribute-internal vip area 0 cost 11

Example The following command enables internal distribution into OSPF area 1, of routes to VIPs that
have the redistribution-flagged option, and assigns cost 21 to the routes:

ACOS(config-router)#distribute-internal vip-only-flagged area 1 cost 21

Example The following command enables internal distribution into OSPF area 5, of routes to floating
IP addresses, and assigns cost 555 to the routes:

ACOS(config-router)#distribute-internal floating-ip area 5 cost 555

Example The following command displays the OSPF IPv4 route table. The routes configured for
internal distribution are indicated by “internal”.

ACOS(config-router)#show ip ospf route
OSPF process 11: counter = 6
Codes: C - connected, D - Discard, O - OSPF, IA - OSPF inter area


N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2

C 6.1.1.0/24 [10] is directly connected, ve 6, Area 0.0.0.0
C 111.1.1.2/32 [21] is directly connected, internal vip-only-flagged, Area 0.0.0.1
C 111.1.1.3/32 [11] is directly connected, internal vip, Area 0.0.0.0
C 114.1.1.1/32 [21] is directly connected, internal vip-only-flagged, Area 0.0.0.1
C 200.1.1.2/32 [555] is directly connected, internal floating-ip, Area 0.0.0.5

ha-standby-extra-cost
Description Enable OSPF awareness of High Availability (HA).

Syntax [no] ha-standby-extra-cost num

Replace num with the extra cost to add to the ACOS device’s OSPF interfaces, if the HA status
of one or more of the device’s HA groups is Standby. You can specify 1-65535. If the resulting
cost value is more than 65535, the cost is set to 65535.

Default Not set. The OSPF protocol on the ACOS device is not aware of the HA state (Active or
Standby) of the ACOS device.

Mode OSPFv2 or OSPFv3

Usage Enter the command on each of the ACOS devices in the HA pair.

log-adjacency-changes
Description Log changes in adjacency state.

Syntax log-adjacency-changes {detail | disable}

Parameter Description
detail Enable the logging of all changes in adjacency state.
disable Disable logging.

Default Logging is enabled in brief mode by default.

Mode OSPFv3

Usage In brief mode, the following state changes are logged:
• FULL -> XXXX
• XXXX -> FULL
• XXXX -> DOWN


In detail mode, all state changes will be logged. In disable mode, no state changes are
logged.

Example Enable the logging of all adjacency state changes.

ACOS(config)#router ipv6 ospf 2
ACOS(config-ospf:2)#log-adjacency-changes detail

max-concurrent-dd
Description Set the maximum number of OSPF neighbors that can be processed concurrently during
database exchange between this OSPF router and its OSPF neighbors.

Syntax [no] max-concurrent-dd num

Replace num with the maximum number of neighbors that can be processed at the same
time during database exchange. You can specify 1-65535.

Default Not set (no limit)

Mode OSPFv2 or OSPFv3

Usage This command is useful in cases where router performance is being adversely affected by
processing of neighbor adjacencies.

passive-interface
Description Disable Link-State Advertisements (LSAs) from being sent on an interface.

Syntax [no] passive-interface
{ethernet portnum | lif num | loopback num | ve ve-num}

Default LSAs are enabled. (No interfaces are passive.)

Mode OSPFv2 or OSPFv3

Example The following command configures a passive interface on the Virtual Ethernet (VE) interface
on VLAN 3:

ACOS(config-router)#passive-interface ve 3

redistribute
Description Enable distribution of routes from other sources into OSPF.

Syntax [no] redistribute
{
bgp [options] |
connected [options] |
floating-ip [options] |


ip-nat [ipaddr/mask-length
floating-IP-forward-address ipaddr] [options] |
ip-nat-list [options] |
isis [options] |
lw4o6 [options] |
ospf [process-id] [options] |
rip [options] |
static [options] |
vip [ipaddr floating-IP-forward-address ipaddr |
{only-flagged | only-not-flagged}] [options]
}

Parameter Description
bgp [options] Redistributes routes into OSPF for reaching BGP. For options, see the
end of this parameter list.
connected [options] Redistributes routes into OSPF for reaching directly connected
networks. For options, see the end of this parameter list.
floating-ip [options] Redistributes routes into OSPF for reaching floating IP addresses. For
options, see the end of this parameter list.
ip-nat [ipaddr/mask-length | floating-IP-forward-address ipaddr] [options] Redistributes
routes into OSPF for reaching translated NAT addresses allocated from a pool.
By default, the forward address for all redistributed NAT pool
addresses is 0.0.0.0. To set a floating IP address as the forward address,
use the ipaddr/mask-length option to specify the NAT pool address.
The floating-IP-forward-address ipaddr option specifies the forward
address to use when redistributing the route to the NAT pool address.
For options, see the end of this parameter list.
ip-nat-list [options] Redistributes routes into OSPF for reaching translated NAT addresses
allocated from a range list. For options, see the end of this parameter
list.
isis [options] Redistributes routes into OSPF for IS-IS.
lw4o6 [options] Redistributes routes into OSPF for Lightweight 4over6. (This is an IPv6
Migration feature.)
ospf [process-id] [options] Redistributes routes into this OSPFv2 process for reaching networks in
another OSPFv2 process. For options, see the end of this parameter
list.
rip [options] Redistributes routes into OSPF for RIP.

static [options] Redistributes routes into OSPF for reaching networks through static
routes. For options, see the end of this parameter list.
vip [ipaddr floating-IP-forward-address ipaddr | {only-flagged | only-not-flagged}] [options]
Redistributes routes into OSPF for reaching virtual server IP addresses.
By default, the forward address for all redistributed VIPs is 0.0.0.0. To
set a floating IP address as the forward address, use the ipaddr option
to specify the VIP address. Use the floating-IP-forward-address
ipaddr option to specify the forward address to use when redistributing
the route to the VIP.
By default, all VIPs are redistributed when you use the vip option. To
restrict redistribution to a subset of VIPs, use one of the following
options:
• only-flagged – Redistributes only the VIPs on which the
  redistribution-flagged command is used.
• only-not-flagged – Redistributes all VIPs except those on which
  the redistribution-flagged command is used.
For more information, see the “Usage” section for this command.
• options - Optional parameters supported for the options above:
  • metric-type {1 | 2} – External link type associated with the route
    advertised into the OSPF routing domain (1 for Type 1 external
    route, or 2 for Type 2 external route).
  • metric num – Metric for the route, 0-16777214. The default is 20.
  • route-map map-name – Name of a route map. (To configure a
    route map, see “route-map” on page 151.)
  • tag num – Includes the specified tag value in external Link-State
    Advertisements (LSAs). Inter-domain routers running Border
    Gateway Protocol (BGP) can be configured to make routing
    decisions based on the tag value. The tag value can be
    0-4294967295. The default is 0.

Default Disabled. By default, OSPF routes are not redistributed. For other defaults, see above.

Mode OSPFv2 or OSPFv3

Usage When you enable redistribution, routes to all addresses of the specified type are
redistributed. For example, if you use the vip option, routes to all VIPs are redistributed into OSPF.

By default, the ACOS device uses 0.0.0.0 as the forward address in routes that are
redistributed in OSPF type-5 link-state advertisements (LSAs). In this case, other OSPF routers
find a route to reach the ACOS device (which is acting as OSPF ASBR), then use the
corresponding next-hop address as the next hop for the destination network. You can
specify a floating IP address to use as the forward address, for individual NAT pools or VIPs.
(See the syntax above.)

VIP Redistribution

You can exclude redistribution of individual VIPs using one or the other of the following
methods.


• If more VIPs will be excluded than will be allowed to be redistributed:
  • At the configuration level for each of the VIPs to allow to be redistributed, enter the
    following command: redistribution-flagged
  • At the configuration level for the OSPFv2 process or OSPFv3 process, enter the
    following command: redistribute vip only-flagged
• If fewer VIPs will be excluded than will be allowed to be redistributed:
  • At the configuration level for each of the VIPs to exclude from redistribution, enter
    the following command: redistribution-flagged
  • At the configuration level for the OSPFv2 process or OSPFv3 process, enter either of
    the following commands: redistribute vip only-not-flagged or redistribute vip

NOTE: In the configuration, the redistribute vip command is automatically converted
into the redistribute vip only-not-flagged command. When you display the
configuration, it will contain the redistribute vip only-not-flagged command, not the
redistribute vip command.

VIP Redistribution Usage Examples:

• If you have 10 VIPs and all of them need to be redistributed by OSPF, use the
  redistribute vip command at the configuration level for the OSPF process.
• If you have 10 VIPs but only 2 of them need to be redistributed, use the
  redistribution-flagged command at the configuration level for each of the 2 VIPs, then
  use the redistribute vip only-flagged command at the configuration level for the
  OSPFv2 process or OSPFv3 process.
• If you have 10 VIPs and need to redistribute 8 of them, use the redistribution-flagged
  command at the configuration level for the 2 VIPs that should not be redistributed.
  Enter the redistribute vip only-not-flagged command at the configuration level for
  the OSPFv2 process or OSPFv3 process. (In this case, alternatively, you could enter
  redistribute vip instead of redistribute vip only-not-flagged.)

Example The following commands redistribute floating IP addresses and VIP addresses into OSPF:

ACOS(config-router)#redistribute floating-ip
ACOS(config-router)#redistribute vip

Example The following commands flag a VIP, then configure OSPF to redistribute only that flagged VIP.
The other (unflagged) VIPs will not be redistributed.

ACOS(config)#slb virtual-server vip1
ACOS(config-slb virtual server)#redistribution-flagged
ACOS(config-slb virtual server)#exit
ACOS(config)#router ospf
ACOS(config-router)#redistribute vip only-flagged

Example The following command enables redistribution of VIPs, and sets tag value 555 to be included
in external LSAs that advertise the route to the VIP:

ACOS(config-router)#redistribute vip metric-type 1 metric 1 tag 555
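
The flag logic described under VIP Redistribution can be checked offline before a change is committed. The following Python sketch is an added example, not A10 code: it assumes a configuration text with one command per line as typed on this page, and the function names, the sample VIP names and the allow-list are hypothetical.

```python
# Constructed sample: commands from this reference, one per line. The layout
# (sections opened by "slb virtual-server" and "router ...") is an assumption,
# not captured ACOS output.
SAMPLE_CONFIG = """\
slb virtual-server vip1
redistribution-flagged
slb virtual-server vip2
slb virtual-server vip3
redistribution-flagged
router ospf 1
redistribute vip only-flagged
router ospf 2
redistribute vip metric-type 1 metric 1 tag 555
router ipv6 ospf 5
redistribute floating-ip
"""

MODES = ("only-flagged", "only-not-flagged")
OPTION_KEYWORDS = ("metric-type", "metric", "route-map", "tag")


def parse_config(config):
    """Return (flagged, modes): VIP name -> bool, OSPF process -> effective VIP mode."""
    flagged, modes = {}, {}
    vip = proc = None
    for raw in config.splitlines():
        words = raw.split()
        if words[:2] == ["slb", "virtual-server"] and len(words) >= 3:
            vip, proc = words[2], None
            flagged.setdefault(vip, False)
        elif words[:1] == ["router"]:
            vip = None
            proc = " ".join(words[1:]) if "ospf" in words else None
        elif vip and words == ["redistribution-flagged"]:
            flagged[vip] = True
        elif proc and words[:2] == ["redistribute", "vip"]:
            rest = words[2:]
            if rest and rest[0] in MODES:
                modes[proc] = rest[0]
            elif not rest or rest[0] in OPTION_KEYWORDS:
                # Plain "redistribute vip" is converted to only-not-flagged (see NOTE).
                modes[proc] = "only-not-flagged"
            # The "ipaddr floating-IP-forward-address ipaddr" form is not modelled.
    return flagged, modes


def advertised_vips(config):
    """Return {process: sorted VIP names whose routes that process redistributes}."""
    flagged, modes = parse_config(config)
    result = {}
    for proc, mode in modes.items():
        want_flag = (mode == "only-flagged")
        result[proc] = sorted(v for v, f in flagged.items() if f == want_flag)
    return result


def unexpected_vips(config, allowed):
    """Return {process: VIPs advertised by that process but absent from the allow-list}."""
    return {proc: [v for v in vips if v not in allowed]
            for proc, vips in advertised_vips(config).items()}


if __name__ == "__main__":
    print(advertised_vips(SAMPLE_CONFIG))
    print(unexpected_vips(SAMPLE_CONFIG, {"vip1", "vip3"}))
```

In the sample, flagging vip1 and vip3 for process 1 also removes them from process 2, whose plain redistribute vip means only-not-flagged, so process 2 advertises only vip2.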


router-id
Description Set the value used by this OSPF router to identify itself when exchanging route information
with other OSPF routers.

Syntax [no] router-id ipaddr

NOTE: The syntax for this command is slightly different for OSPFv2. See “ospf router-id” on
page 379.

Default The default router ID is the highest-numbered IP address configured on any of the ACOS
device’s loopback interfaces. If no loopback interfaces are configured, the highest-numbered
IP address configured on any of the ACOS device’s other Ethernet data interfaces is used.

NOTE: Setting the router ID is required for OSPFv3 and is strongly recommended for OSPFv2.

Mode OSPFv2 or OSPFv3

Usage The ACOS device has only one router ID. The address does not need to match an address
configured on the ACOS device. However, the address must be an IPv4 address and must be
unique within the routing domain.

New or changed router IDs require a restart of the OSPF process. To restart the OSPF process,
use the clear ip ospf process command.

Example The following commands set the router ID to 3.3.3.3 and reload OSPF to place the new router
ID into effect:

ACOS(config-router)#router-id 3.3.3.3
ACOS(config-router)#clear ip ospf process

timers spf exp


Description Change Shortest Path First (SPF) timers used for route recalculation following a topology
change. This command enables exponential back-off delays for route recalculation.

Syntax [no] timers spf exp min-delay max-delay

Parameter Description
min-delay Specifies the minimum number of milliseconds (ms) the OSPF process
waits after receiving a topology change, before recalculating its OSPF
routes. You can specify 0-2147483647.
max-delay Specifies the maximum number of milliseconds (ms) the OSPF process
waits after receiving a topology change, before recalculating its OSPF
routes. You can specify 0-2147483647.


Default The default min-delay is 500 ms. The default max-delay is 50000 ms.

Mode OSPFv2 or OSPFv3

Usage After you enter this command, any pending route recalculations are rescheduled based on
the new timer values.

Configuration Commands Applicable to OSPFv2 Only


The following configuration commands are applicable to OSPFv2 only.

The commands in this section apply throughout the OSPFv2 process in which the commands are entered.

area area-id authentication


Description Enable authentication for an OSPF area.

Syntax [no] area area-id authentication [message-digest]

The message-digest option enables MD5 authentication. If you omit this option, simple
text authentication is used.

Default Disabled. No authentication is used.

Mode OSPFv2
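
Simple text authentication places the password unprotected in each OSPF packet, so a review of an OSPFv2 configuration usually starts with which areas and virtual links use it or have no authentication at all. The following Python audit is an added example, not A10 code: it assumes one command per line as typed in this reference, and the function names and key strings are placeholders.

```python
import ipaddress
import re

# Constructed sample: commands from this reference, one per line. The layout
# and the key strings are placeholders, not captured ACOS output.
SAMPLE_CONFIG = """\
router ospf 1
area 0.0.0.0 authentication message-digest
distribute-internal vip area 0 cost 11
area 5.5.5.5 default-cost 4400
area 5.5.5.5 stub
area 10.2.4.5 authentication
area 8.8.8.8 virtual-link 192.1.1.1 authentication authentication-key EXAMPLE1
area 8.8.8.8 virtual-link 192.1.1.2 message-digest-key 1 md5 EXAMPLEKEY16CHAR
router ipv6 ospf 2
area 7 stub
"""


def area_key(area_id):
    """Normalize an area ID (a number or an IP address) to dotted form."""
    value = int(area_id) if area_id.isdigit() else area_id
    return str(ipaddress.IPv4Address(value))


def audit_ospfv2_auth(config):
    """Return sorted (process, subject, state) tuples for anything weaker than MD5.

    Interface-level OSPF authentication is outside this check.
    """
    area_auth = {}   # (process, area) -> "none" | "simple-text" | "md5"
    findings = []
    proc = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"router ospf(?: (\d+))?", line)
        if m:
            proc = m.group(1) or "default"
            continue
        if line.startswith("router "):
            proc = None          # OSPFv3 or another protocol: not audited here
            continue
        if proc is None or line.startswith("no "):
            continue
        # Any command naming an area makes that area part of the process.
        m = re.search(r"(?:^| )area (\S+)", line)
        if m:
            area_auth.setdefault((proc, area_key(m.group(1))), "none")
        m = re.fullmatch(r"area (\S+) authentication( message-digest)?", line)
        if m:
            state = "md5" if m.group(2) else "simple-text"
            area_auth[(proc, area_key(m.group(1)))] = state
        m = re.match(r"area \S+ virtual-link (\S+)(.*)", line)
        if m:
            # Classified by the key type on the command line; keys are never echoed.
            opts = m.group(2).split()
            if "message-digest-key" in opts:
                state = "md5"
            elif "authentication-key" in opts:
                state = "simple-text"
            else:
                state = "none"
            if state != "md5":
                findings.append((proc, "virtual-link " + m.group(1), state))
    findings += [(p, "area " + a, s) for (p, a), s in area_auth.items() if s != "md5"]
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_ospfv2_auth(SAMPLE_CONFIG):
        print(*finding)
```

Area IDs are normalized first, so area 0 and area 0.0.0.0 count as the same area and the MD5 setting on one spelling is not reported as missing on the other.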

area area-id filter-list


Description Filter the summary routes advertised by this OSPF router, if it is acting as an Area Border
Router (ABR).

Syntax [no] area area-id filter-list
{access acl-id {in | out} | prefix list-name {in | out}}

Parameter Description
area-id Area ID, either an IP address or a number.
access acl-id {in | out} ID of an Access Control List (ACL). The only routes that are
advertised are routes to the subnets permitted by the ACL.
prefix list-name {in | out} ID of an IP prefix list. The only routes that are advertised are
routes to the subnets that match the list.


Default Not set.

Mode OSPFv2

Usage You can specify an ACL or an IP prefix list. To configure an ACL, see “access-list (standard)” on
page 48, “access-list (extended)” on page 50, or “ipv6 access-list” on page 317. To configure a
prefix list, see “ip prefix-list” on page 311.

area area-id multi-area-adjacency


Description Enables support for multiple OSPF area adjacencies on the specified interface.

Syntax [no] area area-id multi-area-adjacency
{ethernet portnum | loopback num | management |
ve ve-num}
neighbor ipaddr

Default Disabled. By default, only one OSPF adjacency is allowed on an interface for a given OSPF
process.

Mode OSPFv2

Usage This command is applicable only if this OSPF router is an ABR.

area area-id nssa


Description Configure a not-so-stubby area (NSSA).

Syntax [no] area area-id nssa
[
default-information-originate
[metric num] [metric-type {1 | 2}] |
no-redistribution |
no-summary |
translator-role {always | candidate | never}
]

Parameter Description
area-id Area ID.
default-information-originate [metric num] [metric-type {1 | 2}] Generates a Type 7 LSA into
the NSSA area. This option takes effect only on Area Border Routers (ABRs):
• metric num – Metric for the default route, 0-16777214. The default is 20.
• metric-type {1 | 2} – External link type associated with the route
  advertised into the OSPF routing domain:
  • 1 – Type 1 external route
  • 2 – Type 2 external route
no-redistribution Disables redistribution of routes into the area.

no-summary Disables sending summary LSAs into the NSSA.
translator-role {always | candidate | never} Specifies the types of LSA translation performed
by this OSPF router for the NSSA:
• always – If this OSPF router is an NSSA border router, the router will always
  translate Type 7 LSAs into Type 5 LSAs, regardless of the translator state of
  other NSSA border routers.
• candidate – If this OSPF router is an NSSA border router, the router is
  eligible to be elected the Type 7 NSSA translator.
• never – This OSPF router is ineligible to be elected the Type 7 NSSA
  translator.

Default None

Mode OSPFv2

Example The following command configures an NSSA with area ID 6.6.6.6:

ACOS(config-router)#area 6.6.6.6 nssa

area area-id shortcut


Description Configure short-cutting through an area.

Syntax [no] area area-id shortcut {default | disable | enable}

Parameter Description
area-id Area ID.
default Enables the default shortcut behavior. (See below.)
disable Disables shortcutting through the area.
enable Forces shortcutting through the area.

Default None

Mode OSPFv2

Usage A shortcut enables traffic to go through a non-backbone area with a lower metric, regardless
of whether the ABR router is attached to the backbone area.

compatible rfc1583
Description Enable calculation of summary route costs per RFC 1583.

Syntax [no] compatible rfc1583


Default Disabled. Summary route costs are calculated based on RFC 2328.

Mode OSPFv2

default-information originate
Description Create a default route into the OSPF domain.

Syntax [no] default-information originate
[always]
[metric num]
[metric-type {1 | 2}]
[route-map name]

Parameter Description
always Configures the ACOS device to automatically declare itself a default
gateway for other OSPF routers, even if the ACOS device does not
have a default route to 0.0.0.0/0.
metric num Metric for the default route, 0-16777214.
metric-type {1 | 2} External link type associated with the default route advertised into the
OSPF routing domain:
• 1 - Type 1 external route.
• 2 - Type 2 external route.
route-map map-name Name of a route map. (To configure a route map, see “route-map” on
page 151.)

Default This option is disabled by default. If you enable it, the default metric is 10. The default metric
type is 2.

Mode OSPF

Example The following command creates a default route into the OSPF domain with a metric of 20:

ACOS(config-router)#default-information originate metric 20

distance
Description Set the administrative distance for OSPF routes, based on route type.


Syntax [no] distance
{num | ospf {external | inter-area | intra-area} num}

Parameter Description
num Sets the administrative distance for all route types. You can specify
1-255.
ospf {external | inter-area | intra-area} num Sets the administrative distance for specific
route types:
• external – Routes that OSPF learns from other routing domains
  by redistribution.
• intra-area – Routes within the same OSPF area.
• inter-area – Routes between OSPF areas.
You can use the ospf option with one or more of its suboptions. For
each route type, you can specify 1-255.

Default For all route types, the default administrative distance is 110.

Mode OSPFv2

Usage The administrative distance specifies the trustworthiness of routes. A low administrative
distance value indicates a high level of trust. Likewise, a high administrative distance value
indicates a low level of trust. For example, setting the administrative distance value for
external routes to 255 means those routes are very untrustworthy and should not be used.

distribute-list
Description Filter the networks received or sent in route updates.

Syntax [no] distribute-list acl-id
{
in |
out {connected | floating-ip | ip-nat |
ip-nat-list | ospf | static | vip}
}

Parameter Description
acl-id ID of an ACL. Only the networks permitted by the ACL will be allowed.
in Uses the specified ACL to filter routes received by OSPF from other
sources. The filter applies to routes from all sources.

out route-type Uses the specified ACL to filter routes advertised by OSPF to other routing domains. The route-type can be one of the following:
• connected – Filters advertisement of directly connected networks.
• floating-ip – Filters advertisement of networks for floating IP addresses.
• ip-nat – Filters advertisement of networks that are translated NAT addresses allocated from a pool.
• ip-nat-list – Filters advertisement of networks that are translated NAT addresses allocated from a range list.
• ospf [process-id] – Filters advertisement of networks to another OSPF process.
• static [only-flagged | only-not-flagged] – Filters advertisement of networks reached by static routes.
• vip [only-flagged | only-not-flagged] – Filters advertisement of networks to reach VIPs.
  By default, the option applies to all VIPs. To restrict the option to a subset of VIPs, use one of the following options:
  • only-flagged – Redistributes only the VIPs on which the redistribution-flagged command is used.
  • only-not-flagged – Redistributes all VIPs except those on which the redistribution-flagged command is used.

Default None

Mode OSPFv2

host ipaddr area


Description Configure a stub host entry for an area.

Syntax [no] host ipaddr area area-id [cost num]

Parameter Description
ipaddr IP address of the host.
area area-id OSPF area where the host is located.
cost num Cost of the stub host entry, 0-65535.

Default None

Mode OSPFv2

Usage Routes to the host are listed in router LSAs as stub links.


log-adjacency-changes
Description Log adjacency changes.

Syntax [no] log-adjacency-changes {detail | disable}

Parameter Description
detail Log changes in adjacency state.
disable Disable logging of adjacency state changes.

Default Enabled by default.

Mode OSPFv2

Example The following example disables logging of adjacency state changes:

ACOS(config)#router ospf
ACOS(config-ospf)#log-adjacency-changes disable

maximum-area
Description Set the maximum number of OSPF areas supported for this OSPF process.

Syntax [no] maximum-area num

Replace num with the maximum number of areas allowed for this OSPF process. You can
specify 1-4294967294.

Default 4294967294

Mode OSPFv2


neighbor
Description Configure an OSPF neighbor that is located on a non-broadcast network.

Syntax [no] neighbor ipaddr [cost num | poll-interval seconds [priority num] | priority num [poll-interval seconds]]

Parameter Description
ipaddr IP address of the OSPF neighbor.
cost num Specifies the link-state metric to the neighbor, 1-65535. By default, no cost is set.
poll-interval seconds Number of seconds this OSPF router will wait for a reply to a hello message sent to the neighbor, before declaring the neighbor to be offline. You can specify 1-65535 seconds. The default is 120 seconds.
priority num Router priority of the neighbor, 1-255. By default, no priority is set.

Default No neighbors on non-broadcast networks are configured by default. When you configure
one, the other parameters have the default settings described in the table above.

Mode OSPFv2

Usage This command is required only for neighbors on non-broadcast networks. Adjacencies to
neighbors on other types of networks are automatically established by the OSPF protocol.

It is recommended to set the poll-interval to a much higher value than the hello interval.

network
Description Enable OSPF routing for an area, on interfaces that have IP addresses in the specified area
subnet.

Syntax [no] network ipaddr {/mask-length | wildcard-mask} area area-id [instance-id num]

Parameter Description
ipaddr {/mask-length | wildcard-mask} Subnet of the area. You can specify the subnet in CIDR format (ipaddr/mask-length) or as ipaddr wildcard-mask. In a wildcard-mask, 0s represent the network portion and 1s represent the host portion. For example, for a subnet that has 254 hosts and a 24-bit network mask, the wildcard-mask is 0.0.0.255.
area area-id Area ID.
instance-id num Range of OSPF instances for which to enable OSPF routing for the area, 0-255. If you omit this option, OSPF routing is enabled for all OSPF instances that are running on interfaces that have IP addresses in the specified area subnet.

Default None

Mode OSPFv2

Example The following command configures an OSPF network:

ACOS(config-router)#network 10.10.20.20/24 area 10.10.20.30
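
The two subnet forms of this command, worked through as an added example (not part of the A10 documentation): the code converts a wildcard-mask to a prefix length, then lists which interface addresses a statement would enable OSPF on, which is the check to run when a wide statement might also cover an interface that should not form adjacencies. The interface addresses, the expected-interface set and the third statement are constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the A10 documentation): interface names
# follow the forms used on this page, the addresses are invented.
INTERFACES = {
    "ethernet 1": "10.10.20.1",
    "ethernet 2": "10.10.21.1",
    "ve 5": "192.0.2.10",  # assumed to face a network that should not run OSPF
}
EXPECTED_OSPF_INTERFACES = {"ethernet 1", "ethernet 2"}

STATEMENTS = [
    "network 10.10.20.20/24 area 10.10.20.30",       # the page's example
    "network 10.10.20.0 0.0.0.255 area 10.10.20.30",  # same subnet, wildcard form
    "network 0.0.0.0 255.255.255.255 area 0.0.0.0",   # constructed: matches every address
]


def wildcard_to_prefixlen(wildcard):
    """Convert a wildcard mask (0s = network bits, 1s = host bits) to a prefix length."""
    value = int(ipaddress.IPv4Address(wildcard))
    host_bits = value.bit_length()
    # The host portion must be one contiguous run of 1s in the low-order bits.
    if value != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return 32 - host_bits


def parse_network_statement(line):
    """Parse 'network ipaddr{/mask-length | wildcard-mask} area area-id [...]'.

    Returns (IPv4Network, area_id). Host bits in ipaddr are masked off, so
    10.10.20.20/24 and 10.10.20.0 0.0.0.255 yield the same network.
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "network":
        raise ValueError(f"not a network statement: {line!r}")
    if "/" in tokens[1]:
        addr, _, length = tokens[1].partition("/")
        prefixlen, rest = int(length), tokens[2:]
    else:
        addr, prefixlen, rest = tokens[1], wildcard_to_prefixlen(tokens[2]), tokens[3:]
    if len(rest) < 2 or rest[0] != "area":
        raise ValueError(f"missing area in: {line!r}")
    network = ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)
    return network, rest[1]


def matched_interfaces(statement, interfaces):
    """Return (sorted interface names inside the statement's subnet, area_id)."""
    network, area = parse_network_statement(statement)
    names = sorted(name for name, ip in interfaces.items()
                   if ipaddress.IPv4Address(ip) in network)
    return names, area


def unexpected_matches(statements, interfaces, expected):
    """Return (statement, interface, area) for every match outside the expected set."""
    findings = []
    for statement in statements:
        names, area = matched_interfaces(statement, interfaces)
        findings.extend((statement, n, area) for n in names if n not in expected)
    return findings


if __name__ == "__main__":
    for s in STATEMENTS:
        print(s, "->", matched_interfaces(s, INTERFACES))
    for statement, name, area in unexpected_matches(
            STATEMENTS, INTERFACES, EXPECTED_OSPF_INTERFACES):
        print(f"REVIEW: {statement!r} also enables OSPF on {name} (area {area})")
```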

ospf abr-type
Description Specify the Area Border Router (ABR) type.

Syntax [no] ospf abr-type {cisco | ibm | shortcut | standard}

Parameter Description
cisco Alternative ABR using Cisco implementation (RFC 3509).
ibm Alternative ABR using IBM implementation (RFC 3509).
shortcut Shortcut ABR (draft-ietf-ospf-shortcut-abr-02.txt).
standard Standard ABR behavior (RFC 2328)

Default cisco

Mode OSPFv2

ospf router-id
Description Set the value used by this OSPF router to identify itself when exchanging route information
with other OSPF routers.

Syntax [no] ospf router-id ipaddr

Default For OSPFv2, the default router ID is the highest-numbered IP address configured on any of
the ACOS device’s loopback interfaces. If no loopback interfaces are configured, the highest-numbered
IP address configured on any of the ACOS device’s other Ethernet data interfaces is used.

NOTE: Setting the router ID is strongly recommended for OSPFv2.

Mode OSPFv2

Usage The ACOS device has only one router ID. The address does not need to match an address
configured on the ACOS device. However, the address must be an IPv4 address and must be
unique within the routing domain.

New or changed router IDs require a restart of the OSPF process. To restart the OSPF process,
use the clear ip ospf process command.

Example The following commands set the router ID to 2.2.2.2 and reload OSPF to place the new router
ID into effect:

ACOS(config-router)#router-id 2.2.2.2
ACOS(config-router)#clear ip ospf process

overflow database
Description Specify the maximum number of LSAs or the maximum size of the external database.

Syntax [no] overflow database {max-lsa [hard | soft] | external max-lsa recover-time}

Parameter Description
max-lsa [hard | soft] Specifies the maximum number of LSAs per OSPF process, 0-4294967294. The hard | soft option specifies the action to take if the LSA limit is exceeded:
• hard – Shut down the OSPF process for the process.
• soft – Issue a warning message without shutting down the OSPF process for the process.
external max-lsa recover-time Specifies the maximum number of AS-external-LSAs the OSPF router can receive, 0-2147483647. The recover-time option specifies the number of seconds OSPF waits before attempting to recover after max-lsa is exceeded. You can specify 0-65535 seconds. To disable recovery, specify 0.

Default The default max-lsa is 2147483647.

Mode OSPFv2

summary-address
Description Summarize or disable advertisement of external routes for a specific IP address range.
A summary-address helps reduce the size of the OSPF link-state database.


Syntax [no] summary-address ipaddr/mask {not-advertise | tag num}

Parameter Description
ipaddr/mask Specifies the address range.
not-advertise Disables advertisement of routes for the specified range.
tag num Includes the specified tag value in external LSAs for IP addresses
within the specified range. The tag value can be 0-4294967295. The
default tag value is 0.

Default None

Mode OSPFv2

Configuration Commands Applicable to OSPFv3 Only


All the global OSPF commands that are applicable to OSPFv3 are also applicable to OSPFv2. (See “Configuration Commands
Applicable to OSPFv2 or OSPFv3” on page 358.)

OSPF Show Commands


This section lists the OSPF show commands.

show {ip | ipv6} ospf


Description Display configuration information and statistics for OSPFv2 processes or OSPFv3 processes.

Syntax show ip ospf [process-id]

show ipv6 ospf [tag]

Parameter Description
process-id Specifies the OSPFv2 process. If you omit this option, settings for all
configured OSPFv2 processes are displayed.
tag Specifies the OSPFv3 process. If you omit this option, settings for all
configured OSPFv3 processes are displayed.

Mode Privileged EXEC and all configuration levels

Example The following command shows information for OSPFv2 process 0:

ACOS#show ip ospf 0
Routing Process "ospf 0" with ID 1.1.1.1
Process uptime is 3 hours 12 minutes


Process bound to VRF default


Conforms to RFC2328, and RFC1583 Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Graceful Restart
This router is an ASBR (injecting external routing information)
SPF schedule delay min 0.500 secs, SPF schedule delay max 50.0 secs
Refresh timer 10 secs
Number of incoming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 0. Checksum 0x000000
Number of opaque AS LSA 0. Checksum 0x000000
Number of non-default external LSA 0
External LSA database is unlimited.
Number of LSA originated 2
Number of LSA received 79
Number of areas attached to this router: 1
Area 1 (NSSA)
Number of interfaces in this area is 2(2)
Number of fully adjacent neighbors in this area is 2
Number of fully adjacent virtual neighbors through this area
is 0
Area has no authentication
SPF algorithm last executed 02:07:40.860 ago
SPF algorithm executed 16 times
Number of LSA 10. Checksum 0x06b2fa
NSSA Translator State is disabled
Shortcutting mode: Default, S-bit consensus: ok

show ip ospf border-routers


Description Display route information for OSPFv2 ABRs and ASBRs.

Syntax show ip ospf border-routers

Mode Privileged EXEC and all configuration levels

Example The following command shows route information for ABRs and ASBRs:

ACOS#show ip ospf border-routers

OSPF process 0 internal Routing Table

Codes: i - Intra-area route, I - Inter-area route

i 9.1.1.1 [10] via 10.1.1.2, ethernet 1, ASBR, Area 0.0.0.0


OSPF process 1 internal Routing Table

Codes: i - Intra-area route, I - Inter-area route

show ip ospf database


Description Displays information about the OSPFv2 databases on the device.

NOTE: The options are different for OSPFv3. See “show ipv6 ospf database” on page 385.

Syntax show ip ospf database


[
adv-router ipaddr |
{asbr-summary | external | network | nssa-external |
opaque-area | opaque-as | opaque-link | router | summary}
[[ipaddr [adv-router ipaddr] [self-originate]] |
[adv-router ipaddr] | [self-originate]] |
max-age |
self-originate
]

Parameter Description
adv-router ipaddr Displays LSA information for the specified advertising router.
asbr-summary Displays information about ASBR summary LSAs.
max-age Displays information for the LSAs that have reached the maximum age allowed, which is 3600 seconds.
self-originate Displays information for LSAs originated by this OSPF router.
external Displays information about external LSAs.
network Displays information about network LSAs.
nssa-external Displays information about NSSA external LSAs.
opaque-area Displays information about Type-10 Opaque LSAs. Type-10
Opaque LSAs are LSAs with local-area scope (link state type 10),
and are not flooded outside the local area.
opaque-as Displays information about Type-11 LSAs, which are flooded
throughout the Autonomous System (AS).
opaque-link Displays information about Type-9 LSAs. Type-9 LSAs have link-
local scope, and are not flooded beyond the local network.
router Displays information about router LSAs.
summary Displays information about summary LSAs.


The following suboptions are available for the external, network, nssa-external, opaque-area,
opaque-as, opaque-link, router, and summary options:

Parameter Description
ipaddr Displays LSA information for a specific link-state ID (expressed
as an IP address).
adv-router ipaddr Displays LSA information for the specified advertising router.
self-originate Displays information for LSAs originated by this OSPF router.

Mode Privileged EXEC and all configuration levels

Example The following command shows the OSPFv2 database:

ACOS#show ip ospf database

Router Link States (Area 0.0.0.1 [NSSA])

Link ID ADV Router Age Seq# CkSum Link count


1.1.1.1 1.1.1.1 1105 0x800000c9 0xcb72 2
2.2.2.2 2.2.2.2 638 0x80000008 0xdb92 2
3.3.3.3 3.3.3.3 1998 0x800000cb 0x47c1 2
4.4.4.4 4.4.4.4 1717 0x800000f6 0xe1d2 3

Net Link States (Area 0.0.0.1 [NSSA])

Link ID ADV Router Age Seq# CkSum


10.0.0.1 3.3.3.3 1998 0x80000006 0xec1b
11.0.0.1 3.3.3.3 203 0x80000005 0x14ef
13.0.0.2 4.4.4.4 1717 0x80000006 0xbf3c
14.0.0.1 4.4.4.4 1962 0x80000004 0xf207

Summary Link States (Area 0.0.0.1 [NSSA])

Link ID ADV Router Age Seq# CkSum Route


0.0.0.0 3.3.3.3 1998 0x800000a3 0x99ed 0.0.0.0/0

NSSA-external Link States (Area 0.0.0.1 [NSSA])

Link ID ADV Router Age Seq# CkSum Route Tag

1.0.100.1 1.1.1.1 1105 0x8000008e 0x942a E2 1.0.100.1/32 0


show ipv6 ospf database


Description Displays information about the OSPFv3 databases on the device.

Syntax show ipv6 ospf [tag] database


[
external [adv-router ipaddr] |
grace [adv-router ipaddr] |
inter-prefix [adv-router ipaddr] |
inter-router [adv-router ipaddr] |
intra-prefix [adv-router ipaddr] |
link [adv-router ipaddr] |
network [adv-router ipaddr] |
router [adv-router ipaddr]
]

Parameter Description
external Displays information about external LSAs.
grace Displays information about grace LSAs, used during graceful restart.
inter-prefix Displays information about Inter-Area-Prefix LSAs.
inter-router Displays information about Inter-Area-Router LSAs.
intra-prefix Displays information about Intra-Area-Prefix LSAs.
links Displays information about link LSAs.
network Displays information about network LSAs.
router Displays information about router LSAs.
[adv-router ipaddr] Displays LSA information for the specified advertising router.

Mode Privileged EXEC and all configuration levels

Example The following command shows the OSPFv3 database:

ACOS#show ipv6 ospf database

OSPFv3 Router with ID (100.1.1.1) (Process *null*)

Link-LSA (Interface ethernet 1)

Link State ID ADV Router Age Seq# CkSum Prefix


0.0.0.3 9.1.1.1 498 0x8000000c 0xfa01 1
0.0.0.3 100.1.1.1 31 0x80000001 0xf29e 1

Router-LSA (Area 0.0.0.0)

Link State ID ADV Router Age Seq# CkSum Link


0.0.0.0 9.1.1.1 19 0x8000000d 0x9356 1


0.0.0.0 100.1.1.1 18 0x80000003 0x7127 1

Network-LSA (Area 0.0.0.0)

Link State ID ADV Router Age Seq# CkSum


0.0.0.3 9.1.1.1 19 0x80000001 0x7d29

Intra-Area-Prefix-LSA (Area 0.0.0.0)

Link State ID ADV Router Age Seq# CkSum Prefix Reference

0.0.0.2 9.1.1.1 18 0x80000001 0x5d5f 1 Network-LSA

AS-external-LSA

Link State ID ADV Router Age Seq# CkSum


0.0.0.4 9.1.1.1 1508 0x80000017 0x6aad E2
0.0.0.1 100.1.1.1 29 0x80000001 0xcd18 E2

show {ip | ipv6} ospf interface


Description Display OSPF information for an interface.

Syntax show {ip | ipv6} ospf interface


{ethernet portnum | lif num | loopback num | management |
trunk num | tunnel num | ve ve-num}

Mode Privileged EXEC and all configuration levels

Example The following command shows OSPFv3 information for interface Ethernet 1:

ACOS#show ipv6 ospf interface


ethernet 1 is up, line protocol is up
Interface ID 3
IPv6 Prefixes
fe80::21f:a0ff:fe04:d7e4/64 (Link-Local Address)
1000::1/32
OSPFv3 Process (*null*), Area 0.0.0.0, Instance ID 0
Router ID 100.1.1.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State Backup, Priority 1
Designated Router (ID) 9.1.1.1
Interface Address fe80::21f:a0ff:fe04:b1f0
Backup Designated Router (ID) 100.1.1.1
Interface Address fe80::21f:a0ff:fe04:d7e4


Timer interval configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:02
Neighbor Count is 1, Adjacent neighbor count is 1

show {ip | ipv6} ospf neighbor


Description Display information about OSPF neighbors.

Syntax show ip ospf neighbor


[ipaddr [detail]] |
[all] |
[detail [all]] |
[interface interface-num]

Syntax show ipv6 ospf [tag] neighbor


[ipaddr [detail]] |
[detail [all]] |
[interface interface-num]

NOTE: The all option applies only to OSPFv2.

Parameter Description
process-id Specifies the OSPFv2 process. If you omit this option, information for all configured OSPFv2 processes is displayed.
tag Specifies the OSPFv3 process. If you omit this option, information for all configured OSPFv3 processes is displayed.
ipaddr [detail] Displays information for the specified neighbor. For detailed information, use the detail option. For summary information, omit the detail option.
all Includes neighbors whose status is Down. Without this option, down neighbors are not included in the output.
detail [all] Displays detailed information for all neighbors. To include down neighbors in the output, use the all option.
interface ipaddr Displays information for neighbors reachable through the specified IP interface.

Mode Privileged EXEC and all configuration levels

Example The following command shows information for OSPFv2 neighbors:

ACOS#show ip ospf neighbor

OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface Instance ID
9.1.1.1 1 Full/Backup 00:00:34 10.1.1.2 ethernet 1 0


show ip ospf redistributed


Description Display the routes that are being redistributed into OSPFv2.

Syntax show ip ospf [process-id] redistributed


[
bgp |
connected |
floating-ip |
ip-nat |
ip-nat-list |
isis |
kernel |
lw4o6 |
ospf [process-id] |
rip |
selected-vip |
static |
vip
]

Parameter Description
process-id Specifies the OSPFv2 process. If you omit this option, information for
all configured OSPF processes is displayed.
bgp Displays redistributed routes from BGP.
connected Displays redistributed routes to directly-connected networks.
floating-ip Displays redistributed routes to floating IP addresses.
ip-nat Displays redistributed routes to IP addresses assigned from an IP NAT
pool.
ip-nat-list Displays redistributed routes to IP addresses assigned from an IP NAT
range list.
isis Displays redistributed routes from IS-IS.
kernel Displays redistributed kernel routes.
lw4o6 Displays redistributed Lightweight 4over6 routes.
ospf [process-id] Displays redistributed routes from other OSPFv2 processes.
rip Displays redistributed routes from RIP.
selected-vip Displays redistributed routes to SLB VIPs that are explicitly flagged for
redistribution. This option is applicable if the only-flagged option
was used with the redistribute vip command.
static Displays redistributed static routes.
vip Displays redistributed routes to SLB VIPs that are implicitly flagged for
redistribution. This option is applicable if the only-not-flagged
option was used with the redistribute vip command.

Mode Privileged EXEC and all configuration levels


Usage For more information on VIP redistribution, see “Usage” in “redistribute” on page 366.


show {ip | ipv6} ospf route


Description Display information for OSPFv2 routes.

Syntax show ip ospf [process-id] route

show ipv6 ospf [tag] route

Parameter Description
process-id Specifies the OSPFv2 process. If you omit this option, information for all configured OSPFv2 processes is displayed.
tag Specifies the OSPFv3 process. If you omit this option, information for all configured OSPFv3 processes is displayed.

Mode Privileged EXEC and all configuration levels

Example The following command shows OSPFv2 IPv4 routes and OSPFv3 IPv6 routes:

ACOS#show ip ospf route


IA 0.0.0.0/0 [2] via 10.0.0.1, ve 1, Area 0.0.0.1
O 1.0.4.0/24 [2] via 13.0.0.2, ve 2, Area 0.0.0.1
C 10.0.0.0/24 [1] is directly connected, ve 1, Area 0.0.0.1
O 11.0.0.0/24 [2] via 10.0.0.1, ve 1, Area 0.0.0.1

ACOS#show ipv6 ospf route


OSPFv3 Process (*null*) Total = 1
Codes: C - connected, D - Discard, O - OSPF, IA - OSPF inter area
E1 - OSPF external type 1, E2 - OSPF external type 2

Destination Metric
Next-hop
C 1000::/32 10
directly connected, ethernet 1, Area 0.0.0.0
E2 9111::/32 10/20
via fe80::21f:a0ff:fe04:b1f0, ethernet 1


show ipv6 ospf topology


Description Display OSPFv3 topology information.

Syntax show ipv6 ospf [tag] topology [area area-id]

Parameter Description
tag Specifies the OSPFv3 process. If you omit this option, information for
all configured OSPFv3 processes is displayed.
area area-id Displays OSPFv3 topology information for the specified area.

Mode Privileged EXEC and all configuration levels

Example The following command shows the OSPFv3 topology:

ACOS#show ipv6 ospf topology

OSPFv3 Process (*null*)


OSPFv3 paths to Area (0.0.0.0) routers
Router ID Bits Metric Next-Hop Interface
9.1.1.1 E 10 9.1.1.1 ethernet 1
100.1.1.1 E --

show {ip | ipv6} ospf virtual-links


Description Display virtual link information.

Syntax show ip ospf [process-id] virtual-links

show ipv6 ospf [tag] virtual-links

Parameter Description
process-id Specifies the OSPFv2 process. If you omit this option, information for all configured OSPFv2 processes is displayed.
tag Specifies the OSPFv3 process. If you omit this option, information for all configured OSPFv3 processes is displayed.

Mode Privileged EXEC and all configuration levels

Example The following command shows information for OSPFv2 virtual links:

ACOS#show ip ospf virtual-link


Virtual Link VLINK1 to router 143.0.0.143 is up
Transit area 0.0.0.1 via interface ethernet 1
Local address 13.0.0.2/32
Remote address 13.0.0.1/32


Transmit Delay is 1 sec, State Point-To-Point,


Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:10
Adjacency state Full

ACOS#show ipv6 ospf virtual-links


Virtual Link VLINK1 to router 5.6.7.8 is up
Transit area 0.0.0.1 via interface eth0, instance ID 0
Local address 3ffe:1234:1::1/128
Remote address 3ffe:5678:3::1/128
Transmit Delay is 1 sec, State Point-To-Point,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5



Config Commands: Router – IS-IS

This chapter describes the commands for configuring global Intermediate System to Intermediate System (IS-IS) parameters.

NOTE: This CLI level also has the following commands, which are available at all configuration
levels:

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• do – See “do” on page 90.

• end – See “end” on page 93.

• exit – See “exit” on page 95.

• no – See “no” on page 135.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

Enabling IS-IS
To enable IS-IS, use the following command at the global configuration level of the CLI.

router isis [tag]

The tag specifies the IS-IS instance to configure, and can be 1-65535.

This command changes the CLI to the configuration level for the specified IS-IS instance. At this level,
use the following command to configure the Network Entity Title (NET):

[no] net area-address.system-id.00

NOTE: It is recommended to set a fixed router-ID for all dynamic routing protocols you plan to
use on the ACOS device, to prevent router-ID changes caused by VRRP-A failover.

Interface-level IS-IS Commands


In addition to global parameters, IS-IS has parameters on the individual interface level. To configure IS-IS on an interface, use
the interface command to access the configuration level for the interface, then use the ip isis commands. (See “Config
Commands: Interface” on page 241.)


Show Commands
To display IS-IS settings, use show isis, show ip isis, and show ipv6 isis commands. (See “Show Commands” on page 681.)

address-family
Description Configure this IS-IS instance to exchange IPv6 addresses with other IS-IS routers.

Syntax [no] address-family ipv6 [unicast]

The unicast option enables unicast IPv6 addresses to be exchanged, in addition to
multicast addresses. Without this option, only multicast addresses can be exchanged.

This command changes the CLI to the address-family configuration level, where the
following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
adjacency-check Enables IS-IS router adjacency based on Type-Length-Value (TLV) fields in IS-IS Hello packets between routers.
default-information originate Enables advertisement of the default route in Link State Packets (LSPs) sent by this IS-IS instance.
distance Sets the administrative distance, 1-255, for IS-IS routes.
exit Exits from the address-family configuration level.
[no] multi-topology [level-1 | level-1-2 | level-2] [transition] Enables multi-topology mode. The transition option accepts and generates both IS-IS IPv6 and multi-topology IPv6 TLVs.
redistribute option Enables distribution of routes from other sources into IS-IS. For available options, see “redistribute” on page 404.
summary-prefix ipv6-addr/prefix [level-1 | level-1-2 | level-2] Configures an IPv6 summary prefix.

Default Disabled. When you enable IPv6 exchange, the unicast option is disabled by default.

Mode IS-IS

Example The following command enables exchange of IPv6 multicast and unicast addresses with
other IS-IS routers:

ACOS(config-router)#address-family ipv6 unicast


adjacency-check
Description Enable IS-IS router adjacency based on Type-Length-Value (TLV) fields in IS-IS Hello packets
between routers.

Syntax [no] adjacency-check

Default Enabled.

Mode IS-IS

area-password
Description Configure the password for authenticating IS-IS traffic between Level-1 routers.

Syntax [no] area-password string [authenticate snp {send-only | validate}]

Parameter Description
string Specifies the password.
authenticate snp {send-only | validate} Uses the password for authentication of Sequence Number Packets (SNPs).
• send-only – Inserts the password into SNP PDUs before sending them, but does not check for the password in SNP PDUs received from other routers.
• validate – Inserts the password into SNP PDUs before sending them, and also checks for the password in SNP PDUs received from other routers.

Default None. If you configure a Level-1 password, the snp option is disabled by default.

Mode IS-IS

Usage This command applies only to Level-1. To configure authentication for Level-2, see “domain-
password” on page 398.

Example The following command configures IS-IS to use password “isisl1pwd” to authenticate Level-1
IS-IS traffic within the area, including inbound and outbound SNP PDUs:

ACOS(config-router)#area-password isisl1pwd authenticate snp validate


authentication
Description Configure authentication for this IS-IS instance.

Syntax [no] authentication send-only [level-1 | level-2]

[no] authentication mode md5 [level-1 | level-2]

[no] authentication key-chain name [level-1 | level-2]

Parameter Description
send-only [level-1 | level-2] Disables checking for keys in IS-IS packets received by this IS-IS instance.
• level-1 – Disables key checking only for Level-1 (intra-area) IS-IS traffic.
• level-2 – Disables key checking only for Level-2 (inter-area) IS-IS traffic.
mode md5 [level-1 | level-2] Enables MD5 authentication.
• level-1 – Enables MD5 only for Level-1 (intra-area) IS-IS traffic.
• level-2 – Enables MD5 only for Level-2 (inter-area) IS-IS traffic.
key-chain name [level-1 | level-2] Specifies the name of the certificate key chain to use for authenticating IS-IS traffic.
• level-1 – Applies only to Level-1 (intra-area) IS-IS traffic.
• level-2 – Applies only to Level-2 (inter-area) IS-IS traffic.

Default Clear-text authentication is enabled by default. MD5 authentication is disabled by default.
No key chain is set by default. The send-only option is disabled by default. All options apply
to Level-1 and Level-2, unless you specify one level or the other. For all options that accept
the level-1, level-1-2, or level-2 keyword, the default is level-1.

Mode IS-IS

Usage Use the send-only option to temporarily disable key checking, then use the key-chain
option to specify the key chain. To use MD5, use the md5 option to disable clear-text
authentication and enable MD5 authentication. After key-chains are installed on the other
IS-IS routers, disable the send-only option.

Example The following commands configure MD5 authentication for this IS-IS instance:

ACOS(config-router)#authentication send-only
ACOS(config-router)#authentication mode md5
ACOS(config-router)#authentication key-chain chain1
ACOS(config-router)#no authentication send-only


bfd
Description Enable BFD on all interfaces for which IS-IS is running.

Syntax [no] bfd all-interfaces

Default Disabled

Mode IS-IS

Introduced in Release 2.7.1

default-information originate
Description Enable advertisement of the default route in Link State Packets (LSPs) sent by this IS-IS
instance.

Syntax [no] default-information originate

Default Disabled

Mode IS-IS

Usage If the IPv4 or IPv6 data route tables contain a default route, the default route is included in
Level-2 LSPs sent by this IS-IS instance. This command does not apply to Level-1 LSPs.

distance
Description Set the administrative distance for IS-IS routes.

Syntax [no] distance num [system-id]

Parameter Description
num Specifies the distance, 1-255.
system-id Assigns the distance only to routes from the router with the specified
IS-IS system ID.

Default None

Mode IS-IS

Usage The administrative distance specifies the trustworthiness of routes. A low administrative
distance value indicates a high level of trust. Likewise, a high administrative distance value
indicates a low level of trust. For example, setting the administrative distance value for
external routes to 255 means those routes are very untrustworthy and should not be used.

domain-password
Description Configure the password for authenticating IS-IS traffic between Level-2 routers.

Syntax [no] domain-password string [authenticate snp {send-only | validate}]

Parameter Description
string Specifies the password.
authenticate snp {send-only | validate} Uses the password for authentication of Sequence
Number Packets (SNPs).
• send-only – Inserts the password into SNP PDUs before sending them, but does not check for
the password in SNP PDUs received from other routers.
• validate – Inserts the password into SNP PDUs before sending them, and also checks for the
password in SNP PDUs received from other routers.

Default None. If you configure a Level-2 password, the snp option is disabled by default.

Mode IS-IS

Usage This command applies only to Level-2. To configure authentication for Level-1, see “area-
password” on page 395.

Example The following command configures IS-IS to use password “isisl2pwd” to authenticate Level-2
IS-IS traffic, including inbound and outbound SNP PDUs:

ACOS(config-router)#domain-password isisl2pwd authenticate snp validate

ha-standby-extra-cost
Description Enable IS-IS awareness of High Availability (HA).

Syntax [no] ha-standby-extra-cost num

Replace num with the extra cost to add to the ACOS device’s IS-IS interfaces, if the HA status
of one or more of the device’s HA groups is Standby. You can specify 1-65535. If the resulting
cost value is more than 65535, the cost is set to 65535.

Default Not set. The IS-IS protocol on the ACOS device is not aware of the HA state (Active or
Standby) of the ACOS device.

Mode IS-IS

Usage Enter the command on each of the ACOS devices in the HA pair.

ignore-lsp-errors
Description Disable checksum verification for inbound LSPs.

Syntax [no] ignore-lsp-errors

Default Disabled. The checksums of inbound LSPs are verified.

Mode IS-IS
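
The authentication, domain-password and ignore-lsp-errors commands described above can be checked together by replaying the IS-IS commands of a configuration and comparing the end state with the defaults this reference states. The following Python audit is an added example, not A10 code; the function names, the sample command lists and the assumption that an optional level-1 or level-2 keyword comes last on authentication commands are illustrative.

```python
"""Audit of IS-IS authentication-related settings (illustrative example)."""

LEVELS = ("level-1", "level-2")


def _defaults():
    # Defaults as stated in this reference: clear-text mode, no key chain,
    # send-only disabled.
    return {"mode": "clear-text", "key_chain": None, "send_only": False}


def audit_isis(commands):
    """Replay IS-IS router-level commands in order and return findings."""
    levels = {lvl: _defaults() for lvl in LEVELS}
    ignore_lsp_errors = False  # default: inbound LSP checksums are verified
    snp_option = None          # None = no domain-password configured

    for raw in commands:
        words = raw.split()
        negate = words[:1] == ["no"]
        if negate:
            words = words[1:]
        if not words:
            continue

        if words[0] == "authentication":
            # Assumption: an optional level keyword comes last; without it
            # the option applies to both levels.
            targets = LEVELS
            if words[-1] in LEVELS:
                targets, words = (words[-1],), words[:-1]
            option = words[1] if len(words) > 1 else ""
            value = words[2] if len(words) > 2 else None
            for lvl in targets:
                state = levels[lvl]
                if option == "send-only":
                    state["send_only"] = not negate
                elif option == "mode":
                    state["mode"] = "clear-text" if negate or not value else value
                elif option == "key-chain":
                    state["key_chain"] = None if negate else value
        elif words[0] == "ignore-lsp-errors":
            ignore_lsp_errors = not negate
        elif words[0] == "domain-password":
            if negate:
                snp_option = None
            elif words[-3:-1] == ["authenticate", "snp"]:
                snp_option = words[-1]      # "send-only" or "validate"
            else:
                snp_option = "disabled"     # password set, snp option off

    findings = []
    for lvl in LEVELS:
        state = levels[lvl]
        if state["mode"] != "md5":
            findings.append(f"{lvl}: authentication mode is {state['mode']}, not md5")
        if state["key_chain"] is None:
            findings.append(f"{lvl}: no key chain is set")
        if state["send_only"]:
            findings.append(f"{lvl}: send-only is still set, so keys are not checked")
    if ignore_lsp_errors:
        findings.append("ignore-lsp-errors: inbound LSP checksums are not verified")
    if snp_option in ("disabled", "send-only"):
        findings.append("domain-password: the password is not checked in received SNP PDUs")
    return findings


# Constructed command lists. The first is the example sequence from this
# section plus the domain-password example; the second stops half-way.
ROLLOUT_COMPLETE = [
    "authentication send-only",
    "authentication mode md5",
    "authentication key-chain chain1",
    "no authentication send-only",
    "domain-password isisl2pwd authenticate snp validate",
]
ROLLOUT_STALLED = [
    "authentication send-only",
    "authentication mode md5 level-1",
    "authentication key-chain chain1",
    "domain-password isisl2pwd",
    "ignore-lsp-errors",
]

if __name__ == "__main__":
    for name, cfg in (("complete", ROLLOUT_COMPLETE), ("stalled", ROLLOUT_STALLED)):
        print(name)
        for finding in audit_isis(cfg):
            print("  -", finding)
```
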

is-type
Description Specify the IS-IS routing level for this IS-IS instance.

Syntax [no] is-type {level-1 | level-1-2 | level-2-only}

Parameter Description
level-1 Level-1 (intra-area) only.
level-1-2 Level-1 and Level-2.
level-2-only Level-2 (inter-area) only.

Default Level-1-2, unless another IS-IS instance on the ACOS device already is running at Level-2. In
this case, the default is Level-1.

Mode IS-IS

Usage Only one IS-IS instance on the ACOS device can run Level-2 routing.

log-adjacency-changes
Description Log adjacency changes.

Syntax [no] log-adjacency-changes {detail | disable}

Parameter Description
detail Log changes in adjacency state.
disable Disable logging of adjacency state changes.

Default Enabled by default.

Mode IS-IS

Example The following example disables logging of adjacency state changes:

ACOS(config)#router isis
ACOS(config-isis)#log-adjacency-changes disable

lsp-gen-interval
Description Configure the minimum interval for LSP regeneration.

Syntax [no] lsp-gen-interval [level-1 | level-2] seconds

Parameter Description
level-1 | level-2 Specifies the circuit type to which to apply the interval configuration.
The default is level-1.
seconds Specifies the minimum number of seconds between each regeneration of the LSP.
You can specify 1-120 seconds.

Default 30 seconds, for both Level-1 and Level-2

Mode IS-IS

lsp-refresh-interval
Description Configure the LSP refresh interval.

Syntax [no] lsp-refresh-interval seconds

Replace seconds with the minimum number of seconds IS-IS must wait before refreshing an
LSP. You can specify 1-65535 seconds.

Default 900

Mode IS-IS

Usage The lsp-refresh-interval must be smaller than the max-lsp-lifetime.

max-lsp-lifetime
Description Configure the LSP maximum lifetime.

Syntax [no] max-lsp-lifetime seconds

Replace seconds with the maximum number of seconds an LSP can remain in the database
without being refreshed. You can specify 350-65535 seconds.

Default 1200

Mode IS-IS

Usage The max-lsp-lifetime must be larger than the lsp-refresh-interval.

metric-style
Description Configure the metric style to use for SPF calculation and for TLV encoding in LSPs.

Syntax [no] metric-style
{
narrow [level-1 | level-1-2 | level-2] |
transition [level-1 | level-1-2 | level-2] |
wide [level-1 | level-1-2 | level-2] |
narrow-transition [level-1 | level-1-2 | level-2] |
wide-transition [level-1 | level-1-2 | level-2]}

Parameter Description
narrow [level-1 | level-1-2 | level-2] Supports 6-bit metric length for SPF calculation and
TLV encoding.
The transition option also allows 24-bit metrics for SPF calculation, but not for TLV encoding.
• level-1 – Supports 24-bit SPF calculation only for circuit type Level-1.
• level-2 – Supports 24-bit SPF calculation only for circuit type Level-2.
• level-1-2 – Supports 24-bit SPF calculation for circuit types Level-1 and Level-2. (This is
the default, if the transition option is used.)
transition [level-1 | level-1-2 | level-2] Supports 6-bit and 24-bit metric lengths for SPF
calculation and TLV encoding.
• level-1 – Supports both metric lengths only for circuit type Level-1.
• level-2 – Supports both metric lengths only for circuit type Level-2.
• level-1-2 – Supports both metric lengths for circuit types Level-1 and Level-2. (This is the
default, if the transition option is used.)
wide [level-1 | level-1-2 | level-2] Supports 24-bit metric length for SPF calculation and
TLV encoding.
The transition option also allows 6-bit metrics for SPF calculation, but not for TLV encoding.
• level-1 – Supports 6-bit SPF calculation only for circuit type Level-1.
• level-2 – Supports 6-bit SPF calculation only for circuit type Level-2.
• level-1-2 – Supports 6-bit SPF calculation for circuit types Level-1 and Level-2. (This is
the default, if the transition option is used.)

narrow-transition [level-1 | level-1-2 | level-2] Supports 6-bit metric length for SPF
calculation and TLV encoding.
The transition option also allows 24-bit metrics for SPF calculation, but not for TLV encoding.
• level-1 – Supports 24-bit SPF calculation only for circuit type Level-1.
• level-2 – Supports 24-bit SPF calculation only for circuit type Level-2.
• level-1-2 – Supports 24-bit SPF calculation for circuit types Level-1 and Level-2. (This is
the default, if the transition option is used.)
wide-transition [level-1 | level-1-2 | level-2] Supports 24-bit metric length for SPF
calculation and TLV encoding.
The transition option also allows 6-bit metrics for SPF calculation, but not for TLV encoding.
• level-1 – Supports 6-bit SPF calculation only for circuit type Level-1.
• level-2 – Supports 6-bit SPF calculation only for circuit type Level-2.
• level-1-2 – Supports 6-bit SPF calculation for circuit types Level-1 and Level-2. (This is
the default, if the transition option is used.)

Default Narrow, for Level-1 and Level-2 routing levels (level-1-2). For all options that accept the
level-1, level-1-2, or level-2 keyword, the default is level-1.

Mode IS-IS

net
Description Configure a Network Entity Title (NET) for the instance.

Syntax [no] net area-address.system-id.00

Parameter Description
area-address Specifies the address of the IS-IS area.
system-id Specifies the system ID.

Default None

Mode IS-IS

Usage Each IS-IS instance must have at least 1 NET.

The total length of the NET can be 8-20 bytes.

• The last (right-most) byte must be 00.
• The system-id must be 6 bytes long. For Level-1, the system-id must be unique within
the area. For Level-2, the system-id must be unique within the entire domain.
• The area-address can be up to 13 bytes long.

You can configure more than 1 NET. This is useful in cases where you are reconfiguring the
network and need to temporarily merge or split existing areas.

If you configure more than 1 NET, the area-address must be unique in each NET but the
system-id must be the same.
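
The NET rules above, as an added Python example that is not part of the A10 documentation: it validates the NETs of one instance and looks for system-id clashes between routers. It assumes NETs are written as dot-separated hexadecimal digits; the function names and the sample router table are constructed for illustration.

```python
"""Validate IS-IS NETs against the rules in the Usage text (illustrative)."""
import re

# Limits taken from the Usage text above.
NET_MIN_BYTES = 8
NET_MAX_BYTES = 20
SYSTEM_ID_BYTES = 6


class NetError(ValueError):
    """Raised when a NET string breaks one of the documented rules."""


def parse_net(net):
    """Split a NET into (area_address, system_id) as lowercase hex strings.

    Assumption: the NET is written as dot-separated hexadecimal digits,
    for example 49.0001.0000.0000.0001.00; the dots carry no meaning.
    """
    digits = net.replace(".", "").lower()
    if not re.fullmatch(r"[0-9a-f]+", digits) or len(digits) % 2:
        raise NetError(f"{net}: not a whole number of hex bytes")
    raw = bytes.fromhex(digits)
    # 8-20 bytes in total leaves 1-13 bytes for the area-address once the
    # 6-byte system-id and the final 00 byte are taken off.
    if not NET_MIN_BYTES <= len(raw) <= NET_MAX_BYTES:
        raise NetError(f"{net}: length {len(raw)} bytes, must be 8-20")
    if raw[-1] != 0x00:
        raise NetError(f"{net}: last byte must be 00")
    area = raw[:-(SYSTEM_ID_BYTES + 1)]
    system_id = raw[-(SYSTEM_ID_BYTES + 1):-1]
    return area.hex(), system_id.hex()


def check_instance_nets(nets):
    """Check all NETs configured on one IS-IS instance; return problems."""
    problems = []
    parsed = []
    if not nets:
        problems.append("instance has no NET; at least 1 is required")
    for net in nets:
        try:
            parsed.append((net, *parse_net(net)))
        except NetError as exc:
            problems.append(str(exc))
    # With more than 1 NET the system-id must be the same in all of them ...
    system_ids = sorted({sid for _, _, sid in parsed})
    if len(system_ids) > 1:
        problems.append("system-id differs between NETs: " + ", ".join(system_ids))
    # ... and the area-address must be unique in each.
    seen = {}
    for net, area, _ in parsed:
        if area in seen:
            problems.append(f"{net}: area-address duplicates {seen[area]}")
        else:
            seen[area] = net
    return problems


def system_id_clashes(routers, level):
    """Return system-ids used by more than one router.

    routers maps a router name to its list of NETs. At level 1 the
    system-id must be unique within an area, at level 2 within the whole
    domain, so the area is part of the comparison key only at level 1.
    """
    owners = {}
    for name, nets in routers.items():
        for net in nets:
            area, sid = parse_net(net)
            scope = (area, sid) if level == 1 else (sid,)
            owners.setdefault(scope, set()).add(name)
    return {scope: sorted(names) for scope, names in owners.items() if len(names) > 1}


# Constructed sample data, not taken from any real network.
SAMPLE_ROUTERS = {
    "r1": ["49.0001.0000.0000.0001.00", "49.0002.0000.0000.0001.00"],
    "r2": ["49.0001.0000.0000.0002.00"],
    "r3": ["49.0003.0000.0000.0002.00"],
}

if __name__ == "__main__":
    for router, router_nets in SAMPLE_ROUTERS.items():
        print(router, check_instance_nets(router_nets) or "ok")
    print("level-1 clashes:", system_id_clashes(SAMPLE_ROUTERS, 1))
    print("level-2 clashes:", system_id_clashes(SAMPLE_ROUTERS, 2))
```
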

passive-interface
Description Disable IS-IS routing updates on ACOS interfaces.

Syntax [no] passive-interface
[
ethernet port-num |
lif num |
loopback num |
trunk num |
ve ve-num
]

Parameter Description
ethernet port-num Disables routing updates from being sent on the specified Ethernet data port.
lif num Disables routing updates from being sent on the specified logical interface.
loopback num Disables routing updates from being sent on the specified loopback interface.
trunk num Disables routing updates from being sent on the specified trunk interface.
ve ve-num Disables routing updates from being sent on the specified Virtual Ethernet (VE)
interface.

NOTE: The current release does not support the loopback, trunk, or udld option.

Default Disabled

Mode IS-IS

Usage This command removes all IS-IS configuration from the specified interface.

For proper operation of IS-IS, routing updates must be enabled on at least one interface.

protocol-topology
Description Enable IS-IS protocol topology support, which provides IPv4/IPv6/dual-stack support.

Syntax [no] protocol-topology

Default Disabled

Mode IS-IS

Usage For standard IS-IS support, leave this option disabled.

redistribute
Description Enable distribution of routes from other sources into IS-IS.

Syntax [no] redistribute
{
bgp [options] |
connected [options] |
floating-ip [options] |
ip-nat [options] |
ip-nat-list [options] |
isis [options] |
lw4o6 [options] |
ospf [process-id] [options] |
rip [route-map map-name] |
static [options] |
vip [only-flagged | only-not-flagged] [options]
}

Parameter Description
bgp [options] Redistributes route information from Border Gateway Protocol (BGP) into
IS-IS. For options, see the end of this parameter list.
connected [options] Redistributes routes into IS-IS for reaching directly connected networks.
floating-ip [options] Redistributes routes into IS-IS for reaching floating IP addresses.
ip-nat [options] Redistributes routes into IS-IS for reaching translated NAT addresses
allocated from a pool.
ip-nat-list [options] Redistributes routes into IS-IS for reaching translated NAT addresses
allocated from a range list.
isis [options] Redistributes routes back into IS-IS.
lw4o6 [options] Redistributes routes into IS-IS for Lightweight 4over6. (This is an IPv6
Migration feature.)
ospf [process-id] [options] Redistributes OSPF routes into IS-IS.
rip [options] Redistributes routes into IS-IS for RIP.

static [options] Redistributes routes into IS-IS for reaching networks through static routes.
vip [only-flagged | only-not-flagged] [options] Redistributes routes into IS-IS for reaching
virtual server IP addresses.
By default, all VIPs are redistributed when you use the vip option. To restrict redistribution
to a subset of VIPs, use one of the following options:
• only-flagged – Redistributes only the VIPs on which the redistribution-flagged command is
used.
• only-not-flagged – Redistributes all VIPs except those on which the redistribution-flagged
command is used.
For more information, see the “Usage” description of this command.
[options] Optional parameters supported for all other options in this table:
• level-1 – Redistributes only at the IS-IS area level. (This is the default IS-IS level.)
• level-1-2 – Redistributes at both the IS-IS area and domain levels.
• level-2 – Redistributes only at the IS-IS domain level. (This is the default.)
• metric num – Metric for the default route, 0-4261412864. The default is 0.
• metric-type – Specifies the metric information used when comparing the route to other
routes:
  • The external type uses the route’s metric for comparison.
  • The internal type uses the route’s metric for comparison and also uses the cost of the
  router that advertised the route (this is the default).
• route-map map-name – Name of a route map. (To configure a route map, use the route-map
command. See “route-map” on page 151.)

Default Disabled. By default, IS-IS routes are not redistributed. For other defaults, see above.

Mode IS-IS

Usage When you enable redistribution, routes to all addresses of the specified type are
redistributed. For example, if you use the vip option, routes to all VIPs are redistributed
into IS-IS.

VIP Redistribution

You can exclude redistribution of individual VIPs using one or the other of the following
methods.

• If more VIPs will be excluded than will be allowed to be redistributed:
  • At the configuration level for each of the VIPs to allow to be redistributed, enter the
  following command: redistribution-flagged
  • At the configuration level for IS-IS, enter the following command: redistribute vip
  only-flagged
• If fewer VIPs will be excluded than will be allowed to be redistributed:
  • At the configuration level for each of the VIPs to exclude from redistribution, enter
  the following command: redistribution-flagged
  • At the configuration level for IS-IS, enter either of the following commands:
  redistribute vip only-not-flagged or redistribute vip

NOTE: In the configuration, the redistribute vip command is automatically converted
into the redistribute vip only-not-flagged command. When you display the configuration,
it will contain the redistribute vip only-not-flagged command, not the
redistribute vip command.

VIP Redistribution Usage Examples:

• If you have 10 VIPs and all of them need to be redistributed by IS-IS, use the
redistribute vip command at the configuration level for IS-IS.
• If you have 10 VIPs but only 2 of them need to be redistributed, use the
redistribution-flagged command at the configuration level for each of the 2 VIPs, then use
the redistribute vip only-flagged command at the configuration level for IS-IS.
• If you have 10 VIPs and need to redistribute 8 of them, use the redistribution-flagged
command at the configuration level for the 2 VIPs that should not be redistributed.
Enter the redistribute vip only-not-flagged command at the configuration level for
IS-IS. (In this case, alternatively, you could enter redistribute vip instead of
redistribute vip only-not-flagged.)

Example The following command enables redistribution of OSPF routes into IS-IS:

ACOS(config-router)#redistribute ospf

Example The following commands redistribute floating IP addresses and VIP addresses into IS-IS:

ACOS(config-router)#redistribute floating-ip
ACOS(config-router)#redistribute vip

Example The following commands flag a VIP, then configure IS-IS to redistribute only that flagged VIP.
The other (unflagged) VIPs will not be redistributed.

ACOS(config)#slb virtual-server vip1
ACOS(config-slb virtual server)#redistribution-flagged
ACOS(config-slb virtual server)#exit
ACOS(config)#router isis
ACOS(config-router)#redistribute vip only-flagged

set-overload-bit
Description Disable use of this IS-IS router as a transit router during SPF calculation.

Syntax [no] set-overload-bit

Syntax [no] set-overload-bit on-startup {seconds | wait-for-bgp}

Syntax [no] set-overload-bit suppress {[external] [interlevel]}

Parameter Description
on-startup {seconds | wait-for-bgp} Sets the overload bit only after startup of the IS-IS
instance, and clears the bit based on one of the following options:
• seconds – Clears the overload bit after the specified number of seconds. You can specify
5-86400 seconds.
• wait-for-bgp – Clears the overload bit after BGP signals that it has finished convergence.
  • If BGP is not running, the overload bit is immediately cleared.
  • If BGP is running but does not signal convergence within 10 minutes after the IS-IS
  instance starts, the overload bit is cleared.
suppress {external | interlevel} Suppresses redistribution of specific types of reachability
information during the overload state.
• external – Suppresses redistribution of IP prefixes learned from other protocols. For
example, redistribution of IP prefixes from OSPF is suppressed.
• interlevel – Suppresses redistribution of IP prefixes learned from other IS-IS levels. For
example, redistribution of IP prefixes from Level-2 to Level-1 is suppressed.

Default Disabled. The overload bit is not set, and this IS-IS router can be used as a transit
(intermediate hop) router during SPF calculation.

Mode IS-IS

Usage IP prefixes that are directly connected to this IS-IS router continue to be reachable even
when the overload bit is set.

spf-interval-exp
Description Configure the minimum and maximum delay between receiving a link-state or IS-IS
configuration change, and SPF recalculation.

Syntax [no] spf-interval-exp [level-1 | level-2] min-delay max-delay

Parameter Description
level-1 | level-2 Specifies the IS-IS level to which to apply the interval setting.
The default is level-1.
min-delay Specifies the minimum number of milliseconds (ms) to wait before SPF recalculation
following a link-state or IS-IS configuration change. You can specify 0-2147483647 ms.
max-delay Specifies the maximum number of ms to wait. You can specify 0-2147483647 ms.

Default The default min-delay is 500 ms and the default max-delay is 50000 ms, for Level-1 and Level-
2 routing levels.

Mode IS-IS

summary-address
Description Configure an IPv4 summary address to aggregate multiple IPv4 prefixes for advertisement.

Syntax [no] summary-address ipaddr/mask-length [level-1 | level-1-2 | level-2]

Parameter Description
ipaddr/mask-length Specifies the summary IPv4 address to advertise.
level-1 | level-1-2 | level-2 Specifies the IS-IS routing level to which to advertise the
summary address. If you do not specify a routing level, the summary address is advertised at
Level-2 only.

Default None

Mode IS-IS

Usage The summary address is advertised instead of the individual IP prefixes contained in the
summary address. For example, if the IPv4 route table has routes to 192.168.1.x/24,
192.168.2.x/24, and 192.168.11.x/24, you can configure IS-IS to advertise summary address
192.168.0.0/16 instead of each of the individual prefixes.

IS-IS Show Commands


This section lists the IS-IS show commands.

show ip isis
Description Display the IPv4 IS-IS route table.

Syntax show ip isis {tag | route}

Replace tag with the IS-IS tag (area). If you do not specify a tag value, IPv4 routes for all areas
are displayed.

Mode All

Example The following command shows the IPv4 IS-IS route table:

ACOS(config)#show ip isis route

System wide total number of IS-IS IPv4 routes is 1 (Limit 8192)

Codes: C - connected, E - external, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, D - discard, e - external metric

Area (null):
Destination Metric Next-Hop Interface Tag
C 1.0.3.0/24 10 -- ethernet 5 --
L1 1.0.4.0/24 20 12.0.0.2 ethernet 2 0
C 12.0.0.0/24 10 -- ethernet 2 --

show ipv6 isis [tag] route


Description Display the IPv6 IS-IS route table.

Syntax show ipv6 isis [tag] route

Replace tag with the IS-IS tag (area). If you do not specify a tag value, IPv6 routes for all areas
are displayed.

Mode All

Example The following command shows the IPv6 IS-IS route table:

ACOS(config)#show ipv6 isis route


System wide total number of IS-IS IPv6 routes is 1 (Limit 8192)

Codes: C - connected, E - external, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, D - discard, e - external metric

Area (null):
C 3000::/64 [10]
via ::, ethernet 2
C 3ff3::/64 [10]
via ::, ethernet 5
L1 3ff4::/64 [20]
via fe80::21f:a0ff:fe10:a4a6, ethernet 2

show ipv6 isis [tag] topology


Description Display IPv6 IS-IS topology information.

Syntax show ipv6 isis [tag] topology [l1 | l2 | level-1 | level-2]

Mode All

Example The following command shows IPv6 IS-IS topology information:

ACOS(config)#show ipv6 isis topology


Area (null):
IS-IS paths to level-1 routers
System Id Metric Next-Hop Interface SNPA
0000.0000.0001 --
0000.0000.0002 10 0000.0000.0002 ethernet 2 001f.a010.a4a6

IS-IS paths to level-2 routers
System Id Metric Next-Hop Interface SNPA
0000.0000.0001 --
0000.0000.0002 10 0000.0000.0002 ethernet 2 001f.a010.a4a6
AX2600-1(config)#

show isis counter


Description Display IS-IS statistics.

Syntax show isis counter

Mode All

Example The following command shows IS-IS counters:

ACOS(config)#show isis counter


Area (null):
IS-IS Level-1 isisSystemCounterEntry:
isisSysStatCorrLSPs: 0
isisSysStatAuthTypeFails: 0
isisSysStatAuthFails: 0
isisSysStatLSPDbaseOloads: 0
isisSysStatManAddrDropFromAreas: 0
isisSysStatAttmptToExMaxSeqNums: 0
isisSysStatSeqNumSkips: 0
isisSysStatOwnLSPPurges: 0
isisSysStatIDFieldLenMismatches: 0
isisSysStatMaxAreaAddrMismatches: 0
isisSysStatPartChanges: 0
isisSysStatSPFRuns: 4

IS-IS Level-2 isisSystemCounterEntry:
isisSysStatCorrLSPs: 0
isisSysStatAuthTypeFails: 0
isisSysStatAuthFails: 0
isisSysStatLSPDbaseOloads: 0
isisSysStatManAddrDropFromAreas: 0
isisSysStatAttmptToExMaxSeqNums: 0
isisSysStatSeqNumSkips: 0
isisSysStatOwnLSPPurges: 0
isisSysStatIDFieldLenMismatches: 0
isisSysStatMaxAreaAddrMismatches: 0
isisSysStatPartChanges: 0
isisSysStatSPFRuns: 3

show isis [tag] database


Description Display the IS-IS database entries.

Syntax show isis [tag] database [lspid] [detail] [l1 | l2 | level-1 | level-2]

Parameter Description
tag Specifies the IS-IS tag (area). If you do not specify a tag value, database
entries for all areas are displayed.
lspid Specifies the ID of a specific LSP to display.
detail Displays detailed contents of the LSPs. Without this option, summary
information is displayed.
l1 | l2 | level-1 | level-2 Specifies the IS-IS routing level for which to display database
entries. The default is level-1.

Mode All

Example The following command shows the IS-IS database:

ACOS(config)#show isis database


IS-IS Level-1 Link State Database:
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
0000.0000.0001.00-00* 0x00000007 0x8223 857 0/0/0
0000.0000.0002.00-00 0x00000007 0x0F96 865 0/0/0
0000.0000.0002.02-00 0x00000004 0x01D4 865 0/0/0
IS-IS Level-2 Link State Database:
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
0000.0000.0001.00-00* 0x00000003 0x77F4 884 0/0/0
0000.0000.0002.00-00 0x00000003 0x640A 879 0/0/0
0000.0000.0002.02-00 0x00000001 0x07D1 853 0/0/0

show isis interface


Description Display IS-IS information for interfaces.

Syntax show isis interface
[
counter |
ethernet port-num |
lif num |
loopback num |
trunk num |
ve ve-num
]

Parameter Description
counter Displays IS-IS interface status information and statistics.
ethernet port-num Displays IS-IS information for the specified Ethernet data port.
lif num Displays IS-IS information for the specified logical interface.
loopback num Displays IS-IS information for the specified loopback interface.
trunk num Displays IS-IS information for the specified trunk interface.
ve ve-num Displays IS-IS information for the specified VE interface.

Mode All

Example The following command shows IS-IS interface information:

ACOS(config)#show isis interface


ethernet 2 is up, line protocol is up
Routing Protocol: IS-IS ((null))
Network Type: Broadcast
Circuit Type: level-1-2
Local circuit ID: 0x01
Extended Local circuit ID: 0x00000005
Local SNPA: 001f.a002.5bc9
MTU: 1500 (Jumbo enabled)
IP interface address:
12.0.0.1/24
IPv6 interface address:
3000::1/64
fe80::21f:a0ff:fe02:5bc9/64
Level-1 Metric: 10/10, Priority: 64, Circuit ID: 0000.0000.0002.02
Number of active level-1 adjacencies: 1
Level-2 Metric: 10/10, Priority: 64, Circuit ID: 0000.0000.0002.02
Number of active level-2 adjacencies: 1
Next IS-IS LAN Level-1 Hello in 4 seconds
Next IS-IS LAN Level-2 Hello in 1 seconds
ethernet 5 is up, line protocol is up
Routing Protocol: IS-IS ((null))
Network Type: Broadcast
Circuit Type: level-1-2
Local circuit ID: 0x02
Extended Local circuit ID: 0x0000000B
Local SNPA: 001f.a002.5bcc
MTU: 1500 (Jumbo enabled)
IP interface address:
1.0.3.1/24
IPv6 interface address:
3ff3::1/64
fe80::21f:a0ff:fe02:5bcc/64
Level-1 Metric: 10/10, Priority: 64, Circuit ID: 0000.0000.0001.02
Number of active level-1 adjacencies: 0
Level-2 Metric: 10/10, Priority: 64, Circuit ID: 0000.0000.0001.02
Number of active level-2 adjacencies: 0
Next IS-IS LAN Level-1 Hello in 3 seconds
Next IS-IS LAN Level-2 Hello in 3 seconds

show isis [tag] topology


Description Display IPv4 IS-IS topology information.

Syntax show isis topology [l1 | l2 | level-1 | level-2]

You can specify one of l1, l2, level-1, or level-2 as the IS-IS routing level for which to
display topology information. The default is level-1.

Mode All

Example The following command shows IPv4 IS-IS topology information:

ACOS(config)#show isis topology

Area (null):
IS-IS paths to level-1 routers
System Id Metric Next-Hop Interface SNPA
0000.0000.0001 --
0000.0000.0002 10 0000.0000.0002 ethernet 2 001f.a010.a4a6

IS-IS paths to level-2 routers
System Id Metric Next-Hop Interface SNPA
0000.0000.0001 --
0000.0000.0002 10 0000.0000.0002 ethernet 2 001f.a010.a4a6
AX2600-1(config)#

Config Commands: Router – BGP

This chapter describes the syntax for the Border Gateway Protocol (BGP) commands. The commands are described in the
following sections:

• “Enabling BGP” on page 416

• “BGP Configuration Commands” on page 417

• “BGP Show Commands” on page 447

• “BGP Clear Commands” on page 458

NOTE: This CLI level also has the following commands, which are available at all configuration
levels:

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• do – See “do” on page 90.

• end – See “end” on page 93.

• exit – See “exit” on page 95.

• no – See “no” on page 135.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

Enabling BGP
To enable BGP on the ACOS device:

1. Enable the protocol and specify the Autonomous System (AS) number, using the following command at the global
configuration level of the CLI:
router bgp AS-num

The AS-num specifies the Autonomous System Number (ASN), which can be 1-4294967295. The ACOS device supports
configuration of one local AS.

2. Specify the ACOS device’s BGP router ID:
bgp router-id ipaddr

NOTE: It is strongly recommended to manually set a unique BGP router ID for each BGP
instance within the ACOS device's partitions.

3. Specify each of the ACOS device’s neighbor (peer) BGP routers:
neighbor neighbor-id remote-as AS-num

This is the minimum required configuration. Additional configuration may be required depending on your deployment.

NOTE: It is recommended to set a fixed router ID for all dynamic routing protocols you plan to
use on the ACOS device, to prevent router ID changes caused by VRRP-A failover. If you
do not explicitly configure the ACOS device’s BGP router ID, BGP sessions may be
reset whenever there is an interface state change.

BGP Configuration Commands


The commands in this section apply globally to the BGP process running on the ACOS device.

Commands at the Global Configuration Level


The commands in this section are available at the global configuration level of the CLI.

bgp extended-asn-cap
Description Enable the ACOS device to send 4-octet BGP Autonomous System Number (ASN)
capabilities.

Syntax [no] bgp extended-asn-cap

Default Disabled; 2-octet ASN capabilities are enabled instead.

Mode Configuration mode

bgp nexthop-trigger
Description Configure BGP nexthop tracking.

Syntax [no] bgp nexthop-trigger {delay seconds | enable}

Parameter Description
delay seconds Specifies how long BGP waits before walking the full BGP table
to determine which prefixes are affected by the nexthop changes,
after receiving a trigger about nexthop changes. You can specify
1-100 seconds.
enable Enables nexthop tracking.

Default BGP nexthop tracking is disabled by default. When you enable it, the default delay is
5 seconds.

Mode Configuration mode

Commands at the BGP Router Configuration Level


The commands in this section are available at the configuration level for the BGP routing process for an AS.

To access the BGP router configuration level, use the router protocol (router bgp, in this case) command at the global
configuration level of the CLI.

address-family
Description Configure address family parameters.

Syntax [no] address-family ipv6

This command changes the CLI to the configuration level for the specified address family,
where the following commands are available.

Command Description
[no] aggregate-address options See “aggregate-address” on page 420.
[no] auto-summary See “auto-summary” on page 420.
[no] bgp dampening options See “bgp dampening” on page 422.
[no] default-information originate See “default-information originate” on page 424.
[no] distance See “distance” on page 425.
[no] exit-address-family Exits the address-family configuration level.
[no] maximum-paths See “maximum-paths” on page 426.

[no] neighbor options The following neighbor commands are supported under the
address-family configuration level:
• neighbor neighbor-id activate
• neighbor neighbor-id advertisement-interval
• neighbor neighbor-id allowas-in
• neighbor neighbor-id as-origination-interval
• neighbor neighbor-id capability
• neighbor neighbor-id collide-established
• neighbor neighbor-id default-originate
• neighbor neighbor-id description
• neighbor neighbor-id disallow-infinite-holdtime
• neighbor neighbor-id distribute-list
• neighbor neighbor-id dont-capability-negotiate
• neighbor neighbor-id ebgp-multihop
• neighbor neighbor-id enforce-multihop
• neighbor neighbor-id fall-over
• neighbor neighbor-id filter-list
• neighbor neighbor-id maximum-prefix
• neighbor neighbor-id next-hop-self
• neighbor neighbor-id override-capability
• neighbor neighbor-id passive
• neighbor neighbor-id password
• neighbor neighbor-id peer-group
• neighbor neighbor-id prefix-list
• neighbor neighbor-id remote-as
• neighbor neighbor-id remove-private-as
• neighbor neighbor-id route-map
• neighbor neighbor-id send-community
• neighbor neighbor-id shutdown
• neighbor neighbor-id soft-reconfiguration
• neighbor neighbor-id strict-capability-match
• neighbor neighbor-id timers
• neighbor neighbor-id unsuppress-map
• neighbor neighbor-id update-source
• neighbor neighbor-id weight
[no] network options See “network” on page 443.
[no] redistribute options See “redistribute” on page 444.

Default None

Mode BGP

aggregate-address
Description Configure an aggregate address.

Syntax [no] aggregate-address ipaddr/mask-length [as-set] [summary-only]

Parameter Description
ipaddr/mask-length If you are using this command at the BGP configuration
level, specify an IPv4 aggregate network address.
If you are using the command at the address-family configuration
level, you must specify an IPv6 aggregate network address.
as-set Generates AS set path information.
summary-only Filters more specific routes from updates.

Default None

Mode BGP or address-family

auto-summary
Description Enable sending of summarized routes to BGP peers.

Syntax [no] auto-summary

Default Disabled

Mode BGP

bgp always-compare-med
Description Enable comparison of the Multi Exit Discriminators (MEDs) for paths from neighbors in different
ASs.

Syntax [no] bgp always-compare-med

Default Disabled. By default, MED comparison is done only among paths from the same AS.

Mode BGP

Introduced in Release 2.7.0

bgp bestpath
Description Configure options to select the best of multiple paths for a route.

Syntax [no] bgp bestpath {as-path [ignore] | compare-routerid}

Parameter Description
as-path [ignore] Specifies whether to consider the AS path when selecting the best
path for a route.
• To consider the AS path, use the as-path option without the
ignore option.
• To ignore the AS path, use the as-path ignore option.
compare-routerid Enables comparison of router IDs when comparing identical routes
received from different neighbors. In this case, the route from the
neighbor with the lowest router ID is selected.

Default This command has the following default settings:


• as-path – AS-path consideration is enabled by default.
• compare-routerid – BGP receives routes with identical eBGP paths from eBGP peers
and selects the first route received as the best path.

Mode BGP

bgp dampening
Description Configure the BGP response to route flapping, to minimize network disruption.

Syntax [no] bgp dampening {dampening-options | route-map map-name}

Parameter Description
dampening-options Configures the dampening options:
• reachability-half-life – Specifies the reachability half-life, which is the time
it takes the penalty to decrease to one-half of its current value. You can specify 1-45 minutes.
The default is 15 minutes.
• reuse-start – Specifies the reuse limit value. When the penalty for a suppressed
route decays below the reuse value, the routes become unsuppressed. You can specify
1-20000.
The default is 750.
• suppress-start – Specifies the suppress limit value. When the penalty for a route
exceeds the suppress value, the route is suppressed. You can specify 1-20000.
The default is 2000.
• max-suppress-duration – Specifies the maximum time that a dampened route
is suppressed. You can specify 1-255 minutes.
The default is 60 minutes (4 times the half-life time).
route-map map-name Applies the dampening settings only to routes that match the specified route map.

Default See descriptions.

Mode BGP
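
The following model shows how the four dampening options interact for a single flapping route. It is an added example, not A10 code: the penalty added per flap (1000) is an assumption, since this page does not state it, and the names `decay` and `simulate` are hypothetical.

```python
import math


def decay(penalty, minutes, half_life):
    """Penalty after `minutes` of decay; it halves every `half_life` minutes."""
    return penalty * 0.5 ** (minutes / half_life)


def simulate(flap_times, half_life=15.0, reuse=750, suppress=2000,
             max_suppress=60.0, per_flap=1000):
    """Return [("suppress" | "reuse", minute), ...] for one route.

    flap_times: minutes at which the route flapped.
    Defaults mirror reachability-half-life, reuse-start, suppress-start and
    max-suppress-duration as documented above.
    per_flap is an ASSUMPTION (not given on the page).
    """
    def release(penalty, last, since):
        # Minute at which the penalty has decayed to the reuse limit,
        # capped by max-suppress-duration counted from the suppression time.
        natural = last + half_life * math.log2(penalty / reuse)
        return min(natural, since + max_suppress)

    events = []
    penalty, last, since = 0.0, 0.0, None   # since = minute of suppression
    for t in sorted(flap_times):
        # Did the route become usable again before this flap arrived?
        if since is not None and release(penalty, last, since) <= t:
            events.append(("reuse", release(penalty, last, since)))
            since = None
        # Decay the old penalty up to now, then charge the new flap.
        penalty = decay(penalty, t - last, half_life) + per_flap
        last = t
        if since is None and penalty > suppress:
            events.append(("suppress", t))
            since = t
    if since is not None:
        events.append(("reuse", release(penalty, last, since)))
    return events


if __name__ == "__main__":
    # Constructed input: three flaps two minutes apart.
    for kind, minute in simulate([0, 2, 4]):
        print(f"{kind:8s} at minute {minute:.2f}")
```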

bgp default
Description Change BGP default settings.

Syntax [no] bgp default {ipv4-unicast | local-preference num}

Parameter Description
ipv4-unicast Activates IPv4 unicast for communication with peers.
By default, this is enabled.
local-preference num Specifies the local preference value for routes. You can
specify 0-4294967295.
The default is 100.

Default See descriptions.

Mode BGP

bgp deterministic-med
Description Enable comparison of the Multi Exit Discriminator (MED) values during selection of a route
among routes advertised by different peers in the same AS.

Syntax [no] bgp deterministic-med

Default Disabled

Mode BGP

Introduced in Release 2.7.0

bgp enforce-first-as
Description Enable the ACOS device to deny any updates received from an external neighbor that do not
have the neighbor’s configured AS at the beginning of the AS_PATH.

Syntax [no] bgp enforce-first-as

Default Enabled

Mode BGP

Introduced in Release 2.7.0

bgp fast-external-failover
Description Enable immediate reset of a BGP session if the interface used for the BGP connection goes
down.

Syntax [no] bgp fast-external-failover

Default Enabled

Mode BGP

bgp log-neighbor-changes
Description Enable logging of status change messages without enabling BGP debugging.

Syntax [no] bgp log-neighbor-changes

Default Disabled

Mode BGP

bgp nexthop-trigger-count
Description Configure display of BGP nexthop-tracking status.

Syntax [no] bgp nexthop-trigger-count num

Replace num with the count value, 0-127.

Mode BGP

bgp router-id
Description Configure the router ID.

Syntax [no] bgp router-id ipaddr

Replace ipaddr with the IPv4 address.

Default If a loopback interface is configured, the router ID is set to the IP address of the loopback
interface. If there are multiple loopback interfaces, the loopback interface with the highest
numbered IP address is used.

If there are no loopback interfaces, the interface with the highest numbered IP address is
used.

Mode BGP

bgp scan-time
Description Set the interval for BGP route next-hop scanning.

Syntax [no] bgp scan-time seconds

Replace seconds with the amount of time between scans. You can specify 0-60 seconds.

Default 60

Mode BGP

default-information originate
Description Enable advertisement of the default route in packets sent by this BGP instance.

A valid default route must exist and be verified to complete this configuration or the default
route will not be advertised.

Syntax [no] default-information originate

Default Disabled

Mode BGP

distance
Description Configure the administrative distance for BGP. The administrative distance is a rating of trustworthiness
of the BGP process relative to other routing processes running on the ACOS
device. The greater the distance, the lower the trust rating.

Syntax [no] distance {admin-distance ipaddr/mask-length [acl-id] | bgp external internal local}

Parameter Description
admin-distance ipaddr/mask-length [acl-id] Overrides the configured administrative distance for specific prefixes.
The acl-id option specifies an ACL that matches on the routes for which to override
the default administrative distance. If you do not use this option, the distance
is applied to all IPv4 BGP routes.
NOTE: This option is not available if you are configuring the distance at the
address-family configuration level.
bgp external internal local • external – Specifies the administrative distance (1-255) for BGP routes learned
from another AS.
The default external administrative distance is 20.
• internal – Specifies the administrative distance (1-255) for BGP routes learned
from a neighbor within the same AS.
The default internal administrative distance is 200.
• local – Specifies the administrative distance (1-255) for BGP routes redistributed
from another route source on this ACOS device.
The default local administrative distance is 200.

Default See descriptions.

Mode BGP

maximum-paths
Description Specify the maximum number of ECMP paths to a given route destination allowed for BGP.

Syntax [no] maximum-paths path-num

Replace path-num with the maximum number of paths to a given destination. You can
specify 1-10.

Default 1. BGP will install the single best ECMP route into the FIB used by the ACOS device to forward
traffic.

Mode BGP

neighbor neighbor-id activate


Description Enable the exchange of address family routes with a neighboring BGP router.

Syntax [no] neighbor neighbor-id activate

Replace neighbor-id with the ID of the neighbor, which can be one of the following types of
values:

• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.

Default N/A

Mode BGP

Usage After the TCP connection is opened with the neighbor, use this command to enable or disable
the exchange of address family information with the neighboring router.

neighbor neighbor-id advertisement-interval


Description Configure the minimum interval between transmission of BGP route updates to a neighbor.

Syntax [no] neighbor neighbor-id advertisement-interval seconds

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.
seconds Minimum interval between route updates. You can specify 0-600 seconds.

Default The advertisement interval has the following default settings:


• eBGP – 30 seconds
• iBGP – 5 seconds

Mode BGP

neighbor neighbor-id allowas-in


Description Allow re-advertisement of all prefixes containing duplicate AS numbers.

Syntax [no] neighbor neighbor-id allowas-in [occurrences]

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.
occurrences Maximum number of occurrences of a given AS number. You can
specify 1-10.

Default Disabled

Mode BGP

neighbor neighbor-id as-origination-interval


Description Configure the interval between transmission of AS origination route updates.

Syntax [no] neighbor neighbor-id as-origination-interval seconds

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.
seconds Time between AS origination route updates. You can specify 1-600
seconds.

Default 15 seconds

Mode BGP

neighbor neighbor-id capability


Description Configure capability settings for the ACOS device’s BGP communication with a neighbor.

Syntax [no] neighbor neighbor-id capability {dynamic | orf prefix-list {both | receive | send} | route-refresh}

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.
dynamic Enables the ACOS device to advertise or withdraw an address family capability with
the neighbor, without bringing down the BGP session with the peer.
orf prefix-list {both | receive | send} Enables Outbound Route Filtering (ORF) and advertises the ACOS device’s ORF
capability to the neighbor.
• both – ACOS device can send ORF entries to the neighbor, as well as receive ORF
entries from the neighbor.
• receive – ACOS device can receive ORF entries from the neighbor, but cannot
send ORF entries to the neighbor.
• send – ACOS device can send ORF entries to the neighbor, but cannot receive
ORF entries from the neighbor.
route-refresh Enables advertisement of route-refresh capability to the neighbor. When this option is
enabled, the ACOS device can dynamically request the neighbor to re-advertise its
Adj-RIB-Out.

Default None. (This assumes that the neighbor has no special capabilities or functions.)

Mode BGP

Usage BGP neighbors exchange ORFs to reduce the number of updates exchanged between neighbors.
By filtering updates, this option minimizes the generation and processing of updates.

The local router (ACOS device) advertises the ORF capability in send mode, and the remote
router receives the ORF capability in receive mode applying the filter as outbound policy.
The two routers exchange updates to maintain the ORF for each router. Only an individual
router or a peer group can be configured to be in receive or send mode. A peer-group
member cannot be configured to be in receive or send mode.

neighbor neighbor-id collide-established


Description Include the neighbor, if already in TCP established state, in conflict resolution if a TCP connection
collision is detected.

Syntax [no] neighbor neighbor-id collide-established

Replace neighbor-id with the ID of the neighbor, which can be one of the following types of
values:

• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.

Default Use this command only if necessary. Generally, the command is not required.

Inclusion of a neighbor with an established TCP connection into resolution of TCP
connection collision conflicts is automatically enabled when the neighbor is configured for
BGP graceful-restart.

Mode BGP

neighbor neighbor-id default-originate


Description Enable transmission of a default route (0.0.0.0) to a neighbor.

Syntax [no] neighbor neighbor-id default-originate [route-map map-name]

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.
map-name Route map that specifies the nexthop IP address.

Default Disabled

Mode BGP

neighbor neighbor-id description


Description Configure a description for a neighbor.

Syntax [no] neighbor neighbor-id description string [string ...]

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.
string String that describes the neighbor (up to 80 characters).

Default None

Mode BGP

neighbor neighbor-id disallow-infinite-holdtime


Description Prevent a neighbor from setting the holdtime to “infinite” (0 seconds).

Syntax [no] neighbor neighbor-id disallow-infinite-holdtime

Replace neighbor-id with the ID of the neighbor, which can be one of the following types of
values:

• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.

Default Disabled. Infinite holdtime is allowed.

Mode BGP

neighbor neighbor-id distribute-list


Description Filter route updates to or from a neighbor.

Syntax [no] neighbor neighbor-id distribute-list ip-access-list {in | out}

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.
ip-access-list Time between AS origination route updates. You can specify 1-600
seconds.
in | out Specifies the update direction to filter:
• in – Updates received from the neighbor are filtered.
• out – Updates sent to the neighbor are filtered before transmission.

Default None. By default, updates are not filtered.

Mode BGP

neighbor neighbor-id dont-capability-negotiate


Description Disable capability negotiation with a neighbor.

Syntax [no] neighbor neighbor-id dont-capability-negotiate

Replace neighbor-id with the ID of the neighbor, which can be one of the following types of
values:

• ipv4ipaddr – IPv4 address
• ipv6addr – IPv6 address
• tag – Name of a peer group

Default Capability negotiation is enabled by default.

Mode BGP

neighbor neighbor-id ebgp-multihop


Description Allow BGP connections with external peers on indirectly connected networks.

Syntax [no] neighbor neighbor-id ebgp-multihop [count]

Parameter Description
neighbor-id The IPv4 or IPv6 address of the neighbor router, or the router tag (1-128 characters).
count The maximum hop count to reach the neighbor (1-255).
If no count is specified, the default hop count is 1.

Replace count with the maximum number of hops allowed, 1-255.

Default Disabled by default.

Mode BGP

Introduced in Release 2.7.0

neighbor neighbor-id enforce-multihop


Description Require eBGP neighbors to perform multihop.

Syntax [no] neighbor neighbor-id enforce-multihop

Default Enabled

Mode BGP

Introduced in Release 2.7.0

neighbor neighbor-id fall-over


Description Enable neighbor fall-over detection.

Syntax [no] neighbor neighbor-id fall-over bfd

Mode BGP

Introduced in Release 2.7.2

neighbor neighbor-id filter-list


Description Filter route updates to or from a neighbor based on AS path.

Syntax [no] neighbor neighbor-id filter-list AS-path-access-list {in | out}

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types
of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.
AS-path-access-list AS path list. To configure an AS path list, use the following
command at the global configuration level of the CLI:
ip as-path access-list
in | out Specifies the update direction to filter:
• in – Updates received from the neighbor are filtered.
• out – Updates sent to the neighbor are filtered before
transmission.

Default None. By default, updates are not filtered.

Mode BGP

neighbor neighbor-id maximum-prefix


Description Configure the maximum number of network prefixes that can be received in route updates
from a neighbor.

Syntax [no] neighbor neighbor-id maximum-prefix num [threshold]

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types
of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.
num Maximum number of prefixes allowed. You can specify 1-1024.
The default is 128.
threshold Percentage of the allowed maximum at which a warning
message is generated. You can specify 1-100.
The default is 75 percent.

Default See descriptions.

Mode BGP

Usage If the maximum is reached, the ACOS device brings down the BGP session with the peer.

neighbor neighbor-id next-hop-self


Description Configure the ACOS device as the BGP next hop for a neighbor.

Syntax [no] neighbor neighbor-id next-hop-self

Replace neighbor-id with the ID of the neighbor, which can be one of the following types of
values:

• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.

Default Disabled

Mode BGP

neighbor neighbor-id override-capability


Description Override the results of capability negotiation with a neighbor.

Syntax [no] neighbor neighbor-id override-capability

Replace neighbor-id with the ID of the neighbor, which can be one of the following types of
values:

• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.

Default Disabled

Mode BGP

neighbor neighbor-id passive


Description Do not initiate a TCP connection with the specified neighbor, but allow the neighbor to initiate
a TCP connection with the ACOS device. Once the connection is up, BGP will work over
the connection.

Syntax [no] neighbor neighbor-id passive

Replace neighbor-id with the ID of the neighbor, which can be one of the following types of
values:

• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.

Default Disabled

Mode BGP

neighbor neighbor-id password


Description Enable MD5 authentication for sessions with a BGP neighbor.

Syntax [no] neighbor neighbor-id password encrypted string

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of values:
• tag – Neighbor tag.
• ipv4ipaddr – IPv4 address of the neighbor.
• ipv6addr – IPv6 address of the neighbor.
password string The string can be up to 80 characters long. The string can include the
printable ASCII characters, which are [0-9], [a-z], and [A-Z] and are fully
defined by hexadecimal value range 0x20-0x7e. The string cannot
begin with a blank space, and cannot contain any of the following
special characters: ' " < > & \ / ?
The password string is encrypted when viewing the running-config
and startup-config output.

Default Disabled

Mode BGP

Introduced in Release 2.7.0

Usage Message Digest 5 (MD5) authentication of TCP segments (as introduced in RFC 2385) provides
protection of BGP sessions via the TCP MD5 Signature Option. This feature is enabled
on a per-neighbor basis for the individual BGP peer configuration, and a password is
required. The password must be the same on the ACOS device and on the peer (BGP neighbor).

Example The following commands enable MD5 for the connection with eBGP neighbor 10.10.10.22:

ACOS(config)#router bgp 123
ACOS(config-router:device1)#neighbor 10.10.10.22 remote-as 456
ACOS(config-router:device1)#neighbor 10.10.10.22 password 1234567890abcde

neighbor neighbor-id peer-group


Description Add the ACOS device to a BGP peer group.

Syntax [no] neighbor neighbor-id peer-group group-name

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
group-name Name of the peer group.

Default None

Mode BGP

neighbor neighbor-id prefix-list


Description Use a prefix list to filter route updates to or from a neighbor.

Syntax [no] neighbor neighbor-id prefix-list list-name {in | out}

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types
of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.
list-name Name of the prefix list.
in | out Specifies the update direction to filter:
• in – Updates received from the neighbor are filtered.
• out – Updates sent to the neighbor are filtered before
transmission.

Default By default, updates are not filtered.

Mode BGP

Usage Filtering by prefix list matches the prefixes of routes with those listed in the prefix list. If there
is a match, the route is used. An empty prefix list permits all prefixes. If a given prefix does not
match any entries of a prefix list, the route is denied access. When multiple entries of a prefix
list match a prefix, the entry with the smallest sequence number is considered to be a real
match.

The ACOS device begins the search at the top of the prefix list, with rule sequence number 1.
Once a match or deny occurs, the ACOS device does not need to go through the rest of the
prefix list. For efficiency the most common matches or denies are listed at the top.

The neighbor distribute-list command is an alternative to the neighbor prefix-list
command. Only one of these commands can be used for filtering to the same neighbor in
any direction.
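
The matching rules in the Usage text above (lowest sequence number wins, an empty list permits everything, no match means deny) can be checked with a small model. This is an added example, not A10 code: the entries are constructed, the `ge`/`le` length bounds are an assumption about prefix-list entries that this page does not describe, and the names `Entry` and `evaluate` are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    seq: int                   # sequence number; lowest matching entry wins
    action: str                # "permit" or "deny"
    prefix: str                # e.g. "203.0.113.0/24"
    ge: Optional[int] = None   # ASSUMPTION: optional minimum prefix length
    le: Optional[int] = None   # ASSUMPTION: optional maximum prefix length

    def matches(self, route):
        net = ipaddress.ip_network(self.prefix)
        if route.version != net.version or not route.subnet_of(net):
            return False
        if self.ge is None and self.le is None:
            return route.prefixlen == net.prefixlen      # exact match only
        lo = self.ge if self.ge is not None else net.prefixlen
        hi = self.le if self.le is not None else route.max_prefixlen
        return lo <= route.prefixlen <= hi


def evaluate(entries, route):
    """Return (action, matching_seq) for one advertised prefix."""
    route = ipaddress.ip_network(route)
    if not entries:
        return ("permit", None)          # an empty prefix list permits all
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(route):
            return (entry.action, entry.seq)   # first match ends the search
    return ("deny", None)                # no entry matched: route is denied


def filter_updates(entries, routes):
    """Keep only the prefixes the list permits."""
    return [r for r in routes if evaluate(entries, r)[0] == "permit"]


# Constructed inbound policy, deliberately stored out of order.
INBOUND = [
    Entry(20, "permit", "203.0.113.0/24", le=25),
    Entry(5, "deny", "0.0.0.0/0"),               # default route only
    Entry(15, "deny", "203.0.113.128/25"),       # overlaps entry 20
    Entry(10, "deny", "10.0.0.0/8", le=32),      # any private 10/8 prefix
    Entry(30, "permit", "198.51.100.0/24"),
]

if __name__ == "__main__":
    for r in ["0.0.0.0/0", "10.1.2.0/24", "203.0.113.128/25",
              "203.0.113.0/25", "192.0.2.0/24"]:
        print(r, evaluate(INBOUND, r))
```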

neighbor neighbor-id remote-as


Description Configure an internal or external BGP (iBGP or eBGP) TCP session with another router.

Syntax [no] neighbor neighbor-id remote-as AS-num

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types
of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.
AS-num Neighbor’s AS number.

NOTE: AS number 23456 is a reserved 2-octet AS number. An old BGP speaker (2-byte
implementation) should be configured with 23456 as its remote AS number while
peering with a non-mappable new BGP speaker (4-byte implementation).

Default None

Mode BGP

neighbor neighbor-id remove-private-as


Description Remove the private AS number from outbound updates.

Syntax [no] neighbor neighbor-id remove-private-as

Default Disabled

Mode BGP

Introduced in Release 2.7.0

neighbor neighbor-id route-map


Description Apply a route map to incoming or outgoing routes.

Syntax [no] neighbor neighbor-id route-map map-name {in | out}

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.
map-name Name of the route map.
in | out Specifies the traffic direction to which to apply the route map:
• in – The route map is applied to routes received from the neighbor.
• out – The route map is applied to routes sent to the neighbor.

Default None

Mode BGP

neighbor neighbor-id send-community


Description Send community attributes to a neighbor.

Syntax [no] neighbor neighbor-id send-community [both | none | extended | standard]

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.
both Sends both standard and extended community attributes.
none Disables the sending of community attributes.
extended Sends only extended community attributes.
standard Sends only standard community attributes.

Default By default, both standard and extended community attributes are sent to a neighbor. To
explicitly send only the standard or extended community attribute, run the bgp config-type
command with the standard parameter, before running this command.

Mode BGP

Usage The community attribute groups destinations in a certain community and applies routing
decisions according to those communities. Upon receiving community attributes, the ACOS
device re-announces them to the neighbor.

To prevent community attributes from being re-announced to the neighbor, use the “no”
form of this command.

neighbor neighbor-id shutdown


Description Disable a neighbor.

Syntax [no] neighbor neighbor-id shutdown

Replace neighbor-id with the ID of the neighbor, which can be one of the following types of
values:

• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.

Default None

Mode BGP

Usage This command shuts down any active session for the specified neighbor and clears all
related routing data.

neighbor neighbor-id soft-reconfiguration


Description Configure the ACOS device to begin storing updates, without any consideration of the
applied route policy.

Syntax [no] neighbor neighbor-id soft-reconfiguration inbound

Replace neighbor-id with the ID of the neighbor, which can be one of the following types of
values:

• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.

Default Disabled

Mode BGP

Usage Use this command to store updates for inbound soft reconfiguration. Soft-reconfiguration
can be used as an alternative to BGP route refresh capability. Using this command enables
local storage of all the received routes and their attributes. When a soft reset (inbound) is
performed on the neighbor, the locally stored routes are reprocessed according to the
inbound policy. The BGP neighbor connection is not affected.

neighbor neighbor-id strict-capability-match


Description Close the BGP connection to a neighbor if a capability value does not completely match the
value on the ACOS device.

Syntax [no] neighbor neighbor-id strict-capability-match

Replace neighbor-id with the ID of the neighbor, which can be one of the following types of
values:

• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.

Default Enabled

Mode BGP

neighbor neighbor-id timers


Description Configure the timers for a neighbor.

Syntax [no] neighbor neighbor-id timers {interval holdtime | connect seconds}

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.
interval holdtime The interval specifies the amount of time between transmission of keepalive
messages to the neighbor. You can specify 0-65535 seconds.
The holdtime specifies the maximum amount of time the ACOS device
will wait for a keepalive message from the neighbor before declaring
the neighbor dead. You can specify 0-65535 seconds.
The default interval is 60 seconds, and the default holdtime is 180 seconds.
connect seconds Connect timer. You can specify 0-65535 seconds. In ACTIVE state, the
BGP router (ACOS device) will accept an incoming connection request
from the peer before the connect time expires.
The default connect time is 0.

Default See descriptions.

Mode BGP

neighbor neighbor-id unsuppress-map


Description Selectively leak more-specific routes to a neighbor.

Syntax [no] neighbor neighbor-id unsuppress-map map-name

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.
map-name Name of the route map used to select routes to be unsuppressed.

Default Disabled

Mode BGP

Usage When the aggregate-address command is used with the summary-only option, the
more-specific routes of the aggregate are suppressed to all neighbors. Use the unsuppress-
map command to selectively leak more-specific routes to a particular neighbor.

neighbor neighbor-id update-source


Description Allows BGP sessions to use specific source IP address or interface for TCP connections with a
neighbor.

Syntax [no] neighbor neighbor-id update-source source

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.
source Source IP address or interface name.
NOTE: It is highly recommended to specify an IP address instead of an
interface name. When multiple IP addresses are configured at one
interface, ACOS will choose the lowest IP address as source IP address.

Default IP address of the outgoing interface to the neighbor.

Mode BGP


neighbor neighbor-id weight


Description Assign a weight value to routes learned from a neighbor.

Syntax [no] neighbor neighbor-id weight num

Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of values:
• ipv4ipaddr – IPv4 address.
• ipv6addr – IPv6 address.
• tag – Name of a peer group.
num Weight value assigned to routes learned from the neighbor. You can
specify 0-65535.

Default Default weight: 0 (zero)

Mode BGP

Usage Use this command to specify a weight value, per address-family, to all routes learned from a
neighbor. The route with the highest weight gets preference when the same prefix is learned
from more than one peer.

Unlike the local-preference attribute, the weight attribute is relevant only to the local
router.

The weights assigned using the set weight command override the weights assigned using
this command.

When the weight is set for a peer group, all members of the peer group will have the same
weight. The command can also be used to assign a different weight to a particular peer-
group member. When a separately configured weight of the peer-group member is
unconfigured, its weight will be reset to its peer group’s weight.

network
Description Specify the networks to be advertised by the ACOS device’s BGP routing process.

Syntax [no] network {ipaddr/mask-length | ipaddr [mask network-mask]}
[backdoor]
[community community-list]
[route-map map-name]

Parameter Description
ipaddr/mask-length | ipaddr IPv4 Network address and mask.
NOTE: If you are using this command under
the address-family configuration level, you can
only specify an IPv6 address and mask length:
ipv6addr/mask-length
backdoor Specify a backdoor BGP route.
community community-list Match the specified BGP community list.
route-map map-name Route map used to set or modify a value.

Default None

Mode BGP

Usage A unicast network address without a mask is accepted if it falls into the natural boundary of
its class. A class-boundary mask is derived if the address matches its natural class-boundary.

redistribute
Description Redistribute route information from other sources into BGP.

Syntax [no] redistribute
{
connected [route-map map-name] |
floating-ip [route-map map-name] |
ip-nat [route-map map-name] |
ip-nat-list [route-map map-name] |
isis [route-map map-name] |
lw4o6 [options] |
nat64 [route-map map-name] |
ospf [route-map map-name] |
rip [route-map map-name] |
static [route-map map-name] |
vip
[only-flagged [route-map map-name] |
only-not-flagged [route-map map-name] |
[route-map map-name]]
}

Parameter Description
connected [route-map map-name] Redistributes route information for directly connected networks
into BGP. The route-map option specifies the name of a config-
ured route map.
floating-ip [route-map map-name] Redistributes route information for floating IP addresses into BGP.
The route-map option specifies the name of a configured route
map.
ip-nat [route-map map-name] Redistributes routes into BGP for reaching translated NAT
addresses allocated from a pool. The route-map option speci-
fies the name of a configured route map.
ip-nat-list [route-map map-name] Redistributes routes into BGP for reaching translated NAT
addresses allocated from a range list. The route-map option
specifies the name of a configured route map.
isis [route-map map-name] Redistributes route information from Intermediate System to
Intermediate System (IS-IS) into BGP. The route-map option
specifies the name of a configured route map.
lw4o6 [options] Redistributes routes into BGP for Lightweight 4over6. (This is an
IPv6 Migration feature.)
nat64 [route-map map-name] Redistributes routes into BGP for Nat64. The route-map option
specifies the name of a configured route map.
NOTE: This option is only available for the redistribute com-
mand under the address-family configuration level.
ospf [route-map map-name] Redistributes route information from Open Shortest Path First
(OSPF) into BGP. The route-map option specifies the name of a
configured route map.
static [route-map map-name] Redistributes routes into BGP for reaching networks through
static routes. The route-map option specifies the name of a
configured route map.
vip [only-flagged [route-map map-name] | only-not-flagged [route-map map-name] | [route-map map-name]]
Redistributes routes into BGP for reaching virtual server IP addresses.
By default, all VIPs are redistributed when you use the vip option. To restrict redistribution to a subset of VIPs, use one of the following options:
• only-flagged – Redistributes only the VIPs on which the redistribution-flagged command is used.
• only-not-flagged – Redistributes all VIPs except those on which the redistribution-flagged command is used.
For more information, see the “Usage” section of this command.
The route-map option specifies the name of a configured route map.


Default None

Mode BGP

synchronization
Description Enable IGP synchronization of iBGP learned routes.

Syntax [no] synchronization

Default Disabled

Mode BGP

Introduced in Release 2.7.0

Usage Enable synchronization if the ACOS device should not advertise routes learned from iBGP
neighbors, unless those routes also are present in an IGP (for example, OSPF). Synchroniza-
tion may be enabled when all the routers in an AS do not speak BGP and the AS is a transit
for other ASs.

timers
Description Configure the BGP keepalive and holdtime timer values.

Syntax [no] timers bgp interval holdtime

Parameter Description
interval Specifies the amount of time between transmission of keepalive mes-
sages to neighbors. You can specify 0-65535 seconds.
holdtime Specifies the maximum amount of time the ACOS device will wait for
a keepalive message from a neighbor before declaring the neighbor
dead. You can specify 0-65535 seconds.

Default The default interval is 30 seconds. The default holdtime is 90 seconds.

Mode BGP


BGP Show Commands


This section lists the BGP show commands.

show ip bgp ipv4addr


Description Display BGP network information for IPv4.

Syntax show ip bgp {ipv4addr | ipv4addr/mask-length [longer-prefixes]}

Parameter Description
ipv4addr | ipv4addr/mask-length IPv4 prefix and mask length.
longer-prefixes Include prefixes that have a longer mask than the one specified.

Mode All

Example Ths

ACOS#show ip bgp 192.10.23.67


BGP table version is 7, local router ID is 80.80.80.80
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP,? - incomplete
Network Next Hop Metric LocPrf Weight Path
S>i10.70.0.0/24 192.10.23.67 0 100 0 ?
S>i30.30.30.30/32 192.10.23.67 0 100 0 ?
S>i63.63.63.1/32 192.10.23.67 0 100 0 ?
S>i67.67.67.67/32 192.10.23.67 0 100 0 ?
S>i172.22.10.0/24 192.10.23.67 0 100 0 ?
S>i192.10.21.0 192.10.23.67 0 100 0 ?
S>i192.10.23.0 192.10.23.67 0 100 0 ?
Total number of prefixes 7
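
The following is an added example, not part of the A10 documentation: a Python parser for the table above that a reviewer could use to check learned prefixes against an expected set. It assumes a Network entry printed without a mask (such as 192.10.21.0) carries its natural class-boundary mask, as described in the Usage note of the network command; the ALLOWED aggregates and all function names are hypothetical.

```python
import ipaddress
import re

# Rows copied from the page's "show ip bgp 192.10.23.67" example output.
SAMPLE = """\
BGP table version is 7, local router ID is 80.80.80.80
Network Next Hop Metric LocPrf Weight Path
S>i10.70.0.0/24 192.10.23.67 0 100 0 ?
S>i30.30.30.30/32 192.10.23.67 0 100 0 ?
S>i63.63.63.1/32 192.10.23.67 0 100 0 ?
S>i67.67.67.67/32 192.10.23.67 0 100 0 ?
S>i172.22.10.0/24 192.10.23.67 0 100 0 ?
S>i192.10.21.0 192.10.23.67 0 100 0 ?
S>i192.10.23.0 192.10.23.67 0 100 0 ?
Total number of prefixes 7
"""

# Legends taken from the "Status codes" and "Origin codes" lines of the output.
STATUS = {"s": "suppressed", "d": "damped", "h": "history", "*": "valid",
          ">": "best", "i": "internal", "S": "stale"}
ORIGIN = {"i": "IGP", "e": "EGP", "?": "incomplete"}

# Hypothetical aggregates this device is expected to learn (assumption).
ALLOWED = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.10.0.0/16")]

ROW = re.compile(
    r"^(?P<flags>[sdh*>iS ]*)"
    r"(?P<net>\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s+"
    r"(?P<nexthop>\S+)\s+(?P<rest>.+)$")


def natural_prefixlen(address):
    """Classful (natural) prefix length for a unicast IPv4 address."""
    first_octet = int(address) >> 24
    if first_octet < 128:
        return 8            # class A
    if first_octet < 192:
        return 16           # class B
    if first_octet < 224:
        return 24           # class C
    raise ValueError(f"{address} is class D/E and has no natural unicast mask")


def resolve_network(text):
    """Return the network for 'a.b.c.d/len' or a mask-less 'a.b.c.d'.

    A mask-less address is accepted only if it sits exactly on its natural
    class boundary; otherwise ipaddress raises ValueError (host bits set).
    """
    if "/" in text:
        return ipaddress.IPv4Network(text)
    address = ipaddress.IPv4Address(text)
    return ipaddress.IPv4Network((int(address), natural_prefixlen(address)))


def parse_row(line):
    """Parse one route row; return None for headers and other lines."""
    m = ROW.match(line)
    if not m:
        return None
    tokens = m["rest"].split()
    # Assumes Metric, LocPrf and Weight are all present, as in the sample.
    if len(tokens) < 4 or tokens[-1] not in ORIGIN:
        return None
    metric, local_pref, weight = (int(t) for t in tokens[:3])
    return {
        "flags": [STATUS[c] for c in m["flags"] if c != " "],
        "network": resolve_network(m["net"]),
        "next_hop": ipaddress.IPv4Address(m["nexthop"]),
        "metric": metric, "local_pref": local_pref, "weight": weight,
        "as_path": tokens[3:-1],          # empty for locally originated iBGP
        "origin": ORIGIN[tokens[-1]],
    }


def parse_table(text):
    rows = (parse_row(line) for line in text.splitlines())
    return [r for r in rows if r is not None]


def unexpected_routes(routes, allowed):
    """Routes whose prefix is not inside any allowed aggregate."""
    return [r for r in routes
            if not any(r["network"].subnet_of(a) for a in allowed)]


if __name__ == "__main__":
    for route in unexpected_routes(parse_table(SAMPLE), ALLOWED):
        print("unexpected:", route["network"], "via", route["next_hop"],
              ",".join(route["flags"]))
```
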


show bgp ipv6addr


Description Display BGP network information for IPv6.

Syntax show bgp {ipv6addr | ipv6addr/mask-length [longer-prefixes]}

Parameter Description
ipv6addr | ipv6addr/mask-length IPv6 prefix and mask length.
longer-prefixes Include prefixes that have a longer mask than the one specified.

Mode All

show [ip] bgp ipv4 {multicast | unicast}


Description Display BGP information for IPv4.

Syntax show [ip] bgp ipv4 {multicast | unicast}
[
ipv4addr |
ipv4addr/mask-length |
community [community-number] [exact-match]
[local-AS] [no-advertise] [no-export] |
community-list list-name [exact-match] |
dampening {dampened-paths | flap-statistics | parameters} |
filter-list list-name |
inconsistent-as |
neighbors [ipv4addr | ipv6addr
[advertised-routes | received prefix-filter | received-routes |
routes]] |
paths |
prefix-list list-name |
quote-regexp string |
regexp string [string ...] |
route-map map-name |
summary
]

Parameter Description
multicast | unicast Specifies the IPv4 address family for which to display information.
ipv4addr | ipv4addr/mask-length Network and mask information.
community [community-number] [options] Displays routes matching the communities. Enter the community number in AA:NN format.
The following options are supported:
• exact-match – Displays only communities that exactly match.
• local-AS – Displays only communities that are not sent outside the local AS.
• no-advertise – Displays only communities that are not advertised to neighbors.
• no-export – Displays only communities that are not exported to the next AS.
community-list list-name [exact-match] Displays routes matching the specified community list. The exact-match option displays only the routes that have exactly the same communities.
dampening {options} Displays route-flap dampening information. You must specify one of the following options:
• dampened-paths – Displays paths suppressed due to dampening.
• flap-statistics – Displays flap statistics for routes.
• parameters – Displays details for configured dampening parameters.
filter-list list-name Displays routes that match the specified filter list.
inconsistent-as Displays routes that have inconsistent AS Paths.
neighbors [ipv4addr | ipv6addr [options]] Displays detailed information about TCP and BGP neighbor connections.
The following options are supported:
• advertised-routes – Displays the routes advertised to a BGP neighbor.
• received prefix-filter – Displays all received routes, both accepted and rejected.
• received-routes – Displays the received routes from neighbor. To display all the received routes from the neighbor, configure BGP soft reconfiguration first.
• routes – Displays all accepted routes learned from neighbors.
paths Displays path information.
prefix-list list-name Displays routes that match the specified prefix list.
quote-regexp string Displays routes that match the specified AS-path regular expression.
Enclose the regular expression string in double quotation marks (example:
“regexp-string-1”).
regexp string [string ...] Displays routes that match the specified AS-path regular expression(s).
route-map map-name Displays routes that match the specified route map.
summary Displays a summary of BGP neighbor status.


Mode All

show bgp ipv4 neighbors


Description Display information about IPv4 BGP neighbors.

Syntax show bgp ipv4 neighbors


[ipv4addr | ipv6addr
[advertised-routes |
received prefix-filter |
received-routes |
routes]]

Parameter Description
ipv4addr | ipv6addr Network and mask information.
advertised-routes Displays the routes advertised to a BGP neighbor.
received prefix-filter Displays all received routes, both accepted and rejected.
received-routes Displays the received routes from neighbor. To display all
the received routes from the neighbor, configure BGP soft
reconfiguration first.
routes Displays all accepted routes learned from neighbors.

Mode All

show bgp ipv4 prefix-list


Description Display IPv4 routes that match the specified prefix list.

Syntax show bgp ipv4 prefix-list list-name

Mode All

show bgp ipv4 quote-regexp


Description Display IPv4 routes that match the specified AS-path regular expression. Enclose the regular
expression string in double quotation marks (example: “regexp-string-1”).

Syntax show bgp ipv4 quote-regexp string

Mode All


show bgp ipv4 summary


Description Display a summary of BGP IPv4 neighbor status.

Syntax show bgp ipv4 summary

Mode All

show bgp ipv6


Description Display BGP information for IPv6.

Syntax show bgp ipv6


[
ipv6addr |
ipv6addr/mask-length |
community [community-number] [options]
[local-AS] [no-advertise] [no-export] |
community-list list-name [exact-match] |
dampening {dampened-paths | flap-statistics | parameters} |
filter-list list-name |
inconsistent-as |
multicast {ipv6addr | ipv6addr/mask-length [longer-prefixes]} |
neighbors [ipv4addr | ipv6addr
[advertised-routes | received prefix-filter | received-routes |
routes]] |
paths |
prefix-list list-name |
quote-regexp string |
regexp string [string ...] |
route-map map-name |
summary |
unicast {ipv6addr | ipv6addr/mask-length [longer-prefixes]} |
view view-name
]

Parameter Description
ipv6addr | ipv6addr/mask-length Network and mask information.
community [community-number] [options] Displays routes for communities. Enter the community number in AA:NN format.
The following options are supported:
• exact-match – Displays only communities that exactly match.
• local-AS – Displays only communities that are not sent outside the local AS.
• no-advertise – Displays only communities that are not advertised to neighbors.
• no-export – Displays only communities that are not exported to the next AS.
community-list list-name [exact-match] Displays routes matching the specified community list. The exact-match option displays only the routes that have exactly the same communities.

dampening {options} Displays route-flap dampening information. You must specify one of the following options:
• dampened-paths – Displays paths suppressed due to dampening.
• flap-statistics – Displays flap statistics for routes.
• parameters – Displays details for configured dampening parameters.
filter-list list-name Displays routes that match the specified filter list.
inconsistent-as Displays routes that have inconsistent AS Paths.
multicast {ipv6addr | ipv6addr/mask-length [longer-prefixes]} Displays IPv6 routes for the specified multicast address family.
The longer-prefixes option includes prefixes that have a longer mask than the one specified.
neighbors [ipv4addr | ipv6addr [options]] Displays detailed information about TCP and BGP neighbor connections. The following options are supported:
• advertised-routes – Displays the routes advertised to a BGP neighbor.
• received prefix-filter – Displays all received routes, both accepted and rejected.
• received-routes – Displays the received routes from neighbor. To display all the received routes from the neighbor, configure BGP soft reconfiguration first.
• routes – Displays all accepted routes learned from neighbors.
paths Displays BGP path information.
prefix-list list-name Displays routes that match the specified prefix list.
quote-regexp string Displays routes that match the specified AS-path regular expression. Enclose the regular expression string in double quotation marks (example: “regexp-string-1”).
regexp string [string ...] Displays routes that match the specified AS-path regular expression(s).
route-map map-name Displays routes that match the specified route map.
summary Displays a summary of BGP neighbor status.
unicast {ipv6addr | ipv6addr/mask-length [longer-prefixes]} Displays IPv6 routes for the specified unicast address family. The longer-prefixes option includes prefixes that have a longer mask than the one specified.
view view-name Displays neighbors within the specified view.

Mode All

show bgp nexthop-tracking


Description Display the status of nexthop address tracking.

Syntax show bgp nexthop-tracking

Mode All


show bgp nexthop-tree-details


Description Display nexthop tree details.

Syntax show bgp nexthop-tree-details

Mode All

show ip bgp attribute-info


Description Display internal attribute hash information.

Syntax show ip bgp attribute-info

Mode All

show ip bgp cidr-only


Description Display routes with non-natural network masks.

Syntax show ip bgp cidr-only

Mode All

show [ip] bgp community


Description Display routes for communities.

Syntax show [ip] bgp community [community-number]


[exact-match] [local-AS] [no-advertise] [no-export]

Parameter Description
community-number Community number, in AA:NN format.
exact-match Displays only communities that exactly match.
local-AS Displays only communities that are not sent outside the local AS.
no-advertise Displays only communities that are not advertised to neighbors.
no-export Displays only communities that are not exported to the next AS.

Mode All

show ip bgp community-info


Description Display all BGP community information.

Syntax show ip bgp community-info

Mode All


show [ip] bgp community-list


Description Display routes for a specific community list.

Syntax show [ip] bgp community-list list-name [exact-match]

Parameter Description
list-name Displays routes matching the specified community list.
exact-match Displays only the routes that have exactly the same communities.

Mode All

show [ip] bgp dampening


Description Display route-flap dampening information.

Syntax show [ip] bgp dampening


{dampened-paths | flap-statistics | parameters}

Parameter Description
dampened-paths Displays paths suppressed due to dampening.
flap-statistics Displays flap statistics for routes.
parameters Displays details for configured dampening parameters.

Mode All

show [ip] bgp filter-list


Description Display routes that match a specific filter list.

Syntax show [ip] bgp filter-list list-name

Mode All

show [ip] bgp inconsistent-as


Description Display routes that have inconsistent AS Paths.

Syntax show [ip] bgp inconsistent-as

Mode All


show [ip] bgp neighbors


Description Display information about BGP neighbors.

Syntax show [ip] bgp neighbors


[
ipv4addr | ipv6addr
[
advertised-routes |
received prefix-filter |
received-routes |
routes |
]
]

Parameter Description
ipv4addr | ipv6addr Network and mask information.
advertised-routes Displays the routes advertised to a BGP neighbor.
received prefix-filter Displays all received routes, both accepted and rejected.
received-routes Displays the received routes from neighbor. To display all the received routes from
the neighbor, configure BGP soft reconfiguration first.
routes Displays all accepted routes learned from neighbors.

Mode All

Example The following example shows output for this command.

ACOS#show ip bgp neighbors


BGP neighbor is 192.10.23.67, remote AS 1, local AS 1, internal link
BGP version 4, remote router ID 172.22.10.10
BGP state = Established, up for 00:00:22
Last read 00:00:22, hold time is 240, keepalive interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received (old and new)
Address family IPv4 Unicast: advertised and received
Received 3 messages, 0 notifications, 0 in queue
Sent 3 messages, 0 notifications, 0 in queue
Route refresh request: received 0, sent 0
Minimum time between advertisement runs is 5 seconds
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1
Index 1, Offset 0, Mask 0x2
AF-dependant capabilities:
Graceful restart: advertised, received
Community attribute sent to this neighbor (both)
0 accepted prefixes
0 announced prefixes


Connections established 1; dropped 0


Graceful-restart Status:
Remote restart-time is 120 sec
Local host: 192.10.23.80, Local port: 33837
Foreign host: 192.10.23.67, Foreign port: 179
Nexthop: 192.10.23.80
Nexthop global: 1111::80
Nexthop local: fe80::203:47ff:fe97:bb79
BGP connection: non shared network
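
The following is an added example, not part of the A10 documentation: a Python audit of show ip bgp neighbors output that flags sessions a reviewer would want to look at. The first neighbor is an abridged copy of the output above; the second neighbor, the EXPECTED_PEERS allowlist, the function names and the 1:3 keepalive-to-holdtime check (the ratio of the defaults documented for the timers commands) are assumptions made for the example.

```python
import re

# First neighbor: abridged from the page's example output.
# Second neighbor: constructed for this example so the checks have
# something to flag.
SAMPLE = """\
BGP neighbor is 192.10.23.67, remote AS 1, local AS 1, internal link
BGP version 4, remote router ID 172.22.10.10
BGP state = Established, up for 00:00:22
Last read 00:00:22, hold time is 240, keepalive interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received (old and new)
Address family IPv4 Unicast: advertised and received
Route refresh request: received 0, sent 0
0 accepted prefixes
Connections established 1; dropped 0
Local host: 192.10.23.80, Local port: 33837
Foreign host: 192.10.23.67, Foreign port: 179
BGP neighbor is 198.51.100.9, remote AS 64512, local AS 1, external link
BGP version 4, remote router ID 198.51.100.9
BGP state = Active
Last read 00:10:00, hold time is 0, keepalive interval is 0 seconds
Connections established 4; dropped 4
"""

# Hypothetical allowlist: peer address -> remote AS expected for that peer.
EXPECTED_PEERS = {"192.10.23.67": 1}

FIELDS = {
    "neighbor": r"BGP neighbor is ([0-9A-Fa-f.:]+),",
    "remote_as": r"remote AS (\d+)",
    "state": r"BGP state = (\w+)",
    "hold_time": r"hold time is (\d+)",
    "keepalive": r"keepalive interval is (\d+)",
    "dropped": r"dropped (\d+)",
}

# Capability lines look like "<name>: advertised and received (...)".
# Counter lines such as "Route refresh request: received 0, sent 0" do not match.
CAPABILITY = re.compile(
    r"^[ \t]*([^:\n]+): ((?:advertised and received|advertised|received)"
    r"(?: \(.*\))?)$", re.M)


def parse_neighbors(text):
    """Split the output into one dict per 'BGP neighbor is' block."""
    neighbors = []
    for body in text.split("BGP neighbor is ")[1:]:
        block = "BGP neighbor is " + body
        entry = {}
        for name, pattern in FIELDS.items():
            m = re.search(pattern, block)
            value = m.group(1) if m else None
            entry[name] = int(value) if value and value.isdigit() else value
        entry["capabilities"] = dict(CAPABILITY.findall(block))
        neighbors.append(entry)
    return neighbors


def audit(n, expected_peers):
    """Return a list of findings for one parsed neighbor."""
    findings = []
    if expected_peers.get(n["neighbor"]) != n["remote_as"]:
        findings.append("peer/AS pair is not in the expected-peer list")
    if n["state"] != "Established":
        findings.append(f"session state is {n['state']}")
    if n["hold_time"] == 0:
        # RFC 4271: a hold time of zero means no keepalives are exchanged,
        # so a dead peer is never timed out.
        findings.append("hold time is 0: keepalives disabled")
    elif (n["hold_time"] is not None and n["keepalive"] is not None
          and n["keepalive"] * 3 > n["hold_time"]):
        findings.append("keepalive interval exceeds one third of hold time")
    if n["dropped"]:
        findings.append(f"{n['dropped']} dropped connections")
    return findings


if __name__ == "__main__":
    for neighbor in parse_neighbors(SAMPLE):
        for finding in audit(neighbor, EXPECTED_PEERS):
            print(neighbor["neighbor"], "-", finding)
```
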

show bgp nexthop-tracking


Description Use this command to display BGP nexthop-tracking status.

Syntax show bgp nexthop-tracking

Mode All

show bgp nexthop-tree-details


Description Use this command to display BGP nexthop-tree details.

Syntax show bgp nexthop-tree-details

Mode All

show [ip] bgp paths


Description Display BGP path information.

Syntax show [ip] bgp paths

Mode All

show [ip] bgp prefix-list


Description Display routes that match a specific prefix list.

Syntax show [ip] bgp prefix-list list-name

Mode All


show [ip] bgp quote-regexp


Description Display routes that match the specified AS-path regular expression. Enclose the regular
expression string in double quotation marks (example: “regexp-string-1”).

Syntax show [ip] bgp quote-regexp string

Mode All

show [ip] bgp regexp


Description Display routes that match the specified AS-path regular expression(s).

Syntax show [ip] bgp regexp string [string ...]

Mode All

show [ip] bgp route-map


Description Display routes that match the specified route map.

Syntax show [ip] bgp route-map map-name

Mode All

show ip bgp scan


Description Display BGP scan status.

Syntax show ip bgp scan

Mode All

Example Below is an example output for this command.

ACOS#show ip bgp scan


BGP scan is running
BGP scan interval is 60
BGP instance: AS is 11,DEFAULT
Current BGP nexthop cache:
BGP connected route:
10.10.10.0/24
10.10.11.0/24


show [ip] bgp summary


Description Display a summary of BGP neighbor status.

Syntax show [ip] bgp summary

Mode All

show ip bgp view


Description Display neighbors of a specific view.

Syntax show ip bgp view view-name


[
ipv4addr |
ipv4addr/mask-length |
ipv4 {multicast | unicast} summary |
neighbors [ipv4addr | ipv6addr] |
summary
]

Parameter Description
view-name Name of the view.
ipv4addr | ipv4addr/mask-length Prefix and mask.
ipv4 {multicast | unicast} summary Displays information for the specified IPv4 address family.
neighbors [ipv4addr | ipv6addr] Displays information for the specified neighbor.
summary Displays summary neighbor information.

Mode All

Example The following example shows sample output for this command.

BGP Clear Commands


This section lists the BGP clear commands.


clear [ip] bgp {* | AS-num}


Description Reset the BGP connection to all neighbors or a specific neighbor.

Syntax clear [ip] bgp {* | AS-num}


[in [prefix-filter] | out | soft [in | out]]

Parameter Description
in [prefix-filter] Clears incoming advertised routes. The prefix-filter option
pushes out prefix-list outbound routing filters, and performs
inbound soft reconfiguration.
out Clears outgoing advertised routes.
soft {in | out} Activates routing policy changes without resetting the BGP
neighbor connection.
in – Requests route updates from the specified neighbor.
out – Sends route updates to the specified neighbor.

Mode Privileged EXEC and all configuration levels

clear [ip] bgp ipv4addr


Description Reset the BGP connection for a specific IPv4 neighbor.

Syntax clear [ip] bgp ipv4addr


[in [prefix-filter] | out | soft [in | out]]

Parameter Description
in [prefix-filter] Clears incoming advertised routes. The prefix-filter option
pushes out prefix-list outbound routing filters, and performs
inbound soft reconfiguration.
out Clears outgoing advertised routes.
soft {in | out} Activates routing policy changes without resetting the BGP
neighbor connection.
in – Requests route updates from the specified neighbor.
out – Sends route updates to the specified neighbor.

Mode Privileged EXEC and all configuration levels


clear [ip] bgp ipv6addr


Description Reset the BGP connection for a specific IPv6 neighbor.

Syntax clear [ip] bgp ipv6addr


[in [prefix-filter] | out | soft [in | out]]

Parameter Description
in [prefix-filter] Clears incoming advertised routes. The prefix-filter option
pushes out prefix-list outbound routing filters, and performs
inbound soft reconfiguration.
out Clears outgoing advertised routes.
soft {in | out} Activates routing policy changes without resetting the BGP
neighbor connection.
in – Requests route updates from the specified neighbor.
out – Sends route updates to the specified neighbor.

Mode Privileged EXEC and all configuration levels

clear [ip] bgp external


Description Reset the BGP connection to external neighbors.

Syntax clear [ip] bgp external


[in [prefix-filter] | out | soft [in | out]]

Parameter Description
in [prefix-filter] Clears incoming advertised routes. The prefix-filter option
pushes out prefix-list outbound routing filters, and performs
inbound soft reconfiguration.
out Clears outgoing advertised routes.
soft {in | out} Activates routing policy changes without resetting the BGP
neighbor connection.
in – Requests route updates from the specified neighbor.
out – Sends route updates to the specified neighbor.

Mode Privileged EXEC and all configuration levels


clear [ip] bgp ipv4


Description Reset dampened routes or route-flap statistics counters and history for IPv4.

Syntax clear [ip] bgp ipv4 {multicast | unicast}


{dampening | flap-statistics}
[ipv4addr | ipv4addr/mask-length]

Parameter Description
dampening Resets dampened routes.
flap-statistics Resets route-flap statistics and history.
ipv4addr | ipv4addr/mask-length Resets dampened routes or route-flap statistics and history only for the specified IPv4 prefix.

Mode Privileged EXEC and all configuration levels

clear [ip] bgp ipv6


Description Reset dampened routes or route-flap statistics counters and history for IPv6.

Syntax clear [ip] bgp ipv6 {
unicast {dampening [network] | flap-statistics network} |
{external | peer-group group-name | * | as-num | ipv4addr | ipv6addr}
[in [prefix-filter] | out | soft [in | out]]
}

Parameter Description
unicast Resets unicast routes.
external Clear all external peers.
NOTE: This option is only available with clear bgp ipv6.
dampening [network] Resets all IPv6 dampened routes.
To reset dampened routes for a specific network, specify either an IPv6 network (for
example, “2003::”) or a network length (for example, “2003::/24”).
flap-statistics [network] Resets all IPv6 route-flap statistics and history.
To reset route-flap statistics and history for a specific network, specify either an IPv6
network (for example, “2003::”) or a network length (for example, “2003::/24”).
peer-group Clear all members of the specified peer group.
* Clear all peers.
as-num Clear all peers with the specified AS number.
ipv4-addr Clear the specified IPv4 BGP neighbor.
ipv6-addr Clear the specified IPv6 BGP neighbor.
in [prefix-filter] Clears incoming advertised routes. The prefix-filter option pushes out prefix-list
outbound routing filters, and performs inbound soft reconfiguration.
out Clears outgoing advertised routes.
soft {in | out} Activates routing policy changes without resetting the BGP neighbor connection.
in – Requests route updates from the specified neighbor.
out – Sends route updates to the specified neighbor.

Mode Privileged EXEC and all configuration levels


clear [ip] bgp peer-group


Description Reset the BGP connection to all members of a peer group.

Syntax clear [ip] bgp peer-group group-name


[in [prefix-filter] | out | soft [in | out]]

Parameter Description
group-name Clear BGP connections to all members of the specified group.
in [prefix-filter] Clears incoming advertised routes. The prefix-filter option
pushes out prefix-list outbound routing filters, and performs
inbound soft reconfiguration.
out Clears outgoing advertised routes.
soft {in | out} Activates routing policy changes without resetting the BGP
neighbor connection.
in – Requests route updates from the specified neighbor.
out – Sends route updates to the specified neighbor.

Mode Privileged EXEC and all configuration levels

clear [ip] bgp view


Description Reset the BGP connection to a specific view.

Syntax clear [ip] bgp view view-name * [soft [in | out]]

Parameter Description
view-name Clear BGP connections to the specified view.
soft {in | out} Activates routing policy changes without resetting the BGP
neighbor connection.
in – Requests route updates from the specified neighbor.
out – Sends route updates to the specified neighbor.

For option information, see “clear [ip] bgp {* | AS-num}” on page 459.

Mode Privileged EXEC and all configuration levels


Config Commands: Overlay Tunnels

The commands in this chapter configure overlay tunnel parameters.

This CLI level also has the following commands, which are available at all configuration levels:

• backup – See “backup system” on page 27 and “backup log” on page 25.

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• do – See “do” on page 90.

• end – See “end” on page 93.

• exit – See “exit” on page 95.

• no – See “no” on page 135.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

This chapter contains the following:

• Commands for the Underlay/Provider Network

• Commands for the Overlay/Tenant Network

• Monitoring Commands

Commands for the Underlay/Provider Network


This section includes the following:

• overlay-tunnel

• overlay-mgmt-info

• encap

• source-ip-address

• vni

• destination-ip-address

• host


overlay-tunnel
Description Top-level command to begin the configuration of the overlay tunnel. This command enables
you to create a virtual tunnel endpoint (VTEP) as well as configure some of the system and
packet behavior related to the tunnel configuration. Multiple VTEPs can be configured in the
same partition or across different partitions.

Syntax [no] overlay-tunnel
{
  vtep vtep-id |
  options {
    gateway-mac mac-address |
    vxlan-dest-port port |
    ip-dscp-preserve |
    nvgre-disable-flow-id |
    nvgre-key-mode-lower24 |
    tcp-mss-adjust-disable
  }
}

NOTE: The options parameter and sub-parameters are only available in the shared partition.

Parameter Description
vtep vtep-id Create a virtual tunnel endpoint (VTEP) with the specified ID.
gateway-mac mac-address Configures the MAC address for the gateway segment ID; this is mostly used with
NVGRE in conjunction with the SCVMM. When configured, the ACOS device accepts all
packets coming in with this MAC address. Outgoing packets, however, use the corresponding
LIF/VE MAC address.
For more information about configuring a gateway, see the vni command.
vxlan-dest-port port Specifies the port number (1-65535) on which you want your ACOS device to send and
receive VXLAN traffic.
The default port number is 4789.
ip-dscp-preserve By default, the differentiated services code point (DSCP) value in the outer IP header for
packets that are being tunnelled is set to the lowest priority.
This optional command, when issued in the VTEP/underlay partition, copies the DSCP
value from the inner IP header to the outer IP header for all overlay IP packets.
nvgre-disable-flow-id The NVGRE header contains an 8-bit flow-id field that can be used to pass the entropy
of the overlay flow that is being tunnelled across. The ACOS device will compute the
entropy and pass it by default so that intermediate underlay routers/switches can
make use of it for better link or ECMP load distribution.
This optional command disables the flow-id computation for NVGRE and sets the
flow-id to zero (0).
nvgre-key-mode-lower24 This optional command causes the lower 24 bits of the key field to be treated as the
VSID. By default, only the upper 24 bits of the key field are treated as VSID (conforming
to the NVGRE specification). Having this option allows for interoperability with varying
implementations.

tcp-mss-adjust-disable VXLAN and NVGRE tunneled packets get an additional header (50 bytes for VXLAN and
42 bytes for NVGRE) for IPv4 added. This addition can result in additional fragmentation
of the packet if the exchanged maximum segment size (MSS) is not aware of this addition.
The ACOS device will automatically adjust the MSS exchanged for TCP flows to
take into account this header.
Use this option to disable this automatic adjustment for Layer 4 TCP traffic.

Default N/A

Mode Configuration mode.

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context command
to specify the device in the chassis to which to apply this command.

Example The following example configures a VTEP with the ID of 1.

ACOS(config)#overlay-tunnel vtep 1

Example The following example removes a tunnel configuration (you are prompted to confirm the
command).

ACOS(config)#no overlay-tunnel vtep 1


This command will delete the entire overlay-tunnel and related sub-
configuration. Proceed with deleting it? [yes/no] yes
ACOS(config)#

Related Commands show running-config overlay-tunnel
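
The effect of nvgre-key-mode-lower24 and nvgre-disable-flow-id on the GRE key field can be seen by decoding the same header both ways. The following is an added example, not A10 code; the function names and the sample header are constructed for illustration, and the header layout (key-present bit, protocol type 0x6558, 24-bit VSID followed by 8-bit flow-id) is taken from the NVGRE specification.

```python
import struct

# GRE flag bits in the first 16-bit word of the header.
GRE_C, GRE_K, GRE_S, GRE_VER_MASK = 0x8000, 0x2000, 0x1000, 0x0007
NVGRE_PROTO = 0x6558  # Transparent Ethernet Bridging, the NVGRE payload type


def parse_nvgre(header: bytes, lower24: bool = False) -> dict:
    """Decode the first 8 bytes of an NVGRE (GRE with key) header.

    lower24=False: upper 24 bits of the key are the VSID and the lower 8 bits
                   are the flow-id (the default behaviour described above).
    lower24=True:  lower 24 bits of the key are the VSID, as with
                   nvgre-key-mode-lower24. The manual does not say what the
                   remaining 8 bits carry, so they are returned undecoded.
    """
    if len(header) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, key = struct.unpack("!HHI", header[:8])
    if not flags & GRE_K:
        raise ValueError("key-present bit not set")
    if flags & (GRE_C | GRE_S) or flags & GRE_VER_MASK:
        raise ValueError("unexpected GRE flags or version for NVGRE")
    if proto != NVGRE_PROTO:
        raise ValueError(f"protocol type {proto:#06x} is not NVGRE")
    if lower24:
        return {"vsid": key & 0xFFFFFF, "flow_id": None, "upper8": key >> 24}
    return {"vsid": key >> 8, "flow_id": key & 0xFF}


def build_key(vsid: int, flow_id: int = 0) -> bytes:
    """Build a default-mode header; flow_id=0 matches nvgre-disable-flow-id."""
    if not 1 <= vsid <= 0xFFFFFF or not 0 <= flow_id <= 0xFF:
        raise ValueError("vsid or flow_id out of range")
    return struct.pack("!HHI", GRE_K, NVGRE_PROTO, (vsid << 8) | flow_id)


if __name__ == "__main__":
    hdr = build_key(100, flow_id=0x2A)       # constructed sample header
    print(parse_nvgre(hdr))                  # both ends in default mode
    print(parse_nvgre(hdr, lower24=True))    # receiver in lower-24 mode
```

When the two ends disagree on the key mode, the receiver reads a different VSID from the same bytes, so the mode must match on every VTEP that shares a segment.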

overlay-mgmt-info
Description Configure the connection string used by the SCVMM plugin or other machine manager
plugins on the ACOS device.

Syntax [no] overlay-mgmt-info plugin-string application-string

Parameter Description
plugin-string Configure the plugin string (1-128 characters).
application-string Configure the application string (1-128 characters).

Mode Configuration mode.

Usage This command can only be used in the shared partition; it is not supported in L3V partitions.

Example The following example configures “nvgre” as the plugin string and “a10networks” as the
application string:

ACOS(config)#overlay-mgmt-info nvgre a10networks


Related Commands show running-config overlay-mgmt-info

encap
Description When used in Overlay Tunnel VTEP mode, this command sets the type of encapsulation you
want to use for tunnelling packets.

When used in the Destination VTEP mode, it specifies the encapsulation type for that specific
destination VTEP and overrides any prior encapsulation specification.

In either case, this command is optional and is not required for configuring an overlay tunnel.

Syntax encap [vxlan | nvgre]

Default VXLAN

Mode Overlay Tunnel VTEP mode or Destination VTEP mode.

Example Specify NVGRE as the encapsulation type for the tunnel.

ACOS(config-overlay-tunnel:1)#encap nvgre

Specify VXLAN as the encapsulation type for the destination VTEP and override any prior
encapsulation specification.

ACOS(config-overlay-tunnel:1-dst-vtep)#encap vxlan

source-ip-address
Description Specify the source IPv4 address of the VTEP on the underlay network.

NOTE: The IP address used in the configuration must be present in the underlay partition
as an interface IP or a floating IP before traffic flow is functional.

Syntax source-ip-address source-vtep-ip

Replace source-vtep-ip with the source VTEP IP address.

Mode Overlay Tunnel VTEP mode.

Example Configure the VTEP with 90.1.1.1 as the IP address:

ACOS(config-overlay-tunnel:1)#source-ip-address 90.1.1.1

Related Commands destination-ip-address

vni
Description When used at the Main Tunnel VTEP submode, it configures the VXLAN Network Identifier
(VNI) or NVGRE Virtual Subnet Identifier (VSID) of the segment that is being extended across
the network.


When used at the Remote VTEP submode, it specifies the VNI or VSID of the remote VTEP.

Syntax Overlay Tunnel VTEP mode:


vni overlay-segment-id [partition overlay-partition]
lif logical-interface-id [gateway]

Syntax Destination VTEP mode:


vni overlay-segment-id

Parameter Description
overlay-segment-id When used following source-ip-address, this command configures the VNI/VSID (1-16777215) of
the segment that is being extended across the network.
When used following destination-ip-address, this command specifies the VNI/VSID of the destination
VTEP.
overlay-partition The partition containing the hosts/configuration for the overlay network.
This is an optional parameter; if not specified, it defaults to the partition where this configuration
is being done.
logical-interface-id The logical interface (LIF) number which acts as a conduit interface to/from the tunnel network.
A given LIF in a partition can map to only a single VNI in the system. The only exception is when a
gateway VSID has been configured for that LIF.
gateway Optional parameter to make the configured VNI a gateway. This is typically used in NVGRE deployments,
where a Hyper-V host is configured to use a specific VNI that corresponds to a default gateway.
In terms of packet handling, an ACOS device can receive packets on a gateway VNI but will always
transmit packets on the regular VSID.
In some implementations, traffic from a host can be received on a different VNI than the one on
which it was sent. The gateway VNI serves to support this communication.
Once a gateway VNI is configured for a LIF, multiple VNIs (called regular VNIs) can be configured
under the same LIF. In this case, packets are sent out over the tunnel using regular VNIs and are
expected to be received on the gateway VNI. The host command is needed to resolve the ambiguity
of which VNI to use while sending packets over the tunnel.
Multiple VNIs under the same LIF cannot be configured unless the LIF is carrying a gateway VNI. There
can be multiple gateway VNIs under a given VTEP (each with a different LIF).

Default N/A

Mode Overlay Tunnel VTEP mode, or Destination VTEP mode.

Example Configure a VNI with an ID of 100, specify p1 as the partition, and 10 as the logical interface
ID:

ACOS(config-overlay-tunnel:1-src-vtep)# vni 100 partition p1 lif 10

Configure the destination VTEP VNI of 200:

ACOS(config-overlay-tunnel:1-dst-vtep)# vni 200


The example below shows how to configure multiple gateway VNIs (150 and 350) under
VTEP 1:

ACOS(config)# overlay-tunnel vtep 1
ACOS(config-overlay-tunnel:1)# encap nvgre
ACOS(config-overlay-tunnel:1)# source-ip-address 90.1.1.1
ACOS(config-overlay-tunnel:1-src-vtep:90...)# vni 200 partition px lif 4
ACOS(config-overlay-tunnel:1-src-vtep:90...)# vni 150 partition p1 lif 2 gateway
ACOS(config-overlay-tunnel:1-src-vtep:90...)# vni 350 partition p1 lif 3 gateway
ACOS(config-overlay-tunnel:1-src-vtep:90...)# vni 100 partition p1 lif 2
ACOS(config-overlay-tunnel:1-src-vtep:90...)# vni 300 partition p1 lif 3
ACOS(config-overlay-tunnel:1-src-vtep:90...)# exit
ACOS(config-overlay-tunnel:1)# destination-ip-address 100.1.1.2
ACOS(config-overlay-tunnel:1-dst-vtep:100...)# encap nvgre
ACOS(config-overlay-tunnel:1-dst-vtep:100...)# vni 100
ACOS(config-overlay-tunnel:1-dst-vtep:100...)# vni 300
ACOS(config-overlay-tunnel:1-src-vtep:10...)# exit
ACOS(config-overlay-tunnel:1)# destination-ip-address 100.1.1.3
ACOS(config-overlay-tunnel:1-dst-vtep:100...)# encap nvgre
ACOS(config-overlay-tunnel:1-dst-vtep:100...)# vni 100
ACOS(config-overlay-tunnel:1-dst-vtep:100...)# vni 300
ACOS(config-overlay-tunnel:1-src-vtep:100...)# exit
ACOS(config-overlay-tunnel:1)# destination-ip-address 100.1.1.5
ACOS(config-overlay-tunnel:1-dst-vtep:100...)# encap nvgre
ACOS(config-overlay-tunnel:1-dst-vtep:100...)# vni 200
ACOS(config-overlay-tunnel:1-dst-vtep:100...)# exit
ACOS(config-overlay-tunnel:1)# host 80.1.1.11 AABB.CCDD.EEFF vni 100 destination-vtep 100.1.1.3
ACOS(config-overlay-tunnel:1)# host 90.1.1.11 AAAA.BBBB.CCCC vni 300 destination-vtep 100.1.1.2

destination-ip-address
Description Specify the IP address of the destination tunnel endpoint.

Syntax destination-ip-address remote-vtep-ip [mac-address]

Parameter Description
remote-vtep-ip The IP address of the destination tunnel endpoint.
mac-address The MAC address of the destination VTEP.

Mode Overlay Tunnel VTEP mode.

Example Specify the destination VTEP with 90.1.1.2 as the IP address.

ACOS(config-overlay-tunnel:1)# destination-ip-address 90.1.1.2


Related Commands source-ip-address

host
Description This command maps the host to a specific VTEP and VNI/VSID. This is an optional command
to configure host mapping if dynamic learning is not desired.

NOTE: For NVGRE, static mapping with the host command is mandatory; dynamic learning
is not supported.

With dynamic learning, ARP packets are flooded to all configured destination VTEPs that are
configured for the same VNI for this source VTEP until an ARP response or another packet
comes from that host via one of the destination VTEP tunnels. The source VTEP then learns
the host-to-destination VTEP mapping and uses it for subsequent packet forwarding.

Static mapping with the host command is recommended if you want to avoid the
overhead associated with dynamic learning.

Syntax host [host-ip] host-mac vni overlay-segment-id destination-vtep remote-vtep-ip

Parameter Description
host-ip Optional parameter specifying the IP address of the host
across the tunnel. This is used when the logical interface is
configured as a Layer 3 interface and causes a static ARP
entry to be added to the LIF partition corresponding to the
host IP address.
host-mac The MAC address of the overlay host.
overlay-segment-id The segment being extended.
remote-vtep-ip The IP address of the remote VTEP.

Default N/A

Mode Overlay Tunnel VTEP mode.

Example The following command maps the host with the MAC address of 001a.112b.223c to VNI 100,
located behind the destination VTEP with the IP address 100.1.1.10.

ACOS(config-overlay-tunnel:1)# host 001a.112b.223c vni 100 destination-vtep 100.1.1.10

The following example maps the host with the MAC address of 001a.002a.003a to the
destination host with the IP address 30.1.1.20. The destination host is on VNI 200 and is
located behind the destination VTEP with the IP address 110.1.1.10.

ACOS(config-overlay-tunnel:1)# host 30.1.1.20 001a.002a.003a vni 200 destination-vtep 110.1.1.10
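
The vni and host rules described above can be checked before a configuration is applied. The following is an added example, not A10 code: it reads overlay-tunnel commands as plain text (with or without the CLI prompt) and reports a LIF that carries several VNIs without a gateway VNI, VNIs outside 1-16777215, and NVGRE destination/VNI pairs that have no static host mapping. The check that a host line must reference a VNI configured on its destination VTEP is an assumption of this example, and the sample configuration is constructed.

```python
import re
from collections import defaultdict

VNI_MAX = 16777215  # VNI/VSID range given in the vni parameter table

# Constructed sample, not taken from the manual. lif 5 carries two VNIs with
# no gateway VNI, and the second host line names a VNI the destination lacks.
SAMPLE = """\
overlay-tunnel vtep 1
encap nvgre
source-ip-address 90.1.1.1
vni 150 partition p1 lif 2 gateway
vni 100 partition p1 lif 2
vni 400 partition p1 lif 5
vni 500 partition p1 lif 5
exit
destination-ip-address 100.1.1.2
vni 100
vni 400
exit
host 80.1.1.11 AABB.CCDD.EEFF vni 100 destination-vtep 100.1.1.2
host 80.1.1.12 AABB.CCDD.EE00 vni 500 destination-vtep 100.1.1.2
"""


def parse(text):
    """Turn overlay-tunnel commands for one VTEP into a dictionary."""
    cfg = {"encap": "vxlan", "local": [], "dests": {}, "hosts": []}
    mode, dest = "vtep", None
    for raw in text.splitlines():
        tok = re.sub(r"^\S+#\s*", "", raw.strip()).split()  # drop CLI prompt
        if not tok or tok[0] == "!":
            continue
        cmd = tok[0]
        if cmd == "source-ip-address":
            mode = "src"
        elif cmd == "destination-ip-address":
            mode, dest = "dst", tok[1]
            cfg["dests"][dest] = {"encap": None, "vnis": set()}
        elif cmd == "exit":
            mode = "vtep"
        elif cmd == "encap" and mode == "dst":
            cfg["dests"][dest]["encap"] = tok[1]   # overrides the VTEP encap
        elif cmd == "encap":
            cfg["encap"] = tok[1]
        elif cmd == "vni" and mode == "dst":
            cfg["dests"][dest]["vnis"].add(int(tok[1]))
        elif cmd == "vni" and "lif" in tok:
            opts = tok[2:]
            part = (opts[opts.index("partition") + 1]
                    if "partition" in opts else "(current)")
            lif = int(opts[opts.index("lif") + 1])
            cfg["local"].append((int(tok[1]), part, lif, "gateway" in opts))
        elif cmd == "host":
            i = tok.index("vni")  # host-ip is optional, so locate by keyword
            vtep = tok[tok.index("destination-vtep") + 1]
            cfg["hosts"].append((tok[i - 1], int(tok[i + 1]), vtep))
            mode = "vtep"
    return cfg


def lint(cfg):
    """Return (severity, message) findings for the parsed configuration."""
    findings, by_lif, mapped = [], defaultdict(list), set()
    for vni, part, lif, gw in cfg["local"]:
        if not 1 <= vni <= VNI_MAX:
            findings.append(("error", f"vni {vni} outside 1-{VNI_MAX}"))
        by_lif[(part, lif)].append((vni, gw))
    for (part, lif), vnis in sorted(by_lif.items()):
        if len(vnis) > 1 and not any(gw for _, gw in vnis):
            ids = sorted(v for v, _ in vnis)
            findings.append(("error", f"lif {lif} in partition {part} "
                             f"carries VNIs {ids} without a gateway VNI"))
    for mac, vni, dest in cfg["hosts"]:
        d = cfg["dests"].get(dest)
        if d is None or vni not in d["vnis"]:  # assumption of this example
            findings.append(("error", f"host {mac}: vni {vni} is not "
                             f"configured on destination VTEP {dest}"))
        else:
            mapped.add((dest, vni))
    for dest, d in sorted(cfg["dests"].items()):
        if (d["encap"] or cfg["encap"]) != "nvgre":
            continue  # VXLAN can fall back to dynamic learning
        for vni in sorted(d["vnis"] - {v for dd, v in mapped if dd == dest}):
            findings.append(("warn", f"nvgre destination {dest} vni {vni} "
                             "has no static host mapping"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(parse(SAMPLE)):
        print(f"{severity}: {message}")
```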


Commands for the Overlay/Tenant Network


This section includes the following:

• interface lif

• untagged lif

interface lif
Description Configure a Layer 2 logical tunnel interface (LIF); this is an extension of the existing interface
command. As a Layer 2 interface, the LIF will forward all unknown unicast, multicast, and
broadcast packets to all destination VTEPs on the same VNI.

The LIF can additionally have an IP address configured on it, thus making it a Layer 3
interface. As a Layer 3 interface:

• Unicast traffic causes an ARP request to be generated and flooded to all remote VTEPs
on the same VNI.
• Multicast and broadcast traffic are dropped.

Syntax [no] interface lif lif-num

Replace lif-num with the number of the logical interface.

Default N/A

Mode Configuration mode.

Example Configure a logical interface number 1:

ACOS(config)#interface lif 1
ACOS(config-if:lif:1)#

Related Commands untagged lif

untagged lif
Description Configures an untagged Layer 2 logical tunnel interface (LIF) under a VLAN.

NOTE: Only one untagged logical tunnel interface is supported under a VLAN. Having
more than one logical tunnel interface in the same VLAN will result in traffic being
“switched” between VNIs which is not supported.

Syntax untagged lif lif-num

Replace lif-num with the number of the logical interface.

Default N/A


Mode VLAN configuration mode.

Example Configure an untagged logical interface number 2 under VLAN 10.

ACOS(config)#vlan 10
ACOS(config-vlan:10)#untagged lif 2

Related Commands interface lif

Monitoring Commands
The CLI commands in this section are extended to enable the monitoring of packet flow to and from an overlay network.

• show interfaces brief

• show running-config overlay-mgmt-info

• show running-config overlay-tunnel

• show statistics interface

• show vlans

• debug packet

show interfaces brief


Description This command is extended to include any configured logical interface ports as part of the
output. The LIF ports will only appear in the overlay partition where the LIF is configured.

Syntax show interfaces brief

Default N/A

Mode Enable mode.

Example Below is a show interfaces brief command showing a logical interface in the output.

ACOS# show interfaces brief


Port Link Dupl Speed Trunk Vlan MAC IP Address IPs
Name
------------------------------------------------------------------------------------
mgmt Up Full 100 N/A N/A 000d.480a.6666 192.168.213.205/24 1
1 Up Full 1000 None Tag 000d.480a.6665 0.0.0.0/0 0
2 Up Full 100 None Tag 000d.480a.6664 0.0.0.0/0 0
3 Disb None None None 1 000d.480a.6663 0.0.0.0/0 0
4 Up Full 1000 None 1 000d.480a.6662 0.0.0.0/0 0
5 Up Full 100 None Tag 000d.480a.6661 0.0.0.0/0 0
6 Up Full 100 None Tag 000d.480a.6660 0.0.0.0/0 0

7 Disb None None None 1 000d.480a.665f 0.0.0.0/0 0
8 Disb None None None 1 000d.480a.665e 0.0.0.0/0 0
9 Disb None None None 1 000d.480a.665d 0.0.0.0/0 0
10 Disb None None None 1 000d.480a.665c 0.0.0.0/0 0
ve100 Up N/A N/A N/A 100 000d.480a.6665 100.1.1.2/24 1
ve120 Up N/A N/A N/A 120 000d.480a.6665 120.2.1.1/24 1
ve140 Up N/A N/A N/A 140 000d.480a.6665 140.1.1.12/24 1
ve160 Up N/A N/A N/A 160 000d.480a.6665 160.1.1.12/24 1
lif1 Up N/A N/A N/A 1 000d.480a.6665 80.1.1.2/24 1

The last line (lif1) shows the logical interface.

show running-config overlay-mgmt-info


Description View information used by the SCVMM plugin to configure a connection string on the ACOS
device.

Syntax show running-config overlay-mgmt-info

Mode Enable mode

Example The following example shows sample output for this command:

ACOS(config)#show running-config overlay-mgmt-info


!Section configuration: 77 bytes
!
overlay-mgmt-info nvgre a10networks
!
overlay-mgmt-info scvmm a10Thunder
!
!
end

Related Commands overlay-mgmt-info


show running-config overlay-tunnel


Description Displays the running configuration for the overlay tunnel. If no VTEP is specified, the
configuration for all configured source VTEPs in the partition is displayed.

Syntax show running-config overlay-tunnel [options] [vtep vtep-id]

Parameter Description
options Show partition-specific overlay tunnel configuration.
vtep vtep-id Display the configuration for the specified VTEPs.

Mode Enable mode.

Example Below is sample output for this command.

ACOS# show running-config overlay-tunnel


!
overlay-tunnel vtep 1
encap vxlan
source-ip-address 100.1.1.2
vni 100 partition p1 lif 2
destination-ip-address 90.1.1.1
encap vxlan
vni 100
!

Related Commands overlay-tunnel

show statistics interface


Description This command is extended so that you can specify a logical interface as well as an ethernet
interface.

Syntax show statistics interface lif lif-num

Replace lif-num with the logical interface number.

Default N/A

Mode Enable mode.

Example Below is an example of the show statistics interface lif command output.

ACOS#show statistics interface lif 2


Port Link Dupl Speed IsTagged MAC Address IP Address
-------------------------------------------------------------------
lif2 Up NA NA Untagged 001F.A006.B200 80.1.1.40


Lif 2 Counters:
InPkts 30072735 OutPkts 21392694
InOctets 2595444368 OutOctets 2427649700
InBroadcastPkts 461 OutBroadcastPkts 7132
InMulticastPkts 44061 OutMulticastPkts 0
InBadPkts 0 OutBadPkts 0

show vlans
Description This command is extended so that any configured logical interface ports are now also
included in the output, along with ethernet ports.

Syntax show vlans vlan

Default N/A

Mode Enable mode.

Example Below is an example of the output.

ACOS# show vlans


Total VLANs: 2
VLAN 1, Name [DEFAULT VLAN]:
Untagged Ethernet Ports: 1 2 3 4 5 6 7 8
Tagged Ethernet Ports: None

VLAN 100, Name [None]:


Untagged Ethernet Ports: None
Tagged Ethernet Ports: None
Untagged Logical Ports: lif2

VLAN 200, Name [None]:


Untagged Ethernet Ports: None
Tagged Ethernet Ports: 10
Router Interface: ve 200

The “Untagged Logical Ports” line under VLAN 100 shows the logical interface in the output.


debug packet
Description This command is extended to show the details of the encapsulated tunnel payload.

Syntax debug packet

Default N/A

Mode Enable mode.

Usage To see encapsulated packets with the appropriate headers, use debug packet in the
underlay/provider partition.

To see de-encapsulated packets, use debug packet in the overlay/tenant partition.

If both underlay and overlay are mapped to the same partition, this command will show
both encapsulated and decapsulated packets.

Example Below is an example of the debug packet command output run in the underlay/provider
partition.

ACOS# debug packet l3-protocol ip all
Wait for debug output, enter <ctrl c> to exit
@312173 i( 1, 100, 222c8)> ip 90.1.1.1 > 100.1.1.2 udp 44221 > 4789 len 76 vxlan/vni 100 arp who-has 80.1.1.10 tell 80.1.1.100
@312173 o( 1, 100, 222c8)> ip 100.1.1.2 > 90.1.1.1 udp 44221 > 4789 len 58 vxlan/vni 100 arp reply 80.1.1.10 is-at 00:0d:48:0a:66:5e tell 80.1.1.100
@312173 i( 1, 100, 222c9)> ip 90.1.1.1 > 100.1.1.2 udp 4015 > 4789 len 114 vxlan/vni 100 ip 80.1.1.100 > 80.1.1.10 icmp echo req seq=1
@312173 i(32, 1, 222c9)> ip 80.1.1.100 > 80.1.1.10 icmp echo req seq=1
@312173 o(32, 1, 222c9)> ip 80.1.1.10 > 80.1.1.100 icmp echo rsp seq=1
@312173 o( 1, 100, 222c9)> ip 100.1.1.2 > 90.1.1.1 udp 62284 > 4789 len 114 vxlan/vni 100 ip 80.1.1.10 > 80.1.1.100 icmp echo rsp seq=1

The bold portions of the output show details about the encapsulated overlay tunnel
packets.

The sixth and seventh lines of the display (duplicated below for clarity) show details about
the decapsulated packets:

@312173 i(32, 1, 222c9)> ip 80.1.1.100 > 80.1.1.10 icmp echo req seq=1
@312173 o(32, 1, 222c9)> ip 80.1.1.10 > 80.1.1.100 icmp echo rsp seq=1
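
Captured debug packet output from the underlay partition can be compared against the configured tunnel. The following is an added example, not A10 code: it parses lines in the format shown above, rejoins wrapped lines, and reports incoming encapsulated packets whose outer source address or VNI does not match a configured destination VTEP. The peers map mirrors the show running-config overlay-tunnel sample (destination 90.1.1.1, VNI 100); the function names and the last two log lines are constructed for illustration.

```python
import re

# The first ten lines are the manual's own debug output, wrapped as printed.
# The last two lines are constructed for this example.
SAMPLE = """\
@312173 i( 1, 100, 222c8)> ip 90.1.1.1 > 100.1.1.2 udp 44221 > 4789 len 76 vxlan/vni 100
arp who-has 80.1.1.10 tell 80.1.1.100
@312173 o( 1, 100, 222c8)> ip 100.1.1.2 > 90.1.1.1 udp 44221 > 4789 len 58 vxlan/vni 100
arp reply 80.1.1.10 is-at 00:0d:48:0a:66:5e tell 80.1.1.100
@312173 i( 1, 100, 222c9)> ip 90.1.1.1 > 100.1.1.2 udp 4015 > 4789 len 114 vxlan/vni 100 ip
80.1.1.100 > 80.1.1.10 icmp echo req seq=1
@312173 i(32, 1, 222c9)> ip 80.1.1.100 > 80.1.1.10 icmp echo req seq=1
@312173 o(32, 1, 222c9)> ip 80.1.1.10 > 80.1.1.100 icmp echo rsp seq=1
@312173 o( 1, 100, 222c9)> ip 100.1.1.2 > 90.1.1.1 udp 62284 > 4789 len 114 vxlan/vni 100
ip 80.1.1.10 > 80.1.1.100 icmp echo rsp seq=1
@312180 i( 1, 100, 222d0)> ip 90.1.1.77 > 100.1.1.2 udp 5000 > 4789 len 114 vxlan/vni 100 ip 80.1.1.66 > 80.1.1.10 icmp echo req seq=1
@312181 i( 1, 100, 222d1)> ip 90.1.1.1 > 100.1.1.2 udp 5001 > 4789 len 114 vxlan/vni 999 ip 80.1.1.100 > 80.1.1.10 icmp echo req seq=2
"""

# Direction, then the outer (or decapsulated) IP pair. The bracketed fields
# after i/o are not explained in the manual, so they are skipped, not decoded.
PKT = re.compile(
    r"@\d+ (?P<dir>[io])\([^)]*\)> ip (?P<src>\S+) > (?P<dst>\S+) (?P<rest>.*)")
ENCAP = re.compile(
    r"udp \d+ > (?P<dport>\d+) len \d+ vxlan/vni (?P<vni>\d+)\s*(?P<inner>.*)")


def records(text):
    """Return one dict per packet, joining continuation lines first."""
    joined = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("@"):
            joined.append(line)
        elif line and joined:
            joined[-1] += " " + line   # wrapped tail of the previous packet
    out = []
    for line in joined:
        m = PKT.match(line)
        if not m:
            continue
        rec = {"dir": m["dir"], "src": m["src"], "dst": m["dst"],
               "vni": None, "dport": None, "inner": m["rest"]}
        enc = ENCAP.match(m["rest"])
        if enc:  # encapsulated packet: keep the VNI and the inner summary
            rec.update(vni=int(enc["vni"]), dport=int(enc["dport"]),
                       inner=enc["inner"])
        out.append(rec)
    return out


def audit(text, local_vtep, peers):
    """peers maps each configured destination VTEP IP to its set of VNIs."""
    alerts = []
    for r in records(text):
        if r["dir"] != "i" or r["vni"] is None or r["dst"] != local_vtep:
            continue
        if r["src"] not in peers:
            alerts.append((r["src"], r["vni"],
                           "source is not a configured destination VTEP"))
        elif r["vni"] not in peers[r["src"]]:
            alerts.append((r["src"], r["vni"],
                           "VNI not configured for this VTEP"))
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE, "100.1.1.2", {"90.1.1.1": {100}}):
        print(alert)
```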



Config Commands: Scale Out

The commands in this chapter configure ACOS Scale Out.

This CLI level also has the following commands, which are available at all configuration levels:

• backup – See “backup system” on page 27 and “backup log” on page 25.

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• do – See “do” on page 90.

• end – See “end” on page 93.

• exit – See “exit” on page 95.

• no – See “no” on page 135.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

This chapter contains the following:

• Scale Out Global Configuration Commands

• Scale Out Configuration Commands

• Scale Out Local Device Configuration Commands

• Scale Out show Commands


Scale Out Global Configuration Commands


The scaleout command is used at the global configuration level to enter Scale Out configuration mode.

scaleout
Description Enter Scale Out configuration mode.

Syntax [no] scaleout cluster-id

Replace cluster-id with the ID of the cluster you are creating or configuring (1-64).

Mode Configuration mode

Example Enter Scale Out configuration mode for cluster 3.

ACOS(config)#scaleout 3
ACOS(config-scaleout:3)#

Scale Out Configuration Commands


This section describes the commands available in Scale Out configuration mode.

To enter Scale Out configuration mode, use the scaleout command:

ACOS(config)#scaleout 3
ACOS(config-scaleout:3)#

The following commands are available:

• cluster-devices

• device-groups

• follow-vcs

• local-device

• service-config


cluster-devices
Description Enter Scale Out cluster configuration mode to configure devices in a cluster.

Syntax cluster-devices

This command places you in another sub-configuration mode, where you can use the
following command to add devices to the cluster:

[no] device device-id

Mode Scale Out configuration mode.

Example The following example shows how to enter cluster configuration mode for cluster 3, then
add three devices to the cluster:

ACOS(config)#scaleout 3
ACOS(config-scaleout:3)#cluster-devices
ACOS(config-scaleout:3-cluster-devices)#device-id 1
ACOS(config-scaleout:3-cluster-devices-de...)#ip 192.168.230.56
ACOS(config-scaleout:3-cluster-devices-de...)#device-id 2
ACOS(config-scaleout:3-cluster-devices-de...)#ip 192.168.230.57
ACOS(config-scaleout:3-cluster-devices-de...)#device-id 3
ACOS(config-scaleout:3-cluster-devices-de...)#ip 192.168.230.58

device-groups
Description Enter device groups configuration mode to configure Scale Out device groups.

Syntax [no] device-groups

This command places you in another sub-configuration mode, where you can use the
following command to configure device groups in the cluster:

[no] device-group num

After this command, use the device-id command to add devices to the device group:

[no] device-id device-id [to device-id]

You can specify a single device or a range of devices using the to option.

Mode Scale Out configuration mode.

Example The following example shows how to enter device groups configuration mode for cluster 3,
then creates a device group and adds a range of devices (1 to 3) to the group:

ACOS(config)#scaleout 3
ACOS(config-scaleout:3)#device-groups
ACOS(config-scaleout:3-device-groups)#device-group 1

ACOS(config-scaleout:3-device-groups-devi...)#device-id 1 to 3

follow-vcs
Description Follow aVCS priority configuration settings.

Syntax [no] follow-vcs

Mode Scale Out configuration mode

local-device
Description Enter Scale Out local device configuration mode to configure the local device in a cluster.

Syntax [no] local-device

Mode Scale Out configuration mode.

Usage After using this command, the commands in “Scale Out Local Device Configuration Commands”
on page 483 are available.

Example The following example shows how to enter local device configuration mode for cluster 3:

ACOS(config)#scaleout 3
ACOS(config-scaleout:3)#local-device
ACOS(config-scaleout:3-local-device)#

service-config
Description Enter service configuration mode to configure Scale Out templates for SLB, SGN, or VRRP-A.

Syntax service-config

This command places you in another sub-configuration mode, where you can use the
following command to create a template:

[no] template name

Replace name with the name of the template (1-63 characters).

Mode Scale Out configuration mode.

Example The following example shows how to enter service configuration mode for cluster 3, and
then create a template called “so_template” with a bucket count of 128:

ACOS(config)#scaleout 3
ACOS(config-scaleout:3)#service-config

ACOS(config-scaleout:3-service-config)#template so_template
ACOS(config-scaleout:3-service-config-tem...)#bucket-count 128

Scale Out Local Device Configuration Commands


This section describes the commands available in Scale Out local device configuration mode.

To enter this configuration mode, use the local-device command:

ACOS(config)#scaleout 3
ACOS(config-scaleout:3)#local-device
ACOS(config-scaleout:3-local-device)#

The following commands are available:

• id

• priority

id
Description Assign an ID to the local device.

Syntax [no] id num

Replace num with an ID for the device (1-64).

Default No default ID is assigned.

Mode Scale Out local device configuration

Example The following example shows how to assign an ID of 4 to the local device.

ACOS(config)#scaleout 3
ACOS(config-scaleout:3)#local-device
ACOS(config-scaleout:3-local-device)#id 4


priority
Description Assign a priority to the local device.

Syntax [no] priority num

Replace num with a priority for the device (1-255).

Default No default priority is assigned.

Mode Scale Out local device configuration

Example The following example shows how to assign a priority of 150 to the local device.

ACOS(config)#scaleout 3
ACOS(config-scaleout:3)#local-device
ACOS(config-scaleout:3-local-device)#priority 150

Scale Out show Commands


The show scaleout command can be used to view information about your Scale Out configuration.

show scaleout
Description View Scale Out information.

Syntax show scaleout


[statistics]
[traffic-map name
[vport-num]
[check-data-plane]
[src-ip ipv4-addr/mask-length]
]

Parameter Description
statistics Show Scale Out statistics.
traffic-map View all traffic-maps, or view a traffic-map for a specific service name.
vport-num Virtual port number for the service.
check-data-plane Check to see if the traffic map is present in the data plane.
src-ip View active and standby status for the specified source IP address.

Mode All

Example The following example shows sample output for the show scaleout command:


ACOS#show scaleout

Role - Cluster Master

Device 6 - Active
Device 7 - Active
Device 8 - Active (Local)

The following table describes the fields in this output:

Field Description
Role Shows the role of the local device (the device on which you are executing
the show scaleout command):
• Cluster Master - the local device has the highest priority of all
devices in the cluster.
• Standby Node - the local device does not have the highest priority
of the devices in the cluster.
• Unknown Node - the local device is not recognized as being part of
a Scale Out cluster.
Device Shows a list of devices in the cluster. The device marked with “(Local)”
is the local device; the device from which you are running the show
scaleout command.

Example The following example shows sample output for show scaleout traffic-map with a
specific service s1_vs:

ACOS#show scaleout traffic-map s1_vs


Virtual Server=s1_vs :

Bucket Active Device Standby Device New Act Device New Stby Device
0 8 6 - -
1 8 6 - -
2 6 8 - -
3 6 8 - -
4 6 7 - -
5 6 7 - -
6 6 7 - -

For bucket 0, the active device is device 8, and the standby device is device 6.

Example The following example shows sample output for show scaleout traffic-map with a
specific source IP address:

ACOS#show scaleout traffic-map s1_vs src-ip 1.1.1.2


Virtual Server=s1_vs :

Bucket Active Device Standby Device New Act Device New Stby Device
2 6 8 - -


Config Commands: Server Load Balancing

The commands in this chapter configure SLB parameters. In some cases, the commands create an SLB configuration item
and change the CLI to the configuration level for that item.

This CLI level also has the following commands, which are available at all configuration levels:

• backup – See “backup system” on page 27 and “backup log” on page 25.

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• do – See “do” on page 90.

• end – See “end” on page 93.

• exit – See “exit” on page 95.

• no – See “no” on page 135.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.


Global Configuration Mode SLB Commands


This section describes the SLB CLI commands that are available from global configuration mode:

slb common
Description Access the SLB configuration level for system-wide SLB parameters.

Syntax slb common

This command changes the CLI to the SLB common configuration level for system-wide SLB
parameters, where the commands in “SLB Common Configuration Mode Commands” on
page 498 are available.

Mode Configuration mode

slb resource-usage
Description Change the capacity of an SLB resource.

Syntax [no] slb resource-usage resource-type

The following table lists the valid resource types and values.

Resource Type                  Description and Acceptable Values
client-ssl-template-count      Maximum number of configurable client SSL templates (32-1024).
conn-reuse-template-count      Maximum number of connection reuse templates (32-512).
fast-tcp-template-count        Maximum number of configurable Fast TCP templates (32-512).
fast-udp-template-count        Maximum number of configurable Fast UDP templates (32-512).
http-template-count            Maximum number of configurable HTTP templates (32-512).
nat-pool-addr-count            Maximum number of source IP NAT pools (10-250).
persist-cookie-template-count  Maximum number of persistent cookie templates (32-512).
persist-srcip-template-count   Maximum number of persistent source IP templates (32-512).
proxy-template-count           Maximum number of configurable proxy templates (32-512).
real-port-count                Maximum number of real server ports (64-2048).
real-server-count              Maximum number of real servers (32-1024).
server-ssl-template-count      Maximum number of server SSL templates (32-1024).
service-group-count            Maximum number of service groups (32-1024).
stream-template-count          Maximum number of configurable streaming media templates (32-512).
virtual-port-count             Maximum number of virtual ports (32-1024).
virtual-server-count           Maximum number of virtual servers (16-512).

Default The default maximum number for each type of system resource depends on the specific
device model. To display the defaults and current values for your device, use the show
system resource-usage command. See “show system resource-usage” on page 787.

Mode Configuration mode

Usage The maximum number you can configure depends on the resource type and the Thunder
Series model. To display the range of values that are valid for a resource, enter a question
mark instead of a quantity.
• For all the following types of SLB templates, the total number allowed is 256 each, and
is not configurable in the current release:
  • SIP
  • SMTP
  • Policy (PBSLB)
• For RAM caching templates, the total number allowed is 128 each.
• The total number of health monitors allowed is 1024 and is not configurable.
• For every type of system resource that has a default, the ACOS device reserves one
instance of the resource.
For example, the device allows a total of 256 RAM caching templates. However, the
device reserves one RAM caching template for the default template, which leaves a
maximum of 255 additional RAM caching templates that can be configured.

slb server
Description Configure a real server. Use the first command shown below to create or delete a server.
Use the second command to edit a server.

Syntax [no] slb server server-name {ipaddr | hostname}

Parameter Description
server-name Server name, 1-63 characters.
After you have created a real server, you can use this command to
rename the real server.
hostname Fully-qualified hostname, for dynamic real server creation.
ipaddr IP address of the server in either IPv4 or IPv6 format. The address is
required only if you are creating a new server.

Default N/A

Mode Configuration mode

Usage The normal form of this command creates a new or edits an existing real server. The CLI
changes to the configuration level for the server. See “Config Commands: SLB Servers” on
page 603.

The IP address of the server can be in either IPv4 or IPv6 format. The Thunder Series supports
both address formats.

The “no” form of this command removes an existing real server.

The maximum number of real servers is configurable. See “slb resource-usage” on page 489.

NOTE: Real servers are automatically created when added to a service group, so it is not
necessary to manually create real servers prior to adding them to a service group.

Example The following example creates a new real server with an IPv4 address:

ACOS(config)#slb server rs1 10.10.10.99
ACOS(config-real server)#

Example The following example creates a new real server with an IPv6 address:

ACOS(config)#slb server rs2 2020:3e8::3
ACOS(config-real server)#

Example The following commands configure a hostname server for dynamic server creation using
DNS, add a port to it, and bind the server template to it:

ACOS(config)#slb server s-test1 s1.test.com
ACOS(config-real server)#template server temp-server
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit

slb service-group
Description Configure an SLB service group.

Syntax [no] slb service-group group-name {tcp | udp}

Parameter Description
group-name Name of the group, 1-31 characters.
tcp | udp Application type of the group.

Default There are no service groups configured by default.

Mode Configuration mode

Usage The normal form of this command creates a new or edits an existing service group. The CLI
changes to the configuration level for the service group. See “Config Commands: SLB Service
Groups” on page 615.

Example The following example adds TCP service group “my-service-group”:

ACOS(config)#slb service-group my-service-group tcp
ACOS(config-slb svc group)#

slb ssl-expire-check email-address


Description Configure email notification for certificate expiration.

Syntax [no] slb ssl-expire-check email-address address [...]
[before days] [interval days]

Parameter Description
address Specifies the email addresses to which to send the notifications. You
can specify up to 2 email addresses. Use a space between them.
before days Specifies how many days before expiration to begin sending
notification emails. You can specify 1-5. The default is 5 days.
interval days Specifies how many days after expiration to continue sending
notification emails. You can specify 1-5. The default is 2 days.

Default Not set

Mode Configuration mode

Usage One notification is sent per day. If a certificate is updated before expiration or at least before
the configured interval, no more notification emails are sent for that certificate.

Example The following command enables certificate notifications to be sent to email address
“admin1@example.com”. Expiration notifications are sent beginning 4 days before expiration
and continue for 3 days after expiration.

ACOS(config)#slb ssl-expire-check email-address admin1@example.com before 4 interval 3

slb ssl-expire-check exception


Description Exclude specific certificates from expiration notification emails.

Syntax [no] slb ssl-expire-check exception {add cert-name | delete cert-name | clean}

Parameter Description
add cert-name Adds a certificate to the exception list.
delete cert-name Removes a certificate from the exception list.
clean Removes all certificates from the exception list.

Default Not set

Mode Configuration mode

slb ssl-module
Description Disable the SSL acceleration module.

NOTE: This command only applies to virtual appliances and not to hardware-based models.

Syntax [no] slb ssl-module software

Default SSL acceleration modules are enabled.

Mode Configuration mode

Usage This command applies only to add-on SSL acceleration modules, not to the on-board SSL
processors.

slb template
Description Configure an SLB template.

Syntax [no] slb template template-type template-name

Parameter Description
template-type Type of template. For a list, enter the following command: slb
template ?
(For information about SLB templates, see “Config Commands: SLB
Templates” on page 517.)
template-name Name of the template.

Default The templates have default settings, and some template types are automatically added to a
virtual port depending on its service type. For information, see the Application Delivery and
Server Load Balancing Guide.

Mode Configuration mode

Usage The normal form of this command creates a new or edits an existing template. The CLI
changes to the configuration level for the template. See “Config Commands: SLB Templates”
on page 517.

The no form of this command removes an existing template.

The maximum number of templates is configurable. See “slb resource-usage” on page 489.

Example The following command creates a TCP-proxy template named “proxy1”:

ACOS(config)#slb template tcp-proxy proxy1
ACOS(config-tcp proxy)#

slb transparent-acl-template
Description Set the idle timeout value for ACL-related pass-through TCP sessions.

A pass-through TCP session is one that is not terminated by the ACOS device (for example, a
session for which the ACOS device is not serving as a proxy for SLB).

Syntax [no] slb transparent-acl-template template-name

Replace template-name with the name of an existing TCP template (1-63 characters).

To create a TCP template, use the slb template tcp command.

Default The default idle timeout for pass-through TCP sessions is 30 minutes. The default idle
timeout in TCP templates is 120 seconds.

Mode Configuration mode

Usage Only the idle timeout setting in the specified TCP template is applicable to pass-through TCP
sessions. None of the other options in TCP templates affect pass-through TCP sessions.

The maximum idle timeout supported for transparent sessions is 15300 seconds. This is true
even if the idle timeout in the TCP template itself is set to a higher value. Higher idle timeout
values apply only to SLB sessions, not to transparent sessions. This is because transparent
sessions are stateless and can be recreated if timed out.

Example The following commands configure the default TCP template, setting the idle timeout value
to 15000 seconds. This template (and thus, idle timeout value) is then applied to
ACL-related pass-through TCP sessions:

ACOS(config)#slb template tcp default
ACOS(config-l4 tcp)#idle-timeout 15000
ACOS(config-l4 tcp)#exit
ACOS(config)#slb transparent-acl-template default

Related Commands slb template tcp, slb transparent-tcp-template

slb transparent-tcp-template
Description Set the idle timeout value for pass-through TCP sessions.

A pass-through TCP session is one that is not terminated by the ACOS device (for example, a
session for which the ACOS device is not serving as a proxy for SLB).

Syntax [no] slb transparent-tcp-template template-name

Replace template-name with the name of an existing TCP template (1-63 characters).

To create a TCP template, use the slb template tcp command.

Default The default idle timeout for pass-through TCP sessions is 30 minutes. The default idle
timeout in TCP templates is 120 seconds.

Mode Configuration mode

Usage Only the idle timeout setting in the specified TCP template is applicable to pass-through TCP
sessions. None of the other options in TCP templates affect pass-through TCP sessions.

The maximum idle timeout supported for transparent sessions is 15300 seconds. This is true
even if the idle timeout in the TCP template itself is set to a higher value. Higher idle timeout
values apply only to SLB sessions, not to transparent sessions. This is because transparent
sessions are stateless and can be recreated if timed out.

Example The following commands configure the default TCP template, setting the idle timeout value
to 15000 seconds. This template (and thus, idle timeout value) is then applied to
pass-through TCP sessions:

ACOS(config)#slb template tcp default
ACOS(config-l4 tcp)#idle-timeout 15000
ACOS(config-l4 tcp)#exit
ACOS(config)#slb transparent-tcp-template default

Related Commands slb template tcp, slb transparent-acl-template

slb virtual-server
Description Configure a virtual server.

Syntax [no] slb virtual-server name
[use-if-ip {ethernet num | loopback num}] |
[ipv6-addr [ipv6-acl acl-name]] |
[ipv4-addr [/mask-length | subnet-mask] acl acl-name]

Parameter Description
name Virtual server name, 1-31 characters.
After you have created a virtual server, you can use this command to rename the virtual server in order
to associate this IP with a different name.
use-if-ip Use the IP address of the specified interface.
This option is used on vThunder systems only.
ipv6-addr IPv6 address of the virtual server.
If you are configuring an IPv6 wildcard VIP, enter :: as the IP address.
Use the acl acl-id option to specify the IP addresses to be handled as wildcard VIPs. (For more
information, see the “Wildcard VIPs” chapter in the Application Delivery and Server Load Balancing Guide.)
After you have created a virtual server, you can use this command to change the IP address associated
with this name.
ipv4-addr IPv4 address of the virtual server.
If you are configuring a wildcard VIP, enter 0.0.0.0 as the IP address.
You can use the acl acl-id option to specify the IP addresses to be handled as wildcard VIPs. (For
more information, see the “Wildcard VIPs” chapter in the Application Delivery and Server Load Balancing
Guide.)
After you have created a virtual server, you can use this command to change the IP address associated
with this name.
To configure a contiguous set of IPv4 VIPs, specify the subnet mask or mask length. The specified
ipv4-addr will be the starting IP address of this set of VIPs.

Default N/A

Mode Configuration mode

Usage The normal form of this command creates a new or edits an existing virtual server. The CLI
changes to the configuration level for the virtual server. See “Config Commands: SLB Virtual
Servers” on page 633.

The “no” form of this command removes an existing virtual server.

The maximum number of virtual servers is configurable. See “slb resource-usage” on page 489.

Notes on VIP Ranges

• The IP addresses in the specified subnet range cannot belong to an IP interface, real
server, or other virtual server configured on the ACOS device.
• The largest supported IPv4 subnet length is /16.
• Statistics are aggregated for all VIPs in the subnet virtual server.
• The current release supports this feature only for DNS ports on the default DNS port
number (TCP port 53 or UDP port 53).
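The restrictions in “Notes on VIP Ranges” can be checked before a subnet virtual server is configured. The following Python sketch is an added example, not A10 code: the function name, the inventory format and the sample addresses are assumptions, “/16” is read as the shortest allowed prefix, and the whole covering subnet is treated as the VIP range (a conservative reading of the page).

```python
import ipaddress

SHORTEST_PREFIX = 16   # assumption: "largest supported IPv4 subnet length is /16"
DNS_PORT = 53          # VIP ranges are documented only for TCP/UDP port 53

# Constructed inventory of addresses already configured on the device.
SAMPLE_IN_USE = {
    "interface ve 10": "10.10.2.254",
    "real server rs1": "10.10.10.99",
    "virtual server vs-other": "10.10.2.40",
}


def check_vip_range(start_addr, mask, in_use, ports=()):
    """Return a list of problems for a proposed subnet virtual server.

    start_addr  starting IPv4 address of the VIP set
    mask        prefix length ("/24", "24", 24) or dotted subnet mask
    in_use      label -> address of interfaces, real servers and other VIPs
    ports       virtual port numbers planned for this virtual server
    """
    iface = ipaddress.ip_interface(f"{start_addr}/{str(mask).lstrip('/')}")
    if iface.version != 4:
        raise ValueError("VIP ranges are described for IPv4 only")
    net = iface.network            # covering subnet of the starting address
    problems = []
    if net.prefixlen < SHORTEST_PREFIX:
        problems.append(f"{net} is larger than /{SHORTEST_PREFIX}")
    for label, addr in sorted(in_use.items()):
        if ipaddress.ip_address(addr) in net:
            problems.append(f"{addr} ({label}) falls inside {net}")
    for port in ports:
        if port != DNS_PORT:
            problems.append(f"port {port} is not the default DNS port {DNS_PORT}")
    return problems


if __name__ == "__main__":
    for line in check_vip_range("10.10.2.1", "/24", SAMPLE_IN_USE, ports=[53]):
        print(line)
```
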

Example The following command configures a new virtual server named “vs1”:

ACOS(config)#slb virtual-server vs1 10.10.2.1
ACOS(config-slb vserver)#

SLB Common Configuration Mode Commands


This section describes the CLI commands that are available from SLB common configuration mode.

To access this mode, use the slb common command from global configuration mode.

buff-thresh
Description Fine-tune thresholds for SLB buffer queues.

CAUTION: Do not use this command except under advisement from A10 Networks.

Syntax [no] buff-thresh
hw-buff num
relieve-thresh num
sys-buff-low num
sys-buff-high num

Parameter Description
hw-buff num IO buffer threshold. For each CPU, if the number of queued
entries in the IO buffer reaches this threshold, fast aging is
enabled and no more IO buffer entries are allowed to be
queued on the CPU’s IO buffer.
relieve-thresh num Threshold at which fast aging is disabled, to allow IO buffer
entries to be queued again.
sys-buff-low num Threshold of queued system buffer entries at which ACOS
begins refusing new incoming connections.
sys-buff-high num Threshold of queued system buffer entries at which the
ACOS device drops a connection whenever a packet is
received for that connection.

Default N/A

Mode SLB common configuration mode

compress-block-size
Description Change the default compression block size used for SLB.

Syntax [no] compress-block-size bytes

The bytes option specifies the default compression block size, 6000-32000 bytes. The default
is 16000.

Default 16000

Mode SLB common configuration mode

Example The following example sets the compression block size to 16000 bytes:

ACOS(config)#slb common
ACOS(config-common)#compress-block-size 16000

conn-rate-limit src-ip
Description Configure source-IP based connection rate limiting.

NOTE: All connection requests in excess of the connection limit that are received from a
client within the limit period are dropped. This action is enabled by default when
you enable the feature, and cannot be disabled.

Syntax [no] conn-rate-limit src-ip {tcp | udp} conn-limit per {100 | 1000}
[shared]
[exceed-action [log] [lock-out lockout-period]]

Parameter Description
tcp | udp Specifies the Layer 4 protocol for which the filter applies.
conn-limit Specifies the connection limit. The connection limit is the maximum number of connection
requests allowed from a client, within the limit period. You can specify 1-1000000 (one
million).
per {100 | 1000} Specifies the limit period. The limit period is the interval to which the connection limit is
applied. A client is conforming to the rate limit if the number of new connection requests
within the limit period does not exceed the connection limit. You can specify 100
milliseconds or 1000 milliseconds.
shared Specifies that the connection limit applies in aggregate to all virtual ports. If you omit this
option, the limit applies separately to each virtual port.
exceed-action Enables optional exceed actions:
• log - Enables logging. Logging generates a log message when a client exceeds the
connection limit.
• lock-out lockout-period - Locks out the client for a specified number of seconds.
During the lockout period, all connection requests from the client are dropped. The
lockout period can be 1-3600 seconds (1 hour). There is no default.

Mode SLB common configuration mode

Example The following commands allow up to 1000 connection requests per one-second interval
from any individual client. If a client sends more than 1000 requests within a given limit
period, the client is locked out for 3 seconds. The limit applies separately to each individual
virtual port. Logging is not enabled.

ACOS(config)#slb common
ACOS(config-common)#conn-rate-limit src-ip 1000 per 1000 exceed-action lock-out 3

Example The following commands allow up to 2000 connection requests per 100-millisecond interval.
The limit applies to all virtual ports together. Logging is enabled but lockout is not enabled.

ACOS(config)#slb common
ACOS(config-common)#conn-rate-limit src-ip 2000 per 100 shared exceed-action log

Example The following commands allow up to 2000 connection requests per 100-millisecond interval.
The limit applies to all virtual ports together. Logging is enabled and lockout is enabled. If a
client sends a total of more than 2000 requests within a given limit period, to one or more
virtual ports, the client is locked out for 3 seconds.

ACOS(config)#slb common
ACOS(config-common)#conn-rate-limit src-ip 2000 per 100 shared exceed-action log lock-out 3
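To see how the conn-limit, per, shared, log and lock-out options combine, the following Python model replays connection requests against the behaviour described above. It is an added example, not ACOS code: the class and function names and the sample events are constructed, and it assumes fixed limit periods aligned to the clock and a lockout that applies to the client on every virtual port.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SrcIpConnRateLimit:
    """Model of 'conn-rate-limit src-ip' as described on this page."""
    conn_limit: int                   # conn-limit: 1-1000000 requests per limit period
    period_ms: int                    # per {100 | 1000}
    shared: bool = False              # True: one counter per client across all virtual ports
    log: bool = False                 # exceed-action log
    lockout_s: Optional[int] = None   # exceed-action lock-out, 1-3600 seconds
    log_lines: list = field(default_factory=list, init=False)
    _counts: dict = field(default_factory=dict, init=False)
    _locked_until: dict = field(default_factory=dict, init=False)

    def __post_init__(self):
        if not 1 <= self.conn_limit <= 1_000_000:
            raise ValueError("conn-limit must be 1-1000000")
        if self.period_ms not in (100, 1000):
            raise ValueError("limit period must be 100 or 1000 ms")
        if self.lockout_s is not None and not 1 <= self.lockout_s <= 3600:
            raise ValueError("lock-out period must be 1-3600 seconds")

    def allow(self, now_ms, client, vport):
        """Return True if a new connection request is accepted, False if dropped."""
        if now_ms < self._locked_until.get(client, 0):
            return False                        # client is still locked out
        key = client if self.shared else (client, vport)
        window = now_ms // self.period_ms       # assumption: fixed limit periods
        seen_window, count = self._counts.get(key, (window, 0))
        if seen_window != window:
            count = 0                           # a new limit period has started
        count += 1
        self._counts[key] = (window, count)
        if count <= self.conn_limit:
            return True
        if count == self.conn_limit + 1:        # first excess request in this period
            if self.log:
                self.log_lines.append(
                    f"{now_ms} ms: {client} exceeded "
                    f"{self.conn_limit} per {self.period_ms} ms on {vport}")
            if self.lockout_s is not None:
                self._locked_until[client] = now_ms + self.lockout_s * 1000
        return False                            # excess requests are always dropped


def replay(limiter, events):
    """events: iterable of (time_ms, client_ip, virtual_port); returns verdicts."""
    return [limiter.allow(t, c, v) for t, c, v in events]


# Constructed traffic. Limit 3 per 1000 ms with 'lock-out 3': the fourth
# request triggers the lockout, which ends 3000 ms later.
CLIENT = "198.51.100.7"
LOCKOUT_EVENTS = [(0, CLIENT, "vs1:80"), (10, CLIENT, "vs1:80"), (20, CLIENT, "vs1:80"),
                  (30, CLIENT, "vs1:80"), (1500, CLIENT, "vs1:80"),
                  (3029, CLIENT, "vs1:80"), (3030, CLIENT, "vs1:80")]
# Two requests to each of two virtual ports inside one 100 ms period.
BURST_EVENTS = [(0, CLIENT, "vs1:80"), (1, CLIENT, "vs1:80"),
                (2, CLIENT, "vs1:443"), (3, CLIENT, "vs1:443")]

if __name__ == "__main__":
    print(replay(SrcIpConnRateLimit(3, 1000, lockout_s=3), LOCKOUT_EVENTS))
    print(replay(SrcIpConnRateLimit(2, 100), BURST_EVENTS))
    print(replay(SrcIpConnRateLimit(2, 100, shared=True), BURST_EVENTS))
```
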

disable-server-auto-reselect
Description Disable auto-reselection of server. This is used with inband health monitors.

Syntax [no] disable-server-auto-reselect

Default Server auto-reselection is enabled by default.

Mode SLB common configuration mode

dns-cache-age
Description Configure the amount of time the ACOS device locally caches DNS replies.

DNS cache aging is applicable only when DNS caching is enabled, using the
dns-cache-enable command.

Syntax [no] dns-cache-age seconds

The seconds option specifies the maximum number of seconds the ACOS device caches
DNS replies. You can specify 1-1000000 seconds.

NOTE: A DNS reply begins aging as soon as it is cached and continues aging even if the
cached reply is used after aging starts. Use of a cached reply does not reset the age
of that reply.

Default 300

Mode SLB common configuration mode

Example The following example configures the ACOS device to cache DNS replies for 300 seconds.

ACOS(config)#slb common
ACOS(config-common)#dns-cache-age 300

dns-cache-enable
Description Globally enable caching of replies to DNS queries.

Syntax [no] dns-cache-enable
[
round-robin [ttl-threshold seconds] |
single-answer [ttl-threshold seconds] |
ttl-threshold seconds
]

Parameter Description
round-robin For DNS replies that contain multiple IP addresses in the ANSWER
section, the ACOS device rotates the addresses when replying to
client requests.
single-answer Caches only replies that have a single IP address in the ANSWER
section.
ttl-threshold seconds Specifies the minimum Time-To-Live (TTL) a reply from the DNS
server must have, in order for the ACOS device to cache the reply.
You can specify 1-10000000 seconds.

Default DNS caching is disabled by default. When you globally enable DNS caching, the
round-robin and single-answer options are disabled by default. The default TTL
threshold is 0 (unset).

Mode SLB common configuration mode

Usage When DNS caching is enabled, the ACOS device sends the first request for a given name
(hostname, fully-qualified domain name, URL, and so on) to the DNS server. The ACOS device
caches the reply from the DNS server, and sends the cached reply in response to the next
request for the same name.

The ACOS device continues to use the cached DNS reply until the reply times out. After the
reply times out, the ACOS device sends the next request for that URL to the DNS server, and
caches the reply, and so on.

Enabling the single-answer option prevents the caching of DNS replies that have multiple IP
addresses. For example, if the DNS reply to a query for “www.example1.com” has only one
IP address (1.1.1.1), then the reply will be cached on the ACOS device.
However, if the DNS response to a query for “www.example2.com” has two IP addresses
(2.2.2.2 and 3.3.3.3), then the entry would not be cached on the ACOS device.

If the ttl-threshold option is configured on the ACOS device, then DNS replies will only be
cached if they have a TTL value that is larger than the TTL threshold configured on the ACOS
device. This prevents the ACOS device from caching DNS entries that will expire shortly
thereafter.

For example, if the ACOS device’s TTL threshold is set to 7200 seconds and the ACOS device
receives a DNS response for a domain with a TTL of only 10 seconds, there would be little
benefit in caching that DNS reply, since it will soon expire. Despite the cached information,
subsequent client requests for that same domain would bypass the “stale” information
cached on the ACOS device to perform another DNS lookup just 10 seconds later.

DNS caching applies only to DNS requests sent to a UDP virtual port in a DNS SLB
configuration. DNS caching is not supported for DNS requests sent over TCP.

Example The following example enables DNS caching on the ACOS device with all the default values.

ACOS(config)#slb common
ACOS(config-common)#dns-cache-enable
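The caching rules described for dns-cache-age and dns-cache-enable determine which replies are stored and how long a stored answer keeps being served. The following Python model is an added example, not ACOS code: the class and method names are constructed, a TTL threshold of 0 is treated as unset, expiry is driven by dns-cache-age alone (the page does not say whether a shorter record TTL ends caching earlier), and round-robin is modelled as a one-position rotation per cache hit.

```python
class DnsCacheModel:
    """Model of the documented DNS reply caching for UDP DNS virtual ports."""

    def __init__(self, cache_age=300, mode=None, ttl_threshold=0):
        if not 1 <= cache_age <= 1_000_000:
            raise ValueError("dns-cache-age must be 1-1000000 seconds")
        if mode not in (None, "round-robin", "single-answer"):
            raise ValueError("mode must be None, 'round-robin' or 'single-answer'")
        if not 0 <= ttl_threshold <= 10_000_000:
            raise ValueError("ttl-threshold must be 1-10000000 seconds, or 0 for unset")
        self.cache_age = cache_age
        self.mode = mode
        self.ttl_threshold = ttl_threshold
        self._entries = {}            # name -> [cached_at, addresses, hits]

    def admit(self, addresses, ttl, transport="udp"):
        """Return (cacheable, reason) for one reply from the DNS server."""
        if transport != "udp":
            return False, "caching is not supported for DNS requests sent over TCP"
        if self.mode == "single-answer" and len(addresses) != 1:
            return False, "single-answer: reply does not have exactly one address"
        if self.ttl_threshold and ttl <= self.ttl_threshold:
            return False, "reply TTL is not larger than ttl-threshold"
        return True, "cached"

    def store(self, now, name, addresses, ttl, transport="udp"):
        """Offer a server reply to the cache; returns the admit() verdict."""
        ok, reason = self.admit(addresses, ttl, transport)
        if ok:
            self._entries[name] = [now, list(addresses), 0]
        return ok, reason

    def lookup(self, now, name, transport="udp"):
        """Return cached addresses, or None when the query goes to the DNS server."""
        entry = self._entries.get(name)
        if transport != "udp" or entry is None:
            return None
        cached_at, addresses, hits = entry
        if now - cached_at >= self.cache_age:
            del self._entries[name]   # aged out, counted from caching time only
            return None
        entry[2] = hits + 1           # a hit does not reset cached_at
        if self.mode == "round-robin":
            shift = hits % len(addresses)
            return addresses[shift:] + addresses[:shift]
        return list(addresses)


def demo():
    """Replay the page's own examples (times in seconds, constructed)."""
    strict = DnsCacheModel(ttl_threshold=7200)
    single = DnsCacheModel(mode="single-answer")
    return [
        strict.store(0, "short-ttl.example", ["192.0.2.10"], ttl=10),
        single.store(0, "www.example1.com", ["1.1.1.1"], ttl=600),
        single.store(0, "www.example2.com", ["2.2.2.2", "3.3.3.3"], ttl=600),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```
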

dns-cache-entry-size
Description Set the maximum size in bytes for DNS cache entries.

Syntax [no] dns-cache-entry-size num

Replace num with the desired DNS cache entry size, in bytes (1 - 4096).

Default 256

Mode SLB common configuration mode

Example The following example sets the DNS cache entry size to 3600 bytes:

ACOS(config)#slb common
ACOS(config-common)#dns-cache-entry-size 3600

drop-icmp-to-vip-when-vip-down
Description When a virtual IP is down, it can still respond to ping (ICMP_ECHO) requests.

With this command enabled, a virtual IP that is down will not respond to ping requests.

Syntax [no] drop-icmp-to-vip-when-vip-down

Mode SLB common configuration mode

dsr-health-check-enable
Description Enable health checking of the virtual server IP addresses instead of the real server IP
addresses in Direct Server Return (DSR) configurations.

This feature also requires configuration of a Layer 3 health method (ICMP), with the
transparent option enabled, and with the alias address set to the virtual IP address. (See
method.) The health monitor must be applied to the real server ports.

Syntax [no] dsr-health-check-enable

Default Health checking is disabled by default.

Mode SLB common configuration mode

Example The following commands configure a Layer 3 health monitor for DSR health checking, apply
it to the real server ports, and enable DSR health checking:

ACOS(config)#health monitor dsr-hm
ACOS(config-health:monitor)#method icmp transparent 10.10.10.99
ACOS(config-health:monitor)#exit
ACOS(config)#slb common
ACOS(config-common)#dsr-health-check-enable

enable-l7-req-acct
Description Globally enable Layer 7 request accounting.

If you use the least-request load-balancing method in a service group, Layer 7 request
accounting is automatically enabled for the service group’s members, and for the virtual
service ports that are bound to the service group’s members.

To display Layer 7 request statistics, use the show slb service-group group-name
command. See show slb server, show slb service-group, and show slb virtual-server.

Syntax [no] enable-l7-req-acct

Default Disabled by default.

Mode SLB common configuration mode

Example The example below shows how to enable Layer 7 request accounting.

ACOS(config)#slb common
ACOS(config-common)#enable-l7-req-acct

extended-stats
Description Globally enable collection of extended SLB statistics, including peak connection statistics.

Syntax [no] extended-stats

Default Disabled by default.

Mode SLB common configuration mode

Example The example below shows how to enable the collection of extended SLB statistics.

ACOS(config)#slb common
ACOS(config-common)#extended-stats

fast-path-disable
Description Disable fast-path packet inspection.

Fast processing of packets maximizes performance by using all the underlying hardware
assist facilities. Typically, the feature should remain enabled. The option to disable it is
provided only for troubleshooting, in case it is suspected that the fast processing logic is
causing an issue. If you disable fast-path processing, ACOS does not perform a deep
inspection of every field within a packet.

Syntax [no] fast-path-disable

Default Enabled by default.

Mode SLB common configuration mode.

Example The example below shows how to disable fast-path packet inspection.

ACOS(config)#slb common
ACOS(config-common)#fast-path-disable

gateway-health-check
Description Enables gateway health monitoring.

Syntax [no] gateway-health-check [interval seconds [timeout seconds]]

Parameter Description
interval seconds Specifies the amount of time between health check attempts,
1-180 seconds.
The default interval is 5 seconds.
timeout seconds Specifies how long the ACOS device waits for a reply to any of
the ARP requests, 1-60 seconds.
The default timeout is 15 seconds.

Default See descriptions.

Mode SLB common configuration mode.

Usage Gateway health monitoring uses ARP to test the availability of nexthop gateways. When the
ACOS device needs to send a packet through a gateway, the ACOS device begins sending
ARP requests to the gateway.
• If the gateway replies to any ARP request within a configurable timeout, the ACOS
device forwards the packet to the gateway.
• The ARP requests are sent at a configurable interval. The ACOS device waits for a
configurable timeout for a reply to any request. If the gateway does not respond to any
request before the timeout expires, the ACOS device selects another gateway and
begins the health monitoring process again.

Example The following example enables gateway health monitoring. Health check attempts will be
made every 10 seconds, with a reply timeout of 20 seconds.

ACOS(config)#slb common
ACOS(config-common)#gateway-health-check interval 10 timeout 20

graceful-shutdown
Description Allow currently active sessions time to terminate normally before shutting down a service
when you delete or disable the real or virtual server or port providing the service.

Syntax [no] graceful-shutdown grace-period
[server | virtual-server] [after-disable]

Parameter Description
grace-period Number of seconds existing connections on a disabled or deleted
server or port are allowed to remain up before being terminated.
You can specify 1-65535 seconds.
server Limits the graceful shutdown to real servers only.
virtual-server Limits the graceful shutdown to virtual servers only.
after-disable Applies graceful shutdown to disabled servers and service ports,
as well as deleted servers. Without this option, graceful shutdown
applies only to deleted servers.

Default Graceful shutdown is disabled by default. When you delete a real or virtual service port, the
ACOS device places all the port’s sessions in the delete queue, and stops accepting new
sessions on the port.

Mode SLB common configuration mode.

Usage When graceful shutdown is enabled, the ACOS device stops accepting new sessions on a
disabled or deleted port, but waits for the specified grace period before moving active
sessions to the delete queue.

Example The following commands enable graceful shutdown and set the grace period to one hour:

ACOS(config)#slb common
ACOS(config-common)#graceful-shutdown 3600

http-fast-enable
Description When enabled, traffic for an HTTP virtual port can be processed in a Fast HTTP path,
depending on features configured on the virtual port.

Syntax [no] http-fast-enable

Default Fast HTTP processing is disabled by default.

Mode SLB common configuration mode.

Introduced in Release ACOS 4.0


hw-compression
Description Enable hardware-based HTTP compression.

Implementation Notes

• This command applies only to devices containing HTTP compression modules. If this
command does not appear in your list of available commands, it means your device
does not contain an HTTP compression module.
• Installation of the compression module into ACOS devices in the field is not supported.
Contact A10 Networks for information on obtaining an ACOS device that includes the
module.
• When you enable hardware-based compression, all compression settings configured in
HTTP templates, except the compression level, are used. Hardware-based compression
always uses the same compression level, regardless of the compression level configured
in an HTTP template.

Syntax [no] hw-compression

Default Disabled by default.

Mode SLB common configuration mode.

Example The following example enables hardware-based HTTP compression.

ACOS(config)#slb common
ACOS(config-common)#hw-compression

hw-syn-rr
Description Enable distribution of client SYNs across multiple CPUs. This feature protects against CPU
overload due to SYN floods, a common symptom of DDoS attacks.

Syntax [no] hw-syn-rr conn-num

The conn-num option specifies the maximum number of connection requests (TCP SYNs)
allowed from the same client (1-500000). If this threshold is exceeded, ACOS begins using all
the CPUs for processing the SYNs.

Default Disabled by default.

Mode SLB common configuration mode.

Usage Until the conn-num threshold is exceeded, only the control CPU is used for SYN processing.

When the conn-num threshold is exceeded, ACOS begins distributing the SYNs to the CPUs
in round-robin fashion. The control CPU and all data CPUs are used.

Example The following example enables distribution of client SYNs across multiple CPUs, using
250,000 TCP SYNs as the threshold.

ACOS(config)#slb common
ACOS(config-common)#hw-syn-rr 250000

l2l3-trunk-lb-disable
Description Disable or re-enable trunk load balancing.

Syntax [no] l2l3-trunk-lb-disable

Default Enabled by default.

Mode SLB common configuration mode.

Usage When trunk load balancing is enabled, the ACOS device load balances outbound Layer 2/3
traffic among all the ports in a trunk. The round-robin method is used to load balance the
traffic. For example, in a trunk containing ports 1-4, the first Layer 2/3 packet is sent on port 1.
The second packet is sent on port 2. The third packet is sent on port 3, and so on.

If you disable trunk load balancing, the lead port will always be used for outbound traffic, and
the other ports will act as standby ports in case the lead port goes down.

Trunk load balancing applies only to Layer 2/3 traffic, and is enabled by default. However, the
CLI provides a command to disable trunk load balancing, in case there is a need to do so.
Disabling trunk load balancing causes the ACOS device to use only the lead port for
outbound traffic.

NOTE: Trunk load balancing does not apply to Layer 4-7 traffic.

Example The following commands disable trunk load balancing.

ACOS(config)#slb common
ACOS(config-common)#l2l3-trunk-lb-disable

max-buff-queued-per-conn
Description Set the maximum buffer threshold per connection.

Syntax [no] max-buff-queued-per-conn buffer-value

Specify the desired buffer-value (128-4096).

Mode SLB common configuration mode.

Example The following commands set the maximum buffer value per connection to 1024:

ACOS(config)#slb common
ACOS(config-common)#max-buff-queued-per-conn 1024


max-http-header-count
Description Configure the number of headers supported in an HTTP request.

Syntax [no] max-http-header-count num

Replace num with the maximum number of HTTP headers supported within a request (90-255).

Default 90

Mode SLB common configuration mode

Example The following commands configure 90 as the number of headers supported in an HTTP
request.

ACOS(config)#slb common
ACOS(config-common)#max-http-header-count 90

msl-time
Description Configure the maximum session life for client sessions. The maximum session life controls
how long the ACOS device maintains a session table entry for a client-server session after
the session ends.

Syntax [no] msl-time seconds

The seconds option specifies the number of seconds a client session can remain in the
session table following completion of the session. You can specify 1-40 seconds.

Default 2 seconds

Mode SLB common configuration mode

Usage The maximum session life allows time for retransmissions from clients or servers, which can
occur if there is an error in a transmission. If a retransmission occurs while the ACOS device
still has a session entry for the session, the ACOS device is able to forward the retransmission.
However, if the session table entry has already aged out, the ACOS device drops the retransmission
instead.

The maximum session life begins aging out a session table entry when the session ends:

• TCP – The session ends when the ACOS device receives a TCP FIN from the client or
server.
• UDP – The session ends after the ACOS device receives a server response to the client’s
request. If the reply is fragmented, the maximum session life begins only after the last
fragment is received.


NOTE: For UDP sessions, the maximum session life is used only if UDP aging is set to short,
instead of immediate. UDP aging is set in the UDP template bound to the UDP virtual
port. The default setting is short.

Example The following commands configure a maximum session life of 10 seconds.

ACOS(config)#slb common
ACOS(config-common)#msl-time 10

mss-table
Description Configure the TCP Maximum Segment Size (MSS) allowed for client traffic.

Syntax [no] mss-table num

Replace num with the maximum MSS allowed in traffic from clients. You can specify 128-750.

Default 538

Mode SLB common configuration mode

Usage Clients who can only transmit TCP segments that are smaller than the MSS are unable to
reach servers.

This command globally changes the MSS. You also can change the MSS in individual TCP-proxy
templates. (See slb template tcp-proxy.)

Example The following commands configure a TCP MSS of 256.

ACOS(config)#slb common
ACOS(config-common)#mss-table 256

no-auto-up-on-aflex
Description Prevent the health status of virtual ports that are bound to aFleX scripts from being automatically
marked Up.

Syntax [no] no-auto-up-on-aflex

Default This option is disabled by default. Virtual ports that are bound to aFleX scripts are automatically
marked Up.

Mode SLB common configuration mode

Example The following commands prevent the health status of virtual ports that are bound to aFleX
scripts from being automatically marked Up.

ACOS(config)#slb common
ACOS(config-common)#no-auto-up-on-aflex

rate-limit-logging
Description Configure rate limiting settings for system logging.

Syntax [no] rate-limit-logging
[max-local-rate msgs-per-second]
[max-remote-rate msgs-per-second]
[exclude-destination {local | remote}]

Parameter Description
max-local-rate msgs-per-second Specifies the maximum number of messages per second that can be sent to the local log
buffer. You can specify 1-100. The default is 32 messages per second.
max-remote-rate msgs-per-second Specifies the maximum number of messages per second that can be sent to remote log
servers. You can specify 1-100000. The default is 15000 messages per second.
exclude-destination Excludes logging to the specified destination, local or remote. By default, logging to both
destinations is enabled.

Default See descriptions.

Mode SLB common configuration mode.

Usage Log rate limiting is enabled by default and cannot be disabled. The configurable settings
have the default values as described in the table above.

The log rate limiting mechanism works as follows:

• If the number of new messages within a one-second interval exceeds the internal maximum
(32 by default), then during the next one-second interval, ACOS sends log messages
only to the external log servers.
• If the number of new messages generated within the new one-second interval is the
internal maximum or less, then during the following one-second interval, ACOS will
again send messages to the local logging buffer as well as the external log server.
• In any case, all messages (up to the external maximum) are sent to the external log
servers.

Example The following commands increase the maximum number of log messages per second sent
to remote log servers:

ACOS(config)#slb common
ACOS(config-common)#rate-limit-logging max-remote-rate 30000
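
Added example (not from the A10 documentation and not ACOS code): a Python model of the log rate limiting rules in the Usage text above, showing which seconds leave no trace in the local log buffer around a burst. It assumes that, while local logging is active, the buffer takes at most max-local-rate messages in that second; the per-second counts are constructed sample data.

```python
"""Added example: model of the ACOS log rate limiting rules (not ACOS code)."""
from dataclasses import dataclass


@dataclass
class Interval:
    second: int
    generated: int   # messages produced in this one-second interval
    to_local: int    # messages written to the local log buffer
    to_remote: int   # messages sent to the external log servers


def simulate(counts, max_local_rate=32, max_remote_rate=15000):
    """Apply the documented rules to a list of per-second message counts."""
    results = []
    local_suppressed = False  # decided by the previous interval's volume
    for second, generated in enumerate(counts):
        # Remote servers always receive messages, up to the external maximum.
        to_remote = min(generated, max_remote_rate)
        # Assumption: while local logging is active, the buffer accepts at
        # most max_local_rate messages in that second.
        to_local = 0 if local_suppressed else min(generated, max_local_rate)
        results.append(Interval(second, generated, to_local, to_remote))
        # Exceeding the local maximum switches the NEXT interval to remote-only.
        local_suppressed = generated > max_local_rate
    return results


def local_gaps(results):
    """Seconds in which messages were generated but none reached the local buffer."""
    return [r.second for r in results if r.generated and r.to_local == 0]


# Constructed sample: messages per second around two bursts.
CONSTRUCTED_COUNTS = [5, 20, 400, 900, 30, 10, 0, 50, 8]

if __name__ == "__main__":
    run = simulate(CONSTRUCTED_COUNTS)
    for r in run:
        print(f"t={r.second}s generated={r.generated:4d} "
              f"local={r.to_local:3d} remote={r.to_remote:4d}")
    print("local buffer has no entries for seconds:", local_gaps(run))
```

In the sample, the quiet seconds that directly follow a burst are also missing from the local buffer, so the remote log server is the complete record when reconstructing an event.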


reset-stale-session
Description Send reset if a session in the delete queue receives a SYN packet.

Syntax [no] reset-stale-session

Mode SLB common configuration mode.

Example The following command enables this feature.

ACOS(config)#slb common
ACOS(config-common)#reset-stale-session

scale-out
Description Enable the Scale Out feature for SLB.

Syntax [no] scale-out

Default Not enabled.

Mode SLB common configuration mode.

snat-gwy-for-l3
Description Use an IP pool’s default gateway to forward traffic from a real server.

When this feature is enabled, ACOS checks the server IP subnet against the IP NAT pool
subnet. If they are on the same subnet, then ACOS uses the gateway as defined in the IP NAT
pool for Layer 2 / Layer 3 forwarding. This feature is useful if the server does not have its own
upstream router and ACOS can leverage the same upstream router for Layer 2 / Layer 3.

Syntax [no] snat-gwy-for-l3

Default Disabled by default.

Mode SLB common configuration mode.

Example The following commands enable traffic forwarding using an IP pool’s default gateway.

ACOS(config)#slb common
ACOS(config-common)#snat-gwy-for-l3


snat-on-vip
Description Globally enable IP NAT support for VIPs.

Syntax [no] snat-on-vip

Default Disabled by default.

Mode SLB common configuration mode

Usage Source IP NAT can be configured on a virtual port in the following ways:
• ACL-based source NAT (access-list command at virtual port level)
• VIP source NAT (slb snat-on-vip command at Configuration mode level)
• aFleX policy (aflex command at virtual port level)
• Non-ACL source NAT (source-nat command at virtual port level)

These methods are used in the order shown above. For example, if IP source NAT is
configured using an ACL on the virtual port, and the slb snat-on-vip command is also used,
then a pool assigned by the ACL is used for traffic that is permitted by the ACL. For traffic that
is not permitted by the ACL, VIP source NAT can be used instead.

NOTE: The current release does not support source IP NAT on FTP or RTSP virtual ports.

Example The following commands enable IP NAT support for VIPs.

ACOS(config)#slb common
ACOS(config-common)#snat-on-vip

sort-res
Description Enable the sort display option for SLB configuration. When this option is enabled, SLB
resources in the configuration are listed in alphabetical order.

The sort feature takes effect only after you enable it and then configure at least one new SLB
resource. Until you configure at least one new SLB resource, the SLB resources still appear
in the order they were configured.

Syntax [no] sort-res

Default This option is disabled by default. With this default behavior, SLB resources of a specific type
appear in the order they are configured.

Mode SLB common configuration mode

Example The following command displays the configured SLB servers, before the sort option is
enabled and activated:

ACOS(config-common)#show running-config | include slb server
slb server ee 5.5.5.5
slb server rs20_10 20.20.20.10
slb server Server07 110.20.20.20
slb server Server08 110.13.13.20
slb server MSSQLServer02 110.13.13.21
slb server srv266 10.10.100.10
slb server srv238 2.1.1.238
slb server rs_http 10.1.2.10
slb server ldap-sr 172.16.2.10
slb server s1 20.20.20.30
slb server woo 10.10.99.99
slb server o1 10.10.10.5
slb server http1 20.20.25.10
slb server http2 20.20.25.11

The following commands enable the sort option, configure a new SLB server, and redisplay
the configured SLB servers. The slb server commands are now alphabetically sorted.

ACOS(config)#slb common
ACOS(config-common)#sort-res
ACOS(config-common)#exit
ACOS(config)#slb server s88 4.3.3.3
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#show running-config | include slb server
slb server MSSQLServer02 110.13.13.21
slb server Server07 110.20.20.20
slb server Server08 110.13.13.20
slb server ee 5.5.5.5
slb server fsort2 4.3.9.58
slb server fsort88 4.3.9.55
slb server http1 20.20.25.10
slb server http2 20.20.25.11
slb server ldap-sr 172.16.2.10
slb server o1 10.10.10.5
slb server rs20_10 20.20.20.10
slb server rs_http 10.1.2.10
slb server s1 20.20.20.30
slb server s88 4.3.3.3
slb server srv238 2.1.1.238
slb server srv266 10.10.100.10
slb server woo 10.10.99.99
slb server zsort2 4.3.3.9
ACOS(config-real server-node port)#


stats-data-disable
Description Globally disables periodic collection of statistical data for system resources, including CPU,
memory, disks and interfaces.

Syntax [no] stats-data-disable

Default Disabled (statistics collection is enabled)

Mode SLB common configuration mode

Example The following commands globally disable statistics collection for system resources.

ACOS(config)#slb common
ACOS(config-common)#stats-data-disable

use-mss-tab
Description Configure ACOS to base the MSS in replies from VIPs to clients on the interface MTU and MSS
value received from clients in SYNs.

Syntax [no] use-mss-tab

Default Disabled by default.

Mode SLB common configuration mode



Config Commands: SLB Templates

This chapter describes the commands and subcommands for configuring SLB configuration templates.

To access this configuration level, enter the slb template command at the global configuration level.

To display configured templates, use the slb template ? command.

To apply a template to a virtual port, use the template command at the configuration level for the virtual port.

This CLI level also has the following commands, which are available at all configuration levels:

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• do – See “do” on page 90.

• end – See “end” on page 93.

• exit – See “exit” on page 95.

• no – See “no” on page 135.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

NOTE: DNS templates have the highest priority and are used first, followed by policy templates.
Then the other types of templates are used as applicable.

slb template cache


Description Configure the ACOS device to perform transparent Web caching.

Syntax [no] slb template cache template-name

Replace template-name with the name of the template, up to 31 characters long.

This command changes the CLI to the configuration level for the specified RAM caching
template, where the following commands are available.


(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] accept-reload-req Enables support for the following Cache-Control headers:
• Cache-Control: no-cache
• Cache-Control: max-age=0
When support for these headers is enabled, either header causes the ACOS
device to reload the cached object from the origin server.
By default, this is disabled.
[no] age seconds Specifies how long a cached object can remain in the ACOS RAM cache without
being requested. You can specify 1-999999 seconds (about 11-1/2 days).
NOTE: This value is used if the web server specifies that the object is cacheable
but does not specify for how long. If the server does specify how long the object
is cacheable, then the server value is used instead.
The default is 3600 seconds (1 hour), if the server specifies that the object is
cacheable but does not specify for how long.
[no] default-policy-nocache Changes the default cache policy in the template from cache to nocache. This
option gives you tighter control over content caching. When you use the default
no-cache policy, the only content that is cached is cacheable content whose URI
matches an explicit cache policy.
[no] disable-insert-age Disables insertion of Age headers into cached responses. Insertion of Age headers
is enabled by default.
[no] disable-insert-via Disables insertion of Via headers into cached responses. Insertion of Via headers
is enabled by default.
[no] max-cache-size size Specifies the size (in MB) of the RAM cache.
The default is 80 MB.
[no] max-content-size bytes Specifies the maximum object size that can be cached. The ACOS device will not
cache objects larger than this size. You can specify 0-4194303 bytes (256 MB). If
you specify 0, no objects can be cached.
The default is 81920 bytes (80 KB)
[no] min-content-size bytes Specifies the minimum object size that can be cached. The ACOS device will not
cache objects smaller than this size. You can specify 0-4194303 bytes (4 MB). If
you specify 0, all objects smaller than or equal to the maximum content size can
be cached.
The default is 512 bytes.

[no] policy uri pattern {cache [seconds] | nocache | invalidate inv-pattern} Configures a policy for dynamic caching.
• pattern – Specifies the portion of the URL string to match on. The options
below specify the action to take for URLs that match the pattern:
• cache [seconds] – Caches the content. By default, the content is cached
for the number of seconds configured in the template (set by the age command).
To override the aging period set in the template, specify the number
of seconds with the cache command.
• nocache – Does not cache the content.
• invalidate inv-pattern – Invalidates the content that has been cached
for inv-pattern.
[no] remove-cookies Removes cookies from server replies so the replies can be cached. RAM caching
does not cache server replies that contain cookies. (Image files are an exception.
RAM caching can cache images that have cookies.)
[no] replacement-policy LFU Specifies the policy used to make room for new objects when the RAM cache is
full. The policy supported in the current release is Least Frequently Used (LFU).
When the RAM cache becomes more than 90% full, the ACOS device discards
the least-frequently used objects to ensure there is sufficient room for new
objects.
[no] template logging template-name Specifies a logging template to use for external logging of RAM caching events
over TCP.
[no] verify-host Enables the ACOS device to cache the host name in addition to the URI for
cached content. Use this command if a real server that contains cacheable content
will host more than one host name (for example, www.abc.com and
www.xyz.com).
By default, this is disabled. Host names are not cached along with URIs for
cached content.

Default See descriptions.

Mode Configuration mode

Usage The normal form of this command creates a RAM caching configuration template. The no
form of this command removes the template.

You can bind only one RAM caching template to a virtual port. However, you can bind the
same RAM caching template to multiple ports.

If a URI matches the pattern in more than one policy command, the policy command with
the most specific match is used. For example, if a template has the following commands,
content for page122 is cached whereas content for page123 is not cached:

policy uri /page12 cache 300
policy uri /page123 nocache

Wildcard characters (for example: ? and *) are not supported in RAM Caching policies. For
example, if the string pattern contains “*”, it is interpreted literally, as the “*” character.


In the current release, matching is performed based on containment. All URIs that contain
the pattern string match the rule. For example, the following policy matches all URIs that
contain the string “.jpg” and sets the cache timeout for the matching objects to 7200
seconds:

policy uri .jpg cache 7200

Example The following commands configure a RAM caching template. In this example, all the default
RAM cache settings are used.

ACOS(config)#slb template cache ramcache
ACOS(config-ram caching template)#

Example The following commands configure some dynamic caching policies. The policy that matches
on “/list” caches content for 5 minutes. The policy that matches on “/private” does not cache
content.

ACOS(config)#slb template cache ram-cache
ACOS(config-ram caching)#policy uri /list cache 300
ACOS(config-ram caching)#policy uri /private nocache

Example The following commands configure a RAM caching template that will only cache content
from www.xyz.com/news-clips.

ACOS(config)#slb template cache ramcache
ACOS(config-RAM caching)#default-policy-nocache
ACOS(config-RAM caching)#policy uri www.xyz.com/news-clips cache
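
Added example (not from the A10 documentation and not ACOS code): a Python evaluator for the policy uri rules in the Usage text above (containment matching, literal wildcards, most specific match, and the default policy), useful for checking which URIs a template would let into the RAM cache before it is bound to a virtual port. It assumes "most specific match" means the longest matching pattern, leaves invalidate policies out, and uses constructed request URIs.

```python
"""Added example: evaluate ACOS RAM caching 'policy uri' rules (not ACOS code)."""
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_AGE = 3600  # default of the template's 'age' command, in seconds


@dataclass
class Policy:
    pattern: str
    action: str              # "cache" or "nocache"
    seconds: Optional[int]   # per-policy override of the template age


@dataclass
class Template:
    policies: List[Policy] = field(default_factory=list)
    default_nocache: bool = False
    age: int = DEFAULT_AGE


def parse_template(lines):
    """Parse template-level commands; a leading ACOS prompt is stripped."""
    tmpl = Template()
    for raw in lines:
        if raw.startswith("ACOS("):
            raw = raw.split("#", 1)[1]
        cmd = raw.split()
        if cmd[:1] == ["default-policy-nocache"]:
            tmpl.default_nocache = True
        elif cmd[:1] == ["age"] and len(cmd) == 2:
            tmpl.age = int(cmd[1])
        elif cmd[:2] == ["policy", "uri"] and len(cmd) >= 4 and cmd[3] in ("cache", "nocache"):
            secs = int(cmd[4]) if cmd[3] == "cache" and len(cmd) > 4 else None
            tmpl.policies.append(Policy(cmd[2], cmd[3], secs))
    return tmpl


def decide(tmpl, uri):
    """Return (action, ttl_seconds, matched_pattern) for one request URI.

    "cache" means the policy permits caching; the object must still be
    cacheable by the other template rules (size limits, cookies, and so on).
    """
    # Containment matching: "?" and "*" are literal, so substring search is the whole test.
    hits = [p for p in tmpl.policies if p.pattern in uri]
    if hits:
        # Assumption: the most specific match is the longest matching pattern.
        best = max(hits, key=lambda p: len(p.pattern))
        if best.action == "nocache":
            return "nocache", 0, best.pattern
        ttl = best.seconds if best.seconds is not None else tmpl.age
        return "cache", ttl, best.pattern
    if tmpl.default_nocache:
        return "nocache", 0, None
    return "cache", tmpl.age, None


def cached_by_default(tmpl, uris):
    """URIs that no policy names but that the default policy still permits caching."""
    out = []
    for uri in uris:
        action, _, pattern = decide(tmpl, uri)
        if action == "cache" and pattern is None:
            out.append(uri)
    return out


# Policies from the page's second example; the URIs are constructed.
PAGE_POLICIES = [
    "ACOS(config-ram caching)#policy uri /list cache 300",
    "ACOS(config-ram caching)#policy uri /private nocache",
]
CONSTRUCTED_URIS = ["/list/items", "/private/report.pdf",
                    "/docs/private-notes.html", "/account/profile", "/img/logo.jpg"]

if __name__ == "__main__":
    template = parse_template(PAGE_POLICIES)
    for u in CONSTRUCTED_URIS:
        print(u, "->", decide(template, u))
    print("cached only by the default policy:", cached_by_default(template, CONSTRUCTED_URIS))
```

With the default cache policy, any URI that no nocache pattern contains is still eligible for caching; adding default-policy-nocache turns the template into an allow-list.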

slb template cipher


Description Configure a template of SSL cipher settings.

Syntax [no] slb template cipher template-name

Replace template-name with the name of the template, up to 31 characters long.

This command changes the CLI to the configuration level for the specified cipher template,
where the following command is available:

[no] cipher [priority num]

The cipher can be one of the names listed in the “Cipher Suite Name in ACOS”
column of Table 5 on page 521. You can remove (or re-add) one cipher in the template with
a single command. Enter separate commands for each cipher to remove or re-add.

The cipher priority value can be 1-100. The highest priority (most favored) is 100. More than
one cipher can have the same priority. In this case, the strongest (most secure) cipher is used.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)


NOTE: If your platform contains a Nitrox III card, all ciphers are supported; however, ECDHE
and DHE ciphers on the server side are processed by CPU, resulting in high CPU
usage.

If your platform contains a Nitrox PX card or SoftSSL, only RSA ciphers are supported.

Use the show hardware command to see your platform’s specifications. For more
information, refer to Technical Support Advisory: Recommend SSL Templates for
PFS (Perfect Forward Secrecy) Ciphers on the A10 Networks website.

TABLE 5 Supported Ciphers in ACOS

Common Cipher Suite Name (IANA/RFCs) Hex Value  Cipher Suite Name in ACOS


TLS_RSA_EXPORT_WITH_RC4_40_MD5 0x00,0x03 SSL3_RSA_RC4_40_MD5
TLS_RSA_WITH_RC4_128_MD5 0x00,0x04 SSL3_RSA_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA 0x00,0x05 SSL3_RSA_RC4_128_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 0x00,0x08 SSL3_RSA_DES_40_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA 0x00,0x09 SSL3_RSA_DES_64_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x00,0x0A SSL3_RSA_DES_192_CBC3_SHA
TLS_RSA_WITH_AES_128_CBC_SHA 0x00,0x2F TLS1_RSA_AES_128_SHA
TLS_RSA_WITH_AES_256_CBC_SHA 0x00,0x35 TLS1_RSA_AES_256_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x00,0x39 TLS1_DHE_RSA_AES_256_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 0x00,0x3C TLS1_RSA_AES_128_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 0x00,0x3D TLS1_RSA_AES_256_SHA256
TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 0x00,0x60 TLS1_RSA_EXPORT1024_RC4_56_MD5
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA 0x00,0x64 TLS1_RSA_EXPORT1024_RC4_56_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x00,0x67 TLS1_DHE_RSA_AES_128_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x00,0x6B TLS1_DHE_RSA_AES_256_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256 0x00,0x9C TLS1_RSA_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 0x00,0x9D TLS1_RSA_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CCM 0x00,0x9E TLS1_DHE_RSA_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CCM 0x00,0x9F TLS1_DHE_RSA_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC0,0x13 TLS1_ECDHE_RSA_AES_128_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC0,0x14 TLS1_ECDHE_RSA_AES_256_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC0,0x23 TLS1_ECDHE_ECDSA_AES_128_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC0,0x24 TLS1_ECDHE_ECDSA_AES_256_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC0,0x27 TLS1_ECDHE_RSA_AES_128_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC0,0x2B TLS1_ECDHE_ECDSA_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC0,0x2C TLS1_ECDHE_ECDSA_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC0,0x2F TLS1_ECDHE_RSA_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC0,0x30 TLS1_ECDHE_RSA_AES_256_GCM_SHA384

Default The default priority is 1, and all ciphers within a template are enabled by default.

Mode Configuration mode

Usage A cipher template contains a list of ciphers. A client who connects to a virtual port that uses
the cipher template can use only the ciphers that are listed in the template.

Optionally, you can assign a priority value to each cipher in the template. Although the priority is
optional, it is strongly recommended that you do not leave it blank. The ACOS device tries to use the
ciphers based on priority. If the client supports the cipher that has the highest priority, that
cipher is used. If the client does not support the highest-priority cipher, the ACOS device
attempts to use the cipher that has the second-highest priority, and so on.

Notes

• An SSL cipher template takes effect only when you apply it to a client-SSL template or
server-SSL template.
• When you apply (bind) a cipher template to a client-SSL or server-SSL template, the settings
in the cipher template override any cipher settings in that client-SSL or server-SSL
template.
• Priority values are supported only for client-SSL templates. If a cipher template is used
by a server-SSL template, the priority values in the cipher template are ignored.

Example The following commands configure a cipher template:

ACOS(config)#slb template cipher cipher_tmplt1
ACOS(config-cipher)#SSL3_RSA_DES_64_CBC_SHA priority 5
ACOS(config-cipher)#TLS1_RSA_AES_128_SHA priority 10
ACOS(config-cipher)#TLS1_RSA_AES_256_SHA
ACOS(config-cipher)#end

This template contains 3 ciphers. The ACOS device attempts to use TLS1_RSA_AES_128_SHA
first. If the client does not support this cipher, the ACOS device attempts to use
SSL3_RSA_DES_64_CBC_SHA. If the client does not support this cipher either, the ACOS
device tries to use TLS1_RSA_AES_256_SHA.
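
Added example (not from the A10 documentation and not ACOS code): a Python review of a cipher template that derives the preference tiers from the priority rules above and flags suites from Table 5 that use export-grade, RC4, DES, 3DES or MD5 primitives, as well as suites without forward secrecy. The weakness markers are this example's own classification keyed on the ACOS cipher names; ties within a priority are left unordered because the page does not define how "strongest" is ranked.

```python
"""Added example: review an ACOS cipher template (not ACOS code)."""
import re
from collections import defaultdict

DEFAULT_PRIORITY = 1  # from the Default field of 'slb template cipher'

# Example-defined weakness markers, matched against ACOS names from Table 5.
WEAK_MARKERS = [
    ("EXPORT", "export-grade suite"),
    ("_40_", "40-bit key"),
    ("RC4", "RC4 stream cipher"),
    ("DES_64", "single DES (56-bit key)"),
    ("DES_192_CBC3", "3DES (64-bit block)"),
    ("MD5", "MD5 MAC"),
]

LINE_RE = re.compile(
    r"^(?:ACOS\(config-cipher\)#)?\s*(no\s+)?((?:SSL3|TLS1)_\w+)"
    r"(?:\s+priority\s+(\d+))?\s*$"
)


def parse_cipher_template(lines):
    """Return {cipher_name: priority} for the cipher lines of one template."""
    ciphers = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # template header, 'end', and unrelated lines
        negated, name, prio = m.groups()
        if negated:
            ciphers.pop(name, None)  # 'no <cipher>' removes it from the template
            continue
        value = int(prio) if prio else DEFAULT_PRIORITY
        if not 1 <= value <= 100:
            raise ValueError(f"priority out of range 1-100: {line!r}")
        ciphers[name] = value
    return ciphers


def preference_tiers(ciphers):
    """Group ciphers by priority, highest (most favored) first."""
    tiers = defaultdict(list)
    for name, prio in ciphers.items():
        tiers[prio].append(name)
    return [(p, sorted(tiers[p])) for p in sorted(tiers, reverse=True)]


def weak_ciphers(ciphers):
    """Return {cipher_name: [reasons]} for suites that match a weakness marker."""
    out = {}
    for name in ciphers:
        reasons = [why for marker, why in WEAK_MARKERS if marker in name]
        if reasons:
            out[name] = reasons
    return out


def lacks_forward_secrecy(ciphers):
    """Suites with static RSA key exchange (no DHE or ECDHE in the name)."""
    return sorted(name for name in ciphers if "DHE" not in name)


def weak_outranking_strong(ciphers):
    """Pairs (weak, other): a flagged cipher preferred over an unflagged one."""
    weak = weak_ciphers(ciphers)
    return sorted(
        (w, s) for w in weak for s in ciphers
        if s not in weak and ciphers[w] > ciphers[s]
    )


# The cipher template example from the page.
PAGE_EXAMPLE = [
    "ACOS(config)#slb template cipher cipher_tmplt1",
    "ACOS(config-cipher)#SSL3_RSA_DES_64_CBC_SHA priority 5",
    "ACOS(config-cipher)#TLS1_RSA_AES_128_SHA priority 10",
    "ACOS(config-cipher)#TLS1_RSA_AES_256_SHA",
    "ACOS(config-cipher)#end",
]

if __name__ == "__main__":
    tmpl = parse_cipher_template(PAGE_EXAMPLE)
    print("preference tiers:", preference_tiers(tmpl))
    print("weak suites:", weak_ciphers(tmpl))
    print("weak suite preferred over:", weak_outranking_strong(tmpl))
    print("no forward secrecy:", lacks_forward_secrecy(tmpl))
```

Run against the page's template, the review shows the single-DES suite at priority 5 ranked above TLS1_RSA_AES_256_SHA, which was left at the default priority of 1.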

slb template client-ssl


Description Configure offload of SSL validation of clients from real servers.

Syntax [no] slb template client-ssl template-name

Replace template-name with the name of the template, up to 31 characters long.

This command changes the CLI to the configuration level for the specified client-SSL
template, where the following commands are available.


(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] auth-username {[common-name] [subject-alt-name-email] [subject-alt-name-othername]} Specifies the field to check in SSL certificates from clients in order to find the
client name.
• common-name – Configuring this option causes the ACOS device to extract
the client’s common name from the certificate.
• subject-alt-name-email – Configuring this option causes the ACOS
device to extract the Email address from the client’s certificate. For example,
if the client name is “user@example.com” then the entire string “user@example.com”
would be extracted with this option.
• subject-alt-name-othername – Configuring this option causes the
ACOS device to extract the UPN information from the certificate. For
example, if the client name is “user@example.com” then the string “user”
would be extracted with this option.
Multiple options can be specified, but you must specify at least one.
If multiple options are specified, the ACOS device will attempt to extract the
username from the options in the order they are specified. For example:
auth-username subject-alt-name-email subject-alt-name-othername
This command causes the ACOS device to first attempt to extract the username
from subject-alt-name-email, and only if not found, will it then
attempt to extract the username from subject-alt-name-othername.
The default is common-name.
[no] auth-username-attribute string Specify attribute name of username for client SSL.
[no] authorization {name | service-group name} [ldap-base-dn-from-cert] [ldap-search-filter name] Specify LDAP server for client SSL authentication.
• Specify either an LDAP authentication server name, or service group name.
• Use ldap-base-dn-from-cert to use the Subject DN as the LDAP search
base DN.
• Use ldap-search-filter to specify the name of a specific search filter.
[no] ca-cert cert-name Specifies the name of the Certificate Authority (CA) certificate to use for validat-
ing client certificates. The CA certificate must be installed on the ACOS device.
(You can use the import command.)
[no] cert cert-name Specifies the name of the certificate to use for terminating or initiating an SSL
connection. The certificate must be installed on the ACOS device.
[no] chain-cert chain-cert-name Specifies a certificate-key chain.
[no] cipher cipher Specifies the cipher suite to support for certificates from clients.
By default, all supported ciphers (listed in Table 5 on page 521) are enabled.
You can remove (or re-add) one cipher in the template with a single command.
Enter separate commands for each cipher to remove or re-add.

[no] client-certificate {ignore | request | require} Specifies the action that the ACOS device takes in response to a client’s connection
request:
• ignore – The ACOS device does not request the client to send its certificate.
• request – The ACOS device requests the client to send its certificate. With
this action, the SSL handshake proceeds even if either of the following
occurs:
• The client sends a NULL certificate (one with zero length).
• The certificate is invalid, causing client verification to fail.
Use this option if you want the request to trigger an aFleX policy for further
processing.
• require – The ACOS device requires the client certificate. This action
requests the client to send its certificate. However, the SSL handshake does
not proceed (it fails) if the client sends a NULL certificate or the certificate is
invalid.
The default action is ignore.
[no] close-notify Enables closure alerts for SSL sessions. When this option is enabled, the ACOS
device sends a close_notify message when an SSL transaction ends, before
sending a FIN. This behavior is required by certain types of client applications,
including PHP cgi. For this type of client, if the ACOS device does not send a
close_notify, an error or warning appears on the client.
[no] crl filename Specifies the Certificate Revocation List (CRL) to use for verifying that client
certificates have not been revoked. The CRL must be installed on the ACOS device
first. (You can use the import command.)
When you add a CRL to a client SSL template, the ACOS device checks the CRL
to ensure that the certificates presented by clients have not been revoked by
the issuing CA.
NOTE: If you plan to use a CRL, you must set the client-certificate
mode to require. The CRL should be signed by the same issuer as the CA
certificate. Otherwise, the client and ACOS device will not be able to establish a
connection.
[no] dh-param {1024 | 1024-dsa | 2048 | 512} Specify Diffie-Hellman parameters.
[no] disable-sslv3 Disables support for SSLv3 in client-SSL templates.
NOTE: If you disable SSLv3 support, when ACOS receives an SSL Hello message
from a client, ACOS responds by sending a TCP-FIN to the client to end the session.
SSLv3 support is enabled by default.
[no] ec-name {secp256r1 | secp384r1} Specify Elliptic Curve name.

[no] forward-proxy-bypass option Sets the match criteria to bypass SSL Insight for specific traffic,
based on the Server Name Indication (SNI) value. You can specify the following options to
enforce match rules for SSL Insight bypass:
• class-list list-name – Matches based on the specified class list.
• client-auth option – Bypasses interception of client SSL authentica-
tion traffic. The case-insensitive option disables case sensitivity for matches.
The class-list option specifies a class list to use for matching. The other
options specify string criteria for matches.
• equals sni-string – Matches only if the SNI value completely
matches the specified string.
• starts-with sni-string – Matches only if the SNI value starts with
the specified string.
• contains sni-string – Matches if the specified string appears anywhere
within the SNI value.
• ends-with sni-string – Matches only if the SNI value ends with the
specified string.
• case-insensitive – Disables case sensitivity for string matching.
• web-category category-name – Bypasses traffic to URLs that are
within the specified category. (This option requires additional configuration.
See the Application Access Management Guide.)
[no] forward-proxy-ca-cert certificate-name Name of the CA-signed certificate. Specify the same name
you specified when you uploaded the certificate to the ACOS device.
[no] forward-proxy-ca-key key-name Name of the private key for the CA-signed certificate. Specify the
same name you specified when you uploaded the key to the ACOS device.
[no] forward-proxy-enable Enable SSL Insight support.
[no] hsm-param {thales-embed | thales-hwcrhk} Specify HSM parameters.
[no] key key-name [passphrase string] Specifies the key for the certificate, and the passphrase used
to encrypt the key.
[no] ocsp-stapling ca-cert cert-name ocsp {auth-server-name | service-group group-name}
[period [days num | hours num | minutes num] [timeout minutes]
Configures OCSP stapling support.
You can specify a single authentication server (auth-server-name) or a
group of servers (service-group group-name).
• period [days num | hours num | minutes num] – Specifies how
often ACOS contacts the server or service group for updates. Default is 1 hour.
• timeout minutes – Specifies the timeout for server retries, 1-65535.
Default is 30 minutes.
[no] sampling-enable web-category Enable baselining of web traffic based on category.

[no] server-name domain-name cert certificate-name key private-key-name [partition shared] [pass-phrase string]
The domain-name is the domain that is requested by clients. The certificate-name
is the certificate to map to the domain. The private-key-name is the
key to map to the domain.
NOTE: In the current release, the partition shared option has no effect on
the configuration. The configuration always applies only to the shared partition.
The pass-phrase string specifies the passphrase used to encrypt the key, if
applicable.
[no] session-cache-size entries Maximum number of cached sessions for SSL session ID reuse, 0-131072.
The value 0 disables session ID reuse.
The default is 0; session ID reuse is disabled.
[no] session-cache-timeout seconds Sets the maximum number of seconds a cache entry can remain unused
before being removed from the cache, 1-7200 seconds. Cache entries age according to the
ticket age time. The age time is not reset when a cache entry is used.
The default is 7200 seconds.
[no] session-ticket-lifetime seconds Sets the lifetime for stateless SSL session ticketing. After a
client’s SSL ticket expires, the client must complete an SSL handshake in order to set up the next
secure session with ACOS. You can set the lifetime from 0 to 2147483647
seconds. Setting the lifetime to 0 disables the feature.
The default is 0; session ticket lifetime is disabled.
[no] ssl-false-start-disable SSL False Start support for Google Chrome browser.
NOTE: The following ciphers are not supported for SSL False Start in the current release:
• SSL3_RSA_DES_64_CBC_SHA
• SSL3_RSA_RC4_40_MD5
• TLS1_RSA_EXPORT1024_RC4_56_MD5
If no other ciphers but these are enabled in the client-SSL template, SSL False
Start handshakes will fail.
SSL False Start support is enabled by default.
[no] sslv2-bypass service-group group-name Redirects clients who request SSLv2 sessions to the
specified service group.
[no] template cipher template-name Name of a cipher template to bind to the client-SSL template.
In this case, the settings in the cipher template override any cipher settings in the
client-SSL template.

Default The configuration does not have a default client-side SSL template. If you create one, the
template has the defaults described in the table above.

Mode Configuration mode

Usage The normal form of this command creates a client-SSL configuration template. The no form
of this command removes the template.


For the forward-proxy-bypass option, match rules are always applied in the following
order:

• equals sni-string
• starts-with sni-string
• contains sni-string
• ends-with sni-string
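
Because the rule type, not the order in which rules were entered, decides which forward-proxy-bypass rule matches, a broad contains rule can exempt more hosts from SSL Insight inspection than intended. The following Python code is an added example for reviewing a rule set, not A10 code; the rules and hostnames are constructed, and two behaviours are assumptions: rules of the same type are tried in configuration order, and case-insensitive applies to every string rule.

```python
from dataclasses import dataclass

# Order stated in this reference for forward-proxy-bypass string rules.
MATCH_ORDER = ("equals", "starts-with", "contains", "ends-with")


@dataclass(frozen=True)
class BypassRule:
    kind: str   # one of MATCH_ORDER
    value: str  # the sni-string configured in the template


def _hit(kind, value, sni):
    """Apply one documented match type to an SNI value."""
    if kind == "equals":
        return sni == value
    if kind == "starts-with":
        return sni.startswith(value)
    if kind == "contains":
        return value in sni
    if kind == "ends-with":
        return sni.endswith(value)
    raise ValueError(f"unknown match type: {kind}")


def match_bypass(sni, rules, case_insensitive=False):
    """Return the rule that would bypass inspection for this SNI, or None."""
    if case_insensitive:
        sni = sni.lower()
    for kind in MATCH_ORDER:          # rule type sets the priority
        for rule in rules:            # assumption: config order within a type
            if rule.kind != kind:
                continue
            value = rule.value.lower() if case_insensitive else rule.value
            if _hit(kind, value, sni):
                return rule
    return None


def audit(rules, intended, observed, case_insensitive=False):
    """List observed SNI values that are bypassed but were not meant to be."""
    findings = []
    for sni in observed:
        rule = match_bypass(sni, rules, case_insensitive)
        if rule is not None and sni not in intended:
            findings.append((sni, rule.kind, rule.value))
    return findings


# Constructed sample rule set and SNI values (not taken from any real device).
RULES = [
    BypassRule("ends-with", ".bank.example"),
    BypassRule("contains", "bank"),
    BypassRule("equals", "www.bank.example"),
]
INTENDED = {"www.bank.example", "login.bank.example"}
OBSERVED = [
    "www.bank.example",
    "login.bank.example",
    "bank.unrelated.example",
    "files.BANK.example",
    "www.shop.example",
]

if __name__ == "__main__":
    for flag in (False, True):
        print("case-insensitive:", flag)
        for sni, kind, value in audit(RULES, INTENDED, OBSERVED, flag):
            print(f"  {sni} bypassed by '{kind} {value}'")
```

The contains rule shadows the narrower ends-with rule for every host it also matches, so the review should start with contains entries.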

A client-SSL template can contain up to 128 certificates or certificate chains. They must be
imported onto the ACOS device. To import a certificate or certificate chain, see “import” on
page 34 or “slb common” on page 488.

You can bind only one client-SSL template to a virtual port. However, you can bind the same
client-SSL template to multiple ports.

The close-notify option cannot be used along with the TCP-proxy template
force-delete-timeout option. Doing so may cause unexpected behavior.

Example The following commands configure a client-SSL template named “client-ssl1” that uses
imported CA certificates and requires clients to present their certificates when requesting
connections to servers:

ACOS(config)#slb template client-ssl client-ssl1


ACOS(config-client SSL template)#ca-cert ca-bundle.crt
ACOS(config-client SSL template)#client-certificate require

Example The following commands configure a client SSL template to use an imported CA certificate
and key, and an imported Certificate Revocation List (CRL) from the CA:

ACOS(config)#slb template client-ssl client-ssl1


ACOS(config-client ssl)#ca-cert ca-cert.pem
ACOS(config-client ssl)#crl ca-crl.pem
ACOS(config-client ssl)#client-certificate require
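
An added example (not from the A10 documentation): a Python linter for the commands of one client-SSL template, checking the behaviours stated in the table above. A crl needs client-certificate require, request lets the handshake proceed with an invalid certificate, ignore is the default, and SSLv3 stays enabled unless disable-sslv3 is present. The sample templates are constructed, the finding names are hypothetical, and treating dh-param 512 as a finding is this example's own judgement.

```python
# Finding names are hypothetical labels for this example, not ACOS output.
FINDINGS = {
    "crl-without-require": "crl is set but client-certificate is not 'require'",
    "request-allows-invalid-cert": "'request' lets the handshake proceed with a "
                                   "NULL or invalid certificate; confirm an aFleX "
                                   "policy handles the result",
    "client-cert-not-requested": "ca-cert is set but client-certificate is "
                                 "'ignore' (the default)",
    "sslv3-enabled": "disable-sslv3 is absent, so SSLv3 stays enabled (the default)",
    "dh-param-512": "512-bit Diffie-Hellman parameters (export-grade strength)",
}


def parse_template(text):
    """Return {command: [arguments]} for the commands entered inside a template."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ")#" in line:                  # strip a prompt such as "ACOS(config-client ssl)#"
            line = line.split(")#", 1)[1].strip()
        words = line.split()
        if not words or words[:2] == ["slb", "template"]:
            continue                      # blank line or the template header itself
        if words[0] == "no":              # "no <command>" removes the setting
            if len(words) > 1:
                settings.pop(words[1], None)
            continue
        settings[words[0]] = words[1:]
    return settings


def lint_client_ssl(text):
    """Return the names of the findings that apply to the template text."""
    s = parse_template(text)
    # The reference documents 'ignore' as the default client-certificate action.
    mode = (s.get("client-certificate") or ["ignore"])[0]
    found = []
    if "crl" in s and mode != "require":
        found.append("crl-without-require")
    if mode == "request":
        found.append("request-allows-invalid-cert")
    if "ca-cert" in s and mode == "ignore":
        found.append("client-cert-not-requested")
    if "disable-sslv3" not in s:
        found.append("sslv3-enabled")
    if s.get("dh-param") == ["512"]:
        found.append("dh-param-512")
    return found


# Constructed sample input, entered the way the examples on this page enter commands.
WEAK_TEMPLATE = """\
ACOS(config)#slb template client-ssl client-ssl1
ACOS(config-client ssl)#ca-cert ca-cert.pem
ACOS(config-client ssl)#crl ca-crl.pem
ACOS(config-client ssl)#client-certificate request
ACOS(config-client ssl)#dh-param 512
"""

HARDENED_TEMPLATE = """\
ACOS(config)#slb template client-ssl client-ssl1
ACOS(config-client ssl)#ca-cert ca-cert.pem
ACOS(config-client ssl)#crl ca-crl.pem
ACOS(config-client ssl)#client-certificate require
ACOS(config-client ssl)#disable-sslv3
ACOS(config-client ssl)#dh-param 2048
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(name)
        for finding in lint_client_ssl(text):
            print("  -", finding + ":", FINDINGS[finding])
```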

slb template connection-reuse


Description Configure re-use of established connections.

Syntax [no] slb template connection-reuse template-name

Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified connection-reuse
template, where the following commands are available.


(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] keep-alive-conn number Specifies the number of new reusable connections to open before beginning to
reuse existing connections. You can specify 1-1024 connections.
NOTE: This option is applicable only for SIP-over-TCP sessions. The option is not
applicable to other types of sessions, such as HTTP sessions.

By default, this option is not enabled in the template, but when activated, the
default value is 100.
[no] limit-per-server number Maximum number of reusable connections per server port. You can specify
0-65535. 0 means unlimited.
The default is 1000 connections.
[no] timeout seconds Maximum number of seconds a connection can remain idle before it times out.
You can specify 1-3600 seconds.
The default is 2400 seconds (40 minutes).

Default The “default” connection reuse template has the defaults described in the table above.

To display the default template settings, use the show slb template connection-reuse
default command.

Mode Configuration mode

Usage The normal form of this command creates a connection reuse template. The “no” form of this
command removes the template.

You can bind only one connection-reuse template to a virtual port. However, you can bind
the same connection-reuse template to multiple ports.

Due to the way the connection-reuse feature operates, backend sessions with servers will
not be reused in either of the following cases:

• The limit-per-server option is set to a very low value, lower than the number of
data CPUs on the ACOS device.
• The keep-alive-conn option is set to a lower value than the limit-per-server option.

Example The following commands configure a connection reuse template named “conn-reuse1” and
set the limit per server to 2000 re-used connections:

ACOS(config)#slb template connection-reuse conn-reuse1


ACOS(config-conn reuse)#limit-per-server 2000


slb template dblb


Description Create a template for database load-balancing (DBLB).

Syntax [no] slb template dblb template-name

Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified DBLB template,
where the following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] calc-sha1 password Displays the SHA1-hashed version of a clear text string.
[no] class-list list-name Applies a class list of username-password pairs for DBLB client
authentication to access the database server.
[no] server-version type Specifies the type of database system for the DBLB server that processes database
requests. For type you can specify one of the following:
• MSSQL2008 – MS-SQL server (version 2008 or 2008 R2)
• MSSQL2012 – MS-SQL server (version 2012)
• MySQL – Any version of MySQL

Default The configuration does not have a default DBLB template.

Mode Configuration mode

Introduced in Release 2.7.1

slb template diameter


Description Configure Diameter load balancing.

Syntax [no] slb template diameter template-name

Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified Diameter
template, where the following commands are available.


(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] avp avp-num {int32 | int64 | string} value [mandatory]
Specifies a custom AVP value to insert into Capabilities-Exchange-Request messages
sent by the ACOS device to Diameter servers.
For each custom AVP value to insert, you must specify the following information:
• avp-num – Diameter AVP number.
• int32 | int64 | string – Specifies the data format of the value to insert.
• value – Specifies the value to insert.
• mandatory – Sets the AVP mandatory flag on. By default, this flag is off (not set).
You can configure up to 6 custom AVP values for insertion. Enter the command
separately for each AVP value.
[no] customize-cea Replaces the AVPs in Capabilities-Exchange-Answer (CEA) messages with the
custom AVP values you configure before forwarding the messages.
[no] duplicate avp-num pattern service-group Duplicates Accounting-Request messages and sends them
to a separate service group. This option is useful for logging, accounting, and so on.
To configure message duplication, configure real servers and the service group, and
use the duplicate command to configure the following parameters:
• avp-num – Diameter AVP number.
• pattern – String pattern within the message.
• service-group – The duplication service group, which is the service group to
which to send the duplicate messages.
NOTE: To place the message duplication configuration into effect, you must
unbind the Diameter template from the Diameter virtual port, then rebind it.
A Diameter template in which message duplication is configured can be bound to
only a single virtual port.
[no] dwr-time ms Specifies the maximum time the ACOS device will wait for the reply
to a device-watch-dog message sent to a Diameter server before marking the
server Down. You can specify 0-2147483647 milliseconds (ms), in 100-ms increments.
The default is 10000 ms (10 seconds).
[no] idle-timeout minutes Specifies the number of minutes a Diameter session can remain idle
before the session is deleted. You can specify 1-65535 minutes.
The default is 5 minutes.

[no] message-code num Enables load balancing of Diameter message codes, in addition to those already
load balanced by default. You can enable load balancing of up to 10 additional
message codes:
• Accounting-Request (code 271)
• Accounting-Answer (code 271)
• Capabilities-Exchange-Request (code 257)
• Capabilities-Exchange-Answer (code 257)
• Device-Watchdog-Request (code 280)
• Device-Watchdog-Answer (code 280)
• Session-Termination-Request (code 275)
• Session-Termination-Answer (code 275)
• Abort-Session-Request (code 274)
• Abort-Session-Answer (code 274)
• Disconnect-Peer-Request/Disconnect-Peer-Answer (code 282)
The ACOS device drops all other Diameter message codes by default.
[no] multiple-origin-host Prepends the CPU ID onto the origin-host string to identify the CPU used for a given
Diameter peer connection.
The ACOS device establishes a separate peer connection with each Diameter server
on each CPU. The multiple-origin-host option does not enable or disable this
behavior. The option simply shows or hides the CPU ID in the origin-host string.
[no] origin-host host.realm Sets the value of Diameter AVP 264. This AVP can be a character string
and specifies the identity of the originating host for Diameter messages. Since the ACOS device
acts as a proxy for Diameter, this AVP refers to the ACOS device itself, not to the
actual clients. From the Diameter server’s standpoint, the ACOS device is the Diameter client.
Specify the origin-host in the following format: host.realm
The host is a string unique to the client (ACOS device). The realm is the Diameter
realm, specified by the origin-realm option (described below).
[no] origin-realm string Sets the value of Diameter AVP 296. This AVP can be a character string and specifies
the Diameter realm from which Diameter messages, including requests, are originated.
[no] product-name string Sets the value of Diameter AVP 269. This AVP can be a character string and specifies
the product; for example, “a10dra”.
[no] session-age minutes Specifies the absolute limit for Diameter sessions. Any Diameter session that is still in
effect when the session age is reached is removed from the ACOS session table. You
can specify 1-65535 minutes.
The default is 10 minutes.
[no] vendor-id num Sets the value of Diameter AVP 266. This AVP can be a numeric value and specifies
the vendor; for example, “156”. Make sure to use a non-zero value. Zero is reserved
by the Diameter protocol.


Default The configuration does not have a default Diameter template. If you configure one, the
template has the default values described in the table above.

Mode Configure

Usage The normal form of this command creates a Diameter template. The no form of this
command removes the template.

You can bind only one Diameter template to a virtual port. However, you can bind the same
Diameter template to multiple ports.

Example For configuration examples, see the “Diameter Load Balancing” chapter in the Application
Delivery and Server Load Balancing Guide.

slb template dns


Description Configure DNS caching.

Syntax [no] slb template dns template-name

Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified DNS template,
where the following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] class-list name name Applies a class list to the template.
[no] default-policy [cache | nocache] Specifies the default action to take when a query does not
match any class-list entries.
The default is nocache.
[no] disable-dns-template Disables the template. The template stops taking effect but remains in the
configuration.
By default, the template is enabled and takes effect when you bind it to a DNS
port.
[no] dns-log-enable period minutes Enables logging for DNS caching. The period option specifies how
often log messages are generated. You can specify 1-10000 minutes.

[no] dns64 options Enable DNS64. Specify one of the following available options:
• answer-only-disable - Disables translation of only the answer section.
• auth-data - Set AA flag in the DNS response.
• cache - Generate response by DNS cache.
• change-query - Always change incoming AAAA DNS Query to A.
• compress-disable - DNS compression is disabled.
• deep-check-rr-disable - Disable the checking of DNS response records.
• enable - Enable DNS64.
This option must be enabled before any other DNS64 options are enabled.
• ignore-rcode3-disable - Disables ignoring of DNS error responses with rcode 3.
• max-qr-length - Maximum question record (QR) length (1-1023); default is 128.
• parallel-query - Forward AAAA queries and generate an A query in parallel.
• passive-query-disable - Disable generation of a query upon an empty or
error response.
• retry - Retry count (0-15); default is 3.
• single-response-disable - Disable single response, which is used to avoid
ambiguity.
• timeout seconds - Timeout to send additional queries (0-15 seconds); default
is 1 second.
• trans-ptr - Translate DNS PTR records.
• ttl seconds - Specify maximum TTL in DNS responses, in seconds (1-1000000000).
[no] enable-cache-sharing Enables caching of TCP-based DNS queries along with UDP-based queries.
NOTE: If DNS authentication also is enabled, the initial request is not only
redirected to TCP, but is then cached so that a second request is not made to the
DNS server.
[no] malformed-query {drop | forward service-group-name} Specifies the action to take for
malformed DNS queries:
• drop – Drops malformed queries.
• forward – Sends the queries to the specified service group.
With either option, the malformed queries are not sent to the DNS virtual port.
[no] max-cache-entry-size num Specifies the maximum number of bytes each cache entry can have, 1-4096.
The default is 256.
[no] max-cache-size num Specifies the maximum number of entries that can be cached per VIP. The
maximum configurable amount depends on the amount of RAM installed on the
ACOS device.
[no] max-query-length num Specifies the maximum length for DNS queries, 1-4095.
By default, there is no limit on the length.

[no] query-id-switch Enables stateful query-ID-based load balancing.
NOTE: This feature is only supported on virtual port 53, and will not work on any
other port.
This is disabled by default.
[no] redirect-to-tcp-port Enables authentication for DNS requests received over UDP. When this feature is
enabled, ACOS drops the UDP DNS request from a client, and sends the client a
DNS Truncate message. To pass DNS authentication, the client must resend the
DNS request over TCP.
By default, this feature is disabled.

Default DNS template options have the default settings described in the table above.

Mode Configure

Usage The normal form of this command creates a DNS template. The no form of this command
removes the template.

You can bind only one DNS template to a virtual port. However, you can bind the same DNS
template to multiple ports.

For DNS caching, bind the template to virtual port type dns-udp. Virtual port type dns
applies only to DNS security.

DNS templates are not supported with stateless load-balancing methods.

slb template external-service


Description Configure an External Service template to steer traffic to external servers for additional
processing, based on application.

Syntax [no] slb template external-service template-name


Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified External Service
template, where the following commands are available.


(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] bypass-ip IPv4-address {/nn | netmask} If configuring for ICAP-based Traffic Steering, specifies
the controller IP address.
[no] failure-action {continue | drop | reset} Specifies the action performed by ACOS when any of the
following types of events occurs:
• ACOS fails to select an external-service server.
• Failure occurs during creation of a new connection to the external-service
server.
• The response from the external-service server does not contain HTTP status
code 200 or 403.
• Exhaustion of memory when creating a request to the external-service server.
The failure action can be one of the following:
• continue – Allows the client’s request to go to the content server.
• drop – Silently drops the connection and does not send a reset to the client.
• reset – Sends a connection reset to the client.
NOTE: If a TCP error occurs while ACOS is waiting for a response, ACOS resets the
connection. For example, this occurs in the case of a connection reset by a URL
filtering server.
The default is continue.
[no] service-group group-name Binds the service group that contains the external-service servers to
this template. Specify the service group that contains the external-service servers (for
example, ICAP-based Traffic Steering servers or URL-filtering servers). Do not specify
the service group containing the content servers (HTTP servers).
If configuring for ICAP-based Traffic Steering, specify the group of servers here,
but not the controller. Specify the controller using the bypass-ip command
(described above).
[no] template template-type template-name Applies a template to the external-service template.
Specify one or both of the following:
• persist source-ip template-name – Applies a source-IP persistence
template to the external-service template.
• tcp-proxy template-name – Applies a custom TCP-proxy template to use
for managing the TCP connections with the servers.

[no] timeout num action [continue | drop | reset] Sets the maximum number of seconds ACOS waits for a
response from the server. If the server does not reply before the timeout expires, ACOS takes
the configured action, which can be one of the following:
• continue – Allows the client’s request to go to the content server.
• drop – ACOS silently drops the connection and does not send a reset to the
client.
• reset – ACOS sends a connection reset to the client.
The default is 1000ms, continue.
[no] type [icap-traffic-steering | url-filter] Specifies the traffic type to redirect:
• icap-traffic-steering – Steers Internet Content Adaptation Protocol
(ICAP) to external controllers.
• url-filter – Steers HTTP requests from clients to external URL-filtering servers.
The default is url-filter.

Default The configuration does not have a default External Service template. If you configure one,
the template has the default values described in the table above.

Mode Configuration mode

Introduced in Release 2.7.1

slb template fix


Description Configure a template for Financial Information Exchange (FIX) load balancing.

Syntax [no] slb template fix template-name

Replace template-name with the name of the template, up to 31 characters long.

This command changes the CLI to the configuration level for the specified FIX template,
where the following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)


Command Description
[no] insert-client-ip Inserts an AVP with the original client IP address to the tag 11447. For example, if the
client IP address is 40.40.40.20, this option will modify the tag to “11447=40.40.40.20”
when the server receives this client’s PUSH data.
[no] tag-switching [sender-comp-id | target-comp-id] equals string service-group name
Inspects the FIX message header for a SenderCompID or TargetCompID tag value and
uses a specific service group if the tag matches the Equals keyword. The ACOS device
can inspect FIX messages and perform service group switching with one of the following options:
• sender-comp-id – Selects a service group for FIX requests based on the value of
the SenderCompID tag. This tag identifies the financial institution that is sending
the request.
• target-comp-id – Selects a service group for FIX requests based on the value of the
TargetCompID tag. This tag identifies the financial institution to which the request is
being sent.
If you select the Sender Comp ID or Target Comp ID radio button, the following
options are displayed:
• equals string – Specifies a keyword which ACOS matches against the TargetCompID
or SenderCompID tag of a FIX message header.
NOTE: The keyword is case sensitive and must match exactly with the SenderCompID
tag or TargetCompID tag. For example, “ABC” is different from “Abc”.
• service-group name – Selects the service-group to use for a client request when
the SenderCompID or TargetCompID tag in the FIX message header of the request
matches the specified keyword.

Default The configuration does not have a default FIX template.

Mode Configuration mode

Introduced in Release 2.7.1

slb template ftp


Description Configure a template for FTP load balancing.

Syntax [no] slb template ftp template-name

Replace template-name with the name of the template, up to 31 characters long.

This command changes the CLI to the configuration level for the specified FTP template,
where the following command is available:

[no] active-mode-port

If you plan to use a non-standard FTP port number, use this option to specify the port
number, 1-65535.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)


Default The configuration does not have a default FTP template.

Mode Configuration mode

Introduced in Release 2.7.0

slb template http


Description Configure HTTP modifications to server replies to clients and configure load balancing based
on HTTP information.

Syntax [no] slb template http template-name

Replace template-name with the name of the template, up to 31 characters long.

This command changes the CLI to the configuration level for the specified HTTP template,
where the following commands are available.


(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] compression option Offloads Web servers from CPU-intensive HTTP compression operations. Options
for this command are:
• auto-disable-on-high-cpu percent
Configures an automatic disable of HTTP compression based on CPU utilization.
The percent option specifies the threshold. You can specify 1-100.
• content-type content-string
Specifies the type of content to compress, based on a string in the content-type
header of the HTTP response. The content-string can be 1-31 characters long.
The “text” and “application” types are included by default.
• enable
Enables compression.
• exclude-content-type content-string
Excludes the specified content type from being compressed. The content-string
can be 1-31 characters long.
• exclude-uri uri-string
Excludes an individual URI from being compressed. The URI string can be 1-31
characters. An HTTP template can exclude up to 10 URI strings.
• keep-accept-encoding enable
Configures the ACOS device to leave the Accept-Encoding header in HTTP
requests from clients instead of removing the header.
When keep-accept-encoding is enabled, compression is performed by the real
server instead of the ACOS device, if the server is configured to perform the
compression. The ACOS device compresses the content that the real server does
not compress. This option is disabled by default, which means the ACOS device
performs all the compression.
This is disabled by default.
• level number
Specifies the compression level. You can use compression level 1-9. Each level
provides a higher compression ratio, beginning with level 1, which provides the
lowest compression ratio. A higher compression ratio results in a smaller file size
after compression. However, higher compression levels also require more CPU
processing than lower compression levels, so performance can be affected.
Compression is supported only for HTTP and HTTPS virtual ports. Compression is
not supported for fast-HTTP virtual ports.
The default level is 1.
• minimum-content-length bytes
Specifies the minimum length (in bytes) a server response can be in order to be
compressed. The length applies to the content (payload) only and does not
include the headers. You can specify 0-2147483647 bytes.
The default is 120 bytes.

[no] failover-url url-string
Specifies the fallback URL to send in an HTTP 302 response when all real servers are
down.

[no] host-switching {starts-with | contains | ends-with} host-string service-group service-group-name
Selects a service group based on the value in the Host field of the HTTP header. The
selection overrides the service group configured on the virtual port.
• For host-string, you can specify an IP address or a hostname. If the host-string
does not match, the service group configured on the virtual port is used.
• starts-with host-string – matches only if the hostname or IP address
starts with host-string.
• contains host-string – matches if the host-string appears anywhere
within the hostname or host IP address.
• ends-with host-string – matches only if the hostname or IP address ends
with host-string.

[no] insert-client-ip [http-header-name] [replace]
Inserts the client’s source IP address into HTTP headers. If you specify an HTTP
header name, the source address is inserted only into headers with that name.
The replace option replaces any client addresses that are already in the header.
Without this option, the client IP address is appended to the list of client IP
addresses already in the header. For example, if the header already contains
“X-Forwarded-For:1.1.1.1” and the current client’s IP address is 2.2.2.2, the replace
option changes the field:value pair to “X-Forwarded-For:2.2.2.2”. Without the
replace option, the field:value pair becomes “X-Forwarded-For:1.1.1.1, 2.2.2.2”.

[no] insert-client-port [http-header-name] [replace]
Inserts the source protocol port of the client’s request into the HTTP header. If no
header name is specified, the X-ClientPort header is used.
The replace option allows you to replace the content of an existing header that
matches the configured name with the client’s port number. If no header name is
specified, the X-ClientPort header is used. If the replace option is not specified,
and there is a header that matches the configured name, the client’s port number
is added to the end of the specified header.

[no] keep-client-alive
Keeps the session between ACOS and the client up even after the part of the
session between ACOS and the backend server is terminated.

[no] log-retry
Logs HTTP retries. An HTTP retry occurs when the ACOS device resends a client’s
HTTP request to a server because the server did not reply to the first request. (HTTP
retries are enabled using the retry-on-5xx or retry-on-5xx-per-req
command in the HTTP template.)

[no] non-http-bypass service-group group-name
Redirects non-HTTP traffic to a specific service group. By default, the ACOS device
will drop non-HTTP requests that are sent to an HTTP port.

[no] redirect [location location | secure | [secure] port portnum ] [response-code {301 | 302 | 303 | 307}]
Automatically sends a redirect response to HTTP client requests. You can optionally
specify the following:
• location location
A static location string to which the client will be redirected.
• port portnum
TCP port number to use for the redirect.
• response-code
The response code to apply. 302 Found is used by default. The following
response codes can be configured:
  • 301 (Moved Permanently)
  • 302 (Found)
  • 303 (See Other)
  • 307 (Temporary Redirect)
• secure
The client will be redirected using HTTPS.

[no] redirect-rewrite match url-string rewrite-to url-string
Modifies redirects sent by servers by rewriting the matching URL string to the
specified value before sending the redirects to clients.

[no] redirect-rewrite secure {port tcp-portnum}
Changes HTTP redirects sent by servers into HTTPS redirects before sending the
redirects to clients.
To redirect clients to the default HTTPS port (443), enter the following command:
redirect-rewrite secure
To redirect clients to an HTTPS port other than the default, enter the following
command instead: redirect-rewrite secure port port-num

[no] req-hdr-wait-time seconds
Sets a request header wait time to prevent Slowloris attacks. All portions of a client’s
request header must be received within the specified amount of time. Otherwise,
ACOS terminates the connection. You can specify 1-31 seconds. The default is 7.

[no] request-header-erase field
Erases the specified header (field) from HTTP requests.

[no] request-header-insert field:value [insert-always | insert-if-not-exist]
Inserts the specified header into HTTP requests. The field:value pair indicates the
header field name and the value to insert.
If you use the insert-always option, the command always inserts the
field:value pair. If the request already contains a header with the same field
name, the new field:value pair is added after the existing field:value pair.
Existing headers are not replaced.
If you use the insert-if-not-exist option, the command inserts the header
only if the request does not already contain a header with the same field name.
Without either option, if a request already contains one or more headers with the
specified field name, the command replaces the last header.

[no] request-line-case-insensitive
Parses HTTP request lines with no case sensitivity.

[no] response-content-replace original-content new-content
Replaces data in the HTTP response from the server. The original-content
specifies the content to look for in server responses. The new-content specifies
the content to use to replace the original content. For each value, you can specify a
string of 1-127 characters. If a string contains blank spaces, use double quotation
marks around the string.
NOTE: A maximum of 8 content-replacement rules are supported in a given HTTP
template.

[no] response-header-erase field
Erases the specified header (field) from HTTP responses.

[no] response-header-insert field:value [insert-always | insert-if-not-exist]
Inserts the specified header into HTTP responses. The field:value pair indicates
the header field name and the value to insert.
If you use the insert-always option, the command always inserts the
field:value pair. If the response already contains a header with the same field
name, the new field:value pair is added after the existing field:value pair.
Existing headers are not replaced.
If you use the insert-if-not-exist option, the command inserts the header
only if the response does not already contain a header with the same field name.
Without either option, if a response already contains one or more headers with the
specified field name, the command replaces the first header.

[no] retry-on-5xx num
Configures the ACOS device to retry sending a client’s request to a service port that
replies with an HTTP 5xx status code, and reassign the request to another server if
the first server replies with a 5xx status code. The retry number specifies the
number of times the ACOS device is allowed to reassign the request.
For example, assume that a service group has three members (s1, s2, and s3), and
the retry is set to 1. In this case, if s1 replies with a 5xx status code, the ACOS device
reassigns the request to s2. If s2 also responds with a 5xx status code, the ACOS
device will not reassign the request to s3, because the maximum number of retries
has already been used.
If you use this command, the ACOS device stops sending client requests to a
service port for 30 seconds following reassignment. If you want the service port to
remain eligible for client requests, use the following command instead. An HTTP
template can contain one or the other of these commands, but not both.
NOTE: The 5xx options are supported only for virtual port types HTTP and HTTPS.
They are not supported for fast-HTTP or any other virtual port type.

[no] retry-on-5xx-per-req num
This command provides the same function as the retry-on-5xx command
(described above). However, the retry-on-5xx-per-req command does not
briefly stop using a service port following reassignment. An HTTP template can
contain one or the other of these commands, but not both.

[no] strict-transaction-switch
Forces the ACOS device to perform the server selection process anew for every
HTTP request. Without this option, the ACOS device reselects the same server for
subsequent requests (assuming the same server group is used), unless overridden
by other template options.

[no] template logging template-name
Specifies a logging template to use for external logging of HTTP events over TCP.

[no] term-11client-hdr-conn-close
Enables the ACOS device to terminate HTTP 1.1 client connections when the
“Connection: close” header exists in the HTTP request. This option is applicable to
connection-reuse deployments that have HTTP 1.1 clients that are not compliant with
the HTTP 1.1 standard. Without this option, sessions for non-compliant HTTP 1.1
clients are not terminated.

[no] url-hash-persist [offset offset-bytes] {first | last} bytes [use-server-status]
Enables server stickiness based on hash values. If this feature is configured, for each
URL request, the ACOS device calculates a hash value based on part of the URL
string. The ACOS device then selects a real server based on the hash value. A given
hash value always results in selection of the same real server. Thus, requests for a
given URL always go to the same real server.
The offset option specifies how far into the string to begin hash calculation.
The first and last options specify which end of the URL string to use to
calculate the hash value.
The bytes option specifies how many bytes to use to calculate the hash value.
Optionally, you can use URL hashing with either URL switching or host switching.
Without URL switching or host switching configured, URL hash switching uses the
hash value to choose a server within the default service group (the one bound to
the virtual port). If URL switching or host switching is configured, for each HTTP
request, the ACOS device first selects a service group based on the URL or host
switching values, then calculates the hash value and uses it to choose a server
within the selected service group.
The use-server-status option enables server load awareness, which allows
servers to act as backups to other servers, based on server load.
NOTE: This feature requires some custom configuration on the server. For
information, see the “URL Hash Switching” section in the “HTTP Options for SLB” chapter of
the Application Delivery and Server Load Balancing Guide.

[no] url-switching {starts-with | ends-with | url-case-insensitive | url-hits-enable} url-string service-group service-group-name
Selects a service group based on the URL string requested by the client. The
selection overrides the service group configured on the virtual port.
• starts-with – matches only if the URL starts with url-string.
• contains – matches if the url-string appears anywhere within the URL.
• ends-with – matches only if the URL ends with url-string.
• url-case-insensitive – enable case-insensitive matching for URL switching
rules.
• url-hits-enable – enable URL hits.
Each URL matching pattern can be up to 64 bytes long.
NOTE: You can use URL switching or Host switching in an HTTP template, but not
both. However, if you need to use both types of switching, you can do so with an
aFleX script.

NOTE: For a list of media type strings, see the Internet Assigned Numbers Authority Web
site: http://www.iana.org/assignments/media-types

NOTE: The order in which content-type, exclude-content-type, and exclude-uri
filters appear in the configuration does not matter.

Default The configuration has a default HTTP template. In the template, most options are disabled or
not set.

Compression is disabled by default. When you enable it, it has the default settings described
in the table above.

To display the default HTTP template settings, use the show slb template http
default command.

Mode Configuration mode

Usage The normal form of this command creates an HTTP configuration template. The no form of
this command removes the template.

You can bind only one HTTP template to a virtual port. However, you can bind the same
HTTP template to multiple ports.

Header insertion is not supported on fast-HTTP virtual ports.

When the keep-client-alive option is enabled, the way ACOS keeps the session with
the client up depends on the way the server session is terminated:

• Normal TCP/IP connection termination by a TCP RST or FIN – ACOS does not forward
the RST or FIN to the client, and instead leaves the client session open. (Technically, the
session is left in the client-request-state, wherein ACOS awaits the client’s next request.)
• “Connection: Close” header option in the response – ACOS removes this header from
the server reply before forwarding the reply to the client.
• Client is using HTTP 1.0, and did not use the “Connection: Keep-Alive” header option –
ACOS inserts this header into the server reply before forwarding the reply to the client.

Starts-with, Contains, and Ends-with Rule Matching

The starts-with, contains, and ends-with options are always applied in the following
order, regardless of the order in which the commands appear in the configuration. The
service group for the first match is used.

• starts-with
• contains
• ends-with

If a template has more than one command with the same option (starts-with,
contains, or ends-with) and a host name or URL matches on more than one of them, the
most-specific match is always used. For example, if a template has the following commands,
host "ddeeff" will always be directed to service group http-sgf:

slb template http http-host
host-switching starts-with d service-group http-sgd
host-switching starts-with dd service-group http-sge
host-switching starts-with dde service-group http-sgf

If a contains rule and an ends-with rule match on exactly the same string, the ends-
with rule is used, because it has the more specific match.

If you use the starts-with option with URL switching, use a slash in front of the URL string.
For example:

url-switching starts-with /urlexample service-group http-sg1

Redirect-Rewrite Rule Matching

If a URL matches on more than one redirect-rewrite rule within the same HTTP template, the
ACOS device selects the rule that has the most specific match to the URL. For example, if a
server sends redirect URL 66.1.1.222/000.html, and the HTTP template has the
redirect-rewrite rules shown below, the ACOS device will use the last rule because it is the most
specific match to the URL:

slb template http 1
redirect-rewrite match /00 rewrite-to http://66.1.1.202/a
redirect-rewrite match /000.html rewrite-to /001.gif
redirect-rewrite match 66.1.1.222/000.html rewrite-to 66.1.1.202/003.bmp

Example The following commands configure an HTTP template called “http-compression” that
enables compression. The minimum length a packet must be for it to be compressed is set at
120 bytes.

ACOS(config)#slb template http http-compression
ACOS(config-http)#compression enable
ACOS(config-http)#compression minimum-content-length 120

Example The following commands configure an HTTP template called “http-header” that inserts the
client IP address and a Cookie field into HTTP headers in requests from clients before sending
the requests to servers:

ACOS(config)#slb template http http-header
ACOS(config-http)#insert-client-ip
ACOS(config-http)#request-header-insert Cookie:a = b

Example The following commands configure an HTTP template called “http-host” that selects a
service group based on the contents of the Host field in the HTTP headers of client requests.
Requests for hostnames that start with “Gossip” are directed to service group “http-sg1”.
Requests for hostnames that contain “NewsDeskA” are directed to service group “http-sg2”.
Requests for hostnames that end with “weather.com” are directed to service group
“http-sg3”.

ACOS(config)#slb template http http-host
ACOS(config-http)#host-switching starts-with Gossip service-group http-sg1
ACOS(config-http)#host-switching contains NewsDeskA service-group http-sg2
ACOS(config-http)#host-switching ends-with weather.com service-group http-sg3

Example The following commands configure an HTTP template to use URL hashing. Hash values will
be calculated based on the last 8 bytes of the URL. In this example, URL switching is also
configured in the template. As a result, the ACOS device uses URL switching to select a service
group first, then uses URL hashing to select a server within that service group. If the template
did not also contain URL switching commands, this template would always select a server
from service group sg3.

ACOS(config)#slb template http hash
ACOS(config-http)#url-hash-persist last 8
ACOS(config-http)#url-switching starts-with /news service-group sg1
ACOS(config-http)#url-switching starts-with /sports service-group sg2
ACOS(config-http)#exit
ACOS(config)#slb virtual-server vs1 1.1.1.1
ACOS(config-slb vserver)#port 80 http
ACOS(config-slb vserver-vport)#service-group sg3
ACOS(config-slb vserver-vport)#template http hash

Example The following commands configure an HTTP template called “http-compress”, that uses
compression level 5 to compress files with media type “application” or “image”. Files with
media type “application/zip” are explicitly excluded from compression.

ACOS(config)#slb template http http-compress
ACOS(config-http)#compression enable
ACOS(config-http)#compression level 5
ACOS(config-http)#compression content-type image
ACOS(config-http)#compression exclude-content-type application/zip

Example The following commands configure an HTTP template that replaces the client IP addresses in
the X-Forwarded-For field with the current client IP address:

ACOS(config)#slb template http clientip-replace
ACOS(config-http)#insert-client-ip X-Forwarded-For replace
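
What the two insert-client-ip modes mean for a server that reads X-Forwarded-For, as an added example (not ACOS code): without replace, every entry left of the last one is whatever the client sent, so only the entry ACOS appended can be trusted. The function names are illustrative, and the model assumes ACOS is the only proxy in front of the server and folds repeated header lines into one list.

```python
"""Model of insert-client-ip with and without replace, plus a safe reader.

Added example, not ACOS code. Function names are illustrative.
"""
import ipaddress
from typing import List, Tuple

Headers = List[Tuple[str, str]]


def insert_client_ip(headers: Headers, client_ip: str,
                     name: str = "X-Forwarded-For",
                     replace: bool = False) -> Headers:
    """Apply the documented behaviour to a list of (field, value) pairs."""
    same = [v.strip() for f, v in headers if f.lower() == name.lower()]
    rest = [(f, v) for f, v in headers if f.lower() != name.lower()]
    # Assumption of this model: repeated header lines are folded into one
    # list, and the header is added when the request does not carry it.
    if replace or not same:
        value = client_ip
    else:
        value = ", ".join(same + [client_ip])
    return rest + [(name, value)]


def address_added_by_acos(xff_value: str) -> str:
    """Return the right-most entry, the only one ACOS itself wrote."""
    last = xff_value.split(",")[-1].strip()
    return str(ipaddress.ip_address(last))  # raises ValueError on junk


def leftmost_entry(xff_value: str) -> str:
    """What a naive reader takes; client-controlled when replace is off."""
    return xff_value.split(",")[0].strip()


# Constructed request: the client at 2.2.2.2 already sent its own header,
# using the same addresses as the description of the replace option.
REQUEST: Headers = [("Host", "www.example.com"),
                    ("X-Forwarded-For", "1.1.1.1")]

if __name__ == "__main__":
    for mode in (False, True):
        result = dict(insert_client_ip(REQUEST, "2.2.2.2", replace=mode))
        xff = result["X-Forwarded-For"]
        print(f"replace={mode}: {xff!r} "
              f"naive={leftmost_entry(xff)} safe={address_added_by_acos(xff)}")
```

Server-side access controls and audit logs should key on the value returned by the safe reader, and the servers should accept connections only from the ACOS device.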

slb template http-policy


Description Configure an HTTP-policy template to override WAF template application for different types
of client traffic.

Syntax [no] slb template http-policy template-name

Replace template-name with the name of the template, up to 31 characters long.

This command changes the CLI to the configuration level for the specified HTTP-policy template,
where the following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] cookie match-option cookie-value template waf-template-name
Matches based on cookie values. For descriptions of the other options, see
below.

[no] cookie-name match-option cookie-name template waf-template-name
Matches based on cookie names. For descriptions of the other options, see
below.

[no] geo-location string {service-group group-name [template waf template-name] | template waf template-name [service-group group-name]}
Matches the traffic source based on its geo-location.

[no] host match-option host-name template waf-template-name
Matches based on host names. For descriptions of the other options, see below.

[no] url match-option url-string template waf-template-name
Matches based on URL strings. For descriptions of the other options, see below.

match-option
Type of matching to perform:
• equals – Matches only if the URL, hostname, or cookie name completely
matches the specified string.
• starts-with – Matches only if the URL, hostname, or cookie name starts
with the specified string.
• contains – Matches if the specified string appears anywhere within the
URL, hostname, or cookie name.
• ends-with – Matches only if the URL, hostname, or cookie name ends with
the specified string.

Introduced in Release 2.7.1

Usage These match options are always applied in the order shown above, regardless of the order in
which the rules appear in the configuration. The WAF template associated with the rule that
matches first is used.

If a template has more than one rule with the same match option (equals, starts-with,
contains, or ends-with) and a URL matches on more than one of them, the most-specific
match is always used.

For more information, see the Web Application Firewall Guide.
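
The selection order described here, and the starts-with, contains, ends-with order described for host-switching and url-switching in slb template http, can be modelled to predict which service group or WAF template a value lands on and to find rules that can never win. This is an added example, not ACOS code; it assumes "most-specific" means the longest matching string, and Rule, select and never_selected are illustrative names.

```python
"""Model of ACOS rule selection for host-switching, url-switching, http-policy.

Added example, not ACOS code. Assumption: "most-specific" means the longest
matching string among rules that use the same match option.
"""
from typing import List, NamedTuple, Optional, Sequence

HTTP_TEMPLATE_ORDER = ("starts-with", "contains", "ends-with")
HTTP_POLICY_ORDER = ("equals",) + HTTP_TEMPLATE_ORDER

MATCHERS = {
    "equals": lambda value, s: value == s,
    "starts-with": lambda value, s: value.startswith(s),
    "contains": lambda value, s: s in value,
    "ends-with": lambda value, s: value.endswith(s),
}


class Rule(NamedTuple):
    option: str   # one of the MATCHERS keys
    string: str   # host-string, url-string or cookie string
    target: str   # service group or WAF template name


def select(rules: Sequence[Rule], value: str,
           order: Sequence[str] = HTTP_TEMPLATE_ORDER) -> Optional[Rule]:
    """Return the winning rule, or None when no rule matches."""
    for option in order:
        hits = [r for r in rules
                if r.option == option and MATCHERS[option](value, r.string)]
        if not hits:
            continue
        best = max(hits, key=lambda r: len(r.string))
        if option == "contains":
            # Documented exception: when a contains rule and an ends-with
            # rule match on exactly the same string, ends-with is used.
            for r in rules:
                if (r.option == "ends-with" and r.string == best.string
                        and value.endswith(r.string)):
                    return r
        return best
    return None


def never_selected(rules: Sequence[Rule], samples: Sequence[str],
                   order: Sequence[str] = HTTP_TEMPLATE_ORDER) -> List[Rule]:
    """Rules that win for none of the sample values (shadowed or dead)."""
    winners = {select(rules, s, order) for s in samples}
    return [r for r in rules if r not in winners]


# Rules taken from the examples on this page; configuration order is
# deliberately shuffled because it does not affect the result.
DDEEFF_RULES = [
    Rule("starts-with", "d", "http-sgd"),
    Rule("starts-with", "dd", "http-sge"),
    Rule("starts-with", "dde", "http-sgf"),
]
HOST_RULES = [
    Rule("ends-with", "weather.com", "http-sg3"),
    Rule("contains", "NewsDeskA", "http-sg2"),
    Rule("starts-with", "Gossip", "http-sg1"),
]

if __name__ == "__main__":
    print(select(DDEEFF_RULES, "ddeeff").target)
    # Constructed host names: a starts-with hit wins before ends-with is tried.
    for host in ("Gossip.weather.com", "www.weather.com", "example.org"):
        print(host, "->", select(HOST_RULES, host))
```

Running never_selected over host names or URLs taken from access logs shows which rules a broader rule shadows, which matters most when the rule decides the WAF template applied to a request.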

slb template logging


Description Configure external logging over TCP.

Syntax [no] slb template logging template-name

Replace template-name with the name of the template, up to 31 characters long.

This command changes the CLI to the configuration level for the specified logging template,
where the following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] format string
Configures a log string. For syntax information, see the Application Delivery and
Server Load Balancing Guide.

[no] local-logging {0 | 1}
Enables or disables local logging:
• 0 – Disables local logging.
• 1 – Enables local logging.
The default is 0 (disabled).

[no] pcre-mask pattern [keep-end num | keep-start num | mask char]
Mask matched Perl Compatible Regular Expression (PCRE) pattern in the log.
• Use keep-end to specify the number of unmasked characters to keep at the
end (0-65535); the default is 0.
• Use keep-start to specify the number of unmasked characters to keep at
the start (0-65535); the default is 0.
• Use mask to specify a character to use as the mask for the matched pattern; the
default is “X”.

[no] service-group group-name
For remote logging, specifies the name of the service group that contains the log
servers.

[no] template tcp-proxy template-name
Binds a TCP-proxy template to the logging template.

Default The configuration does not have a default logging template. When you add one, it has the
following default values:

Mode Configuration mode

Introduced in Release 2.7.0

Usage Logging over TCP also requires some additional configuration. See the Application Delivery
and Server Load Balancing Guide.
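
The effect of the pcre-mask options on a log string, modelled as an added example (not ACOS code). It uses Python's re module rather than PCRE, assumes keep-start and keep-end can be combined and that a match no longer than the kept characters is left unmasked, and the log line is constructed.

```python
"""Model of pcre-mask with keep-start, keep-end and mask.

Added example, not ACOS code. Uses Python's re module in place of PCRE.
"""
import re
from typing import List

MAX_KEEP = 65535  # documented upper bound for keep-start and keep-end


def mask_match(text: str, keep_start: int = 0, keep_end: int = 0,
               mask: str = "X") -> str:
    """Mask one matched string, keeping the requested characters visible."""
    hidden = len(text) - keep_start - keep_end
    if hidden <= 0:
        return text  # assumption: nothing is left to mask
    return text[:keep_start] + mask * hidden + text[len(text) - keep_end:]


def pcre_mask(line: str, pattern: str, keep_start: int = 0,
              keep_end: int = 0, mask: str = "X") -> str:
    """Return the log line with every match of pattern masked."""
    if len(mask) != 1:
        raise ValueError("mask must be a single character")
    if not (0 <= keep_start <= MAX_KEEP and 0 <= keep_end <= MAX_KEEP):
        raise ValueError("keep values must be 0-65535")
    return re.sub(
        pattern,
        lambda m: mask_match(m.group(0), keep_start, keep_end, mask),
        line,
    )


def fully_visible(line: str, pattern: str, keep_start: int = 0,
                  keep_end: int = 0) -> List[str]:
    """Matches that the keep values leave completely unmasked."""
    return [m.group(0) for m in re.finditer(pattern, line)
            if len(m.group(0)) <= keep_start + keep_end]


# Constructed log line; the card number is a well-known test value.
LOG_LINE = "POST /pay card=4111111111111111 cvv=123 status=200"

if __name__ == "__main__":
    print(pcre_mask(LOG_LINE, r"\d{13,16}", keep_end=4))
    print(pcre_mask(LOG_LINE, r"\d{13,16}", keep_start=6, keep_end=4, mask="*"))
    # keep values that cover the whole match defeat the mask
    print(fully_visible(LOG_LINE, r"cvv=\d{3}", keep_start=4, keep_end=3))
```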

slb template monitor


Description Configure a link monitoring template.

Syntax [no] slb template monitor num

Replace num with the identification number of the template. This can be a number from
1 to 16.

This command changes the CLI to the configuration level for the specified monitor template,
where the following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] action options
Specifies the action to perform when a monitored event is detected.
• clear sessions {all | sequence portnum}
• link-disable eth portnum sequence portnum
• link-enable eth portnum sequence portnum

[no] monitor options
Specifies the events and links (Ethernet data ports) to monitor.
• link-down eth portnum [eth portnum ...] sequence portnum
• link-up eth portnum [eth portnum ...] sequence portnum

[no] monitor-and
Uses the logical operator “AND” for link monitoring. The actions are
performed only if all of the monitored events are detected. This is
selected by default.

[no] monitor-or
Uses the logical operator “OR”. The actions are performed if any of the
monitored events are detected.

Default The ports within a given monitor entry are always ANDed. If you specify more than one port
(eth portnum option) in the same monitor entry, the specified event must occur on all the
ports in the entry. For example, if you specify link-down eth 9 eth 11, the link must go down
on ports 9 and 11, for the link-state changes to count as a monitored event.

Mode Configuration mode

Introduced in Release 2.7.1

Usage The logical operator applies only to monitor entries, not to action entries. For example, if the
logical operator is OR, and at least one of the monitored events occurs, all the actions
configured in the template are applied.

You can configure the entries in any order. In the configuration, the entries of each type are
ordered based on sequence number.

Example The following commands configure monitor template 1:

ACOS(config)#slb template monitor 1
ACOS(config-monitor)#monitor-or
ACOS(config-monitor)#monitor link-down eth 5 sequence 1
ACOS(config-monitor)#monitor link-down eth 6 sequence 2
ACOS(config-monitor)#monitor link-down eth 9 sequence 3
ACOS(config-monitor)#monitor link-down eth 10 sequence 4
ACOS(config-monitor)#action clear sessions sequence 1
ACOS(config-monitor)#action link-disable eth 5 sequence 2
ACOS(config-monitor)#action link-disable eth 6 sequence 3
ACOS(config-monitor)#action link-disable eth 9 sequence 4
ACOS(config-monitor)#action link-disable eth 10 sequence 5

slb template persist cookie


Description Configure session persistence by inserting persistence cookies into server replies to clients.

Syntax [no] slb template persist cookie template-name

Replace template-name with the name of the template, up to 31 characters long.

This command changes the CLI to the configuration level for the specified persistence
template, where the following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] domain domain-name
Adds the specified domain name to the cookie.

[no] dont-honor-conn-rules
Ignores connection limit settings configured on real servers and real ports. This
option is useful for applications in which multiple sessions (connections) are likely
to be used for the same persistent cookie.
By default, this is disabled; the connection limit set on real servers and real ports is
used.

[no] expire expire-seconds
Specifies the number of seconds a cookie persists on a client’s PC before being
deleted by the client’s browser. You can specify from 0 to 31,536,000 seconds (one
year). (Do not enter the commas.) If you specify 0, cookies persist only for the
current session.
The default value is 10 years.
NOTE: Although the default is 10 years (essentially, unlimited), the maximum
configurable expiration is one year.

[no] httpOnly
Sets the HTTP-only flag in the persistence cookie.

[no] insert-always
Specifies whether to insert a new persistence cookie in every reply, even if the
request already had a persistence cookie previously inserted by the ACOS device.
This is disabled by default; the ACOS device inserts a persistence cookie only if the
client request does not already contain a persistence cookie inserted by the ACOS
device, or if the server referenced by the cookie is unavailable.

[no] match-type {server [service-group] | service-group} [scan-all-members]
Changes the granularity of cookie persistence.
• server – The cookie inserted into the HTTP header of the server reply to a
client ensures that subsequent requests from the client for the same VIP are sent
to the same real server. (This assumes that all virtual ports of the VIP use the
same cookie persistence template with match-type set to server.)
Without this option, the default behavior is used: subsequent requests from
the client will be sent to the same real port on the same real server.
• server service-group – Sets the granularity to the same as server, and
also enables cookie persistence to be used along with URL switching or host
switching. Without the service-group option, URL switching or host
switching can be used only for the initial request from the client. After the initial
request, subsequent requests are always sent to the same service group.
• service-group – This option enables support for URL switching and host
switching, along with the default cookie persistence behavior.
• scan-all-members – This option scans all members bound to the template.
This option is useful in configurations where match-type “server” is used, and
where some members have different priorities or are disabled. (For more
information about this option, see the “Scan-All-Members Option in Persistence
Templates” chapter in the Application Delivery and Server Load Balancing Guide.)
NOTE: To use URL switching or host switching, you also must configure an HTTP
template with the host-switching or url-switching command.
The default match type is port. (There is no port keyword. See “Usage” for more
information.)

[no] name cookie-name
Specifies the name of the persistence cookie, 1-63 characters.
The default name is “sto-id”.

[no] pass-thru
Enables pass-through mode for passive cookie persistence.
This is disabled by default.

[no] path path-name
Adds path information to the cookie, 1-31 characters.
The default path is “/”.

[no] secure
Enables the secure attribute.

Default The configuration does not have a default cookie-persistence template. If you create one, it
has the defaults described in the table above.

Mode Configuration mode

Usage The normal form of this command creates a cookie-persistence template. The no form of this
command removes the template.

You can bind only one cookie-persistence template to a virtual port. However, you can bind
the same cookie-persistence template to multiple ports.

When cookie persistence is configured, the ACOS device adds a persistence cookie to the
server reply before sending the reply to the client. The client’s browser re-inserts the cookie
into each request.

NOTE: For security, address information in the cookie is encrypted.

The format of the cookie depends on the match-type setting:

• match-type (port) – This is the default setting. Subsequent requests from the
client will be sent to the same real port on the same real server. URL switching or host
switching can be used only for the first request.

The cookie that the ACOS device inserts into the server reply has the following format:

Set-Cookie: cookiename-vport=rserverIP_rport

The vport is the virtual port number. The rserverIP is the real server IP address and the
rport is the real server port number.

NOTE: The port option is shown in parentheses because the CLI does not have a “port”
keyword. If you do not set the match type to server (see below), the match type is
automatically “port”.

• match-type server – Subsequent requests from the client for the same VIP will be
sent to the same real server, provided that all virtual ports of the VIP use the same
cookie persistence template with match-type set to server. URL switching or host
switching can be used only for the first request.

The cookie that the ACOS device inserts into the server reply has the following format:

Set-Cookie: cookiename=rserverIP

• match-type (port) service-group – Subsequent requests from the client will
be sent to the same real port on the same real server, within the service group selected
by URL switching or host switching. URL switching or host switching, if configured, is
still used for every request.

The cookie that the ACOS device inserts into the server reply has the following format:

Set-Cookie: cookiename-vport-servicegroupname=rserverIP_rport

• match-type server service-group – Subsequent requests from the client for
the same VIP will be sent to the same real server, within the service group selected by
URL switching or host switching. URL switching or host switching, if configured, is still
used for every request.

The cookie that the ACOS device inserts into the server reply has the following format:

Set-Cookie: cookiename-servicegroupname=rserverIP

Example The following commands configure a cookie persistence template named “persist-cookie”.
The template inserts a cookie named “MyCookie”, containing the real server’s IP address and
protocol port in encrypted form, into server responses before sending the responses to clients.
The template also sets the cookie to persist on client PCs for only 10 minutes (600 seconds).

ACOS(config)#slb template persist cookie persist-cookie
ACOS(config-cookie persist)#name MyCookie
ACOS(config-cookie persist)#expire 600
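
The four cookie layouts described under Usage can be told apart by cookie name, which helps when auditing responses for persistence cookies that lack the Secure attribute. The following Python sketch is an added example, not A10 code; the function names, the sample headers and the service-group set passed in are constructed, and the cookie value is left alone because the page states it is encrypted.

```python
# Added example (not A10 code): classify ACOS persistence cookies by the four
# name layouts in this section and flag any sent without the Secure attribute.

def _is_port(text):
    return text.isascii() and text.isdigit() and 1 <= int(text) <= 65535


def classify_persistence_cookie(set_cookie, cookie_name="sto-id", service_groups=()):
    """Return {"name", "secure", "candidates"} or None if not a persistence cookie.

    service_groups is the set of service-group names configured on the device;
    the caller must supply it, because "name-5060-tcp" is otherwise ambiguous
    (group "5060-tcp", or virtual port 5060 with group "tcp").
    """
    header = set_cookie.strip()
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, sep, _value = parts[0].partition("=")
    name = name.strip()
    if not sep:
        return None
    secure = any(p.lower() == "secure" for p in parts[1:])
    groups = set(service_groups)
    candidates = []

    def add(match_type, vport=None, group=None):
        candidates.append({"match_type": match_type, "vport": vport, "service_group": group})

    if name == cookie_name:                      # cookiename=rserverIP
        add("server")
    elif name.startswith(cookie_name + "-"):
        suffix = name[len(cookie_name) + 1:]
        if _is_port(suffix):                     # cookiename-vport
            add("port", vport=int(suffix))
        if suffix in groups:                     # cookiename-servicegroupname
            add("server service-group", group=suffix)
        vport, dash, group = suffix.partition("-")
        if dash and _is_port(vport) and group in groups:
            add("port service-group", vport=int(vport), group=group)  # cookiename-vport-servicegroupname
    if not candidates:
        return None
    return {"name": name, "secure": secure, "candidates": candidates}


def missing_secure(headers, cookie_name="sto-id", service_groups=()):
    """Names of persistence cookies that were set without the Secure attribute."""
    findings = []
    for header in headers:
        info = classify_persistence_cookie(header, cookie_name, service_groups)
        if info and not info["secure"]:
            findings.append(info["name"])
    return findings


# Constructed sample headers; the values are placeholders, not real ACOS output.
SAMPLE_HEADERS = [
    "Set-Cookie: MyCookie-443=3f9a6c1e; path=/; Secure",
    "Set-Cookie: MyCookie=77b0e2d4; path=/",
    "Set-Cookie: MyCookie-5060-tcp=a1c4; path=/; secure",
    "Set-Cookie: JSESSIONID=abc; HttpOnly",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", classify_persistence_cookie(h, "MyCookie", {"5060-tcp", "tcp"}))
    print("missing Secure:", missing_secure(SAMPLE_HEADERS, "MyCookie", {"5060-tcp", "tcp"}))
```

A result with more than one candidate means the name alone cannot settle the match type; compare against the template's configured match-type.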

slb template persist destination-ip


Description Configure the granularity of load balancing persistence (selection of the same server
resources) for clients, based on destination IP address.

Syntax [no] slb template persist destination-ip template-name


Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified persistence
template, where the following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] dont-honor-conn-rules Ignores connection limit settings configured on real servers and real ports. This
option is useful for applications in which multiple sessions (connections) are likely to
be used for the same persistent destination IP address.
This is disabled by default; the connection limit set on real servers and real ports is
used.
[no] hash-persist Enables hash-based persistence. Hash-based persistence provides the persistence
and performance benefits of hash-based load balancing, while allowing use of
advanced SLB features that require stateful load balancing.
(For more information, see “Hash-based IP Persistence” in the Application Delivery and
Server Load Balancing Guide.)
This is disabled by default.

[no] match-type {server | service-group} [scan-all-members] Specifies the granularity of persistence:
• server – Traffic to a given destination IP address is always sent to the same real
server, for any service port.
By default (without the server option), traffic to the same destination IP address
and virtual port is always sent to the same real port. This is the most granular setting.
• service-group – This option is applicable if you also plan to use URL switching
or host switching. If you use the service-group option, URL or host switching
is used for every request to select a service group. The first time URL or host
switching selects a given service group, the load-balancing method is used to
select a real port within the service group. The next time URL or host switching
selects the same service group, the same real port is used. Thus, service group
selection is performed for every request, but once a service group is selected for a
request, the request goes to the same real port that was selected the first time that
service group was selected.
• scan-all-members – This option scans all members bound to the template.
This option is useful in configurations where match-type “server” is used, and
where some members have different priorities or are disabled. (For more information
about this option, see the “Scan-All-Members Option in Persistence Templates”
chapter in the Application Delivery and Server Load Balancing Guide.)
To use URL switching or host switching, you also must configure an HTTP template
with the host-switching or url-switching command.
For SLB, by default, traffic to a given destination IP address and port is always sent to
the same real port. This is the most granular setting. (There is no port keyword.)
[no] netmask ipaddr Specifies the granularity of IPv4 address hashing for initial server port selection.
You can specify an IPv4 network mask in dotted decimal notation.
• To configure initial server port selection to occur once per destination VIP subnet,
configure the network mask to indicate the subnet length. For example, to select a
server port once for all requested VIPs within a subnet such as 10.10.10.x,
192.168.1.x, and so on (“class C” subnets), use mask 255.255.255.0. SLB selects a
server port for the first request to the given VIP subnet, then sends all other requests
for the same VIP subnet to the same port.
• To configure initial server port selection to occur independently for each requested
VIP, use mask 255.255.255.255. (This is the default.)
[no] netmask6 mask-length Specifies the granularity of IPv6 address hashing for initial server port selection. (See
above for more information.)
The default is 128.
[no] timeout timeout-minutes Specifies how many minutes the mapping remains persistent after the last time it is
used. You can specify 1-2000 minutes.
The default is 5 minutes.


Default The configuration does not have a default destination-IP persistence template. If you
configure one, it has the defaults specified in the table above.

Mode Configuration mode

Usage The normal form of this command creates a destination-IP persistence template. The “no”
form of this command removes the template.

You can bind only one destination-IP persistence template to a virtual port. However, you
can bind the same destination-IP persistence template to multiple ports.

Use of the service-group match-type option scan-all-members is not useful in
conjunction with destination-IP persistence templates, and is not supported.

Example The following command creates a destination-IP persistence template named “persist-dest”:

ACOS(config)#slb template persist destination-ip persist-dest

slb template persist source-ip


Description Configure the granularity of load balancing persistence (selection of the same server
resources) for clients, based on source IP address.

Syntax [no] slb template persist source-ip template-name

Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified persistence
template, where the following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] dont-honor-conn-rules Ignores connection limit settings configured on real servers and real ports. This
option is useful for applications in which multiple sessions (connections) are likely
to be used for the same persistent client source IP address.
This is disabled by default; the connection limit set on real servers and real ports is
used.
[no] enforce-higher-priority Enables Source-IP Persistence Override and Reselect. When this feature is enabled,
the ACOS device continually checks for the presence of higher-priority servers,
even if source-IP persistence is enabled and sessions are already established
between client and server.
[no] hash-persist Enables hash-based persistence. Hash-based persistence provides the persistence
and performance benefits of hash-based load balancing, while allowing use of
advanced SLB features that require stateful load balancing.
This is disabled by default.
[no] incl-dst-ip Used to support the ALG protocol firewall load balancing feature for protocols such
as FTP. This option helps ensure that special persistent sessions will be matched on
both the source IP and destination IP addresses.

[no] incl-sport Includes the source port in persistent sessions.
This is disabled by default.
[no] match-type {server [scan-all-members] | service-group} Specifies the granularity of persistence:
• server – Traffic from a given client to the same VIP is always sent to the same
real server, for any service port requested by the client.
By default (without the server option), traffic from a given client to the same
virtual port is always sent to the same real port. This is the most granular setting.
• The scan-all-members option scans all members bound to the template. This
option is useful in configurations where match-type “server” is used, and where
some members have different priorities or are disabled.
• service-group – This option is applicable if you also plan to use URL switching
or host switching. If you use the service-group option, URL or host
switching is used for every request to select a service group. The first time URL or
host switching selects a given service group, the load-balancing method is used
to select a real port within the service group. The next time URL or host switching
selects the same service group, the same real port is used. Thus, service
group selection is performed for every request, but once a service group is
selected for a request, the request goes to the same real port that was selected
the first time that service group was selected.
NOTE: To use URL switching or host switching, you also must configure an HTTP
template with the host-switching or url-switching command.
NOTE: The match type for FWLB is always server, which sets the granularity of
source-IP persistence to individual firewalls, not firewall groups or individual service
ports.
For SLB, by default, traffic from a given client to the same virtual port is always sent
to the same real port. This is the most granular setting. (There is no port keyword.)
For FWLB, the default is server and none of the other match-type options are
applicable.
[no] netmask ipaddr Specifies the granularity of IP address hashing for server port selection.
• To configure server port selection to occur on a per subnet basis, configure the
network mask to indicate the subnet length. For example, to send all clients
within a subnet such as 10.10.10.x, 192.168.1.x, and so on (“class C” subnets) to
the same server port, use mask 255.255.255.0. SLB selects a server port for the
first client in a given subnet, then sends all other clients in the same subnet to the
same port.
• To configure server port selection to occur on a per client basis, use mask
255.255.255.255. SLB selects a server port for the first request from a given client,
then sends all other requests from the same client to the same port. (This is the
default.)
The default is 255.255.255.255.

[no] netmask6 mask-length Specifies the granularity of IPv6 address hashing for initial server port selection.
(See above for more information.)
The default is 128.
[no] timeout minutes Specifies how many minutes the mapping remains persistent after the last time
traffic from the client is sent to the server. You can specify 1-2000 minutes (about 33
hours).
NOTE: The timeout for a source-IP persistent session will not be reset if the timeout
in the source-IP persistence template is set to 1 minute. If the timeout is set to 1
minute, sessions will always age out after 1 minute, even if they are active.
The default timeout is 5 minutes.

Default The configuration does not have a default source-IP persistence template. If you configure
one, it has the defaults described in the table above.

Mode Configuration mode

Usage The normal form of this command creates a source-IP persistence template. The “no” form of
this command removes the template.

You can bind only one source-IP persistence template to a virtual port. However, you can
bind the same source-IP persistence template to multiple ports.

The timeout for a source-IP persistent session will not be reset if the timeout in the source-IP
persistence template is set to 1 minute. If the timeout is set to 1 minute, sessions will always
age out after 1 minute, even if they are active.

If you use the incl-sport option, the IP address in the Forward Source column of show
session output is modified to include the source port. For example, “155.1.1.151:33067” is
shown as “1.151.129.43”.
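
In the value shown above, the display keeps the last two octets of the client address and appends the source port as two more octets (33067 = 129 × 256 + 43). The following Python helper is an added example, not A10 code, and assumes this layout holds beyond the single example on the page; the function names and the list of known clients are constructed.

```python
# Added example (not A10 code). Assumption inferred from the page's one example:
# with incl-sport, Forward Source = <last two octets of client IP>.<port hi>.<port lo>
import ipaddress


def forward_source_with_sport(client_ip, source_port):
    """Render ip:port the way the page's example shows it in show session output."""
    if not 0 <= source_port <= 0xFFFF:
        raise ValueError("source port out of range")
    low16 = int(ipaddress.IPv4Address(client_ip)) & 0xFFFF
    return str(ipaddress.IPv4Address((low16 << 16) | source_port))


def decode_forward_source(displayed):
    """Recover what the display still carries: the IP's last two octets and the port."""
    value = int(ipaddress.IPv4Address(displayed))
    low16, port = value >> 16, value & 0xFFFF
    return f"{low16 >> 8}.{low16 & 0xFF}", port


def candidate_clients(displayed, known_clients):
    """Filter known client addresses down to those consistent with a displayed entry.

    The first two octets are lost in the display, so several clients can match.
    """
    suffix, _port = decode_forward_source(displayed)
    return [ip for ip in known_clients
            if str(ipaddress.IPv4Address(ip)).split(".", 2)[2] == suffix]


if __name__ == "__main__":
    print(forward_source_with_sport("155.1.1.151", 33067))
    print(decode_forward_source("1.151.129.43"))
    # Constructed client list for illustration.
    print(candidate_clients("1.151.129.43", ["155.1.1.151", "10.0.1.151", "155.1.2.151"]))
```

When correlating session-table output with other logs, treat a decoded entry as a partial address that needs a second source to confirm the client.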

Using the Same VIP and Port Number for TCP and UDP Ports

If you apply the source-IP persistence template to two virtual ports that have the same VIP
and protocol port number but different Layer 4 protocols (TCP or UDP), the member lists for
the ports must be identical in both the TCP and UDP service groups.

For example, the following configuration will work because service groups 5060-tcp and
5060-udp have the same member list although their protocols are different.

slb virtual-server vip2 13.0.0.100
   port 5060 sip-tcp
      service-group 5060-tcp
      template persist source-ip per-sip
   port 5060 sip
      service-group 5060-udp
      template persist source-ip per-sip
!
slb service-group 5060-tcp tcp
   member s1 5060
   member s2 5060
!
slb service-group 5060-udp udp
   member s1 5060
   member s2 5060
The configuration will not work if the member lists in the service groups are different. For
example, the configuration will not work if the TCP group's member list is changed to either
of the following:

slb service-group 5060-tcp tcp
   member s1 5060
   member s2 5060-placeholder

or

slb service-group 5060-tcp tcp
   member s1 5061
   member s2 5061
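
The member-list rule above can be checked offline against a saved configuration. The following Python linter is an added example, not an A10 tool; it parses only the statements shown in this section, and the function names and the embedded sample configurations (built from the page's snippets) are constructed for illustration.

```python
# Added example (not A10 code): find virtual ports that share a VIP, port number
# and source-IP persistence template but whose service groups list different members.
from collections import defaultdict


def parse_acos_slb(config_text):
    """Parse the statements used in this section; returns (vports, groups)."""
    vports, groups = [], {}
    vip = vport = group = None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "!":                       # "!" closes the current block
            vip = vport = group = None
        elif words[:2] == ["slb", "virtual-server"] and len(words) >= 3:
            vip, vport, group = words[2], None, None
        elif words[:2] == ["slb", "service-group"] and len(words) >= 4:
            group = groups.setdefault(words[2], {"proto": words[3], "members": set()})
            vip = vport = None
        elif vip and words[0] == "port" and len(words) >= 3:
            vport = {"vip": vip, "port": int(words[1]), "type": words[2],
                     "service_group": None, "persist_source_ip": None}
            vports.append(vport)
        elif vport and words[0] == "service-group" and len(words) >= 2:
            vport["service_group"] = words[1]
        elif vport and words[:3] == ["template", "persist", "source-ip"] and len(words) >= 4:
            vport["persist_source_ip"] = words[3]
        elif group is not None and words[0] == "member" and len(words) >= 3:
            group["members"].add((words[1], int(words[2])))
    return vports, groups


def check_shared_persistence(config_text):
    """Return one finding per pair of service groups whose member lists differ."""
    vports, groups = parse_acos_slb(config_text)
    by_key = defaultdict(list)
    for vp in vports:
        if vp["persist_source_ip"] and vp["service_group"]:
            by_key[(vp["vip"], vp["port"], vp["persist_source_ip"])].append(vp)
    findings = []
    for (vip, port, template), shared in sorted(by_key.items()):
        first = shared[0]
        ref = groups.get(first["service_group"], {"members": set()})["members"]
        for other in shared[1:]:
            members = groups.get(other["service_group"], {"members": set()})["members"]
            if members != ref:
                findings.append({
                    "vip": vip, "port": port, "template": template,
                    "groups": (first["service_group"], other["service_group"]),
                    "only_in_first": sorted(ref - members),
                    "only_in_second": sorted(members - ref),
                })
    return findings


# Sample configurations assembled from the snippets in this section.
_VSERVER = """slb virtual-server vip2 13.0.0.100
   port 5060 sip-tcp
      service-group 5060-tcp
      template persist source-ip per-sip
   port 5060 sip
      service-group 5060-udp
      template persist source-ip per-sip
!
"""
_UDP_GROUP = "slb service-group 5060-udp udp\n   member s1 5060\n   member s2 5060\n"


def _tcp_group(members):
    lines = "".join(f"   member {name} {port}\n" for name, port in members)
    return "slb service-group 5060-tcp tcp\n" + lines + "!\n"


GOOD_CONFIG = _VSERVER + _tcp_group([("s1", 5060), ("s2", 5060)]) + _UDP_GROUP
BAD_NAMES_CONFIG = _VSERVER + _tcp_group([("s3", 5060), ("s4", 5060)]) + _UDP_GROUP
BAD_PORTS_CONFIG = _VSERVER + _tcp_group([("s1", 5061), ("s2", 5061)]) + _UDP_GROUP

if __name__ == "__main__":
    for label, cfg in [("good", GOOD_CONFIG), ("names", BAD_NAMES_CONFIG), ("ports", BAD_PORTS_CONFIG)]:
        print(label, check_shared_persistence(cfg))
```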

Example The following commands configure a source-IP persistence template named “persist-source”
and set the granularity to service-group:

ACOS(config)#slb template persist source-ip persist-source
ACOS(config-source ip persist)#match-type service-group

slb template persist ssl-sid


Description Direct clients based on SSL session ID.

SSL session-ID persistence directs all client requests for a given virtual port, and that have a
given SSL session ID, to the same real server and real port. For example, with SSL session-ID
persistence configured, all client requests for virtual port 443 on virtual server 1.2.3.4 that
have the same SSL session ID will be directed to the same real server and port.

The persistence is based on the SSL session ID, not on the client IP address.

Syntax [no] slb template persist ssl-sid template-name

Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified persistence
template, where the following commands are available.


(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] dont-honor-conn-rules Ignores connection limit settings configured on real servers and real ports. This option
is useful for applications in which multiple sessions (connections) are likely to be used
for the same persistent SSL session ID.
This is disabled by default; the connection limit set on real servers and real ports is
used.
[no] timeout minutes Specifies how many minutes the mapping remains persistent after the last time traffic
with the SSL session ID is sent to the server. You can specify 1-250 minutes.
The default is 5 minutes.

Default The configuration does not have a default SSL session-ID persistence template. If you
configure one, it has the defaults described in the table above.

Mode Configuration mode

Usage The normal form of this command creates an SSL session-ID persistence template. The “no”
form of this command removes the template.

You can bind only one SSL session-ID persistence template to a virtual port. However, you
can bind the same SSL session-ID persistence template to multiple ports.

To display statistics for SSL session-ID persistence, use the following command: show slb l4

Example The following commands configure an SSL session-ID persistence template named
“ssl-persist1” and apply it to virtual port 443 on virtual server “vip1”:

ACOS(config)#slb template persist ssl-sid ssl-persist1
ACOS(config-ssl session id persist)#exit
ACOS(config)#slb virtual-server vip1 1.2.3.4
ACOS(config-slb vserver)#port 443 tcp
ACOS(config-slb vserver-vport)#service-group https-sg1
ACOS(config-slb vserver-vport)#template ssl-sid ssl-persist1

slb template policy


Description Configure a template of Policy-Based SLB (PBSLB) settings.

Syntax [no] slb template policy template-name

Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified PBSLB template,
where the following commands are available.


(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] bw-list id id service {service-group-name | drop | reset} [logging [minutes] [fail]] Specifies the action to take for clients in the black/white list:
• id – Group ID in the black/white list.
• service-group-name – Sends clients to the SLB service group associated
with this group ID on the ACOS device.
• drop – Drops connections for IP addresses that are in the specified group.
• reset – Resets connections for IP addresses that are in the specified group.
• logging [minutes] [fail] – Enables logging. The minutes option specifies
how often messages can be generated. This option reduces overhead
caused by frequent recurring messages.
For example, if the logging interval is set to 5 minutes, and the PBSLB rule is
used 100 times within a five-minute period, the ACOS device generates only a
single message. The message indicates the number of times the rule was
applied since the last message. You can specify a logging interval from 0 to 60
minutes. To send a separate message for each event, set the interval to 0.
PBSLB rules that use the service service-group-name option also have a
fail option for logging. The fail option configures the ACOS device to generate
log messages only when there is a failed attempt to reach a service group.
Messages are not generated for successful connections to the service group.
The fail option is disabled by default. The option is available only for PBSLB
rules that use the service service-group-name option, not for rules with
the drop or reset option, since any time a drop or reset rule affects traffic, this
indicates a failure condition.
Logging is disabled by default. If you enable it, the default is 3 minutes.
[no] bw-list name file-name Binds a black/white list to the virtual ports that use this template.
[no] bw-list over-limit {lockup min | logging min | reset} Specifies the action to take for traffic that is over the limit. The default is drop.
• lockup min – Continues to apply the over-limit action to all new connection
attempts from the client, for the specified number of minutes (1-127).
• logging min – Generates a log message when traffic goes over the limit.
The min option specifies the log interval and can be 1-255 minutes.
• reset – Resets new connections until the number of concurrent connections
on the virtual port falls below the connection limit.
[no] bw-list timeout minutes Specifies the number of minutes dynamic black/white-list client entries can
remain idle before aging out. You can specify 1-127 minutes.
The default is 5 minutes.
[no] bw-list use-destination-ip Matches black/white list entries based on the client’s destination IP address,
instead of matching by client source address. By default, matching is based on the
client’s source IP address. Generally, this option is applicable when wildcard VIPs
are used.
This is disabled by default; the ACOS device matches by client source IP address.

[no] class-list list-name Creates a class-list or geo-location class-list with the specified list-name (1-63
characters) within the template.
• [no] client-ip {l3-dest | l7-header [header-name]} – Specifies
the IP address to use for matching entries in an IP class list. By default, the
client’s IP address is used.
  • l3-dest – Matches based on the destination IP address in packets from clients.
  • l7-header [header-name] – Matches based on the IP address in the
  specified header in packets from clients. The header-name specifies the name
  of the header to use. If you do not specify a header name, the
  X-Forwarded-For header is used.
• [no] lid num – Adds a Limit ID (LID) entry to the class list, to specify traffic
limits for client traffic.
  • [no] conn-limit num – Specifies the maximum number of concurrent
  connections allowed for a client. You can specify 0-1048575. Connection
  limit 0 immediately locks down matching clients.
  • [no] conn-rate-limit num per num-of-100ms – Specifies the maximum
  number of new connections allowed for a client within the specified
  limit period. You can specify 1-4294967295 connections. The limit period can
  be 100-6553500 milliseconds (ms), specified in increments of 100 ms.
  • [no] over-limit-action [forward | reset] [lockout minutes]
  [log minutes] – Specifies the action to take when a client
  exceeds one or more of the limits. The command also configures lockout
  and enables logging. The action can be one of the following:
    Drop - The ACOS device drops that traffic. If logging is enabled, the ACOS
    device also generates a log message. (There is no drop keyword. This is the
    default action.)
    forward – The ACOS device forwards the traffic. If logging is enabled, the
    ACOS device also generates a log message.
    reset – For TCP, the ACOS device sends a TCP RST to the client. If logging is
    enabled, the ACOS device also generates a log message.
  The lockout option specifies the number of minutes during which to apply
  the over-limit action after the client exceeds a limit. The lockout period is
  activated when a client exceeds any limit. The lockout period can be 1-1023
  minutes.
  The log option generates log messages when clients exceed a limit. When
  you enable logging, a separate message is generated for each over-limit
  occurrence, by default. You can specify a logging period, in which case the
  ACOS device holds onto the repeated messages for the specified period,
  then sends one message at the end of the period for all instances that
  occurred within the period. The logging period can be 0-255 minutes. The
  default is 0 (no wait period).

  • [no] request-limit num – Specifies the maximum number of concurrent
  Layer 7 requests allowed for a client. You can specify 1-1048575.
  • [no] request-rate-limit num per num-of-100ms – Specifies the
  maximum number of Layer 7 requests allowed for the client within the specified
  limit period. You can specify 1-4294967295 connections. The limit
  period can be 100-6553500 milliseconds (ms), specified in increments of 100
  ms.
The class-list request-limit and request-rate-limit options apply
only to HTTP, fast-HTTP, and HTTPS virtual ports.
These options, when configured in a policy template, are applicable only in
policy templates that are bound to virtual ports. These options are not applicable
in policy templates bound to virtual servers (rather than individual
ports).
The over-limit-action log option, when used with the request-limit
or request-rate-limit option, always lists Ethernet port 1 as the
interface.
[no] geo-location full-domain-tree Checks the current connection count not only for the client’s specific geo-location,
but for all geo-locations higher up in the domain tree.
It is recommended to enable or disable this option before enabling GSLB. Changing
the state of this option while GSLB is running can cause the related statistics
counters to be incorrect.
This is disabled by default. When a client requests a connection, the ACOS device
checks the connection count only for the specific geo-location level of the client.
If the connection limit for that specific geo-location level has not been reached,
the client’s connection is permitted.
[no] geo-location overlap Enables overlap matching mode. If there are overlapping addresses in the
black/white-list or class list, use this option to enable the ACOS device to find the most
precise match.
This is disabled by default.
[no] geo-location share Enables sharing of PBSLB statistics counters for all virtual servers and virtual ports
that use the template. This option causes the following counters to be shared:
• Permit
• Deny
• Connection number
• Connection limit
It is recommended to enable or disable this option before enabling GSLB. Changing
the state of this option while GSLB is running can cause the related statistics
counters to be incorrect.
This is disabled by default.

Default The ACOS device does not have a default PBSLB template. When you configure one, the
template has the default settings specified in the table above.

Mode Configuration mode


Usage The normal form of this command creates a PBSLB template. The “no” form of this command
removes the template.

You can bind only one PBSLB template to a virtual port. However, you can bind the same
PBSLB template to multiple ports.

PBSLB configuration on a virtual port can be set either using a template or by configuring
the individual settings on the port. Individual PBSLB settings and a PBSLB template cannot
be configured on the same virtual port.

Apply the Policy Globally or on Individual Virtual Ports

The ACOS device also allows policy templates to be applied at the virtual-server level.
However, PBSLB does not take effect if you apply the policy template at the virtual-server
level. Only class lists are supported at the virtual-server level. To use PBSLB, apply the policy
template globally or on individual virtual ports.

Example The following commands configure a PBSLB template and bind it to a virtual port:

ACOS(config)#slb template policy bw1
ACOS(config-policy)#bw-list name bw1
ACOS(config-policy)#bw-list id 2 service srvcgroup2
ACOS(config-policy)#bw-list id 4 drop
ACOS(config-policy)#exit
ACOS(config)#slb virtual-server PBSLB_VS1 10.10.10.69
ACOS(config-slb vserver)#port 80 http
ACOS(config-slb vserver-port)#template policy bw1

slb template port


Description Configure a template of SLB settings for service ports on real servers.

Syntax [no] slb template port template-name

Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified real port
template, where the following commands are available.


(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] conn-limit max-connections [resume connections] [no-logging] Specifies the maximum number of connections allowed on ports that use this
template.
• max-connections – specifies the maximum number of concurrent connections,
0-8000000 (8 million).
• resume connections – specifies the maximum number of connections
the port can have before the ACOS device resumes use of the port. You can
specify 1-1048575 connections.
• no-logging – disables logging for the feature.
The default is 8000000 (8 million).
[no] conn-rate-limit connections [per {100ms | 1sec}] [no-logging] Limits the rate of new connections the ACOS device is allowed to send to ports
that use this template. When a real port reaches its connection limit, the ACOS
device stops selecting the port to serve client requests.
• connections – Maximum number of new connections allowed on the port. You
can specify 1-1048575 connections.
• per {100ms | 1sec} – Specifies whether the connection rate limit
applies to one-second intervals or 100-ms intervals. The default is one-second
intervals (1sec).
• no-logging – disables logging for the feature.
This is not set by default; when enabled, the default sampling rate is per 1sec.
[no] dest-nat Enables destination Network Address Translation (NAT) on ports that use this
template.
Destination NAT is enabled by default, but is automatically disabled in Direct
Server Return (DSR) configurations. You can re-enable destination NAT on individual
ports for deployment of mixed DSR configurations, which use backup
servers across Layer 3 (in different subnets).
[no] down-grace-period seconds Specifies the number of seconds the ACOS device will continue to forward
packets to a Down port. This option is useful for taking servers down for maintenance
without immediately impacting existing sessions on the servers. You
can specify 1-86400 seconds.
NOTE: The service group must contain 2 or more servers for this feature to
work.
NOTE: This feature supports stateless and stateful load balancing. However, the
feature is not supported for stateful hash load-balancing methods, such as
source-IP-based or destination-IP-based hashing.
[no] dscp number Sets the differentiated services code point (DSCP) value in the IP header of a client
request before sending the request to ports that use this template. The
number specifies the DSCP value and can be 1-63. By default, DSCP is not set by
the ACOS device.

[no] dynamic-member-priority num decrement delta Configure service-group priority settings for ports on dynamically created servers.
The num option sets the initial TTL for dynamically created service-group
members, and can be 1-16. The delta option specifies how much to decrement
the TTL if the IP address is not included in the DNS reply, and can be 0-7. When
configuring the service group, add the port template to the member.
The defaults are priority 16 and delta 0.
[no] extended-stats Enables collection of SLB peak connection statistics for the port.
[no] health-check [monitor-name] Enables health monitoring of ports that use this template. The monitor-name
specifies the name of a configured health monitor.
If you omit this command or you enter it without the monitor-name option, the
default TCP or UDP health monitor is used:
• TCP – Every 30 seconds, the ACOS device sends a connection request (TCP
SYN) to the specified TCP port on the server. The port passes the health
check if the server replies to the ACOS device by sending a TCP SYN ACK.
• UDP – Every 30 seconds, the ACOS device sends a packet with a valid UDP
header and a garbage payload to the UDP port. The port passes the health
check if the server either does not reply, or replies with any type of packet
except an ICMP Error message.
[no] health-check-disable Disables health monitoring of ports that use this template.
[no] inband-health-check [down-timer seconds] [resel-on-reset] [retry maximum-retries] [reassign maximum-reassigns] Supplements the standard Layer 4 health checks by using client-server traffic to
check the health of service ports. This feature is disabled by default.
• down-timer - Set the amount of time in seconds to bring up the server or
port that is marked down (0-255). The default is 0; the server or port is never
brought up.
• resel-on-reset - When receiving a reset from server, also re-select the
server and port. This is disabled by default.
• retry maximum-retries – Each client-server session has its own retry
counter. The ACOS device increments a session’s retry counter each time a
SYN ACK is late. If the retry counter exceeds the configured maximum number
of retries allowed, the ACOS device sends the next SYN for the session to
a different server. The ACOS device also resets the retry counter to 0. You can
set the retry counter to 0-7 retries. The default number of retries is 2.
• reassign maximum-reassigns – Each real port has its own reassign
counter. Each time the retry counter for any session is exceeded, the ACOS
device increments the reassign counter for the server port. If the reassign
counter exceeds the configured maximum number of reassignments
allowed, the ACOS device marks the port down.
In this case, the port remains down until the next time the port successfully
passes a standard health check. Once the port passes a standard health
check, the ACOS device starts using the port again and resets the reassign
counter to 0. You can set the reassign counter to 0-255 reassignments. The
default is 25 reassignments.
A10 Networks recommends that you continue to use standard Layer 4 health
monitoring even if you enable in-band health monitoring. Without standard
health monitoring, a server port marked down by an in-band health check
remains down.

[no] no-ssl
Disables SSL for server-side connections. This command is useful if a server-SSL template is bound to the virtual port that uses this real port, and you want to disable encryption on this real port.
Encryption is disabled by default, but it is enabled for server-side connections when the real port is used by a virtual port that is bound to a server-SSL template.
Using the double-negative form of the command (no no-ssl) enables SSL for server-side connections.

[no] request-rate-limit num [per {100ms | second}] [reset] [no-logging]
Limits the number of new requests that can be received by the virtual port.
• num – Maximum number of new connection requests allowed per the interval specified below.
• per {100ms | second} – Interval for the rate. Up to num new connection requests are allowed per one-tenth second (100-ms) or per one second.
• reset – Sends a RST to a client that sends a new request during an interval in which the request rate has been exceeded. By default, requests that are received after the limit is exceeded are dropped with no RST.
• no-logging – Disables logging for this feature.
NOTE: In the current release, this command applies only to configurations that use an external-service template.

[no] slow-start [from starting-conn-limit] [times scale-factor | add conn-increment | every interval] [till ending-conn-limit]
Provides time for real ports that use the template to ramp up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the ports.
• from starting-conn-limit – Maximum number of concurrent connections to allow on the service port after it first comes up. You can specify from 1-4095 concurrent connections. The default is 128.
• times scale-factor | add conn-incr – Amount by which to increase the maximum number of concurrent connections allowed. You can use one of the following methods to specify the increment:
  • times scale-factor – The scale factor is the number by which to multiply the starting connection limit. For example, if the scale factor is 2 and the starting connection limit is 128, the ACOS device increases the connection limit to 256 after the first ramp-up interval. The scale factor can be 2-10. The default is 2.
  • add conn-incr – As an alternative to specifying a scale factor, you can instead specify how many more concurrent connections to allow. You can specify 1-4095 new connections.
• every interval – Number of seconds between each increase of the number of concurrent connections allowed. For example, if the ramp-up interval is 10 seconds, the number of concurrent connections to allow is increased every 10 seconds. The ramp-up interval can be 1-60 seconds. The default is 10 seconds.
• till ending-conn-limit – Maximum number of concurrent connections to allow during the final ramp-up interval. After the final ramp-up interval, the slow start is over and does not limit further connections to the server. You can specify from 1-65535 connections. The default is 4096.
NOTE: If a normal runtime connection limit is also configured (for example, by the conn-limit command), and the normal connection limit is smaller than the slow-start ending connection limit, the ACOS device limits slow-start connections to the maximum allowed by the normal connection limit.
NOTE: The initial ramp-up interval can be any duration from 0 up to the configured interval (10 seconds by default). After the initial ramp-up, each subsequent ramp-up occurs at the end of the configured interval.

[no] source-nat pool-name
Specifies the IP NAT pool to use for assigning source IP addresses to client traffic sent to ports that use this template. When the ACOS device performs NAT for a port that is bound to the template, the device selects an IP address from the pool.

stats-data-disable | stats-data-enable
Disables or enables statistical data collection for ports that use this template.
This is enabled by default.

[no] weight number
Specifies the load-balancing preference for ports that use this template. You can specify 1-100. A higher weight gives more favor to the server and port relative to the other servers and ports.
This option applies only to the service-weighted-least-connection load-balancing method. This option does not apply to the weighted-least-connection or weighted-round-robin load-balancing methods.
The default weight is 1.
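
The retry and reassign counters of inband-health-check (in the table above) interact, so the number of late SYN ACKs a real port absorbs before it is marked down is not obvious from the two limits alone. The following Python model is an added example, not A10 code; the class, function and port names, and the "first UP port in list order" re-selection, are assumptions made for illustration.

```python
"""Toy model of the in-band health-check counters described above.

Constructed for illustration: names are hypothetical, and server
re-selection is simplified to "first UP port in list order".
"""
from dataclasses import dataclass


@dataclass
class RealPort:
    name: str
    up: bool = True
    reassigns: int = 0              # per-port reassign counter


class InbandHealthModel:
    def __init__(self, port_names, max_retries=2, max_reassigns=25):
        if not 0 <= max_retries <= 7:
            raise ValueError("retry must be 0-7")
        if not 0 <= max_reassigns <= 255:
            raise ValueError("reassign must be 0-255")
        self.ports = {n: RealPort(n) for n in port_names}
        self.max_retries = max_retries
        self.max_reassigns = max_reassigns
        self.sessions = {}          # session id -> [port name, retry counter]

    def _pick(self, exclude=None):
        """Return the first UP port other than `exclude`, or None."""
        for port in self.ports.values():
            if port.up and port.name != exclude:
                return port.name
        return None

    def open_session(self, sid, port_name=None):
        port = port_name or self._pick()
        self.sessions[sid] = [port, 0]
        return port

    def late_syn_ack(self, sid):
        """Record one late SYN ACK; return the port the next SYN goes to."""
        port_name, retries = self.sessions[sid]
        retries += 1
        if retries <= self.max_retries:
            self.sessions[sid][1] = retries
            return port_name                    # keep retrying the same port
        # Retry counter exceeded: charge the port and move the session.
        port = self.ports[port_name]
        port.reassigns += 1
        if port.reassigns > self.max_reassigns:
            port.up = False                     # in-band check marks it down
        new_port = self._pick(exclude=port_name)
        self.sessions[sid] = [new_port, 0]      # retry counter resets to 0
        return new_port

    def standard_health_check_passed(self, port_name):
        """A standard health check brings the port back and clears the counter."""
        port = self.ports[port_name]
        port.up, port.reassigns = True, 0


def late_syn_acks_until_down(max_retries=2, max_reassigns=25):
    """Count late SYN ACKs on one port until the model marks it down."""
    model = InbandHealthModel(["rs1:80", "rs2:80"], max_retries, max_reassigns)
    count = sid = 0
    while model.ports["rs1:80"].up:
        model.open_session(sid, "rs1:80")
        while model.sessions[sid][0] == "rs1:80":
            model.late_syn_ack(sid)
            count += 1
        sid += 1
    return count
```

With the default limits (retry 2, reassign 25) the model marks the port down on the 78th late SYN ACK, and the port then stays down until a standard health check passes.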

Default The ACOS device has a default real port template, called “default”. The default port template
has the same default settings as the individual parameters you can configure in the template.

NOTE: In addition to configuring custom port templates, you can modify the default port
template.

CAUTION: Before changing a default template, make sure the changes you plan to make are
applicable to all virtual ports that use the template.

Mode Configuration mode

Usage The normal form of this command creates a real port template. The “no” form of this
command removes the template.

You can bind only one real port template to a real port. However, you can bind the real port
template to multiple real ports.

Some of the parameters that can be set using a template can also be set or changed on the
individual port.

• If a parameter is set (or changed from its default) in both a template and on the individual
port, the setting on the individual port takes precedence.
• If a parameter is set (or changed from its default) in a template but is not set or
changed from its default on the individual port, the setting in the template takes precedence.

If you change the connection limiting configuration on a virtual port or virtual server that
has active sessions, or in a virtual-port or virtual-server template bound to the virtual server
or virtual port, the current connection counter for the virtual port or server in show
command output and in the GUI may become incorrect. To avoid this, do not change the
connection limiting configuration until the virtual server or port does not have any active
connections.

Example The following commands configure a real port template named “common-rpsettings”,
enable slow-start in the template, and bind the template to a real port:

ACOS(config)#slb template port common-rpsettings
ACOS(config-rport)#slow-start from 256
ACOS(config-rport)#exit
ACOS(config)#slb server rs1 10.1.1.2
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#template port common-rpsettings

slb template server


Syntax [no] slb template server template-name

Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified real server
template, where the following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] conn-limit max-connections [resume connections] [no-logging]
Specifies the maximum number of connections allowed on real servers that use this template.
The max-connections option specifies the maximum number of concurrent connections, 0-8000000.
The resume connections option specifies the maximum number of connections the server can have before the ACOS device resumes use of the server. You can specify 1-1048575 connections.
The no-logging option disables logging for the feature.
The default is 8000000 (8 million).

[no] conn-rate-limit connections [per {100ms | 1sec}] [no-logging]
Limits the rate of new connections the ACOS device is allowed to send to servers that use this template. When a real server reaches its connection limit, the ACOS device stops selecting the server for client requests.
connections – Maximum number of new connections allowed on a server. You can specify 1-1048575 connections.
per {100ms | 1sec} – Specifies whether the connection rate limit applies to one-second intervals or 100-ms intervals.
The no-logging option disables logging for the feature.
By default this is not set; when enabled, the default sampling rate is per 1sec.

[no] dns-query-interval minutes
Specifies how often the ACOS device sends DNS queries for the IP addresses of dynamic real servers. You can specify 1-1440 minutes (one day).
The default is 10 minutes.

[no] dynamic-server-prefix string
Specifies the prefix added to the front of dynamically created servers. You can specify a string of 1-3 characters.
The default prefix is DRS (for “Dynamic Real Servers”).

[no] extended-stats
Enables collection of peak connection statistics for a server.
This is disabled by default.

[no] health-check [monitor-name]
Enables health monitoring of ports that use this template. The monitor-name specifies the name of a configured health monitor. If you omit this command or you enter it without the monitor-name option, the default ICMP health monitor is used: an ICMP ping (echo request) is sent every 30 seconds. If the ping fails 2 times consecutively, the ACOS device sets the server state to DOWN.

[no] health-check-disable
Disables health monitoring of servers that use this template.

[no] log-selection-failure
Enables real-time logging for server-selection failures.
This is disabled by default.

[no] max-dynamic-server num
Specifies the maximum number of dynamic real servers that can be created for a given hostname. You can specify 1-1023.
The default is 255.

[no] min-ttl-ratio num
Specifies the minimum initial value for the TTL of dynamic real servers. The ACOS device multiplies this value by the DNS query interval to calculate the minimum TTL value to assign to the dynamically created server. The min-ttl-ratio can be 1-15.
The default min-ttl-ratio is 2.

[no] slow-start [from starting-conn-limit] [times scale-factor | add conn-incr] [every interval] [till ending-conn-limit]
Provides time for real ports that use the template to ramp up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the ports.
• from starting-conn-limit – Maximum number of concurrent connections to allow on the server after it first comes up. You can specify from 1-4095 concurrent connections. The default is 128.
• times scale-factor | add conn-incr – Amount by which to increase the maximum number of concurrent connections allowed. You can use one of the following methods to specify the increment:
  • times scale-factor – The scale factor is the number by which to multiply the starting connection limit. For example, if the scale factor is 2 and the starting connection limit is 128, the ACOS device increases the connection limit to 256 after the first ramp-up interval. The scale factor can be 2-10. The default is 2.
  • add conn-incr – As an alternative to specifying a scale factor, you can instead specify how many more concurrent connections to allow. You can specify 1-4095 new connections.
• every interval – Number of seconds between each increase of the number of concurrent connections allowed. For example, if the ramp-up interval is 10 seconds, the number of concurrent connections to allow is increased every 10 seconds. The ramp-up interval can be 1-60 seconds. The default is 10 seconds.
• till ending-conn-limit – Maximum number of concurrent connections to allow during the final ramp-up interval. After the final ramp-up interval, the slow start is over and does not limit further connections to the server. You can specify from 1-65535 connections. The default is 4096.
NOTE: If a normal runtime connection limit is also configured on the server (for example, by the conn-limit command), and the normal connection limit is smaller than the slow-start ending connection limit, the ACOS device limits slow-start connections to the maximum allowed by the normal connection limit.

[no] spoofing cache
Enables support for a spoofing cache server. A spoofing cache server uses the client’s IP address instead of its own as the source address when obtaining content requested by the client.
This is disabled by default.

stats-data-disable | stats-data-enable
Disables or enables statistical data collection for servers that use this template.
This is enabled by default.

[no] weight num
Assigns an administrative weight to the server, for weighted load balancing. The num parameter is the administrative weight assigned to the server. You can specify 1-100.
The default weight is 1.

Default The ACOS device has a default real server template, called “default”. The default server
template has the same default settings as the individual parameters you can configure in the
template. Here are the defaults:

NOTE: In addition to configuring custom server templates, you can modify the default
server template.

CAUTION: Before changing a default template, make sure the changes you plan to make are
applicable to all virtual ports that use the template.

Mode Configuration mode

Usage The normal form of this command creates a real server template. The no form of this
command removes the template.

You can bind only one real server template to a real server. However, you can bind the real
server template to multiple real servers.

Some of the parameters that can be set using a template can also be set or changed on the
individual server.

• If a parameter is set (or changed from its default) in both a template and on the individual
server, the setting on the individual server takes precedence.
• If a parameter is set (or changed from its default) in a template but is not set or
changed from its default on the individual server, the setting in the template takes precedence.

If you change the connection limiting configuration on a virtual port or virtual server that
has active sessions, or in a virtual-port or virtual-server template bound to the virtual server
or virtual port, the current connection counter for the virtual port or server in show
command output and in the GUI may become incorrect. To avoid this, do not change the
connection limiting configuration until the virtual server or port does not have any active
connections.

Example The following commands configure a real server template called “rs-tmplt1” and bind the
template to two real servers:

ACOS(config)#slb template server rs-tmplt1
ACOS(config-rserver)#health-check ping2
ACOS(config-rserver)#conn-limit 500000
ACOS(config-rserver)#exit
ACOS(config)#slb server rs1 10.1.1.99
ACOS(config-real server)#template server rs-tmplt1
ACOS(config-real server)#exit
ACOS(config)#slb server rs2 10.1.1.100
ACOS(config-real server)#template server rs-tmplt1

Example The following commands configure hostname server parameters in a server port template
and a server template:

ACOS(config)#slb template port temp-port
ACOS(config-rport)#dynamic-member-priority 12
ACOS(config-rport)#exit
ACOS(config)#slb template server temp-server
ACOS(config-rserver)#dns-query-interval 5
ACOS(config-rserver)#min-ttl-ratio 3
ACOS(config-rserver)#max-dynamic-server 16
ACOS(config-rserver)#exit

slb template server-ssl


Description Configure the ACOS device to validate real servers based on their certificates.

Syntax [no] slb template server-ssl template-name

Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified server-SSL
template, where the following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] ca-cert certificate-name
Name of the CA certificate. A server-SSL template can have multiple CA-signed certificates. Support for multiple certificates is required for SSL Insight, and may also be useful in other deployments that use server-SSL templates.
You can add the CA certificates to the server-SSL template in either of the following ways:
• As separate files (one for each certificate)
• As a single file containing multiple certificates
NOTE: In the current release, import of certificates from a PKCS #7 file is not supported. Consequently, CA certificate files exported from IE version 6 or 7 are not supported, since those browser versions can export the certificates only in PKCS #7 format. IE version 9 can export the certificates in PFX format as well as PKCS #7 format.

[no] cert cert-name
Specifies the name of the certificate to use for terminating or initiating an SSL connection. The certificate must be installed on the ACOS device.

[no] cipher cipher
Specifies the cipher suite to support for certificates from servers.
By default, all supported ciphers (listed in Table 5 on page 521) are enabled. You can remove (or re-add) one cipher in the template with a single command. Enter separate commands for each cipher to remove or re-add.

[no] close-notify
Enables support for close notification (close_notify) alerts. When this option is enabled, the ACOS device sends a close_notify message when an SSL transaction ends, before sending a FIN. This behavior is required by certain types of applications, including PHP cgi. The close notification option may not work if connection reuse is also configured on the same virtual port. In this case, when the server sends a FIN to the ACOS device, the ACOS device will not send a FIN followed by a close notification. Instead, the ACOS device will send a RST.
This is disabled by default.

[no] forward-proxy-enable
Enables SSL Insight support.
This is disabled by default.

[no] key key-name [passphrase passphrase-string]
Specifies the key for the certificate, and the passphrase used to encrypt the key.

[no] server-certificate-error options
Specifies the ACOS response if there is a server certificate error:
• email – Sends an email.
• ignore – Ignores the error and allows the traffic.
• logging – Generates a log message.
• trap – Generates an SNMP trap.
By default, this is not set (connection refused with no notification).

[no] session-cache-size entries
Sets the maximum number of session-ID entries, 0-8000000. If you set the size to 0, caching is disabled.
By default, this is not set (disabled).

[no] session-cache-timeout seconds
Sets the maximum number of seconds a cache entry can remain unused before being removed from the cache, 1-7200 seconds. Cache entries age according to the ticket age time. The age time is not reset when a cache entry is used. After a client’s SSL ticket expires, they must complete an SSL handshake in order to set up the next secure session with ACOS.
The default is 7200 seconds.

[no] session-ticket-enable
Enables stateless SSL session ticketing.
By default, this is disabled.

[no] template cipher template-name
Name of a cipher template to bind to the server-SSL template. In this case, the settings in the cipher template override any cipher settings in the server-SSL template.
This is not set by default; the ciphers enabled in the server-SSL template are used.

[no] version {30 | 31 | 32 | 33} [downgrade-version]
Specifies the security version:
• 30 – Secure Sockets Layer (SSL) v3.0
• 31 – Transport Layer Security (TLS) v1.0
• 32 – TLS v1.1
• 33 – TLS v1.2
The downgrade-version specifies a lower (less secure) SSL/TLS version to which the session can be downgraded.
The default is 31.

Default The configuration does not have a default server-side SSL template. If you create one, it has
the default options specified in the table above.

Mode Configuration mode

Usage The normal form of this command creates a server-SSL configuration template.

The “no” form of this command removes the template.

To import a certificate (and key, if applicable), use the import command. (See “import” on
page 34.)

You can bind only one server-SSL template to a virtual port. However, you can bind the same
server-SSL template to multiple ports.

The close-notify option cannot be used along with the TCP-proxy template
force-delete-timeout option. Doing so may cause unexpected behavior.
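
Several server-SSL template settings weaken validation of the real server: the default version of 31 (TLS v1.0), an explicit version 30 (SSL v3.0), a downgrade-version, and server-certificate-error ignore, which overrides the default of refusing the connection. The following Python audit is an added example, not A10 code; the indented configuration layout, the sample template names, the finding labels, and the treatment of a missing ca-cert as a finding are assumptions.

```python
"""Audit server-SSL templates in ACOS-style configuration text.

Added example. Assumed layout (not taken from the page): sub-commands are
indented under the "slb template server-ssl NAME" line, and a block ends at
"!" or at the next unindented line. Finding labels are hypothetical.
"""
VERSION_NAMES = {30: "SSL v3.0", 31: "TLS v1.0", 32: "TLS v1.1", 33: "TLS v1.2"}
DEFAULT_VERSION = 31  # the version row states "The default is 31."


def parse_server_ssl_templates(text):
    """Return {template name: [token list for each sub-command]}."""
    templates, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!") or raw[0] not in " \t":
            current = None                      # any block in progress ends here
        tokens = line.split()
        if tokens[:3] == ["slb", "template", "server-ssl"] and len(tokens) == 4:
            current = tokens[3]
            templates[current] = []
        elif current is not None:
            templates[current].append(tokens)
    return templates


def audit_template(commands, min_version=33):
    """Return the findings for one template, in a fixed order."""
    version, downgrade = DEFAULT_VERSION, None
    has_ca = ignores_errors = False
    for tokens in commands:
        if tokens[0] == "version" and len(tokens) >= 2 and tokens[1].isdigit():
            version = int(tokens[1])
            # Second number, if present, is taken as the downgrade-version.
            if len(tokens) >= 3 and tokens[2].isdigit():
                downgrade = int(tokens[2])
        elif tokens[0] == "ca-cert" and len(tokens) >= 2:
            has_ca = True
        elif tokens[0] == "server-certificate-error" and "ignore" in tokens[1:]:
            ignores_errors = True
    findings = []
    if version < min_version:
        findings.append(f"weak-version:{VERSION_NAMES.get(version, version)}")
    if downgrade is not None and downgrade < min_version:
        findings.append(f"downgrade-to:{VERSION_NAMES.get(downgrade, downgrade)}")
    if ignores_errors:
        findings.append("cert-error-ignored")   # certificate errors allowed through
    if not has_ca:
        findings.append("no-ca-cert")           # assumption: validation needs a CA
    return findings


def audit(text, min_version=33):
    """Return {template name: findings} for every server-SSL template."""
    return {name: audit_template(cmds, min_version)
            for name, cmds in parse_server_ssl_templates(text).items()}


# Constructed sample configuration (not from a real device).
SAMPLE = """\
slb template server-ssl legacy-backend
  version 30
  server-certificate-error ignore
!
slb template server-ssl defaults-only
  ca-cert corp-root
!
slb template server-ssl hardened
  ca-cert corp-root
  version 33
  server-certificate-error logging
!
slb template server-ssl soft-floor
  ca-cert corp-root
  version 33 31
!
slb template port common-rpsettings
  slow-start from 256
!
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or "ok")
```

A template that sets nothing but ca-cert is still reported, because the effective version is the default of 31.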

slb template sip (SIP over UDP)


Description Configure separate load balancing of Session Initiation Protocol (SIP) registration traffic and
non-registration traffic for SIP clients.

NOTE: Except for the timeout command, none of the commands in this section are applicable
to SIP over TCP/TLS. To configure a template for SIP over TCP/TLS, see “slb
template sip (SIP over TCP/TLS)” on page 577.

Syntax [no] slb template sip template-name

Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified SIP template,
where the following commands are available:

Command Description
[no] alg-dest-nat
Translates the VIP address into the real server IP address in SIP messages, when destination NAT is used. Disabled by default.

[no] alg-source-nat
Translates the source IP address into the NAT IP address in SIP messages, when source NAT is used. Disabled by default.
The status of ALG support does not affect address translation at the IP layer. Address translation at the IP layer is still performed, if applicable, even if ALG support is disabled.
NOTE: In releases earlier than 2.6.0 that support SIP load balancing, ALG support is automatically enabled for SIP load balancing. In 2.6.1-P1 and later, SIP ALG support is available only if you enable it.

[no] client-request-header erase header-name [all]
Erases the specified header. If you specify all, all instances are erased. Otherwise, only the first instance is erased.

[no] client-request-header insert field:value [insert-always | insert-if-not-exist]
Inserts the specified header into requests. The field:value pair indicates the header field name and the value to insert.
Use a colon between the header name and the value. To use a blank space between the header name and the value, use double quotation marks.
Examples:
header-insert Max-Forwards:15
header-insert "Max-Forwards: 15"
• insert-always – Always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.
• insert-if-not-exist – Inserts the header only if the request does not already contain a header with the same field name.
Without either option, if a request already contains one or more headers with the specified field name, the command replaces the last header.

[no] client-response-header erase header-name [all]
Erases the specified header. If you specify all, all instances are erased. Otherwise, only the first instance is erased.

[no] client-response-header insert field:value [insert-always | insert-if-not-exist]
Inserts the specified header into responses. The field:value pair indicates the header field name and the value to insert. The options are the same as those for client-request-header insert.

[no] keep-real-server-ip-if-match-acl acl-id
Disables reverse NAT based on the IP addresses in an extended ACL. This command is useful in cases where a SIP server needs to reach another server, and the traffic must pass through the ACOS device.

[no] registrar service-group group-name
Specifies the name of a service group of SIP Registrar servers.

[no] server-request-header erase header-name [all]
Erases the specified header. If you specify all, all instances are erased. Otherwise, only the first instance is erased.

[no] server-request-header insert field:value [insert-always | insert-if-not-exist]
Inserts the specified header into requests. The field:value pair indicates the header field name and the value to insert. The options are the same as those for client-request-header insert.

[no] server-response-header erase header-name [all]
Erases the specified header. If you specify all, all instances are erased. Otherwise, only the first instance is erased.

[no] server-response-header insert field:value [insert-always | insert-if-not-exist]
Inserts the specified header into responses. The field:value pair indicates the header field name and the value to insert. The options are the same as those for client-request-header insert.

[no] timeout minutes
Specifies the number of minutes a call can remain idle before the Thunder Series terminates it. You can specify 1-250 minutes.

Default The configuration does not have a default SIP over UDP template. If you create one, the
default timeout is 30 minutes. The other parameters are unset by default.

Mode Configuration mode

Usage The normal form of this command creates a SIP configuration template. The “no” form of this
command removes the template.

You can bind only one SIP template to a virtual port. However, you can bind the same SIP
template to multiple ports.

In the current release, the header-erase, header-insert, and header-replace
options apply to both traffic directions, client-to-server and server-to-client traffic.

Example The following commands configure a SIP template named “Registrar_template”:

ACOS(config)#slb template sip Registrar_template
ACOS(config-sip)#registrar service-group Registrar_gp
ACOS(config-sip)#header-replace Max-Forwards 15
ACOS(config-sip)#header-erase Contact

slb template sip (SIP over TCP/TLS)


Description Configure separate load balancing of Session Initiation Protocol (SIP) registration traffic and
non-registration traffic for SIP over TCP/TLS.

NOTE: Except for the timeout command, none of the commands in this section are applicable
to SIP over UDP. To configure a template for SIP over UDP, see “slb template sip
(SIP over UDP)” on page 575.

Syntax [no] slb template sip template-name

Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified SIP template,
where the following commands are available:

Command Description
[no] alg-dest-nat
Enables SIP ALG support for the destination IP address. Disabled by default.

[no] alg-source-nat
Enables SIP ALG support for the source IP address. Disabled by default.
The status of ALG support does not affect address translation at the IP layer. Address translation at the IP layer is still performed, if applicable, even if ALG support is disabled.
In releases earlier than 2.6.0 that support SIP load balancing, ALG support is automatically enabled for SIP load balancing. In 2.6.1-P1 and later, SIP ALG support is available only if you enable it.

[no] call-id-persist-disable
Disables call-ID persistence.
This is enabled by default.

[no] client-keep-alive
Enables the ACOS device to respond to SIP pings from clients on behalf of SIP servers. When this option is enabled, the ACOS device responds to a SIP ping from a client with a “pong”. This option is disabled by default.
NOTE: If connection reuse is configured, even if client keepalive is disabled, the ACOS device will respond to a client SIP ping with a pong.

[no] dialog-aware
Enables support for multiple active client instances with the same end-user login.
This is disabled by default.

[no] exclude-translation {body | header string | start-line}
Disables translation of the virtual IP address and virtual port in specific portions of SIP messages:
• body – Does not translate virtual IP addresses and virtual ports in the body of the message.
• header string – Does not translate virtual IP addresses and virtual ports in the specified header.
• start-line – Does not translate virtual IP addresses and virtual ports in the SIP request line or status line.
NOTE: Regardless of the settings for this option, the ACOS device never translates addresses in “Call-ID” or “X-Forwarded-For” headers.
By default this is not set. The ACOS device does not translate addresses in any header except the top Via header.

[no] insert-client-ip
Inserts an “X-Forwarded-For: IP-address:port” header into SIP packets from the client to the SIP server. The header contains the client IP address and source protocol port number. The ACOS device uses the header to identify the client when forwarding a server reply.
This option is disabled by default.

[no] failed-client-selection {string | drop} Specifies the response when selection of a SIP client fails. You can specify one of the following:
• string – Message string to send to the server; for example: “480 Temporarily Unavailable”. If the message string contains a blank, use double quotation marks around the string.
• drop – Drops the traffic.
NOTE: This option is applicable only if the configuration includes a connection-reuse template.
By default this is not set. The ACOS device resets the connection.
[no] failed-server-selection {string | drop} Specifies the response when selection of a SIP server fails. You can specify one of the following:
• string – Message string to send to the client; for example: “504 Server Time-out”. If the message string contains a blank, use double quotation marks around the string.
• drop – Drops the traffic.
This is not set by default; the ACOS device resets the connection.
[no] keep-real-server-ip-if-match-acl acl-id This option uses the real server’s IP for addresses that match the ACL for a call ID.
This is disabled by default.
[no] server-keep-alive seconds For configurations that use a connection-reuse template, this option specifies how often the ACOS device sends a SIP ping on each persistent connection. The ACOS device silently drops the server’s reply. If the server does not reply to a SIP ping within the connection-reuse timeout, the ACOS device closes the persistent connection. (The connection-reuse timeout is configured by the timeout command at the configuration level for the connection-reuse template. See “slb template connection-reuse” on page 527.) You can specify 5-300 seconds.
[no] server-selection-per-request Forces the ACOS device to perform the server selection process anew for every SIP request. Without this option, the ACOS device reselects the same server for subsequent requests (assuming the same server group is used), unless overridden by other template options. This option applies to SIP-TCP and SIPS virtual ports. The option is unnecessary for SIP over UDP. Strict transaction switching is automatically used for SIP over UDP.
This is disabled by default.
[no] smp-call-id-rtp-session Create a cross-CPU call-ID RTP session.
This feature is introduced in release 4.0.1 to enable your ACOS device to
monitor RTP and SIP traffic. This command creates a cross-CPU RTP session
which can be matched by RTP traffic.
Use this command in conjunction with “rtp-sip-call-id-match” on page 650
to configure this feature.
[no] timeout minutes Specifies the number of minutes a SIP session can remain idle before the
ACOS device terminates it. You can specify 1-250 minutes.
The default is 30 minutes.


Default The configuration does not have a default SIP over TCP/TLS template. If you create one, the
template has the following default settings, for the parameters that are applicable to SIP over
TCP/TLS:

Mode Configuration mode

Usage The normal form of this command creates a SIP configuration template. The no form of this
command removes the template.

You can bind only one SIP template to a virtual port. However, you can bind the same SIP
template to multiple ports.

Example The following commands configure a SIP over TCP/TLS template:

ACOS(config)#slb template sip siptls-tmplt
ACOS(config-sip)#insert-client-ip
ACOS(config-sip)#client-keep-alive
ACOS(config-sip)#failed-client-selection "480 Temporarily Unavailable"
ACOS(config-sip)#failed-server-selection "504 Server Time-out"
ACOS(config-sip)#exclude-translation header Authentication

slb template smpp


Description Configure a template for Short Message Peer-to-Peer (SMPP 3.3) protocol load balancing.

Syntax [no] slb template smpp template-name

Replace template-name with the name of the template, 1-31 characters long.

This command changes the CLI to the configuration level for the specified SMPP template,
where the following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] client-enquire-link If enabled, ACOS replies to clients directly with an ENQUIRE_LINK message. The
ENQUIRE_LINK message prevents the client connection from timing out and
serves the same purpose as a keepalive message.
[no] server-enquire-link interval Prevents reusable connections to the SMPP server from aging out. When this option is enabled, ACOS regularly sends an ENQUIRE_LINK message to the SMPP server to maintain the client-to-server connection. For interval, set the number of seconds at which the keepalive message is sent. You can set the interval to 5-300 seconds. The default is 30 seconds.

[no] server-selection-per-request Forces the ACOS device to perform the server selection process for every SMPP request. Without this option, the ACOS device reselects the same server for subsequent requests (assuming the same server group is used), unless overridden by other template options.
[no] user name password string Sets a username and password which the ACOS device will use to authenticate SMPP clients.

Default The configuration does not have a default SMPP template.

Usage The normal form of this command creates an SMPP template. The “no” form of this command removes the template.

The server-selection-per-request option works only in conjunction with a connection-reuse template. In addition, this option requires that a username-password pair is configured in the SMPP template, so that ACOS can immediately authenticate SMPP clients for every instance of server selection.

If you configure a user name password string, you must configure the same username-password pair for all SMPP clients and servers. Otherwise, the ACOS device will never open a TCP connection between the clients and servers.

Mode Configuration mode

Introduced in Release 2.7.1

slb template smtp


Description Configure STARTTLS support for Simple Mail Transfer Protocol (SMTP) clients.

Syntax [no] slb template smtp template-name

Replace template-name with the name of the template, 1-31 characters long.

This command changes the CLI to the configuration level for the specified SMTP template,
where the following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)


Command Description
[no] client-domain-switching {starts-with | contains | ends-with} string service-group group-name Selects a service group based on the domain of the client. You can specify all or part of the client domain name. This command is applicable when you have multiple SMTP service groups.
• starts-with string – matches only if the client’s domain name starts with string.
• contains string – matches if the string appears anywhere within the domain name of the client.
• ends-with string – matches only if the client’s domain name ends with string.
By default, this is not set. All client domains match, and any service group can be used.
[no] command-disable [vrfy] [expn] [turn] Disables support of the specified SMTP commands. If a client tries to issue a disabled SMTP command, ACOS sends the following message to the client:
“502 - Command not implemented”
If you enter this command without specifying a command name, all the listed SMTP commands (VRFY, EXPN, and TURN) are disabled.
By default, VRFY, EXPN, and TURN are all enabled.
[no] server-domain name Specifies the email server domain. This is the domain for which the ACOS
device provides SMTP load balancing.
The default name is “mail-server-domain.”
[no] service-ready-msg string Specifies the text of the SMTP service-ready message sent to clients. The
complete message sent to the client is constructed as follows:
200 - smtp-domain service-ready-string
The default string is "ESMTP mail service ready."
starttls {disable | optional | enforced} Specifies whether or not use of STARTTLS by clients is required:
• disable – Clients cannot use STARTTLS. Use this option if you need to disable STARTTLS support but you do not want to remove the configuration.
• optional – Clients can use STARTTLS but are not required to do so.
• enforced – Before any mail transactions are allowed, the client must issue the STARTTLS command to establish a secured session. If the client does not issue the STARTTLS command, ACOS sends the following message to the client:
530 - Must issue a STARTTLS command first
The default is disable.

Default The configuration has a default SMTP template, with the settings described in the table
above.

To display the default SMTP template settings, use the show slb template smtp
default command.


Usage The normal form of this command creates an SMTP template. The no form of this command
removes the template.

You can bind only one SMTP template to a virtual port. However, you can bind the same
SMTP template to multiple ports.

The starts-with, contains, and ends-with options are always applied in the following
order, regardless of the order in which the commands appear in the configuration. The
service group for the first match is used.

• starts-with
• contains
• ends-with

If a template has more than one command with the same option (starts-with,
contains, or ends-with) and a client domain matches on more than one of them, the
most-specific match is always used.

If a contains rule and an ends-with rule match on exactly the same string, the ends-with rule is used, because it has the more specific match. Here is an example of a set of client-domain-switching rules in an SMTP template. The numbers to the right indicate the precedence of the rules when matching on client domain name “localhost”. In this case, the last rule is the best match and will be used.

client-domain-switching contains localhost service-group sg-a      (4)
client-domain-switching contains local service-group sg-b          (5)
client-domain-switching ends-with host service-group sg-c          (6)
client-domain-switching ends-with localhost service-group sg-d     (3)
client-domain-switching starts-with local service-group sg-e       (2)
client-domain-switching starts-with localhost service-group sg-f   (1)
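The precedence numbering above can be reproduced with a short model, given here as an added Python example (not A10 code). The ordering it uses is an assumption inferred from the numbered rules: starts-with rules rank first, contains and ends-with rules then compete on string length, and an ends-with rule beats a contains rule of equal length. All function and variable names are hypothetical.

```python
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    kind: str            # "starts-with", "contains" or "ends-with"
    pattern: str         # string compared against the client domain
    service_group: str


def parse_rule(line: str) -> Rule:
    """Parse 'client-domain-switching <kind> <string> service-group <name>'."""
    tokens = line.split()
    if (len(tokens) != 5
            or tokens[0] != "client-domain-switching"
            or tokens[1] not in ("starts-with", "contains", "ends-with")
            or tokens[3] != "service-group"):
        raise ValueError(f"not a client-domain-switching rule: {line!r}")
    return Rule(tokens[1], tokens[2], tokens[4])


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.strip().splitlines()]


def rule_matches(rule: Rule, domain: str) -> bool:
    # Case-sensitive comparison; the page does not say how ACOS treats case.
    if rule.kind == "starts-with":
        return domain.startswith(rule.pattern)
    if rule.kind == "ends-with":
        return domain.endswith(rule.pattern)
    return rule.pattern in domain


def precedence_key(rule: Rule):
    # Assumed ordering, inferred from the page's numbered example:
    #   1. starts-with rules outrank every contains / ends-with rule;
    #   2. within a tier, the longer (more specific) string wins;
    #   3. on equal length, ends-with outranks contains.
    tier = 0 if rule.kind == "starts-with" else 1
    tie_break = 0 if rule.kind == "ends-with" else 1
    return (tier, -len(rule.pattern), tie_break)


def ranked_matches(rules: List[Rule], domain: str) -> List[Rule]:
    """Return every rule that matches the domain, best match first."""
    return sorted((r for r in rules if rule_matches(r, domain)),
                  key=precedence_key)


def select_service_group(rules: List[Rule], domain: str) -> Optional[str]:
    """Service group of the best match, or None when no rule matches."""
    ranked = ranked_matches(rules, domain)
    return ranked[0].service_group if ranked else None


# Rules copied from the page's precedence example.
LOCALHOST_RULES = parse_rules("""
    client-domain-switching contains localhost service-group sg-a
    client-domain-switching contains local service-group sg-b
    client-domain-switching ends-with host service-group sg-c
    client-domain-switching ends-with localhost service-group sg-d
    client-domain-switching starts-with local service-group sg-e
    client-domain-switching starts-with localhost service-group sg-f
""")

# Rules copied from the page's "smtp-domain" template example.
SMTP_DOMAIN_RULES = parse_rules("""
    client-domain-switching starts-with smb service-group smtp-sg1
    client-domain-switching contains company1 service-group smtp-sg2
    client-domain-switching ends-with .com service-group smtp-sg3
""")

if __name__ == "__main__":
    for rank, rule in enumerate(ranked_matches(LOCALHOST_RULES, "localhost"), 1):
        print(rank, rule.kind, rule.pattern, rule.service_group)
```

Running the model against a planned rule set before committing it shows which service group a given client domain lands in when several rules overlap.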

Example The following commands configure an SMTP template named “secure-mail”. The template
enforces use of STARTTLS by mail clients, disables client use of certain SMTP commands, and
directs clients to a service group based on client domain.

ACOS(config)#slb template smtp secure-mail
ACOS(config-smtp)#starttls enforced
ACOS(config-smtp)#command-disable expn turn vrfy
ACOS(config-smtp)#client-domain-switching contains hq service-group smtp-sg1
ACOS(config-smtp)#client-domain-switching contains northdakota service-group smtp-sg2

Example The following commands configure an SMTP template called “smtp-domain”. The template uses client domain switching to select a service group based on the email client’s domain. Clients from any domain that starts with “smb” are sent to service group “smtp-sg1”. Clients whose domain name does not start with “smb” and whose domain name contains “company1” are sent to service group “smtp-sg2”. Clients whose domain name does not match on the starts-with or contains strings and ends with “.com” are sent to service group “smtp-sg3”.

ACOS(config)#slb template smtp smtp-domain
ACOS(config-smtp)#client-domain-switching starts-with smb service-group smtp-sg1
ACOS(config-smtp)#client-domain-switching contains company1 service-group smtp-sg2
ACOS(config-smtp)#client-domain-switching ends-with .com service-group smtp-sg3

slb template tcp


Description Configure TCP connection settings.

Syntax [no] slb template tcp template-name

Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified TCP template,
where the following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] force-delete-timeout seconds [alive-if-active] Specifies the maximum number of seconds a session can remain active, and forces deletion of any session that is still active after the specified number of seconds.
This option is useful for small, fast transactions for which the completion time of sessions is guaranteed. When used in combination with the reset-fwd and reset-rev options, the force-delete-timeout option can help clean up user connections with RSTs instead of allowing the connections to hang.
The timeout can be 1-31 seconds.
The alive-if-active option quickly terminates half-open TCP sessions on the virtual port while allowing active sessions to continue without being terminated.
This is not set by default.
[no] force-delete-timeout-100ms 100-ms-units Specifies the maximum number of milliseconds a session can remain active, and forces deletion of any session that is still active after the specified number of milliseconds. The timeout can be 1-31 milliseconds.
This is not set by default.
[no] half-close-idle-timeout seconds Enables aging of half-closed TCP sessions. A half-closed TCP session is a session in which the server sends a FIN but the client does not reply with an ACK. You can set the timeout to 60-15000 seconds.
This is not set by default; the ACOS device keeps half-closed sessions open indefinitely.

[no] half-open-idle-timeout seconds Enables aging of half-open TCP sessions. A half-open TCP session is one in which the client receives a SYN-ACK, but does not reply with an ACK. You can set the timeout value to 1-60 seconds.
This is not set by default.
[no] idle-timeout seconds Specifies the number of seconds a connection can remain idle before the ACOS device terminates it. You can specify 1-2097151 seconds (about 24 days).
If you specify 31 seconds or higher, ACOS rounds up to the next multiple of 60 seconds.
The default is 120 seconds.
[no] initial-window-size bytes Sets the initial TCP window size in SYN ACK packets to clients. The TCP window size in a SYN ACK or ACK packet specifies the amount of data that a client can send before it needs to receive an ACK. You can set the initial TCP window size to 1-65535 bytes.
The initial TCP window size applies only to the SYN ACKs sent to the client. After the SYN ACK, the ACOS device does not modify the TCP window size for any other packets in the session.
By default, the ACOS device uses the TCP window size set by the client or server.
[no] insert-client-ip Inserts the client IP address into an options field in the TCP header.
This option is useful for applications that require knowledge of the client IP address, but that do not use HTTP or another protocol such as Financial Information eXchange (FIX) that can include this information.
For example, insertion of the client IP address into the TCP header can be useful for financial applications that do not use FIX.
When this feature is enabled, ACOS places the client IP address into a TCP option field of type 0x1c, with a length of 7 bytes. For example, the value placed by ACOS into the TCP header for client 40.40.40.26 is 0x1c07012828281a.
[no] lan-fast-ack Increases performance of bidirectional peer sessions by acknowledging receipt of data on behalf of clients and servers.
[no] qos num Marks the DSCP (Layer 3) and 802.1p priority (Layer 2) values in client-server SLB traffic. You can set a value from 1 to 63. Based on the value you specify, ACOS marks the traffic as follows:
• Layer 3 marking – ACOS sets the Diffserv Control Point (DSCP) value in the IP header to the value you specify.
• Layer 2 marking – ACOS sets the 802.1p value in the MAC header to the value you specify, divided by 9.
[no] reset-fwd Sends a TCP RST to the real server after a session times out.
This is disabled by default.
[no] reset-rev Sends a TCP RST to the client after a session times out.
If the server is Down, the reset-rev option sends an RST to the client immediately after it receives a packet from the client. It does not wait for the session to time out.
This is disabled by default.


Default The configuration has a default TCP template.

NOTE: In addition to configuring custom TCP templates, you can modify the default TCP
template.

CAUTION: Before changing a default template, make sure the changes you plan to make are
applicable to all virtual ports that use the template.

Mode Configuration mode

Usage The normal form of this command creates a TCP configuration template. The “no” form of
this command removes the template.

You can bind only one TCP template to a virtual port. However, you can bind the same TCP
template to multiple ports.

NOTE: The reset-rev option does not send an RST if a server selection failure occurs. To do this, use the reset-on-server-selection-fail option at the configuration level for the service group or virtual port.

The force-delete-timeout option cannot be used along with the client-SSL or server-SSL template close-notify option. Doing so may cause unexpected behavior.

Example The following commands change the idle timeout in TCP template “tcp-tmpl2” to 120 seconds:

ACOS(config)#slb template tcp tcp-tmpl2
ACOS(config-l4 tcp)#idle-timeout 120

Example The following commands configure a TCP template named “test” that sets the TCP window
size to 1460 bytes, and bind the template to virtual service port 22 on virtual server vs1:

ACOS(config)#slb template tcp test
ACOS(config-l4 tcp)#initial-window-size 1460
ACOS(config-l4 tcp)#exit
ACOS(config)#slb virtual-server vs1 1.1.1.1
ACOS(config-slb vserver)#port 22 tcp
ACOS(config-slb vserver-vport)#template tcp test

Example The following commands configure a TCP template that quickly terminates half-open sessions while allowing active sessions to continue.

ACOS(config)#slb template tcp halfopen-tcp
ACOS(config-l4 tcp)#force-delete-timeout 3 alive-if-active
ACOS(config-l4 tcp)#reset-fwd
ACOS(config-l4 tcp)#reset-rev


slb template tcp-proxy


Description Configure TCP/IP stack parameters.

Syntax [no] slb template tcp-proxy template-name

Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified TCP-proxy
template, where the following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
[no] ack-aggressiveness {high | medium | low} Specifies the cases in which the ACOS device sends an ACK to the client. You can set ACK aggressiveness to one of the following levels:
• high – ACK for each packet
• medium – Delayed ACK, with ACK on each packet with PUSH flag
• low – Delayed ACK
A high ACK aggressiveness helps reduce the delay of interactive client-server applications, but at a cost of more ACKs.
The default aggressiveness is low.
[no] backend-wscale num Specifies the TCP window scaling factor for backend connections to servers. You can specify 1-14.
The TCP window scaling factor is applicable to virtual ports for which the ACOS device acts as a TCP proxy.
The TCP window scaling factor is used to calculate the TCP receive window, which is the maximum amount of data (in bytes) the receiver on a TCP connection will buffer. The sender is not allowed to send more than this amount of data before receiving an acknowledgement that the data has arrived.
The default backend window scaling factor is 1.
[no] dynamic-buffer-allocation Optimally adjusts the transmit and receive buffer sizes of TCP-proxy while maintaining a constant sum of combined values.
By default, this is disabled.
[no] fin-timeout seconds Specifies the number of seconds that a connection can be in the FIN-WAIT or CLOSING state before the ACOS device terminates the connection. You can specify 1-60 seconds.
The default timeout is 5 seconds.

[no] force-delete-timeout seconds Specifies the maximum number of seconds a session can remain active, and forces deletion of any session that is still active after the specified number of seconds.
This option is useful for small, fast transactions for which the completion time of sessions is guaranteed. When used in combination with the reset-fwd and reset-rev options, the force-delete-timeout option can help clean up user connections with RSTs instead of allowing the connections to hang.
The timeout can be 1-31 seconds. The alive-if-active option quickly terminates half-open TCP sessions on the virtual port while allowing active sessions to continue without being terminated.
[no] force-delete-timeout-100ms 100-ms-units Specifies the maximum number of milliseconds a session can remain active, and forces deletion of any session that is still active after the specified number of milliseconds. The timeout can be 1-31 milliseconds.
[no] half-close-idle-timeout seconds Enables aging of half-closed TCP sessions. A half-closed TCP session is a session in which the server sends a FIN but the client does not reply with an ACK. You can set the timeout to 60-15000 seconds.
By default, this is not set. The ACOS device keeps half-closed sessions open indefinitely.
[no] half-open-idle-timeout seconds Enables aging of half-open TCP sessions. A half-open TCP session is one in which the client receives a SYN-ACK, but does not reply with an ACK. You can set the timeout value to 1-60 seconds.
[no] idle-timeout seconds Specifies the number of seconds that a connection can be idle before the ACOS device terminates the connection. You can specify 1-2097151 seconds (about 24 days).
The default idle timeout is 600 seconds.
[no] init-cwnd num Specifies the maximum number of unacknowledged packets that can be sent on a TCP connection. You can specify 1-10. A large initial congestion-control window size helps reduce HTTP response latency, especially for short web pages.
The default is 4 segments.

[no] initial-window-size bytes Sets the initial TCP window size in SYN ACK packets to clients. The TCP window size in a SYN ACK or ACK packet specifies the amount of data that a client can send before it needs to receive an ACK. You can set the initial TCP window size to 1-65535 bytes. The initial TCP window size applies only to the SYN ACKs sent to the client. After the SYN ACK, the ACOS device does not modify the TCP window size for any other packets in the session.
By default, the ACOS device uses the TCP window size set by the client or server:
• If the virtual port is one of the service types that is proxied by the ACOS device, initial TCP window size applies to SYN ACKs generated by the ACOS device and sent to clients. By default, the ACOS device uses the TCP window size in the client’s SYN. The following service types are proxied by the ACOS device: http, https, fast-http, ssl-proxy, and smtp.
• If the virtual port is not one of the service types that is proxied by the ACOS device (for example, the tcp service type), initial TCP window size applies to SYN ACKs generated by servers and forwarded by the ACOS device to clients. By default, the ACOS device uses the TCP window size in the server’s SYN ACK.
NOTE: If SYN cookies are enabled, either globally or on the virtual service port, the ACOS device acts as a TCP proxy even though the service type is not normally proxied. In this case, the behavior is the same as for any of the other service types TCP proxied by the ACOS device.
[no] insert-client-ip Inserts the client IP address into an options field in the TCP header.
This option is useful for applications that require knowledge of the client IP address, but that do not use HTTP or another protocol such as Financial Information eXchange (FIX) that can include this information.
For example, insertion of the client IP address into the TCP header can be useful for financial applications that do not use FIX.
When this feature is enabled, ACOS places the client IP address into a TCP option field of type 0x1c, with a length of 7 bytes. For example, the value placed by ACOS into the TCP header for client 40.40.40.26 is 0x1c07012828281a.
[no] keepalive-interval seconds Number of seconds a TCP-proxy session can remain idle before the ACOS device sends a TCP ACK to the devices on both ends of the session. You can specify 60-12000 seconds.
The default is 75 seconds.
[no] keepalive-probes num Maximum number of times the ACOS device sends a keepalive ACK, before deleting the session. You can specify 2-10 probes.
The default is 9 probes.
[no] mss octets Set the maximum supported TCP Maximum Segment Size (MSS). You can specify 128-1460 octets.
The default MSS is 1460.
[no] nagle Enables Nagle congestion compression (described in RFC 896).

[no] qos num Marks the DSCP (Layer 3) and 802.1p priority (Layer 2) values in client-server SLB traffic. You can set a value from 1 to 63. Based on the value you specify, ACOS marks the traffic as follows:
• Layer 3 marking – ACOS sets the Diffserv Control Point (DSCP) value in the IP header to the value you specify.
• Layer 2 marking – ACOS sets the 802.1p value in the MAC header to the value you specify, divided by 9.
[no] receive-buffer number Specifies the maximum number of bytes addressed to the port that the ACOS device will buffer. You can specify 1-2147483647 bytes.
The default buffer is 51200 bytes.
[no] reno Enables the TCP Reno congestion control algorithm, and disables Cubic.
By default, this is disabled and Cubic is used.
[no] reset-fwd Sends a TCP RST to the real server after a session times out.
[no] reset-rev Sends a TCP RST to the client after a session times out.
[no] retransmit-retries number Specifies the maximum number of times the ACOS device can retransmit a data segment for which the ACOS device does not receive an ACK. You can specify 1-20.
The default number of retransmit tries is 3.
[no] syn-retries number Specifies the maximum number of times the ACOS device can retransmit a SYN for which the Thunder Series does not receive an ACK. You can specify 1-20.
The default is 5.
[no] timewait number Specifies the number of seconds that a connection can be in the TIME-WAIT state before the ACOS device transitions it to the CLOSED state. You can specify 1-60 seconds.
The default is 5 seconds.
[no] transmit-buffer number Specifies the maximum number of bytes sent by the port that the ACOS device will buffer. You can specify 1-2147483647 bytes.
The default is 51200 bytes.
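
The option layout described for insert-client-ip (in both the TCP and TCP-proxy templates) is shown here as an added Python example, not A10 code: it builds the 7-byte option and extracts the client address from a TCP options field on the receiving side. The meaning of the third byte (0x01) is not stated in this reference, so it is treated as a fixed marker copied from the 40.40.40.26 example; the function names and the sample options bytes are constructed for illustration.

```python
import ipaddress
from typing import Iterator, Optional, Tuple

CLIENT_IP_OPTION_KIND = 0x1C   # option type given in this reference
CLIENT_IP_OPTION_LEN = 7       # total option length given in this reference
CLIENT_IP_MARKER = 0x01        # third byte of the page's example; meaning assumed opaque


def build_client_ip_option(client_ip: str) -> bytes:
    """Return the option bytes for an IPv4 client address."""
    addr = ipaddress.IPv4Address(client_ip)
    header = bytes([CLIENT_IP_OPTION_KIND, CLIENT_IP_OPTION_LEN, CLIENT_IP_MARKER])
    return header + addr.packed


def iter_tcp_options(options: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a TCP options field, yielding (kind, data) per option.

    Raises ValueError on a truncated or inconsistent length byte so that a
    malformed header is rejected instead of being read past its end.
    """
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # End of Option List
            return
        if kind == 1:          # No-Operation padding, single byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"bad length {length} for TCP option {kind:#x}")
        yield kind, options[i + 2:i + length]
        i += length


def extract_client_ip(options: bytes) -> Optional[str]:
    """Return the client IPv4 address carried in option 0x1c, or None."""
    for kind, data in iter_tcp_options(options):
        if kind != CLIENT_IP_OPTION_KIND:
            continue
        if len(data) != CLIENT_IP_OPTION_LEN - 2 or data[0] != CLIENT_IP_MARKER:
            raise ValueError("unexpected layout for TCP option 0x1c")
        return str(ipaddress.IPv4Address(data[1:]))
    return None


# Constructed sample: MSS option, two NOPs, the client-IP option, EOL padding.
SAMPLE_OPTIONS = bytes.fromhex("020405b4" "0101" "1c07012828281a" "000000")

if __name__ == "__main__":
    print(build_client_ip_option("40.40.40.26").hex())
    print(extract_client_ip(SAMPLE_OPTIONS))
```

A server should honour this option only on connections that arrive from the ACOS device, since any host that can reach the server directly can set the same option.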

Default See descriptions.

NOTE: In addition to configuring custom TCP-proxy templates, you can modify the default
TCP-proxy template.


CAUTION: Before changing a default template, make sure the changes you plan to make are
applicable to all virtual ports that use the template.

Mode Configuration mode

Usage The normal form of this command creates a TCP-proxy configuration template. The “no”
form of this command removes the template.

You can bind only one TCP-proxy template to a virtual port. However, you can bind the same
TCP-proxy template to multiple ports.

The keepalive feature for TCP-proxy templates periodically verifies that a TCP-proxy session is still up on both ends of the session. The keepalive interval sets the number of seconds a TCP-proxy session can remain idle before the ACOS device sends a TCP ACK to the devices on both ends of the session, and the keepalive probe count sets the maximum number of times the ACOS device sends a keepalive ACK before deleting the session.

The ACOS device sends the first keepalive ACK if a session remains idle for the duration of the
keepalive interval:

• If both devices respond with an ACK before the next keepalive interval expires, the ACOS device resets the keepalive time to 0. This starts a new keepalive interval.
• If either device does not respond with an ACK before the next keepalive interval expires, the action taken by the ACOS device depends on the setting of the keepalive probe count.
  • Keepalive probe count set to a value greater than 1 – The ACOS device sends another ACK to each device.
    - If both devices respond, the ACOS device resets the keepalive time to 0, to begin a new keepalive interval.
    - If either device does not respond, the ACOS device sends another ACK to each device. This action can be repeated up to the configured maximum number of probes (the probe count).
  • Keepalive probe count set to 1 – The ACOS device does not send new probe ACKs. Instead, the ACOS device deletes the session.

Relation of Keepalive to Idle-timeout

The keepalive and idle-timeout options work independently of one another.

By default, the keepalive interval is shorter than the idle timeout. In this case, keepalive
probes are triggered before the idle timeout expires.

• If both devices respond with an ACK before either of the following occurs, the keepalive interval time and the idle time are both reset to 0.
  • Idle timeout expires – If this occurs, the session is deleted, even if the maximum number of keepalive probes have not been sent.
  • Maximum number of keepalive probes are sent, but at least one of the devices still does not respond – In this case, the session is deleted even if the idle timeout has not expired.

If you change the keepalive or idle-timeout settings so that the idle timeout is shorter than
the keepalive interval, the keepalive mechanism is never triggered. The idle timeout always
expires first, causing the session to be deleted. No keepalive probes are ever sent.
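
The interaction of the keepalive and idle-timeout rules above can be traced with a small model, added here as a Python example (not A10 code). It assumes probes are sent exactly one keepalive interval apart, that an answered probe resets both timers at once, and that the idle timeout wins when both timers expire in the same second; the function and field names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    deleted_at: int     # seconds after t=0, when both ends were last heard
    reason: str         # "idle-timeout" or "keepalive-probes"
    probes_sent: int    # keepalive ACK rounds sent before deletion


def simulate_session(keepalive_interval: int = 75,
                     keepalive_probes: int = 9,
                     idle_timeout: int = 600,
                     answered_probes: int = 0) -> Outcome:
    """Trace one TCP-proxy session whose peers go silent.

    The defaults are the tcp-proxy template defaults given in this reference.
    answered_probes is the number of keepalive rounds both ends still answer
    before at least one of them stops responding for good.
    """
    if min(keepalive_interval, keepalive_probes, idle_timeout) < 1:
        raise ValueError("interval, probe count and idle timeout must be >= 1")
    if answered_probes < 0:
        raise ValueError("answered_probes must be >= 0")

    last_heard = 0      # last time both ends responded; both timers restart here
    unanswered = 0      # probes sent since last_heard that got no reply
    sent = 0
    while True:
        # Next keepalive event: a further probe, or the end of the wait
        # that follows the final permitted probe.
        next_event = last_heard + (unanswered + 1) * keepalive_interval
        idle_deadline = last_heard + idle_timeout

        # Assumption: the idle timeout takes precedence on a tie.
        if idle_deadline <= next_event:
            return Outcome(idle_deadline, "idle-timeout", sent)

        # Every permitted probe went out and another interval passed silently.
        if unanswered == keepalive_probes:
            return Outcome(next_event, "keepalive-probes", sent)

        sent += 1
        if answered_probes > 0:
            # Both ends replied: keepalive time and idle time reset to 0.
            answered_probes -= 1
            last_heard, unanswered = next_event, 0
        else:
            unanswered += 1


if __name__ == "__main__":
    print(simulate_session())                      # template defaults
    print(simulate_session(idle_timeout=1200))     # longer idle timeout
    print(simulate_session(keepalive_interval=300, idle_timeout=120))
```

In this model the tcp-proxy defaults (75-second interval, 9 probes, 600-second idle timeout) never exhaust the probe count: a silent peer is removed by the idle timeout at 600 seconds, after seven probes.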

Example The following commands create a TCP-proxy template named “ftp-proxy” and set the idle
timeout to 240 minutes:

ACOS(config)#slb template tcp-proxy ftp-proxy
ACOS(config-tcp proxy)#idle-timeout 240

slb template udp


Description Configure UDP connection settings.

Syntax [no] slb template udp template-name

Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified UDP template,
where the following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command Description
aging {immediate | short [seconds]} Specifies how quickly sessions are terminated when the request is received.
For a description of the immediate and short options, see Table 6.
NOTE: It is recommended to explicitly set the aging in UDP templates used for DNS virtual ports.
[no] idle-timeout seconds Specifies the number of seconds a connection can remain idle before the ACOS device terminates it. You can specify 1-2097151 seconds (about 24 days).
NOTE: The maximum idle timeout supported for TFTP virtual ports is 255 minutes.
The default timeout is 120 seconds.
[no] qos num Marks the DSCP (Layer 3) and 802.1p priority (Layer 2) values in client-server SLB traffic. You can set a value from 1 to 63. Based on the value you specify, ACOS marks the traffic as follows:
• Layer 3 marking – ACOS sets the Diffserv Control Point (DSCP) value in the IP header to the value you specify.
• Layer 2 marking – ACOS sets the 802.1p value in the MAC header to the value you specify, divided by 9.
[no] re-select-if-server-down Configures the ACOS device to select another real server if the server that is bound to an active connection goes down. Without this option, another server is not selected.
[no] stateless-conn-timeout seconds Set the stateless current connection timeout value in seconds (5-120); the default is 120 seconds.


Default The configuration has a default UDP template.

NOTE: In addition to configuring custom UDP templates, you can modify the default UDP
template.

CAUTION: Before changing a default template, make sure the changes you plan to make are
applicable to all virtual ports that use the template.

Mode Configuration mode

Usage The normal form of this command creates a UDP configuration template. The “no” form of
this command removes the template.

You can bind only one UDP template to a virtual port. However, you can bind the same UDP
template to multiple ports.

UDP Session Aging

Table 6 describes UDP session aging in the current release and previous releases.

TABLE 6 UDP Session Aging

Current Release, by aging configuration:

Aging Short
    • Response Received – Session is terminated within 1 second.
    • No Response – Session is terminated after configured short aging period.

Aging Immediate
    • Response Received – Session is terminated within 1 second.
    • No Response – Idle timeout value in UDP template is used.

Not Set (Default)
    • Response Received – Behavior differs based on port number:
        • Port 53 (default DNS port) – Session is terminated within 1 second.
        • Any other port number – Session is terminated after the idle timeout expires.
    • No Response – Idle timeout value in UDP template is used.

NOTE: You can configure aging short or aging immediate, or leave aging unset. Aging
short and aging immediate cannot both be enabled.

If you enable short aging, you can set the aging interval to 1-6 seconds. The default short
aging period is msl.

Example The following commands create a UDP template named “udp-quickterm” and set session
termination to occur immediately after a response is received:

ACOS(config)#slb template udp udp-quickterm
ACOS(config-l4 udp)#aging immediate


slb template virtual-port


Description Configure a template of SLB settings for virtual service ports.

Syntax [no] slb template virtual-port template-name

Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified virtual port
template, where the following commands are available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command
    Description

[no] aflow
    Enables aFlow control. aFlow helps avoid packet drops and retransmissions
    when a real server port reaches its configured connection limit.
    When aFlow is enabled, the ACOS device queues HTTP/HTTPS packets from
    clients when a server port reaches a configured connection limit, instead of
    dropping them. The ACOS device then monitors the port, and begins
    forwarding the queued packets when connections become available again. To
    prevent flooding of the port, the ACOS device forwards the queued packets
    at a steady rate.
    aFlow applies only to HTTP and HTTPS virtual ports.

[no] allow-syn-otherflags
    Allows initial SYN packet with other flags.

[no] allow-vip-to-rport-mapping
    Enables the VIP to Real Port Mapping feature for a subnet VIP.
    NOTE: The virtual port template containing this option must be bound to
    the VIP, and the VIP itself must use a subnet for the last octet (for
    example, 10.10.10.0 /24), or the feature will not work.

[no] conn-limit max-connections [reset] [no-logging]
    Specifies the maximum number of connections allowed on virtual ports
    that use this template.
    • The max-connections option specifies the maximum number of
      concurrent connections, 0-8000000.
    • The reset option specifies the action to take for connections after the
      connection limit is reached on the virtual server port. By default, excess
      connections are dropped. If you change the action to reset, the
      connections are reset instead.
    • The no-logging option disables logging for the feature.
    The default maximum number of connections is 8000000 (8 million).


[no] conn-rate-limit connections [per {100ms | 1sec}] [reset] [no-logging]
    Limits the rate of new connections the ACOS device is allowed to send to
    virtual service ports that use this template. When a virtual service port
    reaches its connection limit, the ACOS device stops selecting the port to
    serve client requests.
    • connections – Maximum number of new connections allowed on the virtual
      service port. You can specify 1-1048575 connections.
    • per {100ms | 1sec} – Specifies whether the connection rate limit
      applies to one-second intervals or 100-ms intervals. The default is
      one-second intervals (1sec).
    • reset – Send a reset (RST) to a client after the connection rate has been
      exceeded. By default (without this option), the ACOS device silently
      drops the request.
    If you configure a limit for a virtual server and also for an individual virtual
    service port, the ACOS device uses the lower limit.
    • The no-logging option disables logging for the feature.
    By default this is not set; when enabled, the default sampling rate is per
    1sec.

[no] drop-unknown-conn
    Drops the connection if a TCP packet without a SYN or RST flag is received
    and the packet does not belong to any existing connection.

[no] dscp num
    Sets the Differentiated Services Code Point (DSCP) value in client requests
    before forwarding them to the server. You can set the DSCP value to 1-63.

[no] ignore-tcp-msl
    Immediately reuses TCP sockets after session termination, without waiting
    for the SLB Maximum Session Life (MSL) time to expire.

[no] reset-l7-on-failover
    Resets a Layer 7 connection upon failover.

[no] reset-unknown-conn
    Enables sending of a TCP Reset (RST) in response to a session mismatch. A
    session mismatch occurs when the ACOS device receives a TCP packet for a
    TCP session that is not in the active session table on the ACOS device. (For
    more information, see the “TCP Reset Option for Session Mismatch” section
    in the “Server and Port Templates” chapter of the Application Delivery and
    Server Load Balancing Guide.)

[no] snat-msl seconds
    Sets the Maximum Segment Life (MSL) for source-NAT connections. This
    option is useful for servers that have older TCP/IP stacks, which wait up to
    240 seconds (4 minutes) after a FIN before the endpoint can enter a new
    connection. You can set the MSL to 1-1800 seconds.

[no] snat-port-preserve
    Attempts to preserve the client’s source port for traffic destined for the
    virtual port.
    NOTES:
    • Port preservation is not always guaranteed and is performed on a
      best-effort basis.
    • Port preservation does not work for FTP active mode sessions.
    • Port preservation works only if source NAT is enabled for the virtual port.

Default The ACOS device has a default virtual port template, called “default”. The default virtual port
template has the same default settings as the individual parameters you can configure in the
template.


NOTE: In addition to configuring custom virtual-port templates, you can modify the
default virtual-port template.

CAUTION: Before changing a default template, make sure the changes you plan to make are
applicable to all virtual ports that use the template.

Mode Configuration mode

Usage The normal form of this command creates a virtual service port template. The no form of this
command removes the template.

You can bind only one virtual service port template to a virtual service port. However, you
can bind the virtual service port template to multiple virtual service ports.

Some of the parameters that can be set using a template can also be set or changed on the
individual virtual port.

• If a parameter is set (or changed from its default) in both a template and on the
  individual virtual port, the setting on the individual virtual port takes precedence.
• If a parameter is set (or changed from its default) in a template but is not set or
  changed from its default on the individual virtual port, the setting in the template takes
  precedence.

If you change the connection limiting configuration on a virtual port or virtual server that
has active sessions, or in a virtual-port or virtual-server template bound to the virtual server
or virtual port, the current connection counter for the virtual port or server in show
command output and in the GUI may become incorrect. To avoid this, do not change the
connection limiting configuration until the virtual server or port does not have any active
connections.

aFlow Operation

aFlow control is triggered when either of the following occurs:

• If connection limit is configured on the real server or real port – The backend real server
or real port reaches its configured connection limit.
• If connection limit is not configured on the real server or real port – The response time
of the backend real server or real port increases dramatically. The response time is the
time between when the ACOS device forwards a request to the server and when the ACOS
device receives the first reply packet from the server.

When aFlow control is triggered, the ACOS device queues request packets instead of
forwarding them to the server. After the response time returns to normal, the ACOS device
sends the queued packets to the server.

NOTE: In the current release, it is recommended to use the first method for triggering
aFlow, by configuring connection limits on the real servers or real ports. The second
method of triggering aFlow is still being refined and is considered to be in Beta status.


Example The following commands configure a virtual service port template named
“common-vpsettings”, set the connection limit, and bind the template to a virtual port:

ACOS(config)#slb template virtual-port common-vpsettings
ACOS(config-vport)#conn-limit 500000
ACOS(config-vport)#exit
ACOS(config)#slb virtual-server vip1 10.10.10.99
ACOS(config-slb vserver)#port 80 http
ACOS(config-slb vserver-vport)#template virtual-port common-vpsettings

Example The following commands create real server “s1” at 5.5.5.1 (with a real port range of 10), real
server “s2” at 5.5.5.2 (with a range of 25), and real server “s3” at 5.5.5.3 (which does not have a
range configured and will not be used for this feature). These real servers are then bound to a
service group “sg1”, which is, in turn, bound to a VIP (“vip3”) at 10.10.10.0 /24. A virtual port
template “vport1” is created with the allow-vip-to-rport-mapping option, and
the template is bound to “vip3”.

ACOS(config)#slb server s1 5.5.5.1
ACOS(config-real server)#port 80 tcp range 10
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
ACOS(config)#slb server s2 5.5.5.2
ACOS(config-real server)#port 80 tcp range 25
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
ACOS(config)#slb server s3 5.5.5.3
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit

ACOS(config)#slb service-group sg1 tcp
ACOS(config-slb svc group)#member s1 80
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#member s2 80
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#member s3 80
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#

ACOS(config)#slb template virtual-port vport1
ACOS(config-vport)#allow-vip-to-rport-mapping
ACOS(config-vport)#exit
ACOS(config)#

ACOS(config)#slb virtual-server vip3 10.10.10.0 /24
ACOS(config-slb vserver)#port 80 tcp
ACOS(config-slb vserver-vport)#service-group sg1
ACOS(config-slb vserver-vport)#template virtual-port vport1
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 90 http
ACOS(config-slb vserver-vport)#service-group sg1
ACOS(config-slb vserver-vport)#template virtual-port vport1
ACOS(config-slb vserver-vport)#exit

slb template virtual-server


Description Configure a template of SLB settings for virtual servers.

Syntax [no] slb template virtual-server template-name

Replace template-name with the name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified virtual server
template, where the following commands are available.


(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 47.)

Command
    Description

[no] conn-limit max-connections [reset] [no-logging]
    Specifies the maximum number of connections allowed on virtual servers
    that use this template.
    • The max-connections option specifies the maximum number of
      concurrent connections, 0-8000000.
    • The reset option specifies the action to take for connections after
      the connection limit is reached on the virtual server. By default,
      excess connections are dropped. If you change the action to reset,
      the connections are reset instead.
    • The no-logging option disables logging for the feature.
    The default is 8000000 (8 million).

[no] conn-rate-limit connections [per {100ms | 1sec}] [reset] [no-logging]
    Limits the rate of new connections the ACOS device is allowed to send
    to servers that use this template. When a real server reaches its
    connection limit, the ACOS device stops selecting the server for client requests.
    • connections – Maximum number of new connections allowed on a server.
      You can specify 1-1048575 connections.
    • per {100ms | 1sec} – Specifies whether the connection rate
      limit applies to one-second intervals or 100-ms intervals. The default
      is one-second intervals (1sec).
    • reset – Send a reset (RST) to a client after the connection rate has
      been exceeded. By default (without this option), the ACOS device
      silently drops the request.
    If you configure a limit for a server and also for an individual port, the
    ACOS device uses the lower limit.
    • The no-logging option disables logging for the feature.
    By default, this is not set; when enabled, the default sampling rate is
    per 1sec.


[no] icmp-rate-limit normal-rate lockup max-rate lockup-time
    Configures ICMP (v4) rate limiting for the virtual server, to protect
    against denial-of-service (DoS) attacks.
    • normal-rate – Maximum number of ICMP packets allowed per
      second. If the virtual server receives more than the normal rate of
      ICMP packets, the excess packets are dropped until the next
      one-second interval begins. The normal rate can be 1-65535 packets per
      second.
    • lockup max-rate – Maximum number of ICMP packets allowed
      per second before the ACOS device locks up ICMP traffic to the
      virtual server. When ICMP traffic is locked up, all ICMP packets are
      dropped until the lockup expires. The maximum rate can be 1-65535
      packets per second. The maximum rate must be larger than the
      normal rate.
    • lockup-time – Number of seconds for which the ACOS device
      drops all ICMP traffic to the virtual server, after the maximum rate is
      exceeded. The lockup time can be 1-16383 seconds.
    By default, this is not set. If you enable it, specifying a maximum rate
    (lockup rate) and lockup time is optional. If you do not specify them,
    lockup does not occur.

[no] icmpv6-rate-limit normal-rate lockup max-rate lockup-time
    Configures ICMPv6 rate limiting for the virtual server, to protect against
    denial-of-service (DoS) attacks.
    • normal-rate – Maximum number of ICMPv6 packets allowed per
      second. If the virtual server receives more than the normal rate of
      ICMPv6 packets, the excess packets are dropped until the next
      one-second interval begins. The normal rate can be 1-65535 packets per
      second.
    • lockup max-rate – Maximum number of ICMPv6 packets allowed
      per second before the ACOS device locks up ICMPv6 traffic to the
      virtual server. When ICMPv6 traffic is locked up, all ICMPv6 packets are
      dropped until the lockup expires. The maximum rate can be 1-65535
      packets per second. The maximum rate must be larger than the
      normal rate.
    • lockup-time – Number of seconds for which the ACOS device
      drops all ICMPv6 traffic to the virtual server, after the maximum rate is
      exceeded. The lockup time can be 1-16383 seconds.
    By default, this is not set. If you enable it, specifying a maximum rate
    (lockup rate) and lockup time is optional. If you do not specify them,
    lockup does not occur.

[no] subnet-gratuitous-arp
    Enables gratuitous ARPs for all VIPs in subnet VIPs. A subnet VIP is a
    range of VIPs created from a range of IP addresses within a subnet.
    This is disabled by default; the ACOS device sends gratuitous ARPs for
    only the first IP address in a subnet VIP.

NOTE: This option applies only to VIPs that are created using a range of subnet IP
addresses. The option has no effect on VIPs created with a single IP address.


Default The ACOS device has a default virtual server template, called “default”. The default virtual
server template has the same default settings as the individual parameters you can configure
in the template.

NOTE: In addition to configuring custom virtual-server templates, you can modify the
default virtual-server template.

CAUTION: Before changing a default template, make sure the changes you plan to make are
applicable to all virtual ports that use the template.

Mode Configuration mode

Usage The normal form of this command creates a virtual server template. The no form of this
command removes the template.

You can bind only one virtual server template to a virtual server. However, you can bind the
virtual server template to multiple virtual servers.

Some of the parameters that can be set using a template can also be set or changed on the
individual virtual server.

• If a parameter is set (or changed from its default) in both a template and on the
  individual virtual server, the setting on the individual virtual server takes precedence.
• If a parameter is set (or changed from its default) in a template but is not set or
  changed from its default on the individual virtual server, the setting in the template
  takes precedence.

If you change the connection limiting configuration on a virtual port or virtual server that
has active sessions, or in a virtual-port or virtual-server template bound to the virtual server
or virtual port, the current connection counter for the virtual port or server in show
command output and in the GUI may become incorrect. To avoid this, do not change the
connection limiting configuration until the virtual server or port does not have any active
connections.

Example The following commands configure a virtual server template called “vs-tmplt1” that sets
ICMP rate limiting and bind the template to a virtual server:

ACOS(config)#slb template virtual-server vs-tmplt1
ACOS(config-vserver)#icmp-rate-limit 25000 lockup 30000 60
ACOS(config-vserver)#exit
ACOS(config)#slb virtual-server vip1 10.10.10.2
ACOS(config-slb virtual server)#template virtual-server vs-tmplt1
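
The interaction between the normal rate, the lockup maximum rate and the lockup time described for icmp-rate-limit can be checked against a small model before choosing values. The following Python sketch is an added illustration, not ACOS code: it assumes that every arriving packet counts toward the per-second total and that lockup lasts lockup-time seconds from the packet that exceeds the maximum rate. The class name, function name and the small sample rates are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable, Optional

FORWARD, DROP_RATE, DROP_LOCKUP = "forward", "drop-rate", "drop-lockup"


@dataclass
class IcmpRateLimitModel:
    """Hypothetical model of 'icmp-rate-limit normal-rate lockup max-rate lockup-time'."""
    normal_rate: int                    # packets per second forwarded before excess is dropped
    max_rate: Optional[int] = None      # packets per second that trigger lockup (optional)
    lockup_time: Optional[int] = None   # seconds all ICMP is dropped once locked up (optional)
    _window: int = field(default=-1, init=False, repr=False)
    _seen: int = field(default=0, init=False, repr=False)
    _locked_until_ms: int = field(default=0, init=False, repr=False)

    def __post_init__(self) -> None:
        # Ranges and the max-rate > normal-rate rule are taken from the command description.
        if not 1 <= self.normal_rate <= 65535:
            raise ValueError("normal-rate must be 1-65535")
        if (self.max_rate is None) != (self.lockup_time is None):
            raise ValueError("lockup needs both max-rate and lockup-time")
        if self.max_rate is not None:
            if not 1 <= self.max_rate <= 65535:
                raise ValueError("max-rate must be 1-65535")
            if self.max_rate <= self.normal_rate:
                raise ValueError("max-rate must be larger than normal-rate")
            if not 1 <= self.lockup_time <= 16383:
                raise ValueError("lockup-time must be 1-16383")

    def offer(self, now_ms: int) -> str:
        """Classify one ICMP packet arriving at now_ms (milliseconds)."""
        if now_ms < self._locked_until_ms:
            return DROP_LOCKUP                      # lockup active: everything is dropped
        window = now_ms // 1000                     # one-second accounting interval
        if window != self._window:
            self._window, self._seen = window, 0    # new interval: counter starts over
        self._seen += 1                             # assumption: dropped packets count too
        if self.max_rate is not None and self._seen > self.max_rate:
            self._locked_until_ms = now_ms + self.lockup_time * 1000
            return DROP_LOCKUP
        if self._seen > self.normal_rate:
            return DROP_RATE                        # excess dropped until next interval
        return FORWARD


def replay_arrivals(model: IcmpRateLimitModel, arrivals_ms: Iterable[int]) -> Counter:
    """Run a list of arrival times through the model and count the verdicts."""
    return Counter(model.offer(t) for t in arrivals_ms)


# Constructed sample: 10 packets within the first second, then single packets later.
BURST_THEN_PROBES_MS = [i * 50 for i in range(10)] + [1000, 2000, 3000, 3500]

if __name__ == "__main__":
    with_lockup = IcmpRateLimitModel(normal_rate=5, max_rate=8, lockup_time=3)
    without_lockup = IcmpRateLimitModel(normal_rate=5)
    print("with lockup:   ", dict(replay_arrivals(with_lockup, BURST_THEN_PROBES_MS)))
    print("without lockup:", dict(replay_arrivals(without_lockup, BURST_THEN_PROBES_MS)))
```

With lockup configured, the later single packets are dropped as well until the lockup expires, so monitoring that relies on ICMP to the VIP is affected for the whole lockup time, not only for the second in which the burst arrived.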



Config Commands: SLB Servers

This chapter describes the commands for configuring SLB servers.

To access this configuration level, enter the slb server server-name command at the global Config level.

To display configured servers, use the show slb server command.

NOTE: The commands in this chapter apply to real servers, not to virtual servers. To configure
virtual servers, see “Config Commands: SLB Virtual Servers” on page 633.

This CLI level also has the following commands, which are available at all configuration levels:

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• do – See “do” on page 90.

• end – See “end” on page 93.

• exit – See “exit” on page 95.

• no – See “no” on page 135.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

alternate
Description Assign an alternate server as a dedicated backup for a primary server.

Syntax [no] alternate sequence-num server-name

Parameter Description
sequence-num Priority of the server as a backup. You can specify 1-16.
server-name Name of the alternate server.

Default Not set

Mode Real server

Usage You can assign up to 16 alternate servers to a primary server. Only 1 alternate server for a
given primary server can be active at a time.


This feature places an alternate server into service only if the primary server goes down.
Other features such as connection limiting or connection-rate limiting cannot cause an
alternate server to be used.

Do not add alternate servers to the service group.

For more information, see the “Alternate Servers for Server-specific Backup” chapter in the
Application Delivery and Server Load Balancing Guide.

conn-limit
Description Specify the maximum number of concurrent connections allowed on a real server.

Syntax [no] conn-limit max-connections

Replace max-connections with the maximum number of concurrent connections allowed
on the server. You can specify 1-8000000 (eight million).

Default 8000000

Mode Real server

Usage If you set a connection limit, A10 Networks recommends that you also set the conn-resume
interval. (See “conn-resume” on page 604.)

You also can set the connection limit on individual protocol ports. In this case, the limit
specified for the port overrides the limit set at the server level.

Example The following command sets the connection limit to 10,000:

ACOS(config)#slb server rs123
ACOS(config-real server)#conn-limit 10000

conn-resume
Description Specify the maximum number of connections the server can have before the ACOS device
resumes use of the server. Use does not resume until the number of connections reaches the
configured maximum or less.

Syntax [no] conn-resume connections

Replace connections with the maximum number of connections the server can have before
the ACOS device resumes use of the server. You can specify 1-1000000 (1 million)
connections.

Default By default, this option is not set. The ACOS device is allowed to start sending new
connection requests to the server as soon as the number of connections on the server falls back
below the connection limit threshold set by the conn-limit command.

Mode Real server


Usage You also can set the conn-resume value on individual protocol ports. In this case, the value
specified for the port overrides the value set at the server level.

Example The following command sets the conn-resume option to 500,000 connections:

ACOS(config)#slb server rs123
ACOS(config-real server)#conn-resume 500000
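
The difference between the default behavior (resume as soon as the count falls below conn-limit) and a configured conn-resume threshold is easiest to see on a server that hovers at its limit. The following Python sketch is an added illustration, not ACOS code: it models a single real server, treats a server that has reached conn-limit as not selectable, and counts how often the server moves in and out of selection. The class name, function name, the event trace and the small limits are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class RealServerModel:
    """Hypothetical model of conn-limit / conn-resume on one real server."""
    conn_limit: int = 8000000           # documented default
    conn_resume: Optional[int] = None   # not set by default
    current: int = 0                    # concurrent connections on the server
    suspended: bool = False             # True while the server is not selected
    transitions: int = 0                # number of suspend/resume state changes

    def __post_init__(self) -> None:
        # Ranges are the ones given for the real-server level commands.
        if not 1 <= self.conn_limit <= 8000000:
            raise ValueError("conn-limit must be 1-8000000")
        if self.conn_resume is not None and not 1 <= self.conn_resume <= 1000000:
            raise ValueError("conn-resume must be 1-1000000")

    def open(self) -> bool:
        """A new client connection wants this server. Returns True if it is used."""
        if self.suspended:
            return False                # load balancer skips this server
        self.current += 1
        if self.current >= self.conn_limit:
            self.suspended = True       # limit reached: stop selecting the server
            self.transitions += 1
        return True

    def close(self) -> None:
        """One existing connection on this server ends."""
        if self.current == 0:
            return
        self.current -= 1
        if not self.suspended:
            return
        if self.conn_resume is None:
            may_resume = self.current < self.conn_limit    # default behavior
        else:
            may_resume = self.current <= self.conn_resume  # "configured maximum or less"
        if may_resume:
            self.suspended = False
            self.transitions += 1


def replay_connections(model: RealServerModel, events: str) -> Tuple[int, int, int]:
    """Replay 'o' (open) and 'c' (close) events; return (accepted, skipped, transitions)."""
    accepted = skipped = 0
    for ev in events:
        if ev == "o":
            if model.open():
                accepted += 1
            else:
                skipped += 1
        elif ev == "c":
            model.close()
        else:
            raise ValueError(f"unknown event {ev!r}")
    return accepted, skipped, model.transitions


# Constructed trace: fill the server, hover at the limit, drain, then one new request.
TRACE = "o" * 10 + "co" * 4 + "c" * 5 + "o"

if __name__ == "__main__":
    print("default    :", replay_connections(RealServerModel(conn_limit=10), TRACE))
    print("conn-resume:", replay_connections(RealServerModel(conn_limit=10, conn_resume=5), TRACE))
```

In this trace the server without conn-resume changes state ten times while hovering at its limit, whereas the server with conn-resume 5 changes state twice and is skipped until it has drained to the resume threshold.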

disable
Description Disable a real server.

Syntax [no] disable

Default Enabled

Mode Real server

Example The following commands disable a server named “rs123”:

ACOS(config)#slb server rs123
ACOS(config-real server)#disable

disable-with-health-check
Description Disable a service-group member from normal server selection, but still maintain the health
of the server.

This feature is ideal if you periodically need to take active servers out of service pools for
maintenance, but this maintenance is done through a remote client. The feature allows you
to access these servers using the same front-end VIP in the presence of a persistent cookie
template or LB::reselect aFleX command.

This feature is available in ACOS 2.7.2-P2 and later, and ACOS 4.0.1 and later.

Syntax disable-with-health-check

Default This feature is not enabled by default.

Mode Real server

Usage In addition to real server configuration mode, this command is also available from the
following modes:
• Real server port configuration (see “port” on page 608)
• Service-group member (see “member” on page 618)

Example The following example configures health monitor “hm1” to use the ICMP transparent health
method, and applies the monitor to a TCP port on real server “realserver1”. The
disable-with-health-check option is enabled at the SLB server configuration level.

ACOS(config)#health monitor hm1
ACOS(config-health:monitor)#method icmp transparent 1.0.0.1
ACOS(config-health:monitor)#exit
ACOS(config)#slb server realserver1 10.1.1.2
ACOS(config-real server)#disable-with-health-check
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#health-check hm1
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
ACOS(config)#slb service-group sg1 tcp
ACOS(config-slb svc group)#member realserver1 80
ACOS(config-slb svc group-member:80)#

enable
Description Re-enable a real server.

Syntax [no] enable

Default Enabled

Mode Real server

Example The following commands re-enable a disabled server named “rs123”:

ACOS(config)#slb server rs123
ACOS(config-real server)#enable

extended-stats
Description Enable collection of peak connection statistics for a server.

Syntax [no] extended-stats

Default Disabled

Mode Real server


external-ip
Description Assign an external Network Address Translation (NAT) IP address to the server. The external IP
address allows a server that has an internal IP address to be reached from outside the
internal network.

Syntax [no] external-ip ipaddr

Default None

Mode Real server

Example The following commands configure external IP address 192.168.10.11 on real server “rs123”:

ACOS(config)#slb server rs123
ACOS(config-real server)#external-ip 192.168.10.11

health-check
Description Enable health monitoring for a server.

Syntax [no] health-check monitor-name

Replace monitor-name with the name of a configured health monitor.

If you omit this command, the default ICMP health monitor is used. (See below.)

Default ICMP ping (echo request), sent every 5 seconds. If the ping fails 4 times consecutively (the
first attempt followed by 3 retries), the ACOS device sets the server state to DOWN.

Mode Real server

Usage Entering the command at this level enables Layer 3 health checking. The monitor you specify
must use the ICMP method.

Example The following command sets a server to use the “RUthere” health monitor:

ACOS(config)#slb server rs123
ACOS(config-real server)#health-check RUthere

health-check-disable
Description Disable health monitoring of the server.

Syntax [no] health-check-disable

Default The default Layer 3 health method (ping) is used by default.


ipv6
Description Assign an IPv6 address to the real server for GSLB.

Syntax [no] ipv6 ipv6addr

Default None

Mode Real server

port
Description Configure a TCP or UDP port on a server.

Syntax [no] port port-num {tcp | udp} [range num]

Parameter
    Description

port-num
    Protocol port number, 0-65534.
    NOTE: Port number 0 is a wildcard port used for IP protocol load
    balancing. (For more information, see the “IP Protocol Load Balancing”
    chapter of the Application Delivery and Server Load Balancing Guide.)

tcp | udp
    Protocol type.
    NOTE: If you are configuring a port for NetFlow, use UDP. TCP is not
    supported for NetFlow.

range num
    Specifies the range of real ports you want to create within the real
    server configuration. This value can range from 0-254.
    NOTE: The port number (port-num) specified will be the base number
    for the range of real ports.

This command changes the CLI to the configuration level for the specified port, where the
following port-related commands are available:

Command
    Description

[no] alternate sequence-num server-name port portnum
    Configure an alternate port for the primary port. The sequence-num and
    server-name can be 1-16. (For more information, see “Dedicated Backups for Real
    Server Ports” in the Application Delivery and Server Load Balancing Guide.)

[no] conn-limit max-connections
    Specifies the maximum number of concurrent connections allowed on the
    server for this port, 0-8000000 (eight million).
    The default is 8000000.


[no] conn-resume connections
    Specifies the maximum number of connections the service port can have
    before the ACOS device resumes use of the port. Use does not resume until the
    number of connections reaches the configured maximum or less. You can
    specify 1-1000000 (1 million) connections.
    By default, this option is not set. The ACOS device is allowed to start sending
    new connection requests to the service port as soon as the number of
    connections on the port falls back below the connection limit threshold set by the
    conn-limit command.

disable
    Disables the port.

disable-with-health-check
    Disable the member service port, but maintain the server’s health check status.
    This feature is introduced in ACOS 2.7.2-P2 and later, and ACOS 4.0.1 to allow
    you to disable a service-group member’s port from normal server selection, but
    still maintain the health of the server.
    This feature is ideal if you periodically need to take active servers out of service
    pools for maintenance, but this maintenance is done through a remote client.
    The feature allows you to access these servers using the same front-end VIP in
    the presence of a persistent cookie template or LB::reselect aFleX command.

enable
    Enables the port.

[no] extended-stats
    Enables collection of SLB peak connection statistics for the port.

[no] health-check monitor-name
    Enables health monitoring of the port. The monitor-name specifies the name of
    a configured health monitor.
    If you omit this command or you enter it without the monitor-name option, the
    default TCP or UDP health monitor is used:
    • TCP – Every 5 seconds, the ACOS device sends a connection request (TCP
      SYN) to the specified TCP port on the server. The port passes the health
      check if the server replies to the ACOS device by sending a TCP SYN ACK.
    • UDP – Every 5 seconds, the ACOS device sends a packet with a valid UDP
      header and a garbage payload to the UDP port. The port passes the health
      check if the server either does not reply, or replies with any type of packet
      except an ICMP Error message.

[no] health-check-follow-port port-num {tcp | udp}
    Specifies another real port upon which to base this port’s health status. Both
    the real port and the port to use for the real port’s health status must be the
    same type, TCP or UDP. By default, this option is not set.

[no] health-check-disable
    Disables health monitoring of the port.

[no] no-ssl
    Disables SSL for server-side connections. This command is useful if a server-SSL
    template is bound to the virtual port that uses this real port, and you want to
    disable encryption on this real port.
    Encryption is disabled by default, but it is enabled for server-side connections
    when the real port is used by a virtual port that is bound to a server-SSL
    template.
    Using the double-negative form of the command (no no-ssl) enables SSL for
    server-side connections.

[no] service-principal-name string [...]
Specifies the Kerberos principal name of this server port. This is the ACOS client name
presented to the application server.
NOTE: This option applies to Application Access Management (AAM).

stats-data-disable | stats-data-enable
Disable or enable statistical data collection for the port.

[no] template {port template-name | server-ssl template-name}
The port option binds a port template to the port. The parameter settings in the template are
applied to the port.
The real port template named “default” is bound to real ports by default. The parameter
settings in the default real port template are automatically applied to the port, unless you
bind a different real port template to the port.
If a parameter is set individually on this port and also is set in a port template bound to
this port, the individual setting on this port is used instead of the setting in the template.
To configure a port template, see “slb template port” on page 563.
The server-ssl option binds a server-side SSL template to the port. The parameter settings in
the template are applied to the port. This may be useful in cases where the real servers load
balanced by a VIP have different SSL settings.

[no] weight number
Specifies the load-balancing preference for this port, 1-100. A higher weight gives more favor
to this server for this port relative to the other servers. Default is 1.
This option applies only to the service-weighted-least-connection load-balancing method.

Default No ports are configured by default. The defaults for the command options are described
with the options, above. Statistical data collection of load-balancing resources is enabled by
default.

Mode Real server

The no form of this command resets the port’s connection limit, health monitoring, or
weight to its default value. To collect statistical data for a load-balancing resource, statistical
data collection also must be enabled globally. (See “slb common” on page 488.)

Usage Include the range option for each real server that will be included in the service group, but
only if you want that real server to be included in the mapping feature. The service group
can be “mixed”. That is, some real servers within a service group can have the range option
set, but it is not mandatory for all servers in a service group to be configured for “VIP to real
port mapping”.

Example The following commands configure server “terap” and add TCP port 69 to the server. The
health-check command is not entered, so by default the ACOS device will check the service
port’s health by sending a connection request to 69 on terap every 30 seconds.

ACOS(config)#slb server terap 10.2.4.69
ACOS(config-real server)#port 69 tcp
ACOS(config-real server-node port)#

Example The following commands bind the server-SSL template directly to TCP port 80 on the real
server at IP 10.8.8.8:

ACOS(config)#slb server rs88 10.8.8.8
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#template server-ssl server-ssl1

Example The following example configures health monitor “hm1” to use the ICMP transparent health
method, and apply the monitor to a TCP port on real server “realserver1”. The
disable-with-health-check option is enabled at the SLB server port configuration level.

ACOS(config)#health monitor hm1
ACOS(config-health:monitor)#method icmp transparent 1.0.0.1
ACOS(config-health:monitor)#exit
ACOS(config)#slb server realserver1 10.1.1.2
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#health-check hm1
ACOS(config-real server-node port)#disable-with-health-check
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
ACOS(config)#slb service-group sg1 tcp
ACOS(config-slb svc group)#member realserver1 80
ACOS(config-slb svc group-member:80)#

slow-start
Description Enable slow-start for a server. Slow start allows time for a server to ramp up after the server is
enabled or comes online, by temporarily limiting the number of new connections on the
server.

NOTE: It is recommended to configure this feature in the real server template or real port
template instead. See the “Behavior When Slow Start Is Also Configured on the Real
Server Itself” section in the “Server and Port Templates” chapter of the Application
Delivery and Server Load Balancing Guide.

Syntax [no] slow-start

Default Disabled

Mode Real server

Usage Slow-start allows a maximum of 128 new connections during the first interval (anywhere
between 0 and 10 seconds). During each subsequent 10-second interval, the total number
of concurrent connections allowed to the server is doubled. Thus, during the first 20 seconds,
the server is allowed to have a total of 256 concurrent connections. After 59 seconds,
slow-start ends the ramp-up and no longer limits the number of concurrent connections.

After the ramp-up period ends, the number of new connections is controlled by the conn-limit
setting. (See “conn-limit” on page 604 and the description of conn-limit in “port” on
page 608.)

Slow-start is also configurable in server and port templates. (See “slb template server” on
page 569 and “slb template port” on page 563.)

Example The following command enables slow-start:

ACOS(config)#slb server rs123
ACOS(config-real server)#slow-start

spoofing-cache
Description Enable support for a spoofing cache server. A spoofing cache server uses the client’s IP
address instead of its own as the source address when obtaining content requested by the
client.

Syntax [no] spoofing-cache

Default Disabled

Mode Real server

Usage This command applies to the Transparent Cache Switching (TCS) feature. For more
information about TCS, including additional configuration requirements and examples, see the
“Transparent Cache Switching” chapter in the Application Delivery and Server Load Balancing
Guide.

Example The following commands configure a real server for a spoofing cache server:

ACOS(config)#slb server cache-rs 110.110.110.10
ACOS(config-real server)#spoofing-cache
ACOS(config-real server)#port 80 tcp

stats-data-disable
Description Disable collection of statistical data for the server.

Syntax stats-data-disable

Default Statistical data collection for load-balancing resources is enabled by default.

Mode Real server


stats-data-enable
Description Enable collection of statistical data for the server.

Syntax stats-data-enable

Default Statistical data collection for load-balancing resources is enabled by default.

Mode Real server

Usage To collect statistical data for a load-balancing resource, statistical data collection also must be
enabled globally. (See “slb common” on page 488.)

template server
Description Bind a real server template to the server.

Syntax [no] template server template-name

Default The real server template named “default” is bound to servers by default. The parameter
settings in the default real server template are automatically applied to the new server, unless
you bind a different real server template to the server.

Mode Real server

Usage If a parameter is set individually on this server and also is set in a server template bound to
this server, the individual setting on this server is used instead of the setting in the template.

To configure a real server template, see “slb template server” on page 569.

Example The following commands configure a real server template called “rs-tmplt1” and bind the
template to two real servers:

ACOS(config)#slb template server rs-tmplt1
ACOS(config-rserver)#health-check ping2
ACOS(config-rserver)#conn-limit 500000
ACOS(config-rserver)#exit
ACOS(config)#slb server rs1 10.1.1.99
ACOS(config-real server)#template server rs-tmplt1
ACOS(config-real server)#exit
ACOS(config)#slb server rs2 10.1.1.100
ACOS(config-real server)#template server rs-tmplt1

weight
Description Assign an administrative weight to the server, for weighted load balancing.

Syntax [no] weight num

Replace num with the administrative weight assigned to the server. You can specify 1-100.


Default 1

Mode Real server

Usage This parameter applies only to the weighted-least-connection and weighted-rr
(weighted round robin) load-balancing methods.

Example The following commands assign a weight of 20 to a server:

ACOS(config)#slb server 10.10.10.5
ACOS(config-real server)#weight 20



Config Commands: SLB Service Groups

This chapter describes the commands for configuring SLB service groups.

To access this configuration level, enter the slb service-group command at the Global configuration level.

To display configured service groups, use the slb service-group ? command.

This CLI level also has the following commands, which are available at all configuration levels:

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• do – See “do” on page 90.

• end – See “end” on page 93.

• exit – See “exit” on page 95.

• no – See “no” on page 135.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

backup-server-event-log
Description Enable log messages to indicate when a backup service-group member is placed into
service or is removed from service.

Syntax [no] backup-server-event-log

Default Disabled

Mode Service group

A backup member is a member that has a lower priority than the primary (highest priority)
members of the same service group. The ACOS device will not use a lower-priority member
(backup server) unless high priority members (primary servers) exceed their connection
limits or connection-rate limits, or are down.

The backup-server-event-log command generates a log message when a backup
service-group member is placed into service for either of the following reasons:

• The connection limit on the primary servers or member ports is exceeded.
• The primary servers or member ports go down.


Likewise, the command generates a log message when a backup service-group member is
removed from service, and a primary server is returned to service for either of the following
reasons:

• The primary server or member port’s connection-resume limit is reached.
• The primary server or member port comes back up.

Generation of log messages for these events is rate-limited to once per minute. The events
described in a message occur at some point within the 60 seconds prior to the log message’s
timestamp.

NOTE: By default, the backup servers are placed into service only when both primary servers
exceed their connection limits or go down. You can use the min-active-member
command to allow secondary servers to be placed into service even when
some primary servers are still available. (See “min-active-member” on page 625.)

SNMP Trap Requirements

To also generate SNMP notifications, the following SLB traps must be enabled:

• slb server-conn-limit
• slb server-conn-resume
• slb service-conn-limit
• slb service-conn-resume

(See “snmp-server enable” on page 162.)

Log Message Examples

A message such as the following is generated when a backup member is placed into service:

Enabled new connections on server rs-backup1 port 80 in sg1 group

In this example, member rs-backup1 in service group sg1 is placed into service.

When the backup member is removed from service, a message such as one of the following
is generated:

Disabled new connections on backup server(s) on group sg1, resume primary server rs1 port 80

Disabled new connections on backup server(s), resume primary server rs1 port 80

In the first message, the service group name is included. The service group name is not
included in the second message.

• If the primary server is a member of only one service group, or the service group can
otherwise be determined, the first message is used.
• If the primary server is a member of more than one service group, and the service
group can not be determined, the second message is used.
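
The message forms above can be paired into failover intervals for monitoring. The following Python is an added example, not A10 code: the timestamp prefix, the sample lines, and the names parse_line and failover_windows are assumptions made for illustration. When a resume message omits the service group, the group is inferred only if exactly one open failover uses the same port.

```python
import re
from datetime import datetime, timedelta

# Message bodies follow the forms documented above. The timestamp prefix is an
# assumption about how the log collector stores each line, not an ACOS format.
ENABLED = re.compile(
    r"Enabled new connections on server (?P<server>\S+) port (?P<port>\d+) "
    r"in (?P<group>\S+) group")
RESUMED = re.compile(
    r"Disabled new connections on backup server\(s\)"
    r"(?: on group (?P<group>[^\s,]+))?, resume primary server "
    r"(?P<server>\S+) port (?P<port>\d+)")

# Messages are rate-limited to one per minute, so the event happened somewhere
# in the 60 seconds before the logged timestamp.
RATE_LIMIT = timedelta(seconds=60)

# Constructed sample lines (not captured from a device).
SAMPLE_LOG = """\
2015-05-13 10:00:05 Enabled new connections on server rs-backup1 port 80 in sg1 group
2015-05-13 10:07:41 Disabled new connections on backup server(s) on group sg1, resume primary server rs1 port 80
2015-05-13 11:15:00 Enabled new connections on server rs-backup2 port 443 in sg2 group
2015-05-13 11:20:30 Disabled new connections on backup server(s), resume primary server rs9 port 443
2015-05-13 12:00:00 Enabled new connections on server rs-backup1 port 80 in sg1 group
"""


def parse_line(line):
    """Return a dict for a backup-server event, or None for any other line."""
    line = line.strip()
    try:
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    for kind, pattern in (("backup_in", ENABLED), ("primary_resumed", RESUMED)):
        m = pattern.search(line[19:])
        if m:
            return {"kind": kind, "ts": ts, "earliest": ts - RATE_LIMIT,
                    "server": m["server"], "port": int(m["port"]),
                    "group": m["group"]}
    return None


def failover_windows(lines):
    """Pair each 'backup placed into service' event with the matching resume.

    Returns (closed, still_open, unattributed).
    """
    open_by_group = {}
    closed, unattributed = [], []
    for ev in filter(None, map(parse_line, lines)):
        if ev["kind"] == "backup_in":
            open_by_group.setdefault(ev["group"], ev)
            continue
        group = ev["group"]
        if group is None:
            # Second message form: the device could not name the group. Infer
            # it only when exactly one open failover uses the same port.
            matches = [g for g, e in open_by_group.items()
                       if e["port"] == ev["port"]]
            group = matches[0] if len(matches) == 1 else None
        start = open_by_group.pop(group, None)
        if start is None:
            unattributed.append(ev)
            continue
        delta = int((ev["ts"] - start["ts"]).total_seconds())
        closed.append({
            "group": group, "backup": start["server"], "primary": ev["server"],
            "port": ev["port"], "group_inferred": ev["group"] is None,
            # Each timestamp may lag its event by up to 60 s, hence the bounds.
            "min_seconds": max(0, delta - 60), "max_seconds": delta + 60,
        })
    return closed, list(open_by_group.values()), unattributed


if __name__ == "__main__":
    done, pending, orphans = failover_windows(SAMPLE_LOG.splitlines())
    for window in done:
        print(window)
    print("still on backup:", [(e["group"], e["server"]) for e in pending])
    print("unattributed resume messages:", len(orphans))
```

Because of the once-per-minute rate limit, the interval lengths are reported as bounds rather than exact durations.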


extended-stats
Description Enable collection of peak connection statistics for a service group.

Syntax [no] extended-stats

Default Disabled

Mode Service group

health-check
Description Use a health monitor to check the health of all members of the service group.

Syntax [no] health-check monitor-name

Replace monitor-name with the health monitor to use.

Default None

Mode Service group

Usage The health monitor is used to test the health of all members of the service group, including
any members that are added in the future.

Service group health status applies only within the context of the service group. For
example, a health check of the same port from another service group can result in a different
health status, depending on the resource requested by the health check.

Health checks can be applied to the same resource (real server or port) at the following
levels:

• In a service group that contains the server and port as a member
• In a server or server port configuration template that is bound to the server or port
• Directly on the individual server or port

In cases where health checks are applied at multiple levels, they have the following priority:

1. Health check on real server
2. Health check on real server’s port
3. Health check on service group

If a health check at the real server level (1) fails, the corresponding real server, real server port,
and service group members are marked Down. However, if a health check on the service
group level (3) fails, only that service group member in that service group is marked Down.

Example The following commands configure a health monitor and apply it to a service group:

ACOS(config)#health monitor qrs
ACOS(config-health:monitor)#method http url GET /media-qrs/index.html
ACOS(config-health:monitor)#exit
ACOS(config)#slb service-group qrs tcp
ACOS(config-slb svc group)#member media-rs 80
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#health-check qrs

health-check-disable
Description Disable health monitoring of the service group.

Syntax [no] health-check-disable

Default Health checking is enabled by default.

member
Description Add a server to a service group.

Syntax [no] member server-name portnum

Parameter Description
server-name portnum Name of the real server you want to add to the service group. This server must already
exist on the system.
portnum Protocol port number on the server.

This command drops you into a sub-configuration mode, where the following additional
commands are available:

Parameter Description
enable Enable the server and port for this service-group only.
disable Disable the server and port for this service-group only.
disable-with-health-check Disable the member server, but maintain the server’s health check status.
This feature is introduced in ACOS 2.7.2-P2 and later, and ACOS 4.0.1 to allow you
to disable a service-group member from normal server selection, but still maintain
the health of the server.
This feature is ideal if you periodically need to take active servers out of service
pools for maintenance, but this maintenance is done through a remote client. The
feature allows you to access these servers using the same front-end VIP in the
presence of a persistent cookie template or LB::reselect aFleX command.
priority num Sets the preference for this server and port, 1-16. The highest priority is 16.

sampling-enable param Enable baselining. The following parameters are available:
• all - All connections.
• curr_conn - Current connections.
• total_fwd_bytes - Total forward bytes.
• total_fwd_pkts - Total forward packets.
• total_rev_bytes - Total reverse bytes.
• total_rev_pkts - Total reverse packets.
• total_conn - Total connections.
• total_rev_pkts_inspected - Total reverse packets inspected.
• total_rev_pkts_inspected_status_code_2xx - Total reverse packets inspected
(status code 2xx).
• total_rev_pkts_inspected_status_code_non_5xx - Total reverse packets
inspected (status code non 5xx).
• curr_req - Current requests.
• total_req - Total requests.
• total_req_succ - Total requests successful.
• peak_conn - Peak connections.
• response_time - Response time.
• fastest_rsp_time - Fastest response time.
• slowest_rsp_time - Slowest response time.
stats-data-disable Disable statistical data collection for the service-group member.
template template-name Binds a real port template to this member port.
NOTE: The port template option slow-start is not supported if the port template
is applied using this command.

Default There are no servers in a service group by default. When you add a server and port to the
service group, the default state is enabled and the default priority is 1. Statistical data
collection of load-balancing resources is enabled by default.

To configure a real port template, see “slb template port” on page 563.

Mode Service group

Usage The normal form of this command adds a configured server to the service group. The “no”
form of this command removes the server from the group.

If you disable or re-enable a port, the state change applies only to this service group. The
state of the port is unchanged in other service groups.

To collect statistical data for a load-balancing resource, statistical data collection also must be
enabled globally. (See “slb common” on page 488.)

Example The following commands add servers “s1” and “s2” to service group “sgroup1”:

ACOS(config)#slb service-group sgroup1
ACOS(config-slb svc group)#member s1 80
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#member s2 80
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#

Example The following command adds a member server and port to a service group and binds a real
port template to the port:

ACOS(config-slb svc group)#member rs1 80
ACOS(config-slb svc group-member:80)#template rptemplate1

Example The following example configures health monitor “hm1” to use the ICMP transparent health
method, and apply the monitor to a TCP port on real server “realserver1”. Then, the
disable-with-health-check option is enabled at the service group member configuration
level.

ACOS(config)#health monitor hm1
ACOS(config-health:monitor)#method icmp transparent 1.0.0.1
ACOS(config-health:monitor)#exit
ACOS(config)#slb server realserver1 10.1.1.2
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#health-check hm1
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
ACOS(config)#slb service-group sg1 tcp
ACOS(config-slb svc group)#member realserver1 80
ACOS(config-slb svc group-member:80)#disable-with-health-check

method
Description Set the load-balancing method for a service group.

Syntax [no] method lb-method
[auto-switch
  [stateless-lb-method
    {conn-rate rate duration
       [revert-rate revert-duration]
       [grace-period seconds] [log] |
     l4-session-usage percent duration
       [revert-rate revert-duration]
       [grace-period seconds] [log]}
  ]
]

Parameter Description
lb-method
Load-balancing method:
• dest-ip-hash – Calculates a hash value based on the destination IP address and protocol port
of the client’s request.
• dest-ip-only-hash – Calculates a hash value based on only the destination IP address of the
client’s request.
• fastest-response – Selects the server with the fastest first data packet response time (after
three-way handshake) from end-user traffic requests.
NOTE: The fastest-response method is not applicable in Direct Server Return (DSR) deployments.
• least-connection [pseudo-round-robin] – Selects the server that currently has the fewest
connections.
For this and the other least-connection methods, if there is a tie, the default behavior is to
select the port (among those tied) that has the lowest number of request bytes plus response
bytes. If there is still a tie, a port is randomly selected from among the ones that are still
tied.
To override this tie-breaker behavior, use the pseudo-round-robin option. This option selects
the server that has not been selected for the longest time.
• service-least-connection [pseudo-round-robin] – Selects the server port that currently
has the fewest connections.
• weighted-least-connection [pseudo-round-robin] – Selects a server based on a combination
of the server’s administratively assigned weight and the number of connections on the
server. (To assign a weight to a server, see “weight” on page 613.)
• service-weighted-least-connection [pseudo-round-robin] – Same as
weighted-least-connection, but per service. (To assign a weight to a service, see “port” on
page 608. Use the weight option.)
• src-ip-hash – Calculates a hash value based on the source IP address and protocol port of the
client’s request.
• src-ip-only-hash – Calculates a hash value based on only the source IP address of the client’s
request.
• least-request – Selects the real server port for which the ACOS device is currently processing
the fewest HTTP requests. This method is applicable to HTTP load balancing.
• weighted-rr – Selects servers in rotation, based on the servers’ administratively assigned
weights.
To use this method, you also need to assign weights to the servers. (See “weight” on page 613.)
If the weight value is the same on each server, this load-balancing method simply selects the
servers in rotation.
The weighted-rr method uses only the server weight. Server port weight is not used. (Instead,
server port weight is used by the service-weighted-least-connection method).
• round-robin – Selects servers in simple rotation.
• round-robin-strict – Provides a more exact round-robin method. The standard, default round
robin method is optimized for high performance. Over time, this optimization can result in a
slight imbalance in server selection. Server selection is still basically round robin, but over
time some servers may be selected slightly more often than others.

The following methods apply only to stateless SLB. See the “Usage” section of this command for
more information.
• stateless-src-ip-hash – Balances server load based on a hash value calculated using the
source IP address and source TCP or UDP port.
• stateless-src-dst-ip-hash – Balances server load based on a hash value calculated using
both the source and destination IP addresses, and the source and destination TCP or UDP ports.
• stateless-dst-ip-hash – Balances server load based on a hash value calculated using the
destination IP address and destination TCP or UDP port.
• stateless-per-pkt-round-robin – Balances server load by sending each packet to a different
server, in rotation. This method is applicable only for UDP DNS traffic.
• stateless-src-ip-only-hash – Calculates a hash value based only on the source IP address of
the request, and selects a server based on the hash value. Subsequently, all requests from the
same client address are sent to the same server.

auto-switch [options]
You can configure the following options for this feature.
The stateless-lb-method option specifies the stateless load-balancing method to use if the
traffic reaches the configured threshold, and can be one of the following:
• stateless-dst-ip-hash
• stateless-per-pkt-round-robin
• stateless-src-dst-ip-hash
• stateless-src-ip-hash
• stateless-src-ip-only-hash
You can specify either of the following sets of thresholds:
• conn-rate rate duration – Rate of new connection requests per second at which the load
balancing method is changed. The rate applies collectively to all servers in the service group.
The threshold can be 1-1000000 connection requests per second.
• l4-session-usage percent duration – Percentage of the system-wide Layer 4 session
capacity that is currently in use. The threshold can be 1-100 percent.
For each set of thresholds, you can specify the following options:
• revert-rate – (Optional) Rate to revert to stateful method. You can specify 1-1000000
connections per second.
• revert-duration – (Optional) Number of seconds during which the specified revert trigger
must continue to occur before the service group changes to stateful load balancing again. You
can specify 1-600 seconds.
• grace-period seconds – (Optional) Number of seconds the ACOS device continues to use the
current load balancing method for active sessions, before changing to the other load balancing
method. You can specify 1-600 seconds.
NOTE: The grace period applies only to sessions that are active when the load balancing change
is triggered. The change applies immediately to new sessions that begin after the change is
triggered.
• log – Logs changes between stateful and stateless load balancing that occur due to this
feature. This is disabled by default.


Default The default method is round-robin.

Mode Service group

Usage The fastest-response method takes effect only if the traffic rate on the servers is at least
5 connections per second (per server). If the traffic rate is lower, the first server in the service
group usually is selected.

To set a server’s weight, see “weight” on page 613.

Stateless SLB

Stateless SLB conserves system resources by operating without session table entries on the
ACOS device. The stateless SLB methods are valid for the following types of traffic:

• Traffic with very short-lived sessions, such as DNS
• Layer 2 Direct Server Return (DSR) traffic
• Other types of traffic that do not require features that use session-table entries. (See list
of limitations below.)

You can enable stateless SLB on an individual service-group basis, by selecting a stateless SLB
load-balancing method for the group.

Limitations

Stateless SLB is not valid for the following features or traffic types:

• Rate limiting
• ACLs
• IP source NAT
• Session synchronization
• Application Layer Gateway (ALG)
• Layer 3 DSR
• SLB-PT
• aFleX
• FWLB ALG

A given real server can be used in only one stateless SLB service group. A real server that is in
a stateless SLB service group cannot be used in any other stateless service groups.

If the virtual port is on a wildcard VIP, destination NAT must be disabled on the virtual port. To
disable destination NAT, see “no-dest-nat” on page 649.

Graceful transitions between stateful and stateless SLB in a service group are not supported.

Mega-proxies may interfere with equal balancing of traffic load among the multiple data
CPUs. In this case, for DNS traffic only, try using the stateless-per-pkt-round-robin method.


NOTE: The stateless-per-pkt-round-robin method is applicable only for traffic
that uses a single packet for a request. Examples include DNS queries or RADIUS
requests without a Challenge-request/Response message used for EAP.

Example The following example sets the load-balancing method for a service group to
least-connection:

ACOS(config-slb svc group)#method least-connection

Example The following commands configure a stateless SLB service group for UDP traffic:

ACOS(config)#slb service-group dns-stateless udp
ACOS(config-slb svc group)#member dns1 53
ACOS(config-slb svc group-member:53)#exit
ACOS(config-slb svc group)#member dns2 53
ACOS(config-slb svc group-member:53)#exit
ACOS(config-slb svc group)#method stateless-src-dst-ip-hash

Example The following commands configure a service group that uses the
stateless-per-pkt-round-robin stateless load-balancing method. This method is used if the rate
of new connection requests to the virtual port bound to the service group reaches 80,000
connections per second, and remains at least this high for 300 seconds.

ACOS(config)#slb service-group auto-stateless tcp
ACOS(config-slb svc group)#method weighted-rr auto-switch stateless-per-pkt-round-robin conn-rate 80000 300 60000 300 grace-period 15 log

To return to using the stateful load-balancing method (weighted round-robin in this
example), the rate of new connection requests to the virtual port must drop to 60,000 per
second, and remain that low for at least 300 seconds. Once this occurs, the ACOS device
waits for an additional 15 seconds (the grace period) before returning to use of stateful load
balancing. Logging is enabled.
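
The thresholds in this example can be checked against a traffic trace to see when the group would change method and how long it would stay stateless. The following Python is an added illustration, not A10 code, and the names AutoSwitch, Transition, simulate, and stateless_seconds are hypothetical. It assumes one rate sample per second, that a threshold must hold for consecutive seconds, and that the grace period applies in both directions.

```python
from dataclasses import dataclass
from typing import List, NamedTuple


@dataclass(frozen=True)
class AutoSwitch:
    """Values from: conn-rate rate duration revert-rate revert-duration."""
    rate: int             # switch to stateless at or above this rate
    duration: int         # ...sustained for this many seconds
    revert_rate: int      # revert to stateful at or below this rate
    revert_duration: int  # ...sustained for this many seconds
    grace_period: int = 0


class Transition(NamedTuple):
    at: int                    # second at which new sessions change method
    to: str                    # "stateless" or "stateful"
    existing_sessions_at: int  # second at which the grace period ends


def simulate(cfg: AutoSwitch, rates: List[int]) -> List[Transition]:
    """Replay per-second new-connection rates through the thresholds.

    Simplified model (assumption): one sample per second, and any sample
    that misses the threshold restarts the duration count.
    """
    mode, streak, out = "stateful", 0, []
    for second, rate in enumerate(rates, start=1):
        if mode == "stateful":
            hit, need, nxt = rate >= cfg.rate, cfg.duration, "stateless"
        else:
            hit, need, nxt = (rate <= cfg.revert_rate,
                              cfg.revert_duration, "stateful")
        streak = streak + 1 if hit else 0
        if streak >= need:
            # New sessions change at once; sessions already active keep the
            # old method until the grace period has elapsed.
            out.append(Transition(second, nxt, second + cfg.grace_period))
            mode, streak = nxt, 0
    return out


def stateless_seconds(transitions: List[Transition], total_seconds: int) -> int:
    """Seconds during which new sessions were handled statelessly."""
    spent, since = 0, None
    for t in transitions:
        if t.to == "stateless":
            since = t.at
        elif since is not None:
            spent += t.at - since
            since = None
    if since is not None:
        spent += total_seconds - since
    return spent


# Values from the example above: conn-rate 80000 300 60000 300 grace-period 15
EXAMPLE = AutoSwitch(rate=80_000, duration=300, revert_rate=60_000,
                     revert_duration=300, grace_period=15)

# Constructed trace: quiet, a sustained peak, a plateau between the two
# thresholds (no revert there), then a sustained drop.
TRACE = [50_000] * 100 + [90_000] * 300 + [70_000] * 200 + [55_000] * 350

if __name__ == "__main__":
    events = simulate(EXAMPLE, TRACE)
    for e in events:
        print(e)
    print("seconds stateless:", stateless_seconds(events, len(TRACE)))
```

On the constructed trace, the plateau at 70,000 connections per second lies between the two thresholds, so the group stays stateless until the rate has been at or below 60,000 for the full revert duration.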

Example In the following configuration, if Layer 4 session usage reaches 2 percent and stays at least
this high for 5 seconds, both service-group members begin using the stateless-dst-ip-hash
method. The ACOS device reverts back to stateful load balancing when 1 percent or less is
reached for 5 seconds.

slb service-group sg-auto1 tcp
method dst-ip-hash auto-switch stateless-dst-ip-hash l4-session-usage 2 5 1 5
member s1 80
member s2 80

slb service-group sg-auto tcp
method dst-ip-hash auto-switch stateless-dst-ip-hash l4-session-usage 2 5 1 5
member s3 80
member s4 80


min-active-member
Description Use backup servers even if some primary servers are still up.

Syntax [no] min-active-member num [dynamic-priority] [skip-pri-set]

Parameter Description
num Minimum number of primary servers that can still be active
(available), before the backup servers are used. You can specify
1-63. There is no default.
dynamic-priority Dynamically adds lower-priority servers to the active list to meet
the min-active member requirement.
skip-pri-set Specifies whether the remaining primary servers continue to be
used. If you use this option, the ACOS device uses only the
backup servers and stops using any of the primary servers.

Default By default, the servers with the highest priority value are the primary servers. All other servers
are backups only, and are used only if all the primary servers are unavailable.

When you use this command, the skip-pri-set option is disabled by default.

Mode Service group

Usage Primary and backup servers are designated based on member priority (set with the member
command). For example, if a service group contains real servers with the following priority
settings, real servers s1, s2, and s3 are the primary servers. Real servers s4 and s5 are backup
servers.
• s1 – priority 16
• s2 – priority 16
• s3 – priority 16
• s4 – priority 8
• s5 – priority 8

When the minimum number of active members (primary servers) comes back up, the ACOS
device immediately returns to using only the primary servers.

Example The following commands add members with different priorities to a service group, and con-
figure promiscuous VIP to begin using backup servers if any of the primary servers becomes
unavailable:

ACOS(config)#slb service-group sg-prom tcp
ACOS(config-slb svc group)#method least-connection
ACOS(config-slb svc group)#member s1 80
ACOS(config-slb svc group-member:80)#priority 16
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#member s2 80
ACOS(config-slb svc group-member:80)#priority 16
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#member s3 80
ACOS(config-slb svc group-member:80)#priority 16
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#member s4 80
ACOS(config-slb svc group-member:80)#priority 8
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#member s5 80
ACOS(config-slb svc group-member:80)#priority 8
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb service group)#min-active-member 1

priority
Description Configure the ACOS device to respond to the failure of service-group members of a certain
priority by taking a designated action, such as dropping the request or sending a TCP reset
back to the client.

Syntax priority num
[
drop |
drop-if-exceed-limit |
proceed |
reset |
reset-if-exceed-limit
]

Parameter Description
num Priority of the port, ranging from 1-16. Higher-priority nodes are preferred over nodes
with lower numbers. There is no default.
drop Drops the request if all nodes with this same priority fail for any reason.
drop-if-exceed-limit Drops the request if all nodes with this same priority fail, and if one or more nodes
exceed the configured connection limit or connection-rate-limit.
proceed The ACOS device uses the node(s) with the next-highest priority if all nodes with the
currently-selected priority fail (this is the default behavior).
reset Sends a reset to the client if all nodes with this same priority fail for any reason.
reset-if-exceed-limit Sends a reset to the client if all nodes with this same priority fail, and if failure is due to
one or more nodes exceeding the configured connection-limit or connection-rate-limit.

Default By default, the ACOS device will use the node(s) with the next-highest priority if all nodes
with the currently-selected priority fail.

Mode Service group

Usage Use this feature to define specific actions that should occur when higher-priority
service-group members fail. By default, the ACOS device uses the highest priority service-group
members until they are no longer available. When the higher-priority nodes fail, the ACOS
device fails over to the nodes with the next-highest priority.

This priority option enables you to tie actions (drop, reset, and others) to a general failure,
such as service group members becoming disabled or failing a health check. Alternatively,
actions can be tied to connection-limits or connection-rate-limits being exceeded.

Configuring the "priority option" feature allows you to prevent lower-priority servers, which
are presumably less robust than higher-priority servers, from being overwhelmed by a flood
of traffic when a failover occurs.

NOTE: The actions are mutually exclusive. Only one action can be configured for each pri-
ority level.

The reset or drop actions can be triggered for the following reasons:

• If a health check fails
• If a user disables a server or port
• If another Load Balancing feature causes the currently-used priority to become
unavailable (for example, min-active-member feature)
• If a connection-limit or connection-rate-limit is exceeded

Example The following commands create the TCP service group “sg1” with several servers with a
priority of 10, and one server with a priority of 5. The commands also assign the
reset-if-exceed-limit action for members with priority 10, and assign the drop action for
members with priority 5.

ACOS(config)#slb service-group sg1 tcp
ACOS(config-slb svc group)#priority 10 reset-if-exceed-limit
ACOS(config-slb svc group)#priority 5 drop
ACOS(config-slb svc group)#member s1 80
ACOS(config-slb svc group-member:80)#priority 10
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#member s2 80
ACOS(config-slb svc group-member:80)#priority 10
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#member s3 80
ACOS(config-slb svc group-member:80)#priority 10
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#member s4 80
ACOS(config-slb svc group-member:80)#priority 5
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#
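
How the per-priority actions in the sg1 example resolve for different failure causes, as an added Python model (not A10 code and not part of the original reference). The connection limit of 1000 on the priority-10 members, the "no-server" outcome when every tier is exhausted, and the fewest-connections pick within a tier are constructed for illustration.

```python
"""Model of per-priority failure actions in a service group (added example)."""
from dataclasses import dataclass

ACTIONS = {"drop", "drop-if-exceed-limit", "proceed", "reset", "reset-if-exceed-limit"}


@dataclass
class Member:
    name: str
    priority: int          # 1-16, higher value is preferred
    healthy: bool = True   # False = failed health check or administratively disabled
    conns: int = 0         # current connections
    conn_limit: int = 0    # 0 = no limit (constructed field for this model)

    @property
    def over_limit(self) -> bool:
        return self.conn_limit > 0 and self.conns >= self.conn_limit

    @property
    def available(self) -> bool:
        return self.healthy and not self.over_limit


def select(members, actions):
    """Return (outcome, detail): forward/name, drop/priority, reset/priority, no-server/None."""
    unknown = set(actions.values()) - ACTIONS
    if unknown:
        raise ValueError(f"unknown action(s): {sorted(unknown)}")
    for prio in sorted({m.priority for m in members}, reverse=True):
        tier = [m for m in members if m.priority == prio]
        usable = [m for m in tier if m.available]
        if usable:
            # Stand-in for the group's load-balancing method: fewest connections.
            pick = min(usable, key=lambda m: (m.conns, m.name))
            return ("forward", pick.name)
        action = actions.get(prio, "proceed")   # proceed is the documented default
        if action in ("drop", "reset"):
            return (action, prio)               # fires on any failure of the whole tier
        if action.endswith("-if-exceed-limit") and any(m.over_limit for m in tier):
            return (action.split("-", 1)[0], prio)
        # proceed, or an -if-exceed-limit action with no limit exceeded: try the next tier
    return ("no-server", None)


# Actions and members from the sg1 example above; conn_limit=1000 is constructed.
SG1_ACTIONS = {10: "reset-if-exceed-limit", 5: "drop"}


def build_sg1():
    return [Member("s1", 10, conn_limit=1000), Member("s2", 10, conn_limit=1000),
            Member("s3", 10, conn_limit=1000), Member("s4", 5)]


def scenario(kind: str):
    """Constructed failure cases: normal, limit, health, all-down."""
    sg = build_sg1()
    if kind == "limit":                      # every priority-10 member is at its limit
        for m in sg[:3]:
            m.conns = 1000
    elif kind in ("health", "all-down"):     # every priority-10 member fails its health check
        for m in sg[:3]:
            m.healthy = False
        if kind == "all-down":
            sg[3].healthy = False
    return select(sg, SG1_ACTIONS)


if __name__ == "__main__":
    for kind in ("normal", "limit", "health", "all-down"):
        print(f"{kind:>8}: {scenario(kind)}")
```

In this model a health-check failure of the whole priority-10 tier still fails over to s4, because reset-if-exceed-limit only fires when a limit was exceeded; an overload of the same tier resets the client and keeps the traffic off s4.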


priority-affinity
Description Configure the ACOS device to continue using backup servers (servers with lower priority)
even when the primary (high priority) servers come back up.

Syntax [no] priority-affinity [reset]

The reset option resets the priority affinity feature so that the primary servers can be used
again.

Default Disabled.

By default, the ACOS device uses only the service-group members with the highest priority.
If all the highest-priority servers go down, the ACOS device starts using the secondary
(lower-priority) members. Also by default, when one or more of the highest-priority servers
comes back up, the ACOS device returns to using only those highest-priority servers and
stops using the backup servers.

Mode Service group

Usage The min-active-member option continues using backup servers in order to maintain a
minimum number of active servers, but does not continue using only the backup servers
after the primary servers come back up.

If the ACOS device stops using the primary servers due to other features (for example,
exceeding connection limits), the priority affinity feature will take effect just as if the
switchover to the backup servers were triggered by a change in the status of the primary
servers. If those higher-priority servers become available due to the number of connections
dropping below the configured threshold, ACOS will not use them, but will instead continue
using the lower-priority backup servers.

reset auto-switch
Description Reset load balancing from stateless back to the configured stateful method.

This command applies to configurations that use the auto-switch feature, which
automatically switches from the configured stateful load-balancing method to a stateless
load-balancing method, based on a configured threshold. (See “method” on page 620.)

Syntax reset auto-switch

Default N/A

Mode Configuration

Introduced in Release 2.7.1

Usage This command is operational only and does not affect the configuration. The command is
not saved in the startup-config.

reset-on-server-selection-fail
Description Send a TCP reset (RST) to the client if server selection fails.

Syntax [no] reset-on-server-selection-fail

Default Disabled

Mode Service group

Usage The TCP template reset-rev option also can be used to send a RST to clients. In AX
releases prior to 2.2.2, the reset-rev option would send a RST in response to a server
selection failure. In AX Release 2.2.2 and later, this is no longer true. The
reset-on-server-selection-fail option must be used instead.

sample-rsp-time
Description View sample server response time information.

Syntax [no] sample-rsp-time [
rpt-ext-server
[report-delay mins | top-fastest | top-slowest]
]

Parameter Description
rpt-ext-server Report the top 10 fastest or slowest servers.
report-delay mins Set the reporting frequency in minutes (1-7200).
top-fastest Report the top 10 fastest servers.
top-slowest Report the top 10 slowest servers.

Mode Service group


stats-data-disable
Description Disable collection of statistical data for the service group.

Syntax stats-data-disable

Default Statistical data collection for load-balancing resources is enabled by default.

Mode Service group

stats-data-enable
Description Enable collection of statistical data for the service group.

Syntax stats-data-enable

Default Statistical data collection for load-balancing resources is enabled by default.

Mode Service group

Usage To collect statistical data for a load-balancing resource, statistical data collection also must be
enabled globally. (See “slb common” on page 488.)

template
Description Apply a server or port configuration template to a service group.

Syntax template
{policy template-name | port template-name | server template-name}

Parameter Description
policy template-name Name of a policy template.
port template-name Name of a port template.
server template-name Name of a server template.

Default The settings in the server or port template applied to the server or port are used, unless over-
ridden by settings in the individual server or port configuration.

Mode Service group


traffic-replication-type
Description Replicate or “mirror” traffic to one or more collector servers in a service group using one of
the traffic replication types.

Syntax traffic-replication-type
{
mirror |
mirror-da-repl |
mirror-ip-repl |
mirror-sa-da-repl |
mirror-sa-repl
}

Parameter Description
mirror The ACOS device sends the packets “as is” to the collector server(s). Forwarding is based on
the IP address in the original packet. This mode does not change the packet header at all. The
original Layer 2 Destination Address (DA) or Source Address (SA) and Layer 3 IP addresses are
left intact.
mirror-da-repl Mirror Destination MAC Address replacement mode uses Layer 2 forwarding, with the ACOS
device replacing the destination MAC address on the incoming packet with the destination
MAC for each of the collector servers within the designated service group.
mirror-ip-repl Mirror IP-replacement mode replaces the incoming packet’s IP address with the IP address of
the collector server(s) and then forwards the duplicated packet to those servers. This option
affects the packet at Layer 4, with minor changes made to the L4 source and destination
ports. This option is recommended for scenarios in which collector servers are directly con-
nected to the ACOS device.
mirror-sa-da-repl Mirror Source MAC Address and Destination MAC Address replacement mode replaces both
the source and destination MAC addresses at Layer 2 but does not change the Layer 3 IP
addressing information.
mirror-sa-repl Mirror Source MAC Address replacement mode replaces the source MAC address on the
incoming packet with the MAC address corresponding to virtual server on the ACOS device.

NOTE: In general, most of the traffic replication options modify the headers of the
duplicated packets at Layer 2 by changing the MAC address. Only one of the Traffic
Replication modes alters the packets’ IP address.

Default Disabled

Mode Service group

Introduced in Release 2.7.0

Usage The traffic replication feature intercepts traffic feeds, such as SNMP or Syslog packets, copies
them to a buffer, and forwards the duplicated packet to multiple collector servers, where the
data can be used to track users and devices. This can be helpful for organizations that need
Network Monitoring feeds to be replicated to multiple destinations.


When configuring the feature, after defining the VIP and setting up the real collector servers,
configure a service group for the collector servers, add the real collector servers to the
service group, and specify which traffic replication mode will be used.

Example The following commands configure a service group for the collector servers and add the real
collector servers to the service group. Then, the commands specify that the mirror-da-repl
traffic replication mode will be used to forward duplicated network monitoring traffic
to the collector servers.

ACOS(config)#slb service-group SG-RS tcp
ACOS(config-slb svc group)#member RS1 0
ACOS(config-slb svc group-member:0)#exit
ACOS(config-slb svc group)#member RS2 0
ACOS(config-slb svc group-member:0)#exit
ACOS(config-slb svc group)#traffic-replication-type mirror-da-repl



Config Commands: SLB Virtual Servers

This chapter describes the commands for configuring SLB virtual servers.

To access this configuration level, enter the slb virtual-server vipaddr vip-name command at the global Config
level.

To display configured virtual servers, use the show slb virtual-server command.

NOTE: The commands in this chapter apply to virtual servers (also called “VIPs”), not to real
servers. To configure real servers, see “Config Commands: SLB Servers” on page 603.

This CLI level also has the following commands, which are available at all configuration levels:

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• do – See “do” on page 90.

• end – See “end” on page 93.

• exit – See “exit” on page 95.

• no – See “no” on page 135.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

arp-disable
Description Disable ARP replies from a virtual server.

Syntax [no] arp-disable

Default ARP replies are enabled by default.

Mode Virtual server

Usage Use this command if you do not want the Thunder Series device to reply to ARP requests to
the virtual server’s IP address. For example, you can use this command to put a VIP out of ser-
vice on one ACOS device and use that device as a switch or router for another ACOS device
providing SLB for the VIP.

When you disable ARP replies for a VIP, redistribution of routes to the VIP is automatically
disabled.


Example The following command disables ARP replies:

ACOS(config-slb vserver)#arp-disable

description
Description Add a description to a VIP.

Syntax description string

Replace string with a description of the VIP (up to 63 characters long). The string can contain
blanks. Quotation marks are not required.

Default None

Mode Virtual server

Introduced in Release 2.7.0

disable
Description Disable a virtual server.

Syntax [no] disable

Default Virtual servers are enabled by default.

Mode Virtual server

disable-when-all-ports-down
Description Automatically disable the virtual server if all its service ports are down. If OSPF redistribution
of the VIP is enabled, the ACOS device also withdraws the route to the VIP in addition to disa-
bling the virtual server.

Syntax [no] disable-when-all-ports-down

Parameter Description
when-all-ports-down Automatically disables the virtual server if all its service ports are down. If OSPF redistribu-
tion of the VIP is enabled, the ACOS device also withdraws the route to the VIP in addition
to disabling the virtual server.
when-any-port-down Automatically disables the virtual server if any of its service ports is down. If OSPF redistri-
bution of the VIP is enabled, the ACOS device also withdraws the route to the VIP in addi-
tion to disabling the virtual server.

Default Enabled.

Mode Virtual server


disable-when-any-port-down
Description Automatically disable the virtual server if any of its service ports is down. If OSPF redistribu-
tion of the VIP is enabled, the ACOS device also withdraws the route to the VIP in addition to
disabling the virtual server.

Syntax [no] disable-when-any-port-down

Default Disabled.

Mode Virtual server

enable
Description Enable a virtual server.

Syntax [no] enable

Default Enabled

Mode Virtual server

Example The following commands re-enable virtual server “vs1”:

ACOS(config)#slb virtual-server vs1
ACOS(config-slb vserver)#enable

extended-stats
Description Enable collection of peak connection statistics for a virtual server.

Syntax [no] extended-stats

Default Disabled

Mode Virtual server


port
Description Configure a virtual port on a virtual server.

Syntax [no] port port-number service-type [range length] [alternate]

Parameter Description
port Port number, 0-65534.
service-type Service type of the port:
• diameter – Diameter AAA load balancing
• dns-tcp – DNS service over TCP
• dns-udp – DNS caching
• fast-http – Streamlined Hypertext Transfer Protocol (HTTP) service
• fix – File Information Exchange (FIX) load balancing
• ftp – File Transfer Protocol
• ftp-proxy – FTP proxy service
• http – HTTP
• https – Secure HTTP (SSL)
• mlb – MLB service over TCP
• mms – Microsoft Media Server
• mssql – Database load balancing for MS-SQL servers
• mysql – Database load balancing for MySQL servers
• others – Wildcard port used for IP protocol load balancing. (For more information, see the “IP
Protocol Load Balancing” chapter of the Application Delivery and Server Load Balancing Guide.)
• radius – RADIUS
• rtsp – Real Time Streaming Protocol
• sip – Session Initiation Protocol (SIP) over UDP
• sip-tcp – SIP over TCP
• sips – SIP over TCP / TLS
• smpp-tcp – Short Message Peer-to-Peer (SMPP 3.3) load balancing over TCP
• smtp – Simple Mail Transfer Protocol
• spdy – Google SPeeDy protocol
• spdys – Secure SPDY
• ssl-proxy – SSL proxy service
• tcp – Layer 4 Transmission Control Protocol (TCP)
• tcp-proxy – Full TCP-stack service for load-balanced Layer 7 applications
• tftp – Trivial File Transfer Protocol
• udp – User Datagram Protocol
range length Assigns a range of ports to the VIP for the specified virtual-service type. The length specifies the num-
ber of contiguous ports to add to the base port, 0-254.
alternate Designates this virtual port as an alternate port for another virtual port. An alternate port is a standby
for the primary port. (See “alternate” on page 643.)

NOTE: Fast-HTTP is optimized for very high performance information transfer in
comparison to regular HTTP. Due to this optimization, fast-HTTP does not support all the
comprehensive capabilities of HTTP such as header insertion and manipulation. It is
recommended not to use fast-HTTP for applications that require complete data
transfer integrity.

Default N/A

Mode Virtual server

Usage The normal form of this command creates a new or edits an existing virtual port. The CLI
changes to the configuration level for the virtual port. (See “Config Commands: SLB Virtual
Server Ports” on page 641.)

The “no” form of this command removes the specified virtual port from the current virtual server.

The maximum number of virtual service ports allowed and the maximum number per virtual
server depend on the ACOS model.

The ACOS device allocates processing resources to HTTPS virtual ports when you bind them
to an SSL template. This results in increased CPU utilization, regardless of whether traffic is
active on the virtual port.

Example The following example creates a new (or edits an existing) virtual port:

ACOS(config-slb vserver)#port 443 https
ACOS(config-slb vserver-vport)#

redistribution-flagged
Description Flag this VIP to selectively enable or disable redistribution of it by OSPF.

Syntax [no] redistribution-flagged

Default Not set. The VIP is automatically redistributed if VIP redistribution is enabled in OSPF.

Mode Virtual server

Usage Use this option if you want to redistribute only some of the VIPs rather than all of them.

Selective VIP redistribution also requires configuration in OSPF. See the description of the vip
option in “redistribute” on page 366.

stats-data-disable
Description Disable collection of statistical data for the virtual server.

Syntax stats-data-disable

Default Statistical data collection for load-balancing resources is enabled by default.

Mode Virtual server


stats-data-enable
Description Enable collection of statistical data for the virtual server.

Syntax stats-data-enable

Default Statistical data collection for load-balancing resources is enabled by default.

Mode Virtual server

Usage To collect statistical data for a load-balancing resource, statistical data collection also must be
enabled globally. (See “slb common” on page 488.)

template logging
Description Bind a logging template to the virtual server.

Syntax [no] template logging template-name

Default None

Mode Virtual server

Introduced in Release 2.7.0

template policy
Description Bind a PBSLB policy template to the virtual server.

Syntax [no] template policy template-name

Default None

Mode Virtual server

Usage This command is applicable only for PBSLB policy templates configured for IP limiting. (See
the Application Access Management and DDoS Mitigation Guide.)

template scaleout
Description Bind a Scale Out template to the virtual server.


More information about Scale Out is available in “Configuring Scale Out” in the System
Configuration and Administration Guide.

Syntax [no] template scaleout template-name

Default None

Mode Virtual server

Introduced in Release 4.0.1

template virtual-server
Description Bind a virtual server template to the virtual server.

Syntax [no] template virtual-server template-name

Default The virtual server template named “default” is bound to virtual servers by default. The param-
eter settings in the default virtual server template are automatically applied to the new vir-
tual server, unless you bind a different virtual server template to the virtual server.

Mode Virtual server

Usage If a parameter is set individually on this virtual server and also is set in a virtual server tem-
plate bound to this virtual server, the individual setting on this virtual server is used instead
of the setting in the template.

To configure a virtual server template, see “slb template virtual-server” on page 598.

Example The following commands configure a virtual server template called “vs-tmplt1” that sets
ICMP rate limiting, and bind the template to a virtual server:

ACOS(config)#slb template virtual-server vs-tmplt1
ACOS(config-vserver)#icmp-rate-limit 25000 lock 30000 60
ACOS(config-vserver)#exit
ACOS(config)#slb virtual-server vip1 10.10.10.2
ACOS(config-slb vserver)#template virtual-server vs-tmplt1

vrid
Description Assign the virtual server to a VRRP-A VRID.

Syntax [no] vrid num

Use num to specify the VRID (1-31 in the shared partition, or 1-7 in an L3V partition).

Default The default VRID, if none is assigned, is 0.

Mode Virtual server configuration mode



Config Commands: SLB Virtual Server Ports

This chapter describes the commands for configuring virtual ports.

To access this configuration level, enter the port port-num port-type command at the configuration level for a virtual
server.

This CLI level also has the following commands, which are available at all configuration levels:

• clear – See “clear” on page 55.

• debug – See “debug” on page 56.

• do – See “do” on page 119.

• end – See “end” on page 124.

• exit – See “exit” on page 126.

• no – See “no” on page 166.

• show – See “Show Commands” on page 679.

• write – See “write” on page 70.

aaa-policy
Description Bind an AAM policy to the virtual port.

Syntax [no] aaa-policy policy-name

Mode Virtual port

access-list
Description Apply an Access Control List (ACL) to a virtual server port.

Syntax [no] access-list {acl-num | name acl-name}
[source-nat-pool {pool-name | pool-group-name}
[sequence-number num]]

Parameter Description
acl-num | name acl-name Number of a configured IPv4 ACL (acl-num), or the name of a configured IPv6
ACL (name acl-name).
source-nat-pool {pool-name | pool-group-name} [sequence-number num] Name of a configured IP
source NAT pool or pool group. Use this option if you are configuring policy-based source
NAT. Source NAT is required if the real servers are in a different subnet than the VIP.
The sequence-number num option specifies the position of this ACL in the
sequence of ACLs that are associated with IP source NAT pools and which are
assigned to this virtual port. The sequence number is important because the
ACOS device will use the IP addresses in the pool associated with the first ACL
that matches the traffic.
By default, the ACL sequence is based on the order in which you apply them to
the virtual port. The first ACL has sequence number 1, the second ACL has
sequence number 2, and so on. You can specify 1-32 as the sequence number.
To view the sequence, use the show running-config command to view the
configuration for this virtual port.

Default N/A

Mode Virtual port

Usage The ACL must be configured before you can apply it to a virtual port. To configure an ACL,
see “access-list (standard)” on page 74 and “access-list (extended)” on page 76.

To permit or deny traffic on the virtual port, specify an ACL but do not specify a NAT pool.

To configure policy-based source NAT, specify an ACL and a NAT pool. Use an extended ACL.
The source IP address must match on the client address. The destination IP address must
match on the real server address. The action must be permit. The NAT pool is used only for
traffic that matches the ACL. This configuration allows the virtual port to have multiple pools,
and to select a pool based on the traffic.

Example The following commands configure a standard ACL to deny traffic from subnet 10.10.10.x,
and apply the ACL to the inbound traffic direction on virtual port 8080 on virtual server
“slb1”:

ACOS(config)#access-list 99 deny 10.10.10.0 0.0.0.255
ACOS(config)#slb virtual-server vslb1
ACOS(config-slb vserver)#port 8080 http
ACOS(config-slb vserver-vport)#access-list 99

Example The following commands configure policy-based source NAT, by binding ACLs to NAT pools
on the virtual port.

ACOS(config)#slb virtual-server vs1 10.10.10.100
ACOS(config-slb virtual server)#port 80 tcp
ACOS(config-slb vserver-vport)#access-list 30 source-nat-pool pool1
ACOS(config-slb vserver-vport)#access-list 50 source-nat-pool pool2
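
The first-match sequence rule for ACL-to-pool bindings, as an added Python model (not A10 code and not part of the original reference): it picks the pool for a flow and reports any binding that an earlier, broader ACL makes unreachable. Only the ACL numbers and pool names come from the example above; the ACL contents, the real-server subnet 10.20.20.0/24 and the one-permit-entry-per-ACL simplification are constructed.

```python
"""Model of ACL-to-NAT-pool selection on a virtual port (added example)."""
import ipaddress
from dataclasses import dataclass, replace

MASK32 = 0xFFFFFFFF


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _matches(base: str, wildcard: str, addr: str) -> bool:
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    return (_ip(base) ^ _ip(addr)) & ~_ip(wildcard) & MASK32 == 0


def _subsumes(a_base, a_wild, b_base, b_wild) -> bool:
    """True if everything matched by (b_base, b_wild) is also matched by (a_base, a_wild)."""
    a_w, b_w = _ip(a_wild), _ip(b_wild)
    if b_w & ~a_w & MASK32:
        return False                      # b ignores a bit that a compares
    return (_ip(a_base) ^ _ip(b_base)) & ~a_w & MASK32 == 0


@dataclass(frozen=True)
class Binding:
    """One 'access-list N source-nat-pool P' line, with the ACL's single permit entry."""
    sequence: int    # 1-32; by default the order in which the ACLs were applied
    acl: int
    pool: str
    src: str         # source must match the client address
    src_wild: str
    dst: str         # destination must match the real server address
    dst_wild: str

    def matches(self, client: str, server: str) -> bool:
        return (_matches(self.src, self.src_wild, client)
                and _matches(self.dst, self.dst_wild, server))


def select_pool(bindings, client: str, server: str):
    """Pool of the first matching ACL in sequence order, or None if none match."""
    for b in sorted(bindings, key=lambda b: b.sequence):
        if b.matches(client, server):
            return b.pool
    return None


def shadowed(bindings):
    """[(later_acl, earlier_acl)] for bindings that can never be the first match."""
    ordered = sorted(bindings, key=lambda b: b.sequence)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (_subsumes(earlier.src, earlier.src_wild, later.src, later.src_wild)
                    and _subsumes(earlier.dst, earlier.dst_wild, later.dst, later.dst_wild)):
                found.append((later.acl, earlier.acl))
                break
    return found


# Constructed ACL contents: ACL 30 is broad (192.168.0.0/16), ACL 50 narrow (192.168.20.0/24).
AS_APPLIED = [
    Binding(1, 30, "pool1", "192.168.0.0", "0.0.255.255", "10.20.20.0", "0.0.0.255"),
    Binding(2, 50, "pool2", "192.168.20.0", "0.0.0.255", "10.20.20.0", "0.0.0.255"),
]
# Same bindings with explicit sequence numbers putting the narrow ACL first.
REORDERED = [replace(AS_APPLIED[0], sequence=2), replace(AS_APPLIED[1], sequence=1)]

if __name__ == "__main__":
    flow = ("192.168.20.7", "10.20.20.5")
    print("as applied:", select_pool(AS_APPLIED, *flow), shadowed(AS_APPLIED))
    print("reordered: ", select_pool(REORDERED, *flow), shadowed(REORDERED))
```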


aflex
Description Apply an aFleX policy to a virtual port.

Syntax [no] aflex policy-name

Replace policy-name with the name of a configured aFleX policy.

Default N/A

Mode Virtual port

Usage The normal form of this command applies the specified aFleX policy to the port.

The no form of this command removes the aFleX policy from the port.

For more information about aFleX policies, see the aFleX Scripting Language Reference.

Example The following command applies aFleX policy “aflex1” to a virtual port:

ACOS(config-slb vserver-vport)#aflex aflex1

alternate
Description Enables switchover to another virtual port, based on specific conditions.

Syntax [no] alternate port port-num
{alt-port-service-type [switchover-event]}

Parameter Description
port-num Port number of the alternate virtual port.
alt-port-service-type Service type of the alternate port, tcp or http.
switchover-event The event types that cause switchover from the primary port to the alternate port:
For TCP alternate ports, you can specify the following:
• req-fail – Switches over if a request fails.
• when-down – Switches over if the service group for the primary port is down.
For HTTP alternate ports, you can specify the following:
• serv-sel-fail – Switches over if SLB server selection fails.
• when-down – Switches over if the service group for the primary port is down.

Default Not set

Mode Virtual port

Introduced in Release 2.7.1


bucket-count
Description Configure the number of traffic buckets used in a Scale Out configuration.

Syntax [no] bucket-count num

Replace num with the number of traffic buckets (1-256).

Mode Virtual port

Introduced in Release 4.0.1

clientip-sticky-nat
Description Configure client stickiness for outbound Next Hop Load Distributor (NHLD).

Syntax [no] clientip-sticky-nat

Default Disabled

Mode Virtual port

Introduced in Release 2.7.0

Usage Sticky NAT for Next Hop Load Distributor (NHLD) provides a virtual-port option to ensure the
ACOS device always uses the same outbound link for a given client’s traffic. You can enable it
on individual virtual ports.

NOTE: The Sticky NAT option applies only to NHLD. The option does not apply to other
features, such as SLB.

NOTE: The sticky NAT option is not supported with the ip-rr (IP round-robin) option.


conn-limit
Description Set the connection limit for a virtual port.

Syntax [no] conn-limit number [reset] [no-logging]

Parameter Description
number Connection limit, 0-8000000 (8 million); 0 means no limit.
reset Sends a connection reset to the client, if the connection limit has
been reached. If you omit this option, the connection is silently
dropped and no reset is sent to the client.
no-logging Disables logging for this feature.

Default Not set. If you set a limit, the default action for any new connection request after the limit has
been reached is to silently drop the connection, without sending a reset to the client. Log-
ging is enabled by default.

Mode Virtual port

Usage The normal form of this command changes the current port’s connection limit.

The no form of this command resets the port’s connection limit to its default value.

The connection limit puts a hard limit on the number of concurrent connections supported
by the port. No more connections will be put on the port if its number of current
connections is already equal to or greater than the limit.

If you change the connection limiting configuration on a virtual port or virtual server that
has active sessions, or in a virtual-port or virtual-server template bound to the virtual server
or virtual port, the current connection counter for the virtual port or server in show
command output and in the GUI may become incorrect. To avoid this, do not change the
connection limiting configuration until the virtual server or port does not have any active
connections.

Example The following command changes a virtual port’s connection limit to 10000:

ACOS(config-slb vserver-vport)#conn-limit 10000

def-selection-if-pref-failed
Description Configure SLB to continue checking for an available server in other service groups if all of the
servers are down in the first service group selected by SLB.

Syntax def-selection-if-pref-failed

Default Enabled

Mode Virtual port

Usage During SLB selection of the preferred server to use for a client request, SLB checks the following
configuration areas, in the order listed:
1. Layer 3-4 configuration items:
• aFleX policies triggered by Layer 4 events
• Policy-based SLB (black/white lists). PBSLB is a Layer 3 configuration item because it
matches on IP addresses in black/white lists.
2. Layer 7 configuration items:
• Cookie switching
• aFleX policies triggered by Layer 7 events
• URL switching
• Host switching
3. Default service group. If none of the items above results in selection of a server, the
default service group is used.
• If the configuration uses only one service group, this is the default service group.
• If the configuration uses multiple service groups, the default service group is the
one that is used if none of the templates used by the configuration selects another
service group instead.

For example, if the CLIENT_ACCEPTED event triggers the aFleX policy, the policy is consulted
first. Similarly, if the HTTP_REQUEST event triggers the aFleX policy, the policy is consulted
only if none of the Layer 4 configuration items results in selection of a server.

The first configuration area that matches the client or VIP (as applicable) is used, and the
client request is sent to a server in the service group that is applicable to that configuration
area. For example, if the client's IP address is in a black/white list, the service group specified
by the list is used for the client request.

When the def-selection-if-pref-failed option is enabled, SLB continues to check for an
available server in other service groups if all servers are down in the first service group
selected by SLB.

If Policy-Based SLB (PBSLB) is also configured on the same virtual port, PBSLB server-selection
failures are not logged. This limitation does not affect failures that occur because a client is
over their PBSLB connection limit. These failures are still logged.

To disable the option, see “def-selection-if-pref-failed-disable” on page 1.

Example The following command enables this option:

ACOS(config-slb vserver-vport)#def-selection-if-pref-failed
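
The selection order and fallback described in the Usage text above, as a simplified Python model added here (it is not ACOS code or output). The rule for which other service groups are tried next, the first-up server pick, and all group names, server names and addresses are assumptions for illustration; the drop or reset outcome follows the reset-on-server-selection-fail entry in this chapter.

```python
from dataclasses import dataclass

# Configuration areas in the order the Usage text lists them.
AREA_ORDER = [
    "aflex-l4",          # aFleX policies triggered by Layer 4 events
    "pbslb",             # policy-based SLB (black/white lists)
    "cookie-switching",
    "aflex-l7",          # aFleX policies triggered by Layer 7 events
    "url-switching",
    "host-switching",
    "default",           # default service group
]


@dataclass
class ServiceGroup:
    name: str
    servers: dict        # server name -> True if the server is up

    def first_up(self):
        # Simplification: the load-balancing method is not modelled.
        return next((s for s, up in self.servers.items() if up), None)


@dataclass
class VirtualPort:
    matchers: dict       # area -> callable(request) -> ServiceGroup or None
    def_selection_if_pref_failed: bool = True      # default: Enabled
    reset_on_server_selection_fail: bool = False   # default: Disabled


def select_server(vport, request):
    """Return (outcome, group, server, area) for one client request."""
    for area in AREA_ORDER:
        matcher = vport.matchers.get(area)
        group = matcher(request) if matcher else None
        if group is None:
            continue                      # area not configured or no match
        server = group.first_up()
        if server is not None:
            return ("forward", group.name, server, area)
        # Every server in the selected group is down.
        if not vport.def_selection_if_pref_failed:
            break                         # selection fails here
        # Assumption: with the option enabled, the remaining areas are
        # tried in the same order, ending with the default service group.
    outcome = "reset" if vport.reset_on_server_selection_fail else "drop"
    return (outcome, None, None, None)


# Constructed sample: a black/white list sends one client to a dedicated
# group whose only server is down; the default group is healthy.
RESTRICTED = ServiceGroup("restricted-sg", {"rs-restricted-1": False})
WEB = ServiceGroup("web-sg", {"rs-web-1": False, "rs-web-2": True})
BW_LIST = {"192.0.2.10": RESTRICTED}


def make_vport(fallback, reset=False):
    return VirtualPort(
        matchers={
            "pbslb": lambda req: BW_LIST.get(req["client_ip"]),
            "default": lambda req: WEB,
        },
        def_selection_if_pref_failed=fallback,
        reset_on_server_selection_fail=reset,
    )


if __name__ == "__main__":
    listed = {"client_ip": "192.0.2.10"}
    for fallback in (True, False):
        print(fallback, select_server(make_vport(fallback), listed))
```

With the option at its default, the listed client is served from the default group when its own group is down, and the Usage text notes that PBSLB server-selection failures are not logged in that configuration. With def-selection-if-pref-failed-disable the same request is dropped, or reset when reset-on-server-selection-fail is set.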


def-selection-if-pref-failed-disable
Description Disable the def-selection-if-pref-failed option. (See “def-selection-if-pref-failed” on page 1.)

Syntax def-selection-if-pref-failed-disable

disable
Description Disable a virtual port.

Syntax [no] disable

Default Enabled

Mode Virtual port

Example The following command disables a virtual port:

ACOS(config-slb vserver-vport)#disable

enable
Description Enable a virtual port.

Syntax [no] enable

Default Enabled

Mode Virtual port

Example The following command re-enables a virtual port:

ACOS(config-slb vserver-vport)#enable

extended-stats
Description Enable collection of peak connection statistics for a virtual port.

Syntax [no] extended-stats

Default Disabled

Mode Virtual port


force-routing-mode
Description Disables destination NAT, so that server responses go directly to clients.

Syntax [no] force-routing-mode

Default Disabled

Mode Virtual port

NOTE: In the current release, for IPv4 VIPs, DSR is supported on virtual port types (service
types) TCP, UDP, FTP, and RTSP. For IPv6 VIPs, DSR is supported on virtual port types
TCP, UDP, and RTSP.

ipinip
Description Enables IP-in-IP tunneling. This option is available only on the following port types: TCP, UDP,
RTSP, FTP, MMS, SIP, TFTP and Radius.

Syntax [no] ipinip

Mode Virtual port

Introduced in Release 2.7.1

message-switching
Description Enable message switching.

This causes messages to be forwarded in their entirety, one hop at a time. Each message is
treated as its own individual entity.

Syntax [no] message-switching

Mode Virtual port

name
Description Change the name assigned to the virtual port.

Syntax name string

Replace string with the name for the virtual port.

Default The ACOS device assigns a name that uses the following format:

_vip-addr_service-type_portnum

Mode Virtual port

Introduced in Release 2.7.0

no-auto-up-on-aflex
Description Disable automatic setting of an aFleX-bound virtual port’s state to Up.

Syntax [no] no-auto-up-on-aflex

Default Disabled. If an aFleX script is bound to the virtual port, the port is automatically marked Up.

Mode Virtual port

Introduced in Release 2.7.2

Usage This command applies only if an aFleX script is bound to the virtual port.

no-dest-nat
Description Disable destination NAT.

Syntax [no] no-dest-nat [port-translation]


For wildcard VIPs, the port-translation option enables the ACOS device to translate the
destination protocol port in a client request before sending the request to a server.

This option is useful if the real port number on the server is different from the virtual port
number of the VIP. Without this option, the ACOS device sends the request to the server
without changing the destination port number.

This option does not change the destination IP address of the request.

NOTE: This option is supported only for virtual ports that are on wildcard VIPs.

Default Destination NAT is enabled by default.

Mode Virtual port

Usage This option can be used for Direct Server Return (DSR) or for wildcard VIPs.

Direct Server Return

For virtual servers that have a specific virtual IP address (VIP), disabling destination NAT
enables Direct Server Return (DSR). When DSR is enabled, only the destination MAC address
is translated from the VIP’s MAC address to the real server’s MAC address. The destination IP
address is still the VIP.

In DSR topologies, reply traffic from the server to the client is expected to bypass the ACOS
device.

In the current release, for IPv4 VIPs, DSR is supported on virtual port types (service types) TCP,
UDP, FTP, and RTSP. For IPv6 VIPs, DSR is supported on virtual port types TCP, UDP, and RTSP.


Wildcard VIPs

For wildcard VIPs (VIPs that can have any IP address), this option enables the ACOS device to
send the client request to the server without changing the destination IP address of the
request.

The destination port of the request also is unchanged, unless you use the port-translation
option. (See above.)

Depending on the network topology and the application, reply traffic from the server to the
client may or may not pass back through the ACOS device. If the port-translation
option is used, and reply traffic passes through the ACOS device, the ACOS device translates
the source port of the server reply back into the destination port to which the client sent the
request, before forwarding the reply to the client.

The port-translation option is supported only for the following virtual port types: TCP,
UDP, and HTTP/HTTPS.

redirect-to-https
Description Responds to client HTTP requests with an HTTP redirect response with response code 302
(Moved Permanently). The client is redirected to the same host and URI they requested, but
using HTTPS instead of HTTP.

Syntax [no] redirect-to-https

Default Disabled

Mode Virtual port

Usage This command is only available on HTTP virtual ports.

reset-on-server-selection-fail
Description Send a TCP reset (RST) to the client if server selection fails.

Syntax [no] reset-on-server-selection-fail

Default Disabled

Mode Virtual port

Usage The TCP template reset-rev option also can be used to send a RST to clients. In AX
releases prior to 2.2.2, the reset-rev option would send a RST in response to a server selection
failure. In AX Release 2.2.2 and later, this is no longer true. The reset-on-server-selection-fail
option must be used instead.

rtp-sip-call-id-match
Description Causes RTP traffic to try to match the real server of a SIP SMP call-id session.

This command is used in conjunction with the smp-call-id-rtp-session option under
SIP template configuration (“slb template sip (SIP over UDP)” on page 575), which creates a
cross-CPU RTP session that can be matched by RTP traffic.

Syntax [no] rtp-sip-call-id-match

Mode Virtual port

Introduced in Release 4.0.1

Example The example below shows a sample configuration:

!
slb template sip test
smp-call-id-rtp-session
!
!
slb virtual-server vv 0.0.0.0
port 0 udp
skip-rev-hash
message-switching
force-routing-mode
no-dest-nat
service-group win
rtp-sip-call-id-match
port 5060 sip
message-switching
force-routing-mode
service-group winms
template sip test
!

service-group
Description Bind a virtual port to a service group.

Syntax [no] service-group group-name

Replace group-name with the service-group name.

Default N/A

Mode Virtual port

Usage The normal form of this command binds the virtual port to the specified service group. The
“no” form of this command removes the binding.

One virtual port can be associated with one service group only, while one service group can
be associated with multiple virtual ports.

The type of service group and type of virtual port should match. For example, a UDP service
group can not be bound to an HTTP virtual port.

skip-rev-hash
Description Does not insert the reverse tuple into the hash for lookup.

This is used with aFleX with stateless load-balancing methods.

Syntax [no] skip-rev-hash

Mode Virtual port

Example The following example shows how to activate this feature.

ACOS(config)#slb virtual-server vs1
ACOS(config-slb vserver)#port 80 tcp
ACOS(config-slb vserver-vport)#skip-rev-hash

snat-on-vip
Description Enable IP NAT support for the virtual port.

Syntax [no] snat-on-vip

Default Disabled

Mode Virtual port

Usage Source IP NAT can be configured on a virtual port in the following ways:
1. ACL-based source NAT (access-list command at virtual port level)
2. VIP source NAT (slb snat-on-vip command at global configuration level)
3. aFleX policy (aflex command at virtual port level)
4. Non-ACL source NAT (source-nat command at virtual port level)

These methods are used in the order shown above. For example, if IP source NAT is
configured using an ACL on the virtual port, and the slb snat-on-vip command is also
used, then a pool assigned by the ACL is used for traffic that is permitted by the ACL. For
traffic that is not permitted by the ACL, VIP source NAT can be used instead.


NOTE: The current release does not support source IP NAT on FTP or RTSP virtual ports.

source-nat auto
Description Configure Smart NAT, to automatically create NAT mappings using the ACOS interface
connected to the real server.

Syntax [no] source-nat auto [precedence]

This option is applicable if standard NAT pools are also used by the virtual port. In this case,
using the precedence option causes Smart NAT to be used before the standard NAT pools
are used.

Default Disabled

Mode Virtual port

Usage Up to 45 K mappings per real server port are supported. The ACOS device can use the same
ACOS interface IP address and port for more than one server connection. The combination
of ACOS IP address and port number (source) and server IP address and port (destination)
uniquely identifies each mapping.

Smart NAT can be used along with standard NAT pools or pool groups. In this case, by
default, the standard pool addresses are used first. Smart NAT is used only when the standard
pools can not support any more mappings. You can change this behavior so that Smart NAT
is used first.

Additional Notes

• Smart NAT applies only to ACOS devices deployed in route mode (also called “gateway”
mode). The feature is not applicable to devices deployed in transparent mode.
• Smart NAT uses only the primary IP address on an interface, even if multiple addresses
are configured on the interface.
• Smart NAT uses protocol ports 20032-65535.
• Smart NAT is not supported on SIP, SIP-TCP, or SIPS virtual ports.
• VRRP-A support:
• A floating IP address is required for session synchronization.
• Bind the service group to only a single virtual port. If this is not possible, make sure
all virtual ports bound to the service group have the same VRID.

source-nat pool
Description Enable source NAT. Source NAT is required if the real servers are in a different subnet than the
VIP.

NOTE: This command is not applicable to the MMS or RTSP service types.

Syntax [no] source-nat pool {pool-name | pool-group-name}

Parameter Description
pool-name Specifies the name of an IP pool of addresses to use as source
addresses.
pool-group-name Specifies the name of a group of IP address pools to use as
source addresses.

Default Disabled.

Mode Virtual port

Usage This command enables source NAT using a single NAT pool or pool group, for all source
addresses. If you want the ACOS device to select from among multiple pools based on
source IP address, configure policy-based source NAT instead. See “access-list” on page 1.

Example The following example enables source NAT for the virtual port:

ACOS(config-slb vserver-vport)#source-nat pool pool2

stats-data-disable
Description Disable collection of statistical data for the virtual port.

Syntax stats-data-disable

Default Statistical data collection for load-balancing resources is enabled by default.

Mode Virtual port

stats-data-enable
Description Enable collection of statistical data for the virtual port.

Syntax stats-data-enable

Default Statistical data collection for load-balancing resources is enabled by default.

Mode Virtual port

Usage To collect statistical data for a load-balancing resource, statistical data collection also must be
enabled globally. (See “slb resource-usage” on page 497.)


syn-cookie
Description Enable software-based SYN cookies for a virtual port. SYN cookies provide protection against
TCP SYN flood attacks.

Syntax [no] syn-cookie [expand]

The expand option enables expanded SYN cookie support. When enabled, the ACOS device
can encode values for the following TCP options in the SYN-ACK:

• Window Scale for outbound traffic (send)
• Window Scale for inbound traffic (receive)
• Selective acknowledgement (SACK) flag

NOTE: These options are described in RFC 1323, TCP Extensions for High Performance.

Default Disabled.

Mode Virtual port

Usage If hardware-based SYN cookies are enabled, software-based SYN cookies are not needed and
are not used. (Hardware-based SYN cookies are enabled at the global configuration level. See
“syn-cookie” on page 198.)

For software-based SYN cookies, the ACOS device bases Selective Acknowledgment (SACK)
support, and the maximum segment size (MSS) setting, in software-based SYN cookies on
server replies to TCP health checks sent to the servers.

SACK

The ACOS device includes the Sack-Permitted option in TCP SYN health check packets sent
to servers.

• If all up servers in the service group reply with a TCP SYN-ACK that contains a SACK
option, the ACOS device uses SACK with the software-based SYN-cookie feature, for all
servers in the service group.
• If any of the up servers in the service group does not send a SACK option, the ACOS
device does not use SACK with the software-based SYN-cookie feature, for any servers
in the service group.

In releases earlier than AX Release 2.6.1-P3, the software-based SYN-cookie feature has an
option to enable SACK. This option is no longer applicable. If you are upgrading an ACOS
device whose startup-config contains the SACK option, the option is ignored.

MSS

The lowest MSS value supported by any of the servers in the service group is the MSS value
used by the ACOS device for software-based SYN-cookies.


template
Description Apply an SLB configuration template to a virtual port.

Syntax [no] template template-type template-name

Parameter Description
template-type Type of template. The template types that are available depend
on the service type of the virtual port. To list the available template
types, enter the following command: template ?
For information about the virtual-port template type, see
“template virtual-port” on page 656.
template-name Name of the template.

Default If the ACOS device has a default template that is applicable to the service type, the default
template is automatically applied. The ACOS device has a default virtual-port template,
which is applied to a virtual port when you create it.

Mode Virtual port

Usage The normal form of this command applies the specified template to the virtual port. The “no”
form of this command removes the template from the virtual port but does not delete the
template itself.

A virtual port can be associated with only one template of a given type. However, the same
template can be associated with more than one virtual port.

To bind a virtual-port template to the port, see “template virtual-port” on page 1.

Example The following example applies connection reuse template “reuse-template” to a virtual port:

ACOS(config-slb vserver-vport)#template connection-reuse reuse-template

template virtual-port
Description Bind a virtual service port template to the virtual port.

Syntax [no] template virtual-port template-name

Default The virtual port template named “default” is bound to virtual ports by default. The parameter
settings in the default virtual port template are automatically applied to the new virtual port,
unless you bind a different virtual port template to the virtual port.

Mode Virtual port

Usage If a parameter is set individually on this virtual port and also is set in a virtual port template
bound to this virtual port, the individual setting on this port is used instead of the setting in
the template.

To configure a virtual port template, see “slb template virtual-port” on page 603.

Example The following commands configure a virtual service port template named “common-vpsettings”,
set the connection limit, and bind the template to a virtual port:

ACOS(config)#slb template virtual-port common-vpsettings
ACOS(config-vport)#conn-limit 500000
ACOS(config-vport)#exit
ACOS(config)#slb virtual-server vip1 10.10.10.99
ACOS(config-slb vserver)#port 80 http
ACOS(config-slb vserver-vport)#template virtual-port common-vpsettings
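
A configuration check built on virtual-port options documented in this chapter (conn-limit, syn-cookie, redirect-to-https, and the rule that a per-port setting overrides the bound virtual-port template), added here as an example and not A10 code. The running-config layout of the template block, the service types treated as TCP-based, the finding labels and the sample configuration are assumptions; where hardware-based SYN cookies are enabled at the global level, the syn-cookie finding does not apply.

```python
# Service types treated here as TCP-based (assumption for this example).
TCP_TYPES = {"tcp", "http", "https"}

# Constructed sample in the layout of the running-config excerpt on this page.
SAMPLE_CONFIG = """\
!
slb template virtual-port common-vpsettings
conn-limit 500000
!
slb virtual-server vip1 10.10.10.99
port 80 http
template virtual-port common-vpsettings
redirect-to-https
syn-cookie
port 8080 http
conn-limit 10000 reset no-logging
port 21 ftp
service-group ftp-sg
!
"""


def parse_config(text):
    """Return (virtual-port templates, virtual ports) found in the text."""
    templates, vports = {}, []
    ctx = None       # option dict of the block being read, if tracked
    vserver = None   # name of the virtual server being read
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "!":                      # block separator
            ctx = vserver = None
        elif tok[0] == "slb":                  # new top-level block
            ctx = vserver = None
            if tok[1:3] == ["template", "virtual-port"] and len(tok) > 3:
                ctx = templates.setdefault(tok[3], {})
            elif tok[1:2] == ["virtual-server"] and len(tok) > 2:
                vserver = tok[2]
        elif vserver and tok[0] == "port" and len(tok) >= 3:
            ctx = {}
            vports.append({"vserver": vserver, "port": tok[1],
                           "type": tok[2], "opts": ctx})
        elif ctx is not None:
            if tok[0] == "template" and len(tok) > 2:
                ctx["template " + tok[1]] = tok[2:]   # template <type> <name>
            else:
                ctx[tok[0]] = tok[1:]
    return templates, vports


def effective_conn_limit(vport, templates):
    """Per-port setting wins over the bound virtual-port template."""
    if "conn-limit" in vport["opts"]:
        return vport["opts"]["conn-limit"]
    bound = vport["opts"].get("template virtual-port", ["default"])[0]
    return templates.get(bound, {}).get("conn-limit")


def audit(text):
    """Return (virtual port, finding) pairs for settings left at defaults."""
    templates, vports = parse_config(text)
    findings = []
    for vp in vports:
        where = f'{vp["vserver"]}:{vp["port"]}/{vp["type"]}'
        limit = effective_conn_limit(vp, templates)
        if not limit or limit[0] == "0":        # unset, or 0 = no limit
            findings.append((where, "no-conn-limit"))
        elif "no-logging" in limit:
            findings.append((where, "conn-limit-no-logging"))
        if vp["type"] in TCP_TYPES and "syn-cookie" not in vp["opts"]:
            findings.append((where, "no-software-syn-cookie"))
        if vp["type"] == "http" and "redirect-to-https" not in vp["opts"]:
            findings.append((where, "http-without-redirect"))
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print(where, finding)
```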

use-default-if-no-server
Description Forward client traffic at Layer 3, if SLB server selection fails.

Syntax [no] use-default-if-no-server

Default Disabled. If SLB server selection fails, the traffic is dropped.

Mode Virtual port

Usage This command applies only to wildcard VIPs (VIP address 0.0.0.0).

use-rcv-hop-for-resp
Description Force the Thunder Series device to send replies to clients back through the last hop on
which the request for the virtual port's service was received.

Syntax use-rcv-hop-for-resp
[
src-dst-ip-swap-persist |
use-src-ip-for-dst-persist |
use-dst-ip-for-src-persist
]

Parameter Description
src-dst-ip-swap-persist Creates a persistent session after the source IP and destination IP have been
swapped. The new persistent session that is created should match both the
source IP and the destination IP. This option should be used with the incl-dst-ip
option for the ALG FWLB feature.
NOTE: This option cannot be used for the SIP protocol, because a SIP transaction
may involve three or more parties.
use-src-ip-for-dst-persist Creates a destination persistent session based on the source IP.
use-dst-ip-for-src-persist The ACOS device uses the destination IP to create source-IP persistent sessions
for SIP or FTP sessions. With this option, the response packet will go through the
same firewall as the client’s request packet, and the SIP session and communication
sessions will be load balanced through the same firewall node.

Default Disabled.

Mode Virtual port

Usage For simple protocols, load balancing across a firewall is relatively easy. However, load balancing
Application Layer Gateway (ALG) protocols such as SIP and FTP, which have multiple
connections that can originate from either side of the firewall deployment, can be more
challenging. The lack of predictability that occurs with ALG protocols can cause the protocol’s
control connection and data connection to be sent to different firewalls, thus causing the
application to break.

The ACOS device uses the use-rcv-hop-for-resp command and its sub-options to load
balance ALG protocols through a firewall deployment consisting of paired firewalls.

For more information, refer to the “ALG Protocol FWLB Support for FTP and SIP” chapter in
the Thunder Series Application Delivery and Server Load Balancing Guide.


Config Commands: Web Category

This chapter describes the commands for configuring Web Category classification.

This CLI level also has the following commands, which are available at all configuration levels:

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• do – See “do” on page 90.

• end – See “end” on page 93.

• exit – See “exit” on page 95.

• no – See “no” on page 135.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

web-category
Description Configure Web Category classification. You can use Web Category classification with SSL
Insight (SSLi) to bypass SSLi operation for the URLs for certain categories of traffic. The URLs
are categorized in a third-party database that ACOS can download and periodically update.

Syntax [no] web-category

This command changes the CLI to configuration level for Web Category classification, where
the following commands are available.

Parameter Description
[no] cloud-query-disable Disables cloud queries for URLs that are not present in the
local cache or database.
By default, cloud queries are enabled.
[no] database-server server-url URL of the BrightCloud database server.
Default: database.brightcloud.com
[no] db-update-time hh:mm Time of day at which ACOS requests an updated web category
database from the BrightCloud server.
Default is 00:00 (12 a.m.).
[no] enable Initializes and enables the BrightCloud library. The web-category
license file must be imported prior to using this feature to enable the feature.
Disabled by default.
[no] port portnum Protocol port on which the BrightCloud server listens for
requests.
Default is 80.
[no] remote-syslog-enable Enables data plane logging to a remote syslog server.
[no] rtu-update-disable Disables realtime updates.
Enabled by default. ACOS periodically checks for realtime
updates based on the rtu-update-interval setting and
adds them to the service cache.
[no] rtu-update-interval minutes Interval at which to periodically check for real time updates.
You can specify 10-14400 minutes.
Default is 60 minutes.
[no] server server-url URL of the BrightCloud server.
Default: service.brightcloud.com
[no] server-timeout seconds Maximum number of seconds to wait for the BrightCloud
server to respond to a query from ACOS. You can specify
1-300 seconds.
If a reply is not received before the timeout, ACOS terminates
the connection with the server.
Default is 30 seconds.
[no] ssl-port seconds Protocol port on which the BrightCloud server listens for
SSL traffic.
Default is 443.
[no] use-mgmt-port Uses the management interface for all communication with
BrightCloud servers, including downloading the database
and any lookup queries.
Note: This option is required in VRRP-A deployments.

Default N/A

Mode Configuration mode

Introduced in Release 4.0.1


show web-category
Description Show information for the Web Category feature.

Syntax show web-category
{
bypassed-urls [num | all] |
database |
intercepted-urls [num | all] |
url-category name [local-db-only] |
version
}

Parameter Description
bypassed-urls [num | all] Lists the URLs bypassed by the Web Category feature.
num – Specifies the number of URLs to list, 1-8000. The most recently
bypassed URLs, up to the number you specify, are listed.
all – Displays the entire list of URLs bypassed by the feature.
The entries are listed beginning with the most recently bypassed URL
on top. If a URL is bypassed multiple times, the URL is listed separately
for each time it is bypassed.
By default, the 50 most recent entries are shown.
database Shows information about the currently loaded BrightCloud database.
intercepted-urls [num | all] Lists the URLs intercepted by the Web Category feature.
num – Specifies the number of URLs to list, 1-8000. The most recently
intercepted URLs, up to the number you specify, are listed.
all – Displays the entire list of URLs intercepted by the feature.
The entries are listed beginning with the most recently intercepted
URL on top. If a URL is intercepted multiple times, the URL is listed separately
for each time it is intercepted.
By default, the 50 most recent entries are shown.
url-category url-name [local-db-only] Shows categories returned by BrightCloud library for the specified
URL.
local-db-only – Checks only the local database and service cache.
Does not make a cloud query to fetch the category list for this URL.
version Shows the current version of the Web Category engine.

Mode All

Example The following command shows the URLs bypassed by the Web Category feature:

ACOS#show web-category bypassed-urls
paper.example.com
paper.example.com
paper.example.com
paper.example.com
step.example.com
metrics1.example.com
step.example.com
paper.example.com
online.example.com
...

Example The following command shows information about the currently loaded BrightCloud database:

ACOS#show web-category database
Database name : full_bcdb_4.457.bin
Database size : 352 MB
Database version : 457
Last Update Time : Fri Jan 23 00:00:40 2015
Next Update Time : Sat Jan 24 00:00:43 2015
Connection Status : GOOD
Last Successful Connection : Fri Jan 23 15:54:43 2015

Example The following command shows the URLs intercepted by the Web Category feature:

ACOS#show web-category intercepted-urls
fhr.data.example.com
fhr.data.example.com
fhr.data.example.com
aus3.example.org
blocklist.addons.example.org
aus4.example.org
versioncheck-bg.addons.example.org
versioncheck-bg.addons.example.org
services.addons.example.org
aus3.example.org
fhr.data.example.com
...


Example The following commands show the web categories to which some individual URLs belong.
In this example, the categories for the URLs in the ACOS device’s local database match the
most recent categorizations from the BrightCloud server.

ACOS#show web-category url-category www.google.com
Search Engines
ACOS#show web-category url-category www.google.com local-db-only
Search Engines
ACOS#show web-category url-category www.youtube.com
Streaming Media
ACOS#show web-category url-category www.youtube.com local-db-only
Streaming Media

Example The following command shows the current version of the Web Category engine:

ACOS#show web-category version
version: 4.0


Config Commands: Health Monitors

The commands in this chapter configure SLB health monitors.

To access this configuration level, enter the health monitor monitor-name command at the global config level.

For more information about health monitors, see the “Health Monitoring” chapter of the Application Delivery and Server Load
Balancing Guide.

This CLI level also has the following commands, which are available at all configuration levels:

• clear – See “clear” on page 28.

• debug – See “debug” on page 29.

• do – See “do” on page 90.

• end – See “end” on page 93.

• exit – See “exit” on page 95.

• no – See “no” on page 135.

• show – See “Show Commands” on page 681.

• write – See “write” on page 43.

disable-after-down
Description Disable the target of a health check if the target fails the health check.

Syntax [no] disable-after-down

Default Disabled

Mode Health monitor configuration

Usage This command applies to all servers, ports, or service groups that use the health monitor.
When a server, port, or service group is disabled based on this command, the server, port, or
service group’s state is changed to disable in the running-config. If you save the configuration
while the server, port, or service group is disabled, the state change is written to the
startup-config.

The server, port, or service group remains disabled until you explicitly enable it.


interval
Description Number of seconds between health check attempts, 1-180 seconds. A health check attempt
consists of the ACOS device sending a packet to the server. The packet type and payload
depend on the health monitor type. For example, an HTTP health monitor might send an
HTTP GET request packet.

Syntax [no] interval seconds [timeout seconds]

Parameter Description
interval seconds Number of seconds between health check attempts, 1-180
seconds.
The default is 5 seconds.
timeout seconds Number of seconds ACOS waits for a reply to a health check,
1-12 seconds.
The default is 5 seconds.

Default See descriptions.

Mode Health monitor configuration

method
Description Configure a health method.

Syntax [no] method method-options

Valid parameters for method-options are shown in the following table:

Parameter Description

compound sub monitor-name [sub monitor-name ...] Boolean-operators
Configures a compound health monitor. A compound health monitor consists of a set of health
monitors joined in a Boolean expression (AND / OR / NOT). For more information, see the
“Compound Health Monitors” section in the “Health Monitoring” chapter of the Application
Delivery and Server Load Balancing Guide.

[no] database database-type db-name name username username-string password password-string
[query-options]
Configures a database health monitor. The ACOS device sends a database query to the specified
server.
• database database-type – Specifies the type of database to test:
  • mssql
  • mysql
  • oracle
  • postgresql
• db-name name – Specifies the name of the database to query.
• username username-string password password-string – Specifies the login information
  required to access the database.
• query-options – Specifies query information:
  send query
  [receive expected-reply | receive-integer integer]
  [row row-num column col-num]
  • send query – SQL query to send to the database.
  • receive expected-reply – Query result expected from the database in order to pass the
    health check. To use the receive (1-31 characters) or receive-integer (0-2147483647)
    options, you also must use the send option. If you do not use send, the ACOS device does
    not send a query.
  • row row-num column col-num – For replies that consist of multiple results, the results are
    in a table. You can specify the row and column location within the results table to use as
    the receive string. If you do not specify the row and column, row 1 and column 1 are
    queried by default.

dns {ipaddr | domain domain-name} [options]
Sends a lookup request to the specified port number for the specified domain name. By default,
expects reply with code 0. You can specify a domain name or a server IP address as the target
of the health check.
You also can configure the following options:
• expect response-code code-list – Specifies a list of response codes, in the range 0-15, that
  are valid responses to a health check. The DNS server can respond with any of the expected
  response codes. By default, the expect list is empty, in which case the ACOS device expects
  status code 0 (No error condition).
• port port-num – Specifies the protocol port number on which the DNS server listens for DNS
  queries. Use this option if the server is not using the default DNS port, 53.
• recurse {enabled | disabled} – Specifies whether the tested DNS server is allowed to send
  the health check’s request to another DNS server if the tested server cannot fulfill the
  request using its own database. Recursion is enabled by default.
• tcp – Enables use of TCP for a DNS health monitor.
• type {A | CNAME | SOA | PTR | MX | TXT | AAAA} – For health checks sent to a domain name,
  specifies the record type the responding server is expected to send in reply to health
  checks. You can specify one of the following record types:
  • A – IPv4 address record
  • CNAME – Canonical name record for a DNS alias
  • SOA – Start of authority record
  • PTR – Pointer record for a domain name
  • MX – Mail Exchanger record
  • TXT – Text string
  • AAAA – IPv6 address record
  By default, the ACOS device expects the DNS server to respond to the health check with an A
  record.

external [port portnum] program program-name [arguments argument-string] [preference]
Runs an external program (for example, a Tcl script) and bases the health status on the
outcome of the program. See “Usage” below for more information on health check using an
external program.
The preference option applies to weighted load-balancing methods such as SNMP-based load
balancing. (See the “SNMP-based Load Balancing” chapter in the Application Delivery and Server
Load Balancing Guide.)
External health methods are not supported in Direct Server Return (DSR) deployments.

ftp [[username name password string] port port-num]
Sends an FTP login request to the specified port. Expects OK message, or Password message
followed by OK message. Unless you use anonymous login, the username and password must be
specified in the health check configuration.

http [options]
Sends an HTTP request to the specified TCP port and URL. Expects OK message (200).
You can specify the following options:
• expect {string | response-code code-list} – Specifies a response code or string expected
  from the server, in which case this value is also expected. To specify a range of response
  codes, use a dash ( - ) between the low and high numbers of the range. Use commas to delimit
  individual code numbers or separate ranges. By default, the ACOS device expects response
  code 200 (OK).
• host {ipv4-addr | ipv6-addr | domain-name} [:port-num] – Replaces the information in the
  Host field of the request sent to the real server. By default, the real server’s IP address
  is placed in the field.
• maintenance-code code-list – Specifies a response code that indicates the server needs to
  be placed into maintenance mode. If the ACOS device receives the specified status code in
  response to a health check, the ACOS device changes the server’s health status to
  Maintenance.
  When a server’s health status is Maintenance, the server will accept new requests on
  existing cookie-persistent or source-IP persistent connections, but will not accept any
  other requests.
  To leave maintenance mode, the server must do one of the following:
  – Successfully reply to a health check by sending the expected string or response code, but
    without including the maintenance code. In this case, the server’s health status changes
    to Up.
  – Fail a health check. In this case, the server’s status changes to Down.
  The Maintenance health status applies to server ports and service-group members. When a
  port’s status changes to Maintenance, this change applies to all service-group members that
  use the port.
  NOTE: The expect maintenance-code option applies only to servers in cookie-persistence or
  source-IP persistence configurations, and can be used only for HTTP and HTTPS ports.
• port port-num – Specifies the protocol port on which the server listens for HTTP traffic.
  Use this option if the server does not use the default HTTP port, 80.
• url string – Specifies the request type and the page (url-path) to which to send the
  request. By default, GET requests are sent for “ / ”, the index.html page. You can specify
  one of the following:
  • GET url-path
  • HEAD url-path
  • POST url-path postdata string
  • POST / postfile filename
  In a postdata string, use “=” between a field name and the value you are posting to it. If
  you post to multiple fields, use “&” between the fields. For example:
  postdata fieldname1=value&fieldname1=value. The string can be up to 255 bytes long.
• username name – Specifies the username required for HTTP access to the server. Unless
  anonymous login is used, the username must be specified.

https [options]
Similar to an HTTP health check, except SSL is used to secure the connection. The default port
is 443.
The disable-sslv2hello option disables encapsulation of SSLv3, TLSv1, or TLSv1.1 hello
messages within the SSLv2 hello messages for HTTPS health checks.
The cert cert-name and key key-name options are used to add an SSL certificate and key to an
HTTPS health monitor. When you use this option, the ACOS device uses the certificate and key
during the SSL handshake with the HTTPS port on the server.
The certificate you plan to use with the health monitor must be present on the ACOS device
before you configure the health monitor.

icmp [transparent ipaddr]
Sends an ICMP echo request to the server. Expects ICMP echo reply message.
The transparent ipaddr option is applicable if the target of the health monitor is reached
through an intermediary device. The option tests the path through the intermediary device to
the target device.

imap [port port-num] [username name password string]
Sends an IMAP login request with the specified username and password. Expects reply with OK
message.

kerberos-kdc kinit principal password {kdc-hostname | kdc-ipaddr} [port port-num] [tcp-only]
Configures a method to check accessibility of the KDC for obtaining a TGT.
• principal – Name of the Kerberos principal. This is the ACOS client name presented to the
  server.
• password – Kerberos admin password.
• {kdc-hostname | kdc-ipaddr} [port port-num] – Hostname or IP address of the server where
  the KDC is running. The port option specifies the protocol port on which the server listens
  for TGT requests. The default KDC port is 88.
• tcp-only – Sends health checks only over TCP.

kerberos-kdc kadmin realm-name principal password {kdc-hostname | kdc-ipaddr} [port port-num]
{admin-hostname | admin-ipaddr} [port port-num]
Configures a method to check accessibility of the Kerberos server for user account
administration.
• realm-name – Name of the Kerberos realm.
• principal – Name of the Kerberos principal.
• {kdc-hostname | kdc-ipaddr} [port port-num] – Hostname or IP address of the Kerberos
  server. The port option specifies the TCP port on which the server listens for user account
  administration requests. The default TCP port is 749.
For information about the other options, see the descriptions for kerberos-kdc kinit
(described above).

kerberos-kdc kpasswd principal password {kdc-hostname | kdc-ipaddr} [port port-num]
{pwd-hostname | pwd-ipaddr} [port port-num]
Configures a method to check accessibility of the Kerberos server for user password change.
• {pwd-hostname | pwd-ipaddr} [port port-num] – Hostname or IP address of the Kerberos
  server. The port option specifies the UDP port on which the server listens for user
  password-change requests. The default UDP port is UDP port 464.
For information about the other options, see the descriptions for kerberos-kdc kinit
(described above).

ldap [StartTLS] [binddn dn-string password] [overssl] [port port-num] [run-search options]
Configures a method to check accessibility of the KDC for obtaining a TGT.
• StartTLS – Begins the health check by sending a StartTLS request.
• binddn dn-string password – DN name and password.
• overssl – Uses TLS to secure the connection.
• port port-num – UDP port on which the server listens for user password-change requests.
  The default UDP port is UDP port 464.
• run-search options – Performs the specified database search. The following options are
  supported:
  • BaseDN dn-string – Searches the database for the specified DN.
  • query query-string [AcceptNotFound] – Sends the specified query string to the server.
    The AcceptNotFound option allows the health check to pass even if the search query is
    unsuccessful.

ntp
Sends an NTP client message to UDP port 123. Expects a standard NTP 48-byte reply packet.

pop3 port port-num username name password string
Sends a POP3 user login request with the specified username and password. Expects reply with
OK message.

radius username name password string secret string [port port-num]
[expect response-code code-list]
Sends a Password Authentication Protocol (PAP) request to the specified port to authenticate
the specified username. Expects Access Accepted message (reply code 2). The secret option
specifies the shared secret required by the RADIUS server.
The code-list can contain one or more numeric response codes. To specify more than one code,
use commas but no spaces. (See “CLI Example” below.)

rtsp port port-num rtspurl string
Sends a request to the specified port for information about the file specified by rtspurl.
Expects reply with information about the specified file.

sip [register] [port port-num] [expect-response-code values] [tcp]
Sends a SIP request to the SIP port. Expects 200 OK in response by default. The request is an
OPTION request, unless you use the register option to send a REGISTER request instead.
The expect-response-code option specifies a set of SIP status codes. In this case, a SIP
health check is successful only if the server reply includes one of the specified SIP status
codes. You can specify any or a combination of individual code numbers and code ranges. Use
commas as delimiters, with no spaces. Use a dash and no spaces to delimit the lower and upper
values of a range. Examples:
expect-response-code 100,101,121,200
expect-response-code 100-121,200
expect-response-code any
The tcp option configures the health method for SIP over TCP/TLS. Without this option, the
health method is for SIP over UDP.

smtp port port-num domain domain-name
Sends an SMTP Hello message to the specified server in the specified domain. Expects reply
with OK message (reply code 250).

snmp [port port-num] [community string] [oid oid-name] [operation {get | getnext}]
Sends an SNMP Get or Get Next request to the specified OID, from the specified community.
Expects reply with the value of the OID. The OID can be sysDescr, sysUpTime, sysName, or
another name in ASN.1 style.
NOTE: Although you can enter these objects in ASN.1 format, only MIB-2 OIDs are supported.

tcp port port-num [halfopen] [send send-string response contains response-string]
Sends a connection request (TCP SYN) to the specified TCP port on the server. Expects TCP SYN
ACK in reply.
By default, ACOS responds to the SYN ACK by sending an ACK. To configure ACOS to send a RST
(Reset) instead, use the halfopen option.
Use the send and response contains options to send and receive text strings in TCP health
checks.
The send-string is the string the ACOS device sends to the TCP port after the three-way
handshake is completed. The response-string is the string that must be present in the server
reply.
Each string can be 1-127 characters long. If a string contains blank spaces or other special
characters (for example, “ / ” or “ \ ”), use double quotation marks around the entire string.

udp port port-num
Sends a packet with a valid UDP header and a garbage payload to the specified UDP port on the
server. Expects either of the following:
• server reply from the specified UDP port, with any type of packet.
• server does not reply at all.
The server fails the health check only if the server replies with an ICMP Error message.

Default The configuration has a default “ping” health monitor that uses the icmp method. The ACOS
device applies the ping monitor by default. The ACOS device also applies the TCP or UDP
health monitor by default, depending on the port type. These default monitors are used
even if you also apply configured monitors to a service port.

To use differently configured ping or TCP/UDP monitors, configure new monitors with the
ICMP, TCP, or UDP method and apply those monitors instead.

When specifying a protocol port number, specify the port number on the real server, not the
port number of the virtual port. By default, the well-known port number for the service type
of the health monitor is used. For example, for LDAP, the default port is 389 (or 636 if the
overssl option is used).

If you specify the protocol port number in the health monitor, the protocol port number
configured in the health monitor is used if you send an on-demand health check to a server
without specifying the protocol port. (See “health-test” on page 19.) After you bind the
health monitor to a real server port, health checks using the monitor are addressed to the
real server port number instead of the port number specified in the health monitor’s
configuration. In this case, you can override the IP address or port using the override
commands described later in this chapter.

Mode Health monitor configuration

Usage To use a health method, you must do the following:

1. Configure a health monitor, by assigning a name to it and by assigning one of the
health methods listed above to it. Use the health monitor command at the global
Config level to create and name the monitor. (See “health monitor” on page 103.) Use
the method command at the monitor configuration level to assign a health method to
the monitor.
2. Apply the health monitor to a real server or real server port, using the health-check
command at the configuration level for the server or the server port. Apply monitors
that use the ICMP method to real servers. (See “health-check” on page 607.) Apply
monitors that use any of the other types of methods to individual server ports. (See
“port” on page 608.)

Example The following commands apply health monitor “ping” to server “rs0”. The ping monitor is
included in the ACOS device’s configuration by default, so you do not need to configure it.

ACOS(config)#slb server rs0 10.2.3.4
ACOS(config-real server)#health-check ping

Example The following commands configure health monitor “hm1” to use the TCP health method,
and apply the monitor to a TCP port on real server “rs1”. The TCP health checks are sent to
TCP port 23 on the server.

ACOS(config)#health monitor hm1
ACOS(config-health:monitor)#method tcp port 23
ACOS(config-health:monitor)#exit
ACOS(config)#slb server rs1 1.1.1.1
ACOS(config-real server)#port 23 TCP
ACOS(config-real server-node port)#health-check hm1

Example The following commands configure health monitor “hm2” and set it to use the HTTP
method. The health monitor is applied to port 80 on real server “rs1”.

ACOS(config)#health monitor hm2
ACOS(config-health:monitor)#method http
ACOS(config-health:monitor)#exit
ACOS(config)#slb server rs1 2.2.2.2
ACOS(config-real server)#port 80 http
ACOS(config-real server-node port)#health-check hm2

Example The following commands configure a TCP health monitor that sends an HTTP GET request to
TCP port 80, and expects the string “200” to be present in the reply:

ACOS(config)#health monitor tcp-with-http-get
ACOS(config-health:monitor)#method tcp port 80 send "GET / HTTP/1.1\r\nHost: 22.1.2.2\r\nUser-Agent: a10\r\nAccept: */*\r\n\r\n" response contains 200

This health monitor sends an HTTP GET request to TCP port 80 on the target server. This
particular request uses the following header fields:

• Host – Specifies the host (server) to which the request is being sent.
• User-Agent – Identifies the entity (user agent) that is sending the request. In this
example, the sending entity is “a10”.
• Accept – Specifies the types of media that are allowed in the response. This example
uses wildcards (*/*) to indicate that any valid media type and range are acceptable.

If the string “200” is present anywhere in the reply from the port, the port passes the health
check.
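
Because the match is a substring test over the whole reply, a reply can pass when “200” appears somewhere other than the status line. The following Python sketch is an added example, not part of the A10 documentation: it models that matching logic on constructed replies and compares it with checking the status-line code against a code-list written in the dash-and-comma syntax described for expect response-code. All function names are assumptions, and the code models the comparison only, not ACOS internals.

```python
import re


def parse_code_list(spec):
    """Expand a code-list such as "200-204,301" into a set of ints.

    Syntax as described on this page: commas separate entries, a dash joins
    the low and high ends of a range, and no spaces are allowed.
    """
    codes = set()
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if m is None:
            raise ValueError(f"invalid code-list entry: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) is not None else low
        if high < low:
            raise ValueError(f"range runs backwards: {item!r}")
        codes.update(range(low, high + 1))
    return codes


def contains_check(reply, needle):
    """Model of 'response contains': pass if needle occurs anywhere in reply."""
    return needle.encode("ascii") in reply


def http_status(reply):
    """Return the status code from the reply's status line, or None."""
    status_line = reply.split(b"\r\n", 1)[0]
    m = re.fullmatch(rb"HTTP/\d\.\d (\d{3})(?: .*)?", status_line)
    return int(m.group(1)) if m else None


def status_check(reply, code_list="200"):
    """Pass only if the status-line code is in the expected code-list."""
    code = http_status(reply)
    return code is not None and code in parse_code_list(code_list)


# Constructed replies (not captured traffic).
HEALTHY = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
# A failing server whose error page happens to be 200 bytes long.
FAILING = (b"HTTP/1.1 503 Service Unavailable\r\n"
           b"Content-Length: 200\r\n\r\n" + b"x" * 200)


def compare(reply):
    """Return the verdict of each matching strategy for one reply."""
    return {
        "contains 200": contains_check(reply, "200"),
        "contains HTTP/1.1 200": contains_check(reply, "HTTP/1.1 200"),
        "status in 200": status_check(reply, "200"),
    }


if __name__ == "__main__":
    for name, reply in (("healthy", HEALTHY), ("failing", FAILING)):
        print(name, compare(reply))
```

The constructed 503 reply passes the bare “200” substring test but fails both the longer string and the status-line check, which is the case to keep in mind when choosing a response-string.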

Example The following commands configure a RADIUS health monitor that accepts response code 2
or 3 as passing (healthy) responses from a server:

ACOS(config)#health monitor rad1
ACOS(config-health:monitor)#method radius port 1812 expect response-code 2,3 secret a10rad username admin1 password pwd1

Example Here is an external health-check example. Besides internal health checks, which use a
predefined health check method, you can use external health checks with any of the following
types of scripts:

• Perl
• Shell
• TCL

Utility commands such as ping, ping6, wget, dig, and so on are supported.

For Tcl scripts, the health check parameters are transmitted to the script through the
predefined Tcl array ax_env. The array variable ax_env(ServerHost) is the server IP address
and ax_env(ServerPort) is the server port number. Set ax_env(Result) to 0 to indicate a pass;
any other value indicates a fail. Tcl script filenames must use the “.tcl” extension.

To use the external method, you must import the program onto the Thunder Series device.
The script execution result indicates the server status, which must be stored in
ax_env(Result).

The following commands import external program “ext.tcl” from FTP server 192.168.0.1, and
configure external health method “hm3” to use the imported program to check the health of
port 80 on the real server:

ACOS(config)#health external import "checking HTTP server" ftp://192.168.0.1/ext.tcl
ACOS(config)#health monitor hm3
ACOS(config-health:monitor)#method external port 80 program ext.tcl

For additional information and more examples, see the “External Health Method Examples”
section in the “Health Monitoring” chapter of the Application Delivery and Server Load
Balancing Guide.

override-ipv4
Description Send the health check to a specific IPv4 address, instead of sending the health check to the
IP address of the real server or GSLB service IP to which the health monitor is bound. This
command and the other override commands are particularly useful for testing the health of
remote links.

Syntax [no] override-ipv4 ipaddr

Default By default, a health check is addressed to the real server IP address of the server to which the
health monitor is bound.

Mode Health monitor configuration

Example The following commands configure a health monitor to check 192.168.1.1:

ACOS(config)#health monitor site1-hm
ACOS(config-health:monitor)#method icmp
ACOS(config-health:monitor)#override-ipv4 192.168.1.1

override-ipv6
Description Send the health check to a specific IPv6 address, instead of sending the health check to the
IP address of the real server to which the health monitor is bound.

Syntax [no] override-ipv6 ipv6addr

Default By default, a health check is addressed to the real server IP address of the server to which the
health monitor is bound.

Mode Health monitor configuration

Example The following commands configure a health monitor to check 2001:db8::1521:31ab:

ACOS(config)#health monitor site2-hm
ACOS(config-health:monitor)#method icmp
ACOS(config-health:monitor)#override-ipv6 2001:db8::1521:31ab

override-port
Description Send the health check to a specific protocol port, instead of sending the health check to the
server port to which the health monitor is bound.

Syntax [no] override-port portnum

Default By default, a health check is addressed to the protocol port number to which the health
monitor is bound.

Mode Health monitor configuration

Example The following commands configure a health monitor to check port 8081 on 192.168.1.1:

ACOS(config)#health monitor site3-hm
ACOS(config-health:monitor)#method http
ACOS(config-health:monitor)#override-ipv4 192.168.1.1
ACOS(config-health:monitor)#override-port 8081

passive
Description Configures inband health monitoring based on HTTP status code.

Syntax [no] passive
{status-code-2xx | status-code-non-5xx}
[passive-interval seconds]
[sample-threshold samples-per-second]
[threshold percent]

Parameter Description

status-code-2xx | status-code-non-5xx
Healthy status code numbers – The set of status codes that indicate the HTTP service is
healthy. You can specify any 2xx status code or any status code other than a 5xx code.

passive-interval seconds
The health-monitor interval that is used when passive health monitoring is activated. For
proper operation of the feature, the passive interval should be longer than the health
monitor’s interval. You can specify 1-180 seconds.
The default is 10 seconds.

sample-threshold samples-per-second
Minimum number of server replies that must contain one of the specified status codes, within
a given one-second interval, before passive health monitoring is enabled. The sample
threshold helps prevent passive health monitoring from taking effect after only a small total
number of samples are taken. You can specify 1-10000 samples per second.
The default is 50.

threshold percent
Minimum percentage of server replies that must contain a healthy status code, within a given
one-second interval, before passive health monitoring is activated. You can specify 0-100
percent.
The default is 75 percent. If you specify 0, this parameter is disabled, in which case there
is no minimum threshold.

Default See descriptions.

Mode Health monitor configuration

Introduced in Release 2.7.1

Example The following commands create a new health monitor, and enable passive health-monitoring
mode:

ACOS(config)#health monitor http-passive
ACOS(config-health:monitor)#passive status-code-2xx

The following command sets the method to HTTP:

ACOS(config-health:monitor)#method http

The following commands configure a real server, service group, and virtual server. The HTTP
health monitor configured above is applied to the TCP port on the real server.

ACOS(config)#slb server ser1 172.168.1.107
ACOS(config-real server)#no health-check
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#health-check http-passive
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
ACOS(config)#slb service-group sg1 tcp
ACOS(config-slb svc group)#member ser1 80
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#exit
ACOS(config)#slb virtual-server vs1 172.168.6.100
ACOS(config-slb vserver)#port 80 tcp
ACOS(config-slb vserver-vport)#service-group sg1

retry
Description Maximum number of times ACOS will send the same health check to an unresponsive server
before determining that the server is down. You can specify 1-5.

Syntax [no] retry number

Default 3

strictly-retry-on-server-error-response
Description Force the ACOS device to wait until all retries are unsuccessful before marking a server or
port Down.

Syntax [no] strictly-retry-on-server-error-response

Default Disabled. For some health method types, the ACOS device marks the server or port Down
after the first failed health check attempt, even if the retries option for the health monitor is
set to higher than 0.

Mode Health monitor configuration

Usage This command is applicable only to some types of health monitors, such as HTTP health
monitors. For example, this command applies to HTTP health monitors that expect a string in
the server reply. By default, if the server’s HTTP port does not reply to the first health check
attempt with the expected string, the ACOS device immediately marks the port Down.

Example The following commands configure an HTTP health monitor that checks for the presence of
“testpage.html”, and enable strict retries for the monitor.

ACOS(config)#health monitor http-exhaust
ACOS(config-health:monitor)#method http url GET /testpage.html
ACOS(config-health:monitor)#strictly-retry-on-server-error-response

up-retry
Description Number of consecutive times the device must pass the same periodic health check, in order
to be marked Up. You can specify 1-10.

Syntax [no] up-retry number

Default 1

Mode Health monitor configuration


Show Commands

The show commands display configuration and system information.

In addition to the command options provided with some show commands, you can use output modifiers to search and filter
the output. See “Searching and Filtering CLI Output” on page 11.

To automatically re-enter a show command at regular intervals, see “repeat” on page 40.

NOTE: The show slb commands are described in a separate chapter. See “SLB Show Commands” on
page 795.

show aam
Description Display information for Application Access Management (AAM). See “AAM Show Commands”
on page 216.

show access-list
Description Display the configured Access Control Lists (ACLs). The output lists the configuration
commands for the ACLs in the running-config.

Syntax show access-list [{ipv4 | ipv6} [acl-id]]

Parameter Description
ipv4 | ipv6 IP address type.
acl-id ACL name or number.

Mode All

Example The following command displays the configuration commands for ACL 1:

ACOS#show access-list ipv4 1
access-list 1 permit 198.162.11.0 0.0.0.255 Data plane hits: 3
access-list 1 deny 198.162.12.0 0.0.0.255 Data plane hits: 1

NOTE: The ACL Hits counter is not applicable to ACLs applied to the management port.

show active-partition
Description This command is described in the Configuring Application Delivery Partitions guide.

show admin
Description Display the administrator accounts.

Syntax show admin [admin-name] [detail | session]

Parameter Description
admin-name Administrator name.
detail Shows detailed information about the admin account.
session Shows the current management sessions.

Mode Privileged EXEC mode and configuration mode

Example The following command lists the admins configured on an ACOS device:

ACOS#show admin
Total number of configured users: 8
Privilege R: read-only, W: write, P: partition, En: Enable
Access Type C: cli, W: web, A: axapi

UserName     Status    Privilege  Access   Partition
-------------------------------------------------------------------
admin        Enabled   R/W        C/W/A
admin1       Enabled   R/W        W
admin2       Enabled   R          C/W/A
CorpAadmin   Enabled   P.En       C/W/A    companyA
CorpBadmin   Enabled   P.R/W      C/W/A    companyB

The following table describes the fields in the command output.

Field Description
UserName Name of the ACOS admin.
Status Administrative status of the account.
Privilege Access privilege level for the account:
• R/W – Read-write. Allows access to all levels of the system.
• R – Read-only. Allows monitoring access to the system but not configuration access. In the
CLI, this account can only access the User EXEC and Privileged EXEC levels, not the
configuration levels. In the GUI, this account cannot modify configuration information.
• P.R/W – The admin has read-write privileges within the L3V partition to which the admin
has been assigned. The admin has read-only privileges for the shared partition.
• P.R – The admin has read-only privileges within the L3V partition to which the admin has
been assigned, and read-only privileges for the shared partition.
• P.En – The admin is assigned to an L3V partition but has permission only to view service
port statistics for real servers in the partition, and to disable or re-enable the real
servers or their service ports.
NOTE: The “P” (partition) privilege levels apply to Application Delivery Partitions (ADP).
For more information, see the Configuring Application Delivery Partitions guide.
Access Which modules the admin is allowed to access:
• C - Admin is allowed CLI access.
• W - Admin is allowed web (GUI) access.
• A - Admin is allowed aXAPI access.
Partition L3V partition to which the admin is assigned.

Example The following command lists details for the “admin” account:

ACOS#show admin admin detail


User Name ...... admin
Status ...... Enabled
Privilege ...... R/W
Partition ......
Access type .....cli web axapi
GUI role ......
Trusted Host(Netmask) ...... Any
Lock Status ...... No
Lock Time ......
Unlock Time ......
Password Type ...... Encrypted
Password ...... $1$6334ba07$CKbWL/LuSNdY12kcE.KdS0


The following table describes the fields in the command output.

Field Description
User Name Name of the ACOS admin.
Status Administrative status of the account.
Privilege Access privilege level for the account:
• R/W – Read-write. Allows access to all levels of the system.
• R – Read-only. Allows monitoring access to the system but not configuration access. In the CLI, this account can only access the User EXEC and Privileged EXEC levels, not the configuration levels. In the GUI, this account cannot modify configuration information.
• Partition-write – The admin has read-write privileges within the private partition to which the admin has been assigned. The admin has read-only privileges for the shared partition.
• Partition-read – The admin has read-only privileges within the private partition to which the admin has been assigned, and read-only privileges for the shared partition.
• Partition-enable-disable – The admin is assigned to a private partition but has permission only to view service port statistics for real servers in the partition, and to disable or re-enable the real servers and their service ports.
Partition Private partition to which the admin is assigned.
Note: A partition name appears only for admins with Partition-write, Partition-read, or Partition-enable-disable privileges. For other privilege levels, this field is blank.
Access type Management interfaces the admin is allowed to access, which can be one or more of the following:
• cli
• web
• axapi
GUI role Role assigned to the admin for GUI access.
Note: If the admin is configured using the GUI, assignment of a role is required. However, if the admin is configured using the CLI, a GUI access role cannot be assigned. In this case, the GUI role is equivalent to ReadWriteAdmin.
Trusted Host(Netmask) IP host or subnet address from which the admin must log in.
Lock Status Indicates whether the admin account is currently locked.
Lock Time If the account is locked, indicates how long the account has been
locked.
Unlock Time If the account is locked, indicates how long the account will continue
to be locked.
Password Type Indicates whether the password is encrypted when displayed in the
CLI or GUI and in the startup-config and running-config.
Password The admin’s password.


Example The following command lists all the currently active admin sessions:

ACOS#show admin session


Id  User Name  Start Time                    Source IP     Type        Partition  Authen  Role            Cfg
------------------------------------------------------------------------------------------------------------
2   admin      11:35:49 IST Tue Sep 30 2014  127.0.0.1     WEBSERVICE             Local   ReadWriteAdmin  No
*4  admin      11:43:12 IST Tue Sep 30 2014  172.17.0.224  CLI                    Local   ReadWriteAdmin  No

The following table describes the fields in the command output.

Field Description
Id Admin session ID assigned by the ACOS device. The ID applies only to the
current session.
User Name Admin name.
Start Time System time when the admin logged onto the ACOS device to start the
current management session.
Source IP IP address from which the admin logged on.
Type Management interface through which the admin logged on.
Partition Partition that is currently active for the management session.
Authen Indicates the database used to authenticate the admin:
• Local – Admin database on the ACOS device
• RADIUS – Admin database on a RADIUS server
• TACACS – Admin database on a TACACS+ server
Role Indicates the role assigned to the admin for GUI access.
Cfg Indicates whether the admin is at the configuration level.

show aflex
Description Display the configured aFleX scripts.

Syntax show aflex [aflex-name] [all-partitions | partition name]

Mode All

Usage To display the aFleX policies for a specific partition only, use the partition name option.

Example The following command shows the aFleX scripts on an ACOS device:

ACOS#show aflex
Total aFleX number: 6
Name Syntax Virtual port
------------------------------------------------------------
aFleX_Remote No No
aFleX_check_agent No No
aFleX_relay_client Check No
bugzilla_proxy_fix Check Bind
http_to_https Check No
louis No No

The following table describes the fields in the command output.

Field Description
Total aFleX number Total number of aFleX scripts on the Thunder Series.
Name Name of the aFleX policy.
Syntax Indicates whether the aFleX policy has passed the syntax check performed by the ACOS device:
• Check – The aFleX policy passed the syntax check.
• No – The aFleX policy did not pass the syntax check.
Virtual port Indicates whether the aFleX policy is bound to a virtual port.

show arp
Description Display ARP table entries.

Syntax show arp [all | ipaddr]

Mode All

Example The following command lists the ARP entry for host 192.168.1.144:

ACOS#show arp 192.168.1.144


Total arp entries: 3 Age time: 300 secs
IP Address MAC Address Type Age Interface Vlan
---------------------------------------------------------------------------
192.168.210.1 021f.a000.0009 Dynamic 14 Management 1
192.168.210.5 001f.a004.ee6c Dynamic 47 Management 1
192.168.210.128 001f.a010.0dca Dynamic 274 Management 1


The following table describes the fields in the command output.

Field Description
Total arp entries Total number of entries in the ARP table. This total includes static and
learned (dynamic) entries.
Age time Number of seconds a dynamic ARP entry can remain in the table
before being removed.
IP Address IP address of the device.
MAC Address MAC address of the device.
Type Indicates whether the entry is static or dynamic.
Age For dynamic entries, the number of seconds since the entry was last
used.
Interface ACOS interface through which the device that has the displayed
MAC address and IP address can be reached.
Vlan VLAN through which the device that has the MAC address can be
reached.

show audit
Description Show the command audit log.

Syntax show audit [all-partitions | partition name]

Mode All

Usage The audit log is maintained in a separate file, apart from the system log. The audit log messages that are displayed for an admin depend upon the admin’s privilege level:
• Admins with Root, Read Write, or Read Only privileges who view the audit log can view all the messages, for all system partitions. To display the messages for a specific partition only, use the partition name option.
• Admins who have privileges only within a specific partition can view only the audit log messages related to management of that partition. Admins with partition-enable-disable privileges cannot view any audit log entries.

Example Below is a sample output of the command audit log (truncated for brevity):

ACOS#show audit
Sep 30 2014 11:54:26 [admin] cli: [172.17.0.224:60009] show audit
Sep 30 2014 11:54:22 [admin] axapi: [1412074462810894] RESP HTTP status 200 OK
Sep 30 2014 11:54:22 [admin] axapi: [1412074462810894] GET: /axapi/v3/system/ctrl-cpu/oper
Sep 30 2014 11:54:22 [admin] axapi: [1412074462808372] RESP HTTP status 200 OK
Sep 30 2014 11:54:22 [admin] axapi: [1412074462808372] GET: /axapi/v3/system/memory/oper
Sep 30 2014 11:54:22 [admin] axapi: [1412074462804830] RESP HTTP status 200 OK
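
The audit lines above share one layout: timestamp, admin name in brackets, management interface, a bracketed source or ID, then the command or HTTP message. The following Python sketch is an added example, not A10 code: it parses that layout, rejoins wrapped lines, and pairs each aXAPI request with its response by the bracketed ID. The field names, and reading the bracketed aXAPI value as a per-request ID, are assumptions drawn from the sample output.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Copied from the `show audit` sample on this page, including the wrapped line.
SAMPLE = """\
Sep 30 2014 11:54:26 [admin] cli: [172.17.0.224:60009] show audit
Sep 30 2014 11:54:22 [admin] axapi: [1412074462810894] RESP HTTP status 200 OK
Sep 30 2014 11:54:22 [admin] axapi: [1412074462810894] GET: /axapi/v3/system/ctrl-cpu/
oper
Sep 30 2014 11:54:22 [admin] axapi: [1412074462808372] RESP HTTP status 200 OK
Sep 30 2014 11:54:22 [admin] axapi: [1412074462808372] GET: /axapi/v3/system/memory/oper
Sep 30 2014 11:54:22 [admin] axapi: [1412074462804830] RESP HTTP status 200 OK
"""

# Layout assumed from the sample:
#   "<Mon DD YYYY HH:MM:SS> [admin] module: [context] message"
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<admin>[^\]]+)\] (?P<module>\w+): \[(?P<ctx>[^\]]+)\] (?P<msg>.*)$"
)
REQUEST = re.compile(r"^(?P<method>[A-Z]+): (?P<path>\S+)$")
RESPONSE = re.compile(r"^RESP HTTP status (?P<code>\d{3})\b")


@dataclass
class AuditEntry:
    when: datetime
    admin: str
    module: str    # "cli" or "axapi" in the sample
    context: str   # "ip:port" for cli, numeric ID for axapi
    message: str


def parse_audit(text):
    """Turn raw `show audit` text into AuditEntry objects, rejoining wrapped lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if m:
            when = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            entries.append(AuditEntry(when, m["admin"], m["module"], m["ctx"], m["msg"]))
        elif entries:
            # Continuation of a wrapped line. The sample wraps mid-path,
            # so the pieces are joined without a space.
            entries[-1].message += line
    return entries


def axapi_calls(entries):
    """Group aXAPI entries by bracketed ID: {id: {admin, method, path, status}}."""
    calls = {}
    for e in entries:
        if e.module != "axapi":
            continue
        call = calls.setdefault(
            e.context, {"admin": e.admin, "method": None, "path": None, "status": None}
        )
        resp = RESPONSE.match(e.message)
        req = REQUEST.match(e.message)
        if resp:
            call["status"] = int(resp["code"])
        elif req:
            call["method"], call["path"] = req["method"], req["path"]
    return calls


def incomplete_calls(calls):
    """IDs seen with only a request or only a response (e.g. cut off by truncation)."""
    return sorted(i for i, c in calls.items() if c["path"] is None or c["status"] is None)


def cli_sources(entries):
    """(admin, source IP) pairs seen on CLI entries."""
    return {(e.admin, e.context.rsplit(":", 1)[0]) for e in entries if e.module == "cli"}


if __name__ == "__main__":
    parsed = parse_audit(SAMPLE)
    for call_id, call in axapi_calls(parsed).items():
        print(call_id, call)
    print("incomplete:", incomplete_calls(axapi_calls(parsed)))
    print("cli sources:", cli_sources(parsed))
```

Because the sample is truncated, the last response has no matching request in view; `incomplete_calls` reports it rather than silently dropping it.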


show axdebug capture


Description Display a list of AX Debug files.

Syntax show axdebug capture [partition name] [file-name]

Parameter Description
partition name Displays files only for a select partition.
file-name Filters the show output for only files that partially match a specified file-name.

Mode All

show axdebug config


Description Display the AX Debug filter configuration currently applied on ACOS.

Syntax show axdebug config

Mode All

Example This example shows the output of the show axdebug config command:

ACOS(config)#show axdebug config
timeout 5
no incoming
no outgoing
count 3000
length 1518

show axdebug config-file


Description Display a list of the AX debug configuration files.

Syntax show axdebug config-file

Mode All


show axdebug file


Description Display AX debug capture files or their contents.

Syntax show axdebug file [filename]

Mode All

Example The following command displays the list of AX debug capture files on the device:

ACOS(axdebug)#show axdebug file


------------------------------------+--------------+----------------------------
Filename | Size(Byte) | Date
------------------------------------+--------------+----------------------------
file1 | 58801 | Tue Sep 23 22:49:07 2008
file123 | 192 | Fri Sep 26 17:06:51 2008
------------------------------------+--------------+----------------------------
Total: 2
Maximum file number is: 100

Example The following command displays the packet capture data in file “file123”:

ACOS(axdebug)#show axdebug file file123

Parse file for cpu #1:

Parse file for cpu #2:

15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: S 2111796945:2111796945(0) ack 3775149588 win 5792 <mss 1460,sackOK,timestamp 1368738447 524090233,nop,wscale 7>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: S 2111796945:2111796945(0) ack 3775149588 win 5792 <mss 1460,sackOK,timestamp 1368738447 524090233,nop,wscale 7>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: . ack 150 win 54 <nop,nop,timestamp 1368738447 524090233>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: . ack 150 win 54 <nop,nop,timestamp 1368738447 524090233>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: P 1:192(191) ack 150 win 54 <nop,nop,timestamp 1368738447 524090233>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: P 1:192(191) ack 150 win 54 <nop,nop,timestamp 1368738447 524090233>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: F 192:192(0) ack 151 win 54 <nop,nop,timestamp 1368738448 524090234>


show axdebug filter


Description Display the configured AXdebug output filters.

Syntax show axdebug filter [filter-num]

Mode All

show axdebug status


Description Display per-CPU packet capture counts for AXdebug.

Syntax show axdebug status [cpu-num [...]]

Mode All

Example The following example shows the output for the show axdebug status command for all
CPUs:

ACOS(config)#show axdebug status


axdebug is enabled
6660 seconds left
debug incoming interface 1
debug outgoing interface 2 3 5 8 9 10 11 12
maximum 111 packets
Captured packet length 1111
cpu#1 captured 4 packets.
cpu#2 captured 1 packets.
cpu#3 captured 8 packets.
cpu#4 captured 1 packets.
cpu#5 captured 0 packets.
cpu#6 captured 6 packets.

show backup
Description Display information about scheduled backups.

Syntax show backup

Mode All


show bfd
Description Display information for Bidirectional Forwarding Detection (BFD).

Syntax show bfd {neighbors [detail] | statistics}

Parameter Description
neighbors [detail] Displays summarized or detailed information for BFD neighbors.
statistics Displays overall statistics for BFD packets.

Mode All

Example The following example shows how to view overall statistics for BFD packets:

ACOS(config)#show bfd statistics


IP Checksum error 0
UDP Checksum error 0
No session found with your_discriminator 0
Multihop config mismatch 0
BFD Version mismtach 0
BFD Packet length field is too small 0
BFD Packet data is short 0
BFD Packet DetectMult is invalid 0
BFD Packet Multipoint is invalid 0
BFD Packet my_discriminator is invalid 0
BFD Packet TTL/Hop Limit is invalid 0
BFD Packet auth length is invalid 0
BFD Packet auth mismatch 0
BFD Packet auth type mismatch 0
BFD Packet auth key ID mismatch 0
BFD Packet auth key mismatch 0
BFD Packet auth seq# invalid 0
BFD Packet auth failed 0
BFD local state is AdminDown 0
BFD Destination unreachable 0
BFD Other error 0

Example The following command displays the BFD neighbor status:

ACOS#show bfd neighbors


Our Address Neighbor Address State Holddown txint mult diag
219.0.0.1 219.0.0.2 Up 150 50 3 3/0
219.0.1.1 219.0.1.2 Up 150 50 3 3/0
219.0.2.1 219.0.2.2 Up 150 50 3 0/0
219.0.3.1 219.0.3.2 Up 150 50 3 0/0
219.0.4.1 219.0.4.2 Up 150 50 3 3/0
219.0.5.1 219.0.5.2 Up 150 50 3 3/0
219.0.6.1 219.0.6.2 Up 150 50 3 0/0
219.0.7.1 219.0.7.2 Up 150 50 3 3/0

The following table describes the fields in the command output.

Field Description
Our Address ACOS interface associated with the BFD session.
Neighbor Address Neighbor interface associated with the BFD session.
State Shows the local state of the session.
Holdtime Maximum amount of time the ACOS device waits for a BFD control packet from the neighbor.
txint Configured interval at which the ACOS device sends BFD control packets to the neighbor.
mult Maximum number of consecutive times the ACOS device will wait for a BFD control packet from
the neighbor.
diag Diagnostic codes for the local and remote ends of the BFD session.

Example The following command displays detailed BFD neighbor status:

ACOS#show bfd neighbors detail


Our Address 219.0.0.1
Neighbor Address 219.0.0.2
Clients OSPFv2, IS-IS
Singlehop, Echo disabled, Demand disabled, UDP source port 53214
Asynchronous mode, Authentication None
CPU ID 2, Interface index 93
Local State Up, Remote State Up, 2h:29m:45s up
Local discriminator 0x00000fdf, Remote discriminator 0x0000006f
Config DesiredMinTxInterval 50 milliseconds, RequiredMinRxInterval 50 milliseconds
Local DesiredMinTxInterval 50 milliseconds, RequiredMinRxInterval 50 milliseconds
Remote DesiredMinTxInterval 50 milliseconds, RequiredMinRxInterval 50 milliseconds
Local Multiplier 3, Remote Multiplier 3
Hold Down Time 150 milliseconds, Transmit Interval 50 milliseconds
Local Diagnostic: Neighbor Signalled Session Down(3)
Remote Diagnostic: No Diagnostic(0)
Last sent echo sequence number 0x00000000
Control Packet sent 215226, received 215195
Echo Packet sent 0, received 0


The following table describes the fields in the command output.

Field Description
Our Address ACOS interface associated with the BFD session.
Neighbor Address Neighbor interface associated with the BFD session.
Clients Protocol that initiates this BFD session. It can be one or more of the following:
Static, OSPFv2, OSPFv3, IS-IS, or BGP.
Singlehop (or Multihop) BFD session can be either singlehop or multihop.
Echo Indicates whether Echo functionality has been enabled or disabled.
Demand Indicates whether Demand mode functionality has been enabled or disabled.
UDP source port UDP source port used for this BFD session.
Asynchronous mode (or Demand mode) If configured and running, indicates whether BFD is operating in Asynchronous mode or Demand mode.
Authentication Authentication method. This can be either “None” (if it is not configured) or one of
the following supported authentication schemes:
• Simple password
• Keyed MD5
• Meticulous Keyed MD5
• Keyed SHA1
• Meticulous Keyed SHA1
CPU ID Since BFD traffic is distributed across multiple data CPUs, this CPU ID refers to the
one associated with the current BFD session.
Interface index Interface index associated with the current BFD session. This index is used mostly for debugging purposes.
Local State Shows the local state of the session. The state can be one of the following:
• Init
• Up
• AdminDown
• Down
Remote State Shows the remote state of the session. The state can be one of the following:
• Init
• Up
• AdminDown
• Down
Local discriminator The local discriminator value that the ACOS device assigns for the current BFD session.
Remote discriminator The remote discriminator value that the neighboring router claims.
Config The configured timer values.
Local The configured timer values sent in the last BFD control packet. This value is determined based on BFD packet exchange and negotiation.
Remote The timer values received in the last BFD control packet from the BFD neighbor.

Local Multiplier The local multiplier sent in the last BFD packet.
Remote Multiplier The remote multiplier received in the last BFD packet from the neighbor.
Hold Down Time The expiration time after which the BFD session will be brought down. This value is
determined with the negotiated interval value and the remote multiplier value.
Transmit Interval The periodic interval to send BFD control packets.
Local Diagnostic: The diagnostic value sent in the last BFD control packet.
Remote Diagnostic: The diagnostic value received in the last BFD control packet from the neighbor.
Last sent echo sequence number A10 Networks’ proprietary sequence number sent in the last echo packet.
Control Packet sent....received Statistics of control packets for this BFD session.
Echo Packet sent...received Statistics of echo packets received for this BFD session.

Example The following command shows BFD statistics:

ACOS(config)# show bfd statistics


IP Checksum error 0
UDP Checksum error 0
No session found with your_discriminator 39958
Multihop config mismatch 0
BFD Version mismatch 0
BFD Packet length field is too small 0
BFD Packet data is short 0
BFD Packet DetectMult is invalid 0
BFD Packet Multipoint is invalid 0
BFD Packet my_discriminator is invalid 0
BFD Packet TTL/Hop Limit is invalid 0
BFD Packet auth length is invalid 0
BFD Packet auth mismatch 0
BFD Packet auth type mismatch 0
BFD Packet auth key ID mismatch 0
BFD Packet auth key mismatch 103
BFD Packet auth seq# invalid 0
BFD Packet auth failed 0
BFD local state is AdminDown 2
BFD Destination unreachable 1
BFD Other error 0


The following table describes the fields in the command output.

Field Description
IP Checksum error Number of BFD packets that had an invalid IP checksum.
UDP Checksum error Number of BFD packets that had an invalid UDP checksum.
No session found with your_discriminator Number of BFD packets whose Your Discriminator value did not match a
My Discriminator value on the ACOS device.
Multihop config mismatch A multihop configuration mismatch occurs when an ACOS device receives a BFD packet with a source or destination that matches an existing BFD session. It can also be caused in two other scenarios:
• Local is configured as singlehop, but the packet is received on the UDP
port for multihop.
• Local is configured as multihop, but packet is received on the UDP port
for singlehop.
BFD Version mismatch Number of BFD packets with a different BFD version than the one in use by
the ACOS device.
BFD Packet length field is too small Number of BFD packets whose Length field value was shorter than the minimum BFD packet length (24 bytes without authentication or 26 bytes with authentication).
BFD Packet data is short The packet payload size is smaller than the BFD length value.
BFD Packet DetectMult is invalid The value of the received DetectMult is “0”.
BFD Packet Multipoint is invalid The value of the received multipoint flag is set to “1”.
BFD Packet my_discriminator is invalid Number of BFD packets whose My Discriminator value was invalid.
BFD Packet TTL/Hop Limit is invalid In a singlehop BFD session, the IP time-to-live or IPv6 hop limit value must
be 255. If a value other than 255 is detected, this field is incremented.
BFD Packet auth length is invalid The BFD length without the BFD packet header does not match the expected authentication length byte value. This field counts the BFD control packets that have a wrong authentication length (in bytes).
BFD Packet auth type mismatch Number of BFD packets carrying an authentication type that does not
match the BFD authentication type configured on the ACOS device.
BFD Packet auth key ID mismatch This field is incremented when the key ID in the authentication header does
not match the one configured on the ACOS device.
BFD Packet auth key mismatch This field is incremented when the received authentication key does not
match the one configured on the ACOS device.
BFD Packet auth seq# invalid This field is incremented when the received authentication sequence number is not equal to or greater than the sequence number received previously.
BFD Packet auth failed Number of BFD packets with an incorrect authentication value.
BFD local state is AdminDown Number of BFD packets received while the BFD session was administratively down.

BFD Destination unreachable Number of times the destination IP address for a BFD neighbor was
unreachable while the ACOS device was attempting to transmit a BFD
packet to the neighbor.
BFD Other error Number of BFD errors not counted in any of the fields above.
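
The counters in this table only ever accumulate, so a single reading says little; what matters is which ones moved between two readings. The following Python sketch is an added example, not A10 code: it parses two `show bfd statistics` outputs (excerpts of the two samples on this page) and reports the increase in the authentication, TTL/Hop Limit and discriminator counters. The choice of which counters to watch is this example's assumption.

```python
import re

# Excerpts of the two `show bfd statistics` outputs shown on this page.
BEFORE = """\
ACOS(config)#show bfd statistics
IP Checksum error 0
No session found with your_discriminator 0
BFD Packet TTL/Hop Limit is invalid 0
BFD Packet auth type mismatch 0
BFD Packet auth key ID mismatch 0
BFD Packet auth key mismatch 0
BFD Packet auth seq# invalid 0
BFD Packet auth failed 0
BFD local state is AdminDown 0
BFD Destination unreachable 0
"""

AFTER = """\
ACOS(config)# show bfd statistics
IP Checksum error 0
No session found with your_discriminator 39958
BFD Packet TTL/Hop Limit is invalid 0
BFD Packet auth type mismatch 0
BFD Packet auth key ID mismatch 0
BFD Packet auth key mismatch 103
BFD Packet auth seq# invalid 0
BFD Packet auth failed 0
BFD local state is AdminDown 2
BFD Destination unreachable 1
"""

# A counter line is "<name> <integer>"; the prompt line does not end in a number.
COUNTER = re.compile(r"^\s*(?P<name>.*\S)\s+(?P<value>\d+)\s*$")

# Assumption of this example: counters worth alerting on, by the names in the table above.
WATCHED_EXACT = {
    "No session found with your_discriminator",
    "BFD Packet TTL/Hop Limit is invalid",
}


def parse_bfd_statistics(text):
    """Return {counter name: value} from raw `show bfd statistics` output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            counters[m["name"]] = int(m["value"])
    return counters


def is_watched(name):
    """True for every 'auth' counter and for the two exact names above."""
    return " auth " in f" {name} " or name in WATCHED_EXACT


def suspicious_deltas(before, after):
    """List (name, increase) for watched counters that grew, largest first."""
    findings = []
    for name, now in after.items():
        prev = before.get(name, 0)          # counter absent earlier: treat as 0
        delta = now - prev if now >= prev else now  # smaller value: counters were reset
        if delta > 0 and is_watched(name):
            findings.append((name, delta))
    return sorted(findings, key=lambda f: (-f[1], f[0]))


if __name__ == "__main__":
    before = parse_bfd_statistics(BEFORE)
    after = parse_bfd_statistics(AFTER)
    for name, delta in suspicious_deltas(before, after):
        print(f"+{delta:<6} {name}")
```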

show bgp
Description Display information for Border Gateway Protocol (BGP). See “BGP Show Commands” on
page 447.

show bootimage
Description Display the software images stored on the Thunder Series device.

Syntax show bootimage

Mode All

Example The following command shows the software images on an A10 Thunder Series 4430 device:

ACOS#show bootimage
(* = Default)
Version
-----------------------------------------------
Hard Disk primary 4.0.0.485
Hard Disk secondary 2.7.2-P2-SP6.1 (*)
Compact Flash primary 2.7.2.191 (*)
Compact Flash secondary 2.7.2.191

The asterisk ( * ) indicates the default image for each boot device (hard disk and compact
flash). The default image is the one that the Thunder Series device will try to use first, if trying
to boot from that boot device. (The order in which ACOS tries to use the image areas is
controlled by the bootimage command. See “bootimage” on page 75.)


show bpdu-fwd-group
Description Display the configured Bridge Protocol Data Units (BPDU) forwarding groups.

Syntax show bpdu-fwd-group [number]

Specify a BPDU forwarding group number to view the configuration of the specified BPDU
forwarding group. If you omit this option, all configured BPDU forwarding groups are shown.

Mode All

Example The following command shows all configured BPDU forwarding groups:

ACOS#show bpdu-fwd-group
BPDU forward Group 1 members: ethernet 1 to 3
BPDU forward Group 2 members: ethernet 9 to 12

show bridge-vlan-group
Description Display information for a bridge VLAN group.

Syntax show bridge-vlan-group [group-id]

Mode All

show bw-list
Description Show black/white list information.

Syntax show bw-list [name [detail | ipaddr]]

Parameter Description
name Name of a black/white list.
detail Displays the IP addresses contained in a black/white list.
ipaddr IP address within the black/white list.

Default N/A

Mode Config

Example The following command shows all the black/white lists on a Thunder Series device:

ACOS#show bw-list
Name Url Size(Byte) Date
----------------------------------------------------------------------------
bw1 tftp://192.168.1.143/bwl.txt 106 Jan/22 12:48:01
bw2 tftp://192.168.1.143/bw2.txt 211 Jan/23 10:02:44
bw3 tftp://192.168.1.143/bw3.txt 192 Feb/11 08:02:01
bw4 Local 82 Dec/12 21:01:05
Total: 4

Example The following command shows the IP addresses in black/white list “test”:

ACOS#show bw-list test detail


Name: test
URL: tftp://192.168.20.143/bwl_test.txt
Size: 226 bytes
Date: May/11 12:04:00
Update period: 120 seconds
Update times: 2

Content
------------------------------------------------------------------------------
1.1.1.0 #13
1.1.1.1 #13
1.1.1.2 #13
1.1.1.3 #13
1.1.1.4 #13
9.9.99.9 9
1.2.3.4/32 31
4.3.2.1/24 4
10.1.2.1/32 1
10.1.2.2/32 2
10.1.2.3/32 3
10.1.2.4/32 4
10.3.2.1/32 3
10.3.2.2/32 4
10.5.2.1/32 5
10.5.2.2/32 6
128.0.0.0/1 11

show class-list
Description Display information for class lists.

Syntax show class-list [name [ipaddr]]

Replace name with the class list name or ipaddr with an IP address in the class list. If neither
option is specified, the list of configured class lists is displayed instead.

Mode All

Example The following command displays the class-list files on the ACOS device:


ACOS#show class-list
Name IP Subnet Location
test 4 3 file
user-limit 14 4 config
Total: 2

The following table describes the fields in the command output.

Field Description
Name Name of the class list.
IP Number of host IP addresses in the class list.
Subnet Number of subnets in the class list.
Location Indicates whether the class list is in the startup-config or in a standalone file:
• config – Class list is located in the startup-config.
• file – Class list is located in a standalone file.
Total Total number of class lists on the ACOS device.

The following command shows details for a class list:

ACOS#show class-list test


Name: test
Total single IP: 4
Total IP subnet: 3
Content:
1.1.1.1 /32 glid 1
2.2.2.2 /32 glid 2
10.1.2.1 /32 lid 1
10.1.2.2 /32 lid 2
20.1.1.0 /24 lid 1
20.1.2.0 /24 lid 2
0.0.0.0 /0 lid 31

The following commands show the closest matching entries for specific IP addresses in class
list “test”:

ACOS#show class-list test 1.1.1.1
1.1.1.1 /32 glid 1
ACOS#show class-list test 1.1.1.2
0.0.0.0 /0 lid 31

The class list contains an entry for 1.1.1.1, so that entry is shown. However, since the class list
does not contain an entry for 1.1.1.2 but does contain a wildcard entry (0.0.0.0), the wildcard
entry is shown.
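
The lookup behaviour described above can be reproduced offline to check which limit ID an address will receive before a class list is deployed. The following Python sketch is an added example, not A10 code: it loads the entries of class list “test” as shown on this page and returns the closest match, assuming “closest” means the containing entry with the longest prefix, which is consistent with the two lookups shown.

```python
import ipaddress
import re

# Entries of class list "test", copied from the `show class-list test` output on this page.
CLASS_LIST = """\
1.1.1.1 /32 glid 1
2.2.2.2 /32 glid 2
10.1.2.1 /32 lid 1
10.1.2.2 /32 lid 2
20.1.1.0 /24 lid 1
20.1.2.0 /24 lid 2
0.0.0.0 /0 lid 31
"""

# "<address> /<prefix length> <glid|lid> <number>", as printed by the CLI.
ENTRY = re.compile(
    r"^(?P<addr>[^\s/]+)\s*/(?P<plen>\d+)\s+(?P<kind>glid|lid)\s+(?P<num>\d+)$"
)


def parse_class_list(text):
    """Return a list of (network, kind, number) tuples; unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(f"{m['addr']}/{m['plen']}", strict=False)
        entries.append((net, m["kind"], int(m["num"])))
    return entries


def closest_match(entries, ip):
    """Longest-prefix match (assumed semantics); None when no entry contains the address."""
    addr = ipaddress.ip_address(ip)
    hits = [e for e in entries if e[0].version == addr.version and addr in e[0]]
    return max(hits, key=lambda e: e[0].prefixlen, default=None)


def format_entry(entry):
    """Render an entry the way the CLI prints it, or 'no match'."""
    if entry is None:
        return "no match"
    net, kind, num = entry
    return f"{net.network_address} /{net.prefixlen} {kind} {num}"


if __name__ == "__main__":
    entries = parse_class_list(CLASS_LIST)
    for ip in ("1.1.1.1", "1.1.1.2", "20.1.2.77"):
        print(ip, "->", format_entry(closest_match(entries, ip)))
    # Without the 0.0.0.0 /0 wildcard, an unlisted address matches nothing.
    print("1.1.1.2 ->", format_entry(closest_match(entries[:-1], "1.1.1.2")))
```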


show clns
Description Show Connectionless Network Service (CLNS) information.

Syntax show clns [tag] [is-neighbors options | neighbors options]

Parameter Description
is-neighbors Displays IS neighbor adjacencies.
neighbors Displays CLNS neighbor adjacencies.
options Optional display filters:
• detail
• ethernet portnum [detail]
• loopback [portnum] [detail]
• management [detail]
• trunk num [detail]
• udld num [detail]
• ve ve-num [detail]

Mode All

Example The show clns neighbors command displays IS-IS helper information when ACOS is in
helper mode for a particular IS-IS neighbor. Here is an example:

ACOS#show clns neighbors


Area ax1:
System Id Interface SNPA State Holdtime Type Protocol
0000.0000.0004 ethernet 10 78fe.3d32.880a * Up 99 L2 M-ISIS

The asterisk (*) character in the output indicates that IS-IS is in helper mode for the neighbor.

show clock
Description Display the time, timezone, and date.

Syntax show clock [detail]

The detail option shows the clock source, which can be one of the following:
• Time source is NTP
• Time source is user configuration

Mode All

Example The following command shows clock information for a Thunder Series device:

ACOS#show clock detail


20:27:16 Europe/Dublin Sat Apr 28 2007
Time source is NTP


Example If a dot appears in front of the time, the ACOS device has been configured to use NTP but
NTP is not synchronized. The clock was in sync, but has since lost contact with all configured
NTP servers.

ACOS#show clock
.20:27:16 Europe/Dublin Sat Apr 28 2007

Example If an asterisk appears in front of the time, the clock is not in sync or has never been set.

ACOS#show clock
*20:27:16 Europe/Dublin Sat Apr 28 2007

show config
Description This command displays the entire running configuration.

Syntax show config

Default N/A

Mode Global

Usage Use this command to display the entire running configuration for the ACOS device, or for the
particular partition which you are viewing.

Related Commands show running-config

show config-block
Description This command displays the current configurations being made in either block-merge or
block-replace mode.

Syntax show config-block

Default N/A

Mode Block-merge or Block-replace configuration mode

Usage Use this command to display the uncommitted configurations you have made in either block-merge or block-replace mode. These commands are not a part of the running configuration, but they will be implemented upon ending block-merge or block-replace mode.

show context
Description View the configuration for the sub-module in which the command is run.


For example, if you are configuring a virtual port under a virtual server, the show context
command displays only the portion of the configuration within the context of the virtual
port configuration; see the examples below.

Unlike other show commands, the show context command is only available in Global
configuration mode, or any additional sub-mode. For example, if you are configuring a port
under an SLB server, this command shows only the configuration related to the port.

Syntax show context

Mode Global configuration mode or further sub-modes

Example The following example shows the portion of the configuration related to BGP AS 1:

ACOS(config)#router bgp 1
ACOS(config-bgp:1)#show context
!Section configuration: 216 bytes
!
router bgp 1
network 2.2.2.2/32
neighbor a peer-group
neighbor 3.3.3.3 remote-as 1
address-family ipv6
bgp dampening 3 3 3 3
neighbor a activate
neighbor a capability orf prefix-list send

Example The following example first shows the portion of the running-config related to server s1,
then only the portion related to port 80:

ACOS(config-bgp:1-ipv6)#slb server s1
ACOS(config-real server)#show context
!Section configuration: 104 bytes
!
slb server s1 1.1.1.1
port 80 tcp
weight 2
conn-limit 2
conn-resume 1
port 81 tcp
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#show context
!Section configuration: 64 bytes
!
port 80 tcp
weight 2
conn-limit 2
conn-resume 1

show core
Description Display core dump statistics.

Syntax show core [process]

The process parameter shows core dump statistics for processes on the ACOS device.
Without this option, system core dump statistics are shown instead.

Mode Privileged EXEC level and configuration levels

Example The following command shows system core dump statistics:

ACOS#show core
The LB process has reloaded 1 time.
The LB process has crashed 0 time.
The LB process has been up for 2755 seconds.

show cpu
Description Display CPU statistics.

Syntax show cpu
[history [seconds | minutes | hours | control-cpu | data-cpu]]
[overall]
[interval seconds]

Parameter Description
history Show control CPU and data CPU usage information.
seconds Show CPU usage information in last 60 seconds.
minutes Show CPU usage information in last hour.
hours Show CPU usage information in last 72 hours.
control-cpu Show Control CPU usage information.
data-cpu Show Data CPU usage information.
interval seconds Automatically refreshes the output at the specified interval. If you omit
this option, the output is shown one time. If you use this option, the
output is repeatedly refreshed at the specified interval until you press
ctrl+c.

Mode Privileged EXEC level and configuration levels

If you enter the show cpu command from within an L3V partition, the command shows
utilization for only that partition.

Example The following command shows CPU statistics in 10-second intervals:

ACOS#show cpu interval 10


Cpu Usage: (press ^C to quit)
1Sec 5Sec 10Sec 30Sec 60Sec
--------------------------------------------------------
Time: 16:28:57 PST Wed Jan 16 2008
Control 2% 2% 2% 2% 2%
Data0 0% 0% 0% 0% 0%
Data1 0% 0% 0% 0% 0%

Time: 16:29:07 PST Wed Jan 16 2008
Control 2% 2% 2% 2% 2%
Data0 0% 0% 0% 0% 0%
Data1 0% 0% 0% 0% 0%
...
<ctrl+c>

ACOS#

The following table describes the fields in the command output.

Field Description
Time System time when the statistics were gathered.
Control Control CPU.
Data0-7 Data CPU. The number of data CPUs depends on the ACOS model.
1Sec-60sec Time intervals at which statistics are collected.

Example The following command output displays CPU utilization rates plotted over the last 60
seconds. The x-axis represents the time elapsed and the y-axis represents the CPU utilization
rate. Asterisks appear along the bottom of the output to illustrate the CPU utilization rates
over time. The figure below only shows the usage for the Control CPU. The usage for the
Control CPU and Data CPU are displayed in separate figures. The CLI command prints 1
asterisk for every 10 percent utilization. This means no asterisk will be printed if the CPU usage is
from 0-4; one asterisk will be printed if the CPU usage is 5-14; two asterisks will be printed if
the CPU usage is 15-24; and so on.

ACOS(config)#show cpu history seconds


Time: 12:27:35 IST Tue Sep 30 2014

533743333333244342332253334382533636436465444746756446654678
100
90
80
70
60
50
40
30
20
10* * * * * * * * ** * **** *** ***
0....0....1....1....2....2....3....3....4....4....5....5....
5 0 5 0 5 0 5 0 5 0 5
Control CPU1: CPU% per second (last 60 seconds)

100
90
80
70
60
50
40
30
20
10
0....0....1....1....2....2....3....3....4....4....5....5....
5 0 5 0 5 0 5 0 5 0 5
Data CPU1: CPU% per second (last 60 seconds)

show debug
Description This command applies to debug output. It is recommended to use the AXdebug subsystem
commands instead of the debug commands. See the following:
• “AX Debug Commands” on page 875
• “show axdebug file” on page 689
• “show axdebug filter” on page 690
• “show axdebug status” on page 690

show default-running-config
Description Show the configuration commands in the running-config, including those for default
settings.

Syntax show default-running-config [feature-area]

Replace feature-area with the name of a feature area to see the configuration information
for that area. For a list of available feature areas, use the show default-running-config ? command.

Mode Privileged EXEC level and configuration levels

Example This example shows the default timeout value for admin administration:

ACOS#show default-running-config admin-lockout


!Section configuration: 28 bytes
!
admin-lockout duration 5
!
!
end

show disk
Description Display status information for the ACOS device hard disks.

Syntax show disk

Mode Privileged EXEC level and configuration levels

Example The following command shows hard disk information for an A10 Thunder Series 4430 device:

ACOS#show disk
Total(MB) Used Free Usage
-----------------------------------------
95393 11301 84091 11.8%

Device Primary Disk Secondary Disk


----------------------------------------------
md0 Active
md1 Active

The following table describes the fields in the command output.

Field Description
Total(MB) Total amount of data the hard disk can hold.
NOTE: The hard disk statistics apply to a single disk. This is true even
if your ACOS device contains two disks. In systems with two disks, the
second disk is a hot standby for the primary disk and is not counted
separately in the statistics.
Used Number of MB used.
Free Number of MB free.
Usage Percentage of the disk that is in use.
Device Virtual partition on the disk:
• md0 – The boot partition
• md1 – The A10 data partition
Primary Disk Status of the left hard disk in the redundant pair:
• Active – The disk is operating normally.
• Inactive – The disk has failed and must be replaced. Contact your
A10 Networks representative.
• Synchronizing – The disk has just been installed and is synchronizing
itself with the other disk.
Secondary Disk Status of the right hard disk in the redundant pair.

show dns cache


Description Display DNS caching information.

Syntax show dns cache {client | entry | statistics}

Parameter Description
client DNS client statistics.
entry DNS cache entries.
statistics DNS caching statistics.

Mode All

Example The following command shows DNS caching statistics:

ACOS#show dns cache statistics
Total allocated: 0
Total freed: 0
Total query: 0
Total server response: 0
Total cache hit: 0
Query not passed: 0
Response not passed: 0
Query exceed cache size: 0
Response exceed cache size: 0
Response answer not passed: 0
Query encoded: 0
Response encoded: 0
Query with multiple questions: 0
Response with multiple questions: 0
Response with multiple answers: 0
Response with short TTL: 0
Total aged out: 0
Total aged for lower weight: 0
Total stats log sent: 0
******The following counters are global to system and not per partition*****
Current allocate: 0
Current data allocate: 0

The following table describes the fields in the command output.

Field Description
Total Allocated Total memory allocated for cached entries.
Total Freed Total memory freed.
Total Query Total number of DNS queries received by the ACOS device.
Total Server Response Total number of responses from DNS servers received by the ACOS device.
Total Cache Hit Total number of times the ACOS device was able to use a cached reply in response
to a query.
Query Not Passed Number of queries that did not pass a packet sanity check.
Response Not Passed Number of responses that did not pass a packet sanity check. The ACOS device
checks the DNS header and question in the packet, but does not parse the entire
packet.
Query Exceed Cache Size Number of queries that were not cached because they had a payload greater than
the maximum size of 512 bytes.
Response Exceed Cache Size Number of responses that were not cached because they had a payload greater
than the maximum size of 512 bytes.
Response Answer Not Passed Number of responses that were not cached because they were malformed DNS
responses.
Query Encoded Number of queries that were not cached because the domain name in the
question was encoded in the DNS query packet.
Response Encoded Number of queries that were not cached because the domain name in the
question was encoded in the DNS response packet.
Query With Multiple Questions Number of queries that were not cached because they contained multiple
questions.
Response With Multiple Questions Number of responses that were not cached because they contained answers for
multiple questions.
Response With Multiple Answers Number of responses that were not cached because they contained more than
one answer.
Response with Short TTL Number of responses that had a short time to live (TTL).
Total Aged Out Total number of DNS cache entries that have aged out of the cache.
Total Aged for Lower Weight Number of cache entries aged out due to their weight value.
Total Stats Log Sent Total number of logs sent.
Current Allocate Current memory allocation.
Current Data Allocate Current data allocation.
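
The rejection counters in the table above are most useful as deltas between two captures of show dns cache statistics. The Python example below is added here and is not A10 code: it parses two captures and reports how much traffic failed the sanity check or could not be cached. The snapshots are constructed, and the min_messages and alert_ratio thresholds are assumptions.

```python
import re

# Counter groups taken from the field table above (labels lower-cased).
SANITY_FAILURES = ("query not passed", "response not passed",
                   "response answer not passed")
NOT_CACHEABLE = ("query exceed cache size", "response exceed cache size",
                 "query encoded", "response encoded",
                 "query with multiple questions",
                 "response with multiple questions",
                 "response with multiple answers")

# Matches "Label: 123"; the prompt line and the "*****" banner do not match.
_COUNTER = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$")


def parse_dns_cache_stats(text):
    """Return {lower-cased label: int} for each counter line in the output."""
    counters = {}
    for line in text.splitlines():
        match = _COUNTER.match(line)
        if match:
            counters[match.group(1).lower()] = int(match.group(2))
    return counters


def counter_deltas(before, after):
    """Increase of each counter between two snapshots.

    A counter that went backwards (statistics cleared or device reloaded)
    is reported as its new value instead of a negative number.
    """
    deltas = {}
    for name, new in after.items():
        old = before.get(name, 0)
        deltas[name] = new - old if new >= old else new
    return deltas


def assess(before_text, after_text, min_messages=100, alert_ratio=0.05):
    """Summarise the interval and list counter groups above alert_ratio.

    min_messages and alert_ratio are assumed tuning values, not ACOS defaults.
    """
    deltas = counter_deltas(parse_dns_cache_stats(before_text),
                            parse_dns_cache_stats(after_text))
    queries = deltas.get("total query", 0)
    messages = queries + deltas.get("total server response", 0)
    sanity = sum(deltas.get(name, 0) for name in SANITY_FAILURES)
    uncached = sum(deltas.get(name, 0) for name in NOT_CACHEABLE)
    hits = deltas.get("total cache hit", 0)

    alerts = []
    if messages >= min_messages:  # ignore ratios on very little traffic
        if sanity / messages > alert_ratio:
            alerts.append("sanity-check failures")
        if uncached / messages > alert_ratio:
            alerts.append("uncacheable messages")
    return {
        "queries": queries,
        "sanity_failures": sanity,
        "not_cacheable": uncached,
        "hit_ratio": hits / queries if queries else None,
        "alerts": alerts,
    }


# Constructed snapshots (abridged field list, invented values).
SNAPSHOT_BEFORE = """\
ACOS#show dns cache statistics
Total query: 1000
Total server response: 400
Total cache hit: 600
Query not passed: 2
Response not passed: 0
Query exceed cache size: 1
Response exceed cache size: 3
******The following counters are global to system and not per partition*****
Current allocate: 5
"""

SNAPSHOT_AFTER = """\
ACOS#show dns cache statistics
Total query: 3000
Total server response: 1900
Total cache hit: 1100
Query not passed: 302
Response not passed: 10
Query exceed cache size: 401
Response exceed cache size: 3
******The following counters are global to system and not per partition*****
Current allocate: 9
"""

if __name__ == "__main__":
    print(assess(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```
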

show dns statistics


Description Show DNS statistics.

Syntax show dns {cache {client | entry | statistics} | statistics}

Parameter Description
cache client Show DNS client statistics.
cache entry Show DNS cache entry.
cache statistics Show DNS cache statistics.
statistics Show DNS packet statistics.

Mode Privileged EXEC level and configuration levels

Usage This command lists statistics values only if the configuration contains a virtual port that is
bound to a UDP template.

Example The following command displays DNS statistics:

ACOS#show dns statistics


DNS statistics for SLB:
-----------------------
No. of requests: 510
No. of responses: 508
No. of request retransmits: 0
No. of requests with no response: 2
No. of resource failures: 0
DNS statistics for IP NAT:
--------------------------
No. of requests: 0
No. of responses: 0
No. of request retransmits: 0
No. of requests reusing a transaction id: 0
No. of requests with no response: 0
No. of resource failures: 0

show dnssec
Description Show DNS Security Extensions (DNSSEC) information. (See “DNSSEC Show Commands” on
page 233.)

show dumpthread
Description Show status information about the SLB process.

Syntax show dumpthread

Mode Privileged EXEC level and configuration levels

Example The following command shows status information for the SLB process:

ACOS#show dumpthread
It has been rebooted 1 time.
It has been crashed 0 time.
The process is up 101102 sec.

show environment
Description Display temperature, fan, and power supply status.

Syntax show environment

Mode All

Example The following command shows environment information for an A10 Thunder Series 4430
device:

ACOS#show environment
Physical System temperature: 47C / 116F
Fan1A : OK-med/high Fan1B : OK-med/high
Fan2A : OK-med/high Fan2B : OK-med/high
Fan3A : OK-med/high Fan3B : OK-med/high
Fan4A : OK-med/high Fan4B : OK-med/high
System Voltage 12V : OK
System Voltage 5V : OK
System Voltage CPU1 DDR3 1.5V : OK
System Voltage CPU1 VCORE (1V) : OK
System Voltage AVCC 3.3V : OK
System Voltage AUX 5V : OK
System Voltage VSB (3.3V) : OK
System Voltage VBAT (3.3V) : OK
Right Power Unit(Rear view) State: On
Left Power Unit(Rear view) State: Off

show event-action
Description View the events generated for L3V partition creation or deletion as configured by the event
command.

Syntax show event-action partition {partition-create | partition-delete}

Parameter Description
partition-create View partition creation events.
partition-delete View partition deletion events.

Mode All

Example This example shows the output of this command:

ACOS(config)#show event-action vnp part-create


Event VNP part-create action configuration: logging off, email off

Related Commands event

show fail-safe
Description Display fail-safe information.

Syntax show fail-safe {config | information}

Parameter Description
config Displays the fail-safe configuration entered by you or other admins.
information Displays fail-safe settings and statistics. The output differs between
models that use FPGAs in hardware and models that do not. (See
“Example” below.)

Mode All

Example The following commands configure some fail-safe settings and verify the changes.

ACOS(config)#fail-safe session-mem-recovery-threshold 30
ACOS(config)#fail-safe fpga-buff-recovery-threshold 2
ACOS(config)#fail-safe sw-error-recovery-timeout 3
ACOS(config)#show fail-safe config
fail-safe hw-error-monitor-enable
fail-safe session-memory-recovery-threshold 30
fail-safe fpga-buff-recovery-threshold 2
fail-safe sw-error-recovery-timeout 3

Example The following command shows fail-safe settings and statistics on an ACOS device that uses
FPGAs in hardware:

ACOS(config)#show fail-safe information


Total Session Memory (2M blocks): 1012
Free Session Memory (2M blocks): 1010
Session Memory Recovery Threshold (2M blocks): 809
Total Configured FPGA Buffers (# of buffers): 4194304
Free FPGA Buffers in Domain 1 (# of buffers): 507787
Free FPGA Buffers in Domain 2 (# of buffers): 508078
Total Free FPGA Buffers (# of buffers): 1015865
FPGA Buffer Recovery Threshold (# of buffers): 256
Total System Memory (Bytes): 2020413440

The following table describes the fields in the command output.

Field Description
Total Session Memory Total amount of the ACOS device’s memory that is allocated for session
processing.
Free Session Memory Amount of the ACOS device’s session memory that is free for new sessions.
Session Memory Recovery Threshold Minimum percentage of session memory that must be free before fail-safe
occurs.
Total Configured FPGA Buffers Total number of configured FPGA buffers the ACOS device has. These buffers are
allocated when the ACOS device is booted. This number does not change during
system operation.
The FPGA device is logically divided into 2 domains, which each have their own
buffers. The next two counters are for these logical FPGA domains.
Free FPGA Buffers in Domain 1 Number of FPGA buffers in Domain 1 that are currently free for new data.
Free FPGA Buffers in Domain 2 Number of FPGA buffers in Domain 2 that are currently free for new data.
Total Free FPGA Buffers Total number of free FPGA buffers in both FPGA domains.
FPGA Buffer Recovery Threshold Minimum number of packet buffers that must be free before fail-safe occurs.
Total System Memory Total size of the ACOS device’s system memory.

Example The following command shows fail-safe settings and statistics on an ACOS device that does
not use FPGAs in hardware. (The FPGA buffer is an I/O buffer instead.)

ACOS(config)#show fail-safe information


Total Session Memory (2M blocks): 1018
Free Session Memory (2M blocks): 1017
Session Memory Recovery Threshold (2M blocks): 305
Total Configured FPGA Buffers (# of buffers): 2097152
Free FPGA Buffers (# of buffers): 2008322
FPGA Buffer Recovery Threshold (# of buffers): 1280
Total System Memory (Bytes): 4205674496

The following table describes the fields in the command output.

Field Description
Total Session Memory Total amount of the ACOS device’s memory that is allocated for session
processing.
Free Session Memory Amount of the ACOS device’s session memory that is free for new sessions.
Session Memory Recovery Threshold Minimum percentage of session memory that must be free before fail-safe
occurs.
Total Configured FPGA Buffers Total number of configured FPGA buffers the ACOS device has. These buffers are
allocated when the ACOS device is booted. This number does not change
during system operation.
Free FPGA Buffers Number of FPGA buffers that are free for new data.
FPGA Buffer Recovery Threshold Minimum number of packet buffers that must be free before fail-safe occurs.
Total System Memory Total size of the ACOS device’s system memory.

show glid
Description Show information for global IP limiting rules.

Syntax show glid [num]

Mode All

Example The following command shows the configuration of each global IP limiting rule:

ACOS#show glid
glid 1
conn-limit 100
conn-rate-limit 100 per 10
request-limit 1
request-rate-limit 10 per 10
over-limit-action reset log 1
glid 2
conn-limit 20000
conn-rate-limit 2000 per 10
request-limit 200
request-rate-limit 200 per 1
over-limit-action reset log 3
glid 30
conn-limit 10000
conn-rate-limit 1000 per 1
over-limit-action forward log

Example The following command shows the configuration of global IP limiting rule 1:

ACOS#show glid 1
glid 1
conn-limit 100
conn-rate-limit 100 per 10
request-limit 1
request-rate-limit 10 per 10
over-limit-action reset log 1

show gslb
Description See the Global Server Load Balancing Guide.

show hardware
Description Displays hardware information for the ACOS device.

Syntax show hardware

Default All

Example Below is a sample output for this command on an A10 Thunder Series 6430S platform:

ACOS#show hardware
Thunder Series Unified Application Service Gateway TH6430S
Serial No : ................
CPU : Intel(R) Xeon(R) CPU
32 cores
7 stepping
Storage : Single 93G drive
Memory : Total System Memory 64118 Mbyte, Free Memory 39743 Mbyte
SSL Cards : 4 device(s) present
4 Nitrox III
GZIP : 0 compression device(s) present
L2/3 ASIC : 1 device(s) present
IPMI : Present
Ports : 20
Flags : CF
SMBIOS : Build Version: 4.6.5
Release Date: 12/11/2012
FPGA : 8 instance(s) present
Date & Time: 07112014

show health
Description Show status information for health monitors.

Syntax show health
{
database |
external [name] |
gateway |
monitor [name] |
postfile [name] |
stat
[all-partitions | partition {shared | name}]
}

Parameter Description
database Show the database health check log.
external [name] Shows configuration settings for the specified external health monitoring program.
gateway Shows configuration settings and statistics for gateway health monitoring.
monitor [name] Shows configuration settings and status for the specified health monitor.
postfile [name] Shows the files used for POST requests in HTTP/HTTPS health checks.
stat Shows health monitoring statistics. The statistics apply to all health monitoring activity on the
Thunder Series device.

Mode All

Usage To display health monitor information for a specific partition only, use the partition name
option.

Example The following command shows configuration settings and status for health monitor “ping”:

ACOS#show health monitor ping


Monitor Name: ping
Interval: 30
Max Retry: 3
Timeout: 5
Status: In use
Method: ICMP

The output shows the method used for the monitor, and the settings for each of the
parameters that are configurable for that method.

Example The following command shows the configuration settings of external health monitoring
program “http.tcl”:

ACOS#show health external http.tcl


External Program Description
http.tcl check http method
!!! Content Begin !!!
set ax_env(Result) 1

# Open a socket
if {[catch {socket $ax_env(ServerHost) $ax_env(ServerPort)} sock]} {
    puts stderr "$ax_env(ServerHost): $sock"
} else {
    fconfigure $sock -buffering none -eofchar {}

    # Send the request
    puts $sock "GET / HTTP/1.0\n"

    # Wait for the response from http server
    set line [read $sock]

    if { [ regexp "HTTP/1.. (\[0-9\]+) " $line match status] } {
        puts "server $ax_env(ServerHost) response : $status"
    }
    close $sock

    # Check exit code
    if { $status == 200 } {
        set ax_env(Result) 0
    }
}
!!! Content End !!!

Example The following command shows health monitoring statistics:

ACOS#show health stat


Health monitor statistics
Total run time: : 2 hours 1345 seconds
Number of burst: : 0
max scan jiffie: : 326
min scan jiffie: : 1
average scan jiffie: : 1
Opened socket: : 1140
Open socket failed: : 0
Close socket: : 1136
Send packet: : 0
Send packet failed: : 259379
Receive packet: : 0
Receive packet failed : 0
Retry times: : 4270
Timeout: : 0
Unexpected error: : 0
Conn Immediate Success: : 0
Socket closed before l7: : 0
Socket closed without fd notify: : 0
Configured health-check rate (/500ms) : Auto configured
Current health-check rate (/500ms): : 1600
External health-check max rate(/200ms) : 2
Total number: : 8009
Status UP: : 8009
Status DOWN: : 0
Status UNKN: : 0
Status OTHER: : 0

IP address Port Health monitor Status Cause(Up/Down) Retry PIN
--------------------------------------------------------------------------------
10.0.0.11 80 http UP 11 /0 @0 0 0 /0 0
10.0.0.12 80 http UP 10 /0 @0 0 0 /0 0

The following table describes the fields in the command output.

Field Description
Total run time Time elapsed since the health monitoring process started.
Number of burst Number of times the system detected that a health check would leave the ACOS
device as a traffic burst, and remedied the situation.
max scan jiffie,
min scan jiffie,
average scan jiffie These are internal counters used by A10 Networks Technical Support for debugging
purposes.
Opened socket Number of sockets opened.
Open socket failed Number of failed attempts to open a socket.
Close socket Number of sockets closed.
Send packet Number of health check packets sent to the target of the health monitor.
Send packet failed Number of sent health check packets that failed. (This is the number of times a
target server or service failed its health check.)
Receive packet Number of packets received from the target in reply to health checks.
Receive packet failed Number of failed receive attempts.
Retry times Number of times a health check was resent because the target did not reply.
Timeout Number of times a response was not received before the health check timed out.
Unexpected error Number of unexpected errors that occurred.
Conn Immediate Success,
Socket closed before l7,
Socket closed without fd notify These are internal counters used by A10 Networks Technical Support.
Configured health-check rate If auto-adjust is enabled, shows “Auto configured”.
If auto-adjust is disabled, shows the manually configured threshold.
Current health-check rate If auto-adjust is enabled, shows the total number of health monitors divided by the
global health-check timeout:
total-monitors / global-timeout
If auto-adjust is disabled, shows the manually configured threshold.
External health-check max rate The external health-check probe rate.
Total number Total number of health checks performed.
Status UP Number of health checks that resulted in status UP.
Status DOWN Number of health checks that resulted in status DOWN.
Status UNKN Number of health checks that resulted in status UNKN.
Status OTHER Number of health checks that resulted in status OTHER.
IP address IP address of the real server.
Port Protocol port on the server.
Health monitor Name of the health monitor.
If the name is “default”, the default health monitor settings for the protocol port type
are being used. (See “health-check” on page 607 for Layer 3 health checks or “port”
on page 608 for Layer 4-7 health checks.)
Status Indicates whether the service passed the most recent health check.
Cause (Up/Down) Up and Down show internal codes for the reasons the health check reported the
server or service to be up or down. (See “Up and Down Causes for the show health
stat Command” on page 885.)
Retry Number of retries.
PIN Indicates the following:
• Current number of retries – Displayed to the left of the slash ( / ). The number of
times the most recent health check was retried before a response was received or
the maximum number of retries was used.
• Current successful up-retries – Displayed to the right of the slash ( / ). Number of
successful health check replies received for the current health check. This field is
applicable if the up-retry option is configured for the health check. (See “health
monitor” on page 103.)

show history
Description Show the CLI command history for the current session.

Syntax show history

Mode Privileged EXEC level and configuration levels

Usage Commands are listed starting with the oldest command, which appears at the top of the list.

Example The following example shows a history of CLI commands (truncated for brevity):

ACOS#show history
enable
show version
show access-list
show admin
show admin admin
show admin detail
show admin session
...

show hsm
Description See “Config Commands: DNSSEC” on page 229.

show icmp
Description Show ICMP rate limiting configuration settings and statistics.

Syntax show icmp [stats]

Use the stats option to view detailed statistics.

Mode All

Example The following command shows ICMP rate limiting settings, and the number of ICMP packets
dropped because the threshold has been exceeded:

ACOS(config)#show icmp
Global rate limit: 5
Global lockup rate limit: 10
Lockup period: 20
Current global rate: 0
Global rate limit drops: 0
Interfaces rate limit drops: 0
Virtual server rate limit drops: 0
Total rate limit drops: 0

show icmpv6
Description Show ICMPv6 rate limiting configuration settings and statistics.

Syntax show icmpv6 [stats]

Use the stats option to view detailed statistics.

Mode All

show interfaces
Description Display interface configuration and status information.

Syntax show interfaces
[brief] |
[ethernet [port-num]] | [ve [vlan-id]] | [lif num] |
[loopback num] | [management] | [trunk [num] | [tunnel num]] |
[media] | [statistics]

NOTE: For information about the media option, see “show interfaces media” on page 723.
For information about the statistics options, see “show interfaces statistics” on
page 724.

Mode Privileged EXEC level and configuration levels

Example The following example shows brief interface information:

ACOS#show interfaces brief


Port Link Dupl Speed Trunk Vlan MAC IP Address Total IPs
-----------------------------------------------------------------------------
mgmt Up Full 100 N/A N/A 0090.0b0a.a594 192.168.20.241/24 1
1 Up Full 1000 None 1 0090.0b0a.a596 10.10.10.241/24 5
2 Up Full 1000 None 1 0090.0b0a.a597 20.20.20.241/24 1
3 Down None None None 1 0090.0b0a.a598 0.0.0.0/0 0
4 Down None None None 1 0090.0b0a.a599 0.0.0.0/0 0
5 Disb None None None 1 0090.0b0a.a59a 0.0.0.0/0 0
6 Disb None None None 1 0090.0b0a.a59b 0.0.0.0/0 0
7 Up Full 1000 None 1 0090.0b0a.a59c 70.70.70.241/24 4
8 Disb None None None 1 0090.0b0a.a59d 0.0.0.0/0 0
...
ve4 Down N/A N/A N/A 4 0090.0b0a.a597 60.60.60.241/24 2
ve6 Up N/A N/A N/A 5 0090.0b0a.a597 99.99.99.241/24 1
lo2 Up N/A N/A N/A N/A N/A 68.67.65.64/23 3

Example The following example shows information for Ethernet port 1:

ACOS#show interfaces ethernet 1


Ethernet 1 is up, line protocol is up
Hardware is GigabitEthernet, Address is 0090.0b0a.a596
Internet address is 10.10.10.241, Subnet mask is 255.255.255.0
Internet address is 10.10.10.242, Subnet mask is 255.255.255.0
Internet address is 10.10.10.243, Subnet mask is 255.255.255.0
Internet address is 10.10.10.244, Subnet mask is 255.255.255.0
Internet address is 10.10.11.244, Subnet mask is 255.255.255.0
Configured Speed auto, Actual 1Gbit, Configured Duplex auto, Actual fdx
Member of L2 Vlan 1, Port is Untagged
Flow Control is enabled, IP MTU is 1500 bytes
Port as Mirror disabled, Monitoring this Port disabled
0 packets input, 0 bytes
Received 0 broadcasts, Received 0 multicasts, Received 0 unicasts
0 input errors, 0 CRC 0 frame
0 runts 0 giants
0 packets output 0 bytes
Transmitted 0 broadcasts 0 multicasts 0 unicasts
0 output errors 0 collisions
300 second input rate: 158073232 bits/sec, 154368 packets/sec, 15% utilization
300 second output rate: 35704 bits/sec, 5 packets/sec, 0% utilization

Example The following example shows information for loopback interface 8:

ACOS#show interfaces loopback 8


Loopback 8 is up, line protocol is up
Hardware is Loopback
Internet address is 10.10.10.55, Subnet mask is 255.255.255.0

Example The following example shows Virtual Ethernet (VE) interface statistics:

ACOS#show interface ve 10
VirtualEthernet 10 is up, line protocol is up
Hardware is VirtualEthernet, Address is 001f.a004.c0e2
Internet address is 110.10.10.1, Subnet mask is 255.255.255.0
IPv6 address is 2001:10::241 Prefix 64 Type: unicast
IPv6 link-local address is fe80::21f:a0ff:fe04:c0e2 Prefix 64 Type: unicast
Router Interface for L2 Vlan 10
IP MTU is 1500 bytes
28 packets input 2024 bytes
Received 0 broadcasts, Received 24 multicasts, Received 4 unicasts
10 packets output 692 bytes
Transmitted 8 broadcasts, Transmitted 2 multicasts, Transmitted 0 unicasts
300 second input rate: 48 bits/sec, 0 packets/sec
300 second output rate: 16 bits/sec, 0 packets/sec

show interfaces media


Description Display information about 1-Gbps and 10-Gbps small form-factor pluggable (SFP+)
interfaces.

Syntax show interfaces media

Mode Privileged EXEC level and configuration levels

Usage On Virtual Chassis System (VCS), this command provides device-specific media information.

NOTE: This command does not show information on media installed in ports that belong
to an L3V partition.

On platforms that do not have a 1 Gigabit Ethernet port installed, on FPGA
platforms, or on a virtual appliance model, the following message is displayed when
you issue the show interfaces media command:

No SPF/SPF+ ports found in this model.

Example The following example shows sample output for this command. The example displays output on
ports with an installed 1 Gigabit SFP and a 10 Gigabit SFP+ module. When an SFP is not
installed, or if the port has not been enabled, an error message appears in the output, as
shown below:

ACOS-Active#show interface media


port 10:
Type: SFP 1000BASE-SX
Vendor: JDS UNIPHASE
Part#: JSH-21S3AB3 Serial#:F549470401B0

port 11:
No media detected.

port 18:
Type: SFP+ 10G Base-SR
Vendor: FINISAR CORP.
Part#: FTLX8571D3BCL Serial#:UG505PM

port 19:
No media detected.

port 20:
Cannot retrieve media information when port is disabled.

In this example, the SFP+ interface for port 18 is installed and its link is up. The other 10-Gbps
interfaces either are down or do not have an SFP+ installed.

Example The following example shows the CLI response if you enter show interfaces media on
an ACOS device that does not support SFP+ interfaces:

ACOS#show interfaces media


No 10G fiber port installed.

show interfaces statistics


Description Display interface statistics.

Syntax show interfaces statistics
[ethernet portnum [ethernet portnum ...]][lif ifnum [lif ifnum ...]]
[{in-pps | in-bps | out-pps | out-bps}]
[interval seconds]

Parameter Description
ethernet portnum Ethernet data interface numbers for which to display statistics. If you
omit this option, statistics are displayed for all Ethernet data interfaces
and logical tunnel interfaces.
lif ifnum Logical tunnel interface numbers for which to display statistics. If you
omit this option, statistics are displayed for all Ethernet data interfaces
and logical tunnel interfaces.
in-pps Inbound traffic, in packets per second (PPS).
in-bps Inbound traffic, in bytes per second (BPS).
out-pps Outbound traffic, in packets per second (PPS).
out-bps Incoming traffic, in bytes per second (BPS).
interval Refreshes the statistics at the specified interval, 1-32 seconds. If you do
seconds not use this option, the statistics are displayed only once.

Mode Privileged EXEC level and configuration levels

show ip
Description Show the IP mode in which the ACOS device is running, gateway or transparent mode.

Syntax show ip

Mode All

Example The following command shows that the ACOS device is running in gateway mode:

ACOS#show ip
System is running in Gateway Mode


show ip active-vrid
Description Show information for the active VRRP-A device.

Syntax show ip active-vrid vrid-num

Replace vrid-num with the VRID number (1-31 in the shared partition, or 1-7 in an L3V
partition).

Mode All

Usage This command displays information for the active VRRP-A device in aVCS deployments that
also use VRRP-A. In aVCS deployments, the virtual chassis has a floating IP address that serves
as the management interface. When you enter show commands from within a session on
the virtual chassis’ floating IP address, the information in the output comes from the vMaster.

In some cases, the information can differ depending on whether the vMaster is also the
active VRRP-A device.

NOTE: The active-vrid option is displayed in the CLI help only if aVCS and VRRP-A both
are enabled. Otherwise, the option is inapplicable and is not displayed.

The following commands support the active-vrid option:

• vcs admin-session-connect command


• All show slb commands that include statistics in the output

Example The following examples show how the output can differ depending on whether the vMaster
is also the active VRRP-A device. These examples also show use of the active-vrid option.

All of the commands are entered in the CLI session on the virtual chassis’s floating IP address.

Output Examples for show arp

The following command displays the ARP table. In this example, the ACOS device is the
vMaster for an aVCS virtual chassis, and is also the active VRRP-A device.

ACOS-Active-vMaster[1/1]#show arp
Total arp entries: 2 Age time: 300 secs
IP Address MAC Address Type Age Interface Vlan
---------------------------------------------------------------------------
192.168.18.1 aaaa.aaaa.aaaa Dynamic 9 Management 1
192.168.18.120 bbbb.bbbb.bbbb Dynamic 251 Management 1

Since neither the device nor the active-vrid option is used, by default the ARP table of
the vMaster is displayed. In the following example, a failover has occurred. The vMaster is a
standby VRRP-A device instead of the active device.

ACOS-Standby-vMaster[1/1]#show arp
Total arp entries: 2 Age time: 300 secs

IP Address MAC Address Type Age Interface Vlan


---------------------------------------------------------------------------
192.168.18.1 aaaa.aaaa.aaaa Dynamic 11 Management 1
192.168.18.120 bbbb.bbbb.bbbb Dynamic 253 Management 1

Notice that the ARP entries are the same. The information is still from the vMaster.

In the current release and previous releases, you can use show commands to determine
which device is the active VRRP-A device for a VRID, then use the device option with the
show command to display the information from the active VRRP-A device. The active-vrid
option provides a simpler way to access the information, as shown in the following
example:

ACOS-Standby-vMaster[1/1]#show arp active-vrid default


Total arp entries: 2 Age time: 300 secs
IP Address MAC Address Type Age Interface Vlan
---------------------------------------------------------------------------
192.168.20.11 cccc.cccc.cccc Dynamic 15 Management 1
192.168.20.13 dddd.dddd.dddd Dynamic 257 Management 1

This output shows the ARP table on the active VRRP-A device for the default VRID. The CLI
prompt does not change, because the CLI session is still on the virtual chassis’ floating IP
address, which is managed by the vMaster. The information, however, comes from the active
device for the VRID.

Output Examples for show virtual-server

This example is similar to the previous one. The information in the first two output examples
shown below comes from the vMaster, even though the vMaster is a VRRP-A standby in the
second set of output.

ACOS-Active-vMaster[1/1]#show slb virtual-server


Total Number of Virtual Services configured: 20
Virtual Server Name IP Current Total Request Response Peak
Service-Group Service connection connection packets packets connection
---------------------------------------------------------------------------------------
*vip1(A) 70.70.70.51 Partial Up

port 8080 http 0 0 0 0 0


sg-80 8080/http 0 23 816531 3035452 0
Total received conn attempts on this port: 0

ACOS-Standby-vMaster[1/1]#show slb virtual-server


Total Number of Virtual Services configured: 20
Virtual Server Name IP Current Total Request Response Peak
Service-Group Service connection connection packets packets connection
---------------------------------------------------------------------------------------
*vip1(S) 70.70.70.51 Partial Up

port 8080 http 0 0 0 0 0


sg-80 8080/http 0 23 816531 3035452 0
Total received conn attempts on this port: 0

In both sets of output, the counters for request packets and response packets are the same,
indicating that the statistics come from the same ACOS device, which is the vMaster.

In the following example, the active-vrid option is used. The statistics counter values are
from the active VRRP-A device for the default VRID. In this example, the counters show 0; it is
likely that failover very recently occurred.

ACOS-Standby-vMaster[1/1]#show slb virtual-server active-vrid default


Total Number of Virtual Services configured: 20
Virtual Server Name IP Current Total Request Response Peak
Service-Group Service connection connection packets packets connection
----------------------------------------------------------------------------------------
*vip1(A) 70.70.70.51 Partial Up

port 8080 http 0 0 0 0 0


sg-80 8080/http 0 23 0 0 0
Total received conn attempts on this port: 0

show ip anomaly-drop statistics


Description Show drop statistics for malformed IP packets.

Syntax show ip anomaly-drop statistics

Mode All

show ip bgp
Description Display BGP information. (See “BGP Show Commands” on page 447.)

show ip dns
Description Display system DNS information.

Syntax show ip dns

Mode All

Example The following example shows example output for this command.

ACOS#show ip dns

DNS suffix: ourcorp


Primary server: 10.10.20.25
Secondary server: 192.168.1.25

show {ip | ipv6} fib


Description Display Forwarding Information Base (FIB) entries.

NOTE: This command is applicable only on Thunder Series devices that are configured in
route mode. The command returns an error if you enter it on a device configured
for transparent mode.

Syntax show {ip | ipv6} fib

Mode All

Example The following command shows the IPv4 FIB entries on a Thunder Series device configured
in route mode:

ACOS#show ip fib
Prefix Next Hop Interface Distance
------------------------------------------------------------------------
0.0.0.0 /0 192.168.20.1 ve10 0
192.168.20.0 /24 0.0.0.0 ve10 0
Total routes = 2

Example The following command shows IPv6 FIB entries:

ACOS(config)#show ipv6 fib


Prefix Next Hop Interface Metric Index
----------------------------------------------------------------------------
b101::/64 :: Ethernet 6 256 0
Total routes = 1

show {ip | ipv6 | ipv4-in-ipv6 | ipv6-in-ipv4} fragmentation statistics


Description Show statistics for IP fragmentation.

Syntax show {ip | ipv6 | ipv4-in-ipv6 | ipv6-in-ipv4}
fragmentation statistics

Mode All

The following table describes the fields in the command output.


Field Description
Session Inserted Number of times the ACOS device received a new fragment that did not match
any existing session (based on source IP, destination ID, and fragment ID).
A fragment session represents multiple fragments that should be reassembled
together into a single logical packet.
Session Expired Number of times a fragment session timed out before all the fragments for the
packet were received.
ICMP Received Number of ICMP fragments received.
ICMPv6 Received Number of ICMPv6 fragments received.
UDP Received Number of UDP fragments received.
TCP Received Number of TCP fragments received.
IP-in-IP Received Number of IP-in-IP fragments received.
IPv6-in-IP Received Number of IPv6-in-IP fragments received.
Other Received Number of other types of fragments received.
ICMP Dropped Number of ICMP fragments that were dropped. This counter and the other
“Dropped” counters below are incremented when a fragment is dropped for
any of the following reasons:
• Invalid length
• Overlap with other fragments
• Exceeded fragmentation session threshold
ICMPv6 Dropped Number of ICMPv6 fragments that were dropped.
UDP Dropped Number of UDP fragments that were dropped.
TCP Dropped Number of TCP fragments that were dropped.
IP-in-IP Dropped Number of IP-in-IP fragments that were dropped.
IPv6-in-IP Dropped Number of IPv6-in-IP fragments that were dropped.
Other Dropped Number of other types of fragments that were dropped.
Overlapping Fragment Drop Number of fragments dropped because the data in the fragment overlapped
with data in another fragment already received by the ACOS device.
Bad IP Length This counter includes both of the following:
• Number of IPv4 packets for which the total length was invalid.
• Number of IPv6 packets for which the payload length was invalid.
Fragment Too Small Drop Number of fragments in which the length of the data was too short. IP
fragmentation requires at least 8 bytes of data in all except the last fragment.
First TCP Fragment Too Small Drop Number of fragmented TCP packets that did not contain the entire Layer 4
header in the first fragment.
First L4 Fragment Too Small Drop Number of fragmented packets other than TCP packets that did not contain
the entire Layer 4 header in the first fragment.
Total Sessions Exceeded Drop Number of times a fragment was dropped because the maximum number of
concurrent fragment sessions were already in use.
Out of Session Memory Number of times the ACOS device ran out of memory for fragment sessions.

Fragmentation Fast Aging Set Number of times the ACOS device sped up aging of existing fragment sessions
in order to accommodate new sessions.
Fragmentation Fast Aging Unset Number of times the ACOS device returned to normal aging for fragment
sessions.
Fragment Queue Success Number of times a new fragment session was created, or a new fragment was
added to an existing session.
Payload Length Unaligned Number of fragments whose length did not consist of a multiple of 8 bytes.
Note: This counter does not apply to the final fragments of fragmented
packets. The final fragment of a packet is not required to have a length that is a
multiple of 8.
Payload Length Out of Bounds Number of times a fragmented packet’s data length exceeded what should
have been the end of the reassembled packet.
Duplicate First Fragment Number of times a duplicate first fragment was received for the same packet.
Duplicate Last Fragment Number of times a duplicate last fragment was received for the same packet.
Total Queued Fragments Exceeded Number of times the maximum number of concurrent fragmented packets
supported by the ACOS device was exceeded.
Fragment Queue Failure Total number of times a fragmented packet could not be queued to a session,
due to any of the errors listed separately by the following counters:
• Duplicate First Fragment
• Duplicate Last Fragment
• Payload Length Out of Bounds
• Payload Length Unaligned
Fragment Reassembly Success Number of times all fragments for a packet were reassembled successfully.
Fragment Max Data Length Exceeded Number of times the total length of all reassembled fragments for a packet
exceeded 65535. This type of error can indicate an attack such as a
ping-of-death attack.
Fragment Reassembly Failure Total number of fragment reassembly errors, including errors due to unlikely
causes such as memory corruption.
MTU Exceeded Policy Drop Number of packets dropped due to an MTU exceeded policy.
Fragment Processing Drop Number of packets dropped due to errors during fragment processing.
Too Many Packets Per Reassembly Drop Number of packets dropped because too many fragments were received for
the packet.
Session Max Packets Exceeded Number of times the limit for fragmented packets has been reached.
IPv4-in-IPv6 Fragmentation Statistics (Not shown in the example above.) These are the same as the counters
described above, but they apply to packets fragmented into IPv4 fragments before being sent in the
IPv6 tunnel. For example, these counters can apply to fragmented DS-Lite traffic.
These counters are displayed if you use the ipv6 option instead of the ip
option.

Mode All
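
The drop conditions behind these counters are easier to read when run against concrete fragments. The following Python example is added here and is not ACOS code: it classifies IPv4 fragments under the counter names from the table above. The order of the checks, the 20-byte header sizes, and the Fragment, Session, classify and demo names are assumptions made for the illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

IPV4_HEADER = 20    # assumption: IPv4 header without options
TCP_HEADER = 20     # assumption: TCP header without options
MAX_PACKET = 65535  # largest value of the 16-bit IPv4 Total Length field


@dataclass
class Fragment:
    src: str
    dst: str
    frag_id: int
    proto: str    # "tcp", "udp", "icmp", ...
    offset: int   # byte offset of this fragment's data in the original payload
    length: int   # bytes of payload data carried by this fragment
    more: bool    # More Fragments flag; False marks the last fragment


@dataclass
class Session:
    spans: list = field(default_factory=list)  # (start, stop) byte ranges queued so far
    end: Optional[int] = None                  # payload length, set by the last fragment


def classify(frag, sessions, stats):
    """Apply the checks to one fragment and return the counter it increments."""
    def count(name):
        stats[name] += 1
        return name

    start, stop = frag.offset, frag.offset + frag.length
    # Checks that need no session state.
    if frag.more and frag.length < 8:
        return count("Fragment Too Small Drop")
    if frag.more and frag.length % 8:
        return count("Payload Length Unaligned")
    if frag.proto == "tcp" and start == 0 and frag.length < TCP_HEADER:
        return count("First TCP Fragment Too Small Drop")
    if IPV4_HEADER + stop > MAX_PACKET:
        return count("Fragment Max Data Length Exceeded")

    # A fragment session is keyed on source, destination and fragment ID.
    key = (frag.src, frag.dst, frag.frag_id)
    if key not in sessions:
        sessions[key] = Session()
        stats["Session Inserted"] += 1
    sess = sessions[key]

    if start == 0 and any(s == 0 for s, _ in sess.spans):
        return count("Duplicate First Fragment")
    if not frag.more and sess.end is not None:
        return count("Duplicate Last Fragment")
    past_end = sess.end is not None and stop > sess.end
    short_last = not frag.more and any(e > stop for _, e in sess.spans)
    if past_end or short_last:
        return count("Payload Length Out of Bounds")
    if any(start < e and s < stop for s, e in sess.spans):
        return count("Overlapping Fragment Drop")

    sess.spans.append((start, stop))
    if not frag.more:
        sess.end = stop
    count("Fragment Queue Success")

    # Reassembly succeeds once the spans cover 0..end without gaps.
    covered = 0
    for s, e in sorted(sess.spans):
        if s != covered:
            break
        covered = e
    if sess.end is not None and covered == sess.end:
        del sessions[key]
        return count("Fragment Reassembly Success")
    return "Fragment Queue Success"


def demo():
    """Run constructed sample fragments through classify()."""
    a, b = "192.0.2.10", "198.51.100.20"  # constructed documentation addresses
    samples = [
        Fragment(a, b, 1, "udp", 0, 1480, True),       # normal first fragment
        Fragment(a, b, 1, "udp", 1480, 520, False),    # normal last fragment
        Fragment(a, b, 2, "tcp", 0, 8, True),          # TCP header split across fragments
        Fragment(a, b, 3, "icmp", 65528, 100, False),  # would reassemble past 65535 bytes
        Fragment(a, b, 4, "udp", 0, 24, True),         # opens a second session
        Fragment(a, b, 4, "udp", 16, 24, True),        # overlaps bytes 16-23
        Fragment(a, b, 4, "udp", 0, 24, True),         # first fragment repeated
    ]
    sessions, stats = {}, Counter()
    return [classify(f, sessions, stats) for f in samples], stats


if __name__ == "__main__":
    results, stats = demo()
    print(*results, sep="\n")
```
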


show ip helper-address
Description Display DHCP relay information.

Syntax show ip helper-address [detail]

Mode All

Example The following command shows summary DHCP relay information:

ACOS(config)#show ip helper-address
Interface Helper-Address RX TX No-Relay Drops
--------- -------------- ------------ ------------ ------------ ------------
eth1 100.100.100.1 0 0 0 0
ve5 100.100.100.1 1669 1668 0 1
ve7 1668 1668 0 0
ve8 100.100.100.1 0 0 0 0
ve9 20.20.20.102 0 0 0 0

The following table describes the fields in the command output.

Field Description
Interface ACOS interface. Interfaces appear in the output in either of the
following cases:
• A helper address is configured on the interface.
• DHCP packets are sent or received on the interface.
Helper-Address Helper address configured on the interface.
RX Number of DHCP packets received on the interface.
TX Number of DHCP packets sent on the interface.
No-Relay Number of packets that were examined for DHCP relay but were not
relayed, and instead received regular Layer 2/3 processing.
Generally, this counter increments in the following cases:
• DHCP packets are received on an interface that does not have a
helper address and the packets are not destined to the relay.
• DHCP packets are received on an interface that does have a helper
address, but the packets are unicast directly from the client to the
server and do not need relay intervention.
Drops Number of packets that were ineligible for relay and were dropped.

Example The following command shows detailed DHCP relay information:

ACOS#show ip helper-address detail


IP Interface: eth1
------------
Helper-Address: 100.100.100.1
Packets:

RX: 0
BootRequest Packets : 0
BootReply Packets : 0
TX: 0
BootRequest Packets : 0
BootReply Packets : 0
No-Relay: 0
Drops:
Invalid BOOTP Port : 0
Invalid IP/UDP Len : 0
Invalid DHCP Oper : 0
Exceeded DHCP Hops : 0
Invalid Dest IP : 0
Exceeded TTL : 0
No Route to Dest : 0
Dest Processing Err : 0

IP Interface: ve5
------------
Helper-Address: 100.100.100.1
Packets:
RX: 16
BootRequest Packets : 16
BootReply Packets : 0
TX: 14
BootRequest Packets : 0
BootReply Packets : 14
No-Relay: 0
Drops:
Invalid BOOTP Port : 0
Invalid IP/UDP Len : 0
Invalid DHCP Oper : 0
Exceeded DHCP Hops : 0
Invalid Dest IP : 0
Exceeded TTL : 0
No Route to Dest : 2
Dest Processing Err : 0

IP Interface: ve7
------------
Helper-Address: None
Packets:
RX: 14
BootRequest Packets : 0

BootReply Packets : 14
TX: 14
BootRequest Packets : 14
BootReply Packets : 0
No-Relay: 0
Drops:
Invalid BOOTP Port : 0
Invalid IP/UDP Len : 0
Invalid DHCP Oper : 0
Exceeded DHCP Hops : 0
Invalid Dest IP : 0
Exceeded TTL : 0
No Route to Dest : 0
Dest Processing Err : 0

The following table describes the fields in the command output.

Field Description
IP Interface ACOS interface.
Helper-Address IP address configured on the ACOS interface as the DHCP helper
address.
Packets DHCP packet statistics:
• RX – Total number of DHCP packets received on the interface.
• BootRequest Packets – Number of DHCP boot request packets
(Op = BOOTREQUEST) received on the interface.
• BootReply Packets – Number of DHCP boot reply packets (Op =
BOOTREPLY) received on the interface.
• TX – Total number of DHCP packets sent on the interface.
• BootRequest Packets – Number of DHCP boot request packets
(Op = BOOTREQUEST) sent on the interface.
• BootReply Packets – Number of DHCP boot reply packets (Op =
BOOTREPLY) sent on the interface.

No-Relay Number of packets that were examined for DHCP relay but were not
relayed, and instead received regular Layer 2/3 processing.
Generally, this counter increments in the following cases:
• DHCP packets are received on an interface that does not have a
helper address and the packets are not destined to the relay.
• DHCP packets are received on an interface that does have a helper
address, but the packets are unicast directly from the client to the
server and do not need relay intervention.
Drops Lists the following counters for packets dropped on the interface:
• Invalid BOOTP Port – Number of packets dropped because they had
UDP destination port 68 (BOOTPC).
• Invalid IP/UDP Len – Number of packets dropped because the IP or
UDP length of the packet was shorter than the minimum required
length for DHCP headers.
• Invalid DHCP Oper – Number of packets dropped because the Op
field in the packet header did not contain BOOTREQUEST or
BOOTREPLY.
• Exceeded DHCP Hops – Number of packets dropped because the
number in the Hops field was higher than 16.
• Invalid Dest IP – Number of packets dropped because the
destination was invalid for relay.
• Exceeded TTL – Number of packets dropped because the TTL value
was too low (less than or equal to 1).
• No Route to Dest – Number of packets dropped because the relay
agent (ACOS device) did not have a valid forwarding entry towards
the destination.
• Dest Processing Err – Number of packets dropped because the relay
agent experienced an error in sending the packet towards the
destination.
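
To track these counters over time, the detail output can be parsed and its non-zero drop reasons reported per interface. The following Python example is added here and is not A10 code; the function names parse_helper_detail and nonzero_drops are hypothetical, and the sample text is the ve5 and ve7 blocks of the example output above.

```python
# Sample input: the ve5 and ve7 blocks of the page's example output
# for "show ip helper-address detail".
SAMPLE = """\
IP Interface: ve5
------------
Helper-Address: 100.100.100.1
Packets:
RX: 16
BootRequest Packets : 16
BootReply Packets : 0
TX: 14
BootRequest Packets : 0
BootReply Packets : 14
No-Relay: 0
Drops:
Invalid BOOTP Port : 0
Invalid IP/UDP Len : 0
Invalid DHCP Oper : 0
Exceeded DHCP Hops : 0
Invalid Dest IP : 0
Exceeded TTL : 0
No Route to Dest : 2
Dest Processing Err : 0

IP Interface: ve7
------------
Helper-Address: None
Packets:
RX: 14
BootRequest Packets : 0
BootReply Packets : 14
TX: 14
BootRequest Packets : 14
BootReply Packets : 0
No-Relay: 0
Drops:
Invalid BOOTP Port : 0
Invalid IP/UDP Len : 0
Invalid DHCP Oper : 0
Exceeded DHCP Hops : 0
Invalid Dest IP : 0
Exceeded TTL : 0
No Route to Dest : 0
Dest Processing Err : 0
"""


def parse_helper_detail(text):
    """Parse 'show ip helper-address detail' output into per-interface dicts."""
    interfaces, cur, section = {}, None, None
    for raw in text.splitlines():
        name, sep, value = raw.strip().partition(":")
        name, value = name.strip(), value.strip()
        if not sep:
            continue                  # blank lines and dashed rules
        if name == "IP Interface":
            cur = {"helper": None, "RX": {}, "TX": {}, "No-Relay": 0, "Drops": {}}
            interfaces[value], section = cur, None
        elif cur is None:
            continue                  # text before the first interface block
        elif name == "Helper-Address":
            cur["helper"] = None if value == "None" else value
        elif name in ("RX", "TX") and value.isdigit():
            section = name            # the Boot* lines that follow belong to this direction
            cur[name]["total"] = int(value)
        elif name == "No-Relay" and value.isdigit():
            cur["No-Relay"], section = int(value), None
        elif name == "Drops":
            section = "Drops"
        elif section and value.isdigit():
            cur[section][name] = int(value)
    return interfaces


def nonzero_drops(interfaces):
    """Return {interface: {reason: count}} for every drop counter above zero."""
    report = {}
    for ifname, data in interfaces.items():
        hits = {reason: n for reason, n in data["Drops"].items() if n}
        if hits:
            report[ifname] = hits
    return report


if __name__ == "__main__":
    for ifname, hits in nonzero_drops(parse_helper_detail(SAMPLE)).items():
        print(ifname, hits)
```
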

show {ip | ipv6} interfaces


Description Display IP interfaces.

Syntax show {ip | ipv6} interfaces
[ethernet port-num] |
[ve ve-num] |
[loopback lb-num] |
[management]

Mode All

Example The following command shows the IPv4 interfaces configured on Ethernet interface 1:

ACOS#show ip interfaces ethernet 1


IP addresses on ethernet 1:
ip 10.10.10.241 netmask 255.255.255.0 (Primary)

ip 10.10.10.242 netmask 255.255.255.0


ip 10.10.10.243 netmask 255.255.255.0
ip 10.10.10.244 netmask 255.255.255.0
ip 10.10.11.244 netmask 255.255.255.0

Example The following command shows the IPv4 interfaces configured on VEs:

ACOS#show ip interfaces ve
Port IP Netmask PrimaryIP
--------------------------------------------------
--------------------------------------------------
ve4 60.60.60.241 255.255.255.0 Yes
50.60.60.241 255.255.252.0 No
--------------------------------------------------
ve6 99.99.99.241 255.255.255.0 Yes

The PrimaryIP column indicates whether the address is the primary IP address for the
interface. (For more information, see “ip address” on page 248.)

show ip nat alg pptp


Description Display Application Level Gateway (ALG) information for IP source NAT.

Syntax show ip nat alg pptp {statistics | status}

Example The following command displays the status of the PPTP NAT ALG feature:

ACOS#show ip nat alg pptp status


NAT ALG for PPTP is enabled on port 1723.

Example The following command displays PPTP NAT ALG statistics.

ACOS(config-if:ethernet:2)#show ip nat alg pptp statistics


Statistics for PPTP NAT ALG:
-----------------------------
Calls In Progress: 10
Call Creation Failure: 0
Truncated PNS Message: 0
Truncated PAC Message: 0
Mismatched PNS Call ID: 1
Mismatched PAC Call ID: 0
Retransmitted PAC Message: 3
Truncated GRE Packets: 0
Unknown GRE Packets: 0
No Matching GRE Session: 4


The following table describes the fields in the command output.

Field Description
Calls In Progress Current call attempts, counted by inspecting the TCP control session. This counter will
decrease once the first GRE packet arrives.
Call Creation Failure Number of times a call could not be set up because the ACOS device ran out of mem-
ory or other system resources.
Truncated PNS Message Number of runt TCP PPTP messages received from clients.
Truncated PAC Message Number of runt TCP PPTP messages received from servers.
Mismatched PNS Call ID Number of calls that were disconnected because the GRE session had the wrong Call
ID.
Mismatched PAC Call ID Number of calls that were disconnected because they had the wrong Call ID.
Retransmitted PAC Message Number of TCP packets retransmitted from PAC servers.
Truncated GRE Packets Number of runt GRE packets received by the ACOS device.
Unknown GRE Packets Number of GRE packets that were not used for PPTP and were dropped.
No Matching GRE Session Number of GRE PPTP packets sent with no current call.

show ip nat interfaces


Description Display IP source NAT information for data interfaces.

Syntax show ip nat interfaces

Example The following command shows the NAT interface settings:

ACOS#show ip nat interfaces


Total IP NAT Interfaces configured: 2
Interface NAT Direction
-----------------------------
ve10 outside
ve11 inside


show ip nat pool


Description Display information for IP source NAT pools.

Syntax show ip nat pool [pool-name] [statistics]

Parameter Description
pool-name Displays information only for the specified pool.
statistics Displays pool statistics.

Example The following command displays pool information:

ACOS#show ip nat pool


Total IP NAT Pools: 2
Pool Name Start Address End Address Mask Gateway Vrid
-----------------------------------------------------------------------------------------
dmz1 10.0.0.200 10.0.0.200 /24 0.0.0.0 default
dmz2 10.10.10.200 10.10.10.200 /24 0.0.0.0 default

The following table describes the fields in the command output.

Field Description
Pool Name Name of the pool.
Start Address Beginning IP address in the pool address range.
End Address Ending IP address in the pool address range.
Mask Network mask.
Gateway Default gateway for traffic mapped to an address in the pool.
Vrid VRRP-A VRID to which the pool is assigned, if applicable.

Entering a pool name displays the same fields but for only the specified pool:

ACOS#show ip nat pool dmz1


Pool Name Start Address End Address Mask Gateway Vrid
------------------------------------------------------------------------------------------
------
dmz1 10.0.0.200 10.0.0.200 /24 0.0.0.0 default

Example The following command displays pool statistics:

ACOS#show ip nat pool statistics


Pool Address Port Usage Total Used Total Freed Failed

-------------------------------------------------------------------------------
dmz1 10.0.0.200 0 0 0 0
Pool Address Port Usage Total Used Total Freed Failed
-------------------------------------------------------------------------------
dmz2 10.10.10.200 0 0 0 0

The following table describes the fields in the command output.

Field Description
Pool Name of the pool.
Address IP address in the pool.
Port Usage Number of Layer 4 protocol port mappings currently in use on the port.
Note: A local address can have multiple NAT mappings. Each NAT mapping for a local
address consists of an IP:port tuple.
Total Used Total number of port mappings (IP:port tuples) used from the pool.
Total Freed Total number of port mappings that were used and then returned to the pool.
Failed Number of mappings that failed.

show ip nat pool-group


Description Display configuration information for IP source NAT pool groups.

Syntax show ip nat pool-group [group-name]

show ip nat range-list


Description Displays information for IP source NAT range lists.

Syntax show ip nat range-list

Example The following command shows NAT range-list information:

ACOS(config)#show ip nat range-list


Total Static NAT range lists: 1
Name Local Address/Mask Global Address/Mask Count HA
--------------------------------------------------------------------------------
rl1 10.10.10.88/24 192.168.10.88/24 10 0


The following table describes the fields in the command’s output.

Field Description
Name Name of the range list.
Local Address/Mask Beginning local address of the range to be translated into global (NAT)
addresses.
Global Address/Mask Beginning global address of the range.
Count Number of address translations in the range.
HA VRRP-A VRID to which the range list belongs, if applicable.

show ip nat static-binding


Description Display information for static IP source NAT bindings.

Syntax show ip nat static-binding [statistics] [ipaddr]

Parameter Description
statistics Displays statistics.
ipaddr Displays information for the specified IP address.

Example The following command displays the static source NAT binding for local address 10.10.10.20:

ACOS#show ip nat static-binding 10.10.10.20


Local Address 10.10.10.20 statically bound to Global Address 10.10.10.1

Example The following command displays static-binding statistics:

ACOS#show ip nat static-binding statistics


Source Address Port Usage Total Used Total Freed
---------------------------------------------------------------------------
10.10.10.20 0 0 0

The following table describes the fields in the command output.

Field Description
Source Address Source IP address that is statically mapped to a global IP address (source NAT address).
Port Usage Number of Layer 4 protocol port mappings currently in use by the local address.
Note: A local address can have multiple NAT mappings. Each NAT mapping for a local
address consists of an IP:port tuple.

Total Used Total number of port mappings (IP:port tuples) used by the inside address.
Total Freed Total number of port mappings returned to the static pool.

show ip nat statistics


Description Displays IP source NAT statistics.

Syntax show ip nat statistics

Example The following command displays IP NAT statistics:

ACOS(config)#show ip nat statistics


Outside interfaces: ethernet8, ethernet11, ve20, ve110, ve120
Inside interfaces: ethernet8, ethernet11, ve20, ve110, ve120
Hits: 1707 Misses: 0
Outbound TCP sessions created: 1363
Outbound UDP sessions created: 344
Outbound ICMP sessions created: 0
Inbound TCP sessions created: 0
Inbound UDP sessions created: 0
Dynamic mappings:
-- Inside Source
access-list 8 pool v4
start 10.10.120.200 end 10.10.120.202
total addresses 3, allocated 2315, misses 0
access-list v6 pool l3nat6
start 6020::203 end 6020::203
total addresses 1, allocated 0, misses 0

The output lists the inside NAT and outside NAT interfaces and provides address translation
statistics.


show ip nat template logging


Description Display configuration information for IP source NAT logging templates.

Syntax show ip nat template logging [template-name]

show ip nat timeouts


Description Display the IP source NAT protocol port timeouts.

Syntax show ip nat timeouts

Example The following command displays the timeout settings for IP source NAT sessions.

ACOS(config)#show ip nat timeouts


NAT Timeout values in seconds:
TCP UDP ICMP
------------------------
300 300 fast
Service 53/udphas fast-aging configured

show ip nat translations


Description Display IP source NAT translations.

Syntax show ip nat translations

Mode All

Example The following command shows source NAT translations:

ACOS#show ip nat translations


Prot Inside global Inside local Outside local Outside global
Age Hash Type
------------------------------------------------------------------------------------------
---------------------
Tcp 10.10.120.200:33345 10.10.30.19:35955 10.10.120.124:1107
10.10.120.124:1107 0 1 NF NAT
Tcp 10.10.120.200:28260 10.10.30.16:64602 10.10.120.111:443
10.10.120.111:443 0 1 NS NAT
Tcp 10.10.120.200:29988 10.10.30.20:2466 10.10.120.111:80
10.10.120.111:80 0 1 NS NAT
Tcp 10.10.120.200:29952 10.10.30.16:64638 10.10.120.124:21
10.10.120.124:21 0 1 NS NAT
Tcp 10.10.120.200:9257 10.10.30.15:48569 10.10.120.124:1093
10.10.120.124:1093 0 1 NF NAT
Tcp 10.10.120.200:28170 10.10.30.18:38106 10.10.120.124:21
10.10.120.124:21 0 1 NS NAT

Tcp 10.10.120.200:29845 10.10.30.15:48619 10.10.120.111:443


10.10.120.111:443 0 2 NS NAT
Tcp 10.10.120.200:28716 10.10.30.15:48624 10.10.120.124:1111
10.10.120.124:1111 0 2 NF NAT
Tcp 10.10.120.200:29377 10.10.30.19:35947 10.10.120.111:80
10.10.120.111:80 0 2 NS NAT
Tcp 10.10.120.200:29179 10.10.30.15:48565 10.10.120.111:443
10.10.120.111:443 0 2 NS NAT
Tcp 10.10.120.200:21887 10.10.30.15:48635 10.10.120.124:1118
10.10.120.124:1118 0 2 NF NAT
Tcp 10.10.120.200:21800 10.10.30.18:38108 10.10.120.124:1097
10.10.120.124:1097 0 2 NF NAT
Tcp 10.10.120.200:29971 10.10.30.20:2467 10.10.120.111:443
10.10.120.111:443 0 2 NS NAT

show ip-list
Description Display IP-list information.

Syntax show ip-list [list-name]

Parameter Description
list-name Displays the configuration of the specified list. If you omit this option, the
configured IP lists are listed instead.

Mode All

Example The following example shows the IP lists configured on an ACOS device:

ACOS-Active(config)#show ip-list
Name Type Entries
--------------------------------------------------
sample_ip_list_ng IPv4 3
test-list IPv4 0
Total: 2

The following command shows the configuration of an individual IP list:

ACOS#show ip-list sample_ip_list_ng


ip-list sample_ip_list_ng
10.10.10.1
20.20.3.1
123.45.6.7


show ipv6 nat interfaces


Description Display IPv6 source NAT information for data interfaces.

Syntax show ipv6 nat interfaces

show ipv6 nat pool


Description Display information for IPv6 source NAT pools.

Syntax show ipv6 nat pool [pool-name] [statistics]

Parameter Description
pool-name Displays information only for the specified pool.
statistics Displays pool statistics.

show ipv6 nat pool-group


Description Display configuration information for IP source NAT pool groups.

Syntax show ipv6 nat pool-group [group-name]

show ipv6 ndisc


Description Display information for IPv6 router discovery.

Syntax show ipv6 ndisc router-advertisement
{ethernet portnum | ve ve-num | statistics}

Mode All

Example The following command displays configuration information for IPv6 router discovery on an
Ethernet interface. In this example, the interface is VE 10.

ACOS#show ipv6 ndisc router-advertisement ve 10


Interface VE 10
Send Advertisements: Enabled
Max Advertisement Interval: 200
Min Advertisement Interval: 150
Advertise Link MTU: Disabled
Reachable Time: 0
Retransmit Timer: 0
Current Hop Limit: 255
Default Lifetime: 200
Max Router Solicitations Per Second: 100000
HA Group ID: None
Number of Advertised Prefixes: 2
Prefix 1:
Prefix: 2001:a::/96
On-Link: True
Valid Lifetime: 4400
Prefix 2:
Prefix: 2001:32::/64
On-Link: True
Valid Lifetime: 2592000

The following command displays router discovery statistics:

ACOS(config)#show ipv6 ndisc router-advertisement statistics


IPv6 Router Advertisement/Solicitation Statistics:
--------------------------------------------------
Good Router Solicitations (R.S.) Received: 1320
Periodic Router Advertisements (R.A.) Sent: 880
R.S. Rate Limited: 2
R.S. Bad Hop Limit: 1
R.S. Truncated: 0
R.S. Bad ICMPv6 Checksum: 0
R.S. Unknown ICMPv6 Code: 0
R.S. Bad ICMPv6 Option: 0
R.S. Src Link-Layer Option and Unspecified Address: 0
No Free Buffers to send R.A.: 0

The error counters apply to router solicitations (R.S.) that are dropped by the ACOS device.

The Src Link-Layer Option and Unspecified Address counter indicates the number of times
the ACOS device received a router solicitation with source address “::” (unspecified IPv6
address) and with the source link-layer (MAC address) option set.

NOTE: In the current release, the ACOS device does not drop ICMPv6 packets that have
bad (invalid) checksums.

show ipv6 neighbor


Description Display information about neighboring IPv6 devices.

Syntax show ipv6 neighbor [ipv6-addr]

Mode All

Example The following command shows IPv6 neighbors:

ACOS(config)#show ipv6 neighbor


Total IPv6 neighbor entries: 2
IPv6 Address MAC Address Type Age State Interface Vlan
---------------------------------------------------------------------------------------
b101::1112 0007.E90A.4402 Dynamic 30 Reachable ethernet 6 1
fe80::207:e9ff:fe0a:4402 0007.E90A.4402 Dynamic 20 Reachable ethernet 6 1

show {ip | ipv6} ospf


Description Display OSPF information. (See “Config Commands: Router – OSPF” on page 357.)

show {ip | ipv6} prefix-list


Description Display information about prefix lists.

show {ip|ipv6} protocols


Description Show information for dynamic routing protocols.

Syntax show {ip|ipv6} protocols [bgp | isis | ospf | rip]

Mode All

show {ip | ipv6} rip


Description Show information for RIP. (See “Config Commands: Router – RIP” on page 329.)

show ip route
Description Display the IPv4 routing table.

Syntax show ip route
[
ipaddr[/mask-length] |
all |
bgp |
connected |
database |
isis |
mgmt |
ospf |
rip |
static |
summary
]

Mode All

Usage The show ip route summary command displays summary information for all IP routes,
including the total number of routes. The command output applies to both the data route
table and the management route table, which are separate route tables.

The following commands display routes for only one of the route tables:


• show ip route – Shows information for the data route table only.
• show ip route mgmt – Shows information for the management route table only.

The total number of routes listed by the output differs depending on the command you use.
For example, the total number of routes listed by the show ip route command includes only
data routes, whereas the total number of routes listed by the show ip route summary
command includes data routes and management routes.

Example The following example shows the IP route table:

ACOS#show ip route
Codes: C - connected, S - static, O - OSPF

S* 0.0.0.0/0 [1/0] via 192.168.20.1, ve 10
S* 192.168.1.0/24 [1/0] is directly connected, Management
C* 192.168.1.0/24 is directly connected, Management
C* 192.168.19.0/24 is directly connected, ve 10
Total number of routes : 4

show ipv6 route


Description Display the IPv6 routing table.

Syntax show ipv6 route
[
ipv6-addr[/mask-length] |
bgp |
connected |
database |
isis |
mgmt |
ospf |
rip |
static |
summary
]

Mode All

show {ip|ipv6} stats


Description View statistics for IPv4 or IPv6 packets.

Syntax show {ip | ipv6} stats

Mode All


show ipv6 traffic


Description Display IPv6 traffic management statistics.

Syntax show ipv6 traffic

Mode All

Example The following command shows IPv6 traffic management statistics:

ACOS#show ipv6 traffic


Traffic Type Received Sent Errors
------------------------------------------------------------------
Router Solicit 1 1 0
Router Adverts 0 0 0
Neigh Solicit 0 0 0
Neigh Adverts 0 0 0
Echo Request 0 0 0
Echo Replies 0 0 0
Other ICMPv6 Errs 0 0 0

show isis
Description See “Config Commands: Router – IS-IS” on page 393.

show json-config
Description View the JSON/aXAPI data format associated with the running-config, or for a specific object.

Syntax show json-config [object]

If no object is specified, then the JSON configuration for the entire running-config will be
shown.

Mode All

Example The following example shows the JSON configuration for SLB server “web2”:

ACOS#show json-config slb server web2

a10-url:/axapi/v3/slb/server/web2
{
  "server": {
    "name":"web2",
    "host":"10.10.10.2",
    "health-check":"https-with-key",
    "port-list": [
      {
        "port-number":80,
        "protocol":"tcp",
        "health-check-disable":1
      }
    ]
  }
}

Related Commands show json-config-detail, show json-config-with-default

show json-config-detail
Description View the JSON/aXAPI data format, including the URI and object type, associated with the
running-config, or for a specific object.

Syntax show json-config-detail [object]

If no object is specified, then the JSON configuration for the entire running-config will be
shown.

Mode All

Example The following example shows the JSON configuration, with URI and object type information,
for SLB server “web2”:

ACOS#show json-config-detail slb server web2

a10-url:/axapi/v3/slb/server/web2
{
  "server": {
    "name":"web2",
    "host":"10.10.10.2",
    "health-check":"https-with-key",
    "port-list": [
      {
        "port-number":80,
        "protocol":"tcp",
        "health-check-disable":1,
        "a10-url":"/axapi/v3/slb/server/web2/port/80+tcp",
        "obj-type":"multi"
      }
    ]
  }
}

Related Commands show json-config, show json-config-with-default


show json-config-with-default
Description View the JSON/aXAPI data format, including default values, associated with the running-config
or for a specific object.

Syntax show json-config-with-default [object]

If no object is specified, then the JSON configuration for the entire running-config will be
shown.

Mode All

Example The following example shows the JSON configuration, with default values, for SLB server
“web2”:

ACOS#show json-config-with-default slb server web2

a10-url:/axapi/v3/slb/server/web2
{
  "server": {
    "name":"web2",
    "host":"10.10.10.2",
    "action":"enable",
    "template-server":"default",
    "health-check":"https-with-key",
    "conn-limit":8000000,
    "no-logging":0,
    "weight":1,
    "slow-start":0,
    "spoofing-cache":0,
    "stats-data-action":"stats-data-enable",
    "extended-stats":0,
    "port-list": [
      {
        "port-number":80,
        "protocol":"tcp",
        "range":0,
        "action":"enable",
        "no-ssl":0,
        "health-check-disable":1,
        "weight":1,
        "conn-limit":8000000,
        "no-logging":0,
        "stats-data-action":"stats-data-enable",
        "extended-stats":0,
        "a10-url":"/axapi/v3/slb/server/web2/port/80+tcp"
      }
    ]
  }
}

Related Commands show json-config, show json-config-detail
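
The difference between the two views matters in a configuration review: settings that are in effect by default do not appear in show json-config. The following Python example, added here and not taken from the A10 documentation, parses saved output of both commands for server web2 as shown above and lists every setting that is present only in the with-default view. The helper names, and the choice to identify port-list members by port-number and protocol (mirroring the port/80+tcp form of the a10-url), are assumptions.

```python
"""List settings that exist only in the with-default view (added example)."""
import json

# Saved CLI output, copied from the two web2 examples in this section.
SHOW_JSON_CONFIG = """\
ACOS#show json-config slb server web2
a10-url:/axapi/v3/slb/server/web2
{ "server": { "name":"web2", "host":"10.10.10.2",
    "health-check":"https-with-key",
    "port-list": [ { "port-number":80, "protocol":"tcp",
                     "health-check-disable":1 } ] } }
"""
SHOW_JSON_CONFIG_WITH_DEFAULT = """\
ACOS#show json-config-with-default slb server web2
a10-url:/axapi/v3/slb/server/web2
{ "server": { "name":"web2", "host":"10.10.10.2", "action":"enable",
    "template-server":"default", "health-check":"https-with-key",
    "conn-limit":8000000, "no-logging":0, "weight":1, "slow-start":0,
    "spoofing-cache":0, "stats-data-action":"stats-data-enable",
    "extended-stats":0,
    "port-list": [ { "port-number":80, "protocol":"tcp", "range":0,
        "action":"enable", "no-ssl":0, "health-check-disable":1,
        "weight":1, "conn-limit":8000000, "no-logging":0,
        "stats-data-action":"stats-data-enable", "extended-stats":0,
        "a10-url":"/axapi/v3/slb/server/web2/port/80+tcp" } ] } }
"""

METADATA = {"a10-url", "obj-type"}   # describe the object, not a setting
# Assumption: list members are identified by these keys, not by position.
LIST_KEYS = {"port-list": ("port-number", "protocol")}


def parse_capture(capture):
    """Return (a10-url, parsed object) from saved CLI output."""
    head, brace, body = capture.partition("{")
    if not brace:
        raise ValueError("no JSON object in capture")
    url = None
    for line in head.splitlines():
        if line.strip().startswith("a10-url:"):
            url = line.split(":", 1)[1].strip()
    # raw_decode stops at the end of the object, so a trailing prompt is ignored
    obj, _end = json.JSONDecoder().raw_decode(brace + body)
    return url, obj


def _member_id(list_name, member, index):
    keys = LIST_KEYS.get(list_name)
    if keys and all(k in member for k in keys):
        return "+".join(str(member[k]) for k in keys)
    return str(index)                # fall back to position for unknown lists


def implicit_settings(explicit, effective, path=""):
    """Return [(path, value)] for settings missing from the explicit view."""
    found = []
    for key, value in effective.items():
        if key in METADATA:
            continue
        here = f"{path}/{key}"
        if key not in explicit:
            found.append((here, value))
        elif isinstance(value, dict):
            found += implicit_settings(explicit[key], value, here)
        elif isinstance(value, list):
            known = {_member_id(key, m, i): m
                     for i, m in enumerate(explicit[key]) if isinstance(m, dict)}
            for i, member in enumerate(value):
                if isinstance(member, dict):
                    mid = _member_id(key, member, i)
                    found += implicit_settings(known.get(mid, {}), member,
                                               f"{here}/{mid}")
    return found


def compare(explicit_capture, effective_capture):
    """Check both captures describe one object, then list implicit settings."""
    url_a, explicit = parse_capture(explicit_capture)
    url_b, effective = parse_capture(effective_capture)
    if url_a != url_b:
        raise ValueError(f"captures describe different objects: {url_a} vs {url_b}")
    return url_a, implicit_settings(explicit, effective)


if __name__ == "__main__":
    url, settings = compare(SHOW_JSON_CONFIG, SHOW_JSON_CONFIG_WITH_DEFAULT)
    print(url)
    for setting_path, value in settings:
        print(f"  default in effect: {setting_path} = {value!r}")
```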

show key-chain
Description Show configuration information for authentication key chains.

Syntax show key-chain [key-chain-name]

The key-chain-name is the name of the authentication key chain.

Mode Privileged EXEC and all Config levels


Example The following text is an example of the output for this command:

ACOS#show key-chain
key chain test1
key 1
key-string test1key1
key 2
key-string test1key2
key chain test2
key 2
key-string test2key2

ACOS#show key-chain test1


key chain test1
key 1
key-string test1key1
key 2
key-string test1key2

show lacp
Description Show configuration information and statistics for Link Aggregation Control Protocol (LACP).

Syntax show lacp
{
counter [lacp-trunk-id] |
sys-id |
trunk
[admin-key-list-details | detail | summary | lacp-trunk-id]
}

Parameter Description
counter View LACP packet statistics for all trunks, or for just the
specified trunk.
sys-id Shows the LACP system ID of the ACOS device.
admin-key-list-details View LACP admin key list details.
detail View detailed trunk information.
summary View trunk summary information.

Mode All

Example The following command shows LACP statistics:

ACOS#show lacp counters


Traffic statistics
Port LACPDUs Marker Pckt err
Sent Recv Sent Recv Sent Recv
Aggregator po5 1000000
ethernet 1 81 81 0 0 0 0
ethernet 2 81 81 0 0 0 0
Aggregator po10 1000001
ethernet 6 233767 233765 0 0 0 0

In this example, LACP has dynamically created two trunks, 5 and 10. Trunk 5 contains ports 1
and 2. Trunk 10 contains port 6.

Example The following command shows summary trunk information:

ACOS#show lacp trunk summary


Aggregator po5 1000000
Admin Key: 0005 - Oper Key 0005
Link: ethernet 1 (3) sync: 1
Link: ethernet 2 (4) sync: 1
Aggregator po10 1000001
Admin Key: 0010 - Oper Key 0010
Link: ethernet 6 (8) sync: 1

show lacp-passthrough
Description Show information for the LACP passthrough feature.

Syntax show lacp-passthrough

Mode All

show license
Description Display the host ID and, if applicable, serial number of the license applied to this ACOS
device.

Syntax show license [uid]

Specify the uid option to show the serial number associated with the UID.

Mode All

Example The following example shows sample output for this command.

ACOS(config)#show license
Host ID: 029984E1BC8EF50901B63DC0DCD1FE8A02017B9B
ACOS(config)#show license uid
029984E1BC8EF50901B63DC0DCD1FE8A02017B9B


show license-manager
Description View the license manager server and other license manager-related information.

Syntax show license-manager [overage]

Use the overage parameter to view overage setting information.

Mode All

show lldp neighbor statistics


Description Displays information on all remote neighbors or on the specified interface.

Syntax show lldp neighbor statistics [interface Ethernet eth-num]

Mode All

show lldp statistics


Description Displays LLDP receive or send error statistics. You can display information on all interfaces or
only display information on a specified interface.

Syntax show lldp statistics [interface Ethernet eth-num]

Mode All

show local-uri-file
Description Display local imported URI files.

Syntax show local-uri-file
{[name] | [all-partitions] |
[partition [shared] | [partition-name]]}

Mode All

show locale
Description Display the configured CLI locale.

Syntax show locale

Mode All

Example The following command shows the locale configured on an ACOS device:

ACOS#show locale
en_US.UTF-8 English locale for the USA, encoding with UTF-8 (default)


show log
Description Display entries in the syslog buffer or display current log settings (policy). Log entries are
listed starting with the most recent entry on top.

Syntax show log [debug] [length num] [policy]

Parameter Description
debug Show debug logging entries only.
length num Shows the most recent log entries, up to the number of entries you
specify. You can specify 1-1000000 (one million) entries.
policy Shows the log settings. To display log entries, omit this option.

Mode All

Example The following command shows the log settings:

ACOS#show log policy


Syslog servers: (0 hosts)

Facility: local0

Name Level
----------------------------
Console error
Syslog disable
Monitor disable
Buffer debugging
Email disable
Trap disable

Example The following command shows log entries (truncated for brevity):

ACOS#show log
Log Buffer: 30000
Jan 17 11:32:02 Warning A10LB HTTP request has p-conn
Jan 17 11:31:01 Notice The session [1] is closed
Jan 17 11:31:00 Info Load libraries in 0.044 secs
Jan 17 11:26:19 Warning A10LB HTTP request has p-conn
Jan 17 11:26:19 Warning A10LB HTTP response not beginning of
header: m counterType="1" hourlyCount="2396" dailyCount="16295"
weeklyCount="16295" monthly
Jan 17 11:16:18 Warning A10LB HTTP request has p-conn
Jan 17 11:16:01 Notice The session [1] is closed
Jan 17 11:16:00 Info Load libraries in 0.055 secs
Jan 17 11:15:22 Warning A10LB HTTP request has p-conn
Jan 17 11:15:03 Notice The session [1] is closed
Jan 17 11:14:33 Warning A10LB HTTP request has p-conn
...

show mac-address-table
Description Display MAC table entries.

Syntax show mac-address-table
[macaddr | port port-num | vlan vlan-id]

Parameter Description
macaddr Shows the MAC table entry for the specified MAC address. Enter
the MAC address in the following format: aaaa.bbbb.cccc
port port-num Shows the MAC table entries for the specified Ethernet port.
vlan vlan-id Shows the MAC table entries for the specified VLAN.

Mode All

Example The following command displays the MAC table entries:

ACOS#show mac-address-table
Total active entries: 10 Age time: 300 secs
MAC-Address Port Type Index Vlan Trap
---------------------------------------------------------
001e.bd62.d021 2 Dynamic 85 0 None
001e.bd62.d01e 1 Dynamic 244 120 None
000c.2923.c500 lif2 Dynamic 456 1 None
000d.480a.6665 1 Dynamic 594 120 None
001f.a002.fdc3 1 Dynamic 676 120 None
000c.2923.c500 2 Dynamic 713 60 None
001e.bd62.d01e 1 Dynamic 734 0 None
000c.2960.8990 1 Dynamic 752 120 None
001f.a002.10a8 5 Dynamic 918 100 None
001e.bd62.d021 2 Dynamic 975 60 None


The following table describes the fields in the command output.

Field Description
Total active entries Total number of active MAC entries in the table. An active entry is
one that has not aged out.
Age time Number of seconds a dynamic (learned) MAC entry can remain
unused before it is removed from the table.
MAC-Address MAC address of the entry.
Port Ethernet port through which the MAC address is reached.
Type Indicates whether the entry is dynamic or static.
Index The MAC entry’s position in the MAC table.
Vlan VLAN the MAC address is on.
Trap Shows any SNMP traps enabled on the port.

show management
Description Show the types of management access allowed on each of the ACOS device’s Ethernet interfaces.

Syntax show management [ipv4 | ipv6]

Mode All

Usage To configure the management access settings, see “enable-management” on page 91 and
“disable-management” on page 88.

NOTE: If you do not use either option, IPv4 access information is shown.

Example The following command shows IPv4 management access information:

        PING    SSH     Telnet  HTTP    HTTPS   SNMP    ACL
------------------------------------------------------------------------------------------
mgmt    on      on      off     on      on      on      -
eth1    on      off     off     off     off     off     -
eth2    on      off     off     off     off     off     -
eth3    on      off     off     off     off     off     -
eth4    on      off     off     off     off     off     -
...

If management access is controlled by an ACL, the ACL ID would be listed instead of “on”
or “off” status.
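
As an added example (not part of the A10 documentation), the following Python script audits a saved copy of this table for cleartext management protocols and for services that are open on data interfaces without an ACL. The policy, the function names, and the prompt line and eth2/eth3 rows of the sample are assumptions made for illustration; a cell that is neither “on” nor “off” is treated as an ACL ID, as the note above describes.

```python
"""Audit saved `show management` output (added example, not A10 code)."""
from dataclasses import dataclass

# Constructed sample modelled on the table above. The prompt line and the
# eth2 and eth3 rows are invented to exercise the ACL-controlled and
# open-data-interface cases.
SAMPLE = """\
ACOS#show management ipv4
        PING    SSH     Telnet  HTTP    HTTPS   SNMP    ACL
-----------------------------------------------------------
mgmt    on      on      off     on      on      on      -
eth1    on      off     off     off     off     off     -
eth2    on      2       on      off     off     off     -
eth3    on      off     off     off     on      off     -
...
"""

# Example policy (an assumption, adjust to local standards).
CLEARTEXT = {"Telnet", "HTTP"}      # credentials cross the wire unencrypted
NOT_A_SERVICE = {"PING", "ACL"}     # columns that are not login services


@dataclass(frozen=True)
class Finding:
    interface: str
    service: str
    reason: str


def parse_management(text):
    """Return {interface: {column: cell}} from `show management` output."""
    header = None
    table = {}
    for line in text.splitlines():
        cells = line.split()
        if not cells or set(line.strip()) == {"-"} or cells[0] == "...":
            continue                 # blank line, separator rule, truncation mark
        if header is None:
            # Skip prompt/command lines until the column header appears.
            if "SSH" in cells and "Telnet" in cells:
                header = cells
            continue
        if len(cells) != len(header) + 1:
            raise ValueError(f"unexpected row: {line!r}")
        table[cells[0]] = dict(zip(header, cells[1:]))
    if header is None:
        raise ValueError("no header row found")
    return table


def audit(table):
    """Apply the example policy and return a list of Finding objects."""
    findings = []
    for iface, row in table.items():
        for service, cell in row.items():
            if service in NOT_A_SERVICE or cell == "off":
                continue
            # Anything other than on/off is an ACL ID restricting the service.
            acl = None if cell == "on" else cell
            if service in CLEARTEXT:
                findings.append(
                    Finding(iface, service, "cleartext protocol enabled"))
            elif iface != "mgmt" and acl is None:
                findings.append(
                    Finding(iface, service, "open on data interface without ACL"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_management(SAMPLE)):
        print(f"{f.interface:6} {f.service:7} {f.reason}")
```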


show memory
Description Display memory usage information.

Syntax show memory [cache | system]

Parameter Description
cache Shows cache statistics.
system Shows summary statistics for memory usage.

Mode Privileged EXEC level and configuration levels

Example The following command shows summary statistics for memory usage:

ACOS#show memory system


System Memory Usage:
Total(KB) Free Shared Buffers Cached Usage
---------------------------------------------------------------------------
2070368 751580 0 269560 96756 59.0%

Example The following command shows memory usage for individual system modules:

ACOS#show memory
Total(KB) Used Free Usage
----------------------------------------------------
Memory: 31941112 8310060 23631052 26.0%

System memory:
Object size(byte) Allocated(#) Max(#)
----------------------------------------------------------------
4 223 3639
36 2536 3639
100 71095 71262
228 152 992
484 12 503
996 183 253
2020 92 127
4068 339 378
8164 72 93

aFleX memory:
Object size(byte) Allocated(#) Max(#)
----------------------------------------------------------------
32 1412 58224
64 7008 30816
128 7621 20960
256 181 12768
512 509 7168
1024 52 3824
2048 0 0
4096 0 0

TCP memory:
Object size(byte) Allocated(#) Max(#)
----------------------------------------------------------------
1104 1 225
184 0 0

Example The following command shows memory cache information (truncated for brevity):

ACOS#show memory cache


System block 4:
Object size: 4, Total in pool: 3639, Allocated to control: 223
Misc1 92 Misc2 1 Allocated to 16 data threads: 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0,

System block 36:
Object size: 36, Total in pool: 3639, Allocated to control: 2536
Misc1 0 Misc2 1 Allocated to 16 data threads: 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0,

System block 100:
Object size: 100, Total in pool: 71262, Allocated to control: 71095
Misc1 0 Misc2 37 Allocated to 16 data threads: 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0,
...

show mirror
Description Display port mirroring information.

Syntax show mirror

Mode All

Example The following example shows the port mirroring configuration on a Thunder Series device:

ACOS#show mirror
Mirror Ports 1: Input = 4 Output = 4
Ports monitored at ingress : 1
Mirror Ports 2: Input = None Output = 7
Mirror Ports 3: Input = 9 Output = 9
Mirror Ports 4: Input = 3 Output = None

The following table describes the fields in the command output.

Field Description
Mirror Port Mirror port index number.
Input Indicates that inbound mirrored traffic from the monitor port can be sent out of the
specified ethernet interface. If “None” appears instead of an ethernet interface number, it
means that inbound mirrored traffic will not be sent out of this ethernet port.
Output Indicates that outbound mirrored traffic from the monitor port can be sent out of the
specified ethernet interface. If “None” appears instead of an ethernet interface number, it
means that outbound mirrored traffic will not be sent out of this ethernet port.
Port monitored at ingress Port(s) whose inbound traffic is copied to the monitor port.
Port monitored at egress Port(s) whose outbound traffic is copied to the monitor port.

show monitor
Description Display the event thresholds for system resources.

Syntax show monitor

Mode All

Example Below is an example output for this command.

ACOS#show monitor
Current system monitoring threshold:
Hard disk usage: 85
Memory usage: 95
Control CPU usage: 90
Data CPU usage: 90
IO Buffer usage: 734003
Buffer Drop: 1000
Warning Temperature: 68
Conn type 0: 32767
Conn type 1: 32767
Conn type 2: 32767
Conn type 3: 32767
Conn type 4: 32767
SMP type 0: 32767
SMP type 1: 32767
SMP type 2: 32767
SMP type 3: 32767
SMP type 4: 32767

show netflow
Description Display NetFlow information.

Syntax show netflow
{common | monitor [monitor-name]}

Parameter Description
common Displays the currently configured maximum queue
time for NetFlow export packets.
monitor [monitor-name] Displays information for NetFlow monitors.

Mode All

Example The following example shows the configuration of a NetFlow monitor:

ACOS(config)#show netflow monitor


Netflow Monitor netflow-1
Protocol Netflow v9
Status: Enable
Filter: Global
Destination: Not Configured
Source IP Use MGMT: No
Flow Timeout: 10 Minutes
Resend Template Per Records: 1000
Resend Template Timeout: 1800 Seconds
Sent: 0 (Pkts) / 0 (Bytes)
Records: Not Configured

The following table shows the descriptions of the command output:

Field                        Description
Protocol                     Specifies the NetFlow Protocol version (NetFlow v9 or NetFlow v10/IPFIX)
Status                       Specifies whether or not the NetFlow monitor is enabled.
Filter                       Identifies the specific type and subset of resources that are being monitored (global, specific ports, or a NAT pool).
Destination                  Indicates the destination IP address and port, if configured.
Source IP Use MGMT           Specifies whether the IP address of the management port of the ACOS device is being used as the source IP of NetFlow packets.
Flow Timeout                 Timeout value interval at which flow records are periodically exported for long-lived sessions. Flow records for short-lived sessions (if any) are sent upon termination of the session.
Resend Template Per Records  The number of records before the ACOS device resends the NetFlow template that describes the data to perform a refresh of the template on the NetFlow collector.
Resend Template Timeout      The amount of time before the ACOS device resends the template that describes the data to perform a refresh of the template on the NetFlow collector.
Sent                         Total number of NetFlow packets and bytes sent.
Records                      Specifies the NetFlow template types configured, which define the NetFlow records to export.

show ntp
Description Show the Network Time Protocol (NTP) servers and status.

Syntax show ntp {servers | status}

Parameter Description
servers Lists the configured NTP servers and their state (enabled/disabled).
status Lists the configured NTP servers and the status of the connection
between ACOS and the server.

Mode Privileged EXEC level and configuration levels

Example The following commands show NTP information:

ACOS#show ntp servers


Ntp Server isPreferred Mode Authentication
----------------------------------------------------------------------------
10.255.254.50 no enabled disabled
10.255.249.43 no enabled disabled

ACOS#show ntp status


NTP Server Status
------------------------------------------
10.255.254.50 synchronized
10.255.249.43 polling


show object-group
Description Show object groups, a named set of IP addresses or protocol values used for extended IPv4
or IPv6 ACLs.

Syntax show object-group [network name | service name]

Parameter Description
network name Show a network object group which contains IP address match criteria.
service name Show a service object group which contains protocol match criteria.

Mode All

show overlay-mgmt-info
Description See “Config Commands: Overlay Tunnels” on page 465.

show overlay-tunnel
Description See “Config Commands: Overlay Tunnels” on page 465.

show partition
Description All show commands related to partitions are available in Configuring Application Delivery
Partitions.

show partition-group
Description All show commands related to partitions are available in Configuring Application Delivery
Partitions.

show pbslb
Description Show configuration information and statistics for Policy-based SLB (PBSLB).

Syntax show pbslb [name]

show pbslb client [ipaddr]

show pbslb system

show pbslb virtual-server virtual-server-name
[port port-num service-type]

Field                                                            Description
name                                                             Shows information for virtual servers.
client [ipaddr]                                                  Shows information for black/white list clients.
system                                                           Shows system-wide statistics for PBSLB.
virtual-server virtual-server-name [port port-num service-type]  Shows statistics for IP limiting on the specified virtual server.

Mode All

Example The following command shows PBSLB class-list information for a Thunder Series device:

ACOS#show pbslb
Virtual server class list statistics:
F = Flag (C-Connection, R-Request), Over-RL = Over rate limit
Source Destination F Current Rate Over-limit Over-RL
---------------+---------------------+-+---------+---------+----------+----------
10.1.2.1 10.1.11.1:80 C 15 1 0 0
Total: 1

The following table describes the fields in the command output.

Field            Description
Source           Client IP address.
Destination      VIP address.
Flag             Indicates whether the row of information applies to connections or requests:
                 • C – The statistics listed in this row are for connections.
                 • R – The statistics listed in this row are for HTTP requests.
Current          Current number of connections or requests.
Rate             Current connection or request rate, which is the number of connections or requests per second.
Over Limit       Number of times client connections or requests exceeded the configured limit.
Over Rate Limit  Number of times client connections or requests exceeded the configured rate limit.

Example The following command shows PBSLB black/white-list information for a Thunder Series
device:

ACOS#show pbslb
Total number of PBSLB configured: 1
Virtual server Port Blacklist/whitelist GID Connection # (Establish Reset Drop)
------------------------------------------------------------------------------
PBSLB_VS1 80 sample-bwlist 2 0 0 0
4 0 0 0

The following table describes the fields in the command output.

Field                             Description
Total number of PBSLB configured  Number of black/white lists imported onto the Thunder Series device.
Virtual server                    SLB virtual server to which the black/white list is bound.
Port                              Protocol port.
Blacklist/whitelist               Name of the black/white list.
GID                               Group ID.
Connection # Establish            Number of client connections established to the group and protocol port.
Connection # Reset                Number of client connections to the group and protocol port that were reset.
Connection # Drop                 Number of client connections to the group and protocol port that were dropped.

Example The following command shows PBSLB information for VIP “vs-22-4”:

ACOS#show pbslb vs-22-4


GID = Group ID, A = Action, OL = Over-limit
GID Establish Reset(A) Drop(A) Reset(OL) Drop(OL) Ser-sel-fail
-------+-----------+-----------+-----------+-----------|-----------+------------
Virtual server: vs-22-4 Port: 80 B/W list: test
1 88 0 3 2 0 0
2 112 0 2 0 0 1
3 29 0 0 0 0 0
4 11 1 0 0 0 0

show pki
Description Shows information about the certificates on the ACOS device.

Syntax show pki
{ca-cert [cert-name [detail]] | cert [cert-name [detail]] | crl}
[all-partitions | partition {shared | partition-name} | sort-by]


Option                                  Description
ca-cert cert-name                       Shows the CA certificate.
                                        cert-name specifies a name for the certificate, and you can specify a name with a maximum of 255 characters.
cert cert-name                          Shows information about the certificates on the ACOS device. To display information for a specific certificate, use the cert-name option. To display additional details about the certificate, use the detail option.
crl                                     Shows information about the Certificate Revocation Lists (CRLs) that have been imported to the ACOS device.
[all-partitions | partition | sort-by]  Allows you to select what type of information you want to display:
                                        • All partitions
                                        • A specific partition
                                          You can display information from the shared partition or from a specific L3V partition.
                                        • Sort by the certificate files

Mode All

Example The following command shows SSL certificate information:

ACOS(config)#pki create certificate server


input key bits(1024,2048,4096) default 1024:1024
input Common Name, 1~64:server
input Division, 0~31:division
input Organization, 0~63:org
input Locality, 0~31:sj
input State or Province, 0~31:ca
input Country, 2 characters:us
input email address, 0~64:
input valid days, 30~3650, default 730:

ACOS(config)#show pki cert


Name: server Type: certificate/key Expiration: Sep 13 18:35:26
2016 GMT [Unexpired, Unbound]


show poap
Description Display the Power On Auto Provisioning (POAP) mode.

Syntax show poap

Mode All

Example Example command and output:

ACOS(config)#show poap
Disabled

show process system


Description Display the status of system processes.

Syntax show process system

Mode Privileged EXEC level and configuration levels

Usage For descriptions of the system processes, see the “System Overview” chapter of the System
Configuration and Administration Guide.

Example The following command shows the status of system processes on a Thunder Series device:

ACOS#show process system


a10mon is running
syslogd is running
a10logd is running
a10timer is running
a10Stat is running
a10hm is running
a10switch is running
a10rt is running
a10rip is running
a10ospf is running
a10snmpd is running
a10gmpd is running
a10wa is running
a10lb is running


show radius-server
Description Display statistics about a RADIUS server.

Syntax show radius-server

Example The following text is a sample output for this command:

ACOS(config)#show radius-server
Radius server : 10.0.0.0
contact start : 5
contact failed : 3
authentication success : 1
authentication failed : 1
authorization success : 1

Radius server : 10.0.0.1
contact start : 0
contact failed : 0
authentication success : 0
authentication failed : 0
authorization success : 0

ACOS(config)#

Mode All

show reboot
Description Display scheduled system reboots.

Syntax show reboot

Mode All

Example The following command shows a scheduled reboot on the ACOS device:

ACOS#show reboot
Reboot scheduled for 04:20:00 PST Sun Apr 20 2008 (in 63 hours and 16
minutes) by admin on 192.168.1.144
Reboot reason: Outlook_upgrade


show route-map
Description Show the configured route maps.

Syntax show route-map [map-name]

Mode All

show router log file


Description Show router logs.

Syntax show router log file
[
file-num |
bgpd [file-num] |
isisd [file-num] |
nsm [file-num] |
ospf6d [file-num] |
ospfd [file-num] |
ripd [file-num] |
ripngd [file-num]
]

Parameter Description
file-num Log file number.
bgpd [file-num] Displays the specified BGP log file, or all BGP log files.
isisd [file-num] Displays the specified IS-IS log file, or all IS-IS log files.
nsm [file-num] Displays the specified Network Services Module (NSM) log file, or all NSM log files.
ospf6d [file-num] Displays the specified IPv6 OSPFv3 log file, or all OSPFv3 log files.
ospfd [file-num] Displays the specified IPv4 OSPFv2 log file, or all OSPFv2 log files.
ripd [file-num] Displays the specified IPv4 RIP log file, or all IPv4 RIP log files.
ripngd [file-num] Displays the specified IPv6 RIP log file, or all IPv6 RIP log files.

Mode All

show running-config
Description Display the running-config.

This command is used to view the running-config in the partition where the command is
issued. To view the running-config for a different partition, use the
show partition-config command.

Syntax show running-config [options]

Usage This command displays the entire running-config in the current partition.

To narrow the output to specific feature modules, use show running-config ? to view
the available modules, then specify them from the command line. For example, to view the
running-config related only to SLB servers, use:

show running-config slb server

Example The following example shows the running-config for SLB virtual servers:

ACOS#show running-config slb virtual-server


!Section configuration: 2 bytes
!
slb virtual-server test-vip 10.10.10.15
port 80 tcp
!
!
end
ACOS(NOLICENSE)#

show session
Description Display session information.

Syntax show session
[
brief |
filter {filter-name | config} |
ipv4 [addr-suboptions] |
ipv4v6 [addr-suboptions] |
ipv6 [addr-suboptions] |
persist [persistence-type [addr-suboptions]] |
radius |
sip [addr-suboptions] |
tcp-stat |
udp-stat
]

Parameter Description
brief Displays summary statistics for all session types.
filter {filter-name | config} Displays information about configured session filters. Specify config to view all configured session filters, or specify a filter-name to view the specified filter only.
ipv4 [addr-suboptions] Displays information for IPv4 sessions. The following address suboptions are available:
• source-addr ipaddr [{subnet-mask | /mask-length}] – Displays IPv4 sessions that have the specified source IP address.
• source-port port-num – Displays IPv4 sessions that have the specified source protocol port number, 1-65535.
• dest-addr ipaddr [{subnet-mask | /mask-length}] – Displays IPv4 sessions that have the specified destination IP address.
• dest-port port-num – Displays IPv4 sessions that have the specified destination protocol port number, 1-65535.
You can use one or more of the suboptions, in the order listed above. For example, if the first suboption you enter is dest-addr, the only additional suboption you can specify is dest-port.
ipv4v6 [addr-suboptions] Displays information for IPv4-IPv6 or IPv6-IPv4 sessions. The following address suboptions are available:
• source-addr {ipaddr [{subnet-mask | /mask-length}] | ipv6addr/mask-length} – Displays sessions that have the specified IPv4 or IPv6 source IP address.
• source-port port-num – Displays sessions that have the specified source protocol port number, 1-65535.
• dest-addr {ipaddr [{subnet-mask | /mask-length}] | ipv6addr/mask-length} – Displays sessions that have the specified IPv4 or IPv6 destination IP address.
• dest-port port-num – Displays sessions that have the specified destination protocol port number, 1-65535.
You can use one or more of the suboptions, in the order listed above. For example, if the first suboption you enter is dest-addr, the only additional suboption you can specify is dest-port.

ipv6 [addr-suboptions] Displays information for IPv6 sessions. The following address suboptions are available:
• source-addr ipv6addr/mask-length – Displays sessions that have the specified IPv6 source IP address.
• source-port port-num – Displays IPv6 sessions that have the specified source protocol port number, 1-65535.
• dest-addr ipv6addr/mask-length – Displays sessions that have the specified IPv6 destination IP address.
• dest-port port-num – Displays IPv6 sessions that have the specified destination protocol port number, 1-65535.
You can use one or more of the suboptions, in the order listed above. For example, if the first suboption you enter is dest-addr, the only additional suboption you can specify is dest-port.
persist [persistence-type [addr-suboptions]] Displays session persistence information. The following persistence types can be specified:
• dst-ip – Displays destination-IP persistent sessions.
• src-ip – Displays source-IP persistent sessions.
• ssl-sid – Displays SSL-session-ID persistent sessions.
• uie – Displays sessions that are made persistent by the aFleX persist uie command.
The available addr-suboptions are the same as the ones for show session ipv4 (see above).
radius Displays RADIUS session information.
sip [addr-suboptions] Displays information for Session Initiation Protocol (SIP) sessions. The available addr-suboptions are the same as the ones for show session ipv4v6 (see above).
tcp-stat Displays TCP session statistics.
udp-stat Displays UDP session statistics.

Mode All

Usage For convenience, you can save session display options as a session filter. (See “session-filter”
on page 157.)

Note on Clearing Sessions

After entering the clear session command, the ACOS device may remain in session-clear
mode for up to 10 seconds. During this time, any new connections are sent to the delete
queue for clearing.

Example The following command lists information for all IPv4 sessions:

ACOS(config)#show session ipv4


Traffic Type Total
--------------------------------------------
TCP Established 2
TCP Half Open 0
TCP Half Close 0
UDP 0
Non TCP/UDP IP sessions 0
Other 0
Reverse NAT TCP 0
Reverse NAT UDP 0
Free Buff Count 0
Curr Free Conn 2007033
Conn Count 10
Conn Freed 8
TCP SYN Half Open 0
Conn SMP Alloc 13
Conn SMP Free 2
Conn SMP Aged 2
Conn Type 0 Available 3997696
Conn Type 1 Available 2031615
Conn Type 2 Available 999424
Conn Type 3 Available 499712
Conn Type 4 Available 249856
Conn SMP Type 0 Available 3997696
Conn SMP Type 1 Available 1998848
Conn SMP Type 2 Available 999424
Conn SMP Type 3 Available 507875
Conn SMP Type 4 Available 249856

Prot Forward Source Forward Dest Reverse Source Reverse Dest
Age Hash Flags
------------------------------------------------------------------------------------------
-----------------
Tcp 1.0.4.147:49107 1.0.100.1:21 1.0.3.148:21 1.0.4.147:49107
120 2 OS
Tcp 1.0.16.2:58736 1.0.100.1:21 1.0.3.148:21 1.0.16.2:58736
60 2 OS
Total Sessions: 2

The following table describes the fields in the command output.

Field Description
TCP Established Number of established TCP sessions.
TCP Half Open Number of half-open TCP sessions. A half-open session is one for which the Thunder Series device has not yet received a SYN ACK from the backend server.
TCP Half Close Number of half-closed TCP sessions. A half-closed TCP session is a session in which the server sends a FIN but the client does not reply with an ACK.
UDP Number of UDP sessions.
Non TCP/UDP IP sessions Number of IP sessions other than TCP or UDP sessions. This counter applies specifically to IP protocol load balancing. (See the “IP Protocol Load Balancing” chapter in the Application Delivery and Server Load Balancing Guide.)
Other Number of internally used sessions. As an example, internal sessions are used to hold fragmentation information.
Reverse NAT TCP Number of reverse-NAT TCP sessions.
Reverse NAT UDP Number of reverse-NAT UDP sessions.
Free Buff Count Number of IO buffers currently available.
Curr Free Conn Number of Layer 4 sessions currently available.
Conn Count Number of connections.
Conn Freed Number of connections freed after use.
TCP SYN Half Open Number of half-open TCP sessions. These are sessions that are half-open from the client’s perspective.
Conn SMP Alloc Statistics for session memory resources.
Conn SMP Free
Conn SMP Aged
Conn Type 0-4 Available
Conn SMP Type 0-4 Available
Prot Transport protocol.
Forward Source Client IP address when connecting to a VIP.
Notes:
• For DNS sessions, the client’s DNS transaction ID is shown instead of a protocol port number.
• The output for connection-reuse sessions shows 0.0.0.0 for the forward source and forward destination addresses.
• For source-IP persistent sessions, if the option to include the client source port (incl-sport) is enabled in the persistence template, the client address shown in the Forward Source column includes the port number.
  • IPv4 client addresses – The first two bytes of the displayed value are the third and fourth octets of the client IP address. The last two bytes of the displayed value represent the client source port. For example, “155.1.1.151:33067” is shown as “1.151.129.43”.
  • IPv6 client addresses – The first two bytes in the displayed value are a “binary OR” of the first two bytes of the client’s IPv6 address and the client’s source port number. For example, “2001:ff0:2082:1:1:1:d1:f000” with source port 38287 is shown as “b58f:ff0:2082:1:1:1:d1:f000”.
Also see the output examples below.
Forward Dest VIP to which the client is connected.

Reverse Source Real server’s IP address.
Note: If the ACOS device is functioning as a cache server (RAM caching), asterisks ( * ) in this field and the Reverse Dest field indicate that the ACOS device directly served the requested content to the client from the ACOS RAM cache. In this case, the session is actually between the client and the ACOS device rather than the real server.
Reverse Dest IP address to which the real server responds.
• If source NAT is used for the virtual port, this address is the source NAT address used by the ACOS device when connecting to the real server.
• If source IP NAT is not used for the virtual port, this address is the client IP address.
Age Number of seconds since the session started.
Hash CPU ID.
Flags Internal flag used for debugging purposes. It identifies the attributes of a session.
Type Indicates the session type, which can be one of the following:
• SLB-L4 – SLB session for Layer 4 traffic.
• SLB-L7 – SLB session for Layer 7 traffic.
• NAT – Network Address Translation (NAT) session for dynamic NAT.
• ST-NAT – NAT session for static NAT.
• ACL – Session for an ACL.
• TCS – Transparent Cache Switching session.
• XNT – Transparent session.

NOTE: The following counters apply only to the current partition:

• TCP Established
• TCP Half Open
• UDP
• Non TCP/UDP IP sessions
• Other
• Reverse NAT TCP
• Reverse NAT UDP

The other counters apply to all partitions, regardless of the partition from which the
command is entered.

Example The following command displays the IPv4 session for a specific source IP address:

ACOS(config)#show session ipv4 source-addr 1.0.4.147


Prot Forward Source Forward Dest Reverse Source Reverse Dest
Age Hash Flags
------------------------------------------------------------------------------------------
-----------------
Tcp 1.0.4.147:49107 1.0.100.1:21 1.0.3.148:21 1.0.4.147:49107
120 2 OS
Total Sessions: 1

Example The following commands display IPv4 source-IP persistent sessions, clear one of the sessions,
then verify that the session has been cleared:

ACOS(config)#show session persist src-ip


Prot Forward Source Forward Dest Reverse Source Age Hash Flags
------------------------------------------------------------------------------------
src 1.0.16.2 1.0.100.1:21 1.0.3.148 6000 120 2 OS
src 1.0.4.147 1.0.100.1:21 1.0.3.148 6000 120 2 OS
Total Sessions: 2
ACOS(config)#clear sessions persist src-ip source-addr 1.0.16.2
ACOS(config)#show session persist src-ip
Prot Forward Source Forward Dest Reverse Source Age Hash Flags
------------------------------------------------------------------------------------
src 1.0.4.147 1.0.100.1:21 1.0.3.148 5880 2 OS

In this example, IPv4 source-IP persistent sessions are shown. The incl-sport option in the
source-IP persistence template is enabled, so the value shown in the Forward Source column
is a combination of the client source IP address and source port number. The first two bytes
of the displayed value are the third and fourth octets of the client IP address. The last two
bytes of the displayed value represent the client source port.

Example The following commands display IPv6 source-IP persistent sessions:

ACOS(config)#show session persist ipv6


Prot Forward Source
Forward Dest
Reverse Source Age
------------------------------------------------------------------
src [2001:ff0:2082:1:1:1:d1:f000]
[2001:ff0:2082:1:1:1:f000:1111]:80
[2001:ff0:2082:4:1:1:f000:1e4]:6880 300

In the output above, the Forward Source column shows the client’s IPv6 address but does
not show the port number. The port number is omitted because the incl-sport option in the
source-IP persistence template is disabled.

In the output below, the same client IPv6 address is shown. However, in this case, the
incl-sport option in the source-IP persistence template is enabled. Therefore, the Forward Source
column includes the port number. The first two bytes in the displayed value are a “binary OR”
of the first two bytes of the client’s IPv6 address and the client’s source port number. In this
example, the Forward Source value is “b58f:ff0:2082:1:1:1:d1:f000”. The first two bytes, “b58f”,
are a “binary OR” value of “2001” and port number 38287.

ACOS(config)#show session persist ipv6


Prot Forward Source
Forward Dest
Reverse Source Age
------------------------------------------------------------------
src [b58f:ff0:2082:1:1:1:d1:f000]
[2001:ff0:2082:1:1:1:f000:1111]:80
[2001:ff0:2082:4:1:1:f000:1e3]:6880 300
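
The Forward Source encoding described in the field table and in the incl-sport examples above, worked through in Python as an added example (not part of the A10 reference and not ACOS code). It also shows that the displayed value does not identify one client uniquely, which matters when correlating session-table output with other logs. Assumptions: all function names and the sample flows are hypothetical and constructed here, and the port is written high byte first, which is what the page's 33067 → 129.43 example implies.

```python
"""Forward Source display value for source-IP persistence with incl-sport.

Added illustration; the function names are hypothetical, not ACOS or aXAPI calls.
"""
import ipaddress


def encode_forward_source(client_ip, src_port):
    """Return the Forward Source value for a client, per the rules in the field table."""
    if not 1 <= src_port <= 65535:
        raise ValueError("source port must be 1-65535")
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        # Third and fourth octets of the address, then the port as two bytes.
        octets = addr.packed
        return f"{octets[2]}.{octets[3]}.{src_port >> 8}.{src_port & 0xFF}"
    # IPv6: binary OR of the first two address bytes with the port.
    raw = bytearray(addr.packed)
    raw[0] |= src_port >> 8
    raw[1] |= src_port & 0xFF
    return str(ipaddress.IPv6Address(bytes(raw)))


def decode_ipv4_forward_source(displayed):
    """Recover what an IPv4 display value still carries.

    Returns ((third_octet, fourth_octet), source_port). The first two octets
    of the client address are not present in the displayed value.
    """
    third, fourth, hi, lo = ipaddress.IPv4Address(displayed).packed
    return (third, fourth), (hi << 8) | lo


def possible_ipv6_ports(displayed, client_ip):
    """List every source port that yields `displayed` for a known IPv6 client.

    The OR cannot be inverted: a bit already set in the address prefix hides
    whether the same bit was set in the port.
    """
    shown = ipaddress.IPv6Address(displayed).packed
    real = ipaddress.IPv6Address(client_ip).packed
    if shown[2:] != real[2:]:
        return []  # bytes 3-16 are displayed unchanged, so they must match
    shown_prefix = int.from_bytes(shown[:2], "big")
    real_prefix = int.from_bytes(real[:2], "big")
    return [p for p in range(1, 65536) if (real_prefix | p) == shown_prefix]


def consistent_flows(displayed, flows):
    """Filter (client_ip, src_port) pairs down to those matching a display value."""
    shown = ipaddress.ip_address(displayed)
    hits = []
    for ip, port in flows:
        try:
            candidate = ipaddress.ip_address(encode_forward_source(ip, port))
        except ValueError:
            continue  # malformed address or port in the candidate list
        if candidate == shown:
            hits.append((ip, port))
    return hits


# Constructed candidate flows, e.g. taken from an upstream firewall log.
CONSTRUCTED_FLOWS = [
    ("155.1.1.151", 33067),                  # the page's IPv4 example
    ("10.9.1.151", 33067),                   # other network, same last two octets
    ("155.1.1.151", 33068),                  # same client, different port
    ("2001:ff0:2082:1:1:1:d1:f000", 38287),  # the page's IPv6 example
    ("2001:ff0:2082:1:1:1:d1:f000", 38286),  # port differs only in a masked bit
    ("2001:ff0:2082:1:1:1:d1:f001", 38287),  # different client address
]

if __name__ == "__main__":
    print(encode_forward_source("155.1.1.151", 33067))
    print(encode_forward_source("2001:ff0:2082:1:1:1:d1:f000", 38287))
    print(decode_ipv4_forward_source("1.151.129.43"))
    print(possible_ipv6_ports("b58f:ff0:2082:1:1:1:d1:f000",
                              "2001:ff0:2082:1:1:1:d1:f000"))
    print(consistent_flows("1.151.129.43", CONSTRUCTED_FLOWS))
```
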

Example The following command shows active RADIUS sessions:

ACOS#show session radius


Traffic Type Total
--------------------------------------------
TCP Established 0
TCP Half Open 0
UDP 30
...

Prot Forward Source Forward Dest Reverse Source Reverse Dest
Age Hash Flags Radius ID
----------------------------------------------------------------------------------------
Udp 10.11.11.50:32836 10.11.11.90:1812 10.11.11.15:1812 10.11.11.50:32836
120 1 NSe0 104
Udp 10.11.11.50:32836 10.11.11.90:1812 10.11.11.12:1812 10.11.11.50:32836
120 1 NSe0 111
...
Udp 10.11.11.50:32836 10.11.11.90:1812 10.11.11.14:1812 10.11.11.50:32836
120 7 NSe0 103
Udp 10.11.11.50:32836 10.11.11.90:1812 10.11.11.11:1812 10.11.11.50:32836
120 7 NSe0 222
Total Sessions: 30

The session table contains a separate session for each RADIUS Identifier value. The following
address information is shown for each session:

• Forward Source – The sender of the RADIUS message. This is the IP address of the BRAS.
• Forward Dest – The RADIUS VIP on the ACOS device.
• Reverse Source – The RADIUS server to which the ACOS device sends requests that
have the Identifier listed in the RADIUS ID field.
• Reverse Dest – The destination of the RADIUS server reply forwarded by the ACOS
device. (This is the sender of the initial RADIUS message that started the session, the
BRAS in the example above.)

Example The following example displays the output when viewing the sessions on a real server
named “s2” whose IP address is 172.16.1.11:

ACOS(config)#show session server s2


Traffic Type Total
--------------------------------------------
TCP Established 5
TCP Half Open 0
UDP 0
Non TCP/UDP IP sessions 0
Other 0
Reverse NAT TCP 0
Reverse NAT UDP 0
Curr Free Conn 2018015
Conn Count 47300
Conn Freed 46529
TCP SYN Half Open 0
Conn SMP Alloc 22
Conn SMP Free 0
Conn SMP Aged 0
Conn Type 0 Available 3866493
Conn Type 1 Available 1932797
Conn Type 2 Available 950272
Conn Type 3 Available 482942
Conn Type 4 Available 241406
Conn SMP Type 0 Available 3801088
Conn SMP Type 1 Available 1900544
Conn SMP Type 2 Available 950272
Conn SMP Type 3 Available 483305
Conn SMP Type 4 Available 237568
Prot Forward Source Forward Dest Reverse Source Reverse Dest Age Hash Flags Type
------------------------------------------------------------------------------
Tcp 172.16.2.10:59992 172.16.2.200:80 172.16.1.11:80 172.16.1.50:18254
600 1 NSe1 SLB-L7
Tcp 172.16.2.10:60171 172.16.2.200:44333 172.16.1.11:80 172.16.1.50:18253
600 1 NSe1 SLB-L7
Total Sessions: 2

show sflow
Description Show sFlow information.

Syntax show sflow {configuration | statistics}
[ethernet portnum | ve ve-num]

Mode All

show shutdown
Description Display scheduled system shutdowns.

Syntax show shutdown

Mode Privileged EXEC level and configuration levels

Example The following command shows a scheduled shutdown on a Thunder Series device:

ACOS#show shutdown
Shutdown scheduled for 12:00:00 PST Sat Jan 19 2008 (in 358 hours and
23 minutes) by admin on 192.168.1.144
Shutdown reason: Scheduled shutdown

show slb
Description See “SLB Show Commands” on page 795.

show smtp
Description Display SMTP information.

Syntax show smtp

Mode All

Example The following command shows the SMTP server address:

ACOS#show smtp
SMTP server address: 192.168.1.99

show snmp
Description Display SNMP OIDs.

For more information, see the MIB Reference.

Syntax show snmp oid
{
server [svr-name] [port portnum] |
service-group [sg-name] [addr-type {firewall | tcp | udp}] [port portnum] [server-member name] |
virtual-server [vs-name] [port portnum]
}

Parameter Description
server svr-name Returns OIDs for the axServerStatTable. If a name is specified, this command returns OIDs for the axServerPortStatTable.
service-group sg-name Returns OIDs for the axServiceGroupStatTable. If a name is specified, this command returns OIDs for the axServerPortStatTable. You can narrow the command output by specifying the IP address type for addr-type or specific service-group member. Valid address types are firewall, tcp, or udp.
virtual-server vs-name Returns OIDs for the axVirtualServerStatTable. If a name is specified, this command returns OIDs for the axVirtualServerPortStatTable.
port port-num Returns OIDs for the specific port of a virtual server. If no port is specified, this command returns OIDs for all virtual port entries of the specified VIP.

Mode All

Example The sample command output below narrows the displayed OIDs for TCP IP addresses:

ACOS#show snmp oid service-group sg1 addr-type tcp


OID for axServiceGroupMemberStatTable
service-group-name sg1: type 2: server-name s2: port 80
==========================================================================
axServiceGroupMemberStatName:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.1.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatAddrType:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.2.3.115.103.49.2.2.115.50.80
axServerNameInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.3.3.115.103.49.2.2.115.50.80
axServerPortNumInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.4.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatPktsIn:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.5.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatBytesIn:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.6.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatPktsOut:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.7.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatBytesOut:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.8.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatPersistConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.9.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatTotConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.10.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatCurConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.11.3.115.103.49.2.2.115.50.80
axServerPortStatusInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.12.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatTotalL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.13.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatTotalCurrL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.14.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatTotalSuccL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.15.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatResponseTime:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.16.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatPeakConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.17.3.115.103.49.2.2.115.50.80
service-group-name sg1: type 2: server-name s1: port 80
==========================================================================
axServiceGroupMemberStatName:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.1.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatAddrType:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.2.3.115.103.49.2.2.115.49.80
axServerNameInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.3.3.115.103.49.2.2.115.49.80
axServerPortNumInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.4.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatPktsIn:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.5.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatBytesIn:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.6.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatPktsOut:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.7.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatBytesOut:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.8.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatPersistConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.9.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatTotConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.10.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatCurConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.11.3.115.103.49.2.2.115.49.80
axServerPortStatusInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.12.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatTotalL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.13.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatTotalCurrL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.14.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatTotalSuccL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.15.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatResponseTime:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.16.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatPeakConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.17.3.115.103.49.2.2.115.49.80

Example This output narrows the displayed OIDs for the service-group member “s1”:

ACOS#show snmp oid service-group sg1 server-member s1


OID for axServiceGroupMemberStatTable
service-group-name sg1: type 2: server-name s1: port 80
==========================================================================
axServiceGroupMemberStatName:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.1.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatAddrType:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.2.3.115.103.49.2.2.115.49.80
axServerNameInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.3.3.115.103.49.2.2.115.49.80
axServerPortNumInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.4.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatPktsIn:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.5.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatBytesIn:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.6.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatPktsOut:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.7.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatBytesOut:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.8.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatPersistConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.9.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatTotConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.10.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatCurConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.11.3.115.103.49.2.2.115.49.80
axServerPortStatusInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.12.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatTotalL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.13.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatTotalCurrL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.14.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatTotalSuccL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.15.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatResponseTime:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.16.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatPeakConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.17.3.115.103.49.2.2.115.49.80

show snmp-stats all


Description Display SNMP statistics.

NOTE: SNMP statistics also are included automatically in show techsupport output.

Syntax show snmp-stats all

Mode All

Example The following command displays SNMP statistics:

ACOS#show snmp-stats all

Bad SNMP version errors 0
Unknown community name 0
Illegal operation for community name 0
Encoding Error 0
Unknown security models 0
Invalid ID 0
Input packets 0
Number of requested variables 0
Get-Request PDUs 0
Get-Next PDUs 0
Packets drop 0
Too big errors 0
No such name errors 0
Bad values errors 0
General errors 0
Output packets 0
Get-Response PDUs 0
SNMP output traps 0

show startup-config
Description Display a configuration profile or display a list of all the locally saved configuration profiles.

Syntax show startup-config
[
all |
all-partitions |
partition {shared | partition-name} |
profile profile-name
]

Parameter Description
all Displays a list of the locally stored configuration profiles.
all-partitions Shows all resources in all partitions. In this case, the resources in the shared partition are listed first. Then the resources in each private partition are listed, organized by partition.
partition {shared | partition-name} Shows only the resources in the specified partition.
profile profile-name Displays the commands that are in the specified configuration profile.

Mode All

Usage The all-partitions and partition partition-name options are applicable on ACOS devices
that are configured with L3V partitions. If you omit both options, only the resources in the
shared partition are shown. (If no partitions are configured, all resources are in the shared
partition, so you can omit both options.)

The all-partitions option is applicable only to admins with Root, Read-write, or Read-only
privileges. (See “show admin” on page 682 for descriptions of the admin privilege levels.)

When entered without the all or profile-name option, this command displays the contents
of the configuration profile that is currently linked to “startup-config”. Unless you have
relinked “startup-config”, the configuration profile that is displayed is the one that is stored in
the image area from which the ACOS device most recently rebooted.

Example The following example shows how to view the startup-config in partition “companyB”
(truncated for brevity):

ACOS#show startup-config partition companyB


Show startup-config profile in partition "companyB"
Building configuration...

!Current configuration: 2442 bytes


!Configuration last updated at 11:23:01 IST Tue Sep 30 2014
!Configuration last saved at 11:31:59 IST Tue Sep 30 2014
!
active-partition companyB
!
exit
!
!
ip access-list test
remark 123
exit
!
!
ipv6 access-list test
remark 123
exit
!
...

show statistics
Description Display packet statistics for Ethernet interfaces.

Syntax show statistics [interface int-type port-num]

Mode All

Example The following command shows brief statistics for all Ethernet interfaces on an ACOS device:

ACOS#show statistics
Port Good Rcv Good Sent Bcast Rcv Bcast Sent Errors
---------------------------------------------------------------------------
1 3026787 3013699 91573 154220 0
2 0 0 0 0 0
3 0 0 0 0 0
...

Example The following command shows detailed statistics for Ethernet interface 1:

ACOS#show statistics interface ethernet 1


Port Link Dupl Speed IsTagged MAC Address
---------------------------------------------------
1 Up Full 1000 Untagged 0090.0B0A.D860

Port 1 Counters:
InPkts 6926 OutPkts 427659
InOctets 477802 OutOctets 323788182
InBroadcastPkts 5573 OutBroadcastPkts 62389
InMulticastPkts 0 OutMulticastPkts 359729
InBadPkts 0 OutBadPkts 0
OutDiscards 0 Collisions 0
InLongOctet 477802 InAlignErr 0
InLengthErr 0 InOverErr 0
InFrameErr 0 InCrcErr 0
InNoBufErr 0 InMissErr 48
InLongLenErr 0 InShortLenErr 0
OutAbortErr 0 OutCarrierErr 0
OutFifoErr 0 OutLateCollisions 0
InFlowCtrlXon 0 OutFlowCtrlXon 0
InFlowCtrlXoff 0 OutFlowCtrlXoff 0
InBufAllocFailed 0
InUtilization 15 OutUtilization 0

show store
Description Display the configured file transfer profiles in the credential store. The credential store is a
saved set of access information for file transfer between the ACOS device and remote file
servers.

Syntax show store [backup | export | import] name

Mode All

Example The following example shows sample output for this command:

ACOS(config)#show store export


Export Store Information
StoreName url SuccessRate FailedRate
==============================================================================
1k_ca_cert_2.crt scp://bxgu:****@192.168.12.12/home/exp/1k_ca_cert_2.crt 0 0

show switch
Description Display internal system information from the ASIC registers for troubleshooting.

NOTE: This command is applicable to only the following AX models: AX 2200, AX 2200-11,
AX 3100, AX 3200, AX 3200-11, AX 3200-12, AX 3400, AX 3530, AX 5100, AX 5200,
AX 5200-11, and AX 5630.

Syntax show switch {debug | mac-table | vlan-table | xfp-temp}

Parameter Description
debug View debug information.
mac-table View the MAC addresses configured on the ASIC.
vlan-table View the VLANs configured on the ASIC.
xfp-temp View the XFP temperatures.

Mode All

Usage Some options apply only to certain models. Only the mac-table, vlan-table, and xfp-temp
options are supported on AX models AX 5100, AX 5200, AX 5200-11, and AX 5630.

show system cpu-load-sharing


Description Displays CPU load sharing information.

Syntax show system cpu-load-sharing [statistics [detail]]

Parameter Description
statistics Shows CPU load sharing statistics.
detail Show per-CPU counters.

Mode All

Example The following command shows output from the cpu-load sharing feature. In this example,
the counter for the Load Sharing Triggered field is incremented every time a CPU enters
load-sharing mode. Similarly, the counter for the Load Sharing Untriggered field is
incremented every time a CPU is subsequently removed from load-sharing mode.

ACOS(config)#show system cpu-load-sharing statistics


CPU Load-Sharing Stats
---------------------
Load Sharing Triggered 1
Load Sharing Untriggered 1

Example If the show system cpu-load-sharing command is used without the statistics option,
then the output simply displays which CPUs are in load-sharing mode. The example below
shows that CPU 1, CPU 2, and CPU 3 are in load-sharing mode.

ACOS(config)#show system cpu-load-sharing


CPUs in Load-Sharing Mode: 1 2 3

show system platform


Description Display platform-related information and statistics.

Syntax show system platform {buffer-stats | busy-counter | interface-stats | statistics}

Parameter Description
buffer-stats Shows counters for buffer statistics.
busy-counter Shows counters for system busy statistics.
interface-stats Shows counters for interface statistics.
statistics Shows counters for internal statistics.

Mode All

Example The following command shows platform buffer statistics:

ACOS#show system platform buffer-stats


# buffers in Q0 cache: 2049 App: 0 TCPQ: 0 misc: 0
# buffers in Q1 cache: 4096 App: 0 TCPQ: 0 misc: 0
# buffers in Q2 cache: 4096 App: 0 TCPQ: 0 misc: 0
# buffers in Q3 cache: 4096 App: 0 TCPQ: 0 misc: 0
# buffers in Q4 cache: 4096 App: 0 TCPQ: 0 misc: 0
# buffers in Q5 cache: 4096 App: 0 TCPQ: 0 misc: 0
# buffers in Q6 cache: 4096 App: 0 TCPQ: 0 misc: 0
# buffers in Q7 cache: 4096 App: 0 TCPQ: 0 misc: 0
Approximate # buffers in App 0
Approximate # buffers in App_cp 0
Approximate # buffers in Cache_cp 1023
Approximate # buffers in Cache 30721
Approximate # buffers in Queue 0
Approximate # buffers in misc 0
Approximate # buffers free 100351
Approximate # buffers avail from HW 99309

show system resource-usage


Description Display the minimum and maximum numbers of system resources that can be configured or
used, the default maximum number allowed by the configuration, and the number currently
in use.

For example, the “l4-session-count” row of the output shows the number of Layer 4 sessions
that are currently in use, as well as the maximum number currently supported by the
configuration (the default maximum), and the range of values that can be assigned to the
default maximum.

In general, if a resource listed in the output has the same value in the Current and Maximum
columns (GSLB resources, for example), then the allocation for that resource can not be
changed.

Syntax show system resource-usage [template [default | template-name]]

Mode All

Usage To change system resource-usage settings, see the “system resource-usage” command on
page 179.

You must reload or reboot the system after making changes to system resource-usage
settings in order to place the changes into effect. For most system resource-usage settings, a
reload is sufficient. However, a change to the l4-session-count setting requires a reboot.

If the target device is not reloaded, the system resource-usage settings synchronized from
the active device appear in the standby device’s running-config, but do not actually take
effect until the reload or reboot.

• If you manually synchronize the configuration, you have the option to reload the target
device immediately following the synchronization. If you do not use this option, you
can reload the device later.
• If you are using VRRP-A in combination with aVCS, configuration synchronization is
automatic. In this case, you must reload or reboot the target device to place the system
resource-usage changes into effect.

NOTE: The target device is not automatically reloaded following configuration
synchronization.

Example Below is a sample output for this command.

ACOS#show system resource-usage


Resource Current Default Minimum Maximum
--------------------------------------------------------------------------
l4-session-count 67108864 67108864 16777216 268435456
auth-portal-html-file-size 20 20 4 120
auth-portal-image-file-size 6 6 1 80
ACOS#

The following table describes the fields in this output for each resource.

Field Description
Current Number of resources (for example, Layer 4 sessions) currently in use.
Default Default number of maximum resources (for example, Layer 4 sessions)
that can be configured based on the current configuration.
Minimum Minimum number of resources (for example, Layer 4 sessions) that can
be configured.
Maximum Maximum number of resources (for example, Layer 4 sessions) that
can be configured.

show tacacs-server
Description Display TACACS statistics.

Syntax show tacacs-server [hostname | ipaddr]

Mode All

Example The following command shows information for TACACS server 5.5.5.5:

ACOS#show tacacs-server 5.5.5.5


TACACS+ server : 5.5.5.5:49
Socket opens: 0
Socket closes: 0
Socket aborts: 0

Socket errors: 0
Socket timeouts: 0
Failed connect attempts: 0
Total packets recv: 0
Total packets send: 0

show techsupport
Description Display or export system information for use when troubleshooting.

Syntax show techsupport [export [use-mgmt-port] url] [page]

Parameter Description
export [use-mgmt-port] url Exports the output to a remote server. The url specifies the file
transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter
to display a prompt for each part of the URL. If you enter the
entire URL and a password is required, you will still be prompted
for the password. To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file
page Shows the information page by page. Without this option, all of
the output is sent to the terminal at one time.

Mode Privileged EXEC level and configuration levels

Example Below is an example of the output for this command using the page option:

ACOS#show techsupport page

============= Clock Info <Sep 30 2014 13:51:42.025524> =============


.14:51:42 IST Tue Sep 30 2014

============= Version Info <Sep 30 2014 13:51:42.059739> =============


AX Series Advanced Traffic Manager AXSoftAX
Copyright 2007-2014 by A10 Networks, Inc. All A10 Networks products are
protected by one or more of the following US patents:
8595819, 8595791, 8595383, 8584199, 8464333, 8423676, 8387128, 8332925, 8312507
8291487, 8266235, 8151322, 8079077, 7979585, 7804956, 7716378, 7665138, 7647635
7627672, 7596695, 7577833, 7552126, 7392241, 7236491, 7139267, 6748084, 6658114
6535516, 6363075, 6324286, 5875185, RE44701, 8392563, 8103770, 7831712, 7606912
7346695, 7287084, 6970933, 6473802, 6374300

64-bit Advanced Core OS (ACOS) version 4.0.0, build 407 (Sep-30-2014,07:38)


Booted from Hard Disk primary image

Serial Number: N/A


aFleX version: 2.0.0
aXAPI version: 3.0
Hard Disk primary image (default) version 4.0.0, build 407
Hard Disk secondary image version 2.7.0-P2, build 53
Last configuration saved at Sep-30-2014, 11:34
Virtualization type: VMware
Hardware: 1 CPUs(Stepping 7), Single 9G Hard disk
Memory 2054 Mbyte, Free Memory 492 Mbyte
Hardware Manufacturing Code: N/A
Current time is Sep-30-2014, 14:51
The system has been up 0 day, 3 hours, 16 minutes
--MORE--

show terminal
Description Show the terminal settings.

Syntax show terminal

Mode All

Example The following command shows the terminal settings.

ACOS#show terminal
Idle-timeout is 00:59:00
Length: 32 lines, Width: 90 columns
Editing is enabled
History is enabled, history size is 256
Auto size is enabled
Terminal monitor is off
Terminal prompt format: hostname
Command timestamp format: none

show tftp
Description Display the currently configured TFTP block size.

Syntax show tftp

Mode All

Example The following command shows the TFTP block size.

ACOS(config)#show tftp
TFTP client block size is set to 512

show trunk
Description Show information about a trunk group.

Syntax show trunk num

Replace num with the trunk number

Mode All

Example The following command shows information for trunk group 1:

ACOS#show trunk 1
Trunk ID : 1 Member Count: 8
Trunk Status : Up
Members : 1 2 3 4 5 6 7 8
Cfg Status : Enb Enb Enb Enb Enb Enb Enb Enb
Oper Status : Up Up Up Up Up Up Up Up
Ports-Threshold : 6 Timer: 10 sec(s) Running: No
Working Lead : 1

The following table describes the fields in the command output.

Field Description
Trunk ID ID assigned to the trunk by the admin who configured it.
Member Count Number of ports in the trunk.
Trunk Status Indicates whether the trunk is up.
Members Port numbers in the trunk.
Cfg Status Configuration status of the port.
Oper Status Operational status of the port.

Ports-Threshold Indicates the minimum number of ports that must be up in order for
the trunk to remain up.
If the number of up ports falls below the configured threshold, ACOS
automatically disables the trunk’s member ports. The ports are
disabled in the running-config. The ACOS device also generates a log
message and an SNMP trap, if these services are enabled.
Timer Indicates how many seconds the ACOS device waits after a port goes
down before marking the trunk down, if the ports threshold is
exceeded.
Running Indicates whether the ports-threshold timer is currently running.
When the timer is running, a port has gone down but the state
change has not yet been applied to the trunk’s state.
Working Lead Port number used for responding to ARP requests.
Note: If the lead port is shown as 0 or “None”, the trunk interface is
down.

show vcs
Description aVCS-specific show commands are available in Configuring ACOS Virtual Chassis Systems.

show version
Description Display software, hardware, and firmware version information.

Syntax show version

Mode All

Usage

Example Below is sample output for this command on an A10 Thunder Series 6430S platform.

ACOS#show version
Thunder Series Unified Application Service Gateway TH6430S
Copyright 2007-2014 by A10 Networks, Inc. All A10 Networks products are
protected by one or more of the following US patents:
8595819, 8595791, 8595383, 8584199, 8464333, 8423676, 8387128, 8332925, 8312507
8291487, 8266235, 8151322, 8079077, 7979585, 7804956, 7716378, 7665138, 7647635
7627672, 7596695, 7577833, 7552126, 7392241, 7236491, 7139267, 6748084, 6658114
6535516, 6363075, 6324286, 5875185, RE44701, 8392563, 8103770, 7831712, 7606912
7346695, 7287084, 6970933, 6473802, 6374300

64-bit Advanced Core OS (ACOS) version 4.0.0, build 378 (Sep-18-2014,06:54)


Booted from Hard Disk primary image

Serial Number: ................


Firmware version: 4.4
aFleX version: 2.0.0
aXAPI version: 3.0
Hard Disk primary image (default) version 4.0.0, build 378
Hard Disk secondary image version 4.0.0, build 226
Compact Flash primary image (default) version 2.7.1-P1, build 76
Last configuration saved at Sep-18-2014, 19:47
Hardware: 32 CPUs(Stepping 7), Single 93G Hard disk
Memory 64118 Mbyte, Free Memory 39744 Mbyte
Hardware Manufacturing Code: ....00
Current time is Sep-19-2014, 20:26
The system has been up 1 day, 0 hour, 37 minutes

show vlans
Description Display the configured VLANs.

Syntax show vlans [vlan-id]

Mode All

Example The following command lists all the VLANs configured on an ACOS device:

ACOS#show vlans
Total VLANs: 4
VLAN 1, Name [DEFAULT VLAN]:
Untagged Ethernet Ports: 3 4 6 7 8 9 10 11
12 13 14 15 16 17 18 19
20
Tagged Ethernet Ports: None
Untagged Logical Ports: None
Tagged Logical Ports: None

VLAN 60, Name [None]:


Untagged Ethernet Ports: None
Tagged Ethernet Ports: 2
Untagged Logical Ports: None
Tagged Logical Ports: None

Router Interface: ve 60

VLAN 100, Name [None]:


Untagged Ethernet Ports: None

Tagged Ethernet Ports: 5


Untagged Logical Ports: None
Tagged Logical Ports: None

Router Interface: ve 100

VLAN 120, Name [None]:


Untagged Ethernet Ports: None
Tagged Ethernet Ports: 1
Untagged Logical Ports: None
Tagged Logical Ports: None

Router Interface: ve 120

show vrrp-a
Description All show commands related to VRRP-A are available in Configuring VRRP-A High Availability.

show waf
Description Display information for the Web Application Firewall (WAF). See the Web Application Firewall
Guide.

SLB Show Commands

The show slb commands display information for Server Load Balancing (SLB).

To automatically re-enter a show slb command at regular intervals, see “repeat” on page 40.

In addition to the command options provided with some show commands, you can use output modifiers to search and filter
the output. See “Searching and Filtering CLI Output” on page 11.

The active-vrid option will appear in the CLI only if VRRP-A is configured and enabled on your device.

NOTE: For information about other show commands, see “Show Commands” on page 681.

show slb aflow


Description Show aFlow statistics.

Syntax show slb aflow [active-vrid {default | num}] [detail]

Parameter Description
active-vrid Show aFlow statistics for the specified VRID only.
You can specify default for VRID 0, or specify a VRID 1-31.
detail List separate counters for each CPU in the statistics output.

Mode All

show slb attack-prevention


Description Show SYN-cookie statistics for the number of packets received during different intervals of
time.

Syntax show slb attack-prevention [active-vrid {default | num}]

Use the active-vrid option to view statistics for a specific VRID. You can specify default for
VRID 0, or specify a VRID 1-31.

Mode All

Usage When running the show slb attack-prevention command on an FPGA-based model,
the “SYN attack” field does not show output for the historical counters (1s/5s/30s/1min/
5min). Output is only provided for the “current” column.

This feature is supported for L3V private partitions in non-FPGA-based models. If the show
slb attack-prevention command is run from an L3V network partition on an FPGA-
based model, the “SYN attack” counter displays zero for all columns.

Example The following command shows SYN-cookie statistics:

ACOS#show slb attack-prevention


Current 1 sec 5 sec 30 sec 1 min 5 min
--------------------------------------------------------------------------------------
SYN cookie snt 0 0 0 0 0 0
SYN cookie snt ts 0 0 0 0 0 0
SYN cookie snt fail 0 0 0 0 0 0
SYN cookie chk fail 0 0 0 0 0 0
SYN attack 0 0 0 0 0 0

The following table describes the fields in the command output.

Field Description
SYN cookie snt Number of TCP SYN cookies sent.
SYN cookie snt ts Number of expanded TCP SYN cookies sent.
SYN cookie snt fail Number of TCP SYN cookie send attempts that failed.
SYN cookie chk fail Number of TCP SYN cookies for which the responding ACK failed
the SYN cookie check.
SYN attack Total number of SYN connections that did not receive an ACK
from the client and are assumed to be a SYN attack.
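
Added example (not A10 code): a Python parser for the show slb attack-prevention table that converts the interval columns of the SYN attack row to per-second rates and reports the cookie failure counters. It assumes each interval column counts events within that interval and that a row with unpopulated historical columns (the FPGA case described under Usage) simply carries fewer numbers; the sample values, the function names and the 500-per-second threshold are constructed.

```python
import re

COLUMNS = ("current", "1s", "5s", "30s", "1min", "5min")
WINDOW_SECONDS = {"1s": 1, "5s": 5, "30s": 30, "1min": 60, "5min": 300}

# A data row is a label starting with "SYN" followed by one to six integers.
ROW = re.compile(r"^\s*(SYN [A-Za-z ]+?)\s+(\d+(?:\s+\d+)*)\s*$")

# Constructed sample in the layout shown on this page.
SAMPLE = """\
ACOS#show slb attack-prevention

                     Current   1 sec   5 sec   30 sec   1 min   5 min
--------------------------------------------------------------------------------------
SYN cookie snt       1200      1180    5900    35000    69000   70000
SYN cookie snt ts    0         0       0       0        0       0
SYN cookie snt fail  0         0       0       12       12      12
SYN cookie chk fail  3         3       15      90       180     200
SYN attack           1100      1090    5400    32000    63000   64000
"""


def parse_attack_prevention(text):
    """Return {row label: {column: int, or None when the column is absent}}."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None:
            continue  # prompt, header, separator or blank line
        values = [int(v) for v in m.group(2).split()][:len(COLUMNS)]
        values += [None] * (len(COLUMNS) - len(values))
        rows[m.group(1)] = dict(zip(COLUMNS, values))
    return rows


def assess(rows, rate_threshold=500.0, fpga_l3v_partition=False):
    """Summarise the table for alerting.

    fpga_l3v_partition: set when the output was taken from an L3V partition on
    an FPGA-based model, where the SYN attack row reads zero in every column
    and therefore says nothing about whether an attack is under way.
    """
    attack = rows.get("SYN attack", {})
    flood_windows = []
    if not fpga_l3v_partition:
        for col, secs in WINDOW_SECONDS.items():
            count = attack.get(col)
            if count is not None and count / secs >= rate_threshold:
                flood_windows.append(col)

    def widest(label):
        # Value from the longest populated interval for this row.
        row = rows.get(label, {})
        for col in reversed(COLUMNS):
            if row.get(col) is not None:
                return row[col]
        return 0

    return {
        "syn_attack_reliable": not fpga_l3v_partition,
        "syn_attack_current": attack.get("current"),
        "flood_windows": flood_windows,
        # ACKs that did not validate against a cookie the device issued.
        "cookie_check_failures": widest("SYN cookie chk fail"),
        # SYNs the device could not answer with a cookie.
        "cookie_send_failures": widest("SYN cookie snt fail"),
    }


if __name__ == "__main__":
    print(assess(parse_attack_prevention(SAMPLE)))
```

A flood that appears in the short windows but not in the 5 min window, as in the constructed sample, started recently; the same rate in every window indicates a sustained event.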

show slb cache


Description Display statistics and other information for RAM caching.

Syntax show slb cache
[active-vrid {default | num}]
[entries vip-name port-num |
memory-usage |
replacement vip-name port-num |
stats [vip-name port-num]]

Option Description
active-vrid Show RAM caching statistics for the specified VRID only.
You can specify default for VRID 0, or specify a VRID 1-31.
entries vip-name port-num Shows a list of the cached objects.
memory-usage Shows memory usage for RAM caching.
replacement vip-name port-num Shows replacement information for the specified virtual port on the
specified virtual server.
stats [vip-name port-num] Lists RAM caching statistics by VIP. If you specify a VIP or port number,
statistics are displayed only for that VIP or port number.

Mode All

Usage If you do not use any of the optional parameters, RAM caching statistics are displayed. This is
equivalent to entering the show slb cache stats command.

Example The following command shows RAM caching statistics:

ACOS#show slb cache


Total
---------------------------------------------------------------
Cache Hits 0 (0.0 %)
Cache Misses 0
Memory Used 0
Bytes Served 0

Requests
- Total Requests 0
- Cacheable Requests 0
- No-cache Requests 0
- IMS Requests 0

Responses (from server)


- 304 Not Modified 0
- 200 OK - Cont Len 0
- 200 OK - Chnk Enc 0
- 200 OK - Other 0
- Not cacheable 0

Responses (from cache)


- 304 Not Modified 0
- 200 OK - No Comp 0
- 200 OK - Gzip 0
- 200 OK - Deflate 0
- Other 0

Entries
- Cached 0
- Replaced 0
- Aged Out 0
- Cleaned 0
- Create failures 0

Revalidation
- Successes 0
- Failures 0

Policies
- URI nocache 0
- URI cache 0
- URI invalidate 0
- Content Too Big 0
- Content Too Small 0

The following table describes the fields in the command output.

Field Description
Cache Hits Number of times a requested page was found in the cache and served from the cache.
Cache Misses Number of times a requested page was not found in the cache.
Memory Used Amount of RAM currently used by cached content.
Bytes Served Number of bytes served.
Requests Contains the following counters:
• Total Requests – Total number of requests received on all virtual server ports on which
caching is configured.
• Cacheable Requests – Number of requests that are potentially cacheable.
• No-cache Requests – Number of requests with no-cache header directives.
• IMS Requests – Number of requests that contained an If-Modified-Since header.
Responses (from server) Contains the following counters:
• 304 Not Modified – Number of “304 Not Modified” responses sent from the server.
• 200 OK - Cont Len – Number of “200 OK - Cont Len” responses sent to clients.
• 200 OK - Chnk Enc – Number of “200 OK - Chnk Enc” responses sent to clients.
• 200 OK - Other – Number of “200 OK - Other” responses sent to clients.
• Not cacheable – Number of responses with no-cache header directives.
Responses (from cache) Contains the following counters:
• 304 Not Modified – Number of “304 Not Modified” responses sent from the cache.
• 200 OK - No Comp – Number of “200 OK - No Comp” responses sent from the cache. “No
Comp” indicates that the object is not compressed.
• 200 OK - Gzip – Number of “200 OK - Gzip” responses sent from the cache. This indicates
that an object was compressed using gzip. Gzip is an encoding format produced by the
file compression program “gzip” (GNU zip) as described in RFC 1952 (Lempel-Ziv coding
[LZ77] with a 32 bit CRC).
• 200 OK - Deflate – Number of “200 OK - Deflate” responses sent from the cache. This
indicates that an object was compressed using deflate. Deflate is the “zlib” format defined in
RFC 1950 in combination with the “deflate” compression mechanism described in RFC
1951.
• Other – Number of “Other” responses sent from the cache. This indicates that an object
was compressed using compress. Compress is the encoding format produced by the
common UNIX file compression program “compress” (adaptive Lempel-Ziv-Welch coding
[LZW]).
Entries Contains the following counters:
• Cached – Number of objects currently in the cache.
• Replaced – Number of cached items that were removed to make room for newer entries,
per the replacement policy.
• Aged Out – Number of entries that were removed because they are older than their
expiration time.
• Cleaned – Number of cached objects that have aged out and therefore been removed
from the cache.
• Create Failures – Number of times ACOS failed to create a cache entry.

Revalidation Contains the following counters:
• Successes – Number of entries that were successfully revalidated by the server.
• Failures– Number of times revalidation failed.
Policies Contains the following counters:
• URI nocache – Number of times requested content was not cached due to a URI policy.
• URI cache – Number of times a request was cached due to a URI policy.
• URI invalidate – Number of times a request was invalidated due to a URI policy.
• Content Too Big – Number of cacheable items that were not cached because the file size
was larger than the configured maximum content size.
• Content Too Small – Number of cacheable items that were not cached because the file
size was smaller than the configured minimum content size.

Example The following command shows cached objects:

ACOS#show slb cache entries vs-cookie-cache 80


vs-cookie-cache:80
Host Object URL Bytes Type Status Expires in
---------------------------------------------------------------------------------------
10.20.0.120 /static2/1000.txt 1365 CL,No FR 3410 s
10.20.0.120 /static2/10000.txt 10366 CL,No FR 3490 s
10.20.0.120 /static2/1000000.txt 636152 CE,Gz FR 3594 s
10.20.0.120 /static2/1000000.txt 1000368 CL,No FR 2719 s
10.20.0.120 /ewen/index.html 1479 CL,Mo FR -57 s

The following table describes the fields in the command output.

Field Description
cached-vip Virtual port number on which RAM caching is enabled.
Host IP address of the content server.
Object URL URL from which the cached object was obtained by the ACOS device.
Bytes Length of the cached object.

Type Indicates whether the cached object has a Content-Length header, is
compressed, or is chunk-encoded.
The value after the comma indicates the type of compression used:
• No – Object is uncompressed.
• Gz – Object was compressed using gzip. Gzip is an encoding format
produced by the file compression program “gzip” (GNU zip) as
described in RFC 1952 (Lempel-Ziv coding [LZ77] with a 32 bit CRC).
• Cm – Object was compressed using compress. Compress is the
encoding format produced by the common UNIX file compression
program “compress” (adaptive Lempel-Ziv-Welch coding [LZW]).
• Df – Object was compressed using deflate. Deflate is the “zlib” format
defined in RFC 1950 in combination with the “deflate” compression
mechanism described in RFC 1951.
Status Status of the entry:
• FR – Fresh
• ST – Stale
• IN – Incomplete
• FA – Failed
• UN – Unknown
• R – The entry must be revalidated.
Expires in Number of seconds the object can remain unused before it ages out.

Example The following command shows RAM caching memory usage:

ACOS#show slb cache memory-usage


VIP Port Memory Configured Memory Used Percent Used
---------------------------------------------------------------------------------------
vs120 80 10485760 8386560 79.98%
---------------------------------------------------------------------------------------
Total 10485760 8386560 79.98%

Example The following command shows replacement statistics:

ACOS#show slb cache replacement cached-vip 80


Frequency Total
---------------------------------------------------------------
1/256 6
1/128 0
1/64 0
1/32 0
1/16 0
1/8 0

1/4 0
1/2 0
1 0
2 0
4 0
8 0
16 0
32 0
64 0
128 2

The output shows the distribution of requests for the cached entries. Entries listed for 1/256
(one in 256 requests) are the least requested, whereas entries listed for 128 are the most
requested.

show slb compression


Description Show HTTP compression statistics in bytes.

Syntax show slb compression
[active-vrid {default | num}]
[virtual-server port-num]
[all-partition | partition {shared | name}]

Option Description
active-vrid Show HTTP compression statistics for the specified VRID only.
You can specify default for VRID 0, or specify a VRID 1-31.
virtual-server port-num Show HTTP compression statistics for the specified virtual server
only.
The port-num option shows information only for the specified
virtual port on the virtual server.
all-partition Show HTTP compression statistics in all partitions.
partition {shared | name} Show HTTP compression statistics in the specified partition or
shared partition.

Mode All

show slb connection-reuse


Description Show SLB connection-reuse statistics.

Syntax show slb connection-reuse [active-vrid {default | num}] [detail]

Parameter Description
active-vrid Show statistics for the specified VRID only.
You can specify default for VRID 0, or specify a VRID 1-31.
detail List separate counters for each CPU in the statistics output.

Mode All

Example The following command shows summary connection-reuse statistics:

ACOS#show slb connection-reuse


Total
------------------------------------------------------------------
Open persist 0
Active persist 0
Total established 1787
Total terminated 1787
Total terminated by err 0
Total bind 1277
Total unbind 2389
Delayed unbind 4
Long resp 0
Missed resp 0
Unbound data rcvd 0
Pause request 0
Pause request fail 0
Resume request 0
Not remove from list 0

The following table describes the fields in the command output.

Field Description
Open persist Number of new client connections directed to the same server as previous connections by
the persistence feature.
Active persist Number of currently active connections that were sent to the same real server by the
persistence feature.
Total established Total number of established connections to the backend server.
Total terminated Total number of terminated connections to the backend server.
Total terminated by err Total number of backend connections terminated due to an error.
Total bind Total number of client persistent connections bound to the backend server.
Total unbind Total number of client persistent connections unbound from the backend server.

Delayed unbind Number of connections whose unbinding was delayed.
NOTE: In the current release, this counter is unused and is always 0.
Long resp Number of responses that took too long.
Missed resp Number of missed responses to HTTP requests.
Unbound data rcvd Amount of data received on an unbound connection. This is used for debugging purposes.
Pause request, Pause request fail, Resume request, Not remove from list These are internal counters used by A10 Technical Support for debugging purposes.

show slb conn-rate-limit


Description Show statistics for source-IP based connection rate limiting.

Syntax show slb conn-rate-limit src-ip {locked-out-ips | statistics [debug]}

Mode All

Example The following command shows statistics for source-IP based connection rate limiting:

ACOS(config)#show slb conn-rate-limit src-ip statistics


Sessions allocated 0
Sessions freed 0
Too many sessions consumed 0
Out of sessions 0
Threshold check count 1022000
Honor threshold count 20532
Threshold exceeded count 1001408
Lockout drops 60
Log messages sent 20532
DNS requests re-transmitted 1000
No DNS response for request 1021000

The following table describes the fields in the show command output.

Field Description
Sessions allocated Number of sessions allocated.
Sessions freed Number of sessions freed.
Too many sessions consumed Number of times too many sessions were consumed.
Out of sessions Number of times the device ran out of sessions.

Threshold check count Number of times the ACOS device has checked for connection-limit violations.
Honor threshold count Number of requests permitted because they were within the connection limit.
Threshold exceeded count Number of requests denied because they exceeded the connection limit.
Lockout drops Number of requests dropped because a client was locked out.
Log messages sent Number of log messages generated by this feature.
DNS requests re-transmitted Number of re-transmitted DNS requests detected. These are DNS requests for which
no response was received by the ACOS device.
No DNS response for request Number of DNS requests for which no response was received.
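
Added example (not A10 code): counters such as these are easier to act on as per-interval deltas than as lifetime totals. The Python script below compares two snapshots of the statistics output taken a known number of seconds apart. The first snapshot is the sample output above; the second snapshot, the function names, and the assumption that the counters are cumulative until a reload or clear are not from this document.

```python
import re

# "<counter name> <integer>" with the name made of words, spaces and hyphens.
LINE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s+(\d+)\s*$")

# Snapshot at t0: the sample output shown on this page.
SNAP_T0 = """\
ACOS(config)#show slb conn-rate-limit src-ip statistics

Sessions allocated 0
Sessions freed 0
Too many sessions consumed 0
Out of sessions 0
Threshold check count 1022000
Honor threshold count 20532
Threshold exceeded count 1001408
Lockout drops 60
Log messages sent 20532
DNS requests re-transmitted 1000
No DNS response for request 1021000
"""

# Snapshot at t0 + 60 s: constructed values.
SNAP_T1 = """\
Sessions allocated 5000
Sessions freed 4200
Too many sessions consumed 0
Out of sessions 3
Threshold check count 1082000
Honor threshold count 50532
Threshold exceeded count 1031348
Lockout drops 120
Log messages sent 50532
DNS requests re-transmitted 1000
No DNS response for request 1021000
"""


def parse_stats(text):
    """Return {counter name: value} for every counter line in the output."""
    stats = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def interval_report(before, after, seconds):
    """Summarise what happened between two snapshots taken `seconds` apart."""
    # A counter that went backwards means the statistics were cleared or the
    # device reloaded; in that case the later values are the whole delta.
    reset = any(after.get(name, 0) < value for name, value in before.items())
    base = {} if reset else before
    delta = {name: value - base.get(name, 0) for name, value in after.items()}

    checks = delta.get("Threshold check count", 0)
    denied = delta.get("Threshold exceeded count", 0)
    return {
        "counter_reset": reset,
        # Share of checked requests that were over the connection limit.
        "deny_ratio": denied / checks if checks else 0.0,
        "denied_per_sec": denied / seconds,
        "lockout_drops_per_sec": delta.get("Lockout drops", 0) / seconds,
        # Non-zero means the device ran out of sessions during the interval.
        "out_of_sessions": delta.get("Out of sessions", 0),
        "unanswered_dns": delta.get("No DNS response for request", 0),
    }


if __name__ == "__main__":
    t0, t1 = parse_stats(SNAP_T0), parse_stats(SNAP_T1)
    print(interval_report(t0, t1, 60))
```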

show slb diameter


Description Show statistics for Diameter load balancing.

Syntax show slb diameter [active-vrid {default | vrid-num}] [detail]

Parameter Description
active-vrid Show statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID 1-31.
detail Show statistics per CPU in the output.

Mode All

Example The following command shows statistics for Diameter load balancing:

ACOS#show slb diameter


Total
------------------------------------------------------------------
Current proxy conns 0
Total proxy conns 0
client fail 0
server fail 0
Server selection failure 0
no route failure 0
Source NAT failure 0
concurrent user-session 0
acr out 0
acr in 0
aca out 0
aca in 0
cea out 0
cea in 0
cer out 0

cer in 0
dwr out 0
dwr in 0
dwa out 0
dwa in 0
str out 0
str in 0
sta out 0
sta in 0
asr out 0
asr in 0
asa out 0
asa in 0
other out 0
other in 0

The following table describes the fields in the command output.

Field Description
Current proxy conns Number of currently active Diameter connections using the ACOS device as a Diameter
proxy.
Total proxy conns Total number of Diameter connections that have used the ACOS device as a Diameter
proxy.
client fail Number of times selection of a client failed.
server fail Number of times selection of a server failed.
Server selection failure Number of times selection of a real server failed.
no route failure Number of failures due to no route.
Source NAT failure Number of source NAT failures.
concurrent user-session Number of concurrent user sessions.
acr out Number of Accounting-Request messages sent by the ACOS device.
acr in Number of Accounting-Request messages received by the ACOS device.
aca out Number of Accounting-Answer messages sent by the ACOS device.
aca in Number of Accounting-Answer messages received by the ACOS device.
cea out Number of Capabilities-Exchange-Answer messages sent by the ACOS device.
cea in Number of Capabilities-Exchange-Answer messages received by the ACOS device.
cer out Number of Capabilities-Exchange-Request messages sent by the ACOS device.
cer in Number of Capabilities-Exchange-Request messages received by the ACOS device.
dwr out Number of Device-Watchdog-Request messages sent by the ACOS device.
dwr in Number of Device-Watchdog-Request messages received by the ACOS device.
dwa out Number of Device-Watchdog-Answer messages sent by the ACOS device.
dwa in Number of Device-Watchdog-Answer messages received by the ACOS device.
str out Number of Session-Termination-Request messages sent by the ACOS device.
str in Number of Session-Termination-Request messages received by the ACOS device.
sta out Number of Session-Termination-Answer messages sent by the ACOS device.
sta in Number of Session-Termination-Answer messages received by the ACOS device.
asr out Number of Abort-Session-Request messages sent by the ACOS device.
asr in Number of Abort-Session-Request messages received by the ACOS device.
asa out Number of Abort-Session-Answer messages sent by the ACOS device.
asa in Number of Abort-Session-Answer messages received by the ACOS device.
other out Number of Diameter messages of other types (other message codes) sent by the ACOS
device.
other in Number of Diameter messages of other types received by the ACOS device.

show slb fast-http-proxy


Description Show statistics for SLB fast-HTTP proxy.

Syntax show slb fast-http-proxy [server-name port] [active-vrid {default | vrid-num}] [detail]

Parameter Description
server-name port Show statistics for the specified server and port only.
active-vrid Show statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID 1-31.
detail Show statistics per CPU in the output.

Mode All

Example The following command shows summary fast-HTTP-proxy statistics:

ACOS#show slb fast-http-proxy


Total
------------------------------------------------------------------
Curr Proxy Conns 0
Total Proxy Conns 0
HTTP requests 0
HTTP requests(succ) 0
No proxy error 0
Client RST 0
Server RST 0
No tuple error 0
Parse req fail 0
Server selection fail 0
Fwd req fail 0
Fwd req data fail 0
Req retransmit 0
Req pkt out-of-order 0
Server reselection 0
Server premature close 0
Server conn made 0
Source NAT failure 0
Request over limit 0
Request rate over limit 0
Out RSTs 0
Full proxy tot 0
Full proxy POST 0
Full proxy pipeline 0
Full proxy fpga err 0
Close on DDoS 0
DNS unresolve 0
Policy drop 0

The following table describes the fields in the command output.

Field Description
Curr Proxy Conns Number of currently active connections using the fast-HTTP proxy.
Total Proxy Conns Total number of connections that have used the fast-HTTP proxy.
HTTP requests Number of HTTP requests received by the fast-HTTP proxy.
HTTP requests(succ) Number of HTTP requests successfully fulfilled (by establishing a connection to a real
server).
No proxy error Number of proxy errors.
Client RST Number of times TCP connections with clients were reset.
Server RST Number of times TCP connections with servers were reset.
No tuple error Number of tuple errors.
Parse req fail Number of times the HTTP parser failed to parse a received HTTP request.
Server selection fail Number of times selection of a real server failed.
Fwd req fail Number of forward request failures.
Fwd req data fail Number of forward request data failures.
Req retransmit Number of retransmitted requests.
Req pkt out-of-order Number of request packets received from clients out of sequence.
Server reselection Number of times initial selection of a real server for an HTTP request failed (for example,
due to a TCP Reset sent by the server).
Server premature close Number of times the connection with a server closed prematurely.
Server conn made Number of connections made with servers.
Source NAT failure Number of source NAT failures.
Request over limit Number of times the request limit was exceeded.
Request rate over limit Number of times the request rate limit was exceeded.
Out RSTs Number of TCP RSTs sent out.
Full proxy tot Total number of full proxy HTTP sessions.
Full proxy POST Total number of full proxy sessions for HTTP POST requests.
Full proxy pipeline Total number of pipelined requests.
Full proxy fpga err Total number of FPGA errors.
Close on DDoS Number of times a session was closed due to a Denial of Service attack.

show slb fix


Description Show SLB statistics for the Financial Information Exchange (FIX) proxy.

Syntax show slb fix [active-vrid {default | vrid-num}] [detail]

Parameter Description
active-vrid Show statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID 1-31.
detail Show statistics per CPU in the output.

Mode All

Example The following command shows FIX SLB statistics.

ACOS(config)#show slb fix


Total
------------------------------------------------------------------
Current proxy conns 4
Total proxy conns 2
Client fail 7
Server fail 2
Server selection failure 1
no route failure 0
Source NAT failure 1
Insert client IP 5
Default switching 1
Sender ID switching 4
Target ID switching 0

The following table describes the fields in the command output.

Field Description
Current proxy conns Number of currently active connections using the FIX proxy.
Total proxy conns Total number of connections that have used the FIX proxy.
Client fail Number of times that the connection was terminated due to an error on the client side.
Server fail Number of times that the connection was terminated due to an error on the server side.
Server selection failure Number of times selection of a real server failed.
no route failure Number of times FIX failed due to a route lookup failure.
Source NAT failure Number of source NAT failures.
Insert client IP Number of times that the ACOS device inserted the client’s IP address into tag 11447 and forwarded
the recalculated request packet to the FIX server.
Default switching Number of times that the ACOS device parsed the tag value from a client’s request and selected a
service-group based on a match with the configured tag keyword.
Sender ID switching Instances of content switching based on the sender’s identification tag (SenderCompID).
Target ID switching Instances of content switching based on the receiver’s identification tag (TargetCompID).

show slb ftp


Description Show SLB FTP statistics.

Syntax show slb ftp [active-vrid {default | vrid-num}]

Use active-vrid to show statistics for the specified VRID only. Specify default for VRID 0,
or specify a VRID 1-31.

Mode All

Example The following command shows SLB FTP statistics.

ACOS#show slb ftp


Total Control Sessions 0
Total ALG packets 0
ALG packets rexmitted 0
Total Data Sessions 0
Total PORT helper sessions 0
Total PASV helper sessions 0
Drop Data Port out of range 0

The following table describes the fields in the command output.

Field Description
Total Control Sessions Total number of FTP control sessions load-balanced by the Thunder Series device.
Total ALG packets Total number of Application Layer Gateway (ALG) packets.
ALG packets rexmitted Number of ALG packets that have been retransmitted.
Out of Connections Number of times an FTP control session could not be established because none of the real
servers had available connections.
Total Data Sessions Total number of FTP data sessions load-balanced by the Thunder Series device.
Out of Connections Number of times an FTP data session could not be established because none of the real
servers had available connections.

show slb ftp-proxy


Description Display FTP-proxy statistics.

Syntax show slb ftp-proxy [active-vrid {default | vrid-num}] [detail]

Parameter Description
active-vrid Show statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID 1-31.
detail Show statistics per CPU in the output.

Mode All

show slb generic-proxy


Description Display generic-proxy statistics.

Syntax show slb generic-proxy [active-vrid {default | vrid-num}] [detail]

Parameter Description
active-vrid Show statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID 1-31.
detail Show statistics per CPU in the output.

Mode All

show slb geo-location


Description Display geo-location information.

Syntax show gslb geo-location [virtual-server-name | port-num | bad-only | depth num | id group-id | ip ipaddr | location location-name | statistics]

Option Description
virtual-server-name Displays geo-location information for only the specified virtual server.
port-num Displays geo-location information for only the specified virtual port.
bad-only Displays only the invalid entries.
depth num Specifies how many nodes within the geo-location data tree to display. For example, to
display only continent and country entries and hide individual state and city entries,
specify depth 2. By default, the full tree (all nodes) is displayed. You can specify 1-5.
id group-id Displays geo-location information for only the specified black/white-list group ID.
ip ipaddr Displays geo-location database entries for only the specified IP address.
location location-name Displays geo-location database entries for only the specified location.
statistics Displays statistics for the specified geo-location.

Mode All

Usage Some options can be combined on the same command line. See the CLI help for information.

show slb http-proxy


Description Show statistics for SLB HTTP proxy.

Syntax show slb http-proxy [active-vrid {default | vrid-num}] [virtual-server port-num] [detail]

Option Description
active-vrid View statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID number 1-31.
detail Lists separate counters for each CPU.
virtual-server port-num Displays counters for HTTP response codes. For the virtual-server port-num,
enter the name of a virtual server and its port. The port-num can be 1-65534.

Mode All

Example The following command shows summary HTTP-proxy statistics:

ACOS#show slb http-proxy


Total
------------------------------------------------------------------
Curr Proxy Conns 2
Total Proxy Conns 3266
HTTP requests 3860
HTTP requests(succ) 3605
HTTP req (cache succ) 0
No proxy error 0
Client RST 351
Server RST 1
No tuple error 0
Parse req fail 0
Server selection fail 0
Fwd req fail 10
Fwd req data fail 0
Req retransmit 0
Req pkt out-of-order 0
Server reselection 0
Server premature close 0
Server conn made 1791
Source NAT failure 0
Tot data before compress 1373117
Tot data after compress 404410
Request over limit 0
Request rate over limit 0
Close on DDoS 0
DNS unresolve 0
Policy drop 0

The following table describes the fields in the command output.

Field Description
Curr Proxy Conns Number of currently active HTTP connections using the Thunder Series device as an
HTTP proxy.
Total Proxy Conns Total number of HTTP connections that have used the Thunder Series device as an HTTP
proxy.
HTTP requests Total number of HTTP requests received by the HTTP proxy.
HTTP requests(succ) Number of HTTP requests received by the HTTP proxy that were successfully fulfilled (by
connection to a real server).
HTTP req (cache succ) Number of HTTP requests received by the HTTP proxy that were successfully fulfilled
from the cache.
No proxy error Number of proxy errors.
Client RST Number of times TCP connections with clients were reset.
Server RST Number of times TCP connections with servers were reset.
No tuple error Number of tuple errors.
Parse req fail Number of times parsing of an HTTP request failed.
Server selection fail Number of times selection of a real server failed.
Fwd req fail Number of forward request failures.
Fwd req data fail Number of forward request data failures.
Req retransmit Number of retransmitted requests.
Req pkt out-of-order Number of request packets received from clients out of sequence.
Server reselection Number of times a request was forwarded to another server because the current server
was failing.
Server premature close Number of times the connection with a server closed prematurely.
Server conn made Number of connections made with servers.
Source NAT failure Number of source NAT failures.
Tot data before compress, Tot data after compress These counters show statistics for HTTP compression, in bytes.
Request over limit Current request number exceeds the limit defined in policy template.
Request rate over limit Request rate exceeds the limit defined in policy template.
Close on DDoS Connection was forced to close due to a DDoS attack.

Example The following command shows HTTP response code statistics:

ACOS(config)#show slb http-proxy vs800-http 80


Total
------------------------------------------------------------------
status code 1XX 3
status code 2XX 1
status code 3XX 12
status code 4XX 8
status code 5XX 2
status code 6XX 3
...
Rsp time < 200m 0
Rsp time < 500m 1
Rsp time < 1s 3
Rsp time < 2s 7
Rsp time < 5s 13
Rsp time >= 5s 22

show slb hw-compression


Description Show statistics for hardware-based compression.

Syntax show slb hw-compression [active-vrid {default | vrid-num}] [detail]

Parameter Description
active-vrid Show statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID 1-31.
detail Show statistics per CPU in the output.

Mode All

Usage Hardware-based compression is available using an optional hardware module in some models.
If this command does not appear on your ACOS device, the device does not contain a
compression module.

Example The following commands first enable hardware-based compression (hw-compression
command), then display statistics for the feature:

ACOS(config)#slb common
ACOS(config-common)#hw-compression
ACOS(config-common)#show slb hw-compression
Hardware compression device is installed.
Hardware compression module is enabled.
Total
------------------------------------------------------------------
total request count 177157
total submit count 177157
total response count 177157
total failure count 0
last failure code 0
compression queue full 0
max queued request count 84
max queued submit count 68

show slb l4
Description Show Layer-4 SLB statistics.

Syntax show slb l4 [active-vrid {default | vrid-num}] [detail]

Parameter Description
active-vrid Show statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID 1-31.
detail Show statistics per CPU in the output.

Mode All

Example The following command shows summary statistics for Layer 4 SLB:

ACOS#show slb l4
Total
------------------------------------------------------------------
IP out noroute 0
TCP out RST 0
TCP out RST no SYN 0
TCP out RST L4 proxy 0
TCP out RST ACK attack 0
TCP out RST aFleX 0
TCP out RST stale sess 0
TCP out RST TCP proxy 0
TCP SYN received 226510
TCP SYN cookie snt 226510
TCP SYN cookie expd snt 0
TCP SYN cookie snt fail 0
TCP received 1042844
UDP received 0
L2 DSR received 0
L3 DSR received 0
Server sel failure 0
Source NAT failure 0
Source NAT no fwd route 0
Source NAT no rev route 0
Source NAT ICMP Process 0
Source NAT ICMP No Match 0
Auto NAT id mismatch 0
TCP SYN cookie failed 0
L4 SYN attack 226510
NAT no session drops 0
vport not matching drops 0
No SYN pkt drops 0
No SYN pkt drops - FIN 0
No SYN pkt drops - RST 0
No SYN pkt drops - ACK 0
Conn Limit drops 0
Conn Limit resets 0
Conn rate limit drops 0
Conn rate limit resets 0
Proxy no sock drops 0
aFleX drops 0
Session aged out 0
TCP Session aged out 0
UDP Session aged out 0
Other Session aged out 0
TCP no SLB 0
UDP no SLB 0
SYN Throttle 0
Inband HM retry 0
Inband HM reassign 0
Auto-reselect server 0
Fast aging set 0
Fast aging reset 0
TCP invalid drop 0
Out of sequence ACK drop 0
SYN stale sess drop 589824
Anomaly out of sequence 0
Anomaly zero window 0
Anomaly bad content 0
Anomaly pbslb drop 0
No resource drop 0
Reset unknown conn 0
RST L7 on failover 0
TCP SYN Other Flags Drop 0
TCP SYN With Data Drop 0
ignore msl 0
NAT Port Preserve Try 0
NAT Port Preserve Succ 0
BW-Limit Exceed drop 0
BW-Watermark drop 0
L4 CPS exceed drop 0
NAT CPS exceed drop 0
L7 CPS exceed drop 0
SSL CPS exceed drop 0
SSL TPT exceed drop 0
SSL TPT-Watermark drop 0
L3V Conn Limit Drop 0
L4 server handshake fail 0
L4 AX re-xmit SYN 0
L4 rcv ACK on SYN 0
L4 rcv RST on SYN 0
TCP no-Est Sess aged out 0
no-Est CSYN rcv aged out 0
no-Est SSYN snt aged out 0
L4 rcv rexmit SYN 589824
L4 rcv rexmit SYN (delq) 589824
L4 rcv rexmit SYN|ACK 0
L4 rcv rexmit SYN|ACK DQ 0
L4 rcv fwd last ACK 0
L4 rcv rev last ACK 0
L4 rcv fwd FIN 0
L4 rcv fwd FIN dup 0
L4 rcv fwd FIN|ACK 0
L4 rcv rev FIN 0
L4 rcv rev FIN dup 0
L4 rcv rev FIN|ACK 0
L4 rcv fwd RST 226510
L4 rcv rev RST 0
L4 UDP reqs no rsp 0
L4 UDP req rsps 0
L4 UDP req/rsp not match 0
L4 UDP req > rsps 0
L4 UDP rsps > reqs 0
L4 UDP reqs 0
L4 UDP rsps 0
L4 TCP Established 0
Skip Insert-client-ip 0
DNS query id switch 0

The following table describes the fields in the command output.

Field Description
IP out noroute Number of IP packets that could not be routed. These packets are dropped by the ACOS
device.
TCP out RST Number of TCP Resets sent.
TCP out RST no SYN Number of Resets sent for which there was no SYN.
TCP out RST L4 proxy Number of TCP Reset packets the ACOS device has sent as a Layer 4 proxy.
TCP out RST ACK attack Number of TCP Resets sent in response to a TCP ACK attack.
TCP out RST aFleX Number of TCP Reset packets the ACOS device has sent due to an aFleX policy.
TCP out RST stale sess This counter is incremented each time the following occurs:
• A client SYN is received
• “reset on terminated session SYN packet” is enabled in the delete queue (this is enabled
by default)
• “slb reset-stale-session” is enabled.
In such cases, an RST is sent out and the counter is incremented.
TCP out RST TCP proxy Number of TCP Reset packets the ACOS device has sent as a TCP proxy.
TCP SYN received Number of first SYN packets the ACOS device has received from the client.
TCP SYN cookie snt Number of TCP SYN cookies sent.
TCP SYN cookie expd snt Number of TCP SYN cookies with expanded options that were sent.
NOTE: Expanded SYN cookie options are disabled by default but can be enabled. (See
“syn-cookie” on page 655.)
TCP SYN cookie snt fail Number of TCP SYN cookie send attempts that failed because delivery to the client failed.
TCP received Number of subsequent packets ACOS received from a client during a particular session.
Counter includes the following types of packets: SA, A, FINACK, PSHACK.
UDP received Number of UDP packets received.
L2 DSR received Number of reply packets received for Layer 2 DSR sessions.
L3 DSR received Number of reply packets received for Layer 3 DSR sessions.
Server sel failure Number of times selection of a real server failed.
Source NAT failure Number of times a source NAT failure occurred.
Source NAT no fwd route Number of times there was no route to the destination for Layer 3 NAT traffic.
Source NAT no rev route Number of times there was no route to the source for Layer 3 NAT traffic.
Source NAT ICMP Process Number of times an ICMP error related to source NAT occurred.
Source NAT ICMP No Match Number of times an ICMP error related to source NAT occurred, and there was no matching
session for the traffic.
Auto NAT ID mismatch Number of times a mismatch has occurred between a Smart NAT resource and a VRRP-A
VRID.
TCP SYN cookie failed Number of times a TCP SYN cookie validation failure occurred when the client never sent an
ACK packet to complete the TCP three-way handshake.
L4 SYN attack Total number of TCP SYNs received by the ACOS device that were not followed by a valid
client ACK to establish the connection.
This counter is calculated as follows:
(Total-SYNs-Received-by-Hardware +
Total-SYNs-Received-by-Software) -
Total-Number-of-Successful-Connections =
L4-SYN-Attack-Count
NAT no session drops Number of packets sent to the NAT Pool IP, but for which there was no corresponding
session on the device.
vport not matching drops Number of packets received on a virtual port that was either down, disabled, or
non-existent.
No SYN pkt drops The cumulative number of the following three types of packets: ACK, RST, FIN.
No SYN pkt drops - FIN Number of FIN packets received for which there was no corresponding session on the
ACOS device.
No SYN pkt drops - RST Number of RST packets received for which there was no corresponding session on the
ACOS device.
No SYN pkt drops - ACK Number of ACK packets received for which there was no corresponding session on the
ACOS device.
Conn Limit drops Number of connections dropped because the server connection limit had been reached.
Conn Limit resets Number of connections reset because the server connection limit had been reached.
Conn rate limit drops Number of connections dropped by connection rate limiting.
Conn rate limit resets Number of connections reset by connection rate limiting.
Proxy no sock drops Number of packets dropped because the proxy did not have an available socket.
aFleX drops Number of packets dropped due to an aFleX policy.
Session aged out Total number of TCP (TCP Session aged out), UDP (UDP Session aged out) and other (Other
session aged out) sessions that aged out.
TCP Session aged out Number of TCP sessions that aged out, including both half-open and established sessions.
UDP Session aged out Number of UDP sessions that have aged out.
Other Session aged out Number of sessions of other types (not TCP or UDP) that have aged out.
TCP no SLB This counter is deprecated and is no longer used.
UDP no SLB Number of non-SLB UDP packets received by the ACOS device.
SYN Throttle If the count of buffers allocated from system memory is higher than currently available free
system buffers, a flag is enabled to ‘throttle SYN’. For TCP connections, this means that
incoming packets for new TCP connections are dropped to avoid queuing more buffers for
processing.
Inband HM retry Number of times the ACOS device retried an inband health check, because a SYN-ACK was
not received for the previous SYN.
Inband HM reassign Number of times the ACOS device reassigned a client’s traffic to another server, because
the initial server exceeded the maximum number of retries allowed by the inband health
check.
Auto-reselect server Number of times the ACOS device has reperformed server selection automatically because
the initially selected server did not respond to the TCP-SYN from the ACOS device.
NOTE: In the current release, this counter applies only to traffic on HTTP/HTTPS virtual
ports.
Fast aging set Number of times fast aging of idle connections was automatically enabled by the ACOS
device due to factors such as low availability of I/O buffers, number of sessions or amount
of available memory.
Fast aging reset Number of times fast aging of idle connections was disabled. This occurs after a sufficient
number of buffers become available again.
TCP invalid drop Number of TCP packets received by the ACOS device that did not conform to the standard
format for TCP packets. For example, this counter is incremented if the ACOS device
receives a packet whose total length is less than the following:
Internet-Header-Length * 4 + TCP-data-offset *4
Out of sequence ACK drop Number of TCP ACKs that were dropped because they were out of sequence.
SYN stale sess drop This counter is incremented each time the following occurs:
• A client SYN is received
• “reset on terminated session SYN packet” is enabled in the delete queue (this is enabled
by default)
• “slb reset-stale-session” is disabled.
In such cases, the packet is dropped and the counter is incremented.
Anomaly out of sequence Number of packets that matched an IP anomaly out-of-sequence filter.
Note: To configure IP anomaly filters, see “ip anomaly-drop” on page 295.
Anomaly zero window Number of packets that matched an IP anomaly zero-window filter.
Anomaly bad content Number of packets that matched an IP anomaly bad-content filter.
Anomaly PBSLB drop Number of packets that matched an IP anomaly filter used for system-wide Policy-Based
SLB (PBSLB).
No resource drop Number of times traffic has been dropped because the ACOS device had run out of Layer 4
session resources.
Reset unknown conn Number of times the ACOS device sent a RST in response to a non-SYN packet for a non-
existent session.
NOTE: This feature is enabled using the reset-unknown-conn option in virtual port
templates. See “slb template virtual-port” on page 594.
RST L7 on failover Number of Layer 7 sessions that were reset following VRRP-A failover.
TCP SYN Other Flags Drop Number of TCP SYN packets that were dropped by the ACOS device because they
contained a flag other than the SYN flag.
TCP SYN With Data Drop Number of TCP SYN packets that were dropped by the ACOS device because they
contained data.
Ignore MSL Number of times a SYN packet reaches the MSL limit (default is 2 seconds) during a time-
wait state and does not get dropped due to the “ignore-tcp-msl” option being configured
in the virtual-port template.
(See “slb template virtual-port” on page 594.)
NAT Port Preserve Try Number of times the client port preservation feature attempted to preserve a client’s
source port for traffic destined to a virtual port.
Note: This feature is enabled using the snat-port-preserve option in virtual port templates.
See “slb template virtual-port” on page 594.
NAT Port Preserve Succ Number of times the client port preservation feature successfully preserved a client’s
source port for traffic destined to a virtual port.
BW-Limit Exceed drop Number of times traffic was dropped because a configured bandwidth limit was exceeded.
BW-Watermark drop Number of times traffic was dropped because a configured bandwidth watermark was
exceeded.
L4 CPS exceed drop Number of times traffic was dropped because the maximum allowed number of Layer 4
connections per second (CPS) was exceeded.
NAT CPS exceed drop Number of times traffic was dropped because the maximum allowed number of NAT CPS
was exceeded.
L7 CPS exceed drop Number of times traffic was dropped because the maximum allowed number of Layer 7
CPS was exceeded.
SSL CPS exceed drop Number of times traffic was dropped because the maximum allowed number of SSL CPS
was exceeded.
SSL TPT exceed drop Number of times SSL traffic was dropped because SSL throughput exceeded the maximum
allowed by a system-resource template.
SSL TPT-Watermark drop Number of times SSL traffic was dropped because SSL throughput exceeded the
configured watermark.
L3V Conn Limit Drop Number of times Layer 3 traffic was dropped because a configured connection limit was
exceeded.
L4 server handshake fail Number of times traffic was dropped because the Layer 4 handshake with a server failed.
L4 AX re-xmit SYN Number of times the ACOS device needed to retransmit a TCP SYN.
L4 rcv ACK on SYN Number of SYN-ACKs (ACKs in response to TCP-SYNs) received by the ACOS device.
L4 rcv RST on SYN Number of TCP Resets (RST) the ACOS device received in response to a SYN.
TCP no-Est Sess aged out Number of half-open sessions on the ACOS device. A half-open session means the ACOS
device received a SYN packet, forwarded it to the backend server but there was no SYN-
ACK from the backend server, resulting in a half-open session on the ACOS device. These
sessions are created with a session age time of 60 seconds. If the session is idle for more
than 60 seconds, ACOS terminates the session and removes it from the session table and
increments this counter.
no-Est CSYN rcv aged out Number of times the ACOS device received a SYN from a client and forwarded it to the
server. This can create a half-open session on the ACOS device if there is no SYN-ACK from
the server for a period exceeding 60 seconds. If this happens, ACOS kills the session and
increments this counter.
no-Est SSYN snt aged out Number of TCP sessions that aged out before a SYN was received from the server, and
therefore could not be established.
L4 rcv rexmit SYN Number of times the client does not get a SYN-ACK from the server. This causes the client
to retransmit the same SYN packet that it sent earlier. This counter increments each time
such a retransmission of the SYN packet occurs.
L4 rcv rexmit SYN (delq) Number of times the client SYN packet matches an existing session currently in the delete
queue. When this occurs, both the “L4 rcv rexmit SYN” and “L4 rcv rexmit SYN (delq)”
counters are incremented.
L4 rcv rexmit SYN|ACK Total number of retransmitted SYN-ACKs received by the ACOS device.
L4 rcv rexmit SYN|ACK DQ Number of retransmitted SYN-ACKs received by the ACOS device for sessions that had
already been moved to the delete queue.
L4 rcv fwd last ACK Number of final ACKs (last ACKs of a given TCP session) received by the ACOS device from
clients.
Note: In this field and the following fields, the following terms describe the traffic
origination and direction:
• rcv fwd – Final ACKs received from the client.
• rcv rev – Final ACKs received from the server.
L4 rcv rev last ACK Number of final ACKs (last ACKs of a given TCP session) received by the ACOS device from
servers.
L4 rcv fwd FIN Number of TCP FINs received from clients.
L4 rcv fwd FIN dup Number of times more than one FIN packet is received from the client.
An example of this would be if the server did not reply to a FIN-ACK in time, thus causing
the client to send another FIN.
L4 rcv fwd FIN|ACK Number of TCP FIN-ACKs received from clients.
L4 rcv rev FIN Number of TCP FINs received from servers.
L4 rcv rev FIN dup Number of duplicate TCP FINs received from servers.
L4 rcv rev FIN|ACK Number of TCP FIN-ACKs received from servers.
L4 rcv fwd RST Number of TCP RST packets that the ACOS device received from a client and forwarded to
the server.
L4 rcv rev RST Number of TCP RST packets that the ACOS device received from a server and forwarded to
the client.
L4 UDP reqs no rsp Number of port 53 UDP requests received to which there was no response.
L4 UDP req rsps Number of port 53 UDP requests received to which there was a response.
L4 UDP req/rsp not match Number of mismatches between port 53 UDP requests and responses.
L4 UDP req > rsps Number of port 53 UDP requests received for which there was no corresponding response.
L4 UDP rsps > reqs Number of port 53 UDP responses received for which there was no corresponding request.
L4 UDP reqs Total number of port 53 UDP requests received by the ACOS device.
L4 UDP rsps Total number of port 53 UDP responses received by the ACOS device.
L4 TCP Established Number of established sessions that completed a 3-way TCP handshake.
Skip Insert-client-ip Number of times client IP insertion into TCP option failed due to lack of space.
DNS query id switch Number of requests load balanced based on DNS query ID.


show slb mssql


Description Display statistics for database load-balancing (DBLB) for an MS-SQL database system.

Syntax show slb mssql [active-vrid {default | vrid-num}] [detail]

Parameter Description
active-vrid Show statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID 1-31.
detail Show statistics per CPU in the output.

Mode All

Example The following command displays MS-SQL statistics:

ACOS(config)#show slb mssql


Total
------------------------------------------------------------------
Curr Proxy Conns 0
Total Proxy Conns 0
Curr BE Encryption Conns 0
Total BE Encryption Conns 0
Curr FE Encryption Conns 0
Total FE Encryption Conns 0
Client FIN 0
Server FIN 0
Session err 0
DB Queries 0
DB commands reply 0
Authentication Success 0
Authentication Failure 0


The following table describes the fields in the command output.

Field Description
Current Proxy Connections Number of currently active connections that use the DBLB proxy.
Total Proxy Connections Total number of connections that have used the DBLB proxy.
Current BE Encryption Connections Number of currently active, encrypted connections on the back-end (BE),
between the ACOS device and server which process database queries.
Total BE Encryption Connections Total number of encrypted connections on the back-end (BE), between the
ACOS device and server which process database queries.
Current FE Encryption Connections Number of currently active, encrypted connections on the front-end (FE),
between the ACOS device and a client.
Total FE Encryption Connections Total number of encrypted connections on the front-end (FE), between the
ACOS device and a client.
Client FIN Number of TCP connections that were closed on the client side.
Server FIN Number of TCP connections that were closed on the server side.
Session Error Total number of session errors that occurred while processing DBLB requests.
DB Queries Total number of received database queries.
Note: This counter corresponds to the number of instances that the aFleX
DB_QUERY event was triggered.
DB Commands Reply Total number of received database commands.
Note: This counter corresponds to the number of instances that the aFleX
DB_COMMAND event was triggered.
Authentication Success Number of successful AUTH commands.
Authentication Failure Number of failed AUTH commands.

Introduced in Release 2.7.1

show slb mysql


Description Display statistics for database load-balancing (DBLB) for a MySQL database system.

Syntax show slb mysql [active-vrid {default | vrid-num}] [detail]

Parameter Description
active-vrid Show statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID 1-31.
detail Show statistics per CPU in the output.

Mode All

Example The following command displays MySQL statistics:

ACOS(config)#show slb mysql


Total
------------------------------------------------------------------
Curr Proxy Conns 0
Total Proxy Conns 0
Curr BE Encryption Conns 0
Total BE Encryption Conns 0
Curr FE Encryption Conns 0
Total FE Encryption Conns 0
Client FIN 0
Server FIN 0
Session err 0
DB Queries 0
DB commands reply 0

The following table describes the fields in the command output.

Field Description
Current Proxy Connections Number of currently active connections that use the DBLB proxy.
Total Proxy Connections Total number of connections that have used the DBLB proxy.
Current BE Encryption Connections Number of currently active, encrypted connections on the back-end (BE),
between the ACOS device and server which process database queries.
Total BE Encryption Connections Total number of encrypted connections on the back-end (BE), between the ACOS
device and server which process database queries.
Current FE Encryption Connections Number of currently active, encrypted connections on the front-end (FE),
between the ACOS device and a client.
Total FE Encryption Connections Total number of encrypted connections on the front-end (FE), between the ACOS
device and a client.
Client FIN Number of TCP connections that were closed on the client side.
Server FIN Number of TCP connections that were closed on the server side.
Session Error Total number of session errors that occurred while processing DBLB requests.
DB Queries Total number of received database queries.
Note: This counter corresponds to the number of instances that the aFleX
DB_QUERY event was triggered.
DB Commands Reply Total number of received database commands.
Note: This counter corresponds to the number of instances that the aFleX
DB_COMMAND event was triggered.


show slb passthrough


Description Display statistics for pass-through TCP sessions. A pass-through TCP session is one that is not
terminated by the ACOS device (for example, a session for which the ACOS device is not
serving as a proxy for SLB).

Syntax show slb passthrough

Mode All

Example The following command displays TCP pass-through session statistics:

ACOS#show slb passthrough


Request packets: 10741 Response packets: 38195
Request bytes: 570272 Response bytes: 56562872
Current connections: 0 Total connections: 4

show slb performance


Description Show SLB performance statistics.

Syntax show slb performance


[interval number [detail]]
[{l4cpi | l7cpi | l7tpi | natcpi | sslcpi} [detail]]

Option Description
interval Automatically refreshes the output at the specified interval. The interval
number can be 1-32 seconds. If you omit this option, the output is shown one
time. If you use this option, the output is repeatedly refreshed at the specified
interval until you press ctrl+c.
detail Lists separate counters for each CPU.
l4cpi Shows only Layer 4 connections per interval.
l7cpi Shows only Layer 7 connections per interval.
l7tpi Shows only Layer 7 transactions per interval.
natcpi Shows only Network Address Translation (NAT) connections per interval.
sslcpi Shows only SSL connections per interval.
detail This option is not used in the current release.

Mode All

Example The following command shows SLB performance statistics:

ACOS#show slb performance


Refreshing SLB performance every 1 seconds. (press ^C to quit)
Note: cpi conn/interval, tpi transactions/interval

CPU Usage L4cpi L7cpi L7tpi SSLcpi Natcpi Time


------------------------------------------------------------------------
8/9 0 0 0 0 0 11:46:10
4/4 4222 0 0 0 0 11:46:11
4/4 3 0 0 0 0 11:46:12

The following table describes the fields in the command output.

Field Description
Refreshing SLB performance every # seconds Interval at which the statistics are refreshed.
CPU Usage Utilization on each data CPU.
Each number is the utilization on one data CPU. In the example
shown above, the ACOS model has three data CPUs, and the utilization
on each one is 1%.
L4cpi Layer 4 connections per interval.
L7cpi Layer 7 connections per interval.
L7tpi Layer 7 transactions per interval.
SSLcpi SSL connections per interval.
Natcpi NAT connections per interval.
Time System time when the statistics were collected.

show slb persist


Description Show persistence load-balancing statistics.

Syntax show slb persist [active-vrid {default | vrid-num}] [detail]

Parameter Description
active-vrid Show statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID 1-31.
detail Show statistics per CPU in the output.

Example The following command shows summary persistence statistics:

ACOS#show slb persist


Total
------------------------------------------------------------------
URL hash persist(pri) 0
URL hash persist(sec) 0
URL hash persist fail 0
SRC IP persist ok 0
SRC IP persist fail 0


SRC IP hash persist(pri) 0


SRC IP hash persist(sec) 0
SRC IP hash persist fail 0
DST IP persist ok 0
DST IP persist fail 0
DST IP hash persist(pri) 0
DST IP hash persist(sec) 0
DST IP hash persist fail 0
SSL SID persist ok 0
SSL SID persist fail 0
Cookie persist ok 0
Cookie persist fail 0
Persist cookie not found 0
Persist cookie Pass-thru 0
Enforce higher priority 30

The following table describes the fields in the command output.

Field Description
URL hash persist(pri) Number of requests successfully sent to the primary server selected by URL hashing. The
primary server is the one that was initially selected and then re-used based on the hash
value.
URL hash persist(sec) Number of requests that were sent to another server (a secondary server) because the
primary server selected by URL hashing was unavailable.
URL hash persist fail Number of requests that could not be fulfilled using URL hashing.
SRC IP persist ok Number of requests successfully sent to the same server as previous requests from the
same client, based on source-IP persistence.
SRC IP persist fail Number of requests that could not be fulfilled by the same server as previous requests
from the same client, based on source-IP persistence.
SRC IP hash persist(pri) Number of requests successfully sent to the primary server selected by source IP hashing.
The primary server is the one that was initially selected and then re-used based on the
hash value.
SRC IP hash persist(sec) Number of requests that were sent to another server (a secondary server) because the
primary server selected by source IP hashing was unavailable.
SRC IP hash persist fail Number of requests that could not be fulfilled using source IP hashing.
DST IP persist ok Number of requests that were sent to the same resource, based on destination-IP
persistence.
DST IP persist fail Number of requests that were sent to the same resource based on destination-IP
persistence.
DST IP hash persist(pri) Number of requests successfully sent to the primary server selected by destination IP
hashing. The primary server is the one that was initially selected and then re-used based on the
hash value.
DST IP hash persist(sec) Number of requests that were sent to another server (a secondary server) because the
primary server selected by destination IP hashing was unavailable.

DST IP hash persist fail Number of requests that could not be fulfilled using destination IP hashing.
SSL SID persist ok Number of requests successfully sent to the same server as previous requests that had the
same SSL session ID, based on SSL session-ID persistence.
SSL SID persist fail Number of requests that could not be fulfilled by the same server as previous requests that
had the same SSL session ID, based on SSL session-ID persistence.
Cookie persist ok Number of requests successfully sent to the same server as previous requests based on a
persistence cookie.
Cookie persist fail Number of requests that could not be fulfilled by the same server as previous requests
based on a persistence cookie.
Persist cookie not found Number of requests in which a persistence cookie was not found in the request header.
Persist cookie Pass-thru Number of requests that contained a pass-through cookie.
Enforce higher priority Number of times the enforce-higher-priority option overrode server persistence and
selected another server.

show slb rate-limit-logging


Description Show log rate-limiting statistics.

Syntax show slb rate-limit-logging [active-vrid {default | num}] [detail]

Parameter Description
active-vrid Show statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID 1-31.
detail Show statistics per CPU in the output.

Mode All

Example The following command shows log rate-limiting statistics:

ACOS#show slb rate-limit-logging


Total
------------------------------------------------------------------
Total log times 51
Total log messages 26
Local log messages 190
Remote log messages 1959
Local rate (per sec) 32
Remote rate (per sec) 453
Log message too big 0
No route 0
Buffer alloc fail 0
Buffer send fail 0


Log-session alloc 15
Log-session free 15
Log-session alloc fail 0
No repeat message 4

The following table describes the fields in the command output.

Field Description
Total log times Total number of times log rate limiting has been used.
Total log messages Total number of log messages generated by the ACOS device.
NOTE: The ACOS device combines repeated messages into a single message. For this
reason, the Total log times count will differ from the Total log messages count.
Local log messages Total number of log messages in the ACOS device’s log buffer. These messages can be
displayed using the show log command.
Remote log messages Total number of log messages the ACOS device has sent to external log servers.
Local rate (per sec) Number of messages sent to the ACOS device’s log buffer during the most recent one-
second interval.
Remote rate (per sec) Number of messages sent to external log servers during the most recent one-second
interval.
Log message too big Number of log messages dropped by the ACOS device because they were too long.
No route Number of log messages dropped by the ACOS device because the device did not have
a route to the log server.
Buffer alloc fail Number of times the ACOS device was unable to allocate a buffer for sending a log
message to an external log server.
Buffer send fail Number of times the ACOS device was unable to send a log message that had been
placed in the buffer for sending to an external log server.
Log-session alloc Number of times the ACOS device allocated a log session for repeated log messages.
Log-session free Number of times the ACOS device freed a log session that was allocated for repeated log
messages.
Log-session alloc fail Number of times the ACOS device was unable to allocate a log session for repeated log
messages.
No repeat message Number of times there was no repeated message for a log session allocated for repeated
messages.
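
The drop and failure counters in this table are running counts, so what matters when monitoring a device is whether they grew between two polls. The following is an added example, not A10 code: it parses the summary (non-detail) output, which uses the same label-then-integer layout as the other "Total" screens in this section, and reports which loss counters increased. The second snapshot and the function names are constructed for illustration, and treating a decrease as a counter reset is an assumption.

```python
import re

# Sample output of "show slb rate-limit-logging" as printed on this page.
SNAPSHOT_1 = """\
ACOS#show slb rate-limit-logging
                              Total
------------------------------------------------------------------
Total log times               51
Total log messages            26
Local log messages            190
Remote log messages           1959
Local rate (per sec)          32
Remote rate (per sec)         453
Log message too big           0
No route                      0
Buffer alloc fail             0
Buffer send fail              0
Log-session alloc             15
Log-session free              15
Log-session alloc fail        0
No repeat message             4
"""

# Constructed second poll (not from the page): the route to the log server
# was lost for a while and two buffered messages could not be sent.
SNAPSHOT_2 = """\
ACOS#show slb rate-limit-logging
                              Total
------------------------------------------------------------------
Total log times               64
Total log messages            31
Local log messages            203
Remote log messages           1961
Local rate (per sec)          3
Remote rate (per sec)         0
Log message too big           0
No route                      37
Buffer alloc fail             0
Buffer send fail              2
Log-session alloc             18
Log-session free              16
Log-session alloc fail        0
No repeat message             5
"""

# Counters the field table describes as dropped, unsent or unallocated.
LOSS_COUNTERS = (
    "Log message too big",
    "No route",
    "Buffer alloc fail",
    "Buffer send fail",
    "Log-session alloc fail",
)

# A counter line is a label followed by whitespace and a trailing integer.
# Labels may contain spaces and parentheses, e.g. "Local rate (per sec)".
_COUNTER_LINE = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<value>\d+)\s*$")


def parse_total_counters(text):
    """Return {label: int} for every counter line; prompt, header and rule lines are skipped."""
    counters = {}
    for line in text.splitlines():
        match = _COUNTER_LINE.match(line)
        if match:
            counters[match.group("name")] = int(match.group("value"))
    return counters


def log_loss_since(previous, current):
    """Return {counter: increase} for loss counters that grew between two polls.

    Assumption: a value lower than the previous one means the statistics were
    cleared or the device restarted, so the current value is the increase.
    """
    grown = {}
    for name in LOSS_COUNTERS:
        before = previous.get(name, 0)
        now = current.get(name, 0)
        delta = now - before if now >= before else now
        if delta > 0:
            grown[name] = delta
    return grown


def outstanding_log_sessions(counters):
    """Log sessions allocated for repeated messages that have not been freed yet."""
    return counters.get("Log-session alloc", 0) - counters.get("Log-session free", 0)


if __name__ == "__main__":
    first = parse_total_counters(SNAPSHOT_1)
    second = parse_total_counters(SNAPSHOT_2)
    for name, delta in log_loss_since(first, second).items():
        print(f"ALERT {name}: +{delta} since last poll")
    print("outstanding log sessions:", outstanding_log_sessions(second))
```

A growing "No route" or "Buffer send fail" count means events never reached the external log server, so the remote log has gaps for that period.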

show slb resource-usage


Description Display the minimum and maximum numbers of SLB resources that can be configured or
used, the default maximum number allowed by the configuration, and the number currently
in use.

Syntax show slb resource-usage

Example Below is an example of the output for this command:

ACOS#show slb resource-usage


Resource Current Default Minimum Maximum


--------------------------------------------------------------------------
nat-pool-addr-count 10 10 10 2000
real-server-count 128 128 32 8192
real-port-count 256 256 64 16384
service-group-count 128 128 32 8192
virtual-port-count 128 128 32 8192
virtual-server-count 64 64 16 4096
http-template-count 128 128 32 4096
proxy-template-count 128 128 32 4096
conn-reuse-template-count 128 128 32 4096
fast-tcp-template-count 128 128 32 4096
fast-udp-template-count 128 128 32 4096
client-ssl-template-count 128 128 32 8192
server-ssl-template-count 128 128 32 8192
stream-template-count 128 128 32 4096
persist-cookie-template-count 128 128 32 4096
persist-srcip-template-count 128 128 32 4096
class-list-ipv6-addr-count 524288 524288 524288 1048576
gslb-site-count 500 500 500 500
gslb-device-count 1000 1000 1000 1000
gslb-service-ip-count 128 128 32 5000
gslb-service-port-count 256 256 64 10000
gslb-zone-count 5000 5000 5000 5000
gslb-service-count 10000 10000 10000 10000
gslb-policy-count 10000 10000 10000 10000
gslb-geo-location-count 5000000 5000000 5000000 5000000
gslb-ip-list-count 500 500 500 500
gslb-template-count 1000 1000 1000 1000
gslb-svc-group-count 500 500 500 500
auth-portal-html-file-size 20 20 4 120
auth-portal-image-file-size 6 6 1 80

show slb server


Description Show information about real servers.

Syntax show slb server [bindings]

or

show slb server


[server-name [port-num]
[all-partitions | partition {shared | name} | detail] |
[config]


[all-partitions | partition {shared | name}] |


[connection-reuse]
[all-partitions | partition {shared | name}] |
[auto-nat-stats]
[all-partitions | partition {shared | name}]

Parameter Description
server-name [[port-num] detail Shows information only for the specified server or port. If you omit this
option, information is shown for all real servers and ports.
The detail option shows statistics for the specified server or port. This
option also displays the name of the server or port template bound to the
server or port.
bindings Shows the bindings for real server ports.
config Shows the SLB configuration of the real servers.
connection-reuse Shows connection-reuse state information and statistics for the real servers.
auto-nat-stats Shows statistics for Smart NAT.
all-partitions Show SLB server configuration for all partitions.
partition {shared | name} Show SLB server configuration for either the shared partition, or the speci-
fied L3V partition name.

Mode All

Example The following command shows the output for the basic show slb server command. The
“State”

ACOS#show slb server


Total Number of Servers configured: 1
Total Number of Services configured: 1
Current = Current Connections, Total = Total Connections
Fwd-pkt = Forward packets, Rev-pkt = Reverse packets
Service Current Total Fwd-pkt Rev-pkt Peak-conn State
------------------------------------------------------------------------------------------
test-s1:80/tcp 0 0 0 0 0 Disb/Down
test-s1: Total 0 0 0 0 0 Disb/Down

Example The following command shows SLB statistics for real server “http1”. This server is in a service
group that is bound to an HTTP virtual port:

ACOS#show slb server http1


Total Number of Services configured on Server http1: 1
Service: http1:80/tcp (Status: Up)
Forward packets: 0 Reverse packets: 0
Forward bytes: 0 Reverse bytes: 0
Current connections: 0 Persistent connections: 0
Current requests: 0 Total requests: 0


Total connections: 0 Total requests succ: 0


Response time: 0 tick
Peak connections: 0
Health-check:
--------------------------------------------------------
Up reason: HTTP Status Code OK
Monitor name: http
Method: HTTP
Attribute: port=80
url="GET /"
Wait for HTTP response:False
L4 conn made: 938
L4 errors: 0
Health-check average RTT (us):15930
Health-check current RTT (us):15958
Health-check average TCP RTT (us):7895
Health-check current TCP RTT (us):7933
HTTP requests sent: 938
HTTP errors: 0
Received OK: 938
Received error: 0
Response timeout: 0

Example The following table describes fields in the output for the show slb server command.

The output from this command includes statistics for health check fields. Keep in mind that
these health check fields only appear in the output for HTTP traffic. The counters begin when
the health check is configured and increment until the statistics are cleared or the health
check is deleted.

Field Description
Total Number of Services configured Total number of services configured on the ACOS device (if a server name is not
specified) or on the specified server.
Service Real server name, service protocol port, and transport protocol (TCP or UDP), and
Status (Up/Down/Disabled)
Forward packets Number of request packets received for the service.
Reverse packets Number of response packets sent on behalf of the real server.
Forward bytes Number of request bytes received for the service.
Reverse bytes Number of response bytes sent on behalf of the real server.
Current Current number of connections to the service.
Persistent connections Number of persistent connections to the service.
Current requests Current number of requests to the service.
Total requests Total number of requests to the service.

Total connections Total number of connections to the service.
Total requests succ Total number of requests to the service successfully received.
Response time Server response time.
Peak-conn Peak connection rate.
Note: Peak connection statistics are collected only if the extended-stats option is
enabled. To enable extended-stats, see the following:
• “slb common” on page 488 (global)
• “extended-stats” on page 606 (individual server)

Health check fields (HTTP traffic only)


Up / Down reason Reason the ACOS device marked the port up or down.
Monitor name Name of the health monitor used to perform the health check.
Method Health method in the monitor used for the health check.
Attribute The destination TCP port of the health check, and the HTTP request sent to the port.
Wait for HTTP response Indicates whether the ACOS device is still waiting for a response to the HTTP request.
L4 conn made Total number of Layer 4 connections made to the destination TCP port for health
checking.
L4 errors Total number of Layer 4 errors that occurred during health checking.
Health-check average RTT The average length of time it took for each health check. The time is expressed in
microseconds (us).
This counter includes the entire health-check process.
Health-check current RTT The length of time it took to perform the most recent health check.
Health-check average TCP RTT The average length of time it took to complete the 3-way handshake with the server
port.
Health-check current TCP RTT The length of time it took to complete the 3-way handshake in the most recent health
check.
HTTP requests sent Total number of HTTP requests sent to the server as part of health checks.
HTTP errors Total number of HTTP errors that occurred during health checking.
Received OK Number of times the payload of a Layer 4 health check reply was successfully read by
the ACOS device.
Received error Number of times a read failure occurred in the a10hm module.
Response timeout Number of times a health check to the port timed out.

NOTE: The same health check fields appear in the output for the show slb service-group
group-name command and similarly apply only to HTTP traffic.

Example The following command shows details for a real server:

ACOS#show slb server dang0 detail


Server name: dang0
Server IP address: 192.168.120.21


Server gateway ARP: 0000:0000:0000


State: Down
Server template: default
Health check: default
Current connection: 0
Current request: 0
Total connection: 0
Total request: 0
Total request success: 0
Total forward bytes: 0
Total forward packets: 0
Total reverse bytes: 0
Total reverse packets: 0
Peak connection: 0

The following table describes the fields in the command output.

Field Description
Server name Name of the server.
Server IP address IP address of the server.
Server gateway ARP Server ARP value (if directly connected) or nexthop ARP value
(if connected through a gateway).
State Current state of the service:
• Up
• Down
• Disabled
Server template Name of the real server template bound to the server.
Health check Name of the health monitor used to check the health of the
real port.
Current connection Current number of connections to the port.
Current request Current number of HTTP requests being processed by the
port.
Note: In this field and the Total request and Total request success
fields, Layer 7 requests are counted only if Layer 7 request
accounting is enabled. See “slb common” on page 488.
Total connection Total number of connections that have been made to the port.
Total request Total number of HTTP requests processed by the port.
Total request success Total number of HTTP requests that were successful.
Total forward bytes Number of request bytes forwarded to the port.
Total forward packets Number of request packets forwarded to the port.
Total reverse bytes Number of request bytes received from the port.

Total reverse packets Number of request packets received from the port.
Peak connection Peak connection count.
Note: Peak connection statistics are collected only if the
extended-stats option is enabled. To enable extended-stats,
see the following:
• “slb common” on page 488 (global)
• “extended-stats” on page 606 (individual server)

Example The following command shows details for a real port on a server:

ACOS(config)#show slb server dang1 80 detail


Server name: dang1
Port: 1.1.1.1:80
State: Up
Port template: default
Health check: default
Current connection: 53
Current request: 42
Total connection: 10011
Total request: 20090
Total request success: 20089
Total forward bytes: 36378463
Total forward packets: 378463
Total reverse bytes: 463784638
Total reverse packets: 3784638
Peak connection: 24411

The following table describes the fields in the command output.

Field Description
Server name Name of the server.
Server IP address IP address of the server.
Server gateway ARP Server ARP value (if directly connected) or nexthop ARP value (if
connected through a gateway).
Port Real port number.
State Current state of the service:
• Up
• Down
• Disabled
Port template Name of the real port template bound to the port.

Health check Name of the health monitor used to check the health of the real
port.
Current connection Current number of connections to the port.
Current request Current number of HTTP requests being processed by the
port.
NOTE: In this field and the Total request and Total request success
fields, Layer 7 requests are counted only if Layer 7 request accounting
is enabled. See “slb common” on page 488.
Total connection Total number of connections that have been made to the port.
Total request Total number of HTTP requests processed by the port.
Total request success Total number of HTTP requests that were successful.
Total forward bytes Number of request bytes forwarded to the port.
Total forward packets Number of request packets forwarded to the port.
Total reverse bytes Number of request bytes received from the port.
Total reverse packets Number of request packets received from the port.
Peak connection Peak connection count.
NOTE: Peak connection statistics are collected only if the
extended-stats option is enabled. To enable extended-stats, see
the following:
• “slb common” on page 488 (global)
• “extended-stats” on page 606 (individual server)

Example The following command displays detailed information for a dynamic hostname server. The
configuration details are shown first, followed by details for the dynamically created servers.

ACOS#show slb server s-test1 detail


Server name: s-test1
Hostname: s1.test.com
Last DNS reply: Tue Nov 17 03:41:59 2009
State: Up
Server template: temp-server
DNS query interval: 5
Minimum TTL ratio: 3
Maximum dynamic server:16
Health check: none
Current connection: 0
Current request: 0


Total connection: 1919


Total request: 1919
Total request success: 1877
Total forwarded byte: 546650
Total forwarded packet: 5715
Total received byte: 919730
Total received packet: 5631
Dynamic server name: DRS-10.4.2.5-s1.test.com
Last DNS reply: Tue Nov 17 03:41:59 2009
TTL: 4500
State: Up
Server template: test
DNS query interval: 5
Minimum TTL ratio: 15
Maximum dynamic server:1023
Health check: none
Current connection: 0
Current request: 0
Total connection: 1919
Total request: 1919
Total request success: 1877
Total forward bytes: 546650
Total forward packets: 5715
Total reverse bytes: 919730
Total reverse packets: 5631

Example The following command shows SLB configuration information for real servers:

ACOS#show slb server config


Total Number of Services configured: 30
H-check = Health check Max conn = Max. Connection Wgt = Weight
Service Address H-check Status Max conn Wgt
------------------------------------------------------------------------------
1_yahoo_finance:80/tcp 69.147.86.163 None Enable 1000000 1
1_yahoo_finance 69.147.86.163 None Enable 1000000 1

1_cybozu:80/tcp 202.218.147.129 None Enable 1000000 1


1_cybozu 202.218.147.129 None Enable 1000000 1

win20:25/tcp 172.22.66.20 Default Enable 1000000 1


win20 172.22.66.20 ping Disable 1000000 1

win21:25/tcp 172.22.66.21 Default Enable 1000000 1


--MORE--


The following table describes the fields in the command output.

Field Description
Total Number of Services configured Total number of SLB services configured on the Thunder Series device.
Service Real server name, service protocol port, and transport protocol (TCP
or UDP).
Address Real IP address of the server.
H-check Health check enabled for the service:
• None – No health check has been applied to the service.
• Default – The default health monitor for the service type was automatically
applied to the service by the Thunder Series device.
• Name of a configured health monitor (for example, “ping”) – The
named health monitor was applied to the service by an ACOS
administrator.
Status Current administrative status of the service:
• Enable
• Disable
Max conn Maximum number of connections allowed to the service.
Wgt Administrative weight assigned to the service.

Example The following command shows connection-reuse state information and statistics for real
servers:

ACOS#show slb server connection-reuse


Total Number of Services configured: 30
Service State Persistent-Conn
----------------------------------------------------
1_yahoo_finance:80/tcp Up 0

1_cybozu:80/tcp Up 0

win20:25/tcp Down 0

win21:25/tcp Up 0
win21:110/tcp Up 0
win21:80/tcp Up 0
win21:443/tcp Down 0

linux22:25/tcp Disb 0
linux22:80/tcp Up 0
linux22:53/udp Disb 0


The following table describes the fields in the command output.

Field Description
Total Number of Services configured Total number of SLB services configured on the Thunder Series device.
Service Real server name, service protocol port, and transport protocol (TCP
or UDP).
State Current state of the service:
• Up
• Down
• Disabled
Persistent-Conn Number of connections sent to the server by the persistence feature.

Example The following command shows Smart NAT statistics:

ACOS(config-slb vserver-vport)#show slb server auto-nat-stats


Service HA/VR ID Nat Address Port Usage Total Used Total Freed Failed
---------------------------------------------------------------------------------------
s1:80/tcp 0 160.160.160.1 5 1513 1508 0
s1:21/tcp 0 160.160.160.1 0 0 0 0

In this example, both virtual ports are using Smart NAT. The Nat Address, Port Usage, Total
Used, Total Freed, and Failed columns show the same information shown in show ip nat
pool statistics output. (See the CLI Reference.)

The Service column lists the server, protocol port, and Layer 4 protocol. The HA/VR ID
column lists the HA group ID or VRRP-A VRID, if applicable. In this example, the ACOS device
is deployed as a standalone device, so “0” is shown in this column.

The following table describes the fields in the command output.


Field Description
Service Real server name and port number, and the Layer 4 protocol (TCP or
UDP).
HA/VR ID The HA group ID or VRRP-A VRID, if applicable.
NAT Address The IP address used for the NAT mapping.
Port Usage Number of mappings currently in use by sessions.
Total Used Total number of sessions that have been NATted for the source address.
Total Freed Total number of NATted sessions that have been terminated, thus freeing
up a port for another session.
Failed Number of times a mapping attempt failed. Generally, this type of error
occurs if the system does not have any resources for new mappings.

Example The following example output shows a list of server bindings:

ACOS#show slb server bindings


Total Number of Servers configured: 24
Total Number of Services configured: 35
Service Port Address State
-------------------------------------------------------------------
rs1 8080 20.20.20.20
+sg-8080 All Up
+=>vip2 10.10.10.200:8080
+linux:8080 Functional Up
+=>ITA-VIP-01 192.168.19.120:8080

This example shows server bindings for server “rs1”.

The service groups are indicated by “+”. In this example, the server is a member of the
following service groups:

• sg-8080
• linux:8080

The VIP bindings are indicated by “+=>”. In this example, “rs1” has the following bindings:

• Bound to “vip2” through service group “sg-8080”
• Bound to “ITA-VIP-01” through service group “linux:8080”

The state of each service group is shown. In this example, service group “sg-8080” is All Up.
This indicates all service ports on all real servers in the service group are up. Service group
“linux:8080” is Functionally Up. The service is up on at least one real server in the service
group, but not on all the servers in the group.


show slb service-group


Description Show SLB service-group information.

Syntax show slb service-group [group-name] [brief] [config]
[all-partitions | partition {shared | name}]

Parameter Description
group-name Shows information only for the specified service group. If you omit this option, information is
shown for all service groups configured on the Thunder Series device.
brief Shows a summary view of the configured service groups and their operational status. If you
specify a service-group name, summary information is displayed for only that group. Otherwise,
summary information for all groups is displayed.
config Shows the SLB configuration of the service groups.
all-partitions Show SLB service group information in all partitions.
partition Show SLB service group information in the specified partition only.

Mode All

Example The following command shows statistics for SLB service groups:

ACOS#show slb service-group


Current = Current Connections, Total = Total Connections
Fwd-p = Forward packets, Rev-p = Reverse packets
Peak-c = Peak connections
Service Group Name
Service Current Total Fwd-p Rev-p Peak-c
------------------------------------------------------------------------------
*sg-80-1 State: Down
rs-http:80 0 0 0 0 0
*sg-80-2 State: All Up
rs-http-2:80 1 1 1 4 5


The following table describes the fields in the command output.

Field Description
Total Number of Service Groups configured Total number of SLB service groups configured on the
Thunder Series device.
Service Group Name Name of the service group.
State Indicates the state of the service group:
• All Up – All service ports on all real servers in the service group are
up.
• Functional Up – Each service port number is up on at least one real
server in the service group.
• Down – Either all the service ports are down, or some but not all of
them are Disabled.
• Disabled – All the service ports are disabled.
Current Current number of connections to the service.
Total Total number of connections to the service.
Fwd-p Total number of request packets received by the Thunder Series
device for the service.
Rev-p Total number of server response packets sent to clients by the ACOS
device on behalf of real servers.
Peak-c Peak connection count.
Note: Peak connection statistics are collected only if the extended-stats
option is enabled. To enable extended-stats, see the following:
• “slb common” on page 488 (global)
• “extended-stats” on page 606 (individual server)

Example The following command shows configuration information and statistics for SLB service
group “louis”:

ACOS#show slb service-group louis


Service group name: louis State: Disb
Service selection fail drop: 2
Service selection fail reset: 1
Service peak connection: 0
Priority affinity: 10
Service: s-4-2-1:80 DOWN
Request packets: 6 Response packets: 0
Request bytes: 360 Response bytes: 0
Current connections: 2 Persistent connections: 0
Current requests: 0 Total requests: 0
Total connections: 3 Response time: 0.00 msec
Total requests succ: 0
Peak conn: 0
Service: s-2-2-1:80 DOWN
Forward packets: 12 Reverse packets: 9
Forward bytes: 951 Reverse bytes: 396
Current connections: 0 Persistent connections: 0
Current requests: 0 Total requests: 0
Total connections: 3 Response time: 0.00 msec
Total requests succ: 0
Peak conn: 0

The following table describes the fields in the command output.

NOTE: A separate set of health check fields appears in the show slb service-group command
output for HTTP traffic.

Field Description
Service group name Name of the service group.
State Indicates the state of the service group:
• All Up – All service ports on all real servers in the service group are up.
• Functional Up – Each service port number is up on at least one real server in the service
group.
• Partially Up – Some service ports are up but others are down.
• Down – Either all the service ports are down, or some but not all of them are Disabled.
• Disabled – All the service ports are disabled.
Service selection fail drop Number of server selection failures for which the ACOS device dropped the client request.
Service selection fail reset Number of server selection failures for which the ACOS device sent a RST to the client.
Service peak connection Peak number of connections.
Priority affinity Number associated with the currently active priority level. By default, the primary
service-group members with the highest priority are active and appear in the output. However, if
failover occurs, then the priority of the lower-priority secondary members appears in the
output.
Service Service bound to the service group. Also indicates the state of the service.
Forward packets Total number of request packets received by the Thunder Series device for the service.
Reverse packets Total number of server response packets sent to clients by the Thunder Series device on
behalf of real servers.
Forward bytes Total number of request bytes received by the Thunder Series device for the service.
Reverse bytes Total number of server response bytes sent to clients by the Thunder Series device on
behalf of real servers.
Current connections Current number of connections to the service.
Persistent connections Number of connections established on the server due to an SLB persistence feature.

Current requests Current number of HTTP requests being processed by the server.
Note: In this field and the Total Requests and Total requests success fields, Layer 7 requests
are counted only if Layer 7 request accounting is enabled. See “slb common” on page 488.
Total requests Total number of HTTP requests processed by the server.
Total connections Total number of connections to the service.
Response time Server response time.
Total requests succ Total number of HTTP requests that were successful.
Peak conn Peak connection count.
Note: Peak connection statistics are collected only if the extended-stats option is enabled.
To enable extended-stats, see the following:
• “slb common” on page 488 (global)
• “extended-stats” on page 606 (individual server)

Example The following command shows configuration information for SLB service groups:

ACOS#show slb service-group config


slb service-group sg1 tcp
member s1 80
!
slb service-group sg2 tcp
member s2 80
member s1 80
!
slb service-group sg3 tcp
member s3 80
!

Example The following command shows a brief summary of service-group information
for all service groups:

ACOS#show slb service-group brief


Total Number of Service Groups configured: 2
slb service-group rontest tcp
Service group name: rontest
Type: tcp Distribution: Round Robin
Health Check: None
Servers Up = 0
Servers Down = 1
Servers Disabled = 0
Total Servers in Group = 1
slb service-group udptest udp
Service group name: udptest
Type: udp Distribution: Round Robin
Health Check: None
Servers Up = 0
Servers Down = 1
Servers Disabled = 0
Total Servers in Group = 1

In this example, 2 service groups are configured. Each service group
has 1 server. In each of the groups, the server is down.

show slb sip


Description Display SIP SLB statistics.

Syntax show slb sip [active-vrid {default | vrid-num}] [detail]

Parameter Description
active-vrid Show statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID 1-31.
detail Show statistics per CPU in the output.

Mode All

Example The following command shows SIP SLB statistics:

ACOS#show slb sip


Total
------------------------------------------------------------------
SIP Session created 0
SIP Session freed 0
Curr SIP Proxy 0
Total SIP Proxy 0
Client message rcvd 0
Sent to server 0
Incomplete 0
Drop 0
Connecting server 0
Failed 0
Server message rcvd 0
Sent to client 0
Incomplete 0
Drop 0
Failed 0
Server conn created 0
Created successfully 0
Failed 0


The following table describes the fields in the command output.

Field Description
SIP Session created Total number of SIP sessions created.
SIP Session freed Total number of SIP connections freed.
Curr SIP Proxy Current number of SIP connections between the ACOS device
and SIP servers.
Total SIP Proxy Total number of SIP connections between the ACOS device and
SIP servers.
Client message rcvd Total number of SIP messages received from clients:
• Sent to server — Number of SIP messages received from client
and forwarded to server.
• Incomplete — Number of packets that contain an incomplete
message.
• Drop — Number of packets dropped.
• Connecting server — Client message currently in server connecting
state.
• Failed — Number of SIP messages received from clients that
were not forwarded to servers.
Server message rcvd Total number of SIP messages received from servers:
• Sent to client — Number of SIP messages received from server
and forwarded to client.
• Incomplete — Number of packets that contain an incomplete
message.
• Drop — Number of SIP messages received from servers that
were not forwarded to clients.
Server conn created Total number of connections made with servers:
• Created successfully — Number of successful connections.
• Failed — Number of failed connections.


show slb smpp


Description Display Short Message Peer-to-Peer (SMPP) protocol SLB statistics.

Syntax show slb smpp [active-vrid {default | vrid-num}] [detail]

Parameter Description
active-vrid Show statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID 1-31.
detail Show statistics per CPU in the output.

Mode All

Example The following command shows SMPP SLB statistics.

ACOS(config)#show slb smpp


Total
------------------------------------------------------------------
Curr SMPP Proxy 0
Total SMPP Proxy 0
Client message rcvd 0
Sent to server 0
Incomplete 0
AX responds directly 0
Drop 0
Connecting server 0
Failed 0
Server message rcvd 0
Sent to client 0
Incomplete 0
Drop 0
Failed 0
Server conn created 0
Created successfully 0
Failed 0
Client conn selection 0
Select by request 0
Select by roundbin 0
Select by conn 0
Select failed 0
Server conn selection 0
Select by request 0
Select by roundbin 0
Select by conn 0
Select failed 0

The following table describes the fields in the command output.

Field Description
SMPP msg mem allocated Total amount of memory currently in use for SMPP connections.
SMPP msg mem cached Total amount of memory cached for SMPP connections.
SMPP msg mem freed Total amount of memory freed after an SMPP connection has closed.
SMPP msg payload allocated Total amount of memory allocated for the SMPP packet payload.
SMPP msg payload freed Total amount of memory freed from the SMPP packet payload.
Curr SMPP Proxy Number of currently active connections using the SMPP proxy.
Total SMPP Proxy Total number of connections that have used the SMPP proxy.
Client message rcvd Total number of SMPP messages received from clients.
• Sent to server – Number of SMPP messages received by the client and forwarded
to the server.
• Incomplete – Number of packets which contain incomplete messages.
• AX responds directly – Number of times the ACOS device responded directly
to a client’s request.
• Drop – Number of packets dropped due to the configured SMP resource limit.
• Connecting server – Number of times the ACOS device forwarded a client’s
request to the SMPP server.
• Failed – The following counters display the number of failed connections,
listed by the cause:
• Failed to parse
• Failed to process
• Failed to SNAT
• Exceeded buff
• Failed to send
• Server conn start failed
Server message rcvd Total number of SMPP messages received from servers.
• Sent to client – Number of SMPP messages received by the server and forwarded
to the client.
• Incomplete – Number of packets which contain incomplete messages.
• Drop – Number of packets dropped due to the configured SMP resource limit.
• Failed – Number of SMPP messages received by the server that were not forwarded
to the client. The following counters display the number of failed connections,
listed by cause:
• Failed to parse
• Failed to process
• Failed to sel client conn
• Failed to SNAT
• Exceeded buff
• Failed to send

Server conn created • Created successfully – Number of server connections created successfully.
• Failed – Number of failed server connection attempts, listed by cause:
• Failed to SNAT
• Failed to construct
• Failed to reserve
• Failed to start
• Server conn already exists
• Failed to insert
Message parsing failed Number of SMPP messages that the ACOS failed to parse. The following
sub-counters describe the cause:
• The packet size too small – Number of SMPP messages that were not parsed
because the message size was less than 4 bytes.
• Invalid sequence number – SMPP messages are incremented by +1. This
counter indicates the total number of SMPP messages that were not parsed
because of an incorrect sequence number.
Message processing failed Number of times the ACOS could not process the SMPP message. The following
sub-counters describe the cause:
• No vport – There was no virtual port that matched the destination of the SMPP
message.
• Failed to select server – Server selection failure to forward the SMPP request.
Client conn selection The following counters apply to SMPP client selection:
• Select by request – Number of client connections, selected by the type of
request message.
• Select by roundbin – Number of client connection selected by the Round
Robin algorithm.
• Select by conn – Number of client connections, selected by the connection
type.
• Select failed – Number of times the ACOS failed to select a client for the SMPP
connection.
Server conn selection The following counters apply to SMPP server selection:
• Select by request – Number of server connections, selected by the type of
request message.
• Select by roundbin – Number of server connection selected by the Round
Robin algorithm.
• Select by conn – Number of server connections, selected by the connection
type.
• Select failed – Number of times the ACOS failed to select a server for the SMPP
connection.
Bind client and server Number of times the ACOS successfully forwarded the initial BIND message from
a client to an SMPP server.
Unbind client and server Number of times the ACOS disconnected the client from an SMPP server.
Receive enquire_link Total number of ENQUIRE_LINK messages that the ACOS received from the SMPP
client or server.

Receive enquire_link_resp Total number of ENQUIRE_LINK_RESP messages that the ACOS received from the
SMPP client or server.
Send enquire_link Total number of ENQUIRE_LINK messages that the ACOS device has sent.
Send enquire_link_resp Total number of ENQUIRE_LINK_RESP messages that the ACOS device has sent.
Fail to bind server Total number of times the ACOS device received a BIND message and failed to
connect the client to an SMPP server.
Single message Total number of single messages that were sent to the ACOS and did not require
a response.
Transfer msg from L4 to L7 CPU Number of SMPP messages that the ACOS transferred from a Layer 4 CPU to a
Layer 7 CPU.
Fetch msg from L7 CPU Number of SMPP messages that the ACOS transferred from the Layer 7 CPU to a
Layer 4 CPU.
Transfer msg from proxy to conn CPU Number of SMPP messages that the ACOS transferred from the proxy CPU to the
connection CPU.
Fetch msg from conn CPU Number of SMPP messages that the ACOS transferred from the connection CPU
to the proxy CPU.
Transfer msg from L7 to L4 CPU Number of SMPP messages that the ACOS transferred from a Layer 7 CPU to a
Layer 4 CPU.
Transfer msg from conn to proxy CPU Number of SMPP messages that the ACOS transferred from the connection CPU
to the proxy CPU.
Alloc mem failed Number of times a connection failed because the ACOS device did not have
access to sufficient memory resources.
Unexpected error Number of unexpected errors that are not categorized by the other counters.
AX holds msg Number of messages that the ACOS device has received from a client or server
and has yet to forward.
Splited packet Number of times the ACOS split TCP packets which contain multiple SMPP
messages.
Message in pipeline Number of SMPP messages that the ACOS processed using an HTTP pipeline.
Client RST Number of times TCP connections with clients were reset.
Server RST Number of times TCP connections with servers were reset.


show slb smtp


Description Shows SLB information for SMTP.

Syntax show slb smtp [active-vrid {default | vrid-num}] [detail]

Parameter Description
active-vrid Show statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID 1-31.
detail Show statistics per CPU in the output.

Mode All

Example The following command shows summary SMTP SLB statistics:

ACOS#show slb smtp


Total
------------------------------------------------------------------
Current proxy conns 0
Total proxy conns 0
SMTP requests 0
SMTP requests (success) 0
No proxy error 0
Client reset 0
Server reset 0
No tuple error 0
Parse request failure 0
Server selection failure 0
Forward request failure 0
Forward REQ data failure 0
Request retransmit 0
Request pkt out-of-order 0
Server reselection 0
Server premature close 0
Server connection made 0
Source NAT failure 0

The following table describes the fields in the command output.

Field Description
Current proxy conns Number of currently active SMTP connections using the ACOS device as an SMTP proxy.
Total proxy conns Total number of SMTP connections that have used the ACOS device as an SMTP proxy.
SMTP requests Total number of SMTP requests received by the SMTP proxy.

SMTP requests (success) Number of SMTP requests received by the ACOS device that were successfully fulfilled
(by connection to a real server).
No proxy error Number of proxy errors.
Client reset Number of times TCP connections with clients were reset.
Server reset Number of times TCP connections with servers were reset.
No tuple error Number of tuple errors.
Parse request failure Number of times parsing of an SMTP request failed.
Server selection failure Number of times selection of a real server failed.
Forward request failure Number of forward request failures.
Forward REQ data failure Number of forward request data failures.
Request retransmit Number of retransmitted requests.
Request pkt out-of-order Number of request packets received from clients out of sequence.
Server reselection Number of times a request was forwarded to another server because the current server
was failing.
Server premature close Number of times the connection with a server closed prematurely.
Server connection made Number of connections made with servers.
Source NAT failure Number of source NAT failures.

Example The following command shows detailed SMTP SLB statistics for each data processor (DP):

ACOS#show slb smtp detail


DP0 DP1 DP2 Total
------------------------------------------------------------------
Current proxy conns 0 0 0 0
Total proxy conns 0 0 0 0
SMTP requests 0 0 0 0
SMTP requests (success) 0 0 0 0
No proxy error 0 0 0 0
Client reset 0 0 0 0
Server reset 0 0 0 0
No tuple error 0 0 0 0
Parse request failure 0 0 0 0
Server selection failure 0 0 0 0
Forward request failure 0 0 0 0
Forward REQ data failure 0 0 0 0
Request retransmit 0 0 0 0
Request pkt out-of-order 0 0 0 0
Server reselection 0 0 0 0
Server premature close 0 0 0 0
Server connection made 0 0 0 0
Source NAT failure 0 0 0 0


show slb spdy-proxy


Description Show statistics for SLB SPDY proxy.

Syntax show slb spdy-proxy
[active-vrid {default | vrid-num}] [debug] [detail]

Parameter Description
active-vrid Show statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID 1-31.
debug Show debug information.
detail Show statistics per CPU in the output.

Mode All

show slb ssl stats


Description Shows statistics for SLB.

Syntax show slb ssl stats [active-vrid {default | vrid-num}]

Example The following command shows SSL SLB statistics:

ACOS#show slb ssl stats


SSL module: Hardware
Number of SSL modules: 5
SSL module 1
number of enabled crypto engines: 8
number of available crypto engines: 8
number of requests handled: 0
SSL module 2
number of enabled crypto engines: 8
number of available crypto engines: 8
number of requests handled: 0
SSL module 3
number of enabled crypto engines: 8
number of available crypto engines: 8
number of requests handled: 0
SSL module 4
number of enabled crypto engines: 8
number of available crypto engines: 8
number of requests handled: 0
SSL module 5
number of enabled crypto engines: 6
number of available crypto engines: 6
number of requests handled: 0


Current clientside SSL connections: 0
Total clientside SSL connections: 0
Current serverside SSL connections: 0
Total serverside SSL connections: 0
Total times of reusing SSL sessions(IDs) in client ssl 0
Total times of reusing SSL sessions(IDs) in server ssl 0
Failed SSL handshakes: 0
Failed crypto operations: 0
Dropped serverside SSL connections: 0
SSL memory usage: 0 bytes
SSL server certificate errors: 0
SSL fail CA verification 0
HW Context Memory Total Count 248550
HW Context Memory in Use 0
HW Context Memory alloc failed 0
HW ring full 0
Record too big 0
Total client ssl context malloc failures: 0

The following table describes the fields in the command output.

Field Description
Number of SSL modules Total number of SSL processing modules on the device.
SSL module n ID number of the SSL module to which the following statistics
apply.
number of enabled crypto engines Number of SSL encryption/decryption processing engines that are
enabled.
number of available crypto engines Number of SSL encryption/decryption processing engines that are
available on the device.
number of requests handled Number of SSL requests handled by the SSL processing engine.
Current clientside SSL connections Number of currently active client-side SSL sessions (sessions
between ACOS and clients).
Total clientside SSL connections Total number of SSL client-side sessions since the last time statistics
were cleared.
Current serverside SSL connections Number of currently active server-side SSL sessions (sessions
between ACOS and servers).
Total serverside SSL connections Total number of SSL server-side sessions since the last time statistics
were cleared.
Total times of reusing SSL sessions(IDs) in client ssl SSL session-ID reuse statistics.
Total times of reusing SSL sessions(IDs) in server ssl
Failed SSL handshakes Number of SSL sessions in which the SSL security handshake failed.

Failed crypto operations Number of times an encryption/decryption failure occurred for an
SSL record.
Dropped serverside SSL connections Total number of SSL server-side sessions dropped since the last
time statistics were cleared.
SSL memory usage Amount of memory in use by the SSL processing module.
SSL server certificate errors Total count of certificate errors.
SSL fail CA verification Number of times an SSL session was terminated due to a certificate
verification failure.
HW Context Memory Total Count Total amount of hardware available for SSL context memory allocation.
HW Context Memory in Use Total amount of hardware in use for SSL context memory allocation.
HW Context Memory alloc failed Number of times the encryption processor was unable to allocate
memory.
HW ring full Number of times the ACOS software was unable to enqueue an
SSL record to the SSL processor for encryption/decryption. (Number
of times the processor reached its performance limit.)
Record too big Number of times the ACOS device received an SSL record that
spanned across more than 64 packets.
Total client ssl context malloc failures Number of times ACOS failed to allocate memory for client SSL
context memory.
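
One way to turn the counters described in the table above into alerts, as an added example (not part of the A10 reference and not A10 code): it parses two polls of show slb ssl stats output, accepts both the colon and no-colon label styles the output mixes, and reports counters that grew between polls. The sample output is constructed, and the thresholds, the context-memory limit and the enabled-versus-available engine check are assumptions.

```python
import re

# Constructed sample of "show slb ssl stats" output (values invented), trimmed to two modules.
POLL_1 = """\
SSL module: Hardware
Number of SSL modules: 2
SSL module 1
  number of enabled crypto engines: 8
  number of available crypto engines: 8
  number of requests handled: 1200
SSL module 2
  number of enabled crypto engines: 6
  number of available crypto engines: 8
  number of requests handled: 0

Current clientside SSL connections: 40
Total clientside SSL connections: 1000
Failed SSL handshakes: 10
Failed crypto operations: 0
SSL memory usage: 52480 bytes
SSL server certificate errors: 0
SSL fail CA verification 0
HW Context Memory Total Count 248550
HW Context Memory in Use 120
HW Context Memory alloc failed 0
HW ring full 0
Record too big 0
"""
# Second constructed poll: the same text with three counters advanced.
POLL_2 = (POLL_1.replace("Failed SSL handshakes: 10", "Failed SSL handshakes: 75")
                .replace("SSL fail CA verification 0", "SSL fail CA verification 3")
                .replace("Record too big 0", "Record too big 2"))

_MODULE = re.compile(r"^SSL module (\d+)$")
# Label, optional colon (the output uses both styles), integer, optional "bytes" unit.
_FIELD = re.compile(r"^(?P<label>.+?):?\s+(?P<value>\d+)(?:\s+bytes)?$")

# Assumed alert thresholds: minimum increase between two polls worth reporting.
THRESHOLDS = {
    "Failed SSL handshakes": 50,  # some handshake failures are normal background noise
    "Failed crypto operations": 1,
    "SSL server certificate errors": 1,
    "SSL fail CA verification": 1,
    "HW Context Memory alloc failed": 1,
    "HW ring full": 1,
    "Record too big": 1,
}
CONTEXT_MEMORY_LIMIT = 0.90  # assumed utilisation ceiling for HW context memory


def parse_ssl_stats(text):
    """Return {"modules": {id: {field: int}}, "counters": {label: int}}."""
    stats = {"modules": {}, "counters": {}}
    module = None
    for raw in text.splitlines():
        line = raw.strip()
        header = _MODULE.match(line)
        if header:
            module = stats["modules"].setdefault(int(header.group(1)), {})
            continue
        field = _FIELD.match(line)
        if not field:
            continue  # blank lines and non-numeric lines such as "SSL module: Hardware"
        label, value = field.group("label"), int(field.group("value"))
        # Per-module fields are the lowercase "number of ..." lines under a module header.
        if module is not None and label.startswith("number of "):
            module[label] = value
        else:
            module = None
            stats["counters"][label] = value
    return stats


def counter_increase(previous, current):
    """Growth of a cumulative counter; a drop means statistics were cleared."""
    return current - previous if current >= previous else current


def review(previous_text, current_text):
    """Compare two polls and return a list of human-readable findings."""
    prev, curr = parse_ssl_stats(previous_text), parse_ssl_stats(current_text)
    findings = []
    for label, minimum in THRESHOLDS.items():
        grew = counter_increase(prev["counters"].get(label, 0), curr["counters"].get(label, 0))
        if grew >= minimum:
            findings.append(f"{label}: +{grew}")
    total = curr["counters"].get("HW Context Memory Total Count", 0)
    in_use = curr["counters"].get("HW Context Memory in Use", 0)
    if total and in_use / total > CONTEXT_MEMORY_LIMIT:
        findings.append(f"HW context memory {in_use}/{total} in use")
    for module_id, fields in sorted(curr["modules"].items()):
        enabled = fields.get("number of enabled crypto engines", 0)
        available = fields.get("number of available crypto engines", 0)
        if enabled < available:
            findings.append(f"SSL module {module_id}: {enabled} of {available} crypto engines enabled")
    return findings


if __name__ == "__main__":
    for finding in review(POLL_1, POLL_2):
        print(finding)
```

Because the totals are counted since the last time statistics were cleared, counter_increase treats a value that went down as a restart from zero rather than as a negative change.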

show slb ssl-expire-check


Description Display information about email notification of expired certificates.

Syntax show slb ssl-expire-check

Mode All


show slb ssl-forward-proxy-cert


Description Display hash entries for server certificates created by the ACOS device for SSL Insight.

Syntax show slb ssl-forward-proxy-cert name num {ipaddr | all}

Parameter Description
name Wildcard VIP name.
num Virtual port number to which clients send requests (for example, 443).
ipaddr | all Displays entries for the certificate associated with a specific server IP
address or for all server IP addresses.

Mode All

Introduced in Release 2.7.0

show slb switch


Description Show SLB switching statistics.

Syntax show slb switch
[active-vrid {default | vrid-num}]
[detail | ethernet port-num [detail]]

Parameter Description
active-vrid Show statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID 1-31.
detail Shows statistics per individual CPU in the output.
ethernet port-num Shows statistics only for the specified Ethernet port.

Mode All

Example The following command shows summary SLB switching statistics:

ACOS#show slb switch


Total
------------------------------------------------------------------
L2 Forward 2793
L3 IP Forward 0
IPv4 No Route Drop 0
L3 IPv6 Forward 0
IPv6 No Route Drop 0
L4 Process 709223
Incorrect Len Drop 0
Prot Down Drop 289
Unknown Prot Drop 32136
TTL Exceeded Drop 0
Link Down Drop 0
SRC Port Suppresion 0
VLAN Flood 141022
IP Fragment Rcvd 0
ARP REQ Rcvd 80272
ARP RESP Rcvd 15939
Forward Kernel 91163
IP(TCP) Fragment Rcvd 0
IP Fragment Overlap 0
IP Frag Overload Drops 0
IP Fragment Reasm OKs 23
IP Fragment Reasm Fails 0
IP Fragment Timeout 0
Anomaly Land Attack Drop 0
Anomaly IP OPT Drops 0
Anomaly PingDeath Drop 0
Anomaly All Frag Drop 0
Anomaly TCP noFlag Drop 0
Anomaly SYN Frag Drop 0
Anomaly TCP SYNFIN Drop 0
Anomaly Any Drops 0
BPDUs Received 0
BPDUs Sent 0
ACL Denys 0
SYN rate exceeded Drop 0
Packet Error Drops 0
IPv6 Frag UDP 0
IPv6 Frag TCP 0
IPv6 Frag ICMP 0
IPv6 Frag OSPF 0
IPv6 Frag ESP 0
IPv6 Frag Reasm OKs 0
IPv6 Frag Reasm Fails 0
IPv6 Frag Invalid Pkts 0
Bad Pkt Drop 0
IP Frag Exceed Drop 0
IPv4 No L3 VLAN FWD Drop 0
IPv6 No L3 VLAN FWD Drop 0
L2 Default Vlan FWD Drop 507865
BW Limit Drop 0
License Expire Drop 0
L4 Misc Er 0
Management Service Drop 0
Jumbo Frag Drop 0
IPv6 Jumbo Frag Drop 0

The following table describes the fields in the command output.

Field Description
L2 Forward When the ACOS device is acting as a Layer-2 switch and receives a packet that has the
destination MAC address in its MAC table, ACOS sends the packet to the outgoing
interface (as per the MAC table entry) and increments this counter.
L3 IP Forward Number of packets that have been Layer 3 routed.
IPv4 No Route Drop Number of IPv4 packets that were dropped due to routing failures.
L3 IPv6 Forward Number of IPv6 packets that have been Layer 3 routed.
IPv6 No Route Drop Number of IPv6 packets that were dropped due to routing failures.
L4 Process Number of packets that went to a VIP or NAT for processing.
Incorrect Len Drop Number of packets dropped due to incorrect protocol length.
Note: A high value for this counter can indicate a packet length attack.
Prot Down Drop • Number of IPv6 packets received on an interface for which there was no IPv6
address configured.
• Number of IPv4 packets received on an interface for which there was no IPv4
address configured.
Unknown Prot Drop Number of times ACOS dropped a packet because the packet was not one of the
following: IPv4, IPv6, or ARP.
TTL Exceeded Drop Number of packets dropped due to TTL expiration.
Link Down Drop Number of packets dropped because the outgoing link was down.
SRC Port Suppression Number of packets dropped because the source and destination interfaces
within the same VLAN are the same.
VLAN Flood Number of times ACOS received a packet that did not have the destination MAC
address in the MAC table, causing ACOS to flood the packet out all other interfaces on
the VLAN.
IP Fragment Rcvd Number of IPv4 fragments that have been received.
ARP REQ Rcvd Number of ARP requests the ACOS device received.
ARP RESP Rcvd Number of ARP responses the ACOS device received in response to an ARP request
sent by itself.
Forward Kernel When the ACOS device receives a health monitor packet (for example, LACP or ARP
packets), ACOS forwards these packets to the kernel for processing and increments
this counter.
IP(TCP) Fragment Rcvd Number of IP TCP fragments received.
IP Fragment Overlap Number of overlapping fragments received.
IP Frag Overload Drops Number of fragments dropped due to overload.
IP Fragment Reasm OKs Number of successfully reassembled IP fragments.

IP Fragment Timeout Number of times the ACOS device did not receive the subsequent fragments
needed for fragmentation reassembly.
IP Fragment Reasm Fails Number of IP fragment reassembly failures.
Anomaly Land Attack Drop Number of SYN packets dropped because they were spoofed (used the destination IP
address as the source IP address).
Anomaly IP OPT Drops Number of packets dropped because they had IP options set.
Anomaly PingDeath Drop Number of oversized (longer than 32 K) ICMP packets dropped.
An oversized ICMP packet can trigger Denial of Service (DoS), crashing, freezing, or
rebooting.
Anomaly All Frag Drop Number of IP fragments dropped.
Anomaly TCP noFlag Drop Number of TCP packets dropped because they had no flags set.
TCP packets are normally sent with at least one bit in the flags field set.
Anomaly SYN Frag Drop Number of TCP SYN fragments dropped that had the fragmentation bit set.
A SYN fragment attack floods the target host with SYN packet fragments. An unprotected
host will store the fragments in order to reassemble them. By not completing
the connection, and flooding the server or host with such fragmented SYN packets,
the attacker can eventually cause the host’s memory buffer to fill up.
Anomaly TCP SYNFIN Drop Number of TCP packets dropped that had TCP SYN and FIN bits set.
An attacker can send a packet with both bits set to determine what kind of system
reply is returned, and then use the system information for further attacks using known
system vulnerabilities. Also, some older devices will let such packets through even
though there is an established ACL defined and the state of the TCP connection is not
considered to be established.
Anomaly Any Drops Total number of packets dropped by IP anomaly filtering.
BPDUs Received Number of Bridge Protocol Data Units (BPDUs) received.
BPDUs Sent Number of Bridge Protocol Data Units (BPDUs) sent.
ACL Denys Number of times traffic was not forwarded due to a deny rule in an Access Control List
(ACL).
This counter also includes traffic dropped due to the l3-vlan-fwd-disable action in ACL
rules.
SYN rate exceeded Drop Number of packets dropped because the TCP SYN threshold had been exceeded.
Packet Error Drops Number of times the ACOS device dropped a packet due to a TCP/UDP checksum
error.
IPv6 Frag UDP Number of IPv6 UDP fragments received by the ACOS device.
IPv6 Frag TCP Number of IPv6 TCP fragments received by the ACOS device.
IPv6 Frag ICMP Number of IPv6 ICMP fragments received by the ACOS device.
IPv6 Frag OSPF Number of IPv6 OSPF fragments received by the ACOS device.
IPv6 Frag ESP Number of IPv6 ESP fragments received by the ACOS device.
IPv6 Frag Reasm OKs Number of successfully reassembled IPv6 fragments.
IPv6 Frag Reasm Fails Number of IPv6 fragment reassembly failures.

IPv6 Frag Invalid Pkts Number of IPv6 fragments that were invalid.
Bad Pkt Drop Number of bad packets dropped; this is a cumulative number for all packets that
could not be processed (for example, packet has an incorrect length).
IP Frag Exceed Drop Number of fragmented IP packets that were dropped because they exceeded the
allowed maximum.
IPv4 No L3 VLAN FWD Drop Number of IP packets that were dropped by the l3-vlan-fwd-disable action in an IPv4
ACL.
IPv6 No L3 VLAN FWD Drop Number of IP packets that were dropped by the l3-vlan-fwd-disable action in an IPv6
ACL.
L2 Default VLAN FWD Drop Number of times DLF packets were dropped because the ACOS device is
configured to disallow flooding on the default VLAN (VLAN1).
BW Limit Drop Number of packets dropped because they exceeded the bandwidth limit.
NOTE: This field does not apply to hardware models.
License Expire Drop Number of packets dropped due to an invalid license.
NOTE: This field does not apply to hardware models.
L4 Misc Er Number of Layer 4 packets dropped due to miscellaneous errors.
Management Service Drop Number of times management traffic was dropped because the specific
service type was not enabled.
Jumbo Frag Drop Number of dropped fragmented IPv4 jumbo packets.
IPv6 Jumbo Frag Drop Number of dropped fragmented IPv6 jumbo packets.

Example The following command shows detailed SLB switching statistics for Ethernet port 1:

ACOS#show slb switch ethernet 1 detail


DP0 DP1 DP2 Total
------------------------------------------------------------------
L2 Forward 2115 227 453 2795
L3 IP Forward 0 0 0 0
IPv4 No Route Drop 0 0 0 0
...
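The drop counters described above are most useful when two snapshots are compared. The following Python sketch is an added example, not part of the A10 reference: it parses `show slb switch` output in summary or detail layout and reports which of the attack-related counters grew. The function names, the watch list, the reset handling and both sample snapshots are assumptions of this example.

```python
import re

# Counters that the field descriptions above associate with malformed or hostile traffic.
WATCHED = {
    "Incorrect Len Drop": "incorrect protocol length (possible packet length attack)",
    "IP Fragment Overlap": "overlapping IP fragments",
    "Anomaly Land Attack Drop": "spoofed SYN, source IP equals destination IP",
    "Anomaly PingDeath Drop": "oversized ICMP packets",
    "Anomaly TCP noFlag Drop": "TCP packets with no flags set",
    "Anomaly SYN Frag Drop": "fragmented TCP SYN packets",
    "Anomaly TCP SYNFIN Drop": "TCP packets with SYN and FIN both set",
    "SYN rate exceeded Drop": "TCP SYN threshold exceeded",
}

# A counter row is a name followed by one value (summary layout) or by
# per-DP values and a total (detail layout).
ROW = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<values>\d+(?:\s+\d+)*)\s*$")


def parse_counters(text):
    """Return {counter name: total}; in detail output the last column is the total."""
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            counters[m.group("name")] = int(m.group("values").split()[-1])
    return counters


def triage(before, after, min_delta=1):
    """Report watched counters that grew between two snapshots, largest growth first."""
    old, new = parse_counters(before), parse_counters(after)
    findings = []
    for name, meaning in WATCHED.items():
        prev, cur = old.get(name, 0), new.get(name, 0)
        # Assumption: a value lower than the earlier one means the counters were
        # reset in between, so everything counted since then is treated as new.
        delta = cur - prev if cur >= prev else cur
        if delta >= min_delta:
            findings.append((name, delta, meaning))
    return sorted(findings, key=lambda f: f[1], reverse=True)


# Constructed sample: earlier snapshot in summary layout.
BEFORE = """
L2 Forward                 2795
Incorrect Len Drop         0
Anomaly Land Attack Drop   3
Anomaly TCP SYNFIN Drop    10
SYN rate exceeded Drop     0
ACL Denys                  12
"""

# Constructed sample: later snapshot in detail layout (per-DP columns, then Total).
AFTER = """
                           DP0    DP1    DP2    Total
------------------------------------------------------
L2 Forward                 3000   400    600    4000
Incorrect Len Drop         900    50     50     1000
Anomaly Land Attack Drop   1      1      1      3
Anomaly TCP SYNFIN Drop    20     5      0      25
SYN rate exceeded Drop     0      0      0      0
ACL Denys                  10     5      5      20
"""

if __name__ == "__main__":
    for name, delta, meaning in triage(BEFORE, AFTER):
        print(f"{name}: +{delta} ({meaning})")
```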

show slb syn-cookie-buffer


Description Show SYN-cookie buffer statistics.

Syntax show slb syn-cookie-buffer

Mode All

Example The following command shows SYN-cookie buffer information:

ACOS#show slb syn-cookie-buffer


Maximum SYN cookie buffer size : 10
Total SYN cookie buffer queued : 0


Total SYN cookie buffer drop : 0

show slb tcp stack


Description Show statistics for TCP SLB.

Syntax show slb tcp stack [active-vrid {default | vrid-num}] [detail]

Parameter Description
active-vrid Show statistics for the specified VRID only.
Specify default for VRID 0, or specify a VRID 1-31.
detail Show statistics per CPU in the output.

Mode All

Example The following command shows summary TCP stack statistics:

ACOS#show slb tcp stack


Total
------------------------------------------------------------------
Currently EST conns 29
Active open conns 6968
Passive open conns 7938
Connect attemp failures 0
Total in TCP packets 678804
Total out TCP packets 712974
Retransmited packets 359
Resets rcvd on EST conn 5369
Reset Sent 4303

The following table describes the fields in the command output.

Field Description
Currently EST conns Current number of established TCP connections being handled
by the proxy.
Active open conns Number of active connections open.
Passive open conns Number of passive connections open.
Connect attemp failures Number of TCP connection attempts that failed.
Total in TCP packets Total number of TCP packets received by the TCP proxy.
Total out TCP packets Total number of TCP packets sent by the TCP proxy.
Retransmitted packets Number of TCP packets retransmitted by the TCP proxy.
Resets rcvd on EST conn Number of TCP Resets received for established connections.

Reset Sent Number of TCP Resets sent by the Thunder Series device.
TCPIP out noroute Number of times request failed to send due to route failure.

show slb template


Description Show configuration information for SLB templates. The template configuration commands
in the running-config are displayed.

Syntax show slb template


[template-type
[active-vrid {default | vrid-num}]
[all-partitions]
[certificate-status]
[default]
[template-name]
[partition {shared | name}]
]
[all-partitions]
[partition {shared | name}]

Parameter Description
template-type The type of SLB template configured.
Enter show slb template ? to view a list of supported template types.
active-vrid View the template configuration for a specific VRID only. You can specify default for VRID
0, or specify a VRID number 1-31.
certificate-status Show the status of the virtual server’s certificate (OCSP-Stapling).
default Show the configuration of the default template.
template-name Show the configuration of the specified template.
all-partitions Show SLB template configuration in all partitions.
partition Show SLB template configuration in the specified partition only.

Mode All

Example The following command shows the template configuration commands in the
running-config on an ACOS device:

ACOS#show slb template


slb template udp udp-aging
aging immediate
slb template http X-Forwarded-For
insert-client-ip "X-Forwarded-For"
compression minimum-content-length 120
slb template http clientip-insert
insert-client-ip "x-Forwarded-For"
slb template http cookie-delete


header-erase "Cookie"
slb template http hostdelete
header-erase "Host"
slb template http hostinsert
header-insert "Host: www.example.com"
slb template http http100
header-insert "Expect: 100-continue"
slb template http httpinsert
header-erase "Host"
header-insert "Host: www.example.com"
slb template tcp-proxy tcp-timeout
idle-timeout 180
slb template connection-reuse creuse
timeout 60
--MORE--

show slb virtual-server


Description Show information for SLB virtual servers.


Syntax show slb virtual-server


[
virtual-server-name
[vport-num
{
port-type [service-group-name] |
detail |
host-hits-counter {host-name | all} |
url-hits-counter {url-string | all}
}
]
[active-vrid {default | vrid-num}]
[all-partitions]
[bind]
[config [all-partitions | partition {shared | name}]]
[partition {shared | name}]

Option Description
virtual-server-name Shows information only for the specified virtual server.
• The vport-num port-type option shows information only for the specified virtual
port on the virtual server.
• The service-group-name option further restricts the output, to show information
only for the specified service group.
• The detail option displays connection and packet statistics.
In ACOS release 4.0.1, specifying detail also shows the connection rate per virtual
port for each virtual server. For more information, see the examples below.
• The host-hits-counter option displays rule-matching statistics for host switching.
Each time traffic matches a host-matching rule in an HTTP template, the applicable
“hits” counter is incremented.
• The url-hits-counter option displays rule-matching statistics for URL switching.
Each time traffic matches a URL-switching rule in an HTTP template, the applicable
“hits” counter is incremented.
active-vrid Show information for the specified VRID only. You can specify default for VRID 0, or
enter a VRID number 1-31.
all-partitions Show information for all partitions.
bind Includes the service groups and real servers and ports bound to the virtual ports.
config Displays virtual-server configuration information.
You can optionally specify the specific partition for which you want to view this
configuration.
partition Show information for a specific partition.

Mode All

Usage To display virtual-server information for a specific partition, use the partition option; use
partition shared for the shared partition, or partition name, where name is a specific
L3V partition.

Example The following command shows summary information for all virtual servers:

ACOS#show slb virtual-server


Total Number of Virtual Services configured: 2


Virtual Server Name IP Current Total Request Response Peak
Service-Group Service connection connection packets packets connection
-------------------------------------------------------------------------------------------
*v-server(A) 3.1.1.99
port 80 http 0 3 14 10 611
abctcp 80/http 0 2 14 10 2112
Total received conn attempts on this port: 3
port 53 udp 0 0 0 0 411
abcudp 53/udp 0 0 0 0 696969
Total received conn attempts on this port: 0
...

The following table describes the fields in the command output.

Field Description
Total Number of Virtual Services configured Total number of virtual services (virtual server ports) configured on the
Thunder Series device.
Virtual Server Name Name of the virtual server.
Underneath the virtual server name, each of the virtual ports on the
server is listed, followed by the service groups in which the virtual server
and the virtual port are members.
In the example above, virtual server “v-server” has two virtual ports, HTTP
port 80 and UDP port 53. HTTP port 80 is a member of service group
“abctcp”, and UDP port 53 is a member of service group “abcudp”.
For each VIP, its VRRP-A state on the ACOS device is shown by one of the
following:
• (A) – VIP is in active state on this ACOS device.
• (S) – VIP is in standby state on this ACOS device.
The primary servers are listed under the virtual port. If alternates are
configured for a primary server, the alternates are listed under the primary
server. If an asterisk is shown at the end of an alternate server name, the
primary server is down and the alternate server is active instead.
IP Virtual IP address of the virtual server.
Current connection Current number of connections to the virtual service port.
NOTE: Connection and packet counters are listed separately for virtual
ports and for service groups.
Total connection Total number of connections to the virtual service port.
Request packets Number of request packets received for the virtual service.
Response packets Number of server reply packets sent by the ACOS device for the virtual
service.

Peak connection Peak connection count.
Note: Peak connection statistics are collected only if the extended-stats
option is enabled. To enable extended-stats, see the following:
• “slb common” on page 488 (global)
• “extended-stats” on page 635 (individual virtual server)
• “extended-stats” on page 647 (individual virtual service port)
Total received conn attempts on this port Total number of connection requests received for this port.
Service-Group Service group bound to the virtual service.
Service Virtual service port number and service type.

Example The following command shows status information for SLB virtual server “v-server”:

ACOS(config)#show slb virtual-server v-server


Virtual server: v-server State: All Up IP: 3.1.1.99
Port Curr-conn Total-conn Rev-Pkt Fwd-Pkt Peak-conn
-------------------------------------------------------------------------------------

Virtual Port:80 / service:abctcp / state:All Up


port 80 http 0 3 10 14 1011

Source NAT Pool: pootest

Virtual Port:53 / service:abcudp / state:All Up


port 53 udp 0 0 0 0 811
Source NAT Pool: pootest
Total Traffic 0 3 10 14 1822
...


The following table describes the fields in the command output.

Field Description
Virtual server Name of the virtual server.
State State information is shown separately for virtual servers and for individual virtual ports.
Virtual server state:
• All Up – All virtual ports on the virtual server are Running.
• Functional Up – Some of the virtual ports are Running or Functional Running, but at least one of them
is not Running.
• Partial Up – At least one virtual port is Running or Functional Running, but at least one other virtual
port is Down.
• Down – All the virtual ports are Down.
• Disb – The virtual server has been administratively disabled.
Virtual port state:
• All Up – All members (real servers and ports) in all service groups bound to the virtual port are up.
• Functional Up – At least one member in a service group bound to the virtual port is up, but not all
members are up.
• Down – All members in all service groups bound to the virtual port are down.
• Disb – The virtual port has been administratively disabled.
IP Virtual IP address of the virtual server.
Port Virtual port number and service type.
Curr-conn Current number of connections to the virtual service port.
Total-conn Total number of connections to the virtual service port.
Rev-Pkt Number of server reply packets sent by the ACOS device for the virtual service.
Fwd-Pkt Number of request packets received for the virtual service.
Peak-conn Peak connection count.
NOTE: Peak connection statistics are collected only if the extended-stats option is enabled. To enable
extended-stats, see the following:
• “slb common” on page 488 (global)
• “extended-stats” on page 635 (individual virtual server)
• “extended-stats” on page 647 (individual virtual service port)

Example The following command shows configuration information:

ACOS#show slb virtual-server config


Total Number of Virtual Services configured: 1
Virtual server Name Address
------------------------------------------------
louis2 192.168.20.253
member0:louis 80/http
Source NAT Pool: p1 HTTP Template: clientip-insert
Reuse Template: cr Persist Cookie:cookie-persist


aFleX: bugzilla_proxy_fix

The following table describes the fields in the command output.

Field Description
Total Number of Virtual Services configured Total number of virtual services (virtual server ports)
configured on the Thunder Series device.
Virtual server Name Name of the virtual server.
Address Virtual IP address of the virtual server.
member Real server bound to the virtual server. The number at the end
is assigned by the ACOS device for this show command output.
Under the member name, the NAT pools and SLB templates
bound to the virtual server are listed.

Example The following command shows details for a virtual server:

ACOS#show slb virtual-server vip1 detail


Virtual server name: vip1
Virtual server IP address: 200.200.200.100
Virtual server MAC: 021f:a000:0000
Virtual server template: adi
Connection rate limit: 800000 per second
Connection rate over limit action: drop
Current connection: 24254
Current request: 0
Total connection: 3024486
Total request: 0
Total request success: 0
Total forward bytes: 2561556963
Total forward packets: 42249486
Total reverse bytes: 286542491
Total reverse packets: 75962845
Peak connections: 0
Current connection rate: 121 per second

The following table describes the fields in the command output.

Field Description
Virtual server name Name of the virtual server.
Virtual server IP address IP address of the virtual server.
Virtual server MAC MAC address of the VIP.
Virtual server template Name of the virtual server template bound to the virtual server.

Current connection Current number of connections to the virtual port.
Current request Current number of HTTP requests being processed by the virtual port.
NOTE: In this field and the Total request and Total request success fields, Layer 7 requests
are counted only if Layer 7 request accounting is enabled. See “slb common” on page 488.
Total connection Total number of connections that have been made to the virtual port.
Total request Total number of HTTP requests processed by the virtual port.
Total request success Total number of HTTP requests that were successful.
Total forward bytes Number of request bytes forwarded to the virtual port.
Total forward packets Number of request packets forwarded to the virtual port.
Total reverse bytes Number of request bytes received from the virtual port.
Total reverse packets Number of request packets received from the virtual port.
Peak connections Peak connection count.
NOTE: Peak connection statistics are collected only if the extended-stats option is
enabled. To enable extended-stats, see the following:
• “slb common” on page 488 (global)
• “extended-stats” on page 635 (individual virtual server)
• “extended-stats” on page 647 (individual virtual service port)
Current connection rate Current connection rate for the virtual port on the virtual server.

Example The following command shows details for a virtual port on a virtual server:

ACOS(config)#show slb virtual-server vip1 80 detail


Virtual port name: vip1:80:tcp
Virtual port number: 220.220.220.100:80
Virtual port template: default
Current connection: 11216
Current request: 0
Total connection: 6215984
Total request: 0
Total request success: 0
Total forward bytes: 51614803
Total forward packets: 80370519
Total reverse bytes: 3536281441
Total reverse packets: 39742461
Peak connections: 0
Response time: 1
Fastest Rsp time: 1
Slowest Rsp time: 1
Current connection rate: 268 per second

The following table describes the fields in the command output.


Field Description
Virtual port name Name of the virtual server, virtual port, and port type.
Virtual port number IP address of the virtual server and protocol port number of the virtual port.
Virtual port template Name of the virtual port template bound to the virtual port.
Current connection Current number of connections to the virtual port.
Current request Current number of HTTP requests being processed by the virtual port.
NOTE: In this field and the Total request and Total request success fields, Layer 7 requests are
counted only if Layer 7 request accounting is enabled. See “slb common” on page 488.
Total connection Total number of connections that have been made to the virtual port.
Total request Total number of HTTP requests processed by the virtual port.
Total request success Total number of HTTP requests that were successful.
Total forward bytes Number of request bytes forwarded to the virtual port.
Total forward packets Number of request packets forwarded to the virtual port.
Total reverse bytes Number of request bytes received from the virtual port.
Total reverse packets Number of request packets received from the virtual port.
Peak connections Peak connection count.
NOTE: Peak connection statistics are collected only if the extended-stats option is
enabled. To enable extended-stats, see the following:
• “slb common” on page 488 (global)
• “extended-stats” on page 635 (individual virtual server)
• “extended-stats” on page 647 (individual virtual service port)
Current connection rate Current connection rate for the virtual port on the virtual server.

Example The following command shows service group and port bindings:

ACOS#show slb virtual-server bind


---------------------------------------------------------------------------------
*Virtual Server : SanJose(A) 192.192.100.100 Down

+port 80 tcp ====>sg-80-1 State :Down


+rs-http:80 192.168.215.16 State : Down

*Virtual Server : Chicago(A) 192.192.200.200 All Up

+port 80 tcp ====>sg-80-2 State :All Up


+rs-http-2:80 192.168.215.13 State : Up

In this example, virtual port 80 on virtual server SanJose is bound to real port 80 on real
server rs-http in service group sg-80-1. Likewise, virtual port 80 on virtual server Chicago is
bound to real port 80 on real server rs-http-2 in service group sg-80-2.


For each VIP, its VRRP-A state on the ACOS device is shown by one of the following:

• (A) – VIP is in active state on this ACOS device.


• (S) – VIP is in standby state on this ACOS device.

Example The following example shows the information displayed if alternate (backup) servers are
configured:

ACOS(config)#show slb virtual-server bind


Total Number of Virtual Services configured: 1
---------------------------------------------------------------------------------
*Virtual Server : http-with-alternates(A) 192.168.10.10 Functional Up

+port 80 http ====>http1 State :Functional Up


+rs1:80 10.10.10.10 State : Up
Alternate: rs1-a1, rs1-a2, rs1-a3
+rs2:80 10.10.10.20 State : Down
Alternate: rs2-a1*, rs2-a2, rs2-a3

The primary servers are listed under the virtual port. Under each primary server, that server’s
alternate servers are listed.

If an asterisk is shown at the end of an alternate server name, the primary server is down and
the alternate server is active instead. In the example above, rs2 is down, so alternate rs2-a1 is
being used instead.



AX Debug Commands

The AX debug subsystem enables you to trace packets on the ACOS device. To access the AX debug subsystem, enter the
following command at the Privileged EXEC level of the CLI:

ACOS#axdebug

The CLI prompt changes as follows:

ACOS(axdebug)#

This chapter describes the debug-related commands in the AX debug subsystem.

To perform ACOS debugging using this subsystem:

1. Use the filter command to configure packet filters to match on the types of packets to capture.

2. (Optional) Use the count command to change the maximum number of packets to capture.

3. (Optional) Use the timeout command to change the maximum number of minutes during which to capture packets.

4. (Optional) Use the incoming | outgoing command to limit the interfaces on which to capture traffic.

5. Use the capture command to start capturing packets. The ACOS device begins capturing packets that match the filter,
and saves the packets to a file or displays them, depending on the capture options you specify.

6. To display capture files, use the show axdebug file command.

7. To export capture files, use the export command at the Privileged EXEC or global configuration level of the CLI.

The AXdebug utility creates a debug file in packet capture (PCAP) format. The PCAP format can be read by third-party
diagnostic applications such as Wireshark, Ethereal (the older name for Wireshark) and tcpdump. To simplify export of the PCAP
file, the ACOS device compresses it into a zip file in tar format. To use a PCAP file, you must untar it first.


apply-config
Description Apply an AXdebug configuration file.

AXdebug configuration files can be created with the save-config command.

Syntax apply-config file

Replace file with the name of an existing AXdebug configuration file (1-63 characters).

Mode AX debug

Example The following example applies the debug configuration saved in the example-ax-debug file:

ACOS(axdebug)#apply-config example-ax-debug
Applying debug commands
Done
example-ax-debug has been applied.
ACOS(axdebug)#

capture
Description Start capturing packets.

Syntax [no] capture parameter

Parameter Description
brief [save ...] Captures basic information about packets. (For save options, see save filename
below.)
detail [save ...] Captures packet content in addition to basic information. (For save options, see save
filename below.)
non-display [save ...] Does not display the captured packets on the terminal screen. Use the save options
to configure a file in which to save the captured packets.
save filename [max-packets] [incoming [portnum ...]] [outgoing [portnum ...]]
Saves captured packets in a file:
• filename – Specifies the name of the packet capture file.
• max-packets – Specifies the maximum number of packets to capture in the file, 0-65535.
To save an unlimited number of packets in the file, specify 0.
• incoming [portnum ...] – Captures inbound packets. You can specify one or more
physical Ethernet interface numbers. Separate the interface numbers with spaces.
If you do not specify interface numbers, inbound traffic on all physical Ethernet
interfaces is captured.
• outgoing [portnum ...] – Captures outbound packets on the specified physical
Ethernet interfaces or on all physical Ethernet interfaces. If you do not specify
interface numbers, outbound traffic on all physical Ethernet interfaces is captured.

Default By default, packets in both directions on all Ethernet data interfaces are captured.


NOTE: The traffic also must match the AX debug filters.

Mode AX debug

Usage To minimize the impact of packet capture on system performance, A10 Networks
recommends that you configure an AX debug filter before beginning the packet capture.

To display a list of AX debug capture files or to display the contents of a capture file, see
“show axdebug file” on page 689.

Example The following command captures brief packet information for display on the terminal
screen. The output is not saved to a file.

ACOS(axdebug)#capture brief
Wait for debug output, enter <ctrl c> to exit
(0,1738448) i( 1, 0, cca8)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 SA 78f07ab8:dbffc02d(0)
(0,1738448) o( 3, 0, cca8)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 SA 78f07ab8:dbffc02d(0)
(0,1738448) i( 1, 0, cca9)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 A 78f07ab9:dbffc0c2(0)
(0,1738448) o( 3, 0, cca9)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 A 78f07ab9:dbffc0c2(0)
(1,1738450) i( 1, 0, ccaa)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 PA 78f07ab9:dbffc0c2(191)
(1,1738450) o( 3, 0, ccaa)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 PA 78f07ab9:dbffc0c2(191)
(1,1738450) i( 1, 0, ccab)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 FA 78f07b78:dbffc0c3(0)
(1,1738450) o( 3, 0, ccab)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 FA 78f07b78:dbffc0c3(0)
...

These lines of debug output show the following:

• 0 – CPU ID. Indicates the CPU that processed the packet. CPU 0 is the control CPU.
• 1738448 – Time delay between packets. This is a jiffies value that increments in
4-millisecond (4-ms) intervals.
• i – Traffic direction: i (input) or o (output).
• (1, 0, cca8) – Ethernet interface, VLAN tag, and packet buffer index. If the VLAN tag is 0,
then the port is untagged. In this example, the first packet is received on Ethernet port
1, and the VLAN is not yet known. The packet is assigned to buffer index cca8.

NOTE: Generally, the VLAN tag for ingress packets is 0. It is normal for the ingress VLAN tag
to be 0 even when the egress VLAN tag is not 0.

The source and destination IP addresses are listed next, followed by the source and
destination protocol port numbers.

The TCP flag is shown next:


• S – Syn
• SA – Syn Ack
• A – Ack
• F – Fin
• PA – Push Ack

The TCP sequence number and ACK sequence number are then shown.

Finally, the packet payload is shown. The header size is excluded.
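The field layout described above can be parsed mechanically. The following Python sketch is an added example, not part of the A10 reference: it reads `capture brief` entries (on one line or wrapped across two), converts the jiffies value to elapsed milliseconds, and lists inbound packets whose buffer index never appears on an outbound line. The function names are this example's own, pairing by buffer index is an assumption based on the sample output, and the last sample entry is constructed.

```python
import re

JIFFY_MS = 4  # the text above states that the jiffies value increments in 4-ms intervals

ENTRY = re.compile(
    r"\((?P<cpu>\d+),\s*(?P<jiffies>\d+)\)\s+"
    r"(?P<direction>[io])\(\s*(?P<port>\d+),\s*(?P<vlan>\d+),\s*(?P<buf>[0-9a-f]+)\)>\s+"
    r"ip\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+)\s+"
    r"tcp\s+(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+"
    r"(?P<flags>[A-Z]+)\s+(?P<seq>[0-9a-f]+):(?P<ack>[0-9a-f]+)\((?P<payload>\d+)\)"
)
INT_FIELDS = ("cpu", "jiffies", "port", "vlan", "sport", "dport", "payload")


def parse_brief(text):
    """Parse 'capture brief' TCP entries; terminal-wrapped entries are re-joined first."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        if raw.startswith("(") or not entries:
            entries.append(raw)          # a new entry starts with "(cpu,jiffies)"
        else:
            entries[-1] += " " + raw     # continuation of a wrapped entry
    packets = []
    for entry in entries:
        m = ENTRY.match(entry)
        if not m:
            continue                     # banner text, "..." and non-TCP entries
        pkt = m.groupdict()
        for key in INT_FIELDS:
            pkt[key] = int(pkt[key])
        pkt["seq"], pkt["ack"] = int(pkt["seq"], 16), int(pkt["ack"], 16)
        packets.append(pkt)
    if packets:
        start = packets[0]["jiffies"]
        for pkt in packets:
            pkt["t_ms"] = (pkt["jiffies"] - start) * JIFFY_MS
    return packets


def unforwarded(packets):
    """Inbound packets whose buffer index never appears on an outbound line.

    Assumption: within one short capture, an inbound and an outbound line that
    share a buffer index are the same packet, as in the sample output above.
    """
    sent = {p["buf"] for p in packets if p["direction"] == "o"}
    return [p for p in packets if p["direction"] == "i" and p["buf"] not in sent]


# The first eight lines are taken from the example output above (wrapped form);
# the final entry (buffer index ccac) is constructed for this example.
SAMPLE = """
Wait for debug output, enter <ctrl c> to exit
(0,1738448) i( 1, 0, cca8)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 SA
78f07ab8:dbffc02d(0)
(0,1738448) o( 3, 0, cca8)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 SA
78f07ab8:dbffc02d(0)
(1,1738450) i( 1, 0, ccaa)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 PA
78f07ab9:dbffc0c2(191)
(1,1738450) o( 3, 0, ccaa)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 PA
78f07ab9:dbffc0c2(191)
(1,1738451) i( 1, 0, ccac)> ip 30.30.31.30 > 10.10.11.30 tcp 13700 > 80 S
5a5a0001:00000000(0)
"""

if __name__ == "__main__":
    pkts = parse_brief(SAMPLE)
    for p in pkts:
        print(p["t_ms"], p["direction"], p["buf"], p["src"], p["sport"],
              p["dst"], p["dport"], p["flags"], p["payload"])
    for p in unforwarded(pkts):
        print("no outbound line for buffer", p["buf"])
```

An inbound entry with no outbound counterpart only means the packet was not seen leaving during the capture; correlate it with the drop counters in `show slb switch` before drawing conclusions.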

Example The following command captures packet information and packet contents for display on the
terminal screen. The output is not saved to a file.

ACOS(axdebug)#capture detail
Wait for debug output, enter <ctrl c> to exit
i( 1, 0, ccae)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 SA 7ab6ae46:ddb87996(0)
Dump buffer(0xa6657048), len(80 bytes)...
0xa6657048: 00900b0b 3e83001d 09f0dec2 08004500 : ....>.........E.
0xa6657058: 003c0000 40004006 e8580a0a 0b1e1e1e : .<..@.@..X......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...
0xa6657078: 16a02ea5 00000204 05b40402 080a5194 : ..............Q.
0xa6657088: 6c551f3c 1d3f0103 03072d59 f97f0000 : lU.<.?....-Y....
0xa6657098: 00000000 00000000 00000000 00000000 : ................
o( 3, 0, ccae)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 SA 7ab6ae46:ddb87996(0)
Dump buffer(0xa6657048), len(80 bytes)...
0xa6657048: 001d09f0 e01e0090 0b0b3e83 08004500 : ..........>...E.
0xa6657058: 003c0000 40003f06 e9580a0a 0b1e1e1e : .<..@.?..X......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...
0xa6657078: 16a02ea5 00000204 05b40402 080a5194 : ..............Q.
0xa6657088: 6c551f3c 1d3f0103 03072d59 f97f0000 : lU.<.?....-Y....
0xa6657098: 00000000 00000000 00000000 00000000 : ................
i( 1, 0, ccaf)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 A 7ab6ae47:ddb87a2b(0)
Dump buffer(0xa6657848), len(80 bytes)...
0xa6657848: 00900b0b 3e83001d 09f0dec2 08004500 : ....>.........E.
0xa6657858: 0034c211 40004006 264f0a0a 0b1e1e1e : .4..@.@.&O......
0xa6657868: 1f1e0050 35467ab6 ae47ddb8 7a2b8010 : ...P5Fz..G..z+..
0xa6657878: 00367344 00000101 080a5194 6c561f3c : .6sD......Q.lV.<
0xa6657888: 1d4041de e3380000 00000000 00000000 : .@A..8..........
0xa6657898: 00000000 00000000 00000000 00000000 : ................
...

Example The following command saves captured packet information in file “file123”. The captured
traffic is not displayed on the terminal screen.

ACOS(axdebug)#capture save file123

count
Description Specify the maximum number of packets to capture.

Syntax count num

Replace num with the maximum number of packets to capture, 0-65535. To capture an
unlimited number of packets, specify 0.


Default 3000

Mode AX debug

Example The following command sets the maximum number of packets to capture to 2048:

ACOS(axdebug)#count 2048

delete
Description Delete an axdebug capture file.

Syntax delete filename

Default N/A

Mode AX debug

Example The following command deletes capture file “file123”:

ACOS(axdebug)#delete file123

filter
Description Configure an AX debug filter, to specify the types of packets to capture.

Syntax [no] filter filter-id

Replace filter-id with the ID of the filter (1-255).

This command changes the CLI to the configuration level for the specified AX debug filter,
where the following AX debug filter-related commands are available:

• dst {ip ipaddr | mac macaddr | port portnum} – Matches on the specified destination IP address, MAC address, or protocol port number.
• l3-proto {arp | ip | ipv6} – Matches on the specified Layer 3 protocol.
• ip ipaddr {subnet-mask | /mask-length} – Matches on the specified IPv4 address.
• mac macaddr – Matches on the specified MAC address.
• offset position length bytes operator value – Matches on the specified length of bytes and value of those bytes within the packet:
    • position – Starting position within the packet, 1-65535 bytes.
    • bytes – Number of consecutive bytes to filter on, from 1-65535, beginning at the offset position.
    • operator – One of the following:
        • > (greater than)
        • >= (greater than or equal to)
        • <= (smaller than or equal to)
        • < (smaller than)
        • = (equal to)
        • range min-value max-value (select a range)
    • value – String to filter on.
• port min-portnum max-portnum – Matches on the specified range of protocol port numbers.
• proto {icmp | icmpv6 | tcp | udp | portnum} – Matches on the specified protocol or protocol port number.
• src {ip ipaddr | mac macaddr | port port-num} – Matches on the specified source IP address, MAC address, or protocol port number.

Default No filters are configured by default. When you create one, all packets match the filter by
default.

Mode AX debug

Usage If a packet capture is running and you change the filter, there will be a 5-second delay while
the ACOS device clears the older filter. The delay does not occur if a packet capture is not
already running.

The packet filter for the debug command is internally numbered filter 0. In AXdebug, you
can create multiple filters, which are uniquely identified by filter ID. If you create filter 0 in
AXdebug, this filter will overwrite the debug packet filter. Likewise, if you configure filter 0 in
AXdebug, then configure the debug packet filter, the debug packet filter will overwrite
AXdebug filter 0.

Example The following commands configure an AX debug filter to match on source IP address
10.10.10.30, destination protocol port number 80, and source MAC address aabb.ccdd.eeff.
The show axdebug filter command displays the filter.

ACOS(axdebug)#filter 1
ACOS(axdebug-filter:1)#src ip 10.10.10.30
ACOS(axdebug-filter:1)#dst port 80
ACOS(axdebug-filter:1)#src mac aabb.ccdd.eeff
ACOS(axdebug-filter:1)#exit
ACOS(axdebug)#show axdebug filter
axdebug filter 1
src ip 10.10.10.30
dst port 80
src mac aabb.ccdd.eeff

incoming | outgoing
Description Specify the Ethernet interfaces and traffic direction for which to capture packets.

Syntax [no] incoming [portnum ...] [outgoing [portnum ...]]


outgoing [portnum ...]

Default Disabled

NOTE: The traffic also must match the AX debug filters.

Mode AX debug

Example The following command limits the packet capture to inbound packets on Ethernet interface
3 and outbound packets on Ethernet interface 4:

ACOS(axdebug)#incoming 3 outgoing 4

Example The following command limits the packet capture to outbound packets on Ethernet
interface 7. Inbound packets on all Ethernet interfaces are captured, unless specified
otherwise in AX debug filters.

ACOS(axdebug)#outgoing 7

length
Description Specify the maximum length of packets to capture. Packets that are longer are not captured.

Syntax [no] length bytes

Replace bytes with the maximum packet length (64-1518 bytes).

Default 1518 bytes.

Mode AX debug

Example The following command changes the maximum packet length to capture to 128:

ACOS(axdebug)#length 128

maxfile
Description Specify the maximum number of axdebug packet capture files to keep.

Once the maximum is reached, new axdebug files cannot be created until existing files are
removed.

Syntax maxfile num

Replace num with the maximum number of files to keep (1-65535).

Default 100 files.

Mode AX debug

Example The following command changes the maximum number of AX debug capture files to keep
to 125:

ACOS(axdebug)#maxfile 125

outgoing
Description See “incoming | outgoing” on page 881.

save-config
Description Save your AXdebug configuration to a file.

This file can be retrieved at a later time with the apply-config command.

Syntax save-config name

Replace name with the name of the configuration file (1-63 characters).

Mode AX debug

Example The following example saves the AX debug configuration to a file called
“example-ax-debug”:

ACOS(axdebug)#save-config example-ax-debug
Config has been saved to example-ax-debug.
ACOS(axdebug)#

timeout
Description Specify the maximum number of minutes to capture packets.

Syntax timeout minutes

Replace minutes with the number of minutes to capture the packets (0-65535).


Default 5 minutes.

Mode AX debug

Example The following command changes the capture timeout to 10 minutes:

ACOS(axdebug)#timeout 10



Up and Down Causes for the show health stat Command

This chapter lists the cause strings for the numeric cause codes that appear in the Up and Down fields of the show health
stat output. The Up / Down cause codes are shown in the output under “Cause(Up/Down/Retry)”.

Up Causes
Table 7 lists the Up causes.

TABLE 7 show health stat Up Causes


Cause Code Cause String
0 HM_INVALID_UP_REASON
1 HM_DNS_PARSE_RESPONSE_OK
2 HM_EXT_REPORT_UP
3 HM_EXT_TCL_REPORT_UP
4 HM_FTP_ACK_USER_LOGIN
5 HM_FTP_ACK_PASS_LOGIN
6 HM_HTTP_RECV_URL_FIRST
7 HM_HTTP_RECV_URL_NEARBY_FIRST
8 HM_HTTP_RECV_URL_FOLLOWING
9 HM_HTTP_RECV_URL_NEARBY_FOLLOWING
10 HM_HTTP_STATUS_CODE
11 HM_ICMP_RECV_OK
12 HM_ICMP_RECV6_OK
13 HM_LDAP_RECV_ACK
14 HM_POP3_RECV_ACK_PASS_OK
15 HM_RADIUS_RECV_OK
16 HM_RTSP_RECV_STATUS_OK
17 HM_SIP_RECV_OK
18 HM_SMTP_RECV_OK
19 HM_SNMP_RECV_OK
20 HM_TCP_VERIFY_CONN_OK
21 HM_TCP_CONN_OK
22 HM_TCP_HALF_CONN_OK
23 HM_UDP_RECV_OK
24 HM_UDP_NO_RESPOND
25 HM_COMPOUND_UP

Down Causes
Table 8 lists the Down causes.

TABLE 8 show health stat Down Causes


Cause Code Cause String
0 HM_INVALID_DOWN_REASON
1 HM_DNS_TIMEOUT
2 HM_EXT_TIMEOUT
3 HM_EXT_TCL_TIMEOUT
4 HM_FTP_TIMEOUT
5 HM_HTTP_TIMEOUT
6 HM_HTTPS_TIMEOUT
7 HM_ICMP_TIMEOUT
8 HM_LDAP_TIMEOUT
9 HM_POP3_TIMEOUT
10 HM_RADIUS_TIMEOUT
11 HM_RTSP_TIMEOUT
12 HM_SIP_TIMEOUT
13 HM_SMTP_TIMEOUT
14 HM_SNMP_TIMEOUT
15 HM_TCP_TIMEOUT
16 HM_TCP_HALF_TIMEOUT
17 HM_DNS_RECV_ERROR
18 HM_DNS_PARSE_RESPONSE_ERROR
19 HM_DNS_RECV_LEN_ZERO
20 HM_EXT_WAITPID_FAIL
21 HM_EXT_TERM_BY_SIG
22 HM_EXT_REPORT_DOWN
23 HM_EXT_TCL_REPORT_DOWN
24 HM_FTP_RECV_TIMEOUT
25 HM_FTP_SEND_TIMEOUT
26 HM_FTP_NO_SERVICE
27 HM_FTP_ACK_USER_WRONG_CODE
28 HM_FTP_ACK_PASS_WRONG_CODE
29 HM_COM_CONN_CLOSED_IN_WRITE
30 HM_COM_OTHER_ERR_IN_WRITE
31 HM_COM_CONN_CLOSED_IN_READ
32 HM_COM_OTHER_ERR_IN_READ
33 HM_COM_SEND_TIMEOUT
34 HM_COM_CONN_TIMEOUT
35 HM_COM_SSL_CONN_ERR
36 HM_HTTP_SEND_URL_ERR
37 HM_HTTP_RECV_URL_ERR
38 HM_HTTP_RECV_MSG_ERR
39 HM_HTTP_NO_LOCATION
40 HM_HTTP_WRONG_STATUS_CODE
41 HM_HTTP_WRONG_CHUNK
42 HM_HTTP_AUTH_ERR
43 HM_HTTPS_SSL_WRITE_ERR
44 HM_HTTPS_SSL_WRITE_OTHERS
45 HM_HTTPS_SSL_READ_ERR
46 HM_HTTPS_SSL_READ_OTHERS
47 HM_ICMP_RECV_ERR
48 HM_ICMP_SEND_ERR
49 HM_ICMP_RECV6_ERR
50 HM_LDAP_RECV_ACK_ERR
51 HM_LDAP_SSL_READ_ERR
52 HM_LDAP_SSL_READ_OTHERS
53 HM_LDAP_RECV_ACK_WRONG_PACKET
54 HM_LDAP_SSL_WRITE_ERR
55 HM_LDAP_SSL_WRITE_OTHERS
56 HM_LDAP_SEND_ERR
57 HM_POP3_RECV_TIMEOUT
58 HM_POP3_SEND_TIMEOUT
59 HM_POP3_NO_SERVICE
60 HM_POP3_RECV_ACK_USER_ERR
61 HM_POP3_RECV_ACK_PASS_ERR
62 HM_RADIUS_RECV_ERR
63 HM_RADIUS_RECV_ERR_PACKET
64 HM_RADIUS_RECV_NONE
65 HM_RTSP_RECV_STATUS_ERR
66 HM_RTSP_RECV_ERR
67 HM_RTSP_SEND_ERR
68 HM_SIP_RECV_ERR
69 HM_SIP_RECV_ERR_PACKET
70 HM_SIP_CONN_CLOSED
71 HM_SIP_NO_MEM
72 HM_SIP_STARTUP_ERR
73 HM_SMTP_RECV_ERR
74 HM_SMTP_NO_SERVICE
75 HM_SMTP_SEND_HELO_TIMEOUT
76 HM_SMTP_SEND_QUIT_TIMEOUT
77 HM_SMTP_WRONG_CODE
78 HM_SNMP_RECV_ERR
79 HM_SNMP_RECV_ERR_PACKET
80 HM_SNMP_RECV_ERR_OTHER
81 HM_TCP_PORT_CLOSED
82 HM_TCP_ERROR
83 HM_TCP_INVALID_TCP_FLAG
84 HM_TCP_HALF_NO_ROUTE
85 HM_TCP_HALF_NO_MEM
86 HM_TCP_HALF_SEND_ERR
87 HM_UDP_RECV_ERR
88 HM_UDP_RECV_ERR_OTHERS
89 HM_UDP_NO_SERVICE
90 HM_UDP_ERR
91 HM_COMPOUND_INVAL_RPN
92 HM_COMPOUND_DOWN
93 HM_COMPOUND_TIMEOUT
