
Foundry ServerIron Switch

Command Line Interface Reference

2100 Gold Street


P.O. Box 649100
San Jose, CA 95164-9100
Tel 408.586.1700
Fax 408.586.1900
www.foundrynetworks.com

February 2002
Copyright 2002 by Foundry Networks, Inc.

Contents

CHAPTER 1
GETTING STARTED
    INTRODUCTION
    AUDIENCE
    NOMENCLATURE
    RELATED PUBLICATIONS
    HOW TO GET HELP
        WARRANTY COVERAGE

CHAPTER 2
USING THE COMMAND LINE INTERFACE
    EXEC COMMANDS
        USER LEVEL
        PRIVILEGED LEVEL
    CONFIG COMMANDS
        GLOBAL LEVEL
        REDUNDANCY LEVEL
        INTERFACE LEVEL
        VLAN LEVEL
        REAL SERVER, CACHE SERVER, AND FIREWALL LEVEL
        VIRTUAL SERVER LEVEL
        CACHE GROUP AND FIREWALL GROUP LEVEL
        GLOBAL AFFINITY LEVEL
        GLOBAL SLB DNS ZONE LEVEL
        GLOBAL SLB SITE LEVEL
        GLOBAL SLB POLICY LEVEL
        URL SWITCHING POLICY LEVEL
        HTTP MATCHING LIST LEVEL
        SERVER MONITOR LEVEL
        ROUTING INFORMATION PROTOCOL (RIP) LEVEL
    ACCESSING THE CLI
        NAVIGATING AMONG COMMAND LEVELS
        CLI COMMAND STRUCTURE
        SYNTAX SHORTCUTS
        SAVING CONFIGURATION CHANGES

CHAPTER 3
COMMAND LIST
    COMPLETE COMMAND LIST
    COMMANDS LISTED BY CLI LEVEL
        USER EXEC LEVEL
        PRIVILEGED EXEC LEVEL
        CONFIG COMMANDS

CHAPTER 4
USER EXEC COMMANDS
CHAPTER 5
PRIVILEGED EXEC COMMANDS
CHAPTER 6
GLOBAL CONFIG COMMANDS
CHAPTER 7
REDUNDANT MANAGEMENT MODULE CONFIG COMMANDS
CHAPTER 8
INTERFACE COMMANDS
CHAPTER 9
VLAN COMMANDS
CHAPTER 10
REAL SERVER COMMANDS
CHAPTER 11
VIRTUAL SERVER COMMANDS
CHAPTER 12
CACHE GROUP COMMANDS
CHAPTER 13
GSLB AFFINITY COMMANDS
CHAPTER 14
GSLB DNS ZONE COMMANDS
CHAPTER 15
GSLB SITE COMMANDS
CHAPTER 16
GSLB POLICY COMMANDS
CHAPTER 17
URL SWITCHING COMMANDS
CHAPTER 18
HTTP MATCH LIST COMMANDS
CHAPTER 19
SERVER MONITOR COMMANDS
CHAPTER 20
ROUTING INFORMATION PROTOCOL (RIP) COMMANDS
CHAPTER 21
SHOW COMMANDS

Chapter 1
Getting Started

Introduction
This reference describes the Command Line Interface (CLI) for Foundry ServerIron switch products.
For step-by-step instructions on how to install key features of the system, see the Foundry ServerIron Installation
and Configuration Guide.
NOTE: Some commands are supported only on specific products. Where this is the case, the description for the
command states the products to which the command applies.
NOTE: This reference lists all the commands that appear at each command level for users with super-user
access. If you are logged on with port-configuration access or read-only access, some of these commands will
not be displayed and will not be available.

Audience
This manual is designed for system administrators with a working knowledge of Layer 2 and Layer 4-7
networking.

Nomenclature
This guide uses the following typographical conventions to show information:

Italic        highlights the title of another publication and occasionally emphasizes a word or phrase.
Bold          highlights a CLI command.
Bold Italic   highlights a term that is being defined.
Underline     highlights a link on the Web management interface.
Capitals      highlights field names and buttons that appear in the Web management interface.

NOTE: A note emphasizes an important fact or calls your attention to a dependency.

WARNING: A warning calls your attention to a possible hazard that can cause injury or death.

CAUTION: A caution calls your attention to a possible hazard that can damage equipment.

Related Publications
The following Foundry Networks documents supplement the information in this guide.

Foundry ServerIron Application Guide provides setup procedures for the ServerIron's basic SLB and TCS
features.

Foundry ServerIron Installation and Configuration Guide provides installation instructions as well as
detailed feature descriptions, procedures, and application examples for Server Load Balancing (SLB), Global
SLB (GSLB), Transparent Cache Switching (TCS), and URL Switching.

Foundry ServerIron Firewall Load Balancing Guide provides detailed feature descriptions, procedures, and
application examples for Firewall Load Balancing (FWLB).

To order additional copies of these manuals, do one of the following:

Call 1-877-TURBOCALL (887-2622) in the United States or 408.586.1881 outside the United States.

Send email to info@foundrynet.com.

How to Get Help


Foundry Networks technical support will ensure that the fast and easy access that you have come to expect from
your Foundry Networks products will be maintained.

Web Access
The latest product information and technical tips are always available to our customers from the Foundry
Networks web site. You can access the web site at the following URL:

http://www.foundrynetworks.com

Email Access
Technical requests can also be sent to the following email address:

support@foundrynet.com

Telephone Access

1-877-TURBOCALL (887-2622)    United States
408.586.1881                  Outside the United States

Warranty Coverage
Contact Foundry Networks using any of the methods listed above for information about the standard and
extended warranties.


Chapter 2
Using the Command Line Interface

The CLI is a text-based interface for configuring and monitoring Foundry ServerIron products. You can access the
CLI through either a direct serial connection to the device or a Telnet session.
The commands in the CLI are organized into the following levels:

User EXEC - Lets you display information and perform basic tasks such as pings and trace routes.

Privileged EXEC - Lets you use the same commands as those at the User EXEC level plus configuration
commands that do not require saving the changes to the system-config file.

CONFIG - Lets you make configuration changes to the device. To save the changes across reboots, you
need to save them to the system-config file. The CONFIG level contains sub-levels for individual ports, for
VLANs, and other configuration areas.

NOTE: By default, any user who can open a serial or Telnet connection to the Foundry device can access all
these CLI levels. To secure access, you can configure Enable passwords or local user accounts, or you can
configure the device to use Access Control Lists (ACLs), a RADIUS server, or a TACACS/TACACS+ server for
authentication. See the Foundry Security Guide.
To display a list of available commands or command options, enter ? or press Tab. If you have not entered part
of a command at the command prompt, all the commands supported at the current CLI level are listed. If you
enter part of a command, then enter ? or press Tab, the CLI lists the options you can enter at the point in the
command string.
The CLI supports command completion, so you do not need to enter the entire name of a command or option. As
long as you enter enough characters of the command or option name to avoid ambiguity with other commands or
options, the CLI understands what you are typing.
The CLI supports the following line editing commands. To enter a line-editing command, use the CTRL-key
combination for the command by pressing and holding the CTRL key, then pressing the letter associated with the
command.
Table 2.1: CLI Line-Editing Commands
Ctrl-Key Combination    Description
Ctrl-A                  Moves to the first character on the command line.
Ctrl-B                  Moves the cursor back one character.
Ctrl-C                  Escapes and terminates command prompts and ongoing tasks (such as lengthy displays), and displays a fresh command prompt.
Ctrl-D                  Deletes the character at the cursor.
Ctrl-E                  Moves to the end of the current command line.
Ctrl-F                  Moves the cursor forward one character.
Ctrl-K                  Deletes all characters from the cursor to the end of the command line.
Ctrl-L; Ctrl-R          Repeats the current command line on a new line.
Ctrl-N                  Enters the next command line in the history buffer.
Ctrl-P                  Enters the previous command line in the history buffer.
Ctrl-U; Ctrl-X          Deletes all characters from the cursor to the beginning of the command line.
Ctrl-W                  Deletes the last word you typed.
Ctrl-Z                  Moves from any CONFIG level of the CLI to the Privileged EXEC level; at the Privileged EXEC level, moves to the User EXEC level.

EXEC Commands
There are two different levels of EXEC commands, the User Level and the Privileged Level. The User level
commands are at the top of the CLI hierarchy. These are the first commands that you have access to when
connected to the ServerIron through the CLI.

User Level
At the User EXEC level, you can view basic system information and verify connectivity but cannot make any
changes to the ServerIron configuration. To make changes to the configuration base, you must move to other
levels of the CLI hierarchy. This is accomplished by entering the enable command at initial log-on. Once entered
correctly, you have access to the Privileged Level.

Privileged Level
The Privileged Level EXEC commands primarily enable you to transfer and store ServerIron software images and
configuration files between the network and the system, and to review its configuration. You reach this level by
entering enable <password> or enable <username> <password> at the user EXEC level.

CONFIG Commands
Global Level
The global level is the first level of the CONFIG command structure. The global CONFIG level allows you to
globally apply or modify parameters for ports on the ServerIron. You reach this level by entering configure
terminal at the privileged EXEC level.

Redundancy Level
This redundancy level allows you to configure redundancy parameters for redundant management modules. You
reach this level by entering the redundancy command at the global CONFIG level.
NOTE: The redundancy commands apply only to a BigServerIron with redundant management modules.

Interface Level
The interface level allows you to assign or modify specific port parameters on a port-by-port basis. You reach this
level by entering interface ethernet <portnum> at the global level.

VLAN Level
Policy-based VLANs allow you to assign VLANs on a protocol (IP, IPX, Decnet, AppleTalk, NetBIOS, Others), subnet (IP sub-net and IPX network), port, or 802.1q tagged basis. You reach this level by entering the vlan <vlan-id>
by port command at the Global CONFIG Level for switches and vlan 1 for routers.

Real Server, Cache Server, and Firewall Level


This level allows you to assign and configure servers for the SLB, TCS, FWLB, and web switching features. For
SLB and web switching, you reach this level by entering the server real-name <text> <ip-addr> command at the
global CONFIG level. For TCS, you reach this level by entering the server cache-name <text> command. For
FWLB, you reach this level by entering the server fw-name <text> <ip-addr> command.

Virtual Server Level


The virtual server level allows you to assign and configure virtual servers. You reach this level by entering the
server virtual-name <text> <ip-addr> command at the global CONFIG level.

Cache Group and Firewall Group Level


This level allows you to configure TCS cache groups and the FWLB firewall group. For TCS, you reach this level
by entering the server cache-group <num> command at the global CONFIG level. For FWLB, you reach this
level by entering the server fw-group 2 command at the global CONFIG level.

Global Affinity Level


This level allows you to configure Global SLB (GSLB) affinity parameters. You reach this level by entering the gslb
dns affinity command at the global CONFIG level.

Global SLB DNS Zone Level


This level allows you to configure Global GSLB DNS zone parameters. You reach this level by entering the gslb
dns zone-name <name> command at the global CONFIG level.

Global SLB Site Level


This level allows you to configure GSLB site parameters. You reach this level by entering the gslb site <name>
command at the global CONFIG level.

Global SLB Policy Level


This level allows you to configure GSLB policy parameters. You reach this level by entering the gslb policy
command at the global CONFIG level.

URL Switching Policy Level


This level allows you to configure URL switching policies. You reach this level by entering the url-map <policyname> command at the global CONFIG level.


HTTP Matching List Level


This level allows you to configure matching lists of selection criteria for HTTP content verification health checks.
You reach this level by entering the http match-list <name> command at the global CONFIG level.

Server Monitor Level


This level allows you to configure history lists for monitoring Layer 4 statistics. You reach this level by entering the
server monitor command at the global CONFIG level.

Routing Information Protocol (RIP) Level


This level allows you to configure global RIP parameters for use with IP forwarding. You reach this level by
entering the router rip command at the global CONFIG level.

Accessing the CLI


The CLI can be accessed through both serial and Telnet connections. For initial log on, you must use a serial
connection. Once an IP address is assigned, you can access the CLI through Telnet.
NOTE: When accessing the CLI through Telnet, you are prompted for a password. By default, the password
required is the password you enter for general access at initial setup. You also have the option of assigning a
separate password for Telnet access with the enable telnet password <password> command, available at the
global CONFIG level.
NOTE: At initial log on, all you need to do is type enable at the prompt. You only need to enter a password after
a permanent password is entered at global CONFIG level of the CLI.
Once connectivity to the ServerIron is established, you will see one of the following prompts:
FastIron>
ServerIron>
SW-TurboIron>
At this prompt, you are at the user level of the CLI EXEC command structure.
To reach the Global CONFIG Level, the uppermost level of the CONFIG commands, enter the following
commands:
ServerIron> enable                User Level EXEC commands
ServerIron# configure terminal    Privileged Level EXEC commands
ServerIron(config)#               Global Level CONFIG commands

You can then reach all other levels of the CONFIG command structure from this point.
The CLI prompt will change at each level of the CONFIG command structure, to easily identify the current level. A
summary of the look of each prompt is noted below:

ServerIron>                               User EXEC level
ServerIron#                               Privileged EXEC level
ServerIron(config)#                       Global CONFIG level
BigServerIron(config-redundancy)#         Redundant Management Module CONFIG level
ServerIron(config-gslb-dns-affinity)#     Global SLB Affinity level
ServerIron(config-gslb-dns-zonename)#     Global SLB DNS Zone level
ServerIron(config-gslb-policy)#           Global SLB Policy level
ServerIron(config-gslb-site-sitename)#    Global SLB Site level
ServerIron(config-if-portnum)#            Interface CONFIG level
ServerIron(config-vif-number)#            Virtual Interface CONFIG level
ServerIron(config-vlan-number)#           Port-based VLAN level
ServerIron(config-vlan-protocoltype)#     Protocol VLAN level
ServerIron(config-tc-cachename)#          Cache Group level
ServerIron(config-tc-firewallname)#       Firewall Group level
ServerIron(config-rs-servername)#         Real Server level
ServerIron(config-url-policy)#            URL Switching Policy level
ServerIron(config-vs-servername)#         Virtual Server level
ServerIron(config-http-ml-listname)#      HTTP Matching List level
ServerIron(config-slb-mon)#               Server Monitor Level

NOTE: The CLI prompt at the interface level includes the port speed. The speed is one of the following:

e100 - The interface is a 10/100 port.

e1000 - The interface is a Gigabit port.

For simplicity, the port speeds sometimes are not shown in example Interface level prompts in this manual.
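
Because the prompt changes at every level, a captured serial or Telnet session log can be replayed to show which CLI level each command was entered at, which is useful when reviewing who changed what. The Python below is an added example, not Foundry code: the function names, the sample transcript and its host, server and zone names are constructed for illustration, and only the prompt forms come from the summary above.

```python
import re

# Text inside "(...)" in the prompt, as listed in the manual's prompt summary.
# A key ending in "-" is followed by a name or number (zone, port, server...).
# Order matters: the exact "config-gslb-dns-affinity" must be tried before
# the "config-gslb-dns-<zonename>" prefix.
CONFIG_LEVELS = [
    ("config-gslb-dns-affinity", "Global SLB Affinity"),
    ("config-gslb-dns-", "Global SLB DNS Zone"),
    ("config-gslb-policy", "Global SLB Policy"),
    ("config-gslb-site-", "Global SLB Site"),
    ("config-redundancy", "Redundant Management Module CONFIG"),
    ("config-http-ml-", "HTTP Matching List"),
    ("config-slb-mon", "Server Monitor"),
    ("config-vlan-", "VLAN"),
    ("config-vif-", "Virtual Interface CONFIG"),
    ("config-url-", "URL Switching Policy"),
    ("config-if-", "Interface CONFIG"),   # covers any port/speed text after it
    ("config-tc-", "Cache Group / Firewall Group"),
    ("config-rs-", "Real Server"),
    ("config-vs-", "Virtual Server"),
    ("config", "Global CONFIG"),
]
EXEC_LEVELS = ("User EXEC", "Privileged EXEC")

PROMPT = re.compile(
    r"^(?P<host>[A-Za-z0-9_.-]+)"   # e.g. ServerIron, SW-TurboIron
    r"(?:\((?P<ctx>[^)]*)\))?"      # optional "(config...)" part
    r"(?P<mark>[>#])"               # ">" user level, "#" every level above it
    r"\s*(?P<cmd>.*)$"
)


def level_of(ctx, mark):
    """Map the prompt's context text and end mark to a CLI level name."""
    if ctx is None:
        return "User EXEC" if mark == ">" else "Privileged EXEC"
    if mark != "#":
        return None  # "(...)>" is not a prompt form the manual lists
    for key, name in CONFIG_LEVELS:
        if key.endswith("-"):
            if ctx.startswith(key) and len(ctx) > len(key):
                return name
        elif ctx == key:
            return name
    if ctx.startswith("config"):
        return "CONFIG (sub-level not in prompt table)"
    return None


def classify(line):
    """Return (host, level, command) for a prompt line, else None."""
    m = PROMPT.match(line.strip())
    if not m:
        return None
    level = level_of(m.group("ctx"), m.group("mark"))
    if level is None:
        return None
    return (m.group("host"), level, m.group("cmd").strip())


def audit(transcript):
    """List every command in the transcript with the level it was typed at."""
    hits = (classify(line) for line in transcript.splitlines())
    return [h for h in hits if h and h[2]]


def config_level_commands(transcript):
    """Commands entered at any CONFIG level, i.e. configuration changes."""
    return [(lvl, cmd) for _, lvl, cmd in audit(transcript)
            if lvl not in EXEC_LEVELS]


# Constructed session log (addresses are documentation ranges).
SAMPLE = """\
ServerIron> enable
ServerIron# configure terminal
ServerIron(config)# server real-name web1 192.0.2.10
ServerIron(config-rs-web1)# max-conn 500
ServerIron(config-rs-web1)# exit
ServerIron(config)# gslb dns zone-name example.com
ServerIron(config-gslb-dns-example.com)# exit
ServerIron(config)# exit
ServerIron# copy running-config tftp 192.0.2.50 cfg.txt
ServerIron#
"""

if __name__ == "__main__":
    for host, level, cmd in audit(SAMPLE):
        print(f"{level:<22} {cmd}")
```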

Navigating Among Command Levels


To reach other CLI command levels, you need to enter certain commands. At each level there is a launch
command that allows you to move either up or down to the next level.

CLI Command Structure


Many CLI commands may require textual or numeric input as part of the command. These fields are either
required or optional depending on how the information is bracketed. For clarity, a few CLI command examples are
explained below.
EXAMPLE:
server virtual-name <value>
vlan <num> [name <value>] by port
Whenever an item is bracketed with < > symbols, the information requested is required.
Whenever an item is bracketed with [ ] symbols, the information requested is optional.
Whenever two or more options are separated by a vertical bar, | , you must enter one of the options as part of
the command.
predictor least-conn | response-time | round-robin | weighted    (means enter one of the values)

For example, the command above requires that "least-conn", "response-time", "round-robin", or "weighted" be
entered as part of the command.
To get a quick display of available options at a CLI level, enter a question mark (?) at the prompt, and a summary
list of possible commands will be listed, as shown below:
To view all available commands at the user level, enter the following:


ServerIron> ? <return>
enable
fastboot
You also can use the question mark (?) with an individual command to see all available options for that command
or to check context.
To view possible copy command options, enter the following:
ServerIron# copy ?
flash
running-config
startup-config
tftp
ServerIron# copy flash ?
tftp

Syntax Shortcuts
Commands and parameters can be abbreviated as long as enough text is entered to distinguish them from other
commands at that level. For example, given the possible commands copy tftp and config tftp, possible
shortcuts are cop tftp and con tftp respectively. In this case, co does not properly distinguish the two commands.
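
Because the CLI accepts any unambiguous prefix, a review of logged commands that matches only full command text misses abbreviated entries such as cop tftp. The Python below is an added example (not from the manual or Foundry software) that expands abbreviations before matching; the command table is a constructed subset of commands named on this page, and the watch list and log entries are assumptions made for illustration.

```python
# Constructed subset of commands named on this page; it is not the device's
# full command tree. Each word maps to the keywords that may follow it; an
# empty dict means whatever follows is an argument (IP address, file name...).
# Expansion only mirrors the device if the table holds every command of the
# CLI level: without "rename" below, "re" would wrongly resolve to "reload".
COMMANDS = {
    "clear": {"arp": {}, "logging": {}, "statistics": {}},
    "clock": {},
    "configure": {"terminal": {}},
    "copy": {
        "flash": {"tftp": {}},
        "running-config": {"tftp": {}},
        "startup-config": {"tftp": {}},
        "tftp": {"flash": {}, "running-config": {}, "startup-config": {}},
    },
    "erase": {"flash": {}, "startup-config": {}},
    "reload": {},
    "rename": {},
    "write": {"memory": {}},
}

# Hypothetical watch list: commands that move, replace or persist configuration.
WATCHED = [
    "copy running-config tftp",
    "copy startup-config tftp",
    "copy tftp running-config",
    "copy tftp startup-config",
    "erase startup-config",
    "write memory",
    "reload",
]


def expand(line, tree=COMMANDS):
    """Expand abbreviated keywords. Returns (status, text) where status is
    'ok', 'ambiguous' (text lists the candidates) or 'unknown'."""
    tokens, out, node = line.split(), [], tree
    for i, tok in enumerate(tokens):
        if not node:                       # leaf reached: the rest are arguments
            out.extend(tokens[i:])
            break
        if tok in node:                    # assumption: a full word always wins
            match = [tok]
        else:
            match = sorted(w for w in node if w.startswith(tok))
        if len(match) > 1:
            return ("ambiguous", " | ".join(match))
        if not match:
            if i == 0:
                return ("unknown", tok)
            out.extend(tokens[i:])         # not a keyword in this subset
            break
        out.append(match[0])
        node = node[match[0]]
    return ("ok", " ".join(out))


def naive_hits(logged):
    """Literal matching on the text as typed: misses abbreviated commands."""
    return [raw for raw in logged if any(raw.startswith(r) for r in WATCHED)]


def watched_hits(logged):
    """Expand each logged command first, then match against the watch list."""
    hits = []
    for raw in logged:
        status, text = expand(raw)
        if status != "ok":
            continue                       # ambiguous input is rejected by the CLI
        for rule in WATCHED:
            if text == rule or text.startswith(rule + " "):
                hits.append((raw, rule))
                break
    return hits


# Constructed log entries.
LOGGED = [
    "cop run tf 192.0.2.50 cfg.txt",
    "wr mem",
    "copy tftp startup-config 192.0.2.50 new.cfg",
    "co tftp",
    "ping 192.0.2.1",
    "er start",
]

if __name__ == "__main__":
    print("literal match :", naive_hits(LOGGED))
    for raw, rule in watched_hits(LOGGED):
        print(f"expanded match: {raw!r} -> {rule}")
```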

Saving Configuration Changes


You can make configuration changes while the ServerIron is running. The type of configuration change
determines whether or not it becomes effective immediately or requires a save to flash (write memory) and reset
of the system (reload), before it becomes active.
This approach to adopting configuration changes:

allows you to make configuration changes to the operating or running configuration of the ServerIron to
address a short-term requirement or validate a configuration without overwriting the permanent configuration
file, the startup configuration, that is saved in the system flash, and;

ensures that dependent or related configuration changes are all cut in at the same time.

In all cases, if you want to make the changes permanent, you need to save the changes to flash using the write
memory command. When you save the configuration changes to flash, this will become the configuration that is
initiated and run at system boot.
NOTE: The majority of configuration changes are dynamic in nature. Those changes that require a reset of the
system are highlighted in the specific configuration chapter and in the CLI commands of this appendix.


Chapter 3
Command List

This chapter lists all the commands in the CLI. The commands are listed in two ways:

All commands are listed together in a single alphabetic list. See "Complete Command List" on page 3-1.

Commands are listed separately for each CLI level (for example, global CONFIG level, BGP4 level, and so
on). See "Commands Listed by CLI Level" on page 3-16.

In each list, the page numbers in this reference that describe the commands are listed.

Complete Command List


The following table lists all the CLI commands on Foundry ServerIron products.
Table 3.1: Complete ServerIron Command List
Command                             Page
aaa authentication                  6-1
aaa authorization                   6-2
aaa accounting                      6-3
access-list (standard)              6-3
access-list (extended)              6-5
acl-id                              11-1, 12-1
active-management                   7-1
all-client                          6-7
always-active                       9-1
append                              5-1
arp                                 6-8
asymmetric                          10-1
atalk-proto                         6-8, 9-1
attrib                              5-1
auto-gig                            8-1
backup                              10-1
banner exec                         6-9
banner incoming                     6-9
banner motd                         6-9
bind                                11-1
boot system bootp                   5-2, 6-10
boot system flash primary           5-2, 6-10
boot system flash secondary         5-3, 6-10
boot system slot1 | slot2           5-3
boot system tftp                    5-3, 6-11
broadcast filter                    6-11
broadcast limit                     6-12, 8-1
cache-enable                        11-2
cache-group                         8-1
cache-name                          12-1
capacity                            16-1
capacity threshold                  16-1
cd                                  5-4
chassis name                        6-12
chassis poll-time                   6-13
chassis trap-log                    6-13
chdir                               5-4
clear arp                           5-4
clear healthck statistics           5-5
clear ip cache                      5-5
clear ip nat                        5-5
clear ip traffic                    5-6
clear logging                       5-6
clear mac-address                   5-6
clear public-key                    5-6
clear rmon                          5-6
clear server                        5-7
clear server session                5-7
clear snmp-server                   5-8
clear statistics                    5-8
clear statistics dos-attack         5-8
clear web-connection                5-8
clock                               5-8
clock summer-time                   6-13
clock timezone                      6-13
clone-server                        10-2
configure terminal                  5-9
confirm-port-up                     6-14
console                             6-14
copy <from-card> <to-card>          5-9
copy flash flash                    5-9
copy flash slot1 | slot2            5-10
copy flash tftp                     5-10
copy running slot1 | slot2          5-10
copy running-config tftp            5-11
copy slot1 | slot2 flash            5-11
copy slot1 | slot2 running          5-11
copy slot1 | slot2 start            5-12
copy slot1 | slot2 tftp             5-12
copy start slot1 | slot2            5-13
copy startup-config tftp            5-13
copy tftp flash                     5-13
copy tftp running-config            5-14
copy tftp slot1 | slot2             5-14
copy tftp startup-config            5-14
crypto key                          6-15
crypto random-number-seed           6-15
debug access-list                   5-18
debug ip nat                        5-16
decnet-proto                        6-15, 9-2
default                             17-1, 18-1
default-vlan-id                     6-16
delete                              5-16
deny redistribute                   20-1
dest-nat                            12-2
dhcp-gateway-list                   6-16, 8-2
dir                                 5-17
disable                             12-2, 8-2
dns active-only                     16-2
dns check-interval                  16-2
dns ttl                             16-2
down compound                       18-1
down simple                         18-2
enable                              4-1, 6-17, 8-2
enable <password>                   4-1
enable <username> <password>        4-1
enable password-display             6-17
enable skip-page-display            6-17
enable snmp config-radius           6-18
enable snmp config-tacacs           6-18
enable telnet authentication        6-18
enable telnet password              6-18
end                                 6-18
erase flash primary                 5-18
erase flash secondary               5-18
erase startup-config                5-19
exceed-max-drop                     10-2
exit                                6-19
failover-acl                        12-3
fastboot                            4-2, 5-19
fast port-span                      6-19
fast uplink-span                    6-19
filter-match                        10-3
flashback                           16-3
flashback application | tcp tolerance <num>  16-3
flow-control                        6-19, 8-3
format                              5-19
fwall-info                          12-3
fwall-zone                          12-4
fw-exceed-max-drop                  12-4
fw-group                            8-3
fw-health-check icmp                12-4
fw-health-check tcp | udp           12-5
fw-name                             12-6
fw-predictor                        12-6
geographic                          16-4
geo-location                        15-1
gig-default                         6-20, 8-3
gslb affinity                       6-20
gslb communication                  6-21
gslb dns zone-name                  6-21
gslb policy                         6-22
gslb protocol                       6-22
gslb site                           6-23
hash-mask                           12-6
hash-port-range                     12-7
hash-ports                          12-7
hd                                  5-20
healthck                            6-23  Note: ServerIronXL only
healthck                            6-26  Note: ServerIron 400 and ServerIron 800 only
health-check                        16-4
history                             19-1
history-group                       10-3
host-info                           14-1
hostname                            6-32
host-range                          10-3, 11-3
http-cache-control                  12-8
http match-list                     6-32
httpredirect                        11-3
interface ethernet                  6-33
ip access-group                     8-4
ip access-list                      6-33
ip address (Layer 2)                6-34
ip address (Layer 3)                8-5
ip-address                          10-4
ip default-gateway                  6-34
ip dns domain-name                  6-35
ip dns server-address               6-35
ip filter                           6-35
ip forward                          6-35
ipg10                               8-9
ipg100                              8-9
ipg1000                             8-10
ip icmp burst                       6-36, 8-6
ip multicast                        6-36
ip-multicast-disable                8-6
ip nat inside                       6-36
ip nat pool                         6-38
ip nat translation                  6-38
ip policy                           6-39
ip-policy                           8-6
ip-proto                            6-46, 9-2
ip rip                              8-7
ip rip learn-default                8-7
ip rip poison-reverse               8-8
ip route                            6-40
ip show-subnet-length               6-40
ip ssh authentication-retries       6-41
ip ssh key-size                     6-41
ip ssh password-authentication      6-41
ip ssh permit-empty-passwd          6-41
ip ssh port                         6-42
ip ssh pub-key-file                 6-42
ip ssh rsa-authentication           6-43
ip ssh scp                          6-43
ip ssh timeout                      6-43
ip strict-acl-mode                  6-43
ip-subnet                           6-46, 9-3
ip tcp burst                        6-44, 8-8
ip ttl                              6-45
ipx-network                         6-47, 9-4
ipx-proto                           6-47, 9-4
kill                                5-20
l2-fwall                            12-8
locate                              5-20
lock-address ethernet               6-48
logging                             6-48
mac-age-time                        6-49
mac filter                          6-50
mac filter-group                    8-10
mac filter log-enable               6-52
match                               17-2
max-conn                            10-4
max-tcp-conn-rate                   10-5
max-udp-conn-rate                   10-5
md                                  5-21
method                              17-2
metric-order                        16-4
mirror-port                         6-52
mkdir                               5-21
module                              6-52
monitor

8-11

more

5-22

multicast filter

6-53

multicast limit

6-53, 8-11

ncopy flash primary | secondary slot1 | slot2


<to-name>

5-22

ncopy flash primary | secondary tftp <ip-addr>


<from-name>

5-23

ncopy running slot1 | slot2 <to-name>

5-23

ncopy running-config tftp <ip-addr> <from-name>

5-24

ncopy slot1 | slot2 <from-name> flash primary |


secondary

5-24

ncopy slot1 | slot2 <from-name> running

5-24

ncopy slot1 | slot2 <from-name> slot1 | slot2


[<to-name>]

5-25

ncopy slot1 | slot2 <from-name> start

5-25

ncopy start slot1 | slot2 <to-name>

5-26

ncopy slot1 | slot2 <from-name> tftp <ip-addr>


[<to-name>]

5-26

ncopy startup-config tftp <ip-addr> <from-name>

5-26

ncopy tftp <ip-addr> <from-name> flash primary | secondary

5-26

ncopy tftp <ip-addr> <from-name> running-config

5-27

ncopy tftp <ip-addr> <from-name> slot1 | slot2 [<to-name>]

5-27

ncopy tftp <ip-addr> <from-name> startup-config

5-28

neg-off

8-11

netbios-proto

6-54

no

6-54

no-group-failover

12-8

no-http-downgrade

12-9

num-session

16-6

num-session tolerance

16-6

other-ip

10-5

other-proto

6-54, 9-5

page-display

5-28

password-change

6-54

perf-mode

6-56

permit redistribute

20-2

phy-mode

8-12

ping

4-2, 5-28

port

10-5, 11-3

port disable-all

10-8

port unbind-all

10-8

port-name

8-12

predictor

11-7

prefer

13-1

prefer-cnt

12-9

preference

16-7

prefer-router-cnt

12-9

priority

9-6

privilege

6-55

protocol

16-7

pvst-mode

8-12

pwd

5-29

qos-priority

8-13

quit

6-55

radius-server

6-56

rconsole

5-30

rconsole-exit

5-30

rd

5-30

redistribution

20-3

reload

5-31

rename

5-31

relative-utilization

6-56

response-time

10-9

rmdir

5-31

rmon alarm

6-57

rmon event

6-57

rmon history

6-58

round-trip-time

16-7

round-trip-time cache-interval

16-8

round-trip-time cache-prefix

16-8

round-trip-time explore-percentage

16-8

round-trip-time tolerance

16-9

router-interface

9-6

rshow

6-58

server active-active-port

6-59

server allow-sticky

6-59

server backup

6-60

server backup-group

6-60

server backup-port

6-60

server backup-preference

6-61

server backup-timer

6-61

server cache-group

6-61

server cache-name

6-62

server cache-router-offload

6-62

server cache-stateful

6-62

server clock-scale

6-62

server connection-log

6-63

server delay-symmetric

6-63

server force-delete

6-64

server fw-group

6-66

server fw-name

6-66

server fw-port

6-66

server fw-recv-stateful

6-66

server fw-slb

6-67

server fw-stateful

6-67

server fw-strict-sec

6-67

server fw-superzone

6-67

server icmp-message

6-68

server l4-check

6-68

server max-ssl-session-id

6-68

server max-url-switch

6-69

server monitor

6-69

server msl

6-69

server no-fast-bringup

6-69

server no-real-l3-check

6-70

server no-remote-l3-check

6-70

server no-slow-start

6-70

server partner-ports

6-71

server path-group

6-71

server peer-group

6-71

server ping-interval

6-72

server ping-retries

6-72

server policy-hash-acl

6-73

server port

6-73

server predictor

6-78

server real-name

6-78

server reassign-threshold

6-78

server remote-name

6-79

server reverse-nat

6-80

server response-time

6-79

server router-ports

6-81

server session-id-age

6-81

server session-limit

6-81

server slb-fw

6-81

server source-ip

6-82

server source-nat

6-82

server source-nat-ip

6-82

server source-standby-ip

6-83

server sticky-age

6-83

server sym-pdu-rate

6-83

server syn-def

6-84

server syn-limit

6-84

server tcp-age

6-85

server transparent-vip

6-85

server udp-age

6-85

server use-simple-ssl-health-check

6-86

server virtual-name

6-86

server vpn-lb

6-86

server vpn-lb-inside

6-87

service password-encryption

6-87

show aaa

21-1

show arp

21-1

show cache-group

21-2

show chassis

21-2

show clock

21-3

show configuration

21-3

show default

21-3

show flash

21-4

show fw-group

21-4

show fw-hash

21-4

show gslb cache

21-5

show gslb default

21-6

show gslb dns detail

21-6

show gslb dns zone

21-7

show gslb global-stat

21-8

show gslb policy

21-8

show gslb resources

21-9

show gslb site

21-10

show healthck

21-11

show healthck statistics

21-12

show http match-list

21-12

show interfaces

21-12

show ip

21-13

show ip cache

21-13

show ip client-public-key

21-14

show ip filter-cache

21-14

show ip interface

21-14

show ip multicast

21-15

show ip nat statistics

21-15

show ip nat translation

21-15

show ip policy

21-16

show ip route

21-16

show ip ssh

21-16

show ip static-arp

21-17

show ip traffic

21-17

show logging

21-18

show mac-address

21-20

show mac-address statistics

21-21

show media

21-21

show module

21-22

show monitor

21-22

show policy-map

21-22

show relative-utilization

21-23

show reload

21-23

show rmon alarm

21-23

show rmon event

21-24

show rmon history

21-24

show rmon statistics

21-24

show running-config

21-25

show server backup

21-25

show server bind

21-25

show server dynamic

21-26

show server fw-path

21-26

show server global

21-26

show server hash

21-27

show server proxy

21-27

show server real

21-27

show server sessions

21-28

show server symmetric

21-29

show server traffic

21-29

show server virtual

21-29

show snmp server

21-30

show sntp associations

21-30

show sntp status

21-31

show span

21-32

show span vlan

21-32

show statistics

21-33

show statistics dos-attack

21-34

show tech-support

21-34

show telnet

21-34

show trunk

21-35

show users

21-35

show version

21-35

show vlans

21-36

show web-connection

21-36

show who

21-36

show wsm-map

21-36

show wsm-state

21-37

si-name

15-2

skip-page-display

5-32

snmp-client

6-88

snmp-server community

6-88

snmp-server contact

6-88

snmp-server enable traps

6-89

snmp-server enable vlan

6-89

snmp-server host

6-89

snmp-server location

6-89

snmp-server pw-check

6-90

snmp-server trap-source

6-90

snmp-server view

6-90

sntp

5-32

sntp poll-interval

6-91

sntp server

6-91

source-nat

10-9, 12-10

source-sticky

11-7

spanning-tree

6-91, 8-13, 9-7

spanning-tree <parameter>

6-91

speed-duplex

8-14

spoof-support

12-10

static-mac-address

6-92, 9-8

static-prefix

16-9

stop-traceroute

4-3, 5-32

sym-active

11-8

sym-priority

11-8, 12-11

sync-standby

5-33, 7-2

system-max

6-94

tacacs-server

6-94

tagged

9-9

tag-type

6-95

tcp-port

17-3

telnet <ip-addr> | <name>

5-33

telnet access-group

6-95

telnet client

6-95

telnet login-timeout

6-96

telnet server

6-96

telnet server enable vlan

6-96

telnet timeout

6-97

temperature shutdown

5-33

temperature warning

5-34

tftp client enable vlan

6-97

traceroute

4-3, 5-34

track

11-9

track-group

11-9

transparent-vip

11-9

trunk

6-97

undebug access-list

5-34

undebug ip nat

5-35

undelete

5-35

unknown-unicast limit

6-98, 8-14

untagged

9-9

up compound

18-3

uplink-switch

9-10

up simple

18-3

url-host-id

12-11

url-map

12-11, 6-98

url-switch

12-11

username

6-98

virtual-ip

12-12

vlan

6-99

vlan-dynamic-discovery

6-99

vlan max-vlans

6-100

web access-group

6-100

web client

6-100

web-management

6-100

web-management enable vlan

6-101

weight

10-10

whois

5-35

write memory

5-36

write terminal

5-36

wsm boot

6-101

wsm copy flash flash

5-36

wsm copy tftp flash

5-36

wsm wsm-map

6-102

Commands Listed by CLI Level


The following sections contain tables that list the CLI commands within each level of the CLI.

User EXEC Level


There are two different levels of EXEC commands, the User EXEC level and the Privileged EXEC level. The
User level commands are at the top of the CLI hierarchy. These are the first commands that you have access to
when connected to the ServerIron through the CLI. At this level, you can view basic system information and verify
connectivity but cannot make any changes to the ServerIron configuration.
To make changes to the configuration, you must move to other levels of the CLI hierarchy. This is accomplished by
the User EXEC level command enable at initial log-on. This command takes you to the Privileged EXEC level,
from which you can reach the configuration command levels.
The User EXEC commands are listed in the following table.
Table 3.2: User EXEC Commands
enable

4-1

enable <password>

4-1

enable <username> <password>

4-1

fastboot

4-2

ping

4-2

rshow

4-3

show

4-3

stop-traceroute

4-3

traceroute

4-3

Privileged EXEC Level


The Privileged EXEC level commands primarily enable you to transfer and store ServerIron software images and
configuration files between the network and the ServerIron, and review the configuration.
You reach this level by entering enable [<password>] or enable <username> <password> at the User EXEC level.
Table 3.3: Privileged EXEC Commands
append

5-1

attrib

5-1

boot system bootp

5-2

boot system flash primary

5-2

boot system flash secondary

5-3

boot system slot1 | slot2

5-3

boot system tftp

5-3

cd

5-4

chdir

5-4

clear arp

5-4

clear healthck statistics

5-5

clear ip cache

5-5

clear ip nat

5-5

clear ip traffic

5-6

clear logging

5-6

clear mac-address

5-6

clear public-key

5-6

clear rmon

5-6

clear server

5-7

clear server session

5-7

clear snmp-server

5-8

clear statistics

5-8

clear statistics dos-attack

5-8

clear web-connection

5-8

clock

5-8

configure terminal

5-9

copy <from-card> <to-card>

5-9

copy flash flash

5-9

copy flash slot1 | slot2

5-10

copy flash tftp

5-10

copy running slot1 | slot2

5-10

copy running-config tftp

5-11

copy slot1 | slot2 flash

5-11

copy slot1 | slot2 running

5-11

copy slot1 | slot2 start

5-12

copy slot1 | slot2 tftp

5-12

copy start slot1 | slot2

5-13

copy startup-config tftp

5-13

copy tftp flash

5-13

copy tftp running-config

5-14

copy tftp slot1 | slot2

5-14

copy tftp startup-config

5-14

debug access-list

5-18

debug ip nat

5-16

delete

5-16

dir

5-17

erase flash primary

5-18

erase flash secondary

5-18

erase startup-config

5-19

exit

5-19

fastboot

5-19

format

5-19

hd

5-20

kill

5-20

locate

5-20

md

5-21

mkdir

5-21

more

5-22

ncopy flash primary | secondary slot1 | slot2 <to-name>

5-22

ncopy flash primary | secondary tftp <ip-addr> <from-name>

5-23

ncopy running slot1 | slot2 <to-name>

5-23

ncopy running-config tftp <ip-addr> <from-name>

5-24

ncopy slot1 | slot2 <from-name> flash primary | secondary

5-24

ncopy slot1 | slot2 <from-name> running

5-24

ncopy slot1 | slot2 <from-name> slot1 | slot2 [<to-name>]

5-25

ncopy slot1 | slot2 <from-name> start

5-25

ncopy start slot1 | slot2 <to-name>

5-26

ncopy slot1 | slot2 <from-name> tftp <ip-addr> [<to-name>]

5-26

ncopy startup-config tftp <ip-addr> <from-name>

5-26

ncopy tftp <ip-addr> <from-name> flash primary | secondary

5-26

ncopy tftp <ip-addr> <from-name> running-config

5-27

ncopy tftp <ip-addr> <from-name> slot1 | slot2 [<to-name>]

5-27

ncopy tftp <ip-addr> <from-name> startup-config

5-28

page-display

5-28

ping

5-28

pwd

5-29

quit

5-30

rconsole

5-30

rconsole-exit

5-30

rd

5-30

reload

5-31

rename

5-31

rmdir

5-31

rshow

5-32

show

5-32

skip-page-display

5-32

sntp

5-32

stop-traceroute

5-32

sync-standby

5-33

telnet <ip-addr> | <name>

5-33

temperature shutdown

5-33

temperature warning

5-34

traceroute

5-34

undebug access-list

5-34

undebug ip nat

5-35

undelete

5-35

whois

5-35

write memory

5-36

write terminal

5-36

wsm copy flash flash

5-36

wsm copy tftp flash

5-36

CONFIG Commands
CONFIG commands modify the configuration of a Foundry ServerIron product. This reference describes the
following CONFIG CLI levels.

Global Level
The global CONFIG level allows you to globally apply or modify parameters for ports on the switch or router. You
reach this level by entering configure terminal at the privileged EXEC level.
Table 3.4: Global CONFIG Commands
aaa authentication

6-1

aaa authorization

6-2

aaa accounting

6-3

access-list (standard)

6-3

access-list (extended)

6-5

all-client

6-7

arp

6-8

atalk-proto

6-8

banner exec

6-9

banner incoming

6-9

banner motd

6-9

boot system bootp

6-10

boot system flash primary

6-10

boot system flash secondary

6-10

boot system tftp

6-11

broadcast filter

6-11

broadcast limit

6-12

chassis name

6-12

chassis poll-time

6-13

chassis trap-log

6-13

clear

6-13

clock summer-time

6-13

clock timezone

6-13

confirm-port-up

6-14

console

6-14

crypto key

6-15

crypto random-number-seed

6-15

decnet-proto

6-15

default-vlan-id

6-16

dhcp-gateway-list

6-16

enable

6-17

enable password-display

6-17

enable skip-page-display

6-17

enable snmp config-radius

6-18

enable snmp config-tacacs

6-18

enable telnet authentication

6-18

enable telnet password

6-18

end

6-18

exit

6-19

fast port-span

6-19

fast uplink-span

6-19

flow-control

6-19

gig-default

6-20

gslb affinity

6-20

gslb communication

6-21

gslb dns zone-name

6-21

gslb policy

6-22

gslb protocol

6-22

gslb site

6-23

healthck

6-23

Note: ServerIronXL only


healthck

6-26

Note: ServerIron 400 and ServerIron 800 only

hostname

6-32

http match-list

6-32

interface ethernet

6-33

ip access-list

6-33

ip address (Layer 2)

6-34

ip default-gateway

6-34

ip dns domain-name

6-35

ip dns server-address

6-35

ip filter

6-35

ip forward

6-35

ip icmp burst

6-36

ip multicast

6-36

ip nat inside

6-36

ip nat pool

6-38

ip nat translation

6-38

ip policy

6-39

ip route

6-40

ip show-subnet-length

6-40

ip ssh authentication-retries

6-41

ip ssh key-size

6-41

ip ssh password-authentication

6-41

ip ssh permit-empty-passwd

6-41

ip ssh port

6-42

ip ssh pub-key-file

6-42

ip ssh rsa-authentication

6-43

ip ssh scp

6-43

ip ssh timeout

6-43

ip strict-acl-mode

6-43

ip tcp burst

6-44

ip tcp conn-rate

6-44

ip tcp conn-rate-change

6-45

ip tcp syn-proxy

6-45

ip ttl

6-45

ip-proto

6-46

ip-subnet

6-46

ipx-network

6-47

ipx-proto

6-47

lock-address ethernet

6-48

logging

6-48

mac-age-time

6-49

mac filter

6-50

mac filter log-enable

6-52

mirror-port

6-52

module

6-52

multicast filter

6-53

multicast limit

6-53

netbios-proto

6-54, 9-5

no

6-54

other-proto

6-54

password-change

6-54

perf-mode

6-56

privilege

6-55

quit

6-55

radius-server

6-56

relative-utilization

6-56

rmon alarm

6-57

rmon event

6-57

rmon history

6-58

router-interface

9-6

rshow

6-58

server active-active-port

6-59

server allow-sticky

6-59

server backup

6-60

server backup-group

6-60

server backup-port

6-60

server backup-preference

6-61

server backup-timer

6-61

server cache-group

6-61

server cache-name

6-62

server cache-router-offload

6-62

server cache-stateful

6-62

server clock-scale

6-62

server connection-log

6-63

server delay-symmetric

6-63

server force-delete

6-64

server fw-group

6-66

server fw-name

6-66

server fw-port

6-66

server fw-recv-stateful

6-66

server fw-slb

6-67

server fw-stateful

6-67

server fw-strict-sec

6-67

server fw-superzone

6-67

server icmp-message

6-68

server l4-check

6-68

server max-conn-trap

6-68

server max-ssl-session-id

6-68

server max-url-switch

6-69

server monitor

6-69

server no-fast-bringup

6-69

server no-real-l3-check

6-70

server no-remote-l3-check

6-70

server no-slow-start

6-70

server partner-ports

6-71

server path-group

6-71

server peer-group

6-71

server ping-interval

6-72

server ping-retries

6-72

server policy-hash-acl

6-73

server port

6-73

server predictor

6-78

server real-name

6-78

server reassign-threshold

6-78

server remote-name

6-79

server response-time

6-79

server reverse-nat

6-80

server router-ports

6-81

server session-id-age

6-81

server session-limit

6-81

server slb-fw

6-81

server source-ip

6-82

server source-nat

6-82

server source-nat-ip

6-82

server source-standby-ip

6-83

server sticky-age

6-83

server sym-pdu-rate

6-83

server syn-def

6-84

server syn-limit

6-84

server tcp-age

6-85

server transparent-vip

6-85

server udp-age

6-85

server use-simple-ssl-health-check

6-86

server virtual-name

6-86

server vpn-lb

6-86

server vpn-lb-inside

6-87

service password-encryption

6-87

show

6-88

snmp-client

6-88

snmp-server community

6-88

snmp-server contact

6-88

snmp-server enable traps

6-89

snmp-server enable vlan

6-89

snmp-server host

6-89

snmp-server location

6-89

snmp-server pw-check

6-90

snmp-server trap-source

6-90

snmp-server view

6-90

sntp poll-interval

6-91

sntp server

6-91

spanning-tree

6-91

spanning-tree <parameter>

6-91

static-mac-address

6-92

system-max

6-94

tacacs-server

6-94

tag-type

6-95

telnet access-group

6-95

telnet client

6-95

telnet login-timeout

6-96

telnet server

6-96

telnet server enable vlan

6-96

telnet timeout

6-97

tftp client enable vlan

6-97

trunk

6-97

unknown-unicast limit

6-98

url-map

6-98

username

6-98

vlan

6-99

vlan-dynamic-discovery

6-99

vlan max-vlans

6-100

web access-group

6-100

web client

6-100

web-management

6-100

web-management enable vlan

6-101

write memory

6-101

write terminal

6-101

wsm boot

6-101

wsm wsm-map

6-102

Redundancy Level
The redundancy CONFIG level allows you to configure parameters on redundant management modules. You
reach this level by entering redundancy at the global CONFIG level.
Table 3.5: Redundancy CONFIG Commands
active-management

7-1

end

7-2

exit

7-2

no

7-2

quit

7-2

show

7-2

sync-standby

7-2

write memory

7-3

write terminal

7-3

Interface Level
The interface level allows you to assign or modify specific port parameters on a port-by-port basis. You reach this
level by entering interface ethernet <portnum> or interface ve <num> at the global CONFIG level.
Table 3.6: Interface Commands

auto-gig

8-1

broadcast limit

8-1

cache-group

8-1

clear

8-2

dhcp-gateway-list

8-2

disable

8-2

enable

8-2

end

8-2

exit

8-3

flow-control

8-3

fw-group

8-3

gig-default

8-3

ip access-group

8-4

ip address (Layer 3)

8-5

ip icmp burst

8-6

ip-multicast-disable

8-6

ip-policy

8-6

ip rip

8-7

ip rip learn-default

8-7

ip rip poison-reverse

8-8

ip tcp burst

8-8

ip tcp syn-proxy

8-9

ipg10

8-9

ipg100

8-9

ipg1000

8-10

mac filter-group

8-10

monitor

8-11

multicast limit

8-11

neg-off

8-11

no

8-12

phy-mode

8-12

port-name

8-12

pvst-mode

8-12

qos-priority

8-13

quit

8-13

rshow

8-13

show

8-13

spanning-tree

8-13

speed-duplex

8-14

unknown-unicast limit

8-14

write memory

8-14

write terminal

8-14

VLAN Level
The VLAN level allows you to configure VLAN parameters. You reach this level by entering the vlan <vlan-id> by
port command at the Global CONFIG Level.
Table 3.7: VLAN Commands
always-active

9-1

atalk-proto

9-1

decnet-proto

9-2

end

9-2

exit

9-2

ip-proto

9-2

ip-subnet

9-3

ipx-network

9-4

ipx-proto

9-4

netbios-proto

9-5

no

9-5

other-proto

9-5

priority

9-6

quit

9-6

rshow

9-7

show

9-7

spanning-tree

9-7

static-mac-address

9-8

tagged

9-9

untagged

9-9

uplink-switch

9-10

write memory

9-10

write terminal

9-10

Real Server, Cache Server, and Firewall Level


This level allows you to assign and configure servers for the SLB, TCS, FWLB, and web switching features. For
SLB and web switching, you reach this level by entering the server real-name <text> <ip-addr> command at the
global CONFIG level. For TCS, you reach this level by entering the server cache-name <text> command. For
FWLB, you reach this level by entering the server fw-name <text> <ip-addr> command.
Table 3.8: Real Server, Cache Server, and Firewall CONFIG Commands

asymmetric

10-1

backup

10-1

clear

10-1

clone-server

10-2

description

10-2

end

10-2

exceed-max-drop

10-2

exit

10-3

filter-match

10-3

history-group

10-3

host-range

10-3

ip-address

10-4

max-conn

10-4

max-tcp-conn-rate

10-5

max-udp-conn-rate

10-5

no

10-5

other-ip

10-5

port

10-5

port disable-all

10-8

port unbind-all

10-8

quit

10-8

response-time

10-9

rshow

10-9

show

10-9

source-nat

10-9

weight

10-10

write memory

10-10

write terminal

10-11

Virtual Server Level


The virtual server level allows you to assign and configure virtual servers. You reach this level by entering the
server virtual-name <text> <ip-addr> command at the global CONFIG level.
Table 3.9: Virtual Server CONFIG Commands
acl-id

11-1

bind

11-1

cache-enable

11-2

clear

11-2

end

11-2

exit

11-2

host-range

11-3

httpredirect

11-3

no

11-3

port

11-3

predictor

11-7

quit

11-7

rshow

11-7

show

11-7

source-sticky

11-7

sym-active

11-8

sym-priority

11-8

track

11-9

track-group

11-9

transparent-vip

11-9

write memory

11-9

write terminal

11-10

Cache Group and Firewall Group Level


This level allows you to configure TCS cache groups and the FWLB firewall group. For TCS, you reach this level
by entering the server cache-group <num> command at the global CONFIG level. For FWLB, you reach this
level by entering the server fw-group 2 command at the global CONFIG level.
Table 3.10: Cache Group and Firewall Group CONFIG Commands

acl-id

12-1

cache-name

12-1

clear

12-2

dest-nat

12-2

disable

12-2

end

12-2

exit

12-3

failover-acl

12-3

fwall-info

12-3

fwall-zone

12-4

fw-exceed-max-drop

12-4

fw-health-check icmp

12-4

fw-health-check tcp | udp

12-5

fw-name

12-6

fw-predictor

12-6

hash-mask

12-6

hash-port-range

12-7

hash-ports

12-7

http-cache-control

12-8

l2-fwall

12-8

no

12-8

no-group-failover

12-8

no-http-downgrade

12-9

prefer-cnt

12-9

prefer-router-cnt

12-9

quit

12-10

rshow

12-10

show

12-10

source-nat

12-10

spoof-support

12-10

sym-priority

12-11

url-host-id

12-11

url-map

12-11

url-switch

12-11

virtual-ip

12-12

write memory

12-12

write terminal

12-12

GSLB Affinity Level


This level allows you to configure Global SLB (GSLB) affinity parameters. You reach this level by entering the gslb
dns affinity command at the global CONFIG level.
Table 3.11: GSLB Affinity CONFIG Commands
end

13-1

exit

13-1

no

13-1

prefer

13-1

quit

13-2

rshow

13-2

show

13-2

write memory

13-2

write terminal

13-3

GSLB DNS Zone Level


This level allows you to configure Global GSLB DNS zone parameters. You reach this level by entering the gslb
dns zone-name <name> command at the global CONFIG level.
Table 3.12: GSLB DNS Zone CONFIG Commands
end

14-1

exit

14-1

host-info

14-1

no

14-2

quit

14-2

rshow

14-3

show

14-3

write memory

14-3

write terminal

14-3

GSLB Site Level


This level allows you to configure GSLB site parameters. You reach this level by entering the gslb site <name>
command at the global CONFIG level.
Table 3.13: GSLB Site CONFIG Commands

end

15-1

exit

15-1

geo-location

15-1

no

15-2

quit

15-2

rshow

15-2

show

15-2

si-name

15-2

write memory

15-3

write terminal

15-3

GSLB Policy Level


This level allows you to configure GSLB policy parameters. You reach this level by entering the gslb policy
command at the global CONFIG level.
Table 3.14: GSLB Policy CONFIG Commands
capacity

16-1

capacity threshold

16-1

dns active-only

16-2

dns check-interval

16-2

dns ttl

16-2

end

16-2

exit

16-3

flashback

16-3

flashback application | tcp tolerance <num>

16-3

geographic

16-4

health-check

16-4

metric-order

16-4

no

16-6

num-session

16-6

num-session tolerance

16-6

preference

16-7

protocol

16-7

quit

16-7

round-trip-time

16-7

round-trip-time cache-interval

16-8

round-trip-time cache-prefix

16-8

round-trip-time explore-percentage

16-8

round-trip-time tolerance

16-9

rshow

16-9

show

16-9

static-prefix

16-9

write memory

16-10

write terminal

16-10

URL Switching Level


This level allows you to configure URL switching policies. You reach this level by entering the url-map <policyname> command at the global CONFIG level.
Table 3.15: URL Switching CONFIG Commands
default

17-1

end

17-1

exit

17-1

match

17-2

method

17-2

no

17-2

quit

17-2

rshow

17-2

show

17-3

tcp-port

17-3

write memory

17-3

write terminal

17-3

HTTP Match List Level


This level allows you to configure matching lists of selection criteria for HTTP content verification health checks.
You reach this level by entering the http match-list <name> command at the global CONFIG level.
Table 3.16: HTTP Match List CONFIG Commands

default

18-1

down compound

18-1

down simple

18-2

end

18-2

exit

18-2

no

18-2

quit

18-2

rshow

18-3

show

18-3

up compound

18-3

up simple

18-3

write memory

18-3

write terminal

18-3

Server Monitor Level


This level allows you to configure history lists for monitoring Layer 4 statistics. You reach this level by entering the
server monitor command at the global CONFIG level.
Table 3.17: Server Monitor CONFIG Commands
end

19-1

exit

19-1

history

19-1

no

19-2

quit

19-2

rshow

19-2

show

19-2

write memory

19-2

write terminal

19-2

Routing Information Protocol (RIP) Level


This level allows you to configure global RIP parameters for use with IP forwarding. You reach this level by
entering the router rip command at the global CONFIG level.
Table 3.18: RIP CONFIG Commands
deny redistribute

20-1

end

20-2

exit

20-2

no

20-2

permit redistribute

20-2

quit

20-3

redistribution

20-3

rshow

20-3

show

20-4

write memory

20-4

write terminal

20-4

Show Commands
The show commands display configuration information and statistics. You can enter these commands from any
level of the CLI.
Table 3.19: Show Commands
show aaa

21-1

show arp

21-1

show cache-group

21-2

show chassis

21-2

show clock

21-3

show configuration

21-3

show default

21-3

show flash

21-4

show fw-group

21-4

show fw-hash

21-4

show gslb cache

21-5

show gslb default

21-6

show gslb dns detail

21-6

show gslb dns zone

21-7

show gslb global-stat

21-8

show gslb policy

21-8

show gslb resources

21-9

show gslb site

21-10

show healthck

21-11

show healthck statistics

21-12

show http match-list

21-12

show interfaces

21-12

show ip

21-13

show ip cache

21-13

show ip client-public-key

21-14

show ip filter-cache

21-14

show ip interface

21-14

show ip multicast

21-15

show ip nat statistics

21-15

show ip nat translation

21-15

show ip policy

21-16

show ip route

21-16

show ip ssh

21-16

show ip static-arp

21-17

show ip traffic

21-17

show logging

21-18

show mac-address

21-20

show mac-address statistics

21-21

show media

21-21

show module

21-22

show monitor

21-22

show policy-map

21-22

show relative-utilization

21-23

show reload

21-23

show rmon alarm

21-23

show rmon event

21-24

show rmon history

21-24

show rmon statistics

21-24

show running-config

21-25

show server backup

21-25

show server bind

21-25

show server conn-rate

21-25

show server dynamic

21-26

show server fw-path

21-26

show server global

21-26

show server hash

21-27

show server proxy

21-27

show server real

21-27

show server sessions

21-28

show server symmetric

21-29

show server traffic

21-29

show server virtual

21-29

show snmp server

21-30

show sntp associations

21-30

show sntp status

21-31

show span

21-32

show span vlan

21-32

show statistics

21-33

show statistics dos-attack

21-34

show tech-support

21-34

show telnet

21-34

show trunk

21-35

show users

21-35

show version

21-35

show vlans

21-36

show web-connection

21-36

show who

21-36

show wsm-map

21-36

show wsm-state

21-37

Chapter 4
User EXEC Commands

enable
At initial startup, you enter this command to access the privileged EXEC level of the CLI. You access subsequent
levels of the CLI using the proper launch commands.
You can assign a permanent password with the enable password command at the global level of the CONFIG
command structure. To reach the global level, enter configure terminal. Until a password is assigned, you have
access only to the user level.
NOTE: You also can configure the ServerIron to authenticate access using a RADIUS or TACACS/TACACS+
server or local user accounts. See the Foundry Security Guide.
EXAMPLE:
ServerIron> enable

Syntax: enable
Possible values: N/A
Default value: No system default

enable <password>
Once a password is defined for the ServerIron, you must enter this command along with the defined password to
access the privileged EXEC Level of the CLI.
Three levels of password access can be assigned at the global CONFIG level.
EXAMPLE:
ServerIron> enable whatever
ServerIron#

Syntax: enable <password>


Possible values: Up to 32 alphanumeric characters can be assigned as the password.
Default value: N/A

enable <username> <password>


If local access control is configured on the ServerIron, you are prompted for a user name and a password. The
user name and password must be configured in a user account on the ServerIron.
EXAMPLE:
ServerIron> enable waldo whereis
ServerIron#

Syntax: enable <username> <password>


Possible values: N/A
Default value: N/A

fastboot
By default, this option is turned off, to provide a three-second pause to allow you to break into the boot prompt, if
necessary. Use fastboot on to turn this option on and eliminate the three-second pause. To turn this feature off
later, enter the command, fastboot off. Fastboot changes will be saved automatically but will not become active
until after a system reset.
To execute an immediate reload of the boot code from the console without a three-second delay, enter the fast
reload command. The fast reload command is found at the privileged level.
EXAMPLE:
ServerIron> fastboot on

Syntax: fastboot [on | off]


Possible values: off

ping
Verifies connectivity to a Foundry device or another device. The command performs an ICMP echo test to confirm
connectivity to the specified device.
NOTE: If you address the ping to the IP broadcast address, the device lists the first four responses to the ping.
EXAMPLE:
ServerIron> ping 192.22.2.33

Syntax: ping <ip addr> | <hostname> [source <ip addr>] [count <num>] [timeout <msec>] [ttl <num>] [size <byte>]
[quiet] [numeric] [no-fragment] [verify] [data <1-to-4 byte hex>] [brief]
The only required parameter is the IP address or host name of the device.
NOTE: If the device is a Foundry Layer 2 or Layer 3 Switch, you can use the host name only if you have already
enabled the Domain Name Server (DNS) resolver feature on the device from which you are sending the ping. See
the Configuring Basic Features chapter of the Foundry Switch and Router Installation and Basic Configuration
Guide.
The source <ip addr> specifies an IP address to be used as the origin of the ping packets.
The count <num> parameter specifies how many ping packets the device sends. You can specify from 1 -
4294967296. The default is 1.
The timeout <msec> parameter specifies how many milliseconds the Foundry device waits for a reply from the
pinged device. You can specify a timeout from 1 - 4294967296 milliseconds. The default is 5000 (5 seconds).
The ttl <num> parameter specifies the maximum number of hops. You can specify a TTL from 1 - 255. The
default is 64.
The size <byte> parameter specifies the size of the ICMP data portion of the packet. This is the payload and does
not include the header. You can specify from 0 - 4000. The default is 16.
The no-fragment parameter turns on the "don't fragment" bit in the IP header of the ping packet. This option is
disabled by default.
The quiet parameter hides informational messages such as a summary of the ping parameters sent to the device
and instead only displays messages indicating the success or failure of the ping. This option is disabled by
default.

The verify parameter verifies that the data in the echo packet (the reply packet) is the same as the data in the
echo request (the ping). By default the device does not verify the data.
The data <1-to-4 byte hex> parameter lets you specify a specific data pattern for the payload instead of the default
data pattern, "abcd", in the packet's data payload. The pattern repeats itself throughout the ICMP message
(payload) portion of the packet.
NOTE: For numeric parameter values, the CLI does not check that the value you enter is within the allowed
range. Instead, if you do exceed the range for a numeric value, the software rounds the value to the nearest valid
value.
The brief parameter causes ping test characters to be displayed. The following ping test characters are
supported:
!   Indicates that a reply was received.

Indicates that the network server timed out while waiting for a reply.

Indicates that a destination unreachable error PDU was received.

Indicates that the user interrupted ping.

Possible values: see above


Default value: see above

rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.

show
Displays a variety of configuration and statistical information about the device. See "Show Commands" on
page 21-1.

stop-traceroute
Stops an initiated trace on a Foundry device.
EXAMPLE:
ServerIron> stop-traceroute

Syntax: stop-traceroute
Possible values: N/A
Default value: N/A

traceroute
Allows you to trace the path from the current Foundry device to a host address.
The CLI displays trace route information for each hop as soon as the information is received. Traceroute requests
display all responses to a given TTL. In addition, if there are multiple equal-cost routes to the destination, the
Foundry device displays up to three responses by default.
EXAMPLE:
ServerIron> traceroute 192.33.4.7 minttl 5 maxttl 5 timeout 5

Syntax: traceroute <host-ip-addr> [maxttl <value>] [minttl <value>] [numeric] [timeout <value>]
[source-ip <ip addr>]

Possible and default values:


minttl - minimum TTL (hops) value: Possible values are 1 - 255. Default value is 1 second.
maxttl - maximum TTL (hops) value: Possible values are 1 - 255. Default value is 30 seconds.
timeout - Possible values are 1 - 120. Default value is 2 seconds.
numeric - Lets you change the display to list the devices by their IP addresses instead of their names.
source-ip <ip addr> - Specifies an IP address to be used as the origin for the traceroute.

Chapter 5
Privileged EXEC Commands

append
Appends a file on a PCMCIA flash card to the end of another file.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
BigServerIron# append newacls.cfg startup-config.cfg
This command appends a file called newacls.cfg to the end of a file called startup-config.cfg. This example
assumes that both files are present on the PCMCIA slot and in the subdirectory level that currently has the
management focus.
The following command appends a file in the current subdirectory to the end of a file in another subdirectory:
BigServerIron# append newacls.cfg \TEST\startup-config.cfg

Syntax: append [<from-card> <to-card>] [\<from-dir-path>\]<from-name> [\<to-dir-path>\]<to-name>


The <from-card> and <to-card> parameters specify the source and destination flash cards when you are
appending a file on one flash card to a file located on another flash card.
The [\<from-dir-path>\]<from-name> parameter specifies the file you are adding to the end of another file. If the
file is not located in the current subdirectory (the subdirectory that currently has the management focus), specify
the subdirectory path in front of the file name.
The [\<to-dir-path>\]<to-name> parameter specifies the file to which you are appending the other file. If the file is
not located in the current subdirectory, specify the subdirectory path in front of the file name.
Possible values: See above
Default value: N/A

attrib
Changes the read-write attribute of a file on a flash card in a Management IV module's PCMCIA slot.
NOTE: This command applies only to a BigServerIron using a Management IV module.
The read-write attribute specifies whether a file on a flash card can be changed or deleted.

Read-only - You can display or copy the file but you cannot replace (copy over) or delete the file.

Read-write - You can replace (copy over) or delete the file. This is the default.

Use the following method to change the read-write attribute of a file.


EXAMPLE:
To protect a file from accidental changes by changing the read-write attribute from read-write to read-only, enter a
command such as the following:
BigServerIron# attrib ro goodcfg.cfg

Syntax: attrib [slot1 | slot2] ro | rw <file-name>


To determine the read-write attribute of a file, use the dir command to list the directory information for the file.
Files set to read-only are listed with "R" in front of the file name. See "dir" on page 5-17.
To change all files on a flash card to read-only, enter a command such as the following:
BigServerIron# attrib ro *.*
This command changes the read-write attribute for all files on the flash card that currently has the management
focus to read-only.
Possible values: See above.
Default value: rw (read-write)

boot system bootp


Initiates a system boot from a BootP server. You can specify the preferred initial boot source and boot sequence
in the startup-config file. If upon boot, the user-specified boot source and sequence fails, then by default, the
ServerIron will attempt to load the software image from a different source. The following sources will be tried one
at a time, in the order noted, until a software load is successful.

flash primary

flash secondary

TFTP

BootP

If the image does not load successfully from the above sources, you are prompted to enter alternative locations
from which to load an image:

boot system bootp

boot system flash primary

boot system flash secondary

boot system tftp

EXAMPLE:
ServerIron# boot system bootp

Syntax: boot system bootp


Possible values: N/A
Default value: N/A

boot system flash primary


Initiates a system boot from the primary software image stored in flash.
EXAMPLE:
ServerIron(config)# boot system flash primary

Syntax: boot system flash primary


Possible values: N/A
Default value: N/A

boot system flash secondary


Initiates a system boot from the secondary software image stored in flash.
EXAMPLE:
ServerIron(config)# boot system flash secondary

Syntax: boot system flash secondary


Possible values: N/A
Default value: N/A

boot system slot1 | slot2


Initiates a system boot from an image file on a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron with the Management IV module.
EXAMPLE:
To reboot the device using a software image file on the flash card, enter a command such as the following at the
Privileged Exec level of the CLI:
BigServerIron# boot system slot1 BSI07101.bin
The command in this example reboots the device using the image file BSI07101.bin located on the PCMCIA flash
card in slot 1. This example assumes the image file is in the root directory on the flash card. If the image file is in
a subdirectory, specify the subdirectory path. For example, to boot using an image in a subdirectory called BSI,
enter a command such as the following:
BigServerIron# boot system slot1 \BSI\BSI07101.bin

Syntax: boot system slot1 | slot2 [\<dir-path>\]<file-name>


The slot1 | slot2 parameter indicates the flash card slot.
The <file-name> parameter specifies the file name. If the file is in a subdirectory, specify the subdirectory path in
front of the file name. If the file name you specify is not a full path name, the CLI assumes that the name (and
path, if applicable) you enter are relative to the subdirectory that currently has the management focus.
Possible values: See above
Default value: N/A

boot system tftp


Initiates a system boot of the software image from a TFTP server.
EXAMPLE:
ServerIron(config)# boot system tftp 192.22.33.44 current.img

Syntax: boot system tftp <ip-addr> <filename>


Possible values: N/A
Default value: N/A
Before entering the TFTP boot command, you must first assign an IP address, IP mask and default gateway (if
applicable) at the boot prompt as shown.
EXAMPLE:
boot> ip address 192.22.33.44 255.255.255.0
boot> ip default-gateway 192.22.33.1
You now can proceed with the boot system tftp command.

cd
Another form of the chdir command. See "chdir" on page 5-4.

chdir
Switches the management focus from one flash card in a Management IV module's PCMCIA slot to the other slot.
NOTE: This command applies only to a BigServerIron using a Management IV module.
The effect of file management commands depends on the flash card that has the management focus. For
example, if you enter a command to delete a file, the software deletes the specified file from the flash card that
currently has the management focus.
EXAMPLE:
To switch the focus of the CLI from one flash card to the other, enter a command such as the following:
BigServerIron# cd slot2
BigServerIron#

Syntax: cd | chdir slot1 | slot2


Syntax: cd | chdir <dir-name>
When you enter the cd command, the software changes the management focus to the slot or subdirectory path
you specify, then displays a new command prompt.
If a slot you specify does not contain a flash card, the software displays the message shown in the following
example.
BigServerIron# cd slot2
The system can not find the drive specified
To switch the management focus to a different subdirectory, enter a command such as the following:
BigServerIron# cd PLOOK
Current directory of slot1 is: \PLOOK
This command changes the focus from the root directory level (\) to the subdirectory named PLOOK.
If you specify an invalid subdirectory path, the CLI displays a message such as the following:
BigServerIron# cd PLOOK
Path not found
If you are certain the path you specified exists, make sure you are at the correct level for reaching the path. For
example, if you are already at the PLOOK level, the CLI cannot find the subdirectory \PLOOK because it is not a
subdirectory from the level that currently has the management focus.
Possible values: N/A
Default value: N/A

clear arp
Removes all data from the ARP cache.
EXAMPLE:
ServerIron# clear arp
The following command clears all ARP entries for port 2 on the module in slot 3.
ServerIron# clear arp ethernet 3/2

Syntax: clear arp [ethernet <num> | mac-address <xxxx.xxxx.xxxx> [<mask>] | <ip-addr> [<ip-mask>]]
Specify the MAC address mask as "f"s and "0"s, where "f"s are significant bits. Specify IP address masks in
standard decimal mask format (for example, 255.255.0.0).
Possible values: N/A

Default value: N/A

clear healthck statistics


Clears health-check policy statistics.
EXAMPLE:
ServerIron(config)# clear healthck statistics

Syntax: clear healthck statistics


Possible values: N/A
Default value: N/A

clear ip cache
Removes all entries from the IP cache.
EXAMPLE:
ServerIron# clear ip cache

Syntax: clear ip cache


Possible values: N/A
Default value: N/A

clear ip nat
Clears entries from the NAT table. The software provides the following clear options:

Clear all entries (static and dynamic)

Clear an entry for a specific NAT entry based on the private and global IP addresses

Clear an entry for a specific NAT entry based on the IP addresses and the TCP or UDP port number. Use this
option when you are trying to clear specific entries created using the Port Address Translation feature.

NOTE: These commands are not supported on the ServerIron 400 or ServerIron 800.
EXAMPLE:
To clear all dynamic entries from the NAT translation table, enter the following command at the Privileged EXEC
level of the CLI:
ServerIron# clear ip nat all

Syntax: clear ip nat all


To clear only the entries for a specific address entry, enter a command such as the following:
ServerIron# clear ip nat inside 209.157.1.43 10.10.10.5
This command clears the inside NAT entry that maps private address 10.10.10.5 to Internet address
209.157.1.43. Here is the syntax for this form of the command.

Syntax: clear ip nat inside <global-ip> <private-ip>


If you use Port Address Translation, you can selectively clear entries based on the TCP or UDP port number
assigned to an entry by the feature. For example, the following command clears one of the entries associated with
Internet address 209.157.1.44 but does not clear other entries associated with the same address.
ServerIron# clear ip nat tcp inside 209.157.1.43 1081 10.10.10.5 80
The command above clears all inside NAT entries that match the specified global IP address, private IP address,
and TCP or UDP ports.

Syntax: clear ip nat <protocol> inside <global-ip> <internet-tcp/udp-port> <private-ip> <private-tcp/udp-port>


The <protocol> parameter specifies the protocol type and can be tcp or udp.

Possible values: N/A


Default value: N/A

clear ip traffic
Clears the IP traffic statistics.
EXAMPLE:
ServerIron# clear ip traffic

Syntax: clear ip traffic


Possible values: N/A
Default value: N/A

clear logging
Removes all entries from the SNMP event log.
EXAMPLE:
ServerIron# clear logging

Syntax: clear logging


Possible values: N/A
Default value: N/A

clear mac-address
Removes all static MAC address entries from the address table.
EXAMPLE:
ServerIron# clear mac-address

Syntax: clear mac-address


Possible values: N/A
Default value: N/A

clear public-key
Clears the public keys from the active configuration.
EXAMPLE:
ServerIron# clear public-key

Syntax: clear public-key


Possible values: N/A
Default value: N/A

clear rmon
Clears packet statistics displayed by the show rmon statistics command. See "show rmon statistics" on
page 21-24.
EXAMPLE:
ServerIron# clear rmon

Syntax: clear rmon


Possible values: N/A
Default value: N/A

clear server traffic


Clears traffic statistics for real and virtual servers.
EXAMPLE:
ServerIron# clear server traffic

Syntax: clear server traffic


Possible values: N/A
Default value: N/A

clear server session


Clears all session table entries for a deleted real server.
When you delete a real server, the ServerIron attempts to clear all the session entries for that real server from the
session table. The ServerIron requires all the sessions to be cleared from the table before performing these
operations. If you use the force shutdown option (server force-delete command), the ServerIron ends the
sessions within one minute. Otherwise, the ServerIron allows active sessions to end normally before removing
them.
When you enter the command to delete a real server (no server real <name>), the ServerIron changes the
server's state to "await_delete". The real server remains in this state until all its sessions are cleared from the
session table. Occasionally, the ServerIron cannot clear all of a deleted real server's sessions from the table.
When this occurs, the real server cannot be fully deleted. To complete deletion of the server in this case, enter the
clear server session <name> command after entering the no server real <name> command.
EXAMPLE:
ServerIron(config)# no server real rs1
ServerIron(config)# show server real rs1
Real Servers Info
Name : rs1                                        Mac-addr: Unknown
IP:1.2.3.4     Range:1     State:await_delete     Max-conn:1000000
Least-con Wt:0     Resp-time Wt:0
Port     State  Ms  CurConn  TotConn  Rx-pkts  Tx-pkts  Rx-octet  Tx-octet  Reas
----     -----  --  -------  -------  -------  -------  --------  --------  ----
8080     unbnd  0   0        0        0        0        0         0         0
default  unbnd  0   0        0        0        0        0         0         0
Server Total        0        0        0        0
ServerIron(config)# clear server session rs1

The no server real command deletes real server "rs1". The show server real command displays the states of
the real servers. Notice that rs1 is still listed as a valid real server, and has the state "await_delete". If the no
server real command does not list the deleted server, the server has been completely deleted.
If the server continues to be listed with the "await_delete" state after several minutes, enter the clear server
session command to finish deleting the server. The clear server session command deletes the remaining
sessions for rs1, after which the ServerIron can finish deleting the server. You can enter this command
immediately after entering the no server real command. You do not need to wait for any sessions to end
normally.

Syntax: clear server session <name> [<name> [<name> [<name>]]]


The <name> parameter specifies the name of the real server. You can enter up to four real server names. It can
take up to three minutes for the command to take effect. This command is supported only on the MP (the main
processor management session). The command is not valid if entered in a WSM CPU management session.
NOTE: You cannot undo the clear server session command. If you re-enter the command for the same real
server, the new command is ignored and the original command continues to be processed.

Possible values: up to four real server names


Default value: N/A

clear snmp-server traffic


Clears statistics for SNMP server traffic.
EXAMPLE:
ServerIron# clear snmp-server traffic

Syntax: clear snmp-server traffic


Possible values: N/A
Default value: N/A

clear statistics
Clears packet statistics displayed by the show statistics command. See "show statistics" on page 21-33.
EXAMPLE:
ServerIron# clear statistics

Syntax: clear statistics


Possible values: N/A
Default value: N/A

clear statistics dos-attack


Resets counters for ICMP and TCP SYN packet burst thresholds.
EXAMPLE:
ServerIron# clear statistics dos-attack

Syntax: clear statistics dos-attack


Possible values: N/A
Default value: N/A

clear web-connection
Clears all Web management interface sessions with the ServerIron. The sessions are immediately ended when
you enter the command.
EXAMPLE:
ServerIron# clear web-connection

Syntax: clear web-connection


Possible values: N/A
Default value: N/A

clock
The system clock can be set for a ServerIron. This command allows you to set the time and date. The time zone
must be set using the clock timezone... command at the global CONFIG level.
NOTE: Clock settings are not saved over power cycles; however, you can configure the system to reference a
SNTP server at power up. This server will then automatically download the correct time reference for the network.
For more details on this capability, reference the sntp command at the privileged EXEC level and the sntp poll-interval
and sntp server commands at the global CONFIG level.
EXAMPLE:
ServerIron# clock set 10:15:05 10-15-98

Syntax: [no] clock set <hh:mm:ss> <mm-dd-yy> | <mm-dd-yyyy>


Possible values: N/A
Default value: N/A

configure terminal
Launches you into the global CONFIG level.
EXAMPLE:
ServerIron# configure terminal
ServerIron(config)#

Syntax: configure terminal


Possible values: N/A
Default value: N/A

copy <from-card> <to-card>


Copies files from one PCMCIA flash card on a management module to the other card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the ncopy slot1 | slot2 <from-name> slot1 | slot2 <to-name>
command. See ncopy slot1 | slot2 <from-name> slot1 | slot2 [<to-name>] on page 5-25.
EXAMPLE:
To copy a file from one flash card to the other, enter the following command:
BigServerIron# copy slot1 slot2 sales.cfg

Syntax: copy <from-card> <to-card> [\<from-dir-path>\]<from-name> [[\<to-dir-path>\]<to-name>]


The command shown in the example above copies a file from the flash card in slot 1 to the flash card in slot 2. In
this case, the software uses the same name for the original file and for the copy. Optionally, you can specify a
different file name for the copy.
Possible values: See above.
Default value: N/A

copy flash flash


Copies a software image between the primary and secondary flash storage locations.
EXAMPLE:
Suppose you want to copy the software image stored in the primary flash into the secondary storage location. To
do so, enter the following command.
BigServerIron# copy flash flash secondary
If you want to copy the image from the secondary flash to the primary flash, enter the following command.
BigServerIron# copy flash flash primary
In the copy flash flash command, the first flash refers to the origin of the image and the second flash in the
command points to the destination flash. Note that in the command above, when primary is entered, the system
automatically knows that the origin flash is the secondary flash location.

Syntax: copy flash flash [primary | secondary]


Possible values: N/A
Default value: N/A

copy flash slot1 | slot2


Copies a file from flash memory to a PCMCIA flash card on the management module.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the ncopy flash primary | secondary slot1 | slot2 <to-name>
command. See ncopy flash primary | secondary slot1 | slot2 <to-name> on page 5-22.
EXAMPLE:
To copy a file from flash memory to a flash card, enter a command such as the following:
BigServerIron# copy flash slot2 BIS07000.bin primary
Flash Card Write (128 KBytes per dot) .......
Write to slot2 BIS07000.bin succeeded
The command in this example copies a software image file from the primary area in flash memory onto the flash
card in slot 2.
If the copy does not succeed, the software lists messages to indicate the reason the copy did not work. For
example, the following messages indicate that the copy did not work because the slot specified for the copy does
not contain a flash card.
BigServerIron# copy flash slot2 m4s.car secondary
The system can not find the drive specified
Write to slot2 m4s.car failed

Syntax: copy flash slot1 | slot2 [\<to-dir-path>\]<to-name> primary | secondary


Possible values: See above.
Default value: N/A

copy flash tftp


Uploads a copy of the primary or secondary software image to a TFTP server.
NOTE: This command does the same thing as the ncopy flash primary | secondary tftp <ip-addr> <from-name>
command. See ncopy flash primary | secondary tftp <ip-addr> <from-name> on page 5-23.
EXAMPLE:
BigServerIron# copy flash tftp 192.22.33.4 test.img secondary

Syntax: copy flash tftp <ip-addr> <filename> primary | secondary


Possible values: See above.
Default value: N/A

copy running slot1 | slot2


Copies the device's running-config to a PCMCIA flash card. The running-config contains the device's currently
active configuration information. When you copy the running-config to a flash card, you are making a copy of the
device's current configuration, including any configuration changes you have not saved to the startup-config file.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the ncopy running slot1 | slot2 <to-name> command. See
ncopy running slot1 | slot2 <to-name> on page 5-23.
EXAMPLE:
To copy the device's running configuration into a file on a flash card, enter a command such as the following:

BigServerIron# copy running slot1 runip.1


Write to slot1 run.sw succeeded

Syntax: copy running slot1 | slot2 [\<to-dir-path>\]<to-name>


Possible values: See above.
Default value: N/A

copy running-config tftp


Uploads a copy of the running configuration file from the switch or router to a designated TFTP server.
NOTE: This command does the same thing as the ncopy running-config tftp <ip-addr> <from-name>
command. See ncopy running-config tftp <ip-addr> <from-name> on page 5-24.
EXAMPLE:
BigServerIron# copy running-config tftp 192.22.3.44 newrun.cfg

Syntax: copy running-config tftp <ip-addr> <filename>


Possible values: See above.
Default value: N/A

copy slot1 | slot2 flash


Copies a file from a PCMCIA flash card to the primary area in flash memory.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the ncopy slot1 | slot2 <from-name> flash primary |
secondary command. See ncopy slot1 | slot2 <from-name> flash primary | secondary on page 5-24.
EXAMPLE:
To copy a file from a flash card to the primary area in flash memory, enter a command such as the following:
BigServerIron# copy slot1 flash B2P07000.bin primary
BigServerIron# Flash Erase -----------------------------------------
Flash Memory Write (8192 bytes per dot) .......................
...............................................................
......code flash copy done

Syntax: copy slot1 | slot2 flash [\<from-dir-path>\]<from-name> primary | secondary


Possible values: See above.
Default value: N/A

copy slot1 | slot2 running


Loads ACLs from a running-config file into the device's active configuration.
NOTE: This command applies only to a BigServerIron using a Management IV module.
For example, if the device's configuration includes a large set of Access Control Lists (ACLs), you can configure
the ACLs offline in a text file on a PC, then save the file to the flash card. To load the ACLs, you can insert the
flash card in the Foundry device, then copy the file to the device's running configuration.

NOTE: This feature allows you to preconfigure and load large sets of ACLs. If you accidentally try to load a
running-config file that contains other types of configuration information using this method, the software might
display error messages. This occurs when the device's parser encounters lines in the file that do not correspond
to valid configuration commands.
NOTE: This command does the same thing as the ncopy slot1 | slot2 <from-name> running command. See
ncopy slot1 | slot2 <from-name> running on page 5-24.
EXAMPLE:
To copy a running-config file from a flash card, enter a command such as the following:
BigServerIron# copy slot2 running runip.2

Syntax: copy slot1 | slot2 running [\<from-dir-path>\]<from-name>


The command in this example changes the device's active configuration based on the information in the file.
Possible values: See above.
Default value: N/A

copy slot1 | slot2 start


Copies a startup-config file from a PCMCIA flash card to flash memory. By default, the device uses the startup-config
in the primary area of flash memory to configure itself when you boot or reload the device.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: The device cannot use a startup-config file on a flash card to configure itself. You cannot boot or reload
from a flash card.
NOTE: This command does the same thing as the ncopy slot1 | slot2 <from-name> start command. See
ncopy slot1 | slot2 <from-name> start on page 5-25.
EXAMPLE:
To copy a startup-config file from a flash card to flash memory, enter a command such as the following:
BigServerIron# copy slot1 start test2.cfg
..Write startup-config done.

Syntax: copy slot1 | slot2 start [\<from-dir-path>\]<from-name>


This command copies a configuration file named test2.cfg from the flash card in slot 2 into the device's flash
memory. The next time you reboot or reload the device, it uses the configuration information in test2.cfg.
Possible values: See above.
Default value: N/A

copy slot1 | slot2 tftp


Copies a file from a PCMCIA flash card to a TFTP server.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the ncopy slot1 | slot2 <from-name> tftp <ip-addr> [<to-name>]
command. See ncopy slot1 | slot2 <from-name> tftp <ip-addr> [<to-name>] on page 5-26.
EXAMPLE:
To copy a file from a flash card to a TFTP server, enter a command such as the following:

BigServerIron# copy slot1 tftp 192.168.1.17 notes.txt


Uploading 254 bytes to tftp server ...
Upload to TFTP server done.

Syntax: copy slot1 | slot2 tftp <ip-addr> [\<from-dir-path>\]<from-name> [<to-name>]


Possible values: See above.
Default value: N/A

copy start slot1 | slot2


Copies the device's startup-config file from flash memory onto a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the ncopy start slot1 | slot2 <to-name> command. See ncopy
start slot1 | slot2 <to-name> on page 5-26.
EXAMPLE:
To copy the device's startup-config file from flash memory onto a flash card, enter a command such as the
following:
BigServerIron# copy start slot1 mfgtest.cfg
Write to slot1 cfgtest.cfg succeeded

Syntax: copy start slot1 | slot2 [\<to-dir-path>\]<to-name>


Possible values: See above.
Default value: N/A

copy startup-config tftp


Uploads a copy of the startup configuration file from the switch or router to a designated TFTP server.
NOTE: This command does the same thing as the ncopy startup-config tftp <ip-addr> <from-name>
command. See ncopy startup-config tftp <ip-addr> <from-name> on page 5-26.
EXAMPLE:
BigServerIron# copy startup-config tftp 192.22.3.44 new.cfg

Syntax: copy startup-config tftp <ip-addr> <filename>


Possible values: See above.
Default value: N/A

copy tftp flash


Downloads a copy of a Foundry switch or router software image from a TFTP server into the system flash in the
primary or secondary storage location.
NOTE: This command does the same thing as the ncopy tftp <ip-addr> <from-name> flash primary |
secondary command. See ncopy tftp <ip-addr> <from-name> flash primary | secondary on page 5-26.
EXAMPLE:
BigServerIron# copy tftp flash 192.22.33.4 test.img primary
To download into the secondary storage location, enter the command listed below instead:
BigServerIron# copy tftp flash 192.22.33.4 test.img secondary

Syntax: copy tftp flash <ip-addr> <filename> primary | secondary


Possible values: See above.


Default value: N/A

copy tftp running-config


Downloads a copy of a running-config file from a TFTP server into the running-config of the switch or router.
NOTE: This command does the same thing as the ncopy tftp <ip-addr> <from-name> running-config
command. See ncopy tftp <ip-addr> <from-name> running-config on page 5-27.
EXAMPLE:
BigServerIron# copy tftp running-config 192.22.33.4 newrun.cfg

Syntax: copy tftp running-config <ip-addr> <filename>


Possible values: See above.
Default value: N/A

copy tftp slot1 | slot2


Copies a file from a TFTP server to a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the ncopy tftp <ip-addr> <from-name> slot1 | slot2 [<to-name>]
command. See ncopy tftp <ip-addr> <from-name> slot1 | slot2 [<to-name>] on page 5-27.
EXAMPLE:
To copy a file from a TFTP server to a flash card, enter a command such as the following:
BigServerIron# copy tftp slot1 192.168.1.17 notes.txt
Downloading from tftp server ...
Tftp 254 bytes done, copy to slot1 ...
Write to slot1 cfg.cfg succeeded

Syntax: copy tftp slot1 | slot2 <ip-addr> <from-name> [[\<to-dir-path>\]<to-name>]


If the file name you specify is not on the TFTP server, the CLI displays messages such as those shown in the
following example:
BigServerIron# copy tftp slot1 192.168.1.17 nots.txt
Downloading from tftp server ...
TFTP: received error request -- code 1 message File not found: C:/TFTP/nots.txt.
Error - can't download data from TFTP server, error code 17. Abort!
To simplify troubleshooting, especially when the file is present on your server but the command doesn't find it, the
messages list the complete TFTP path name on your TFTP server.
Possible values: See above.
Default value: N/A

copy tftp startup-config


Downloads a copy of a configuration file from a TFTP server into the startup configuration file of the switch or
router. To activate this configuration file, reload (reset) the system.
NOTE: This command does the same thing as the ncopy tftp <ip-addr> <from-name> startup-config
command. See ncopy tftp <ip-addr> <from-name> startup-config on page 5-28.
EXAMPLE:
BigServerIron# copy tftp startup-config 192.22.33.4 new.cfg

Syntax: copy tftp startup-config <ip-addr> <filename>


Possible values: See above.
Default value: N/A


debug ip nat
Places the device in diagnostic mode for Network Address Translation (NAT).
NOTE: This command is not supported on the ServerIron 400 or ServerIron 800.
EXAMPLE:
ServerIron# debug ip nat icmp 0.0.0.0
NAT: icmp src 10.10.100.18 => trans 192.168.2.79 dst 204.71.202.127
NAT: 192.168.2.79 204.71.202.127 ID 35768 len 60 txfid 13 icmp (8/0/512/519)
NAT: 204.71.202.127 10.10.100.18 ID 11554 len 60 txfid 15 icmp (0/0/512/519)
ServerIron# debug ip nat tcp 0.0.0.0
NAT: tcp src 10.10.100.18:1473 => trans 192.168.2.78:8016 dst 192.168.2.158:53
NAT: 192.168.2.78:8016 192.168.2.158:53 flags S ID 57970 len 44 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags S A ID 22762 len 44 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags A ID 58226 len 40 txfid 13
NAT: 192.168.2.78:8016 192.168.2.158:53 flags A ID 58482 len 77 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags A ID 23018 len 42 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags A ID 58738 len 40 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags A ID 23274 len 131 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags FA ID 58994 len 40 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags A ID 23530 len 40 txfid 15
NAT: 192.168.2.158:53 10.10.100.18:1473 flags FA ID 23786 len 40 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags A ID 59250 len 40 txfid 13
ServerIron# debug ip nat udp 0.0.0.0
NAT: udp src 10.10.100.18:1561 => trans 192.168.2.79:65286 dst 192.168.3.11:53
NAT: 192.168.2.79:65286 192.168.3.11:53 ID 35512 len 58 txfid 13
NAT: 192.168.3.11:53 10.10.100.18:1560 ID 8453 len 346 txfid 15
ServerIron# debug ip nat transdata
NAT: icmp src 10.10.100.18:2048 => trans 192.168.2.79 dst 204.71.202.127
NAT: udp src 10.10.100.18:1561 => trans 192.168.2.79:65286 dst 192.168.3.11:53
NAT: tcp src 10.10.100.18:1473 => trans 192.168.2.78:8016 dst 192.168.2.158:53

Syntax: debug ip nat icmp | tcp | udp <ip-addr>


Syntax: debug ip nat transdata
The <ip-addr> parameter specifies an IP address. The address applies to packets with the address as the source
or the destination. Specify 0.0.0.0 to enable the diagnostic mode for all addresses.
The examples above show sample output from debug ip nat commands. The first three examples show the
output from the diagnostic mode for ICMP NAT, TCP NAT, and UDP NAT. The fourth command shows the output
for the diagnostic mode for NAT translation requests.
To disable the NAT diagnostic mode, enter a command such as the following:
ServerIron# undebug ip nat tcp
This command disables the diagnostic mode for NAT performed on TCP packets. NAT diagnostics for other types
of packets remain enabled.

Syntax: undebug ip nat icmp | tcp | udp | transdata
Possible values: N/A
Default value: Disabled
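
The following is an added example, not part of the Foundry manual: a parser that turns captured debug ip nat output into per-packet records attributed to the inside host, using the line formats shown in the sample output for this command. The function names are hypothetical, and the direction rule (a source equal to the translated address is outbound, a destination equal to the inside address is inbound) is an assumption drawn from those samples.

```python
import re

# Translation request line, e.g.
# NAT: tcp src 10.10.100.18:1473 => trans 192.168.2.78:8016 dst 192.168.2.158:53
TRANS_RE = re.compile(
    r"^NAT: (?P<proto>icmp|tcp|udp) src (?P<inside>\S+) => "
    r"trans (?P<trans>\S+) dst (?P<dst>\S+)$"
)
# Per-packet line, e.g.
# NAT: 192.168.2.158:53 10.10.100.18:1473 flags S A ID 22762 len 44 txfid 15
PKT_RE = re.compile(
    r"^NAT: (?P<src>\d\S*) (?P<dst>\d\S*)"
    r"(?: flags(?P<flags>[A-Z ]*?))?"
    r" ID (?P<id>\d+) len (?P<len>\d+) txfid (?P<txfid>\d+)"
    r"(?: icmp \((?P<icmp>[\d/]+)\))?$"
)
PROMPT_RE = re.compile(r"^\S*[#>](\s|$)")  # echoed CLI prompt such as "ServerIron# ..."

# Lines taken from the manual's sample output; two packet lines are wrapped
# the way a narrow console capture would wrap them.
SAMPLE = """\
ServerIron# debug ip nat icmp 0.0.0.0
NAT: icmp src 10.10.100.18 => trans 192.168.2.79 dst 204.71.202.127
NAT: 192.168.2.79 204.71.202.127 ID 35768 len 60 txfid 13 icmp (8/0/512/519)
NAT: 204.71.202.127 10.10.100.18 ID 11554 len 60 txfid 15 icmp (0/0/512/519)
ServerIron# debug ip nat tcp 0.0.0.0
NAT: tcp src 10.10.100.18:1473 => trans 192.168.2.78:8016 dst 192.168.2.158:53
NAT: 192.168.2.78:8016 192.168.2.158:53 flags S
ID 57970 len 44 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags S A ID 22762 len 44 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags
FA ID 58994 len 40 txfid 13
"""


def split_endpoint(text):
    """'10.10.100.18:1473' -> ('10.10.100.18', 1473); a bare address has port None."""
    host, sep, port = text.partition(":")
    return (host, int(port)) if sep else (host, None)


def rejoin(raw):
    """Undo wrapping: a line that does not start with 'NAT:' continues the previous one."""
    out = []
    for line in raw.splitlines():
        line = " ".join(line.split())          # collapse runs of whitespace
        if not line or PROMPT_RE.match(line):
            continue                           # skip blanks and echoed commands
        if line.startswith("NAT:") or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out


def parse(raw):
    """Return (translations, packets) as lists of dicts."""
    translations, packets = [], []
    for line in rejoin(raw):
        m = TRANS_RE.match(line)
        if m:
            translations.append({
                "proto": m["proto"],
                "inside": split_endpoint(m["inside"]),
                "trans": split_endpoint(m["trans"]),
                "dst": split_endpoint(m["dst"]),
            })
            continue
        m = PKT_RE.match(line)
        if m:
            packets.append({
                "src": split_endpoint(m["src"]),
                "dst": split_endpoint(m["dst"]),
                "flags": (m["flags"] or "").replace(" ", ""),
                "ip_id": int(m["id"]),
                "length": int(m["len"]),
                "txfid": int(m["txfid"]),
            })
    return translations, packets


def attribute(raw):
    """Label each packet (direction, inside endpoint, flags, length); None if unmatched."""
    translations, packets = parse(raw)
    by_trans = {t["trans"]: t for t in translations}
    by_inside = {t["inside"]: t for t in translations}
    rows = []
    for p in packets:
        if p["src"] in by_trans:        # assumption: source already rewritten = outbound
            t, direction = by_trans[p["src"]], "out"
        elif p["dst"] in by_inside:     # assumption: destination restored = inbound
            t, direction = by_inside[p["dst"]], "in"
        else:
            t, direction = None, None   # no translation seen for this packet
        rows.append((direction, t["inside"] if t else None, p["flags"], p["length"]))
    return rows


if __name__ == "__main__":
    for row in attribute(SAMPLE):
        print(row)
```

Packets that come back with direction None have no matching translation line in the capture, which is the case worth reviewing when the debug output is used to trace a translated address back to an inside host.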

delete
Deletes a file from a flash card. This command applies only to management modules with PCMCIA slots.


NOTE: This command applies only to a BigServerIron using a Management IV module.


CAUTION: By default, the delete option deletes all files on the flash card. Make sure you specify the files you
want to delete.
CAUTION: The software does not have an undelete option. Make sure you really want to delete the file.

EXAMPLE:
To delete a file on the flash card that has the management focus, enter a command such as the following:
BigServerIron# delete cfg.cfg
If the command is successful, the CLI displays a new command prompt.

Syntax: delete [slot1 | slot2] [<file-name>]


The command in this example deletes the specified file. To delete all files that contain a specific string of
characters, enter a command such as the following:
BigServerIron# delete test*.*
This command deletes all files whose names start with test. To delete all the files on a flash card, enter a
command such as the following:
BigServerIron# delete slot2
The command in this example deletes all files on the flash card in slot 2. In this example, slot 1 has the
management focus, but the files to be deleted are on the flash card in slot 2.
Possible values: See above.
Default value: Deletes all files on the flash card!

dir
Lists the files on a flash card in a Management IV module's PCMCIA slot.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: By default, the software displays the contents of the flash card in the slot that has the management focus.
However, you do not need to change the focus to list the files on another flash card. You can specify the other
flash card when you display the files.
EXAMPLE:
To display a directory of all the files on the flash card that has the management focus, enter the following
command:
BigServerIron# dir
Volume in slot1 has no label
Volume Serial Number is 19ED-1725
Directory of slot1
01/01/2000  00:00a     685935    POS.BIN
01/01/2000  00:00a    2157693    M4R.BIN
01/01/2000  00:00a        184    A22.CFG
01/01/2000  00:00a        254  R CFG.CFG
01/01/2000  00:00a        256    STR.CFG
01/01/2000  00:00a    1027230    M5.BIN
01/01/2000  00:00a        184    A8.CFG
01/01/2000  00:00a    1029838    M4S.BIN
01/01/2000  00:00a     687026    P3R.BIN
01/01/2000  00:00a    1029838    MM.BIN
           10 File(s)    6618438 bytes
                        74180608 bytes free

Syntax: dir [slot1 | slot2] [<file-name>]


To list only files that contain a specific pattern of characters in the name, enter a command such as the following:
BigServerIron# dir *.bin
Volume in slot1 has no label
Volume Serial Number is 19ED-1725
Directory of slot1
01/01/2000  00:00a     685935    POS.BIN
01/01/2000  00:00a    2157693    M4R.BIN
01/01/2000  00:00a    1027230    M5.BIN
01/01/2000  00:00a    1029838    M4S.BIN
01/01/2000  00:00a     687026    P3R.BIN
01/01/2000  00:00a    1029838    MM.BIN
            6 File(s)    6617560 bytes
                        74180608 bytes free

The command in this example lists all the image files on the flash card in the slot that has the management focus.
(More specifically, the command lists all the files that end with .bin.)
For information about the command's display, see the "Displaying a Directory of the Files on a Flash Card" section
in the "Using Redundant Management Modules" chapter of the Foundry Switching Router Installation and
Configuration Guide.
Possible values: See above.
Default value: Displays all files on the flash card that has the management focus.

debug access-list
Places the device in diagnostic mode for IP access lists. Use this diagnostic mode only if advised to do so by
Foundry Technical Support.
Possible values: N/A
Default value: Disabled

erase flash primary


Erases the image stored in primary flash.
EXAMPLE:
ServerIron# erase flash primary

Syntax: erase flash primary


Possible values: N/A
Default value: N/A

erase flash secondary


Erases the image stored in secondary flash.
EXAMPLE:
ServerIron# erase flash secondary

Syntax: erase flash secondary


Possible values: N/A
Default value: N/A


erase startup-config
Erases the configuration stored in the startup-config file.
EXAMPLE:
ServerIron# erase startup-config

Syntax: erase startup-config


Possible values: N/A
Default value: N/A

exit
Moves activity up one level from the current level. In this case, activity will be moved to the user level.
EXAMPLE:
To move from the privileged level, back to the user level, enter the following:
ServerIron# exit
ServerIron>

Syntax: exit
Possible values: N/A
Default value: N/A

fastboot
Provides a configurable option to speed up the system startup time. By default, this option is turned off, providing
a three-second pause to allow a user to break into the boot prompt, if necessary. Use fastboot on to turn this
option on and eliminate the three-second pause. To turn this feature off later, enter the command fastboot off.
Fastboot changes will be saved automatically but will not become active until after a system reset.
To execute an immediate reload from the console of the boot code without a three-second delay, you can enter the
fast reload command.
EXAMPLE:
ServerIron# fastboot on

Syntax: fastboot [on | off]


Possible values: on or off
Default value: off

format
Reformats a flash card in a Management IV module's PCMCIA slot.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
To reformat a flash card, enter the following command:
BigServerIron# format slot2
Formatting Flash Card(256 clusters per dot) ....................................
................................................................................
......................................
Verifying Flash Card(256 clusters per dot) ....................................
................................................................................
......................................
80809984 bytes total card space.
80809984 bytes available on card.
2048 bytes in each allocation unit.
39458 allocation units available on card.
Flash card format done
As shown in this example, the software formats the sector on the flash card, then verifies the formatting. In this
example, the software did not find any bad sectors, so all the bytes on the card are available.

Syntax: format slot1 | slot2 [<label>]


The slot1 | slot2 parameter specifies the PCMCIA slot that contains the flash card you are formatting.
The <label> parameter specifies the label. You can specify up to 11 alphanumeric characters. You cannot use
special characters or spaces.
Possible values: See above
Default value: N/A

hd
Displays the data in a file on a flash card in hexadecimal format. This command applies only to management
modules with PCMCIA flash slots.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
To display the data in a file in hexadecimal format, enter a command such as the following:
BigServerIron# hd cfg.cfg

Syntax: hd [slot1 | slot2] <file-name>


Each row of hexadecimal output contains the following parts:

• The byte offset of the data that is displayed to the right of the offset
• A row of hexadecimal data
• The ASCII equivalent of the hexadecimal data shown in the row

Possible values: see above


Default value: N/A

kill
Terminates the specified active CLI session and resets the CONFIG token. Once you know the session ID of a
Telnet connection (using the show who command), you can terminate it with the kill command. If the terminated
session was a console, the console is sent back into User EXEC mode. If the terminated CLI session was a Telnet
session, the Telnet connection is closed.
EXAMPLE:
ServerIron# kill telnet 1

Syntax: kill console | telnet <session-id>


Possible values: Session ID number from show who command
Default value: N/A

locate
Displays or changes the save location for the startup-config file.
NOTE: This command applies only to a BigServerIron using a Management IV module.


EXAMPLE:
BigServerIron# locate startup-config

Syntax: locate startup-config


EXAMPLE:
By default, when you save configuration changes, the changes are saved to the startup-config file on the device's
flash memory module. If you want to change the save location to a PCMCIA slot, enter a command such as the
following:
BigServerIron# locate startup-config slot1 router1.cfg
BigServerIron# write memory
The first command in this example sets the device to save configuration changes to the file named router1.cfg in
the flash card in PCMCIA slot 1. The second command saves the running-config to the router1.cfg file on the flash
card in slot 1.
NOTE: In this example, after you save the configuration changes using the write memory command, the
router1.cfg file will include the command that designates PCMCIA slot1 as the save location for configuration
changes.

Syntax: locate startup-config [[slot1 | slot2] <file-name>]


You can specify a relative path name or full path name as part of the file name.
Possible values: See above
Default value: N/A

md
Another form of the mkdir command. See mkdir on page 5-21.

mkdir
Creates a subdirectory on a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
BigServerIron# mkdir slot1 \TEST
To verify successful creation of the subdirectory, enter a command to change to the new subdirectory level:
BigServerIron# chdir \TEST
Current directory of slot1 is: \TEST

Syntax: md | mkdir [slot1 | slot2] <dir-name>


You can enter either md or mkdir for the command name.
The slot1 | slot2 parameter specifies a PCMCIA slot. If you do not specify a slot, the command applies to the slot
that currently has the management focus.
The <dir-name> parameter specifies the subdirectory name. You can enter a name that contains any combination
of the following characters. Do not enter a backslash / in front of the name.

• All upper and lowercase letters
• All digits
• Spaces
• Any of the following special characters:


'

&

You can use spaces in a file or subdirectory name if you enclose the name in double quotes. For example, to
specify a subdirectory name that contains spaces, enter a string such as the following: "a long subdirectory
name".
A subdirectory or file name can be a maximum of 256 characters long. A complete subdirectory path name
cannot contain more than 263 characters.
The name is not case sensitive. You can enter upper- or lowercase letters. The CLI displays the name using
uppercase letters.
Possible values: See above
Default value: N/A

more
Displays the data in a file on a flash card in a Management IV module's PCMCIA slot.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
To display the contents of a file, enter a command such as the following:
BigServerIron# more cfg.cfg

Syntax: more [slot1 | slot2] <file-name>


Possible values: See above.
Default value: N/A

ncopy flash primary | secondary slot1 | slot2 <to-name>


Copies a file from flash memory to a PCMCIA flash card on the management module.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the copy flash slot1 | slot2 command. See copy flash slot1 |
slot2 on page 5-10.


EXAMPLE:
To copy a file from flash memory to a flash card, enter a command such as the following:
BigServerIron# ncopy flash primary slot2 BIS07000.bin
Flash Card Write (128 KBytes per dot) .......
Write to slot2 BIS07000.bin succeeded
The command in this example copies a software image file from the primary area in flash memory onto the flash
card in slot 2.
If the copy does not succeed, the software lists messages to indicate the reason the copy did not work. For
example, the following messages indicate that the copy did not work because the slot specified for the copy does
not contain a flash card.
BigServerIron# ncopy flash secondary slot2 m4s.car
The system can not find the drive specified
Write to slot2 m4s.car failed

Syntax: ncopy flash primary | secondary slot1 | slot2 [\<to-dir-path>\]<to-name>


Possible values: See above.
Default value: N/A

ncopy flash primary | secondary tftp <ip-addr> <from-name>


Uploads a copy of the primary or secondary software image to a TFTP server.
NOTE: This command does the same thing as the copy flash tftp <ip-addr> <filename> primary | secondary
command. See copy flash tftp on page 5-10.
EXAMPLE:
BigServerIron# ncopy flash secondary tftp 192.22.33.4 test.img

Syntax: ncopy flash primary | secondary tftp <ip-addr> <from-name>


Possible values: See above.
Default value: N/A

ncopy running slot1 | slot2 <to-name>


Copies the device's running-config to a PCMCIA flash card. The running-config contains the device's currently
active configuration information. When you copy the running-config to a flash card, you are making a copy of the
device's current configuration, including any configuration changes you have not saved to the startup-config file.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the copy running slot1 | slot2 <to-name> command. See copy
running slot1 | slot2 on page 5-10.
EXAMPLE:
To copy the device's running configuration into a file on a flash card, enter a command such as the following:
BigServerIron# ncopy running slot1 runip.1
Write to slot1 run.sw succeeded

Syntax: ncopy running slot1 | slot2 [\<to-dir-path>\]<to-name>


Possible values: See above.
Default value: N/A


ncopy running-config tftp <ip-addr> <from-name>


Uploads a copy of the running configuration file from the switch or router to a designated TFTP server.
NOTE: This command does the same thing as the copy running-config tftp <ip-addr> <filename> command.
See copy running-config tftp on page 5-11.
EXAMPLE:
BigServerIron# ncopy running-config tftp 192.22.3.44 newrun.cfg

Syntax: ncopy running-config tftp <ip-addr> <from-name>


Possible values: See above.
Default value: N/A

ncopy slot1 | slot2 <from-name> flash primary | secondary


Copies a file from a PCMCIA flash card to the primary area in flash memory.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the copy slot1 | slot2 flash <from-name> primary | secondary
command. See copy flash slot1 | slot2 on page 5-10.
EXAMPLE:
To copy a file from a flash card to the primary area in flash memory, enter a command such as the following:
BigServerIron# ncopy slot1 B2P07000.bin flash primary
BigServerIron# Flash Erase -----------------------------------------
Flash Memory Write (8192 bytes per dot) ........................................
................................................................................
......code flash copy done

Syntax: ncopy slot1 | slot2 [\<from-dir-path>\]<from-name> flash primary | secondary


Possible values: See above.
Default value: N/A

ncopy slot1 | slot2 <from-name> running


Loads ACLs from a running-config file into the device's active configuration.
NOTE: This command applies only to a BigServerIron using a Management IV module.
For example, if the device's configuration includes a large set of Access Control Lists (ACLs), you can configure
the ACLs offline in a text file on a PC, then save the file to the flash card. To load the ACLs, you can insert the
flash card in the Foundry device, then copy the file to the device's running configuration.
NOTE: This feature allows you to preconfigure and load large sets of ACLs. If you accidentally try to load a
running-config file that contains other types of configuration information using this method, the software might
display error messages. This occurs when the device's parser encounters lines in the file that do not correspond
to valid configuration commands.
NOTE: This command does the same thing as the copy slot1 | slot2 running <from-name> command. See
copy slot1 | slot2 running on page 5-11.
EXAMPLE:
To copy a running-config file from a flash card, enter a command such as the following:


BigServerIron# ncopy slot2 runip.2 running

Syntax: ncopy slot1 | slot2 [\<from-dir-path>\]<from-name> running


The command in this example changes the device's active configuration based on the information in the file.
Possible values: See above.
Default value: N/A

ncopy slot1 | slot2 <from-name> slot1 | slot2 [<to-name>]


Copies files from one PCMCIA flash card on a management module to the other card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the copy <from-card> <to-card> <from-name> [<to-name>]
command. See copy <from-card> <to-card> on page 5-9.
EXAMPLE:
To copy a file from one flash card to the other, enter the following command:
BigServerIron# ncopy slot1 sales.cfg slot2

Syntax: ncopy slot1 | slot2 [\<from-dir-path>\]<from-name> slot1 | slot2 [[\<to-dir-path>\]<to-name>]


The command shown in the example above copies a file from the flash card in slot 1 to the flash card in slot 2. In
this case, the software uses the same name for the original file and for the copy. Optionally, you can specify a
different file name for the copy.
Possible values: See above.
Default value: N/A

ncopy slot1 | slot2 <from-name> start


Copies a startup-config file from a PCMCIA flash card to flash memory. By default, the device uses the
startup-config in the primary area of flash memory to configure itself when you boot or reload the device.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: The device cannot use a startup-config file on a flash card to configure itself. You cannot boot or reload
from a flash card.
NOTE: This command does the same thing as the copy slot1 | slot2 start <from-name> command. See copy
slot1 | slot2 start on page 5-12.
EXAMPLE:
To copy a startup-config file from a flash card to flash memory, enter a command such as the following:
BigServerIron# ncopy slot1 test2.cfg start
..Write startup-config done.

Syntax: ncopy slot1 | slot2 [\<from-dir-path>\]<from-name> start


This command copies a configuration file named test2.cfg from the flash card in slot 2 into the device's flash
memory. The next time you reboot or reload the device, it uses the configuration information in test2.cfg.
Possible values: See above.
Default value: N/A


ncopy start slot1 | slot2 <to-name>


Copies the device's startup-config file from flash memory onto a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the copy start slot1 | slot2 <to-name> command. See copy
start slot1 | slot2 on page 5-13.
EXAMPLE:
To copy the device's startup-config file from flash memory onto a flash card, enter a command such as the
following:
BigServerIron# ncopy start slot1 mfgtest.cfg
Write to slot1 cfgtest.cfg succeeded

Syntax: ncopy start slot1 | slot2 [\<to-dir-path>\]<to-name>


Possible values: See above.
Default value: N/A

ncopy slot1 | slot2 <from-name> tftp <ip-addr> [<to-name>]


Copies a file from a PCMCIA flash card to a TFTP server.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the copy slot1 | slot2 tftp <ip-addr> <from-name> [<to-name>]
command. See copy slot1 | slot2 tftp on page 5-12.
EXAMPLE:
To copy a file from a flash card to a TFTP server, enter a command such as the following:
BigServerIron# ncopy slot1 notes.txt tftp 192.168.1.17
Uploading 254 bytes to tftp server ...
Upload to TFTP server done.

Syntax: ncopy slot1 | slot2 [\<from-dir-path>\]<from-name> tftp <ip-addr> [<to-name>]


Possible values: See above.
Default value: N/A

ncopy startup-config tftp <ip-addr> <from-name>


Uploads a copy of the startup configuration file from the switch or router to a designated TFTP server.
NOTE: This command does the same thing as the copy startup-config tftp <ip-addr> <filename> command.
See copy startup-config tftp on page 5-13.
EXAMPLE:
BigServerIron# ncopy startup-config tftp 192.22.3.44 new.cfg

Syntax: ncopy startup-config tftp <ip-addr> <from-name>


Possible values: See above.
Default value: N/A

ncopy tftp <ip-addr> <from-name> flash primary | secondary


Downloads a copy of a Foundry switch or router software image from a TFTP server into the system flash in the
primary or secondary storage location.

NOTE: This command does the same thing as the copy tftp flash <ip-addr> <filename> primary | secondary
command. See copy tftp flash on page 5-13.
EXAMPLE:
BigServerIron# ncopy tftp 192.22.33.4 test.img flash primary
To download into the secondary storage location, enter the command listed below instead:
ServerIron# ncopy tftp 192.22.33.4 test.img flash secondary

Syntax: ncopy tftp <ip-addr> <from-name> flash primary | secondary


Possible values: See above.
Default value: N/A

ncopy tftp <ip-addr> <from-name> running-config


Downloads a copy of a running-config file from a TFTP server into the running-config of the switch or router.
NOTE: This command does the same thing as the copy tftp running-config <ip-addr> <filename> command.
See copy tftp running-config on page 5-14.
EXAMPLE:
BigServerIron# ncopy tftp 192.22.33.4 newrun.cfg running-config

Syntax: ncopy tftp <ip-addr> <from-name> running-config


Possible values: See above.
Default value: N/A

ncopy tftp <ip-addr> <from-name> slot1 | slot2 [<to-name>]


Copies a file from a TFTP server to a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the copy tftp slot1 | slot2 <ip-addr> <from-name> [<to-name>]
command. See copy tftp slot1 | slot2 on page 5-14.
EXAMPLE:
To copy a file from a TFTP server to a flash card, enter a command such as the following:
BigServerIron# ncopy tftp 192.168.1.17 notes.txt slot1
Downloading from tftp server ...
Tftp 254 bytes done, copy to slot1 ...
Write to slot1 cfg.cfg succeeded

Syntax: ncopy tftp <ip-addr> <from-name> slot1 | slot2 [[\<to-dir-path>\]<to-name>]


If the file name you specify is not on the TFTP server, the CLI displays messages such as those shown in the
following example:
BigServerIron# ncopy tftp 192.168.1.17 nots.txt slot1
Downloading from tftp server ...
TFTP: received error request -- code 1 message File not found: C:/TFTP/nots.txt.
Error - can't download data from TFTP server, error code 17. Abort!
To simplify troubleshooting, especially when the file is present on your server but the command doesn't find it, the
messages list the complete TFTP path name on your TFTP server.
Possible values: See above.


Default value: N/A

ncopy tftp <ip-addr> <from-name> startup-config


Downloads a copy of a configuration file from a TFTP server into the startup configuration file of the switch or
router. To activate this configuration file, reload (reset) the system.
NOTE: This command does the same thing as the copy tftp startup-config <ip-addr> <filename> command.
See copy tftp startup-config on page 5-14.
EXAMPLE:
BigServerIron# ncopy tftp 192.22.33.4 new.cfg startup-config

Syntax: ncopy tftp <ip-addr> <from-name> startup-config


Possible values: See above.
Default value: N/A

page-display
Enables page-by-page display of the configuration file. When you display or save the file, one "page" (window-full)
of the file is displayed. The following line provides you with options to continue the display or to cancel:
--More--, next page: Space/Return key, quit: Control-c
If you disable the page-display mode, the CLI displays the entire file without interruption.
Page-display mode is enabled by default. To disable it, enter the skip-page-display command.
NOTE: This command is equivalent to the enable skip-page-display command at the global CONFIG level.
EXAMPLE:
ServerIron# page-display

Syntax: page-display
Possible values: N/A
Default value: N/A

ping
Verifies connectivity to a Foundry switch or Layer 3 Switch or other device. The command performs an ICMP
echo test to confirm connectivity to the specified device.
EXAMPLE:
ServerIron# ping 192.22.2.33

Syntax: ping <ip-addr> | <hostname> [count <num>] [timeout <msec>] [ttl <num>] [size <byte>] [no-fragment]
[quiet] [verify] [data <1 - 4 byte hex>] [brief]
The only required parameter is the IP address or host name of the device.
NOTE: If the device is a Foundry switch or Layer 3 Switch, you can use the host name only if you have already
enabled the Domain Name Server (DNS) resolver feature on the device from which you are sending the ping. See
ip dns domain-name on page 6-35 and ip dns server-address on page 6-35.
The count <num> parameter specifies how many ping packets the device sends. You can specify from
1 - 4294967296. The default is 1.
The timeout <msec> parameter specifies how many milliseconds the Foundry device waits for a reply from the
pinged device. You can specify a timeout from 1 - 4294967296 milliseconds. The default is 5000 (5 seconds).
The ttl <num> parameter specifies the maximum number of hops. You can specify a TTL from 1 - 255. The
default is 64.


The size <byte> parameter specifies the size of the ICMP data portion of the packet. This is the payload and does
not include the header. You can specify from 0 - 4000. The default is 16.
The no-fragment parameter turns on the "don't fragment" bit in the IP header of the ping packet. This option is
disabled by default.
The quiet parameter hides informational messages such as a summary of the ping parameters sent to the device
and instead only displays messages indicating the success or failure of the ping. This option is disabled by
default.
The verify parameter verifies that the data in the echo packet (the reply packet) is the same as the data in the
echo request (the ping). By default the device does not verify the data.
The data <1 4 byte hex> parameter lets you specify a specific data pattern for the payload instead of the default
data pattern, "abcd", in the packets data payload. The pattern repeats itself throughout the ICMP message
(payload) portion of the packet.
NOTE: For numeric parameter values, the CLI does not check that the value you enter is within the allowed
range. Instead, if you do exceed the range for a numeric value, the software rounds the value to the nearest valid
value.
The brief parameter causes ping test characters to be displayed. The following ping test characters are
supported:
! Indicates that a reply was received.

Indicates that the network server timed out while waiting for a reply.

Indicates that a destination unreachable error PDU was received.

Indicates that the user interrupted ping.

Possible values: see above


Default value: see above

pwd
Indicates which flash card in a Management IV module's PCMCIA slot has the management focus.
NOTE: This command applies only to a BigServerIron using a Management IV module.
The management focus determines the default flash card for a file management operation. For example, when
you list a directory of the files on a flash card, the PCMCIA slot parameter is optional. If you do not specify the
slot, the software displays the contents of the flash card in the slot that currently has the management focus. As
another example, the command for deleting a file from a flash card does not require that you specify the PCMCIA
slot. If you do not specify the slot, the command deletes the file from the flash card that has the management
focus.
When you power on or reload a device, if the management module contains only one flash card, the slot that
contains the flash card receives the management focus by default. If both slots contain flash cards, slot 1 receives
the management focus by default.
EXAMPLE:
To display which flash card currently has the management focus, enter the following command:
BigServerIron# pwd
slot1

Syntax: pwd
In this example, the flash card in slot 1 has the management focus.
Possible values: N/A
Default value: N/A

quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron# quit
ServerIron>

Syntax: quit
Possible values: N/A
Default value: N/A

rconsole
Logs in to a WSM CPU on the Web Switching Management Module.
ServerIron# rconsole 2 1
ServerIron2/1 #
This command changes the management session from the MP to WSM CPU 1 on the Web Switching
Management Module in slot 2. Notice that the end of the command prompt changes to indicate the slot number
and WSM CPU number.

Syntax: rconsole <slotnum> <cpunum>


The <slotnum> parameter specifies the chassis slot that contains the module.
Slots on a four-slot chassis are numbered 1 - 4, from top to bottom.
Slots on an eight-slot chassis are numbered 1 - 8, from left to right.
The <cpunum> parameter specifies the WSM CPU. The WSM CPUs are numbered from 1 - 3.
For more information, see the "Using the Web Switching Management Module" chapter in the Foundry ServerIron
Installation and Configuration Guide.
Possible values: See above.
Default value: Disabled

rconsole-exit
Logs out of a WSM CPU on the Web Switching Management Module.
EXAMPLE:
To log out from a management session with a WSM CPU, enter the following command at the WSM command
prompt:
ServerIron2/1 # rconsole-exit
ServerIron#

Syntax: rconsole-exit
NOTE: You must enter the entire command name (rconsole-exit). The CLI will not accept abbreviated forms of
the command.
Possible values: See above.
Default value: N/A

rd
Another form of the rmdir command. See rmdir on page 5-31.

reload
Initiates a system reset. All configuration changes made since the last reset or start of the ServerIron will be
saved to the startup configuration file.
EXAMPLE:
ServerIron# reload

Syntax: reload [after <dd:hh:mm>] | [at <hh:mm:ss> <mm-dd-yy>] | [cancel] [primary | secondary]
Possible values:
after <dd:hh:mm> causes the system to reload after the specified amount of time has passed.
at <hh:mm:ss> <mm-dd-yy> causes the system to reload at exactly the specified time.
cancel cancels the scheduled reload.
primary | secondary specifies whether the reload is to occur from the primary code flash module or the
secondary code flash module. The default is primary.
NOTE: The reload command must be typed in its entirety.
Default value: N/A

rename
Renames a file on a flash card in a Management IV module's PCMCIA slot.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
To rename a file, enter a command such as the following:
ServerIron# rename oldname newname

Syntax: rename [slot1 | slot2] <old-name> <new-name>


If the command is successful, the CLI displays a new command prompt.
Possible values: See above.
Default value: N/A

rmdir
Removes a subdirectory from a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
BigServerIron# rmdir \TEST

Syntax: rd | rmdir [slot1 | slot2] <dir-name>


You can enter either rd or rmdir for the command name.
The slot1 | slot2 parameter specifies a PCMCIA slot.
The <dir-name> parameter specifies the subdirectory you want to delete. You can enter a path name if the
subdirectory is not in the current directory.
NOTE: You can remove a subdirectory only if the subdirectory does not contain files or other subdirectories.
If you receive a message such as the following, enter the pwd command to verify that the management focus is at
the appropriate level of the directory tree.

BigServerIron# rmdir \TEST


File not found
Possible values: See above.
Default value: N/A

rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.

show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.

skip-page-display
Disables page-display mode. Page-display mode displays the file one page at a time and prompts you to continue
or cancel the display. When page-display mode is disabled, if you display or save the configuration file, the CLI
displays the entire file without interruption.
Page display mode is enabled by default.
NOTE: This command is equivalent to the no enable skip-page-display command at the global CONFIG level.
EXAMPLE:
ServerIron> skip-page-display

Syntax: skip-page-display
Possible values: N/A
Default value: Enabled

sntp sync
Synchronizes the device's system clock with the time supplied by the device's SNTP server.
You define the SNTP server using the sntp server... command at the global CONFIG level. You also can define
how often the clock references are validated between the ServerIron and the SNTP server by entering the
sntp poll-interval command at the global CONFIG level.
NOTE: Configure the clock timezone parameter before configuring an SNTP server.
EXAMPLE:
ServerIron# sntp sync

Syntax: sntp sync


Possible values: N/A
Default value: N/A

stop-traceroute
Stops an initiated trace on a ServerIron.
EXAMPLE:
ServerIron# stop-trace-route

Syntax: stop-trace-route

Possible values: N/A


Default value: N/A

sync-standby
Immediately synchronizes software between the active and standby management modules. When you
synchronize software, the active module copies the software you specify to the standby module, replacing the
software on the standby module.
NOTE: This command applies only to a BigServerIron with redundant management modules.
EXAMPLE:
To immediately synchronize the boot code on the standby module with the boot code on the active module, enter
the following command at the Privileged EXEC level of the CLI:
BigServerIron# sync-standby boot

Syntax: sync-standby boot


To immediately synchronize the flash code (system software) on the standby module with the boot code on the
active module, enter the following command at the Privileged EXEC level of the CLI:
BigServerIron# sync-standby code

Syntax: sync-standby code


To immediately synchronize the running-config on the standby module with the running-config on the active
module, enter the following command at the Privileged EXEC level of the CLI:
BigServerIron# sync-standby running-config

Syntax: sync-standby running-config


To immediately synchronize the startup-config file on the standby module with the startup-config file on the active
module, enter the following command at the Privileged EXEC level of the CLI:
BigServerIron# sync-standby startup-config

Syntax: sync-standby startup-config


Possible values: See above
Default value: N/A

telnet
Allows a Telnet connection to a remote ServerIron using the console. Up to five access Telnet sessions can be
supported on a ServerIron at one time. Write access through Telnet is limited to one session, and only one
outgoing Telnet session is supported on a ServerIron at one time.
To see the number of open Telnet sessions at any time, enter the command show telnet.
EXAMPLE:
ServerIron# telnet 208.96.6.101

Syntax: telnet <ip-addr> | <hostname>


Possible values: N/A
Default value: N/A

temperature shutdown
Changes the shutdown temperature of a module containing a temperature sensor. If the temperature matches or
exceeds the shutdown temperature, the software sends a Syslog message to the Syslog buffer and also to the
SyslogD server if configured. The software also sends an SNMP trap to the SNMP trap receiver, if you have
configured the device to use one.

If the temperature equals or exceeds the shutdown temperature for five consecutive polls of the temperature by
the software, the software shuts down the module to prevent damage.
EXAMPLE:
To change the shutdown temperature from 55 to 57 degrees Celsius, enter the following command:
ServerIron# temperature shutdown 57

Syntax: temperature shutdown <value>


The <value> can be 0 - 125.
Possible values: 0 - 125 degrees Celsius
Default value: 55

temperature warning
Changes the warning temperature of a module containing a temperature sensor. If the temperature of the module
reaches the warning value, the software sends a Syslog message to the Syslog buffer and also to the SyslogD
server, if configured. In addition, the software sends an SNMP trap to the SNMP trap receiver, if you have
configured the device to use one.
NOTE: You cannot set the warning temperature to a value higher than the shutdown temperature.
EXAMPLE:
To change the warning temperature from 45 to 47 degrees Celsius, enter the following command:
ServerIron# temperature warning 47

Syntax: temperature warning <value>


The <value> can be 0 - 125.
Possible values: 0 - 125 degrees Celsius
Default value: 45

traceroute
Allows you to trace the path from the current ServerIron to a host address. This command is not available on
Foundry switches.
EXAMPLE:
ServerIron# traceroute 192.33.4.7 minttl 5 maxttl 5 timeout 5

Syntax: traceroute <host-ip-addr> [minttl <value>] [maxttl <value>] [timeout <value>] [numeric]
minttl - minimum TTL (hops) value: Possible values are 1 - 255. Default value is 1 second.
maxttl - maximum TTL (hops) value: Possible values are 1 - 255. Default value is 30 seconds.
timeout - Possible values are 1 - 120. Default value is 2 seconds.
numeric - Lets you change the display to list the devices by their IP addresses instead of their names.
Possible values: See above.
Default value: See above.

undebug access-list
Disables access-list diagnostic mode.
EXAMPLE:
ServerIron# undebug access-list 1

Syntax: undebug access-list <num>


Possible values: See above.
Default value: N/A

undebug ip nat
Disables diagnostic mode for NAT.
NOTE: This command is not supported on the ServerIron 400 or ServerIron 800.
EXAMPLE:
To disable the NAT diagnostic mode, enter a command such as the following:
ServerIron# undebug ip nat tcp

Syntax: undebug ip nat icmp | tcp | udp | transdata


This command disables the diagnostic mode for NAT performed on TCP packets. NAT diagnostics for other types
of packets remain enabled.
Possible values: See above.
Default value: N/A

undelete
Recovers a file deleted from a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: When you delete a file from a flash card, the CLI leaves the file intact but removes the first letter in the file
name from the file directory. However, if you save file changes or new files that use part of the space occupied by
the deleted file, you cannot undelete the file. The undelete command lists only the files that can be undeleted.
EXAMPLE:
BigServerIron# undelete
Undelete file "?LD.CFG" ? (enter 'y' or 'n'): y
Input one character: O
File recovered successfully and named to OLD.CFG
The command in this example starts the undelete process for the flash card and subdirectory that currently have
the management focus. For each file that can be undeleted, the CLI displays the remaining name entry in the file
directory and prompts you for the first character of the file name. You can enter any valid file name character. You
do not need to enter the character that was used before in the deleted file name.
Once you enter a character and the CLI undeletes the file, the CLI continues with the next file that can be
undeleted. For each file, specify y or n, and specify a first character for the files that you select to undelete.
To end the undelete process, enter the CTRL + C key combination.

Syntax: undelete [slot1 | slot2] [\<to-dir-path>]


Possible values: See above
Default value: N/A

whois
Performs a whois lookup on a specified domain.
EXAMPLE:
ServerIron# whois boole.com

Syntax: whois <host-ip-addr> | <domain>


Possible values: <host-ip-addr> is a valid IP address; <domain> is a valid domain name.

NOTE: A DNS gateway must be defined in order to use this command.


Default value: N/A

write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron# write memory

Syntax: write memory


Possible values: N/A
Default value: N/A

write terminal
Displays the running-configuration on the terminal screen.
EXAMPLE:
ServerIron# write terminal

Syntax: write terminal


Possible values: N/A
Default value: N/A

wsm copy flash flash


Copies the flash code from the primary flash to the secondary flash for each of the WSM CPUs on the Web
Switching Management Module.
EXAMPLE:
ServerIron# wsm copy flash flash secondary

Syntax: wsm copy flash flash primary | secondary


The primary and secondary parameters identify either the primary or secondary flash on the WSM CPUs. For
each command, the parameter specifies the destination of the copy operation.
Possible values: See above
Default value: N/A

wsm copy tftp flash


Upgrades the WSM CPUs on the Web Switching Management Module.
EXAMPLE:
ServerIron# wsm copy tftp flash 109.157.22.26 wsp07200.bin primary
This command upgrades the WSM CPUs by copying a flash code image from a TFTP server to the primary flash
for each of the WSM CPUs on the module.

Syntax: wsm copy tftp flash <tftp-server-ip-addr> <image-file-name> primary | secondary


The primary and secondary parameters identify either the primary or secondary flash on the WSM CPUs. For
each command, the parameter specifies the destination of the copy operation.
Possible values: See above
Default value: N/A

Chapter 6
Global CONFIG Commands

aaa authentication
Defines an authentication-method list for access authentication. See the Foundry Security Guide for more
information.
EXAMPLE:
To configure an access method list, enter a command such as the following:
ServerIron(config)# aaa authentication web-server default local
This command configures the device to use the local user accounts to authenticate access to the device through
the Web management interface. If the device does not have a user account that matches the user name and
password entered by the user, the user is not granted access.
To configure the device to consult a RADIUS server first for Enable access, then consult the local user accounts if
the RADIUS server is unavailable, enter the following command:
ServerIron(config)# aaa authentication enable default radius local

Syntax: aaa authentication snmp-server | web-server | enable [implicit-user] | login default <method1>
[<method2>] [<method3>] [<method4>] [<method5>] [<method6>] [<method7>]
The snmp-server | web-server | enable [implicit-user] | login parameter specifies the type of access this
authentication-method list controls. You can configure one authentication-method list for each type of access.
The implicit-user parameter configures the device to prompt for only a password when a user attempts to access
the Privileged EXEC or CONFIG level of the CLI. By default, the device prompts for both a username and a
password. This parameter is valid only with the enable access type.
NOTE: TACACS/TACACS+ and RADIUS are supported only for enable and login.

The <method1> parameter specifies the primary authentication method. The remaining optional <method>
parameters specify the secondary methods to try if an error occurs with the primary method. A method can be
one of the values listed in the Method Value column in the following table.
Table 0.1: Authentication Method Values

Method Value        Description
tacacs or tacacs+   A TACACS/TACACS+ server. You can use either parameter. Each parameter supports both TACACS and TACACS+. You also must identify the server to the device using the tacacs-server command. See tacacs-server on page 6-94.
radius              A RADIUS server. You also must identify the server to the device using the radius-server command. See radius-server on page 6-56.
local               A local user name and password you configured on the device. Local user names and passwords are configured using the username command. See username on page 6-98.
line                The password you configured for Telnet access. The Telnet password is configured using the enable telnet password command. See enable telnet password on page 6-18.
enable              The super-user enable password you configured on the device. The enable password is configured using the enable super-user-password command. See enable on page 6-17.
none                No authentication is used. The device automatically permits access.

Possible values: see above


Default value: N/A

aaa authorization
Configures authorization for controlling access to management functions in the CLI. Foundry devices support
RADIUS and TACACS+ authorization.

When RADIUS authorization is enabled, the Foundry device consults the list of commands supplied by the
RADIUS server during authentication to determine whether a user can execute a command he or she has
entered.

Two kinds of TACACS+ authorization are supported: Exec authorization determines a user's privilege level
when they are authenticated; Command authorization consults a TACACS+ server to get authorization for
commands entered by the user.

EXAMPLE:
You enable command authorization by specifying a privilege level whose commands require authorization. For
example, to configure the Foundry device to perform RADIUS authorization for the commands available at the
Super User privilege level (that is, all commands on the device), enter the following command:
ServerIron(config)# aaa authorization commands 0 default radius

Syntax: [no] aaa authorization commands <privilege-level> default tacacs+ | radius | none
The <privilege-level> parameter can be one of the following:

0 - Authorization is performed for commands available at the Super User level (all commands)
4 - Authorization is performed for commands available at the Port Configuration level (port-config and read-only commands)
5 - Authorization is performed for commands available at the Read Only level (read-only commands)

NOTE: TACACS+ and RADIUS command authorization is performed only for commands entered from Telnet or
SSH sessions. No authorization is performed for commands entered at the console, the Web management
interface, or IronView.
NOTE: Since RADIUS authorization relies on the command list supplied by the RADIUS server during
authentication, you cannot perform RADIUS authorization without RADIUS authentication.
When TACACS+ exec authorization is configured, the Foundry device consults a TACACS+ server to determine
the privilege level for an authenticated user. To configure TACACS+ exec authorization, on the Foundry device,
enter the following command:
ServerIron(config)# aaa authorization exec default tacacs+

Syntax: [no] aaa authorization exec default tacacs+ | none


Possible values: see above
Default value: N/A
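
The rules stated in the aaa authentication and aaa authorization entries above can be checked mechanically against a saved configuration. The following Python audit is an added example, not part of the Foundry manual or software; the sample configuration is constructed, the finding names are hypothetical, and treating "RADIUS authentication" as radius appearing in the login or enable method list is an assumption.

```python
VALID_METHODS = {"tacacs", "tacacs+", "radius", "local", "line", "enable", "none"}
ACCESS_TYPES = {"snmp-server", "web-server", "enable", "login"}
REMOTE_METHODS = {"tacacs", "tacacs+", "radius"}

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
aaa authentication web-server default radius local
aaa authentication login default tacacs+ local none
aaa authentication enable implicit-user default local
aaa authorization commands 0 default radius
"""


def parse_aaa(config_text):
    """Collect authentication-method lists and authorization settings."""
    auth = {}    # access type -> {"methods": [...], "implicit_user": bool}
    authz = []   # (kind, privilege level or None, method)
    for raw in config_text.splitlines():
        w = raw.split()
        if w[:2] == ["aaa", "authentication"] and len(w) > 3:
            access, rest = w[2], w[3:]
            implicit = rest[0] == "implicit-user"
            if implicit:
                rest = rest[1:]
            if rest and rest[0] == "default":
                auth[access] = {"methods": rest[1:], "implicit_user": implicit}
        elif w[:3] == ["aaa", "authorization", "commands"] and len(w) == 6:
            level = int(w[3]) if w[3].isdigit() else -1
            authz.append(("commands", level, w[5]))
        elif w[:3] == ["aaa", "authorization", "exec"] and len(w) == 5:
            authz.append(("exec", None, w[4]))
    return auth, authz


def audit(config_text):
    """Return (finding, detail) pairs for settings the manual warns about."""
    auth, authz = parse_aaa(config_text)
    findings = []
    for access, entry in sorted(auth.items()):
        methods = entry["methods"]
        if access not in ACCESS_TYPES:
            findings.append(("unknown-access-type", access))
        if not 1 <= len(methods) <= 7:
            findings.append(("method-count", access))
        for method in methods:
            if method not in VALID_METHODS:
                findings.append(("unknown-method", f"{access}: {method}"))
        # "none" permits access automatically once the list reaches it.
        if "none" in methods:
            findings.append(("none-permits-access", access))
        # TACACS/TACACS+ and RADIUS are supported only for enable and login.
        if access in ("snmp-server", "web-server") and REMOTE_METHODS & set(methods):
            findings.append(("remote-method-unsupported", access))
        # implicit-user is valid only with the enable access type.
        if entry["implicit_user"] and access != "enable":
            findings.append(("implicit-user-misplaced", access))

    # Assumption: RADIUS authentication means radius is in the login or enable list.
    radius_authn = any(
        "radius" in auth.get(a, {}).get("methods", []) for a in ("login", "enable")
    )
    for kind, level, method in authz:
        if kind != "commands":
            continue
        if level not in (0, 4, 5):
            findings.append(("bad-privilege-level", str(level)))
        # RADIUS authorization relies on the command list sent at authentication.
        if method == "radius" and not radius_authn:
            findings.append(("radius-authz-without-authn", f"commands {level}"))
        # Informational: console, Web management and IronView are not covered.
        if method in ("radius", "tacacs+"):
            findings.append(("authz-telnet-ssh-only", f"commands {level}"))
    return findings


if __name__ == "__main__":
    for name, detail in audit(SAMPLE_CONFIG):
        print(f"{name:32} {detail}")
```
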

aaa accounting
Configures RADIUS or TACACS+ accounting for recording information about user activity and system events.
When you configure accounting on a Foundry device, information is sent to an accounting server when specified
events occur, such as when a user logs into the device or the system is rebooted.
EXAMPLE:
To send an Accounting Start packet to a TACACS+ accounting server when an authenticated user establishes a
Telnet or SSH session on the Foundry device, and an Accounting Stop packet when the user logs out:
ServerIron(config)# aaa accounting exec default start-stop tacacs+

Syntax: [no] aaa accounting exec default start-stop radius | tacacs+ | none
You can configure accounting for CLI commands by specifying a privilege level whose commands require
accounting. For example, to configure the Foundry device to perform RADIUS accounting for the commands
available at the Super User privilege level (that is, all commands on the device), enter the following command:
ServerIron(config)# aaa accounting commands 0 default start-stop radius

Syntax: [no] aaa accounting commands <privilege-level> default start-stop radius | tacacs+ | none
The <privilege-level> parameter can be one of the following:

0 - Records commands available at the Super User level (all commands)
4 - Records commands available at the Port Configuration level (port-config and read-only commands)
5 - Records commands available at the Read Only level (read-only commands)

You can configure accounting to record when system events occur on the Foundry device. System events include
rebooting and when changes to the active configuration are made.
The following command causes an Accounting Start packet to be sent to a TACACS+ accounting server when a
system event occurs, and an Accounting Stop packet to be sent when the system event is completed:
ServerIron(config)# aaa accounting system default start-stop tacacs+

Syntax: [no] aaa accounting system default start-stop radius | tacacs+ | none
Possible values: see above
Default value: N/A

access-list (standard)
Configures standard Access Control Lists (ACLs), which permit or deny packets based on source IP address (in
contrast to extended ACLs, which permit or deny packets based on source and destination IP address and also
based on IP protocol information). You can configure up to 99 standard ACLs. You can configure up to 1024
individual ACL entries. There is no limit to the number of ACL entries an ACL can contain except for the system-wide limitation of 1024 total ACL entries.
EXAMPLE:
To configure a standard ACL and apply it to outgoing traffic on port 1, enter the following commands.
ServerIron(config)# access-list 1 deny host 209.157.22.26 log
ServerIron(config)# access-list 1 deny 209.157.29.12 log
ServerIron(config)# access-list 1 deny host IPHost1 log
ServerIron(config)# access-list 1 permit any
ServerIron(config)# int eth 1
ServerIron(config-if-1)# ip access-group 1 out
ServerIron(config-if-1)# write mem
The commands in this example configure an ACL that prevents packets from three source IP addresses from being
forwarded on port 1. The last ACL entry in this ACL permits all packets that are not explicitly denied by the first
three ACL entries.

Syntax: [no] access-list <num> deny | permit <source-ip> | <hostname> <wildcard> [log]
Syntax: [no] access-list <num> deny | permit <source-ip>/<mask-bits> | <hostname> [log]
Syntax: [no] access-list <num> deny | permit host <source-ip> | <hostname> [log]
Syntax: [no] access-list <num> deny | permit any [log]
Syntax: [no] ip access-group <num> in | out
The <num> parameter is the access list number and can be from 1 - 99.
The deny | permit parameter indicates whether packets that match a policy in the access list are denied
(dropped) or permitted (forwarded).
The <source-ip> parameter specifies the source IP address. Alternatively, you can specify the host name.
NOTE: To specify the host name instead of the IP address, the host name must be configured using the Foundry
device's DNS resolver. To configure the DNS resolver name, use the ip dns server-address command at the
global CONFIG level of the CLI.
The <wildcard> parameter specifies the mask value to compare against the host address specified by the
<source-ip> parameter. The <wildcard> is a four-part value in dotted-decimal notation (IP address format)
consisting of ones and zeros. Zeros in the mask mean the packet's source address must match the <source-ip>.
Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255
mean that all hosts in the Class C sub-net 209.157.22.x match the policy.
If you prefer to specify the wildcard (mask value) in CIDR format, you can enter a forward slash after the IP
address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of
209.157.22.26 0.0.0.255 as 209.157.22.26/24.
NOTE: When you save ACL policies to the startup-config file, the software changes your <source-ip> values if
appropriate to contain zeros where the packet value must match. For example, if you specify 209.157.22.26/24 or
209.157.22.26 255.255.255.0, then save the startup-config file, the values appear as 209.157.22.0/24 (if you have
enabled display of sub-net lengths) or 209.157.22.0 255.255.255.0 in the startup-config file.
If you enable the software to display IP sub-net masks in CIDR format, the mask is saved in the file in
/<mask-bits> format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at
the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of
whether the software is configured to display the masks in CIDR format.
NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config
files, but are shown with sub-net mask in the display produced by the show access-list and show ip access-list
commands.

The host <source-ip> | <hostname> parameter lets you specify a host IP address or name. When you use this
parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.
The any parameter configures the policy to match on all host addresses.
The log argument configures the device to generate Syslog entries and SNMP traps for packets that are permitted
or denied by the access policy.
The in | out parameter specifies whether the ACL applies to incoming traffic or outgoing traffic on the port to which
you apply the ACL.
Possible values: see above
Default value: N/A
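
The wildcard, CIDR and host forms described above all reduce to the same bitwise test, and the save-time rewrite of 209.157.22.26/24 to 209.157.22.0/24 is the address with its "any value" bits cleared. The following Python sketch is an added example, not Foundry code; the sample ACL is constructed, host names are not handled, and checking entries in order with the first match deciding is the behaviour the example above relies on rather than something this entry states outright.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

# Constructed sample ACL using the source forms from the Syntax lines.
SAMPLE_ACL = [
    "access-list 1 deny host 209.157.22.26 log",
    "access-list 1 deny 209.157.29.12 0.0.0.255 log",
    "access-list 1 deny 192.0.2.77/28",
    "access-list 1 permit any",
]


def ip_to_int(text):
    return int(ipaddress.IPv4Address(text))


def parse_source(tokens):
    """Return (address, wildcard) for: any | host <ip> | <ip>/<bits> | <ip> <wildcard>."""
    if not tokens:
        raise ValueError("missing source")
    if tokens[0] == "any":
        return 0, ALL_ONES                      # every bit is "any value"
    if tokens[0] == "host":
        if len(tokens) < 2:
            raise ValueError("host needs an address")
        return ip_to_int(tokens[1]), 0          # implied mask 0.0.0.0
    if "/" in tokens[0]:
        addr, bits = tokens[0].split("/")
        bits = int(bits)
        if not 0 <= bits <= 32:
            raise ValueError("mask bits out of range")
        return ip_to_int(addr), ALL_ONES >> bits
    if len(tokens) < 2:
        raise ValueError("source needs a wildcard, /<mask-bits>, host or any")
    return ip_to_int(tokens[0]), ip_to_int(tokens[1])


def parse_entry(line):
    """Parse one standard ACL entry into a dict."""
    words = line.split()
    if len(words) < 4 or words[0] != "access-list" or words[2] not in ("deny", "permit"):
        raise ValueError("not a standard ACL entry: " + line)
    num = int(words[1])
    if not 1 <= num <= 99:
        raise ValueError("standard ACL numbers are 1 - 99")
    rest = words[3:]
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    addr, wildcard = parse_source(rest)
    return {"num": num, "action": words[2], "addr": addr, "wildcard": wildcard, "log": log}


def matches(entry, src_text):
    """Zeros in the wildcard must match the entry's address; ones match anything."""
    diff = ip_to_int(src_text) ^ entry["addr"]
    return diff & ~entry["wildcard"] & ALL_ONES == 0


def saved_source(entry):
    """Source as it would be normalised on save: "any value" bits cleared."""
    wildcard = entry["wildcard"]
    network = ipaddress.IPv4Address(entry["addr"] & ~wildcard & ALL_ONES)
    if wildcard & (wildcard + 1) == 0:          # contiguous low-order ones
        return "%s/%d" % (network, 32 - wildcard.bit_length())
    return "%s %s" % (network, ipaddress.IPv4Address(wildcard))


def evaluate(entries, src_text):
    """Return the action of the first matching entry, or None if none match."""
    for entry in entries:
        if matches(entry, src_text):
            return entry["action"]
    return None


if __name__ == "__main__":
    acl = [parse_entry(line) for line in SAMPLE_ACL]
    for src in ("209.157.22.26", "209.157.22.27", "209.157.29.200", "192.0.2.80"):
        print(src, evaluate(acl, src))
    print(saved_source(parse_entry("access-list 1 deny 209.157.22.26/24")))
```
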

access-list (extended)
Configures extended ACLs, which permit or deny packets based on the following information:

IP protocol

Source IP address or host name

Destination IP address or host name

Source TCP or UDP port (if the IP protocol is TCP or UDP)

Destination TCP or UDP port (if the IP protocol is TCP or UDP)

EXAMPLE:
To configure an extended ACL that blocks all Telnet traffic received on port 1 from IP host 209.157.22.26, enter the
following commands.
ServerIron(config)# access-list 101 deny tcp host 209.157.22.26 any eq telnet log
ServerIron(config)# access-list 101 permit ip any any
ServerIron(config)# int eth 1
ServerIron(config-if-1)# ip access-group 101 in
ServerIron(config)# write mem

Syntax: [no] access-list <num> deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator>
<source-tcp/udp-port>] <destination-ip> | <hostname> <wildcard>
[<operator> <destination-tcp/udp-port>] [log]
Syntax: [no] access-list <num> deny | permit host <ip-protocol> any any [log]
Syntax: [no] ip access-group <num> in | out
The <num> parameter indicates the ACL number and can be from 100 - 199 for an extended ACL.
The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded.
The <ip-protocol> parameter indicates the type of IP packet you are filtering. You can specify one of the following:

icmp

igmp

igrp

ip

ospf

tcp

udp

The <source-ip> | <hostname> parameter specifies the source IP host for the policy. If you want the policy to
match on all source addresses, enter any.

The <wildcard> parameter specifies the portion of the source IP host address to match against. The <wildcard> is
a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask
mean the packet's source address must match the <source-ip>. Ones mean any value matches. For example,
the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net
209.157.22.x match the policy.
If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format, you can enter a
forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can
enter the CIDR equivalent of 209.157.22.26 0.0.0.255 as 209.157.22.26/24.
NOTE: When you save ACL policies to the startup-config file, the software changes your IP address values if
appropriate to contain zeros where the packet value must match. For example, if you specify 209.157.22.26/24 or
209.157.22.26 255.255.255.0, then save the startup-config file, the values appear as 209.157.22.0/24 (if you have
enabled display of sub-net lengths) or 209.157.22.0 255.255.255.0 in the startup-config file.
If you enable the software to display IP sub-net masks in CIDR format, the mask is saved in the file in
/<mask-bits> format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at
the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of
whether the software is configured to display the masks in CIDR format.
NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config
files, but are shown with sub-net mask in the display produced by the show access-list and show ip access-list
commands.
The <destination-ip> | <hostname> parameter specifies the destination IP host for the policy. If you want the
policy to match on all destination addresses, enter any.
The <operator> parameter specifies a comparison operator for the TCP or UDP port number. This parameter
applies only when you specify tcp or udp as the IP protocol. For example, if you are configuring an entry for
HTTP, specify tcp eq http. You can enter one of the following operators:

eq - The policy applies to the TCP or UDP port name or number you enter after eq.

gt - The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent
of the port name you enter after gt.

lt - The policy applies to TCP or UDP port numbers that are less than the port number or the numeric
equivalent of the port name you enter after lt.

neq - The policy applies to all TCP or UDP port numbers except the port number or port name you enter after
neq.

range - The policy applies to all TCP or UDP port numbers that are between the first TCP or UDP port name
or number and the second one you enter following the range parameter. The range includes the port names
or numbers you enter. For example, to apply the policy to all ports between and including 23 (Telnet) and 53
(DNS), enter the following: range 23 53. The first port number in the range must be lower than the last
number in the range.

established - This operator applies only to TCP packets. If you use this operator, the policy applies to TCP
packets that have the ACK (Acknowledgment) or RST (Reset) bits set on (set to "1") in the Control Bits field of
the TCP packet header. Thus, the policy applies only to established TCP sessions, not to new sessions. See
Section 3.1, "Header Format", in RFC 793 for information about this field.
NOTE: This operator applies only to destination TCP ports, not source TCP ports.

The <tcp/udp-port> parameter specifies the TCP or UDP port number or well-known name. The device
recognizes the following well-known names. For other ports, you must specify the port number.
NOTE: The following lists are organized alphabetically. In the CLI, these port names are listed according to
ascending port number.

TCP port names recognized by the software:

bgp

dns

ftp

http

imap4

ldap

mms

nntp

pop2

pop3

pnm

rtsp

smtp

ssl

telnet

UDP port names recognized by the software:

bootps

bootpc

dns

ntp

radius

radius-old

rip

snmp

snmp-trap

tftp

The in | out parameter specifies whether the ACL applies to incoming traffic or outgoing traffic on the port to which
you apply the ACL.
Possible values: see above
Default value: N/A
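
The matching rules described above for <wildcard>, CIDR notation, the port operators and established, written out as an added Python example; it is not Foundry code. The dictionary layout, function names and sample packets are constructed for illustration, the port numbers are the standard assignments for four of the listed names, and treating ip as "any IP protocol" is an assumption.

```python
import ipaddress

MASK32 = 0xFFFFFFFF
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10  # Control Bits, RFC 793 section 3.1

# A few of the well-known names listed above, with their standard port numbers.
PORT_NAMES = {"telnet": 23, "smtp": 25, "dns": 53, "http": 80}


def parse_address(spec):
    """Turn 'any', 'A.B.C.D W.X.Y.Z' or 'A.B.C.D/bits' into (base, wildcard) integers.

    The base keeps zeros wherever the wildcard has ones, which is the rewrite
    the NOTE about saving ACL policies to the startup-config file describes.
    """
    if spec == "any":
        return 0, MASK32
    if "/" in spec:
        addr, bits = spec.split("/")
        bits = int(bits)
        if not 0 <= bits <= 32:
            raise ValueError("prefix length must be 0-32")
        wildcard = MASK32 >> bits          # /24 -> 0.0.0.255
    else:
        addr, wc = spec.split()
        wildcard = int(ipaddress.IPv4Address(wc))
    base = int(ipaddress.IPv4Address(addr)) & ~wildcard & MASK32
    return base, wildcard


def format_address(base, wildcard):
    """Render (base, wildcard) the way the entry is typed: address then wildcard."""
    return f"{ipaddress.IPv4Address(base)} {ipaddress.IPv4Address(wildcard)}"


def address_matches(ip, base, wildcard):
    """Zeros in the wildcard must match the base; ones match any value."""
    return (int(ipaddress.IPv4Address(ip)) & ~wildcard & MASK32) == base


def port_number(token):
    """Accept a known port name or a decimal port number."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def port_matches(operator, operands, port):
    """Apply eq, neq, gt, lt or range to a TCP or UDP port number."""
    nums = [port_number(t) for t in operands]
    if operator == "eq":
        return port == nums[0]
    if operator == "neq":
        return port != nums[0]
    if operator == "gt":
        return port > nums[0]
    if operator == "lt":
        return port < nums[0]
    if operator == "range":
        low, high = nums
        if low >= high:
            raise ValueError("first port in a range must be lower than the last")
        return low <= port <= high      # the range includes both end points
    raise ValueError(f"unknown operator: {operator}")


def is_established(tcp_flags):
    """True when ACK or RST is set. As described above this is a test of header
    bits, so a SYN-only segment (a new session) does not match."""
    return bool(tcp_flags & (TCP_ACK | TCP_RST))


def entry_matches(entry, packet):
    """Check one constructed ACL entry (a dict) against one packet (a dict)."""
    # Assumption: 'ip' stands for every IP protocol.
    if entry["protocol"] not in ("ip", packet["protocol"]):
        return False
    if not address_matches(packet["src"], *parse_address(entry["source"])):
        return False
    if not address_matches(packet["dst"], *parse_address(entry["destination"])):
        return False
    operator = entry.get("operator")
    if operator is None:
        return True
    if operator == "established":
        return packet["protocol"] == "tcp" and is_established(packet["flags"])
    return port_matches(operator, entry["operands"], packet["dport"])


# Constructed sample entry: TCP from any source to 209.157.22.x, port http.
SAMPLE_ENTRY = {"protocol": "tcp", "source": "any",
                "destination": "209.157.22.26/24",
                "operator": "eq", "operands": ["http"]}
```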

all-client
Restricts management access to the Foundry device to the host whose IP address you specify. No other device
except the one with the specified IP address can access the Foundry device through Telnet (CLI), the Web (Web
management interface), or SNMP (IronView).
If you want to restrict access for some of the management platforms but not all of them, use one or two of the
following commands:

snmp-client - restricts IronView access and all other SNMP access. See "snmp-client" on page 6-88.

telnet client - restricts Telnet access. See "telnet client" on page 6-95.

web client - restricts web access. See "web client" on page 6-100.

EXAMPLE:
To restrict all management access to the Foundry device to the host with IP address 209.157.22.26, enter the
following command:
ServerIron(config)# all-client 209.157.22.26

Syntax: [no] all-client <ip-addr>


Possible values: a valid IP address. You can enter one IP address with the command. You can use the
command up to ten times for up to ten IP addresses.
Default value: N/A

arp
Adds a static ARP entry.
NOTE: This command applies only to IP forwarding (Layer 3).
EXAMPLE:
ServerIron(config)# arp 1 209.157.22.3 aaaa.bbbb.cccc ethernet 3
This command adds a static ARP entry that maps IP address 209.157.22.3 to MAC address aaaa.bbbb.cccc. The
entry is for a MAC address connected to ServerIron port 3.

Syntax: [no] arp <num> <ip-addr> <mac-addr> ethernet <portnum> [vlan <vlan-id>]
The <num> parameter specifies the entry number. You can specify a number from 1 up to the maximum number
of static entries allowed on the device. To determine the maximum number of entries, enter the show default
values command. To increase the maximum, use the system-max static-arp command.
The <ip-addr> parameter specifies the IP address of the device that has the MAC address of the entry.
The <mac-addr> parameter specifies the MAC address of the entry.
The ethernet <portnum> parameter specifies the port number attached to the device that has the MAC address of
the entry.
The vlan <vlan-id> parameter specifies the port-based VLAN the entry belongs to. Use this parameter when the
port is a member of more than one port-based VLAN and you want the ARP entry to apply only to a specific
VLAN.
NOTE: The clear arp command clears learned ARP entries but does not remove any static ARP entries.
Possible values: See above
Default value: None configured

atalk-proto
Creates an AppleTalk protocol VLAN on a Foundry switch or router. When first assigned, all ports are assumed by
default to be members of the VLAN. VLAN membership can be modified using the dynamic, static, or exclude
commands.
EXAMPLE:
To create an AppleTalk Protocol VLAN with permanent port membership of 9 and 13 and no dynamic ports, enter
the following commands.
ServerIron(config)# atalk-proto
ServerIron(config-atalk-proto)# static e9 e13
ServerIron(config-atalk-proto)# no dynamic
ServerIron(config-atalk-proto)# exit

Syntax: atalk-proto [name <string>]


The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
Possible values: N/A
Default value: N/A

banner exec
Configures the Foundry device to display a message when a user enters the Privileged EXEC CLI level.
EXAMPLE:
ServerIron(config)# banner exec $ (Press Return)
Enter TEXT message, End with the character '$'.
You are entering Privileged EXEC level
Don't foul anything up! $

Syntax: [no] banner exec <delimiting-character>


A delimiting character is established on the first line of the banner exec command. You begin and end the
message with this delimiting character. The delimiting character can be any character except " (double-quotation
mark) and cannot appear in the banner text. In this example, the delimiting character is $ (dollar sign). The text in
between the dollar signs is the contents of the banner. The banner text can be up to 2048 characters long and can
consist of multiple lines. To remove the banner, enter the no banner exec command.
Possible values: N/A
Default value: N/A

banner incoming
Configures the Foundry device to display a message on the Console when a user establishes a Telnet session.
This message indicates where the user is connecting from and displays a configurable text message.
EXAMPLE:
ServerIron(config)# banner incoming $ (Press Return)
Enter TEXT message, End with the character '$'.
Incoming Telnet Session!! $
When a user connects to the CLI using Telnet, the following message appears on the Console:
Telnet from 209.157.22.63
Incoming Telnet Session!!

Syntax: [no] banner incoming <delimiting-character>


A delimiting character is established on the first line of the banner incoming command. You begin and end the
message with this delimiting character. The delimiting character can be any character except " (double-quotation
mark) and cannot appear in the banner text. In this example, the delimiting character is $ (dollar sign). The text in
between the dollar signs is the contents of the banner. The banner text can be up to 2048 characters long and can
consist of multiple lines. To remove the banner, enter the no banner incoming command.
Possible values: N/A
Default value: N/A

banner motd
Configures the Foundry device to display a message on a user's terminal when he or she establishes a Telnet CLI
session.
EXAMPLE:
To display the message "Welcome to ServerIron!" when a Telnet CLI session is established:
ServerIron(config)# banner motd $ (Press Return)
Enter TEXT message, End with the character '$'.
Welcome to ServerIron! $

Syntax: [no] banner <delimiting-character> | [motd <delimiting-character>]


A delimiting character is established on the first line of the banner motd command. You begin and end the
message with this delimiting character. The delimiting character can be any character except " (double-quotation
mark) and cannot appear in the banner text. In this example, the delimiting character is $ (dollar sign). The text in
between the dollar signs is the contents of the banner. The banner text can be up to 2048 characters long and can
consist of multiple lines. To remove the banner, enter the no banner motd command.
When you access the Web management interface, the banner is displayed on the login panel.
NOTE: The banner <delimiting-character> command is equivalent to the banner motd <delimiting-character>
command.
Possible values: N/A
Default value: N/A

boot system bootp


Configures the device to use BootP as the primary boot source.
NOTE: If you enter another boot system command at the global CONFIG level after entering this command, the
software adds the new boot source as the primary source and changes the previously entered source to be the
secondary source.
EXAMPLE:
ServerIron(config)# boot system bootp

Syntax: boot system bootp


Possible values: N/A
Default value: primary flash

boot system flash primary


Configures the device to use the primary flash location as the primary boot source. This is the default primary
boot source.
NOTE: If you enter another boot system command at the global CONFIG level after entering this command, the
software adds the new boot source as the primary source and changes the previously entered source to be the
secondary source.
EXAMPLE:
ServerIron(config)# boot system flash primary

Syntax: boot system flash primary


Possible values: N/A
Default value: primary flash

boot system flash secondary


Configures the device to use the secondary flash location as the primary boot source.
NOTE: If you enter another boot system command at the global CONFIG level after entering this command, the
software adds the new boot source as the primary source and changes the previously entered source to be the
secondary source.
EXAMPLE:
ServerIron(config)# boot system flash secondary

Syntax: boot system flash secondary


Possible values: N/A


Default value: primary flash

boot system tftp


Configures the device to use a TFTP server as the primary boot source.
NOTE: If you enter another boot system command at the global CONFIG level after entering this command, the
software adds the new boot source as the primary source and changes the previously entered source to be the
secondary source.
EXAMPLE:
ServerIron(config)# boot sys tftp 192.22.33.44 current.img
NOTE: Before entering the TFTP boot command, you must first assign an IP address, IP mask and default
gateway (if applicable) at the boot prompt as shown.
EXAMPLE:
boot> ip address 192.22.33.44 255.255.255.0
boot> ip default-gateway 192.22.33.1
You now can proceed with the boot system tftp command.

Syntax: boot system tftp <ip-addr> <filename>


Possible values: N/A
Default value: primary flash

broadcast filter
Configures a Layer 2 broadcast packet filter. You can filter on all broadcast traffic or on IP UDP broadcast traffic.
EXAMPLE:
To configure a Layer 2 broadcast filter to filter all types of broadcasts, then apply the filter to ports 1, 2, and 3, enter
the following commands:
ServerIron(config)# broadcast filter 1 any
ServerIron(config-bcast-filter-id-1)# exclude-ports ethernet 1 to 3
ServerIron(config-bcast-filter-id-1)# write mem
EXAMPLE:
To configure two filters, one to filter IP UDP traffic on ports 1 - 4, and the other to filter all broadcast traffic on port
6, enter the following commands:
ServerIron(config)# broadcast filter 1 ip udp
ServerIron(config-bcast-filter-id-1)# exclude-ports ethernet 1 to 4
ServerIron(config-bcast-filter-id-1)# exit
ServerIron(config)# broadcast filter 2 any
ServerIron(config-bcast-filter-id-2)# exclude-ports ethernet 6
ServerIron(config-bcast-filter-id-2)# write mem
EXAMPLE:
To configure an IP UDP broadcast filter that applies only to port-based VLAN 10, then apply the filter to
two ports within the VLAN, enter the following commands:
ServerIron(config)# broadcast filter 4 ip udp vlan 10

ServerIron(config-bcast-filter-id-4)# exclude-ports eth 1 eth 3
ServerIron(config-bcast-filter-id-4)# write mem

Syntax: [no] broadcast filter <filter-id> any | ip udp [vlan <vlan-id>]


The <filter-id> specifies the filter number and can be a number from 1 - 8. The software applies the filters in
ascending numerical order. As soon as a match is found, the software takes the action specified by the filter
(block the broadcast) and does not compare the packet against additional broadcast filters.
You can specify any or ip udp as the type of broadcast traffic to filter. The any parameter prevents all broadcast
traffic from being sent on the specified ports. The ip udp parameter prevents all IP UDP broadcasts from being
sent on the specified ports but allows other types of broadcast traffic.
If you specify a port-based VLAN ID, the filter applies only to the broadcast domain of the specified VLAN, not to
all broadcast domains (VLANs) on the device.
As soon as you press Enter after entering the command, the CLI changes to the configuration level for the filter
you are configuring. You specify the ports to which the filter applies at the filter's configuration level.

Syntax: [no] exclude-ports ethernet <portnum> to <portnum>


Or

Syntax: [no] exclude-ports ethernet <portnum> ethernet <portnum>


These commands specify the ports to which the filter applies.
NOTE: This is the same command syntax as that used for configuring port-based VLANs. Use the first
command for adding a range of ports. Use the second command for adding separate ports (not in a range). You
also can combine the syntax. For example, you can enter exclude-ports ethernet 1/4 ethernet 2/6 to 2/9.
Possible values: see above
Default value: N/A

broadcast limit
Specifies the maximum number of broadcast packets the device can forward each second. By default the device
sends broadcasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However,
if other devices in the network cannot handle unlimited broadcast traffic, this command allows you to relieve those
devices by throttling the broadcasts at the Foundry device.
NOTE: The broadcast limit does not affect multicast or unicast traffic. However, you can use the multicast limit
and unknown-unicast limit commands to control these types of traffic. See "multicast limit" on page 6-53 and
"unknown-unicast limit" on page 6-98.
EXAMPLE:
ServerIron(config)# broadcast limit 30000

Syntax: broadcast limit <num>


Possible values: 0 - 4294967295
Default value: N/A

chassis name
Assigns an administrative ID to the device.
NOTE: This command does not change the CLI prompt. To change the CLI prompt, use the hostname
command. See "hostname" on page 6-32.
EXAMPLE:
ServerIron(config)# chassis name routernyc

Syntax: chassis name <text>


Possible values: Up to 32 alphanumeric characters
Default value: Null string

chassis poll-time
Changes the number of seconds between polls of the power supply and fan status.
Use the show chassis command to display the hardware status.
EXAMPLE:
To change the hardware poll time from 60 seconds (the default) to 30 seconds:
ServerIron(config)# chassis poll-time 30

Syntax: chassis poll-time <num>


Possible values: 0 - 65535
Default value: 60

chassis trap-log
Disables or re-enables status polling for individual power supplies and fans. When you disable status polling, a
fault in the power supply does not generate a trap in the system log.
EXAMPLE:
To disable polling of power supply 2, enter the following command:
ServerIron(config)# no chassis trap-log ps2

Syntax: [no] chassis trap-log ps1 | ps2 | fan1 | fan2


Possible values: see above
Default value: all traps enabled

clear
Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in
"Privileged EXEC Commands" on page 5-1.

clock summer-time
This command will automatically activate and deactivate daylight savings time for the relevant time zones.
EXAMPLE:
ServerIron(config)# clock summer-time

Syntax: clock summer-time


Possible values: N/A
Default value: N/A

clock timezone
Allows you to define the time zone of the clock. This parameter is used in conjunction with the clock set
command or for timestamps obtained from an SNTP server. The clock set... command is configured at the
privileged EXEC level of the CLI.
NOTE: Use this clock command before all others to ensure accuracy of the clock settings.
NOTE: For those time zones that recognize daylight savings time, the clock summer-time command will also
need to be defined.

NOTE: Clock settings are not saved over power cycles; however, you can configure the system to reference a
SNTP server at power up. This server will then automatically download the correct time reference for the network.
The local ServerIron will then adjust the time according to its time zone setting. For more details on setting up a
SNTP reference clock, refer to the sntp command at the privileged EXEC level and the sntp poll-interval and
sntp server commands at the global CONFIG level.
EXAMPLE:
ServerIron(config)# clock timezone us eastern

Syntax: clock timezone gmt | us <time-zone>


Possible values: The following time zones can be entered for US or GMT:
US time zones: alaska, aleutian, arizona, central, east-indiana, eastern, hawaii, michigan, mountain, pacific,
samoa
GMT time zones: gmt+12, gmt+11, gmt+10...gmt+01, gmt+00, gmt-01...gmt-10, gmt-11, gmt-12
Default value: gmt+00

confirm-port-up
Reduces the number of up-status confirmations the software requires before bringing a port up for use. This
command is useful for network interface cards (NICs) that are designed to come up very quickly in certain
applications and are sensitive to the slight delay caused by the Foundry ports as they wait for the multiple status
indications before coming up. You can configure a Foundry device to reduce the number of status indications the
software requires before bringing up a 10/100Base-Tx port.
NOTE: Do not use this command unless advised to do so by Foundry technical support.
By default, Foundry devices wait for multiple indications that a port is good before bringing the port up. Specific
types of networking devices are sensitive to the very slight delay caused by the multiple status indications. In this
case, you can use one of the following methods to reduce the number of status indications the software requires
before bringing up a 10/100Base-Tx port. You can set the parameter globally for all 10/100 ports.
EXAMPLE:
By default, Stackable devices bring a 10/100 Base-Tx port up after receiving ten consecutive up-status indications
for the port. You can reduce this number to as few as one indication.
To reduce the up-status indications required to bring up 10/100 ports on a Stackable device, enter the following
commands:
ServerIron(config)# confirm-port-up 1
ServerIron(config)# write mem

Syntax: [no] confirm-port-up <num>


The <num> parameter specifies the number of indications required by the software and can be from 1 - 10. The
default for Stackable devices is 10.
Possible values: 1 - 10
Default value: 10

console
Times out idle serial management sessions.
By default, a Foundry device does not time out serial CLI sessions. A serial session remains open indefinitely until
you close it. You can configure the device to time out serial CLI sessions if they remain idle for a specified number
of minutes. You can configure an idle timeout value from 0 - 240 minutes. The default is 0.

NOTE: If a session times out, the device does not close the connection. Instead, the CLI changes to the User
EXEC mode (for example: ServerIron>).
EXAMPLE:
To configure the idle timeout for serial CLI sessions, enter a command such as the following:
ServerIron(config)# console timeout 20
This command configures the idle timeout value to 20 minutes.

Syntax: [no] console timeout <num>


The <num> parameter specifies the number of minutes the serial CLI session can remain idle before it times out.
You can specify from 0 - 240 minutes. The default is 0 (sessions never time out).
Possible values: 0 - 240 minutes
Default value: 0 (sessions never time out)

crypto key
Configures a host RSA public and private key pair for SSH. The host RSA key pair is stored in the Foundry
device's system-config file. Only the public key is readable. The host RSA key pair is used to negotiate a session
key and encryption method with the SSH clients trying to connect to it.
EXAMPLE 1:
To generate a public and private host RSA key pair for the Foundry device:
ServerIron(config)# crypto key generate rsa
ServerIron(config)# wri mem
A host RSA key pair is stored in the system-config file, and SSH is enabled on the device.
EXAMPLE 2:
To delete the host RSA key pair from the system-config file:
ServerIron(config)# crypto key zeroize rsa
ServerIron(config)# wri mem
The host RSA key pair is deleted from the system-config file, and SSH is disabled on the device.

Syntax: crypto key generate | zeroize rsa


Possible values: N/A
Default value: N/A

crypto random-number-seed
Creates a new seed for generating a random number that is used for generating the dynamically created server
RSA key pair for SSH.
EXAMPLE:
ServerIron(config)# crypto random-number-seed generate

Syntax: crypto random-number-seed generate


Possible values: N/A
Default value: N/A

decnet-proto
Creates a Decnet protocol VLAN on a Foundry switch or router. All ports will by default be assigned to the VLAN
when initially created. VLAN Membership can be modified using the dynamic, static, or exclude commands.

EXAMPLE:
To create a Decnet protocol VLAN with permanent port membership of 15 and 16 with port 17 as a dynamic
member port (on module 1), enter the following commands.
ServerIron(config)# decnet-proto
ServerIron(config-decnet-proto)# static e 1/15 to 1/16
ServerIron(config-decnet-proto)# exclude e 1/1 to 1/14 e 1/18

Syntax: decnet-proto
Possible values: N/A
Default value: N/A

default-vlan-id
When you enable port-based VLAN operation, all ports are assigned to VLAN 1 by default. As you create
additional VLANs and assign ports to them, the ports are removed from the default VLAN. All ports that you do
not assign to other VLANs remain members of default VLAN 1. This behavior ensures that all ports are always
members of at least one VLAN.
You can change the VLAN ID for the default VLAN by entering the following command at the global CONFIG level
of the CLI:
ServerIron(config)# default-vlan-id 1001
You must specify a valid VLAN ID that is not already in use. For example, if you have already defined VLAN 10, do
not try to use "10" as the new VLAN ID for the default VLAN. Valid VLAN IDs are numbers from 1 - 4095.
NOTE: Changing the default VLAN name does not change the properties of the default VLAN. Changing the
name allows you to use the VLAN ID "1" as a configurable VLAN.

dhcp-gateway-list
This parameter must be defined when the feature, DHCP Assist, is enabled on a Foundry switch. A gateway
address must be defined for each sub-net that will be requesting addresses from a DHCP server. This allows the
stamping process to occur. Each gateway address defined on the switch corresponds to an IP address of the
ServerIron interface or other device involved.
Up to eight addresses can be defined for each gateway list in support of ports that are multi-homed. When
multiple IP addresses are configured for a gateway list, the switch inserts the addresses into the discovery packet
in a round robin fashion.
Up to 32 gateway lists can be defined for each switch.
NOTE: For more details on this command and the DHCP Assist feature, see the Foundry Switch and Router
Installation and Basic Configuration Guide.
EXAMPLE:
ServerIron(config)# dhcp-gateway-list 1 192.95.5.1
ServerIron(config)# int e 2
ServerIron(config-if-2)# dhcp-gateway-list 1

Syntax: dhcp-gateway-list <num> <ip-addr>


Possible values: N/A
Default value: N/A

enable
You can use the enable command to assign three levels of passwords to provide a range of access points for
various users within the network.
The three levels are:

Super user: This user has unlimited access to all levels of the CLI. This level is generally reserved for system
administration. The super user is also the only user that can assign a password access level to another user.

Configure Port: This user has the ability to configure interface parameters only. The user can also view any
show commands.

Read only: A user with this password level is only able to view show commands. No configuration is allowed
with this password access type.

NOTE: You also can secure access using a RADIUS or TACACS/TACACS+ server or local user accounts. See
the Foundry Security Guide.
EXAMPLE:
ServerIron(config)# enable super-user-password Alexis
ServerIron(config)# enable read-only-password Jim
ServerIron(config)# enable port-config-password Bill

Syntax: enable super-user-password | read-only-password | port-config-password <text>


Possible values: Up to 32 alphanumeric characters can be assigned in the text field.
Default value: No system default

enable password-display
By default, passwords are never visible, even in the configuration file. If you want passwords to be visible in the
configuration file, use the enable password-display command. The next time you display the configuration file,
the passwords will be visible along with the commands used to set them. This command takes effect immediately.
EXAMPLE:
ServerIron(config)# enable password-display

Syntax: [no] enable password-display


Possible values: N/A
Default value: Disabled

enable skip-page-display
Removes the stop page display characteristic for the write terminal command. For example, by default, when a
user enters the command write terminal the full configuration will generally involve more than a single page
display. You are prompted to enter the return key to view the next page of information. When this command is
enabled, this page-by-page prompting will be removed and the entire display will roll on the screen until the end is
reached.
To re-enable the stop page display characteristic, enter the no enable skip-page-display command.
EXAMPLE:
To remove the page-by-page display of configuration information, enter the following:
ServerIron(config)# enable skip-page-display

Syntax: enable skip-page-display


Possible values: N/A
Default value: Disabled

enable snmp config-radius


Enables users of IronView or other SNMP management applications to configure RADIUS authentication
parameters on the ServerIron.
EXAMPLE:
To enable IronView users to configure RADIUS authentication parameters on the ServerIron, enter the following:
ServerIron(config)# enable snmp config-radius

Syntax: enable snmp config-radius


Possible values: N/A
Default value: Disabled

enable snmp config-tacacs


Enables users of IronView or other SNMP management applications to configure TACACS/TACACS+
authentication parameters on the ServerIron.
EXAMPLE:
To enable IronView users to configure TACACS/TACACS+ authentication parameters on the Foundry device, enter
the following:
ServerIron(config)# enable snmp config-tacacs

Syntax: enable snmp config-tacacs


Possible values: N/A
Default value: Disabled

enable telnet authentication


Allows you to use local access control or a RADIUS server to authenticate telnet access to the ServerIron.
EXAMPLE:
ServerIron(config)# enable telnet authentication

Syntax: [no] enable telnet authentication


Possible values: N/A
Default value: Disabled

enable telnet password


Allows you to assign a password for Telnet session access. To close a Telnet session, enter logout.
EXAMPLE:
ServerIron(config)# enable telnet password secretsalso

Syntax: enable telnet password <text>


Possible values: Up to 32 alphanumeric characters can be assigned as the password.
Default value: No system default.
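
The management-access commands in this chapter (all-client, console timeout, enable password-display, enable snmp config-radius, enable snmp config-tacacs, enable telnet authentication) can be checked together in a saved configuration. The following Python audit is an added example, not Foundry code; it assumes the configuration text lists global CONFIG commands one per line as they are typed at the CLI, and the check names and sample configurations are constructed.

```python
import re

# Constructed sample configurations (not from a real device).
WEAK_CONFIG = """\
enable password-display
enable telnet password EXAMPLE-PLACEHOLDER
enable snmp config-radius
console timeout 0
"""

HARDENED_CONFIG = """\
enable telnet authentication
console timeout 20
all-client 209.157.22.26
"""


def commands(config_text):
    """Return configuration lines, trimmed, without blanks or '!' separator lines."""
    lines = []
    for line in config_text.splitlines():
        line = line.strip()
        if line and not line.startswith("!"):
            lines.append(line)
    return lines


def audit(config_text):
    """Return (check, detail) findings; an empty list means every check passed."""
    lines = commands(config_text)
    findings = []

    def present(command):
        # A line such as "no enable password-display" does not count as present.
        return any(l == command or l.startswith(command + " ") for l in lines)

    # Passwords are hidden in the configuration file unless this is entered.
    if present("enable password-display"):
        findings.append(("password-display",
                         "passwords are visible in the configuration file"))

    # Default is 0: idle serial CLI sessions stay open until closed.
    # Assumption: if the command appears more than once, the last one applies.
    timeout = 0
    for line in lines:
        match = re.fullmatch(r"console timeout (\d+)", line)
        if match:
            timeout = int(match.group(1))
    if timeout == 0:
        findings.append(("console-timeout",
                         "idle serial CLI sessions never time out"))
    elif timeout > 240:
        findings.append(("console-timeout", "value is outside 0 - 240 minutes"))

    # all-client covers Telnet, Web and SNMP; the other three cover one each.
    all_client_hosts = [l for l in lines if l.startswith("all-client ")]
    if len(all_client_hosts) > 10:
        findings.append(("all-client-count",
                         "more than ten all-client addresses are configured"))
    for platform, command in (("telnet", "telnet client"),
                              ("web", "web client"),
                              ("snmp", "snmp-client")):
        if not all_client_hosts and not present(command):
            findings.append((f"unrestricted-{platform}",
                             f"{platform} management access is not limited "
                             "to specified hosts"))

    # Disabled by default.
    if not present("enable telnet authentication"):
        findings.append(("telnet-auth",
                         "Telnet access is not authenticated through local "
                         "access control or a RADIUS server"))

    # Disabled by default; when present, SNMP applications can change
    # the authentication parameters.
    for method in ("radius", "tacacs"):
        if present(f"enable snmp config-{method}"):
            findings.append((f"snmp-config-{method}",
                             f"SNMP applications can configure {method.upper()} "
                             "authentication parameters"))
    return findings


def failed_checks(config_text):
    """Names of the checks that produced a finding, in report order."""
    return [check for check, _ in audit(config_text)]
```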

end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
ServerIron(config)# end
ServerIron#

Syntax: end
Possible values: N/A

Default value: N/A

exit
Moves activity up one level from the current level. In this case, activity will be moved to the privileged level.
EXAMPLE:
To move from the global level, back to the privileged level, enter the following:
ServerIron(config)# exit
ServerIron#

Syntax: exit
Possible values: N/A
Default value: N/A

fast port-span
Configures the Fast Port Span feature, which allows faster STP convergence on ports that are attached to end
stations.
EXAMPLE:
To enable Fast Port Span:
ServerIron(config)# fast port-span
EXAMPLE:
To exclude a port from Fast Port Span, while leaving Fast Port Span enabled globally:
ServerIron(config)# fast port-span exclude ethernet 1

Syntax: [no] fast port-span [exclude ethernet <portnum> [ethernet <portnum> | to <portnum>]]
Possible values: Valid port numbers
Default value: Enabled

fast uplink-span
Configures the Fast Uplink Span feature, which reduces the convergence time for uplink ports to another device to
just four seconds (two seconds for listening and two seconds for learning).
EXAMPLE:
To configure a group of ports for Fast Uplink Span, enter the following commands:
ServerIron(config)# fast uplink-span ethernet 1 to 4

Syntax: [no] fast uplink-span [ethernet <portnum> [ethernet <portnum> | to <portnum>]]


Possible values: Ports that have redundant uplinks on a wiring closet switch.
Default value: Disabled

flow-control
Allows you to turn flow control (802.3x) for full-duplex ports on or off (no). By default, flow control is on. To turn the
feature off, enter the command no flow-control.
EXAMPLE:
ServerIron(config)# no flow-control
To turn the feature back on later, enter the following command:
ServerIron(config)# flow-control

Syntax: [no] flow-control


Possible values: N/A

Default value: on

gig-default
Changes the default negotiation mode for Gigabit ports on Chassis devices. You can configure the default Gigabit
negotiation mode to be one of the following:

Negotiate-full-auto The port first tries to perform a handshake with the other port to exchange capability
information. If the other port does not respond to the handshake attempt, the port uses the manually
configured configuration information (or the defaults if an administrator has not set the information). This is
the default for Chassis devices (including the TurboIron/8).

Auto-Gigabit The port tries to perform a handshake with the other port to exchange capability information.
This is still the default for Stackable devices.

Negotiation-off The port does not try to perform a handshake. Instead, the port uses configuration
information manually configured by an administrator.

See the "Configuring Basic Features" chapter of the Foundry Switch and Router Installation and Basic
Configuration Guide for more information.
NOTE: This command does not apply to Stackable devices. To change the negotiation mode for a Stackable
Gigabit Ethernet port, use the [no] auto-gig command at the Interface level. See "auto-gig" on page 8-1.
EXAMPLE:
To change the mode globally to negotiation-off, enter the following command:
ServerIron(config)# gig-default neg-off
To override the global default on an individual Gigabit port, see "gig-default" on page 8-3.

Syntax: gig-default neg-full-auto | auto-gig | neg-off


Possible values: see above
Default value: neg-full-auto

gslb affinity
Changes the CLI to the GSLB affinity configuration level. See "GSLB Affinity Commands" on page 13-1 for
information about the commands at this level.
EXAMPLE:
To configure an affinity definition, enter commands such as the following:
ServerIron(config)# gslb affinity
ServerIron(config-gslb-affinity)# prefer sunnyvale slb-1 for 0.0.0.0/0
ServerIron(config-gslb-affinity)# prefer atlanta slb-1 for 192.108.22.0/22
These commands configure a default affinity definition (using the 0.0.0.0/0 prefix) and an affinity definition that
uses prefix 192.108.22.0/22. For clients that are not within the prefix in the second affinity definition, the
ServerIron uses the default affinity definition. The ServerIron sends clients whose IP addresses are within the
192.108.22.0/22 prefix to a VIP on slb-1 at the atlanta site, when available. The ServerIron sends all other
clients to a VIP on slb-1 at the sunnyvale site, when available.

Syntax: gslb affinity


This command places the CLI at the affinity configuration level.

Syntax: [no] prefer <site-name> <si-name> | <si-ip-addr> for <ip-addr> <ip-mask> | <ip-addr>/<prefix-length>
You can refer to the ServerIron by its GSLB site name and ServerIron name or by its management IP address.
Use one of the following parameters:

• The <site-name> and <si-name> parameters specify the remote site and a ServerIron at that site. If you use
this method, you must specify both parameters.

• The <si-ip-addr> parameter specifies the site ServerIron's management IP address.

NOTE: In either case, the running-config and the startup-config file refer to the ServerIron by its IP address.
The <ip-addr> <ip-mask> or <ip-addr>/<prefix-length> parameter specifies the prefix. You can specify a mask
from 0.0.0.0 – 255.255.255.254. If you instead specify a prefix length, you can specify from 0 – 31 bits.
If you specify 0.0.0.0 0.0.0.0 or 0.0.0.0/0, the ServerIron applies the affinity definition to all client addresses. As a
result, an address that does not match another affinity definition uses the zero affinity definition by default. If you
do not configure a default affinity definition, the ServerIron uses the standard GSLB policy for clients whose
addresses are not within a prefix in an affinity definition.
Possible values: see above
Default value: N/A
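
The matching rules described above, as an added example (not Foundry code): this Python sketch parses prefer lines, enforces the 0 – 31 bit prefix-length limit, and picks the affinity definition that applies to a client address. Two things are assumptions: that the most specific prefix wins when definitions overlap, and that host bits in a prefix are masked off in the standard way, which makes 192.108.22.0/22 cover 192.108.20.0 through 192.108.23.255. The third sample line is constructed.

```python
import ipaddress

# Constructed sample input: the two prefer lines from the example above, plus
# one line in <si-ip-addr> and <ip-addr> <ip-mask> form chosen for illustration.
SAMPLE_CONFIG = """\
gslb affinity
 prefer sunnyvale slb-1 for 0.0.0.0/0
 prefer atlanta slb-1 for 192.108.22.0/22
 prefer 209.157.22.210 for 10.1.0.0 255.255.0.0
"""


def parse_prefer(line):
    """Parse one prefer line into (target, IPv4Network); raise ValueError if invalid."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "prefer" or "for" not in tokens:
        raise ValueError(f"not a prefer command: {line.strip()!r}")
    split_at = tokens.index("for")
    target, prefix = tokens[1:split_at], tokens[split_at + 1:]

    # Target is either <site-name> <si-name> or a single <si-ip-addr>.
    if len(target) == 1:
        ipaddress.IPv4Address(target[0])  # raises ValueError if not an address
    elif len(target) != 2:
        raise ValueError(f"expected site and ServerIron name: {line.strip()!r}")

    # Prefix is either <ip-addr>/<prefix-length> or <ip-addr> <ip-mask>.
    if len(prefix) == 2:
        spec = f"{prefix[0]}/{prefix[1]}"
    elif len(prefix) == 1 and "/" in prefix[0]:
        spec = prefix[0]
    else:
        raise ValueError(f"bad prefix: {line.strip()!r}")

    # strict=False masks off host bits (assumption: standard mask arithmetic).
    network = ipaddress.IPv4Network(spec, strict=False)
    if network.prefixlen > 31:
        raise ValueError("prefix length must be 0 - 31 bits")
    return " ".join(target), network


def parse_affinity(config_text):
    """Return every affinity definition found in the configuration text."""
    return [
        parse_prefer(line)
        for line in config_text.splitlines()
        if line.split()[:1] == ["prefer"]
    ]


def select_affinity(definitions, client_ip):
    """Return the preferred target for a client, or None if nothing matches.

    None corresponds to the case with no default (0.0.0.0/0) definition, where
    the standard GSLB policy applies. Most-specific-prefix selection between
    overlapping definitions is an assumption of this example.
    """
    address = ipaddress.IPv4Address(client_ip)
    matches = [(net.prefixlen, target) for target, net in definitions if address in net]
    if not matches:
        return None
    return max(matches, key=lambda match: match[0])[1]


if __name__ == "__main__":
    definitions = parse_affinity(SAMPLE_CONFIG)
    for target, network in definitions:
        print(f"{str(network):18} -> {target}")
    for client in ("192.108.22.50", "192.108.20.1", "192.108.24.1", "10.1.2.3"):
        print(client, "->", select_affinity(definitions, client))
```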

gslb communication
Changes the TCP port number used by the GSLB protocol. By default, a GSLB ServerIron uses TCP port 182 to
exchange GSLB information with other ServerIrons, including the site ServerIrons. You can change the GSLB
protocol port if needed. For example, if other devices in the network also use port 182, but for other applications,
you need to change the protocol port on those devices or on the ServerIrons.
NOTE: If you change the GSLB protocol port number, you must save the change to the startup-config file and
reload the software to place the change into effect. Also, you must change the port to the same number on all
ServerIrons in the GSLB configuration. If the port number in two GSLB ServerIrons is not the same, those
ServerIrons are not able to properly perform GSLB.
EXAMPLE:
To change the GSLB protocol port number on a ServerIron, enter commands such as the following:
ServerIron(config)# gslb communication 1882
ServerIron(config)# write memory
ServerIron(config)# end
ServerIron# reload
The first command changes the TCP protocol port from 182 to the specified port number, in this example 1882.
The subsequent commands save the configuration change to the startup-config file and reload the software to
place the change into effect.

Syntax: [no] gslb communication <tcp-portnum>


The <tcp-portnum> parameter specifies the TCP port number you want the ServerIron to use for exchanging
GSLB information with other ServerIrons.
Possible values: a valid TCP port number
Default value: 182

gslb dns zone-name


Changes the CLI to the GSLB zone configuration level. See "GSLB DNS Zone Commands" on page 14-1 for
information about the commands at this level.
EXAMPLE:
To specify the foundrynet.com zone and two host names, each of which is associated with an application, enter
the following commands:
ServerIron(config)# gslb dns zone-name foundrynet.com
ServerIron(config-gslb-dns-foundrynet.com)# host-info www http
ServerIron(config-gslb-dns-foundrynet.com)# host-info ftp ftp
The commands in this example add the zone foundrynet.com and add two hosts within that zone: www and ftp.
The GSLB ServerIron will provide global SLB for these two hosts within the zone.

Syntax: [no] gslb dns zone-name <name>

The <name> parameter specifies the DNS zone name.


NOTE: If you delete a DNS zone (by entering the no gslb dns zone-name <name> command), the zone and all
the host names you associated with the zone are deleted.

Syntax: [no] host-info <host-name> <host-application> | <tcp/udp-portnum>


The <host-name> parameter specifies the host name. You do not need to enter the entire (fully-qualified) host
name. Enter only the host portion of the name. For example, if the fully qualified host name is
www.foundrynet.com, do not enter the entire name. Enter only www. The rest of the name is already specified
by the gslb dns zone-name command. You can enter a name up to 32 characters long.
The <host-application> specifies the host application for which you want the GSLB ServerIron to provide global
SLB. You can specify one of the following:

• FTP: the well-known name for port 21. (Ports 20 and 21 both are FTP ports but on the ServerIron, the name
FTP corresponds to port 21.)

• TFTP: the well-known name for port 69

• HTTP: the well-known name for port 80

• IMAP4: the well-known name for port 143

• LDAP: the well-known name for port 389

• NNTP: the well-known name for port 119

• POP3: the well-known name for port 110

• SMTP: the well-known name for port 25

• TELNET: the well-known name for port 23

The <tcp/udp-portnum> parameter specifies a TCP/UDP port number instead of a well-known port. If the
application is not one of those listed above, you still can configure the GSLB ServerIron to perform the Layer 4
health check on the specified port.
NOTE: If the application number does not correspond to one of the well-known ports recognized by the
ServerIron, the GSLB ServerIron performs Layer 4 TCP or UDP health checks for the ports but does not perform
application-specific health checks.
Possible values: see above
Default value: N/A

gslb policy
Changes the CLI to the GSLB policy configuration level. See "GSLB Policy Commands" on page 16-1 for
information about the commands at this level.
EXAMPLE:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)#

Syntax: gslb policy


Possible values: N/A
Default value: N/A

gslb protocol
Enables the GSLB protocol on a site ServerIron in a GSLB configuration. The GSLB protocol is enabled by default
on the GSLB ServerIron but is disabled by default on the site ServerIrons.

NOTE: The ServerIron uses TCP port 182 for the GSLB protocol by default. You can change the port number if
needed. See "gslb communication" on page 6-21.
EXAMPLE:
ServerIron(config)# gslb protocol

Syntax: [no] gslb protocol


Possible values: N/A
Default value: N/A

gslb site
Changes the CLI to the GSLB site configuration level. See "GSLB Site Commands" on page 15-1 for information
about the commands at this level.
EXAMPLE:
To identify two server sites, each of which has two ServerIrons, enter the following commands:
ServerIron(config)# gslb site sunnyvale
ServerIron(config-gslb-site-sunnyvale)# si-name slb-1 209.157.22.209
ServerIron(config-gslb-site-sunnyvale)# si-name slb-2 209.157.22.210
ServerIron(config)# gslb site atlanta
ServerIron(config-gslb-site-atlanta)# si-name slb-1 192.108.22.111
ServerIron(config-gslb-site-atlanta)# si-name slb-2 192.108.22.112
These commands configure two GSLB sites. One of the sites is in Sunnyvale and the other is in Atlanta. Each
site contains two ServerIrons that load balance traffic across server farms. The GSLB ServerIron you are
configuring will use information provided by the other ServerIrons when it evaluates the servers listed in DNS
replies.

Syntax: [no] gslb site <name>


The <name> parameter is a text string that uniquely identifies the site on the GSLB ServerIron. You can enter a
string up to 16 characters long. The string can contain blanks. To use blanks, enclose the string in quotation
marks.
NOTE: If you delete a GSLB site (by entering the no gslb site <name> command), the site and all the
ServerIrons you associated with the site are deleted.

Syntax: [no] si-name [<name>] <ip-addr>


The <name> parameter specifies a unique name for the ServerIron at the site. You can enter a string up to 16
characters long. The string can contain blanks. To use blanks, enclose the string in quotation marks. You can
enter up to four pairs of ServerIron name and IP address on the same command line. The name is optional.
NOTE: Enter the ServerIron's management IP address, not a virtual IP address (VIP) configured on the
ServerIron or a source IP address added for source NAT.

healthck (ServerIronXL)
Configures a health-check policy on the ServerIronXL. Health-check policies consist of element-action
expressions and logical operators.

• Element-action expression: In the case of Layer 3 health checks, an element-action expression consists of
the IP protocol to be used (ICMP) and the IP address to be checked.

• Logical operator: A logical operator is the Boolean operator OR or AND. To configure a health-check policy
that requires a reply from all IP addresses in the policy, use the operator AND. To create a policy that is
successful if at least one of the addresses replies, use OR.

You can use the same element-action expressions in multiple logical expressions if desired. You can configure up
to 254 health-check policies. The default maximum number you can configure is 128. You can change the
maximum to a number from 64 – 254.
To use a health-check policy:

• Configure the element-action expressions.

• Configure the health-check policy using element-action expressions and the logical operator AND or OR.

• Bind logical expressions to application ports on specific VIPs. A health-check policy does not take effect until
you bind it to an application port on a VIP.

EXAMPLE:
Here is an example of how to configure and apply a Layer 3 health-check policy.
ServerIron(config)# healthck Rtr2-ck1 icmp
ServerIron(config-hc-Rtr2-ck1)# dest-ip 10.168.2.56
ServerIron(config-hc-Rtr2-ck1)# healthck Rtr2-ck2 icmp
ServerIron(config-hc-Rtr2-ck2)# dest-ip 10.168.2.57
ServerIron(config)# healthck Router2 boolean
ServerIron(config-hc-Router2)# and Rtr2-ck1 Rtr2-ck2
ServerIron(config)# server virtual-name VIP1 1.1.1.1
ServerIron(config-vs-VIP1)# port http healthck Router2
These commands configure two element-action expressions, "Rtr2-ck1" and "Rtr2-ck2", and use them in a
health-check policy called "Router2". The last two commands apply the health-check policy to the HTTP port on VIP1.
For more information, see the following sections.
For Layer 3 health-check policies, an element-action expression contains an IP address. To configure an
element-action expression, enter commands such as the following:
ServerIron(config)# healthck Rtr2-ck1 icmp
ServerIron(config-hc-Rtr2-ck1)# dest-ip 10.168.2.56
ServerIron(config-hc-Rtr2-ck1)# healthck Rtr2-ck2 icmp
ServerIron(config-hc-Rtr2-ck2)# dest-ip 10.168.2.57
The commands in this example configure two element-action expressions.

Syntax: [no] healthck <element-name> <protocol>


Syntax: [no] dest-ip <ip-addr>
The <element-name> parameter specifies a name for the element-action expression. The name can be up to 20
characters long. The name cannot contain blanks.
The <protocol> parameter specifies the IP protocol to use for the health check. The Layer 3 health checks use
ICMP echo packets. Therefore, you must specify icmp.
The <ip-addr> parameter specifies the IP address to check.
A health-check policy consists of one or more element-action expressions. When a logical expression contains
multiple element-action expressions, the policy also contains the logical operator AND or OR.
You can use a health-check policy as an element-action expression in another policy.
To configure a health-check policy, enter commands such as the following:
ServerIron(config)# healthck Router2 boolean
ServerIron(config-hc-Router2)# and Rtr2-ck1 Rtr2-ck2
These commands configure a health-check policy that uses the element-action expressions "Rtr2-ck1" and
"Rtr2-ck2". Since the AND operator is used, the IP addresses in both "Rtr2-ck1" and "Rtr2-ck2" must reply successfully
for the health check to be successful. If only one of the addresses replies, the health check is unsuccessful and
the ServerIron brings the VIP down.

Syntax: [no] healthck <policy-name> boolean

Syntax: <element-name>
Or

Syntax: and | or <element-name> <element-name>


The <policy-name> parameter specifies the name of the health-check policy. The name can be up to 20
characters long. The name cannot contain blanks.
The and | or parameter specifies a logical operator in the health-check policy.

• You can specify an element-action without also specifying a logical operator (AND or OR). In this case, the
policy checks the health of the specified element (IP address) and has a true result (the health check is
successful) if the element replies to the health check.

• You can enter two element-action expressions along with the logical operator "and" or "or".

    - If you specify "and", the policy evaluates to true only if all elements (IP addresses) respond to the health
      check.

    - If you specify "or", the policy is true if at least one of the elements responds to the health check.

If you want to use a single health-check policy to test more than two IP addresses, configure health-check policies
for all the IP addresses, and use them in another health-check policy. For example, to create a health-check policy
that tests four IP addresses, enter commands such as the following:
ServerIron(config)# healthck nest1 icmp
ServerIron(config-hc-nest1)# dest-ip 1.1.1.10
ServerIron(config-hc-nest1)# healthck nest2 icmp
ServerIron(config-hc-nest2)# dest-ip 1.1.1.20
ServerIron(config-hc-nest2)# healthck nest3 icmp
ServerIron(config-hc-nest3)# dest-ip 1.1.1.30
ServerIron(config-hc-nest3)# healthck nest4 icmp
ServerIron(config-hc-nest4)# dest-ip 1.1.1.40

The commands above configure four element-action expressions, one for each IP address. The following
commands configure two health-check policies, each of which contains two of the IP addresses.
ServerIron(config-hc-nest4)# healthck nested1 boolean
ServerIron(config-hc-nested1)# or nest1 nest2
ServerIron(config-hc-nested1)# healthck nested2 boolean
ServerIron(config-hc-nested2)# or nest3 nest4
The following command creates a health-check policy that contains the two policies configured above. The result
is a single health-check policy for all four IP addresses.
ServerIron(config-hc-nested2)# healthck check1 boolean
ServerIron(config-hc-check1)# or nested1 nested2
In this example, the OR logical operator is used in all the policies. Thus, the "check1" health check is successful if
at least one of the four IP addresses responds. To create more restrictive policies, you can use the AND logical
operator. For example, if the AND operator is used in this configuration instead of OR, the health check is
successful only if all four IP addresses respond.
You also can combine policies that use AND with policies that use OR in nested health-check policies.
After you configure logical expressions, you can bind them to application ports on VIPs. A health-check policy
does not take effect until you bind the policy to an application port on a VIP.
To bind a health-check policy to an application port on a VIP, enter commands such as the following:
ServerIron(config)# server virtual-name VIP1 1.1.1.1
ServerIron(config-vs-VIP1)# port http healthck Router2
This command configures virtual IP address VIP1 to use the health-check policy named "Router2" to check the
health of HTTP (port 80) for the VIP.

Syntax: [no] port <tcp/udp-portnum> healthck <policy-name>

The <tcp/udp-portnum> parameter specifies a TCP or UDP application port. The <policy-name> parameter
specifies the health-check policy you want to use to check the Layer 3 health of a device associated with the
application port.
Possible values: See above
Default value: None configured
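
The nesting and binding rules of this section, as an added example (not Foundry code): this Python sketch parses healthck commands with the prompts removed, evaluates nested AND/OR policies against a set of addresses assumed to answer ICMP, and reports policies that reference undefined elements or never take effect because nothing binds them to a VIP port. The sample configuration is constructed from the nested example above; the policy "spare", the element "nest9", the AND in "nested2" and the binding of "check1" to VIP1 are assumptions made for illustration.

```python
# Constructed sample, modelled on the nested example above (prompts removed).
# "spare" and its member "nest9" are deliberate mistakes for the lint step.
SAMPLE_CONFIG = """\
healthck nest1 icmp
 dest-ip 1.1.1.10
healthck nest2 icmp
 dest-ip 1.1.1.20
healthck nest3 icmp
 dest-ip 1.1.1.30
healthck nest4 icmp
 dest-ip 1.1.1.40
healthck nested1 boolean
 or nest1 nest2
healthck nested2 boolean
 and nest3 nest4
healthck check1 boolean
 or nested1 nested2
healthck spare boolean
 and nest1 nest9
server virtual-name VIP1 1.1.1.1
 port http healthck check1
"""


def parse_config(text):
    """Return (policies, bindings) parsed from healthck and VIP port commands."""
    policies, bindings = {}, []
    current = vip = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "healthck" and len(t) == 3:
            current, vip = t[1], None
            policies[current] = {"kind": t[2], "ip": None, "op": None, "members": []}
        elif t[:2] == ["server", "virtual-name"] and len(t) >= 3:
            vip, current = t[2], None
        elif vip and len(t) == 4 and t[0] == "port" and t[2] == "healthck":
            bindings.append((vip, t[1], t[3]))
        elif current and t[0] == "dest-ip" and len(t) == 2:
            policies[current]["ip"] = t[1]
        elif current and policies[current]["kind"] == "boolean":
            # "and a b", "or a b", or a single element name with no operator.
            has_op = t[0] in ("and", "or")
            policies[current]["op"] = t[0] if has_op else None
            policies[current]["members"] = t[1:] if has_op else t
    return policies, bindings


def evaluate(policies, name, replying, _stack=()):
    """True if the named element or policy passes, given the replying addresses."""
    if name in _stack:
        raise ValueError(f"circular reference through {name}")
    policy = policies[name]  # KeyError means an undefined element or policy
    if policy["kind"] != "boolean":
        return policy["ip"] in replying
    results = [evaluate(policies, m, replying, _stack + (name,)) for m in policy["members"]]
    return all(results) if policy["op"] == "and" else any(results)


def lint(policies, bindings):
    """Return (name, issue) findings for the documented limits and binding rule."""
    findings = []
    for name, policy in policies.items():
        if len(name) > 20:
            findings.append((name, "name longer than 20 characters"))
        if policy["kind"] != "boolean" and policy["ip"] is None:
            findings.append((name, "no dest-ip configured"))
        for member in policy["members"]:
            if member not in policies:
                findings.append((name, f"undefined member {member}"))
    for vip, port, name in bindings:
        if name not in policies:
            findings.append((name, f"bound on {vip} port {port} but not defined"))
    # A policy takes effect only when bound, directly or through a bound policy.
    live, todo = set(), [name for _, _, name in bindings]
    while todo:
        name = todo.pop()
        if name in policies and name not in live:
            live.add(name)
            todo.extend(policies[name]["members"])
    findings += [(n, "not bound to any VIP port") for n in policies if n not in live]
    return findings


def vip_port_status(policies, bindings, replying):
    """Map (vip, port) to True (up) or False (down) for every binding."""
    return {(vip, port): evaluate(policies, name, replying) for vip, port, name in bindings}


if __name__ == "__main__":
    policies, bindings = parse_config(SAMPLE_CONFIG)
    print(vip_port_status(policies, bindings, {"1.1.1.30"}))
    for finding in lint(policies, bindings):
        print(finding)
```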

healthck (ServerIron 400 and ServerIron 800)


Configures a health-check policy on the ServerIron 400 and ServerIron 800.
Health-check policies enable you to assess the health of any application port using the health-check mechanisms
for ports well-known to the ServerIron. In addition, health-check policies enable you to use multiple checks with
different parameters, and base a port's health on successful completion of all or any one of the individual checks in
the policy.
Depending on the conditions you specify when you configure a health-check policy, the ServerIron will bring the
application port on a server down in one of the following cases:

• Any one of the servers fails its health check (individual health checks combined using AND condition): In this
case, all servers in the policy must pass their health checks. Otherwise, the ServerIron considers all of the
servers to have failed the health checks and brings down the application on all servers that are checked by
the policy.

• All of the servers fail their health checks (individual health checks combined using OR condition): In this
case, an application port remains up as long as at least one of the servers checked by the policy passes its
health check.

For finer control, you can combine OR and AND conditions.


When you attach a health-check policy to a real server's application port, the ServerIron uses the health-check
policy for periodic health checks and also for the next initial bringup of the server. When a health-check policy is
attached, the ServerIron no longer uses the default health check methods for initial bringup and periodic health
checks described in "Health Check Summary" in the "Configuring Port and Health Check Parameters" chapter of
the Foundry ServerIron Installation and Configuration Guide.
Health-check policies consist of element-action expressions and logical expressions.

• Element-action expression: An element-action expression consists of the IP address of the server, the Layer
4 protocol (TCP or UDP), and the application port on the server. For some applications, the element-action
expression can also include Layer 7 application-specific health check information.

• Logical expression: A logical expression is a set of element-action expressions joined by the Boolean
operators OR and AND.

    - To create a health-check policy that is successful if at least one of the applications passes its health
      check, use OR.

    - To configure a health-check policy that is successful only if the ServerIron receives a successful reply
      from all servers and application ports in the policy, use the operator AND.

You can use the same element-action expressions in multiple logical expressions if desired. You can configure up
to 254 health-check policies.
To use a health-check policy:

• Configure the element-action expressions.

• Configure the health-check policy using element-action expressions and logical expressions joined by the
operators AND or OR.

• Attach logical expressions to application ports on specific real servers. A health-check policy does not take
effect until you attach it to an application port on a server.

NOTE: A health-check policy does not take effect (begin sending health check packets) until you attach the
policy to an application port on a real server.
EXAMPLE:
Configuring an Element-Action Expression
To configure an element-action expression, enter commands such as the following. The commands in this
example specify the IP address of the real server and the application port on the server.
ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port http
These commands change the CLI to the configuration level for an element-action expression, then specify the IP
address of the real server and the application port on the server. Since the specified application is well-known to
the ServerIron, the ServerIron automatically associates the default health check parameters for the port with the
element-action expression. In this example, the port is HTTP (80), so the ServerIron associates the default HTTP
health check parameters with the element-action expression. By default, the ServerIron sends a HEAD request
for the default page, 1.0.
NOTE: If you do not specify the server IP address and the application port, the ServerIron will list the status of
the health check as FALSE (failed).
To configure an element-action expression for a port number that is not well-known to the ServerIron, enter
commands such as the following:
ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port 8080
ServerIron(config-hc-check1)# protocol http
These commands configure an element-action expression for unknown port 8080 and associate the default health
check parameters for port 80 with the unknown port. To customize the Layer 7 health check parameters for a port,
add the information with the protocol command, as in the following example:
ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port 8080
ServerIron(config-hc-check1)# protocol http url "GET/sales.html"
The protocol command in this example changes the Layer 7 health check parameters for this HTTP port to a GET
request for a page named "sales.html".

Syntax: [no] healthck <string> tcp | udp


This command begins configuration of the element-action expression. The <string> parameter specifies the name
for the expression and can be up to 20 characters long. The tcp | udp parameter specifies whether you are
configuring an expression for a TCP application port or a UDP application port. There is no default.

Syntax: [no] dest-ip <ip-addr>


This command specifies the IP address of the real server.

Syntax: [no] port <tcp/udp-port>


This command specifies the application port number.
NOTE: If you do not specify the server IP address and the application port, the ServerIron will list the status of
the health check as FALSE (failed).
You can specify any valid number, or one of the following port names well-known to the ServerIron:

• dns: port 53

• ftp: port 21. (Ports 20 and 21 both are FTP ports but in the ServerIron, the name ftp corresponds to port
21.)

• http: port 80

• imap4: port 143

• ldap: port 389

• nntp: port 119

• ntp: port 123

• pop2: port 109

• pop3: port 110

• radius: port 1812

• radius-old: the ServerIron name for UDP port 1645, which is used in some older RADIUS implementations
instead of port 1812

• smtp: port 25

• snmp: port 161

• ssl: port 443

• telnet: port 23

• tftp: port 69

NOTE: If you enter the no port <tcp/udp-port> command to remove the port, the ServerIron also removes the
protocol <tcp/udp-port> command (see below) if the port is well-known to the ServerIron. This is because the
ServerIron automatically uses the protocol that matches the well-known port. Otherwise, the ServerIron does not
remove the protocol. You must remove it separately.

Syntax: [no] protocol <tcp/udp-port>


This command specifies a port whose health-check mechanism you want to use for the port specified by the port
command. You need to use this command only if the port specified by the port command is not one of the ports
listed above but the port is the same type as one of the ports listed above. For example, use this command if you
want to use the DNS health-check mechanism for a port other than 53.
NOTE: You must specify the port using the port command before you enter the protocol command. If the port
command specified a port that is well-known to the ServerIron, the ServerIron automatically uses the protocol that
matches the port; you do not need to specify it and cannot change it.
NOTE: If you remove the Layer 7 health check information (using a no protocol command), the application will
fail the health check. If you want the ServerIron to use a Layer 4 health check instead, enter the l4-check
command to change the health-check type to Layer 4.
If the port is not well-known to the ServerIron and you do not specify a protocol for the Layer 7 health check, but
Layer 7 health checking is enabled for the port, the port will fail the health check.
See "Changing the Health-Check Type" below.
For some ports, you also can customize the Layer 7 information sent with the health check. Here is the syntax.

Syntax: [no] protocol http | 80
    [url [GET | HEAD] [/]<URL-page-name> |
    port http status_code <range> [<range>[<range>[<range>]]] |
    content-match <matching-list-name>]

This command changes one of the following HTTP health-check parameters. To change more than one of these
parameters, enter a separate protocol http or protocol 80 command for each parameter.

• url [GET | HEAD] [/]<URL-page-name>: This parameter specifies whether the HTTP health check
performs a GET request or a HEAD request. For GET requests, you can specify the page that is requested.
By default, a GET request asks for page 1.0.

• port http status_code <range> [<range>[<range>[<range>]]]: This parameter changes the HTTP status
codes that the ServerIron will accept as valid responses. Each <range> specifies the low number and high
number in a range of status codes. You can specify up to four ranges (total of eight values). To specify a
single message code for a range, enter the code twice. For example, to specify 200 only, enter the following
command: port http status_code 200 200. For SLB, the default status code range is 200 – 299. If the
server's reply to the health check contains a status code within this range, the ServerIron considers the HTTP
application to be healthy.

• content-match <matching-list-name>: This parameter attaches a match list for an HTTP content verification
health check to the real server. An HTTP content verification health check is a type of Layer 7 health check in
which the ServerIron examines text in an HTML file sent by a real server in response to an HTTP keepalive
request. The ServerIron searches the text in the HTML file for user-specified selection criteria and
determines whether the HTTP port on the real server is alive based on what it finds. The selection criteria
used in HTTP content verification is contained in a matching list that is attached to one or more real servers.
The following is an example of the commands used to set up a matching list. For information on how to
configure the match lists, see the "Configuring HTTP Content Matching Lists" section in the "Configuring Port
and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.

Syntax: [no] protocol dns | 53 [addr_query "<name>" | zone <zone-name>]


This command changes one of the following DNS health-check parameters. To change more than one of these
parameters, enter a separate protocol dns or protocol 53 command for each parameter.

• addr_query "<name>": This parameter specifies a domain name to be requested from the real server by
the ServerIron. If the server successfully responds with the IP address for the domain name, the server
passes the health check. There is no default.

• zone <zone-name>: This parameter specifies a DNS zone name. The ServerIron sends a Source-of-Authority
(SOA) request for the zone name. If the server is authoritative for the zone and successfully
responds to the SOA request, the server passes the health check. There is no default.

NOTE: If you do not configure one of these parameters, the DNS port will fail the health check.

Syntax: [no] protocol radius | 1812 [username <string>] | [password <string>] | [key <string>]
This command changes one of the following RADIUS health-check parameters. The health check requests values
that are configured on the RADIUS server. To change more than one of these parameters, enter a separate
protocol radius or protocol 1812 command for each parameter.

• username <string>: This parameter specifies an authentication username on the server.

• password <string>: This parameter specifies an authentication password on the server.

• key <string>: This parameter specifies an authentication key on the server.

Syntax: [no] protocol ldap | 389 [<num>]


This command changes the LDAP version. The health check sent by the ServerIron differs depending on the
version. You can specify 2 or 3. The default is 3.
Changing the Health-Check Interval and Retries
By default, the ServerIron performs a health check every 5 seconds. If a reply is not received, the ServerIron will
attempt the health check two more times before concluding that the application has failed the health check. You
can change the number of seconds the ServerIron will wait for a reply to a health check and the number of retries.

NOTE: The number of retries is the total number of attempts the ServerIron will make. Thus, if you use the
default interval and retries values, the ServerIron will send up to three health-check packets, at 5-second intervals.
If a server does not respond within 15 seconds of the time the ServerIron sent the first health-check packet, the
server fails the health check and the ServerIron concludes that the server is not available.
To change the interval for a health check, enter a command such as the following at the configuration level for the
element-action expression that contains the health check:
ServerIron(config-hc-check1)# interval 30

Syntax: [no] interval <secs>


You can specify from 2 – 120 seconds. The default is 5 seconds.
To change the number of retries for a health check, enter a command such as the following at the configuration
level for the element-action expression that contains the health check:
ServerIron(config-hc-check1)# retries 4

Syntax: [no] retries <num>


You can specify from 1 – 5 retries. The default is 3 retries.
NOTE: You also can globally change the interval and retries for an application port by editing its port profile.
See the "Adding a TCP or UDP Port, Specifying the Port Type, and Configuring the Keepalive Health Check"
section in the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and
Configuration Guide.
Changing the Health-Check Type
For TCP application ports, you can change the health-check type between Layer 4 and Layer 7. By default, the
ServerIron performs a Layer 7 health check in the following cases:

The port is one of the following ports well-known to the ServerIron:

FTP port 21. (Ports 20 and 21 both are FTP ports but on the ServerIron, the name FTP corresponds
to port 21.)

HTTP port 80

IMAP4 port 143

LDAP port 389

MMS port 1755

NNTP port 119

PNM port 7070

POP3 port 110

RTSP port 554

SMTP port 25

SSL port 443

TELNET port 23

The port is not well-known to the ServerIron but you used the protocol command to specify the protocol of
one of the well-known ports. By specifying the protocol, you configure the ServerIron to use the protocol's
Layer 7 health-check method for the port.

If the TCP port is not one of the ports above or you did not specify a Layer 7 health-check method (using the
protocol command), the ServerIron uses the Layer 4 health check for TCP.


NOTE: Changing the health-check type for UDP application ports has no effect. If the application port is
RADIUS (1812) or DNS (53) or uses the health-check method of one of these ports, the ServerIron uses a Layer 7
health check. Otherwise, the ServerIron uses the Layer 4 health check for UDP.
The Layer 7 health-check methods differ depending on the application, and are described in the "Health Check
Summary" section of the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron
Installation and Configuration Guide. The Layer 4 health checks are as follows:

TCP: The ServerIron attempts to engage in a normal three-way TCP handshake with the port on the real
server:

The ServerIron sends a TCP SYN packet to the port on the real server.

The ServerIron expects the real server to respond with a SYN ACK.

If the ServerIron receives the SYN ACK, the ServerIron sends a TCP RESET, satisfied that the TCP port
is alive.

UDP: The ServerIron sends a UDP packet with garbage (meaningless) data to the UDP port.

If the server responds with an ICMP Port Unreachable message, the ServerIron concludes that the port
is not alive.

If the server does not respond at all, the ServerIron assumes that the port is alive and received the
garbage data. Since UDP is a connectionless protocol, the ServerIron and other clients do not expect
replies to data sent to a UDP port. Thus, lack of a response is a good outcome.

ServerIron(config-hc-check1)# l4-check
The command in this example configures the ServerIron to use the Layer 4 health check for the application port in
the element-action expression. Since the application port in this element-action expression is HTTP, the
ServerIron will use the Layer 4 health check for TCP.

Syntax: [no] l4-check | l7-check


Changing the Health-Check State
Once you configure an element-action expression, the health check in the expression is enabled by default. To
disable the health check, enter the following command at the configuration level for the element-action expression:
ServerIron(config-hc-check1)# disable

Syntax: [no] disable | enable


NOTE: Health checking (keepalive) also must be enabled on the port profile level or the real server level.
Otherwise, the health-check policy is used during initial bringup of the server but is not used for periodic health
checks after the server is brought up.
NOTE: If the health check for an application on a server is disabled, the ServerIron assumes that the server and
application are healthy and continues to send client requests to the server.
NOTE: If you change the health-check state from within the element-action expression, this state overrides the
health-check state configured in the port profile for the application port or in the real server configuration.
Configuring a Health-Check Policy
A health-check policy consists of one or more element-action expressions. When a logical expression contains
multiple element-action expressions, the policy also contains the logical operator AND or OR.
You can use a health-check policy as an element-action expression in another policy.
To configure a health-check policy, enter commands such as the following:
ServerIron(config)# healthck "httpsrvr" boolean
ServerIron(config-hc-httpsrvr)# and "check1" "check2"

These commands configure a health-check policy that uses the element-action expressions "check1" and
"check2". Since the AND operator is used, the real servers in both "check1" and "check2" must reply successfully
for the health check to be successful. If only one of the servers replies, the health check is unsuccessful and the
ServerIron stops using all the server application ports in the health-check policy "httpsrvr".

Syntax: [no] healthck "<policy-name>" boolean


Syntax: and | or "<element-name>" "<element-name>"
The <policy-name> parameter specifies the name of the health-check policy. The name can be up to 20
characters long. The name cannot contain blanks.
The and | or parameter specifies a logical operator in the health-check policy. You can enter two element-action
expressions along with the logical operator and or or.

If you specify and, the policy evaluates to true only if all elements (IP addresses) respond to the health check.

If you specify or, the policy is true if at least one of the elements responds to the health check.

Attaching a Health-Check Policy to an Application Port on a Server


After you configure logical expressions, you can attach them to application ports on real servers. The ServerIron
does not begin sending health-check packets until you attach the policy to a real server port.
To attach a health-check policy to an application port on a server, enter commands such as the following:
ServerIron(config)# server real-name R1 10.10.10.50
ServerIron(config-rs-R1)# port 80 healthck check1
This command configures the ServerIron to base the health of application port 80 on real server R1 on the results
of the check1 health-check policy.
Possible values: See above
Default value: None configured
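
The health-check rules from this section (interval times retries, AND/OR policies, the disabled state, and the Layer 4 UDP check) modeled in Python. This is an added example, not Foundry code; the outcome labels, the class names and the blind_spots helper are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Union

# Probe outcomes are constructed labels for this sketch, not ServerIron output.
REPLY, NO_REPLY, ICMP_UNREACHABLE = "reply", "no-reply", "icmp-port-unreachable"


@dataclass
class Element:
    """One element-action expression, such as "check1" in the text above."""
    name: str
    outcome: str               # what the probe observed
    udp_layer4: bool = False   # True: Layer 4 UDP check; False: TCP or Layer 7
    enabled: bool = True       # the health check is enabled by default
    interval: int = 5          # seconds, documented default
    retries: int = 3           # total attempts, documented default

    def __post_init__(self):
        if not 2 <= self.interval <= 120:
            raise ValueError("interval must be 2 to 120 seconds")
        if not 1 <= self.retries <= 5:
            raise ValueError("retries must be 1 to 5")

    def healthy(self) -> bool:
        if not self.enabled:
            # A disabled check is not evaluated: the server is assumed healthy.
            return True
        if self.udp_layer4:
            # Silence counts as success; only ICMP Port Unreachable fails the port.
            return self.outcome != ICMP_UNREACHABLE
        return self.outcome == REPLY

    def seconds_to_fail(self) -> int:
        """Time from the first probe until a silent server is declared down."""
        return self.interval * self.retries


@dataclass
class Policy:
    """A boolean policy; each operand is an element or another policy."""
    name: str
    operator: str
    left: Union[Element, "Policy"]
    right: Union[Element, "Policy"]

    def __post_init__(self):
        if self.operator not in ("and", "or"):
            raise ValueError("operator must be 'and' or 'or'")
        if len(self.name) > 20 or " " in self.name:
            raise ValueError("policy name: up to 20 characters, no blanks")

    def healthy(self) -> bool:
        results = (self.left.healthy(), self.right.healthy())
        return all(results) if self.operator == "and" else any(results)


def blind_spots(node) -> list:
    """Elements reported healthy without any positive evidence from the server."""
    if isinstance(node, Policy):
        return blind_spots(node.left) + blind_spots(node.right)
    if not node.enabled:
        return [node.name]
    if node.udp_layer4 and node.outcome == NO_REPLY:
        return [node.name]
    return []


if __name__ == "__main__":
    check1 = Element("check1", REPLY)
    check2 = Element("check2", NO_REPLY)
    print(Policy("httpsrvr", "and", check1, check2).healthy())
    print(check1.seconds_to_fail())
```

A UDP port behind a filter that silently drops the probe appears in blind_spots even though the policy reports it healthy, which is worth knowing before relying on a Layer 4 UDP check.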

hostname
Changes the hostname field to more easily identify the ServerIron within the network. By default, a ServerIron will
be identified as ServerIron in the CLI command prompt.
EXAMPLE:
To change the hostname to TCSserver1 from the ServerIron default, enter the following:
ServerIron(config)# hostname TCSserver1
TCSserver1(config)#

Syntax: hostname <text>


Possible values: Up to 32 alphanumeric characters can be assigned to hostname text string.
Default value: ServerIron

http match-list
This command is used in conjunction with the HTTP content verification health check feature on the ServerIron.
This command assigns a name to an HTTP matching list and enters the HTTP matching list CONFIG level.
EXAMPLE:
To create an HTTP matching list named m1:
ServerIron(config)# http match-list m1

Syntax: http match-list <matching-list-name>


Possible values: HTTP matching list name
Default value: N/A


interface ethernet
Accesses the interface CONFIG level of the CLI. You can define a physical or virtual interface (ve) at this level.
EXAMPLE:
To change the configuration for port 1 on a Stackable device, enter the following:
ServerIron(config)# inter e 1
ServerIron(config-if-1)#
NOTE: To change the port for a Chassis device, you also need to enter the slot number of the module on which
the port resides.
EXAMPLE:
To change the configuration for port 1 on slot 4 of a Chassis device, enter the following:
ServerIron(config)# inter e 4/1
ServerIron(config-if-4/1)#

Syntax: interface ethernet <portnum> | ve <num>


Possible values: N/A
Default value: N/A

ip access-list
Configures a named IP ACL. The commands for configuring named ACL entries are different from the commands
for configuring numbered ACL entries. The command to configure a numbered ACL is access-list. The
command for configuring a named ACL is ip access-list. In addition, when you configure a numbered ACL entry,
you specify all the command parameters on the same command. When you configure a named ACL, you specify
the ACL type (standard or extended) and the ACL number with one command, which places you in the
configuration level for that ACL. Once you enter the configuration level for the ACL, the command syntax is the
same as the syntax for numbered ACLs.
EXAMPLE:
To configure a named standard ACL entry:
ServerIron(config)# ip access-list standard Net1
ServerIron(config-std-nacl)# deny host 209.157.22.26 log
ServerIron(config-std-nacl)# deny 209.157.29.12 log
ServerIron(config-std-nacl)# deny host IPHost1 log
ServerIron(config-std-nacl)# permit any
ServerIron(config-std-nacl)# exit
ServerIron(config)# int eth 1/1
ServerIron(config-if-1)# ip access-group Net1 out
The commands in this example configure a standard ACL named Net1. The entries in this ACL deny packets
from three source IP addresses from being forwarded on port 1. Since the implicit action for an ACL is deny, the
last ACL entry in this ACL permits all packets that are not explicitly denied by the first three ACL entries. For an
example of how to configure the same entries in a numbered ACL, see the "Configuring Standard ACLs" section of
the "Using Access Control Lists (ACLs)" chapter in the Foundry Switch and Router Installation and Basic
Configuration Guide.
Notice that the command prompt changes after you enter the ACL type and name. The "std" in the command
prompt indicates that you are configuring entries for a standard ACL. For an extended ACL, this part of the
command prompt is "ext". The "nacl" indicates that you are configuring a named ACL.
EXAMPLE:
To configure a named extended ACL entry:
ServerIron(config)# ip access-list extended "block Telnet"
ServerIron(config-ext-nacl)# deny tcp host 209.157.22.26 any eq telnet log
ServerIron(config-ext-nacl)# permit ip any any
ServerIron(config-ext-nacl)# exit
ServerIron(config)# int eth 1
ServerIron(config-if-1)# ip access-group "block Telnet" in

Syntax: ip access-list extended | standard <string> | <num>


Syntax: [no] ip access-group <string> in | out
Possible values: The extended | standard parameter indicates the ACL type.
The <string> parameter is the ACL name. You can specify a string of up to 256 alphanumeric characters. You can
use blanks in the ACL name if you enclose the name in quotation marks (for example, "ACL for Net1"). The
<num> parameter allows you to specify an ACL number if you prefer. If you specify a number, you can specify
from 1 to 99 for standard ACLs or 100 to 199 for extended ACLs.
The options at the ACL configuration level and the syntax for the ip access-group command are the same for
numbered and named ACLs and are described in the "Configuring Standard ACLs" section of the "Using Access
Control Lists (ACLs)" chapter in the Foundry Switch and Router Installation and Basic Configuration Guide.
Default value: N/A

ip address
Assigns an IP address and mask to a switch to support Telnet and SNMP management. Foundry devices support
both classical IP network masks (Class A, B, and C sub-net masks, and so on) and prefix masks.

To enter a classical network mask, enter the mask in IP address format. For example, enter
"209.157.22.99 255.255.255.0" for an IP address with a Class-C sub-net mask.

To enter a network mask using prefix addressing, enter a forward slash ( / ) and the number of bits in the
mask immediately after the IP address. For example, enter "209.157.22.99/24" for an IP address that has a
network mask with 24 significant ("mask") bits.

NOTE: If you need to add an additional IP address for network address translation (NAT), use the server
source-ip command. See "server source-ip" on page 6-82.
EXAMPLE:
ServerIron(config)# ip address 192.22.3.44 255.255.255.0

Syntax: ip address <ip-addr> <ip-mask>


or

Syntax: ip address <ip-addr>/<mask-bits>


Possible values: N/A
Default value: N/A

ip default-gateway
Assigns an IP address and mask to a switch to support Telnet and SNMP management.
NOTE: This command is not available on Foundry routers.
EXAMPLE:
ServerIron(config)# ip default-gateway 192.22.33.100

Syntax: ip default-gateway <ip-addr>


Possible values: N/A
Default value: N/A


ip dns domain-name
This command is used to define a domain name for a range of addresses on the ServerIron. This will eliminate
the need for a user to type in the domain name. It will automatically be appended to the hostname.
EXAMPLE:
ServerIron(config)# ip dns domain-name newyork.com

Syntax: ip dns domain-name


Possible values: N/A
Default value: N/A

ip dns server-address
Up to four DNS servers can be defined for each DNS entry. The first entry serves as the primary default address
(207.95.6.199). If a query to the primary address fails to be resolved after three attempts, the next gateway
address will be queried three times as well. This process will continue for each defined gateway address until
a query is resolved. The order in which the default gateway addresses are polled is tied to the order in which they
are entered when initially defined as shown in the example.
EXAMPLE:
ServerIron(config)# ip dns server-address 207.95.6.199 205.96.7.1 208.95.7.25 201.98.7.15

Syntax: ip dns server-address <ip-addr>


Possible values: N/A
Default value: N/A

ip filter
This command allows you to define layer 4 TCP/UDP filters for switches. Up to 1024 TCP/UDP filters can be
defined on a switch.
NOTE: Foundry plans to remove this command in a later software release and therefore recommends that you
do not use the command. Instead, always use Access Control Lists (ACLs). For ACL configuration information,
see the "Using Access Control Lists (ACLs)" chapter of the Foundry Switch and Router Installation and Basic
Configuration Guide.

Syntax: ip filter <index> permit | deny <src-ip-addr> | any <src-mask> | any <dst-ip-addr> | any <dst-mask> | any
<protocol> [established <operator> <port range>] [log]
Possible values: The <protocol> parameter can be ICMP, TCP, UDP, or a protocol number.
Default value: N/A

ip forward
Enables IP forwarding (Layer 3).
For complete configuration information, see the "Configuring IP Forwarding" chapter in the Foundry ServerIron
Installation and Configuration Guide.
EXAMPLE:
ServerIron(config)# ip forward

Syntax: [no] ip forward


Possible values: N/A
Default value: Disabled


ip icmp burst
Causes the Foundry device to drop ICMP packets when excessive numbers are encountered, as is the case when
the device is the victim of a Smurf attack. This command allows you to set threshold values for ICMP packets
targeted at the router and drop them when the thresholds are exceeded.
EXAMPLE:
In the following example, if the number of ICMP packets received per second exceeds 5,000, the excess packets
are dropped. If the number of ICMP packets received per second exceeds 10,000, the device drops all ICMP
packets for the next 300 seconds (five minutes).
ServerIron(config)# ip icmp burst-normal 5000 burst-max 10000 lockup 300

Syntax: ip icmp burst-normal <value> burst-max <value> lockup <seconds>


The burst-normal value can be from 1 to 100000.
The burst-max value can be from 1 to 100000.
The lockup value can be from 1 to 10000.
The number of incoming ICMP packets per second is measured and compared to the threshold values as
follows:

If the number of ICMP packets exceeds the burst-normal value, the excess ICMP packets are dropped.

If the number of ICMP packets exceeds the burst-max value, all ICMP packets are dropped for the number of
seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and
measurement is restarted.

Possible values: The burst-normal and burst-max values can be between 1 and 100000 packets. The burst-normal
value must be smaller than the burst-max value. The lockup value can be between 1 and 10000 seconds.
Default value: N/A
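
The threshold behavior described above, simulated over one-second windows. This is an added example, not Foundry code; the one-second windowing, the function and class names, and forwarding up to burst-normal in the second that trips burst-max are assumptions. The arrival counts are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IcmpBurstPolicy:
    burst_normal: int   # packets per second forwarded before excess is dropped
    burst_max: int      # packets per second that triggers the lockup
    lockup: int         # seconds during which all ICMP is dropped

    def __post_init__(self):
        # Ranges and ordering as documented for "ip icmp burst".
        if not 1 <= self.burst_normal <= 100000:
            raise ValueError("burst-normal must be 1 to 100000")
        if not 1 <= self.burst_max <= 100000:
            raise ValueError("burst-max must be 1 to 100000")
        if not 1 <= self.lockup <= 10000:
            raise ValueError("lockup must be 1 to 10000")
        if self.burst_normal >= self.burst_max:
            raise ValueError("burst-normal must be smaller than burst-max")


def simulate(policy, arrivals):
    """Return one (forwarded, dropped, state) tuple per one-second window.

    arrivals is a list of ICMP packet counts, one per second.
    """
    timeline = []
    lockup_left = 0
    for count in arrivals:
        if lockup_left > 0:
            # Lockup: every ICMP packet is dropped, legitimate ones included.
            timeline.append((0, count, "lockup"))
            lockup_left -= 1
            continue
        # After a lockup ends, the counter starts fresh for this window.
        forwarded = min(count, policy.burst_normal)
        if count > policy.burst_max:
            state = "tripped"
            lockup_left = policy.lockup
        elif count > policy.burst_normal:
            state = "excess"
        else:
            state = "normal"
        timeline.append((forwarded, count - forwarded, state))
    return timeline


def dropped_during_lockup(timeline):
    """ICMP packets lost only because the device was in its lockup period."""
    return sum(dropped for _, dropped, state in timeline if state == "lockup")


if __name__ == "__main__":
    # The page's example thresholds with a short lockup so the trace stays small.
    policy = IcmpBurstPolicy(burst_normal=5000, burst_max=10000, lockup=3)
    for row in simulate(policy, [1000, 7000, 12000, 20000, 50, 50, 50, 6000]):
        print(row)
```

The lockup windows drop low-rate ICMP as well, so monitoring that depends on ping through the device will report loss for the whole lockup period after a burst.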

ip multicast
Enables IP Multicast Traffic Reduction on a Foundry switch. A switch can operate in either an active or passive IP
multicast mode. You must save changes to flash and reset (reload) the switch for the configuration changes to
become active. For more details on this feature, see the Foundry Switch and Router Installation and Basic
Configuration Guide.
If configured to be active, the switch will actively send out host queries to identify IP Multicast groups on the
network and insert this information in the IGMP packet. Routers in the network generally handle this operation.
If configured to be passive, the switch will only identify the packet as an IGMP packet and forward it accordingly.
EXAMPLE:
ServerIron(config)# ip multicast passive
ServerIron(config)# write memory
ServerIron(config)# end
ServerIron# reload

Syntax: ip multicast active | passive


Possible values: Active or passive
Default value: Disabled

ip nat inside
Configures and enables Network Address Translation (NAT).
You can use this command to configure static NAT entries and dynamic NAT entries (by referring to an ACL and a
pool), and enable NAT.


EXAMPLE:
To configure static NAT for an IP address, enter a command such as the following:
ServerIron(config)# ip nat inside source static 10.10.10.69 209.157.1.69
The command in this example statically maps the private address 10.10.10.69 to the Internet address
209.157.1.69.

Syntax: [no] ip nat inside source static <private-ip> <global-ip>


This command associates a specific private address with a specific Internet address. Use this command when
you want to ensure that the specified addresses are always mapped together.
The inside source parameter specifies that the mapping applies to the private address sending traffic to the
Internet.
The <private-ip> parameter specifies the private IP address.
The <global-ip> parameter specifies the Internet address. The ServerIron supports up to 255 global IP
addresses.
Neither of the IP address parameters needs a network mask.
EXAMPLE:
To configure dynamic NAT, enter commands such as the following at the global CONFIG level of the CLI:
ServerIron(config)# access-list 1 permit 10.10.10.0/24
ServerIron(config)# ip nat pool OutAdds 209.157.1.2 209.157.2.254 prefix-length 24
ServerIron(config)# ip nat inside source list 1 pool OutAdds
These commands configure a standard ACL for the private sub-net 10.10.10.x/24, then enable inside NAT for the
sub-net. Make sure you specify permit in the ACL, rather than deny. If you specify deny, the Foundry device will
not provide NAT for the addresses.

Syntax: [no] ip nat pool <pool-name> <start-ip> <end-ip> netmask <ip-mask> | prefix-length <length>
This command configures the address pool.
The <pool-name> parameter specifies the pool name. The name can be up to 255 characters long and can
contain special characters and internal blanks. If you use internal blanks, you must use quotation marks around
the entire name.
The <start-ip> parameter specifies the IP address at the beginning of the pool range. Specify the
lowest-numbered IP address in the range.
The <end-ip> parameter specifies the IP address at the end of the pool range. Specify the highest-numbered IP
address in the range.
NOTE: The address range cannot contain any gaps. Make sure you own all the IP addresses in the range. If the
range contains gaps, you must create separate pools containing only the addresses you own.
The netmask <ip-mask> | prefix-length <length> parameter specifies a classical sub-net mask (example:
netmask 255.255.255.0) or the length of a Classless Interdomain Routing prefix (example: prefix-length 24).
The ServerIron supports up to 255 global IP addresses.

Syntax: [no] ip nat inside source list <acl-name-or-num> pool <pool-name> [overload]
This command associates a private address range with a pool of Internet addresses and optionally enables the
Port Address Translation feature.
The inside source parameter specifies that the translation applies to private addresses sending traffic to the
Internet (inside source).
The list <acl-name-or-num> parameter specifies a standard or extended ACL. You can specify a numbered or
named ACL.


NOTE: For complete standard and extended ACL syntax, see the "Using Access Control Lists (ACLs)" chapter of
the Foundry Switch and Router Installation and Basic Configuration Guide.
The pool <pool-name> parameter specifies the pool. You must create the pool before you can use it with this
command.
The overload parameter enables the Port Address Translation feature. Use this parameter if the IP address pool
does not contain enough addresses to ensure NAT for each private address. The Port Address Translation feature
conserves Internet addresses by mapping the same Internet address to more than one private address and using
a TCP or UDP port number to distinguish among the private hosts. The ServerIron supports up to 50 IP
addresses with this feature enabled.
EXAMPLE:
To enable NAT on the ServerIron, enter the following commands at the global CONFIG level of the CLI:
ServerIron(config)# ip policy 1 cache tcp 0 global
ServerIron(config)# ip policy 2 cache udp 0 global
ServerIron(config)# ip nat inside

Syntax: [no] ip policy <policy-num> cache tcp | udp 0 global


The <policy-num> value identifies the policy and can be a number from 1 to 64.
Each policy affects TCP or UDP traffic, so you must specify tcp or udp.
The value 0 following the tcp | udp parameter specifies that the policy applies to all ports of the specified type
(TCP or UDP). In this command, 0 is equivalent to any port number. For NAT, you must specify 0.

Syntax: [no] ip nat inside


This command enables inside NAT.
Possible values: See above.
Default value: See above.

ip nat pool
Configures an address pool for dynamic NAT. See "ip nat inside" on page 6-36 for syntax information and a
configuration example.

ip nat translation
Changes the age timer for the specified type of NAT translation entry.
The NAT translation table contains all the currently active NAT translation entries on the device. An active entry is
one that the ServerIron created for a private address when the client at that address sent traffic to the Internet.
NAT performs the following steps to provide an address translation for a source IP address:

The feature looks in the NAT translation table for an active NAT entry for the translation. If the table contains
an active entry for the session, the ServerIron uses that entry.

If NAT does not find an active entry in the NAT translation table, NAT creates an entry and places the entry in
the table. The entry remains in the table until the entry times out.

Each NAT entry remains in the NAT translation table until the entry ages out. NAT translation table entries have
different default timeouts depending on the entry type.

Dynamic timeout: This age timer applies to all entries (static and dynamic) that do not use Port Address
Translation. The default is 120 seconds.

UDP timeout: This age timer applies to entries that use Port Address Translation based on UDP port
numbers. The default is 120 seconds.

TCP timeout: This age timer applies to entries that use Port Address Translation based on TCP port
numbers. The default is 120 seconds.
NOTE: This timer applies only to TCP sessions that do not end gracefully, with a TCP FIN or TCP RST.

TCP FIN/RST timeout: This age timer applies to TCP FIN (finish) and RST (reset) packets, which normally
terminate TCP connections. The default is 120 seconds.
NOTE: This timer is not related to the TCP timeout. The TCP timeout applies to packets to or from a host
address that is mapped to a global IP address and a TCP port number (Port Address Translation feature).
The TCP FIN/RST timeout applies to packets that terminate a TCP session, regardless of the host address or
whether Port Address Translation is used.

DNS timeout: This age timer applies to connections to a Domain Name Server (DNS). The default is 120
seconds.

EXAMPLE:
To change the age timeout for all entries that do not use Port Address Translation to 1800 seconds (one half hour),
enter a command such as the following at the global CONFIG level of the CLI:
ServerIron(config)# ip nat translation timeout 1800

Syntax: [no] ip nat translation timeout | udp-timeout | tcp-timeout | finrst-timeout | dns-timeout <secs>
Use one of the following parameters to specify the dynamic entry type:

timeout: All entries that do not use Port Address Translation. The default is 120 seconds.

udp-timeout: Dynamic entries that use Port Address Translation based on UDP port numbers. The default
is 120 seconds.

tcp-timeout: Dynamic entries that use Port Address Translation based on TCP port numbers. The default is
120 seconds.

finrst-timeout: TCP FIN (finish) and RST (reset) packets, which normally terminate TCP connections. The
default is 120 seconds.

dns-timeout: Connections to a Domain Name Server (DNS). The default is 120 seconds.

The <secs> parameter specifies the number of seconds. For each entry type, you can enter a value from 1 to
3600.
Possible values: 1 to 3600 seconds
Default value: 120 seconds

ip policy
Enables TCS or firewall load balancing. You can enable these features globally or on individual ports. If you want
to enable them on individual ports, you must also use the ip-policy command at the interface level.
See "ip-policy" on page 8-6.
EXAMPLE:
To globally enable TCS, enter the following command:
ServerIron(config)# ip policy 1 cache tcp 80 global
EXAMPLE:
To locally enable firewall load balancing on port 9, enter the following commands:
ServerIron(config)# ip policy 1 fw tcp 0 local
ServerIron(config)# ip policy 2 fw udp 0 local
ServerIron(config)# int e 9
ServerIron(config-if-9)# ip-policy 1
ServerIron(config-if-9)# ip-policy 2
ServerIron(config-if-9)# write mem

Syntax: ip policy <index> cache | fw | high | normal tcp | udp <tcp/udp-portnum> global | local
NOTE: When enabling firewall load balancing, you must specify "0" for the <tcp/udp-portnum> parameter. This
value allows all ports of the specified type (TCP or UDP).
Possible values: N/A
Default value: Disabled

ip route
Configures a static IP route for IP forwarding.
NOTE: This command applies only to IP forwarding (Layer 3 IP). To add a default gateway address if you are not
using IP forwarding, see "ip default-gateway" on page 6-34.
NOTE: The software places the static route in the IP route table only if the virtual routing interface is up.
EXAMPLE:
ServerIron(config)# ip route 209.157.2.0 255.255.255.0 192.168.2.1
This command adds a static IP route to the 209.157.2.x/24 sub-net.

Syntax: [no] ip route <dest-ip-addr> <dest-mask> <next-hop-ip-addr> | null0 [<metric>]


or

Syntax: [no] ip route <dest-ip-addr>/<mask-bits> <next-hop-ip-addr> | null0 [<metric>]


The <dest-ip-addr> is the route's destination. The <dest-mask> is the network mask for the route's destination IP
address. Alternatively, you can specify the network mask information by entering a forward slash followed by the
number of bits in the network mask. For example, you can enter 192.0.0.0 255.255.255.0 as 192.0.0.0/24. To
configure a default route, enter 0.0.0.0 for <dest-ip-addr> and 0.0.0.0 for <dest-mask> (or 0 for the <mask-bits> if
you specify the address in CIDR format). Specify the IP address of the default gateway using the
<next-hop-ip-addr> parameter.
The <next-hop-ip-addr> is the IP address of the next-hop router (gateway) for the route. If you specify null0
instead of a next hop IP address, the ServerIron discards packets addressed to the route's destination IP address
instead of forwarding them to another device.
NOTE: If you add a default route, the gateway address of the route replaces the default gateway address
configured by the ip default-gateway command. Likewise, if you use the ip default-gateway command to
change the default gateway address, the gateway address in the default route is automatically changed also.
The <metric> parameter specifies the cost of the route and can be a number from 1 to 16. The default is 1. The
metric is used by RIP. If you do not enable RIP, the metric is not used.
Possible values: See above
Default value: N/A

ip show-subnet-length
Changes display of network mask information from class-based notation (xxx.xxx.xxx.xxx) to Classless
Interdomain Routing (CIDR) notation. By default the ServerIron displays network mask information in class-based
notation.
EXAMPLE:
ServerIron(config)# ip show-subnet-length

Syntax: [no] ip show-subnet-length


Possible values: N/A


Default value: Disabled

ip ssh authentication-retries
Sets the number of SSH authentication retries.
EXAMPLE:
The following command changes the number of authentication retries to 5:
ServerIron(config)# ip ssh authentication-retries 5

Syntax: ip ssh authentication-retries <number>


Possible values: 1 to 5
Default value: 3

ip ssh key-size
Sets the SSH key size.
EXAMPLE:
The following command changes the server RSA key size to 896 bits:
ServerIron(config)# ip ssh key-size 896

Syntax: ip ssh key-size <number>


NOTE: The size of the host RSA key that resides in the system-config file is always 1024 bits and cannot be
changed.
Possible values: 512 to 896 bits
Default value: 768 bits

ip ssh password-authentication
Disables SSH password authentication.
After the SSH server on the Foundry device negotiates a session key and encryption method with the connecting
client, user authentication takes place. Of the methods of user authentication available in SSH, Foundry's
implementation of SSH supports password authentication only.
With password authentication, users are prompted for a password when they attempt to log into the device (unless
empty password logins are allowed; see "ip ssh permit-empty-passwd"). If there is no user account that
matches the user name and password supplied by the user, the user is not granted access.
You can deactivate password authentication for SSH. However, since password authentication is the only user
authentication method supported for SSH, this means that no user authentication is performed at all. Deactivating
password authentication essentially disables the SSH server entirely.
EXAMPLE:
To deactivate password authentication:
ServerIron(config)# ip ssh password-authentication no

Syntax: ip ssh password-authentication no | yes


Possible values: N/A
Default value: Enabled

ip ssh permit-empty-passwd
Enables empty password SSH logins. By default, empty password logins are not allowed. This means that users
with an SSH client are always prompted for a password when they log into the device. To gain access to the
device, each user must have a user name and password. Without a user name and password, a user is not
granted access. See the Foundry Switch and Router Installation and Basic Configuration Guide for information on
setting up user names and passwords on Foundry devices.
If you enable empty password logins, users are not prompted for a password when they log in. Any user with an
SSH client can log in without being prompted for a password.
EXAMPLE:
To enable empty password logins:
ServerIron(config)# ip ssh permit-empty-passwd yes

Syntax: ip ssh permit-empty-passwd no | yes


Possible values: N/A
Default value: Disabled

ip ssh port
Changes the TCP port used for SSH. By default, SSH traffic occurs on TCP port 22. You can change this port
number.
EXAMPLE:
The following command changes the SSH port number to 2200:
ServerIron(config)# ip ssh port 2200
Note that if you change the default SSH port number, you must configure SSH clients to connect to the new port.
Also, you should be careful not to assign SSH to a port that is used by another service. If you change the SSH
port number, Foundry recommends that you change it to a port number greater than 1024.

Syntax: ip ssh port <number>


Possible values: a valid TCP port number
Default value: 22

ip ssh pub-key-file
Causes a public key file to be loaded onto the Foundry device.
EXAMPLE:
To cause a public key file called pkeys.txt to be loaded from the Management IV module's PCMCIA flash card
each time the Foundry device is booted, enter the following command:
ServerIron(config)# ip ssh pub-key-file slot1 pkeys.txt

Syntax: [no] ip ssh pub-key-file slot1 | slot2 <filename>


To cause a public key file called pkeys.txt to be loaded from a TFTP server each time the Foundry device is
booted, enter a command such as the following:
ServerIron(config)# ip ssh pub-key-file tftp 192.168.1.234 pkeys.txt

Syntax: [no] ip ssh pub-key-file tftp <tftp-server-ip-addr> <filename>


To reload the public keys from the file on the TFTP server or PCMCIA flash card, enter the following command:
ServerIron(config)# ip ssh pub-key-file reload

Syntax: [no] ip ssh pub-key-file reload


To make the public keys in the active configuration part of the startup-config file, enter the following commands:
ServerIron(config)# ip ssh pub-key-file flash-memory
ServerIron(config)# write memory

Syntax: [no] ip ssh pub-key-file flash-memory


Possible values: N/A

Default value: N/A

ip ssh rsa-authentication
Disables or re-enables RSA challenge-response authentication.
EXAMPLE:
To disable RSA challenge-response authentication:
ServerIron(config)# ip ssh rsa-authentication no

Syntax: [no] ip ssh rsa-authentication yes | no


Possible values: yes or no
Default value: RSA challenge-response authentication is enabled by default.

ip ssh scp
Disables or re-enables Secure Copy (SCP).
EXAMPLE:
To disable SCP:
ServerIron(config)# ip ssh scp disable

Syntax: [no] ip ssh scp disable | enable


Possible values: disable or enable
Default value: SCP is enabled by default.
NOTE: If you disable SSH, SCP is also disabled.

ip ssh timeout
Changes the SSH timeout value. When the SSH server attempts to negotiate a session key and encryption
method with a connecting client, it waits a maximum of 120 seconds for a response from the client. If there is no
response from the client after 120 seconds, the SSH server disconnects.
EXAMPLE:
ServerIron(config)# ip ssh timeout 60

Syntax: ip ssh timeout <seconds>


Possible values: 1 – 120 seconds
Default value: 120 seconds

ip strict-acl-mode
Enables the strict ACL TCP mode.
By default, when you use ACLs to filter TCP traffic, the Foundry device does not compare all TCP packets against
the ACLs. Instead, the device compares TCP control packets against the ACLs, but not data packets. Control
packets include packet types such as SYN (Synchronization) packets, FIN (Finish) packets, and RST (Reset)
packets.
In normal TCP operation, TCP data packets are present only if a TCP control session for the packets also is
established. For example, data packets for a session never occur if the TCP SYN for that session is dropped.
Therefore, by filtering the control packets, the Foundry device also implicitly filters the data packets associated
with the control packets. This mode of filtering optimizes forwarding performance for TCP traffic by forwarding
data packets without examining them. Since the data packets are present in normal TCP traffic only if a
corresponding TCP control session is established, comparing the packets for the control session to the ACLs is
sufficient for filtering the entire session including the data.
However, it is possible to generate TCP data packets without corresponding control packets, in test or research
situations for example. In this case, the default ACL mode does not filter the data packets, since there is no
corresponding control session to filter. To filter this type of TCP traffic, use the strict ACL TCP mode. This mode
compares all TCP packets to the configured ACLs, regardless of whether the packets are control packets or data
packets.
Regardless of whether the strict mode is enabled or disabled, the device always compares TCP control packets
against the configured ACLs.
NOTE: If the device's configuration currently has ACLs associated with interfaces, remove the ACLs from the
interfaces before changing the ACL mode.
EXAMPLE:
To enable the strict ACL TCP mode, enter the following command at the global CONFIG level of the CLI:
ServerIron(config)# ip strict-acl-mode

Syntax: [no] ip strict-acl-mode


This command configures the device to compare all TCP packets against the configured ACLs before forwarding
them.
To disable the strict ACL mode and return to the default ACL behavior, enter the following command:
ServerIron(config)# no ip strict-acl-mode
Possible values: N/A
Default value: Disabled

ip tcp burst
Causes the Foundry device to drop TCP SYN packets when excessive numbers are encountered, as is the case
when the device is the victim of a TCP SYN attack. This command allows you to set threshold values for TCP
SYN packets targeted at the router and drop them when the thresholds are exceeded.
EXAMPLE:
In the following example, if the number of TCP SYN packets received per second exceeds 10, the excess packets
are dropped. If the number of TCP SYN packets received per second exceeds 100, the device drops all TCP SYN
packets for the next 300 seconds (five minutes).
ServerIron(config)# ip tcp burst-normal 10 burst-max 100 lockup 300

Syntax: ip tcp burst-normal <value> burst-max <value> lockup <seconds>


The burst-normal value can be from 1 – 100000.
The burst-max value can be from 1 – 100000.
The lockup value can be from 1 – 10000.
The number of incoming TCP SYN packets per second is measured and compared to the threshold values as
follows:

• If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets are
dropped.

• If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are dropped for the
number of seconds specified by the lockup value. When the lockup period expires, the packet counter is
reset and measurement is restarted.

Possible values: The burst-normal and burst-max values can be between 1 – 100000 packets. The burst-normal value must be smaller than the burst-max value. The lockup value can be between 1 – 10000 seconds.
Default value: N/A
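
The threshold behavior described above can be modeled at one-second granularity to see what a given setting does to legitimate connection attempts. The following Python sketch is an added example, not Foundry code; the class and function names are hypothetical, the traffic counts are constructed, and it assumes that in the second that crosses burst-max the device still forwards burst-normal SYNs before the lockup begins.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SynBurstPolicy:
    """Thresholds of `ip tcp burst-normal <value> burst-max <value> lockup <seconds>`."""
    burst_normal: int
    burst_max: int
    lockup: int

    def __post_init__(self):
        # Ranges and ordering as documented under "Possible values".
        if not 1 <= self.burst_normal <= 100000:
            raise ValueError("burst-normal must be 1 to 100000")
        if not 1 <= self.burst_max <= 100000:
            raise ValueError("burst-max must be 1 to 100000")
        if not 1 <= self.lockup <= 10000:
            raise ValueError("lockup must be 1 to 10000")
        if self.burst_normal >= self.burst_max:
            raise ValueError("burst-normal must be smaller than burst-max")


def simulate(policy, syn_per_second):
    """Return one (second, received, forwarded, state) tuple per interval.

    Assumption of this model: the second that crosses burst-max still forwards
    burst-normal SYNs, and the lockup covers the following `lockup` seconds.
    """
    timeline = []
    locked_until = 0  # first second in which SYNs are measured again
    for second, received in enumerate(syn_per_second):
        if second < locked_until:
            # Every SYN is dropped, including those of legitimate clients.
            timeline.append((second, received, 0, "lockup"))
        elif received > policy.burst_max:
            locked_until = second + 1 + policy.lockup
            timeline.append((second, received, policy.burst_normal,
                             "burst-max exceeded"))
        elif received > policy.burst_normal:
            timeline.append((second, received, policy.burst_normal,
                             "excess dropped"))
        else:
            timeline.append((second, received, received, "normal"))
    return timeline


def dropped_during_lockup(timeline):
    """Count SYNs discarded only because a lockup was in force."""
    return sum(received for _, received, _, state in timeline
               if state == "lockup")


if __name__ == "__main__":
    # Constructed sample: a short lockup keeps the printout readable.
    policy = SynBurstPolicy(burst_normal=10, burst_max=100, lockup=3)
    traffic = [5, 40, 150, 8, 8, 8, 8]  # SYN packets received per second
    timeline = simulate(policy, traffic)
    for row in timeline:
        print(row)
    print("SYNs lost to lockup:", dropped_during_lockup(timeline))
```

The lockup rows show that ordinary connection attempts arriving after a burst are dropped as well, so the lockup value determines how long new TCP sessions to the device are refused after each trigger.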

ip tcp conn-rate
Configures the ServerIron 400 or ServerIron 800 to log information about the TCP connection rate and attack rate
on the device.

EXAMPLE:
ServerIron(config)# ip tcp conn-rate conn-rate 10000 attack-rate 10000

Syntax: ip tcp conn-rate conn-rate <rate> attack-rate <rate>


Possible values: The conn-rate <rate> parameter specifies a threshold for the number of global TCP
connections per second that are expected on the ServerIron. A global TCP connection is defined as any packet
that requires session processing. For example, 1 SLB, 1 TCS, and 1 SYN-Guard connection would equal 3 global
TCP connections, since there are three different connections that require session processing.
The attack-rate <rate> parameter specifies a threshold for the number of TCP SYN attack packets per second
that are expected on the ServerIron.
Syslog entries are generated under the following circumstances:

• If the connection rate or attack rate on the ServerIron reaches 80% of the configured threshold.

• If the connection rate or attack rate is still between 80% and 100% of the configured threshold 6 minutes after
the last message.

• If the connection rate or attack rate exceeds 100% of the configured threshold.

• If the connection rate or attack rate exceeds 100% of the configured threshold, and has gone up by the
configured rate change percentage.

• One minute after the last message indicating that the connection rate or attack rate still exceeds 100% of the
configured threshold, and has gone up by the configured rate change percentage.

• Three minutes after the last message, if the connection rate or attack rate is still between 80% and 100% of
the configured threshold, and has gone up by the configured rate change percentage.

ip tcp conn-rate-change
Configures thresholds for the TCP connection rate and attack rate change, used in conjunction with the ip tcp
conn-rate command on the ServerIron 400 or ServerIron 800.
EXAMPLE:
ServerIron(config)# ip tcp conn-rate-change conn-rate 50 attack-rate 100

Syntax: ip tcp conn-rate-change conn-rate <percentage> attack-rate <percentage>


Possible values: The conn-rate <percentage> parameter specifies a percentage change threshold for the number of
global TCP connections per second that are expected on the ServerIron.
The attack-rate <percentage> parameter specifies a percentage change threshold for the number of TCP SYN attack
packets per second that are expected on the ServerIron.

ip tcp syn-proxy
Activates the SYN-Guard feature, which completes the TCP three-way handshake on behalf of a connecting
client, and sets the amount of time the ServerIron 400 or ServerIron 800 waits for the client to send an ACK.
EXAMPLE:
ServerIron(config)# ip tcp syn-proxy 12

Syntax: ip tcp syn-proxy <threshold>


Possible values: 1 – 40 seconds
Default value: 8 seconds

ip ttl
Sets the maximum time that a packet will live on the network.
EXAMPLE:
ServerIron(config)# ip ttl 25

Syntax: ip ttl <hops>

Possible values: 1 – 255 hops


Default value: 64 hops

ip-proto
This command creates an IP protocol VLAN on a switch or router.
When creating an IP protocol VLAN on a switch, all ports are dynamically assigned to the VLAN.
On a router, no ports are dynamically assigned to an IP protocol VLAN. VLAN port membership must be assigned
using the static command, as shown in the example below. Because no dynamic port assignment is made for IP
Protocol VLANs on a router, there is no need to exclude any ports, only specify membership with the static
command.
An IP protocol and IP sub-net VLAN cannot operate simultaneously on a Foundry switch or router. This restriction
is also true for IPX and IPX network VLANs. If you have previously defined an IP sub-net VLAN on the system,
you need to delete it before an IP protocol VLAN can be created.
EXAMPLE:
To assign ports 1, 2, 6 and 8 to an IP protocol VLAN, enter the following:
ServerIron(config)# ip-proto
ServerIron(config-ip-proto)# static e1 to 2 e6 e8

Syntax: ip-proto
Possible values: N/A
Default value: N/A

ip-subnet
Creates an IP sub-net protocol VLAN on a switch or router. This allows you to provide finer granularity than
that of an IP protocol VLAN, by allowing broadcast domains to be partitioned by sub-net. As with the IP protocol
VLAN, port membership can be modified using the static commands. In creating an IP sub-net VLAN, an IP
address is used as an identifier.
When creating an IP sub-net VLAN on a switch, all ports are dynamically assigned to the VLAN.
On a router, no ports are dynamically assigned to an IP sub-net VLAN. VLAN port membership must be assigned
using the static command, as shown in the example below. Because no dynamic port assignment is made for IP
sub-net VLANs on a router, there is no need to exclude any ports, only specify membership with the static
command.
NOTE: An IP Protocol and IP sub-net VLAN cannot operate simultaneously on a Foundry switch or router. This
restriction is also true for IPX and IPX network VLANs. If you have previously defined an IP protocol VLAN on the
system, you need to delete it before an IP sub-net VLAN can be created.
EXAMPLE:
To create an IP sub-net of IP address 192.75.3.0 with permanent port membership of 1 and 2, enter the following
commands.
ServerIron(config)# ip-subnet 192.75.3.0 255.255.255.0
ServerIron(config-ip-subnet)# static e1 to 2
ServerIron(config-ip-subnet)# exit

Syntax: ip-subnet <ip-addr> <ip-mask>


Possible values: N/A
Default value: N/A

ipx-network
Creates an IPX network protocol VLAN on a switch or router. This allows you to provide finer granularity than
that of the IPX protocol VLAN, by partitioning the broadcast domains by IPX network number. The frame type
must also be specified when creating the IPX network VLAN.
When creating an IPX network VLAN on a switch, all ports are dynamically assigned to the VLAN.
On a router, no ports are dynamically assigned to an IPX network VLAN. VLAN port membership must be
assigned using the static command, as shown in the example below. Because no dynamic port assignment is
made for IPX network VLANs on a router, there is no need to exclude any ports, only specify membership with the
static command.
NOTE: An IPX protocol and IPX network VLAN cannot operate simultaneously on a Foundry switch or router.
This restriction is also true for IP and IP sub-net VLANs. If you have previously defined an IPX protocol VLAN on
the system, you need to delete it before an IPX network VLAN can be created.
EXAMPLE:
To create an IPX network VLAN with a network number of 500 and frame type of 802.2 with permanent port
membership of 10 and 14, enter the following commands.
ServerIron(config)# ipx-network 500 ethernet_802.2
ServerIron(config-ipx-proto)# static e10 e14
ServerIron(config-ipx-proto)# exit

Syntax: ipx-network <ipx-network-number> <frame-encapsulation-type> netbios-allow | netbios-disallow


Possible values: Frame encapsulation type values: ethernet_ii, ethernet_802.2, ethernet_802.3, or
ethernet_snap
Default value: N/A

ipx-proto
This command creates an IPX protocol VLAN on a switch or router.
When creating an IPX protocol VLAN on a switch, all ports are dynamically assigned to the VLAN.
On a router, no ports are dynamically assigned to an IPX protocol VLAN. VLAN port membership must be
assigned using the static command, as shown in the example below. Because no dynamic port assignment is
made for IPX protocol VLANs on a router, there is no need to exclude any ports, only specify membership with the
static command.
NOTE: An IPX protocol and IPX network VLAN cannot operate simultaneously on a Foundry switch or router.
This restriction is also true for IP and IP sub-net VLANs. If you have previously defined an IPX network VLAN on
the system, you need to delete it before an IPX protocol VLAN can be created.
EXAMPLE:
To assign ports 1, 2, 6 and 8 to an IPX protocol VLAN, enter the following:
ServerIron(config)# ipx-proto
ServerIron(config-ipx-proto)# static e1 to 2 e6 e8
ServerIron(config-ipx-proto)# exit

Syntax: ipx-proto
Possible values: N/A
Default value: N/A

lock-address ethernet
Allows you to limit the number of devices that have access to a specific port. Access violations are reported by
SNMP traps.
EXAMPLE:
ServerIron(config)# lock e2 addr 15
ServerIron(config-if)# end
ServerIron# write memory

Syntax: lock-address ethernet <portnum> [addr-count <num>]


Possible values: Address count: 1 – 2048
Default value: Address count: 8

logging
The logging commands enable or disable logging, configure the size of the local log buffer, and specify a SyslogD
server.
EXAMPLE:
To disable logging of SNMP traps to a locally saved event log, enter the following command:
ServerIron(config)# no logging on
To re-enable logging, enter the following command:
ServerIron(config)# logging on

Syntax: [no] logging on [<udp-port>]


Possible values: See above
Default value: Enabled; UDP port 514
EXAMPLE:
To specify two third-party SyslogD servers to receive Syslog messages in addition to the device's local Syslog
buffer, enter commands such as the following:
ServerIron(config)# logging 10.0.0.99
ServerIron(config)# logging 209.157.23.69

Syntax: logging <ip-addr> | <server-name>


EXAMPLE:
To change the logging facility from the default facility user to local7, enter the following command:
ServerIron(config)# logging facility local7

Syntax: logging facility <facility-name>


Possible values:

• kern – kernel messages
• user – random user-level messages
• mail – mail system
• daemon – system daemons
• auth – security/authorization messages
• syslog – messages generated internally by syslogd
• lpr – line printer subsystem
• news – netnews subsystem
• uucp – uucp subsystem
• sys9 – cron/at subsystem
• sys10 – reserved for system use
• sys11 – reserved for system use
• sys12 – reserved for system use
• sys13 – reserved for system use
• sys14 – reserved for system use
• cron – cron/at subsystem
• local0 – reserved for local use
• local1 – reserved for local use
• local2 – reserved for local use
• local3 – reserved for local use
• local4 – reserved for local use
• local5 – reserved for local use
• local6 – reserved for local use
• local7 – reserved for local use

Default value: user


EXAMPLE:
To disable logging of debugging and informational messages, enter the following commands:
ServerIron(config)# no logging buffered debugging
ServerIron(config)# no logging buffered informational

Syntax: [no] logging buffered <level> | <num-entries>


Possible values: <level> can be alerts, critical, debugging, emergencies, errors, informational, notifications, or
warnings. All message levels are enabled by default. You can disable message levels individually.
<num-entries> can be 1 – 100.
Default value: all message levels are logged; default local buffer capacity is 50 entries.
EXAMPLE:
By default, a message is logged whenever a user logs into or out of the CLI's User EXEC or Privileged EXEC
mode. If you want to disable logging of users' CLI access, enter the following command:
ServerIron(config)# no logging enable user-login

Syntax: [no] logging enable user-login


Possible values: N/A
Default value: User logins are logged by default.
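
Several of the ip ssh and logging commands described above weaken access control or the audit trail when set a particular way, so a saved configuration is worth checking for them. The following Python sketch is an added example, not Foundry code; it assumes the configuration text lists each command as it is typed at the global CONFIG level, and the rule names, severities and both sample configurations are constructed for illustration.

```python
import re

# One-line rules: (rule id, severity, regex for a whole config line, finding).
LINE_RULES = [
    ("ssh-empty-passwd", "high", r"ip ssh permit-empty-passwd yes",
     "SSH users are not prompted for a password"),
    ("ssh-password-auth-off", "review", r"ip ssh password-authentication no",
     "SSH password authentication is deactivated"),
    ("ssh-rsa-auth-off", "review", r"ip ssh rsa-authentication no",
     "SSH RSA challenge-response authentication is disabled"),
    ("ssh-keys-over-tftp", "review", r"ip ssh pub-key-file tftp \S+ \S+",
     "SSH public keys are loaded over TFTP, which has no authentication"),
    ("logging-off", "high", r"no logging on",
     "logging is disabled"),
    ("login-logging-off", "medium", r"no logging enable user-login",
     "CLI logins and logouts are not logged"),
]

# Keywords that follow `logging` but do not name a SyslogD server.
NOT_A_SERVER = {"on", "facility", "buffered", "enable"}


def audit(config_text):
    """Return a list of (rule_id, severity, finding) for one configuration."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    for rule_id, severity, pattern, finding in LINE_RULES:
        if any(re.fullmatch(pattern, ln) for ln in lines):
            findings.append((rule_id, severity, finding))

    # Both documented SSH authentication methods turned off together.
    ids = {f[0] for f in findings}
    if {"ssh-password-auth-off", "ssh-rsa-auth-off"} <= ids:
        findings.append(("ssh-no-auth-method", "high",
                         "password and RSA authentication are both off"))

    # A changed SSH port should be above 1024 (the manual's recommendation).
    for ln in lines:
        m = re.fullmatch(r"ip ssh port (\d+)", ln)
        if m and int(m.group(1)) != 22 and int(m.group(1)) <= 1024:
            findings.append(("ssh-low-port", "low",
                             f"SSH moved to port {m.group(1)}, not above 1024"))

    # Without `logging <ip-addr> | <server-name>` events stay in the local buffer.
    servers = [ln.split()[1] for ln in lines
               if re.fullmatch(r"logging \S+", ln)
               and ln.split()[1] not in NOT_A_SERVER]
    if not servers:
        findings.append(("no-syslog-server", "medium",
                         "no SyslogD server configured; only the local buffer is used"))
    return findings


# Constructed sample configurations (not taken from a real device).
WEAK = """
ip ssh permit-empty-passwd yes
ip ssh port 830
ip ssh pub-key-file tftp 192.168.1.234 pkeys.txt
no logging enable user-login
"""

HARDENED = """
ip ssh port 2200
ip ssh pub-key-file slot1 pkeys.txt
logging 10.0.0.99
logging facility local7
"""

if __name__ == "__main__":
    for rule_id, severity, finding in audit(WEAK):
        print(f"[{severity}] {rule_id}: {finding}")
    print("hardened findings:", audit(HARDENED))
```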

mac-age-time
Sets the aging period for all address entries in the switch or router address table.
EXAMPLE:
ServerIron(config)# mac-age 600

Syntax: mac-age-time <value>


Possible values: 0 – 65535 seconds. If you specify 0, the entries do not age.

Default value: 300 seconds

mac filter
Allows you to define filters for Layer 2 filtering on MAC addresses. After you define the filters, you can apply them
to individual interfaces using the mac filter-group command. See "mac filter-group" on page 8-10.
NOTE: You cannot use Layer 2 filters to filter Layer 4 information. To filter Layer 4 information, use ACLs. See
the "Using Access Control Lists (ACLs)" chapter in the Foundry Switch and Router Installation and Basic
Configuration Guide. The standard and extended ACLs described in that chapter are supported on the
ServerIron.
EXAMPLE:
To configure and apply a MAC filter, enter commands such as the following:
ServerIron(config)# mac filter 1 deny 3565.3475.3676 ffff.0000.0000 any etype eq 806
ServerIron(config)# mac filter 1024 permit any any
ServerIron(config)# int e 1/1
ServerIron(config-if-1/1)# mac filter-group 1
These commands configure a filter to deny ARP traffic with a source MAC address that begins with 3565 to any
destination. The second filter permits all traffic that is not denied by another filter.
NOTE: Once you define a MAC filter, the device drops Layer 2 traffic that does not match a MAC permit filter.

Syntax: mac filter <filter-num> permit | deny <src-mac> <mask> | any <dest-mac> <mask> | any
etype | llc | snap eq | gt | lt | neq <frame-type>
Possible values:
The <filter-num> is 1 – 64 (64 is the default system-max setting). If you use the system-max mac-filter-sys
command, you can increase the maximum number of MAC filters supported to 128 for global filter definitions.
The permit | deny argument determines the action the software takes when a match occurs.
The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a specific address
value and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using f's
(ones) and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask
ffff.0000.0000. In this case, the filter matches on all MAC addresses that contain "aabb" as the first two bytes.
The filter accepts any value for the remaining bytes of the MAC address. If you specify any, do not specify a mask.
In this case, the filter matches on all MAC addresses.
The <dest-mac> <mask> | any parameter specifies the destination MAC address. The syntax rules are the same
as those for the <src-mac> <mask> | any parameter.
Use the etype | llc | snap argument if you want to filter on information beyond the source and destination address.
The MAC filter allows you to filter on the following encapsulation types:

• etype (Ethertype) – a two-byte field indicating the protocol type of the frame. This can range from 0x0600 to
0xFFFF.

• llc (IEEE 802.3 LLC1 SSAP and DSAP) – a two-byte sequence providing a similar function to the EtherType
but for an IEEE 802.3 frame.

• snap (IEEE 802.3 LLC1 SNAP) – a specific LLC1 type packet.

To determine which type of frame is used on your network, use a protocol analyzer. If byte 12 of an Ethernet
packet is equal to or greater than 0600 (hex), it is an Ethernet framed packet. Any number below this indicates an
IEEE 802.3 frame (byte 12 will now indicate the length of the data field). Some well-known Ethernet types are
0800 (TCP/IP), 0600 (XNS), and 8137 (Novell Netware). Refer to RFC 1042 for a complete listing of EtherTypes.
For IEEE 802.3 frame, you can further distinguish the SSAP and DSAP of LLC header. Some well-known SAPs
include: FE (OSI), F0 (NetBIOS), 42 (Spanning Tree BPDU), and AA (SNAP). Usually the DSAP and SSAP are
the same.

NOTE: You must type in both bytes, otherwise the software will fill the field, left justified with a 00. Refer to RFC
1042 for a complete listing of SAP numbers.
SNAP is defined as an IEEE 802.3 frame with the SSAP, DSAP, and control field set to AA, AA, and 03.
Immediately following these is a five-byte SNAP header. The first three bytes in this header are not used by the
MAC filters. However, the next two bytes usually are set to the EtherType, so you can define the EtherType inside
the SNAP header that you want to filter on.
The eq | gt | lt | neq argument specifies the possible operator: eq (equal), gt (greater than), lt (less than) and neq
(not equal).
The <frame-type> argument is a hexadecimal number for the frame type. For example, the hex number for ARP is
806.
Default value: N/A

Additional Examples of Layer 2 MAC Filter Definitions


ServerIron(config)# mac filter 1 permit any any etype eq 0800
This filter configures the device to permit (forward) any inbound packet with the Ethertype field set to 0800 (IP).
ServerIron(config)# mac filter 2 deny 0080.0020.000 ffff.ffff.0000 any etype eq 0800
This filter configures the device to deny an inbound packet with the first four bytes of the source address set to 0800.0020.xxxx and an
EtherType field set to 0800 (IP). The destination field does not matter.
ServerIron(config)# mac filter 3 deny any 00e0.5200.1234 ffff.ffff.ffff snap eq 0800
This filter configures the device to deny any inbound IEEE 802.3 packet with a destination set to 00e0.5200.1234
and a SNAP EtherType set to 0800. The source address does not matter.
ServerIron(config)# mac filter 32 permit any any
This filter permits all packets. This filter is used as the last filter assigned in a filter-group that has previous deny
filters in the group.

Abbreviating the Address or Mask


Address and Mask abbreviations are allowed. However, be careful when configuring them. The default fill
character is a 0 and it will fill a byte range as left justified. This applies only to the MAC address and mask. A
range of frame types cannot be filtered. Each frame type must be entered. Here are some examples.
ServerIron(config)# mac filter 1 deny 0800.0700 ffff.ff00 any
This command expands to the following: mac filter 1 deny 0800.0700.0000 ffff.ff00.0000
The filter shown above denies forwarding of an inbound frame that has the source address set to 080007 as the
first three bytes. All other information is not significant.
Here is another example of the fill feature.
ServerIron(config)# mac filter 2 deny 0260.8C00.0102 0.0.ffff any
This command expands to the following: mac filter 1 deny 0260.8C00.0102 0000.0000.ffff any
Since the fill character is 0 and the fill is left justified, certain filters will not allow for abbreviations. For example,
suppose you want to deny an inbound packet that contained a broadcast destination address. Enter the following
command:
ServerIron(config)# mac filter 5 deny any ff ff
This command contains a destination address of all F's and a mask of F's. The command expands to the following:
ServerIron(config)# mac filter 1 deny any 00ff.0000.0000 00ff.0000.0000
Here is another example for DSAP and SSAP.
ServerIron(config)# mac filter 10 deny any any llc eq F0

This command expands to the following: mac filter 2 deny any any llc eq 00f0
If you want to filter on both the SSAP and DSAP, then the following example shows this:
ServerIron(config)# mac filter 4 deny any 0020.0010.1000 ffff.ffff.0000 llc eq e0e0
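
The fill rule above can be checked mechanically before a filter is applied to an interface. The following Python sketch is an added example, not Foundry code; it assumes the expansion behaves exactly as in the examples in this section (each dotted group is zero-padded on the left to four hex digits and missing trailing groups become 0000), and the function names and test addresses are hypothetical.

```python
import re

_GROUP = re.compile(r"[0-9a-fA-F]{1,4}")


def expand_mac(text):
    """Expand an abbreviated dotted MAC address or mask to a 48-bit integer."""
    groups = text.split(".")
    if not 1 <= len(groups) <= 3 or not all(_GROUP.fullmatch(g) for g in groups):
        raise ValueError(f"not a dotted MAC value: {text!r}")
    # Each typed group is padded on the left with zeros to four hex digits.
    groups = [g.rjust(4, "0") for g in groups]
    # Groups that were not typed at all are filled with zeros.
    groups += ["0000"] * (3 - len(groups))
    return int("".join(groups), 16)


def format_mac(value):
    """Format a 48-bit integer as xxxx.xxxx.xxxx."""
    digits = f"{value:012x}"
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def describe_filter(filter_addr, filter_mask):
    """Return (expanded address, expanded mask, number of compared bits)."""
    addr, mask = expand_mac(filter_addr), expand_mac(filter_mask)
    return format_mac(addr), format_mac(mask), bin(mask).count("1")


def mac_matches(address, filter_addr, filter_mask):
    """True if `address` equals the filter address in every bit the mask selects."""
    mask = expand_mac(filter_mask)
    return (expand_mac(address) & mask) == (expand_mac(filter_addr) & mask)


if __name__ == "__main__":
    # Address/mask pairs as typed in the examples of this section.
    for addr, mask in [("0800.0700", "ffff.ff00"),
                       ("0260.8C00.0102", "0.0.ffff"),
                       ("ff", "ff")]:
        print(f"{addr} {mask} ->", describe_filter(addr, mask))

    # Constructed destinations tested against the abbreviated `ff ff` filter
    # and against the fully written broadcast filter.
    for dest in ("ffff.ffff.ffff", "12ff.3456.789a", "0010.5a00.0001"):
        print(dest,
              "abbreviated:", mac_matches(dest, "ff", "ff"),
              "full:", mac_matches(dest, "ffff.ffff.ffff", "ffff.ffff.ffff"))
```

For filter 5 above, the output shows that `ff ff` compares only the second byte of the destination address, so it also matches unicast destinations such as 12ff.3456.789a; writing the address and mask in full restricts the match to the broadcast address.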

mac filter log-enable


Enables logging of packets that are denied by Layer 2 MAC filters. When you enable this feature, the device
generates Syslog entries and SNMP traps for denied packets.
EXAMPLE:
ServerIron(config)# mac filter log-enable

Syntax: mac filter log-enable


Possible values: N/A
Default value: Disabled

mac-age-time
Sets the aging period for all address entries in the ServerIron address table.
EXAMPLE:
ServerIron(config)# mac-age 600

Syntax: mac-age-time <value>


Possible values: 0 – 65535 seconds. If you specify 0, the entries do not age.
Default value: 300 seconds

mirror-port
Enables and assigns a specific port to operate as a mirror port for other ports on a ServerIron. Once enabled, you
can connect an external traffic analyzer to the port for traffic analysis.
You also need to enable the monitor command on a port for it to be mirrored by this port.
EXAMPLE:
To assign port 1 as the mirror port and port 5 as the port to be monitored, enter the following:
ServerIron(config)# mirror-port e 1
ServerIron(config)# interface e 5
ServerIron(config-if)# monitor on
To define a mirror port on a Chassis device, define a slot number in addition to the port number as seen in the
syntax below.

Syntax: mirror-port ethernet <portnum>


Possible values: N/A
Default value: Undefined

module
Adds a hardware module to a Foundry Chassis device.
EXAMPLE:
To add an 8-port Gigabit Ethernet management module to slot 3 in a ServerIron 800, enter the following
command:
ServerIron(config)# module 3 bi-8-port-gig-management-module

Syntax: module <slot-num> <module-type>


The <slot-num> parameter indicates the chassis slot number.

• Slots on the ServerIron 400 are numbered 1 – 4, from top to bottom.

• Slots on the ServerIron 800 are numbered 1 – 8, from left to right.

The <module-type> parameter specifies the module. For a list of the valid module types, enter
module <slot-num> ? at the CLI prompt.
Possible values: see above
Default value: N/A

multicast filter
Configures a Layer 2 filter for multicast packets. You can filter on all multicast packets or on specific multicast
groups.
EXAMPLE:
To configure a Layer 2 multicast filter to filter all multicast groups, then apply the filter to ports 2/4, 2/5, and 2/8,
enter the following commands:
ServerIron(config)# multicast filter 1 any
ServerIron(config-mcast-filter-id-1)# exclude-ports ethernet 2/4 to 2/5 ethernet 2/8
ServerIron(config-mcast-filter-id-1)# write mem
EXAMPLE:
To configure a multicast filter to block all multicast traffic destined for multicast addresses 0100.5e00.5200 –
0100.5e00.52ff on port 4/8, enter the following commands:
ServerIron(config)# multicast filter 2 any 0100.5e00.5200 ffff.ffff.ff00
ServerIron(config-mcast-filter-id-2)# exclude-ports ethernet 4/8
ServerIron(config-mcast-filter-id-2)# write mem
The software calculates the range by combining the mask with the multicast address. In this example, all but the
last two bits in the mask are significant bits (ones). The last two bits are zeros and thus match on any value.

Syntax: [no] multicast filter <filter-id> any | ip udp mac <multicast-address> | any [mask <ip-mask>] [vlan <vlanid>]
The parameter values are the same as for the broadcast filter command. In addition, the multicast filter
command requires the mac <multicast-address> | any parameter, which specifies the multicast address. Enter
mac any to filter on all multicast addresses. Enter mac followed by a specific multicast address to filter only on
that multicast address.
To filter on a range of multicast addresses, use the mask <ip-mask> parameter. For example, to filter on multicast
groups 0100.5e00.5200 – 0100.5e00.52ff, use mask ffff.ffff.ff00. The default mask matches all bits (is all Fs).
You can leave the mask off if you want the filter to match on all bits in the multicast address.
Possible values: see above
Default value: N/A

multicast limit
Specifies the maximum number of multicast packets the device can forward each second. By default the device
sends multicasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However,
if other devices in the network cannot handle unlimited multicast traffic, this command allows you to relieve those
devices by throttling the multicasts at the Foundry device.
NOTE: The multicast limit does not affect broadcast or unicast traffic. However, you can use the broadcast limit
and unknown-unicast limit commands to control these types of traffic. See "broadcast limit" on page 6-12 and
"unknown-unicast limit" on page 6-98.

EXAMPLE:
ServerIron(config)# multicast limit 30000

Syntax: multicast limit <num>


Possible values: 0 – 4294967295
Default value: N/A

netbios-proto
This command creates a NetBIOS protocol VLAN on a Foundry switch or router. All ports of the system are
assumed, by default, to be members of the VLAN when initially created. VLAN Membership can be modified
using the dynamic, static, or exclude commands.
EXAMPLE:
To create a NetBIOS Protocol VLAN on an 18 port device with permanent port membership of 4 and 5 and ports 8
through 12 as dynamic member ports, enter the following commands.
ServerIron(config)# netbios-proto
ServerIron(config-netbios-proto)# static e4 e5
ServerIron(config-netbios-proto)# exclude e1 to 3 e6 e7 e13 to 18
ServerIron(config-netbios-proto)# exit

Syntax: netbios-proto [<name>]


The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
Possible values: N/A
Default value: N/A

no
This command is used to disable many commands. To do so, place the word no before the command.

other-proto
Creates an Other protocol VLAN on the system. All ports of the switch are by default dynamically assigned to the
newly created VLAN. VLAN Membership can be modified using the dynamic, static, or exclude commands.
You can use this option to define a protocol-based VLAN for protocols that are not specified as supported protocol
VLANs on a switch or router, or do not require dedicated, separate broadcast domains.
EXAMPLE:
On a 16 port ServerIron, ports 13 through 16 represent protocols Decnet and AppleTalk. You do not need to
separate traffic by protocol into separate broadcast domains. Instead, create an Other Protocol VLAN with just
those ports as members.
ServerIron(config)# other-proto
ServerIron(config-other-proto)# static e13 to 16
ServerIron(config-other-proto)# exclude e1 to 12
ServerIron(config-other-proto)# exit

Syntax: other-proto [<name>]


The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
Possible values: N/A
Default value: N/A

password-change
This command allows you to define those access points from which the system password can be defined. Options
are serial-port-only, telnet-only, or any. Any would allow the password to be modified from a serial port, telnet
session or through IronView.
EXAMPLE:
To allow password changes from a serial port connection only, enter the following command:
ServerIron(config)# password-change cli

Syntax: password-change any | cli | console-cli | telnet-cli


Possible values: any, cli, console-cli, telnet-cli
Default value: None

privilege
This command augments the default access privileges for an access level. When you configure a user account,
you can give the account one of three privilege levels: full access, port-configuration access, and read-only
access. Each privilege level provides access to specific areas of the CLI by default:

Full access provides access to all commands and displays.

Port-configuration access gives access to:

The User EXEC and Privileged EXEC levels, and the port-specific parts of the CONFIG level

All interface configuration levels

Read-only access gives access to:

The User EXEC and Privileged EXEC levels

EXAMPLE:
To enhance the port-configuration privilege level so users also can enter ip commands at the global CONFIG level
(useful for adding IP addresses for multinetting), enter the following command:
ServerIron(config)# privilege configure level 4 ip
In this command, configure specifies that the enhanced access is for a command at the global CONFIG level of
the CLI. The level 4 parameter indicates that the enhanced access is for privilege level 4 (port-configuration). All
users with port-configuration privileges will have the enhanced access. The ip parameter indicates that the
enhanced access is for the IP commands. Users who log in with valid port-configuration level user names and
passwords can enter commands that begin with "ip" at the global CONFIG level.

Syntax: [no] privilege <cli-level> level <privilege-level> <command-string>


The <cli-level> parameter specifies the CLI level and can be one of the following values:

exec EXEC level; for example, ServerIron> or ServerIron#

configure CONFIG level; for example, ServerIron(config)#

interface interface level; for example, ServerIron(config-if-6)#

port-vlan Port-based VLAN level; for example, ServerIron(config-vlan)#

protocol-vlan Protocol-based VLAN level; for example, ServerIron(config-vlan)#

The <privilege-level> indicates the privilege level you are augmenting.


The level parameter specifies the privilege-level. You can specify one of the following:

0 Full access (super-user)

4 Port-configuration access

5 Read-only access

The <command-string> parameter specifies the command you are allowing users with the specified privilege level
to enter. To display a list of the commands at a CLI level, enter "?" at that level's command prompt and press
Return.
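The following Python sketch is an added example, not part of the Foundry manual: it audits the privilege statements in a saved configuration against the syntax described above and lists which restricted levels have been widened. The sample configuration text and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Allowed values, copied from the syntax description above.
CLI_LEVELS = {"exec", "configure", "interface", "port-vlan", "protocol-vlan"}
PRIVILEGE_LEVELS = {0: "full access", 4: "port-configuration", 5: "read-only"}

STATEMENT = re.compile(
    r"^(?P<no>no\s+)?privilege\s+(?P<cli>\S+)\s+level\s+(?P<lvl>\S+)\s+(?P<cmd>\S.*)$"
)


def parse_privilege_lines(config_text):
    """Return (grants, errors).

    grants maps (privilege_level, cli_level) to the sorted command strings still
    granted after every 'no privilege ...' line has been applied in order.
    errors lists (line_number, reason) for statements that do not match the
    documented syntax.
    """
    grants = defaultdict(set)
    errors = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not re.match(r"(no\s+)?privilege\b", line):
            continue  # some other command
        m = STATEMENT.match(line)
        if m is None:
            errors.append((lineno, "does not match the documented syntax"))
            continue
        if m["cli"] not in CLI_LEVELS:
            errors.append((lineno, f"unknown CLI level {m['cli']!r}"))
            continue
        if not m["lvl"].isdigit() or int(m["lvl"]) not in PRIVILEGE_LEVELS:
            errors.append((lineno, f"unknown privilege level {m['lvl']!r}"))
            continue
        key = (int(m["lvl"]), m["cli"])
        command = " ".join(m["cmd"].split())
        if m["no"]:
            grants[key].discard(command)  # 'no' withdraws an earlier grant
        else:
            grants[key].add(command)
    return {k: sorted(v) for k, v in grants.items() if v}, errors


def review_findings(grants):
    """List every augmentation of a restricted level as (level, cli, command, note)."""
    findings = []
    for (level, cli), commands in sorted(grants.items()):
        if level == 0:
            continue  # full access already covers every command
        for command in commands:
            note = "review"
            # Read-only accounts normally reach only the EXEC levels.
            if level == 5 and cli != "exec":
                note = "read-only accounts gain a configuration command"
            findings.append((level, cli, command, note))
    return findings


# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
! constructed sample
privilege configure level 4 ip
privilege exec level 5 show
privilege configure level 5 server
no privilege exec level 5 show
privilege vlan level 4 static
privilege configure level 7 ip
privilege configure 4 ip
"""

if __name__ == "__main__":
    grants, errors = parse_privilege_lines(SAMPLE_CONFIG)
    for finding in review_findings(grants):
        print(finding)
    for lineno, reason in errors:
        print(f"line {lineno}: {reason}")
```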

quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config)# quit
ServerIron>

Syntax: quit
Possible values: N/A
Default value: N/A

perf-mode
Allows you to define the performance mode as 'high' to allow flow control to activate at an earlier stage, when
heavy congestion exists on the network. This feature must be saved to memory and the system reset before it
becomes active.
EXAMPLE:
ServerIron(config)# perf-mode hi

Syntax: perf-mode normal | hi


Possible values: hi
Default value: normal

radius-server
Identifies a RADIUS server and sets other RADIUS parameters.
EXAMPLE:
ServerIron(config)# radius-server host 209.157.22.99

Syntax: radius-server host <ip-addr> | <server-name> [auth-port <number>] [acct-port <number>]


<ip-addr> | <server-name> is either an IP address or an ASCII text string.
<auth-port> is the Authentication port number; it is an optional parameter. The default is 1645.
<acct-port> is the Accounting port number; it is an optional parameter. The default is 1646.

Syntax: radius-server [key <key-string>] [timeout <number>] [retransmit <number>] [dead-time <number>]
The key <key-string> parameter is the encryption key; valid key string length is from 1 to 16.
The timeout <number> is how many seconds to wait before declaring a RADIUS server timeout for the
authentication request. The default timeout is 3 seconds. The range of possible timeout values is from 1 to 15.
The retransmit <number> is the maximum number of retransmission attempts. When an authentication request
times out, the Foundry software will retransmit the request up to the maximum number of retransmissions
configured. The default retransmit value is 3 seconds. The possible retransmit value is from 1 to 5.
The dead-time parameter is not used in this software release. When the software allows multiple authentication
servers, this parameter will specify how long the Foundry device waits for the primary authentication server to
reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can
be from 1 to 5 seconds. The default is 3.
Possible values: see above
Default value: see above

relative-utilization
Allows you to configure uplink utilization lists that display the percentage of a given uplink port's bandwidth that is
used by a specific list of downlink ports. The percentages are based on 30-second intervals of RMON packet
statistics for the ports. Both transmit and receive traffic is counted in each percentage.

NOTE: This feature is intended for ISP or collocation environments in which downlink ports are dedicated to
various customers' traffic and are isolated from one another. If traffic regularly passes between the downlink
ports, the information displayed by the utilization lists does not provide a clear depiction of traffic exchanged by the
downlink ports and the uplink port.
Each uplink utilization list consists of the following:

Utilization list number (1, 2, 3, or 4)

One or more uplink ports

One or more downlink ports

Each list displays the uplink port and the percentage of that port's bandwidth that was utilized by the downlink
ports over the most recent 30-second interval. You can configure up to four bandwidth utilization lists.
EXAMPLE:
To configure a link utilization list with port 1 as the uplink port and ports 2 and 3 as the downlink ports:
ServerIron(config)# relative-utilization 1 uplink eth 1 downlink eth 2 to 3

Syntax: [no] relative-utilization <num> uplink ethernet <portnum> [to <portnum> | <portnum>]
downlink ethernet <portnum> [to <portnum> | <portnum>]
Possible values: The <num> parameter specifies the list number. You can configure up to four lists. Specify a
number from 1 to 4.
The uplink ethernet parameters and the port number(s) you specify after the parameters indicate the uplink
port(s).
The downlink ethernet parameters and the port number(s) you specify after the parameters indicate the downlink
port(s).
Default value: N/A

rmon alarm
The RMON alarm command defines what MIB objects are monitored, the type of thresholds that will be monitored
(falling, rising or both), the value of those thresholds, and the sample type (absolute or delta).
An alarm event will be reported each time that a threshold is exceeded. The alarm entry also defines the action
(event) to take should the threshold be exceeded.
A sample CLI alarm entry and its syntax are shown below:
EXAMPLE:
ServerIron(config)# rmon alarm 1 ifInOctets.6 10 delta rising-threshold 100 1
falling threshold 50 1 owner nyc02

Syntax: rmon alarm <entry-number> <MIB-object.interface-number> <sampling-time> <sample-type>
<threshold-type> <threshold-value> <event-number> <threshold-type> <threshold-value> <event-number> owner
<text>
Possible values:

Threshold type: rising-threshold or falling threshold

Sample type: delta or absolute

Default value: N/A

rmon event
There are two elements to the RMON event group (group 9): the event control table and the event log table.
The event control table defines the action to be taken when an alarm is reported. Defined events can be found by
entering the CLI command, show event.
The event log table collects and stores reported events for retrieval by an RMON application.
EXAMPLE:
ServerIron(config)# rmon event 1 description testing a longer string log-and-trap
public owner nyc02

Syntax: rmon event <event-entry> description <text-string> log | trap | log-and-trap owner <rmon-station>
Possible values: N/A
Default value: N/A

rmon history
All active ServerIron ports by default will generate two RMON history (group 2) control data entries. If a port
becomes inactive, then the two entries will automatically be deleted.
Two history entries are generated for each switch by default:

a sampling of statistics every 30 seconds

a sampling of statistics every 30 minutes

You can modify how many of these historical entries are saved in an event log (buckets) as well as how often these
intervals are taken. The station (owner) that collects these entries can also be defined.
To review the control data entry for each port or interface, enter the show rmon history command.
EXAMPLE:
ServerIron(config)# rmon history 1 interface 1 buckets 10 interval 10 owner nyc02

Syntax: rmon history <entry-number> interface <portnum> buckets <number> interval <sampling-interval> owner
<text-string>
Possible values: Buckets: 1 - 50 entries.
Default value: N/A

router rip
Enables the Routing Information Protocol (RIP).
NOTE: This command applies only to IP forwarding (Layer 3 IP).
NOTE: You also must enable RIP locally on the virtual routing interface. See ip rip on page 8-7.
EXAMPLE:
To enable RIP globally, enter the following command:
ServerIron(config)# router rip
ServerIron(config-rip-router)#
Notice that the command also changes the CLI to RIP configuration level. See Routing Information Protocol
(RIP) Commands on page 20-1.

Syntax: [no] router rip


Possible values: N/A
Default value: Disabled

rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.

server active-active-port
Provides redundancy for NAT or the SYN-Guard feature when not used with FWLB or SLB. This command
specifies the ServerIron port connected to the other ServerIron in the configuration.
EXAMPLE:
ServerIron(config)# server active-active-port ethernet 4/5
This command configures the active-active link on port 4/5.
ServerIron(config)# server active-active-port ethernet 4/5 300
This command configures the active-active link on port 4/5 on VLAN 300 only. The active-active traffic is not
forwarded to the other VLANs that port 3/5 is in.

Syntax: [no] server active-active-port ethernet <portnum> [<vlan-id>]


The <portnum> parameter is the first port MAC address where the peer ServerIron resides. This is the MAC
address displayed as the "Boot Prom MAC" in the output of the show chassis command on the peer ServerIron.
You must add a static MAC entry for this MAC address.
The <vlan-id> parameter specifies the VLAN you want to use for active-active synchronization traffic. Use this
parameter if the port is a tagged member of multiple VLANs.
NOTE: The VLAN you specify must be used only for synchronization traffic. Do not specify a VLAN that also will
carry data traffic.
Possible values: See above
Default value: N/A

server allow-sticky
Accepts new connections on a real server whose sticky port has been unbound.
When you unbind an application port from a server, the ServerIron temporarily places the port in the aw_unbnd
(awaiting unbind) state. If you delete an application port, the ServerIron temporarily places the port in the aw_del
(awaiting delete) state. These temporary states allow open sessions on the port to be completed before the port
is unbound or removed.
By default, when the ServerIron receives a new request associated with a sticky port in the aw_unbnd state, the
ServerIron establishes the session on another real server, not the real server from which you are unbinding the
port.
This command configures the ServerIron to accept new sessions for the same real server for a sticky port, even
under the following conditions:

The real server port is in the aw_unbnd state.

The real server port is in the aw_del state.

The real server port is disabled.

EXAMPLE:
ServerIron(config)# server allow-sticky

Syntax: [no] server allow-sticky [refresh-age]


The refresh-age parameter configures the ServerIron to reset the age of a sticky session on the port whenever a
new connection associated with the sticky port is established. This parameter ensures that the session stays up
indefinitely until it is no longer needed.
By default, the ServerIron does not reset the age of the session when new connections are established. Instead,
the session times out after the sticky age expires.
If you use the refresh-age parameter, the ServerIron resets the age of the session to the value of the sticky age.
For example, if the sticky age is five minutes (the default), when the ServerIron establishes a new session on the
sticky port, the ServerIron resets the age time for the session to five minutes. Each time the ServerIron receives
another connection request associated with the sticky session, the ServerIron resets the session age again.
Possible values: See above
Default value: Disabled

server backup
The server backup command sets up the server load balancing redundancy on ServerIron switches. The two
switches used in the configuration must be configured with the same MAC address. The MAC address used for
the two switches can be any MAC address supported on either of the switches.
EXAMPLE:
ServerIron(config)# server backup ethernet 13 00e0.5201.0c72

Syntax: server backup ethernet <portnum> <HHHH.HHHH.HHHH>


Possible values: N/A
Default value: N/A

server backup-group
Configures a hot-standby group ID. Use the group ID when you are configuring more than one pair of ServerIrons
for SLB hot standby within the same Layer 2 broadcast domain.
Configure a backup group ID on each of the ServerIrons, so that both ServerIrons in a given pair have the same
ID. The backup group ID uniquely identifies the pair.
When you configure a backup group ID, both ServerIrons in a hot-standby pair use the ID when exchanging
backup information. If a ServerIron receives a backup information packet but the packet's backup group ID does
not match the ServerIron's backup group ID, the ServerIron discards the packet.
If the broadcast domain contains multiple hot-standby pairs, you must configure backup group IDs on all pairs. If
the broadcast domain contains only one hot-standby pair, you do not need to configure a backup group ID.
EXAMPLE:
ServerIron(config)# server backup-group 1

Syntax: [no] server backup-group <num>


The <num> parameter specifies the backup group ID and can be a number from 0 to 7. Enter the same ID on both
ServerIrons in a hot-standby pair. Do not enter the same ID on a ServerIron that is not one of the ServerIrons in
the hot-standby pair.
Possible values: 0 - 7
Default value: N/A

server backup-port
Configures the active-active (synchronization) port for SSLB. The active-active port connects the ServerIron to its
SSLB partner.
EXAMPLE:
ServerIron(config)# server backup-port ethernet 3/5
This command configures the active-active link on port 3/5.
ServerIron(config)# server backup-port ethernet 3/5 200
This command configures the active-active link on port 3/5 on VLAN 200 only. The active-active traffic is not
forwarded to the other VLANs that port 3/5 is in.

Syntax: [no] server backup-port ethernet <portnum> [<vlan-id>]


The <vlan-id> parameter specifies the VLAN you want to use for active-active synchronization traffic. Use the
<vlan-id> parameter if the port is a tagged member of more than one VLAN.

NOTE: The VLAN you specify must be used only for synchronization traffic. Do not specify a VLAN that also will
carry data traffic.
Possible values: See above
Default value: N/A

server backup-preference
Configures a ServerIron in an active-standby pair to always be the active ServerIron. Without the backup
preference, ServerIrons in a hot-standby pair elect the active ServerIron based on a random timer on each
ServerIron.
NOTE: This command does not apply to FWLB.
EXAMPLE:
To configure a ServerIron in an active-standby pair to always be the active ServerIron, enter the following
command at the global CONFIG level of the CLI:
ServerIron(config)# server backup-preference 5

Syntax: server backup-preference <wait-time>


The <wait-time> parameter specifies how long the ServerIron waits before assuming the active role. The
ServerIron does not immediately become the active ServerIron but instead waits the number of minutes you
specify.
Possible values: 5 - 30 minutes
Default value: None

server backup-timer
Changes the backup timer on a ServerIron in an active-standby pair. The timer specifies how long a backup
ServerIron will wait for a Hello message or synchronization data from the active ServerIron before assuming the
active ServerIron is no longer available, and then taking over the active role.
NOTE: This command does not apply to FWLB.
EXAMPLE:
ServerIron(config)# server backup-timer 50
This command sets the backup timer to 5 seconds (50 * 100 milliseconds).

Syntax: server backup-timer <time>


The <time> parameter specifies how long this ServerIron, when it is the backup ServerIron, will wait for a Hello
message or synchronization data from the active ServerIron before assuming the active ServerIron is no longer
available.
Possible values: 5 (one half second) - 100 (10 seconds), in units of 100 milliseconds each
Default value: 10 (one second)

server cache-group
TCS requires that all cache servers be assigned to a cache-group. By default, all cache servers are assigned to
cache group 1. To assign cache servers to a different cache group, use this command.
EXAMPLE:
To assign cache servers server1 and server2 to cache group 2, enter the following:
ServerIron(config)# server cache-group 1
ServerIron(config-tc-1)# cache-name server1
ServerIron(config-tc-1)# cache-name server2

Syntax: server cache-group 1


Possible values: N/A
Default value: N/A

server cache-name
This command is used to assign a name and IP address to a cache server.
EXAMPLE:
To identify a cache-server with an IP address of 207.95.5.19 as web2, enter the following:
ServerIron(config)# server cache-name web2 207.95.5.19

Syntax: server cache-name <text> <ip-addr>


Possible values: N/A
Default value: N/A

server cache-router-offload
This command enables the ServerIron Cache Route Optimization feature, which redirects HTTP traffic from a
cache server directly toward the clients. Use this command when the ServerIron sits between a remote access
server (RAS) and a border access router (BAR) and the cache servers' default gateway is the BAR.
For more information, see the "Configuring Transparent Cache Switching" chapter in the Foundry ServerIron
Installation and Configuration Guide.
EXAMPLE:
To enable Cache Route Optimization on a switch operating with TCS, enter the following:
ServerIron(config)# server cache-router-offload

Syntax: [no] server cache-router-offload


Possible values: N/A
Default value: N/A

server cache-stateful
Disables stateful TCS. In stateful TCS, the ServerIron creates session table entries for the client connections
redirected to cache servers. If you disable stateful TCS, the ServerIron does not create session table entries for
the load-balanced traffic, but instead uses hash-based redirection on a packet by packet basis. In addition, the
ServerIron uses the return traffic as one means to assess the health of a cache server. If you disable stateful
TCS, the ServerIron does not monitor the return traffic.
NOTE: Stateful TCS provides more benefit than stateless TCS in almost all TCS configurations. Do not disable
stateful TCS unless advised to do so by Foundry Networks Technical Support.
EXAMPLE:
To disable stateful TCS, enter the following command:
ServerIron(config)# no server cache-stateful

Syntax: [no] server cache-stateful


Possible values: N/A
Default value: Enabled

server clock-scale
Provides a clock multiplier for the TCP age and UDP age timers, which are used to age out the entries in the
session table. This command is useful for configurations that require TCP or UDP timeouts longer than the
maximum configurable value (60 minutes). For example, if you set the clock scale to 2, the TCP and UDP age
timer values are multiplied by 2. Thus, a TCP age of 60 would then be equivalent to 120 minutes instead of 60
minutes.
EXAMPLE:
ServerIron(config)# server clock-scale 2

Syntax: server clock-scale <multiplier>


Possible values: 1 - 20
Default value: 1

server connection-log
Enables TCP/UDP session logging. When TCP/UDP session logging is enabled, the ServerIron sends a
message to the external Syslog servers when the software creates a session table entry.
EXAMPLE:
To enable session logging for all TCP and UDP ports, enter a command such as the following:
ServerIron(config)# server connection-log all
The command in this example enables logging for all new session table entries. To enable logging only for new
sessions that are used for Source NAT, enter the following command:
ServerIron(config)# server connection-log src-nat

Syntax: server connection-log all | src-nat [url] [cookie]


The all parameter enables logging for all sessions.
The src-nat parameter enables logging only for sessions that are used for Source NAT.
The url parameter enables logging of URL information for sessions that contain a URL.
The cookie parameter enables logging of Cookie information for sessions that contain a Cookie.
NOTE: The URL logging option applies only when URL switching is enabled. The Cookie logging option applies
only when Cookie switching is enabled.
To enable session logging for a specific TCP or UDP port, enter commands such as the following:
ServerIron(config)# server port 80
ServerIron(config-port-80)# connection-log all url cookie

Syntax: connection-log all | src-nat [url] [cookie]


The parameter values are the same as the values for globally enabling logging.
Possible values: see above
Default value: Disabled

server delay-symmetric
Delays reactivation of a failed ServerIron in an SSLB configuration following the ServerIron's recovery. By
delaying reactivation of a recovered ServerIron, you provide time for sessions created by the standby ServerIron to
terminate normally.
NOTE: This command applies only to active-standby SSLB in software release 07.1.x. Software 07.2.x uses
active-active SSLB instead. See the "Active-Standby SSLB" section in the "Configuring Symmetric SLB and
SwitchBack" chapter of the Foundry ServerIron Installation and Configuration Guide.
When you enable session synchronization in a ServerIronXL SSLB configuration, the active ServerIron for a VIP
sends session synchronization information to the standby ServerIron. If the VIP's active ServerIron becomes
unavailable, the open sessions for the VIP fail over to the other ServerIron, which provides uninterrupted service
for the sessions.
The active ServerIron sends session synchronization information to a VIP's standby ServerIron when the session
is created. Following a failover, when the standby ServerIron for a VIP has taken over, the standby ServerIron can
create new sessions for the VIP. However, because the ServerIron with the higher priority for the VIP is
unavailable, the standby ServerIron cannot send synchronization information for the newly created sessions. As a
result, when the other ServerIron becomes available again, it resumes service for the VIP but cannot continue the
sessions that were created by the standby ServerIron.
EXAMPLE:
To enable reactivation delay following recovery of a ServerIron, enter the following command at the global
CONFIG level of the CLI:
ServerIron(config)# server delay-symmetric

Syntax: [no] server delay-symmetric [<mins>]


The <mins> parameter specifies the number of minutes you want the recovered ServerIron to wait before
becoming active again. You can specify from 2 to 120 minutes. The default is 60 minutes.
NOTE: You must enter the same command using the same number of minutes on both ServerIrons in the
configuration.
Possible values: See above
Default value: See above

server force-delete
This command allows you to force termination of existing server load balancing connections when the supporting
server or service is disabled or deleted.
By default, when a service is disabled or deleted, the ServerIron does not send new connections to the real servers
for that service. However, the ServerIron does allow existing connections to complete normally, however long that
may take.
You can use the server force-delete command to force the existing connections to be terminated within two
minutes.
NOTE: If you disable or delete a service, do not enter an additional command to reverse the command you used
to disable or delete the service, while the server is in graceful shutdown.
NOTE: For important information about shutting down services or servers, see the "Configuring Server Load
Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
To force the shutdown of all deleted servers on a ServerIron, enter the following:
ServerIron(config)# server force-delete
NOTE: Once enabled, this feature controls all future deletions. To see whether force delete is active, enter the
show configuration command. If active, this option will appear in the summary of global parameters. Because
the server force-delete command is a global command, there is no need to specify real server 15. It will
automatically end the connections of all servers or services awaiting deletion.
NOTE: To display active sessions for a specific server, enter the show sessions real server <number>
command and a display as seen below will appear. Notice that the display below shows the Telnet connection on
server 15 as awaiting unbinding. Without the server force-delete command, this feature will stay in this state until
the session ends naturally.

ServerIron(config-vs-building)# show server real s15

Real Servers Info
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Name: s15      IP: 207.95.18.15      State: 6      Wt: 1      Max-conn: 1000000

Port     State     CurConn TotConns Rx-pkts Tx-pkts Rx-octet Tx-octet Reas
http     active
ftp      active
telnet   aw_unbnd
default  unbnd
Server Total

[The counter cells of this display lost their column positions in this copy. Values present, in source order:
1711509 1206 82402 388 1711511 374 23618 22452 0 388 1580 23618 104854]


Because the binding is awaiting deletion, it will also still be seen as an active binding, if you enter the show
session bind command, as seen below:
ServerIron(config-vs-building)# show server bind
Virtual Server Name: building,
IP: 207.95.5.130
http -------> s21: 207.95.18.21, http
s15: 207.95.18.15, http
s50: 207.95.18.50, http
ftp -------> s50: 207.95.18.50, ftp
s21: 207.95.18.21, ftp
s15: 207.95.18.15, ftp
telnet -------> s15: 207.95.18.15, telnet
s21: 207.95.18.21, telnet
s50: 207.95.18.50, telnet
Once force delete is enabled, the unbinding will occur within two minutes and the show session real server s15
will show that connection as unbound, as seen below:
ServerIron(config)# show session real s15
Real Servers Info
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Name: s15      IP: 207.95.18.15      State: 6      Wt: 1      Max-conn: 1000000

Port     State     CurConn TotConns Rx-pkts Tx-pkts Rx-octet Tx-octet Reas
http     active
ftp      active
telnet   unbnd
default  unbnd
Server Total

[The counter cells of this display lost their column positions in this copy. Values present, in source order:
1711509 1711511 1206 0 82402 406 385 24700 23112 406 1591 105514 24700]


NOTE: The binding for the real server will also be eliminated from the show server bind display.

Syntax: server force-delete


Possible values: enabled or disabled
Default value: disabled

server fw-group
Changes the CLI to the Firewall Group level. At this level, you can configure parameters for firewall load
balancing. For information about this feature, see the Foundry ServerIron Firewall Load Balancing Guide.
The default firewall group is 2. This is the only firewall group supported. All ServerIron ports are in this firewall
group by default.
EXAMPLE:
To change the CLI to the Firewall Group level for firewall group 2, enter the following command:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)#

Syntax: server fw-group 2


Possible values: 2
Default value: N/A

server fw-name
Adds a firewall for firewall load balancing.
EXAMPLE:
To define a firewall called FW1, enter the following command:
ServerIron(config)# server fw-name FW1 209.157.22.3

Syntax: fw-name <string> <ip-addr>


NOTE: When you add a firewall name, the CLI level changes to the Firewall level.

Possible values: a string up to 32 characters long; a valid IP address
Default value: N/A

server fw-port
If you are configuring the ServerIron for IronClad Firewall Load Balancing, this command identifies the port that
connects this ServerIron to its partner. If you configure a trunk group for the link between the two partners, specify
the first port (the primary port for the group) in the trunk group. On the 8-port, 16-port, and 24-port ServerIrons,
you can configure a trunk group with two or four members and the lead ports are the odd-numbered ports.
EXAMPLE:
ServerIron(config)# server fw-port 5

Syntax: fw-port <portnum>


Possible values: N/A
Default value: N/A

server fw-recv-stateful
Enables receive stateful FWLB for application traffic coming from the firewalls to the ServerIron. For information,
see the Foundry ServerIron Firewall Load Balancing Guide.
EXAMPLE:
ServerIron(config)# server fw-recv-stateful

Syntax: [no] server fw-recv-stateful


Possible values: N/A
Default value: Disabled

server fw-slb
Enables FWLB-to-SLB. For information, see the Foundry ServerIron Firewall Load Balancing Guide.
EXAMPLE:
ServerIronB(config)# server fw-slb

Syntax: [no] server fw-slb


Possible values: N/A
Default value: Disabled

server fw-stateful
Enables stateful FWLB for application traffic coming from the ServerIron to the firewalls. For information, see the
Foundry ServerIron Firewall Load Balancing Guide.
EXAMPLE:
ServerIron(config)# server fw-stateful

Syntax: [no] server fw-stateful


Possible values: N/A
Default value: Disabled

server fw-strict-sec
Configures the ServerIron to forward a TCP data packet only if the ServerIron has already received a TCP SYN for
the packet's traffic flow (source and destination addresses). This command provides tighter security. For
example, with the tighter security enabled, the ServerIron does not forward a TCP data packet to 1.1.1.1 unless
the ServerIron has already received a TCP SYN for the session between the packet's source and 1.1.1.1.
By default, the ServerIron sends a properly addressed TCP data packet to a firewall regardless of whether the
ServerIron has received a TCP SYN for the traffic flow. For example, if the ServerIron receives a TCP packet
addressed to TCP port 8080 on IP address 1.1.1.1, the ServerIron forwards the packet to the firewall connected to
1.1.1.1 regardless of whether the ServerIron has received a TCP SYN for the session between the packet's
source and 1.1.1.1.
EXAMPLE:
ServerIron(config)# server fw-strict-sec

Syntax: [no] server fw-strict-sec


The feature applies globally to all TCP traffic received for FWLB.
Possible values: N/A
Default value: Disabled
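
The difference between the default behavior and server fw-strict-sec can be modeled as a small flow table. The following is an added illustration, not code from this manual or from Foundry; it assumes a flow is keyed on the packet's address pair in either direction, and the packet records are constructed.

```python
from collections import namedtuple

# Constructed packet records: source IP, destination IP, destination TCP port, TCP flags.
Packet = namedtuple("Packet", "src dst dport flags")


def fwlb_decisions(packets, strict_sec):
    """Return "forward" or "drop" for each packet, in arrival order.

    Model only. With strict_sec False (the default) every properly addressed
    TCP packet is forwarded. With strict_sec True a non-SYN packet is forwarded
    only if a SYN was already seen for its flow. Assumption: the flow is the
    unordered (source, destination) address pair.
    """
    flows_with_syn = set()
    decisions = []
    for pkt in packets:
        flow = frozenset((pkt.src, pkt.dst))
        is_syn = "S" in pkt.flags and "A" not in pkt.flags
        if is_syn:
            # A SYN opens the flow and is always forwarded.
            flows_with_syn.add(flow)
            decisions.append("forward")
        elif strict_sec and flow not in flows_with_syn:
            # Data or ACK for a flow whose SYN was never seen.
            decisions.append("drop")
        else:
            decisions.append("forward")
    return decisions


def dropped_only_when_strict(packets):
    """Packets the default mode forwards but strict mode drops."""
    default = fwlb_decisions(packets, strict_sec=False)
    strict = fwlb_decisions(packets, strict_sec=True)
    return [p for p, d, s in zip(packets, default, strict)
            if d == "forward" and s == "drop"]


# Constructed sample traffic toward 1.1.1.1 port 8080.
SAMPLE = [
    Packet("10.0.0.5", "1.1.1.1", 8080, "S"),    # SYN opens the flow
    Packet("10.0.0.5", "1.1.1.1", 8080, "A"),    # data/ACK on a known flow
    Packet("10.0.0.9", "1.1.1.1", 8080, "PA"),   # data with no SYN seen yet
    Packet("10.0.0.9", "1.1.1.1", 8080, "S"),    # the same client now sends a SYN
    Packet("10.0.0.9", "1.1.1.1", 8080, "PA"),   # data on the now-known flow
]

if __name__ == "__main__":
    strict = fwlb_decisions(SAMPLE, strict_sec=True)
    for pkt, verdict in zip(SAMPLE, strict):
        print(pkt.src, "->", pkt.dst, pkt.flags, verdict)
```

Running a capture of existing traffic through dropped_only_when_strict shows which packets the stricter setting would stop before you enable it.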

server fw-superzone
Enables the superzone FWLB feature.
NOTE: This command does not enable FWLB. The command only enables superzone support.
EXAMPLE:
ServerIron(config)# server fw-superzone

Syntax: [no] server fw-superzone


Possible values: N/A
Default value: Disabled

server icmp-message
Enables the ICMP message feature. This feature configures the ServerIron to send ICMP Destination
Unreachable messages to clients who request HTTP ports that are unavailable. Generally, a port is unavailable if
all the real servers that contain the port are busy or are down, or the port is not configured on the servers.
EXAMPLE:
To enable the ICMP message feature, enter the following command:
ServerIron(config)# server icmp-message

Syntax: [no] server icmp-message


Possible values: N/A
Default value: disabled

server l4-check
Globally disables or re-enables Layer 4 TCP or UDP health checks for servers. The Layer 4 health checks are
enabled by default.
If you are configuring the ServerIron to load balance traffic to multiple servers on the other side of routers and you
want to load-balance the traffic according to TCP or UDP application, use the no server l4-check command to
disable the Layer 4 health checks. If you do not disable the health checks in this type of configuration, the routers
will fail the health checks (because the target applications for the health checks are not on the routers themselves)
and the ServerIron will stop forwarding traffic to those servers.
NOTE: If you are using the ServerIron to load-balance TCP and UDP traffic through routers, you also must add
each router as a real server and disable the HTTP port on each of the real servers. HTTP is enabled by default on
all real servers.
NOTE: This command also disables all Boolean health-check policies when entered on a ServerIron 400 or
ServerIron 800.

EXAMPLE:
To disable the Layer 4 TCP and UDP health checks, enter the following command:
ServerIron(config)# no server l4-check

Syntax: [no] server l4-check


Possible values: N/A
Default value: enabled

server max-conn-trap
Specifies the number of seconds that elapse between traps for logging information about the TCP connection rate
and attack rate on the device.
EXAMPLE:
ServerIron(config)# server max-conn-trap 30

Syntax: server max-conn-trap <seconds>


Possible values: 1 - 300 seconds
Default value: 30 seconds

server max-ssl-session-id
Changes the number of entries associating a session_id with a real server that the ServerIron can store in its
database.

EXAMPLE:
To change the maximum number of database entries from 8,192 to 64,000:
ServerIron(config)# server max-ssl-session-id 64000

Syntax: server max-ssl-session-id <number>


Possible values: On the ServerIronXL and ServerIronXL/G, the number of database entries can range from
8,192 to 64,000. On the ServerIron 400 and ServerIron 800, the number of database entries can range from
8,192 to 256,000.
Default value: 8,192

server max-url-switch
Changes the maximum number of concurrent web switching connections.
EXAMPLE:
To change the maximum number of concurrent web switching connections from 100,000 to 160,000:
ServerIron(config)# server max-url-switch 160000

Syntax: server max-url-switch <number>


Possible values: On the ServerIronXL and ServerIronXL/G, the number of concurrent web switching connections
can range from 100,000 to 160,000. On the ServerIron 400 and ServerIron 800, the number of concurrent web
switching connections can range from 100,000 to 512,000.
Default value: 100,000

server monitor
Enters the Layer 4 monitor CLI level.
EXAMPLE:
ServerIron(config)# server monitor

Syntax: server monitor


Possible values: N/A
Default value: N/A

server msl
Sets the amount of time sessions for ports configured with the udp-fast-age command stay in the delete queue
before being deleted.
EXAMPLE:
ServerIron(config)# server msl 2

Syntax: server msl <seconds>


Possible values: 1 - 40 seconds
Default value: 8 seconds

server no-fast-bringup
Enables the health-checking procedure for application ports used in releases prior to 7.1.05.

In releases prior to 7.1.05, the ServerIron performed a Layer 4 health check on a port on a real server,
followed by a Layer 7 health check, if one was enabled on the port. If the port passed both health checks, it
was then marked ACTIVE.

Starting with release 7.1.05, by default when a port passes a Layer 4 health check, it is then marked ACTIVE.
The ServerIron then performs a Layer 7 health check, if one is enabled on the port. Based on the result of the
Layer 7 health check (if enabled), the port is then marked ACTIVE or FAILED.

This change was made so that ports could be brought up more quickly. You can optionally change the default
behavior so that a port is not marked ACTIVE until it passes both the Layer 4 and (if one is enabled) Layer 7 health
checks.
EXAMPLE:
To enable the health-checking procedure that existed in releases prior to 7.1.05:
ServerIron(config)# server no-fast-bringup

Syntax: [no] server no-fast-bringup


Possible values: N/A
Default value: N/A

server no-real-l3-check
Globally disables the initial Layer 3 health check for local real servers. When you disable the health check, the
ServerIron sends an ARP request for the default gateway and makes the server's state ACTIVE as long as the
ARP entry is present in the ServerIron's ARP cache.
By default, when you add a real server configuration to the ServerIron, the ServerIron uses a Layer 3 health check
(IP ping) to determine the server's reachability. If the real server responds to the ping, the ServerIron changes the
server's state to ACTIVE and begins using the server for client requests.
NOTE: This command applies only to local real servers (servers added using the server real-name command).
EXAMPLE:
ServerIron(config)# server no-real-l3-check

Syntax: [no] server no-real-l3-check


Possible values: N/A
Default value: Health check is enabled

server no-remote-l3-check
Globally disables the initial Layer 3 health check for remote real servers. When you disable the health check, the
ServerIron sends an ARP request for the default gateway and makes the remote server's state ACTIVE as long as
the ARP entry is present in the ServerIron's ARP cache.
By default, when you add a real server configuration to the ServerIron, the ServerIron uses a Layer 3 health check
(IP ping) to determine the server's reachability. If the real server responds to the ping, the ServerIron changes the
server's state to ACTIVE and begins using the server for client requests.
NOTE: This command applies only to remote servers (servers added using the server remote-name
command).
EXAMPLE:
ServerIron(config)# server no-remote-l3-check

Syntax: [no] server no-remote-l3-check


Possible values: N/A
Default value: Health check is enabled

server no-slow-start
Globally disables the slow-start mechanism. When you disable the slow-start mechanism, the ServerIron can
immediately send up to the maximum number of connections specified for the real server when the server comes
up. Disabling slow-start does not remove the slow-start configuration information from the real servers. To
reactivate slow-start, globally re-enable the feature.

EXAMPLE:
ServerIron(config)# server no-slow-start

Syntax: [no] server no-slow-start


To globally re-enable slow-start, enter the following command:
ServerIron(config)# no server no-slow-start
Possible values: N/A
Default value: Enabled

server partner-ports
Enables the standby ServerIron in an IronClad FWLB configuration that uses the always-active feature to learn the
MAC addresses of hosts whose packets pass through the active ServerIron to reach the standby ServerIron.
For more information about the use of this command, see the "Preventing Unnecessary Broadcasts in an
Always-Active IronClad Configuration" section in the "Using the Always-Active Feature for Simplified Topologies" appendix
of the Foundry ServerIron Firewall Load Balancing Guide.
NOTE: This command applies only to IronClad FWLB configurations that use the always-active option.
EXAMPLE:
ServerIron(config)# server partner-ports 5

Syntax: [no] server partner-ports <portnum>...


The <portnum> parameter specifies the port(s) that are in the always-active VLAN. This is the VLAN that contains
the data link between the two ServerIrons.

On the ServerIronXL, ServerIron 400, and ServerIron 800 you can specify up to eight ports on the same
command line. Use a space after each port number to separate them.

On the ServerIronXL/G, you can specify one port on the same command line. However, you can enter the
command multiple times for multiple ports.

Possible values: See above


Default value: None configured

server path-group
This command is for a specific configuration. Do not use this command unless advised to do so by Foundry
Networks technical staff.

server peer-group
Configures stateless health checking. Use stateless health checking when you configure multiple ServerIrons to
load balance for a common set of TCP or UDP application ports. For example, a transparent VIP configuration
that uses stateless application ports can benefit from stateless health checking. A stateless application port is one
for which the ServerIron does not create session table entries.
EXAMPLE:
To configure a stateless health check group, enter a command such as the following on each ServerIron in the
group.
ServerIronA(config)# server peer-group 1 192.168.3.9 192.168.4.9
This command configures group 1 to contain two ServerIrons.

Syntax: [no] server peer-group <num> <ip-addr>...


The <num> parameter specifies the stateless health check group ID. You can specify a number from 1 - 16.
There is no default.

The <ip-addr>... parameter specifies a list of ServerIron management IP addresses. You can specify up to four
addresses with the command. Separate each address with a space. You can configure up to 16 ServerIron
management IP addresses. To do so, enter the command four times and specify different addresses each time.
NOTE: Make sure you add the management IP address for each of the other ServerIrons in the group. Do not
include the ServerIron's own management address in the list.
To configure a ServerIron's stateless health check priority, enter a command such as the following on each
ServerIron in the stateless health check group.
NOTE: If you do not set the stateless health check priority on a ServerIron, that ServerIron does not participate
in stateless health checking. If you set the same priority on all the ServerIrons, their priorities are based on their
management IP addresses instead. In this case, a higher management IP address has more priority than a lower
management IP address.
ServerIronA(config)# server peer-group 1 self-priority 16
This command sets the stateless health check priority on ServerIron A to 16, the highest priority.

Syntax: [no] server peer-group <num> self-priority <priority>


The <priority> parameter specifies the ServerIron's priority for stateless health checks. You can specify a number
from 1 (lowest) - 16 (highest). The ServerIron with the highest stateless health check priority in the group
becomes the master for stateless health checks.
To set the priority on ServerIron B, enter a command such as the following:
ServerIronB(config)# server peer-group 1 self-priority 1
This command sets the stateless health check priority on ServerIron B to 1, the lowest priority.
Possible values: See above
Default value: See above
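
The per-device rules above (list only the other members, at most four addresses per command, priority 1 - 16, no priority means no participation) are easy to get wrong by hand. The following added helper, which is not part of this manual, generates the lines for each ServerIron and predicts the master; the member address 192.168.2.9 is constructed, and breaking a partial priority tie by management IP address is an assumption, since the text only covers the case where all priorities are equal.

```python
import ipaddress

MAX_ADDRS_PER_COMMAND = 4    # "up to four addresses with the command"
MAX_PEER_ADDRS = 16          # "up to 16 ServerIron management IP addresses"
GROUP_IDS = range(1, 17)     # group ID 1 - 16
PRIORITIES = range(1, 17)    # 1 (lowest) - 16 (highest)


def peer_group_commands(group_id, members, self_ip):
    """Return the 'server peer-group' lines to enter on the ServerIron at self_ip.

    members maps management IP address -> priority, or None when no priority
    is set (that ServerIron does not participate in stateless health checking).
    """
    if group_id not in GROUP_IDS:
        raise ValueError("group ID must be 1 - 16")
    if self_ip not in members:
        raise ValueError("self_ip is not a member of the group")
    # Never list the ServerIron's own management address.
    others = sorted((ip for ip in members if ip != self_ip),
                    key=ipaddress.IPv4Address)
    if len(others) > MAX_PEER_ADDRS:
        raise ValueError("too many peer addresses")
    lines = []
    for i in range(0, len(others), MAX_ADDRS_PER_COMMAND):
        chunk = others[i:i + MAX_ADDRS_PER_COMMAND]
        lines.append("server peer-group %d %s" % (group_id, " ".join(chunk)))
    priority = members[self_ip]
    if priority is not None:
        if priority not in PRIORITIES:
            raise ValueError("priority must be 1 - 16")
        lines.append("server peer-group %d self-priority %d" % (group_id, priority))
    return lines


def elect_master(members):
    """Return the management IP of the expected master, or None.

    Highest priority wins; equal priorities fall back to the higher management
    IP address (assumed to apply to partial ties as well).
    """
    participants = {ip: p for ip, p in members.items() if p is not None}
    if not participants:
        return None
    return max(participants,
               key=lambda ip: (participants[ip], ipaddress.IPv4Address(ip)))


# Constructed group: 192.168.3.9 and 192.168.4.9 appear in the example above,
# 192.168.2.9 is made up; the third member has no priority configured.
SAMPLE_GROUP = {"192.168.2.9": 16, "192.168.3.9": 1, "192.168.4.9": None}

if __name__ == "__main__":
    for ip in SAMPLE_GROUP:
        print(ip, peer_group_commands(1, SAMPLE_GROUP, ip))
    print("expected master:", elect_master(SAMPLE_GROUP))
```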

server ping-interval
In a client server environment, if a server does not respond within five seconds to active traffic, then that server will
be marked suspect and the switch will send out a ping to the server. The number of times the server is pinged by
the switch is defined by the server ping-retries command. The interval between the pings is defined by this
command, the server ping-interval.
This command is used in conjunction with the server load balancing feature on the ServerIron switch.
EXAMPLE:
To modify the interval between ping retries to 8 seconds from the default value of 2 seconds, enter the following
command:
ServerIron(config)# server ping-interval 8

Syntax: server ping-interval <value>


Possible values: 1 - 10 seconds
Default value: 2 seconds

server ping-retries
This command configures how many times the server is pinged before the server is placed in a failed state. Possible
values are between 2 and 10 with a default value of 4.
This command is used in conjunction with the server load balancing feature on the ServerIron switch.
EXAMPLE:
To change the number of times a switch pings a server before declaring the server down from the default
value of 4 to a value of 7, enter the following command:

ServerIron(config)# server ping-retries 7

Syntax: server ping-retries <value>


Possible values: 2 - 10 retries
Default value: 4 retries

server policy-hash-acl
Overrides the global hash mask for all traffic that matches the source and destination information in the specified
ACL.
EXAMPLE:
ServerIron(config)# access-list 100 permit ip any 192.168.1.16 0.0.0.15
ServerIron(config)# access-list 100 permit ip any 192.168.2.0 0.0.0.255
ServerIron(config)# access-list 100 permit ip any 192.168.3.192 0.0.0.63
ServerIron(config)# access-list 100 permit ip any 192.168.4.0 0.0.0.255
ServerIron(config)# access-list 100 permit ip any 192.168.3.160 0.0.0.31
ServerIron(config)# access-list 100 permit ip any 192.168.3.0 0.0.0.127
ServerIron(config)# access-list 100 permit ip any 64.129.1.0 0.0.0.255
ServerIron(config)# server fw-group-2
ServerIron(config-tc-2)# hash-mask 255.255.255.255 0.0.0.0
ServerIron(config-tc-2)# policy-hash-acl 100 255.255.255.255 255.255.255.255
In this example, FWLB will use the hash mask 255.255.255.255 0.0.0.0 for all traffic except the traffic that
matches ACL 100.

Syntax: [no] server policy-hash-acl <acl-id> <src-mask> <dst-mask>


This command overrides the global hash mask for all traffic that matches the source and destination information in
the specified ACL.
The <acl-id> parameter specifies a standard or extended ACL. Configure each entry in the ACL to permit the
addresses for which you want to override the global hash mask.
The <src-mask> parameter specifies the source mask.
The <dst-mask> parameter specifies the destination mask.
Possible values: See above
Default value: N/A; the global hash values are used
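
Whether a destination gets the override or the global hash mask depends on how the wildcard masks in ACL 100 expand. The following added check, which is not part of this manual, expands the seven entries from the example above and reports the covered ranges; it assumes the usual inverse-mask convention (a 0 bit in the wildcard must match) and contiguous wildcards for the range report.

```python
import ipaddress

# Destination entries of ACL 100, copied from the example: (address, wildcard mask).
ACL_100 = [
    ("192.168.1.16", "0.0.0.15"),
    ("192.168.2.0", "0.0.0.255"),
    ("192.168.3.192", "0.0.0.63"),
    ("192.168.4.0", "0.0.0.255"),
    ("192.168.3.160", "0.0.0.31"),
    ("192.168.3.0", "0.0.0.127"),
    ("64.129.1.0", "0.0.0.255"),
]
# Mask pairs exactly as entered in the example, in the order typed.
GLOBAL_HASH_MASK = ("255.255.255.255", "0.0.0.0")              # hash-mask line
OVERRIDE_HASH_MASK = ("255.255.255.255", "255.255.255.255")    # policy-hash-acl line


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def acl_matches(dst, acl=ACL_100):
    """True if dst matches any permit entry (the source is 'any' in every entry)."""
    d = to_int(dst)
    for base, wildcard in acl:
        care = ~to_int(wildcard) & 0xFFFFFFFF   # bits that must be equal
        if (d & care) == (to_int(base) & care):
            return True
    return False


def hash_mask_for(dst):
    """Mask pair FWLB would use for traffic to dst under the example config."""
    return OVERRIDE_HASH_MASK if acl_matches(dst) else GLOBAL_HASH_MASK


def covered_ranges(acl=ACL_100):
    """Merged (first, last) destination ranges matched by the ACL."""
    spans = []
    for base, wildcard in acl:
        wc = to_int(wildcard)
        if wc & (wc + 1):
            raise ValueError("non-contiguous wildcard: %s" % wildcard)
        first = to_int(base) & ~wc & 0xFFFFFFFF
        spans.append((first, first | wc))
    merged = []
    for first, last in sorted(spans):
        if merged and first <= merged[-1][1] + 1:
            # Overlapping or adjacent: extend the previous range.
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in merged]


if __name__ == "__main__":
    for first, last in covered_ranges():
        print("override mask applies to", first, "-", last)
    print("192.168.3.130 ->", hash_mask_for("192.168.3.130"))
```

The range report shows that 192.168.3.128 through 192.168.3.159 is not matched by any entry, so traffic to those addresses keeps the global hash mask.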

server port
Configures a port profile for a TCP/UDP port. The port profile globally defines the following attributes for the port.
NOTE: For additional information, see the "Configuring a Port Profile" section in the "Configuring Port and Health
Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.

Table 6.1: Port Profile Attributes

Attribute: Port type (TCP or UDP)
Description: This attribute applies only to ports for which the ServerIron does not already
know the type. For example, if a real server uses port 8080 for HTTP (a TCP
port), you can globally identify 8080 as a TCP port. The ServerIron assumes that
ports for which it does not know the type are UDP ports.
Note: To display a list of the ports for which the ServerIron already knows the type,
enter the server port ? command at the global CONFIG level of the CLI.

Attribute: Keepalive interval and retries
Description: The number of seconds between health checks and the number of times the
ServerIron re-attempts a health check to which the server does not respond. You
can specify from 2 - 120 seconds for the interval. You can specify from 1 - 5
retries.

Attribute: Keepalive state
Description: Whether the ServerIron's health check for the port is enabled or disabled.
Recurring Layer 4 and Layer 7 health checks are disabled by default. When you
configure a port profile, the software automatically globally enables the health
check for the application. You also can explicitly disable or re-enable the
keepalive health check at this level.
Note: If you are configuring a port profile for a port that is known to the
ServerIron, the keepalive parameters affect Layer 7 health checks. For other
ports, the keepalive parameters affect Layer 4 health checks.

Attribute: Keepalive port
Description: By default, the ServerIron bases the health of an application port on the port
itself. You can specify a different application port for the health check. In this
case, the ServerIron bases the health of an application port on the health of the
other port you specify.
Note: You cannot base the health of a port well-known to the ServerIron on the
health of another port, whether the port is well-known or not well-known.

Attribute: Source of health for alias port
Description: By default, the ServerIron performs independent health checks on an alias port
and its master port. You can configure the ServerIron to base the health of an
alias port on the state of its master port.

Attribute: TCP or UDP age
Description: The number of minutes a TCP or UDP session table entry can remain inactive
before the ServerIron times out the entry. This parameter is set globally for all
TCP or UDP ports but you can override the global setting for an individual port by
changing that port's profile. You can set the TCP or UDP age from 2 - 60
minutes. The default TCP age is 30 minutes. The default UDP age is five
minutes.
Note: Since UDP is a connectionless protocol, the ServerIron does not remove a
UDP session from its session table until the session times out. TCP is a
connection-based protocol. Thus, for TCP sessions, the ServerIron removes the
session as soon as the client or server closes the session.

Attribute: Session synchronization
Description: In Symmetric SLB configurations, this attribute provides failover for individual
sessions on the application port. Normally, existing sessions are not carried over
from one ServerIron to another during failover.

Attribute: Connection logging
Description: You can enable logging for session table entries created for this port.

Attribute: Slow start
Description: Configures the ServerIron to control the rate of new connections to the
application port to allow the server to ramp up.

Attribute: Smooth factor
Description: If you plan to use server response time as a load-balancing method, you can
adjust the amount of preference the ServerIron gives the most recent response
time compared to the previous response time.

Attribute: Server cluster support
Description: Configures the ServerIron to stop sending requests to a server when the
requested application is down on the server. This feature is useful for server
cluster applications such as NFS.

EXAMPLE:
To add port 8080 and specify that it is a TCP port, enter the following command:

ServerIron(config)# server port 8080
ServerIron(config-port-8080)# tcp

Syntax: server port <tcp/udp-portnum>


Syntax: tcp | udp [keepalive [<interval> <retries>]]
Syntax: tcp | udp [keepalive [disable | enable]]
Possible values: see above
Default values: interval 5, retries 2
If you do not specify the port type (TCP or UDP), the ServerIron assumes that the port type is UDP.
EXAMPLE:
To override the default TCP age and set the age for TCP port 80 to 15 minutes, enter the following commands:
ServerIron(config)# server port 80
ServerIron(config-port-80)# tcp 15

Syntax: server port <tcp/udp-portnum>


Syntax: tcp | udp <2-60>
Possible values: 2 - 60 minutes
Default values: 30 minutes for TCP; 5 minutes for UDP
EXAMPLE:
To change the HTTP (TCP port 80) keepalive interval to 15 seconds and the retries to 5, enter the following
commands:
ServerIron(config)# server port 80
ServerIron(config-port-80)# tcp keepalive 15 5

Syntax: server port <tcp/udp-portnum>


Syntax: tcp | udp keepalive <interval> <retries>
Possible values: You can specify from 2 - 120 seconds for the interval. You can specify from 1 - 5 retries.
Default values: interval 5; retries 2
EXAMPLE:
To enable session synchronization for port 80, enter the following commands:
ServerIron(config)# server port 80
ServerIron(config-port-80)# session-sync

Syntax: [no] server port <tcp/udp-portnum>


Syntax: [no] session-sync
In Symmetric SLB configurations, if the active ServerIron becomes unavailable, service for the VIPs that
ServerIron was load balancing is assumed by the backup ServerIron. By default, open sessions on the ServerIron
that becomes unavailable are not carried over to the standby ServerIron. Instead, the sessions end and must be
re-established by the clients or servers.
You can configure session failover on an individual TCP or UDP port basis by enabling session synchronization in
the port's profile.
EXAMPLE:
You can configure the ServerIron to base the health of a port that is not well-known to the ServerIron on the health
of one of the following ports that are well-known to the ServerIron:

DNS - the well-known name for port 53

FTP - the well-known name for port 21. (Ports 20 and 21 both are FTP ports but on the ServerIron, the name
FTP corresponds to port 21.)

HTTP - the well-known name for port 80

IMAP4 - the well-known name for port 143

LDAP - the well-known name for port 389

POP3 - the well-known name for port 110

NNTP - the well-known name for port 119

SMTP - the well-known name for port 25

TELNET - the well-known name for port 23

To base a port's health on the health of another port, enter a command such as the following:
ServerIron(config-port-1234)# tcp keepalive port 80

Syntax: tcp | udp keepalive port <TCP/UDP-portnum>


The command in this example configures the ServerIron to base the health of port 1234 on the health of port 80
(HTTP). If the health of port 80 changes, the ServerIron applies the change to port 1234.
NOTE: You cannot base the health of a port well-known to the ServerIron on the health of another port, whether
the port is well-known or not well-known.
EXAMPLE:
To configure an unknown TCP port to use the Layer 7 health check for a well-known TCP application, enter
commands such as the following:
ServerIron(config)# server port 999
ServerIron(config-port-999)# tcp keepalive protocol smtp
These commands configure port profile parameters for port 999. The second command in the example makes the
port a TCP port and assigns the SMTP Layer 7 health check to the port.

Syntax: [no] server port <TCP-portnum>


Syntax: [no] tcp keepalive protocol <TCP-port>
The protocol <TCP-port> parameter specifies the type of Layer 7 health check you want to use for the port. You can
specify one of the following:

ftp or 21

imap4 or 143

ldap or 389

pop3 or 110

smtp or 25

telnet or 23

EXAMPLE:
To configure an unknown UDP port to use a DNS Layer 7 health check, enter commands such as the following:
ServerIron(config)# server port 999
ServerIron(config-port-999)# udp keepalive protocol dns

Syntax: server port <UDP-portnum>


Syntax: udp keepalive protocol <UDP-port>
The protocol <UDP-port> parameter specifies the type of Layer 7 health check you want to use for the port. You can
specify dns or 53.

EXAMPLE:
You can globally disable a Layer 4 port on the ServerIron. The port can be disabled for all real servers, all virtual
servers or all real and virtual servers. After you disable a port globally, you can enable the port on individual real
or virtual servers as necessary. By default, all real and virtual ports are enabled.
When the ServerIron is booted, if the command to globally disable a real or virtual port exists in the startup-config
file, the specified port is disabled at startup. When a real or virtual port is created, and the port has been disabled
globally, the real or virtual port is disabled as well. You must enable the port explicitly.
To disable all real HTTP ports:
ServerIron(config)# server port 80
ServerIron(config-port-http)# disable real
ServerIron(config-port-http)#
To disable all virtual HTTP ports:
ServerIron(config)# server port 80
ServerIron(config-port-http)# disable virtual
ServerIron(config-port-http)#
To disable all real and virtual HTTP ports:
ServerIron(config)# server port 80
ServerIron(config-port-http)# disable
ServerIron(config-port-http)#

Syntax: disable [real | virtual]


EXAMPLE:
To configure an alias port's health to be based on its master port's health, edit the alias port's profile by entering
commands such as the following:
ServerIron(config)# server port 8080
ServerIron(config-port-8080)# tcp keepalive use-master-state

Syntax: [no] tcp keepalive use-master-state


NOTE: You can base an alias port's health on the health of a TCP port that is well-known to the ServerIron. You
cannot base an alias port's health on the health of a UDP port or a port that is not well-known to the ServerIron.
NOTE: The health checks for the alias ports must be enabled. Otherwise, the ServerIron will not check the
master port's state, and the alias port will not go down when the master port goes down.
EXAMPLE:
NOTE: This section applies only to the ServerIron 400 and ServerIron 800.
To configure the ServerIron to stop sending requests to a real server for an application that is down on the server,
enter the following command at the configuration level for the port's profile:
ServerIron(config-port-80)# reset-port-on-reset

Syntax: [no] reset-port-on-reset


By default, if an application on a real server becomes unavailable but the real server itself is still up, the ServerIron
continues to include the real server in its load balancing decisions for the application. For example, if the HTTP
application on a real server stops responding to Layer 4 health checks but the real server continues to respond to
Layer 3 health checks (IP pings) from the ServerIron, the ServerIron continues to forward HTTP requests to the
real server.
In some configurations, such as those that use a cluster of servers for an application, you might want to configure
the ServerIron to stop sending requests to a server when the requested application is down on the server. For
example, this feature is useful in an NFS configuration.

When you enable this feature, the ServerIron does one of the following in addition to redirecting future requests
away from the real server:

UDP - For an unavailable UDP application, the ServerIron terminates the connection.

TCP - For an unavailable TCP application, the ServerIron resets the connection.

Possible values: See above


Default values: See above

server predictor
This command is used to select the load-balancing method. By default, the least connections method is enabled.
EXAMPLE:
To change the server load-balancing method from the default value of least connections to the round-robin
method, enter the following:
ServerIron(config)# server predictor round-robin

Syntax: [no] server predictor least-conn | response-time | round-robin | weighted


Possible values: See above
Default value: least-conn
NOTE: When you assign the weighted percentage metric, you must configure both the virtual and real servers
involved. Each real server is assigned a weight from 0 - 64000.

server real-name
This command assigns a name and IP address to the real server. The server name is used to bind the server IP
address, so that the real server name can be used to represent the server. The server name can be any
alphanumeric string of up to 32 characters.
This command is used in conjunction with the server load balancing feature on the ServerIron switch.
NOTE: Use this command only if the server is attached to the ServerIron at Layer 2. If the server is attached
through one or more router hops, use the server remote-name command instead. See server remote-name on
page 6-79.
EXAMPLE:
ServerIron(config)# server real-name Wolalak_Wuwanich 192.168.1.159

Syntax: server real-name <text> <ip-addr>


Possible values: a string up to 32 alphanumeric characters long
Default value: N/A

server reassign-threshold
This command modifies the number of contiguous unacknowledged TCP SYN ACKs the ServerIron allows to
accumulate for a real server, before determining that the server is down and marking it FAILED.
If the server responds to a TCP SYN, the counter returns to zero.
EXAMPLE:
ServerIron(config)# server reassign-threshold 215

Syntax: server reassign-threshold <6-254>


Possible values: 6 - 254
Default value: 20

server remote-name
This command assigns a name and IP address to a remote real server. When you add a real server using the
server remote-name command instead of the server real-name command, the ServerIron does not include the
server in the predictor (load-balancing method). Instead, the ServerIron sends traffic to the remote server only if
all local real servers (added using the server real-name command) are unavailable.
The server name is used to bind the server IP address, so that the real server name can be used to represent the
server. The server name can be any alphanumeric string of up to 32 characters.
This command is used in conjunction with the Server Load Balancing feature on the ServerIron switch.
NOTE: Use this command only if the server is attached through one or more router hops. If the server is
attached to the ServerIron at Layer 2, use the server real-name command instead. See server real-name on
page 6-78.
EXAMPLE:
ServerIron(config)# server remote-name webfailover 209.157.22.37

Syntax: server remote-name <text> <ip-addr>


Possible values: N/A
Default value: N/A

server response-time
Globally configures response-time warning and shutdown thresholds for all real servers.
You can specify a warning threshold and a shutdown threshold:

Warning - If an application's average response time is longer than the number of milliseconds of the warning
threshold, the software generates a Syslog message and an SNMP trap.

Shutdown - If an application's average response time is longer than the number of milliseconds of the
shutdown threshold, the software generates a Syslog message and an SNMP trap and also shuts down the
application port on the real server. Other application ports on the real server are not affected.

By default, a real server does not have a warning threshold or a shutdown threshold. For each threshold, you can
specify a threshold value from 0 (disabled) - 65535 milliseconds (65 seconds).
You can configure one or both thresholds globally or on an individual real server basis. The thresholds configured
on an individual real server override the globally configured thresholds. After bringing down the application port,
the ServerIron periodically attempts to reach the port and brings the port back up once the port responds. For
information, see the "Application Port States" section in the "Configuring Port and Health Check Parameters"
chapter of the Foundry ServerIron Installation and Configuration Guide.
NOTE: This feature requires the Layer 4 and Layer 7 health checks to be enabled. If the health checks are not
enabled, the ServerIron does not apply the response thresholds you configure.
NOTE: This feature applies only to TCP ports.
EXAMPLE:
ServerIron(config)# server response-time 200 300
The command in this example configures the ServerIron to generate a warning message for an application port if
its average response time is longer than 200 milliseconds. The command also configures the ServerIron to shut
down a port if its average response time is longer than 300 milliseconds.

Syntax: [no] server response-time <warning-threshold> [<shutdown-threshold>]


The <warning-threshold> parameter specifies the average number of milliseconds within which an application port
must respond to avoid a warning message. You can specify from 0 - 65535 milliseconds (65 seconds). There is
no default. If you specify 0, the warning threshold is disabled.

The <shutdown-threshold> parameter specifies the average number of milliseconds within which an application
port must respond to avoid being shut down. You can specify from 0 - 65535 milliseconds (65 seconds). There is
no default. If you specify 0, the shutdown threshold is disabled.
If you want the ServerIron to generate a warning message but you do not want the ServerIron to shut down an
application port, configure the warning threshold but not the shutdown threshold. Here is an example:
ServerIron(config)# server response-time 100
To set the shutdown threshold without also setting a warning threshold, enter 0 for the warning threshold, as
shown in the following example:
ServerIron(config)# server response-time 0 300
Possible values: 0 - 65535 milliseconds (65 seconds)
Default value: not configured

server reverse-nat
This command enables Reverse NAT. Reverse NAT allows the ServerIron to change the source IP address of
some traffic initiated by a real server. Specifically, the feature causes the ServerIron to change the source IP
address for traffic that the real server initiates on TCP or UDP ports that are bound to a VIP.
By default, the ServerIron does not perform address translation for any traffic initiated by the real server. However,
if you enable Reverse NAT, the ServerIron does perform address translation for connections that the server
initiates on ports that are bound to a VIP on the ServerIron.
Reverse NAT works with any port number you use for binding the real server to the VIP. However, TCP and UDP
traffic initiated by a real server usually uses a port that is chosen by the server when the traffic is sent. As a result,
it is not easy to predict the port numbers the real server will use. You can ensure that the ServerIron translates the
source address of the traffic by binding the real server to a VIP using the default port. For example, if you
configure VIP1 and bind it to real server RS1 using the default port, the ServerIron translates the source IP
address in all TCP and UDP traffic initiated by RS1 from the real server's IP address into the VIP address.
Even when Reverse NAT is enabled, the ServerIron does not translate the source address for traffic that the real
server initiates over ports that are not bound to a VIP.
If you bind a real server to more than one VIP, the ServerIron will use the address of the VIP that is bound to the
server using the default port. For example, if you bind a real server to VIP1 using TCP port 80 and bind the same
server to VIP2 using the default port, the ServerIron always uses VIP2 for Reverse NAT.
NOTE: Reverse NAT does not affect reply traffic from the server. The feature applies only to traffic initiated by
the server. In addition, the feature applies only to traffic on the TCP and UDP ports that are used to bind the real
server to a VIP configured on the ServerIron. If the real server and VIP are bound using the default port, Reverse
NAT applies to all TCP and UDP traffic initiated by the server.
Reverse NAT is disabled by default. If you need to enable reverse NAT, use one of the following methods.
EXAMPLE:
ServerIron(config)# server real-name RS1 10.10.10.1
ServerIron(config-rs-RS1)# port http
ServerIron(config-rs-RS1)# exit
ServerIron(config)# server virtual-name VIP1 192.168.1.10
ServerIron(config-vs-VIP1)# bind http RS1 http
ServerIron(config-vs-VIP1)# exit
ServerIron(config)# server virtual-name VIP2 192.168.1.69
ServerIron(config-vs-VIP2)# bind default RS1 default
ServerIron(config-vs-VIP2)# exit
ServerIron(config)# server reverse-nat
The commands in this example create real server RS1 and VIPs VIP1 and VIP2. VIP1 is bound to RS1 using TCP
port 80 (HTTP). VIP2 is bound to RS1 using the default port. When RS1 initiates TCP or UDP traffic, the
ServerIron translates the source IP address from 10.10.10.1 to 192.168.1.69. The ServerIron uses VIP2's IP
address instead of VIP1's IP address for Reverse NAT because VIP2 is bound using the default port.

Syntax: [no] server reverse-nat


Possible values: N/A
Default value: disabled
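
The following Python model is an added illustration, not Foundry code. It applies the Reverse NAT rules stated above to the manual's RS1/VIP1/VIP2 bindings and lists the ports on which server-initiated traffic would still leave with the real server's address. The function names and the HTTP_ONLY variant are hypothetical, and the model assumes the "port" in question is the port the server-initiated traffic uses.

```python
from dataclasses import dataclass
from typing import List, Union

DEFAULT = "default"  # port keyword from "bind default RS1 default"


@dataclass(frozen=True)
class Binding:
    vip_name: str
    vip_addr: str
    real_server: str
    port: Union[int, str]  # bound port number, or DEFAULT


def reverse_nat_source(bindings: List[Binding], enabled: bool,
                       real_server: str, real_addr: str, port: int) -> str:
    """Source address on traffic that real_server initiates on the given port."""
    if not enabled:
        return real_addr                  # Reverse NAT is disabled by default
    mine = [b for b in bindings if b.real_server == real_server]
    for b in mine:                        # a default-port binding covers all TCP/UDP
        if b.port == DEFAULT:             # traffic and takes precedence over other VIPs
            return b.vip_addr
    for b in mine:                        # otherwise only explicitly bound ports
        if b.port == port:
            return b.vip_addr
    return real_addr                      # unbound port: no translation


def exposed_ports(bindings, enabled, real_server, real_addr, ports):
    """Ports on which server-initiated traffic still carries the real address."""
    return [p for p in ports
            if reverse_nat_source(bindings, enabled, real_server, real_addr, p)
            == real_addr]


# The manual's example: VIP1 bound on HTTP (80), VIP2 bound on the default port.
PAGE_BINDINGS = [
    Binding("VIP1", "192.168.1.10", "RS1", 80),
    Binding("VIP2", "192.168.1.69", "RS1", DEFAULT),
]
# Constructed variant: the same server without the default-port binding.
HTTP_ONLY = PAGE_BINDINGS[:1]

if __name__ == "__main__":
    for p in (80, 53, 40000):
        print(p, reverse_nat_source(PAGE_BINDINGS, True, "RS1", "10.10.10.1", p))
    print("untranslated:", exposed_ports(HTTP_ONLY, True, "RS1", "10.10.10.1",
                                         [80, 53, 40000]))
```

With only the HTTP binding, traffic the server initiates on any other port keeps its 10.10.10.1 source address, which is why the manual recommends the default-port binding.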

server router-ports
This command is used to identify ports on a ServerIron switch that are connected to a router. Use this command
when multiple ports on the switch are attached to routers.
This command is used in conjunction with the SLB feature on the ServerIron switch.
NOTE: The command is not supported on Foundry Layer 3 Switches.
EXAMPLE:
ServerIron(config)# server router-ports 8

Syntax: server router-ports <1-26>


Possible values: N/A
Default value: N/A

server session-id-age
This command is used in conjunction with the SSL session ID switching feature on the ServerIron. By default, the
ServerIron keeps the entry associating an SSL session ID with a real server in its database for 30 minutes. After
30 minutes, the entry ages out of the database. Use this command to change the length of time the ServerIron
keeps the entry in the database.
EXAMPLE:
To change the aging period to 10 minutes:
ServerIron(config)# server session-id-age 10

Syntax: server session-id-age <minutes>


Possible values: 2 - 60 minutes
Default value: 30 minutes

server session-limit
This command is used to limit the maximum number of active sessions allowed on a ServerIron. An active
session is a session entry in the ServerIron's session table. Thus, a UDP or TCP session that has become idle
but has not yet timed out (according to the UDP or TCP age timer) is an active session in this table.
NOTE: This command applies only to SLB and is not supported on Foundry Layer 3 Switches.
EXAMPLE:
ServerIron(config)# server session-limit 550000

Syntax: server session-limit <value>


Possible values: The <value> for ServerIron 400 and ServerIron 800 systems can be from 32,768 - 2,000,000.
On 32M ServerIron systems, the <value> can be from 32,768 - 1,000,000. On 8M ServerIron systems, the
<value> can be from 32,768 - 160,000.
Default value: for 32MB systems: 524,288; for 8MB systems: 131,072.

server slb-fw
Enables SLB-to-FWLB. For information, see the Foundry ServerIron Firewall Load Balancing Guide.
EXAMPLE:
ServerIronB(config)# server slb-fw

Syntax: [no] server slb-fw


Possible values: N/A
Default value: Disabled

server source-ip
Adds an IP address to the ServerIron for use by the real servers as their default gateway address. Source IP
addresses, when used with the source NAT feature, enable you to place the ServerIron in a multinetted
environment.
You can configure up to 64 source IP addresses on a ServerIronXL running software release 07.3.00 or later. You
can configure up to 40 source IP addresses on other models running 07.1.x or 07.2.x software.
NOTE: If you are configuring a pair of ServerIrons for hot-standby (active-standby) and you want to use the same
source IP address as the real servers' default gateway on each ServerIron, use the server source-standby-ip
command instead. See server source-standby-ip.
EXAMPLE:
ServerIron(config)# server source-ip 209.157.22.28 255.255.255.0 209.157.22.1

Syntax: [no] server source-ip <ip-addr> <ip-mask> <default-gateway>


NOTE: The gateway parameter is required. If you do not want to specify a gateway, enter "0.0.0.0".
Possible values: See above
Default value: N/A

server source-nat
Enables the ServerIron to change the source IP address for traffic the ServerIron forwards to a real server. When
source NAT is enabled, the ServerIron translates the source IP address from the clients into a source IP address
you have configured.
Source NAT is disabled by default.
NOTE: If you are configuring a pair of ServerIrons for hot-standby (active-standby) and you want to use the same
source IP address on each ServerIron, use the server source-nat-ip command instead. See server source-nat-ip.
EXAMPLE:
ServerIron(config)# server source-nat

Syntax: [no] server source-nat


Possible values: N/A
Default value: Disabled

server source-nat-ip
In a hot-standby (active-standby) SLB configuration, configures a shared source IP address for NAT. Enter the
same command with the same source IP address on each of the ServerIrons. The address is active only on one
ServerIron (the ServerIron that is currently active) at a time.
NOTE: This command applies only to hot-standby (active-standby) configurations.
NOTE: If you are configuring a shared source IP address for use by the real servers as their default gateway, use
the server source-standby-ip command instead. See server source-standby-ip.

EXAMPLE:
Enter the following command on each ServerIron in the active-standby pair.
ServerIron(config)# server source-nat-ip 10.10.10.5 255.255.255.0 0.0.0.0

Syntax: [no] server source-nat-ip <ip-addr> <ip-mask> <default-gateway>


NOTE: The gateway parameter is required. If you do not want to specify a gateway, enter "0.0.0.0".
Possible values: See above
Default value: Disabled

server source-standby-ip
In a hot-standby (active-standby) SLB configuration, configures a shared source IP address for use by the real
servers as their default gateway. Enter the same command with the same source IP address on each of the
ServerIrons. The address is active only on one ServerIron (the ServerIron that is currently active) at a time.
NOTE: This command applies only to hot-standby (active-standby) configurations.
NOTE: If you are configuring a shared source IP address for NAT, use the server source-nat-ip command
instead. See server source-nat-ip.
EXAMPLE:
Enter the following command on each ServerIron in the active-standby pair.
ServerIron(config)# server source-standby-ip 10.10.10.5 255.255.255.0 0.0.0.0

Syntax: [no] server source-standby-ip <ip-addr> <ip-mask> <default-gateway>


NOTE: The gateway parameter is required. If you do not want to specify a gateway, enter "0.0.0.0".
Possible values: See above
Default value: Disabled

server sticky-age
This command is used in conjunction with the SLB on the ServerIron switch. It allows you to modify the aging out
parameter for inactive sticky server connections.
Sticky connections are defined on the virtual server port of a ServerIron for those instances when sequential
TCP/UDP port connections must be serviced by the same server.
EXAMPLE:
To set a sticky age of 25 minutes, enter the following:
ServerIron(config)# server sticky-age 25

Syntax: server sticky-age <value>


Possible values: 2 - 60 minutes
Default value: 5 minutes

server sym-pdu-rate
Changes the interval and wait time for SSLB discovery packets.
A ServerIron in an SSLB configuration uses SSLB discovery packets to request SSLB information from the other
ServerIrons. SSLB discovery packets are proprietary Layer 2 broadcast packets and are sent on all ports in all
port-based VLANs.

By default, a ServerIron in an SSLB configuration sends SSLB discovery packets at 200-millisecond intervals.
The ServerIron will wait up to 20 equivalent intervals to receive an SSLB discovery packet from another
ServerIron. If the ServerIron does not receive an SSLB discovery packet from the other ServerIron within the 20
intervals, the ServerIron concludes that its partner ServerIron is unavailable and assumes control of the VIPs
being managed by that ServerIron. For example, if the interval for sending SSLB discovery packets is 200
milliseconds (the default), the ServerIron will wait 20 x 200 milliseconds (four seconds) to receive an SSLB
discovery packet from another ServerIron.
You can change the discovery interval multiplier and the wait time multiplier.

The discovery interval is equal to 200 milliseconds multiplied by the discovery interval multiplier. The default
discovery interval multiplier is 1, so the default discovery interval is 200 milliseconds. You can specify a
multiplier from 1 - 60.

The wait time interval is equal to the discovery interval multiplied by the wait time multiplier. The default wait
time multiplier is 20. Assuming the discovery interval is 200 milliseconds (the default), the default wait time is
four seconds (20 x 200 milliseconds).

NOTE: The SSLB timer affects the rate at which the ServerIron sends SSLB protocol packets to its SSLB
partners. The timer does not affect client or server traffic to or from a VIP.
NOTE: All the ServerIrons in your configuration must use the same SSLB discovery interval and wait time. If you
change the interval and wait time on one ServerIron, make the same change on all the other ServerIrons in the
SSLB configuration.
EXAMPLE:
To change the SSLB discovery interval multiplier and wait time multiplier, enter a command such as the following:
ServerIron(config)# server sym-pdu-rate 2 30
This command changes the interval at which the ServerIron sends SSLB discovery packets to once every 400
milliseconds, and changes the maximum amount of time the ServerIron will wait for an SSLB discovery packet
from another ServerIron to 12 seconds (30 x 400 milliseconds).

Syntax: [no] server sym-pdu-rate <disc-mult> <wait-time-mult>


Possible values: <disc-mult> 1 - 60; <wait-time-mult> 1 - 60
Default value: <disc-mult> 1; <wait-time-mult> 20

server syn-def
Protects against TCP SYN attacks by setting a threshold for the amount of time it takes for a connecting host to
send back an ACK packet. If this threshold is exceeded, the ServerIron removes the entry for the connection from
its session table, and a TCP RESET packet is sent to the destination real server, causing it to remove the entry
from its session table as well.
EXAMPLE:
To configure the ServerIron to remove an entry from its session table if the connection remains incomplete for 6 or
more seconds:
ServerIron(config)# server syn-def 6

Syntax: server syn-def <threshold>


Possible values: The threshold parameter can be between 0 and 16 seconds. A threshold of 0 disables this feature.
Foundry recommends a threshold above 5 seconds.
Default value: 8 seconds

server syn-limit
This command is used to limit the maximum number of TCP SYN requests on a per-second basis per server.

NOTE: This command applies only to SLB and is not supported on Foundry Layer 3 Switches.
EXAMPLE:
ServerIron(config)# server syn-limit 2000

Syntax: server syn-limit <value>


Possible values: 1 - 65535
Default value: 65535

server tcp-age
This command allows you to modify the aging out parameter for inactive TCP server connections.
If you change the TCP age, the change affects only new TCP sessions that start after you make the change. The
maximum age for sessions that are already in the session table does not change.
EXAMPLE:
To modify the server TCP age to 20 minutes from the default value of 30 minutes, enter the following command:
ServerIron(config)# server tcp-age 20

Syntax: server tcp-age <value>


Possible values: 2 - 60 minutes
Default value: 30 minutes

server transparent-vip
Enables the transparent VIP feature.
NOTE: After enabling the ServerIron for transparent VIP, you still must enable individual VIPs for the feature.
See transparent-vip on page 11-9.
EXAMPLE:
ServerIron(config)# server transparent-vip
ServerIron(config)# ip policy 1 cache tcp 80 local
ServerIron(config)# interface ethernet 1
ServerIron(config-if-1)# ip-policy 1
These commands enable transparent VIP globally for TCP port 80 (HTTP), then configure a cache redirection
policy and apply it locally to the ServerIron port(s) connected to the clients. The cache redirection policy identifies
the application port(s) on the VIP that you want to load balance.

Syntax: [no] server transparent-vip


Possible values: N/A
Default value: Disabled

server udp-age
This command allows you to modify the aging out parameter for inactive UDP server connections. Possible values
are between 2 and 60 minutes with a default value of 5 minutes.
EXAMPLE:
To modify the server UDP age to 20 minutes from the default value of 5 minutes, enter the following command:
ServerIron(config)# server udp-age 20

Syntax: server udp-age <value>


Possible values: 2 - 60 minutes
Default value: 5 minutes

server use-simple-ssl-health-check
Configures the ServerIronXL to use the SSL health check method from software releases earlier than 07.1.18.
By default, the ServerIronXL uses the following method for SSL health checks.
The ServerIron initiates an SSL connection with the server on TCP port 443, a secure link is negotiated, and
encrypted data is transferred across it. After the SSL connection is established, the ServerIron sends the SSL
server an HTTP GET or HEAD request. The GET or HEAD request specifies a page containing the URL of a
page on the server. By default, the ServerIron sends a HEAD request for the default page, 1.0, although this can
be changed with the port ssl url command.

If the server responds with an acceptable status code, the ServerIron resets the connection and marks the
port ACTIVE.

If the server does not respond, the ServerIron retries the health check up to the number of times configured
(the default is two retries). If the server still does not respond, the ServerIron marks the server port FAILED
and removes the server from the load-balancing rotation for SSL service.

All other ServerIron models use the following health check method.
The ServerIron sends an SSL client hello with the SSL SID set to 0:

If the server responds, then the ServerIron resets the connection and marks the port ACTIVE.

If the server does not respond, the ServerIron retries the health check up to the number of times configured
(the default is two retries). If the server still does not respond, the ServerIron marks the server port FAILED
and removes the server from the load-balancing rotation for SSL service.

The server use-simple-ssl-health-check command configures the ServerIronXL to also use this method.
EXAMPLE:
ServerIron(config)# server use-simple-ssl-health-check

Syntax: [no] server use-simple-ssl-health-check


Possible values: N/A
Default value: Disabled

server virtual-name
This command is used to define the virtual server name and IP address. The virtual server name can be any
alphanumeric text string of up to 32 characters.
This command is used in conjunction with the server load balancing feature on the ServerIron switch.
EXAMPLE:
ServerIron(config)# server virtual-name noi 192.168.1.10

Syntax: server virtual-name <text> [<ip-addr>]


Possible values: a string up to 32 alphanumeric characters long
Default value: N/A

server vpn-lb
Configures the ServerIron to provide FWLB for a VPN firewall such as the Check Point VPN-1 Gateway/FireWall-1. Use this command to enable VPN load balancing on the ServerIron that is on the Internet side of the firewalls.
NOTE: This command's optional parameters apply only to site-to-site VPN, not to SecureRemote-to-site VPN.
From the ServerIron's perspective, the difference between these two types of VPN is as follows:

Site-to-site VPN - All Internet Security Association and Key Management Protocol (ISAKMP) packets are
addressed to the Cluster IP address. ISAKMP is used by Check Point firewalls and is described in RFC 2408.

SecureRemote-to-site VPN - Only the first ISAKMP packet is addressed to the Cluster IP address.
Subsequent ISAKMP packets are addressed to a firewall.

EXAMPLE:
ServerIron(config)# server vpn-lb

Syntax: [no] server vpn-lb [tunnel-mode [load-balance round-robin | source-ip | spi]]


The tunnel-mode parameter enables site-to-site VPN load balancing.
The load-balance round-robin | source-ip | spi parameter specifies the load balancing method.

round-robin - Encrypted VPN traffic is load balanced in round robin fashion, regardless of source or
destination IP address. You can use this method if the firewalls are synchronized.
NOTE: When this load balancing method is used, the ServerIron does not maintain sessions for the traffic.
A session would associate a given pair of source and destination IP addresses with a specific firewall, but the
round robin method does not associate the traffic's addresses with a specific firewall.

source-ip - Encrypted VPN traffic to the firewalls is load balanced based on the source IP address of the
traffic. Once the software selects a firewall for the first packet from a given IP address, all subsequent packets
from the same address go to the same firewall. This is the default.
NOTE: In a site-to-site VPN load balancing configuration, this load balancing method can result in all the
VPN traffic going to the same firewall, since all the traffic from a given site has the same source IP address.

spi - Encrypted VPN traffic to the firewalls is load balanced based on the Security Parameter Index (SPI) of
the traffic. The SPI is a unique value associated with the tunnel between each pair of source and destination
sites or hosts. You can configure the Check Point firewalls to establish multiple tunnels to exchange traffic. If
you configure the firewalls this way, the spi option enables the ServerIron to load balance the tunnels across
multiple firewalls even though the tunnels appear to be originated by the same source IP address.

Possible values: See above


Default value: Disabled
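
The following Python simulation is an added illustration, not Foundry code. It runs one site's tunnels through the three load balancing methods to show why source-ip can pin all site-to-site traffic to one firewall while spi spreads the tunnels. The firewall names, the source address, the SPI values and the rule that a new key takes the next firewall in rotation are all assumptions made for the example; the manual does not say how the first firewall is chosen.

```python
from collections import Counter, defaultdict

FIREWALLS = ["FW1", "FW2", "FW3"]          # hypothetical firewall group
METHODS = ("round-robin", "source-ip", "spi")


def make_traffic():
    """Constructed traffic: one remote site, four tunnels, three packets each."""
    spis = [0x1001, 0x1002, 0x1003, 0x1004]
    return [{"src": "203.0.113.7", "spi": spi} for _ in range(3) for spi in spis]


class VpnBalancer:
    def __init__(self, method, firewalls):
        if method not in METHODS:
            raise ValueError("unknown method: %s" % method)
        self.method = method
        self.firewalls = list(firewalls)
        self._next = 0
        self._sessions = {}                # key -> firewall (not used by round-robin)

    def _rotate(self):
        fw = self.firewalls[self._next % len(self.firewalls)]
        self._next += 1
        return fw

    def forward(self, pkt):
        if self.method == "round-robin":
            return self._rotate()          # no session is kept for the traffic
        key = pkt["src"] if self.method == "source-ip" else pkt["spi"]
        if key not in self._sessions:      # first packet for this key picks a firewall
            self._sessions[key] = self._rotate()
        return self._sessions[key]         # later packets follow the first one


def simulate(method, traffic=None):
    """Return (packets per firewall, firewalls seen by each tunnel SPI)."""
    lb = VpnBalancer(method, FIREWALLS)
    per_fw = Counter()
    per_tunnel = defaultdict(set)
    for pkt in traffic or make_traffic():
        fw = lb.forward(pkt)
        per_fw[fw] += 1
        per_tunnel[pkt["spi"]].add(fw)
    return dict(per_fw), {spi: sorted(fws) for spi, fws in per_tunnel.items()}


if __name__ == "__main__":
    for method in METHODS:
        per_fw, per_tunnel = simulate(method)
        print(method, per_fw, per_tunnel)
```

In the round-robin run a single tunnel's packets reach every firewall, which is the reason the manual limits that method to synchronized firewalls.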

server vpn-lb-inside
Configures the ServerIron to provide FWLB for a VPN firewall such as the Check Point VPN-1 Gateway/FireWall-1. Use this command to enable VPN load balancing on the ServerIron that is on the private side of the firewalls.
EXAMPLE:
ServerIron(config)# server vpn-lb-inside

Syntax: [no] server vpn-lb-inside


Possible values: N/A
Default value: Disabled

service password-encryption
This command enables password encryption. When encryption is enabled, users cannot learn the device's
passwords by viewing the configuration file. Password encryption is enabled by default.
NOTE: Password encryption does not encrypt the password in Telnet packets sent to the device. This feature
applies only to the configuration file.
EXAMPLE:
ServerIron(config)# no service password-encryption

Syntax: [no] service password-encryption


Possible values: N/A

Default value: Enabled

show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.

snmp-client
Restricts SNMP management access to the Foundry device to the host whose IP address you specify. No other
device except the one with the specified IP address can access the Foundry device through IronView or any other
SNMP application.
If you want to restrict access from Telnet or the Web, use one or two of the following commands:

telnet client - restricts Telnet access. See telnet client on page 6-95.

web client - restricts Web access. See web client on page 6-100.

If you want to restrict all management access, you can use the commands above and the snmp-client command
or you can use the following command: all-client. See all-client on page 6-7.
EXAMPLE:
To restrict SNMP access (which includes IronView) to the Foundry device to the host with IP address
209.157.22.26, enter the following command:
ServerIron(config)# snmp-client 209.157.22.26

Syntax: [no] snmp-client <ip-addr>


Possible values: a valid IP address. You can enter one IP address with the command. You can use the
command up to ten times for up to ten IP addresses.
Default value: N/A

snmp-server community
Assigns an SNMP community string for the system. The command registers in the configuration file a user-specified
network community string and an access type of either:

read-only (public)

read-write (private)

EXAMPLE:
ServerIron(config)# snmp-server community planet1 ro

Syntax: snmp-server community <string> ro | rw


Possible values: Up to 32 alphanumeric characters for the community string.
Default value: The default read-only community string is public. There is no default read-write community
string.

snmp-server contact
Identifies a system contact. You can designate a contact name for the ServerIron and save it in the configuration
file for later reference. You can later access contact information using the show snmp server command.
EXAMPLE:
ServerIron(config)# snmp-server contact Noi Lampa

Syntax: snmp-server contact <text>


Possible values: up to 32 alphanumeric characters for the system contact text string.
Default value: N/A

snmp-server enable traps


When the command is preceded with the word no, the command is used to stop certain traps from being
generated by a system. The following SNMP Traps are collected by default: authentication key, cold-start, link-up,
link-down, new-root, topology-change, power-supply-failure and locked-address-violation.
EXAMPLE:
To stop reporting incidences of links that are down, enter the following commands:
ServerIron(config)# no snmp-server enable traps link-down

Syntax: [no] snmp-server enable traps <trap>


Possible values: trap type (for example, cold-start, new-root, etc.)
Default value: All of the following SNMP traps are enabled and will be generated by default for a system:
authentication key, cold-start, link-up, link-down, new-root, topology-change, power-supply-failure and locked-address-violation.
To disable a fan failure trap or power supply trap, use one of the following values: ps1 | ps2 | ps3 | ps4 | fan1 | fan2
| fan3 | fan4.

snmp-server enable vlan


Allows SNMP access only to clients in a specific VLAN.
EXAMPLE:
The following example configures the device to allow SNMP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.
ServerIron(config)# snmp-server enable vlan 40

Syntax: [no] snmp-server enable vlan <vlan-id>


Possible values: N/A
Default value: N/A

snmp-server host
Assigns or removes a station as an SNMP trap receiver. To assign the trap receiver, use the command:
snmp-server host. To later remove the trap receiver feature, enter no snmp-server host.
EXAMPLE:
To disable a station as an SNMP trap receiver, enter the following:
ServerIron(config)# no snmp-server host 192.22.3.33 public

Syntax: [no] snmp-server host <ip-addr> <community-string>


Possible values: IP address of trap receiver station, community string
Default value: no system default

snmp-server location
Identifies a system location for the ServerIron. This information is saved in the configuration file for later reference.
You can later access system location information using the show snmp server command.
EXAMPLE:
ServerIron(config)# snmp-server location pulchritude_lane

Syntax: snmp-server location <text>


Possible values: up to 32 alphanumeric characters for the location text string
Default value: N/A

snmp-server pw-check
Disables password checking for SNMP set requests. If a third-party SNMP management application does not add
a password to the password field when it sends SNMP set requests to a Foundry device, by default the Foundry
device rejects the request. You can disable this password checking with the no snmp-server pw-check
command.
EXAMPLE:
ServerIron(config)# no snmp-server pw-check

Syntax: [no] snmp-server pw-check


Possible values: N/A
Default value: N/A
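
The following Python check is an added illustration, not a Foundry tool. It scans configuration text for the management-plane and SYN-defense settings this chapter describes: password encryption turned off, SNMP set password checking turned off, the default "public" community, a syn-def threshold that is disabled or not above the recommended 5 seconds, and no snmp-client, all-client or snmp-server enable vlan restriction. It assumes the saved configuration lists commands in the same form they are typed at the CLI; both sample configurations and the finding names are constructed.

```python
import re

# Constructed sample configurations (assumed to mirror the CLI command form).
SAMPLE_CONFIG = """\
no service password-encryption
snmp-server community public ro
no snmp-server pw-check
server syn-def 0
server syn-limit 2000
"""

HARDENED_CONFIG = """\
snmp-server community planet1 ro
snmp-client 209.157.22.26
server syn-def 6
server syn-limit 2000
"""

# Commands this reference names for restricting SNMP or all management access.
RESTRICTING = ("snmp-client ", "all-client ", "snmp-server enable vlan ")


def audit(config_text):
    """Return (finding_id, explanation) pairs for settings the reference calls out."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    if "no service password-encryption" in lines:
        findings.append(("cleartext-passwords",
                         "passwords are readable in the configuration file"))
    if "no snmp-server pw-check" in lines:
        findings.append(("snmp-set-no-password",
                         "SNMP set requests are accepted without a password"))

    for ln in lines:
        m = re.fullmatch(r"snmp-server community (\S+) (ro|rw)", ln)
        if m and m.group(1) == "public":
            findings.append(("snmp-default-community",
                             "community string is the documented default 'public'"))
        m = re.fullmatch(r"server syn-def (\d+)", ln)
        if m:
            seconds = int(m.group(1))
            if seconds == 0:
                findings.append(("syn-def-disabled",
                                 "a threshold of 0 disables SYN defense"))
            elif seconds <= 5:
                findings.append(("syn-def-below-recommended",
                                 "threshold is not above the recommended 5 seconds"))

    if not any(ln.startswith(RESTRICTING) for ln in lines):
        findings.append(("snmp-unrestricted",
                         "no snmp-client, all-client or SNMP VLAN restriction"))
    return findings


def finding_ids(config_text):
    return [fid for fid, _ in audit(config_text)]


if __name__ == "__main__":
    for fid, why in audit(SAMPLE_CONFIG):
        print("%-28s %s" % (fid, why))
```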

snmp-server trap-source
Specifies a port or virtual interface whose first configured IP address the Foundry device must use as the source
for all SNMP traps sent by the device.
EXAMPLE:
ServerIron(config)# snmp-server trap-source ethernet 4

Syntax: snmp-server trap-source ethernet <portnum> | ve <num>


Possible values: The ethernet <portnum> parameter specifies a physical port on the device. Alternatively, you
can specify a virtual interface using the ve <num> parameter, where <num> is the number of a virtual interface
configured on the device.
Default value: N/A

snmp-server view
Configures an SNMP view. You can use an SNMP view as an argument with other commands.
SNMP views are named groups of MIB objects that can be associated with user accounts to allow limited access
for viewing and modification of SNMP statistics and system configuration. SNMP views can also be used with
other commands that take SNMP views as an argument. SNMP views reference MIB objects using object names,
numbers, wildcards, or a combination of the three. The numbers represent the hierarchical location of the object
in the MIB tree. You can reference individual objects in the MIB tree or a subset of objects from the MIB tree.
NOTE: The snmp-server view command supports the MIB objects as defined in RFC 1445.
EXAMPLE:
To add an SNMP view, use the following CLI method:
ServerIron(config)# snmp-server view Maynes system included
ServerIron(config)# snmp-server view Maynes system.2 excluded
ServerIron(config)# snmp-server view Maynes 2.3.*.6
ServerIron(config)# write mem

Syntax: [no] snmp-server view <name> <mib_tree> included | excluded


The <name> parameter can be any alphanumeric name you choose to identify the view. The names cannot
contain spaces.
The <mib_tree> parameter is the name of the MIB object or family. MIB objects and MIB sub-trees can be
identified by name or by the numbers representing the position of the object or sub-tree in the MIB hierarchy. You
can use a wildcard (*) in the numbers to specify a sub-tree family.
The included | excluded parameter specifies whether the MIB objects identified by the <mib_tree> parameter
are included in the view or excluded from the view.
To delete a view, use the no parameter before the command.
Possible values: See above

Default value: N/A

sntp poll-interval
This parameter sets how often clock updates are requested from an SNTP server.
EXAMPLE:
To configure the ServerIron to poll for clock updates from an SNTP server every 15 minutes, enter the following:
ServerIron(config)# sntp poll-interval 900

Syntax: sntp poll-interval <1-65535>


Possible values: 1 - 65535 seconds
Default value: 1800 seconds

sntp server
This command allows you to define the SNTP server that will be used for clock synchronization for the ServerIron.
You can either enter the SNTP server's IP address or its hostname.
Up to three SNTP server entries can be defined.
EXAMPLE:
To define the SNTP server (IP address 192.1.4.69) that will be polled by the ServerIron for time updates, enter:
ServerIron(config)# sntp server 192.1.4.69

Syntax: sntp server <ip-addr> | <hostname> [<version>]


The <version> parameter specifies the SNTP version the server is running and can be from 1 - 4. The default
is 1. You can configure up to three SNTP servers by entering three separate sntp server commands.
Possible values: See above.
Default value: N/A

spanning-tree
Enables or disables (no) Spanning Tree on the switch. This change can be viewed by the show spanning tree
command.
For switches, this feature is enabled by default.
For routers, this feature is disabled by default.
To disable this feature, enter no spanning-tree. To later re-enable spanning tree on the router, enter spanning-tree.
EXAMPLE:
To disable spanning tree, enter the following:
ServerIron(config)# no spanning-tree
EXAMPLE:
To enable spanning tree, enter the following:
ServerIron(config)# spanning-tree

Syntax: [no] spanning-tree


Possible values: N/A
Default value: Enabled on switches. Disabled on routers.

spanning-tree <parameter>
Spanning Tree bridge and port parameters are configurable using one CLI command. When no port-based
VLANs are active on the system, spanning tree parameters are set at the Global CONFIG Level.

When port-based VLANs are active on the system, spanning tree protocol bridge and port parameters can be
configured globally at the VLAN Level. Additionally, you can disable or enable STP on an interface basis.
NOTE: If VLANs are active on a switch or router, spanning-tree will not be seen as an option at the Global
CONFIG Level of the CLI but will be an option of the VLAN Level.
All bridge and port parameters have default values and do not need to be modified unless required to match
network needs. Additionally, all values will be globally applied to the switch or router. By default this feature is
enabled on switches and disabled on routers.
You can modify the following STP Parameters:
1. Modify bridge parameters: forward delay, maximum age, hello time and priority

2. Modify port parameters: priority and path cost

EXAMPLE:
Suppose you want to enable spanning tree on a system in which no port-based VLANs are active and change the
hello-time from the default value of 2 to 8 seconds. Additionally, suppose you want to change the path and priority
costs for port 5 only. To do so, enter the following commands.
ServerIron(config)# span hello-time 8
ServerIron(config)# span ethernet 5 path-cost 15 priority 64

Syntax: span [ethernet <portnum> path-cost <value> priority <value>] forward-delay <value> hello-time <value>
maximum-age <time> priority <value>
Possible values: see below
Bridge Parameters:

Forward-delay: Possible values: 4 – 30 seconds. Default is 15 seconds.

Max-age: Possible values: 6 – 40 seconds. Default is 20 seconds.

Hello-time: Possible values: 1 – 10 seconds. Default is 2 seconds.

Priority: Possible values: 1 – 65,535. Default is 32,768. A higher numerical value means a lower priority;
thus, the highest priority is 0.

Port Parameters:

Path: Possible values: 1-65,535. Default: Auto

NOTE: The default value Auto means that the port will adjust the default value automatically based on the port
speed. The default value is based on the following formula:

Half-duplex ports: 1000/port speed

Full-duplex ports: (1000/port speed)/2

Priority: possible values are 0-255. Default is 128. A higher numerical value means a lower priority; thus, the
highest priority is 0.

static-mac-address
Defines a static MAC address on an individual switch or switching port to ensure it is not aged out. The
parameter option, router-type or host-type, is not available for the FastIron Workgroup switch or Stackable Layer 3
Switches.
NOTE: If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-based VLAN (VLAN 1). If you enter the command at the configuration level for a specific port-based VLAN, the
entry applies to that VLAN and not to the default VLAN.


NOTE: If you want to include a trunk group when you configure a static MAC entry that has multiple ports,
include only the primary port of the trunk group. If you include all the trunk group's ports, the ServerIron uses all
the ports to forward traffic for the MAC address instead of using only the active trunk port.

EXAMPLE:
ServerIron(config)# static-mac-address 1145.5563.67FF e12 7 router-type
The syntax for adding static MAC entries differs depending on whether you are using a stackable or chassis
ServerIron.
Syntax for chassis devices:

Syntax: static-mac-address <mac-addr> ethernet <portnum> [priority <0-7>] [host-type | router-type]


Syntax for stackable devices:

Syntax: static-mac-address <mac-addr> ethernet <portnum> [to <portnum> ethernet <portnum>] [normal-priority | high-priority] [host-type | router-type | fixed-host]

The priority can be 0 – 7 (0 is lowest and 7 is highest) for chassis devices and either normal-priority or high-priority for stackable devices.
NOTE: The fixed-host parameter is supported only on stackable ServerIrons. Use the fixed-host parameter for
Layer 2 firewall configurations. The parameter "fixes" the address to the ServerIron port you specify and prevents
other ports on the ServerIron from learning it. Use the router-type parameter for all other types of FWLB
configurations. For more information, see the Foundry ServerIron Firewall Load Balancing Guide.
To create a static MAC entry that is associated with multiple ports, enter a command such as the following:
ServerIron(config)# static-mac-address aaaa.bbbb.cccc ethernet 1 ethernet 3 to 5
This command creates a static MAC entry that is associated with port 1 and ports 3 – 5. The ServerIron forwards
traffic addressed to aaaa.bbbb.cccc out all the ports you specify, in this case 1, 3, 4, and 5.

Syntax: static-mac-address <mac-addr> ethernet <portnum> [to <portnum> ethernet <portnum>] [normal-priority | high-priority] [host-type | router-type | fixed-host]

NOTE: If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-based VLAN (VLAN 1). If you enter the command at the configuration level for a specific port-based VLAN, the
entry applies to that VLAN and not to the default VLAN.
Foundry recommends that you configure a static ARP entry to match the static MAC entry. In fact, the software
automatically creates a static MAC entry when you create a static ARP entry.
NOTE: When a static MAC entry has a corresponding static ARP entry, you cannot delete the static MAC entry
unless you first delete the static ARP entry.
To create a static ARP entry for a static MAC entry, enter a command such as the following:
ServerIron(config)# arp 1 192.53.4.2 aaaa.bbbb.cccc ethernet 1
NOTE: The arp command allows you to specify only one port number. To create a static ARP entry for a static
MAC entry that is associated with multiple ports, specify the first (lowest-numbered) port associated with the static
MAC entry.
Possible values: See above.
Default value: host-type and 0 or normal priority


system-max
Allows you to modify the default settings for parameters that use system memory. The configurable parameters
and their defaults and maximums differ depending on the device. To display the configurable parameters, their
defaults, and the maximum configurable values for each, enter the following command at any level of the CLI:
show default values. See show default on page 21-3.
EXAMPLE:
To increase the number of real servers available on the ServerIron:
ServerIron(config)# system-max l4-real 2048

Syntax: system-max l4-real-server <real-servers>


The <real-servers> value can be from 64 – 2048.
To increase the number of virtual servers available on the ServerIron:
ServerIron(config)# system-max l4-virtual-server 512

Syntax: system-max l4-virtual-server <virtual-servers>


The <virtual-servers> value can be from 64 – 512.
To increase the number of TCP/UDP ports available on the ServerIron:
ServerIron(config)# system-max l4-server-port 4096

Syntax: system-max l4-server-port <number-of-ports>


The <number-of-ports> value can be from 256 – 4096.
To increase the number of TCP buffers available on the ServerIron:
ServerIron(config)# system-max tcp-buffer 2048

Syntax: system-max tcp-buffer <number-of-buffers>


The ServerIron uses TCP buffers for TCP sessions. Applications such as GSLB use many TCP buffers, since
buffers are required for TCP health checks as well as client connections with real servers. If you receive a
message that the ServerIron cannot perform a health check or other TCP tasks, you might need to allocate more
memory for TCP buffers.
The <number-of-buffers> value can be from 128 – 2048.
Possible values: These depend on the device you are configuring. See the System Parameters section in the
show default values display. The CLI will display the acceptable range if you enter a value that is outside the
range.
Default value: See above

tacacs-server
Identifies a TACACS or TACACS+ server and sets other TACACS/TACACS+ parameters for authenticating access
to the Foundry device.
EXAMPLE:
ServerIron(config)# tacacs-server host 209.157.22.99

Syntax: tacacs-server host <ip-addr> | <server-name> [auth-port <number>]


The only required parameter is the IP address or host name of the server.
NOTE: To specify the server's host name instead of its IP address, you must first identify a DNS server using the
ip dns server-address <ip-addr> command at the global CONFIG level. See the Configuring Basic Features
chapter of the Foundry Switch and Router Installation and Basic Configuration Guide.
The auth-port parameter specifies the UDP port number of the authentication port on the server. The default port
number is 49.


Syntax: tacacs-server [key <key-string>] [timeout <number>] [retransmit <number>] [dead-time <number>]
The key parameter specifies the value that the Foundry device sends to the server when trying to authenticate
user access. The TACACS/TACACS+ server uses the key to determine whether the Foundry device has authority
to request authentication from the server. The key can be from 1 – 16 characters in length.
The timeout parameter specifies how many seconds the Foundry device waits for a response from the TACACS/
TACACS+ server before either retrying the authentication request or determining that the TACACS/TACACS+
server is unavailable and moving on to the next authentication method in the authentication-method list. The
timeout can be from 1 – 15 seconds. The default is 3 seconds.
The retransmit parameter specifies how many times the Foundry device will re-send an authentication request
when the TACACS/TACACS+ server does not respond. The retransmit value can be from 1 – 5 times. The default
is 3 times.
The dead-time parameter is not used in this software release. When the software allows multiple authentication
servers, this parameter will specify how long the Foundry device waits for the primary authentication server to
reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can
be from 1 – 5 seconds. The default is 3.
Possible values: see above
Default value: see above

tag-type
This parameter defines the value that is sent in a packet to indicate that it comes from a tagged VLAN port. The 802.1q
standard recognizes the value of 8100 for this purpose. Other values can be assigned to this parameter but are
not recommended.
EXAMPLE:
ServerIron(config)# tag-type 8100

Syntax: tag-type <value>


Possible values: 1-65535
Default value: 8100

telnet access-group
Applies an ACL to control Telnet access to the device.
EXAMPLE:
The following commands configure ACL 10, then apply the ACL as the access list for Telnet access. The device
will allow Telnet access to all IP addresses except those listed in ACL 10.
ServerIron(config)# access-list 10 deny host 209.157.22.32 log
ServerIron(config)# access-list 10 deny 209.157.23.0 0.0.0.255 log
ServerIron(config)# access-list 10 deny 209.157.24.0 0.0.0.255 log
ServerIron(config)# access-list 10 deny 209.157.25.0/24 log
ServerIron(config)# access-list 10 permit any
ServerIron(config)# telnet access-group 10
ServerIron(config)# write mem

Syntax: telnet access-group <num>


Possible values: The <num> parameter specifies the number of a standard ACL and must be from 1 – 99.
Default value: N/A

telnet client
Restricts Telnet management access to the Foundry device to the host whose IP address you specify. No other
device except the one with the specified IP address can access the Foundry device's CLI through Telnet.
If you want to restrict access from SNMP or the Web, use one or two of the following commands:


snmp-client – restricts SNMP access (including IronView). See snmp-client on page 6-88.

web client – restricts web access. See web client on page 6-100.

If you want to restrict all management access, you can use the commands above and the telnet client command
or you can use the following command: all-client. See all-client on page 6-7.
EXAMPLE:
To restrict Telnet access (which includes IronView) to the Foundry device to the host with IP address
209.157.22.26, enter the following command:
ServerIron(config)# telnet client 209.157.22.26

Syntax: [no] telnet client <ip-addr>


Possible values: a valid IP address. You can enter one IP address with the command. You can use the
command up to ten times for up to ten IP addresses.
Default value: N/A

telnet login-timeout
Changes the login timeout period for Telnet sessions.
EXAMPLE:
To change the login timeout period for Telnet sessions to 5 minutes:
ServerIron(config)# telnet login-timeout 5

Syntax: [no] telnet login-timeout <minutes>


Possible values: 1 – 10 minutes
Default value: 1 minute

telnet server
This command enables or disables Telnet access to a ServerIron. By default, Telnet access is allowed on a
system.
EXAMPLE:
To disable Telnet access to a switch, enter the following:
ServerIron(config)# no telnet server

Syntax: [no] telnet server


Possible values: Enabled or disabled
Default value: Enabled

telnet server enable vlan


Allows Telnet access only to clients in a specific VLAN.
EXAMPLE:
The following command configures the device to allow Telnet management access only to clients connected to
ports within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management
access.
ServerIron(config)# telnet server enable vlan 10

Syntax: [no] telnet server enable vlan <vlan-id>


Possible values: N/A
Default value: N/A


telnet timeout
This parameter defines how long a Telnet session can remain idle before it is timed out. By default, Telnet
sessions do not time out.
EXAMPLE:
ServerIron(config)# telnet timeout 120

Syntax: telnet timeout <0-240>


Possible values: 0 – 240 seconds
Default value: 0 seconds (no timeout)

tftp client enable vlan


Allows TFTP access only to clients in a specific VLAN.
EXAMPLE:
The following example configures the device to allow TFTP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.
ServerIron(config)# tftp client enable vlan 40

Syntax: [no] tftp client enable vlan <vlan-id>


Possible values: N/A
Default value: N/A

trunk switch | server ethernet


This command allows you to add a trunk group to a switch, router or server for high-speed connections.
NOTE: On the ServerIron 400 or ServerIron 800, you must use the default trunk type, which is "switch". The
"server" parameter is not supported.
EXAMPLE:
To assign ports 1, 2 and 3 to a trunk group on the system, enter the following command:
ServerIron(config)# trunk switch e 1 to 3
A trunk group must then also be configured on the connecting Foundry Networks switch or router at the other end
of the trunk group. The term switch in the above command can refer to either a Foundry Networks switch,
ServerIron, or router.
If you are going to connect to a server, then enter the following command:
ServerIron(config)# trunk server e1 to 3
This will connect a trunk group of ports 1, 2 and 3 to a server.

Summary of Trunk Group Rules

The trunk type must be "switch" on the ServerIron 400 and ServerIron 800, and "server" on all other models.

Up to four trunk groups may be assigned (up to three for a TurboIron).

Trunk group port assignment should always start with the lead port, i.e. 1, 5, 9, 13 or 17. (1, 3 or 5 for a
TurboIron).

Port assignment must be contiguous

Ports cannot be assigned across multiple trunk group boundaries; for example, ports 4 and 5 cannot be in the
same trunk group.

All of the trunk group member properties must match the lead port of the trunk group with respect to the
following parameters:

port tag type (untagged or tagged port)


port speed and duplex

QoS priority

Syntax: trunk server | switch ethernet <portnum> to <portnum>


Possible values: Port or port ranges
Default value: Disabled

unknown-unicast limit
Specifies the maximum number of unknown-unicast packets the device can forward each second. By default the
device sends unknown unicasts and all other traffic at wire speed and is limited only by the capacities of the
hardware. However, if other devices in the network cannot handle unlimited unknown-unicast traffic, this
command allows you to relieve those devices by throttling the unknown unicasts at the Foundry device.
NOTE: The unknown-unicast limit does not affect broadcast or multicast traffic. However, you can use the
broadcast limit and multicast limit commands to control these types of traffic. See broadcast limit on page 6-12 and multicast limit on page 6-53.
EXAMPLE:
ServerIron(config)# unknown-unicast limit 30000

Syntax: unknown-unicast limit <num>


Possible values: 0 – 4294967295
Default value: N/A

url-map
This command is used in conjunction with the URL switching feature on the ServerIron. This command assigns a
name to a URL switching policy and enters the URL switching policy CONFIG level.
EXAMPLE:
To create a URL switching policy named p1:
ServerIron(config)# url-map p1

Syntax: url-map <policy-name>


Possible values: URL switching policy name
Default value: N/A

username
This command configures a local user account. For each user account, you specify the user name. You also can
specify the following parameters:

A password

The privilege level, which can be one of the following:

Full access (super-user). This is the default.

Port-configuration access

Read-only access

EXAMPLE:
To configure a user account, enter a command such as the following at the global CONFIG level of the CLI.
ServerIron(config)# username wonka password willy
This command adds a user account for a super-user with the user name "wonka" and the password "willy", with
privilege level super-user. This user has full access to all configuration and display features.


NOTE: If you configure user accounts, you must add a user account for super-user access before you can add
accounts for other access levels. You will need the super-user account to make further administrative changes.
ServerIron(config)# username waldo privilege 5 password whereis
This command adds a user account for user name "waldo", password "whereis", with privilege level read-only.
Waldo can look for information but cannot make configuration changes.

Syntax: [no] username <user-string> privilege <privilege-level> password | nopassword <password-string>


The privilege parameter specifies the privilege-level. You can specify one of the following:

0 – Full access (super-user)

4 – Port-configuration access

5 – Read-only access

The default privilege level is 0. If you want to assign full access to the user account, you can enter the command
without "privilege 0", as shown in the command example above.
The password | nopassword parameter indicates whether the user must enter a password. If you specify
password, enter the string for the user's password.
NOTE: You must be logged on with super-user access (privilege level 0, or with a valid Enable password for
super-user access) to add user accounts or configure other access parameters.

vlan
Creates or changes the CLI focus to a port-based VLAN.
EXAMPLE:
ServerIron(config)# vlan 200 by port
ServerIron(config)# vlan 200 name WebMgr

Syntax: vlan <num> by port


Syntax: vlan <num> name <string>
NOTE: The second command is optional and also creates the VLAN if the VLAN does not already exist. You can
enter the first command after you enter the second command if you first exit to the global CONFIG level of the CLI.
Possible values: VLAN ID 1 – 1024; VLAN name can be a string up to 16 characters. You can use blank spaces
in the name if you enclose the name in double quotes (for example, "Tanya Inman").
Default value: N/A

vlan-dynamic-discovery
Disables or re-enables dynamic discovery of protocol VLANs on switch-to-switch links. This feature enables
switch-to-switch links to be automatically included in protocol VLANs that have dynamic port membership.
EXAMPLE:
To disable the feature, enter the following command:
ServerIron(config)# no vlan-dynamic-discovery

Syntax: [no] vlan-dynamic-discovery


Possible values: Enabled or disabled
Default value: Enabled


vlan max-vlans
Allows you to assign a set number of VLANs to be supported on a ServerIron. This allows you to set a smaller
value than the default to preserve memory on the system.
EXAMPLE:
ServerIron(config)# vlan max-vlans 200

Syntax: vlan max-vlans <value>


Possible values: 1 – 1024
Default value: 32

web access-group
Applies an ACL to control Web access to the device.
EXAMPLE:
The following commands configure ACL 10, then apply the ACL as the access list for Web access. The device will
allow Web access to all IP addresses except those listed in ACL 10.
ServerIron(config)# access-list 10 deny host 209.157.22.32 log
ServerIron(config)# access-list 10 deny 209.157.23.0 0.0.0.255 log
ServerIron(config)# access-list 10 deny 209.157.24.0 0.0.0.255 log
ServerIron(config)# access-list 10 deny 209.157.25.0/24 log
ServerIron(config)# access-list 10 permit any
ServerIron(config)# web access-group 10
ServerIron(config)# write mem

Syntax: web access-group <num>


Possible values: The <num> parameter specifies the number of a standard ACL and must be from 1 – 99.
Default value: N/A
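
The following is an added example, not part of the Foundry manual: a small Python evaluator for the standard ACL 10 used in the telnet access-group and web access-group examples, so the effect of each entry can be checked before the ACL is applied to a management service. The function names, the allowlist variant, and the deny returned when no entry matches are assumptions of this example; the manual text above does not state what happens to an unmatched source.

```python
import ipaddress

# ACL 10 as entered in the telnet access-group and web access-group examples.
ACL_10 = """\
access-list 10 deny host 209.157.22.32 log
access-list 10 deny 209.157.23.0 0.0.0.255 log
access-list 10 deny 209.157.24.0 0.0.0.255 log
access-list 10 deny 209.157.25.0/24 log
access-list 10 permit any
"""

# Constructed alternative (not from the manual): admit one management host only.
ACL_10_ALLOWLIST = """\
access-list 10 permit host 209.157.22.26
"""

MASK32 = 0xFFFFFFFF


def parse_standard_acl(text, acl_num):
    """Parse the entries of one standard ACL into (action, base, wildcard, log)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[1] != str(acl_num):
            continue
        action, rest = tok[2], tok[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        log = rest[-1] == "log"
        if log:
            rest = rest[:-1]
        if rest == ["any"]:
            base, wild = 0, MASK32                      # every bit is "don't care"
        elif len(rest) == 2 and rest[0] == "host":
            base, wild = int(ipaddress.IPv4Address(rest[1])), 0
        elif len(rest) == 1 and "/" in rest[0]:
            net = ipaddress.IPv4Network(rest[0], strict=False)
            base, wild = int(net.network_address), int(net.hostmask)
        elif len(rest) == 2:                            # <ip-addr> <wildcard-mask>
            base = int(ipaddress.IPv4Address(rest[0]))
            wild = int(ipaddress.IPv4Address(rest[1]))
        else:
            raise ValueError(f"unsupported source in: {line!r}")
        # Bits set in the wildcard mask are ignored when comparing addresses.
        entries.append((action, base & ~wild & MASK32, wild, log))
    return entries


def evaluate(entries, src_ip):
    """Return (action, matching entry number or None, logged) for a source IP."""
    addr = int(ipaddress.IPv4Address(src_ip))
    for number, (action, base, wild, log) in enumerate(entries, start=1):
        if (addr & ~wild & MASK32) == base:
            return action, number, log                  # first match wins
    # Assumption of this example: a source matching no entry is denied.
    return "deny", None, False


if __name__ == "__main__":
    # Constructed source addresses for the comparison.
    sources = ["209.157.22.32", "209.157.22.33", "209.157.23.200",
               "209.157.25.1", "209.157.22.26", "198.51.100.7"]
    for name, text in (("ACL 10 from the manual", ACL_10),
                       ("constructed allowlist", ACL_10_ALLOWLIST)):
        entries = parse_standard_acl(text, 10)
        print(name)
        for src in sources:
            action, number, log = evaluate(entries, src)
            print(f"  {src:<16} {action:<6} entry={number} log={log}")
```

With the manual's ACL, any source outside the four listed hosts and subnets reaches the final permit any entry; with the constructed allowlist only 209.157.22.26 is admitted.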

web client
Restricts Web management access to the Foundry device to the host whose IP address you specify. No other
device except the one with the specified IP address can access the Foundry device's Web management interface.
If you want to restrict access from SNMP or Telnet, use one or two of the following commands:

snmp-client – restricts SNMP access (including IronView). See snmp-client on page 6-88.

telnet client – restricts Telnet access to the CLI. See telnet client on page 6-95.

If you want to restrict all management access, you can use the commands above and the web client command or
you can use the following command: all-client. See all-client on page 6-7.
EXAMPLE:
To restrict Web access to the Foundry device to the host with IP address 209.157.22.26, enter the following
command:
ServerIron(config)# web client 209.157.22.26

Syntax: [no] web client <ip-addr>


Possible values: a valid IP address. You can enter one IP address with the command. You can use the
command up to ten times for up to ten IP addresses.
Default value: N/A

web-management
This command enables or disables the Web management interface on a ServerIron. By default this feature is
enabled on a system.


EXAMPLE:
ServerIron(config)# no web-management

Syntax: [no] web-management


Possible values: Enabled, Disabled
Default value: Enabled

web-management enable vlan


Allows Web management access only to clients in a specific VLAN.
EXAMPLE:
The following example configures the device to allow Web management access only to clients connected to ports
within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management access.
ServerIron(config)# web-management enable vlan 10

Syntax: [no] web-management enable vlan <vlan-id>


Possible values: N/A
Default value: N/A
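
The following is an added example, not part of the Foundry manual: a Python check that reads saved configuration text and reports which of the management-access defaults documented above are still in effect (Telnet server enabled, Telnet idle timeout of 0, Web management enabled, no source restriction). It assumes the configuration text contains the commands in the form shown on this page; the finding names, function name and sample configurations are constructed for this example.

```python
import re

# Constructed configuration fragments (not taken from a real device).
SAMPLE_CONFIG = """\
username wonka password willy
username guest privilege 5 nopassword
tacacs-server host 209.157.22.99
web client 209.157.22.26
"""

RESTRICTED_CONFIG = """\
telnet access-group 10
telnet timeout 120
web-management enable vlan 10
"""

DISABLED_CONFIG = """\
no telnet server
no web-management
username wonka password willy
tacacs-server host 209.157.22.99
tacacs-server key constructed-key
"""


def audit_management_plane(config_text):
    """Return a list of finding names for management-access settings."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]

    def exact(cmd):
        return cmd in lines

    def starts(prefix):
        return any(ln.startswith(prefix + " ") for ln in lines)

    findings = []
    all_client = starts("all-client")   # restricts all management access

    # Telnet access is allowed by default; only "no telnet server" turns it off.
    if not exact("no telnet server"):
        restricted = (all_client or starts("telnet access-group")
                      or starts("telnet client")
                      or starts("telnet server enable vlan"))
        if not restricted:
            findings.append("TELNET_UNRESTRICTED")
        # Default idle timeout is 0, meaning sessions never time out.
        timeouts = [int(m.group(1)) for m in
                    (re.fullmatch(r"telnet timeout (\d+)", ln) for ln in lines)
                    if m]
        if not timeouts or timeouts[-1] == 0:
            findings.append("TELNET_NO_IDLE_TIMEOUT")

    # Web management is enabled by default; only "no web-management" disables it.
    if not exact("no web-management"):
        restricted = (all_client or starts("web access-group")
                      or starts("web client")
                      or starts("web-management enable vlan"))
        if not restricted:
            findings.append("WEB_UNRESTRICTED")

    # Local accounts created with the nopassword keyword.
    for ln in lines:
        tok = ln.split()
        if tok[0] == "username" and "nopassword" in tok[2:] \
                and "password" not in tok[2:]:
            findings.append("LOCAL_USER_NOPASSWORD")
            break

    # A TACACS/TACACS+ host configured without a key string.
    has_key = any(re.match(r"tacacs-server\b.*\bkey \S+", ln) for ln in lines)
    if starts("tacacs-server host") and not has_key:
        findings.append("TACACS_NO_KEY")

    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG),
                      ("restricted", RESTRICTED_CONFIG),
                      ("disabled", DISABLED_CONFIG)):
        print(name, audit_management_plane(cfg))
```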

write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config)# write memory

Syntax: write memory


Possible values: N/A
Default value: N/A

write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config)# write terminal

Syntax: write terminal


Possible values: N/A
Default value: N/A

wsm boot
Changes the default boot source for the Web Switching Management Module.
By default, the Web Switching Management Module's processors boot from the primary flash areas on the
module. Each processor boots from its own primary flash. The MP boots first, then the WSM CPUs boot.
You can change the default boot source to one of the following:

Primary flash (the default)

Secondary flash

Interactive

The interactive option pauses during bootup of the WSM CPUs to allow you to select the boot source for the WSM
CPUs. You must use this method if you want to boot the WSM CPUs from a TFTP server. Otherwise, this method
is used for troubleshooting.


EXAMPLE:
To change the default boot source, enter commands such as the following at the global CONFIG level of the CLI:
ServerIron(config)# wsm boot secondary
ServerIron(config)# write memory
This command configures the module to boot from the secondary flash by default.
NOTE: The write memory command saves the change to the startup-config file. You must save the
configuration change for the change to remain in effect after you reboot.

Syntax: wsm boot primary | secondary | interactive


The primary and secondary parameters specify a flash memory location. The interactive parameter causes the
device to pause during bootup to allow you to specify the boot source for the WSM CPUs. You must use this
method if you want to boot the WSM CPUs from a TFTP server. Otherwise, the interactive parameter is used for
troubleshooting.
To configure the module to pause during booting to allow you to specify the boot source, enter the following
command:
ServerIron(config)# wsm boot interactive
After you set the boot source to interactive and reboot, enter a command such as the following at the Privileged
EXEC level of the CLI to boot the WSM CPUs:
ServerIron# wsm boot tftp 192.168.1.170 wsp07200.bin
This command copies the WSM CPU flash code image from the specified TFTP server to a WSM CPU address
space from which the WSM CPU can boot.

Syntax: wsm boot primary | secondary | tftp <ip-addr> <image-file-name>


Possible values: See above
Default value: primary

wsm wsm-map
Remaps processing for a forwarding module to a specific WSM CPU.
NOTE: Foundry recommends that you change slot allocations only if Foundry technical support advises the
change or the documentation for a feature states that the change is required.
EXAMPLE:
ServerIron(config)# wsm wsm-map slot 3 wsm-slot 2 wsm-cpu 1
This command remaps processing for the forwarding module in slot 3 to WSM CPU 1 on the Web Switching
Management Module in slot 2.

Syntax: wsm wsm-map <from-slotnum> wsm-slot <to-slotnum> wsm-cpu <cpunum>


The <from-slotnum> parameter specifies the slot that contains the forwarding module.
The <to-slotnum> parameter specifies the slot that contains the Web Switching Management Module.
The <cpunum> parameter specifies the WSM CPU on <to-slotnum> that will perform the processing. The WSM
CPUs are numbered from 1 – 3.


Chapter 7
Redundant Management Module
CONFIG Commands

active-management
In chassis containing redundant management modules, changes the default assignment of the active
management module. By default, the redundant management module in the lower slot number becomes the
active redundant management module. You must use this command to override the default and make the
redundant management module in the higher slot number the default active module.
NOTE: This command applies only to devices containing redundant management modules.
NOTE: The change does not take effect until you reload the system. If you save the change to the active
module's system-config file before reloading, the change persists across system reloads. Otherwise, the change
affects only the next system reload.
EXAMPLE:
To override the default and specify the active redundant management module, enter the following commands:
BigServerIron(config)# redundancy
BigServerIron(config-redundancy)# active-management 5
This command overrides the default and makes the redundant management module in slot 5 the active module
following the next reload. The change affects only the next reload and does not remain in effect for future reloads.

Syntax: active-management <slot-num>


NOTE:

Slots in a four-slot chassis are numbered 1 – 4, from top to bottom.

Slots in an eight-slot chassis are numbered 1 – 8, from left to right.

To make the change permanent across future reloads, enter the write memory command to save the change to
the startup-config file, as shown in the following example:
BigServerIron(config)# redundancy
BigServerIron(config-redundancy)# active-management 5
BigServerIron(config-redundancy)# write memory
NOTE: If you do not save the change to the startup-config file, the change affects only the next reload.


end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
BigServerIron(config-redundancy)# end
BigServerIron#

Syntax: end
Possible values: N/A
Default value: N/A

exit
Moves activity up one level from the current level. In this case, activity will be moved to the privileged level.
EXAMPLE:
To move from the global level, back to the privileged level, enter the following:
BigServerIron(config-redundancy)# exit
BigServerIron#

Syntax: exit
Possible values: N/A
Default value: N/A

no
Disables other commands. To disable a command, place the word no before the command.

quit
Returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
BigServerIron(config-redundancy)# quit
BigServerIron>

Syntax: quit
Possible values: N/A
Default value: N/A

show
Displays a variety of configuration and statistical information about the switch or router. See Show Commands
on page 21-1.

sync-standby
Automates synchronization of software between active and standby redundant management modules.
EXAMPLE:
To change the automatic synchronization setting, use one of the following commands:

Syntax: [no] sync-standby boot


Syntax: [no] sync-standby code
Syntax: [no] sync-standby startup-config
Syntax: [no] sync-standby running-config [<num>]


To disable automatic synchronization of the boot code, flash code, or startup-config file, enter no in front of the
command.
The <num> parameter with the sync-standby running-config command specifies the synchronization interval.
You can specify from 4 – 20 seconds. The default is 10 seconds. To disable automatic synchronization of the
running-config, set the synchronization interval (the <num> parameter) to 0.
Possible values: See above
Default value: Automatic synchronization of the flash code, running-config, and system-config file is enabled by
default. Automatic synchronization of the boot code is disabled by default. The default synchronization interval for
the running-config is 10 seconds.

write memory
Saves the running configuration into the startup-config file.
EXAMPLE:
BigServerIron(config-redundancy)# write memory

Syntax: write memory


Possible values: N/A
Default value: N/A

write terminal
Displays the running configuration of the Foundry switch or router on the terminal screen.
NOTE: This command is equivalent to the show running-config command.
EXAMPLE:
BigServerIron(config-redundancy)# write terminal

Syntax: write terminal


Possible values: N/A
Default value: N/A


Chapter 8
Interface Commands

auto-gig
Enables auto-negotiating on a gigabit interface in accordance with the flow control specification 802.3x. Both
sides of the circuit need to be configured with this feature.
EXAMPLE:
ServerIron(config)# int e 1
ServerIron(config-if-1)# auto-gig

Syntax: [no] auto-gig


Possible values: on or off
Default value: disabled

broadcast limit
Specifies the maximum number of broadcast packets the device can forward each second. By default the device
sends broadcasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However,
if other devices in the network cannot handle unlimited broadcast traffic, this command allows you to relieve those
devices by throttling the broadcasts at the Foundry device.
NOTE: The broadcast limit does not affect multicast or unicast traffic. However, you can use the multicast limit
and unknown-unicast limit commands to control these types of traffic. See "multicast limit" on page 8-11 and
"unknown-unicast limit" on page 8-14.
EXAMPLE:
ServerIron(config)# int e 6
ServerIron(config-if-6)# broadcast limit 30000

Syntax: broadcast limit <num>


Possible values: 0 to 4294967295
Default value: N/A

cache-group
Applies the port to a TCS cache group. The port's membership in a cache group allows client traffic received on
the port to be redirected to the cache servers in the cache group.
EXAMPLE:
ServerIron(config)# int e 6
ServerIron(config-if-6)# cache-group 1

Syntax: cache-group 1
Possible values: 1
Default value: 1

clear
Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in
"Privileged EXEC Commands" on page 5-1.

dhcp-gateway-list
This parameter assigns a defined DHCP gateway list to a specific interface on a Foundry switch. DHCP gateway
lists must be defined at the Global Level and the DHCP Assist feature enabled to support assignment of this
feature on switches.
NOTE: This feature is not supported on Foundry routers.
NOTE: For more details on this command and the DHCP Assist feature, see the Foundry Switch and Router
Installation and Basic Configuration Guide.
EXAMPLE:
To assign a defined DHCP gateway list (1) to interface 2/5, enter the following:
ServerIron(config)# int e 2
ServerIron(config-if-2)# dhcp-gateway-list 1

Syntax: dhcp-gateway-list <number>


Possible values: N/A
Default value: N/A

disable
Disables a specific port.
EXAMPLE:
ServerIron(config)# interface e 1
ServerIron(config-if-1)# disable

Syntax: disable
Possible values: N/A
Default value: N/A

enable
Enables a specific port. All ports are enabled by default at system startup, so this command is necessary only if a
port has been disabled.
EXAMPLE:
ServerIron(config)# interface e 1
ServerIron(config-if-1)# enable

Syntax: enable
Possible values: N/A
Default value: All ports are enabled at system startup.

end
Moves activity to the privileged level from any level of the CLI with the exception of the User level.

EXAMPLE:
To move to the privileged level, enter the following:
ServerIron(config-if-5)# end
ServerIron#

Syntax: end
Possible values: N/A
Default value: N/A

exit
Moves activity up one level from the current level of the CLI. This command is available at all levels.
EXAMPLE:
To move from the interface level, back to the global level, enter the following:
ServerIron(config-if-4)# exit
ServerIron(config)#

Syntax: exit
Possible values: N/A
Default value: N/A

flow-control
Allows you to turn flow control (802.3x) for full-duplex ports on or off (no). Flow control is on by default.
EXAMPLE:
To turn the feature off, enter the following:
ServerIron(config)# int e5
ServerIron(config-if-5)# no flow-control
To turn the feature on after being turned off, enter the following:
ServerIron(config-if-5)# flow-control

Syntax: [no] flow-control


Possible values: N/A
Default value: on

fw-group
Assigns a port to a firewall group.
EXAMPLE:
To assign port 5 to firewall group 2:
ServerIron(config)# int e 5
ServerIron(config-if-5)# fw-group 2

Syntax: fw-group 2
Possible values: 2
Default value: All ports are assigned to firewall group 2 by default.

gig-default
Overrides the global default setting for Gigabit negotiation mode. You can configure the Gigabit negotiation mode
for a port to be one of the following:

Default: The port uses the negotiation mode that was set at the global level.

Negotiate-full-auto: The port first tries to perform a handshake with the other port to exchange capability
information. If the other port does not respond to the handshake attempt, the port uses the manually
configured configuration information (or the defaults if an administrator has not set the information). This is
the default for Chassis devices (including the TurboIron/8).

Auto-Gigabit: The port tries to perform a handshake with the other port to exchange capability information.
This is still the default for Stackable devices.

Negotiation-off: The port does not try to perform a handshake. Instead, the port uses configuration
information manually configured by an administrator.

See the "Configuring Basic features" chapter of the Foundry Switch and Router Installation and Basic
Configuration Guide for more information.
NOTE: This command does not apply to Stackable devices. To change the negotiation mode for a Stackable
Gigabit Ethernet port, use the [no] auto-gig command at the Interface level. See "auto-gig" on page 8-1.
EXAMPLE:
To override the global setting and set the negotiation mode to auto-Gigabit for ports 4/1 to 4/4, enter the following
commands:
ServerIron(config)# int ethernet 4/1 to 4/4
ServerIron(config-mif-4/1-4/4)# gig-default auto-gig

Syntax: gig-default neg-full-auto | auto-gig | neg-off


Possible values: see above
Default value: neg-full-auto

ip access-group
Applies an ACL to an interface.
EXAMPLE:
To configure a standard ACL and apply it to outgoing traffic on port 1, enter the following commands.
ServerIron(config)# access-list 1 deny host 209.157.22.26 log
ServerIron(config)# access-list 1 deny 209.157.29.12 log
ServerIron(config)# access-list 1 deny host IPHost1 log
ServerIron(config)# access-list 1 permit any
ServerIron(config)# int eth 1
ServerIron(config-if-1)# ip access-group 1 out
ServerIron(config)# write memory
The commands in this example configure an ACL to deny packets from three source IP addresses from being
forwarded on port 1. The last ACL entry in this ACL permits all packets that are not explicitly denied by the first
three ACL entries.

Syntax: [no] ip access-group <num> in | out


The <num> parameter is the access list number and can be from 1 to 99.
EXAMPLE:
To apply an ACL to a subset of ports within a virtual interface, enter commands such as the following:
ServerIron(config)# vlan 10 name IP-subnet-vlan
ServerIron(config-vlan-10)# untag ethernet 1/1 to 2/12
ServerIron(config-vlan-10)# router-interface ve 1
ServerIron(config-vlan-10)# exit
ServerIron(config)# access-list 1 deny host 209.157.22.26 log
ServerIron(config)# access-list 1 deny 209.157.29.12 log
ServerIron(config)# access-list 1 deny host IPHost1 log
ServerIron(config)# access-list 1 permit any
ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# ip access-group 1 in ethernet 1/1 ethernet 1/3 ethernet 2/1 to 2/4
The commands in this example configure port-based VLAN 10, add ports 1/1 to 2/12 to the VLAN, and add virtual
routing interface 1 to the VLAN. The commands following the VLAN configuration commands configure ACL 1.
Finally, the last two commands apply ACL 1 to a subset of the ports associated with virtual interface 1.

Syntax: [no] ip access-group <num> in ethernet <portnum> [<portnum>...] to <portnum>


Possible values: see above
Default value: N/A

ip address
Configures an IP interface for use with IP forwarding. You must configure the IP interface on a virtual routing
interface. You cannot configure the interface on a physical port. See "router-interface" on page 9-6.
NOTE: This command applies only to Layer 3 IP interfaces for use with IP forwarding. To configure the
ServerIron's management IP address, see "ip address" on page 6-34.
EXAMPLE:
To add an IP interface, enter commands such as the following:
ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# ip address 10.10.10.1 255.255.255.0
The interface ve 1 command changes the CLI to the configuration level for virtual routing interface 1. The ip
address command adds an IP interface.

Syntax: [no] ip address | nat-address | standby-address <ip-addr> <ip-mask>


or

Syntax: [no] ip address | nat-address | standby-address <ip-addr>/<mask-bits>


The address | nat-address | standby-address parameter identifies the type of IP interface you are adding.

The address parameter adds a standard IP interface. This option is applicable in most cases.

The nat-address parameter applies to active-standby configurations. This parameter configures a shared IP
interface for use with SLB source NAT. Enter the same command with the same IP address on each of the
ServerIrons in the active-standby configuration. The address is active only on one ServerIron (the ServerIron
that is currently active) at a time.
NOTE: SLB source NAT is different from standard Network Address Translation (NAT).

The standby-address parameter applies to active-standby configurations and allows both ServerIrons to
share the same router interface. One of the ServerIrons actively supports the interface while the other
ServerIron provides failover for the interface if the first ServerIron becomes unavailable. Real servers can
use the shared interface as their default gateway. Enter the same command with the same IP address on
each of the ServerIrons in the active-standby configuration. The address is active only on one ServerIron (the
ServerIron that is currently active) at a time.

The <ip-addr> parameter specifies the IP address.


The <ip-mask> parameter specifies a class-based (or Classical) IP sub-net mask.
The <mask-bits> parameter specifies the number of significant bits in a Classless Interdomain Routing (CIDR)
sub-net mask.
You can use either format to configure the interface. For example, both the following commands are valid and
produce the same result:

ip address 10.10.10.1 255.255.255.0

ip address 10.10.10.1/24

Possible values: See above


Default value: N/A

ip icmp burst
Causes the Foundry device to drop ICMP packets when excessive numbers are encountered, as is the case when
the device is the victim of a Smurf attack. This command allows you to set threshold values for ICMP packets
targeted at the router and drop them when the thresholds are exceeded.
EXAMPLE:
In the following example, if the number of ICMP packets received per second exceeds 5,000, the excess packets
are dropped. If the number of ICMP packets received per second exceeds 10,000, the device drops all ICMP
packets for the next 300 seconds (five minutes).
ServerIron(config-if-e100-1)# ip icmp burst-normal 5000 burst-max 10000 lockup 300

Syntax: ip icmp burst-normal <value> burst-max <value> lockup <seconds>


The burst-normal value can be from 1 to 100000.
The burst-max value can be from 1 to 100000.
The lockup value can be from 1 to 10000.
The number of incoming ICMP packets per second is measured and compared to the threshold values as
follows:

If the number of ICMP packets exceeds the burst-normal value, the excess ICMP packets are dropped.

If the number of ICMP packets exceeds the burst-max value, all ICMP packets are dropped for the number of
seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and
measurement is restarted.

Possible values: The burst-normal and burst-max values can be between 1 and 100000 packets. The burst-normal
value must be smaller than the burst-max value. The lockup value can be between 1 and 10000 seconds.
Default value: N/A

ip-multicast-disable
Disables Internet Group Membership Protocol (IGMP) queries from being sent or received on the port.
EXAMPLE:
To disable IGMP queries on an interface, enter commands such as the following:
ServerIron(config)# int e5
ServerIron(config-if-5)# ip-multicast-disable
To re-enable the IGMP queries on the interface, enter the following command:
ServerIron(config-if-5)# no ip-multicast-disable

Syntax: [no] ip-multicast-disable


Possible values: N/A
Default value: IGMP queries are enabled.

ip-policy
Locally enables TCS or firewall load balancing on the interface. Use this command if you did not enable TCS or
firewall load balancing globally. See "ip policy" on page 6-39.
NOTE: You must use the ip policy command to configure the policy before using the ip-policy command.
See "ip policy" on page 6-39.
NOTE: This command does not configure permit and deny filters. To configure this type of filter, see "ip filter"
on page 6-35.
See the following for more information:

The "Configuring Transparent Cache Switching" chapter of the Foundry ServerIron Installation and
Configuration Guide

The Foundry ServerIron Firewall Load Balancing Guide

EXAMPLE:
To enable transparent cache switching of HTTP traffic for port 18 only, as opposed to globally on all of the ports,
enter the following commands:
ServerIron(config)# ip policy 2 cache tcp 80 local
ServerIron(config)# int e 18
ServerIron(config-if-18)# ip-policy 2
EXAMPLE:
To enable firewall load balancing on port 9, enter the following commands:
ServerIron(config)# ip policy 3 fw tcp 0 local
ServerIron(config)# ip policy 4 fw udp 0 local
ServerIron(config)# int e 9
ServerIron(config-if-9)# ip-policy 3
ServerIron(config-if-9)# ip-policy 4

Syntax: ip policy <index> cache | fw | high | normal tcp | udp <tcp/udp-portnum> global | local
Syntax: ip-policy <index>
NOTE: When enabling firewall load balancing, you must specify "0" for the <tcp/udp-portnum> parameter of the
ip policy command. This value allows all ports of the specified type (TCP or UDP).
Possible values: See above
Default value: N/A

ip rip
Enables the Routing Information Protocol (RIP) version on a virtual routing interface.
NOTE: This command applies only to IP forwarding (Layer 3 IP).
EXAMPLE:
ServerIron(config-rip-router)# interface ve 1
ServerIron(config-vif-1)# ip rip v1-only
This command changes the CLI to the configuration level for virtual routing interface 1 and enables RIP version 1
on the interface. You must specify the version.

Syntax: [no] ip rip v1-only | v1-compatible-v2 | v2-only


Possible values: See above
Default value: Disabled; no version specified

ip rip learn-default
Enables the ServerIron to learn RIP default routes.
NOTE: This command applies only to IP forwarding (Layer 3 IP).

EXAMPLE:
ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# ip rip learn-default

Syntax: [no] ip rip learn-default


Possible values: N/A
Default value: Disabled

ip rip poison-reverse
Changes the method of loop prevention that RIP uses.
NOTE: This command applies only to IP forwarding (Layer 3 IP).
RIP can use one of the following loop-prevention methods:

Split horizon: The ServerIron does not advertise a route on the same interface as the one on which the
ServerIron learned the route.

Poison reverse: The ServerIron assigns a cost of 16 (infinite or unreachable) to a route before advertising
it on the same interface as the one on which the ServerIron learned the route. This is the default.

NOTE: These methods are in addition to RIP's maximum valid route cost of 15.
EXAMPLE:
To enable split horizon, enter commands such as the following:
ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# no ip rip poison-reverse

Syntax: [no] ip rip poison-reverse


Possible values: See above
Default value: Poison reverse

ip tcp burst
Causes the Foundry device to drop TCP SYN packets when excessive numbers are encountered, as is the case
when the device is the victim of a TCP SYN attack. This command allows you to set threshold values for TCP
SYN packets targeted at the router and drop them when the thresholds are exceeded.
EXAMPLE:
In the following example, if the number of TCP SYN packets received per second exceeds 10, the excess packets
are dropped. If the number of TCP SYN packets received per second exceeds 100, the device drops all TCP SYN
packets for the next 300 seconds (five minutes).
ServerIron(config)# int e 1
ServerIron(config-if-e100-1)# ip tcp burst-normal 10 burst-max 100 lockup 300

Syntax: ip tcp burst-normal <value> burst-max <value> lockup <seconds>


The burst-normal value can be from 1 to 100000.
The burst-max value can be from 1 to 100000.
The lockup value can be from 1 to 10000.
The number of incoming TCP SYN packets per second is measured and compared to the threshold values as
follows:

If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets are
dropped.

If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are dropped for the
number of seconds specified by the lockup value. When the lockup period expires, the packet counter is
reset and measurement is restarted.

Possible values: The burst-normal and burst-max values can be between 1 and 100000 packets. The burst-normal
value must be smaller than the burst-max value. The lockup value can be between 1 and 10000 seconds.
Default value: N/A
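
The threshold behaviour described for ip icmp burst and ip tcp burst can be modelled offline to see what a given setting does to traffic. The following Python sketch is an added example, not part of the Foundry manual or the ServerIron software; the names BurstPolicy, simulate and summarize are hypothetical and the traffic counts are constructed. It assumes per-second totals and assumes that in the second that exceeds burst-max only the excess over burst-normal is dropped, with the lockup starting in the next second (the manual does not specify this timing).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BurstPolicy:
    """Parameters of 'ip icmp burst' / 'ip tcp burst' as documented above."""
    protocol: str        # "icmp" or "tcp"
    burst_normal: int    # packets per second, 1 to 100000
    burst_max: int       # packets per second, 1 to 100000
    lockup: int          # seconds, 1 to 10000

    def __post_init__(self):
        if self.protocol not in ("icmp", "tcp"):
            raise ValueError("protocol must be 'icmp' or 'tcp'")
        if not 1 <= self.burst_normal <= 100000:
            raise ValueError("burst-normal must be from 1 to 100000")
        if not 1 <= self.burst_max <= 100000:
            raise ValueError("burst-max must be from 1 to 100000")
        if not 1 <= self.lockup <= 10000:
            raise ValueError("lockup must be from 1 to 10000")
        if self.burst_normal >= self.burst_max:
            raise ValueError("burst-normal must be smaller than burst-max")

    def command(self):
        """Render the interface-level command using the documented syntax."""
        return (f"ip {self.protocol} burst-normal {self.burst_normal} "
                f"burst-max {self.burst_max} lockup {self.lockup}")


def simulate(policy, per_second_counts):
    """Return one (forwarded, dropped, state) tuple per second of input.

    Assumption (not stated in the manual): the second that exceeds
    burst-max is throttled to burst-normal, and the lockup covers the
    following policy.lockup seconds.
    """
    rows = []
    lockup_left = 0
    for count in per_second_counts:
        if lockup_left > 0:
            # Every packet of this type is dropped, whatever the rate.
            rows.append((0, count, "lockup"))
            lockup_left -= 1
        elif count > policy.burst_max:
            rows.append((policy.burst_normal,
                         count - policy.burst_normal, "trigger"))
            lockup_left = policy.lockup
        elif count > policy.burst_normal:
            rows.append((policy.burst_normal,
                         count - policy.burst_normal, "throttle"))
        else:
            rows.append((count, 0, "normal"))
    return rows


def summarize(rows):
    """Total the simulation so settings can be compared side by side."""
    return {
        "forwarded": sum(r[0] for r in rows),
        "dropped": sum(r[1] for r in rows),
        "lockup_seconds": sum(1 for r in rows if r[2] == "lockup"),
    }


# Constructed sample: TCP SYN packets seen per second on one interface.
SAMPLE_COUNTS = [5, 10, 40, 150, 8, 8, 8, 8, 120]

if __name__ == "__main__":
    # lockup 3 keeps the demo short; the manual's example uses 300.
    policy = BurstPolicy("tcp", burst_normal=10, burst_max=100, lockup=3)
    print(policy.command())
    rows = simulate(policy, SAMPLE_COUNTS)
    for second, (fwd, drop, state) in enumerate(rows):
        print(f"t={second}s forwarded={fwd:3d} dropped={drop:3d} {state}")
    print(summarize(rows))
```

In the sample, the three seconds at 8 packets per second are below burst-normal yet are dropped in full because they fall inside the lockup, so the lockup value sets how long legitimate clients are shut out after a burst.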

ip tcp syn-proxy
Enables the SYN-Guard feature on individual ports on the ServerIron 400 or ServerIron 800. This feature can be
applied to inbound SYN requests (for Web site traffic) and/or outbound SYN requests (for ISP and institution
outgoing traffic).
EXAMPLE:
To use the SYN-Guard feature for inbound SYN requests on interface 3/1:
ServerIron(config)# interface e 3/1
ServerIron(config-if-3/1)# ip tcp syn-proxy in

Syntax: ip tcp syn-proxy in | out


When applied to inbound SYN requests, the SYN-Guard feature can be used with all ServerIron features,
including TCS, FWLB, and SLB. However, when applied to outbound SYN requests, the SYN-Guard feature is the
only process that can act on the packet.
Possible values: N/A
Default value: N/A

ipg10
This command allows you to modify the inter-packet gap (delay) between packets on a 10Mbps Ethernet segment.
By default, the delay between packets will be 12 bytes or 9.6 microseconds.
Use this command only to adjust the inter-packet gap to match older adapters that do not meet the default IPG
requirements for Ethernet.
In determining the value to enter in the CLI command, note that one byte equals .8 microseconds for packets on a
10Mbps segment, so the following equation can be used:
IPG10 = 9.6 microseconds + (value * .8), where value is the number of bytes by which you want to increase the
inter-packet gap.
EXAMPLE:
To increase the delay between packets by 3.2 microseconds, enter the port to be modified and then enter the
value of 4 (4 * .8 = 3.2 microseconds).
ServerIron(config)# int e 4
ServerIron(config-if-4)# ipg10 4

Syntax: ipg10 <value>


Possible values: 0 to 100 bytes
Default value: 12 bytes or ipg10 0
NOTE: Entering the value of 0 within the ipg10, ipg100, and ipg1000 commands restores the inter-packet gap
(IPG) to the default of 12 bytes.

ipg100
This command allows you to modify the inter-packet gap (delay) between packets on a 100Mbps Ethernet
segment on a port-by-port basis. By default, the delay between packets will be 12 bytes or 0.96 microseconds.

Use this command only to adjust the inter-packet gap to match that of older adapters that do not meet the default
IPG requirements for Fast Ethernet.
In determining the value to enter in the CLI command, note that one byte equals .08 microseconds for packets on a
100Mbps segment, so the following equation can be used:
IPG100 = 0.96 microseconds + (value * .08), where value is the number of bytes by which you want to increase the
inter-packet gap.
EXAMPLE:
To increase the delay between packets by 3.2 microseconds, enter the port to be modified and then enter the
value of 40 (40 * .08 = 3.2 microseconds).
ServerIron(config)# int e 3
ServerIron(config-if-3)# ipg100 40

Syntax: ipg100 <value>


Possible values: 0 to 100
Default value: 12 bytes or ipg100 0

ipg1000
This command allows you to modify the inter-packet gap (delay) between packets on a 1000Mbps Gigabit
Ethernet segment on a port-by-port basis. By default, the delay between packets will be 12 bytes or .096
microseconds.
Use this command only to adjust the inter-packet gap to match that of older adapters that do not meet the default
IPG requirements for Gigabit Ethernet.
In determining the value to enter in the CLI command, note that one byte equals .008 microseconds for packets on
a 1000Mbps segment, so the following equation can be used:
IPG1000 = .096 microseconds + (value * .008), where value is the number of bytes by which you want to increase
the inter-packet gap.
EXAMPLE:
To increase the delay between packets by .32 microseconds, first enter the port to be modified and then enter the
value of 40 (40 * .008 = .32 microseconds).
ServerIron(config)# int e 3
ServerIron(config-if-3)# ipg1000 40

Syntax: ipg1000 <value>


Possible values: 1 to 100
Default value: 12 bytes or ipg1000 0

mac filter-group
Applies a group of MAC filters to an interface. You can configure one filter group on each interface.
NOTE: You must define the filters at the global CONFIG level using the mac filter command (see "mac filter" on
page 6-50) before you can apply them in a filter group.
NOTE: The filters must be applied as a group. For example, if you want to apply four filters to an interface, they
must all appear on the same command line.
NOTE: You cannot add or remove individual filters in the group. To add or remove a filter on an interface, apply
the filter group again containing all the filters you want to apply to the port.

NOTE: If you apply a filter group to a port that already has a filter group applied, the older filter group is replaced
by the new filter group.
EXAMPLE:
To apply MAC filters 1, 2, 3, and 1024 to interface 6, enter the following command:
ServerIron(config)# int e 6
ServerIron(config-if-6)# mac filter-group 1 2 3 1024

Syntax: mac filter-group <filter-list>


Possible values: 1 to 1024
Default value: N/A

monitor
This allows you to select a port to be diagnosed by a designated mirror port. You can configure incoming,
outgoing or both incoming and outgoing traffic to be monitored on the port.
EXAMPLE:
To monitor both incoming and outgoing traffic on interface 5:
ServerIron(config)# interface e5
ServerIron(config-if-5)# monitor both

Syntax: monitor input | output | both


Possible values: N/A
Default value: Disabled

multicast limit
Specifies the maximum number of multicast packets the device can forward each second. By default the device
sends multicasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However,
if other devices in the network cannot handle unlimited multicast traffic, this command allows you to relieve those
devices by throttling the multicasts at the Foundry device.
NOTE: The multicast limit does not affect broadcast or unicast traffic. However, you can use the broadcast limit
and unknown-unicast limit commands to control these types of traffic. See "broadcast limit" on page 8-1 and
"unknown-unicast limit" on page 8-14.
EXAMPLE:
ServerIron(config)# interface e5
ServerIron(config-if-5)# multicast limit 30000

Syntax: multicast limit <num>


Possible values: 0 to 4294967295
Default value: N/A

neg-off
Overrides the default negotiation mode for a Gigabit port on Chassis devices. When you invoke this command,
the port does not try to perform a handshake. Instead, the port uses configuration information manually
configured by an administrator.
EXAMPLE:
To change the negotiation mode for the port to negotiation-off:
ServerIron(config)# int e3
ServerIron(config-if-3)# neg-off

Syntax: neg-off
Possible values: N/A


Default value: N/A

no
This command disables other commands. To disable a command, place the word no before the command.

phy-mode
If a port on a ServerIron is to be attached to a Bay Networks 28000 switch, enter this command at the Interface
Level as shown below.
This command helps the ServerIron to adjust to interoperability requirements of the 28000.
EXAMPLE:
ServerIron(config)# int e3
ServerIron(config-if-3)# phy-mode 28k

Syntax: phy-mode 28k


Possible values: 28k
Default value: Option is turned off.

port-name
Assignment of a name to an interface provides additional identification for a segment on the network.
EXAMPLE:
ServerIron(config)# interface e 1
ServerIron(config-if-1)# port-name marketing-funk

Syntax: port-name <text>


Possible values: N/A
Default value: N/A

pvst-mode
Statically enables support for Cisco Systems' Per VLAN Spanning Tree (PVST).
PVST/PVST+ support is automatically enabled on a port if the port receives a BPDU in PVST/PVST+ format.
However, you can statically enable PVST/PVST+ support on a port if desired. In this case, the support is enabled
immediately and support for Foundry tagged BPDUs is disabled at the same time.
NOTE: When PVST/PVST+ support is enabled on a port, support for Foundry BPDUs is disabled.
For more information, see the "Configuring Spanning Tree Protocol (STP) and IronSpan" chapter in the Foundry
Switch and Router Installation and Basic Configuration Guide.
EXAMPLE:
To enable PVST/PVST+ support on a port, enter commands such as the following:
ServerIron(config)# interface ethernet 1/1
ServerIron(config-if-1/1)# pvst-mode

Syntax: [no] pvst-mode


NOTE: If you disable PVST/PVST+ support, the software still automatically enables PVST/PVST+ support if the
port receives an STP BPDU with PVST/PVST+ format.
Possible values: N/A
Default value: Enabled automatically when a PVST/PVST+ BPDU is received on the port

qos-priority
Sets the Quality-of-Service (QoS) priority level for a port, VLAN, static MAC address, or Layer 4 session. You can
select the normal queue or the high-priority queue. All traffic is in the normal queue by default. When you allocate
a port, VLAN, static MAC address, or Layer 4 session to the high-priority queue, all traffic queued up for that item
is processed before any traffic in the normal queue for the same item is processed.
QoS applies to outbound traffic only.
EXAMPLE:
To allocate port 6 traffic to the high-priority queue, enter the following command:
ServerIron(config)# interface e 6
ServerIron(config-if-6)# qos-priority high

Syntax: qos-priority normal | high


Possible values: normal or high
Default value: normal

quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-if-6)# quit
ServerIron>

Syntax: quit
Possible values: N/A
Default value: N/A

rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.

show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see "Show Commands" on page 21-1.

spanning-tree
Spanning tree can be disabled or enabled on an interface basis.
EXAMPLE:
To disable spanning tree on physical port 4 of a system with no VLANs operating, enter the following:
ServerIron(config)# interface ethernet 4
ServerIron(config-if-4)# no spanning-tree
EXAMPLE:
To disable spanning tree on physical port 4 of a system within VLAN 2, enter the following:
ServerIron(config)# vlan 2
ServerIron(config-vlan-2)# no spanning-tree

Syntax: spanning-tree
Possible values: N/A
Default value: Disabled

speed-duplex
Modifies port speed and duplex. It defines the speed and duplex mode for 10BaseT and 100BaseTx ports.
Gigabit (1000BaseSx and 1000BaseLx) and 100BaseFx ports operate at a fixed speed and mode (full-duplex)
and cannot be modified.
EXAMPLE:
ServerIron(config)# interface e8
ServerIron(config-if-8)# speed-duplex 10-full

Syntax: speed-duplex <value>


Possible values: 10-full, 10-half, 100-full, 100-half, auto
Default value: 10/100 autosense

unknown-unicast limit
Specifies the maximum number of unknown-unicast packets the device can forward each second. By default the
device sends unknown unicasts and all other traffic at wire speed and is limited only by the capacities of the
hardware. However, if other devices in the network cannot handle unlimited unknown-unicast traffic, this
command allows you to relieve those devices by throttling the unknown unicasts at the Foundry device.
NOTE: The unknown-unicast limit does not affect broadcast or multicast traffic. However, you can use the
broadcast limit and multicast limit commands to control these types of traffic. See "broadcast limit" on page 8-1
and "multicast limit" on page 8-11.
EXAMPLE:
ServerIron(config)# interface e8
ServerIron(config-if-8)# unknown-unicast limit 30000

Syntax: unknown-unicast limit <num>


Possible values: 0 to 4294967295
Default value: N/A

write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-if-8)# write memory

Syntax: write memory


Possible values: N/A
Default value: N/A

write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-if-8)# write terminal

Syntax: write terminal


Possible values: N/A
Default value: N/A

Chapter 9
VLAN Commands

always-active
Configures a link between active and standby ServerIrons in some FWLB configurations to forward Layer 2 traffic
without causing loops. See the Foundry ServerIron Firewall Load Balancing Guide.

atalk-proto
This command creates an AppleTalk protocol VLAN within a ServerIron port-based VLAN when entered at the
VLAN Level. All ports are assumed by default to be members of the VLAN when initially created. Protocol VLAN
membership can be modified using the dynamic, static, or exclude commands.
EXAMPLE:
To create an AppleTalk Protocol VLAN with permanent port membership of 9 and 13 and no dynamic ports within
an already defined port-based VLAN 2, enter the following commands.
ServerIron(config)# vlan 2
ServerIron(config-vlan-2)# atalk-proto
ServerIron(config-vlan-atalk-proto)# static e 9 e 13
ServerIron(config-vlan-atalk-proto)# no dynamic
NOTE: If configuring this on a switch, enter vlan 2 by port at the CONFIG Level versus vlan 2, as shown in the
example above.

Syntax: atalk-proto [<name>]


The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last
arguments in the command. For example, to name an AppleTalk VLAN, enter the following command:
ServerIron(config)# atalk-proto name AppleVLAN1
To name an IP VLAN, enter the following commands:
ServerIron(config)# ip-proto 192.75.5.0/24 name "Ship and Recv"
This example shows how to specify a name that contains a blank. Use double quotation marks before and after
the name.
Possible values: N/A
Default value: N/A

decnet-proto
This command creates a Decnet protocol VLAN within a ServerIron port-based VLAN, when entered at the VLAN
Level. All ports are assumed by default to be members of the VLAN when initially created. Protocol VLAN
membership can be modified using the dynamic, static, or exclude commands.
EXAMPLE:
To create a Decnet protocol VLAN with permanent port membership of 15 and 16 with port 17 as dynamic
member port, within VLAN 5, enter the following commands.
ServerIron(config)# vlan 5
ServerIron(config-vlan-5)# decnet-proto
ServerIron(config-vlan-decnet-proto)# exclude e 1 to 14 e18
NOTE: If configuring this on a switch, enter vlan 5 by port at the CONFIG Level versus vlan 5, as shown in the
example above.

Syntax: decnet-proto [<name>]

The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last
arguments in the command. The name can contain blank spaces if you use double quotation marks before and
after the name.
Possible values: N/A
Default value: N/A

end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-vlan-decnet-proto)# end
ServerIron#

Syntax: end
Possible values: N/A
Default value: N/A

exit
Moves activity up one level from the current level. In this case, activity will be moved to the port-based VLAN level
if configuring a protocol VLAN. If configuring a port-based VLAN, activity would be moved to the global level.
EXAMPLE:
ServerIron(config-vlan-decnet-proto)# exit
ServerIron(config)#

Syntax: exit
Possible values: N/A
Default value: N/A

ip-proto
This command creates an IP protocol VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN
Level.


When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership
by using the static or exclude commands.
NOTE: If configuring on a Foundry router, ports must be added to the VLAN with the static command. Ports are
not dynamically allocated to IP protocol VLANs.
EXAMPLE:
To assign ports 1, 2, 6 and 8 to an IP protocol VLAN within VLAN 7, enter the following:
ServerIron(config)# vlan 7
ServerIron(config-vlan-7)# ip-proto
ServerIron(config-vlan-ip-proto)# static e 1 to 2 e 6 e 8
NOTE: If configuring this on a switch, enter vlan 7 by port at the CONFIG Level versus vlan 7, as shown in the
example above.
NOTE: An IP protocol and IP sub-net VLAN cannot both be configured to operate on a ServerIron at the same
time. This restriction is also true for IPX and IPX network VLANs.

Syntax: ip-proto [<name>]


The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
Possible values: N/A
Default value: N/A

ip-subnet
This command creates an IP sub-net protocol VLAN on a ServerIron within a port-based VLAN, when entered at
the VLAN Level. This allows you to define finer granularity than that of an IP protocol VLAN, by partitioning
the broadcast domains by sub-net. In creating an IP sub-net VLAN, an IP address is used as the identifier.
When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership
by using the static or exclude commands.
NOTE: When configuring on a Foundry router, ports must be added to the VLAN with the static command.
Ports are not dynamically allocated to IP sub-net VLANs.
EXAMPLE:
To create an IP sub-net of IP address 192.75.3.0 with permanent port membership of 1 and 2 (module 2), within
VLAN 10, enter the following commands.
ServerIron(config)# vlan 10
ServerIron(config-vlan-10)# ip-subnet 192.75.3.0 255.255.255.0
ServerIron(config-vlan-ip-subnet)# static e 1 to 2
NOTE: If configuring this on a switch, enter vlan 10 by port at the CONFIG Level versus vlan 10, as shown in
the example above.
NOTE: An IP protocol and IP sub-net VLAN cannot both be configured to operate simultaneously on a Foundry
switch or router. This restriction is also true for IPX and IPX Network VLANs.

Syntax: ip-subnet <ip-addr> <ip-mask> [<name>]


The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.


To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last
arguments in the command. The name can contain blank spaces if you use double quotation marks before and
after the name.
Possible values: N/A
Default value: N/A

ipx-network
This command creates an IPX network VLAN on a ServerIron within a port-based VLAN, when entered at the
VLAN Level. This allows you to define finer granularity than that of the IPX protocol VLAN, by partitioning the
broadcast domains by IPX network number. In creating an IPX network VLAN, an IPX network number is used as
the identifier. The frame type must also be specified.
When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership
by using the static or exclude commands.
NOTE: When configuring on a Foundry router, ports must be added to the VLAN with the static command.
Ports are not dynamically allocated to IPX network VLANs.
EXAMPLE:
To create an IPX network VLAN with a network number of 500 and frame type of 802.2 with permanent port
membership of 10 and 14 within port-based VLAN 15, enter the following commands.
ServerIron(config)# vlan 15
ServerIron(config-vlan-15)# ipx-network 500 ethernet_802.2
ServerIron(config-vlan-ipx-proto)# static e 10 e 14

Syntax: ipx-network <ipx-network-number> <frame-type> [<name>]


NOTE: If configuring this on a switch, enter vlan 15 by port at the CONFIG Level versus vlan 15, as shown in
the example above.
NOTE: An IPX network and IPX protocol VLAN cannot both be configured to operate simultaneously on a
Foundry switch or router. This restriction is also true for IP protocol and IP sub-net VLANs.
Possible values: Frame type: ethernet_ii, ethernet_802.2, ethernet_802.3, ethernet_snap
The <name> parameter can be up to 16 characters long and can contain blanks. The name appears in VLAN
show displays.
Default value: N/A

ipx-proto
This command creates an IPX protocol VLAN on a ServerIron within a port-based VLAN, when entered at the
VLAN Level.
When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership
by using the static or exclude commands.
NOTE: If configuring on a Foundry router, ports must be added to the VLAN with the static command. Ports are
not dynamically allocated to IPX protocol VLANs.
EXAMPLE:
To assign ports 1, 2, 6 and 8 to an IPX protocol VLAN within port-based VLAN 22, enter the following:
ServerIron(config)# vlan 22
ServerIron(config-vlan-22)# ipx-proto
ServerIron(config-vlan-ipx-proto)# static e 1 to 2 e 6 e 8

NOTE: If configuring this on a switch, enter vlan 22 by port at the CONFIG Level versus vlan 22, as shown in
the example above.
NOTE: An IPX protocol and IPX network VLAN cannot both be configured to operate simultaneously on a
Foundry switch or router. This restriction is also true for IP and IP sub-net VLANs.

Syntax: ipx-proto [<name>]


The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last
arguments in the command. The name can contain blank spaces if you use double quotation marks before and
after the name.
Possible values: N/A
Default value: N/A

netbios-proto
This command creates a NetBIOS protocol VLAN on a ServerIron within a port-based VLAN, when entered at the
VLAN Level.
All ports are dynamically allocated to a NetBIOS VLAN when it is created. VLAN Membership can be modified
using the dynamic, static, or exclude commands.
EXAMPLE:
To create a NetBIOS Protocol VLAN with permanent port membership of 4 and 5 and ports 8 through 12 as
dynamic member ports, within port-based VLAN 25, enter the following commands.
ServerIron(config)# vlan 25
ServerIron(config-vlan-25)# netbios-proto
ServerIron(config-vlan-netbios-proto)# static e 2 e 2
ServerIron(config-vlan-netbios-proto)# exclude e 2 to 2 e 2 e 2 e 2 to 2
NOTE: If configuring this on a switch, enter vlan 25 by port at the CONFIG Level versus vlan 25, as shown in
the example above.

Syntax: netbios-proto [<name>]


The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last
arguments in the command. The name can contain blank spaces if you use double quotation marks before and
after the name.
Possible values: N/A
Default value: N/A

no
This command is used to disable other commands. To do so, place the word no before the command.

other-proto
This command creates an other-protocol VLAN on a ServerIron within a port-based VLAN, when entered at the
VLAN Level.
All ports of the ServerIron are by default dynamically assigned to a newly created other protocol VLAN. VLAN
Membership can be modified using the dynamic, static, or exclude commands.


You can use this option to define a protocol-based VLAN for protocols that do not require a singular protocol
broadcast domain or are not currently supported on the ServerIron.
EXAMPLE:
On a 16-port switch, ports 13 through 16 represent protocols Decnet and AppleTalk. You do not need to separate
traffic by protocol into separate broadcast domains. Instead, create an other-protocol VLAN, with just those ports
as members, within port-based VLAN 50.
ServerIron(config)# vlan 50
ServerIron(config-vlan-50)# other-proto
ServerIron(config-vlan-other-proto)# static e13 to 16
ServerIron(config-vlan-other-proto)# exclude e1 to 12
NOTE: If configuring this on a switch, enter vlan 50 by port at the CONFIG Level versus vlan 50, as shown in
the example above.

Syntax: other-proto [<name>]


The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last
arguments in the command. The name can contain blank spaces if you use double quotation marks before and
after the name.
Possible values: N/A
Default value: N/A

priority
This assigns a higher priority to a VLAN so that in times of congestion, it will receive precedence over other
transmissions. Up to eight levels of priority can be assigned to a VLAN.
EXAMPLE:
ServerIron(config)# vlan 25
ServerIron(config-vlan-25)# priority high

Syntax: priority normal | high


Possible values: N/A
Default value: N/A

quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-vlan-6)# quit
ServerIron>

Syntax: quit
Possible values: N/A
Default value: N/A

router-interface
Configures a virtual routing interface for use with IP forwarding. After you add the virtual routing interface, you can
configure IP addresses on the routing interface.
EXAMPLE:
ServerIron(config)# vlan 1
ServerIron(config-vlan-1)# router-interface ve 1
The vlan 1 command changes the CLI to the configuration level for VLAN 1. The router-interface ve 1 command
adds virtual routing interface 1.

Syntax: [no] router-interface ve <num>


The <num> parameter specifies the interface ID and can be from 1 – 24.
Possible values: 1 – 24
Default value: N/A

rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.

show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see "Show Commands" on page 21-1.

spanning-tree
Spanning Tree bridge and port parameters are configurable using one command set at the global level for VLANs.
NOTE: When port-based VLANs are not operating on the system, spanning tree is set on a system level at the
Global CONFIG Level.
EXAMPLE:
Suppose you want to change the hello-time value of VLAN 3 from the default value. Additionally, you want to
change the path and priority costs for port 5, a member of VLAN 3. Enter the following commands:
ServerIron(config)# vlan 3
ServerIron(config-vlan-3)# span hello-time 8
ServerIron(config-vlan-3)# span ethernet 5 path-cost 15 priority 64
NOTE: You do not need to configure values for the spanning tree parameters. All parameters have default
values as noted below. Additionally, all values will be globally applied to all ports on the system or port-based
VLAN for which they are defined.
To configure a specific path-cost or priority value for a given Ethernet port, enter those values using the key words
found in the brackets [ ] shown in the syntax summary below. If you do not want to specify any specific values for
any given Ethernet port, this portion of the command is not required.

Syntax: spanning-tree [ethernet <portnum> path-cost <value> priority <value>] forward-delay <value>
hello-time <value> maximum-age <time> priority <value>

Bridge STP Parameters (applied to all ports within a VLAN)

Forward Delay: the period of time a bridge will wait (the listen and learn period) before forwarding data
packets. Possible values: 4 – 30 seconds. Default is 15.

Maximum Age: the interval a bridge will wait for receipt of a hello packet before initiating a topology change.
Possible values: 6 – 40 seconds. Default is 20.

Hello Time: the interval of time between each configuration BPDU sent by the root bridge.
Possible values: 1 – 10 seconds. Default is 2.

Priority: a parameter used to identify the root bridge in a network. The bridge with the lowest value has the
highest priority and is the root. Possible values: 0 – 255. Default is 128.


Port Parameters (applied to a specified port within a VLAN)

Path Cost: a parameter used to assign a higher or lower path cost to a port. Possible values: 1 – 65535.
Default is (1000/Port Speed) for Half-Duplex ports and is (1000/Port Speed)/2 for Full-Duplex ports.

Priority: value determines when a port will be rerouted in relation to other ports. Possible values: 0 – 255.
Default is 128.
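
The ranges and defaults listed above can be checked offline against a saved configuration before it is loaded. The following Python check is an added example, not part of the Foundry reference: the sample configuration is constructed, the function names are hypothetical, and the two timer-relationship tests come from IEEE 802.1D rather than from this page.

```python
import re

# Ranges and defaults as listed in this section of the reference.
BRIDGE_RANGES = {"forward-delay": (4, 30), "maximum-age": (6, 40),
                 "hello-time": (1, 10), "priority": (0, 255)}
BRIDGE_DEFAULTS = {"forward-delay": 15, "maximum-age": 20,
                   "hello-time": 2, "priority": 128}
PORT_RANGES = {"path-cost": (1, 65535), "priority": (0, 255)}

# Constructed sample. VLAN 3 repeats the example from this section; VLANs 9
# and 11 are made up to trigger findings.
SAMPLE_CONFIG = """\
vlan 3
 span hello-time 8
 span ethernet 5 path-cost 15 priority 64
vlan 9
 spanning-tree forward-delay 4 maximum-age 40
vlan 11
 span hello-time 12
"""


def parse_span(tokens):
    """Split the arguments of one spanning-tree command into
    (bridge_params, port, port_params). Inside the optional
    'ethernet <portnum> ...' group, path-cost and the first priority belong
    to the port; a later priority is the bridge priority."""
    bridge, port, port_params = {}, None, {}
    in_port_group = False
    i = 0
    while i < len(tokens):
        key = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError(f"missing value after {key!r}")
        if key == "ethernet":
            port, in_port_group = tokens[i + 1], True
        elif in_port_group and key in PORT_RANGES and key not in port_params:
            port_params[key] = int(tokens[i + 1])
        elif key in BRIDGE_RANGES:
            in_port_group = False
            bridge[key] = int(tokens[i + 1])
        else:
            raise ValueError(f"unknown spanning-tree keyword: {key!r}")
        i += 2
    return bridge, port, port_params


def check_config(config):
    """Return a sorted list of (vlan_id, message) findings."""
    vlans, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"vlan (\d+)\b", line)
        if m:
            current = vlans.setdefault(int(m.group(1)),
                                       {"bridge": {}, "ports": {}})
            continue
        m = re.match(r"span(?:ning-tree)?\s+(.*)", line)
        if m and current is not None:
            bridge, port, port_params = parse_span(m.group(1).split())
            current["bridge"].update(bridge)
            if port is not None:
                current["ports"].setdefault(port, {}).update(port_params)

    findings = []
    for vid, cfg in vlans.items():
        for key, value in cfg["bridge"].items():
            lo, hi = BRIDGE_RANGES[key]
            if not lo <= value <= hi:
                findings.append((vid, f"{key} {value} outside {lo}-{hi}"))
        for port, params in cfg["ports"].items():
            for key, value in params.items():
                lo, hi = PORT_RANGES[key]
                if not lo <= value <= hi:
                    findings.append(
                        (vid, f"port {port} {key} {value} outside {lo}-{hi}"))
        # Effective timers: configured values over the documented defaults.
        eff = {**BRIDGE_DEFAULTS, **cfg["bridge"]}
        # IEEE 802.1D timer relationships (assumption: not stated on this page).
        if 2 * (eff["forward-delay"] - 1) < eff["maximum-age"]:
            findings.append((vid, "maximum-age exceeds 2 x (forward-delay - 1)"))
        if eff["maximum-age"] < 2 * (eff["hello-time"] + 1):
            findings.append((vid, "maximum-age below 2 x (hello-time + 1)"))
    return sorted(findings)


if __name__ == "__main__":
    for vlan_id, message in check_config(SAMPLE_CONFIG):
        print(f"VLAN {vlan_id}: {message}")
```

The section's own VLAN 3 example produces no findings: hello-time 8 stays consistent with the default maximum age of 20 and forward delay of 15.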

static-mac-address
This command allows you to define a static MAC address for a port on a ServerIron to ensure the device is not
aged out. When defining the MAC address entry, you can also define the port's priority and whether or not it is a
router-type or host-type.
NOTE: If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-based VLAN (VLAN 1). If you enter the command at the configuration level for a specific port-based VLAN, the
entry applies to that VLAN and not to the default VLAN.
NOTE: If you want to include a trunk group when you configure a static MAC entry that has multiple ports,
include only the primary port of the trunk group. If you include all the trunk group's ports, the ServerIron uses all
the ports to forward traffic for the MAC address instead of using only the active trunk port.

EXAMPLE:
To enter a static MAC address entry for port 5, that is also resident in port-based VLAN 4, enter the following:
ServerIron(config)# vlan 4
ServerIron(config-vlan-4)# static-mac-address 023.876.735 ethernet 5 high-priority router-type
The syntax for adding static MAC entries differs depending on whether you are using a stackable or chassis
ServerIron.
Syntax for chassis devices:

Syntax: static-mac-address <mac-addr> ethernet <portnum> [priority <0-7>] [host-type | router-type]


Syntax for stackable devices:

Syntax: static-mac-address <mac-addr> ethernet <portnum> [to <portnum> ethernet <portnum>] [normal-priority | high-priority] [host-type | router-type | fixed-host]

The priority can be 0 – 7 (0 is lowest and 7 is highest) for chassis devices and either normal-priority or high-priority for stackable devices.
NOTE: The fixed-host parameter is supported only on stackable ServerIrons. Use the fixed-host parameter for
Layer 2 firewall configurations. The parameter "fixes" the address to the ServerIron port you specify and prevents
other ports on the ServerIron from learning it. Use the router-type parameter for all other types of FWLB
configurations. For more information, see the Foundry ServerIron Firewall Load Balancing Guide.
To create a static MAC entry that is associated with multiple ports, enter a command such as the following:
ServerIron(config-vlan-4)# static-mac-address aaaa.bbbb.cccc ethernet 1 ethernet 3 to 5
This command creates a static MAC entry that is associated with port 1 and ports 3 – 5. The ServerIron forwards
traffic addressed to aaaa.bbbb.cccc out all the ports you specified, in this case 1, 3, 4, and 5.

Syntax: static-mac-address <mac-addr> ethernet <portnum> [to <portnum> ethernet <portnum>] [normal-priority | high-priority] [host-type | router-type | fixed-host]


NOTE: If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-based VLAN (VLAN 1). If you enter the command at the configuration level for a specific port-based VLAN, the
entry applies to that VLAN and not to the default VLAN.

Foundry recommends that you configure a static ARP entry to match the static MAC entry. In fact, the software
automatically creates a static MAC entry when you create a static ARP entry.
NOTE: When a static MAC entry has a corresponding static ARP entry, you cannot delete the static MAC entry
unless you first delete the static ARP entry.
To create a static ARP entry for a static MAC entry, enter a command such as the following:
ServerIron(config-vlan-4)# arp 1 192.53.4.2 aaaa.bbbb.cccc ethernet 1
NOTE: The arp command allows you to specify only one port number. To create a static ARP entry for a static
MAC entry that is associated with multiple ports, specify the first (lowest-numbered) port associated with the static
MAC entry.
Possible values: See above.
Default value: See above.

tagged
Once a port-based VLAN is created, port membership for that VLAN must be defined. To assign a port to a port-based VLAN, either the tagged or untagged command is used. When a port is tagged, it can be a member of
multiple port-based VLANs.
When a port is tagged, it allows communication among the different VLANs to which it is assigned. A common
use is to place an email server that multiple groups need to reach on a tagged port that is
resident in every VLAN whose members need access to the server.
EXAMPLE:
Suppose you want to make port 5 (module 5), a member of port-based VLAN 4, a tagged port. Enter the following:
ServerIron(config)# vlan 4
ServerIron(config-vlan-4)# tagged ethernet 3/5

Syntax: tagged ethernet <portnum> [to <portnum> [ethernet <portnum>]]


Possible values: see above.
Default value: N/A

untagged
Once a port-based VLAN is created, port membership for that VLAN must be defined. To assign a port to a port-based VLAN, either the tagged or untagged command is used. When a port is untagged it can only be a
member of one VLAN.
EXAMPLE:
Suppose you want to assign all ports on a 16-port ServerIron except port 5 (module 3) as untagged to a VLAN. To
assign ports 1-4 and 6-16 to VLAN 4, enter the following:
ServerIron(config)# vlan 4
ServerIron(config-vlan-4)# untagged ethernet 3/1 to 3/4 e 3/6 to 3/16

Syntax: untagged ethernet <portnum> [to <portnum> ethernet <portnum>]


Possible values: see above.
Default value: N/A
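
The tagged and untagged membership rules above can be reviewed offline against a saved configuration. The following Python audit is an added example, not part of the Foundry reference: the sample configuration is constructed and the function names are hypothetical. It expands the port-list syntax used throughout this chapter, then reports untagged ports that appear in more than one port-based VLAN and tagged ports shared between VLANs, since those are the points where traffic can cross VLAN boundaries.

```python
import re
from collections import defaultdict

# Constructed sample in the syntax of this chapter's examples (not from a real
# device). Port 3/5 is tagged in VLANs 4 and 7; port 3/2 is untagged in both.
SAMPLE_CONFIG = """\
vlan 4 by port
 untagged ethernet 3/1 to 3/4 e 3/6 to 3/8
 tagged ethernet 3/5
vlan 7 by port
 untag e 3/2 e 3/9 to 3/10
 tagged ethernet 3/5
"""

PORT_RE = re.compile(r"^(?:(\d+)/)?(\d+)$")


def parse_port(token):
    """'3/5' -> (3, 5); '13' -> (None, 13)."""
    m = PORT_RE.match(token)
    if not m:
        raise ValueError(f"not a port number: {token!r}")
    return (int(m.group(1)) if m.group(1) else None, int(m.group(2)))


def expand_ports(args):
    """Expand a port list such as 'ethernet 3/1 to 3/4 e 3/6' or
    'e 1 to 14 e18' into individual port names, in the order given."""
    # Drop the 'ethernet' / 'e' keyword, which may be glued to the number.
    tokens = re.sub(r"\b(?:ethernet|e)\s*(?=\d)", " ", args).split()
    ports, i = [], 0
    while i < len(tokens):
        slot, first = parse_port(tokens[i])
        last = first
        if i + 1 < len(tokens) and tokens[i + 1] == "to":
            if i + 2 >= len(tokens):
                raise ValueError("'to' without an end port")
            end_slot, last = parse_port(tokens[i + 2])
            if end_slot != slot or last < first:
                raise ValueError(f"bad range: {tokens[i]} to {tokens[i + 2]}")
            i += 2
        prefix = f"{slot}/" if slot is not None else ""
        ports.extend(f"{prefix}{n}" for n in range(first, last + 1))
        i += 1
    return ports


def parse_vlans(config):
    """Return {vlan_id: {'tagged': set, 'untagged': set}}."""
    vlans, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"vlan (\d+)\b", line)
        if m:
            current = vlans.setdefault(
                int(m.group(1)), {"tagged": set(), "untagged": set()})
            continue
        m = re.match(r"(untag(?:ged)?|tag(?:ged)?)\s+(.*)", line)
        if m and current is not None:
            kind = "untagged" if m.group(1).startswith("un") else "tagged"
            current[kind].update(expand_ports(m.group(2)))
    return vlans


def audit(vlans):
    """Return sorted (finding, port, [vlan ids]) tuples."""
    membership = {"tagged": defaultdict(set), "untagged": defaultdict(set)}
    for vid, cfg in vlans.items():
        for kind in membership:
            for port in cfg[kind]:
                membership[kind][port].add(vid)
    findings = []
    for port, ids in membership["untagged"].items():
        if len(ids) > 1:  # an untagged port can belong to only one VLAN
            findings.append(("untagged-multi-vlan", port, sorted(ids)))
        if port in membership["tagged"]:
            both = ids | membership["tagged"][port]
            findings.append(("tagged-and-untagged", port, sorted(both)))
    for port, ids in membership["tagged"].items():
        if len(ids) > 1:  # shared port: reachable from every listed VLAN
            findings.append(("tagged-shared", port, sorted(ids)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_vlans(SAMPLE_CONFIG)):
        print(finding)
```

A "tagged-shared" finding is expected for deliberately shared servers such as the email server described above; the list is meant to be compared against the ports that are supposed to be shared.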


uplink-switch
Configures a set of ports within a port-based VLAN as uplink ports for the VLAN. All broadcast and unknown-unicast traffic goes only to the uplink ports, not to the other ports in the VLAN.
For more information, see the "Configuring Virtual LANs (VLANs)" chapter in the Foundry Switch and Router
Installation and Basic Configuration Guide.
EXAMPLE:
To configure a port-based VLAN containing uplink ports, enter commands such as the following:
ServerIron(config)# vlan 10 by port
ServerIron(config-vlan-10)# untag ethernet 1/1 to 1/24
ServerIron(config-vlan-10)# untag ethernet 2/1 to 2/2
ServerIron(config-vlan-10)# uplink-switch ethernet 2/1 to 2/2

Syntax: [no] uplink-switch ethernet <portnum> [to <portnum> | ethernet <portnum>]


In this example, 24 ports on a 10/100 module and two Gigabit ports on a Gigabit module are added to port-based
VLAN 10. The two Gigabit ports are then configured as uplink ports.
Possible values: see above.
Default value: N/A

write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-vlan-4)# write memory

Syntax: write memory


Possible values: N/A
Default value: N/A

write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-vlan-4)# write terminal

Syntax: write terminal


Possible values: N/A
Default value: N/A


Chapter 10
Real Server Commands

asymmetric
Overrides the ServerIron's default mechanism for checking the health of cache servers. Normally, the ServerIron
uses cache responses forwarded back through the ServerIron as indications of a cache server's health. However,
in some topologies, the cache responses do not pass through the ServerIron.
EXAMPLE:
ServerIron(config-rs-realserver1)# asymmetric

Syntax: asymmetric
Possible values: N/A
Default value: Disabled

backup
Designates a real server to be a backup server.
By default, the virtual server uses the locally attached real servers (added using the server real-name command)
as the primary load-balancing servers and uses the remotely attached servers (added using the server remote-name command) as backups.
NOTE: This command applies only to the ServerIron 400 or ServerIron 800 running software release 07.2.23 or
later.
EXAMPLE:
ServerIron(config-rs-R3)# backup

Syntax: [no] backup


You also need to configure virtual servers to use the primary and backup servers you designate. See "port" on
page 11-3.
Possible values: N/A
Default value: Primary if locally attached; backup if remotely attached

clear
Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in
"Privileged EXEC Commands" on page 5-1.


clone-server
Makes a copy ("clone") of a real server's configuration. When you clone a real server, you make a copy of the real
server's configuration information under a new name. The copy includes the port bindings to the virtual server.
EXAMPLE:
ServerIron(config)# server real rs1 1.2.3.4
ServerIron(config-rs-rs1)# clone-server rs2 5.6.7.8
The first command changes the CLI to the configuration level for the real server you want to copy. The second
command creates a clone of real server rs1. The clone is named "rs2" and has IP address 5.6.7.8.

Syntax: clone-server <name> <ip-addr>


The <name> parameter specifies the name of the clone.
The <ip-addr> parameter specifies the IP address of the clone.
NOTE: To delete a server clone, you must manually edit the startup-config file to remove the command. The
"no" option is not supported for this command.
Possible values: See above
Default value: N/A

description
Adds a description to a real server, virtual server, firewall, or cache. The description appears in the output of
show commands and in the running-config and startup-config files.
EXAMPLE:
ServerIron(config)# server real RS20 1.2.3.4
ServerIron(config-rs-RS20)# description "Real Server # 20"

Syntax: description <"text">


Possible values: N/A
Default value: N/A

end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-rs-webland)# end
ServerIron#

Syntax: end
Possible values: N/A
Default value: N/A

exceed-max-drop
Drops HTTP requests when all the real servers in a server group have reached their maximum number of
connections.
EXAMPLE:
ServerIron(config)# server real-name server1 207.95.7.1
ServerIron(config-rs-server1)# exceed-max-drop
ServerIron(config-rs-server1)# exit

Syntax: exceed-max-drop

Possible values: N/A
Default value: N/A

exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-rs-webland)# exit
ServerIron(config)#

Syntax: exit
Possible values: N/A
Default value: N/A

filter-match
This command enables policy-based caching, which selectively caches web sites on specific cache servers. For
example, an ISP can use a ServerIron configured for policy-based caching to redirect HTTP traffic to a series of
web cache servers made by different vendors with different caching criteria.
To take advantage of policy-based caching, you also need to define IP access policy filters.
EXAMPLE:
ServerIron(config-rs-fixedcontent)# filter-match

Syntax: filter-match
Possible values: N/A
Default value: N/A

history-group
This command is used with the Layer 4 statistics monitoring function on the ServerIron. This command binds a
history list to a real server. You can bind up to 8 history lists to a real server or port on a real server.
EXAMPLE:
To bind history list 1 to port 80 (HTTP) on real server aaa:
ServerIron(config)# server real aaa
ServerIron(config-rs-aaa)# port http history-group 1

Syntax: history-group <entry-numbers>


Possible values: You can bind up to 8 history lists to a real server or port on a real server
Default value: N/A

host-range
Creates a range of contiguous virtual IP addresses (VIPs) based on the VIP address of the virtual server. The
ServerIron creates the range by creating the number of VIPs that you specify with this command. You do not
specify a range; you specify the number of hosts in the range. The beginning address in the range is always the
VIP.
NOTE: The IP addresses must be contiguous on the real server.
EXAMPLE:
To define a range of 500 contiguous VIPs, enter the following commands:
ServerIron(config)# server real-name r1 10.4.4.4
ServerIron(config-rs-r1)# host-range 500
ServerIron(config-rs-r1)# exit
ServerIron(config)# server real-name r2 10.4.4.5
ServerIron(config-rs-r2)# host-range 500
ServerIron(config-rs-r2)# exit
ServerIron(config)# server virtual-name lotsofhosts 209.157.22.99
ServerIron(config-vs-lotsofhosts)# host-range 500
ServerIron(config-vs-lotsofhosts)# exit

Syntax: host-range <range>


Possible values: 0 – 4294967295
Default value: N/A

ip-address
Changes a real server's IP address.
You can change the IP address even when the real server is active. This capability is useful when you want to
perform some maintenance on the real server (either the server itself or the server's configuration on the
ServerIron) or when the network topology has changed.
By default, when you change a server's IP address, the ServerIron performs the change gracefully, as follows:

Existing connections are allowed to continue on the old IP address until they terminate normally.

New client requests are sent to the new IP address.

Optionally, you can force all existing connections to be reset instead of waiting for them to terminate normally.
When you force the connections to be reset, the ServerIron immediately resets a connection when it receives
client data for the connection.
EXAMPLE:
ServerIron(config)# server real rs1
ServerIron(config-rs-rs1)# ip-address 5.6.7.8

Syntax: [no] ip-address <ip-addr> [force-shutdown]


The <ip-addr> parameter specifies the real server's new IP address.
The force-shutdown parameter immediately resets a client's connection to the IP address when the ServerIron
receives TCP data from the client. By default, the ServerIron allows existing connections to terminate normally
following the address change.
Possible values: valid IP address
Default value: the address you specified when you configured the server

max-conn
Allows you to specify the maximum number of sessions the ServerIron will maintain in its session table for a
specific real server.
NOTE: The configured value cannot exceed the maximum value configured for active sessions using the server
session-limit command at the global level.
EXAMPLE:
ServerIron(config)# server real-name web2
ServerIron(config-rs-web2)# max-conn 1000

Syntax: max-conn <value>


Possible values: 1 – 1,000,000

Default value: 1,000,000

max-tcp-conn-rate
Configures Connection Rate Limiting (CRL) for a TCP application port on a real server, cache server, or firewall.
EXAMPLE:
ServerIron(config-rs-FW1)# max-tcp-conn-rate 1000
The command in this example specifies a maximum TCP connection rate of 1000 connections per second on
firewall FW1.

Syntax: [no] max-tcp-conn-rate <num>


The <num> parameter specifies the maximum number of connections per second and can be a number from 1 –
65535. The default is 65535.
Possible values: 1 – 65535
Default value: 65535

max-udp-conn-rate
Configures Connection Rate Limiting (CRL) for a UDP application port on a real server, cache server, or firewall.
EXAMPLE:
ServerIron(config-rs-FW1)# max-udp-conn-rate 800
The command in this example specifies a maximum UDP connection rate of 800 connections per second on
firewall FW1.

Syntax: [no] max-udp-conn-rate <num>


The <num> parameter specifies the maximum number of connections per second and can be a number from 1 –
65535. The default is 65535.
Possible values: 1 – 65535
Default value: 65535

no
This command is used to disable other commands. To do so, place the word no before the command.

other-ip
Configures a second IP address for certain multihomed devices. This command can be used in some FWLB
configurations where a pair of ServerIrons is configured as an active-standby pair and the firewalls are
multihomed. In this type of configuration, the other-ip command identifies the IP address of the firewall interface
connected to the other ServerIron in the pair.

port
Allows you to override global port attributes set in the port's profile. In addition, this command allows you to
configure application-specific health check parameters for HTTP, DNS, and RADIUS ports.
EXAMPLE:
To disable a port, enter commands such as the following:
ServerIron(config)# server real-name web2
ServerIron(config-rs-web2)# port http disable

Syntax: [no] port <port> [disable | enable]


EXAMPLE:
To locally enable a TCP/UDP health check, enter a command such as the following at the Real Server level of the
CLI:
ServerIron(config-rs-jet)# port dns keepalive


Syntax: [no] port <port> [keepalive]


If you use the "no" parameter in front of the command, you are locally disabling the health check. The health
checks are locally disabled by default.
The <port> parameter can have one of the following values:

dns – the well-known name for port 53
NOTE: If you are configuring Global SLB, you must use the proxy parameter following dns; for example,
port dns proxy. For more information, see the "Configuring Global Server Load Balancing" chapter in the
Foundry ServerIron Installation and Configuration Guide.
ftp – the well-known name for port 21. (Ports 20 and 21 both are FTP ports but in the ServerIron, the name
ftp corresponds to port 21.)
http – the well-known name for port 80
imap4 – the well-known name for port 143
ldap – the well-known name for port 389
mms – the well-known name for port 1755
nntp – the well-known name for port 119
ntp – the well-known name for port 123
pnm – the well-known name for port 7070
pop2 – the well-known name for port 109
pop3 – the well-known name for port 110
radius – the well-known name for udp port 1812
smtp – the well-known name for port 25
snmp – the well-known name for port 161
ssl – the well-known name for port 443
rtsp – the well-known name for port 554
telnet – the well-known name for port 23
tftp – the well-known name for port 69
<number>
NOTE: Specify the port number if the port is not one of the well-known names listed above.

EXAMPLE:
To configure the HTTP keepalive request to send a HEAD request for sales.html, enter the following commands:
ServerIron(config)# server real Jet 207.96.3.251
ServerIron(config-rs-jet)# port http url "/sales.html"
ServerIron(config-rs-jet)# exit
ServerIron(config)# server virtual NiceServer 207.96.4.250
ServerIron(config-vs-NiceServer)# port http
ServerIron(config-vs-NiceServer)# bind http Jet http

Syntax: port http url [GET | HEAD] [/]<URL-page-name>

GET or HEAD is an optional parameter that specifies the request type. By default, HTTP keepalive uses HEAD to
retrieve the URL page. You can override the default and configure the ServerIron to use GET to retrieve the URL
page.
The slash ( / ) is an optional parameter. If you do not set the GET or HEAD parameter, and the slash is not in the
configured URL page, then ServerIron automatically inserts a slash before retrieving the URL page.
EXAMPLE:
To configure the domain name for address-based DNS health checking, enter the following command:
ServerIron(config-rs-jet)# port dns addr_query "abc.zone1.com"

Syntax: [no] port dns addr_query "<name>"


To configure the zone name for zone-based DNS health checking, enter the following command:
ServerIron(config-rs-jet)# port dns zone foundrynet.com

Syntax: [no] port dns zone <zone-name>


EXAMPLE:
To configure the parameters for a RADIUS health check, enter commands such as the following at the Real Server
level of the CLI:
ServerIron(config-rs-jet)# port radius username willy
ServerIron(config-rs-jet)# port radius password wonka
ServerIron(config-rs-jet)# port radius key chklt

Syntax: [no] port radius username <string>


Syntax: [no] port radius password <string>
Syntax: [no] port radius key <string>
Possible values: See above
Default value: See above
EXAMPLE:
In a web switching configuration, to specify the server group(s) to which the real server belongs:
ServerIron(config-rs-jet)# port http group-id 1 5

Syntax: [no] port http group-id <server-group-id-pairs>


Possible values: The server group is expressed as a pair of numbers, indicating a range of real server group IDs.
The first number is the lowest-numbered server group ID, and the second is the highest-numbered server group
ID. For example, if a real server belongs only to the server group with ID = 1, the last two numbers in the port http
group-id command would be 1 1. (Note the space between the two numbers.) If a real server belongs to server
groups 1 - 10, the last two numbers in the command would be 1 10. To include a real server in groups that are
not consecutively numbered, you can enter up to four server group ID pairs. Valid numbers for server group IDs
are 0 - 1023.
Default value: N/A
EXAMPLE:
To disable the Layer 4 health check for an individual application on an individual firewall, enter a command such as
the following at the firewall configuration level of the CLI:
ServerIron(config-rs-FW1)# port http no-health-check
The command in this example disables Layer 4 health checks for port HTTP on firewall FW1.

Syntax: [no] no-health-check


EXAMPLE:
To limit the rate of new connections for a specific application port, enter commands such as the following:

ServerIron(config-rs-RS1)# port http
ServerIron(config-rs-RS1)# port http max-tcp-conn-rate 600
These commands add port HTTP (80) to the real server and limit the rate of new connections to the port to 600.

Syntax: port <TCP/UDP-portnum> max-tcp-conn-rate <num>


Syntax: port <TCP/UDP-portnum> max-udp-conn-rate <num>
The port <TCP/UDP-portnum> parameter specifies the application port.
The <num> parameter specifies the maximum number of connections per second.
Possible values: See above
Default value: Follows the global state of the Layer 4 path health check. See fw-health-check tcp | udp on
page 12-5.

port disable-all
Disables all the application ports on a real server.
NOTE: This command applies only to the ServerIron 400 and ServerIron 800.
EXAMPLE:
ServerIron(config-rs-R1)# port disable-all
To re-enable all the application ports, enter the following command:
ServerIron(config-rs-R1)# no port disable-all

Syntax: [no] port disable-all


Possible values: N/A
Default value: Enabled

port unbind-all
Unbinds all of a real server's application ports from all virtual servers.
NOTE: This command applies only to the ServerIron 400 and ServerIron 800.
EXAMPLE:
To unbind a real server's application ports, enter the following command at the configuration level for the server:
ServerIron(config-rs-R1)# port unbind-all

Syntax: port unbind-all


NOTE: Once you unbind the ports, you can rebind them only on an individual virtual server and port basis.
To re-bind an application port, you must use the bind command at the configuration level for the virtual server. For
example, if server R1 has two application ports, 80 and 8080, enter the following commands to rebind the ports to
virtual server VIP1. This example assumes that the VIP uses two real servers (R1 and R2) for the application
ports.
ServerIron(config-vs-VIP1)# bind http R1 http R2 http
ServerIron(config-vs-VIP1)# bind 8080 R1 8080 R2 8080
Possible values: N/A
Default value: Bound to the virtual servers to which you bound them

quit
This command returns you from any level of the CLI to the User EXEC mode.

EXAMPLE:
ServerIron(config-rs-test)# quit
ServerIron>

Syntax: quit
Possible values: N/A
Default value: N/A

response-time
Configures server response-time warning and shutdown thresholds for an individual server.
For information about response-time thresholds, see server response-time on page 6-79.
EXAMPLE:
ServerIron(config-rs-R1)# response-time 50 75
This command sets the warning threshold to 50 milliseconds and the shutdown threshold to 75 milliseconds, for
this real server only.
NOTE: The threshold values you configure on an individual real server override the globally configured
thresholds.

Syntax: [no] response-time <warning-threshold> [<shutdown-threshold>]


The <warning-threshold> parameter specifies the average number of milliseconds within which an application port
must respond to avoid a warning message. You can specify from 0 - 65535 milliseconds (65 seconds). There is
no default. If you specify 0, the warning threshold is disabled.
The <shutdown-threshold> parameter specifies the average number of milliseconds within which an application
port must respond to avoid being shut down. You can specify from 0 - 65535 milliseconds (65 seconds). There is
no default. If you specify 0, the shutdown threshold is disabled.
If you want the ServerIron to generate a warning message but you do not want the ServerIron to shut down an
application port, configure the warning threshold but not the shutdown threshold. Here is an example:
ServerIron(config-rs-R1)# response-time 100
To set the shutdown threshold without also setting a warning threshold, enter 0 for the warning threshold, as
shown in the following example:
ServerIron(config-rs-R1)# response-time 0 300
Possible values: 0 - 65535 milliseconds (65 seconds)
Default value: not configured

rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.

show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.

source-nat
In an SLB configuration, configures the ServerIron to translate the source address of client requests the
ServerIron forwards to real servers. The ServerIron changes the address to a source IP address you have
configured on the ServerIron.

Add source IP addresses and enable source NAT if the ServerIron and real server are in different sub-nets. See
the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
ServerIron(config-rs-june)# source-nat

Syntax: [no] source-nat


Possible values: N/A
Default value: Disabled

weight
Allows you to assign a performance weight to each server. Servers assigned a larger or higher weight receive a
larger percentage of connections.
EXAMPLE:
To set the weight for a server to 5 from the default value of 1, enter the following command:
ServerIron(config)# server real web5
ServerIron(config-rs-web5)# weight 5

Syntax: weight <least-connections-weight> [<response-time-weight>]


The <least-connections-weight> parameter specifies the real server's weight relative to other real servers in terms
of the number of connections on the server. More precisely, this weight is based on the number of session table
entries the ServerIron has for TCP or UDP sessions with the real server. You can specify a value from 0 - 65000.
The default is 1. This parameter is required. However, if you want to use a weight value only for the Server
Response Time but not for the number of connections, specify 0 for this parameter.
The <response-time-weight> parameter specifies the real server's weight relative to other real servers in terms of
the server's response time to client requests sent to the server. You can specify a value from 0 - 65000. The
default is 0 (disabled). This weight is applicable only when the server response time load-balancing method is
enabled.
If you enter a value for <response-time-weight>, the ServerIron adds the two weight values together when
selecting a real server. If you specify equal values for each parameter, the ServerIron treats the weights equally.
The number of connections on the server is just as relevant as the server's response time. However, if you set one
parameter to a higher value than the other, the ServerIron places more emphasis (weight) on the parameter with
the higher value. For example, if you specify a higher server response time weight than the weight for the number
of connections, the ServerIron pays more attention to the server's response time than to the number of
connections it currently has when considering the real server for a new connection.
NOTE: If you use the server response time method, you also can modify the smooth factor on individual
application ports. See the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and
Configuration Guide.
Possible values: See above
Default value: 0

write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-rs-web5)# write memory

Syntax: write memory


Possible values: N/A
Default value: N/A

write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-rs-web5)# write terminal

Syntax: write terminal


Possible values: N/A
Default value: N/A

Chapter 11
Virtual Server Commands

acl-id
Contact Foundry engineering for information about using this command as part of a virtual server configuration.

bind
Allows you to bind a virtual server service to real server services. A virtual server service can bind one or more real server services.
EXAMPLE:
To bind a virtual server to HTTP services on real servers web1 and web2, enter the following:
ServerIron(config)# server virtual www.foundrynet.com 207.95.5.1
ServerIron(config-vs-www.foundrynet.com)# bind http web1 http web2 http

Syntax: bind <tcp/udp-port-number> <real-server-name> <tcp/udp-port-number>


EXAMPLE:

TCP/UDP port numbers:

default all the well-known names listed below

dns the well-known name for port 53

ftp the well-known name for port 21. (Ports 20 and 21 both are ftp ports but on the ServerIron, the
name ftp corresponds to port 21.)

http the well-known name for port 80

imap4 the well-known name for port 143

ldap the well-known name for port 389

mms the well-known name for port 1755

nntp the well-known name for port 119

ntp the well-known name for port 123

pnm the well-known name for port 7070

pop2 the well-known name for port 109

pop3 the well-known name for port 110

radius the well-known name for udp port 1812

smtp the well-known name for port 25

snmp the well-known name for port 161

ssl the well-known name for port 443

rtsp the well-known name for port 554

telnet the well-known name for port 23

tftp the well-known name for port 69

Virtual server name: any previously defined virtual server

Default value: N/A

cache-enable
Enables the Active Cache feature, which configures the ServerIron to try resolving a client request using a cache
server first, then using a load balanced server if the cache does not contain the requested content. For an
example of how to use this feature, see the "Configuring Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
NOTE: By default, this command enables combined TCS and SLB service only for the HTTP port (port 80). To
enable combined TCS and SLB service for other ports, you must specify the port name or number.
EXAMPLE:
To enable Active Cache for VIP Foundry, enter the following command:
ServerIron(config-vs-Foundry)# cache-enable
To enable Active Cache for the SSL port (port 443) on VIP Foundry, enter the following command:
ServerIron(config-vs-Foundry)# port ssl cache-enable

Syntax: [no] cache-enable


Syntax: [no] port <tcp/udp-port> cache-enable
Possible values: N/A

clear
Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in
Privileged EXEC Commands on page 5-1.

end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-vs-www.rumors.com)# end
ServerIron#

Syntax: end
Possible values: N/A
Default value: N/A

exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-vs-www.rumors.com)# exit
ServerIron(config)#

Syntax: exit

Possible values: N/A


Default value: N/A

host-range
Enables you to define a range of virtual IP addresses (VIPs) simply by defining a base VIP and the number of
hosts in the range.
NOTE: The VIPs must be contiguous and must map to a contiguous range of real IP addresses on the real
server.
EXAMPLE:
To define a range of 500 contiguous VIPs, enter the following commands:
ServerIron(config)# server virtual-name lotsofhosts 209.157.22.99
ServerIron(config-vs-lotsofhosts)# host-range 500
ServerIron(config-vs-lotsofhosts)# exit
ServerIron(config)# server real-name cache1 10.4.4.4
ServerIron(config-rs-cache1)# host-range 500
ServerIron(config-rs-cache1)# exit

Syntax: host-range <range>


Possible values: 0 - 4294967295
Default value: N/A

httpredirect
In configurations that use remote failover servers, the remote server sends replies back to the ServerIron or
directly to the client:

If you configure a source IP address and enable source NAT, the remote server sends the response back to
the ServerIron.

If you do not use source NAT (whether you have configured a source IP address or not), the remote real
server sends the response directly to the client. In this case, the client refuses the connection request
because the client believes it is talking to the virtual IP address, not the real server IP address. In this case,
you can configure the ServerIron to send an HTTP redirect message to the client so that the client redirects
its HTTP connection to the real server's IP address instead of the VIP.

EXAMPLE:
To enable HTTP redirect, enter the following command:
ServerIron(config-vs-lotsofhosts)# httpredirect

Syntax: httpredirect
Possible values: N/A
Default value: Disabled

no
This command is used to disable other commands. To do so, place the word no before the command.

port
Allows you to add a TCP/UDP port to a VIP. If you are using the SwitchBack feature, you can use the dsr
parameter to enable SwitchBack for the port.
NOTE: SwitchBack also requires that you configure a loopback interface on each real server. The loopback
interface must have the same address as the VIP. See the "Configuring Symmetric SLB and SwitchBack" chapter
of the Foundry ServerIron Installation and Configuration Guide for more information about this feature.

NOTE: For servers that use passive FTP, configure the FTP ports to be both sticky and concurrent.
EXAMPLE:
To add port 80 (HTTP) to a VIP called Web1, enter the following command:
ServerIron(config-vs-Web1)# port http
EXAMPLE:
To add port 80 (HTTP) to a VIP called Web69 and enable SwitchBack for the port, enter the following command:
ServerIron(config-vs-Web69)# port http dsr

Syntax: port <tcp/udp-port> [dsr]


EXAMPLE:
To disable port 8080 on VIP Web69, enter the following command:
ServerIron(config-vs-Web69)# port 8080 disable

Syntax: port <tcp/udp-port> [disable]


EXAMPLE:
To configure port 80 on VIP Web69 to support concurrent connections from a client, enter the following command:
ServerIron(config-vs-Web69)# port 8080 concurrent

Syntax: port <tcp/udp-port> [concurrent]


EXAMPLE:
To make port 80 on VIP Web69 "sticky" so that subsequent requests for the port from the same client go to the
same real server, enter the following command:
ServerIron(config-vs-Web69)# port 8080 sticky

Syntax: port <tcp/udp-port> [sticky]


EXAMPLE:
To disable port translation for port 180 on VIP2, thus allowing many-to-one port binding for the port, enter the
following commands.
NOTE: Port translation is enabled by default. Do not disable it unless you are configuring the "many-to-one"
feature. See the "Many-To-One TCP/UDP Port Binding" application example in the "Configuring Server Load
Balancing" chapter of the Foundry ServerIron Installation and Configuration Guide. Also make sure you follow the
configuration rules in that section. Improper configuration can result in unexpected and difficult-to-diagnose
results.
ServerIron(config)# server virtual-name VIP1 209.157.22.88
ServerIron(config-vs-VIP1)# port http
ServerIron(config-vs-VIP1)# bind http r1 http r2 http
ServerIron(config-vs-VIP1)# exit
ServerIron(config)# server virtual-name VIP2 209.157.22.99
ServerIron(config-vs-VIP2)# port http
ServerIron(config-vs-VIP2)# no port http translate
ServerIron(config-vs-VIP2)# bind http r1 180 r2 180

Syntax: port <tcp/udp-port> [translate]


EXAMPLE:
To enable URL switching on a virtual server, enter the following commands.
ServerIron(config)# server virtual-name mysite 209.157.22.63
ServerIron(config-vs-mysite)# port http
ServerIron(config-vs-mysite)# port http url-map p1
ServerIron(config-vs-mysite)# port http url-switch
ServerIron(config-vs-mysite)# bind http rs1 http
ServerIron(config-vs-mysite)# bind http rs2 http
ServerIron(config-vs-mysite)# bind http rs3 http
ServerIron(config-vs-mysite)# exit

Syntax: port http


Syntax: port http url-map <policy-name>
Syntax: port http url-switch
Syntax: bind http <real-server-name> http
EXAMPLE:
To configure session persistence in a proxy environment, configure a standard IP ACL containing the addresses,
then use the sticky-acl option with the application ports on the virtual server. The sticky-acl option configures the
Virtual Source feature.
In a Virtual Source configuration, the ServerIron sends all client traffic from a specified range of IP addresses to
the same real server for the application ports you specify. To specify the IP addresses, configure a standard IP
ACL. Use this command in configurations where a proxy device allocates IP addresses to client traffic before
sending the traffic to the VIP. In some configurations, the proxy device assigns different IP addresses to traffic
from the same client. Unless you configure the addresses to go to the same real server, the ServerIron might load
balance the client traffic to different servers. This makes applications that require continued access to the same
real server unusable.
ServerIron(config)# access-list 1 permit 209.157.22.0
ServerIron(config)# server virtual fromproxy 1.1.1.1
ServerIron(config-vs-fromproxy)# port 80 sticky-acl 1

Syntax: [no] access-list <num> deny | permit <source-ip> | <hostname> <wildcard> [log]
or

Syntax: [no] access-list <num> deny | permit <source-ip>/<mask-bits> | <hostname> [log]


Syntax: [no] port <tcp/udp-port> sticky-acl <num>
NOTE: This feature is different from the sticky feature, which you can associate with ports on the virtual server
level. The sticky attribute ensures that subsequent packets from the same client during the same TCP session go
to the same real server. In this case, the ServerIron knows the packets are from the same client based on the
source IP address. When a proxy is used, subsequent packets from the same client can have different IP
addresses.
For standard IP ACL configuration information, see the "Configuring Standard ACLs" section in the "Using Access
Control Lists (ACLs)" chapter of the Foundry Switch and Router Installation and Basic Configuration Guide.
EXAMPLE:
To configure an application port to be stateless, enable the stateless parameter on the port in the virtual server.
Here is an example:
ServerIron(config)# server real R1 10.10.10.1
ServerIron(config-rs-R1)# port http
ServerIron(config-rs-R1)# exit
ServerIron(config)# server real R2 10.10.11.1
ServerIron(config-rs-R2)# port http
ServerIron(config-rs-R2)# exit
ServerIron(config)# server virtual StatelessHTTP 192.168.4.69
ServerIron(config-vs-StatelessHTTP)# port http stateless
ServerIron(config-vs-StatelessHTTP)# bind http R1 http
ServerIron(config-vs-StatelessHTTP)# bind http R2 http

Syntax: [no] port <tcp/udp-port> stateless

The <tcp/udp-port> parameter specifies the application port you want to make stateless.
EXAMPLE:
By default, stateless SLB uses a hashing algorithm to select a real server. The ServerIron calculates a hash value
for a given client request based on the request's source IP address and source TCP/UDP port. The request is
sent to a real server corresponding to this hash value.
For UDP connections consisting of one client packet and one server response packet, you can disable the
stateless SLB hashing algorithm. When the stateless SLB hashing algorithm is disabled for UDP ports, the
ServerIron uses the round-robin load balancing method to select a real server for the request. In this case, the
ServerIron load balances UDP packets destined for the VIP without creating a session and without calculating
hash values based on UDP port number and source IP address.
DNS is an example of a UDP port where this feature can be used. The advantage of disabling the stateless SLB
hashing algorithm is that a new real server can be selected immediately after it is brought up.
For example, to disable the stateless SLB hashing algorithm for the DNS port (UDP port 53):
ServerIron(config)# server virtual Stateless 192.168.4.69
ServerIron(config-vs-Stateless)# port dns stateless no-hash

Syntax: [no] port <udp-portnum> stateless no-hash


The <udp-portnum> parameter specifies the UDP application port you want to make stateless.
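The difference between the default stateless hash and the stateless no-hash option described above, as an added Python example that is not part of the Foundry manual. CRC32 stands in for the ServerIron's hash, which this page does not specify, and the pool names and client addresses are constructed. Under this model, round-robin selection spreads the packets of one multi-packet flow across several real servers, which is consistent with the page limiting the option to one-request, one-response UDP traffic such as DNS.

```python
import ipaddress
import zlib


def pick_by_hash(src_ip, src_port, servers):
    """Stateless selection keyed on source IP and source port.

    CRC32 is a stand-in (assumption): the ServerIron's actual hash
    function is not given on the page.
    """
    key = ipaddress.ip_address(src_ip).packed + src_port.to_bytes(2, "big")
    return servers[zlib.crc32(key) % len(servers)]


class RoundRobin:
    """Selection modelled for 'stateless no-hash': next server per packet."""

    def __init__(self, servers):
        self.servers = servers  # shared list, so a new server is seen at once
        self._next = 0

    def pick(self, src_ip=None, src_port=None):
        # The packet's source address and port are deliberately ignored.
        server = self.servers[self._next % len(self.servers)]
        self._next += 1
        return server


def servers_hit(packets, chooser):
    """Sorted list of real servers that receive the given (ip, port) packets."""
    return sorted({chooser(ip, port) for ip, port in packets})


# Constructed traffic: one client flow of four packets from the same socket,
# and four single-packet DNS queries sent from different source ports.
POOL = ["R1", "R2", "R3"]
FLOW = [("192.0.2.10", 40000)] * 4
QUERIES = [("192.0.2.10", 40000 + i) for i in range(4)]


def demo():
    """Compare where the constructed traffic lands under each method."""
    def hashed(ip, port):
        return pick_by_hash(ip, port, POOL)

    return {
        # Hashing: every packet of the flow reaches the same real server.
        "flow_hash": servers_hit(FLOW, hashed),
        # No hash: the same flow is spread over the whole pool.
        "flow_no_hash": servers_hit(FLOW, RoundRobin(POOL).pick),
        # No hash: independent one-packet queries are simply balanced.
        "queries_no_hash": servers_hit(QUERIES, RoundRobin(POOL).pick),
    }


if __name__ == "__main__":
    for name, servers in demo().items():
        print(name, servers)
```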
EXAMPLE:
This example applies to health-check policies (see healthck (ServerIronXL) on page 6-23). After you configure
logical expressions, you can bind them to application ports on VIPs. A health-check policy does not take effect
until you bind the policy to an application port on a VIP.
To bind a health-check policy to an application port on a VIP, enter commands such as the following:
ServerIron(config)# server virtual-name VIP1 1.1.1.1
ServerIron(config-vs-VIP1)# port http healthck Router2
This command configures virtual IP address VIP1 to use the health-check policy named "Router2" to check the
health of HTTP (port 80) for the VIP.

Syntax: [no] port <tcp/udp-portnum> healthck <policy-name>


The <tcp/udp-portnum> parameter specifies a TCP or UDP application port. The <policy-name> parameter
specifies the health-check policy you want to use to check the Layer 3 health of a device associated with the
application port.
EXAMPLE:
When fast aging for UDP sessions is configured, a client request causes the ServerIron to add an entry to its
session table; when a response is detected, the ServerIron immediately deletes the session table entry.
When this feature is configured, if the ServerIron detects a server response to a client request, and the response
is not fragmented, the session table entry is deleted immediately. If the response is fragmented, the ServerIron waits for
the last fragment to arrive, forwards it to the client, and then sends the session to the delete queue. The session
stays in the delete queue for 8 seconds by default before being deleted. You can change the amount of time the
session stays in the delete queue to between 1 - 40 seconds.
To activate this feature for port 1234:
ServerIron(config)# server virtual vs1 192.168.1.2
ServerIron(config-vs-vs1)# port 1234 udp-fast-age

Syntax: port <udp-portnum> udp-fast-age


EXAMPLE:
NOTE: This example applies only to the ServerIron 400 or ServerIron 800 running software release 07.2.23 or
later.

To enable a VIP to use the servers designated as backups only as backups, and use the other servers as the
primary load-balancing servers, enter the following command at the configuration level for the VIP:
ServerIron(config-vs-VIP1)# port http lb-pri-servers
This command enables VIP1 to use the backup and primary servers for application port HTTP.
To configure the VIP and application port to continue using the backup servers even after the primary servers
become available again, use the backup-stay-active parameter, as in the following example:
ServerIron(config-vs-VIP1)# port http lb-pri-servers backup-stay-active

Syntax: [no] port <tcp/udp-port> lb-pri-servers [backup-stay-active]


You also must explicitly designate the backup real servers as backups. See backup on page 10-1.
Possible values: See above
Default value: N/A

predictor
This command is used to select the session distribution algorithm that will be used on the specified virtual server.
This command will override any globally configured value for a virtual server. By default, the least connections
method is enabled.
EXAMPLE:
To change the virtual server predictor method from the default value of least connections to the round-robin
method, enter the following:
ServerIron(config)# server virtual www.foundrynet.com 207.95.5.1
ServerIron(config-vs-www.foundrynet.com)# predictor round-robin

Syntax: [no] predictor least-conn | response-time | round-robin | weighted


Possible values: See above
Default value: least-conn

quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-vs-Foundry)# quit
ServerIron>

Syntax: quit
Possible values: N/A
Default value: N/A

rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.

show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.

source-sticky
Allows you to disable or re-enable this feature. Use this command only if advised to do so by Foundry technical
support.

sym-active
Enables active-active Symmetric SLB on a VIP.
EXAMPLE:
ServerIronA(config)# server virtual-name VIP1 1.1.1.1
ServerIronA(config-vs-VIP1)# port 80
ServerIronA(config-vs-VIP1)# sym-priority 69
ServerIronA(config-vs-VIP1)# sym-active
This example configures VIP1 by adding port 80, enabling SSLB, then enabling active-active SSLB. The sym-priority
command enables SSLB. The command requires a number from 1 - 255 to enable SSLB. Once you
enter the sym-active command to enable active-active SSLB, the software ignores the priority value you
specified.

Syntax: [no] sym-active


Possible values: N/A
Default value: Disabled

sym-priority
Assigns a Symmetric SLB priority to a virtual IP address (VIP). The priority determines which ServerIron in a
Symmetric SLB configuration is the default active ServerIron for the VIP. The priority can be from 0 (disabled) -
255 (highest priority).
NOTE: Foundry recommends that you specify 2 (instead of 1) as a low priority or 254 (instead of 255) as a high
priority. This way, you can easily force failover of the high priority ServerIron to the low priority ServerIron by
changing the priority on just one of the ServerIrons. For example, you can force a failover by changing the priority
on the high priority ServerIron from 254 to 1. Since the priority on the low priority ServerIron is 2, the low priority
ServerIron takes over for the VIP. Likewise, you can force the low priority ServerIron to take over by changing its
priority to 255, since the priority on the high priority ServerIron is only 254.
See the "Configuring Symmetric SLB and SwitchBack" chapter of the Foundry ServerIron Installation and
Configuration Guide for more information about this feature.
EXAMPLE:
To configure VIPs V1 and V2 on two ServerIrons for Symmetric SLB, enter the following commands. After you
enter these commands, the first ServerIron is the active ServerIron for VIP V1 (1.1.1.1) and is the backup
ServerIron for VIP2 (2.2.2.2). The second ServerIron is the active ServerIron for VIP V2 (2.2.2.2) and the backup
ServerIron for VIP1 (1.1.1.1).
Commands for the first ServerIron:
ServerIron(config)# server virtual-name V1 1.1.1.1
ServerIron(config-vs-V1)# sym-priority 2
ServerIron(config-vs-V1)# exit
ServerIron(config)# server virtual-name V2 2.2.2.2
ServerIron(config-vs-V2)# sym-priority 254
ServerIron(config-vs-V2)# write mem
Commands for the second ServerIron:
ServerIron(config)# server virtual-name V1 1.1.1.1
ServerIron(config-vs-V1)# sym-priority 254
ServerIron(config-vs-V1)# exit
ServerIron(config)# server virtual-name V2 2.2.2.2
ServerIron(config-vs-V2)# sym-priority 2
ServerIron(config-vs-V2)# write mem

Syntax: sym-priority <num>


Possible values: 0 - 255; setting the priority to 0 removes the priority setting

Default value: N/A

track
Configures up to four TCP/UDP ports to track another, primary TCP/UDP port. This feature enables the
ServerIron to group applications. After the ServerIron sends a request for the master TCP/UDP port to a real
server, requests from the same client for the ports that track the master port also go to the same real server.
For more information about the feature, see the "Configuring Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
EXAMPLE:
To configure TCP/UDP ports 8080 and 9090 to track port 80, enter the following command:
ServerIron(config-vs-Foundry)# track 80 8080 9090

Syntax: track <primary-port> <tcp/udp-port> [<tcp/udp-port>[<tcp/udp-port>[<tcp/udp-port>]]]


Possible values: a TCP or UDP port number.
Default value: N/A

track-group
Causes the ServerIron to use the same server for applications associated with a set of grouped ports, as long as
all the ports in the group are active. After the ServerIron sends a client to a real server for any of the grouped
ports, subsequent requests from that client for any of the grouped ports go to the same real server.
EXAMPLE:
To group the HTTP port (80), Telnet port (23), and TFTP port (69) together:
ServerIron(config-vs-v1)# track-group 80 69 23
Whenever a client attempts to connect to a port within the group, the ServerIron ensures all ports in the group are
active before granting the connection.
NOTE: The sticky parameter makes the TCP/UDP ports sticky. The sticky parameter must be set for all ports in
the group.
Possible values: a TCP or UDP port number. Up to eight ports can be grouped together using the track group
function. A port can be part of only one group. The track-group and track commands for a port are mutually
exclusive.
Default value: N/A

transparent-vip
Enables an individual VIP for transparent VIP. Transparent VIP applies only to the VIPs on which you enable it.
NOTE: You must globally enable transparent VIP support in addition to enabling the feature on individual VIPs.
See "server transparent-vip" on page 6-85.
EXAMPLE:
ServerIron(config-vs-TransVIP)# transparent-vip

Syntax: [no] transparent-vip


Possible values: N/A
Default value: Disabled

write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-vs-Foundry)# write memory

Syntax: write memory


Possible values: N/A
Default value: N/A

write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-vs-Foundry)# write terminal

Syntax: write terminal


Possible values: N/A
Default value: N/A


Chapter 12
Cache Group Commands

acl-id
Identifies an IP ACL for use with your configuration. For example, you can use the command to identify an ACL for
denying FWLB for a specific TCP or UDP application port.
EXAMPLE:
To deny FWLB for TCP port 80 (HTTP) but allow FWLB for all other TCP and UDP application ports, enter
commands such as the following:
ServerIronA(config)# access-list 101 deny tcp any any eq http
ServerIronA(config)# access-list 101 permit tcp any any
ServerIronA(config)# access-list 101 permit udp any any
ServerIronA(config)# server fw-group 2
ServerIronA(config-tc-2)# acl-id 101

The first three commands configure three ACL entries. The first entry denies FWLB for packets addressed to TCP
port 80 (HTTP). The second ACL permits FWLB for all TCP applications. Packets that do not match the first ACL
entry match the second ACL entry and are provided with FWLB. The third ACL permits FWLB for all UDP
applications. The last two commands change the CLI level to the firewall group configuration level and apply ACL
101 to the firewall group.

Syntax: [no] access-list <num> deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator>
<source-tcp/udp-port>] <destination-ip> | <hostname> <wildcard> [<operator> <destination-tcp/udp-port>]
[precedence <name> | <num>] [tos <name> | <num>] [log]
Syntax: [no] acl-id <num>
For detailed information about the ACL syntax, see the "Using Access Control Lists (ACLs)" chapter in the
Foundry Switch and Router Installation and Basic Configuration Guide.
Possible values: The ID of a configured IP ACL.
Default value: N/A

cache-name
This command assigns a cache server to the cache group. The cache server must already be configured. (See
"server cache-name" on page 6-62.)
NOTE: A cache server can be in only one cache group. If you add a cache server to a cache group, the
ServerIron automatically removes the cache server from the cache group the cache server was already in.


EXAMPLE:
To assign a cache server named web2 to cache group 2, enter the following:
ServerIron(config)# server cache-group 2
ServerIron(config-tc-2)# cache-name web2

Syntax: server cache-name <text>


Possible values: N/A
Default value: N/A

clear
Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in
"Privileged EXEC Commands" on page 5-1.

dest-nat
This command enables destination NAT for TCS.
By default, the ServerIron translates the destination MAC address of a client request into the MAC address of the
cache server. However, the ServerIron does not translate the IP address of the request to the cache server's IP
address. Instead, the ServerIron leaves the destination IP address untranslated.
This behavior assumes that the cache server is operating in promiscuous mode, which allows the cache server to
receive requests for any IP address so long as the MAC address in the request is the cache server's. This
behavior works well in most caching environments. However, if your cache server requires that the client traffic
arrive in directed IP unicast packets, you can enable destination NAT.
Destination NAT is disabled by default.
NOTE: This option is rarely used. If your cache server operates in promiscuous mode, you probably do not need
to enable destination NAT. Otherwise, enable destination NAT. Consult your cache server documentation if you
are unsure whether you need to enable destination NAT.
EXAMPLE:
To enable destination NAT for cache group 1, enter the following command:
ServerIron(config)# server cache-group 1
ServerIron(config-tc-1)# dest-nat

Syntax: dest-nat

disable
This command disables the cache group.
EXAMPLE:
To disable cache group 2, enter the following command.
ServerIron(config-tc-1)# disable

Syntax: [no] disable


Possible values: Disabled or Enabled
Default value: Enabled

end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-tc-1)# end
ServerIron#

Syntax: end
Possible values: N/A
Default value: N/A

exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-tc-1)# exit
ServerIron(config)#

Syntax: exit
Possible values: N/A
Default value: N/A

failover-acl
Contact Foundry engineering for information about this command.

fwall-info
Configures a path for firewall load balancing.
EXAMPLE:
To configure paths for two firewalls, enter the following commands. See the Foundry ServerIron Firewall Load
Balancing Guide for complete configuration examples.
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# fwall-info 1 3 209.157.23.3 209.157.22.3
ServerIron(config-tc-2)# fwall-info 2 5 209.157.23.3 209.157.22.4

Syntax: [no] fwall-info <path-num> <portnum> <other-ServerIron-ip> <next-hop-ip> [path-group-id <num>]
[remote-id <num>]
The <path-num> parameter specifies the path ID. The path ID is a number that identifies the path. In basic FWLB
configurations, the paths go from one ServerIron to the other through the firewalls. In IronClad FWLB, additional
paths go to routers. On each ServerIron, the path IDs must be contiguous (with no gaps), starting with path ID 1.
The <portnum> parameter specifies the number of the port that connects the ServerIron to the firewall or router.
The <other-ServerIron-ip> parameter specifies the IP address of the device at the other end of the path. For
firewall paths, specify the management address or source IP address of the ServerIron on the other side of the
firewall. For router paths, specify the router's IP interface with the ServerIron.
• On the external ServerIrons, specify the internal ServerIrons' management addresses for the trusted zone but
specify the source IP addresses for the other zones.
• On the internal ServerIrons, specify the external ServerIrons' management addresses for the non-trusted
zone, which is the only zone on the external ServerIrons.
The <next-hop-ip> parameter specifies the IP address of the next hop in the path. For firewall paths, specify the IP
address of the firewall interface connected to this ServerIron. For router paths, specify the router's IP interface
with the ServerIron.
The path-group-id <num> parameter specifies the number that indicates the firewall through which the paths go.
NOTE: Router paths do not use path IDs.


The remote-id <num> parameter is a number (1 or 2) representing the ServerIron at the remote end of the path in
a superzone FWLB configuration. Specify 1 for a basic configuration. Specify 1 and 2 for the two ServerIrons in a
high-availability configuration.
NOTE: The remote-id <num> parameter applies only to superzone FWLB. See the "Configuring Superzone
FWLB" chapter in the Foundry ServerIron Firewall Load Balancing Guide.
Possible values: See above
Default value: N/A

fwall-zone
Configures a firewall zone. Use this command when configuring multi-zone FWLB. For a complete configuration
example, see the Foundry ServerIron Firewall Load Balancing Guide.
EXAMPLE:
To configure an ACL and a firewall zone that uses the ACL, enter commands such as the following:
Zone1-SI(config)# access-list 2 permit 209.157.25.0 0.0.0.255
Zone1-SI(config)# server fw-group 2
Zone1-SI(config-tc-2)# fwall-zone Zone2 2 2

Syntax: [no] fwall-zone <string> <zonenum> <acl-id>


The <string> parameter specifies the zone name.
The <zonenum> parameter specifies the zone number. You can specify a value from 1 – 10.
The <acl-id> field specifies the ACL that defines the range of IP addresses in the zone.
Possible values: See above
Default value: N/A

fw-exceed-max-drop
Configures the ServerIron to drop the traffic instead of load balancing it using the hashing mechanism.
By default, if the ServerIron receives traffic that it needs to forward to a firewall, but the firewall already has the
maximum number of sessions open or has exceeded its maximum connection rate, the ServerIron uses a hashing
mechanism to select another firewall. The hashing mechanism selects another firewall based on the source and
destination IP addresses and application port numbers in the packet.
The ServerIron drops traffic only until the firewall again has available sessions.
EXAMPLE:
ServerIron(config-tc-2)# fw-exceed-max-drop

Syntax: [no] fw-exceed-max-drop


Possible values: N/A
Default value: Disabled

fw-health-check icmp
Changes the number of times the ServerIron attempts a Layer 3 health check of an FWLB path before concluding
that the path is unhealthy.
By default, the ServerIron checks the health of each firewall and router path by sending an ICMP ping on the path
every 400 milliseconds.
• If the ServerIron receives one or more responses within 1.2 seconds, the ServerIron concludes that the path
is healthy.
• Otherwise, the ServerIron reattempts the health check by sending another ping. By default, the ServerIron
reattempts an unanswered path health check up to three times before concluding that the path is unhealthy.


You can change the maximum number of retries to a value from 3 – 31 (ServerIron 400 and ServerIron 800) or
8 – 31 (all other ServerIron models).
EXAMPLE:
ServerIron(config-tc-2)# fw-health-check icmp 20

Syntax: [no] fw-health-check icmp <num>


The <num> parameter specifies the maximum number of retries and can be a number from 3 – 31 (ServerIron 400
and ServerIron 800) or 8 – 31 (all other ServerIron models). The default is 3.
Possible values: 3 – 31 (ServerIron 400 and ServerIron 800) or 8 – 31 (all other ServerIron models)
Default value: 3

fw-health-check tcp | udp


You can configure the ServerIrons in an FWLB configuration to use Layer 4 health checks instead of Layer 3
health checks for firewall paths.
By default, the ServerIron performs Layer 3 health checks of firewall paths, but does not perform Layer 4 health
checks of the paths. When you configure a Layer 4 health check, the Layer 3 (ICMP) health check, which is used
by default, is disabled.
NOTE: The Layer 4 health check applies only to firewall paths. The ServerIron always uses a Layer 3 (ICMP)
health check to test the path to the router.
When you configure a Layer 4 health check for firewall paths, the ServerIron sends Layer 4 health checks and also
responds at Layer 4 to health checks from the ServerIron at the other end of the firewall path.
To configure a Layer 4 health check, specify the protocol (TCP or UDP). Optionally, you also can specify the port.

• UDP – The ServerIron sends and listens for path health check packets on the port you specify. If you do not
specify a port, the ServerIron uses port 7777 by default. The port number is used as both the source and
destination UDP port number in the health check packets.
• TCP – The ServerIron listens for path health check packets on the port you specify, but sends them using a
randomly generated port number. If you do not specify a port, the ServerIron uses port 999 as the destination
port by default.

NOTE: You must configure the same Layer 4 health check parameters on all the ServerIrons in the FWLB
configuration. Otherwise, the paths will fail the health checks.
EXAMPLE:
ServerIron(config-tc-2)# fw-health-check udp
The command in this example enables Layer 4 health checks on UDP port 7777. This ServerIron sends firewall
path health checks to UDP port 7777 and listens for health checks on UDP port 7777.

Syntax: [no] fw-health-check udp | tcp [<tcp/udp-portnum> <num>]


The <tcp/udp-portnum> parameter specifies the TCP or UDP port and can be a number from 1 – 65535.
The <num> parameter specifies the maximum number of retries and can be a number from 8 – 31. The default is
3.
You can disable the Layer 4 health checks on individual firewalls if needed. To disable the Layer 4 health check for
an individual application on an individual firewall, enter a command such as the following at the firewall
configuration level of the CLI:
ServerIron(config-rs-FW1)# port http no-health-check
The command in this example disables Layer 4 health checks for port HTTP on firewall FW1.

Syntax: [no] no-health-check


Possible values: See above
Default value: Disabled

fw-name
Adds a firewall to the firewall group for firewall load balancing.
EXAMPLE:
To add a firewall named FW99 to firewall group 2, enter the following commands:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# fw-name FW99
NOTE: The command prompt looks the same for cache groups and the firewall group. Make sure you enter the
fw-group 2 command instead of the cache-group <num> command to reach the CLI prompt shown in this
example.

Syntax: fw-name <string> <ip-addr>


Possible values: See above
Default value: N/A

fw-predictor
Configures the ServerIron to load balance based on the lowest number of connections for the traffic flow's
application. By default, the ServerIron load balances firewall traffic flows by selecting the firewall with the lowest
number of total connections.
For example, suppose a configuration has two firewalls (FW1 and FW2), and each firewall has two application
ports defined (HTTP and SMTP). Also assume the following:
• FW1 has 10 HTTP connections and 80 SMTP connections.
• FW2 has 60 HTTP connections and 10 SMTP connections.

Using the default load balancing method, traffic for a new flow is load balanced to FW2, since this firewall has
fewer total connections. This is true regardless of the application in the traffic. However, using the load balancing
by application method, a new traffic flow carrying HTTP traffic is load balanced to FW1 instead of FW2, because
FW1 has fewer HTTP connections. A new traffic flow for SMTP is load balanced to FW2, since FW2 has fewer
SMTP connections.
EXAMPLE:
ServerIron(config-tc-2)# fw-predictor per-service-least-conn

Syntax: [no] fw-predictor total-least-conn | per-service-least-conn


The total-least-conn parameter load balances traffic based on the total number of connections only. This is the
default.
The per-service-least-conn parameter load balances traffic based on the total number of connections for the
traffic's application. This is valid for TCP or UDP applications.
Possible values: See above
Default value: total-least-conn

hash-mask
This command defines how requests are distributed among multiple web cache servers or firewalls within a cache
group or firewall group.
EXAMPLE:
To direct all web queries destined for the same web site (such as www.rumors.com) to the same cache server for
processing, enter the following hash-mask command:
ServerIron(config-tc-1)# hash-mask 255.255.255.255 0.0.0.0


NOTE: This is useful for networks that have many users accessing the same web site locations. It may be more
useful to use only the first three octets of the Destination IP address (255.255.255.0) for web sites that may return
multiple web server addresses (for example, www.rumors1.com and www.rumors2.com) in response to
www.rumors.com queries.
EXAMPLE:
To direct all users from the same Class B sub-net (255.255.0.0) to either server1 or server2 and to direct all
redundant requests destined to the same web site (255.255.255.0) to the same web cache server, enter the
following hash-mask command:
ServerIron(config-tc-1)# hash-mask 255.255.255.0 255.255.0.0
EXAMPLE:
To configure a hash mask for firewall load balancing, enter the following command:
ServerIron(config-tc-1)# hash-mask 255.255.255.255 255.255.255.255
NOTE: The command prompt looks the same for cache groups and the firewall group. Make sure you enter the
fw-group 2 command instead of the cache-group <num> command to reach the CLI prompt shown in this
example.

Syntax: hash-mask <destination-mask> <source-mask>


Possible values: valid IP addresses
Default value: destination mask 255.255.255.0, source mask 0.0.0.0.

hash-port-range
Specifies a range of TCP or UDP application port numbers for use in FWLB hashing calculations. This is useful in
environments where the same source-and-destination pairs generate a lot of traffic and you want to load balance
the traffic across more than one firewall.
By default, the FWLB hashing algorithm uses the source and destination IP addresses of a packet for hashing but
disregards the source and destination TCP or UDP application port numbers.
NOTE: You also can specify a list of ports, in which case the software hashes based on the combined set of
ports from the list and the range. If you specify both a list and a range of ports, the software uses the source and
destination application ports of a packet to hash, if the packet's source or destination application port is one of the
ports in the specified list or the specified range.
EXAMPLE:
To specify a range of application ports, enter a command such as the following at the firewall group configuration
level of the CLI:
ServerIron(config-tc-2)# hash-port-range 69 80

Syntax: [no] hash-port-range <start-num> <end-num>


The <start-num> parameter specifies the starting port number in the range. Specify the port number at the lower
end of the range.
The <end-num> parameter specifies the ending port number in the range. Specify the port number at the higher
end of the range.
Possible values: See above
Default value: N/A

hash-ports
Specifies a list of TCP or UDP application port numbers for use in FWLB hashing calculations. This is useful in
environments where the same source-and-destination pairs generate a lot of traffic and you want to load balance
the traffic across more than one firewall.
By default, the FWLB hashing algorithm uses the source and destination IP addresses of a packet for hashing but
disregards the source and destination TCP or UDP application port numbers.
NOTE: You also can specify a range of ports, in which case the software hashes based on the combined set of
ports from the list and the range. If you specify both a list and a range of ports, the software uses the source and
destination application ports of a packet to hash, if the packet's source or destination application port is one of the
ports in the specified list or the specified range.
EXAMPLE:
To specify a list of TCP/UDP ports to include in the hash calculations for firewall load balancing:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# hash-ports 69 80

Syntax: [no] hash-ports <num> [<num...>]


Possible values: The <num> parameters specify TCP or UDP port numbers. You can specify up to eight port
numbers on the same command line.
Default value: N/A
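
The following added example (not part of the Foundry reference) models which packet fields the hash-mask, hash-port-range and hash-ports settings described above feed into the hash, and how that changes the spread of one busy client/server pair across two firewalls. The reference does not give the hashing algorithm, so pick_member() is a stand-in XOR fold; the class and function names and the sample flows are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def _mask(ip: str, mask: str) -> int:
    """AND a dotted-quad address with a dotted-quad mask, as hash-mask describes."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))


@dataclass
class HashConfig:
    dest_mask: str = "255.255.255.0"              # documented default destination mask
    src_mask: str = "0.0.0.0"                     # documented default source mask
    ports: Tuple[int, ...] = ()                   # hash-ports <num> [<num...>]
    port_range: Optional[Tuple[int, int]] = None  # hash-port-range <start-num> <end-num>

    def port_selected(self, port: int) -> bool:
        """True if the port is in the configured list or the configured range."""
        in_range = (self.port_range is not None
                    and self.port_range[0] <= port <= self.port_range[1])
        return port in self.ports or in_range


def hash_key(cfg, src_ip, dst_ip, sport, dport):
    """Fields that feed the hash for one packet.

    Ports are included only when the packet's source or destination port is in
    the configured list or range; otherwise only the masked addresses count.
    """
    use_ports = cfg.port_selected(sport) or cfg.port_selected(dport)
    return (_mask(dst_ip, cfg.dest_mask),
            _mask(src_ip, cfg.src_mask),
            sport if use_ports else 0,
            dport if use_ports else 0)


def pick_member(key, members):
    """Stand-in hash (assumption): XOR-fold the key fields, modulo member count."""
    folded = 0
    for field in key:
        folded ^= field
    return members[folded % len(members)]


def spread(cfg, flows, members):
    """Return (number of distinct hash keys, set of members chosen) for the flows."""
    keys = {hash_key(cfg, *flow) for flow in flows}
    return len(keys), {pick_member(key, members) for key in keys}


# Constructed sample traffic: one client, one server, eight HTTP connections.
FLOWS = [("10.1.1.5", "209.157.22.26", 1024 + i, 80) for i in range(8)]
FIREWALLS = ["FW1", "FW2"]

if __name__ == "__main__":
    # hash-mask 255.255.255.255 255.255.255.255, no port hashing: one key.
    addr_only = HashConfig("255.255.255.255", "255.255.255.255")
    print("addresses only:", spread(addr_only, FLOWS, FIREWALLS))
    # Same masks plus hash-port-range 69 80: one key per connection.
    with_range = HashConfig("255.255.255.255", "255.255.255.255", port_range=(69, 80))
    print("with hash-port-range 69 80:", spread(with_range, FLOWS, FIREWALLS))
```

With address-only hashing every connection between the pair lands on the same firewall; once port 80 is inside the range, each connection gets its own key and both firewalls are used.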

http-cache-control
This command is used in conjunction with the Content Aware Cache Switching feature on the ServerIron. This
command ensures that HTTP 1.0 requests that have a pragma:no-cache header and HTTP 1.1 requests that have
a Cache-Control header containing a no-cache directive are sent to the Internet. This is the default behavior. You
can use the no form of this command to configure the ServerIron to ignore the pragma:no-cache or Cache-Control
header in an HTTP request.
EXAMPLE:
To configure the ServerIron to ignore the pragma:no-cache or Cache-Control header in an HTTP request:
ServerIron(config-tc-1)# no http-cache-control

Syntax: [no] http-cache-control


Possible values: N/A
Default value: HTTP 1.0 requests that have a pragma:no-cache header and HTTP 1.1 requests that have a
Cache-Control header containing a no-cache directive are sent to the Internet.

l2-fwall
Enables Layer 2 FWLB for Layer 2 firewalls and for static route configurations.
EXAMPLE:
To enable the L2-fwall option on a ServerIron, enter the following commands:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# l2-fwall

Syntax: l2-fwall
Possible values: N/A
Default value: Disabled

no
This command is used to disable other commands. To do so, place the word no before the command.

no-group-failover
Causes requests to be dropped if a URL switching policy directs the requests to a server group, but none of the
cache servers in the server group are available. Without this command, if none of the cache servers in a server
group are available, the requests are directed to one of the other server groups configured on the device.


EXAMPLE:
ServerIron(config)# server cache-group 1
ServerIron(config-tc-1)# no-group-failover
ServerIron(config-tc-1)# exit

Syntax: no-group-failover
Possible values: N/A
Default value: N/A

no-http-downgrade
Prevents the ServerIron from downgrading the HTTP version in a request to 1.0.
In a content aware cache switching configuration, when the ServerIron receives an HTTP request from a client, it
determines to which cache server it should send the request. The ServerIron then establishes a TCP connection
with the selected cache server and sends it the request.
If the request sent from the client to the ServerIron uses HTTP version 1.1, the ServerIron downgrades the HTTP
version to 1.0 when it sends the request to the cache server. If you want to use HTTP 1.1 for the connection
between the ServerIron and the cache servers, you can prevent the ServerIron from downgrading the HTTP
version to 1.0.
EXAMPLE:
ServerIron(config)# server cache-group 1
ServerIron(config-vs-tc-1)# no-http-downgrade
ServerIron(config-vs-tc-1)# exit

Syntax: no-http-downgrade
Possible values: N/A
Default value: N/A

prefer-cnt
Specifies a path link tolerance for firewall paths. The default failover tolerance for firewall paths is one half the
configured firewall paths.
NOTE: The minimum number of required paths must match on each ServerIron in an active-standby pair. For
example, if you specify one router path and three firewall paths as the minimum on the active ServerIron, you must
configure the same minimums on the standby ServerIron.
EXAMPLE:
To specify the minimum number of paths required on a ServerIron:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# prefer-cnt 3
This example specifies that a minimum of three firewall paths must be available for the ServerIron to remain active.
Thus, if the ServerIron has three firewall paths, one path can be unavailable and the ServerIron will remain the
active ServerIron.

Syntax: prefer-cnt <num>


Possible values: The <num> parameter specifies the minimum number of paths required.
Default value: half the configured paths

prefer-router-cnt
Specifies a path link tolerance for router paths. The default tolerance for router ports is one half the configured
router ports.


NOTE: The minimum number of required paths must match on each ServerIron in an active-standby pair. For
example, if you specify one router path and three firewall paths as the minimum on the active ServerIron, you must
configure the same minimums on the standby ServerIron.
EXAMPLE:
To specify the minimum number of paths required on a ServerIron:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# prefer-router-cnt 3
This example specifies that a minimum of three router paths must be available for the ServerIron to remain active.
Thus, if the ServerIron has three router paths, one path can be unavailable and the ServerIron will remain the
active ServerIron.

Syntax: prefer-router-cnt <num>


Possible values: The <num> parameter specifies the minimum number of paths required.
Default value: half the configured router ports
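
The NOTEs under fw-health-check tcp | udp, prefer-cnt and prefer-router-cnt require the same values on every ServerIron in the FWLB configuration or active-standby pair. The following added example (not part of the Foundry reference) compares those settings between two saved configurations. The configuration layout (commands indented under "server fw-group" and closed by "!"), the function names and the sample configurations are assumptions constructed for illustration.

```python
UDP_DEFAULT_PORT = 7777   # documented default for fw-health-check udp
TCP_DEFAULT_PORT = 999    # documented default destination port for fw-health-check tcp
MUST_MATCH = ("fw-health-check", "prefer-cnt", "prefer-router-cnt")


def normalize_health_check(args):
    """Turn 'udp | tcp [<tcp/udp-portnum> <num>]' into (protocol, port, retries)."""
    proto = args[0]
    if proto not in ("tcp", "udp"):
        raise ValueError("expected tcp or udp, got %r" % proto)
    default_port = UDP_DEFAULT_PORT if proto == "udp" else TCP_DEFAULT_PORT
    port = int(args[1]) if len(args) > 1 else default_port
    retries = int(args[2]) if len(args) > 2 else None   # None: not set explicitly
    return (proto, port, retries)


def fw_group_settings(config_text):
    """Extract the must-match settings from the 'server fw-group' section.

    A value of None means the command is absent. For fw-health-check that
    means the Layer 3 (ICMP) check is in use, which is the documented default.
    """
    settings = dict.fromkeys(MUST_MATCH)
    in_group = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("server fw-group"):
            in_group = True
        elif not line or line == "!" or not raw[0].isspace():
            in_group = False          # blank line, separator or next top-level command
        elif in_group:
            cmd, *args = line.split()
            if cmd == "fw-health-check" and args and args[0] in ("tcp", "udp"):
                settings[cmd] = normalize_health_check(args)
            elif cmd in ("prefer-cnt", "prefer-router-cnt") and args:
                settings[cmd] = int(args[0])
    return settings


def mismatches(a_text, b_text):
    """List (command, value on A, value on B) for every setting that differs."""
    a, b = fw_group_settings(a_text), fw_group_settings(b_text)
    return [(cmd, a[cmd], b[cmd]) for cmd in MUST_MATCH if a[cmd] != b[cmd]]


# Constructed sample configurations for three ServerIrons.
SI_A = """\
server fw-group 2
 fw-name FW99
 fw-health-check udp
 prefer-cnt 3
 prefer-router-cnt 1
!
"""
SI_B = """\
server fw-group 2
 fw-name FW99
 fw-health-check tcp
 prefer-cnt 2
 prefer-router-cnt 1
!
"""
SI_C = """\
server fw-group 2
 fw-name FW99
 prefer-cnt 3
 prefer-router-cnt 1
!
"""

if __name__ == "__main__":
    for name, other in (("SI_B", SI_B), ("SI_C", SI_C)):
        for cmd, ours, theirs in mismatches(SI_A, other):
            print("SI_A vs %s: %s differs: %r vs %r" % (name, cmd, ours, theirs))
```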

quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-tc-1)# quit
ServerIron>

Syntax: quit
Possible values: N/A
Default value: N/A

rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.

show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see "Show Commands" on page 21-1.

spoof-support
Configures the ServerIron to support TCS using cache servers that send requests to the Internet using the
requesting client's IP address as the source (known as cache server spoofing).
EXAMPLE:
ServerIron(config)# server cache-group 1
ServerIron(config-tc-1)# spoof-support

Syntax: [no] spoof-support


Possible values: N/A
Default value: Cache server spoofing support is disabled by default.

source-nat
Configures the ServerIron to translate the source address of client requests the ServerIron forwards to cache
servers. The ServerIron changes the address to a source IP address you have configured on the ServerIron.


Add source IP addresses and enable source NAT if the ServerIron and cache server are in different sub-nets. For
information, see the "Configuring Network Address Translation" chapter of the Foundry ServerIron Installation and
Configuration Guide.
EXAMPLE:
ServerIron(config-tc-1)# source-nat

Syntax: [no] source-nat


Possible values: N/A
Default value: Disabled

sym-priority
Specifies the priority of this ServerIron with respect to the other ServerIron for the firewalls in the firewall group.
The ServerIron with the higher priority is the default active ServerIron for the firewalls within the group.
EXAMPLE:
SI-ActiveA(config)# server fw-group 2
SI-ActiveA(config-tc-2)# sym-priority 254

Syntax: sym-priority <priority>


Possible values: 0 – 255; setting the priority to 0 removes the priority setting from the configuration
Default value: N/A

url-host-id
This command is used in conjunction with the Content Aware Cache Switching feature on the ServerIron. This
command causes HTTP requests for a specified host to be evaluated by a specified URL switching policy.
EXAMPLE:
To cause HTTP requests for www.mysite.com to be evaluated by policyA:
ServerIron(config-tc-1)# url-host-id www.mysite.com policyA

Syntax: url-host-id <host> <policy-name>


Possible values: Host name, URL switching policy name
Default value: N/A

url-map
This command is used in conjunction with the Content Aware Cache Switching feature on the ServerIron. This
command specifies a URL switching policy to be active for this cache group. If you configure more than one URL
switching policy, the policies must be linked together.
EXAMPLE:
To specify a URL switching policy to be active for a cache group:
ServerIron(config-tc-1)# url-map p1

Syntax: url-map <policy-name>


Possible values: URL switching policy name
Default value: N/A

url-switch
Activates Content Aware Cache Switching for this cache group. You must have already defined the URL switching
policies before entering this command.
EXAMPLE:
To activate Content Aware Cache Switching for a cache group:

ServerIron(config-tc-1)# url-switch

Syntax: url-switch
Possible values: N/A
Default value: N/A

virtual-ip
This command configures the ServerIron for either of the following features:

• Policy-based Cache Failover. See the "Configuring Transparent Cache Switching" chapter in the Foundry
ServerIron Installation and Configuration Guide.
• FWLB for VPN firewalls. See the Foundry ServerIron Firewall Load Balancing Guide.

EXAMPLE:
To add virtual IP address 209.157.22.26 to cache group 1, enter the following command:
ServerIron(config-tc-1)# virtual-ip 209.157.22.26
EXAMPLE:
To enable the VPN Load Balancing feature and specify the FireWall-1 Cluster IP address, enter the following
commands. These commands apply to the ServerIron that is connected to the Internet side of the firewalls.
ServerIron(config)# server vpn-lb
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# virtual-ip 10.10.1.10

Syntax: virtual-ip <ip-addr>


You do not need to enter a network mask.
Possible values: N/A
Default value: N/A

write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-tc-1)# write memory

Syntax: write memory


Possible values: N/A
Default value: N/A

write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-tc-1)# write terminal

Syntax: write terminal


Possible values: N/A
Default value: N/A


Chapter 13
GSLB Affinity Commands

end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-gslb-affinity)# end
ServerIron#

Syntax: end
Possible values: N/A
Default value: N/A

exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-gslb-affinity)# exit
ServerIron(config)#

Syntax: exit
Possible values: N/A
Default value: N/A

no
This command is used to disable other commands. To do so, place the word no before the command.

prefer
Configures a GSLB affinity definition. The GSLB Affinity feature configures the GSLB ServerIron to always prefer
a specific site ServerIron for queries from clients whose addresses are within a given IP prefix. For more
information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation
and Configuration Guide.
EXAMPLE:
To configure an affinity definition, enter commands such as the following:
ServerIron(config)# gslb affinity
ServerIron(config-gslb-affinity)# prefer sunnyvale slb-1 for 0.0.0.0/0
ServerIron(config-gslb-affinity)# prefer atlanta slb-1 for 192.108.22.0/22
These commands configure a default affinity definition (using the 0.0.0.0/0 prefix) and an affinity definition that
uses prefix 192.108.22.0/22. For clients that are not within the prefix in the second affinity definition, the
ServerIron uses the default affinity definition. The ServerIron sends clients whose IP addresses are within the
192.108.22.0/22 prefix to a VIP on slb-1 at the atlanta site, when available. The ServerIron sends all other
clients to a VIP on slb-1 at the sunnyvale site when available.

Syntax: gslb affinity


This command places the CLI at the affinity configuration level.

Syntax: [no] prefer <site-name> <si-name> | <si-ip-addr> for <ip-addr> <ip-mask> | <ip-addr>/<prefix-length>
You can refer to the ServerIron by its GSLB site name and ServerIron name or by its management IP address.
Use one of the following parameters:

The <site-name> and <si-name> parameters specify the remote site and a ServerIron at that site. If you use
this method, you must specify both parameters.

The <si-ip-addr> parameter specifies the site ServerIron's management IP address.

NOTE: In either case, the running-config and the startup-config file refer to the ServerIron by its IP address.
The <ip-addr> <ip-mask> or <ip-addr>/<prefix-length> parameter specifies the prefix. You can specify a mask
from 0.0.0.0 - 255.255.255.254. If you instead specify a prefix length, you can specify from 0 - 31 bits.
If you specify 0.0.0.0 0.0.0.0 or 0.0.0.0/0, the ServerIron applies the affinity definition to all client addresses. As a
result, an address that does not match another affinity definition uses the zero affinity definition by default. If you
do not configure a default affinity definition, the ServerIron uses the standard GSLB policy for clients whose
addresses are not within a prefix in an affinity definition.
Possible values: See above.
Default value: N/A
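
The following Python model of the prefer definitions is an added example, not Foundry code. It parses both prefix forms and shows which clients each definition covers. It assumes that the most specific matching prefix wins (the text above only states that 0.0.0.0/0 applies when no other definition matches), and it uses standard CIDR arithmetic, under which the /22 containing 192.108.22.0 starts at 192.108.20.0.

```python
"""Added example (not Foundry code): model of GSLB affinity 'prefer' matching."""
import ipaddress

# Constructed input: the two definitions from the example above, plus one that
# uses the <si-ip-addr> and <ip-addr> <ip-mask> forms.
SAMPLE = [
    "prefer sunnyvale slb-1 for 0.0.0.0/0",
    "prefer atlanta slb-1 for 192.108.22.0/22",
    "prefer 209.157.22.210 for 10.0.0.0 255.0.0.0",
]


def parse_prefer(line):
    """Parse one prefer command into (target, network, rounded).

    rounded is True when the address has bits set beyond the prefix length,
    so the network actually covered starts below the address as typed.
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "prefer" or "for" not in tokens:
        raise ValueError(f"not a prefer command: {line!r}")
    cut = tokens.index("for")
    target, prefix = tokens[1:cut], tokens[cut + 1:]
    if len(target) == 1:
        ipaddress.IPv4Address(target[0])        # lone token must be <si-ip-addr>
    elif len(target) != 2:
        raise ValueError("expected <site-name> <si-name> or <si-ip-addr>")
    if len(prefix) == 2:                         # <ip-addr> <ip-mask>
        spec = f"{prefix[0]}/{prefix[1]}"
    elif len(prefix) == 1 and "/" in prefix[0]:  # <ip-addr>/<prefix-length>
        spec = prefix[0]
    else:
        raise ValueError(f"bad prefix in: {line!r}")
    net = ipaddress.IPv4Network(spec, strict=False)
    if net.prefixlen > 31:
        raise ValueError("documented range is 0-31 bits")
    rounded = str(net.network_address) != spec.split("/")[0]
    return " ".join(target), net, rounded


def select_affinity(definitions, client_ip):
    """Return the preferred target for client_ip.

    None means no definition matched, in which case the text above says the
    standard GSLB policy is used.
    """
    addr = ipaddress.IPv4Address(client_ip)
    matches = [(net, target) for target, net, _ in definitions if addr in net]
    if not matches:
        return None
    # Assumption: the most specific (longest) matching prefix wins.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


if __name__ == "__main__":
    defs = [parse_prefer(line) for line in SAMPLE]
    for target, net, rounded in defs:
        note = " (address rounded down to network boundary)" if rounded else ""
        print(f"{net} -> {target}{note}")
    for client in ("192.108.21.5", "192.108.24.1", "10.9.8.7"):
        print(client, "->", select_affinity(defs, client))
```
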

quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-gslb-affinity)# quit
ServerIron>

Syntax: quit
Possible values: N/A
Default value: N/A

rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.

show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see "Show Commands" on page 21-1.

write memory
Saves the running-time configuration into the startup-config file.


EXAMPLE:
ServerIron(config-gslb-affinity)# write memory

Syntax: write memory


Possible values: N/A
Default value: N/A

write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-gslb-affinity)# write terminal

Syntax: write terminal


Possible values: N/A
Default value: N/A


Chapter 14
GSLB DNS Zone Commands

end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-gslb-dns-foundrynet.com)# end
ServerIron#

Syntax: end
Possible values: N/A
Default value: N/A

exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-gslb-dns-foundrynet.com)# exit
ServerIron(config)#

Syntax: exit
Possible values: N/A
Default value: N/A

host-info
Configures DNS zone and host information for GSLB.
EXAMPLE:
To specify the foundrynet.com zone and two host names, each of which is associated with an application, enter
the following commands:
ServerIron(config)# gslb dns zone-name foundrynet.com
ServerIron(config-gslb-dns-foundrynet.com)# host-info www http
ServerIron(config-gslb-dns-foundrynet.com)# host-info ftp ftp
The commands in this example add the zone foundrynet.com and add two hosts within that zone: www and ftp.
The GSLB ServerIron will provide global SLB for these two hosts within the zone.


Syntax: [no] gslb dns zone-name <name>


The <name> parameter specifies the DNS zone name.
NOTE: If you delete a DNS zone (by entering the no gslb dns zone-name <name> command), the zone and all
the host names you associated with the zone are deleted.

Syntax: [no] host-info <host-name> <host-application> | <tcp/udp-portnum>


The <host-name> parameter specifies the host name. You do not need to enter the entire (fully-qualified) host
name. Enter only the host portion of the name. For example, if the fully qualified host name is
www.foundrynet.com, do not enter the entire name. Enter only www. The rest of the name is already specified
by the gslb dns zone-name command. You can enter a name up to 32 characters long.
The <host-application> specifies the host application for which you want the GSLB ServerIron to provide global
SLB. You can specify one of the following:

FTP - the well-known name for port 21. (Ports 20 and 21 both are FTP ports but on the ServerIron, the name
FTP corresponds to port 21.)

TFTP - the well-known name for port 69

HTTP - the well-known name for port 80

IMAP4 - the well-known name for port 143

LDAP - the well-known name for port 389

NNTP - the well-known name for port 119

POP3 - the well-known name for port 110

SMTP - the well-known name for port 25

TELNET - the well-known name for port 23

The <tcp/udp-portnum> parameter specifies a TCP/UDP port number instead of a well-known port. If the
application is not one of those listed above, you still can configure the GSLB ServerIron to perform the Layer 4
health check on the specified port.
NOTE: If the application number does not correspond to one of the well-known ports recognized by the
ServerIron, the GSLB ServerIron performs Layer 4 TCP or UDP health checks for the ports but does not perform
application-specific health checks.
Possible values: see above
Default value: N/A

no
This command is used to disable other commands. To do so, place the word no before the command.

quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-gslb-dns-foundrynet.com)# quit
ServerIron>

Syntax: quit
Possible values: N/A
Default value: N/A


rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.

show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see "Show Commands" on page 21-1.

write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-gslb-dns-foundrynet.com)# write memory

Syntax: write memory


Possible values: N/A
Default value: N/A

write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-gslb-dns-foundrynet.com)# write terminal

Syntax: write terminal


Possible values: N/A
Default value: N/A


Chapter 15
GSLB Site Commands

end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-gslb-site-sunnyvale)# end
ServerIron#

Syntax: end
Possible values: N/A
Default value: N/A

exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-gslb-site-sunnyvale)# exit
ServerIron(config)#

Syntax: exit
Possible values: N/A
Default value: N/A

geo-location
Explicitly identifies the geographic location of a GSLB site. By default, the GSLB ServerIron uses a site's IP
address to determine its geographic location.
EXAMPLE:
To explicitly identify Sunnyvale's geographic location as North America, enter the following commands:
ServerIron(config)# gslb site sunnyvale
ServerIron(config-gslb-site-sunnyvale)# geo-location n-america

Syntax: [no] geo-location asia | europe | n-america | s-america


Possible values: see above
Default value: the region associated with the site's IP address


no
This command is used to disable other commands. To do so, place the word no before the command.

quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-gslb-site-sunnyvale)# quit
ServerIron>

Syntax: quit
Possible values: N/A
Default value: N/A

rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.

show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see "Show Commands" on page 21-1.

si-name
Specifies the remote ServerIrons in a GSLB site.
EXAMPLE:
To identify two server sites, each containing two ServerIrons, enter the following commands:
ServerIron(config)# gslb site sunnyvale
ServerIron(config-gslb-site-sunnyvale)# si-name slb-1 209.157.22.209
ServerIron(config-gslb-site-sunnyvale)# si-name slb-2 209.157.22.210
ServerIron(config)# gslb site atlanta
ServerIron(config-gslb-site-atlanta)# si-name slb-1 192.108.22.111
ServerIron(config-gslb-site-atlanta)# si-name slb-2 192.108.22.112
These commands configure two GSLB sites. One of the sites is in Sunnyvale and the other is in Atlanta. Each
site contains two ServerIrons that load balance traffic across server farms. The GSLB ServerIron you are
configuring will use information provided by the other ServerIrons when it evaluates the servers listed in DNS
replies.

Syntax: [no] si-name [<name>] <ip-addr> [<preference>]


The <name> parameter specifies a unique name for the ServerIron at the site. You can enter a string up to 16
characters long. The string can contain blanks. To use blanks, enclose the string in quotation marks. You can
enter up to four pairs of ServerIron names and IP addresses on the same command line. The name is optional.
NOTE: Enter the ServerIron's management IP address, not a virtual IP address (VIP) configured on the
ServerIron or a source IP address added for source NAT.
The <preference> parameter sets the administrative preference for the site. When you enable the administrative
preference as a GSLB metric, the administrative preference can be used by the GSLB policy when comparing this
site with other sites. You can specify a preference from 0 - 255. The default preference is 128. The GSLB policy
prefers high preference values over low preference values. If you specify 0, the site is administratively removed
from selection by the GSLB policy but remains connected to the network.


For example, to set the administrative preference for a site ServerIron to 255, enter a command such as the
following:
ServerIron(config-gslb-site-sunnyvale)# si-name slb-1 209.157.22.20 255
To change the preference for a site ServerIron you have already configured, use the same command syntax. You
do not need to reconfigure other site parameters when you change the preference. For example, to change the
preference for a site ServerIron from the default (128) to 200, enter a command such as the following:
ServerIron(config-gslb-site-sunnyvale)# si-name slb-2 209.157.22.210 200
NOTE: The administrative preference metric is disabled by default, which means it is not used by the GSLB
policy. The GSLB policy uses the preference values only if you enable this metric.
By default, the GSLB ServerIron uses a site's IP address to determine its geographic location. Alternatively, you
can explicitly identify the location. To do so, use the following command.

Syntax: [no] geo-location asia | europe | n-america | s-america


For example, to explicitly identify Sunnyvale's geographic location as North America, enter the following
commands:
ServerIron(config)# gslb site sunnyvale
ServerIron(config-gslb-site-sunnyvale)# geo-location n-america
Possible values: see above
Default value: N/A

write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-gslb-site-sunnyvale)# write memory

Syntax: write memory


Possible values: N/A
Default value: N/A

write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-gslb-site-sunnyvale)# write terminal

Syntax: write terminal


Possible values: N/A
Default value: N/A


Chapter 16
GSLB Policy Commands

capacity
Disables or re-enables the capacity threshold GSLB metric. This metric represents a site ServerIron's available
TCP/UDP session capacity. This metric is enabled by default, which means the GSLB ServerIron uses this metric
when evaluating the sites in a DNS reply to choose the best site.
EXAMPLE:
To disable this metric, enter the following command:
ServerIron(config-gslb-policy)# no capacity
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# capacity

Syntax: [no] capacity


Possible values: enabled or disabled
Default value: enabled

capacity threshold
Specifies how close to the maximum session capacity the site ServerIron (remote ServerIron) can be and still be
eligible as the best site for the client. This mechanism provides a way to shift load away from a site before the site
becomes congested. The default value for the threshold is 90%. Thus a site ServerIron is eligible to be the best
site only if its session utilization is below 90%.
EXAMPLE:
To change the session-table capacity metric, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# capacity threshold 99

Syntax: [no] capacity threshold <num>


The <num> parameter specifies the maximum percentage of a site ServerIron's session table that can be in use.
If the ServerIron's session table utilization is greater than the specified percentage, the GSLB ServerIron prefers
other sites over this site. You can specify a percentage from 0 - 100. The default is 90.
Possible values: 0 - 100
Default value: 90


dns active-only
Configures the ServerIron to remove IP addresses from DNS replies when those addresses fail a health check.
The ServerIron removes the addresses that fail the check so long as the DNS query still contains at least one
address that passes the health check.
NOTE: A site must pass all applicable health checks (Layer 4 and Layer 7) to avoid being removed.
EXAMPLE:
To configure the ServerIron to remove IP addresses from DNS replies when those addresses fail a health check,
enter the following commands.
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# dns active-only

Syntax: [no] dns active-only


Possible values: enabled or disabled
Default value: disabled

dns check-interval
Changes the refresh interval for DNS queries to refresh and verify zone and host information. The GSLB ServerIron
sends the queries to the DNS for which it is configured to be a proxy.
EXAMPLE:
To change the refresh interval, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# dns check-interval 50

Syntax: [no] dns check-interval <num>


The <num> parameter specifies the interval and can be from 0 - 1000000000 seconds. The default is 30
seconds.
Possible values: 0 - 1000000000 seconds
Default value: 30 seconds

dns ttl
Specifies the value to which the GSLB ServerIron changes the TTL of each DNS record contained in DNS replies
received from the DNS for which the ServerIron is a proxy.
EXAMPLE:
To change the TTL, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# dns ttl 45

Syntax: [no] dns ttl <num>


The <num> parameter specifies the TTL and can be from 0 - 1000000000 seconds. The default is 10 seconds.
For all GSLB features except DNS cache proxy, the command no dns ttl configures the ServerIron to use the TTL
from the DNS. If you are using DNS cache proxy, this command resets the TTL to 10.
Possible values: 0 - 1000000000 seconds
Default value: 10 seconds

end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.

ServerIron(config-gslb-policy)# end
ServerIron#

Syntax: end
Possible values: N/A
Default value: N/A

exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-gslb-policy)# exit
ServerIron(config)#

Syntax: exit
Possible values: N/A
Default value: N/A

flashback
Disables or re-enables the FlashBack GSLB metric. This metric indicates how quickly the GSLB ServerIron
receives Layer 4-7 health check results. This metric is enabled by default, which means the GSLB ServerIron
uses this metric when evaluating the sites in a DNS reply to choose the best site.
EXAMPLE:
To disable this metric, enter the following command:
ServerIron(config-gslb-policy)# no flashback
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# flashback

Syntax: [no] flashback


Possible values: enabled or disabled
Default value: enabled

flashback application | tcp tolerance <num>


Modifies the following FlashBack parameters:

Application tolerance

TCP tolerance

The GSLB ServerIron uses a tolerance value when comparing the FlashBack speeds of different sites. The
tolerance value specifies the percentage by which the FlashBack speeds of the two sites must differ in order for
the ServerIron to choose one over the other. The default FlashBack tolerance is 10%. Thus, if the FlashBack
speeds of two sites are within 10% of one another, the ServerIron considers the sites to be equal. However, if the
speeds differ by more than 10%, the ServerIron prefers the site with the lower FlashBack speed.
FlashBack speeds are measured at Layer 4 for all TCP/UDP ports. For the application ports known to the
ServerIron, the FlashBack speed of the application is also measured.
When the ServerIron compares the FlashBack speeds, it compares the Layer 7 (application-level) FlashBack
speeds first, if applicable. If the application has a Layer 7 health check and if the FlashBack speeds are not equal,
the ServerIron is through comparing the FlashBack speeds. However, if only the Layer 4 health check applies to
the application, or if further tie-breaking is needed, the ServerIron then compares the Layer 4 FlashBack speeds.


EXAMPLE:
To change the tolerances for the response times of TCP and application health checks, when used as a metric for
selecting a site, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# flashback application tolerance 30
ServerIron(config-gslb-policy)# flashback tcp tolerance 50

Syntax: [no] flashback application | tcp tolerance <num>


The application | tcp parameter specifies whether you are modifying the tolerance for the Layer 4 TCP health
check or the Layer 7 application health checks. You can change one or both and the values do not need to be the
same. For each, you can specify from 0 - 100. The default for each is 10.
Possible values: 0 - 100
Default value: 10

geographic
Disables or re-enables the geographic GSLB metric. This metric indicates the geographic location of a site. This
metric is enabled by default, which means the GSLB ServerIron uses this metric when evaluating the sites in a
DNS reply to choose the best site.
EXAMPLE:
To disable this metric, enter the following command:
ServerIron(config-gslb-policy)# no geographic
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# geographic

Syntax: [no] geographic


Possible values: enabled or disabled
Default value: enabled

health-check
Disables or re-enables the health-check GSLB metric. This metric indicates whether the site has passed the
Layer 4 and (if applicable) Layer 7 health checks. The GSLB ServerIron uses this metric when evaluating the sites
in a DNS reply to choose the best site.
EXAMPLE:
To disable this metric, enter the following command:
ServerIron(config-gslb-policy)# no health-check
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# health-check

Syntax: [no] health-check


Possible values: enabled or disabled
Default value: enabled

metric-order
Changes the order in which the GSLB ServerIron applies the policy metrics. To change the order, specify the
metrics in the desired order.


NOTE: Foundry Networks recommends that you always use the health check as the first metric. Otherwise, it is
possible that the GSLB policy will not select a "best choice," and thus send the DNS reply unchanged. For
example, if the first metric is geographic location, and the DNS reply contains two sites, one in North America and
the other in South America, for clients in South America the GSLB policy favors the South American site after the
first comparison. However, if that site is down, the GSLB policy will find that none of the sites in the reply is the
best one, and thus send the reply unchanged.
You cannot disable or change the position of the Least Response Selection metric. The GSLB ServerIron uses
this metric as a tie-breaker if the other comparisons do not result in selection of a best site.

EXAMPLE:
To specify a new GSLB policy order, enter a command such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# metric-order set round-trip-time capacity num-session flashback
This command changes the GSLB policy to the following:

The round-trip time between the remote ServerIron and the DNS client

The site ServerIron's session capacity threshold

The site ServerIron's available session capacity

The site ServerIron's FlashBack speed (how quickly the GSLB receives the health check results)

The Least Response selection (the site ServerIron that has been selected less often than others)

Two of the metrics, server health and geographic location, are not specified. As a result, these metrics are not
used when evaluating site IP addresses in the DNS responses.
To display the GSLB policy after you change it, enter the show gslb policy command. For more information, see
the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration
Guide.

Syntax: [no] metric-order set <list>


The <list> parameter is a list of the metrics you want to use, in the order you want the GSLB ServerIron to use
them. The GSLB uses the metrics in the order you specify them. You can specify one or more of the following:

capacity - The site ServerIron's available session capacity

flashback - The site ServerIron's FlashBack speed (how quickly the GSLB receives the health check results)

geographic - The geographic location of the server

health-check - The Layer 4 and application health checks

num-session - The site ServerIron's session capacity threshold

preference - The administratively configured preference for the site ServerIron

round-trip-time - The round-trip time between the remote ServerIron and the DNS client

There is no parameter for the Least Response Selection. This metric is always enabled and is always the last one
in the policy.
To reset the order of the GSLB policy metrics to the default (and also re-enable all disabled metrics), enter the
following command:
ServerIron(config-gslb-policy)# metric-order default

Syntax: metric-order default


The no metric-order set command also resets the order and re-enables all disabled metrics. This command is
equivalent to metric-order default.

Possible values: any combination or order


Default value: The GSLB ServerIron applies the metrics in the following order:

health-check

num-session

round-trip-time

geographic

capacity

flashback

administrative preference (when enabled; this metric is disabled by default)

least-response (this metric is a tie-breaker and is always enabled and always last; you cannot disable or reorder this metric)

no
This command is used to disable other commands. To do so, place the word no before the command.

num-session
Disables or re-enables the GSLB metric for the site ServerIron's session capacity threshold. The capacity
threshold specifies how close to the maximum session capacity the site ServerIron (remote ServerIron) can be
and still be eligible as the best site for the client. This mechanism provides a way to shift load away from a site
before the site becomes congested. The GSLB ServerIron uses this metric when evaluating the sites in a DNS
reply to choose the best site.
EXAMPLE:
To disable this metric, enter the following command:
ServerIron(config-gslb-policy)# no num-session
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# num-session

Syntax: [no] num-session


Possible values: enabled or disabled
Default value: enabled

num-session tolerance
Specifies the percentage by which the number of available sessions on the site ServerIron can differ from the
number of available sessions on another site ServerIron and still be considered an equally good site.
EXAMPLE:
To change the session-table tolerance metric, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# num-session tolerance 20

Syntax: [no] num-session tolerance <num>


The <num> parameter specifies the maximum percentage by which the session table utilization on ServerIrons at
different sites can differ without the GSLB ServerIron selecting one over the other based on this metric. You can
specify a tolerance from 0 - 100. The default is 10.
Possible values: 0 - 100
Default value: 90


preference
Enables the administrative preference GSLB metric.
To assign preference values for individual site ServerIrons, see "si-name" on page 15-2.
EXAMPLE:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# preference
Possible values: N/A
Default value: Disabled

protocol
Enables the GSLB protocol on a site ServerIron.
For security, remote ServerIrons do not listen to TCP port 182 (the GSLB protocol port) by default. This means
the GSLB protocol is disabled on remote site ServerIrons by default. For a remote ServerIron to use the protocol,
you must enable the protocol on the remote ServerIron.
NOTE: Enter this command on the site ServerIron, not on the GSLB ServerIron.
NOTE: You also can secure access to a ServerIron by configuring Access Control Lists (ACLs). For example,
you can configure ACLs to control access to the device on TCP port 182. See the "Using Access Control Lists
(ACLs)" chapter in the Foundry Switch and Router Installation and Basic Configuration Guide.
EXAMPLE:
To enable a remote ServerIron to use the GSLB protocol, enter the following command:
ServerIron(config)# gslb protocol

Syntax: [no] gslb protocol


Possible values: N/A
Default value: Disabled
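
The following Python lint is an added example, not Foundry code. It reviews a saved configuration for the points raised in the metric-order and protocol entries above: health-check missing from or not first in the metric order, the GSLB protocol port enabled, and numeric values outside the documented ranges. It assumes the configuration is a text dump with one command per line as typed at the CLI; the rule IDs and sample configurations are constructed for illustration.

```python
"""Added example (not Foundry code): lint GSLB lines of a ServerIron config dump."""
import ipaddress
import shlex

# Constructed samples; every command in them appears in this chapter.
GSLB_SAMPLE = """\
gslb site sunnyvale
 si-name slb-1 209.157.22.209
 si-name "slb 2" 209.157.22.210 0
gslb policy
 round-trip-time cache-prefix 32
 metric-order set round-trip-time capacity num-session flashback
"""
SITE_SAMPLE = "gslb protocol\n"

KNOWN_METRICS = {"capacity", "flashback", "geographic", "health-check",
                 "num-session", "preference", "round-trip-time"}

# Documented ranges for numeric GSLB policy parameters in this chapter.
RANGES = {
    ("capacity", "threshold"): (0, 100),
    ("num-session", "tolerance"): (0, 100),
    ("flashback", "application", "tolerance"): (0, 100),
    ("flashback", "tcp", "tolerance"): (0, 100),
    ("round-trip-time", "cache-interval"): (10, 300),
    ("round-trip-time", "cache-prefix"): (1, 31),
    ("round-trip-time", "explore-percentage"): (0, 100),
    ("dns", "ttl"): (0, 1000000000),
    ("dns", "check-interval"): (0, 1000000000),
}


def tokenize(line):
    """Split a config line, keeping quoted names such as "slb 2" together."""
    try:
        return shlex.split(line)
    except ValueError:              # unbalanced quote: fall back to plain split
        return line.split()


def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def audit_gslb(config_text):
    """Return (rule_id, message) findings in the order they are detected."""
    cmds = [tokenize(ln) for ln in config_text.splitlines() if ln.strip()]
    findings = []
    if ["gslb", "protocol"] in cmds:
        findings.append(("GSLB-PROTOCOL", "device listens on TCP port 182; "
                         "confirm an ACL limits that port to the GSLB ServerIron"))
    for toks in cmds:
        if toks[:2] == ["metric-order", "set"]:
            order = toks[2:]
            unknown = sorted(set(order) - KNOWN_METRICS)
            if unknown:
                findings.append(("UNKNOWN-METRIC",
                                 "not a documented metric: " + ", ".join(unknown)))
            if "health-check" not in order:
                findings.append(("HEALTH-CHECK-UNUSED",
                                 "metric-order omits health-check, so it is not used"))
            elif order[0] != "health-check":
                findings.append(("HEALTH-CHECK-NOT-FIRST",
                                 "Foundry recommends health-check as the first metric"))
        elif toks == ["no", "health-check"]:
            findings.append(("HEALTH-CHECK-UNUSED", "health-check metric is disabled"))
        elif (toks[0] == "si-name" and len(toks) >= 3
              and toks[-1] == "0" and is_ipv4(toks[-2])):
            findings.append(("PREFERENCE-ZERO", toks[-2] + " has preference 0: "
                             "administratively removed from selection"))
        for key, (low, high) in RANGES.items():
            if tuple(toks[:-1]) == key and toks[-1].isdigit():
                if not low <= int(toks[-1]) <= high:
                    findings.append(("OUT-OF-RANGE", " ".join(toks)
                                     + f": documented range is {low}-{high}"))
    if ["gslb", "policy"] in cmds and ["dns", "active-only"] not in cmds:
        findings.append(("DNS-ACTIVE-ONLY-OFF", "dns active-only is not set: addresses "
                         "that fail health checks stay in DNS replies"))
    return findings


if __name__ == "__main__":
    for name, text in (("GSLB ServerIron", GSLB_SAMPLE), ("site ServerIron", SITE_SAMPLE)):
        for rule_id, message in audit_gslb(text):
            print(f"{name}: {rule_id}: {message}")
```
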

quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-gslb-policy)# quit
ServerIron>

Syntax: quit
Possible values: N/A
Default value: N/A

round-trip-time
Disables or re-enables the GSLB metric for the round-trip time between the remote ServerIron and the DNS client.
The Round-trip time (RTT) is the amount of time that passes between when the remote site initiates a TCP
connection (sends a TCP SYN) to the client and when the remote site receives the client's acknowledgment of the
connection request (sends a TCP ACK). The GSLB ServerIron learns the RTT information from the site
ServerIrons through the Foundry GSLB protocol and uses the information as a metric when comparing site IP
addresses. The GSLB ServerIron uses this metric when evaluating the sites in a DNS reply to choose the best
site.
EXAMPLE:
To disable this metric, enter the following command:


ServerIron(config-gslb-policy)# no round-trip-time
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# round-trip-time

Syntax: [no] round-trip-time


Possible values: enabled or disabled
Default value: enabled

round-trip-time cache-interval
Changes the RTT cache interval, which specifies how often the site ServerIrons use the Foundry GSLB protocol
to send RTT information to the GSLB ServerIron. The GSLB ServerIron stores this information in a cache. The
GSLB ServerIron uses the entries in the cache when using the RTT metric to evaluate IP addresses in a DNS
reply.
EXAMPLE:
To change the RTT cache interval, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# round-trip-time cache-interval 30
The command in this example changes the RTT cache interval from 10 seconds to 30 seconds.

Syntax: [no] round-trip-time cache-interval <num>


The <num> parameter specifies the aging interval and can be from 10 - 300 seconds. The default is 10 seconds.
Possible values: 10 - 300 seconds
Default value: 10 seconds

round-trip-time cache-prefix
Changes the RTT cache prefix, which specifies the level of aggregation that occurs in the GSLB ServerIron's RTT
cache. The entries in the RTT cache include IP address information for the clients. To avoid overflowing the
cache, cache entries are aggregated based on the IP information. For example, if the GSLB ServerIron receives
RTT information for clients at 192.21.4.69 and 192.21.4.18, and the cache prefix is 31 bits, both addresses go in
as separate entries. However, if the prefix is 16 bits, the GSLB ServerIron aggregates the addresses. In this case,
only one entry, 192.21.x.x goes in the cache.
EXAMPLE:
To change the RTT cache prefix, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# round-trip-time cache-prefix 16
The command in this example changes the RTT cache prefix from 20 bits to 16 bits.

Syntax: [no] round-trip-time cache-prefix <num>


The <num> parameter specifies the number of significant bits in the prefix and can be from 1 - 31. The default is
20.
Possible values: 1 - 31
Default value: 20

round-trip-time explore-percentage
Changes the RTT explore percentage, which prevents the GSLB ServerIron from unfairly biasing selection of the
best site based on previous RTT responses.
Site ServerIrons send RTT information only for the sessions that clients open with them. These are clients
referred to the site ServerIron by the GSLB ServerIron. If the metrics that come before this one (based on the
GSLB policy order) do not select a best site, the ServerIron selects a site based on RTT.


Since the only RTT information received by the GSLB ServerIron comes from the site ServerIrons to which the
GSLB ServerIron has referred clients, it is possible for the GSLB ServerIron to continually bias its selection toward
the first site ServerIron that sent RTT information. To prevent this from occurring, the GSLB ServerIron
intentionally ignores the RTT metric for a specified percentage of the requests from a given client network. You
can specify an RTT explore percentage from 0 – 100. The default is 5. By default, the GSLB ServerIron ignores
the RTT for 5% of the client requests from a given network.
EXAMPLE:
To change the RTT explore percentage, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# round-trip-time explore-percentage 10
The command in this example changes the RTT explore percentage from 5% to 10%.

Syntax: [no] round-trip-time explore-percentage <num>


The <num> parameter specifies the explore percentage and can be from 0 – 100. The default is 5.
Possible values: 0 – 100
Default value: 5

round-trip-time tolerance
Changes the RTT tolerance. When the GSLB ServerIron compares two site IP addresses based on RTT, the
GSLB ServerIron favors one site over the other only if the difference between the RTT values is greater than the
specified percentage. This percentage is the RTT tolerance. You can set the RTT tolerance to a value from
0 – 100. The default is 10%.
EXAMPLE:
To change the RTT tolerance, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# round-trip-time tolerance 70
The command in this example changes the RTT tolerance from 10% to 70%.

Syntax: [no] round-trip-time tolerance <num>


The <num> parameter specifies the percentage above which the RTTs of two sites must differ for the GSLB
ServerIron to favor one site over the other based on the RTT. You can specify a value from 0 – 100. The default is
10%.
Possible values: 0 – 100%
Default value: 10%

rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.

show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see "Show Commands" on page 21-1.

static-prefix
Adds static prefix information to the cache. For example, you can add static cache entries with longer prefix
information than the dynamic cache entries to ensure that RTT information is stored under the static entries
instead of dynamic cache entries with shorter prefixes. This is useful when you want to ensure that certain
prefixes are always present in the cache regardless of how often the GSLB ServerIron receives RTT data for
them. Static prefixes do not age out.

NOTE: The GSLB ServerIron uses the most exact match when more than one prefix entry can apply to the same
site address. To ensure that the GSLB ServerIron uses a static entry instead of certain dynamic entries for a given
address, make sure the prefix of the static entry is longer than the prefix for dynamic entries.
NOTE: Since RTT information is stored under individual domain names that are queried, the RTT information
reported from remote ServerIrons is not recorded under the static records until the GSLB ServerIron receives
the first DNS query or response.
EXAMPLE:
To add a static prefix cache entry, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# static-prefix 61.1.1.1/20

Syntax: static-prefix <ip-addr>/<prefix-length>


The <ip-addr> specifies the address of the cache entry. This is not necessarily the address of a remote site. The
address you specify here is combined with the prefix length to result in a network prefix (network portion of an IP
address). The prefix length can be from 1 – 31.
NOTE: The prefix length 0 is not applicable to this feature and is ignored by the software.
You can enter more than one prefix on the same command line. Separate each prefix with a space. You can
configure up to 250 static prefixes on a ServerIron.
The command in this example configures an entry for address 61.1.1.1 with a prefix of 20 bits. (Due to the prefix
length, the value actually stored in the cache is 61.1.0.0/20.) When the GSLB ServerIron receives RTT
information for an address within the specified prefix, the GSLB ServerIron stores the information in the static
prefix entry configured above, instead of creating a dynamic entry.
Possible values: See above.
Default value: N/A
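
The aggregation described under round-trip-time cache-prefix and the most-exact-match rule described under static-prefix can be checked offline before changing either setting. The following Python model is an added example, not Foundry code; the class, its method names and the dictionary layout are assumptions made for illustration, and only the prefix arithmetic and the addresses come from the text above.

```python
import ipaddress


def aggregate(client_ip: str, prefix_bits: int) -> ipaddress.IPv4Network:
    """Network under which a client address is cached for a given cache prefix."""
    if not 1 <= prefix_bits <= 31:
        raise ValueError("cache prefix must be 1-31 bits")
    return ipaddress.ip_network(f"{client_ip}/{prefix_bits}", strict=False)


class RttCacheModel:
    """Toy model of the RTT cache, keyed by network prefix (assumed structure)."""

    def __init__(self, cache_prefix: int = 20, static_prefixes=()):
        self.cache_prefix = cache_prefix
        self.entries = {}  # IPv4Network -> {"static": bool, "rtt_ms": int or None}
        for cidr in static_prefixes:
            net = ipaddress.ip_network(cidr, strict=False)
            if not 1 <= net.prefixlen <= 31:
                raise ValueError("static prefix length must be 1-31")
            # Static entries exist before any RTT report arrives and never age out.
            self.entries[net] = {"static": True, "rtt_ms": None}

    def record(self, client_ip: str, rtt_ms: int) -> ipaddress.IPv4Network:
        """Store an RTT report under the most exact prefix that applies."""
        addr = ipaddress.ip_address(client_ip)
        candidates = [net for net in self.entries if addr in net]
        # The dynamic entry this report would create at the configured cache prefix.
        candidates.append(aggregate(client_ip, self.cache_prefix))
        best = max(candidates, key=lambda net: net.prefixlen)
        entry = self.entries.setdefault(best, {"static": False, "rtt_ms": None})
        entry["rtt_ms"] = rtt_ms
        return best

    def is_static(self, cidr: str) -> bool:
        return self.entries[ipaddress.ip_network(cidr)]["static"]


if __name__ == "__main__":
    # Addresses from the cache-prefix description: separate at 31 bits, merged at 16.
    for bits in (31, 16):
        print(bits, aggregate("192.21.4.69", bits), aggregate("192.21.4.18", bits))

    # static-prefix 61.1.1.1/20 is stored as 61.1.0.0/20 and absorbs reports in range.
    cache = RttCacheModel(cache_prefix=20, static_prefixes=["61.1.1.1/20"])
    print(cache.record("61.1.9.7", 40), cache.is_static("61.1.0.0/20"))

    # A static prefix shorter than the dynamic prefix loses to the dynamic entry.
    short = RttCacheModel(cache_prefix=20, static_prefixes=["192.21.0.0/16"])
    print(short.record("192.21.4.69", 12))
```

The last case is the one the first NOTE warns about: a static entry only takes precedence when its prefix is at least as long as the dynamic cache prefix.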

write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-gslb-policy)# write memory

Syntax: write memory


Possible values: N/A
Default value: N/A

write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-gslb-policy)# write terminal

Syntax: write terminal


Possible values: N/A
Default value: N/A


Chapter 17
URL Switching Commands

default
Specifies what happens when the URL string does not meet any of the selection criteria in a URL switching
policy's match command(s).
EXAMPLE:
The following commands define a URL switching policy called p1.
ServerIron(config)# url-map p1
ServerIron(config-url-p1)# method prefix
ServerIron(config-url-p1)# match "/home" 1
ServerIron(config-url-p1)# default p2
ServerIron(config-url-p1)# exit

Syntax: default <server-group-id> | <policy-name>


Possible values: Either a real server group ID number or another URL switching policy
Default value: N/A

end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-url-p1)# end
ServerIron#

Syntax: end
Possible values: N/A
Default value: N/A

exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-url-p1)# exit
ServerIron(config)#

Syntax: exit


Possible values: N/A


Default value: N/A

match
Specifies the selection criteria in a URL switching policy and indicates what to do when the URL string matches
the selection criteria.
EXAMPLE:
ServerIron(config-url-p1)# match "/home" 1

Syntax: match "<selection-criteria>" <server-group-id> | <policy-name>


Possible values:
The selection criteria can be up to 80 characters in length. A URL switching policy can contain multiple match
statements, each with different selection criteria. You can also use an asterisk (*) as a wildcard character to
specify one or more characters at the end of a URL string.
The second part of the match statement must refer to a server group configured on the ServerIron or to another
URL switching policy. In a Content Aware Cache Switching configuration, specifying 0 as the second part of the
match statement causes requests meeting the selection criteria to be directed to the Internet, rather than to a
cache server.
Default value: N/A

method
Specifies what kind of matching the URL switching policy does on the selection criteria.
EXAMPLE:
ServerIron(config-url-p1)# method prefix

Syntax: method prefix | suffix | pattern


Possible values:
Three kinds of matching methods are supported:
prefix compares the selection criteria to the beginning of the URL string.
suffix compares the selection criteria to the end of the URL string.
pattern looks for the selection criteria anywhere within the URL string.
Default value: N/A

no
This command is used to disable other commands. To do so, place the word no before the command.

quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-url-p1)# quit
ServerIron>

Syntax: quit
Possible values: N/A
Default value: N/A

rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.

show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see "Show Commands" on page 21-1.

tcp-port
Specifies a TCP port where HTTP requests evaluated by the URL switching policy are sent.
EXAMPLE:
ServerIron(config-url-urlmap3)# tcp-port 8081

Syntax: tcp-port <port-number>


Possible values: TCP port number
Default value: 80

write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-url-p1)# write memory

Syntax: write memory


Possible values: N/A
Default value: N/A

write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-url-p1)# write terminal

Syntax: write terminal


Possible values: N/A
Default value: N/A


Chapter 18
HTTP Match List Commands

default
Specifies what happens if none of the HTML text in the HTTP response message meets the selection criteria in
the matching list: either mark port 80 on the real server FAILED or ACTIVE.
EXAMPLE:
To cause port 80 on the real server to be marked FAILED if none of the selection criteria are found in the HTTP
response message:
ServerIron(config)# http match-list m4
ServerIron(config-http-ml-m4)# up compound "monkey see" "monkey do" log
ServerIron(config-http-ml-m4)# down compound "500" "Internal Server Error" log
ServerIron(config-http-ml-m4)# default down
ServerIron(config-http-ml-m4)# exit

Syntax: default down | up


Possible values: The down parameter causes port 80 on the real server to be marked FAILED if none of the
selection criteria are found in the HTTP response message; the up parameter causes port 80 on the real server to
be marked ACTIVE if none of the selection criteria are found in the HTTP response message.
Default value: up

down compound
Specifies the beginning and ending parts of a set of selection criteria. Text that begins with the first part and ends
with the second part meets the selection criteria. If the selection criteria is met, port 80 on the real server is
marked FAILED.
EXAMPLE:
To specify that if the HTML file contains a text string that begins with "500" and ends with "Internal Server Error",
the port is marked FAILED:
ServerIron(config)# http match-list m4
ServerIron(config-http-ml-m4)# down compound "500" "Internal Server Error" log
ServerIron(config-http-ml-m4)# exit

Syntax: down compound <start> <end> [log]


Possible values: The <start> and <end> parameters specify the beginning and end of a string of text. The log
parameter causes a Warning message to be logged when the selection criteria is met.
Default value: N/A


down simple
Specifies the selection criteria in a matching list. If the selection criteria is met, port 80 on the real server is
marked FAILED.
EXAMPLE:
To specify that if the HTML file contains the text "File Not Found", the port is marked FAILED:
ServerIron(config)# http match-list m1
ServerIron(config-http-ml-m1)# down simple "File Not Found"
ServerIron(config-http-ml-m1)# exit

Syntax: down simple <text> [log]


Possible values: The <text> parameter specifies the selection criteria. The log parameter causes a Warning
message to be logged when the selection criteria is met.
Default value: N/A

end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-http-ml-listname)# end
ServerIron#

Syntax: end
Possible values: N/A
Default value: N/A

exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-http-ml-listname)# exit
ServerIron(config)#

Syntax: exit
Possible values: N/A
Default value: N/A

no
This command is used to disable other commands. To do so, place the word no before the command.

quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-http-ml-listname)# quit
ServerIron>

Syntax: quit
Possible values: N/A
Default value: N/A


rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.

show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see "Show Commands" on page 21-1.

up compound
Specifies the beginning and ending parts of a set of selection criteria. Text that begins with the first part and ends
with the second part meets the selection criteria. If the selection criteria is met, port 80 on the real server is
marked ACTIVE.
EXAMPLE:
To specify that if the HTML file contains a text string that begins with "monkey see" and ends with "monkey do", the
port is marked ACTIVE:
ServerIron(config)# http match-list m4
ServerIron(config-http-ml-m4)# up compound "monkey see" "monkey do" log
ServerIron(config-http-ml-m4)# exit

Syntax: up compound <start> <end> [log]


Possible values: The <start> and <end> parameters specify the beginning and end of a string of text. The log
parameter causes a Warning message to be logged when the selection criteria is met.
Default value: N/A

up simple
Specifies the selection criteria in a matching list. If the selection criteria is met, port 80 on the real server is
marked ACTIVE.
EXAMPLE:
To specify that if the HTML file contains the text "elephant", the port is marked ACTIVE:
ServerIron(config)# http match-list m1
ServerIron(config-http-ml-m1)# up simple "elephant"
ServerIron(config-http-ml-m1)# exit

Syntax: up simple <text> [log]


Possible values: The <text> parameter specifies the selection criteria. The log parameter causes a Warning
message to be logged when the selection criteria is met.
Default value: N/A

write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-http-ml-listname)# write memory

Syntax: write memory


Possible values: N/A
Default value: N/A

write terminal
Displays the running-configuration of the ServerIron on the terminal screen.


EXAMPLE:
ServerIron(config-http-ml-listname)# write terminal

Syntax: write terminal


Possible values: N/A
Default value: N/A


Chapter 19
Server Monitor Commands

end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-slb-mon)# end
ServerIron#

Syntax: end
Possible values: N/A
Default value: N/A

exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-slb-mon)# exit
ServerIron(config)#

Syntax: exit
Possible values: N/A
Default value: N/A

history
Configures a history list for the Layer 4 statistics monitoring function.
EXAMPLE:
ServerIron(config)# server monitor
ServerIron(config-slb-mon)# history 1 buckets 5 interval 30 owner rkwong

Syntax: history <entry-number> buckets <number> interval <sampling-interval> owner <text-string>


Possible values:
<entry-number> Is the index number for the history list. This can be a number from 1 – 100.
buckets <number> Is the number of rows allocated to a data table for this history list. This can be a
number from 1 – 65535. This number of samples is stored in the data table. For
example, if you specify 10 buckets, the most recent 10 samples are stored in the
data table.
interval <sampling-interval> Is the sampling interval in seconds. The sampling interval can be from 1 – 3600
seconds.
owner <text-string> Specifies the owner of the history list.

Default value: N/A

no
This command is used to disable other commands. To do so, place the word no before the command.

quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-slb-mon)# quit
ServerIron>

Syntax: quit
Possible values: N/A
Default value: N/A

rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.

show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see "Show Commands" on page 21-1.

write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-slb-mon)# write memory

Syntax: write memory


Possible values: N/A
Default value: N/A

write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-slb-mon)# write terminal

Syntax: write terminal


Possible values: N/A
Default value: N/A


Chapter 20
Routing Information Protocol (RIP) Commands

NOTE: The RIP configuration level applies only to IP forwarding (Layer 3 IP).

deny redistribute
Configures a redistribution filter to deny redistribution for specific routes.
When you enable redistribution, all IP static routes are redistributed by default. If you want to deny certain routes
from being redistributed into RIP, configure deny filters for those routes before you enable redistribution. You can
configure up to 64 RIP redistribution filters. They are applied in ascending numerical order.
NOTE: The default redistribution action is still permit, even after you configure and apply redistribution filters to
the virtual routing interface. If you want to tightly control redistribution, apply a filter to deny all routes as the last
filter (filter ID 64), then apply filters with lower filter IDs to allow specific routes.
EXAMPLE:
To configure a redistribution filter, enter a command such as the following:
ServerIron(config-rip-router)# deny redistribute 1 static address 207.92.0.0 255.255.0.0
This command denies redistribution of all 207.92.x.x IP static routes.

Syntax: [no] deny redistribute <filter-num> static address <ip-addr> <ip-mask> [match-metric <value> | set-metric <value>]

The <filter-num> specifies the redistribution filter ID. Specify a number from 1 – 64. The software uses the filters
in ascending numerical order. Thus, if filter 1 denies a route from being redistributed, the software does not
redistribute that route even if a filter with a higher ID permits redistribution of the route.
The address <ip-addr> <ip-mask> parameters apply redistribution to the specified network and sub-net address.
Use 0 to specify "any". For example, "207.92.0.0 255.255.0.0" means any 207.92.x.x sub-net. However, to
specify any sub-net (all sub-nets match the filter), enter "address 255.255.255.255 255.255.255.255".
The match-metric <value> parameter applies redistribution to those routes with a specific metric value; possible
values are from 1 – 15.
The set-metric <value> parameter sets the RIP metric value that will be applied to the routes imported into RIP.
NOTE: The set-metric parameter does not apply to static routes.
The following command denies redistribution of a 207.92.x.x IP static route only if the route's metric is 5.
ServerIron(config-rip-router)# deny redistribute 2 static address 207.92.0.0 255.255.0.0 match-metric 5
The following commands deny redistribution of all routes except routes for 10.10.10.x and 20.20.20.x:
ServerIron(config-rip-router)# deny redistribute 64 static address 255.255.255.255 255.255.255.255
ServerIron(config-rip-router)# permit redistribute 1 static address 10.10.10.0 255.255.255.0
ServerIron(config-rip-router)# permit redistribute 2 static address 20.20.20.0 255.255.255.0
Possible values: See above
Default value: All routes are permitted to be redistributed

end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-rip-router)# end
ServerIron#

Syntax: end
Possible values: N/A
Default value: N/A

exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-rip-router)# exit
ServerIron(config)#

Syntax: exit
Possible values: N/A
Default value: N/A

no
This command is used to disable other commands. To do so, place the word no before the command.

permit redistribute
Configures a redistribution filter to permit redistribution for specific routes.
When you enable redistribution, all IP static routes are redistributed by default. If you want to permit certain routes
to be redistributed into RIP, configure permit filters for those routes before you enable redistribution. You can
configure up to 64 RIP redistribution filters. They are applied in ascending numerical order.
NOTE: The default redistribution action is permit, even after you configure and apply redistribution filters to the
virtual routing interface. If you want to tightly control redistribution, apply a filter to deny all routes as the last filter
(filter ID 64), then apply filters with lower filter IDs to allow specific routes.
EXAMPLE:
To configure a redistribution filter, enter a command such as the following:
ServerIron(config-rip-router)# permit redistribute 1 static address 207.92.0.0 255.255.0.0
This command permits redistribution of all 207.92.x.x IP static routes.

Syntax: [no] permit redistribute <filter-num> static address <ip-addr> <ip-mask> [match-metric <value> | set-metric <value>]

The <filter-num> specifies the redistribution filter ID. Specify a number from 1 – 64. The software uses the filters
in ascending numerical order. Thus, if filter 1 denies a route from being redistributed, the software does not
redistribute that route even if a filter with a higher ID permits redistribution of the route.
The address <ip-addr> <ip-mask> parameters apply redistribution to the specified network and sub-net address.
Use 0 to specify "any". For example, "207.92.0.0 255.255.0.0" means any 207.92.x.x sub-net. However, to
specify any sub-net (all sub-nets match the filter), enter "address 255.255.255.255 255.255.255.255".
The match-metric <value> parameter applies redistribution to those routes with a specific metric value; possible
values are from 1 – 15.
The set-metric <value> parameter sets the RIP metric value that will be applied to the routes imported into RIP.
NOTE: The set-metric parameter does not apply to static routes.
Possible values: See above
Default value: All routes are permitted to be redistributed
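
Because the default action stays permit, a filter set that lacks the deny-all filter at ID 64 redistributes every static route that no filter names. The following Python sketch is an added example, not Foundry code: it evaluates a filter list in ascending ID order against a list of static routes so the result can be reviewed before redistribution is enabled. The class and function names are hypothetical, the sample routes are constructed, and matching on the route's network address alone is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def _ip(value: str) -> int:
    return int(ipaddress.IPv4Address(value))


@dataclass(frozen=True)
class RedistFilter:
    filter_id: int
    action: str                      # "permit" or "deny"
    address: str
    mask: str
    match_metric: Optional[int] = None

    def __post_init__(self):
        if not 1 <= self.filter_id <= 64:
            raise ValueError("filter ID must be 1-64")
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if self.match_metric is not None and not 1 <= self.match_metric <= 15:
            raise ValueError("match-metric must be 1-15")

    def matches(self, route: str, metric: int) -> bool:
        addr, mask = _ip(self.address), _ip(self.mask)
        if addr == ALL_ONES and mask == ALL_ONES:
            net_ok = True            # "address 255.255.255.255 255.255.255.255" = all
        else:
            net_ok = (_ip(route) & mask) == (addr & mask)
        return net_ok and self.match_metric in (None, metric)


def evaluate(filters, route: str, metric: int = 1) -> Tuple[str, Optional[int]]:
    """Return (action, deciding filter ID); the first match in ID order wins."""
    for flt in sorted(filters, key=lambda f: f.filter_id):
        if flt.matches(route, metric):
            return flt.action, flt.filter_id
    return "permit", None            # default action when no filter matches


def redistributed(filters, static_routes):
    """Static routes that would be advertised into RIP under these filters."""
    return [r for r, m in static_routes if evaluate(filters, r, m)[0] == "permit"]


# The three filters from the deny redistribute example above.
PAGE_FILTERS = [
    RedistFilter(64, "deny", "255.255.255.255", "255.255.255.255"),
    RedistFilter(1, "permit", "10.10.10.0", "255.255.255.0"),
    RedistFilter(2, "permit", "20.20.20.0", "255.255.255.0"),
]

# Constructed sample static routes as (network, metric) pairs.
SAMPLE_ROUTES = [("10.10.10.0", 1), ("20.20.20.0", 1),
                 ("192.168.5.0", 1), ("207.92.3.0", 5)]

if __name__ == "__main__":
    print("with filter 64:   ", redistributed(PAGE_FILTERS, SAMPLE_ROUTES))
    print("without filter 64:", redistributed(PAGE_FILTERS[1:], SAMPLE_ROUTES))
```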

quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-rip-router)# quit
ServerIron>

Syntax: quit
Possible values: N/A
Default value: N/A

redistribution
Enables redistribution of routes into RIP.
NOTE: When you enable redistribution, all routes are redistributed by default. To control redistribution, configure
redistribution filters first, then enable redistribution. See "deny redistribute" on page 20-1 and "permit redistribute"
on page 20-2.
EXAMPLE:
To enable RIP redistribution, enter the following command:
ServerIron(config-rip-router)# redistribution

Syntax: [no] redistribution


Possible values: N/A
Default value: Disabled

rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.

show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see "Show Commands" on page 21-1.

write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-rip-router)# write memory

Syntax: write memory


Possible values: N/A
Default value: N/A

write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-rip-router)# write terminal

Syntax: write terminal


Possible values: N/A
Default value: N/A


Chapter 21
Show Commands

The following commands are found at all levels of the CLI for the ServerIron, except where noted. For simplicity,
they are summarized in this section as well as in the individual sections.

show aaa
Displays information about all TACACS+ and RADIUS servers identified on the device.
EXAMPLE:
ServerIron# show aaa
Tacacs+ key: foundry
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 207.95.6.90 Port:49:
opens=6 closes=3 timeouts=3 errors=0
packets in=4 packets out=4
no connection
Radius key: networks
Radius retries: 3
Radius timeout: 3 seconds
Radius dead-time: 3 minutes
Radius Server: 207.95.6.90 Auth Port=1645 Acct Port=1646:
opens=2 closes=1 timeouts=1 errors=0
packets in=1 packets out=4
no connection

Syntax: show aaa


Possible values: N/A
Default value: N/A

show arp
Displays the ARP cache of the ServerIron. For switches, the show arp command will not display the 'type'
column, but will display a VLAN ID column.
EXAMPLE:
ServerIron(config)# show arp
IP             Mac             Type     Port  Age  VlanId
10.10.10.10    00d0.0958.9b07  Static   9
192.168.2.14   0050.04bb.81fa  Static   15    0    1
192.168.2.1    00e0.5205.9056  Static   15    0    1
192.168.2.157  00e0.2972.2ab5  Dynamic  15    0    1
192.168.2.15   0010.5ad1.3701  Dynamic  15    0    1
192.168.2.77   00e0.5202.de72  Dynamic  15    0    1
Total Arp Entries : 6

Syntax: show arp [<ip-addr> [<ip-mask>] | ethernet <portnum> mac-address <xxxx.xxxx.xxxx> [<mask>]]
The <ip-addr> and <ip-mask> parameters let you restrict the display to entries for a specific IP address and
network mask. Specify the IP address masks in standard decimal mask format (for example, 255.255.0.0).
NOTE: The <ip-mask> parameter and <mask> parameter perform different operations. The <ip-mask>
parameter specifies the network mask for a specific IP address, whereas the <mask> parameter provides a filter
for displaying multiple MAC addresses that have specific values in common.
Specify the MAC address mask as "f"s and "0"s, where "f"s are significant bits. Specify IP address masks in
standard decimal mask format (for example, 255.255.0.0).
The ethernet <portnum> parameter lets you restrict the display to entries for a specific port.
The mac-address <xxxx.xxxx.xxxx> parameter lets you restrict the display to entries for a specific MAC address.
The <mask> parameter lets you specify a mask for the mac-address <xxxx.xxxx.xxxx> parameter, to display
entries for multiple MAC addresses. Specify the MAC address mask as "f"s and "0"s, where "f"s are significant
bits.
Here are some examples of how to use these commands.
The following command displays all ARP entries for MAC addresses that begin with "abcd":
ServerIron# show arp mac-address a.b.c.d ffff.0000.0000
The following command displays all IP address entries for IP addresses that begin with "209.157":
ServerIron# show arp 209.157.0.0 255.255.0.0
Possible values: See above
Default value: N/A

show cache-group
Displays configuration information for the TCS cache groups.
EXAMPLE:
ServerIron# show cache-group 1
Cache-group 1 has 1 members Admin-status = Enabledi Active = 0
Hash_info: Dest_mask = 255.255.255.0 Src_mask = 0.0.0.0
Cache Server Name    Admin-status    Hash-distribution
HTTP Traffic From <-> to Web-Caches
Name: aa    IP: 1.2.3.4    State: 1    Groups =

Syntax: show cache-group [<cache-group-number> | <cache-server-name>]


Possible values: Valid cache group number or cache server name.
Default value: N/A

show chassis
Displays the presence and status of power supplies and fans in the chassis.


EXAMPLE:
ServerIron# show chassis
power supply 1 ok
power supply 2 not present
fan 1 ok
fan 2 ok

Syntax: show chassis


Possible values: N/A
Default value: N/A

show clock
Displays the current settings for the on-board time counter and Simple Network Time Protocol (SNTP) clock, if
configured.
EXAMPLE:
ServerIron# show clock

Syntax: show clock [detail]


Possible values: N/A
Default value: N/A

show configuration
Lists the operating configuration of a ServerIron. This command allows you to check configuration changes before
saving them to flash.
EXAMPLE:
ServerIron# show configuration

Syntax: show configuration


Possible values: N/A
Default value: N/A

show default
Displays the defaults for system parameters.
If you specify "default" but not the optional "values", the default states for parameters that can either be enabled or
disabled are displayed. If you also specify "values", the default values for parameters that take a numeric value are
displayed.
EXAMPLE:
ServerIron# show default
snmp ro community public    spanning tree enabled    fast port span enabled
auto sense port speed       port untagged            port flow control on
no username assigned        no password assigned     boot sys flash primary
system traps enabled        sntp disabled            radius disabled
ip multicast disabled

EXAMPLE:
ServerIron# show default values
sys log buffers:50    mac age time:300 sec    telnet sessions:5
mac entries:8K
System Parameters    Default    Maximum    Current
l4-real-server       1024       2048       1024
l4-virtual-server    256        512        256
l4-server-port       2048       4096       2048

Syntax: show default [values]


Possible values: N/A
Default value: N/A

show flash
Displays the version of the software image saved in the primary and secondary flash of a ServerIron.
EXAMPLE:
ServerIron# show flash

Syntax: show flash


Possible values: N/A
Default value: N/A

show fw-group
Displays configuration information, state information, and traffic statistics for the firewall group. See the
Foundry ServerIron Firewall Load Balancing Guide for information about the fields in this display.
EXAMPLE:
ServerIron(config)# show fw-group
Firewall-group 2 has 2 members Admin-status = Enabled
Hash_info: Dest_mask = 255.255.255.255 Src_mask = 255.255.255.255
Firewall Server Name         Admin-st    Hash-distribution
fw1                          1           0
fw2                          6           0

Traffic From<->to Firewall Servers
=====================================

Name: fw1    IP: 10.10.0.1    State: 1    Groups =

                                     Host->Firewall       Firewall->Host
           State   CurConn TotConn   Packets   Octets     Packets   Octets
Firewall   active  0       0         0         0          0         0
Total              0       0         0         0          0         0

Name: fw2    IP: 10.10.0.2    State: 6    Groups =

                                     Host->Firewall       Firewall->Host
           State   CurConn TotConn   Packets   Octets     Packets   Octets
Firewall   active  0       0         0         0          0         0
Total              0       0         0         0          0         0

Syntax: show fw-group


Possible values: N/A
Default value: N/A

show fw-hash
Displays the firewall that the hashing algorithm selected for a given pair of source and destination addresses.
EXAMPLE:
ServerIron# show fw-hash 1.1.1.1 2.2.2.2 2
fw3
In this example, the command output indicates that the FWLB hashing algorithm selected firewall "fw3" for traffic
to IP address 1.1.1.1 from IP address 2.2.2.2.

Syntax: show fw-hash <dst-ip-addr> <src-ip-addr> <fwall-group-id> [<protocol> <dst-tcp/udp-port> <src-tcp/udp-port>]

The <dst-ip-addr> parameter specifies the destination IP address.
The <src-ip-addr> parameter specifies the source IP address.
The <fwall-group-id> parameter specifies the FWLB group ID. Normally, the FWLB group ID is 2.
The <protocol> parameter specifies the protocol number for TCP or UDP. You can specify one of the following:

6 TCP

17 UDP

The <dst-tcp/udp-port> specifies the destination TCP or UDP application port number.
The <src-tcp/udp-port> specifies the source TCP or UDP application port number.
If you configured the ServerIron to hash based on source and destination TCP or UDP application ports as well as
IP addresses, the ServerIron might select more than one firewall for the same pair of source and destination IP
addresses, when the traffic uses different pairs of source and destination application ports. Use the optional
parameters to ensure that the command's output distinguishes among the selected firewalls based on the
application ports. Here is an example:
ServerIron# show fw-hash 1.1.1.1 2.2.2.2 2 6 80 8080
fw2
ServerIron# show fw-hash 1.1.1.1 2.2.2.2 2 6 80 9000
fw3
Possible values: See above
Default value: N/A

show gslb cache


Displays RTT prefix cache entries.
The GSLB ServerIron maintains a cache of RTT information received from the site ServerIrons through the GSLB
protocol. You can display the RTT information the GSLB ServerIron has related to a client IP address.
EXAMPLE:
ServerIron(config)# show gslb cache 209.156.100.100
prefix length = 20, prefix = 209.157.0.0, region = N-AM
prefix source = client query
foundrynet.com:
site = sunnyvale, SI = slb-1(209.157.22.209), rtt = 5 (x100 usec)
site = atlanta, SI = slb-1(192.108.22.112), rtt = 10 (x100 usec)
The command in this example shows the RTT prefix information the GSLB ServerIron has related to client IP
address 209.156.100.100. In this case, the GSLB ServerIron has two RTT entries for zone www.foundrynet.com.

Syntax: show gslb cache <ip-addr>


The <ip-addr> parameter specifies a site address.
Here is another example. In this example, a statically generated entry that the GSLB ServerIron created is
displayed. The statically generated entries have an 8-bit prefix, whereas the prefix for dynamic entries is 20 bits
long by default.
ServerIron(config)# show gslb cache 61.1.1.1
prefix length = 8, prefix = 60.0.0.0, region = ASIA
prefix source = geographic
For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron
Installation and Configuration Guide.
Possible values: N/A
Default value: N/A

show gslb default


Displays the default GSLB policy parameters.
EXAMPLE:
To display the default GSLB policy, enter the following command:
ServerIron(config)# show gslb default
Default metric order: ENABLE
Metric processing order:
1-Server health check
2-Remote SI's session capacity threshold
3-Round trip time between remote SI and client
4-Geographic location
5-Remote SI's available session capacity
6-Server flashback speed
7-Least response selection
DNS active-only: DISABLE, Modify DNS response TTL: ENABLE
DNS TTL: 10 (sec), DNS check interval: 30 (sec)
Session capacity threshold: 90%, session capacity tolerance: 10%
Round trip time tolerance: 10%, round trip time explore percentage: 5%
Round trip time cache prefix: 20, round trip time cache interval: 120 (sec)
Flashback appl-level delay tolerance: 10%, TCP-level delay tolerance: 10%

Syntax: show gslb default


For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron
Installation and Configuration Guide.
Possible values: N/A
Default value: N/A

show gslb dns detail


Displays all the information displayed by the show gslb dns zone command plus information about the site and
the ServerIron on which a VIP is configured.
This command is especially useful for sites that are configured for Symmetric Server Load Balancing. For
information about this load balancing feature, see the "Configuring Symmetric SLB and SwitchBack" chapter of
the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
ServerIron(config)# show gslb dns detail
ZONE: foundrynet.com
HOST: www:
                                                   Flashback     DNS resp.
                                                   delay         selection
                                                   (x100us)      percentage
                                                   TCP   APP     (%)
* 209.157.22.227:  dns  v-ip     ACTIVE  N-AM.     6     60      40
  site: sunnyvale, SI: slb-1 (209.157.22.209)
  session util: 0%, avail. sessions: 524287
  preference: 128
* 209.157.22.228:  dns  v-ip     ACTIVE  N-AM.     3     30      60
  site: atlanta, SI: slb-1 (192.108.22.111)
  session util: 10%, avail. sessions: 414269
  preference: 128
* 210.224.100.5:   dns  real-ip  DOWN    ASIA      -     -       0
* 201.100.100.6:   dns  real-ip  DOWN    S-AM.     -     -       0
* 213.34.100.4:    dns  real-ip  DOWN    EUROPE    -     -       0
HOST: ftp:
                                                   Flashback     DNS resp.
                                                   delay         selection
                                                   (x100us)      percentage
                                                   TCP   APP     (%)
* 209.157.22.103:  dns  v-ip     ACTIVE  N-AM.     6     60      40
  site: sunnyvale, SI: slb-2 (209.157.22.210)
  session util: 7%, avail. sessions: 414287
  preference: 128
* 209.157.22.104:  dns  v-ip     ACTIVE  N-AM.     3     30      60
  site: atlanta, SI: slb-2 (192.108.22.112)
  session util: 14%, avail. sessions: 324269
  preference: 128
* 210.224.100.7:   dns  real-ip  DOWN    ASIA      -     -       0
* 201.100.100.8:   dns  real-ip  DOWN    S-AM.     -     -       0
* 213.34.100.9:    dns  real-ip  DOWN    EUROPE    -     -       0

For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron
Installation and Configuration Guide.

Syntax: show gslb dns detail


Possible values: N/A
Default value: N/A

show gslb dns zone


Displays information about all the DNS zones and host applications configured on the GSLB ServerIron.
EXAMPLE:
ServerIron(config)# show gslb dns zone
ZONE: foundrynet.com
HOST: www:
                                                 Flashback     DNS resp.
                                                 delay         selection
                                                 (x100us)      percentage
                                                 TCP   APP     (%)
209.157.22.100:  dns  v-ip     ACTIVE  N-AM.     6     60      40
209.157.22.101:  dns  v-ip     ACTIVE  N-AM.     3     30      60
210.224.100.5:   dns  real-ip  DOWN    ASIA      -     -       0
201.100.100.6:   dns  real-ip  DOWN    S-AM.     -     -       0
213.34.100.4:    dns  real-ip  DOWN    EUROPE    -     -       0
HOST: ftp:
                                                 Flashback     DNS resp.
                                                 delay         selection
                                                 (x100us)      percentage
                                                 TCP   APP     (%)
209.157.22.103:  dns  v-ip     ACTIVE  N-AM.     6     60      40
209.157.22.104:  dns  v-ip     ACTIVE  N-AM.     3     30      60
210.224.100.7:   dns  real-ip  DOWN    ASIA      -     -       0
201.100.100.8:   dns  real-ip  DOWN    S-AM.     -     -       0
213.34.100.9:    dns  real-ip  DOWN    EUROPE    -     -       0

Syntax: show gslb dns zone [<name>]


The <name> parameter specifies the zone name.
To display GSLB information for a specific DNS zone, enter a command such as the following:
ServerIron(config)# show gslb dns zone foundrynet.com
The information is the same as the information displayed when you do not specify a zone name, except the ZONE
field is unneeded and thus does not appear.
For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron
Installation and Configuration Guide.
Possible values: N/A
Default value: N/A

show gslb global-stat


Displays statistics for transparent DNS query intercept and for DNS cache proxy.
EXAMPLE:
To display the statistics, enter the following command at any level of the CLI:
ServerIron(config)# show gslb global-stat
DNS cache proxy stat:
Direct response = 10
DNS query intercept stat:
Redirect = 10
Direct response

Syntax: show gslb global-stat


The Direct response field, under DNS cache proxy stat, lists how many DNS queries the GSLB ServerIron has
responded to using the DNS cache proxy feature instead of forwarding the queries to the DNS. In this example,
the GSLB ServerIron has responded directly to client queries ten times with the best site address among those
cached on the ServerIron itself, instead of forwarding the request to the DNS.
The Redirect field shows the number of queries the ServerIron has redirected to an alternative (proxy) DNS or
another ServerIron.
The Direct response field shows the number of queries to which the ServerIron has directly responded using a
transparent DNS query intercept IP address configured on the ServerIron itself.
Possible values: N/A
Default value: N/A

show gslb policy


Displays the current GSLB policy parameter settings.
NOTE: If you have changed any of the settings from their default values, you can use this command along with
the show gslb default command to identify the settings you have changed. For more information, see the
"Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration
Guide.
EXAMPLE:
To display the user-configured GSLB policy, enter the following command:
ServerIron(config)# show gslb policy
Default metric order: DISABLE
Metric processing order:
1-Round trip time between remote SI and client
2-Remote SI's session capacity threshold
3-Remote SI's available session capacity
4-Server flashback speed
5-Remote SI's preference value
6-Least response selection
DNS active-only: DISABLE
DNS best-only: DISABLE
DNS override: DISABLE
Modify DNS response TTL: ENABLE
DNS TTL: 10 (sec), DNS check interval: 30 (sec)
Remote SI status update period: 30 (sec)
Session capacity threshold: 90%, session capacity tolerance: 10%
Round trip time tolerance: 10%, round trip time explore percentage: 5%
Round trip time cache prefix: 20, round trip time cache interval: 120 (sec)
Flashback appl-level delay tolerance: 10%, TCP-level delay tolerance: 10%

Syntax: show gslb policy


In this example, the default order of the policy metrics is in effect. In the following example, the order has been
changed and two of the metrics have been disabled.
ServerIron(config)# show gslb policy
Default metric order: DISABLE
Metric processing order:
1-Round trip time between remote SI and client
2-Remote SI's session capacity threshold
3-Remote SI's available session capacity
4-Server flashback speed
5-Least response selection
DNS active-only: DISABLE, Modify DNS response TTL: ENABLE
DNS TTL: 10 (sec), DNS check interval: 30 (sec)
Session capacity threshold: 90%, session capacity tolerance: 10%
Round trip time tolerance: 10%, round trip time explore percentage: 5%
Round trip time cache prefix: 20, round trip time cache interval: 120 (sec)
Flashback appl-level delay tolerance: 10%, TCP-level delay tolerance: 10%
For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron
Installation and Configuration Guide.
Possible values: N/A
Default value: N/A

show gslb resources


Displays the current GSLB resource utilization and the ServerIron capacity for each GSLB resource.
For GSLB parameters, you can display the number of currently configured items and the maximum number of
items you can configure on the ServerIron.
EXAMPLE:
To display GSLB resource information, enter the following command at any level of the CLI:
ServerIron(config)# show gslb resources
GSLB resource usage:
                      Current    Maximum
sites                 1          100
SIs                   2          200
SIs' VIPs             2          2000
dns zones             2          200
dns hosts             2          400
health-checks app.    2          600
dns IP addrs.         5          2000
affinities            0          50
static prefixes       4          250
prefix cache          104        5050
RTT entries           1          10000


The values in the Current column indicate how many of each GSLB configuration or data item are currently on the
GSLB ServerIron. The values in the Maximum column list the maximum number of each item the GSLB
ServerIron can hold.
For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron
Installation and Configuration Guide.
Possible values: N/A
Default value: N/A

show gslb site


Displays information for all the configured sites.
EXAMPLE:
ServerIron(config)# show gslb site
SITE: sunnyvale
SI: slb-1 209.157.22.209:
state: CONNECTION ESTABLISHED
Current num.   Session   CPU load   Preference   Location
sessions       util(%)   (%)
500000         50        35         128          N-AM
Virtual IPs:
209.157.22.227(A)    209.157.22.103(A)
SI: slb-2 209.157.22.210:
state: CONNECTION ESTABLISHED
Current num.   Session   CPU load   Preference   Location
sessions       util(%)   (%)
1              0         16         128          N-AM
Virtual IPs:
209.157.22.227(S)
SITE: atlanta
SI: slb-1 192.108.22.111:
state: CONNECTION ESTABLISHED
Current num.   Session   CPU load   Preference   Location
sessions       util(%)   (%)
750000         75        41         128          N-AM
Virtual IPs:
209.157.22.227(A)    209.157.22.104(A)
SI: slb-1 192.108.22.111:
state: CONNECTION ESTABLISHED
Current num.   Session   CPU load   Preference   Location
sessions       util(%)   (%)
1              0         16         128          N-AM
Virtual IPs:
209.157.22.227(S)

Syntax: show gslb site [<name>]


The <name> parameter specifies a site name.

To display information about the GSLB site called sunnyvale and the ServerIrons providing SLB within that
site, enter the following command:
ServerIron(config)# show gslb site sunnyvale
SITE: sunnyvale
SI: slb-1 209.157.22.209:
state: CONNECTION ESTABLISHED
Current num.   Session   CPU load   Location
sessions       util(%)   (%)
500000         50        35         N-AM
Virtual IPs:
209.157.22.227(A)
SI: slb-2 209.157.22.210:
state: CONNECTION ESTABLISHED
Current num.   Session   CPU load   Location
sessions       util(%)   (%)
1              0         16         N-AM
Virtual IPs:
209.157.22.227(B)
For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron
Installation and Configuration Guide.
Possible values: N/A
Default value: N/A

show healthck
Displays a list of the configured health-check policies and their current status. For information about the fields in
this display, see one of the following:

ServerIronXL - the "Configuring Boolean Health-Check Policies (ServerIronXL)" section in the "Configuring
Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.

ServerIron 400 and ServerIron 800 - the "Configuring Boolean Health-Check Policies (ServerIron 400 and
ServerIron 800)" section in the "Configuring Port and Health Check Parameters" chapter of the Foundry
ServerIron Installation and Configuration Guide.

EXAMPLE:
Here is an example for the ServerIronXL.
ServerIron(config)# show healthck
Total nodes: 4; Max nodes: 128
Name        Value    Type
--------------------------------------------
Rtr1-ck1    N/B      icmp 10.168.2.46
Rtr1-ck2    N/B      icmp 10.168.2.47
Router1     N/B      or Rtr1-ck1 Rtr1-ck2
Rtr2-ck1    TRUE     icmp 10.168.2.56
Rtr2-ck2    TRUE     icmp 10.168.2.57
Router2     TRUE     and Rtr2-ck1 Rtr2-ck2
Rtr3-ck1    FALSE    icmp 10.168.2.66
Rtr3-ck2    TRUE     icmp 10.168.2.67
Router3     FALSE    and Rtr3-ck1 Rtr3-ck2
EXAMPLE:
Here is an example for the ServerIron 400 or ServerIron 800.
ServerIron(config-hc-check1)# show healthck
Total nodes: 6; Max nodes: 128
Name       Value   Enable   Type   Dest-IP        Port   Proto   Layer
-------------------------------------------------------------------------------
check1     TRUE    YES      tcp    10.10.10.50    http   http    l4-chk
check2     TRUE    YES      tcp    10.10.10.40    http   http    l7-chk
check3     TRUE    NO       udp    10.10.10.30    http   http    l4-chk
check4     TRUE    NO       udp    10.10.10.40    http   http    l4-chk
check5     N/A     NO       udp                   dns    dns     l4-chk
httpsrvr   TRUE    YES      and    check1 check2
nested1    N/A     na       and    check1 check2
nested2    N/A     na       or     check3 check4

Syntax: show healthck


Possible values: N/A
Default value: N/A

show healthck statistics


Displays health-check policy statistics. For information about the fields in this display, see the "Displaying Health-Check
Policy Information" section in the "Configuring Port and Health Check Parameters" chapter of the Foundry
ServerIron Installation and Configuration Guide.
EXAMPLE:
ServerIron(config)# show healthck statistics
Ping Statistics:
Sent: 1524
Received: 1524
Invalid Replies: 0
Dropped Replies: 0

Syntax: show healthck statistics


Possible values: N/A
Default value: N/A

show http match-list


Displays information about HTTP content verification matching lists. For information about this health-check
feature, see the "Configuring Port and Health Check Parameters" chapter in the Foundry ServerIron Installation and
Configuration Guide.
EXAMPLE:
ServerIron# show http match-list
http match-list m1
down simple "404"
down simple "File Not Found"
http match-list m4
default down
up compound "monkey see" "monkey do" log
down compound "500" "Internal Server Error" log
down compound "503" "Service Unavailable" log

Syntax: show http match-list


Possible values: N/A
Default value: N/A

show interfaces
Displays all port interfaces of the ServerIron and their state, duplex mode, STP state, priority and MAC address.
EXAMPLE:
ServerIron# show interfaces e 1

FastEthernet1 is down
Hardware is FastEthernet, address is 00e0.5202.8bc6 (bia 00e0.5202.8bc6)
Configured speed auto, actual unknown, configured duplex fdx, actual unknown
Member of L2 VLAN ID 1, port is untagged, port state is BLOCKING
STP configured to ON, priority is high, flow control enabled
mirror disabled, monitor disabled
Not member of any active trunks
Member of configured trunk ports 1-3, primary port
No port name
5 minute input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
5 minute output rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 ignored
0 multicast
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions

Syntax: show interfaces [ethernet <portnum>]


Possible values: Valid port number
Default value: N/A

show ip
Displays IP configuration information.
EXAMPLE:
ServerIron(config)# show ip
Disabled : IP_Forwarding
Disabled : RIP

RIP-Redist

Switch IP address: 192.168.2.100
Subnet mask: 255.255.255.0
Default router address: 192.168.2.1
TFTP server address: None
Configuration filename: None
Image filename: None

For information about the fields in this display, see the "Displaying the IP Forwarding State" section in the
"Configuring IP Forwarding" chapter of the Foundry ServerIron Installation and Configuration Guide.

Syntax: show ip
Possible values: N/A
Default value: N/A

show ip cache
Displays the IP host table showing indexes to MAC addresses and the IP address of the next hop for ServerIrons
configured to operate in a multinetted environment.
EXAMPLE:
ServerIron#[ 1] sh ip cache
IP
Mac
209.157.20.1

0000.0000.0000

Port Age VlanId


6

3144

Cam CamF
0

Hw FCnt
0

Syntax: show ip cache [<ip-addr> [<ip-addr>]]


Possible values: N/A
Default value: N/A

show ip client-public-key
Displays the currently loaded public keys.
EXAMPLE:
ServerIron# show ip client-public-key
1024 65537 162566050678380006149460550286514061230306797782065166110686648548574
94957339232259963157379681924847634614532742178652767231995746941441604714682680
00644536790333304202912490569077182886541839656556769025432881477252978135927821
67540629478392662275128774861815448523997023618173312328476660721888873946758201
user@csp_client
1024 35 152676199889856769693556155614587291553826312328095300428421494164360924
76207475545234679268443233762295312979418833525975695775705101805212541008074877
26586119857422702897004112168852145074087969840642408451742714558592361693705908
74837875599405503479603024287131312793895007927438074972787423695977635251943 ro
ot@unix_machine
There are 2 authorized client public keys configured

Syntax: show ip client-public-key


Possible values: N/A
Default value: N/A

show ip filter-cache
Displays all active IP filter definitions for a Foundry switch operating with Layer 3 switching.
EXAMPLE:
ServerIron# show ip filter-cache

Syntax: show ip filter-cache [<ip-addr>]


Possible values: N/A
Default value: N/A

show ip interface
Displays information about the IP interfaces configured on virtual routing interfaces.
NOTE: This command applies only to IP forwarding (Layer 3).
EXAMPLE:
ServerIron(config)# show ip interface
Interface   IP-Address       OK?   Method   Status   Protocol
Ve 1        192.168.2.1      YES   manual   up       up
Ve 1        10.10.10.1       YES   manual   up       up
Ve 1        20.20.20.1       YES   manual   up       up
Ve 10       120.120.120.1    YES   manual   down     up
Ve 10       130.130.130.1    YES   manual   down     up

Syntax: show ip interface


Possible values: N/A
Default value: N/A

show ip multicast
Indicates whether IP multicast is active on a Foundry switch, and notes its operating mode: active or passive.
EXAMPLE:
ServerIron# show ip multicast

Syntax: show ip multicast


Possible values: N/A
Default value: N/A

show ip nat statistics


Displays Network Address Translation (NAT) statistics.
NOTE: On the ServerIron 400 and ServerIron 800, you can enter this command only when logged in to a WSM
CPU. The command is not supported on the Main Processor CPU. To log in to a WSM CPU, see the "Logging In
to a WSM CPU" section in the "Using the Web Switching Management Module" chapter of the Foundry ServerIron
Installation and Configuration Guide.
EXAMPLE:
To display the NAT statistics, enter the following command at any level of the CLI:
ServerIron(config)# show ip nat statistics
Total translations: 2 (1 static, 1 dynamic)
Hits: 2 Misses: 2
Expired translations: 4
Dynamic mappings:
pool OutAdds: netmask 255.255.255.0
start 209.157.1.2 end 209.157.1.254
total addresses 252

Syntax: show ip nat statistics


For information, see the "Configuring Network Address Translation" chapter in the Foundry ServerIron Installation
and Configuration Guide.
Possible values: N/A
Default value: N/A

show ip nat translation


Displays currently active NAT entries.
NOTE: On the ServerIron 400 and ServerIron 800, you can enter this command only when logged in to a WSM
CPU. The command is not supported on the Main Processor CPU. To log in to a WSM CPU, see the "Logging In
to a WSM CPU" section in the "Using the Web Switching Management Module" chapter of the Foundry ServerIron
Installation and Configuration Guide.
EXAMPLE:
To display the currently active NAT translations, enter the following command at any level of the CLI:
ServerIron(config)# show ip nat translation
Pro   Inside global    Inside local    Outside local    Outside global
---   209.157.1.69     10.10.10.69     207.195.2.12     207.195.2.12
---   209.157.1.72     10.10.10.2      207.195.4.69     207.195.4.69

Syntax: show ip nat translation


For information, see the "Configuring Network Address Translation" chapter in the Foundry ServerIron Installation
and Configuration Guide.

Possible values: N/A
Default value: N/A

show ip policy
Displays the configured global and local session policies defined via the ip policy command.
EXAMPLE:
Index   Priority   Protocol   Socket   Type
1       high       tcp        pop3     global
2       high       udp        dns      global

Syntax: show ip policy


Possible values: N/A
Default value: N/A

show ip route
Displays the IP route table.
NOTE: This command applies only to IP forwarding (Layer 3).
EXAMPLE:
ServerIron(config)# show ip route
Total number of IP routes: 9
Start index: 1 D:Connected S:Static *:Candidate default
     Destination      NetMask          Gateway           Port   Cost   Type
1    10.10.10.0       255.255.255.0    0.0.0.0           ve1    1      D
2    20.20.20.0       255.255.255.0    0.0.0.0           ve1    1      D
3    50.50.50.0       255.255.255.0    20.20.20.10       ve1    1      S
4    60.60.60.0       255.255.255.0    20.20.20.10       ve1    1      S
5    70.70.70.0       255.255.255.0    120.120.120.10    ve1    1      S
6    120.120.120.0    255.255.255.0    0.0.0.0           ve1    1      D
7    130.130.130.0    255.255.255.0    0.0.0.0           ve1    1      D
8    192.168.2.0      255.255.255.0    0.0.0.0           ve1    1      D
9    0.0.0.0          0.0.0.0          192.168.2.1       ve1    1      S

Possible values: N/A
Default value: N/A

show ip ssh
Displays information about the SSH management sessions in effect on the device. Up to five SSH connections
can be active on the Foundry device. For information about this display and about using SSH, see the
"Configuring Secure Shell" chapter.
EXAMPLE:
ServerIron#show ip ssh
Connection   Version   Encryption   State   Username
1            1.5       ARCFOUR      0x82    neville
2            1.5       IDEA         0x82    lynval
3            1.5       3DES         0x82    terry
4            1.5       none         0x00
5            1.5       none         0x00

Syntax: show ip ssh


Possible values: N/A
Default value: N/A

show ip static-arp
Displays the static ARP entries.
NOTE: This command applies only to IP forwarding (Layer 3).
EXAMPLE:
ServerIron(config)# show ip static-arp
Static ARP table size: 64, configurable from 64 to 128
Index   IP Address       MAC Address       Port
1       10.10.10.10      00d0.0958.9b07    9
2       192.168.2.1      00e0.5205.9056    15
3       192.168.2.157    00e0.2972.2ab5    15
4       192.168.2.14     0050.04bb.81fa    15
5       192.168.2.15     0010.5ad1.3701    15
The <ip-addr> and <ip-mask> parameters let you restrict the display to entries for a specific IP address and
network mask. Specify the IP address masks in standard decimal mask format (for example, 255.255.0.0).
NOTE: The <ip-mask> parameter and <mask> parameter perform different operations. The <ip-mask>
parameter specifies the network mask for a specific IP address, whereas the <mask> parameter provides a filter
for displaying multiple MAC addresses that have specific values in common.
Specify the MAC address mask as "f"s and "0"s, where "f"s are significant bits. Specify IP address masks in
standard decimal mask format (for example, 255.255.0.0).
The ethernet <portnum> parameter lets you restrict the display to entries for a specific port.
The mac-address <xxxx.xxxx.xxxx> parameter lets you restrict the display to entries for a specific MAC address.
The <mask> parameter lets you specify a mask for the mac-address <xxxx.xxxx.xxxx> parameter, to display
entries for multiple MAC addresses. Specify the MAC address mask as "f"s and "0"s, where "f"s are significant
bits.
Possible values: See above
Default value: N/A

show ip traffic
Displays IP (ICMP, UDP, TCP, and RIP) traffic statistics for a ServerIron.
EXAMPLE:
ServerIron# show ip traffic
IP Statistics
587 received, 593 sent, 14 forwarded
0 fragmented, 0 reassembled, 0 bad header
489 no route, 0 unknown proto, 0 no buffer, 9 other errors
ICMP Statistics
Received:
0 total, 0 errors, 0 unreachable, 0 time exceed
0 parameter, 0 source sequence, 0 redirect, 0 echo,
0 echo reply, 0 timestamp, 0 timestamp rely, 0 addr mask
0 addr mask reply, 0 irdp advertisement, 0 irdp solicitation
Sent:
54 total, 0 errors, 0 unreachable, 0 time exceed
0 parameter, 0 source sequence, 0 redirect, 0 echo,
0 echo reply, 0 timestamp, 0 timestamp rely, 0 addr mask
0 addr mask reply, 54 irdp advertisement, 0 irdp solicitation

NOTE: This example is an excerpt, not a complete display.

Syntax: show ip traffic


Possible values: N/A
Default value: N/A

show logging
Displays the SNMP event log.
EXAMPLE:
This example shows some common Syslog messages.
ServerIron# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 7 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning

Log Buffer (50 entries):


00d05h44m28s:info:Interface e3/11, state up
00d05h44m28s:info:Bridge topology change, vlan 1, interface 3/11, changed state
to forwarding
00d04h45m49s:info:Interface e3/11, state down
00d04h45m20s:info:Interface e3/11, state up
00d04h45m20s:info:Bridge topology change, vlan 1, interface 3/11, changed state
to forwarding
00d01h45m13s:info:Interface e3/11, state down
00d00h01m00s:info:Interface e3/11, state up
00d00h00m05s:info:Bridge topology change, vlan 1, interface 3/11, changed state
to forwarding
00d00h00m00s:info:Warm start

Syntax: show logging


Possible values: N/A
Default value: N/A
EXAMPLE:
This example shows log entries for authentication failures. If someone enters an invalid community string when
attempting to access the SNMP server on the Foundry device, the device generates a trap in the device's syslog
buffer. (If you have configured the device to use a third-party SyslogD server, the device also sends a log entry to
the server.)
Here is an example of a log that contains SNMP authentication traps. In this example, someone attempted to
access the Foundry device three times using invalid SNMP community strings. The unsuccessful attempts
indicate either an authorized user who is also a poor typist, or an unauthorized user who is attempting to access
the device.
ServerIron(config)# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 1 overruns)
Buffer logging: level ACDMEINW, 50 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning

Log Buffer (50 entries):

00d01h45m13s:info:SNMP Authentication failure, intruder IP: 207.95.6.55
00d00h01m00s:info:SNMP Authentication failure, intruder IP: 207.95.6.55
00d00h00m05s:info:SNMP Authentication failure, intruder IP: 207.95.6.55
EXAMPLE:
This example shows a log entry for an IP address conflict between the Foundry device and another device on the
network.
In addition to placing an entry in the log, the software sends a log message to the SyslogD server, if you have
configured one, and sends a message to each open CLI session.
ServerIron(config)# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 1 overruns)
Buffer logging: level ACDMEINW, 50 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning

Log Buffer (50 entries):

00d01h45m13s:warning:Duplicate IP address 209.157.23.188 detected,sent from MAC
address 00e0.5201.3bc9 coming from port 7/7

EXAMPLE:
Here are some examples of log entries for packets denied by Access Control Lists (ACLs).
NOTE: On devices that also use Layer 2 MAC filters, both types of log entries can appear in the same log. Only
ACL log entries are shown in this example.
ServerIron(config)# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 38 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning
Log Buffer (50 entries):
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18
0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets
00d07h03m30s:warning:list 101 denied tcp 209.157.22.26(0)(Ethernet 4/18
0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets
00d06h58m30s:warning:list 101 denied tcp 209.157.22.198(0)(Ethernet 4/18
0010.5a1f.77ed) -> 198.99.4.69(http), 1 packets
The first time an entry in an ACL denies a packet and logging is enabled for that entry, the software generates a
Syslog message and an SNMP trap. Messages for packets denied by ACLs are at the warning level of the Syslog.
When the first Syslog entry for a packet denied by an ACL is generated, the software starts a five-minute ACL
timer. After this, the software sends Syslog messages every five minutes. The messages list the number of
packets denied by each ACL during the previous five-minute interval. If an ACL entry does not deny any packets
during the five-minute interval, the software does not generate a Syslog entry for that ACL entry.
NOTE: For an ACL entry to be eligible to generate a Syslog entry for denied packets, logging must be enabled
for the entry. The Syslog contains entries only for the ACL entries that deny packets and have logging enabled.

In this example, the two-line message at the bottom is the first entry, which the software immediately generates
the first time an ACL entry permits or denies a packet. In this case, an entry in ACL 101 denied a packet. The
packet was a TCP packet from host 209.157.22.198 and was destined for TCP port 80 (HTTP) on host
198.99.4.69.
When the software places the first entry in the log, the software also starts the five-minute timer for subsequent log
entries. Thus, five minutes after the first log entry, the software generates another log entry and SNMP trap for
denied packets.
In this example, the software generates the second log entry five minutes later. The second entry indicates that
the same ACL denied two packets.
The time stamp for the third entry is much later than the time stamps for the first two entries. In this case, no ACLs
denied packets for a very long time. In fact, since no ACLs denied packets during the five-minute interval following
the second entry, the software stopped the ACL log timer. The software generated the third entry as soon as the
ACL denied a packet. The software restarted the five-minute ACL log timer at the same time. As long as at least
one ACL entry permits or denies a packet, the timer continues to generate new log entries and SNMP traps every
five minutes.
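The timer behavior described above can be read back out of a captured log buffer. The following Python sketch is an added example, not part of the Foundry manual: it rejoins the wrapped ACL entries shown on this page, converts the uptime stamps to seconds, and groups entries into timer runs. The function names and the `slack` tolerance are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the three ACL entries from the example above, newest first,
# with each entry's wrapped second line kept as the CLI prints it.
SAMPLE = """\
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18
0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets
00d07h03m30s:warning:list 101 denied tcp 209.157.22.26(0)(Ethernet 4/18
0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets
00d06h58m30s:warning:list 101 denied tcp 209.157.22.198(0)(Ethernet 4/18
0010.5a1f.77ed) -> 198.99.4.69(http), 1 packets
"""

# Uptime stamp, severity, then the message text.
STAMP = re.compile(r"^(\d+)d(\d+)h(\d+)m(\d+)s:(\w+):(.*)$")
# Only the "denied" form is handled, because that is the form the page shows.
ACL_DENY = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>\d+(?:\.\d+){3})\((?P<sport>[^)]*)\)"
    r"\((?P<iface>[^)]*?) (?P<mac>[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})\) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\((?P<dport>[^)]*)\), (?P<packets>\d+) packets?"
)


def join_entries(text):
    """Rejoin wrapped lines: a line without an uptime stamp continues the previous entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse_acl_denies(text):
    """Return ACL deny records sorted oldest first; 'uptime' is seconds since boot."""
    records = []
    for entry in join_entries(text):
        stamp = STAMP.match(entry)
        if not stamp:
            continue  # banner or header line, not a log entry
        d, h, m, s = (int(x) for x in stamp.groups()[:4])
        acl = ACL_DENY.search(stamp.group(6))
        if not acl:
            continue  # some other message type
        rec = acl.groupdict()
        rec["packets"] = int(rec["packets"])
        rec["level"] = stamp.group(5)
        rec["uptime"] = ((d * 24 + h) * 60 + m) * 60 + s
        records.append(rec)
    return sorted(records, key=lambda r: r["uptime"])


def timer_runs(records, interval=300, slack=5):
    """Group records into ACL-timer runs.

    The first deny is logged immediately and starts the five-minute timer. A gap
    longer than one interval means the timer had stopped and this entry restarted
    it. `slack` (seconds) is an assumption that absorbs timestamp jitter.
    """
    runs = []
    for rec in records:
        if runs and rec["uptime"] - runs[-1][-1]["uptime"] <= interval + slack:
            runs[-1].append(rec)
        else:
            runs.append([rec])
    return runs


def packets_by_flow(records):
    """Total denied packets per (ACL, source, destination, destination port)."""
    totals = defaultdict(int)
    for rec in records:
        totals[(rec["acl"], rec["src"], rec["dst"], rec["dport"])] += rec["packets"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_acl_denies(SAMPLE)
    for i, run in enumerate(timer_runs(recs), 1):
        print(f"run {i}: immediate entry at uptime {run[0]['uptime']}s from "
              f"{run[0]['src']}, {len(run) - 1} interval summary entries")
    for flow, total in sorted(packets_by_flow(recs).items()):
        print(flow, total)
```

On the sample, the first two entries fall into one run (the immediate entry plus one five-minute summary) and the entry stamped 21 days later starts a new run, matching the explanation above.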
EXAMPLE:
Here are some examples of log messages for CLI access.
ServerIron(config)# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 12 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning
Log Buffer (50 entries):
Oct 15 18:01:11:info:dg logout from USER EXEC mode
Oct 15 17:59:22:info:dg logout from PRIVILEDGE EXEC mode
Oct 15 17:38:07:info:dg login to PRIVILEDGE EXEC mode
Oct 15 17:38:03:info:dg login to USER EXEC mode

The first message (the one on the bottom) indicates that user dg logged in to the CLI's User EXEC level on
October 15 at 5:38 PM and 3 seconds (Oct 15 17:38:03). The same user logged in to the Privileged EXEC level
four seconds later.
The user remained in the Privileged EXEC mode until 5:59 PM and 22 seconds. (The user could have used the
CONFIG modes as well. Once you access the Privileged EXEC level, no further authentication is required to
access the CONFIG levels.) At 6:01 PM and 11 seconds, the user ended the CLI session.
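The same reading can be automated when auditing administrative access. The following Python sketch is an added example, not part of the Foundry manual: it pairs the login and logout entries shown above into sessions with durations. The function name, the `year` default, and the pairing rule are assumptions, since the log carries no year and no session identifier.

```python
import re
from datetime import datetime

# Constructed sample: the four CLI-access entries from the example above, newest first.
# "PRIVILEDGE" is the spelling used in the device output.
SAMPLE = """\
Oct 15 18:01:11:info:dg logout from USER EXEC mode
Oct 15 17:59:22:info:dg logout from PRIVILEDGE EXEC mode
Oct 15 17:38:07:info:dg login to PRIVILEDGE EXEC mode
Oct 15 17:38:03:info:dg login to USER EXEC mode
"""

ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}):(?P<level>\w+):"
    r"(?P<user>\S+) (?P<event>login to|logout from) (?P<mode>.+?) EXEC mode$"
)


def cli_sessions(text, year=2002):
    """Pair login/logout entries per (user, mode).

    Assumptions: `year` is supplied by the caller, and each logout is matched to
    the most recent open login for the same user and mode.
    Returns (closed, still_open):
      closed     - list of (user, mode, login_time, logout_time, seconds)
      still_open - list of (user, mode, login_time) with no logout in the buffer
                   (session still active, or the logout is not in the buffer)
    """
    events = []
    for line in text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            ts = datetime.strptime(f"{year} {match['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, match["user"], match["event"], match["mode"]))
    events.sort(key=lambda e: e[0])  # buffer is newest first; replay oldest first

    open_logins, closed = {}, []
    for ts, user, event, mode in events:
        stack = open_logins.setdefault((user, mode), [])
        if event == "login to":
            stack.append(ts)
        elif stack:
            start = stack.pop()
            closed.append((user, mode, start, ts, int((ts - start).total_seconds())))
        # A logout with no matching login (login aged out of the buffer) is skipped.
    still_open = [
        (user, mode, start)
        for (user, mode), starts in open_logins.items()
        for start in starts
    ]
    return closed, still_open


if __name__ == "__main__":
    closed, still_open = cli_sessions(SAMPLE)
    for user, mode, start, end, seconds in closed:
        print(f"{user} {mode} EXEC: {start:%H:%M:%S} to {end:%H:%M:%S} ({seconds}s)")
    for user, mode, start in still_open:
        print(f"{user} {mode} EXEC: opened {start:%H:%M:%S}, no logout in buffer")
```

Because the buffer holds a limited number of entries, an unmatched login does not by itself prove that a session is still active.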

show mac-address
Displays all MAC addresses on a ServerIron.
EXAMPLE:
To display all MAC addresses on a ServerIron, enter the following:
ServerIron(config)# show mac-address
Total entries from all ports = 75
MAC             Port  Age    CamF  CIDX0  CIDX1  CIDX2  CIDX3  CIDX4  CIDX5
0000.0300.0000  10    17293  00H   0      0      0      0      0      0
0060.089f.8086  1     12     0bH   23     15     0      6      0      0
0060.9709.914b  16    2130   00H   0      0      0      0      0      0
00a0.249a.0163  16    130    00H   0      0      0      0      0      0
0060.979d.41a5  11    475    00H   0      0      0      0      0      0
00a0.24c5.01d1  11    0      0cH   0      0      20     14     0      0
0060.979d.41df  11    570    00H   0      0      0      0      0      0
0060.9759.4226  16    240    00H   0      0      0      0      0      0
0060.9759.4235  16    130    00H   0      0      0      0      0      0
0800.208f.725b  2     135    00H   0      0      0      0      0      0
0060.9759.4264  16    0      0aH   0      14     0      21     0      0
00a0.24c5.02a1  16    15     09H   5      0      0      33     0      0
0000.c02c.a2bf  7     11     03H   27     5      0      0      0      0
00a0.24c5.02f8  4     135    00H   0      0      0      0      0      0
00a0.24c5.02fc  6     0      06H   0      8      31     0      0      0
0800.207e.c312  2     2      0dH   25     0      24     13     0      0
0800.208f.5331  2     135    00H   0      0      0      0      0      0
00e0.5200.0385  10    5160   00H   0      0      0      0      0      0
--More--, next page: Space/Return key, quit: Control-c

NOTE: The information displayed in columns with headings CamF, and CIDX0 through CIDX5, is not relevant for
day-to-day management of the ServerIron. The information is used by engineering and technical support staff for
debug purposes.

Syntax: show mac-address [ethernet <portnum> | <mac-addr> | session]


Possible values: The session keyword causes information about MAC session entries to be displayed.
Default value: N/A

show mac-address statistics


Displays the total number of MAC addresses currently active on a ServerIron. This command serves as a
numerical summary of the detailed output provided by the show mac-address command.
For each port, the number of learned MAC addresses is displayed.
EXAMPLE:
ServerIron(config)# show mac-address-statistics
Total entries = 41

Port

11

Port

10

11

12
1

13

14

15

16

Syntax: show mac-address-statistics


Possible values: N/A
Default value: N/A

show media
Shows the types of ports active on a Chassis device.
EXAMPLE:
ServerIron(config)# show media
1/1:SX 1/2:SX 1/3:SX 1/4:SX
2/1:SX 2/2:SX 2/3:SX 2/4:SX 2/5:SX 2/6:SX 2/7:SX 2/8:SX
3/1:SX 3/2:SX 3/3:SX 3/4:SX 3/5:SX 3/6:SX 3/7:SX 3/8:SX
4/1:SX 4/2:SX 4/3:SX 4/4:SX 4/5:SX 4/6:SX 4/7:SX 4/8:SX
5/1:SX 5/2:SX 5/3:SX 5/4:SX 5/5:SX 5/6:SX 5/7:SX 5/8:SX
6/1:SX 6/2:SX 6/3:SX 6/4:SX 6/5:SX 6/6:SX 6/7:SX 6/8:SX
7/1:SX 7/2:SX 7/3:SX 7/4:SX 7/5:SX 7/6:SX 7/7:SX 7/8:SX
8/1:SX 8/2:SX 8/3:SX 8/4:SX 8/5:SX 8/6:SX 8/7:SX 8/8:SX

Syntax: show media


Possible values: N/A
Default value: N/A

show module
Shows the types of modules installed on a Chassis device.
EXAMPLE:
Here is an example of the command's display output on a ServerIron 800.
ServerIron# show module
Module                              Status  Ports  Starting MAC
S1: B8GM Fiber Management Module    OK             00e0.52f0.5a00
S2: B24E Copper Switch Module       OK      24     00e0.52f0.5a20
S3: B24E Copper Switch Module       OK      24     00e0.52f0.5a40
S4: B24E Copper Switch Module       OK      24     00e0.52f0.5a60
S5: B8G Fiber Switch Module         OK             00e0.52f0.5a00
S6: B24E Copper Switch Module       OK      24     00e0.52f0.5aa0
S7: B8G Fiber Switch Module         OK             00e0.52f0.5a00
S8: B8G Fiber Switch Module         OK             00e0.52f0.5a00

Possible values: N/A


Default value: N/A

show monitor
Displays the current port mirroring and monitoring configuration.
EXAMPLE:
ServerIron(config)# show monitor
Mirror Interface:     ethernet 4/1
Monitored Interfaces:
Both              Input             Output
--------------------------------------------------
ethernet 4/3

Syntax: show monitor


In this example, port 4/1 is the mirror interface, to which the software copies (mirrors) the traffic on port 4/3. In
this case, both directions of traffic on the monitored port are mirrored to port 4/1.
If only the incoming traffic is mirrored, the monitored interface is listed under Input. If only the outbound traffic is
mirrored, the monitored interface is listed under Output.
Possible values: N/A
Default value: N/A

show policy-map
Displays information about the URL switching policies configured on the ServerIron.

EXAMPLE:
ServerIron# show policy-map p1
Current Policy: 3    Created: 8    Deleted: 5
Table slot 210
------------------------------------------------
Name      : p1       Valid  : Yes
Tree root : Yes      Method : prefix
Key       Type        Data
---       ----        ----
default   Map Policy  p2
/home     Group ID    1

Syntax: show policy-map [<policy-map-name>]


Possible values: <policy-map-name> is the name of a URL switching policy. If you omit this parameter,
information about all URL switching policies is displayed.
Default value: N/A

show relative-utilization
Displays an uplink utilization list, which allows you to observe the percentage of the uplink's bandwidth that each
of the downlink ports used during the most recent 30-second port statistics interval. The number of packets sent
and received between the two ports is listed, as well as the ratio of each individual downlink port's packets relative
to the total number of packets on the uplink.
EXAMPLE:
To display an uplink utilization list:
ServerIron(config)# show relative-utilization 1
uplink: ethe 1
30-sec total uplink packet count = 3011
packet count ratio (%)
1/ 2:60
1/ 3:40
In this example, ports 2 and 3 are sending traffic to port 1. Port 2 and port 3 are isolated (not shared by multiple
clients) and typically do not exchange traffic with other ports except for the uplink port, port 1.

Syntax: show relative-utilization <num>


Possible values: The <num> parameter specifies the list number.
Default value: N/A

show reload
Displays the time and date for scheduled system reloads.
EXAMPLE:
ServerIron# show reload

Syntax: show reload


Possible values: N/A
Default value: N/A

show rmon alarm


This command will display any reported RMON alarms for the system.
EXAMPLE:
ServerIron# show rmon alarm
Alarm table is empty

Syntax: show rmon alarm [<alarm-table-entry>]


Possible values: N/A
Default value: N/A

show rmon event


This command will display any reported RMON events for the system.
EXAMPLE:
ServerIron# show rmon event
Event table is empty

Syntax: show rmon event [<event-table-entry>]


Possible values: N/A
Default value: N/A

show rmon history


This command will display the RMON history for the system.
EXAMPLE:
ServerIron# show rmon history
History 1 is active, owned by monitor
Monitors interface 1 (ifIndex 1) every 30 seconds
25 buckets were granted to store statistics

History 2 is active, owned by monitor


Monitors interface 1 (ifIndex 1) every 1800 seconds
25 buckets were granted to store statistics

History 3 is active, owned by monitor


Monitors interface 5 (ifIndex 5) every 30 seconds
25 buckets were granted to store statistics

History 4 is active, owned by monitor


Monitors interface 5 (ifIndex 5) every 1800 seconds
25 buckets were granted to store statistics

Syntax: show rmon history [<control-table-entry>]


Possible values: N/A
Default value: N/A

show rmon statistics


Displays detailed statistics for each port.
EXAMPLE:
ServerIron# show rmon statistics

Syntax: show rmon statistics [ethernet <portnum>] | [<num>]

The ethernet <portnum> parameter displays the RMON port statistics for the specified port.
The <num> parameter displays the specified entry. Entries are numbered beginning with 1.
Possible values: see above
Default value: N/A

show running-config
Displays the running configuration of the ServerIron on the terminal screen.
NOTE: This command is equivalent to the write terminal command.
EXAMPLE:
ServerIron# show running-config

Syntax: show running-config


Possible values: N/A
Default value: N/A

show server backup


Displays the backup configuration and the current backup status of the ServerIron.
NOTE: This command applies only to hot standby configurations. If you are using Symmetric SLB, see show
server symmetric on page 21-29.

show server bind


Displays the services binding between virtual servers and real servers.
EXAMPLE:
ServerIron(config)# show server bind
Virtual Server Name: v100, IP: 209.157.23.100
  http   -------> s43: 209.157.23.43, http
                  s60: 209.157.23.60, 8080
  ftp    -------> s43: 209.157.23.43, ftp
                  s60: 209.157.23.60, ftp
  70     -------> s43: 209.157.23.43, 70
                  s60: 209.157.23.60, 70
Virtual Server Name: v105, IP: 209.157.23.105
  telnet -------> s60: 209.157.23.60, 300
  ftp    -------> s60: 209.157.23.60, 200
  http   -------> s60: 209.157.23.60, 100
  dns    -------> s60: 209.157.23.60, 400
  tftp   -------> s60: 209.157.23.60, 500

Syntax: show server bind


For descriptions of the information shown in this display, see the "Configuring Server Load Balancing" chapter in
the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A

show server conn-rate


Shows the global TCP connection rate (per second) and TCP SYN attack rate (per second). This command
reports global connection rate information for the ServerIron as well as for each real server.

EXAMPLE:
ServerIron# show server conn-rate
Avail. Sessions      = 524286    Total Sessions      = 524288
Total C->S Conn      = 0         Total S->C Conn     = 0
Total Reassign       = 0         Unsuccessful Conn   = 0
last conn rate       = 0         max conn rate       = 0
last TCP attack rate = 0         max TCP attack rate = 0
SYN def RST          = 0         SYN flood           = 0
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Real Server  State  CurrConn  TotConn  LastRate  CurrRate  MaxRate
rs1          3      0         0        0         0         0

Syntax: show server conn-rate


For descriptions of the information shown in this display, see the "Protecting Against Denial of Service Attacks"
chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A

show server dynamic


Shows dynamic real server and virtual server port bindings. These are bindings that the ServerIron builds
automatically. Use this command if you are working with Foundry technical support to resolve a Global SLB
configuration issue.

show server fw-path


Shows information for paths configured for firewall load balancing. See the Foundry ServerIron Firewall Load
Balancing Guide for information about the fields in this display.
EXAMPLE:
To display path information for firewall load balancing, enter the following command at any level of the CLI:
ServerIron(config)# show server fw-path
Firewall Server Path Info
Number of Fwall = 2
Target-ip        Next-hop-ip  Port  Path  Status  Tx  Rx
195.188.123.221  10.10.0.1    1     1     0       0   0
195.188.123.221  10.10.0.2    2     2     0       0   0

Syntax: show server fw-path


Possible values: N/A
Default value: N/A

show server global


Displays global server configuration parameters.
EXAMPLE:
ServerIron(config)# show server global
Server Load Balancing - global parameters
Predictor          = least-conn
Force-deletion     = 1
Reassign-threshold = 100
Reassign-limit     = 3
Ping-interval      = 8
Ping-retries       = 7
Session ID age     = 35
TCP-age            = 30
UDP-age            = 5
Sticky-age         = 30
TCP-syn-limit      = 65535
TCP-total conn     = 4337
Unsuccessful conn  = 0
ICMP-message       = Disabled

Syntax: show server global


For descriptions of the fields in this display, see the "Configuring Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A

show server hash


Displays information about hashing bucket assignments and the number of hits each bucket has received.
EXAMPLE:
ServerIron# show server hash

Syntax: show server hash


Possible values: N/A
Default value: N/A

show server proxy


Displays web switching statistics.
EXAMPLE:
ServerIron# show server proxy
Slot alloc           = 0
Slot freed           = 0
Pkt stored           = 0
Pkt freed            = 0
Session T/O          = 0
Session del          = 0
DB cleanup cnt       = 0
Serv RST to SYN      = 0
URL not in 1st pkt   = 0
URL not complete     = 0
Sess T/O rev Sess 0  = 0
Dup SYN Sess diff    = 0
Curr slot used       = 0
Curr free slot       = 99999
Slot alloc fail      = 0
Max slot alloc       = 0
Fwd Stored pkt       = 0
Sess T/O pkt free    = 0
Sess del pkt free    = 0
DB cleanup pkt free  = 0
Send RST to C        = 0
Cookie not in 1st pk = 0
Cookie not complete  = 0
Sess T/O Sess diff   = 0
Curr pkt stored

Syntax: show server proxy


Possible values: N/A
Default value: N/A

show server real


Displays real IP servers' state information and statistics.
EXAMPLE:
ServerIron(config)# show server real
Real Servers Info
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active

Name:rs1  IP: 209.157.23.60:4  State:1  Wt:1  Max-conn:1000000
Src-nat (cfg:op) = 0: 0 Dest-nat-(cfg:op) = 0: 0
Remote server: No  Dynamic: No
Port  State   Ms  CurConn  TotConns  Rx-pkts  Tx-pkts  Rx-octet  Tx-octet  Reas
pop2  enabled 0   0        0         0        0        0         0         0
      Keepalive: Disabled
radiusenabled 0   0        0         0        0        0         0         0
      Keepalive: Disabled, Username : "reza"
      Password : "QA", Key : "arvind"
imap4 enabled 0   0        0         0        0        0         0         0
      Keepalive: Disabled
ldap  enabled 0   0        0         0        0        0         0         0
      Keepalive: Disabled, LDAP Version : 3
70    enabled 0   0        0         0        0        0         0         0
      Keepalive: Enabled
dns   enabled 0   0        0         0        0        0         0         0
      Keepalive: Disabled, Zone : "foundrynet.com", Addr Query : ""
snmp  enabled 0   0        0         0        0        0         0         0
      Keepalive: Disabled
http  enabled 0   0        0         0        0        0         0         0
      Keepalive: Disabled, status code(s) default (200-299, 401)
      HTTP URL: "HEAD /"
600   unbnd   0   0        0         0        0        0         0         0
      Keepalive: Disabled
500   enabled 0   0        0         0        0        0         0         0
      Keepalive: Disabled
defaulunbnd   0   0        0         0        0        0         0         0
Server Total

Syntax: show server real [<name> [detail]]


Syntax: show server real [dns | ftp | http | imap4 | ldap | nntp | pop3 | radius | smtp | telnet]
For descriptions of the information shown in this display, see the "Configuring Server Load Balancing" chapter in
the Foundry ServerIron Installation and Configuration Guide.
Possible values: The optional keywords display keepalive and bring up statistics for the specified function.
Default value: N/A

show server sessions


Displays the free and active sessions.
EXAMPLE:
ServerIron(config)# show server sessions
Avail. Sessions = 524287    Total Sessions    = 524288
Total C->S Conn = 4233      Total S->C Conn   = 0
Total Reassign  = 0         Unsuccessful Conn = 0
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Real Server  State  CurrConn  TotConn  TotRevConn  CurrSess  PeakConn
s60          1      0         0        0           0         0
s43          1      0         4233     0           0         39

Syntax: show server sessions

For descriptions of the information shown by this display, see the "Configuring Server Load Balancing" chapter in
the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A

show server symmetric


Displays configuration information for Symmetric SLB.
EXAMPLE:
ServerIron# show server symmetric

Syntax: show server symmetric


For descriptions of the information this command shows, see the "Configuring Symmetric SLB and SwitchBack"
chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A

show server traffic


Displays global IP server statistics.
EXAMPLE:
ServerIron(config)# show server traffic
Client->Server = 26753    Server->Client = 24817
Drops          = 4        Aged           = 38
Fw_drops       = 0        Rev_drops      = 0
FIN_or_RST     = 8429     old-conn       = 0
Disable_drop   = 0        Exceed_drop    = 0
Stale_drop     = 14       Unsuccessful   = 0

Syntax: show server traffic


For descriptions of the information shown in this display, see the "Configuring Server Load Balancing" chapter in
the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A

show server virtual


Displays virtual IP servers' state information and statistics.
EXAMPLE:
ServerIron(config)# show server virtual
Virtual Servers Info
Server Name: v100  IP : 209.157.23.100 : 4
Status: enabled Predictor: least-conn TotConn: 4233
Dynamic: No  HTTP redirect: disabled
Sym: group = 1 state = 5 priority = 2 keep = 0
Activates = 4, Inactive= 3
Port    State    Sticky  Concur  CurConn  TotConn  PeakConn
radius-oenabled  NO      NO      0        0        0
http    enabled  NO      NO      0        4233     39
ftp     enabled  NO      NO      0        0        0
telnet  enabled  NO      NO      0        0        0
ssl     enabled  YES     NO      0        0        0
smtp    enabled  NO      NO      0        0        0
nntp    enabled  NO      NO      0        0        0
ntp     enabled  NO      NO      0        0        0
dns     enabled  NO      NO      0        0        0
pop2    enabled  NO      NO      0        0        0
pop3    enabled  NO      NO      0        0        0
tftp    enabled  NO      NO      0        0        0
imap4   enabled  NO      NO      0        0        0
snmp    enabled  NO      NO      0        0        0
ldap    enabled  NO      NO      0        0        0
70      enabled  NO      NO      0        0        0
default enabled  NO      NO      0        0        0

information for remaining virtual servers omitted for brevity...


Syntax: show server virtual [<virtual-server-name>]
For descriptions of the information shown in this display, see the "Configuring Server Load Balancing" chapter in
the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A

show snmp server


Lists system administrative information (contact name, system location, community strings, and traps enabled) for
a ServerIron.
EXAMPLE:
ServerIron# show snmp server
Contact: Jack Sphatt
Location: HMB x1031
Community(ro): public
Community(rw): private
Traps
Cold start: Enable
Link up: Enable
Link down: Enable
Authentication: Enable
[ ..........]
L4 switch standby: Enable
Total Trap-Receiver Entries: 4
Trap-Receiver  IP Address    Community
1              207.95.6.211
2              207.95.5.21

Syntax: show snmp server


Possible values: N/A
Default value: N/A

show sntp associations


Displays information about SNTP associations.
EXAMPLE:
ServerIron# show sntp associations
address        ref clock  st  when  poll  delay  disp
~207.95.6.102  0.0.0.0    16  202   4     0.0    5.45
~207.95.6.101  0.0.0.0    16  202   0     0.0    0.0
* synced, ~ configured

The following table describes the information displayed by the show sntp associations command.
This Field...        Displays...
(leading character)  One or both of the following:
                     *  Synchronized to this peer
                     ~  Peer is statically configured
address              IP address of the peer
ref clock            IP address of the peer's reference clock
st                   NTP stratum level of the peer
when                 Amount of time since the last NTP packet was received from the peer
poll                 Poll interval in seconds
delay                Round trip delay in milliseconds
disp                 Dispersion in seconds

Syntax: show sntp associations


Possible values: N/A
Default value: N/A

show sntp status


Displays information about SNTP status.
EXAMPLE:
ServerIron# show sntp status
Clock is unsynchronized, stratum = 0, no reference clock
precision is 2**0
reference time is 0 .0
clock offset is 0.0 msec, root delay is 0.0 msec
root dispersion is 0.0 msec, peer dispersion is 0.0 msec
The following table describes the information displayed by the show sntp status command.
This Field...        Indicates...
unsynchronized       System is not synchronized to an NTP peer.
synchronized         System is synchronized to an NTP peer.
stratum              NTP stratum level of this system
reference clock      IP Address of the peer (if any) to which the unit is synchronized
precision            Precision of this system's clock (in Hz)
reference time       Reference time stamp
clock offset         Offset of clock to synchronized peer
root delay           Total delay along the path to the root clock
root dispersion      Dispersion of the root path
peer dispersion      Dispersion of the synchronized peer

Syntax: show sntp status


Possible values: N/A
Default value: N/A

show span
Displays spanning tree statistics for a ServerIron such as root cost, root port and priority.
EXAMPLE:
ServerIron# show span
Global STP Parameters:
VLAN Root             Root Root Prio Max Hello Hold Fwd Last  Chg Bridge
ID   ID               Cost Port rity Age sec   sec  dly Chang cnt Address
                                Hex  sec            sec sec
1    800000e052801400 0    Root 8000 20  2     2    15  0         00e052801400

Port STP Parameters:
VLAN Port Prio Path State      Fwd   Design Design           Design
ID   Num  rity Cost            Trans Cost   Root             Bridge
          Hex
1    1/1  80   1    FORWARDING 1     0      800000e052801400 800000e052801400
1    1/2  80   0    DISABLED   0     0      0000000000000000 0000000000000000
1    2/1  80   0    DISABLED   0     0      0000000000000000 0000000000000000
1    2/3  80   0    DISABLED   0     0      0000000000000000 0000000000000000
1    2/5  80   0    DISABLED   0     0      0000000000000000 0000000000000000

Syntax: show span


Possible values: N/A
Default value: N/A

show span vlan


Displays global and port STP for a given VLAN for a ServerIron.
EXAMPLE:
ServerIron# show span vlan 2
Global Bridge Parameters:
VLAN Root             Root Root Prio Max He- Ho- Fwd Last  Chg Bridge
ID   ID               Cost Port rity Age llo ld  dly Chang cnt Address
                                Hex      sec sec     sec
2    800000e0520002f5 0    Root 8000 20  2   2   15  0         00e0520002f5
Port STP Parameters:
VLAN Port Prio Path State    Fwd   Design Design           Design
ID   Num  rity Cost          Trans Cost   Root             Bridge
          Hex
2    1    0080 0    DISABLED              0000000000000000 0000000000000000
2    2    0080 0    DISABLED              0000000000000000 0000000000000000
2    3    0080 0    DISABLED              0000000000000000 0000000000000000
2    4    0080 0    DISABLED              0000000000000000 0000000000000000
2    5    0080 0    DISABLED              0000000000000000 0000000000000000

Syntax: show span vlan <vlan-id> [ethernet <portnum>]


Possible values: N/A
Default value: N/A

show statistics
Displays port statistics for a ServerIron (transmit, receive, collisions, errors).
EXAMPLE:
ServerIron# show statistics
Buffer Manager Queue
[Pkt Receive  Pkt Transmit]
 0            0
Port Counters:
           Packets              Collisions                 Errors
Port  [Receive  Transmit]  [Receive  Transmit]  [Align  FCS  Giant  Short]
1/1    15935    5443        0        0           0      0    0      0
1/2    0        0           0        0           0      0    0      0
1/3    0        0           0        0           0      0    0      0
1/4    0        0           0        0           0      0    0      0
2/1    0        0           0        0           0      0    0      0
2/2    0        0           0        0           0      0    0      0
2/3    0        0           0        0           0      0    0      0
2/4    0        0           0        0           0      0    0      0
2/5    0        0           0        0           0      0    0      0
2/6    0        0           0        0           0      0    0      0
2/7    0        0           0        0           0      0    0      0
2/8    0        0           0        0           0      0    0      0

Syntax: show statistics [ethernet <portnum>] | [slot <slot-num>]


The pos <portnum> parameter displays statistics for a specific POS port.
The ethernet <portnum> parameter displays statistics for a specific Ethernet port.
The slot <slot-num> parameter displays statistics for a specific chassis slot.
NOTE: The slot <slot-num> parameter applies only to Chassis devices.
NOTE: The pos <portnum> parameter applies only to the POS modules.
This display shows the following information for each port.

Table 21.1: CLI Display of Port Statistics

This Field...        Displays...

Packet counters
Receive              The number of packets received on this interface.
Transmit             The number of packets transmitted on this interface.

Collision counters
Receive              The number of collisions that have occurred when receiving packets.
Transmit             The number of collisions that have occurred when sending packets.

Packet Errors
These fields show statistics for various types of packet errors. The device drops packets that contain one of
these errors.
Align                The number of packets that contained frame alignment errors.
FCS                  The number of packets that contained Frame Check Sequence errors.
Giant                The number of packets that were longer than the configured MTU.
Short                The number of packets that were shorter than the minimum valid length.

Possible values: see above


Default value: statistics for all ports are displayed

show statistics dos-attack


Displays information about ICMP and TCP SYN packets dropped because burst thresholds were exceeded.
EXAMPLE:
ServerIron# show statistics dos-attack
---------------------------- Local Attack Statistics --------------------------
ICMP Drop Count   ICMP Block Count   SYN Drop Count   SYN Block Count
---------------   ----------------   --------------   ---------------
0                 0                  0                0
--------------------------- Transit Attack Statistics -------------------------
Port   ICMP Drop Count   ICMP Block Count   SYN Drop Count   SYN Block Count
-----  ---------------   ----------------   --------------   ---------------

Syntax: show statistics dos-attack


Possible values: N/A
Default value: N/A

show tech-support
Shows technical details that assist in troubleshooting issues when working with technical support. The
information shown is a subset of all the available information.

Syntax: show tech-support


Possible values: N/A
Default value: N/A

show telnet
Shows the IP address of the station with the active Telnet session. Up to five read access Telnet sessions can be
supported on the ServerIron at one time. Write access through Telnet is limited to one session.
EXAMPLE:
ServerIron# show telnet
Console connections:
  established, active
  14 seconds in idle
Telnet connections:
  1 established, client ip address 192.168.1.234
    7 seconds in idle
  2 established, client ip address 192.168.1.234
    3 seconds in idle
  3 closed
  4 closed
  5 closed
SSH connections:
  1 closed
  2 closed
  3 closed
  4 closed
  5 closed

Syntax: show telnet


Possible values: N/A
Default value: N/A

show trunk
Displays trunk groups and their port membership for ServerIrons.
EXAMPLE:
ServerIron(config-if)# show trunk
Configured trunks:
Trunk Group  Ports
Operational trunks:
Trunk Group  Ports    Duplex  Speed  Tag  Priority
1 2 3                 Full    100M   No   High

Syntax: show trunk


Possible values: N/A
Default value: N/A

show users
Lists the user accounts configured on the ServerIron. See the Foundry Security Guide.
EXAMPLE:
ServerIron# show users

Syntax: show users


Possible values: N/A
Default value: N/A

show version
Lists software, hardware and firmware details for a ServerIron.
EXAMPLE:
ServerIron# show version

Syntax: show version


Possible values: N/A
Default value: N/A

show vlans
Displays all VLANs configured on the system, their member ports, assigned priority and STP status. To view a
specific VLAN, enter VLAN ID after the show vlans command.
EXAMPLE:
ServerIron(config)# show vlans

Syntax: show vlans [<vlan-id>]


Possible values: N/A
Default value: N/A

show web-connection
Displays the access levels and IP addresses of the devices that currently have Web management interface
sessions with the ServerIron.
To clear all sessions displayed by this command, see clear web-connection on page 5-8.
EXAMPLE:
ServerIron(config)# show web-connection
User   Privilege   IP address
set    0           192.168.1.234

Syntax: show web-connection


Possible values: N/A
Default value: N/A

show who
The show who command lists the active console and Telnet CLI sessions. This command can be used in
conjunction with the kill command, which lets you terminate an active CLI session.
EXAMPLE:
To display the active console and Telnet CLI sessions:
ServerIron# show who
Console connections:
established
Telnet connections:
1 established, client ip address 209.157.22.63
2 closed
3 closed
4 closed
5 closed

Syntax: show who


Possible values: N/A
Default value: N/A

show wsm-map
Displays the WSM CPU allocations for the forwarding modules in the chassis.
EXAMPLE:
To display the slot allocations for the WSM CPUs, enter the following command at any CLI level:
ServerIron(config)# show wsm-map
slot 2 (weight 24 x 100M) is processed by WSM 1/2 (weight 24)
slot 3 (weight 8 x 1000M) is processed by WSM 1/1 (weight 80)
slot 4 (weight 24 x 100M) is processed by WSM 1/3 (weight 24)

Syntax: show wsm-map


This example shows the slot allocations for a four-slot chassis. Each row shows the following information:

The chassis slot (slot 2 in the first row of the example above)

The weight of the module in the slot (weight 24 x 100M in the first row of the example above)

The chassis slot that contains the Web Switching Management Module and the WSM CPU to which the
forwarding module described by this row is allocated (is processed by WSM 1/2). The 1 in this example
indicates the Web Switching Management Module is in chassis slot 1. The 2 in this example indicates that
WSM CPU 2 is handling Layer 4-7 processing for the forwarding module in slot 2.

The total weight assigned to the WSM CPU (weight 24 in the first row of this example)

Possible values: N/A


Default value: N/A

show wsm-state
Displays general information for a Web Switching Management Module.
EXAMPLE:
ServerIron(config)# show wsm-state
==================================================
WSM MODULE (6) App CPU
0 MB SHM, 3 Application Processors
CPU 0 in state of WSM_STATE_RUNNING
CPU 1 in state of WSM_STATE_RUNNING
CPU 2 in state of WSM_STATE_RUNNING
--------------
Module 6 App CPU 1, SW: Version 07.2.00T71
Compiled on Sep 25 2000 at 21:33:50 labeled as wsm-cpu3b
DRAM 268M, BRAM 262K, FPGA Version 0050
Code Flash 4M: Primary (880346 bytes, 07.2.00T71),
Secondary (871842 bytes, 07.0.00T71)
Boot Flash 131K, Boot Version 06.00.00
The system uptime is 0 day 1 hour 54 minute 17 second
General Status: 0 ipc msg rec, 2 ipc msg sent
--------------
Module 6 App CPU 2, SW: Version 07.2.00T71
Compiled on Sep 25 2000 at 21:33:50 labeled as wsm-cpu3b
DRAM 134M, BRAM 262K, FPGA Version 0050
Code Flash 4M: Primary (880346 bytes, 07.2.00T71),
Secondary (871842 bytes, 07.0.00T71)
Boot Flash 131K, Boot Version 06.00.00
The system uptime is 0 day 1 hour 54 minute 17 second
General Status: 0 ipc msg rec, 2 ipc msg sent
--------------
Module 6 App CPU 3, SW: Version 07.2.00T71
Compiled on Sep 25 2000 at 21:33:50 labeled as wsm-cpu3b
DRAM 268M, BRAM 262K, FPGA Version 0050
Code Flash 4M: Primary (880346 bytes, 07.2.00T71),
Secondary (871842 bytes, 07.0.00T71)
Boot Flash 131K, Boot Version 06.00.00
The system uptime is 0 day 1 hour 54 minute 17 second
General Status: 0 ipc msg rec, 2 ipc msg sent

Syntax: show wsm-state


This command displays the state of the modules in the chassis, the software version running on the modules, and
detailed information for each processor on the modules.
Possible values: N/A

Default value: N/A
