ArrayOS APV 8.2 CLI Handbook
All Rights Reserved
©2011 Array Networks, Inc. All Rights Reserved.
Copyright ©2011 Array Networks, Inc., 1371 McCarthy Blvd, Milpitas, California 95035, USA. All rights reserved.
This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and compilation. No part of this document may be reproduced in any form by any means without prior written authorization of Array Networks, Inc.
Documentation is provided "as is" without warranty of any kind, either express or implied, including any kind of implied or express warranty of non-infringement or the implied warranties of merchantability or fitness for a particular purpose.
Array Networks, Inc., reserves the right to change any products described herein at any time, and without notice. Array Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Array Networks, Inc. The use and purchase of this product does not convey a license to any patent, copyright, or trademark rights, or any other intellectual property rights of Array Networks, Inc.
Warning: Modifications made to the Array Networks unit, unless expressly approved by Array Networks, Inc., could void the user's authority to operate the equipment.
Declaration of Conformity
We, Array Networks, Inc., 1371 McCarthy Blvd, Milpitas, CA 95035, 1-866-992-7729, declare under our sole responsibility that the product(s) Array Networks, Inc., Array Appliance complies with Part 15 of FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
Warning: This is a Class A digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. In a residential area, operation of this equipment is likely to cause harmful interference in which case the user may be required to take adequate measures or product. In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures.
About Array Networks
Array Networks Inc. is a global leader in enterprise secure application delivery and universal access solutions for the rapidly growing SSL VPN and application delivery controller (ADC) markets. More than 5,000 customers worldwide, including enterprises, service providers, government and vertical organizations in healthcare, finance, insurance and education, rely on Array to provide anytime, anywhere secure and optimized application access. Industry leaders including Deloitte, Red Herring, Gartner, and Frost and Sullivan have recognized Array as a market and technology leader.
Contacting Array Networks
Please use the following information to contact us at Array Networks:
- Website: http://www.arraynetworks.net/
- Telephone: 1-877-99-Array (1-877-992-7729); 408-240-8700; 408-240-8753 (Fax). Telephone access to Array Networks, Inc. is available Monday through Friday, 9 A.M. to 5 P.M. PST.
- Address: 1371 McCarthy Boulevard, Milpitas, California 95035, USA
Table of Contents
All Rights Reserved ... I
Declaration of Conformity ... I
About Array Networks ... II
Contacting Array Networks ... II
Table of Contents ... III
Chapter 1 CLI Basics ... 1
  Login APV Appliance ... 1
  Levels of Global Access Control ... 2
  ShortHand ... 2
Chapter 2 Basic System Operations ... 4
Chapter 3 Advanced System Operations ... 19
Chapter 4 WebWall ... 28
  Access Groups ... 28
  Access List ... 28
  WebWall ... 29
Chapter 5 Server Load Balancing ... 32
  Basic SLB Commands ... 32
  Adding Real Services ... 34
  Adding HC Checker and HC Checker List ... 45
  Adding Virtual Services ... 55
  Adding Port Range for Virtual Service ... 58
  Adding SLB Group Services ... 60
  Adding IP Pool ... 70
  Adding Real Services to Groups ... 71
  Other SLB Group Commands ... 72
  SLB Policy Settings ... 74
  Other SIP Commands ... 88
  Compatibility Check ... 89
  Proxy Mode ... 90
  Statistics ... 91
  URL Rewrite/Redirect HTTP/HTTPS ... 94
  URL Filtering ... 100
  SLB Summary ... 107
Chapter 6 Link Load Balancing ... 110
Chapter 7 Reverse Proxy Cache ... 122
  Cache Commands ... 122
  HTTP Commands ... 132
Chapter 8 DNS Cache ... 150
Chapter 9 HTTP Compression ... 152
Chapter 10 Secure Sockets Layer (SSL) ... 156
Chapter 11 Clustering ... 173
Chapter 12 Global Server Load Balancing ... 181
  Basic SDNS Commands ... 181
  SDNS Member ... 182
  SDNS Disaster Recovery (DR) Group ... 183
  SDNS Site ... 185
  SDNS Proximity ... 186
  SDNS Overflow Chain ... 187
  SDNS Region ... 188
  SDNS Bandwidth ... 189
  SDNS Alias ... 190
  SDNS Pool ... 191
  SDNS IANA ... 195
  SDNS Host ... 195
  SDNS Backup ... 196
  SDNS Full DNS ... 197
  SDNS DPS (Dynamic Proximity System) ... 198
  SDNS Statistics ... 203
Chapter 13 Logging ... 206
Chapter 14 Link Aggregation ... 212
Chapter 15 Quality of Service (QoS) ... 214
  QoS Queue ... 214
  QoS Filter Rule ... 217
  Other QoS Commands ... 218
Chapter 16 Administrative Tools ... 219
  Configuration Management Commands ... 219
  Configuration Synchronization Commands ... 229
  SDNS Configuration Synchronization Commands ... 231
  SNMP Commands ... 232
  Troubleshooting Commands ... 235
  Debug Commands ... 236
  Remote Access Commands ... 242
Chapter 17 Monitoring ... 244
  Assigning Graph Items via the CLI ... 244
  Default Legend String ... 245
Appendix I SNMP OID List ... 250
Chapter 1 CLI Basics
The APV Command Line Interface (CLI) is designed to maximize the functionality and performance of the APV appliance by allowing administrators to configure and control key functions of the APV appliance directly.
This CLI Handbook covers the proper use and execution of each command available to the APV appliance administrator and user alike. The commands covered in this handbook adhere to these general conventions:
Style            Convention
Bold typeface    The body of a CLI command is in boldface.
Italic           CLI parameters are in italic.
< >              Parameters in angle brackets < > are required.
[ ]              Parameters in square brackets [ ] are optional, such as the subcommands "no", "show" and "clear".
{ x | y | … }    Alternative items are grouped in braces and separated by vertical bars. One must be selected.
[ x | y | … ]    Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
Note: If a string entered for a parameter starts with a digit, or the string contains spaces, the string must be enclosed in double quotes so that the command is parsed correctly.
Login APV Appliance
After connecting to the APV appliance successfully via SSH or a console connection, the administrator is prompted for a login username and a password. The default (first-time) login username is "array", and the first-time password is "admin".
To recover the login password, administrators need the aid of the Array Customer Satisfaction personnel at support@arraynetworks.net and must do the following:
1. Establish a console connection with the APV appliance.
2. Input the command "recovery" in the CLI.
3. The APV appliance presents the administrator with a challenge, which consists of a series of randomly generated characters. The following line displays the prompt "response:".
4. The administrator copies and pastes the challenge characters into an email to the Array Customer Satisfaction personnel at support@arraynetworks.net.
5. The Customer Satisfaction personnel return to the administrator a valid response that corresponds to the challenge previously received. The response begins with "--begin--" and ends with "--end--".
6. The administrator copies the complete response and pastes it after the "response:" prompt in the CLI, making sure that no leading or trailing spaces are included, and then presses "Enter".
7. The password of "array" is reset to the default "admin".
Note: The "username recovery" function will not work if the user "array" has been deleted.
Levels of Global Access Control
The APV appliance offers three levels or modes for global configuration and access to the ArrayOS. Each mode is designated by a unique prompt. The CLI prompt consists of the host name of the APV appliance followed by either ">", "#" or "(config)#".
- User Mode: The first level is User Mode. Here, the user is only authorized to execute some very basic operations and non-critical functions. The User Mode prompt appears as "AN>" in the CLI.
- Enable Mode: Users in this mode have access to the majority of view-only commands such as "show log config". Commands from both the User and Enable modes can be executed. Once the Enable mode is entered successfully, the CLI prompt changes from "AN>" to "AN#".
- Config Mode: The final level is Config mode. It is at this level that users can make changes to any part of the APV appliance configuration. No two users may access the Config mode at the same time. The CLI prompt changes from "AN#" to "AN(config)#".
Note: In the ArrayOS, users can be assigned the Enable or Config access privilege. Enable users cannot access the Config mode. To allow an Enable user to access the Config mode, administrators need to first change this user's access privilege by using the command "user [enable|config]".
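The three prompt forms above are all that session review or automation has to go on when deciding which privilege level a command was issued at. The following Python is an added example (not from the handbook or Array's software): it parses prompt lines from a constructed session transcript, models the enable/disable/exit/quit transitions described in this chapter, and flags commands typed at a mode below the one they need. The mapping of commands to required modes (navigation commands and "help" anywhere, "show ..." at Enable, configuration changes at Config) is an assumption derived from this chapter, and the command that enters Config mode is not covered on this page, so the sample transcript simply shows the "(config)#" prompt without it.

```python
import re

# Prompt shapes given in the handbook: "AN>", "AN#", "AN(config)#" ("AN" is the host name).
_PROMPT_RE = re.compile(r"^(?P<host>[^\s>#()]+)(?P<suffix>\(config\)#|#|>)(?P<cmd>.*)$")
_MODE_BY_SUFFIX = {">": "user", "#": "enable", "(config)#": "config"}
_RANK = {"user": 0, "enable": 1, "config": 2}


def parse_prompt(line):
    """Split a transcript line into (host, mode, command); None if it is not a prompt line."""
    m = _PROMPT_RE.match(line.strip())
    if not m:
        return None
    return m.group("host"), _MODE_BY_SUFFIX[m.group("suffix")], m.group("cmd").strip()


def required_mode(command):
    """Lowest mode at which a command is accepted (assumption derived from this chapter):
    navigation commands and "help" run anywhere, "show" needs Enable, changes need Config."""
    words = command.split()
    verb = words[0] if words else ""
    if verb in ("", "help", "enable", "disable", "exit", "quit"):
        return "user"
    if verb == "show":
        return "enable"
    return "config"


def next_mode(mode, command):
    """Mode after a navigation command, following the transitions the handbook describes.
    "enable recovery" is a password-recovery procedure, not a mode change."""
    words = command.split()
    verb = words[0] if words else ""
    if verb == "enable" and len(words) == 1 and mode == "user":
        return "enable"
    if verb == "disable":
        return "user"
    if verb == "exit":
        return {"config": "enable", "enable": "user", "user": "logged_out"}[mode]
    if verb == "quit":
        return "logged_out"
    return mode


def audit_transcript(text):
    """Flag commands typed at a prompt below the mode they need.
    Returns a list of (line_no, command, mode_seen, mode_needed)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_prompt(line)
        if parsed is None:
            continue
        _host, mode, command = parsed
        needed = required_mode(command)
        if _RANK[mode] < _RANK[needed]:
            findings.append((n, command, mode, needed))
    return findings


# Constructed sample transcript; the step that enters Config mode is not on this page and is omitted.
SAMPLE_TRANSCRIPT = """\
AN>enable
Enable password:
AN#show ip address
AN#ip address port1 10.0.0.1 255.255.255.0
AN(config)#ip address port1 10.0.0.1 255.255.255.0
AN(config)#exit
AN#disable
AN>
"""

if __name__ == "__main__":
    for line_no, command, seen, needed in audit_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {line_no}: '{command}' typed in {seen} mode, needs {needed}")
```

Running the block reports line 4 of the sample: the "ip address" command was typed at the "AN#" (Enable) prompt, where the appliance would not apply it. The prompt, not the command history, is used as the source of truth for the mode, so a transcript that starts mid-session still audits correctly.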
ShortHand
The ArrayOS has been designed with Shorthand to make interaction user friendly by allowing the APV appliance to intuitively complete CLI commands based on the first letters entered. Other user shortcuts are listed below:
CLI Shortcuts    Operation
^a/^e            Move the cursor to the beginning/end of a line.
^f/^b            Move the cursor forward/backward one character.
Esc-f            Move the cursor forward one word.
Esc-b            Move the cursor backward one word.
^d               Delete the character under the cursor.
^k               Delete from the cursor to the end of the line.
^u               Delete the entire line.
Note: The symbol "^" indicates holding down the Control (Ctrl) key while pressing the letter that appears after the symbol.
Chapter 2 Basic System Operations
The System Operation portion of the CLI focuses on the specifics of your APV appliance. The commands in this chapter provide the ability to assign an IP address and netmask to the appliance as well as to view the current parameters for the network interfaces and software.
help
This command is used to display all commands based on level and function. This command may be executed at any time, at any level while configuring the APV appliance.
enable [recovery]
This command is used to gain access to the Enable level of the ArrayOS. After entering this command in the CLI, the system prompts the user to supply the Enable level password. The default password is null (empty).
If users forget the assigned password, they may execute the "enable" command with the optional parameter "recovery" to reset the Enable level password to its default as follows:
1. Enter "enable recovery" at the User level prompt, e.g. AN>enable recovery.
2. A challenge string is displayed.
3. Email the challenge string to Customer Support at support@arraynetworks.net.
4. The response code is returned via email by the Customer Support personnel.
5. Cut and paste the response code into the CLI, and press "Enter". The password of the Enable level is reset to empty.
disable
This command returns the operator to the User mode from the current privileged mode.
exit
This command returns the operator to the next lower-level mode from the current privileged mode. If users are in the User mode, this command exits the shell.
quit
This command allows users to leave the CLI. It can be executed at any time throughout the configuration process.
show tech
This command allows users to capture and view essential system information in real time.
show system warning
This command allows users to check the current system warning message.
The yellow LED on the appliance is activated when one of the following hardware errors occurs. Users can then execute this command to check which of the following errors has happened:
1. The CPU fan stopped working;
2. The CPU overheated (over 85℃);
3. The system overheated (over 75℃ on 1U appliances, or 85℃ on 2U appliances);
4. One of the dual power supplies failed (if the appliance has a redundant power supply).
Note: Once the error condition clears, the warning message is cleared, but it can still be traced in the system logs.
ip address {system_ifname|mnet_ifname|vlan_ifname|bond_ifname} <ip_address> <netmask>
This command allows users to set the IP address and netmask of the system interface, MNET interface, VLAN interface or bond interface.
system_ifname    Specify the system interface name, which is port1, port2, port3, port4, …, or port14 by default. (Administrators can self-define the system interface name by using the command "interface name".)
mnet_ifname      Specify the MNET interface name, which should be an alphanumeric string.
vlan_ifname      Specify the VLAN interface name, which should be an alphanumeric string.
bond_ifname      Specify the bond interface name, which should be an alphanumeric string. The default bond interface names are bond1, bond2, bond3 and bond4.
ip_address       Specify the IP address of the interface.
netmask          Specify the netmask appropriately.
Example:
AN(config)#ip address inside 209.120.10.1 255.255.255.0
no ip address
This command is used to remove the specified IP address from the configuration.
show ip address
This command is used to display the system IP addresses along with the assigned netmasks.
clear ip address
This command is used to remove the configured IP address.
interface mac <interface_name> <mac_address>
This command is used to configure the MAC address of the specified system interface.
interface_name   Specify the system interface name. The interface here cannot be a VLAN, MNET or bond interface. If the IP address of the interface has been configured on a VLAN, MNET, bond or SLB virtual service, its MAC address cannot be changed.
mac_address      Specify the MAC address of the system interface.
no interface mac <interface_name>
This command is used to restore the MAC address of the specified system interface to the default value.
interface_name   Specify the system interface name.
clear interface mac
This command is used to restore the MAC addresses of all system interfaces to the default values.
ip host
This command allows users to preset a DNS host name and its corresponding IP address.
no ip host [ip]
This command allows users to remove a configured DNS host name.
clear ip host
This command allows users to remove all configured DNS host names from the running configuration.
show ip host
This command is used to display the configured DNS host names and their IP addresses.
ip arp
This command allows users to create an ARP entry in the ArrayOS. The IP address and MAC address (XX:XX:XX:XX:XX:XX) are required.
ip route default
This command allows users to set a default gateway IP address in the configuration of the APV appliance. Only one default route is permitted to be configured. The default gateway IP must be entered in dotted IP format.
ip route static
This command is used to modify the network routing table used by the APV appliance. Multiple static routes are permitted to be configured. Typically the "destination" parameter is a network IP address.
no ip route static
This command allows users to remove a static route from the running configuration.
no ip route default
This command allows users to remove the default IP route from the APV appliance.
show ip route
This command allows users to display the static routing table.
show statistics ip [ip_address]
This command is used to display the gathered information for the specified IP address. If no IP address is given, this command displays all relevant statistics for all configured IP addresses.
clear statistics ip [ip_address]
This command clears the statistics for a specific IP address. If no IP address is given, this command clears all of them.
interface mtu <interface_id> <mtu_size>
This command allows users to set the largest frame size that can be transmitted over the network.
interface_id     Default Ethernet ID (port1, port2, port3, port4, port5, …, port14) for the physical interfaces on the ArrayOS. The number of physical interfaces supported by the APV appliance depends on the appliance model. At most 14 interfaces are supported now.
mtu_size         The MTU (Maximum Transmission Unit) size preference. This is the largest frame size that can be transmitted over the network. The default size is 1500 bytes. Each interface used by TCP/IP may have a different MTU value.
interface name <interface_id> <interface_name>
This command allows users to set the interface name.
interface_id     Default interface ID (port1, port2, port3, port4, …, port14) for the physical interfaces on the ArrayOS. The number of physical interfaces supported by the APV appliance depends on the appliance model. At most 14 interfaces are supported now.
interface_name   Specify a unique name for the physical interface, which should be an alphanumeric string of up to 32 characters. The default interface name is port1, port2, port3, port4, …, port14.
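Scripts that generate ArrayOS configuration lines have to honour the quoting rule from Chapter 1 (a string parameter that starts with a digit or contains a space must be double-quoted) and the name and address constraints stated for the commands in this chapter, or the generated line will be mis-parsed or rejected. The following Python is an added example, not part of the handbook or of Array's software: it builds the "ip address", "interface name", "ip arp" and "ip route default" commands from this chapter and validates each argument before emitting the line. Assumptions: IP address and netmask arguments are never quoted (the handbook's own "ip address" example writes them bare), the alphanumeric/32-character limit stated for physical interface names is applied to MNET, VLAN and bond names as well (the page states only "alphanumeric" for those), and "ip arp" takes the IP address before the MAC address. The sample values are constructed.

```python
import ipaddress
import re

_ALNUM = re.compile(r"^[A-Za-z0-9]+$")
_MAC = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")   # XX:XX:XX:XX:XX:XX
_DEFAULT_PORTS = {f"port{i}" for i in range(1, 15)}           # port1 .. port14


def quote_arg(value):
    """Handbook quoting rule: a string that starts with a digit or contains a space
    must be enclosed in double quotes so the CLI reads it as one token."""
    if '"' in value:
        raise ValueError("embedded double quotes are not supported")
    if value[:1].isdigit() or " " in value:
        return f'"{value}"'
    return value


def check_ifname(name):
    """Interface names are alphanumeric strings of up to 32 characters
    (assumed here to apply to MNET, VLAN and bond names as well as physical ports)."""
    if not 1 <= len(name) <= 32 or not _ALNUM.match(name):
        raise ValueError(f"invalid interface name: {name!r}")
    return name


def check_ipv4(value):
    """Dotted-quad IPv4 address; ipaddress raises ValueError on anything else."""
    return str(ipaddress.IPv4Address(value))


def is_valid_netmask(value):
    """A netmask is a contiguous run of 1 bits followed by 0 bits."""
    try:
        bits = int(ipaddress.IPv4Address(value))
    except ValueError:
        return False
    inverted = ~bits & 0xFFFFFFFF          # the host part must be all ones
    return inverted & (inverted + 1) == 0  # i.e. inverted + 1 is a power of two


def check_netmask(value):
    if not is_valid_netmask(value):
        raise ValueError(f"invalid netmask: {value!r}")
    return value


def check_mac(value):
    if not _MAC.match(value):
        raise ValueError(f"MAC address must be XX:XX:XX:XX:XX:XX, got {value!r}")
    return value


def ip_address_cmd(ifname, ip, netmask):
    """ip address {system_ifname|mnet_ifname|vlan_ifname|bond_ifname} <ip_address> <netmask>"""
    return f"ip address {quote_arg(check_ifname(ifname))} {check_ipv4(ip)} {check_netmask(netmask)}"


def interface_name_cmd(interface_id, new_name):
    """interface name <interface_id> <interface_name>; interface_id must be a default port ID."""
    if interface_id not in _DEFAULT_PORTS:
        raise ValueError(f"unknown interface id: {interface_id!r}")
    return f"interface name {interface_id} {quote_arg(check_ifname(new_name))}"


def ip_arp_cmd(ip, mac):
    """ip arp with the IP address followed by the MAC address (argument order is an assumption)."""
    return f"ip arp {check_ipv4(ip)} {check_mac(mac)}"


def ip_route_default_cmd(gateway):
    """ip route default with the gateway in dotted IP format."""
    return f"ip route default {check_ipv4(gateway)}"


def build_config(spec):
    """Turn a list of (builder, args) pairs into config lines; a bad value raises before anything is emitted."""
    return [builder(*args) for builder, args in spec]


if __name__ == "__main__":
    # Constructed sample values; the first line reproduces the handbook's own "ip address" example.
    for line in build_config([
        (ip_address_cmd, ("inside", "209.120.10.1", "255.255.255.0")),
        (interface_name_cmd, ("port2", "1gbackbone")),
        (ip_arp_cmd, ("209.120.10.254", "00:11:22:33:44:55")),
        (ip_route_default_cmd, ("209.120.10.254",)),
    ]):
        print(line)
```

Note that "1gbackbone" is a legal alphanumeric name but starts with a digit, so the builder emits it as "1gbackbone" in double quotes, which is exactly the case the Chapter 1 note warns about. A non-contiguous mask such as 255.0.255.0 is rejected before the line is generated rather than being discovered on the appliance.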
interface speed <interface_id> <speed_option>
This command allows users to set the interface speed. The interface speed of a 10G port can only be set to "auto".
interface_id     Default port ID (port1, port2, port3, port4, port5, …, port14) for the physical interfaces on the ArrayOS. The number of physical interfaces supported by the APV appliance depends on the appliance model. At most 14 interfaces are supported now.
speed_option     10half (10 Mbps Ethernet half duplex), 100half (100 Mbps Ethernet half duplex), 100full (100 Mbps full duplex), 1000full (1000 Mbps Ethernet full duplex) or auto.
Note: The ArrayOS sets the interface speeds to auto by default. If any interface is set up to be connected to a device, such as a router or switch, with a specific speed and duplex mode, users will need to set the APV appliance to match those requirements. The "show interface" command displays the current speed setting.
show interface [interface_name]
This command is used to display the statistical information for all the system interfaces. If a specific interface name is given, the system displays the statistical information for that interface only.
interface_name   Specify the physical interface name, which should be an alphanumeric string of up to 32 characters. The default interface name is port1, port2, port3, port4, …, port14.
Note: If the IP statistics function is off, the number of WebWall permitted or dropped packets will be 0 in the output of the command "show interface". The IP statistics function is off by default and is controlled by the command "ip statistics" (for example, "ip statistics off" disables it).
clear interface name<br />
This command is used to reset all the interface names to the default.<br />
clear interface speed {interface_id|all}<br />
This command is used to restore the specified interface’s speed and duplex mode. “all”<br />
means all the interfaces.<br />
interface_id Default port ID (port1, port2, port3, port4, …, port14) for<br />
the physical interface on the ArrayOS. The number of the<br />
physical interfaces supported by the APV appliance<br />
depends on the appliance model. At most 14 interfaces are<br />
supported now.<br />
clear interface mtu {interface_id|all}<br />
This command is used to remove the MTU size setting of the specified interface (e.g. port1).<br />
“all” means all the interfaces.<br />
no interface name <br />
This command is used to reset the name of the specified interface (e.g. port1) to the default.<br />
show system tune<br />
This command is used to display the user-defined system tuning parameters.<br />
show system attackfilter<br />
This command is used to show the statistics of the attack packets which have<br />
been dropped by the APV appliance.<br />
clear system tune<br />
This command is used to reset the defined system tuning parameters.<br />
system tune defraglimit <br />
This command consolidates packet data so that it requires fewer memory frames. Users set the<br />
“smallest_object_size”, measured in bytes, for packets received for defragmentation. For<br />
example, suppose an object is 10K in size and the server MTU is 1K. Roughly, the Array receives<br />
10 packets and 10 frames are used to cache the object. If “system tune defraglimit 512”<br />
is configured, the APV appliance will consolidate the 10K of data from 10 frames onto 5<br />
frames (2K data/frame) to fully utilize the frame memory.<br />
[no] system tune hwcksum {on|off}<br />
This command is used to enable/disable hardware checksums on network cards. The<br />
default setting is on.<br />
[no] system tune tcpidle <br />
This command allows users to set the maximum idle time, in seconds, before a TCP<br />
connection is terminated. The default idle timeout is 300 seconds. The idle timeout<br />
ranges from 60 seconds to 7200 seconds.<br />
[no] system tune attackfilter {level_0|1|2}<br />
This command is used to set the level at which invalid IP packets are filtered. The<br />
“level_0|1|2” parameter specifies the level used by the APV appliance system. Its<br />
default value is 0.<br />
0 Disable the internal filter for IP packets. That is to say, any<br />
packet reaching the Ethernet card is permitted into the system.<br />
1 The APV appliance will drop the packets which match the<br />
following cases:<br />
Source IP or destination IP is 0.0.0.0<br />
Source IP is 255.255.255.255<br />
Source IP is 224.x.x.x<br />
TCP port or UDP port is zero. This requires the WebWall<br />
on the specific interface.<br />
2 The APV appliance will drop the packets which match the<br />
following cases:<br />
Source IP or destination IP is 0.0.0.0<br />
Source IP is 255.255.255.255<br />
Source IP is 224.x.x.x<br />
TCP port or UDP port is zero. This requires the WebWall<br />
on the specific interface.<br />
Source IP is the local IP address, but the packets are<br />
received by Ethernet interfaces.<br />
system tune tcp retransmit timeout <br />
This command allows users to set the timeout for retransmissions. The default setting is<br />
1000ms. It is recommended that the default settings not be changed without contacting<br />
Array Support.<br />
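The attack filter levels listed under “system tune attackfilter” above, as an added example that is not part of this handbook or of ArrayOS itself: a small Python model that applies the handbook's drop rules to constructed packet records, so the effect of levels 0, 1 and 2, and of the WebWall requirement for the zero-port rule, can be compared side by side. The packet fields, the set of local addresses and the per-interface WebWall flag are assumptions of the model, not appliance internals.

```python
"""Model of the "system tune attackfilter" drop rules (added example, not ArrayOS code).

The rules are taken from the handbook's level descriptions. Packet fields, the
local-address set and the WebWall flag are modelling assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Set

ZERO_ADDR = ipaddress.ip_address("0.0.0.0")
BROADCAST_ADDR = ipaddress.ip_address("255.255.255.255")
NET_224 = ipaddress.ip_network("224.0.0.0/8")   # the handbook's "224.x.x.x"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                  # "tcp", "udp" or "icmp"
    src_port: int = 0           # only meaningful for tcp/udp
    dst_port: int = 0
    from_ethernet: bool = True  # received on a physical Ethernet interface


def attackfilter_verdict(pkt: Packet, level: int, local_ips: Set[str],
                         webwall_on: bool) -> Optional[str]:
    """Return the reason a packet is dropped at this level, or None if permitted.

    Level 0 disables the filter. Level 1 drops 0.0.0.0 source/destination,
    255.255.255.255 and 224.x.x.x sources, and zero TCP/UDP ports (the port
    rule only applies when the WebWall is on for the receiving interface).
    Level 2 adds the anti-spoofing rule: a packet claiming one of the
    appliance's own addresses as source must not arrive on an Ethernet interface.
    """
    if level not in (0, 1, 2):
        raise ValueError("attackfilter level must be 0, 1 or 2")
    if level == 0:
        return None
    src = ipaddress.ip_address(pkt.src_ip)
    dst = ipaddress.ip_address(pkt.dst_ip)
    if src == ZERO_ADDR or dst == ZERO_ADDR:
        return "source or destination IP is 0.0.0.0"
    if src == BROADCAST_ADDR:
        return "source IP is 255.255.255.255"
    if src in NET_224:
        return "source IP is 224.x.x.x"
    if (pkt.proto in ("tcp", "udp") and webwall_on
            and (pkt.src_port == 0 or pkt.dst_port == 0)):
        return "TCP or UDP port is zero"
    if level == 2 and pkt.src_ip in local_ips and pkt.from_ethernet:
        return "source IP is a local address but the packet arrived on Ethernet"
    return None


def dropped_count(packets: Iterable[Packet], level: int, local_ips: Set[str],
                  webwall_on: bool) -> int:
    """Number of packets the filter would drop at the given level."""
    return sum(1 for p in packets
               if attackfilter_verdict(p, level, local_ips, webwall_on) is not None)


# Constructed sample traffic (not captured from a real appliance).
LOCAL_IPS = {"10.0.0.1"}   # addresses the modelled appliance owns
SAMPLE = {
    "ok":        Packet("10.0.0.5", "10.0.0.1", "tcp", 40000, 443),
    "dhcp_like": Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67),  # shape of a DHCP discover
    "bcast":     Packet("255.255.255.255", "10.0.0.1", "udp", 5000, 5000),
    "mcast":     Packet("224.0.0.9", "10.0.0.1", "udp", 520, 520),
    "port0":     Packet("10.0.0.7", "10.0.0.1", "tcp", 0, 80),
    "spoof":     Packet("10.0.0.1", "10.0.0.9", "tcp", 1234, 80, from_ethernet=True),
}

if __name__ == "__main__":
    for level in (0, 1, 2):
        print(f"level {level}: {dropped_count(SAMPLE.values(), level, LOCAL_IPS, True)} "
              f"of {len(SAMPLE)} sample packets dropped")
        for name, pkt in SAMPLE.items():
            print(f"  {name:9s} -> {attackfilter_verdict(pkt, level, LOCAL_IPS, True) or 'permit'}")
```

The "dhcp_like" record is worth noticing: a DHCP discovery legitimately carries 0.0.0.0 as its source address, so it falls under the first level 1 rule. Running a model like this over the traffic an interface is expected to carry is a cheap way to see what a level change would silently drop before applying it.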
system tune tcp retransmit dupacks <br />
This command allows users to set the number of duplicate ACKs that trigger TCP fast<br />
retransmission. The default setting is 3. It is recommended that default settings not be<br />
changed without contacting Array Support.<br />
system tune tcp retransmit policy {newreno|adaptive}<br />
This command allows users to change the default algorithm from NewReno to Adaptive<br />
for starting TCP fast retransmission. It is recommended that default settings not be<br />
changed without contacting Array Support.<br />
system tune tcp slowstart {on|off}<br />
The default status is ON. It is recommended that default settings not be changed without<br />
contacting Array Support.<br />
system tune tcp delack count <br />
This command is used to configure the maximum delayed ACK count. “count” defines the<br />
maximum number of packets that can be delay-ACKed. It defaults to 4. 0 means no delayed ACK.<br />
system tune tcp delack timeout <br />
This command configures the maximum timeout (in ms) for delayed ACK. “timeout”<br />
defines the maximum timeout (in ms) for delayed ACK, and its value must be a multiple<br />
of 10. Its default is 100ms.<br />
system tune tcp syntimeout <br />
This command is used to set the minimum timeout for TCP SYN packets, in seconds.<br />
no system tune tcp delack<br />
This command is used to reset the TCP delayed ACK settings to the default.<br />
no system tune tcp retransmit {timeout|dupacks|policy}<br />
This command is used to reset the specified TCP retransmit setting (timeout,<br />
dupacks or policy) to the default.<br />
no system tune tcp slowstart<br />
This command is used to reset slow start to the default setting (on).<br />
system tune ip randomid {on|off}<br />
This command allows users to enable or disable the feature of assigning a random<br />
identification number to each IP packet. By default, this feature is disabled and the<br />
identification of IP packets is sequentially increased. If “randomid” is on, the IP packet’s<br />
identification will be a random number.<br />
system tune tcp pktdropopt <br />
This command is used to control packet drop behaviour when TCP packets are received<br />
and dropped on a closed TCP port. This function is useful to slow down anyone who is<br />
port scanning a system, attempting to detect vulnerable services on a system. It could<br />
potentially also slow down someone who is attempting a DoS attack.<br />
packet_drop_option Its value can be 0, 1 or 2.<br />
• 0: return a TCP RST.<br />
• 1: silently drop TCP SYN, and return TCP RST for all<br />
other TCP packets.<br />
• 2: silently drop all TCP packets.<br />
system tune udp pktdropopt <br />
This command is used to control packet drop behaviour when UDP packets are received<br />
and dropped on a closed UDP port. This function is useful to slow down anyone who is<br />
port scanning a system, attempting to detect vulnerable services on a system. It could<br />
potentially also slow down someone who is attempting a DoS attack.<br />
packet_drop_option Its value can be 0 or 1.<br />
• 0: return an ICMP port unreachable message.<br />
• 1: silently drop all UDP packets.<br />
no system tune tcp pktdropopt<br />
This command is used to reset TCP packet drop behaviour to the default.<br />
no system tune udp pktdropopt<br />
This command is used to reset UDP packet drop behaviour to the default.<br />
ip nameserver <br />
This command allows users to configure up to three name servers. Users may enter only<br />
one name server IP address, in standard dotted format, at a time. If a user attempts to<br />
enter a fourth name server, the APV appliance will instruct the user to delete one of the<br />
previously entered name server addresses before accepting the new one.<br />
show ip nameserver<br />
This command allows users to display the IP addresses of the name servers.<br />
no ip nameserver <br />
This command allows users to remove a name server from the configuration.<br />
[no] fwd mode {nontransparent|transparent}<br />
This command allows users to set the mode of operation. The APV appliance will use<br />
Array’s management IP (nontransparent) or the client’s IP (transparent) as the source IP in<br />
port forwarding connections.<br />
Note: The port forwarding feature does not support FTP; users are recommended to use<br />
the SLB feature instead.<br />
system date <br />
In the event that a network does not rely on an NTP server, users may set the date within<br />
the APV appliance by employing this command. The values for each parameter may be<br />
entered as one or two digits as necessary. For example, if a user wants to enter the date<br />
October 20, 2010, the input will be as follows:<br />
AN(config)#system date 10 10 20<br />
show date<br />
This command allows users to view the running date and time of the appliance.<br />
system time <br />
In the event that a network does not rely on an NTP server, users may set the time within<br />
the APV appliance by employing this command. The values for each parameter may be<br />
entered as one or two digits as necessary (Note: The APV appliance runs on a twenty-four<br />
hour/military standard clock.). For example, if a user wants to enter the time 11:33:51<br />
PM, the input will be as follows:<br />
AN(config)#system time 23 33 51<br />
system timezone [timezone_string]<br />
This command allows users to set the system time zone. When this command is executed,<br />
the APV appliance will present the user with a three-step menu-driven process to set the<br />
correct time zone. The first step/menu in the process is to choose the correct continent (e.g.<br />
Asia, Europe or North America). After the desired continent is entered, the next menu<br />
will offer the list of supported countries within the specified continent (e.g. China, Hong<br />
Kong, Japan, South Korea, Singapore or Taiwan). The final step is to choose the specific<br />
time zone region from the list generated by the APV appliance. Note: At any time during the<br />
time zone setup, users may enter “0” to return to the previous option (i.e. entering “0” on<br />
the country list page will return users to the continent page).<br />
show system timezone<br />
This command is used to display the current timezone.<br />
clear system timezone<br />
This command is used to set the system timezone to the default, and the default system<br />
timezone is “GMT”.<br />
ntp {on|off}<br />
This command activates or deactivates synchronizing the APV appliance clock with the<br />
NTP server. NTP server settings and the NTP time received by the APV appliance will<br />
preempt CLI date and time settings. The “ntp server” command must be configured<br />
before the NTP function can be enabled.<br />
ntp server [version]<br />
This command allows the APV appliance to act as a client to a specified NTP server.<br />
Users may choose a specific NTP protocol version if so desired. The default is “Version<br />
4”. NTP will get turned off if the time difference between the NTP server and the Array box is<br />
greater than the 1000 seconds (approximately 16 minutes) sanity limit. If the time difference is<br />
greater than 1000 seconds, it has to be adjusted to a closer value by using the “system time”<br />
command.<br />
show ntp<br />
This command allows users to view the current NTP configuration. This command will<br />
also display the time dispersion and association of the current server.<br />
clear ntp<br />
This command removes the NTP configuration.<br />
show statistics tcp<br />
This command displays TCP connections in detail. The number of TCP connections in<br />
each state is counted:<br />
AN#show statistics tcp<br />
LISTEN: 1<br />
SYN_SENT: 0<br />
SYN_RCVD: 0<br />
ESTABLISHED: 0<br />
CLOSE_WAIT: 0<br />
FIN_WAIT_1: 0<br />
CLOSING: 0<br />
LAST_ACK: 0<br />
FIN_WAIT_2: 0<br />
TIME_WAIT: 432<br />
Compared with the “show memory” output, the “TIME_WAIT” figure is the same as the<br />
“USED” TCP small pcb count. All the rest, from the “LISTEN” figure to the “FIN_WAIT_2”<br />
figure, add up to the “USED” TCP pcb count.<br />
hostname <br />
This command allows users to set or change the given name of an APV appliance, even<br />
though the specified appliance may not be running (the name will be saved in all other<br />
running configurations and later, when the newly named machine is up and running, the<br />
master will notify the new machine of the newly assigned name). A name may be entered<br />
as a single set of continuous alphanumeric characters or a set of alphanumeric characters<br />
enclosed in double quotation marks. Currently, the maximum length of a host name is<br />
64 characters.<br />
show hostname<br />
This command is used to display the given host name of an APV appliance.<br />
no hostname<br />
This command clears an APV appliance’s host name. After the host name is cleared, the<br />
default name “AN” will be used as the host name.<br />
[no] system mail from <br />
For certain configured events (URL filtering and logging alerts), the APV appliance sends<br />
emails to the configured addresses. This command can be used to configure the value of<br />
the "From" header in the mail being sent out. Essentially, this is used to configure the<br />
from email address. The default is “%h alert@log.domain”.<br />
% The escape character in both strings.<br />
%h Full host name defined by the “hostname” command.<br />
%q A double quote (").<br />
%% A literal percent sign.<br />
[no] system mail hostname <br />
For certain configured events (URL filtering and logging alerts), the APV appliance sends<br />
emails to the configured addresses. This command can be used to configure the value of the<br />
host name from which the mail is recorded as sent. The default is<br />
“%l.alert_pseudo_domain”.<br />
% The escape character in both strings.<br />
%h Full host name defined by the “hostname” command.<br />
%l First part of the host name (up to the first “.”).<br />
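The “%” escapes used by “system mail from” and “system mail hostname”, as an added example that is not code from this handbook or from ArrayOS: a Python expander that applies the listed substitutions (%h, %l, %q, %%) to a template and rejects anything the handbook does not list. It assumes that “%%” is valid in both templates, since “%” is described as the escape character in both strings, and that an unknown escape is an error rather than literal text; the sample host name is constructed.

```python
"""Expansion of the "%" escapes in "system mail from" / "system mail hostname" templates.

Added example written for this section; it is not ArrayOS code. It assumes the
escapes behave exactly as the handbook lists them and rejects anything else
instead of guessing.
"""
from typing import Dict

# Defaults quoted in the handbook.
DEFAULT_MAIL_FROM = "%h alert@log.domain"
DEFAULT_MAIL_HOSTNAME = "%l.alert_pseudo_domain"

# Escapes the handbook lists for each template (assumption: "%%" is valid in
# both, since "%" is described as the escape character in both strings).
FROM_ESCAPES = frozenset("hq%")
HOSTNAME_ESCAPES = frozenset("hl%")


def expand_mail_template(template: str, hostname: str, allowed: frozenset) -> str:
    """Replace %h, %l, %q and %% in a template; raise ValueError on anything else."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("dangling '%' at end of template")
        esc = template[i + 1]
        if esc not in allowed:
            raise ValueError(f"escape %{esc} is not valid in this template")
        if esc == "h":
            out.append(hostname)
        elif esc == "l":
            out.append(hostname.split(".", 1)[0])   # up to the first "."
        elif esc == "q":
            out.append('"')
        else:                                        # "%%"
            out.append("%")
        i += 2
    return "".join(out)


def render_mail_identity(hostname: str,
                         mail_from: str = DEFAULT_MAIL_FROM,
                         mail_hostname: str = DEFAULT_MAIL_HOSTNAME) -> Dict[str, str]:
    """Return the From header value and sending host name an alert mail would carry."""
    return {
        "From": expand_mail_template(mail_from, hostname, FROM_ESCAPES),
        "hostname": expand_mail_template(mail_hostname, hostname, HOSTNAME_ESCAPES),
    }


if __name__ == "__main__":
    # Constructed host name; the "hostname" command allows up to 64 characters.
    print(render_mail_identity("apv1.example.test"))
    print(render_mail_identity("apv1.example.test",
                               mail_from='%q%h alerts%q <alerts@example.test>'))
```

Previewing the expansion before committing a template is useful because the resulting From value and host name are what a downstream mail filter or log collector will key on when it decides which appliance an alert came from.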
[clear|show] system mail<br />
This command allows users to view or clear the system mail configuration.<br />
system mail relay server <br />
This command allows users to create a new system mail relay server.<br />
host_name The domain name used as the host name in relayed mail.<br />
relay_server The IP address or the server name of the relay server.<br />
system mail relay {on|off}<br />
This command is used to turn on/turn off the system mail relay service. The following are<br />
CLI examples to set up a mail relay server.<br />
AN(config)#system mail relay server “arraynetworks.com.cn” “relay.com”<br />
AN(config)#system mail relay on<br />
The APV appliance will send mails using “relay.com”, with the host name<br />
"arraynetworks.com.cn". First, however, make sure that the APV appliance can<br />
reach the relay server “relay.com” or that DNS can resolve it.<br />
show system relay<br />
This command is used to display the configuration and the status of the relay service.<br />
clear system relay<br />
This command is used to remove all the relay servers and turn off mail relay.<br />
no system mail relay server <br />
This command is used to delete the record of the system mail relay server configuration.<br />
system interactive on<br />
This command is used to turn on CLI command interactive mode. If this command is<br />
used, more command result messages will be displayed.<br />
system interactive off<br />
This command is used to turn off CLI command interactive mode. Fewer command result<br />
messages will be displayed. This is the default setting.<br />
show system interactive<br />
This command is used to display the current system interactive setting (on|off).<br />
system command timeout <br />
This command is used to set the command execution timeout when the system boots up<br />
or users execute the “config file|config memory” command. Fastlog and syslog will log<br />
the timed-out command for troubleshooting.<br />
timeout Specify the timeout value in seconds (30-65535). The<br />
default value is 0.<br />
show system command timeout<br />
This command is used to display the command execution timeout value.<br />
setup<br />
This command starts a setup wizard that guides users through setting up the APV<br />
appliance step by step.<br />
Chapter 3 Advanced System Operations<br />
[no|show|clear] mnet {system_ifname|bond_ifname} <br />
This command allows users to create an MNET (multi-netting) interface for the specified<br />
system interface or bond interface. ArrayOS supports creating at most 16 MNET<br />
interfaces.<br />
The “no” version of this command is used to delete the specified MNET interface, and<br />
the “show|clear” versions of this command are respectively used to display or remove<br />
the configurations of all MNET interfaces.<br />
system_ifname Specify the system interface name, which is port1, port2,<br />
port3, port4, …, or port14 by default. (Administrators can<br />
self-define the system interface name by using the<br />
command “interface name”.)<br />
bond_ifname Specify the bond interface name, which should be an<br />
alphanumeric string.<br />
user_interface_name Self-define the MNET interface name, which should be an<br />
alphanumeric string and contain at most 32 characters.<br />
[no|show|clear] vlan {system_ifname|bond_ifname} <br />
This command allows users to create a VLAN (Virtual Local Area Network) interface for<br />
the specified system interface or bond interface. ArrayOS supports creating at most 250<br />
VLAN interfaces.<br />
The “no” version of this command is used to delete the specified VLAN interface, and<br />
the “show|clear” versions of this command are respectively used to display or remove<br />
the configurations of all VLAN interfaces.<br />
system_ifname Specify the system interface name, which is port1, port2,<br />
port3, port4, …, or port14 by default. (Administrators can<br />
self-define the system interface name by using the<br />
command “interface name”.)<br />
bond_ifname Specify the bond interface name, which should be an<br />
alphanumeric string.<br />
user_interface_name Self-define the VLAN interface name, which should be an<br />
alphanumeric string.<br />
vlan_tag Specify the ID for the VLAN interface being created,<br />
which should be any integer from 1 to 4094.<br />
fwd tcp [timeout]<br />
This command allows users to assign a port on the APV appliance to a network IP/port<br />
pair. All TCP traffic to a specific local IP and port received by the APV appliance will be<br />
routed to a specified remote IP and port. ArrayOS supports creating at most 584 “fwd<br />
tcp|udp” configurations.<br />
local_ip The local IP address to forward.<br />
local_port The port to forward into the network server farm.<br />
remote_ip The IP address of the backend server to which the appliance<br />
forwards the traffic.<br />
remote_port The destination port corresponding to the remote IP<br />
address.<br />
timeout Optional timeout setting in seconds; it defaults to 300<br />
seconds.<br />
fwd udp [timeout]<br />
This command allows users to forward UDP packets. All UDP traffic to a specific local IP<br />
and port will be routed to a specified remote IP and port. ArrayOS supports creating at<br />
most 584 “fwd tcp|udp” configurations.<br />
local_ip The local IP address to forward.<br />
local_port The UDP port to forward.<br />
remote_ip The IP address of the server, in standard dotted format.<br />
remote_port The destination port corresponding to the IP address.<br />
timeout Optional timeout setting in seconds; it defaults to 300<br />
seconds.<br />
no fwd tcp <br />
no fwd udp <br />
These commands are used to disable the specified port-forwarding configuration.<br />
clear fwd<br />
This command is used to remove any configured port forwarding.<br />
nat port {pool_name|vip} [timeout] [gateway]<br />
This command is used to enable network address translation (NAT) along with port<br />
translation. NAT converts the address of each server or device on the inside network into<br />
one IP address or IP addresses in the pre-defined IP pool for the Internet, and vice versa.<br />
It also serves as a WebWall by keeping individual IP addresses hidden from the outside<br />
world. The appliance will check for subnet overlap or verify that the configured virtual IP<br />
exists. Data packets will be NATTed if and only if:<br />
• The source IP address is in the range of the configured “network_ip” and<br />
“netmask”.<br />
• The configured “gateway” is the same as the route gateway. If the “gateway”<br />
is set to the default value 0.0.0.0, the “VIP/IP pool” and the route gateway should be<br />
within the same network segment.<br />
Up to 512 “nat port” configurations are allowed on one APV appliance.<br />
pool_name|vip A supplied virtual IP address or IP pool name.<br />
network_ip The network IP to perform the network translation on.<br />
netmask The netmask for the network performing the NAT.<br />
timeout Optional timeout setting in seconds; it defaults to 60<br />
seconds.<br />
gateway The gateway IP address to which the data packets are<br />
routed after being NATTed. It defaults to 0.0.0.0.<br />
no nat port {pool_name|vip} <br />
This command is used to remove the specified virtual IP address or IP pool from the NAT<br />
configuration.<br />
show nat port<br />
This command is used to display all NAT configurations.<br />
clear nat port<br />
This command stops and removes the NAT configuration.<br />
nat static [timeout] [gateway]<br />
This command allows users to establish a static NAT route. Data packets will be<br />
NATTed if and only if:<br />
• The source IP address is in the range of the configured “network_ip”.<br />
• The configured “gateway” is the same as the route gateway (the route<br />
gateway is configured by using the command “ip route default”). If the “gateway”<br />
is set to the default value 0.0.0.0, the “vip” and the route gateway should be within<br />
the same network segment.<br />
Up to 512 “nat static” configurations are allowed on one APV appliance.<br />
vip A supplied virtual IP address.<br />
network_ip The network IP to perform the network translation on.<br />
timeout Timeout value in seconds; it defaults to 60 seconds.<br />
gateway The gateway IP address to which the data packets are<br />
routed after being NATTed. It defaults to 0.0.0.0.<br />
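The two “NATTed if and only if” conditions given for “nat port” above and for “nat static” here, as an added example that is not code from this handbook or from ArrayOS: a Python check that decides, for a rule and a source address, whether the appliance's stated conditions hold. It models “nat static”, for which the handbook names only “network_ip”, as a single host (/32); the mask used to decide whether the VIP or pool address and the route gateway share a network segment is not stated on the page, so it is an explicit assumption passed by the caller. The rules and the route gateway address are constructed.

```python
"""Eligibility check for "nat port" and "nat static" (added example, not ArrayOS code).

Models the two conditions the handbook gives: the source IP must fall inside
network_ip/netmask (for "nat static" only network_ip is named, so a single
host is assumed and modelled as a /32), and the configured gateway must equal
the route gateway, or, when it is left at 0.0.0.0, the VIP / IP-pool address
must be in the same network segment as the route gateway. The mask used for
that segment comparison is not stated on the page and is an assumption
supplied by the caller.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class NatRule:
    translated_ip: str                 # VIP, or one address from the IP pool
    network_ip: str
    netmask: str = "255.255.255.255"   # nat static: the single network_ip host
    gateway: str = "0.0.0.0"           # handbook default
    timeout: int = 60                  # handbook default, seconds

    def source_network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.network_ip}/{self.netmask}", strict=False)


def nat_applies(rule: NatRule, src_ip: str, route_gateway: str,
                segment_mask: str = "255.255.255.0") -> Tuple[bool, str]:
    """Return (True, reason) if the packet would be NATTed, else (False, reason)."""
    if ipaddress.ip_address(src_ip) not in rule.source_network():
        return False, "source IP is outside network_ip/netmask"
    route_gw = ipaddress.ip_address(route_gateway)
    if rule.gateway != "0.0.0.0":
        if ipaddress.ip_address(rule.gateway) != route_gw:
            return False, "configured gateway differs from the route gateway"
        return True, "source matches and gateway equals the route gateway"
    # gateway left at 0.0.0.0: VIP/pool must share the route gateway's segment
    segment = ipaddress.ip_network(f"{rule.translated_ip}/{segment_mask}", strict=False)
    if route_gw not in segment:
        return False, "gateway is 0.0.0.0 but VIP/pool and route gateway are in different segments"
    return True, "source matches and VIP/pool shares the route gateway's segment"


# Constructed rules and a constructed default route gateway (not from a real deployment).
ROUTE_GATEWAY = "203.0.113.1"
PORT_RULE = NatRule("203.0.113.10", "10.1.0.0", "255.255.255.0")           # nat port, gateway default
STATIC_RULE = NatRule("203.0.113.20", "10.1.0.40", gateway="203.0.113.1")  # nat static, explicit gateway

if __name__ == "__main__":
    for label, rule, src in (("port", PORT_RULE, "10.1.0.25"),
                             ("port", PORT_RULE, "10.2.0.25"),
                             ("static", STATIC_RULE, "10.1.0.40"),
                             ("static", STATIC_RULE, "10.1.0.41")):
        ok, why = nat_applies(rule, src, ROUTE_GATEWAY)
        print(f"nat {label:6s} src {src:10s} -> {'NAT' if ok else 'no NAT'}: {why}")
```

The reason string matters as much as the boolean: when a NAT rule that looks correct is silently not applied, the second condition (gateway mismatch, or a VIP outside the route gateway's segment) is the usual cause, and the check makes that distinction explicit.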
no nat static <br />
This command is used to remove the specified virtual IP address from the static NAT<br />
configuration.<br />
show nat static<br />
This command is used to display all static NAT configurations.<br />
clear nat static<br />
This command is used to stop and remove the static NAT configuration.<br />
nat protocol pptp [port]<br />
This command is used to enable NAT traversal for PPTP tunnels. This function is enabled<br />
by default.<br />
port Specify the port number of the PPTP server. It defaults to<br />
1723.<br />
no nat protocol pptp<br />
This command is used to disable NAT traversal for PPTP tunnels.<br />
show nat protocol<br />
This command is used to display the configurations of NAT traversal for PPTP tunnels.<br />
show nat table<br />
This command displays the existing network translations for incoming and outgoing<br />
traffic and the statistics of GRE tunnels.<br />
Example:<br />
AN(config)#show nat table<br />
From 172.16.74.201(1534)through 172.16.2.11(35940) to 172.16.2.226(1723)<br />
PPTP GRE NAT table statistics.<br />
Current GRE tunnel: 2<br />
Total Out Packets: 277<br />
Total In Packets: 205<br />
Total Out Bytes: 100808<br />
Total In Bytes: 12199<br />
From(ip:call id) Through(ip:call id) To(ip:call id) Out Packets In Packets<br />
172.16.74.201:16384 172.16.2.11:1025 172.16.2.226:33767 231 164<br />
172.16.74.201:32769 172.16.2.11:1026 172.16.2.226:998 46 41<br />
rip {on|off}<br />
This command is used to turn RIP on/off.<br />
rip version {1|2}<br />
This command is used to set the RIP version to RIPv1 or RIPv2. Its default setting is<br />
RIPv2.<br />
[no] rip network <br />
This command is used to enable/disable RIP on the interfaces whose addresses match<br />
the parameter “ip_address”.<br />
show rip status<br />
This command is used to display the status of RIP.<br />
show rip settings<br />
This command is used to display the current settings of RIP.<br />
ospf {on|off}<br />
This command is used to enable/disable OSPF.<br />
[no] ospf network <br />
This command is used to enable or disable the OSPF interfaces and define an area ID for<br />
those interfaces.<br />
area_id The identification number (0-4294967295) assigned to the<br />
interfaces.<br />
show ospf status<br />
This command is used to display the running status of OSPF.<br />
show ospf settings<br />
This command is used to display the current settings of OSPF.<br />
ipv6 address [prefix_length]<br />
This command is used to set the IPv6 address for a specified system interface. Only one<br />
IPv6 address can be configured for each system interface.<br />
interface_name The name of the system interface.<br />
v6_address The IPv6 address, which should be a global unicast<br />
address, in the format of “2000::2”.<br />
prefix_length The prefix length of the IPv6 address. It ranges from 1 to<br />
128, and defaults to 64.<br />
no ipv6 address <br />
This command is used to remove the IPv6 address of the specified system interface.<br />
clear ipv6 address<br />
This command is used to clear the IPv6 addresses configured for all system interfaces.<br />
show ipv6 address<br />
This command is used to display the IPv6 addresses configured for all system interfaces.<br />
ipv6 natpt {on|off}<br />
This command is used to enable or disable the NAT-PT translation.<br />
show ipv6 natpt status<br />
This command is used to display the status (on or off) of IPv6 NAT-PT.<br />
ipv6 natpt prefix <br />
This command is used to set the prefix of the IPv6 address for NAT-PT translation. The<br />
destination IPv6 addresses with this prefix will be translated by the APV appliance.<br />
prefix The prefix of the IPv6 address, in the format of “3001::”.<br />
no ipv6 natpt prefix<br />
This command is used to remove the IPv6 prefix configuration for NAT-PT translation.<br />
ipv6 natpt v6v4 <br />
This command is used to set a dynamic IPv6-to-IPv4 translation rule. Any source IPv6<br />
address will be translated into the IPv4 address specified by the parameter “v4_addr”,<br />
and the port will also be remapped. Only one IPv6-to-IPv4 translation rule is supported.<br />
The port number should be between 1025 and 65535.<br />
no ipv6 natpt v6v4<br />
This command is used to remove the IPv6-to-IPv4 translation rule.<br />
ipv6 natpt v4v6 <br />
This command is used to set an IPv4-to-IPv6 static translation rule. Each IPv4 address is<br />
mapped to an IPv6 address.<br />
v4_addr The IPv4 address.<br />
v6_addr The IPv6 address, which should be a global unicast<br />
address.<br />
no ipv6 natpt v4v6 <br />
This command is used to remove the IPv4-to-IPv6 translation rule associated with the<br />
specified IPv4 address.<br />
clear ipv6 natpt v4v6<br />
This command is used to clear all the configured IPv4-to-IPv6 translation rules.<br />
show ipv6 natpt config<br />
This command is used to display the IPv6 NAT-PT configurations.<br />
clear ipv6 natpt all<br />
This command is used to clear all the IPv6 NAT-PT configurations.<br />
show ipv6 natpt translations<br />
This command is used to display the NAT-PT translation table.<br />
ipv6 route default <br />
This command is used to set the IPv6 default route.<br />
gateway_ip The gateway IP address <strong>of</strong> IPv6 default route, which should<br />
be a global unicast IPv6 address.<br />
no ipv6 route default<br />
This command is used to remove the IPv6 default route.<br />
ipv6 route static <br />
This command is used to set the IPv6 static route.<br />
dst_ip The destination IP address, which must be a global unicast<br />
IPv6 address.<br />
prefix_length The prefix length, which ranges from 1 to 128.<br />
gateway_ip The gateway IP address, which must be a global unicast<br />
IPv6 address.<br />
no ipv6 route static <br />
This command is used to remove the IPv6 static route.<br />
show ipv6 route<br />
This command is used to display the IPv6 default route and static route.<br />
clear ipv6 route<br />
This command is used to remove the IPv6 default route and static route.<br />
ip pool <pool_name> <start_ip> [end_ip]
This command is used to create an IP pool and add an IP segment to it, or to add an IP segment to an existing IP pool. Multiple IP segments can be added to a pool. If the named IP pool does not exist, ArrayOS creates a new one. At most 32 IP pools are supported on an APV appliance, and each IP pool may hold at most 256 IP addresses.
pool_name  The name of the IP pool. If the assigned name begins with a numeric character, the string must be framed in double quotes.
start_ip  The starting IP address of the IP segment.
end_ip  The end IP address of the IP segment. This parameter is optional. If it is not assigned, only “start_ip” is added to the IP pool.
no ip pool <pool_name> [start_ip]
This command is used to remove an IP segment from the specified IP pool.
pool_name  The name of the IP pool.
start_ip  The starting IP address of the IP segment to be removed. With the start IP configured, the IP segment that begins with this IP address is removed.
clear ip pool [pool_name]
This command is used to remove the specified IP pool. If the parameter “pool_name” is not assigned, the command removes all the IP pools.
pool_name  This parameter is optional; it names the IP pool to remove.
show ip pool [pool_name]
This command is used to display the configuration of the specified IP pool. If the parameter “pool_name” is not assigned, the command shows the configuration of all the IP pools.
Chapter 4 WebWall
The Access Control List (ACL) allows you to administer WebWall or firewall-style security rules. The commands in this chapter dictate who may gain access to your system based on their location on the Internet and the network interface used to contact the appliance.
Access Groups
accessgroup <accesslist_id> <interface>
This command allows users to assign access list members to a specific group and a specific interface.
accesslist_id  The identification number (1-999) assigned to this group of members. This value should match the value established for the access list member created with the “accesslist” command.
interface  The associated interface for this access group, which can be the system interface, bond interface, VLAN interface or MNET interface.
Example:
AN(config)#accessgroup 250 port1
no accessgroup <accesslist_id> <interface>
This command allows users to remove an access group from the associated interface.
show accessgroup
This command is used to display all access groups.
clear accessgroup
This command is used to remove all the group entries created with the “accessgroup” command. Afterwards no TCP, UDP or ICMP packets are allowed through the WebWall, and users cannot access the appliance through the WebUI unless WebWall is disabled.
Access List
accesslist permit icmp echoreply
accesslist permit icmp echorequest
accesslist permit tcp
accesslist permit udp
accesslist deny icmp echoreply
accesslist deny icmp echorequest
accesslist deny tcp
accesslist deny udp
These commands are used to either permit or deny access. Access is disabled at boot time, and rules control access to the appliance and network. There are two forms of the command: one permits access for a specific IP address and port number, and one denies it. The access list ID ranges from 1 to 999. This command works in conjunction with the “accessgroup” command: once an access list has been created, the user must run the “accessgroup” command to bind the newly created access list ID to an interface (NIC). The IP addresses and netmasks specify the source subnet and destination subnet for the rule, which may be any classless subnets. Port number “0” can be used as the wildcard for the source and destination port number fields. To remove any of the above access list configurations, use the “no” version of the appropriate command.
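The following model of the access-list semantics described above is an added example, not code from the handbook or from Array Networks. It implements what the text states (source and destination subnets of any classless size, port 0 as the wildcard, access list IDs from 1 to 999 bound to an interface with “accessgroup”, and a default of no access on an interface with WebWall on). Two details the handbook does not state are assumptions: rules are evaluated in the order they were entered, and the first matching rule decides. The names `WebWall`, `Rule` and `build_example` and the sample addresses are constructed for the example.

```python
"""WebWall access-list evaluation model (added example, not ArrayOS code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp echorequest", "icmp echoreply"
    src: ipaddress.IPv4Network       # source subnet (any classless subnet)
    dst: ipaddress.IPv4Network       # destination subnet
    src_port: int                    # 0 = wildcard (handbook convention)
    dst_port: int                    # 0 = wildcard
    accesslist_id: int               # 1-999


@dataclass
class WebWall:
    rules: list = field(default_factory=list)    # "accesslist" entries, in entry order
    groups: dict = field(default_factory=dict)   # interface -> set of bound list IDs
    enabled: set = field(default_factory=set)    # interfaces with "webwall on"

    def accesslist(self, action, proto, src, dst, src_port, dst_port, list_id):
        """Add one permit/deny rule; mirrors the accesslist command."""
        if not 1 <= list_id <= 999:
            raise ValueError("access list ID must be between 1 and 999")
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.rules.append(Rule(action, proto,
                               ipaddress.ip_network(src, strict=False),
                               ipaddress.ip_network(dst, strict=False),
                               src_port, dst_port, list_id))

    def accessgroup(self, list_id, interface):
        """accessgroup <accesslist_id> <interface>: bind a list ID to a NIC."""
        self.groups.setdefault(interface, set()).add(list_id)

    def webwall_on(self, interface):
        self.enabled.add(interface)

    def allows(self, interface, proto, src_ip, dst_ip, src_port=0, dst_port=0):
        """True if a packet arriving on `interface` may pass the WebWall."""
        if interface not in self.enabled:
            return True                      # webwall off: packets travel freely
        bound = self.groups.get(interface, set())
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for r in self.rules:                 # assumption: entry order, first match wins
            if r.accesslist_id not in bound or r.proto != proto:
                continue
            if src not in r.src or dst not in r.dst:
                continue
            if r.src_port not in (0, src_port) or r.dst_port not in (0, dst_port):
                continue
            return r.action == "permit"
        return False                         # nothing matched: access stays disabled


def build_example():
    """Constructed configuration: list 250 on port1 admits HTTPS to one host
    from anywhere except one internal subnet; port2 has WebWall off."""
    ww = WebWall()
    ww.webwall_on("port1")
    ww.accesslist("deny", "tcp", "10.20.0.0/16", "192.168.1.10/32", 0, 443, 250)
    ww.accesslist("permit", "tcp", "0.0.0.0/0", "192.168.1.10/32", 0, 443, 250)
    ww.accessgroup(250, "port1")
    return ww
```

The deny rule is entered before the permit so that the internal subnet is refused even though the permit covers all sources; with WebWall off on port2 nothing is filtered, which is why the handbook recommends turning it off only for diagnostics.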
show accesslist
This command is used to display the permitted and denied source IP addresses for the interfaces of the APV appliance.
clear accesslist
This command is used to remove all permit or deny WebWall rules.
Important: If the permit rules are cleared, no TCP, UDP or ICMP packets pass through the WebWall.
WebWall
webwall on <interface> [mode]
This command allows users to turn on the WebWall function on a specified interface.
interface  Specify the interface name, which can be the system interface, bond interface, VLAN interface or MNET interface.
mode  This parameter is used to control WebWall behavior.
- 0: Normal mode. All the packets follow the ACL rules.
- 1: Ack mode. In this mode, WebWall is backward compatible in that all TCP ACK packets are permitted by default.
The default value is 0 for security reasons.
webwall off
This command allows users to turn off the WebWall function on a specified interface. By turning off the WebWall, the APV appliance allows packets to travel freely through the system. Users should only turn off the WebWall for diagnostic purposes, since it disables all access list filters. Users also have the choice to enable or disable the WebWall function for a specific interface, including the system interface, bond interface, VLAN interface or MNET interface. Users who are using the Array clustering technology should consult the clustering section of this manual before setting up the WebWall functionality. The command does not reset any of the configured parameters. The WebWall function is always off by default.
Example:
AN(config)#webwall port2 off
show statistics webwall [interface]
This command is used to display the current WebWall running information for all interfaces with the WebWall function enabled. If an interface is specified, this command shows the running information for that interface only.
show webwall
This command is used to display the current configuration of the WebWall.
clear statistics webwall [interface]
This command is used to clear the current WebWall statistics on the specified interface. If no interface is specified, this command clears the statistics for all interfaces with WebWall on.
Chapter 5 Server Load Balancing
Server Load Balancing (SLB) improves server utilization, scalability, and failover redundancy. The APV appliance monitors the available content servers and directs client requests to the most appropriate server based on one of several available algorithms.
Basic SLB Commands
show slb all
This command is used to display the entire SLB configuration, including real and virtual services, policies, groups and group members.
clear slb all
This command is used to remove the SLB configuration.
slb timeout <virtual_name> <timeout>
This command is used to specify a custom TCP connection timeout for all connections to a virtual service. By default, connections to a virtual service use the standard TCP timeout value.
virtual_name  The name of the virtual service.
timeout  The TCP timeout value, in seconds. The maximum value is 999999 seconds.
slb mode ircookie {plainname|hexname}
This command is used to set the SLB insert/rewrite cookie mode. If the mode is “plainname”, the ASCII value of the real server’s name is set as the cookie value, e.g. name=aTc8acd!?9; if the mode is set to “hexname”, a hexadecimal value of the real server’s name is set as the cookie value, e.g. name=456143!?04.
Note: “!?” marks the end of the rewritten part.
slb mode icookie {always|onlyone}
This command is used to control SLB insert cookie behavior to suit different client browsers. If the mode is “always”, the APV appliance always inserts a cookie, whether or not the client’s request already contains an inserted cookie. If the mode is set to “onlyone”, the APV appliance inserts a cookie only when the client’s request does not contain any inserted cookies.
[no] slb mode packetbased <virtual_name>
This command is used to configure UDP packet-based load balancing for a specified virtual service. With this configuration, the packets of one client connection can be scattered to several different servers according to the specified SLB algorithm.
The “no” version of this command is used to remove the packet-based load balancing configuration of a specified virtual service.
virtual_name  The name of the virtual service.
clear slb mode packetbased
This command is used to remove all the packet-based load balancing configuration.
slb directfwd {on|off}
This command is used to turn the DirectFWD function on or off. It is off initially.
slb directfwd syncache {on|off}
This command is used to turn the DirectFWD module’s syncache function on or off. This function effectively mitigates SYN flood attacks. It is off initially.
slb mode activeclose {on|off}
This command is used to turn the L4 TCP connection active-closing feature on or off. The default value is off. When the feature is on, the system closes L4-related TCP connections when the IP, TCP or TCPS real service goes down. When the feature is off, L4 TCP connections are not closed until the connection times out, and client requests on existing connections are still sent to the original real service even though it may have gone down.
The APV appliance supports two modes of closing L4 TCP connections:
- Actively closing: the APV appliance actively closes the L4 TCP connections when the corresponding real service goes down. This is useful for closing long-lived connections in time, and is turned on or off with this command.
- Passively closing: for a spliced TCP connection, the APV appliance checks the health status of the real service by examining each packet sent to it. If the real service goes down, the APV appliance resets the connections. This feature always works, whether the active closing mode is on or off.
slb mode regexcase {on|off} [virtual_service|vlink_name]
This command is used to enable or disable the SLB regexcase mode, i.e. to configure whether the APV appliance distinguishes uppercase and lowercase letters in the strings that users input for certain SLB settings. The default status is “off”, which means the APV appliance distinguishes uppercase and lowercase letters (case-sensitive).
on|off  If this value is “off”, the APV appliance distinguishes uppercase and lowercase letters (case-sensitive). If this value is “on”, the APV appliance does not distinguish them (case-insensitive); it automatically changes the uppercase letters in the string into lowercase letters.
virtual_service|vlink_name  This parameter is optional. It is used to enable or disable the SLB regexcase mode for a specified virtual service or vlink. If this parameter is null, the SLB regexcase mode is enabled or disabled for all the virtual services and vlinks, i.e. it is a global setting. If this parameter is set for a virtual service or vlink, the global setting is ignored on that virtual service or vlink.
Note: This feature takes effect on the following commands: “slb policy regex”, “slb policy header”, “http rewrite request url”, “http rewrite response url” and “slb policy redirect”. If the SLB regexcase mode is not set before executing these commands, the global setting applies.
Adding Real Services
slb real http <real_name> <ip> [port] [max_conn] [http|tcp|icmp|script-tcp|script-udp|sip-tcp|sip-udp|dns] [hc_up] [hc_down]
slb real tcp <real_name> <ip> <port> [max_conn] [http|tcp|icmp|script-tcp|script-udp|sip-tcp|sip-udp|dns|ldap] [hc_up] [hc_down]
slb real ftp <real_name> <ip> [port] [max_conn] [tcp|icmp|script-tcp|script-udp|sip-tcp|sip-udp|dns] [hc_up] [hc_down]
slb real udp <real_name> <ip> <port> [max_conn] [hc_up] [hc_down] [timeout] [icmp|script-tcp|script-udp|radius-auth|radius-acct|dns]
slb real https <real_name> <ip> [port] [max_conn] [https|tcp|tcps|icmp|script-tcp|script-udp|script-tcps|sip-tcp|sip-udp|dns] [hc_up] [hc_down]
slb real tcps <real_name> <ip> <port> [max_conn] [tcp|tcps|icmp|script-tcp|script-udp|script-tcps|sip-tcp|sip-udp|dns] [hc_up] [hc_down]
slb real dns <real_name> <ip> <port> [max_conn] [dns|icmp|script-tcp|script-udp|sip-tcp|sip-udp|dns] [hc_up] [hc_down] [timeout]
slb real siptcp <real_name> <ip> [port] [max_conn] [http|tcp|icmp|script-tcp|script-udp|sip-tcp|sip-udp|dns] [hc_up] [hc_down]
slb real sipudp <real_name> <ip> [port] [max_conn] [icmp|script-tcp|script-udp|radius-auth|radius-acct|sip-tcp|sip-udp|dns|none] [hc_up] [hc_down] [timeout]
slb real rtsp <real_name> <ip> [port] [max_conn] [rtsp-tcp|tcp|icmp|script-tcp|script-udp|dns] [hc_up] [hc_down] [timeout]
slb real rdp <real_name> <ip> [port] [max_conn] [tcp|icmp] [hc_up] [hc_down]
These commands allow users to assign specific parameters to real services. Two different real services with the same name are not permitted. The real service must be established before it can be added to any SLB group.
real_name  An alphanumeric string for the real service name. Note: If the assigned name begins with a numeric character, the string must be framed in double quotes.
ip  The real service’s IP address.
port  The port number on which the real service answers incoming requests. The default value is 80 for HTTP, 21 for FTP, 53 for DNS, 443 for HTTPS and TCPS, 554 for RTSP, 3389 for RDP and 5060 for SIP TCP and SIP UDP. There is no default port setting for TCP or UDP. When the port is 0, it is a port-range real service, and its port range is considered all-port.
max_conn  Sets the maximum number of open connections per real server. Default is 1000.
http|tcp|icmp|tcps|dns|script-tcp|script-udp|radius-auth|radius-acct|sip-tcp|sip-udp|rtsp-tcp|https|script-tcps|ldap  Health check type performed to determine real service availability. The default value is icmp for UDP, tcp for FTP, HTTP, TCP, HTTPS and TCPS, dns for DNS, rtsp-tcp for RTSP, sip-tcp for SIP TCP and sip-udp for SIP UDP. When the port is 0, the real service can only use the “icmp” or “none” health check. The ldap health check can only be configured for TCP real services.
hc_up  The number of health checks with a positive result that must be performed before the service is marked “up”. The default value is 3.
hc_down  The number of health checks with a negative result that must be performed before the service is marked “down”. The default value is 3.
timeout  Optional. Timeout period measured in seconds. This parameter is only required when establishing a real service through UDP. The default timeout setting for a UDP real service is sixty seconds.
slb real ip <real_name> <ip> [max_conn] [icmp|none] [hc_up] [hc_down] [udp_timeout]
This command is for L3 IP load balancing. It allows users to add a new real service of type “IP”. The real service must be established before it can be added to any SLB group. A real service of L3 load balancing can support the TCP and UDP protocols at the same time, and its TCP sessions obey the global setting made with the command “system tune tcpidle”.
max_conn  Optional. Sets the maximum number of TCP and UDP connections per real service. Default is 1000.
icmp|none  Optional. The check type used to determine real service availability. Default is “icmp”.
hc_up  The number of health checks with a positive result that must be performed before the service is marked “up”. The default value is 3.
hc_down  The number of health checks with a negative result that must be performed before the service is marked “down”. The default value is 3.
udp_timeout  The real service UDP session timeout value (in seconds).
slb real l2ip <real_name> <real_ip>
This command allows users to create L2 IP based real services for load balancing operations and protocols.
real_name  An assigned name, in the form of a character string, for the real service. Note: If the assigned name begins with a numeric character, the string must be framed in double quotes.
real_ip  The real server’s IP address, in traditional dotted IP format.
slb real l2mac <real_name> <real_mac> <output_interface>
This command allows users to create L2 MAC based real services for load balancing operations and protocols.
real_name  An assigned name, in the form of a character string, for the real service. Note: If the assigned name begins with a numeric character, the string must be framed in double quotes.
real_mac  The real server’s MAC address, in the format AB:CD:EF:GH:IJ:KL.
output_interface  The output interface of the real service.
health ipreflect <reflector_name> <ip_address> <port> [protocol]
This command is used to configure a reflector for the L2 SLB TCP health check. This health check reflector is set up and runs on another APV appliance.
reflector_name  The name of the reflector, which supports at most 40 characters.
ip_address  The IP address to bind to the reflector. 0.0.0.0 means any IP address on the APV appliance.
port  The port on which the health check reflector listens.
protocol  The health check type. Only TCP is supported for now.
no health ipreflect <reflector_name>
This command is used to remove the specified reflector configuration.
clear health ipreflect
This command is used to clear all the reflector configurations.
show health ipreflect
This command is used to display all the reflector configurations.
no slb real {http|tcp|ftp|udp|tcps|https|dns|siptcp|sipudp|rtsp|rdp} <real_name>
This command is used to delete the real service with the given name. If the real service is a member of any groups, it is removed from those groups.
show slb real {http|tcp|ftp|udp|tcps|https|dns|siptcp|sipudp|rtsp|rdp} [real_name]
This command is used to display the real service with the given name and protocol. If no real service name is given, this command displays all real services with the given protocol.
show slb real all
This command is used to display all defined real services and all associated parameters.
clear slb real {http|tcp|ftp|udp|tcps|https|dns|siptcp|sipudp|rtsp|rdp}
This command is used to delete all configured real services of the specified protocol.
no slb real ip <real_name>
This command is used to delete the L3 IP based real service with the given name. If the real service is a member of any groups, it is removed from those groups.
show slb real ip [real_name]
This command is used to display all the defined L3 real services or the specified real service.
clear slb real ip
This command is used to remove all the defined L3 real services.
no slb real l2ip <real_name>
This command is used to delete the L2 IP based real service with the given name. If the real service is a member of any groups, it is removed from those groups.
no slb real l2mac <real_name>
This command is used to delete the L2 MAC based real service with the given name. If the real service is a member of any groups, it is removed from those groups.
show slb real {l2ip|l2mac} [real_name]
This command displays all the defined L2 real services or the specified real service.
clear slb real {l2ip|l2mac}
This command removes all the defined L2 real services.
slb real enable <real_name>
This command is used to activate a real service, so that traffic can be directed to it. This is the default state of a real service.
slb real activation <real_name> <recovery_time> [warm-up_time]
This command is used to set the recovery and warm-up time for a real service.
real_name  An alphanumeric string for the real service name. Note: If the assigned name begins with a numeric character, the string must be framed in double quotes.
recovery_time  A period of time in seconds. When a real service’s operational status changes from inactive to active, it is not eligible to receive any client requests for this period of time. Once this time has elapsed, the APV appliance sends client requests to this real service.
warm-up_time  Optional. A period of time in seconds, after a real service has recovered to the active state, during which client requests are sent to the real service slowly, so that the real service can reach its capacity gradually. Only when this time has elapsed can the real service reach its maximum connections. If the value of the parameter is set to 0 (default), the real service reaches its maximum capacity immediately after the recovery time.
The administrator can use the command “show statistics slb real” to check the status of a real service that has just been enabled. As shown in the following example, after the real service named “service” is enabled, its status is first displayed as “UP (softup)”, which means it is in the recovery time. In this period, no connection request is forwarded to this real service.
AN(config)#show statistics slb real service
Real service service 192.168.10.10 80 UP (softup) ACTIVE
Main health check: 192.168.10.10 80 tcp ACTIVE
Max Conn Count: 1000
Current Connection Count: 0
Outstanding Request Count: 0
Total Hits: 0
Total Bytes In: 0
Total Bytes Out: 0
Total Packets In: 0
Total Packets Out: 0
Average Response time: 0.000 ms
no slb real activation <real_name>
This command is used to remove the recovery and warm-up time settings of the specified real service.
show slb real activation <real_name>
This command is used to display the recovery and warm-up time settings of the specified real service.
slb real disable <real_name>
This command is used to disable a real service.
By default, when a real service is disabled or deleted, the APV appliance SLB does not send session requests to the disabled real service. However, for real services using a cookie-based group method or load balancing policy, such as PC (Persistent Cookie), IC (Insert Cookie) or RC (Rewrite Cookie), SLB still sends the existing session requests that match the cookie to the disabled real service to ensure service persistence, while new session requests are sent to other working real services. This function is called “Graceful Shutdown”.
The following gives an example of Graceful Shutdown:
AN(config)#slb real disable service
After disabling the real service named “service”, users can check the status of the real service with the command “show statistics slb real”.
AN(config)#show statistics slb real service
Real service service 10.8.6.42 80 DOWN INACTIVE(waiting)
Main health check: 10.8.6.42 80 tcp DOWN
Max Conn Count: 1000
Current Connection Count: 4572
Outstanding Request Count: 4215
Total Hits: 311
Total Bytes In: 39431
Total Bytes Out: 53466
Total Packets In: 7541
Total Packets Out: 3252
Average Response time: 32.000 ms
As shown in the above output, the status of “service” is displayed as “INACTIVE(waiting)”, which means the real service is still processing connection requests, i.e., it is in the process of Graceful Shutdown. During this process, the session requests that match the cookie are forwarded to this real service, while connection requests from new clients are forwarded to other working real services.
After a while, users can run the command “show statistics slb real” again to check the status of the real service.
AN(config)#show statistics slb real service
Real service service 192.168.10.10 80 DOWN INACTIVE(suspend)
Main health check: 192.168.10.10 80 tcp DOWN
Max Conn Count: 1000
Current Connection Count: 0
Outstanding Request Count: 0
Total Hits: 0
Total Bytes In: 0
Total Bytes Out: 0
Total Packets In: 0
Total Packets Out: 0
Average Response time: 0.000 ms
As shown in the above output, the status of “service” is now displayed as “INACTIVE(suspend)”, which means it has been shut down completely.
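The dispatch model below is an added example, not code from the handbook or from Array Networks; it ties together the activation states of “slb real activation” (recovery time, warm-up time) and the Graceful Shutdown behaviour of “slb real disable” described above. The status strings are the ones the “show statistics slb real” output shows: “UP (softup)” during the recovery time, “UP ACTIVE” afterwards, “INACTIVE(waiting)” while a disabled service still holds connections, and “INACTIVE(suspend)” once it has drained. Two points are assumptions, since the handbook does not state them: the warm-up ramp is linear, and new sessions are handed to the first eligible service (the real SLB algorithms are not modelled). `RealService` and `pick_real` are constructed names.

```python
"""Real-service activation and Graceful Shutdown dispatch model
(added example, not ArrayOS code)."""
from dataclasses import dataclass


@dataclass
class RealService:
    name: str
    max_conn: int = 1000            # "max_conn", default 1000
    recovery_time: float = 0.0      # seconds, from "slb real activation"
    warmup_time: float = 0.0        # seconds, optional warm-up (0 = none)
    enabled: bool = True            # "slb real enable" / "slb real disable"
    enabled_at: float = 0.0         # time the service last became active
    current_conn: int = 0           # open connections on the service

    def status(self, now):
        """Status string as printed by "show statistics slb real"."""
        if not self.enabled:
            return "INACTIVE(waiting)" if self.current_conn else "INACTIVE(suspend)"
        if now - self.enabled_at < self.recovery_time:
            return "UP (softup)"    # recovering: receives no client requests
        return "UP ACTIVE"

    def capacity(self, now):
        """Connections the service may hold at `now` (assumed linear ramp)."""
        if self.status(now) != "UP ACTIVE":
            return 0
        ramp_elapsed = now - self.enabled_at - self.recovery_time
        if self.warmup_time <= 0 or ramp_elapsed >= self.warmup_time:
            return self.max_conn
        return max(1, int(self.max_conn * ramp_elapsed / self.warmup_time))


def pick_real(group, now, cookie=None):
    """Select the real service for one request.

    `cookie` is the real service name carried by a PC/IC/RC cookie, or None
    for a new session. A cookie-bound session is still sent to a disabled
    service that is draining (Graceful Shutdown); new sessions go only to a
    "UP ACTIVE" service with spare capacity.
    """
    if cookie is not None:
        for rs in group:
            if rs.name == cookie and rs.status(now) in ("UP ACTIVE", "INACTIVE(waiting)"):
                return rs
    for rs in group:                # assumption: first-fit choice among active services
        if rs.status(now) == "UP ACTIVE" and rs.current_conn < rs.capacity(now):
            return rs
    return None
```

The operational point the model makes visible: a freshly enabled service takes nothing until its recovery time has passed, and a disabled service keeps receiving only the sessions already pinned to it by cookie, so an administrator watching “Current Connection Count” fall to zero knows when the service has reached “INACTIVE(suspend)”.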
health interval <br />
This command is used to set the interval time between health checks and health check<br />
timeout time.<br />
interval Specify the health check interval as measured in seconds,<br />
which ranges from 1 to 100000.<br />
server_timeout Optional, which specifies how long for health check to wait<br />
for the real server/service to reply the health check request.<br />
It ranges from 1 to 100000 and defaults to 5.<br />
health request <br />
This command is used to add the specified “request_string” at the specified index in the<br />
Health Check Request Table. The string may be any valid character string up to 510<br />
characters in length. Remember that any string with blank spaces in it requires that string<br />
to be framed with double quotation marks. The value <strong>of</strong> the index must be within 0 to 999.<br />
To overwrite an existing request string, just enter a new command. To remove an entry,<br />
the “no health request” command should be used.<br />
no health request <br />
This command is used to return the health request at the specified index in the Health<br />
Check Request Table to the default request, which is “HEAD / HTTP/1.0\r\n\r\n”.<br />
41
show health request [request_index]<br />
©2011 Array Networks, Inc.<br />
All Rights Reserved.<br />
Chapter 5 Server Load Balancing<br />
This command is used to display the Health Request Table. The value <strong>of</strong> the request<br />
index must be within 0 to 1000.<br />
clear health request<br />
This command is used to revert all the health requests in the Health Request Table to the<br />
default request, which is “HEAD / HTTP/1.0\r\n\r\n”.<br />
health response <br />
This command is used to add the specified “response_string” at the specified index in the<br />
Health Check Response Table. The string may be any valid character string up to 510<br />
characters in length. Remember that any string with blank spaces in it requires that string<br />
to be framed with double quotation marks. The value <strong>of</strong> the index must be within 0 to 999.<br />
The response string should be the response that is to be expected from the request set by<br />
the “health server” command.<br />
Example:<br />
AN(config)#health response 5 “200 OK”<br />
The string “200 OK” has been placed in the Response Table, row five.<br />
no health response <br />
This command is used to return the health response at the specified index in the Health<br />
Check Response Table to the default response, which is “200 OK”.<br />
show health response [response_index]<br />
This command is used to display the Health Response Table. The value <strong>of</strong> the response<br />
index must be within 0 to 1000.<br />
clear health response<br />
This command is used to revert all the health responses in the Health Response Table to<br />
the default response, which is “200 OK”.<br />
health server {real_name|add_hc_name} <br />
This command is used to associate a real server with specific indices (request_index and<br />
response_index) in the Request Response Table. The HTTP health check for this real<br />
server will pick the request and response at these indices in the Request Response Table.<br />
The command only takes effect on a real service or additional health check whose health<br />
check type is http or https. Otherwise, this configuration will not work.<br />
real_name|add_hc_name The real server name. The maximum length of the name is<br />
40 characters.<br />
request_index A specific request line index in the Request Response<br />
Table.<br />
response_index A specific response line index in the Request Response<br />
Table.<br />
no health server {real_name|add_hc_name}<br />
This command is used to revert the request and response to the defaults for the specified<br />
health server, including additional health check servers.<br />
show health server [server_name]<br />
This command is used to show all ACTIVE real servers’ health status. The<br />
“server_name” parameter is optional. If a server name is given, the specified real server’s<br />
health status is shown. If a real service is deactivated via the command “slb real disable”,<br />
its health status will not be displayed by this command.<br />
Example:<br />
AN(config)#show health server<br />
----------------------------------- Server Status --------------------------<br />
real server name status<br />
r1 UP<br />
r2 UP<br />
r3 DOWN<br />
----------------------------------- Health Check ---------------------------<br />
real server name ip :port status hct rqr rpr checklist<br />
----------------------------------------------------------------------------<br />
r1 172.16.63.201 :80 UP tcp<br />
r2 172.16.63.200 :80 UP tcp<br />
r3 172.163.25.1 :80 DOWN tcp<br />
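The “show health server” output above is what an operator watches to spot backends that health checking has taken out of rotation. The following parser, an added example that is not part of the handbook or of ArrayOS, reads the Health Check table from that exact sample output (embedded verbatim as constructed input) and lists the real servers that are not UP; column names and the “:port” formatting are taken from the sample, and the HealthEntry field names are my own.<br />

```python
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the "show health server" output shown in this section,
# copied verbatim so the parser can be exercised offline.
SAMPLE_OUTPUT = """\
----------------------------------- Server Status --------------------------
real server name status
r1 UP
r2 UP
r3 DOWN
----------------------------------- Health Check ---------------------------
real server name ip :port status hct rqr rpr checklist
----------------------------------------------------------------------------
r1 172.16.63.201 :80 UP tcp
r2 172.16.63.200 :80 UP tcp
r3 172.163.25.1 :80 DOWN tcp
"""


@dataclass
class HealthEntry:
    """One row of the Health Check table (field names are this example's own)."""
    name: str
    ip: str
    port: int
    status: str
    hc_type: str                                    # the "hct" column
    extra: List[str] = field(default_factory=list)  # rqr / rpr / checklist, when printed


def parse_health_check_table(output: str) -> List[HealthEntry]:
    """Extract the rows of the Health Check table from 'show health server' output.

    Rows are split on whitespace; the port column is printed as ':80', so the
    leading colon is stripped before converting it to an int.
    """
    entries: List[HealthEntry] = []
    in_table = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-") and "Health Check" in line:
            in_table = True            # everything after this banner is the table
            continue
        if not in_table or line.startswith("-") or line.startswith("real server name"):
            continue                   # skip the Server Status block, rules and the header row
        tokens = line.split()
        if len(tokens) < 5:
            raise ValueError(f"unexpected health check row: {line!r}")
        name, ip, port, status, hc_type = tokens[:5]
        entries.append(HealthEntry(name, ip, int(port.lstrip(":")),
                                   status.upper(), hc_type, tokens[5:]))
    return entries


def down_servers(entries: List[HealthEntry]) -> List[str]:
    """Names of real servers whose health check status is anything other than UP."""
    return [e.name for e in entries if e.status != "UP"]


if __name__ == "__main__":
    rows = parse_health_check_table(SAMPLE_OUTPUT)
    for row in rows:
        print(f"{row.name:<4} {row.ip}:{row.port} {row.status} ({row.hc_type})")
    print("DOWN:", down_servers(rows))
```

Because the command hides real services that were deactivated with “slb real disable”, a server missing from this table is not necessarily healthy; compare the parsed names against the configured real services before treating an empty DOWN list as all clear.<br />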
clear health server<br />
This command is used to revert the request and response to the default for all health<br />
servers.<br />
health import request <br />
This command is used to import a health request file from a remote URL.<br />
index The index for the newly imported request file.<br />
url The URL which the file should be imported from.<br />
health import response <br />
This command is used to import a health response file from a remote URL.<br />
index The index for the newly imported response file.<br />
url The URL which the file should be imported from.<br />
health load request <br />
This command is used to load an imported health request file into memory.<br />
index The index for the request file to be loaded.<br />
health load response <br />
This command is used to load an imported health response file into memory.<br />
index The index for the response file to be loaded.<br />
show health import request [output_mode]<br />
This command is used to display the imported request file with a specified index.<br />
output_mode Optional. It can be “binary” or “text”, and defaults to<br />
“binary”.<br />
show health import response [output_mode]<br />
This command is used to display the imported response file with a specified index.<br />
output_mode Optional. It can be “binary” or “text”, and defaults to<br />
“binary”.<br />
no health import request <br />
This command is used to delete the imported request file with a specified index.<br />
no health import response <br />
This command is used to delete the imported response file with a specified index.<br />
clear health import request<br />
This command is used to remove all the imported request files.<br />
clear health import response<br />
This command is used to remove all the imported response files.<br />
slb real activation [warm-up_time]<br />
This command is used to set the recovery and warm-up time for a real service.<br />
real_name An alpha-numeric string for the real service name. Note: If<br />
the assigned name begins with a numeric character, then<br />
the string needs to be framed in double quotes.<br />
recovery_time A period of time in seconds. When a real service’s<br />
operational status is changed from inactive to active, it is<br />
not eligible to receive any client requests for this period of<br />
time. Once this time is reached, the APV appliance will<br />
send client requests to this real service.<br />
warm-up_time Optional. A period of time in seconds, after a real service is<br />
recovered to be active, during which the client requests are<br />
slowly sent to the real service, so that the real service can<br />
reach its capacity gradually. Once the time is reached, the<br />
real service’s capacity can reach its maximum connections.<br />
If the value of the parameter is set to 0 (default), the real<br />
service will reach its maximum capacity immediately after<br />
the recovery time.<br />
no slb real activation <br />
This command is used to remove the recovery and warm-up time of the specified real<br />
service.<br />
show slb real activation <br />
This command is used to display the recovery and warm-up time of the specified real<br />
service.<br />
Adding HC Checker and HC Checker List<br />
health {on|off}<br />
This command allows users to turn the health check function on or off. It defaults to on.<br />
Note: With the health check function disabled, to execute the command “health on”<br />
will reset the health check early warning counter.<br />
health checker [timeout] [flag]<br />
This command allows users to create a health checker.<br />
checker_name The assigned name of the checker. The limited length of<br />
the name is 20 characters. If the name begins with a<br />
number, the name should be quoted.<br />
request_index The index to request table element, which contains the<br />
message to be sent; the range is from 0 to 999.<br />
response_index The index to response table element, which contains<br />
expected response pattern; the range is 0-999.<br />
timeout The timeout interval of this HC checker. The default value<br />
is 3 seconds.<br />
flag Success/fail flag, binary/ASCII flag. Its value can be 0, 1, 2<br />
or 3. The default setting is 1.<br />
0 means that when the response contains a string that matches<br />
the predefined string from the command "health response",<br />
HC will mark the server as DOWN. Both request and<br />
response strings should be input in ASCII.<br />
1 means that when the response matches the expected response<br />
pattern, HC succeeds; the request and response should be<br />
input in ASCII.<br />
2 means that when the response contains a string that matches<br />
the predefined string from the command "health response",<br />
HC will mark the server as DOWN. Both request and<br />
response strings should be input in HEX.<br />
3 means that when the response matches the expected response<br />
pattern, HC succeeds; the request and response should be<br />
input in HEX.<br />
no health checker <br />
This command allows users to remove the specified health checker.<br />
checker_name The assigned name of the health checker. The limited<br />
length of the checker name is 20 characters. If the name<br />
begins with a number, the name should be quoted.<br />
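The “flag” parameter of “health checker” is easy to get backwards: values 0 and 2 turn a match into a DOWN verdict, while 1 and 3 turn it into UP, and 2 and 3 additionally expect the table strings in HEX. The following model is an added example, not ArrayOS code; it applies those four cases to constructed HTTP responses using a “contains” match, as the descriptions above state, and uses the default table entries “HEAD / HTTP/1.0\r\n\r\n” and “200 OK” from this chapter. The function names are my own.<br />

```python
# Flag semantics of the "health checker" command.
# Bit 0: does a match mean UP (1) or DOWN (0)?   Bit 1: table strings are HEX (set) or ASCII.
MATCH_MEANS_UP = {0: False, 1: True, 2: False, 3: True}
TABLE_STRINGS_ARE_HEX = {0: False, 1: False, 2: True, 3: True}

DEFAULT_REQUEST = "HEAD / HTTP/1.0\r\n\r\n"   # default entry of the Health Request Table
DEFAULT_RESPONSE = "200 OK"                   # default entry of the Health Response Table


def table_string_to_bytes(value: str, flag: int) -> bytes:
    """Convert a request/response table string to the raw bytes the checker compares."""
    if flag not in MATCH_MEANS_UP:
        raise ValueError("flag must be 0, 1, 2 or 3")
    if TABLE_STRINGS_ARE_HEX[flag]:
        return bytes.fromhex(value)    # ValueError on non-hex characters or odd length
    return value.encode("ascii")


def evaluate_response(flag: int, expected: str, response: bytes) -> str:
    """Verdict ("UP" or "DOWN") for one probe, given the flag, the response table
    string and the bytes received from the real server."""
    pattern = table_string_to_bytes(expected, flag)
    matched = pattern in response      # a "contains" match, not whole-response equality
    return "UP" if matched == MATCH_MEANS_UP[flag] else "DOWN"


# Constructed sample responses (not captured from a real server).
HEALTHY = b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n"
FAILING = b"HTTP/1.0 503 Service Unavailable\r\n\r\n"


def demo() -> dict:
    """Verdicts for each flag against the two constructed responses."""
    return {
        "flag1 default response, healthy": evaluate_response(1, DEFAULT_RESPONSE, HEALTHY),
        "flag1 default response, failing": evaluate_response(1, DEFAULT_RESPONSE, FAILING),
        "flag0 '503' means DOWN, failing": evaluate_response(0, "503", FAILING),
        "flag0 '503' means DOWN, healthy": evaluate_response(0, "503", HEALTHY),
        "flag3 hex '200 OK', healthy": evaluate_response(3, "323030204f4b", HEALTHY),
        "flag2 hex '503' means DOWN, failing": evaluate_response(2, "353033", FAILING),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:<40} {verdict}")
```

Because the comparison is a substring match, a response string such as “200 OK” is satisfied by any response that carries those bytes anywhere, including an error page whose body happens to quote them; the more specific the response string (for example the full status line), the less likely a sick backend is reported UP.<br />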
show health checker [checker_name]<br />
This command is used to display the specified HC checker. If no HC checker name is<br />
given, display all the HC checkers.<br />
clear health checker<br />
This command is used to remove all the configured HC checkers.<br />
slb real health <br />
[http|https|tcp|icmp|dns|ldap|script-tcp|script-udp|script-tcps|radius-auth|radius-acct|sip-tcp|sip-udp|rtsp-tcp] [hc_up] [hc_down]<br />
This command is used to define an additional health check for an existing real server.<br />
add_hc_name The name of the additional health check.<br />
real_name An alphanumeric string for the real service name. If the<br />
assigned name begins with a numeric character, then the<br />
string needs to be framed in double quotes.<br />
ip The IP address for the additional health check.<br />
port The port number for the additional health check. For L2<br />
SLB health check or “icmp” health check type, the port<br />
number must be set to 0.<br />
http|tcp|icmp|tcps|dns|ldap|script-tcp|script-udp|radius-auth|radius-acct|sip-tcp|sip-udp|rtsp-tcp|https|script-tcps<br />
The type of additional health check. The default value is<br />
tcp.<br />
The ldap additional health check can only be configured<br />
for TCP real services.<br />
hc_up The number of health checks to be performed with a<br />
positive result before marking the service as “up”. The<br />
default value is 3.<br />
hc_down The number of health checks to be performed with a<br />
negative result before determining the service as “down”.<br />
The default value is 3.<br />
no slb real health <br />
This command is used to remove specified additional health check configuration.<br />
show slb real health [real_name]<br />
This command is used to display the SLB additional health check configurations about a<br />
specified real service. And if no real service is specified, all SLB additional health check<br />
configurations will be displayed.<br />
clear slb real health [real_name]<br />
This command is used to remove the SLB additional health check configurations about a<br />
specified real service. And if no real service is specified, all SLB additional health check<br />
configurations will be removed.<br />
show health template {ftp|telnet|smtp|ldap|radius-auth|radius-acct|all}<br />
This command is used to display application health check configuration sample<br />
information. If the application protocol is specified, only the sample of that protocol will<br />
be displayed. "all" means displaying all the samples. Currently, the following application<br />
health check types are supported: ftp, telnet, smtp, ldap, radius-auth, and radius-acct.<br />
health list <br />
This command is used to designate a new HC checker list.<br />
list_name The assigned name of a HC checker list. The limited length<br />
of the list name is 20 characters. If the list name begins<br />
with a number, a quotation mark should be added.<br />
no health list <br />
This command allows users to delete the specified HC checker list.<br />
list_name The assigned name of a HC checker list. The limited length<br />
of the list name is 20 characters. If the list name begins<br />
with a number, a quotation mark should be added.<br />
clear health list<br />
This command is used to remove all the configured HC checker lists.<br />
health member [place_index]<br />
This command is used to add a checker to an HC checker list. The maximum number of<br />
members in a list is 10. If the “place_index” is unspecified, the HC checker will be added to<br />
the last entry of the HC checker list; if the “place_index” is larger than the number of the<br />
checkers in a checker list, the HC checker will also be added to the last entry of the HC<br />
checker list; otherwise, the HC checker will be added at the specified place of the HC<br />
checker list.<br />
list_name The assigned name of a HC checker list. The limited length<br />
of the list name is 20 characters. If the list name begins<br />
with a number, a quotation mark should be added.<br />
checker_name The assigned name of the checker. The limited length of<br />
the checker name is 20 characters. If the name begins with<br />
a number, the name should be quoted.<br />
place_index Optional, the specified place of the checker list. The default<br />
setting is 0. The range is from 0 to 10. If not specified, the<br />
new checker will be added to the last entry of the HC<br />
checker list. To view the sequence of the HC checker list,<br />
use the command “show health list”. Note: the value of<br />
the “place_index” parameter will not be stored in the<br />
configuration.<br />
no health member <br />
This command is used to remove the specified HC checker from the specified HC<br />
checker list of AppHC. When the HC checker is removed, the HC checkers behind it will<br />
move forward a place automatically.<br />
clear health member <br />
This command is used to delete all the HC checkers in the specified HC checker list.<br />
show health list [list_name]<br />
This command is used to display the specified check list and all the HC checkers in this<br />
checker list. If no HC checker list name is given, display all the checker lists and all the<br />
HC checkers in all the checker lists.<br />
health app {real_name|add_hc_name} [frequency] [hc_localip]<br />
[hc_localport]<br />
This command allows users to attach a health check to the specified HC checker list. If<br />
one health check (which is configured by using the “slb real” command) is a nonempty<br />
HC checker list, it will do health check according to the HC checker in the checker list;<br />
otherwise it will do health check according to the request and response configured by the<br />
“health server” command or the default request and response. The command only<br />
applies to the real service or additional health check with script health check such as<br />
script-tcp, script-udp and script-tcps. Otherwise, this configuration will not work.<br />
real_name|add_hc_name The name of the real server or the additional health<br />
checker, less than 40 characters.<br />
list_name The assigned name of a HC checker list. The limited length<br />
of the list name is 40 characters.<br />
frequency Optional, which specifies the HC frequency of the health<br />
check. The default value of the frequency is 2, in seconds.<br />
hc_localip & hc_localport Optional. The local IP and port which are used when doing<br />
health check. If “hc_localip” and/or “hc_localport” are not<br />
given, the system will determine the local IP and port.<br />
no health app {real_name|add_hc_name} <br />
This command allows users to delete the association between the specified health checker<br />
list and health check.<br />
show health app [real_name|add_hc_name]<br />
This command is used to display the specified health check information.<br />
clear health app<br />
This command is used to delete all the associations between health checker list and health<br />
check.<br />
health radius auth {real_name|add_hc_name} <br />
[resp_code] [attr_list]<br />
This command is used to configure authentication health check for the Radius server.<br />
The Array APV appliance sends authentication request packets to the Radius server; if the<br />
Radius server returns the expected authentication response through the Radius protocol<br />
handshake, the Radius server is working well, otherwise it is out of work. The command<br />
only applies to the real service or additional health check with the type of radius-auth<br />
health check. Otherwise, this configuration will not work.<br />
real_name|add_hc_name The name of the real server or the additional health<br />
checker, less than 40 characters.<br />
secret_string The shared secret used as the key to encrypt the password. It<br />
should be obtained from the real server beforehand.<br />
resp_code Optional. Set the expected response code returned by the<br />
Radius server, which can be used to determine the health<br />
status of the Radius server. It can be set to 2 or 3. The<br />
default value is 2.<br />
2: Radius Access-Accept. When you set the value of<br />
“resp_code” to 2 and the username and password you<br />
provide are both correct, if the response code returned by<br />
the Radius server is 2, then the Radius server is marked as<br />
UP; else it is marked as DOWN.<br />
3: Radius Access-Reject. When you set the value of<br />
“resp_code” to 3 and the password is wrong, if the<br />
response code returned by Radius server is 3, then the<br />
Radius server is marked as UP; else it is marked as<br />
DOWN.<br />
attr_list Optional. By now, only two attributes “NAS-IP-Address”<br />
and “NAS-Port” are supported. You can configure the<br />
attribute list string by following this format:<br />
“attribute-name1=attribute-value1,attribute-name2=attribute-value2”<br />
In this string, blank character is not allowed, and each<br />
value length must be less than 32 characters. The key/value<br />
pairs must be separated by the character ‘,’.<br />
For example:<br />
“NAS-IP-Address=192.168.1.2,NAS-Port=2012”.<br />
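The “attr_list” format has several rules that are easy to violate at the prompt (no blank characters, only two supported attribute names, values shorter than 32 characters, pairs separated by “,”). The following validator is an added example and not part of ArrayOS; it enforces exactly those rules on the page’s own sample string and, as an extra check that the page does not state, also requires NAS-IP-Address to be a dotted-quad IPv4 address and NAS-Port to be an integer, which are the RADIUS types of those two attributes. Function names are my own.<br />

```python
import ipaddress
from typing import Dict, Union

SUPPORTED_ATTRIBUTES = ("NAS-IP-Address", "NAS-Port")   # the only two names supported
MAX_VALUE_LENGTH = 32          # "each value length must be less than 32 characters"


def parse_attr_list(attr_list: str) -> Dict[str, Union[str, int]]:
    """Validate an attr_list string and return its attributes as a dict.

    Rules from the command reference: comma-separated name=value pairs, no
    blank characters, values shorter than 32 characters, only the two supported
    names.  Value typing (IPv4 for NAS-IP-Address, integer for NAS-Port) is an
    added sanity check based on the RADIUS attribute types.
    """
    if not attr_list:
        raise ValueError("attr_list is empty")
    if any(ch.isspace() for ch in attr_list):
        raise ValueError("blank characters are not allowed in attr_list")
    parsed: Dict[str, Union[str, int]] = {}
    for pair in attr_list.split(","):
        name, sep, value = pair.partition("=")
        if not sep or not name or not value:
            raise ValueError(f"malformed pair {pair!r}: expected attribute-name=attribute-value")
        if name not in SUPPORTED_ATTRIBUTES:
            raise ValueError(f"unsupported attribute {name!r}; only {SUPPORTED_ATTRIBUTES} are allowed")
        if len(value) >= MAX_VALUE_LENGTH:
            raise ValueError(f"value for {name} must be shorter than {MAX_VALUE_LENGTH} characters")
        if name in parsed:
            raise ValueError(f"attribute {name} given more than once")
        if name == "NAS-IP-Address":
            # AddressValueError is a ValueError, so a malformed address is rejected too.
            parsed[name] = str(ipaddress.IPv4Address(value))
        else:
            port = int(value)                       # ValueError if not an integer
            if not 0 <= port <= 0xFFFFFFFF:
                raise ValueError("NAS-Port must fit in 32 bits")
            parsed[name] = port
    return parsed


def is_valid_attr_list(attr_list: str) -> bool:
    """True if parse_attr_list accepts the string."""
    try:
        parse_attr_list(attr_list)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_attr_list("NAS-IP-Address=192.168.1.2,NAS-Port=2012"))
    print(is_valid_attr_list("NAS-IP-Address=192.168.1.2, NAS-Port=2012"))  # blank -> False
```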
no health radius auth {real_name|add_hc_name}<br />
This command is used to remove the specified Radius authentication health check<br />
configuration.<br />
clear health radius auth<br />
This command is used to remove all the Radius authentication health check<br />
configurations.<br />
show health radius auth [real_name|add_hc_name]<br />
This command is used to show the Radius authentication health check configurations. If<br />
no real service name or additional health check name is specified, all Radius<br />
authentication health check configurations will be displayed.<br />
health radius acct {real_name|add_hc_name} [resp_code]<br />
This command is used to configure Radius accounting health check for the Radius server.<br />
The command only applies to the real service or additional health check with the type of<br />
radius-acct health check. Otherwise, this configuration will not work.<br />
real_name|add_hc_name The real server name. The maximum length of the name is<br />
40 characters.<br />
secret_string The shared secret used as the key to encrypt the password. It<br />
should be obtained from the real server beforehand.<br />
resp_code Optional. Set the expected response code returned by the<br />
Radius server, which can be used to determine the health<br />
status of the Radius server. Its default value is 5.<br />
5: Radius Accounting-Response. When you set the value of<br />
“resp_code” to 5, if the response code returned by Radius<br />
server is 5, then the Radius server is marked as UP; else it<br />
is marked as DOWN.<br />
no health radius acct {real_name|add_hc_name}<br />
This command is used to remove the specified Radius accounting health check<br />
configuration.<br />
clear health radius acct<br />
This command is used to remove all Radius accounting health check configurations.<br />
show health radius acct [real_name|add_hc_name]<br />
This command is used to show the Radius accounting health check configurations. If no<br />
real service name or additional health check name is specified, all Radius accounting<br />
health check configurations will be displayed.<br />
clear health radius all<br />
This command is used to remove all the Radius accounting and authentication health<br />
check configurations.<br />
health ldap {real_name|add_hc_name} [bind_dn] [password] [search_dn]<br />
[filter_keyword]<br />
This command is used to add an LDAP health check configuration to a specified real<br />
server. The LDAP additional health check is only supported for TCP real services.<br />
Besides, the command only applies to the real service or additional health check with the<br />
type of ldap health check. Otherwise, this configuration will not work.<br />
real_name|add_hc_name The name of the real server or the additional health<br />
checker, no more than 40 characters.<br />
bind_dn The LDAP DN (Distinguished Name) to perform binding<br />
operation, no more than 255 characters.<br />
password The password of the specified DN, no more than 255<br />
characters.<br />
search_dn The DN to perform search operation, no more than 255<br />
characters.<br />
filter_keyword The filter keyword to search, no more than 255<br />
characters. With the filter keyword configured, the LDAP<br />
server will return the result set matching the filter. If null,<br />
all the results matching “search_dn” will be returned. It is<br />
recommended to specify the parameter “search_dn” more<br />
accurately to reduce related network traffic.<br />
no health ldap {real_name|add_hc_name}<br />
This command is used to remove a specified LDAP health check configuration.<br />
real_name|add_hc_name The name of the real server or the additional health<br />
checker.<br />
clear health ldap<br />
This command is used to clear all the LDAP health check configurations.<br />
show health ldap [real_name|add_hc_name]<br />
This command is used to display LDAP health check configurations. If no real service<br />
name or additional check name is specified, all existing LDAP configurations will be<br />
displayed.<br />
real_name|add_hc_name The name of the real server or the additional health<br />
checker.<br />
health relation <br />
This command is used to set the relationship (and/or) among different health check<br />
configurations. When the relationship is AND, if any one of the health checks (including<br />
both original and additional health check configurations) fails, the real service is down.<br />
When the relationship is OR, the real service will be down if, and only if, all the health<br />
checks fail. For a new real service, the default health check relationship is AND.<br />
real_name The real service’s name, string type.<br />
relationship The relationship among different health check<br />
configurations, either AND or OR.<br />
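Two pieces of this chapter decide whether a real service receives traffic: the “hc_up”/“hc_down” counts of “slb real health” debounce each individual check, and “health relation” combines the original and additional checks with AND or OR. The following model is an added example, not ArrayOS code, that serves both passages: it replays constructed probe results through a check with the defaults hc_up=3 and hc_down=3, then combines several checks under either relationship. It assumes a new check starts DOWN until hc_up successes have been seen and that the counts are consecutive (one result of the opposite kind resets the streak); the handbook states the defaults but not those two details. Class and function names are my own.<br />

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class HealthCheckState:
    """One health check (a real service's own or an additional one) with hc_up/hc_down debouncing."""
    name: str
    hc_up: int = 3            # consecutive successes needed before "UP"   (page default: 3)
    hc_down: int = 3          # consecutive failures needed before "DOWN"  (page default: 3)
    status: str = "DOWN"      # assumption: a new check is DOWN until hc_up successes are seen
    ok_streak: int = 0
    fail_streak: int = 0

    def record(self, success: bool) -> str:
        """Feed one probe result and return the status after it."""
        if success:
            self.ok_streak += 1
            self.fail_streak = 0      # assumption: streaks are consecutive; a success resets failures
            if self.status == "DOWN" and self.ok_streak >= self.hc_up:
                self.status = "UP"
        else:
            self.fail_streak += 1
            self.ok_streak = 0        # ... and a failure resets successes
            if self.status == "UP" and self.fail_streak >= self.hc_down:
                self.status = "DOWN"
        return self.status


def replay(check: HealthCheckState, results: Iterable[bool]) -> List[str]:
    """Status after each probe in the sequence."""
    return [check.record(r) for r in results]


def real_service_status(checks: List[HealthCheckState], relationship: str) -> str:
    """Combine the original and additional checks as 'health relation' describes.

    AND: any failed check takes the real service DOWN.
    OR:  the real service is DOWN only if every check has failed.
    """
    rel = relationship.upper()
    if rel not in ("AND", "OR"):
        raise ValueError("relationship must be AND or OR")
    if not checks:
        raise ValueError("a real service needs at least one health check")
    failed = [c.status == "DOWN" for c in checks]
    if rel == "AND":
        return "DOWN" if any(failed) else "UP"
    return "DOWN" if all(failed) else "UP"


if __name__ == "__main__":
    # Constructed probe results: three good probes, then three bad ones.
    print(replay(HealthCheckState("r1"), [True, True, True, False, False, False]))
    original = HealthCheckState("r1", status="UP")
    extra = HealthCheckState("hc_ldap")            # additional check, still DOWN
    print("AND:", real_service_status([original, extra], "AND"),
          "OR:", real_service_status([original, extra], "OR"))
```

The default relationship for a new real service is AND, so adding an additional check (for example an LDAP bind) to a real service that currently passes its original check can immediately take the service out of rotation until the new check has passed hc_up times; the replay above shows the three-probe delay on the way up and the three-probe delay on the way down.<br />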
show health relation <br />
This command is used to display the health check relationship of a real service.<br />
health failover {enable|disable}<br />
This command is used to turn on/off the automatic failover when all backend real servers<br />
are down. When the setting is enabled, the master cluster will fail over to the backup<br />
cluster when all real servers are down. If all real servers configured in an APV appliance<br />
are marked DOWN by Health Check, the Clustering function will be disabled in this APV<br />
appliance and other APV appliances will take over the traffic. As long as at least one real<br />
server configured in an APV appliance is marked UP by Health Check, the Clustering<br />
function will be enabled in this APV appliance again and the APV appliance will take<br />
over the traffic again if its mode is preemptive.<br />
health failover retries <br />
This command is used to set the number of retries before failover. The default number of<br />
retries is 3.<br />
health earlywarning <br />
This command is used to enable the health early warning feature on the APV appliance<br />
by setting a global threshold for the response time of all real servers. If the response time<br />
of a real server exceeds the threshold, it means the real server is very slow, and it might<br />
be in abnormal status.<br />
With the feature enabled, the APV appliance will detect the event that real servers’<br />
response time exceeds the threshold, and set a counter to record the times that the event<br />
occurs. Based on these records, the APV appliance will create “Warning” logs to notify<br />
the administrators of the real server’s abnormal status.<br />
By default, this feature is off. For the real servers without health check configured, this<br />
feature is not available.<br />
threshold Set the response time threshold, in milliseconds. It ranges<br />
from 0 to 60000. 0 means this feature will be disabled.<br />
Note:<br />
1. Only when the recorded number of consecutive times that a real server’s response<br />
time exceeds the threshold is a power of 2 (1, 2, 4, 8...) will the APV appliance record<br />
“Warning” logs. Once the response time returns to the normal level, i.e. not<br />
exceeding the threshold, related old records will be cleared. The counter will begin<br />
to collect new records.<br />
2. At most 1024 records are allowed on the counter. If the number <strong>of</strong> records exceeds<br />
1024, the counter will be reset to 0 and start to recount.<br />
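The two notes above define a small counter: a warning is logged on the 1st, 2nd, 4th, 8th... consecutive slow response, the counter clears as soon as a response is within the threshold, and it restarts after 1024 records. The following model is an added example and not ArrayOS code; it replays constructed response times (in milliseconds) through such a counter and reports which observations would produce a “Warning” log. It assumes “exceeds” means strictly greater than the threshold and that the observation which overflows the 1024-record limit is itself not logged; the page does not settle either point. Names are my own.<br />

```python
from typing import Iterable, List

MAX_RECORDS = 1024             # the counter holds at most 1024 records
MAX_THRESHOLD_MS = 60000       # threshold range is 0..60000 ms; 0 disables the feature


def is_power_of_two(n: int) -> bool:
    return n > 0 and (n & (n - 1)) == 0


class EarlyWarningCounter:
    """Models the per-real-server early warning counter described in the notes above."""

    def __init__(self, threshold_ms: int) -> None:
        if not 0 <= threshold_ms <= MAX_THRESHOLD_MS:
            raise ValueError(f"threshold must be within 0 to {MAX_THRESHOLD_MS}")
        self.threshold_ms = threshold_ms
        self.records = 0            # consecutive over-threshold responses seen so far

    @property
    def enabled(self) -> bool:
        return self.threshold_ms > 0

    def observe(self, response_time_ms: int) -> bool:
        """Feed one health check response time; True if a "Warning" log is written."""
        if not self.enabled:
            return False
        if response_time_ms <= self.threshold_ms:
            self.records = 0        # back to normal: the old records are cleared
            return False
        self.records += 1
        if self.records > MAX_RECORDS:
            self.records = 0        # overflow: reset to 0 and start recounting (assumption:
            return False            # the overflowing observation itself is not logged)
        return is_power_of_two(self.records)


def warning_indices(threshold_ms: int, response_times_ms: Iterable[int]) -> List[int]:
    """Indices of the observations that would produce a "Warning" log."""
    counter = EarlyWarningCounter(threshold_ms)
    return [i for i, rt in enumerate(response_times_ms) if counter.observe(rt)]


if __name__ == "__main__":
    # Constructed sample: a backend that is slow for ten probes in a row with a 500 ms threshold.
    print(warning_indices(500, [600] * 10))              # [0, 1, 3, 7]
    # One fast probe in the middle clears the records and the doubling restarts.
    print(warning_indices(500, [600, 600, 300, 600, 600]))  # [0, 1, 3, 4]
```

The doubling schedule keeps a persistently slow backend from flooding the log (11 warnings over 1024 consecutive slow probes), but it also means a backend that alternates fast and slow logs a warning on every slow probe, since each fast response clears the counter; when reviewing logs, a burst of first-occurrence warnings for one server usually indicates that pattern rather than a single long outage.<br />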
clear health earlywarning<br />
This command is used to reset the early warning threshold, and reset the early warning<br />
counter.<br />
show health earlywarning<br />
This command is used to display the configuration about early warning threshold.<br />
Note: With the health check function disabled, to execute the command “health on”<br />
will reset the early warning counter.<br />
Adding Virtual Services<br />
slb virtual http [vport] [arp|noarp] [max_conn]<br />
slb virtual https [vport] [arp|noarp] [max_conn]<br />
slb virtual tcp [arp|noarp] [max_conn]<br />
slb virtual tcps [arp|noarp] [max_conn]<br />
slb virtual ftp [vport] [max_conn]<br />
slb virtual ftps [vport] [max_conn]<br />
slb virtual udp [arp|noarp] [max_conn]<br />
slb virtual dns [vport] [arp|noarp] [max_conn]<br />
slb virtual sipudp [vport] [arp|noarp] [max_conn]<br />
slb virtual siptcp [vport] [arp|noarp] [max_conn]<br />
slb virtual rtsp [vport] [mode] [arp|noarp] [max_conn]<br />
slb virtual rdp [vport] [arp|noarp] [max_conn]<br />
These commands allow users to create virtual services for load balancing operations and<br />
protocols. For bond or VLAN interfaces, only a virtual service whose IP address<br />
belongs to their subnet is allowed to be created.<br />
virtual_name An assigned name, in the form of a character string, to the<br />
virtual service. Note: If the assigned name begins with a<br />
numeric character, then the string should be framed in<br />
double quotes.<br />
vip The virtual server IP address, in traditional dotted IP<br />
format. Note: If the VIP is not in the subnet of any<br />
interface, it will be bound with the first interface (port1)<br />
and a warning message will be prompted.<br />
vport The virtual server port. The default port setting is 80 for<br />
HTTP, 443 for HTTPS, 53 for DNS, 21 for FTP, 554 for<br />
RTSP, 5060 for SIP, 3389 for RDP and 990 for FTPS. This<br />
is a required parameter for TCP and UDP. When the port is<br />
0, the virtual service is a virtual service with all-port range<br />
and this port range may be narrowed down by using the<br />
“slb virtual port” command.<br />
mode This parameter is designed for RTSP SLB. It can be<br />
“redirect” or “nat”. It defaults to “redirect”.<br />
arp|noarp If this parameter is provided, a “noarp” SLB virtual service<br />
is defined. A “noarp” SLB virtual service doesn’t have its<br />
virtual IP address added in the network interfaces.<br />
Therefore, the virtual IP addresses of a “noarp” SLB virtual<br />
service can’t be pinged or ARPed. This enables the client to<br />
send packets to the real service’s IP address directly<br />
without knowing any new virtual IP address. In this case,<br />
the APV appliance should be set as the client’s gateway. The<br />
APV appliance will forward the traffic to the real servers<br />
after some kinds of SLB processing, e.g. SSL acceleration.<br />
It defaults to “arp”.<br />
max_conn Set the maximum number of open connections per VIP.<br />
Default is 0.<br />
slb virtual ip <br />
This command allows users to create SLB virtual services for L3 load balancing<br />
operations and protocols. This type of virtual service can support TCP and UDP<br />
protocol at the same time.<br />
slb virtual l2ip [gateway_ip]<br />
This command allows users to create L2 virtual services for load balancing operations.<br />
virtual_name The assigned name, in the form of a character string, to a<br />
virtual service. Note: If the assigned name begins with a<br />
numeric character, then the string needs to be framed in<br />
double quotes.<br />
vip The virtual server’s IP address, in traditional dotted IP<br />
format. Note: If the VIP is not in the subnet of any<br />
interface, it will be bound with the first interface (port1)<br />
and a warning message will be prompted.<br />
gateway_ip The gateway IP address relative to the virtual IP address, in<br />
traditional dotted IP format. 0.0.0.0 is a wildcard. Default is<br />
0.0.0.0.<br />
no slb virtual {http|tcp|https|tcps|ftp|ftps|udp|dns|siptcp|sipudp|rtsp|rdp}<br />
This command allows users to remove the specified virtual service from load balancing<br />
protocols along with all associated policies.<br />
no slb virtual l2ip <br />
This command allows users to remove the specified L2 virtual services for load balancing<br />
protocols along with all associated policies.<br />
show slb virtual {http|tcp|https|tcps|ftp|ftps|udp|dns|siptcp|sipudp|rtsp|rdp}<br />
[virtual_name]<br />
This command is used to display the given virtual service, or all virtual services of the<br />
given protocol if no name is specified.<br />
show slb virtual all<br />
This command is used to display all defined virtual services and all associated<br />
parameters.<br />
show slb virtual l2ip [virtual_name]<br />
This command is used to display all defined L2 virtual services or the specified virtual<br />
service.<br />
clear slb virtual {http|tcp|https|tcps|ftp|ftps|udp|dns|siptcp|sipudp|rtsp|rdp}<br />
This command is used to remove all virtual services of the given protocol type.<br />
no slb virtual ip <br />
This command is used to delete the L3 IP based virtual service with the given name.<br />
show slb virtual ip [real_name]<br />
This command is used to display all the defined L3 virtual services or the specified<br />
virtual service.<br />
clear slb virtual ip<br />
This command is used to remove all the defined L3 virtual services.<br />
slb virtual {enable|disable} <br />
This command is used to toggle the status <strong>of</strong> a virtual service. When a virtual service is<br />
disabled, it cannot be used for SLB.<br />
slb virtual health {on|<strong>of</strong>f}<br />
This command is used to turn on/<strong>of</strong>f the health check on virtual services. When the<br />
function is on, if all the real services associated with the virtual service are down, the<br />
<strong>APV</strong> appliance will reset the coming connections.<br />
Adding Port Range for Virtual Service
slb virtual portrange [protocol] [dst|src]
This command allows users to define a port range for the virtual service specified by the “virtual_name” parameter. The port range runs from “min_port” to “max_port”. Duplicate port ranges for one IP are not allowed. This command is shared by L2 SLB and port-range SLB. If a port range is attached to an SLB virtual service, only network traffic within the port range will be balanced; all other traffic is simply routed as pass-through traffic.
virtual_name
    The name assigned to the virtual service, as a character string. Note: If the assigned name begins with a numeric character, the string must be enclosed in double quotes.
protocol
    Optional. It can be chosen from “all|tcp|udp” and defaults to “all”. It is only meaningful when the virtual service is an L2 virtual service.
dst|src
    Optional. Whether the range applies to the destination or the source port. It defaults to “dst”.
no slb virtual portrange [protocol]
This command allows users to remove the filtering port range from the L2 virtual service.
ftp passive portrange
This command allows users to set the port range for data connections in passive FTP/FTPS. The start port and end port must be in the range 1024-65535, and a port range may cover 20 to 1000 ports. The port range is global and is used by all FTP/FTPS virtual services.
start port
    The start port number.
end port
    The end port number. Please note that the difference between the end port and the start port number must be greater than 19 but less than 999. For example, if the start port is 2000, the end port must be configured as 2019 at least and 2999 at most.
clear ftp passive portrange
This command allows users to remove a port range.
show ftp passive portrange
This command allows users to view a port range.
ftp passive externalip
This command is used to specify the external IP address for FTP/FTPS virtual services.
virtual_name
    The name of the virtual service. Note: If the assigned name begins with a numeric character, the string must be enclosed in double quotes.
ip
    The external IP address.
no ftp passive externalip [virtual_name]
This command is used to remove the external IP address.
virtual_name
    The name of the virtual service. Optional; the default value is “all”, which means the external IP addresses of all FTP/FTPS virtual services will be cleared.
show ftp passive externalip [virtual_name]
This command is used to display the external IP address.
virtual_name
    The name of the virtual service. Optional; the default value is “all”, which means the external IP addresses of all FTP/FTPS virtual services will be displayed.
Adding SLB Group Services
The following command sequences are the necessary steps to establish a load balancing method and assign it to groups of servers.
slb group method [algorithm]
This command allows users to create an SLB group. The group is used to assign a specific load-balancing algorithm to a set of real services. A group method must be established before the user may assign real or virtual servers to a group.
group_name
    The name assigned to the group service, as a character string. Note: If the assigned name begins with a non-alphabetic character, the string must be enclosed in double quotes.
algorithm
    The algorithm used to balance load among the real services that are members of the group. This parameter is optional, with a default value of Round Robin (“rr”). Depending on the algorithm used, additional parameters may need to be specified. The following lists the algorithms available on the APV appliance. Methods requiring additional parameters are marked with “*”.
    • rr  Round Robin
    • pc  Persistent Cookie*
    • pi  Persistent IP*
    • hi  Hash IP*
    • hc  Hash Cookie*
    • ph  Persistent Hostname*
    • pu  Persistent URL
    • ic  Insert Cookie*
    • rc  Rewrite Cookie*
    • ec  Embed Cookie*
    • lc  Least Connections*
    • sr  Shortest Response
    • hh  Hash Header*
    • sslsid  SSL Session ID*
    • chi  Consistent Hash IP*
    • prox  Proximity*
    • snmp  Simple Network Management Protocol*
    • sipcid  SIP CallID*
    • sipuid  SIP UserID*
    • chh  Consistent Hash Header*
    • hq  Hash Query*
    • hip  Hash (IP + Port)*
    • rdprt  RDP Routing Token
The following describes the above algorithms in more detail.
slb group method {rr|pu|sr}
Round Robin (rr): Each server takes a turn based on its weight, if any. For example, with a weight of 3, each server will be chosen for 3 requests before the next one in the list is selected.
Shortest Response (sr): Server selection is based on the lowest latency.
Persistent URL (pu): Based on a URL value. A group of this method must be associated with a virtual service using the Persistent URL policy.
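The weighted turn-taking described for Round Robin, modelled in Python as an added example (this is not code from the handbook or from Array Networks; the real service names and weights are constructed sample data, and the member weight is the optional “weight” of “slb group member”):

```python
"""Weighted Round Robin ("rr") turn-taking as described for slb group method rr.

Added example; not code from the ArrayOS APV handbook or from Array Networks.
Real service names and weights below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class RealService:
    name: str
    weight: int = 1   # the optional [weight] of "slb group member" defaults to 1


class WeightedRoundRobin:
    """Each member is chosen `weight` times in a row before the next member's turn."""

    def __init__(self, members: List[RealService]):
        if not members:
            raise ValueError("group has no members")
        if any(m.weight < 1 for m in members):
            raise ValueError("weights must be positive")
        self.members = members
        self._index = 0    # member whose turn it is
        self._served = 0   # requests handed to that member during this turn

    def select(self) -> str:
        member = self.members[self._index]
        self._served += 1
        if self._served >= member.weight:
            # Turn is over: move to the next member in list order, wrapping around.
            self._served = 0
            self._index = (self._index + 1) % len(self.members)
        return member.name


def schedule(members: List[RealService], requests: int) -> List[str]:
    """Return the real services that `requests` consecutive requests land on, in order."""
    rr = WeightedRoundRobin(members)
    return [rr.select() for _ in range(requests)]


if __name__ == "__main__":
    group = [RealService("rs1", 3), RealService("rs2", 1), RealService("rs3", 2)]
    print(schedule(group, 8))   # rs1 three times, rs2 once, rs3 twice, then rs1 again
```

With the sample weights 3, 1 and 2, eight requests are handed out as rs1, rs1, rs1, rs2, rs3, rs3, rs1, rs1, which is the behaviour the handbook describes for a weight of 3.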
slb group method hc [rr|sr|lc] [weight|threshold]
Hash Cookie (hc): based on a cookie Name=Value pair; it can only be used in conjunction with the QoS Cookie and Persistent Cookie policies. The “rr|sr|lc” argument is called the “first choice method”. If a client request does not yet have an assigned real service, this method will be used to choose a real service for that client, based on the request properties appropriate to the group method. The default value is rr. The “threshold” argument only applies if the “first choice method” is lc, and is the same as the group method lc threshold parameter.
slb group method ic [cookie_name] [add_path] [rr|sr|lc] [threshold]
When Insert Cookie (ic) is specified as the group’s algorithm, use this command structure, where users can provide the optional parameters “cookie_name”, “add_path”, “rr|sr|lc” and “threshold”.
cookie_name
    The name of the inserted cookie. If no cookie name is provided, the APV appliance will generate one.
add_path
    The path attribute of the cookie. Setting “add_path” to 1 ensures that the inserted cookie carries the path attribute “/”, while 0 means no path will be included in the cookie. The default setting is 0.
rr|sr|lc
    The “rr|sr|lc” parameter is called the “first choice method”. If a client request does not yet have an assigned real service, this method will be used to choose a real service for that client, based on the request properties appropriate to the group method. The default value is rr.
threshold
    The “threshold” parameter only applies if the “first choice method” is lc, and is the same as the group method lc threshold parameter.
Note: The configuration of the command "slb group option ic" takes priority over "slb group method ic".
If "slb group option ic" is not configured, the system decides whether to insert “/” into the cookie according to the “add_path” setting of the command "slb group method ic".
If "slb group option ic" is configured:
1. If "slb group option ic" has defined "path", that path value will be inserted into the cookie, and the path defined in the command "slb group method ic" will be ignored.
2. If "slb group option ic" has not defined "path", no path value will be inserted into the cookie, and the path defined in the command "slb group method ic" will also be ignored.
slb group option ic {expires|path|domain|secure|httponly}
The Insert Cookie method allows the APV appliance to maintain persistence to a server. This command is used to define the properties of the inserted cookie, including “expires”, “path”, “domain”, “secure” and “httponly”.
Note: To configure this command, the parameter “expires|path|domain|secure|httponly” must be enclosed in double quotes; otherwise, the command cannot be executed.
group_name
    The real service group name.
expires|path|domain|secure|httponly
    The property of the cookie.
    • “expires” is used to define the expiration time of the cookie. It ranges from 0 to 5256000 minutes, i.e. 3650 days. “expires” must be in the format “expires=day:hour:minute”. For example, “expires=3” indicates an expiration time of 3 minutes, “expires=2:3” indicates 123 minutes (2 hours and 3 minutes) and “expires=1:2:3” indicates 1563 minutes (1 day, 2 hours and 3 minutes).
    • “path” is used to specify the path of the Web page associated with the cookie. The string length ranges from 1 to 128 characters. “path” must be in the format “path=string”.
    • “domain” is used to define the domain name. Servers in different domains can access this cookie via the “domain” parameter. The string length ranges from 1 to 128 characters. “domain” must be in the format “domain=string”.
    • “secure” is used to define the transfer mode of the cookie. It must be in the format “secure=yes|no”. If “secure=yes”, the cookie will be transferred between browsers and servers deploying HTTPS or other security protocols. If “secure=no”, the cookie will only be transferred via the HTTP protocol.
    • “httponly” is used to define whether the cookie can be accessed by client-side scripts. It must be in the format “httponly=yes|no”.
    Note: The strings defined via the “path” and “domain” parameters are inserted into the cookie without any change. The strings are case-sensitive, and spaces are allowed in the strings.
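As an added example (not code from the handbook or from Array Networks), the following Python turns the documented option strings into the attributes of a Set-Cookie header and flags a persistence cookie configured without “secure=yes” or “httponly=yes”. The handbook does not say how the appliance serialises the expiry; rendering it as a Max-Age attribute in seconds is this example’s own assumption, as is the cookie name “sticky”.

```python
"""Cookie properties of "slb group option ic" rendered as Set-Cookie attributes.

Added example; not code from the ArrayOS APV handbook or from Array Networks.
It parses the documented option strings ("expires=1:2:3", "path=/app",
"secure=yes", ...) exactly as they would be typed in double quotes on the CLI.
The handbook does not say how the appliance serialises the expiry; rendering it
as a Max-Age attribute in seconds is this example's own assumption.
"""
from typing import List, Tuple

MAX_EXPIRES_MINUTES = 5_256_000   # documented upper bound, i.e. 3650 days
MAX_STRING_LEN = 128              # documented limit for "path" and "domain"


def parse_expires(spec: str) -> int:
    """Convert "minute", "hour:minute" or "day:hour:minute" into total minutes."""
    parts = spec.split(":")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad expires value: {spec!r}")
    # Left-pad so [m], [h, m] and [d, h, m] all line up as days, hours, minutes.
    days, hours, minutes = [0] * (3 - len(parts)) + [int(p) for p in parts]
    total = days * 24 * 60 + hours * 60 + minutes
    if total > MAX_EXPIRES_MINUTES:
        raise ValueError(f"expires {total} exceeds {MAX_EXPIRES_MINUTES} minutes")
    return total


def parse_option(option: str) -> Tuple[str, str]:
    """Split one "key=value" option; the value is kept verbatim (case and spaces)."""
    key, sep, value = option.partition("=")
    if not sep:
        raise ValueError(f"option must be key=value: {option!r}")
    return key, value


def cookie_attributes(options: List[str]) -> List[str]:
    """Validate the documented properties and map them to Set-Cookie attributes."""
    attrs = []
    for option in options:
        key, value = parse_option(option)
        if key == "expires":
            attrs.append(f"Max-Age={parse_expires(value) * 60}")
        elif key in ("path", "domain"):
            if not 1 <= len(value) <= MAX_STRING_LEN:
                raise ValueError(f"{key} must be 1-{MAX_STRING_LEN} characters")
            attrs.append(f"{key.capitalize()}={value}")   # inserted without any change
        elif key in ("secure", "httponly"):
            if value not in ("yes", "no"):
                raise ValueError(f"{key} must be yes or no")
            if value == "yes":
                attrs.append("Secure" if key == "secure" else "HttpOnly")
        else:
            raise ValueError(f"unknown cookie property: {key!r}")
    return attrs


def build_set_cookie(name: str, value: str, options: List[str]) -> str:
    """Assemble the Set-Cookie header value the inserted persistence cookie would carry."""
    return "; ".join([f"{name}={value}"] + cookie_attributes(options))


def hardening_gaps(options: List[str]) -> List[str]:
    """Flags a defender would expect on a persistence cookie but which are absent."""
    attrs = cookie_attributes(options)
    return [flag for flag in ("Secure", "HttpOnly") if flag not in attrs]


if __name__ == "__main__":
    opts = ["expires=1:2:3", "path=/app", "secure=yes", "httponly=yes"]
    print(build_set_cookie("sticky", "rs1", opts))
    print(hardening_gaps(["path=/app"]))   # a cookie configured with neither flag
```

The three expiry forms from the handbook parse to 3, 123 and 1563 minutes, and a configuration that omits “secure=yes” and “httponly=yes” is reported as missing both Secure and HttpOnly, which is the check worth running against any group that inserts a persistence cookie on an HTTPS virtual service.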
show slb group option ic [group_name]
This command is used to display the cookie property configuration of the specified group. If no group name is specified, the cookie property configurations of all groups will be displayed.
clear slb group option ic [group_name]
This command is used to clear the cookie properties of the specified group. If no group name is specified, the cookie property configurations of all groups will be cleared.
slb group method rc [cookie_name] [offset] [rr|sr|lc] [threshold]
For Rewrite Cookie (rc), use this command structure, where “cookie_name” is required, as is the “offset” value. (The “offset” value is the number of protected bytes in a backend-server-generated cookie.) Users must leave at least four (4) bytes of free space within the server cookie value for the APV appliance to perform this task. The default value is zero (0). The “rr|sr|lc” argument is called the “first choice method”. If a client request does not yet have an assigned real service, this method will be used to choose a real service for that client, based on the request properties appropriate to the group method. The default value is rr. The “threshold” argument only applies if the “first choice method” is lc, and is the same as the group method lc threshold parameter.
slb group method pc [option]
For the SLB method Persistent Cookie (pc), the “option” parameter is the cookie value offset. The default cookie value offset is 0. A group of this method must be associated with a virtual service using the Persistent Cookie policy.
slb group method lc [threshold] [yes|no]
When Least Connections (lc) is used as the group’s algorithm, two additional parameters can be specified. The parameter “threshold” is the threshold granularity of the algorithm, which defines how much the response time or active connection count of two real services must differ before the algorithm treats them as different. This parameter is optional, with a default value of 10. The parameter “yes|no” specifies whether SLB should use round robin among all real services that are at the same active connection count or response time threshold. A value of “yes” means Round Robin will be used, and a value of “no” means it will not. This parameter is optional, with a default value of “no”.
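The following Python is an added example (not code from the handbook or from Array Networks) of how the “threshold” granularity and the “yes|no” tie-break interact in Least Connections selection. The handbook does not give the exact comparison the appliance performs, so this model treats two services as equally loaded when their active connection counts differ by no more than the threshold, as the Hash Header section words it; the service names and counts are constructed sample data.

```python
"""Least Connections ("lc") with the "threshold" granularity and the "yes|no"
round-robin tie-break of slb group method lc.

Added example; not code from the ArrayOS APV handbook or from Array Networks.
The handbook does not give the exact comparison the appliance performs; this
model treats two services as having "the same" load when their active
connection counts differ by no more than the threshold. Service names and
counts are constructed sample data.
"""
from typing import Dict, List


class LeastConnections:
    def __init__(self, counts: Dict[str, int], threshold: int = 10, use_rr: bool = False):
        if threshold < 0:
            raise ValueError("threshold must be non-negative")
        self.counts = dict(counts)     # real service -> active connections, in member order
        self.threshold = threshold     # default 10, as documented
        self.use_rr = use_rr           # "yes": round robin among equally loaded members
        self._rr_pos = 0

    def candidates(self) -> List[str]:
        """Members whose active count is within `threshold` of the lowest count."""
        lowest = min(self.counts.values())
        return [name for name, c in self.counts.items() if c - lowest <= self.threshold]

    def select(self) -> str:
        """Pick the member for the next connection and account for it."""
        cands = self.candidates()
        if self.use_rr and len(cands) > 1:
            choice = cands[self._rr_pos % len(cands)]
            self._rr_pos += 1
        else:
            choice = cands[0]          # "no": the first listed member in the lowest bucket
        self.counts[choice] += 1       # the new connection is now active on that member
        return choice


def simulate(counts: Dict[str, int], requests: int, threshold: int = 10,
             use_rr: bool = False) -> List[str]:
    """Return the members that `requests` new connections are assigned to, in order."""
    lc = LeastConnections(counts, threshold, use_rr)
    return [lc.select() for _ in range(requests)]


if __name__ == "__main__":
    load = {"rs1": 100, "rs2": 105, "rs3": 130}
    print(simulate(load, 4))                  # rs1 every time: rs2 is "the same", rs3 is not
    print(simulate(load, 4, use_rr=True))     # alternates rs1, rs2
```

With counts 100, 105 and 130 and the default threshold of 10, rs1 and rs2 are indistinguishable to the algorithm while rs3 is excluded; with “no” the first listed member keeps receiving connections, and with “yes” the two equally loaded members alternate.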
slb group method sslsid [timeout]
For load balancing based on the SSL session ID (SSLSID), use this version of the command structure. Please note that only TCP real servers are allowed as members of an SSLSID group, and only TCP virtual services may be associated with this group. The optional parameter is the length of time (in minutes; the default is 5 minutes) that a session may be open before it can be replaced. A group deploying this method may only be assigned as a default group.
slb group method pi [hash_bits] [rr|sr|lc] [threshold]
This command takes the additional (optional) parameter “hash_bits”. The optional “hash_bits” field controls how many bits of the source IP are used in generating the hash. It can be compared to a netmask which is applied to the IP before it is hashed. The value range for this parameter is 0-32 inclusive, with a default of 32. The “rr|sr|lc” argument is called the “first choice method”. If a client request does not yet have an assigned real service, this method will be used to choose a real service for that client, based on the request properties appropriate to the group method. The default value is rr. The “threshold” argument only applies if the “first choice method” is lc, and is the same as the group method lc threshold parameter.
slb persistence timeout [group_name]
This command allows users to set the “pi” group method timeout value globally or per group. If this value is set to “0”, the “pi” timeout function is off; otherwise, if an IP address in a “pi” group is idle for longer than the timeout value, it will be treated as a new IP address and a group member will be chosen for it again.
timeout_minutes
    The value defaults to 0, which means OFF. The maximum value is 50000 minutes. (43200 minutes = 1 month)
group_name
    Optional. It is null by default, which means the timeout is a global setting.
no slb persistence timeout [group_name]
This command is used to remove the “pi” group method timeout value. If “group_name” is null, only the global timeout is deleted. If “group_name” is given, only the timeout of the specified group is deleted.
show slb persistence timeout [group_name]
This command is used to display the “pi” group method timeout value. If “group_name” is null, only the global timeout is displayed. If “group_name” is given, only the timeout of the specified group is displayed.
slb group method ph [rr|sr|lc] [threshold]
This command allows users to define the Persistent Hostname method. The “rr|sr|lc” argument is called the “first choice method”. If a client request does not yet have an assigned real service, this method will be used to choose a real service for that client, based on the request properties appropriate to the group method. The default value is rr. The “threshold” argument only applies if the “first choice method” is lc, and is the same as the group method lc threshold parameter.
slb group method hi [hash_bits]
The Hash IP (hi) load balancing method maps incoming traffic to real services based on the source IP of the traffic. The Hash IP algorithm is consistent across multiple APV appliances, as long as the Hash IP groups on each APV appliance are configured the same. The optional “hash_bits” field controls how many bits of the source IP are used in generating the hash. Note that if a real service in a Hash IP group goes down, the existing persistence will be disrupted.
slb group method hh [rr|sr|lc] [threshold] [prefix] [delimiter]
For balancing based on Hash Header (hh), users must define an available header. Users can hash an entire HTTP header or just part of one. The “prefix” and “delimiter” arguments are configured to match the part to be hashed. If the configured prefix string is not matched, the entire HTTP header will be hashed. If the configured prefix is matched but the configured delimiter is not, the entire string after the configured prefix will be hashed. This command only hashes the string between the prefix and the delimiter, excluding the prefix and the delimiter themselves. If the configured prefix appears more than once in an HTTP header, only the first occurrence will be matched.
header_name
    The name of an HTTP header. It must be a non-standard HTTP header, i.e. not a standard header such as “Accept”, “Content-Type” or “Content-Length”.
rr|sr|lc
    This argument is also called the “first choice method”. If a client request does not yet have an assigned real service, this method will be used to choose a real service for that client. The default value is rr.
threshold
    It only applies if the “first choice method” is “lc”. If and only if the difference between two servers’ respective connection counts is larger than the threshold will the Array system consider the connection counts of the two servers different, so that the “lc” method can work. It defaults to 10. If the “first choice method” is “rr” or “sr”, users must still enter an arbitrary integer here in order to reach the later parameters.
prefix
    Optional. If the configured prefix is not the beginning string (the string immediately following the header name, not including a blank), it will be matched only when it follows the configured delimiter (blanks and TABs are allowed between the delimiter and the prefix). For example, if the configured delimiter is “y”, the configured prefix “username” matches “myusername” and “my username”. The prefix string is case-sensitive. It may be given with or without double quotes.
delimiter
    Optional. This argument indicates where the part of the HTTP header to be hashed ends: the last character hashed is the one just before the delimiter. It is case-sensitive, and must be in double quotes.
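The prefix and delimiter rules above, implemented in Python as an added example (not code from the handbook or from Array Networks). Only the header value is passed in, i.e. the text after the header name and its blank. The handbook does not name the appliance’s hash function, so CRC32 from zlib stands in for it; the header values and member names are constructed.

```python
"""Selecting the part of an HTTP header that Hash Header ("hh") hashes,
following the documented prefix and delimiter rules.

Added example; not code from the ArrayOS APV handbook or from Array Networks.
Only the header value (the text after the header name and its blank) is
passed in. The handbook does not name the appliance's hash function; CRC32
from zlib stands in for it. Header values and member names are constructed.
"""
import zlib
from typing import List, Optional


def hashed_part(value: str, prefix: Optional[str] = None,
                delimiter: Optional[str] = None) -> str:
    """Return the substring of `value` that the group hashes."""
    if not prefix:
        return value                    # nothing configured: hash the whole header
    pos = value.find(prefix)            # only the first occurrence is considered
    if pos == -1:
        return value                    # prefix not matched: hash the whole header
    if pos > 0:
        # Not the beginning string: it counts only when it follows the delimiter,
        # with blanks and TABs allowed in between.
        before = value[:pos].rstrip(" \t")
        if not (delimiter and before.endswith(delimiter)):
            return value
    rest = value[pos + len(prefix):]    # the prefix itself is never part of the hash
    if not delimiter:
        return rest
    end = rest.find(delimiter)
    return rest if end == -1 else rest[:end]   # no delimiter after it: hash everything after the prefix


def select_real_service(value: str, members: List[str], prefix: Optional[str] = None,
                        delimiter: Optional[str] = None) -> str:
    """Map the hashed part onto a member; equal parts always land on the same member."""
    part = hashed_part(value, prefix, delimiter)
    return members[zlib.crc32(part.encode()) % len(members)]


if __name__ == "__main__":
    members = ["rs1", "rs2", "rs3"]
    # Constructed values of a hypothetical non-standard "X-Session" header
    for v in ("user=alice;token=abc", "id=7; user=alice;token=xyz", "id=7 user=alice", "token=abc"):
        part = hashed_part(v, "user=", ";")
        print(repr(v), "->", repr(part), "->", select_real_service(v, members, "user=", ";"))
```

The first two constructed values hash the same part (“alice”), so they reach the same member; in the third the prefix is neither at the start nor after a “;”, so the whole header is hashed, and in the last the prefix is absent with the same result.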
slb group method chi [hash_bits]
This command creates a Consistent Hash IP (chi) group with the given group name. The chi algorithm maps client requests to servers by hashing the source IPs of the requests. The optional “hash_bits” field controls how many bits of the source IP are used in generating the hash. The value of “hash_bits” can be any number between 0 and 32 inclusive, with a default of 32.
slb group method prox [rr|sr|lc] [threshold]
This command creates a Proximity (prox) group with the given group name. The “rr|sr|lc” argument is called the “first choice method”. If a client request does not yet have an assigned real service according to the SDNS proximity rules, this method will be used to choose a real service for that client, based on the request properties appropriate to the group method. The default value is rr. The “threshold” argument only applies if the “first choice method” is lc, and is the same as the group method lc threshold parameter.
slb group method snmp [weight|cpu] [community] [oidcount] [oid1] [oidweight1] [oid2] [oidweight2] [check_interval]
This command creates an SLB group with the snmp group method.
weight|cpu
    Mode value. CPU mode meets most customer requirements; weight mode supports customization of the OIDs and the check interval. In CPU mode, only the community parameter needs to be configured and a fixed interval of 60 seconds is applied.
community
    The community string of the SNMP server.
oidcount
    1 or 2; the number of OIDs in weight mode.
oid1
    The first OID in weight mode.
oidweight1
    The weight of the first OID in weight mode.
oid2
    The second OID in weight mode.
oidweight2
    The weight of the second OID in weight mode.
check_interval
    The SNMP check interval for weight mode.
slb group method ec [rr|sr|lc] [threshold]
Embed Cookie (ec): The first HTTP request, which carries no cookie, may hit the group associated with the default policy, and the APV appliance will choose a real service according to the “rr|sr|lc” method. When the APV appliance gets the response from the server with the configured cookie name, a string containing the real server’s information is embedded at the head of the cookie value by the APV appliance, and the modified response is forwarded to the client. Subsequent client requests carry the modified cookie value, from which the APV appliance knows the persistent real service. The APV appliance removes the embedded real service information from the cookie value and forwards the request with the original cookie value to the server. So only the cookie value between the client and the APV appliance is altered; the cookie value between the APV appliance and the real service remains unchanged. The “rr|sr|lc” argument is called the “first choice method”. The default value is rr. The “threshold” argument only applies if the “first choice method” is lc, and is the same as the group method lc threshold parameter.
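The two legs of the Embed Cookie exchange, as an added Python example (not code from the handbook or from Array Networks). The handbook says only that a string with the real server’s information is put at the head of the cookie value; the “~” separator, the use of the member name as that string, and the header values are this example’s own constructions. Note the check on the request leg: a head that names no member of the group gives no persistence rather than a free choice of server.

```python
"""Embed Cookie ("ec") rewriting on both legs of the HTTP exchange.

Added example; not code from the ArrayOS APV handbook or from Array Networks.
The handbook says only that a string with the real server's information is put
at the head of the cookie value; the "~" separator and the use of the member
name as that string are this example's assumptions. Header values are constructed.
"""
from typing import List, Optional, Set, Tuple

SEP = "~"   # constructed separator between embedded info and the server's own value


def embed(value: str, real_service: str) -> str:
    """Response leg: put the real service's information at the head of the value."""
    return f"{real_service}{SEP}{value}"


def strip(value: str, known: Set[str]) -> Tuple[Optional[str], str]:
    """Request leg: recover (real service, original value); unknown heads are left alone."""
    head, sep, rest = value.partition(SEP)
    if sep and head in known:
        return head, rest
    return None, value   # no cookie yet, or a head that names no member of the group


def rewrite_set_cookie(header_value: str, cookie_name: str, real_service: str) -> str:
    """Rewrite a Set-Cookie value from the server; only the configured cookie is touched."""
    first, sep, attrs = header_value.partition(";")
    name, eq, value = first.partition("=")
    if not eq or name.strip() != cookie_name:
        return header_value
    return f"{name}={embed(value, real_service)}{sep}{attrs}"


def rewrite_cookie_header(header_value: str, cookie_name: str,
                          known: Set[str]) -> Tuple[Optional[str], str]:
    """Parse a request Cookie header; return the persistent member and the header the server sees."""
    chosen: Optional[str] = None
    out: List[str] = []
    for pair in (p.strip() for p in header_value.split(";")):
        if not pair:
            continue
        name, eq, value = pair.partition("=")
        if eq and name == cookie_name:
            member, value = strip(value, known)   # server gets the original value back
            chosen = member or chosen
            out.append(f"{name}={value}")
        else:
            out.append(pair)
    return chosen, "; ".join(out)


if __name__ == "__main__":
    group = {"rs1", "rs2"}
    print(rewrite_set_cookie("session=abc123; Path=/; HttpOnly", "session", "rs2"))
    print(rewrite_cookie_header("lang=en; session=rs2~abc123", "session", group))
    print(rewrite_cookie_header("session=rs9~abc123", "session", group))   # unknown head: no persistence
```

Cookie attributes such as Path and HttpOnly pass through untouched, and the value the server set is restored byte for byte on the request leg, which is the “unchanged between the APV appliance and the real service” property the text describes.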
slb group method {sipcid|sipuid} [rr|sr|lc] [threshold]
This command is used to configure an SLB group of SIP servers that requires SIP call ID persistence (parsing the Call-ID header) or SIP user ID persistence (parsing the User-ID header). Please note: besides the sipcid and sipuid methods, SLB groups of SIP real services may use other L4 methods, such as rr, lc and sr. Groups that are not for SIP real services cannot use the sipcid and sipuid methods.
group_name
    The name assigned to the group service, as a character string. Note: If the assigned name begins with a numeric or otherwise non-alphabetic character, the string must be enclosed in double quotes.
rr|sr|lc
    For balancing based on SIP call ID or user ID persistence. The “rr|sr|lc” argument is called the “first choice method”. If the client request does not yet have an assigned real service, this method will be used to choose a real service for that client, based on the request properties appropriate to the group method. The default value is rr.
threshold
    It only applies if the “first choice method” is lc, and is the same as the group method lc threshold parameter.
slb group method chh
This command is used to add a Consistent Hash Header (chh) SLB group. The “chh” method maintains persistence by applying hash functions to the specified HTTP request header. It hashes the specified HTTP request header at most 3 times until an available real service in the group is selected. If all 3 hash values point to out-of-service real services, a healthy real service is chosen in round robin manner.
group_name
    The name assigned to the group service, as a character string. Note: If the assigned name begins with a numeric or otherwise non-alphabetic character, the string must be enclosed in double quotes.
header_name
    The name of an HTTP request header. Both standard and extended headers are supported. To use the HTTP URL (without the host name portion), set the header name to “url”.
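The following Python is an added example (not code from the handbook or from Array Networks) serving the source-IP hashing methods above (“pi”, “hi”, “chi”, with “hash_bits” applied like a netmask), the difference between a plain Hash IP and a consistent hash when a member leaves, and the “chh” rule of rehashing at most 3 times before falling back to round robin. The handbook does not state the appliance’s hash function or ring layout, so CRC32 from zlib and a simple virtual-node ring are this example’s own choices; the addresses, header values and member names are constructed.

```python
"""Source-IP hashing with "hash_bits" (pi, hi, chi), the consistent hash ring
that keeps "chi" stable when a member is removed, and the up-to-three rehashes
of "chh" before it falls back to round robin.

Added example; not code from the ArrayOS APV handbook or from Array Networks.
The handbook does not state the appliance's hash function or ring layout, so
CRC32 from zlib and a simple virtual-node ring are this example's own choices.
Addresses, header values and member names are constructed sample data.
"""
import ipaddress
import zlib
from bisect import bisect_right
from typing import Callable, Dict, List, Set, Tuple


def mask_source_ip(ip: str, hash_bits: int = 32) -> str:
    """Keep the leading hash_bits of the address, like applying a netmask before hashing."""
    if not 0 <= hash_bits <= 32:
        raise ValueError("hash_bits must be between 0 and 32 inclusive")
    return str(ipaddress.ip_network(f"{ip}/{hash_bits}", strict=False).network_address)


def _h(key: str) -> int:
    return zlib.crc32(key.encode())


def hi_select(ip: str, members: List[str], hash_bits: int = 32) -> str:
    """Hash IP: modulo over the member list, so removing one member reshuffles most clients."""
    return members[_h(mask_source_ip(ip, hash_bits)) % len(members)]


class ConsistentHashRing:
    """Each member owns `replicas` points on the ring; a key goes to the next point clockwise."""

    def __init__(self, members: List[str], replicas: int = 64):
        self.points = sorted((_h(f"{m}#{i}"), m) for m in members for i in range(replicas))
        self.keys = [p for p, _ in self.points]

    def select(self, key: str) -> str:
        idx = bisect_right(self.keys, _h(key)) % len(self.points)
        return self.points[idx][1]


def chi_select(ip: str, ring: ConsistentHashRing, hash_bits: int = 32) -> str:
    """Consistent Hash IP: the masked address is looked up on the ring."""
    return ring.select(mask_source_ip(ip, hash_bits))


def remapped_fraction(clients: List[str], before: Callable[[str], str],
                      after: Callable[[str], str]) -> float:
    """Share of clients whose member changed between two selectors."""
    return sum(1 for c in clients if before(c) != after(c)) / len(clients)


def remap_demo(n_clients: int = 200) -> Tuple[float, float]:
    """Remove "rs4" from a four-member group; return (hi, chi) fractions of clients that moved."""
    clients = [f"10.0.{i // 256}.{i % 256}" for i in range(n_clients)]   # constructed addresses
    full, reduced = ["rs1", "rs2", "rs3", "rs4"], ["rs1", "rs2", "rs3"]
    hi_moved = remapped_fraction(clients, lambda c: hi_select(c, full),
                                 lambda c: hi_select(c, reduced))
    ring_full, ring_reduced = ConsistentHashRing(full), ConsistentHashRing(reduced)
    chi_moved = remapped_fraction(clients, lambda c: chi_select(c, ring_full),
                                  lambda c: chi_select(c, ring_reduced))
    return hi_moved, chi_moved


def chh_select(header_value: str, members: List[str], healthy: Set[str],
               rr_state: Dict[str, int]) -> str:
    """Consistent Hash Header: rehash up to 3 times, then round robin over healthy members."""
    key = header_value
    for _ in range(3):
        candidate = members[_h(key) % len(members)]
        if candidate in healthy:
            return candidate
        key = f"{key}#{_h(key)}"   # rehash by feeding the previous hash back in (example's choice)
    alive = [m for m in members if m in healthy]
    if not alive:
        raise RuntimeError("no healthy real service in the group")
    choice = alive[rr_state.get("pos", 0) % len(alive)]
    rr_state["pos"] = rr_state.get("pos", 0) + 1
    return choice


if __name__ == "__main__":
    print(mask_source_ip("10.1.2.3", 24))         # 10.1.2.0
    hi, chi = remap_demo()
    print(f"hi remapped {hi:.0%} of clients, chi remapped {chi:.0%}")
    print(chh_select("session=abc", ["rs1", "rs2", "rs3"], {"rs2"}, {}))   # only rs2 is healthy
```

With “hash_bits” 24, every client in the same /24 hashes to the same member. Removing a member from a modulo-based Hash IP group moves most clients, whereas on the ring only the clients that were on the removed member move, which is the persistence disruption the Hash IP note warns about and the reason “chi” exists. For “chh”, a member that fails health checks is skipped by rehashing, and only when three hashes in a row land on failed members does round robin take over.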
slb group method hq [rr|sr|lc]
This command is used to create a Hash Query (hq) SLB group. The “hq” method maintains persistence by hashing the specified tag value in the query string of HTTP requests. This method must be used together with a persistent URL policy; the tag is defined in the persistent URL policy. The “rr|sr|lc” argument is called the “first choice method” and defaults to rr.
slb group method hip [hash_bits]
The Hash (IP + Port) (hip) load balancing method maps incoming traffic to real services based on the source IP and port of the traffic; it maintains persistence by hashing the source IP and port. The optional “hash_bits” field controls how many bits of the source IP are used in generating the hash. Note: If a real service in a Hash (IP + Port) group goes down, the existing persistence will be disrupted.
slb group method rdprt [rr|sr|lc]
This command is used to create an SLB group that uses the “rdprt” (RDP Routing Token) algorithm.
group_name
    The real service group name.
rr|sr|lc
    This argument is also called the “first choice method”. If a client request does not yet have an assigned real service, this method will be used to choose a real service for that client. The default value is rr.
The following command is used to set L2 SLB groups.
slb group method {hi|rr|chi} [route|direct]
This command defines an L2 SLB group. L2 SLB supports three kinds of group methods: Round Robin (rr), Hash IP (hi) and Consistent Hash IP (chi).
route|direct
    Specify the route mode, which determines how the traffic initiated from the real servers will be routed.
    • route: The traffic will be routed by the normal routing rules.
    • direct: The traffic will be routed from the interface associated with the L2 virtual service.
    This parameter is optional. By default, the “direct” mode is used.
Adding IP Pool
[no] slb proxyip global
This command is used to assign a pre-defined IP pool to all SLB real servers as the global IP pool. The “no” version of this command is used to remove the specified global IP pool.
pool_name
    The name of the IP pool, which can be pre-defined via the command “ip pool [end_ip]”. If the pool name begins with a numeric character, the string must be enclosed in double quotes.
[no] slb proxyip group
This command is used to assign a pre-defined IP pool to the specified SLB group. The “no” version of this command is used to remove the specified IP pool from an SLB group.
Note: Group IP pools take priority over the global IP pool.
clear slb proxyip [group_name]
This command is used to clear the IP pool configuration of the specified group. If no group name is specified, the IP pool configurations of all SLB groups will be cleared.
show slb proxyip [group_name]
This command is used to display the IP pool configuration of the specified group. If no group name is specified, the IP pool configurations of all SLB groups will be displayed.
show statistics slb proxyip [group_name]
This command is used to display the IP pool statistics of the specified group. If no group name is specified, the IP pool statistics of all SLB groups will be displayed.
clear statistics slb proxyip [group_name]
This command is used to clear the IP pool statistics of the specified group. If no group name is specified, the IP pool statistics of all SLB groups will be cleared.
Adding Real Services to Groups<br />
slb group member <br />
This command is used to add a real service to a group. This generic command may be<br />
used to assign real services to groups employing Shortest Response, Insert Cookie, Hash<br />
Cookie, Hash Header, Persistent IP, or Persistent Hostname balancing methods.<br />
group_name Specify which group to assign the real service to.<br />
real_name Specify the real service name.<br />
If users want to assign a real service to a group employing the Round Robin or Least<br />
Connection balancing method, a slight modification of the command may be used. To add<br />
a real service to a group balanced via Round Robin or Least Connection, use this<br />
command.<br />
slb group member [weight]<br />
group_name Specify which group to assign the real service to.<br />
real_name Specify the real service name.<br />
weight Optional parameter for weighted round robin and least<br />
connection. The default value is 1.<br />
slb group member [priority]<br />
When users wish to assign a real service to a group employing the Persistent URL or<br />
Persistent Cookie balancing scheme, an associate string value must also be specified. To<br />
add a real service to a group balanced via PC or PU, use this command.<br />
group_name Specifies which group to assign the real service to.<br />
real_name Real service name.<br />
param_string For persistent URL values, this string consists of the<br />
characters that follow the “=” in a specified URL (see<br />
the “slb policy persistent url” command). For persistent<br />
cookies, the string refers to the cookie value from the<br />
associated PC policy.<br />
priority Set the priority of group members. The greater the value,<br />
the higher the priority. It defaults to 0.<br />
no slb group member <br />
This command is used to remove a real service from a group.<br />
show slb group member [group_name]<br />
This command is used to display all the members of the specified group. If the group<br />
name is not specified, display the members of all the groups.<br />
clear slb group member<br />
This command is used to remove the members <strong>of</strong> all the groups.<br />
Other SLB Group Commands<br />
no slb group method <br />
This command is used to delete the specified group. This command will also remove all<br />
associated policies and group memberships.<br />
show slb group method [group_name]<br />
This command is used to display group information including the method of balancing<br />
for the specified group.<br />
clear slb group method<br />
This command is used to delete all defined groups, including all relationships with real<br />
and virtual services.<br />
show slb group protocol <br />
The ArrayOS assigns a protocol to a real group based on the user’s configuration (TCP,<br />
HTTP, etc.) to prevent real services from being assigned to an incompatible group. This<br />
command allows users to see which protocol has been assigned to the specified group.<br />
slb group flush <br />
This command allows administrators to clear a persistent table for the specified group.<br />
This command will also eliminate any existing persistence already established, so caution<br />
is recommended when employing this command. Users who have already established a<br />
persistent connection will be forced to reestablish a persistent connection. The<br />
“group_name” parameter must refer to hc, hh, ph or pi groups.<br />
slb group activation <br />
This command allows users to activate healthy real services in a group based on their<br />
priorities. Among the healthy real services in a group, only those with the highest priority<br />
can be activated. If the number of healthy real services with the highest priority is smaller<br />
than the number of real services to be activated, the healthy real services with the second<br />
highest priority will be activated.<br />
group_name An assigned name, in the form of a character string, to the<br />
group service. Note: If the assigned name begins with a<br />
numeric or otherwise non-alphabetical character, then the<br />
string needs to be framed in double quotes.<br />
num_of_rs The number of real services to be activated. If the<br />
parameter is set to 2, two healthy real services in a group<br />
with the highest priority will be activated, and incoming<br />
requests can only be distributed to the two active real<br />
services.<br />
no slb group activation <br />
This command allows users to unset the configured number of real services to be<br />
activated.<br />
show slb group activation <br />
This command is used to display the number of real services to be activated and the status<br />
of all the real services in a specified group.<br />
Example:<br />
AN(config)#show slb group activation group1<br />
Group activation presetting: 1<br />
real server priority active reason<br />
r1 1 NO HEALTH<br />
r2 2 NO Priority<br />
r3 3 YES<br />
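The activation rule described above, as an added Python model (not ArrayOS code) that reproduces the example output; the tie-break inside one priority tier (configuration order) is an assumption:<br />

```python
"""Model of how ``slb group activation`` chooses active real services.

Added example, not ArrayOS code. Rule from the handbook: only healthy members
with the highest priority are activated; when that tier has fewer members than
num_of_rs, the next-highest priority tier is used as well. Members that are
not healthy are reported with reason HEALTH, healthy members that lost out on
priority with reason Priority, as ``show slb group activation`` prints them.
Assumption: inside one priority tier, members are taken in configuration order.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class RealService:
    name: str
    priority: int   # from ``slb group member ... [priority]``; greater = higher
    healthy: bool   # current health-check result


@dataclass
class ActivationStatus:
    name: str
    priority: int
    active: bool
    reason: str     # "" when active, otherwise "HEALTH" or "Priority"


def activate(members: List[RealService], num_of_rs: int) -> List[ActivationStatus]:
    """Return one status row per member, in the order the members were listed."""
    # Healthy members, highest priority first; sorted() is stable, so members of
    # equal priority keep configuration order (the assumption stated above).
    healthy = sorted((m for m in members if m.healthy),
                     key=lambda m: m.priority, reverse=True)
    # Filling num_of_rs slots from the top of a priority-sorted list is the
    # same as exhausting the top tier first, then the second tier, and so on.
    chosen = {m.name for m in healthy[:max(num_of_rs, 0)]}
    rows = []
    for m in members:
        if m.name in chosen:
            rows.append(ActivationStatus(m.name, m.priority, True, ""))
        elif not m.healthy:
            rows.append(ActivationStatus(m.name, m.priority, False, "HEALTH"))
        else:
            rows.append(ActivationStatus(m.name, m.priority, False, "Priority"))
    return rows


def render(rows: List[ActivationStatus], num_of_rs: int) -> str:
    """Format the rows in the layout of the ``show slb group activation`` example."""
    lines = [f"Group activation presetting: {num_of_rs}",
             "real server priority active reason"]
    for r in rows:
        flag = "YES" if r.active else "NO"
        lines.append(f"{r.name} {r.priority} {flag} {r.reason}".rstrip())
    return "\n".join(lines)


# Constructed sample matching the handbook example: group1 with three members.
GROUP1 = [
    RealService("r1", 1, healthy=False),
    RealService("r2", 2, healthy=True),
    RealService("r3", 3, healthy=True),
]

if __name__ == "__main__":
    print(render(activate(GROUP1, 1), 1))
```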
SLB Policy Settings<br />
In SLB, a policy links a virtual service to a group according to a specific rule. There are<br />
16 different policies. A virtual service can be associated with multiple policies of each<br />
type (with a few exceptions). Policies have precedence between policy types, as well as<br />
within policy types. Virtual services using a cookie based policy (such as insert cookie,<br />
rewrite cookie, etc.) need to assign the configured group as the default group as well so<br />
that the cookie may be set for a client’s initial request. Multiple SLB policies’<br />
precedences are configurable. The default precedence between policy types is as follows:<br />
1. redirect<br />
2. static<br />
3. qos client port<br />
4. qos network<br />
5. persistent url<br />
6. rewrite cookie<br />
7. insert cookie<br />
8. persistent cookie<br />
9. qos cookie<br />
10. qos hostname<br />
11. qos url<br />
12. regex<br />
13. header<br />
14. hash url<br />
15. default<br />
16. backup<br />
(The italic policies’ precedences are configurable.)<br />
During policy lookup for a specific VIP, each type is checked in the order given above. At<br />
each type, all possible matches for that type are collected. The match with the highest<br />
precedence within that type is then used to resolve to the associated group. Below are the<br />
available commands for configuring the APV appliance to establish balancing policies.<br />
show slb policy all<br />
This command allows users to display all policies currently configured within the APV<br />
appliance.<br />
slb policy order <br />
This command is used to set the specified policy’s precedence in the order template<br />
named by the “order_template_name” parameter. If the specified order template name<br />
already exists, this command will override it; otherwise, the command will create a new<br />
order template based on the default order. 100 order templates can be created at most. If<br />
one policy is moved forward to a place, all the policies in between will be moved one<br />
place backward. On the other hand, if one policy is moved backward to a place, all the<br />
policies in between will be moved one place forward. For L4 SLB, only five policies<br />
(static, qos clientport, qos network, default and backup) can be used in the policy order<br />
template.<br />
order_template_name Customer defined order template name; the name can<br />
contain 1 to 64 characters; up to 100 individual order<br />
templates can be defined.<br />
policy_type The policy type, such as header, ic, qos-cookie, etc.<br />
precedence 1 to 12.<br />
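The policy lookup walk described under “SLB Policy Settings” and the order-template shifting described for “slb policy order”, as one added Python model (not ArrayOS code). The match functions, the group names and the “lower value wins” rule for precedence within a type (stated in the text only for QoS URL) are assumptions:<br />

```python
"""Model of SLB policy order templates and the policy lookup walk.

Added example, not ArrayOS code. Two handbook rules are modelled:
``slb policy order`` moves one policy type to a new place in a copy of the
default order, shifting the types in between by one place; policy lookup walks
the types in template order, collects every match of that type and resolves to
the group of the match with the highest precedence. Assumptions: a lower
precedence value wins within a type, and a type whose winning group has no
available real service is skipped so the walk continues with the next type.
The handbook's limit of precedence 1 to 12 and its list of movable types are
not enforced here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Default precedence between policy types, as listed in the handbook.
DEFAULT_ORDER = [
    "redirect", "static", "qos clientport", "qos network", "persistent url",
    "rewrite cookie", "insert cookie", "persistent cookie", "qos cookie",
    "qos hostname", "qos url", "regex", "header", "hashurl", "default", "backup",
]


def order_template(changes: List[tuple]) -> List[str]:
    """Build an order template from the default order.

    Each change is (policy_type, precedence) as given to ``slb policy order``;
    precedence 1 means checked first. Removing the type and reinserting it is
    exactly the "all policies in between move one place" behaviour described.
    """
    order = list(DEFAULT_ORDER)
    for policy_type, precedence in changes:
        if policy_type not in order or not 1 <= precedence <= len(order):
            raise ValueError(f"bad order entry {policy_type!r} {precedence}")
        order.remove(policy_type)
        order.insert(precedence - 1, policy_type)
    return order


@dataclass
class Policy:
    name: str
    ptype: str                  # one of DEFAULT_ORDER
    group: str
    precedence: int = 0         # 0..65535, lower wins (assumption)
    # Request predicate; default and backup policies always match.
    match: Callable[[Dict[str, str]], bool] = lambda req: True


def lookup(policies: List[Policy], order: List[str], req: Dict[str, str],
           available: Dict[str, bool]) -> Optional[str]:
    """Resolve a request to a group name, or None if nothing usable matched.

    ``available[group]`` says whether the group still has a real service up.
    """
    matched_before = False
    for ptype in order:
        if ptype == "backup":
            # Backup is used only when an earlier policy matched but every
            # real service behind the matches was down or overflowed.
            backups = [p for p in policies if p.ptype == "backup"]
            if matched_before and backups and available.get(backups[0].group):
                return backups[0].group
            continue
        hits = [p for p in policies if p.ptype == ptype and p.match(req)]
        if not hits:
            continue
        best = min(hits, key=lambda p: p.precedence)
        matched_before = True
        if available.get(best.group, False):
            return best.group
    return None


# Constructed sample: one VIP with two QoS URL policies, a Header policy,
# a default policy and a backup policy. The lambdas stand in for the
# appliance's own matching and are not its implementation.
POLICIES = [
    Policy("api", "qos url", "g_api", 10, lambda r: r["url"].startswith("/api/")),
    Policy("apiv2", "qos url", "g_api2", 5, lambda r: r["url"].startswith("/api/v2/")),
    Policy("mob", "header", "g_mobile", 0,
           lambda r: "Mobile" in r.get("User-Agent", "")),
    Policy("dflt", "default", "g_web"),
    Policy("bak", "backup", "g_backup"),
]
ALL_UP = {"g_api": True, "g_api2": True, "g_mobile": True,
          "g_web": True, "g_backup": True}
REQ = {"url": "/api/v2/items", "User-Agent": "Mozilla Mobile"}

if __name__ == "__main__":
    print(lookup(POLICIES, DEFAULT_ORDER, REQ, ALL_UP))                    # g_api2
    print(lookup(POLICIES, order_template([("header", 1)]), REQ, ALL_UP))  # g_mobile
```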
no slb policy order <br />
This command is used to remove the specified SLB policy order template.<br />
clear slb policy order<br />
This command is used to remove all the SLB policy order templates.<br />
show slb policy order [order_template_name] [policy_type]<br />
If the policy type is specified, display its index in the specified order template; otherwise<br />
display all the policies in the configured order in this order template. If the order template<br />
name is not specified, display all the policies in the configured order in all defined order<br />
templates, and the default order will be displayed at first.<br />
slb vlink <br />
This command is used to create a vlink.<br />
show slb vlink [vlink_name]<br />
This command is used to display one or all the defined vlinks.<br />
no slb vlink <br />
This command is used to remove a specified vlink.<br />
clear slb vlink<br />
This command is used to delete all the defined vlinks.<br />
show statistics slb vlink [vlink_name]<br />
This command is used to display the statistics about a vlink or all of the defined vlinks.<br />
clear statistics slb vlink [vlink_name]<br />
This command is used to remove the statistics about a vlink or all of the defined vlinks.<br />
slb policy static <br />
This command allows users to establish a static connection between a virtual service and<br />
a real service, so that any requests calling on the virtual service will be redirected to the<br />
corresponding real service. You may only have one static policy for each virtual service.<br />
virtual_name The name of the virtual server.<br />
real_name The name of the real server.<br />
Example:<br />
AN(config)#slb policy static leadbelly acen<br />
no slb policy static <br />
This command is used to delete the static policy for a virtual service.<br />
show slb policy static [virtual_name]<br />
This command is used to display the static connection between a specified virtual service<br />
and the associated real service. If no virtual service name is specified, all defined static<br />
policies are displayed.<br />
clear slb policy static<br />
This command is used to remove all static connections between virtual services and real<br />
servers. If users want to remove a single, static connection between a virtual service and a<br />
real server, the “no slb policy static” command should be employed.<br />
slb policy persistent url {virtual_name|vlink_name}<br />
<br />
This command allows users to set a Persistent URL policy to associate a virtual service or<br />
a vlink with a Persistent URL (pu) group.<br />
policy_name User specified name for the policy being configured.<br />
virtual_name|vlink_name The name of the virtual service or the vlink.<br />
group_name The name of the group.<br />
url_tag The “tag” string that the appliance will match against.<br />
precedence A value between 0 and 65535 inclusive. The policy’s<br />
precedence is relative to other Persistent URL policies.<br />
no slb policy persistent url <br />
This command is used to delete a Persistent URL policy.<br />
show slb policy persistent url [policy_name]<br />
This command is used to display the given Persistent URL related policy, or all Persistent<br />
URL policies if no name is specified.<br />
clear slb policy persistent url<br />
This command is used to delete all Persistent URL policies.<br />
slb policy rcookie {virtual_name|vlink_name} <br />
<br />
This command allows users to set a Rewrite Cookie policy to associate a virtual service<br />
or a vlink with a group.<br />
policy_name User specified name for the policy being configured.<br />
virtual_name|vlink_name The name of the virtual service or the vlink.<br />
group_name This group should be configured with the Rewrite Cookie<br />
(rc) method and Embed Cookie (ec).<br />
precedence A value between 0 and 65535 inclusive. The policy’s<br />
precedence is relative to other Rewrite Cookie policies.<br />
no slb policy rcookie <br />
This command is used to remove the specified SLB policy from the running<br />
configuration.<br />
show slb policy rcookie [policy_name]<br />
This command is used to display all Rewrite Cookie policies currently defined in the<br />
running configuration.<br />
clear slb policy rcookie<br />
This command is used to remove all Rewrite Cookie policies from the running SLB<br />
configuration.<br />
slb policy icookie {virtual_name|vlink_name} <br />
<br />
This command allows users to set an Insert Cookie policy to associate a virtual service or<br />
a vlink with a group.<br />
policy_name User specified name for the policy being configured.<br />
virtual_name|vlink_name The name of the virtual service or the vlink.<br />
group_name This group must be configured with the Insert Cookie (ic)<br />
method.<br />
precedence A value between 0 and 65535 inclusive. The policy’s<br />
precedence is relative to other Insert Cookie policies.<br />
no slb policy icookie <br />
This command is used to remove the specified SLB policy from the running<br />
configuration.<br />
show slb policy icookie [policy_name]<br />
This command is used to display all Insert Cookie policies.<br />
clear slb policy icookie<br />
This command is used to remove all Insert Cookie policies from the running SLB<br />
configuration.<br />
slb policy persistent cookie {virtual_name|vlink_name}<br />
<br />
This command allows users to set a Persistent Cookie policy to associate a virtual service<br />
or a vlink with a group. This policy can only be used with Hash Cookie or Persistent<br />
Cookie group balancing methods.<br />
policy_name User specified name for the policy being configured.<br />
virtual_name|vlink_name The name of the virtual service or the vlink.<br />
group_name The name of the group.<br />
cookie_name Assigned cookie name.<br />
precedence A value between 0 and 65535 inclusive. The policy’s<br />
precedence is relative to other persistent cookie policies.<br />
no slb policy persistent cookie <br />
This command is used to delete the specified Persistent Cookie policy.<br />
show slb policy persistent cookie [policy_name]<br />
This command is used to display the specified Persistent Cookie policy. If no name is<br />
given, all Persistent Cookie policies will be displayed.<br />
clear slb policy persistent cookie<br />
This command is used to remove all Persistent Cookie policies.<br />
slb policy qos clientport {virtual_name|vlink_name}<br />
{group_name|vlink_name} <br />
<br />
This command is used to create a QoS Client Port policy to associate a virtual service or a<br />
vlink with a group or another vlink. When a packet hits a virtual service, its source IP and<br />
source port will be checked. If the source IP belongs to the defined subnet and the source<br />
port falls into the defined port range, the packet will hit the policy.<br />
policy_name User specified name for the policy being configured.<br />
virtual_name|vlink_name The name of the virtual service or the vlink.<br />
group_name|vlink_name The name of the group or the vlink.<br />
network_ip The specified network IP address.<br />
network_mask The subnet mask.<br />
low_port The low value of the port range.<br />
high_port The high value of the port range.<br />
precedence A value between 0 and 65535 inclusive. The policy’s<br />
precedence is relative to other QoS Client Port policies.<br />
no slb policy qos clientport <br />
This command is used to remove the specified QoS Client Port policy.<br />
show slb policy qos clientport [policy_name]<br />
This command is used to display the associated QoS Client Port policy.<br />
clear slb policy qos clientport<br />
This command is used to remove all configured QoS Client Port policies.<br />
slb policy qos cookie {virtual_name|vlink_name}<br />
{group_name|vlink_name} <br />
This command is used to create a QoS Cookie policy to associate a virtual service or a<br />
vlink with a group or another vlink.<br />
policy_name User specified name for the policy being configured.<br />
virtual_name|vlink_name The name of the virtual service or the vlink.<br />
group_name|vlink_name The name of the group or the vlink.<br />
cookie_name=cookie_value The assigned cookie name bound to a specific value.<br />
precedence A value between 0 and 65535 inclusive. The policy’s<br />
precedence is relative to other QoS Cookie policies.<br />
no slb policy qos cookie <br />
This command is used to delete the specified QoS Cookie policy.<br />
show slb policy qos cookie [policy_name]<br />
This command is used to display the specified QoS Cookie policy.<br />
clear slb policy qos cookie<br />
This command is used to remove all QoS Cookie policies.<br />
slb policy qos hostname {virtual_name|vlink_name}<br />
{group_name|vlink_name} <br />
This command allows users to set a server load balancing policy to associate a virtual<br />
service or a vlink with a group or another vlink. It may also be used with any balancing<br />
method except Persistent Cookie and Persistent URL.<br />
policy_name User specified name for the policy being configured.<br />
virtual_name|vlink_name The name of the virtual service or the vlink.<br />
group_name|vlink_name The name of the group or the vlink.<br />
host_name Assigned host name.<br />
precedence A value between 0 and 65535 inclusive. The policy’s<br />
precedence is relative to other QoS Host Name policies.<br />
no slb policy qos hostname <br />
This command is used to remove the specified QoS Host Name policy.<br />
show slb policy qos hostname [policy_name]<br />
This command is used to display the associated QoS Host Name policy.<br />
clear slb policy qos hostname<br />
This command is used to remove all configured QoS Host Name policies.<br />
slb policy qos network {virtual_name|vlink_name}<br />
{group_name|vlink_name} <br />
This command is used to create a QoS Network policy to associate a virtual service or a<br />
vlink with a group or another vlink.<br />
policy_name User specified name for the policy being configured.<br />
virtual_name|vlink_name The name of the virtual service or the vlink.<br />
group_name|vlink_name The name of the group or the vlink.<br />
network_ip The specified network IP address.<br />
network_mask The subnet mask.<br />
precedence A value between 0 and 65535 inclusive. The policy’s<br />
precedence is relative to other QoS Network policies.<br />
no slb policy qos network <br />
This command is used to remove the specified QoS Network policy.<br />
show slb policy qos network [policy_name]<br />
This command is used to display the associated QoS Network policy.<br />
clear slb policy qos network<br />
This command is used to remove all configured QoS Network policies.<br />
slb policy qos url {virtual_name|vlink_name}<br />
{group_name|vlink_name} <br />
This command is used to create a QoS URL policy to associate a virtual service or a vlink<br />
with a group or another vlink.<br />
policy_name User specified name for the policy being configured.<br />
virtual_name|vlink_name The name of the virtual service or the vlink.<br />
group_name|vlink_name The name of the group or the vlink.<br />
qos_string String to match requested URLs against.<br />
precedence A value between 0 and 65535 inclusive, which specifies the<br />
policy’s precedence relative to other QoS URL policies.<br />
The lower the value is, the higher the policy precedence<br />
will be.<br />
no slb policy qos url <br />
This command is used to delete the specified QoS URL policy.<br />
show slb policy qos url [policy_name]<br />
This command is used to display the specified QoS URL policy.<br />
clear slb policy qos url<br />
This command is used to remove all QoS URL policies.<br />
slb policy regex {virtual_name|vlink_name}<br />
{group_name|vlink_name} <br />
This command allows users to create a Regular Expression policy to associate a virtual<br />
service or a vlink with a group or another vlink.<br />
policy_name User specified name for the policy being configured.<br />
virtual_name|vlink_name The name of the virtual service or the vlink.<br />
group_name|vlink_name The name of the group or vlink.<br />
regex String in the form of [^]string1[*string2[*stringN]][$],<br />
where “^” matches the beginning of the URL, “*” means<br />
any sequence of 0 or more characters and “$” matches the<br />
end of the URL.<br />
Note: This string is case-sensitive. Administrators can<br />
configure whether to distinguish the uppercase or<br />
lowercase letters in this command via the command “slb<br />
mode regexcase {on|off}”.<br />
precedence A value between 0 and 65535 inclusive. The policy’s<br />
precedence is relative to other Regex policies.<br />
no slb policy regex <br />
This command is used to delete the specified Regex policy.<br />
show slb policy regex [policy_name]<br />
This command is used to display the specified Regex policy.<br />
clear slb policy regex<br />
This command is used to remove all Regex policies.<br />
slb policy header {virtual_name|vlink_name}<br />
{group_name|vlink_name} <br />
This command allows users to create a Header policy to associate a virtual service or a<br />
vlink with a group or another vlink. A Header policy is applied to the headers in incoming<br />
HTTP requests. If the “header_name” parameter of a Header policy is the same as the<br />
name of a header in an HTTP request, and the value of the header in the request matches<br />
the pattern specified in the “header_pattern” parameter, then the Header policy matches<br />
the request.<br />
policy_name The name identifying the policy. It can be an alphanumeric<br />
string with 1 to 20 characters. If the first character of the<br />
name is a number, then the name must be enclosed in<br />
double quotes.<br />
virtual_name|vlink_name The name of the virtual service or the vlink.<br />
group_name|vlink_name The name of the group or the vlink.<br />
header_name The name of the HTTP header to match in requests.<br />
header_pattern A pattern specifying which header values match the policy.<br />
String in the form of [^]string1[*string2[*stringN]][$],<br />
where “^” matches the beginning of the URL, “*” means<br />
any sequence of 0 or more characters and “$” matches the<br />
end of the URL.<br />
Note: This string is case-sensitive. Administrators can<br />
configure whether to distinguish the uppercase or<br />
lowercase letters in this command via the command “slb<br />
mode regexcase {on|off}”.<br />
precedence The precedence of this policy is relative to other Header<br />
policies for the same virtual service.<br />
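The pattern form [^]string1[*string2[*stringN]][$] shared by the regex policy above and the header_pattern of this Header policy, as an added Python matcher (not ArrayOS code); how the appliance itself matches, and which “slb mode regexcase” setting is the case-sensitive one, are assumptions:<br />

```python
"""Matcher for the pattern grammar used by ``slb policy regex`` and by the
``header_pattern`` of ``slb policy header``: [^]string1[*string2[*stringN]][$].

Added example, not ArrayOS code. The handbook's grammar is translated into a
Python regular expression: a leading "^" anchors at the start of the text, "*"
stands for any sequence of zero or more characters, a trailing "$" anchors at
the end, and every other character is matched literally. ``case_sensitive``
plays the role of ``slb mode regexcase {on|off}``; mapping "on" to
case-sensitive matching is an assumption.
"""
import re
from typing import List, Tuple


def to_regex(pattern: str) -> str:
    """Translate [^]s1[*s2...][$] into a Python regex source string."""
    anchored_start = pattern.startswith("^")
    body = pattern[1:] if anchored_start else pattern
    anchored_end = body.endswith("$")
    if anchored_end:
        body = body[:-1]
    # Everything except "*" is literal, so each piece is escaped; "*" becomes
    # ".*" (URL and header lines carry no newline, so DOTALL is not needed).
    regex = ".*".join(re.escape(piece) for piece in body.split("*"))
    return ("^" if anchored_start else "") + regex + ("$" if anchored_end else "")


def pattern_match(pattern: str, text: str, case_sensitive: bool = True) -> bool:
    """True if ``text`` (a URL or a header value) matches ``pattern``.

    Without "^" the pattern may match anywhere in the text, which is why
    re.search rather than re.match is used.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.search(to_regex(pattern), text, flags) is not None


# Constructed samples: (pattern, text, expected result with regexcase on).
SAMPLES: List[Tuple[str, str, bool]] = [
    ("^/images/*.png$", "/images/logo.png", True),
    ("^/images/*.png$", "/images/logo.PNG", False),      # case-sensitive
    ("^/images/*.png$", "/static/images/a.png", False),  # "^" anchors the start
    ("Mobile", "Mozilla/5.0 (Linux; Android) Mobile Safari", True),
    ("^Mozilla*Safari$", "Mozilla/5.0 Mobile Safari", True),
    ("^Mozilla*Safari$", "Mozilla/5.0 Safari build", False),
]


def check_samples() -> bool:
    """Run every sample through pattern_match and report whether all agree."""
    return all(pattern_match(p, t) == expected for p, t, expected in SAMPLES)


if __name__ == "__main__":
    for p, t, expected in SAMPLES:
        print(f"{p!r:22} {t!r:45} -> {pattern_match(p, t)} (expected {expected})")
```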
no slb policy header <br />
This command is used to delete the specified Header policy.<br />
show slb policy header [policy_name]<br />
This command is used to display the Header policy with the given name, or all<br />
configured Header policies if no policy name is given.<br />
clear slb policy header<br />
This command is used to delete all Header policies.<br />
slb policy hashurl {virtual_name|vlink_name}<br />
{group_name|vlink_name}<br />
This command allows users to create an SLB Hash URL policy to associate a virtual<br />
service or a vlink with a group or another vlink. The SLB Hash URL policy supports<br />
recoverable persistency. When a downed real service is up again, the original clients it<br />
served before will be balanced back to it. The Hash URL policy ranks just above the<br />
default policy in precedence. The requests to a virtual service will be hashed into one of<br />
the groups associated with the virtual service through some hashing function. If the hashed<br />
group has no real service available, the default group will be used.<br />
policy_name The name identifying the policy. It can be an alphanumeric<br />
string with 1 to 20 characters. If the first character of the<br />
name is a number, then the name must be enclosed in<br />
double quotes.<br />
virtual_name|vlink_name The name of the virtual service or the vlink.<br />
group_name|vlink_name The name of the group or vlink.<br />
slb policy default {virtual_name|vlink_name} {group_name|vlink_name}<br />
This command allows users to set a default policy to associate a virtual service or a vlink<br />
with a group or another vlink. You may only have one default policy per virtual service or<br />
vlink.<br />
virtual_name|vlink_name The name of the virtual service or the vlink.<br />
group_name|vlink_name The name of the group or the vlink. The Persistent Cookie<br />
(pc) and Persistent URL (pu) methods cannot be assigned<br />
as the default group policy.<br />
no slb policy default {virtual_name|vlink_name}<br />
This command is used to remove the default policy from a specified virtual service.<br />
show slb policy default [virtual_name|vlink_name]<br />
This command is used to display the default group for a virtual service.<br />
clear slb policy default<br />
This command is used to remove the default policy from all virtual services.<br />
slb policy backup {virtual_name|vlink_name} {group_name|vlink_name}<br />
This command allows users to set a backup policy to associate a virtual service or a vlink<br />
with a group or another vlink. You may only have one backup policy per virtual service<br />
or vlink. The group assigned to the virtual service or the vlink using the backup policy<br />
will be used only if there is at least one successful match in a prior policy, but all real<br />
services in all matches are down or overflowed.<br />
virtual_name|vlink_name The name of the virtual service or the vlink.<br />
group_name|vlink_name The name of the group or the vlink.<br />
no slb policy backup {virtual_name|vlink_name}<br />
This command is used to remove the backup policy from the virtual service.<br />
show slb policy backup [virtual_name|vlink_name]<br />
This command is used to display the backup group for a virtual service.<br />
clear slb policy backup<br />
This command is used to remove all backup policies.<br />
slb policy redirect <br />
<br />
This command allows users to create a redirect policy between a virtual service and a<br />
group. A redirect policy is applied to the URL host in incoming HTTP requests. If the<br />
“redirected_from_host” parameter of a redirect policy is the same as the host name of the<br />
URL in an HTTP request, then the redirect policy matches the request.<br />
policy_name The name identifying the policy. It can be an alphanumeric<br />
string with 1 to 20 characters. If the first character of the<br />
name is a number, then the name must be enclosed in<br />
double quotes.<br />
virtual_name The name of the virtual service.<br />
group_name The name of the group.<br />
redirected_from_host The host name in the HTTP request URL.<br />
Note: This string is case-sensitive. Administrators can<br />
configure whether to distinguish the uppercase or<br />
lowercase letters in this command via the command “slb<br />
mode regexcase {on|off}”.<br />
show slb policy redirect [policy_name]<br />
This command is used to display the redirect policy with the given name, or all<br />
configured redirect policies if no policy name is given.<br />
no slb policy redirect <br />
This command is used to delete the specified redirect policy.<br />
clear slb policy redirect<br />
This command is used to delete all the redirect policies.<br />
show slb policy group <br />
This command is used to display all the policies associated with a specified group. An<br />
SLB policy is used to map an SLB virtual service to a group. An SLB group may be<br />
mapped with single or multiple virtual services through multiple policies. This command<br />
helps to find all the policies concerned with the specified SLB group.<br />
clear slb policy group <br />
This command is used to remove all the policies concerned with the specified SLB group.<br />
After executing this command, all the SLB virtual services will be unmapped from the<br />
specified SLB group if they have been previously mapped.<br />
[no] slb virtual order <br />
This command is used to associate the specified order template to an SLB virtual service.<br />
The policy precedence for the virtual service will go by the order defined in the order<br />
template. Each SLB virtual service can only have one order template. If no order template<br />
is specified, the default precedence order is used. If another order template has been set<br />
for the virtual service, this command will modify it.<br />
show slb virtual order [order_template_name]<br />
This command is used to display the configured association between virtual services and<br />
the specified policy order template. If no order template name is specified, this command<br />
will display all configured association between virtual services and order templates.<br />
clear slb virtual order [order_template_name]<br />
This command is used to remove the configured association between virtual services and<br />
the specified policy order template. If no order template name is given, all associations<br />
between virtual services and order templates are cleared from the system.<br />
slb policy filetype <br />
This command allows users to define a filetype policy, which maps requests for the given<br />
file extension on a virtual service to a group.<br />
policy_name User specified name for the policy being configured.<br />
vs_name The name <strong>of</strong> the virtual service.<br />
group_name The name <strong>of</strong> the group.<br />
filetype The file extension.<br />
no slb policy filetype <br />
This command is used to remove the filetype policy with the given name.<br />
show slb policy filetype [policy_name]<br />
This command is used to display the filetype policy with the given name. If no policy<br />
name is given, display all the defined filetype policies.<br />
Other SIP Commands<br />
sip nat [udp|tcp] [timeout]<br />
[persistence_mode]<br />
This command allows users to configure a SIP NAT rule for a SIP real service. All the<br />
packets from the real service will have their source address translated to the virtual<br />
service address.<br />
virtual_ip The source IP will be translated to this IP.<br />
virtual_port The source port will be translated to this port. 0 means<br />
keeping the original source port.<br />
real_ip The source IP of the packet.<br />
real_port The source port of the packet. 0 means all ports.<br />
udp|tcp The protocol of the packets to be translated. Optional; the<br />
default is “udp”.<br />
timeout Timeout value in seconds. Optional; the default is 60.<br />
persistence_mode SIP NAT session persistence mode, either “callid” or<br />
“userid”. Optional; the default is “callid”.<br />
no sip nat [udp|tcp]<br />
This command is used to delete the SIP NAT rules for the specified real service.<br />
clear sip nat<br />
This command is used to delete all the SIP NAT rules.<br />
show sip nat<br />
This command is used to display all configured SIP NAT rules.<br />
show statistics sip nat<br />
This command is used to display the statistics information <strong>of</strong> all the SIP NAT rules.<br />
clear statistics sip nat<br />
This command is used to clear the statistics information <strong>of</strong> all the SIP NAT rules.<br />
sip multireg {on|<strong>of</strong>f}<br />
This command is used to turn on/<strong>of</strong>f the feature <strong>of</strong> SIP register packet forwarding. When<br />
“multireg” is on, a client registration request is served by only one real server, but all the<br />
other real servers in the same SIP server group will get a copy <strong>of</strong> the same client request<br />
forwarded by an <strong>APV</strong> appliance for registration data synchronization.<br />
Compatibility Check<br />
There are different types <strong>of</strong> real and virtual services. There are also various kinds <strong>of</strong> SLB<br />
policies and groups. We may refer to all <strong>of</strong> them as “SLB objects”. The relationships<br />
among all the SLB objects are complicated. Not all the SLB objects may be connected<br />
with all other objects. There are some compatibility issues among them depending on the<br />
objects, categories and types. The following commands help to clarify the compatibilities.<br />
show slb group compatible real <br />
This command is used to display all the existing groups compatible with a given real<br />
service. If a real service is compatible with an SLB group, it may be defined as a member<br />
<strong>of</strong> the group.<br />
Example:<br />
AN(config)#show slb group compatible real r1<br />
Output: “g1”<br />
show slb group compatible virtual <br />
This command is used to display all the groups compatible with a given virtual service. If<br />
a virtual service is compatible with an SLB group, it may be connected with this group by<br />
some types <strong>of</strong> SLB policies.<br />
show slb policy compatible <br />
This command is used to display all the policy types which can be used to connect the<br />
given SLB virtual service with the given SLB group.<br />
Example:<br />
AN(config)#show slb policy compatible g1 v1<br />
qos clientport<br />
qos network<br />
qos cookie<br />
qos hostname<br />
qos url<br />
regex<br />
header<br />
default<br />
backup<br />
redirect<br />
show slb real compatible groups <br />
This command is used to display all the existing real services compatible with a given<br />
group. If a real service is compatible with an SLB group, it may be defined as a member<br />
<strong>of</strong> the group.<br />
show slb virtual compatible groups <br />
This command is used to display all the existing virtual services compatible with a given<br />
group. If a virtual service is compatible with an SLB group, it may be connected with this<br />
group by some types <strong>of</strong> SLB policies.<br />
show slb real compatible healthcheck <br />
This command is used to display the corresponding health check types compatible with a<br />
given real service type. If the parameter “real_type” is set to “all”, the command will<br />
display the corresponding health check types compatible with all the real service types<br />
supported by <strong>APV</strong> appliance.<br />
Example:<br />
AN(config)#show slb real compatible healthcheck all<br />
tcp:icmp/tcp/script-tcp/none<br />
tcps:icmp/tcp/tcps/script-tcps/none<br />
http:icmp/tcp/http/script-tcp/none<br />
https:icmp/tcp/tcps/https/script-tcps/none<br />
dns:icmp/dns/script-udp/none<br />
ftp:icmp/tcp/script-tcp/none<br />
udp:icmp/script-udp/radius-auth/radius-acct/none<br />
ip:icmp/none<br />
rtsp:icmp/tcp/rtsp-tcp/script-tcp/none<br />
siptcp:icmp/tcp/sip-tcp/script-tcp/none<br />
sipudp:icmp/sip-udp/script-udp/none<br />
l2ip:arp/none<br />
l2mac:none<br />
Proxy Mode<br />
system mode reverse [virtual_name]<br />
This command is used to set the proxy mode <strong>of</strong> a virtual service to be reverse mode if the<br />
optional parameter “virtual_name” is provided. Otherwise, the global proxy mode will be<br />
changed to be reverse mode.<br />
system mode transparent [virtual_name]<br />
This command is used to set the proxy mode <strong>of</strong> a virtual service to be transparent mode if<br />
the optional parameter “virtual_name” is provided. Otherwise, the global proxy mode<br />
will be changed to be transparent mode.<br />
system mode triangle [virtual_name]<br />
This command is used to set the proxy mode <strong>of</strong> a virtual service to be triangle<br />
transmission mode if the optional parameter “virtual_name” is provided. Otherwise, the<br />
global proxy mode will be changed to be triangle transmission mode. Only TCP, UDP<br />
and IP virtual services are supported in triangle mode.<br />
[no] show system mode [virtual_name]<br />
This command is used to display the proxy mode setting <strong>of</strong> a virtual service if the<br />
optional parameter “virtual_name” is provided. Otherwise, the global proxy mode setting<br />
will be displayed.<br />
clear system mode<br />
This command is used to remove the proxy mode setting of every virtual service.<br />
Statistics<br />
Below are a series of commands that allow users to poll various statistics relating to Server<br />
Load Balancing. Each command focuses on a particular SLB element.<br />
show statistics slb real<br />
{dns|ftp|http|https|ip|l2ip|l2mac|rdp|rtsp|siptcp|sipudp|tcp|tcps|udp|all}<br />
[real_name]<br />
This command is used to display current statistics for one or all <strong>of</strong> the real services.<br />
clear statistics slb real<br />
{dns|ftp|http|https|ip|l2ip|l2mac|rdp|rtsp|siptcp|sipudp|tcp|tcps|udp|all}<br />
[real_name]<br />
This command is used to reset the statistics for one or all <strong>of</strong> the real services.<br />
show statistics slb group [group_name]<br />
This command is used to display current statistics for groups of real services. For SNMP<br />
SLB groups, the MIB values of each real service are displayed for monitoring purposes.<br />
clear statistics slb group [group_name]<br />
This command is used to reset current statistics for groups <strong>of</strong> real services.<br />
show statistics slb virtual<br />
{dns|ftp|ftps|http|https|ip|l2ip|rdp|rtsp|siptcp|sipudp|tcp|tcps|udp|all}<br />
[virtual_name]<br />
This command is used to display the statistics information <strong>of</strong> one or all <strong>of</strong> the virtual<br />
services.<br />
clear statistics slb virtual<br />
{dns|ftp|ftps|http|https|ip|l2ip|rdp|rtsp|siptcp|sipudp|tcp|tcps|udp|all}<br />
[virtual_name]<br />
This command is used to clear the statistics information <strong>of</strong> one or all the defined virtual<br />
services.<br />
show statistics slb policy static [virtual_name]<br />
This command is used to display how many times the static policy <strong>of</strong> the specified virtual<br />
service has matched a request. If no virtual service name is given, this command will<br />
show match counts for the static policies <strong>of</strong> all configured virtual services.<br />
show statistics slb policy virtual [virtual_name|vlink_name]<br />
This command is used to display the statistics <strong>of</strong> all policies associated to the defined<br />
virtual services or Vlink.<br />
show statistics slb policy filetype [policy_name]<br />
This command is used to display how many times the specified RTSP filetype policy has<br />
matched a request. If no policy name is given, the command displays the match counts<br />
for all defined RTSP filetype policies.<br />
clear statistics slb policy filetype [policy_name]<br />
This command is used to reset the match counts of the specified RTSP filetype policy. If<br />
no policy name is given, the command resets the match counts for all defined RTSP<br />
filetype policies.<br />
show statistics slb policy header [policy_name]<br />
show statistics slb policy redirect [policy_name]<br />
show statistics slb policy default [virtual_name]<br />
show statistics slb policy backup [virtual_name]<br />
show statistics slb policy persistent url [policy_name]<br />
show statistics slb policy persistent cookie [policy_name]<br />
show statistics slb policy icookie [policy_name]<br />
show statistics slb policy rcookie [policy_name]<br />
show statistics slb policy qos url [policy_name]<br />
show statistics slb policy qos hostname [policy_name]<br />
show statistics slb policy qos cookie [policy_name]<br />
show statistics slb policy regex [policy_name]<br />
show statistics slb policy qos network [policy_name]<br />
The above commands are respectively used to display the match counts <strong>of</strong> different types<br />
<strong>of</strong> policies. For the “show statistics slb policy default” and “show statistics slb policy<br />
backup” commands, if no virtual service name is given, the commands will respectively<br />
show match counts for default or backup policies <strong>of</strong> all configured virtual services. For<br />
other commands, if no policy name is given, the commands will respectively show match<br />
counts for all policies <strong>of</strong> the specified type.<br />
clear statistics slb policy header [policy_name]<br />
clear statistics slb policy redirect [policy_name]<br />
clear statistics slb policy default [virtual_name]<br />
clear statistics slb policy backup [virtual_name]<br />
clear statistics slb policy persistent url [policy_name]<br />
clear statistics slb policy persistent cookie [policy_name]<br />
clear statistics slb policy icookie [policy_name]<br />
clear statistics slb policy rcookie [policy_name]<br />
clear statistics slb policy qos url [policy_name]<br />
clear statistics slb policy qos hostname [policy_name]<br />
clear statistics slb policy qos cookie [policy_name]<br />
clear statistics slb policy regex [policy_name]<br />
clear statistics slb policy qos network [policy_name]<br />
The above commands are respectively used to reset the match counts <strong>of</strong> different types <strong>of</strong><br />
policies.<br />
URL Rewrite/Redirect HTTP/HTTPS<br />
http redirect url <br />
<br />
<br />
This command allows users to redirect any request whose host matches the specified host<br />
string and whose URL path matches the specified regex to a URL built from the new host<br />
and the rewritten path. Redirection is achieved by generating a 301 or 302 response whose<br />
Location header contains the modified URL.<br />
The maximum number <strong>of</strong> HTTP redirect rules allowed varies with the system memory:<br />
for the appliances with 1G or 2G memory, a maximum <strong>of</strong> 200 rules can be configured;<br />
for the appliances with 4G or 8G memory, a maximum <strong>of</strong> 400 rules are allowed.<br />
virtual_name The name <strong>of</strong> the assigned virtual service.<br />
policy_name The name <strong>of</strong> the HTTP redirect policy.<br />
priority The priority <strong>of</strong> rule; the larger, the higher.<br />
original_host The string to match against the “Host:” header. This parameter<br />
supports part match mode, i.e. users can input part of the host<br />
name: for example, if a user sets this parameter to “sample”, all<br />
host names in the requests containing the string “sample” will be<br />
selected. This parameter supports the wildcards “^”, “*” and “$”<br />
to match the host name: “^” matches the beginning of the host<br />
name, “*” means any sequence of 0 or more characters and “$”<br />
matches the end of the host name.<br />
path_regex The regular expression to match with the path <strong>of</strong> the<br />
request.<br />
new_protocol The scheme <strong>of</strong> redirected response, either HTTP or<br />
HTTPS.<br />
new_host The host part <strong>of</strong> redirected response.<br />
path_replacement The string to replace the part matching Path Regex.<br />
response_code HTTP status code to send back response with, either 301 or<br />
302.<br />
Example:<br />
AN(config)#http redirect url “vhost” “redirectpolicy” 10 “www.arraynetworks.com.cn”<br />
“/market” https “arraynetworks.com.cn” “/support” 301<br />
With this command the matching substring is “/market” and the replaced string is<br />
“/support”. So at the end the original URL<br />
http://www.arraynetworks.com.cn/market/faq/index.html will be redirected to<br />
https://arraynetworks.com.cn/support/faq/index.html.<br />
no http redirect url <br />
This command is used to remove a specified HTTP redirect policy from an HTTP virtual<br />
service configuration.<br />
show http redirect url [virtual_name]<br />
This command is used to display HTTP redirect policy for a specified virtual service or<br />
for all virtual services.<br />
clear http redirect url <br />
This command is used to remove all HTTP redirect policies for a specified virtual service<br />
or remove all HTTP redirect policies.<br />
http redirect https <br />
This command is used to configure an HTTP to HTTPS redirect for a virtual service: any<br />
request to the virtual service is redirected to the same URL with “http” replaced by<br />
“https”. Redirection is achieved by generating a 301 or 302 response whose Location<br />
header contains the modified URL. There is no limit on the total number of HTTPS<br />
redirect rules, but the number of virtual services is limited.<br />
no http redirect https <br />
This command is used to remove a specified HTTP-HTTPS redirect policy from an<br />
HTTP virtual service configuration.<br />
show http redirect https<br />
This command is used to display HTTP-HTTPS redirect policy for all virtual services.<br />
clear http redirect https<br />
This command is used to remove all HTTP-HTTPS redirect policies.<br />
http rewrite request url <br />
<br />
This command allows users to modify the “Host:” header and the path in the HTTP<br />
method line by rewriting the request before that request is sent to the backend.<br />
The maximum number <strong>of</strong> rewrite HTTP request rules allowed varies with the system<br />
memory: for the appliances with 1G or 2G memory, a maximum <strong>of</strong> 200 rules can be<br />
configured; for the appliances with 4G or 8G memory, a maximum <strong>of</strong> 400 rules are<br />
allowed.<br />
virtual_name The name <strong>of</strong> the assigned virtual service.<br />
policy_name The name <strong>of</strong> the HTTP rewrite policy.<br />
priority The priority <strong>of</strong> rule, larger is higher.<br />
original_host The string to match against the “Host:” header. This parameter<br />
supports part match mode, i.e. users can input part of the host<br />
name: for example, if a user sets this parameter to “sample”, all<br />
host names in the requests containing the string “sample” will be<br />
selected to be replaced. This parameter supports the wildcards<br />
“^”, “*” and “$” to match the host name: “^” matches the<br />
beginning of the host name, “*” means any sequence of 0 or more<br />
characters and “$” matches the end of the host name.<br />
path_regex The regular expression to match with the path <strong>of</strong> the<br />
request.<br />
Note: This string is case-sensitive. Administrators can<br />
configure whether to distinguish the uppercase or<br />
lowercase letters in this command via the command “slb<br />
mode regexcase {on|<strong>of</strong>f}”.<br />
new_host The string to replace the host part of the matched requests.<br />
Using “%r” as the new host means that the host part of the<br />
matched requests will be rewritten as the “ip:port” of the<br />
selected real service. If the selected real service is a<br />
port-range real service (whose port is 0), the port on which the<br />
APV appliance connects to the real service will be used.<br />
path_replacement The string to replace the part matching Path Regex.<br />
no http rewrite request url <br />
This command is used to remove a specified HTTP rewrite request URL policy from an<br />
HTTP virtual service configuration.<br />
show http rewrite request url [virtual_name]<br />
This command is used to display HTTP rewrite request URL policies for a specified<br />
virtual service or for all virtual services.<br />
clear http rewrite request url <br />
This command is used to remove all HTTP rewrite request URL policies for a specified<br />
virtual service or removes all HTTP rewrite request URL policies.<br />
http rewrite response url <br />
<br />
<br />
This command allows users to take the “Location:” header content from the backend and<br />
rewrite it.<br />
The maximum number <strong>of</strong> rewrite HTTP response rules allowed varies with the system<br />
memory: for the appliances with 1G or 2G memory, a maximum <strong>of</strong> 200 rules can be<br />
configured; for the appliances with 4G or 8G memory, a maximum <strong>of</strong> 400 rules are<br />
allowed.<br />
virtual_name The name <strong>of</strong> the assigned virtual service.<br />
policy_name The name of the HTTP rewrite policy.<br />
priority The priority <strong>of</strong> rule; the larger, the higher.<br />
original_protocol The scheme <strong>of</strong> original response either http, https or both.<br />
original_host The host string to match in the response “Location:” header.<br />
This parameter supports part match mode, i.e. users can<br />
input part of the host name: for example, if a user sets this<br />
parameter to “sample”, all host names in the responses<br />
containing the string “sample” will be selected to be<br />
replaced. This parameter supports the wildcards “^”, “*”<br />
and “$” to match the host name: “^” matches the beginning<br />
of the host name, “*” means any sequence of 0 or more<br />
characters and “$” matches the end of the host name.<br />
Note: This parameter does not take a regex, and there is no<br />
need to configure the port number for it.<br />
path_regex The regular expression to match with the path in the<br />
“Location:” header.<br />
Note: This string is case-sensitive. Administrators can<br />
configure whether to distinguish the uppercase or<br />
lowercase letters in this command via the command “slb<br />
mode regexcase {on|<strong>of</strong>f}”.<br />
new_protocol The scheme <strong>of</strong> redirected response, either http or https.<br />
new_host The host part <strong>of</strong> redirected response. The special format<br />
“%h” means the host in client request will be used.<br />
path_replacement The string to replace the part matching Path Regex.<br />
Example:<br />
AN(config)#http rewrite response url v1 re1 2 http “www.a.com” “/” http “www.b.com” “/”<br />
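The following Python model, added here as an example and not ArrayOS code, shows how an<br />
“http redirect url” rule and an “http rewrite response url” rule transform a URL: host<br />
wildcard matching with “^”, “*” and “$”, regex matching on the path with only the matched<br />
part replaced, priority ordering (larger first), the “slb mode regexcase” switch, and the<br />
“%h” substitution. Where the handbook is silent the code assumes that the highest-priority<br />
matching rule wins and evaluation stops, that host patterns are compared case-insensitively<br />
against the host name without its port, that the new host replaces the whole host:port part,<br />
that the query string is carried over unchanged, and that path_replacement is inserted<br />
literally. The rule classes, function names and sample URLs are this example's own; the<br />
allow-list check on “%h” is hardening added here, not an appliance feature.<br />

```python
"""Model of APV HTTP redirect / response-rewrite rules (illustrative, not ArrayOS code)."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def host_pattern_to_regex(pattern: str) -> str:
    """Translate the handbook's host wildcard syntax to a regex: '^' anchors the
    start, '$' the end, '*' is any run of characters, everything else is literal
    and matches anywhere in the host name (part match mode)."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch in "^$":
            out.append(ch)
        else:
            out.append(re.escape(ch))
    return "".join(out)


def host_matches(pattern: str, host: str) -> bool:
    # Assumption: compared case-insensitively against the name only (no port).
    return re.search(host_pattern_to_regex(pattern), host, re.IGNORECASE) is not None


def replace_path(path: str, path_regex: str, replacement: str, regex_case: bool) -> Optional[str]:
    """Replace the first part of the path matching path_regex; None if no match.
    regex_case=False models 'slb mode regexcase off'."""
    m = re.search(path_regex, path, 0 if regex_case else re.IGNORECASE)
    if m is None:
        return None
    return path[:m.start()] + replacement + path[m.end():]


@dataclass
class RedirectRule:            # http redirect url <vs> <policy> <priority> ...
    priority: int
    original_host: str
    path_regex: str
    new_protocol: str          # "http" or "https"
    new_host: str
    path_replacement: str
    response_code: int         # 301 or 302


def apply_redirect(rules: Iterable[RedirectRule], request_url: str,
                   regex_case: bool = True) -> Optional[Tuple[int, str]]:
    """Return (status, Location) from the highest-priority matching rule, else None."""
    u = urlsplit(request_url)
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if not host_matches(rule.original_host, u.hostname or ""):
            continue
        new_path = replace_path(u.path, rule.path_regex, rule.path_replacement, regex_case)
        if new_path is None:
            continue
        # Assumption: the query string is carried over unchanged.
        return rule.response_code, urlunsplit((rule.new_protocol, rule.new_host, new_path, u.query, ""))
    return None


@dataclass
class ResponseRewriteRule:     # http rewrite response url <vs> <policy> <priority> ...
    priority: int
    original_protocol: str     # "http", "https" or "both"
    original_host: str
    path_regex: str
    new_protocol: str
    new_host: str              # "%h" = host from the client request
    path_replacement: str


def rewrite_location(rules: Iterable[ResponseRewriteRule], location: str, client_host: str,
                     allowed_hosts: Optional[set] = None, regex_case: bool = True) -> str:
    """Rewrite a backend Location header; returned unchanged if no rule matches."""
    u = urlsplit(location)
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule.original_protocol != "both" and u.scheme != rule.original_protocol:
            continue
        if not host_matches(rule.original_host, u.hostname or ""):
            continue
        new_path = replace_path(u.path, rule.path_regex, rule.path_replacement, regex_case)
        if new_path is None:
            continue
        new_host = rule.new_host
        if new_host == "%h":
            # Hardening added in this example: the client controls its Host header,
            # so only reflect it when it is one of the virtual service's own names.
            if allowed_hosts is not None and client_host.lower() not in allowed_hosts:
                continue
            new_host = client_host
        return urlunsplit((rule.new_protocol, new_host, new_path, u.query, u.fragment))
    return location


if __name__ == "__main__":
    # The handbook's own example: /market -> /support, http -> https, 301.
    rule = RedirectRule(10, "www.arraynetworks.com.cn", "/market", "https",
                        "arraynetworks.com.cn", "/support", 301)
    print(apply_redirect([rule], "http://www.arraynetworks.com.cn/market/faq/index.html"))
```

A note on “%h”: it copies the client's Host header into the Location header. Since a client<br />
can send any Host value, a rule using “%h” on a virtual service that accepts requests for<br />
arbitrary host names turns a backend redirect into a redirect to an attacker-chosen host;<br />
restricting the reflected value to the virtual service's own names, as the example does,<br />
closes that gap.<br />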
no http rewrite response url <br />
This command is used to remove a specified HTTP rewrite response URL policy from an<br />
HTTP virtual service configuration.<br />
show http rewrite response url [virtual_name]<br />
This command is used to display HTTP rewrite response URL policies for a specified<br />
virtual service or for all virtual services.<br />
clear http rewrite response url <br />
This command is used to remove all HTTP rewrite response URL policies for a specified<br />
virtual service or removes all HTTP rewrite response URL policies.<br />
http rewrite response https <br />
This command is used to configure the rewriting of HTTP redirects to HTTPS for a virtual<br />
service: each HTTP redirect response for this virtual service is rewritten to an HTTPS<br />
redirect, and an HTTPS redirect response is rewritten to an HTTP one.<br />
no http rewrite response https <br />
This command is used to remove a specified HTTP-HTTPS rewrite policy from an HTTP<br />
virtual service configuration.<br />
show http rewrite https<br />
This command is used to display HTTP-HTTPS rewrite policies for all virtual services.<br />
clear http rewrite https<br />
This command is used to remove all HTTP-HTTPS rewrite policies.<br />
http rewrite request removeheader <br />
This command is used to add an HTTP rewrite policy to remove an HTTP header field<br />
from all the client requests for the specified virtual service.<br />
virtual_service An HTTP or HTTPS virtual service.<br />
header_name The header field to be removed.<br />
no http rewrite request removeheader <br />
This command is used to delete an HTTP rewrite policy <strong>of</strong> removing an HTTP header<br />
field from all the client requests for the specified virtual service.<br />
show http rewrite request removeheader [virtual_service]<br />
This command is used to display the HTTP rewrite policies <strong>of</strong> removing an HTTP header<br />
field from all the client requests for a specified virtual service. If the parameter<br />
“virtual_service” is null, display the HTTP rewrite policies <strong>of</strong> removing an HTTP header<br />
field from all the client requests for all the virtual services.<br />
clear http rewrite request removeheader [virtual_service]<br />
This command is used to remove the HTTP rewrite policies <strong>of</strong> removing an HTTP header<br />
field from all the client requests for a specified virtual service. If the parameter<br />
“virtual_service” is null, remove the HTTP rewrite policies <strong>of</strong> removing an HTTP header<br />
field from all the client requests for all the virtual services.<br />
http rewrite response removeheader <br />
This command is used to add an HTTP rewrite policy to remove an HTTP header field<br />
from all the server responses for the specified virtual service.<br />
virtual_service An HTTP or HTTPS virtual service.<br />
header_name The header field to be removed.<br />
no http rewrite response removeheader <br />
This command is used to delete an HTTP rewrite policy <strong>of</strong> removing an HTTP header<br />
field from all the server responses for the specified virtual service.<br />
show http rewrite response removeheader [virtual_service]<br />
This command is used to display the HTTP rewrite policies <strong>of</strong> removing an HTTP header<br />
field from all the server responses for a specified virtual service. If the parameter<br />
“virtual_service” is null, display the HTTP rewrite policies <strong>of</strong> removing an HTTP header<br />
field from all the server responses for all the virtual services.<br />
clear http rewrite response removeheader [virtual_service]<br />
This command is used to remove the HTTP rewrite policies <strong>of</strong> removing an HTTP header<br />
field from all the server responses for a specified virtual service. If the parameter<br />
“virtual_service” is null, remove the HTTP rewrite policies <strong>of</strong> removing an HTTP header<br />
field from all the server responses for all the virtual services.<br />
http requestbody {enable|disable}<br />
This command is used to turn on/<strong>of</strong>f the support <strong>of</strong> the HEAD/GET request with body.<br />
The function is <strong>of</strong>f by default.<br />
URL Filtering<br />
ArrayOS also offers the additional security mechanism of URL Filtering, which protects<br />
against buffer overflow attacks, parser evasion attacks, directory traversal attacks and<br />
other hacker strategies. The commands that implement ArrayOS URL Filtering are listed<br />
below. Note: The URL filtering mechanism must work together with L7 SLB.<br />
filter vip [virtual_service_name]<br />
This command allows users to create the URL filtering for a specified virtual service. The<br />
parameter “virtual_service_name” defaults to “global” which denotes global setting.<br />
filter mode {passive|active} [virtual_service_name]<br />
This command allows users to set what action the <strong>APV</strong> appliance will take if a bad URL<br />
request is received by the <strong>ArrayOS</strong>. The “passive” setting will allow the request to pass<br />
through the appliance while keeping a transaction record <strong>of</strong> the violation. The “active”<br />
setting will instruct the appliance to drop any request that violates the URL filtering<br />
protocols as configured by the user. By default, the active mode is used. The parameter<br />
“virtual_service_name” defaults to “global” which denotes global setting.<br />
[no] filter url character <br />
[virtual_service_name]<br />
This command allows users to specify ASCII values that are denied in a URL; a request<br />
whose URL contains one of them is refused access to the backend servers. The parameter<br />
“virtual_service_name” defaults to “global” which denotes global setting.<br />
filter url keyword match [virtual_service_name]<br />
This command is used to check whether the given string matches one of the configured<br />
regular expressions of the URL filter rules. It verifies that the configured regular<br />
expression rules are written correctly, so that the matched strings are really what the<br />
administrator wants to deny or permit. The parameter “virtual_service_name” defaults to<br />
“global” which denotes global setting.<br />
filter url keyword default {permit|deny} [virtual_service_name]<br />
This command allows users to set the default rule for URL filtering for virtual service. In<br />
conjunction with the “filter url keyword” command, this command provides the<br />
flexibility to define black and white lists for URL keyword filtering. Since this command<br />
depends on the “filter url keyword” command, it is required that no deny or permit rules<br />
for URL keyword filtering are present when user changes the default filter setting (default<br />
is permit). The parameter “virtual_service_name” defaults to “global” which denotes<br />
global setting.<br />
[no] filter url keyword {permit|deny} [virtual_service_name]<br />
This command allows users to set a specific keyword or string to alert the <strong>APV</strong> appliance<br />
as to the potential unwanted server request. This command is in conjunction with the<br />
“filter url keyword default” command.<br />
- If the “filter url keyword default” command is set to “permit”, users should choose<br />
the “deny” option of this command. Such a configuration results in rejecting requests<br />
with URLs that match the configured keywords.<br />
- If the “filter url keyword default” command is set to “deny”, users should choose<br />
the “permit” option of this command. Then all requests are rejected unless their<br />
URLs match the specified keywords.<br />
permit|deny Permit or deny a specific keyword.<br />
string The parameter “string” can take regular expression which<br />
is compatible with PERL’s. Note: “*” means matching the<br />
ahead subexpression for 0 or n times, which is different<br />
from “*” in the wildcard expression. If the character “*”<br />
needs to be matched, “\*” is used to meet the need, and the<br />
character “\*” is used to transfer the meaning. Typical<br />
formats are: “/upload/” matching any URL which includes<br />
the “/upload/” keyword, “\.exe” matching all the exe files<br />
and “/image/.” “*\.jpg” matching all jpg files under<br />
“/image” directory. If two or more matching rules match<br />
the same URL, cache filter will select the rule with the<br />
101
©2011 Array Networks, Inc.<br />
All Rights Reserved.<br />
longest match.<br />
Chapter 5 Server Load Balancing<br />
Note: The parameter URL only supports the regular<br />
expressions which are compatible with PERL’s. The<br />
meaning <strong>of</strong> “*” in the regular expressions differs from “*”<br />
in wildcard expression. Single “*” must be avoided to<br />
appear in a cache filter. Single “*” is meaningless in the<br />
regular expressions. (For example: cache filter rule<br />
“www.sina.com.cn” “*” “cache=yes” is not allowed). In<br />
the <strong>ArrayOS</strong> system, “.*” is used as the wildcard to match<br />
all URLs. The meaning <strong>of</strong> “.*” in regular expression is the<br />
same as that <strong>of</strong> “*” in the wildcard expressions.<br />
virtual_service_name The name <strong>of</strong> the virtual servive. It defaults to “global”<br />
which denotes global setting.<br />
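As an added illustration (not Array’s own code), the following Python models the permit/deny decision of “filter url keyword” together with the default setting and the longest-match rule described above. It assumes that permit and deny rules may coexist, that a zero-length regular-expression match does not count, and that ties are broken in favour of the rule added first.

```python
import re


class UrlKeywordFilter:
    """Model of the APV 'filter url keyword' decision (constructed example, not Array code)."""

    def __init__(self, default="permit"):
        self.default = None
        self.rules = []            # list of (action, compiled_regex, pattern)
        self.set_default(default)

    def set_default(self, default):
        # "filter url keyword default": no keyword rules may exist when the default changes.
        if default not in ("permit", "deny"):
            raise ValueError("default must be 'permit' or 'deny'")
        if self.rules:
            raise RuntimeError("remove all keyword rules before changing the default")
        self.default = default

    def add(self, action, pattern):
        # "filter url keyword {permit|deny} <string>": a Perl-compatible regular expression.
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if pattern.strip() == "*":
            raise ValueError('a single "*" is meaningless in a regular expression; use ".*"')
        self.rules.append((action, re.compile(pattern), pattern))

    def decide(self, url):
        """Return 'permit' or 'deny' for url: the rule with the longest match wins,
        and the default applies when no rule matches."""
        best_len, best_action = 0, self.default
        for action, regex, _ in self.rules:
            for m in regex.finditer(url):
                span = m.end() - m.start()
                if span > best_len:       # zero-length matches never count
                    best_len, best_action = span, action
        return best_action


def build_example_filter():
    """Constructed rule set: default permit with deny keywords, plus one more
    specific permit rule to show longest-match selection."""
    f = UrlKeywordFilter("permit")
    f.add("deny", "/upload/")
    f.add("deny", r"\.exe")
    f.add("deny", r"\.jpg")
    f.add("permit", r"/image/public/.*\.jpg")
    return f
```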
[no] filter type {integer|string} <variable_name> [virtual_service_name]
This command allows users to configure filtering of requests by the type of a variable in
the URL query (the section after the “?” in the URL). The APV appliance will allow or deny
requests depending on whether the value of the URL query variable named by the
“variable_name” parameter is of type “integer” or “string”. The parameter
“virtual_service_name” defaults to “global”, which denotes the global setting.
filter length {url|query|queryvariable|querydata|header|request}
[virtual_service_name]
This command allows users to set the length limit applied to separate parts of a request
being made to the network. The parameter “virtual_service_name” defaults to “global”, which
denotes the global setting. Default filter lengths are as follows:
• URL 1024
• query 1024
• queryvariable 128
• querydata 512
• header 1024
• request 10,000
filter alert [virtual_service_name]
This command allows users to enable or disable the email notification/alert related to a
specified virtual service. The “email_address” parameter must be enclosed in quotation
marks, and the DNS lookup of this email address depends upon the command “ip
nameserver”. The “threshold” parameter sets the number of dropped requests needed to
issue an email alert. The parameter “virtual_service_name” defaults to “global”, which
denotes the global setting.
filter request controlchar {on|off}
This command is used to turn on/off the control character filtering feature. By default,
control character-based filtering is on. When this feature is on, all characters following
a “%” (escape character) will be translated; if the translation fails, the whole URL is
denied. When this feature is off, all characters following a “%” (escape character) will
also be translated, but unlike the “on” mode, when the translation fails the failure is
ignored and the whole URL is accepted.
Permitted escaping patterns include:
%XX : XX is 00~FF, not including 00~1F and 7F
%uXXXX : XXXX is 0000~FFFF
Some translation examples are provided in the following table (for each URL, the result in
“on” mode and in “off” mode):
http://abc.com
  On:  http://abc.com
  Off: http://abc.com
http://abc.com/%30
  On:  http://abc.com/0 (translates successfully)
  Off: http://abc.com/0 (translates successfully)
http://abc.com/%00 ... http://abc.com/%1F
  On:  Deny. (fails to translate since %00~%1F are control characters)
  Off: http://abc.com/%00 ... http://abc.com/%1F (fails to translate, but keeps the characters)
http://abc.com/%7F
  On:  Deny. (fails to translate since %7F is a control character)
  Off: http://abc.com/%7F (fails to translate, but keeps the characters)
http://abc.com/%p
  On:  Deny. (fails to translate since “%” can only be followed by a HEX byte, e.g. %5B)
  Off: http://abc.com/%p (fails to translate, but keeps the characters)
http://abc.com/%u1234
  On:  http://abc.com/%u1234 (%u is a special case which is followed by two HEX bytes,
       e.g. %u5B5B; no translation is needed)
  Off: http://abc.com/%u1234
http://abc.com/%upq
  On:  Deny. (fails to translate)
  Off: http://abc.com/%upq (fails to translate, but keeps the characters)
http://abc%30.com
  On:  http://abc0.com (translates successfully)
  Off: http://abc0.com (translates successfully)
http://abc%00.com ... http://abc%1F.com
  On:  Deny. (fails to translate since %00~%1F are control characters)
  Off: http://abc%00.com ... http://abc%1F.com (fails to translate, but keeps the characters)
http://abc%7F.com
  On:  Deny. (fails to translate since %7F is a control character)
  Off: http://abc%7F.com (fails to translate, but keeps the characters)
http://abc%p.com
  On:  Deny. (fails to translate since “%” can only be followed by a HEX byte, e.g. %5B)
  Off: http://abc%p.com (fails to translate, but keeps the characters)
http://abc%u1234.com
  On:  http://abc%u1234.com (%u is a special case which is followed by two HEX bytes,
       e.g. %u5B5B; no translation is needed)
  Off: http://abc%u1234.com
http://abc%upq.com
  On:  Deny. (fails to translate)
  Off: http://abc%upq.com (fails to translate, but keeps the characters)
show filter all
This command is used to display the global setting and the current configuration of each
URL filtering protocol.
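The following Python is an added model (not Array’s code) of the “filter request controlchar” translation rules given above, reproducing the results in the table. It assumes each %XX byte is represented as a single code point and that, in “off” mode, escapes that translate successfully are still decoded while the failing ones are kept verbatim.

```python
import string

_HEX = set(string.hexdigits)
# %00~%1F and %7F are control characters and must not be produced by translation.
CONTROL_BYTES = set(range(0x00, 0x20)) | {0x7F}


def _is_hex(s):
    return len(s) > 0 and all(c in _HEX for c in s)


def translate_url(url, mode="on"):
    """Translate %-escapes in url as the handbook's table describes.

    Returns (accepted, translated_url). In "on" mode any translation failure
    denies the whole URL (False, None); in "off" mode failures are ignored,
    the offending characters are kept as they were and the URL is accepted.
    """
    if mode not in ("on", "off"):
        raise ValueError("mode must be 'on' or 'off'")
    out = []
    failed = False
    i = 0
    while i < len(url):
        if url[i] != "%":
            out.append(url[i])
            i += 1
            continue
        # %uXXXX: special case followed by two HEX bytes; kept verbatim, no translation.
        four = url[i + 2:i + 6]
        if url[i + 1:i + 2] == "u" and len(four) == 4 and _is_hex(four):
            out.append(url[i:i + 6])
            i += 6
            continue
        hex_byte = url[i + 1:i + 3]
        if len(hex_byte) == 2 and _is_hex(hex_byte):
            value = int(hex_byte, 16)
            if value in CONTROL_BYTES:
                failed = True            # control character: translation fails
                out.append(url[i:i + 3])
            else:
                out.append(chr(value))   # e.g. %30 -> "0", %5B -> "["
            i += 3
            continue
        # "%" not followed by a HEX byte (e.g. %p, %upq): translation fails.
        failed = True
        out.append("%")
        i += 1
    if failed and mode == "on":
        return False, None
    return True, "".join(out)
```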
show filter mode [virtual_service_name]
This command is used to display whether the APV appliance will operate in passive or
active mode with regard to dropping and logging suspect network queries. The parameter
“virtual_service_name” defaults to “all”, which displays all filter mode settings in the
system; “global” displays the global URL filter mode setting.
show filter vip [virtual_service_name]
show filter length [virtual_service_name]
show filter type {integer|string} [virtual_service_name]
show filter url keyword [virtual_service_name]
show filter url character [virtual_service_name]
show filter alert [virtual_service_name]
These commands are used to display the specific configurations of the filter parameters
indicated. The parameter “virtual_service_name” defaults to “all”, which displays all the
related settings; “global” displays the related global setting.
clear filter vip [virtual_service_name]
This command is used to remove a virtual service’s URL filter settings, including the global
setting. The parameter “virtual_service_name” defaults to “all”, which removes all the
related configurations in the system; “global” removes the related global setting.
clear filter mode [virtual_service_name]
clear filter length [virtual_service_name]
These commands are used to return the URL filter mode or the filter length to the default
settings respectively. The parameter “virtual_service_name” defaults to “all”, which resets
all the related URL filter settings to the default value; “global” returns the global
setting to the default value.
clear filter type {integer|string} [virtual_service_name]
clear filter url keyword [virtual_service_name]
clear filter url character [virtual_service_name]
clear filter alert [virtual_service_name]
These commands are used to remove the related URL filter settings.
show statistics filter url keyword default [virtual_service_name]
This command is used to display the total default hits for a particular virtual IP address.
The parameter “virtual_service_name” defaults to “all”, which displays all the related
statistics; “global” displays the related global statistics.
show statistics filter url keyword {deny|permit} [keyword]
[virtual_service_name]
This command is used to display keyword filter statistics for a particular keyword.
clear statistics filter url keyword default [virtual_service_name]
This command is used to clear the statistics of the total default hits.
clear statistics filter url keyword {deny|permit} [keyword]
[virtual_service_name]
This command is used to clear keyword filter statistics for a particular keyword string.
show connection [protocol] [content_type] [ip]
This command is used to display active connection(s), with protocol, content type and IP
address as filters.
protocol The connections’ protocol type: TCP, UDP or all (both TCP and UDP). This
  parameter is optional and the default value is “all”.
content_type “data” or “count”. “data” displays detailed information on the matched
  connections; “count” displays only the number of matched connections.
ip The IP address matching either the local or the remote IP address of active
  connections.
Example:
AN(config)#show connection tcp data 10.3.21.14
Proto Local Address Foreign Address state Interface
-----------------------------------------------------------------------
TCP 10.3.21.2:443 10.3.21.14:2470 ESTABLISHED em0
TCP 10.3.21.1:26491 10.3.21.14:80 ESTABLISHED em0
no connection <protocol> [local_ip] [local_port] [remote_ip] [remote_port]
This command is used to remove active connection(s), with protocol, IP and port filters:
protocol TCP, UDP or all (both TCP and UDP).
local_ip The local IP. Optional, and the default value is 0.0.0.0, which means all IP
  addresses.
local_port The local port. Optional, and the default value is 0, which means all port
  values.
remote_ip The remote IP. Optional, and the default value is 0.0.0.0, which means all IP
  addresses.
remote_port The remote port. Optional, and the default value is 0, which means all port
  values.
SLB Summary
Columns of the summary: SLB Type; Priority (1 is highest); Virtual Service; Real Service;
Health check; Scenarios.
L7 HTTP/HTTPS
  Priority: 2
  Virtual Service: IP + Port + proto (HTTP, HTTPS)
  Real Service: IP + Port + proto (HTTP, HTTPS)
  Health check: None, HTTP, HTTPS, TCP, TCPS, ICMP, Additional Script
  Scenarios: 1. Balance traffic according to application protocol headers, e.g. HTTP
  headers. 2. The cache feature is needed.
L7 DNS
  Priority: 2
  Virtual Service: IP + Port + proto (DNS)
  Real Service: IP + Port + proto (DNS)
  Health check: None, DNS, ICMP, Additional Script
  Scenarios: DNS requests. The DNS cache feature can be applied for better performance.
L7 FTP
  Priority: 2
  Virtual Service: IP + Port + proto (FTP)
  Real Service: IP + Port + proto (FTP)
  Health check: None, TCP, ICMP, Additional Script
  Scenarios: FTP traffic.
L7 SIP
  Priority: 2
  Virtual Service: IP + Port + proto (SIP-TCP, SIP-UDP)
  Real Service: IP + Port + proto (SIP-TCP, SIP-UDP)
  Health check: None, TCP, TCPS, ICMP, Additional Script, SIP-TCP, SIP-UDP
  Scenarios: Balance VOIP traffic.
L7 RTSP
  Priority: 2
  Virtual Service: IP + Port + proto (RTSP)
  Real Service: IP + Port + proto (RTSP)
  Health check: None, TCP, ICMP, Additional Script, RTSP-TCP
  Scenarios: Balance real-time media traffic.
L4
  Priority: 2
  Virtual Service: IP + port
  Real Service: IP + Port
  Health check: None, TCP, TCPS, ICMP, Additional Script
  Scenarios: 1. Balance traffic according to TCP/UDP headers. 2. A TCP port or UDP port is
  specified to determine a particular service.
Port range (for L7)
  Priority: 3
  Virtual Service: L7 VS + Port range
  Real Service: L7 RS; L7 RS (0 port)
  Health check: Non-zero port RS: L7 health check; Zero port RS: ICMP; Additional
  Scenarios: In addition to L7 SLB, cross-port and dynamic port application traffic
  balance is supported.
Port range (for L4)
  Priority: 3
  Virtual Service: L4 VS + Port range
  Real Service: L4 RS; L4 RS (0 port)
  Health check: Non-zero port RS: L4 health check; Zero port RS: ICMP; Additional
  Scenarios: In addition to L4 SLB, cross-port and dynamic port application traffic
  balance is supported.
L3
  Priority: 4
  Virtual Service: IP
  Real Service: IP
  Health check: None, ICMP, Additional
  Scenarios: In addition to port range SLB, cross-protocol application traffic balance is
  supported. Currently, only the TCP and UDP protocols are supported.
L2
  Priority: 1
  Virtual Service: IP + port ranges
  Real Service: IP, MAC
  Health check: ARP, Additional (only ICMP)
  Scenarios: 1. The backend real services don’t have usable IP addresses, so the traffic
  can’t be balanced according to IP addresses; 2. The backend real services are not the
  destination of the input traffic (e.g. virus scanners check every packet before
  forwarding it to the real destination).
Chapter 6 Link Load Balancing
For users who would prefer to deploy multiple firewall devices or protocols, it becomes
necessary to load balance the traffic passing back and forth between these devices.
ip eroute <name> <priority> <srcip> <srcmask> <srcport> <dstip> <dstmask> <dstport> <proto> <gatewayip>
[weight]
This command allows the administrator to direct outbound traffic to a preferred route based
on IP (source and destination), port (source and destination) and protocol type. Eroute
priority is higher than the priority of the default and static routes. Default routes have
priority 1 and static routes 101-132 depending on the netmask; i.e. a static route with a
24-bit netmask has priority 124 and one with a 32-bit netmask has priority 132. Routes that
correspond to the interfaces have priority 2000. The routes created based on traffic coming
from the local subnet are called droutes (Direct Routes) and also have priority 2000.
Droutes are created dynamically and expire after 1 hour.
The APV appliance supports at most 5000 eroutes (including normal eroutes and ISP routes),
among which at most 500 normal eroutes are supported. ISP routes are the routes whose
source subnet is all 0, port is 0 and protocol is “any”.
name Policy identifier (mostly used for the “no” and “show” versions of the command).
priority The priority number, 1001 through 1999 (inclusive). 1999 is the highest.
srcip/srcmask Dotted IP notation for the source subnet (e.g., 10.2.41.0 and 255.255.255.0).
  0.0.0.0 for the IP or netmask is a full wildcard.
srcport Source port. 0 is a wildcard. Ignored unless the protocol is TCP or UDP.
dstip/dstmask See “srcip/srcmask” above.
dstport See “srcport” above.
proto TCP, UDP or any.
gatewayip Gateway IP address.
weight Weight to be used for weighted round robin. Optional, and the default is 1.
no ip eroute <name>
This command is used to remove the configured extended routing policy.
clear ip eroute
This command is used to remove all extended routing policy configurations.
show ip eroute [all]
This command is used to display all extended routing policy configurations. If the
parameter “all” is typed, all the manual eroutes and the eroutes created by IP regions are
displayed in detail.
[show|clear] statistics eroute
This command is used to display or remove the running statistics related to extended
routing policy. The “clear” version will also clear droute, IPflow and RTS statistics.
ipregion table import <ipregion_name> <url>
This command is used to import an IP region table. The Array APV supports importing IP
region tables via an HTTP or FTP URL. Administrators can also import local IP region table
files via the WebUI.
ipregion_name Specify the name of the IP region.
url Specify the HTTP/FTP URL on the remote host from which to import the IP region table.
Note:
1. By default, there are three predefined IP region tables: “predefined_cernet”,
“predefined_cnc” and “predefined_ct”. It is recommended not to reuse the names of the
predefined IP region tables.
2. The routes and proximity rules configured for an IP region exist as a whole in the
system. Administrators cannot change or remove a single route or rule.
show ipregion name
This command is used to display the names of all existing IP regions in the system.
show ipregion table <ipregion_name>
This command is used to display the entries of a specified IP region table.
ipregion_name The name of the IP region.
no ipregion table <ipregion_name>
This command is used to remove a specified IP region table.
ipregion_name The name of the IP region.
clear ipregion table
This command is used to clear all IP region tables.
ipregion route <ipregion_name> <gateway> [priority] [weight]
This command is used to set the route for a specified IP region. If the destination IP
address of outbound traffic hits any entry in the IP region, it will be directed to the
corresponding gateway.
ipregion_name The name of the IP region.
gateway Gateway IP address.
priority Optional. Defines the route priority; the default value is 1999.
weight Optional. Defines the weight for the WRR method; the default value is 1.
show ipregion route
This command is used to display the route configurations of all IP regions.
no ipregion route <ipregion_name>
This command is used to remove the route configuration of a specified IP region.
ipregion_name The name of the IP region.
clear ipregion route
This command is used to clear the route configurations of all IP regions.
ip ipflow {on|off}
This command enables or disables the IPflow feature, which defines a mapping of a
particular source and destination address pair to some gateway. By default, the IPflow
feature is off.
ip ipflow priority <priority>
This command allows users to set a priority for the persistent mapping of a particular
source and destination address pair to some gateway. This priority is used in conjunction
with the eroute settings to determine the flow order. The priority value ranges from 1000
through 1999 (inclusive), where 1999 ranks as the highest. The default value is 1000. The
base priority value of eroute is 1001 and the highest is 1999. By default, eroute therefore
has higher priority than ipflow. However, the ipflow priority value can be increased; once
it is equal to or higher than the priority value of an eroute, ipflow gets higher priority
than that eroute.
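The following Python is an added illustration (not Array’s implementation) of how the priorities described for default, static, interface, eroute and ipflow routes decide the gateway for a flow, covering both the “ip eroute” description at the start of this chapter and the ipflow priority above. It assumes the five-tuple match semantics listed for “ip eroute”, models an ipflow entry as a /32 source/destination pair, and uses constructed RFC 5737 documentation addresses.

```python
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str  # "tcp", "udp" or another protocol name


@dataclass
class Route:
    kind: str              # "default", "static", "interface", "eroute", "ipflow"
    priority: int
    gateway: str
    dst_net: ipaddress.IPv4Network = ANY_NET
    src_net: ipaddress.IPv4Network = ANY_NET
    sport: int = 0         # 0 is a wildcard; ports are ignored unless proto is tcp/udp
    dport: int = 0
    proto: str = "any"

    def matches(self, f):
        if ipaddress.ip_address(f.dst) not in self.dst_net:
            return False
        if ipaddress.ip_address(f.src) not in self.src_net:
            return False
        if self.proto != "any" and self.proto != f.proto:
            return False
        if f.proto in ("tcp", "udp"):
            if self.sport and self.sport != f.sport:
                return False
            if self.dport and self.dport != f.dport:
                return False
        return True


def default_route(gateway):
    return Route("default", 1, gateway)                        # handbook: priority 1


def static_route(dst_net, gateway):
    net = ipaddress.ip_network(dst_net)
    return Route("static", 100 + net.prefixlen, gateway, net)   # /24 -> 124, /32 -> 132


def interface_route(dst_net):
    return Route("interface", 2000, "direct", ipaddress.ip_network(dst_net))


def eroute(priority, src_net, sport, dst_net, dport, proto, gateway):
    if not 1001 <= priority <= 1999:
        raise ValueError("eroute priority must be 1001..1999")
    return Route("eroute", priority, gateway, ipaddress.ip_network(dst_net),
                 ipaddress.ip_network(src_net), sport, dport, proto)


def ipflow_entry(src, dst, gateway, priority=1000):
    if not 1000 <= priority <= 1999:
        raise ValueError("ipflow priority must be 1000..1999")
    # Persistent mapping of one source/destination address pair to a gateway.
    return Route("ipflow", priority, gateway,
                 ipaddress.ip_network(dst + "/32"), ipaddress.ip_network(src + "/32"))


def select_gateway(routes, flow):
    """Return the gateway of the highest-priority matching route (None if none match).
    Equal priorities would fall to weighted round robin on the appliance; this
    model simply keeps the first one found."""
    best = None
    for r in routes:
        if r.matches(flow) and (best is None or r.priority > best.priority):
            best = r
    return best.gateway if best else None


def example_routes():
    """Constructed route table (hypothetical values)."""
    return [
        default_route("203.0.113.1"),
        static_route("10.0.0.0/8", "10.255.255.254"),
        # HTTPS from the 192.168.1.0/24 subnet leaves via a preferred gateway.
        eroute(1500, "192.168.1.0/24", 0, "0.0.0.0/0", 443, "tcp", "203.0.113.2"),
    ]
```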
ip ipflow expire [timeout]
This command is used to set the timeout value of IPflow, in seconds. Once the time
period elapses, the persistent mapping of a source and destination address pair to a
particular gateway is destroyed. The default is 60 seconds.
clear ip ipflow
This command is used to reset the configuration for IPflow and clear the IPflow table.
show ip ipflow
This command is used to display the configuration for IPflow.
show statistics ipflow
This command is used to display the running statistics related to IPflow.
ip statistic {on|off}
This command is used to turn the IP statistics function on or off. The default value is off.
Turning IP statistics off improves performance; however, it affects some other features,
such as SDNS and Flight Deck.
ip rts on [all|gateway]
This command is used to enable the RTS function. The RTS protocol ensures that the
transactions that pass through a particular router to a server will return through the same
router. By default, the “all” mode applies.
all RTS records all external senders that send packets to the unit. All packets will be
  sent back along the route on which they came.
gateway RTS records external senders only as configured gateways. Only the packets
  coming from these gateways will be sent back along the route on which they came.
  Note: The “gateway” should be set as the gateway configured via the commands “ip route
  default”, “ip eroute” and “ip route static”.
ip rts off
This command is used to disable the RTS function. The RTS function is disabled by
default.
ip rts expire [seconds]
This command allows users to set the timeout value of RTS, in seconds, i.e. how long an
RTS entry will be stored in an unused state before it expires. The default setting is 60
seconds.
clear ip rts
This command is used to reset the RTS configurations.
show ip rts
This command is used to display the RTS configurations.
show statistics rts
This command is used to display the running statistics related to RTS.
Example:
AN(config)#show statistics rts
RTS Statistics:
0 rts hits
0 ERT gateway matched
0 unknown gateway matched
4 failed for unknown gateway in gateway mode
0 failed for unknown gateway allocation
Use "clear statistics eroute" command to clear RTS statistics
Note: The maximum number of RTS entries allowed on the APV appliance varies with the
system memory. Please see the table below for details (each RTS entry takes about 264
bytes of memory).
System Memory   Max RTS Entries   Memory Usage
1G              10000             2.5M
2G              20000             5M
4G              40000             10M
llb statistics link {on|off}
This command is used to turn the LLB link statistics function on or off. This function
allows users to monitor LLB link status and network traffic.
[show|clear] statistics llb link [link_name]
This command is used to display or delete the statistics of all LLB links, including the
statistics of LLB link health checks and the statistics of LLB bandwidth. If a link name is
specified, only the statistics of the specified LLB link are displayed or removed.
The APV appliance identifies links based on the logical port and peer MAC address. The
statistics of LLB links are also collected based on the logical port and peer MAC address.
[no|show|clear] llb link route <link_name> <route_ip> [weight] [hc_srcip]
[bandwidth_threshold]
This command allows users to add an LLB link. The maximum number of LLB links allowed on
the APV appliance is 32.
By employing the “no” version of this command, users can delete an LLB link.
By employing the “show” version of this command, users can view the current LLB link
configuration.
By employing the “clear” version of this command without any parameters, users can remove
all the existing LLB links.
link_name A unique name given to an LLB link. All link-related configurations are defined
  upon the link name.
route_ip The gateway IP address of this LLB link. After executing this command, the system
  will automatically create an eroute with “route_ip” as its gateway, and the priority of
  that eroute is 2.
weight Optional parameter for weighted round robin. The default value is 1. The larger the
  number, the more often the link will be selected for link load balancing.
hc_srcip The IP address used as the source IP of the LLB health check packets. It defaults
  to the interface IP that is in the same subnet as the eroute gateway.
bandwidth_threshold The maximum bandwidth allowed for this link. This value is not a strict
  limit: if the real traffic load exceeds the allowed maximum bandwidth, the packets will
  not be dropped; they will be forwarded via other links.
Example:
AN(config)#llb link route “link1” 10.191.2.100 1 10.191.2.105
The following commands are used to configure ICMP-based, TCP-based and DNS-based
additional health checks respectively. At most 8 additional health checks can be
configured for each LLB link.
llb link health checker icmp <link_name> <host> [hc_interval] [timeout] [hc_up]
[hc_down]
This command is used to add an additional LLB health check of ICMP type for an existing
link.
link_name A unique name given to an LLB link. All link-related configurations are defined
  upon the link name.
host Additional health check host name or IP address, to which the APV sends ICMP requests
  for the link health check.
hc_interval Optional. The time interval (in seconds) of the health check. The default value
  is 10.
timeout Optional. The timeout (in seconds) of the health check. The default value is 5.
  Note: The timeout setting cannot be larger than the interval setting.
hc_up The number of health checks with a positive result to be performed before marking
  the service as “up”. The default value is 3.
hc_down The number of health checks with a negative result to be performed before marking
  the service as “down”. The default value is 3.
Example:
AN(config)#llb link health checker icmp “link1” “10.191.2.130” 3 3 3 3
AN(config)#llb link health checker icmp “link1” “10.191.2.131” 3 3 3 3
no llb link health checker icmp
This command is used to remove the ICMP additional health check configuration of a
specified link.
llb link health checker tcp <link_name> <host> <port> [hc_interval] [timeout]
[hc_up] [hc_down]
This command is used to add an additional LLB health check based on TCP for an existing
link.
©2011 Array Networks, Inc.<br />
All Rights Reserved.<br />
Chapter 6 Link Load Balancing<br />
link_name A unique name given to an LLB link. All the link-related<br />
configurations will be defined upon the link name.<br />
host Additional health check host name or IP address, to which<br />
<strong>APV</strong> sends TCP request for link health check.<br />
port Additional health check host port, which is used to listen<br />
upon TCP requests sent by <strong>APV</strong>.<br />
hc_interval Optional. The time interval (in seconds) <strong>of</strong> health check.<br />
The default value is 10.<br />
timeout Optional. The timeout (in seconds) <strong>of</strong> health check. The<br />
default value is 5. Note: The timeout setting cannot be<br />
larger than the interval setting.<br />
hc_up The number <strong>of</strong> health checks to be performed with a<br />
positive result before marking the service as “up”. The<br />
default value is 3.<br />
hc_down The number <strong>of</strong> health checks to be performed with a<br />
negative result before determining the service as “down”.<br />
The default value is 3.<br />
Example:<br />
AN(config)#llb link health checker tcp “link1” “www.xyz.com” 80 10 5 3 3<br />
AN(config)#llb link health checker tcp “link1” “10.191.2.141” 21 10 5 3 3<br />
no llb link health checker tcp <br />
This command is used to remove the TCP additional health check configuration about a<br />
specified link.<br />
llb link health checker dns [interval]<br />
[timeout] [hc_up] [hc_down]<br />
This command is used to add an additional LLB health check based on DNS for an<br />
existing link.<br />
link_name A unique name given to an LLB link. All the link-related<br />
configurations will be defined upon the link name.<br />
host DNS host name or IP address used by additional health<br />
check.<br />
domain_name Domain name for additional health check. Get link status<br />
117
©2011 Array Networks, Inc.<br />
All Rights Reserved.<br />
based on the resolution results.<br />
Chapter 6 Link Load Balancing<br />
    hc_interval  Optional. The time interval (in seconds) of the health check. The default value is 10.
    timeout      Optional. The timeout (in seconds) of the health check. The default value is 5. Note: The timeout setting cannot be larger than the interval setting.
    hc_up        The number of health checks with a positive result required before the service is marked "up". The default value is 3.
    hc_down      The number of health checks with a negative result required before the service is marked "down". The default value is 3.
Example:
AN(config)#llb link health checker dns "link1" "10.191.2.150" "www.test.com" 20 5 3 3
AN(config)#llb link health checker dns "link1" "10.191.2.151" "www.test.com" 20 5 3 3
no llb link health checker dns <link_name>
This command is used to remove the DNS additional health check configuration for a specified link.
clear llb link health checker
This command is used to remove all existing LLB additional health check configurations.
show llb link health checker
This command is used to display all existing LLB additional health check configurations.
llb link statistics on
This command is used to turn on the LLB link statistics.
llb link statistics off
This command is used to turn off the LLB link statistics.
show llb link status [detail]
This command is used to display the LLB link status information.
    detail  Optional. Shows the recent additional health check configurations and related summary information, such as the number of successful and failed health check requests.
show llb link bandwidth
This command is used to display the bandwidth information of inbound and outbound links.
llb link health {on|off}
This command is used to enable or disable link health check.
llb link enable <link_name>
This command is used to enable an LLB link. When a link is enabled, it will be used for outgoing traffic and for incoming traffic (by LLB DNS resolving).
llb link disable <link_name>
This command is used to disable an LLB link. When a link is disabled, it will NOT be used for outgoing traffic or for incoming traffic (by LLB DNS resolving).
Note:
Normally, network traffic will not enter or leave a disabled link. There are, however, some exceptions that are outside the appliance's control:
1. If the incoming traffic does not follow LLB DNS resolving, it might arrive on a disabled link;
2. If the RTS feature is turned on and the incoming traffic arrives on a disabled link, the related outgoing traffic will also go through the disabled link, since RTS has higher priority.
llb method inbound {rr|wrr|proximity}
This command allows users to define the inbound LLB method, which can be Round Robin (rr), Weighted Round Robin (wrr) or proximity. The default setting is "rr".
Note: To use the "proximity" method for inbound load balancing, first configure "ip eroute".
llb method outbound {rr|wrr|sr|dd} [time_interval] [count_interval]
This command allows users to define the outbound LLB method: Round Robin (rr), Weighted Round Robin (wrr), Shortest Response (sr) or Dynamic Detecting (dd).
The default setting is "rr". If the "dd" method is selected, you also need to set the following two parameters:
    time_interval   The interval between two dynamic detections. It defaults to 300 seconds and ranges from 60 to 7200.
    count_interval  The number of connection requests between two dynamic detections. It defaults to 1000 seconds and ranges from 10 to 5,000,000.
Note: The LLB DD method must be used together with a NAT configuration. If there is no NAT configuration related to the LLB link route, the DD method cannot work normally.
show statistics llb method outbound <method_name> [dst_net] [mask]
This command is used to display the statistics of the Dynamic Detecting (dd) method for the specified net.
    method_name  The name of the outbound LLB method: dd (dynamic detecting).
    dst_net      Destination IP address or net.
    mask         The mask of the destination IP address.
show llb method
This command is used to display the configuration for inbound and outbound balancing methods.
llb dns host <host_name> <ip> [weight] [port] [link_name]
This command is used to add a DNS A record for the specified host. Based on the IP and port in this command, SDNS will try to match the VS or RS configured in the SDNS system at the specified interval (defined by the command "sdns interval report"). If a match is found, the SDNS reporter process sets the health check status of the IP configured in this command to that of the matched VS or RS; if no match is found, the status of the IP configured in this command is set to "UP". SDNS only resolves "UP" IPs to users. Finally, the SDNS reporter process reports the configured IP, its status and the specified weight to the SDNS servers.
Up to 2048 SDNS hosts can be configured on each APV appliance, up to 128 VIPs can be configured for each SDNS host, and up to 65536 VIPs can be configured for each APV appliance.
    host_name  The name of the host which the SDNS system serves.
    ip         The IP to be reported to SDNS servers.
    weight     The weight or priority of the specified IP used by SDNS servers in the VWGRR or IPO algorithm. Its valid value ranges from 1 to 65535 and it defaults to 1.
    port       The port used to match a virtual service or a real service. If "port" is set to 0, the system first tries to match the first virtual service whose IP is the same as the configured "ip"; if no virtual service is matched, it then tries to match the first real service whose IP is the same as the configured "ip" and whose port is 0 (ip/l2ip/l2mac real service); if still no real service is matched, it tries to match the first real service whose IP is the same as the configured "ip". It ranges from 0 to 65535, and defaults to 0.
    link_name  The name of the LLB link (defined by "llb link route") it belongs to. This parameter is optional, and the default value is empty, which means the system will find the corresponding old link for it.
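The matching order described for "port" above, worked through as an added example (this is not ArrayOS or Array Networks code; the Service and DnsHost types, the sample services and addresses, and the rule for a non-zero port are constructed assumptions). The practical point for an operator is the fallback: an entry that matches no VS or RS is always reported "UP", so a mistyped IP is advertised in DNS with no health check behind it, and unmonitored_hosts() flags exactly those entries.

```python
# Added example (not part of the ArrayOS handbook or Array Networks code):
# models how the SDNS reporter derives the status of an "llb dns host" entry.
# The port-0 matching order follows the handbook; the non-zero port rule is
# an assumption (match IP and port exactly, virtual services before real ones).
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Service:
    kind: str    # "vs" = virtual service, "rs" = real service
    ip: str
    port: int    # 0 for ip/l2ip/l2mac real services
    status: str  # health check status: "UP" or "DOWN"


@dataclass(frozen=True)
class DnsHost:
    host_name: str
    ip: str
    weight: int = 1
    port: int = 0


def match_service(ip: str, port: int, services: Sequence[Service]) -> Optional[Service]:
    """Return the VS or RS that the reporter pairs with a configured (ip, port)."""
    vss = [s for s in services if s.kind == "vs"]
    rss = [s for s in services if s.kind == "rs"]
    if port == 0:
        for s in vss:                      # 1) first virtual service with the same IP
            if s.ip == ip:
                return s
        for s in rss:                      # 2) first real service with same IP and port 0
            if s.ip == ip and s.port == 0:
                return s
        for s in rss:                      # 3) first real service with the same IP, any port
            if s.ip == ip:
                return s
        return None
    for s in vss + rss:                    # assumption for a non-zero port
        if s.ip == ip and s.port == port:
            return s
    return None


def reported_status(host: DnsHost, services: Sequence[Service]) -> str:
    """Status reported to SDNS: the matched service's health, or UP when nothing matches."""
    matched = match_service(host.ip, host.port, services)
    return matched.status if matched is not None else "UP"


def resolvable_ips(host_name: str, hosts: Sequence[DnsHost],
                   services: Sequence[Service]) -> List[Tuple[str, int]]:
    """(ip, weight) pairs SDNS would hand out: only IPs whose reported status is UP."""
    return [(h.ip, h.weight) for h in hosts
            if h.host_name == host_name and reported_status(h, services) == "UP"]


def unmonitored_hosts(hosts: Sequence[DnsHost], services: Sequence[Service]) -> List[DnsHost]:
    """Audit helper: entries that match no VS/RS and are therefore always reported UP."""
    return [h for h in hosts if match_service(h.ip, h.port, services) is None]


# Constructed sample configuration (not taken from the handbook).
SERVICES = [
    Service("vs", "10.191.2.150", 80, "UP"),
    Service("rs", "10.191.2.151", 0, "DOWN"),
    Service("rs", "10.191.2.152", 8080, "UP"),
]
HOSTS = [
    DnsHost("www.test.com", "10.191.2.150"),
    DnsHost("www.test.com", "10.191.2.151", weight=2),
    DnsHost("www.test.com", "10.191.2.152", port=8080),
    DnsHost("www.test.com", "10.191.2.199"),  # typo: nothing serves this IP
]

if __name__ == "__main__":
    print(resolvable_ips("www.test.com", HOSTS, SERVICES))
    print([h.ip for h in unmonitored_hosts(HOSTS, SERVICES)])
```

Running the block prints the three IPs SDNS would resolve (the DOWN real server is withheld) and lists 10.191.2.199 as an entry with no health check behind it.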
no llb dns host
This command is used to remove a DNS A record for the specified host.
clear llb dns host
This command is used to clear all LLB DNS host configurations.
show llb dns host [host_name]
This command is used to show the information about configured LLB DNS hosts.
[show] llb dns ttl <host_name> [seconds]
This command is used to set the TTL of an inbound host DNS entry (0 seconds means no cache). The "host_name" parameter must be in the format "www.xyz.com". The "show" version of this command displays the TTL configuration of the specified inbound host DNS entry.
show statistics droute
This command is used to display the statistics of a droute.
clear droute
This command is used to delete a droute table.
Chapter 7 Reverse Proxy Cache
Cache Commands
cache {on|off} <virtual_service>
This command is used to enable or disable the Reverse Proxy Cache for a specified virtual service. By default, the cache is turned off. Turning the cache off does not change the current cache configuration or the contents in the system.
show cache status
This command is used to display the current status (on or off) of the cache function.
cache settings objectsize <size>
This command is used to set the maximum size of an object that can be cached. The size must be specified in kilobytes. The default value is 5120KB. The minimum size allowed is 1KB. The maximum size allowed depends on the system memory of the APV appliance:
    System Memory  Max Size of Cache Object
    4GB            10240KB (10MB)
    8GB            20480KB (20MB)
    16GB           40960KB (40MB)
cache settings expire {hh:mm:ss|seconds}
This command is used to set the global (for all objects in cache) expiration time. The default value is 82,800 seconds (23 hours). The expiration time must be specified either in the format "hh:mm:ss", or in seconds enclosed in double quotes.
The global expiration time is used as the expiration time for an object in cache only if the expiration time cannot be calculated using the Expiration Model specified in Section 13.2 of RFC 2616.
If the expiration time is specified in seconds, the acceptable value is from "0" to "2147483647" seconds. "0" means the contents expire immediately after being stored in the cache.
Three types of cache expiration time are involved in the cache process:
- The expiration time defined by the "Expires" field in the HTTP header;
- The global cache expiration time configured via the command "cache settings expire";
- The TTL time specified by the "ttl" parameter in the command "cache filter rule".
The priorities of the three expiration times are as follows:
1. The expiration time configured in "cache filter rule" is used first.
2. If the "ttl" parameter is not specified, the global expiration time specified by the "cache settings expire" command applies.
3. For cache content that does not match any cache filter rule, the expiration time defined in the HTTP header applies.
4. If no "Expires" field is available in the HTTP header, the configuration of "cache settings expire" is followed.
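The four-step precedence above, together with the two input formats accepted by "cache settings expire", as an added example (not ArrayOS code; the function names, the handling of a malformed or time-zone-less Expires date, and the sample timestamp are assumptions). It also shows the consequence of setting the global value to "0": an object stored at a given instant is already stale at that same instant.

```python
# Added example (not ArrayOS or Array Networks code): applies the handbook's
# four-step expiration precedence and parses both "cache settings expire" forms.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

DEFAULT_GLOBAL_EXPIRE = 82800  # seconds (23 hours), the handbook's default
SAMPLE_STORED_AT = datetime(2011, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed


def parse_expire_setting(value: str) -> int:
    """Accept "hh:mm:ss" or a quoted/unquoted number of seconds and return seconds."""
    value = value.strip().strip('"')
    if ":" in value:
        hh, mm, ss = (int(part) for part in value.split(":"))
        seconds = hh * 3600 + mm * 60 + ss
    else:
        seconds = int(value)
    if not 0 <= seconds <= 2147483647:
        raise ValueError("expire must be between 0 and 2147483647 seconds")
    return seconds


def effective_expiry(stored_at: datetime, matched_rule: bool, rule_ttl: Optional[int],
                     expires_header: Optional[str],
                     global_expire: int = DEFAULT_GLOBAL_EXPIRE) -> datetime:
    """Absolute time after which a stored object is stale.

    1. A matching cache filter rule with ttl=n wins.
    2. A matching rule without ttl falls back to the global setting.
    3. With no matching rule, the response's Expires header applies.
    4. Without a usable Expires header, the global setting applies.
    """
    if matched_rule and rule_ttl is not None:
        return stored_at + timedelta(seconds=rule_ttl)
    if matched_rule:
        return stored_at + timedelta(seconds=global_expire)
    if expires_header:
        try:
            expires = parsedate_to_datetime(expires_header)
            if expires.tzinfo is None:  # assumption: a naive date is taken as UTC
                expires = expires.replace(tzinfo=timezone.utc)
            return expires
        except (TypeError, ValueError):
            pass  # assumption: a malformed Expires falls through to the global value
    return stored_at + timedelta(seconds=global_expire)


def ttl_seconds(matched_rule: bool, rule_ttl: Optional[int], expires_header: Optional[str],
                global_expire: int = DEFAULT_GLOBAL_EXPIRE,
                stored_at: datetime = SAMPLE_STORED_AT) -> int:
    """Seconds of freshness granted to an object stored at stored_at."""
    expiry = effective_expiry(stored_at, matched_rule, rule_ttl, expires_header, global_expire)
    return int((expiry - stored_at).total_seconds())


def is_fresh(now: datetime, expiry: datetime) -> bool:
    """True while the object may be served without revalidation."""
    return now < expiry
```

Because step 3 compares an absolute Expires date against the appliance's own clock, a real server whose clock runs ahead or behind shifts every such expiry; the statistics output later in this chapter carries the same warning.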
show cache settings
This command is used to display the current cache configuration, including the expiration time of objects in cache (cache settings expire) and the maximum size of an object in cache (cache settings objectsize).
show statistics cache [virtual_service]
This command is used to display all the current HTTP cache statistics. If a virtual service is provided, the cache statistics for that virtual service are displayed.
Note: Cache statistics are only available for HTTP and HTTPS virtual services.
Example:
AN(config)#show statis cache
Reverse Proxy Cache Global Statistics:
Basic Statistics:
  Requests received: 3601254
  Requests with GET method: 3601254
  Requests with HEAD method: 0
  Requests with PURGE method: 0
  Requests with POST method: 0
  Number of open client connections: 115
  Number of open server connections: 115
  Requests redirected to HTTPS: 0
  Requests redirected based on regex match: 0
  Requests forwarded with rewritten url: 0
  Locations rewritten to HTTPS: 0
  Locations rewritten based on regex match: 0
  Cache skip, cache off: 3601254
  Cache hit, reply using cache: 0
  Cache hit, reply with "Not Modified": 0
  Cache hit, reply with "Precondition Failed": 0
  Cache hit, revalidate: 0
  Cache miss, noncacheable requests: 3601254
  Cache miss, create new entry: 0
  Cache miss, create new entry, resp noncacheable: 0
  Hit ratio: 0.00%
  (Notice: the real server's time should be in sync with this machine.
  Otherwise, the time difference could expire the cachable objects
  resulting in low cache hit ratio.)
Advanced Statistics:
  Number of cache objects: 0
  Number of cache frames: 0
  Successful cache probes:0
  Why were certain requests sent to the server?
  a) We had to revalidate the cached object due to:
    Request with "no-cache": 0
    Requset with "maxage=0": 0
    Cached object had "no-cache": 0
    Cache object expired: 0
  b) We had to bypass cache for some requests because:
    Cache was filling when request was made: 0
    Revalidation failed due to IMS mismatched: 0
    Client has newer copy, cannot send from cache: 0
    Object in cache is chunked, cannot give to 1.0 client: 0
    Network memory utilization was too high: 0
  c) Request cannot be served from cache because:
    Cache filter denied caching: 0
    Requests with "no-store": 0
    Requests with "authorization": 0
    Requests with cookies: 0
    Requests with range: 0
    Requests non GET, non HEAD: 0
    Requests URL too long: 0
    Requests host too long: 0
  d) Error occurred while doing cache lookup
    Network memory shortage when cache hit (200, 304): 0
    Cache was not accessible: 0
    Fail to send cache lookup to cache: 0
    Fail to find url and host: 0
    Fail to parse cache specific http request headers: 0
    Fail to create a new cache object: 0
    Noncacheble requests due to other errors: 3601254
  Why were certain responses not stored in cache?
  a) HTTP directive in response told us not to cache
    HTTP response code not 200, 300 or 301: 0
    Response had a "no-store": 0
    Response had a "private": 0
    Response had a "set-cookie": 0
    Response had a "vary": 0
  b) The response did not meet our guidelines for cacheability
    Response noncacheable too big: 0
  c) Error occurred when trying to cache response
    Cache storage limit exceeded based on header data: 0
    Cache storage limit exceeded based on payload: 0
    Network memory shortage when storing response body: 0
    Cache object was deleted before response arrived: 0
    Fail to parse cache specific http response headers: 0
    Fail to store response headers in cache: 0
    Fail to store response body in cache: 0
    Cache object was aborted due to connection reset: 0
    Noncacheble responses due to other errors: 0
The following are explanations of the items in the output above.
Basic Statistics
    Output Item                                Description
    Requests received                          Total requests received by the APV appliance.
    Requests with GET method                   Total GET requests received by the APV appliance.
    Requests with HEAD method                  Total HEAD requests received by the APV appliance.
    Number of open client connections          Total number of open connections with clients.
    Number of open server connections          Total number of open server connections.
    Cache miss, new entry created              Count of times the cache table has been searched, no matching entry has been found and a new entry is created. Note that sometimes an entry is created temporarily (i.e. for an IMS (If-Modified-Since) request resulting in a 304) and is deleted after it is sent to the client (delayed delete).
    Cache miss, noncacheable requests          This request does not result in a cache table search. Something in the request makes the APV appliance deem it non-cacheable (i.e. a very long URL, a "Cache-Control: no-store" header, etc.).
    Cache revalidate                           The requested object has been found in the cache. However, the request requires revalidation (due to a client generated revalidate, a proxy generated revalidate or a proxy generated forced miss).
    Cache hit, reply using cache               The APV appliance has found the requested URL in the cache. The object is fresh and the APV appliance does not have to revalidate. The object is served from the cache.
    Cache hit, reply with "Not Modified"       The APV appliance receives an IMS (If-Modified-Since) header in the request, validates the timestamp and decides that the client's copy of this object is fresh. The APV appliance generates a 304 response and sends it to the client.
    Hit ratio                                  Cache hit reply using cache + cache hit reply with "not modified".
Advanced Statistics
    Output Item                                Description
    Number of cache frames                     Number of network buffers used by the cache.
    Successful cache probes                    Number of times the APV appliance has searched the cache table and found something. Note that this does not imply a cache hit. The APV appliance may have found a stale object, the request may have cookies, etc., so that the object found in the cache is not used.
    Cache revalidate, request with "no-cache"  The requested object has been found in the cache but the request has a "Cache-Control: no-cache" header. So the APV appliance forwards the request to the backend server and updates the cache with the response received.
    Cache revalidate, client IMS forward       The request has an IMS (If-Modified-Since) header; the object has been found in the cache but it is stale. The APV appliance forwards the original request to the backend server and updates the cached object when the response comes back (Note: this may only involve updating the timestamps on the cached response if a 304 Not Modified response is received).
    Cache revalidate, proxy IMS forward        The request does not have an IMS (If-Modified-Since) header; the object has been found in the cache but it is stale. So the APV appliance inserts an IMS header into the request (if it can assemble one from the information in the other request headers; otherwise this is treated as a cache miss) and sends the request to the backend server. When a response comes back, the APV appliance updates the cache entry.
    Cache revalidate, not modified             When the APV appliance receives a "304 Not Modified" response, it increments this counter (irrespective of whether the request that generated this response was an IMS from the client or one generated by the appliance).
    Cache miss, requests with cookies          The requested object has been found in the cache. However, the request contains cookies. The request is forwarded to the backend server. The cache will not be updated.
    Cache miss, requests with range            The requested object has been found in the cache. However, the request contains a range header. The request is forwarded to the backend server. The cache will not be updated.
    Cache miss, HTTP version mismatch          This counter should always be zero.
    Cache miss, IMS mismatch                   The APV appliance receives an IMS (If-Modified-Since) header in the request, validates the timestamp and decides that the client's copy of this object is stale. So the APV appliance forwards the request to the backend server (essentially, this is treated as a cache miss).
    Cache miss, server driven negotiation      The requested object has been found in the cache. However, the cached response contains a "vary" header forcing comparison of certain request headers. This comparison fails and the APV appliance treats this as a cache miss. The APV appliance forwards the request to the backend server. The cache will not be updated.
    Cache miss, negative entry hit             The request results in a negative cache hit. Negative caching is when the APV appliance caches HTTP responses with HTTP error codes, for example 404, 302, 503, etc.
    Requests redirected to HTTPS               The requests that have been redirected to HTTPS.
clear statistics cache [virtual_service|all]
This command is used to clear the cache statistics, including the number of cache hits and the number of requests. If a virtual service is provided, the cache statistics for that virtual service are cleared. If the "all" keyword is used, the statistics for all HTTP and HTTPS virtual services are cleared. If no argument is provided, the global cache statistics are cleared.
show cache content <host_name> <url_regex>
This command is used to display information about the cache objects that match the specified host name and URL regex.
    host_name  Specify the host name of the objects.
    url_regex  Specify the regular expression for the URLs of the objects.
clear cache content
This command is used to remove all cache objects from the cache. This operation does not change the current cache configuration in the system.
cache filter {on|off}
This command is used to enable or disable the cache filter function. By default, the cache filter is turned off.
cache filter rule <host_name> <url> {force_cache|urlquery|ttl}
This command is used to create a cache filter rule that defines the cache behavior of the APV appliance for the objects matched by "host_name" and "url". The parameters "host_name" and "url" define the host and URL address to impose the cache filter on. The host name does not take a regular expression and must be a complete keyword. In "url", you can use any meaningful PERL-compatible regular expression. The "force_cache" parameter takes "force_cache=yes" or "force_cache=no" to decide whether to cache the matched objects. The "urlquery" parameter takes "urlquery=yes" or "urlquery=no" to decide whether to ignore the URL query string in the user request. The parameter "ttl" (Time to Live) decides how long to cache the object.
    host_name  "host_name" and "url" define the address to impose the cache filter rule on.
    url        The URL can be a PERL-compatible regular expression. For example, "*" means matching the preceding subexpression 0 or more times, which differs from "*" in a wildcard expression. To match a literal "*" character, write "\*"; the backslash escapes the character. Typical formats are: "/upload/" matching any URL which includes the "/upload/" keyword, "\.exe" matching all exe files and "/image/.*\.jpg" matching all jpg files under the "/image" directory. If two or more rules match the same URL, the cache filter selects the rule with the longest match.
Note: The parameter "url" only supports PERL-compatible regular expressions. The meaning of "*" in a regular expression differs from "*" in a wildcard expression. A single "*" must not appear in a cache filter, since a single "*" is meaningless in a regular expression (for example: cache filter rule "www.sina.com.cn" "*" "force_cache=yes" is not allowed). In the Array system, ".*" is used as the wildcard to match all URLs; ".*" in a regular expression means the same as "*" in a wildcard expression.
    force_cache|urlquery|ttl  "force_cache=yes|no" decides whether to cache the matched objects. If "force_cache=yes", the matched objects are cached and the information in the cache control header is ignored.
                              "urlquery=yes|no" decides whether to ignore the URL query string in the user request. The default value is "urlquery=no", which means the URL query string is not ignored.
                              "ttl=n". TTL defines the freshness time in seconds of cache contents, i.e. how long a cached object can be used before the APV appliance must re-fetch or refresh the object.
                              (Note: At least one of these options must be given. You can configure two or all three options. The configured values must all be enclosed in double quotes. For details, see the examples below.)
Cache filter rules change the cache system behavior. The table below lists the behavior of the cache system after cache filter rules are configured.
    Control Keyword  Configuration  Behavior
    force_cache      yes            The request will be served from cache even with these cache control fields: request with cache-control no-store; request with cache-control no-cache; request with authorization; request with cookie. The response with the following cache control fields can be cached: response with cache-control no-store; response with cache-control no-cache; response with cache-control private; response with set-cookie.
    force_cache      no             Force no cache if matched.
    force_cache      not set        Follow the configuration in the caching control header.
    urlquery         yes            Cache will ignore the query string in the URL.
    urlquery         no             Cache will not ignore the query string in the URL.
    urlquery         not set        Cache will not ignore the query string in the URL.
    ttl              new_ttl_value  Matched cache object will use the new_ttl_value.
    ttl              not set        Use the default TTL value configured by "cache settings expire" or use the TTL specified in the cache control field.
Additional configuration and usage notes:
"cache=yes" means the request will be served from cache even with these cache control fields:
- request with cache-control no-store
- request with cache-control no-cache
- request with authorization
- request with cookie
The response with the following cache control fields can be cached:
- response with cache-control no-store
- response with cache-control no-cache
- response with cache-control private
- response with set-cookie
"cache=no" means the user forces the object not to be cached, regardless of whether the headers allow the object to be cached.
If "cache" is not specified, the cache filter follows the configuration in the caching control header.
In cache filters, TTL can be used in two ways:
cache filter rule "force_cache=yes" "ttl=n"
In this case, all objects matched by the host name and URL regular expression are forced to be cached for TTL seconds. After TTL seconds, the APV appliance must refresh or revalidate the objects before they can be used again.
cache filter rule "ttl=n"
In this case, all objects matched by the host name and URL regular expression first obey the freshness time specified in the objects, if the objects contain TTL-related control directives. Otherwise, the objects use the TTL value specified in the rule.
Examples:
1. Cache specific types of files; other files follow the server's cache directives.
AN(config)#cache filter rule www.xyz.com ".*\.jpg" "cache=yes"
This caches all "jpg" files for the host "www.xyz.com".
2. Cache all "gif" files for the host "www.xyz.com" and override their TTL value to 200000 seconds.
AN(config)#cache filter rule www.xyz.com ".*\.gif" "cache=yes" "ttl=200000"
3. Cache specific types of files; other files should NOT be cached.
AN(config)#cache filter rule www.xyz.com ".*\.jpg" "cache=yes"
AN(config)#cache filter rule www.xyz.com ".*\.gif" "cache=yes" "ttl=200000"
AN(config)#cache filter rule www.xyz.com ".*\.html" "cache=yes" "ttl=200000"
AN(config)#cache filter rule www.xyz.com "/" "cache=no"
4. Do not cache specific types of files; other files follow the server's cache directives.
AN(config)#cache filter rule www.xyz.com ".*\.jpg" "cache=no"
AN(config)#cache filter rule www.xyz.com ".*\.gif" "cache=no"
5. Do not cache specific types of files; other files should be cached.
AN(config)#cache filter rule www.xyz.com ".*\.jpg" "cache=no"
AN(config)#cache filter rule www.xyz.com ".*\.gif" "cache=no"
AN(config)#cache filter rule www.xyz.com "/" "cache=yes"
6. Specify a file type. Files of this type follow the TTL defined in the cache filter; other files follow the TTL defined in the cache control header.
AN(config)#cache filter rule www.xyz.com ".*\.jpg" "ttl=200000"
AN(config)#cache filter rule www.xyz.com ".*\.gif" "ttl=200000"
AN(config)#cache filter rule www.xyz.com "/" "cache=yes"
7. Specify a file type. Files of this type ignore the query string in the URL; other files use the whole URL.
AN(config)#cache filter rule www.xyz.com ".*\.html*" "urlquery=yes"
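The longest-match selection, the urlquery cache key and the force_cache decisions from the table above, modelled as an added example (not ArrayOS code). Python's re module stands in for the PERL-compatible engine; measuring "longest match" as the length of the matched text, the exact header checks in the not-set branch, and the sample rule set (built from Examples 3 and 7) are assumptions. The reason an engineer models this: a force_cache=yes rule stores and serves responses that carry Set-Cookie or Cache-Control: private, so one user's personalised page can be handed to the next client that hits the same cache key, and urlquery=yes widens that key to every query string; risky_rules() lists the rules to review for that.

```python
# Added example (not ArrayOS or Array Networks code): cache filter rule
# selection and cacheability decisions as described in the handbook's table.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class FilterRule:
    host_name: str
    url: str                            # regular expression (PERL-compatible on the appliance)
    force_cache: Optional[bool] = None  # None = option not set
    urlquery: bool = False              # default urlquery=no
    ttl: Optional[int] = None           # seconds, None = not set


def parse_rule(host_name: str, url: str, *options: str) -> FilterRule:
    """Build a rule from "force_cache=yes|no", "urlquery=yes|no" and "ttl=n" strings.
    The handbook's examples use the short form "cache=", which is accepted too."""
    opts = dict(o.replace(" ", "").split("=", 1) for o in options)
    force = opts.get("force_cache", opts.get("cache"))
    return FilterRule(host_name, url,
                      None if force is None else force == "yes",
                      opts.get("urlquery") == "yes",
                      int(opts["ttl"]) if "ttl" in opts else None)


def select_rule(rules: Sequence[FilterRule], host_name: str, url: str) -> Optional[FilterRule]:
    """Exact host match, regex search on the URL; the rule with the longest matched text wins."""
    best, best_len = None, -1
    for rule in rules:
        if rule.host_name != host_name:
            continue
        m = re.search(rule.url, url)
        if m and (m.end() - m.start()) > best_len:
            best, best_len = rule, m.end() - m.start()
    return best


def cache_key(host_name: str, url: str, rule: Optional[FilterRule]) -> Tuple[str, str]:
    """urlquery=yes drops the query string, so /a?x=1 and /a?x=2 share one cache entry."""
    if rule is not None and rule.urlquery:
        return host_name, urlsplit(url).path
    return host_name, url


def would_cache(rule: Optional[FilterRule], request_headers: Dict[str, str],
                response_headers: Dict[str, str]) -> bool:
    """Store/serve decision. Header names are lower-case. The not-set branch is an
    approximation assembled from the conditions the table lists (assumption)."""
    if rule is not None and rule.force_cache is False:
        return False
    if rule is not None and rule.force_cache is True:
        return True  # no-store, no-cache, authorization, cookie, private, set-cookie all ignored
    req_cc = request_headers.get("cache-control", "").lower()
    resp_cc = response_headers.get("cache-control", "").lower()
    if "no-store" in req_cc or "no-cache" in req_cc:
        return False
    if "authorization" in request_headers or "cookie" in request_headers:
        return False
    if any(d in resp_cc for d in ("no-store", "no-cache", "private")):
        return False
    if "set-cookie" in response_headers:
        return False
    return True


def risky_rules(rules: Sequence[FilterRule]) -> List[FilterRule]:
    """Audit: rules that override the response's own cache-control directives."""
    return [r for r in rules if r.force_cache is True]


# Constructed rule set modelled on Examples 3 and 7 (not the handbook's exact set).
RULES = [
    parse_rule("www.xyz.com", r".*\.jpg", "cache=yes"),
    parse_rule("www.xyz.com", r".*\.gif", "cache=yes", "ttl=200000"),
    parse_rule("www.xyz.com", r".*\.html*", "urlquery=yes"),
    parse_rule("www.xyz.com", r"/", "cache=no"),
]

if __name__ == "__main__":
    rule = select_rule(RULES, "www.xyz.com", "/account/home.html?user=42")
    print(rule, cache_key("www.xyz.com", "/account/home.html?user=42", rule))
    print([r.url for r in risky_rules(RULES)])
```

With the "/" catch-all at one character, any more specific pattern wins the longest-match contest, which is what makes Examples 3 and 5 work as "default deny" and "default allow" respectively.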
show cache filter status
This command allows users to display the cache filter configuration.
show cache filter hostname <host_name>
This command is used to display all the cache filters relating to the specified host name.
show cache filter all
This command is used to display all cache filter rules.
cache filter match <host_name> <url>
This command is used to show all the configured cache filter rules matching the specified host name and URL regular expression. Administrators can use this command to test the correctness of previously configured cache filter rules.
no cache filter rule <host_name> <url>
This command is used to remove the cache filter matching the specified "host_name" and "url".
clear cache filter hostname <host_name>
This command is used to clear the cache filters matching the specified host.
clear cache filter all
This command is used to clear all the cache filters.
show statistics cachefilter <host_name> <url>
This command is used to display the statistical information for the cache filter configuration related to the specified host name and URL regular expression.
clear statistics cachefilter [host_name|all]
This command is used to clear the cache filter statistics. If a host name is specified, the cache filter statistics for that host are cleared. "all" means all cache filter statistics are cleared. If no argument is provided, the global cache filter statistics are cleared.
HTTP Commands
There are commands to manipulate how the APV appliance will process special HTTP traffic and requests. The first deals with "X-Forwarding", a process where users may configure an option to insert an "X-Forwarded-For" header into all HTTP and HTTPS requests. This allows for client-IP visibility at the real server. The second function allows users to configure an option for the ArrayOS to parse non-ASCII characters or characters occupying more than one byte. The xforwardedfor commands support transferring the client IP address to the backend server through an HTTP header, a URL parameter or both. The configuration is virtual service oriented. Details on both command sets are below.
http xforwardedfor on [vs_name] [mode] [customized_name]
This command is used to turn on the insertion of the host IP address into the HTTP header, URL request or HTTP cookie forwarded to the backend server. The parameters in the command are optional. If no parameter is specified, the command is global. For this function, the global setting is off by default while the per virtual service setting is on by default.
Settings and behaviors:
• Global "http xforwardedfor off" and "http xforwardedfor on vs1" (these are the default settings): The host IP address will not be inserted into vs1's HTTP header, URL request and HTTP cookie forwarded to the backend server, as the global setting is off.
• Global "http xforwardedfor on" and "http xforwardedfor on vs1": The host IP address will be inserted into vs1's HTTP header, URL request and HTTP cookie forwarded to the backend server. Only when both the global and the per virtual service settings are on can the host IP address be inserted into vs1's HTTP header, URL request and HTTP cookie.
• Global "http xforwardedfor on" and "http xforwardedfor off vs1": The host IP address will not be inserted into vs1's HTTP header, URL request and HTTP cookie forwarded to the backend server, as the per virtual service setting is off.
vs_name The SLB virtual service name.
mode It can be header, url, cookie or all. "all" means the HTTP header, URL request and HTTP cookie will all include the client IP address.
customized_name Specify a new name for the IP address in the HTTP header, URL request and HTTP cookie.
http xforwardedfor off [vs_name]
This command is used to turn off the insertion of the host IP address into the HTTP header, URL request and HTTP cookie forwarded to the backend server. If no parameter is specified, the command is global.
show http xforwardedfor
This command is used to display the current status (on/off) of X-Forwarded-For header insertion in the request forwarded to the backend server.
http xclientcert virtual [insert_mode] [content_type]
When SSL client authentication is enabled, the APV appliance can use this command to forward the received client certificate to the backend server through an HTTP header or HTTP cookie. The APV appliance will forward the client certificate to the backend server if and only if the "ssl settings clientauth" command has been configured successfully.
insert_mode It includes two modes: "header" and "cookie". If "insert_mode" is header, the client certificate will be inserted in the header of the request forwarded to the server. The default insert mode is "header".
content_type It has two certificate encoding content formats: "PEM" and "body". "body" means that the APV appliance forwards the BASE64 encoded value of the digital certificate to the backend server, while "PEM" means that the APV appliance forwards the encoded value of the client certificate to the backend server in the OpenSSL internal encoding format. The OpenSSL internal encoding format has the begin/end header lines ("-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----") and has a separator ";" every 64 bits. The parameter defaults to "body". (Note: Certificates encoded in the OpenSSL internal format use ";" as a separator, and a cookie also uses ";" as a separator, so please check whether the APV appliance can use this encoding to forward the certificate to the backend server.)
show http xclientcert virtual
This command is used to display all the virtual services for which the insertion of the X-Client-Cert header in the request forwarded to the server is enabled.
no http xclientcert virtual
This command is used to disable the insertion of the X-Client-Cert header in the request forwarded to the server for the specified virtual service.
clear http xclientcert virtual
This command is used to disable the insertion of the X-Client-Cert header in the request forwarded to the server for all the virtual services.
http xclientcert header [header_name]
This command is used to configure the client certificate header name. The default name is X-Client-Cert.
http xclientcert plaintext [customized_name] [format_opt]
This command is used to enable or disable forwarding the specified certificate field, with the customized header name if one is defined, in the HTTP header, URL request or HTTP cookie to the backend server. Users can use the option "customized name" to customize the field name so that it can be accepted by the backend server. If the customized name is NULL, the system will use the field's default name. Supported fields include: subject, issuer, validity, NotBefore, NotAfter, CommonName, PublicKey, serial (for serial number) and customized RDN.
mode The way to pass client certificate information; the following methods are supported:
• header: By inserting an HTTP header.
• url: By appending to the URL.
• cookie: By inserting a cookie.
• all: Enable all of the above three methods.
field_name A certificate field name. The following certificate section names are supported: subject, issuer, validity, serial (for serial number), NotBefore, NotAfter, CommonName, PublicKey and relative RDNs (C, CN, etc. or OID) in a certificate.
• Subject: Transfer the subject DN of a client certificate to the backend server.
• Issuer: Transfer the issuer DN of a client certificate to the backend server.
• Validity: Transfer the certificate's validity period to the backend server. Its format is "From To", for example "From Dec 19 5:54:42 2007 GMT To Dec 19 5:54:42 2008 GMT".
• Serial: Transfer the certificate's serial number to the backend server.
• NotBefore: Transfer the certificate's NotBefore time to the backend server.
• NotAfter: Transfer the certificate's NotAfter time to the backend server.
• CommonName: Transfer the CommonName of the certificate's subject to the backend server.
• PublicKey: Transfer the public key of a certificate to the backend server. The public key is transferred in HEX mode. For example, the public key "0x00 0x43 0x78 0xed" is transferred to the backend server in the form "00 43 78 ed" (ASCII value).
• RDN: Transfer one of the standard RDNs in the Subject or Issuer DN to the backend server.
To define the RDN which will be sent to the backend server, the formal format should be:
.
Or

For scope:
Scope     Description
Subject   The value of the symbol or specific OID will be searched for in the client certificate's subject DN.
Issuer    The value of the symbol or specific OID will be searched for in the client certificate's issuer DN.
Ext       The value of the symbol or specific OID will be searched for in the client certificate's extension fields. This requires that the client certificate be version 2 or 3.
No scope  The value of the specific OID will be searched for in the client certificate's TBS. TBS means the OID or the certificate's customer information. When the scope is null, the dot should not appear in this formal format.
For symbol:
OID                          Symbol        Standard Name
2.5.4.6                      C             Country Name
2.5.4.8                      ST            State or Province Name
2.5.4.7                      L             Locality Name
2.5.4.10                     O             Organization Name
2.5.4.11                     OU            Organizational Unit Name
2.5.4.3                      CN            Common Name
2.5.4.5                      SN            Serial Number
2.5.4.46                     dnQualifier   DN Qualifier
2.5.4.65                     Pseudonym     Pseudonym
2.5.4.12                     Title         Title
2.5.4.44                     GQ            Generation Qualifier
2.5.4.43                     Initials      Initials
2.5.4.41                     Name          Name
2.5.4.42                     givenName     Given Name
2.5.4.4                      Surname       Surname
0.9.2342.19200300.100.1.25   DC            Domain Component
1.2.840.113549.1.9.1         emailAddress  Email Address
{OID expression}             OID information, for example: 1.2.3.4
Note: When there is more than one value for the same symbol in the specified scope, the APV appliance will transfer all of them to the backend server, and a number will be appended to the customized name from the second symbol onwards. The number is increased starting from 1.
For example:
One configuration on the APV appliance:
AN(config)#http xclientcert plaintext cookie "Subject.OU" vs1 "OU" positive
And the client certificate has the following subject DN:
C=CN, ST=Beijing, L=Beijing, O=ArrayNetworks Inc., OU=Dev, OU=TM, CN=abc, emailAddress=abc@arraynetworks.net
Then the backend server will receive the following cookie:
Cookie: OU=Dev, OU1=TM
virtual_service Specify the SLB virtual service name, which has been defined.
customized_name Optional. Specify a name for the field to replace the standard field name defined in the previous parameter.
format_opt Optional. Specify the format of the "field" forwarded to the backend application.
For Subject, Issuer: the sequence order format option, which should be:
• Positive: (Default) Start from the small scope. (See the following example.)
• Reverse: Start from the large scope.
• Original: The original order parsed from the client certificate.
Example for the Subject format option:
If a client certificate has the following subject DN:
C=CN,O=Array,OU=TM,ST=BJ,CN=abc,EmailAddress=abc@arraynetworks.net
If "format_opt" is "positive", the subject will be transferred in the following order:
EmailAddress=abc@arraynetworks.net,CN=abc,OU=TM,O=Array,ST=BJ,C=CN
If "format_opt" is "reverse", the subject will be transferred in the following order:
C=CN,ST=BJ,O=Array,OU=TM,CN=abc,EmailAddress=abc@arraynetworks.net
If "format_opt" is "original", the subject will be transferred in the following order:
C=CN,O=Array,OU=TM,ST=BJ,CN=abc,EmailAddress=abc@arraynetworks.net
For Validity, NotBefore, NotAfter: the date/time format option, which should be:
• Digital: (Default) All the date and time numbers are expressed as digits, except the GMT expression.
• Latin: The month will be expressed as an English word.
• W3C: The standard time format. Uses the local time zone information from the client certificate.
Example for the Validity format option:
Latin: From Jan 31 15:35:5 2008 GMT To Jan 30 15:35:5 2009 GMT
Digital: Valid from 2008-01-01 20:01:01 GMT to 2010-01-01 20:01:00 GMT
W3C: From 2008-01-31T15:35:05Z To 2009-01-30T15:35:05Z
For ext.: The format option should be: unparsed or parsed.
X509 certificate extensions are defined as follows:
Extension ::= SEQUENCE {
    extnID      OBJECT IDENTIFIER,
    critical    BOOLEAN DEFAULT FALSE,
    extnValue   OCTET STRING }
Among which:
extnID: The OID of the extension;
critical: The criticality flag;
extnValue: The extension value.
• Unparsed: (Default) Only the entire value of the extnValue will be forwarded to the backend server. In DER, one object is expressed by three parts: type, length and value. The extnValue is encoded in DER; therefore the extnValue consists of its type, length and value.
• Parsed: The value of the extnValue is itself encoded in DER, so it also includes three parts: type, length and value. When this option is enabled, only the value inside the value of the extnValue will be forwarded to the backend server.
When the type in the value of the extnValue is one of the following, the whole value of the extnValue will be forwarded to the backend server regardless of whether the option is unparsed or parsed:
SEQUENCE
SET
Untagged data
For example, the following is an extension in which the type in the value is SEQUENCE:
 404 30   31: SEQUENCE {
 406 06    3:   OBJECT IDENTIFIER issuerAltName (2 5 29 18)
 411 04   24:   OCTET STRING, encapsulates {
 413 30   22:     SEQUENCE {
 415 86   20:       [6] 'http://www.nist.gov/'
            :       }
            :     }
            :   }
For the two commands "http xclientcert plaintext header "ext.2.5.29.18" vs1 "url1" "parsed"" and "http xclientcert plaintext header "ext.2.5.29.18" vs1 "url1" "unparsed"", the same result "0x30 0x22 0x86 0x20…" will be sent to the backend server.
When the type of the value in the value of the extnValue is a time string, ArrayOS will transfer its content to DIGITAL format:
Generalized Time
UTC time
Example for the ext. format option:
In this example, the extension OID is 0.1.2.3, and the value of the extnValue is "0x0c 0x06 0x36 0x35 0x34 0x33 0x32 0x31". "0c" represents the type in the value of the extnValue and "06" represents the length in the value of the extnValue.
If "format_opt" is "unparsed", "0x0c 0x06 0x36 0x35 0x34 0x33 0x32 0x31" will be forwarded.
If "format_opt" is "parsed", "0x36 0x35 0x34 0x33 0x32 0x31" will be forwarded.
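The subject ordering, repeated-RDN numbering, validity formats and parsed/unparsed extension rule that "http xclientcert plaintext" applies, modelled as an added example (not Array Networks' code) so a backend developer can check what the forwarded values will look like. The scope hierarchy behind "positive" and "reverse" is inferred from the manual's own example with L and DC placed at conventional positions, the Latin format zero-pads seconds, and the "untagged data" case is not modelled; those are assumptions.

```python
# Added example, not Array Networks code: model the field formatting that the
# "http xclientcert plaintext" command applies to client-certificate data, so a
# backend can be tested against the exact header/cookie values it will receive.
from datetime import datetime
from typing import List, Tuple

RDN = Tuple[str, str]  # (symbol, value) pair parsed from a DN string

# Hierarchy from the largest scope (C) to the smallest (emailAddress), inferred
# from the manual's positive/reverse example. ASSUMPTION: L and DC sit at their
# conventional positions and unknown symbols count as the smallest scope.
_SCOPE_RANK = {"c": 0, "st": 1, "l": 2, "dc": 3, "o": 4, "ou": 5, "cn": 6,
               "emailaddress": 7}


def parse_dn(dn: str) -> List[RDN]:
    """Split 'C=CN,O=Array,...' into (symbol, value) pairs, keeping order."""
    pairs = []
    for part in dn.split(","):
        sym, _, val = part.partition("=")
        pairs.append((sym.strip(), val.strip()))
    return pairs


def format_dn(rdns: List[RDN], format_opt: str = "positive") -> str:
    """Render a DN in positive (small scope first), reverse or original order.
    Sorting is stable, so repeated symbols (OU=Dev, OU=TM) keep their order."""
    def rank(rdn: RDN) -> int:
        return _SCOPE_RANK.get(rdn[0].lower(), len(_SCOPE_RANK))

    if format_opt == "original":
        ordered = list(rdns)
    elif format_opt == "reverse":
        ordered = sorted(rdns, key=rank)
    elif format_opt == "positive":
        ordered = sorted(rdns, key=lambda r: -rank(r))
    else:
        raise ValueError(f"unknown format_opt {format_opt!r}")
    return ",".join(f"{sym}={val}" for sym, val in ordered)


def rdn_fields(rdns: List[RDN], symbol: str, customized_name: str) -> List[RDN]:
    """Select every RDN matching `symbol` (e.g. scope Subject, symbol OU); the
    second and later matches get a number appended to the customized name,
    counting from 1, exactly as the note above describes (OU, OU1, OU2...)."""
    fields: List[RDN] = []
    for sym, val in rdns:
        if sym.lower() == symbol.lower():
            name = customized_name if not fields else f"{customized_name}{len(fields)}"
            fields.append((name, val))
    return fields


def cookie_line(fields: List[RDN]) -> str:
    """Cookie header line in the form shown in the manual's example."""
    return "Cookie: " + ", ".join(f"{name}={val}" for name, val in fields)


def format_validity(not_before: str, not_after: str, format_opt: str = "digital") -> str:
    """Digital / Latin / W3C renderings of the validity period; inputs are
    UTC timestamps as 'YYYY-MM-DDTHH:MM:SSZ'. ASSUMPTION: seconds and days
    are zero-padded (the manual's Latin example prints '15:35:5')."""
    nb = datetime.strptime(not_before, "%Y-%m-%dT%H:%M:%SZ")
    na = datetime.strptime(not_after, "%Y-%m-%dT%H:%M:%SZ")
    if format_opt == "w3c":
        return f"From {nb:%Y-%m-%dT%H:%M:%SZ} To {na:%Y-%m-%dT%H:%M:%SZ}"
    if format_opt == "latin":
        return f"From {nb:%b %d %H:%M:%S %Y} GMT To {na:%b %d %H:%M:%S %Y} GMT"
    if format_opt == "digital":
        return f"Valid from {nb:%Y-%m-%d %H:%M:%S} GMT to {na:%Y-%m-%d %H:%M:%S} GMT"
    raise ValueError(f"unknown format_opt {format_opt!r}")


def _der_tlv(data: bytes) -> Tuple[int, bytes]:
    """Return (tag, value) of the first DER element; handles long-form lengths."""
    tag, first = data[0], data[1]
    if first < 0x80:
        return tag, data[2:2 + first]
    n = first & 0x7F
    length = int.from_bytes(data[2:2 + n], "big")
    return tag, data[2 + n:2 + n + length]


def extension_value(extn_value: bytes, format_opt: str = "unparsed") -> bytes:
    """'unparsed' forwards the whole DER object held in extnValue; 'parsed'
    forwards only its inner value, except that a SEQUENCE (0x30) or SET (0x31)
    is forwarded whole in both modes. The page's 'untagged data' case is not
    modelled (assumption)."""
    tag, inner = _der_tlv(extn_value)
    if format_opt == "parsed" and tag not in (0x30, 0x31):
        return inner
    return extn_value


if __name__ == "__main__":
    # Constructed inputs taken from the manual's own examples above.
    dn = parse_dn("C=CN,O=Array,OU=TM,ST=BJ,CN=abc,EmailAddress=abc@arraynetworks.net")
    for opt in ("positive", "reverse", "original"):
        print(opt, format_dn(dn, opt))
    subj = parse_dn("C=CN, ST=Beijing, L=Beijing, O=ArrayNetworks Inc., OU=Dev, OU=TM, "
                    "CN=abc, emailAddress=abc@arraynetworks.net")
    print(cookie_line(rdn_fields(subj, "OU", "OU")))  # Cookie: OU=Dev, OU1=TM
    print(format_validity("2008-01-31T15:35:05Z", "2009-01-30T15:35:05Z", "w3c"))
    print(extension_value(bytes.fromhex("0c06363534333231"), "parsed").hex())  # 363534333231
```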
http xclientcert dnencoding [encoding]
This command is used to specify the encoding format for the client certificate's DN (Distinguished Name) transferred from the specified SLB virtual service to the backend server.
virtual_service Specify the SLB virtual service name.
encoding Optional. Specify the encoding format for multibyte characters. UTF-8, GB2312, GBK and GB18030 are supported. The default format is UTF-8.
show http xclientcert dnencoding [virtual_service]
This command is used to display the DN encoding configuration.
virtual_service Optional. Specify the SLB virtual service name. If no virtual service is specified, the DN encoding configuration for all SLB virtual services will be displayed.
no http xclientcert dnencoding
This command is used to restore the DN encoding configuration for the specified virtual service to the default.
virtual_service Specify the SLB virtual service name.
clear http xclientcert dnencoding
This command is used to reset the DN encoding configurations for all virtual services.
http owa {on|off}
This command is used to enable or disable the subsystem which inserts the OWA (Outlook Web Access) specific header, FRONT-END-HTTPS: on, in the requests forwarded to backend servers. When this subsystem is turned on, the header insertion will be done only for the virtual services configured using the "http owa virtual" command. When this subsystem is turned off, the header insertion will not be done even if there are virtual services configured using the "http owa virtual" command. The default setting is off.
show http owa status
This command is used to display the status (on/off) of the OWA subsystem.
http owa virtual
This command is used to enable the insertion of the FRONT-END-HTTPS: on header in the requests forwarded to the backend servers for the specified virtual service.
show http owa virtual
This command is used to display all the virtual services for which the insertion of the FRONT-END-HTTPS: on header in the requests forwarded to the backend servers is enabled.
no http owa virtual
This command is used to disable the insertion of the FRONT-END-HTTPS: on header in the requests forwarded to the backend servers for the specified virtual service.
clear http owa virtual
This command is used to disable the insertion of the FRONT-END-HTTPS: on header in the requests forwarded to the backend servers for all the virtual services.
http mask server {on|off}
This command allows users to "hide" the identity of the backend server from the client. The "Server" header will be removed if it is set to "on". The default value is "off".
http mask via {on|off}
This command allows users to prevent the client Web browser from knowing that the responses have been proxied through the APV appliance. The "Via" header will be removed if it is set to "on". The default value is "off".
show http mask
This command is used to display the current status (on/off) of the HTTP mask server and HTTP mask via functions.
http serverconnreuse {on|off}
This command is used to turn on or off the reuse of server connections for multiple transactions. Setting it to "off" makes every server connection be used for only a single transaction, after which the connection is terminated. Setting it to "on" makes every server connection be used for multiple transactions. The default setting is "on".
[no] http serverconnreuse real off
This command is used to force every server connection to be used for a single transaction for the specified real service.
real_name An assigned name, in the form of a character string, for the real service. Note: If the assigned name begins with a numeric character, then the string needs to be framed in double quotes.
[show|clear] http serverconnreuse
This command is used to display or clear the current status (on/off) regarding the use of server connections for multiple transactions.
http serverpersist {on|off}
This command is used to enable or disable the use of persistent connections for communication with the backend servers. By default, the use of persistent connections is turned on. When connection reuse is enabled, enabling connection persistence ensures that all transactions from the same client connection are forwarded to the same backend server. If connection reuse is enabled but connection persistence is disabled, then transactions from the same client connection may be forwarded to different backend server connections.
[no] http serverpersist real off
This command is used to disable the use of persistent connections for communication with the backend servers for the specified real service.
real_name An assigned name, in the form of a character string, for the real service. Note: If the assigned name begins with a numeric character, then the string needs to be framed in double quotes.
[show|clear] http serverpersist
This command is used to display or clear the status (on/off) regarding the use of persistent connections for communication with backend servers.
http shuntreset {on|off}
This command is used to enable or disable resetting non-reusable server connections. Enabling this option forces the APV appliance to reset non-reusable server connections. By default this option is disabled.
show http shuntreset
This command is used to display the status for the handling of non-reusable server connections.
http buffer nomsglen {on|off}
This command is used to enable (on) or disable (off) the cache accepting and caching some non-RFC compliant responses. When enabled, responses that do not possess an "end of response" HTTP message length indicator within the headers will still be cached before the information is returned to the client. By default this is enabled.
show http buffer nomsglen
This command is used to display the status of caching those responses that do not possess an "end of response" HTTP message length indicator.
http rewrite request insertheader
This command is used to insert an arbitrary header-string in HTTP requests received for the specified virtual service. The header-string will be inserted verbatim except for the % sign, which is used for escaping: %n represents a line separator (replaced by \r\n), %q is a double quote (") and %% is the percent sign itself. The limit of the header-string length is 500 bytes. For example, for the header string FRONT-END-HTTPS: on%n, the administrator will enter "FRONT-END-HTTPS: on%n" with the entire string framed in double quotes when entering it via the CLI; no quotes are necessary when entering the string via the WebUI.
no http rewrite request insertheader
This command is used to disable the insertion of the custom HTTP header for the specified virtual service.
show http rewrite request insertheader [virtual_service]
This command is used to display the status of the arbitrary HTTP header insertion for a virtual service. If the keyword "all" is used, the HTTP header insertion configuration for all virtual services will be displayed. The default is "all".
clear http rewrite request insertheader
This command is used to clear the HTTP header insertion function for the specified virtual service. If the keyword "all" is used, the HTTP header insertion function for all virtual services will be cleared.
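The escaping rules of "http rewrite request insertheader" (%n, %q, %%, 500-byte limit) as an added example, not Array Networks' code, so an operator can see the exact bytes a configured header-string expands to and which header names they form. The appliance's treatment of an undefined escape or a trailing lone "%" is not documented on the page, so rejecting both is an assumption of this model.

```python
# Added example, not Array Networks code: expand a header-string with the
# escaping rules of "http rewrite request insertheader" so an operator can
# confirm the bytes the appliance would insert and the header names they form.
from typing import List

MAX_HEADER_STRING = 500  # byte limit stated in the manual

_ESCAPES = {"n": b"\r\n", "q": b'"', "%": b"%"}


def decode_header_string(header_string: str) -> bytes:
    """Return the bytes inserted for `header_string`: %n -> CRLF, %q -> double
    quote, %% -> percent, everything else verbatim. ASSUMPTION: the appliance's
    treatment of an undefined escape or a trailing lone % is not documented, so
    this model rejects both rather than guessing."""
    if len(header_string.encode()) > MAX_HEADER_STRING:
        raise ValueError("header-string exceeds 500 bytes")
    out = bytearray()
    i = 0
    while i < len(header_string):
        ch = header_string[i]
        if ch != "%":
            out += ch.encode()
            i += 1
            continue
        esc = header_string[i + 1:i + 2]  # "" when % is the last character
        if esc not in _ESCAPES:
            raise ValueError(f"undefined escape at offset {i}: %{esc}")
        out += _ESCAPES[esc]
        i += 2
    return bytes(out)


def header_names(decoded: bytes) -> List[str]:
    """Header names in the decoded block, one per CRLF-terminated line, so the
    operator can check that the string yields exactly the headers intended
    (for instance that a %n was not written as %% by mistake)."""
    names = []
    for line in decoded.split(b"\r\n"):
        if line:
            names.append(line.split(b":", 1)[0].strip().decode())
    return names


if __name__ == "__main__":
    # Constructed input: the OWA header string from the manual's example above.
    raw = decode_header_string("FRONT-END-HTTPS: on%n")
    print(raw, header_names(raw))  # b'FRONT-END-HTTPS: on\r\n' ['FRONT-END-HTTPS']
```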
http rewrite response cookie secure {on|off}
This command is used to enable or disable the placement of a secure clause within the HTTP Set-Cookie header, preventing the client from forwarding the cookie on an insecure connection. The default status is "on".
http rewrite response cookie secure icookie {on|off}
This command is used to enable or disable the support of secure cookies for HTTPS clients. The default status is "on". This command is added for not inserting the "secure" tag into the Set-Cookie header when the "http rewrite response cookie secure" command is enabled.
show http rewrite response cookie secure
This command is used to display the running status of the secure cookie in the response.
clear http rewrite response cookie
This command is used to reset the rewrite response to the default setting "on".
http rewrite response port
This command is used to modify the port number contained in the Location header in the responses to the HTTP requests received by the specified virtual service.
virtual_service Specify the virtual service name.
modify_action Specify the modification action. Currently, only the "remove" action is supported.
no http rewrite response port
This command is used to disable the port number modification function for the specified virtual service.
show http rewrite response port [virtual_service]
This command is used to display the port number modification settings for all virtual services. If a virtual service is specified, this command will only display the port modification setting of that virtual service.
clear http rewrite response port
This command is used to reset the port number modification setting for the specified virtual service.
virtual_service Specify the virtual service name. If the keyword "all" is used, the port number modification settings for all virtual services will be reset.
http rewrite response https
This command allows users to configure the rewriting of HTTP redirects to HTTPS for the specified HTTP or HTTPS virtual service. This is accomplished by rewriting the HTTP Location header content to use the HTTPS scheme in the URL.
show http rewrite response https
This command is used to display all the virtual services for which the rewriting of HTTP redirects to HTTPS redirects is configured.
no http rewrite response https
This command is used to disable the rewriting of HTTP redirects to HTTPS redirects for the specified virtual service.
clear http rewrite response https
This command is used to disable the rewriting of HTTP redirects to HTTPS redirects for all the virtual services.
http redirect https
This command allows users to configure redirection of all HTTP requests to HTTPS. This is accomplished by generating a 301 (Moved Permanently) response with a Location header containing the HTTPS scheme in the URL. This command can only be applied to HTTP virtual services.
show http redirect https
This command is used to display all the virtual services for which HTTP to HTTPS redirects are configured.
no http redirect https
This command is used to disable the HTTP to HTTPS redirects for the specified virtual service.
clear http redirect https
This command is used to disable the HTTP to HTTPS redirects for all the virtual services.
http import error
This command allows users to import a customized HTTP error page from a remote server. The "error_code" refers to the HTTP error code, the "host name" refers to the desired destination that has generated the error, and the "url" points to the location of the customized error page. The supported HTTP error codes for importing customized error pages are 400 (Bad Request), 403 (Forbidden), 412 (Precondition Failed), 416 (Requested Range Not Satisfiable), 502 (Bad Gateway) and 503 (Service Unavailable).
show http import error [error_code] [host_name]
This command is used to display the list of HTTP error codes and host names for which a custom error page is imported. If "error_code" and "host name" are specified, the content of the imported error page (if present) is displayed.
clear http import error [error_code] [host_name]
This command is used to remove all the imported error pages. If "error_code" and "host name" are specified, then only the corresponding error page will be removed.
http error
This command is used to activate the imported error page for the specified "error_code" and "host name".
show http error [error_code] [host_name]
This command is used to display all the HTTP error codes and host names for which a custom error page is activated. If the "error_code" and "host name" parameters are specified, the content of the activated error page (if present) is displayed.
clear http error [error_code] [host_name]
This command is used to deactivate all the activated error pages. If the "error_code" and "host name" parameters are specified, only the corresponding error page is deactivated.
http permit host
This command is used to add the specified host name to the list of permitted host names. By default all host names are permitted. The moment at least one host name is configured using this command, only the configured host names are permitted and the rest are denied.
show http permit host
This command is used to display the list of permitted host names.
no http permit host
This command is used to remove the specified host name from the list of permitted host names, if present. After this host name is removed, if there are no more host names in the list, all host names will be permitted.<br />
clear http permit host<br />
This command is used to remove all the host names from the list of permitted host names. As soon as this is done, all host names will be permitted.<br />
[no] http permit method [vip]<br />
This command is used to add or delete the specified method to/from the list of permitted HTTP methods. The possible methods are get, post, put, delete, trace, connect, options, head, propfind, proppatch, mkcol, copy, move, lock, unlock and purge. By default, all the methods are permitted and no commands of this kind are configured. As soon as at least one method is configured using this command, only the configured methods are permitted and the rest are denied. When no methods are configured using this command, all the methods are permitted. If the “vip” parameter is omitted or 0.0.0.0, this command is configured at the global level. Otherwise, it is configured at the VIP level.<br />
show http permit method [vip]<br />
This command is used to display the list of permitted and denied HTTP methods. If the “vip” parameter is 0.0.0.0, this command shows the global configuration. If the “vip” parameter is not provided, this command shows all the settings, including the global settings and all the per-VIP settings. If a VIP is given, only the settings of the specified VIP will be displayed.<br />
clear http permit method [vip]<br />
This command is used to remove all the methods from the list of permitted HTTP methods. As soon as this is done, all the HTTP methods will be permitted. If the “vip” parameter is 0.0.0.0, this command clears the global permit method list. If the “vip” parameter is not provided, this command clears all permit method lists, including the global settings and all the per-VIP settings. If a VIP is given, only the permit method list of the specified VIP will be cleared.<br />
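As an added example (not code from the handbook or from Array Networks), the following Python models the allow-list rules shared by “http permit host” and “http permit method”: nothing configured means everything is permitted, the first configured entry switches the scope to deny-by-default, and a VIP of 0.0.0.0 or no VIP selects the global scope. The class, its method names and the rule that a request must pass both the global list and its VIP's list are assumptions; the handbook does not say how the two scopes combine.<br />

```python
# Added illustration of the "http permit host" / "http permit method"
# allow-list semantics. Not ArrayOS code: the appliance's real data
# structures are unpublished. Rules taken from the handbook: an empty list
# permits everything; a VIP of 0.0.0.0 or no VIP selects the global scope;
# any other VIP selects a per-VIP list.

GLOBAL_SCOPE = "0.0.0.0"  # value the handbook uses for the global scope

# The sixteen method names the handbook lists for "http permit method".
KNOWN_METHODS = frozenset({
    "get", "post", "put", "delete", "trace", "connect", "options", "head",
    "propfind", "proppatch", "mkcol", "copy", "move", "lock", "unlock", "purge",
})


def _scope(vip):
    """Map the optional vip argument onto a scope key."""
    return GLOBAL_SCOPE if vip in (None, GLOBAL_SCOPE) else vip


class PermitTable:
    """Allow-lists keyed by scope; works for host names and for methods."""

    def __init__(self, valid_values=None):
        self._lists = {}              # scope -> set of permitted values
        self._valid = valid_values    # optional vocabulary check

    def permit(self, value, vip=None):
        """'http permit <x> <value> [vip]': add value to the scope's list."""
        value = value.lower()
        if self._valid is not None and value not in self._valid:
            raise ValueError(f"{value!r} is not a configurable value")
        self._lists.setdefault(_scope(vip), set()).add(value)

    def no_permit(self, value, vip=None):
        """'no http permit <x> <value> [vip]': remove value; if the list
        becomes empty, the scope reverts to permitting everything."""
        key = _scope(vip)
        lst = self._lists.get(key)
        if lst is not None:
            lst.discard(value.lower())
            if not lst:
                del self._lists[key]

    def clear(self, vip=None):
        """'clear http permit <x> [vip]': without a VIP every scope is cleared,
        with 0.0.0.0 only the global scope, otherwise only that VIP."""
        if vip is None:
            self._lists.clear()
        else:
            self._lists.pop(_scope(vip), None)

    def is_permitted(self, value, vip=None):
        """True if the value passes the global list and, when the request
        arrived on a VIP with its own list, that list too.
        Assumption (the handbook does not say): both lists apply, neither
        overrides the other. A scope with no entries permits everything."""
        value = value.lower()
        scopes = [GLOBAL_SCOPE]
        if vip is not None and vip != GLOBAL_SCOPE:
            scopes.append(vip)
        for key in scopes:
            lst = self._lists.get(key)
            if lst and value not in lst:
                return False
        return True

    def show(self, vip=None):
        """'show http permit <x> [vip]': the configured lists as sorted tuples."""
        if vip is None:
            return {k: tuple(sorted(v)) for k, v in self._lists.items()}
        key = _scope(vip)
        return {key: tuple(sorted(self._lists.get(key, ())))}


if __name__ == "__main__":
    methods = PermitTable(KNOWN_METHODS)
    print(methods.is_permitted("trace"))   # nothing configured: True
    methods.permit("get")
    methods.permit("post")
    print(methods.is_permitted("trace"))   # now denied: False
```

The deny-by-default switch is the operational point: a single “http permit method get” on one VIP silently denies every other verb on it, and removing the last entry with the “no” form silently re-opens everything, so both changes deserve a “show http permit method” afterwards.<br />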
http modifyheader http10 {on|off}<br />
This command allows users to change the HTTP version in the response from 1.1 to 1.0 and add “connection: keep-alive” to the response header at the same time. If the HTTP version is 1.1, the APV appliance will change it to 1.0. If the “connection” field does not exist or is “connection: close”, the APV appliance will add this field or change it to “connection: keep-alive”. The default setting is “off”.<br />
show http modifyheader http10<br />
This command is used to display the configuration of modify header.<br />
[no] http acl url [level_0|1|2]<br />
This command is used to define an ACL rule for a particular network resource of an SLB virtual service.<br />
The maximum number of configured ACL rules depends on the system memory size:<br />
• In a system with 1G memory, the maximum number of configured ACL rules is 100;<br />
• In a system with 2G memory, the maximum number of configured ACL rules is 200;<br />
• In a system with 4G or 8G memory, the maximum number of configured ACL rules is 1000.<br />
virtual_service Specify the name of an SLB virtual service that has already been defined.<br />
path Define a network resource by its URL; the resource is protected through the access level. If the incoming SSL request fails to satisfy the access level “0|1|2”, an “HTTP 403” error will be returned.<br />
level_0|1|2 The following are all the cases:<br />
Option Value: Description<br />
0: The resource can be accessed through both HTTP and HTTPS.<br />
1: The resource can only be accessed through HTTPS, with or without client certificate authentication. However, if SSL mandatory authentication is set, client certificate authentication is required as in level “2”.<br />
2: The resource can only be accessed through HTTPS, and client certificate authentication is mandatory.<br />
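The following Python, added here as an illustration and not part of the handbook, evaluates one ACL rule set of a virtual service against a request using the three levels above, including the case where SSL mandatory authentication turns level 1 into level 2. `Request`, `level_allows`, `acl_status` and the exact-path matching are constructed for the example; the handbook does not state how paths are matched.<br />

```python
# Added illustration of the "http acl url ... level_0|1|2" decision. Not
# ArrayOS code; the outcomes (200 versus the "HTTP 403" error) come from the
# handbook's table, the request fields are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    path: str
    https: bool                  # arrived on the HTTPS virtual service
    client_cert_verified: bool   # TLS handshake presented a verified client cert


def level_allows(level, req, ssl_mandatory_auth=False):
    """Return True when the request satisfies the access level.

    level 0: reachable over HTTP and HTTPS.
    level 1: HTTPS only; a client certificate is optional, except that when
             SSL mandatory authentication is set on the virtual host the level
             behaves exactly like level 2.
    level 2: HTTPS only and a verified client certificate is required.
    """
    if level not in (0, 1, 2):
        raise ValueError("access level must be 0, 1 or 2")
    if level == 0:
        return True
    if not req.https:
        return False
    cert_required = level == 2 or ssl_mandatory_auth
    return req.client_cert_verified or not cert_required


def acl_status(rules, req, ssl_mandatory_auth=False):
    """Evaluate the rule set of one virtual service and return the HTTP status.

    rules: {path: level}. Assumption (the handbook does not specify matching):
    an exact path match; a path without a rule is not restricted by this ACL.
    """
    level = rules.get(req.path)
    if level is None or level_allows(level, req, ssl_mandatory_auth):
        return 200
    return 403


if __name__ == "__main__":
    # Constructed rule set for one virtual service.
    rules = {"/public/": 0, "/account/": 1, "/admin/": 2}
    for r in (Request("/admin/", True, False), Request("/admin/", True, True),
              Request("/account/", False, False)):
        print(r.path, acl_status(rules, r))
```

The interaction to remember is the level 1 rule: on a virtual host with SSL mandatory authentication, a level 1 resource is no longer reachable without a client certificate, so the ACL level alone does not describe the effective policy.<br />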
http serverconnip [header_name]<br />
This command is used to set a server connection IP rule for a specified virtual service. The server connection IP setting tells the APV appliance to obtain the IP address from the specified HTTP request header and use it as the source IP when connecting to the backend server.<br />
virtual_service Specify the name of an HTTP or HTTPS virtual service.<br />
header_name A case-insensitive HTTP request header name (it cannot be a standard HTTP header). This is an optional parameter and the default value is “X-Forwarded-For”. Its maximum length is 100 characters.<br />
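Added example, not ArrayOS code: the Python below shows the selection of the backend source IP from the configured header, together with the checks a defender wants around a value that the client side of the connection can set. The header-name constraints (case-insensitive, at most 100 characters, not a standard header, default X-Forwarded-For) come from the text above; `server_conn_ip`, `is_valid_header_name`, the partial STANDARD_HEADERS list, the trusted-proxy filter and the fall-back to the real client address are assumptions made for the example.<br />

```python
# Added illustration of the server connection IP rule. Not ArrayOS code. The
# handbook states: the header name is case-insensitive, at most 100
# characters, may not be a standard header, and defaults to X-Forwarded-For.
# The trusted-proxy check and the fall-back rules are assumptions.
import ipaddress

MAX_HEADER_NAME_LEN = 100

# Constructed, deliberately partial list standing in for "standard HTTP headers".
STANDARD_HEADERS = frozenset({
    "host", "connection", "content-length", "content-type", "transfer-encoding",
    "user-agent", "accept", "cookie", "authorization", "referer",
})


def is_valid_header_name(name):
    """Apply the handbook's constraints on header_name."""
    return (0 < len(name) <= MAX_HEADER_NAME_LEN
            and name.lower() not in STANDARD_HEADERS)


def server_conn_ip(headers, client_ip, header_name="X-Forwarded-For",
                   trusted_proxies=None):
    """Return the source IP to use for the backend connection.

    headers: request headers as {name: value}; lookup is case-insensitive.
    client_ip: the peer address of the TCP connection.
    trusted_proxies: set of peer addresses allowed to supply the header; None
        mirrors the handbook behaviour of honouring the header from any peer.
    Falls back to client_ip when the header is absent, the peer is not trusted,
    or the value is not an IP literal. For a comma-separated list (the usual
    X-Forwarded-For shape) the first entry is used.
    """
    if not is_valid_header_name(header_name):
        raise ValueError(f"{header_name!r} is not an acceptable header name")
    if trusted_proxies is not None and client_ip not in trusted_proxies:
        return client_ip
    wanted = header_name.lower()
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if value is None:
        return client_ip
    candidate = value.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return client_ip


if __name__ == "__main__":
    # Constructed request: client 203.0.113.7 behind a proxy at 192.0.2.10.
    hdrs = {"Host": "www.example.com",
            "x-forwarded-for": "203.0.113.7, 192.0.2.10"}
    print(server_conn_ip(hdrs, "192.0.2.10", trusted_proxies={"192.0.2.10"}))
```

Because the backend sees the header-derived address as the connection source, restricting which peers may supply the header (the `trusted_proxies` set here) is what keeps backend-side source-IP filtering meaningful; the handbook's own rule honours the header from any peer.<br />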
no http serverconnip <br />
This command is used to remove the server connection IP setting for a specified virtual service.<br />
virtual_service Specify the name of an HTTP or HTTPS virtual service.<br />
show http serverconnip [virtual_service]<br />
This command is used to display the server connection IP setting for a specified virtual service. If no virtual service is specified, all the server connection IP settings will be displayed.<br />
clear http serverconnip<br />
This command is used to remove all the server connection IP settings.<br />
Chapter 8 DNS Cache<br />
dns cache {on|off}<br />
This command is used to turn the DNS cache on or off. The default value is off.<br />
dns cache expire <br />
This command is used to configure the DNS cache expiration time. If the TTL (Time to Live) of a DNS response is shorter than the Min seconds setting, the entry expires after Min seconds; “0” indicates no limit on the minimum TTL, and the default value is 60. If the TTL of a DNS response is longer than the Max seconds setting, the entry expires after Max seconds; “0” indicates no limit on the maximum TTL, and the default value is 3600.<br />
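The clamp above, as an added Python example (not ArrayOS code): `cache_expiry_seconds` applies the Min/Max bounds with 0 meaning “no limit”, and a small `DnsCache` class keeps the static entries of “dns cache host” apart from the dynamic ones so that the later “clear dns cache content” and “clear dns host” commands can be seen acting on different sets. Class and method names are constructed; the defaults 60 and 3600 come from the text.<br />

```python
# Added illustration of "dns cache expire <min> <max>" clamping plus the
# static/dynamic split of the DNS cache commands. Not ArrayOS code; the
# class and its method names are constructed. Defaults (60, 3600) and the
# meaning of 0 ("no limit") come from the handbook.

DEFAULT_MIN_SECONDS = 60
DEFAULT_MAX_SECONDS = 3600


def cache_expiry_seconds(response_ttl, min_seconds=DEFAULT_MIN_SECONDS,
                         max_seconds=DEFAULT_MAX_SECONDS):
    """Lifetime the cache gives an answer whose DNS TTL is response_ttl.
    A bound of 0 disables that bound."""
    if min(response_ttl, min_seconds, max_seconds) < 0:
        raise ValueError("TTL values must not be negative")
    if min_seconds and max_seconds and min_seconds > max_seconds:
        raise ValueError("min seconds must not exceed max seconds")
    ttl = response_ttl
    if min_seconds and ttl < min_seconds:
        ttl = min_seconds        # short TTLs are stretched to the floor
    if max_seconds and ttl > max_seconds:
        ttl = max_seconds        # long TTLs are cut to the ceiling
    return ttl


class DnsCache:
    """Static entries never expire; dynamic entries expire per the clamp."""

    def __init__(self, min_seconds=DEFAULT_MIN_SECONDS,
                 max_seconds=DEFAULT_MAX_SECONDS):
        self.min_seconds = min_seconds
        self.max_seconds = max_seconds
        self._static = {}    # name -> address            ("dns cache host")
        self._dynamic = {}   # name -> (address, expires_at)

    def add_host(self, name, address):
        self._static[name.lower()] = address

    def remove_host(self, name):
        self._static.pop(name.lower(), None)

    def store(self, name, address, response_ttl, now):
        """Cache a resolver answer received at time `now` (seconds)."""
        life = cache_expiry_seconds(response_ttl, self.min_seconds, self.max_seconds)
        self._dynamic[name.lower()] = (address, now + life)

    def lookup(self, name, now):
        """Static entries win; expired dynamic entries are evicted and miss."""
        key = name.lower()
        if key in self._static:
            return self._static[key]
        entry = self._dynamic.get(key)
        if entry is None:
            return None
        address, expires_at = entry
        if now >= expires_at:
            del self._dynamic[key]
            return None
        return address

    def clear_content(self):   # "clear dns cache content": dynamic entries only
        self._dynamic.clear()

    def clear_host(self):      # "clear dns host": static entries only
        self._static.clear()
```

The minimum bound is the one with security weight: it stops a resolver answer with a very short TTL from forcing a fresh lookup on every request, while the maximum bound caps how long a stale or poisoned answer can be served.<br />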
dns cache host <br />
This command is used to add static entry to cache.<br />
no dns host <br />
This command is used to remove a static entry from cache.<br />
show dns cache setting<br />
This command is used to display the DNS cache settings, including the “dns cache on|off” and “dns cache expire” status.<br />
show dns cache host<br />
This command is used to display all static DNS cache entries.<br />
show statistics dns cache<br />
This command is used to display statistics concerning the DNS cache.<br />
clear dns cache content<br />
This command is used to clear all dynamic DNS cache entries.<br />
clear dns host<br />
This command is used to clear all static DNS cache entries.<br />
clear dns all<br />
This command is used to clear the DNS cache configuration and return the APV appliance to its default status.<br />
clear statistics dns cache<br />
This command is used to clear all the DNS cache statistics.<br />
Chapter 9 HTTP Compression<br />
The following section covers the commands for configuring the various parameters of HTTP data compression.<br />
http compression {on|off} [virtual_name]<br />
This command allows users to enable/disable HTTP data compression using gzip. If the virtual service name is specified, this command enables/disables the HTTP compression feature for that virtual service. The global HTTP compression feature is set when no virtual service is specified. The APV appliance compresses the HTTP data of a virtual service only when both the global HTTP compression feature and the per-virtual-service HTTP compression feature are enabled.<br />
show http compression settings<br />
This command is used to display the current state of the compression feature (enabled/disabled).<br />
[no] http compression policy useragent <br />
{js|css|pdf|ppt|xls|doc}<br />
This command allows users to configure JavaScript, CSS, PDF, PPT, XLS and DOC content to be compressed when served to the configured user agents. The “user_agent_string” parameter must be enclosed in quotation marks, e.g. http compression policy useragent “IE 5.5” pdf. TEXT, XML and HTML are compressed by default, so they do not need to be configured with the “http compression policy useragent” command. The “user_agent_string” parameter need only be a sub-string, because the APV appliance performs a sub-string comparison.<br />
Using the “no” version of this command removes the configuration (no http compression policy useragent).<br />
http compression advanced useragent on<br />
This command is used to turn on JavaScript and CSS compression for the following four types of browsers (user agents): IE 6, IE 7, IE 8 and Mozilla 5.0.<br />
http compression policy urlexclude <br />
This command is used to add a url-exclude compression rule for a virtual service. If the URL of a client request to that virtual service matches the configured “wildcard_expression”, the textual contents of the response will not be compressed even if HTTP compression is on. This command has higher priority than the “http compression policy useragent” command.<br />
show http compression policy urlexclude [vhost]<br />
This command is used to show all the HTTP compression policy urlexclude rules for the virtual service specified by the “vhost” parameter. If the virtual service name is not provided, all the HTTP compression policy urlexclude rules are shown.<br />
no http compression policy urlexclude <br />
This command is used to remove an HTTP compression policy urlexclude rule specified<br />
by the virtual service name and wildcard expression.<br />
clear http compression policy urlexclude [vhost]<br />
This command is used to remove all the HTTP compression policy urlexclude rules for a<br />
specified virtual service or all virtual services.<br />
show http compression policy useragent<br />
This command is used to show HTTP compression policies for configured user agents.<br />
clear http compression policy useragent<br />
This command is used to remove all the HTTP compression policies for the configured<br />
user agents.<br />
show statistics compression [virtual_name]<br />
This command is used to display various statistics for compression. Specifying a virtual<br />
name will display the statistics for a particular SLB virtual service. To view the statistics<br />
for all configured layer 7 virtual services, issue the above command without specifying<br />
the virtual name.<br />
Example:<br />
AN(config)#show statistics compression<br />
Global Compression Statistics:<br />
Throughput Statistics:<br />
29003769 Total bytes sent out to client<br />
16423821 Total bytes sent to compression<br />
23412681 Total bytes rcvd from compression<br />
0 Sent bytes/second<br />
0 Rcvd bytes/second<br />
33746 Peak Sent bytes/second<br />
48049 Peak Rcvd bytes/second<br />
0 Currently active transactions<br />
Content Statistics:<br />
349443 HTML's compressed<br />
0 TEXT's compressed<br />
0 XML's compressed<br />
0 DOC's compressed<br />
0 PPT's compressed<br />
0 XLS's compressed<br />
0 CSS's compressed<br />
0 JS's compressed<br />
0 PDF's compressed<br />
349443 requests attempted<br />
349443 content length transactions<br />
0 chunk encoding transactions<br />
0 fin terminated transactions<br />
0 Http 1.0 response<br />
349443 Http 1.1 response<br />
Compression Ratio Statistics:<br />
0% compression ratio of compressible data<br />
The following are explanations of the items in the above output.<br />
• Throughput Statistics<br />
Total bytes sent to compression: The total compressed data in bytes, which is the length of the result after compression, either by software compression or by hardware compression.<br />
Total bytes recvd from compression: The total original data to be compressed in bytes, either by software compression or by hardware compression.<br />
Sent bytes/second: The total compressed data in the last second. This is calculated by: current total_bytes_sent_out - total_bytes_sent_out one second ago.<br />
Rcvd bytes/second: The total original data to be compressed in the last second. This is calculated by: current total_bytes_recvd - total_bytes_recvd one second ago.<br />
Peak Sent bytes/second: The maximum number of bytes sent per second from the beginning to now. If the new sent_bytes_per_second > peak_sent_bytes_per_second, then peak_sent_bytes_per_second = new sent_bytes_per_second.<br />
Peak Rcvd bytes/second: The maximum number of bytes received per second from the beginning to now. If the new recvd_bytes_per_second > peak_recvd_bytes_per_second, then peak_recvd_bytes_per_second = new recvd_bytes_per_second.<br />
Currently active transactions: The number of active HTTP connections whose response data is being compressed; it is always 0 or greater.<br />
• Content Statistics<br />
HTML’s compressed: The total number of compressed HTTP responses whose type is HTML.<br />
TEXT’s compressed: The total number of compressed HTTP responses whose type is TEXT.<br />
XML’s compressed: The total number of compressed HTTP responses whose type is XML.<br />
DOC’s compressed: The total number of compressed HTTP responses whose type is DOC.<br />
PPT’s compressed: The total number of compressed HTTP responses whose type is PPT.<br />
XLS’s compressed: The total number of compressed HTTP responses whose type is XLS.<br />
CSS’s compressed: The total number of compressed HTTP responses whose type is CSS.<br />
JS’s compressed: The total number of compressed HTTP responses whose type is JS.<br />
PDF’s compressed: The total number of compressed HTTP responses whose type is PDF.<br />
requests attempted: The total number of compressed HTTP responses. It equals the sum of all the individual types of compressed responses.<br />
content length transactions: The total number of compressed HTTP responses delimited by a content length.<br />
chunk encoding transactions: The total number of compressed HTTP responses which have a chunk-encoding header.<br />
fin terminated transactions: The total number of compressed HTTP responses which are FIN-terminated.<br />
Http 1.0 response: The total number of compressed HTTP 1.0 responses.<br />
Http 1.1 response: The total number of compressed HTTP 1.1 responses.<br />
clear statistics compression [virtual_name]<br />
This command is used to clear the compression statistics. Specifying a virtual name will clear the statistics for a particular SLB virtual service. To clear the statistics for all configured layer 7 virtual services, issue the above command without specifying the virtual name.<br />
Chapter 10 Secure Sockets Layer (SSL)<br />
show ssl status<br />
This command is used to display the current status of all configured SSL virtual and real hosts.<br />
show ssl host<br />
This command is used to display all currently configured SSL hosts and the SLB service to which each is paired.<br />
show statistics ssl [host]<br />
This command is used to display all the current SSL statistics for the specified host. If no host is specified, data relating to all configured hosts will be displayed.<br />
clear statistics ssl [host]<br />
This command is used to clear all related statistics for the specified host. If no particular host is specified, then the statistics for all configured hosts will be cleared.<br />
[no] ssl host {real|virtual} <br />
This command is used to create an SSL host and bind that host to a particular SLB service, whether virtual or real. The SLB service assigned to an SSL host must be of HTTPS or TCPS type. An SLB service must be established prior to the creation of an SSL host. Please note that multiple SLB services may be assigned to a host by invoking this command with different SLB service names; up to 64 SLB services can share the same SSL virtual host. The “no” version of the command will disassociate the host from the SLB service.<br />
real|virtual Tells ArrayOS whether the binding between the SSL host and the SLB service is to a virtual service or to a real one. If an SSL host is associated with an SLB virtual service, the newly created virtual SSL host will act as an SSL server, while if it is associated with an SLB real service, the newly created SSL real host will act as an SSL client. An SSL host which is associated with an SLB virtual service is referred to as an SSL virtual host from here onward, while an SSL host that is associated with an SLB real service is referred to as an SSL real host. SSL virtual hosts and SSL real hosts are two different entities and have different configuration parameters. These options are explained in each individual command.<br />
host_name The name assigned to the newly configured SSL host.<br />
slb_service The name of the SLB service for which the SSL host has been created and to which it is bound.<br />
ssl csr [key_length]<br />
This command is used to generate a CSR (Certificate Signing Request) for the specified host. After this command is issued, users are led through a series of prompts in order to produce a CSR. Administrators have the option to make the private key exportable and to protect the exportable key with a passphrase for future use. In addition, this command also generates a “test” certificate for the host. When you start the host with this test certificate, you will get a warning message on the console about an incomplete certificate chain.<br />
host_name The SSL virtual host name.<br />
key_length Specify the length of the generated SSL key pair. The length of the SSL key pair can be 1024 bits or 2048 bits. It defaults to 1024 bits.<br />
The requested data, via the prompts, are as follows:<br />
AN(config)#ssl csr www.foo.com<br />
We will now gather some required information about your ssl virtual host,<br />
This information is encoded into your certificate<br />
Two character country code for your organization (eg. US):<br />
State or province:<br />
Location or local city:<br />
Organization Name:<br />
Organizational Unit:<br />
Do you want to use the virtual host name "vh1" as the Common Name (recommended)?(Y/N):<br />
Email address of administrator:<br />
Do you want the private key to be exportable [Yes/(No)]:<br />
Enter passphrase for the private key:<br />
Confirm passphrase for the private key:<br />
Once the above information has been provided, the APV appliance will supply users with a data message that should be copied into an email message to be sent to a certifying body. The lengths of the subject fields in the CSR should conform to the following limits:<br />
• Two Character Country Code: 2 bytes<br />
• Common Name: 64 bytes<br />
• State or Province: 64 bytes<br />
• Location or Local City: 64 bytes<br />
• Organization Name: 64 bytes<br />
• Organizational Unit: 64 bytes<br />
• Email Address for Administrator: 80 bytes<br />
Warning: The test certificate generated by the “ssl csr” command should not be<br />
used for production systems, rather only for testing purposes.<br />
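Added example, not part of the handbook: the Python below checks a prepared set of answers for the “ssl csr” prompts against the subject field limits listed above (measured in bytes, so non-ASCII characters count more than once) and against the accepted key lengths. The field keys, `check_csr_subject`, `csr_request` and `valid_key_length` are constructed for the example; the limits and key lengths come from the text.<br />

```python
# Added illustration of the constraints behind the "ssl csr" prompts, as a
# pre-check an operator can run before answering them. Not ArrayOS code; the
# field keys are constructed. Limits (2/64/64/64/64/64/80 bytes) and the key
# lengths (1024 or 2048, default 1024) come from the handbook.

SUBJECT_LIMITS = {            # field -> maximum size in bytes
    "country": 2,
    "common_name": 64,
    "state": 64,
    "locality": 64,
    "organization": 64,
    "organizational_unit": 64,
    "email": 80,
}

ALLOWED_KEY_LENGTHS = (1024, 2048)


def valid_key_length(key_length=1024):
    """'ssl csr <host> [key_length]' accepts only 1024 or 2048 bits."""
    return key_length in ALLOWED_KEY_LENGTHS


def check_csr_subject(subject, virtual_host=None):
    """Return a list of problems; an empty list means the subject fits.

    subject: {field: str}. Lengths are measured in UTF-8 bytes, not
    characters, because the limits are stated in bytes. When virtual_host is
    given and common_name is absent, the host name is used as the CN, which is
    what the prompt recommends.
    """
    subject = dict(subject)
    if virtual_host and not subject.get("common_name"):
        subject["common_name"] = virtual_host
    problems = []
    for field, limit in SUBJECT_LIMITS.items():
        value = subject.get(field, "")
        size = len(value.encode("utf-8"))
        if field == "country":
            if size != 2 or not value.isalpha() or not value.isascii():
                problems.append(f"{field}: expected a two-letter code, got {value!r}")
        elif size > limit:
            problems.append(f"{field}: {size} bytes exceeds the {limit}-byte limit")
    return problems


def csr_request(virtual_host, subject, key_length=1024):
    """Assemble the answers for the prompts, or raise if they would be rejected."""
    if not valid_key_length(key_length):
        raise ValueError(f"key_length must be one of {ALLOWED_KEY_LENGTHS}")
    problems = check_csr_subject(subject, virtual_host)
    if problems:
        raise ValueError("; ".join(problems))
    answers = dict(subject)
    answers.setdefault("common_name", virtual_host)
    answers["key_length"] = key_length
    return answers


if __name__ == "__main__":
    # Constructed subject for the host used in the handbook's prompt transcript.
    subj = {"country": "US", "state": "California", "locality": "Milpitas",
            "organization": "Example Org", "organizational_unit": "IT",
            "email": "admin@example.com"}
    print(csr_request("www.foo.com", subj, key_length=2048))
```

Of the two key lengths the command accepts, 1024 bits is the default; a practitioner preparing a production CSR should pass 2048 explicitly, and should treat the accompanying test certificate as the warning above says.<br />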
show ssl csr <br />
This command is used to display the CSR <strong>of</strong> the specified virtual host.<br />
no ssl csr <br />
This command is used to remove the existing CSR for a particular virtual host.<br />
ssl backup certificate <br />
This command allows users to back up the certificate and the private key of the specified SSL host into a PFX file. If necessary, it will transfer the PFX file to the specified TFTP server. Anyone who wants to access this PFX file must enter the correct password.<br />
host_name The name assigned to the specified SSL host.<br />
file_name The designated name, specified by an alphanumeric string. Local format: a valid local file name, stored locally. TFTP format: tftp://server/filename.<br />
password The string that allows access to the specified file. If the password contains keystroke symbols such as “!” or “$”, the entire password must be enclosed within quotation marks.<br />
show ssl backup certificate <br />
This command is used to display the file into which the certificate and the private key of the specified host are backed up.<br />
no ssl backup certificate <br />
This command is used to remove the specified file into which the certificate and the private key of the specified host are backed up.<br />
ssl import certificate [tftp_ip] [filename]<br />
This command allows users to import a certificate into ArrayOS from a TFTP server or the CLI. The parameter that is required with every invocation is “host_name”; the TFTP server IP is required only if certificates are being imported via TFTP. The optional parameter “filename” allows you to specify the filename of the certificate on the TFTP server. The default filename is .crt. Once the user has received the certificate via email, he or she simply needs to “cut and paste” the certificate supplied by the certification authority into the CLI, if the certificate is in PEM format. ArrayOS is capable of importing certificates in PEM and DER formats and the certificates used by IIS 5, IIS 4, Netscape iPlanet and Apache Web servers, via TFTP. To import the certificate using TFTP, the optional parameter (TFTP server IP) must be specified.<br />
show ssl certificate <br />
This command allows users to view the certificate that has been issued for the specified<br />
virtual host.<br />
display_mode It can be “complete” mode or “simple” mode. The default<br />
mode is “complete”.<br />
ssl restore certificate <br />
This command allows users to restore the certificate and the private key of the specified SSL host from a PFX file, which can be stored in local storage or on a remote TFTP server. The password string MUST be identical to the string entered when this file was produced with the “ssl backup” command.<br />
host_name The name assigned to the specified SSL host.<br />
file_name The designated name, specified by an alphanumeric string. Local format: a valid local file name, stored locally. TFTP format: tftp://server/filename.<br />
password The string that allows access to the specified file. If the password contains keystroke symbols such as “!” or “$”, the entire password must be enclosed within quotation marks.<br />
ssl import key [tftp_ip] [filename]<br />
This command allows users to import a key into ArrayOS from a TFTP server or the CLI. The parameter that is required with every invocation is “host_name” (the virtual host name); the TFTP server IP is required only if keys are being imported via TFTP. The optional parameter “filename” allows you to specify the filename of the key on the TFTP server. The default filename is .key. Once the user has received the key via email, he or she simply needs to “cut and paste” the key supplied by the certification authority into the CLI. ArrayOS is capable of importing the key formats used by IIS 5, IIS 4, Netscape iPlanet and Apache Web servers, via TFTP. To import the key via TFTP, the optional parameter “tftp_ip” (TFTP server IP) must be specified. Note that this command can also import unencrypted private keys in PEM format by TFTP, but this is very insecure and should be avoided.<br />
ssl export key <br />
This command allows users to export from ArrayOS only the private key produced while generating the CSR for a specified host.<br />
show ssl rootca [host_name] [display_mode]<br />
This command is used to view the trusted CA certificate configured for the virtual host.<br />
host_name The host name in the format “www.xyz.com” or “ALL”. “ALL” means the global root CA list will be displayed. It defaults to “ALL”.<br />
display_mode It can be “complete” mode or “simple” mode. The default mode is “complete”.<br />
no ssl rootca [certificate_number]<br />
This command is used to remove the specified trusted CA certificate configured for the specified virtual host.<br />
host_name The host name in the format “www.xyz.com” or “ALL”. “ALL” means the global root CA will be deleted.<br />
certificate_number The serial number of the certificate which will be removed. Users can find the serial numbers of the certificates via the “show ssl certificate” command.<br />
ssl import rootca [host_name] [tftp_ip] [filename]<br />
If you enable SSL client authentication for an SSL virtual host, you must provide a trusted CA certificate, which is used to verify client certificates. The “host_name” parameter is optional, and its default is “ALL”, which means the trusted CA certificate will be imported into the global root CA list. This command allows users to import the certificate of a trusted Certificate Authority from a TFTP server or the CLI. ArrayOS has a default list of CAs preinstalled, and this command appends the new certificate to the existing list. This operation is for SSL virtual hosts only. Users can simply “cut and paste” the root CA certificate into the CLI, if the certificate is in PEM format. ArrayOS is capable of importing Certificate Authority certificates in PEM and DER formats via TFTP. To import the certificate using TFTP, the optional parameter “tftp_ip” (TFTP server IP) must be specified. The optional parameter “filename” is used to specify the filename of the root CA certificate on the TFTP server. The default filename is .crt.<br />
ssl import interca [tftp_ip] [filename]<br />
This command allows users to import the certificate of an Intermediate Certificate Authority. It is used when users need to configure a certificate chain for an SSL virtual host, from a TFTP server or the CLI. This operation is for SSL virtual hosts only. Once the user has received the certificate via email, he or she simply needs to “cut and paste” the certificate supplied by the certification authority into the CLI, if the certificate is in PEM format. ArrayOS is capable of importing Intermediate Certificate Authority certificates in PEM and DER formats via TFTP. To import the certificate using TFTP, the optional parameter “tftp_ip” (TFTP server IP) must be specified. The optional parameter “filename” is used to specify the filename of the intermediate CA certificate on the TFTP server. The default filename is .crt.<br />
show ssl interca [display_mode]<br />
This command is used to view the intermediate CA certificate configured for the specified virtual host.<br />
display_mode It can be “complete” mode or “simple” mode. The default mode is “complete”.<br />
no ssl interca [certificate_number]<br />
This command is used to remove the specified intermediate CA certificate configured for the specified virtual host.<br />
host_name The host name in the format “www.xyz.com”.<br />
certificate_number The serial number of the certificate which will be removed.<br />
ssl import clientkey <br />
This command is used to import an SSL client private key for the specified SSL virtual host, to be used when contacting other SSL servers that require client authentication, for example an OCSP responder over SSL with client authentication. That is to say, this private key is not limited to OCSP; it can also be used for a CRL server over LDAP with client authentication.<br />
host_name The host name in the format “www.xyz.com”.<br />
url Specify the HTTP, FTP or TFTP URL of the remote host from which to import the client private key.<br />
ssl import clientcert <br />
This command is used to import an SSL client certificate for the specified SSL virtual host, to be used when contacting other SSL servers that require client authentication, for example an OCSP responder over SSL with client authentication. That is to say, this certificate is not limited to OCSP; it can also be used for a CRL server over LDAP with client authentication.<br />
host_name The host name in the format “www.xyz.com”.<br />
url Specify the HTTP, FTP or TFTP URL of the remote host from which to import the client certificate.<br />
ssl import crlca [host_name] [tftp_ip] [filename]<br />
If you enable SSL CRL checking for an SSL virtual host, you must provide a CRL signature certificate to verify the CRL signature. The “host_name” parameter is optional, and its default is “ALL”, which means the certificate for the global CDP will be imported. This command allows users to import the CRL signature certificate in DER/PEM format from a TFTP server. This operation is for SSL virtual hosts only. To import the certificate using TFTP, the optional parameter “tftp_ip” (TFTP server IP) must be specified. The optional parameter “filename” is used to specify the full filename of the CRL signature certificate on the TFTP server. If the “host_name” parameter defaults to “ALL”, the default filename is gcrlca.crt; otherwise, the default file name is .cca.<br />
show ssl crlca <br />
This command is used to view the CRL signature certificate configured for the specified virtual host.<br />
host_name The host name in the format “www.xyz.com” or “ALL”. “ALL” means the global CRL signature certificate will be displayed. It defaults to “ALL”.<br />
display_mode It can be “complete” mode or “simple” mode. The default mode is “complete”.<br />
no ssl crlca [certificate_number]<br />
This command is used to remove the specified CRL signature certificate configured for the specified virtual host.<br />
host_name The host name in the format “www.xyz.com” or “ALL”. “ALL” means the global CRL signature certificate will be deleted.<br />
certificate_number The serial number of the CRL signature certificate which will be removed. Users can find the serial numbers of the certificates via the “show ssl certificate” command.<br />
ssl start <br />
This command allows users to enable a configured SSL host or re-enable a previously<br />
stopped SSL host. All SLB services associated with this specified SSL host will be<br />
affected. ArrayOS will check the certificate chain for the SSL virtual host when starting<br />
the virtual host. A warning message, stating that the certificate chain is incomplete, will<br />
be printed on the console if the certificate chain cannot be formed using the intermediate CA<br />
file and the global trusted CA file.<br />
Note: Users cannot make changes to the settings of an SSL host while “ssl start” is<br />
engaged. To make changes to a host, the “ssl stop” command must be used for the<br />
specified SSL host first.<br />
ssl stop <br />
This command is used to disable the specified SSL host, but will not remove the<br />
associated information such as the key and certificate. Note: Users cannot make changes to<br />
an SSL host while “ssl start” is engaged. To make changes to a host, the “ssl stop”<br />
command must be used for the specified SSL host. Note: All SLB services associated<br />
with this specified SSL host will be affected.<br />
clear ssl <br />
This command is used to remove the configuration of the specified SSL host, including<br />
the key and certificate pair. If this command is employed, there is no way to retrieve<br />
the key even if there is a copy of the CSR. To reconfigure SSL for this host, a new key<br />
and a replacement certificate will have to be created. Note: All SLB services associated<br />
with this specified SSL host will be affected.<br />
show ssl settings <br />
This command allows users to view the various settings concerning the specified SSL<br />
host, including the host name, designated port, origin server IP, origin port, CipherSuite<br />
and current SSL version. Note: Users cannot make changes to an SSL host while “ssl start” is<br />
engaged. To make changes to a host, the “ssl stop” command must be used for the<br />
specified SSL host.<br />
ssl settings acceptchain <br />
This command is used to enable the specified SSL host to utilize the certificate chain sent<br />
by the peer in the SSL handshake when verifying that peer’s certificate. By doing so, the SSL<br />
host will try to use the certificate chain from the peer to form the certificate chain until it<br />
finds one CA certificate in its own trusted CA list (the global trusted CA list for SSL real hosts). For SSL<br />
virtual hosts, this command will only take effect when client authentication is enabled.<br />
no ssl settings acceptchain <br />
This command is used to disable the accept chain setting.<br />
ssl settings minimum <br />
This command is used to set the minimum encryption strength that a browser must support in order to<br />
access the specified virtual host. If a browser connecting to this virtual host does not<br />
support the encryption strength specified by “key_size” (ranging from 0 to 512 bits), it will<br />
be redirected to the URL specified by the “url” parameter. This command should only be<br />
used with virtual hosts doing HTTPS. This operation is for SSL virtual hosts only.<br />
no ssl settings minimum <br />
This command is used to turn off the minimum key size feature.<br />
ssl settings protocol <br />
This command allows users to set the SSL protocol for the specified SSL host. The Array<br />
appliance supports two types of protocols: SSLv3 and TLSv1.<br />
host_name Specify the SSL host.<br />
version Set the SSL protocol version. You may enter either of the<br />
protocols SSLv3 and TLSv1. To use both protocols,<br />
just input “ALL” for this parameter.<br />
For example:<br />
AN(config)#ssl settings protocol vhost1 SSLv3<br />
AN(config)#ssl settings protocol ALL<br />
ssl settings clientauth [subject_filter]<br />
This command allows users to establish client authentication for the specified SSL host.<br />
If the host is an SSL virtual host, all SSL clients connecting to this virtual host will be<br />
required to present a client certificate before communication will be allowed to continue.<br />
If the host is an SSL real host, it will present a certificate to the server when requested for<br />
further communication.<br />
In addition to basic client certificate validation, client certificate authentication is<br />
extended to filter the client certificate “Subject” fields as well. A client certificate will be<br />
checked against the configured filter information. If no match is made, the client access<br />
will be rejected.<br />
host_name Specify the SSL host.<br />
subject_filter Configure filter rules for the “Subject” fields. The<br />
configured rules must be enclosed in double quotes, such<br />
as “/C=US”. Multiple filter rules can be configured via one<br />
command, and these rules are in an “AND” relation (i.e. all<br />
must be matched) and must be separated by “/”. If no<br />
setting is made, the system will not perform filtering on the<br />
“Subject” fields.<br />
The filter rules can be configured with any of the supported RDNs on the APV appliances,<br />
including:<br />
RDN Standard Name OID<br />
C Country Name 2.5.4.6<br />
ST State or Province Name 2.5.4.8<br />
L Locality Name 2.5.4.7<br />
O Organization Name 2.5.4.10<br />
OU Organizational Unit Name 2.5.4.11<br />
CN Common Name 2.5.4.3<br />
SN Serial Number 2.5.4.5<br />
dnQualifier DN Qualifier 2.5.4.46<br />
Pseudonym Pseudonym 2.5.4.65<br />
Title Title 2.5.4.12<br />
GQ Generation Qualifier 2.5.4.44<br />
Initials Initials 2.5.4.43<br />
Name Name 2.5.4.41<br />
givenName Given Name 2.5.4.42<br />
Surname Surname 2.5.4.4<br />
DC Domain Component 0.9.2342.19200300.100.1.25<br />
emailAddress Email Address 1.2.840.113549.1.9.1<br />
{OID expression} OID information, for example: 1.2.3.4<br />
For example:<br />
AN(config)#ssl settings clientauth vhost<br />
“/C=US/O=Array/OU=QA/emailAddress=admin@arraynetworks.net”<br />
In this example, all client certificates with the “C” entry “US”, the “O” entry “Array”, the<br />
“OU” entry “QA”, and the “emailAddress” entry “admin@arraynetworks.net” will pass<br />
the subject filter.<br />
AN(config)#ssl settings clientauth vhost “/2.5.4.6=JP”<br />
In this example, the OID “2.5.4.6” means “Country Name”. With this command executed,<br />
a client certificate whose Subject contains OID “2.5.4.6” with the value “JP”<br />
will pass the subject filter.<br />
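The Subject filter semantics described above (all rules must match, names may be RDN short names or dotted OIDs, values are compared exactly), as an added example written here and not taken from the handbook or from ArrayOS: the RDN-to-OID table is the one listed above, a client certificate Subject is represented as a constructed list of (OID, value) pairs, and the treatment of repeated attributes (for instance two OU entries) is an assumption noted in the code.

```python
import re

# RDN short names supported by the handbook, mapped to their OIDs (table above).
RDN_OIDS = {
    "C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
    "OU": "2.5.4.11", "CN": "2.5.4.3", "SN": "2.5.4.5",
    "dnQualifier": "2.5.4.46", "Pseudonym": "2.5.4.65", "Title": "2.5.4.12",
    "GQ": "2.5.4.44", "Initials": "2.5.4.43", "Name": "2.5.4.41",
    "givenName": "2.5.4.42", "Surname": "2.5.4.4",
    "DC": "0.9.2342.19200300.100.1.25",
    "emailAddress": "1.2.840.113549.1.9.1",
}

# A dotted OID such as 2.5.4.6 may be used in place of a short name.
_OID_RE = re.compile(r"^\d+(?:\.\d+)+$")
_QUOTES = '"\u201c\u201d'  # ASCII and curly double quotes as typed on the CLI


def parse_filter(rule_string):
    """Parse a filter such as "/C=US/O=Array/OU=QA" into [(oid, value), ...].

    Rules are separated by "/", every rule is name=value, and the name is
    either a short name from RDN_OIDS or a dotted OID.  Anything else raises
    ValueError so that a malformed filter is rejected, not silently ignored.
    """
    text = rule_string.strip().strip(_QUOTES)
    if not text.startswith("/"):
        raise ValueError("filter must start with '/'")
    rules = []
    for part in text[1:].split("/"):
        name, sep, value = part.partition("=")
        if not sep or not name or not value:
            raise ValueError("rule %r is not name=value" % part)
        if _OID_RE.match(name):
            oid = name
        elif name in RDN_OIDS:
            oid = RDN_OIDS[name]
        else:
            raise ValueError("unsupported RDN %r" % name)
        rules.append((oid, value))
    return rules


def subject_matches(subject, rules):
    """Return True when every rule is satisfied by the Subject (AND relation).

    subject is a list of (oid, value) pairs in certificate order.
    Assumption (not stated by the handbook): when an attribute occurs more
    than once, e.g. two OU entries, a rule is satisfied if any of those
    values equals the rule value; comparison is exact and case-sensitive.
    """
    values_by_oid = {}
    for oid, value in subject:
        values_by_oid.setdefault(oid, set()).add(value)
    return all(value in values_by_oid.get(oid, ()) for oid, value in rules)


def client_passes(subject, rule_string):
    """Parse the configured filter and test one client Subject against it."""
    return subject_matches(subject, parse_filter(rule_string))


# Constructed client Subject that satisfies the handbook's first example.
SAMPLE_SUBJECT = [
    ("2.5.4.6", "US"),                     # C
    ("2.5.4.10", "Array"),                 # O
    ("2.5.4.11", "QA"),                    # OU
    ("2.5.4.3", "qa-client-01"),           # CN (not part of the filter)
    ("1.2.840.113549.1.9.1", "admin@arraynetworks.net"),
]

if __name__ == "__main__":
    print(client_passes(SAMPLE_SUBJECT,
                        "/C=US/O=Array/OU=QA/emailAddress=admin@arraynetworks.net"))
    print(client_passes(SAMPLE_SUBJECT, "/2.5.4.6=JP"))
```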
no ssl settings clientauth <br />
This command is used to disengage the client authentication feature for the specified<br />
host.<br />
[no] ssl settings crl online <br />
This command allows users to verify the client certificate via CRL (Certificate<br />
Revocation Lists). These lists are downloaded from the CRL Distribution Point (CDP)<br />
specified in the client certificate during the SSL handshake. This command operates for<br />
virtual hosts only and works only after enabling client authentication.<br />
[no] ssl settings crl offline <br />
[time_interval] [delay_time]<br />
This command allows users to verify the client certificate via CRL (Certificate<br />
Revocation Lists). These lists are downloaded from the configured CRL Distribution<br />
Point (CDP) at the desired time interval. HTTP, FTP and LDAP are supported protocols<br />
to fetch the CRL files. For each virtual host, administrators can configure up to ten CDPs. This<br />
command operates for virtual hosts only and works only after enabling client<br />
authentication.<br />
Note: To configure CRL for an SSL virtual host, please import the CRL signature<br />
certificate via the “ssl import crlca” command first.<br />
crldp_name The name assigned to the CRL Distribution Point.<br />
crldistribution_point The URL from which Certificate Revocation Lists are<br />
downloaded.<br />
time_interval An integer (in minutes) that indicates the time interval<br />
between two downloads. It defaults to 1440 minutes.<br />
delay_time Optional. Its value must be equal to or greater than zero. It<br />
defaults to 0. When it is greater than zero, the APV<br />
appliance checks whether the CRL file is expired after<br />
downloading the CRL file. If the current time is greater<br />
than the sum of the next update time and delay time, the<br />
CRL file is expired, which means that the APV appliance<br />
will refuse all SSL connections which need to authenticate the<br />
client certificate via the CRL; if the current time is less<br />
than or equal to the sum of the next update time and delay<br />
time, the CRL file is unexpired. When the delay time is<br />
equal to zero, the APV appliance will not check whether<br />
the CRL file is expired after downloading the CRL file.<br />
ssl settings ocsp <br />
This command allows users to validate the certificate online via an OCSP server. After<br />
executing this command, the APV appliance will validate the certificate online via the<br />
OCSP server specified in the client certificate. If this validation via the OCSP server<br />
specified in the client certificate fails, then the APV appliance will go on to validate the<br />
certificate online via the OCSP server configured in this command. If an OCSP server is<br />
configured, the CRL check will be disabled automatically.<br />
no ssl settings ocsp <br />
This command is used to remove the OCSP configuration.<br />
ssl settings reuse <br />
This command allows users to take advantage of the APV appliance’s SSL session reuse<br />
functionality. By default, the SSL session reuse function is active.<br />
no ssl settings reuse <br />
This command disengages the SSL session reuse function.<br />
ssl settings servername <br />
This command provides an expected SSL server common name for the specified SSL real<br />
host. After the server certificate is successfully verified, the SSL real host still checks the<br />
common name in the server certificate to see whether it matches the one given in this<br />
command. If it doesn’t match, the SSL real host will reject the SSL server certificate. The<br />
command will only take effect when the global SSL setting for server certificate<br />
verification is on. If it is off, the server certificate will not be verified and so the common<br />
name in the certificate will not be checked either.<br />
no ssl settings servername <br />
This command is used to remove the SSL settings servername configuration.<br />
ssl globals ignoreclosenotify {on|off}<br />
This command is used to instruct the APV appliance to ignore the SSL close notify error<br />
when a client does not terminate the SSL connection correctly (or terminates an SSL<br />
connection without sending a Close Notify Alert). This command is ON by default. If this<br />
feature is OFF, the APV appliance will require the connection to be closed with a Close<br />
Notify Alert, and if a client doesn’t send a Close Notify Alert before closing a connection,<br />
the SSL session pertaining to that connection will be marked as invalid and will be<br />
flushed. If this feature is ON, the APV appliance will ignore the improper closing of the SSL<br />
connection and will keep on reusing the SSL session pertaining to this connection even if<br />
the client has closed the connection without sending a Close Notify Alert. This command is<br />
global and applies to all configured SSL virtual hosts and SSL real hosts.<br />
ssl globals sessiontimeout <br />
This command allows users to set the SSL session cache timeout, in seconds, ranging from<br />
60 to 86400.<br />
ssl globals verifycert {on|off}<br />
This command allows users to turn the certificate verification function on or off.<br />
on Enable certificate verification.<br />
off Disable certificate verification.<br />
ssl settings ciphersuite <br />
This command allows users to set the desired cipher suite. Below is a list of the supported<br />
cipher suites.<br />
Note: Only experienced administrators should employ this command. If you have<br />
any questions regarding these settings, please call customer support BEFORE<br />
implementing this command.<br />
Supported cipher methods include:<br />
• DES-CBC3-SHA *<br />
• DES-CBC-SHA<br />
• RC4-SHA *<br />
• RC4-MD5 *<br />
• EXP-DES-CBC-SHA<br />
• EXP-RC4-MD5<br />
• AES128-SHA *<br />
• AES256-SHA *<br />
The cipher suites marked with “*” can be used for both SSL virtual hosts and SSL real<br />
hosts, while the other cipher suites can be used only with SSL virtual hosts.<br />
ssl settings authmandatory <br />
This command is used to enable client mandatory authentication mode for the specified<br />
SSL virtual host.<br />
vhost SSL virtual host name.<br />
no ssl settings authmandatory <br />
This command is used to disable client mandatory authentication mode for the specified<br />
SSL virtual host. After executing this command, the specific SSL virtual host is in<br />
non-mandatory mode.<br />
vhost SSL virtual host name.<br />
ssl import error <br />
This command is used to import a customized static error page to the APV appliance<br />
system disk from the administrator’s remote host. The administrator can define the error<br />
code for different types of error pages. The error pages should be static HTML without<br />
images or Flash content.<br />
error_code Specify the code of the customized error page, as follows.<br />
• 901: SSL virtual host requires the client certificate;<br />
• 903: The SSL client certificate is not trusted;<br />
• 904: The SSL client certificate is expired;<br />
• 905: The SSL client certificate isn’t valid yet;<br />
• 906: The SSL client certificate has been revoked.<br />
url Specify the HTTP or FTP URL of the remote host from which to retrieve<br />
the static error page. For example, if the administrator places an<br />
error page called “error.html” on his computer whose IP<br />
address is 10.3.50.100, the URL in this command should<br />
be “http://10.3.50.100/error.html”.<br />
ssl load error <br />
This command is used to load an SSL customized error page into the APV appliance<br />
system memory. The loaded error page should have been imported onto the APV<br />
appliance system disk by using the command “ssl import error”. After the administrator<br />
executes this command, this SSL customized error page will be displayed to SSL clients<br />
when client authentication fails.<br />
error_code Specify the code of the customized error page, as follows:<br />
• 901: SSL virtual host requires the client certificate;<br />
• 903: The SSL client certificate is not trusted;<br />
• 904: The SSL client certificate is expired;<br />
• 905: The SSL client certificate isn’t valid yet;<br />
• 906: The SSL client certificate has been revoked.<br />
ssl load crl<br />
This command is used to re-download all CRL files immediately from the CDPs defined<br />
in the system.<br />
show ssl import error <br />
This command is used to display the imported error page for the error code which is<br />
specified by “error_code”.<br />
no ssl import error <br />
This command is used to delete the imported error page for the error code which is<br />
specified by “error_code”.<br />
show ssl load error <br />
This command is used to display the loaded error page for the error code which is<br />
specified by “error_code”.<br />
no ssl load error <br />
This command is used to delete the loaded error page for the error code which is specified<br />
by “error_code”.<br />
[no] http xclientcert rdnsep [separator] [pre|post]<br />
This command is used to configure the DN field separator for an HTTPS virtual service.<br />
The “no” version of this command removes the DN field separator for an HTTPS virtual<br />
service.<br />
vs_name HTTPS SLB virtual service name.<br />
separator A customized separator; the default value is “,”.<br />
pre|post The position where the field separator is put. “pre” means<br />
before each DN field and “post” means after each DN<br />
field. This parameter is optional and the default value is<br />
“post”.<br />
show http xclientcert rdnsep [vs_name]<br />
This command is used to display DN separator customizations for one or all SLB virtual<br />
services.<br />
vs_name The virtual service for which the DN separator is<br />
configured. This parameter is optional and the default<br />
value is “all”.<br />
show ssl crlstatus [cdp_name]<br />
This command is used to display one or all SSL CRL (Certificate Revocation List) files for<br />
an SSL virtual host, including CDP name, update time and status. A CRL file can have<br />
3 states: success, failed and downloading.<br />
host SSL virtual host name for which CRL files will be<br />
displayed.<br />
cdp_name Optional. Default is “all”, meaning all the CRL files for the<br />
virtual host will be displayed. Otherwise, only the CRL<br />
associated with the CDP will be displayed.<br />
The following is a sample output:<br />
AN(config)#show ssl crlstatus<br />
CDP Name Update Time Status<br />
cfca Fri Oct 29 14:01:20 2010 Downloading<br />
bjc Fri Oct 29 13:57:38 2010 Success<br />
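A stale-CRL check over the “show ssl crlstatus” output above, together with the expiry rule from “ssl settings crl offline”, as an added example that is not ArrayOS code: it assumes the three states listed above and the handbook's defaults for time_interval (1440 minutes) and delay_time (0); the sample output is the one above, and the clock time it is checked against is constructed.

```python
import re
from datetime import datetime, timedelta

# One row of "show ssl crlstatus":  <cdp name>  <ctime-style timestamp>  <status>
_ROW_RE = re.compile(
    r"^(?P<cdp>\S+)\s+"
    r"(?P<when>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<status>\S+)$"
)


def parse_crlstatus(output):
    """Parse the table printed by "show ssl crlstatus" into
    [(cdp_name, update_time, status), ...].  The prompt, the header and
    blank lines are skipped; any other unparseable line raises ValueError."""
    rows = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("CDP Name") or "#" in line:
            continue
        m = _ROW_RE.match(line)
        if not m:
            raise ValueError("unexpected crlstatus line: %r" % line)
        when = datetime.strptime(m.group("when"), "%a %b %d %H:%M:%S %Y")
        rows.append((m.group("cdp"), when, m.group("status")))
    return rows


def crl_expired(now, next_update, delay_minutes):
    """Expiry rule of "ssl settings crl offline": with delay_time 0 the CRL is
    never treated as expired; otherwise it is expired when now is later than
    nextUpdate + delay_time (equality still counts as unexpired)."""
    if delay_minutes < 0:
        raise ValueError("delay_time must be >= 0")
    if delay_minutes == 0:
        return False
    return now > next_update + timedelta(minutes=delay_minutes)


def stale_cdps(output, now, time_interval_minutes=1440, delay_minutes=0):
    """Flag CDPs whose last download is not a success, or whose last update is
    older than one download interval plus the delay (a fresh download should
    have replaced it by then).  Returns [(cdp_name, reason), ...]."""
    findings = []
    limit = timedelta(minutes=time_interval_minutes + delay_minutes)
    for cdp, when, status in parse_crlstatus(output):
        if status.lower() != "success":
            findings.append((cdp, "last download status is %s" % status))
        elif now - when > limit:
            findings.append((cdp, "last successful update at %s is older than %s"
                             % (when.isoformat(), limit)))
    return findings


# Sample output from the handbook; the clock value used below is constructed.
SAMPLE_OUTPUT = """\
AN(config)#show ssl crlstatus
CDP Name Update Time Status
cfca Fri Oct 29 14:01:20 2010 Downloading
bjc Fri Oct 29 13:57:38 2010 Success
"""

if __name__ == "__main__":
    for cdp, reason in stale_cdps(SAMPLE_OUTPUT, datetime(2010, 10, 29, 14, 5)):
        print("%s: %s" % (cdp, reason))
```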
ssl globals sendclosenotify {on|off}<br />
This command is used to enable/disable the function of sending the SSL close notification.<br />
[no] ssl globals crl host <br />
This command is used to associate the global CRL with the specified virtual host or to<br />
disassociate the global CRL from the specified virtual host.<br />
cdp_name The name assigned to the CRL Distribution Point.<br />
vhost The SSL virtual host name.<br />
[no] ssl globals crl cdp [time_interval]<br />
[delay_time]<br />
This command allows users to configure or remove a global CRL Distribution Point (CDP).<br />
CRL files can be downloaded from the specified CDP at the desired time interval. HTTP,<br />
FTP and LDAP are supported protocols to fetch the CRL files. Note: To configure CRL<br />
for an SSL virtual host, please import the CRL signature certificate via the “ssl import<br />
crlca” command first.<br />
cdp_name The name assigned to the CRL Distribution Point.<br />
crl_distribution_point_url The URL from which Certificate Revocation Lists are<br />
downloaded.<br />
time_interval An integer (in minutes) that indicates the time interval<br />
between two downloads. It defaults to 1440 minutes.<br />
delay_time Optional. Its value must be equal to or greater than zero.<br />
It defaults to 0. When it is greater than zero, the APV<br />
appliance checks whether the CRL file is expired after<br />
downloading the CRL file. If the current time is greater<br />
than the sum of the next update time and delay time, the<br />
CRL file is expired; if the current time is less than or<br />
equal to the sum of the next update time and delay time,<br />
the CRL file is unexpired. When the delay time is equal<br />
to zero, the APV appliance will not check whether the<br />
CRL file is expired after downloading the CRL file.<br />
ssl globals fastcrl {on|off}<br />
This command is used to enable or disable keeping CRL (Certificate Revocation List) files in memory.<br />
When the FastCRL function is enabled, the CRL files on disk will be loaded into memory<br />
immediately.<br />
ssl globals renegotiation {on|<strong>of</strong>f}<br />
This command is used to enable/disable global SSL renegotiation. SSL renegotiation<br />
function is disabled by default.<br />
[no] ssl settings reneg <br />
This command is used to enable/disable SSL renegotiation per SSL virtual host. To<br />
enable SSL renegotiation per SSL virtual host, users must first enable the global settings.<br />
Chapter 11 Clustering<br />
show cluster virtual status [interface_name]<br />
This command is used to output the status of the cluster feature for the APV appliance<br />
(either on or off), followed by the state of each configured virtual cluster (either in<br />
the incomplete, initialize, backup, or master state), and the name and link status of the<br />
interfaces specified for each virtual cluster.<br />
If an interface name is specified, the system will only display the cluster status<br />
information about this interface.<br />
interface_name Specify the interface name, which can be the system<br />
interface, bond interface, VLAN interface or MNET<br />
interface.<br />
Example:<br />
AN(config)#show cluster virtual status<br />
ffo cable status: remote no power<br />
discreet mode enabled<br />
ifname= outside<br />
vcid off/on vc state<br />
1 on master<br />
ifname= inside<br />
vcid off/on vc state<br />
1 on master<br />
ifname= mnet1<br />
vcid off/on vc state<br />
1 on master<br />
cluster virtual {on|off} [cluster_id|0] [interface_name]<br />
This command is used to enable or disable the virtual clustering capabilities for the APV<br />
appliance. The minimum value of a virtual cluster ID is 1 and the maximum decimal<br />
value is 255. It defaults to 0, which means all clusters will be activated. Also with this<br />
command, users must specify the appropriate interface name. If no cluster ID or interface<br />
name is supplied, all clusters will be activated.<br />
cluster virtual ffo {on|off}<br />
This command is used to enable or disable the Fast Failover (FFO) feature. The default<br />
value is off.<br />
cluster virtual ffo interface carrier loss timeout <br />
This command is used to configure how long an APV appliance waits before failover (if<br />
necessary) when it detects interface carrier loss (in milliseconds). If the network carrier<br />
recovers within the timeout value, no action will be taken. This timeout value ranges from 0<br />
to 65535, in milliseconds. 0 means no wait, while 65535 means no failover.<br />
system test failover port<br />
This command allows users to test the status of the FFO port on the APV appliance with<br />
an active console connected. To use this command, users should follow these steps:<br />
1. Execute “cluster virtual ffo off” to turn off the Fast Failover functionality;<br />
2. Execute “system test failover port” and the system will prompt the following<br />
message:<br />
Connect the console cable to the failover port then press the ‘Enter’ key.<br />
3. Unplug the console cable from the console port and plug it into the FFO port;<br />
4. Press the Enter key;<br />
5. The system will display “The failover port is ok.” if the status of the FFO port is<br />
normal, while the system will prompt nothing if there is anything wrong with the FFO<br />
port;<br />
6. Plug the console cable back into the console port.<br />
Note:<br />
1. Before using this command to test the FFO port, first please make certain that<br />
you have turned off the Fast Failover function by executing the “cluster virtual ffo<br />
off” command.<br />
2. This command also applies to the FFO USB port.<br />
show cluster virtual config [interface_name]<br />
This command is used to display the virtual cluster configuration of a specified interface or of<br />
all the interfaces. If an interface name is specified, the system<br />
will only display the cluster configuration of this interface.<br />
interface_name Specify the interface name, which can be the system<br />
interface, bond interface, VLAN interface or MNET<br />
interface. The default value is all.<br />
Example:<br />
AN(config)#show cluster virtual config inside<br />
cluster virtual ifname “inside” 1<br />
cluster virtual vip “inside” 1 10.30.0.30<br />
cluster virtual auth “inside” 1 1 “myString”<br />
cluster virtual interval “inside” 1 10<br />
cluster virtual preempt “inside” 1 0<br />
cluster virtual priority “inside” 1 200<br />
show cluster virtual ffo<br />
This command is used to display the current fast failover configurations.<br />
cluster virtual ifname <br />
This command is used to define a virtual cluster ID for specific interface.<br />
interface_name Specify the interface name, which can be the system<br />
interface, bond interface, VLAN interface or MNET<br />
interface.<br />
cluster_id A virtual cluster ID where the minimum decimal value is 1<br />
and the maximum decimal value is 255.<br />
Note: As too many virtual cluster IDs (VCIDs) might cause unnecessary system<br />
overload, it is suggested not to configure too many VCIDs in the system. If many<br />
virtual IP addresses are needed, administrators can configure multiple IP addresses<br />
within one VCID, instead of configuring one VCID for each IP address.<br />
show cluster virtual interface<br />
This command allows users to view the declared interface names configured via the “cluster<br />
virtual ifname” command.<br />
clear cluster virtual {interface_name|all} {cluster_id|0}<br />
This command is used to remove virtual clusters from the specified system interface.<br />
interface_name|all Specify the interface name, which can be the system<br />
interface, bond interface, VLAN interface or MNET<br />
interface. “all” means all existing interfaces.<br />
cluster_id|0 Specify the virtual cluster ID to be removed, which ranges<br />
from 1 to 255. “0” means all virtual clusters.<br />
cluster virtual vip <br />
This command is used to set the virtual IP address for a virtual cluster on the specified<br />
interface.<br />
interface_name Specify the interface name, which can be the system<br />
interface, bond interface, VLAN interface or MNET<br />
interface.<br />
cluster_id A virtual cluster ID where the minimum decimal value is 1<br />
and the maximum decimal value is 255. A cluster ID can<br />
have up to 255 virtual IP addresses. The same virtual IDs,<br />
located on different interfaces, are treated as different<br />
virtual IDs. All the virtual IP addresses with the same<br />
virtual ID will have the same status (master or backup).<br />
vip A virtual IP address may be any IP address on the Internet<br />
in IP dot format, excluding 0.0.0.0 and 255.255.255.255.<br />
All IPs are valid barring reserved IP addresses such as loopback,<br />
multicast, and other commonly known specialized<br />
ranges. Each virtual IP address entered must be unique.<br />
cluster virtual auth {0|1} [password]<br />
This command is used to configure virtual cluster authentication.<br />
interface_name Specify the interface name, which can be the system<br />
interface, bond interface, VLAN interface or MNET<br />
interface.<br />
cluster_id A virtual cluster ID where the minimum decimal value is 1<br />
and the maximum decimal value is 255.<br />
0|1 Authentication type with a value of “0” specifies that no<br />
password will be used, and authentication type with a value<br />
of “1” has a password field specified in simple text.<br />
password The password consists of up to eight alphanumeric<br />
characters. (Note: All numeric strings must be in quotes.)<br />
cluster virtual preempt {1|0}<br />
This command is used to configure virtual cluster preemption. (Note: The exception is a<br />
cluster that has been configured with a priority of 255.)<br />
interface_name Specify the interface name, which can be the system<br />
interface, bond interface, VLAN interface or MNET<br />
interface.<br />
cluster_id The assigned identification number for the virtual cluster.<br />
1|0 The value “1” allows preemption of a higher priority<br />
master, while the value “0” prohibits preemption of a<br />
higher priority master.<br />
cluster virtual interval <br />
This command is used to set the advertisement interval for the specified cluster.<br />
interface_name Specify the interface name, which can be the system<br />
interface, bond interface, VLAN interface or MNET<br />
interface.<br />
cluster_id The assigned identification number for the virtual cluster.<br />
seconds Specify the advertisement interval, which ranges from<br />
three (3) to sixty (60) seconds. The default interval time is<br />
five (5) seconds. Any state transition <strong>of</strong> the virtual cluster<br />
will be approximately three (3) times to the interval value.<br />
cluster virtual priority <interface_name> <cluster_id> <priority> [synconfig_peer_name]
This command is used to set the virtual cluster priority. The priority ranges from 1 to 255, where 255 is the highest priority.
interface_name: Specify the interface name, which can be the system interface, bond interface, VLAN interface or MNET interface.
cluster_id: The assigned identification number for the virtual cluster.
priority: Determines the priority for redundancy. The greater the value, the higher the priority. The value ranges from 1 to 255.
synconfig_peer_name: Optional parameter; the default value is "Primary". Apart from the default, it can be any synconfig peer defined via the "synconfig peer" command. When set to "Primary", the command applies to the local node. When set to an actual synconfig peer name, the command applies to the node that peer name refers to; if that peer is one defined for the local node, the command again applies to the local node.
no cluster virtual vip <interface_name> <cluster_id> <vip>
This command is used to remove the VIP from the specified cluster ID and interface name.

no cluster virtual auth <interface_name> <cluster_id>
This command is used to reset cluster authentication to the default setting (false, i.e. no authentication).

no cluster virtual interval <interface_name> <cluster_id>
This command is used to reset the advertisement interval to the default (5 seconds).

no cluster virtual preempt <interface_name> <cluster_id>
This command is used to reset the cluster preemption mode to the default (true).

no cluster virtual priority <interface_name> <cluster_id> [synconfig_peer_name]
This command is used to reset the cluster priority to the default value (100).
cluster virtual discreet {on|off}
This command is used to turn the discreet backup mode on or off. In this mode, the system decides whether a status transition is needed based on the peer status information detected through the heartbeat cable, rather than on VRRP advertisements alone. This makes status transitions more reliable: a lost VRRP packet will not result in a double-master (split-brain) condition. This mode is "off" by default. Note: in discreet backup mode the system collects status information over the heartbeat cable, so make sure the heartbeat cable between the devices is properly connected and has first been enabled with the "cluster virtual ffo on" command (the heartbeat cable and the FFO cable are one and the same cable).

show cluster virtual discreet
This command is used to display the discreet backup mode configuration.
Example:
AN(config)#show cluster virtual discreet
show cluster virtual transition [interface_name]
This command is used to display the last 100 cluster state transition log entries on the specified interface. If no interface name is given, it displays the last 100 cluster state transition log entries on all interfaces. Cluster states include Initial (INIT), Backup (BACK), Discreet Backup (DISCREET), FFO and Master (MAST).
interface_name: Specify the interface name, which can be the system interface, bond interface, VLAN interface or MNET interface. The default value is all.
Example:
AN(config)#show cluster virtual transition
ifname = port1, vcid = 1
Sep 25 17:36:22 (+0000) [BACK -> MAST] Timeout.
Sep 25 17:36:17 (+0000) [DISCREET -> BACK] Receive a VRRP advertisement of priority 0.
Sep 25 17:34:58 (+0000) [BACK -> DISCREET] Entering discreet mode.
Sep 25 17:34:58 (+0000) [FFO -> BACK] FFO cable is OK. Cluster is ready to work.
Sep 25 17:34:58 (+0000) [INIT -> FFO] FFO is enabled.
Sep 25 17:34:56 (+0000) [BACK -> INIT] Stop running.
Sep 25 17:34:56 (+0000) [FFO -> BACK] FFO cable is OK. Cluster is ready to work.
Sep 25 17:34:56 (+0000) [INIT -> FFO] FFO is enabled.
clear cluster virtual transition [interface_name] [cluster_id]
This command is used to remove the cluster state transition logs on the specified interface for either the specified virtual cluster or all virtual clusters. By default, "interface_name" is set to all, which removes the logs on all interfaces. By default, "cluster_id" is set to 0, which removes the logs for all virtual clusters.
show statistics cluster virtual [interface]
This command is used to display the virtual clustering statistics on the specified interface. If no interface name is given, it displays the virtual clustering statistics on all interfaces.
Example:
AN(config)#show statistics cluster virtual
ifname = port1, vcid = 1
transition to master: 1
(Switched to master and gained the VIPs)
quit master: 0
(Left the master state and released the VIPs)
VRRP loss: 0
(Possible VRRP loss: no VRRP advertisement was received from the master for two intervals while in backup state, but a valid advertisement arrived before the timeout of three intervals)
quick transition: 2
(Received VRRP advertisements of priority 0, which are used for a quick transition)
inconsistency: 0
(Detected an inconsistent state with other interfaces of the same VCID and dropped remote VRRP packets with lower priority)
Note: The contents in brackets above are explanations of the output, not part of it.
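The timer rules behind these counters and the "cluster virtual interval" and "cluster virtual preempt" settings, as an added Python model of a single node's backup/master behaviour. This is illustration code written for this page, not ArrayOS code: the three-interval timeout, the two-interval "VRRP loss" definition, the priority-0 quick transition and the priority-255 exception are taken from the text above; treating the quick transition as immediate, and leaving a node in place when an advertisement of equal priority arrives, are simplifying assumptions. The timeline in failover_scenario is constructed.

```python
# Added model of the backup/master timer rules documented above; not ArrayOS code.
# Assumptions beyond the page: a priority-0 advertisement is acted on at once, and
# an advertisement of equal priority never changes state.
from dataclasses import dataclass, field

MAST, BACK = "MAST", "BACK"


@dataclass
class VirtualCluster:
    priority: int                  # 1..255, higher wins; 255 always preempts
    interval: float = 5.0          # cluster virtual interval (3..60 s, default 5)
    preempt: bool = True           # cluster virtual preempt (default 1 / true)
    state: str = BACK
    last_adv: float = 0.0          # time the last master advertisement was heard
    transitions: list = field(default_factory=list)
    stats: dict = field(default_factory=lambda: {
        "transition to master": 0, "quit master": 0,
        "VRRP loss": 0, "quick transition": 0})

    @property
    def master_down_timeout(self) -> float:
        return 3 * self.interval   # "approximately three times the interval value"

    def _go(self, t, new_state, reason):
        if new_state == MAST and self.state != MAST:
            self.stats["transition to master"] += 1
        if self.state == MAST and new_state == BACK:
            self.stats["quit master"] += 1
        self.transitions.append((t, f"[{self.state} -> {new_state}] {reason}"))
        self.state = new_state

    def tick(self, t):
        """Timer check at time t when no packet has arrived."""
        if self.state == BACK and t - self.last_adv >= self.master_down_timeout:
            self._go(t, MAST, "Timeout.")

    def receive_adv(self, t, adv_priority):
        """Handle a VRRP advertisement of the given priority received at time t."""
        self.tick(t)                              # the timer may already have expired
        if self.state == BACK:
            if adv_priority == 0:                 # master is leaving: take over now
                self.stats["quick transition"] += 1
                self._go(t, MAST, "Receive a VRRP advertisement of priority 0.")
            elif (self.preempt or self.priority == 255) and adv_priority < self.priority:
                self._go(t, MAST, "Preempting a lower-priority master.")
            else:
                if t - self.last_adv >= 2 * self.interval:
                    self.stats["VRRP loss"] += 1  # two intervals missed, third heard in time
                self.last_adv = t
        elif adv_priority > self.priority:        # MAST: yield to a better master
            self._go(t, BACK, "Received an advertisement of higher priority.")
            self.last_adv = t


def failover_scenario():
    """Constructed timeline: a priority-100 backup behind a priority-110 master."""
    node = VirtualCluster(priority=100, interval=5.0, preempt=True, last_adv=0.0)
    node.receive_adv(5.0, 110)    # healthy master, one advertisement per interval
    node.receive_adv(10.0, 110)
    node.receive_adv(21.0, 110)   # two advertisements lost, the next one heard in time
    node.tick(30.0)               # 9 s of silence: still inside the timeout
    node.tick(36.0)               # 15 s = three intervals: master declared down
    node.receive_adv(40.0, 110)   # old master is back and outranks this node
    node.receive_adv(45.0, 0)     # it shuts down cleanly with a priority-0 advertisement
    return node


def preempt_scenario(preempt_on):
    """A priority-200 backup hears a priority-110 master; preempt decides the outcome."""
    node = VirtualCluster(priority=200, preempt=preempt_on, last_adv=0.0)
    node.receive_adv(5.0, 110)
    return node.state
```

After failover_scenario() the node is master with "transition to master: 2", "quit master: 1", "VRRP loss: 1" and "quick transition: 1", the same counters this command reports; the 21 s gap is the case the "VRRP loss" counter exists for, a sign of packet loss that did not yet cause a failover. Raising the interval lengthens the outage window (three intervals) but makes the cluster more tolerant of such loss; discreet backup mode addresses the same problem via the heartbeat cable instead.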
clear statistics cluster virtual [interface_name] [cluster_id]
This command is used to remove the cluster statistics on the specified interface for either the specified virtual cluster or all virtual clusters. By default, "interface_name" is set to all, which removes the statistics on all interfaces. By default, "cluster_id" is set to 0, which removes the statistics for all virtual clusters.

cluster virtual arp interval [seconds]
This command is used to set the interval at which a master broadcasts gratuitous ARP.
seconds: 0, or any integer from 30 to 65535, in seconds. It defaults to 60 seconds. 0 means that a device only broadcasts gratuitous ARP when it switches to the Master state.
Chapter 12 Global Server Load Balancing

Basic SDNS Commands

sdns on [check|nocheck]
This command enables the SDNS function on the APV appliance (if licensed) and sets whether the health status of VIPs is checked (CHECK) or not (NOCHECK). It defaults to CHECK. This toggle command only affects the appliance on which it is executed.
sdns nocheck <ip_address>
This command is used to add a nocheck IP address.

show sdns nocheck
This command is used to display the SDNS nocheck IP addresses.

no sdns nocheck <ip_address>
This command is used to remove a nocheck IP address.

clear sdns nocheck
This command is used to remove all nocheck IP addresses.

sdns off
This command disables the SDNS function on the APV appliance (if licensed).

show sdns status
This command is used to display the status of SDNS.
The output of this command is as follows:
AN(config)#show sdns status
Smart DNS: ON CHECK
Member Name: APV1
Local Addr: 10.3.55.200
Heartbeat Timer: 2
Report Interval: 30
Is running: no
sdns statistics on

clear sdns all
This command is used to clear all SDNS configured data (members, sites, groups, etc.) and reset the SDNS parameters (heartbeat frequency, status report frequency) to their default values.

show sdns all
This command is used to display all SDNS configured data (members, sites, groups, etc.) and the SDNS parameters (heartbeat frequency, status report frequency).

sdns interval heartbeat [seconds]
This command is used to specify the interval at which an APV appliance sends heartbeat messages to all other members in an SDNS network. SDNS members use heartbeat messages to determine the health of the other members on the network. The "seconds" parameter must be a positive integer from 1 to 86400. The default value is 2 seconds. If the value is 0 or negative, or larger than the maximum of 86400, an error is reported and the configuration does not take effect.

sdns interval report [seconds]
This command is used to set the interval at which HTTP proxy cache servers report their local status information to the SDNS servers in the SDNS network. The "seconds" parameter must be a positive integer from 1 to 86400. The default value is 30 seconds. If the value is 0 or negative, or larger than the maximum of 86400, an error is reported and the configuration does not take effect.
SDNS Member

sdns member attribute <member_name> <ip> [port] [member_type]
This command is used to create a member of an SDNS network or modify the current parameters of a member.
member_name: A string of alphanumeric characters identifying the specified APV appliance. It is recommended, though not required, that administrators use the host name assigned to the APV appliance.
ip: The IP address assigned to the specified APV appliance, in dotted decimal notation.
port: The communication port. Optional; if not specified it defaults to 5888. Valid values are 1 to 65535.
member_type: The type of the member in the SDNS network: "dns", "proxy" or "all" (the default). "dns" means the APV appliance is an SDNS server; "proxy" means it is an HTTP proxy cache server; "all" means it can be an HTTP proxy cache server and an SDNS server at the same time.

sdns member local <member_name> [max_tcp_connections]
Each SDNS member is configured with the other members of the network, and one of them is designated as the local member with this command. Because the information of all members (name, IP address, port and type) may be configured on every member so that they can communicate with each other, every member must assign itself as the local member for the whole system to work normally. The optional "max_tcp_connections" parameter specifies the maximum number of TCP connections the APV appliance may accept; the overflow algorithm uses this value. If not specified, it defaults to 1000.

no sdns member <member_name>
This command is used to remove the specified SDNS member.

show sdns member [member_name]
This command is used to display the specified SDNS member. If "member_name" is not specified, all members are shown.

show sdns method [method_name]
This command is used to display the host(s) associated with an SDNS method.

clear sdns member
This command is used to delete all SDNS members.
SDNS Disaster Recovery (DR) Group

sdns group dr <group_name> <host_name>
This command allows users to create a DR group for the specified host. A group is uniquely identified by its group name. Users should create a DR group for each domain name that requires the DR service.
host_name: In the "www.xyz.com" format.

sdns group disable <group_name> {primary|standby}
This command is used to manually disable the primary or standby subgroup of the specified DR group. After it is executed: if only the primary subgroup is disabled, traffic is routed to the standby sites; if the standby is disabled while the service is currently served by the primary, there is no impact on traffic; if both the standby and the primary are disabled, the service is interrupted.

sdns group enable <group_name> {primary|standby}
This command is used to manually enable the primary or standby subgroup of the specified DR group.

sdns group preempt <group_name> {0|1}
This command is used to set or reset the preempt flag for the specified group, which should be a DR group. If a DR group works in preempt mode, the primary site takes control back whenever it recovers from a failure. In non-preempt mode, a recovered primary assumes the standby role as long as the previous standby is fully functioning. The preempt value can be 0 (reset) or 1 (set).

[no] sdns group standby <group_name> <site_name>
This command is used to add a site to the standby subgroup of a DR group. The group and the site must both be defined before running this command. The "no sdns group standby" form removes a site from the standby subgroup.

[no] sdns group primary <group_name> <site_name>
This command is used to add a site to the primary subgroup of a DR group. The group and the site must both be defined before running this command. The "no sdns group primary" form removes a site from the primary subgroup.

sdns group switch <group_name>
This command allows users to manually switch the specified DR group. Before using it, make sure the DR group is working in non-preempt mode and that the primary site is "Inactive" while the standby site is "Active". The command sets the primary site "Active" and the standby site "Inactive". Use this command with caution: make sure both the primary site and the standby site are functioning normally before switching the group, otherwise the service may be interrupted.

show sdns group [group_name]
This command is used to display the group specified by "group_name". If no group name is specified, all groups are displayed.
Example:
AN(config)#show sdns group Array
Name   Type  Domainname   Primarystatus  Standbystatus  ManuallySwitch
Array  p/s   www.xyz.com  inactive       inactive       off

no sdns group dr <group_name>
This command is used to remove the specified DR group.
SDNS Site

sdns site location <site_name> [weight]
This command is used to create a site with the name given by "site_name" and assign it a weight. A site is a logical concept: whether a member belongs to a site is not limited by its physical location. The default site weight is 0. When a DNS resolution is located in a site, a member of the highest-weighted site is chosen.
Note: The maximum combined number of configurable sites and regions is 64.

sdns site distance <site_name1> <site_name2> <distance>
This command is used to set the distance between two SDNS sites. The "distance" parameter is an integer: the smaller the value, the shorter the physical distance between the two SDNS sites; the larger the value, the longer the physical distance.

[no] sdns site member <site_name> <member_name>
This command is used to add a member to the specified site. The "no sdns site member" form removes a member from the site.

no sdns site distance <site_name1> <site_name2>
This command is used to remove the distance setting between the two specified SDNS sites.

no sdns site location <site_name>
This command is used to remove the specified SDNS site.

clear sdns site all
This command is used to delete all SDNS site settings, including sites and distances.

clear sdns site distance
This command is used to remove all SDNS distance settings.

clear sdns site location
This command is used to remove all SDNS site settings.

show sdns site [site_name]
This command is used to display the settings of the specified SDNS site. If no site name is given, the settings of all SDNS sites are displayed.

show sdns sitemap [site_name1] [site_name2]
This command is used to display the distance setting between the two specified sites. If no site name is specified, all distance settings defined between sites are displayed. If only one site is specified, all distance settings involving that site are displayed.
SDNS Proximity

[no] sdns proximity <source_ip> <net_mask> {site|region_name} [priority]
This command is used to define a proximity rule, i.e., a relationship between a range of IP addresses (defined by "source_ip" and "net_mask") and a site or region (defined by "site|region_name"). If the source IP of a request falls within the specified IP address range, the request is considered to be in the specified site/region. The "priority" parameter is optional; by default the priority of a rule is 0.
If the host method of a domain name is configured as "proximity" by the "sdns host method" command, only the site name form is valid. The system first locates a resolving request on the specified site according to the IP range and the priority, and then on the site determined by the values configured with the "sdns site distance" command.
If the host method of a domain name is configured as "region" by the "sdns host method" command, the "site|region_name" parameter corresponds to a pool. The system locates a resolving request on the specified site or region according to the IP range and the priority, and then returns the host IPs according to the rules of that pool.
Note: Two proximity rules are allowed to overlap in their source IP ranges. SDNS performs a longest match when that happens. For instance, it is possible to define the following two rules:
AN(config)#sdns proximity 210.52.24.0 255.255.255.0 dallas
AN(config)#sdns proximity 210.52.0.0 255.255.0.0 south
where "dallas" and "south" are two sites. An address in 210.52.24.0/24 is considered to be in "dallas"; an address in 210.52.0.0/16 but not in 210.52.24.0/24 is considered to be in "south". By default a longest match determines the best matching rule. If the best match cannot be decided by longest match (two matching rules with the same prefix length), "priority" is used, and the matching rule with the highest priority is chosen.
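The longest-match rule with priority as the tie-breaker, as an added Python lookup written for this page (not ArrayOS code). It reuses the two rules from the note above and adds constructed rules for the tie case and for an IP-region rule, which the "sdns ipregion proximity" command below gives a default priority of 65534; the example addresses 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not from the page.

```python
# Added illustration of proximity rule matching; not ArrayOS code.
# Longest prefix wins; among equally long matches the highest priority wins.
import ipaddress


def proximity_rule(source_ip, net_mask, target, priority=0):
    """One manual rule, mirroring: sdns proximity <source_ip> <net_mask> <site|region> [priority]."""
    net = ipaddress.ip_network(f"{source_ip}/{net_mask}", strict=False)
    return (net, target, priority)


def ipregion_rules(networks, target, priority=65534):
    """Rules derived from an IP region: one per prefix, default priority 65534 as on the page."""
    return [(ipaddress.ip_network(n), target, priority) for n in networks]


def locate(rules, client_ip):
    """Site or region a client address is considered to be in, or None when no rule matches."""
    ip = ipaddress.ip_address(client_ip)
    best_key, best_target = None, None
    for net, target, priority in rules:
        if ip in net:
            key = (net.prefixlen, priority)      # longer prefix first, then higher priority
            if best_key is None or key > best_key:
                best_key, best_target = key, target
    return best_target


RULES = [
    proximity_rule("210.52.24.0", "255.255.255.0", "dallas"),        # from the page
    proximity_rule("210.52.0.0", "255.255.0.0", "south"),            # from the page
    proximity_rule("198.51.100.0", "255.255.255.0", "east", 5),      # constructed: same range,
    proximity_rule("198.51.100.0", "255.255.255.0", "west", 1),      # priority decides
] + ipregion_rules(["203.0.113.0/24"], "apac")                       # constructed IP-region rule
```

locate(RULES, "210.52.24.7") returns "dallas", "210.52.1.1" falls through to "south", the two equal-length 198.51.100.0/24 rules resolve to "east" on priority, and an address no rule covers returns None, which is the case to watch when a proximity host method is in use.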
clear sdns proximity
This command is used to clear all proximity rules.

show sdns proximity [all]
This command is used to display all proximity rules. If the optional parameter "all" is given, both the manually created rules and the rules created from IP regions are displayed; rules preceded by a hash sign (#) were created from an IP region.

sdns ipregion proximity <ipregion_name> {site|region} [priority]
This command is used to define an SDNS proximity rule for the specified IP region. If the source IP address of a DNS request hits any entry in the IP region, the request is considered to be in the specified SDNS site/region.
ipregion_name: The name of the IP region.
site|region: The name of a site/region defined in SDNS.
priority: Optional. Sets the proximity priority of the SDNS site/region; the default value is 65534.

show sdns ipregion proximity
This command is used to display all SDNS proximity rules for IP regions.

no sdns ipregion proximity <ipregion_name>
This command is used to remove the SDNS proximity rule for the specified IP region.
ipregion_name: The name of the IP region.

clear sdns ipregion proximity
This command is used to clear all SDNS proximity rules for IP regions.
SDNS Overflow Chain

[no] sdns overflow chain <chain_name>
This command allows users to create an overflow chain. The TCP-connection-based overflow algorithm requires an overflow chain that defines how a member/site handles overflow traffic. An overflow chain is a list of members. This command creates an empty chain; use "sdns overflow member" to add members and "no sdns overflow member" to remove them. The "no" form removes the chain.

sdns overflow member <chain_name> <member_name>
This command is used to add a member to the specified overflow chain.

no sdns overflow member <chain_name> <member_name>
This command is used to remove the specified member from the overflow chain given by "chain_name".

show sdns overflow [chain_name]
This command is used to show the contents of the specified overflow chain. If no chain name is specified, the APV appliance displays all overflow chains.

sdns persistent timeout <seconds>
This command is used to set the SDNS persistence timeout, in seconds. The default timeout is 3600 seconds.

no sdns persistent timeout
This command is used to restore the SDNS persistence timeout to its default value of 3600 seconds.
SDNS Region

sdns region location <region_name> [region_weight]
This command allows users to create an SDNS region with the name given by "region_name". The weight parameter is optional and defaults to 0. When a DNS resolution reaches a region (by proximity), the weights are compared: if the weight of this region's parent region is higher, the pool corresponding to the parent region returns the IP address. There is no need to compare the weight of this region with the weight of its child regions. The maximum combined number of configurable regions and sites is 64.

sdns region division <region_name> {region|site_name}
This command is used to add the specified site or region to the region given by "region_name".

no sdns region division <region_name> {region|site_name}
This command is used to remove the specified region or site from an SDNS region.

no sdns region location <region_name>
This command allows users to remove an SDNS region.

clear sdns region location
This command allows users to remove all SDNS regions.

show sdns region [region_name]
This command is used to display the information of the SDNS regions, including name, ID, bandwidth limit, weight, parent region and child regions.

clear sdns secondary
This command is used to reset all SDNS configuration except the member settings.
SDNS Bandwidth

sdns bandwidth {region|site|member|vip|host} {region|site|member|host_name|ip address} <bandwidth> <mode> [region|site]
This command allows users to define the maximum bandwidth and the statistical mode of a region, site, member, VIP or host.
The following modes apply to member, site, region or VIP bandwidth:
Mode        Meaning
inout       bandwidth = inbound + outbound
in          bandwidth = inbound
out         bandwidth = outbound
maxinout    bandwidth = max(outbound, inbound)
halfinout   bandwidth = (outbound + inbound) / 2
[Figure: a member with its inbound and outbound traffic.]
The following modes apply to host based bandwidth management:
Mode                    Meaning
request and response    bandwidth = client req + client rsp + server req + server rsp
request                 bandwidth = client req + server req
response                bandwidth = client rsp + server rsp
[Figure: Client - APV - Server, showing the client request, client response, server request and server response legs.]
Different numbers stand for the different modes:
- For member/site/region/VIP: 1 = inout; 2 = in; 3 = out; 4 = maxinout; 5 = halfinout.
- For host: 6 = request and response; 7 = request; 8 = response.

no sdns bandwidth {region|site|member|vip|host} {region|site|member|host_name|ip address} {region|site_name}
This command is used to delete the maximum bandwidth of a region, site, member, VIP or host.

clear sdns bandwidth
This command is used to remove all bandwidth settings.

show sdns bandwidth [region|site|member|vip|host] [region|site|member|host_name|ip_address]
This command is used to display the region/site/member/VIP/host bandwidth information. If the "region|site|member|vip|host" parameter is omitted, all bandwidth information is displayed.
SDNS Alias

sdns alias <alias_name> <host_name>
This command is used to set an alias for a domain name for SDNS bandwidth purposes.
alias_name: The alias assigned to the domain name, in the "www.xyz.com" format.
host_name: The domain name, in the "www.xyz.com" format.

no sdns alias <alias_name>
This command allows users to delete an alias of the specified domain name.

clear sdns alias
This command is used to remove all SDNS aliases.

show sdns alias [alias_name]
This command is used to display the host information of the specified alias. If no alias is specified, the host information of all aliases is displayed.
SDNS Pool

sdns pool method {region|site} <host_name> <pool_method> <number_of_vips> [pool_type]
This command allows users to create an SDNS pool for the specified region or site for a domain name. The pool's name is the same as the region or site name.
host_name: The domain name.
pool_method: Round Robin (rr), Weighted Round Robin (wrr), IP Overflow (ipo), Hash IP (hi), Persistent IP (pi) or Simple Network Management Protocol (snmp).
number_of_vips: The number of VIPs returned when the method chooses VIPs from the pool.
pool_type: A or CNAME.

sdns pool rule {region|site} <pool_method> <number_of_vips>
This command is used to create an SDNS rule for a region/site. A rule is associated with a pool, i.e. with a region/site. Through the rule, a domain name and a pool are associated with each other.
pool_method: Round Robin (rr), Weighted Round Robin (wrr), IP Overflow (ipo), Hash IP (hi), Persistent IP (pi) or Simple Network Management Protocol (snmp).
number_of_vips: The number of VIPs returned when the method chooses VIPs from the pool.

sdns pool snmp {region|site} {asc|des} <snmp_service1> [weight1] [snmp_service2] [weight2] [snmp_service3] [weight3]
This command is used to configure the SNMP services for a pool using the "snmp" method.
asc|des: Ascending or descending mode.
If only one service is selected, no weight needs to be set for it. SDNS resolves a host name to the IP address whose value for the SNMP service is the maximum in "des" mode, or the minimum in "asc" mode. When more than one SNMP service is selected, a weight must be set for each SNMP service.

no sdns pool snmp
This command is used to remove SNMP configuration from an SDNS pool.

sdns pool ip {host|rule_name} <pool_name> <vip> [weight]
This command allows users to add a VIP to the pool given by "pool_name" under the specified host or rule. The pool must first be defined with the "sdns pool method" command.
host|rule_name: The domain name or rule name the pool belongs to.
pool_name: The region or site name that matches the pool.
vip: The IP address to add to the pool. A pool can hold at most 32 VIPs.
weight: Optional; used when the pool method is Weighted Round Robin. The default is 1.

sdns persistence timeout <minutes>
This command is used to set the timeout for the "pi" pool method. The default timeout is 60 minutes.

no sdns pool ip {host|rule_name} <pool_name> <vip>
This command is used to delete a VIP from the specified pool under a host or a rule.

no sdns pool method
This command allows users to delete the specified pool under a host.

no sdns pool rule
This command is used to remove a rule from the specified pool.

show sdns pool {host|rule_name}
This command is used to display SDNS host/rule and pool information.
192
show sdns pool_ip<br />
This command is used to display IP information about SDNS pools.<br />
show sdns snmp group [group_name]<br />
The command is used to display SDNS SNMP groups.<br />
show sdns snmp interval<br />
©2011 Array Networks, Inc.<br />
All Rights Reserved.<br />
Chapter 12 Global Server Load Balancing<br />
The command is used to display SDNS data collection interval by SNMP in seconds.<br />
show sdns snmp ip<br />
This command is used to display the SNMP configuration information about the VIPs in<br />
the address pool.<br />
no sdns snmp ip <br />
The command is used to remove a host’s SNMP configuration.<br />
clear sdns snmp ip<br />
This command is used to clear the SNMP configuration information about the VIPs in the<br />
address pool.<br />
sdns host rule <br />
This command allows users to associate the specified rule with the specified host.<br />
no sdns host rule <br />
This command is used to delete the relationship between an SDNS host and a rule.<br />
clear sdns pool {host|rule_name} <br />
This command allows users to remove the pool under a host/rule.<br />
show sdns rule<br />
This command is used to display all the rules and related host names and pools.<br />
sdns pool ipo preempt {on|off}<br />
This command is used to turn the SDNS pool ipo preemption on or off for a pool using the “ipo” method. If it is set to on, the VIPs with the highest priority in the pool will be selected; otherwise, the last selected VIPs in the pool remain chosen until they all stop working, regardless of whether healthy VIPs with higher priorities exist.<br />
sdns pool ipo reset [desired_priority]<br />
This command is used to manually preempt when SDNS pool ipo preemption is off. The “desired_priority” parameter is optional and defaults to 0. If the “desired_priority” parameter is specified, the healthy VIPs with the desired priority in the pool using the “ipo” method will be selected by this command. If no healthy VIP with the desired priority is available in the pool, the healthy VIPs with the highest priority in the pool will be selected. If the “desired_priority” parameter is not specified, the healthy VIPs with the highest priority in the pool will be selected.<br />
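As an added example that is not part of the handbook, the following Python models the VIP selection behaviour described for “sdns pool ipo preempt” and “sdns pool ipo reset”, so the difference between preemption on and off after a site recovers can be seen directly. It assumes that a larger priority number means a higher priority, that with preemption off the pool falls back to the highest-priority healthy VIPs once every previously selected VIP has failed, and that a desired_priority of 0 means “not specified”.

```python
from dataclasses import dataclass


@dataclass
class Vip:
    ip: str
    priority: int        # assumption: a larger number means a higher priority
    healthy: bool = True


def highest_priority_healthy(pool):
    """All healthy VIPs that share the highest priority among the healthy VIPs."""
    up = [v for v in pool if v.healthy]
    if not up:
        return []
    top = max(v.priority for v in up)
    return [v for v in up if v.priority == top]


def select_vips(pool, preempt_on, current):
    """One selection round for a pool using the "ipo" method.

    current: the VIPs chosen in the previous round (empty on the first round).
    preempt on  -> always the highest-priority healthy VIPs.
    preempt off -> keep the previously selected VIPs while any of them still
                   works; only when they have all failed does selection move on
                   (assumption: it then falls back to the highest-priority
                   healthy VIPs, the same choice a reset without a priority makes).
    """
    if preempt_on:
        return highest_priority_healthy(pool)
    still_up = [v for v in current if v.healthy]
    if still_up:
        return still_up
    return highest_priority_healthy(pool)


def ipo_reset(pool, desired_priority=0):
    """Manual preemption, following the "sdns pool ipo reset" description.

    desired_priority defaults to 0, which is treated here as "not specified".
    """
    if desired_priority:
        wanted = [v for v in pool if v.healthy and v.priority == desired_priority]
        if wanted:
            return wanted
    return highest_priority_healthy(pool)


def ips(vips):
    return sorted(v.ip for v in vips)


def failover_scenario(preempt_on):
    """Constructed walk-through: the primary site fails, then recovers.

    Returns the IPs selected after recovery; they differ with preempt on/off.
    """
    a, b, c = Vip("192.0.2.10", 10), Vip("192.0.2.11", 10), Vip("198.51.100.5", 5)
    pool = [a, b, c]
    chosen = select_vips(pool, preempt_on, [])       # primary site: 192.0.2.10/11
    a.healthy = b.healthy = False                     # primary site goes down
    chosen = select_vips(pool, preempt_on, chosen)   # 198.51.100.5 either way
    a.healthy = b.healthy = True                      # primary site recovers
    chosen = select_vips(pool, preempt_on, chosen)
    return ips(chosen)
```

With preemption off, traffic stays on the lower-priority site after the primary recovers until an operator runs the reset, which is the trade-off the two commands above describe.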
sdns snmp group service <br />
This command allows users to create an SDNS SNMP service group. The command<br />
should be configured on HTTP proxy cache servers.<br />
no sdns snmp group service <br />
The command is used to remove an SDNS SNMP group.<br />
sdns snmp group member <br />
This command is used to add an SNMP service into an SNMP group. This command<br />
should be configured on HTTP proxy cache servers. Users can decide what SNMP<br />
information should be collected by configuring different SNMP services. The SNMP<br />
services include 6 types:<br />
Service Type Meaning<br />
cpu CPU usage<br />
mem Memory usage<br />
totalconn Total concurrent connections<br />
newconn New connections<br />
throughput Throughput<br />
user User-defined SNMP service<br />
no sdns snmp group member <br />
The command is used to remove an SDNS SNMP group member.<br />
sdns snmp ip [snmp_port]<br />
This command allows users to set the SNMP configurations for a host. This command<br />
should be configured on HTTP proxy cache servers.<br />
snmp_community Specify the SNMP community, which is required for secure information exchange.<br />
snmp_port Specify the port number used by SNMP. Optional, and defaults to 161.<br />
sdns snmp interval <br />
This command is used to set the SDNS data collection interval by SNMP. This command should be configured on HTTP proxy cache servers. The interval time defaults to 300 seconds. Its minimum value is 30 seconds.<br />
sdns snmp version [v1|v2c]<br />
This command is used to set the version of the SNMP protocol used for data collection. The SNMP versions v1 and v2c are supported. By default, version v2c is used.<br />
SDNS IANA<br />
sdns iana import {http|ftp}<br />
This command is used to get an IANA file from the address in HTTP/FTP format.<br />
show sdns iana <br />
By using this command, when you enter an IP address, the corresponding country name<br />
will be returned.<br />
SDNS Host<br />
sdns host method [chain_name]<br />
This command allows users to assign a load balancing algorithm to an SDNS host. The current methods include grr (Global Round Robin), vwgrr (VIP-based Global Weighted Round Robin), gco (Global Connection Overflow), glc (Global Least Connection), proximity, ipo (IP Overflow) and region. Note: If the method is “gco”, the administrator is required to supply an overflow chain. Otherwise, the “chain_name” parameter should not be specified. The SDNS host method defaults to grr.<br />
sdns host ttl <br />
This command is used to set the host’s TTL (Time to Live) value on an SDNS server instead of the value received from an SDNS HTTP proxy APV. The “host_name” parameter is required to be in the format of “www.xyz.com”. The “TTL” value should be in seconds (0 seconds means no cache).<br />
show sdns ttl [host_name]<br />
This command is used to display the host’s TTL settings. If a host name is specified, the<br />
TTL about this host will be displayed. If no host name is specified, the TTL settings about<br />
all existing hosts will be displayed.<br />
no sdns host ttl <br />
This command is used to delete the specified host’s TTL setting on an SDNS server.<br />
clear sdns ttl<br />
This command is used to clear all the hosts’ TTL settings in an SDNS server.<br />
no sdns host method <br />
This command is used to reset the method for the specified host to its default method grr.<br />
show sdns host [host_name]<br />
This command is used to display the specified SDNS host information, including name, method, TTL, the number of up VIPs, the number of down VIPs, and total traffic. If the “host_name” parameter is omitted, all hosts’ information is displayed.<br />
SDNS Backup<br />
sdns backup ip <br />
This command is used to add a backup IP address for a host’s DNS resolving. The backup IP address is used for DNS resolving only when all the other IP addresses are not available.<br />
host_name The domain name to be resolved.<br />
ip The backup IP address used for DNS resolving.<br />
show sdns backup ip [host_name]<br />
This command is used to display all the backup IP addresses for a host. If no host is specified, all the backup IP addresses of all the hosts will be displayed.<br />
host_name Optional; specifies the domain name to be resolved.<br />
no sdns backup ip <br />
This command is used to remove a backup IP address for a host’s DNS resolving:<br />
host_name The domain name to be resolved.<br />
ip The backup IP address used for DNS resolving.<br />
clear sdns backup ip [host_name]<br />
This command is used to remove all the backup IP addresses for a host. If no host is specified, all the backup IP addresses of all the hosts will be removed.<br />
host_name Optional; specifies the domain name to be resolved.<br />
SDNS Full DNS<br />
sdns cname <br />
This command is used to set a new CNAME RR (Resource Record) for a host. The “host_name” and “alias” parameters should be in the format of “www.xyz.com”.<br />
sdns pool cname <br />
This command is used to add a CNAME RR of a host to a pool.<br />
no sdns cname <br />
This command is used to delete a CNAME RR for a host.<br />
no sdns pool cname <br />
This command is used to remove a CNAME RR of a host from the pool defined by the “pool_name” parameter.<br />
clear sdns cname<br />
This command is used to remove all SDNS hosts’ CNAME RR.<br />
show sdns cname [domain_name]<br />
This command is used to display all SDNS hosts’ CNAME RR information.<br />
sdns ipv6 <br />
This command is used to add a new IPv6 RR (Resource Record) for a domain name. The “host_name” parameter is configured in the format of “www.xyz.com”. The “ipv6_address” parameter should be configured in the format of “ff:fe::0”.<br />
show sdns ipv6<br />
The command is used to display all SDNS hosts’ IPv6 information.<br />
no sdns ipv6 <br />
The command is used to delete an IPv6 RR from the specified host.<br />
clear sdns ipv6 [host_name]<br />
This command is used to clear the SDNS host’s IPv6 RRs. If a host name is specified, the IPv6 RRs of this host will be cleared. If no host name is specified, the IPv6 RRs of all existing hosts will be cleared.<br />
sdns pool ipv6 <br />
This command is used to add an IPv6 address into SDNS pools. The “ipv6_address” parameter should be configured in the format of “ff:fe::0”.<br />
no sdns pool ipv6 <br />
The command is used to remove an IPv6 address from a specified pool.<br />
sdns recursion {on|off}<br />
This command allows users to turn on/off the SDNS recursive query function.<br />
SDNS DPS (Dynamic Proximity System)<br />
SDNS DPS Server<br />
sdns dps {on|off}<br />
This command is used to turn on or off the SDNS dynamic proximity function.<br />
sdns dps master {on|<strong>of</strong>f} <br />
This command is used to start or stop an SDNS DPS master, which gets and sends a list of local DNS addresses to DPS detectors. The “port” parameter specifies the master broadcast port number; it is optional and defaults to 55456.<br />
sdns dps interval send <br />
This command is used to set the interval of sending a list of local DNS IP addresses.<br />
sdns dps interval query <br />
This command is used to set the interval of an SDNS dynamic proximity query.<br />
show sdns dps interval {send|query}<br />
This command is used to display the SDNS dynamic proximity send or query interval.<br />
sdns dps history <br />
This command is used to set the time span (in seconds) of history data that a detector detects. The “interval” parameter defaults to 9000 seconds.<br />
show sdns dps history<br />
The command is used to display the time span of the detected SDNS dynamic proximity history data.<br />
sdns dps member <br />
This command is used to add a DPS server into the DPS member list, so that DPS detectors can allow or forbid query connections according to the DPS member list. It can only be applied on the DPS master.<br />
Note: If the member has many interfaces and many IPs (multiple links), they should all be added into the DPS master’s member list.<br />
show sdns dps member<br />
The command is used to display SDNS dynamic proximity member information.<br />
no sdns dps member <br />
The command is used to remove an SDNS dynamic proximity member.<br />
clear sdns dps member<br />
The command is used to remove all the SDNS dynamic proximity members.<br />
sdns dps detector [port] [detect_interval]<br />
This command is used to configure/add one SDNS DPS detector, one IP to one site only. The site must already have been defined in the SDNS configuration. The “port” parameter specifies the detector’s port number; it is optional and defaults to 44544. The “detect_interval” parameter sets the time interval (in seconds) for detecting local DNS servers. It defaults to 900.<br />
show sdns dps detector<br />
This command is used to display information about all the SDNS DPS detectors, including IP address, port, interval and location site.<br />
no sdns dps detector <br />
This command is used to remove the specified DPS detector.<br />
clear sdns dps detector<br />
This command is used to clear all the SDNS DPS detectors.<br />
sdns dps method [weight_of_rtt] [weight_of_plr] [weight_of_hops]<br />
This command is used to set the dynamic proximity method of the SDNS DPS server. Four methods are supported: RTT, PLR, HOPS and MIX. The default method is RTT. If you choose the MIX method, the “weight_of_rtt”, “weight_of_plr” and “weight_of_hops” parameters may optionally be set; each ranges from 0 to 9. The default weight of the RTT, PLR or HOPS method is 1.<br />
Dynamic Proximity Method Description<br />
RTT If the method is set to RTT, the DPS detector will detect the round trip time.<br />
PLR If the method is set to PLR, the DPS detector will detect the packet loss rate.<br />
HOPS If the method is set to HOPS, the DPS detector will detect the number of hops between the local DNS and the proximity site.<br />
MIX If the method is set to MIX, the DPS detector will detect a mixed value (weight*rtt + weight*plr + weight*hops).<br />
show sdns dps method<br />
This command is used to display the SDNS DPS method information.<br />
show sdns dps status<br />
This command is used to display the SDNS DPS status information.<br />
For example:<br />
APV1(config)#show sdns dps status<br />
SDNS DPS service is running.<br />
SDNS DPS Master service is running.<br />
DPS detector status:<br />
10.3.17.19 beijing DOWN<br />
172.16.63.204 chengdu DOWN<br />
Note: “FORBID” status means the DPS detector is up, but member’s IP address is<br />
not in DPS master’s member list. “CONNECTING” status means the TCP<br />
connection has been established, but the queried data has not been returned.<br />
show sdns dps proximity ip [source ip]<br />
This command is used to sort all dynamic proximity rules by IP addresses. The “source<br />
ip” parameter is optional. If it is specified, the corresponding dynamic proximity rule will<br />
be displayed.<br />
show sdns dps proximity site [site_name]<br />
This command is used to sort all dynamic proximity rules by sites. The “site_name”<br />
parameter is optional. If it is specified, the dynamic proximity rule pointing to the site<br />
will be displayed.<br />
clear sdns dps history<br />
This command is used to remove the dynamic history data and dynamic proximity rules.<br />
sdns dps dump<br />
This command is used to dump the dynamic history data into proximity rules.<br />
sdns dps write proximity file <br />
This command is used to save all SDNS dynamic proximity rules to local storage.<br />
file_name The user-assigned name for the file which saves the configurations.<br />
sdns dps write proximity scp {remote_server_ip|name} <br />
<br />
This command is used to store all SDNS dynamic proximity rules on the remote server. The IP address (in quotation marks) or the name of the server, the user’s name for the remote machine being accessed (a password prompt for the remote machine will appear), the remote file path and the remote file name need to be supplied.<br />
sdns dps write proximity tftp <br />
This command is used to save all SDNS dynamic proximity rules to the specified remote<br />
TFTP server.<br />
ip The IP address of the remote TFTP server.<br />
file_name The user-assigned name for the file which saves the configurations.<br />
show sdns dps localdns [ip_address]<br />
This command is used to display the following information for local DNS addresses:<br />
- IP address: The IP address of a local DNS.<br />
- Default Region: The region which corresponds to the default proximity rule (static rule with priority 0) that the local DNS hits.<br />
- Best Site: The site which corresponds to the dynamic proximity rule that the local DNS hits.<br />
- RTT: Round-trip time in milliseconds.<br />
- PLR: Packet loss rate, in %.<br />
- Hops: The number of hops between the local DNS and the proximity site.<br />
Example:<br />
APV(config)#show sdns dps localdns<br />
LocalDNS Default Region Best Site RTT(ms) PLR(%%) Hops<br />
132.236.56.250 N/A beijing 338 0 24<br />
125.46.11.250 N/A beijing 42 0 19<br />
123.2.6.250 N/A shanghai 553 0 22<br />
121.1.3.250 china beijing 170 0 19<br />
152.1.1.248 N/A shanghai 349 0 29<br />
134.214.100.245 N/A beijing 733 0 23<br />
130.207.7.245 N/A shanghai 297 0 21<br />
125.70.254.244 world beijing 40 0 13<br />
130.237.72.238 N/A shanghai 535 0 20<br />
130.206.5.234 N/A shanghai 570 0 31<br />
123.108.255.233 N/A beijing 234 0 21<br />
sdns dps expire <br />
This command is used to set the SDNS DPS expire count. The value of the “count” parameter ranges from 0 to 255. 0 means no expiration.<br />
show sdns dps expire<br />
The command is used to display the count of SDNS dynamic proximity expirations.<br />
SDNS DPS Detector<br />
sdns dps localdetector [detect_port] [dps_port] [detect_timeout]<br />
This command is used to start a local SDNS DPS detector daemon on an APV appliance.<br />
detector_name The name of the detector daemon which will be started.<br />
ip IP address; 0.0.0.0 means listening on all addresses.<br />
interface Interface name; “all” means selecting all available interfaces automatically.<br />
detect_port Listen port for local DNS detecting packets. It ranges from 1025 to 65535, and defaults to 53455.<br />
dps_port Listen port for communicating with SDNS DPS. It ranges from 1025 to 65535, and defaults to 44544.<br />
detect_timeout Timeout for detecting local DNS in seconds. The default value is 30 seconds.<br />
no sdns dps localdetector <br />
The command allows users to terminate a specified local SDNS DPS detector daemon on an APV appliance.<br />
clear sdns dps localdetector<br />
This command is used to terminate all the local SDNS DPS detector daemons on an APV appliance.<br />
show sdns dps localdetector<br />
This command is used to display the configurations and status of all the local SDNS DPS detector daemons on an APV appliance.<br />
show sdns dps all<br />
The command is used to display all the SDNS dynamic proximity configurations.<br />
clear sdns dps all<br />
The command is used to remove all the SDNS dynamic proximity configurations.<br />
SDNS Statistics<br />
sdns statistics on all<br />
This command is used to enable the SDNS statistics function.<br />
sdns statistics off all<br />
This command is used to disable the SDNS statistics function.<br />
sdns statistics on localdns<br />
This command allows users to turn on local DNS statistics of SDNS. The “sdns statistics on all” command must be executed first.<br />
sdns statistics off localdns<br />
This command allows users to turn off local DNS statistics of SDNS.<br />
show statistics sdns localdns all<br />
This command is used to display the statistics of all local DNS that have accessed the SDNS.<br />
show statistics sdns localdns ip <br />
This command is used to display the statistics of the specified local DNS that has accessed the SDNS.<br />
local_dns_ip The IP address of the local DNS.<br />
show statistics sdns localdns host <br />
This command is used to display the local DNS statistics information per host.<br />
show statistics sdns localdns summary<br />
This command is used to display the statistics summary of the local DNS which has accessed the SDNS.<br />
show statistics sdns vip all<br />
This command is used to display all the SDNS virtual IP statistics information.<br />
show statistics sdns vip status {up|down}<br />
This command is used to display SDNS virtual IP statistics information according to the<br />
status. The status is either up or down.<br />
show statistics sdns vip ip <br />
This command is used to display SDNS virtual IP statistics per IP.<br />
show statistics sdns host [host_name]<br />
This command is used to display the SDNS host’s statistics information.<br />
host_name Specify the host name. If no host name is specified, the statistics information of all SDNS hosts will be displayed.<br />
show statistics sdns query all<br />
This command is used to display all the SDNS query statistics information.<br />
show statistics sdns query host [host_name]<br />
This command is used to display the SDNS query statistics information per domain host.<br />
host_name Optional. Specify the name of the domain host. If no host name is specified, the SDNS query statistics for all hosts will be displayed.<br />
Example:<br />
AN(config)#show statistics sdns query host<br />
Host Requests Success Failed Lastminhits Lasthourhits Peakminhits Peakhourhits<br />
www.a.com 23 23 0 0 0 12 20<br />
www.b.com 0 0 0 0 0 0 0<br />
www.c.com 0 0 0 0 0 0 0<br />
www.d.com 0 0 0 0 0 0 0<br />
www.e.com 18 18 0 0 0 14 18<br />
clear statistics sdns host<br />
This command is used to remove SDNS host statistics information.<br />
clear statistics sdns localdns<br />
This command is used to remove the statistics information <strong>of</strong> the local DNS that has<br />
accessed the SDNS.<br />
clear statistics sdns query<br />
This command is used to remove SDNS query statistics information.<br />
clear statistics sdns vip<br />
This command is used to remove SDNS virtual IP statistics information.<br />
Chapter 13 Logging<br />
log {on|off}<br />
This command is used to enable or disable the system logging function. It defaults to off.<br />
log http {squid|common|combined|welf} [vip|novip] [host|nohost]<br />
This command is used to record HTTP access log messages during proxy.<br />
squid|common|combined|welf Specify the format in which HTTP access information is to be logged. It can be set to one of the standard formats: squid, welf, common or combined. To set a custom format, the “log http custom” command should be used.<br />
vip|novip If it is set to “vip”, the VIP (virtual IP) on which the request is received is logged. When “novip” is used, the VIP is not logged. The default value for this parameter is “novip”.<br />
host|nohost If it is set to “host”, the host in the request is logged. When it is set to “nohost”, the host is not logged. The default value for this parameter is “nohost”.<br />
To start logging HTTP access information in the squid format without recording VIP or host information, use the following command.<br />
Example:<br />
AN(config)#log http squid novip nohost<br />
log http custom <br />
This command is used to customize the format in which HTTP access information is to be logged. The format must be enclosed in double quotes. The custom format can be formed using the symbols listed below. Any character in the format string that is not part of the symbols listed below is copied as is to the log message. So, if required, additional text can be included in the format string.<br />
Symbols and their meanings:<br />
Symbol Meaning<br />
%a Cache result<br />
%b Bytes returned by proxy to client<br />
%c Client IP address<br />
%d Date stamp<br />
%e HTTP MIME type information<br />
%f “PROXY_LOG”, tag can be used to distinguish with other logs.<br />
%g Time stamp (military format)<br />
%h Host name as pulled from client host<br />
%i User-agent<br />
%m HTTP method<br />
%n Full date/time stamp [MM/DD/YYYY:HH:MM:SS +/-0000]<br />
%k Session cookies<br />
%p Proxy IP address, VIP<br />
%q A single double quote<br />
%r HTTP return status code<br />
%s Real Server IP address<br />
%t Unix time stamp<br />
%u Request URL<br />
%v Protocol version<br />
%w Referer<br />
%U Full URL<br />
%R Elapsed time, time-taken<br />
%T Time format compatible with W3C (GMT)<br />
%o Port of virtual service<br />
%N Full date/time stamp [DD/MMM/YYYY:HH:MM:SS +/-0000]<br />
%D SSL session ID<br />
%P Real Server port<br />
To start logging HTTP access information, users may customize the format. The following command sets the format to “%c %d %g %k”, which lets the log system record the client IP address, date stamp, time stamp and session cookies.<br />
AN(config)#log http custom "%c %d %g %k"<br />
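As an added example that is not part of the handbook, the following Python turns a “log http custom” format string into a line parser using the symbol table above (literal characters are matched as is, %q matches a double quote, every other symbol becomes a captured field) and then tallies HTTP return status per client, which is the kind of check a log pipeline receiving these messages would run. The field names, the sample lines and the date layout in them are my own constructions, not appliance output.

```python
import re
from collections import Counter

# Symbols of the "log http custom" format, mapped to field names of my own choosing.
# %q (a literal double quote) is handled separately because it captures nothing.
SYMBOLS = {
    "a": "cache_result", "b": "bytes_to_client", "c": "client_ip", "d": "date",
    "e": "mime_type", "f": "tag", "g": "time", "h": "host", "i": "user_agent",
    "m": "method", "n": "datetime_mdy", "k": "cookies", "p": "vip", "r": "status",
    "s": "real_server_ip", "t": "unix_time", "u": "url", "v": "protocol_version",
    "w": "referer", "U": "full_url", "R": "elapsed", "T": "w3c_time",
    "o": "vs_port", "N": "datetime_dmy", "D": "ssl_session_id", "P": "real_server_port",
}


def format_to_regex(fmt):
    """Turn a custom format string into an anchored regex, one named group per symbol."""
    parts = ["^"]
    seen = Counter()
    i = 0
    while i < len(fmt):
        ch = fmt[i]
        if ch == "%" and i + 1 < len(fmt):
            sym = fmt[i + 1]
            if sym == "q":
                parts.append('"')                 # %q is a literal double quote
            elif sym in SYMBOLS:
                name = SYMBOLS[sym]
                seen[name] += 1
                if seen[name] > 1:                # a symbol used twice gets a numbered group
                    name = f"{name}_{seen[name]}"
                parts.append(f"(?P<{name}>.*?)")
            else:
                raise ValueError(f"unknown format symbol %{sym}")
            i += 2
        else:
            parts.append(re.escape(ch))           # any other character is copied as is
            i += 1
    parts.append("$")
    return re.compile("".join(parts))


def parse_line(fmt, line):
    """Parse one log line; returns a dict of fields or None when it does not match."""
    m = format_to_regex(fmt).match(line)
    return m.groupdict() if m else None


def parse_log(fmt, lines):
    """Parse many lines with one compiled pattern; lines that do not match are skipped."""
    pat = format_to_regex(fmt)
    records = []
    for line in lines:
        m = pat.match(line.rstrip("\n"))
        if m:
            records.append(m.groupdict())
    return records


def status_by_client(records):
    """Count (client IP, return status) pairs, e.g. to spot a client drawing many 4xx/5xx."""
    counts = Counter()
    for r in records:
        counts[(r["client_ip"], r["status"])] += 1
    return counts


# Constructed sample: a format that quotes the URL with %q, and lines in that format.
FMT = '%c %d %g %m %q%u%q %r %b'
SAMPLE_LINES = [
    '10.1.2.3 25/Apr/2011 21:05:01 GET "/index.html" 200 512',
    '10.1.2.3 25/Apr/2011 21:05:02 GET "/admin/ login.cgi" 404 128',   # space inside the URL
    '10.9.9.9 25/Apr/2011 21:05:03 POST "/api/v1/login" 500 64',
    'a line that does not follow the format',
]

if __name__ == "__main__":
    for (client, status), n in sorted(status_by_client(parse_log(FMT, SAMPLE_LINES)).items()):
        print(f"{client} {status} {n}")
```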
no log http<br />
This command is used to disable the HTTP access logging function. By default, HTTP<br />
access logging is enabled.<br />
show log config<br />
This command is used to display the current logging configuration.<br />
clear log config<br />
This command is used to return the logging configuration to default settings.<br />
show log buff {forward|backward} [match_str]<br />
This command is used to display the last 500 logged messages, stored in a buffer, in the<br />
order <strong>of</strong> either first received (forward) or last received (backward).<br />
Example:<br />
AN(config)#show log buff backward<br />
clear log buff<br />
This command is used to clear the log buffer.<br />
log facility <br />
This command is used to set the desired log facility to use. The supported facilities are LOCAL0 to LOCAL7. By default, the facility is set to LOCAL0.<br />
Example:<br />
AN(config)#log facility LOCAL1<br />
log host [port] [udp|tcp] [host_id]<br />
This command is used to set the remote host that is running syslog, to which the log messages will be sent.<br />
host_ip The address of the remote host in dotted IP format.<br />
port The remote port. Optional, and defaults to 514.<br />
udp|tcp The protocol to be used, UDP or TCP; set to “udp” by default.<br />
host_id Optional; an identifier for a syslog server. It ranges from 0 to 65535, and defaults to 0. All logs will be sent to the syslog servers whose host_id is 0 without any filtering. The host ID of multiple syslog servers can be set to 0 simultaneously.<br />
Note: Make certain that the assigned logging host is prepared to receive syslog messages. The log server is configured by configuring syslogd in the APV appliance.<br />
AN(config)#log host 10.3.53.3 (Set the remote log host to 10.3.53.3 at UDP port 514.)<br />
AN(config)#log host 10.3.53.3 555 (Set the remote log host to 10.3.53.3 at UDP port 555.)<br />
AN(config)#log host 10.3.53.3 44 tcp (Set the remote log host to 10.3.53.3 at TCP port 44.)<br />
log source port <br />
This command is used to set the source port from which all log messages should be sent by the APV appliance. The default value is 514, which is the syslog port.<br />
Example:<br />
AN(config)#log source port 555<br />
log level <br />
This command is used to set the log level at which the system will either process messages or ignore them. The valid values for the log level are emerg, alert, crit, err, warning, notice, info, and debug. Once a level is set, messages below that level will be ignored. To have the log system record all debug information and all messages whose level is higher than debug, configure the following command:<br />
AN(config)#log level debug<br />
log alert [data|count]<br />
This command is used to configure the APV appliance to send an email to the specified email address whenever a log message containing the specified string “expression” is generated.<br />
id Identifies the log alert rule.<br />
interval Specify the interval between two consecutive emails, in minutes. The interval can be any number from 0 to 10000. When the interval is set to 0, an email is sent the moment a matching log entry is generated.<br />
data|count By default, the matching log messages are sent as data in the email. “count” means sending just the count of matching log messages in the mail.<br />
The configured log alerts can be viewed using the “show log config” command. To resolve the email address, your name server (DNS) should be set using the “ip nameserver” command on the APV appliance.<br />
For example, to set log alert id 1 to send mail to “xyz@arraynetworks.com.cn” every 1 minute whenever the log message includes the string “sdns”, execute the following command.<br />
AN(config)#log alert 1 "sdns" "xyz@arraynetworks.com.cn" 1 "data"<br />
After the above setting is applied, the following mail will be received in the mailbox.<br />
From: AN<br />
To: Alert Log System Operator(s)<br />
Subject: Log Alert ID: 1 - sdns<br />
MIME-Version: 1.0<br />
Apr 25 21:05:01 CLI: cmd “log alert 2 “sdns” “xyz@arraynetworks.com.cn” 0 “data””<br />
Apr 25 21:05:11 CLI: cmd “sdns on”<br />
Apr 25 21:05:12 CLI: cmd “sdns off”<br />
log option logid {on|off}<br />
This command is used to enable or disable adding the log ID to log messages, both in the APV appliance log buffer and in the log messages that will be sent to log servers.<br />
log option levelinfor {on|off}<br />
This command is used to enable or disable adding the level information to the logs that will be sent to log servers.<br />
no log host [port] [protocol]<br />
This command is used to remove the remote host that is running syslog, where the log<br />
messages will be sent. The “protocol” parameter is optional and is set to “udp” by default.<br />
no log alert <br />
This command is used to delete a log alert specified by the “id” parameter.<br />
show log alert<br />
This command is used to show all log alert configurations.<br />
clear log alert<br />
This command is used to clear all log alert configurations.<br />
log test<br />
This command is used to generate a test log message at the level “emerg”.<br />
log timestamp {on|off}<br />
This command is used to turn on/off appending a timestamp to the log.<br />
log filter <br />
This command is used to create a log filter for a specified syslog host. “host_id” is the ID set by the “log host” command, and should be an integer greater than 0. The value of “filter_id” is in the range from 1 to 3. “filter_string” can’t be empty. The filter string is case insensitive.<br />
no log filter &lt;host_id&gt; [filter_id]<br />
This command is used to clear the defined log filters.<br />
filter_id Optional; it is set to 0 by default. If it is set to 0, all filters<br />
set on this host will be cleared.<br />
Chapter 14 Link Aggregation<br />
The link aggregation configuration commands allow users to set the parameters needed to<br />
use this functionality.<br />
bond name &lt;bond_id&gt; &lt;bond_name&gt;<br />
This command allows users to assign a name to the specified bond interface. The <strong>APV</strong><br />
appliance supports at most 6 bond interfaces.<br />
bond_id Default bond interface ID (bond1, bond2, bond3, bond4,<br />
bond5 and bond6) for the bond interfaces on the <strong>APV</strong><br />
appliance.<br />
bond_name A network interface name specified by an alphanumeric<br />
string; its default values are respectively bond1, bond2,<br />
bond3, bond4, bond5 and bond6.<br />
bond interface &lt;bond_name&gt; &lt;interface_name&gt; [1|0]<br />
This command allows users to add a system interface to the specified bond interface. At<br />
most 12 system interfaces can be added to a bond interface.<br />
The parameter “1|0” can be used to set the interface as one <strong>of</strong> the primary (1) or backup<br />
(0) interfaces in the bond. Multiple primary or backup interfaces can be set in the bond.<br />
When all the primary interfaces in the bond fail, the backup interfaces will take the place<br />
<strong>of</strong> primary interfaces to work.<br />
bond_name A network interface name specified by an alphanumeric<br />
string; its default values are bond1, bond2, bond3 and<br />
bond4.<br />
interface_name A network interface name specified by an alphanumeric<br />
string; port1|port2|port3|port4|…| are the default interface<br />
names. The interface can be set by using the command<br />
“interface name”.<br />
1|0 1: Sets the interface as one <strong>of</strong> the primary interfaces in the<br />
bond. By default, 1 applies.<br />
0: Sets the interface as one <strong>of</strong> the backup interfaces in the<br />
bond.<br />
no bond interface &lt;bond_name&gt; &lt;interface_name&gt;<br />
This command allows users to remove the system interface from the bond interface.<br />
show bond [bond_name]<br />
This command is used to display all current system bond interfaces’ information. If the<br />
bond interface name is specified, the command will only show the specified interface’s<br />
information.<br />
clear bond [bond_name]<br />
This command is used to reset the bond interface’s configurations to default. If no bond<br />
interface name is specified, all the bond interfaces’ configurations are removed.<br />
Chapter 15 Quality <strong>of</strong> Service (QoS)<br />
QoS Queue<br />
qos interface &lt;interface_name&gt; [direction] [bandwidth]<br />
This command allows users to configure the QoS feature on the specified interface.<br />
interface_name Specify the name <strong>of</strong> the QoS interface. It may be system<br />
interface, VLAN interface or bond interface. Note: The<br />
QoS interface does not support MNET interface.<br />
direction IN or OUT, which specifies the input or output direction<br />
respectively. The default value is OUT.<br />
bandwidth The maximum bit rate allowed for all queues on the<br />
specified interface. The suffix can be b, KB, MB, or GB.<br />
The default value is 1 GB.<br />
no qos interface &lt;interface_name&gt; [direction]<br />
This command allows users to delete the QoS configuration on the specified interface.<br />
The “direction” parameter is optional, which specifies to delete the QoS configuration on<br />
the IN or OUT direction <strong>of</strong> the specified interface.<br />
show qos interface [interface_name] [direction]<br />
This command allows users to view configurations of QoS interfaces.<br />
interface_name Optional. If specified, the QoS configuration of this interface<br />
will be displayed.<br />
direction Optional. Specify to display the QoS configuration on the IN or<br />
OUT direction.<br />
qos enable &lt;interface_name&gt; [direction]<br />
This command allows users to enable QoS feature on the specified interface. The<br />
“direction” parameter is optional, which specifies to enable QoS feature on the IN or<br />
OUT direction <strong>of</strong> the specified interface.<br />
qos disable &lt;interface_name&gt; [direction]<br />
This command allows users to disable QoS feature on the specified interface. The<br />
“direction” parameter is optional, which specifies to disable QoS feature on the IN or<br />
OUT direction <strong>of</strong> the specified interface.<br />
qos queue root &lt;queue_name&gt; &lt;interface_name&gt; [direction] [bandwidth]<br />
[priority] [borrow] [default]<br />
This command allows users to create a QoS root queue on the specified interface.<br />
queue_name An assigned name, in the form <strong>of</strong> a character string, to the<br />
queue. Note: If the assigned name begins with a numeric<br />
character, then the string needs to be framed in double<br />
quotes.<br />
interface_name Specify the name <strong>of</strong> QoS interface. It may be system<br />
interface, VLAN interface or bond interface.<br />
direction IN or OUT. Optional and the default value is OUT.<br />
bandwidth Specify the maximum bit rate to be processed by the<br />
queue. Optional and the default value is 1 GB.<br />
priority Optional. The range is from 0 to 7, with 7 being the highest<br />
and 0 being the lowest. The default value is 1.<br />
borrow It can be BORROW or UNBORROW, to configure<br />
whether the specified queue can borrow bandwidth from<br />
the parent or not. Optional, and the default value is<br />
UNBORROW.<br />
default Specify a queue to be the default queue. The packets not<br />
matched by other queues are assigned to this one. Only one<br />
default queue is required. Optional, and the default value is<br />
NONDEFAULT.<br />
no qos queue root &lt;queue_name&gt;<br />
This command allows users to delete a QoS root queue.<br />
show qos queue root [queue_name]<br />
This command allows users to view configurations <strong>of</strong> all QoS root queues. The<br />
“queue_name” parameter is optional, which specifies to display the configuration <strong>of</strong> the<br />
specified QoS root queue.<br />
qos queue sub &lt;queue_name&gt; &lt;parent_queue&gt; [bandwidth] [priority] [borrow]<br />
[default]<br />
This command allows users to create a QoS sub queue for a root queue on the specified<br />
interface.<br />
queue_name An assigned name, in the form <strong>of</strong> a character string, to the<br />
sub queue. Note: If the assigned name begins with a<br />
numeric character, then the string needs to be framed in<br />
double quotes.<br />
parent_queue The parent queue <strong>of</strong> the sub queue being configured. It<br />
may be a root queue or a sub queue (sub-queues can also<br />
have their sub-queues).<br />
bandwidth Specify the maximum bit rate to be processed by the sub<br />
queue. Optional, and the default value is 1GB.<br />
priority Optional. The range is from 0 to 7, with 7 being the highest<br />
and 0 being the lowest. The default value is 1.<br />
borrow It can be BORROW or UNBORROW, to configure<br />
whether the specified sub queue can borrow bandwidth<br />
from the parent or not. Optional, and the default value is<br />
UNBORROW.<br />
default Specify the sub queue to be the default sub queue. The<br />
packets not matched by other sub queues are assigned to<br />
this one. Only one default sub queue is required. Optional,<br />
and the default value is NONDEFAULT.<br />
no qos queue sub &lt;queue_name&gt;<br />
This command allows users to delete a QoS sub queue.<br />
show qos queue sub [queue_name]<br />
This command allows users to view configurations <strong>of</strong> all QoS sub queues. If<br />
“queue_name” is supplied, this command will display configurations <strong>of</strong> the specified<br />
QoS sub queue.<br />
show qos queue all<br />
This command allows users to view all configurations <strong>of</strong> all QoS queues (including root<br />
queues and sub queues).<br />
clear qos interface &lt;interface_name&gt; [direction]<br />
This command allows users to clear configurations <strong>of</strong> the specified QoS interface. The<br />
“direction” parameter is optional, which specifies to clear configuration on the IN or<br />
OUT direction <strong>of</strong> the specified interface.<br />
QoS Filter Rule<br />
qos filter &lt;filter_name&gt; &lt;queue_name&gt; &lt;src_addr&gt; &lt;smask&gt; &lt;sport&gt; &lt;dst_addr&gt;<br />
&lt;dmask&gt; &lt;dport&gt; &lt;proto&gt; [priority]<br />
This command allows users to configure a QoS filter to classify packets into a scheduling<br />
class. Each filter defines one statically configured packet classification rule.<br />
filter_name Specify a name to the filter for statistics.<br />
queue_name Specify the name <strong>of</strong> the queue to which matching packets<br />
are directed. Note: If the assigned name begins with a<br />
numeric character, then the string needs to be framed in<br />
double quotes.<br />
src_addr Dotted IP notation for the source subnet (e.g. 10.2.41.0).<br />
0.0.0.0 is a full wildcard.<br />
smask Dotted IP notation for the mask <strong>of</strong> the source IP address<br />
(e.g. 255.255.255.0). 0.0.0.0 is a full wildcard.<br />
sport Source port. 0 is a wildcard. Effective only when the<br />
protocol is “tcp” or “udp”.<br />
dst_addr See “src_addr” above.<br />
dmask See “smask” above.<br />
dport See “sport” above.<br />
proto Protocol type (TCP, UDP or any).<br />
priority Optional. Priority <strong>of</strong> the filter (1-255), which defaults to 1.<br />
“255” is the highest priority and “0” is the lowest.<br />
Here,<br />
• “fltr_name” is a unique string; it is useful to display the statistic information of QoS.<br />
• “queue_name” is used to establish the link between a Scheduler and the filter<br />
(Classifier).<br />
• “dst_addr” and “src_addr” are dotted-decimal addresses of the destination and the<br />
source respectively, and each has a netmask.<br />
• “dport” and “sport” are the port numbers of the destination and the source<br />
respectively.<br />
• “proto” is a protocol type defined for IP packets.<br />
• “priority” is a number from 1 to 255. If two filters both match a packet (mbuf), the<br />
filter with the higher priority is used; if their priorities are the same, the<br />
round-robin method is used.<br />
When a filter value (dst_addr, dmask, dport, src_addr, smask, sport, proto) is 0 or 0.0.0.0,<br />
it is taken as a wildcard.<br />
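The classification rules described above (0 / 0.0.0.0 wildcards, port fields that only apply to tcp/udp, highest priority wins, round-robin on ties) modelled in Python as an added example; this is not code from the handbook or from ArrayOS, and the filter names, queue names and addresses below are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class QosFilter:
    """One 'qos filter' rule with the fields the handbook lists (values constructed)."""
    name: str
    queue: str
    src_addr: str
    smask: str
    sport: int
    dst_addr: str
    dmask: str
    dport: int
    proto: str           # "tcp", "udp" or "any"
    priority: int = 1    # 1..255, 255 is the highest

    def __post_init__(self):
        if not 1 <= self.priority <= 255:
            raise ValueError(f"priority {self.priority} out of range 1..255")
        if self.proto not in ("tcp", "udp", "any"):
            raise ValueError(f"unknown proto {self.proto!r}")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


def addr_matches(addr: str, rule_addr: str, mask: str) -> bool:
    """0.0.0.0 as address or mask is a full wildcard; otherwise compare under the mask."""
    if rule_addr == "0.0.0.0" or mask == "0.0.0.0":
        return True
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (r & m)


def port_matches(port: int, rule_port: int, rule_proto: str) -> bool:
    """Port fields only take effect for tcp/udp rules; 0 is a wildcard."""
    if rule_proto not in ("tcp", "udp"):
        return True
    return rule_port == 0 or port == rule_port


def matches(f: QosFilter, p: Packet) -> bool:
    if f.proto != "any" and f.proto != p.proto:
        return False
    return (addr_matches(p.src, f.src_addr, f.smask)
            and addr_matches(p.dst, f.dst_addr, f.dmask)
            and port_matches(p.sport, f.sport, f.proto)
            and port_matches(p.dport, f.dport, f.proto))


class Classifier:
    """Picks the matching filter with the highest priority; ties alternate round-robin."""

    def __init__(self, filters):
        self.filters = list(filters)
        self._cursor = {}   # round-robin position per set of tied filters

    def classify(self, p: Packet):
        hits = [f for f in self.filters if matches(f, p)]
        if not hits:
            return None                      # falls through to the default queue
        top = max(f.priority for f in hits)
        tied = sorted((f for f in hits if f.priority == top), key=lambda f: f.name)
        if len(tied) == 1:
            return tied[0]
        key = tuple(f.name for f in tied)
        i = self._cursor.get(key, 0)
        self._cursor[key] = (i + 1) % len(tied)
        return tied[i]


# Constructed rule set: a low-priority catch-all for one subnet plus two specific filters.
FILTERS = [
    QosFilter("bulk", "q_bulk", "10.2.41.0", "255.255.255.0", 0,
              "0.0.0.0", "0.0.0.0", 0, "any", 1),
    QosFilter("web", "q_web", "0.0.0.0", "0.0.0.0", 0,
              "10.2.41.0", "255.255.255.0", 80, "tcp", 10),
    QosFilter("voice", "q_voice", "0.0.0.0", "0.0.0.0", 0,
              "0.0.0.0", "0.0.0.0", 5060, "udp", 10),
]


def queue_for(p: Packet, filters=FILTERS):
    """Return the queue a packet is classified into, or None for the default queue."""
    f = Classifier(filters).classify(p)
    return f.queue if f else None
```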
no qos filter &lt;fltr_name&gt;<br />
This command allows users to delete an L4 QoS filter rule.<br />
show qos filter [fltr_name]<br />
This command allows users to view configurations <strong>of</strong> all QoS filter rules. If “fltr_name”<br />
is supplied, the configuration <strong>of</strong> the specified QoS filter rule will be displayed.<br />
Other QoS Commands<br />
show qos all<br />
This command allows users to view all QoS configurations.<br />
clear qos all<br />
This command allows users to clear all QoS configurations.<br />
show statistics qos [interface_name] [direction]<br />
This command allows users to view QoS statistics.<br />
interface_name Optional. If specified, the QoS statistics <strong>of</strong> this interface<br />
will be displayed.<br />
direction Optional. Specify to display the QoS statistics on the IN or<br />
OUT direction.<br />
clear statistics qos [interface_name] [direction]<br />
This command allows users to clear QoS statistics.<br />
interface_name Optional. If specified, the QoS statistics <strong>of</strong> this interface<br />
will be displayed.<br />
direction Optional. Specify to display the QoS statistics on the IN or<br />
OUT direction.<br />
Chapter 16 Administrative Tools<br />
Configuration Management Commands<br />
admin aaa {on|<strong>of</strong>f}<br />
This command is used to enable or disable the external authentication feature.<br />
admin aaa method [radius|tac_x]<br />
This command is used to configure the external authentication method. Users can choose a<br />
RADIUS or TACACS+ server. The parameter defaults to “RADIUS”.<br />
admin aaa server {es01|es02} &lt;hostname_ip&gt; &lt;port&gt; &lt;secret&gt;<br />
This command is used to configure an external authentication server. The first parameter<br />
specifies the server ID, either “es01” or “es02”. If authentication fails on server es01, a<br />
second attempt is made on server es02. The parameters “hostname_ip”, “port” and “secret”<br />
configure the details of the server.<br />
Example:<br />
AN(config)#admin aaa server es01 “10.1.31.1” 1812 radiusceret<br />
AN(config)#admin aaa server es02 radius_host 1812 radiusceret<br />
no admin aaa server {es01|es02}<br />
This command is used to remove an external authentication server configuration.<br />
clear admin aaa all<br />
This command is used to clear all external authentication configurations.<br />
show admin aaa all<br />
This command is used to display all “admin aaa” configurations.<br />
passwd enable [password_string]<br />
This command allows users to set or change the enable password that allows access to the<br />
Enable and Config modes for the appliance. A password string may be up to 8 characters<br />
in length. Once users enter this command, the appliance will prompt users for password<br />
and confirmation. The password should be enclosed in double quotes. The<br />
“password_string” parameter is optional and the default value is empty, which means no<br />
password. To set the password to empty, just press “Enter” on your keyboard when the<br />
<strong>CLI</strong> prompts for an enable mode password.<br />
user &lt;user_name&gt; &lt;password&gt; [enable|config]<br />
This command allows administrators to create new users, or change the password and<br />
access privilege <strong>of</strong> existing users. If the input user name does not exist, the system will<br />
create the new user account. If the user name already exists, administrators can change<br />
the password and access privilege <strong>of</strong> this user.<br />
user_name Set the user name. The assigned user name can be up to 16<br />
alphanumeric characters.<br />
Special characters like “,\t:+&#%$^()!@~*?"=|\\/\” are<br />
not allowed for the “user_name” parameter. “$” is just<br />
allowed as the final character <strong>of</strong> the user name.<br />
password Set the login password <strong>of</strong> the user. The password can be up<br />
to 80 alphanumeric characters. If the password string<br />
begins with a numeric character or includes any keystroke<br />
symbol, such as “!” or “$”, the entire password must be<br />
enclosed within double quotes.<br />
enable|config This is an optional parameter, it is used to set the user’s<br />
access privilege to be “enable” or “config”. The default<br />
value is “config”.<br />
• enable: Users assigned with this access privilege are<br />
only allowed to run the commands of Enable mode,<br />
and cannot access the Config mode.<br />
• config: Users with this access privilege are allowed to<br />
run all commands on the APV appliance to make<br />
changes to any part of the appliance configurations.<br />
passwd user &lt;user_name&gt;<br />
This command allows users to change the password associated with an established user.<br />
By employing this command, a prompt for the new assigned password will appear.<br />
show users<br />
This command allows system administrators to view users with authorization for access<br />
to the <strong>APV</strong> appliance along with the encrypted password assigned to each user.<br />
no user &lt;user_name&gt;<br />
This command is used to remove a user from the list <strong>of</strong> authorized users.<br />
clear users<br />
This command is used to remove all users from the list <strong>of</strong> authorized users.<br />
system license &lt;license_key&gt; [validate|novalidate]<br />
This command allows users to enter a license key for the <strong>APV</strong> appliance. Without a valid<br />
license key, the <strong>ArrayOS</strong> will not auto reload configuration and <strong>ArrayOS</strong> will not run<br />
properly.<br />
validate The default option. After the user enters the license key and<br />
executes this command to import the key, the system will<br />
first validate the key. If validation succeeds, the system<br />
will import the license key and also save it.<br />
novalidate With this option, the system imports the license key and<br />
saves it without any validation.<br />
system reboot<br />
This command is used to reboot the <strong>APV</strong> appliance. The last saved (by using the<br />
command “write memory”) system configuration will be used to configure the <strong>APV</strong><br />
appliance.<br />
system shutdown<br />
This command is used to halt all functions <strong>of</strong> the <strong>APV</strong> appliance and disable the <strong>CLI</strong>. A<br />
manual reboot <strong>of</strong> the <strong>APV</strong> appliance will be necessary to reinstate <strong>CLI</strong> control.<br />
system dump {on|off}<br />
This command is used to turn the system dump function on or off. When it is on and the<br />
system panics, the running state of the system is stored in the file system for later<br />
analysis.<br />
show system dump<br />
This command is used to display the status <strong>of</strong> system dump function.<br />
system console reset<br />
This command is used to reset the system console. After executing this command, “Reset<br />
console” will prompt in the screen.<br />
config terminal [force]<br />
This command allows users to gain access to the commands required to configure the<br />
<strong>APV</strong> appliance. Deploying the optional parameter will force any existing Config sessions<br />
to end.<br />
config timeout &lt;seconds&gt;<br />
This command allows users to set the “timeout” limit after which an idle configuration<br />
session can be terminated by another session trying to enter the Config mode. The timeout<br />
value is measured in seconds, ranging from 30 to 36000 (1 hour). The default setting is 180<br />
seconds (3 minutes). If no other session tries to enter the Config mode, the current session<br />
stays active.<br />
show config timeout<br />
This command allows users to view the configured timeout setting.<br />
clear config timeout<br />
This command allows users to clear the configured timeout setting, thus returning it to the<br />
default setting <strong>of</strong> 180 seconds (3 minutes).<br />
statmon on<br />
This command allows users to start statmon daemon process. The statmon process is<br />
responsible for monitoring the system running status. The process collects and saves the<br />
status information about system running, network traffic and SDNS running at fixed<br />
intervals, and then displays the information in graphs on the WebUI. If the process is<br />
already running, the following message will be printed: Statmon is already running!<br />
statmon <strong>of</strong>f<br />
This command allows users to stop statmon daemon process. The statmon process is<br />
responsible for monitoring the system running status. The process collects and saves the<br />
status information about system running, network traffic and SDNS running at fixed<br />
intervals, and then displays the information in graphs on the WebUI. If the process is<br />
already stopped, the following message will be printed: Statmon is not running!<br />
statmon purge &lt;number_of_days_unused&gt;<br />
This command is used to purge statistics unused for some time already. The time is<br />
specified by the parameter “number_<strong>of</strong>_days_unused”.<br />
statmon clear<br />
This command is used to clear the existing statistics information for graphs, including the<br />
statistics table (item list), recorded in the file “/ca/etc/statmon.idx” and the statistics data,<br />
recorded in the file “/var/crash/statmon/*.rrd”.<br />
show statmon status<br />
This command is used to display the current statmon daemon status.<br />
write file &lt;file_name&gt;<br />
This command is used to save the current running configurations to a backup file on the<br />
local storage.<br />
file_name The user’s assigned name for the file where the<br />
configurations are saved.<br />
write memory<br />
This command allows users to save the current configuration to a file and makes it the<br />
boot configuration data.<br />
show memory<br />
This command allows users to display critical memory information for the<br />
APV appliance.<br />
Example:<br />
The following lines describe system connection resource usage:<br />
ITEM SIZE LIMIT USED FREE REQUESTS<br />
TCP small pcb: 64, 20000, 426, 19574, 4490795<br />
TCP pcb: 288, 20000, 1, 19999, 5219107<br />
Each connection owns a “pcb” data structure. There are two kinds of “pcb” data structure:<br />
“small pcb”, 64 bytes in size, is used for TCP connections in the “TIME_WAIT” state; “pcb”,<br />
used for all other TCP connections, is larger at 288 bytes. The “LIMIT” column gives the<br />
total number of data structure items. “USED” is the number of items in use. “FREE” is the<br />
number of items still available. “REQUESTS” is the cumulative total of allocations and<br />
only ever increases.<br />
TCP connections are a valuable system resource. When they are used up, new client requests<br />
cannot be served. The total number of TCP connections is determined by the system memory<br />
size as follows:<br />
• 4GB: 2M (2064352) connections<br />
• 1GB: 512K (516088) connections<br />
• 512MB: 40000 connections<br />
• 256MB: 20000 connections<br />
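As an added example (not part of the handbook and not Array Networks code), a small parser for the “show memory” pool rows shown above that flags a pool near exhaustion, a row whose USED and FREE do not add up to LIMIT, and a TCP pcb LIMIT that does not match the connection count listed for the installed RAM; the sample rows and the 90% threshold are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample, in the layout the "show memory" section of the handbook shows.
SAMPLE_SHOW_MEMORY = """\
ITEM SIZE LIMIT USED FREE REQUESTS
TCP small pcb: 64, 20000, 426, 19574, 4490795
TCP pcb: 288, 20000, 1, 19999, 5219107
"""

# Connection-pool sizes the handbook lists per installed RAM (MB -> connections).
CONNECTIONS_BY_RAM_MB = {4096: 2064352, 1024: 516088, 512: 40000, 256: 20000}


@dataclass(frozen=True)
class PoolStat:
    item: str
    size: int       # bytes per data structure
    limit: int      # total number of items in the pool
    used: int
    free: int
    requests: int   # cumulative allocations, only ever grows

    @property
    def utilization(self) -> float:
        return self.used / self.limit if self.limit else 0.0


# "<item>: <size>, <limit>, <used>, <free>, <requests>"
_ROW = re.compile(r"^(?P<item>[^:]+):\s*(?P<nums>\d+(?:\s*,\s*\d+){4})\s*$")


def parse_show_memory(text: str):
    """Parse the ITEM/SIZE/LIMIT/USED/FREE/REQUESTS rows into PoolStat records."""
    stats = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("ITEM"):
            continue               # blank line or the column header
        m = _ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised show memory row: {line!r}")
        nums = [int(n) for n in m.group("nums").split(",")]
        stats.append(PoolStat(m.group("item").strip(), *nums))
    return stats


def check_pools(stats, warn_at=0.90, ram_mb=None):
    """Return findings: exhausted pools, inconsistent rows, or a pcb LIMIT not matching RAM."""
    findings = []
    for s in stats:
        if s.used + s.free != s.limit:
            findings.append(f"{s.item}: USED+FREE={s.used + s.free} differs from LIMIT={s.limit}")
        if s.utilization >= warn_at:
            findings.append(f"{s.item}: {s.utilization:.1%} in use, {s.free} free")
        if ram_mb is not None and s.item == "TCP pcb":
            expected = CONNECTIONS_BY_RAM_MB.get(ram_mb)
            if expected is not None and s.limit != expected:
                findings.append(f"{s.item}: LIMIT={s.limit}, expected {expected} for {ram_mb} MB RAM")
    return findings
```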
config file &lt;file_name&gt;<br />
This command allows users to change the config from terminal, or restore a config from<br />
local storage or file on network devices by simply supplying the saved file’s name.<br />
config memory<br />
This command allows users to restore the configuration from the last “write memory”<br />
operation.<br />
config net tftp {remote_server_ip|name} &lt;remote_file_name&gt;<br />
This command allows users to load configuration data stored on a TFTP server. The IP<br />
address (in quotation marks) or the name <strong>of</strong> the TFTP server and the remote file name<br />
need to be supplied.<br />
config net scp {remote_server_ip|name} &lt;user_name&gt; &lt;remote_file_path&gt;<br />
This command allows users to load configuration data stored on an SCP server. The IP<br />
address (in quotation marks) or the name <strong>of</strong> the SCP server, the user’s name for the<br />
remote machine being accessed (a password prompt for the remote machine will appear)<br />
and the remote file path need to be supplied.<br />
config net http &lt;http_url&gt;<br />
This command allows users to download a configuration file from a Web server. The<br />
“http_url” parameter is used to specify the URL address <strong>of</strong> the configuration file. For<br />
example, if you want to download the file “array.conf” from the Web server<br />
“www.xyz.com”, the “http_url” parameter should be “http://www.xyz.com/array.conf”.<br />
write net tftp &lt;ip_tftp&gt; [file_name]<br />
This command is used to store the current configuration to the specified remote TFTP<br />
server.<br />
ip_tftp The IP address <strong>of</strong> the TFTP server.<br />
file_name The name <strong>of</strong> the remote file in which the configuration data<br />
is saved. It is optional, and defaults to “ca.cfg”.<br />
write net scp {remote_server_ip|name} &lt;user_name&gt; &lt;remote_file_path&gt;<br />
This command is used to store the current configuration to the remote SCP server. The IP<br />
address (in quotation marks) or the name <strong>of</strong> the server, the user’s name for the remote<br />
machine being accessed (a password prompt for the remote machine will appear) and the<br />
remote file path need to be supplied.<br />
no config &lt;file_name&gt;<br />
The command is used to allow users to remove a user-defined configuration from a<br />
previously saved file.<br />
show config file [file_name] [regex]<br />
This command is used to display a list <strong>of</strong> all saved configuration files. If the “file_name”<br />
parameter is supplied, the output will reflect the information about the specified config<br />
file.<br />
clear config file<br />
This command is used to remove all user-defined configuration files.<br />
system fallback<br />
This command allows users to boot the <strong>APV</strong> appliance from the other root version on the<br />
next reboot.<br />
no system fallback<br />
This command is used to disable the system fallback functionality.<br />
clear config secondary<br />
This command allows users to restore all the settings on the APV appliance except the<br />
“primary” settings (restored by the command “clear config primary”), including settings<br />
about NAT, FWD, SNMP, log, domain server, proxy server, etc.<br />
clear config primary<br />
This command allows users to restore the basic network settings to the default value,<br />
including settings about IP address, cluster, access list, group, WebUI, Enable level<br />
password, “array” user password, etc. At the same time, all the users in the system except<br />
the “array” user will be removed.<br />
This command cannot be executed if there are other configurations based on these basic<br />
network settings. In this situation, please execute the command “clear config secondary”<br />
first to delete the related configurations, and then execute the command “clear config<br />
primary” again.<br />
clear config all<br />
This command allows users to restore all settings on the <strong>APV</strong> appliance.<br />
clear config factorydefault<br />
This command is used to reset the <strong>APV</strong> appliance box to factory default settings.<br />
Different from the existing command “clear config all”, this command will clean<br />
imported SSL key files so that previous user configuration influence will be totally<br />
removed.<br />
show running [pattern]<br />
This command is used to display the current configuration <strong>of</strong> your <strong>APV</strong> appliance and all<br />
active function settings for the current configuration <strong>of</strong> the <strong>APV</strong> appliance. The optional<br />
parameter “pattern” calls for a string for the <strong>APV</strong> appliance to search for. For example<br />
“show running tcp” will display all file lines with the string TCP.<br />
show startup [pattern]<br />
This command allows users to view the configuration previously saved by the command<br />
“write memory”. The optional parameter “pattern” calls for a string for the<br />
APV appliance to search for. For example “show running tcp” will display all file lines<br />
with the string TCP.<br />
show version<br />
This command is used to display the system specific data such as host name, Array<br />
Networks s<strong>of</strong>tware version, system CPU, available memory and total memory, latest<br />
booting time, licensed features, and system up time.<br />
Example:<br />
AN(config)#show version<br />
<strong>ArrayOS</strong> Rel.TM.<strong>8.2</strong>.0.4 build on Fri Jun 10 12:18:09 2011<br />
Host name : AN<br />
System CPU : Intel(R) Pentium(R) CPU G6950 @ 2.80GHz<br />
System Module : X8SIE-LN4<br />
System RAM : 3918812 kbytes.<br />
System boot time : Fri Jun 24 11:33:28 GMT (+0000) 2011<br />
Current time : Fri Jun 24 11:44:09 GMT (+0000) 2011<br />
System up time : 12 mins,<br />
Platform Bld Date : Thu Jun 23 11:36:44 UTC 2011<br />
SSL HW : HW ( 1X8D ) Initialized<br />
Compression HW : No HW Available<br />
Power supply : 1U, AC<br />
Network Interface : 8 x Gigabit Ethernet copper<br />
Model : Array <strong>APV</strong> 1600<br />
Serial Number : 0437A3345200010001544134427220<br />
Licensed Features : WebWall Clustering L4SLB L7SLB Caching<br />
SSL tProxy SwCompression LLB GSLB QoS<br />
MultiLang DynRoute FFO IPv6<br />
License Key : 83e89607-d5635173-88bdf7e6-952e5116-05b301c0-00000000-0495d8<br />
ab-99999999<br />
Array Networks Customer Support<br />
Telephone : 877-992-7729 (877-MY-ARRAY)<br />
Email : support@arraynetworks.net<br />
Update : please contact support for instructions<br />
Website : http://www.arraynetworks.net<br />
Other Root Version<br />
Rel.TM.<strong>8.2</strong>.0.3 build on Fri May 20 18:16:09 2011<br />
show tech<br />
This command is used to display real-time statistics <strong>of</strong> the current running system and<br />
network.<br />
monitor<br />
This command allows users to monitor a command string executed every few seconds so<br />
that a variance can be observed. This is an interactive command and the user will be<br />
prompted for additional information.<br />
webui {on|<strong>of</strong>f}<br />
This command allows users to enable or disable the Web User Interface.<br />
webui language &lt;login_language&gt;<br />
This command is used to set the WebUI login language.<br />
login_language It can be en (English), cn (Simplified Chinese) and jp<br />
(Japanese).<br />
show webui<br />
This command is used to display the WebUI port and login language information.<br />
webui ip &lt;ip_address&gt;<br />
This command is used to allow users to set the WebUI IP address. After executing the<br />
command, the <strong>APV</strong> appliance will only accept the connections at the specific IP address.<br />
Note: WebUI may not work if the WebUI IP address is not an interface IP address.<br />
clear webui ip<br />
This command is used to delete the WebUI IP address. After executing the command, the<br />
<strong>APV</strong> appliance will accept the connections at any IP address.<br />
webui port &lt;port&gt;<br />
This command allows users to set the port that the <strong>APV</strong> appliance will accept Web User<br />
Interface commands from the Web. The port must be designated within the range <strong>of</strong> 1024<br />
to 65000. The default port is 8888.<br />
clear webui port<br />
This command is used to reset the WebUI port to the default port 8888.<br />
xmlrpc {on|<strong>of</strong>f} [https|http]<br />
This command allows users to enable the XML-RPC function, which allows<br />
administrators to gain access to the APV appliance and configure the ArrayOS from<br />
remote locations. The optional field “https|http” selects whether the XML-RPC service is<br />
offered over HTTPS or plain HTTP. This optional parameter defaults to “https”.<br />
xmlrpc port <br />
This command allows users to set the designated port for the XML-RPC to listen on. The<br />
“port” parameter ranges from 1025 to 65000. The default port is 9999.<br />
show xmlrpc<br />
This command is used to display the current state of the XML-RPC function as well as<br />
the designated port assigned.<br />
clear xmlrpc<br />
This command is used to reset the XML-RPC port designation to the default value of port<br />
9999.<br />
system shutdown<br />
This command is used to halt all functions of the APV appliance and disable the CLI. A<br />
manual reboot of the APV appliance will be necessary to reinstate CLI control. Users<br />
should wait five to ten seconds after employing this command before terminating power<br />
to the appliance.<br />
system update <br />
This command allows users to import a new software version directly from Array<br />
Networks. Once the user employs this command, using a URL supplied by Array<br />
Networks, the APV appliance will import the updated material and reboot the system. All<br />
specific configuration parameters will also be imported from the most recently saved file.<br />
Example:<br />
AN(config)#system update http://192.168.10.10/Rel_8_2_0_4.click<br />
This will upgrade your system from http://192.168.10.10/Rel_8_2_0_4.click<br />
Power outages or other systems failures may corrupt the system.<br />
It is highly recommended that you save your configuration on an<br />
external system prior to upgrading or downgrading.<br />
Any configuration changes that have not been "saved" will be lost.<br />
After a successful patch the system will be rebooted.<br />
Array Networks, Inc.<br />
Type "YES" to confirm upgrade: YES<br />
Caution:<br />
1. If this command is executed over an SSH connection and the connection is lost<br />
during the update procedure, the APV appliance will not be able to complete the update<br />
process.<br />
2. Do not disconnect the connections to the APV appliance during the system<br />
updating process.<br />
ssh {on|off}<br />
This command allows users to enable or disable SSH access to the APV appliance.<br />
ssh regenerate keys<br />
This command is used to regenerate the host keys of the SSH server in ArrayOS. After this<br />
command is executed, the SSH server will use the newly generated keys as its host keys.<br />
SSH clients must be updated with the new public keys of the SSH server before they can<br />
connect to the server.<br />
[no] pager <br />
This command sets the number of lines displayed per page. Any value between 0 and 255<br />
may be entered. If zero is entered, the APV appliance will display the number of lines<br />
configured within the current window.<br />
show pager<br />
This command is used to display the configured number of lines for a page display.<br />
system component update <br />
This command allows users to update the components on APV appliances from an HTTP<br />
or FTP URL.<br />
system component revert<br />
This command allows users to revert the last component update operation.<br />
Configuration Synchronization Commands<br />
The Configuration Synchronization feature of the APV appliance allows administrators to<br />
transfer configuration information among APV appliances within the same network.<br />
Synconfig commands are executed via SSH; therefore SSH must be enabled.<br />
[show|no|clear] synconfig peer <br />
This command is used to define a peer within the network. The parameter “name” is a<br />
quoted string that specifies the peer’s name (not necessarily DNS name) and “ip”<br />
specifies the peer’s system IP address, which is NOT interface dependent.<br />
The “no” version of this command is used to remove a specific peer entry. The “clear”<br />
version is used to clear all peer settings. The “show” version is used to show the details<br />
for all peer nodes currently configured.<br />
synconfig to <br />
This command is used to manually synchronize the local node to the peer specified by<br />
“name” immediately. If “name” is “all”, all the nodes defined via the “synconfig peer”<br />
command will be synchronized. The nodes will receive the running configuration from<br />
the current APV appliance. Prior to applying the new configuration, the “clear config<br />
secondary” command is applied to the receiving node(s). This removes all the existing<br />
configuration except for the IP related settings, which are preserved. The IP related<br />
settings left unaffected include system IP addresses, IP routes, host name, MNET, VLAN,<br />
WebWall, accesslist, accessgroup, LLB and WebUI IP address. At the end of the<br />
synchronization, the running configuration of the newly synchronized node is written to<br />
disk as the current configuration. This preserves the configuration across reboots.<br />
synconfig from <br />
This command allows users to synchronize the “current configuration” from the peer<br />
specified by “name” to this node; the peer name must first be defined by the command<br />
“synconfig peer”. Unlike “synconfig to”, the newly synchronized configuration is NOT<br />
saved to disk. The user should save the running configuration to disk by using the<br />
“write memory” command.<br />
synconfig rollback local <br />
This command is used to revert the last synchronization executed on the local node from<br />
the peer specified by “name”. The previous synchronization may have been invoked<br />
using the “synconfig” command on the local node or “synconfig to” from the peer<br />
specified by “name”. The operation only affects the local node.<br />
synconfig rollback peer <br />
This command is used to revert the last synchronization executed on the peer specified by<br />
“name” from the local node. The previous synchronization would have been invoked<br />
when the user applied the “synconfig to” command on the other node. The operation<br />
affects only the specified node, not the user’s node. If “name” is “all”, all the nodes<br />
previously defined via the “synconfig peer” command will be affected.<br />
show synconfig status from [peer_ip]<br />
This command is used to display the results of synchronization from other peers to the<br />
local node. The “peer_ip” parameter is optional, and should be input in quotes. If<br />
“peer_ip” is null, the command will show the list of peer nodes from which the local node<br />
has been synchronized. The time, remote IP and status will be displayed.<br />
show synconfig status history<br />
This command is used to show the history of the last 50 synchronization events executed<br />
on the local node. The time of the command, the peer and the command will be displayed.<br />
If a command fails, the error of the command will be displayed on the next line.<br />
show synconfig diff <br />
This command is used to show the difference between the running configuration on the<br />
local node and the saved configuration on the peer specified by “name”.<br />
SDNS Configuration Synchronization Commands<br />
The SDNS Configuration Synchronization feature of the APV appliance allows<br />
administrators to synchronize SDNS configurations and BIND 9 zone files (except SDNS<br />
member configurations) from an APV appliance to its peers.<br />
synconfig sdns peer <br />
This command allows users to define a peer for SDNS configuration synchronization.<br />
SDNS configurations are synchronized from the local peer to a specified remote peer. The<br />
“peer_name” parameter specifies the name of a peer. “peer_ip” is the IP address of the<br />
peer.<br />
synconfig sdns to <br />
This command allows users to start SDNS synchronizing to the specified remote peer.<br />
no synconfig sdns peer <br />
This command allows users to remove the specified peer for SDNS configuration<br />
synchronization.<br />
show synconfig sdns peer<br />
This command is used to display the IP address and name of all the SDNS<br />
synchronization peers.<br />
clear synconf sdns peer<br />
The command is used to delete all the SDNS synchronization peers.<br />
SNMP Commands<br />
SNMP (Simple Network Management Protocol) is a widely used network monitoring and<br />
control protocol. Data is passed from SNMP agents, which are hardware and/or software<br />
processes reporting activity in each network device (hub, router, bridge, etc.), to the<br />
workstation console used to oversee the network. The agents return information<br />
contained in a MIB (Management Information Base), which is a data structure that<br />
defines what is obtainable from the device and what can be controlled. The ArrayOS<br />
currently supports SNMP GET requests, but not SNMP SET requests.<br />
snmp {on|off}<br />
This command allows users to enable or disable the SNMP feature.<br />
snmp on [default|v3]<br />
This command allows users to set the SNMP versions which are supported by the APV<br />
appliance SNMP agent. “default” means that the SNMP agent supports three SNMP<br />
versions: v1, v2 & v3. “v3” means that the SNMP agent only supports SNMP version 3.<br />
show snmp<br />
This command allows users to display all the information concerning the SNMP<br />
configuration.<br />
Example:<br />
AN(config)#show snmp<br />
snmp community reindeer<br />
snmp location server room 6<br />
snmp contact admin@example.com<br />
snmp host 10.2.21.1 rudolph<br />
snmp enable traps<br />
clear snmp<br />
This command is used to reset the SNMP settings to default configurations.<br />
snmp community <br />
This command allows users to define the relationship between the NMS (Network<br />
Management Station) and the SNMP agent. This string acts as a password to control or<br />
limit access from the NMS to the SNMP agent. The string can be changed only when the<br />
SNMP agent is off. The string for this command may be 0 to 32 characters in length. The<br />
default string is public.<br />
Note: For the sake of security, it is strongly recommended to modify the default<br />
SNMP community string to avoid possible system information interception.<br />
Example:<br />
AN(config)#snmp community reindeer<br />
no snmp community<br />
This command is used to reset the community default to public.<br />
snmp contact <br />
This command allows users to establish a contact individual should system situations<br />
require it. The “contact_name” parameter may be up to 128 characters in length, enclosed<br />
in quotes.<br />
Example:<br />
AN(config)#snmp contact “admin@example.com”<br />
no snmp contact<br />
This command allows users to remove the designated contact information.<br />
snmp location <br />
This command allows users to configure the physical location of the APV appliance. The<br />
“location” string may be up to 128 characters in length.<br />
Example:<br />
AN(config)#snmp location “server room 6”<br />
no snmp location<br />
This command is used to remove the previous location entered for the <strong>APV</strong> appliance.<br />
snmp host [1|2|3] [user_name|community_name] [engine_id]<br />
[auth_password] [authNopriv|authPriv] [priv_password]<br />
This command allows users to set the SNMP host’s IP address, in standard dotted format,<br />
and its corresponding user or community string, for where traps should be sent.<br />
host_ip Set the IP address for the SNMP host.<br />
1|2|3 Set the SNMP trap version. The default setting is 1.<br />
user_name|community_name Set the trap community string for SNMP v1 and v2, and the trap user for SNMP v3. The default is “public”.<br />
engine_id Authoritative engine ID of the remote SNMP trap receiver for SNMP v3. It is a HEX string of less than 32 characters.<br />
auth_password Authentication password. It should be no less than 8 characters.<br />
authNopriv|authPriv Specify the security authorization level. The default setting is “authNopriv”, which means no private password is needed.<br />
priv_password Set the private password for data encryption used in “authPriv” mode. Its length is not less than 8 characters.<br />
no snmp host <br />
This command is used to remove an SNMP host.<br />
snmp enable traps<br />
This command is used to enable the APV appliance to send generic and enterprise traps.<br />
no snmp enable traps<br />
This command is used to disable the SNMP traps.<br />
snmp ipcontrol {on|off}<br />
This command is used to enable or disable access control based on the source IP of an<br />
SNMP client. The default setting is off. This controls SNMP GET requests following<br />
VACM.<br />
snmp ippermit <br />
This command is used to add a source NET into the permitted client list for SNMP GET<br />
requests.<br />
source_ip The host or network IP address in traditional dotted IP format.<br />
netmask The appropriately designated netmask.<br />
no snmp ippermit <br />
This command is used to remove the specified source NET from the permitted client list.<br />
snmp v3user [authNopriv|authPriv]<br />
[priv_password]<br />
This command is used to add one user into the SNMP v3 user database for GET request<br />
authentication. This controls SNMP GET requests following USM.<br />
user_name The assigned user name may be up to 16 alphanumeric characters in length.<br />
auth_password Authentication password. It should be not less than 8 characters.<br />
authNopriv|authPriv Specify the security authorization level. The default setting is “authNopriv”. A private password is needed in “authPriv” mode, but not in “authNopriv” mode.<br />
priv_password Set the private password for encryption in “authPriv” mode. Its length is not less than 8 characters.<br />
no snmp v3user <br />
This command is used to remove the specified user from the SNMP v3 user database.<br />
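The following Python script is an added example and is not part of the handbook or of ArrayOS. It parses a<br />
“show snmp” style dump and reports the settings that the SNMP command descriptions above identify as<br />
defaults or as weaker choices: the default community string “public”, an agent that still accepts SNMP v1/v2,<br />
“snmp ipcontrol” left off, and trap hosts or v3 users at the default “authNopriv” level. The sample input is<br />
constructed; the “snmp on”, “snmp ipcontrol”, “snmp ippermit” and “snmp v3user” lines are assumed to be<br />
echoed in the same command form as the lines in the handbook’s own “show snmp” example.<br />

```python
"""Audit an ArrayOS-style "show snmp" dump for weak SNMP settings.

Added example, not part of the ArrayOS handbook. Each check corresponds to
a statement in the SNMP command descriptions: the community string
defaults to "public" and should be changed; "snmp on default" accepts
SNMP v1/v2 as well as v3; "snmp ipcontrol" defaults to off; trap hosts
and v3 users default to "authNopriv" (authentication without privacy).
"""
from dataclasses import dataclass, field

# Constructed sample input, modelled on the handbook's "show snmp" example.
# The "snmp on", "snmp ipcontrol", "snmp ippermit" and "snmp v3user" lines
# are assumed to be echoed in the same command form as the other lines.
SAMPLE_SHOW_SNMP = """\
snmp on default
snmp community public
snmp location server room 6
snmp contact admin@example.com
snmp host 10.2.21.1 rudolph
snmp host 10.2.21.2 3 nmsuser 800000020109840301 s3cretpass authNopriv
snmp enable traps
snmp ipcontrol off
snmp v3user reader readerpass authNopriv
snmp v3user auditor auditorpass authPriv privpass12
"""


@dataclass
class SnmpConfig:
    versions: str = "default"   # "default" = v1, v2 and v3; "v3" = v3 only
    community: str = "public"   # handbook default
    ipcontrol: bool = False     # handbook default: off
    permitted: list = field(default_factory=list)   # (source_ip, netmask)
    hosts: list = field(default_factory=list)       # (ip, trap_version, security)
    v3users: list = field(default_factory=list)     # (user_name, security)


def parse_show_snmp(text: str) -> SnmpConfig:
    """Build a SnmpConfig from the command-style lines of a "show snmp" dump."""
    cfg = SnmpConfig()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "snmp":
            continue
        key, args = parts[1], parts[2:]
        if key == "on" and args:
            cfg.versions = args[0]
        elif key == "community":
            cfg.community = " ".join(args) if args else "public"
        elif key == "ipcontrol" and args:
            cfg.ipcontrol = args[0] == "on"
        elif key == "ippermit" and len(args) == 2:
            cfg.permitted.append((args[0], args[1]))
        elif key == "host" and args:
            # The optional trap version follows the IP; "authPriv" only
            # appears when privacy was configured, so its absence means
            # the default "authNopriv".
            version = int(args[1]) if len(args) > 1 and args[1] in ("1", "2", "3") else 1
            security = "authPriv" if "authPriv" in args else "authNopriv"
            cfg.hosts.append((args[0], version, security))
        elif key == "v3user" and args:
            security = "authPriv" if "authPriv" in args else "authNopriv"
            cfg.v3users.append((args[0], security))
    return cfg


def audit(cfg: SnmpConfig) -> list:
    """Return human-readable findings; an empty list means no weak setting was found."""
    findings = []
    if cfg.community == "public":
        findings.append("community string is the default 'public'")
    if cfg.versions != "v3":
        findings.append("agent accepts SNMP v1/v2 (the community string is the only credential)")
    if not cfg.ipcontrol:
        findings.append("snmp ipcontrol is off: GET requests are accepted from any source IP")
    for ip, version, security in cfg.hosts:
        if version < 3:
            findings.append(f"trap host {ip} uses SNMP v{version}: community sent in clear text")
        elif security == "authNopriv":
            findings.append(f"trap host {ip} uses v3 without privacy (authNopriv)")
    for name, security in cfg.v3users:
        if security == "authNopriv":
            findings.append(f"v3 user {name} has no privacy (authNopriv)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_snmp(SAMPLE_SHOW_SNMP)):
        print("-", finding)
```

Run against the constructed sample, the audit reports six findings; a dump with “snmp on v3”, a non-default<br />
community, “snmp ipcontrol on” with an “ippermit” entry, and “authPriv” for every trap host and v3 user<br />
produces none. The parser only understands the command-echo layout shown in the handbook; any other output<br />
format would need its own parsing.<br />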
Troubleshooting Commands<br />
ping {ip|hostname}<br />
This command is used to generate a network connectivity echo request directed toward<br />
the specified IP address or host name.<br />
traceroute {ip|hostname}<br />
This command allows users to trace the route that a packet, or the request for that packet,<br />
travels. When the user supplies the IP address or host name, the APV appliance will<br />
display the devices and network locations used to process the request for that IP address<br />
or host name.<br />
nslookup {ip|hostname}<br />
This command allows users to verify the IP address for the given host name, or the reverse.<br />
To verify the host name for an IP address, enclose the IP address in double quotes. The<br />
information displayed by this command includes the server from which the data is<br />
pulled as well as the host name or IP address.<br />
support <br />
This command allows the “test” users to access the APV appliance from off-site locations<br />
via the assigned IP address and netmask.<br />
show support<br />
This command is used to display the configured IP address and netmask for remote<br />
access to the <strong>APV</strong> appliance.<br />
clear support<br />
This command is used to remove the configured IP and netmask from the support<br />
function.<br />
Debug Commands<br />
debug enable<br />
This command is used to prepare to start collecting the debugging data. After the<br />
command is executed, the APV appliance will first clean the files (sys_debug.tar.gz and<br />
sys_core.tar.gz) into which the collected debugging data is written, and then create a new<br />
file (such as englog.20090810_154747) in the /var/crash/sys_debug/debug directory to store<br />
englog messages.<br />
debug disable<br />
This command is used to stop collecting the debugging data. After the command is<br />
executed, the APV appliance will first generate a tar file (sys_debug.tar.gz) to store the<br />
collected debug data, and then clean up the collected debug data in the system.<br />
The following is the generated tar file, which contains only the debug information<br />
collected from the moment of executing the command “debug enable” to the moment of<br />
executing the command “debug disable”.<br />
/var/crash/sys_debug.tar.gz<br />
tcpdump<br />
ssldump<br />
debug.tar.gz (including englog, pipe and loopback information)<br />
debug corefile [core_files_number]<br />
This command is used to set the number of the system core files to be collected. The<br />
value of the number ranges from 0 to 10. The default value is 0, which means do not<br />
collect any core file.<br />
Note: Administrators must first execute this command to set the number of core files<br />
to be collected before executing the command “debug snapshot system” to collect<br />
core files (sys_core.tar.gz and app_core.tar.gz). If the value of the number is not<br />
specified, the system will not collect any core file.<br />
debug snapshot system<br />
This command is used to take a snapshot of the system activities and generate the<br />
following four files, which save the snapshot information by category:<br />
• sys_snap.tar.gz<br />
• sys_log.tar.gz<br />
• sys_core.tar.gz<br />
• app_core.tar.gz<br />
All these files provide more comprehensive system running information for<br />
administrators to do better debugging. Administrators can collect the files for the<br />
system running information they need.<br />
debug snapshot proxy [level]<br />
This command is used to take a snapshot of the proxy activities. The output is written<br />
into the englog file.<br />
level Optional. It can be set to “1” or “3”. “1” means the least data and “3” means the most data. It defaults to 3.<br />
debug snapshot all [level]<br />
This command is used to take a snapshot of the proxy and system activities. The output is<br />
written into the englog file.<br />
level Optional. It can be set to “1” or “3”. “1” means the least data and “3” means the most data. It defaults to 3.<br />
show debug file<br />
This command is used to display all the generated tarball files in the system, including<br />
sys_snap.tar.gz, sys_log.tar.gz, sys_core.tar.gz, app_core.tar.gz, and sys_debug.tar.gz.<br />
Example:<br />
AN(config)#show debug file<br />
File Size Time<br />
sys_snap 774001 May 31 18:22:48 2010<br />
sys_snap.0 775002 May 31 18:21:48 2010<br />
sys_snap.1 785003 May 31 18:20:01 2010<br />
sys_log 424000123 May 31 18:22:49 2010<br />
sys_log.0 456231245 May 31 18:21:49 2010<br />
sys_log.1 347234345 May 31 18:20:02 2010<br />
sys_core 200000123 May 31 18:22:12 2010<br />
app_core 142343446 May 31 18:22:12 2010<br />
sys_debug 92000 May 31 18:22:22 2010<br />
debug ftp [file_name]<br />
This command allows users to export the files (sys_snap.tar.gz, sys_log.tar.gz,<br />
sys_core.tar.gz, app_core.tar.gz or sys_debug.tar.gz) storing the debugging data to the<br />
specified remote FTP server. A time stamp will be inserted into the name of each exported<br />
file to differentiate it from other files on the FTP server.<br />
user_name Specify the user name for the remote FTP server.<br />
remote_ftp_ip Specify the IP address of the remote FTP server.<br />
file_name Specify the name of the exported file on the FTP server, without the suffix ".tar.gz". It defaults to "all", which means exporting all the latest tarball files (sys_snap, sys_log, sys_core, app_core and sys_debug) to the remote FTP server.<br />
debug scp {username@remote_scp_ip|host} [file_name]<br />
This command allows users to export the files storing the debugging data to the<br />
specified remote SCP server. A time stamp will be inserted into the name of each<br />
exported file to differentiate it from other files on the SCP server.<br />
username@remote_scp_ip|host Specify the user name and the IP address or host name of the remote SCP server.<br />
file_name Specify the name of the exported file on the remote SCP server, without the suffix ".tar.gz". It defaults to "all", which means exporting all the latest tarball files (sys_snap, sys_log, sys_core, app_core and sys_debug) to the remote SCP server.<br />
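The following Python script is an added example, not code from the handbook or from ArrayOS. It parses the<br />
table printed by “show debug file” (shown in the example above) and works out which tarball of each category is<br />
the latest, which is the set that “debug ftp” or “debug scp” exports when “file_name” is left at “all”. It<br />
assumes the table layout of the handbook’s example (name, size in bytes, then a “Mon DD HH:MM:SS YYYY”<br />
time stamp) and that the numbered copies (sys_snap.0, sys_snap.1, ...) are older generations of the same<br />
bundle; the sample table is copied from that example.<br />

```python
"""Parse the "show debug file" table and select the latest tarball per category.

Added example, not ArrayOS code. It assumes the table layout shown in the
handbook's "show debug file" example (name, size in bytes, then a
"Mon DD HH:MM:SS YYYY" time stamp) and that the numbered copies
(sys_snap.0, sys_snap.1, ...) are older generations of the same bundle, so
the unsuffixed entry is what "debug ftp ... all" would export.
"""
from datetime import datetime

# Constructed sample, copied from the layout of the handbook's example output.
SHOW_DEBUG_FILE = """\
File Size Time
sys_snap 774001 May 31 18:22:48 2010
sys_snap.0 775002 May 31 18:21:48 2010
sys_snap.1 785003 May 31 18:20:01 2010
sys_log 424000123 May 31 18:22:49 2010
sys_log.0 456231245 May 31 18:21:49 2010
sys_log.1 347234345 May 31 18:20:02 2010
sys_core 200000123 May 31 18:22:12 2010
app_core 142343446 May 31 18:22:12 2010
sys_debug 92000 May 31 18:22:22 2010
"""


def parse_debug_file_table(text):
    """Return one dict per data row; the header row and malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Expected columns: name, size, Mon, DD, HH:MM:SS, YYYY
        if len(parts) != 6 or not parts[1].isdigit():
            continue
        name = parts[0]
        base, _, suffix = name.partition(".")
        rows.append({
            "name": name,
            "base": base,                                     # sys_snap, sys_log, ...
            "generation": int(suffix) + 1 if suffix.isdigit() else 0,  # 0 = current copy
            "size": int(parts[1]),
            "time": datetime.strptime(" ".join(parts[2:]), "%b %d %H:%M:%S %Y"),
        })
    return rows


def latest_per_base(rows):
    """Pick the newest entry of each category by time stamp rather than by name."""
    latest = {}
    for row in rows:
        current = latest.get(row["base"])
        if current is None or row["time"] > current["time"]:
            latest[row["base"]] = row
    return latest


def export_set_size(rows):
    """Total bytes an export with file_name "all" (latest of every category) would transfer."""
    return sum(row["size"] for row in latest_per_base(rows).values())


def stale_generations(rows):
    """Names of rotated copies that are older than the current one of their category."""
    latest = latest_per_base(rows)
    return sorted(r["name"] for r in rows if r["name"] != latest[r["base"]]["name"])


if __name__ == "__main__":
    table = parse_debug_file_table(SHOW_DEBUG_FILE)
    for base, row in latest_per_base(table).items():
        print(f"{base:10} {row['name']:12} {row['size']:>10} {row['time']:%Y-%m-%d %H:%M:%S}")
    print("export size:", export_set_size(table))
```

Selecting by time stamp rather than by name keeps the result correct even if a rotated copy were to carry a<br />
newer time than the unsuffixed one. The export size is worth knowing before pointing “debug ftp” or “debug<br />
scp” at a server, and since these bundles include core files and, with “debug trace ssl plain”, decrypted<br />
traffic, the server they are sent to should be treated with the same care as the appliance itself.<br />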
debug monitor {on|off}<br />
This command allows users to turn the monitor module on or off. Once the monitor is on, it<br />
will trace the status of the APV appliance and log the status information into a<br />
predefined file named monitor.out0.<br />
debug monitor import ftp <br />
This command allows users to import a customized script from a remote server via FTP. In<br />
the customized script, users can enter the CLI commands that display the system information<br />
they want, and then import the customized script, so that they can collect the debugging<br />
information they want. Please turn off “debug monitor” before executing this<br />
command.<br />
debug monitor import scp <br />
This command allows users to import a customized script from a remote server via SCP.<br />
In the customized script, users can enter the CLI commands that display the system<br />
information they want, and then import the customized script, so that they can collect the<br />
debugging information they want. Please turn off “debug monitor” before<br />
executing this command.<br />
username@remote_address:filepath It must be enclosed in double quotation marks, such as “test@172.16.13.12:/home/test”.<br />
debug monitor export ftp <br />
This command allows users to export the monitor result file to a remote server via FTP.<br />
Please turn off “debug monitor” before executing this command.<br />
debug monitor export scp <br />
This command allows users to export the monitor result file to a remote server via SCP.<br />
Please turn off “debug monitor” before executing this command.<br />
username@remote_address:filepath It must be enclosed in double quotation marks, such as “test@172.16.13.12:/home/test”.<br />
show debug monitor<br />
This command is used to display the monitor configurations, including its status and the<br />
customized scripts imported by the users.<br />
debug trace ssl [encrypt|plain]<br />
This command is used to trace the SSL activities. The output is written into the englog<br />
file. When the parameter “encrypt|plain” is set to “encrypt”, the encrypted data in the SSL<br />
communication packets is written directly into the englog file. If it is set to “plain”, the<br />
encrypted data in the SSL communication packets is decrypted first and then written<br />
into a newly generated file. The parameter defaults to “encrypt”.<br />
debug trace live ssl [encrypt|plain]<br />
This command is used to trace the SSL activities live. The output is displayed on the<br />
screen. When the parameter “encrypt|plain” is set to “encrypt”, the encrypted data in the SSL<br />
communication packets is displayed directly on the screen. If it is set to “plain”, the<br />
encrypted data in the SSL communication packets is decrypted first and then<br />
displayed on the screen. The parameter defaults to “encrypt”.<br />
debug trace live tcp [tcpdump_argument]<br />
This command is used to trace TCP activities live. The output is displayed on the screen.<br />
tcpdump_argument The argument of TCPDUMP, which is a packet analyzer. It specifies which TCP activities will be traced live.<br />
debug trace tcp all [tcpdump_argument]<br />
This command is used to trace TCP activities on all the interfaces.<br />
tcpdump_argument The argument of TCPDUMP, which is a packet analyzer. It specifies which TCP activities will be traced.<br />
debug trace tcp loopback [tcpdump_argument]<br />
This command is used to trace TCP activities on loopback interfaces. The output is<br />
written into a newly generated file (such as tcpdump_lo0.20090810_160302) in the<br />
/var/crash/sys_debug/debug directory.<br />
tcpdump_argument The argument of TCPDUMP, which is a packet analyzer. It specifies which TCP activities will be traced.<br />
debug trace tcp nic [tcpdump_argument]<br />
This command is used to trace TCP activities on all the NICs. The output is written into a<br />
newly generated file (such as tcpdump_port1.20090810_160508) in the<br />
/var/crash/sys_debug/nic_trace directory.<br />
tcpdump_argument The argument of TCPDUMP, which is a packet analyzer. It specifies which TCP activities will be traced.<br />
debug trace tcp pipe0 [tcpdump_argument]<br />
This command is used to trace the TCP activities on pipe0. The output is written into a<br />
newly generated file (such as tcpdump_pipe0.20090810_160410) in the<br />
/var/crash/sys_debug/debug directory.<br />
tcpdump_argument The argument of TCPDUMP, which is a packet analyzer. It specifies which TCP activities will be traced.<br />
debug usage mbuf<br />
This command enables tracking of mbuf usage by the system. To stop the<br />
trace, use the command “no debug usage mbuf”. Users can then use “show debug usage<br />
mbuf” to see the result, as below:<br />
AN#show debug usage mbuf<br />
Mbuf usage Statistics<br />
index: 1, app: 0x201993a8<br />
Total mbufs: 2094848<br />
Module Name no of mbufs (col 1) no of mbufs (col 2)<br />
ID_0: 2094847 2094847<br />
ID_1: 1 0<br />
ID_21: 0 1<br />
debug trace proxy<br />
This command is used to trace the proxy activities. The output is written into the englog<br />
file.<br />
debug trace live proxy [src_ip] [src_port] [dst_ip] [dst_port] [and|or]<br />
This command is used to trace the proxy activities live. The output is displayed on the<br />
screen.<br />
src_ip The source IP to be traced. It defaults to 0.0.0.0, which means all source IP addresses will be traced live.<br />
src_port The source port to be traced. It defaults to 0, which means all source ports will be traced live.<br />
dst_ip The destination IP to be traced. It defaults to 0.0.0.0, which means all destination IP addresses will be traced live.<br />
dst_port The destination port to be traced. It defaults to 0, which means all destination ports will be traced live.<br />
and|or The relationship between the configured parameters (source ip, source port, destination ip, destination port). "and" shows only the output that matches all of the given parameters; "or" shows the output that matches any one of the given parameters. The default value is "or".<br />
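The following Python class is an added example, not ArrayOS code, that models the selection rule of “debug<br />
trace live proxy” as described above: a parameter left at its default (0.0.0.0 or port 0) is a wildcard and takes<br />
no part in the match, “and” requires every given parameter to match, and “or” accepts a flow that matches any<br />
one given parameter. The Flow records are constructed sample data; the class and its method names are this<br />
example’s own.<br />

```python
"""Filter semantics of "debug trace live proxy", modelled in Python.

Added example, not ArrayOS code. It implements only what the handbook
states about the parameters: 0.0.0.0 and port 0 are the defaults and mean
"trace everything" for that field, "and" requires every given parameter to
match, and "or" accepts a flow that matches any one given parameter.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One proxied connection, as seen by the trace (constructed sample type)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Default values per parameter; a parameter at its default is not a criterion.
WILDCARDS = {"src_ip": "0.0.0.0", "src_port": 0, "dst_ip": "0.0.0.0", "dst_port": 0}


class ProxyTraceFilter:
    def __init__(self, src_ip="0.0.0.0", src_port=0, dst_ip="0.0.0.0",
                 dst_port=0, mode="or"):
        if mode not in ("and", "or"):
            raise ValueError("mode must be 'and' or 'or'")
        given = {"src_ip": src_ip, "src_port": src_port,
                 "dst_ip": dst_ip, "dst_port": dst_port}
        # Drop wildcards first: a default must neither count as a hit under
        # "or" (which would trace everything) nor as a miss under "and"
        # (which would trace nothing).
        self.criteria = {k: v for k, v in given.items() if v != WILDCARDS[k]}
        self.mode = mode

    def matches(self, flow):
        """True if the flow would be shown on screen under this filter."""
        if not self.criteria:           # no parameter given: trace every flow
            return True
        hits = [getattr(flow, name) == value for name, value in self.criteria.items()]
        return all(hits) if self.mode == "and" else any(hits)

    def select(self, flows):
        """Return the subset of flows the live trace would display."""
        return [f for f in flows if self.matches(f)]


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 51000, "192.168.1.10", 443),
    Flow("10.0.0.5", 51001, "192.168.1.10", 80),
    Flow("10.0.0.9", 51002, "192.168.1.11", 443),
    Flow("10.0.0.9", 51003, "192.168.1.11", 8080),
]


if __name__ == "__main__":
    narrow = ProxyTraceFilter(src_ip="10.0.0.5", dst_port=443, mode="and")
    wide = ProxyTraceFilter(src_ip="10.0.0.5", dst_port=443, mode="or")
    print("and:", narrow.select(SAMPLE_FLOWS))
    print("or: ", wide.select(SAMPLE_FLOWS))
```

With “and”, source 10.0.0.5 and destination port 443 select only the first sample flow; with “or” (the default)<br />
the same two parameters select three of the four, which is why a narrow live trace on a busy appliance should<br />
state “and” explicitly.<br />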
Remote Access Commands<br />
telnet “host port”<br />
This command is used to create a Telnet connection to a remote host. ArrayOS supports<br />
all standard Telnet parameters under the Unix system. For details, please refer to the<br />
technical documentation about the Telnet command. This command can be used in Enable<br />
mode.<br />
host port Specify the IP address and the port of the remote host.<br />
Note: The parameter(s) configured for this command must be double quoted. If you<br />
need to set attributes for the parameters, you should enclose the parameters and the<br />
attribute values with single quotes, and then with double quotes. For example, telnet<br />
“‘192.168.1.24 -l admin’”.<br />
Example:<br />
AN#telnet “‘172.16.2.182 -4’”<br />
Trying 172.16.2.182...<br />
Connected to 172.16.2.182 -4.<br />
Escape character is '^]'.<br />
Trying SRA secure login:<br />
User (root): array<br />
Password:<br />
[ SRA accepts you ].................succeed<br />
ssh remote “user@hostname”<br />
This command is used to create an SSH connection to a remote host. ArrayOS supports<br />
all standard SSH parameters under the Unix system. For details, please refer to the<br />
technical documentation about the OpenSSH command. This command can be used in<br />
Enable mode.<br />
user@hostname Specify the user name and the name or IP address of the remote host.<br />
Note: The parameter(s) configured for this command must be double quoted. If you<br />
need to set attributes for the parameters, you should enclose the parameters and the<br />
attribute values with single quotes, and then with double quotes. For example, ssh<br />
remote “‘192.168.1.24 –p 8888’”.<br />
Example:<br />
AN#ssh remote “root@172.16.85.240”<br />
root@172.16.85.240's password:<br />
Linux libh-server1 2.6.32-22-generic #33-Ubuntu SMP Wed Apr 28 13:27:30 UTC 2010 i686<br />
GNU/Linux<br />
Welcome to Ylmf_OS!<br />
* Information: http://www.ylmf.com/<br />
0 packages can be updated.<br />
0 updates are security updates.<br />
Last login: Wed Apr 20 00:39:35 2011 from 10.3.46.1<br />
root@libh-server1:~#<br />
Chapter 17 Monitoring<br />
Assigning Graph Items via the CLI<br />
©2011 Array Networks, Inc.<br />
All Rights Reserved.<br />
Chapter 17 Monitoring<br />
Administrators may also establish custom graph items via the commands. To assign the<br />
custom graph items through the <strong>CLI</strong>, you should change your access level to the Config<br />
level at first by executing the command “config terminal”.<br />
graph name <br />
This command is used to add a new custom graph. The maximum length <strong>of</strong> the assigned<br />
new graph name is 20 alphanumeric characters.<br />
graph rename <br />
This command is used to rename a custom graph. The maximum length <strong>of</strong> the assigned<br />
new name is 20 alphanumeric characters.<br />
graph settings displaymode {nostack|stack} <br />
This command is used to set the display mode <strong>of</strong> the custom graph. You can set the<br />
“nostack” mode or the “stack” mode. The default mode is “nostack”.<br />
graph item [service] <br />
[order] [legend_string]<br />
This command is used to add an item to the specified graph.<br />
graph_name Custom graph name that the administrator has defined.<br />
module_name The graphed module. You can select one from the modules,<br />
which include System, TCP, Compress, Proxy, SSL, LLB,<br />
SLB Real, Ethernet, IP, UDP, ICMP, and SLB Virtual.<br />
type It depends on the module that the administrator has chosen.<br />
The following sheet “Default Legend String” shows the<br />
relation between module, type and the default legend<br />
string.<br />
scale The scale <strong>of</strong> the graph. The range is from 1 to 1,000,000.<br />
color You may set it for the particular “type” being configured. It<br />
is recommended that the administrators set the different<br />
colors to separate the types for ease <strong>of</strong> reading the<br />
graphical output. Administrators can set one <strong>of</strong> the<br />
following colors: red, green, blue, cyan, magenta, yellow,<br />
purple, pink, lightpink, turquoise, and slateblue. The<br />
244
©2011 Array Networks, Inc.<br />
All Rights Reserved.<br />
default color is red.<br />
Chapter 17 Monitoring<br />
order The order <strong>of</strong> the legend. Administrator can choose a<br />
number from 1 to 999.<br />
legend_string Optional. The administrator can set it anyway or choose the<br />
default setting. The default settings depend on the module<br />
and type that the administrator has chosen. The default<br />
legend strings are described in the following sheet.<br />
Default Legend String

Module | Type | Legend String (default)
System | CPU Utilization | System CPU Utilization (%)
System | System Memory Utilization | System Memory Utilization (%)
System | Total Connections | System Total Connections (/sec)
System | Total Requests | System Total Requests (/sec)
TCP | LISTEN Connections | TCP LISTEN Connections
TCP | SYN_SEND Connections | TCP SYN_SENT Connections
TCP | SYN_RCVD Connections | TCP SYN_RCVD Connections
TCP | ESTABLISHED Connections | TCP ESTABLISHED Connections
TCP | CLOSE (CLOSE_WAIT+CLOSING+LAST_ACK+FIN_WAIT_1+FIN_WAIT_2) Connections | TCP CLOSE (CLOSE_WAIT+CLOSING+LAST_ACK+FIN_WAIT_1+FIN_WAIT_2) Connections
TCP | TIME_WAIT_Connections | TCP TIME_WAIT Connections
TCP | Total Connections | TCP Total Connections
TCP | Active Opens | TCP Active Opens (/sec)
TCP | Passive Opens | TCP Passive Opens (/sec)
TCP | Retransmission Segments | TCP Retransmission Segments (/sec)
TCP | Total Bytes In | TCP Total Bytes In (bytes/sec)
TCP | Total Bytes Out | TCP Total Bytes Out (bytes/sec)
TCP | Total Packets In | TCP Total Packets In (/sec)
TCP | Total Packets Out | TCP Total Packets Out (/sec)
TCP | Total Packets Dropped | TCP Total Packets Dropped (/sec)
TCP | Bytes In | TCP Outside Bytes In (bytes/sec)
TCP | Bytes Out | TCP Outside Bytes Out (bytes/sec)
TCP | Packets In | TCP Outside Packets In (/sec)
TCP | Packets Out | TCP Outside Packets Out (/sec)
TCP | Packets Dropped | TCP Outside Packets Dropped (/sec)
Compression | Compression Ratio for Compressible Data | Compression Compression Ratio for Compressible Data (%)
Compression | Compression Ratio for All Data | Compression Compression Ratio for All Data (%)
Compression | Total Bytes In | Compression Total Bytes In (bytes/sec)
Compression | Total Bytes Out | Compression Total Bytes Out (bytes/sec)
Compression | Compressible Bytes In | Compression Compressible Bytes In (bytes/sec)
Compression | Compressible Bytes Out | Compression Compressible Bytes Out (bytes/sec)
Compression | Non-compressible Bytes - Low Resources | Compression Non-compressible Bytes - Low Resources (/sec)
Compression | Non-compressible Bytes - No Compression Client | Compression Non-compressible Bytes - No Compression Client (/sec)
Compression | Non-compressible Bytes - Document Type | Compression Non-compressible Bytes - Document Type (/sec)
Compression | Non-compressible Bytes - Generated Responses | Compression Non-compressible Bytes - Generated Responses (/sec)
Compression | Non-compressible Objects - Low Resources | Compression Non-compressible Objects - Low Resources (/sec)
Compression | Non-compressible Objects - No Compression Client | Compression Non-compressible Objects - No Compression Client (/sec)
Compression | Non-compressible Objects - Document Type | Compression Non-compressible Objects - Document Type (/sec)
Compression | Non-compressible Objects - Response Code | Compression Non-compressible Objects - Response Code (/sec)
Proxy | Client Established Connections | Proxy Client Established Connections
Proxy | Server Established Connections | Proxy Server Established Connections
Proxy | Cache Hit Ratio | Proxy Cache Hit Ratio (%)
Proxy | Cache Memory Utilization | Proxy Cache Memory Utilization (%)
Proxy | Client Established Connections per Virtual | Proxy v1 Client Established Connections per Virtual
Proxy | Cache Hit Ratio per Virtual | Proxy v1 Cache Hit Ratio per Virtual (%)
Proxy | Total Requests | Proxy Total Requests (/sec)
Proxy | Total Redirect Responses Generated by Proxy | Proxy Total Redirect Responses Generated by Proxy (/sec)
Proxy | Cache Hit - Total Responses Send From Cache | Proxy Cache Hit - Total Responses Send From Cache (/sec)
Proxy | Cache Hit - Using Cache | Proxy Cache Hit - Using Cache (/sec)
Proxy | Cache Hit - Not Modified | Proxy Cache Hit - Not Modified (/sec)
Proxy | Cache Miss - Not Found | Proxy Cache Miss - Not Found (/sec)
Proxy | Cache Miss - Response Noncacheable | Proxy Cache Miss - Response Noncacheable (/sec)
Proxy | Cache Miss - Request Noncacheable | Proxy Cache Miss - Request Noncacheable (/sec)
Proxy | Cache Miss - Server Error | Proxy Cache Miss - Server Error (/sec)
Proxy | Cache Miss - Error Responses | Proxy Cache Miss - Error Responses (/sec)
Proxy | Response Code - 100 | Proxy Response Code - 100 (/sec)
Proxy | Response Code - Other 100 | Proxy Response Code - Other 100 (/sec)
Proxy | Response Code - 200 | Proxy Response Code - 200 (/sec)
Proxy | Response Code - 206 | Proxy Response Code - 206 (/sec)
Proxy | Response Code - Other 200 | Proxy Response Code - Other 200 (/sec)
Proxy | Response Code - 301 | Proxy Response Code - 301 (/sec)
Proxy | Response Code - 302 | Proxy Response Code - 302 (/sec)
Proxy | Response Code - 304 | Proxy Response Code - 304 (/sec)
Proxy | Response Code - Other 300 | Proxy Response Code - Other 300 (/sec)
Proxy | Response Code - 400 | Proxy Response Code - 400 (/sec)
Proxy | Response Code - 401 | Proxy Response Code - 401 (/sec)
Proxy | Response Code - 404 | Proxy Response Code - 404 (/sec)
Proxy | Response Code - Other 400 | Proxy Response Code - Other 400 (/sec)
Proxy | Response Code - 502 | Proxy Response Code - 502 (/sec)
Proxy | Response Code - 503 | Proxy Response Code - 503 (/sec)
Proxy | Response Code - Other 500 | Proxy Response Code - Other 500 (/sec)
Proxy | Response Code Invalid | Proxy Response Code Invalid (/sec)
Proxy | Total Requests per Virtual | Proxy v1 Total Requests per Virtual (/sec)
Proxy | Total Redirect Responses Generated by Proxy per Virtual | Proxy v1 Total Redirect Responses Generated by Proxy per Virtual (/sec)
Proxy | Cache Hit per Virtual - Using Cache | Proxy v1 Cache Hit per Virtual - Using Cache (/sec)
Proxy | Cache Hit per Virtual - Not Modified | Proxy v1 Cache Hit per Virtual - Not Modified (/sec)
Proxy | Cache Miss per Virtual - Not Found | Proxy v1 Cache Miss per Virtual - Not Found (/sec)
Proxy | Cache Miss per Virtual - Response Noncacheable | Proxy v1 Cache Miss per Virtual - Response Noncacheable (/sec)
Proxy | Cache Miss per Virtual - Request Noncacheable | Proxy v1 Cache Miss per Virtual - Request Noncacheable (/sec)
SSL | Open Connections | SSL Open Connections
SSL | Total Requested Connections | SSL Total Requested Connections (/sec)
SSL | Total Accepted Connections | SSL Total Accepted Connections (/sec)
SSL | Total Records Received | SSL Total Records Received (/sec)
SSL | Total Records Sent | SSL Total Records Sent (/sec)
SSL | Total Bytes Received | SSL Total Bytes Received (/sec)
SSL | Total Bytes Sent | SSL Total Bytes Sent (/sec)
LLB | Total Concurrent TCP Connections | LLB Total Concurrent TCP Connections
LLB | Total Concurrent UDP Connections | LLB Total Concurrent UDP Connections
LLB | Total Concurrent ICMP Connections | LLB Total Concurrent ICMP Connections
LLB | Total Inbound TCP Connections | LLB Total Inbound TCP Connections (/sec)
LLB | Total Outbound TCP Connections | LLB Total Outbound TCP Connections (/sec)
LLB | Total TCP Connections | LLB Total TCP Connections (/sec)
LLB | Total UDP Connections | LLB Total UDP Connections (/sec)
LLB | Total ICMP Connections | LLB Total ICMP Connections (/sec)
SLB Real | Total Outstanding Requests | SLB Real Total Outstanding Requests
SLB Real | Total Open Connections | SLB Real Total Open Connections
SLB Real | Outstanding Requests | SLB Real server5 Outstanding Requests
SLB Real | Open Connections | SLB Real server5 Open Connections
SLB Real | Total Hits for all SLB Reals | SLB Real Total Hits for all SLB Reals (/sec)
SLB Real | Total Hits | SLB Real server5 Total Hits (/sec)
SLB Real | Successful Responses | SLB Real server5 Successful Responses (/sec)
Ethernet | Total Frames In | Ethernet Total Frames In (/sec)
Ethernet | Total Frames Out | Ethernet Total Frames Out (/sec)
Ethernet | Total Bytes In | Ethernet Total Bytes In (bytes/sec)
Ethernet | Total Bytes Out | Ethernet Total Bytes Out (bytes/sec)
Ethernet | Frames In | Ethernet Outside Frames In (/sec)
Ethernet | Frames Out | Ethernet Outside Frames Out (/sec)
Ethernet | Bytes In | Ethernet Outside Bytes In (bytes/sec)
Ethernet | Bytes Out | Ethernet Outside Bytes Out (bytes/sec)
IP | Total Packets Received | IP Total Packets Received (/sec)
IP | Total Packets Sent | IP Total Packets Sent (/sec)
IP | Total Bytes Received | IP Total Bytes Received (bytes/sec)
IP | Total Bytes Sent | IP Total Bytes Sent (bytes/sec)
UDP | Total Bytes In | UDP Total Bytes In (bytes/sec)
UDP | Total Bytes Out | UDP Total Bytes Out (bytes/sec)
UDP | Total Packets In | UDP Total Packets In (/sec)
UDP | Total Packets Out | UDP Total Packets Out (/sec)
UDP | Total Packets Dropped | UDP Total Packets Dropped (/sec)
ICMP | Total Bytes In | ICMP Total Bytes In (bytes/sec)
ICMP | Total Bytes Out | ICMP Total Bytes Out (bytes/sec)
ICMP | Total Packets In | ICMP Total Packets In (/sec)
ICMP | Total Packets Out | ICMP Total Packets Out (/sec)
ICMP | Total Packets Dropped | ICMP Total Packets Dropped (/sec)
SLB Virtual | Total QoS URL Hits | SLB Virtual Total QoS URL Hits (/sec)
SLB Virtual | Total QoS Hostname Hits | SLB Virtual Total QoS Hostname Hits (/sec)
SLB Virtual | Total Persistent Cookie Hits | SLB Virtual Total Persistent Cookie Hits (/sec)
SLB Virtual | Total QoS Cookie Hits | SLB Virtual Total QoS Cookie Hits (/sec)
SLB Virtual | Total Default Hits | SLB Virtual Total Default Hits (/sec)
SLB Virtual | Total Persistent URL Hits | SLB Virtual Total Persistent URL Hits (/sec)
SLB Virtual | Total Static Hits | SLB Virtual Total Static Hits (/sec)
SLB Virtual | Total QoS Network Hits | SLB Virtual Total QoS Network Hits (/sec)
SLB Virtual | Total Backup Hits | SLB Virtual Total Backup Hits (/sec)
SLB Virtual | Total Cache Hits | SLB Virtual Total Cache Hits (/sec)
SLB Virtual | Total Regex Hits | SLB Virtual Total Regex Hits (/sec)
SLB Virtual | Total Rewrite Cookie Hits | SLB Virtual Total Rewrite Cookie Hits (/sec)
SLB Virtual | Total Insert Cookie Hits | SLB Virtual Total Insert Cookie Hits (/sec)
SLB Virtual | Total QoS Clientport Hits | SLB Virtual Total QoS Clientport Hits (/sec)
SLB Virtual | Total Header Hits | SLB Virtual Total Header Hits (/sec)
SLB Virtual | QoS URL Hits | SLB Virtual v1 QoS URL Hits (/sec)
SLB Virtual | QoS Hostname Hits | SLB Virtual v1 QoS Hostname Hits (/sec)
SLB Virtual | Persistent Cookie Hits | SLB Virtual v1 Persistent Cookie Hits (/sec)
SLB Virtual | QoS Cookie Hits | SLB Virtual v1 QoS Cookie Hits (/sec)
SLB Virtual | Default Hits | SLB Virtual v1 Default Hits (/sec)
SLB Virtual | Persistent URL Hits | SLB Virtual v1 Persistent URL Hits (/sec)
SLB Virtual | Static Hits | SLB Virtual v1 Static Hits (/sec)
SLB Virtual | QoS Network Hits | SLB Virtual v1 QoS Network Hits (/sec)
SLB Virtual | Backup Hits | SLB Virtual v1 Backup Hits (/sec)
SLB Virtual | Cache Hits | SLB Virtual v1 Cache Hits (/sec)
SLB Virtual | Regex Hits | SLB Virtual v1 Regex Hits (/sec)
SLB Virtual | Rewrite Cookie Hits | SLB Virtual v1 Rewrite Cookie Hits (/sec)
SLB Virtual | Insert Cookie Hits | SLB Virtual v1 Insert Cookie Hits (/sec)
SLB Virtual | QoS Clientport Hits | SLB Virtual v1 QoS Clientport Hits (/sec)
SLB Virtual | Header Hits | SLB Virtual v1 Header Hits (/sec)
Appendix I SNMP OID List

SNMP OID List
1 .1.3.6.1.4.1.7564 This file defines the private CA SNMP MIB extensions.
2 .1.3.6.1.4.1.7564.4.1.0 Current system total available memory.
3 .1.3.6.1.4.1.7564.16.1.1.0 Current status of the reverse proxy cache - on or off.
4 .1.3.6.1.4.1.7564.16.1.2.0 Total number of requests received by the reverse proxy cache.
5 .1.3.6.1.4.1.7564.16.1.3.0 Total GET requests received by the reverse proxy cache.
6 .1.3.6.1.4.1.7564.16.1.4.0 Total HEAD requests received by the reverse proxy cache.
7 .1.3.6.1.4.1.7564.16.1.5.0 Total PURGE requests received by the reverse proxy cache.
8 .1.3.6.1.4.1.7564.16.1.6.0 Total POST requests received by the reverse proxy cache.
9 .1.3.6.1.4.1.7564.16.1.7.0 Number of current client connections (e.g. from the browsers).
10 .1.3.6.1.4.1.7564.16.1.8.0 Number of current backend server connections.
11 .1.3.6.1.4.1.7564.16.1.9.0 Requests redirected to HTTPS.
12 .1.3.6.1.4.1.7564.16.1.10.0 Requests redirected based on regex match.
13 .1.3.6.1.4.1.7564.16.1.11.0 Requests forwarded with rewritten URL.
14 .1.3.6.1.4.1.7564.16.1.12.0 Locations rewritten to HTTPS.
15 .1.3.6.1.4.1.7564.16.1.13.0 Locations rewritten based on regex match.
16 .1.3.6.1.4.1.7564.16.1.14.0 Cache skip, cache off.
17 .1.3.6.1.4.1.7564.16.1.15.0 We found the requested URL in the cache. The object was fresh and we did not have to revalidate. The object was served from our cache.
18 .1.3.6.1.4.1.7564.16.1.16.0 We got an IMS header in the request. We validated the timestamp and decided that the client's copy of this object is fresh. So we generated a 304 response and sent it out to the client.
19 .1.3.6.1.4.1.7564.16.1.17.0 Cache hit, reply with Precondition Failed.
20 .1.3.6.1.4.1.7564.16.1.18.0 The requested object was found in the cache. However, the request required revalidation (due to client generated revalidate, proxy generated revalidate or proxy generated forced miss).
21 .1.3.6.1.4.1.7564.16.1.19.0 The request does not result in a cache table search. Something in the request made us deem it non-cacheable (e.g. very long URL, a 'Cache-Control: no-store' header etc).
22 .1.3.6.1.4.1.7564.16.1.20.0 Count of times the cache table was searched, no matching entry was found and a new entry was created. However, note that sometimes an entry is created temporarily (e.g. for an IMS request resulting in a 304) and is deleted after sending it out to the client (delayed delete).
23 .1.3.6.1.4.1.7564.16.1.21.0 Cache miss, create new entry, resp noncacheable.
24 .1.3.6.1.4.1.7564.16.1.22.0 Cache hit reply using cache + cache reply with 'not modified'.
25 .1.3.6.1.4.1.7564.18.1.1.0 Current maximum possible number of entries in the vrrpTable, which is 255 * (number of interfaces for which a cluster is defined). 255 is the max number of VIPs in a cluster.
26 .1.3.6.1.4.1.7564.18.1.2.0 Current number of entries in the vrrpTable.
27 .1.3.6.1.4.1.7564.18.1.3 A table containing clustering configuration.
28 .1.3.6.1.4.1.7564.18.1.3.1 An entry in the vrrpTable. Each entry represents a cluster VIP and not the cluster itself. If a cluster has n VIPs, then there will be n entries for the cluster in the vrrpTable (0
64 .1.3.6.1.4.1.7564.19.1.3.2.1.3 Name of the real service.
65 .1.3.6.1.4.1.7564.19.1.3.2.1.4 Metric used to balance real services within the group.
66 .1.3.6.1.4.1.7564.19.2.1.1 Real service statistics table.
67 .1.3.6.1.4.1.7564.19.2.1.1.1 An rsStatsTable entry containing the statistics of one real service.
68 .1.3.6.1.4.1.7564.19.2.1.1.1.1 Reference index for each real service.
69 .1.3.6.1.4.1.7564.19.2.1.1.1.2 Name of the real service.
70 .1.3.6.1.4.1.7564.19.2.1.1.1.3 Real service IP address.
71 .1.3.6.1.4.1.7564.19.2.1.1.1.4 The port number of the real service.
72 .1.3.6.1.4.1.7564.19.2.1.1.1.5 Number of outstanding requests to the real service.
73 .1.3.6.1.4.1.7564.19.2.1.1.1.6 Number of open connections to the real service.
74 .1.3.6.1.4.1.7564.19.2.1.1.1.7 The total number of requests sent to the real service.
75 .1.3.6.1.4.1.7564.19.2.1.1.1.8 The health status (up or down) of the real service.
76 .1.3.6.1.4.1.7564.19.2.2.1 A statistics table for virtual services.
77 .1.3.6.1.4.1.7564.19.2.2.1.1 A vsStatsTable entry containing the statistics of one virtual service.
78 .1.3.6.1.4.1.7564.19.2.2.1.1.1 Reference index for each virtual service.
79 .1.3.6.1.4.1.7564.19.2.2.1.1.2 Name of the virtual service.
80 .1.3.6.1.4.1.7564.19.2.2.1.1.3 IP address of the virtual service.
81 .1.3.6.1.4.1.7564.19.2.2.1.1.4 Port number of the virtual service.
82 .1.3.6.1.4.1.7564.19.2.2.1.1.5 Number of QoS URL policy hits for the virtual service.
83 .1.3.6.1.4.1.7564.19.2.2.1.1.6 Number of QoS Hostname policy hits for the virtual service.
84 .1.3.6.1.4.1.7564.19.2.2.1.1.7 Number of Persistent Cookie policy hits for the virtual service.
85 .1.3.6.1.4.1.7564.19.2.2.1.1.8 Number of QoS Cookie hits for the virtual service.
86 .1.3.6.1.4.1.7564.19.2.2.1.1.9 Number of Default policy hits for the virtual service.
87 .1.3.6.1.4.1.7564.19.2.2.1.1.10 Number of Persistent URL policy hits for the virtual service.
88 .1.3.6.1.4.1.7564.19.2.2.1.1.11 Number of Static policy hits for the virtual service.
89 .1.3.6.1.4.1.7564.19.2.2.1.1.12 Number of QoS Network policy hits for the virtual service.
90 .1.3.6.1.4.1.7564.19.2.2.1.1.13 Number of QoS URL policy hits for the virtual service.
91 .1.3.6.1.4.1.7564.19.2.2.1.1.14 Number of Backup policy hits for the virtual service.
92 .1.3.6.1.4.1.7564.19.2.2.1.1.15 Number of Cache hits for the virtual service.
93 .1.3.6.1.4.1.7564.19.2.2.1.1.16 Number of Regex policy hits for the virtual service.
94 .1.3.6.1.4.1.7564.19.2.2.1.1.17 Number of Rewrite Cookie policy hits for the virtual service.
95 .1.3.6.1.4.1.7564.19.2.2.1.1.18 Number of Insert Cookie policy hits for the virtual service.
96 .1.3.6.1.4.1.7564.19.2.3.1 A statistics table of the group.
97 .1.3.6.1.4.1.7564.19.2.3.1.1 A gpStatsTable entry containing the statistics of one group.
98 .1.3.6.1.4.1.7564.19.2.3.1.1.1 Reference index for each group.
99 .1.3.6.1.4.1.7564.19.2.3.1.1.2 Name of the group.
100 .1.3.6.1.4.1.7564.19.2.3.1.1.3 Total hits for the group.
101 .1.3.6.1.4.1.7564.20.1.2.0 Number of vhosts currently configured.
102 .1.3.6.1.4.1.7564.20.2.1.0 Total number of open SSL connections (all vhosts).
103 .1.3.6.1.4.1.7564.20.2.2.0 Total number of accepted SSL connections (all vhosts).
104 .1.3.6.1.4.1.7564.20.2.3.0 Total number of requested SSL connections (all vhosts).
105 .1.3.6.1.4.1.7564.20.2.4 SSL vhost statistics table.
106 .1.3.6.1.4.1.7564.20.2.4.1 sslTable entry for one vhost.
107 .1.3.6.1.4.1.7564.20.2.4.1.1 The SSL table index.
108 .1.3.6.1.4.1.7564.20.2.4.1.2 Name of the SSL vhost.
109 .1.3.6.1.4.1.7564.20.2.4.1.3 Open SSL connections for vhostName.
110 .1.3.6.1.4.1.7564.20.2.4.1.4 Number of accepted SSL connections for vhostName.
111 .1.3.6.1.4.1.7564.20.2.4.1.5 Number of requested SSL connections for vhostName.
112 .1.3.6.1.4.1.7564.20.2.4.1.6 Number of resumed SSL sessions for vhostName.
113 .1.3.6.1.4.1.7564.20.2.4.1.7 Number of resumable SSL sessions for vhostName.
114 .1.3.6.1.4.1.7564.20.2.4.1.8 Number of session misses for vhostName.
115 .1.3.6.1.4.1.7564.22.1.0 Status of VIP statistics gathering - on or off.
116 .1.3.6.1.4.1.7564.22.2.0 The hostname that the VIP is representing (hostname of the appliance).
117 .1.3.6.1.4.1.7564.22.3.0 The current time in the format of MM/DD/YY HH:MM.
118 .1.3.6.1.4.1.7564.22.4.0 Total number of IP packets received on all VIPs.
119 .1.3.6.1.4.1.7564.22.5.0 Total number of IP packets sent out on all VIPs.
120 .1.3.6.1.4.1.7564.22.6.0 Total number of IP bytes received on all VIPs.
121 .1.3.6.1.4.1.7564.22.7.0 Total number of IP bytes sent out on all VIPs.
122 .1.3.6.1.4.1.7564.22.8 A table of VIP statistics.
123 .1.3.6.1.4.1.7564.22.8.1 An entry in the ipStatsTable which is created for each VIP.
124 .1.3.6.1.4.1.7564.22.8.1.1 The VIP statistics table index.
125 .1.3.6.1.4.1.7564.22.8.1.2 The VIP address.
126 .1.3.6.1.4.1.7564.22.8.1.3 Total number of IP packets received on the VIP.
127 .1.3.6.1.4.1.7564.22.8.1.4 Total number of bytes received on the VIP.
128 .1.3.6.1.4.1.7564.22.8.1.5 Total number of packets sent out on the VIP.
129 .1.3.6.1.4.1.7564.22.8.1.6 Total number of bytes sent out on the VIP.
130 .1.3.6.1.4.1.7564.22.8.1.7 The time statistics gathering was enabled for the VIP.
131 .1.3.6.1.4.1.7564.23.1.0 The number of network interfaces present on this system.
132 .1.3.6.1.4.1.7564.23.2.0 The total accumulated number of octets received on all the active interfaces (loopback is not included).
133 .1.3.6.1.4.1.7564.23.3.0 The total accumulated number of octets transmitted out on all the active interfaces (loopback is not included).
134 .1.3.6.1.4.1.7564.23.4 A table of interface statistics. The number of entries is given by the value of infNumber.
135 .1.3.6.1.4.1.7564.23.4.1 An infTable entry for one interface.
136 .1.3.6.1.4.1.7564.23.4.1.1 A unique value for each interface. Its value ranges between 1 and the value of infNumber. The value for each interface must remain constant at least from one re-initialization of the entity's network management system to the next re-initialization.
137 .1.3.6.1.4.1.7564.23.4.1.2 Name of the interface.
138 .1.3.6.1.4.1.7564.23.4.1.3 The current operational state of the interface (up or down).
139 .1.3.6.1.4.1.7564.23.4.1.4 The interface's IP address.
140 .1.3.6.1.4.1.7564.23.4.1.5 The total number of octets received on the interface, including framing characters.
141 .1.3.6.1.4.1.7564.23.4.1.6 The number of packets, delivered by this sub-layer to a higher (sub-) layer, which were not addressed to a multicast or broadcast address at this sub-layer.
142 .1.3.6.1.4.1.7564.23.4.1.7 The number of packets, delivered by this sub-layer to a higher (sub-) layer, which were addressed to a multicast or broadcast address at this sub-layer.
143 .1.3.6.1.4.1.7564.23.4.1.8 The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.
144 .1.3.6.1.4.1.7564.23.4.1.9 For packet-oriented interfaces, the number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of inbound transmission units that contained errors preventing them from being deliverable to a higher-layer protocol.
145 .1.3.6.1.4.1.7564.23.4.1.10 For packet-oriented interfaces, the number of packets received via the interface which were discarded because of an unknown or unsupported protocol. For character-oriented or fixed-length interfaces that support protocol multiplexing, the number of transmission units received via the interface which were discarded because of an unknown or unsupported protocol. For any interface that does not support protocol multiplexing, this counter will always be 0.
146 .1.3.6.1.4.1.7564.23.4.1.11 The total number of octets transmitted out of the interface, including framing characters.
147 .1.3.6.1.4.1.7564.23.4.1.12 The total number of packets that higher-level protocols requested be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent.
148 .1.3.6.1.4.1.7564.23.4.1.13 The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent.
149 .1.3.6.1.4.1.7564.23.4.1.14 For packet-oriented interfaces, the number of outbound packets that could not be transmitted because of errors. For character-oriented or fixed-length interfaces, the number of outbound transmission units that could not be transmitted because of errors.
150 .1.3.6.1.4.1.7564.24.1.1.0 The number of syslog notifications that have been sent. This number may include notifications that were prevented from being transmitted due to reasons such as resource limitations and/or non-connectivity. If one is receiving notifications, one can periodically poll this object to determine if any notifications were missed. If so, a poll of the logHistoryTable might be appropriate.
151 .1.3.6.1.4.1.7564.24.1.2.0 Indicates whether logMessageGenerated notifications will or will not be sent when a syslog message is generated by the device. Disabling notifications does not prevent syslog messages from being added to the logHistoryTable.
152 .1.3.6.1.4.1.7564.24.1.3.0 Indicates which syslog severity levels will be processed. Any syslog message with a severity value greater than this value will be ignored by the agent. Note: severity numeric values increase as their severity decreases, e.g. error(4) is more severe than debug(8).
153 .1.3.6.1.4.1.7564.24.2.1.0 The upper limit on the number of entries that the logHistoryTable may contain. A value of 0 will prevent any history from being retained. When this table is full, the oldest entry will be deleted and a new one will be created.
154 .1.3.6.1.4.1.7564.24.2.2 A table of syslog messages generated by this device. All 'interesting' syslog messages (i.e. severity
155 .1.3.6.1.4.1.7564.24.2.2.1
156 .1.3.6.1.4.1.7564.24.2.2.1.1
©2011 Array Networks, Inc.<br />
All Rights Reserved.<br />
Appendix I SNMP OID List<br />
168 .1.3.6.1.4.1.7564.25.9.0<br />
SNMP OID List<br />
number <strong>of</strong> ClickTCP segments transmitted containing one<br />
or more previously transmitted octets.<br />
The total number <strong>of</strong> segments received in error (e.g., bad<br />
ClickTCP checksums).<br />
169 .1.3.6.1.4.1.7564.25.10.0<br />
The number <strong>of</strong> ClickTCP segments sent containing the<br />
RST flag.<br />
170 .1.3.6.1.4.1.7564.25.11 A table containing ClickTCP connection-specific information.
171 .1.3.6.1.4.1.7564.25.11.1 A conceptual row of the ctcpConnTable containing information about a particular current TCP connection. Each row of this table is transient, in that it ceases to exist when (or soon after) the connection makes the transition to the CLOSED state.
172 .1.3.6.1.4.1.7564.25.11.1.1 A unique value for each clicktcp connection.
173 .1.3.6.1.4.1.7564.25.11.1.2 The state of this TCP connection.
174 .1.3.6.1.4.1.7564.25.11.1.3 The local IP address for this TCP connection. In the case of a connection in the listen state which is willing to accept connections for any IP interface associated with the node, the value 0.0.0.0 is used.
175 .1.3.6.1.4.1.7564.25.11.1.4 The local port number for this TCP connection.
176 .1.3.6.1.4.1.7564.25.11.1.5 The remote IP address for this TCP connection.
177 .1.3.6.1.4.1.7564.25.11.1.6 The remote port number for this TCP connection.
178 .1.3.6.1.4.1.7564.27.1.1.0 The number of real services being checked.
179 .1.3.6.1.4.1.7564.27.1.2 Health Check statistics table.
180 .1.3.6.1.4.1.7564.27.1.2.1 An hcStatsTable entry containing health check statistics for one real service.
181 .1.3.6.1.4.1.7564.27.1.2.1.1 Reference index for each real service being checked.
182 .1.3.6.1.4.1.7564.27.1.2.1.2 Real service name.
183 .1.3.6.1.4.1.7564.27.1.2.1.3 Health Check IP address.
184 .1.3.6.1.4.1.7564.27.1.2.1.4 Health Check port.
185 .1.3.6.1.4.1.7564.27.1.2.1.5 The status (UP/DOWN) of the health check.
186 .1.3.6.1.4.1.7564.27.1.2.1.6 The reason why the health check is being marked UP/DOWN.
187 .1.3.6.1.4.1.7564.27.1.2.1.7 The number of times the health check is down.
188 .1.3.6.1.4.1.7564.27.1.2.1.8 The number of times the health check is up.
189 .1.3.6.1.4.1.7564.27.1.2.1.9 The number of connections attempted.
190 .1.3.6.1.4.1.7564.27.1.2.1.10 The number of successful connections.
191 .1.3.6.1.4.1.7564.27.1.2.1.11 The number of connection failures.
192 .1.3.6.1.4.1.7564.28.1.0 Total number of bytes received.
193 .1.3.6.1.4.1.7564.28.2.0 Total number of bytes sent.
194 .1.3.6.1.4.1.7564.28.3.0 Number of bytes received per second.
195 .1.3.6.1.4.1.7564.28.4.0 Number of bytes sent per second.
196 .1.3.6.1.4.1.7564.28.5.0 Peak received bytes per second.
197 .1.3.6.1.4.1.7564.28.6.0 Peak sent bytes per second.
198 .1.3.6.1.4.1.7564.28.7.0 Number of currently active transactions.
199 .1.3.6.1.4.1.7564.30.1.0 Current percentage of CPU utilization.
200 .1.3.6.1.4.1.7564.30.2.0 Number of connections per second.
201 .1.3.6.1.4.1.7564.30.3.0 Number of requests per second.
202 .1.3.6.1.4.1.7564.31.1.0 Total DNS requests.
203 .1.3.6.1.4.1.7564.31.2.0 Total successful DNS resolvings.
204 .1.3.6.1.4.1.7564.31.3.0 Total failed DNS resolvings.
205 .1.3.6.1.4.1.7564.31.4.0 Total DNS requests in the last second.
206 .1.3.6.1.4.1.7564.31.5.0 Total successful DNS resolvings in the last second.
207 .1.3.6.1.4.1.7564.31.6.0 Total failed DNS resolvings in the last second.
208 .1.3.6.1.4.1.7564.31.7.0 Peak DNS requests in a second.
209 .1.3.6.1.4.1.7564.31.8.0 Peak successful DNS resolvings in a second.
210 .1.3.6.1.4.1.7564.31.9.0 Total DNS requests in the last minute.
211 .1.3.6.1.4.1.7564.31.10.0 Total successful DNS resolvings in the last minute.
212 .1.3.6.1.4.1.7564.31.11.0 Total failed DNS resolvings in the last minute.
213 .1.3.6.1.4.1.7564.31.12.0 Peak DNS requests in a minute.
214 .1.3.6.1.4.1.7564.31.13.0 Peak successful DNS resolvings in a minute.
215 .1.3.6.1.4.1.7564.31.14.0 Total DNS requests in the last hour.
216 .1.3.6.1.4.1.7564.31.15.0 Total successful DNS resolvings in the last hour.
217 .1.3.6.1.4.1.7564.31.16.0 Total failed DNS resolvings in the last hour.
218 .1.3.6.1.4.1.7564.31.17.0 Peak DNS requests in an hour.
219 .1.3.6.1.4.1.7564.31.18.0 Peak successful DNS resolvings in an hour.
220 .1.3.6.1.4.1.7564.31.19.0 Total DNS requests in the last day.
221 .1.3.6.1.4.1.7564.31.20.0 Total successful DNS resolvings in the last day.
222 .1.3.6.1.4.1.7564.31.21.0 Total failed DNS resolvings in the last day.
223 .1.3.6.1.4.1.7564.31.22.0 Peak DNS requests in a day.
224 .1.3.6.1.4.1.7564.31.23.0 Peak successful DNS resolvings in a day.
225 .1.3.6.1.4.1.7564.31.24.0 Total DNS requests in the last 5 seconds.
226 .1.3.6.1.4.1.7564.31.25.0 Total successful DNS resolvings in the last 5 seconds.
227 .1.3.6.1.4.1.7564.31.26.0 Total failed DNS resolvings in the last 5 seconds.
228 .1.3.6.1.4.1.7564.31.27.0 Peak DNS requests in 5 seconds.
229 .1.3.6.1.4.1.7564.31.28.0 Peak successful DNS resolvings in 5 seconds.
230 .1.3.6.1.4.1.7564.251.1 This trap is sent when the agent starts.
231 .1.3.6.1.4.1.7564.251.2 This trap is sent when the agent terminates.
232 Float A single precision floating-point number. The semantics and encoding are identical for type 'single' defined in IEEE Standard for Binary Floating-Point, ANSI/IEEE Std 754-1985. The value is restricted to the BER serialization of the following ASN.1 type: FLOATTYPE ::= [120] IMPLICIT FloatType (note: the value 120 is the sum of '30'h and '48'h). The BER serialization of the length for values of this type must use the definite length, short encoding form. For example, the BER serialization of value 123 of type FLOATTYPE is '9f780442f60000'h. (The tag is '9f78'h; the length is '04'h; and the value is '42f60000'h.) The BER serialization of value '9f780442f60000'h of data type Opaque is '44079f780442f60000'h. (The tag is '44'h; the length is '07'h; and the value is '9f780442f60000'h.)
233 SyslogSeverity The severity of a syslog message. The enumeration values are equal to the values that syslog uses + 1. For example, with syslog, emergency=0.
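The Float textual convention above is the encoding a poller has to unpack when it reads these objects; the following Python is an added example (not code from the handbook or from ArrayOS) that builds the Opaque-wrapped FLOATTYPE exactly as described and parses it strictly, rejecting anything outside the short definite length form the MIB requires. Function names are mine.

```python
import struct

# Constants taken from the Float textual convention in the OID list.
FLOAT_TAG = bytes([0x9F, 0x78])  # [120] IMPLICIT: context-specific, long-form tag 120 ('30'h + '48'h)
OPAQUE_TAG = 0x44                # SNMP Opaque: APPLICATION 4
FLOAT_LEN = 4                    # IEEE 754 single precision occupies four octets


def encode_float_type(value: float) -> bytes:
    """BER-encode value as FLOATTYPE: tag '9f78'h, length '04'h, big-endian IEEE 754 single."""
    payload = struct.pack(">f", value)
    return FLOAT_TAG + bytes([FLOAT_LEN]) + payload


def wrap_opaque(inner: bytes) -> bytes:
    """Wrap already-encoded BER content in an Opaque ('44'h) using the short definite length form."""
    if len(inner) > 127:
        raise ValueError("short definite length form allows at most 127 content octets")
    return bytes([OPAQUE_TAG, len(inner)]) + inner


def encode_opaque_float(value: float) -> bytes:
    """Full on-the-wire form, e.g. 123.0 -> '44079f780442f60000'h."""
    return wrap_opaque(encode_float_type(value))


def is_opaque_float(data: bytes) -> bool:
    """Strict structural check: exactly Opaque{FLOATTYPE{4 octets}}, short-form lengths only."""
    return (
        len(data) == 2 + 2 + 1 + FLOAT_LEN
        and data[0] == OPAQUE_TAG
        and data[1] == 2 + 1 + FLOAT_LEN
        and data[2:4] == FLOAT_TAG
        and data[4] == FLOAT_LEN
    )


def decode_opaque_float(data: bytes) -> float:
    """Inverse of encode_opaque_float; refuses anything that is not the exact shape the MIB specifies."""
    if not is_opaque_float(data):
        raise ValueError("not an Opaque-wrapped FLOATTYPE value")
    return struct.unpack(">f", data[5:9])[0]


if __name__ == "__main__":
    encoded = encode_opaque_float(123.0)
    print(encoded.hex())                 # 44079f780442f60000
    print(decode_opaque_float(encoded))  # 123.0
```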