Download ePaper

ArrayOS APV 8.2 CLI Handbook - Index of

ArrayOS APV 8.2 CLI Handbook - Index of ArrayOS APV 8.2 CLI Handbook - Index of

from rharrison8.com More from this publisher

07.01.2013 Views

ArrayOS APV 8.2 CLI Handbook

ArrayOS APV 8.2

CLI Handbook

This document is protected by copyright and distributed under licenses restricting its use,

copying, distribution, and compilation. No part of this document may be reproduced in

any form by any means without prior written authorization of Array Networks, Inc.

Documentation is provided “as is” without warranty of any kind, either express or

implied, including any kind of implied or express warranty of non-infringement or the

implied warranties of merchantability or fitness for a particular purpose.

Array Networks, Inc., reserves the right to change any products described herein at any

time, and without notice. Array Networks, Inc. assumes no responsibility or liability

arising from the use of products described herein, except as expressly agreed to in writing

by Array Networks, Inc. The use and purchase of this product does not convey a license

to any patent copyright, or trademark rights, or any other intellectual property rights of

Array Networks, Inc.

Warning: Modifications made to the Array Networks unit, unless expressly

approved by Array Networks, Inc., could void the user’s authority to operate the

equipment.

Declaration of Conformity

We, Array Networks, Inc., 1371 McCarthy Blvd, Milpitas, CA 95035, 1-866-992-7729;

declare under our sole responsibility that the product(s) Array Networks, Inc., Array

Appliance complies with Part 15 of FCC Rules. Operation is subject to the following two

conditions: (1) this device may not cause harmful interference, and (2) this device must

accept any interference received, including interference that may cause undesired

operation.

Warning: This is a Class A digital device, pursuant to Part 15 of the FCC rules.

These limits are designed to provide reasonable protection against harmful

interference when the equipment is operated in a commercial environment. This

equipment generates, uses, and can radiate radio frequency energy, and if not

installed and used in accordance with the instruction manual, may cause harmful

interference to radio communications. In a residential area, operation of this

equipment is likely to cause harmful interference in which case the user may be

required to take adequate measures or product. In a domestic environment this

product may cause radio interference in which case the user may be required to take

adequate measures.

About Array Networks

Array Networks Inc. is a global leader in enterprise secure application delivery and

universal access solutions for the rapidly growing SSL VPN and application delivery

controller (ADC) markets. More than 5,000 customers worldwide – including enterprises,

service providers, government and vertical organizations in healthcare, finance, insurance

and education – rely on Array to provide anytime, anywhere secure and optimized

application access. Industry leaders including Deloitte, Red Herring, Gartner, and Frost

and Sullivan have recognized Array as a market and technology leader.

Contacting Array Networks

Please use the following information to contact us at Array Networks:

� Website:

http://www.arraynetworks.net/

� Telephone:

1-877-99-Array (1-877-992-7729)

408-240-8700

408-240-8753 (Fax)

Telephone access to Array Networks, Inc. is available Monday through Friday, 9 A.M. to

5 P.M. PST.

� Address:

1371 McCarthy Boulevard

Milpitas, California 95035, USA

Table of Contents

Declaration of Conformity .......................................................................................... I

About Array Networks............................................................................................... II

Contacting Array Networks ....................................................................................... II

Table of Contents .................................................................................................... III

Chapter 1 CLI Basics................................................................................................. 1

Login APV Appliance ........................................................................................ 1

Levels of Global Access Control ........................................................................ 2

ShortHand ......................................................................................................... 2

Chapter 2 Basic System Operations ........................................................................... 4

Chapter 3 Advanced System Operations .................................................................. 19

Chapter 4 WebWall .................................................................................................. 28

Access Groups ................................................................................................. 28

Access List ...................................................................................................... 28

WebWall .......................................................................................................... 29

Chapter 5 Server Load Balancing ............................................................................ 32

Basic SLB Commands ..................................................................................... 32

Adding Real Services....................................................................................... 34

Adding HC Checker and HC Checker List ....................................................... 45

Adding Virtual Services ................................................................................... 55

Adding Port Range for Virtual Service ............................................................. 58

Adding SLB Group Services ............................................................................ 60

Adding IP Pool ................................................................................................ 70

Adding Real Services to Groups ...................................................................... 71

III

Table of Contents

Other SLB Group Commands .......................................................................... 72

SLB Policy Settings ......................................................................................... 74

Other SIP Commands ...................................................................................... 88

Compatibility Check ........................................................................................ 89

Proxy Mode ..................................................................................................... 90

Statistics .......................................................................................................... 91

URL Rewrite/Redirect HTTP/HTTPS .............................................................. 94

URL Filtering ................................................................................................ 100

SLB Summary ............................................................................................... 107

Chapter 6 Link Load Balancing .............................................................................. 110

Chapter 7 Reverse Proxy Cache ............................................................................. 122

Cache Commands .......................................................................................... 122

HTTP Commands .......................................................................................... 132

Chapter 8 DNS Cache ........................................................................................... 150

Chapter 9 HTTP Compression ............................................................................... 152

Chapter 10 Secure Sockets Layer (SSL) ................................................................ 156

Chapter 11 Clustering ............................................................................................ 173

Chapter 12 Global Server Load Balancing ............................................................. 181

Basic SDNS Commands ................................................................................ 181

SDNS Member .............................................................................................. 182

SDNS Disaster Recovery (DR) Group ........................................................... 183

SDNS Site ..................................................................................................... 185

SDNS Proximity ............................................................................................ 186

SDNS Overflow Chain .................................................................................. 187

SDNS Region ................................................................................................ 188

Table of Contents

SDNS Bandwidth .......................................................................................... 189

SDNS Alias ................................................................................................... 190

SDNS Pool .................................................................................................... 191

SDNS IANA .................................................................................................. 195

SDNS Host .................................................................................................... 195

SDNS Backup................................................................................................ 196

SDNS Full DNS ............................................................................................ 197

SDNS DPS (Dynamic Proximity System) ...................................................... 198

SDNS Statistics ............................................................................................. 203

Chapter 13 Logging ............................................................................................... 206

Chapter 14 Link Aggregation ................................................................................. 212

Chapter 15 Quality of Service (QoS) ..................................................................... 214

QoS Queue .................................................................................................... 214

QoS Filter Rule .............................................................................................. 217

Other QoS Commands ................................................................................... 218

Chapter 16 Administrative Tools ............................................................................ 219

Configuration Management Commands ......................................................... 219

Configuration Synchronization Commands .................................................... 229

SDNS Configuration Synchronization Commands ......................................... 231

SNMP Commands ......................................................................................... 232

Troubleshooting Commands .......................................................................... 235

Debug Commands ......................................................................................... 236

Remote Access Commands ............................................................................ 242

Chapter 17 Monitoring .......................................................................................... 244

Assigning Graph Items via the CLI ................................................................ 244

Table of Contents

Default Legend String .................................................................................... 245

Appendix I SNMP OID List .................................................................................. 250

Chapter 1 CLI Basics

The APV Command Line Interface (CLI) is designed to maximize the functionality and

performance of the APV appliance by allowing administrators to configure and control

key functions of the APV appliance directly.

This CLI Handbook covers the proper use and execution of each command available to

the APV appliance administrator and user alike. The commands covered in this handbook

will adhere to these general conventions:

Style Convention

Bold typeface The body of a CLI command is in Boldface.

Italic CLI parameters are in Italic.

< > Parameters in angle brackets < > are required.

[ ]

Parameters in square brackets [ ] are optional.

Subcommand such as “no”, “show” and “clear”.

{ x | y | … }

Alternative items are grouped in braces and separated by vertical bars.

[ x | y | … ]

One should be selected.

Optional alternative items are grouped in square brackets and separated by

vertical bars. One or none is selected.

Note: If a string we input for configuring a parameter starts with figure, or the

string contains spaces, we must put the configuration string within double quotes to

make sure that we can configure the command correctly.

After getting connected to the APV appliance successfully via SSH or Console

connection, the administrator will be prompted for a login username and a password. The

default/first time login username is “array”, and the first time password is “admin”.

To recover the login password, administrators will need the aid of the Array Customer

Satisfaction personnel at support@arraynetworks.net. To recover the login password,

administrators will be required to do the following:

1. Establish a console connection with the APV appliance.

2. Input the command “recovery” in the CLI.

3. The APV appliance will present the administrator with a challenge, which consists

of a series of randomly generated characters. The following line displays the prompt

“response:”.

4. The administrator will need to “copy” and “paste” the challenge charatcters into an

email to the Array Customer Satisfaction personnel at support@arraynetworks.net.

5. The Customer Satisfaction personnel will return to the administrator a valid response

that corresponds to the challenge previously received. The response begins with

“--begin--” and ends with “--end--”.

Chapter 1 CLI Basics

6. Administrators need to copy the complete response and paste it after the “response:”

prompt in CLI, making sure that no leading or trailing spaces are included. And the

press “Enter”.

7. The password of “array” will be reset to the default “admin”.

Note: The “username recovery” function will not work if the user “array” is deleted.

Levels of Global Access Control

The APV appliance offers three levels or modes for global configuration and access to the

ArrayOS. Each mode is designated by a unique cursor prompt. The CLI prompt consists

of the host name of the APV appliance followed by either “>”, “#” or “(config)#”.

� User Mode

The first level is User Mode. Here, the user is only authorized

to execute some very basic operations and non-critical

functions. The User Mode prompt appears as “AN>” in the

CLI.

� Enable Mode

Users in this mode have access to a majority of view only

commands such as “show log config”. Commands from both

the User and Enable modes can be executed. Once accessing

the Enable mode successfully, the CLI prompt changes from

“AN>” to “AN#”.

� Config Mode

The final level is Config mode. It is at this level that users can

make changes to any part of the APV appliance configuration.

No two users may access the Config mode at the same time.

The CLI prompt will change from “AN#” to “AN(config)#”.

Note: In the ArrayOS, users can be assigned with Enable or Config access privilege.

The Enable users cannot access the Config mode. To allow an Enable user to access

the Config mode, administrators need to first change this user’s access privilege by

using the command “user [enable|config]”.

ShortHand

The ArrayOS has been designed with Shorthand to make interaction user friendly by

allowing the APV appliance to intuitively complete CLI commands based on the first

letters entered. Other user shortcuts are listed below:

CLI Shortcuts Operation

^a/^e Move the cursor to the beginning/end of a line.

^f/^b Move the cursor forward/backward one character.

CLI Shortcuts Operation

Esc-f Move the cursor forward one word.

Esc-b Move the cursor backward one word.

^d Delete the character under the cursor.

^k Delete from the cursor to the end of the line.

^u Delete the entire line.

Chapter 1 CLI Basics

Note: The symbol “^” indicates holding down the Control (Ctrl) Key while pressing

the letter that appears after the symbol.

Chapter 2 Basic System Operations

The System Operation portion of the CLI focuses on the specifics of your APV appliance.

The commands in this chapter provide the ability to assign an IP address and netmask to

the Appliance as well as to view the current parameters for the network interfaces and

software.

help

This command is used to display all commands based on level and function. This

command may be executed at any time, at any level while configuring the APV

appliance.

enable [recovery]

This command is used to gain access to the Enable level of the ArrayOS. After entering

this command in CLI, the system will prompt the user to supply the Enable level

password. The default password is null (empty).

If users forget the assigned password, they may execute the “enable” command with the

optional parameter “recovery” to reset the Enable level’s default password as follows:

1. Enter “enable recovery” at the User level prompt, e.g. AN>enable recovery.

2. A challenge string will be displayed.

3. Email the challenge string to Customer Support at support@arraynetworks.net.

4. The response code will be returned via email by the Customer Support personnel.

5. Cut and paste the response code in the CLI, and press “Enter”. The password of the

Enable level will be reset to empty.

disable

This command allows users to return the operator to the User mode from the current

privileged mode.

exit

This command returns the operator to the lower-level mode from the current privileged

mode. If users are in the User mode, this command allows them to exit out of the shell

system.

quit

This command allows users to leave the CLI. It can be executed at any time throughout

the configuration process.

show tech

Chapter 2 Basic System Operations

This command allows users to capture and view essential system information in real time.

show system warning

This command allows users to check the instant system warning message.

The yellow LED on the appliance will be activated when one of the following hardware

errors occurs. Then, users can execute this command to check whether one of the

following errors happens:

1. The CPU fan stopped working;

2. The CPU overheated (over 85℃);

3. The system overheated (over 75℃ on 1U appliances, or 85℃ on 2U appliances);

4. One of the dual power supplies failed (If redundant power supply applies to the

appliance).

Note: If the error is recovered, the warning message will be cleared. But it still can

be traced in system logs.

ip address {system_ifname|mnet_ifname|vlan_ifname|bond_ifname}

This command allows users to set the IP address and netmask of the system interface,

MNET interface, VLAN interface or bond interface.

system_ifname Specify the system interface name, which is port1, port2,

port3, port4, …, or port14 by default. (Administrators can

self-define the system interface name by using the

command “interface name”.)

mnet_ifname Specify the MNET interface name, which should be an

alphanumeric string.

vlan_ifname Specify the VLAN interface name, which should be an

alphanumeric string.

bond_ifname Specify the bond interface name, which should be an

alphanumeric string. The default bond interface name is

bond1, bond2, bond3, and bond4.

ip_address Specify the IP address of the interface.

netmask Specify the netmask appropriately.

Example:

AN(config)#ip address inside 209.120.10.1 255.255.255.0

no ip address

Chapter 2 Basic System Operations

This command is used to remove the specified IP address from the configuration.

show ip address

This command is used to display system IP address along with the assigned netmask.

clear ip address

This command is used to remove the configured IP address.

interface mac

This command is used to configure MAC address for the specified system interface.

interface_name Specify the system interface name. The interface here

cannot be VLAN, MNET and Bond interface. If the IP

address of the interface has been configured on VLAN,

MNET, Bond or SLB virtual services, its MAC address

cannot be changed.

mac_address Specify the MAC address of the system interface.

no interface mac

This command is used to restore MAC address of the specified system interface to the

default value.

interface_name Specify the system interface name.

clear interface mac

This command is used to restore the MAC address of all system interfaces to the default

value.

ip host

This command allows users to preset a DNS host name and corresponding IP address.

no ip host [ip]

This command allows users to remove a configured DNS host name.

clear ip host

Chapter 2 Basic System Operations

This command allows users to remove all configured DNS host names from the running

configuration.

show ip host

This command is used to display the configured DNS host names and the subsequent IP

addresses.

ip arp

This command allows users to create an ARP entry to the ArrayOS. The IP address and

MAC address (XX:XX:XX:XX:XX:XX) are required.

ip route default

This command allows users to set a default gateway IP address into the configuration of

the APVA appliance. Only one default route is permitted to be configured. The default

gateway IP must be entered in dotted IP format.

ip route static

This command is used to modify the network’s routing table as used by the APV

appliance. Multiple static routes are permitted to be configured. Typically the

“destination” parameter is the network IP address.

no ip route static

This command allows users to remove the static route from the running configuration.

no ip route default

The command allows users to remove the default IP route from the APV appliance.

show ip route

This command allows users to display the static routing table.

show statistics ip [ip_address]

This command is used to display the gathered information for the specific IP address. If

no IP address is assigned, this command displays all relevant statistics for all configured

IP addresses.

clear statistics ip [ip_address]

This command will clear the statistics for a specific IP address. If no IP address is

assigned, this command will clear all.

interface mtu

Chapter 2 Basic System Operations

This command allows users to set the largest frame size that can be transmitted over the

network.

interface_id Default Ethernet ID (port1, port2, port3, port4, port5, …,

port14) for the physical interfaces on the ArrayOS. The

number of the physical interfaces supported by the APV

appliance depends on the appliance model. At most 14

interfaces are supported now.

mtu_size The MTU (Maximum Transmission Unit) size preference.

This is the largest frame size that can be transmitted over

the network. The default size is 1500 bytes. Each interface

used by TCP/IP may have different MTU values.

interface name

This command allows users to set the interface name.

interface_id Default interface ID (port1, port2, port3, port4, …, port14)

for the physical interfaces on the ArrayOS. The number of

the physical interfaces supported by the APV appliance

depends on the appliance model. At most 14 interfaces are

supported now.

interface_name Specify unique name for the physical interface, which

should be an alphanumeric string of up to 32 characters.

The default interface name is port1, port2, port3, port4, …,

port14.

interface speed

This command allows users to set the interface speed. The interface speed of a 10G port

can only be set to “auto”.

interface_id Default port ID (port1, port2, port3, port4, port5, …,

port14) for the physical interfaces on the ArrayOS. The

number of the physical interfaces supported by the APV

appliance depends on the appliance model. At most 14

interfaces are supported now.

speed_option 10half (10 Mbps Ethernet half duplex communications),

100half (100 Mbps Ethernet half duplex communications),

100full (100 Mbps full duplex communications), 1000full

(1000 Mbps Ethernet full duplex communications) or auto.

Note: The ArrayOS sets the interface speeds to auto by

default. If any interface is setup to be connected to a

show interface [interface_name]

Chapter 2 Basic System Operations

device, such as a router or switch with a specific speed and

duplex mode, users will need to set the APV appliance to

match those requirements. Employing the “show

interface” command will allow users to view the current

speed setting.

This command is used to display the statistical information for all the system interfaces.

If a specific interface name is input, the system will only display the statistical

information for this interface.

interface_name Specify the physical interface name, which should be an

alphanumeric string of up to 32 characters. The default

interface name is port1, port2, port3, port4, …, port14.

Note: If IP statistics function is off, the number of the WebWall permit or drop

packages will be 0 in the output of the command “show interface”. The IP statistics

function is off by default, and you can turn it off via the command “ip statistics off”.

clear interface name

This command is used to reset all the interface names to the default.

clear interface speed {interface_id|all}

This command is used to restore the specified interface’s speed and duplex mode. “all”

means all the interfaces.

interface_id Default port ID (port1, port2, port3, port4, …, port14) for

the physical interface on the ArrayOS. The number of the

physical interfaces supported by the APV appliance

depends on the appliance model. At most 14 interfaces are

supported now.

clear interface mtu {interface_id|all}

This command is used to remove the specified interface’s (e.g. port1) size setting of MTU.

“all” means all the interfaces.

no interface name

This command is used to reset the specified interface (e.g.port1) name to the default.

show system tune

Chapter 2 Basic System Operations

This command is used to display the user-defined system tuning parameters.

show system attackfilter

This command is used to show the statistics information of the attack packets which have

been dropped by the APV appliance.

clear system tune

This command is used to reset the defined system tuning parameters.

system tune defraglimit

This command consolidates packet data requiring less memory frames. Users set the

“smallest_object_size”, measured in bytes, for packets received for defragmentation. For

example; an object with 10K size and the server MTU is 1K. Roughly, the Array receives

10 packets where 10 frames are used to cache the object. If “system tune defraglimit 512”

is configured, the APV appliance will consolidate the 10K data from 10 frames onto 5

frames (2K data/frame) to fully utilize the frame memory.

[no] system tune hwcksum {on|off}

This command is used to enable/disable hardware checksums on network cards. The

default setting is on.

[no] system tune tcpidle

This command allows users to establish the maximum time, in seconds, before

terminating a TCP connection. The default idle timeout is 300 seconds. The idle timeout

ranges from 60 seconds to 7200 seconds.

[no] system tune attackfilter {level_0|1|2}

This command is used to set the level to filter some invalidate IP packets. The

“level_0|1|2” parameter specifies the level which is used in APV appliance system. Its

default value is 0.

0 Disable the internal filter for IP packets. That’s to say, it

will permit any packets to Ethernet card into our system.

1 APV appliance will drop the packets which match the

following cases:

Source IP or destination IP is 0.0.0.0

Source IP is 255.255.255.255

Source IP is 224.x.x.x

Chapter 2 Basic System Operations

TCP port or UDP port is zero. This requires the WebWall

on the specific interface.

2 APV appliance will drop the packets which match the

following cases:

Source IP or destination IP is 0.0.0.0

Source IP is 255.255.255.255

Source IP is 224.x.x.x

system tune tcp retransmit timeout

TCP port or UDP port is zero. This requires the WebWall

on the specific interface.

Source IP is the local IP address, but the packets are

received by Ethernet interfaces.

This command allows users to set the timeout for retransmissions. The default setting is

1000ms. It is recommended that the default settings not be changed without contacting

Array Support.

system tune tcp retransmit dupacks

This command allows users to set the number of duplicate ACKs to start TCP fast

transmission. The default setting is 3. It is recommended that default settings not be

changed without contacting Array Support.

system tune tcp retransmit policy {newreno|adaptive}

This command allows users to change the default algorithm from NewReno to Adaptive

for starting TCP fast retransmission. It is recommended that default settings not be

changed without contacting Array Support.

system tune tcp slowstart {on|off}

It is recommended that default settings not be changed without contacting Array Support.

The default status is ON.

system tune tcp delack count

This command is used to configure the maximum delay ACK count. “count” defines the

maximum packets that can be delay ACK. It defaults to 4. 0 means no delay ACK.

system tune tcp delack timeout

Chapter 2 Basic System Operations

This command configures the maximum timeout (in ms) for delay ACK. “timeout”

defines the maximum timeout (in ms) for delay ACK, and its value must be the multiple

of 10. Its default is 100ms.

system tune tcp syntimeout

This command is used to set the minimum timeout for TCP SYN packets, in seconds.

no system tune tcp delack

This command is used to reset the TCP delay ACK to the default setting.

no system tune tcp retransmit {timeout|dupacks|policy}

This command is used to reset the TCP retransmit settings for the specified (timeout,

dupacks or policy) to the default setting.

no system tune tcp slowstart

This command is used to reset the slowstart to the default setting (on).

system tune ip randomid {on|off}

This command allows users to enable or disable the feature of setting a random number

for an IP packet. By default, this feature is disabled and the identification of an IP packet

will be sequentially increased. If “randomid” is on, the IP packet’s identification will be a

random number.

system tune tcp pktdropopt

This command is used to control packet drop behaviour when TCP packets are received

and dropped on a closed TCP port. This function is useful to slow down anyone who is

port scanning a system, attempting to detect vulnerable services on a system. It could

potentially also slow down someone who is attempting a DoS attack.

packet_drop_option Its value can be 0, 1 or 2.

� 0: return a TCP RST.

� 1: silently drop TCP SYN, and return TCP RST for all

other TCP packets.

� 2: silently drop all TCP packets.

system tune udp pktdropopt

This command is used to control packet drop behavior when UDP packets are received

and dropped on a closed UDP port. This function is useful to slow down anyone who is

Chapter 2 Basic System Operations

port scanning a system, attempting to detect vulnerable services on a system. It could

potentially also slow down someone who is attempting a DoS attack.

packet_drop_option Its value can be 0 or 1.

no system tune tcp pktdropop

� 0: return an ICMP port unreachable message.

� 1: silently drop all UDP packets.

This command is used to reset TCP packet drop behaviour to default.

no system tune udp pktdropop

This command is used to reset UDP packet drop behaviour to default.

ip nameserver

This command allows users to establish up to three name servers. Users may enter only

one name server IP address, in standard dotted format, at a time. If a user attempts to

enter a fourth name server, the APV appliance will instruct the user to delete one of the

previously entered name server addresses before accepting the new data.

show ip nameserver

This command allows users to display the IP addresses for the name servers.

no ip nameserver

This command allows users to remove a name server from the configuration protocols.

[no] fwd mode {nontransparent|transparent}

This command allows users to set the mode of operation. The APV appliance will use

Array’s management IP (nontransparent) or client’s IP (transparent) as source IP in port

forward connection.

Note: Port Forwarding feature cannot support FTP, users are recommended to use

SLB feature instead.

system date

In the event that a network does not rely on an NTP server, users may set the date within

the APV appliance by employing this command. The values for each parameter may be

entered as one or two digits as necessary. For example, if a user wants to enter the date

October 20, 2010, the input will be as follows:

AN(config)#system date 10 10 20

show date

Chapter 2 Basic System Operations

This command allows users to view the running date and time for the appliance.

system time

In the event that a network does not rely on an NTP server, users may set the time within

the APV appliance by employing this command. The values for each parameter may be

entered as one or two digits as necessary (Note: The APV appliance runs on a twenty-four

hour/military standard clock.). For example, if a user wants to enter the time as 11:33:51

PM, the input will be as follows:

AN(config)#system time 23 33 51

system timezone [timezone_string]

This command allows users to set the system time zone. When this command is executed,

the APV appliance will present the user with a three-step menu driven process to set the

correct time zone. The first step/menu in the process is to choose the correct continent (i.e.

Asia, Europe or North America). After the desired continent is entered, the next menu

will offer the list of support countries within the specified continent (i.e. China, Hong

Kong, Japan, South Korea, Singapore or Taiwan). The final step is to choose the specific

time zone region from the APV appliance generated list. Note: At any time during the

time zone setup, users may enter “0” to return to the previous option (i.e. entering “0” on

the country list page will return users to the continent page).

show system timezone

This command is used to display current timezone.

clear system timezone

This command is used to set system timezone to default, and the default system timezone

is “GMT”.

ntp {on|off}

This command activates or deactivates synchronizing the APV appliance clock with the

NTP server. NTP server settings and NTP time setting received by the APV appliance will

preempt CLI date and time settings. The “ntp server” command must be configured

before the NTP function can be enabled.

ntp server [version]

This command allows the APV appliance to act as a client to a specified NTP server.

Users may choose a specific NTP protocol version if so desired. The default is “Version

4”. NTP will get turned off if the time difference between NTP server and Array box is

greater than 1000 seconds (16 minutes approx) sanity limit. If the time difference is

Chapter 2 Basic System Operations

greater than 1000 seconds, it has to be adjusted to a closer value by using “system time”

command.

show ntp

This command allows users to view the current NTP configuration. This command will

also display the time dispersion and association of the current server.

clear ntp

This command removes the NTP configuration.

show statistics tcp

This command displays TCP connections in detail. The number of TCP connections in

each state is counted:

AN#show statistics tcp

LISTEN: 1

SYN_SENT: 0

SYN_RCVD: 0

ESTABLISHED: 0

CLOSE_WAIT: 0

FIN_WAIT_1: 0

CLOSING: 0

LAST_ACK: 0

FIN_WAIT_2: 0

TIME_WAIT: 432

Compared with the “show memory” output, “TIME_WAIT” figure is the same as

“USED” TCP small pcb. All the rest, from “LISTEN” figure to “FIN_WAIT” figure add

up to “USED” TCP pcb.

hostname

This command allows users to set or change the given name for an APV appliance, even

though a specified appliance may not be running (the name will be saved in all other

running configurations and later when the newly named machine is up and running, the

master will notify the new machine of the newly assigned name). A name may be entered

as a single set of continuous alphanumeric characters or a set of alphanumeric characters

housed within double quotation marks. Currently, the maximum length for a host name is

64 characters.

show hostname

This command is used to display the given host name for an APV appliance.

no hostname

Chapter 2 Basic System Operations

This command clears an APV appliance’s host name. After the host name is cleared, the

default name “AN” will be used as the host name.

[no] system mail from

For certain configured events (URL filtering and logging alerts), the APV appliance sends

emails to the configured addresses. This command can be used to configure the value of

the "From" header in the mail being sent out. Essentially, this is used to configure the

from email address. Default for is “%h alert@log.domain”.

% An escape character in both strings.

%h Full host name defined by the “hostname” command.

%q Doublequote (”).

%% A literal percent.

[no] system mail hostname

For certain configured events (URL filtering and logging alerts), the APV appliance sends

emails to configured addresses. This command can be used to configure the value of the

host name from which the mail is recorded as sent. The default for is

“%l.alert_pseudo_domain”.

% An escape character in both strings.

%h Full host name defined by the “hostname” command.

%l First part of the host name (up to the first “.”).

[clear|show] system mail

This command allows users to view or clear the system mail configuration.

system mail relay server

This command allows users to create a new system mail relay server.

host_name The assigned name of the domain name.

relay_server The IP address or the server name.

system mail relay {on|off}

Chapter 2 Basic System Operations

This command is used to turn on/turn off the system mail relay service. Followings are

the CLI examples to set up mail relay server.

AN(config)#system mail relay server “arraynertworks.com.cn” “relay.com”

AN(config)#system mail relay on

APV appliance will send mails using “relay.com”, with the host name of

"arraynetworks.com.cn". But firstly, we should make sure that the APV appliance can

find the relay server “relay .com” or the DNS can find it.

show system relay

This command is used to display the configuration and the status of the relay service.

clear system relay

This command is used to remove all the relay servers and turn off mail relay.

no system mail relay server

This command is used to delete the record of system mail relay server configuration.

system interactive on

This command is used to turn on CLI command interactive mode. If this command is

used, more command result messages will be displayed.

system interactive off

This command is used to turn off CLI command interactive mode. Less command result

messages will be displayed. This is the default setting.

show system interactive

This command is used to display the current system interactive setting (on|off).

system command timeout

This command is used to set the command execution timeout when the system boots up

or users execute the “config file|config memory” command. Fastlog and syslog will log

the timeout command for troubleshooting.

timeout Specify the timeout value in seconds (30-65535). The

default value is 0.

show system command timeout

This command is used to display the command execution timeout value.

setup

Chapter 2 Basic System Operations

This command allows users to login a wizard navigation, in which users can be navigated

to setup the APV appliance step by step.

Chapter 3 Advanced System Operations

[no|show|clear] mnet {system_ifname|bond_ifname}

This command allows users to create an MNET (mutil-netting) interface for the specified

system interface or bond interface. ArrayOS supports creating at most 16 MNET

interfaces.

The “no” version of this command is used to delete the specified MNET interface, and

the “show|clear” versions of this command are respectively used to display or remove

configurations about all MENT interfaces.

system_ifname Specify the system interface name, which is port1, port2,

port3, port4, …, or port14 by default. (Administrators can

self-define the system interface name by using the

command “interface name”.)

bond_ifname Specify the bond interface name, which should be an

alphanumeric string.

user_interface_name Self-define the MNET interface name, which should be an

alphanumeric string and contain at most 32 characters.

[no|show|clear] vlan {system_ifname|bond_ifname}

This command allows users to create a VLAN (Virtual Local Area Network) interface for

the specified system interface or bond interface. ArrayOS supports creating at most 250

VLAN interfaces.

The “no” version of this command is used to delete the specified VLAN interface, and

the “show|clear” versions of this command are respectively used to display or remove

configurations about all VLAN interfaces.

system_ifname Specify the system interface name, which is port1, port2,

port3, port4, …, or port14 by default. (Administrators can

self-define the system interface name by using the

command “interface name”.)

bond_ifname Specify the bond interface name, which should be an

alphanumeric string.

user_interface_name Self-define the VLAN interface name, which should be an

alphanumeric string.

vlan_tag Specify the ID for the VLAN interface being created,

Chapter 3 Advanced System Operations

which should be any integer from 1 to 4094.

fwd tcp [timeout]

This command allows users to assign a port on the APV appliance to a network IP/port

pair. All TCP traffic to a specific local IP and port received by the APV appliance will be

routed to a specified remote IP and port. ArrayOS supports creating at most 584 “fwd

tcp|udp” configurations.

local_ip The local IP address to forward.

local_port The port to forward into the network server farm.

remote_ip The IP address of the server that the appliance will forward

to the backend server.

remote_port The destination port corresponding to the remote IP

address.

timeout Optional timeout setting in seconds; it defaults to 300

seconds.

fwd udp [timeout]

This command allows user to forward UDP packets. All UDP traffic to a specific local IP

and port will be routed to a specified remote IP and port. ArrayOS supports creating at

most 584 “fwd tcp|udp” configurations.

local_ip The local IP address to forward.

local_port The UDP port to forward.

remote_ip The IP address of the server, in standard dotted format.

remote_port The destination port corresponding to the IP address.

timeout Optional timeout setting in seconds; it defaults to 300

seconds.

no fwd tcp

no fwd udp

These commands are used to disable the specified port-forwarding configuration.

clear fwd

This command is used to remove any configured port forwarding.

Chapter 3 Advanced System Operations

nat port {pool_name|vip} [timeout] [gateway]

This command is used to enable network address translation (NAT) along with port

translation. NAT converts the address of each server or device on the inside network into

one IP address or IP addresses in the pre-defined IP pool for the Internet, and vice versa.

It also serves as a WebWall by keeping individual IP addresses hidden from the outside

world. The appliance will check for subnet overlap or verify that the configured virtual IP

exists. Data packets will be NATTed if and only if:

� The source IP address should be in the range of the configured “network_ip” and

“netmask”.

� The configured “gateway” should be the same as the route gateway. If the “gateway”

is set to the default value 0.0.0.0, the “VIP/IP pool” and the route gateway should be

within the same network segment.

Up to 512 “nat port” configurations are allowed on one APV appliance.

pool_name|vip A supplied virtual IP address or IP pool name.

network_ip The network IP to perform the network translation on.

netmask The netmask for the network performing the NAT.

timeout Optional timeout setting in seconds; and it defaults to 60

seconds.

gateway The gateway IP address, to which the data packets were

routed after NATTed. It defaults to 0.0.0.0.

no nat port {pool_name|vip}

This command is used to remove the specified virtual IP address or IP pool from the NAT

configuration.

show nat port

This command is used to display all NAT configurations.

clear nat port

This command stops and removes the NAT configuration.

nat static [timeout] [gateway]

Chapter 3 Advanced System Operations

This command allows users to establish the static NAT route. Data packets will be

NATTed if and only if:

� The source IP address should be in the range of the configured “network_ip”.

� The configured “gateway” should be the same as the route gateway (The route

gateway is configured by using the command “ip route default”). If the “gateway”

is set to the default value 0.0.0.0, the “vip” and the route gateway should be within

the same network segment.

Up to 512 “nat static” configurations are allowed on one APV appliance.

vip A supplied virtual IP address.

network_ip The network IP to perform the network translation on.

timeout Timeout value in seconds; it defaults to 60 seconds.

gateway The gateway IP address, to which the data packets were

routed after NATTed. It defaults to 0.0.0.0.

no nat static

This command is used to remove the specified virtual IP address from the static NAT

configuration.

show nat static

This command is used to display all static NAT configurations.

clear nat static

This command is used to stop and remove the static NAT configuration.

nat protocol pptp [port]

This command is used to enable NAT traversal for PPTP tunnels. This function is enabled

by default.

port Specify the port number of the PPTP server. It defaults to

1723.

no nat protocol pptp

This command is used to disable NAT traversal for PPTP tunnels.

show nat protocol

Chapter 3 Advanced System Operations

This command is used to display the configurations of NAT traversal for PPTP tunnels.

show nat table

This command displays the existing network translations for incoming and outgoing

traffic and the statistics of GRE tunnels.

Example:

AN(config)#show nat table

From 172.16.74.201(1534)through 172.16.2.11(35940) to 172.16.2.226(1723)

PPTP GRE NAT table statistics.

Current GRE tunnel: 2

Total Out Packets: 277

Total In Packets: 205

Total Out Bytes: 100808

Total In Bytes: 12199

From(ip:call id) Through(ip:call id) To(ip:call id) Out Packets In Packets

172.16.74.201:16384 172.16.2.11:1025 172.16.2.226:33767 231 164

172.16.74.201:32769 172.16.2.11:1026 172.16.2.226:998 46 41

rip {on|off}

This command is used to turn on/off RIP.

rip version {1|2}

This command is used to set the RIP version to be RIPv1 or RIPv2. Its default setting is

RIPv2.

[no] rip network

This command is used to enable/disable RIP interfaces which have address matching with

the parameter “ip_address”.

show rip status

This command is used to display the status of RIP.

show rip settings

This command is used to display the current settings of RIP.

ospf {on|off}

This command is used to enable/disable OSPF.

[no] ospf network

Chapter 3 Advanced System Operations

This command is used to enable or disable the OSPF interfaces and define an area ID for

those interfaces.

area_id The identification number (0-4294967295) assigned to the

interfaces.

show ospf status

This command is used to display running status of OSPF.

show ospf settings

This command is used to display the current settings of OSPF.

ipv6 address [prefix_length]

This command is used to set the IPv6 address for a specified system interface. Only one

IPv6 address can be configured for each system interface.

interface_name The name of the system interface.

v6_address The IPv6 address, which should be a global unicast

address, in the format of “2000::2”.

prefix_length The prefix length of the IPv6 address. It ranges from 1 to

128, and defaults to 64.

no ipv6 address

This command is used to remove the IPv6 address of the specified system interface.

clear ipv6 address

This command is used to clear the IPv6 addresses configured for all system interfaces.

show ipv6 address

This command is used to display the IPv6 addresses configured for all system interfaces.

ipv6 natpt {on|off}

This command is used to enable or disable the NAT-PT translation.

show ipv6 natpt status

This command is used to display the status (on or off) of IPv6 NAT-PT.

ipv6 natpt prefix

Chapter 3 Advanced System Operations

This command is used to set the prefix of IPv6 address for NAT-PT translating. The

destination IPv6 address with this prefix will be translated by the APV appliance.

prefix The prefix of IPv6 address, in the format of “3001::”.

no ipv6 natpt prefix

This command is used to remove the IPv6 prefix configurations for NAT-PT translating.

ipv6 natpt v6v4

This command is used to set a dynamic IPv6-to-IPv4 translation rule. Any source IPv6

addresses will be translated into the IPv4 address specified by the parameter “v4_addr”,

and the port will be also remapped. Only one IPv6-to-IPv4 translation rule is supported.

The port number should be between 1025 and 65535.

no ipv6 natpt v6v4

This command is used to remove the IPv6-to-IPv4 translation rule.

ipv6 natpt v4v6

This command is used to set an IPv4-to-IPv6 static translation rule. Each IPv4 address is

mapped into an IPv6 address.

v4_addr The IPv4 address.

v6_addr The IPv6 address, which should be a global unicast

address.

no ipv6 natpt v4v6

This command is used to remove the IPv4-to-IPv6 translation rule associated with the

specified IPv4 address.

clear ipv6 natpt v4v6

This command is used to clear all the configured IPv4-to-IPv6 translation rules.

show ipv6 natpt config

This command is used to display the IPv6 NAT-PT configurations.

clear ipv6 natpt all

This command is used to clear all the IPv6 NAT-PT configurations.

show ipv6 natpt translations

This command is used to display the NAT-PT translation table.

ipv6 route default

This command is used to set the IPv6 default route.

Chapter 3 Advanced System Operations

gateway_ip The gateway IP address of IPv6 default route, which should

be a global unicast IPv6 address.

no ipv6 route default

This command is used to remove the IPv6 default route.

ipv6 route static

This command is used to set the IPv6 static route.

dst_ip The destination IP address, which must be a global unicast

IPv6 address.

prefix_length The prefix length, which ranges from 1 to 128.

gateway_ip The gateway IP address, which must be a global unicast

IPv6 address.

no ipv6 route static

This command is used to remove the IPv6 static route.

show ipv6 route

This command is used to display the IPv6 default route and static route.

clear ipv6 route

This command is used to remove the IPv6 default route and static route.

ip pool [end_ip]

This command is used to create an IP pool and add an IP segment into the IP pool. This

command can also be used to only add an IP segment into an IP pool. Multiple IP

segments can be added into a pool. If the IP pool input does not exist, ArrayOS will

Chapter 3 Advanced System Operations

create a new IP pool. The maximum number of IP pools supported on APV appliance is

32, and the maximum number of IP addresses allowed for each IP pool is 256.

pool_name The name of the IP pool. If the assigned name begins with

a numeric character, then the string needs to be framed in

double quotes.

start_ip The starting IP address of the IP segment.

end_ip The end IP address of the IP segment. It’s an optional

parameter. If it is not assigned, only the “start_ip” will be

added into the IP pool.

no ip pool [start_ip]

The command is used to remove an IP segment from the specified IP pool.

pool_name The name of the IP pool.

start_ip The starting IP address of the IP segment to be removed.

With the start IP configured, the IP segment that begins

with this IP address will be removed.

clear ip pool [pool_name]

This parameter is optional. If not specified, the specified IP

pool will be removed.

This command is used to remove the specified IP pool. If the parameter “pool_name” is

not assigned, the command will remove all the IP pools.

show ip pool [pool_name]

This command is used to display configurations about the specified IP pool. If the

parameter “pool_name” is not assigned, the command will show configurations about all

the IP pools.

Chapter 4 WebWall

The Access Control List (ACL) allows you to perform administration on WebWall or

firewall style of security rules. The commands in this chapter dictate those who may gain

access to your system based on their location in the Internet, and the network interface

used to contact the appliance.

Access Groups

accessgroup

This command allows users to assign access list members to a specific group and a

specific interface.

accesslist_id The identification number (1-999) assigned to this group of

members. This value should match the value established

for the access list member created with the “accesslist”

command.

interface The associated interface for this access group, which can

be the system interface, bond interface, VLAN interface or

MNET interface.

Example:

AN(config)#accessgroup 250 port1

no accessgroup

This command allows users to remove an access group from the associated interface.

show accessgroup

This command is used to display all access groups.

clear accessgroup

This command is used to remove all the group entries created by using the

“accessgroup” command. No TCP, UDP or ICMP packets will be allowed through the

WebWall nor will users be able to access the appliance by way of the WebUI unless

WebWall is disabled.

Access List

accesslist permit icmp echoreply

accesslist permit icmp echorequest

Chapter 4 WebWall

accesslist permit tcp

accesslist permit udp

accesslist deny icmp echoreply

accesslist deny icmp echorequest

accesslist deny tcp

accesslist deny udp

These commands are used to either permit or deny access. Access is disabled at boot time,

and rules control access to the appliance and network. There are two forms of the

command, one permitting access rules for a specific IP address and port number, and one

denying the access rules. The access list ID ranges from 1-999. This command works in

conjunction with the “accessgroup” command. Once an access list has been created, the

user has to run the “accessgroup” command to bind the newly created access list ID to an

interface (NIC). The IP addresses and netmasks specify the source subnet and destination

subnet for the rules that may be any classless subnets. Port number “0” can be used as the

wildcard for the source and destination port number fields. To remove any of the above

access list configurations, simply use the “no” version of the appropriate commands.

show accesslist

This command is used to display permitted IP addresses and denied source IP addresses

for the interfaces of the APV appliance.

clear accesslist

This command is used to remove all permit or deny WebWall rules.

Important: If the permit rules are cleared, no TCP, UDP and ICMP packets will be

passed through the WebWall.

WebWall

webwall on [mode]

Chapter 4 WebWall

This command allows users to turn on the WebWall function on a specified interface.

interface Specify the interface name, which can be the system

interface, bond interface, VLAN interface or MNET

interface.

mode This parameter is used to control WebWall behavior.

webwall off

� 0: Normal mode. All the packets will follow ACL

rules.

� 1: Ack mode. In this mode, WebWall is backward

compatible in that all the ACK TCP packets will be

permitted by default.

The default value is 0 for security consideration.

This command allows users to turn off the WebWall function on a specified interface.

By turning off the WebWall, the APV appliance will allow packets to travel freely

through the system. Users should only turn off the WebWall for diagnostic purposes since

it will disable all access list filters. Users also have the choice to enable or disable the

WebWall function for a specific interface, including the system interface, bond interface,

VLAN interface or MNET interface. Users who are using the Array clustering technology

should consult the clustering section of this manual before setting up the WebWall

functionality. The command does not reset any of the configured parameters. The

WebWall function is always off by default.

Example:

AN(config)#webwall port2 off

show statistics webwall [interface]

This command is used to display the current WebWall running information pertaining to

all interfaces (with the WebWall function enabled). If an interface is specified, this

command will only show the running information for this interface.

show webwall

This command is used to display the current configuration of the WebWall.

clear statistics webwall [interface]

Chapter 4 WebWall

This command is used to clear current statistics pertaining to the WebWall on the

specified interface. If no interface is specified, this command will clear the statistics for

all interfaces with WebWall on.

Chapter 5 Server Load Balancing

Server Load Balancing (SLB) improves server utilization, scalability, and failover

redundancy. The APV appliance monitors the available content servers, and directs client

requests to the most appropriate server based on one of several available algorithms.

Basic SLB Commands

show slb all

This command is used to display the entire SLB configuration, including real and virtual

services, policies, groups and group members.

clear slb all

This command is used to remove the SLB configurations.

slb timeout

This command is used to specify a custom TCP connection timeout value for all

connections to a virtual service. By default, connections to a virtual service use the

standard TCP timeout value.

virtual_name The name of the virtual service.

timeout The TCP timeout value, in seconds. The maximum value is

999999 seconds.

slb mode ircookie {plainname|hexname}

This command is used to set the SLB insert/rewrite cookie mode. If the mode is

“plainname”, an ASCII value of the real server’s name will be set as the cookie value, e.g.

name=aTc8acd!?9; if the mode is set to “hexname”, a hexadecimal value of the real

server’s name will be set as the cookie value, e.g. name=456143!?04.

Note: “!?” is the end of the rewriting part.

slb mode icookie {always|onlyone}

This command is used to control SLB insert cookie behavior to fit different client

browsers. If the mode is “always”, the APV appliance will always insert cookie no matter

whether the client’s request already contains inserted cookie or not. If the mode is set to

“onlyone”, the APV appliance will insert a cookie only when the client’s request doesn’t

contain any inserted cookies.

[no] slb mode packetbased

Chapter 5 Server Load Balancing

This command is used to configure UDP packet based load balancing for a specified

virtual service. With this configuration, the packets of one client connection can be

scattered to several different servers according to specified SLB algorithms.

The “no” version of this command is used to remove the packet-based load balancing

configuration of a specified virtual service.

virtual_name The name of the virtual service.

clear slb mode packetbased

This command is used to remove all the configurations about packet-based load

balancing.

slb directfwd {on|off}

This command is used to turn on/off the DirectFWD function. It is off initially.

slb directfwd syncache {on|off}

This command is used to turn on/off DirectFWD module’s syncache function. This

function can avoid synflood attacking effectively. It is off initially.

slb mode activeclose {on|off}

This command is used to turn on/off the L4 TCP connection actively closing feature. The

default value is off. When the feature is on, the system will close L4 related TCP

connections when the IP, TCP or TCPS real service goes down. When the feature is off,

L4 TCP connections will not be closed until connection timeout. The client request in the

existent connections will be sent to the original real service though it may have become

down.

APV appliance supports two modes to close L4 TCP connection:

� Actively closing: APV appliance will actively close the L4 TCP connections when

the corresponding real service goes down. It is useful to close the long connections

in time, and need to be turned on/off by using this command.

� Passively closing: For the spliced TCP connection, APV appliance checks the health

status of the real service by examining each packet to the real service. If the real

service becomes down, APV appliance will reset the connections. And this feature

will always work no matter the active closing mode is on or off.

slb mode regexcase {on|off} [virtual_service|vlink_name]

This command is used to enable or disable the SLB regexcase mode, i.e. to configure

whether or not the APV appliance will distinguish the uppercase or lowercase letters in

the strings that users input for some specific SLB settings. The default status is “off”,

Chapter 5 Server Load Balancing

which means the APV appliance will distinguish the uppercase or lowercase letters

(case-sensitive).

on|off If this value is “off”, the APV appliance will distinguish

the uppercase or lowercase letters (case-sensitive).

If this value is “on”, the APV appliance will not

distinguish the uppercase or lowercase letters

(case-insensitive). The APV appliance will automatically

change the uppercase letters in the string into lowercase

letters.

virtual_service|vlink_name This parameter is optional. It is used to enable or disable

the SLB regexcase mode for a specified virtual service or

vlink.

If this parameter is null, the SLB regexcase mode will be

enabled or disabled for all the virtual services and vlinks,

i.e. it’s a global setting.

If this parameter is set for a virtual service or vlink, the

global setting will be ignored on this virtual service or

vlink.

Note: This feature will take effect on the following commands: “slb policy regex”,

“slb policy header”, “http rewrite request url”, “http rewrite response url” and “slb

policy redirect”. If the SLB regexcase mode is not set before executing these

commands, the global setting will apply.

Adding Real Services

slb real http [port] [max_conn]

slb real tcp [max_conn]

slb real ftp [port] [max_conn]

slb real udp [max_conn] [hc_up] [hc_down] [timeout]

slb real https [port] [max_conn]

[hc_down]

Chapter 5 Server Load Balancing

slb real tcps [max_conn]

[hc_down]

slb real dns [max_conn]

slb real siptcp [port] [max_conn]

slb real sipudp [port] [max_conn]

[hc_up] [hc_down] [timeout]

slb real rtsp [port] [max_conn]

slb real rdp real_name [port] [maxconn] [tcp|icmp] [hc_up] [hc_down]

These commands allow users to assign specific parameters for your real services.

Inclusion of two different real services with the same name is not permitted. The real

service must be established before it can be added to any SLB group.

real_name An alpha-numeric string for the real service name. Note: If

the assigned name begins with a numeric character, then

the string needs to be framed in double quotes.

ip The real service’s IP address.

port The port number that the real service will answer incoming

requests. The default value is 80 for HTTP, 21 for FTP, 53

for DNS, 443 for HTTPS and TCPS, 554 for RTSP, 3389

for RDP and 5060 for SIP TCP and SIP UDP. There is no

default port setting for TCP or UDP. When the port is 0, it

is a port range real service, and its port range is considered

all-port.

max_conn Sets the maximum number of open connections per real

server. Default is 1000.

http|tcp|icmp|tcps

|dns|srcipt-tcp|script-udp

|radius-auth|radius-acct

|sip-tcp|sip-udp|rtsp-tcp

|https|script-tcps|ldap

Health check type performed to determine real service

availability. The default value is icmp for UDP, tcp for FTP,

HTTP, TCP, HTTPS, TCPS, dns for DNS, rtsp-tcp for

RTSP, sip-tcp for SIP TCP and sip-udp for SIP UDP. When

the port is 0, the real service can only use “icmp” or “none”

health check.

The ldap health check can only be configured for TCP real

services.

Chapter 5 Server Load Balancing

hc_up The number of health checks to be performed with a

positive result before marking the service as “up”. The

default value is 3.

hc_down The number of health checks to be performed with a

negative result before determining the service as “down”.

The default value is 3.

timeout Optional. Timeout period measured in seconds. This

parameter is only required when establishing a real service

through UDP. The default timeout setting for an UDP real

service is sixty seconds.

slb real ip [max_conn] [icmp|none] [hc_up] [hc_down]

[udp_timeout]

This command is for L3 IP load balancing. It allows users to add a new real service,

whose type is “IP”. The real service must be established before it can be added to any

SLB group. The real service of L3 load balancing can support TCP and UDP protocols at

the same time. And the real service TCP session will obey the global setting by the

command “system tune tcpidle ”.

max_conn Optional. Set the maximum number of both TCP and UDP

connections per real service. Default is 1000.

icmp|none Optional. The check type to determine real service

availability. Default is “icmp”.

hc_up The number of health checks to be performed with a

positive result before marking the service as “up”. The

default value is 3.

hc_down The number of health checks to be performed with a

negative result before determining the service as “down”.

The default value is 3.

udp_timeout The real service UDP session time out value (in seconds).

slb real l2ip

This command allows users to create L2IP based real services for load balancing

operations and protocols.

real_name An assigned name, in the form of a character string, to the

Chapter 5 Server Load Balancing

real service. Note: If the assigned name begins with a

numeric character, then the string needs to be framed in

double quotes.

real_ip The real server’s IP address, in traditional dotted IP format.

slb real l2mac

This command allows users to create L2 MAC based real services for load balancing

operations and protocols.

real_name An assigned name, in the form of a character string, to the

real service. Note: If the assigned name begins with a

numeric character, then the string needs to be framed in

double quotes.

real_mac The real server’s MAC address, in the format of

AB:CD:EF:GH:IJ:KL.

output_interface The output interface of the real service.

health ipreflect [protocol]

It is used to configure a reflector for L2 SLB TCP health check. This health check

reflector is set up and runs on another APV appliance.

reflector_name The name of the reflector, which supports at most 40

characters.

ip_address The IP address to bind with the reflector. 0.0.0.0 means any

IP address on the APV appliance.

port The port that the health check reflector listens upon.

protocol The health check type. Only TCP is supported for now.

no health ipreflect

This command is used to remove the specified reflector configuration.

clear health ipreflect

This command is used to clear all the reflector configurations.

show health ipreflect

This command is used to display all the reflector configurations.

Chapter 5 Server Load Balancing

no slb real {http|tcp|ftp|udp|tcps|https|dns|siptcp|sipudp|rtsp|rdp}

This command is used to delete the real service with the given name. If the real service is

a member of any groups, it will be removed from those groups.

show slb real {http|tcp|ftp|udp|tcps|https|dns|siptcp|sipudp|rtsp|rdp}

[real_name]

This command is used to display the real service with the given name and protocol. If no

real service name is given, this command will display all real services with the given

protocol.

show slb real all

This command is used to display all defined real services and all associated parameters.

clear slb real {http|tcp|ftp|udp|tcps|https|dns|siptcp|sipudp|rtsp|rdp}

This command is used to delete all configured real services of the specified protocol.

no slb real ip

This command is used to delete the L3 IP based real service with the given name. If the

real service is a member of any groups, it will be removed from those groups.

show slb real ip [real_name]

This command is used to display all the defined L3 real services or the specified real

service.

clear slb real ip

This command is used to remove all the defined L3 real services.

no slb real l2ip

This command is used to delete the L2 IP based real service with the given name. If the

real service is a member of any groups, it will be removed from those groups.

no slb real l2mac

This command is used to delete the L2 MAC based real service with the given name. If

the real service is a member of any groups, it is removed from those groups.

show slb real {l2ip|l2mac} [real_name]

Chapter 5 Server Load Balancing

This command displays all the defined L2 real services or the specified real service.

clear slb real {l2ip|l2mac}

This command removes all the defined L2 real services.

slb real enable

This command is used to activate a real service, so that traffic can be directed to it. This is

the default state of a real service.

slb real activation [warm-up_time]

This command is used to set the recovery and warm-up time for a real service.

real_name An alpha-numeric string for the real service name. Note: If

the assigned name begins with a numeric character, then

the string needs to be framed in double quotes.

recovery_time A period of time in seconds. When a real service’s

operational status is changed from inactive to active, it is

not eligible to receive any client requests for this period of

time. Once this time is reached, the APV appliance will

send client requests to this real service.

warm-up_time Optional. A period of time in seconds, after a real service is

recovered to be active, during which the client requests are

slowly sent to the real service, so that the real service can

reach its capacity gradually. Until the time is reached, the

real service’ capacity can reach its maximum connections.

If the value of the parameter is set to 0 (default), the real

service will reach its maximum capacity immediately after

the recovery time.

The administrator can use the command “show statistics slb real” to check the status of a

real service which has been just enabled. As shown in the following example, after the

real service named “service is enabled, its status will be first displayed as “UP (softup)”,

which means it is in the recovery time. In this period, no connection request will be

forwarded to this real service.

AN(config)#show statistics slb real service

Real service service 192.168.10.10 80 UP (softup) ACTIVE

Main health check: 192.168.10.10 80 tcp ACTIVE

Max Conn Count: 1000

Current Connection Count: 0

Outstanding Request Count: 0

Total Hits: 0

Total Bytes In: 0

Total Bytes Out: 0

Total Packets In: 0

Total Packets Out: 0

Average Response time: 0.000 ms

no slb real activation

Chapter 5 Server Load Balancing

This command is used to remove the recovery and warm-up time settings of the specified

real service.

show slb real activation

This command is used to display the recovery and warm-up time settings of the specified

real service.

slb real disable

This command is used to disable a real service.

By default, when a real service is disabled or deleted, the APV appliance SLB shall not

send session requests to the real services that have been disabled. However, for the real

services using cookie-based group method and load balancing polices, such as PC

(Persistent Cookie), IC (Insert Cookie), RC (Rewrite Cookie), SLB will still send the

existing session requests that match the cookie to the disabled real service to ensure

service persistence. While the new session requests will be sent to other working real

services. This function is called “Graceful Shutdown”.

The following gives an example of Graceful Shutdown:

AN(config)#slb real disable service

After disabling the real service named “service”, users can check the status of the real

service by using the command “show statistics slb real”.

AN(config)#show statistics slb real service

Real service service 10.8.6.42 80 DOWN INACTIVE(waiting)

Main health check: 10.8.6.42 80 tcp DOWN

Max Conn Count: 1000

Current Connection Count: 4572

Outstanding Request Count: 4215

Total Hits: 311

Total Bytes In: 39431

Total Bytes Out: 53466

Total Packets In: 7541

Total Packets Out: 3252

Average Response time: 32.000 ms

As shown in the above output information, the status of “service” is displayed as

“INACTIVE(waiting)”, which means the real service is still processing connection

Chapter 5 Server Load Balancing

requests, i.e., it is in the process of “Gracefully Shutdown”. During this process, the

session requests that match the cookie will be forwarded to this real service, while the

connection requests from new clients will be forwarded to other working real services.

After a while, users can run the command “show statistics slb real” again to check the

status of the real service.

AN(config)#show statistics slb real service

Real service service 192.168.10.10 80 DOWN INACTIVE(suspend)

Main health check: 192.168.10.10 80 tcp DOWN

Max Conn Count: 1000

Current Connection Count: 0

Outstanding Request Count: 0

Total Hits: 0

Total Bytes In: 0

Total Bytes Out: 0

Total Packets In: 0

Total Packets Out: 0

Average Response time: 0.000 ms

As shown in the above output information, the status of “service” now is displayed as

“INACTIVE(suspend)”, which means it has been shut down completely.

health interval

This command is used to set the interval time between health checks and health check

timeout time.

interval Specify the health check interval as measured in seconds,

which ranges from 1 to 100000.

server_timeout Optional, which specifies how long for health check to wait

for the real server/service to reply the health check request.

It ranges from 1 to 100000 and defaults to 5.

health request

This command is used to add the specified “request_string” at the specified index in the

Health Check Request Table. The string may be any valid character string up to 510

characters in length. Remember that any string with blank spaces in it requires that string

to be framed with double quotation marks. The value of the index must be within 0 to 999.

To overwrite an existing request string, just enter a new command. To remove an entry,

the “no health request” command should be used.

no health request

This command is used to return the health request at the specified index in the Health

Check Request Table to the default request, which is “HEAD / HTTP/1.0\r\n\r\n”.

show health request [request_index]

Chapter 5 Server Load Balancing

This command is used to display the Health Request Table. The value of the request

index must be within 0 to 1000.

clear health request

This command is used to revert all the health requests in the Health Request Table to the

default request, which is “HEAD / HTTP/1.0\r\n\r\n”.

health response

This command is used to add the specified “response_string” at the specified index in the

Health Check Response Table. The string may be any valid character string up to 510

characters in length. Remember that any string with blank spaces in it requires that string

to be framed with double quotation marks. The value of the index must be within 0 to 999.

The response string should be the response that is to be expected from the request set by

the “health server” command.

Example:

AN(config)#health response 5 “200 OK”

The string “200 OK” has been placed in the Response Table, row five.

no health response

This command is used to return the health response at the specified index in the Health

Check Response Table to the default response, which is “200 OK”.

show health response [response_index]

This command is used to display the Health Response Table. The value of the response

index must be within 0 to 1000.

clear health response

This command is used to revert all the health responses in the Health Response Table to

the default response, which is “200 OK”.

health server {real_name|add_hc_name}

This command is used to associate a real server with specific indices (request_index and

response_index) in the Request Response Table. The HTTP health check for this real

server will pick the request and response at these indices in the Request Response Table.

The command only takes effects on the real service or additional health check with the

type of http/https health check. Otherwise, this configuration will not work.

Chapter 5 Server Load Balancing

real_name|add_hc_name The real server name. The maximum length of the name is

40 characters.

request_index A specific request line index in the Request Response

Table.

response_index A specific response line index in the Request Response

Table.

no health server {real_name|add_hc_name}

This command is used to revert the request and response to the default for the specified

health server, including additional health check server.

show health server [server_name]

This command is used to show all ACTIVE real servers’ health status. The

“server_name” parameter is optional. If a server name is given, the specified real server’s

health status is shown. If a real service is deactivated via the command “slb real disable”,

its health status will not be displayed by this command.

Example:

AN(config)#show health server

----------------------------------- Server Status --------------------------

real server name status

r1 UP

r2 UP

r3 DOWN

----------------------------------- Health Check ---------------------------

real server name ip :port status hct rqr rpr checklist

----------------------------------------------------------------------------

r1 172.16.63.201 :80 UP tcp

r2 172.16.63.200 :80 UP tcp

r3 172.163.25.1 :80 DOWN tcp

clear health server

This command is used to revert the request and response to the default for all health

servers.

health import request

This command is used to import a health request file from a remote URL.

index The index for the newly imported request file.

url The URL which the file should be imported from.

health import response

Chapter 5 Server Load Balancing

This command is used to import a health response file from a remote URL.

index The index for the newly imported response file.

url The URL which the file should be imported from.

health load request

This command is used to load an imported health request file into memory.

index The index for the request file to be loaded.

health load response

This command is used to load an imported health response file into memory.

index The index for the request file to be loaded.

show health import request [output_mode]

This command is used to display the imported request file with a specified index.

output_mode Optional. It can be “binary” or “text”, and defaults to

“binary”.

show health import response [output_mode]

This command is used to display the imported response file with a specified index.

output_mode Optional. It can be “binary” or “text”, and defaults to

“binary”.

no health import request

This command is used to delete the imported request file with a specified index.

no health import response

This command is used to delete the imported response file with a specified index.

clear health import request

This command is used to remove all the imported request files.

clear health import response

This command is used to remove all the imported response files.

Chapter 5 Server Load Balancing

slb real activation [warm-up_time]

This command is used to set the recovery and warm-up time for a real service.

real_name An alpha-numeric string for the real service name. Note: If

the assigned name begins with a numeric character, then

the string needs to be framed in double quotes.

recovery_time A period of time in seconds. When a real service’s

operational status is changed from inactive to active, it is

not eligible to receive any client requests for this period of

time. Once this time is reached, the APV appliance will

send client requests to this real service.

warm-up_time Optional. A period of time in seconds, after a real service is

recovered to be active, during which the client requests are

slowly sent to the real service, so that the real service can

reach its capacity gradually. Until the time is reached, the

real service’ capacity can reach its maximum connections.

If the value of the parameter is set to 0 (default), the real

service will reach its maximum capacity immediately after

the recovery time.

no slb real activation

This command is used to remove the recovery and warm-up time of the specified real

service.

show slb real activation

This command is used to display the recovery and warm-up time of the specified real

service.

Adding HC Checker and HC Checker List

health {on|off}

This command allows users to turn on or turn off health check function. It defaults to on.

Chapter 5 Server Load Balancing

Note: With the health check function disabled, to execute the command “health on”

will reset the health check early warning counter.

health checker [timeout]

[flag]

This command allows users to create a health checker.

checker_name The assigned name of the checker. The limited length of

the name is 20 characters. If the name begins with a

number, the name should be quoted.

request_index The index to request table element, which contains the

message to be sent; the range is from 0 to 999.

response_index The index to response table element, which contains

expected response pattern; the range is 0-999.

timeout The timeout interval of this HC checker. The default value

is 3 seconds.

flag Success/fail flag, binary/ASCII flag. Its value can be 0, 1, 2

or 3. The default setting is 1.

no health checker

0 means when the response contains a string that matches

the predefined string from command "health response",

HC will mark the server as DOWN. Both request and

response strings should be input in ASCII.

1 means the response need to match the expected response

mode, HC succeeds and the request and response should be

input in ASCII.

2 means when the response contains a string that matches

the predefined string from command "health response",

HC will mark the server as DOWN. Both request and

response strings should be input in HEX.

3 means the response need to match the expected response

mode, HC succeeds and the request and response should be

input in HEX.

This command allows users to remove the specified health checker.

Chapter 5 Server Load Balancing

checker_name The assigned name of the health checker. The limited

length of the checker name is 20 characters. If the name

begins with a number, the name should be quoted.

show health checker [checker_name]

This command is used to display the specified HC checker. If no HC checker name is

given, display all the HC checkers.

clear health checker

This command is used to remove all the configured HC checkers.

slb real health

ct|sip-tcp|sip-udp|rtsp-tcp] [hc_up] [hc_down]

The command is used to define additional health check for existing real servers.

add_hc_name The name of the additional health check.

real_name An alphanumeric string for the real service name. If the

assigned name begins with a numeric character, then the

string needs to be framed in double quotes.

ip The IP address for the additional health check.

port The port number for the additional health check. For L2

SLB health check or “icmp” health check type, the port

number must be set to 0.

ladp|srcipt-tcp|script-udp

|radius-auth|radius-acct

|sip-tcp|sip-udp|rtsp-tcp

|https|script-tcps

The type of additional health check. The default value is

tcp.

The ldap additional health check can only be configured

for TCP real services.

hc_up The number of health checks to be performed with a

positive result before marking the service as “up”. The

default value is 3.

hc_down The number of health checks to be performed with a

negative result before determining the service as “down”.

The default value is 3.

no slb real health

Chapter 5 Server Load Balancing

This command is used to remove specified additional health check configuration.

show slb real health [real_name]

This command is used to display the SLB additional health check configurations about a

specified real service. And if no real service is specified, all SLB additional health check

configurations will be displayed.

clear slb real health [real_name]

This command is used to remove the SLB additional health check configurations about a

specified real service. And if no real service is specified, all SLB additional health check

configurations will be removed.

show health template {ftp|telnet|smtp|ldap|radius-auth|radius-acct|all}

This command is used to display application health check configuration sample

information. If the application protocol is specified, only the sample of that protocol will

be displayed. "all" means displaying all the samples. Currently, the following application

health check types are supported: ftp, telnet, smtp, ldap, radius-auth, and radius-acct.

health list

This command is used to designate a new HC checker list.

list_name The assigned name of a HC checker list. The limited length

of the list name is 20 characters. If the list name begins

with a number, a quotation mark should be added.

no health list

This command allows users to delete the specified HC checker list.

list_name The assigned name of a HC checker list. The limited length

of the list name is 20 characters. If the list name begins

with a number, a quotation mark should be added.

clear health list

This command is used to remove all the configured HC checker lists.

health member [place_index]

This command is used to add a checker to an HC checker list. The maximum number of

members in a list is 10. If the “place index” unspecified, the HC checker will be added to

the last entry of the HC checker list; if the “place index” is larger than the number of the

checkers in a checker list, the HC checker will also be added to the last entry of the HC

Chapter 5 Server Load Balancing

checker list; otherwise, the HC checker will be added at the specified place of the HC

checker list.

list_name The assigned name of a HC checker list. The limited length

of the list name is 20 characters. If the list name begins

with a number, a quotation mark should be added.

checker_name The assigned name of the checker. The limited length of

the checker name is 20 characters. If the name begins with

a number, the name should be quoted.

place_index Optional, the specified place of the checker list. The default

setting is 0. The range is from 0 to 10. If not specified, the

new checker will be added to the last entry of the HC

checker list. To view the sequence of the HC checker list,

use the command “show health list”. Note: the value of

the “place index” parameter will not be stored in

configuration.

no health member

This command is used to remove the specified HC checker from the specified HC

checker list of AppHC. When the HC checker is removed, the HC checkers behind it will

move forward a place automatically.

clear health member

This command is used to delete all the HC checkers in the specified HC checker list.

show health list [list_name]

This command is used to display the specified check list and all the HC checkers in this

checker list. If no HC checker list name is given, display all the checker lists and all the

HC checkers in all the checker lists.

health app {real_name|add_hc_name} [frequency] [hc_localip]

[hc_localport]

This command allows users to attach a health check to the specified HC checker list. If

one health check (which is configured by using the “slb real” command) is a nonempty

HC checker list, it will do health check according to the HC checker in the checker list;

otherwise it will do health check according to the request and response configured by the

“health server” command or the default request and response. The command only

applies to the real service or additional health check with script health check such as

script-tcp, script-udp and script-tcps. Otherwise, this configuration will not work.

Chapter 5 Server Load Balancing

real_name|add_hc_name The name of the real server or the additional health

checker, less than 40 characters.

list_name The assigned name of a HC checker list. The limited length

of the list name is 40 characters.

frequency Optional, which specifies the HC frequency of the health

check. The default value of the frequency is 2, in seconds.

hc_localip &

hc_localport

Optional. The local IP and port which are used when doing

health check. If “hc localip” and/or “hc localport” are not

given, the system will determine the local IP and port.

no health app {real_name|add_hc_name}

This command allows users to delete the association between the specified health checker

list and health check.

show health app [real_name|add_hc_name]

This command is used to display the specified health check information.

clear health app

This command is used to delete all the associations between health checker list and health

check.

health radius auth {real_name|add_hc_name}

[resp_code] [attr_list]

This command is used to configure authentication health check for the Radius server.

Array APV appliance sends authentication request packets to the Radius, if the Radius

server returns expected authentication response by a collection of handshake of Radius

protocol, then the Radius server is working well; else it is out of work. The command

only applies to the real service or additional health check with the type of radius-auth

health check. Otherwise, this configuration will not work.

real_name|add_hc_name The name of the real server or the additional health

checker, less than 40 characters.

secret_string The secret string is used as the key to encrypt password. It

should be obtained from the real server beforehand.

resp_code Optional. Set the expected response code returned by the

Radius server, which can be used to determine the health

status of the Radius server. It can be set to 2 or 3. The

default value is 2.

Chapter 5 Server Load Balancing

2: Radius Access-Accept. When you set the value of

“resp_code” to 2 and the username and password you

provide are both correct, if the response code returned by

the Radius server is 2, then the Radius server is marked as

UP; else it is marked as DOWN.

3: Radius Access-Reject. When you set the value of

“resp_code” to 3 and the password is wrong, if the

response code returned by Radius server is 3, then the

Radius server is marked as UP; else it is marked as

DOWN.

attr_list Optional. By now, only two attributes “NAS-IP-Address”

and “NAS-Port” are supported. You can configure the

attribute list string by following this format:

“attribute-name1=attribute-value1,attribute-name2=attribut

e-value2”

In this string, blank character is not allowed, and each

value length must be less than 32 characters. The key/value

pairs must be separated by the character ‘,’.

For example:

“NAS-IP-Address=192.168.1.2,NAS-Port=2012”.

no health radius auth {real_name|add_hc_name}

This command is used to remove the specified Radius authentication health check

configuration.

clear health radius auth

This command is used to remove all the Radius authentication health check

configurations.

show health radius auth [real_name|add_hc_name]

This command is used to show the Radius authentication health check configurations. If

no real service name or additional health check name is specified, all Radius

authentication health check configurations will be displayed.

health radius acct {real_name|add_hc_name} [resp_code]

This command is used to configure Radius accounting health check for the Radius server.

The command only applies to the real service or additional health check with the type of

radius-acct health check. Otherwise, this configuration will not work.

Chapter 5 Server Load Balancing

real_name|add_hc_name The real server name. The maximum length of the name is

40 characters.

secret_string The secret string is used as the key to encrypt password. It

should be obtained from the real server beforehand.

resp_code Optional. Set the expected response code returned by the

Radius server, which can be used to determine the health

status of the Radius server. Its default value is 5.

5: Radius Accounting-Response. When you set the value of

“resp_code” to 5, if the response code returned by Radius

server is 5, then the Radius server is marked as UP; else it

is marked as DOWN.

no health radius acct {real_name|add_hc_name}

This command is used to remove the specified Radius accounting health check

configuration.

clear health radius acct

This command is used to remove all Radius accounting health check configurations.

show health radius acct [real_name|add_hc_name]

This command is used to show the Radius accounting health check configurations. If no

real service name or additional health check name is specified, all Radius accounting

health check configurations will be displayed.

clear health radius all

This command is used to remove all the Radius accounting and authentication health

check configurations.

health ldap {real_name|add_hc_name} [bind_dn] [password] [search_dn]

[filter_keyword]

This command is used to add an LDAP health check configuration to a specified real

server. The LDAP additional health check is only supported for TCP real services.

Besides, the command only applies to the real service or additional health check with the

type of ldap health check. Otherwise, this configuration will not work.

real_name|add_hc_name The name of the real server or the additional health

checker, no more than 40 characters.

bind_dn The LDAP DN (Distinguished Name) to perform binding

operation, no more than 255 characters.

Chapter 5 Server Load Balancing

password The password of the specified DN, no more than 255

characters.

search_dn The DN to perform search operation, no more than 255

characters.

filter_keyword The filter keyword to search, no more than 255

characters. With the filter keyword configured, the LDAP

server will return the result set matching the filter. If null,

all the results matching “search_dn” will be returned. It is

recommended to specify the parameter “search_dn” more

accurately to reduce related network traffic.

no health ldap {real_name|add_hc_name}

This command is used to remove a specified LDAP health check configuration.

real_name|add_hc_name The name of the real server or the additional health

checker.

clear health ldap

This command is used to clear all the LDAP health check configurations.

show health ldap [real_name|add_hc_name]

This command is used to display LDAP health check configurations. If no real service

name or additional check name is specified, all existing LDAP configurations will be

displayed.

real_name|add_hc_name The name of the real server or the additional health

checker.

health relation

This command is used to set the relationship (and/or) among different health check

configurations. When the relationship is AND, if any one of the health checks (including

both original and additional health check configurations) fails, the real service is down.

When the relationship is OR, the real service will be down if, and only if, all the health

checks fail. For a new real service, the default health check relationship is AND.

real_name The real service’s name, string type.

Chapter 5 Server Load Balancing

relationship The relationship among different health check

configurations, either AND or OR.

show health relation

This command is used to display the health check relationship of a real service.

health failover {enable|disable}

This command is used to turn on/off the automatic failover when all backend real servers

are down. When the setting is enabled, the master cluster will fail over to the backup

cluster when all real servers are down. If all real servers configured in an APV appliance

are marked DOWN by Health Check, Clustering function will be disabled in this APV

appliance and other APV appliances will take over the traffic. As long as at least one real

server configured in an APV appliance is marked UP by Health Check, Clustering

function will be enabled in this APV appliance again and the APV appliance will take

over the traffic again if its mode is preemptive.

health failover retires

This command is used to set the number of retries before failover. The default number of

retries is 3.

health earlywarning

This command is used to enable the health early warning feature on the APV appliance

by setting a global threshold for the response time of all real servers. If the response time

of a real server exceeds the threshold, it means the real server is very slow, and it might

be in abnormal status.

With the feature enabled, the APV appliance will detect the event that real servers’

response time exceeds the threshold, and set a counter to record the times that the event

occurs. Based on these records, the APV appliance will create “Warning” logs to notify

the administrators of the real server’s abnormal status.

By default, this feature is off. For the real servers without health check configured, this

feature is not available.

threshold Set the response time threshold, in milliseconds. It ranges

from 0 to 60000. 0 means this feature will be disabled.

Note:

Chapter 5 Server Load Balancing

1. Only when the recorded times that a real servers’ response time consecutively

exceeds the threshold is the power of 2 (1, 2, 4, 8...), will the APV appliance record

“Warning” logs. Once the response time returns to the normal level, i.e. not

exceeding the threshold, related old records will be cleared. The counter will begin

to collect new records.

2. At most 1024 records are allowed on the counter. If the number of records exceeds

1024, the counter will be reset to 0 and start to recount.

clear health earlywarning

This command is used to reset the early warning threshold, and reset the early warning

counter.

show health earlywarning

This command is used to display the configuration about early warning threshold.

Note: With the health check function disabled, to execute the command “health on”

will reset the early warning counter.

Adding Virtual Services

slb virtual http [vport] [arp|noarp] [max_conn]

slb virtual https [vport] [arp|noarp] [max_conn]

slb virtual tcp [arp|noarp] [max_conn]

slb virtual tcps [arp|noarp] [max_conn]

slb virtual ftp [vport] [max_conn]

slb virtual ftps [vport] [max_conn]

slb virtual udp [arp|noarp] [max_conn]

slb virtual dns [vport] [arp|noarp] [max_conn]

slb virtual sipudp [vport] [arp|noarp] [max_conn]

slb virtual siptcp [vport] [arp|noarp] [max_conn]

slb virtual rtsp [vport] [mode] [arp|noarp] [max_conn]

slb virtual rdp [vport] [arp|noarp] [max_conn]

Chapter 5 Server Load Balancing

These commands allow users to create virtual services for load balancing operations and

protocols. For bond or VLAN interfaces, only the virtual service whose IP address

belongs to their subset can be allowed to be created.

virtual_name An assigned name, in the form of a character string, to the

virtual service. Note: If the assigned name begins with a

numeric character, then the string should be framed in

double quotes.

vip The virtual server IP address, in traditional dotted IP

format. Note: If the VIP is not in the subnet of any

interface, it will be bound with the first interface (port1)

and a warning message will be prompted.

vport The virtual server port. The default port setting is 80 for

HTTP, 443 for HTTPS, 53 for DNS, 21 for FTP, 554 for

RTSP, 5060 for SIP, 3389 for RDP and 990 for FTPS. This

is a required parameter for TCP and UDP. When the port is

0, the virtual service is a virtual service with all-port range

and this port range may be narrowed down by using the

“slb virtual port” command.

mode This parameter is designed for RTSP SLB. It can be

“redirect” or “nat”. It defaults to “redirect”.

arp|noarp If this parameter is provided, a “noarp” SLB virtual service

is defined. A “noarp” SLB virtual service doesn’t have its

virtual IP address added in the network interfaces.

Therefore, the virtual IP addresses of a “noarp” SLB virtual

service can’t be pinged or ARPed. This enables the client to

send packets to the real service’s IP address directly

without knowing any new virtual IP address. In this case,

APV appliance should be set as the client’s gateway. The

APV appliance will forward the traffic to the real servers

after some kinds of SLB processing, e.g.: SSL acceleration.

It defaults to “arp”.

max_conn Set the maximum number of open connections per VIP.

Default is 0.

slb virtual ip

This command allows users to create SLB virtual services for L3 load balancing

operations and protocols. This type of the virtual service can support TCP and UDP

protocol at the same time.

slb virtual l2ip [gateway_ip]

Chapter 5 Server Load Balancing

This command allows users to create L2 virtual services for load balancing operations.

virtual_name The assigned name, in the form of a character string, to a

virtual service. Note: If the assigned name begins with a

numeric character, then the string needs to be framed in

double quotes.

vip The virtual server’s IP address, in traditional dotted IP

format. Note: If the VIP is not in the subnet of any

interface, it will be bound with the first interface (port1)

and a warning message will be prompted.

gateway_ip The gateway IP address relative to the virtual IP address, in

traditional dotted IP format. 0.0.0.0 is a wildcard. Default is

0.0.0.0.

no slb virtual {http|tcp|https|tcps|ftp|ftps|udp|dns|siptcp|sipudp|rtsp|rdp}

This command allows users to remove the specified virtual service from load balancing

protocols along with all associated policies.

no slb virtual l2ip

This command allows users to remove the specified L2 virtual services for load balancing

protocols along with all associated policies.

show slb virtual {http|tcp|https|tcps|ftp|ftps|udp|dns|siptcp|sipudp|rtsp|rdp}

[virtual_name]

This command is used to display the given virtual service, or all virtual services of the

given protocol if no name is specified.

show slb virtual all

This command is used to display all defined virtual services and all associated

parameters.

show slb virtual l2ip [virtual_name]

This command is used to display all defined L2 virtual services or the specified virtual

service.

clear slb virtual {http|tcp|https|tcps|ftp|ftps|udp|dns|siptcp|sipudp|rtsp|rdp}

This command is used to remove all virtual services of the given protocol type.

no slb virtual ip

Chapter 5 Server Load Balancing

This command is used to delete the L3 IP based virtual service with the given name.

show slb virtual ip [real_name]

This command is used to display all the defined L3 virtual services or the specified

virtual service.

clear slb virtual ip

This command is used to remove all the defined L3 virtual services.

slb virtual {enable|disable}

This command is used to toggle the status of a virtual service. When a virtual service is

disabled, it cannot be used for SLB.

slb virtual health {on|off}

This command is used to turn on/off the health check on virtual services. When the

function is on, if all the real services associated with the virtual service are down, the

APV appliance will reset the coming connections.

Adding Port Range for Virtual Service

slb virtual portrange [protocol] [dst|src]

This command allows users to define a port range for the virtual service specified by the

“virtual name” parameter. The port range is from “min_port” to “max_port”. No

duplicated port range of one IP is allowed. This command is shared by both L2 and

portrange SLB. If a port range is attached to an SLB virtual service, only network traffic

in the port range will be balanced. Otherwise, the traffic will be simply routed as

pass-through traffic.

virtual_name An assigned name, in the form of a character string, to the

virtual service. Note: If the assigned name begins with a

numeric character, then the string should be framed in

double quotes.

protocol Optional. It can be chose from “all|tcp|udp”. It defaults to

“all”. It is useful only when the virtual service is L2 virtual

service.

dst|src Optional. It is the destination or source port. It defaults to

“dst”.

no slb virtual portrange [protocol]

Chapter 5 Server Load Balancing

This command allows users to remove filtering port range from the L2 virtual service.

ftp passive portrange

This command allows users to set the port range for data connection in passive

FTP/FTPS. The begin port and end port should be in the range of 1024-65535, and users

can define 20 to 1000 ports for a port range. The port range is global and can be used for

all FTP/FTPS virtual services.

start port The start port number.

end port The end port number.

clear ftp passive portrange

This command allows users to remove a port range.

show ftp passive portrange

This command allows user to view a port range.

ftp passive externalip

Please note that the difference between end port and start

port number should be greater than 19 but less than 999.

For example, if the start port is 2000, the end port should

be configured as 2019 at least, and 2999 at most.

This command is used to specify the external IP addressfor FTP/FTPS virtual services.

virtual_name The name of virtual service. Note: If the assigned name

begins with a numeric character, then the string should be

framed in double quotes.

ip

The external IP address.

no ftp passive externalip [virtual_name]

This command is used to remove the external IP address.

virtual_name The name of virtual service. Optional, and the default value

is “all”, which means the external IP address of all

FTP/FTPS virtual services will be cleared.

show ftp passive externalip [virtual_name]

This command is used to display the external IP address.

Chapter 5 Server Load Balancing

virtual_name The name of virtual service. Optional, and the default value

is “all”, which means the external IP address of all

FTP/FTPS virtual services will be displayed.

Adding SLB Group Services

The following command sequences are the necessary steps to establish and assign a load

balancing protocol to groups of servers.

slb group method [algorithm]

This command allows users to create an SLB group. The group is used to assign a

specific load-balancing algorithm to a set of real services. A group method must be

established before the user may assign real or virtual servers to a group.

group_name An assigned name, in the form of a character string, to the

group service. Note: If the assigned name begins with a

non-alphabetic character, then the string should be framed

in double quotes.

algorithm The algorithm used to balance load among real services

that are members of the group. This parameter is optional,

with a default value of Round Robin (“rr”). Depending on

the algorithm used, additional parameters may need to be

specified. The following shows the algorithms available

with the APV appliance. Methods requiring additional

parameters are designated with “*”.

� rr Round Robin

� pc Persistent Cookie*

� pi Persistent IP*

� hi Hash IP*

� hc Hash Cookie*

� ph Persistent Hostname*

� pu Persistent URL

� ic Insert Cookie*

� rc Rewrite Cookie*

� ec Embed Cookie*

� lc Least Connections*

� sr Shortest Response

� hh Hash Header*

� sslsid SSL Session ID*

� chi Consistent Hash IP*

� prox Proximity*

Chapter 5 Server Load Balancing

� snmp Simple Network Management Protocol*

� sipcid SIP CallID*

� sipuid SIP UserID*

� chh Consistent Hash Header*

� hq Hash Query*

� hip Hash (IP + Port)*

� rdprt RDP Routing Token

Following describes the above algorithms in more details.

slb group method {rr|pu|sr}

Round Robin (rr): Each server takes a turn based on its weight, if any. For example, with

a weight of 3, each server will be chosen for 3 requests before the next one in the list is

selected.

Shortest Response (sr): Server selection is based on lowest latency.

Persistent URL (pu): Based on a URL value. A group of this method must be associated

to a virtual service using the Persistent URL policy.

slb group method hc [rr|sr|lc] [weight|threshold]

Based on cookie Name=Value pair can only be used in conjunction with QoS Cookie and

Persistent Cookie policies. The “rr|sr|lc” argument can be called the “first choice method”.

If a client request does not yet have an assigned real service, this method will be used to

choose a real service for that client, based on the request properties appropriate to the

group method. The default value is rr. The “threshold” argument only applies if the “first

choice method” is lc, and is the same as the group method lc threshold parameter.

slb group method ic [cookie_name] [add_path] [rr|sr|lc]

[threshold]

When Insert Cookie (ic) is specified as the group’s algorithm, use this command structure,

where users can provide the optional parameter “cookie_name”, “add_path”, “rr|sr|lc”

and “threshold”.

Chapter 5 Server Load Balancing

cookie_name The name of the insert cookie. If no cookie name is

provided, the APV appliance will generate a cookie name.

add_path The path attribute of the cookie. Setting the “add_path”

parameter to 1 will insure that inserted cookie will have the

path attribute “/”, while 0 means no path will be included

in the cookie. The default setting is 0.

rr|sr|lc The “rr|sr|lc” parameter can be called the “first choice

method”. If a client request does not yet have an assigned

real service, this method will be used to choose a real

service for that client, based on the request properties

appropriate to the group method. The default value is rr.

threshold The “threshold” parameter only applies if the “first choice

method” is lc, and is the same as the group method lc

threshold parameter.

Note: The configuration of the command "slb group option ic" takes higher priority

than "slb group method ic".

If "slb group options ic" is not configured, the system will determine whether to

insert “/” into the cookie according to the “add_path” setting in the command "slb

group method ic".

If "slb group options ic" is configured:

1. If "slb group option ic" has defined "path", the path value will be inserted into

the cookie, and the path defined in the command "slb group method

ic " will be ignored.

2. If "slb group option ic" has not defined "path", the path value will not be

inserted into the cookie, and the path defined in the command "slb group method

ic " will also be ignored.

slb group option ic {expires|path|domain|secure|httponly}

Inserts cookie method allows APV to maintain persistence to a server. This command is

used to define the properties of the cookie including “expires”, “path”, “domain”,

“secure” and “httponly”.

Note: To configure this command, the parameter

“expires|path|domain|secure|httponly” must be enclosed in double quotes; otherwise,

the command cannot be executed.

group_name The real service group name.

expires|path|domain|secu

re|httponly

The property of the cookie.

Chapter 5 Server Load Balancing

� “expires” is used to define the expiration time of the

cookie. It ranges from 0 to 5256000, in minutes, i.e.

3650 days. “expires” should be in the format of

“expires=day:hour:minue”. For example, “expires=3”

indicates the expiration time is 3 minutes,

“expires=2:3” indicated the expiration time is 123

minutes (2 hours and 3 minutes) and “expires=1:2:3”

indicates the expiration time is 1563 minutes (1 day, 2

hours and 3 minutes).

� “path” is used to specify the path of the Web page

associated with the cookie. The string length ranges

from 1 to 128 characters. “path” should be in the

following format: “path=string”.

� “domain” is used to define the domain name. Servers

coming from different domains can access this cookie

via the “domain” parameter. The string length ranges

from 1 to 128 characters. “domain” should be in the

following format: “domain=string”.

� “secure” is used to define the transfer mode of the

cookie. It should be in the format of “secure=yes|no”.

If “secure=yes”, cookie will be transferred via

browsers and servers deploying HTTPS or other

security protocols. If “secure=no”, cookie will only be

transferred via the HTTP protocol.

� “httponly” is used to define if the cookie can be

accessed through client-end scripts. It should be in the

format of “httponly=yes|no”.

Note: The strings defined via the parameter “path” and

“domain” will be inserted into the cookie without any

change. The strings are case sensitive, and spaces are

allowed in the strings.

Chapter 5 Server Load Balancing

Note: The configuration of the command "slb group option ic" takes higher priority

than "slb group method ic".

If "slb group options ic" is not configured, the system will determine whether to

insert “/” into the cookie according to the “add_path” setting in the command "slb

group method ic".

If "slb group options ic" is configured:

1. If "slb group option ic" has defined "path", the path value will be inserted into

the cookie, and the path defined in the command "slb group method

ic " will be ignored.

2. If "slb group option ic" has not defined "path", the path value will not be

inserted into the cookie, and the path defined in the command "slb group method

ic " will also be ignored.

show slb group option ic [group_name]

This command is used to display the cookie property configuration of the specified group.

If no group name is specified, cookie property configurations of all groups will be

displayed.

clear slb group option ic [group_name]

This command is used to clear the cookie property of the specified group. If no group

name is specified, cookie property configurations of all groups will be cleared.

slb group method rc [cookie_name] [offset] [rr|sr|lc] [threshold]

For Rewrite Cookie (rc), use the command structure where “cookie_name” is required as

is the “offset” value. (The “offset” value is the number of protected bytes in a backend

server generated cookie.) Users must allow at least four (4) bytes of free space within the

server cookie value for the APV appliance to perform this task. The default value is zero

(0). The “rr|sr|lc” argument can be called the “first choice method”. If a client request

does not yet have an assigned real service, this method will be used to choose a real

service for that client, based on the request properties appropriate to the group method.

The default value is rr. The “threshold” argument only applies if the “first choice method”

is lc, and is the same as the group method lc threshold parameter.

slb group method pc [option]

For the SLB method Persistent Cookie (pc), the “option” parameter will correspond to the

cookie value offset. The default value for cookie value offset is 0. A group of this method

must be associated to a virtual service using the Persistent Cookie policy.

slb group method lc [threshold] [yes|no]

When Least Connections (lc) is used as the group’s algorithm, two additional parameters

can be specified. The parameter “threshold” is the threshold granularity of the algorithm

Chapter 5 Server Load Balancing

which defines how much the response time or active connection count for two real

services must differ before they are treated as different by the algorithm. This parameter

is optional, with a default value of 10. The parameter “yes|no” specifies whether SLB

should use round robin among all of the real services that are at the same active

connection count or response time threshold. A value of “yes” means that Round Robin

should be used, and a value of “no” means that Round Robin should not be used. This

parameter is optional, with a default value of “no”.

slb group method sslsid [timeout]

For load balancing based on SSLSID, employ this version of the command structure.

Please note that only TCP real servers are allowed as members of an SSLSID group and

only TCP virtual services will be allowed to be associated with this group. The optional

parameter refers to the length of time (in minutes, and defaults to 5 minutes) that a

session may be open before it can be replaced. A group deploying this method may only

be assigned as a default group.

slb group method pi [hash_bits] [rr|sr|lc] [threshold]

This command calls for the additional (optional) parameter “hash bits”. The optional

“hash_bits” field controls how many bits of the source IP are used in generating the hash.

It can be compared to a netmask, which is applied to the IP before it is hashed. The value

range for this parameter is 0-32 inclusive, with a default setting of 32. The “rr|sr|lc”

argument can be called the “first choice method”. If a client request does not yet have an

assigned real service, this method will be used to choose a real service for that client,

based on the request properties appropriate to the group method. The default value is rr.

The “threshold” argument only applies if the “first choice method” is lc, and is the same

as the group method lc threshold parameter.

slb persistence timeout [group_name]

This command allows users to set “pi” group method timeout value globally or per group.

If this value is set to “0”, it means that “pi” timeout function is closed; otherwise, it

means, that in a “pi” group if a IP address idle time exceeds the timeout value, it will be

treated as a new IP address and rechoose one member in the group.

timeout_minutes The value defaults to 0, which means OFF. The max value

is 50000 minutes. (43200 minutes = 1 month)

group_name Optional. It is set to null by default, which means the

timeout is a global setting.

no slb persistence timeout [group_name]

This command is used to remove “pi” group method timeout value. If “group_name” is

null, the system will only delete the global timeout. If “group_name” is given, only the

timeout of the specified group will be deleted.

show slb persistence timeout [group_name]

Chapter 5 Server Load Balancing

This command is used to display “pi” group method timeout value. If “group_name” is

null, only the global timeout is displayed. If “group_name” is given, only the timeout of

the specified group is displayed.

slb group method ph [rr|sr|lc] [threshold]

This command allows users to define the method on persistent host name. The “rr|sr|lc”

argument can be called the “first choice method”. If a client request does not yet have an

assigned real service, this method will be used to choose a real service for that client,

based on the request properties appropriate to the group method. The default value is rr.

The “threshold” argument only applies if the “first choice method” is lc, and is the same

as the group method lc threshold parameter.

slb group method hi [hash_bits]

The Hash IP (hi) load balancing method maps incoming traffic to real services based

upon the source IP of the traffic. The Hash IP algorithm is consistent across multiple APV

appliances, as long as the Hash IP groups on each APV appliance are configured the same.

The optional “hash_bits” field controls how many bits of the source IP are used in

generating the hash. Note that if a real service in a Hash IP group goes down, the existing

persistence will be disrupted.

slb group method hh [rr|sr|lc] [threshold] [prefix]

[delimiter]

For balancing based on Hash Header (hh), users must define an available header. Users

can hash an entire HTTP header or just hash a part of an HTTP header. “prefix” and

“delimiter” arguments are configured to match the part to be hashed. If the configured

prefix string is not matched, the entire HTTP header will be hashed. If the configured

prefix is matched but no configured delimiter is matched, the entire string starting after

the configured prefix will be hashed. This command only matches the string between the

prefix and the delimiter, not including the prefix and the delimiter. If one configured

prefix appears more than once in an HTTP header, only the first prefix will be matched.

header_name Specify a name for an HTTP header. It must be a

non-standard HTTP header (e.g. “Accept”, “Content-Type”

and “Content-Length”).

rr|sr|lc This argument is also called the “first choice method”. If a

client request does not yet have an assigned real service,

this method will be used to choose a real service for that

client. The default value is rr.

threshold It only applies if the “first choice method” is “lc”. If and

only if the difference of two servers’ respective connection

numbers is larger than the threshold, Array system will

Chapter 5 Server Load Balancing

consider that the connection numbers of two servers are

different, so that “lc” method can work. It defaults to 10. If

the “first choice method” is “rr” or “sr”, users must enter

an arbitrary integer to continue the latter parameters.

prefix Optional. If the configured prefix is not the beginning

string (a string closely following the header name, not

including a blank), it will be matched only when it follows

the configured delimiter (blanks and TAB are allowed

between the prefix and the delimiter). For example, if the

configured delimiter is “y”, the configured prefix

“username” can match “myusername” and “my username”.

The prefix string is case-sensitive. It can be (or not be) in

double quotes.

delimiter Optional. This argument indicates where the part to be

hashed in an HTTP header should end. The end of the part

to be hashed in an HTTP header is the last character before

the delimiter. It is case-sensitive, and must be in double

quotes.

slb group method chi [hash_bits]

This command creates a Consistent Hash IP (chi) group with the given group name. The

chi algorithm maps client requests to servers by hashing the source IPs of the requests.

The optional “hash_bits” field controls how many bits of the source IP are used in

generating the hash. The value of “hash_bits” can be any number between 0 and 32

inclusive, with a default of 32.

slb group method prox [rr|sr|lc] [threshold]

This command creates a Proximity (prox) group with the given group name. The “rr|sr|lc”

argument can be called the “first choice method”. If a client request does not yet have an

assigned real service according SDNS proximity rules, this method will be used to choose

a real service for that client, based on the request properties appropriate to the group

method. The default value is rr. The “threshold” argument only applies if the “first choice

method” is lc, and is the same as the group method lc threshold parameter.

slb group method snmp [weight|cpu] [community] [oidcount]

[oid1] [oidweight1] [oid2] [oidweight2] [check_interval]

This command creates an SLB group with snmp group method.

weight|cpu Mode value. CPU mode can meet most customer

requirements; weight mode supports customization for

OIDs and check interval settings. In CPU mode, only

community parameter needs to be configured and a fixed

interval of 60 seconds will be applied.

community The community field of SNMP server.

Chapter 5 Server Load Balancing

oidcount 1 or 2, which specifies the number of OIDs in weight

mode.

oid1 The first OID of weight mode.

oidweight1 The weight of the first OID in weight mode.

oid2 The second OID of weight mode.

oidweight2 The weight of the second OID in weight mode.

check interval The SNMP check interval for weight mode.

slb group method ec [rr|sr|lc] [threshold]

The first HTTP request without cookie may hit the group associated with the default

policy and the APV appliance will choose a real service according to “rr|sr|lc” method.

When the APV appliance gets the response from the server with the configured cookie

name, a string containing the real server’s information will be embedded at the head of

the cookie by the APV appliance. Then the modified response will be forwarded to the

client. Subsequent client requests will have the modified cookie value from which the

APV appliance can know the persistent real service. The APV appliance will remove the

embedded real service’s information from the cookie value and forward the request with

the original cookie value to the server. So only the cookie value between the client and

the APV appliance is alternated, and the cookie value between the APV appliance and the

real service keeps unchanged. The “rr|sr|lc” argument can be called the “first choice

method”. The default value is rr. The “threshold” argument only applies if the “first

choice method” is lc, and is the same as the group method lc threshold parameter.

slb group method {sipcid|sipuid} [rr|sr|lc] [threshold]

This command is used to configure an SLB group of SIP servers for which SIP call ID

persistence (parse the Call-ID header) or SIP user ID persistence (parse the User-ID

header) are required. Please notice: Besides sipcid and sipuid methods, SLB groups of

SIP real services may use other L4 methods, such as rr, lc, sr, etc. But groups not for SIP

real services can’t use sipcid and sipuid methods.

group_name An assigned name, in the form of a character string, to the

group service. Note: If the assigned name begins with a

numeric or otherwise non-alphabetical character, then the

string should be framed in double quotes.

Chapter 5 Server Load Balancing

rr|sr|lc For balancing based on SIP call ID or user ID persistence.

The “rr|sr|lc” argument can be called the “first choice

method”. If the client request does not yet have an assigned

real service, this method will be used to choose a real

service for that client, based on the request properties

appropriate to the group method. The default value is rr.

threshold It only applies if the “first_choice_method” is lc, and is the

same as the group method lc threshold parameter.

slb group method chh

This command is used to add a Consistent Hash Header (chh) SLB group. “chh” method

maintains persistency by applying hash functions on the specified HTTP request header.

“chh” method will hash the specified HTTP request header at most 3 times until an

available real service in the group is selected. If all the 3 hash values point to

out-of-service real services, a healthy real service will be chosen in round robin manner.

group_name An assigned name, in the form of a character string, to the

group service. Note: If the assigned name begins with a

numeric or otherwise non-alphabetical character, then the

string needs to be framed in double quotes.

header_ name The name of an HTTP request header. Both standard and

extended headers are supported. If HTTP URL (without

host name portion) is going to be used, just set the header

name to be “url”.

slb group method hq [rr|sr|lc]

This command is used to create a Hash Query (hq) SLB group. “hq” method maintains

persistency by hashing the specified tag value in the query of the HTTP requests. This

method must work with persistent URL policy together. The specified tag is defined in

persistent URL policy. The “rr|sr|lc” argument can be called the “first_choice_method”

and it defaults to rr.

slb group method hip [hash_bits]

The HIP load balancing method maps incoming traffic to real services based upon the

source IP and port of the traffic. The HIP algorithm maintains persistency by hashing the

source IP and port of the traffic. The optional “hash_bits” field controls how many bits of

the source IP are used in generating the hash. Note: If a real service in a Hash IP and port

group goes down, the existing persistence will be disrupted.

slb group method rdprt [rr|sr|lc]

Chapter 5 Server Load Balancing

This command is used to create an SLB group that uses the “rdprt” (RDP Routing Token)

algorithm.

group_name The real service group name.

rr|sr|lc This argument is also called the “first choice method”. If a

client request does not yet have an assigned real service,

this method will be used to choose a real service for that

client. The default value is rr.

The following command is used to set L2 SLB groups.

slb group method {hi|rr|chi} [route|direct]

This command defines an L2 SLB group. L2 SLB supports three kinds of group methods:

Round Robin (rr), Hash IP (hi) and Consistent Hash IP (chi).

route|direct Specify the route mode, which determines how the traffic

initiated from the real servers will be routed.

Adding IP Pool

[no] slb proxyip global

� route: The traffic will be routed by normal routing

rules.

� direct: The traffic will be routed from the interface

associated with the L2 virtual service.

This parameter is optional. By default, the “direct” mode is

used.

This command is used to assign a pre-defined IP pool for all SLB real servers as the

global IP pool. The “no” version of this command is used to remove a specified global IP

pool.

pool_name The name of the IP pool, which can be pre-defined via the

command “ip pool [end_ip]”. If

the pool name begins with a numeric character, then the

string needs to be framed in double quotes.

[no] slb proxyip group

This command is used to assign a pre-defined IP pool for a specified SLB group. The

“no” version of this command is used to remove a specified IP pool for an SLB group.

Note: The priority of group IP pools is higher than global IP pools.

clear slb proxyip [group_name]

Chapter 5 Server Load Balancing

This command is used to clear the IP pool configurations of a specified group. If no

group name is specified, the IP pool configurations of all SLB groups will be cleared.

show slb proxyip [group_name]

This command is used to display the IP pool configurations of a specified group. If no

group name is specified, the IP pool configurations of all SLB groups will be displayed.

show statistics slb proxyip [group_name]

This command is used to display the IP pool statistics of a specified group. If no group

name is specified, the IP pool statistics of all SLB groups will be displayed.

clear statistics slb proxyip [group_name]

This command is used to clear IP pool statistics of a specified group. If no group name is

specified, the IP pool statistics of all SLB groups will be cleared.

Adding Real Services to Groups

slb group member

This command is used to add a real service to a group. This generic command may be

used to assign real services to groups employing Shortest Response, Insert Cookie, Hash

Cookie, Hash Header, Persistent IP, or Persistent Hostname balancing methods.

group_name Specify which group to assign the real service to.

real_name Specify the real service name.

If users want to assign a real service to a group employing the round robin balancing

scheme, a slight modification of the command may be used. To add a real service to a

group balanced via Round Robin, use this command.

slb group member [weight]

If users want to assign a real service to a group employing the Round Robin or Least

Connection balancing method, a slight modification of the command may be used. To add

a real service to a group balanced via Round Robin or Least Connection, use this

command.

group_name Specify which group to assign the real service to.

eal_name Specify the real service name.

Chapter 5 Server Load Balancing

weight Optional parameter for weighted round robin and least

connection. The default value is 1.

slb group member [priority]

When users wish to assign a real service to a group employing the Persistent URL or

Persistent Cookie balancing scheme, an associate string value must also be specified. To

add a real service to a group balanced via PC or PU, use this command.

group_name Specifies which group to assign the real service to.

real_name Real service name.

param_string For persistent URL values, this string consists of the

characters that follow the “=” in a specified URL (see

the “slb policy persistent url” command). For persistent

cookies, the string refers to the cookie value from the

associated PC policy.

priority Set the priority of group members. The greater the value,

the higher the priority. It defaults to 0.

no slb group member

This command is used to remove a real service from a group.

show slb group member [group_name]

This command is used to display all the members of the specified group. If the group

name is not specified, display the members of all the groups.

clear slb group member

This command is used to remove the members of all the groups.

Other SLB Group Commands

no slb group method

This command is used to delete the specified group. This command will also remove all

associated policies and group memberships.

show slb group method [group_name]

Chapter 5 Server Load Balancing

This command is used to display group information including the method of balancing

for the specified group.

clear slb group method

This command is used to delete all defined groups, including all relationships with real

and virtual services.

show slb group protocol

The ArrayOS assigns a protocol to a real group based on the user’s configuration (TCP,

HTTP, etc.) to prevent real services from being assigned to an incompatible group. This

command allows users to see which protocol has been assigned to the specified group.

slb group flush

This command allows administrators to clear a persistent table for the specified group.

This command will also eliminate any existing persistence already established, so caution

is recommended when employing this command. Users who have already established a

persistent connection will be forced to reestablish a persistent connection. The

“group_name” parameter must refer to hc, hh, ph or pi groups.

slb group activation

This command allows users to activate health real services in a group based on their

priorities. Among the health real services in a group, only those with the highest priority

can be activated. If the number of health real services with the highest priority is smaller

than the number of real services to be activated, the health real services with the second

highest priority will be activated.

group_name An assigned name, in the form of a character string, to the

group service. Note: If the assigned name begins with a

numeric or otherwise non-alphabetical character, then the

string needs to be framed in double quotes.

num_of_rs The number of real services to be activated. If the

parameter is set to 2, two healthy real services in a group

with the highest priority will be activated, and the coming

requests can only be distributed to the two active real

services.

no slb group activation

This command allows users to unset the configured number of real services to be

activated.

show slb group activation

Chapter 5 Server Load Balancing

This command is used to display the number of real services to be activated and the status

of all the real services in a specified group.

Example:

AN(config)#show slb group activation group1

Group activation presetting: 1

real server priority active reason

r1 1 NO HEALTH

r2 2 NO Priority

r3 3 YES

SLB Policy Settings

In SLB, a policy links a virtual service to a group according to a specific rule. There are

16 different policies. A virtual service can be associated with multiple policies of each

type (with a few exceptions). Policies have precedence between policy types, as well as

within policy types. Virtual services using a cookie based policy (such as insert cookie,

rewrite cookie, etc.) need to assign the configured group as the default group as well so

that the cookie may be set for a client’s initial request. Multiple SLB policies’

precedences are configurable. The default precedence between policy types is as follows:

1. redirect

2. static

3. qos client port

4. qos network

5. persistent url

6. rewrite cookie

7. insert cookie

8. persistent cookie

9. qos cookie

10. qos hostname

11. qos url

12. regex

13. header

14. hash url

15. default

16. backup

(The italic policies’ precedences are configurable.)

Chapter 5 Server Load Balancing

During policy lookup for a specific VIP, each type is checked in the order given above. At

each type, all possible matches for that type are collected. The match with the highest

precedence within that type is then used to resolve to the associated group. Below are the

available commands for configuring the APV appliance to establish balancing policies.

show slb policy all

This command allows users to display all policies currently configured within the APV

appliance.

slb policy order

This command is used to set the specified policy’s precedence in the order template

named by the “order_template_name” parameter. If the specified order template name

already exists, this command will override it; otherwise, the command will create a new

order template based on the default order. 100 order templates can be created at most. If

one policy is moved forward to a place, all the policies in between will be moved one

place backward. On the other hand, if one policy is moved backward to a place, all the

policies in between will be moved one place forward. For L4 SLB, only five policies

(static, qos clientport, qos network, default and backup) can be used in the policy order

template.

order_template_name Customer defined order template name; the name can

contain 1 to 64 characters; up to 100 individual order

templates can be defined.

policy_type The policy type, such as header, ic, qos-cookie, etc.

precedence 1 to 12.

no slb policy order

This command is used to remove the specified SLB policy order template.

clear slb policy order

This command is used to remove all the SLB policy order templates.

show slb policy order [order_template_name] [policy_type]

If the policy type is specified, display its index in the specified order template; otherwise

display all the policies in the configured order in this order template. If the order template

name is not specified, display all the policies in the configured order in all defined order

templates, and the default order will be displayed at first.

slb vlink

This command is used to create a vlink.

show slb vlink [vlink_name]

This command is used to display one or all the defined vlinks.

no slb vlink

This command is used to remove a specified vlink.

clear slb vlink

This command is used to delete all the defined vlinks.

show statistics slb vlink [vlink_name]

Chapter 5 Server Load Balancing

This command is used to display the statistics about a vlink or all of the defined vlinks.

clear statistics slb vlink [vlink_name]

This command is used to remove the statistics about a vlink or all of the defined vlinks.

slb policy static

This command allows users to establish a static connection between a virtual service and

a real service, thus any requests calling on the virtual service will be redirected to the

corresponding real service. You may only have one static policy for each virtual service.

virtual_name The name of the virtual server.

real_name The name of the real server.

Example:

AN(config)#slb policy static leadbelly acen

no slb policy static

This command is used to delete the static policy for a virtual service.

show slb policy static [virtual_name]

This command is used to display the static connection between a specified virtual service

and the associated real service. If no virtual service name is specified, all defined static

policies are displayed.

clear slb policy static

Chapter 5 Server Load Balancing

This command is used to remove all static connections between virtual services and real

servers. If users want to remove a single, static connection between a virtual service and a

real server, the “no slb policy static” command should be employed.

slb policy persistent url {virtual_name|vlink_name}

This command allows users to set a Persistent URL policy to associate a virtual service or

a vlink with a Persistent URL (pu) group.

policy_name User specified name for the policy being configured.

virtual_name|vlink_name The name of the virtual service or the vlink.

group_name The name of the group.

url_tag The “tag” string that the appliance will match against.

precedence A value between 0 and 65535 inclusive. The policy’s

precedence is relative to other Persistent URL policies.

no slb policy persistent url

This command is used to delete a Persistent URL policy.

show slb policy persistent url [policy_name]

This command is used to display the given Persistent URL related policy, or all Persistent

URL policies if no name is specified.

clear slb policy persistent url

This command is used to delete all Persistent URL policies.

slb policy rcookie {virtual_name|vlink_name}

This command allows users to set a Rewrite Cookie policy to associate a virtual service

or a vlink with a group.

policy_name User specified name for the policy being configured.

virtual_name|vlink_name The name of the virtual service or the vlink.

group_name This group should be configured with the Rewrite Cookie

(rc) method and Embed Cookie (ec).

Chapter 5 Server Load Balancing

precedence A value between 0 and 65535 inclusive. The policy’s

precedence is relative to other Rewrite Cookie policies.

no slb policy rcookie

This command is used to remove the specified SLB policy from the running

configuration.

show slb policy rcookie [policy_name]

This command is used to display all Rewrite Cookie policies currently defined in the

running configuration.

clear slb policy rcookie

This command is used to remove all Rewrite Cookie policies from the running SLB

configuration.

slb policy icookie {virtual_name|vlink_name}

This command allows users to set an Insert Cookie policy to associate a virtual service or

a vlink with a group.

policy_name User specified name for the policy being configured.

virtual_name|vlink_name The name of the virtual service or the vlink.

group_name This group must be configured with the Insert Cookie (ic)

method.

precedence A value between 0 and 65535 inclusive. The policy’s

precedence is relative to other Insert Cookie policies.

no slb policy icookie

This command is used to remove the specified SLB policy from the running

configuration.

show slb policy icookie [policy_name]

This command is used to display all Insert Cookie policies.

clear slb policy icookie

This command is used to remove all Insert Cookie policies from the running SLB

configuration.

Chapter 5 Server Load Balancing

slb policy persistent cookie {virtual_name|vlink_name}

This command allows users to set a Persistent Cookie policy to associate a virtual service

or a vlink with a group. This policy can only be used with Hash Cookie or Persistent

Cookie group balancing methods.

policy_name User specified name for the policy being configured.

virtual_name|vlink_name The name of the virtual service or the vlink.

group_name The name of the group.

cookie_name Assigned cookie name.

precedence A value between 0 and 65535 inclusive. The policy’s

precedence is relative to other persistent cookie policies.

no slb policy persistent cookie

This command is used to delete the specified Persistent Cookie policy.

show slb policy persistent cookie [policy_name]

This command is used to display the specified Persistent Cookie policy. If no name is

given, all Persistent Cookie policies will be displayed.

clear slb policy persistent cookie

This command is used to remove all Persistent Cookie policies.

slb policy qos clientport {virtual_name|vlink_name}

{group_name|vlink_name}

This command is used to create a QoS Client Port policy to associate a virtual service or a

vlink with a group or another vlink. When a packet hits a virtual service, its source IP and

source port will be checked. If the source IP belongs to the defined subnet and the source

port falls into the defined port range, the packet will hit the policy.

policy_name User specified name for the policy being configured.

virtual_name|vlink_name The name of the virtual service or the vlink.

group_name|vlink_name The name of the group or the vlink.

network_ip The specified network IP address.

network_mask The subnet mask.

low_port The low value of the port range.

high_port The high value of the port range.

Chapter 5 Server Load Balancing

precedence A value between 0 and 65535 inclusive. The policy’s

precedence is relative to other QoS Client Port policies.

no slb policy qos clientport

This command is used to remove the specified QoS Client Port policy.

show slb policy qos clientport [policy_name]

This command is used to display the associated QoS Client Port policy.

clear slb policy qos clientport

This command is used to remove all configured QoS Client Port policies.

slb policy qos cookie {virtual_name|vlink_name}

{group_name|vlink_name}

This command is used to create a QoS Cookie policy to associate a virtual service or a

vlink with a group or another vlink.

policy_name User specified name for the policy being configured.

virtual_name|vlink_name The name of the virtual service or the vlink.

group_name|vlink_name The name of the group or the vlink.

cookie_name=cookie_value The assigned cookie name bound to a specific value.

precedence A value between 0 and 65535 inclusive. The policy’s

precedence is relative to other QoS Cookie policies.

no slb policy qos cookie

This command is used to delete the specified QoS Cookie policy.

show slb policy qos cookie [policy_name]

This command is used to display the specified QoS Cookie policy.

clear slb policy qos cookie

This command is used to remove all QoS Cookie policies.

Chapter 5 Server Load Balancing

slb policy qos hostname {virtual_name|vlink_name}

{group_name|vlink_name}

This command allows users to set a server load balancing policy to associate a virtual

service or a vlink with a group or another vlink. It may also be used with any balancing

method except Persistent Cookie and Persistent URL.

policy_name User specified name for the policy being configured.

virtual_name|vlink_name The name of the virtual service or the vlink.

group_name|vlink_name The name of the group or the vlink.

host_name Assigned host name.

precedence A value between 0 and 65535 inclusive. The policy’s

precedence is relative to other QoS Host Name policies.

no slb policy qos hostname

This command is used to remove the specified QoS Host Name policy.

show slb policy qos hostname [policy_name]

This command is used to display the associated QoS Host Name policy.

clear slb policy qos hostname

This command is used to remove all configured QoS Host Name policies.

slb policy qos network {virtual_name|vlink_name}

{group_name|vlink_name}

This command is used to create a QoS Network policy to associate a virtual service or a

vlink with a group or another vlink.

policy_name User specified name for the policy being configured.

virtual_name|vlink_name The name of the virtual service or the vlink.

group_name|vlink_name The name of the group or the vlink.

network_ip The specified network IP address.

network_mask The subnet mask.

Chapter 5 Server Load Balancing

precedence A value between 0 and 65535 inclusive. The policy’s

precedence is relative to other QoS Network policies.

no slb policy qos network

This command is used to remove the specified QoS Network policy.

show slb policy qos network [policy_name]

This command is used to display the associated QoS Network policy.

clear slb policy qos network

This command is used to remove all configured QoS Network policies.

slb policy qos url {virtual_name|vlink_name}

{group_name|vlink_name}

This command is used to create a QoS URL policy to associate a virtual service or a vlink

with a group or another vlink.

policy_name User specified name for the policy being configured.

virtual_name|vlink_name The name of the virtual service or the vlink.

group_name|vlink_name The name of the group or the vlink.

qos_string String to match requested URLs against.

precedence A value between 0 and 65535 inclusive, which specifies the

policy’s precedence relative to other QoS URL policies.

The lower the value is, the higher the policy precedence

will be.

no slb policy qos url

This command is used to delete the specified QoS URL policy.

show slb policy qos url [policy_name]

This command is used to display the specified QoS URL policy.

clear slb policy qos url

This command is used to remove all QoS URL policies.

slb policy regex {virtual_name|vlink_name}

{group_name|vlink_name}

Chapter 5 Server Load Balancing

This command allows users to create a Regular Expression policy to associate a virtual

service or a vlink with a group or another vlink.

policy_name User specified name for the policy being configured.

virtual_name|vlink_name The name of the virtual service or the vlink.

group_name|vlink_name The name of the group or vlink.

regex String in the form of :[^] string1[*string2[*stringN]][$];

where “^” matches the beginning of the URL, “*” means

any sequence of 0 or more characters and “$” matches the

end of the URL.

Note: This string is case-sensitive. Administrators can

configure whether to distinguish the uppercase or

lowercase letters in this command via the command “slb

mode regexcase {on|off}”.

precedence A value between 0 and 65535 inclusive. The policy’s

precedence is relative to other Regex policies.

no slb policy regex

This command is used to delete the specified Regex policy.

show slb policy regex [policy_name]

This command is used to display the specified Regex policy.

clear slb policy regex

This command is used to remove all Regex policies.

slb policy header {virtual_name|vlink_name}

{group_name|vlink_name}

This command allows users to create a Header policy to associate a virtual service or a

vlink with a group or another vlink. A Header policy is applied to the headers in incoming

HTTP requests. If the “header_name” parameter of a Header policy is the same as the

name of a header in an HTTP request, and the value of the header in the request matches

the pattern specified in the “header_pattern” parameter, then the Header policy matches

the request.

Chapter 5 Server Load Balancing

policy_name The name identifying the policy. It can be an alphanumeric

string with 1 to 20 characters. If the first character of the

name is a number, then the name must be enclosed in

double quotes.

virtual_name|vlink_name The name of the virtual service or the vlink.

group_name|vlink_name The name of the group or the vlink.

header_name The name of the HTTP header to match in requests.

header_pattern A pattern specifying which header values match the policy.

String in the form of :[^] string1[*string2[*stringN]][$];

where “^” matches the beginning of the URL, “*” means

any sequence of 0 or more characters and “$” matches the

end of the URL.

Note: This string is case-sensitive. Administrators can

configure whether to distinguish the uppercase or

lowercase letters in this command via the command “slb

mode regexcase {on|off}”.

precedence The precedence of this policy is relative to other Header

policies for the same virtual service.

no slb policy header

This command is used to delete the specified Header policy.

show slb policy header [policy_name]

This command is used to display the Header policy with the given name, or all

configured Header policies if no policy name is given.

clear slb policy header

This command is used to delete all Header policies.

slb policy hashurl {virtual_name|vlink_name}

{group_name|vlink_name}

This command allows users to create an SLB Hash URL policy to associate a virtual

service or a vlink with a group or another vlink. The SLB Hash URL policy supports

recoverable persistency. When a downed real service is up again, the original clients it

served before will be balanced back to it. The Hash URL policy priority is just higher

than default policy. The requests to a virtual service will be hashed into one of the groups

Chapter 5 Server Load Balancing

associated with the virtual service through some hashing function. If the hashed group

has no real service available, default group will be used.

policy_name The name identifying the policy. It can be an alphanumeric

string with 1 to 20 characters. If the first character of the

name is a number, then the name must be enclosed in

double quotes.

virtual_name|vlink_name The name of the virtual service or the vlink.

group_name|vlink_name The name of the group or vlink.

slb policy default {virtual_name|vlink_name} {group_name|vlink_name}

This command allows users to set a default policy to associate a virtual service or a vlink

with a group or another vlink. You may only have one default policy per virtual service or

vlink.

virtual_name|vlink_name The name of the virtual service or the vlink.

group_name|vlink_name The name of the group or the vlink. The Persistent Cookie

(pc) and Persistent URL (pu) methods cannot be assigned

as the default group policy.

no slb policy default {virtual_name|vlink_name}

This command is used to remove the default policy from a specified virtual service.

show slb policy default [virtual_name|vlink_name]

This command is used to display the default group for a virtual service.

clear slb policy default

This command is used to remove the default policy from all virtual services.

slb policy backup {virtual_name|vlink_name} {group_name|vlink_name}

This command allows users to set a backup policy to associate a virtual service or a vlink

with a group or another vlink. You may only have one backup policy per virtual service

or vlink. The group assigned to the virtual service or the vlink using the backup policy

will be used only if there is at least one successful match in a prior policy, but all real

services in all matches are down or overflowed.

virtual_name|vlink_name The name of the virtual service or the vlink.

group_name|vlink_name The name of the group or the vlink.

no slb policy backup {virtual_name|vlink_name}

Chapter 5 Server Load Balancing

This command is used to remove the backup policy from the virtual service.

show slb policy backup [virtual_name|vlink_name]

This command is used to display the backup group for a virtual service.

clear slb policy backup

This command is used to remove all backup policies.

slb policy redirect

This command allows users to create a redirect policy between a virtual service and a

group. A redirect policy is applied to the URL host in incoming HTTP requests. If the

“redirected_from_host” parameter of a redirect policy is the same as the host name of the

URL in an HTTP request, then the redirect policy matches the request.

policy_name The name identifying the policy. It can be an alphanumeric

string with 1 to 20 characters. If the first character of the

name is a number, then the name must be enclosed in

double quotes.

virtual_name The name of the virtual service.

group_name The name of the group.

redirected_from_host The host name in the HTTP request URL.

show slb policy redirect [policy_name]

Note: This string is case-sensitive. Administrators can

configure whether to distinguish the uppercase or

lowercase letters in this command via the command “slb

mode regexcase {on|off}”.

This command is used to display the redirect policy with the given name, or all

configured redirect policies if no policy name is given.

no slb policy redirect

This command is used to delete the specified redirect policy.

clear slb policy redirect

This command is used to delete all the redirect policies.

show slb policy group

Chapter 5 Server Load Balancing

This command is used to display all the policies associated with a specified group. An

SLB policy is used to map an SLB virtual service to a group. An SLB group may be

mapped with single or multiple virtual services through multiple policies. This command

helps to find all the policies concerned with the specified SLB group.

clear slb policy group

This command is used to remove all the policies concerned with the specified SLB group.

After executing this command, all the SLB virtual services will be unmapped from the

specified SLB group if they have been previously mapped.

[no] slb virtual order

This command is used to associate the specified order template to an SLB virtual service.

The policy precedence for the virtual service will go by the order defined in the order

template. Each SLB virtual service can only have one order template. If no order template

is specified, the default precedence order is used. If another order template has been set

for the virtual service, this command will modify it.

show slb virtual order [order_template_name]

This command is used to display the configured association between virtual services and

the specified policy order template. If no order template name is specified, this command

will display all configured association between virtual services and order templates.

clear slb virtual order [order_template_name]

This command is used to remove the configured association between virtual services and

the specified policy order template. If the name of the order template is not specified,

clear all association between virtual services and order templates from the system.

slb policy filetype

This command allows the users to establish a policy or rule for filetype.

policy_name User specified name for the policy being configured.

vs_name The name of the virtual service.

group_name The name of the group.

filetype The file extension.

no slb policy filetype

Chapter 5 Server Load Balancing

This command is used to remove the filetype policy with the given name.

show slb policy filetype [policy_name]

This command is used to display the filetype policy with the given name. If no policy

name is given, display all the defined filetype policies.

Other SIP Commands

sip nat [udp|tcp] [timeout]

[persistence_mode]

This command allows users to configure an SIP NAT rule for an SIP real service. All the

packets from the real service will be translated to the virtual service address.

virtual_ip The source IP will be transferred to this IP.

virtual_port The source port will be transferred to this port. 0 means

using the old source port.

real_ip The source IP of the packet.

real_port The source port of the packet. 0 means all ports.

udp|tcp The protocol of the packets to be translated. Optional, and

the default value is “udp”.

timeout Timeout value in seconds. It's optional, and the default

value is 60.

persistence_mode SIP NAT session persistence mode. It can be “callid” or

“userid”. The optional default value is “callid”.

no sip nat [udp|tcp]

This command is used to delete the SIP NAT rules for the specified real service.

clear sip nat

This command is used to delete all the SIP NAT rules.

show sip nat

This command is used to display all configured SIP NAT rules.

show statistics sip nat

Chapter 5 Server Load Balancing

This command is used to display the statistics information of all the SIP NAT rules.

clear statistics sip nat

This command is used to clear the statistics information of all the SIP NAT rules.

sip multireg {on|off}

This command is used to turn on/off the feature of SIP register packet forwarding. When

“multireg” is on, a client registration request is served by only one real server, but all the

other real servers in the same SIP server group will get a copy of the same client request

forwarded by an APV appliance for registration data synchronization.

Compatibility Check

There are different types of real and virtual services. There are also various kinds of SLB

policies and groups. We may refer to all of them as “SLB objects”. The relationships

among all the SLB objects are complicated. Not all the SLB objects may be connected

with all other objects. There are some compatibility issues among them depending on the

objects, categories and types. The following commands help to clarify the compatibilities.

show slb group compatible real

This command is used to display all the existing groups compatible with a given real

service. If a real service is compatible with an SLB group, it may be defined as a member

of the group.

Example:

AN(config)#show slb group compatible real r1

Output: “g1”

show slb group compatible virtual

This command is used to display all the groups compatible with a given virtual service. If

a virtual service is compatible with an SLB group, it may be connected with this group by

some types of SLB policies.

show slb policy compatible

This command is used to display all the policy types which can be used to connect the

given SLB virtual service with the given SLB group.

Example:

AN(config)#show slb policy compatible g1 v1

qos clientport

qos network

qos cookie

qos hostname

qos url

regex

header

default

backup

redirect

show slb real compatible groups

Chapter 5 Server Load Balancing

This command is used to display all the existing real services compatible with a given

group. If a real service is compatible with an SLB group, it may be defined as a member

of the group.

show slb virtual compatible groups

This command is used to display all the existing virtual services compatible with a given

group. If a virtual service is compatible with an SLB group, it may be connected with this

group by some types of SLB policies.

show slb real compatible healthcheck

This command is used to display the corresponding health check types compatible with a

given real service type. If the parameter “real_type” is set to “all”, the command will

display the corresponding health check types compatible with all the real service types

supported by APV appliance.

Example:

AN(config)#show slb real compatible healthcheck all

tcp:icmp/tcp/script-tcp/none

tcps:icmp/tcp/tcps/script-tcps/none

http:icmp/tcp/http/script-tcp/none

https:icmp/tcp/tcps/https/script-tcps/none

dns:icmp/dns/script-udp/none

ftp:icmp/tcp/script-tcp/none

udp:icmp/script-udp/radius-auth/radius-acct/none

ip:icmp/none

rtsp:icmp/tcp/rtsp-tcp/script-tcp/none

siptcp:icmp/tcp/sip-tcp/script-tcp/none

sipudp:icmp/sip-udp/script-udp/none

l2ip:arp/none

l2mac:none

Proxy Mode

system mode reverse [virtual_name]

Chapter 5 Server Load Balancing

This command is used to set the proxy mode of a virtual service to be reverse mode if the

optional parameter “virtual_name” is provided. Otherwise, the global proxy mode will be

changed to be reverse mode.

system mode transparent [virtual_name]

This command is used to set the proxy mode of a virtual service to be transparent mode if

the optional parameter “virtual_name” is provided. Otherwise, the global proxy mode

will be changed to be transparent mode.

system mode triangle [virtual_name]

This command is used to set the proxy mode of a virtual service to be triangle

transmission mode if the optional parameter “virtual_name” is provided. Otherwise, the

global proxy mode will be changed to be triangle transmission mode. Only TCP, UDP

and IP virtual services are supported in triangle mode.

[no] show system mode [virtual_name]

This command is used to display the proxy mode setting of a virtual service if the

optional parameter “virtual_name” is provided. Otherwise, the global proxy mode setting

will be displayed.

clear system mode

This command is used to undo all the virtual services’ proxy mode setting.

Statistics

Below are a series of commands to allow users to poll various statistics relating to Server

Load Balancing. Each command focuses on a particular element of the SLB protocol.

show statistics slb real

{dns|ftp|http|https|ip|l2ip|l2mac|rdp|rtsp|siptcp|sipudp|tcp|tcps|udp|all}

[real_name]

This command is used to display current statistics for one or all of the real services.

clear statistics slb real

{dns|ftp|http|https|ip|l2ip|l2mac|rdp|rtsp|siptcp|sipudp|tcp|tcps|udp|all}

[real_name]

This command is used to reset the statistics for one or all of the real services.

show statistics slb group [group_name]

Chapter 5 Server Load Balancing

This command is used to display current statistics for groups of real services. For SNMP

SLB groups, the MIB values of each real service will be displayed for monitoring

purpose.

clear statistics slb group [group_name]

This command is used to reset current statistics for groups of real services.

show statistics slb virtual

{dns|ftp|ftps|http|https|ip|l2ip|rdp|rtsp|siptcp|sipudp|tcp|tcps|udp|all}

[virtual_name]

This command is used to display the statistics information of one or all of the virtual

services.

clear statistics slb virtual

{dns|ftp|ftps|http|https|ip|l2ip|rdp|rtsp|siptcp|sipudp|tcp|tcps|udp|all}

[virtual_name]

This command is used to clear the statistics information of one or all the defined virtual

services.

show statistics slb policy static [virtual_name]

This command is used to display how many times the static policy of the specified virtual

service has matched a request. If no virtual service name is given, this command will

show match counts for the static policies of all configured virtual services.

show statistics slb policy virtual [virtual_name|vlink_name]

This command is used to display the statistics of all policies associated to the defined

virtual services or Vlink.

show statistics slb policy filetype [policy_name]

This command is used to display how many times the specified policy of RTSP filetype

has matched a request. If no policy name is given, the command will display the match

counts for all the defined policies of RTSP filetype.

clear statistics slb policy filetype [policy_name]

This command is used to reset the match counts of the specified policy of RTSP filetype.

If no policy name is given, the command will reset the match counts for all the defined

policies of RTSP filetype.

show statistics slb policy header [policy_name]

show statistics slb policy redirect [policy_name]

show statistics slb policy default [virtual_name]

show statistics slb policy backup [virtual_name]

show statistics slb policy persistent url [policy_name]

show statistics slb policy persistent cookie [policy_name]

show statistics slb policy icookie [policy_name]

show statistics slb policy rcookie [policy_name]

show statistics slb policy qos url [policy_name]

show statistics slb policy qos hostname [policy_name]

show statistics slb policy qos cookie [policy_name]

show statistics slb policy regex [policy_name]

show statistics slb policy qos network [policy_name]

Chapter 5 Server Load Balancing

The above commands are respectively used to display the match counts of different types

of policies. For the “show statistics slb policy default” and “show statistics slb policy

backup” commands, if no virtual service name is given, the commands will respectively

show match counts for default or backup policies of all configured virtual services. For

other commands, if no policy name is given, the commands will respectively show match

counts for all policies of the specified type.

clear statistics slb policy header [policy_name]

clear statistics slb policy redirect [policy_name]

clear statistics slb policy default [virtual_name]

clear statistics slb policy backup [virtual_name]

clear statistics slb policy persistent url [policy_name]

clear statistics slb policy persistent cookie [policy_name]

clear statistics slb policy icookie [policy_name]

clear statistics slb policy rcookie [policy_name]

clear statistics slb policy qos url [policy_name]

clear statistics slb policy qos hostname [policy_name]

clear statistics slb policy qos cookie [policy_name]

clear statistics slb policy regex [policy_name]

clear statistics slb policy qos network [policy_name]

Chapter 5 Server Load Balancing

The above commands are respectively used to reset the match counts of different types of

policies.

URL Rewrite/Redirect HTTP/HTTPS

http redirect url

This command allows users to redirect any request with URL that has path matching

specified regex and host matching specified host to URL that includes new host and new

path. Redirection is achieved by generation of 301 or 302 responses with location header

containing modified URL.

The maximum number of HTTP redirect rules allowed varies with the system memory:

for the appliances with 1G or 2G memory, a maximum of 200 rules can be configured;

for the appliances with 4G or 8G memory, a maximum of 400 rules are allowed.

virtual_name The name of the assigned virtual service.

policy_name The name of the HTTP redirect policy.

priority The priority of rule; the larger, the higher.

original_host The exact string of “Host:” header. This parameter supports

part match mode, i.e. users can input part of the host name.

For example, if a user sets this parameter as “sample”, all

host names in the requests (responses) containing the string

“sample” will be selected to be replaced. This parameter

supports the wildcards “^”, “*” and “$” to match the host

name. “^” matches the beginning of the host name, “*”

means any sequence of 0 or more characters and “$”

matches the end of the host name.

path_regex The regular expression to match with the path of the

request.

Chapter 5 Server Load Balancing

new_protocol The scheme of redirected response, either HTTP or

HTTPS.

new_host The host part of redirected response.

path_replacement The string to replace the part matching Path Regex.

response_code HTTP status code to send back response with, either 301 or

302.

Example:

AN(config)#http redirect url “vhost” “redirectpolicy” 10 “www.arraynetworks.com.cn”

“/market” https “arraynetworks.com.cn” “/support” 301

With this command the matching substring is “/market” and the replaced string is

“/support”. So at the end the original URL

http://www.arraynetworks.com.cn/market/faq/index.html will be redirected to

https://arraynetworks.com.cn/support/faq/index.html.

no http redirect url

This command is used to remove a specified HTTP redirect policy from an HTTP virtual

service configuration.

show http redirect url [virtual_name]

This command is used to display HTTP redirect policy for a specified virtual service or

for all virtual services.

clear http redirect url

This command is used to remove all HTTP redirect policies for a specified virtual service

or remove all HTTP redirect policies.

http redirect https

This command is used to configure HTTP to HTTPS redirects for a virtual service. It

allows users to redirect any request for the virtual service to URL that “http” is replaced

with “https”. Redirection is achieved by generation of 301 or 302 responses with location

header containing modified URL. There is no limitation of total HTTPS redirect rules,

but the number of virtual services is limited.

no http redirect https

This command is used to remove a specified HTTP-HTTPS redirect policy from an

HTTP virtual service configuration.

show http redirect https

Chapter 5 Server Load Balancing

This command is used to display HTTP-HTTPS redirect policy for all virtual services.

clear http redirect https

This command is used to remove all HTTP-HTTPS redirect policies.

http rewrite request url

This command allows users to modify the “Host:” header and the path in the HTTP

method line by rewriting the request before that request is sent to the backend.

The maximum number of rewrite HTTP request rules allowed varies with the system

memory: for the appliances with 1G or 2G memory, a maximum of 200 rules can be

configured; for the appliances with 4G or 8G memory, a maximum of 400 rules are

allowed.

virtual_name The name of the assigned virtual service.

policy_name The name of the HTTP rewrite policy.

priority The priority of rule, larger is higher.

original_host The exact string of “Host:” header. This parameter supports

part match mode, i.e. users can input part of the host name.

For example, if a user sets this parameter as “sample”, all

host names in the requests (responses) containing the string

“sample” will be selected to be replaced. This parameter

supports the wildcards “^”, “*” and “$” to match the host

name. “^” matches the beginning of the host name, “*”

means any sequence of 0 or more characters and “$”

matches the end of the host name.

path_regex The regular expression to match with the path of the

request.

Note: This string is case-sensitive. Administrators can

configure whether to distinguish the uppercase or

lowercase letters in this command via the command “slb

mode regexcase {on|off}”.

new_host The string to replace the host part of the matched requests.

Using “%r” as the new host means that the host part of the

marched requests will be rewritten as “ip:port” of the

selected real service. If the selected real service is a

port-range real service (whose port is 0), the port, on which

Chapter 5 Server Load Balancing

APV appliance connects to the real service, will be used.

path_replacement The string to replace the part matching Path Regex.

no http rewrite request url

This command is used to remove a specified HTTP rewrite request URL policy from an

HTTP virtual service configuration.

show http rewrite request url [virtual_name]

This command is used to display HTTP rewrite request URL policies for a specified

virtual service or for all virtual services.

clear http rewrite request url

This command is used to remove all HTTP rewrite request URL policies for a specified

virtual service or removes all HTTP rewrite request URL policies.

http rewrite response url

This command allows users to take the “Location:” header content from the backend and

rewrite it.

The maximum number of rewrite HTTP response rules allowed varies with the system

memory: for the appliances with 1G or 2G memory, a maximum of 200 rules can be

configured; for the appliances with 4G or 8G memory, a maximum of 400 rules are

allowed.

virtual_name The name of the assigned virtual service.

policy_name The name of the HTTP redirect policy.

priority The priority of rule; the larger, the higher.

original_protocol The scheme of original response either http, https or both.

original_host The exact host string in the response “Location:” header.

This parameter supports part match mode, i.e. users can

input part of the host name. For example, if a user sets this

parameter as “sample”, all host names in the requests

(responses) containing the string “sample” will be selected

to be replaced. This parameter supports the wildcards “^”,

“*” and “$” to match the host name. “^” matches the

beginning of the host name, “*” means any sequence of 0

or more characters and “$” matches the end of the host

name.

Chapter 5 Server Load Balancing

Note: This parameter does not take regex, and there is no

need to configure the port number for it.

path_regex The regular expression to match with the path in the

“Location:” header.

Note: This string is case-sensitive. Administrators can

configure whether to distinguish the uppercase or

lowercase letters in this command via the command “slb

mode regexcase {on|off}”.

new_protocol The scheme of redirected response, either http or https.

new_host The host part of redirected response. The special format

“%h” means the host in client request will be used.

path_replacement The string to replace the part matching Path Regex.

Example:

AN(config)#http rewrite response url v1 re1 2 http “www.a.com” “/” http “www.b.com” “/”

no http rewrite response url

This command is used to remove a specified HTTP rewrite response URL policy from an

HTTP virtual service configuration.

show http rewrite response url [virtual_name]

This command is used to display HTTP rewrite response URL policies for a specified

virtual service or for all virtual services.

clear http rewrite response url

This command is used to remove all HTTP rewrite response URL policies for a specified

virtual service or removes all HTTP rewrite response URL policies.

http rewrite response https

This command is used to configure rewrite of HTTP redirects to HTTPS for a virtual

service. Each response for this virtual service will be rewritten to an HTTPS response,

and an HTTPS response will be rewritten to the HTTP response.

no http rewrite response https

Chapter 5 Server Load Balancing

This command is used to remove a specified HTTP-HTTPS rewrite policy from an HTTP

virtual service configuration.

show http rewrite https

This command is used to display HTTP-HTTPS rewrite policies for all virtual services.

clear http rewrite https

This command is used to remove all HTTP-HTTPS rewrite policies.

http rewrite request removeheader

This command is used to add an HTTP rewrite policy to remove an HTTP header field

from all the client requests for the specified virtual service.

virtual_service An HTTP or HTTPS virtual service.

header_name The header field to be removed.

no http rewrite request removeheader

This command is used to delete an HTTP rewrite policy of removing an HTTP header

field from all the client requests for the specified virtual service.

show http rewrite request removeheader [virtual_service]

This command is used to display the HTTP rewrite policies of removing an HTTP header

field from all the client requests for a specified virtual service. If the parameter

“virtual_service” is null, display the HTTP rewrite policies of removing an HTTP header

field from all the client requests for all the virtual services.

clear http rewrite request removeheader [virtual_service]

This command is used to remove the HTTP rewrite policies of removing an HTTP header

field from all the client requests for a specified virtual service. If the parameter

“virtual_service” is null, remove the HTTP rewrite policies of removing an HTTP header

field from all the client requests for all the virtual services.

http rewrite response removeheader

This command is used to add an HTTP rewrite policy to remove an HTTP header field

from all the server responses for the specified virtual service.

virtual_service An HTTP or HTTPS virtual service.

header_name The header field to be removed.

no http rewrite response removeheader

Chapter 5 Server Load Balancing

This command is used to delete an HTTP rewrite policy of removing an HTTP header

field from all the server responses for the specified virtual service.

show http rewrite response removeheader [virtual_service]

This command is used to display the HTTP rewrite policies of removing an HTTP header

field from all the server responses for a specified virtual service. If the parameter

“virtual_service” is null, display the HTTP rewrite policies of removing an HTTP header

field from all the server responses for all the virtual services.

clear http rewrite response removeheader [virtual_service]

This command is used to remove the HTTP rewrite policies of removing an HTTP header

field from all the server responses for a specified virtual service. If the parameter

“virtual_service” is null, remove the HTTP rewrite policies of removing an HTTP header

field from all the server responses for all the virtual services.

http requestbody {enable|disable}

This command is used to turn on/off the support of the HEAD/GET request with body.

The function is off by default.

URL Filtering

The ArrayOS also offers the additional security mechanism of URL Filtering, protecting

against buffer overflow attacks, parser evasion attacks, directory traversal attacks, as well

as other hacker strategies. The commands set to implement the ArrayOS URL Filtering

protocols are listed below. Note: The URL filtering mechanism must work together with

L7 SLB.

filter vip [virtual_service_name]

This command allows users to create the URL filtering for a specified virtual service. The

parameter “virtual_service_name” defaults to “global” which denotes global setting.

filter mode {passive|active} [virtual_service_name]

This command allows users to set what action the APV appliance will take if a bad URL

request is received by the ArrayOS. The “passive” setting will allow the request to pass

through the appliance while keeping a transaction record of the violation. The “active”

setting will instruct the appliance to drop any request that violates the URL filtering

protocols as configured by the user. By default, the active mode is used. The parameter

“virtual_service_name” defaults to “global” which denotes global setting.

[no] filter url character

[virtual_service_name]

100

Chapter 5 Server Load Balancing

This command allows users to establish various ASCII values to deny access to the

backend servers. The parameter “virtual_service_name” defaults to “global” which

denotes global setting.

filter url keyword match [virtual_service_name]

This command is used to check whether the string matches one of configured regular

expressions for URL filter rules. It ensures that the configured regular expression rules

are written correctly so that the matched strings are really what customers want to deny or

permit. The parameter “virtual_service_name” defaults to “global” which denotes global

setting.

filter url keyword default {permit|deny} [virtual_service_name]

This command allows users to set the default rule for URL filtering for virtual service. In

conjunction with the “filter url keyword” command, this command provides the

flexibility to define black and white lists for URL keyword filtering. Since this command

depends on the “filter url keyword” command, it is required that no deny or permit rules

for URL keyword filtering are present when user changes the default filter setting (default

is permit). The parameter “virtual_service_name” defaults to “global” which denotes

global setting.

[no] filter url keyword {permit|deny} [virtual_service_name]

This command allows users to set a specific keyword or string to alert the APV appliance

as to the potential unwanted server request. This command is in conjunction with the

“filter url keyword default” command.

� If the “filter url keyword default” command is set to “permit”, users should choose

“deny” option of this command. Such configuration will result in rejecting requests

with URLs that match configured keywords.

� If the “filter url keyword default” command is set to “deny”, users should choose

“permit” option of this command. Then, all the requests will be rejected unless

URLs match specified keywords.

permit|deny Permit or deny a specific keyword.

string The parameter “string” can take regular expression which

is compatible with PERL’s. Note: “*” means matching the

ahead subexpression for 0 or n times, which is different

from “*” in the wildcard expression. If the character “*”

needs to be matched, “\*” is used to meet the need, and the

character “\*” is used to transfer the meaning. Typical

formats are: “/upload/” matching any URL which includes

the “/upload/” keyword, “\.exe” matching all the exe files

and “/image/.” “*\.jpg” matching all jpg files under

“/image” directory. If two or more matching rules match

the same URL, cache filter will select the rule with the

101

longest match.

Chapter 5 Server Load Balancing

Note: The parameter URL only supports the regular

expressions which are compatible with PERL’s. The

meaning of “*” in the regular expressions differs from “*”

in wildcard expression. Single “*” must be avoided to

appear in a cache filter. Single “*” is meaningless in the

regular expressions. (For example: cache filter rule

“www.sina.com.cn” “*” “cache=yes” is not allowed). In

the ArrayOS system, “.*” is used as the wildcard to match

all URLs. The meaning of “.*” in regular expression is the

same as that of “*” in the wildcard expressions.

virtual_service_name The name of the virtual servive. It defaults to “global”

which denotes global setting.

[no] filter type {integer|string} [virtual_service_name]

This command allows users to configure filtering requests by the type of the variable in

the URL query (the section after the “?” in the URL). APV appliance will allow or deny

requests depending on whether the value of URL query variable provided by the

“variable_name” parameter is of type “integer” or “string”. The parameter

“virtual_service_name” defaults to “global” which denotes global setting.

filter length {url|query|queryvariable|querydata|header|request}

[virtual_service_name]

This command allows users to set various filtering parameters concerning separate

aspects of the request being made to the network. The parameter “virtual_service_name”

defaults to “global” which denotes global setting. Default filter lengths are as follows:

� URL 1024

� query 1024

� queryvariable 128

� querydata 512

� header 1024

� request 10,000

filter alert [virtual_service_name]

This command allows users to enable or disable email notification/alert related to a

specified virtual service. The “email_address” parameter must be framed with quotation

marks; and the DNS name lookup of this email address depends upon the command “ip

nameserver ”. The “threshold” parameter is to set the number of drop requests

102

Chapter 5 Server Load Balancing

needed to issue an email alert. The parameter “virtual_service_name” defaults to “global”

which denotes global setting.

filter request controlchar {on|off}

This command is used to turn on/off the control characters filtering feature. By default,

the control character-based filtering is on. When this feature is on, all the characters

following a “%”(escape character) will be translated. However, if the translation fails, the

whole URL is denied. When this feature is off, all the characters following a “%” (escape

character) will be translated too. Different from the “on” mode, when the translation fails,

the translation will be ignored and the whole URL is accepted.

Permitted escaping patterns include:

%XX : XX is 00~FF, not including 00~1F and 7F

%uXXXX : XXXX is 0000~FFFF

Some translation examples are provided in the following table:

URL\Mode On Off

http://abc.com http://abc.com http://abc.com

http://abc.com/%30

http://abc.com/0 (translates

successfully)

http://abc.com/0 (translates

successfully)

http://abc.com/%00

……..

http://abc.com/%1F

Deny. (fails to translate

since %00~%1F are control

characters)

http://abc.com/%00

http://abc.com/%1F

(fails to translate, but keeps the

characters)

http://abc.com/%7F

Deny. (fails to translate since %7F

is a control character)

http://abc.com/%7F (fails to

translate, but keeps the

characters)

Deny. (fails to translate since “%” http://abc.com/%p (fails to

http://abc.com/%p

can only be followed by a HEX translate, but keeps the

byte, e.g.: %5B)

http://abc.com/%u1234

characters)

http://abc.com/%u1234

(%u is a special case which follows

by two HEX bytes, e.g. %u5B5B.

No translation is needed)

http://abc.com/%u1234

http://abc.com/%upq (fails to

http://abc.com/%upq Deny. (fails to translate)

translate, but keeps the

characters)

http://abc.com http://abc.com http://abc.com

http://abc%30.com

http://abc0.com (translates

successfully)

http://abc0.com (translates

successfully)

http://abc%00.com

……..

http://abc%1F.com

Deny. (fails to translate

since %00~%1F are control

characters)

http://abc%00.com

http://abc%1F.com

(fails to translate, but keeps the

characters)

http://abc%7F.com

Deny. (fails to translate since %7F

is a control character)

http://abc%7F.com (fails to

translate, but keeps the

characters)

103

http://abc%p.com

Chapter 5 Server Load Balancing

URL\Mode On Off

http://abc%u1234.com

Deny. (fails to translate since “%”

can only be followed by a HEX

byte, e.g.: %5B)

http://abc%u1234.com

(%u is a special case which follows

by two HEX bytes, e.g. %u5B5B.

No translation is needed)

http://abc%upq.com Deny. (fails to translate)

show filter all

http://abc%p.com (fails to

translate, but keeps the

characters)

http://abc%u1234.com

http://abc%upq.com (fails to

translate, but keeps the

characters)

This command is used to display global setting and the current configuration for each

URL filtering protocol.

show filter mode [virtual_service_name]

This command is used to display whether the APV appliance will operate in passive or

active mode with regards to dropping and logging suspect network queries. The

parameter “virtual_service_name” defaults to “all” which will display all filter mode

settings in the system; and “global” means to display the global URL filter mode setting.

show filter vip [virtual_service_name]

show filter length [virtual_service_name]

show filter type {interger|string} [virtual_service_name]

show filter url keyword [virtual_service_name]

show filter url character [virtual_service_name]

show filter alert [virtual_service_name]

These commands are used to display the specific configurations regarding the filter

parameters indicated. The parameter “virtual_service_name” defaults to “all” which will

display all the related settings; and “global” means to display the related global setting.

clear filter vip [virtual_service_name]

This command is used to remove virtual service’s URL filter setting, including the global

setting. The parameter “virtual_service_name” defaults to “all” which will remove all the

related configurations in the system; and “global” means to remove the related global

setting.

clear filter mode [virtual_service_name]

clear filter length [virtual_service_name]

104

Chapter 5 Server Load Balancing

These commands are used to return the URL filter mode or the filter length to the default

settings respectively. The parameter “virtual_service_name” defaults to “all” which will

reset all the related URL filter settings to the default value; and “global” means to return

the global setting to the default value.

clear filter type {interger|string} [virtual_service_name]

clear filter url keyword [virtual_service_name]

clear filter url character [virtual_service_name]

clear filter alert [virtual_service_name]

These commands are used to remove the related URL filter settings.

show statistics filter url keyword default [virtual_service_name]

This command is used to display total default hits for a particular virtual IP address. The

parameter “virtual_service_name” defaults to “all” which will display all the related

statistics; and “global” means to display the related global statistics.

show statistics filter url keyword {deny|permit} [keyword]

[virtual_service_name]

This command is used to display keyword filter statistics for a particular keyword.

clear statistics filter url keyword default [virtual_service_name]

This command is used to clear the statistics of the total default hits.

clear statistics filter url keyword {deny|permit} [keyword]

[virtual_service_name]

This command is used to clear keyword filter statistics for a particular keyword string.

show connection [protocol] [content_type] [ip]

The command is used to display active connection(s) with protocol, content type and IP

address as filters.

protocol The connections’ protocol type: TCP, UDP or all (both TCP

and UDP). This parameter is optional and the default value

is “all”.

content_type The data or count. Data means detail information of

matched connections. Count means only the number of

matched connections that will be displayed.

105

Chapter 5 Server Load Balancing

ip The IP address matching either the local or remote IP

addresses of active connections.

Example:

AN(config)#show connection tcp data 10.3.21.14

Proto Local Address Foreign Address state Interface

-----------------------------------------------------------------------

TCP 10.3.21.2:443 10.3.21.14:2470 ESTABLISHED em0

TCP 10.3.21.1:26491 10.3.21.14:80 ESTABLISHED em0

no connection [local_ip] [local_port] [remote_ip] [remote_port]

This command is used to remove active connection(s) with protocol, IP and port filters:

protocol TCP, UDP or all (both TCP and UDP).

local_ip The local IP. Optional, and the default value is 0.0.0.0

which means all the IP addresses.

local_port The local port. Optional, and the default value is 0 which

means all the port values.

remote_ip The remote IP. Optional, and the default value is 0.0.0.0

which means all the IP addresses.

remote_port The remote port. Optional, and the default value is 0 which

means all the port values.

106

SLB Summary

SLB Type

L7

HTTP/HTTP

S

Priority

(1 is highest)

2

L7 DNS 2

L7 FTP 2

L7 SIP 2

L7 RTSP 2

Virtual

Service

IP + Port

+ proto

(HTTP,

HTTPS)

IP + Port

+ proto

(DNS)

IP + Port

+ proto

(FTP)

IP + Port

+ proto

(SIP-TCP,

SIP-UDP)

IP + Port

+ proto

(RTSP)

Real

Service

IP + Port +

proto

(HTTP,

HTTPS)

IP + Port +

proto

(DNS)

IP + Port +

proto

(FTP)

IP + Port +

proto

(SIP-TCP,

SIP-UDP)

IP + Port +

proto

(RTSP)

L4 2 IP + port IP + Port

Port range

(for L7)

3

L7 VS +

Port range

L7 RS

L7 RS (0

port)

Chapter 5 Server Load Balancing

Health

check

None

HTTP

HTTPS

TCP

TCPS

ICMP

Additional

Script

None

DNS

ICMP

Additional

Script

None

TCP

ICMP

Additional

Script

None

TCP

TCPS

ICMP

Additional

Script

SIP-TCP

SIP-UDP

None

TCP

ICMP

Additional

Script

RTSP-TCP

None

TCP

TCPS

ICMP

Additional

Script

Non-zero

port RS:

L7 health

check

Zero port

RS:

ICMP

Scenarios

1. Balance traffic

according to

application protocol

headers. e.g. HTTP

headers.

2.Cache feature is

needed.

DNS requests

DNS cache feature

can be applied for

better performance.

FTP traffic.

Balance VOIP traffic.

Balance real time

media traffic.

1. Balance traffic

according to

TCP/UDP headers.

2. TCP port or UDP

port is specified to

determine a particular

service.

In addition to L7 SLB,

cross-port and

dynamic port

application traffic

balance is supported.

107

SLB Type

Port range

(for L4)

Priority

(1 is highest)

3

Virtual

Service

L4 VS +

Port range

L3 4 IP IP

L2 1

IP + port

ranges

Real

Service

L4 RS

L4 RS (0

port)

IP, MAC

Chapter 5 Server Load Balancing

Health

check

Additional

Non-zero

port RS:

L4 health

check

Zero port

RS:

ICMP

Additional

None

ICMP

Additional

ARP

Additional

(only

ICMP)

Scenarios

In addition to L4 SLB,

cross-port and

dynamic port

application traffic

balance is supported.

In addition to port

range SLB,

cross-protocol

application traffic

balance is supported.

Currently, only TCP

and UDP protocol are

supported.

1.The backend real

services don’t have

usable IP addresses so

that the traffic can’t

be balanced according

to IP addresses;

2. The backend real

services are not the

destination of the

input traffic (e.g. virus

scanners check every

packet before

forwarding it to the

real destination).

108

Chapter 5 Server Load Balancing

109

Chapter 6 Link Load Balancing

For users who would prefer to deploy multiple firewall devices or protocols, it will

become necessary to load balance the traffic passing back and forth between these

devices.

ip eroute

[weight]

This command allows the administrator to provide the method necessary to allow

end-users to direct outbound traffic to a preferred route based on the IP (source and

destination), port (source and destination) and protocol type. Eroute priority is higher

than the priority of the default and static routes. Default routes will have priority 1 and

static routes 101-132 depending on the netmask; i.e. static route with netmask 24 bits will

have priority 124 and with netmask 32 bits will have priority 132. Routes that correspond

to the interfaces will have priority 2000. The routes created based on the traffic coming

from the local subnet are called droutes (Direct Route) and will have priority 2000.

Droutes are created dynamically and will expire after 1 hour.

The APV appliance supports at most 5000 eroutes (including normal eroutes and ISP

routes), among which at most 500 normal eroutes are supported. ISP routes are the routes

whose source subnet is all 0, port is 0 and protocol is “any”.

name Policy identifier (mostly used for “no” and “show” version

commands).

priority The priority number, 1001 through 1999 (inclusive). 1999

is the highest.

srcip/srcmask Dotted IP notation for source subnet (e.g., 10.2.41.0 and

255.255.255.0). 0.0.0.0 for IP or netmask is a full wildcard.

srcport Source port. 0 is a wildcard. Ignored unless the protocol is

TCP or UDP.

dstip/dstmask See “srcip/srcmask” above.

dstport See “srcport” above.

proto TCP, UDP or any.

gatewayip Gateway IP address.

weight Weight to be used for weighted round robin. Optional, and

the default is 1.

no ip eroute

110

This command is used to remove the configured extended routing policy.

clear ip eroute

Chapter 6 Link Load Balancing

This command is used to remove all extended routing policy configurations.

show ip eroute [all]

This command is used to display all extended routing policy configurations. If the

parameter “all” is typed, all the manual eroutes and IP region created eroutes are

displayed in details.

[show|clear] statistics eroute

This command is used to display or remove the running statistics related to extended

routing policy. This command will also clear droute, IPflow and RTS statistics.

ipregion table import

This command is used to import an IP region table. Array APV supports importing IP

region tables via HTTP or FTP URL. Administrators can also import local IP region table

files via WebUI.

ipregion_name Specify the name of IP region.

url Specify the HTTP/FTP URL of the remote host to import

the IP region table.

Note:

1. By default, there are three predefined IP region tables including

“predefined_cernet”, “predefined_cnc” and “predefined_ct”. It is recommended not

to use the same name with the default predefined IP region tables.

2. The routes and proximity rules configured for IP region exist as a whole in the

system. Administrators cannot change or remove a single route or a rule.

show ipregion name

This command is used to display the name of all existing IP regions in the system.

show ipregion table

This command is used to display the entries of a specified IP region table.

ipregion_name The name of IP region.

no ipregion table

111

This command is used to remove a specified IP region table.

ipregion_name The name of IP region.

clear ipregion table

This command is used to clear all IP region tables.

ipregion route [priority] [weight]

Chapter 6 Link Load Balancing

This command is used to set route for specified IP region. If the destination IP address of

outbound traffic hits any entry in the IP region, it will be directed to the corresponding

gateway.

ipregion_name The name of IP region.

gateway Gateway IP address.

priority This is an optional parameter. It is used to define the route

priority, and the default value is 1999.

weight This is an optional parameter. It is used to define the

weight for WRR method, and the default value is 1.

show ipregion route

This command is used to display route configurations about all IP regions.

no ipregion route

This command is used to remove route configurations for a specified IP region.

ipregion_name The name of IP region.

clear ipregion route

This command is used to clear route configurations about all IP regions.

ip ipflow {on|off}

This command enables or disables the IPflow feature, which defines a mapping of

particular source and destination addresses to some gateway. By default, the IPflow

feature is off.

ip ipflow priority

112

Chapter 6 Link Load Balancing

This command allows users to set a priority for a persistent mapping of particular source

and destination addresses to some gateway. This priority is used in conjunction with the

eroute settings to determine the flow order. The priority value ranges from 1000 through

1999 (inclusive) where 1999 ranks as the highest. The default value is 1000. The base

priority value of eroute is 1001 and the highest is 1999. By default, eroute has high

priority over ipflow. But ipflow priority value can be increased, once the priority value is

equal to or higher than the priority value of eroute, ipflow will get higher priority over

eroute.

ip ipflow expire [timeout]

This command is used to set the timeout value of IPflow, in seconds. Once the time

period elapses, the persistent mapping of source and destination address to a particular

gateway is destroyed. Default is 60 seconds

clear ip ipflow

This command is used to reset the configuration for IPflow and clear the IPflow table.

show ip ipflow

This command is used to display the configuration for IPflow.

show statistics ipflow

This command is used to display the running statistics related to IPflow.

ip statistic {on|off}

This command is used to turn on/turn off IP statistics function. The default value is off.

Turning off IP statistic will improve the performance. However it will affect some other

features, such as SDNS and flight deck.

ip rts on [all|gateway]

This command is used to enable the RTS function. The RTS protocol insures that the

transactions that pass through a particular router to a server will return through the same

router. By default,the “all” mode applies.

all RTS records all external senders that send packets to the

unit. All the packets will be sent back along the route

which they came from.

gateway RTS records external senders as configured gateways. Only

the packets coming from these gateways will be sent back

along the route which they came from.

Note: The “gateway” should be set as the gateway

113

ip rts off

Chapter 6 Link Load Balancing

configured via the commands “ip route default”, “ip

eroute” and “ip route static”.

This command is used to disable the RTS function. The RTS function is disabled by

default.

ip rts expire [seconds]

This command allows users to set the timeout value of RTS, in seconds, that an RTS

entry will be stored in an unused state before it expires. The default setting is 60 seconds.

clear ip rts

This command is used to reset the RTS configurations.

show ip rts

This command is used to display the RTS configurations.

show statistics rts

This command is used to display the running statistics related to RTS.

Example:

AN(config)#show statistics rts

RTS Statistics:

0 rts hits

0 ERT gateway matched

0 unknown gateway matched

4 failed for unknown gateway in gateway mode

0 failed for unknown gateway allocation

Use "clear statistics eroute" command to clear RTS statistics

Note: The maximum number of RTS entries allowed on the APV appliance varies

with different system memories. Please see the table below for details (each RTS

entry takes about 264 bytes memory).

Sytem Memory Max RTS Entries Memory Usage

1G 10000 2.5M

2G 20000 5M

4G 40000 10M

llb statistics link {on|off}

This command is used to turn on/off LLB link statistics function. This function allows

users to monitor LLB link status and network traffic.

114

[show|clear] statistics llb link [link_name]

Chapter 6 Link Load Balancing

This command is used to display or delete the statistics of all LLB links, including the

statistics of LLB link health checks and the statistics of LLB bandwidth. If the link name

is specified, display or remove the statistics of the specified LLB link only.

The APV appliance identifies links based on the logical port and peer MAC address. The

statistics of LLB links are also collected based on the logical port and peer MAC address.

[no|show|clear] llb link route [weight] [hc_srcip]

[banwidth_threshold]

This command allows users to add an LLB link. The maximum number of LLB links

allowed on the APV appliance is 32.

By employing the “no” version of this command, users can delete an LLB link.

By employing the “show” version of this command, users can view the current LLB link

configuration.

By employing the “clear” version of this command without any parameters, users can

remove all the existing LLB links.

link_name A unique name given to an LLB link. All the link-related

configurations will be defined upon the link name.

route_ip The gateway IP address of this LLB link. After executing

this command, the system will automatically create an

eroute with the “route_ip” as its gateway, and the priority

of the eroute is 2.

weight Optional parameter for weighted round robin. The default

value is 1. The larger the number is, the more chances the

link will be selected for link load balance.

hc_srcip The IP address assigned as the source IP of the LLB health

check packets. It defaults to the interface IP which is in the

same subnet with the eroute gateway.

banwidth_threshold The maximum bandwidth allowed for this link. This value

is not a strict limit. If the real traffic load exceeds the

allowed maximum bandwidth, the packets will not be lost;

they will be forwarded via other links.

Example:

AN(config)#llb link route “link1” 10.191.2.100 1 10.191.2.105

115

Chapter 6 Link Load Balancing

The following commands are used to configure ICMP, TCP-based and DNS-based

additional health checks respectively. At most 8 additional health checks can be

configured for each LLB link.

llb link health checker icmp [hc_interval] [timeout] [hc_up]

[hc_down]

This command is used to add an additional LLB health check of ICMP type for an

existing link.

link_name A unique name given to an LLB link. All the link-related

configurations will be defined upon the link name.

host Additional health check host name or IP address to which

APV sends ICMP request for link health check.

hc_interval Optional. The time interval (in seconds) of health check.

The default value is 10.

timeout Optional. The timeout (in seconds) of health check. The

default value is 5. Note: The timeout setting cannot be

larger than the interval setting.

hc_up The number of health checks to be performed with a

positive result before marking the service as “up”. The

default value is 3.

hc_down The number of health checks to be performed with a

negative result before determining the service as “down”.

The default value is 3.

Example:

AN(config)#llb link health checker icmp “link1” “10.191.2.130” 3 3 3 3

AN(config)#llb link health checker icmp “link1” “10.191.2.131” 3 3 3 3

no llb link health checker icmp

This command is used to remove the ICMP additional health check configuration about a

specified link.

llb link health checker tcp [hc_interval] [timeout]

[hc_up] [hc_down]

This command is used to add an additional LLB health check based on TCP for an

existing link.

116

Chapter 6 Link Load Balancing

link_name A unique name given to an LLB link. All the link-related

configurations will be defined upon the link name.

host Additional health check host name or IP address, to which

APV sends TCP request for link health check.

port Additional health check host port, which is used to listen

upon TCP requests sent by APV.

hc_interval Optional. The time interval (in seconds) of health check.

The default value is 10.

timeout Optional. The timeout (in seconds) of health check. The

default value is 5. Note: The timeout setting cannot be

larger than the interval setting.

hc_up The number of health checks to be performed with a

positive result before marking the service as “up”. The

default value is 3.

hc_down The number of health checks to be performed with a

negative result before determining the service as “down”.

The default value is 3.

Example:

AN(config)#llb link health checker tcp “link1” “www.xyz.com” 80 10 5 3 3

AN(config)#llb link health checker tcp “link1” “10.191.2.141” 21 10 5 3 3

no llb link health checker tcp

This command is used to remove the TCP additional health check configuration about a

specified link.

llb link health checker dns [interval]

[timeout] [hc_up] [hc_down]

This command is used to add an additional LLB health check based on DNS for an

existing link.

link_name A unique name given to an LLB link. All the link-related

configurations will be defined upon the link name.

host DNS host name or IP address used by additional health

check.

domain_name Domain name for additional health check. Get link status

117

based on the resolution results.

Chapter 6 Link Load Balancing

hc_interval Optional. The time interval (in seconds) of health check.

The default value is 10.

timeout Optional. The timeout (in seconds) of health check. The

default value is 5. Note: The timeout setting cannot be

larger than the interval setting.

hc_up The number of health checks to be performed with a

positive result before marking the service as “up”. The

default value is 3.

hc_down The number of health checks to be performed with a

negative result before determining the service as “down”.

The default value is 3.

Example:

AN(config)#llb link health checker dns “link1” “10.191.2.150” “www.test.com” 20 5 3 3

AN(config)#llb link health checker dns “link1” “10.191.2.151” “www.test.com” 20 5 3 3

no llb link health checker dns

This command is used to remove the DNS additional health check configuration about a

specified link.

clear llb link health checker

This command is used to remove all existing configurations about LLB additional health

check.

show llb link health checker

This command is used to display all existing configurations about LLB additional health

check.

llb link statistics on

This command is used to turn on the LLB link statistics.

llb link statistics off

This command is used to turn off the LLB link statistics.

show llb link status [detail]

This command is used to display the LLB link status information.

118

Chapter 6 Link Load Balancing

detail Optional. The parameter is used to show the recent

additional health check configurations and related

summary information, such as success number, failure

number of health check request and so on.

show llb link bandwidth

This command is used to display the bandwidth information of inbound and outbound

links.

llb link health {on|off}

This command is used to enable or disable link health check.

llb link enable

This command is used to enable an LLB link. When a link is enabled, it will be used for

outgoing traffic and incoming traffic (by LLB DNS resolving).

llb link disable

This command is used to disable an LLB link. When a link is disabled, it will NOT be

used for outgoing traffic and incoming traffic (by LLB DNS resolving).

Note:

Mostly, the network traffic will not be in and out a disabled link. However there are

some exceptions which are out of control:

1. If the incoming traffic doesn’t follow LLB DNS resolving, it might get in from a

disabled link;

2. If RTS feature is turned on and the incoming traffic gets in from a disabled link,

the related outgoing traffic will also go through the disabled link since RTS has

higher priority.

llb method inbound {rr|wrr|proximity}

This command allows users to define the inbound LLB method, which can be Round

Robin (rr), Weighted Round Robin (wrr) or proximity. The default setting is “rr”.

Note: To use the “proximity” method for inbound load balancing, please first make

configurations about “ip eroute”.

llb method outbound {rr|wrr|sr|dd} [time_interval] [count_interval]

This command allows users to define the outbound LLB method, including Round Robin

(rr), Weighted Round Robin (wrr), Shortest Response (sr) or Dynamic Detecting (dd).

119

Chapter 6 Link Load Balancing

The default setting is “rr”. If “dd” method is selected, you need to further set the

following two parameters:

time_interval The interval between two dynamic detections. It defaults to

300 seconds and ranges from 60 to 7200.

count_interval The number of connection requests between two dynamic

detections. It defaults to 1000 seconds and ranges from 10

to 5,000,000.

Note: The LLB DD method should work with NAT configuration. If there is no NAT

configuration related with LLB link route, the DD method could not work normally.

show statistics llb method outbound [dst_net] [mask]

This command is used to display the statistics of Dynamic Detecting (dd) method of the

specified net.

method_name The name of outbound LLB method, dd (dynamic

detecting).

dst_net Destination IP address or net.

mask The mask of the destination IP address.

show llb method

This command is used to display the configuration for inbound and outbound balancing

methods.

llb dns host [weight] [port] [link_name]

This command is used to add a DNS A record for the specified host. Based on the IP and

port in this command, SDNS will try to match the VS or RS configured in SDNS system

at specified interval (defined by the command “sdns interval report”). If any match is

found, SDNS reporter process will set the VS or RS’ health check status as the status of

the IP configured in this command; if no match is found, the status of the IP configured in

this command is set to “UP”. SDNS only resolves the “UP” IP to the users. At last, SDNS

reporter process will report the configured IP, its status and the specified weight to SDNS

servers.

Up to 2048 SDNS hosts can be configured on each APV appliance, up to 128 VIPs can be

configured for each SDNS host, and up to 65536 VIPs can be configured for each APV

appliance.

host name The name of the host which SDNS system serves.

120

ip The IP to be reported to SDNS servers.

Chapter 6 Link Load Balancing

weight The weight or priority of the specified IP used by SDNS

servers in VWGRR or IPO algorithm. Its valid value

ranges from 1 to 65535 and it defaults to 1.

port The port used to match a virtual service or a real service. If

“port” is set to 0, the system will firstly try to match the

first virtual service whose IP is the same as the configured

“IP”; if no virtual service is matched, it will then try to

match the first real service whose IP is the same as the

configured “IP” and port is 0 (ip/l2ip/l2mac real service); if

still no real server is matched, it will try to match the first

real service whose IP is the same as the configured “IP”. It

ranges from 0 to 65535, and defaults to 0.

link_name The name of the LLB link (defined by “llb link route”) it

belongs to. This parameter is optional, and the default

value is empty, which means the system will find the

corresponding old link for it.

no llb dns host

This command is used to remove a DNS A record for the specified host.

clear llb dns host

This command is used to clear all the configurations about LLB DNS hosts.

show llb dns host [host_name]

This command is used to show the information about configured LLB DNS hosts.

[show] llb dns ttl [seconds]

This command is used to set the TTL of an inbound host DNS entry (0 second means no

cache). The “host name” parameter is required to be in the format of “www.xyz.com”.

The “show” version of this command is used to display the TTL configuration about the

specified inbound host DNS entry.

show statistics droute

This command is used to display the statistics of a droute.

clear droute

This command is used to delete a droute table.

121

Chapter 7 Reverse Proxy Cache

Cache Commands

cache {on|off}

Chapter 7 Reverse Proxy Cache

This command is used to enable or disable the Reverse Proxy Cache for a specified

virtual service. By default, the cache is turned off. Turning the cache off will not change

the current cache configuration or contents in the system.

show cache status

This command is used to display the current status (on or off) of the cache function.

cache settings objectsize

This command is used to set the maximum size for an object to be cached. The size must

be specified in kilobytes. The default value is 5120KB. The minimum size allowed is

1KB. And the maximum size allowed depends on different system memories of the APV

appliances:

System Memory Max Size of Cache Object

4GB 10240KB (10MB)

8GB 20480KB (20MB)

16GB 40960KB (40MB)

cache settings expire {hh:mm:ss|seconds}

This command is used to set the global (for all objects in cache) expiration time. The

default value is 82,800 seconds (23 hours). The expiration time must be specified either

in the format “hh:mm:ss”, or in seconds enclosed in double quotes.

The global expiration time will be used as the expiration time for an object in cache only

if it is not possible to calculate the expiration time using the Expiration Model specified

in Section 13.2 of RFC 2616.

If the expiration time is specified in seconds, the acceptable value is from “0” to

“2147483647” seconds. “0” means the contents will expire at once after it is stored in

cache.

Three types of cache expiration time are involved during the cache process:

� The expiration time defined by the “Expires” field in the HTTP header;

� The global cache expiration time configured via the command “cache settings

expire”;

� The TTL time specified by the “ttl” parameter in the command “cache filter rule”.

122

The priorities of the three expiration times are as follows:

Chapter 7 Reverse Proxy Cache

1. The expiration time configured in “cache filter rule” will be used first.

2. If the “ttl” parameter is not specified, the global expiration time specified by “cache

settings expire” command will apply.

3. For the cache content that does not match any cache filter rule, the expiration time

defined in the HTTP header will be applied.

4. If no “Expires” field is available in the HTTP header to define the expiration time,

just follow the configuration of “cache settings expire”.

show cache settings

This command is used to display the current configurations of the cache, including the

expiration time of the objects in cache (cache settings expire) and the maximum size of

an object in cache (cache settings objectsize).

show statistics cache [virtual_service]

This command is used to display all the current HTTP cache statistics. If a virtual service

is provided, the cache statistics for this virtual service will be displayed.

Note: The cache statistics is only available for HTTP and HTTPS virtual services.

Example:

AN(config)#show statis cache

Reverse Proxy Cache Global Statistics:

Basic Statistics:

Requests received: 3601254

Requests with GET method: 3601254

Requests with HEAD method: 0

Requests with PURGE method: 0

Requests with POST method: 0

Number of open client connections: 115

Number of open server connections: 115

Requests redirected to HTTPS: 0

Requests redirected based on regex match: 0

Requests forwarded with rewritten url: 0

Locations rewritten to HTTPS: 0

Locations rewritten based on regex match: 0

Cache skip, cache off: 3601254

Cache hit, reply using cache: 0

Cache hit, reply with "Not Modified": 0

Cache hit, reply with "Precondition Failed": 0

Cache hit, revalidate: 0

Cache miss, noncacheable requests: 3601254

Cache miss, create new entry: 0

Cache miss, create new entry, resp noncacheable: 0

Hit ratio: 0.00%

123

(Notice: the real server's time should be in sync with this machine.

Otherwise, the time difference could expire the cachable objects

resulting in low cache hit ratio.)

Advanced Statistics:

Number of cache objects: 0

Number of cache frames: 0

Successful cache probes:0

Why were certain requests sent to the server?

a) We had to revalidate the cached object due to:

Request with "no-cache": 0

Requset with "maxage=0": 0

Cached object had "no-cache": 0

Cache object expired: 0

b) We had to bypass cache for some requests because:

Cache was filling when request was made: 0

Revalidation failed due to IMS mismatched: 0

Client has newer copy, cannot send from cache: 0

Object in cache is chunked, cannot give to 1.0 client: 0

Network memory utilization was too high: 0

c) Request cannot be served from cache because:

Cache filter denied caching: 0

Requests with "no-store": 0

Requests with "authorization": 0

Requests with cookies: 0

Requests with range: 0

Requests non GET, non HEAD: 0

Requests URL too long: 0

Requests host too long: 0

d) Error occurred while doing cache lookup

Network memory shortage when cache hit (200, 304): 0

Cache was not accessible: 0

Fail to send cache lookup to cache: 0

Fail to find url and host: 0

Fail to parse cache specific http request headers: 0

Fail to create a new cache object: 0

Noncacheble requests due to other errors: 3601254

Why were certain responses not stored in cache?

a) HTTP directive in response told us not to cache

HTTP response code not 200, 300 or 301: 0

Response had a "no-store": 0

Response had a "private": 0

Response had a "set-cookie": 0

Response had a "vary": 0

b) The response did not meet our guidelines for cacheability

Response noncacheable too big: 0

Chapter 7 Reverse Proxy Cache

124

c) Error occurred when trying to cache response

Cache storage limit exceeded based on header data: 0

Cache storage limit exceeded based on payload: 0

Network memory shortage when storing response body: 0

Cache object was deleted before response arrived: 0

Fail to parse cache specific http response headers: 0

Fail to store response headers in cache: 0

Fail to store response body in cache: 0

Cache object was aborted due to connection reset: 0

Noncacheble responses due to other errors: 0

Chapter 7 Reverse Proxy Cache

The following contents are explanations about the items in above output information.

� Basic Statistics

Output Item Description

Requests received Total requests received by the APV appliance.

Requests with GET method Total GET requests received by the APV appliance.

Requests with HEAD method Total HEAD requests received by the APV appliance.

Number of open client connections Total number of open connections with clients.

Number of open server connections Total number of open server connections.

Count of times the cache table has been searched, no

matching entry has been found and a new entry is

created. However, note that sometimes, an entry is

Cache miss, new entry created

created temporarily (i.e. for an IMS

(if_modified-source) request resulting in a 304) and is

deleted after sending it out to the client (delayed delete).

Cache miss, noncacheable requests

Cache revalidate

Cache hit, reply using cache

Cache hit, reply with "Not Modified"

This request does not result in a cache table search.

Something in the request makes the APV appliance

deem it non-cacheable (i.e. very long URL, a

“Cache-Control: no-store” header etc.)

The requested object has been found in the cache.

However, the request requires revalidation (due to client

generated revalidate, proxy generated revalidate or

proxy generated forced miss).

The APV appliance has found the requested URL in the

cache. The object is fresh and the APV appliance does

not have to revalidate. The object is served from our

cache.

The APV appliance receives an IMS

(if_modified-source) header in the request. The APV

appliance validates the timestamp and decides that the

client’s copy of this object is fresh. The APV appliance

generates a 304 response and sends it out to the client.

125

Hit ratio

� Advanced Statistics

Output Item Description

Chapter 7 Reverse Proxy Cache

Cache hit reply using cache + cache hit reply with “not

modified”.

Output Item Description

Number of cache frames Number of network buffers used by the cache.

Number of times the APV appliance has searched the

cache table and found something. Note that this does

not imply a cache hit. The APV appliance may have

Successful cache probes

found a stale object; the request may have cookies etc.

resulting in our not using the object we have found in

the cache.

Requested object has been found in the cache but the

request has a “Cache-Control: no-cache” header. So the

Cache revalidate, request with “no-cache” APV appliance forwards the request to the backend

server and updates our cache with the response

received.

Request has an IMS (if_modified-source) header, object

has been found in the cache but it is stale. The APV

appliance forwards the original request to the backend

Cache revalidate, client IMS forward server and updates the cached object when the response

comes back (Note: This may only involve updating the

timestamps on our cached response if we get a 304 not

modified response).

Request does not have an IMS (if_modified-source)

header, object has been found in the cache but it was

stale. So the APV appliance inserts an IMS header in

the request (if the APV appliance can assemble on with

Cache revalidate, proxy IMS forward

information contained in the other request headers else

we treat this as a cache miss) and sends this request to

the backed server. When a response comes back, the

APV appliance updates our cache entry.

When the APV appliance receives a “304 Not

Modified” response, the APV appliance will increment

Cache revalidate, not modified

this counter (irrespective of whether the request that has

generated this response is an IMS from the client or one

generated by us).

The requested object has been found in the cache.

However, the request contains cookies. We forward the

Cache miss, requests with cookies

request to the backend server. The cache will not be

updated.

The requested object has been found in the cache.

However, the request contains a range header. We

Cache miss, requests with range

forward the request to the backend server. The cache

will not be updated.

Cache miss, HTTP version mismatch This counter should always be zero.

126

Chapter 7 Reverse Proxy Cache

Output Item Description

The APV appliance receives an IMS

(if_modified-source) header in the request. The APV

appliance validates the timestamp and decides that the

Cache miss, IMS mismatch

client’s copy of this object is stale. So the APV

appliance forwards the request to the backend server

(essentially, we treat this as a cache miss).

Cache miss, server driven negotiation

Cache miss, negative entry hit

The requested object has been found in the cache.

However, the cached response contains a “vary” header

forcing comparison of certain request headers. This

comparison fails and the APV appliance treats this as a

cache miss. The APV appliance will forward the request

to the backend server. The cache will not be updated.

The request results in a negative cache hit. Negative

Caching is when the APV appliance cache’s HTTP

responses of HTTP error codes; for example, 404, 302,

503, etc.

Requests redirected to HTTPS The request that have been redirected to HTTPS.

clear statistics cache [virtual_service|all]

This command is used to clear the cache statistics, including the statistics for the number

of cache hits, and the number of requests. If a virtual service is provided, cache statistics

for this virtual service will be cleared. If “all” keyword is used, the statistics for all HTTP

and HTTPS virtual services will be cleared. If no argument is provided, the global cache

statistics will be cleared.

show cache content

This command is used to display the information about the cache objects that match the

specified host name and URL regex.

host_name Specify the host name of the objects.

url_regex Specify the regular expression for the URLs of the objects.

clear cache content

This command is used to remove all cache objects from cache. This operation will not

change the current cache configuration in the system.

cache filter {on|off}

This command is used to enable or disable the cache filter function. By default, the cache

filter is turned off.

cache filter rule {force_cache|urlquery|ttl}

127

Chapter 7 Reverse Proxy Cache

This command is used to create a cache filter rule to define the cache behavior of the

APV appliance for the objects matched with the “host name” and “url”. The parameters

“host name” and “url” define the host and URL address to impose cache filter on. The

host name does not take any regular expression, and must be a complete keyword. In

“url”, you can use any meaningful regular expression which is compatible with PERL’s to

construct powerful regular expression. The “force_cache” parameter seeks a

“force_cache=yes” or “force_cache=no” input to decide whether to cache the matched

objects. The “urlquery” parameter seeks a “urlquery=yes” or “urlquery=no” input to

decide whether to ignore the URL query string in user request. The parameter “ttl” (Time

to Live) decides how long to cache the object.

host_name “host_name” and “url” are used to define the address we

want to impose the cache filter rule on.

url URL can take regular expression which is compatible with

PERL’s. For example, “*” means matching the ahead

subexpression for 0 or n times, which is different from “*”

in the wildcard expression. If the character “*” needs to be

matched, “\*” is used to meet the need, and the character

“\*” is used to transfer the meaning. Typical formats are:

“/upload/” matching any URL which includes the

“/upload/” keyword, “\.exe” matching all the exe files and

“/image/.” “*\.jpg” matching all jpg files under “/image”

directory. If two or more matching rules match the same

URL, cache filter will select the rule with the longest

match.

Note: The parameter “url” only supports the regular expressions which are

compatible with PERL’s. The meaning of “*” in the regular expressions differs from

“*” in wildcard expression. Single “*” must be avoided to appear in a cache filter.

Single “*” is meaningless in the regular expressions. (For example: cache filter rule

“www.sina.com.cn” “*” “force_cache=yes” is not allowed). In the Array system, “.*”

is used as the wildcard to match all URLs. The meaning of “.*” in regular expression

is the same as that of “*” in the wildcard expressions.

force_cache|urlquery|ttl “force_cache=yes|no” means whether to cache the matched

objects or not. If “force_cache=yes”, the matched objects

will be cached and the information in the cache control

header will be ignored.

“urlquery=yes|no” means whether to ignore the URL query

string in user request. The default value is “urlquery=no”,

which means do not ignore the URL query string.

“ttl=n”. TTL defines the freshness time in seconds of cache

contents, i.e. how long a cached object can be used before

the APV appliance must re-fetch or refresh the object.

128

Chapter 7 Reverse Proxy Cache

(Note: For this parameter, at least one option should be

used. You can configure two or all the three options. The

configured values must be all enclosed in double quotes.

For details, please refer to the examples below.)

Cache filter rules will change the cache system behavior. The table below lists the

behavior of the cache system after cache filter rules are configured.

Control

Keyword

force_cache

urlquery

ttl

Configuration Behavior

The request will be served from cache even with these cache

control fields:

request with cache-control no-store

request with cache-control no-cache

request with authorization

request with cookie

yes

The response with the following cache control fields can be

cached:

response with cache-control no-store

response with cache-control no-cache

response with cache-control private

response with set-cookie

no Force no cache if matched.

not set Follow the configuration in the caching control header.

yes Cache will ignore the query string in url.

no Cache will not ignore the query string in url.

not set Cache will not ignore the query string in url.

new_ttl_value Matched cache object will use the new_ttl_value.

not set

Additional configuration and usage notes:

Use the default TTL value configured by using “cache setting

expire” or use the TTL specified in cache control filed.

“cache=yes” means the request will be served from cache even with these cache control

fields:

� request with cache-control no-store

� request with cache-control no-cache

� request with authorization

� request with cookie

The response with the following cache control fields can be cached:

� response with cache-control no-store

� response with cache-control no-cache

� response with cache-control private

129

� response with set-cookie

Chapter 7 Reverse Proxy Cache

“cache=no” means the user will force the object not to be cached regardless of whether

the headers allow objects to be cached or not.

If “cache” is not specified, cache filter will follow the configuration in the caching

control header.

In cache filters, TTL can be used in two ways:

cache filter rule “force_cache=yes” “ttl =n”

In this case, all objects matched with the host name and URL regular expression will be

forced to be cached for TTL seconds. After TTL seconds, the APV appliance must refresh

or revalidate the objects before they can be used again.

cache filter rule “ttl =n”

In this case, all the objects matched with the host name and URL regular expression

should first obey the freshness time specified in the objects, if the objects contain the TTL

related control directives. Otherwise, the objects will use the TTL value specified in the

rule.

Examples:

1. Cache specific types of files; and others files follow the server’s cache-directives.

AN(config)#cache filter rule www.xyz.com “.*\.jpg” “cache=yes”

2. Cache all “jpg” files for the host “www.xyz.com”.

AN(config)#cache filter rule www.xyz.com “.*\.gif” “cache=yes” “ttl=200000”

Cache all “gif” files for host “www.xyz.com”. Override its TTL value to 200000 seconds.

3. Cache specific types of files; other files should NOT be cached.

AN(config)#cache filter rule www.xyz.com “.*\.jpg” “cache=yes”

AN(config)#cache filter rule www.xyz.com “.*\.gif” “cache=yes” “ttl=200000”

AN(config)#cache filter rule www.xyz.com “.*\.html” “cache=yes” “ttl=200000”

AN(config)#cache filter rule www.xyz.com “/” “cache=no”

4. Do not cache specific types of files; other files follow the server’s cache-directives.

AN(config)#cache filter rule www.xyz.com “.*\.jpg” “cache=no”

AN(config)#cache filter rule www.xyz.com “.*\.gif” “cache=no”

5. Do not cache specific types of files; other files should be cached.

AN(config)#cache filter rule www.xyz.com “.*\.jpg” “cache=no”

AN(config)#cache filter rule www.xyz.com “.*\.gif” “cache=no”

AN(config)#cache filter rule www.xyz.com “/” “cache=yes”

130

Chapter 7 Reverse Proxy Cache

6. Specify a file type. The files of this type will follow the TTL defined in cache filter;

other files follow the TTL defined in cache control header.

AN(config)#cache filter rule www.xyz.com “.*\.jpg” “ttl=200000”

AN(config)#cache filter rule www.xyz.com “.*\.gif” “ttl=200000”

AN(config)#cache filter rule www.xyz.com “/” “cache=yes”

7. Specify a file type. The files of this type will ignore the cache query string in URL;

other files use the whole URL.

AN(config)#cache filter rule www.xyz.com “.*\.html*” “urlquery=yes”

show cache filter status

This command allows users to display the cache filter configuration.

show cache filter hostname

This command is used to display all the cache filters relating to the specified host name.

show cache filter all

This command is used to display all cache filter rules.

cache filter match

This command is used to show all the configured cache filter rules matching the specified

host name and URL regular expression. Administrators can use this command to test the

correctness of cache filter rules configured previously.

no cache filter rule

This command is used to remove a cache filter matched with the specified “host name”

and “url”.

clear cache filter hostname

This command is used to clear the cache filter matched with the specified host.

clear cache filter all

This command is used to clear all the cache filters.

show statistics cachefilter

This command is used to display the statistical information from the cache filter

configuration related to the specified host name and URL regular expression.

clear statistics cachefilter [host_name|all]

131

Chapter 7 Reverse Proxy Cache

This command is used to clear the cache filter statistics. If a host name is specified, the

cache filter statistics about the host will be cleared. “all” means all cache filter statistics

will be cleared. If no argument is provided, the global cache filter statistics will be

cleared.

HTTP Commands

There are commands to manipulate how the APV appliance will process special HTTP

traffic and requests. The first deals with “X-Forwarding”, a process where users may

configure an option to insert an “X-Forwarded-For” header into all HTTP and HTTPS

requests. This allows for client-IP visibility at the real server. The second function allows

users to configure an option for the ArrayOS to parse non-ASCII characters or such

characters occupying more than one byte. Xforwardedfor commands support transferring

client IP address to the backend server through HTTP header, URL parameter or both.

The configuration is virtual service oriented. Details on both command sets are below.

http xforwardedfor on [vs_name] [mode] [customized_name]

This command is used to turn on the insertion of the host IP address into HTTP header,

URL request or HTTP cookie forwarded to the backend server. The parameters in the

command are optional. If no parameter is specified, the command is global. For this

function, the global setting is off by default while the setting of per virtual service is on

by default.

http xforwardedfor off

http xforwardedfor on vs1

( these are default settings)

http xforwardedfor on

http xforwardedfor on vs1

http xforwardedfor on

http xforwardedfor off vs1

Settings Behaviors

The host IP address will not be inserted into vs1’s HTTP

header, URL request and HTTP cookie forwarded to the

backend server, as the global setting is off.

The host IP address will be inserted into vs1’s HTTP header,

URL request and HTTP cookie forwarded to the backend

server. Only when the global and per virtual service settings

are on, can the host IP address be inserted into vs1’s HTTP

header, URL request and HTTP cookie.

vs_name The SLB virtual service name

The host IP address will not be inserted into vs1’s HTTP

header, URL request and HTTP cookie forwarded to the

backend server, as the per virtual service setting is off.

mode It can be header, url, cookie or all. All means HTTP header,

URL request and HTTP cookie will include the client IP

address.

customized_name Specify a new name for the IP address in HTTP header,

URL request and HTTP cookie.

132

http xforwardedfor off [vs_name]

Chapter 7 Reverse Proxy Cache

This command is used to turn off the insertion of the host IP address into HTTP header,

URL request and HTTP cookie forwarded to the backend server. If no parameter is

specified, the command is global.

show http xforwardedfor

This command is used to display the current status (on/off) of X-Forwarded-For header

insertion in the request forwarded to the backend server.

http xclientcert virtual [insert_mode] [content_type]

When the SSL client authentication is enabled, the APV appliance can use this command

to forward the received client certificate to the backend server through HTTP header or

HTTP cookie. If and only if the “ssl settings clientauth” command is configured

successfully, the APV appliance will forward the client certificate to the backend server.

insert_mode It includes two modes: “header” and “cookie”. If

“insert_mode” is header, the client certificate will be

inserted in the header of the request forwarded to the

server. The default insert mode is “header”.

content_type It has two certificate encoding content formats: “PEM” and

“body”. “body” means that the APV appliance forwards the

BASE64 encoding value of the digital certificates to the

backend server, while “PEM” means that the APV

appliance forwards the encoding value of the client

certificate to the backend server in an OpenSSL internal

encoding format. The OpenSSL internal encoding format

has the begin/end header line (“-----BEGIN

CERTIFICATE-----“and”-----END CERTIFICATE-----”)

and has a separator “;” every 64 bits. The parameter

defaults to “body”. (Note: The encoding certificates in the

OpenSSL internal format use “;” as a separator and cookie

also uses “;” as a separator, so please make sure whether

the APV appliance can use the encoding to forward the

certificate to the backend server.)

show http xclientcert virtual

This command is used to display all the virtual services for which the insertion of

X-Client-Cert header, in the request forwarded to the server, is enabled.

no http xclientcert virtual

133

Chapter 7 Reverse Proxy Cache

This command is used to disable the insertion of X-Client-Cert header, in the request

forwarded to the server, for the specified virtual service.

clear http xclientcert virtual

This command is used to disable the insertion of X-Client-Cert header, in the request

forwarded to the server, for all the virtual services.

http xclientcert header [header_name]

This command is used to configure client certificate header name. The default name is

X-Client-Cert.

http xclientcert plaintext

[customized_name] [format_opt]

This command is used to enable or disable forwarding the specified certificate field, with

the customized header name if it is defined, in HTTP header, URL request or HTTP

cookie to the backend server. Users can use the option “customized name” to customize

the field name which can be accepted by the backend server. If the customized name is

NULL, the system will use the field’s default value. Supported fields include: subject,

issuer, validity, NotBefore, NotAfter, CommonName, PublicKey, serial (for serial number)

and customized RDN.

mode The way to pass client certificate information; following

methods are supported:

� header: By inserting http header.

� url: By appending to the URL.

� cookie: By inserting cookie.

� all: Enable all of the above three methods.

field_name A certificate field name. Following certificate section

names are supported: subject, issuer, validity, serial (for

serial number), NotBefore, NotAfter, CommonName,

Publickey and relative RDNs C, CN, etc. or OID) in a

certificate.

� Subject: Transfer the subject DN of a client certificate

to the backend server.

� Issuer: Transfer the Issuer DN of a client certificate to

the backend server.

� Validity: Transfer the certificate’s Validity to the

backend server. Its format is “From To

”.For example, “From Dec 19 5:54:42

2007 GMT To Dec 19 5:54:42 2008 GMT”.

134

Chapter 7 Reverse Proxy Cache

� Serial: Transfer the certificate’s serial number to the

backend server.

� NotBefore: Transfer the certificate’s NotBefore time to

the backend server.

� NotAfter: Transfer the certificate’s NotAfter time to

the backend server.

� CommonName: Transfer the certificate’s

CommonName of the subject to the backend server.

� PublicKey: Transfer the publickey of a certificate to

the backend server. The publickey is transferred in

HEX mode. For example, the publickey “0x00 0x43

0x78 0xed” is transferred to the backend server in the

form of “00 43 78 ed” (ASCII value).

� RDN: Transfer one of the standard RDNs in Subject

and Issuer DN to the backend server.

To define the RDN which will be sent to the backend server, the formal format should be:

.

Or

For scope:

Scope Description

Subject

The value of symbol or specific OID will be searched in client certificate’s subject

DN

Issuer

The value of symbol or specific OID will be searched in client certificate’s issuer

DN

Ext

The value of symbol or specific OID will be searched in client certificate’s external

field. This required the client certificate should be in version 2 or 3.

The value of specific OID will be searched in client certificate’s TBS. TBS means

OID or the certificate’s customer information. When the scope is null, the dot shouldn’t

appear in this formal format.

For symbol:

OID Symbol Standard Name

2.5.4.6 C Country Name

2.5.4.8 ST State or Province Name

2.5.4.7 L Locality Name

2.5.4.10 O Organization Name

2.5.4.11 OU Organizational Unit Name

135

Chapter 7 Reverse Proxy Cache

OID Symbol Standard Name

2.5.4.3 CN Common Name

2.5.4.5 SN Serial Number

2.5.4.46 dnQualifier DN Qualifier

2.5.4.65 Pseudonym Pseudonym

2.5.4.12 Title Title

2.5.4.44 GQ Generation Qualifier

2.5.4.43 Initials Initials

2.5.4.41 Name Name

2.5.4.42 givenName Given Name

2.5.4.4 Surname Surname

0.9.2342.19200300.100.1.25 DC Domain Component

1.2.840.113549.1.9.1 emailAddress Email Address

{OID expression} OID information, for example: 1.2.3.4

Note: When there is one more value to the same symbol in the specific scope, the

APV appliance will transfer all of them to the backend server, and one digital

number will be appended to the customized name from the second symbol. The

digital number is increased from 1.

For example:

One configuration on APV appliance:

AN(config)#http xclientcert plaintext cookie “Subject.OU” vs1 “OU” positive

And the client certificate has following subject DN:

C=CN, ST=Beijing, L=Beijing, O=ArrayNetworks Inc., OU=Dev, OU=TM, CN=abc,

emailAddress=abc@arraynetworks.net

Then the backend server will received following cookie:

Cookie: OU=Dev, OU1=TM

virtual_service Specify SLB virtual service name, which has been defined.

customized_name Optional. Specify a name for the field to replace the

standard field name defined in previous parameter.

format_opt

Optional. Specify the format of the “field” forwarded to the

backend application.

For Subject, Issuer: Sequence order format option which

136

should be:

Chapter 7 Reverse Proxy Cache

� Positive: (Default) Start from the small scope. (See the

following example.)

� Reverse: Start from the large scope.

� Original: The original order parsed from the client

certificate.

Example for Subject format option:

If a client certificate has the following subject DN:

C=CN,O=Array,OU=TM,ST=BJ,CN=abc,EmailAddress=abc@array

networks.net

If “format_opt” is “positive”, the subject will be transferred

in the following order:

EmailAddress=abc@arraynetworks.net,CN=abc,OU=TM,O

=Array,ST=BJ,C=CN

If “format_opt” is “reverse”, he subject will be transferred in

the following order:

C=CN,ST=BJ,O=Array,OU=TM,CN=abc,EmailAddress=ab

c@arraynetworks.net

If “format_opt” is “original”, the subject will be transferred

137

in the following order:

Chapter 7 Reverse Proxy Cache

C=CN,O=Array,OU=TM,ST=BJ,CN=abc,EmailAddress=ab

c@arraynetworks.net

For Validity, NotBefore, NotAfter: Date/time format option

should be:

� Digital: (Default) All the date and time numbers are

used the digital number, except the GMT expression.

� Latin: Month will be expressed in English word.

� W3C: Standard time formal format. Use the local time

zone information from the client certificate.

Example for Validity format option:

Latin: From Jan 31 15:35:5 2008 GMT To Jan 30 15:35:5 2009 GMT

Digital: Valid from 2008-01-01 20:01:01 GMT to 2010-0101

20:01:00 GMT

W3C: From 2008-01-31T15:35:05Z To 2009-01-30T15:35:05Z

For ext.: The format option should be: unparsed or

parsed.

X509 certificate’s extensions are defined as follow:

Extension::= SEQUENCE {

extnID OBJECT IDENTIFIER,

critical BOOLEAN DEFAULT FALSE,

extnValue OCTET STRING }

Among which:

extnID: The OID of the extension;

critical: The criticality flag;

extnValue: The extension value.

� Unparsed: (Default) Only the entire value of the

extnValue will be forwarded to the backend server. For

DER, one object is expressed by three parts: type,

length and value. The extnValue is encoded in DER.

Therefore, the extnValue consists of its type, length and

value.

138

Chapter 7 Reverse Proxy Cache

� Parsed: The value of the extnValue is also encoded in

DER, so that it includes three parts: type, length and

value. When this option is enabled, only the value in

the value of the extnValue will be forwarded to the

backend server.

When the type in the value of the extnValue is one of the

following, no matter the option is unparsed or parsed, the

value of the extnValue will be forwarded to the backend

server:

SEQUENCE

SET

Untagged data

For example, the following is an extension of which the type

in the value is SEQUENCE:

404 30 31: SEQUENCE {

406 06 3: OBJECT IDENTIFIER issuerAltName (2 5 29

18)

411 04 24: OCTET STRING, encapsulates {

413 30 22: SEQUENCE {

415 86 20: [6] 'http://www.nist.gov/'

: }

For the two commands “http xclientcert plaintext header

"ext.2.5.29.18" vs1 "url1" "parsed"” and “http

xclientcert plaintext header "ext.2.5.29.18" vs1 "url1"

"unparsed"”, the same result “0x30 0x22 0x86 0x20…”

will be sent to backend server.

When the type of the value in the value of the extnValue is

time string, ArrayOS will transfer its content to DIGITAL

format:

Generalized Time

UTC tim

139

Example for ext. format option:

Chapter 7 Reverse Proxy Cache

In this example, the extension OID is 0.1.2.3, and the value

of the extnValue is "0x0c 0x06 0x36 0x35 0x34 0x33 0x32

0x31". "0c" represents the type in the value of extnValue

and "06" represents the length in the value of the extnValue.

If “format_opt” is “unparsed”, “0x0c 0x06 0x36 0x35 0x34

0x33 0x32 0x31” will be forwarded.

If “format_opt” is “parsed”, “0x36 0x35 0x34 0x33 0x32

0x31” will be forwarded.

http xclientcert dnencoding [encoding]

This command is used to specify the encoding format for client certificate’s DN

(Distinguished Name) transferred from the specified SLB virtual service to the backend

server.

virtual_service Specify the SLB virtual service name.

encoding Optional. Specify the encoding format for multibyte

characters. UTF-8, GB2312, GBK and GB18030 are

supported. The default format is UTF-8.

show http xclientcert dnencoding [virtual_service]

This command is used to display the DN encoding configuration.

virtual_service Specify the SLB virtual service name. Optional. If no

virtual service is specified, the DN encoding configuration

for all SLB virtual services will be displayed.

no http xclientcert dnencoding

This command is used to restore the DN encoding configuration for the specified virtual

service to default.

virtual_service Specify the SLB virtual service name.

clear http xclientcert dnencoding

This command is used to reset the DN encoding configurations for all virtual services.

http owa {on|off}

140

Chapter 7 Reverse Proxy Cache

This command is used to enable or disable the subsystem, which inserts OWA (Outlook

Web Access) specific header, FRONT-END-HTTPS: on, in the requests forwarded to

backend servers. When this subsystem is turned on, the header insertion will be done only

for the virtual services configured using the “http owa virtual” command. When this

subsystem is turned off, the header insertion will not be done even if there are virtual

services configured using the “http owa virtual” command. The default setting is off.

show http owa status

This command is used to display the status (on/off) of the OWA subsystem.

http owa virtual

This command is used to enables the insertion of FRONT-END-HTTPS: on header in the

requests forwarded to the backend servers for the specified virtual service.

show http owa virtual

This command is used to display all the virtual services for which the insertion of

FRONT-END-HTTPS: on header, in the requests forwarded to the backend servers, is

enabled.

no http owa virtual

This command is used to disable the insertion of FRONT-END-HTTPS: on header, in the

requests forwarded to the backend servers, for the specified virtual service.

clear http owa virtual

This command is used to disable the insertion of FRONT-END-HTTPS: on header, in the

requests forwarded to the backend servers, for all the virtual services.

http mask server {on|off}

This command allows users to "hide" the identity of the backend server from the client.

The “Server” header will be removed if it is set to “on”. The default value is “off”.

http mask via {on|off}

This command allows users to prevent the client Web browser from knowing that the

responses have been proxied through the APV appliance. The “Via” header will be

removed if it is set to “on”. The default value is “off”.

show http mask

This command is used to display the current status (on/off) for the HTTP mask server and

HTTP mask via functions.

http serverconnreuse {on|off}

141

Chapter 7 Reverse Proxy Cache

This command is used to turn on or off the reuse of server connections for multiple

transactions. Setting to “off” makes every server connection to be used only for a single

transaction after which the connection is terminated. Setting to “on” makes every server

connection to be used for multiple transactions. The default setting is “on”.

[no] http serverconnreuse real off

This command is used to force every server connection to be used for a single transaction

for the specified real service.

real_name An assigned name, in the form of a character string, to the

real service. Note: If the assigned name begins with a

numeric character, then the string needs to be framed in

double quotes.

[show|clear] http serverconnreuse

This command is used to display or clear the current status (on/off), regarding the use of

server connections for multiple transactions.

http serverpersist {on|off}

This command is used to enable or disable the use of persistent connections for

communication with the backend servers. By default, the use of persistent connections is

turned on. When connection reuse is enabled, enabling connection persistence ensures

that all transactions from the same client connection are forwarded to the same back end

server. If connection reuse is enable but connection persistence is disabled, then

transactions from the same client connection may be forwarded to different backend

server connections.

[no] http serverpersist real off

This command is used to disable the use of persistent connections for communication

with the backend servers for the specified real service.

real_name An assigned name, in the form of a character string, to the

real service. Note: If the assigned name begins with a

numeric character, then the string needs to be framed in

double quotes.

[show|clear] http serverpersist

This command is used to display or clear the status (on/off) regarding the use of

persistent connections concerning the communication with backend servers.

http shuntreset {on|off}

142

Chapter 7 Reverse Proxy Cache

This command is used to enable or disable resetting non-reusable server connections.

Enabling this option forces the APV appliance to reset non-reusable server connections.

By default this option is disabled.

show http shuntreset

This command is used to display the status for the handling of non-reusable server

connections.

http buffer nomsglen {on|off}

This command is used to enable (on) or disable (off) the cache to accept and cache some

non-RFC compliant responses. When enabled, responses that do not possess an “end of

response” HTTP message length indicator within the headers will still be cached before

returning the information to the client. By default this is enabled.

show http buffer nomsglen

This command is used to display the status of caching those responses that do not possess

an “end of response” HTTP message length indicator.

http rewrite request insertheader

This command is used to insert arbitrary header-string in HTTP request received for the

specified virtual service. The header-string will be inserted verbatim except % sign,

which can be used for escaping. %n represents a line separator (replaced by \r\n), %q is a

double quote (“) and %% is the percent itself. Limit of the header-string length is 500

bytes. For example, for a header string FRONT-END-HTTPS: on%n, the administrator

will enter “FRONT-END-HEADER: on%n” with the entire string framed in double

quotes when entering via the CLI; no quotes necessary when entering the string via the

WebUI.

no http rewrite request insertheader

This command is used to disable the insertion of the custom HTTP header for the

specified virtual service.

show http rewrite request insertheader [virtual_service]

This command is used to display the status of the arbitrary HTTP header insertion for a

virtual service. If the keyword “all” is used, the HTTP header insertion configuration for

all virtual services will be displayed. Default is “all”.

clear http rewrite request insertheader

This command is used to clear the HTTP header insertion function for the specified

virtual service. If the keyword “all” is used, the HTTP header insertion function for all

virtual services will be cleared.

143

http rewrite response cookie secure {on|off}

Chapter 7 Reverse Proxy Cache

This command is used to enable or disable the placement of a secure clause within the

HTTP Set-Cookie header preventing the client forwarding of the cookie on an insecure

connection. The default status is “on”.

http rewrite response cookie secure icookie {on|off}

This command is used to enable or disable the support of secure cookies for HTTPS

clients. The default status is “on”. This command is added for not inserting “secure” tag

to Set-Cookie header when the “http rewrite response cookie secure” command is

enabled.

show http rewrite response cookie secure

This command is used to display the running status of the secure cookie in the response.

clear http rewrite response cookie

This command is used to reset the rewrite response to the default setting “on”.

http rewrite response port

This command is used to modify the port number contained in the Location header in the

responses for the HTTP requests received by the specified virtual service.

virtual_service Specify the virtual service name.

modify_action Specify the modification action. Now, only “remove”

action is supported.

no http rewrite response port

This command is used to disable the port number modification function for the specified

virtual service.

show http rewrite response port [virtual_service]

This command is used to display the port number modification settings for all virtual

services. If a virtual service is specified, this command will only display the port

modification setting of the virtual service.

clear http rewrite response port

This command is used to reset the port number modification setting for the specified

virtual service.

144

Chapter 7 Reverse Proxy Cache

virtual_service Specify the virtual service name. If the keyword “all” is

used, the port number modification settings for all virtual

services will be reset.

http rewrite response https

This command allows users to configure the rewrite of HTTP redirects to HTTPS for the

specified HTTP or HTTPS virtual service. This is accomplished by rewriting HTTP

location header content to use HTTPS scheme in the URL.

show http rewrite response https

This command is used to display all the virtual services for which the rewrite of HTTP

redirects to HTTPS redirects is configured.

no http rewrite response https

This command is used to disable the rewrite of HTTP redirects to HTTPS redirects for

the specified virtual service.

clear http rewrite response https

This command is used to disable the rewrite of HTTP redirects to HTTPS redirects for all

the virtual services.

http redirect https

This command allows users to configure redirection of all HTTP request to HTTPS.

This is accomplished by generating a 301 (Moved permanently) response with location

header containing HTTPS scheme in the URL. This command can only be applied to

HTTP virtual services.

show http redirect https

This command is used to display all the virtual services for which the HTTP to HTTPS

redirects are configured.

no http redirect https

This command is used to disable the HTTP to HTTPS redirects for the specified virtual

service.

clear http redirect https

This command is used to disables the HTTP to HTTPS redirects for all the virtual

services.

145

http import error

Chapter 7 Reverse Proxy Cache

This command allows users to import a customized HTTP error page from a remote

server. The "error_code" refers to the HTTP error code, the “host name” refers to the

desired destination that has generated the error, and the "url" points to the location of the

customized error page. The supported HTTP error codes for importing customized error

pages are 400 (Bad Request), 403 (Forbidden), 412 (Precondition Failed), 416

(Requested Range Not Satisfiable), 502 (Bad Gateway) and 503 (Service Unavailable).

show http import error [error_code] [host_name]

This command is used to display the list of HTTP error codes and host names for which a

custom error page is imported. If the “error_code” and “host name” are specified, the

content of the imported error page (if present) is displayed.

clear http import error [error_code] [host_name]

This command is used to remove all the imported error pages. If “error_code” and “host

name” are specified, then the corresponding error page will be removed.

http error

This command is used to activate the imported error page for the specified “error_code”

and “host name”.

show http error [error_code] [host_name]

This command is used to display all the HTTP error codes and host names for which a

custom error page is activated. If the “error_code” and “host name” parameters are

specified, the content of the activated error page (if present) is displayed.

clear http error [error_code] [host_name]

This command is used to deactivate all the activated error pages. If the “error_code” and

“host name” parameters are specified, only the corresponding error page is deactivated.

http permit host

This command is used to add the specified host name to the list of permitted host names.

By default all host names are permitted. The moment at least one host name is configured

by using this command, only the configured host names are permitted and the rest are

denied.

show http permit host

This command is used to display the list of permitted host names.

no http permit host

146

Chapter 7 Reverse Proxy Cache

This command is used to remove the specified host name from the list of permitted host

names, if present. After this host name is removed, if there are no more host names in the

list, all the host names will be permitted.

clear http permit host

This command is used to remove all the host names from the list of permitted host names.

The moment this is done, all the host names will be permitted.

[no] http permit method [vip]

This command is used to add or delete the specified method to/from the list of permitted

HTTP methods. The possible methods are get, post, put, delete, trace, connect, options,

head, propfind, proppatch, mkcol, copy, move, lock, unlock and purge. By default, all the

methods are permitted and no commands of this kind are configured. The moment at least

one method is configured using this command, only the configured methods are permitted

and the rest are denied. When no methods are configured using this command, all the

methods are permitted. If the “vip” parameter is none or 0.0.0.0, this command is

configured at global level. Otherwise, it is configured at VIP level.

show http permit method [vip]

This command is used to display the list of permitted and denied HTTP methods. If the

“vip” parameter is 0.0.0.0, this command shows the global configuration. If the “vip”

parameter is not provided, this command shows all the settings, including global settings

and all the per-vip settings. If the VIP is given, only the specified VIP setting will be

displayed.

clear http permit method [vip]

This command is used to remove all the methods from the list of permitted HTTP

methods. The moment this is done, all the HTTP methods will be permitted. If the “vip”

parameter is 0.0.0.0, this command clears the global permit method. If the “vip”

parameter is not provided, this command clears all permit methods, including the global

settings and all the per-VIP settings. If the VIP is given, only the specified VIP permit

method will be cleared.

http modifyheader http10 {on|off}

This command allows users to change the HTTP version in response from 1.1 to 1.0 and

add “connection: keep-alive” to response header at the same time. If the HTTP version is

1.1, the APV appliance will change it to 1.0. If the “connection” field does not exist or

connection field is “connection: close”, the APV appliance will add this field or change it

to “connection: keep-alive”. The default setting is “off”.

show http modifyheader http10

This command is used to display the configuration of modify header.

147

[no] http acl url [level_0|1|2]

Chapter 7 Reverse Proxy Cache

This command is used to define an ACL rule for particular network resource of an SLB

virtual service.

The maximum number of the configured ACL rules depends on the system memory size:

� In the system with 1G memory, the maximum number of the configured ACL rules is

100;

� In the system with 2G memory, the maximum number of the configured ACL rules is

200;

� In the system with 4G or 8G memory, the maximum number of the configured ACL

rules is 1000.

virtual_service Specify the SLB virtual service name, which has been

defined.

path Define a network resource by its URL which needs to

be protected through access level. If the coming SSL

request fails to satisfy the access level “0|1|2”, the

“HTTP 403” error will be returned.

level_0|1|2 The following are all the cases:

Option Value Description

0 The resource can be accessed through both HTTP and HTTPS.

The resource can only be accessed through HTTPS with or without client

1 certificate authentication. However, if SSL mandatory authentication is set,

client certificate authentication is needed as in level “2”.

The resource can only be accessed through HTTPS and client certificate

2

authentication is mandatory.

http serverconnip [header_name]

This command is used to set a server connection IP rule for a specified virtual service.

The server connection IP setting tells the APV appliance to obtain the IP address from the

specified HTTP request header and use it as the source IP to connect the backend server.

virtual_service Specify the name of an HTTP or HTTPS virtual service.

header_name A case-insensitive HTTP request header name (can’t be a

standard HTTP header). This is an optional parameter and

the default value is “X-Forwarded-For”. Its maximum

length is 100 characters.

148

no http serverconnip

Chapter 7 Reverse Proxy Cache

This command is used to remove a server connection IP setting for a specified virtual

service.

virtual_service Specify the name of an HTTP or HTTPS virtual service.

show http serverconnip [virtual_service]

This command is used to display a server connection IP setting for a specified virtual

service. If no virtual service is specified, all the server connection IP settings will be

displayed.

clear http serverconnip

This command is used to remove all the server connection IP settings.

149

Chapter 8 DNS Cache

dns cache {on|off}

This command is used to turn on/off DNS cache. The default value is off.

dns cache expire

Chapter 8 DNS Cache

This command is used to configure DNS cache expiration time. If TTL (Time to Live) of

DNS response is shorter than the Min seconds setting, the expiration will take place after

Min seconds. “0” indicates no limit to the minimum TTL. The default value is 60. If TTL

of DNS response is longer than the Max seconds, cache will expire after Max seconds.

“0” configures no limit to the maximum TTL. The default value is 3600.

dns cache host

This command is used to add static entry to cache.

no dns host

This command is used to remove a static entry from cache.

show dns cache setting

This command is used to display DNS cache setting, including “dns cache on|off” and

“dns cache expire” status.

show dns cache host

This command is used to display all static DNS cache entries.

show statistics dns cache

This command is used to display statistics concerning the DNS cache.

clear dns cache content

This command is used to clear all dynamic DNS cache entries.

clear dns host

This command is used to clear all static DNS cache entries.

clear dns all

This command is used to clear the DNS cache configuration and return the APV

appliance default status.

150

clear statistics dns cache

This command is used to clear all the DNS cache statistics.

Chapter 8 DNS Cache

151

Chapter 9 HTTP Compression

The following section covers the commands for configuring various parameters for HTTP

data compression.

http compression {on|off} [virtual_name]

This command allows users to enable/disable HTTP data compression using gzip. If the

virtual service name is specified, this command enables/disables HTTP compression

feature for that specified virtual service. The global HTTP compression feature will be set

when no virtual service is specified. Only when both the global HTTP compression and

the per virtual service HTTP compression features are both enabled, does the APV

appliance compress the HTTP data of a virtual service.

show http compression settings

This command is used to display the current state of the compression feature

(enabled/disabled).

[no] http compression policy useragent

{js|css|pdf|ppt|xls|doc}

This command allows users to configure JavaScript, CSS, PDF, PPT, XLS and DOC to be

served to the configured user agents. The “user_agent_string” parameter must be encased

within quotation marks, e.g. http compression policy useragent “IE 5.5” pdf. However,

TEXT, XML and HTML of HTTP compression are default values, so they do not need to

be configured by the command “http compression policy useragent”. The

“user_agent_string” parameter need only be a sub-string for comparison purposes

performed by the APV appliance.

Deploying the “no” version of this command will remove the configuration (no http

compression policy useragent).

http compression advanced useragent on

This command is used to turn on the Java Script and CSS type compression for the

following four types of explorers (user agents): IE 6, IE 7, IE 8 and Mozilla 5.0.

http compression policy urlexclude

This command is used to add a url-exclude compression rule for a virtual service. If the

URL of a client request to that virtual service matches the configured

“wildcard_expression”, the textual contents in the response will not be compressed even

if HTTP compression is on. This command has higher priority than the “http

compression policy useragent” command.

show http compression policy urlexclude [vhost]

152

Chapter 9 HTTP Compression

This command is used to show all the HTTP compression policy urlexclude rules for the

virtual service specified by the “vhost” parameter. If the virtual service name is not

provided, show all the HTTP compression policy urlexclude rules.

no http compression policy urlexclude

This command is used to remove an HTTP compression policy urlexclude rule specified

by the virtual service name and wildcard expression.

clear http compression policy urlexclude [vhost]

This command is used to remove all the HTTP compression policy urlexclude rules for a

specified virtual service or all virtual services.

show http compression policy useragent

This command is used to show HTTP compression policies for configured user agents.

clear http compression policy useragent

This command is used to remove all the HTTP compression policies for the configured

user agents.

show statistics compression [virtual_name]

This command is used to display various statistics for compression. Specifying a virtual

name will display the statistics for a particular SLB virtual service. To view the statistics

for all configured layer 7 virtual services, issue the above command without specifying

the virtual name.

Example:

AN(config)#show statistics compression

Global Compression Statistics:

Throughput Statistics:

29003769 Total bytes sent out to client

16423821 Total bytes sent to compression

23412681 Total bytes rcvd from compression

0 Sent bytes/second

0 Rcvd bytes/second

33746 Peak Sent bytes/second

48049 Peak Rcvd bytes/second

0 Currently active transactions

Content Statistics:

349443 HTML's compressed

0 TEXT's compressed

0 XML's compressed

0 DOC's compressed

0 PPT's compressed

153

0 XLS's compressed

0 CSS's compressed

0 JS's compressed

0 PDF's compressed

349443 requests attempted

349443 content length transactions

0 chunk encoding transactions

0 fin terminated transactions

0 Http 1.0 response

349443 Http 1.1 response

Compression Ratio Statistics:

0% compression ratio of compressible data

Chapter 9 HTTP Compression

The following contents are explanations about the items in above output information.

� Throughput Statistics

Statistics Description

Total bytes sent to

compression

Total bytes recvd from

compression

Sent bytes/second

Rcvd bytes/second

Peak Sent bytes/second

Peak Rcvd bytes/second

Currently active

transactions

� Content Statistics

The total compressed data in bytes, which is the length of the result after

compression, either by software compression or by hardware

compression.

The total original data to be compressed in bytes, either by software

compression or by hardware compression.

The total compressed data in the last second. This is calculated by:

current total_bytes_sent_out – total_bytes_sent_out one second ago.

The total original data to be compressed in the last second. This is

calculated by: current total_bytes_recvd - total_bytes_recvd one second

ago.

The maximum number of bytes sent per second from the beginning to

now. If the new sent_bytes_per_second> peak_sent_bytes_per_second,

then peak_sent_bytes_per_second = new sent_bytes_per_second.

The maximum number of bytes received per second from the beginning

to now. If the new recvd_bytes_per_second>

peak_recvd_bytes_per_second, then peak_bytes_per_second = new

recvd_bytes_per_second.

The number of active HTTP connections in which the response data to

be compressed, which should be equal to or bigger than 0.

Statistics Description

HTML’s compressed

The total number of compressed HTTP responses whose types are

HTML.

TEXT’s compressed

The total number of compressed HTTP responses whose types are

TEXT.

XML’s compressed

The total number of compressed HTTP responses whose types are

XML.

DOC’s compressed The total number of compressed HTTP responses whose types are DOC.

PPT’s compressed The total number of compressed HTTP responses whose types are PPT.

XLS’s compressed The total number of compressed HTTP responses whose types are XLS.

CSS’s compressed The total number of compressed HTTP responses whose types are CSS.

JS’s compressed The total number of compressed HTTP responses whose types are JS

154

Chapter 9 HTTP Compression

Statistics Description

PDF’s compressed The total number of compressed HTTP responses whose types are PDF.

requests attempted

The total number of compressed HTTP responses. It equals to the sum

of all the individual types of compressed responses.

content length transactions The total number of compressed HTTP responses in HTTP length.

chunk encoding

The total number of compressed HTTP responses which have

transactions

chunk-encoding header.

fin terminated transactions

The total number of compressed HTTP responses which are

Fin-terminated.

Http 1.0 response The total number of compressed HTTP 1.0 responses.

Http 1.1 response The total number of compressed HTTP 1.1 responses.

clear statistics compression [virtual_name]

This command is used to clear the statistics of compression. Specifying a virtual name

will clear the statistics for a particular SLB virtual service. To clear the statistics for all

configured layer 7 virtual services, issues the above command without specifying the

virtual name.

155

Chapter 10 Secure Sockets Layer (SSL)

show ssl status

This command is used to display the current status of all configured SSL virtual and real

hosts.

show ssl host

This command is used to display all currently configured SSL hosts and the SLB service

to which it is paired.

show statistics ssl [host]

This command is used to generate a display of all the current SSL statistics for the

specified host. If no host is specified, data relating to all configured hosts will be

displayed.

clear statistics ssl [host]

This command is used to clear all relative statistics for the specified host. If no particular

host is specified, then the statistics for all configured hosts will be cleared.

[no] ssl host {real|virtual}

This command is used to create an SSL host and binds that host to a particular SLB

service, whether virtual or real. The SLB service assigned to an SSL host must be of

HTTPS or TCPS type. It is required that an SLB service be established prior to the

creation of an SSL host. Please note that multiple SLB service may be assigned to a host

by invoking this command with different SLB service names. Now up to 64 SLB services

can share the same SSL virtual host. The “no” version of the command will disassociate

the relationship between the host and the SLB service.

real|virtual Alert the ArrayOS to whether the assigned binding between

an SSL host and an SLB service is a virtual connection or a

real one. If an SSL host is associated with an SLB virtual

service, the newly created virtual SSL host will act as an

SSL server, while if it is associated with an SLB real

service, the newly created SSL real host will act as an SSL

client. An SSL host which is associated with SLB virtual

service is referred as an SSL virtual host from here onward,

while an SSL host that is associated with an SLB real

service is referred as an SSL real host from here onward.

SSL virtual host and SSL real host are two different entities

and have different configuration parameters. These options

are explained in each individual command.

156

Chapter 10 Secure Sockets Layer (SSL)

host_name The name assigned to the newly configured SSL host.

slb_service The SLB host name for which the SSL host has been

created and bound to.

ssl csr [key_length]

This command is used to generate a CSR (Certificate Signing Request) for the specified

host. After this command is employed, users will be led through a series of prompts in

order to properly receive a CSR. Administrators will have the option to make this key

exportable and to protect this exportable key with an encrypted password for future use.

In addition, this command also generates a “test” certificate for the host. When you start

the host with this test certificate, you will get a warning message on console about

incomplete certificate chain.

host_name The SSL virtual host name.

key_length Specify the length of the generated SSL key pair. The

length of the SSL key pair can be 1024 bits or 2048 bits. It

defaults to 1024 bits.

The requested data, via the prompts, are as follows:

AN(config)#ssl csr www.foo.com

We will now gather some required information about your ssl virtual host,

This information is encoded into your certificate

Two character country code for your organization (eg. US):

State or province:

Location or local city:

Organization Name:

Organizational Unit:

Do you want to use the virtual host name "vh1" as the Common Name (recommended)?(Y/N):

Email address of administrator:

Do you want the private key to be exportable [Yes/(No)]:

Enter passphrase for the private key:

Confirm passphrase for the private key:

Once the above information has been provided, the APV appliance will supply users with

a data message that should be copied over to an email message to be sent to a certifying

body. The lengths of these subject fields in the CSR should conform to the following

limits:

� Two Character Country Code: 2 bytes

� Common Name: 64 bytes

� State or Province: 64 bytes

� Location or Local City: 64 bytes

157

� Organization Name: 64 bytes

� Organizational Unit: 64 bytes

� Email Address for Administrator: 80 bytes

Chapter 10 Secure Sockets Layer (SSL)

Warning: The test certificate generated by the “ssl csr” command should not be

used for production systems, rather only for testing purposes.

show ssl csr

This command is used to display the CSR of the specified virtual host.

no ssl csr

This command is used to remove the existing CSR for a particular virtual host.

ssl backup certificate

This command allows users to backup the certificate and the private key of the specified

SSL host into a PFX file. If necessary, it will transfer the PFX file to the specified TFTP

server. If anyone wants to access this PFX file, he or she must enter the correct password.

host_name The name assigned to the specified SSL host.

file_name The designated name specified by an alphanumeric string.

Local format: the specified valid local file name, stored

locally. TFTP format: tftp://server/filename.

password The string that allows access to the specified file. Should

users desire keystroke symbols, such as “!” or “$”, the

entire password must be enclosed within quotation marks.

show ssl backup certificate

This command is used to display the file that the certificate and the private key of the

specified host are backed up into.

no ssl backup certificate

This command is used to remove the specified file that the certificate and the private key

of the specified host are backed up into.

ssl import certificate [tftp_ip] [filename]

This command allows users to input a certificate to ArrayOS from a TFTP server or CLI.

The parameter that is required with every command is “host_name” where the TFTP

server IP is required only if certificates are being imported via TFTP. The optional

parameter “filename” allows you to specify the filename of the certificate on the TFTP

158

Chapter 10 Secure Sockets Layer (SSL)

server. The default filename is .crt. Once the user has received the certificate

via an email, he or she simply needs to “cut and paste” the certificate supplied by the

certification authority into the CLI, if the certificate is in PEM format. ArrayOS has the

capability of importing certificates in PEM and DER formats and the certificates used by

IIS 5, IIS 4, Netscape iPlanet and Apache Web servers, via TFTP. To import the

certificate using TFTP, the optional parameter (TFTP server IP) should be specified.

show ssl certificate

This command allows users to view the certificate that has been issued for the specified

virtual host.

display_mode It can be “complete” mode or “simple” mode. The default

mode is “complete”.

ssl restore certificate

The command allows users to restore the certificate and the private key of the specified

SSL host from a PFX file, which can be stored in a local storage or remote TFTP server.

The password string MUST be identical to the string entered when this file is produced

by using the command “ssl backup”.

host_name The name assigned to the specified SSL host.

file_name The designated name specified by an alphanumeric string.

Local format: the specified valid local file name, stored

locally. TFTP format: tftp://server/filename.

password The string that allows access to the specified file. Should

users desire keystroke symbols, such as “!” or “$”, the

entire password must be enclosed within quotation marks.

ssl import key [tftp_ip] [filename]

This command allows users to input a key to ArrayOS from a TFTP server or CLI. The

parameter that is required with every command is “host_name” (virtual host name) where

the TFTP server IP is required only if keys are being imported via TFTP. The optional

parameter “filename” allows you to specify the filename of the key on the TFTP server.

The default filename is .key. Once the user has received the key via an email,

he or she simply needs to "cut and paste" the key supplied by the certification authority

into the CLI. ArrayOS has the capability of importing key formats used by IIS 5, IIS 4,

Netscape iPlanet and Apache Web servers, via TFTP. To import the key via TFTP, the

optional parameter “tftp_ip” (TFTP server IP) should be specified. Note that this

command can import unencrypted private keys in PEM format also by TFTP but this can

be very insecure and should be avoided.

159

ssl export key

Chapter 10 Secure Sockets Layer (SSL)

This command only allows users to export the private key produced while generating

CSR for a specified host from ArrayOS.

show ssl rootca [host_name] [display_mode]

This command is used to view the trusted CA certificate that has been issued for the

virtual host.

host_name The host name in the format of “www.xyz.com” or “ALL”.

“ALL” means the global root CA will be displayed. It

defaults to “ALL”.

display_mode It can be “complete” mode or “simple” mode. The default

mode is “complete”.

no ssl rootca [certificate_number]

This command is used to remove the specified trusted CA certificate that is issued for the

specified virtual host.

host_name The host name in the format of “www.xyz.com” or “ALL”.

“ALL” means the global root CA will be deleted.

certificate_number The serial number of the certificate which will be removed.

Users can find the serial number of the certificates via the

“show ssl certificate” command.

ssl import rootca [host_name] [tftp_ip] [filename]

If you enable SSL client authentication for an SSL virtual host, you must provide a

trusted CA Certificate. The “host_name” parameter is optional, and its default is “ALL”

which means a trusted CA certificate will be imported to the global root CA list. This will

be utilized for the verification of client certificates. This command allows users to import

the certificate for the Trusted Certificate Authority from TFTP server or CLI. The

ArrayOS has the default list of CAs preinstalled, and this command will import the new

certificate and append the existing list. This operation is for SSL virtual hosts only. Users

can simply “cut and paste” the root CA certificate into the CLI, if the certificate is in

PEM format. ArrayOS has the capability of importing certificates in PEM and DER

formats of a Certificate Authority, via TFTP. To import the certificate using TFTP, the

optional parameter “tftp_ip” (TFTP server IP) should be specified. The optional

parameter “filename” is used to specify the filename of root CA certificate on the TFTP

server. The default filename is .crt.

ssl import interca [tftp_ip] [filename]

160

Chapter 10 Secure Sockets Layer (SSL)

This command allows users to import the certificate of an Intermediate Certificate

Authority. This command is used when users need to configure a certificate chain for an

SSL virtual host from TFTP server or CLI. This operation is for SSL virtual hosts only.

Once the user has received the certificate via an email, he or she simply needs to “cut and

paste” the certificate supplied by the certification authority into the CLI, if the certificate

is in PEM format. ArrayOS has the capability of importing certificates in PEM and DER

formats of an Intermediate Certificate Authority, via TFTP. To import the certificate using

TFTP, the optional parameter “tftp_ip” (TFTP server IP) should be specified. The

optional parameter “filename” is used to specify the filename of intermediate CA

certificate on the TFTP server. The default filename is .crt.

show ssl interca [display_mode]

This command is used to view the intermediate CA certificate that is issued for the

specified virtual host.

display_mode It can be “complete” mode or “simple mode”. The default

mode is “complete”.

no ssl interca [certificate_number]

This command is used to remove the specified intermediate CA certificate that is issued

for the specified virtual host.

host_name The host name in the format of “www.xyz.com”.

url The serial number of the certificate which will be removed.

ssl import clientkey

This command is used to import an SSL client private key for the specified SSL virtual

host, to be used to contact with other SSL servers with client authentication, for example,

OCSP responder over SSL with client authentication. That's to say, this private key is not

limited to the OCSP and it can also be used for CRL server over LDAP server with client

authentication.

host_name The host name in the format of “www.xyz.com”.

url Specify HTTP, FTP or TFTP URL of the remote host to

import the client private key.

ssl import clientcert

This command is used to import an SSL client certificate for the specified SSL virtual

host, to be used to contact with other SSL servers with client authentication, for example,

OCSP responder over SSL with client authentication. That’s to say, this certificate is not

161

Chapter 10 Secure Sockets Layer (SSL)

limited to the OCSP and it can also be used for CRL server over LDAP server with client

authentication.

host_name The host name in the format of “www.xyz.com”.

url Specify HTTP, FTP or TFTP URL of the remote host to

import the client certificate.

ssl import crlca [host_name] [tftp_ip] [filename]

If you enable SSL CRL for an SSL virtual host, you must provide a CRL signature

certificate to verify the CRL signature. The “host_name” parameter is optional, and its

default is “ALL” which means the certificate for the global CDP will be imported. This

command allows users to import the CRL signature certificate in DER/PEM format from

TFTP server. This operation is for SSL virtual hosts only. To import the certificate using

TFTP, the optional parameter “tftp_ip” (TFTP server IP) should be specified. The

optional parameter “filename” is used to specify the full filename of CRL signature

certificate on the TFTP server. If the “host_name” parameter defaults to “ALL”, the

default filename is gcrlca.crt; otherwise, the default file name is .cca.

show ssl crlca

This command is used to view the CRL signature certificate that is issued for the

specified virtual host.

host_name The host name in the format of “www.xyz.com” or “ALL”.

“ALL” means the global CRL signature certificate will be

displayed. It defaults to “ALL”.

display_mode It can be “complete” mode or “simple” mode. The default

mode is “complete”.

no ssl crlca [certificate_number]

This command is used to remove the specified CRL signature certificate that is issued for

the specified virtual host.

host_name The host name in the format of “www.xyz.com” or “ALL”.

“ALL” means the global CRL signature certificate will be

deleted.

certificate_number The serial number of the CRL signature certificate which

will be removed. Users can find the serial number of the

certificates via the “show ssl certificate” command.

ssl start

162

Chapter 10 Secure Sockets Layer (SSL)

This command allows users to enable a configured SSL host or re-enable a previously

stopped SSL host. All SLB services associated with this specified SSL host will be

affected. ArrayOS will check the certificate chain for the SSL virtual host when starting

the virtual host. A warning message, stating that the certificate chain is incomplete, will

be printed on console if the certificate chain cannot be formed using the intermediate CA

file and global trusted CA file.

Note: Users cannot make changes to an SSL host settings with the “ssl start”

engaged. To make changes to a host, the “ssl stop” command must be used for the

specified SSL host first.

ssl stop

This command is used to disable the specified SSL host, but will not remove the

associated information such as key and certificate. Note: Users cannot make changes to

an SSL host with the “ssl start” engaged. To make changes to a host, the “ssl stop”

command must be used for the specified SSL host. Note: All SLB services associated

with this specified SSL host will be affected.

clear ssl

This command is used to remove the configuration of the specified SSL host, including

the key and certificate pair. If this command is employed, there is no manner to retrieve

the key even if there is a copy of the CSR. To reconfigure SSL for this host, a new key

and a replacement certificate will have to be created. Note: All SLB services associated

with this specified SSL host will be affected.

show ssl settings

This command allows users to view the various settings concerning the specified SSL

host, including the host name, designated port, origin server IP, origin port, CipherSuite

and current SSL version. Note: Users cannot make changes to an SSL host with “ssl start”

engaged. To make changes to a host, the “ssl stop” command must be used for the

specified SSL host.

ssl settings acceptchain

This command is used to enable the specified SSL host to utilize the certificate chain sent

by the peer in SSL handshake when verifying that peer’s certificate. By doing so, the SSL

host will try to use the certificate chain from peer to form the certificate chain until it

finds one CA certificate in its own trust CA list (global trust list for SSL real). For SSL

virtual hosts, this command will only take effect when client authentication is enabled.

no ssl settings acceptchain

This command is used to disable the accept chain setting.

ssl settings minimum

163

Chapter 10 Secure Sockets Layer (SSL)

This command is used to set the minimum strength of the browser that is required to

access the specified virtual host. If any browser connecting to this virtual host does not

support encryption strength specified by “key_size” (ranging from 0 to 512 bits), it will

be redirected to the URL specified by the “url” parameter. This command should only be

used with virtual hosts doing HTTPS. This operation is for SSL virtual hosts only.

no ssl settings minimum

This command is used to turn off the minimum key size feature.

ssl settings protocol

This command allows users to set the SSL protocol for the specified SSL host. The Array

appliance supports two types of protocols: SSLv3 and TLSv1.

host_name Specify the SSL host.

version Set the SSL protocol version. You may enter either of the

protocols SSLv3 and TLSv1.To use both the two protocols,

just input “ALL” for this parameter.

For example:

AN(config)#ssl settings protocol vhost1 SSLv3

AN(config)#ssl settings protocol ALL

ssl settings clientauth [subject_filter]

This command allows users to establish client authentication for the specified SSL host.

If the host is an SSL virtual host, all SSL clients connecting to this virtual host will be

required to present a client certificate before communication will be allowed to continue.

If the host is an SSL real host, it will present a certificate to the server when requested for

further communication.

In addition to basic client certificate validation, client certificate authentication is

extended to filter the client certificate “Subject” fields as well. A client certificate will be

checked against the configured filter information. If no match is made, the client access

will be rejected.

host_name Specify the SSL host.

subject_filter Configure filter rules for the “Subject” fields. The

configured rules must be enclosed in double quotes, such

as “/C=US”. Multiple filter rules can be configured via one

command, and these rules are in “AND” relation (i.e. all

must be matched) and must be separated by “/”. If no

setting is made, the system will not perform filtering on the

164

“Subject” fields.

Chapter 10 Secure Sockets Layer (SSL)

The filter rules can be configured with any of the supported RDNs on the APV appliances,

including:

RDN Standard Name OID

C Country Name 2.5.4.6

ST State or Province Name 2.5.4.8

L Locality Name 2.5.4.7

O Organization Name 2.5.4.10

OU Organizational Unit Name 2.5.4.11

CN Common Name 2.5.4.3

SN Serial Number 2.5.4.5

dnQualifier DN Qualifier 2.5.4.46

Pseudonym Pseudonym 2.5.4.65

Title Title 2.5.4.12

GQ Generation Qualifier 2.5.4.44

Initials Initials 2.5.4.43

Name Name 2.5.4.41

givenName Given Name 2.5.4.42

Surname Surname 2.5.4.4

DC Domain Component 0.9.2342.19200300.100.1.25

emailAddress Email Address 1.2.840.113549.1.9.1

{OID expression} OID information, for example: 1.2.3.4

For example:

AN(config)#ssl settings clientauth vhost

“/C=US/O=Array/OU=QA/emailAddress=admin@arraynetworks.net”

In this example, all client certificates with the “C” entry “US”, the “O” entry “Array”, the

“OU” entry “QA”, and the “emailAddress” entry “admin@arraynetworks.net” will pass

the subject filter.

AN(config)#ssl settings clientauth vhost “/2.5.4.6=JP”

In this example, the OID “2.5.4.6” means “Country Name”. With this command executed,

the client certificate whose Subject contains OID “2.5.4.6” and its value equals to “JP”

will pass the subject filter.

no ssl settings clientauth

This command is used to disengage the client authentication feature for the specified

host.

[no] ssl settings crl online

165

Chapter 10 Secure Sockets Layer (SSL)

This command allows users to verify the client certificate via CRL (Certificate

Revocation Lists). These lists are downloaded from the CRL Distribution Point (CDP)

specified in the client certificate during SSL handshake. This command operates for

virtual hosts only and works only after enabling client authentication.

[no] ssl settings crl offline

[time_interval] [delay_time]

This command allows users to verify the client certificate via CRL (Certification

Revocation Lists). These lists are downloaded from the configured CRL Distribution

Point (CDP) at the desired time interval. HTTP, FTP and LDAP are supported protocols

to fetch the CRL files. For each virtual host, administrators can configure ten CDPs. This

command operates for virtual hosts only and works only after enabling client

authentication.

Note: To configure CRL for an SSL virtual host, please import the CRL signature

certificate via the “ssl import crlca” command firstly.

crldp_name The assigned name to CRL Distribution Point.

crldistribution_point The URL from where Certification Revocation Lists are

downloaded.

time_interval An integer (in minutes) that indicates the time interval

between two downloads. It defaults to 1440 minutes.

delay_time Optional. Its value must be equal to or greater than zero. It

defaults to 0. When it is greater than zero, the APV

appliance checks whether the CRL file is expired after

downloading the CRL file. If the current time is greater

than the sum of the next update time and delay time, the

CRL file is expired, which means that the APV appliance

will refuse all SSL connections which need authenticate the

client certificate via the CRL; if the current time is less

than or equal to the sum of the next update time and delay

time, the CRL file is unexpired. When the delay time is

equal to zero, the APV appliance will not check whether

the CRL file is expired after downloading the CRL file.

ssl settings ocsp

This command allows users to validate the certificate online via OCSP server. After

executing this command, the APV appliance will validate the certificate online via the

OCSP server specified in the client certificate. If this validation via the OCSP server

specified in the client certificate fails, then the APV appliance will go on to validate the

certificate online via the OCSP server configured in this command. If OCSP server is

configured, CRL check will be disabled automatically.

166

no ssl settings ocsp

This command is used to remove the OCSP configuration.

ssl settings reuse

Chapter 10 Secure Sockets Layer (SSL)

This command allows users to take advantage of the APV appliance’s SSL session reuse

functionality. By default, the SSL session reuse function is active.

no ssl settings reuse

This command disengages the SSL session reuse function.

ssl settings servername

This command provides an expected SSL server common name for the specified SSL real

host. After the server certificate is successfully verified, the SSL real host still checks the

common name in server certificate to see whether it matches the one given in this

command. If it doesn’t match, SSL real host will reject the SSL server certificate. The

command will only take effect when the SSL global settings for the verification the server

certificate is on. If it is off, the server certificate will not be verified and so the common

name in the certificate will not be checked either.

no ssl settings servername

This command is used to remove the SSL settings servername configuration.

ssl globals ignoreclosenotify {on|off}

This command is used to instruct the APV appliance to ignore the SSL close notify error

when a client does not terminate the SSL connection correctly (or terminates an SSL

connection without sending Close Notify Alert). This command is ON by default. If this

feature is OFF, the APV appliance will require the connection to be closed with Close

Notify Alert and if a client doesn’t send Close Notify Alert before closing a connection,

the SSL session pertaining to that connection will be marked as invalid and will be

flushed. If this feature is ON, the APV appliance will ignore the improper closing of SSL

connection and will keep on reusing the SSL session pertaining to this connection even if

the client has closed the connection without sending Close Notify Alert. This command is

global and applies to all configured SSL virtual hosts and SSL real hosts.

ssl globals sessiontimeout

This command allows users to set SSL session cache timeout, in seconds, ranging from

60 to 86400.

ssl globals verifycert {on|off}

This command allows users to turn on or off the certificate verification function.

167

on Enable certificate verification.

off Disable certificate verification.

ssl settings ciphersuite

Chapter 10 Secure Sockets Layer (SSL)

This command allows users to set the desired cipher suite. Below is a list of the supported

cipher suites.

Note: Only experienced administrators should employ this command. If you have

any questions regarding these settings, please call customer support BEFORE

implementing this command.

Supported Cipher methods include:

� DES-CBC3-SHA *

� DES-CBC-SHA

� RC4-SHA *

� RC4-MD5 *

� EXP-DES-CBC-SHA

� EXP-RC4-MD5

� AES128-SHA *

� AES256-SHA *

The cipher suites followed with “*” can be used for both SSL virtual hosts and SSL real

hosts. While the other cipher suites can be used only with SSL virtual hosts.

ssl settings authmandatory

This command is used to enable client mandatory authentication mode for the specified

SSL virtual host.

vhost SSL virtual host name.

no ssl settings authmandatory

This command is used to disable client mandatory authentication mode for the specified

SSL virtual host. After executing this command, the specific SSL virtual host is in

non-mandatory mode.

vhost SSL virtual host name.

168

ssl import error

Chapter 10 Secure Sockets Layer (SSL)

This command is used to import a customized static error page to the APV appliance

system disk from the administrator’s remote host. The administrator can define the error

code for different types of error pages. The error pages should be static HTML without

pictures and flashes.

error_code Specify the code of customized error pages, as follows.

� 901: SSL virtual host requires the client certificate;

� 903: The SSL client certificate is not trusted;

� 904: The SSL client certificate is expired;

� 905: The SSL client certificate isn’t valid yet;

� 906: The SSL client certificate has been revoked.

url Specify HTTP or FTP URL of the remote host to retrieve

the static error page. For example, the administrator sets an

error page called “error.html” on his computer whose IP

address is 10.3.50.100, so the URL in this command should

be “http://10.3.50.100/error.html”.

ssl load error

This command is used to load an SSL customized error page into the APV appliance

system memory. The loaded error page should have been imported into the APV

appliance system disk by using the command “ssl import error”. After the administrator

executes this command, this SSL customized error page will be displayed to SSL clients

when client authentication fails.

error_code Specify the code of customized error pages, as follows:

ssl load crl

� 901: SSL virtual host requires the client certificate;

� 903: The SSL client certificate is not trusted;

� 904: The SSL client certificate is expired;

� 905: The SSL client certificate isn’t valid yet;

� 906: The SSL client certificate has been revoked.

This command is used to re-download all CRL files immediately from the CDPs defined

in the system.

show ssl import error

169

Chapter 10 Secure Sockets Layer (SSL)

This command is used to display the imported error page of the error code which is

specified by “error_code”.

no ssl import error

This command is used to delete the imported error page of the error code which is

specified by “error_code”.

show ssl load error

This command is used to display the loaded error page of the error code which is

specified by “error_code”.

no ssl load error

This command is used to delete the loaded error page of the error code which is specified

by “error_code”.

[no] http xclientcert rdnsep [separator] [pre|post]

This command is used to configure the DN field separator for an HTTPS virtual service.

The “no” version of this command removes a DN filed separator for an HTTPS virtual

service.

vs_name HTTPS SLB virtual service name.

separator A customized separator, default value is “,”.

pre|post The position where the field separator is put. “pre” means

before each DN field and “post” means after each DN

field. This parameter is optional and the default value is

“post”.

show http xclientcert rdnsep [vs_name]

This command is used to display DN separator customizations for one or all SLB virtual

services.

vs_name The virtual service for which the DN separator is

configured. This parameter is optional and the default

value is “all”.

show ssl crlstatus [cdp_name]

This command is used to display one or all SSL CRL (Certificate Revoked List) files for

an SSL virtual host, including CDP name, update time and its status. A CRL file can have

3 states: success, failed and downloading.

170

Chapter 10 Secure Sockets Layer (SSL)

host SSL virtual host name for which CRL files will be

displayed.

cdp_name Optional. Default is “all”, meaning all the CRL files for the

virtual host will be displayed. Otherwise, only the CRL

associated with the CDP will be displayed.

The following is a sample output:

AN(config)#show ssl crlstatus

CDP Name Update Time Status

cfca Fri Oct 29 14:01:20 2010 Downloading

bjc Fri Oct 29 13:57:38 2010 Success

ssl globals sendclosenotify {on|off}

This command is used to enable/disable the function of sending SSL close notification.

[no] ssl globals crl host

This command is used to associate the global CRL with the specified virtual host or to

disassociate the global CRL from the specified virtual host.

cdp_name The assigned name to CRL Distribution Point.

vhost The SSL virtual host name.

[no] ssl globals crl cdp [time_interval]

[delay_time]

This command allows users to configure or remove global CRL Distribution Point (CDP).

These lists can be downloaded from the specified CDP at the desired time interval. HTTP,

FTP and LDAP are supported protocols to fetch the CRL files. Note: To configure CRL

for an SSL virtual host, please import the CRL signature certificate via the “ssl import

crlca” command firstly.

cdp_name The assigned name to CRL Distribution Point.

crl_distribution_point_url The URL from where Certification Revocation Lists are

downloaded.

time_interval An integer (in minutes) that indicates the time interval

between two downloads. It defaults to 1440 minutes.

delay_time Optional. Its value must be equal to or greater than zero.

It defaults to 0. When it is greater than zero, the APV

appliance checks whether the CRL file is expired after

171

ssl globals fastcrl {on|off}

Chapter 10 Secure Sockets Layer (SSL)

downloading the CRL file. If the current time is greater

than the sum of the next update time and delay time, the

CRL file is expired; if the current time is less than or

equal to the sum of the next update time and delay time,

the CRL file is unexpired. When the delay time is equal

to zero, the APV appliance will not check whether the

CRL file is expired after downloading the CRL file.

This command is used to enable or disable CRL (Certificate Revocation Lists) memory.

When FastCRL function is enabled, the CRL files on disk will be loaded into memory

immediately.

ssl globals renegotiation {on|off}

This command is used to enable/disable global SSL renegotiation. SSL renegotiation

function is disabled by default.

[no] ssl settings reneg

This command is used to enable/disable SSL renegotiation per SSL virtual host. To

enable SSL renegotiation per SSL virtual host, users must first enable the global settings.

172

Chapter 11 Clustering

show cluster virtual status [interface_name]

Chapter 11 Clustering

The command is used to output the status of the cluster feature for the APV appliance

(either on or off), followed by the state of each configured virtual cluster (either in

incomplete, initialize, backup, or master state), and the name and link status of the

interfaces specified for each virtual cluster.

If an interface name is specified, the system will only display the cluster status

information about this interface.

interface_name Specify the interface name, which can be the system

interface, bond interface, VLAN interface or MNET

interface.

Example:

AN(config)#show cluster virtual status

ffo cable status: remote no power

discreet mode enabled

ifname= outside

vcid off/on vc state

1 on master

ifname= inside

vcid off/on vc state

1 on master

ifname= mnet1

vcid off/on vc state

1 on master

cluster virtual {on|off} [cluster_id|0] [interface_name]

This command is used to enable or disable the virtual clustering capabilities for the APV

appliance. The minimum value of a virtual cluster ID is 1 and the maximum decimal

value is 255. It defaults to 0, which means all clusters will be activated. Also with this

command, users must specify the appropriate interface name. If no cluster ID or interface

name is supplied, all clusters will be activated.

cluster virtual ffo {on|off}

This command is used to enable or disable the Fast Failover (FFO) feature. The default

value is off.

cluster virtual ffo interface carrier loss timeout

173

Chapter 11 Clustering

This command is used to configure how long an APV appliance waits before failover (if

necessary) when it detects interface carrier loss (in milliseconds). If network carrier

recovers in the timeout value, no action will be taken. This timeout value ranges from 0

to 65535, in milliseconds. 0 means no wait while 65535 means no failover.

system test failover port

This command allows users to test the status of the FFO port on the APV appliance with

active console connected. To use this command, users should follow these steps:

1. Execute “cluster virtual ffo off” to turn off the Fast Failover functionality;

2. Execute “system test failover port” and the system will prompt the following

message:

Connect the console cable to the failover port then press the ‘Enter’ key.

3. Unplug the Console cable from the Console port and plug it to the FFO port;

4. Press the Enter key;

5. The system will display “The failover port is ok.” if the status of the FFO port is

normal, while system will prompt nothing if there is anything wrong with the FFO

port;

6. Plug the Console cable back to the Console port.

Note:

1. Before using this command to test the FFO port, first please make certain that

you have turned off the Fast Failover function by executing the “cluster virtual ffo

off” command.

2. This command also applies to the FFO USB port.

show cluster virtual config [interface_name]

This command is used to display the current virtual cluster configuration or the virtual

cluster configuration of all the interfaces. If an interface name is specified, the system

will only display the cluster status information about this interface.

interface_name Specify the interface name, which can be the system

interface, bond interface, VLAN interface or MNET

interface. The default value is all.

Example:

AN(config)#show cluster virtual config inside

cluster virtual ifname “inside” 1

cluster virtual vip “inside” 1 10.30.0.30

cluster virtual auth “inside” 1 1 “myString”

cluster virtual interval “inside” 1 10

174

cluster virtual preempt “inside” 1 0

cluster virtual priority “inside” 1 200

show cluster virtual ffo

This command is used to display the current fast failover configurations.

cluster virtual ifname

This command is used to define a virtual cluster ID for specific interface.

Chapter 11 Clustering

interface_name Specify the interface name, which can be the system

interface, bond interface, VLAN interface or MNET

interface.

cluster_id A virtual cluster ID where the minimum decimal value is 1

and the maximum decimal value is 255.

Note: As too many virtual cluster IDs (VCID) might cause unnecessary system

overload, it is suggested not to configure too many VCIDs in the system. If many

virtual IP addresses are needed, administrators can configure multiple IP addresses

within one VCID, instead of configuring one VCID for each IP address.

show cluster virtual interface

This command allows users to view declared interface names configured via the “cluster

virtual ifname” command.

clear cluster virtual {interface_name|all} {cluster_id|0}

This command is used to remove virtual clusters from the specified system interface.

interface_name|all Specify the interface name, which can be the system

interface, bond interface, VLAN interface or MNET

interface. “all” means all existing interfaces.

cluster_id|0 Specify the virtual cluster ID to be removed, which ranges

from 1 to 255. “0” means all virtual clusters.

cluster virtual vip

This command is used to set the virtual IP address for a virtual cluster on specified

interface..

interface_name Specify the interface name, which can be the system

interface, bond interface, VLAN interface or MNET

175

interface.

Chapter 11 Clustering

cluster_id A virtual cluster ID where the minimum decimal value is 1

and the maximum decimal value is 255. A cluster ID can

have up to 255 virtual IP addresses. The same virtual IDs,

located on different interfaces, are treated as different

virtual IDs. All the virtual IP addresses with the same

virtual ID will have the same status (master or backup).

vip A virtual IP address may be any IP address on the Internet

in IP dot format, excluding 0.0.0.0 and 255.255.255.255.

All IPs are valid barring reserved IP addresses such as loop

back, multicast, and other commonly known specialized

ranges. Each virtual IP address entered must be unique.

cluster virtual auth {0|1} [password]

This command is used to configure virtual cluster authentication.

interface_name Specify the interface name, which can be the system

interface, bond interface, VLAN interface or MNET

interface.

cluster_id A virtual cluster ID where the minimum decimal value is 1

and the maximum decimal value is 255.

0|1 Authentication type with a value of “0” specifies that no

password will be used, and authentication type with a value

of “1” has a password field specified in simple text.

password The password consists of up to eight alphanumeric

characters. (Note: All numeric strings must be in quotes.)

cluster virtual preempt {1|0}

This command is used to configure virtual cluster preemption. (Note: Exception is a

cluster that has been configured with a priority 255.)

interface_name Specify the interface name, which can be the system

interface, bond interface, VLAN interface or MNET

interface.

cluster_id The assigned identification number for the virtual cluster.

1|0 The value “1” allows preemption of a higher priority

master, while the value “0” prohibits preemption of a

176

higher priority master.

cluster virtual interval

Chapter 11 Clustering

This command is used to set the advertisement interval for the specified cluster.

interface_name Specify the interface name, which can be the system

interface, bond interface, VLAN interface or MNET

interface.

cluster_id The assigned identification number for the virtual cluster.

seconds Specify the advertisement interval, which ranges from

three (3) to sixty (60) seconds. The default interval time is

five (5) seconds. Any state transition of the virtual cluster

will be approximately three (3) times to the interval value.

cluster virtual priority

[synconfig_peer_name]

This command is used to set the virtual cluster priority. The priority can be from 1 to 255,

where 255 is defined as the highest priority.

interface_name Specify the interface name, which can be the system

interface, bond interface, VLAN interface or MNET

interface.

cluster_id The assigned identification number for the virtual cluster.

priority Set this parameter to determine the priority for redundancy.

The greater the value, the higher the priority. The value

ranges from 1 to 255.

synconfig_peer_name Optional parameter. Default value is “Primary”. Except for

the default value (“Primary”), this parameter can be any

synconfig peer defined via the command “synconfig peer

”. When it is set to “Primary”, the

command applies to the local node. When it is set to an

actual synconfig peer name, the command applies to the

node the synconfig peer name refers to. It can also be a

synconfig peer defined for the local node. In this case, the

command applies to the local node.

no cluster virtual vip

177

Chapter 11 Clustering

This command is used to remove the VIP from the specified cluster ID and interface

name.

no cluster virtual auth

This command is used to reset cluster authentication to default setting (false).

no cluster virtual interval

This command is used to reset advertisement interval to default (5 seconds).

no cluster virtual preempt

This command is used to reset cluster preemption mode to default (true).

no cluster virtual priority

[synconfig_peer_name]

This command is used to reset cluster priority to default value (100).

cluster virtual discreet {on|off}

This command is used to turn on/off the discreet backup mode. In this mode, the system

determines whether a status transition is needed for the devices based on their status

information detected through a heartbeat cable. This mode makes the status transition

more reliable, and any VRRP packet loss will not result in double-master status. This

mode is “off” by default. Note: in discreet backup mode, the system utilizes the heartbeat

cable to collect the status information, so that please make sure the heartbeat cable

between the devices is well connected and turned on by “cluster virtual ffo on”

command firstly (Heartbeat cable and FFO cable are one cable).

show cluster virtual discreet

This command is used to display the discreet backup mode configuration.

Example:

AN(config)#show cluster virtual discreet

show cluster virtual transition [interface_name]

This command is used to display the last 100 cluster state transition logs on the specified

interface. If no interface name is given, it will display the last 100 cluster state transition

logs on all the interfaces. Cluster states include Initial (INIT), Backup (BACK), Discreet

Backup (DISCREET), FFO and Master (MAST).

interface_name Specify the interface name, which can be the system

interface, bond interface, VLAN interface or MNET

178

Example:

interface. The default value is all.

Chapter 11 Clustering

AN(config)#show cluster virtual transition

ifname = port1, vcid = 1

Sep 25 17:36:22 (+0000) [BACK -> MAST] Timeout.

Sep 25 17:36:17 (+0000) [DISCREET -> BACK] Receive a VRRP advertisement of priority 0.

Sep 25 17:34:58 (+0000) [BACK -> DISCREET] Entering discreet mode.

Sep 25 17:34:58 (+0000) [FFO -> BACK] FFO cable is OK. Cluster is ready to work.

Sep 25 17:34:58 (+0000) [INIT -> FFO] FFO is enabled.

Sep 25 17:34:56 (+0000) [BACK -> INIT] Stop running.

Sep 25 17:34:56 (+0000) [FFO -> BACK] FFO cable is OK. Cluster is ready to work.

Sep 25 17:34:56 (+0000) [INIT -> FFO] FFO is enabled.

clear cluster virtual transition [interface_name] [cluster_id]

This command is used to remove cluster state transition logs on the specified interface of

either the specified virtual cluster or all virtual clusters. By default, “interface_name”

parameter is set to all, which means removing cluster state transition logs on all interfaces.

By default, “cluster_id” parameter is set to 0, which means removing cluster state

transition logs on all virtual clusters.

show statistics cluster virtual [interface]

This command is used to display the virtual clustering statistics information on the

specified interface. If no interface name is given, it will display the virtual clustering

statistics information on all the interfaces.

Example:

AN(config)#show statistics cluster virtual

ifname = port1, vcid = 1

transition to master: 1

(Switch to master, gain VIPs)

quit master: 0

(Leave master, release VIPs)

VRRP loss: 0

(Possible VRRP loss - receive none VRRP advertisements from master for two intervals while in

backup state, but receive a valid VRRP advertisement before timeout (three intervals)

quick transition: 2

(Received VRRP advertisements of priority 0 -used for quick transition)

inconsistency: 0

(Detect inconsistent state with other interfaces of the same VCID, drop remote VRRP packets with

lower priority)

Note: The above contents in the brackets are explanations for output information.

clear statistics cluster virtual [interface_name] [cluster_id]

179

Chapter 11 Clustering

This command is used to remove the cluster statistics on the specified interface of either

the specified virtual cluster or all virtual clusters. By default, “interface_name” is set to

all, which means removing the cluster statistics on all interfaces. By default, “cluster_id”

parameter is set to 0, which means removing the cluster statistics information on all

virtual clusters.

cluster virtual arp interval [seconds]

This command is used to set the interval of masters broadcasting gratuitous ARP.

seconds It can be 0, or any integer from 30 to 65535, in seconds. It

defaults to 60 seconds. 0 means that devices only broadcast

gratuitous ARP when switching to Master state.

180

Chapter 12 Global Server Load Balancing

Basic SDNS Commands

sdns on [check|nocheck]

This command allows users to enable the SDNS function on the APV appliance if

licensed and set CHECK or NOCHECK on VIPs’ health status. It defaults to CHECK.

This toggle command only affects the appliance on which it is executed.

sdns nocheck

The command is used to add a nocheck IP address.

show sdns nocheck

The command is used to display SDNS nocheck IP address.

no sdns nocheck

The command is used to remove a nocheck IP address.

clear sdns nocheck

The command is used to remove all the nocheck IP addresses.

sdns off

This command allows users to disable the SDNS functions on the APV appliance if

licensed.

show sdns status

This command is used to display the status of SDNS.

The output from employing this command is as follows:

AN(config)#show sdns status

Smart DNS: ON CHECK

Member Name: APV1

Local Addr: 10.3.55.200

Heartbeat Timer: 2

Report Interval: 30

Is running: no

sdns statistics on

clear sdns all

181

Chapter 12 Global Server Load Balancing

This command is used to clear all SDNS configured data (such as members, sites, groups,

etc.) and set SDNS parameters (such as heartbeat frequency, status report frequency) back

to the default values.

show sdns all

This command is used to display all SDNS configured data (such as members, sites,

groups, etc.) and SDNS parameters (such as heartbeat frequency, status report frequency).

sdns interval heartbeat [seconds]

This command is used to specify the interval at which an APV appliance sends heartbeat

messages to all other members in an SDNS network. SDNS members use heartbeat

messages to determine the health of various members elsewhere on the network. The

“seconds” parameter must be a positive integer, ranging from 1 to 86400, in seconds. The

default value is 2 seconds. If the value is set to 0 or negative, or is larger than the

maximum 86400, an error will be reported and the configuration will not take effect.

sdns interval report [seconds]

This command is used to set the interval at which HTTP proxy cache servers report their

local status information to SDNS servers in the SDNS network. The “seconds” parameter

must be a positive integer, ranging from 1 to 86400, in seconds. The default value is 30

seconds. If the value is set to 0 or negative, or is larger than the maximum 86400, an error

will be reported and the configuration will not take effect.

SDNS Member

sdns member attribute [port] [member_type]

This command is used to create a member of an SDNS network and modify the current

parameters of a member.

member_name A given string of alphanumeric characters to identify the

specified APV appliance. It is recommended that

administrators use the assigned host name for the APV

appliance for this parameter though it is not required.

ip The IP address assigned to the specified APV appliance. It

should be a dot-noted IP address.

port The communication port. It is optional. If not specified, it

defaults to 5888. The range of valid values is [1, 65535].

member_type The type of the members in SDNS network. The type

includes “dns”, “proxy”, and “all”. It defaults to “all”. If

the type is “dns”, it means the APV appliance is an SDNS

server; if the type is “proxy”, it means the APV appliance

182

Chapter 12 Global Server Load Balancing

is an HTTP proxy cache server. If the type is “all”, it means

that the APV appliance can be an HTTP proxy cache server

and an SDNS server at the same time.

sdns member local [max_tcp_connections]

Each SDNS member is configured with many other members, one of which can be

defined as the local member by this command. Because those members’ information

(including name, IP address, port, and type) may be configured on a member in order to

communicate with each other, every member should assign itself to be the local member

to make the whole system work normally. The optional parameter

“max_tcp_connections” specifies the maximum number of TCP connections the APV

appliance may accept. The overflow algorithm uses this value. If not specified, the

“max_tcp_connections” defaults to 1000.

no sdns member

This command is used to remove the specified SDNS member.

show sdns member [member_name]

This command is used to display the specified SDNS member. If the “member_name”

parameter is not specified, it shows all members.

show sdns method [method_name]

The command is used to display SDNS method’s related host(s) information.

clear sdns member

This command is used to delete all the SDNS members.

SDNS Disaster Recovery (DR) Group

sdns group dr

This command allows users to create a DR group for the specified host. A “group” is

uniquely identified by the specified group name. Users should create a DR group for each

domain name that requires the DR service.

host_name In the “www.xyz.com” format.

sdns group disable {primary|standby}

This command is used to manually disable the primary or standby subgroup for the

specified DR group. After this command is executed, if only the primary subgroup is

183

Chapter 12 Global Server Load Balancing

disabled, the traffic will be routed to its standby sites; if the standby is disabled and the

service currently is served by the primary, there is no impact on traffic; if the standby and

the primary are both disabled, the service will be interrupted.

sdns group enable {primary|standby}

This command is used to manually enable the primary or standby subgroup for the

specified DR group.

sdns group preempt

This command is used to set or reset the preempt flag for the specified group. The group

should be a DR group. If a DR group works in the preempt mode, the primary site will

grab the control back whenever it comes back from its previous failure. On the contrary,

if it works in the non-preempt mode, it will assume the standby mode when it comes back

from its previous failure and the previous standby is fully functioning now. The preempt

value can be 0 (reset) or 1 (set).

[no] sdns group standby

This command is used to add a site to the standby subgroup of a DR group. Users should

have defined the group and the site before running this command. The command “no

sdns group standby” is used to remove a site from the standby subgroup.

[no] sdns group primary

This command is used to add a site to the primary subgroup of a DR group. Users should

have defined the group and the site before running this command. The command “no

sdns group primary” is used to remove a site from the primary subgroup.

sdns group switch

This command allows users to manually switch the specified DR group. Before using this

command, it is important to make sure the DR group is working in the non-preempt mode

and the primary site is “Inactive” while the standby site is “Active”. This command will

set the primary site “Active” and the standby site “Inactive”. Users should use this

command by caution. It is important to make sure that both of the primary site and the

standby site are functioning normally before switching the group. Otherwise, it may

cause the service to be interrupted.

show sdns group [group_name]

This command is used to display the group as specified with “group_name”. If no group

name is specified, all groups will be displayed.

Example:

AN(config)#show sdns group Array

184

Chapter 12 Global Server Load Balancing

Name Type Domainname Primarystatus Standbystatus ManuallySwitch

Array p/s www.xyz.com inactive inactive off

no sdns group dr

This command is used to remove the specified DR group.

SDNS Site

sdns site location [weight]

This command is used to create a site specified by the “site_name” parameter and assign

a weight to the site. “site” is a logical concept. The default value of site weight is 0.

Whether a member belongs to a site or not is not limited by its physical locations. When a

DNS resolving is being located in a site, the member of the highest-weighted site will be

chosen.

Note: The maximum sum of the configurable sites and regions is 64.

sdns site distance

This command is used to set the distance between two SDNS sites. The “distance”

parameter is an integer. The smaller the value, the shorter the physical distance between

the two SDNS sites; the bigger the value, the longer the physical distance between the

two SDNS sites.

[no] sdns site member

This command is used to add a member to the specified site. The command “no sdns site

member” is used to remove a member from the site.

no sdns site distance

This command is used to remove the distance settings between two specified SDNS sites.

no sdns site location

This command is used to remove the specified SDNS site.

clear sdns site all

This command is used to delete the SDNS settings, including sites and distance.

clear sdns site distance

This command is used to remove all the SDNS distance settings.

clear sdns site location

185

This command is used to remove all the SDNS site settings.

show sdns site [site_name]

Chapter 12 Global Server Load Balancing

This command is used to display the specified SDNS site settings. If “site name” is null,

display all the SDNS sites settings.

show sdns sitemap [site_name1] [site_name2]

This command is used to display the distance settings between the two specified sites. If

no site name is specified, it will display all distance settings defined between the sites. If

only one site is specified, it will display all the distance settings to the specified site.

SDNS Proximity

[no] sdns proximity {site|region_name} [priority]

This command is used to define a proximity rule, i.e., a relationship between a range of IP

addresses (defined by “source ip” and “net mask”) and a site/region (defined by

“site/region name”). If the source IP of a request is in the specified IP address range, that

request is considered in the specified site/region. The “priority” parameter is optional. By

default, the priority for a rule is set to 0.

If the host method of a domain name is configured as “proximity” by the command “sdns

host method”, only the “site name” parameter is valid. The system will locate a resolving

request on the specified site according to the specified IP range and the priority, and then

locate it on the site which is determined by the values configured by the command “sdns

site distance”.

If the host method of a domain name is configured as “region” by the command “sdns

host method”, the “site|region name” parameter is corresponding to a pool. The system

will locate a resolving request on the specified site or region according to the specified IP

range and the priority, and then return the host IPs in term of the rules of the pool.

Note: It is allowed for two proximity rules to overlap on the source IP addresses.

SDNS will perform longest match when that happens. For instance, it is possible to

define the following two rules:

AN(config)#sdns proximity 210.52.24.0 255.255.255.0 dallas

AN(config)#sdns proximity 210.52.0.0 255.255.0.0 south

Where, “dallas” and “south” are two sites. This means that if an address is in

210.52.24/24, it is considered in “dallas”. If it is in 210.52.0.0/16but not in 210.52.24/24,

it is considered in “south”. By default, we use a longest match to determine the best

match rule. If the best matching rule cannot be determined by a longest match, “priority”

will be used. Here the matching rule with the highest priority will be chosen.

clear sdns proximity

186

This command is used to clear all the proximity rules.

show sdns proximity [all]

Chapter 12 Global Server Load Balancing

This command is used to display all proximity rules. If the optional parameter “all” is

typed, all the manual and IP region created rules are displayed. And these ones preceded

with a sharp “#” are rules created by IP region.

sdns ipregion proximity {site|region} [priority]

This command is used to define an SDNS proximity rule for specified IP region. If the

source IP address of a DNS request hits any entry in the specified IP region, it will be

considered as in the specified SDNS site/region.

ipregion_name The name of IP region.

site|region The name of site/region defined in SDNS.

priority This parameter is optional. It is used to set the proximity

priority of the SDNS site/region, and the default value is

65534.

show sdns ipregion proximity

This command is used to display all SDNS proximity rules for IP regions.

no sdns ipregion proximity

This command is used to remove SDNS proximity rules for a specified IP region.

ipregion_name The name of IP region.

clear sdns ipregion proximity

This command is used to clear all SDNS proximity rules for IP regions.

SDNS Overflow Chain

[no] sdns overflow chain

This command allows users to create an overflow chain. TCP connection based on

overflow algorithm requires an overflow chain that defines how a member/site handles

any overflow traffic. An overflow chain is a list of members. This command creates an

empty chain. Use the command “no sdns overflow member” to remove members from

the chain.

sdns overflow member

187

Chapter 12 Global Server Load Balancing

This command is used to add a member into a specified overflow chain.

no sdns overflow member

This command is used to remove the specified member from the overflow chain specified

by the “chain_name” parameter.

show sdns overflow [chain_name]

This command is used to show the contents of the specified overflow chain. If no chain

name is specified, the APV appliance will display all overflow chains.

sdns persistent timeout

The command is used to set SDNS persistent timeout (in seconds). The default timeout

time is 3600 seconds.

no sdns persistent

The command is used to restore SDNS persistent timeout to its default value 3600

seconds.

SDNS Region

sdns region location [region_weight]

This command allows users to create an SDNS region specified by the “region name”

parameter. The “weight” parameter is optional and its default value is 0. When a DNS

resolving reaches a region (by proximity), the comparisons of the weights will be done. If

the weight of this region’s parent region is higher, the pool which the parent region is

corresponding to will return an IP address. It is no need to compare the weight of this

region with the weight of its child region. The maximum sum of the configurable regions

and sites is 64.

sdns region division {region|site_name}

This command is used to add a specified site or region into the region specified by

“region_name”.

no sdns region division {region|site_name}

This command is used to remove a specified region or site from an SDNS region.

no sdns region location

This command allows users to remove an SDNS region.

clear sdns region location

188

This command allows users to remove all SDNS regions.

show sdns region [region_name]

Chapter 12 Global Server Load Balancing

This command is used to display all the SDNS regions’ information, including name, ID,

bandwidth limit, weight, its parent region and child region.

clear sdns secondary

The command is used to reset all SDNS configurations except the member settings.

SDNS Bandwidth

sdns bandwidth {region|site|member|vip|host}

{region|site|member|host_name|ip address}

[region|site]

This command allows users to define the maximum bandwidth and the statistical mode of

a region, site, member, VIP or host.

The following modes are for member, site, region or VIP bandwidth:

Mode Meaning

Inout bandwidth=inbound + outbound

In bandwidth=inbound

Out bandwidth=outbound

Maxinout bandwidth=max (outbound, inbound)

Halfinout bandwidth= (outbound + inbound)/2

inbound

outbound

member

outbound

The following modes are for host based bandwidth management:

inbound

Mode Meaning

Request and response bandwidth=client req + client rsp + server req + server rsp

Request bandwidth=client req + server req

Response bandwidth=client rsp + server rsp

189

Client request

Chapter 12 Global Server Load Balancing

Client APV Server

Client response

Different numbers stand for the different modes:

Server request

Server response

� For member/site/region/VIP: 1–inout; 2–in; 3–out; 4–maxinout; 5–halfinout;

� For host: 6–request and response; 7–request; 8–response.

no sdns bandwidth {region|site|member|vip|host}

{region|site|member|host_name|ip address} {region|site_name}

This command is used to delete the maximum bandwidth of a region, site, VIP or host.

clear sdns bandwidth

This command is used to remove all the bandwidth settings.

show sdns bandwidth [region|site|member|vip|host]

[region|site|member|host_name|ip_address]

This command is used to display the region/site/member/ip/host bandwidth information.

If the “region|site|member|vip|host” parameter is null, display all the bandwidth

information.

SDNS Alias

sdns alias

This command is used to set an alias name of a domain name for SDNS bandwidth.

alias_name The assigned alias name of a domain name, and it must be

in the “www.xyz.com” format.

host_name Specify the domain name in the “www.xyz.com” format.

no sdns alias

This command allows users to delete an alias name of the specified domain name.

clear sdns alias

This command is used to remove all the SDNS aliases.

190

show sdns alias [alias_name]

Chapter 12 Global Server Load Balancing

This command is used to display the host information of the specified alias name. If no

alias is specified, display the host information of all aliases.

SDNS Pool

sdns pool method {region|site}

[pool_type]

This command allows users to create an SDNS pool for the specified region or site for the

domain name. The pool’s name is the same as the region or site name.

host_name The domain name.

pool_method It can be Round Robin (rr), Weighted Round Robin(wrr),

IP Overflow(ipo), Hash IP (hi), Persistent IP (pi) or Simple

Network Management Protocol (snmp).

number_of_vips The number of returned VIPs number when using method

to choose VIPs from the pool.

pool_type It can be A or CNAME type.

sdns pool rule {region|site}

This command is used to create an SDNS rule for a region/site. A rule should be

associated with a pool, or region/site. Through the rule, a domain name and a pool can be

associated together.

pool_method It can be Round Robin (rr), Weighted Round Robin (wrr),

IP Overflow (ipo), Hash IP (hi), Persistent IP (pi) or Simple

Network Management Protocol (snmp).

number_of_vips The number of returned VIPs number when using method

to choose VIPs from the pool.

sdns pool snmp {region|site} {asc|des} [weight1]

[snmp_service2] [weight2] [snmp_service3] [weight3]

This command is used to configure the SNMP services for a pool with “snmp” method.

asc|des Ascending mode or descending mode.

191

Chapter 12 Global Server Load Balancing

If users select only one service, users need not set the weight for the service. SDNS will

resolve a host name to the related IP address which has the maximum value of the SNMP

service for the “des” mode, or the minimum value for the “asc” mode.

When users select more than one SNMP service, they need to set the weight for each

SNMP service.

no sdns pool snmp

The command is used to remove specific SNMP configurations from an SDNS pool.

sdns pool ip {host|rule_name} [weight]

This command allows users to add a VIP into a pool specified by the “pool_name”

parameter under the specified host or rule. Before adding a VIP to a pool, the pool should

be defined firstly by using the “sdns pool method” command.

host|rule_name The domain name or the rule name which the pool is

corresponding to.

pool_name The region or site name which matches the pool.

vip The IP address needed to be added into the pool. A pool

can only have up to 32 VIPs.

weight Optional, and is used when the pool method is Weighted

Round Robin. The default setting is 1.

sdns persistence timeout

This command is used to set the timeout value for the “pi” pool method. The default

timeout value is 60 minutes.

no sdns pool ip {host|rule_name}

This command is used to delete a VIP from the specified pool under a host or a rule.

no sdns pool method

This command allows users to delete the specified pool under a host.

no sdns pool rule

This command is used to remove a rule from the specified pool.

show sdns pool {host|rule_name}

This command is used to display SDNS host/rule and pool information.

192

show sdns pool_ip

This command is used to display IP information about SDNS pools.

show sdns snmp group [group_name]

The command is used to display SDNS SNMP groups.

show sdns snmp interval

Chapter 12 Global Server Load Balancing

The command is used to display SDNS data collection interval by SNMP in seconds.

show sdns snmp ip

This command is used to display the SNMP configuration information about the VIPs in

the address pool.

no sdns snmp ip

The command is used to remove a host’s SNMP configuration.

clear sdns snmp ip

This command is used to clear the SNMP configuration information about the VIPs in the

address pool.

sdns host rule

This command allows users to associate the specified rule with the specified host.

no sdns host rule

This command is used to delete the relationship between an SDNS host and a rule.

clear sdns pool {host|rule_name}

This command allows users to remove the pool under a host/rule.

show sdns rule

This command is used to display all the rules and related host names and pools.

sdns pool ipo preempt {on|off}

This command is used to turn on/off the SDNS pool ipo preemption for the pool using

“ipo” method. If it is set to on, the VIPs with the highest priority in the pool will be

selected; otherwise, the last selected VIPs in the pool will be chosen until they all don’t

work anymore, no matter whether there are healthy VIPs with higher priorities or not.

193

Chapter 12 Global Server Load Balancing

sdns pool ipo reset [desired_priority]

This command is used to manually preempt when SDNS pool ipo preemption is off. The

“desired priority” parameter is optional, and it defaults to 0. If the “desired_priority”

parameter is specified, the healthy VIPs with the desired priority in the pool using “ipo”

method will be selected by using this command. If no healthy VIP with the desired

priority in the pool is available, the healthy VIPs with the highest priority in the pool will

be selected. If the “desired_priority” parameter is not specified, the healthy VIPs with the

highest priority in the pool will be selected.

sdns snmp group service

This command allows users to create an SDNS SNMP service group. The command

should be configured on HTTP proxy cache servers.

no sdns snmp group service

The command is used to remove an SDNS SNMP group.

sdns snmp group member

This command is used to add an SNMP service into an SNMP group. This command

should be configured on HTTP proxy cache servers. Users can decide what SNMP

information should be collected by configuring different SNMP services. The SNMP

services include 6 types:

Service Type Meaning

cpu CPU usage

mem Memory usage

totalconn Total concurrent connections

newconn New connections

throughput Throughput

user User-defined SNMP service

no sdns snmp group member

The command is used to remove an SDNS SNMP group member.

sdns snmp ip [snmp_port]

This command allows users to set the SNMP configurations for a host. This command

should be configured on HTTP proxy cache servers.

snmp_community Specify the SNMP community, which is required for secure

information exchange.

snmp_port Specify the port number used by SNMP. Optional, and

defaults to 161.

194

sdns snmp interval

Chapter 12 Global Server Load Balancing

This command is used to set the SDNS data collection interval by SNMP. This command

should be configured on HTTP proxy cache servers. The interval time defaults to 300

seconds. Its minimum value is 30 seconds.

sdns snmp version [v1|v2c]

This command is used to set the version of the SNMP protocol used for data collection.

The SNMP version v1 and v2c are supported. By default, the version v2c is used.

SDNS IANA

sdns iana import {http|ftp}

This command is used to get an IANA file from the address in HTTP/FTP format.

show sdns iana

By using this command, when you enter an IP address, the corresponding country name

will be returned.

SDNS Host

sdns host method [chain_name]

This command allows users to assign a load balance algorithm to an SDNS host. The

current methods include grr (Global Round Robin), vwgrr (VIP-based Global Weighted

Round Robin), gco (Global Connection Overflow) and glc (Global Least Connection),

proximity, ipo (IP Overflow) and region. Note: If the method is “gco”, the administrator

is required to supply an overflow chain. Otherwise, the “chain name” parameter should

not be specified. SDNS host method is defaulted to grr.

sdns host ttl

This command is used to set the host’s TTL (Time to Live) value on an SDNS server

instead of the value received from an SDNS HTTP proxy APV. The parameter “host

name” is required to be in the format of “www.xyz.com”. The “TTL” value should be in

seconds (0 second means no cache).

show sdns ttl [host_name]

This command is used to display the host’s TTL settings. If a host name is specified, the

TTL about this host will be displayed. If no host name is specified, the TTL settings about

all existing hosts will be displayed.

no sdns host ttl

195

Chapter 12 Global Server Load Balancing

This command is used to delete the specified host’s TTL setting on an SDNS server.

clear sdns ttl

This command is used to clear all the hosts’ TTL settings in an SDNS server.

no sdns host method

This command is used to reset the method for the specified host to its default method grr.

show sdns host [host_name]

This command is used to display the specified SDNS host information, including name,

method, TTL, the number of up VIPs, the number of down VIPs, and total traffic. If the

“host_name” parameter is null, display all the hosts’ information.

SDNS Backup

sdns backup ip

This command is used to add a backup IP address for a host’s DNS resolving. The backup

IP address is used for DNS resolving when and only when all the other IP addresses are

not available.

host_name The domain name to be resolved.

ip The backup IP address used for DNS resolving.

show sdns backup ip [host_name]

This command is used to display all the backup IP addresses for a host. If no host is

specified, all the backup IP addresses of all the hosts will be displayed.

host_name Optional and specify the domain name to be resolved.

no sdns backup ip

This command is used to remove a backup IP address for a host’s DNS resolving:

host_name The domain name to be resolved.

ip The backup IP address used for DNS resolving.

clear sdns backup ip [host_name]

196

Chapter 12 Global Server Load Balancing

This command is used to remove all the backup IP addresses for a host. If no host is

specified, all the backup IP addresses of all the hosts will be removed.

host_name Optional and specify the domain name to be resolved.

SDNS Full DNS

sdns cname

This command is used to set a new CNAME RR (Resource Record) for a host. The

“host_name” and the “alias” parameters should be in the format of “www.xyz.com”.

sdns pool cname

This command is used to add a CNAME RR of a host to a pool.

no sdns cname

This command is used to delete a CNAME RR for a host.

no sdns pool cname

This command is used to remove a CNAME RR of a host from the pool defined by the

“pool_name” parameter.

clear sdns cname

This command is used to remove all SDNS hosts’ CNAME RR.

show sdns cname [domain_name]

This command is used to display all SDNS hosts’ CNAME RR information.

sdns ipv6

This command is used to add a new IPv6 RR (Resource Record) for a domain name. The

“host_name” parameter is configured in the format of “www.xyz.com”. The

“ipv6_address” parameter should be configured in the format of “ff:fe::0”.

show sdns ipv6

The command is used to display all SDNS hosts’ IPv6 information.

no sdns ipv6

The command is used to delete an IPv6 RR from specified host.

clear sdns ipv6 [host_name]

197

Chapter 12 Global Server Load Balancing

This command is used to clear the SDNS host’s IPv6 RRs. If a host name is specified, the

IPv6 RRs about this host will be cleared. If no host name is specified, the IPv6 RRs about

all existing hosts will be cleared.

sdns pool ipv6

This command is used to add an IPv6 address into SDNS pools. The “ipv6_address”

parameter should be configured in the format of “ff:fe::0”.

no sdns pool ipv6

The command is used to remove an IPv6 address from a specified pool.

sdns recursion {on|off}

This command allows users to turn on/off the SDNS recursive query function.

SDNS DPS (Dynamic Proximity System)

� SDNS DPS Server

sdns dps {on|off}

This command is used to turn on or off the SDNS dynamic proximity function.

sdns dps master {on|off}

This command is used to start or stop an SDNS DPS master, to get and send a list of local

DNS addresses to DPS detectors. The “port” parameter specifies the master broadcast

port number, which is optional and defaults to 55456.

sdns dps interval send

This command is used to set the interval of sending a list of local DNS IP addresses.

sdns dps interval query

This command is used to set the interval of an SDNS dynamic proximity query.

show sdns dps interval {send|query}

This command is used to display the SDNS dynamic proximity send or query interval.

sdns dps history

This command is used to set the time span (in seconds) of history data that a detector

detects. The “interval” parameter defaults to 9000 seconds.

show sdns dps history

198

Chapter 12 Global Server Load Balancing

The command is used to display the time span of the the detected SDNS dynamic

proximity history data.

sdns dps member

This command is used to add a DPS server into the DPS member list, so that DPS

detectors can allow or forbid query connections according to the DPS member list. It only

can be applied on the DPS master.

Note: If the member has many interface and many IPs (multiple links), they should

all be added into the DPS master’s member list.

show sdns dps member

The command is used to display SDNS dynamic proximity member information.

no sdns dps member

The command is used to remove an SDNS dynamic proximity member.

clear sdns dps member

The command is used to remove all the SDNS dynamic proximity members.

sdns dps detector [port] [detect_interval]

This command is used to configure/add one SDNS DPS detector, one IP to one site only.

The site must have been already defined in SDNS configuration. The “port” parameter

specifies the detector’s port number, which is optional and defaults to 44544. The

“detect_interval” parameter allows users to set the time interval (in seconds) of detecting

local DNS servers. It defaults to 900.

show sdns dps detector

This command is used to display all the SDNS DPS detectors information, including IP

address, port, interval and location site.

no sdns dps detector

This command is used to remove the specified DPS detector.

clear sdns dps detector

This command is used to clear all the SDNS DPS detectors.

sdns dps method [weight_of_rtt] [weight_of_plr] [weight_of_hops]

This command is used to set the dynamic proximity method of SDNS DPS server. Four

methods are supported: RTT, PLR, HOPS and MIX. The default method is RTT. If you

199

Chapter 12 Global Server Load Balancing

choose the MIX method, the “weight_of_rtt”, “weight_of_pl” and “weight_of_hops”

parameters need be set optionally, which range from 0 to 9. The default weight of the

RTT, PLR or HOPS method is 1.

Dynamic Proximity Method Description

RTT

If the method is set to be RTT, the DPS detector will detect the

round trip time.

PLR

If the method is set to be PLR, the DPS detector will detect the

packet loss rate.

If the method is set to be HOPS, the DPS detector will detect

HOPS

the number of the hops between local DNS and the proximity

site.

MIX

If the method is set to be MIX, the DPS detector will detect a

mixed value (weight *rtt+weight*plr+weight*hops).

show sdns dps method

This command is used to display the SDNS DPS method information.

show sdns dps status

This command is used to display the SDNS DPS status information.

For example:

APV1(config)#show sdns dps status

SDNS DPS service is running.

SDNS DPS Master service is running.

DPS detector status:

10.3.17.19 beijing DOWN

172.16.63.204 chengdu DOWN

Note: “FORBID” status means the DPS detector is up, but member’s IP address is

not in DPS master’s member list. “CONNECTING” status means the TCP

connection has been established, but the queried data has not been returned.

show sdns dps proximity ip [source ip]

This command is used to sort all dynamic proximity rules by IP addresses. The “source

ip” parameter is optional. If it is specified, the corresponding dynamic proximity rule will

be displayed.

show sdns dps proximity site [site_name]

This command is used to sort all dynamic proximity rules by sites. The “site_name”

parameter is optional. If it is specified, the dynamic proximity rule pointing to the site

will be displayed.

clear sdns dps history

200

Chapter 12 Global Server Load Balancing

This command is used to remove the dynamic history data and dynamic proximity rules.

sdns dps dump

This command is used to dump the dynamic history data into proximity rules.

sdns dps write proximity file

This command is used to save all SDNS dynamic proximity rules load onto local storage.

file_name The user assigned name for the file which saves the

configurations.

sdns dps write proximity scp {remote_server_ip|name}

This command is used to store all SDNS dynamic proximity rules to the remote server.

The IP address (in quotation marks) or the name of the server, the user’s name for the

remote machine being accessed (a password prompt for the remote machine will appear),

the remote file path and the remote file name need to be supplied.

sdns dps write proximity tftp

This command is used to save all SDNS dynamic proximity rules to the specified remote

TFTP server.

ip The IP address of the remote TFTP server.

file_name The user’s assigned name for the file which saves

configurations.

show sdns dps localdns [ip_address]

This command is used to display the following information for local DNS addresses:

� IP address: The IP address of a local DNS.

� Default Region: The region which corresponds to the default proximity rule (static

rule with priority 0) that the local DNS hits.

� Best Site: The site which corresponds to the dynamic proximity rule that the local

DNS hits.

� RTT: Round-trip time in millisecond.

� RLR: Packet loss rate, in %.

� Hops: The number of the hops between local DNS and the proximity site.

Example:

201

Chapter 12 Global Server Load Balancing

APV(config)#show sdns dps localdns

LocalDNS Default Region Best Site RTT(ms) PLR(%%) Hops

132.236.56.250 N/A beijing 338 0 24

125.46.11.250 N/A beijing 42 0 19

123.2.6.250 N/A shanghai 553 0 22

121.1.3.250 china beijing 170 0 19

152.1.1.248 N/A shanghai 349 0 29

134.214.100.245 N/A beijing 733 0 23

130.207.7.245 N/A shanghai 297 0 21

125.70.254.244 world beijing 40 0 13

130.237.72.238 N/A shanghai 535 0 20

130.206.5.234 N/A shanghai 570 0 31

123.108.255.233 N/A beijing 234 0 21

sdns dps expire

This command is used to set SDNS DPS expire count. The value of the “count”

parameter ranges from 0 to 255. 0 means no expiration.

show sdns dps expire

The command is used to display the count of SDNS dynamic proximity expirations.

� SDNS DPS Detector

sdns dps localdetector [detect_port]

[dps_port] [detect_timeout]

This command is used to start a local SDNS DPS detector daemon on an APV appliance.

detector_name The name of the detector daemon which will be started.

ip IP address, and 0.0.0.0 means listening on all addresses.

interface Interface name, and “all” means selecting all available

interfaces automatically.

detect_port Listen port for local DNS detecting packets. It ranges from

1025 to 65535, and defaults to 53455.

dps_port Listen port for communicating with SDNS DPS. It ranges

from 1025 to 65535, and defaults to 44544.

detect_timeout Timeout for detecting local DNS in seconds. The default

value is 30 seconds.

no sdns dps localdetector

202

Chapter 12 Global Server Load Balancing

The command allows users to terminate a specified local SDNS DPS detector daemon on

an APV appliance.

clear sdns dps localdetector

This command is used to terminate all the local SDNS DPS detector daemons on an APV

appliance.

show sdns dps localdetector

This command is used to display configurations and status of all the local SDNS DPS

detector daemons on an APV appliance.

show sdns dps all

The command is used to display all the SDNS dynamic proximity configurations.

clear sdns dps all

The command is used to remove all the SDNS dynamic proximity configurations.

SDNS Statistics

sdns statistics on all

This command is used to enable SDNS statistics function.

sdns statistics off all

This command is used to disable SDNS statistics function.

sdns statistics on localdns

This command allows users to turn on local DNS statistics of SDNS. To run this

command requires executing the “sdns statistics on all” command first.

sdns statistics off localdns

This command allows users to turn off local DNS statistics of SDNS.

show statistics sdns localdns all

This command is used to display the statistics of all local DNS that have accessed the

SDNS.

show statistics sdns localdns ip

This command is used to display the statistics of the specified local DNS that has

accessed the SDNS.

203

local_dns_ip The IP address of the local DNS.

show statistics sdns localdns host

Chapter 12 Global Server Load Balancing

This command is used to display the local DNS statistics information per host.

show statistics sdns localdns summary

This command is used to display the statistics summary of the local DNS which has

accessed the SDNS.

show statistics sdns vip all

This command is used to display all the SDNS virtual IP statistics information.

show statistics sdns vip status {up|down}

This command is used to display SDNS virtual IP statistics information according to the

status. The status is either up or down.

show statistics sdns vip ip

This command is used to display SDNS virtual IP statistics per IP.

show statistics sdns host [host_name]

This command is used to display the SDNS host’s statistics information.

host_name Specify the host name. If no host name is specified, the

statistics information of all SDNS hosts will be displayed.

show statistics sdns query all

This command is used to display all the SDNS query statistics information.

show statistics sdns query host [host_name]

This new command is used to display the SDNS query statistics information per domain

host.

host_name Optional. Specify the name of the domain host. If no host

name is specified, the SDNS query statistics for all hosts

will be displayed.

Example:

204

Chapter 12 Global Server Load Balancing

AN(config)#show statistics sdns query host

Host Requests Success Failed Lastminhits Lasthourhits Peakminhits Peakhourhits

www.a.com 23 23 0 0 0 12 20

www.b.com 0 0 0 0 0 0 0

www.c.com 0 0 0 0 0 0 0

www.d.com 0 0 0 0 0 0 0

www.e.com 18 18 0 0 0 14 18

clear statistics sdns host

This command is used to remove SDNS host statistics information.

clear statistics sdns localdns

This command is used to remove the statistics information of the local DNS that has

accessed the SDNS.

clear statistics sdns query

This command is used to remove SDNS query statistics information.

clear statistics sdns vip

This command is used to remove SDNS virtual IP statistics information.

205

Chapter 13 Logging

log {on|off}

Chapter 13 Logging

This command is used to enable or disable the system logging function. It defaults to off.

log http {squid|common|combined|welf} [vip|novip] [host|nohost]

This command is used to record HTTP access log messages during proxy.

squid|common

|combined|welf

Specify the format in which HTTP access information is to

be logged. It can be set to one of the standard formats:

squid, welf, common or combined. To set a custom format,

the “log http custom” command should be used.

vip|novip If it is set to “vip”, the VIP (virtual IP) on which the

request is received is logged. When “novip” is used, the

VIP is not logged. The default value for this parameter is

“novip”.

host|nohost If it is set to “host”, the host in the request is logged. When

it is set to “nohost”, the host is not logged. The default

value for this parameter is “nohost”.

To start logging the information of HTTP access, the format of log message is set to squid,

not recording vip and host information.

Example:

AN(config)#log http squid novip nohost

log http custom

This command is used to customize the format, in which HTTP access information is to

be logged. The format must be enclosed in double quotes. The custom format can be

formed using the symbols listed below. Any character in the format string that is not part

of the symbols listed below is copied as is to the log message. So, if required, additional

text can be included in the format string.

Symbols and their meanings:

Symbol Meaning

%a Cache result

%b Bytes returned by proxy to client

%c Client IP address

%d Date stamp

%e HTTP MIME type information

206

Symbol Meaning

%f “PROXY_LOG”, tag can be used to distinguish with other logs.

%g Time stamp (military format)

%h Host name as pulled from client host

%i User-agent

%m HTTP method

%n Full date/time stamp[MM/DD/YYYY:HH:MM:SS +/-0000]

%k Session cookies

%p Proxy IP address, VIP

%q A single double quote

%r HTTP return status code

%s Real Server IP address

%t Unix time stamp

%u Request URL

%v Protocol version

%w Referer

%U Full URL

%R Elapsed time, time-taken

%T Time format compatible with W3C (GMT)

%o Port of virtual service

%N Full date/time stamp [DD/MMM/YYYY:HH:MM:SS +/-0000]

%D SSL session ID

%P Real Server port

Chapter 13 Logging

To start logging HTTP access information, users may customize the format. The

following command sets the format to “%c%d%g%k”, which lets the log system record

the information of client IP address, date stamp, time stamp and session cookies.

AN(config)#log http custom “%c %d %g %k”

no log http

This command is used to disable the HTTP access logging function. By default, HTTP

access logging is enabled.

show log config

This command is used to display the current logging configuration.

clear log config

This command is used to return the logging configuration to default settings.

show log buff {forward|backward} [match_str]

This command is used to display the last 500 logged messages, stored in a buffer, in the

order of either first received (forward) or last received (backward).

Example:

207

AN(config)#show log buff backward

clear log buff

This command is used to clear the log buffer.

log facility

Chapter 13 Logging

This command is used to set the desired log facility to use. The supported facilities are

LOCAL0 to LOCAL7. By default, the facility is set to LOCAL0.

Example:

AN(config)#log facility LOCAL1

log host [port] [udp|tcp] [host_id]

This command is used to set the remote host that is running Syslog, to which the log

messages will be sent.

host_ip The address for the remote host in dotted IP format.

port The remote port. Optional, and defaults to 514.

udp|tcp The protocol to be used, UDP or TCP, which is set to “udp”

by default.

host_id Optional; an identifier to a syslog server. It ranges from 0

to 65535, and defaults to 0. All logs will be sent to the

syslog servers whose host_id is 0 without any filtering. The

host ID of multiple syslog servers can be set to 0

simultaneously

Note: Make certain that the assigned logging host is prepared to receive syslog

messages. Log server is configured through configuring syslogd in the APV

appliance.

AN(config)#log host 10.3.53.3 (Set the remote log host to 10.3.53.3 at udp 514 port.)

AN(config)#log host 10.3.53.3 555 (Set the remote log host to 10.3.53.3 at udp 555 port.)

AN(config)#log host 10.3.53.3 44 tcp (Set the remote log host to 10.3.53.3 at tcp 44 port.)

log source port

This command is used to set the source port from which all log messages should be sent

by the APV appliance. The default value is 514, which is the syslog port.

Example:

208

AN(config)#log source port 555

log level

Chapter 13 Logging

This command is used to set the log level at which the system will either process

messages or ignore them. The valid values for the log level are emerg, alert, crit, err,

warning, notice, info, and debug. Once a level is set, messages below that level will be

ignored. To let all information of debug and those whose level is higher than the level

debug recorded by the log system, configure the following command:

AN(config)#log level debug

log alert [data|count]

This command is used to configure the APV appliance to send an email to the specified

email address, whenever a log message with the specified string “expression” in it is

generated.

id Identify the log alert rule.

interval Specify the interval of sending two consecutive emails, in

minutes. The interval can be any number from 0 to 10000.

When the interval is set to 0, an email is sent the moment a

matching log entry is generated.

data|count By default, the matching log messages are sent as data in

the email. “count” means sending just the count of

matching log messages in the mail.

The configured log alerts can be viewed using the “show log config” command. To

resolve the email address, your name server (DNS) should be set by using the “ip

nameserver” command on the APV appliance.

For example, to set id 1 log alert to send mail to “xyz@arraynetworks.com.cn” whenever

the log message includes the string “sdns” every 1 minutes, you can execute the

following command.

AN(config)#log alert 1 "sdns" "xyz@arraynetworks.com.cn" 1 "data"

Finished with the above setting, the following mail will be received in mailbox.

From: AN

To: Alert Log System Operator(s)

Subject: Log Alert ID: 1 - sdns

MIME-Version: 1.0

Apr 25 21:05:01 CLI: cmd “log alert 2 “sdns” “xyz@arraynetworks.com.cn”

0 “data””

Apr 25 21:05:11 CLI: cmd “sdns on”

209

Apr 25 21:05:12 CLI: cmd “sdns off”

log option logid {on|off}

Chapter 13 Logging

This command is used to enable and disable the function that the log ID is added to log

messages including APV appliance log buffer and log messages that will be sent to log

servers.

log option levelinfor {on|off}

This command is used to enable and disable the function that the level information is

added to the logs that will be sent to log servers.

no log host [port] [protocol]

This command is used to remove the remote host that is running syslog, where the log

messages will be sent. The “protocol” parameter is optional and is set to “udp” by default.

no log alert

This command is used to delete a log alert specified by the “id” parameter.

show log alert

This command is used to show all log alerts configurations.

clear log alert

This command is used to clear all log alerts configurations.

log test

This command is used to generate a test log message at the level “emerg”.

log timestamp {on|off}

This command is used to turn on/off appending timestamp to the log.

log filter

This command is used to create a log filter for a specified syslog host. “host_id” is the ID

set by the "log host", and should be an integer greater than 0. The value of “filter_id' is in

the range from 1 to 3. “filter_string” can’t be empty. The filter string is case insensitive.

no log filter [filter_id]

This command is used to clear the defined log filters.

210

Chapter 13 Logging

filter_id Optional; it is set to 0 by default. If it is set to 0, all filters

set on this host will be cleared.

211

Chapter 14 Link Aggregation

The link aggregation configuration commands are designed for the users to set the vital

parameters to use this new functionality.

bond name

This command allows users to assign a name to the specified bond interface. The APV

appliance supports at most 6 bond interfaces.

bond_id Default bond interface ID (bond1, bond2, bond3, bond4,

bond5 and bond6) for the bond interfaces on the APV

appliance.

bond_name A network interface name specified by an alphanumeric

string; its default values are respectively bond1, bond2,

bond3, bond4, bond5 and bond6.

bond interface [1|0]

This command allows users to add a system interface to the specified bond interface. At

most 12 system interfaces can be added to a bond interface.

The parameter “1|0” can be used to set the interface as one of the primary (1) or backup

(0) interfaces in the bond. Multiple primary or backup interfaces can be set in the bond.

When all the primary interfaces in the bond fail, the backup interfaces will take the place

of primary interfaces to work.

bond_name A network interface name specified by an alphanumeric

string; its default values are bond1, bond2, bond3 and

bond4.

interface_name A network interface name specified by an alphanumeric

names. The interface can be set by using the command

“interface name”.

1|0 1: Sets the interface as one of the primary interfaces in the

bond. By default, 1 applies.

0: Sets the interface as one of the backup interfaces in the

bond.

no bond interface

This command allows users to remove the system interface from the bond interface.

212

show bond [bond_name]

Chapter 14 Link Aggregation

This command is used to display all current system bond interfaces’ information. If the

bond interface name is specified, the command will only show the specified interface’s

information.

clear bond [bond_name]

This command is used to reset the bond interface’s configurations to default. If no bond

interface name is specified, all the bond interfaces’ configurations are removed.

213

Chapter 15 Quality of Service (QoS)

QoS Queue

qos interface [direction] [bandwidth]

This command allows users to configure the QoS feature on the specified interface.

interface_name Specify the name of the QoS interface. It may be system

interface, VLAN interface or bond interface. Note: The

QoS interface does not support MNET interface.

direction IN or OUT, which specifies the input or output direction

respectively. The default value is OUT.

bandwidth The maximum bit rate allowed for all queues on the

specified interface. The suffix can be b, KB, MB, or GB.

The default value is 1 GB.

no qos interface [direction]

This command allows users to delete the QoS configuration on the specified interface.

The “direction” parameter is optional, which specifies to delete the QoS configuration on

the IN or OUT direction of the specified interface.

show qos interface [interface_name] [direction]

This command allows users to view configurations of QoS interfaces.

direction Optional. If specified, the QoS statistics of this interface

will be displayed.

direction Optional. Specify to display the QoS statistics on the IN or

OUT direction.

qos enable [direction]

This command allows users to enable QoS feature on the specified interface. The

“direction” parameter is optional, which specifies to enable QoS feature on the IN or

OUT direction of the specified interface.

qos disable [direction]

This command allows users to disable QoS feature on the specified interface. The

“direction” parameter is optional, which specifies to disable QoS feature on the IN or

OUT direction of the specified interface.

214

Chapter 15 Quality of Service (QoS)

qos queue root [direction] [bandwidth]

[priority] [borrow] [default]

This command allows users to create a QoS root queue on the specified interface.

queue_name An assigned name, in the form of a character string, to the

queue. Note: If the assigned name begins with a numeric

character, then the string needs to be framed in double

quotes.

interface_name Specify the name of QoS interface. It may be system

interface, VLAN interface or bond interface.

direction IN or OUT. Optional and the default value is OUT.

bandwidth Specify the maximum bit rate to be processed by the

queue. Optional and the default value is 1 GB.

priority Optional. The range is from 0 to 7, with 7 being the highest

and 0 being the lowest. The default value is 1.

borrow It can be BORROW or UNBORROW, to configure

whether the specified queue can borrow bandwidth from

the parent or not. Optional, and the default value is

UNBORROW.

default Specify a queue to be the default queue. The packets not

matched by other queues are assigned to this one. Only one

default queue is required. Optional, and the default value is

NONDEFAULT

no qos queue root

This command allows users to delete a QoS root queue.

show qos queue root [queue_name]

This command allows users to view configurations of all QoS root queues. The

“queue_name” parameter is optional, which specifies to display the configuration of the

specified QoS root queue.

qos queue sub [bandwidth] [priority] [borrow]

[default]

This command allows users to create a QoS sub queue for a root queue on the specified

interface.

215

Chapter 15 Quality of Service (QoS)

queue_name An assigned name, in the form of a character string, to the

sub queue. Note: If the assigned name begins with a

numeric character, then the string needs to be framed in

double quotes.

parent_queue The parent queue of the sub queue being configured. It

may be a root queue or a sub queue (sub-queues can also

have their sub-queues).

bandwidth Specify the maximum bit rate to be processed by the sub

queue. Optional, and the default value is 1GB.

priority Optional. The range is from 0 to 7, with 7 being the highest

and 0 being the lowest. The default value is 1.

borrow It can be BORROW or UNBORROW, to configure

whether the specified sub queue can borrow bandwidth

from the parent or not. Optional, and the default value is

UNBORROW.

default Specify the sub queue to be the default sub queue. The

packets not matched by other sub queues are assigned to

this one. Only one default sub queue is required. Optional,

and the default value is NONDEFAULT.

no qos queue sub

This command allows users to delete a QoS sub queue.

show qos queue sub [queue_name]

This command allows users to view configurations of all QoS sub queues. If

“queue_name” is supplied, this command will display configurations of the specified

QoS sub queue.

show qos queue all

This command allows users to view all configurations of all QoS queues (including root

queues and sub queues).

clear qos interface [direction]

This command allows users to clear configurations of the specified QoS interface. The

“direction” parameter is optional, which specifies to clear configuration on the IN or

OUT direction of the specified interface.

216

QoS Filter Rule

Chapter 15 Quality of Service (QoS)

qos filter < src_addr>

[priority]

This command allows users to configure a QoS filter to classify packets into a scheduling

class. A filter specified determines any statically-defined packet classification rules.

filter_name Specify a name to the filter for statistics.

queue_name Specify the name of the queue to which matching packets

are directed. Note: If the assigned name begins with a

numeric character, then the string needs to be framed in

double quotes.

src_addr Dotted IP notation for the source subnet (e.g. 10.2.41.0).

0.0.0.0 is a full wildcard.

smask Dotted IP notation for the mask of the source IP address

(e.g. 255.255.255.0). 0.0.0.0 is a full wildcard.

sport Source port. 0 is a wildcard. Effective only when the

protocol is “tcp” or “udp”.

dst_addr See “src_addr” above.

dmask See “smask” above.

dport See “sport” above.

proto Protocol type (TCP, UDP or any).

priority Optional. Priority of the filter (1-255), which defaults to 1.

“255” is the highest priority and “0” is the lowest.

Here,

� “fltr_name” is a unique string; it is useful to display the statistic information of QoS.

� “queue_name” is used to establish certain logic between a Scheduler and the filter

(Classifier).

� “dst_addr” and “src_addr” are dotted-decimal addresses of the destination and the

source respectively, and each has a netmask.

� “dport” and “sport” are the port number of the destination and the source

respectively.

� “proto” is a protocol type defined for IP packets.

217

Chapter 15 Quality of Service (QoS)

� “priority” is a number from 1 to 255. If two filters are satisfied with the mbuf, then

the filter with higher priority will be used; if the priority of them is the same,

round-robin method is used.

When the filter value (dst_addr, dmask, dport, src_addr, smask, sport, proto) 0 or 0.0.0.0

is used, it is taken as a wildcard.

no qos filter

This command allows users to delete an L4 QoS filter rule.

show qos filter [fltr_name]

This command allows users to view configurations of all QoS filter rules. If “fltr_name”

is supplied, the configuration of the specified QoS filter rule will be displayed.

Other QoS Commands

show qos all

This command allows users to view all QoS configurations.

clear qos all

This command allows users to clear all QoS configurations.

show statistics qos [interface_name] [direction]

This command allows users to view QoS statistics.

interface_name Optional. If specified, the QoS statistics of this interface

will be displayed.

direction Optional. Specify to display the QoS statistics on the IN or

OUT direction.

clear statistics qos [interface_name] [direction]

This command allows users to clear QoS statistics.

interface_name Optional. If specified, the QoS statistics of this interface

will be displayed.

direction Optional. Specify to display the QoS statistics on the IN or

OUT direction.

218

Chapter 16 Administrative Tools

Configuration Management Commands

admin aaa {on|off}

Chapter 16 Administrative Tools

This command is used to enable or disable the external authentication feature.

admin aaa method [radius|tac_x]

This command is used to configure the external authentication method. Users can choose

RADIUS or TACACAS server. The parameter defaults to “RADIUS”.

admin aaa server {es01|es02}

This command is used to configure an external authentication server. The first parameter

is used to specify the server ID. You can choose “es01” or “es02”. A second

authentication will be tried on the server es02 if it is failed on server es01. The

parameters “hostname_ip”, “port” and “secret” are used to configure the detailed

information of the server.

Example:

AN(config)#admin aaa server es01 “10.1.31.1” 1812 radiusceret

AN(config)#admin aaa server es02 radius_host 1812 radiusceret

no admin aaa server {es01|es02}

This command is used to remove an external authentication server configuration.

clear admin aaa all

This command is used to clear all external authentication configurations.

show admin aaa all

This command is used to displays all “admin aaa” configurations.

passwd enable [password_string]

This command allows users to set or change the enable password that allows access to the

Enable and Config modes for the appliance. A password string may be up to 8 characters

in length. Once users enter this command, the appliance will prompt users for password

and confirmation. The password should be enclosed in double quotes. The

“password_string” parameter is optional and the default value is empty, which means no

password. To set the password to empty, just press “Enter” on your keyboard when the

CLI prompts for an enable mode password.

219

user [enable|config]

Chapter 16 Administrative Tools

This command allows administrators to create new users, or change the password and

access privilege of existing users. If the input user name does not exist, the system will

create the new user account. If the user name already exists, administrators can change

the password and access privilege of this user.

user_name Set the user name. The assigned user name can be up to 16

alphanumeric characters.

Special characters like “,\t:+&#%$^()!@~*?"=|\\/\” are

not allowed for the “user_name” parameter. “$” is just

allowed as the final character of the user name.

password Set the login password of the user. The password can be up

to 80 alphanumeric characters. If the password string

begins with a numeric character or includes any keystroke

symbol, such as “!” or “$”, the entire password must be

enclosed within double quotes.

enable|config This is an optional parameter, it is used to set the user’s

access privilege to be “enable” or “config”. The default

value is “config”.

passwd user

� enable: Users assigned with this access privilege are

only allowed to run the commands of Enable mode,

and cannot access the Config mode.

� config: Users with this access privilege are allowed to

run all commands on the APV appliance to make

changes to any part of the appliance configurations.

This command allows users to change the password associated with an established user.

By employing this command, a prompt for the new assigned password will appear.

show users

This command allows system administrators to view users with authorization for access

to the APV appliance along with the encrypted password assigned to each user.

no user

This command is used to remove a user from the list of authorized users.

clear users

220

Chapter 16 Administrative Tools

This command is used to remove all users from the list of authorized users.

system license [validate|novalidate]

This command allows users to enter a license key for the APV appliance. Without a valid

license key, the ArrayOS will not auto reload configuration and ArrayOS will not run

properly.

validate The default option. After the user enters the license key and

executes this command to import the key, the system will

first validate the key. If validating succeeded, the system

will import the license key and also save it.

novalidate With this option used, The system will import the license

key and save it, without any validation.

system reboot

This command is used to reboot the APV appliance. The last saved (by using the

command “write memory”) system configuration will be used to configure the APV

appliance.

system shutdown

This command is used to halt all functions of the APV appliance and disable the CLI. A

manual reboot of the APV appliance will be necessary to reinstate CLI control.

system dump

This command is used to turn on/off system dump function when the system is panic.

When the system is panic and it is on, the system running information will be stored in

the file system for future use.

show system dump

This command is used to display the status of system dump function.

system console reset

This command is used to reset the system console. After executing this command, “Reset

console” will prompt in the screen.

config terminal [force]

This command allows users to gain access to the commands required to configure the

APV appliance. Deploying the optional parameter will force any existing Config sessions

to end.

221

config timeout

Chapter 16 Administrative Tools

This command allows users to set the “timeout” limit as to when a configuration session

will be terminated by another configuration session after the specified period of inactivity.

The timeout value is measured in seconds, ranging from 30 to 36000 (1 hour). The

default setting is 180 seconds (3 minutes). If there are no other sessions trying to enter the

Config mode, the current session will stay active.

show config timeout

This command allows users to view the configured timeout setting.

clear config timeout

This command allows users to clear the configured timeout setting, thus returning it to the

default setting of 180 seconds (3 minutes).

statmon on

This command allows users to start statmon daemon process. The statmon process is

responsible for monitoring the system running status. The process collects and saves the

status information about system running, network traffic and SDNS running at fixed

intervals, and then displays the information in graphs on the WebUI. If the process is

already running, the following message will be printed: Statmon is already running!

statmon off

This command allows users to stop statmon daemon process. The statmon process is

responsible for monitoring the system running status. The process collects and saves the

status information about system running, network traffic and SDNS running at fixed

intervals, and then displays the information in graphs on the WebUI. If the process is

already stopped, the following message will be printed: Statmon is not running!

statmon purge

This command is used to purge statistics unused for some time already. The time is

specified by the parameter “number_of_days_unused”.

statmon clear

This command is used to clear the existing statistics information for graphs, including the

statistics table (item list), recorded in the file “/ca/etc/statmon.idx” and the statistics data,

recorded in the file “/var/crash/statmon/*.rrd”.

show statmon status

This command is used to display the current statmon daemon status.

write file

222

Chapter 16 Administrative Tools

This command is used to save the current running configurations to a backup file on the

local storage.

file_name The user’s assigned name for the file where the

configurations are saved.

write memory

This command allows users to save the current configuration to the file and assigns it to

the boot configuration data.

show memory

This command allows users to display the memory critical information relating to the

APV appliance.

Example:

The following lines describe system connection resource usage:

ITEM SIZE LIMIT USED FREE REQUESTS

TCP small pcb: 64, 20000, 426, 19574, 4490795

TCP pcb: 288, 20000, 1, 19999, 5219107

Each connection owns a “pcb” data structure. There are two kinds of “pcb” data structure;

“small pcb” where size is 64 bytes is for TCP connections in “TIME_WAIT” state. “pcb”

for all the other TCP connections has bigger size: 288 bytes. The “LIMIT” column tells

the total number of data structure items. “USED” refers the number of items in use. The

“Free” indicates left items that may be used. The “REQUEST” is the accumulation of

total usages and is always incremented.

TCP connection is valuable system resource. When it is used up, new customer requests

can’t be served. The number of total TCP connections is decided by system memory size

as follows:

� 4GB: 2M (2064352) connections

� 1GB: 512K (516088) connections

� 512MB: 40000 connections

� 256MB: 20000 connections

config file

This command allows users to change the config from terminal, or restore a config from

local storage or file on network devices by simply supplying the saved file’s name.

config memory

223

Chapter 16 Administrative Tools

This command allows users to restore the configuration from the last “write memory”

operation.

config net tftp

This command allows users to load configuration data stored on a TFTP server. The IP

address (in quotation marks) or the name of the TFTP server and the remote file name

need to be supplied.

config net scp {remote_server_ip|name}

This command allows users to load configuration data stored on an SCP server. The IP

address (in quotation marks) or the name of the SCP server, the user’s name for the

remote machine being accessed (a password prompt for the remote machine will appear)

and the remote file path need to be supplied.

config net http

This command allows users to download a configuration file from a Web server. The

“http_url” parameter is used to specify the URL address of the configuration file. For

example, if you want to download the file “array.conf” from the Web server

“www.xyz.com”, the “http_url” parameter should be “http://www.xyz.com/array.conf”.

write net tftp [file_name]

This command is used to store the current configuration to the specified remote TFTP

server.

ip_tftp The IP address of the TFTP server.

file_name The name of the remote file in which the configuration data

is saved. It is optional, and defaults to “ca.cfg”.

write net scp {remote_server_ip|name}

This command is used to store the current configuration to the remote SCP server. The IP

address (in quotation marks) or the name of the server, the user’s name for the remote

machine being accessed (a password prompt for the remote machine will appear) and the

remote file path need to be supplied.

no config

The command is used to allow users to remove a user-defined configuration from a

previously saved file.

show config file [file_name] [regex]

224

Chapter 16 Administrative Tools

This command is used to display a list of all saved configuration files. If the “file_name”

parameter is supplied, the output will reflect the information about the specified config

file.

clear config file

This command is used remove all user-defined configuration files.

system fallback

This command allows users to boot the APV appliance from the other root version on the

next reboot.

no system fallback

This command is used to disable the system fallback functionality.

clear config secondary

This command allow users to restore all the settings on the APV appliance except the

“primary” settings (restored by the command “clear config primary”), including settings

about NAT, FWD, SNMP, log, domain server, proxy server, etc.

clear config primary

This command allow users to restore the basic network settings to the default value,

including settings about IP address, cluster, access list, group, WebUI, Enable level

password, “array” user password, etc. At the same time, all the users in the system except

the “array” user will be removed.

This command cannot be executed if there are other configurations based on these basic

network settings. In this situation, please execute the command “clear config secondary”

first to delete the related configurations, and then execute the command “clear config

primary” again.

clear config all

This command allows users to restore all settings on the APV appliance.

clear config factorydefault

This command is used to reset the APV appliance box to factory default settings.

Different from the existing command “clear config all”, this command will clean

imported SSL key files so that previous user configuration influence will be totally

removed.

show running [pattern]

225

Chapter 16 Administrative Tools

This command is used to display the current configuration of your APV appliance and all

active function settings for the current configuration of the APV appliance. The optional

parameter “pattern” calls for a string for the APV appliance to search for. For example

“show running tcp” will display all file lines with the string TCP.

show startup [pattern]

This command allows users to view previously saved configuration by using the

command “write memory”. The optional parameter “pattern” calls for a string for the

APV appliance to search for. For example “show running tcp” will display all file lines

with the string TCP.

show version

This command is used to display the system specific data such as host name, Array

Networks software version, system CPU, available memory and total memory, latest

booting time, licensed features, and system up time.

Example:

AN(config)#show version

ArrayOS Rel.TM.8.2.0.4 build on Fri Jun 10 12:18:09 2011

Host name : AN

System CPU : Intel(R) Pentium(R) CPU G6950 @ 2.80GHz

System Module : X8SIE-LN4

System RAM : 3918812 kbytes.

System boot time : Fri Jun 24 11:33:28 GMT (+0000) 2011

Current time : Fri Jun 24 11:44:09 GMT (+0000) 2011

System up time : 12 mins,

Platform Bld Date : Thu Jun 23 11:36:44 UTC 2011

SSL HW : HW ( 1X8D ) Initialized

Compression HW : No HW Available

Power supply : 1U, AC

Network Interface : 8 x Gigabit Ethernet copper

Model : Array APV 1600

Serial Number : 0437A3345200010001544134427220

Licensed Features : WebWall Clustering L4SLB L7SLB Caching

SSL tProxy SwCompression LLB GSLB QoS

MultiLang DynRoute FFO IPv6

License Key : 83e89607-d5635173-88bdf7e6-952e5116-05b301c0-00000000-0495d8

ab-99999999

Array Networks Customer Support

Telephone : 877-992-7729 (877-MY-ARRAY)

Email : support@arraynetworks.net

Update : please contact support for instructions

Website : http://www.arraynetworks.net

Other Root Version

226

Rel.TM.8.2.0.3 build on Fri May 20 18:16:09 2011

show tech

Chapter 16 Administrative Tools

This command is used to display real-time statistics of the current running system and

network.

monitor

This command allows users to monitor a command string executed every few seconds so

that a variance can be observed. This is an interactive command and the user will be

prompted for additional information.

webui {on|off}

This command allows users to enable or disable the Web User Interface.

webui language

This command is used to set the WebUI login language.

login_language It can be en (English), cn (Simplified Chinese) and jp

(Japanese).

show webui

This command is used to display the WebUI port and login language information.

webui ip

This command is used to allow users to set the WebUI IP address. After executing the

command, the APV appliance will only accept the connections at the specific IP address.

Note: WebUI may not work if the WebUI IP address is not an interface IP address.

clear webui ip

This command is used to delete the WebUI IP address. After executing the command, the

APV appliance will accept the connections at any IP address.

webui port

This command allows users to set the port that the APV appliance will accept Web User

Interface commands from the Web. The port must be designated within the range of 1024

to 65000. The default port is 8888.

clear webui port

This command is used to reset the WebUI port to the default port 8888.

227

xmlrpc {on|off} [https|http]

Chapter 16 Administrative Tools

This command allows users to enable the XML-RPC function, which allows

administrators to gain access to the APV appliance and configure the ArrayOS from

remote locations. The optional field “https|http” allows the APV appliance to post HTTPS.

This optional parameter defaults to “https”.

xmlrpc port

This command allows users to set the designated port for the XML-RPC to listen on. The

“port” parameter ranges from 1025 to 65000. The default port is 9999.

show xmlrpc

This command is used to display the current state of the XML-RPC function as well as

the designated port assigned.

clear xmlrpc

This command is used to reset the XML-RPC port designation to the default value of port

9999.

system shutdown

This command is used to halt all functions of the APV appliance and disable the CLI. A

manual reboot of the APV appliance will be necessary to reinstate CLI control. Users

should wait five to ten seconds after employing this command before terminating power

to the appliance.

system update

This command allows users to import a new software version directly from Array

Networks. Once the user employs this command, using a URL supplied by Array

Networks, the APV appliance will import the updated material and reboot the system. All

specific configuration parameters will also be imported from the most recently saved file.

Example:

AN(config)#system update http://192.168.10.10/Rel_8_2_0_4.click

This will upgrade your system from http://192.168.10.10/Rel_8_2_0_4.click

Power outages or other systems failures may corrupt the system.

It is highly recommended that you save your configuration on an

external system prior to upgrading or downgrading.

Any configuration changes that have not been "saved" will be lost.

After a successful patch the system will be rebooted.

Array Networks, Inc.

Type "YES" to confirm upgrade: YES

228

Caution:

Chapter 16 Administrative Tools

1. If executing this command via an SSH connection and if the connection is lost

during update procedure, the APV appliance will not be able to complete the update

process.

2. Do not disconnect the connections to the APV appliance during the system

updating process.

ssh {on|off}

This command allows users to enable or disable SSH access to the APV appliance.

ssh regenerate keys

This command is used to regenerate host keys for SSH server in ArrayOS. After this

command is executed, the SSH server will use the newly generated keys as its host key.

SSH clients must be updated with the new public keys of the SSH server to connect with

the server.

[no] pager

This command is used to allow users to set the number of lines for a page display. Any

value between 0 and 255 may be entered. If users enter zero for the value, the APV

appliance will display the number of lines configured within the current window.

show pager

This command is used to display the configured number of lines for a page display.

system component update

This command allows users to update the components on APV appliances from an HTTP

or FTP URL.

system component revert

This command allows users to revert the last component update operation.

Configuration Synchronization Commands

The Configuration Synchronization feature of the APV appliance allows administrators to

transfer configuration information among APV appliances within the same network.

Synconfig commands are executed via SSH, therefore SSH must be enabled.

[show|no|clear] synconfig peer

229

Chapter 16 Administrative Tools

This command is used to define a peer within the network. The parameter “name” is a

quoted string that specifies the peer’s name (not necessarily DNS name) and “ip”

specifies the peer’s system IP address, which is NOT interface dependent.

The “no” version of this command is used to remove a specific peer entry. The “clear”

version is used to clear all peer settings. The “show” version is used to show the details

for all peer nodes currently configured.

synconfig to

This command is used to manually synchronize the user node to the peer specified by

“name” immediately. If “name” is “all”, all the nodes defined via the “synconfig peer”

command will be synchronized. The nodes will receive the running configuration from

the current APV appliance. Prior to applying the new configuration, the “clear config

secondary” is applied to the receiving node(s). This will remove all the existing

configurations except for the IP related settings that are preserved. The related IP settings

unaffected include system IP addresses, IP route, host name, MNET, VLAN, WebWall,

accesslist, accessgroup, LLB and WebUI IP address. At the end of the synchronization,

the running configuration for the newly synchronized node is written to the disk as the

current configuration. This preserves the configuration across reboots.

synconfig from

This command allows users to synchronize the “current configuration” from the peer

specified by “name” to this node; the peer name must be first defined by the command

“synconfig peer”. The newly synchronized configuration is NOT saved on disk unlike

“synconfig to”. The user should save the running configuration to disk by using the

“write memory” command.

synconfig rollback local

This command is used to revert the last synchronization executed on the local node from

the peer specified by “name”. The previous synchronization may have been invoked

using the “synconfig” command on the local node or “synconfig to” from the peer

specified by “name”. The operation only affects the local node.

synconfig rollback peer

This command is used to revert the last synchronization executed on the peer specified by

“name” from the local node. The previous synchronization would have been invoked

when the user applied the “synconfig to” command on the other node. The operation

affects the specified node other than the user’s node. If “name” is “all”, all the nodes

previously defined via the “synconfig peer” command will be affected.

show synconfig status from [peer_ip]

This command is used to display the results of synchronization from other peers to the

local node. The “peer_ip” parameter is optional, and should be input in quotes. If

230

Chapter 16 Administrative Tools

“peer_ip” is null, the command will show the list of peer nodes from which the local node

has been synchronized. The time, remote IP and status will be displayed.

show synconfig status history

This command is used to show the history of the last 50 synchronization events executed

on the local node. The time of the command, the peer and the command will be displayed.

If a command fails, the error of the command will be displayed on the next line.

show synconfig diff

This command is used to show the difference between the running configuration on the

local node and the saved configuration on the peer specified by “name”.

SDNS Configuration Synchronization Commands

The SDNS Configuration Synchronization feature of the APV appliance allows

administrators to synchronize SDNS configurations and BIND 9 zone files except SDNS

member configurations from an APV appliance to its peers.

synconfig sdns peer

This command allows users to define a peer for SDNS configuration synchronization.

SDNS configurations are synchronized from the local peer to a specified remote peer. The

“peer_name” parameter specifies the name of a peer. “peer_ip” is the IP address of the

peer.

synconfig sdns to

This command allows users to start SDNS synchronizing to the specified remote peer.

no synconfig sdns peer

This command allows users to remove the specified peer for SDNS configuration

synchronization.

show synconfig sdns peer

This command is used to display the IP address and name of the all the SDNS

synchronization peers.

clear synconf sdns peer

The command is used to delete all the SDNS synchronization peers.

231

SNMP Commands

Chapter 16 Administrative Tools

SNMP (Simple Network Management Protocol) is a widely used network monitoring and

control protocol. Data is passed from SNMP agents, which are hardware and/or software

processes reporting activity in each network device (hub, router, bridge, etc.) to the

workstation console used to oversee the network. The agents return information

contained in a MIB (Management Information Base), which is a data structure that

defines what is obtainable from the device and what can be controlled. The ArrayOS

currently supports the SNMP GET requests, but not SNMP SET requests.

snmp {on|off}

This command allows users to enable, or disable the SNMP feature.

snmp on [default|v3]

This command allows users to set the SNMP versions which are supported by the APV

appliance SNMP agent. “default” means that the SNMP agent supports three SNMP

versions: v1, v2 & v3. “v3” means that SNMP agent only supports SNMP version 3.

show snmp

This command allows users to display all the information concerning the SNMP

configuration.

Example:

AN(config)#show snmp

snmp community reindeer

snmp location server room 6

snmp contact admin@example.com

snmp host 10.2.21.1 rudolph

snmp enable traps

clear snmp

This command is used to reset the SNMP settings to default configurations.

snmp community

This command allows users to define the relationship between the NMS (Network

Management Station) and the SNMP agent. This string acts as a password to control or

limit access from the NMS to the SNMP agent. The string can be changed only when

SNMP agent is off. The string for this command may be 0 to 32 characters in length. The

default string is public.

232

Chapter 16 Administrative Tools

Note: For the sake of security, it is strongly recommended to modify the default

SNMP community string to avoid possible system information interception.

Example:

AN(config)#snmp community reindeer

no snmp community

This command is used to reset the community default to public.

snmp contact

This command allows users to establish a contact individual should system situations

require it. The “contact_name” parameter may be up to 128 characters in length enclosed

in quotes. Example:

AN(config)#snmp contact “admin@example.com”

no snmp contact

This command allows users to remove the designated contact information.

snmp location

This command allows users to configure the physical location of the APV appliance. The

“location” string may be up to 128 characters in length.

Example:

AN(config)#snmp location “server room 6”

no snmp location

This command is used to remove the previous location entered for the APV appliance.

snmp host [1|2|3] [user_name|community_name] [engine_id]

[auth_password] [authNopriv|authPriv] [priv_password]

This command allows users to set the SNMP host’s IP address, in standard dotted format,

and its corresponding user or community string for where traps should be sent.

host_ip Set the IP address for the SNMP host.

1|2|3 Set the SNMP trap version. The default setting is 1.

user_name|community_name Set the trap community string for SNMP v1 and v2,

and set the trap user for SNMP v3. The default is

233

“public”.

Chapter 16 Administrative Tools

engine_id Authoritative engine ID of remote SNMP trap receiver

for SNMP v3. It is a HEX string less than 32

characters.

auth_password Authentication password. It should be no less than 8

characters.

authNopriv|authPriv Specify the security authorization level. The default

setting is “authNopriv” which means no private

password needed.

priv_password Set the private password for data encryption used in

“authPriv” mode. Its length is not less than 8

characters.

no snmp host

This command is used to remove an SNMP host.

snmp enable traps

This command is used to enable the APV appliance to send generic and enterprise traps.

no snmp enable traps

This command is used to disable the SNMP traps.

snmp ipcontrol {on|off}

This command is used to enable or disable access control based on the source IP of an

SNMP client. The default setting is off. This is to control SNMP GET requests following

VACM.

snmp ippermit

This command is used to add a source NET into the permitted client list for SNMP GET

requests.

source_ip The host or network IP address in traditional dotted IP

format.

netmask The appropriately designated netmask.

no snmp ippermit

234

Chapter 16 Administrative Tools

This command is used to remove the specified source NET from the permitted client list.

snmp v3user [authNopriv|authPriv]

[priv_password]

This command is used to add one user into SNMP v3 user database for GET request

authentication. This is to control SNMP GET requests following USM.

user_name The assigned user name may be up to 16 alphanumeric

characters in length.

auth_password Authentication password. It should be not less than 8

characters.

authNopriv|authPriv Specify the security authorization level. The default setting

is “authNopriv”. A private password is needed in

“authPriv” mode, but not in “authNopriv” mode.

priv_password Set the private password for encryption in “authPriv”

mode. Its length is not less than 8 characters.

no snmp v3user

This command is used to remove a specified user from SNMP v3 user database in SNMP.

Troubleshooting Commands

ping {ip|hostname}

This command is used to generate a network connectivity echo request directed toward

the specified IP address or host name.

traceroute {ip|hostname}

This command allows users to trace the route information of a packet, or the request for

that packet travels. When the user supplies the IP address, or host name, the APV

appliance will display the devices and network locations used to process the request for

that IP address or host name.

nslookup {ip|hostname}

This command allows users to verify the IP address for the given host name or the reverse.

If you want to verify the host name for an IP address, please double quote the IP address.

The information that will be displayed by employing this command includes the server

from which the data is pulled as well as the host name or IP address.

support

235

Chapter 16 Administrative Tools

This command allows the “test” users to access the APV appliance from off site locations

via the assigned IP address and netmask.

show support

This command is used to display the configured IP address and netmask for remote

access to the APV appliance.

clear support

This command is used to remove the configured IP and netmask from the support

function.

Debug Commands

debug enable

This command is used to prepare to start collecting the debugging data. After the

command is executed, the APV appliance will first clean the files (sys_debug.tar.gz and

sys_core.tar.gz) the collected debugging data is written into, and then create a new file

(such as englog.20090810_154747) in /var/crash/sys_debug/debug directory to store

englog messages.

debug disable

This command is used to stop collecting the debugging data. After the command is

executed, the APV appliance will firstly generate a tar file (sys_debug.tar.gz) to store the

collected debug data, and then clean up the collected debug data in the system.

The following is the generated tar file, which only contains the debug information

collected from the moment of executing the command “debug enable” to the moment of

executing the command “debug disable”.

/var/crash/sys_debug.tar.gz

tcpdump

ssldump

debug.tar.gz (including englog, pipe and loopback information)

debug corefile [core_files_number]

This command is used to set the number of the system core files to be collected. The

value of the number ranges from 0 to 10. The default value is 0, which means do not

collect any core file.

236

Chapter 16 Administrative Tools

Note: Administrators must first execute this command to set the number of core files

to be collected before executing the command “debug snapshot system” to collect

core files (sys_core.tar.gz and app_core.tar.gz). If the value of the number is not

specified, the system will not collect any core file.

debug snapshot system

This command is used to take a snapshot for the system activities and generate the

following four files to save the snapshot information by categories:

� sys_snap.tar.gz

� sys_log.tar.gz

� sys_core.tar.gz

� app_core.tar.gz

All these files will provide more comprehensive system running information for

administrators to do better debugging. Administrators can collect the desired files for the

system running information they need.

debug snapshot proxy [level]

This command is used to take a snapshot for the proxy activities. The output is written

into the englog file.

level Optional. It can be set to “1” or “3”. “1” means the least

data and “3” means the most data. It defaults to 3.

debug snapshot all [level]

This command is used to take a snapshot for proxy and system activities. The output is

written into the englog file.

level Optional. It can be set to “1” or “3”. “1” means the least

data and “3” means the most data. It defaults to 3.

show debug file

This command is used to display all the generated tarball files in the system, including

sys_snap.tar.gz, sys_log.tar.gz, sys_core.tar.gz, app_core.tar.gz, and sys_debug.tar.gz.

Example:

AN(config)#show debug file

File Size Time

sys_snap 774001 May 31 18:22:48 2010

237

sys_snap.0 775002 May 31 18:21:48 2010

sys_snap.1 785003 May 31 18:20:01 2010

sys_log 424000123 May 31 18:22:49 2010

sys_log.0 456231245 May 31 18:21:49 2010

sys_log.1 347234345 May 31 18:20:02 2010

sys_core 200000123 May 31 18:22:12 2010

app_core 142343446 May 31 18:22:12 2010

sys_debug 92000 May 31 18:22:22 2010

debug ftp [file_name]

Chapter 16 Administrative Tools

This command allows users to export the files (sys_snap.tar.gz, sys_log.tar.gz,

sys_core.tar.gz, app_core.tar.gz or sys_debug.tar.gz) storing the debugging data into the

specified remote FTP server. A time stamp will be inserted into the name of each exported

file to differentiate from other files on the FTP server.

user_name Specify the user name of the remote FTP server.

remote_ftp_ip Specify the IP address of the remote FTP server.

file_name Specify the name of the exported file on the FTP server,

without the suffix ".tar.gz". It defaults to "all", which

means exporting all the latest tarball files (sys_snap,

sys_log, sys_core, app_core and sys_debug) to the remote

FTP server.

debug scp {username@remote_scp_ip|host} [file_name]

This command allows users to export the files storing the debugging data into the

specified remote SCP server. A time stamp will be inserted into the name of each

exported file to differentiate from other files on the SCP server.

username@remote_scp_ip|host Specify the user name and the IP address or host

name of the remote SCP server.

file_name Specify the name of the exported file on the remote

SCP server, without the suffix ".tar.gz". It defaults to

"all", which means exporting all the latest tarball files

(sys_snap, sys_log, sys_core, app_core and

sys_debug) to the remote SCP server.

debug monitor {on|off}

This command allows users to turn on/off the monitor module. Once the monitor is on, it

will trace the status of the APV appliance and the status information will be logged into a

predefined file named monitor.out0.

238

debug monitor import ftp

Chapter 16 Administrative Tools

This command allows users to import a customized script from a remote server via ftp. In

the customized script, users can input the CLIs which can display the system information

they want, and then import the customized script, so that they can collect the debugging

information which they want. Please turn off “debug monitor” before executing this

command.

debug monitor import scp

This command allows users to import a customized script from a remote server via SCP.

On the customized script, users can input the CLIs which can display the system

information they want, and then import the customized script, so that they can collect the

debugging information which they want. Please turn off “debug monitor” before

executing this command.

username@remote_address:filepath It requires to be framed in double quotation

marks, such as “test@172.16.13.12:/home/test”.

debug monitor export ftp

This command allows users to export the monitor result file to a remote server via ftp.

Please turn off “debug monitor” before executing this command.

debug monitor export scp

This command allows users to export the monitor result file to a remote server via SCP.

Please turn off “debug monitor” before executing this command.

username@remote addres:filepath It requires to be framed in double quotation

marks, such as “test@172.16.13.12:/home/test”.

show debug monitor

This command is used to display the monitor configurations, including its status and the

customized scripts imported by the users.

debug trace ssl [encrypt|plain]

This command is used to trace the SSL activities. The output is written into the englog

file. When the parameter “encrypt|plain” is set to “encrypt”, the encrypted data in SSL

communication packets will be directly written into the englog file. If it is set to “plain”,

the encrypted data in SSL communication packets will be decrypted first and then be

written into a new generated file. The parameter defaults to “encrypt”.

debug trace live ssl [encrypt|plain]

239

Chapter 16 Administrative Tools

This command is used to trace the SSL activities live. The output is displayed on the

screen. When the parameter “encrypt|plain” is set to “encrypt”, the encrypted data in SSL

communication packets will be directly displayed on the screen. If it is set to “plain”, the

encrypted data in SSL communication packets will be decrypted first and then be

displayed on the screen. The parameter defaults to “encrypt”.

debug trace live tcp [tcpdump_argument]

This command is used to trace TCP activities live. The output is displayed on the screen.

tcpdump_argument The argument of TCPDUMP which is a packet analyzer. It

specifies what TCP activities live will be traced.

debug trace tcp all [tcpdump_argument]

This command is used to trace TCP activities on all the interfaces.

tcpdump_argument The argument of TCPDUMP which is a packet analyzer. It

specifies what TCP activities will be traced.

debug trace tcp loopback [tcpdump_argument]

This command is used to trace TCP activities on loopback interfaces. The output is

written into a new generated file (such as tcpdump_lo0.20090810_160302) in

/var/crash/sys_debug/debug directory.

tcpdump_argument The argument of TCPDUMP which is a packet analyzer. It

specifies what TCP activities will be traced.

debug trace tcp nic [tcpdump_argument]

This command is used to trace TCP activities on all the NICs. The output is written into a

new generated file (such as tcpdump_port1.20090810_160508) in

/var/crash/sys_debug/nic_trace directory.

tcpdump_argument The argument of TCPDUMP which is a packet analyzer. It

specifies what TCP activities will be traced.

debug trace tcp pipe0 [tcpdump_argument]

This command is used to trace the TCP activities on pipe0. The output is written into a

new generated file (such as tcpdump_pipe0.20090810_160410) in

/var/crash/sys_debug/debug directory.

240

Chapter 16 Administrative Tools

tcpdump_argument The argument of TCPDUMP which is a packet analyzer. It

specifies what TCP activities will be traced.

debug usage mbuf

This command is used to enable to track the usage of mbufs by the system. To stop the

trace, use command “no debug usage mbuf”. Users can then use “show debug usage

mbuf” to see the result as below:

AN#show debug usage mbuf

Mbuf usage Statistics

index: 1, app: 0x201993a8

Total mbufs: 2094848

Module Name no of mbufs (col 1) no of mbufs (col 2)

ID_0: 2094847 2094847

ID_1: 1 0

ID_21: 0 1

debug trace proxy

This command is used to trace the proxy activities. The output is written into the englog

file.

debug trace live proxy [src_ip] [src_port] [dst_ip] [dst_port] [and|or]

This command is used to trace the proxy activities live. The output is displayed on the

screen.

src_ip The source IP to be traced. It defaults to 0.0.0.0, which

means all source IP addresses will be traced live.

src_port The source port to be traced. It defaults to 0, which means

all source ports will be traced live.

dst_ip The destination IP to be traced. It defaults to 0.0.0.0, which

means all destination IP addresses will be traced live.

dst_port The destination port to be traced. It defaults to 0, which

means all destination ports will be traced live.

and|or The relationship between the configured parameters

(source ip, source port, destination ip, destination port).

"and" will match exact parameters (source ip, source port,

destination ip, destination port) and only show those that

match. "or" will show the output that matches any one of

the given parameters. The default value is "or".

241

Remote Access Commands

telnet “host port”

Chapter 16 Administrative Tools

This command is used to create a Telnet connection to a remote host. ArrayOS supports

all standard Telnet parameters under the Unix system. For details, please refer to the

technical documentation about Telnet command. This command can be used in Enable

mode.

host port Specify the IP address and the port of the remote host.

Note: The parameter(s) configured for this command must be double quoted. If you

need to set attributes for the parameters, you should enclose the parameters and the

attribute values with single quotes, and then with double quotes. For example, telnet

“‘192.168.1.24 -l admin’”.

Example:

AN#telnet “‘172.16.2.182 -4’”

Trying 172.16.2.182...

Connected to 172.16.2.182 -4.

Escape character is '^]'.

Trying SRA secure login:

User (root): array

Password:

[ SRA accepts you ].................succeed

ssh remote “user@hostname”

This command is used to create an SSH connection to a remote host. ArrayOS supports

all standard SSH parameters under the Unix system. For details, please refer to the

technical documentation about OpenSSH command. This command can be used in

Enable mode.

user@hostname Specify the user name and the name or IP address of the

remote host.

Note: The parameter(s) configured for this command must be double quoted. If you

need to set attributes for the parameters, you should enclose the parameters and the

attribute values with single quotes, and then with double quotes. For example, ssh

remote “‘192.168.1.24 –p 8888’”.

Example:

AN#ssh remote “root@172.16.85.240”

root@172.16.85.240's password:

242

Chapter 16 Administrative Tools

Linux libh-server1 2.6.32-22-generic #33-Ubuntu SMP Wed Apr 28 13:27:30 UTC 2010 i686

GNU/Linux

Welcome to Ylmf_OS!

* Information: http://www.ylmf.com/

0 packages can be updated.

0 updates are security updates.

Last login: Wed Apr 20 00:39:35 2011 from 10.3.46.1

root@libh-server1:~#

243

Chapter 17 Monitoring

Assigning Graph Items via the CLI

Chapter 17 Monitoring

Administrators may also establish custom graph items via the commands. To assign the

custom graph items through the CLI, you should change your access level to the Config

level at first by executing the command “config terminal”.

graph name

This command is used to add a new custom graph. The maximum length of the assigned

new graph name is 20 alphanumeric characters.

graph rename

This command is used to rename a custom graph. The maximum length of the assigned

new name is 20 alphanumeric characters.

graph settings displaymode {nostack|stack}

This command is used to set the display mode of the custom graph. You can set the

“nostack” mode or the “stack” mode. The default mode is “nostack”.

graph item [service]

[order] [legend_string]

This command is used to add an item to the specified graph.

graph_name Custom graph name that the administrator has defined.

module_name The graphed module. You can select one from the modules,

which include System, TCP, Compress, Proxy, SSL, LLB,

SLB Real, Ethernet, IP, UDP, ICMP, and SLB Virtual.

type It depends on the module that the administrator has chosen.

The following sheet “Default Legend String” shows the

relation between module, type and the default legend

string.

scale The scale of the graph. The range is from 1 to 1,000,000.

color You may set it for the particular “type” being configured. It

is recommended that the administrators set the different

colors to separate the types for ease of reading the

graphical output. Administrators can set one of the

following colors: red, green, blue, cyan, magenta, yellow,

purple, pink, lightpink, turquoise, and slateblue. The

244

default color is red.

Chapter 17 Monitoring

order The order of the legend. Administrator can choose a

number from 1 to 999.

legend_string Optional. The administrator can set it anyway or choose the

default setting. The default settings depend on the module

and type that the administrator has chosen. The default

legend strings are described in the following sheet.

Default Legend String

Module Name Type Legend String (default)

CPU Utilization System CPU Utilization (%)

System

TCP

System Memory Utilization System Memory Utilization (%)

Total Connections System Total Connections (/sec)

Total Requests System Total Requests (/sec)

LISTEN Connections TCP LISTEN Connections

SYN_SEND Connections TCP SYN_SENT Connections

SYN_RCVD Connections TCP SYN_RCVD Connections

ESTABLISHED Connections TCP ESTABLISHED Connections

CLOSE (CLOSE_WAIT+CLOSING+

LAST_ACK+FIN_WAIT_1+

FIN_WAIT_2) Connections

TCP CLOSE

(CLOSE_WAIT+CLOSING+

LAST_ACK+FIN_WAIT_1+FIN_WAIT

_2) Connections

TIME_WAIT_Connections TCP TIME_WAIT Connections

Total Connections TCP Total Connections

Active Opens TCP Active Opens (/sec)

Passive Opens TCP Passive Opens (/sec)

Retransmission Segments TCP Retransmission Segments (/sec)

Total Bytes In TCP Total Bytes In (bytes/sec)

Total Bytes Out TCP Total Bytes Out (bytes/sec)

Total Packets In TCP Total Packets In (/sec)

Total Packets Out TCP Total Packets Out (/sec)

Total Packets Dropped TCP Total Packets Dropped (/sec)

Bytes In TCP Outside Bytes In (bytes/sec)

Bytes Out TCP Outside Bytes Out (bytes/sec)

Packets In TCP Outside Packets In (/sec)

Packets Out TCP Outside Packets Out (/sec)

Packets Dropped TCP Outside Packets Dropped (/sec)

245

Chapter 17 Monitoring

Module Name Type Legend String (default)

Compression Ratio for Compressible Compression Compression Ratio for

Data

Compressible Data (%)

Compression Ratio for All Data

Compression Compression Ratio for All

Data (%)

Total Bytes In Compression Total Bytes In (bytes/sec)

Compression

Proxy

Total Bytes Out Compression Total Bytes Out (bytes/sec)

Compressible Bytes In

Compression Compressible Bytes In

(bytes/sec)

Compressible Bytes Out

Compression Compressible Bytes Out

(bytes/sec)

Non-compressible Bytes - Low Resources

Compression Non-compressible Bytes -

Low Resources (/sec)

Non-compressible Bytes - No

Compression Non-compressible Bytes -

Compression Client

No Compression Client (/sec)

Non-compressible Bytes - Document Compression Non-compressible Bytes -

Type

Document Type (/sec)

Non-compressible Bytes - Generated Compression Non-compressible Bytes -

Responses

Generated Responses (/sec)

Non-compressible Objects - Low Compression Non-compressible Objects -

Resources

Low Resources (/sec)

Non-compressible Objects - No

Compression Non-compressible Objects -

Compression Client

No Compression Client (/sec)

Non-compressible Objects - Document Compression Non-compressible Objects -

Type

Document Type (/sec)

Non-compressible Objects - Response Compression Non-compressible Objects -

Code

Response Code (/sec)

Client Established Connections Proxy Client Established Connections

Server Established Connections Proxy Server Established Connections

Cache Hit Ratio Proxy Cache Hit Ratio (%)

Cache Memory Utilization Proxy Cache Memory Utilization (%)

Client Established Connections per Proxy v1 Client Established Connections

Virtual

per Virtual

Cache Hit Ration per Virtual Proxy v1 Cache Hit Ratio per Virtual (%)

Total Requests Proxy Total Requests (/sec)

Total Redirect Responses Generated by Proxy Total Redirect Responses

Proxy

Generated by Proxy (/sec)

Cache Hit - Total Responses Send From Proxy Cache Hit - Total Responses Send

Cache

From Cache (/sec)

Cache Hit - Using Cache Proxy Cache Hit - Using Cache (/sec)

Cache Hit - Not Modified Proxy Cache Hit - Not Modified (/sec)

Cache Miss - Not Found Proxy Cache Miss - Not Found (/sec)

Cache Miss - Response Noncacheable

Proxy Cache Miss - Response

Noncacheable (/sec)

Cache Miss - Request Noncacheable

Proxy Cache Miss - Request

Noncacheable (/sec)

Cache Miss - Server Error Proxy Cache Miss - Server Error (/sec)

Cache Miss - Error Responses Proxy Cache Miss - Error Responses

246

Chapter 17 Monitoring

Module Name Type Legend String (default)

(/sec)

SSL

LLB

Response Code - 100 Proxy Response Code - 100 (/sec)

Response Code - Other 100 Proxy Response Code - Other 100 (/sec)

Response Code - 200 Proxy Response Code - 200 (/sec)

Response Code - 206 Proxy Response Code - 206 (/sec)

Response Code - Other 200 Proxy Response Code - Other 200 (/sec)

Response Code - 301 Proxy Response Code - 301 (/sec)

Response Code - 302 Proxy Response Code - 302 (/sec)

Response Code - 304 Proxy Response Code - 304 (/sec)

Response Code - Other 300 Proxy Response Code - Other 300 (/sec)

Response Code - 400 Proxy Response Code - 400 (/sec)

Response Code - 401 Proxy Response Code - 401 (/sec)

Response Code - 404 Proxy Response Code - 404 (/sec)

Response Code - Other 400 Proxy Response Code - Other 400 (/sec)

Response Code - 502 Proxy Response Code - 502 (/sec)

Response Code - 503 Proxy Response Code - 503 (/sec)

Response Code - Other 500 Proxy Response Code - Other 500 (/sec)

Response Code Invalid Proxy Response Code Invalid (/sec)

Total Requests per Virtual Proxy v1 Total Requests per Virtual (/sec)

Total Redirect Responses Generated by Proxy v1 Total Redirect Responses

Proxy per Virtual

Generated by Proxy per Virtual (/sec)

Cache Hit per Virtual - Using Cache

Proxy v1 Cache Hit per Virtual - Using

Cache (/sec)

Cache Hit per Virtual - Not Modified

Proxy v1 Cache Hit per Virtual - Not

Modified (/sec)

Cache Miss per Virtual - Not Found

Proxy v1 Cache Miss per Virtual - Not

Found (/sec)

Cache Miss per Virtual - Response Proxy v1 Cache Miss per Virtual -

Noncacheable

Response Noncacheable (/sec)

Cache Miss per Virtual - Request Proxy v1 Cache Miss per Virtual -

Noncacheable

Request Noncacheable (/sec)

Open Connections SSL Open Connections

Total Requested Connections SSL Total Requested Connections (/sec)

Total Accepted Connections SSL Total Accepted Connections (/sec)

Total Records Received SSL Total Records Received (/sec)

Total Records Sent SSL Total Records Sent (/sec)

Total Bytes Received SSL Total Bytes Received (/sec)

Total Bytes Sent SSL Total Bytes Sent (/sec)

Total Concurrent TCP Connections LLB Total Concurrent TCP Connections

Total Concurrent UDP Connections LLB Total Concurrent UDP Connections

Total Concurrent ICMP Connections LLB Total Concurrent ICMP Connections

247

Chapter 17 Monitoring

Module Name Type Legend String (default)

Total Inbound TCP Connections

LLB Total Inbound TCP Connections

(/sec)

Total Outbound TCP Connections

LLB Total Outbound TCP Connections

(/sec)

Total TCP Connections LLB Total TCP Connections (/sec)

SLB Real

Ethernet

IP

UDP

ICMP

Total UDP Connections LLB Total UDP Connections (/sec)

Total ICMP Connections LLB Total ICMP Connections (/sec)

Total Outstanding Requests SLB Real Total Outstanding Requests

Total Open Connections SLB Real Total Open Connections

Outstanding Requests SLB Real server5 Outstanding Requests

Open Connections SLB Real server5 Open Connections

Total Hits for all SLB Reals

SLB Real Total Hits for all SLB Reals

(/sec)

Total Hits SLB Real server5 Total Hits (/sec)

Successful Responses

SLB Real server5 Successful Responses

(/sec)

Total Frames In Ethernet Total Frames In (/sec)

Total Frames Out Ethernet Total Frames Out (/sec)

Total Bytes In Ethernet Total Bytes In (bytes/sec)

Total Bytes Out Ethernet Total Bytes Out (bytes/sec)

Frames In Ethernet Outside Frames In (/sec)

Frames Out Ethernet Outside Frames Out (/sec)

Bytes In Ethernet Outside Bytes In (bytes/sec)

Bytes Out Ethernet Outside Bytes Out (bytes/sec)

Total Packets Received IP Total Packets Received (/sec)

Total Packets Sent IP Total Packets Sent (/sec)

Total Bytes Received IP Total Bytes Received (bytes/sec)

Total Bytes Sent IP Total Bytes Sent (bytes/sec)

Total Bytes In UDP Total Bytes In (bytes/sec)

Total Bytes Out UDP Total Bytes Out (bytes/sec)

Total Packets In UDP Total Packets In (/sec)

Total Packets Out UDP Total Packets Out (/sec)

Total Packets Dropped UDP Total Packets Dropped (/sec)

Total Bytes In ICMP Total Bytes In (bytes/sec)

Total Bytes Out ICMP Total Bytes Out (bytes/sec)

Total Packets In ICMP Total Packets In (/sec)

Total Packets Out ICMP Total Packets Out (/sec)

Total Packets Dropped ICMP Total Packets Dropped (/sec)

SLB Virtual Total QoS URL Hits SLB Virtual Total QoS URL Hits (/sec)

248

Chapter 17 Monitoring

Module Name Type Legend String (default)

Total QoS Hostname Hits

SLB Virtual Total QoS Hostname Hits

(/sec)

Total Persistent Cookie Hits

SLB Virtual Total Persistent Cookie Hits

(/sec)

Total QoS Cookie Hits SLB Virtual Total QoS Cookie Hits (/sec)

Total Default Hits SLB Virtual Total Default Hits (/sec)

Total Persistent URL Hits

SLB Virtual Total Persistent URL Hits

(/sec)

Total Static Hits SLB Virtual Total Static Hits (/sec)

Total QoS Network Hits

SLB Virtual Total QoS Network Hits

(/sec)

Total Backup Hits SLB Virtual Total Backup Hits (/sec)

Total Cache Hits SLB Virtual Total Cache Hits (/sec)

Total Regex Hits SLB Virtual Total Regex Hits (/sec)

Total Rewrite Cookie Hits

SLB Virtual Total Rewrite Cookie Hits

(/sec)

Total Insert Cookie Hits

SLB Virtual Total Insert Cookie Hits

(/sec)

Total QoS Clientport Hits

SLB Virtual Total QoS Clientport Hits

(/sec)

Total Header Hits SLB Virtual Total Header Hits (/sec)

QoS URL Hits SLB Virtual v1 QoS URL Hits (/sec)

QoS Hostname Hits SLB Virtual v1 QoS Hostname Hits (/sec)

Persistent Cookie Hits

SLB Virtual v1 Persistent Cookie Hits

(/sec)

QoS Cookie Hits SLB Virtual v1 QoS Cookie Hits (/sec)

Default Hits SLB Virtual v1 Default Hits (/sec)

Persistent URL Hits SLB Virtual v1 Persistent URL Hits (/sec)

Static Hits SLB Virtual v1 Static Hits (/sec)

QoS Network Hits SLB Virtual v1 QoS Network Hits (/sec)

Backup Hits SLB Virtual v1 Backup Hits (/sec)

Cache Hits SLB Virtual v1 Cache Hits (/sec)

Regex Hits SLB Virtual v1 Regex Hits (/sec)

Rewrite Cookie Hits

SLB Virtual v1 Rewrite Cookie Hits

(/sec)

Insert Cookie Hits SLB Virtual v1 Insert Cookie Hits (/sec)

QoS Clientport Hits SLB Virtual v1 QoS Clientport Hits (/sec)

Header Hits SLB Virtual v1 Header Hits (/sec)

249

Appendix I SNMP OID List

SNMP OID List

1 .1.3.6.1.4.1.7564 This file defines the private CA SNMP MIB extensions.

2 .1.3.6.1.4.1.7564.4.1.0 Current system total available memory.

3 .1.3.6.1.4.1.7564.16.1.1.0 Current status of the reverse proxy cache - on or off.

4 .1.3.6.1.4.1.7564.16.1.2.0

Total number of requests received by the reverse proxy

cache.

5 .1.3.6.1.4.1.7564.16.1.3.0 Total GET requests received by the reverse proxy cache.

6 .1.3.6.1.4.1.7564.16.1.4.0

Total HEAD requests received by the reverse proxy

7 .1.3.6.1.4.1.7564.16.1.5.0

cache.

Total PURGE requests received by the reverse proxy

cache.

8 .1.3.6.1.4.1.7564.16.1.6.0 Total POST requests received by the reverse proxy cache.

9 .1.3.6.1.4.1.7564.16.1.7.0

Number of current client connections (e.g. from the

browsers).

10 .1.3.6.1.4.1.7564.16.1.8.0 Number of current backend server connections.

11 .1.3.6.1.4.1.7564.16.1.9.0 Requests redirected to HTTPS.

12 .1.3.6.1.4.1.7564.16.1.10.0 Requests redirected based on regex match.

13 .1.3.6.1.4.1.7564.16.1.11.0 Requests forwarded with rewritten url.

14 .1.3.6.1.4.1.7564.16.1.12.0 Locations rewritten to HTTPS.

15 .1.3.6.1.4.1.7564.16.1.13.0 Locations rewritten based on regex match.

16 .1.3.6.1.4.1.7564.16.1.14.0 Cache skip, cache off.

17 .1.3.6.1.4.1.7564.16.1.15.0

18 .1.3.6.1.4.1.7564.16.1.16.0

We found the requested URL in the cache. The object

was fresh and we did not have to revalidate. The object

was served from our cache.

We got an IMS header in the request. We validated the

timestamp and decided that the client's copy of this object

is fresh. So we generated a 304 response and sent it out to

the client.

19 .1.3.6.1.4.1.7564.16.1.17.0 Cache hit, reply with Precondition Failed.

20 .1.3.6.1.4.1.7564.16.1.18.0

21 .1.3.6.1.4.1.7564.16.1.19.0

The requested object was found in the cache. However,

the request required revalidation (due to client generated

revalidate, proxy generated revalidate or proxy generated

forced miss).

The request does not result in a cache table search.

Something in the request made us deem it non-cacheable

(e.g. very long URL, a 'Cache-Control: no-store' header

etc).

22 .1.3.6.1.4.1.7564.16.1.20.0

Count of times the cache table was searched, no matching

entry was found and a new entry was created. However,

note that sometimes, an entry is created temporarily (e.g.

for an IMS request resulting in a 304) and is deleted after

sending it out to the client (delayed delete).

23 .1.3.6.1.4.1.7564.16.1.21.0 Cache miss, create new entry, resp noncacheable.

24 .1.3.6.1.4.1.7564.16.1.22.0

Cache hit reply using cache + cache reply with 'not

25 .1.3.6.1.4.1.7564.18.1.1.0

modified'.

Current maximum possible number of entries in the

vrrpTable, which is 255 * (number of interfaces for which

a cluster is defined). 255 is the max number of VIPs in a

250

SNMP OID List

Appendix I SNMP OID List

cluster.

26 .1.3.6.1.4.1.7564.18.1.2.0 Current number of entries in the vrrpTable.

27 .1.3.6.1.4.1.7564.18.1.3 A table containing clustering configuration.

28 .1.3.6.1.4.1.7564.18.1.3.1

An entry in the vrrpTable. Each entry represents a cluster

VIP and not the cluster itself. If a cluster has n VIPs, then

there will be n entries for the cluster in the vrrpTable (0

SNMP OID List

Appendix I SNMP OID List

64 .1.3.6.1.4.1.7564.19.1.3.2.1.3 Name of the real service.

65 .1.3.6.1.4.1.7564.19.1.3.2.1.4 Metric used to balance real services within the group.

66 .1.3.6.1.4.1.7564.19.2.1.1 Real service statistics table.

67 .1.3.6.1.4.1.7564.19.2.1.1.1

An rsStatsTable entry containing the statistics of one real

service.

68 .1.3.6.1.4.1.7564.19.2.1.1.1.1 Reference index for each real service.

69 .1.3.6.1.4.1.7564.19.2.1.1.1.2 Name of the real service.

70 .1.3.6.1.4.1.7564.19.2.1.1.1.3 Real service IP address.

71 .1.3.6.1.4.1.7564.19.2.1.1.1.4 The port number of the real service.

72 .1.3.6.1.4.1.7564.19.2.1.1.1.5 Number of outstanding requests to the real service.

73 .1.3.6.1.4.1.7564.19.2.1.1.1.6 Number of open connections to the real service.

74 .1.3.6.1.4.1.7564.19.2.1.1.1.7 The total number of requests sent to the real service.

75 .1.3.6.1.4.1.7564.19.2.1.1.1.8 The health status (up or down) of the real service.

76 .1.3.6.1.4.1.7564.19.2.2.1 A statistics table for virtual service.

77 .1.3.6.1.4.1.7564.19.2.2.1.1

A vsStatsTable entry containing the statistics of one

virtual service.

78 .1.3.6.1.4.1.7564.19.2.2.1.1.1 Reference index for each virtual service.

79 .1.3.6.1.4.1.7564.19.2.2.1.1.2 Name of the virtual service.

80 .1.3.6.1.4.1.7564.19.2.2.1.1.3 IP address of the virtual service.

81 .1.3.6.1.4.1.7564.19.2.2.1.1.4 Port number of the virtual service.

82 .1.3.6.1.4.1.7564.19.2.2.1.1.5 Number of QoS URL policy hits for the virtual service.

83 .1.3.6.1.4.1.7564.19.2.2.1.1.6

Number of QoS Hostname policy hits for the virtual

service.

84 .1.3.6.1.4.1.7564.19.2.2.1.1.7

Number of Persistent Cookie policy hits for the virtual

service.

85 .1.3.6.1.4.1.7564.19.2.2.1.1.8 Number of QoS Cookie hits for the virtual service.

86 .1.3.6.1.4.1.7564.19.2.2.1.1.9 Number of Default policy hits for the virtual service.

87 .1.3.6.1.4.1.7564.19.2.2.1.1.10

Number of Persistent URL policy hits for the virtual

service.

88 .1.3.6.1.4.1.7564.19.2.2.1.1.11 Number of Static policy hits for the virtual service.

89 .1.3.6.1.4.1.7564.19.2.2.1.1.12

Number of QoS Network policy hits for the virtual

service.

90 .1.3.6.1.4.1.7564.19.2.2.1.1.13 Number of QoS URL policy hits for the virtual service.

91 .1.3.6.1.4.1.7564.19.2.2.1.1.14 Number of Backup policy hits for the virtual service.

92 .1.3.6.1.4.1.7564.19.2.2.1.1.15 Number of Cache hits for the virtual service.

93 .1.3.6.1.4.1.7564.19.2.2.1.1.16 Number of Regex policy hits for the virtual service.

94 .1.3.6.1.4.1.7564.19.2.2.1.1.17

Number of Rewrite Cookie policy hits for the virtual

95 .1.3.6.1.4.1.7564.19.2.2.1.1.18

service.

Number of Insert Cookie policy hits for the virtual

service.

96 .1.3.6.1.4.1.7564.19.2.3.1 A statistics table of the group.

97 .1.3.6.1.4.1.7564.19.2.3.1.1

A gpStatsTable entry containing the statistics of one

group.

98 .1.3.6.1.4.1.7564.19.2.3.1.1.1 Reference index for each group.

99 .1.3.6.1.4.1.7564.19.2.3.1.1.2 Name of the group.

100 .1.3.6.1.4.1.7564.19.2.3.1.1.3 Total hits for the group.

101 .1.3.6.1.4.1.7564.20.1.2.0 Number of vhosts currently configured.

102 .1.3.6.1.4.1.7564.20.2.1.0 Total number of open SSL connections (all vhosts).

103 .1.3.6.1.4.1.7564.20.2.2.0 Total number of accepted SSL connections (all vhosts).

104 .1.3.6.1.4.1.7564.20.2.3.0 Total number of requested SSL connections (all vhosts).

252

SNMP OID List

Appendix I SNMP OID List

105 .1.3.6.1.4.1.7564.20.2.4 SSL vhost statistics table.

106 .1.3.6.1.4.1.7564.20.2.4.1 sslTable entry for one vhost.

107 .1.3.6.1.4.1.7564.20.2.4.1.1 The SSL table index.

108 .1.3.6.1.4.1.7564.20.2.4.1.2 Name of the SSL vhost.

109 .1.3.6.1.4.1.7564.20.2.4.1.3 Open SSL connections for vhostName.

110 .1.3.6.1.4.1.7564.20.2.4.1.4 Number of accepted SSL connections for vhostName.

111 .1.3.6.1.4.1.7564.20.2.4.1.5 Number of requested SSL connections for vhostName.

112 .1.3.6.1.4.1.7564.20.2.4.1.6 Number of resumed SSL sessions for vhostName"

113 .1.3.6.1.4.1.7564.20.2.4.1.7 Number of resumable SSL sessions for vhostName.

114 .1.3.6.1.4.1.7564.20.2.4.1.8 Number of session misses for vhostName.

115 .1.3.6.1.4.1.7564.22.1.0 Status of VIP statistics gathering - on or off.

116 .1.3.6.1.4.1.7564.22.2.0

The hostname that the VIP is representing (hostname of

the appliance).

117 .1.3.6.1.4.1.7564.22.3.0 The current time in the format of MM/DD/YY HH:MM.

118 .1.3.6.1.4.1.7564.22.4.0 Total number of ip packets received on all VIPs.

119 .1.3.6.1.4.1.7564.22.5.0 Total number of ip packets sent out on all VIPs.

120 .1.3.6.1.4.1.7564.22.6.0 Total number of IP bytes received on all VIPs.

121 .1.3.6.1.4.1.7564.22.7.0 Total number of IP bytes sent out on all VIPs.

122 .1.3.6.1.4.1.7564.22.8 A table of VIP statistics.

123 .1.3.6.1.4.1.7564.22.8.1

An entry in the ipStatsTable which is created for each

VIP.

124 .1.3.6.1.4.1.7564.22.8.1.1 The VIP statistics table index.

125 .1.3.6.1.4.1.7564.22.8.1.2 The VIP address.

126 .1.3.6.1.4.1.7564.22.8.1.3 Total number of IP packets received on the VIP.

127 .1.3.6.1.4.1.7564.22.8.1.4 Total number of bytes received on the VIP.

128 .1.3.6.1.4.1.7564.22.8.1.5 Total number of packets sent out on the VIP.

129 .1.3.6.1.4.1.7564.22.8.1.6 Total number of bytes sent out on the VIP.

130 .1.3.6.1.4.1.7564.22.8.1.7 The time statistics gathering was enabled for the VIP.

131 .1.3.6.1.4.1.7564.23.1.0

The number of network interfaces presented on this

system.

132 .1.3.6.1.4.1.7564.23.2.0

The total accumulated number of octets received on all

the active interfaces (loopback is not included).

133 .1.3.6.1.4.1.7564.23.3.0

The total accumulated number of octets transmitted out

134 .1.3.6.1.4.1.7564.23.4

on all the active interfaces (loopback is not included).

A table of interface statistics. The number of entries is

given by the value of infNumber.

135 .1.3.6.1.4.1.7564.23.4.1 An infTable entry for one interface.

136 .1.3.6.1.4.1.7564.23.4.1.1

137 .1.3.6.1.4.1.7564.23.4.1.2 Name of the interface.

A unique value for each interface. Its value ranges

between 1 and the value of infNumber. The value for

each interface must remain constant at least from one

re-initialization of the entity's network management

system to the next re- initialization.

138 .1.3.6.1.4.1.7564.23.4.1.3

The current operational state of the interface (up or

down).

139 .1.3.6.1.4.1.7564.23.4.1.4 The interface's IP address.

140 .1.3.6.1.4.1.7564.23.4.1.5

The total number of octets received on the interface,

141 .1.3.6.1.4.1.7564.23.4.1.6

including framing characters.

The number of packets, delivered by this sub-layer to a

higher (sub-) layer, which were not addressed to a

253

142 .1.3.6.1.4.1.7564.23.4.1.7

143 .1.3.6.1.4.1.7564.23.4.1.8

144 .1.3.6.1.4.1.7564.23.4.1.9

145 .1.3.6.1.4.1.7564.23.4.1.10

146 .1.3.6.1.4.1.7564.23.4.1.11

147 .1.3.6.1.4.1.7564.23.4.1.12

148 .1.3.6.1.4.1.7564.23.4.1.13

149 .1.3.6.1.4.1.7564.23.4.1.14

150 .1.3.6.1.4.1.7564.24.1.1.0

151 .1.3.6.1.4.1.7564.24.1.2.0

SNMP OID List

Appendix I SNMP OID List

multicast or broadcast address at this sub-layer.

The number of packets, delivered by this sub-layer to a

higher (sub-) layer, which were addressed to a multicast

or broadcast address at this sub-layer.

The number of inbound packets which were chosen to be

discarded even though no errors had been detected to

prevent their being deliverable to a higher-layer protocol.

One possible reason for discarding such a packet could be

to free up buffer space.

For packet-oriented interfaces, the number of inbound

packets that contained errors preventing them from being

deliverable to a higher-layer protocol. For characteroriented

or fixed-length interfaces, the number of inbound

transmission units that contained errors preventing them

from being deliverable to a higher-layer protocol.

For packet-oriented interfaces, the number of packets

received via the interface which were discarded because

of an unknown or unsupported protocol. For

character-oriented or fixed-length interfaces that support

protocol multiplexing the number of transmission units

received via the interface which were discarded because

of an unknown or unsupported protocol. For any interface

that does not support protocol multiplexing, this counter

will always be 0.

The total number of octets transmitted out of the

interface, including framing characters.

The total number of packets that higher-level protocols

requested be transmitted, and which were not addressed

to a multicast or broadcast address at this sub-layer,

including those that were discarded or not sent.

The total number of packets that higher-level protocols

requested be transmitted, and which were addressed to a

multicast or broadcast address at this sub-layer, including

those that were discarded or not sent.

For packet-oriented interfaces, the number of outbound

packets that could not be transmitted because of errors.

For character-oriented or fixed-length interfaces, the

number of outbound transmission units that could not be

transmitted because of errors.

The number of syslog notifications that have been sent.

This number may include notifications that were

prevented from being transmitted due to reasons such as

resource limitations and/or non-connectivity. If one is

receiving notifications, one can periodically poll this

object to determine if any notifications were missed. If

so, a poll of the logHistoryTable might be appropriate.

Indicates whether logMessageGenerated notifications will

or will not be sent when a syslog message is generated by

the device. Disabling notifications does not prevent

syslog messages from being added to the

logHistoryTable.

254

152 .1.3.6.1.4.1.7564.24.1.3.0

153 .1.3.6.1.4.1.7564.24.2.1.0

154 .1.3.6.1.4.1.7564.24.2.2

155 .1.3.6.1.4.1.7564.24.2.2.1

156 .1.3.6.1.4.1.7564.24.2.2.1.1

SNMP OID List

Appendix I SNMP OID List

Indicates which syslog severity levels will be processed.

Any syslog message with a severity value greater than

this value will be ignored by the agent. note: severity

numeric values increase as their severity decreases, e.g.

error(4) is more severe than debug(8).

The upper limit on the number of entries that the

logHistoryTable may contain. A value of 0 will prevent

any history from being retained. When this table is full,

the oldest entry will be deleted and a new one will be

created.

A table of syslog messages generated by this device. All

'interesting' syslog messages (i.e. severity

Appendix I SNMP OID List

168 .1.3.6.1.4.1.7564.25.9.0

SNMP OID List

number of ClickTCP segments transmitted containing one

or more previously transmitted octets.

The total number of segments received in error (e.g., bad

ClickTCP checksums).

169 .1.3.6.1.4.1.7564.25.10.0

The number of ClickTCP segments sent containing the

RST flag.

170 .1.3.6.1.4.1.7564.25.11

A table containing ClickTCP connection-specific

information.

A conceptual row of the ctcpConnTable containing

information about a particular current TCP connection.

171 .1.3.6.1.4.1.7564.25.11.1

Each row of this table is transient, in that it ceases to exist

when (or soon after) the connection makes the transition

to the CLOSED state.

172 .1.3.6.1.4.1.7564.25.11.1.1 A unique value for each clicktcp connection.

173 .1.3.6.1.4.1.7564.25.11.1.2 The state of this TCP connection.

The local IP address for this TCP connection. In the case

174 .1.3.6.1.4.1.7564.25.11.1.3

of a connection in the listen state which is willing to

accept connections for any IP interface associated with

the node, the value 0.0.0.0 is used.

175 .1.3.6.1.4.1.7564.25.11.1.4 The local port number for this TCP connection.

176 .1.3.6.1.4.1.7564.25.11.1.5 The remote IP address for this TCP connection.

177 .1.3.6.1.4.1.7564.25.11.1.6 The remote port number for this TCP connection.

178 .1.3.6.1.4.1.7564.27.1.1.0 The number of real services being checked.

179 .1.3.6.1.4.1.7564.27.1.2 Health Check statistics table.

180 .1.3.6.1.4.1.7564.27.1.2.1

An hcStatsTable entry containing health check statistics

for one real service.

181 .1.3.6.1.4.1.7564.27.1.2.1.1 Reference index for each real service being checked.

182 .1.3.6.1.4.1.7564.27.1.2.1.2 Real service name.

183 .1.3.6.1.4.1.7564.27.1.2.1.3 Health Check IP address.

184 .1.3.6.1.4.1.7564.27.1.2.1.4 Health Check port.

185 .1.3.6.1.4.1.7564.27.1.2.1.5 The status (UP/DOWN) of the health check.

186 .1.3.6.1.4.1.7564.27.1.2.1.6

The reason why the health check is being marked

UP/DOWN.

187 .1.3.6.1.4.1.7564.27.1.2.1.7 The number of times the health check is down.

188 .1.3.6.1.4.1.7564.27.1.2.1.8 The number of times the health check is up.

189 .1.3.6.1.4.1.7564.27.1.2.1.9 The number of connections attempted.

190 .1.3.6.1.4.1.7564.27.1.2.1.10 The number of successful connections.

191 .1.3.6.1.4.1.7564.27.1.2.1.11 The number of connection failures.

192 .1.3.6.1.4.1.7564.28.1.0 Total number of bytes received.

193 .1.3.6.1.4.1.7564.28.2.0 Total number of bytes sent.

194 .1.3.6.1.4.1.7564.28.3.0 Number of bytes received per second.

195 .1.3.6.1.4.1.7564.28.4.0 Number of bytes sent per second.

196 .1.3.6.1.4.1.7564.28.5.0 Peak received bytes per second.

197 .1.3.6.1.4.1.7564.28.6.0 Peak sent bytes per second.

198 .1.3.6.1.4.1.7564.28.7.0 Number of currently active transaction.

199 .1.3.6.1.4.1.7564.30.1.0 Current percentage of CPU utilization.

200 .1.3.6.1.4.1.7564.30.2.0 Number of connections per second.

201 .1.3.6.1.4.1.7564.30.3.0 Number of requests per second.

202 .1.3.6.1.4.1.7564.31.1.0 Total DNS requests.

203 .1.3.6.1.4.1.7564.31.2.0 Total successful DNS resolvings.

256

SNMP OID List

Appendix I SNMP OID List

204 .1.3.6.1.4.1.7564.31.3.0 Total failed DNS resolvings.

205 .1.3.6.1.4.1.7564.31.4.0 Total DNS requests in the last second.

206 .1.3.6.1.4.1.7564.31.5.0 Total successful DNS resolvings in the last second.

207 .1.3.6.1.4.1.7564.31.6.0 Total failed DNS resolvings in the last second.

208 .1.3.6.1.4.1.7564.31.7.0 Peak DNS requests in a second.

209 .1.3.6.1.4.1.7564.31.8.0 Peak successful DNS resolvings in a second.

210 .1.3.6.1.4.1.7564.31.9.0 Total DNS requests in the last minute.

211 .1.3.6.1.4.1.7564.31.10.0 Total successful DNS resolvings in the last minute.

212 .1.3.6.1.4.1.7564.31.11.0 Total failed DNS resolvings in the last minute.

213 .1.3.6.1.4.1.7564.31.12.0 Peak DNS requests in a minute.

214 .1.3.6.1.4.1.7564.31.13.0 Peak successful DNS resolvings in a minute.

215 .1.3.6.1.4.1.7564.31.14.0 Total DNS requests in the last hour.

216 .1.3.6.1.4.1.7564.31.15.0 Total successful DNS resolvings in the last hour.

217 .1.3.6.1.4.1.7564.31.16.0 Total failed DNS resolvings in the last hour.

218 .1.3.6.1.4.1.7564.31.17.0 Peak DNS requests in an hour.

219 .1.3.6.1.4.1.7564.31.18.0 Peak successful DNS resolvings in an hour.

220 .1.3.6.1.4.1.7564.31.19.0 Total DNS requests in the last day.

221 .1.3.6.1.4.1.7564.31.20.0 Total successful DNS resolvings in the last day.

222 .1.3.6.1.4.1.7564.31.21.0 Total failed DNS resolvings in the last day.

223 .1.3.6.1.4.1.7564.31.22.0 Peak DNS requests in a day.

224 .1.3.6.1.4.1.7564.31.23.0 Peak successful DNS resolvings in a day.

225 .1.3.6.1.4.1.7564.31.24.0 Total DNS requests in the last 5 seconds.

226 .1.3.6.1.4.1.7564.31.25.0 Total successful DNS resolvings in the last 5 seconds.

227 .1.3.6.1.4.1.7564.31.26.0 Total failed DNS resolvings in the last 5 seconds.

228 .1.3.6.1.4.1.7564.31.27.0 Peak DNS requests in 5 seconds.

229 .1.3.6.1.4.1.7564.31.28.0 Peak successful DNS resolvings in 5 seconds.

230 .1.3.6.1.4.1.7564.251.1 This trap is sent when the agent starts.

231 .1.3.6.1.4.1.7564.251.2 This trap is sent when the agent terminates.

232 Float

233 Synlogseverity

A single precision floating-point number. The semantics

and encoding are identical for type 'single' defined in

IEEE Standard for Binary Floating-Point, ANSI/IEEE Std

754-1985. The value is restricted to the BER serialization

of the following ASN.1 type: FLOATTYPE ::= [120]

IMPLICIT FloatType (note: the value 120 is the sum of

'30'h and '48'h) The BER serialization of the length for

values of this type must use the definite length, short

encoding form. For example, the BER serialization of

value 123 of type FLOATTYPE is '9f780442f60000'h.

(The tag is '9f78'h; the length is '04'h; and the value is

'42f60000'h.) The BER serialization of value

'9f780442f60000'h of data type Opaque is

'44079f780442f60000'h. (The tag is '44'h; the length is

'07'h; and the value is '9f780442f60000'h.

The severity of a syslog message. The enumeration

values are equal to the values that syslog uses + 1. For

example, with syslog, emergency=0.

257

ArrayOS APV 8.2 CLI Handbook - Index of

ArrayOS APV 8.2 CLI Handbook - Index of ... View more ArrayOS APV 8.2 CLI Handbook - Index of

Delete template?

Save as template ?

ArrayOS APV 8.2 CLI Handbook - Index of ArrayOS APV 8.2 CLI Handbook - Index of