Defines an authentication-method list for access authentication. See the Foundry Security Guide for more information.
EXAMPLE:
To configure an access method list, enter a command such as the following:
ServerIron(config)# aaa authentication web-server default local
This command configures the device to use the local user accounts to authenticate access to the device through the Web management interface. If the device does not have a user account that matches the user name and password entered by the user, the user is not granted access.
To configure the device to consult a RADIUS server first for Enable access, then consult the local user accounts if the RADIUS server is unavailable, enter the following command:
ServerIron(config)# aaa authentication enable default radius local
Syntax: aaa authentication snmp-server | web-server | enable [implicit-user] | login default <method1> [<method2>] [<method3>] [<method4>] [<method5>] [<method6>] [<method7>]
The snmp-server | web-server | enable [implicit-user] | login parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access.
The implicit-user parameter configures the device to prompt for only a password when a user attempts to access the Privileged EXEC or CONFIG level of the CLI. By default, the device prompts for both a username and a password. This parameter is valid only with the enable access type.
NOTE: TACACS/TACACS+ and RADIUS are supported only for enable and login.
The <method1> parameter specifies the primary authentication method. The remaining optional <method> parameters specify the secondary methods to try if an error occurs with the primary method. A method can be one of the values listed in the Method Value column in the following table.
Table 6.1: Authentication Method Values
- tacacs or tacacs+ – A TACACS/TACACS+ server. You can use either parameter. Each parameter supports both TACACS and TACACS+. You also must identify the server to the device using the tacacs-server command. See "tacacs-server".
- radius – A RADIUS server. You also must identify the server to the device using the radius-server command. See "radius-server".
- local – A local user name and password you configured on the device. Local user names and passwords are configured using the username... command. See "username".
- line – The password you configured for Telnet access. The Telnet password is configured using the enable telnet password... command. See "enable telnet password".
- enable – The super-user "enable" password you configured on the device. The enable password is configured using the enable super-user-password... command. See "enable".
- none – No authentication is used. The device automatically permits access.
Possible values: see above
Default value: N/A
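The method list above moves on to the next method only when the previous one returns an error (for example, the RADIUS server is unreachable), not when it rejects the credentials. The following Python model is an added illustration, not Foundry code; the function names, the MethodError class and the sample accounts and backends are constructed for the example. It shows that a reject from a reachable RADIUS server is final even when a matching local account exists, that an unreachable server falls through to local, and that a list ending in none grants access to anyone once the servers are down.

```python
"""Model of aaa authentication method-list fall-through (added example, not device code)."""
from typing import Callable, Dict, List, Tuple

class MethodError(Exception):
    """The method could not answer at all (server unreachable, timeout)."""

# A method returns True (accept) or False (reject), or raises MethodError.
Method = Callable[[str, str], bool]

def authenticate(methods: List[Method], user: str, password: str) -> Tuple[bool, str]:
    """Try the methods in order. Only an error moves on to the next method; an explicit
    reject is final. If every method errors out, access is refused."""
    for method in methods:
        try:
            return method(user, password), method.__name__
        except MethodError:
            continue
    return False, "no method answered"

# Constructed sample backends and accounts (assumptions for the example).
LOCAL_USERS: Dict[str, str] = {"admin": "s3cret"}
RADIUS_USERS: Dict[str, str] = {"alice": "hunter2"}

def radius(user: str, password: str) -> bool:
    return RADIUS_USERS.get(user) == password

def radius_unreachable(user: str, password: str) -> bool:
    raise MethodError("RADIUS server timed out")

def local(user: str, password: str) -> bool:
    return LOCAL_USERS.get(user) == password

def none(user: str, password: str) -> bool:
    return True   # the none method permits everyone

if __name__ == "__main__":
    print(authenticate([radius, local], "admin", "s3cret"))               # (False, 'radius')
    print(authenticate([radius_unreachable, local], "admin", "s3cret"))   # (True, 'local')
    print(authenticate([radius_unreachable, none], "anyone", ""))         # (True, 'none')
```

The order radius local therefore does not let a user bypass RADIUS by presenting local credentials while the server is up; it covers server outages only. A list that ends in none turns into an open door in exactly that outage case, which is why none belongs at most on console-style access you have physically secured.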
Configures authorization for controlling access to management functions in the CLI. Foundry devices support RADIUS and TACACS+ authorization.
- When RADIUS authorization is enabled, the Foundry device consults the list of commands supplied by the RADIUS server during authentication to determine whether a user can execute a command he or she has entered.
- Two kinds of TACACS+ authorization are supported: Exec authorization determines a user’s privilege level when they are authenticated; Command authorization consults a TACACS+ server to get authorization for commands entered by the user.
EXAMPLE:
You enable command authorization by specifying a privilege level whose commands require authorization. For example, to configure the Foundry device to perform RADIUS authorization for the commands available at the Super User privilege level (that is; all commands on the device), enter the following command:
ServerIron(config)# aaa authorization commands 0 default radius
Syntax: [no] aaa authorization commands <privilege-level> default tacacs+ | radius | none
The <privilege-level> parameter can be one of the following:
- 0 – Authorization is performed for commands available at the Super User level (all commands)
- 4 – Authorization is performed for commands available at the Port Configuration level (port-config and read-only commands)
- 5 – Authorization is performed for commands available at the Read Only level (read-only commands)
NOTE: TACACS+ and RADIUS command authorization is performed only for commands entered from Telnet or SSH sessions. No authorization is performed for commands entered at the console, the Web management interface, or IronView.
NOTE: Since RADIUS authorization relies on the command list supplied by the RADIUS server during authentication, you cannot perform RADIUS authorization without RADIUS authentication.
When TACACS+ exec authorization is configured, the Foundry device consults a TACACS+ server to determine the privilege level for an authenticated user. To configure TACACS+ exec authorization, on the Foundry device, enter the following command:
ServerIron(config)# aaa authorization exec default tacacs+
Syntax: [no] aaa authorization exec default tacacs+ | none
Possible values: see above
Default value: N/A
Configures RADIUS or TACACS+ accounting for recording information about user activity and system events. When you configure accounting on a Foundry device, information is sent to an accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.
EXAMPLE:
To send an Accounting Start packet to a TACACS+ accounting server when an authenticated user establishes a Telnet or SSH session on the Foundry device, and an Accounting Stop packet when the user logs out:
ServerIron(config)# aaa accounting exec default start-stop tacacs+
Syntax: [no] aaa accounting exec default start-stop radius | tacacs+ | none
You can configure accounting for CLI commands by specifying a privilege level whose commands require accounting. For example, to configure the Foundry device to perform RADIUS accounting for the commands available at the Super User privilege level (that is; all commands on the device), enter the following command:
ServerIron(config)# aaa accounting commands 0 default start-stop radius
Syntax: [no] aaa accounting commands <privilege-level> default start-stop radius | tacacs+ | none
The <privilege-level> parameter can be one of the following:
- 0 – Records commands available at the Super User level (all commands)
- 4 – Records commands available at the Port Configuration level (port-config and read-only commands)
- 5 – Records commands available at the Read Only level (read-only commands)
You can configure accounting to record when system events occur on the Foundry device. System events include rebooting and when changes to the active configuration are made.
The following command causes an Accounting Start packet to be sent to a TACACS+ accounting server when a system event occurs, and an Accounting Stop packet to be sent when the system event is completed:
ServerIron(config)# aaa accounting system default start-stop tacacs+
Syntax: [no] aaa accounting system default start-stop radius | tacacs+ | none
Possible values: see above
Default value: N/A
Configures standard Access Control Lists (ACLs), which permit or deny packets based on source IP address (in contrast to extended ACLs, which permit or deny packets based on source and destination IP address and also based on IP protocol information). You can configure up to 99 standard ACLs. You can configure up to 1024 individual ACL entries. There is no limit to the number of ACL entries an ACL can contain except for the system-wide limitation of 1024 total ACL entries.
EXAMPLE:
To configure a standard ACL and apply it to outgoing traffic on port 1, enter the following commands:
ServerIron(config)# access-list 1 deny host 209.157.22.26 log
ServerIron(config)# access-list 1 deny 209.157.29.12 log
ServerIron(config)# access-list 1 deny host IPHost1 log
ServerIron(config)# access-list 1 permit any
ServerIron(config)# int eth 1
ServerIron(config-if-1)# ip access-group 1 out
ServerIron(config-if-1)# write mem
The commands in this example configure an ACL to deny packets from three source IP addresses from being forwarded on port 1. The last ACL entry in this ACL permits all packets that are not explicitly denied by the first three ACL entries.
Syntax: [no] access-list <num> deny | permit <source-ip> | <hostname> <wildcard> [log]
Syntax: [no] access-list <num> deny | permit <source-ip>/<mask-bits> | <hostname> [log]
Syntax: [no] access-list <num> deny | permit host <source-ip> | <hostname> [log]
Syntax: [no] access-list <num> deny | permit any [log]
Syntax: [no] ip access-group <num> in | out
The <num> parameter is the access list number and can be from 1 – 99.
The deny | permit parameter indicates whether packets that match a policy in the access list are denied (dropped) or permitted (forwarded).
The <source-ip> parameter specifies the source IP address. Alternatively, you can specify the host name.
NOTE: To specify the host name instead of the IP address, the host name must be configured using the Foundry device’s DNS resolver. To configure the DNS resolver name, use the ip dns server-address... command at the global CONFIG level of the CLI.
The <wildcard> parameter specifies the mask value to compare against the host address specified by the <source-ip> parameter. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net 209.157.22.x match the policy.
If you prefer to specify the wildcard (mask value) in CIDR format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of “209.157.22.26 0.0.0.255” as “209.157.22.26/24”.
NOTE: When you save ACL policies to the startup-config file, the software changes your <source-ip> values if appropriate to contain zeros where the packet value must match. For example, if you specify 209.157.22.26/24 or 209.157.22.26 255.255.255.0, then save the startup-config file, the values appear as 209.157.22.0/24 (if you have enabled display of sub-net lengths) or 209.157.22.0 255.255.255.0 in the startup-config file.
If you enable the software to display IP sub-net masks in CIDR format, the mask is saved in the file in “/<mask-bits>” format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format.
NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with sub-net mask in the display produced by the show access-list and show ip access-list commands.
The host <source-ip> | <hostname> parameter lets you specify a host IP address or name. When you use this parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.
The any parameter configures the policy to match on all host addresses.
The log argument configures the device to generate Syslog entries and SNMP traps for packets that are permitted or denied by the access policy.
The in | out parameter specifies whether the ACL applies to incoming traffic or outgoing traffic on the port to which you apply the ACL.
Possible values: see above
Default value: N/A
Configures extended ACLs, which permit or deny packets based on the following information:
- IP protocol
- Source IP address or host name
- Destination IP address or host name
- Source TCP or UDP port (if the IP protocol is TCP or UDP)
- Destination TCP or UDP port (if the IP protocol is TCP or UDP)
EXAMPLE:
To configure an extended ACL that blocks all Telnet traffic received on port 1 from IP host 209.157.22.26, enter the following commands:
ServerIron(config)# access-list 101 deny tcp host 209.157.22.26 any eq telnet log
ServerIron(config)# access-list 101 permit ip any any
ServerIron(config)# int eth 1
ServerIron(config-if-1)# ip access-group 101 in
ServerIron(config-if-1)# write mem
Syntax: [no] access-list <num> deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator> <source-tcp/udp-port>] <destination-ip> | <hostname> <wildcard> [<operator> <destination-tcp/udp-port>] [log]
Syntax: [no] access-list <num> deny | permit host <ip-protocol> any any [log]
Syntax: [no] ip access-group <num> in | out
The <num> parameter indicates the ACL number and can be from 100 – 199 for an extended ACL.
The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded.
The <ip-protocol> parameter indicates the type of IP packet you are filtering. You can specify one of the following:
- icmp
- igmp
- igrp
- ip
- ospf
- tcp
- udp
The <source-ip> | <hostname> parameter specifies the source IP host for the policy. If you want the policy to match on all source addresses, enter any.
The <wildcard> parameter specifies the portion of the source IP host address to match against. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net 209.157.22.x match the policy.
If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of “209.157.22.26 0.0.0.255” as “209.157.22.26/24”.
NOTE: When you save ACL policies to the startup-config file, the software changes your IP address values if appropriate to contain zeros where the packet value must match. For example, if you specify 209.157.22.26/24 or 209.157.22.26 255.255.255.0, then save the startup-config file, the values appear as 209.157.22.0/24 (if you have enabled display of sub-net lengths) or 209.157.22.0 255.255.255.0 in the startup-config file.
If you enable the software to display IP sub-net masks in CIDR format, the mask is saved in the file in “/<mask-bits>” format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format.
NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with sub-net mask in the display produced by the show access-list and show ip access-list commands.
The <destination-ip> | <hostname> parameter specifies the destination IP host for the policy. If you want the policy to match on all destination addresses, enter any.
The <operator> parameter specifies a comparison operator for the TCP or UDP port number. This parameter applies only when you specify tcp or udp as the IP protocol. For example, if you are configuring an entry for HTTP, specify tcp eq http. You can enter one of the following operators:
- eq – The policy applies to the TCP or UDP port name or number you enter after eq.
- gt – The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt.
- lt – The policy applies to TCP or UDP port numbers that are less than the port number or the numeric equivalent of the port name you enter after lt.
- neq – The policy applies to all TCP or UDP port numbers except the port number or port name you enter after neq.
- range – The policy applies to all TCP or UDP port numbers that are between the first TCP or UDP port name or number and the second one you enter following the range parameter. The range includes the port names or numbers you enter. For example, to apply the policy to all ports between and including 23 (Telnet) and 53 (DNS), enter the following: range 23 53. The first port number in the range must be lower than the last number in the range.
- established – This operator applies only to TCP packets. If you use this operator, the policy applies to TCP packets that have the ACK (Acknowledgment) or RST (Reset) bits set on (set to "1") in the Control Bits field of the TCP packet header. Thus, the policy applies only to established TCP sessions, not to new sessions. See Section 3.1, "Header Format", in RFC 793 for information about this field.
NOTE: This operator applies only to destination TCP ports, not source TCP ports.
The <tcp/udp-port> parameter specifies the TCP or UDP port number or well-known name. The device recognizes the following well-known names. For other ports, you must specify the port number.
NOTE: The following lists are organized alphabetically. In the CLI, these port names are listed according to ascending port number.
- TCP port names recognized by the software:
- bgp
- dns
- ftp
- http
- imap4
- ldap
- mms
- nntp
- pop2
- pop3
- pnm
- rtsp
- smtp
- ssl
- telnet
- UDP port names recognized by the software:
- bootps
- bootpc
- dns
- ntp
- radius
- radius-old
- rip
- snmp
- snmp-trap
- tftp
The in | out parameter specifies whether the ACL applies to incoming traffic or outgoing traffic on the port to which you apply the ACL.
Possible values: see above
Default value: N/A
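The standard-ACL and extended-ACL entries above describe wildcard masks and their CIDR shorthand, the zeroing of host bits when the policy is saved, first-match evaluation, the port operators and the established operator. The following Python model is an added illustration, not Foundry code: it parses entries written in the syntax shown above and evaluates constructed packets against them. It assumes that the well-known port names map to their IANA numbers, that a bare address with no wildcard means a single host (as in the deny 209.157.29.12 example), and that a packet matching no entry is dropped, which is why the examples above end with permit any or permit ip any any. The Packet, Entry, AddrMatch and PortMatch names are constructed for the example.

```python
"""Model of Foundry standard/extended IP ACL matching (added example, not device code)."""
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

# Assumption: the device resolves these well-known names to the IANA port numbers.
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "dns": 53, "tftp": 69, "http": 80,
              "ntp": 123, "snmp": 161, "snmp-trap": 162, "bgp": 179, "ldap": 389, "ssl": 443}
ANY = 0xFFFFFFFF   # wildcard with every bit set: any address matches

# base: address with the don't-care bits zeroed (what the saved config shows); wildcard: 1 = any
AddrMatch = namedtuple("AddrMatch", "base wildcard")
PortMatch = namedtuple("PortMatch", "op lo hi", defaults=("any", 0, 0))   # op: any|eq|neq|gt|lt|range
Entry = namedtuple("Entry", "num permit proto src sport dst dport established log")
Packet = namedtuple("Packet", "src dst proto sport dport flags", defaults=("ip", 0, 0, frozenset()))

def _ip(tok: str) -> int:
    return int(ipaddress.IPv4Address(tok))

def addr_matches(m: AddrMatch, ip: str) -> bool:
    return (_ip(ip) | m.wildcard) == (m.base | m.wildcard)

def addr_config(m: AddrMatch) -> str:
    """Render as the config does with ip show-subnet-length: any, host <ip>, or <ip>/<mask-bits>."""
    if m.wildcard == ANY:
        return "any"
    if m.wildcard == 0:
        return f"host {ipaddress.IPv4Address(m.base)}"
    if m.wildcard & (m.wildcard + 1):   # non-contiguous mask has no CIDR form: keep dotted wildcard
        return f"{ipaddress.IPv4Address(m.base)} {ipaddress.IPv4Address(m.wildcard)}"
    return f"{ipaddress.IPv4Address(m.base)}/{32 - m.wildcard.bit_length()}"

def parse_addr(tokens: List[str]) -> Tuple[AddrMatch, List[str]]:
    """Consume one of: any | host A | A/bits | A W | A (bare address = host)."""
    tok, rest = tokens[0], tokens[1:]
    if tok == "any":
        return AddrMatch(0, ANY), rest
    if tok == "host":
        return AddrMatch(_ip(rest[0]), 0), rest[1:]
    if "/" in tok:
        tok, bits = tok.split("/")
        wildcard = (1 << (32 - int(bits))) - 1
    elif rest and rest[0].count(".") == 3:   # a dotted wildcard follows the address
        wildcard, rest = _ip(rest[0]), rest[1:]
    else:
        wildcard = 0
    return AddrMatch(_ip(tok) & ~wildcard & ANY, wildcard), rest   # zero the host bits

def port_matches(pm: PortMatch, port: int) -> bool:
    return {"any": True, "eq": port == pm.lo, "neq": port != pm.lo, "gt": port > pm.lo,
            "lt": port < pm.lo, "range": pm.lo <= port <= pm.hi}[pm.op]

def parse_port(tokens: List[str]) -> Tuple[PortMatch, List[str]]:
    num = lambda tok: PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)
    if tokens and tokens[0] in ("eq", "neq", "gt", "lt"):
        return PortMatch(tokens[0], num(tokens[1])), tokens[2:]
    if tokens and tokens[0] == "range":
        lo, hi = num(tokens[1]), num(tokens[2])
        if lo >= hi:
            raise ValueError("first port in a range must be lower than the last")
        return PortMatch("range", lo, hi), tokens[3:]
    return PortMatch(), tokens

def parse_entry(line: str) -> Entry:
    t = line.split()
    if t[:1] != ["access-list"] or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line}")
    num, permit, t = int(t[1]), t[2] == "permit", t[3:]
    if 1 <= num <= 99:            # standard ACL: source address only, any IP protocol
        proto, sport, dst, dport = "ip", PortMatch(), AddrMatch(0, ANY), PortMatch()
        src, t = parse_addr(t)
    elif 100 <= num <= 199:       # extended ACL
        proto, t = t[0], t[1:]
        src, t = parse_addr(t)
        sport, t = parse_port(t)
        dst, t = parse_addr(t)
        dport, t = parse_port(t)
    else:
        raise ValueError(f"ACL number {num} out of range")
    if set(t) - {"established", "log"} or ("established" in t and proto != "tcp"):
        raise ValueError(f"bad trailing options {t}")
    return Entry(num, permit, proto, src, sport, dst, dport, "established" in t, "log" in t)

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (addr_matches(e.src, p.src) and addr_matches(e.dst, p.dst)):
        return False
    if e.proto in ("tcp", "udp") and not (port_matches(e.sport, p.sport) and port_matches(e.dport, p.dport)):
        return False
    return not e.established or bool(p.flags & {"ack", "rst"})   # RFC 793 control bits

def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, Optional[Entry]]:
    """First match wins; a packet matching no entry is dropped (assumed implicit deny)."""
    for e in entries:
        if entry_matches(e, p):
            return ("permit" if e.permit else "deny"), e
    return "deny", None
```

Two things the model makes visible: addr_config turns 209.157.22.26 0.0.0.255 into 209.157.22.0/24, which is the rewrite the NOTE describes when the policy is saved, and an ACL consisting only of permit tcp any any established drops a bare SYN while passing anything carrying ACK or RST, so it is no substitute for stateful inspection.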
If both the GSLB ServerIron and the site ServerIron support the distributed health check feature, configures the interval at which the site ServerIron reports health check information to the GSLB ServerIron.
EXAMPLE:
On the site ServerIron, enter a command such as the following:
SITE-ServerIron(config)# agent-health-report-interval 7
Syntax: [no] agent-health-report-interval <seconds>
Possible values: 2 – 120 seconds
Default value: N/A
Enables a larger Ethernet frame size for VLAN aggregation. This feature changes the maximum Ethernet size to 1530 bytes.
NOTE: Use this command when you are configuring Super Aggregated VLANs. See the “Configuring VLANs” chapter of the Foundry Switch and Router Installation and Basic Configuration Guide.
EXAMPLE:
ServerIron(config)# aggregated-vlan
Syntax: aggregated-vlan
Possible values: N/A
Default value: Disabled
Restricts management access to the Foundry device to the host whose IP address you specify. No other device except the one with the specified IP address can access the Foundry device through Telnet (CLI), the Web (Web management interface), or SNMP (IronView).
If you want to restrict access for some of the management platforms but not all of them, use one or two of the following commands:
- snmp-client – restricts IronView access and all other SNMP access. See "snmp-client".
- telnet client – restricts Telnet access. See "telnet client".
- web client – restricts web access. See "web client".
EXAMPLE:
To restrict all management access to the Foundry device to the host with IP address 209.157.22.26, enter the following command:
ServerIron(config)# all-client 209.157.22.26
Syntax: [no] all-client <ip-addr>
Possible values: a valid IP address. You can enter one IP address with the command. You can use the command up to ten times for up to ten IP addresses.
Default value: N/A
Adds a static ARP entry.
NOTE: This command applies only to IP forwarding (Layer 3).
EXAMPLE:
ServerIron(config)# arp 1 209.157.22.3 aaaa.bbbb.cccc ethernet 3
This command adds a static ARP entry that maps IP address 209.157.22.3 to MAC address aaaa.bbbb.cccc. The entry is for a MAC address connected to ServerIron port 3.
Syntax: [no] arp <num> <ip-addr> <mac-addr> ethernet <portnum> [vlan <vlan-id>]
The <num> parameter specifies the entry number. You can specify a number from 1 up to the maximum number of static entries allowed on the device. To determine the maximum number of entries, enter the show default values command. To increase the maximum, use the system-max static-arp command.
The <ip-addr> parameter specifies the IP address of the device that has the MAC address of the entry.
The <mac-addr> parameter specifies the MAC address of the entry.
The ethernet <portnum> parameter specifies the port number attached to the device that has the MAC address of the entry.
The vlan <vlan-id> parameter specifies the port-based VLAN the entry belongs to. Use this parameter when the port is a member of more than one port-based VLAN and you want the ARP entry to apply only to a specific VLAN.
NOTE: The clear arp command clears learned ARP entries but does not remove any static ARP entries.
Possible values: See above
Default value: None configured
Creates an AppleTalk protocol VLAN on a Foundry switch or router. When first assigned, all ports are assumed by default to be members of the VLAN. VLAN membership can be modified using the dynamic, static, or exclude commands.
EXAMPLE:
To create an AppleTalk Protocol VLAN with permanent port membership of 9 and 13 and no dynamic ports, enter the following commands.
ServerIron(config)# atalk-proto
ServerIron(config-atalk-proto)# static e9 e13
ServerIron(config-atalk-proto)# no dynamic
ServerIron(config-atalk-proto)# exit
Syntax: atalk-proto [name <string>]
The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
Possible values: N/A
Default value: N/A
Configures the Foundry device to display a message when a user enters the Privileged EXEC CLI level.
EXAMPLE:
ServerIron(config)# banner exec $ (Press Return)
Enter TEXT message, End with the character '$'.
You are entering Privileged EXEC level
Don’t foul anything up! $
Syntax: [no] banner exec <delimiting-character>
A delimiting character is established on the first line of the banner exec command. You begin and end the message with this delimiting character. The delimiting character can be any character except “ (double-quotation mark) and cannot appear in the banner text. In this example, the delimiting character is $ (dollar sign). The text in between the dollar signs is the contents of the banner. The banner text can be up to 2048 characters long and can consist of multiple lines. To remove the banner, enter the no banner exec command.
Possible values: N/A
Default value: N/A
Configures the Foundry device to display a message on the Console when a user establishes a Telnet session. This message indicates where the user is connecting from and displays a configurable text message.
EXAMPLE:
ServerIron(config)# banner incoming $ (Press Return)
Enter TEXT message, End with the character '$'.
Incoming Telnet Session!! $
When a user connects to the CLI using Telnet, the following message appears on the Console:
Telnet from 209.157.22.63
Incoming Telnet Session!!
Syntax: [no] banner incoming <delimiting-character>
A delimiting character is established on the first line of the banner incoming command. You begin and end the message with this delimiting character. The delimiting character can be any character except “ (double-quotation mark) and cannot appear in the banner text. In this example, the delimiting character is $ (dollar sign). The text in between the dollar signs is the contents of the banner. The banner text can be up to 2048 characters long and can consist of multiple lines. To remove the banner, enter the no banner incoming command.
Possible values: N/A
Default value: N/A
Configures the Foundry device to display a message on a user’s terminal when he or she establishes a Telnet CLI session.
EXAMPLE:
To display the message “Welcome to ServerIron!” when a Telnet CLI session is established:
ServerIron(config)# banner motd $ (Press Return)
Enter TEXT message, End with the character '$'.
Welcome to ServerIron! $
Syntax: [no] banner <delimiting-character> | [motd <delimiting-character>]
A delimiting character is established on the first line of the banner motd command. You begin and end the message with this delimiting character. The delimiting character can be any character except “ (double-quotation mark) and cannot appear in the banner text. In this example, the delimiting character is $ (dollar sign). The text in between the dollar signs is the contents of the banner. The banner text can be up to 2048 characters long and can consist of multiple lines. To remove the banner, enter the no banner motd command.
When you access the Web management interface, the banner is displayed on the login panel.
NOTE: The banner <delimiting-character> command is equivalent to the banner motd <delimiting-character> command.
Possible values: N/A
Default value: N/A
Configures the device to use BootP as the primary boot source.
NOTE: If you enter another boot system command at the global CONFIG level after entering this command, the software adds the new boot source as the primary source and changes the previously entered source to be the secondary source.
EXAMPLE:
ServerIron(config)# boot system bootp
Syntax: boot system bootp
Possible values: N/A
Default value: primary flash
Configures the device to use the primary flash location as the primary boot source. This is the default primary boot source.
NOTE: If you enter another boot system command at the global CONFIG level after entering this command, the software adds the new boot source as the primary source and changes the previously entered source to be the secondary source.
EXAMPLE:
ServerIron(config)# boot system flash primary
Syntax: boot system flash primary
Possible values: N/A
Default value: primary flash
Configures the device to use the secondary flash location as the primary boot source.
NOTE: If you enter another boot system command at the global CONFIG level after entering this command, the software adds the new boot source as the primary source and changes the previously entered source to be the secondary source.
EXAMPLE:
ServerIron(config)# boot system flash secondary
Syntax: boot system flash secondary
Possible values: N/A
Default value: primary flash
Configures the device to use a TFTP server as the primary boot source.
NOTE: If you enter another boot system command at the global CONFIG level after entering this command, the software adds the new boot source as the primary source and changes the previously entered source to be the secondary source.
EXAMPLE:
ServerIron(config)# boot sys tftp 192.22.33.44 current.img
NOTE: Before entering the TFTP boot command, you must first assign an IP address, IP mask and default gateway (if applicable) at the boot prompt as shown.
EXAMPLE:
boot> ip address 192.22.33.44 255.255.255.0
boot> ip default-gateway 192.22.33.1
You now can proceed with the boot system tftp... command.
Syntax: boot system tftp <ip-addr> <filename>
Possible values: N/A
Default value: primary flash
Configures a Layer 2 broadcast packet filter. You can filter on all broadcast traffic or on IP UDP broadcast traffic.
EXAMPLE:
To configure a Layer 2 broadcast filter to filter all types of broadcasts, then apply the filter to ports 1, 2, and 3, enter the following commands:
ServerIron(config)# broadcast filter 1 any
ServerIron(config-bcast-filter-id-1)# exclude-ports ethernet 1 to 3
ServerIron(config-bcast-filter-id-1)# write mem
EXAMPLE:
To configure two filters, one to filter IP UDP traffic on ports 1 – 4, and the other to filter all broadcast traffic on port 6, enter the following commands:
ServerIron(config)# broadcast filter 1 ip udp
ServerIron(config-bcast-filter-id-1)# exclude-ports ethernet 1 to 4
ServerIron(config-bcast-filter-id-1)# exit
ServerIron(config)# broadcast filter 2 any
ServerIron(config-bcast-filter-id-2)# exclude-ports ethernet 6
ServerIron(config-bcast-filter-id-2)# write mem
EXAMPLE:
To configure an IP UDP broadcast filter that applies only to port-based VLAN 10, then apply the filter to two ports within the VLAN, enter the following commands:
ServerIron(config)# broadcast filter 4 ip udp vlan 10
ServerIron(config-bcast-filter-id-4)# exclude-ports eth 1 eth 3
ServerIron(config-bcast-filter-id-4)# write mem
Syntax: [no] broadcast filter <filter-id> any | ip udp [vlan <vlan-id>]
The <filter-id> specifies the filter number and can be a number from 1 – 8. The software applies the filters in ascending numerical order. As soon as a match is found, the software takes the action specified by the filter (block the broadcast) and does not compare the packet against additional broadcast filters.
You can specify any or ip udp as the type of broadcast traffic to filter. The any parameter prevents all broadcast traffic from being sent on the specified ports. The ip udp parameter prevents all IP UDP broadcasts from being sent on the specified ports but allows other types of broadcast traffic.
If you specify a port-based VLAN ID, the filter applies only to the broadcast domain of the specified VLAN, not to all broadcast domains (VLANs) on the device.
As soon as you press Enter after entering the command, the CLI changes to the configuration level for the filter you are configuring. You specify the ports to which the filter applies at the filter's configuration level.
Syntax: [no] exclude-ports ethernet <portnum> to <portnum>
Or
Syntax: [no] exclude-ports ethernet <portnum> ethernet <portnum>
These commands specify the ports to which the filter applies.
NOTE: This is the same command syntax as that used for configuring port-based VLANs. Use the first command for adding a range of ports. Use the second command for adding separate ports (not in a range). You also can combine the syntax. For example, you can enter exclude-ports ethernet 1/4 ethernet 2/6 to 2/9.
Possible values: see above
Default value: N/A
Specifies the maximum number of broadcast packets the device can forward each second. By default the device sends broadcasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However, if other devices in the network cannot handle unlimited broadcast traffic, this command allows you to relieve those devices by throttling the broadcasts at the Foundry device.
NOTE: The broadcast limit does not affect multicast or unicast traffic. However, you can use the multicast limit and unknown-unicast limit commands to control these types of traffic. See "multicast limit" and "unknown-unicast limit".
EXAMPLE:
ServerIron(config)# broadcast limit 30000
Syntax: broadcast limit <num>
Possible values: 0 – 4294967295
Default value: N/A
Assigns an administrative ID to the device.
NOTE: This command does not change the CLI prompt. To change the CLI prompt, use the hostname command. See "hostname" .
EXAMPLE:
ServerIron(config)# chassis name routernyc
Syntax: chassis name <text>
Possible values: Up to 32 alphanumeric characters
Default value: Null string
Changes the number of seconds between polls of the power supply and fan status.
Use the show chassis command to display the hardware status.
EXAMPLE:
To change the hardware poll time from 60 seconds (the default) to 30 seconds:
ServerIron(config)# chassis poll-time 30
Syntax: chassis poll-time <num>
Possible values: 0 – 65535
Default value: 60
Disables or re-enables status polling for individual power supplies and fans. When you disable status polling, a fault in the power supply does not generate a trap in the system log.
EXAMPLE:
To disable polling of power supply 2, enter the following command:
ServerIron(config)# no chassis trap-log ps2
Syntax: [no] chassis trap-log ps1 | ps2 | fan1 | fan2
Possible values: see above
Default value: all traps enabled
Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in "Privileged EXEC Commands" .
This command will automatically activate and deactivate daylight savings time for the relevant time zones.
EXAMPLE:
ServerIron(config)# clock summer-time
Syntax: clock summer-time
Possible values: N/A
Default value: N/A
Allows you to define the time zone of the clock. This parameter is used in conjunction with the clock set command or for timestamps obtained from a SNTP server. The clock set...command is configured at the privileged EXEC level of the CLI.
NOTE: Use this clock command before all others to ensure accuracy of the clock settings.
NOTE: For those time zones that recognize daylight savings time, the clock summer-time command will also need to be defined.
NOTE: Clock settings are not saved over power cycles; however, you can configure the system to reference a SNTP server at power up. This server will then automatically download the correct time reference for the network. The local ServerIron will then adjust the time according to its time zone setting. For more details on setting up a SNTP reference clock, refer to the sntp command at the privileged EXEC level and the sntp poll-interval and sntp server commands at the global CONFIG level.
EXAMPLE:
ServerIron(config)# clock timezone us eastern
Syntax: clock timezone gmt | us <time-zone>
Possible values: The following time zones can be entered for US or GMT:
US time zones: alaska, aleutian, arizona, central, east-indiana, eastern, hawaii, michigan, mountain, pacific, samoa
GMT time zones: gmt+12, gmt+11, gmt+10...gmt+01, gmt+00, gmt-01...gmt-10, gmt-11, gmt-12
Default value: gmt+00
Reduces the number of up-status confirmations the software requires before bringing a port up for use. This command is useful for network interface cards (NICs) that are designed to come up very quickly in certain applications and are sensitive to the slight delay caused by the Foundry ports as they wait for the multiple status indications before coming up. You can configure a Foundry device to reduce the number of status indications the software requires before bringing up a 10/100Base-Tx port.
NOTE: Do not use this command unless advised to do so by Foundry technical support.
By default, Foundry devices wait for multiple indications that a port is good before bringing the port up. Specific types of networking devices are sensitive to the very slight delay caused by the multiple status indications. In this case, you can use one of the following methods to reduce the number of status indications the software requires before bringing up a 10/100Base-Tx port. You can set the parameter globally for all 10/100 ports.
EXAMPLE:
By default, Stackable devices bring a 10/100 Base-Tx port up after receiving ten consecutive up-status indications for the port. You can reduce this number to as few as one indication.
To reduce the up-status indications required to bring up 10/100 ports on a Stackable device, enter the following commands:
ServerIron(config)# confirm-port-up 1
ServerIron(config)# write mem
Syntax: [no] confirm-port-up <num>
The <num> parameter specifies the number of indications required by the software and can be from 1 – 10. The default for Stackable devices is 10.
Possible values: 1 – 10
Default value: 10
Times out idle serial management sessions.
By default, a Foundry device does not time out serial CLI sessions. A serial session remains open indefinitely until you close it. You can configure the device to time out serial CLI sessions if they remain idle for a specified number of minutes. You can configure an idle timeout value from 0 – 240 minutes. The default is 0.
NOTE: If a session times out, the device does not close the connection. Instead, the CLI changes to the User EXEC mode (for example: ServerIron>).
EXAMPLE:
To configure the idle timeout for serial CLI sessions, enter a command such as the following:
ServerIron(config)# console timeout 20
This command configures the idle timeout value to 20 minutes.
Syntax: [no] console timeout <num>
The <num> parameter specifies the number of minutes the serial CLI session can remain idle before it times out. You can specify from 0 – 240 minutes. The default is 0 (sessions never time out).
Possible values: 0 – 240 minutes
Default value: 0 (sessions never time out)
Configures a host RSA public and private key pair for SSH. The host RSA key pair is stored in the Foundry device’s system-config file. Only the public key is readable. The host RSA key pair is used to negotiate a session key and encryption method with the SSH clients trying to connect to it.
EXAMPLE 1:
To generate a public and private host RSA key pair for the Foundry device:
ServerIron(config)# crypto key generate rsa
ServerIron(config)# wri mem
A host RSA key pair is stored in the system-config file, and SSH is enabled on the device.
EXAMPLE 2:
To delete the host RSA key pair from the system-config file:
ServerIron(config)# crypto key zeroize rsa
ServerIron(config)# wri mem
The host RSA key pair is deleted from the system-config file, and SSH is disabled on the device.
Syntax: crypto key generate | zeroize rsa
Possible values: N/A
Default value: N/A
Creates a new seed for generating a random number that is used for generating the dynamically created server RSA key pair for SSH.
EXAMPLE:
ServerIron(config)# crypto random-number-seed generate
Syntax: crypto random-number-seed generate
Possible values: N/A
Default value: N/A
Creates a Decnet protocol VLAN on a Foundry switch or router. All ports will by default be assigned to the VLAN when initially created. VLAN Membership can be modified using the dynamic, static, or exclude commands.
EXAMPLE:
To create a Decnet protocol VLAN with permanent port membership of 15 and 16 with port 17 as a dynamic member port (on module 1), enter the following commands.
ServerIron(config)# decnet-proto
ServerIron(config-decnet-proto)# static e 1/15 to 1/16
ServerIron(config-decnet-proto)# exclude e 1/1 to 1/14 e 1/18
Syntax: decnet-proto
Possible values: N/A
Default value: N/A
When you enable port-based VLAN operation, all ports are assigned to VLAN 1 by default. As you create additional VLANs and assign ports to them, the ports are removed from the default VLAN. All ports that you do not assign to other VLANs remain members of default VLAN 1. This behavior ensures that all ports are always members of at least one VLAN.
NOTE: Changing the default VLAN name does not change the properties of the default VLAN. Changing the name allows you to use the VLAN ID "1" as a configurable VLAN.
EXAMPLE:
To change the VLAN ID for the default VLAN, enter the following command at the global CONFIG level of the CLI:
ServerIron(config)# default-vlan-id 1001
Syntax: default-vlan-id
Possible values: Enter a value from 1 – 4095, but ensure that the ID is not already in use. For example, if you have already defined VLAN 10, do not try to use "10" as the new VLAN ID for the default VLAN. Valid VLAN IDs are 1 – 4095.
Default value: 1
This parameter must be defined when the feature, DHCP Assist, is enabled on a Foundry switch. A gateway address must be defined for each sub-net that will be requesting addresses from a DHCP server. This allows the stamping process to occur. Each gateway address defined on the switch corresponds to an IP address of the ServerIron interface or other device involved.
Up to eight addresses can be defined for each gateway list in support of ports that are multi-homed. When multiple IP addresses are configured for a gateway list, the switch inserts the addresses into the discovery packet in a round robin fashion.
Up to 32 gateway lists can be defined for each switch.
NOTE: For more details on this command and the DHCP Assist feature, see the Foundry Switch and Router Installation and Basic Configuration Guide.
EXAMPLE:
ServerIron(config)# dhcp-gateway-list 1 192.95.5.1
ServerIron(config)# int e 2
ServerIron(config-if-2)# dhcp-gateway-list 1
Syntax: dhcp-gateway-list <num> <ip-addr>
Possible values: N/A
Default value: N/A
You can use the enable command to assign three levels of passwords to provide a range of access points for various users within the network.
The three levels are:
- Super user: This user has unlimited access to all levels of the CLI. This level is generally reserved for system administration. The super user is also the only user that can assign a password access level to another user.
- Configure Port: This user has the ability to configure interface parameters only. The user can also view any show commands.
- Read only: A user with this password level is only able to view show commands. No configuration is allowed with this password access type.
NOTE: You also can secure access using a RADIUS or TACACS/TACACS+ server or local user accounts. See the Foundry Security Guide.
EXAMPLE:
ServerIron(config)# enable super-user-password Alexis
ServerIron(config)# enable read-only-password Jim
ServerIron(config)# enable port-config-password Bill
Syntax: enable super-user-password | read-only-password | port-config-password <text>
Possible values: Up to 32 alphanumeric characters can be assigned in the text field.
Default value: No system default
Configures the device to perform command authorization and command accounting for commands entered at the console.
EXAMPLE:
ServerIron(config)# enable aaa console
Syntax: enable aaa console
WARNING: If you have previously configured the device to perform command authorization using a RADIUS server, entering the enable aaa console command may prevent the execution of any subsequent commands entered on the console.
This happens because RADIUS command authorization requires a list of allowable commands from the RADIUS server. This list is obtained during RADIUS authentication. For console sessions, RADIUS authentication is performed only if you have configured Enable authentication and specified RADIUS as the authentication method (for example, with the aaa authentication enable default radius command). If RADIUS authentication is never performed, the list of allowable commands is never obtained from the RADIUS server. Consequently, there would be no allowable commands on the console.
Possible values: N/A
Default value: N/A
By default, passwords are never visible, even in the configuration file. If you want passwords to be visible in the configuration file, use the enable password-display command. The next time you display the configuration file, the passwords will be visible along with the commands used to set them. This command takes effect immediately.
EXAMPLE:
ServerIron(config)# enable password-display
Syntax: [no] enable password-display
Possible values: N/A
Default value: Disabled
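The console timeout, enable aaa console and enable password-display sections above each describe a setting whose default or misuse weakens management access. The following audit script is an added example, not Foundry code: it scans a constructed running-config text for those settings and reports findings grounded in the descriptions in this reference. The config line formats it parses are assumed to follow the Syntax lines given above.

```python
import re

# Constructed sample configurations (not captured from a real device). The first
# contains the risky global CONFIG settings this reference describes; the second
# is the corrected form.
RISKY_CONFIG = """\
hostname routernyc
enable super-user-password Alexis
enable password-display
enable telnet password secretsalso
enable aaa console
console timeout 0
aaa authentication login default local
"""

HARDENED_CONFIG = """\
hostname routernyc
enable super-user-password Alexis
enable telnet authentication
enable aaa console
aaa authentication enable default radius local
aaa authentication login default radius local
console timeout 20
"""


def _config_lines(config_text):
    return [ln.strip() for ln in config_text.splitlines() if ln.strip()]


def _radius_enable_auth(lines):
    """True if an 'aaa authentication enable [implicit-user] default ...' line
    lists radius among its methods (the precondition named in the WARNING for
    enable aaa console)."""
    for ln in lines:
        toks = ln.split()
        if toks[:3] == ["aaa", "authentication", "enable"] and "default" in toks:
            methods = toks[toks.index("default") + 1:]
            if "radius" in methods:
                return True
    return False


def audit_global_config(config_text):
    """Return {setting: finding} for risky global CONFIG settings.

    Checks, each taken from this reference:
      * enable password-display makes passwords visible in the config file.
      * console timeout 0 (the default) means serial CLI sessions never idle out.
      * enable aaa console with RADIUS command authorization needs Enable
        authentication via RADIUS, or the allowable-command list is never
        obtained and console commands may be blocked.
      * enable telnet authentication (default: disabled) is what authenticates
        Telnet access against local user accounts or a RADIUS server.
    """
    lines = _config_lines(config_text)
    findings = {}

    if "enable password-display" in lines:
        findings["enable password-display"] = (
            "passwords are shown in clear text in the configuration file")

    timeout = 0  # reference default: sessions never time out
    for ln in lines:
        m = re.fullmatch(r"console timeout (\d+)", ln)
        if m:
            timeout = int(m.group(1))
    if timeout == 0:
        findings["console timeout"] = "serial CLI sessions never time out"

    if "enable aaa console" in lines and not _radius_enable_auth(lines):
        findings["enable aaa console"] = (
            "Enable authentication does not use RADIUS; if RADIUS command "
            "authorization is configured, no allowable-command list is ever "
            "obtained and subsequent console commands may be refused")

    if "enable telnet authentication" not in lines:
        findings["enable telnet authentication"] = (
            "Telnet access is not authenticated against local user accounts "
            "or a RADIUS server (default: disabled)")

    return findings
```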
Removes the stop page display characteristic for the write terminal command. For example, by default, when a user enters the command write terminal the full configuration will generally involve more than a single page display. You are prompted to enter the return key to view the next page of information. When this command is enabled, this page-by-page prompting will be removed and the entire display will roll on the screen until the end is reached.
To re-enable the stop page display characteristic, enter the no enable skip-page-display command.
EXAMPLE:
To remove the page-by-page display of configuration information, enter the following:
ServerIron(config)# enable skip-page-display
Syntax: enable skip-page-display
Possible values: N/A
Default value: Disabled
Enables users of IronView or other SNMP management applications to configure RADIUS authentication parameters on the ServerIron.
EXAMPLE:
To enable IronView users to configure RADIUS authentication parameters on the ServerIron, enter the following:
ServerIron(config)# enable snmp config-radius
Syntax: enable snmp config-radius
Possible values: N/A
Default value: Disabled
Enables users of IronView or other SNMP management applications to configure TACACS/TACACS+ authentication parameters on the ServerIron.
EXAMPLE:
To enable IronView users to configure TACACS/TACACS+ authentication parameters on the Foundry device, enter the following:
ServerIron(config)# enable snmp config-tacacs
Syntax: enable snmp config-tacacs
Possible values: N/A
Default value: Disabled
Allows you to use local access control or a RADIUS server to authenticate telnet access to the ServerIron.
EXAMPLE:
ServerIron(config)# enable telnet authentication
Syntax: [no] enable telnet authentication
Possible values: N/A
Default value: Disabled
Allows you to assign a password for Telnet session access. To close a Telnet session, enter logout.
EXAMPLE:
ServerIron(config)# enable telnet password secretsalso
Syntax: enable telnet password <text>
Possible values: Up to 32 alphanumeric characters can be assigned as the password.
Default value: No system default.
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
ServerIron(config)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
Moves activity up one level from the current level. In this case, activity will be moved to the privileged level.
EXAMPLE:
To move from the global level, back to the privileged level, enter the following:
ServerIron(config)# exit
ServerIron#
Syntax: exit
Possible values: N/A
Default value: N/A
Configures the Fast Port Span feature, which allows faster STP convergence on ports that are attached to end stations.
EXAMPLE:
To enable Fast Port Span:
ServerIron(config)# fast port-span
EXAMPLE:
To exclude a port from Fast Port Span, while leaving Fast Port Span enabled globally:
ServerIron(config)# fast port-span exclude ethernet 1
Syntax: [no] fast port-span [exclude ethernet <portnum> [ethernet <portnum>... | to <portnum>]
Possible values: Valid port numbers
Default value: Enabled
Configures the Fast Uplink Span feature, which reduces the convergence time for uplink ports to another device to just four seconds (two seconds for listening and two seconds for learning).
EXAMPLE:
To configure a group of ports for Fast Uplink Span, enter the following commands:
ServerIron(config)# fast uplink-span ethernet 1 to 4
Syntax: [no] fast uplink-span [ethernet <portnum> [ethernet <portnum>... | to <portnum>]
Possible values: Ports that have redundant uplinks on a wiring closet switch.
Default value: Disabled
Allows you to turn flow control (802.3x) for full-duplex ports on or off (no). By default, flow control is on. To turn the feature off, enter the command no flow-control.
EXAMPLE:
ServerIron(config)# no flow-control
To turn the feature back on later, enter the following command:
ServerIron(config)# flow-control
Syntax: [no] flow-control
Possible values: N/A
Default value: on
Changes the default negotiation mode for Gigabit ports on Chassis devices. You can configure the default Gigabit negotiation mode to be one of the following:
- Negotiate-full-auto – The port first tries to perform a handshake with the other port to exchange capability information. If the other port does not respond to the handshake attempt, the port uses the manually configured configuration information (or the defaults if an administrator has not set the information). This is the default for Chassis devices (including the TurboIron/8).
- Auto-Gigabit – The port tries to perform a handshake with the other port to exchange capability information. This is still the default for Stackable devices.
- Negotiation-off – The port does not try to perform a handshake. Instead, the port uses configuration information manually configured by an administrator.
See the “Configuring Basic Features” chapter of the Foundry Switch and Router Installation and Basic Configuration Guide for more information.
NOTE: This command does not apply to Stackable devices. To change the negotiation mode for a Stackable Gigabit Ethernet port, use the [no] auto-gig command at the Interface level. See "auto-gig".
EXAMPLE:
To change the mode globally to negotiation-off, enter the following command:
ServerIron(config)# gig-default neg-off
To override the global default on an individual Gigabit port, see "gig-default" .
Syntax: gig-default neg-full-auto | auto-gig | neg-off
Possible values: see above
Default value: neg-full-auto
Changes the CLI to the GSLB affinity configuration level. See "GSLB Affinity Commands" for information about the commands at this level.
EXAMPLE:
To configure an affinity definition, enter commands such as the following:
ServerIron(config)# gslb affinity
ServerIron(config-gslb-affinity)# prefer sunnyvale slb-1 for 0.0.0.0/0
ServerIron(config-gslb-affinity)# prefer atlanta slb-1 for 192.108.22.0/22
These commands configure a default affinity definition (using the 0.0.0.0/0 prefix) and an affinity definition that uses prefix 192.108.22.0/22. For clients that are not within the prefix in the second affinity definition, the ServerIron uses the default affinity definition. The ServerIron sends clients whose IP addresses are within the 192.108.22.0/22 prefix to a VIP on slb-1 at the “atlanta” site, when available. The ServerIron sends all other clients to a VIP on slb-1 at the “sunnyvale” site when available.
Syntax: gslb affinity
This command places the CLI at the affinity configuration level.
Syntax: [no] prefer <site-name> <si-name> | <si-ip-addr> for <ip-addr> <ip-mask> | <ip-addr>/<prefix-length>
You can refer to the ServerIron by its GSLB site name and ServerIron name or by its management IP address. Use one of the following parameters:
- The <site-name> and <si-name> parameters specify the remote site and a ServerIron at that site. If you use this method, you must specify both parameters.
- The <si-ip-addr> parameter specifies the site ServerIron’s management IP address.
NOTE: In either case, the running-config and the startup-config file refer to the ServerIron by its IP address.
The <ip-addr> <ip-mask> or <ip-addr>/<prefix-length> parameter specifies the prefix. You can specify a mask from 0.0.0.0 – 255.255.255.254. If you instead specify a prefix length, you can specify from 0 – 31 bits.
If you specify 0.0.0.0 0.0.0.0 or 0.0.0.0/0, the ServerIron applies the affinity definition to all client addresses. As a result, an address that does not match another affinity definition uses the zero affinity definition by default. If you do not configure a default affinity definition, the ServerIron uses the standard GSLB policy for clients whose addresses are not within a prefix in an affinity definition.
Possible values: see above
Default value: N/A
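To make the affinity selection above concrete, the following is an added example (not ServerIron code) that parses prefer prefixes in both accepted forms, enforces the 0 – 31 bit / 255.255.255.254 limit, and resolves a client address to a site. It assumes that when several definitions match, the most specific prefix wins, which is consistent with the default 0.0.0.0/0 definition applying only to clients not matched by another definition.

```python
import ipaddress


def parse_prefix(spec):
    """Parse '<ip-addr> <ip-mask>' or '<ip-addr>/<prefix-length>' into an
    IPv4Network. Masks up to 255.255.255.254 (prefix lengths 0 - 31) are
    accepted, as the reference states; /32 is rejected."""
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
    else:
        addr, mask = spec.split()
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    if net.prefixlen > 31:
        raise ValueError(
            f"prefix length must be 0 - 31 (mask up to 255.255.255.254): {spec}")
    return net


def build_affinity(definitions):
    """definitions: list of (site-name, si-name, prefix-spec) tuples, one per
    'prefer' command. Returns a list ready for select_site()."""
    return [(site, si, parse_prefix(spec)) for site, si, spec in definitions]


def select_site(affinity, client_ip):
    """Return (site-name, si-name) of the most specific affinity definition
    containing client_ip, or None when nothing matches (no default
    definition configured), in which case the standard GSLB policy applies.
    Longest-prefix-wins is an assumption of this example."""
    client = ipaddress.IPv4Address(client_ip)
    best = None
    for site, si, net in affinity:
        if client in net and (best is None or net.prefixlen > best[2].prefixlen):
            best = (site, si, net)
    return None if best is None else (best[0], best[1])


# Constructed definitions mirroring the example commands in this section.
EXAMPLE_AFFINITY = build_affinity([
    ("sunnyvale", "slb-1", "0.0.0.0/0"),
    ("atlanta", "slb-1", "192.108.22.0/22"),
])

# Same definitions without the default 0.0.0.0/0 entry.
NO_DEFAULT_AFFINITY = build_affinity([
    ("atlanta", "slb-1", "192.108.22.0 255.255.252.0"),
])
```

Note that 192.108.22.0/22 covers 192.108.20.0 through 192.108.23.255 once the prefix is normalised, so a client at 192.108.21.7 is also sent to the atlanta site.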
Changes the TCP port number used by the GSLB protocol. By default, a GSLB ServerIron uses TCP port 182 to exchange GSLB information with other ServerIrons, including the site ServerIrons. You can change the GSLB protocol port if needed. For example, if other devices in the network also use port 182, but for other applications, you need to change the protocol on those devices or on the ServerIrons.
NOTE: If you change the GSLB protocol port number, you must save the change to the startup-config file and reload the software to place the change into effect. Also, you must change the port to the same number on all ServerIrons in the GSLB configuration. If the port number in two GSLB ServerIrons is not the same, those ServerIrons are not able to properly perform GSLB.
EXAMPLE:
To change the GSLB protocol port number on a ServerIron, enter commands such as the following:
ServerIron(config)# gslb communication 1882
ServerIron(config)# write memory
ServerIron(config)# end
ServerIron# reload
The first command changes the TCP protocol port from 182 to the specified port number, in this example 1882. The subsequent commands save the configuration change to the startup-config file and reload the software to place the change into effect.
Syntax: [no] gslb communication <tcp-portnum>
The <tcp-portnum> parameter specifies the TCP port number you want the ServerIron to use for exchanging GSLB information with other ServerIrons.
Possible values: a valid TCP port number
Default value: 182
Changes the CLI to the GSLB zone configuration level. See "GSLB DNS Zone Commands" for information about the commands at this level.
EXAMPLE:
To specify the foundrynet.com zone and two host names, each of which is associated with an application, enter the following commands:
ServerIron(config)# gslb dns zone-name foundrynet.com
ServerIron(config-gslb-dns-foundrynet.com)# host-info www http
ServerIron(config-gslb-dns-foundrynet.com)# host-info ftp ftp
The commands in this example add the zone foundrynet.com and add two hosts within that zone: www and ftp. The GSLB ServerIron will provide global SLB for these two hosts within the zone.
Syntax: [no] gslb dns zone-name <name>
The <name> parameter specifies the DNS zone name.
NOTE: If you delete a DNS zone (by entering the no gslb dns zone-name <name> command), the zone and all the host names you associated with the zone are deleted.
Syntax: [no] host-info <host-name> <host-application> | <tcp/udp-portnum>
The <host-name> parameter specifies the host name. You do not need to enter the entire (fully-qualified) host name. Enter only the host portion of the name. For example, if the fully qualified host name is www.foundrynet.com, do not enter the entire name. Enter only “www”. The rest of the name is already specified by the gslb dns zone-name command. You can enter a name up to 32 characters long.
The <host-application> specifies the host application for which you want the GSLB ServerIron to provide global SLB. You can specify one of the following:
- FTP – the well-known name for port 21. (Ports 20 and 21 both are FTP ports but on the ServerIron, the name “FTP” corresponds to port 21.)
- TFTP – the well-known name for port 69
- HTTP – the well-known name for port 80
- IMAP4 – the well-known name for port 143
- LDAP – the well-known name for port 389
- NNTP – the well-known name for port 119
- POP3 – the well-known name for port 110
- SMTP – the well-known name for port 25
- TELNET – the well-known name for port 23
The <tcp/udp-portnum> parameter specifies a TCP/UDP port number instead of a well-known port. If the application is not one of those listed above, you still can configure the GSLB ServerIron to perform the Layer 4 health check on the specified port.
NOTE: If the application number does not correspond to one of the well-known ports recognized by the ServerIron, the GSLB ServerIron performs Layer 4 TCP or UDP health checks for the ports but does not perform application-specific health checks.
Possible values: see above
Default value: N/A
Changes the CLI to the GSLB policy configuration level. See "GSLB Policy Commands" for information about the commands at this level.
EXAMPLE:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)#
Syntax: gslb policy
Possible values: N/A
Default value: N/A
Enables the GSLB protocol on a site ServerIron in a GSLB configuration. The GSLB protocol is enabled by default on the GSLB ServerIron but is disabled by default on the site ServerIrons.
NOTE: The ServerIron uses TCP port 182 for the GSLB protocol by default. You can change the port number if needed. See "gslb communication" .
EXAMPLE:
ServerIron(config)# gslb protocol
Syntax: [no] gslb protocol
Possible values: N/A
Default value: N/A
Changes the CLI to the GSLB site configuration level. See "GSLB Site Commands" for information about the commands at this level.
EXAMPLE:
To identify two server sites, each of which has two ServerIrons, enter the following commands:
ServerIron(config)# gslb site sunnyvale
ServerIron(config-gslb-site-sunnyvale)# si-name slb-1 209.157.22.209
ServerIron(config-gslb-site-sunnyvale)# si-name slb-2 209.157.22.210
ServerIron(config)# gslb site atlanta
ServerIron(config-gslb-site-atlanta)# si-name slb-1 192.108.22.111
ServerIron(config-gslb-site-atlanta)# si-name slb-2 192.108.22.112
These commands configure two GSLB sites. One of the sites is in Sunnyvale and the other is in Atlanta. Each site contains two ServerIrons that load balance traffic across server farms. The GSLB ServerIron you are configuring will use information provided by the other ServerIrons when it evaluates the servers listed in DNS replies.
Syntax: [no] gslb site <name>
The <name> parameter is a text string that uniquely identifies the site on the GSLB ServerIron. You can enter a string up to 16 characters long. The string can contain blanks. To use blanks, enclose the string in quotation marks.
NOTE: If you delete a GSLB site (by entering the no gslb site <name> command), the site and all the ServerIrons you associated with the site are deleted.
Syntax: [no] si-name [<name>] <ip-addr>
The <name> parameter specifies a unique name for the ServerIron at the site. You can enter a string up to 16 characters long. The string can contain blanks. To use blanks, enclose the string in quotatio |