Post on 12-May-2018


Page 1: PacketShaper® CLI Commands in Print - Symantec · CLI in Print is a printed version of all the commands, ... If the unit has already been configured for your network, you can connect

PacketShaper®CLI Commands in Print

PacketWise® Version 9.2


© 2013 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only.

BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, technical services, and any other technical data referenced in this document are subject to U.S. export control AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

SNMP Research SNMP Agent Resident Module Version 14.2.1.7. Copyright 1989-1997 SNMP Research, Inc.

This product includes software developed by the University of California, Berkeley and its contributors. Portions Copyright © 1982, 1983, 1986, 1989, 1990, 1993 by The Regents of the University of California. All rights reserved.

Portions Copyright © 1996 by Internet Software Consortium.

Portions Copyright © 1993 by Digital Equipment Corporation.

Portions Copyright © 1990 by Regents of the University of Michigan. All rights reserved.

This product includes software developed by the University of California, Berkeley and its contributors. Portions Copyright © 2001 Mike Barcroft. Portions Copyright © 1990, 1993 by The Regents of the University of California. All rights reserved.

This product incorporates software for zipping and unzipping files.

UnZip 5.42 of 14 January 2001, by Info-ZIP.

Zip 2.3 (November 29th 1999).

Copyright © 1990-1999 Info-ZIP

Portions copyright 1994, 1995, 1996, 1997, 1998, by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, by Boutell.Com, Inc. GIF decompression code copyright 1990, 1991, 1993, by David Koblas ([email protected]). Non-LZW-based GIF compression code copyright 1998, by Hutchison Avenue Software Corporation (http://www.hasc.com/, [email protected]).

Portions Copyright © 2006 Narciso Jaramillo. <[email protected]>

TACACS+ software Copyright 2000,2001 by Roman Volkov.

* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials

provided with the distribution.

* The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.

U.S. Government Restricted Rights

Blue Coat software comprises “commercial computer software” and “commercial computer software documentation” as such terms are used in 48 C.F.R. 12.212 (SEPT 1995) and is provided to the United States Government (i) for acquisition by or on behalf of civilian agencies, consistent with the policy set forth in 48 C.F.R. 12.212; or (ii) for acquisition by or on behalf of units of the Department of Defense, consistent with the policies set forth in 48 C.F.R. 227-7202-1 (JUN 1995) and 227.7202-3 (JUN 1995). Blue Coat software is provided with “RESTRICTED RIGHTS.” Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in FAR 52.227-14 and DFAR 252.227-7013 et seq. or their successors. Use of Blue Coat products or software by the U.S. Government constitutes acknowledgment of Blue Coat’s proprietary rights in them and to the maximum extent possible under federal law, the U.S. Government shall be bound by the terms and conditions set forth in Blue Coat’s end user agreement.

Blue Coat Systems, Inc.

420 N. Mary Ave.

Sunnyvale, CA 94085

http://www.bluecoat.com

Revision History

November, 2012 PacketWise 9.2.1

July, 2013 PacketWise 9.2.2


About This Guide

PacketGuide is a browser-based reference for PacketShaper and PolicyCenter users. In addition to comprehensive reference material, PacketGuide contains solutions to common network- and application-performance problems.

CLI in Print is a printed version of all the commands, in alphabetical order, that are available in PacketWise. These can be found in the Reference section of PacketGuide. This is a compilation of the HTML pages. Although any page in PacketGuide can be printed from your browser, Blue Coat provides this PDF for printing convenience.

This PDF reflects current information at the time the guide was compiled. The most up-to-date content can be found online at: https://bto.bluecoat.com/packetguide/9.2/reference/cli/index.htm


Command Line Overview

The command-line interface (CLI) provides a UNIX-like interface for accessing the PacketWise software. All of the functions available via the browser interface are also accessible with commands listed in this chapter. In addition, a number of CLI commands support diagnostic tasks that are not incorporated in the browser interface.

This document organizes the commands in alphabetical order.

You can access the command-line interface using one of the following methods:

• Telnet to the unit. See “Using a Remote Login Utility” on page 6.

• Connect a PC or workstation to the unit’s console port for a local connection. See “Using a Direct Serial Connection” on page 6.

Note: To enter commands in your browser window, type the unit’s IP address followed by /cli.htm — for example, http://10.10.10.10/cli.htm.

Command Usage Conventions

A few basic conventions apply to commands:

• Commands are not case sensitive — that is, you can use either uppercase or lowercase characters.

• A command can be abbreviated by entering the minimum number of characters required to uniquely distinguish it from other commands. For example, you can type cl sh instead of class show.

• Command syntax can be verified by typing one of the following:

help <command>
or
<command> ?

where <command> is the name of the command for which you want help.

• To issue multiple commands from a single command line, separate the commands with a semicolon (;) — for example, setup show;traffic bandwidth. The semicolon is the equivalent of pressing the Enter key.

Note: When combining multiple commands on one line, do not attempt to run a command file in series with other commands. The run command executes a separate task and the other commands in the line may not run in sequence.

• To repeat the last CLI command you entered, type !!. To repeat a previous command, type !<n>, where <n> corresponds to the sequence of the command in the current Telnet or console session. For example, !5 repeats the fifth command you entered in the current session. Use the history command to determine the line number of previous commands. Alternatively, you can scroll through the command history by pressing the up and down arrows. You can also edit previously entered commands, as described below.

• <tclass> refers to a traffic class name. Include the class’s full pathname if it is needed to uniquely identify the class. For example, if HTTP appears in both the Inbound and Outbound subtrees, the explicit path is required to identify a specific HTTP class — for example, /inbound/http.
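The abbreviation rule and the semicolon convention above are easy to get wrong in scripts that drive the CLI, because a prefix that is unique today can become ambiguous when a new command is added. The following Python is an added example written for this page, not code from the PacketShaper product or its documentation: COMMANDS is a constructed subset of the commands this page lists, the prefix-matching rule is the one described above, and refusing an ambiguous abbreviation and refusing to chain run with other commands are assumptions about how a pre-flight checker for a command file should behave.

```python
"""Resolve abbreviated PacketWise-style CLI commands by unique prefix.

Added example, not code from the PacketShaper product or its documentation.
COMMANDS is a constructed subset of the commands documented on this page.
"""

# Constructed subset of commands named on this page. Assumption: no command
# is a word-for-word prefix of another (e.g. there is no bare "agent" command).
COMMANDS = [
    "actionfile library", "actionfile prescribe", "actionfile subscribe",
    "actionfile sync", "agent action", "agent createdefaults",
    "agent delete", "agent interval", "agent new", "agent off", "agent on",
    "agent override", "agent parm", "agent show", "class delete",
    "class show", "help", "history", "measure dump", "run",
    "setup shaping", "setup show", "traffic bandwidth",
]


def candidates(text, commands=COMMANDS):
    """All commands whose words are each prefixed by the leading words of text.

    Matching is case-insensitive, as the page states. Any arguments after
    the command words are ignored here.
    """
    words = [w.lower() for w in text.split()]
    found = []
    for cmd in commands:
        parts = cmd.split()
        if len(words) < len(parts):
            continue
        if all(p.startswith(w) for p, w in zip(parts, words)):
            found.append(cmd)
    return sorted(found)


def resolve(text, commands=COMMANDS):
    """Expand "cl sh /inbound/http" to ("class show", "/inbound/http").

    Raises ValueError when no command matches or when the abbreviation is
    ambiguous, so a typo cannot silently become a different command.
    """
    found = candidates(text, commands)
    if not found:
        raise ValueError(f"no command matches {text!r}")
    if len(found) > 1:
        raise ValueError(f"{text!r} is ambiguous: {', '.join(found)}")
    cmd = found[0]
    args = text.split()[len(cmd.split()):]
    return cmd, " ".join(args)


def min_abbrev(command, commands=COMMANDS):
    """Shortest per-word abbreviation for which resolve() returns command."""
    parts = command.split()
    # Only commands with the same number of words compete (see the
    # assumption above); the pool is narrowed word by word.
    pool = [c.split() for c in commands if len(c.split()) == len(parts)]
    short = []
    for i, word in enumerate(parts):
        prefix = word
        for n in range(1, len(word) + 1):
            prefix = word[:n]
            if not any(p[i] != word and p[i].startswith(prefix) for p in pool):
                break
        short.append(prefix)
        pool = [p for p in pool if p[i].startswith(prefix)]
    return " ".join(short)


def plan_line(line, commands=COMMANDS):
    """Split a semicolon-separated line into resolved (command, args) pairs.

    Enforces the page's caveat: run executes as a separate task, so it must
    not be chained with other commands on one line.
    """
    segments = [s for s in line.split(";") if s.strip()]
    resolved = [resolve(s, commands) for s in segments]
    if len(resolved) > 1 and any(cmd == "run" for cmd, _ in resolved):
        raise ValueError("do not chain run with other commands on one line")
    return resolved


if __name__ == "__main__":
    for text in ("cl sh", 'ag sh name "My Agent"', "setup show;traffic bandwidth"):
        print(text, "->", plan_line(text))
    for cmd in ("class show", "agent on", "agent override", "actionfile sync"):
        print(cmd, "->", min_abbrev(cmd))
```

Run as a script it prints the expansion of a few abbreviated lines and the minimum abbreviation of several commands; note that against the constructed list "c s" already identifies class show, whereas on a real unit the full command set decides what is unique, which is why resolving against the unit's own command list (help, or <command> ?) is the safer check.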


Editing Previously Entered Commands

If you make a typing mistake in your command, you don’t need to retype it — you can redisplay the command and edit it. This capability is available via Telnet or SSH, but not via a direct console connection.

Function                                    Technique
Display a previously entered command        Press up arrow until the command you want is displayed
Scroll down through the command history     Press down arrow
Move cursor to the left                     Press left arrow
Move cursor to the beginning of the line    Press Ctrl+a
Move cursor to the right                    Press right arrow
Insert characters                           Position cursor and start typing
Delete character                            Press Backspace or Delete (characters are deleted to the left of the cursor)
Delete all characters on the line           Press Ctrl+u

Note: If the arrow keys aren’t working, make sure your Telnet client is emulating VT100 arrows. You may need to enable this option in your client.

Typographical Conventions

The following typographical conventions are used for command syntax:

Convention           Description                                                                          Example
Boldface             Commands                                                                             class delete web_in
[Square brackets]    Optional arguments in a command line                                                 class show [<tclass>]
<angle brackets>     Required arguments for which you will supply a name                                  measure dump <arg>
Pipe character ( | ) The “or” symbol in a command line — choose one of the options separated by the | symbol   setup shaping <on|off|bypass>


Accessing the Command-Line Interface

You can access the command-line interface using one of the following methods:

• Use a remote login utility. You can use Telnet for clear text or an SSH (Secure Socket Shell) client for encrypted text.

• Connect a PC or workstation to the unit’s console port for a local connection.

Using a Remote Login Utility

You are free to choose any remote login utility that is available for your operating system. For example, for clear text connections, you can use Telnet. For secure connections, you can choose any SSH client, such as SecureCRT for Windows or OpenSSH for UNIX operating systems.

To access the PacketWise command-line interface with a remote login utility:

1. First, verify that your workstation can access the unit. See the PacketShaper Quick Start Guide for installation details.

2. If the unit has already been configured for your network, you can connect to it using its IP address, for example: telnet 10.10.1.100 or ssh 10.10.1.100. When you connect successfully, you will be prompted for the unit’s password.

3. Enter the password and press Enter.

Using a Direct Serial Connection

To access the command-line interface via a serial connection:

1. Using the provided null-modem cable, attach a workstation or PC to the unit’s port labeled Console.

2. Start your terminal emulation program (such as HyperTerminal).

3. Verify that you have configured your program with the following values to communicate with the unit’s console serial port: 9600 bps, 8 data bits, 1 stop bit, no parity, no hardware flow control.

If you are using a modem connected to the serial port, the modem must be set to: 9600 bps, 8 data bits, 1 stop bit, no parity, auto-answer (usually ATH1 in the standard Hayes command set), and DTR always on (usually a DIP switch setting). Check the modem manual for details.

4. Power on the unit, if you have not already done so. If it was already turned on, you will need to press Enter several times to make the connection.

When you connect successfully, you will be prompted for the unit’s password.


actionfile library

For PolicyCenter only

Show the current portfolios of adaptive response action files available for distribution from PolicyCenter to individual PacketShapers.

actionfile library [verbose]

The actionfile library command shows the name of the available portfolios only. Use actionfile library verbose to view the names of all the action files within each portfolio.

PacketGuide™ for PacketWise® 9.2

7


actionfile prescribe

For PolicyCenter only

Prescribe a group of adaptive response action files by portfolio name. Use the actionfile library command to determine available action file portfolios.

actionfile prescribe <portfolio> default|none|show

<portfolio> Name of portfolio. A portfolio is any sub-folder of PolicyCenter/publish/action that contains a group of action files.

default|none|show On a child configuration, the default option allows that child configuration to inherit its portfolio of action files from its parent configuration. (On a parent configuration, the default option sets the prescription to unconfigured.) Specify none if the configuration should not inherit its portfolio. The show option shows the configuration's current prescribed portfolio of action files.


actionfile subscribe

For PolicyCenter only

Configure when and how often PacketShapers assigned to a PolicyCenter configuration update their portfolio of adaptive response action files.

actionfile subscribe asap|scheduled|default

The actionfile subscribe command has the following options:

asap PacketShapers assigned to the configuration will automatically update their action file portfolio as soon as an updated portfolio is prescribed.

scheduled PacketShapers assigned to the configuration will wait for the actionfile sync command before downloading the prescribed portfolio of files.

default If a child configuration is set to default, the child configuration inherits its action file subscription behavior from its parent. If a parent configuration is set to default, units assigned to the parent configuration will automatically update their action file portfolio as soon as an updated portfolio is prescribed.

See also: actionfile sync


actionfile sync

For units in shared mode only

Issue this command from an individual PacketShaper to immediately download adaptive response action files prescribed for the unit’s PolicyCenter configuration. This command is only required when the PolicyCenter configuration prescription mode has been set to scheduled with the actionfile subscribe command.

Note: It is not necessary to issue this command if the prescription mode is currently in its default state, or has been set to asap with the actionfile subscribe command.

actionfile sync <seconds>

If you include the optional <seconds> value, the actionfile sync operation runs for the specified number of seconds.


agent action

Delete an adaptive response action file, temporarily disable or reenable an existing action file, or modify the value of an existing parameter. Note that this command will not create a new action file, or add a new parameter to an existing action file.

agent action <name> green|red [on <filename>]|[off]|[delete]|[parm <parm-name> <parm-value>]|[resetparms]

<name> Name of the agent. If the agent name has a space, the words must be entered within quotation marks, for example “My Agent.” If the agent name is a single word, the quotation marks are not necessary.

green|red Action file will trigger when the green or red threshold is crossed.

[on <filename>] | [off] | [delete] Specify one of the following:

on: Enables the action file. Specify the name of the action file you want to associate with the agent with the <filename> variable.

off: Disables the action file.

delete: Deletes the action file specification for the agent. The action file is no longer associated with the agent, but the action file is not removed from the unit or PolicyCenter server.

[parm <parm-name> <parm-value>] Specify the following:

<parm-name>: The name of the action file parameter being modified

<parm-value>: The new value of the parameter

[resetparms] Specify this operation only when action file parameters have been edited and need updating. Agents will not recognize new action file parameters unless the action file is reset with this variable.

Before you can issue any other agent action commands, you must first issue the command agent action <name> green|red on <filename> to associate an action file with the agent. You may then issue any of the following commands (see the table above for an explanation of variables):

agent action <name> green|red off

agent action <name> green|red delete

agent action <name> green|red resetparms

agent action <name> green|red parm <parm-name> <parm-value>

For example:

agent action "Packet Drops" green on actnfile.cmd

agent action "Packet Drops" green parm ClassName /outbound/Citrix

See also: Create Command Files


agent createdefaults

Recreate the default set of agents. The adaptive response feature must be enabled before you can create default agents with this command.

agent createdefaults

Note that this command will not overwrite any existing default agents that you may have customized, nor does it remove any new agents you may have created.

For a list of predefined (default) agents, see Adaptive Response Overview.


agent delete

Delete an existing adaptive response agent. Scoring and status information for the agent will no longer appear in the agent pop-up window on the unit's info page or the PolicyCenter configurations page.

agent delete <name>

where <name> is the name of the agent. If the agent name has a space, the words must be entered within quotation marks, for example, “High Bandwidth Host.” If the agent name is a single word, the quotation marks are not necessary.


agent interval

Set an evaluation interval for an adaptive response agent, in minutes. An evaluation interval determines how often the agent checks the status of its target.

agent interval <name> <interval> | default

where <name> is the name of the agent. If the agent name has a space, the words must be entered within quotation marks, for example, “High Bandwidth Host.” If the agent name is a single word, the quotation marks are not necessary. Specify the interval in minutes, or enter default for the default evaluation interval. The maximum evaluation interval allowed is 99999 minutes; the minimum is 1 minute.


agent new

Create a new adaptive response agent based on one of the agent templates. Note that this command creates a new agent, but does not allow you to specify parameter values. Once you have created a new agent, issue the command agent parm to change the parameter values from their default settings. Each PacketShaper or PolicyCenter configuration can have a maximum of 32 agents.

Note: Some agent templates do not allow multiple instances. If you want to create a new agent from the following templates, first delete the existing agent from that template from your unit or PolicyCenter configuration.

• High Bandwidth Host
• New Application
• High Bandwidth New App
• Memory Allocation
• Unit Limits
• System Load

agent new <name> <template>

<name> Name you want to assign to the agent. An agent name can have up to 32 alphanumeric characters, including -, _, and . (period). If the agent name has a space, the words must be entered within quotation marks, for example, “My Agent.” If the agent name is a single word, the quotation marks are not necessary.

<template> Specify one of the following agent templates:

• Class ME Variables
• Default Traffic
• Failed Flow Ratio
• High Bandwidth Host
• High Bandwidth New App
• Host Info Variables
• Link ME Variables
• Memory Allocation
• New Application
• NFPM Failed Flows
• NFPM Side Unknown
• Partition ME Variables
• Partition Utilization
• System Load
• Traffic Performance
• Unit Limits

Example:

agent new testagent "Class ME Variables"

agent new "agent two" "Class ME Variables"
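The constraints on agent new (name characters and length, quoting of names with spaces, the single-instance templates and the 32-agent ceiling) are the kind of thing that is easiest to check before a command file is pushed to many units. The following Python is an added example written for this page, not code from the PacketShaper product or its documentation: the template list, name rules and limits are those stated above, while treating a duplicate agent name as an error and counting spaces toward the 32-character limit are assumptions. The agent parm builder covers the follow-up step the agent new description refers to.

```python
"""Pre-flight checks for `agent new`, building the quoted CLI command line.

Added example, not code from the PacketShaper product or its documentation.
The template names, name rules and limits are those stated on this page;
rejecting duplicate names and counting spaces toward the length limit are
assumptions.
"""
import re

# The 16 agent templates listed on this page.
TEMPLATES = frozenset({
    "Class ME Variables", "Default Traffic", "Failed Flow Ratio",
    "High Bandwidth Host", "High Bandwidth New App", "Host Info Variables",
    "Link ME Variables", "Memory Allocation", "New Application",
    "NFPM Failed Flows", "NFPM Side Unknown", "Partition ME Variables",
    "Partition Utilization", "System Load", "Traffic Performance",
    "Unit Limits",
})

# Templates the page says allow only one agent per unit or configuration.
SINGLE_INSTANCE = frozenset({
    "High Bandwidth Host", "New Application", "High Bandwidth New App",
    "Memory Allocation", "Unit Limits", "System Load",
})

MAX_AGENTS = 32      # per PacketShaper or PolicyCenter configuration
MAX_NAME_LEN = 32    # assumption: spaces count toward the limit
NAME_CHARS = re.compile(r"[A-Za-z0-9._ -]+")   # letters, digits, - _ . and space


def quote(value):
    """Quote a CLI argument only when it contains a space, as the page requires."""
    return f'"{value}"' if " " in value else value


def name_problems(name):
    """Return the list of reasons a proposed agent name is not acceptable."""
    problems = []
    if not name or name != name.strip():
        problems.append("name must not be empty or have leading/trailing spaces")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name is longer than {MAX_NAME_LEN} characters")
    if name and not NAME_CHARS.fullmatch(name):
        problems.append("name may contain only letters, digits, '-', '_', '.' and spaces")
    return problems


def new_agent_problems(name, template, existing):
    """Check an `agent new` request against the page's documented limits.

    existing maps the names of agents already present to their template.
    """
    problems = name_problems(name)
    if template not in TEMPLATES:
        problems.append(f"unknown template {template!r}")
    if name in existing:                       # assumption: names are unique
        problems.append(f"an agent named {name!r} already exists")
    if len(existing) >= MAX_AGENTS:
        problems.append(f"configuration already has {MAX_AGENTS} agents")
    if template in SINGLE_INSTANCE:
        holders = [n for n, t in existing.items() if t == template]
        if holders:
            problems.append(
                f"template {template!r} allows a single instance; "
                f"delete agent {holders[0]!r} first")
    return problems


def agent_new(name, template, existing):
    """Return the `agent new` command line, or raise if the checks fail."""
    problems = new_agent_problems(name, template, existing)
    if problems:
        raise ValueError("; ".join(problems))
    return f"agent new {quote(name)} {quote(template)}"


def agent_parm(name, parm_name, parm_value):
    """Return the `agent parm` line that sets one parameter after creation."""
    return f"agent parm {quote(name)} {parm_name} {quote(str(parm_value))}"


if __name__ == "__main__":
    on_unit = {"testagent": "Class ME Variables", "sysload": "System Load"}
    print(agent_new("agent two", "Class ME Variables", on_unit))
    print(agent_parm("agent two", "ClassName", "/Inbound/Citrix"))
    print(new_agent_problems("load2", "System Load", on_unit))
```

Run as a script it emits the two command lines the page's examples show for names with and without spaces, then reports why a second System Load agent would be refused on a unit that already has one.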


agent off

Disable an existing adaptive response agent without deleting it. The agent will no longer return values or create new reports, yet it can be reenabled at any time with the agent on command.

agent off <name>

where <name> is the name of the agent. If the agent name has a space, the words must be entered within quotation marks, for example, “My Agent.”


agent on

Enable an existing adaptive response agent that has been disabled. The agent will once again return values and create new reports.

agent on <name>

where <name> is the name of the agent to be turned on. If the agent name has a space, the words must be entered within quotation marks, for example “My Agent.”


agent override

For PolicyCenter / PacketShapers in Shared Configuration Mode

Override an adaptive response agent that a child configuration inherits from a parent configuration, so the agent may be modified on the child configuration. Inherited agents cannot be modified until they are overridden.

agent override <name>

where <name> is the name of the agent. If the agent name has a space, the words must be entered within quotation marks, for example, “My Agent.”


agent parm

Specify the parameter values for an adaptive response agent. The agent must have been already defined with the agent new command.

agent parm <name> [<parm-name> <parm-value> | default]

<name> Name of the agent. If the agent name has a space, the words must be entered within quotation marks, for example, “My Agent.” If the agent name is a single word, the quotation marks are not necessary.

<parm-name> The name of the parameter or threshold to be set. Each agent is based on a template which has its own parameters. For parameters associated with each template, see the following:

• Class ME Variables
• Default Traffic
• Failed Flow Ratio
• High Bandwidth Host
• High Bandwidth New App
• Host Info Variables
• Link ME Variables
• Memory Allocation
• New Application
• NFPM Failed Flows
• NFPM Side Unknown
• Partition ME Variables
• Partition Utilization
• System Load
• Traffic Performance
• Unit Limits

<parm-value> The parameter value for <parm-name>, or enter default for the parameter’s default value. For information on the acceptable and default parameter values, see the links above.

default Return the agent to its default values.

Examples:

The first example shown below changes the ClassName parameter for the agent testagent so that the agent will now monitor the class /Inbound/Citrix.

agent parm testagent ClassName /Inbound/Citrix

If you don't specify any parameters, the agent parm command shows current and default parameter settings for the specified agent.

agent parm "System Load"

Score Parms
  RedThreshold    95 (Default: 95)
  GreenThreshold  90 (Default: 90)


agent show

Show data for one or many adaptive response agents, including information on the agent type and category, the corresponding plug-in file, any incident report files, and the agent version number.

The agent show command will show values with a timestamp based upon the end of the evaluation interval. This is different from the measure dump command, which shows values with a timestamp that reflects the beginning of the time interval.

agent show [name <name> | templates | result <score-result> | feedback [<unitSN> <name>]]

<name> Name of the agent. If the agent name has a space, the words must be entered within quotation marks, for example “My Agent.” If the agent name is a single word, the quotation marks are not necessary.

templates Show a list of available adaptive response agent templates.

result <score-result> If the agent is unable to measure its target, the output of the agent show name "<name>" command will display an additional Result category of data showing an explanation of the error and the error code. You can determine the meaning of an error code by issuing the command agent show result <score-result>. See the example below.

<unitSN> <name> Used with the agent show feedback command, the <unitSN> parameter is the serial number of the unit for which you want to view agent data and feedback. This parameter is optional—if you do not specify a unit, the agent show feedback command will show data for all agents (and when issued from PolicyCenter, all agents for all configurations). The <name> parameter is the name of the agent. If no data exists for a new agent, or there is no agent with the specified name, this command will return the output “No feedback available.”

Examples:

The agent show command displays agent information for an individual PacketShaper, or when issued from the PolicyCenter client, agent information for the configuration you are editing. This information includes data on whether or not the agent has been enabled, the name of the agent, and the last score information.

For PolicyCenter configurations, an I to the left of the agent name indicates that the configuration has inherited that agent from a parent configuration. An O to the left of the agent name indicates that the configuration has a local override of an agent that supersedes the agent it inherits from its parent. An exclamation point (!) beside the agent name indicates a configuration error. Last Score Information includes the latest value measured by the agent, its status color, and the time and date of the measurement.

agent show

Status On

Agent Name                      Status  Last Score Information
-------------------------------------------------------------------------------
Class ME Variables agent        On      0 Yellow Wed Jan 12 02:03:00 2005 PST
High Bandwidth New App          On      New score value in 51m 13s.
Inbound Default Traffic         On      1 Green  Wed Jan 12 02:03:00 2005 PST
Outbound Default Traffic        On      0 Green  Wed Jan 12 02:03:00 2005 PST
Partition Utilization agent     On      0 Green  Wed Jan 12 02:03:00 2005 PST
Spoofing - Client               On      0 Green  Wed Jan 12 02:03:00 2005 PST
Spoofing - Server               On      0 Green  Wed Jan 12 02:03:00 2005 PST
Syn Attack - Failed Flows       On      0 Green  Wed Jan 12 02:03:00 2005 PST
Traffic Performance agent       On      1 Red    Wed Jan 12 02:03:00 2005 PST

*NT = No template found for agent.
*NF = Either an action or incident file not found.
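The summary table above is what an operator scans for agents that have crossed their red threshold (the Syn Attack and Spoofing agents are the ones a security team watches) or that cannot measure their target, which the page later describes as a blue status carrying a Result error code. The following Python is an added example written for this page, not code from the PacketShaper product or its documentation: it parses the table into records and lists the agents worth reviewing. SAMPLE is constructed from the page's output with a Blue row and a ! marker added; placing the I, O or ! marker as a single character before the agent name is an assumption, since the page says only that it appears to the left of or beside the name.

```python
"""Parse the summary table printed by `agent show` and flag agents to review.

Added example, not code from the PacketShaper product or its documentation.
SAMPLE is constructed from the output shown on this page; the single-character
I / O / ! marker before the agent name is an assumption about the layout.
"""
import re

# Constructed sample modelled on the page's `agent show` output. The Blue row
# and the "!" marker are added to exercise the error paths the page describes.
SAMPLE = """\
Status On

Agent Name                      Status  Last Score Information
-------------------------------------------------------------------------------
Class ME Variables agent        On      0 Yellow Wed Jan 12 02:03:00 2005 PST
High Bandwidth New App          On      New score value in 51m 13s.
Inbound Default Traffic         On      1 Green  Wed Jan 12 02:03:00 2005 PST
Spoofing - Client               Off     0 Green  Wed Jan 12 02:03:00 2005 PST
Traffic Performance agent       On      1 Red    Wed Jan 12 02:03:00 2005 PST
! Syn Attack - Failed Flows     On      0 Blue   Wed Jan 12 02:03:00 2005 PST

*NT = No template found for agent.
*NF = Either an action or incident file not found.
"""

# Optional marker, agent name (may contain spaces), On/Off, then score text.
ROW_RE = re.compile(
    r"^(?:(?P<flag>[IO!])\s+)?(?P<name>.+?)\s+(?P<status>On|Off)\s+(?P<info>.+?)\s*$")
# "<value> <color> <timestamp>" as shown in Last Score Information.
SCORE_RE = re.compile(
    r"^(?P<value>-?\d+)\s+(?P<color>Green|Yellow|Red|Blue)\s+(?P<when>.+)$")
PENDING = "New score value in"


def parse_agent_show(text):
    """Return one dict per table row: name, flag, enabled, score, color, when, pending."""
    agents, in_table = [], False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("----")   # rows follow the rule line
            continue
        if not line.strip():
            break                                 # blank line ends the table
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised agent show row: {line!r}")
        rec = {"name": m["name"], "flag": m["flag"], "enabled": m["status"] == "On",
               "score": None, "color": None, "when": None, "pending": None}
        info = m["info"]
        s = SCORE_RE.match(info)
        if s:
            rec.update(score=int(s["value"]), color=s["color"], when=s["when"])
        elif info.startswith(PENDING):
            rec["pending"] = info[len(PENDING):].strip()   # e.g. "51m 13s."
        else:
            raise ValueError(f"unrecognised score information: {info!r}")
        agents.append(rec)
    return agents


def needs_attention(agents):
    """Agents whose last score is Red (threshold crossed) or Blue (the agent
    could not measure its target; see agent show name and agent show result),
    plus any carrying the configuration-error marker."""
    return [a["name"] for a in agents
            if a["color"] in ("Red", "Blue") or a["flag"] == "!"]


def disabled(agents):
    """Agents switched off with agent off: they return no values and no reports."""
    return [a["name"] for a in agents if not a["enabled"]]


if __name__ == "__main__":
    rows = parse_agent_show(SAMPLE)
    print("review:", needs_attention(rows))
    print("disabled:", disabled(rows))
```

The parser stops at the first blank line after the table, so the *NT / *NF legend is not mistaken for a row; where on a row those two markers appear is not shown on this page, so they are not interpreted here. A Blue agent is followed up with agent show name "<name>" and agent show result <score-result>, as the page describes below.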

agent show templates

PacketShaper# agent show templates

Template Name             PlugIn File  Incident Report File  Ver Num  Category
-------------------------------------------------------------------------------
Quota Bandwidth Host      -            hostquot.cmd          1.0      Hosts
Host Info Variables       -            hostvar.cmd           1.0      Hosts
Failed Flow Ratio         -            ffratio.cmd           1.0      Hosts
NFPM Failed Flow          -            syn.cmd               1.0      Hosts
NFPM Side Unknown         -            spoof.cmd             1.0      Hosts
Link ME Variables         -            melink.cmd            1.0      User Event Emulation
Partition ME Variables    -            meptn.cmd             1.0      User Event Emulation
Class ME Variables        -            meclass.cmd           1.0      User Event Emulation
High Bandwidth New App    -            susapp.cmd            2.0      Application Health
New Application           -            newapp.cmd            1.0      Application Health
Default Traffic           -            dflttraf.cmd          2.0      Application Health
High Bandwidth Host       -            sushost.cmd           3.0      Hosts
Traffic Performance       -            trafperf.cmd          2.0      Network Health
Partition Utilization     -            ptnutl.cmd            3.0      Network Health
Memory Allocation         -            sysmem.cmd            1.0      Unit Health
System Load               -            sysload.cmd           1.0      Unit Health
Unit Limits               -            syslimit.cmd          1.0      Unit Health

Notes:

The PlugIn File column displays a dash (-) unless the agent's template was loaded from an adaptive response plug-in file. For more information about plug-ins, see Download Plug-Ins.

The incident report files shown in the output above are the files used by each agent to create incident reports. Incident report files are different from action files, as they are used only to generate drill-down incident reports. Do not edit or modify incident report files in any way. Any modifications to an agent’s incident report file could stop new reports from being generated for that agent.

agent show name "inbound default traffic"

Agent Name        Inbound Default Traffic
Status            On

Template Info
  Template Name   Default Traffic
  VerNum          2.0
  Category        Application Health
  Description     This agent monitors the rate (avg-bps) of the default traffic class. This agent can alert you when the amount of traffic not classified (falling into 'default') is too great. This agent must be used with a 'default' (i.e., /Inbound/Default) traffic class.
  Threshold Units: % of bandwidth on the partition
  Action File Variables: $class-id, $avg-bps
  Plugin File     -
  Incident File   9.258/agent/cmd/dflttraf.cmd
  MultiInstance   Allowed
  Interval        1 minute(s)

Score Parms
  RedThreshold    15 (Default: 15)
  GreenThreshold  7 (Default: 7)
  ClassName       /Inbound/default (Default: /Inbound/default)

Color Mappings
  Green           Score < 7
  Red             Score > 15

Last Score Status
  Value           1
  Color           Green
  Start time      Wed Jan 12 02:05:00 2005 PST
  Finish time     Wed Jan 12 02:06:00 2005 PST

New score value in 39s.

If the agent in the example above had a status color of blue, the Last Score Status category would display additional Result information with an explanation of the error and an error code. The example below shows the Last Score Status displaying this additional Result output.

Last Score Status
  Value             0
  Color             Blue
  Result            Agent score parm not found. (score-result:4569) <--------


  Start time        Mon Jun 19 08:19:00 2005 PST
  Finish time       Mon Jun 19 08:20:00 2005 PST

New score value in 45s.

You can determine the meaning of a Result error code with the agent show result <score-result> command. The following example displays information for error code 4569.

agent show result 4569
Agent score parm not found.

This next example shows the resultant output when the command agent show feedback is issued for a PolicyCenter configuration. (If this command is issued for a unit configuration, it shows only the agents on that individual unit.) The Feedback Information includes the latest value measured by the agent, its status color, and the time and date of the measurement.

agent show feedback

Unit          Agent Name    Feedback Information
065-10000193  ClassMeVar    1 Green  Mon Jul 19 22:33:01 2005 LST
065-10000193  Hosts         1 Green  Mon Jul 19 22:38:01 2005 LST
065-10000179  ClassMeVar    2 Yellow Mon Jul 19 22:33:01 2005 LST
065-10000179  Hosts         7 Yellow Mon Jul 19 22:38:01 2005 LST
065-10000238  PacketDrops   0 Green  Mon Jul 19 23:00:06 2005 LST
065-10000238  Hosts         1 Green  Mon Jul 19 23:00:06 2005 LST

Issue the agent show feedback command with the <unit#> and <name> parameters to display data for one agent on a single unit.

agent show feedback 025-10000210 "FTP Partition Over Limit"

Score Feedback:
  Score             18073
  Color             Red
  Category          User Event Emulation
  Start Time        Fri Oct 15 08:56:02 2005 PDT
  Finish Time       Fri Oct 15 09:56:02 2005 PDT

Incident Report Feedback:
  File Output       9.258/agent/cmd/complete/155646.htm
  Result            Success.
  Finish Time       Fri Oct 15 09:56:02 2005 PDT
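Added example (not from the PacketGuide or from PacketWise): a small Python parser for the agent show feedback listing above, which ranks agents by status color so that a non-green agent on any unit stands out when the listing is long. The sample text is constructed to mirror the rows shown above; the function names and the severity ordering (Blue, an agent that failed to produce a score, ranked alongside Red) are this example's own choices, not PacketWise behaviour.

```python
"""Parse `agent show feedback` output and triage agents by status color.

Added example, not PacketWise code. The sample output below is constructed
to match the column layout shown in this section (Unit, Agent Name,
Feedback Information = value, color, timestamp).
"""
import re
from typing import Dict, List

# Constructed sample, mirroring the layout of the feedback listing above.
SAMPLE_FEEDBACK = """\
Unit          Agent Name    Feedback Information
065-10000193  ClassMeVar    1 Green  Mon Jul 19 22:33:01 2005 LST
065-10000193  Hosts         1 Green  Mon Jul 19 22:38:01 2005 LST
065-10000179  ClassMeVar    2 Yellow Mon Jul 19 22:33:01 2005 LST
065-10000179  Hosts         7 Yellow Mon Jul 19 22:38:01 2005 LST
065-10000238  PacketDrops   0 Green  Mon Jul 19 23:00:06 2005 LST
065-10000238  Hosts         1 Green  Mon Jul 19 23:00:06 2005 LST
"""

# One feedback row: unit id, agent name, numeric value, color, timestamp.
ROW_RE = re.compile(
    r"^(?P<unit>\S+)\s+(?P<agent>\S+)\s+(?P<value>\d+)\s+"
    r"(?P<color>Green|Yellow|Red|Blue)\s+(?P<when>.+?)\s*$"
)

# Severity order used for ranking (this example's assumption): Blue means the
# agent errored out instead of scoring, so it is treated like Red.
SEVERITY = {"Green": 0, "Yellow": 1, "Red": 2, "Blue": 2}


def parse_feedback(text: str) -> List[Dict[str, str]]:
    """Return one dict per agent row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def unhealthy_agents(rows: List[Dict[str, str]], min_color: str = "Yellow"):
    """Agents whose color is at least as severe as min_color, worst first."""
    threshold = SEVERITY[min_color]
    hits = [r for r in rows if SEVERITY[r["color"]] >= threshold]
    return sorted(hits, key=lambda r: (-SEVERITY[r["color"]], r["unit"], r["agent"]))


def units_by_worst_color(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """Map each unit id to the worst color any of its agents reported."""
    worst: Dict[str, str] = {}
    for r in rows:
        cur = worst.get(r["unit"])
        if cur is None or SEVERITY[r["color"]] > SEVERITY[cur]:
            worst[r["unit"]] = r["color"]
    return worst


if __name__ == "__main__":
    parsed = parse_feedback(SAMPLE_FEEDBACK)
    for r in unhealthy_agents(parsed):
        print(f"{r['unit']} {r['agent']}: {r['color']} (value {r['value']}) at {r['when']}")
    print(units_by_worst_color(parsed))
```

Feed it the captured output of agent show feedback (for example, the text saved from a CLI session) in place of SAMPLE_FEEDBACK; the per-unit summary is the quickest way to see which units need attention before drilling into individual agents with agent show feedback <unit#> <name>.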


arp

Display and update the Address Resolution Protocol (ARP) table. The ARP table usually does not require user intervention, because it is built automatically by the ARP protocol. If you are reconfiguring or troubleshooting a network problem, you may want to manipulate the table using the arp command.

arp show|test|add|drop|flush|privadd

show                Display the ARP table

test <ipaddress>|<hostname> [<device>]
                    Look up the specified IP address or host name in the ARP table. When using LEMs, make sure to specify the <device> name or number:

                    #  Name
                    0  inside
                    1  outside
                    2  lower_inside or left_inside
                    3  lower_outside or left_outside
                    4  upper_inside or right_inside
                    5  upper_outside or right_outside
                    7  management

                    Note: The device numbers vary according to the number of LEMs installed. If two LEMs are installed, the above numbers are correct. If only one LEM is installed (regardless of whether it's installed in the upper/right or lower/left position), the LEM interfaces will be assigned device numbers 2 and 3. If no LEMs are installed, the management port's device number is 3.

add <ipaddress>|<hostname>
                    Add the MAC address entry for the specified IP address

drop <ipaddress>    Drop the specified IP address entry from the ARP table

flush               Flush the ARP table

privadd <ipaddress> <mac_addr> <device>
                    Add a static ARP entry. This command adds and correlates the specified MAC address to the IP address without trying to resolve it. The entry is permanent in the ARP table and is deleted only when the PacketShaper is reset. It can also be deleted manually using the arp drop command.

Only the show option can be executed in look mode. All other arp options require touch access.


atm add

Add a router. The atm add command enables automatic configuration of routers used in an ATM (Asynchronous Transfer Mode) network. Note that the ATM feature requires Cisco routers using IOS version 12.0 or later. For a list of additional ATM prerequisites, see ATM Overview.

Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

atm add <address> <community>

<address> is the IP address or DNS name of the router.

<community> is the SNMP community string of the router.

To verify that PacketWise was able to detect the IP routes, use the atm routing command. To see the ATM configuration, including the partitions that were created for each virtual circuit, use the atm show command.

See also:

atm options

atm override


atm community

Set a new SNMP community string on the PacketShaper. If the SNMP community read string on your local router has changed from what it was when you configured the ATM feature, you can use the atm community command to set the new string on the unit.

Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

atm community <router> <community>

<router> is the system name or IP address of the router.

<community> is the SNMP community string of the PacketShaper.

In the interval of time before the unit has the new string, you will see that the atm show output no longer shows router or virtual circuit (VC) information. In addition, the partition show output will no longer show the min/max VC partition sizes you might have previously set with the atm override command. However, the entire class tree will remain intact. The ATM routing table will be blank.

After you use this command, the unit will be able to use this new string and communicate successfully with the router on the next configuration update (which happens every five minutes; or you can force it by resetting the box). The atm show command will once again show the router and VC class/partition info, including the CIR/EIR values you might have originally set using the atm override command. The partition show command will show these CIR/EIR values as the min/max of the VC partitions, and the routing table will be populated once more.


atm delete

Delete a router from the ATM configuration.

Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

atm delete <router>

<router> is the IP address or DNS name used when the router entry was created, or the Sysname (local system name) of the router. This command also deletes all traffic classes and partitions created to match the router traffic.


atm map add

Map a subinterface (ATM virtual circuit) to a specific router interface. This is necessary if two virtual circuits on a router are configured with the same VCI and VPI. PacketWise will automatically detect this situation and alert you that you need to do a manual mapping.

Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

atm map add <router> <interface> <subif>

where

<router> The SysName or IP address of the router

<interface> The interface number on the router to which you want to map the unknown subinterface

<subif> The subinterface (ATM virtual circuit) number

The atm show command indicates whether a manual mapping is required (this information appears at the bottom of the output) and provides you with the subinterface number. For example:

These routes require a manual mapping:
SubIf = 281, VPI = 1, VCI = 604

The command to map subinterface 281 to interface 1 on router1 would be:

atm map add router1 1 281

See also:

atm map delete


atm map delete

Remove the mapping of a subinterface (ATM virtual circuit) to a specific router interface.

Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

atm map delete <router> <subif>

where

<router> The SysName or IP address of the router

<subif> The subinterface (ATM virtual circuit) number


atm options

Enable and disable the ATM routing and discovery options for an existing router, or set the default for all new routers created by subsequent atm add commands.

Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

atm options routing|discovery on|off default|<router>

By default, both routing and discovery are enabled.

routing     Automatically fetch the IP routing tables for this device via SNMP and use them in the virtual circuit (VC) traffic class matching rules; also, create an internal routing table in the PacketShaper.

discovery   Activate traffic discovery for all VC classes created for this router

default     Sets the default for all new routers

<router>    The IP address or DNS name used when the router entry was created, or the Sysname (local system name) of the router


atm override

Set Committed Information Rate (CIR) and Excess Information Rate (EIR) values for virtual circuit (VC) partitions.

Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

atm override <router> <interface-number> <vpi> <vci> off|[<cir> <eir>]

Note: After updating the CIR/EIR values with this command, reset the unit so that the new values will take effect.

where:

<router>            The SysName of your router (use atm show to get this name)

<interface-number>  The identifier of the serial interface on your router associated with the given VC (use atm show to get this number, shown in parentheses in the command output)

<vpi>               The Virtual Path Identifier (VPI) of the given VC; VPI is a field in the ATM cell header that identifies the virtual path on which the data will travel from transmitting device to target device. The virtual path contains a bundle of virtual channels.

<vci>               The Virtual Channel Identifier (VCI) of the VC; VCI is a field in the ATM cell header that identifies the virtual circuit on which a single stream of cells will travel from transmitting device to target device. The virtual channel is contained within a virtual path.

off                 Disables previously set CIR/EIR override values

<cir> <eir>         The CIR and EIR values to set; <eir> corresponds to the Peak Cell Rate (PCR).

Use atm show to check CIR and EIR values.


atm route add

Map a virtual circuit (VC) to the IP address of the correct BGP (Border Gateway Protocol) neighbor router so that each IP route can be associated with the correct VC class. This operation is necessary when the SNMP OID for ipRouteIfIndex (1.3.6.1.2.1.4.21.1.2) is missing.

Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

atm route add <router> <ip-address> <interface> <vpi> <vci>

where

<router>        The SysName or IP address of the router

<ip-address>    The IP address of the BGP neighbor router

<interface>     The interface number on the router; this number is shown in the output of the atm show command for the given VC.

<vpi>           The Virtual Path Identifier (VPI) of the given VC; VPI is a field in the ATM cell header that identifies the virtual path on which the data will travel from transmitting device to target device. The virtual path contains a bundle of virtual channels.

<vci>           The Virtual Channel Identifier (VCI) of the VC; VCI is a field in the ATM cell header that identifies the virtual circuit on which a single stream of cells will travel from transmitting device to target device. The virtual channel is contained within a virtual path.

The atm routing table will show the association of each BGP route with the correct VC class after the next configuration update (which happens every 15 minutes) or after the next software reset, whichever comes first.


atm route delete

Delete a static route mapping that was created with the atm route add command.

atm route delete <router> <ip-address>

<router> is the SysName or IP address of the router.

<ip-address> is the IP address of the BGP neighbor from which you want to remove the mapping.


atm route show

Display the routing tables that PacketWise has constructed from routing information obtained from the router via SNMP polling. The router must have a dynamic routing protocol enabled, and the routing option must be enabled on the PacketShaper.

atm route show [<router>]

If you specify a <router>, the output shows the IP routing tables associated with the specified router name or IP address. If you don't specify a <router>, the output displays the tables for all routers.

The output displays the subnets, the routing ID number used in the matching rule for the virtual circuit (VC) class, and the full pathname of the VC class. Dynamic and static routes are listed in separate tables. Routing ID numbers are chosen automatically by PacketWise and are used to link a destination address with the VC class to which it belongs.

This command gives the same output as the atm routing command.


atm routing

Display the routing tables that PacketWise has constructed from routing information obtained from the router via SNMP polling. The router must have a dynamic routing protocol enabled, and the routing option must be enabled on the PacketShaper.

atm routing [<router>]

If you specify a <router>, the output shows the IP routing tables associated with the specified router name or IP address. If you don't specify a <router>, the output displays the tables for all routers.

The output displays the subnets, the routing ID number used in the matching rule for the virtual circuit (VC) class, and the full pathname of the VC class. Dynamic and static routes are listed in separate tables. Routing ID numbers are chosen automatically by PacketWise, and are used to link a destination address with the VC class to which it belongs.

This command gives the same output as the atm route show command.


atm show

Display ATM information.

Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

atm show [<router>]

Specify a <router> by IP address or DNS name; or omit the parameter to display all configured routers.

Example:

atm show 10.12.27.2

Router Address:     10.12.27.2
SysName:            router1
Traffic Discovery:  on
Auto Routing:       on

InterfaceName(Number) Act VPI VCI CIR EIR   Partitions
---------------------------------------------------------------------------
Se1/0/0(2)            +   1   604 0   45.0M /Inbound/router1-Se1_0_0/PVC_1_604
                                           /Outbound/router1-Se1_0_0/PVC_1_604
AT0/0(1)              +   1   604 0   45.0M /Inbound/router1-AT0_0/PVC_1_604
                                           /Outbound/router1-AT0_0/PVC_1_604
AT0/0(1)              +   1   275 0   45.0M /Inbound/router1-AT0_0/PVC_1_275
                                           /Outbound/router1-AT0_0/PVC_1_275
AT0/0(1)              +   1   245 0   45.0M /Inbound/router1-AT0_0/PVC_1_245
                                           /Outbound/router1-AT0_0/PVC_1_245
AT0/0(1)              +   1   225 0   45.0M /Inbound/router1-AT0_0/PVC_1_225
                                           /Outbound/router1-AT0_0/PVC_1_225

These routes have been configured manually:
Interface = 1, SubIf = 281, VPI = 1, VCI = 604

The output shows each of the router's interface names and hardware port numbers, the status ('+' in the Act column indicates active; '-' indicates inactive), the VPI (Virtual Path Identifier), the VCI (Virtual Channel Identifier), the CIR and EIR values for the virtual circuit, and the partition names. The partition name is a combination of the router SysName, the interface name and number, and the VPI and VCI values.

The bottom of the output may indicate that a route requires a manual mapping or that routes have been configured manually (as the above example shows). See atm map add for more information about mapping.
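Added example (not from the PacketGuide or from PacketWise): a Python parser for the VC table printed by atm show, which records each circuit's interface, port number, active flag, VPI/VCI, CIR/EIR and partition names, picks up any "require a manual mapping" lines at the bottom of the output, and checks the printed partition names against the naming pattern visible in the sample above. The sample text is constructed in the layout of the atm show 10.12.27.2 output (with one circuit marked inactive and a pending manual mapping added so that both cases are exercised). The naming rule the check applies, the interface name with '/' replaced by '_' followed by PVC_<vpi>_<vci>, is inferred from the sample and is this example's assumption, not a documented PacketWise rule; the function and class names are the example's own.

```python
"""Parse the VC table printed by `atm show` and check VC partition names.

Added example, not PacketWise code. The sample text is constructed to match
the layout of the `atm show 10.12.27.2` output in this section. The naming
rule applied by expected_partitions() (interface name with '/' replaced by
'_', then PVC_<vpi>_<vci>) is inferred from that sample; it is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: same layout as the page's output, with the third circuit
# marked inactive ('-') and a pending manual mapping at the bottom.
SAMPLE_ATM_SHOW = """\
Router Address:     10.12.27.2
SysName:            router1
Traffic Discovery:  on
Auto Routing:       on

InterfaceName(Number) Act VPI VCI CIR EIR   Partitions
---------------------------------------------------------------------------
Se1/0/0(2)            +   1   604 0   45.0M /Inbound/router1-Se1_0_0/PVC_1_604
                                           /Outbound/router1-Se1_0_0/PVC_1_604
AT0/0(1)              +   1   604 0   45.0M /Inbound/router1-AT0_0/PVC_1_604
                                           /Outbound/router1-AT0_0/PVC_1_604
AT0/0(1)              -   1   275 0   45.0M /Inbound/router1-AT0_0/PVC_1_275
                                           /Outbound/router1-AT0_0/PVC_1_275

These routes require a manual mapping:
SubIf = 281, VPI = 1, VCI = 604
"""


@dataclass
class VirtualCircuit:
    interface: str        # e.g. "Se1/0/0"
    number: int           # hardware port number shown in parentheses
    active: bool          # '+' in the Act column
    vpi: int
    vci: int
    cir: str
    eir: str
    partitions: List[str]  # Inbound and Outbound partition paths


# "Key:   value" header lines (Router Address, SysName, ...).
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s+(?P<val>\S+)\s*$")
# First line of a VC row: iface(number) act vpi vci cir eir first-partition.
VC_ROW_RE = re.compile(
    r"^(?P<iface>\S+?)\((?P<num>\d+)\)\s+(?P<act>[+-])\s+(?P<vpi>\d+)\s+(?P<vci>\d+)\s+"
    r"(?P<cir>\S+)\s+(?P<eir>\S+)\s+(?P<ptn>/\S+)\s*$"
)
# Continuation line carrying the second partition path only.
CONT_RE = re.compile(r"^\s+(?P<ptn>/\S+)\s*$")
# Pending manual mapping line, as shown under "These routes require a manual mapping:".
MANUAL_RE = re.compile(r"^SubIf = (\d+), VPI = (\d+), VCI = (\d+)\s*$")


def parse_atm_show(text: str) -> Tuple[Dict[str, str], List[VirtualCircuit], List[Tuple[int, int, int]]]:
    """Return (header fields, circuits, unmapped (subif, vpi, vci) tuples)."""
    header: Dict[str, str] = {}
    vcs: List[VirtualCircuit] = []
    unmapped: List[Tuple[int, int, int]] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header[m.group("key")] = m.group("val")
            continue
        m = VC_ROW_RE.match(line)
        if m:
            vcs.append(VirtualCircuit(
                interface=m.group("iface"), number=int(m.group("num")),
                active=m.group("act") == "+", vpi=int(m.group("vpi")),
                vci=int(m.group("vci")), cir=m.group("cir"), eir=m.group("eir"),
                partitions=[m.group("ptn")]))
            continue
        m = CONT_RE.match(line)
        if m and vcs:
            vcs[-1].partitions.append(m.group("ptn"))
            continue
        m = MANUAL_RE.match(line)
        if m:
            unmapped.append(tuple(int(x) for x in m.groups()))  # type: ignore[arg-type]
    return header, vcs, unmapped


def expected_partitions(sysname: str, vc: VirtualCircuit) -> List[str]:
    """Inferred rule (assumption): /<dir>/<sysname>-<iface '/'->'_'>/PVC_<vpi>_<vci>."""
    iface = vc.interface.replace("/", "_")
    return [f"/{d}/{sysname}-{iface}/PVC_{vc.vpi}_{vc.vci}" for d in ("Inbound", "Outbound")]


def check_partition_names(text: str) -> List[VirtualCircuit]:
    """Return the circuits whose printed partition names do not follow the inferred rule."""
    header, vcs, _ = parse_atm_show(text)
    sysname = header["SysName"]
    return [vc for vc in vcs if vc.partitions != expected_partitions(sysname, vc)]


def inactive_circuits(text: str) -> List[VirtualCircuit]:
    """Circuits shown with '-' in the Act column."""
    return [vc for vc in parse_atm_show(text)[1] if not vc.active]


if __name__ == "__main__":
    hdr, circuits, pending = parse_atm_show(SAMPLE_ATM_SHOW)
    print(hdr["SysName"], len(circuits), "circuits;", "pending mappings:", pending)
    for vc in inactive_circuits(SAMPLE_ATM_SHOW):
        print("inactive:", vc.interface, vc.vpi, vc.vci)
```

A pending mapping returned by parse_atm_show() is exactly the input atm map add needs (router, interface, and the SubIf value), and a mismatch from check_partition_names() is a cue to look at the class tree before scripting against partition names.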


authentication organization add

For PolicyCenter only

PolicyCenter allows network administrators to define up to 256 different organizations, groups of configurations, and a list of users that can access those configurations.

Only PolicyCenter administrators can view and manage all units and configurations in the PolicyCenter configuration tree. If you want every PolicyCenter user to have complete access to all PolicyCenter configurations and units, you can make every user a PolicyCenter administrator. However, you may find that not all users need such a complete level of access.

You can restrict a user's access to a specific set of PolicyCenter configurations and units by creating a new organization, specifying the configurations and units the users in that organization are allowed to view or manage, then adding users to the organization.

PolicyCenter administrators can issue this command to add new organizations.

authentication organization add <organization>

where <organization> is the name of the new organization. An organization name can be comprised of up to 32 alphanumeric characters, periods, underscores, and dashes. The first character of the name must be a letter.

Once you have created a new organization, you can add new users to the organization with the authentication user add command.

See also:

authentication organization disable

authentication organization delete


authentication organization delete

For PolicyCenter only

PolicyCenter administrators can issue this command to permanently delete existing organizations. This command will also delete the user records of all users assigned to this organization, so they will no longer be able to access PolicyCenter. To temporarily disable all users in this organization while retaining their user information, issue the command authentication organization disable.

authentication organization delete <organization>

where <organization> is the name of the organization to be deleted.

Example:

authentication organization delete org_2

Deleting "org_2" would also delete roles and users within this organization.
Continue with the deletion of this organization? (YES): yes


authentication organization disable

For PolicyCenter only

PolicyCenter administrators can issue this command to temporarily disable one or all other existing organizations. None of the users in a disabled organization will be allowed to access PolicyCenter configurations or units, but their user information will be retained. You can reenable the organization and restore its users' access to PolicyCenter at any time with the authentication organization enable command.

authentication organization disable <organization>|all

where <organization> is the name of the organization to be temporarily disabled. Select the all option to disable all PolicyCenter organizations except for the default PC organization, which cannot be disabled or deleted.

PolicyCenter also allows you to disable individual users in an organization while keeping the rest of the organization active. To disable individual users in an organization, use the command authentication user disable.

See also:

authentication organization delete


authentication organization enable

For PolicyCenter only

PolicyCenter administrators can issue this command to reenable one or more organizations that were temporarily disabled with the authentication organization disable command.

authentication organization enable <organization>|all

where <organization> is the name of the organization to be reenabled. Select the all option to enable all PolicyCenter organizations.

Note: PolicyCenter allows you to disable an entire organization of users and also disable specific individual users within an organization. This command will reenable an organization, but will not reenable a user that was individually disabled with the authentication user disable command.


authentication organization rename

For PolicyCenter only

Rename an existing organization. Any users assigned to the configuration will remain assigned to the organization after it is renamed. You must have touch role access to the default PC configuration to issue this command.

authentication organization rename <name> <newname>

where:

<name>      Current organization name

<newname>   New name for the organization. An organization name can be comprised of up to 32 alphanumeric characters, periods, underscores, and dashes. The first character of the name must be a letter.

See also: authentication organization show


authentication organization show

For PolicyCenter only

View details for your PolicyCenter organization.

authentication organization show [<organization>]

PolicyCenter administrators can issue this command to view details for all PolicyCenter organizations. Organization managers with touch access to any other organization can view details for that one organization only.

authentication organization show

Organization: PC           State: enabled
Organization: Marketing_2  State: enabled
Organization: Sales_1      State: enabled

Found 3 organizations


authentication session end

For PolicyCenter only

Terminate the current active session of another PolicyCenter user. Only PolicyCenter administrators may end a user session.

authentication session end <id> | <username>

where

<id>        User's unique session id. To view the current session IDs for each user currently logged in to PolicyCenter, issue the command authentication session show.

<username>  The user name of the user whose session you want to terminate.


authentication session show

For PolicyCenter only

Display information for current user sessions and attempted logins. Only organization managers with touch role access to an organization may view session information for that organization. PolicyCenter administrators can view information for all users.

authentication session show

For example:

auth session show

ID       Stat       Age      Idle     Limit    Type  Access  User Name
44c9349b logged in  30 secs  2 secs   60 mins  WUI   look    pbosten
44c93480 logged in  112 secs 45 secs  60 mins  WUI   look    lrose
44c93353 logged off 411 secs 0 secs   60 mins  CLI   touch   (admin)

Column     Description
ID         Identification given to the user session
Stat       The status of the session:
           logged in — the user has logged in
           logged out — the user has logged out
Age        Length of time the session has been active — that is, the amount of time since the user logged in
Idle       Amount of time since the user gave a command; whenever a user gives a command, the idle value is reset to zero
Limit      Amount of time a session is idle before the user will be timed out and logged off; for example, if the limit is 60 minutes, a user will get logged off when no commands are given for a 60-minute period.
Type       Type of interface used: CLI (command-line interface) or WUI (web user interface)
Access     User's role for accessing PolicyCenter: Look or Touch
User Name  Name of the user who logged into the session
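Added example (not from the PacketGuide or from PolicyCenter): a Python parser for the authentication session show listing above that converts the Age, Idle and Limit columns to seconds and answers the two questions an administrator reviewing sessions usually has: which active sessions hold touch (modify) rights, and which have sat idle for most of their limit. The sample text is constructed in the column layout shown above, with one extra long-idle CLI touch session added so that both checks return something; the function names and the 90% idle threshold are this example's own choices.

```python
"""Parse `authentication session show` output and audit the active sessions.

Added example, not PolicyCenter code. The sample is constructed to match the
column layout in this section (ID, Stat, Age, Idle, Limit, Type, Access,
User Name); the fourth row is an added long-idle session.
"""
import re
from typing import Any, Dict, List

SAMPLE_SESSIONS = """\
ID       Stat       Age       Idle      Limit    Type  Access  User Name
44c9349b logged in  30 secs   2 secs    60 mins  WUI   look    pbosten
44c93480 logged in  112 secs  45 secs   60 mins  WUI   look    lrose
44c93353 logged off 411 secs  0 secs    60 mins  CLI   touch   (admin)
44c93399 logged in  3500 secs 3400 secs 60 mins  CLI   touch   jsmith
"""

# Only the units that appear in the listing are handled.
UNITS = {"secs": 1, "mins": 60}

SESSION_RE = re.compile(
    r"^(?P<id>[0-9a-f]+)\s+(?P<stat>logged (?:in|off))\s+"
    r"(?P<age>\d+ \w+)\s+(?P<idle>\d+ \w+)\s+(?P<limit>\d+ \w+)\s+"
    r"(?P<type>CLI|WUI)\s+(?P<access>look|touch)\s+(?P<user>\S+)\s*$"
)


def to_seconds(field: str) -> int:
    """Convert a '45 secs' or '60 mins' column value to seconds."""
    n, unit = field.split()
    return int(n) * UNITS[unit]


def parse_sessions(text: str) -> List[Dict[str, Any]]:
    """Return one dict per session row with the time columns in seconds."""
    rows: List[Dict[str, Any]] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue  # header, blank, or unrecognised line
        d: Dict[str, Any] = m.groupdict()
        for key in ("age", "idle", "limit"):
            d[key] = to_seconds(d[key])
        d["active"] = d["stat"] == "logged in"
        rows.append(d)
    return rows


def active_touch_sessions(rows: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Logged-in sessions that can modify configurations; each should be recognised."""
    return [r for r in rows if r["active"] and r["access"] == "touch"]


def idle_near_timeout(rows: List[Dict[str, Any]], fraction: float = 0.9) -> List[Dict[str, Any]]:
    """Logged-in sessions idle for at least `fraction` of their limit."""
    return [r for r in rows if r["active"] and r["idle"] >= fraction * r["limit"]]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    for s in active_touch_sessions(sessions):
        print(f"touch session {s['id']} ({s['type']}) user {s['user']}, idle {s['idle']}s")
    for s in idle_near_timeout(sessions):
        print(f"session {s['id']} user {s['user']} is idle {s['idle']}s of {s['limit']}s")
```

The session IDs returned here are the values authentication session end <id> takes, so an unrecognised touch session found by active_touch_sessions() can be ended by ID rather than by guessing the user name.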


authentication user add

For PolicyCenter only

Add a new user to an organization. Only PolicyCenter administrators and organization managers with touch role access to their organization may add a new user to that organization. PolicyCenter supports up to 512 different user accounts.

authentication user add <username> <organization> <role> <firstname> <lastname> [<password>]

where:

<username>      Login user name for the user. A user name can be comprised of up to 32 alphanumeric characters, periods, underscores, and dashes. The first character of the user name must be a letter. Each PolicyCenter user name must be unique; users in different organizations cannot have the same user name.

<organization>  Name of the organization to which the user will be added

<role>          Specify either look or touch to select a role for the new user. Users with touch access can view and modify settings for the configurations and units assigned to their organization through the PolicyCenter web-browser or command-line interfaces, or via the web-browser or command-line interfaces of their individual assigned units. Users with look access can only view these settings in PolicyCenter, but cannot modify them or access the individual units.

<firstname> <lastname>
                New first and last names for the user. Names cannot have spaces; compound names will require a dash or underscore character (e.g., Ann-Marie or Van_Patten).

<password>      Specify a login password for the user. A password can be up to 19 characters long and include all printable characters, including spaces, periods, underscores, and dashes.
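Added example (not from the PacketGuide or from PolicyCenter), serving the name rules given for authentication organization add and authentication organization rename as well as the user name, name and password rules above: Python validators that apply those rules before a provisioning script sends an authentication user add line, so that a bad value is rejected locally with a reason instead of failing on the unit. The function names are this example's own; the double-quoting of a password containing spaces follows the quoted-argument form shown earlier in this section (agent show name "inbound default traffic"), and rejecting a password that itself contains a double quote is a conservative choice of this example, since the CLI's escaping rule is not documented here.

```python
"""Validate PolicyCenter organization/user names and passwords, then build the
`authentication user add` line.

Added example, not PolicyCenter code. Rules taken from this section: names
are up to 32 characters drawn from letters, digits, '.', '_' and '-' and
start with a letter; first/last names cannot contain spaces; passwords are
up to 19 printable characters (spaces allowed).
"""
import re
import string
from typing import Optional

NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]{0,31}$")
PASSWORD_MAX = 19
# Whitespace other than a plain space is not a printable character for our purposes.
NON_PRINTABLE_WS = "\t\n\r\x0b\x0c"


def name_error(name: str) -> Optional[str]:
    """Return None if a user or organization name is acceptable, else the reason."""
    if not name:
        return "empty"
    if len(name) > 32:
        return "longer than 32 characters"
    if not (name[0].isascii() and name[0].isalpha()):
        return "must start with a letter"
    if not NAME_RE.match(name):
        return "only letters, digits, '.', '_' and '-' are allowed"
    return None


def password_error(password: str) -> Optional[str]:
    """Return None if the password is acceptable, else the reason."""
    if len(password) > PASSWORD_MAX:
        return f"longer than {PASSWORD_MAX} characters"
    if '"' in password:
        # Assumption of this example: the CLI quoting rule is undocumented here.
        return "double quotes are not supported by this builder"
    if any(ch not in string.printable or ch in NON_PRINTABLE_WS for ch in password):
        return "contains a non-printable character"
    return None


def build_user_add(username: str, organization: str, role: str,
                   first: str, last: str, password: Optional[str] = None) -> str:
    """Assemble the CLI line, raising ValueError with a reason for any invalid value."""
    for label, value in (("username", username), ("organization", organization)):
        err = name_error(value)
        if err:
            raise ValueError(f"{label}: {err}")
    if role not in ("look", "touch"):
        raise ValueError("role must be look or touch")
    for label, value in (("firstname", first), ("lastname", last)):
        if not value or " " in value:
            raise ValueError(f"{label}: names cannot be empty or contain spaces")
    parts = ["authentication", "user", "add", username, organization, role, first, last]
    if password is not None:
        err = password_error(password)
        if err:
            raise ValueError(f"password: {err}")
        # Quote the password since it may contain spaces (quoted-argument form
        # as used by `agent show name "inbound default traffic"` in this section).
        parts.append(f'"{password}"')
    return " ".join(parts)


if __name__ == "__main__":
    print(build_user_add("jsmith", "org_2", "touch", "Ann-Marie", "Van_Patten", "s3cret pass"))
    for bad in ("2fast", "ann marie", "a" * 33):
        print(repr(bad), "->", name_error(bad))
```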


authentication user delete

For PolicyCenter only

Permanently delete a user from an organization. You must have touch role access to an organization in order to delete any of its users.

When you delete a user currently logged in to PolicyCenter, that user's session is terminated immediately. Note, however, that immediately terminating another user's PolicyCenter session can cause configuration errors if the user was in the process of making a configuration change.

authentication user delete <username>

where <username> is the login user name for the user you want to delete. This command completely removes the user's personal record from PolicyCenter. To temporarily disable an individual user while retaining his or her user information, use authentication user disable.


authentication user disable

For PolicyCenter only

Temporarily disable a user's login access to PolicyCenter by disabling their user name and password. This command does not delete user records from an organization, so you can reenable these users at any time without having to recreate their user records. (To permanently remove a user record from an organization, issue the command authentication user delete.) You must have touch role access to the user's organization to issue this command.

authentication user disable <username>|[all <organization> <role>]

where:

<username>      User's login user name for accessing PolicyCenter

<organization>  Name of the user's organization

<role>          Specify either look or touch to disable all look or touch users within an organization

See also: authentication user enable


authentication user enable

For PolicyCenter only

Enable either an individual user or all users with a specific role within the organization. This command reactivates users who were temporarily disabled with the authentication user disable command. You must have touch role access to the user's organization to issue this command.

authentication user enable <username>|[all <organization> <role>]

where:

<username>      User's login user name for accessing PolicyCenter

<organization>  Name of the user's organization

<role>          Specify either look or touch to enable all look or touch users within an organization

For example:

authentication user enable jsmith

authentication user enable all org_2 look

Though this command will enable individual users or all users with a specific role, if the organization itself is disabled, these users will still be unable to access PolicyCenter.

See also: authentication organization enable

authentication user name
For PolicyCenter only

Change an existing user's first and last names in their user record. You must have touch role access to the user's organization to issue this command.

authentication user name <username> <firstname> <lastname>

where:

<username> User's login user name for accessing PolicyCenter

<firstname> <lastname> New first and last names for the user. Names cannot have spaces; compound names require a dash or underscore character (e.g., Ann-Marie or Van_Patten).

To add a new user to an organization, use the command authentication user new.

authentication user password
For PolicyCenter only

Modify a user's login password. A password can be up to 19 characters long and include all printable characters, including spaces, periods, underscores, and dashes.

authentication user password <username> [<password>]

where <username> is the login name for the user, and <password> is the new login password for the user.

authentication user rename
For PolicyCenter only

Change the user name for an existing PolicyCenter user. You must be a PolicyCenter administrator or have touch role access to the user's organization to issue this command.

authentication user rename <user> <newname>

where:

<user> User's current login user name for accessing PolicyCenter

<newname> New user name for the user. A user name can be comprised of up to 32 alphanumeric characters, periods, underscores, and dashes. The first character of the user name must be a letter.

To change a user's first and last names in their user record, use the command authentication user name.

authentication user set
For PolicyCenter only

Assign a new role for the user. Users with touch access can view and modify settings for the configurations and units assigned to their organization through the PolicyCenter web-browser or command-line interfaces, or via the web-browser or command-line interfaces of their individual assigned units. Users with look access can only view their configuration settings, but can neither modify them nor access the individual units via PolicyCenter.

authentication user set <username> <role>

where:

<username> User's login user name for accessing PolicyCenter

<role> Specify either look or touch to select a role for the user

authentication user show
For PolicyCenter only

Show detailed user records for an entire organization, or a single user. You must have touch role access to the configuration to issue this command.

authentication user show [<username>]|{all <organization> [<role>]}

where:

<username> User's login user name for accessing PolicyCenter

<organization> Name of the user's organization

<role> Specify either look or touch to view just those users within an organization with a look or touch role.

For example:

authentication user show exampleuser

login name: exampleuser (Joe Smith)
Login time: 2006-03-13 12:30:56 Pacific Standard Time
Logout time: 2006-07-18 18:06:17 Pacific Daylight Time
Organization: Retailer2
Role: Touch

banner show
Note: The banner show command replaces the sys banner command, available in previous PacketWise versions.

Display the messages (such as "Packet shaping: off") that are initially shown after logging into PacketWise. You can use the banner show command to display all of the unit's configuration errors, warning messages, and notices. (This same information is displayed in the Info tab of the browser interface.)

banner show [verbose]

The verbose option displays additional information, such as the date and time and the type of message (notice, warn, etc.).

For example:

banner show

Packet shaping: off.

Power supply 1 FAILED.

INSIDE interface down

cat

Display the contents of a file.

cat <filename>

cd

Change your current directory.

cd <dir>

For example, type cd 9.258/ to change to the unit's data disk.

class capture-ids

Create a text file named classids.txt that contains a list of all well-known class identification values. The classids.txt file is located on the unit's system disk, in the LOG directory (9.256/log), or, if you issue this command from PolicyCenter, in the folder <install_directory>/Blue Coat/PolicyCenter/log. This command is useful when using SNMP — the class ID is the index into tables of real-time class and partition data. For example, the well-known ID for /Inbound is 1 and the ID for /Outbound is 2.

class capture-ids

If you use the cat or more command to view the contents of this file, a list appears with the class ID next to each class name. This list includes all classes that can be auto-discovered — not just the ones currently in the traffic tree. Part of the ID list appears below.

1 /Inbound
2 /Outbound
3 /Inbound/Inside
4 /Inbound/Outside
5 /Inbound/Default
6 /Inbound/Global
7 /Inbound/Global/IP
8 /Inbound/Global/TCP
9 /Inbound/Global/UDP
10 /Inbound/Global/Miscellaneous
11 /Inbound/Global/DECnet
12 /Inbound/Localhost
13 /Inbound/SameSide
15 /Inbound/OutsideVPNTunnel
50 /Outbound/Inside
51 /Outbound/Outside
52 /Outbound/Default
53 /Outbound/Global
54 /Outbound/Global/IP
55 /Outbound/Global/TCP

class category

Assign a traffic class to a host accounting category. (See host accounting categories for details on creating the categories.) Once you have assigned a class to a category, the bytes sent and received for the class will get tallied into the assigned category for both the source and destination hosts. Note: This command is not available on the PacketShaper 900 Lite models.

class category <tclass> none|<category-name>

You can assign multiple classes to each category, if you like. The <tclass> must be a leaf class; that is, you cannot assign a category to a class that has any child classes.

Note: You cannot create a child class after the parent has been assigned to a host accounting category.

To remove a traffic class from a host accounting category, use:

class category <tclass> none

class compress off
Applicable to legacy compression tunnels only; the equivalent command for enhanced tunnels is tunnel class set compression

Turn off compression for a class. If reports indicate that a particular application is not experiencing much compression (perhaps because it is encrypted or already compressed on your network), you can improve response times by turning compression off for the class.

class compress <tclass> off

Note that Xpress automatically turns off compression for services that won't benefit from compression (SSL, for example). For a list of non-compressible services, use the setup compression show services command.

class compress on
Applicable to legacy compression tunnels only; the equivalent command for enhanced tunnels is tunnel class set algorithm

Turn on compression for all services in an Outbound class. This command allows you to experiment with compression on a class basis and can be used for fine-tuning.

class compress <tclass> on [default|override <compressionType> [<dictionaryId>]|nondefault <compressionType> [<dictionaryId>]]

default Uses the predefined compression type for the service(s) in the class. If you used the override parameter to select a different compression type, you can use default to return to the default (predefined) type. Or, if you used the nondefault parameter to turn on compression for services that aren't normally compressed, use default to return to the default settings.

Note: Typing the default parameter is optional. (In other words, typing class compress <tclass> on and class compress <tclass> on default does the same thing.)

override Changes the compression type to be applied to all traffic flows in the class

nondefault Specifies the compression type to be applied to any services in the class that don't have a predefined type. If the class contains any services that have a predefined compression type, this command will not override their predefined type.

Note: Blue Coat has tried to optimize the default compression settings of each service for high compression gains and low latency. Assigning a compression method to a previously uncompressed service may affect computational resources and latency as well as compression efficiency.

The <compressionType> can be any compression dictionary supported by the unit; the supported types will vary according to the model and amount of memory in the unit. To see a list of compression types, look at the setup compression show types command output. A dictionary will be created when a new compression type is used; any classes that subsequently specify this same compression type will share this group dictionary.

With the optional <dictionaryId> parameter, you can assign an ID (1-128) to a particular class. By doing so, a dictionary will be created specifically for this class to use. By giving a class its own dictionary, you can potentially improve compression results. However, these additional dictionaries consume extra compression memory, so be sure to assign IDs only to your most critical and/or active classes. If you have classes with data patterns similar to a class that has its own dictionary, you may want to share the dictionary with these other classes; you can do this by assigning the similar classes the same <dictionaryID> and <compressionType>. If a class has a dictionary ID, it is indicated in the class show <tclass> output.

Note: Xpress will not allow you to change the compression type or assign a dictionary ID to a class when compression is enabled. Therefore, before changing the compression type or assigning a dictionary ID, you must turn compression off.

Examples

In this first example, suppose the outbound/georgia class has a predefined compression type of cna-1M and you want to override this type with zlib-L9. Use this command:

class compress outbound/georgia on override zlib-L9

Or, in the next example suppose the outbound/idaho class contains services that don't have a predefined compression type and you want to see if the cna-4M type has any effect on compression results. Use this command:

class compress outbound/georgia on nondefault cna-4M

If you want the outbound/georgia class to have its own dictionary, you can assign it a dictionary ID. In the following example, the ID is 1:

class compress outbound/georgia on override zlib-L9 1

class copy

Copy a traffic class and its children to another parent in the traffic tree.

class copy <tclass> <new_parent> [children]

Specify the explicit path and class name for the traffic class to be copied and the receiving parent traffic class. For example:

class copy /inbound/HTTP/Gifs /inbound/HTTP/Graphics

Note: Any defined top talkers, top listeners or RTM settings are not copied with a traffic class.

class criteria

Certain services, such as Citrix and Oracle, can be further classified by application-specific criteria. For example, you can create a traffic class for a specific Citrix application or an Oracle database. You can use the class criteria commands to display the attributes that can be specified in a matching rule for these applications and to discover the values that can be specified for the attributes.

class criteria attributes|recent|track

attributes Display the available application-specific criteria

recent Show recently tracked criteria values for a class

track Enable or disable criteria tracking for a class

The application-specific criteria format in a matching rule is:

<application>:<attribute>:<value>

where <application> and <attribute> are as described in the table below, and <value> is specific to your configuration and classification requirements.

This table shows available applications, attributes, and sample values.

Application   Service Type     Attribute       Example of Value
Citrix        Citrix-ICA       application     PeopleSoft
                               client          pat-pc0
                               priority
DCOM          DCOM             UUID            1cbcad78-df0b-4934-b558-87839ea501c9
DICOM         DICOM            server          DICOM_STORAGE
                               client          DICOM_ECHO
FTP           FTP-Data-Clear   FileName        *.mp3
Web           HTTP             host            207.78.98.18
                               url             /Images/*.jpeg
                               content-type    image/gif
                               user-agent      Mozilla/4.0
HTTP-Tunnel   HTTP-Tunnel      host            207.78.98.18
                               port            80
ICMP          ICMP             type            echo
NNTP          NNTP-Clear       GroupName       alt.binaries.*
                                               microsoft.public.games
Oracle        Oracle-netv2     dbname          corp
PostgreSQL    PostgreSQL       dbname          corp
RTCP          RTCP-I           encoding        GSM
                               media           v
                               clock           8000
RTP           RTP-I            encoding        dynamic
                               media
                               clock
                               to              [email protected]
                               from            [email protected]
                               user-agent      *X*Lite*
                               source          207.78.98.18
                               destination     207.78.98.18
SMTP          SMTP-Clear       SenderEmail     *@bluecoat.com
SOAP          SOAP-HTTP        host            207.78.98.18
                               url             /Images/*.jpeg
                               content-type    image/gif
                               user-agent      Mozilla/4.0
SSL           SSL              common name     optionslink.etrade.com
WAP           WAP              WAPURI          *.bluecoat.com

Notes (RTP-I attributes):

For SIP attributes, you can enter a substring of the attribute. For example, to match all Motorola models, you can enter Motorola for the user-agent criteria.

The asterisk (*) wildcard is supported for user-agent.

Note: In order to add an application-specific matching rule to a class, the class' service type must be the one indicated in the Service Type column above. For example, to classify by Oracle database name, the class must be based on the Oracle-netv2 service.

You can use the class criteria commands to identify the specific values to use in application-specific matching rules. First, you use class criteria attributes to get a list of applications and attributes that can be used in matching rules. Next, you use class criteria track to enable tracking on a specific class. Then, you use class criteria recent to see a list of recent values for the class; the output will provide you with the information you need to create an application-specific matching rule.

The following example shows how you can use the class criteria track and class criteria recent commands to identify the SIP user-agent for RTP-I traffic:

PacketShaper# class criteria track /inbound/RTP-I/Default RTP user-agent

After a period of time in which VoIP calls are made, issue the following command:

PacketShaper# class criteria recent inbound/RTP-I/Default
Traffic Class: /Inbound/RTP-I/Default
Application: RTP
Attribute: user-agent (SIP User-Agent)

Recent Attribute Values (most recent first)
------------------------------------------------------------------------------
1. *X*Lite*

The above output indicates that *X*Lite* is the string that should be specified as the SIP user-agent criterion.
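The rule format and the table above, worked through in Python as an added example (not PacketWise code): the application/attribute/service-type table is transcribed from this page, while treating any value containing * as a wildcard pattern and comparing other values case-sensitively are assumptions.

```python
"""Validate and evaluate application-specific matching rules of the form
<application>:<attribute>:<value> described under 'class criteria'.

Added example, not part of PacketWise. CRITERIA is transcribed from the
table on this page; the wildcard and case-sensitivity behaviour are assumptions."""
import re
from typing import Dict, Optional, Tuple

# application -> (service type the class must be based on, allowed attributes)
CRITERIA: Dict[str, Tuple[str, Tuple[str, ...]]] = {
    "Citrix":      ("Citrix-ICA",     ("application", "client", "priority")),
    "DCOM":        ("DCOM",           ("UUID",)),
    "DICOM":       ("DICOM",          ("server", "client")),
    "FTP":         ("FTP-Data-Clear", ("FileName",)),
    "Web":         ("HTTP",           ("host", "url", "content-type", "user-agent")),
    "HTTP-Tunnel": ("HTTP-Tunnel",    ("host", "port")),
    "ICMP":        ("ICMP",           ("type",)),
    "NNTP":        ("NNTP-Clear",     ("GroupName",)),
    "Oracle":      ("Oracle-netv2",   ("dbname",)),
    "PostgreSQL":  ("PostgreSQL",     ("dbname",)),
    "RTCP":        ("RTCP-I",         ("encoding", "media", "clock")),
    "RTP":         ("RTP-I",          ("encoding", "media", "clock", "to", "from",
                                       "user-agent", "source", "destination")),
    "SMTP":        ("SMTP-Clear",     ("SenderEmail",)),
    "SOAP":        ("SOAP-HTTP",      ("host", "url", "content-type", "user-agent")),
    "SSL":         ("SSL",            ("common name",)),
    "WAP":         ("WAP",            ("WAPURI",)),
}

# Per the page's note, SIP attributes of RTP match on a substring (e.g. 'Motorola').
SIP_SUBSTRING_ATTRS = {("RTP", "to"), ("RTP", "from"), ("RTP", "user-agent")}


def parse_rule(rule: str) -> Tuple[str, str, str]:
    """Split 'app:attr:value' into its three parts; the value may contain ':'."""
    parts = rule.split(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"rule must be <application>:<attribute>:<value>: {rule!r}")
    return parts[0], parts[1], parts[2]


def validate_rule(rule: str, class_service: str) -> Tuple[str, str, str]:
    """Check the rule against the table and the service type of the target class."""
    app, attr, value = parse_rule(rule)
    if app not in CRITERIA:
        raise ValueError(f"unknown application {app!r}")
    service, attrs = CRITERIA[app]
    if attr not in attrs:
        raise ValueError(f"{app} has no attribute {attr!r}; choose from {attrs}")
    if class_service != service:
        raise ValueError(f"{app} criteria need a class based on the {service} "
                         f"service, not {class_service}")
    return app, attr, value


def rule_error(rule: str, class_service: str) -> Optional[str]:
    """Return the validation error message, or None if the rule is acceptable."""
    try:
        validate_rule(rule, class_service)
    except ValueError as exc:
        return str(exc)
    return None


def _wildcard(pattern: str):
    # Only '*' is special (assumption); every other character is matched literally.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def rule_matches(rule: str, class_service: str, observed: str) -> bool:
    """True if an observed attribute value (e.g. from 'class criteria recent')
    would be matched by the rule."""
    app, attr, pattern = validate_rule(rule, class_service)
    if "*" in pattern:
        return _wildcard(pattern).match(observed) is not None
    if (app, attr) in SIP_SUBSTRING_ATTRS:
        return pattern in observed
    return observed == pattern
```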

Command Change History

Release   Modification
8.2.0     UUID attribute for DCOM added
          dynamic encoding attribute for RTP added (for classification of dynamic codec numbers)
          Wildcard (*) support added for RTP-I user-agent attribute.

class delete

Remove a class from the traffic tree.

class delete <tclass> [children]

<tclass> The name of the traffic class to delete. The class' explicit hierarchical path must be supplied only if the class name itself is not unique.

[children] Specify to delete all of the class' child classes; this parameter is required in order to delete a class that has children.

If you delete a class that was created by traffic discovery and you have traffic discovery turned on, the class is likely to appear again in your traffic class tree.

Note: Do not use the class delete command to remove virtual circuit classes. Instead, use the frame delete or atm delete command.

class discover

Enable or disable traffic discovery within a specific class. For class discovery to take effect, traffic discovery must be enabled at a global level using the setup discover command.

class discover <tclass> [inside|outside|both|off]

<tclass> The name of the traffic class within which you are enabling or disabling traffic discovery. The class' explicit hierarchical path must be supplied only if the class name itself is not unique.

[inside|outside|both|off] Specify the location of the server for which you want traffic to be discovered, or off to turn off discovery for this class. If you don't specify one of these options, the action defaults to turning on traffic discovery — effectively using the both setting.

class group delete

Delete a custom service group. When you delete a group, the services in that group are moved into the Unassigned group. Note that you cannot delete the built-in groups. (See Note for PolicyCenter Users below.)

class group delete <group_name>

where <group_name> is the name of the custom group.

Example:

class group delete CorpApps

Note for PolicyCenter users: PolicyCenter allows you to delete overridden built-in groups as well as local custom service groups; service groups in an inherited state cannot be deleted. If you want to inherit a service group from the parent configuration, you can simply delete the local or overridden service group. When you delete an overridden service group, the following operations take place:

The child configuration inherits the parent's group of the same name.

This group will contain all the services defined in the inherited group except for any services that were moved out of the group when the group had been overridden. These services will stay in the group that they had been moved into.

If the overridden group contained other services that were moved into it, these services will go into Unassigned after the group is deleted.

See also:

Service Groups Best Practices

Command Change History

Release   Modification
8.5.1     class group command introduced

class group move

Move all services from one service group into another, or move one service into a different group. You can move services into a built-in or custom group.

class group move {<group_name> | <group_name>:<service_name>} <group_name>

Examples:

To move all the services in the Multimedia group into Mygroup:

class group move multimedia mygroup

To move service Citrix from the RemoteAccess group into the ClientServer group:

class group move RemoteAccess:citrix ClientServer

Notes:

To move a service back into its default group, use the class group reset command.

Services in the NonIPv4 group cannot be moved to other groups.

Command Change History

Release   Modification
8.5.1     class group command introduced

class group new

Create a custom service group. PacketWise includes 25 built-in service groups, but if these don't suit your needs, you can create your own groups. For example, if you have created user-defined services for your custom applications, you may want to create a custom group for them. You can create up to 25 custom service groups.

class group new <group_name> <description>

where <group_name> can be up to 31 characters (including hyphens, underscores, and periods) and <description> can contain up to 80 characters. If the description contains spaces, you must enclose the text string in quotes.

Example:

class group new CorpApps "Corporate applications"

See also:

class group delete

Command Change History

Release   Modification
8.5.1     class group command introduced

class group override
For PolicyCenter / PacketShapers in Shared Configuration Mode

Override a service group that a child configuration has inherited from a parent configuration. Use this command if you don't want the service group to inherit any more changes from the parent.

class group override <group_name>

where <group_name> is the name of the built-in or custom service group that has been inherited.

Note: After overriding a service group, if you then want to re-inherit it from the parent configuration, you can delete the overridden group. Or, you can re-inherit all service groups from the parent with the class group reinherit all command.

See also:

Service Groups Best Practices

class group delete

class group show

class group reinherit

Command Change History

Release   Modification
8.5.1     class group command introduced

class group reinherit
For PolicyCenter / PacketShapers in Shared Configuration Mode

Delete all service groups from the current configuration and re-inherit the service groups from the parent configuration. Use this command when a child configuration contains a number of local overridden service groups and you decide that you want the configuration to go back to inheriting the parent's groups.

class group reinherit all

Notes:

You may decide to perform this operation if, after modifying service groups in a child configuration, you end up with configuration errors (service conflicts) that you can't resolve.

Use the class group show command to confirm that each service group has the I (Inherited) marker, indicating the group is inherited from the parent configuration. Any local custom groups you had in the child configuration will no longer appear on the group list.

See also:

Service Groups Best Practices

class group override

class group show

Command Change History

Release   Modification
8.5.1     class group command introduced

class group reset

Return all services back to their default groups or return a single service back to its default group. Use this command if you have moved services around to different groups and then discover you made a mistake or have changed your mind.

class group reset <service_name> | all

where <service_name> is the name of the service that you want to return to its default built-in group.

Examples:

To move the Citrix service back into its original, default group:

class group reset citrix

Service citrix successfully reset to its default group (RemoteAccess).

To return all moved services back to their default built-in groups:

class group reset all

All services reset to their default group.

Note: If you had created any custom groups, these groups will remain after the reset all, although they will no longer contain any services.

Command Change History

Release   Modification
8.5.1     class group command introduced

class group show

Display a list of all group names and their descriptions, details about a particular group, or a list of all services and the group to which each belongs. You can also use this command to find out to which group a particular service belongs.

class group show [<group_name> | service | {service <service_name>}]

Examples:

To display a list of all groups and their descriptions:

class group show

To list all groups and all the services that belong to each group:

class group show service

To display details for a particular group:

class group show healthcare

Name         : Healthcare
Description  : Healthcare related applications
Num services : 2

Services in Healthcare group
DICOM    Digital Imaging and Communications in Me
HL7      Health Level Seven (HL7)

To find out to which group a service belongs:

class group show service ftp

service:"ftp" belongs to group:"Internet"

Command Change History

Release   Modification
8.5.1     class group command introduced

class hosts

Displays a list of all host references in matching rules and host lists. A host may be listed as an IP address, a DNS name, or an LDAP DN (Lightweight Directory Access Protocol domain name) for a host list entry. If more than one matching rule contains the same host reference, the host is shown only once.

class hosts

Host reference   DNS name          IP address
127.0.0.3        -                 127.0.0.3
                 www.lycos.com     206.79.171.51...
                 www.excite.com    198.3.98.99

If a DNS name resolves to more than one address, the first address is listed followed by an ellipsis (...). To list the additional addresses, use the dns lookup command.

If there is a problem resolving a DNS name, the third column shows the DNS error message.

class id

Change or view a traffic class identification number. The numeric ID of a class is used for Simple Network Management Protocol (SNMP) and the measurement engine. It must be unique and does not change when the class is renamed.

class id <tclass> [<number>]

<tclass> The name of the traffic class whose ID you are changing. The class' explicit hierarchical path must be supplied only if the class name itself is not unique.

[<number>] The new unique number for the traffic class

Note: Class IDs should be changed in special circumstances only, for example when you want class IDs to be the same across multiple PacketShapers. Changing class IDs can lead to erroneous reporting of data if you choose an ID value that was previously used by another class.

To see the current ID for a traffic class, type class id <tclass>. To see the ID for all services, use the class services id command.
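The classids.txt listing described under class capture-ids and the uniqueness rule stated for class id, worked through in Python as an added example (not PacketWise or PacketGuide code): it parses the listing, looks up the SNMP index for a class path, and previews whether a class id change would reuse an ID that another class already holds. The sample listing is constructed from the excerpt shown under class capture-ids.

```python
"""Parse the classids.txt listing written by 'class capture-ids' and apply the
'class id' rule that every class ID must be unique.

Added example; not part of PacketWise or PacketGuide. The sample listing is
constructed from the excerpt shown under 'class capture-ids'."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the first lines of a classids.txt file.
SAMPLE_CLASSIDS = """\
1 /Inbound
2 /Outbound
3 /Inbound/Inside
4 /Inbound/Outside
5 /Inbound/Default
6 /Inbound/Global
7 /Inbound/Global/IP
8 /Inbound/Global/TCP
9 /Inbound/Global/UDP
10 /Inbound/Global/Miscellaneous
11 /Inbound/Global/DECnet
12 /Inbound/Localhost
13 /Inbound/SameSide
15 /Inbound/OutsideVPNTunnel
50 /Outbound/Inside
51 /Outbound/Outside
52 /Outbound/Default
53 /Outbound/Global
54 /Outbound/Global/IP
55 /Outbound/Global/TCP
"""

# One entry per line: a decimal ID, whitespace, then the absolute class path.
_ENTRY = re.compile(r"^\s*(\d+)\s+(/\S+)\s*$")


def parse_classids(text: str) -> List[Tuple[int, str]]:
    """Return (id, class_path) pairs in file order.

    A line that is not 'ID /path' raises ValueError so that a truncated or
    corrupted file is noticed before its IDs are used as SNMP indexes."""
    pairs: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = _ENTRY.match(raw)
        if not m:
            raise ValueError(f"line {lineno}: expected 'ID /class/path', got {raw!r}")
        pairs.append((int(m.group(1)), m.group(2)))
    return pairs


def _normalise(class_path: str) -> str:
    # The CLI accepts class names with or without the leading slash and
    # regardless of case (inbound/RTP-I/Default is /Inbound/RTP-I/Default).
    return "/" + class_path.strip("/").lower()


def id_for_class(pairs: List[Tuple[int, str]], class_path: str) -> int:
    """Look up the SNMP index (class ID) for a class path."""
    wanted = _normalise(class_path)
    for cid, path in pairs:
        if _normalise(path) == wanted:
            return cid
    raise KeyError(f"no class ID recorded for {class_path}")


def duplicate_ids(pairs: List[Tuple[int, str]]) -> Dict[int, List[str]]:
    """Map each ID used by more than one class to those classes.

    'class id' warns that an ID previously used by another class produces
    erroneous reporting, so a non-empty result means the listing must not be
    used as an SNMP index source until the clash is resolved."""
    by_id: Dict[int, List[str]] = {}
    for cid, path in pairs:
        by_id.setdefault(cid, []).append(path)
    return {cid: paths for cid, paths in by_id.items() if len(paths) > 1}


def planned_id_change(pairs: List[Tuple[int, str]], class_path: str,
                      new_id: int) -> Dict[int, List[str]]:
    """Preview 'class id <tclass> <number>': return the ID clashes it would create."""
    wanted = _normalise(class_path)
    changed: List[Tuple[int, str]] = []
    found = False
    for cid, path in pairs:
        if _normalise(path) == wanted:
            changed.append((new_id, path))
            found = True
        else:
            changed.append((cid, path))
    if not found:
        raise KeyError(f"no class ID recorded for {class_path}")
    return duplicate_ids(changed)
```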

class licenses

Limit the number of TCP flows allowed simultaneously in the given class, where the number of flows admitted to a class is based on a fixed number instead of the available bandwidth.

class licenses <tclass> off|<number>

where <number> is the maximum number of TCP flows to admit.

After <number> flows are active on the specified traffic class, new flows are given the admission control treatment defined by policy admit.

Specify the off option to remove the limit on the number of flows.

After you have limited the flows with the class licenses command, you can use the traffic licenses command to see the number of flows currently in use.

class load

Load a new traffic configuration file. This command will load the traffic tree and everything related to the classes in the tree, such as policies and partitions. This feature can be used to share configurations with other units. You can FTP a saved configuration to the system disk root (9.256/) of another PacketShaper unit and then activate it with the class load command.

Note: Issuing the class load command will revert a unit in shared mode back to local mode.

class load <path>

The following example loads a config.ldi file from the system disk root directory:

class load 9.256/config.ldi

The class load command prompts for confirmation, then overwrites the existing cfg/config.ldi file with the file you specify.


class move

Relocate a traffic class by assigning it to a new parent class. Unlike using the class copy command, the class will no longer reside under its original parent, but will be moved to a new location in the tree structure.

class move <tclass> <new parent> [children]

Use the literal children to move all of the class' children as well; otherwise, only the parent class will be moved and the children will be promoted a level.

Note: When moving a traffic class, you cannot change the direction. For example, you cannot move a traffic class from /Inbound to /Outbound.


class new

Create a new traffic class.

class new <parent_name> <name> [nodefault] <rule>

<parent_name> The parent class for the new traffic class. You must use the explicit hierarchical pathname if the class name is not unique - for example, /inbound/http.

<name> A unique name for the new traffic class, up to 31 characters long. Use only alphanumeric characters and the following special characters: underscore ( _ ), hyphen ( - ), and period ( . ). Specify only the class name, without the leading tree hierarchy pathname.

[nodefault] A Default match-all class will not be created (applicable when creating a child class). For example, if you don't specify the nodefault parameter when creating the Inbound/HTTP/WebSurfing class, PacketWise will also create an Inbound/HTTP/Default class. If you do specify the nodefault parameter, the Inbound/HTTP/Default class will not be created.

<rule> A matching rule defines a traffic class' attributes. A class can contain multiple matching rules, which are treated as separate, distinct rules. To define one or more rules for a traffic class, see class rule. For matching rule details, see Matching Rule Details.

Notes:

You cannot create a child class if the parent has been assigned a host accounting category.

If your unit is within one traffic class of its capacity, PacketWise will not let you create any more classes. This is due to the possibility that two classes will be created in some circumstances. For example, when you create the first child class for a parent, a Default class automatically gets created.

Creating a Class for a Specific File Type

Specify GIF file downloads:

class new inbound/http graphics outside service:http web:url:"*.gif"

Specify MP3 files downloaded via FTP:

class new inbound/ftp ftp_mp3_downloads outside service:ftp-data-clear ftp:filename:*.mp3

Creating a Class for a Specific Host or Port

Target any traffic from an external host:

class new inbound competitor outside host:145.34.0.2 service:http

Specify web traffic to a port other than port 80, the normal web port:

class new inbound web_in inside service:http port:8080

Creating a Class for a Specific URL, IP Address, or Host List

Specify a URL (http://altman.com/support/support.htm):

class new inbound altman outside service:http host:altman.com web:url:"/support/support.htm"

For security purposes, you can classify TCP traffic based on the origin of the connection. To do this, create a traffic class that specifies an outside TCP client. Create this type of class only after you are satisfied that traffic discovery has sufficiently identified traffic on your network. Otherwise, it will prevent the discovery of more specific services.

class new inbound mystuff outside tcp client

Specify an IP address if you do not have a DNS server configured:

class new inbound server_guru inside 203.160.106.3

Specify a host list (a set of IP addresses and/or DNS names):

class new inbound/servers inside host:any outside list:servers


Creating a Class for an IPv6 Subnet

class new inbound ipv6-2 inside net:2001:db8:1234:5678::/64

Creating a Class for ICMP or IGMP Traffic

When creating a symmetrical traffic class for the ICMP or IGMP protocols, we recommend that you explicitly specify the protocol for both the inside and outside interface. For example:

class new /Inbound/ABQ ICMP inside ICMP outside ICMP

To create an asymmetrical traffic class for ICMP or IGMP, where traffic is classified on either the inside or the outside interface:

class new /Inbound/ABQ ICMP inside ICMP

or

class new /Inbound/ABQ ICMP outside ICMP


class note

Annotate a traffic class.

class note <tclass> "<note>"

This note appears in the class show display. Non-printing characters are not allowed.


class override

For PolicyCenter only

Override an inherited traffic class by creating a local copy of the traffic class.

class override <tclass>

You must make a local copy of an inherited traffic class before you can change the class on the individual unit.


class owner

Specify an owner name for a traffic class.

class owner <tclass> "<ownername>"

The owner name can be up to 32 characters and the following special characters are not allowed: quote ("), ampersand (&), backslash (\), and non-printing characters.

The owner name appears in the class show display. This field can be used as a search criterion for customer portal pages.


class publish

For PolicyCenter only

This command publishes a traffic class on a child configuration to the traffic tree of its parent. The traffic class is then cleared from the child configuration, so it will inherit that class from its parent configuration. Include the children parameter to also publish all child classes of the selected traffic class. If the published class uses a host list, that host list is also published to its parent.

class publish <tclass> [children]

See Publish an Individual Traffic Class from a Child Configuration to its Parent for details on this operation.

Note: Classes based on service groups can be published only if the parent configuration has the service group in its configuration.


class rename

Rename a traffic class.

class rename <tclass> <new tclass>

The class to be renamed must be specified with its full pathname; do not specify the path for the new class name. (The path from the original name is used.) For example:

class rename inbound/test sap

When renaming a class you are not allowed to change just the case; for example, you cannot rename HTTP to http.

Note: If you rename a class and that class has an event associated with it, the class name is not automatically updated in the event registration. Therefore, after renaming a class, you will need to re-register the event with the new class name.


class reset

Clears all classes, policies, and partitions and reverts to either the default or model tree.

class reset [model]

The model option resets the configuration to a pre-configured tree that can be used as is, or modified to suit your needs. This tree organizes network traffic into folders of common categories, such as VoIP, risky websites, business-critical applications and data, and recreational websites and applications. It includes classes based on service groups or URL categories.

If you reset the tree without the model option, the tree is reset to the default—a bare-bones traffic tree that includes /Inbound and /Outbound classes with a Default class for each, and a Localhost class for the inbound and outbound directions. You can build out this tree by turning on traffic discovery or by manually creating classes for the type of traffic you want to track.

Issue this command from PolicyCenter to clear the class tree of any regular PolicyCenter unit or sharable configuration; no draft configuration is required.

Note: Use the config save CLI command to back up your configuration before resetting the tree; this gives you the capability of restoring the traffic tree and configuration if you change your mind.

Command Change History

Release   Modification

8.7.1     model option introduced


class rule

Add or delete matching rules.

class rule add <tclass> <rule>

class rule delete <tclass> <rule_id>

The maximum number of matching rules per traffic class depends on the PacketShaper model. (See PacketShaper or PacketShaper ISP Configuration Limits.) If a traffic class has more than one matching rule, PacketWise compares the flow to the first specification. If it doesn't find a match, it moves to the class' next matching rule.

Matching rules are identified by a rule ID in brackets [ ]. You can determine the rule ID by using the command: class show <tclass>

See Matching Rule Details for additional information.

Examples:

Create a new Oracle class with three matching rules. The first matches on an inside host IP address of 190.160.0.207, the second matches on 190.160.0.208, and the third on 190.169.0.254.

class new /outbound oracle inside service:oracle host:190.160.0.207
class rule add /outbound/oracle inside service:oracle host:190.160.0.208
class rule add /outbound/oracle inside service:oracle host:190.169.0.254

Create a new FTP class with two matching rules, one for the outside and the other for the inside.

class new inbound/ftp ftp_mp3_downloads outside service:ftp-data-clear ftp:filename:*.mp3
class rule add inbound/ftp/ftp_mp3_downloads inside service:ftp-data-clear ftp:filename:*.mp3

Recall that if a traffic class has more than one matching rule definition, PacketWise compares the flow to the first specification. If it doesn't find a match, it moves to the class' next rule. Traffic that matches any of a class' matching rules will fall into the class.

If the info page has flagged one or more of your classes with the configuration error message attrib iqosMatchingRule = "???", Failed to add matching rule to traffic class, you have exceeded the maximum number of matching rules available on your PacketShaper model. (In the CLI, you can display configuration error messages with the class show <tclass> command.) To free up resources, you need to remove one or more classes or matching rules. Configuration errors will disappear once the total number of matching rules is less than the unit's limit. If you find that you are consistently exceeding your unit's maximum configuration limits, you should consider upgrading your PacketShaper.


class services

List the services available in PacketWise. These services are also listed in Applications, Protocols and Services Classified by PacketWise.

class services [<service name>]|[plug-ins] [id]

<service name> The name of a service; you can type the complete name, or just the first few letters

[plug-ins] List only services that were individually added to (plugged into) the software — that is, services not built into PacketWise

[id] List the internal ID numbers associated with each service name. Service ID numbers are recorded in flow detail records (FDRs). Since FDRs record the service ID, not the service name, the class services id command would be useful for someone interpreting FDR data with a protocol analyzer or other tool that displays FDR data.

The <service name> option is useful for narrowing down the service list to a particular name you are looking for. The following example lists all the services that start with AOL:

class services aol

AOL-IM         AOL - Instant Messenger & ICQ Client-Server
AOL-IM-File    AOL-IM - Point to Point File Transfer
AOL-IM-ICQ     AOL - Instant Messenger & ICQ2000
AOL-IM-IMAGE   AOL-IM-Image - Point to Point Chat
AOL-IM-Talk    AOL-IM - Point to Point Talk


class set

Make a traffic class an exception class, or configure a class to allow its policy to be inheritable.

class set <tclass> inherit|standard|exception

inherit Inheritable traffic classes have policies that can be applied to other classes when the other class doesn't have its own policy. Specific rules apply to how PacketWise decides which policy a class should inherit; see Inheritance Rules for details. The output of the class show command indicates (with an I flag) which classes have an inheritable policy.

standard Standard traffic types have no exception or inheritable attributes.

exception Exception traffic classes are always positioned above non-exception classes in the tree. When you make a class an exception class, you redefine the search order that PacketWise uses to find a match for traffic flow. The exception attribute can be applied to all classes except /Inbound, /Outbound, and any default match-all classes. Marking a traffic class as an exception ensures that it is ordered first in the subtree, overriding the tree's built-in hierarchical order.


class show

Display traffic class information for a specific class or the entire traffic tree.

class show [<tclass> | verbose <tclass> | since <seconds>] | [id]

Use the verbose option to list all host lists referenced by a traffic class. The since option shows only classes auto-discovered within the last number of <seconds>.

When you specify a class, configuration details such as matching rule and policy information are displayed. Each matching rule is prefaced by a rule ID number. The class ID — used for extracting data via SNMP — is also displayed as the last line of the output. For example:

class show dhcp

Traffic Class: /Outbound/DHCP
Partition: /Outbound
Class Flags: autocreated
Rule Types: optimized
Current guaranteed rate 0 excess rate 0
Matching Rules:

[52 ]  inside    any host    service:Client    any port
       outside   any host    service:DHCP-S    any port
       UDP

[54 ]  inside    any host    service:Client    any port
       outside   any host    service:DHCP-C    any port
       UDP

[53 ]  inside    any host    service:DHCP-S    any port
       outside   any host    service:Client    any port
       UDP

[55 ]  inside    any host    service:DHCP-C    any port
       outside   any host    service:Client    any port
       UDP

no policy
Class id (for SNMP and Measurement Engine): 1069
Compression: Override (pred1-256K) Dictionary Id: 1

The Class Flags indicate class attributes:

autocreated — The class was created with the traffic discovery feature.

built-in — One of the classes built into PacketWise (such as Inbound and Outbound). Built-in classes cannot be deleted.

cacheable — The class is cacheable (that is, a class based on an IP address that is on the same side as the cache).

discovering — Traffic discovery is turned on for this class.

exception — The class is treated as an exception, overriding PacketWise’s default ordering.

inherited — The policy for the class is inheritable.

policy — The class has a policy. (The specific policy type is shown next to Policy Flags near the bottom of the output.)

The Rule Types indicate the type of matching rule:

optimized — The class is optimized. An optimized class is one that was auto-discovered or one that was manually created with a simple matching rule (service type, IP address, or port number).

address-is-cacheable — The class has a pure IP address-based matching rule that is on the same side as the cache (on the inside, by default). It can be an individual IP address, a range of IP addresses, an address with a mask, or host lists. These classes can be cached unless an error in the tree configuration is causing cacheability problems.

match-all — This class is a match-all class (protocol = any, service = any; for example, a Default bucket).

If you are using the compression feature in legacy mode and have set compression options for the class, you may see one of the following:

Compression: Off (disabled) — Compression has been turned off for this class (using the class compress off command)

Compression: Override — A compression type has been specified for this class, overriding the default type (using the class compress on override command). The compression type is indicated in parentheses, for example (pred1-256K). If a dictionary ID was assigned, it is also indicated.

Compression: On — Compression has been turned on for this class (using the class compress on nondefault command). The compression type is indicated in parentheses, for example (pred1-256K). If a dictionary ID was assigned, it is also indicated.

Note: In enhanced mode, use the tunnel class show command to see per-class compression overrides.
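The per-class output described above is what an operator reads to find rule IDs (for class rule delete) and the class ID used for SNMP polling. The following parser is an added example, not Blue Coat's code; its sample text is constructed to follow the field layout this reference describes (the exact column spacing of a live unit may differ, so the parser keys on labels and the bracketed rule-ID prefix rather than on columns).

```python
"""Parse the per-class output of `class show <tclass>` into a dictionary.

Added example, not Blue Coat's code. SAMPLE_OUTPUT is constructed to follow the
field layout this reference describes; spacing on a live unit may differ.
"""
import re
from typing import Any, Dict, List

# Constructed sample, modelled on the DHCP example in this reference.
SAMPLE_OUTPUT = """\
Traffic Class: /Outbound/DHCP
Partition: /Outbound
Class Flags: autocreated
Rule Types: optimized
Current guaranteed rate 0 excess rate 0
Matching Rules:
[52 ]  inside   any host   service:Client   any port
       outside  any host   service:DHCP-S   any port
       UDP
[54 ]  inside   any host   service:Client   any port
       outside  any host   service:DHCP-C   any port
       UDP
no policy
Class id (for SNMP and Measurement Engine): 1069
Compression: Override (pred1-256K) Dictionary Id: 1
"""

RULE_RE = re.compile(r"^\[\s*(\d+)\s*\]\s*(.*)$")
CLASS_ID_RE = re.compile(r"^Class id \(for SNMP and Measurement Engine\):\s*(\d+)")
COMPRESSION_RE = re.compile(r"^Compression:\s*(\S+)(?:\s*\(([^)]*)\))?")


def parse_class_show(text: str) -> Dict[str, Any]:
    """Extract name, partition, flags, rule types, rule IDs, policy presence and class ID."""
    info: Dict[str, Any] = {
        "name": None, "partition": None, "flags": [], "rule_types": [],
        "rules": {}, "class_id": None, "compression": None,
    }
    current_rule = None  # rule ID whose continuation lines we are collecting
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Traffic Class:"):
            info["name"] = line.split(":", 1)[1].strip()
        elif line.startswith("Partition:"):
            info["partition"] = line.split(":", 1)[1].strip()
        elif line.startswith("Class Flags:"):
            info["flags"] = line.split(":", 1)[1].split()
        elif line.startswith("Rule Types:"):
            info["rule_types"] = line.split(":", 1)[1].split()
        elif (m := RULE_RE.match(line)):
            # "[52 ] inside ..." starts a new matching rule
            current_rule = int(m.group(1))
            info["rules"][current_rule] = [m.group(2)]
        elif (m := CLASS_ID_RE.match(line)):
            info["class_id"] = int(m.group(1))
            current_rule = None
        elif (m := COMPRESSION_RE.match(line)):
            info["compression"] = (m.group(1), m.group(2))
            current_rule = None
        elif line.lower().startswith(("no policy", "policy")):
            # policy section ends the matching-rule block
            current_rule = None
        elif current_rule is not None:
            # continuation line of the current rule (outside side, protocol)
            info["rules"][current_rule].append(line)
    # the "policy" class flag records whether the class has its own policy
    info["has_policy"] = "policy" in info["flags"]
    return info


def rule_delete_commands(info: Dict[str, Any]) -> List[str]:
    """Render one `class rule delete <tclass> <rule_id>` line per rule, for review before pruning."""
    return [f"class rule delete {info['name']} {rid}" for rid in sorted(info["rules"])]


if __name__ == "__main__":
    parsed = parse_class_show(SAMPLE_OUTPUT)
    print("SNMP class id:", parsed["class_id"])
    for cmd in rule_delete_commands(parsed):
        print(cmd)
```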

If you don't specify a class, all classes in the traffic tree are displayed, but with less detail. When displaying the entire traffic tree with the class show command (as shown in the following example), several flags indicate class attributes, type of matching rule, and legacy compression options (described above).

class show

Derivation: (I)nherited (O)verride (U)nderride (L)ocal
Class Flags: (A)utocreated (D)iscovering (E)xception (I)nherit (P)olicy (C)acheable
Rule Types: (o)ptimized (m)atch-all (a)ddress is cacheable
Compression: (c)ompression specified (d)isable compression

Class Name       Flags    Partition Name

Inbound          m        /Inbound
  Localhost      E P      /Inbound
  10.7.38.0      a        /Inbound
  CUSTOMER       P ma     /Inbound
  mysite.org     C a      /Inbound
  Default        IP m     /Inbound
Outbound         m        /Outbound
  Localhost      E P      /Outbound
  10.7.38.0      a        /Outbound
  CUSTOMER       ma       /Outbound
  mysite.org     C a      /Outbound
  Default        IP m     /Outbound


class test

Test a traffic flow against the present classification tree in order to determine the flow's class, partition, and policy.

class test <direction> <protocol> [<inhost:inport> <outhost:outport>]

<direction> inbound or outbound

<protocol> tcp, udp, icmp, netbeui, ipx, appletalk, decnet, fna, sna, lat, or misc

<inhost:inport> <outhost:outport> The inside and outside IPv4 or IPv6 addresses and port numbers to test (required for IP protocols only: TCP, UDP, ICMP)

You must supply both an inside and an outside address. Use 0.0.0.0:0 as a placeholder if you don't have an address to test on one of the sides.

If the hosts are IPv6 addresses, surround the IPv6 address with square brackets. For example, [2000:1:2::1]:3456 where 3456 is the port number.

This information simulates a flow, returning the following information:

Traffic Class The traffic class in the current traffic tree into which the flow would be classified

Partition The partition associated with the matching traffic class. If the traffic doesn't have its own partition, the parent partition is used.

Policy The matching policy. If the matching traffic class has no applied policy, the policy is inherited. See Inheritance Rules.

Note: The class test command will only match traffic classes that have "any" for the server location.

Examples:

class test inbound appletalk

Traffic class --> /Inbound/AppleTalk
Partition --> /Inbound
Policy --> /Inbound/Default

class test inbound tcp 216.110.182.168:80 0.0.0.0:0

Traffic class --> /Inbound/HTTP
Partition --> /Inbound
Policy --> /Inbound/Default

class test inbound TCP [2001:db8:1234:5678::1]:1234 [2001:db8::100]:3456

Traffic class --> /Inbound/ipv6-1
Partition --> /Inbound
Policy --> /Inbound/Default

Notes:

The class test command can be used to test basic classification for IP protocols, but is not intended to test every type of classification PacketWise offers. Its purpose is to check a particular IP address or port number to determine how the traffic is classified into existing port-based and IP address-based classes in the traffic tree. The command does not include fields for specifying more complex types of classification such as MAC address or device.

The class test command requires touch access.


class undelete

For PolicyCenter only

Issue this command to restore a class marked for deletion from a draft configuration. If the class has any child classes, they will also be restored.

class undelete <tclass>


class user-group

List the names of user groups in a specific Active Directory domain or in all domains.

class user-group <domain_name>|all

This command is part of the user awareness feature and requires that a BCAAA server be installed and configured.

If you have a long list of user groups, some may scroll off the screen; if you want to be able to scroll through the list, use one of the following techniques:

Output the list to a text file, for example: class user-group all > grouplist. When the command prompt redisplays, the file has finished saving. (This might take a while.) To display the list a page at a time: more grouplist

Turn on session logging in your remote login utility (such as Putty or SecureCRT) before issuing the class user-group all command. You can then open the log file in a text editor.

When creating a class in the Sky or Advanced UI, the Group Name field offers ways to list and search for user groups.

Command Change History

Release   Modification

9.2.2     class user-group command introduced


class user-services delete

Remove a user-defined service.

class user-services delete <serviceName>|all

where <serviceName> is the name of the service you want to delete. Use the all parameter to delete all user-defined services.

Example:

class user-services delete TDemployees

Notes:

Service names are case sensitive. You must enter the service name with the same upper/lower case with which it was created.

Use the class user-services show command to see a list of services that have been user-defined.

Command Change History

Release   Modification

8.4.3     all parameter introduced
8.4.1     class user-services command introduced


class user-services new

Create a custom service in order to identify and categorize traffic that is not currently classified by PacketWise, or that is classified into a different service. This command allows you to create services for in-house applications on your network. The service can be defined by a signature (hex or string) and/or by port numbers.

class user-services new <serviceName> [signature:<hex>|<string> offset:<offset_value>] [port:<nnn[-nnn]>] [packets:<packet_value>] [ipproto:TCP|UDP] [description:<string>]

<serviceName> The name of the service, up to 30 characters long. Use only alphanumeric characters and the following special characters: underscore ( _ ), hyphen ( - ), and period ( . ). The service name is case sensitive.

signature

The signature can be specified in hexadecimal format or as a quoted string.

The string can be up to 30 characters long, is case sensitive, and must be enclosed in quotation marks.

The hex representation can be up to 30 characters long. It must begin with 0x.

offset Starting position of the signature in the payload (after the header). Valid values for the offset are 0-1499.

packets

Number of inbound or outbound data packets in each new flow that will be inspected for the signature. Up to 10 packets in each direction can be inspected.

Note: Packets in each direction are counted separately. For example, a value of 8 tells the PacketShaper to look for the signature in the first eight inbound packets and first eight outbound packets of each new flow.

port The port number or a range of port numbers. If the port option is not specified, the PacketShaper will inspect traffic on all ports.

ipproto Type of IP protocol (UDP or TCP)

description A description of the user-defined service, enclosed in quotation marks; up to 80 characters long.

The following types of traffic are candidates to be classified as a user-defined service:

1) traffic that PacketWise has identified as an unknown service,

2) applications that have user-configurable ports (such as peer-to-peer and instant messaging)

Services that are associated with well-known ports (such as HTTP on port 80, FTP on port 21, and NNTP on port 119) cannot be classified into a user-defined service.

Examples:

class user-services new TDemployees signature:"TD Employee" offset:6 packets:1 description:"TD Employee Database"

class user-services new BCpayroll signature:0x424320706179726F6C6C offset:0 description:"BC Payroll application"

Notes:

You can use a third-party network protocol analyzer, such as EtherPeek or Wireshark, to analyze a trace to get the signature.

You can create up to 10 user-defined services (UDS).

The user-defined services are auto-discoverable.

The user-defined services are stored in the config.ldi configuration file.
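The signature, offset and packets semantics above, as an added example that is not Blue Coat's code: a Python helper that encodes a string signature in the 0x hex form (the page's BCpayroll example is "BC payroll" in hex), checks a service definition against the limits this reference states, renders the class user-services new line, and models which packets of a flow would be inspected. Two assumptions are labelled in the code: the 30-character hex limit is counted on the digits after 0x, and a service created without packets: inspects two packets per direction (the value the class user-services show output below reports for BCpayroll).

```python
"""Build, validate and model a PacketShaper `class user-services new` definition.

Added example, not Blue Coat's code. Limits enforced are those stated in this
reference: name <= 30 chars of [A-Za-z0-9_.-], string signature <= 30 chars,
hex signature 0x-prefixed (assumption: <= 30 hex digits after 0x), offset
0-1499, packets 1-10, description <= 80 chars.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,30}$")
PORT_RE = re.compile(r"^\d{1,5}(?:-\d{1,5})?$")


def string_to_hex_signature(text: str) -> str:
    """Encode a literal ASCII signature in the 0x-prefixed hex form the CLI accepts."""
    return "0x" + text.encode("ascii").hex().upper()


@dataclass
class UserService:
    name: str
    signature: Optional[str] = None   # literal string ("TD Employee") or 0x-prefixed hex
    offset: int = 0
    packets: Optional[int] = None     # None: omit packets: and let the unit apply its default
    port: Optional[str] = None        # "nnn" or "nnn-nnn"
    ipproto: Optional[str] = None     # "TCP" or "UDP"
    description: Optional[str] = None

    def signature_bytes(self) -> Optional[bytes]:
        """The raw bytes the unit looks for, whichever form the signature was given in."""
        if self.signature is None:
            return None
        if self.signature.startswith("0x"):
            return bytes.fromhex(self.signature[2:])
        return self.signature.encode("ascii")


def validate(svc: UserService) -> List[str]:
    """Return the constraint violations; an empty list means the command is acceptable."""
    errors = []
    if not NAME_RE.match(svc.name):
        errors.append("name must be 1-30 chars of letters, digits, '_', '-' or '.'")
    if svc.signature is None and svc.port is None:
        errors.append("a service needs a signature and/or a port")
    if svc.signature is not None:
        if svc.signature.startswith("0x"):
            digits = svc.signature[2:]
            # assumption: the 30-character limit counts the hex digits after the 0x prefix
            if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}){1,15}", digits):
                errors.append("hex signature must be 0x plus an even number of up to 30 hex digits")
        elif not 1 <= len(svc.signature) <= 30:
            errors.append("string signature must be 1-30 characters")
        if not 0 <= svc.offset <= 1499:
            errors.append("offset must be 0-1499")
        if svc.packets is not None and not 1 <= svc.packets <= 10:
            errors.append("packets must be 1-10")
    if svc.port is not None and not PORT_RE.match(svc.port):
        errors.append("port must be nnn or nnn-nnn")
    if svc.ipproto is not None and svc.ipproto.upper() not in ("TCP", "UDP"):
        errors.append("ipproto must be TCP or UDP")
    if svc.description is not None and len(svc.description) > 80:
        errors.append("description must be at most 80 characters")
    return errors


def build_command(svc: UserService) -> str:
    """Render the `class user-services new` line; raises ValueError on a constraint violation."""
    problems = validate(svc)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["class user-services new", svc.name]
    if svc.signature is not None:
        sig = svc.signature if svc.signature.startswith("0x") else f'"{svc.signature}"'
        parts += [f"signature:{sig}", f"offset:{svc.offset}"]
        if svc.packets is not None:
            parts.append(f"packets:{svc.packets}")
    if svc.port is not None:
        parts.append(f"port:{svc.port}")
    if svc.ipproto is not None:
        parts.append(f"ipproto:{svc.ipproto.upper()}")
    if svc.description is not None:
        parts.append(f'description:"{svc.description}"')
    return " ".join(parts)


def flow_matches(direction_packets: Sequence[bytes], svc: UserService) -> bool:
    """Model the documented inspection: the signature must sit exactly `offset` bytes into
    the payload of one of the first `packets` data packets sent in one direction.
    Assumption: with packets: omitted the unit inspects two packets per direction."""
    sig = svc.signature_bytes()
    if sig is None:
        return False
    limit = svc.packets if svc.packets is not None else 2
    for payload in list(direction_packets)[:limit]:
        if payload[svc.offset:svc.offset + len(sig)] == sig:
            return True
    return False
```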

See also:

class user-services show

class user-services delete

Command Change History

Release   Modification

8.4.1     class user-services command introduced


class user-services show

Display a list of user-defined services.

class user-services show [<serviceName>]

Example:

class user-services show

User Defined Services

1. Name:BCpayroll serviceid:645 signature:0x424320706179726f6c6c offset:0 packets:2 ipproto:TCP/UDP description:"BC Payroll application"

2. Name:TDemployees serviceid:647 signature:"TD Employee" offset:6 packets:1 ipproto:TCP/UDP description:"TD Employee Database"

Command Change History

Release   Modification

8.4.1     class user-services command introduced


class users

List the names of users in a specific Active Directory domain or all domains.

class users <domain_name>|all

This command is part of the user awareness feature and requires that a BCAAA server be installed and configured.

A long list of users will scroll off the screen; if you want to be able to scroll through the list, use one of the following techniques:

Output the list to a text file, for example: class users all > userlist. When the command prompt redisplays, the file has finished saving. (This might take a while.) To display the list a page at a time: more userlist

Turn on session logging in your remote login utility (such as Putty or SecureCRT) before issuing the class users all command. You can then open the log file in a text editor.

When creating a class in the Sky or Advanced UI, the User field offers ways to list and search for users.

Command Change History

Release   Modification

9.2.1     class users command introduced


class web-app disable

Disables the service of a web-based application (such as Facebook or YouTube). After a service is disabled, the traffic will get classified as HTTP or SSL. You might want to disable a service when you prefer to control the traffic by its URL category. For example, you can disable the Facebook service and then control all social networking traffic with a single Social Networking URL category class. This technique helps conserve classes and provides an easy way to report on and control how much HTTP is on the network.

class web-app disable <service>

where <service> is the name of the web application to disable. To see a list of web services that can be disabled, use the help class web-app command. For example, the help output includes the following:

The following values are currently supported for this argument:

Facebook Youtube MySpace Orkut Flickr Meebo GoogleVideo Ogg Smugmug Ofoto Motion WebShots

PolicyCenter Support

Web services cannot be disabled in PolicyCenter; this feature is supported in local mode only. If PolicyCenter pushes a class to a PacketShaper that is in shared mode, and that class uses a service that has been disabled locally on the PacketShaper, the class will still be created. However, traffic will not get classified into the class as long as the service is disabled.

Notes:

If the web browser interface is open when you enable/disable the service, you will need to refresh the browser window to load the configuration change.

When a web application is disabled, you cannot create a class for that service in the CLI, Advanced UI, or Sky UI. The application will not appear on the Services drop-down list in the Sky or Advanced UIs after it has been disabled.

Disabled web applications will not get classified into the service group to which the service belonged.

If a class already exists for a disabled web application, the class will still appear in the traffic tree but will no longer get any class hits. It will not have a configuration error.

It is not necessary to remove plug-ins for web services that have been disabled.

See also:

class web-app enable

class web-app show

Command Change History

Release   Modification

8.7.1 class web-app command introduced

PacketGuide™ for PacketWise® 9.2

99


class web-app enable

Re-enables a web application (such as Facebook or YouTube) after it has been disabled. You would use this command if you change your mind about disabling a service and want to start classifying the service separately again.

class web-app enable <service>

where <service> is the name of the web application to enable. To see a list of web services that are currently disabled, use the class web-app show command.

Notes:

If the web browser interface is open when you enable/disable the service, you will need to refresh the browser window to load the configuration change.

To verify that the service has been re-enabled, use the class web-app show command. The service should not be listed in the output of the show command.

After you have re-enabled a web service, you can manually create classes based on this service or let the PacketShaper auto-discover the class. If the class already existed in the tree, it will start getting class hits once the service is re-enabled.

See also:

class web-app disable

class web-app show

Command Change History

Release   Modification

8.7.1 class web-app command introduced


class web-app show

Lists the services that have been disabled with the class web-app disable command.

class web-app show

Example:

class web-app show

Classification of the following Web applications is disabled: Facebook YouTube

Command Change History

Release   Modification

8.7.1 class web-app command introduced


cmp

Compare two files. This command generates no output if the files don't differ; if they differ, the byte and line number at which the first difference occurred is reported. Bytes and lines are numbered beginning with one (1).

cmp [-ls] file1 file2 [skip1] [skip2]

The following options are available:

-l Print the byte number (decimal) and the differing byte values (octal) for each difference.

-s Print nothing for differing files; return exit status only.

The optional arguments skip1 and skip2 are byte offsets from the beginning of file1 and file2, respectively, at which the comparison will begin. An offset is decimal by default, but may be expressed as a hexadecimal or octal value by prefixing it with 0x (hexadecimal) or 0 (octal).
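Added example, not the PacketWise cmp implementation: a Python model of the cmp semantics described above (first differing byte and line numbered from one, the -l listing, the -s exit status, and skip offsets in decimal, 0x hexadecimal or 0 octal). A practical use is checking a configuration file copied off a unit against a known-good copy; the two sample files and the rule that a shorter file differs at its end are this example's own assumptions.

```python
# Added example (not PacketWise code): model of the cmp command's behaviour.
from typing import List, Optional, Tuple


def parse_skip(text: str) -> int:
    """Skip offsets are decimal by default, hexadecimal with a 0x prefix and
    octal with a leading 0, as the cmp description states."""
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text[1:], 8)
    return int(text, 10)


def first_difference(a: bytes, b: bytes, skip1: int = 0, skip2: int = 0) -> Optional[Tuple[int, int]]:
    """Return (byte_number, line_number) of the first differing byte, counted
    from one after the skip offsets, or None if the data is identical.
    Assumption of this model: if one input is a prefix of the other, the
    difference is reported at the first byte past the shorter one."""
    a, b = a[skip1:], b[skip2:]
    line = 1
    for i in range(min(len(a), len(b))):
        if a[i] != b[i]:
            return i + 1, line
        if a[i] == 0x0A:          # a newline advances the line count only once it matched
            line += 1
    if len(a) != len(b):
        return min(len(a), len(b)) + 1, line
    return None


def list_differences(a: bytes, b: bytes, skip1: int = 0, skip2: int = 0) -> List[Tuple[int, str, str]]:
    """The -l behaviour: (decimal byte number, octal value in file1, octal
    value in file2) for every differing byte over the common length."""
    a, b = a[skip1:], b[skip2:]
    return [(i + 1, format(x, "o"), format(y, "o"))
            for i, (x, y) in enumerate(zip(a, b)) if x != y]


def cmp_status(a: bytes, b: bytes, skip1: int = 0, skip2: int = 0) -> int:
    """The -s behaviour: exit status 0 when identical, 1 when the files differ."""
    return 0 if first_difference(a, b, skip1, skip2) is None else 1


# Constructed sample: a known-good command file and a copy pulled off a unit
# that differs in its second line.
GOLDEN = b"setup shaping on\nsetup discovery on\n"
PULLED = b"setup shaping on\nsetup discovery off\n"

if __name__ == "__main__":
    where = first_difference(GOLDEN, PULLED)
    if where:
        print(f"files differ: byte {where[0]}, line {where[1]}")
    for number, x, y in list_differences(GOLDEN, PULLED):
        print(number, x, y)
```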


setup compression show (compression show)

applicable to legacy compression tunnels only

Display compression status. Use this command to check whether compression is enabled, list the IP address and status of active tunnel partners, and see details about the services that have active flows being compressed.

setup compression show [hosts|<ip-addr>|services|types|summary|all] [main|lower|upper|left|right]

or

compression show [hosts|<ip-addr>|services|types|summary|all] [main|lower|upper|left|right]

where:

hosts   Lists the hosts and partners that can use the compression facility. For example, if you have used the setup compression hosts and/or setup compression partners commands to limit the hosts and PacketShapers that can use compression, the setup compression show hosts command will list the allowed hosts and partners.

If you have changed the default value of the Allow/Exclude inside hosts on list, Allow/Exclude outside hosts on list, and/or Allow/Exclude PacketShapers on partner list system variables from allow to exclude, the setup compression show hosts command will display the hosts and partners that are excluded from compression.

<ip-addr>   Displays compression information for the specified IP address, such as compression type and status and tunnel partner (more detail appears below)

services   Lists non-compressible services. To avoid inducing latency unnecessarily, services that are unlikely to achieve useful gains from compression are not compressed. Voice Over IP, video streaming, and encrypted data are examples of non-compressible traffic.

types   Lists the compression dictionaries supported by the unit; the supported types will vary according to the model and amount of memory in the unit. The default dictionary is also listed; to change the default dictionary, use the setup compression dictionary command.

summary   Show a tunnel summary in tabular form. For each tunnel, the tabular output lists the tunnel partner, quality, savings, and state. Note that the summary does not list the specific classes and services that are being compressed.

all   In addition to compression status, the output includes the lists from the services, types, and hosts options.

main|lower|upper|left|right   Display tunnels associated with a particular PacketShaper device:

main — built-in interface
upper — upper LEM
lower — lower LEM
right — right LEM
left — left LEM

Note: If a unit is assigned to a PolicyCenter configuration with a compression dictionary that the unit cannot support, the unit will substitute a smaller compression dictionary of the same type. For example, if a 1700 model is assigned to a PolicyCenter configuration configured with a CNA-32M dictionary, the unit will use the largest CNA dictionary supported, in this case, CNA-16M. If the unit does not have the assigned compression plug-in, it will use its currently configured compression dictionary.

Sample output for setup compression show:


Tunnel Interface: main
Tunnel Partner: 172.21.26.45
Tunnel Status: Normal Operation (Up: 12m 4s, Idle: 9s)
Tunnel Quality: 100
Tunnel Savings: 56 KBpm

Compressors          Type      %Bytes Saved
-----------------------------------------------------------------------------------------
GROUP DICTIONARY     cna-1M    70%    ( 19 secs old)
DNS                  cna-1M    18%    ( 19 secs old)
NetBIOS-IP-SSN       cna-1M    70%    ( 53 secs old)
Microsoft-ds         cna-1M    70%    ( 50 secs old)
ICMP                 cna-1M    45%    ( 32 secs old)
SNMP-Mon             cna-1M    70%    ( 53 secs old)
LDAP-Clear           cna-1M    ----%  (125 secs old)
Observed             cna-1M    29%    ( 60 secs old)

Compression: On
Memory: 9879 KB / 204800 KB
Tunnels: 1 Active, 0 Idle, 1 Total

Tunnel Status can be one of the following:

Normal Operation — A compression tunnel has been established in both directions, and the unit is ready to compress and decompress data.

Compressing — The unit is currently compressing data.

Decompressing — The unit is currently decompressing data.

Passthru operation (Decompressing) — Compressible packets are not being sent through the compression tunnel. When compressed packets are retransmitted because the tunnel partner is not acknowledging that it received the packets, PacketWise sends the packets through the normal mechanism (not the tunnel). The tunnel will resume normal operation after it gets an acknowledgement for the retransmitted packets.

Tunnel Quality can range between 0 and 100, with a value of 100 indicating best tunnel quality. It is derived from underlying metrics such as packet loss. Poor tunnel quality could be caused by problems with your network configuration or service provider. See Compression Troubleshooting for more information.

Tunnel Savings is the bytes saved per minute, due to compression.

If the tunnel is currently compressing data, the output includes details about each of the services that are being compressed.

Column Description

Compressors Lists the name of each class and service being compressed

Type

Lists the compression dictionary the service is using. The dictionary name indicates the type of algorithm (such as cna, predictive, or zlib), number of passes (with one pass, data is compressed once; with two passes, the compressed data is compressed again), and the size. For example, pred2-512K uses the predictive type of algorithm, does two passes, and has a 512K dictionary.

%Bytes Saved

Indicates the percentage of bytes saved due to compression. This value is calculated by subtracting post-compression bytes (the size after compressible bytes were compressed) from pre-compression bytes (the size without any compression) and dividing this difference by pre-compression bytes.

If ----% appears in the %Bytes Saved column, either compression savings were negligible or the service has flows that were recently compressed (more than 2 minutes ago), but are not currently being compressed. A service will be dropped from the list if it hasn't been compressed in 999 seconds.

Occasionally, you may have Observed listed as a compressor in the setup compression show output (as shown in the example above). When Xpress is unable to identify the service for any traffic that is sent through the compression tunnel, the traffic gets categorized into Observed.
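Added example, not PacketWise code: a parser for the text of setup compression show, so output collected from a unit's CLI can be checked by a script instead of read by eye. The sample is constructed to match the format shown above (including a ----% row and an Observed compressor); the quality and memory thresholds in tunnel_problems are this example's own choices.

```python
# Added example (not PacketWise code): parse `setup compression show` output
# and flag tunnel conditions an operator would want to know about.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the format the command description shows.
SAMPLE = """\
Tunnel Interface: main
Tunnel Partner: 172.21.26.45
Tunnel Status: Normal Operation (Up: 12m 4s, Idle: 9s)
Tunnel Quality: 100
Tunnel Savings: 56 KBpm

Compressors          Type      %Bytes Saved
-----------------------------------------------------------
GROUP DICTIONARY     cna-1M    70%    ( 19 secs old)
DNS                  cna-1M    18%    ( 19 secs old)
LDAP-Clear           cna-1M    ----%  (125 secs old)
Observed             cna-1M    29%    ( 60 secs old)

Compression: On
Memory: 9879 KB / 204800 KB
Tunnels: 1 Active, 0 Idle, 1 Total
"""


@dataclass
class Compressor:
    name: str
    dictionary: str
    pct_saved: Optional[int]   # None when the unit prints ----%
    age_secs: int


@dataclass
class TunnelReport:
    fields: Dict[str, str] = field(default_factory=dict)
    compressors: List[Compressor] = field(default_factory=list)


# One compressor row: name (may contain single spaces), dictionary,
# percentage or dashes, age in seconds.
ROW = re.compile(
    r"^(?P<name>\S.*?)\s{2,}(?P<dict>\S+)\s+(?P<pct>\d+|-+)%\s+\(\s*(?P<age>\d+) secs old\)$"
)


def parse_compression_show(text: str) -> TunnelReport:
    """Split the output into 'Key: value' fields and compressor rows."""
    report = TunnelReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or line.startswith("Compressors"):
            continue
        m = ROW.match(line)
        if m:
            pct = None if m.group("pct").startswith("-") else int(m.group("pct"))
            report.compressors.append(
                Compressor(m.group("name"), m.group("dict"), pct, int(m.group("age"))))
            continue
        key, sep, value = line.partition(":")
        if sep:
            report.fields[key.strip()] = value.strip()
    return report


def memory_use(report: TunnelReport) -> float:
    """Fraction of compression memory in use, from 'Memory: <used> KB / <total> KB'."""
    used, _, total = report.fields["Memory"].partition("/")
    return int(used.split()[0]) / int(total.split()[0])


def tunnel_problems(report: TunnelReport, min_quality: int = 90, max_memory: float = 0.9) -> List[str]:
    """Conditions worth alerting on; the thresholds are assumptions of this example."""
    problems = []
    status = report.fields.get("Tunnel Status", "")
    if not status.startswith("Normal"):
        problems.append(f"tunnel status: {status or 'missing'}")
    quality = int(report.fields.get("Tunnel Quality", "0"))
    if quality < min_quality:
        problems.append(f"tunnel quality {quality} below {min_quality}")
    if report.fields.get("Compression") != "On":
        problems.append("compression is not on")
    if "Memory" in report.fields and memory_use(report) > max_memory:
        problems.append("compression memory nearly exhausted")
    return problems


if __name__ == "__main__":
    parsed = parse_compression_show(SAMPLE)
    for c in parsed.compressors:
        print(f"{c.name:20} {c.dictionary:8} {c.pct_saved} ({c.age_secs}s old)")
    print("problems:", tunnel_problems(parsed) or "none")
```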

If you include a specific IP address, you can display additional compression information about the host or PacketShaper. The Compression Type field in the setup compression show output indicates the type of host: Shaper (PacketShaper), Initiator, or Recipient. The output varies, depending on the type of host.

For example, if 172.21.18.253 is a recipient host, the setup compression show output includes the forwarding MAC address:


setup compression show 172.21.18.253

IP Address: 172.21.18.253 INSIDE
Compression Type: Recipient
Forwarding Address: 00:90:27:54:a7:d5

Or, if 192.168.130.101 is an initiating host, the output lists the tunnel partner and tunnel status:

setup compression show 192.168.130.101

IP Address: 192.168.130.101 OUTSIDE
Compression Type: Initiator
Tunnel Partner: 172.21.0.85
Tunnel Status: Normal operation (Up: 1m 48s, Idle: 29s)

If 172.17.56.201 is a PacketShaper unit, the output includes the tunnel savings and tunnel status:

setup compression show 172.17.56.201

Tunnel Interface: main
Tunnel Partner: 172.17.56.201
Tunnel Status: Normal operation (Up: 30s, Idle: 0s)
Tunnel Quality: 100
Tunnel Savings: 8618 KBpm

Compressors          Type      %Bytes Saved
------------------------------------------------------------------------------
GROUP DICTIONARY     cna-1M    72%  (  0 secs old)
HTTP                 cna-1M    72%  (  0 secs old)
ICMP                 cna-1M     0%  ( 11 secs old)

Tunnel Status can be one of the following:

Normal Operation — The unit is currently compressing and decompressing data.

Compressing — The unit is currently compressing data.

Decompressing — The unit is currently decompressing data.

Tunnel is not up — The compression tunnel has not been set up (see Compression Status for details on why the tunnel was not set up)

Partner not available — The data from the active PacketShaper will not be compressed because the tunnel partner does not allow tunnel traffic from the active PacketShaper (the unit from which you issued the setup compression show command). In other words, the PacketShaper on the other side of the tunnel has not configured the active PacketShaper to use the compression facility — it is not on its list of PacketShapers that are allowed to use the compression facility.

Passthru operation (Decompressing) — Compressible packets are not being sent through the compression tunnel. When compressed packets are retransmitted because the tunnel partner is not acknowledging that it received the packets, PacketWise sends the packets through the normal mechanism (not the tunnel). The tunnel will resume normal operation after it gets an acknowledgement for the retransmitted packets.

To display a compression tunnel summary:

setup compression show summary

Compression Tunnel Summary
=============================================================================
Configuration:
   Tunneling: On

Device   Partner          Quality   Savings       State
-----------------------------------------------------------------------------
lower    172.17.58.109    100       4022 KBpm     Normal 17m 24s
upper    172.17.59.103    100       4063 KBpm     Normal 17m 24s
upper    172.17.59.108    100       3842 KBpm     Normal 17m 24s
main     172.17.56.104    100       8914 KBpm     Normal 17m 24s
main     172.17.56.109    100       1229 KBpm     Normal 17m 24s
upper    172.17.58.105    100       3684 KBpm     Normal 17m 24s
main     172.17.56.107    100       10267 KBpm    Normal 17m 24s
upper    172.17.58.106    100       1263 KBpm     Normal 17m 24s
main     172.17.56.102    100       9038 KBpm     Normal 17m 24s
upper    172.17.56.102    100       3979 KBpm     Normal 17m 25s
upper    172.17.59.106    100       4035 KBpm     Normal 17m 25s
upper    172.17.56.109    100       4028 KBpm     Normal 17m 25s
upper    172.17.59.102    100       3999 KBpm     Normal 17m 25s

Totals:
   Tunnels: 13   Active: 13   Idle: 0   Unidirectional: 0   Bidirectional: 0   Passthru: 0
   Memory: 260845 KB / 704437 KB

Compression Status

If the compression tunnel is not up, you will see an additional field, Compression Status, which gives you additional information about why a tunnel could not be created. These messages are described below.

Message Description

Disabled because compression is off

The data from the specified host will not be compressed because the compression feature has been turned off on the active PacketShaper. Use the setup compression on command to enable compression.

Disabled because shaper is not in allowed partner list

or

Disabled because shaper x.x.x.x is not in allowed partner list

The data from the specified host will not be compressed because the tunnel partner has not been configured to use the compression facility (using the setup compression partners command). To see which partners (PacketShaper units) have been configured to use compression, type setup compression show hosts.

Disabled because host is not in list of allowed hosts

The data from the specified host will not be compressed because it is not configured to use the compression facility (using the setup compression hosts command). To see which hosts have been configured to use compression, type setup compression show hosts.

Disabled because host appears to be on both sides

This message means that the host is trying to be an initiator and recipient at the same time, a situation that is not allowed. Resetting the unit should resolve this problem.

Note: You may get this message if your site router is on the inside — compression will not work with inside routers.

Process started, probe sent __ago, no answer, resend in __

A probe packet was sent to look for a tunnel partner, but a PacketShaper unit did not reply; another probe will be sent in the specified number of seconds/minutes

Compression was restarted, can probe now

Compression was turned off and then turned back on and there currently aren't any flows going through the PacketShaper for this host; a probe will be sent to look for a tunnel partner

Host can probe now

The host has been identified, but a probe packet has not yet been sent to see if a tunnel partner exists

Probe sent __ ago, can probe now

A probe packet was sent, but a tunnel partner did not reply; another probe will be sent. (If you want to force a probe, use the setup compression reprobe command.)


config backup

For PolicyCenter only

Make a backup copy of a PolicyCenter configuration. After you issue the config backup command, you will be prompted to confirm that you want to create a backup of the specified configuration. Enter the word Yes, or press the Enter key. Backup configurations will appear in the PolicyCenter configuration tree with a "-backup" after the configuration name.

config backup [<cfg_path>]

Restore a backup copy of a PolicyCenter configuration with the config restore command.


config clear

For PolicyCenter / PacketShapers in Shared Configuration Mode

Clears all non-default configuration values from the named configuration. If none is named, it clears the current configuration. Clearing a child configuration means that the child will derive its sharable attributes and settings from its parent configuration. If you clear a parent configuration, its child configurations will no longer inherit any values from that parent.

config clear [<cfg_path>]


config cp

For PolicyCenter only

Copies an existing configuration to a new or existing configuration. Include the -r (recursive) option to include the selected configuration's child configurations in the copy operation. Note that if the configuration to be copied and the destination configuration both have a child configuration with the same name, the destination configuration's child will be overwritten. If the <source cfg_path> argument is omitted, it copies the current active configuration.

This command does not allow a parent configuration to be copied to its child configuration with the "-r" option. You also may not copy to a draft configuration, or to any configuration that has a draft anywhere in its configuration hierarchy. The individual serial-number configuration of a PacketShaper is unique to that unit, and cannot be copied to another location in the configuration tree unless you also rename the new copy of the unit configuration as a part of the copy operation.

config cp [-r] [<source cfg_path>] <dest cfg_path>

Where the <source cfg_path> is the source configuration to be copied, and the <dest cfg_path> is the destination for the new copy of that configuration. Specify a slash (/) for the <dest cfg_path> value to copy the source configuration to the root of the configuration tree.

See also config mv for details on moving PolicyCenter configurations.


config dump

For PolicyCenter / PacketShapers in Shared Configuration Mode

This command prints out the current effective configuration objects’ formats and attributes in something like LDAP data interchange format. Useful mainly for development and diagnostic purposes.

config dump

See also:

config save


config edit

For PolicyCenter only

Locks the current configuration, creates a draft copy of that configuration if a draft does not exist, and opens the draft configuration for display and modification. If a draft copy of that configuration already exists, this command only opens the draft configuration for display, but does not create a new draft.

config edit <cfg_path>

Draft configurations impose limitations not present in other configurations. Once you have created a draft copy of a configuration, neither the original configuration nor any of its parent or child configurations can be modified until the draft configuration is permanently committed or deleted.

If, for example, you had a PolicyCenter configuration tree with the following configurations

/parent_cfg

/parent_cfg/child1

/parent_cfg/child1/grandchild1

/parent_cfg/child2

/parent_cfg/child2/grandchild2

the command config edit parent_cfg/child1 would lock the configurations /parent_cfg, /parent_cfg/child1 and /parent_cfg/child1/grandchild1, and would create a new draft configuration called parent_cfg/child1-draft. The configuration tree would then appear as follows:

/parent_cfg (locked)

/parent_cfg/child1 (locked)

/parent_cfg/child1-draft (locked)

/parent_cfg/child1/grandchild1 (locked)

/parent_cfg/child2

/parent_cfg/child2/grandchild2

A draft configuration can only be edited by one PolicyCenter user at a time; no other user can modify a draft until the first user logs out of PolicyCenter or sets the focus of his PolicyCenter session on another configuration (for example, by using the config view or config edit commands and specifying another configuration). However, while one user is modifying a draft, other users are allowed to view (but not change) the draft.

Once you have made the required modifications to a draft configuration, you can test that configuration on one or more PacketShapers with the command draft try, or permanently commit the changes using the command draft commit.
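Added example, not PolicyCenter code: a model of the locking rule the config edit description gives, run against the sample configuration tree above. Creating a draft locks the configuration, its ancestors and its descendants, and committing or deleting the draft releases them; the refusal of a new draft while any of those configurations is already locked is an assumption of this model, not something the page states.

```python
# Added example (not PolicyCenter code): model of config edit draft locking.
from typing import Dict, List, Set


def normalize(path: str) -> str:
    """config edit accepts parent_cfg/child1 or /parent_cfg/child1; keep one form."""
    return "/" + path.strip("/")


def ancestors(path: str) -> List[str]:
    """'/a/b/c' -> ['/a', '/a/b']"""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


class ConfigTree:
    def __init__(self, paths):
        self.paths: Set[str] = {normalize(p) for p in paths}
        self.locked: Set[str] = set()
        self.drafts: Dict[str, str] = {}    # original path -> draft path

    def descendants(self, path: str) -> List[str]:
        prefix = path + "/"
        return sorted(p for p in self.paths if p.startswith(prefix))

    def lock_set(self, path: str) -> Set[str]:
        """Everything a draft of `path` locks: the path, its parents, its children."""
        return set(ancestors(path)) | {path} | set(self.descendants(path))

    def config_edit(self, path: str) -> str:
        """Return the draft path, creating the draft and its locks if needed."""
        path = normalize(path)
        if path not in self.paths:
            raise KeyError(path)
        if path in self.drafts:            # an existing draft is only opened
            return self.drafts[path]
        to_lock = self.lock_set(path)
        # Assumption of this model: a new draft is refused while anything it
        # would lock is already locked by another draft.
        clash = to_lock & self.locked
        if clash:
            raise PermissionError(f"already locked: {sorted(clash)}")
        draft = path + "-draft"
        self.paths.add(draft)
        self.drafts[path] = draft
        self.locked |= to_lock | {draft}
        return draft

    def can_modify(self, path: str) -> bool:
        return normalize(path) not in self.locked

    def release_draft(self, path: str) -> None:
        """draft commit or draft delete: drop the draft and its locks."""
        path = normalize(path)
        draft = self.drafts.pop(path)
        self.paths.discard(draft)
        self.locked -= self.lock_set(path) | {draft}

    def listing(self) -> List[str]:
        """The tree as the command description prints it, with (locked) markers."""
        return [p + (" (locked)" if p in self.locked else "") for p in sorted(self.paths)]


# The sample tree from the config edit description.
SAMPLE_PATHS = [
    "/parent_cfg",
    "/parent_cfg/child1",
    "/parent_cfg/child1/grandchild1",
    "/parent_cfg/child2",
    "/parent_cfg/child2/grandchild2",
]

if __name__ == "__main__":
    tree = ConfigTree(SAMPLE_PATHS)
    tree.config_edit("parent_cfg/child1")
    print("\n".join(tree.listing()))
```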


config errors

Display configuration errors for the unit. When issued from PolicyCenter, this command displays errors for the PolicyCenter configuration currently being edited.

config errors

Note: Configuration errors are also shown in the output of the banner show command.


config information

For PolicyCenter only

View information about when a specified configuration was last modified, and the user name and organization of the PolicyCenter user that made the changes.

config information [<cfg_path>]

For example:

config information /config1

Configuration Information for: /config1
Modification Details:
   User Name    : JSmith
   Organization : IT
   Date         : December 28, 2006 08:08:07 (Local Time)


config load

Load saved configuration files (such as config.ldi and config.cmd). Sharable settings are saved in files with the .ldi file extension, while nonsharable settings are saved in the .cmd file.

This command can load the traffic tree, partitions, policies, host lists, events, agents, basic settings (such as shaping, traffic discovery, compression, and adaptive response), security settings (such as passwords and login access protocols), SNMP, SNTP, email, and Syslog settings, site router, DNS server, and gateway addresses, domain names, time zones, and network interface settings.

Note: Use the setup show command to see a list of sharable and nonsharable settings that are stored in the configuration files.

config load <file> [<cfg_path>] [complete]

<file>   The location and name of a saved configuration file. Include the .ldi file extension to load just an .ldi file, or omit the file extension and include the complete parameter to load both a .ldi and a .cmd file with the specified filename.

By default, this command loads files from the PacketShaper system disk (9.256/) or the PolicyCenter directory. To load saved files from a PacketShaper data disk (9.258/ or 9.1026/) or a different folder, specify the entire path.

For example, to load the configuration files test.ldi and test.cmd from the PacketShaper data disk, type:

config load 9.258/test complete

<cfg-path>   When you issue this command from PolicyCenter, include the path of the PolicyCenter configuration to which you want to load the file(s).

[complete]   Include the complete parameter to load the saved .ldi and .cmd files. If this parameter is omitted, the command will load only the sharable settings in the .ldi file.

<file> is the location and name of a saved .ldi file. For example, to load a file named test.ldi that is in the system disk root, use:

config load 9.256/test

The config load command discards the current configuration and institutes the loaded configuration; it does not merge the loaded configuration with the pre-existing one. The new configuration settings are then stored in 9.256/CFG/config.ldi.

Keep in mind that the .ldi file includes the unit’s password, and if you load the configuration on another unit, you will change its password. If you want to load a traffic configuration on another unit without changing the password, use the class load command instead of the config load command.

Note: The PacketWise image version is stored in the .ldi file if it was set in PolicyCenter. If the image version on a unit is different from the image version stored in an .ldi file you are loading, you may see an image configuration error message after issuing the config load command in local mode. You can clear the error by giving the setup version none command. The error message does not appear in shared mode.

See also:

config save

Command Change History

Release   Modification

8.3.1 [complete] parameter added, which can load both .cmd and .ldi files.


config mode

For PolicyCenter / PacketShapers in Shared Configuration Mode

Tells you whether a unit is in local or shared mode.

config mode

Note: This command does not enable or disable the LDAP client, which is normally initialized with config setup and disabled with config unset.

See also:

config setup

config unset


config mv

For PolicyCenter only

Moves a configuration to another location within the PolicyCenter configuration tree. This command copies the specified source configuration to the destination configuration name, switches any assigned units from their source sharable configuration to the new destination configuration, and deletes the source configuration. Note that you cannot move the /default configuration or the individual unit configurations of PacketShapers that have not been assigned to a sharable configuration.

If the configuration is a parent configuration with child configurations, the selected configuration's child configurations will be included in the move operation.

Note: You may not move a configuration under a draft configuration, or to any configuration that has a draft anywhere in its configuration hierarchy. The unique serial-number configuration for units running a version of PacketWise released before 7.5.0 cannot be moved from the configuration root while the unit is still assigned to that configuration, although the units themselves can be assigned to any sharable PolicyCenter configuration via the CLI command unit assign. You can, however, copy a pre-7.5.0 unit's serial-number configuration to another location, and then assign the unit to that renamed configuration.

If the source configuration name is omitted, this command will assume the current active configuration is the configuration to be moved. You must, however, specify the destination configuration path.

config mv [<source_cfg_path>] <dest_cfg_path>

Where the <source_cfg_path> is the source configuration to be moved, and the <dest_cfg_path> is the destination for that configuration. If the first <cfg_path> value is omitted, PolicyCenter will move the current active configuration. Specify a slash (/) for the <dest_cfg_path> value to move the source configuration to the root of the configuration tree.

See also:

config cp


config new

For PolicyCenter only

Creates a new, empty configuration with the given name. You can use this command to create a new configuration at the top of the configuration tree, or to add a new child configuration under an existing parent.

config new <cfg_path>

Examples:

config new newchild

config new /otherparent/newchild


config owner set

For PolicyCenter only

Assign a configuration to a specified organization. Include the -r (recursive) option to assign the selected configuration and all its child configurations to the same organization.

A child configuration can only be assigned to a different organization than its parent if the parent configuration is assigned to PC, the default PolicyCenter organization. If the parent configuration is assigned to any other organization, all of its child configurations must be assigned to that same organization.

For example, if the parent configuration /parent is assigned to the PC organization, its child /parent/child can be assigned to PC or any other existing organization. However, if the parent config /parent is assigned to any other organization besides PC, such as New_York, then the child configuration /parent/child must also be assigned to that New_York organization.

You must be logged in as a PolicyCenter administrator to issue this command. You may not change the organization on a configuration that has a draft anywhere in its configuration hierarchy.

config owner set [-r] </cfg-path> <organization>

Examples:

config owner set -r /TriStateConfig New_York

config owner set /PacificNorth/Corvallis Oregon
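Added example, not PolicyCenter code: a model of the ownership rule in the config owner set description, checked against the /parent and /parent/child cases given there. The owners dictionary stands in for PolicyCenter's state, and the draft restriction is modelled as an assumption: a draft on the configuration, on any ancestor or on any descendant blocks the change.

```python
# Added example (not PolicyCenter code): validate and apply `config owner set`.
from typing import Dict, Iterable, List

PC = "PC"   # the default PolicyCenter organization named in the description


def parent_of(path: str) -> str:
    """'/a/b/c' -> '/a/b'; a top-level configuration has parent ''."""
    return path.rsplit("/", 1)[0]


def ancestors(path: str) -> List[str]:
    out, p = [], parent_of(path)
    while p:
        out.append(p)
        p = parent_of(p)
    return out


def descendants(owners: Dict[str, str], path: str) -> List[str]:
    return sorted(p for p in owners if p.startswith(path + "/"))


def check_owner_set(owners: Dict[str, str], path: str, organization: str,
                    recursive: bool = False, drafts: Iterable[str] = ()) -> List[str]:
    """Reasons the assignment would be refused; an empty list means it is allowed.

    owners maps configuration path -> owning organization (the model's state);
    drafts lists configurations that currently have a draft.
    """
    if path not in owners:
        return [f"no such configuration: {path}"]
    problems = []
    hierarchy = set(ancestors(path)) | {path} | set(descendants(owners, path))
    if hierarchy & set(drafts):
        problems.append("a draft exists in the configuration hierarchy")
    parent = parent_of(path)
    # A child may differ from its parent only when the parent is owned by PC.
    if parent and owners[parent] != PC and organization != owners[parent]:
        problems.append(
            f"parent {parent} is owned by {owners[parent]}, so its children must be too")
    # Without -r the children keep their owners, which must then match a
    # non-PC owner of this configuration.
    if organization != PC and not recursive:
        for child in descendants(owners, path):
            if owners[child] != organization:
                problems.append(f"child {child} is owned by {owners[child]}; use -r")
    return problems


def config_owner_set(owners: Dict[str, str], path: str, organization: str,
                     recursive: bool = False, drafts: Iterable[str] = ()) -> None:
    """Apply the assignment in place, or raise ValueError listing the reasons."""
    problems = check_owner_set(owners, path, organization, recursive, drafts)
    if problems:
        raise ValueError("; ".join(problems))
    owners[path] = organization
    if recursive:
        for child in descendants(owners, path):
            owners[child] = organization


if __name__ == "__main__":
    # Constructed tree: the description's /parent and /parent/child, both owned by PC.
    state = {"/parent": PC, "/parent/child": PC}
    print(check_owner_set(state, "/parent/child", "Oregon") or "child may be assigned to Oregon")
    config_owner_set(state, "/parent", "New_York", recursive=True)
    print(check_owner_set(state, "/parent/child", "Oregon"))
```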


config owner show

For PolicyCenter only

Lists PolicyCenter configurations and the organization to which those configurations are assigned. Include the </cfg-path> parameter to view the organization for that single configuration, or omit the parameter to view the assigned organization for all PolicyCenter configurations. You must have touch access to PC, the default PolicyCenter organization, in order to issue this command.

config owner show [</cfg-path>]

Example:

config owner show

Configuration        Owner Organization
901-20000132         PC
default              PC
branch_west          California
  los_angeles        California
  portland           California
  san_francisco      California
branch_east          PC
  new_york           East_Sales
  raleigh            East_Sales
  washington_dc      East_Sales
branch_central       Manufacturing


config publish
For PolicyCenter only

This command publishes a child configuration to its parent, replacing classes and settings in the parent configuration with classes and settings in the child configuration. The child configuration is then cleared, so it will inherit its entire configuration from the new settings of the parent.

Use this command to publish discovered traffic classes to a parent configuration, or to publish a prototype configuration that should be inherited by all child configurations under the same parent. If the <cfg_path> argument is omitted, this command publishes the current active configuration.

config publish [<cfg_path>]

Note: PolicyCenter cannot publish traffic classes from or to a draft configuration. This command will not work if either the parent or child configuration is a draft configuration.


config rm
For PolicyCenter only

Removes a configuration or group of configurations from PolicyCenter. If the configuration name is omitted, this command will assume the current active unit configuration is the configuration to be deleted.

config rm [-r] [<cfg_path>]

This command cannot delete a configuration if it or any of its child configurations have units assigned to them. Before you delete a configuration that has a unit assigned to it, be sure to reassign the units to another configuration. Include the -r (recursive) argument to delete both the selected configuration and all its child configurations. Omit the -r argument to delete a configuration with no children.

Note: The default configuration can’t be removed.

See also:

config clear


config reset
For PolicyCenter / PacketShapers in Shared Configuration Mode

When issued from the command-line interface of an individual PacketShaper, this command disables the unit's connection to the PolicyCenter directory server, returning the unit to local mode and setting the unit's sharable attributes to their factory-default state. The config reset command will not remove a unit entry from the PolicyCenter directory server, and the unit's non-sharable settings (IP address, DNS and management port settings, etc.) will not be changed. To completely remove the unit entry from PolicyCenter, use unit clean.

When you issue this command from the PolicyCenter command-line interface, PolicyCenter will disable communication between PolicyCenter and the directory server. With this connection disabled, PolicyCenter will no longer be able to contact PacketShapers in shared mode. To restore the connection between PolicyCenter and the directory server, use config setup.

config reset

Note: If you want to return a unit to local mode without clearing the unit's sharable attributes, use config unset instead. You may restore a unit's previous PolicyCenter configuration at any time by resetting its connection to the directory server with the config setup command.

See also:

config setup


config save
Save the current configuration's sharable settings in an .ldi file and its nonsharable settings in a .cmd file.

config save [<cfg-path>] <file> [unit]

<cfg-path>   To save a PolicyCenter configuration, specify the path of the configuration you want to save.

<file>   Specify a filename up to eight characters long. The .ldi and .cmd extensions are automatically added to the configuration file name.

By default, this command saves the files to the PacketShaper system disk (9.256/) or the PolicyCenter directory. To save the files to a data disk (9.258/ or 9.1026/) of a PacketShaper or a different folder, specify the entire path.

For example, to save a configuration in files named test.ldi and test.cmd on the PacketShaper data disk, type:

config save 9.258/test

[unit]   When issuing this command from PolicyCenter, you can include the unit parameter to save a unit's local sharable and nonsharable settings. If this parameter is omitted, the config save command will save a configuration's inherited and local settings.

This command can save the traffic tree, partitions, policies, host lists, events, agents, basic settings (such as shaping, traffic discovery, compression, and adaptive response), security settings (such as passwords and login access protocols), SNMP, SNTP, email, and Syslog settings, site router, DNS server, and gateway addresses, domain names, time zones, and network interface settings. Use the setup show command to see a list of sharable and nonsharable settings that are stored in the configuration files.

The config save and config load commands are useful for experimenting with different configuration settings. For example, you can save your current settings, make changes to the configuration (such as create new partitions or policies), and then return to the original configuration if you prefer it. You can create as many configurations as you like.

This feature can also be used to share configurations with other units. You can FTP the two saved configuration files to the system or data disk of another PacketShaper unit and then activate it with the config load command.

Note: Keep in mind that the .ldi file includes the unit’s password, and if you load the configuration on another unit, you will change its password. If you want to load a configuration on another unit without changing the password, use the class load command instead of the config load command.

See also:

config load

Command Change History

Release   Modification
8.3.1     Command modified to create both .ldi and .cmd files.


config secure
For PolicyCenter only

Issue this command to enable or disable Secure LDAP communication between PacketShapers assigned to this configuration and PolicyCenter.

config secure [<cfg_path>] on|off

Note: Before you issue this command to enable secure LDAP, you must access the PolicyCenter command-line interface on the PolicyCenter directory server and run the ds ssl enable command. That command creates and installs the certificates that the directory server requires for SSL, then restarts the directory server.


config setup
For PolicyCenter only

Configures the unit to access shared configurations in Lightweight Directory Access Protocol (LDAP). Initializes the LDAP client to communicate with the directory server and establish the default unit configuration name. A unit's initial PolicyCenter configuration is based on its DNS name (if known) or IP address. When this command is complete, the unit will obtain its configuration from the directory server, replacing any previous local setup, policy, or other sharable configuration values. If you add the optional convert option, the configuration of the unit is preserved.

config setup <ldap_host>[<:port>] [secure | unsecure] [<directory_server_password>] [convert]

Where:

<ldap_host>   DNS name or IP address of a PolicyCenter Directory Server

<:port>   TCP port number to connect to on the Directory Server

secure | nonsecure   Specify secure to establish a secure LDAP connection between the PacketShaper and the PolicyCenter directory server, or specify nonsecure for a standard LDAP connection.

<directory_server_password>   Password for the PolicyCenter directory server. This password was called the PolicyCenter Super-User password in previous versions of PacketWise.

[convert]   Specify the convert option to convert the unit's existing configuration into a new PolicyCenter configuration with the same attributes and values. Because the unit’s new PolicyCenter configuration will be based upon its previous configuration, the unit will continue to operate the same in PolicyCenter as it did in local mode. If you do not select the convert option, the unit’s new PolicyCenter configuration is cleared, and will have default settings only.

If you previously issued the command config unset to disable communication between PolicyCenter and the directory server, you can issue the command config setup <ldap_host>[<:port>] [secure | unsecure] [<directory_server_password>] from the PolicyCenter configuration (the configuration for the PolicyCenter software) to restore communications between PolicyCenter and the directory server. Note that this use of the config setup command doesn't support the convert option.

See also:

setup reset for PolicyCenter


config show
For PolicyCenter only

Lists available PolicyCenter configurations. Depending on the subcommand, shows the available configurations and unit status information. Useful for monitoring units, verifying the PolicyCenter configuration hierarchy, or determining software image versions.

config show all|units|versions|{details <unit name>|<unit serial number>}

all   Displays a table of all units subscribing to the directory server, the configuration they are assigned to, IP address, and status. If a unit has not recently updated its status entry, the time since last update is noted as its 'Out of Contact' time. The status column reports whether a unit has found any errors in its configuration.

units   Displays a table of all units that are posting status to the directory server, with serial number, group/unit name, model, and domain name.

versions   Displays a table of all units that are posting status to the directory server, with serial number, IP address, and image version.

details <unit name>|<unit serial number>   Shows all status information reported by the unit to its status entry in the directory server. You can designate the unit by its unit configuration name (e.g. '/default/austin') or its serial number (e.g. '100-10000105').

The example output below shows a configuration tree with fourteen configurations, including the configuration for the PolicyCenter server itself, configuration 901-20000132. The other configurations at the top of the configuration tree are default, branch_west, branch_east and branch_central.

The branch_west, branch_east and branch_central configurations each have three child configurations with an assigned unit. The names of each of these child configurations are indented in the Configuration Name column, to show that they are child configurations under another parent. Information on the individual PacketShapers, such as unit name, IP address, Out of Contact time, and the status of the unit is displayed beside the unit's assigned configuration.

/025-10001808# config show

Configuration Name   Unit Name      IP Address      Out Of Contact   Status
901-20000132         901-20000132   172.21.7.50                      OK
default
branch_west          main_site      172.21.29.129                    OK
  los_angeles        shaper_1       172.21.29.130                    OK
  portland           shaper_2       172.21.29.135                    OK
  san_francisco      shaper_3       172.21.29.139                    OK
branch_east
  new_york           shaper_4       172.21.18.75                     OK
  raleigh            shaper_5       172.21.18.45                     OK
  washington_dc      shaper_6       172.21.18.99                     OK
branch_central
  denver             shaper_7       172.21.25.160                    OK
  madison            shaper_8       172.21.25.170                    OK
  oklahoma_city      shaper_9       172.21.27.203                    OK


config unset
For PolicyCenter / PacketShapers in Shared Configuration Mode

This command disables directory server access for a unit, and returns the unit to local mode. The config unset command removes a unit entry from the PolicyCenter directory server, so the PacketShaper no longer appears on the PolicyCenter Configurations tab, but allows the unit to retain its last PolicyCenter configuration after it returns to local mode. To set the unit to local mode and return its configuration to a factory-default state, use config reset.

config unset

When you issue this command from the PolicyCenter command-line interface, PolicyCenter will disable communication between PolicyCenter and the directory server. With this connection disabled, PolicyCenter will no longer be able to contact PacketShapers in shared mode. To restore the connection between PolicyCenter and the directory server, use config setup.

Note: If this command does not completely remove a unit entry from PolicyCenter, that entry may be manually removed via the unit clean command.

See also:

config reset


cp
Copy a file on the unit's system or data disk.

cp <file1> <file2>


date
View or set the date and/or time. When initially setting the date and time, use setup timezone.

date [<yyyymmddhhmm>[<.ss>]]

Note that this command has the same functionality as the setup date command.

Note: You should always do a system reset immediately after changing the date so that the underlying time-sensitive scheduled operations of the PacketShaper can be correctly initialized.


dns lookup
List the IP address(es) associated with a domain name. PacketWise keeps the mapping data up to date so that when a site changes an IP address, the matching rule knows about the change.

dns lookup <hostname>

If the name that you enter is different from the canonical or official name, the canonical name record (CNAME) is displayed at the end of the address list. A canonical name record defines an alias for the official host name, facilitating the transition from an old name to a new name.

Some sites return multiple addresses to a lookup query. The PacketWise classification process compares the traffic flows to the address lists when looking for a match.


dns names
List all domain names and addresses that are configured in traffic class matching rules.

dns names

Domain Name                       IP Address       TTL    Age    RQSNCRP  Error
(luna-corp.bluecoat.com)...       192.168.0.33     3600   647    Q
(m10-pat-corp.bluecoat.com)...    192.168.0.207    3600   427    Q
percy.xyz.com                     (204.202.49.73)  86400  12512  Q

The resolved values are shown in parentheses. The other columns in the output are described below.

TTL: The time interval that the DNS entry may be cached before the source of the information should again be consulted.

Age: The time, in seconds, since PacketWise received the last name refresh.

R: If a name server cannot be reached, the entry's retry count is incremented. This is a high-level retry, and each one may include multiple queries to each name server. If the retry value is greater than 9, an asterisk is displayed in this column. If the retry value is zero, nothing is displayed in the column.

Q: Displays a Q if PacketWise sent a query and received a response for the name.

S: Displays an S if PacketWise learned the name's address (or vice versa) by spying on DNS traffic instead of making a query.

N: The number of successful responses received since the one containing this address. If the value is 0, nothing is displayed in the column.

C: The number of responses received before getting one without any new addresses. This is the length of a round-robin cycle. If the value is 1, nothing is displayed in the column.

R: The number of matching rules that refer to this name. It will be incremented by one while a name is being resolved. If the value is 1, nothing is displayed in this column.

P: Displays a P if PacketWise is currently resolving this name.

Error: Shows the problem (if any) encountered by the last refresh attempt. Some possible errors are:

name not found: The authoritative server for this domain has no such name.

server offline: The resolver could not reach the authoritative name server, either directly or indirectly through the locally-configured name servers.

rqst refused: The name server knows (or might know) but won't tell you.

no data record: The name exists, but does not have an address (or vice versa).

internal error: The name server is not functioning.


dns refresh
Clear the resolved DNS values — that is, names and IP addresses — in the names database. The entries are then repopulated at the next ten-second polling interval.

dns refresh

Immediately after executing dns refresh, if you use the dns names command, the resolved values will be listed as <unknown> in the output. These entries are repopulated at the next polling interval.


dns rlookup
Find the host name associated with an IP address.

dns rlookup <ipaddress>


dns servers
List the DNS servers, their online/offline status, and the time since the servers either timed out or responded to a DNS request.

dns servers

Address         Status     Idle
192.168.0.33    on line    4
192.168.0.22    unknown


dns trace
This is a troubleshooting command that should be used only with the guidance of Customer Support.


draft commit
Merge changes made to a draft copy of a configuration into the original target configuration. After merging the changes, PolicyCenter reassigns any PacketShapers using the draft configuration back to their original target configuration, then deletes the draft. Once a draft has been committed, PolicyCenter removes the configuration locks on the draft's parent and sibling configurations, so other PolicyCenter users may edit them.

draft commit <config-draft>

Example:

draft commit myconfig-draft


draft discard
Discard a draft copy of a configuration without merging any of the changes into the original target configuration. If any PacketShapers were assigned to this draft configuration with the draft try command, you will not be able to discard the draft configuration until the units are assigned back to their original target configuration with the draft revert command. This command also removes the configuration locks on the draft's parent and sibling configurations, so other PolicyCenter users may edit them.

draft discard <config-draft>

Example:

draft discard myconfig-draft


draft revert
Reassign any PacketShapers using a draft configuration back to their original target configuration. The changes made to the draft configuration are retained, and the draft's parent and sibling configurations remain locked.

draft revert <config-draft>

Example:

draft revert myconfig-draft


draft try
For PolicyCenter only

Applies a modified draft configuration to one or more selected PacketShapers, allowing you to test the draft configuration before you apply it to a larger group of units. You can re-issue this command to assign additional PacketShapers to a draft, though the draft may not be modified while any PacketShaper is trying it.

Note: The Try operation is only available for PacketShapers running PacketWise 7.5.0 or later releases.

draft try [<cfg_path>] [all | <<unit_name>|<unit_sn> <unit_name>|<unit_sn> ....>]

If you don’t like the result, you can revert the PacketShapers running the draft configuration back to their original target configuration with the command draft revert. If the test goes well and you would like to make the draft changes permanent, you can commit the draft to the original configuration with the command draft commit. Once a draft configuration has been committed, all shapers running or inheriting from the target configuration will get the draft changes.


draft view
For PolicyCenter only

Change the focus of your PolicyCenter session to the selected draft configuration, but only with read access. (You will only be allowed to view, but not modify, the draft configuration.) You can also use this command to release your session’s lock on a draft configuration you are finished editing, so another PolicyCenter user can access and edit the draft.

draft view [<cfg_path>]

Note: To edit and modify a draft configuration issue the command config edit <config_path>.


du
Display the unit's system disk usage.

du


echo
Display a line of text.

echo <string>


email queue
Display or delete messages in the email queue.

email queue show|display <message-id>|delete (<message-id>|all)

Examples:

To display the email queue:

email queue show

To display the contents of message 1:

email queue display 1

To delete all messages in the email queue:

email queue delete all


email retry
Deliver mail immediately, rather than waiting for the next retry.

email retry


email test
Verify the email configuration by sending a test message to individual recipients.

email test <recipient> [<recipient>] [<recipient>] [<recipient>]


event delete
Delete an event and all its registrations.

event delete <name>


event email
Add or delete an email recipient for event notifications.

event email add [<recipient> ... <recipient>]

event email delete [<recipient> ... <recipient>]|all

Separate recipients with a space. You can add up to four recipient addresses.

To use the command-prompt mode, use:

event email add


event log reset
Delete current and archived event log files.

event log reset


event log status
Display information about current and archived event log files, such as their location, current capacities, and limitations.

event log status


event new
Define a new event. When you define an event, you specify a measurement variable in an expression — that is, the condition for which you want to be notified. In addition, you can define a default event-checking interval. The maximum number of events that can be defined is 32. Defined events are not active until registered.

To initiate the command-prompting mode use:

event new

You may exit 'event new' at any time by typing 'exit'
Name of the event: WebQoS
Type of object to be tested: Link, Partition, or traffic Class: (class):
Measurement Engine variable to be tested: tcp-conn-aborts%
Default checking interval [1m,1h] (1m):
Enter a relational operator. When you register this event later,
you will supply a threshold on 'tcp-conn-aborts%' that triggers the event.
The event can be triggered when 'tcp-conn-aborts%'
becomes >, >=, <, or <= the threshold.
Relational operator ( >, >=, <, or <= ) (>):

As an alternative to the prompting mode, you can use a single command line to create an event, as follows:

event new <name> <expression> [<default checking interval>]

<name>   Event names must begin with an alphabetic character and contain only alphabetic characters, numbers, and underscores, up to a maximum of 32 characters. Note that you cannot use hyphens in event names.

<expression>   The expression specifies the condition that will be checked and requires adherence to the following syntax:

<variable>[.<object type>] <relational operator> <constant>

Where:

<variable>.<object type> is one of the PacketWise measurement variables with an appended object type — that is, a link, partition, or class. This object type is required for most variables — those that are common to link, partition, and class objects. Some variables are unique to the object type. For example, peak-excess-bps is relevant only to partitions, so it does not need the object-type qualifier in this syntax. Later, when you register the event, you will supply a specific name for the object type. For a list of measurement variables, use the measure show command.

<relational operator> is one of the following: <, <=, =, >=, or >.

<constant> is a placeholder for the threshold value. Use the $n syntax — for example, $1 or $2. When you register an event, you supply a value that is substituted for this constant in the expression.

Example of an expression: tcp-rtx-pkts% > 30

[<default checking interval>]   The default frequency that PacketWise will use to check for this event. When you register this event, you can substitute a different interval. For standard PacketShaper units, you can specify 1m (one minute) or 1h (one hour). For PacketShaper ISP units, you can specify 1m or 4h.

Examples:

event new NetworkInefficiency tcp-efficiency%.link<$1 1m

event new WebQos tcp-conn-aborts%.class>$1 1h

For more information about PacketWise's event feature, see Overview of Event Notification and Notify Someone of Situations of Interest.

Note: An alternative way to monitor a specific class, link, or partition and receive notification when a threshold crossing has occurred is to create User Event Emulation agents with the adaptive response feature.


event override
For PolicyCenter only

Override the inherited user event by creating a local copy of the event.

event override <event_name>

You must make a local copy of an inherited user event before you can change the user event on the child configuration.


event register
Initiate event-checking and notification for an event. The maximum number of events that can be registered at one time is 32. To use the command-prompting mode, simply enter event register; otherwise use the following command syntax.

event register <event name>(<object>,<threshold>,<re-arm>) [<checking interval>] [email] [trap] [syslog] [limit=<n>]

<event name> An existing predefined or user-defined event

<object> The name of a link, partition, or class that is relevant to the event definition

<threshold>   The value used to trigger event notification. The value is substituted in the event's expression, which you defined with the event new command. If the condition in the expression occurs, it triggers the event notification that is registered for the event.

<re-arm>   The value that tells PacketWise that it's okay to once again send event notifications. After the initial notification occurs for the threshold crossing, additional event messages — traps, email, or syslog — will not be sent until the re-arm condition occurs. The purpose of the re-arm value is to prevent excessive event notification.

[<checking interval>]   The frequency at which this condition should be checked. For standard PacketShaper units, you can specify 1m (one minute) or 1h (one hour). For PacketShaper ISP units, you can specify 1m or 4h.

[email] [trap] [syslog]   The notification mechanism for this event — email, trap, or Syslog.

[limit=<n>]   The number of notifications to be sent within the 24-hour period from midnight to midnight. If you omit this option, the number of notifications is limitless.

Example:

event new WebQos tcp-conn-aborts%.class>$1 1h

event register WebQos(inbound/outside/http,70,50) 1m email limit=20

Note that in the above example, the event was defined with a default interval of one hour. When the event was registered, the specific class was identified with a threshold of 70%, a re-arm level of 50%, a 1-minute interval, and a limit of 20 notifications within a 24-hour period.

When an event exceeds the predefined threshold value, the event is in violation and the PacketShaper will automatically send out notification. PacketShaper will also send a notification when the re-arm level is crossed, allowing you to be alerted automatically when the event has been cleared.

For more information about PacketWise's event feature, see Overview of Event Notification and Notify Someone of Situations of Interest.
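The threshold, re-arm and limit behaviour described above, as an added example that is not part of the PacketGuide; the expression shape (value > threshold), the constructed sample values and the calendar-day reading of limit=<n> are assumptions.

```python
"""Added example, not from the PacketGuide: models the threshold / re-arm /
limit semantics of `event register` so the hysteresis can be checked before
an event is registered on a real unit.

Assumptions (not stated on the page): the registered expression is
"value > threshold" like the WebQos example (tcp-conn-aborts%.class > $1),
one sample arrives per checking interval, and the limit counts notifications
per calendar day (the 24-hour period from midnight to midnight).
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Registration:
    """One `event register <name>(<object>,<threshold>,<re-arm>) ... [limit=<n>]`."""
    name: str
    obj: str
    threshold: float
    re_arm: float
    limit: Optional[int] = None        # None means limit= was omitted (limitless)
    in_violation: bool = False
    sent_today: int = 0
    day: Optional[date] = None
    log: List[str] = field(default_factory=list)

    def _budget_ok(self, when: datetime) -> bool:
        # The limit covers midnight to midnight, so the counter restarts
        # when the calendar day changes.
        if self.day != when.date():
            self.day, self.sent_today = when.date(), 0
        return self.limit is None or self.sent_today < self.limit

    def check(self, when: datetime, value: float) -> Optional[str]:
        """Apply one sample of the monitored value; return the notification
        text that would go out (email, trap, or syslog), or None."""
        msg = None
        if not self.in_violation and value > self.threshold:
            # First crossing above the threshold: the event is in violation.
            self.in_violation = True
            msg = f"{self.name} {self.obj} VIOLATION: {value} > {self.threshold}"
        elif self.in_violation and value < self.re_arm:
            # Dropping below the re-arm level clears the event and allows
            # the next threshold crossing to notify again.
            self.in_violation = False
            msg = f"{self.name} {self.obj} CLEARED: {value} < {self.re_arm}"
        # Samples that stay above the threshold, or sit between re-arm and
        # threshold, produce nothing: that is what prevents alert storms.
        if msg is not None and self._budget_ok(when):
            self.sent_today += 1
            self.log.append(f"{when:%Y-%m-%d %H:%M} {msg}")
            return msg
        return None


def run(reg: Registration, samples: List[Tuple[datetime, float]]) -> List[str]:
    """Feed samples in order and collect the notifications actually sent."""
    return [m for m in (reg.check(t, v) for t, v in samples) if m is not None]


def demo_webqos(limit: Optional[int] = 20) -> List[str]:
    """Mirrors `event register WebQos(inbound/outside/http,70,50) 1m email limit=20`
    on constructed 1-minute samples of tcp-conn-aborts% for that class."""
    reg = Registration("WebQos", "inbound/outside/http", 70, 50, limit)
    start = datetime(2013, 1, 1, 9, 0)
    values = [40, 75, 80, 60, 45, 90, 95, 30]   # constructed sample data
    return run(reg, [(start + timedelta(minutes=i), v) for i, v in enumerate(values)])


def demo_midnight_reset() -> List[str]:
    """With limit=1, a notification just before midnight does not consume
    the next day's budget."""
    reg = Registration("WebQos", "inbound/outside/http", 70, 50, limit=1)
    samples = [(datetime(2013, 1, 1, 23, 59), 75),
               (datetime(2013, 1, 2, 0, 0), 45)]
    return run(reg, samples)


if __name__ == "__main__":
    for line in demo_webqos():
        print(line)
```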


event reset

Reset the user events system. This command removes all user-defined events and unregisters all events (user-defined and predefined).

event reset

Note: Issuing the event reset command from the PolicyCenter command line interface can incorrectly trigger an error message stating that the operation failed, even if the operation executed correctly.


event show

Display email notification recipients, available events (both user-defined and predefined), registered events, and their status.

event show


event test-email

Verify the event email configuration with a test email.

event test-email


event unregister

Stop checking an event.

event unregister <registration-id>|all

Use event show to display the registration IDs.


exit

Log out of a PacketWise connection.

exit


frame add

Add a Frame Relay Access Device (FRAD). The frame command enables automatic configuration of Frame Relay Access Devices (FRADs). Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

frame add <address> <community>

<address> is the IP address or DNS name of the FRAD.

<community> is the SNMP community string of the FRAD.


frame community

Set a new SNMP community string on the PacketShaper. If the SNMP community read string on your local FRAD has changed from what it was when you configured the Frame Relay feature, you can use the frame community command to set the new string on the unit. Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

frame community <frad> <community>

<frad> is the system name or IP address of the FRAD.

<community> is the SNMP community string of the PacketShaper.

In the interval of time before the unit has the new string, you will see that the frame show output no longer shows FRAD or PVC information. In addition, the partition show output will no longer show the min/max PVC partition sizes you might have previously set with the frame override command. However, the entire class tree will remain intact. The frame routing table will be blank.

After you use this command, the unit will be able to use this new string and communicate successfully with the FRAD on the next configuration update (which happens every five minutes; or you can force it by resetting the box). The frame show command will once again show the FRAD and PVC class/partition info, including the CIR/EIR values you might have originally set using the frame override command. The partition show command will show these CIR/EIR values as the min/max of the PVC partitions and the routing table will be populated once more.


frame delete

Delete a Frame Relay Access Device. Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

frame delete <frad>

<frad> is the IP address or DNS name used when the FRAD entry was created, or the Sysname (local system name) of the FRAD. This command also deletes all traffic classes and partitions created to match the FRAD traffic.

The frame delete command deletes the specified FRAD but does not clear the user-entered BGP neighbor information (that is, the static routes entered with the frame route add command). To clear out these entries you will need to issue the reset command.


frame options

Enable and disable the frame relay routing and discovery options for an existing FRAD, or set the default for all new FRADs created by subsequent frame add commands. Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

frame options routing|discovery on|off default|<frad>

By default, both routing and discovery are enabled.

routing Automatically fetch the IP routing tables for this device via SNMP and use them in the Permanent Virtual Circuit (PVC) traffic class matching rules; also, create an internal routing table in the PacketShaper.

discovery Activate traffic discovery for all PVCs created for this frame device

<frad> The IP address or DNS name used when the FRAD entry was created, or the Sysname (local system name) of the FRAD


frame override

Set Committed Information Rate (CIR) and Excess Information Rate (EIR) values for PVC partitions. Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

frame override <frad> <interface-number> <dlci> off|[<cir> <eir>]

Note: After updating the CIR/EIR values with this command, reset the unit so that the new values will take effect.

Where:

<frad> The system name of your FRAD (use frame show to get this name)

<interface-number> The identifier of the serial interface on your FRAD associated with the given PVC (use frame show to get this number, shown in parentheses in the command output)

<dlci> The Data Link Control Identifier (DLCI) of the given PVC

off The option used if CIR/EIR values have already been set via this command and you want to disable them.

<cir> <eir> EIR, as used in PacketWise frame relay support, refers to the amount over the CIR such that CIR + EIR = maximum rate possible.

Use frame show to check CIR and EIR values. The new values will be preceded by "LMIOverride:".


frame route add

Map a PVC to the IP address of the correct BGP (Border Gateway Protocol) neighbor router so that each IP route can be associated with the correct PVC class. This operation is necessary when the SNMP OID for ipRouteIfIndex (1.3.6.1.2.1.4.21.1.2) is missing. Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

frame route add <frad> <ip-address> <interface> <dlci>

<frad> is the system name or IP address of the FRAD.

<ip-address> is the IP address of the BGP neighbor router.

<interface> is the interface number on the router; this number is shown in the output of the frame show command for the given PVC.

<dlci> is the data link connection identifier: the number of a switched virtual circuit in a Frame Relay network that tells the Frame Relay network how to route the data. The DLCI field identifies which logical circuit the data travels over.

The frame routing table will show the association of each BGP route with the correct PVC class after the next configuration update (which happens every 15 minutes) or after the next software reset, whichever comes first.


frame route delete

Delete a static route mapping that was created with the frame route add command. Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

frame route delete <frad> <ip-address>

<frad> is the system name or IP address of the FRAD.

<ip-address> is the IP address of the BGP neighbor from which you want to remove the mapping.


frame route show

Display routing tables that PacketWise has constructed based on routing information from the FRAD via SNMP polling. The FRAD must have a dynamic routing protocol enabled, and must have the routing option enabled on the PacketShaper. Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

frame route show [<frad>]

If you specify a <frad>, the output shows the IP routing tables associated with the specified FRAD name or IP address. If you don't specify a <frad>, the output displays the tables for all FRADs.

The output displays the subnets, the routing ID number used in the matching rule for the PVC class, and the full pathname of the PVC class. Dynamic and static routes are listed in separate tables. Routing ID numbers are chosen automatically by PacketWise, and are used to link a destination address with the PVC class to which it belongs.

This command gives the same output as the frame routing command.


frame routing

Display routing tables that PacketWise has constructed based on routing information from the FRAD via SNMP polling. The FRAD must have a dynamic routing protocol enabled, and must have the routing option enabled on the PacketShaper. Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

frame routing [<frad>]

If you specify a <frad>, the output shows the IP routing tables associated with the specified FRAD name or IP address. If you don't specify a <frad>, the output displays the tables for all FRADs.

The output displays the subnets, the routing ID number used in the matching rule for the PVC class, and the full pathname of the PVC class. Dynamic and static routes are listed in separate tables. Routing ID numbers are chosen automatically by PacketWise, and are used to link a destination address with the PVC class to which it belongs.

This command gives the same output as the frame route show command.


frame show

Display Frame Relay Access Device (FRAD) information. Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

frame show [<frad>]

Specify a <frad> by IP address or DNS name; or omit the parameter to display all configured FRADs.

Example:

FRAD Address:  SysName:  Traffic Discovery:  Auto Routing:
10.12.27.2     frad1     on                  on

Interface
Name(Number)  Act  DLCI  CIR  EIR   Partitions
---------------------------------------------------------------------------
Se1(3)        +    100   0    1.5M  /Inbound/frad1-Se1/PVC_100
                                    /Outbound/frad1-Se1/PVC_100
Se1(3)        +    200   0    1.5M  /Inbound/frad1-Se1/PVC_200
                                    /Outbound/frad1-Se1/PVC_200

The output shows the FRAD's interface name and hardware port number, interface status ('+' in the Act column indicates active), the DLCI, the CIR and EIR values for the PVC, and the partition names.


frame statistics

Display statistics for the frame relay PVCs and associated partitions. Note: This command is not available on PacketShaper ISP or PacketShaper 900 Lite models.

frame statistics

The displayed rates include:

Actual Measured at the FRAD serial interface

Part Measured at the PacketWise partition

Target Maximum possible rate for the partition when shaping is turned on, taking into account Forward/Backward Explicit Congestion Notification (FECN/BECN) counts and traffic on the PVC that bypasses the unit

All displayed rates are one-minute moving averages. The percentage values indicate the one-minute average percentage of frames with FECN or BECN bits set.


ftp

Start a client FTP session on a PacketShaper unit.

ftp <ipaddress>


ftpget

Use File Transfer Protocol (FTP) to copy a file from an FTP server to a PacketShaper. The file is automatically copied in binary mode.

ftpget [<user>[:<password>]@]<host> <srcfile> <destfile>

[<user>[:<password>]@]<host> <user> is the user name to be used when FTP logs into the <host> (the IP address or DNS name of the FTP server). If <password> is omitted, the password is transmitted empty or blank. The default user name and password if both items are omitted are user=anonymous and [email protected].

<srcfile> Name of the file to be retrieved; specify a path if the file is not in the server's default directory

<destfile> Name of the new file to be created on the PacketShaper. The filename must have an 8.3 format.

Notes:

The full path must be specified even if the file is in the unit's root directory. For example, if 9.256/test.cmd is specified for the <destfile>, the <srcfile> will be copied to the root directory of the system disk (9.256/) and will be named test.cmd. For more information about the drives and directories on the PacketShaper, see PacketShaper Directories.

If <destfile> is not in 8.3 filename format, the FTP client will hang.

For example:

ftpget [email protected] test.cmd 9.256/test.cmd

If you want to transfer files on a regular basis, you can use the schedule command with the ftpget and ftpput commands to create a command file. See schedule new.


ftpput

Use File Transfer Protocol (FTP) to copy a file from the PacketShaper to an FTP server. The file is automatically copied in binary mode. This command is useful for transmitting PacketWise logs and diagnostic files to another machine.

ftpput [<user>[:<password>]@]<host> <srcfile> <destfile>

[<user>[:<password>]@]<host> <user> is the user name to be used when FTP logs into the <host> (the IP address or DNS name of the FTP server). If <password> is omitted, the password is transmitted empty or blank. The default user name and password if both items are omitted are user=anonymous and [email protected].

<srcfile> Name of the file to be retrieved from the PacketShaper. Note: The full path must be specified even if the file is in the unit's root directory. For example, if 9.256/test.cmd is specified for the <srcfile>, the test.cmd file in the root directory of the system disk (9.256/) will be copied. For more information about the drives and directories on the PacketShaper, see PacketShaper Directories.

<destfile> Name of the new file to be created; specify a path if you don't want to create the file in the server's default directory

For example:

ftpput [email protected] 9.258/log/events events


head

Display the first few lines of a file.

head [-<number>] <filename>

The <number> refers to how many lines are displayed; the default is 10 lines. For example, this displays the first 10 lines of the file myfile.cmd:

head myfile.cmd

This displays the first 20 lines of the file myfile.cmd:

head -20 myfile.cmd


help

List available commands. Specify a command to view its syntax and usage details.

help [<command>]


highav add

Define an access router for the access-link monitoring (high availability) feature. This feature allows PacketShaper to deal with imperfect load-balancing and has the ability to respond to the occurrence of WAN link failure. When high availability is enabled, PacketWise can adjust partitions appropriately to prevent overloading any given WAN link and to account for lost available capacity due to router or link failure. High availability has two modes: basic and advanced.

highav add <address> <community>

where

<address> IP address of the router

<community> SNMP community string (password) for the router

Example:

highav add 10.10.10.10 pAss4WoRD


highav community

Change the community string of a high availability router. Use this command when the community string changes after you have already defined the router with the highav add command.

highav community <address/sysname> <community>

where

<address/sysname> The router's IP address or system name

<community> New SNMP community string (password) for the router


highav delete

Remove an existing router from the high availability configuration.

highav delete <address/sysname>


highav disable

Disable link monitoring (basic mode) as well as link overload protection (advanced mode, if enabled).

highav disable


highav enable advanced

Enable two high availability features: link monitoring/resizing (as in basic mode) and link overload protection. With the link monitoring/resizing feature, the PacketShaper polls the configured router(s) every 30 seconds to assess the status (link up or link down) of the WAN link interfaces. If a link goes down, PacketWise will automatically adjust the total available capacity by subtracting out the capacity of the down link. With link overload protection, PacketWise can help prevent the overloading of an interface. PacketWise will use SNMP polling to access the actual throughput of each configured WAN link interface. If an interface approaches its configured capacity, PacketWise will pace the traffic sent through that interface to prevent overloading the link and reduce the number of retransmissions. This is accomplished by adjusting the size of the Inbound and Outbound partitions.

highav enable advanced

To turn off the advanced mode of high availability, use the highav disable command.


highav enable basic

Enable the link monitoring/resizing high availability feature. When this feature is enabled, PacketWise polls the configured router(s) every 30 seconds to assess the status (link up or link down) of the WAN link interfaces. If a link goes down, PacketWise will automatically adjust the total available capacity by subtracting out the capacity of the down link.

highav enable basic

Suppose you have two routers, A and B. Router A has two 200K interfaces and Router B has one 100K interface. The total available capacity is 500K (unless you have set up an override; see highav override). Now suppose one of Router A's 200K links goes down. With basic high availability enabled, PacketWise will not only detect the down link, it will also automatically reduce the total available capacity by the capacity of the down link (500K minus 200K = 300K).

To turn off the basic mode of high availability, use highav disable.


highav interface add

Define the WAN link interface used on a previously-defined access router.

highav interface add <address> <interface number/name> <inbound-bps> <outbound-bps>

where

<address> The router's IP address or sysname

<interface number/name> The name (ifname) or index number (ifindex) that identifies the interface. Examples of interface names are ethernet 3/1 and serial 0/1.

It is recommended that you identify the interface by name, not index, because ifnames are unique and persistent while index numbers can change dynamically. If you are using Cisco IOS v12.1 or above and have configured the router to make the ifindex persistent, you can safely identify the interface by index number. Note that ifname was not available in Cisco IOS before v11.1.

See: Instructions for finding the ifName and ifIndex values for Cisco router interfaces

<inbound-bps> Maximum inbound throughput that is expected to pass through the interface. Rates may be specified as integer bits per second, followed by a "k" (thousands), "M" (millions), or "G" (billions).

<outbound-bps> Maximum outbound throughput that is expected to pass through the interface

Adding an interface will increase the router's available bandwidth unless you have set override values. The lowest value (override versus sum of interfaces) takes precedence. For example, suppose a router has two 400K interfaces and you have set an override of 600K. If you add another 200K interface, the override will take precedence (in other words, the router's available bandwidth will still be 600K). Make sure that you adjust your override after adding a new interface.


highav interface delete

Delete a previously-defined interface from the high availability configuration.

highav interface delete <address> <interface number/name>

where

<address> The router's IP address or sysname

<interface number/name> The name or SNMP index number of the interface you want to remove

Deleting an interface may reduce the router's available bandwidth, depending on the override value. For example, suppose a router has two 400K interfaces and you have set an override of 600K. If you then delete an interface, the router's available bandwidth would be reduced to 400K; the override would be ignored since it's greater than the sum of the router's interfaces.


highav interface modify

Modify the settings for a previously-defined WAN link interface.

highav interface modify <address> <interface number/name> <inbound-bps> <outbound-bps>

where

<address> The router's IP address or sysname

<interface number/name> The name or SNMP index number of the interface whose settings you want to modify

<inbound-bps> Maximum inbound throughput that is expected to pass through the interface. Rates may be specified as integer bits per second, followed by a "k" (thousands), "M" (millions), or "G" (billions).

<outbound-bps> Maximum outbound throughput that is expected to pass through the interface


highav override

Configure the inbound and outbound speed of the router. When an override is set, PacketWise uses this speed for calculating the WAN link capacity for the router, as opposed to using the sum of the interfaces.

highav override <address> {<inbound-bps> <outbound-bps>} | none

where

<address> The router's IP address or sysname

<inbound-bps> <outbound-bps> | none Maximum inbound and outbound throughput that is expected to pass through the router. Rates may be specified as integer bits per second, followed by a "k" (thousands), "M" (millions), or "G" (billions). To remove the override, use none.

This optional approach might be used in a situation with multiple WAN access line interfaces on a router. If you don't expect to get perfect load balancing between the interfaces, you can configure a smaller value for the router than for the sum of the interfaces. If both interfaces are up, PacketWise would use the override value for the router when calculating the WAN access line capacity available for the router. If one of the interfaces goes down, PacketWise would use the capacity configured for the active interface (the values configured with the highav interface add command).
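The capacity arithmetic behind highav enable basic, highav interface add/delete and highav override, worked through as an added example (not PacketGuide code); it assumes the rule the prose states, that each router contributes the lower of its override and the sum of its active interfaces, and that interface names and addresses are constructed.

```python
"""Added example, not from the PacketGuide: computes the Total Available
Capacity that the highav commands manage, from routers, their WAN
interfaces, link status and optional overrides.

Assumption (the page states the rule only in prose): a router contributes
min(override, sum of its active interfaces) in each direction, which gives
"the lowest value (override versus sum of interfaces) takes precedence" and
the subtraction of a down link's capacity. Router names are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

_SUFFIX = {"k": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_bps(text: str) -> int:
    """Parse a rate as highav accepts it: integer bits per second, optionally
    followed by k (thousands), M (millions), or G (billions)."""
    text = text.strip()
    if text and text[-1] in _SUFFIX:
        return int(float(text[:-1]) * _SUFFIX[text[-1]])
    return int(text)


@dataclass
class Interface:
    """One `highav interface add <address> <name> <inbound-bps> <outbound-bps>`."""
    name: str
    inbound: int
    outbound: int
    active: bool = True        # '+' in highav show output; False for '-'


@dataclass
class Router:
    """One `highav add` router, with optional `highav override` values."""
    address: str
    interfaces: List[Interface] = field(default_factory=list)
    override: Optional[Tuple[int, int]] = None   # (inbound, outbound) or none

    def capacity(self) -> Tuple[int, int]:
        # Down interfaces are subtracted out; an override caps the result.
        inb = sum(i.inbound for i in self.interfaces if i.active)
        outb = sum(i.outbound for i in self.interfaces if i.active)
        if self.override is not None:
            inb, outb = min(inb, self.override[0]), min(outb, self.override[1])
        return inb, outb


def total_available(routers: List[Router]) -> Tuple[int, int]:
    """Total Available Capacity (inbound, outbound): sum of router capacities."""
    caps = [r.capacity() for r in routers]
    return sum(c[0] for c in caps), sum(c[1] for c in caps)


def basic_mode_example() -> Tuple[int, int]:
    """The highav enable basic scenario: Router A has two 200K interfaces,
    Router B one 100K interface; then one of A's links goes down.
    Returns inbound totals (before, after) in bps."""
    a = Router("A", [Interface("serial 0/1", parse_bps("200k"), parse_bps("200k")),
                     Interface("serial 0/2", parse_bps("200k"), parse_bps("200k"))])
    b = Router("B", [Interface("serial 0/1", parse_bps("100k"), parse_bps("100k"))])
    before = total_available([a, b])[0]
    a.interfaces[0].active = False            # link down: subtract 200K
    return before, total_available([a, b])[0]


def override_example() -> Tuple[int, int, int]:
    """The interface add/delete scenarios: two 400K interfaces under a 600K
    override, then a 200K interface added, then back to one 400K interface.
    Returns the router's inbound capacity at each step."""
    r = Router("C", [Interface("ethernet 3/1", 400_000, 400_000),
                     Interface("ethernet 3/2", 400_000, 400_000)],
               override=(600_000, 600_000))
    step1 = r.capacity()[0]                   # 800K capped to 600K
    r.interfaces.append(Interface("ethernet 3/3", 200_000, 200_000))
    step2 = r.capacity()[0]                   # 1000K still capped to 600K
    r.interfaces.pop()                        # remove the 200K interface again
    r.interfaces.pop()                        # delete one 400K interface
    step3 = r.capacity()[0]                   # 400K < 600K, override ignored
    return step1, step2, step3


def show_example() -> Tuple[int, int]:
    """The configuration in this page's highav show output: 192.168.176.5 with
    one 200k interface and no override; router1 with two 200k interfaces and a
    300k override. Expected: Total Available Capacity In 500k Out 500k."""
    r5 = Router("192.168.176.5", [Interface("ET0(1)", 200_000, 200_000)])
    r1 = Router("192.168.176.2", [Interface("ET0(1)", 200_000, 200_000),
                                  Interface("ET2(3)", 200_000, 200_000)],
                override=(parse_bps("300k"), parse_bps("300k")))
    return total_available([r5, r1])
```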


highav show

Show current high availability configuration and status. The output indicates the overall high availability capacity as well as the settings of each interface and router.

highav show

High Availability: Mode = Basic
Access Set: In 500k Out 500k
Total Available Capacity: In 500k Out 500k

Router Address: 192.168.176.5            Active: yes
SysName: testnetrouter.bluecoat.com      Override Capacity: No Override Set
  Interface: + ET0(1) speed: 10.0M
    Interface Capacity: In 200k Out 200k

Router Address: 192.168.176.2            Active: yes
SysName: router1                         Override Capacity: In 300k Out 300k
  Interface: + ET0(1) speed: 10.0M
    Interface Capacity: In 200k Out 200k
  Interface: + ET2(3) speed: 1.5M
    Interface Capacity: In 200k Out 200k

The table below describes the output.

High Availability The current high availability mode (basic, advanced, or disabled)

Access Set Inbound and Outbound access link speed. In basic mode, these values are the same as Total Available Capacity. With link overload protection (a feature of advanced mode), these values are based on actual throughput observed through SNMP polling. More detailed information about observed minimum values is also listed.

Total Available Capacity The total bps available based on the values configured for the interfaces and routers. It is the sum of the routers' capacities. A router's capacity is determined by the values set with the highav override command or by summing all the interfaces' capacities (if no override has been set). When high availability is enabled and a link becomes inactive, the Total Available Capacity will reflect this reduction of available bandwidth (that is, the inactive link's capacity will be subtracted out, assuming it is less than the override value).

Router The router's IP address and sysname that were configured with the highav add command, the router status (active vs. inactive), and the override capacity (if one was set with the highav override command).

Interface Interface name, SNMP index number, and the inbound and outbound capacities that were configured with the highav interface add command. If you see "Unknown" for the interface name, your router's OS may not support the ifname variable. For example, ifname was not available in Cisco IOS before v11.1. A "+" indicates the interface is active; a "-" indicates the interface is inactive. If advanced mode is enabled, the actual bps throughput (based on SNMP polling) is listed.


history
The history command displays the last 20 commands entered into the command line interface; each command is prefixed by a number. Any command on the history list can be executed with the !<n> command, where <n> is the number next to the command on the history list.

history

For example:

history

31: setup show
32: help me dump
33: help class rule
34: help setup secure
35: traffic flow -tuO
36: traffic flow -tIPc /inbound/default
37: setup shaping on
38: setup discovery on
39: traffic tree
40: link show
41: class show /inbound/default
42: traffic bandwidth /inbound
43: help class new
44: hostdb show
45: sys info
46: traffic bandwidth
47: cat 9.256/log/bootlog
48: ls 9.258/diag
49: setup shaping off
50: setup discovery off

Typing !40 would repeat the link show command.


hl add
Add entries to an existing host list. When specifying multiple names and/or addresses, separate each with a space.

hl add <hostlist> <host> [<host> ...]

where <hostlist> is an existing host list name, and <host> can be specified in any of the following ways:

Type of <host>                                              Example
Host IP address                                             192.168.1.10
Range of IP addresses. Use a dash, with no spaces,          192.168.1.100-192.168.1.200
between the low and high address in the range.
Subnet address. The CIDR number specifies the number        192.168.10.0/24
of constant bits in the address range.
Range of subnet addresses. The CIDR number specifies        192.168.10.0-192.168.20.0/24
the number of constant bits in the address range. Use a
dash between the low and high address in the range;
spaces are not allowed before or after the dash or slash.
DNS name. Do not use domain names if you will be using      www.yourcompany.com
the host list with the host sidedness feature.

Example:

hl add competitors yourcompany.com 192.168.1.100-192.168.1.200


hl delete
Remove one or more items from an existing host list.

hl delete <hostlist> <host> [<host> ...]

where <hostlist> is an existing host list name, and <host> can be specified in any of the following ways:

Type of <host>                                              Example
Host IP address                                             192.168.1.10
Range of IP addresses. Use a dash, with no spaces,          192.168.1.100-192.168.1.200
between the low and high address in the range.
Subnet address. The CIDR number specifies the number        192.168.10.0/24
of constant bits in the address range.
Range of subnet addresses. The CIDR number specifies        192.168.10.0-192.168.20.0/24
the number of constant bits in the address range. Use a
dash between the low and high address in the range;
spaces are not allowed before or after the dash or slash.
DNS name                                                    www.yourcompany.com

Note: You can only remove hosts the way they were originally added to the host list. For instance, suppose you add a host to the host list by specifying a single IP address. The only way to remove the host is by specifying that single address. You cannot remove this host by entering a range of addresses, a subnet, or a range of subnet addresses.


hl new
Create a host list by defining a unique name and specifying the DNS names, IP addresses, and/or subnets that should be included in the list. You can combine names and addresses in the same list. When specifying multiple names and/or addresses, separate each with a space.

hl new <hostlist> [<host> [<host> ...]]

where <hostlist> is a descriptive name, up to 127 characters; the slash (/) and backslash (\) characters may not be used.

The <host> can be specified in any of the following ways:

Type of <host>                                              Example
Host IP address                                             192.168.1.10
Range of IP addresses. Use a dash, with no spaces,          192.168.1.100-192.168.1.200
between the low and high address in the range.
Subnet address. The CIDR number specifies the number        192.168.10.0/24
of constant bits in the address range.
Range of subnet addresses. The CIDR number specifies        192.168.10.0-192.168.20.0/24
the number of constant bits in the address range. Use a
dash between the low and high address in the range;
spaces are not allowed before or after the dash or slash.
DNS name. Do not use domain names if you will be using      www.yourcompany.com
the host list with the host sidedness feature.

Host lists are useful when creating classes based on hosts, defining hosts and partners that can use compression, assigning hosts to sides, retrieving host accounting data, and defining exception lists for adaptive response host agents.

The hl new command accepts any addresses and/or names that are syntactically correct. It does not validate the existence of the entries.

To add entries to the host list after it's created, use the hl add command.

Examples:

hl new BigGifs www.yourcompany.com 192.168.0.116

hl new insidelist
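The entry syntax shared by hl new, hl add and hl delete (single host, dashed range, CIDR subnet, dashed range of subnets, DNS name, no spaces around the dash or slash) and the hl delete rule that an entry can only be removed in the form it was added are easy to get wrong when host lists are generated by scripts. The following parser and in-memory host list model those rules so a list can be validated and checked for membership before it is pushed to a unit. It is an added example written for this page, not PacketWise code: the Entry and HostList names, the hostname regex, and the sample entries are this example's own, and DNS names are accepted syntactically but not resolved (the unit does that itself; see hl resolve).

```python
"""Host-list entry parser modelled on the hl new / hl add / hl delete syntax.
Added example, not PacketWise code: names and sample entries are this example's own."""
import ipaddress
import re
from dataclasses import dataclass

# RFC 1123-style hostname syntax. Like hl new, this checks syntax only and
# does not verify that the name exists or resolves.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


@dataclass(frozen=True)
class Entry:
    kind: str        # host, range, subnet, subnet-range or dns
    text: str        # token exactly as typed; hl delete matches on this form
    networks: tuple  # ipaddress networks covering the entry (empty for dns)


def _ip_or_none(s):
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def _span(low, high):
    """Networks covering low..high inclusive; rejects reversed or mixed-family ranges."""
    if low.version != high.version or low > high:
        raise ValueError(f"bad address range {low}-{high}")
    return tuple(ipaddress.summarize_address_range(low, high))


def parse_entry(token: str) -> Entry:
    # The manual forbids spaces around '-' and '/': a token is what sits between
    # spaces on the command line, so any whitespace inside it is a syntax error.
    if not token or any(c.isspace() for c in token):
        raise ValueError(f"bad host entry: {token!r}")
    if _ip_or_none(token) is not None:                    # 192.168.1.10
        return Entry("host", token, (ipaddress.ip_network(token),))
    if "/" in token:
        addr_part, _, cidr = token.rpartition("/")
        if not cidr.isdigit():
            raise ValueError(f"bad CIDR suffix in {token!r}")
        if "-" in addr_part:                              # 192.168.10.0-192.168.20.0/24
            low, _, high = addr_part.partition("-")
            lo, hi = _ip_or_none(low), _ip_or_none(high)
            if lo is None or hi is None:
                raise ValueError(f"bad subnet range {token!r}")
            first = ipaddress.ip_network(f"{lo}/{cidr}", strict=False).network_address
            last = ipaddress.ip_network(f"{hi}/{cidr}", strict=False).broadcast_address
            return Entry("subnet-range", token, _span(first, last))
        return Entry("subnet", token, (ipaddress.ip_network(token, strict=False),))
    if "-" in token:
        low, _, high = token.partition("-")
        lo, hi = _ip_or_none(low), _ip_or_none(high)
        if lo is not None and hi is not None:             # 192.168.1.100-192.168.1.200
            return Entry("range", token, _span(lo, hi))
        # otherwise this may be a hyphenated DNS name such as my-host.example
    if _HOSTNAME_RE.match(token):                         # www.yourcompany.com
        return Entry("dns", token, ())
    raise ValueError(f"bad host entry: {token!r}")


class HostList:
    """In-memory model of one host list with hl new / hl add / hl delete semantics."""

    def __init__(self, name: str, *tokens: str):
        # hl new: up to 127 characters, no slash or backslash in the name
        if not name or len(name) > 127 or "/" in name or "\\" in name:
            raise ValueError(f"bad host list name: {name!r}")
        self.name = name
        self.entries = {}      # text -> Entry, in the order added
        self.add(*tokens)

    def add(self, *tokens: str) -> None:
        for token in tokens:
            entry = parse_entry(token)
            self.entries[entry.text] = entry

    def delete(self, *tokens: str) -> None:
        # hl delete rule: an entry is removed only in the form it was added; a range
        # that merely overlaps an existing entry is refused rather than split.
        for token in tokens:
            parse_entry(token)                            # still reject bad syntax
            if token not in self.entries:
                raise ValueError(f"{token!r} was not added to {self.name} in that form")
            del self.entries[token]

    def kinds(self) -> dict:
        return {text: entry.kind for text, entry in self.entries.items()}

    def contains(self, addr: str) -> bool:
        """True if addr falls inside any address-based entry (DNS names are not resolved here)."""
        a = ipaddress.ip_address(addr)
        return any(a in net for e in self.entries.values() for net in e.networks)


if __name__ == "__main__":
    # Constructed entries mirroring the hl add example above.
    hl = HostList("competitors", "yourcompany.com", "192.168.1.100-192.168.1.200")
    hl.add("192.168.10.0-192.168.20.0/24")
    print(hl.kinds(), hl.contains("192.168.15.7"))
```

A range of subnets is expanded from the network address of the low subnet to the broadcast address of the high subnet, so 192.168.10.0-192.168.20.0/24 covers 192.168.10.0 through 192.168.20.255 and nothing beyond.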


hl override
For PolicyCenter / Units in shared mode only

Override an inherited host list by creating a local copy of the list.

hl override <list-name>

You must make a local copy of an inherited host list before you can change the host list on the child configuration.


hl refresh
Update the host lists with the latest data from the DNS server.

hl refresh


hl resolve
Display the addresses that are mapped to a particular host list name.

hl resolve <hostlist>

Example:

hl resolve BigGifs

ldap:///biggifs,ou=hostlists,ou=m10-pat,ou=pscfg,o=bluecoat.com: 198.3.99.199, 192.168.0.116, 204.71.177.35


hl rm
Remove a host list from the directory configuration.

hl rm <hostlist>

Host lists cannot be removed if they are currently being used (for example, in a class matching rule, in a compression host orpartner list, or a host side list).


hl show
Display a list of all defined host lists or show the details of a specific host list.

hl show [<list_name>]

To show all host lists and all host values:

hl show *

Host values are listed alphabetically or by top-level domain order.


host accounting categories
Create the names of categories to be used in the host accounting feature. For example, an ISP can create categories such as "premium," "standard," or "free," and then assign traffic classes to the appropriate category. This would allow the service provider to charge different rates for premium and standard traffic and discount traffic to free services (such as the ISP support computers). Note: This command is not available on the PacketShaper 900 Lite models.

host accounting categories none|<category> [<category> ...]

You must create all your categories at once, separating each name with a space. The total string of category names must be 200 characters or less. Forty-four is the maximum number of categories you can create, assuming sufficient resources on your PacketShaper.

Note that you cannot issue this command while the measurement engine is in the process of starting or resetting.

After creating categories, use the class category command to assign traffic classes to the categories.

You cannot selectively add or delete categories. If you later want to modify your category list, you must use the host accounting categories command and specify the complete list of categories you want to have. You will then need to reset the unit to create the new categories in the measurement database. Note that the host accounting measurement data will be cleared when you create categories, so make sure you retrieve your measurement data before adding categories.

Each category name is actually the name of a measurement variable. If you give the measure show host accounting command, you will see the host accounting categories listed as variables.

To remove all categories, use:

host accounting categories none


host accounting enable
Enable or disable recording of per-host accounting data in the measurement engine database. The host accounting feature allows you to store and retrieve measurement data per IP address, without having to create a traffic class for each user. This feature is especially useful with dynamic partitions, which create subpartitions for each IP address or subnet. You can use host accounting to see total bytes sent and received per IP address. Note: This command is not available on the PacketShaper 900 Lite models.

host accounting enable <mode> [<interval-minutes> [<max-samples>]]

<mode>

Specify the host location for which you want to record data:

inside record data for inside hosts

outside record data for outside hosts

both record data for inside and outside hosts

none turn off host accounting

<interval-minutes>

Number of minutes between each recorded sample (the default is 10, the minimum is 1, and the maximum is 1440 minutes)

<max-samples>

Maximum number of samples that can be stored in the host database (default is 1,000,000). This value needs to be greater than the concurrent host limit on your unit (this limit varies by model). <max-samples> may require some experimentation. Try a large number (such as 3,000,000) and see if the unit stores host data for a sufficient length of time. If it stores only three weeks of data (and you need it to store a month's worth), you'll need to increase the <max-samples> value. Bear in mind that the larger the number of samples you store, the more disk space you'll need.

Note that you cannot issue this command while the measurement engine is in the process of starting or resetting.

The building of the host accounting measurement data file can take a while; the more categories and samples you have, the longer it takes to build the file. While the file is building, you will not be able to issue any commands in the current remote login session. If you open another session while you're waiting, you can issue any command except for the measure show command.

Note that any pre-existing host accounting data will be cleared when the data file is built, so make sure you retrieve your measurement data before enabling host accounting (see measure dump).

After you enable host accounting, host accounting measurement data will not begin recording again until the next full interval. For example, assume <interval-minutes> is 2 and you reset the unit. When you give the measure show command, the message indicates "Measurement engine is waiting until 15:03 to start." At 15:03 all other measurement groups will begin recording, but host accounting will not begin recording until 15:04 (the next interval).

To disable recording, use:

host accounting enable none


host accounting retrieve
Retrieve host accounting data. You can display the data on the screen or save it into a comma separated value (.CSV) file. You can select hosts by IP address, CIDR subnet, or membership in a host list. Note: This command is not available on the PacketShaper 900 Lite models.

host accounting retrieve [dns] <ip-addr>|<subnet>/<cidr>|<hostlist>|all from <start-date-time> to <end-date-time> [into <file>|to <file>]

[dns] Specify dns to include DNS names, when available, in the output (instead of IP addresses)

<ip-addr>

<subnet>/<cidr>

<hostlist>

all

Designate the hosts you want to retrieve data for, using one of thefollowing specifications:

<ip-addr> — host IP address

<subnet>/<cidr> — the name of the subnet; the CIDR number specifiesthe number of constant bits in the address range

<hostlist> — the name of a host list file

all — all entries in the time range

from <start-date-time>

to <end-date-time>

Specify the starting and ending date and/or time to retrieve data for. The <start-date-time> and <end-date-time> are required parameters: you must specify a date, a time, or the date and time. If a time is omitted, midnight is assumed; if a date is omitted, today's date is assumed. Dates and times can be entered in the following formats:

M/D (for example, 5/3 is midnight of May 3)

M/D HH:MM (for example, 5/3 13:15 is 1:15pm on May 3)

HH:MM (for example, 9:00 is 9am today)

You can also specify a relative date, for example -7 for 7 days ago.

Note: If the end date is after today's date, PacketWise assumes the date you meant was last year's date. If the end date is before the current date and after the start date, PacketWise will display the requested data (if any exists).

into <file> | to <file>

The into literal dumps the records to the file named <file>. If <file> already exists, the records are appended to the existing file.

The to literal also dumps the records to the file named <file>, but it overwrites the contents of <file> if it already exists.

If no path is specified, the file is stored in the current directory (the system disk, by default). To make sure you have enough disk space, you may want to specify a directory on a data disk (9.258/ or 9.1026/).

If into <file> or to <file> is omitted, the records appear on the screen.

The output contains, for each specified host, a comma-separated-values list of the total bytes recorded over the time period as well as the total for each category.

host accounting retrieve dns all from 14:12 to 14:14

# 26-Jul-2001 14:12:00 to 26-Jul-2001 14:14:00
"host","bytes","web","overhead"
"r2.us.rmi.yahoo.com",9085,9085,0
"ck101.rmi.yahoo.com",377,377,0
"store.yahoo.com",1684,1684,0
...
"10.7.6.62",42,0,0
"pal.ads.vip.sc5.yahoo.com",1289,1289,0

Or, to see the total usage for the month of March for all of the hosts in a certain subnet:

host accounting retrieve 192.168.1.0/24 from 3/1 00:00 to 3/31 23:59

Note: You can also use the measure dump command to retrieve host accounting data.
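The date rules above (date-only means midnight, time-only means today, a relative day count, and an end date later than today being read as last year) decide which window the unit actually returns, and the CSV the command prints is what a billing or investigation script consumes. The following added example, written for this page and not part of PacketWise, turns both into code: parse_window applies the stated rules to a from/to pair with today's date passed in so the result is reproducible, and summarize_output ranks hosts by one category column. Treating a relative day such as -7 as midnight of that day is this example's assumption, as is the constructed SAMPLE_OUTPUT in the format shown above.

```python
"""Window parser and output summarizer for host accounting retrieve.
Added example, not PacketWise code; see the lead-in for what is assumed."""
import csv
import io
import re
from datetime import date, datetime, timedelta

_MD = re.compile(r"^(\d{1,2})/(\d{1,2})$")                         # 5/3
_MD_HM = re.compile(r"^(\d{1,2})/(\d{1,2}) (\d{1,2}):(\d{2})$")    # 5/3 13:15
_HM = re.compile(r"^(\d{1,2}):(\d{2})$")                           # 9:00
_REL = re.compile(r"^-(\d+)$")                                     # -7


def parse_spec(spec: str, today: date, is_end: bool = False) -> datetime:
    """One <start-date-time> or <end-date-time> spec, resolved against today."""
    spec = spec.strip()
    if m := _REL.match(spec):
        d = today - timedelta(days=int(m.group(1)))
        return datetime(d.year, d.month, d.day)       # assumption: midnight, n days ago
    if m := _HM.match(spec):                          # time only: today's date
        return datetime(today.year, today.month, today.day, int(m.group(1)), int(m.group(2)))
    if m := _MD.match(spec):                          # date only: midnight
        month, day, hour, minute = int(m.group(1)), int(m.group(2)), 0, 0
    elif m := _MD_HM.match(spec):
        month, day, hour, minute = (int(g) for g in m.groups())
    else:
        raise ValueError(f"unrecognised date/time spec {spec!r}")
    year = today.year
    if is_end and date(year, month, day) > today:
        year -= 1     # manual: an end date after today is taken to mean last year's date
    return datetime(year, month, day, hour, minute)


def parse_window(start_spec: str, end_spec: str, today: date) -> tuple:
    """(start, end) for 'from <start> to <end>'; rejects a window that ends before it starts."""
    start = parse_spec(start_spec, today)
    end = parse_spec(end_spec, today, is_end=True)
    if end < start:
        raise ValueError(f"end {end} is before start {start}")
    return start, end


def summarize_output(text: str, category: str) -> list:
    """Per-host byte totals for one column of retrieve output, largest first."""
    rows = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith(("#", "..."))]
    reader = csv.DictReader(io.StringIO("\n".join(rows)))
    if category not in (reader.fieldnames or []):
        raise ValueError(f"no column {category!r} in output")
    totals = [(row["host"], int(row[category])) for row in reader]
    return sorted(totals, key=lambda hb: hb[1], reverse=True)


# Constructed sample in the format shown above; not real measurement data.
SAMPLE_OUTPUT = """\
# 26-Jul-2001 14:12:00 to 26-Jul-2001 14:14:00
"host","bytes","web","overhead"
"r2.us.rmi.yahoo.com",9085,9085,0
"ck101.rmi.yahoo.com",377,377,0
"store.yahoo.com",1684,1684,0
"10.7.6.62",42,0,0
"pal.ads.vip.sc5.yahoo.com",1289,1289,0
"""

if __name__ == "__main__":
    today = date(2013, 6, 15)     # fixed so the example is reproducible
    print(parse_window("3/1 00:00", "3/31 23:59", today))
    print(summarize_output(SAMPLE_OUTPUT, "web")[:3])
```

The last-year rule bites when the start date is not adjusted the same way: typed in June, from 11/1 to 12/31 resolves the end to the previous December but the start to the coming November, so the window is empty and parse_window rejects it; use relative day counts or dates that fall before today for such queries.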


host accounting show
List the recording parameters for host accounting that were set with the host accounting enable command. It also lists all the categories that were created with the host accounting categories command, along with the traffic classes assigned to each category (with the class category command). Note: This command is not available on the PacketShaper 900 Lite models.

host accounting show

Recording Mode: both
Sample Interval: 5 minutes
Allocated Samples: 1000000

Category   Traffic Class
---------------------------------------------------
web        /Inbound/http
           /Outbound/http
overhead   /Inbound/ICMP
           /Outbound/ICMP


hostdb cache
Display the current connections in the IP classification-accelerator cache, or list the class name and matching rule of a specific IP address in the cache. The caching feature stores qualified IP address-based classes in a cache, thereby increasing the speed at which PacketWise classifies flows on the inside of the unit. This feature is primarily used on PacketShaper ISP models. For more information about the accelerator cache, see the First Steps to Using the PacketShaper ISP.

hostdb cache [<ipaddress>]

If you don’t specify an IP address, the output lists the current connections in the host cache:

hostdb cache

IP Address    Direction  Class
-----------------------------------------------------------
10.7.38.100   inbound    mysite.org
10.7.38.100   outbound   mysite.org
10.7.6.81     outbound   default
10.7.39.12    outbound   default
10.7.6.12     outbound   default
10.7.40.1     outbound   default

The following example lists details about a specific IP address (10.7.38.100) in the cache. It indicates the class name and match rule that has been cached for a particular host.

hostdb cache 10.7.38.100

Traffic Class: /Inbound/10.7.38.0/CUSTOMER/mysite.org
Match rule used for this host, 10.7.38.100:
  [1 ] inside host 10.7.38.100 any port IP outside any host any port
Traffic Class: /Outbound/10.7.38.0/CUSTOMER/mysite.org
Match rule used for this host, 10.7.38.100:
  [1 ] inside host 10.7.38.100 any port IP outside any host any port


hostdb info
Display the host IPv4 or IPv6 address, user name, average and current connections, current guaranteed and excess bandwidth, and throughput information. Hostdb info shows more detailed rate information than the hostdb show command.

The host database is a record of all hosts that have active connections through the unit. Once a host closes its connection,the host will be purged from the database. In addition, the unit will clear host entries if they aren't active for approximatelyten minutes. Thus, the hostdb is a real-time list of hosts.

hostdb info [<sort-switch>] [<number-switch>] [<switch>|all] [<user-switch>] [<host_addr>|<host_name> [<mask>]]

[<sort-switch>] Specify one of the following switches:

-sf or sortfpm (sort hosts by flows per minute in descending order)
-sp or sortfail (sort hosts by rate of failed new TCP connections)
-sr or sortrate (sort hosts by current rate in descending order)

Note: Because the host database changes even as the hostdb info command is executed, the returned list of hosts will not always display in descending order.

[<number-switch>] Specify the number of hosts to display:

-n <number>

[<switch>|all] Specify one of the following switches:

-a or active (currently connected hosts only)
-o or outside (hosts outside the unit)
-i or inside (hosts inside the unit)
-u or unknown

Note: The active switch can be used in conjunction with the other switches.

Or, use all to show information for all hosts in the database.

When you omit the <switch>|all parameter, the command displays hosts that haveaccessed the unit within the last five minutes, but may not be currently connected.

[<user-switch>] Specify a user name to display hosts for:

-user <user_name>

If the user name contains spaces, it must be enclosed in quotes. Specifying thedomain name is optional.

[<host_addr>|<host_name>] Specify either a host's IP address or name.

[<mask>] The host's subnet mask

The following example shows information for all the hosts in the database:

hostdb info

IP Address        Conn  RTT    Cur    1 Min  Peak   --- New Flows Per Minute ---  User
                        to PS  rate   avg    rate   Client  Server  Failed
------------------------------------------------------------------------------------------
11.1.2.121 I      53    908ms  187k   113k   221k   439     0       0       cal\jsmith
11.1.2.122 I      52    912ms  122k   108k   212k   422     0       0       cal\mjohnson
11.1.2.123 I      54    910ms  133k   106k   216k   416     0       0       cal\speters
11.1.2.124 I      51    907ms  169k   110k   218k   439     0       0       cal\bturnbull
11.1.2.125 I      51    911ms  128k   109k   214k   428     0       0       cal\panderson
11.1.2.126 I      54    907ms  178k   114k   218k   439     0       0       cal\rcilk
11.1.2.127 I      52    907ms  169k   110k   218k   439     0       0       cal\dgiordano
11.1.2.128 I      54    907ms  184k   114k   218k   439     0       0       cal\jgrell
11.1.2.129 I      50    908ms  179k   114k   219k   439     0       0       cal\egiovanetti

The displayed information includes:

IP Address Identifies the IPv4 or IPv6 host that is connected through the unit. This field is followed byeither an I or O, indicating the location of the host (Inside or Outside) relative to the unit.

Conn The number of connections

RTT to PS The round-trip time from the host to the PacketShaper

Cur rate The current rate for the host in Kbps

1 Min avg A one-minute moving average for the host's rate in Kbps

Peak rate The highest rate the host's connection has reached. This is the sum of the inbound and outbound traffic, relative to the host.

New Flows Per Minute Shows the rate of initiation of new flows from this host (as Client) and to this host (as Server). This rate can be limited via the policy flowlimit command. The Failed column shows the rate of new TCP connections per minute that the host initiated but failed, either because the host received an immediate RST response or received no response at all. IP addresses with many failed connections are good candidates for more scrutiny; they may be overloaded servers, clients initiating port scans, or systems involved as an initiator or recipient of attacks.

A "+" next to a host's New Flows Per Minute value indicates load shedding is occurring or has recently occurred. For example, if the Failed column for a host lists 105+, that host has flows that are being shed. For more information about load shedding, see setup loadshedding.

User User name associated with the IP address. Note that the user awareness feature requires that BCAAA be installed and configured.

Note: Since most web browsers open multiple simultaneous connections, a web policy set to 100 Kbps may actually allow, for example, 400 Kbps per PC if the browser is configured to allow four simultaneous connections. This impacts the peak flow numbers for a class.

The following example shows details about a specific host:

hostdb info 65.174.190.201

IP Address        Conn  RTT    Cur    1 Min  Peak   --- New Flows Per Minute ---  User
                        to PS  rate   avg    rate   Client  Server  Failed
------------------------------------------------------------------------------------------
65.174.190.201 O  2     34ms   296k   301k   913k   0       0       0

1 entries matching 65.174.190.201 255.255.255.255

In the output of the hostdb info command, some of the fields are not populated and list their values as 0. To see information about the recent throughput of known hosts, use the hostdb show command instead.

To display the top 5 bandwidth users:

hostdb info -sr -n 5

IP Address               Conn  RTT    Cur    1 Min  Peak   --- New Flows Per Minute ---  User
                               to PS  rate   avg    rate   Client  Server  Failed
------------------------------------------------------------------------------------------
65.174.190.201 O         2     30ms   298k   296k   773k   0       0       0
192.168.0.7 I            8     ---    297k   299k   773k   3       0       0
2001:db8:1234:5678::1 O  0     88ms   1326   3811   140k   0       0       0
192.168.0.175 I          1     ---    1047   779    51k    4       12      0
12.104.153.33 O          0     ---    11     45     63k    0       0       0

5 entries


To find an infected host on the network, you can display the top 10 hosts that have the most failed flows during the lastminute:

hostdb info -sp -n 10

To find a host that might be propagating a virus or worm, you can display the top 10 hosts with the most flows:

hostdb info -sf -n 10
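The two triage commands above rely on reading the Failed and Client columns by eye. When the host database is large, the table is better handled by a script that parses it and ranks hosts by the same signals the manual describes: a high rate of failed new TCP connections (scans, attacks, overloaded servers), a high rate of new flows as client (worm-like fan-out), and the "+" load-shedding marker. The following parser and ranking is an added example written for this page, not PacketWise code: HostInfo, parse_rate, parse_hostdb_info and flag_suspects are this example's own names, the thresholds are this example's choice, and the SAMPLE table is constructed in the output format shown above (the 10.7.6.62 row is an invented scanner, not captured data).

```python
"""Triage of hostdb info output. Added example, not PacketWise code; the SAMPLE
table is constructed and the thresholds are this example's own choice."""
import re
from dataclasses import dataclass

_RATE_RE = re.compile(r"^(\d+(?:\.\d+)?)([kKmM]?)$")
_SUFFIX = {"": 1, "k": 1_000, "m": 1_000_000}


@dataclass
class HostInfo:
    ip: str
    side: str        # I = inside the unit, O = outside
    conn: int
    rtt_ms: int      # -1 when the unit shows ---
    cur_bps: int
    avg_bps: int
    peak_bps: int
    client_fpm: int  # new flows per minute initiated by the host
    server_fpm: int  # new flows per minute to the host
    failed_fpm: int  # failed new TCP connections per minute
    shedding: bool   # '+' suffix on a flow count: load shedding occurring or recent
    user: str


def parse_rate(text: str) -> int:
    """'187k' -> 187000, '1.5M' -> 1500000, '1326' -> 1326."""
    m = _RATE_RE.match(text)
    if not m:
        raise ValueError(f"bad rate {text!r}")
    return int(float(m.group(1)) * _SUFFIX[m.group(2).lower()])


def _count(text: str):
    """Flow count with optional load-shedding '+' marker."""
    return int(text.rstrip("+")), text.endswith("+")


def parse_hostdb_info(text: str) -> list:
    hosts = []
    for line in text.splitlines():
        tok = line.split()
        # Data rows are '<ip> <I|O> <conn> <rtt> <cur> <avg> <peak> <client> <server> <failed> [user]';
        # the header, the rule line and the trailing 'N entries' line never match this shape.
        if len(tok) < 10 or tok[1] not in ("I", "O"):
            continue
        client, shed_c = _count(tok[7])
        server, shed_s = _count(tok[8])
        failed, shed_f = _count(tok[9])
        hosts.append(HostInfo(
            ip=tok[0], side=tok[1], conn=int(tok[2]),
            rtt_ms=-1 if tok[3] == "---" else int(tok[3].rstrip("ms")),
            cur_bps=parse_rate(tok[4]), avg_bps=parse_rate(tok[5]), peak_bps=parse_rate(tok[6]),
            client_fpm=client, server_fpm=server, failed_fpm=failed,
            shedding=shed_c or shed_s or shed_f,
            user=tok[10] if len(tok) > 10 else "",
        ))
    return hosts


def flag_suspects(hosts, failed_threshold=100, client_threshold=500) -> list:
    """(ip, reasons) for hosts worth a closer look, most failed connections first."""
    flagged = []
    for h in hosts:
        reasons = []
        if h.failed_fpm >= failed_threshold:
            reasons.append(f"{h.failed_fpm} failed new TCP connections/min (scan, attack or overloaded server)")
        if h.client_fpm >= client_threshold:
            reasons.append(f"{h.client_fpm} new flows/min as client (worm-like fan-out)")
        if h.shedding:
            reasons.append("load shedding active for this host")
        if reasons:
            flagged.append((h.ip, reasons))
    rank = {h.ip: (h.failed_fpm, h.client_fpm) for h in hosts}
    return sorted(flagged, key=lambda item: rank[item[0]], reverse=True)


# Constructed sample in the hostdb info format; 10.7.6.62 is an invented scanner.
SAMPLE = r"""
IP Address        Conn  RTT    Cur    1 Min  Peak   --- New Flows Per Minute ---  User
                        to PS  rate   avg    rate   Client  Server  Failed
------------------------------------------------------------------------------------------
11.1.2.121 I      53    908ms  187k   113k   221k   439     0       0       cal\jsmith
10.7.6.62 I       2     ---    12k    9k     40k    1310    0       1288+   cal\scanner
65.174.190.201 O  2     34ms   296k   301k   913k   0       0       0
2001:db8:1234:5678::1 O  0   88ms   1326   3811   140k   0       0       0
192.168.0.175 I   1     ---    1047   779    51k    4       12      0
5 entries
"""

if __name__ == "__main__":
    for ip, reasons in flag_suspects(parse_hostdb_info(SAMPLE)):
        print(ip, "; ".join(reasons))
```

Feed it the output of hostdb info -sp -n 10 (or the unsorted table); because the database changes while the command runs, ranking in the script rather than trusting the unit's sort order gives a stable list.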

Command Change History
Release   Modification
9.2.1     <user-switch> added; User column added to output
9.1.1     Support for IPv6 flows


hostdb rtostats
Display a list of hosts that have sent premature retransmission timeout (RTO) segments.

hostdb rtostats

On some server systems the TCP stack uses a short retransmission time interval, which causes premature RTO. This results in unnecessary packet retransmissions on low-speed links, which waste bandwidth.

PacketWise controls retransmission timeouts for inbound and outbound retransmissions by discarding premature RTO segments. If PacketWise detects a premature retransmission (retx), it delays that packet for an additional time period, based on measured host latency. If an acknowledgment is received before the retransmission is to be forwarded, the retransmission is discarded.

The hostdb rtostats command shows which hosts are experiencing premature RTO. The output also indicates how often PacketWise "clamped down" on RTO segments.

With this RTO clamping feature, needless retransmissions (shown as outClampedSegs and inClampedSegs in the hostdb rtostats output) are discarded. The term segment refers to a TCP datagram. RTO clamping works only when shaping is turned on.


hostdb show
Display the host IPv4 or IPv6 address, estimated access speed, number of speed changes, the number of TCP and UDP flows that a specified host has processed, the amount of time the host has been idle, the status of the match rule cache, and compression status.

hostdb show [<switch>|all] [main|lower|upper|left|right] [<host_addr>|<host_name> [<mask>]]

[<switch>|all] Specify one of the following switches:

-a or active (currently connected hosts only)
-o or outside (hosts outside the unit)
-i or inside (hosts inside the unit)
-u or unknown

When using the legacy compression feature, the following additional switches are available:

-d or decompressor (PacketShaper units that are decompressing)
initiator (hosts that are initiating legacy compression)
recipient (hosts that are legacy compression recipients)

Note: The active switch can be used in conjunction with the other switches.

Or, use all to show information for all hosts in the database.

When you omit the <switch>|all parameter, the command displays hosts that haveaccessed the unit within the last five minutes, but may not be currently connected.

[main|lower|upper|left|right] Type of PacketShaper interface to show hosts for:

main   built-in interface
upper  upper LEM
lower  lower LEM
right  right LEM
left   left LEM

[<host_addr> | <host_name>] Specify either a host's IP address or name.

[<mask>] The host's subnet mask

Note: No output will be displayed if both of the main LEM ports are disconnected and watch mode is enabled.

hostdb show

LEM "Main":

IP Address               Side  Speed/Effective  TCP/UDP  Time  I O  I R S NC
--------------------------------------------------------------------------------
1.2.3.4                  OUT   0/0              0/0      288s  ? ?  n n n n
1.255.255.255            N/A   0/0              0/0      288s  ? ?  n n n n
10.1.1.16                OUT   0/19             0/0      23s   ? ?  n n n n
10.1.1.20                OUT   0/25153          1/0      83s   ? ?  n n n n
10.1.1.27                OUT   0/510.7k         1/0      20s   ? ?  n n n n
10.1.1.45                OUT   0/876            2/0      234s  ? ?  n n n n
10.1.1.120               out   0/1              0/1      2s    ? ?  n n n n
10.100.99.32             OUT   0/170.3k         1/0      31s   ? ?  n n n n
172.21.0.20              OUT   0/394.2k         0/0      11s   ? ?  n n n n
172.21.0.84              out   0/21             0/0      202s  ? ?  n n n n
172.21.1.26              OUT   0/784            0/0      154s  ? ?  n n n n
2001:db8:1234:5678::2    IN    1.5M/1.5M        6/1      0s    ? ?  n n n n
2001:db8:1234:5678::1    in    0/0              0/0      30s   ? ?  n n n n

The displayed fields include:

IP Address   IPv4 and IPv6 addresses of hosts that have communicated through the PacketShaper


Side   Inside or Outside host. If N/A is displayed, the traffic seen from the host is broadcast or multicast.

Note: The capitalization (IN versus in and OUT versus out) indicates PacketShaper's level of confidence in the host's side. If a packet's source host is seen on the inside interface, there is high confidence the host is on the inside of the PacketShaper (IN, all caps). It is then assumed with low confidence that the packet's destination host is on the outside interface (out, lowercase). If the host is set to the wrong side, you can override this setting with the hostdb side set command. Having accurate host sidedness is important for Xpress compression.

Speed Estimated access speed of the connection in bits per second

Effective Effective rate

TCP/UDP Number of TCP connections or UDP sessions currently used by this host. If these fields contain zeroes, the hostis not currently communicating through the unit.

Idle Time Amount of time, in seconds, since a packet was received for/from the host

Cache   The status of the match rule cache:
I   entry has been cached for the Inbound direction
O   entry has been cached for the Outbound direction
?   currently unknown whether the entry for the corresponding direction is in the cache
N   entry cannot be cached for the corresponding direction

Compress Indicates the type of host, with respect to legacy compression.

Note: The compression information should be disregarded in enhanced tunnel mode.

A "y" in a column indicates:

I    the host is a legacy compression initiator (sending compressed data)
R    the host is a legacy compression recipient (receiving compressed data)
S    the host is a legacy compression PacketShaper
NC   no legacy compression tunnel to the host was created because the host was previously defined as a recipient and then became an initiator (or vice versa). In this indeterminate state, PacketWise will not set up a compression tunnel to this host. If you see a host with the NC flag enabled, you should reset the unit.

The following example shows details about a specific PacketShaper:

hostdb show 172.21.0.85

IP Address: 172.21.0.85 OUTSIDE
Time since last touched: 8194 secs
Current References: TCP 0 UDP 0
Speed: 0 Bps
Effective: 113k Bps
Compression Type: Shaper
Tunnel Savings: 88 Bpm
Tunnel Status: Compressing (Up: 6h 39m 14s, Idle: 0s)

Notes:

The Compression Type indicates the type of host: Shaper (PacketShaper), Initiator (a host that is sending compressed data), or Recipient (a host that is receiving compressed data). The Tunnel Savings is the bytes saved per minute due to compression. For descriptions of Tunnel Status and Compression Status messages, see setup compression show. The compression-related columns provide information about hosts using legacy compression only; the information should be disregarded when running enhanced mode (use the tunnel remote show or tunnel local show commands instead).

Command Change History
Release   Modification
9.1.1     Support for IPv6 flows

PacketGuide™ for PacketWise® 9.2


Page 206: PacketShaper® CLI Commands in Print - Symantec · CLI in Print is a printed version of all the commands, ... If the unit has already been configured for your network, you can connect

hostdb side auto

Enable automatic side detection. In this mode (the default), PacketWise automatically determines whether a host is inside or outside, relative to the PacketShaper. This is appropriate for many network topologies; however, for complex topologies, you can manually override the automatic host side detection and force the placement of certain hosts or subnets on the appropriate side (see hostdb side manual).

hostdb side auto

After you turn on automatic side detection, the current settings display. For example:

Mode: Automatic
Inside:
  Host list: none

Outside:
  Host list: none

See also:

hostdb side default


hostdb side default

Set host side detection to its default mode (auto mode). If the unit is subscribed to PolicyCenter, the default option tells PolicyCenter to delete the setting in the local configuration and inherit from the parent configuration.

hostdb side default

See also:

hostdb side auto

hostdb side manual


hostdb side manual

Enable manual side mode; this is necessary when PacketWise isn't able to automatically detect the correct side for certain hosts, such as when using Xpress in a direct standby configuration or with a load-balanced network. When this mode is enabled, you can force the placement of certain hosts on the appropriate side (inside or outside). This is done by using the hostdb side set command to assign hosts or host lists to the inside or outside. The side lists are not actually used until manual side mode is enabled.

hostdb side manual

After you turn on manual mode, the current settings display:

Mode: Manual
Inside:
  Host list: none
  192.21.18.175
  192.21.18.177
  192.21.18.178-192.21.18.180

Outside:
  Host list: none

For any host that isn’t assigned to a specific side when manual side mode is enabled, PacketWise will use its normal mechanism for determining and setting a side. In other words, the sides of all other hosts are detected automatically.

See also:

hostdb side default


hostdb side reset

Clear the side settings for a particular host or all hosts. The next time PacketWise sees a flow from that address it will again try to figure out whether the host is inside or outside. This might be necessary if a particular host is seen on the wrong side — you can add the host to the proper side list (inside or outside) and then reset the host so that PacketWise will rediscover the host and place it on the correct side. To see which side PacketWise considers a host to be on, use the hostdb show command.

hostdb side reset all|<ip-addr>

Example:

To clear the side setting for 224.0.1.3:

hostdb side reset 224.0.1.3

If you immediately issue the hostdb show command, you'll see that the entry in the Side column for this particular host has been cleared.

IP Address    Side  Speed/Effective  TCP/UDP  Idle Time  Cache  Compress
                                                         I O    I R S NC
-------------------------------------------------------------------------
10.10.1.52    in    10.0M/4.5M       3/0      50s        ? ?    n y n n
10.1.1.81     out   0/44756          1/0      0s         I ?    y n n n
224.0.1.3           0/0              0/0      38s        N O    n n n n
10.1.5.1      in    0/0              0/0      3s         ? O    n n n n
10.7.12.20    out   0/0              0/0      24s        I ?    n n n n
10.7.10.10    out   0/0              0/0      0s         ? ?    n n y n
6 entries


hostdb side rm

Remove a host from the manually configured side list. Use this command if you no longer want a particular host assigned to a side. After you remove a host, PacketWise will determine and assign a side to the host, using its normal mechanism.

hostdb side rm list:<hostlist>|<ip-addr>|<subnet>/<cidr>|hosts|all

list:<hostlist>

Name of the host list file to be removed from the side list

Note: This does not delete the list — use the hl rm command if you want to delete the list.

<ip-addr>

Host IP address or a range of IP addresses to be removed from the side list

To specify a range, use a dash — with no spaces — between the low and high address in the range (for example, 192.168.1.100-192.168.1.200).

<subnet>/<cidr>

The address of the subnet or a range of subnet addresses to be removed from the side list; the CIDR number specifies the number of constant bits in the address range

To specify a subnet range, use a dash between the low and high address in the range (for example, 192.168.10.0-192.168.20.0/24). Spaces are not allowed before or after the dash or slash characters.

hosts Removes all individually defined IP addresses, ranges, and subnets (but not host lists)

all Removes all hosts from the inside and outside lists, including host lists

Note: To verify the host was removed, use the hostdb side show command.

Examples:

hostdb side rm 172.17.72.0-172.17.75.0/22

hostdb side rm list:outside_list


hostdb side set

Assign hosts to the inside or outside. This is necessary when PacketWise isn’t able to automatically detect the correct side for certain hosts, such as when using Xpress in a direct standby configuration or with a load-balanced network.

hostdb side set inside|outside list:<hostlist>|<ip-addr>|<subnet>/<cidr>

Designate inside or outside hosts, using one of the following specifications:

list:<hostlist>

The name of a host list created with the hl new command; only one host list per side is allowed.

Note: Host lists are the recommended method of specifying hosts. However, you cannot use a host list that contains domain names.

<ip-addr>

Host IP address or a range of IP addresses

To specify a range, use a dash — with no spaces — between the low and high address in the range (for example, 192.168.1.100-192.168.1.200).

<subnet>/<cidr>

The address of the subnet or a range of subnet addresses; the CIDR number specifies the number of constant bits in the address range

To specify a subnet range, use a dash between the low and high address in the range (for example, 192.168.10.0-192.168.20.0/24). Spaces are not allowed before or after the dash or slash characters.

Notes:

After you assign hosts to sides, you will need to enable manual side mode with the hostdb side manual command.

For any host that isn't assigned to a specific side when manual side mode is enabled, PacketWise will use its normal mechanism for determining and assigning a side.

To remove a host after you have assigned it to a side, use the hostdb side rm command.

To view a list of hosts assigned to each side, use the hostdb side show command.

A maximum of 32 entries can be assigned to the inside and outside. An entry can be a single IP address, a range of IP addresses, a subnet, a subnet range, or a host list. Only one host list can be assigned to a side.

For details on using the hostdb side commands for troubleshooting purposes, see Compression Troubleshooting.

Examples:

In this example, host lists named inside_list and outside_list were created with the hl new command. Inside_list contains a list of hosts and subnets that are known to be on the inside of PacketShaper and outside_list contains the hosts known to be on the outside of PacketShaper. To assign each of the hosts in inside_list an inside designation, use this command:

hostdb side set inside list:inside_list

To assign each of the hosts in outside_list an outside designation, use this command:

hostdb side set outside list:outside_list

And then enable manual mode:

hostdb side manual

Each time you assign IP addresses or subnets with the hostdb side set command, the specified hosts are added to the appropriate side — you do not overwrite previous settings. For example, the following two commands will assign two hosts to the outside:

hostdb side set outside 192.21.18.172
hostdb side set outside 192.15.17.45

However, this rule does not apply to host lists since only one host list is allowed per side. If you assign a host list to a side that already has a host list defined, this list will override the one that was previously defined.
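The argument grammar and side-list rules of hostdb side set and hostdb side rm (no spaces around the dash or slash, cumulative adds, one host list per side, at most 32 entries per side) as an added Python model, useful for checking a planned set of side assignments before entering them on the unit. This is example code, not PacketWise code; the class and function names are assumptions, and host-list membership is not modelled because the hl commands are not described here.

```python
"""Model of the `hostdb side set` / `hostdb side rm` argument grammar and of the
side-list rules this reference states: no spaces around '-' or '/', at most 32
entries per side, one host list per side, and cumulative adds.
Added example, not PacketWise code; class and function names are assumed."""
import ipaddress

MAX_ENTRIES_PER_SIDE = 32  # limit stated in the reference

class SideSpecError(ValueError):
    """A host specification the CLI grammar would reject."""

def _addr(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError as exc:
        raise SideSpecError(f"bad address {text!r}") from exc

def _range(text):
    """'<lo>[-<hi>]' -> (lo, hi) addresses of the same IP version."""
    lo_s, _, hi_s = text.partition("-")
    lo = _addr(lo_s)
    hi = _addr(hi_s) if hi_s else lo
    if hi.version != lo.version or hi < lo:
        raise SideSpecError(f"bad range {text!r}")
    return lo, hi

def parse_spec(spec):
    """list:<name> -> ("list", name); <ip>[-<ip>] -> ("host", version, lo, hi);
    <subnet>[-<subnet>]/<cidr> -> ("subnet", version, lo, hi, cidr)."""
    if spec != spec.strip() or " " in spec:
        raise SideSpecError("spaces are not allowed before or after '-' or '/'")
    if spec.startswith("list:"):
        if len(spec) == len("list:"):
            raise SideSpecError("empty host list name")
        return ("list", spec[len("list:"):])
    if "/" in spec:
        addrs, _, cidr_s = spec.partition("/")
        lo, hi = _range(addrs)
        if not cidr_s.isdigit() or int(cidr_s) > lo.max_prefixlen:
            raise SideSpecError(f"bad CIDR {cidr_s!r}")
        return ("subnet", lo.version, int(lo), int(hi), int(cidr_s))
    lo, hi = _range(spec)
    return ("host", lo.version, int(lo), int(hi))

def _matches(entry, ip):
    """True if `ip` lies in a host entry, or its network lies in a subnet range."""
    kind, version, lo, hi = entry[:4]
    if ip.version != version:
        return False
    shift = ip.max_prefixlen - entry[4] if kind == "subnet" else 0
    return lo >> shift <= int(ip) >> shift <= hi >> shift

class SideTable:
    """In-memory model of the inside/outside lists and the side mode."""

    def __init__(self):
        self.mode = "auto"
        self.lists = {"inside": None, "outside": None}  # one host list per side
        self.hosts = {"inside": [], "outside": []}      # addresses, ranges, subnets

    def set(self, side, spec):
        """hostdb side set inside|outside <spec>"""
        entry = parse_spec(spec)
        if entry[0] == "list":
            self.lists[side] = entry[1]  # a new list overrides the previous one
        elif entry not in self.hosts[side]:
            used = len(self.hosts[side]) + (1 if self.lists[side] else 0)
            if used >= MAX_ENTRIES_PER_SIDE:
                raise SideSpecError(f"{side} already holds {MAX_ENTRIES_PER_SIDE} entries")
            self.hosts[side].append(entry)  # adds accumulate; nothing is overwritten

    def rm(self, spec):
        """hostdb side rm <spec>|hosts|all, applied to both sides."""
        for side in self.hosts:
            if spec == "all":
                self.lists[side], self.hosts[side] = None, []
            elif spec == "hosts":
                self.hosts[side] = []  # host lists stay assigned
            else:
                entry = parse_spec(spec)
                if entry[0] == "list" and self.lists[side] == entry[1]:
                    self.lists[side] = None
                elif entry in self.hosts[side]:
                    self.hosts[side].remove(entry)

    def manual(self):
        self.mode = "manual"

    def side_of(self, ip):
        """Side forced for `ip` in manual mode; None means PacketWise would
        detect it automatically (host-list members are not modelled)."""
        if self.mode != "manual":
            return None
        addr = _addr(ip)
        for side, entries in self.hosts.items():
            if any(_matches(e, addr) for e in entries):
                return side
        return None
```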


hostdb side show

Display host side settings. The current mode (auto vs. manual) is displayed, along with the list of hosts assigned to each side.

hostdb side show

Mode: Manual
Inside:
  Host list: inside_list
  192.21.18.175
  192.21.18.177
  192.21.18.178-192.21.18.180

Outside:
  Host list: outside_list


hostdb topusers

Determine which hosts or users are consuming the most bandwidth. You can configure PacketShaper to track the Top Talkers (hosts which initiate the most traffic) and Top Listeners (hosts which receive the most traffic).

To display statistics for the top 20 bandwidth users per traffic class — either receivers or senders — use the following commands:

hostdb topusers start <tclass> [talk|listen]

hostdb topusers stop <tclass> [talk|listen]

hostdb topusers reset <tclass> [talk|listen]

hostdb topusers show [<tclass>] [talk|listen]

start Starts tracking top hosts (talkers or listeners) for a traffic class

stop Stops tracking top hosts for a traffic class

reset Clears the list of top hosts and restarts the host-tracking process

show

Displays the hosts or users that have used the highest percentage of bandwidth in the class since tracking was started. The list is cleared with the hostdb topusers reset <tclass> command or when you reset the unit.

A host stays on the top-20 list until another host uses more bandwidth, at which point the host may drop off the list entirely or move further down the list. For example, suppose top talkers is turned on for the Inbound/HTTP class, and cnn.com is the top consumer with 22%. If another host, yahoo.com, later consumes more bandwidth than cnn.com, yahoo.com might go to the top of the list and cnn.com would drop lower on the list.

Notes:

A total of 32 Top Talkers and Top Listeners (combined) can be enabled at one time. Thus, you can enable both Top Talkers and Top Listeners for up to 16 different classes. Or, if you enable one or the other (just Top Talkers or just Top Listeners), you can track top hosts on 32 different classes.

For non-IP traffic, PacketWise does not track sessions or hosts. Therefore, traffic for non-IP protocols (IPX, AppleTalk, NetBEUI, DECnet, FNA, and SNA) will not appear in the Top Talker or Top Listener lists.

The Group Name column in the output shows one of the user group names to which the user belongs. If a top user belongs to more than one group, an ellipsis will appear. To see all the group names for a user, use the setup bcaaa server-test command. Note that the only group names that display are ones for which a user group class has been created. The user may belong to other Active Directory groups, but they will not be listed for the user unless a class exists for that group.

Examples

To start top talker tracking on the Inbound/HTTP class:

hostdb topusers start inbound/http talk

To see a list of top talkers in the Inbound/HTTP class:

# hostdb topusers show inbound/http talk

Top talker analysis for inbound class HTTP.
Duration: 02:09:18
7 active entries.

User Name   Group Name   DNS Name                                        Percent  IP Address
------------------------------------------------------------------------------------------
N/A         N/A          a184-84-222-35.deploy.akamaitechnologies.com    52       184.84.222.35
N/A         N/A          a184-84-222-107.deploy.akamaitechnologies.com   24       184.84.222.107
john.smith  group-sales  No such name                                    7        10.200.10.129
N/A         N/A          20052lpweb01.redcrossblood.org                  4        174.120.176.2
N/A         N/A          75.126.14.205-static.reverse.softlayer.com      4        75.126.14.205
N/A         N/A          server-205-251-203-169.lax3.r.cloudfront.net    2        205.251.203.169
N/A         N/A          a184-84-222-115.deploy.akamaitechnologies.com   1        184.84.222.115

# hostdb topusers show

2 active top user sessions.

Direction  Class  T/L       Duration
----------------------------------------------------
inbound    HTTP   talker    02:13:13
outbound   HTTP   listener  02:13:13


image

Upgrade to a new version, revert to a previous version, or display the current, backup, and bootloader versions.

image [load|revert|show]

image load [//<hostname>/]<filename> [[<user>] <passwd>]

image revert

image show

Notes:

The image load command creates a backup of the current image before loading the new image. In case the image fails to load, PacketWise automatically reverts to the backup image.

If a remote image load is aborted (for example, when a corrupted image is detected) and the image load is reattempted, the backup image on the system disk (9.256/bin/backup.zoo) is lost, and the current and backup images on the data disk become the same image version. Therefore, if you revert the image at this point, it will simply revert to the same version as the current one. This happens only when you specify an FTP location for the image load path. You can avoid this potential problem by putting the image on the box (using FTP, for example) and then loading it with the image load command, specifying the local path to the .zoo file.

On PacketShaper units with 16M Flash, there may be problems reverting to the backup image. For example, suppose you start with v8.1.1, load v8.3.1, and then revert to the v8.1.1 image. This operation will perform successfully. However, if you then try to use the image revert command to switch back to v8.3.1, the command will not succeed. The workaround is to use the image load command to reload the 8.3.1 image. If you are still having problems, you can delete unnecessary files on the system disk (9.256/).


image library

For PolicyCenter only

Show the current library of image files available for distribution from PolicyCenter to individual PacketShapers.

image library units|policycenter [alt]

The image library units command shows the version name and type, build time and build variations for available PacketWise images. The image library policycenter command displays information for PolicyCenter executable files. Use the optional alt with either command to view additional details such as checksum, file size, the time the file was last modified, and the publishing server.

Example output of this command:

image library units

Name        Type  Version
ram.zoo     STD   PacketWise v6.0.1g1  2003-07-09
ram.zoo     STD   PacketWise v6.1.2g1  2005-02-09
latest.zoo  STD   PacketWise v7.0.0g1  2005-07-19

image library policycenter

Name     Type  Version
PC700g1  PC    pc7.0.0g1  PolicyCenter
PC701g1  PC    pc7.0.1g1  PolicyCenter
PC701g1  PC    pc7.0.1g1  PolicyCenter Update


image prescribe

For PolicyCenter only

Prescribe an image for a PolicyCenter configuration by filename, version, or checksum. Use the image library command to determine these values for available images.

Once you prescribe an image for units assigned to a PolicyCenter configuration, do not manually load a different image on a unit until you change the image prescribed via PolicyCenter, or turn off image prescription with the image prescribe none command. Otherwise, the unit will realize that its new image is different from its prescribed image, and will re-download and reload its prescribed image during its next scheduled synchronization window.

image prescribe <filename>|version=<version>|checksum=<checksum>|default|none|show

<filename> The filename of the image file you wish to prescribe to a PolicyCenter configuration.

<version> The version number of the image file you wish to prescribe to a PolicyCenter configuration.

<checksum> The checksum value of the image file you wish to prescribe to a PolicyCenter configuration.

default|none|show Specify default if the configuration should inherit its image from a parent configuration, or specify none if the configuration should not inherit its image. The show option shows the configuration's current effective image.

Examples:

image prescribe std610

image prescribe version=v6.1.0g1

image prescribe checksum=1094692686


image subscribe

For PolicyCenter only

Configure when and how often PacketShapers assigned to a PolicyCenter configuration update image files.

image subscribe asap|scheduled|default

The image subscribe command has the following options:

asap PacketShapers assigned to the configuration will automatically update their image files as soon as they are prescribed.

scheduled PacketShapers assigned to the configuration will wait for the image sync command before downloading prescribed files.

default If set to default, the PolicyCenter configuration inherits its image subscription behavior from its parent configuration.

See also: image sync


image sync

For units in shared mode only

Issue this command from an individual PacketShaper to immediately download the image file prescribed for the unit’s PolicyCenter configuration. This command is only required when the PolicyCenter configuration prescription mode has been set to scheduled with the image subscribe command.

Note: It is not necessary to issue this command if the prescription mode is currently in its default state, or has been set to asap with the image subscribe command.

image sync

See also: image subscribe


image update

For PolicyCenter only

Determine when PolicyCenter updates its library of available images and plug-ins from the Blue Coat support website.

image update [nightly|manual|default|now]

nightly PolicyCenter attempts to update its library of images and plug-ins nightly, typically during the very early hours of the morning (local time).

manual PolicyCenter does not automatically update its image and plug-in library until you issue the command image update now. This is the default behavior.

default Returns the image update mode to its default state (manual).

now The command image update now enables PolicyCenter to immediately begin updating its image and plug-in library.


ipfilter

Creates an IP filter that configures a PacketShaper to filter traffic based on IP address.

ipfilter discard|onlyaccept|passthrough <device> src|dst <ipaddress> [<mask>]

discard Configures the IP filter to discard packets arriving on <device> with the src|dst IP address as <ipaddress>.

onlyaccept Configures the IP filter to only accept packets arriving on <device> with the src|dst IP address as <ipaddress>.

passthrough Configures the IP filter to pass through packets arriving on <device> with the src|dst IP address as <ipaddress>.

<device>

The PacketShaper interface on which the IP filter will act. Depending on the PacketShaper model and configuration, available interfaces may include the following:

inside
outside
backup_inside
backup_outside
left_inside
left_outside
lower_inside
lower_outside
right_inside
right_outside
upper_inside
upper_outside

To see a list of available interfaces on your PacketShaper, enter a question mark (“?”) as the device argument. For example:

ipfilter discard ?

src|dst <ipaddress> [<mask>]

Specifies whether the IP filter applies to traffic originating from (src) or directed to (dst) the specified host.

<ipaddress> The IP address of the specified host

[<mask>] The net mask of the specified host

Note: To filter all traffic to and from a specified host, you must create IP filters for the host as both the source (src) and destination (dst) of network traffic.

You can create up to 2,000 IP filters on a PacketShaper; filter entries are saved in the PacketShaper configuration file.

Examples

This example creates an IP filter that will discard all traffic on the upper inside interface that originates from the host with the IP address 10.1.1.14:

ipfilter discard upper_inside src 10.1.1.14

This example creates an IP filter that will only accept traffic on the upper outside interface that originates from the host with the IP address 10.10.1.1. All other traffic not otherwise managed by an IP filter is discarded.

ipfilter onlyaccept upper_outside src 10.10.1.1

This example creates an IP filter that allows all traffic destined for the IP address 10.1.10.1 to pass through the inside interface.

ipfilter passthrough inside dst 10.1.10.1

Note: For each IP filter, PacketWise assigns a unique eight-digit alphanumeric identifier, such as “DC73DA16”. These identifiers are used to specify an IP filter for removal when using the ipfilter clear command. To see a list of all configured IP filters and their identifiers, use the ipfilter show command.

See also:


ipfilter clear

ipfilter iponly

ipfilter show

Command Change History

Release Modification

8.2.0 Command introduced


ipfilter clear

Removes all IP filters (default) or the IP filter that you specify.

ipfilter clear [<id>]

ipfilter clear

Removes all IP filters. To remove all IP filters from a PolicyCenter configuration, access that configuration via the config view command, then issue the CLI command ipfilter clear; no draft configuration is necessary.

[<id>]

Removes the IP filter identified by [<id>]. To delete a single IP filter from a PolicyCenter sharable configuration, create a draft version of that configuration and then issue the command ipfilter clear <id> from the draft. The deleted filter will be permanently deleted when you commit the draft.

To see a list of all configured IP filters and their identifiers, use the ipfilter show command.

Examples

This example removes all configured IP filters from the PacketShaper.

ipfilter clear

This example removes only the IP filter with the identifier “DC73DA16”.

ipfilter clear DC73DA16


See also:

ipfilter

ipfilter iponly

ipfilter show

Command Change History

Release Modification

8.2.0 Command introduced


ipfilter iponly

Configures a PacketShaper to relay only IP traffic.

ipfilter iponly on|off

on Creates an IP filter that relays only IP traffic (applies to all interfaces).

off (Default). Configures the PacketShaper to relay both IP and non-IP traffic.

See also:

ipfilter

ipfilter clear

ipfilter show

Command Change History

Release Modification

8.2.0 Command introduced


ipfilter show

Shows all configured IP filters.

ipfilter show

Returned data include the status of the ipfilter iponly setting (whether the PacketShaper will relay only IP traffic or both IP and non-IP traffic), the unique identifier of each IP filter, its number of hits (instances where the IP filter rule matched a packet), and the configuration of the IP filter.

Example

In this example, the PacketShaper is configured to relay both IP and non-IP traffic, and one passthrough IP filter has been configured on the outside interface:

ipfilter show

Relay all traffic.

Exclude Filters: total 1

[DC73DA16] hits 0 Outside src 172.21.1.44 (ffffffff) --> passthru

Include filters: total 0

ipfilters MIB:
[ 0] outs 0             [ 1] onlyAccepts 0
[ 2] onlyExcludes 0     [ 3] nonIpDiscarded 0
[ 4] atalkDiscarded 0   [ 5] ipxDiscarded 0
[ 6] netbiosDiscarded 0 [ 7] snaDiscarded 0
[ 8] fnaDiscarded 0     [ 9] decDiscarded 0
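An added example (not PacketWise code) that parses the ipfilter show layout above from a saved CLI capture and flags what a reviewer of a unit's IP filters would check: filters that have never matched, masks wider than a single host, and whether non-IP traffic is being relayed. The sample capture is constructed from this reference's example, the "Relay all traffic." wording is the only iponly status text the reference shows, and the function names are assumptions.

```python
"""Parser and audit helper for the text printed by `ipfilter show`, so a unit's
IP filters can be reviewed offline from a saved CLI capture.
Added example, not PacketWise code; the sample capture is constructed from the
reference's example, and the function names are assumed."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the layout shown by the reference: one passthrough
# filter on the outside interface, unit relaying both IP and non-IP traffic.
SAMPLE = """\
Relay all traffic.
Exclude Filters: total 1
[DC73DA16] hits 0 Outside src 172.21.1.44 (ffffffff) --> passthru
Include filters: total 0
ipfilters MIB:
[ 0] outs 0 [ 1] onlyAccepts 0
[ 2] onlyExcludes 0 [ 3] nonIpDiscarded 0
[ 4] atalkDiscarded 0 [ 5] ipxDiscarded 0
[ 6] netbiosDiscarded 0 [ 7] snaDiscarded 0
[ 8] fnaDiscarded 0 [ 9] decDiscarded 0
"""

FILTER_RE = re.compile(
    r"\[(?P<id>[0-9A-F]{8})\] hits (?P<hits>\d+) (?P<device>\S+) (?P<dir>src|dst) "
    r"(?P<ip>\S+) \((?P<mask>[0-9a-f]{8})\) --> (?P<action>\S+)")
SECTION_RE = re.compile(r"(?P<name>Exclude|Include) [Ff]ilters: total (?P<total>\d+)")
MIB_RE = re.compile(r"\[\s*\d+\] (?P<name>\w+) (?P<value>\d+)")


@dataclass
class IpFilter:
    id: str          # eight-digit identifier used by `ipfilter clear <id>`
    section: str     # "Exclude" or "Include" block the filter was listed under
    hits: int
    device: str
    direction: str   # "src" or "dst"
    network: ipaddress.IPv4Network
    action: str      # as printed, e.g. "passthru"


def parse_ipfilter_show(text):
    """Return (relay_all, filters, section_totals, mib_counters)."""
    relay_all, section, in_mib = False, None, False
    filters, totals, mib = [], {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line == "Relay all traffic.":  # the only iponly wording the reference shows
            relay_all = True
            continue
        if line.startswith("ipfilters MIB:"):
            in_mib = True
            continue
        for m in FILTER_RE.finditer(line):  # filters belong to the current section
            mask = ipaddress.IPv4Address(int(m["mask"], 16))
            net = ipaddress.ip_network(f"{m['ip']}/{mask}", strict=False)
            filters.append(IpFilter(m["id"], section, int(m["hits"]), m["device"],
                                    m["dir"], net, m["action"]))
        m = SECTION_RE.search(line)  # a header may share a line with a filter
        if m:
            section = m["name"]
            totals[section] = int(m["total"])
        if in_mib:
            for m in MIB_RE.finditer(line):
                mib[m["name"]] = int(m["value"])
    return relay_all, filters, totals, mib


def audit(text):
    """Findings a reviewer would check: header/entry count mismatches, filters
    that never matched, masks wider than one host, and non-IP relaying."""
    relay_all, filters, totals, _ = parse_ipfilter_show(text)
    findings = []
    for name, total in totals.items():
        seen = sum(1 for f in filters if f.section == name)
        if seen != total:
            findings.append(f"{name}: header says {total} filters, parsed {seen}")
    for f in filters:
        if f.hits == 0:
            findings.append(f"{f.id}: never matched; confirm it is still needed")
        if f.network.num_addresses > 1:
            findings.append(f"{f.id}: {f.direction} mask covers {f.network.num_addresses} addresses")
    if relay_all:
        findings.append("non-IP traffic is relayed (ipfilter iponly is off)")
    return findings
```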

See also:

ipfilter

ipfilter clear

ipfilter iponly

Command Change History

Release Modification

8.2.0 Command introduced


links show

Display the programmed link speeds with current link statistics (current rate, one-minute average, and peak rate).

links show

Interface   Speed       Cur rate  1 Min avg  Peak rate
-----------------------------------------------------
Inside      1000000000  7220      6178       357k
Outside     100000000   2519      294        84k
Management  100000000   1894      685        6294

If traffic shaping is enabled, the output will also show statistics for each direction. For instance:

Direction   Speed       Cur rate  1 Min avg  Peak rate
-----------------------------------------------------
Inbound     1500000     2966      602        3821
Outbound    1500000     1866      600        9096

Notes:

The Inside and Outside statistics measure the traffic that enters the unit through these ports. Localhost traffic is not included in the Inside and Outside statistics.

When compression is enabled, the Inbound/Outbound traffic use compressed sizes in rate measurements.

Inbound accelerated traffic is measured after rate control is applied. The Inbound measurement does not measure accelerated traffic that exits the PacketShaper through the Inside interface.

The In and Out display on the LCD panel use the same measurements as the Inbound and Outbound display in the links show command.

The bps values for the management port represent Localhost traffic only (applicable to units with MGMT ports).

Use the setup link command to configure the inbound and outbound link speeds.


look

Set read-only access when accessing the command-line interface. Note that this command does not set the access of the browser user interface.

look

CLI commands that modify the PacketShaper's configuration are not available in look mode. Similarly, you cannot retrieve sensitive information or issue commands that would impact the performance of the unit, nor can you create, edit, or delete classes, policies, or partitions. You can show settings, but you cannot change them in look mode. To see what commands are available in look mode, type the first word of the command (such as setup, class, partition, or policy) and press Enter. If you have look access and attempt a command that changes the configuration, a message notifies you that the command requires touch access.

To enable read-write access, use the touch command.


ls

Display system or data disk directory listings.

ls [<directory> | <file>]...


measure backup

Back up measurement data files. After you have backed up your data files, you can use the backups in case data later becomes corrupted. You may also want to create a backup to archive all the current data on a unit. For details on restoring measurement data, see measure restore.

When you back up data files, you have the choice of backing up all measurement groups or a specific group (link day, link month, partition day, partition month, class day, or class month). Or, if you are using the host accounting feature, you can back up host accounting data.

measure backup {link|partition|class day|month}|{host accounting}|{all groups} [compress] [<user>[:<password>]@<host>] <destfile>

link|partition|class day|month

Backs up a specific set of measurement variables: link, partition, or class

day backs up one-minute samples (of which at least a day’s worth of data is stored); month backs up hourly samples (at least one month of one-hour data is stored on standard PacketShaper models and at least two months of four-hour data is stored on ISP models)

host accounting

Backs up host accounting data (if host accounting is enabled)

Note: Host accounting is not available on the PacketShaper 900 Lite models.

all groups

Backs up all measurement groups (link day, link month, partition day, partition month, class day, class month, and host accounting—if enabled). The data is backed up into different files with automatically generated filenames. The new filenames for the backups combine a portion of the unit's serial number with a number 0-6. For example, if the serial number is 065-10001072, the bulk backup filenames will look like this:

link day          00010721.dat
link month        00010722.dat
partition day     00010723.dat
partition month   00010724.dat
class day         00010725.dat
class month       00010726.dat
host accounting   00010720.dat

[compress]

Compresses the measurement data while uploading to an FTP server (saves disk space); the data is compressed using a proprietary compression format

[<user>[:<password>]@<host>]    <user> is the user name to be used when FTP logs into the <host> (the IP address or DNS name of the FTP server). If <password> is omitted, the password is transmitted empty or blank. The default user name and password if both items are omitted are user=anonymous and [email protected].

<destfile>    Name of the new file to be created on the remote FTP server; specify a path if you don’t want to create the file in the user’s default directory. It’s a good idea to include the group and data type in the name, for example link_mo.dat for one month of link data.

When using the all groups option, the destination filenames are automatically generated as described above. You can specify a destination directory for <destfile>, or to back up the files into the default directory, you can omit <destfile>.

Note: You cannot back up data files onto the unit itself.

For example, to back up the hourly samples of link measurement data into a file named link_mo.dat:

measure backup link month compress john:[email protected] link_mo.dat

To back up all measurement data into the directory /home/user/backups:

measure backup all groups john:[email protected] /home/user/backups/

Here are a few things to keep in mind:

Some of the measurement data files are quite large (such as the one that stores class day data) and can take several minutes to back up, particularly if the FTP server is across a WAN link.

Warning: While data is being backed up, the measurement engine stops recording data. Existing data will still be available for dumps and reports but keep in mind that certain features (such as Top Ten and user events) will not function properly without current data.

The time at which the measurement engine is stopped is used as the end time for data dumps. The measurement engine will not record any data in the intervals during which it was stopped or started. After the backup is complete, you have an opportunity to restart the measurement engine.

PacketGuide™ for PacketWise® 9.2

measure cumvar
Note: The measure cumvar command is intended as a troubleshooting tool to be used with the guidance of Customer Support.

Use this command to display a base measurement value. A base measurement variable is the accumulated value that is sampled to generate the measurement engine time-series data.

measure cumvar <type> <element> <var>

<type>    The element type of the element whose variable is to be viewed: link, partition, or class

<element>    The name of the element whose variable is to be viewed: link (inbound or outbound), partition name, or class name. This command is valid for "leaf" classes only — that is, classes that do not have children. If you specify a non-leaf class, it will display a variable value of zero.

<var>    The variable to be viewed. This may be a simple variable, the high 32 bits of a 64-bit variable, indicated by the suffix "Hi", or a particular histogram value, indicated by the suffix "[<name>]", where <name> is the histogram index name.

For example, use the measure show command to get a list of variables for a measurement type, then use measure cumvar to display the value:

measure cumvar class outbound/outside/http class-hits

Base value of "class-hits" on "class outbound/outside/http" is 18.

measure dump
Display a list of comma-separated measurement values at the command line or redirect the measurement data to a file. When you redirect the data to a file, you can generate graphs using a spreadsheet application.

This command provides four selections for ordering the output (one is required):

by element
by variable
by time
by event

measure dump by element
List measurement data totals for a specific element, such as a particular link (Inbound or Outbound), partition, class, or host IP address. You can list data for one or more measurement variables for a designated duration (such as 1 day or 2 weeks). The measurement data can be displayed onscreen or stored in a delimited text file. The by element option dumps the same data as the by var option, except the output is structured differently. (See the examples that compare by var and by element output.)

measure dump link|partition|class|host [group day|month|accounting] [immediate|leaf|all] [<link-name>|<partition-name>|<class-name>|<host-ip-addr>...] [endtime [<date>]<time>] by element <duration> [to <file>] [sort] <var>...

link|partition|class|host    Specify the type of data to be dumped.

Note: In order to dump host measurement data, you must enable host accounting.

[group day|month|accounting]    Dumps data from a specific measurement group — day, month, or accounting (if host accounting is enabled).

If you don’t specify a group, PacketWise will choose the group that appears most appropriate for the interval and/or duration you have specified. For example, if you specify an interval of 15 minutes, PacketWise assumes you want to dump the data from the day group. Or if you specify an interval of 2 hours, PacketWise assumes you want to dump the data from the month group. You can use the group option to override the default behavior.

[immediate|leaf|all]    immediate — dumps data for the specified class and direct child classes (not grandchildren classes)

leaf — dumps data for leaf classes only (that is, child classes that don't have any children); this is the default setting for class data

all — dumps data for the complete branch: the specified class, direct child classes, and all other classes that are descendants of the child classes.

Note: The immediate and leaf options are not applicable to link data.

If classes or partitions were deleted during this measurement interval, they will appear in the output list.

(See the examples that compare the immediate, leaf, and all options.)

<link-name>|<partition-name>|<class-name>|<host-ip-addr>    List one or more names of the elements you want to dump; that is, specific class names, partition names, links (inbound or outbound), or host IP addresses. A specific name is not required if you want to dump all link, partition, class, or host data.

Note: As mentioned above, host accounting must be enabled in order to get measurement data on specific hosts.

[endtime [<date>]<time>]    Specify a fixed end date and time for the data dump. The <date> should be in the format YYYYMMDD and the <time> should be in the format HHMM. The <date> is optional, but the <time> is required. If endtime is omitted, the current date and time (“now”) are used.

<duration>    Time duration over which to total the values. Duration must be specified as one of: s for seconds, m for minutes, h for hours, d for days, w for weeks.

to <file>    Use the to literal to specify that the records should be dumped to a text file named <file>. If to <file> is omitted, the records are dumped to stdout.

Note: This text file can be downloaded from PacketShaper's system disk (9.256/) to a PC. You can then import the data into another program (such as Microsoft Excel) for further analysis.

[sort]    Use the sort literal to sort each dumped interval by the first variable, in descending order.

<var>...    Specify one or more variables to dump (for example, bytes, pkts, or avg-bps). To list the available variables, specify ? for this parameter. When listing host accounting data, you can specify element, bytes, kbytes, or host accounting categories for the <var>.

Examples:

measure dump class all inbound/http by element 1m peak-bps

measure dump partition inbound/sales-dept by element 1d peak-bps partition-over-limit-msecs

measure dump class outbound/ftp by element 2d avg-bps class-hits policy-hits

An example that lists host accounting data (when host accounting is enabled):

measure dump host all by element 20m sort bytes web mail

"time:08-May-2002 15:30:00"
"host","bytes","web","mail"
"10.3.10.1",6181803,6260,0
"10.1.1.40",3922184,0,0
"165.212.11.125",1905799,0,0
"10.10.254.85",1479605,0,562
"10.7.19.4",790212,16906,2073
"10.10.254.8",557468,540480,1088

The above example lists each host that had an open connection during the time period (the last 20 minutes), the total number of bytes that each host sent and/or received, and the number of bytes transferred in the "web" and "mail" host accounting categories. (The "web" and "mail" categories were previously defined with the host accounting categories command.)

See also:

measure dump by time

measure dump by var

measure dump by event
List measurement data for adaptive response agents. For example, you can retrieve the score values and colors for each adaptive response agent in a certain time period.

measure dump <cdf-type> all [<agent-name>] [endtime [<date>]<time>] by event <count>|<duration> [to <file>] [sort] <var>...

where:

<cdf-type>    The <cdf-type> can be one of the following:

agent1    retrieves scoring values and status color data for all agents
agent2    retrieves measurement data for High Bandwidth New App agent
agent3    retrieves measurement data for High Bandwidth Host agent
agent4    retrieves measurement data for Traffic Performance agents
agent5    retrieves measurement data for Partition Utilization agents

[<agent-name>]    Name of the agent, enclosed in quotes. For example: "Outbound Default Traffic"

For a list of available agent names, use the agent show command.

[endtime [<date>]<time>]    Specify a fixed end date and time for the data dump. The <date> should be in the format YYYYMMDD and the <time> should be in the format HHMM. The <date> is optional, but the <time> is required. If endtime is omitted, the current date and time (“now”) are used.

to <file>    Use the to literal to specify that the records should be dumped to a text file named <file>. If to <file> is omitted, the records are dumped to stdout.

Note: This text file can be downloaded from PacketShaper's system disk (9.256/) to a PC. You can then import the data into another program (such as Microsoft Excel) for further analysis.

[sort]    Use the sort literal to sort each dumped interval by the first variable, in descending order.

<count>    Retrieve data for a selected number of evaluation intervals

<duration>    Retrieve all data recorded over the selected duration.

Use one of the following formats to indicate a time duration: Ns for seconds, Nm for minutes, Nh for hours, Nd for days, Nw for weeks.

<var>    The following measurement variables are available for each agent type:

agent1 variables: score-value, score-color, score-result

Note: Score colors are reported by the following values: 0=green, 1=red, 2=yellow, 3=blue. The score result has a value of 0 if the agent successfully measured its target. Otherwise, the score result will return an error code.

agent2 variables: element, sample-interval-msecs, namelist, avg-bps

agent3 variables: element, sample-interval-msecs, host-ip, direction, avg-bps. Direction is displayed as: 1=Inbound, 0=Outbound.

agent4 variables: element, sample-interval-msecs, class-id, network-efficiency

agent5 variables: element, sample-interval-msecs, class-id, avg-bps

Examples:

The following command dumps data by <count>, and returns the data for the past two evaluation intervals for all agents (the agent1 <cdf-type>).

me dump agent1 all by event 2 score-value score-color score-result

"time","agent1","score-value","score-color","score-result"
"13-Jan-2005 03:24:00","Class ME Variables agent",0,2,0
"13-Jan-2005 03:24:00","High Bandwidth Host",2,0,0
"13-Jan-2005 03:24:00","Inbound Default Traffic",1,0,0
"13-Jan-2005 03:24:00","Outbound Default Traffic",0,0,0
"13-Jan-2005 03:24:00","Partition Utilization agent",0,0,4557
"13-Jan-2005 03:24:00","Spoofing - Client",0,0,0
"13-Jan-2005 03:24:00","Spoofing - Server",0,0,0
"13-Jan-2005 03:24:00","Syn Attack - Failed Flows",0,0,0
"13-Jan-2005 03:24:00","Traffic Performance agent",2,1,0
"13-Jan-2005 03:23:00","Class ME Variables agent",0,2,0
"13-Jan-2005 03:23:00","High Bandwidth Host",2,0,0
"13-Jan-2005 03:23:00","Inbound Default Traffic",1,0,0
"13-Jan-2005 03:23:00","Outbound Default Traffic",0,0,0
"13-Jan-2005 03:23:00","Partition Utilization agent",0,0,4557
"13-Jan-2005 03:23:00","Spoofing - Client",0,0,0
"13-Jan-2005 03:23:00","Spoofing - Server",0,0,0
"13-Jan-2005 03:23:00","Syn Attack - Failed Flows",0,0,0
"13-Jan-2005 03:23:00","Traffic Performance agent",0,0,4557

To display data for a specific agent you can include the <agent-name>, enclosed in quotes:

measure dump agent1 all "Inbound Traffic Performance" by event 5 score-value

"agent1:Inbound Traffic Performance"
"time","score-value"
"12-Oct-2005 11:06:00",87
"12-Oct-2005 11:05:00",100
"12-Oct-2005 11:04:00",95
"12-Oct-2005 11:03:01",92
"12-Oct-2005 11:02:00",97

The command below returns data for a <duration>, displaying the last recorded minute of information for the agent3 <cdf-type> (the High Bandwidth Host agent).

me dump agent3 all by event 1m host-ip direction avg-bps

"21-Jul-2005 13:51:00","High Bandwidth Host",174351134,0,56
"21-Jul-2005 13:51:00","High Bandwidth Host",2887062186,0,1824
"21-Jul-2005 13:51:00","High Bandwidth Host",2887061257,0,32
"21-Jul-2005 13:51:00","High Bandwidth Host",2887059946,0,8
"21-Jul-2005 13:51:00","High Bandwidth Host",2887057727,0,40
"21-Jul-2005 13:51:00","High Bandwidth Host",2887062278,0,16
"21-Jul-2005 13:51:00","High Bandwidth Host",2887061761,0,24
"21-Jul-2005 13:51:00","High Bandwidth Host",2887063396,0,16
"21-Jul-2005 13:51:00","High Bandwidth Host",2887063331,0,16
"21-Jul-2005 13:51:00","High Bandwidth Host",2887057710,1,224
"21-Jul-2005 13:51:00","High Bandwidth Host",2887062068,0,16
"21-Jul-2005 13:51:00","High Bandwidth Host",2887057428,0,344
"21-Jul-2005 13:51:00","High Bandwidth Host",2887059941,0,8
"21-Jul-2005 13:51:00","High Bandwidth Host",2887061002,0,8
"21-Jul-2005 13:51:00","High Bandwidth Host",2887059960,0,8
"21-Jul-2005 13:51:00","High Bandwidth Host",2887059943,0,8
"21-Jul-2005 13:51:00","High Bandwidth Host",2887060739,0,8
"21-Jul-2005 13:51:00","High Bandwidth Host",2887064948,0,24
"21-Jul-2005 13:51:00","High Bandwidth Host",2887064955,0,8
"21-Jul-2005 13:51:00","High Bandwidth Host",2887063300,0,16
"21-Jul-2005 13:51:00","High Bandwidth Host",2887062919,0,8
"21-Jul-2005 13:51:00","High Bandwidth Host",167837972,0,72
"21-Jul-2005 13:51:00","High Bandwidth Host",2887059250,1,120
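The agent1 and agent3 dumps above are easier to read once their coded fields are decoded. The following Python helper is an added example, not PacketWise code: it applies the score-color mapping (0=green, 1=red, 2=yellow, 3=blue) and the direction mapping (1=Inbound, 0=Outbound) stated in this section, and renders host-ip integers as dotted quads. It assumes, from the agent3 output shown above, that a headerless by event dump has the columns time, agent name, then the requested variables in command-line order; the sample rows are copied from the manual's examples.

```python
"""Decode measure dump ... by event output for adaptive response agents.

Added example, not PacketWise code. Sample rows are copied from the manual's
agent1 and agent3 examples; column order for the headerless agent3 dump is an
assumption drawn from that example (time, agent, then requested variables).
"""
import csv
import ipaddress
from typing import Dict, List, Optional, Tuple

# Value mappings stated in the manual for agent1 and agent3 variables.
SCORE_COLORS = {0: "green", 1: "red", 2: "yellow", 3: "blue"}
DIRECTIONS = {1: "Inbound", 0: "Outbound"}

# agent1 output carries a header row.
AGENT1_SAMPLE = """\
"time","agent1","score-value","score-color","score-result"
"13-Jan-2005 03:24:00","Class ME Variables agent",0,2,0
"13-Jan-2005 03:24:00","High Bandwidth Host",2,0,0
"13-Jan-2005 03:24:00","Partition Utilization agent",0,0,4557
"13-Jan-2005 03:24:00","Traffic Performance agent",2,1,0
"""

# agent3 output in the manual has no header row.
AGENT3_SAMPLE = """\
"21-Jul-2005 13:51:00","High Bandwidth Host",174351134,0,56
"21-Jul-2005 13:51:00","High Bandwidth Host",2887062186,0,1824
"21-Jul-2005 13:51:00","High Bandwidth Host",2887057710,1,224
"21-Jul-2005 13:51:00","High Bandwidth Host",2887057428,0,344
"""
# Assumed column layout for "me dump agent3 all by event 1m host-ip direction avg-bps".
AGENT3_COLUMNS = ["time", "agent3", "host-ip", "direction", "avg-bps"]

LABEL_COLUMNS = {"time", "agent1", "agent2", "agent3", "agent4", "agent5", "element"}


def decode_host_ip(raw: int) -> str:
    """host-ip is dumped as an unsigned 32-bit integer; render it as a dotted quad."""
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError(f"host-ip out of IPv4 range: {raw}")
    return str(ipaddress.IPv4Address(raw))


def decode_field(name: str, value: str):
    """Apply the manual's value mappings to one column; other numerics become int."""
    if name in LABEL_COLUMNS:
        return value
    number = int(value)
    if name == "host-ip":
        return decode_host_ip(number)
    if name == "direction":
        return DIRECTIONS.get(number, f"unknown({number})")
    if name == "score-color":
        return SCORE_COLORS.get(number, f"unknown({number})")
    return number


def parse_event_dump(text: str, columns: Optional[List[str]] = None) -> List[Dict[str, object]]:
    """Parse by event output; use the header row if present, else the given column names."""
    rows = list(csv.reader(ln for ln in text.splitlines() if ln.strip()))
    if rows and rows[0] and rows[0][0] == "time":
        columns, rows = rows[0], rows[1:]
    if columns is None:
        raise ValueError("no header row in dump and no column names supplied")
    records = []
    for row in rows:
        if len(row) != len(columns):
            raise ValueError(f"expected {len(columns)} columns, got {row!r}")
        records.append({c: decode_field(c, v) for c, v in zip(columns, row)})
    return records


def failed_scores(records) -> List[Tuple[str, int]]:
    """Agents whose score-result is non-zero, i.e. an error code rather than a measurement."""
    return [(r["agent1"], r["score-result"]) for r in records if r["score-result"] != 0]


def busiest_hosts(records, n: int) -> List[Tuple[str, str, int]]:
    """Top n (host, direction, avg-bps) from an agent3 dump, highest rate first."""
    ranked = sorted(records, key=lambda r: r["avg-bps"], reverse=True)
    return [(r["host-ip"], r["direction"], r["avg-bps"]) for r in ranked[:n]]


if __name__ == "__main__":
    for agent, code in failed_scores(parse_event_dump(AGENT1_SAMPLE)):
        print(f"{agent}: score-result error code {code}")
    for host, direction, bps in busiest_hosts(parse_event_dump(AGENT3_SAMPLE, AGENT3_COLUMNS), 3):
        print(f"{host:15} {direction:8} {bps} bps")
```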

measure dump by time
Dump different time intervals of measurement data, with the most recent time listed first. As with the by element and by var options, by time lists measurement data totals for a specific element, such as a particular link (Inbound or Outbound), partition, class, or host IP address. You can list data for one or more measurement variables for a designated duration (such as 1 day or 2 weeks). Specific to the by time option, the amount of time in each interval must be specified; for example, you can break down the data into 10-minute intervals.

measure dump link|partition|class|host [group day|month|accounting] [immediate|leaf|all] [<link-name>|<partition-name>|<class-name>|<host-ip-addr>...] [endtime [<date>]<time>] by time [element] all|<count>|<duration> <interval> [to <file>] [sort] <var>...

link|partition|class|host    Specify the type of data to be dumped.

Note: In order to dump host measurement data, you must enable host accounting.

[group day|month|accounting]    Dumps data from a specific measurement group — day, month, or accounting (if host accounting is enabled).

If you don’t specify a group, PacketWise will choose the group that appears most appropriate for the interval and/or duration you have specified. For example, if you specify an interval of 15 minutes, PacketWise assumes you want to dump the data from the day group. Or if you specify an interval of 2 hours, PacketWise assumes you want to dump the data from the month group. You can use the group option to override the default behavior.

[immediate|leaf|all]    immediate — dumps data for the specified class and direct child classes (not grandchildren classes)

leaf — dumps data for leaf classes only (that is, child classes that don't have any children); this is the default setting for class data

all — dumps data for the complete branch: the specified class, direct child classes, and all other classes that are descendants of the child classes.

Note: The immediate and leaf options are not applicable to link data.

If classes or partitions were deleted during this measurement interval, they will appear in the output list.

(See the examples that compare the immediate, leaf, and all options.)

<link-name>|<partition-name>|<class-name>|<host-ip-addr>    List one or more names of the elements you want to dump; that is, specific class names, partition names, links (inbound or outbound), or host IP addresses. A specific name is not required if you want to dump all link, partition, class, or host data.

Note: As mentioned above, host accounting must be enabled in order to get measurement data on specific hosts.

[endtime [<date>]<time>]    Specify a fixed end date and time for the data dump. The <date> should be in the format YYYYMMDD and the <time> should be in the format HHMM. The <date> is optional, but the <time> is required.

If endtime is omitted, the current date and time (“now”) are used.

by time [element]    Use time to get a time-series data dump. Specify element to list the output as separate elements (links, partitions, classes, or hosts) within the time-series order. For example, when you specify element for a class, data for each class is output on a separate row.

Example:

measure dump class all inbound by time element all 1d peak-bps

Result:

"03-May-1998 15:27:02","/Inbound/Global/AppleTalk",0
"03-May-1998 15:27:02","/Inbound/Global/NetBIOS",12858

When you omit element, the output is displayed as a table, with column headers and a column for each element's data.

Example:

measure dump class all inbound by time all 1d peak-bps

Result:

"class"
"time","/Inbound/Global/AppleTalk-peak-bps","/Inbound/Global/NetBIOS-peak-bps"
"03-May-1998 15:27:02",0,25,12858
"02-May-1998 15:54:35",0,32,98,11966
"01-May-1998 15:15:33",0,4,2,15882
"30-Apr-1998 15:30:30",0,0,0,23965

all|<count>|<duration>    Dump all available records for the specified interval; or dump the most recent <count> intervals; or dump all of the intervals within <duration> of the current time. Duration must be specified as one of: s for seconds, m for minutes, h for hours, d for days, w for weeks.

<interval>    Specify the interval time as one of: s for seconds, m for minutes, h for hours, d for days, w for weeks.

to <file>    Use the to literal to specify that the records should be dumped to the file named <file>. If to <file> is omitted, the records are dumped to stdout.

[sort]    Use the sort literal to sort each dumped interval by the first variable, in descending order. If sort is specified, a "by time element" dump format is used, even if a "by time" format was specified.

<var>...    Specify one or more variables to dump (for example, bytes, pkts, or avg-bps). To list the available variables, specify ? for this parameter. When listing host accounting data, you can specify bytes, kbytes, or host accounting categories for the <var>.

Examples

In the following example, the avg-bps and peak-bps variables are displayed for the Inbound partition. The duration is one week (1w) and the interval is one day (1d). In the output, each interval is a different record.

measure dump partition all inbound by time 1w 1d avg-bps peak-bps

"partition:/Inbound"
"time","avg-bps","peak-bps"
"09-Jun-2003 13:00:01",1707,2555221
"08-Jun-2003 13:00:01",2484,1796609
"07-Jun-2003 13:00:01",0,0
"06-Jun-2003 13:00:01",0,0
"05-Jun-2003 13:00:01",3436,8655317
"04-Jun-2003 13:00:01",983,2263233
"03-Jun-2003 13:00:01",4175,4219764

Here are some additional examples:

measure dump class inbound/global by time 5 1h avg-bps

measure dump class all by time 5 1h avg-bps

measure dump class all inbound/global by time element 5 1h avg-bps

measure dump partition all inbound by time 1d 1h avg-bps peak-bps

measure dump class all endtime 200105261700 by time 5 1h bytes

To get data for just the /inbound and /outbound classes:

measure dump class immediate / by time 10m 1m bytes

An example that lists host accounting data:

measure dump host all by time 1H 10m sort bytes web mail

"time","host","bytes","web","mail"
...
"08-May-2002 14:00:00","65.54.192.248",0,0,0
"08-May-2002 14:00:00","10.7.31.21",0,0,0
"08-May-2002 13:50:00","10.10.254.9",18661010,51819,1091
"08-May-2002 13:50:00","10.10.254.102",2658874,968143,8081
...

The above example lists, for each interval in the specified time period, hosts that had an open connection during the interval, the total number of bytes that each host sent and/or received for the time interval (10 minutes), and the number of bytes transferred in the "web" and "mail" host accounting categories. (The "web" and "mail" categories were previously defined with the host accounting categories command.)
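Host accounting dumps come in the two shapes shown in this section: a by element dump with a single "time:" header line (see the measure dump by element example) and a by time dump with a time column per row. The following Python parser is an added example, not PacketWise code; it normalises both shapes into one record layout and then flags hosts whose byte count for an interval exceeds a threshold. The sample rows are copied from the manual's examples above; the 1,000,000-byte threshold is a constructed value.

```python
"""Parse measure dump host output (by element and by time shapes) and flag heavy hosts.

Added example, not PacketWise code. Sample rows are copied from the manual's
examples; the byte threshold used at the bottom is an arbitrary constructed value.
"""
import csv
from collections import defaultdict
from typing import Dict, List, Tuple

# Shape 1: by element dump. One "time:<stamp>" line, then a column header.
BY_ELEMENT_SAMPLE = """\
"time:08-May-2002 15:30:00"
"host","bytes","web","mail"
"10.3.10.1",6181803,6260,0
"10.1.1.40",3922184,0,0
"165.212.11.125",1905799,0,0
"""

# Shape 2: by time dump with sort (so "by time element" format): time is a
# column, and "..." marks rows the manual elided.
BY_TIME_SAMPLE = """\
"time","host","bytes","web","mail"
...
"08-May-2002 14:00:00","65.54.192.248",0,0,0
"08-May-2002 14:00:00","10.7.31.21",0,0,0
"08-May-2002 13:50:00","10.10.254.9",18661010,51819,1091
"08-May-2002 13:50:00","10.10.254.102",2658874,968143,8081
...
"""

# Columns that are labels rather than counters.
LABEL_COLUMNS = {"time", "host"}


def parse_host_dump(text: str) -> List[Dict[str, object]]:
    """Return one record per row with 'time', 'host' and integer variable values.

    Handles the "time:<stamp>" header line of a by element dump and the time
    column of a by time dump, so both shapes give the same record layout.
    """
    lines = [ln for ln in text.splitlines() if ln.strip() and ln.strip() != "..."]
    rows = list(csv.reader(lines))
    fixed_time = None
    if rows and len(rows[0]) == 1 and rows[0][0].startswith("time:"):
        fixed_time = rows[0][0][len("time:"):]
        rows = rows[1:]
    header, body = rows[0], rows[1:]
    records: List[Dict[str, object]] = []
    for row in body:
        if len(row) != len(header):
            raise ValueError(f"column count mismatch in row {row!r}")
        rec: Dict[str, object] = {}
        for col, val in zip(header, row):
            rec[col] = val if col in LABEL_COLUMNS else int(val)
        if fixed_time is not None:
            rec["time"] = fixed_time
        records.append(rec)
    return records


def hosts_over(records, var: str, threshold: int) -> List[Tuple[str, str, int]]:
    """(time, host, value) for every record whose var exceeds threshold, largest first."""
    hits = [(r["time"], r["host"], r[var]) for r in records if r[var] > threshold]
    return sorted(hits, key=lambda t: t[2], reverse=True)


def totals_by_host(records, var: str = "bytes") -> Dict[str, int]:
    """Sum var across all intervals for each host (useful for a by time dump)."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        totals[r["host"]] += r[var]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_host_dump(BY_TIME_SAMPLE)
    for when, host, nbytes in hosts_over(recs, "bytes", 1_000_000):
        print(f"{when}  {host:15}  {nbytes:>10} bytes")
```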

See also:

measure dump by element

measure dump by var

measure dump by var
List measurement data totals for a specific element, such as a particular link (Inbound or Outbound), partition, class, or host IP address. You can list data for one or more measurement variables for a designated duration (such as 1 day or 2 weeks). The measurement data can be displayed onscreen or stored in a delimited text file. The by var option dumps the same data as the by element option, except the output is structured differently. (See the examples that compare by var and by element output.)

measure dump link|partition|class|host [group day|month|accounting] [immediate|leaf|all] [<link-name>|<partition-name>|<class-name>|<host-ip-addr>...] [endtime [<date>]<time>] by var <duration> [to <file>] [sort] <var>...

link|partition|class|host    Specify the type of data to be dumped.

Note: In order to dump host measurement data, you must enable host accounting.

[group day|month|accounting]    Dumps data from a specific measurement group — day, month, or accounting (if host accounting is enabled).

If you don’t specify a group, PacketWise will choose the group that appears most appropriate for the interval and/or duration you have specified. For example, if you specify an interval of 15 minutes, PacketWise assumes you want to dump the data from the day group. Or if you specify an interval of 2 hours, PacketWise assumes you want to dump the data from the month group. You can use the group option to override the default behavior.

[immediate|leaf|all]    immediate — dumps data for the specified class and direct child classes (not grandchildren classes)

leaf — dumps data for leaf classes only (that is, child classes that don't have any children); this is the default setting for class data

all — dumps data for the complete branch: the specified class, direct child classes, and all other classes that are descendants of the child classes.

Note: The immediate and leaf options are not applicable to link data.

If classes or partitions were deleted during this measurement interval, they will appear in the output list.

(See the examples that compare the immediate, leaf, and all options.)

<link-name>|<partition-name>|<class-name>|<host-ip-addr>    List one or more names of the elements you want to dump; that is, specific class names, partition names, links (inbound or outbound), or host IP addresses. A specific name is not required if you want to dump all link, partition, class, or host data.

Note: As mentioned above, host accounting must be enabled in order to get measurement data on specific hosts.

[endtime [<date>]<time>]    Specify a fixed end date and time for the data dump. The <date> should be in the format YYYYMMDD and the <time> should be in the format HHMM. The <date> is optional, but the <time> is required. If endtime is omitted, the current date and time (“now”) are used.

<duration>    Time duration over which to total the values. Use one of the following: s for seconds, m for minutes, h for hours, d for days, w for weeks.

to <file>    Use the to literal to specify that the records should be dumped to the file named <file>. If to <file> is omitted, the records are dumped to stdout.

[sort]    Use the sort literal to sort each dumped interval by the first variable, in descending order. If sort is specified, a "by time element" dump format is used, even if a "by time" format was specified.

<var>...    Specify one or more variables to dump (for example, bytes, pkts, or avg-bps). To list the available variables, specify ? for this parameter. When listing host accounting data, you can specify bytes, kbytes, or host accounting categories for the <var>.

Examples:

measure dump partition all /inbound/http by var 8h avg-bps peak-bps

measure dump class /inbound/http by var 1d to daily.out avg-bps

measure dump class all /inbound/http by var 1w sort peak-bps pkts

"time:17-Jun-1998 18:21:48"
"class-var","/Inbound/HTTP/Default","/Inbound/HTTP/gifs"
"peak-bps",229729,86944
"pkts",39,26

An example that lists host accounting data for a specific host:

measure dump host 152.163.209.65 by var 30m sort bytes web mail

"time:08-May-2002 15:20:00"
"host-var","152.163.209.65"
"bytes",2730
"web",2316
"mail",0

See also:

measure dump by element

measure dump by time

measure reset
Reset the measurement configuration to its factory-default state. This command clears the measurement data stored on the unit’s data disk(s). Resetting may be necessary after upgrading the software. (See the last paragraph below for further explanation.)

measure reset [link|partition|class|host|<cdf-type>]

With the optional [link|partition|class|host|<cdf-type>] parameters, you can selectively clear different types of measurement data. The <cdf-type> parameter is applicable to adaptive response agents. The <cdf-type> can be one of the following:

agent1: clears measurement data for all agents
agent2: clears data for the High Bandwidth New App agent
agent3: clears data for the High Bandwidth Host agent
agent4: clears data for Traffic Performance agents
agent5: clears data for Partition Utilization agents

If a parameter is not specified, all types of measurement data are cleared.

After you issue the command, you are prompted to confirm your reset request. Accumulated measurement data is cleared and the unit resets. Measurement and reporting data will not be available for several minutes.

After measure reset executes, the measurement engine begins running as a background process. During the first ten minutes following the reset, do not attempt to load a new software image, as the file transfer will conflict with measurement engine processing.

You will need to reset measurement data in order to use new measurement variables introduced in new PacketWise software versions. To help you determine whether you need to reset measurement data, the output from the measure show command indicates if the measurement reset has been done. For example, if the message “A Measurement Reset of this type has not been done” appears in the measure show class output, PacketWise has detected that you upgraded to a PacketWise image that has new measurement variables of the type you listed. To enable the new variables of that type, you need to issue the measure reset class command.

measure restore
Restore measurement data files to the measure directory on the unit’s data disk (9.258/measure). Use this command to restore data in case data became corrupted after the last backup or if you want to copy measurement data to another unit.

If you are restoring measurement data files to a different unit from which they were backed up, note the following:

The unit to which you are restoring the data must be the same model, use the same software version, and have the same specifications as the unit from which you backed up the data. For example, you can back up data from a 1024-class PacketShaper 7500 running PacketWise 8.6 software and restore it to this same model, but you cannot restore it to a 2048-class PacketShaper 10000, a 1024-class PacketShaper 3500, or a 1024-class PacketShaper 7500 running PacketWise v8.5.

Before restoring, rename the measurement data files with the serial number of the target unit. Example:

The serial number of the unit from which the files were backed up is 065-10001072.
The serial number of the target unit is 065-10001183.
The filename of the link day data is 00010721.dat. "1072" is the serial number portion that must be renamed.
Rename 00010721.dat to 00011831.dat.
Rename all the other data files in a similar fashion.
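The bulk-backup naming scheme (from the all groups description under measure backup) and the rename step just described, as an added Python helper that is not part of PacketWise or the PacketGuide. It assumes, from the manual's examples (serial 065-10001072 gives 00010721.dat for link day, and 00011831.dat after renaming for target 065-10001183), that a bulk filename is the last seven digits of the serial number followed by the group digit; the group-to-digit mapping is the one in the example listing under measure backup.

```python
"""Bulk backup filename helpers for measure backup / measure restore.

Added example, not PacketWise code. Naming rule inferred from the manual's
examples: serial 065-10001072 gives 00010721.dat for link day, so a bulk
filename is the last seven digits of the serial number plus a group digit.
"""
import re
from typing import Dict, Iterable, Tuple

# Group digit per measurement group, taken from the manual's example listing
# for serial number 065-10001072 (host accounting is digit 0).
GROUP_DIGITS = {
    "host accounting": 0,
    "link day": 1,
    "link month": 2,
    "partition day": 3,
    "partition month": 4,
    "class day": 5,
    "class month": 6,
}
DIGIT_GROUPS = {d: g for g, d in GROUP_DIGITS.items()}

# PacketShaper serial numbers in the manual look like 065-10001072 (assumed format).
_SERIAL_RE = re.compile(r"^\d{3}-\d{8}$")
_BULK_NAME_RE = re.compile(r"^(\d{7})(\d)\.dat$")


def serial_fragment(serial: str) -> str:
    """Return the seven-digit fragment of a serial that appears in bulk filenames."""
    if not _SERIAL_RE.match(serial):
        raise ValueError(f"unexpected serial number format: {serial!r}")
    return serial.split("-", 1)[1][-7:]


def backup_filename(serial: str, group: str) -> str:
    """Name that measure backup all groups gives the file for one group."""
    return f"{serial_fragment(serial)}{GROUP_DIGITS[group]}.dat"


def parse_backup_filename(name: str) -> Tuple[str, str]:
    """Split a bulk filename into (serial fragment, group name)."""
    m = _BULK_NAME_RE.match(name)
    if not m or int(m.group(2)) not in DIGIT_GROUPS:
        raise ValueError(f"not a bulk backup filename: {name!r}")
    return m.group(1), DIGIT_GROUPS[int(m.group(2))]


def restore_rename_map(source_serial: str, target_serial: str,
                       filenames: Iterable[str]) -> Dict[str, str]:
    """Map each backup filename to the name it needs before measure restore on the target.

    Refuses files whose serial fragment does not match the source unit, so a
    stray file from a third unit is not silently renamed into the restore set.
    """
    src = serial_fragment(source_serial)
    renames: Dict[str, str] = {}
    for name in filenames:
        fragment, group = parse_backup_filename(name)
        if fragment != src:
            raise ValueError(f"{name} was not produced by unit {source_serial}")
        renames[name] = backup_filename(target_serial, group)
    return renames


if __name__ == "__main__":
    plan = restore_rename_map("065-10001072", "065-10001183",
                              ["00010721.dat", "00010724.dat", "00010720.dat"])
    for old, new in plan.items():
        print(f"rename {old} -> {new}")
```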

It is recommended that you back up all the measurement data on the target unit before using the measure restore command.

If the measurement data was backed up with the compress option, the measure restore command will automatically decompress as it restores the data.

Warning: While data is being restored, the measurement engine stops recording data and measurement data will not be available for dumps or reports. In addition, certain features (such as Top Ten and user events) will not function properly without current data.

measure restore {link|partition|class month|day}|{host accounting}|{all groups} [<user>[:<password>]@<host>] [<srcfile>]

link|partition|class    Restores a specific set of measurement variables: link, partition, or class

day|month    day restores one-minute samples (data recorded in one-minute intervals); month restores hourly samples (data recorded every hour on standard models, every four hours on ISP models)

host accounting    Restores host accounting data

Note: Host accounting is not available on the PacketShaper 900 Lite models.

all groups    Restores all groups of measurement data (link day, link month, partition day, partition month, class day, class month, and host accounting—if enabled)

[<user>[:<password>]@<host>]    <user> is the user name to be used when FTP logs into the <host> (the IP address or DNS name of the FTP server). If <password> is omitted, the password is transmitted empty or blank. The default user name and password if both items are omitted are user=anonymous and [email protected].

<srcfile>    Name of the file to be restored; specify a path if the file is not in the user’s default directory. If you are restoring all groups, enter a source directory for <srcfile>, or omit <srcfile> to restore from the default directory.

For example, to restore the link data that was backed up into a file named link_mo.dat:

measure restore link month john:[email protected] link_mo.dat

Or, to restore all groups of measurement data that were backed up into the directory /home/user/backups:

measure restore all groups john:[email protected] /home/user/backups

Notes:

The time at which the measurement engine is stopped is used as the end time for data dumps.
The measurement engine will not record any data in the intervals during which it was stopped or started.
After the restoration is complete, you have an opportunity to restart the measurement engine.

Restore Failures

If the restoration process fails or gets interrupted before completion, the measurement data will not be available. You can try restoring the data again, but if you are unable to restore the data successfully, you will need to perform a measure reset on that type of data (for example, measure reset link if you were unable to restore link data).

If the measure restore command fails when restoring host accounting data (for example, you mistyped the filename or the file didn't exist), you do not need to do a measure reset. Instead, turn off host accounting and re-enable it. See host accounting enable for details.

See also:

measure backup

PacketGuide™ for PacketWise® 9.2


measure show

Use the measure show command to check the measurement engine status, to see whether the measurement engine needs to be reset, or to display the details for a specific measurement type.

measure show

The resulting display indicates if the engine is running, starting, or stopped. The output displays one line of status for each element in the measurement volume. Each line contains the element type, the sample interval (m=minutes and h=hours), the number of recorded samples, and the number of samples that can be recorded.

Measurement engine is running
A complete Measurement Reset has not been done.

class day          Interval:  1m Samples: 1474560/ 1474560
class month        Interval:  1h Samples:  122439/  761856
link day           Interval:  1m Samples:   20160/   20160
link month         Interval:  1h Samples:    2436/    8928
partition day      Interval:  1m Samples:  214396/  737280
partition month    Interval:  1h Samples:    3424/  380928
host accounting    Interval: 20m Samples: 1000000/ 1000000
agent1 score       Interval:  1m Samples:  223199/  223200
agent4 perf        Interval:  1m Samples:     644/  223200
agent5 util        Interval:  1m Samples:      69/  223200
agent2 newap       Interval:  1m Samples:    1146/  223200
agent3 host        Interval:  1m Samples:  223191/  223200

If the message "A complete Measurement Reset has not been done" appears in the measure show output (as shown above), PacketWise has detected that you upgraded to a PacketWise image that has new measurement variables. To enable the new variables, you need to issue the measure reset command.
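A parser for the measure show layout just described, added here as an example (it is not Blue Coat code and not part of the guide). The sample output is constructed in the layout the guide shows, not captured from a unit; the function names are assumptions. Besides splitting each element line into its fields, it flags elements whose sample store is full and turns the reset notice into the command the guide says to run.

```python
import re

# Constructed sample in the layout of the guide's "measure show" output (not real unit output).
SAMPLE_MEASURE_SHOW = """\
Measurement engine is running
A complete Measurement Reset has not been done.

class day          Interval:  1m Samples: 1474560/ 1474560
class month        Interval:  1h Samples:  122439/  761856
link day           Interval:  1m Samples:   20160/   20160
link month         Interval:  1h Samples:    2436/    8928
host accounting    Interval: 20m Samples: 1000000/ 1000000
agent1 score       Interval:  1m Samples:  223199/  223200
"""

# One element line: "<type> <day|month|...>   Interval: <n><m|h> Samples: <recorded>/ <capacity>"
_ELEMENT_RE = re.compile(
    r"^(?P<element>\S+ \S+)\s+Interval:\s*(?P<n>\d+)(?P<unit>[mh])"
    r"\s+Samples:\s*(?P<cur>\d+)/\s*(?P<max>\d+)\s*$"
)


def parse_measure_show(text):
    """Parse measure show output into engine state, any reset notice, and element rows."""
    status = {"engine": None, "reset_notice": None, "elements": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Measurement engine is "):
            status["engine"] = line[len("Measurement engine is "):]
        elif "Measurement Reset" in line and "has not been done" in line:
            status["reset_notice"] = line  # covers both the complete and the per-type notice
        else:
            m = _ELEMENT_RE.match(line)
            if m:
                secs = int(m["n"]) * (60 if m["unit"] == "m" else 3600)
                status["elements"].append({
                    "element": m["element"],
                    "interval_secs": secs,
                    "samples": int(m["cur"]),
                    "capacity": int(m["max"]),
                })
    return status


def at_capacity(status):
    """Elements whose recorded-sample count has reached the number that can be recorded."""
    return [e["element"] for e in status["elements"] if e["samples"] >= e["capacity"]]


def history_hours(element):
    """How much history the recorded samples of one element span, in hours."""
    return element["samples"] * element["interval_secs"] / 3600


def reset_command(status, shown_type=None):
    """The command the guide prescribes for a reset notice, or None when there is none.
    shown_type is the type given to measure show (e.g. 'class') for the per-type notice."""
    notice = status["reset_notice"]
    if notice is None:
        return None
    if notice.startswith("A complete"):
        return "measure reset"
    return f"measure reset {shown_type}" if shown_type else "measure reset <type>"


if __name__ == "__main__":
    parsed = parse_measure_show(SAMPLE_MEASURE_SHOW)
    print(parsed["engine"], at_capacity(parsed), reset_command(parsed))
```

Feed it the text captured from a CLI session; an element that is at capacity with a long history span is normal, while an element with very few samples after an upgrade is the case the reset notice is about.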

Displaying Measurement Element Status

To display the status of a particular element type, use:

measure show link|partition|class|host|<cdf-type>

where <cdf-type> can be one of the following:

agent1: all agents
agent2: High Bandwidth New App agent
agent3: High Bandwidth Host agent
agent4: Traffic Performance agents
agent5: Partition Utilization agents

Example:

measure show class

Measurement engine is running
class base interval: 60 (secs)

A Measurement Reset of this type has not been done.

class day      Interval: 1m Samples: 438/ 368640
class month    Interval: 1h Samples:   0/ 190464

If the message “A Measurement Reset of this type has not been done” appears in the measure show output (as shown above), PacketWise has detected that you upgraded to a PacketWise image that has new measurement variables of the type you listed. To enable the new variables of that type, you need to issue the measure reset [link|partition|class|host] command (for example, measure reset class in the above example).

Listing Measurement Variables

Display the status and available variables for a particular measurement group.

measure show [link|partition|class|host|<cdf-type>] [day|month|<type>]
measure show host accounting

Examples:


measure show class day

Group: class day
Interval time: 60 (seconds)
Interval count: 1440 (minimum)
Path: 9.258/measure/CL_DAY.dat
Samples: max 1474560 current 1474560
Overruns: 1105612862
Last sample: at 13-Jan-2005 03:04:00
Next sample: 13-Jan-2005 03:05:00 to near 13-Jan-2005 03:06:00
Variable(s): element sample-interval-msecs sample-interval-overruns bytes pkts tcp-data-pkts tcp-retx-pkts tcp-early-retx-toss-pkts guar-rate-fails guar-rate-allocs peak-tcp-conns tcp-conn-inits tcp-conn-exits tcp-conn-server-refuses tcp-conn-server-ignores tcp-conn-aborts tcp-conn-self-denies peak-guar-rate-flows tcp-retx-bytes non-compressible-bytes postcompression-bytes precompression-bytes tunneled-postcompression-bytes tunneled-precompression-bytes class-hits policy-hits conn-speed-hist peak-bps license-overflows licenses-total licenses-peak total-delay-threshold service-level-threshold% total-delay-msec total-delay-histogram server-delay-msec server-delay-histogram network-delay-msec network-delay-histogram slow-transactions service-level-errors total-trans trans-bytes round-trip-time-msecs client-flood-block peak-ipdg-conns web-response-2XX web-response-3XX web-response-4XX web-response-5XX pkt-exchange-time-msecs pkt-exchange-time-samples sample-interval-secs kbytes avg-bps avg-pps tcp-retx-pkts% tcp-efficiency% tcp-early-retx-toss-pkts% tcp-conn-server-refuses% tcp-conn-server-ignores% tcp-conn-aborts% tcp-conn-self-denies% precompression-avg-bps postcompression-avg-bps compressible-bytes pkt-exchange-time-avg <app-availability%> server-flood-block total-delay-median total-delay-avg service-level% server-delay-median server-delay-avg network-delay-median network-delay-avg trans-bytes-avg avg-round-trip-time bytes-saved-by-compression bytes-saved-by-compression% <normalized-network-delay-avg> tunneled-postcompression-avg-bps tunneled-precompression-avg-bps tunneled-bytes-saved-by-compression% tunneled-compression-bandwidth-multiple% compression-bandwidth-multiple%

Note: Any variable, such as <normalized-network-delay-avg>, enclosed in angle brackets is experimental and may be removed from PacketWise in the future. You can use this variable, but do not type the angle brackets. Any variable enclosed in square brackets will be removed in the next version of PacketWise.

Overruns (listed in the output above) occur when the measurement daemon misses a full (1-minute) interval.

The following example displays the available variables for the measurement group agent3:

me show agent3 host

Group: agent3 host
Interval time: 60 (seconds)
Interval count: 0 (minimum)
Path: 9.258/cmeasure/AG_HOST.dat
Samples: max 223200 current 223186
Overruns: 1086109980
Last sample: at 19-Jul-2005 10:17:01
Next sample: 19-Jul-2005 10:17:01 to near 19-Jul-2005 10:17:01
Variable(s): element sample-interval-msecs host-ip direction avg-bps


measure start

Restart the measurement engine after it has been stopped with the measure stop command.

measure start

Typically, you will be given the option to restart the ME after backing up or restoring data so you will not have to issue the measure start command yourself. However, if the unit resets in the middle of the backup or restore process, the ME will be in a suspended (stopped) state. After rebooting, you will need to restart the measurement engine with the measure start command. If a reset occurs during the restore process, you will also need to reset the measurement data for the group you were trying to restore. For example, if you were restoring class data when the unit reset, you will need to issue the measure reset class command.

After you issue the measure start command, PacketWise will begin recording measurement data (although not for the interval in which it was started).


measure stop

Stop or pause the measurement engine. The measurement engine is automatically stopped before backing up or restoring measurement data (see measure backup and measure restore) and automatically restarted after the operation is complete.

measure stop

After you issue this command, PacketWise will stop recording measurement data until you restart the measurement engine with the measure start command. Data will not be recorded for the interval in which it was stopped.

Warning: Use the measure stop command with caution. When the measurement engine is stopped, no data will be recorded. Some features, such as Top Ten and user events, will not function properly without current data.


mib

In addition to the SNMP Management Information Base (MIB) files, PacketWise supports a variety of other internal MIBs. These internal MIBs contain data such as MAC cache and DNS information. These diagnostic commands are intended to be used only under the guidance of Customer Support and are not covered in this guide.

For information about the PacketShaper SNMP MIB, see SNMP Overview.


mkdir

Make a directory on the unit's system or data disk.

mkdir <dir>


more

Display the named file, showing a single page and pausing before displaying the next page. More than one filename can be specified.

more [-<number>] <filename>

Providing an optional number will display the specified number of lines on one page.


mv

Move or rename a file on the unit's system or data disk.

mv <file1> <file2>


net nic

View network statistics such as packets transmitted and discarded. These statistics are accumulated since the last PacketShaper reset.

net [nic {<device>}]|ip|pna

nic  Show Ethernet statistics. The parameters inside and outside represent ports 0 and 1, respectively. To display both inside and outside statistics, omit this parameter.

ip   Show IP statistics

pna  Show network statistics

where <device> is the interface name or number:

Device Name                     Device Number
inside                          0
outside                         1
lower_inside / left_inside      2
lower_outside / left_outside    3
upper_inside / right_inside     4
upper_outside / right_outside   5
management                      7

Note: The device numbers vary according to the number of LEMs installed. If two LEMs are installed, the above numbers are correct. If only one LEM is installed (regardless of whether it's installed in the upper/right or lower/left position), the LEM interfaces will be assigned device numbers 2 and 3. If no LEMs are installed, the management port's device number is 3.


net switchnic

iShaper commands are not supported in PacketWise 8.4.1 and higher.


packetcapture add

Specify the type of traffic for which you want to capture packets. The packet capture feature can capture packets for future analysis, allowing you to analyze detailed information about the packets, such as the source and destination IP addresses and protocols used. You can capture packets for traffic classes, IP addresses and ranges, subnets, host lists, port numbers and ranges, Xpress tunnels, and NICs.

packetcapture add class:<tclass> | list:<hostlist> | host:<ipaddr> | net:<ipaddr>/<cidr> | range:<low>-<high> | port:<low>-<high> | tunnel:<tunnel name> | nic:<interface pair> [<ipaddr>|<ipaddr>/<cidr>]

class:<tclass>
Name of the traffic class. Specify the complete path if the class exists in both Inbound and Outbound. The class can be based on any protocol, including IPv6.

You can capture packets from multiple classes, but you must add them one class at a time.

Packet capture can only capture packets for leaf classes (classes without any children). For example, if your Inbound/HTTP class has child classes (such as /Inbound/HTTP/Critical), you cannot capture packets on /Inbound/HTTP.

Example: class:inbound/default

list:<hostlist>
Name of the host list created with the hl new command

Example: list:finance

host:<ipaddr>
IP address or domain name of an IPv4 host; IPv6 hosts are not supported.

Examples: host:172.21.18.160, host:west.us.com

net:<ipaddr>/<cidr>
The address of the IPv4 subnet; the CIDR number specifies the number of constant bits in the address range. IPv6 subnets are not supported.

Example: net:10.0.0.0/8

range:<low>-<high>
Range of IPv4 addresses, separated by a dash

Example: range:192.21.18.160-192.21.18.170

port:<low>-<high>
Range of port numbers, separated by a dash

Examples: port:80, port:1000-3000

tunnel:<tunnel name>
Name of the static or dynamic Xpress tunnel

Example: tunnel:london

nic:<interface pair> [<ipaddr>|<ipaddr>/<cidr>]
Network Interface Card (NIC), where <interface pair> is one of the following: main, mgmt, lem_upper, lem_lower, lem_left, lem_right, or backup

Example: nic:main

Optionally, a host or a subnet can be specified for the NIC pair.

Example: nic:main 10.0.0.0/8

Notes:

When the NIC filter is used, all other filters will be removed.
Two output files will be created: one for packets captured as they are received by the NIC's Inside port (xxxxxxin.dmp) and one for packets captured as they leave the NIC on its Output port (xxxxxxot.dmp). The xxxxxx part of the filename specifies the date and time of the capture file.
The packetcapture limit packets command does not apply to NIC filters since this filter captures raw packets from the NIC card without any processing by the PacketShaper.

Packet capturing doesn't begin until after the feature is enabled (see packetcapture on). When you no longer want to capture packets for a filter you have added, use the packetcapture remove command.
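The filter rules listed above, checked before a filter is sent to the CLI, as an added Python example (not Blue Coat code and not part of the guide). It enforces the constraints the guide states: IPv4 only for host, net and range filters, the fixed set of NIC interface pairs, the optional host or subnet scope for a NIC filter, the leaf-class rule, and the note that adding a NIC filter discards every other filter. The class tree and the helper names are constructed for the example; a real deployment would read the class tree from the unit.

```python
import ipaddress
import re

# Interface pairs accepted by the nic: filter, as listed in the guide.
NIC_PAIRS = ("main", "mgmt", "lem_upper", "lem_lower", "lem_left", "lem_right", "backup")

# Constructed class tree used for the leaf-class check (hypothetical class names).
SAMPLE_CLASS_TREE = ["/Inbound/Default", "/Inbound/HTTP", "/Inbound/HTTP/Critical",
                     "/Outbound/Default"]


class FilterError(ValueError):
    """A filter the CLI would not accept."""


def _ipv4(text):
    """Accept only an IPv4 literal; host, net and range filters do not support IPv6."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError as exc:
        raise FilterError(f"not an IP address: {text}") from exc
    if addr.version != 4:
        raise FilterError(f"IPv6 is not supported in this filter: {text}")
    return addr


def _host_or_subnet(text):
    """Normalise '10.0.0.0/8' or '10.1.1.70' for the net: filter and the nic: scope."""
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        if net.version != 4:
            raise FilterError(f"IPv6 subnet is not supported: {text}")
        return f"{net.network_address}/{net.prefixlen}"
    return str(_ipv4(text))


def _norm(path):
    return path.strip("/").lower()


def is_leaf_class(tclass, class_tree):
    """Packet capture only accepts classes without children."""
    want = _norm(tclass)
    known = {_norm(c) for c in class_tree}
    return want in known and not any(c.startswith(want + "/") for c in known)


def capture_filter(kind, value, scope=None, class_tree=None):
    """Validate one packetcapture add filter and return it in CLI form."""
    if kind == "class":
        if class_tree is not None and not is_leaf_class(value, class_tree):
            raise FilterError(f"{value} is unknown or is not a leaf class")
        return f"class:{value}"
    if kind in ("list", "tunnel"):
        if not re.fullmatch(r"[\w.-]+", value):
            raise FilterError(f"bad {kind} name: {value!r}")
        return f"{kind}:{value}"
    if kind == "host":
        if re.fullmatch(r"[0-9.]+", value) or ":" in value:
            _ipv4(value)          # an IP literal must be IPv4 ...
        return f"host:{value}"    # ... anything else is taken as a domain name
    if kind == "net":
        if "/" not in value:
            raise FilterError("net: needs <ipaddr>/<cidr>")
        return f"net:{_host_or_subnet(value)}"
    if kind == "range":
        lo, sep, hi = value.partition("-")
        if not sep or _ipv4(lo) > _ipv4(hi):
            raise FilterError(f"bad address range: {value}")
        return f"range:{lo}-{hi}"
    if kind == "port":
        lo, sep, hi = value.partition("-")
        lo, hi = int(lo), (int(hi) if sep else int(lo))
        if not 0 <= lo <= hi <= 65535:
            raise FilterError(f"bad port range: {value}")
        return f"port:{lo}" if lo == hi else f"port:{lo}-{hi}"
    if kind == "nic":
        if value not in NIC_PAIRS:
            raise FilterError(f"unknown interface pair: {value}")
        return f"nic:{value}" if scope is None else f"nic:{value} {_host_or_subnet(scope)}"
    raise FilterError(f"unknown filter type: {kind}")


def rejects(kind, value, **kw):
    """True when capture_filter refuses the filter (shows the negative cases)."""
    try:
        capture_filter(kind, value, **kw)
    except ValueError:
        return True
    return False


class CaptureList:
    """Filters queued for packetcapture add; a nic: filter replaces all others."""
    def __init__(self):
        self.filters = []

    def add(self, spec):
        self.filters = [spec] if spec.startswith("nic:") else self.filters + [spec]

    def can_enable(self):
        """packetcapture on needs at least one item in the capture list."""
        return bool(self.filters)


def demo_capture_list():
    cl = CaptureList()
    cl.add(capture_filter("port", "80"))
    cl.add(capture_filter("class", "inbound/default", class_tree=SAMPLE_CLASS_TREE))
    before = list(cl.filters)
    cl.add(capture_filter("nic", "main"))
    return before, cl.filters
```

Validating locally keeps a mistyped filter from producing an empty capture that is only noticed after the trace is needed; the nic: rule is the one most worth the check, since it silently drops the other filters.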


See also:

Sniff Without a Sniffer

Command Change History

Release       Modification
8.4.1         Change to NIC filter: traffic on the management port can be captured
8.2.2, 8.3.1  Added option to filter by host or subnet at the NIC level
8.2.0         NIC filter added
8.1.1         Additional filters for IP addresses and ranges, subnets, host lists, ports, and Xpress tunnels


packetcapture limit packets

Set the number of packets (1–255) that will be captured per flow. If you don’t specify a limit, an unlimited number of packets will be captured. By limiting the number of packets per flow, you will be able to capture more flows. Note that the number of packets per flow is for both directions combined, so if both directions are being logged, the number of packets is the sum of the two directions.

packetcapture limit packets <n>

where <n> is the number of packets per flow. Typical limit values are 10 or 20.

If you want to remove the limit, use:

packetcapture limit packets none

Note: The limit packets option does not apply to NIC filters.


packetcapture off

Disable packet capture and close the log file.

packetcapture off

After packet capture is turned off, you can FTP the file to an FTP server and use a protocol analyzer — such as EtherPeek — to look at the contents of the file. Use the packetcapture status command to determine the filename to FTP. If you like, you can use the File Browser to download the .DMP file (see Download a File).

See also:

Sniff Without a Sniffer


packetcapture on

Enable packet capture. After capture is turned on, PacketWise will create a .dmp file in TCPDump format and start capturing packets into this file.

The packetcapture on command checks to verify that there is enough space on the PacketShaper data disk before launching the packet logger utility. If there is insufficient space on the data disk to write a full packetcapture dump file, the PacketShaper CLI displays a warning that there is not enough memory to activate the feature. Remove any unnecessary files from the data disk before reissuing the command.

Note: Before you can enable packet capture, you must add at least one item to the capture list (see packetcapture add). You may also want to limit the number of packets that are captured per flow (see packetcapture limit packets).

packetcapture on

The file is stored in the pktlog directory on the unit’s data disk (9.1026/pktlog) and is named according to the day and time packet capture was enabled. For example, if capture was enabled on the 12th of the month at 9:02:35am, the filename would be 12090235.dmp. When NIC filters are used, two output files are created: one for packets captured as they are received by the NIC's Inside port (xxxxxxin.dmp) and one for packets captured as they leave the NIC on its Output port (xxxxxxot.dmp). The xxxxxx part of the filename specifies the date and time of the capture file.

Packets are captured until one of the following occurs:

capturing is disabled with the packetcapture off command
the log file reaches 99% of the maximum log file size (use the packetcapture status command to see the current and maximum log file sizes; these sizes vary by model based on the amount of memory installed in the unit)

See also:

Sniff Without a Sniffer


packetcapture remove

Remove a filter that was added to the packet capture list (using the packetcapture add command).

packetcapture remove class:<tclass> | list:<hostlist> | host:<ipaddr> | net:<ipaddr>/<cidr> | range:<low>-<high> | port:<low>-<high> | tunnel:<tunnel name> | nic:<interface pair>

class:<tclass>
Name of the traffic class. Specify the complete path if the class exists in both Inbound and Outbound.

Example: class:inbound/default

list:<hostlist>
Name of the host list

Example: list:finance

host:<ipaddr>
IP address or domain name of a host

Examples: host:172.21.18.160, host:west.us.com

net:<ipaddr>/<cidr>
The address of the subnet; the CIDR number specifies the number of constant bits in the address range

Example: net:10.0.0.0/8

range:<low>-<high>
Range of IP addresses, separated by a dash

Example: range:192.21.18.160-192.21.18.170

port:<low>-<high>
Range of port numbers, separated by a dash

Examples: port:80, port:1000-3000

tunnel:<tunnel name>
Name of the static or dynamic Xpress tunnel

Example: tunnel:london

nic:<interface pair>
Network Interface Card (NIC), where <interface pair> is one of the following: main, lem_upper, lem_lower, lem_left, lem_right, or backup

Example: nic:main

Example: nic:main

To see a list of the current packet capture filters, use the packetcapture status command.

Command Change History

Release   Modification
8.2.0     NIC filter added
8.1.1     Additional filters for IP addresses and ranges, subnets, host lists, ports, and Xpress tunnels


packetcapture status

List the current packet capture settings. The status report indicates whether packet capture is enabled, the name and location of the log file, the file format, the maximum and current size of the log file, the number of packets in the current log file, and which items are being logged.

packetcapture status

Example output:

Packet capture status: OK
Packet capture: On - Logging
Log file directory: 9.258/pktlog
Log file name: 15153739.dmp
Log file format: tcpdump
Maximum log size: 12582912 bytes
Current log size: 640 bytes (0%)
Packets in current log: 8
Captured option(s):
  IP Host: 10.1.1.70 Subnet mask 255.255.255.255
  class:/Inbound/Default
  Port Range: 80 - 80
  IP Range: 192.21.18.160-192.31.18.170
Captured tunnel(s): none

Notes:

The maximum log size is a predetermined fixed amount, based on the amount of memory in your unit, as well as other features that use memory (such as the number of concurrent flows).
When a NIC filter is configured, the packetcapture status output will show the status of two output files: one for the Inside port and one for the Outside.
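The status report and the capture file naming described under packetcapture on and packetcapture status, parsed in Python as an added example (not Blue Coat code and not part of the guide). The sample report is constructed in the layout the guide shows; the 99% stop rule and the ddHHMMSS file name layout are the guide's, while the function names are assumptions. It answers the two questions an operator has while a capture runs: how much room is left before the logger stops itself, and when a given .dmp file was started.

```python
import re
from datetime import datetime

# Constructed packetcapture status output in the layout the guide shows (not a real capture).
SAMPLE_STATUS = """\
Packet capture status: OK
Packet capture: On - Logging
Log file directory: 9.258/pktlog
Log file name: 15153739.dmp
Log file format: tcpdump
Maximum log size: 12582912 bytes
Current log size: 640 bytes (0%)
Packets in current log: 8
Captured option(s):
  IP Host: 10.1.1.70 Subnet mask 255.255.255.255
  class:/Inbound/Default
  Port Range: 80 - 80
  IP Range: 192.21.18.160-192.31.18.170
Captured tunnel(s): none
"""

STOP_PERCENT = 99  # capture stops when the log reaches 99% of the maximum log size


def parse_capture_status(text):
    """Turn the status report into a dict; 'filters' holds the captured option lines."""
    info = {"filters": []}
    in_filters = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Captured option(s)"):
            in_filters = True
            continue
        if in_filters and not line.startswith("Captured tunnel"):
            info["filters"].append(line)   # indented filter lines under Captured option(s)
            continue
        in_filters = False
        key, _, val = line.partition(":")
        info[key.strip()] = val.strip()
    info["capturing"] = info.get("Packet capture", "").startswith("On")
    info["max_bytes"] = int(info["Maximum log size"].split()[0])
    info["cur_bytes"] = int(info["Current log size"].split()[0])
    info["packets"] = int(info["Packets in current log"])
    return info


def bytes_until_stop(info):
    """Room left before the 99% cutoff (0 once the logger has stopped on its own)."""
    cutoff = info["max_bytes"] * STOP_PERCENT // 100   # integer arithmetic, no float rounding
    return max(0, cutoff - info["cur_bytes"])


def decode_capture_filename(name, year, month):
    """ddHHMMSS.dmp -> datetime. Year and month are not encoded, so the caller supplies them."""
    m = re.fullmatch(r"(\d{2})(\d{2})(\d{2})(\d{2})\.dmp", name, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a standard capture file name: {name}")
    day, hh, mm, ss = (int(g) for g in m.groups())
    return datetime(year, month, day, hh, mm, ss)


def capture_side(name):
    """'inside', 'outside' or None for the two files a NIC filter writes (xxxxxxin / xxxxxxot)."""
    m = re.fullmatch(r".{6}(in|ot)\.dmp", name, re.IGNORECASE)
    return None if not m else {"in": "inside", "ot": "outside"}[m[1].lower()]


if __name__ == "__main__":
    report = parse_capture_status(SAMPLE_STATUS)
    print(report["Log file name"], report["packets"], bytes_until_stop(report))
```

Polling packetcapture status and watching bytes_until_stop shrink is the practical way to decide when to issue packetcapture off and collect the file before the cutoff truncates the capture.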


partition apply

Create a static partition for a traffic class.

partition apply <tclass> <minBps>|<minPct>|uncommitted [<maxBps>|<maxPct>|none|fixed]

<tclass>
This traffic class and all of its children are partitioned together (those that are not already separately partitioned), so this traffic class becomes the root of a partitioned subtree of traffic classes.

<minBps> | <minPct> | uncommitted
The minimum size of the new partition, specified in bits per second (minBps) or as a percentage of the parent partition’s minimum size (minPct). If <minPct> is used, you must include the percent sign (for example, 10%). See Sizing a Static Partition for additional details and examples. The minimum partition size is 1000 bps (1024 bps on PacketShaper 3500, 7500, and 10000 models).

The sum of all the partitions within either Inbound or Outbound can exceed the link size, allowing you to oversubscribe the link.

Use the literal uncommitted to indicate that the guaranteed minimum allocation is whatever is not committed to other partitions. Normally uncommitted is used only by the default Inbound and Outbound partitions.

[<maxBps> | <maxPct> | none | fixed]
Limit the maximum bandwidth used by a burstable partition. The maximum can be specified in bits per second (maxBps) or as a percentage of the parent maximum (maxPct). If <maxPct> is used, you must include the percent sign (for example, 10%). The maximum must be greater than the minimum.

Specify none to allow the partition to use any available bandwidth. Specify fixed to prevent a partition from exceeding the <minBps> or <minPct> size. If you do not specify burstable or fixed, the partition defaults to burstable.

Notes:

In order for partitions to take effect, traffic shaping must be enabled. See setup shaping.
When creating partitions, make sure you don’t allocate bandwidth in such a way that Inbound/Default and Outbound/Default get “starved” — that is, there is no bandwidth available for these classes. If this happens, traffic classification and policies may not work as expected.
Although a partition can be set as high as 4 Gbps on a PS12000, bandwidth enforcement becomes inaccurate above 2 Gbps. Therefore, it is recommended that partitions be set to 2 Gbps or less.

Examples:

Create an inbound burstable partition (no maximum limit specified) of 10000 bps:

partition apply inbound/outside/http 10k

Create an inbound burstable partition of 20000 bps with the ability to borrow additional bandwidth from other partitions, if it is available, up to 30000 bps:

partition apply inbound/outside/http 20k 30k

Create a burstable partition for SAP that is 30% of the link (Inbound partition) size, with a maximum size of 40%:

partition apply inbound/sap 30% 40%

In the above example, if the link size is 1.5 Mbps, the SAP partition would get a minimum of 450 Kbps and a maximum of 600 Kbps.
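The sizing rules for partition apply, carried through in Python as an added example (not Blue Coat code and not part of the guide). The 1000 bps floor, the maximum-greater-than-minimum rule, the uncommitted / none / fixed keywords, the 2 Gbps accuracy note and the Default-class starvation warning come from the text above; the assumption that k, m and g are decimal multipliers follows the guide's reading of 10k as 10000 bps, and the function names are constructed.

```python
import re

MIN_PARTITION_BPS = 1000            # 1024 bps on PacketShaper 3500, 7500 and 10000 models
ACCURATE_LIMIT_BPS = 2_000_000_000  # enforcement is inaccurate above 2 Gbps (guide's note)

# Assumption: k/m/g suffixes are decimal multipliers (the guide reads 10k as 10000 bps).
_MULT = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}


def parse_rate(spec, parent_bps):
    """'10k' -> 10000 bps; '30%' -> 30 percent of parent_bps (the parent partition's size)."""
    s = spec.strip().lower()
    if s.endswith("%"):
        pct = float(s[:-1])
        if not 0 < pct <= 100:
            raise ValueError(f"percentage out of range: {spec}")
        return int(parent_bps * pct / 100)
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmg]?)", s)
    if not m:
        raise ValueError(f"bad rate {spec!r}: use bps, a k/m/g suffix, or a percentage")
    return int(float(m[1]) * _MULT[m[2]])


def partition_sizes(parent_bps, min_spec, max_spec=None, floor=MIN_PARTITION_BPS):
    """Resolve partition apply size arguments to (min_bps, max_bps, kind, warnings).
    min_bps is None for 'uncommitted'; max_bps is None for a burstable partition with no cap."""
    warnings = []
    if min_spec == "uncommitted":
        min_bps = None          # whatever is not committed to other partitions
    else:
        min_bps = parse_rate(min_spec, parent_bps)
        if min_bps < floor:
            raise ValueError(f"minimum {min_bps} bps is below the {floor} bps floor")
    if max_spec in (None, "none"):
        max_bps, kind = None, "burstable"
    elif max_spec == "fixed":
        max_bps, kind = min_bps, "fixed"
    else:
        max_bps, kind = parse_rate(max_spec, parent_bps), "burstable"
        if min_bps is not None and max_bps <= min_bps:
            raise ValueError("maximum must be greater than minimum")
    if any(v is not None and v > ACCURATE_LIMIT_BPS for v in (min_bps, max_bps)):
        warnings.append("bandwidth enforcement becomes inaccurate above 2 Gbps")
    return min_bps, max_bps, kind, warnings


def default_starved(link_bps, sibling_min_bps):
    """True when the committed minimums of the other partitions leave nothing for the
    Default class. Oversubscribing the link is allowed, but starving Default is not."""
    return sum(sibling_min_bps) >= link_bps


def rejects(parent_bps, min_spec, max_spec=None):
    """True when partition_sizes refuses the arguments (shows the negative cases)."""
    try:
        partition_sizes(parent_bps, min_spec, max_spec)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The guide's SAP example: 30% / 40% of a 1.5 Mbps link
    print(partition_sizes(1_500_000, "30%", "40%"))
```

Running a planned set of partitions through default_starved before applying them catches the configuration the guide warns about, where the sum of guaranteed minimums consumes the whole link and Inbound/Default or Outbound/Default ends up with no bandwidth.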


partition dynamic apply

Create a dynamic per-user partition for a traffic class. Can be specified by IP address or by subnet.

Note: Before you can create dynamic per-user partitions, you must create a static partition for the class using the partition apply command.

To create a dynamic partition which handles traffic for an IP address:

partition dynamic apply <tclass> per-address <side> <minBps>|<minPct>|uncommitted <maxBps>|<maxPct>|none|fixed

<tclass>
Name of the traffic class having a static partition you would like to subdivide for each user

<side>
Side (inside or outside) of the PacketShaper on which the user is located

<minBps> | <minPct> | uncommitted
Minimum amount of bandwidth to be assigned to each user, specified in bits per second (minBps) or as a percentage of the parent partition’s size (minPct). If <minPct> is used, you must include the percent sign (for example, 10%). The minimum subpartition size is 1000 bps (1024 bps on PacketShaper 3500, 7500, and 10000 models).

Use the literal uncommitted to indicate that the guaranteed minimum allocation is whatever is not committed to other partitions.

Set this field to zero (0) to have PacketWise allocate bandwidth equitably to each subpartition, so that the total of all subpartitions equals the static partition's size.

Note: Minimum subpartition size is usually best handled by setting this field to zero and setting a maximum number of subpartitions (using the partition dynamic cap command). However, you must use a non-zero size if you want to implement per-session guaranteed rates within rate policies for this same traffic.

<maxBps> | <maxPct> | none | fixed
Maximum amount of bandwidth to be assigned to each subpartition, specified in bits per second (maxBps) or as a percentage of the parent partition’s size (maxPct). If <maxPct> is used, you must include the percent sign (for example, 10%).

Specify a <maxBps> value if you want to enforce a cap on each user or subnet even if more bandwidth is available. Managed bandwidth service providers are most frequently in this position, needing to cut off usage at agreed-upon, paid-for limits. If you don’t want a maximum, specify none. Specify fixed to prevent a subpartition from exceeding the <minBps> or <minPct> size.

Even if this field is left blank, the limit on the static, parent partition still restricts the total bandwidth for the aggregate of all subpartitions.

To create a dynamic partition which handles traffic for a subnet:

partition dynamic apply <tclass> per-subnet /<cidr> <side> <minBps>|<minPct> <maxBps>|<maxPct>|none

<tclass>
Name of the traffic class having a static partition you would like to subdivide for each user

/<cidr>
CIDR number specifying the number of constant bits in the address range

<side>
Side (inside or outside) of the PacketShaper on which the user is located

<minBps> | <minPct> | uncommitted
Minimum amount of bandwidth to be assigned to each user, specified in bits per second (minBps) or as a percentage of the parent partition’s size (minPct). If <minPct> is used, you must include the percent sign (for example, 10%). The minimum subpartition size is 1000 bps (1024 bps on PacketShaper 3500, 7500, and 10000 models).

Use the literal uncommitted to indicate that the guaranteed minimum allocation is whatever is not committed to other partitions.

Set this field to zero (0) to have PacketWise allocate bandwidth equitably to each subpartition, so that the total of all subpartitions equals the static partition's size.

Note: Minimum subpartition size is usually best handled by setting this field to zero and setting a maximum number of subpartitions (using the partition dynamic cap command). However, you must use a non-zero size if you want to implement per-session guaranteed rates within rate policies for this same traffic.

<maxBps> | <maxPct> | none | fixed
Maximum amount of bandwidth to be assigned to each subpartition, specified in bits per second (maxBps) or as a percentage of the parent partition’s size (maxPct). If <maxPct> is used, you must include the percent sign (for example, 10%).

Specify a maximum value if you want to enforce a cap on each user or subnet even if more bandwidth is available. Managed bandwidth service providers are most frequently in this position, needing to cut off usage at agreed-upon, paid-for limits. If you don’t want a maximum, specify none. Specify fixed to prevent a subpartition from exceeding the <minBps> or <minPct> size.

Even if this field is left blank, the limit on the static, parent partition still restricts the total bandwidth for the aggregate of all subpartitions.

After the dynamic partition is set up, whenever a new user begins generating flows in that class, a subpartition will be created for the user on the fly. The per-user partition remains in existence until it's re-used for new flows by the same user or needed by another user. A subpartition may be given to another user if there have not been any recent flows in the partition. To be more precise, a subpartition may be given to another user if 30 seconds have passed without any flows or if it's been five minutes since an established flow has sent any packets.
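The per-user allocation and reuse behaviour described above, modelled in Python as an added example (not Blue Coat code and not part of the guide, and not a description of PacketWise internals). The 30-second and five-minute thresholds, the equal sharing when the minimum is zero, and the maximum number of users set with partition dynamic cap are taken from the text; everything else, including the class, method and user names and the choice to evict the first reusable subpartition, is an assumption made for the illustration.

```python
from dataclasses import dataclass

# Idle thresholds the guide gives for handing a subpartition to another user.
NO_FLOWS_SECS = 30          # 30 seconds with no flows at all
SILENT_FLOW_SECS = 5 * 60   # five minutes since an established flow sent a packet


@dataclass
class Subpartition:
    user: str
    active_flows: int
    last_flow_end: float    # when the most recent flow ended
    last_packet: float      # when an established flow last sent a packet

    def reusable(self, now):
        if self.active_flows == 0:
            return now - self.last_flow_end >= NO_FLOWS_SECS
        return now - self.last_packet >= SILENT_FLOW_SECS


class DynamicPartition:
    """Per-address subpartitions under one static partition (assumed semantics: a zero
    minimum shares the static size equally; 'cap' is the partition dynamic cap limit)."""

    def __init__(self, static_bps, min_bps=0, max_bps=None, cap=None):
        self.static_bps, self.min_bps, self.max_bps, self.cap = static_bps, min_bps, max_bps, cap
        self.subs = {}          # user -> Subpartition, kept in creation order
        self.overflow = set()   # users who hit the cap and fell through to overflow

    def flow_started(self, user, now):
        """Returns 'existing', 'new', 'reused' or 'overflow'."""
        sub = self.subs.get(user)
        if sub is not None:
            sub.active_flows += 1
            sub.last_packet = now
            return "existing"
        if self.cap is not None and len(self.subs) >= self.cap:
            victim = next((s for s in self.subs.values() if s.reusable(now)), None)
            if victim is None:
                self.overflow.add(user)
                return "overflow"
            del self.subs[victim.user]      # idle subpartition handed to the new user
            outcome = "reused"
        else:
            outcome = "new"
        self.overflow.discard(user)
        self.subs[user] = Subpartition(user, 1, now, now)
        return outcome

    def packet_seen(self, user, now):
        self.subs[user].last_packet = now

    def flow_ended(self, user, now):
        sub = self.subs[user]
        sub.active_flows = max(0, sub.active_flows - 1)
        sub.last_flow_end = now

    def guaranteed_bps(self, user):
        """Equal share of the static partition when the minimum is 0, else the configured
        minimum; never above the per-user maximum when one is set."""
        if user not in self.subs:
            return 0
        share = self.static_bps // len(self.subs) if self.min_bps == 0 else self.min_bps
        return share if self.max_bps is None else min(share, self.max_bps)


def scenario():
    """Constructed walk-through: a 1 Mbps static partition capped at two per-user subpartitions."""
    dp = DynamicPartition(1_000_000, cap=2)
    out = [dp.flow_started("10.1.1.1", 0.0),        # new
           dp.flow_started("10.1.1.2", 1.0),        # new
           dp.guaranteed_bps("10.1.1.1"),           # 500000: equal share of 1 Mbps
           dp.flow_started("10.1.1.3", 2.0)]        # overflow: cap reached, nobody idle
    dp.flow_ended("10.1.1.1", 10.0)
    out.append(dp.flow_started("10.1.1.3", 20.0))   # overflow: only 10 s without flows
    out.append(dp.flow_started("10.1.1.3", 45.0))   # reused: 10.1.1.1 idle for 35 s
    out.append(dp.flow_started("10.1.1.4", 301.0))  # reused: 10.1.1.2's flow silent 300 s
    out.append(sorted(dp.subs))
    return out


if __name__ == "__main__":
    print(scenario())
```

The walk-through makes the two reuse conditions concrete: a subpartition whose flows have ended is released after 30 idle seconds, while one that still holds an established but silent flow is released only after five minutes, and until one of those happens a new user beyond the cap lands in overflow.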


partition dynamic cap

Set the maximum number of active users allowed in the dynamic partition, and, optionally, create an overflow partition for users to tap into if the cap is exceeded.

partition dynamic cap <tclass> <maxusers> [<overflowMinBps>|<overflowMinPct>|uncommitted <overflowMaxBps>|<overflowMaxPct>|none|fixed]

<tclass> Name of the traffic class having a dynamic partition for which you would like to set a cap

<maxusers> Maximum number of per-user partitions that can be created in this traffic class

<overflowMinBps>|<overflowMinPct>|uncommitted

Minimum amount of bandwidth in the overflow partition, specified in bits per second (overflowMinBps) or as a percentage of the parent partition's size (overflowMinPct). If <overflowMinPct> is used, you must include the percent sign (for example, 10%). The minimum overflow subpartition size is 1000 bps (1024 bps on PacketShaper 3500, 7500, and 10000 models).

Use the literal uncommitted to indicate that the guaranteed minimum allocation is whatever is not committed to other partitions.

<overflowMaxBps>|<overflowMaxPct>|none|fixed

Maximum amount of bandwidth in the overflow partition, specified in bits per second (overflowMaxBps) or as a percentage of the parent partition's size (overflowMaxPct). If <overflowMaxPct> is used, you must include the percent sign (for example, 10%). When a value is specified, the overflow partition can use available excess bandwidth if needed.

Specify none to allow the overflow partition to use any available bandwidth. Specify fixed to prevent the partition from exceeding the <overflowMinBps> or <overflowMinPct> specification.

If you don't specify a value, the overflow partition has a fixed size; when it's not using its reserved bandwidth, that bandwidth is available to other traffic.

To remove the cap on a dynamic partition:

partition dynamic cap <tclass> none

See also:

partition dynamic apply


partition dynamic remove

Remove a dynamic partition. The partition reverts to being static.

partition dynamic remove <tclass>


partition dynamic summary

Show all the configured dynamic partitions and the number of users currently using each partition. Users that are not active can be replaced by new users.

partition dynamic summary

Example:

partition dynamic summary

Partition        --- Users ---    --- Current User Details ---
Name             Current  Cap     Active  Idle  Gone  LongGone
-----------------------------------------------------------------
Inbound http     7        none    3       0     3     1

After a dynamic partition is set up, whenever a new user begins generating flows in that class, a subpartition will be created for the user on the fly. The per-user partition remains in existence until it's re-used for new flows by the same user or needed by another user. A subpartition may be given to another user if there have not been any recent flows in the partition.

A subpartition is considered Idle if it has not been active for 300 seconds (5 minutes): it still has established flows, but none of them has sent a packet in that time. A subpartition is considered Gone if all of its flows have been gone for 30 seconds or less, or LongGone if they have been gone for more than 30 seconds. When the dynamic partition cap has been reached, new subpartitions are created from LongGone and Gone partitions.

In other words, a subpartition may be given to another user if 30 seconds have passed without any flows or if it's been fiveminutes since an established flow has sent any packets.
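The aging and reuse rules above, as an added example in Python (illustrative code, not PacketWise source). The 300-second and 30-second thresholds and the Active/Idle/Gone/LongGone buckets come from the text; the preference order when the cap is reached (LongGone first, then Gone, then Idle) and the choice of the least recently active subpartition within a bucket are assumptions. The timeline in scenario() is constructed.

```python
"""Model of dynamic-partition subpartition aging and reuse (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_AFTER = 300      # established flows, but no packet for 300 s -> Idle
LONGGONE_AFTER = 30   # no flows at all for more than 30 s -> LongGone (otherwise Gone)


@dataclass
class Subpartition:
    user: str
    flows: int = 0                          # open flows currently mapped to this user
    last_packet: float = 0.0                # time of the most recent packet on any flow
    flows_gone_at: Optional[float] = None   # when the last flow closed, if none remain

    def state(self, now: float) -> str:
        if self.flows > 0:
            return "Idle" if now - self.last_packet >= IDLE_AFTER else "Active"
        return "LongGone" if now - self.flows_gone_at > LONGGONE_AFTER else "Gone"


class DynamicPartition:
    """One dynamic partition with an optional user cap (None = no cap)."""

    # Reclaim order when the cap is hit (assumed ordering; the page names LongGone
    # and Gone as the pools new subpartitions come from, and Idle as reusable).
    _RECLAIM_RANK = {"LongGone": 0, "Gone": 1, "Idle": 2}

    def __init__(self, cap: Optional[int]):
        self.cap = cap
        self.subs: Dict[str, Subpartition] = {}

    def summary(self, now: float) -> Dict[str, int]:
        """Counts in the same buckets as 'partition dynamic summary'."""
        counts = {"Active": 0, "Idle": 0, "Gone": 0, "LongGone": 0}
        for sub in self.subs.values():
            counts[sub.state(now)] += 1
        return counts

    def new_flow(self, user: str, now: float) -> Optional[Subpartition]:
        """Map a new flow from `user` to a subpartition, creating or reclaiming one.
        Returns None when the cap is reached and nothing is reclaimable (the case an
        overflow partition is configured for)."""
        sub = self.subs.get(user)          # a user's own subpartition is reused as is
        if sub is None:
            if self.cap is not None and len(self.subs) >= self.cap:
                victim = self._reclaimable(now)
                if victim is None:
                    return None
                del self.subs[victim.user]
            sub = self.subs[user] = Subpartition(user)
        sub.flows += 1
        sub.flows_gone_at = None
        sub.last_packet = now
        return sub

    def packet(self, user: str, now: float) -> None:
        self.subs[user].last_packet = now

    def flow_closed(self, user: str, now: float) -> None:
        sub = self.subs[user]
        sub.flows -= 1
        if sub.flows == 0:
            sub.flows_gone_at = now

    def _reclaimable(self, now: float) -> Optional[Subpartition]:
        cands = [s for s in self.subs.values() if s.state(now) in self._RECLAIM_RANK]
        if not cands:
            return None
        # Least recently active subpartition within the most reclaimable bucket.
        return min(cands, key=lambda s: (self._RECLAIM_RANK[s.state(now)], s.last_packet))


def scenario():
    """Constructed timeline (seconds) against a dynamic partition capped at 3 users."""
    p = DynamicPartition(cap=3)
    for ip in ("10.9.50.1", "10.9.50.2", "10.9.50.3"):
        p.new_flow(ip, 0)
    p.flow_closed("10.9.50.2", 10)      # .2 has no flows from t=10 on
    at_20 = p.summary(20)               # .2 is Gone (10 s), the others Active
    p.new_flow("10.9.50.4", 20)         # cap hit: .2 is reclaimed for .4
    p.packet("10.9.50.3", 50)
    p.packet("10.9.50.4", 395)
    at_400 = p.summary(400)             # .1 and .3 silent for >= 300 s -> Idle
    p.new_flow("10.9.50.5", 400)        # cap hit: least recently active Idle (.1) reclaimed
    return at_20, at_400, sorted(p.subs)


if __name__ == "__main__":
    print(scenario())
```

The model makes one operational point visible: with a low cap, a burst of new source addresses (a scan or spoofed traffic, for instance) can recycle Gone and Idle subpartitions quickly, so legitimate but quiet users lose their per-user allocation and fall back to whatever the overflow partition provides.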


partition remove

Remove a static partition from a traffic class. The bandwidth allocated to this traffic class is returned to the parent partition.

partition remove <tclass>

Note: Do not use this command to remove Frame Relay partitions.


partition show

Display current partition usage for static, dynamic, or both types of partitions.

partition show [<tclass>] [static|dynamic {<ip-addr>|<subnet>/<cidr>|<ip-addr-range>}|clear|config]

where:

<tclass> Displays partition statistics for the specified traffic class

static Lists only static partitions

dynamic Lists only dynamic partitions

dynamic {<ip-addr>|<subnet>/<cidr>|<ip-addr-range>} Lists only dynamic partitions for the specified IP address, subnet, CIDR, or range of IP addresses

clear Resets the displayed partition statistics and then displays a partition list. Note that the statistics will not necessarily show as zero after this reset, because traffic activity could be recorded instantaneously.

Note: The clear option is not applicable in conjunction with the <tclass> option.

config Displays the minimum and maximum usage. The usage maximum is a partition's burst limit.

Examples:

To display partition statistics for all partitions, omit all parameters.

PacketShaper# partition show

Partition name                Size        Grntd   Prior   Curr   1-Min
                             Min / Max    Excess  Usage   Avg    Peak
-------------------------------------------------------------------------------
/Inbound                      1.5M  1.5M   0  0  1024  1024  2048  3687  537k
/Inbound/MPEG-Audio           500k  1.5M*  0  0     0     0     0     0     0
/Inbound/WinMedia                0  1.5M*  0  0     0     0     0     0     0
-------------------------------------------------------------------------------
/Outbound                     1.5M  1.5M   0  0     0     0  1143   405  6986
/Outbound/157                    0  1.5M   0  0     0     0     0     0     0
/Outbound/157/74.125.77.99       0  100k   0  0     0     0     0     0     0
/Outbound/157/74.125.77.102      0  100k   0  0     0     0     0     0     0
/Outbound/157/10.2.2.100         0  100k   0  0     0     0     0     0     0
/Outbound/157/91.189.90.41       0  100k   0  0     0     0     0     0     0
/Outbound/157/74.125.77.104      0  100k   0  0     0     0     0     0     0
/Outbound/157/74.125.79.102      0  100k   0  0     0     0     0     0     0
/Outbound/157/91.189.90.40       0  100k   0  0     0     0     0     0     0

This output lists both minimum and maximum partition size settings. It also lists the rate of priority traffic. In addition, it displays an asterisk (*) next to any minimum or maximum value that isn't "pure", that is, if the programmed value was adjusted due to (1) oversubscription or (2) the use of the strings fixed or none. The adjusted values, not the programmed values, are listed, followed by an asterisk.

The Usage field represents the current bandwidth assigned to the partition, including guaranteed rate and excess rate for classes with rate policies, and any bandwidth currently allocated to classes with priority policies. Current rate and one-minute averages are bits-per-second rates.

To list only dynamic partitions:

PacketShaper# partition show dynamic

Partition name                Size        Grntd   Prior   Curr   1-Min
                             Min / Max    Excess  Usage   Avg    Peak
-------------------------------------------------------------------------------
/Inbound/10.2.12.171             0  1.0M   0  0  4608  4608  2804   944  3325
/Inbound/10.9.50.93              0  1.0M   0  0     0     0     0     0     0
/Inbound/10.9.50.47              0  1.0M   0  0     0     0     4    13    53
/Inbound/10.9.50.27              0  1.0M   0  0     0     0     0     8   214
/Inbound/152.86.13.0             0  1.0M   0  0     0     0     0     0     0
/Inbound/10.9.50.60              0  1.0M   0  0     0     0     0     0     0
/Inbound/10.9.50.48              0  1.0M   0  0     0     0     0     0     0
/Inbound/10.9.50.44              0  1.0M   0  0     0     0     0     0     0
/Inbound/8.81.20.0               0  1.0M   0  0     0     0     0     0     0
/Inbound/10.9.50.92              0  1.0M   0  0     0     0     0     0     0
/Inbound/10.9.51.3               0  1.0M   0  0     0     0     0     9    33
/Inbound/10.9.50.75              0  1.0M   0  0     0     0     0    39  1943
/Inbound/114.185.22.0            0  1.0M   0  0     0     0    56    33   302
/Inbound/10.9.50.1               0  1.0M   0  0     0     0    61    39    62
/Inbound/10.9.50.109             0  1.0M   0  0     0     0   276   122   655
/Inbound/10.9.51.13              0  1.0M   0  0     0     0    18    38   238
/Inbound/114.86.25.0             0  1.0M   0  0  1280  1280   265   178   338
-------------------------------------------------------------------------------
/Outbound/157/224.0.0.251        0  100k   0  0     0     0     0     0     0

To list dynamic partitions in a subnet (CIDR=24):

PacketShaper# partition show dynamic 10.9.50.0/24

Partition name                Size        Grntd   Prior   Curr   1-Min
                             Min / Max    Excess  Usage   Avg    Peak
-------------------------------------------------------------------------------
/Inbound/10.9.50.49              0  1.0M   0  0     0     0     0     0     0
/Inbound/10.9.50.93              0  1.0M   0  0     0     0     0     0     0
/Inbound/10.9.50.47              0  1.0M   0  0     0     0     0     2    53
/Inbound/10.9.50.27              0  1.0M   0  0     0     0     0     2   214
/Inbound/10.9.50.60              0  1.0M   0  0     0     0     0     0     0
/Inbound/10.9.50.48              0  1.0M   0  0     0     0     0     0     0
/Inbound/10.9.50.44              0  1.0M   0  0     0     0     5     7    27
/Inbound/10.9.50.92              0  1.0M   0  0     0     0     0     0     0
/Inbound/10.9.50.75              0  1.0M   0  0     0     0     0    10  1943
/Inbound/10.9.50.1               0  1.0M   0  0     0     0     9    30   233
/Inbound/10.9.50.109             0  1.0M   0  0     0     0   535   127   655
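Because per-user subpartitions are named by IP address, the partition show table is a convenient place to spot a single host dominating a class, or a partition whose programmed size PacketWise had to adjust. The following is an added example (not PacketWise code) that parses the table into records. Two assumptions are made: the nine numeric columns map, left to right, to Size Min, Size Max, Grntd, Excess, Prior, Usage, Curr, 1-Min Avg and 1-Min Peak as read off the two-line header, and the k/M/G suffixes are decimal multipliers. The sample input is constructed from rows of the output shown on this page.

```python
"""Parser for 'partition show' output (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

_MULT = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9}   # assumed decimal units
_RATE = re.compile(r"^(\d+(?:\.\d+)?)([kMG]?)(\*?)$")
# Assumed mapping of the nine numeric columns to the two-line header.
COLUMNS = ("size_min", "size_max", "grntd", "excess", "prior",
           "usage", "curr", "avg_1min", "peak_1min")


def parse_rate(tok: str) -> Tuple[int, bool]:
    """'537k' -> (537000, False); '1.5M*' -> (1500000, True). A trailing asterisk
    marks a value PacketWise adjusted (oversubscription, or fixed/none in use)."""
    m = _RATE.match(tok)
    if not m:
        raise ValueError(f"not a rate: {tok!r}")
    num, unit, star = m.groups()
    return int(float(num) * _MULT[unit]), star == "*"


def parse_partition_show(text: str) -> List[Dict]:
    """One dict per partition row; header, separator and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("/"):
            continue
        name, values = fields[0], fields[1:]
        if len(values) != len(COLUMNS):
            raise ValueError(f"unexpected column count in: {line!r}")
        rec = {"name": name, "adjusted": []}
        for col, tok in zip(COLUMNS, values):
            rec[col], adjusted = parse_rate(tok)
            if adjusted:
                rec["adjusted"].append(col)
        rows.append(rec)
    return rows


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def dynamic_subpartitions(rows: List[Dict], parent: str) -> List[Dict]:
    """Per-user subpartitions appear as direct children of `parent` named by IP."""
    prefix = parent.rstrip("/") + "/"
    return [r for r in rows
            if r["name"].startswith(prefix) and _is_ip(r["name"][len(prefix):])]


def top_talkers(rows: List[Dict], parent: str, n: int = 3) -> List[Tuple[str, int]]:
    """Busiest per-user subpartitions under `parent`, by the Usage column."""
    subs = sorted(dynamic_subpartitions(rows, parent),
                  key=lambda r: r["usage"], reverse=True)
    return [(r["name"], r["usage"]) for r in subs[:n]]


def adjusted_partitions(rows: List[Dict]) -> List[str]:
    """Partitions with at least one asterisked (adjusted) value."""
    return [r["name"] for r in rows if r["adjusted"]]


# Constructed input, assembled from rows of the output shown on this page.
SAMPLE = """\
PacketShaper# partition show
Partition name              Size        Grntd   Prior   Curr   1-Min
                           Min / Max    Excess  Usage   Avg    Peak
-------------------------------------------------------------------------------
/Inbound                    1.5M  1.5M   0  0  1024  1024  2048  3687  537k
/Inbound/MPEG-Audio         500k  1.5M*  0  0     0     0     0     0     0
/Inbound/10.2.12.171           0  1.0M   0  0  4608  4608  2804   944  3325
/Inbound/10.9.50.109           0  1.0M   0  0     0     0   276   122   655
/Inbound/114.86.25.0           0  1.0M   0  0  1280  1280   265   178   338
"""

if __name__ == "__main__":
    rows = parse_partition_show(SAMPLE)
    print(adjusted_partitions(rows))
    print(top_talkers(rows, "/Inbound", 2))
```

Run this over a captured partition show dynamic listing to rank hosts; an asterisk on a parent's Min or Max is the cue to check whether the children's minimums oversubscribe it.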

Command Change History

Release  Modification
8.6.1    static and dynamic parameters added


pc autodeploy server interval

For PolicyCenter only

Once the auto-deployment server is enabled, PolicyCenter will send auto-deployment messages for unconfigured units once every 300 seconds, the default auto-deployment server interval. If you want PolicyCenter to send messages for the unconfigured units more or less often, select a different interval. This command can only be issued by network administrators with touch-role access to the PC organization.

pc autodeploy server interval <time in seconds>|default

<time in seconds> The number of seconds between the RSVP auto-deployment messages sent from the auto-deployment server

default Select the default parameter to return the auto-deployment interval to its default value of 300 seconds


pc autodeploy server show

For PolicyCenter only

Display settings for the auto-deployment server. This command shows whether the auto-deployment server is enabled or disabled, and displays the current server interval: how often PolicyCenter will attempt to send the auto-deployment messages for the unconfigured units if the server is enabled. The default interval is 300 seconds. This command can only be issued by network administrators with access to the PC organization.

pc autodeploy server show

Example output from this command:

Auto-Deployment Server Configuration:
Server State    : off
Server Interval : 300 (seconds)

To enable or disable the auto-deployment server, use the command pc autodeploy server state.


pc autodeploy server state

For PolicyCenter only

Enable the PolicyCenter auto-deployment server, so PolicyCenter will send RSVP auto-deploy messages for the specified unconfigured PacketShapers. These messages will first assign each unit its own IP address, netmask, unit name and gateway, then subscribe the unit to PolicyCenter where it will be assigned to its complete configuration (if specified). This command can only be issued by network administrators with touch-role access to the PC organization.

Note: Blue Coat strongly recommends disabling the auto-deployment server before you add a new unit entry. This gives you additional time to specify a target host IP address, DNS server or domain name for the entry before you reenable the server and allow it to send the entry information to an unconfigured unit. If you do not disable the server, unit entry information will be sent at the beginning of the next auto-deployment server interval, possibly before the unit entry has been fully specified.

pc autodeploy server state on|off|default

on Enable the auto-deployment server. Once the auto-deployment server is enabled, PolicyCenter will attempt to contact the unconfigured units listed in the auto-deployment table.

off Disable the auto-deployment server. PolicyCenter will not attempt to contact any unconfigured units until the server is reenabled.

Note: If you want the auto-deployment feature to configure multiple units at the same time, you may want to temporarily disable the auto-deployment server while you add all the unit entries into the auto-deployment table, then reenable the server when the table is complete. In this way, PolicyCenter will contact and configure all the specified units at once, rather than contacting one unit at a time as you add each new unit entry.

default Return the auto-deployment server to its default off setting.

Display current auto-deployment server settings with the command pc autodeploy server show.


pc autodeploy unit add

For PolicyCenter only

Add a new unit to the list of PacketShapers to be configured via the auto-deployment feature by creating an entry for that unit in the auto-deployment table. After a unit entry has been added to the auto-deployment table and the auto-deployment server is enabled, PolicyCenter will send RSVP auto-deploy messages for the unconfigured PacketShapers listed in the table. These messages will first assign each unit its own IP address, netmask, unit name and gateway, then subscribe the unit to PolicyCenter where it will be assigned to its sharable configuration (if specified). This command can only be issued by network administrators with touch-role access to the PC organization.

Blue Coat strongly recommends disabling the auto-deployment server before you create a new unit entry. This gives you additional time to specify a target host IP address, PolicyCenter configuration, DNS server or domain name for the entry before you reenable the server and allow it to send the entry information to an unconfigured unit. If you do not disable the server, unit entry information will be sent at the beginning of the next auto-deployment server interval, possibly before the unit entry has been fully specified.

pc autodeploy unit add <unit ip address> <netmask> <unit name> <gateway>

<unit ip address> The IP address you want to give a new, unconfigured unit. Each unit entry must have a unique IP address.

<netmask> The subnet mask of the unconfigured unit. The auto-deploy feature will send an auto-deploy message to the subnet of the unit unless the recommended target IP address is also specified.

<unit name> Assign a name to the new unit to identify the unit in PolicyCenter. The name can be 20 characters long, including a-z, A-Z, -, _, and . (period). Spaces are not allowed in the unit name.

A unit name can only be set on units running PacketWise version 7.2.1 and later. Auto-deployed units running PacketWise 7.1.0/7.1.1 will display a unit name based upon the unit's serial number.

<gateway> The IP address PacketShaper uses to reach other networks

A PacketShaper uses this gateway to route unit-initiated transactions to a non-local address, for example, FTP transfers initiated from a PacketShaper to a server on a non-local network. Frequently, the gateway address is the same as the site router address.

Example:

pc autodeploy unit add 172.22.29.129 255.255.0.0 UnitOne 172.22.0.1

Important: After issuing the pc autodeploy unit add command to create the initial unit entry in the auto-deployment table, you should issue the pc autodeploy unit target command to specify a host IP address, that is, the IP address of any machine (host) that sits behind a single unconfigured unit. PolicyCenter will send the auto-deploy message directly to the specified host, thereby ensuring that the unconfigured unit sees the auto-deploy message and avoiding the potential problem of a router not forwarding the packets sent to the subnet. If no target is specified, the auto-deploy message will be sent to the subnet of the unconfigured unit. (See Auto-Deployment Setup—Configuring Network Routers for important details on auto-configuring units without a target host IP.)
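The unit add, unit target, unit configuration, unit dns and unit domain commands, bracketed by disabling and re-enabling the server, form one procedure. The following is an added example (not PolicyCenter code) that checks a planned table of entries against the rules stated on this page before anything is sent, and emits the CLI lines in the recommended order. Assumptions: the argument order of pc autodeploy unit target is taken to be <unit ip address> <target host ip> (this page names the command but does not show its syntax), and unit names are restricted to exactly the characters the page lists. The two entries at the bottom are constructed from the addresses used in this page's examples.

```python
"""Pre-flight check and command sequence for PolicyCenter auto-deployment (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Page: up to 20 characters from a-z, A-Z, '-', '_' and '.'; no spaces.
_UNIT_NAME = re.compile(r"^[A-Za-z._-]{1,20}$")


@dataclass
class UnitEntry:
    ip: str
    netmask: str
    name: str
    gateway: str
    target_host: Optional[str] = None     # host behind the unit; avoids subnet delivery
    configuration: Optional[str] = None   # PolicyCenter configuration path
    dns: Optional[str] = None
    domain: Optional[str] = None


def _valid_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def validate(entries: List[UnitEntry]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors break the 'unit add' rules; warnings
    are settings the page strongly recommends before enabling the server."""
    errors, warnings, seen = [], [], set()
    for e in entries:
        for label, val in (("ip", e.ip), ("gateway", e.gateway),
                           ("dns", e.dns), ("target_host", e.target_host)):
            if val is not None and not _valid_ip(val):
                errors.append(f"{e.name}: {label} {val!r} is not an IP address")
        try:
            ipaddress.ip_network(f"{e.ip}/{e.netmask}", strict=False)
        except ValueError:
            errors.append(f"{e.name}: netmask {e.netmask!r} is not valid for {e.ip!r}")
        if not _UNIT_NAME.match(e.name):
            errors.append(f"{e.name!r}: unit name must be 1-20 chars of a-z, A-Z, '-', '_', '.'")
        if e.ip in seen:
            errors.append(f"{e.name}: IP {e.ip} already used by another entry")
        seen.add(e.ip)
        if e.target_host is None:
            warnings.append(f"{e.name}: no target host; message goes to the unit's subnet")
        if e.dns is None or e.domain is None:
            warnings.append(f"{e.name}: set DNS server and domain so the unit subscribes by name")
    return errors, warnings


def deployment_commands(entries: List[UnitEntry]) -> List[str]:
    """CLI lines in the order the page recommends: server off while entries are
    completed, then on, so no entry is sent half-specified at the next interval."""
    cmds = ["pc autodeploy server state off"]
    for e in entries:
        cmds.append(f"pc autodeploy unit add {e.ip} {e.netmask} {e.name} {e.gateway}")
        if e.target_host:
            # Argument order assumed; the page does not show this command's syntax.
            cmds.append(f"pc autodeploy unit target {e.ip} {e.target_host}")
        if e.configuration:
            cmds.append(f"pc autodeploy unit configuration {e.ip} {e.configuration}")
        if e.dns:
            cmds.append(f"pc autodeploy unit dns {e.ip} {e.dns}")
        if e.domain:
            cmds.append(f"pc autodeploy unit domain {e.ip} {e.domain}")
    cmds.append("pc autodeploy server state on")
    return cmds


# Constructed entries using the addresses from this page's examples.
GOOD = UnitEntry("172.22.29.129", "255.255.0.0", "UnitOne", "172.22.0.1",
                 target_host="172.22.7.50", configuration="BranchOffices/WestCoast",
                 dns="10.1.1.16", domain="mycompany.com")
BAD = UnitEntry("172.22.29.129", "255.255.0.0", "Unit Two", "172.22.0.1")

if __name__ == "__main__":
    print(validate([GOOD, BAD]))
    print("\n".join(deployment_commands([GOOD])))
```

Treat the warnings as blocking in practice: an entry without a target host relies on routers forwarding to the unit's subnet, and an entry without DNS and domain subscribes by IP address, which the page notes makes a later PolicyCenter migration require touching every unit.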


pc autodeploy unit configuration

For PolicyCenter only

The PolicyCenter auto-deployment feature allows you to specify an existing PolicyCenter configuration for the unconfigured unit. If set, when the unit subscribes to PolicyCenter, it will automatically be assigned to that configuration. If you do not specify a configuration, the unit will be assigned to a blank configuration at the root of the PolicyCenter configuration tree. This command can only be issued by network administrators with touch-role access to the PC organization.

Note: If you assign an unconfigured unit to a PolicyCenter configuration that is invalid or does not exist, the unit will display errors on the PolicyCenter configurations page. You can remove these errors by reassigning the unit to a valid PolicyCenter configuration.

pc autodeploy unit configuration <unit ip address> <configuration path>

<unit ip address> The IP address of the unconfigured unit

<configuration path> The complete path of the PolicyCenter configuration

Example:

The following command will assign the unit 172.22.29.129 to the PolicyCenter configuration UnitedStates/WestCoast/LosAngeles.

pc autodeploy unit configuration 172.22.29.129 UnitedStates/WestCoast/LosAngeles

See also: Create a PolicyCenter Configuration for details on creating PolicyCenter configurations prior to auto-deploying units.


pc autodeploy unit dns

For PolicyCenter only

The PolicyCenter auto-deployment feature allows you to specify a DNS server for the unconfigured unit. If specified, the DNS server will be set on the unconfigured unit as a part of the unit auto-deployment. This command can only be issued by network administrators with touch-role access to the PC organization.

Important: Blue Coat strongly recommends that you specify the DNS server and domain for a unit so that the unit can subscribe to PolicyCenter using the DNS name of the PolicyCenter server rather than the server's IP address. This will allow you to migrate the directory server to a different computer without affecting any of the units. If a unit is subscribed to PolicyCenter via the server's IP address, migrating PolicyCenter to a different server may require you to access the unit, unsubscribe it, then resubscribe the unit to the new IP address.

pc autodeploy unit dns <unit ip address> <dns server address>

<unit ip address> The IP address of the unconfigured unit

<dns server address> The IP address of the unit's DNS server

Example:

pc autodeploy unit dns 172.22.18.170 10.1.1.16


pc autodeploy unit domain

For PolicyCenter only

Specify a domain for a unit to be configured via the PolicyCenter auto-deployment feature. If set, the unit's domain name attribute will be configured with the specified value during auto-deployment. Although setting a domain for the unit is optional, Blue Coat highly recommends that you specify a domain for each unit you want to configure with the auto-deploy feature. This command can only be issued by network administrators with touch-role access to the PC organization.

If the domain name is set on the unit, that unit will subscribe to the PolicyCenter directory server using the unit's domain name, a recommended procedure which allows for easier recovery in the event of server failure. If the domain name is not set, the unit will subscribe to the directory server using the Directory Server's IP address.

Important: Blue Coat strongly recommends that you specify the domain name and DNS server for a unit so that the unit can subscribe to PolicyCenter using the DNS name of the PolicyCenter server rather than the server's IP address. This will allow you to migrate the directory server to a different computer without affecting any of the units. If a unit is subscribed to PolicyCenter via the server's IP address, migrating PolicyCenter to a different server may require you to access the unit, unsubscribe it, then resubscribe the unit to the new IP address.

pc autodeploy unit domain <unit ip address> <domain name>

<unit ip address> IP address of the unconfigured unit

<domain name> Domain name of the unconfigured unit

Example:

pc autodeploy unit domain 172.22.29.129 mycompany.com


pc autodeploy unit refresh

For PolicyCenter only

When a unit is configured via the auto-deployment feature, the auto-deployment table will not show that the unit has changed from unconfigured to configured until the auto-deploy daemon on the server runs again. If the auto-deployment server is disabled, or you want to update the table before the next interval, issue the pc autodeploy unit refresh command to view updated unit status entries. This command can only be issued by network administrators with touch-role access to the PC organization.

pc autodeploy unit refresh all|<unit ip address>

all Update all unit entries in the auto-deployment table

<unit ip address> Specify the IP address of a specific unit entry to update just that entry in the auto-deployment table

Note: By default, the auto-deploy daemon runs every 300 seconds. You can specify a new interval with the command pc autodeploy server interval.


pc autodeploy unit remove

For PolicyCenter only

Remove unit entries from the PolicyCenter auto-deployment table. This command can only be issued by network administrators with touch-role access to the PC organization.

Warning: Once unit entries are removed, you cannot put them back in the table without individually reconfiguring each entry.

pc autodeploy unit remove all|<unit ip address>|configured

all Remove all unit entries from the PolicyCenter auto-deployment table

<unit ip address> Specify the IP address of a specific unit entry to remove just that entry from the auto-deployment table

configured Remove only entries for units that have already been successfully configured with the PolicyCenter auto-deployment feature


pc autodeploy unit show

For PolicyCenter only

Show current configuration settings and status information for unit entries listed in the auto-deployment table. This command can only be issued by network administrators with access to the PC organization.

pc autodeploy unit show all|configured|unconfigured|<unit ip address>

all|configured|unconfigured Specify a parameter to display the following information for all units listed in the auto-deployment table, only those units that have been successfully configured with the auto-deployment feature, or those units that are still unconfigured.

- IP address
- Network Mask
- Unit Name
- Gateway address
- State (whether or not the unit will be sent an auto-deployment message)
- Status (whether or not the unit has been successfully configured)

<unit ip address> Specify the IP address of a single unconfigured unit to display more detailed information about that unit's individual entry in the auto-deployment table. In addition to the information in the list above, this command also displays the following values:

- DNS server
- Domain
- Target IP
- Attempts (number of times the unit has been sent an auto-deploy message)
- Timestamp (the time at which the unit was successfully configured)

Examples:

This first example shows general information for all units in the auto-deployment table.

pc autodeploy unit show all

IP Address      Netmask       Unit Name  Gateway     State  Status
-----------------------------------------------------------
172.22.29.129   255.255.0.0   Unit_One   172.22.0.1  on     unconfigured
172.22.29.130   255.255.0.0   Unit_Two   172.22.0.1  on     unconfigured
172.22.29.131   255.255.0.0   UnitFour   172.22.0.1  on     unconfigured
172.22.29.132   255.255.0.0   UnitFive   172.22.0.1  on     unconfigured

This next example shows detailed status and configuration information for one specific unit entry.

pc autodeploy unit show 172.22.29.129

Unit setup details:
IP Address      172.22.29.129
Netmask         255.255.0.0
Unit Name       UnitOne
Gateway         172.22.0.1
DNS Server      10.1.1.16
Domain          mycompany.com
Configuration   BranchOffices/WestCoast

Unit auto-deployment details:
Target host IP  172.22.7.50
State           on
Status          unconfigured
Attempts        0


pc autodeploy unit state

For PolicyCenter only

Enable or disable auto-deployment for any individual unconfigured unit listed in the PolicyCenter auto-deployment table. When you add an unconfigured unit entry to the auto-deployment table, this value will automatically be set to on, meaning that PolicyCenter will soon send an auto-deploy message for that unit. If you do not want PolicyCenter to contact and configure that unit with its next auto-deployment message, set the unit state to off. You can set the unit state back to on when you want an auto-deployment message to reach that unit. This command can only be issued by network administrators with touch-role access to the PC organization.

Note: This command turns auto-deployment messages off and then back on for individual unconfigured units. You can turn off auto-deployment messages for all unconfigured units by disabling the PolicyCenter auto-deployment server with the pc autodeploy server state command.

pc autodeploy unit state <unit ip address> on|off

<unit ip address> The IP address of the unconfigured unit

on Allow PolicyCenter to send an auto-deploy message for the specified unconfigured unit

off Do not allow PolicyCenter to send an auto-deploy message for the specified unconfigured unit


pc image library

For PolicyCenter only

Show the current library of PacketWise image files available for distribution from PolicyCenter to individual PacketShapers. This command can only be issued by network administrators with access to the PC organization.

pc image library units|policycenter [alt]

The pc image library units command shows the version name and type, build time and build variations for available PacketWise images. The pc image library policycenter command displays information for PolicyCenter executable files. Use the optional alt with either command to view additional details such as checksum, file size, the time the file was last modified, and the publishing server.

Example output of this command:

pc image library units

Name        Type  Version
ram.zoo     STD   PacketWise v7.1.0g1 2005-07-09
ram.zoo     STD   PacketWise v7.1.2g1 2006-02-09
latest.zoo  STD   PacketWise v7.5.0g1 2006-12-12

pc image library policycenter

Name      Type  Version
PC750g1   PC    pc7.5.0g1 PolicyCenter
PC741g1   PC    pc7.4.1g1 PolicyCenter
PC701g1   PC    pc7.0.1g1 PolicyCenter Update


pc image update

For PolicyCenter only

Determine when PolicyCenter updates its library of available images, executables, and plug-ins from the Blue Coat supportwebsite. This command can only be issued by network administrators with touch-role access to the PC organization.

pc image update [nightly|manual|default|now]

nightly PolicyCenter attempts to update its library of images and plug-ins nightly,typically during the very early hours of the morning (local time).

manual PolicyCenter does not automatically update its image and plug-in library untilyou issue the command pc image update now. This is the default behavior.

default Returns the image update mode to its default state (manual).

now The command pc image update now enables PolicyCenter to immediatelybegin updating its image and plug-in library.


pc plugin library

For PolicyCenter only

Show the current library of plug-in files available for distribution from PolicyCenter to individual PacketShapers. This command can only be issued by network administrators with touch-role access to the PC organization.

pc plugin library

The pc plugin library command shows the version name, type, version number, and description for available plug-in files.

Example output of this command:

pc plugin library

Name      Type  Version  Description
ntpplug   bt03  1.0.0.0  Network News Transport Protocol
rogue     bt03  1.0.0.0  FileRogue - File Sharing Application
sms       bt03  1.0.0.0  Microsoft SMS pre Windows Service Pack 2


pc plugin prescribe

For PolicyCenter only

When you prescribe new plug-in files for configurations with PacketShapers assigned to them, you must also add the plug-infiles to the PolicyCenter server configuration, so the PolicyCenter software can recognize the new classification types. Use thiscommand to prescribe plug-in files for PolicyCenter by filename. Use the pc plugin library command to determine thenames of available files. This command can only be issued by network administrators with touch-role access to the PCorganization.

pc plugin prescribe [<filename> <filename> ...] |show

<filename> The filename of the plug-in file you wish to prescribe to a PolicyCenterconfiguration.

show The show option shows the PolicyCenter configuration's current plug-in files.


pc plugin subscribe (For PolicyCenter only)

When you prescribe new plug-in files for configurations with PacketShapers assigned to them, you must also add the plug-in files to the PolicyCenter server configuration, so the PolicyCenter software can recognize the new classification types. Issue this command to configure when and how often PolicyCenter updates its own plug-in files. This command can only be issued by network administrators with touch-role access to the PC organization.

pc plugin subscribe asap|scheduled

The pc plugin subscribe command has the following options:

asap        PolicyCenter automatically updates its plug-in files as soon as they are prescribed.

scheduled   PolicyCenter waits for the pc plugin sync command before downloading prescribed files.

See also: pc plugin sync


pc plugin sync (For PolicyCenter only)

Issue this command from PolicyCenter to synchronize plug-in files prescribed for the PolicyCenter software configuration. The <seconds> variable specifies, in seconds, the amount of time that should elapse before the synchronization process begins. This command is only required when the PolicyCenter prescription mode has been set to scheduled with the pc plugin subscribe command. This command can only be issued by network administrators with touch-role access to the PC organization.

Note: It is not necessary to issue this command if the prescription mode has been set to asap with the pc plugin subscribe command.

pc plugin sync <seconds>

To activate a new plug-in for PolicyCenter, use the Windows services panel (Settings > Control Panel > Administrative Tools > Services) to stop and then restart the PolicyCenter service. When PolicyCenter restarts, it will recognize the plug-in file.

See also: pc plugin subscribe


pc portal library (For PolicyCenter only)

Show the current portfolios of customer portal files available for distribution from PolicyCenter to individual PacketShapers. This command can only be issued by network administrators with touch-role access to the PC organization.

pc portal library [verbose]

The pc portal library command shows the names of the available portfolios only. Use pc portal library verbose to also view the names of all the customer portal files within each portfolio.


pc radius acct (For PolicyCenter only)

Set up or change the configuration of the RADIUS accounting service. This feature gives you an audit trail of user logins. This command can only be issued by network administrators with touch-role access to the PC organization. Note that PolicyCenter does not allow a RADIUS user to log in with the user name admin.

pc radius acct default | off | on | primary {<host> <shared_secret> [<port>] | delete} | secondary {<host> <shared_secret> [<port>] | delete}

default           Return RADIUS accounting to its default off setting

off               Disable RADIUS accounting

on                Enable RADIUS accounting

<host>            IP address or DNS name of the RADIUS server

<shared_secret>   The shared secret (password) configured for this client on the RADIUS server

<port>            To reach the RADIUS server on a specific port, specify a port number. Otherwise, the default accounting port (1813) is used.

delete            Delete this RADIUS accounting server.

For example:

pc radius acct primary 172.21.8.50 secretpwd

See also:

Configure RADIUS servers

Configure Windows IAS


pc radius auth (For PolicyCenter only)

Set up or change the configuration of the RADIUS authentication service. RADIUS authentication is an optional method for users to log into the PolicyCenter console or browser interfaces. Using third-party RADIUS servers gives you central configuration of user accounts. This command can only be issued by network administrators with touch-role access to the PC organization. Note that PolicyCenter does not allow a RADIUS user to log in with the user name admin.

The shared secret is the only thing that authenticates replies from the RADIUS server and (with the PAP method) the only thing hiding user passwords on the wire, so choose a long random value and do not reuse it across devices.

pc radius auth default | off | on | primary {<host> <shared_secret> [<port>] | delete} | secondary {<host> <shared_secret> [<port>] | delete}

default           Return RADIUS authentication to its default off setting

off               Disable RADIUS authentication

on                Enable RADIUS authentication

<host>            IP address or DNS name of the RADIUS server

<shared_secret>   The shared secret (password) configured for this client on the RADIUS server

<port>            To reach the RADIUS server on a specific port, specify a port number. Otherwise, the default authentication port (1812) is used.

delete            Delete this RADIUS authentication server.

For example:

pc radius auth primary 172.21.8.55 secretpwd

See also:

Configure RADIUS servers

Configure Windows IAS


pc radius interval (For PolicyCenter only)

Adjust the RADIUS retry interval. By default, the RADIUS client waits five seconds before retrying a login when the RADIUS server fails to respond. You can select a value between 1 and 30 seconds. This command can only be issued by network administrators with touch-role access to the PC organization.

pc radius interval <seconds>|default

See also:

pc radius limit


pc radius limit (For PolicyCenter only)

Adjust the RADIUS retry limit. By default, if the RADIUS server fails to respond, the RADIUS client tries to log onto the server three times before reporting a server failure. You can select a value between 1 and 10. If you have specified a secondary authentication host, the RADIUS client alternates its attempts between the primary and secondary servers. This command can only be issued by network administrators with touch-role access to the PC organization.

pc radius limit <attempts>|default

See also:

pc radius interval


pc radius method (For PolicyCenter only)

Specify PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol) as the RADIUS authentication method, or enter default to return PolicyCenter's RADIUS method to its default, PAP. With PAP the user's password is sent hidden under an MD5 keystream derived from the shared secret (RFC 2865 section 5.2), so its confidentiality rests entirely on that secret; with CHAP only an MD5 challenge response is sent and the password never crosses the wire, but the RADIUS server must hold the password in cleartext (or reversibly encrypted) to verify it. This command can only be issued by network administrators with touch-role access to the PC organization.

pc radius method pap|chap|default

See also:

pc radius auth
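The following is an added worked example, not part of the Blue Coat documentation or the PolicyCenter code, showing what the pc radius auth shared secret and the pc radius method choice actually protect on the wire: the RFC 2865 PAP User-Password hiding and its inverse, the CHAP challenge response, and the Response Authenticator that a client uses to reject a forged Access-Accept. Function names and the sample values are the author's own; the algorithms are the ones the RFC specifies.

```python
import hashlib
import hmac
import os


def new_request_authenticator() -> bytes:
    """RFC 2865 section 3: a fresh, unpredictable 16-byte value per Access-Request."""
    return os.urandom(16)


def pap_hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as sent when the method is PAP.

    The password is NUL-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret || previous ciphertext block), the first "previous block"
    being the Request Authenticator. Nothing but the shared secret protects it.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def pap_reveal_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """The server side of pap_hide_password: recover the cleartext password."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3 CHAP-Password value: MD5(id || password || challenge).

    The password itself never crosses the wire, but the RADIUS server must
    hold it in cleartext (or reversibly encrypted) to recompute this digest.
    """
    return hashlib.md5(bytes([chap_id & 0xFF]) + password + challenge).digest()


def chap_verify(chap_id: int, password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server-side check of a CHAP response; constant-time compare."""
    return hmac.compare_digest(chap_response(chap_id, password, challenge), response)


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_authenticator: bytes, shared_secret: bytes) -> bytes:
    """RFC 2865 section 3 Response Authenticator:
    MD5(Code || ID || Length || RequestAuth || Attributes || Secret).

    This digest is what stops an on-path attacker from forging an
    Access-Accept, which is why the shared secret must be long and random.
    """
    length = 20 + len(attributes)  # 20-byte header plus attributes
    header = bytes([code & 0xFF, identifier & 0xFF]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_authenticator + attributes + shared_secret).digest()
```

Both the PAP hiding and the Response Authenticator are keyed only by the shared secret and MD5, so a short or guessable secret (such as the secretpwd used in the page's examples) can be brute-forced from a single captured exchange; the retry alternation described under pc radius limit means the same secret must be configured identically on the primary and secondary servers.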


pc radius show (For PolicyCenter only)

View current settings for RADIUS authentication and accounting. This command can only be issued by network administrators with access to the PC organization. Note that the output prints each server's shared secret in clear text, so treat console logs and screen captures of it as sensitive.

pc radius show

Example output:

pc radius show

Setup values:
  Radius Method  :CHAP
  Authentication :off
  Accounting     :off
  Retry limit    :3
  Retry interval :5

Service records:
  Type    Host                   Port   Secret
  acct1   172.21.18.170          1813   secretpwd
  acct2   radius.mycompany.com   1813   secretpwd

See also:

pc radius auth

pc radius acct


pc replication add (For PolicyCenter only)

You can extend your deployment beyond the capacity of the core PolicyCenter directory server by defining additional edge directory servers that can each support up to 600 additional PacketShapers. This command can only be issued by network administrators with touch-role access to the PC organization.

The following command defines and adds a new edge directory server. Select the secure option for secure replication using LDAPS (Lightweight Directory Access Protocol over SSL). Without secure, replication traffic between the core and edge servers travels as plain LDAP and can be read by anyone on the path.

pc replication add <DNS|ip-address> [secure]

See also:

Generate SSL Certificates for a PolicyCenter Directory Server

Command Change History
Release   Modification
8.3.1     Command introduced


pc replication delete (For PolicyCenter only)

Issue this command to delete an unused edge directory server. This command can only be issued by network administrators with touch-role access to the PC organization.

Important: If you delete a directory server that still has assigned PacketShapers, those units will no longer receive configuration updates made via PolicyCenter. Before you delete a directory server, you must first issue the unit assign command to reassign its units to another directory server.

pc replication delete <DNS|ip-address>

Command Change History
Release   Modification
8.3.1     Command introduced


pc replication init (For PolicyCenter only)

You may need to reinitialize an edge directory server if it fails to replicate data from the core server, or if an edge server configured for secure replication did not have the appropriate security certificates when it was first initialized. This command can only be issued by network administrators with touch-role access to the PC organization.

pc replication init <DNS|ip-address>

Command Change History
Release   Modification
8.3.1     Command introduced


pc replication prepare (For PolicyCenter only)

Issue the command pc replication prepare to prepare PacketShaper units for data replication before you configure an edge directory server. If your units are not correctly prepared for a multiple directory server deployment with this command, any units that remain attached to the core directory server may generate excessive replication traffic, leading to large log files, excessive network utilization, and possible directory server failure.

pc replication prepare

This command can only be issued by network administrators with touch-role access to the PC organization.

Command Change History
Release   Modification
8.3.1     Command introduced


pc replication show (For PolicyCenter only)

Show the current status of any configured edge directory servers, including each server's IP address, replication status, current security (LDAPS) setting, and the number of units assigned to it. The Srv column shows the server number of each edge directory server, which identifies the server when you make backups of PolicyCenter. This command can only be issued by network administrators with access to the PC organization.

Note: This command only displays the IP addresses of configured edge servers, even if you initially configured the edge directory server by specifying the server's DNS name.

pc replication show

Example output:

Core Directory Server: 111.111.1.100 unsecure Units 506

Srv   IP Address      Status        LDAPS      Units   Last contact
1     111.111.2.100   Replicating   unsecure   3       133 secs
2     111.111.3.100   Replicating   secure     503     0 sec
3     111.111.4.100   Replicating   secure     3       102 secs

Command Change History
Release   Modification
8.3.1     Command introduced


pc setup autobackup (For PolicyCenter only)

When the autobackup feature is enabled, PolicyCenter makes a backup of a configuration before it updates that configuration with changes from a draft. If you later want to revert the changes and restore the configuration to the state it was in before the draft was committed, you can restore the backup configuration with the command config restore. This command can only be issued by network administrators with touch-role access to the PC organization.

pc setup autobackup on | off | show

Where:

on     Enables the autobackup feature, so a backup copy of a configuration is created before any changes are committed back to that configuration.

off    Disables the autobackup feature. Existing backup copies are not deleted, but no new backup copies will be created.

show   Displays the current on or off setting for the autobackup feature.


pc setup date (For PolicyCenter only)

View or set the date and/or time for the PolicyCenter server. This command can only be issued by network administrators with touch-role access to the PC organization.

pc setup date [[yyyymmdd]hhmm[.ss]]

To define a time zone so PolicyCenter can change its local time automatically at the start and end of daylight saving time, use the command pc setup timezone.


pc setup disablehttp (For PolicyCenter only)

Disable nonsecure HTTP access to the PolicyCenter browser interface and force all PolicyCenter users to log in via secure HTTPS only. Note that disabling HTTP access immediately ends all current HTTP sessions.

pc setup disablehttp on|off|show

If you want to use the PolicyCenter file distribution server to distribute files to PacketShapers in shared mode, you must also configure the file distribution server for HTTPS (see pc setup https filedist).


pc setup dns (For PolicyCenter only)

Configure one or more DNS servers for PolicyCenter to use.

pc setup dns none|<ipaddress> ...

Specify up to eight IP addresses, separating each with a space, or use none to clear previously set addresses.

Command Change History
Release   Modification
8.3.2     Command introduced


pc setup domain (For PolicyCenter only)

Define a default domain name that PolicyCenter appends to domain name lookups that are not fully qualified.

pc setup domain none|<domain_name>

Command Change History
Release   Modification
8.3.2     Command introduced


pc setup https certificate (For PolicyCenter only)

HTTPS (Hypertext Transfer Protocol over SSL/TLS) is a protocol for transferring private documents over the Internet. If you believe the certificate's private key was compromised, you can generate a new digital certificate to replace your existing certificate. The thumbprint, a sequence of 20 bytes in hexadecimal separated by colons, uses the SHA1 algorithm and is the value Internet Explorer displays. Regenerating the certificate changes its thumbprint, so afterwards read the new value with pc setup https show and pass it to administrators over a trusted path; a browser that warns about a changed certificate on the next login is expected. This command can only be issued by network administrators with touch-role access to the PC organization.

pc setup https certificate

For example:

pc setup https certificate
This operation will generate a new certificate for HTTPS.
This will replace your current certificate and may take up to 5 minutes
Please confirm if you really want to proceed (YES): yes


pc setup https filedist (For PolicyCenter only)

Configure the PolicyCenter file distribution feature to distribute plug-ins, action files, images, and customer portal files via an HTTPS (secure) or HTTP (non-secure) connection. Because these files include software images and plug-ins that PacketShapers install and run, plain HTTP offers no protection against their being altered in transit; leave it off only on an isolated management network. This command can only be issued by network administrators with touch-role access to the PC organization.

pc setup https filedist [on|off|default]

Where:

on        PolicyCenter distributes files via an HTTPS (secure) connection.

off       PolicyCenter distributes files via an HTTP (nonsecure) connection.

default   Returns the file distribution feature to its default off setting, transferring files via a nonsecure HTTP connection.


pc setup https port (For PolicyCenter only)

Change the HTTPS (HyperText Transfer Protocol over SSL/TLS) listening port. PolicyCenter is automatically configured to run HTTP over SSL on port 443; use this command to select a different port. This command can only be issued by network administrators with touch-role access to the PC organization.

Note: HTTPS is a protocol for transferring private documents over the Internet. Selecting the Secure Login checkbox when logging into the PolicyCenter browser interface tells PolicyCenter to use a secure connection, and the URL is subsequently changed to https://<ip address>. Alternatively, you can type the URL https://<ip address> and the Secure Login checkbox is selected automatically.

pc setup https port <port_number>|default

where <port_number> is the new HTTPS port number and default uses the default HTTPS port, 443.

Examples:

To use HTTPS on port 444:

pc setup https port 444
HTTPS service will be restarted on port 444. It may take up to 10 seconds for the new value to take effect.
Please use "setup https show" to verify the service status.

Or, to use HTTPS on the default port:

pc setup https port default

The HTTPS service starts on the designated port in less than 10 seconds. If the configured port was already in use, PolicyCenter automatically uses the last valid port number specified, or the default value (443). Use the pc setup https show command to verify that the port number was accepted.


pc setup https show (For PolicyCenter only)

Display the status of HTTPS (HyperText Transfer Protocol over SSL/TLS). This command can only be issued by network administrators with access to the PC organization.

The output indicates whether the HTTPS service is running, and on which port. In addition, the output lists the certificate thumbprint and fingerprint. (Comparing the thumbprint or fingerprint shown here against the one the browser presents makes sure that you are contacting the intended remote host.) The thumbprint, a sequence of 20 bytes in hexadecimal separated by colons, uses the SHA1 algorithm and is the value Internet Explorer displays. The fingerprint, a sequence of 16 bytes, uses the MD5 algorithm and is the value Firefox browsers display. MD5 is collision-prone and SHA1 is deprecated for certificate signatures, so when you compare, prefer the SHA1 thumbprint over the MD5 fingerprint, and compare the whole value rather than its first few bytes.

Note: HTTPS is a protocol for transferring private documents over the Internet. Selecting the Secure Login checkbox when logging into the browser interface tells PolicyCenter to use a secure connection, and the URL is subsequently changed to https://<ip address>.

pc setup https show

Example output (when the configured port is the same as the port that is actually being used):

HTTPS service is listening on port #: 443 (default)

Certificate Information:
Thumbprint(SHA1)=87:CA:93:A1:B3:4D:37:C4:AB:A6:A4:21:C6:25:D3:46:E5:CA:57:60
Fingerprint(MD5)=23:92:38:70:61:78:23:B0:9A:EA:35:3E:62:B2:A5:F9

You can use the pc setup https show command to verify that your port number was accepted. If the configured port (specified with the pc setup https port command) was already in use, PolicyCenter automatically uses the last valid port number specified, or the default value (443). In this situation, the pc setup https show output displays a "Fail binding to port" message and indicates the port number that is being used instead. In addition, a notification appears in the system banner when you log on. For example:

Attention: HTTPS service failed to start on the port configured in the configuration file. Port 443 is used instead.
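The following is an added example, not taken from the Blue Coat documentation or the PolicyCenter code, of how to pin a PolicyCenter HTTPS endpoint to the thumbprint that pc setup https show prints (and to re-check it after pc setup https certificate). It reproduces the CLI's colon-separated SHA1/MD5 presentation over the certificate's DER bytes, adds a SHA-256 digest that the CLI does not print, compares in constant time while tolerating case and separator differences, and wraps the live fetch in a function that uses the standard library only. The SAMPLE_DER value is a constructed stand-in, not a real certificate; the function names are the author's.

```python
import hashlib
import hmac
import re
import ssl

# Constructed stand-in for a certificate's DER bytes (not a real certificate);
# the CLI hashes exactly these bytes, so any byte string demonstrates the arithmetic.
SAMPLE_DER = bytes(range(256)) * 3


def thumbprints(der: bytes) -> dict:
    """Digests in the same presentation as `pc setup https show`: upper-case hex, colon-separated.

    sha1 is the CLI's "Thumbprint(SHA1)", md5 its "Fingerprint(MD5)"; sha256 is
    added here because modern browsers and openssl show that one.
    """
    def fmt(digest: bytes) -> str:
        return ":".join(f"{b:02X}" for b in digest)
    return {"sha1": fmt(hashlib.sha1(der).digest()),
            "md5": fmt(hashlib.md5(der).digest()),
            "sha256": fmt(hashlib.sha256(der).digest())}


def normalize_fingerprint(text: str) -> str:
    """Strip colons, spaces and case so values copied from different UIs compare equal."""
    return re.sub(r"[^0-9A-F]", "", text.upper())


def thumbprint_matches(der: bytes, expected: str, algo: str = "sha1") -> bool:
    """True only if the full digest of `der` equals `expected` (no prefix matching)."""
    got = normalize_fingerprint(thumbprints(der)[algo])
    exp = normalize_fingerprint(expected)
    if len(exp) != len(got):          # a truncated value must never match
        return False
    return hmac.compare_digest(got.encode(), exp.encode())


def check_policycenter(host: str, expected_sha1: str, port: int = 443) -> bool:
    """Fetch the live certificate from PolicyCenter and pin it to the CLI thumbprint.

    ssl.get_server_certificate does not validate the chain when no CA file is
    given, which is what we want for a self-issued appliance certificate:
    the thumbprint comparison is the whole check. (Not exercised offline.)
    """
    pem = ssl.get_server_certificate((host, port))
    return thumbprint_matches(ssl.PEM_cert_to_DER_cert(pem), expected_sha1, "sha1")
```

Run check_policycenter("policycenter.example", "87:CA:93:...") with the value read from the console over a trusted path (serial or an already-pinned session); a False result after a certificate regeneration is expected until the new thumbprint is distributed, and a False result at any other time is worth treating as a possible interception.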


pc setup message (For PolicyCenter only)

Configure a message that displays before logging into PolicyCenter. The message displays before users log in via the browser login page or the PolicyCenter console (CLI). This feature is useful for informing users about the company's access policies and the consequences of unauthorized use. This command can only be issued by network administrators with touch-role access to the PC organization.

pc setup message {set <message>}|show|default

set <message>   Defines the message text. The text should be enclosed in quotation marks and can be up to 511 characters long.

show            Displays the content of the login message.

default         Clears the message text.

Examples

pc setup message set "Access to this system is restricted to authorized users only."
Message set to: "Access to this system is restricted to authorized users onl...

pc setup message show

Configured Message: Access to this system is restricted to authorized users only.

Notes

Quotation marks indicate the beginning and end of the login message. You cannot use a quotation mark within the body of the login message.

The message can be configured in the browser interface as well. See PolicyCenter Login Message.

To configure a login message for PacketShapers managed by PolicyCenter sharable configurations, see setup message.


pc setup show (For PolicyCenter only)

Display the basic configuration for your PolicyCenter software. This command can only be issued by network administrators with access to the PC organization. The output includes the RADIUS shared secret and the directory server password in clear text, so do not paste it into tickets or e-mail unredacted.

pc setup show

General Settings:
  IP address:             172.16.16.16
  Subnet mask:            255.255.0.0
  Gateway:                172.16.16.1
  DNS server(s):          172.16.64.10
  Default domain:         mycompany.com
  Date, time, timezone:   Thu Dec 9 17:38:52 2006 PST (LosAngeles)
  SNTP Client:            off
  SNTP Primary Server:    time.nist.gov
  SNTP Secondary Server:  time-a.nist.gov
  SNTP Poll Seconds:      300
  HTTPS port:             443
  Syslog:                 off

Auto-Deployment Server Configuration:
  Server State    : off
  Server Interval : 300 (seconds)

RADIUS Setup values:
  Radius Method  :CHAP
  Authentication :on
  Accounting     :off
  Retry limit    :3
  Retry interval :5

RADIUS Service records:
  Type    Host                   Port   Secret
  auth1   server.mycompany.com   1812   mysecret

Directory Server password: myDSpassword


pc setup sntp (For PolicyCenter only)

Set or display the Simple Network Time Protocol (SNTP) configuration for your PolicyCenter software. SNTP is used to synchronize the PolicyCenter server's clock to a server configured to propagate highly accurate time information through the Internet. This command can only be issued by network administrators with touch-role access to the PC organization.

pc setup sntp on|off|servers {<primary> [<secondary>]|none}|poll|reset|sync

To define a primary and secondary SNTP server, enter a standard dotted-decimal IP address for <primary> or <secondary>. To view current settings, issue the command pc setup show.


pc setup timezone (For PolicyCenter only)

When you configure a time zone, PolicyCenter can change its local time automatically at the start and end of daylight saving time. It can also retrieve time updates from time servers. This command can only be issued by network administrators with touch-role access to the PC organization.

pc setup timezone [<name>|custom <tz_spec>]

Each time zone has a unique name, usually the name of the best-known city in that zone. The default time zone is LosAngeles, CA. To display the valid time zones, use pc setup timezone help.

<tz_spec> is a string defined by POSIX.1 as:

<std><offset>[<dst>[<offset>],<date>[/<time>],<date>[/<time>]]

Where:

<std> and <dst>    3 or more characters specifying the standard and daylight saving time (DST) zone names

<offset>           [-]hh:[mm[:ss]] specifies the offset west of UTC (so EET-2 means two hours ahead of UTC). The default DST offset is one hour ahead of standard time.

<date>[/<time>]    Specifies the beginning and end of DST. If this is absent, the system applies US DST rules (first Sunday of April at 2:00 AM to last Sunday of October at 2:00 AM). These are the pre-2007 US rules; since 2007 the US observes DST from the second Sunday of March to the first Sunday of November, so give explicit rules for a custom US zone rather than relying on the default.

<time>             hh:[mm[:ss]] with a default of 02:00

<date>             One of the following forms:

                   Jn (1<=n<=365): origin-1 day number, not counting February 29

                   n (0<=n<=365): origin-0 day number, counting February 29, if present

                   Mm.n.d (0[Sunday]<=d<=6[Saturday], 1<=n<=5, 1<=m<=12): the dth day of week n of month m of the year, where week 1 is the first week in which day d appears, and 5 stands for the last week in which day d appears (which may be either the 4th or 5th week)

For example, you could configure a time zone for Cairo, Egypt with the command:

pc setup timezone custom EET-2EEST,M4.5.5/01:00,M9.5.5/03:00

Current time zone:
Time zone name:    Custom
Time zone desc:    Custom time spec in POSIX format
Time zone spec:    EET-2EEST,M4.5.5/01:00,M9.5.5/03:00
Time zone offset:  GMT+02:00
DST offset:        60 minutes
DST starts:        Last Friday of April at 01:00 AM
DST ends:          Last Friday of September at 03:00 AM

In this example, the standard time, known as EET, is two hours ahead of GMT, and daylight saving time, known as EEST, is the default 60 minutes ahead of EET. Rather than using the US default rules, EEST begins on the last Friday of April at 1:00 AM and ends on the last Friday of September at 3:00 AM.
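To make the <tz_spec> grammar above concrete, the following is an added example (the author's own code, not Blue Coat's) that parses a POSIX TZ string exactly as the page describes it, resolves the Jn, n and Mm.n.d date forms for a given year, applies the page's stated default rules when no rule pair is present, and reports which UTC offset is in force at a wall-clock time. Fed the Cairo specification from the example it yields the same transitions the CLI prints. Function names and the handling of an unparseable string are assumptions of this example.

```python
import re
from datetime import date, datetime, time, timedelta

# Grammar from the page: <std><offset>[<dst>[<offset>][,<date>[/<time>],<date>[/<time>]]]
_TZ_RE = re.compile(
    r"^(?P<std>[A-Za-z]{3,})(?P<stdoff>[+-]?\d+(?::\d+(?::\d+)?)?)"
    r"(?:(?P<dst>[A-Za-z]{3,})(?P<dstoff>[+-]?\d+(?::\d+(?::\d+)?)?)?"
    r"(?:,(?P<start>[^,]+),(?P<end>[^,]+))?)?$"
)

# The page states that a missing rule pair means the (pre-2007) US rules:
# first Sunday of April 02:00 to last Sunday of October 02:00.
_DEFAULT_RULES = ("M4.1.0/02:00", "M10.5.0/02:00")


def parse_hms(text: str) -> timedelta:
    """[-]hh[:mm[:ss]] -> timedelta, sign preserved."""
    sign = -1 if text.startswith("-") else 1
    h, *rest = (int(p) for p in text.lstrip("+-").split(":"))
    minutes = rest[0] if rest else 0
    seconds = rest[1] if len(rest) > 1 else 0
    return sign * timedelta(hours=h, minutes=minutes, seconds=seconds)


def rule_date(rule: str, year: int) -> date:
    """Resolve a POSIX <date> rule (Jn, n or Mm.n.d) to a calendar date in `year`."""
    if rule.startswith("M"):
        m, n, d = (int(x) for x in rule[1:].split("."))
        first = date(year, m, 1)
        # date.weekday(): Monday=0..Sunday=6; POSIX d: Sunday=0..Saturday=6
        first_d = first + timedelta(days=(d - (first.weekday() + 1) % 7) % 7)
        candidate = first_d + timedelta(weeks=n - 1)
        while candidate.month != m:   # n=5 means "last", which may be the 4th week
            candidate -= timedelta(weeks=1)
        return candidate
    if rule.startswith("J"):
        n = int(rule[1:])             # 1..365, February 29 is never counted
        d = date(year, 1, 1) + timedelta(days=n - 1)
        leap = (year % 4 == 0 and year % 100 != 0) or year % 400 == 0
        return d + timedelta(days=1) if leap and n >= 60 else d
    return date(year, 1, 1) + timedelta(days=int(rule))   # 0..365, Feb 29 counted


def transition(rule_spec: str, year: int) -> datetime:
    """<date>[/<time>] -> naive wall-clock datetime; <time> defaults to 02:00."""
    rule, _, t = rule_spec.partition("/")
    return datetime.combine(rule_date(rule, year), time()) + parse_hms(t or "02:00")


def parse_posix_tz(spec: str, year: int) -> dict:
    """Decode a <tz_spec> into UTC offsets and that year's DST transitions."""
    m = _TZ_RE.match(spec)
    if not m:
        raise ValueError(f"not a POSIX TZ spec: {spec!r}")
    # POSIX offsets are west of UTC, so EET-2 is UTC+02:00
    std_utc = -parse_hms(m["stdoff"])
    info = {"std": m["std"], "std_utc_offset": std_utc, "dst": m["dst"],
            "dst_utc_offset": None, "dst_start": None, "dst_end": None}
    if m["dst"]:
        info["dst_utc_offset"] = (-parse_hms(m["dstoff"]) if m["dstoff"]
                                  else std_utc + timedelta(hours=1))
        start, end = (m["start"], m["end"]) if m["start"] else _DEFAULT_RULES
        info["dst_start"] = transition(start, year)
        info["dst_end"] = transition(end, year)
    return info


def utc_offset_at(spec: str, local_dt: datetime) -> timedelta:
    """UTC offset in force at a naive wall-clock time (the repeated hour at DST end is treated as DST)."""
    tz = parse_posix_tz(spec, local_dt.year)
    if not tz["dst"]:
        return tz["std_utc_offset"]
    start, end = tz["dst_start"], tz["dst_end"]
    if start <= end:
        in_dst = start <= local_dt < end
    else:                              # southern hemisphere: DST spans the new year
        in_dst = not (end <= local_dt < start)
    return tz["dst_utc_offset"] if in_dst else tz["std_utc_offset"]
```

parse_posix_tz("EET-2EEST,M4.5.5/01:00,M9.5.5/03:00", 2013) returns a +02:00 standard offset, a +03:00 DST offset, and transitions on 2013-04-26 01:00 and 2013-09-27 03:00, matching the "Last Friday of April" and "Last Friday of September" lines of the CLI output; getting these rules wrong shifts every log and audit timestamp PolicyCenter records by an hour for half the year, which is why a custom spec is worth checking this way before it is committed.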


pc setup variable (For PolicyCenter only)

Change a default variable setting for the PolicyCenter software configuration.

pc setup variable [<variable> <value>|default] | [-reset|-nd]

where <variable> is one of the variables listed below and <value> is the value you want to set the variable to. The default, minimum, and maximum values for each <variable> are listed in the table.

After changing a variable's setting, you need to stop and then restart the PolicyCenter service in order for the change to take effect. To stop and restart the PolicyCenter service:

1. Access the Windows services panel on your PolicyCenter server. (Settings > Control Panel > Administrative Tools > Services)

2. Select the PolicyCenter service from the list of services.

3. Click the square stop icon to stop the PolicyCenter service.

4. Click the triangle start icon to restart the PolicyCenter service.

To reset all system variables to their defaults, use the pc setup variable -reset command. To reset a specific variable to its default, use the pc setup variable <variable> default command. To see a list of all variables that have non-default settings, use the pc setup variable -nd command.

Variable/Description

DefaultValue

Min.Value

Max.Value

accelerationStrictHostCheck
When this variable is enabled, outbound TCP flows will be accelerated only if the source host is configured (or discovered) on the local device and the destination host is configured/discovered as a remote host via the outbound tunnel. Likewise, inbound accelerated flows will not be intercepted unless the source host is configured/discovered as a remote host via the inbound tunnel and the destination host is configured/discovered on the local device.

Certain topologies require this variable to be enabled in order for acceleration to work properly:

- Multiple inline PacketShapers
- Hub-and-spoke topologies in which traffic accelerated at the edge PacketShaper will pass through an intermediate PacketShaper at the central site

Notes:

- Enabling this variable may result in a slight degradation of performance for XTP acceleration, since lookup and validation of local and remote hosts are done per packet. SCPS acceleration does not have this side effect.
- If packets pass through the same PacketShaper multiple times, it may be necessary to restrict hosts (using the tunnel discovery host command), to manually provision hosts on a particular side (using the hostdb side manual command), or to disable host discovery (using the tunnel discovery command).

Default: 0 (off)    Minimum: 0 (off)    Maximum: 1 (on)

autoCreateSameSide
When this variable is enabled, the SameSide class is created automatically. When disabled, the SameSide class will not be auto-created. You may want to disable this variable if traffic is being misclassified into the SameSide class.

Default: 1 (on)    Minimum: 0 (off)    Maximum: 1 (on)

bridgePassThru
With bridgePassThru enabled, the PacketShaper forwards packets that have a source and destination MAC address on the same side of the unit. When bridgePassThru is disabled and traffic shaping is enabled, the PacketShaper drops packets that have source and destination MAC addresses on the same side.

Default: 1 (on)    Minimum: 0 (off)    Maximum: 1 (on)

cmprsnDiffservInterop
Preserve TOS (Type-of-Service) IP header values on compressed packets. When this option is enabled, TOS values will be preserved on IPComp packets. When it is disabled, TOS values will not be preserved on compressed packets.

Note: This variable is applicable to legacy compression tunnels only.

Default: 1 (on)    Minimum: 0 (off)    Maximum: 1 (on)

cmprsnDiffservReapply
Reapply network-modified TOS IP header values to decompressed packets. When this option is enabled, the decompressing PacketShaper will compare the original TOS value of the compressed packets to the TOS value in the IPComp packet's IP header. If the network modified the TOS value of the IPComp packet, Xpress will apply this modified TOS value to the original packets as they are decompressed.

Notes:

- The cmprsnDiffservInterop variable must also be enabled.
- This variable is applicable to legacy compression tunnels only.

Default: 0 (off)    Minimum: 0 (off)    Maximum: 1 (on)

cmprsnEnablePacking
When packing is enabled, multiple packets are combined into a single "super packet" in order to save on overhead. Packing increases compression rates because less data is being sent out on the wire.

On very busy links, packing doesn't cause much latency because the packets are bundled and sent off quickly. On less active links, Xpress may have to wait to get enough packets in a bundle, possibly creating application performance problems. If you are experiencing latency, try lowering the packing hold time or disabling it altogether.

Note: This variable is applicable to legacy compression tunnels only.

Default: 0 (off)    Minimum: 0 (off)    Maximum: 1 (on)

cmprsnFirewallSupport
Enables/disables firewall support for the Xpress compression feature. If set to 0, Xpress firewall support is disabled; use this setting when there is not a firewall between partner units.

When there is a firewall between partner units, you should enable firewall support by selecting either 1 or 2:

1: Firewall support is enabled only when compression is ON.
2: Firewall support stays enabled for persistent flows even after disabling compression. When compression is turned off, any TCP flows already hidden from the firewall continue to be hidden (tunneled), but new TCP flows are not hidden.

Note: This variable is applicable to legacy compression tunnels only.

Default: 0    Minimum: 0    Maximum: 2

cmprsnHostEntries
The maximum number of hosts and partners that can be defined to use the compression facility.

* 0 indicates that the default system limit will be used; the system limit depends on the amount of memory installed in the unit.

Default: 0*    Minimum: 2    Maximum: 99999

cmprsnInsideHostMode
Set inside host lists to be inclusive or exclusive. If inclusive, inbound traffic destined to inside hosts on the host list is eligible for tunneling. If exclusive, traffic destined to the listed hosts is not sent through the Xpress tunnel but all other inside hosts are eligible for tunneling. Use the tunnel discovery host command to create the list.

Default: 0 (inclusive)    Minimum: 0 (inclusive)    Maximum: 1 (exclusive)

cmprsnMaxRetransmissions
The maximum consecutive retransmissions of a packet before a compression tunnel is shut down.

Default: 5    Minimum: 0    Maximum: 99

cmprsnOutsideHostMode
Set outside host lists to be inclusive or exclusive. If inclusive, outbound traffic destined to outside hosts on the host list is eligible for tunneling. If exclusive, traffic destined to the listed hosts is not sent through the Xpress tunnel but all other outside hosts are eligible for tunneling. Use the tunnel discovery host command to create the list.

Default: 0 (inclusive)    Minimum: 0 (inclusive)    Maximum: 1 (exclusive)

cmprsnPackingHoldTimeMsecs
Maximum number of milliseconds packets will be held for packing. When PacketShaper receives a packet, it is held up to the maximum packing hold time (10 ms by default), waiting to be combined with additional packets. After that time expires, Xpress compresses all the accumulated packets into a super packet and sends it out.

Note: This variable is applicable to legacy compression tunnels only.

Default: 10    Minimum: 0    Maximum: 1024

cmprsnPartnerMode
Set tunnel partner lists to be inclusive or exclusive. If inclusive, Xpress creates tunnels only with the listed PacketShapers. If exclusive, Xpress does not establish tunnels with the listed PacketShapers; only PacketShapers not listed will have tunnels established. Use the tunnel discovery partner command to create the list.

Default: 0 (inclusive)    Minimum: 0 (inclusive)    Maximum: 1 (exclusive)

cmprsnRSVPPathDiscard
When cmprsnRSVPPathDiscard is disabled (the default), the PacketShaper will respond to an RSVP (Resource Reservation Protocol) message from another PacketShaper and continue to pass the original RSVP packet to the inside to any other PacketShapers that may be downstream.

When this variable is enabled, the PacketShaper will respond to the RSVP message but will not send the packet on. Note that the packet will be discarded only when compression is enabled and when the RSVP packet is moving inwards.

Note: This variable is applicable to legacy compression tunnels only.

Default: 0 (off)    Minimum: 0 (off)    Maximum: 1 (on)

cmprsnTransparentTrigger
The number of consecutive retransmissions of a packet before Xpress disables the compression tunnel and sends packets in the clear (uncompressed). The tunnel will resume normal operation after it gets an acknowledgment for the retransmitted packets; if an acknowledgment is not received before the tunnel shutdown threshold is reached, the tunnel will be shut down.

Note: This variable is applicable to legacy compression tunnels only.

Default: 2    Minimum: 0    Maximum: 99

DiffservClassSortPref
Controls the sort order of the traffic tree, with respect to Diffserv classes (those with DSCP marks). Three settings are available:

0: Diffserv classes are sorted below IP-address-based classes, but above port-based classes (the default).
1: Diffserv classes are sorted above IP-address-based classes.
2: Legacy sort order (Diffserv classes are sorted after IP-address-based classes, port-based classes, and auto-discovered classes).

Note: The new sort order doesn't take effect until the unit is rebooted.

Default: 0    Minimum: 0    Maximum: 2

discoveryThresholdDynamicPort
The number of new connections of an identifiable service to a port greater than 1024 that must be identified within a one-minute timeframe before PacketWise creates a class.

Default: 2    Minimum: 1    Maximum: 1000000

discoveryThresholdNonIP
The number of new non-IP connections of a given type that must be identified within a one-minute timeframe before PacketWise creates a class.

Default: 2    Minimum: 1    Maximum: 1000000

discoveryThresholdNormal
The number of new connections of an identifiable service to a port less than or equal to 1024 that must be identified within a one-minute timeframe before PacketWise creates a class.

Default: 1    Minimum: 1    Maximum: 1000000

discoveryThresholdPort
The number of new connections to a particular port within a one-minute timeframe before PacketWise creates a Port_#### class in the DiscoveredPorts folder.

It may be necessary to increase this value on Internet link deployments to prevent an excessive number of DiscoveredPorts classes being created. If you don't want any Port_#### classes discovered, set this variable to its maximum value.

Default: 100    Minimum: 1    Maximum: 1000000

dynPtnActiveReuseSeconds
The number of seconds a dynamic partition will be retained after an established flow has sent packets.

Note: If no other user needs a dynamic partition, the partition will be retained indefinitely.

Default: 300 (5 min)    Minimum: 10    Maximum: 7200 (2 hrs)

dynPtnIdleReuseSeconds
The number of seconds a dynamic partition will be retained after an established flow has not sent or received packets.

Note: If no other user needs a dynamic partition, the partition will be retained indefinitely.

Default: 30    Minimum: 10    Maximum: 7200 (2 hrs)

dynPtnSequestrationCount
The number of partitions reserved for static partitions; all other partitions can be used for dynamic or static partitions (applicable to PacketShaper 1200 and 1500 only).

Default: 3    Minimum: 0    Maximum: 99

enableCongestion
Enable/disable the calculation of packet exchange time. When this variable is disabled, the Pkt Exch column on the Monitor Traffic page will not appear, RTM will not be available, and the packet exchange time and RTM measurement variables will always have a value of 0.

After disabling the enableCongestion variable, you should reset the unit.

Default: 1 (on)    Minimum: 0 (off)    Maximum: 1 (on)

enableLatency
Enable/disable the calculation of VoIP metrics. When this variable is enabled, PacketWise collects data that measure packet loss, jitter, and latency for VoIP flows.

Notes:

- VoIP metrics can only be measured between PacketShapers with the VoIP metrics feature enabled.
- The VoIP metrics feature can measure traffic only from VoIP applications whose data is classified as RTP-I. For instance, latency metrics are not provided for DialPad, iChat, Vonage, and Skype.

Default: 0 (off)    Minimum: 0 (off)    Maximum: 1 (on)

enableSupportForSSHv1
Enable/disable support for Secure Shell version 1 (SSH v1) for secure access to the PacketShaper. When this variable is enabled, the PacketShaper can be accessed with SSHv1 and SSHv2 clients. When this variable is disabled, only SSH clients using the SSHv2 protocol version are supported.

Note that this variable doesn't take effect until the PacketShaper is reset.

Default: 1 (on)    Minimum: 0 (off)    Maximum: 1 (on)

enableWinnyClassification
Enable/disable classification of the Winny service. For optimal performance, enable only when management of Winny traffic is required.

Note: The Winny peer-to-peer application is used primarily in Japan.

Default: 0 (off)    Minimum: 0 (off)    Maximum: 1 (on)

flowRecordsIntermediateTimeout
Number of milliseconds between generation and sending of intermediate flow detail records when traffic is present.

Default: 1500    Minimum: 1000    Maximum: 36000

flowRecordsPktr0Timeout
Number of seconds between generation and sending of Packeteer-0 flow records.

Default: 3600    Minimum: 10    Maximum: 5000

flowRecordsPktrPTimeout
Number of seconds between generation and sending of Packeteer-P flow records.

Default: 60    Minimum: 10    Maximum: 5000

flowRecordsResetCounters
Controls whether or not the counter fields in FDR packets are reset with each intermediate FDR sent.

Note: This variable only affects Packeteer-1 and Packeteer-2 format FDRs; counter fields are always reset in the NetFlow-5 format.

Default: 1 (on)    Minimum: 0 (off)    Maximum: 1 (on)

flowRecordsSendIntermediate
Enable/disable the intermediate flow detail records feature. When this variable is enabled, PacketWise emits intermediate FDRs at the interval specified by the flowRecordsIntermediateTimeout variable.

Note: Enable the intermediate flow detail records feature only when using a suitably instrumented collector, such as Cisco-based NetFlow-5 collectors. IntelligenceCenter does not support intermediate FDRs.

Default: 0 (off)    Minimum: 0 (off)    Maximum: 1 (on)

flowRecordsSendPktrP
Enable/disable emission of Packeteer-P packets to Packeteer-1 and Packeteer-2 flow detail record collectors. Packeteer-P packets contain statistics that are not related to particular flows, but rather provide information about utilization on the PacketShaper at the time flows are recorded. If this variable is enabled, Packeteer-P records are sent after each UDP flow record packet is sent to Packeteer-1 or Packeteer-2 collectors (not more than once per minute).

Default: 0 (off)    Minimum: 0 (off)    Maximum: 1 (on)

flowRecordsSendPktr0
Enable/disable emission of Packeteer-0 packets to Packeteer-1 and Packeteer-2 flow detail record collectors. Packeteer-0 packets are mapping messages that allow collectors to decipher PacketShaper-related information in the FDRs they receive. For example, in the FDR's ClassID field, a value identifies the traffic class. In order for the collector to understand what class is actually associated with the ID, it uses the class map — a list that contains each traffic class on the unit along with the identifying number assigned to each class. If this variable is enabled, Packeteer-0 mappings are sent out approximately once each hour. Note that this variable needs to be enabled only if the collector does not know this information through other means.

Default: 0 (off)    Minimum: 0 (off)    Maximum: 1 (on)

frameMaxRouteEntries
The maximum number of route entries PacketWise can import from a FRAD or ATM routing table.

Note: This variable is not supported on the PacketShaper 900 Lite models.

Default: 300    Minimum: 25    Maximum: 2000

graphTimeoutSeconds
The maximum number of seconds a graph can take to generate in the browser interface; if the graph takes longer to generate than this value, a system timeout error message will appear.

Note: Increasing this setting can make the browser interface appear to "freeze" while PacketWise is generating some of the more complex graphs. Sometimes the browser will not display the page until all of the graphs are generated.

Default: 60    Minimum: 1    Maximum: 600 (10 min)

hostTspecCacheInside
Enable/disable caching of IP address-based classes on the inside. Change this setting to outside (0) to increase performance of classification if the majority of IP addresses in manually created classes are on the outside, rather than the inside. To disable the caching of inside IP address-based classes, use the setup variable hostTspecCacheInside 0 command. After you reset the PacketShaper, IP address-based classes will be cacheable on the outside. To re-enable caching for inside classes, use the setup variable hostTspecCacheInside 1 command.

Default: 1 (inside)    Minimum: 0 (outside)    Maximum: 1 (inside)

httpStealth503
Control the display of the "503 - Service unavailable" server error message when a connection is refused because of admission control (such as a never-admit policy).

0 — The "503 - Service unavailable" message will be customized with the text "This message is sent by Blue Coat PacketShaper."
1 — The PacketShaper text is not displayed with the "503 - Service unavailable" message.
2 — PacketWise performs a TCP reset and drops the HTTP request; the error message will likely be "The attempt to load http://... failed."

Default: 0    Minimum: 0    Maximum: 2


LFNSupport
When enabled, this setting improves performance on Long Fat Networks (LFN), which require larger TCP window sizes. An LFN is a long-distance network with large bandwidth and long delay; for example, high-capacity satellite channels are LFNs.

Default: 0 (off)    Minimum: 0 (off)    Maximum: 1 (on)

linkOverheadBytes
Number of bytes that are added to each packet to account for WAN protocol header overhead.

Default: 0    Minimum: 0    Maximum: 256

linkOverheadPpt
Number of parts per thousand* by which packet sizes are increased to account for link overhead. This adjustment is useful for links that do bit stuffing. (Bit stuffing is the practice of adding bits to a stream of data. Bit stuffing is required by many network and communications protocols, for example to prevent data from being interpreted as control information.)

* To be more precise, it's actually parts per 1024.

Default: 35 (3.5%)    Minimum: 0    Maximum: 1024

mirrorLinks
Enable/disable link state mirroring. With link state mirroring, PacketWise will bring down the second port of a NIC pair if the first goes down. This feature allows each PacketShaper to sit between a WAN router and a switch without blocking detection of switch outages by the router. Link state mirroring is automatically enabled when direct standby is enabled and the redundant management port is connected.

Note: Link state mirroring is not active on the LEM being used for the direct link; this allows you to disconnect the redundant management port without impacting connectivity. However, link state mirroring is disabled when the redundant management link is disconnected.

Default: 0 (off)    Minimum: 0 (off)    Maximum: 1 (on)

mplsSecondLabelIndex
Designates the MPLS label stack position (1-5) to be looked at for classification purposes. By default, PacketWise looks at the top MPLS label (1), which identifies the path through the core. If you want to classify by other MPLS labels (2-5) in the MPLS stack, you need to change this system variable to identify the stack position.

Default: 1    Minimum: 1    Maximum: 5

PolicyFlowLimitForAllClasses
Enables/disables the policy flow limit feature. When enabled, PacketWise will enforce all policy flow limits that have been set on traffic classes. When disabled, all policy flow limits will be ignored. For additional information, see policy flowlimit.

Default: 1 (on)    Minimum: 0 (off)    Maximum: 1 (on)

probeIntervalSeconds
Number of seconds between the issuance of VoIP latency probes that measure VoIP metrics, enabled by the enableLatency variable.

Default: 5    Minimum: 1    Maximum: 60

rtoInboundClampMsecs
Number of milliseconds delay for clamping early retransmission timeout on Inbound packets. Puts a maximum on retransmit time.

Default: 1600    Minimum: 0 (disable)    Maximum: 3000 (3 sec)

rtoOutboundClampMsecs
Number of milliseconds delay for clamping early retransmission timeout on Outbound packets.

Default: 1600    Minimum: 0 (disable)    Maximum: 3000 (3 sec)

syntheticReadTimeoutSeconds
Number of seconds after which a synthetic transaction will end when the response received is incomplete.

Note: This variable is not supported on PacketShaper ISP models.

Default: 5    Minimum: 1    Maximum: 1000

syntheticWriteTimeoutSeconds
Number of seconds after which a synthetic transaction will be canceled if the server fails to respond to a request.

Note: This variable is not supported on PacketShaper ISP models.

Default: 60    Minimum: 10    Maximum: 5000

tcpClipInitialWindow
When tcpClipInitialWindow is enabled, the PacketShaper will always reduce the initial TCP window size to 1x MSS (maximum segment size).

When this variable is disabled, new flows will ramp up faster, but enforcement of small rate policies and/or partitions may not work at the beginning of flows.

Default: 1 (on)    Minimum: 0 (off)    Maximum: 1 (on)


tcpMssInbound
Maximum segment size of TCP packets on Inbound flows. This setting can help avoid packet fragmentation when using a VPN that cannot carry 1500-byte packets (the default size) through the VPN tunnel.

Default: 1460 bytes    Minimum: 0    Maximum: 65535

tcpMssOutbound
Maximum segment size of TCP packets on Outbound flows.

Default: 1460 bytes    Minimum: 0    Maximum: 65535

tcpSmallMssLinkSpeed
Link speeds slower than this value will force the use of a smaller MSS (maximum segment size). This prevents PacketWise from changing the MSS on large WAN links.

Default: 384000 bps    Minimum: 0    Maximum: 512000

tnlDontSpanPackets
When packets are being packed into super packets, this variable determines whether a packet's contents will be spanned across two super packets. By default, packets are not spanned.

Default: 1 (on)    Minimum: 0 (off)    Maximum: 1 (on)

tnlInheritInbound
Determines how Xpress selects an outbound tunnel when a destination host is reachable via multiple routes. When this variable is enabled, Xpress will choose the tunnel that first serviced the inbound flow. When this variable is disabled, Xpress will choose the tunnel it discovered first.

Default: 0 (off)    Minimum: 0 (off)    Maximum: 1 (on)

tnlLocalArpDiscovery
One of three mechanisms for discovering local hosts for Xpress tunnels. When localArpDiscovery is enabled, Xpress extracts the source IP address from a valid ARP request or response and adds it as a local host for Xpress tunnels.

This mechanism is enabled by default but only operates when global host discovery is enabled with the tunnel discovery command. This variable can be disabled for troubleshooting host discovery on different network topologies.

Note: This variable is applicable to enhanced tunnels only.

Default: 1 (on)    Minimum: 0 (off)    Maximum: 1 (on)

tnlLocalIpDiscovery
One of three mechanisms for discovering local hosts for Xpress tunnels. When localIpDiscovery is enabled, Xpress extracts the IP addresses of all inside hosts and adds them to the local host list for Xpress tunnels.

This mechanism is enabled by default but only operates when global host discovery is enabled with the tunnel discovery command. This variable can be disabled for troubleshooting host discovery on different network topologies.

Note: This variable is applicable to enhanced tunnels only.

Default: 1 (on)    Minimum: 0 (off)    Maximum: 1 (on)

tnlLocalOspfDiscovery
One of three mechanisms for discovering local hosts (subnets) for Xpress tunnels. When the OSPF (Open Shortest Path First) routing protocol is configured on a router, the router will broadcast link-state advertisement (LSA) messages to its subnets. When localOspfDiscovery is enabled, Xpress will examine these LSA messages, looking for any subnets that are local to the PacketShaper. These hosts will then be added to the local host list.

This mechanism will not work in a redundant topology and is disabled by default. In a non-redundant topology, you have the option of enabling this variable if you so choose.

Note: This variable is applicable to enhanced tunnels only.

Default: 0 (off)    Minimum: 0 (off)    Maximum: 1 (on)

tnlRemoteRsvpDiscovery
A mechanism for discovering remote hosts for Xpress tunnels. When remoteRsvpDiscovery is enabled, Xpress sends RSVP Path request messages, and if another Xpress unit along the path recognizes the host (the host being probed for) as a local host, it will respond with an RSVP Resv reply message. If an RSVP Resv reply message is received for a host, the host will be added to the list of remote hosts.

This mechanism is enabled by default but only operates when global host discovery is enabled with the tunnel discovery command. This variable can be disabled for troubleshooting host discovery on different network topologies.

Note: This variable is applicable to enhanced tunnels only.

Default: 1 (on)    Minimum: 0 (off)    Maximum: 1 (on)

tnlTcpServerPort
The TCP port number that Xpress tunnels use for transport.

Notes:

- Traffic from any user machine sourcing from this port will not be accelerated.
- When you change the TCP port number, only new tunnels (those formed after the change) will use the new port. If there were any tunnels using the old port, be sure to delete them so that all tunnels use the same port.

Default: 64600    Minimum: 1    Maximum: 65535

trafficIsAsymmetric
By turning on this setting, PacketWise will automatically assume all flows are asymmetric and stop TCP Rate Control. In topologies where there is a large percentage of asymmetric flows, this may be more efficient than attempting to apply regular rate control. In addition to disabling rate control, turning on this setting disables all layer 7 classification activities (PacketWise must see traffic in both directions in order to classify layer 7).

Default: 0 (off)    Minimum: 0 (off)    Maximum: 1 (on)

userEventExtSnmpVersion
Enable/disable the extended SNMP trap for user events. When this variable is turned on, there will be an additional field in the trap that indicates the type of situation that triggered the trap. The field indicates violated (when the threshold was exceeded) or rearm (when the re-arm value was crossed).

Default: 0 (off)    Minimum: 0 (off)    Maximum: 1 (on)

userEventMaxDefinitions
The maximum number of events that can be user-defined.

Default: 32    Minimum: 32    Maximum: 128

userEventMaxRegistrations
The maximum number of events that can be registered.

Default: 32    Minimum: 32    Maximum: 128

wccpRedirectUseShaperMAC
This variable determines which source MAC address will be used for packets that are rejected by the cache device in WCCP redirection mode. When this variable is enabled, the MAC address of the PacketShaper will be used as the source. When the variable is disabled, the MAC address of the paired cache device will be used.

This variable should be disabled when the cache device and the clients are on different subnets in a VLAN topology. Other supported topologies should use the default setting (on).

Default: 1 (on)    Minimum: 0 (off)    Maximum: 1 (on)

xpressLegacyMemoryRatio
Percent of memory to assign to legacy tunnels when in migration mode. For example, a ratio of 30 would allocate 30 percent of memory to legacy compression tunnels and 70 percent to enhanced Xpress tunnels.

Default: 50    Minimum: 20    Maximum: 80

xpressMode
Mode for Xpress tunnels.

0 — Legacy mode uses the PacketWise v6.x/7.x tunnel infrastructure. In legacy mode, the commands and capabilities are limited to those that were available in PacketWise 7.x. A tunnel's sole capability in legacy mode is to transport compressed data.
1 — Enhanced mode uses the new PacketWise 8.x tunnel infrastructure. In enhanced mode, a tunnel serves multiple purposes and can include one or more of the following features: compression, acceleration, and packing.
2 — Migration mode supports both types of tunnels: legacy and enhanced. Use this mode when migrating from earlier versions of PacketWise. For more information about migration mode, see Information about Migration Mode.

The default mode for new installations is enhanced mode. The default for units that have upgraded to 8.x is migration mode.

Default: 1 or 2    Minimum: 0    Maximum: 2


pc syslog add
For PolicyCenter only

Add a Syslog server for PolicyCenter. The logging and PolicyCenter syslog audit trail features give administrators a way to centrally log and analyze user events and system warning messages. For example, if you are using RADIUS authentication, each failed login attempt to PolicyCenter will be sent to the defined Syslog server.

Adaptive response action files and user events can be configured to send messages to a Syslog server. For example, whenyou register an event, you will be asked if you want to send events to Syslog; you can define and register an event that sendsa message to a Syslog server when retransmissions rise to 30 percent of your network activity. This command can only beissued by network administrators with touch-role access to the PC organization.

You can add up to four servers.

pc syslog add host:<ipaddress> [output:<facility>,<level>] [port:<portnum>] [datetime]

host:<ipaddress>
    The Syslog server IP address — for example, host:10.7.38.100

output:<facility>,<level>
    The facility and severity level — for example, output:local1,6

    Up to three outputs can be specified. The default facility is local4 and the default level is 7. PacketWise user events are at severity level 6; if you want to capture them with Syslog, you must set the level to 6 or 7.

    See Facility Types and Severity Levels for lists of the valid facility types and levels.

port:<portnum>
    The port number of the Syslog server; if the port isn't specified, port 514 is used

datetime
    Include the date and time in the message; the date and time are not included unless you specify the datetime parameter

For example:

pc syslog add host:10.7.38.100 output:local1,3 datetime

If you need to modify any of the settings later, you need to remove the server and then add it again (see pc syslog remove).

Messages are not sent until you enable the logging feature. See pc syslog state. If you want a PacketWise event to berecorded in a Syslog, you need to specify this option when registering the event (see event register).

Facility Types

You can enter the keyword or value specified in the following table.

Description                          Keyword          Value
Kernel                               kern             0
User Processes                       user             1
Electronic Mail                      mail             2
Background System Processes          sysd             3
Authorization                        auth             4
System Logging                       sysl             5
Printing                             lpr              6
Usenet News                          news             7
Unix-to-Unix Copy Program            uucp             8
Clock Daemon                         clkd             9
Security                             sec2             10
FTP Daemon                           ftpd             11
NTP Subsystem                        ntp              12
Log Audit                            audit            13
Log Alert                            alert            14
Clock Daemon                         clkd2            15
For Local Use                        local0–local7    16-23

Severity Levels

You can enter the keyword or value specified in the following table. The level determines which messages are sent to the Syslog server and which are suppressed. For example, setting the severity level to 3 allows messages with levels 0 – 3 and suppresses messages with levels 4 – 7. If you don't specify a severity level, 7 is used. With the default severity level, messages of all levels will get sent to the Syslog server.

Description                                        Keyword    Value
System unusable                                    emerg      0
Take immediate action                              alert      1
Critical condition                                 crit       2
Error message                                      err        3
Warning message                                    warn       4
Normal but significant condition                   notice     5
Informational (includes PacketWise user events)    info       6
Debug message                                      debug      7

At the "warn" level, PacketShaper will send the following types of messages to the Syslog server:

- Login failed
- Hard drive status
- Measurement Engine status
- Direct standby status
- Plug-in status

See PacketShaper Syslog Warn Messages for a list of these messages.

User events that are configured to send a syslog message when a threshold is crossed are sent at the info severity level (6).See event register for more information on configuring an event to send a syslog message.

Adaptive response action files that include the send syslog command can designate the severity level at which the message issent to the Syslog server; any level can be specified.

PacketGuide™ for PacketWise® 9.2


pc syslog rate
For PolicyCenter only

Set the maximum number of syslog messages that will be sent per second. This command can only be issued by networkadministrators with touch-role access to the PC organization.

pc syslog rate <number>

The default rate is 20 messages per second and the valid range is 1-200. You may want to increase the rate if you areexperiencing a problem with your unit.


pc syslog remove
For PolicyCenter only

Remove a Syslog server from PolicyCenter. If you need to modify the settings of a server you have added, you will need toremove the server first. This command can only be issued by network administrators with touch-role access to the PCorganization.

pc syslog remove <ipaddress>


pc syslog show
For PolicyCenter only

Display the settings for currently defined Syslog servers. This command can only be issued by network administrators withaccess to the PC organization.

pc syslog show [<ipaddress>]

If no <ipaddress> is specified, the setup of all Syslog servers is displayed. For example:

pc syslog show

Status: On Max Rate: 35 Total Sent: 5 Total Lost: 0

Server Addr      Facility       Level
------------------------------------
10.7.38.200      local4, 20     warn, 4
10.7.38.100      local4, 20     warn, 4

If you specify an <ipaddress>, the settings for a single Syslog server are displayed. For example:

pc syslog show 10.7.38.200

Server Addr: 10.7.38.100 UDP Port: 514 DateTime Option: Not Enabled

-------------------------------------
Facility       Level
-------------------------------------
local4, 20     warn, 4

Message Format

When viewing the messages at the Syslog server, the format of a Syslog message is as follows:

ReceiveDateTime address SendDateTime module-severity-MNEMONIC: description

ReceiveDateTime
    The date and time the message was received by the Syslog server (may not be included, depending on the setup of the Syslog server)

address
    The PacketShaper's IP address

SendDateTime
    The date and time the message was sent to the Syslog server (if the datetime parameter was specified when defining the syslog server)

module
    A four-byte string that identifies the type of message. For example, USRE is a user event and SYSW is a system warning.

severity
    A single-digit code (0–7) that reflects the severity of the condition; see Severity Levels

MNEMONIC
    A code that uniquely identifies the error message — for example, BAD_WR (bad write) or INSERT_F (insert into a list fails)

description
    A text string describing the condition

Example message:

Aug 6 17:06:27 10.7.38.5 SYSW-4-LOG_WARN: Hard drive is down.

Or, if the datetime parameter was specified:

Aug 6 17:07:25 10.7.38.5 Mon Aug 6 17:05:01 2001 BST (London) SYSW-4-LOG_WARN: Hard drive is down.
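The following Python parser is an added example, not part of the PacketGuide; it splits a message in the format above into its fields and filters by severity. It assumes ReceiveDateTime and SendDateTime are free text on either side of the PacketShaper's dotted-quad address, that a lower severity digit means a more severe condition (as the "warn, 4" entry in the show output suggests), and that the sample lines other than the two shown on the page are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# "module-severity-MNEMONIC: description" tail of a PacketShaper message,
# e.g. "SYSW-4-LOG_WARN: Hard drive is down."
CODE_RE = re.compile(r"\b([A-Z]{4})-([0-7])-([A-Z0-9_]+):\s*(.*)$")
# The PacketShaper's IPv4 address, which precedes the optional SendDateTime.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class PacketShaperEvent:
    receive_time: Optional[str]  # stamped by the syslog server; may be absent
    address: str                 # the PacketShaper's IP address
    send_time: Optional[str]     # present only if datetime was set on the server entry
    module: str                  # four-byte type, e.g. SYSW or USRE
    severity: int                # 0-7
    mnemonic: str                # e.g. LOG_WARN
    description: str


def parse_packetshaper_syslog(line: str) -> Optional[PacketShaperEvent]:
    """Split one syslog line into its fields; return None for lines that are
    not in the PacketShaper format (other hosts logging to the same server)."""
    line = line.strip()
    code = CODE_RE.search(line)
    if code is None:
        return None
    head = line[: code.start()]
    ip = IPV4_RE.search(head)
    if ip is None:
        return None
    # Text before the address is the receiver's stamp (if any); text after it,
    # up to the code token, is the PacketShaper's own stamp (if any).
    receive_time = head[: ip.start()].strip() or None
    send_time = head[ip.end():].strip() or None
    return PacketShaperEvent(
        receive_time=receive_time,
        address=ip.group(1),
        send_time=send_time,
        module=code.group(1),
        severity=int(code.group(2)),
        mnemonic=code.group(3),
        description=code.group(4).strip(),
    )


def events_at_or_above(lines: List[str], max_severity: int = 4) -> List[PacketShaperEvent]:
    """Keep events whose severity digit is <= max_severity (assumes the syslog
    convention that lower numbers are more severe, as in 'warn, 4')."""
    events = (parse_packetshaper_syslog(text) for text in lines)
    return [e for e in events if e is not None and e.severity <= max_severity]


# Constructed sample: the two messages from the page, a made-up USRE event,
# and a line from another host that the parser must skip.
SAMPLE_LINES = [
    "Aug 6 17:06:27 10.7.38.5 SYSW-4-LOG_WARN: Hard drive is down.",
    "Aug 6 17:07:25 10.7.38.5 Mon Aug 6 17:05:01 2001 BST (London) SYSW-4-LOG_WARN: Hard drive is down.",
    "Aug 6 17:08:02 10.7.38.5 USRE-6-USER_EVT: constructed user event",
    "Aug 6 17:08:10 router1 kernel: link up",
]

if __name__ == "__main__":
    for event in events_at_or_above(SAMPLE_LINES):
        print(event)
```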


pc syslog state

Enable or disable the logging feature so that messages will be sent to the defined syslog server(s). The PolicyCenter Audit Log feature records configuration and operational changes in PolicyCenter. When you download the Kiwi Syslog Daemon from the Kiwi Enterprises website, then install and configure the Kiwi Syslog Daemon, you can view audit log messages directly in the PolicyCenter browser interface. This command can only be issued by network administrators with touch-role access to the PC organization.

pc syslog state on|off|default

Select the default option to set the logging feature to its default off state. To check whether the logging feature is on or off, use the pc syslog show command.


pc tacacs acct

For PolicyCenter only

Set up or change the configuration of the TACACS+ accounting service records for your PolicyCenter server. This feature allows you to have an audit trail for user logins. This command can only be issued by network administrators with touch-role access to the PC organization.

To define the TACACS+ accounting service for the PolicyCenter server, use:

pc tacacs acct primary|secondary {<host> <shared_secret> [<port>]}|delete|override

primary|secondary Enter the literal primary or secondary to indicate which server you are defining. (The secondary server is used when the primary server isn’t accessible.)

<host> The IP address or DNS name of the TACACS+ accounting server

<shared_secret> The designated secret for the server; quotes are not required

[<port>] The port number to access the server; if omitted, the default port 49 is used.

delete Deletes the configuration of the primary or secondary server (whichever is specified)

override This option is not supported by the pc tacacs command

To turn the service on or off, or to return the service to its default off value, use:

pc tacacs acct on|off|default

Example:

pc tacacs acct primary 10.10.10.10 P4assw0rd1

pc tacacs acct secondary 10.10.20.10 Paa55w0rd2

pc tacacs acct on

This example defines a primary accounting server at 10.10.10.10 which has a shared secret of P4assw0rd1, as well as a secondary server at 10.10.20.10. The third command line enables the TACACS+ accounting service. Once this service is configured and enabled, PolicyCenter will send a PW_STATUS_START accounting message to the accounting server when a user logs in and a PW_STATUS_STOP message when a user logs off or is disconnected.

Command Change History

Release   Modification
8.3.1     Command introduced


pc tacacs auth

For PolicyCenter only

Set up or change the configuration of the TACACS+ authentication service for your PolicyCenter server. Using third-party TACACS+ servers enables you to have central configuration of user accounts.

pc tacacs auth primary|secondary {<host> <shared_secret> [<port>]}|delete

primary|secondary Enter the literal primary or secondary to indicate which server you are defining. (Note: The TACACS+ client uses the secondary server when the primary server isn’t accessible or authentication failed.)

<host> The IP address or DNS name of the TACACS+ authentication server

<shared_secret> The designated secret for the server; quotes are not required

[<port>] The port number to access the server; if omitted, the default port 49 is used

delete Deletes the configuration of the primary or secondary server (whichever is specified)

override This option is not supported by the pc tacacs command

To turn the service on or off, or to return the service to its default off value, use:

pc tacacs auth on|off|default

Example:

pc tacacs auth primary 10.10.10.10 CupServ44

pc tacacs auth on

This example first defines a primary authentication server at 10.10.10.10 which has a shared secret of CupServ44. The second command line enables the TACACS+ authentication service. Once this is configured and enabled, PolicyCenter will prompt users for user name and password when they log in.

Command Change History

Release   Modification
8.3.1     Command introduced


pc tacacs method

For PolicyCenter only

Select the TACACS+ authentication method for your PolicyCenter server:

ASCII (American Standard Code for Information Interchange): With ASCII, the username and password are transmitted in clear, unencrypted text.

PAP (Password Authentication Protocol): With PAP, the username and password are transmitted in clear, unencrypted text. ASCII or PAP authentication is required for TACACS+ configurations that require access to clear text passwords (for example, when passwords are stored and maintained in a database external to the TACACS+ server).

CHAP (Challenge Handshake Authentication Protocol): In other environments, CHAP may be preferred for greater security. The TACACS server sends a challenge that consists of a session ID and an arbitrary challenge string, and the username and password are encrypted before they are sent back to the server.

MS-CHAP (Microsoft Challenge Handshake Authentication Protocol): This protocol is very similar to CHAP, but with MS-CHAP authentication, the TACACS+ server can store an encrypted version of a user password to validate the challenge response. Standard CHAP authentication requires that the server stores unencrypted passwords.

pc tacacs method ascii|pap|chap|mschap|default

The default authentication method is ascii.

Command Change History

Release   Modification
8.3.1     Command introduced


pc tacacs timeout

For PolicyCenter only

Set the amount of time for TACACS+ to wait for a response from a server. By default, the TACACS+ client waits 20 seconds before retrying a login when the TACACS+ server fails to respond.

pc tacacs timeout <seconds>|default

where <seconds> is a value between 1 and 180 seconds. For example:

pc tacacs timeout 25

In this example, the timeout interval is 25 seconds; this interval applies to any configured TACACS+ server.

To return to the default timeout interval, use:

pc tacacs timeout default

Command Change History

Release   Modification
8.3.1     Command introduced


ping

Generate pings to test connectivity with another device on the network. If the device answers the pings from the PacketShaper, the message "x.x.x.x is alive" or "x packets transmitted, x packets received" will appear. If PacketWise is unable to connect with the device, the message "no answer from x.x.x.x" or "0 packets received" will display.

ping <host> [<timeout>]
ping [-s] <host> [<count>]

<host> IP address or DNS name

<timeout> Number of seconds to transmit packets; if you don't specify a <timeout> value, PacketWise will ping the host for up to 10 seconds

[-s] Send a continuous ping

<count> Number of pings to transmit; if you don't specify a <count> value, PacketWise will ping the host 10 times

Examples of Successful Pings

PacketShaper# ping 172.21.1.26
ping (172.21.1.26): 56 data bytes
172.21.1.26 is alive

PacketShaper# ping 172.21.1.26 10
ping (172.21.1.26): 56 data bytes
172.21.1.26 is alive

PacketShaper# ping -s 172.21.1.26 5
ping (172.21.1.26): 56 data bytes
64 bytes from 172.21.1.26: icmp_seq=0
64 bytes from 172.21.1.26: icmp_seq=1
64 bytes from 172.21.1.26: icmp_seq=2
64 bytes from 172.21.1.26: icmp_seq=3
64 bytes from 172.21.1.26: icmp_seq=4
5 packets transmitted, 5 packets received

Examples of Unsuccessful Pings

PacketShaper# ping 192.168.0.1
ping (192.168.0.1): 56 data bytes
no answer from 192.168.0.1

PacketShaper# ping 192.168.0.1 30
ping (192.168.0.1): 56 data bytes
no answer from 192.168.0.1

PacketShaper# ping -s 192.168.0.1
ping (192.168.0.1): 56 data bytes
10 packets transmitted, 0 packets received

PacketShaper# ping -s 192.168.0.1 5
ping (192.168.0.1): 56 data bytes
5 packets transmitted, 0 packets received


plugin library

For PolicyCenter only

Show the current library of plug-in files available for distribution from PolicyCenter to individual PacketShapers.

plugin library

The plugin library command shows the version name and type, version number and description for available plug-in files.

Example output of this command:

plugin library

Name      Type   Version   Description
ntpplug   bt03   1.0.0.0   Network News Transport Protocol
rogue     bt03   1.0.0.0   FileRogue - File Sharing Application
sms       bt03   1.0.0.0   Microsoft SMS pre Windows Service Pack 2


plugin prescribe

For PolicyCenter only

Prescribe plug-in files for a PolicyCenter configuration by filename. Use the plugin library command to determine the names of available files.

plugin prescribe [<filename> <filename> ...] default|none|show

<filename> The filename of the plug-in file you wish to prescribe to a PolicyCenter configuration.

default|none|show Specify default if the configuration should inherit its plug-ins from a parent configuration, or specify none if the configuration should not inherit its plug-ins. The show option shows the configuration's current plug-in files.

Note: Issuing the plugin prescribe default command on a configuration with an inherited plug-in prescription may incorrectly indicate that there are no inherited plug-ins. Use the command plugin prescribe show to correctly show all plug-ins prescribed for that configuration.


plugin subscribe

For PolicyCenter only

Configure when and how often PacketShapers assigned to a PolicyCenter configuration update plug-in files.

plugin subscribe asap|scheduled|default

The plugin subscribe command has the following options:

asap PacketShapers assigned to the configuration will automatically update their plug-in files as soon as they are prescribed.

scheduled PacketShapers assigned to the configuration will wait for the plugin sync command before downloading prescribed files.

default If set to default, the PolicyCenter configuration inherits its plug-in subscription behavior from its parent configuration.

See also: plugin sync


policy admit

Set the admission-control mechanism for a policy.

policy admit <tclass> squeeze|refuse|"<redirect-URL>" [nontcp|nonweb|web]

<tclass> The traffic class whose policy is to be changed

squeeze|refuse|"<redirect-URL>" This admission-control mechanism determines what happens when there isn't enough bandwidth to satisfy a guaranteed rate allocation. When the mechanism is squeeze, new connections will get at most 256 bps (1024 bps on PacketShaper 7500, 10000, and 12000 models). When the mechanism is refuse, the connection is refused. For web traffic only, when the mechanism is "<redirect-URL>", the connection will be redirected to the specified URL.

[nontcp|nonweb|web|all] The traffic type

The policy admit command supports these combinations:

Admission Control Mechanism   Traffic Types
squeeze                       nontcp, nonweb, web
tcp_refuse                    nonweb tcp
http_refuse                   web
http_redirect                 web


policy apply discard

Toss all packets for a class.

policy apply discard <tclass>


policy apply ignore

Exempt a traffic class from bandwidth allocation and treat the traffic type as "pass-through" traffic.

policy apply ignore <tclass>

By default, any traffic that you haven't explicitly classified is classified as Inbound/Default or Outbound/Default, and is factored into the bandwidth allocation scheme. When you apply an ignore policy to a traffic class, that traffic type will not be considered at all by the bandwidth allocation process. That is, it won't be counted as part of the virtual link traffic under management.


policy apply never-admit

Force admission control to occur on every use of a policy.

policy apply never-admit <tclass>

The never-admit policy invokes the appropriate admission-control mechanism at the beginning of each session. For TCP and web traffic, use a never-admit policy to notify users that a service is unavailable. Admission-control mechanisms are configured using the policy admit command. For non-TCP traffic, use the policy apply discard command. For TCP non-web traffic, you can only use the policy admit refuse mechanism with a never-admit policy.

A never-admit policy must be applied to classes on the requesting flow. If a never-admit policy is applied to a class representing the response flow, PacketWise responds as if the policy were a discard policy.

The never-admit policy has proven particularly effective in controlling certain viruses (see Control Attacks). This type of policy can also be used to redirect certain users to alternate URLs. For example, you might redirect a competitor to a URL that presents a customized message with a competitive analysis. The redirect option works only on the response side of the HTTP flow, not the request side.


policy apply priority

Apply a priority-based policy, using the following command:

policy apply priority <tclass> [priority]

<tclass> The traffic class to which to apply the policy

[priority] The priority from 0 to 7, where 7 is highest priority. If this parameter is omitted, priority 3 is used.

Priority-based policies are used to establish a priority for traffic without specifying a particular rate. Use priority policies for traffic that does not burst, or whenever rate is not your primary objective.


policy apply rate

Apply a rate-based policy to a traffic class.

policy apply rate <tclass> <guar_lo_bps> <guar_hi_bps> [<priority> [[automatic|<excess_lo_bps> <excess_hi_bps>] [<excess_limit_bps>]]]

<tclass> The traffic class to which to apply the policy

<guar_lo_bps> <guar_hi_bps> The guaranteed rate for this class' low- and high-speed connections (both parameters are required, even if you specify the same value). Rates may be specified as integer bits per second, followed by a “k” (thousands), “M” (millions), or “G” (billions). The guaranteed rate must be a minimum of 256 bps (1024 bps on PacketShaper 7500, 10000, and 12000 models).

For example, to guarantee 10k to Inbound/HTTP, use the following command:

policy apply rate inbound/http 10k 10k

To allow a policy to use excess rate, specify the following additional parameters:

<priority> The excess rate priority for this traffic class, ranging from 0 (lowest) to 7 (highest)

[automatic] Adjusts scaling automatically at run time

[<excess_lo_bps> <excess_hi_bps>] The excess rate for this class' low- and high-speed connections (if you don't specify automatic). If you choose to use this option, both speeds must be specified. The minimum value allowed for <excess_lo_bps> is 256 (1024 bps on PacketShaper 7500, 10000, and 12000 models).

[<excess_limit_bps>] The maximum excess rate that can be used by this class

Guaranteed rate represents the minimum acceptable service level and thus the minimum acceptable rate to allocate. Low-and high-speed rate specifications are used to scale rate allocation to the user's access speed.

For example, to guarantee 10k to Inbound/HTTP burstable up to 48K at priority 3, use the following command:

policy apply rate inbound/http 10k 10k 3 automatic 38k

Note: Excess rate is expressed differently in the CLI command than in the browser interface. In the browser interface, you specify 48k for the limit, but in the CLI you specify 38k for the amount of excess (the 48k limit minus the guaranteed rate of 10k).

To change the guaranteed rate later, use the policy guaranteed command. To adjust the excess rate, use the policy excess command.
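As an added example (not PacketWise code), this Python helper builds and validates a policy apply rate command line, including the browser-limit-to-CLI-excess conversion from the note above; the same rate spelling and minimum-rate rules apply to policy excess, policy guaranteed and policy failover. The suffixes, minimums and model list come from this page; the function names and the model parameter are the example's own.

```python
from typing import Optional, Tuple, Union

# Rate suffixes as the page defines them: k = thousands, M = millions, G = billions.
SUFFIX_MULTIPLIER = {"k": 1_000, "M": 1_000_000, "G": 1_000_000_000}
# Models whose minimum guaranteed/excess rate is 1024 bps instead of 256 bps.
HIGH_MINIMUM_MODELS = {"7500", "10000", "12000"}


def parse_rate(text: str) -> int:
    """'10k' -> 10000, '2M' -> 2000000, '256' -> 256."""
    text = text.strip()
    if text and text[-1] in SUFFIX_MULTIPLIER:
        return int(text[:-1]) * SUFFIX_MULTIPLIER[text[-1]]
    return int(text)


def format_rate(bps: int) -> str:
    """Shortest exact CLI spelling of a rate: 38000 -> '38k', 1024 -> '1024'."""
    for suffix, multiplier in (("G", 10**9), ("M", 10**6), ("k", 10**3)):
        if bps >= multiplier and bps % multiplier == 0:
            return f"{bps // multiplier}{suffix}"
    return str(bps)


def minimum_rate_bps(model: Optional[str]) -> int:
    """Floor for guaranteed and excess_lo rates; model is the PacketShaper model number."""
    return 1024 if model in HIGH_MINIMUM_MODELS else 256


def browser_limit_to_cli_excess(limit: str, guaranteed: str) -> str:
    """The browser interface takes the total limit (48k); the CLI wants the
    excess above the guaranteed rate (48k - 10k = 38k)."""
    excess = parse_rate(limit) - parse_rate(guaranteed)
    if excess <= 0:
        raise ValueError("limit must exceed the guaranteed rate")
    return format_rate(excess)


def policy_apply_rate(
    tclass: str,
    guar_lo: str,
    guar_hi: str,
    model: Optional[str] = None,
    priority: Optional[int] = None,
    excess: Union[None, str, Tuple[str, str]] = None,  # "automatic" or (lo, hi)
    excess_limit: Optional[str] = None,
) -> str:
    """Build a validated 'policy apply rate' command line from its parts."""
    floor = minimum_rate_bps(model)
    for rate in (guar_lo, guar_hi):
        if parse_rate(rate) < floor:
            raise ValueError(f"guaranteed rate {rate} is below the {floor} bps minimum")
    parts = ["policy apply rate", tclass, guar_lo, guar_hi]
    if priority is None:
        # Excess settings hang off the priority in the syntax, so they need one.
        if excess is not None or excess_limit is not None:
            raise ValueError("excess rate settings require a priority")
        return " ".join(parts)
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0-7")
    parts.append(str(priority))
    if excess == "automatic":
        parts.append("automatic")
    elif excess is not None:
        lo, hi = excess
        if parse_rate(lo) < floor:
            raise ValueError(f"excess_lo_bps {lo} is below the {floor} bps minimum")
        parts += [lo, hi]
    if excess_limit is not None:
        parts.append(excess_limit)
    return " ".join(parts)


if __name__ == "__main__":
    # Reproduces the page's "10k guaranteed, burstable to 48k at priority 3" example.
    print(policy_apply_rate("inbound/http", "10k", "10k", priority=3, excess="automatic",
                            excess_limit=browser_limit_to_cli_excess("48k", "10k")))
```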


policy default

Apply the PacketWise-recommended policy to a traffic class.

policy default <tclass>


policy delaybound

Set the delay bound for a policy to perform non-TCP rate control. PacketWise uses a UDP latency control mechanism to rate-control individual UDP traffic flows and minimize packet loss. PacketWise accumulates incoming UDP packets on a flow-by-flow basis when they are not scheduled for immediate transfer. With the UDP latency control mechanism, you define a delay bound — how long the packets can remain buffered before they become too old to be useful. If UDP flows don't get sent immediately (because of link congestion, for example), they are placed in a buffer or queue. UDP flows stay in the queue until they are sent or until the delay bound time is exceeded, in which case the packets are dropped.

policy delaybound <tclass> [<bound_in_milliseconds>]|default

<tclass> The traffic class whose policy is to be changed

[<bound_in_milliseconds>] The new delay bound, from 1 to 10,000 milliseconds. The default delay bound is set to 200 milliseconds.

Note: Unless you have specific requirements for buffering non-TCP traffic, it is recommended that you do not change the delay bound size, as it has been optimized for most network environments.

Use the traffic bandwidth command to view rate exceptions — that is, flows that have exceeded the delay bound.


policy dscp

Substitute a value into the Differentiated Services Code Point (DSCP) field in each packet for the class. As defined in the Differentiated Services specification (RFC 2474), the DSCP field is the first six bits of the Type of Service (TOS) field in the IP header. This field is used by routers to make prioritized routing decisions.

policy dscp <tclass> unchanged|<dscp>

Valid <dscp> values are 0-63, inclusive.


policy excess

Modify a rate-based policy's excess rate allocation.

policy excess <tclass> <priority> [automatic|<lo_speed_bps> <hi_speed_bps>] [<excess_limit_bps>]

<tclass> The traffic class whose policy is to be changed

<priority> The new highest priority for excess rate allocation

Optional rate allocations can be specified:

automatic Automatically scale the low-speed and high-speed rates

[<lo_speed_bps> <hi_speed_bps>] The new low- and high-speed rates. If you choose to use this option, both speeds must be specified. The minimum value allowed for <lo_speed_bps> is 256 (1024 on PacketShaper 7500, 10000, and 12000 models).

[<excess_limit_bps>] The maximum excess rate that can be used by this class

For example, the following command sets the excess rate limits for the FTP traffic class Inbound/Outside/ftp. It is assigned a priority of 4, and assigns both high- and low-speed users an excess rate of 50,000 bps with a total excess rate limit of 200,000 bps:

policy excess /inbound/outside/ftp 4 50k 50k 200k


policy failover

Configure a policy to react to failover mode, replacing the policy's guaranteed rate with a rate that is appropriate for the loss of a router link. Use this command if the unit has been configured to go into failover mode when it detects a problem with a site router link.

policy failover <tclass> none|<speed_bps>

<tclass> Traffic class with the policy that is to be changed

none Remove the failover guaranteed rate from this class

<speed_bps> Guaranteed rate to apply to the class when failover is active. Rates may be specified as integer bits per second, followed by a “k” (thousands), “M” (millions), or “G” (billions). The guaranteed rate must be a minimum of 256 bps (1024 bps on PacketShaper 7500, 10000, and 12000 models).

For example, the following commands set the guaranteed rate for the test class for normal link conditions. The policy failover command sets the guaranteed rate for the test class when the router link fails and a backup link with less bandwidth is used:

policy apply rate test 100k 100k 5 10k 10k

policy failover test 25k


policy flowlimit

Limit the rate of new flows to or from a unique host. This command can be used to detect and control a SYN Flood or similar denial-of-service attack directed at a particular host or if the attack is from a specific IP address. Flows exceeding the rate are blocked from passing through the unit. The limits are set to default values of 10,000 flows per minute on client hosts and 100,000 flows per minute on servers; depending on your network, you may need to change these defaults for effective control of SYN floods. Flow limits are automatically set on any classes that have a rate or priority policy assigned to them; if the PolicyFlowLimitForAllClasses system variable is enabled, PacketWise will automatically block any flows that exceed these limits. (This variable is disabled by default. If you want to enforce flow limit policies, you need to enable the PolicyFlowLimitForAllClasses variable.)

Note: You cannot set a flow limit on a class unless it already has a rate or priority policy assigned to it.

If you want to set or adjust the default limits on a particular class, use:

policy flowlimit <tclass> none|<client-fpm> <server-fpm>

<tclass> Traffic class where the policy is located

none Remove the flow limit

<client-fpm> Maximum number of flows per minute to allow from each individual host; valid values are 0 – 600000

<server-fpm> Maximum number of flows per minute to allow to each individual host; valid values are 0 – 600000

Note that the <client-fpm> and <server-fpm> rates include new flows of all types from an individual client or to an individual server (not just flows of the type of traffic matching this specific traffic class or policy).

PacketWise offers measurement variables to track the number of flows that were blocked due to a server (flow destination) or a client (flow initiator) exceeding the flow limit rate specified in the policy flowlimit command: server-flood-block and client-flood-block.

If you don't want flow limits to be set automatically for newly created classes, enter the following commands:

policy flowlimit inbound/default none
policy flowlimit outbound/default none
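Added example, not from the PacketGuide: a Python replay of the flow-limit rule over constructed flow records, counting new flows per client and per server against the two limits and incrementing the client-flood-block and server-flood-block counters. It assumes "per minute" means a trailing 60-second window and that blocked attempts still count toward the rate; both are the example's assumptions, not documented PacketWise behaviour.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# The page's defaults: flows per minute from each client and to each server.
DEFAULT_CLIENT_FPM = 10_000
DEFAULT_SERVER_FPM = 100_000

Flow = Tuple[int, str, str]          # (start time in seconds, client IP, server IP)
Block = Tuple[int, str, str, str]    # the flow plus the limit that blocked it


def flow_limit_check(flows: List[Flow], client_fpm: int = DEFAULT_CLIENT_FPM,
                     server_fpm: int = DEFAULT_SERVER_FPM) -> Tuple[List[Block], Dict[str, int]]:
    """Replay time-ordered flow starts against per-client and per-server limits.

    Every attempt counts toward the trailing 60-second window whether or not it
    is blocked (assumption), so a sustained flood stays blocked.  All flows are
    counted regardless of class, as the note above says.  Returns the blocked
    flows and the two measurement counters."""
    client_window: Dict[str, Deque[int]] = defaultdict(deque)
    server_window: Dict[str, Deque[int]] = defaultdict(deque)
    blocked: List[Block] = []
    counters = {"client-flood-block": 0, "server-flood-block": 0}
    for t, client, server in flows:
        for window in (client_window[client], server_window[server]):
            while window and t - window[0] >= 60:   # expire entries older than a minute
                window.popleft()
            window.append(t)
        if len(client_window[client]) > client_fpm:
            counters["client-flood-block"] += 1
            blocked.append((t, client, server, "client"))
        elif len(server_window[server]) > server_fpm:
            counters["server-flood-block"] += 1
            blocked.append((t, client, server, "server"))
    return blocked, counters


def constructed_flows() -> List[Flow]:
    """Constructed sample: one client opening 8 flows in 8 s, then 12 distinct
    clients hitting one server within 12 s, then the first client again later."""
    flows: List[Flow] = [(i, "192.0.2.10", "198.51.100.5") for i in range(8)]
    flows += [(20 + i, f"192.0.2.{100 + i}", "198.51.100.9") for i in range(12)]
    flows.append((70, "192.0.2.10", "198.51.100.5"))
    return flows


if __name__ == "__main__":
    # Small limits so the constructed sample trips them; in production the
    # limits are the page's defaults or whatever 'policy flowlimit' set.
    for entry in flow_limit_check(constructed_flows(), client_fpm=5, server_fpm=10)[0]:
        print(entry)
```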


policy guaranteed

Modify a rate policy's guaranteed rate allocations.

policy guaranteed <tclass> <lo_speed_bps> <hi_speed_bps>

<tclass> Traffic class whose policy is to be changed

<lo_speed_bps> <hi_speed_bps> New low-speed and high-speed guaranteed rates. Rates may be specified as integer bits per second, followed by a “k” (thousands), “M” (millions), or “G” (billions). The guaranteed rate must be a minimum of 256 bps (1024 bps on PacketShaper 7500, 10000, and 12000 models).

For example, the following command sets the low-speed and high-speed rates (10000 bps for low-speed users and 100000 bps for high-speed users) for a class named inbound/jup_202_http:

policy guaranteed inbound/jup_202_http 10000 100000


policy mpls-exp

Add or change the experimental (EXP) bits field of the MPLS (Multi-Protocol Label Switching) label on a packet. This field can be used in different ways — for example, some routers use the EXP field to set class of service.

policy mpls-exp <tclass> swap|delete <exp>

<tclass> Traffic class for which you want to modify the experimental bits field of the MPLS label

swap <exp> Marks the EXP field of an MPLS packet with the specified <exp> value (0 – 7)

delete <exp> Deletes the mpls-exp policy on the class

For example, to mark /outbound/http packets with an <exp> value of 7, use this command:

policy mpls-exp /outbound/http swap 7

To remove an mpls-exp policy that has an <exp> value of 7, use this command:

policy mpls-exp /outbound/http delete 7

The mpls-exp policy can be applied only to a class that already has a rate or priority policy. Note that the mpls-exp policy is applicable only if the packet has an MPLS label. If the packet doesn't have a label, the mpls-exp policy will simply be ignored. If packets don't already have MPLS labelling, you can use the policy mplslabel command to create an MPLS-tagging policy.

If more than one MPLS label exists in the stack, only the outermost packet's EXP field can be marked.


policy mplslabel

Add or change an MPLS (Multi-Protocol Label Switching) label on a packet. It can be applied only to a class that already has a rate or priority policy defined.

policy mplslabel <tclass> push|swap <mplslabel> | pop <times> | delete <operation>

<tclass> Traffic class for which you want to modify the MPLS label

push <mplslabel> Puts an MPLS label in a packet (and creates the MPLS stack if it doesn’t exist); the <mplslabel> is the value of the label to be pushed (0 – 1048575)

swap <mplslabel> Swaps the topmost label of the MPLS stack with the specified <mplslabel> (0 – 1048575)

pop <times> Pops off the topmost label of the MPLS stack in the packet the specified number of <times>

delete <operation> Deletes the specified <operation> (pop, swap, or push) from the policy

Note that MPLS policies will work only on IP traffic.

A class can have a combination of push, swap, and pop operations in its MPLS policy; the pop operation can be specified multiple times (up to 8). If more than one operation type is specified for a given class, they are executed in the following order: pop, swap, push. For example, a class might have a policy that specifies a swap, three pops, and a push. In this case, the three pops occur first, then the swap, and then the push.
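Added example, not PacketWise code: a Python model of the pop, swap, push ordering described above, together with the mpls-exp marking of the outermost label from the previous command, fed by the CLI lines as written on these pages. Treating "pop <times>" as setting the pop count, giving a pushed label EXP 0 until it is marked, and applying the EXP mark after the label operations are assumptions of the example, and the label stack it runs on is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_LABEL = 1_048_575   # 20-bit label, the page's range 0 - 1048575
MAX_EXP = 7             # 3-bit EXP field, the page's range 0 - 7
MAX_POPS = 8            # the page allows the pop operation up to 8 times

Label = Tuple[int, int]  # (label value, EXP bits); index 0 is the outermost label


@dataclass
class MplsPolicy:
    push: Optional[int] = None
    swap: Optional[int] = None
    pops: int = 0
    exp: Optional[int] = None   # set by 'policy mpls-exp <tclass> swap <exp>'


def _in_range(text: str, maximum: int, what: str) -> int:
    value = int(text)
    if not 0 <= value <= maximum:
        raise ValueError(f"{what} {value} outside 0-{maximum}")
    return value


def configure(policy: MplsPolicy, command: str) -> MplsPolicy:
    """Update a class's policy from one 'policy mplslabel' or 'policy mpls-exp'
    line. 'pop <times>' is taken to set the pop count (an assumption)."""
    parts = command.split()
    if len(parts) != 5 or parts[0] != "policy":
        raise ValueError(f"unrecognised command: {command!r}")
    _, kind, _tclass, op, arg = parts
    if kind == "mplslabel" and op == "push":
        policy.push = _in_range(arg, MAX_LABEL, "label")
    elif kind == "mplslabel" and op == "swap":
        policy.swap = _in_range(arg, MAX_LABEL, "label")
    elif kind == "mplslabel" and op == "pop":
        count = _in_range(arg, MAX_POPS, "pop count")
        if count == 0:
            raise ValueError("pop count must be at least 1")
        policy.pops = count
    elif kind == "mplslabel" and op == "delete":
        if arg == "push":
            policy.push = None
        elif arg == "swap":
            policy.swap = None
        elif arg == "pop":
            policy.pops = 0
        else:
            raise ValueError(f"unknown operation {arg!r}")
    elif kind == "mpls-exp" and op == "swap":
        policy.exp = _in_range(arg, MAX_EXP, "exp")
    elif kind == "mpls-exp" and op == "delete":
        _in_range(arg, MAX_EXP, "exp")   # validate the value, then drop the marking
        policy.exp = None
    else:
        raise ValueError(f"unrecognised command: {command!r}")
    return policy


def apply_policy(policy: MplsPolicy, stack: List[Label]) -> List[Label]:
    """Return the label stack after the policy runs: pops first, then swap,
    then push (the order the page gives). The EXP mark is applied last to the
    outermost label and is ignored when no label is present."""
    stack = list(stack)
    for _ in range(min(policy.pops, len(stack))):
        stack.pop(0)
    if policy.swap is not None and stack:
        stack[0] = (policy.swap, stack[0][1])
    if policy.push is not None:
        stack.insert(0, (policy.push, 0))   # new label, EXP 0 until marked (assumption)
    if policy.exp is not None and stack:
        stack[0] = (stack[0][0], policy.exp)
    return stack


if __name__ == "__main__":
    # The page's "a swap, three pops, and a push" case on a constructed 5-label stack.
    policy = MplsPolicy()
    for line in ("policy mplslabel /outbound/http swap 777",
                 "policy mplslabel /outbound/http pop 3",
                 "policy mplslabel /outbound/http push 1000",
                 "policy mpls-exp /outbound/http swap 7"):
        configure(policy, line)
    print(apply_policy(policy, [(100, 1), (200, 2), (300, 3), (400, 4), (500, 5)]))
```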


policy precedence

Substitute a precedence value for IP-based traffic classes.

policy precedence <tclass> unchanged|<precedence>

<tclass> The traffic class for which you want to change precedence.

unchanged | <precedence> Use unchanged to turn off precedence substitution, restoring precedence to its default value. Or, enter a precedence value 0-7, where 7 is the highest priority.

Note: The policy precedence command supplements rate and priority policies — that is, a traffic class must have a policy already applied to it before you use the policy precedence command to substitute a precedence value.
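Because policy dscp and policy precedence both rewrite bits of the same TOS byte, here is an added example (not PacketWise code) of that layout in Python: DSCP occupies the top six bits of the byte and IP precedence the top three, so precedence 5 corresponds to DSCP 40, and rewriting either field means recomputing the IPv4 header checksum. The IPv4 header it operates on is constructed for the example.

```python
import struct


def set_dscp(tos: int, dscp: int) -> int:
    """Replace the six DSCP bits (the top six bits of the TOS byte), keeping the two low bits."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    return (dscp << 2) | (tos & 0x03)


def set_precedence(tos: int, precedence: int) -> int:
    """Replace only the three IP precedence bits (the top three bits), keeping the rest."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence must be 0-7")
    return (precedence << 5) | (tos & 0x1F)


def dscp_of(tos: int) -> int:
    return tos >> 2


def precedence_of(tos: int) -> int:
    return tos >> 5


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones'-complement sum of 16-bit words.
    Over a header whose checksum field is already correct, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite_tos(packet: bytes, tos: int) -> bytes:
    """Return the packet with its TOS byte replaced and the header checksum recomputed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    header = bytearray(packet[:ihl])
    header[1] = tos & 0xFF
    header[10:12] = b"\x00\x00"           # checksum field is zero while summing
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


def constructed_ipv4_packet() -> bytes:
    """Constructed sample: a 20-byte IPv4/TCP header with TOS 0 and a valid checksum."""
    header = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 20, 0, 0x4000, 64, 6, 0,
                                   bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])))
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header)


if __name__ == "__main__":
    pkt = constructed_ipv4_packet()
    marked = rewrite_tos(pkt, set_dscp(pkt[1], 46))     # 'policy dscp <tclass> 46'
    print(hex(marked[1]), dscp_of(marked[1]), precedence_of(marked[1]))
```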


policy remove

Remove a policy from a traffic class.

policy remove <tclass>


policy route

Divert specific traffic to an alternative route by sending the class' traffic to a secondary gateway or router.

Set the MAC address routing for a traffic class.

policy route <tclass> none|<macaddr>

PacketWise substitutes the MAC address and transmits the packet accordingly.


policy show

Display policy information.

policy show <tclass> [clear]

<tclass> Explicit traffic class name whose policy is to be displayed - for example, Inbound/Outside/http

[clear] Reset the associated traffic class and policy hit counts


policy substitute

PacketWise can detect the speed of a web connection at the first HTTP GET request. You can use the policy substitute command to re-map the requested URL by substituting a URL that's more appropriate for the speed of the connection.

policy substitute <tclass> none

policy substitute <tclass> above|below <speed> "<pattern>" "<newpattern>"

<tclass> The traffic class to which you are applying the policy

above|below Specify above or below a connection speed to indicate when the URL should be substituted.

<speed> The connection speed that, in conjunction with above or below, triggers the content substitution

"<pattern>" Specify in quotes the current URL pattern, which will be substituted with a new pattern. Wildcard patterns are not supported. This URL string is compared with the pattern in the /directory/file portion of a URL. PacketWise ignores the http://computer-name portion of a URL when performing matching or substitution.

"<newpattern>" The URL that you specify for substitution must be the same length as the original URL. The formatting rules are the same as those listed for the <pattern> parameter.

For example, to better serve a low-speed user, you could substitute a text-based web page for the regular home page:

policy substitute inbound/outside/web-in below 28800 "home-1.htm" "home-2.htm"
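The matching rules above are easy to get wrong when a pattern also appears in a host name or query string. The following model, an added example and not PacketShaper code, implements exactly the rules the reference states: the rewrite fires only when the measured speed is on the configured side (above/below) of the threshold, only the /directory/file part of the URL is compared, wildcards are rejected, and the replacement must be the same length as the pattern. Treating the match as a substring of the path, replacing only its first occurrence, and expressing speeds in bit/s are assumptions of this model.

```python
"""Model of how 'policy substitute' remaps a requested URL.

Added example, not PacketShaper code. Substring matching on the path,
first-occurrence replacement and bit/s speed units are assumptions.
"""
from typing import Callable
from urllib.parse import urlsplit, urlunsplit

WILDCARDS = "*?[]"


def make_substitution(direction: str, speed_bps: int,
                      pattern: str, new_pattern: str) -> Callable[[str, int], str]:
    """Validate one 'policy substitute' rule and return a function that
    applies it to (requested_url, measured_speed_bps)."""
    if direction not in ("above", "below"):
        raise ValueError("direction must be 'above' or 'below'")
    if any(c in pattern for c in WILDCARDS):
        raise ValueError("wildcard patterns are not supported")
    if len(new_pattern) != len(pattern):
        raise ValueError("replacement must be the same length as the pattern")

    def apply(url: str, measured_bps: int) -> str:
        triggered = (measured_bps < speed_bps if direction == "below"
                     else measured_bps > speed_bps)
        if not triggered:
            return url
        parts = urlsplit(url)
        # Only the path is consulted: a host name or query string that happens
        # to contain the pattern is never rewritten.
        if pattern not in parts.path:
            return url
        new_path = parts.path.replace(pattern, new_pattern, 1)
        return urlunsplit(parts._replace(path=new_path))

    return apply
```

The same-length check is deliberate: the reference does not say why the rule exists, but a device that rewrites a request in flight without changing the size of the TCP segment would need exactly that constraint, so a text-only page with a shorter name has to be padded to the original file name's length.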


policy test

Test a policy to determine what rate will be allocated.

policy test <tclass> <rate_bps>

<tclass> The traffic class whose policy is to be tested

<rate_bps> The access speed to use to determine rate allocation

Example:

Assume the class inbound/http has the following policy settings: 10k guaranteed, burstable at priority 5, limit of 100k. To see how excess rate is allocated when there is 150 Kbps of demand, use the following command:

policy test inbound/http 150k

Policy Settings
    Guaranteed rate     lo 10k  hi 10k
    Excess rate         default priority 5  CAP 90k

Allocation for flow at rate 150000
    Guaranteed rate                  10000
    Excess rate at priority 5     -> 25088
    Excess rate total                90000
    Excess rate demand (priority 0 to 7)   0  0  15k  25k  25k  25k  0  0

This output shows how PacketWise would allocate bandwidth when traffic class inbound/http generates 150 Kbps of demand. The top part of the display summarizes the policy settings. The excess rate (90k, next to CAP) is calculated by subtracting the guaranteed rate from the limit (100k-10k=90k).

The lower portion of the output lets you see how the excess rate is allocated between priority levels, 0-7. The sum of the rates allocated at each priority level equals the total excess rate (90k, in this example).


policy tos

Set a specific type of service for an IP traffic flow. It can be applied only to a class that already has a rate control policy defined.

policy tos <tclass> unchanged|<tos>

<tclass> Explicit traffic class name for which you want to change the type of service

unchanged | <tos> Use unchanged to turn off TOS substitution. Enter a <tos> value according to the following standard:

    8 = minimize delay
    4 = maximize throughput
    2 = maximize reliability
    1 = minimize monetary cost
    0 = normal service

Values can be combined to define broader results. For example, a value of 3 indicates "maximize reliability and minimize monetary cost."


policy vlan

Add or change a VLAN identification (802.1Q) or priority (802.1p) on a packet. It can be applied only to a class that already has a rate or priority policy defined.

VLAN Priority (802.1p)

To change the priority tag on an 802.1p class:

policy vlan type:8021p <tclass> swap <priority>

<tclass> Traffic class for which you want to modify the VLAN priority tag

swap <priority> Swaps the topmost priority level on the VLAN stack with the specified <priority>, 0 to 7.

For example, to change the VLAN priority to 6:

policy vlan type:8021p vlantestclass swap 6

VLAN Identification (802.1Q)

To modify the identification tag on an 802.1Q class:

policy vlan type:8021q <tclass> push|swap <vlanid> | pop <times> | delete <operation>

<tclass> Traffic class for which you want to modify the VLAN ID

push <vlanid> Puts an ID entry in a packet (and creates the stack if it doesn't exist); the <vlanid> is the value of the label to be pushed (0 to 4095)

swap <vlanid> Swaps the topmost ID of the VLAN stack with the specified <vlanid> (0 to 4095)

pop <times> Pops off the topmost label of the VLAN stack in the packet the specified number of <times>

delete <operation> Deletes the specified <operation> (pop, swap, or push) from the policy

Examples:

policy vlan type:8021q testclass pop 2

policy vlan type:8021q testclass push 1

policy vlan type:8021q testclass swap 6

policy vlan type:8021q testclass delete pop

A class can have a combination of push, swap, and pop operations in its VLAN policy; the pop operation can be specified multiple times (up to 8). If more than one operation type is specified for a given class, they are executed in the following order: pop, swap, push. For example, a class might have a policy that specifies a swap, three pops, and a push. In this case, the three pops occur first, then the swap, and then the push.

Note: A VLAN ID swap policy will automatically zero out the existing VLAN priority. To keep an existing non-zero priority value or to set a priority, be sure to specify a VLAN priority swap policy as well.
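The fixed pop/swap/push order, and the priority-zeroing side effect of an ID swap, are the two things that bite when a policy is built up across several commands. The following model is an added example, not PacketShaper code; it serves both the MPLS paragraph earlier (policy mpls uses the same ordering rule) and the VLAN paragraph above, and encodes only what the reference states: pops first, then the swap, then the push, regardless of configuration order; at most 8 pops; VLAN IDs 0 to 4095 and 802.1p priorities 0 to 7; an ID swap zeroes the priority unless a priority swap is configured too. Representing the stack as a list with the top tag first, giving a pushed tag priority 0, applying the priority swap right after the ID swap, and stopping silently when there is nothing left to pop are assumptions of this model.

```python
"""Model of the order in which a PacketWise VLAN (802.1Q/802.1p) or MPLS
label policy is applied to a packet's label stack.

Added example, not PacketShaper code. Top-of-stack-first lists, priority 0 on
a pushed tag, priority swap applied after the ID swap, and silent under-pop
are this model's own assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_POPS = 8
MAX_VLAN_ID = 4095
MAX_PRIORITY = 7


@dataclass
class Tag:
    """One stack entry: a 12-bit VLAN ID and a 3-bit 802.1p priority."""
    vlan_id: int
    priority: int = 0


@dataclass
class VlanPolicy:
    """What 'policy vlan type:8021q <tclass> pop|swap|push' and
    'policy vlan type:8021p <tclass> swap' configure for one class."""
    pops: int = 0
    swap_id: Optional[int] = None
    push_id: Optional[int] = None
    swap_priority: Optional[int] = None

    def configure(self, op: str, value: int) -> "VlanPolicy":
        """Mirror of the CLI: range-check the value, then store the operation.
        Returns self so operations can be chained in any order."""
        if op == "pop":
            if not 1 <= value <= MAX_POPS:
                raise ValueError("pop count must be 1..%d" % MAX_POPS)
            self.pops = value
        elif op in ("swap", "push"):
            if not 0 <= value <= MAX_VLAN_ID:
                raise ValueError("VLAN ID must be 0..%d" % MAX_VLAN_ID)
            setattr(self, op + "_id", value)
        elif op == "swap_priority":
            if not 0 <= value <= MAX_PRIORITY:
                raise ValueError("priority must be 0..%d" % MAX_PRIORITY)
            self.swap_priority = value
        else:
            raise ValueError("unknown operation %r" % op)
        return self

    def delete(self, op: str) -> "VlanPolicy":
        """'policy vlan type:8021q <tclass> delete <operation>'."""
        if op == "pop":
            self.pops = 0
        elif op in ("swap", "push"):
            setattr(self, op + "_id", None)
        else:
            raise ValueError("unknown operation %r" % op)
        return self

    def execution_order(self) -> List[str]:
        """The fixed order in which the configured operations run."""
        order = ["pop"] * self.pops
        if self.swap_id is not None:
            order.append("swap %d" % self.swap_id)
        if self.swap_priority is not None:
            order.append("swap priority %d" % self.swap_priority)
        if self.push_id is not None:
            order.append("push %d" % self.push_id)
        return order

    def apply(self, stack: List[Tag]) -> List[Tag]:
        """Apply the policy to a copy of the stack (index 0 is the top)."""
        stack = [Tag(t.vlan_id, t.priority) for t in stack]
        del stack[:self.pops]                        # 1. all pops
        if stack and self.swap_id is not None:       # 2. swap
            stack[0].vlan_id = self.swap_id
            stack[0].priority = 0                    # an ID swap zeroes priority...
        if stack and self.swap_priority is not None:
            stack[0].priority = self.swap_priority   # ...unless a priority swap is set
        if self.push_id is not None:                 # 3. push
            stack.insert(0, Tag(self.push_id, 0))
        return stack
```

execution_order() is the part worth keeping around: it shows that configuring swap, then pop 3, then push (as in the reference's example) still executes as pop, pop, pop, swap, push, and that deleting the pop operation leaves the rest of the policy in place.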


portal delete

Delete a customer portal account. Note: This command is not available on the PacketShaper 900 Lite models.

portal delete <name>|all


portal library

For PolicyCenter only

Show the current portfolios of customer portal files available for distribution from PolicyCenter to individual PacketShapers.

portal library [verbose]

The portal library command shows the names of the available portfolios only. Use portal library verbose to view the names of all the customer portal files within each portfolio.


portal modify

Modify customer account information. Note: This command is not available on the PacketShaper 900 Lite models.

portal modify <name> <password> <directory> <message-of-the-day>

If RADIUS or TACACS+ authentication is enabled, passwords are not used (they are entered at the RADIUS/TACACS+ server). Thus, the syntax when RADIUS or TACACS+ is enabled is:

portal modify <name> <directory> <message-of-the-day>

Parameter  Description

<name> The existing customer login name

<password> The password for the customer account. If you are using RADIUS or TACACS+ authentication, you do not specify a password here; the customer portal will use the password specified for this user in the RADIUS/TACACS+ server.

<directory> The new name of the customer's home directory (up to 8 characters); this directory will be created on the unit's data disk under 9.258/customer (optional)

<message-of-the-day> The new custom message-of-the-day (optional)

If you don’t specify the parameters, PacketWise will prompt you for the information:

portal modify

Enter the name of the customer : mycust
Enter the new password :
Confirm new password :
Enter the new home directory name, 8 characters or less : newdir
Enter the new custom message-of-the-day (optional) : All network resources online
Customer mycust was modified

Note: You will not be prompted for a password if RADIUS authentication is enabled.

After this is executed, mycust’s home directory will be 9.258/customer/newdir.

Note: You must explicitly type each entry when you use prompted mode. If, for example, you press Enter at the password prompt, the new password value becomes (none).


portal new

Create a new customer portal account. Note: This command is not available on the PacketShaper 900 Lite models.

portal new <name> <password> <directory> <message-of-the-day>

If RADIUS or TACACS+ authentication is enabled, passwords are not used (they are entered at the RADIUS/TACACS+ server). Thus, the syntax when RADIUS or TACACS+ is enabled is:

portal new <name> <directory> <message-of-the-day>

Parameter  Description

<name> The login name the customer will use; up to 32 characters long, use numbers, letters and underscores; spaces are not allowed. If you are using RADIUS or TACACS+ authentication, this name must match the user name entered in the RADIUS/TACACS+ server.

Note: If the directory name is not specified, then the login name is used for the directory name. In this case, the login name is limited to 8 characters because the directory name is limited to 8 characters.

<password> The password for the customer account. If you are using RADIUS or TACACS+ authentication, you do not specify a password here; the customer portal will use the password specified for this user in the RADIUS/TACACS+ server.

<directory> The name of the customer's home directory (up to 8 characters); this directory will be created on the unit's data disk under 9.258/customer (optional)

<message-of-the-day> A text string of 128 characters or less, intended to carry simple messages such as "System will be down from 5:00 am to 6:00 am tomorrow" (optional)

You must use empty quotes ("") if you don't want to enter a value for a parameter. For example, to create a user MyCust with a directory named cust01 (no password, no message of the day), use:

portal new MyCust "" cust01 ""

If you don’t specify any parameters with the portal new command, PacketWise will prompt you for the values.

This is an example of prompted mode:

portal new

Enter the customer login name, password, home directory name (8 characters or less) and an optional custom message-of-the-day (128 characters or less).
Enter the customer's login name, e.g. 'marysmith' : mycust
Enter the password :
Confirm the password :
Enter the customer's home directory name, e.g. 8 characters or less : mycust
Enter a custom message-of-the-day (optional): No network outages
Customer mycust was added.

Note: You will not be prompted for a password if RADIUS authentication is enabled.

After this is executed, a directory 9.258/customer/mycust will exist. The service provider must FTP an INDEX.HTM file to itbefore the mycust customer can use it effectively.

Note: You must explicitly type each entry when you use prompted mode. If, for example, you press Enter at the password prompt, the new password value becomes (none).


portal prescribe

For PolicyCenter only

Prescribe a group of customer portal files by portfolio name. Use the portal library command to determine available customer portal portfolios.

portal prescribe <portfolio> default|none|show

<portfolio> A portfolio is any sub-folder of PolicyCenter/publish/portal that contains a group of portal files.

default|none|show Specify default if the configuration should inherit its portfolio of customer portal files from a parent configuration, or specify none if the configuration should not inherit its portfolio. The show option shows the configuration's current prescribed portfolio of customer portal files.


portal show

Display the current customer portal configuration. Note: This command is not available on the PacketShaper 900 Lite models.

portal show

Customer Name  Password  Directory  Message
----------------------------------------------------------------------
Farnsworths    ******    books      Inventory starts Friday!
Sigma_Air      ******    air        No scheduled network outages

The Password column does not appear if RADIUS authentication is enabled.


portal subscribe

For PolicyCenter only

Configure when and how often PacketShapers assigned to a PolicyCenter configuration update their portfolio of customer portal files.

portal subscribe asap|scheduled|default

The portal subscribe command has the following options:

asap PacketShapers assigned to the configuration will automatically update their customer portal portfolio as soon as it is prescribed.

scheduled PacketShapers assigned to the configuration will wait for the portal sync command before downloading the prescribed portfolio of files.

default If set to default, the PolicyCenter configuration inherits its portal subscription behavior from its parent configuration.

See also: portal sync


portal sync

For units in shared mode only

Issue this command from an individual PacketShaper to immediately download customer portal files prescribed for the unit's PolicyCenter configuration. This command is only required when the PolicyCenter configuration prescription mode has been set to scheduled with the portal subscribe command. Note: This command is not available on the PacketShaper 900 Lite models.

Note: It is not necessary to issue this command if the prescription mode is currently in its default state, or has been set to asap with the portal subscribe command.

portal sync

See also: portal subscribe


pwd

Show the working directory.

pwd


radius acct

Test and debug the setup of your RADIUS accounting server. This command sends test accounting messages to the server.

radius acct start|stop|on|off

Specify start to send a test message that tells the accounting server that someone logged in and stop to send a log-off test message. The administrator can then verify that these messages are in the accounting server log. They will appear in the log under the name RadiusAccountingTestUser.

You can use the on and off parameters to send a message to the server that the RADIUS accounting service is on or off. Note that this command does not affect the setup of the accounting service; if the service was enabled with the setup radius acct on command, it will remain enabled (even if you used radius acct off to send a test message that the accounting service is off).


radius chaplogin

Send a test CHAP login request to the RADIUS authentication server. This command is useful for testing and debugging the setup of your RADIUS authentication server, when Challenge-Handshake Authentication Protocol (CHAP) is used.

radius chaplogin <username> <password>

For example:

radius chaplogin bob 12567

chap ID = 0x1
challenge = 37a9aa04189c7ac5c826fde6a52c988f
password = 12567
response = 7610c93540dc90422fb4b077d23dd63a
"bob" RADIUS Authentication OK
Vendor-Specific: access=touch

The above output indicates that the authentication of the user bob was successful. Note that the test echoes the password and the CHAP challenge/response pair in clear text, so do not run it with a production credential over an unprotected management session. If authentication fails, you will see one of the following messages:

Message: Authentication turned off
  What it means: The authentication service is not enabled on PacketWise.
  What you should do: Use the setup radius auth on command to enable authentication, and then send another test login request.

Message: No server configured
  What it means: The RADIUS authentication service is turned on in PacketWise, but the server is not configured.
  What you should do: Use the setup radius auth primary command and specify the authentication server's IP address, port number, and shared secret. Then send another test login request.

Message: Access rejected by server
  What it means: The user name and/or password is invalid.
  What you should do: Contact your RADIUS administrator to verify that you are using the correct user name and password.

Message: Timeout: Unable to obtain a response from server
  What it means: The RADIUS authentication service is turned on in PacketWise and the server is configured. This message could be caused by any of the following situations:
  - The server could be down. Contact your RADIUS administrator to check the status of the RADIUS authentication server. It's a good idea to configure a secondary server to have a backup in case the primary server fails.
  - Incorrect IP address for the server. Contact your RADIUS administrator to verify the host name or IP address of the authentication server.
  - The authentication service may not be enabled on the RADIUS server side. Contact your RADIUS administrator to verify that the authentication service is enabled on the RADIUS server.
  - The server may not be configured to work as a PacketShaper client. For information on configuring the RADIUS server with PacketShaper-specific attributes, see Configure RADIUS Servers.
  - The LAN may be busy or down. Check the status of the network.


radius clear

Clear the accounting drop count and remove the drop-notice banner. When an accounting request is dropped because the accounting server was not configured correctly or was unreachable for some reason, PacketWise keeps track of these dropped accounting requests and displays a banner alerting you that requests have been dropped. You can use the radius clear command to clear this banner.

radius clear


radius login

Send a test PAP login request to the RADIUS authentication server. This command is useful for testing and debugging the setup of your RADIUS authentication server, when Password Authentication Protocol (PAP) is used.

radius login <username> <password>

For example:

radius login bob 12567

"bob" RADIUS Authentication OK
Vendor-Specific: access=touch

The above output indicates that the authentication of the user bob was successful. If authentication fails, you will see one of the following messages:

Message: Authentication turned off
  What it means: The authentication service is not enabled on PacketWise.
  What you should do: Use the setup radius auth on command to enable authentication, and then send another test login request.

Message: No server configured
  What it means: The RADIUS authentication service is turned on in PacketWise, but the server is not configured.
  What you should do: Use the setup radius auth primary command and specify the authentication server's IP address, port number, and shared secret. Then send another test login request.

Message: Access rejected by server
  What it means: The user name and/or password is invalid.
  What you should do: Contact your RADIUS administrator to verify that you are using the correct user name and password.

Message: Timeout: Unable to obtain a response from server
  What it means: The RADIUS authentication service is turned on in PacketWise and the server is configured. This message could be caused by any of the following situations:
  - The server could be down. Contact your RADIUS administrator to check the status of the RADIUS authentication server. It's a good idea to configure a secondary server to have a backup in case the primary server fails.
  - Incorrect IP address for the server. Contact your RADIUS administrator to verify the host name or IP address of the authentication server.
  - The authentication service may not be enabled on the RADIUS server side. Contact your RADIUS administrator to verify that the authentication service is enabled on the RADIUS server.
  - The server may not be configured to work as a PacketShaper client. For information on configuring the RADIUS server with PacketShaper-specific attributes, see Configure RADIUS Servers.
  - The LAN may be busy or down. Check the status of the network.

Message: Error: Reply didn't contain an access level attribute
  What it means: The user name and password are valid, but the user wasn't configured with an access level attribute.
  What you should do: Configure the RADIUS server with an access level attribute for this user.
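The two test commands differ in what actually leaves the unit. radius login (PAP) sends the password hidden with the shared secret; radius chaplogin (CHAP) sends only MD5(ID || password || challenge), which is what the "chap ID", "challenge" and "response" lines of its output are. The following code is an added example, not PacketShaper code; it serves both the radius chaplogin and radius login entries and implements the two encodings as RFC 2865 specifies them (User-Password hiding for PAP; the CHAP-Password and CHAP-Challenge attributes, with the response computed as in RFC 1994), assembles the Access-Request around them, and parses it back. The shared secret, user name, password, Request Authenticator and challenge are constructed inputs, and nothing is transmitted.

```python
"""What 'radius login' (PAP) and 'radius chaplogin' (CHAP) put on the wire.
Added example, not PacketShaper code: the two credential encodings of RFC 2865
(User-Password hiding for PAP; CHAP-Password/CHAP-Challenge for CHAP, computed
as in RFC 1994) plus a minimal Access-Request and its parser. Shared secret,
user name, password, Request Authenticator and challenge are constructed
inputs; nothing is sent to a server."""
import hashlib
import hmac
import struct
from typing import Dict

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 2, 3, 60


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded by the 16-byte Request Authenticator.
    This is obfuscation keyed by the shared secret, not real encryption."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of pap_hide; strips the NUL padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return bytes(out).rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5(Identifier || password || challenge). The password never
    crosses the wire, but the server must hold it in clear text to check."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(ident: int, response: bytes, stored_password: bytes,
                challenge: bytes) -> bool:
    """Server-side check, compared in constant time."""
    return hmac.compare_digest(chap_response(ident, stored_password, challenge), response)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header octets (max 255)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def pap_request(user: bytes, password: bytes, secret: bytes,
                ident: int, authenticator: bytes) -> bytes:
    """What 'radius login <user> <password>' sends (PAP)."""
    attrs = attribute(ATTR_USER_NAME, user)
    attrs += attribute(ATTR_USER_PASSWORD, pap_hide(password, secret, authenticator))
    return access_request(ident, authenticator, attrs)


def chap_request(user: bytes, password: bytes, ident: int,
                 authenticator: bytes, challenge: bytes) -> bytes:
    """What 'radius chaplogin <user> <password>' sends (CHAP): CHAP-Password is
    the CHAP Ident plus the 16-byte response, the challenge rides in
    CHAP-Challenge, and the shared secret plays no part in the credential."""
    attrs = attribute(ATTR_USER_NAME, user)
    attrs += attribute(ATTR_CHAP_PASSWORD,
                       bytes([ident]) + chap_response(ident, password, challenge))
    attrs += attribute(ATTR_CHAP_CHALLENGE, challenge)
    return access_request(ident, authenticator, attrs)


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Decode a RADIUS packet's attribute list (last value wins per type)."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs
```

The practical consequences follow directly from the two functions: with PAP, anyone who holds the shared secret and captures the UDP exchange can run pap_reveal and recover the password, so the secret's strength and the management network matter; with CHAP, the capture yields only a hash but the server must store the clear-text password to compute chap_response, which is why many directories cannot back a CHAP deployment. Neither mode authenticates the request itself beyond the secret, so the "Secret" shown by radius show is the whole trust anchor.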


radius session

Show a list of current user sessions (RADIUS, TACACS, ds, local) and detailed information about each session.

radius session

ID        Stat  Age       Idle     Limit    Type  Access  User Name
3b61a571  live  40 mins   0 secs   60 mins  CLI   touch   bob
3b61afb6  live  91 secs   91 secs  60 mins  FTP   touch   john
3b61af6a  live  167 secs  17 secs  60 mins  WUI   touch   george
3b61a571  live  45 mins   0 secs   60 mins  CLI   touch   bob

Column  Description

ID  Identification given to the user session

Stat  The status of the session:
  live: the session is active
  dead: the session timed out
  new: the user is in the process of logging in

Age  Length of time the session has been active; that is, the amount of time since the user logged in

Idle  Amount of time since the user gave a command; whenever a user gives a command, the idle value is reset to zero

Limit  Amount of time a session is idle before the user will be timed out and logged off; for example, if the limit is 60 minutes, a user will get logged off when no commands are given for a 60-minute period

Note: The PacketWise default session life limit is 60 minutes. However, the RADIUS or TACACS+ server can be independently configured with different limits for different users and these limits override PacketWise's.

Type  Type of interface used: CLI (command-line interface), WUI (web user interface), or FTP (file transfer protocol)

Access  Type of access: Touch, Look, or Portal (if access is through a customer portal)

User Name  Name of the user who logged into the session


radius show

Display RADIUS client configuration. Use this command to verify that RADIUS authentication and accounting are enabled, to see the current settings for the retry limit and retry interval, and to view the configuration settings for the primary and secondary authentication and accounting servers.

radius show

Radius method is CHAP
Radius Authentication is ON
Radius Accounting is OFF
Retry limit: 3
Retry interval: 5

            auth1           auth2           acct1     acct2
----------------------------------------------------------------------------
Server      172.23.225.203  172.23.225.213  -         -
Secret      packet          packet          -         -
Port        1812            1812            0         0
Status      Up              Unknown         Unknown   Unknown
Attempts    1               0               0         0
Success     1               0               0         0
Timeout     0               0               0         0

Auth1 last accessed: Wed Jul 11 14:16:48 2007
Auth2 was never accessed!

The output also indicates the number of attempts made to connect to each server, the number of successful connections, and the number of connections that timed out. Note that the Secret row prints each server's shared secret in clear text, so treat saved output of this command (terminal logs, support bundles, pasted transcripts) as sensitive; the shared secret is the only thing that protects PAP passwords in transit and authenticates replies from the server.


reset

Reset the unit. In certain situations, you may need to reboot the unit, for example, after creating host accounting categories, changing system variables, and installing plug-ins.

reset

The statistics that are cleared after you reset the device include: active IP hosts, current speed per host, active flows, peak flows, Top Talkers/Listeners, and dynamic hosts for Xpress tunneling. All counters on the Monitor Traffic page are reset. All traffic configurations (such as classes, policies, partitions, and static hosts defined for Xpress tunneling) are preserved when you reboot.

To reset all settings to factory default, use the setup reset all command.


rm

Remove one or more files from the unit's system or data disk.

rm <file>...


rmdir

Remove a directory from the unit's system or data disk.

rmdir <dir>


rtm accept

Note: This command is not available on PacketShaper ISP.

Set an acceptable service level threshold percentage for response time measurement (RTM). The default is 100%.

rtm accept <tclass> <percent>

where <tclass> is the traffic class to be defined.


rtm clear

Note: This command is not available on PacketShaper ISP.

Zero out response time measurement statistics for all classes.

rtm clear


rtm drilldown

Note: This command is not available on PacketShaper ISP.

List the hosts with the highest percentage of slow transactions, as defined by the class' Total Delay Threshold. A feature of the drilldown command is to suppress hosts that had fewer than N transactions, as they might skew the data.

rtm drilldown <tclass> [<number> [<cutoff>]]

<tclass> Specify a traffic class that tracks response time and has a threshold.

<number> Limit the number of displayed entries (default is 10).

<cutoff> Don't list hosts with fewer than cutoff transactions. This eliminates the hosts whose response figures aren't meaningful because too few data points were available (few transactions). If you want to include every host in the rtm drilldown output, set the optional cutoff parameter to 1.


rtm hosts

Note: This command is not available on PacketShaper ISP.

Enable or disable worst client/server tracking for a class.

rtm hosts <tclass> enable|disable

where <tclass> is the traffic class to be tracked.


rtm show

Note: This command is not available on PacketShaper ISP.

Display a summary of the RTM statistics for all traffic classes with response-time data.

rtm show

The display has one row per traffic class with the following information:

Traffic Class The name of the traffic class

Goodness The number of good transactions (those within the Total Delay Threshold) divided by the transaction count, multiplied by 100. In other words, the percentage of good transactions.

Response Time: Total, Network, Server, Normal The average number of milliseconds required by the class' transactions.

The value in the Normal column is the component of the transaction time that is directly related to the transaction size. An increase or decrease in that number does not indicate any change in network or server performance and requires no user intervention. This value is not tracked by the measurement engine.


rtm threshold

Note: This command is not available on PacketShaper ISP.

Differentiate between acceptable and unacceptable response by supplying a threshold that defines good performance. PacketWise uses the threshold when evaluating each transaction's total delay figure. If the transaction completes within the time indicated with the threshold, the transaction is considered "good."

rtm threshold <tclass> <delay>|none [total|network|server]

Specify the delay threshold in milliseconds or remove the threshold using the none literal. The threshold maximum is 99 seconds.

If you set a network or server delay threshold in the CLI, the setting will not appear in the browser interface, as these types of thresholds are not supported in the browser version of PacketWise. (Only the total delay threshold can be set in the browser interface.) Note that using the browser interface to make any changes to a class' RTM settings will clear the network or server delay threshold you set in the CLI.


rtm worst

Note: This command is not available on PacketShaper ISP.

Display the traffic classes that have the "worst" response-time statistics.

rtm worst [goodness|total|network|server [<number> [<cutoff>]]]

goodness|total|network|server Displays response time measurement data sorted by Total Delay, Network Delay, Server Delay, or Goodness. If a data type is not specified, goodness is the default type.

<number> Limits the number of classes that are displayed. The default value is 10.

<cutoff> Excludes the traffic classes that have less than the number of transactions specified by this cutoff value. The default is 10.


run

Run a command file or script. This command runs in the context of your current directory. The filename must have a cmd suffix. An output file, <filename>.out, contains the results of command-file execution. To view the contents of this output file, use the cat or more command.

Note: PacketWise's diagnostic commands (arp, dns, ping, net, sys, uptime) and utility commands (cat, cd, cmp, cp, date, du, echo, head, history, ls, mkdir, more, mv, pwd, rm, rmdir, and tail) cannot be executed from a command file or used with the schedule command.


schedule delete

Delete a scheduled command execution.

schedule delete <item_id>|all

The scheduled item is removed from the list, but the remaining items are not renumbered. For example, in the following list, item 3 was deleted, leaving items 1, 2, and 4 intact.

This command produces output similar to the following:

Id  Time Range          Issued Date    Command        Mail recipients
1:  08:00:00-08:00:40   1      weekday "p2pday.cmd"*  [email protected]
2:  18:00:00-18:00:40   1      weekday "p2peve.cmd"*  [email protected]
4:  06:00:00-06:00:40   0      daily   "test.cmd"*


schedule disable

Disable a scheduled item so that it won't be executed. If you want to permanently remove the scheduled item, use the schedule delete command.

schedule disable <item_id> | all

where <item_id> is the ID of the item displayed in the schedule show output. Use the all parameter to disable all entries.

After you have disabled an item, it will still be listed in the schedule show output, but [disabled] will appear at the end of the line.

Id Time Range Issued Date Command Mail recipients

00000001: 08:00:00-08:00:40 1 weekday "p2pday.cmd"* [email protected] [disabled]

2DA2B03E: 18:00:00-18:00:40 1 weekday "p2peve.cmd"* [email protected]

7EC07402: 06:00:00-06:00:40 1 weekend "p2psat.cmd"* [email protected]

5545F94E: 06:00:00-06:00:40 0 daily "test.cmd"*

To enable the item later, use the schedule enable command.


schedule enable

Enable a scheduled item that has been disabled with the schedule disable command.

schedule enable <item_id> | all

where <item_id> is the ID of the item displayed in the schedule show output. Use the all parameter to enable all entries.


schedule new

Schedule a command to execute at a specific time and date. When using the scheduling feature, it’s important that your unit has the correct date and time. Use the date command to check the date and time. If you need to correct the date or time, use the setup date command.

Scheduling is limited to 64 scheduled commands. Scheduled commands that are no longer needed (for example, expired commands scheduled to run only once) should be removed from the list via the schedule delete command, so they do not continue to consume available resources.

Note for units in shared mode: To permanently delete a command scheduled via PolicyCenter, you must remove the command from the unit's sharable PolicyCenter configuration, and not just from the unit itself. If PolicyCenter detects that a scheduled command is on the unit's PolicyCenter configuration but no longer on the unit itself, PolicyCenter will synchronize the unit's settings with its PolicyCenter configuration to restore that command to the unit. If the time range for the scheduled command is not over or the PolicyCenter time zone is not correctly configured, the command may run again. This problem may occur even if the time zone of the Windows or Solaris server is set correctly.

When setting the time for a scheduled command, take biannual time changes into consideration. For example, if you set a command to execute at 2:30am in the United States, the command will not be executed when the clock changes ahead one hour for Daylight Saving Time. You can ensure a command will be executed during a clock change by specifying a time range (such as 02:00-04:00).

schedule new [<day option>] <time_range>[utc] <cmd>|{-f <cmd_file>} [mail:<address>] [id:<item_id>] [disable]

[<day option>]

Specifies the day(s) the schedule should run. If you don’t specify the <day option>, the scheduled item will run every day.

Specify one of the following for <day option>:

now

today | + <n>

[once:]<date>[,<date>] …

[once:]weekday | weekend | <dow>[,<dow>] …

[once:]<dom>[,<dom>] …

+<n> is <n> days from today. For example, +1 is tomorrow.

<date> is a specific date in the format mm/dd. The date is assumed to be a future date, within the next twelve months. For example, if today is 5/30/02 and you specify the date 5/29, the item will be scheduled for execution on May 29, 2003. You can specify up to 10 dates separated by commas.

The once: option, which optionally precedes the <date> and the following options, specifies that the item should be executed once for each of the specified dates. If you don’t specify once:, the item will be executed on an ongoing basis, according to the date(s) you specified.

weekday executes the item on weekdays only (Monday through Friday). weekend executes the item on weekends (Saturday and Sunday). These two options are useful for setting different policies for weekdays and weekends. For example, you might want music file sharing to have less bandwidth during the week than on the weekend.

<dow> is the day of the week, specified with the first three letters of the day (mon, tue, wed, thu, fri, sat, sun). If you specify more than one day, each day is separated by a comma and no space, for example, mon,wed. You can specify up to seven days of the week.

<dom> is a specific day of the month, for example, 15 for the fifteenth of the month. You can specify up to 31 days, separated by commas.

<time_range>[utc]

Specifies the time at which the command or command file should be executed. The syntax is:

hh:mm[.ss][-hh:mm[.ss]]

where hh is the hour from 0 to 23, and mm and ss are minutes and seconds from 0 to 59. For example, to specify the time 5pm, enter 17:00.

If a range is not specified, PacketWise will attempt to execute the command within a 40-second window. If you want to allow more time for the command(s) to be executed, you can specify a range (for example, 08:00-08:02).

The legacy syntax hhmm.ss is supported for backward compatibility.

Use the optional suffix utc to specify a coordinated universal time (UTC). Specifying times in UTC (similar to Greenwich mean time) is useful when managing units in different time zones. For example, 1800Z is 1pm in Eastern standard time and 4pm in Pacific standard time.

<cmd> | -f <cmd_file>

You can specify one of the following:

The CLI command <cmd> to be executed. The command should be enclosed in quotation marks.

The name of the file (-f <cmd_file>) that contains a list of CLI commands. Specify a path to the <cmd_file> unless the file is in the default directory (9.256/cmd). The filename should be eight characters or less and have a .CMD extension.

[mail:<address>]

Sends the output of the command or command file execution to the specified email address(es), allowing you to confirm that the command executed at the specified date and time. You can specify up to four email addresses, separated by commas.

In order to use this feature, you must configure a mail server. See setup email.

[id:<item_id>]

Assigns the specified ID to the scheduled item. <item_id> can be up to eight characters long and can contain the numbers 0-9 and the letters A-F and a-f. This parameter is primarily used to override inherited entries when using shared mode (PolicyCenter). The ID is shown in the list of scheduled entries via the schedule show command. If you don’t specify an ID, PacketWise assigns a random number.

Note: It’s recommended that you allow PacketWise to automatically create the ID rather than manually assign the ID with the id option. If you do manually assign an ID, make sure you follow the guidelines for ID names, as described above.

[disable]

Disables the scheduled item so that it won't be executed. If you want to enable or disable the item after it is created, use the schedule enable or schedule disable command.

You will typically want to create scheduled items in complementary pairs. For example, you can create one scheduled item for a policy that is applicable during work hours and another schedule for a policy that is applicable after hours.

schedule new weekday 08:00 policy apply rate /inbound/gnutella 4800 9600 2 4800 4800
schedule new weekday 18:00 policy apply rate /inbound/gnutella 128k 256k 4 256k 256k

If you use the mail:<address> parameter, an email message containing the command output will be sent to the specified <address> shortly after the schedule is executed.

Note: PacketWise's diagnostic commands (arp, dns, ping, net, sys, uptime) and utility commands (cat, cd, cmp, cp, date, du, echo, head, history, ls, mkdir, more, mv, pwd, rm, rmdir, and tail) cannot be executed from a command file or used with the schedule command.

For situations and examples of when you might want to use the schedule command, see:

Control Instant Messaging

Adjust Management Strategy According to Time of Day

Command Change History

Release  Modification
8.3.1    [d] parameter to automatically delete command file removed
8.0.1    now <day option> introduced
8.0.0    no change
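The <day option>, <time_range>, <cmd>/-f, mail:, id: and disable rules above are easy to get wrong when schedules are generated from a script. The following Python helper is an added example, not code from the PacketGuide or from Blue Coat: it assembles a schedule new line and rejects parts that break the rules stated in this entry. It assumes the utc suffix is appended directly to the time range as the syntax line shows, quotes the inline command as the <cmd> description recommends (the gnutella example above leaves it unquoted), and does not accept the legacy hhmm.ss form.

```python
"""Build a PacketWise ``schedule new`` line from validated parts.

Added example (not code from the PacketGuide or from Blue Coat). The checks
follow the rules given for each parameter of ``schedule new``; the legacy
hhmm.ss time syntax is deliberately not accepted.
"""
import re

DAYS_OF_WEEK = {"mon", "tue", "wed", "thu", "fri", "sat", "sun"}
_TIME = r"(?:[01]?\d|2[0-3]):[0-5]\d(?:\.[0-5]\d)?"          # hh:mm[.ss]
_TIME_RANGE = re.compile(rf"^{_TIME}(?:-{_TIME})?(?:utc)?$")  # optional end time and utc suffix
_DATE = re.compile(r"^(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])$")  # mm/dd


def validate_day_option(day):
    """Return ``day`` if it is one of the documented <day option> forms, else raise ValueError."""
    if day in ("now", "today") or re.fullmatch(r"\+\d+", day):
        return day                                   # now, today, +<n>
    body = day[len("once:"):] if day.startswith("once:") else day
    if body in ("weekday", "weekend"):
        return day
    items = body.split(",")                          # comma-separated, no spaces
    if len(items) <= 10 and all(_DATE.match(i) for i in items):
        return day                                   # <date>[,<date>] ...
    if len(items) <= 7 and all(i in DAYS_OF_WEEK for i in items):
        return day                                   # <dow>[,<dow>] ...
    if len(items) <= 31 and all(i.isdigit() and 1 <= int(i) <= 31 for i in items):
        return day                                   # <dom>[,<dom>] ...
    raise ValueError(f"unsupported <day option>: {day!r}")


def validate_time_range(time_range):
    """Accept hh:mm[.ss][-hh:mm[.ss]][utc] with 0-23 hours and 0-59 minutes/seconds."""
    if not _TIME_RANGE.match(time_range):
        raise ValueError(f"bad <time_range>: {time_range!r}")
    return time_range


def is_valid(validator, value):
    """True when ``validator`` accepts ``value`` (handy for pre-checks and tests)."""
    try:
        validator(value)
        return True
    except ValueError:
        return False


def build_schedule_new(time_range, cmd=None, cmd_file=None, day=None,
                       mail=(), item_id=None, disabled=False):
    """Assemble the command line; exactly one of ``cmd`` or ``cmd_file`` must be given."""
    if (cmd is None) == (cmd_file is None):
        raise ValueError("give exactly one of cmd or cmd_file")
    parts = ["schedule new"]
    if day is not None:
        parts.append(validate_day_option(day))
    parts.append(validate_time_range(time_range))
    if cmd is not None:
        if '"' in cmd:
            raise ValueError("inline command must not contain double quotes")
        parts.append(f'"{cmd}"')                     # <cmd> is enclosed in quotation marks
    else:
        stem, dot, ext = cmd_file.rsplit("/", 1)[-1].rpartition(".")
        if not dot or ext.lower() != "cmd" or not 0 < len(stem) <= 8:
            raise ValueError("command file needs a name of eight characters or less and a .cmd extension")
        parts.append(f"-f {cmd_file}")
    if mail:
        if len(mail) > 4 or not all("@" in a and " " not in a for a in mail):
            raise ValueError("mail: takes up to four comma-separated addresses")
        parts.append("mail:" + ",".join(mail))
    if item_id is not None:
        if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", item_id):
            raise ValueError("id: must be 1-8 hexadecimal characters")
        parts.append(f"id:{item_id}")
    if disabled:
        parts.append("disable")
    return " ".join(parts)


if __name__ == "__main__":
    print(build_schedule_new("08:00", day="weekday",
                             cmd="policy apply rate /inbound/gnutella 4800 9600 2 4800 4800"))
```

Because the builder raises on the first rule it finds broken, a script that feeds it a table of schedules stops before anything reaches the unit, rather than leaving a half-applied pair of work-hours and after-hours items.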


schedule show

List the currently scheduled commands.

schedule show [-time] [-utc]

[-time]

Sorts schedules by time, with the earliest start time listed first.

Without the -time switch, schedules are sorted by ID.

[-utc]

Lists schedules in their original time input. If time was entered in coordinated universal time (UTC) format, the UTC time will be displayed with a Z after the time (for example, 00:00:00-00:00:40Z). If the time was specified in local time, the local time will be displayed.

Without the -utc switch, all times are listed in local time; in other words, any UTC times are converted to local time on the display. An L displays after the converted UTC time (for example, 08:00:00-08:00:40L).

This command produces output similar to the following:

Id Time Range Issued Date Command Mail recipients

00000001: 08:00:00-08:00:40 1 weekday "p2pday.cmd"* [email protected] [disabled]

2DA2B03E: 18:00:00-18:00:40 1 weekday "p2peve.cmd"* [email protected]

7EC07402: 06:00:00-06:00:40 1 weekend "p2psat.cmd"* [email protected]

5545F94E: 06:00:00-06:00:40 0 daily "test.cmd"*

Each scheduled event has a unique ID, which can be used to delete items from a schedule. The number in the "Issued" column indicates how many times the command has executed. An asterisk (*) flags command-file items. If [disabled] appears (as in the first entry), the item has been disabled with the schedule disable command and will not be executed.
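To review what a unit will run without reading the listing by eye, the schedule show output can be parsed. The following Python parser is an added example, not code from the PacketGuide or from Blue Coat; the listing it reads is constructed to match the column layout above and mixes the L and Z suffixes only to exercise the parser (a real listing shows one form or the other depending on -utc). The summary groups items by the properties a configuration review looks at first: disabled items, items that have never been issued, inline commands versus command files, and items with nobody on the mail: list.

```python
"""Parse ``schedule show`` output and summarize what is scheduled.

Added example (not code from the PacketGuide or from Blue Coat). The sample
listing is constructed; its columns follow the example in the schedule show
entry, with the L/Z time suffixes described for the -utc switch.
"""
import re

# Constructed sample. Mixing L and Z suffixes is only to exercise the parser.
SAMPLE_LISTING = """\
Id        Time Range            Issued Date     Command        Mail recipients
00000001: 08:00:00-08:00:40     1      weekday  "p2pday.cmd"*  netops@example.com [disabled]
2DA2B03E: 18:00:00-18:00:40     1      weekday  "p2peve.cmd"*  netops@example.com
7EC07402: 06:00:00-06:00:40L    1      weekend  "p2psat.cmd"*  netops@example.com,oncall@example.com
5545F94E: 06:00:00-06:00:40Z    0      daily    "test.cmd"*
1A2B3C4D: 23:00:00-23:00:40     12     mon,fri  "setup access disable telnet"
"""

_ROW = re.compile(
    r'^(?P<id>[0-9A-Fa-f]{1,8}):\s+'
    r'(?P<time_range>\d\d:\d\d:\d\d-\d\d:\d\d:\d\d)(?P<tz>[LZ])?\s+'
    r'(?P<issued>\d+)\s+'
    r'(?P<date>\S+)\s+'
    r'"(?P<command>[^"]*)"(?P<file_flag>\*)?'
    r'(?P<rest>.*)$')


def parse_schedule_show(text):
    """Return one dict per scheduled item; the header and unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        tokens = m.group("rest").split()
        recipients = [a for t in tokens if t != "[disabled]" for a in t.split(",")]
        entries.append({
            "id": m.group("id"),
            "time_range": m.group("time_range"),
            "tz": m.group("tz") or "",            # "L": UTC converted to local, "Z": shown as UTC
            "issued": int(m.group("issued")),     # how many times the command has executed
            "date": m.group("date"),
            "command": m.group("command"),
            "command_file": bool(m.group("file_flag")),  # the asterisk flags command-file items
            "recipients": recipients,
            "disabled": "[disabled]" in tokens,
        })
    return entries


def summarize(entries):
    """Group item IDs by the properties an administrator reviews first."""
    return {
        "disabled": [e["id"] for e in entries if e["disabled"]],
        "never_issued": [e["id"] for e in entries if e["issued"] == 0 and not e["disabled"]],
        "command_files": [e["id"] for e in entries if e["command_file"]],
        "inline_commands": [e["id"] for e in entries if not e["command_file"]],
        "without_mail": [e["id"] for e in entries if not e["recipients"]],
    }


if __name__ == "__main__":
    for key, ids in summarize(parse_schedule_show(SAMPLE_LISTING)).items():
        print(f"{key:16s} {', '.join(ids) or '-'}")
```

Items that change access settings or policies and have no mail: recipient are worth a second look, because the mail message is the only confirmation that the command ran at the scheduled time.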


send email

Define an email message. Include this command in an adaptive response action file to trigger an email notification of a change in the status of a unit or your network.

send email <address> "<subject>" ["<body>"]

<address> Email address of the recipient; up to two addresses can be specified, separated by a space

<subject> Text to be included on the subject line

<body> Text to be included in the body of the email message

The total maximum length of the send email command is 256 characters.

Note: You must first configure a mail server with the setup email command before you can issue the send email command.


send syslog

Define a syslog message that will be sent to a syslog server.

send syslog FDBK <severity> <mnemonic> ["<string>"]

<severity> Specify one of the following severity levels: Emergency, alert, critical, error, warn, notice, info, debug

See Severity Levels for more information about severity levels.

<mnemonic> Any 9-character string that can be used to categorize the message

"<string>" Text to be included in the syslog entry

Note: You must configure a syslog server with the setup syslog command before you can use the send syslog command to send a syslog message.

Including this command in an adaptive response action file triggers a syslog message to be sent to a previously defined syslog server. If you include action file variables in this command, the agent automatically enters the values for the variables as the action file is run. The user cannot change the values of these variables; their values come from the agent only.

The following example command could be included in an action file for a "High Bandwidth Host" agent:

send syslog FDBK error $agentname "$scorecolor: $namelist is the biggest violator."

The High Bandwidth Host agent will automatically fill in the $agentname, $scorecolor, and $namelist variables with the name of the agent, the agent's status color at the time the action file was triggered, and the name of the host.


send trap

Define an SNMP (Simple Network Management Protocol) trap that will be sent to an SNMP trap listener.

send trap "<name>" <color> ["<description>"]

<name> Name of an agent for which you want to send a trap. If the agent name has a space, enclose it in quotation marks, for example, "My Agent."

<color> Agent's status color at the time of the trap: red, yellow, green, or blue

<description> Description of what happened at the time of a trap

Including this command in an adaptive response action file triggers a trap to be sent to a previously defined SNMP trap destination. When you include adaptive response agent action file variables in this command, the agent automatically enters the values for the variables as the file is run. The user cannot change the values of these variables; their values come from the agent only.

The following example command could be included in a red action file for a Packet Drops agent:

send trap "$agentname" $scorecolor "$classname is the biggest violator."

The Packet Drops agent will automatically fill in the $agentname, $scorecolor and $classname variables with the name of the agent, the agent's status color at the time of the trap, and the name of the traffic class. If excessive packet drops in the traffic class /Inbound/HTTP triggered the red action file, the action file variables would make the action file read as follows:

send trap "Packet Drops" red "/Inbound/HTTP is the biggest violator"

Note: In order to send SNMP traps, PacketWise needs to know where to send the traps. See Configure PacketWise for SNMP Support.
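The send email, send syslog and send trap entries each state limits (two email addresses and 256 characters, the severity list and the 9-character mnemonic, the four status colors) that are only enforced when the action file runs. The following Python lint is an added example, not code from the PacketGuide or from Blue Coat; it checks those limits on the send lines of an action file before the file is installed. Action-file variables such as $agentname are accepted wherever a literal could appear, and the 9-character mnemonic rule is treated as a maximum, which is this example's assumption.

```python
"""Lint the send email / send syslog / send trap lines of an adaptive response action file.

Added example (not code from the PacketGuide or from Blue Coat). Only the
limits stated in the three command entries are checked; action-file
variables ($agentname, $scorecolor, ...) are accepted wherever a literal
would be, and the 9-character mnemonic rule is treated as a maximum (an
assumption of this example).
"""
import re

SEVERITIES = {"emergency", "alert", "critical", "error", "warn", "notice", "info", "debug"}
COLORS = {"red", "yellow", "green", "blue"}
MAX_EMAIL_COMMAND = 256      # total length of a send email command
MAX_EMAIL_ADDRESSES = 2      # addresses are separated by a space
MAX_MNEMONIC = 9

_EMAIL = re.compile(r'^send email\s+(?P<addrs>\S+@\S+(?:\s+\S+@\S+)*)\s+"[^"]*"(?:\s+"[^"]*")?$')
_SYSLOG = re.compile(r'^send syslog\s+FDBK\s+(?P<sev>\S+)\s+(?P<mnemonic>\S+)(?:\s+"[^"]*")?$')
_TRAP = re.compile(r'^send trap\s+(?:"[^"]*"|\S+)\s+(?P<color>\S+)(?:\s+"[^"]*")?$')


def _is_variable(token):
    return token.startswith("$")     # filled in by the agent when the action file runs


def lint_action_line(line):
    """Return the problems found on one line; lines that are not send commands get none."""
    s = line.strip()
    problems = []
    if s.startswith("send email"):
        m = _EMAIL.match(s)
        if not m:
            return ['send email: expected <address> [<address>] "<subject>" ["<body>"]']
        if len(m.group("addrs").split()) > MAX_EMAIL_ADDRESSES:
            problems.append(f"send email: more than {MAX_EMAIL_ADDRESSES} recipient addresses")
        if len(s) > MAX_EMAIL_COMMAND:
            problems.append(f"send email: {len(s)} characters exceeds the {MAX_EMAIL_COMMAND}-character limit")
    elif s.startswith("send syslog"):
        m = _SYSLOG.match(s)
        if not m:
            return ['send syslog: expected FDBK <severity> <mnemonic> ["<string>"]']
        sev, mnemonic = m.group("sev"), m.group("mnemonic")
        if not _is_variable(sev) and sev.lower() not in SEVERITIES:
            problems.append(f"send syslog: unknown severity {sev!r}")
        if not _is_variable(mnemonic) and len(mnemonic) > MAX_MNEMONIC:
            problems.append(f"send syslog: mnemonic {mnemonic!r} is longer than {MAX_MNEMONIC} characters")
    elif s.startswith("send trap"):
        m = _TRAP.match(s)
        if not m:
            return ['send trap: expected "<name>" <color> ["<description>"]']
        color = m.group("color")
        if not _is_variable(color) and color.lower() not in COLORS:
            problems.append(f"send trap: color {color!r} is not red, yellow, green or blue")
    return problems


def lint_action_file(text):
    """Map 1-based line numbers to their problems, omitting clean lines."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        problems = lint_action_line(line)
        if problems:
            report[number] = problems
    return report


# Constructed sample action file: lines 1-3 follow the documented forms, lines 4-6 each break a rule.
SAMPLE_ACTION_FILE = """\
send syslog FDBK error $agentname "$scorecolor: $namelist is the biggest violator."
send trap "$agentname" $scorecolor "$classname is the biggest violator."
send email ops@example.com "PacketShaper alert" "$agentname turned $scorecolor"
send syslog FDBK fatal BANDWIDTHHOG "severity is not one of the documented levels"
send trap "Packet Drops" purple "colour is not red, yellow, green or blue"
send email a@example.com b@example.com c@example.com "too many recipients"
"""

if __name__ == "__main__":
    for number, problems in lint_action_file(SAMPLE_ACTION_FILE).items():
        for problem in problems:
            print(f"line {number}: {problem}")
```

Variables are left unchecked because their values only exist when the agent runs the file; a mnemonic built from $agentname, for instance, can still exceed nine characters once the agent name is substituted.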


setup access default

When issued from the command-line interface of an individual unit, this command returns the security access settings for the unit to its default value, allowing users to access the unit via all available secure and non-secure protocols.

If this command is issued from PolicyCenter for a child configuration, the selected configuration will discard its existing security access settings and inherit all security access settings from its parent configuration. If the parent configuration has one or more access protocols disabled, the child configuration will disable those protocols as well.

If this command is issued from PolicyCenter for a root-level configuration, the selected configuration will return its security access settings to its default value, enabling all available secure and non-secure protocols for accessing the unit.

Note: To enable or disable a single protocol for accessing the unit, use instead the commands setup access enable or setup access disable.

setup access default


setup access disable

Allow access to a PacketShaper's browser and command-line interfaces (CLI) only via specific access protocols or with a secure connection. By default, all secure and nonsecure access protocols are enabled.

To allow access to the unit only via secure protocols such as secure http (SSL) and secure telnet (SSH), issue the setup access disable command to disable all non-secure protocols (FTP, HTTP, Telnet, Echo and SNMP). If you disable all secure and nonsecure protocols, you will only be able to access the unit via a direct console connection.

Note: Changing this setting might cause the session to be dropped.

setup access disable all|[secure-http|secure-telnet|ftp|http|telnet|echo|snmp]

Where:

all Disable all secure and nonsecure protocols for accessing your unit. Note that if you disable all protocols, you will only be able to access the unit via a direct console connection.

secure-http HTTP over Secure Sockets Layer protocol (SSL). The browser interface uses the SSL protocol to securely access the unit. Disabling this protocol will disable secure access to the unit via the browser interface.

secure-telnet Secure Shell remote login protocol (SSH). The CLI uses SSH to securely access the unit. Disabling this protocol will disable secure access to the unit via the CLI.

ftp File Transfer Protocol service. This is a nonsecure protocol.

http Hypertext Transport Protocol. This is a nonsecure protocol.

telnet Network terminal protocol. This is a nonsecure protocol.

echo Echo Protocol. This is a nonsecure protocol.

snmp Simple Network Management Protocol service. This is a nonsecure protocol.


setup access enable

Issue this command to reenable access to the unit via a service protocol that was previously disabled with the setup access disable command. By default, all services are enabled, allowing you to access the unit by all available secure and nonsecure protocols.

setup access enable all|[secure-http|secure-telnet|ftp|http|telnet|echo|snmp]

Where:

all Enable all secure and nonsecure protocols for accessing your unit.

secure-http HTTP over Secure Sockets Layer protocol (SSL). The browser interface uses the SSL protocol to securely access the unit.

secure-telnet Secure Shell remote login protocol (SSH). The CLI uses SSH to securely access the unit.

ftp File Transfer Protocol service. This is a nonsecure protocol.

http Hypertext Transport Protocol. This is a nonsecure protocol.

telnet Network terminal protocol. This is a nonsecure protocol.

echo Echo Protocol. This is a nonsecure protocol.

snmp Simple Network Management Protocol service. This is a nonsecure protocol.


setup access show

Display access security settings for the unit. The output lists all service protocols available for accessing the unit, and indicates whether each protocol is enabled or disabled.

setup access show

To disable or reenable a protocol for accessing the unit, use the command setup access disable or setup access enable.
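Moving a unit from the default (every protocol enabled) to secure-http and secure-telnet only takes one setup access disable per nonsecure protocol, and the order matters when the change is made over one of the protocols being disabled. The following Python planner is an added example, not code from the PacketGuide or from Blue Coat, covering the setup access disable, setup access enable and setup access show entries above; it uses the protocol names those entries list, emits enables before disables, puts the session's own protocol last, and refuses to produce a console-only plan unless that is explicitly confirmed.

```python
"""Plan ``setup access enable``/``setup access disable`` changes for a PacketShaper.

Added example (not code from the PacketGuide or from Blue Coat). The protocol
names are the ones listed for setup access enable/disable; the ordering
rules and the console-only guard are this example's own.
"""

SECURE = frozenset({"secure-http", "secure-telnet"})
NONSECURE = frozenset({"ftp", "http", "telnet", "echo", "snmp"})
ALL_PROTOCOLS = SECURE | NONSECURE


def nonsecure_enabled(enabled):
    """The nonsecure protocols currently enabled (the finding an access review reports)."""
    return sorted(NONSECURE & set(enabled))


def lockout_risk(desired_enabled):
    """True when the target state leaves only the direct console connection."""
    return not set(desired_enabled)


def plan_access_changes(current_enabled, desired_enabled, session_protocol=None,
                        allow_console_only=False):
    """Return the CLI lines that move the unit from ``current_enabled`` to ``desired_enabled``.

    Enables are emitted before disables, and the protocol carrying the
    current session (if it is being disabled) goes last, because the
    setup access disable entry warns that the session may be dropped.
    """
    current, desired = set(current_enabled), set(desired_enabled)
    unknown = (current | desired) - ALL_PROTOCOLS
    if unknown:
        raise ValueError(f"unknown access protocol(s): {sorted(unknown)}")
    if lockout_risk(desired) and not allow_console_only:
        raise ValueError("plan would disable every protocol; pass allow_console_only=True to confirm")
    to_disable = sorted(current - desired)
    if session_protocol in to_disable:
        to_disable.remove(session_protocol)
        to_disable.append(session_protocol)       # drop our own transport last
    return ([f"setup access enable {p}" for p in sorted(desired - current)]
            + [f"setup access disable {p}" for p in to_disable])


def secure_only_plan(current_enabled, session_protocol=None):
    """The usual hardening: keep only secure-http (SSL) and secure-telnet (SSH)."""
    return plan_access_changes(current_enabled, SECURE, session_protocol)


if __name__ == "__main__":
    # Factory default: every protocol enabled; the operator is logged in over telnet.
    for line in secure_only_plan(ALL_PROTOCOLS, session_protocol="telnet"):
        print(line)
```

Running setup access show before and after the plan, and keeping the before output, gives a record of the change; the planner deliberately never emits setup access disable all, so that an accidental console-only lockout has to be confirmed in the call rather than happening as a side effect.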


setup adaptiveresponse

Turns all configured adaptive response agents on or off, or returns all agents to their default state.

Note: To enable or disable a single agent, use instead the commands agent on or agent off.

setup adaptiveresponse on|off|default


setup bcaaa cache

This command is useful for troubleshooting issues with the user awareness feature. You can also use this command to see the lists of user and group names being monitored.

setup bcaaa cache stats show

Example:

setup bcaaa cache stats show

IP->User cache:
Max # of nodes    : 300
Current # of nodes: 50
Collisions        : 0
Positive cache hit: 0
Negative cache hit: 2765
Pending cache hit : 76
Cache miss        : 56
Insertion failure : 0
kmalloc failure   : 0

User table:
Max # of nodes    : 25000
Current # of nodes: 4
Collisions        : 0
Cache hit         : 0
Cache miss        : 0
Insertion failure : 0
kmalloc failure   : 0

Groups Of Interest table:
Max # of nodes    : 50
Current # of nodes: 3
Insertion failure : 0
kmalloc failure   : 0

BCAAA task queue:
Queue being full  : 0

****************************************************************
* Do you want to display the contents of the following tables  *
* ------------------------------------------------------------ *
* 1) IP-User Table                                             *
* 2) User Table                                                *
* 3) Groups Of Interest Table                                  *
* 4) All                                                       *
* 5) Exit                                                      *
****************************************************************

To get more specific information about the cache, users, and groups, choose one of the options on the menu shown at the end of the output. For example, to see which group names are in the Groups of Interest table, select option 3.
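The counters in the setup bcaaa cache stats show output are easier to watch over time if they are parsed rather than read by eye. The following Python parser is an added example, not code from the PacketGuide or from Blue Coat; the sample output is constructed from the figures in the entry above, and the health rules (any non-zero failure or queue-full counter, a table at 90% or more of its node limit) are this example's own thresholds, not documented ones.

```python
"""Parse ``setup bcaaa cache stats show`` output and flag the counters worth attention.

Added example (not code from the PacketGuide or from Blue Coat). The sample
output is constructed from the figures shown in the setup bcaaa cache entry;
the thresholds below are this example's own choices.
"""
import re

# Constructed sample matching the documented output, with several counters per line.
SAMPLE_STATS = """\
setup bcaaa cache stats show
IP->User cache:
Max # of nodes    : 300   Current # of nodes: 50   Collisions : 0
Positive cache hit: 0     Negative cache hit: 2765 Pending cache hit : 76   Cache miss : 56
Insertion failure : 0     kmalloc failure : 0
User table:
Max # of nodes    : 25000 Current # of nodes: 4    Collisions : 0
Cache hit : 0 Cache miss : 0
Insertion failure : 0 kmalloc failure : 0
Groups Of Interest table:
Max # of nodes : 50 Current # of nodes: 3 Insertion failure : 0 kmalloc failure : 0
BCAAA task queue:
Queue being full : 0
"""

# Constructed degraded output: the IP->User cache is nearly full and has allocation failures.
DEGRADED_STATS = """\
IP->User cache:
Max # of nodes    : 300   Current # of nodes: 290  Collisions : 4
Insertion failure : 0     kmalloc failure : 3
"""

_PAIR = re.compile(r"([A-Za-z#][A-Za-z# ]*?)\s*:\s*(\d+)")   # "label : number"
FAILURE_COUNTERS = ("Insertion failure", "kmalloc failure", "Queue being full")


def parse_bcaaa_cache_stats(text):
    """Return {table name: {counter: value}} for the tables in the output."""
    tables, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and not any(ch.isdigit() for ch in line):
            section = line[:-1]                 # e.g. "IP->User cache"
            tables[section] = {}
            continue
        if section is None:
            continue                            # echoed command, menu text, etc.
        for label, value in _PAIR.findall(line):
            tables[section][label.strip()] = int(value)
    return tables


def health_findings(tables, occupancy_warn=0.9):
    """Non-zero failure counters and tables at or above ``occupancy_warn`` of their node limit."""
    findings = []
    for table, stats in tables.items():
        for counter in FAILURE_COUNTERS:
            if stats.get(counter, 0) > 0:
                findings.append(f"{table}: {counter} = {stats[counter]}")
        limit, current = stats.get("Max # of nodes"), stats.get("Current # of nodes")
        if limit and current is not None and current / limit >= occupancy_warn:
            findings.append(f"{table}: {current}/{limit} nodes in use")
    return findings


def ip_user_miss_ratio(tables):
    """Share of IP->User lookups that missed the cache (positive, negative and pending hits count as hits)."""
    ip = tables.get("IP->User cache", {})
    hits = sum(ip.get(k, 0) for k in ("Positive cache hit", "Negative cache hit", "Pending cache hit"))
    misses = ip.get("Cache miss", 0)
    return misses / (hits + misses) if hits + misses else 0.0


if __name__ == "__main__":
    parsed = parse_bcaaa_cache_stats(SAMPLE_STATS)
    print(f"IP->User miss ratio: {ip_user_miss_ratio(parsed):.3f}")
    print(health_findings(parse_bcaaa_cache_stats(DEGRADED_STATS)))
```

A rising miss ratio or a user table approaching its node limit usually shows up here before user-group classification starts to lag, which is why these counters are worth collecting on a schedule rather than only when the feature is being troubleshot.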

Command Change History

Release  Modification

9.2.2 Command introduced


setup bcaaa force-register

Force synchronization of PacketShaper’s groups of interest table with BCAAA; use this command if BCAAA was down or the PacketShaper was not connected to BCAAA while user group classes were being added or removed on PacketShaper.

setup bcaaa force-register

Command Change History

Release  Modification

9.2.2 Command introduced


setup bcaaa server-test

Verify BCAAA servers are configured properly. After you have configured the BCAAA server(s), you can verify the server configuration by testing whether an IP address returns the correct user name and group names listed in Active Directory.

setup bcaaa server-test <ip-address>

where <ip-address> is a single IPv4 address that you know is assigned to an Active Directory user.

Examples:

If the BCAAA servers are configured properly and the IP address is associated with a user name in Active Directory, the test command will return a user name for the IP address that is specified, as well as the names of the groups the user belongs to.

Note: The only group names that display are ones for which a user group class has been created. The user may belong to other Active Directory groups, but they will not be listed for the user unless a class exists for that group.

# setup bcaaa server-test 10.9.116.215

user name: BCAAA\ADMINISTRATOR
group name(s): group-sanjose, group-engineering

Note: If your BCAAA server was configured incorrectly (such as an invalid IP address), it may take several minutes for the Cannot establish a connection to the BCAAA server message to return. It may appear that the session has hung, but the prompt will appear after a few minutes.

If there is a problem with the configuration or BCAAA cannot locate the IP address in Active Directory, you will see one of the following error messages in response to the server-test command:

Message: BCAAA must be enabled in order to test the configuration.
Action to Take: Enable BCAAA: setup bcaaa service on

Message: There is no primary server configured. Please configure a primary server and try again.
Action to Take: Configure BCAAA server: setup bcaaa service primary <host> [<port>]

Message: Can't establish a connection to the BCAAA server. Please make sure you have configured the primary or secondary server properly.
Action to Take: Show BCAAA settings and make sure they are correct: setup bcaaa show

Message: The user name could not be determined for this IP: x.x.x.x
Action to Take: Find a valid IP address and issue setup bcaaa test <ip-address> again.

See also:

setup bcaaa timeout
setup bcaaa show
setup bcaaa service

Command Change History

Release  Modification
9.2.2    User group support added
9.2.1    Command introduced


setup bcaaa service

Configure PacketShaper as a Blue Coat Authentication & Authorization Agent (BCAAA) client; this feature enables the PacketShaper to classify and report on user names and group names in Active Directory.

To enable or disable the BCAAA service, use:

setup bcaaa service on|off|default

To configure the settings of the BCAAA servers, use:

setup bcaaa service primary|secondary {<host> [<port>]}|delete|override

primary|secondary Enter the literal primary or secondary to indicate which server you are defining. (The secondary server is used when the primary server isn’t accessible.)

<host> The IPv4 address or DNS name of the BCAAA server

[<port>] The port number to access the server; if omitted, the default port 16101 is used.

delete Deletes the configuration of the primary or secondary server (whichever is specified)

override

For a PolicyCenter child configuration, create local BCAAA settings that override the settings it inherits from its parent configuration. Remove these override settings at any time with the command setup bcaaa primary|secondary delete.

Example:

This example defines a primary BCAAA server at 10.10.10.10 using the default port and a secondary server at 10.10.20.10 using port 903. The third command line enables the BCAAA service.

setup bcaaa service primary 10.10.10.10

setup bcaaa service secondary 10.10.20.10 903

setup bcaaa service on

See also:

setup bcaaa timeout
setup bcaaa show
setup bcaaa server-test

Command Change History

Release  Modification

9.2.1 Command introduced


setup bcaaa show

Display current Blue Coat Authentication & Authorization Agent (BCAAA) settings and the status of each BCAAA server.

setup bcaaa show

Example output:

BCAAA Setup values:

BCAAA Service : on Timeout : 10 seconds

BCAAA Servers:

Type      Host          Port   Status
Primary   10.9.112.240  16101  In use
Secondary 10.9.112.245  16101  Available

The Status column has the following possible values:

Status Description

Attempting to connect PacketShaper is in the process of trying to establish a connection to this BCAAA server.

In use PacketShaper is connected to this BCAAA server and is using it to look up users.

Available PacketShaper is able to connect to this server but is using another working server (one with an "In use" status) for user lookups.

Failed connection

PacketShaper tried to connect to this BCAAA server but the connection failed. Possible reasons for a failed connection include:

An incorrect IP address is specified.

BCAAA is configured to use a different port than PacketShaper.

BCAAA server is down.

Link is down.

No route exists between the networks.

Issue the setup bcaaa show command to refresh the status.

See also:

setup bcaaa service setup bcaaa timeout setup bcaaa server-test

Command Change History

Release  Modification

9.2.1 Command introduced


setup bcaaa timeout

Specify the number of seconds that PacketShaper will wait for a response from the BCAAA server when looking up a user name.

setup bcaaa timeout <seconds>|default

where <seconds> is a value between 2-30 seconds. The default timeout is 10 seconds.

Example:

setup bcaaa timeout 20

See also:

setup bcaaa service setup bcaaa showsetup bcaaa server-test

Command Change History

Release  Modification

9.2.1 Command introduced


setup bypass

Configure the bypass behavior when a PacketShaper is powered off or in bypass mode. When bypass is closed (the default), relays close on a powered-off PacketShaper to allow user traffic to pass unhindered between the interface ports. When bypass is open, the PacketShaper becomes a point of failure in the traffic path; this setting is required when using the direct standby feature. The setup bypass command simulates the opening and closing of relays.

setup bypass open|close <device>|all
setup bypass show

where <device> is the name of the interface pair (main, left, right, upper, or lower). Use the show parameter to list the bypass state for each device on the PacketShaper.

Example:

To configure a PacketShaper 12000 for direct standby, you need to open the bypass relays for the main device:

setup bypass open main

Notes:

This command only applies to devices that use software to change the power-off bypass state; the PacketShaper 12000 supports programmable bypass on all its interface pairs. Note that some devices use physical jumpers and some do not support bypass.

Command Change History

Release     Modification

8.6.3 setup bypass command introduced


setup capture

Capture PacketWise's configuration. The output can be created in a portable form (without specific IP addresses) or complete form (IP addresses included). The output file includes commands to recreate the configuration.

Note: This command is not intended to be a substitute for backing up PacketWise configurations.

setup capture [[portable|complete] [<filename>]]

[portable | complete] Indicate the format of the output. Portable is the default if no output format is specified. The portable file "comments out" the unit-specific details, such as the setup commands for the IP addresses. The complete file contains address information.

<filename> The filename is limited to an eight-character name with a three-character suffix. If no filename is specified, the file /cmd/config.cmd is created. If you specify a filename, you must also specify the format type: portable or complete. If you specify a filename without a suffix, the .cmd suffix is appended to the filename. The file is placed in the /cmd directory, unless you specify an explicit pathname.

Notes:

To restore the captured configuration, use the run command (for example, run config.cmd).

Auto-discovered port classes and customer portal customers are not recreated when you run the CMD file created with the setup capture complete command.

When setup capture is run from migration mode, both legacy and enhanced mode configuration will be captured. When the setup capture command is executed while the unit is in legacy tunnel mode, only legacy configuration settings are captured; the CMD file can be run in legacy or migration mode (not enhanced). When the configuration is captured in enhanced mode, only enhanced configuration settings are captured; the CMD file can be run in enhanced or migration mode (not legacy).

The output of the setup capture command displays authentication and privacy passwords in an encrypted format, and not in plain text. The setup capture command will not capture SNMPv3 authentication and privacy passwords modified via SNMP Set requests in complex mode unless the user is defined with the localizedKey option.


setup compression

applicable to legacy compression tunnels only; the equivalent command for enhanced tunnels is tunnel compression

Turn compression on or off.

setup compression on|off|default

on Turns on compression. When compression is turned on, PacketWise will automatically create and use a tunnel to transport compressed data between compression-enabled PacketShaper units.

off Turns compression off.

default Turns compression to default on/off state (off). Note that it does not reset other compression-related settings.

To avoid inducing latency unnecessarily, applications that are unlikely to achieve useful gains from compression are not compressed. Voice Over IP, video streaming, and encrypted data are examples of non-compressible traffic; to see a complete list of the non-compressible services, use the setup compression show services command. Although Xpress has default settings for which services are compressed, you can override these defaults using commands to turn compression on and off for individual classes. See the class compress on and class compress off commands.

Note that Xpress compresses data by service type, which is not necessarily the same as a traffic class. For example, the FTP traffic class has matching rules for several different services: FTP-Cmd-Clear (command channel), FTP-Cmd-Secure (secure FTP command channel), FTP-Data-Clear (FTP data transport channel), and FTP-Data-Secure (secure FTP data transfer channel). PacketWise compresses only the FTP-Cmd-Clear service; the other three services don't benefit from compression, so they are not compressed.

By default, any host can use the compression facility. If you want to limit the hosts, use the setup compression hosts command. To limit the PacketShaper units that can be tunnel partners, use the setup compression partners command.

Note: Compression is an option that must be purchased separately.

See also:

Xpress Overview

setup compression show

Compression Measurement Variables


setup compression dictionary

applicable to legacy compression tunnels only; the equivalent command for enhanced tunnels is tunnel compression dictionary

Set a different default compression dictionary. The default dictionary is used for all compressed traffic unless it was overridden for a particular traffic class with the class compress on override command.

setup compression dictionary <compressionType>|default

Example:

To change the default compression dictionary from cna-1M to cna-4M:

PacketShaper# setup compression dictionary cna-4m

Set default type to: cna-4m

For a list of compression dictionaries supported by your unit, use the setup compression show types command. This command lists the current default dictionary, as well.

The default option sets the dictionary back to its original default. If the unit is subscribed to PolicyCenter, the default option tells PolicyCenter to inherit the default dictionary from the parent configuration.


setup compression hosts

Limit the hosts that can use the Xpress dynamic tunneling facility. Hosts can be defined by an IP address, a subnet, an address range, or a host list. You can either create a list of the hosts that are allowed to use tunnels (an inclusive list) or a list of hosts that are excluded from tunneling (an exclusive list). By default, the lists include hosts that are allowed to use the tunneling facility; if your list represents hosts that should be excluded from tunneling, change the cmprsnInsideHostMode or cmprsnOutsideHostMode system variable.

When cmprsnInsideHostMode or cmprsnOutsideHostMode is set to 0 (inclusive), the specified hosts on the list are the only ones allowed to use the tunnel. If an outbound flow's destination host is not on the list of allowed outside hosts, the data will not be sent through the tunnel; it will be sent through the regular mechanism. Likewise, if an incoming flow's destination host is not on the list of allowed inside hosts, the flow will be sent through the normal mechanism.

When cmprsnInsideHostMode or cmprsnOutsideHostMode is set to 1 (exclusive), all hosts — except for the hosts on the list — are allowed to use the tunnel. If an outbound flow's destination host is on the list of excluded outside hosts, the data will not be sent through the tunnel; it will be sent through the regular mechanism. Likewise, if an incoming flow's destination host is on the list of excluded inside hosts, the flow will be sent through the normal mechanism.

Note: Host restrictions apply to new dynamic tunnels formed after the command is issued; they don't apply to existing tunnels. Therefore, it is recommended that you turn off compression (legacy mode or enhanced mode), packing, and acceleration before you add or remove hosts. The same is true for partner restrictions.

Note that if you don't define any host lists, all hosts can use tunnels. You might want to limit hosts so that Xpress won't attempt to create tunnels for every host; you can identify a subnet that is connected to a PacketShaper unit to which a tunnel could be created.

setup compression hosts add <side> <ip-addr>[/<cidr>]|<ip-addr> <subnet>|list:<hostlist>

setup compression hosts remove <side> <ip-addr>[/<cidr>]|<ip-addr> <subnet>|list:<hostlist>|all

setup compression hosts show

setup compression hosts default <side>

where:

add|remove|default|show

add defines a host
remove deletes a previously-defined host. If the unit is subscribed to PolicyCenter, remove <side> all removes all the hosts in the local configuration but does not allow the unit to inherit any hosts from the parent configuration.
default sets compression hosts to default (no hosts specified) for the designated side (inside or outside). If the unit is subscribed to PolicyCenter, the default option tells PolicyCenter to remove all the hosts in the local configuration and inherit from the parent configuration.
show lists the defined tunnel hosts

<side> The host's location (inside or outside), relative to the unit. Typically inside hosts are located on the LAN and outside hosts are on the WAN or Internet.

<ip-addr>[/<cidr>] | <ip-addr> <subnet> | list:<hostlist> | all

Designate the hosts to be added or removed, using one of the following specifications:
<ip-addr>[/<cidr>] — host IP address or a CIDR network address; the CIDR number specifies the number of constant bits in the address range
<ip-addr> <subnet> — the name of the subnet
list:<hostlist> — the name of a host list file
all — removes all defined hosts so that all hosts can use tunnels

Examples:

setup compression hosts add inside 10.7.38.1

setup compression hosts add outside 10.7.38.0/24


To remove all defined outside hosts:

setup compression hosts remove outside all

After this command is issued, no outside hosts will be restricted from using the tunneling facility.


To view a list of defined tunnel hosts:

setup compression hosts show

Notes:

You can also define tunnel hosts with the tunnel discovery host command.


setup compression ip clear

Clear the Xpress-IP (XIP) address and VLAN settings for a PacketShaper device. Once settings are cleared, compression will be disabled on that interface.

setup compression ip clear main|upper|lower|right|left|all

where main is the interface built into the unit and upper|lower|right|left refers to the position of the LEM. The all parameter clears settings on all interfaces; if you clear all XIP addresses, compression will automatically be disabled.

Examples:

To clear all compression settings for the upper LEM:

setup compression ip clear upper

Note: If you want to clear the VLAN settings without clearing the Xpress-IP address settings, don't use the setup compression ip clear command; instead, use the setup compression ip configure command without the VLAN parameters. For example:

setup compression ip configure upper 172.21.18.161 255.255.0.0 172.21.0.1

See also:

setup compression ip configure

setup compression ip show


setup compression ip configure

Set an Xpress-IP (XIP) address for a PacketShaper device; this is required when using the Xpress feature.

setup compression ip configure main|upper|lower|right|left <ipaddr> <mask> [<ingress gateway>] <gateway>|none [<vlanid> [<priority>]]

Where:

main|upper|lower|right|left

PacketShaper device to configure:

main — built-in interface
upper — upper LEM
lower — lower LEM
right — right LEM
left — left LEM

<ipaddr>

IP address to assign to the device; each interface must have a unique address. Note that this address is used by the Xpress feature and is not for managing the PacketShaper.

The XIP address can NOT be the same as the unit's management address or the same address as the secondary customer portal address.

The address cannot be:

- loopback address (127.xx.xx.xx)
- network address (all host bits 0)
- broadcast address (all host bits 1)
- class D or class E address

<mask> Subnet mask

<ingress gateway>

IP address of the ingress router (optional). When an <ingress gateway> is configured, it will be used for inbound detunneled packets (that is, traffic that has been accelerated, compressed, and/or packed in an Xpress tunnel). The <gateway> will be used for outbound tunneled traffic.

<gateway>|none

IP address of the egress router; specify none if there isn't a gateway. The gateway is required if the compression partner is not on the same subnet.

For VLAN environments only:

<vlanid>

802.1Q VLAN ID (0 - 4095)

Notes:

A maximum of three VLAN IDs can be assigned per PacketShaper (one for each device).

An Xpress-IP configured with a VLAN must be on a different subnet from the management IP address.

<priority> 802.1P VLAN priority (0-7)

If your network isn't using VLAN IDs but you want to set a VLAN priority, you must set a VLAN ID of 0 (zero).

Notes:

If you are using Xpress with PacketShaper's direct standby feature, the LEM that is used for direct connection cannot be configured for Xpress. (Note: Direct standby is supported in legacy tunnel mode only.)

The setup compression ip configure command is the same as the tunnel ip configure command. (You may use either command.)

When you assign or change XIP addresses with the setup compression ip configure command, Xpress will tear down existing tunnels and establish new tunnels using the new Xpress-IP addresses.

If you upgraded from v7.x to v8.x, Xpress will automatically use the same addresses you configured in v7.x.


PacketWise 8.0 has the additional requirement that the Xpress-IP address cannot be the same as the management IP address. If they are the same, you will see the following error message on the Info tab (in the browser) or in the CLI banner after you log in: Warning: No XIP addresses have been configured. Compression will be disabled until you configure the Xpress-IP address.

Examples:

To set the XIP address of an upper LEM:

setup compression ip configure upper 172.21.18.161 255.255.0.0 172.21.0.1

For VLAN environments, you can specify the VLAN ID and/or VLAN priority. If you specify only one VLAN parameter, PacketWise will assume it is the VLAN ID. In the following example, all compressed packets going through the main interface will be assigned a VLAN ID of 2176:

setup compression ip configure main 192.168.0.6 255.255.255.0 192.168.0.1 2176

If you only want to use VLAN priority, you have to set a VLAN ID of zero. For example, to assign a VLAN priority of 2 to all compressed packets going through the lower LEM interface, you must set the VLAN ID to 0 (zero):

setup compression ip configure lower 192.168.0.5 255.255.255.0 192.168.0.1 0 2

To clear the VLAN settings without clearing the Xpress-IP settings, use the setup compression ip configure command without the VLAN parameters:

setup compression ip configure lower 192.168.0.5 255.255.255.0 192.168.0.1
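The address and VLAN rules listed above are easy to get wrong, and a rejected or colliding Xpress-IP costs a tunnel teardown. The following added example (not PacketWise code, and not part of the original page) checks a planned set of setup compression ip configure arguments against exactly those rules before they are typed in. The function name, the management/portal address parameters and the `existing` map of already-configured devices are assumptions made for this illustration; the sample values come from the page's own examples plus a constructed management address.

```python
# Added example (not PacketWise code): pre-checks the arguments you intend to
# pass to "setup compression ip configure" against the address and VLAN rules
# stated on this page, so a bad Xpress-IP is caught before Xpress tears down
# and rebuilds its tunnels.  The function name, the management/portal address
# parameters and the 'existing' map are assumptions made for this illustration.
from ipaddress import IPv4Address, IPv4Network

DEVICES = ("main", "upper", "lower", "right", "left")


def validate_xip(device, ipaddr, mask, gateway, vlan_id=None, priority=None,
                 management_ip=None, portal_ip=None, existing=None):
    """Return a list of rule violations; an empty list means the settings pass.

    existing maps device name -> (ipaddr, vlan_id) for interfaces that already
    carry an Xpress-IP (constructed bookkeeping, not something the CLI returns).
    """
    problems = []
    existing = existing or {}
    if device not in DEVICES:
        problems.append(f"unknown device {device!r}; expected one of {DEVICES}")
    try:
        ip = IPv4Address(ipaddr)
        net = IPv4Network(f"{ipaddr}/{mask}", strict=False)
    except ValueError as exc:
        return problems + [f"unparseable address or mask: {exc}"]

    # Address kinds the page rules out outright.
    if ip.is_loopback:
        problems.append("loopback address")
    if ip == net.network_address:
        problems.append("network address (all host bits 0)")
    if ip == net.broadcast_address:
        problems.append("broadcast address (all host bits 1)")
    if int(ip) >> 29 == 0b111:       # leading bits 111x: class D (1110) or E (1111)
        problems.append("class D or class E address")

    # The XIP must not collide with the management or secondary portal address,
    # and each interface needs its own address.
    if management_ip and ip == IPv4Address(management_ip):
        problems.append("same as the management address")
    if portal_ip and ip == IPv4Address(portal_ip):
        problems.append("same as the secondary customer portal address")
    for other, (other_ip, _) in existing.items():
        if other != device and other_ip == ipaddr:
            problems.append(f"address already assigned to {other}")

    if gateway != "none":
        try:
            IPv4Address(gateway)
        except ValueError:
            problems.append("gateway must be an IP address or 'none'")

    # VLAN rules: ID 0-4095, priority 0-7, priority alone requires an ID of 0.
    if priority is not None and vlan_id is None:
        problems.append("VLAN priority requires a VLAN ID (use 0 when not tagging)")
    if priority is not None and not 0 <= priority <= 7:
        problems.append("VLAN priority must be 0-7")
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4095:
            problems.append("VLAN ID must be 0-4095")
        # A VLAN ID of 0 means "no tagging", so the subnet and count rules
        # apply only to a real (non-zero) VLAN ID.
        if vlan_id and management_ip and IPv4Address(management_ip) in net:
            problems.append("a VLAN-tagged XIP must be on a different subnet "
                            "from the management IP address")
        tagged = [d for d, (_, v) in existing.items() if v and d != device]
        if vlan_id and len(tagged) >= 3:
            problems.append("at most three VLAN IDs per PacketShaper")
    return problems


if __name__ == "__main__":
    # Settings taken from the page's examples, checked against a constructed
    # management address; both pass.
    print(validate_xip("upper", "172.21.18.161", "255.255.0.0", "172.21.0.1",
                       management_ip="172.21.18.100"))
    print(validate_xip("main", "192.168.0.6", "255.255.255.0", "192.168.0.1",
                       vlan_id=2176, management_ip="172.21.18.100"))
    # Priority without a VLAN ID is rejected, as the page requires.
    print(validate_xip("lower", "192.168.0.5", "255.255.255.0", "192.168.0.1",
                       priority=2))
```

The gateway requirement "when the compression partner is not on the same subnet" is not checked here, because the partner address is not part of this command's arguments.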

See also:

setup compression ip clear

setup compression ip show

Command Change History

Release     Modification

8.2.0 No longer required to enable the tnlEnableIngress variable in order to activate the ingress gateway. (The tnlEnableIngress system variable has been removed.)

8.1.1 [<ingress gateway>] option introduced


setup compression ip show

Show the Xpress-IP address and VLAN settings for a PacketShaper device.

setup compression ip show [main|upper|lower|right|left]

where main is the interface built into the unit and upper|lower|right|left refers to the position of the LEM. If no device is specified, settings for all interfaces will be listed.

Example:

setup compression ip show main

IP address for main interface: 172.21.18.160
Netmask for main interface: 255.255.255.0
Gateway address for main interface: 172.21.0.1 (Outside at 00:0e:38:42:5f:7f)
VLAN id/priority for main interface: none

Notes:

The Gateway address may initially show as "Resolving" while Xpress is in the process of resolving the gateway. When you reissue the command, if Xpress was able to resolve the gateway, the output will show the interface (outside or inside) and the MAC address. "Resolving" may also appear if the link is down.

If the tnlEnableIngress system variable is enabled, the output of the show command will list the Ingress Gateway settings.


setup compression mode set

Set the type of tunnel infrastructure that Xpress will support on the PacketShaper: legacy, migration, enhanced. This command is available regardless of which mode the unit is in.

setup compression mode set legacy | migration [<ratio>] | enhanced | default

Where:

legacy

Uses the PacketWise v6.x/7.x tunnel infrastructure. In legacy mode, the CLI commands and capabilities are limited to those that were available in PacketWise 7.x. A tunnel's sole capability is to transport compressed data. Packing capability is available via a system variable.

migration [<ratio>]

Supports both types of tunnels: legacy and enhanced. Use this mode when migrating from earlier versions of PacketWise. By default, 50 percent of compression memory is allocated to legacy compression tunnels and 50 percent is assigned to enhanced Xpress tunnels. To change the percentage of compression memory assigned to legacy Xpress, specify a <ratio> (20-80). For example, a <ratio> of 30 would allocate 30 percent to legacy, 70 percent to enhanced.

enhanced Uses new 8.x tunnel infrastructure. In enhanced mode, a tunnel serves multiple purposes: compression, acceleration, and packing.

default Sets tunnel mode and memory ratio to default values

The new tunnel mode will not take effect until you reset the PacketShaper. After issuing the command, you will be asked if you want to reset immediately. If you decline, you will need to issue the reset command at a convenient time in order to activate the new tunnel mode.

Notes:

Another way to change the mode is to use the tunnel mode set command.

Migration mode has special considerations. See Information about Migration Mode for details.

See also:

setup compression mode show

tunnel mode set


setup compression mode show

Display the current setting for Xpress tunnel mode.

setup compression mode show

Example

setup compression mode show

Xpress tunnels are configured to run in migration mode.
50% of compression memory is assigned to legacy mode.
The remaining 50% is assigned to enhanced mode.

See also:

setup compression mode set

tunnel mode show


setup compression partners

Limit the PacketShaper units that can use the Xpress dynamic tunneling facility. Xpress tunnel partners can be defined by an IP address, a subnet, an address range, or a host list. You can either create a list of PacketShapers that are allowed to be tunnel partners (an inclusive list) or a list of units that are excluded from being partners (an exclusive list). By default, the lists include units that are allowed to be tunnel partners; if your list represents units that should be excluded from tunneling, change the cmprsnPartnerMode system variable.

When cmprsnPartnerMode is set to 0 (inclusive), the specified PacketShapers on the partner list are the only ones allowed to be tunnel partners. When cmprsnPartnerMode is set to 1 (exclusive), all units — except for the ones on the list — are allowed to be tunnel partners.

Note: Partner restrictions apply to new dynamic tunnels formed after the command is issued; they don't apply to existing tunnels. Therefore, it is recommended that you turn off compression (legacy mode or enhanced mode), packing, and acceleration before you add or remove partners. The same is true for host restrictions.

Note that if you don't define any partners, any PacketShaper that is part of a tunnel can use the tunneling facility. For example, suppose you want to compress data between a central site and several branch offices. If you don't want compression to/from other locations, you can configure an Xpress partner list on your central site PacketShaper so that it sets up tunnels with the PacketShaper units at your branch offices. Xpress would not attempt to create a tunnel to any PacketShaper not on the partner list.

setup compression partners add <ip-addr>[/<cidr>]|<ip-addr> <subnet>|list:<hostlist>

setup compression partners remove <ip-addr>[/<cidr>]|<ip-addr> <subnet>|list:<hostlist>|all

setup compression partners default <side>

setup compression partners show

where:

add|remove|default|show

add defines a PacketShaper unit that can be a tunnel partner
remove deletes a previously-defined partner. If the unit is subscribed to PolicyCenter, remove all removes all the partners in the local configuration but does not allow the unit to inherit any partners from the parent configuration.
default sets tunnel partners to default (no partners specified). If the unit is subscribed to PolicyCenter, the default option tells PolicyCenter to remove all the partners in the local configuration and inherit from the parent configuration.
show lists defined tunnel partners

<ip-addr>[/<cidr>] | <ip-addr> <subnet> | list:<hostlist> | all

Designate the PacketShapers to be added or removed, using one of the following specifications:
<ip-addr>[/<cidr>] — PacketShaper IP address or range; the CIDR number specifies the number of constant bits in the address range
<ip-addr> <subnet> — the name of the subnet
list:<hostlist> — the name of a host list file
all — removes all defined compression tunnel partners so that all units can use tunnels

Examples:

setup compression partners add 10.7.38.0-10.7.38.200

setup compression partners add 10.7.38.0/24

To remove all defined tunnel partners:

setup compression partners remove all

After this command is issued, all PacketShapers will be able to use the tunneling facility.

To see a list of defined compression tunnel partners:

setup compression partners show

Notes:

You can also define tunnel partners with the tunnel discovery partner command.
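The inclusive/exclusive list semantics are shared by setup compression hosts (inside and outside lists, checked per flow direction) and setup compression partners (one list of units). The following added example (not PacketWise code, and not part of the original page) models those rules for both commands: mode 0 and mode 1 mirror the values the page gives for cmprsnInsideHostMode, cmprsnOutsideHostMode and cmprsnPartnerMode, an empty list restricts nobody, and remove ... all clears a list. The class and function names are assumptions made for this illustration; the address forms accepted are the ones the page's examples use (single address, CIDR block, start-end range), while list:<hostlist> and <ip-addr> <subnet> refer to objects on the unit and are not modelled.

```python
# Added example (not PacketWise code): models the inclusive/exclusive list
# semantics of "setup compression hosts" and "setup compression partners".
# Class and function names are assumptions made for this illustration.
from ipaddress import ip_address, ip_network

INCLUSIVE = 0   # mode 0: only the listed entries may use tunnels
EXCLUSIVE = 1   # mode 1: every host except the listed entries may use tunnels


def _matcher(entry):
    """Compile one CLI-style spec into a predicate over ip_address objects."""
    if "-" in entry:                                  # 10.7.38.0-10.7.38.200
        low, high = (ip_address(p.strip()) for p in entry.split("-", 1))
        return lambda ip: low <= ip <= high
    net = ip_network(entry, strict=False)             # 10.7.38.1 or 10.7.38.0/24
    return lambda ip: ip in net


class TunnelList:
    """One list (inside hosts, outside hosts, or partners) plus its mode."""

    def __init__(self, mode=INCLUSIVE):
        self.mode = mode
        self.entries = {}          # raw spec -> predicate

    def add(self, entry):
        self.entries[entry] = _matcher(entry)

    def remove(self, entry):
        if entry == "all":         # "remove ... all" empties the list
            self.entries.clear()
        else:
            self.entries.pop(entry, None)

    def show(self):
        return sorted(self.entries)

    def allows(self, addr):
        """Apply the page's rule: an empty list restricts nobody; otherwise
        listed addresses pass in inclusive mode and fail in exclusive mode."""
        if not self.entries:
            return True
        ip = ip_address(addr)
        listed = any(match(ip) for match in self.entries.values())
        return listed if self.mode == INCLUSIVE else not listed


def flow_uses_tunnel(direction, dest, inside, outside):
    """Outbound flows are checked against the outside list, inbound flows
    against the inside list, as the hosts entry describes.  False means the
    flow takes the regular (untunneled) path instead."""
    if direction == "outbound":
        return outside.allows(dest)
    if direction == "inbound":
        return inside.allows(dest)
    raise ValueError(f"direction must be 'inbound' or 'outbound', got {direction!r}")


if __name__ == "__main__":
    # Constructed walk-through using the page's example addresses.
    inside, outside = TunnelList(), TunnelList()
    inside.add("10.7.38.1")
    outside.add("10.7.38.0/24")
    print(flow_uses_tunnel("outbound", "10.7.38.77", inside, outside))   # True
    print(flow_uses_tunnel("outbound", "10.9.0.1", inside, outside))     # False
    outside.remove("all")                 # setup compression hosts remove outside all
    print(flow_uses_tunnel("outbound", "10.9.0.1", inside, outside))     # True
    partners = TunnelList(mode=EXCLUSIVE)
    partners.add("10.7.38.0-10.7.38.200")
    print(partners.allows("10.7.38.150"), partners.allows("10.7.38.250"))  # False True
```

PolicyCenter inheritance (the difference between remove all and default) is not modelled; both simply clear the local list here. Remember the page's caveat that a real change only affects tunnels formed afterwards.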


setup compression reprobe

applicable to legacy compression tunnels only

Set the mode (automatic or manual) for probing the availability of compression hosts. When compression and direct standby are both enabled, Blue Coat recommends that automatic reprobe mode be used on PacketShapers at all branch offices.

setup compression reprobe auto|manual|show|default|<ip-addr>

auto

In automatic reprobe mode, Xpress manages connectivity and periodically sends maintenance probes to ensure that compressed traffic is routed via an available path. If a host does not respond to the probe (perhaps because a router has failed, making the host unreachable through the existing data path), the unreachable host will be removed from the compression tunnel and Xpress will attempt to re-discover it through an alternate path, if one exists.

manual In manual reprobe mode (the default), Xpress sends out a probe when a new flow is detected to a host.

show Display current reprobe settings

default

Set reprobe mode to default (manual mode). If the unit is subscribed to PolicyCenter, the default option tells PolicyCenter to delete the entry in the local configuration and inherit the entry from the parent configuration.

<ip-addr>

IP address of the host to be manually reprobed. The next time data is sent to the specified IP address, a probe packet will be sent to locate a compression-enabled PacketShaper to which the destination host is connected. If a reply is received, PacketShaper will set up a compression tunnel to the PacketShaper closest to the host, or if a tunnel already exists, it will use the existing tunnel.

Note: The setup compression reprobe command is similar to the tunnel discovery reprobe command that's available in legacy mode.


setup compression tracepath

applicable to legacy compression tunnels only

Discover compression-enabled PacketShaper units between a source PacketShaper and a target host. The current unit (the one from which you are executing the command) is the source; the target is defined when executing the command. This command is useful for troubleshooting tunnel setup problems.

setup compression tracepath <target> [-i <LEM>] [-h <limit>] [-t <time>]

<target> The IP address of a host

-i <LEM> Xpress interface, where <LEM> is one of the following:

main — built-in interface
upper — upper LAN Expansion Module (LEM)
lower — lower LEM
right — right LEM
left — left LEM

If no interface is specified, the main interface will be used.

-h <limit> Maximum number of hops, including routers and PacketShapers (1-123)

Default: 123 hops

-t <time> Maximum time to wait for a response (1-10 seconds)

Default: 2 seconds

Examples:

setup compression tracepath 172.16.2.101

Tracing between 172.16.3.143 [main outside] and 172.16.2.101

1 (hop= 1) 501ms 172.16.3.174/main
2 (hop= 2) 502ms 172.16.3.156/main

--- 172.16.2.101 tracepath statistics ---

2 shapers found in 3 seconds, 2 packets received.

Trace complete.

setup compression tracepath 172.16.2.101 -t 5

Tracing between 172.16.3.143 [main outside] and 172.16.2.101

1 (hop= 1) 1ms 172.16.3.174/main
2 (hop= 2) 1ms 172.16.3.156/main

--- 172.16.2.101 tracepath statistics ---

2 shapers found in 5 seconds, 2 packets received.

Trace complete.

Notes:

If Xpress is unable to find the target host, "Could not resolve the destination host" is displayed.

If no PacketShapers are found between the source PacketShaper and the target host, "0 shapers found..." is displayed.

This command does not work in look mode or watch mode.

Depending on the destination router's ARP cache, the setup compression tracepath output may not give accurate results on the first attempt (if the router has to ARP for the destination). Correct results will appear after reissuing the command.


setup compression xping

applicable to legacy compression tunnels only; the equivalent command for enhanced tunnels is tunnel ping

Test connectivity of a PacketShaper unit to determine the compression tunneling capability between two units. This command is useful for troubleshooting tunnel setup problems. Xping, similar to the ICMP ping command, sends out two types of test packets: RSVP (Resource Reservation Protocol) and IPComp (IP Payload Compression Protocol). If the target PacketShaper answers the xpings from the PacketShaper, a message such as "4 RSVP and 4 IPCOMP packets transmitted, 8 packets received" will appear. If Xpress is unable to connect with the target, a message such as "4 RSVP and 4 IPCOMP packets transmitted, 0 packets received" will display.

setup compression xping <target> [-i <LEM>] [-c <count>] [-t <time>]

<target> The Xpress-IP address of an interface (main, upper LEM, lower LEM) on a PacketShaper unit

Note: Each interface on a PacketShaper has a unique Xpress-IP address.

-i <LEM> Interface on the source unit from which connectivity is to be tested. <LEM> is one of the following:

main — built-in interface
upper — upper LAN Expansion Module (LEM)
lower — lower LEM
right — right LEM
left — left LEM

If no interface is specified, the main interface will be used.

-c <count> Number of pings (sets of test packets) to transmit (1-10)

Default: 4 (4 RSVP packets, 4 IPComp packets — total of 8 packets transmitted)

-t <time> Maximum time to wait for a reply packet (1-10 seconds)

Default: 2 seconds

Examples:

setup compression xping 172.16.3.164

Xping 172.16.3.164 from 172.16.3.175 (main:outside)
Reply from rsvp: 2ms pscomp: 1ms
Reply from rsvp: 1ms pscomp: <1ms
Reply from rsvp: 1ms pscomp: 1ms
Reply from rsvp: 1ms pscomp: 1ms
--- 172.16.3.164 xping statistics ---
4 RSVP and 4 IPCOMP packets transmitted, 8 packets received, 0% packet loss
round-trip min/avg/max = 0/1/2 ms

setup compression xping 172.16.2.101 -i lower -c 2

Xping 172.16.3.164 from 172.16.3.175 (lower:outside)
Reply from rsvp: 2ms pscomp: 1ms
Reply from rsvp: 1ms pscomp: 1ms

--- 172.16.3.164 xping statistics ---
2 RSVP and 2 IPCOMP packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1/1/1 ms

Notes:

If Xpress is unable to find the target PacketShaper, "Could not resolve the destination host" is displayed.

This command does not work in look mode or watch mode.
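Both setup compression tracepath and setup compression xping are diagnostics whose outcome is only visible in free-form output, which makes them awkward to fold into a tunnel-health check. The following added example (not PacketWise code, and not part of the original page) parses the transcripts of both commands into structured results, including the failure cases the notes describe ("Could not resolve the destination host", "0 shapers found...", "0 packets received"). The sample transcripts are constructed from the output shown on this page; the function names and the status labels are assumptions made for this illustration.

```python
# Added example (not PacketWise code): parses "setup compression tracepath"
# and "setup compression xping" transcripts into structured results.  Sample
# transcripts are constructed from the output shown on this page; function
# names and status labels are assumptions made for this illustration.
import re

UNRESOLVED = "Could not resolve the destination host"

XPING_OK = """\
Xping 172.16.3.164 from 172.16.3.175 (main:outside)
Reply from rsvp: 2ms pscomp: 1ms
Reply from rsvp: 1ms pscomp: <1ms
Reply from rsvp: 1ms pscomp: 1ms
Reply from rsvp: 1ms pscomp: 1ms
--- 172.16.3.164 xping statistics ---
4 RSVP and 4 IPCOMP packets transmitted, 8 packets received, 0% packet loss
round-trip min/avg/max = 0/1/2 ms
"""

# Constructed: the no-reply case the xping description mentions.
XPING_DOWN = """\
Xping 172.16.3.164 from 172.16.3.175 (main:outside)
--- 172.16.3.164 xping statistics ---
4 RSVP and 4 IPCOMP packets transmitted, 0 packets received, 100% packet loss
"""

TRACEPATH_OK = """\
Tracing between 172.16.3.143 [main outside] and 172.16.2.101
1 (hop= 1) 501ms 172.16.3.174/main
2 (hop= 2) 502ms 172.16.3.156/main
--- 172.16.2.101 tracepath statistics ---
2 shapers found in 3 seconds, 2 packets received.
Trace complete.
"""

_XP_HEAD = re.compile(r"^Xping (\S+) from (\S+) \((\w+):(\w+)\)")
_XP_STATS = re.compile(r"^(\d+) RSVP and (\d+) IPCOMP packets transmitted, "
                       r"(\d+) packets received, (\d+)% packet loss")
_XP_RTT = re.compile(r"round-trip min/avg/max = (\d+)/(\d+)/(\d+) ms")
_TP_HEAD = re.compile(r"^Tracing between (\S+) \[(\w+) (\w+)\] and (\S+)")
_TP_HOP = re.compile(r"^\d+ \(hop=\s*(\d+)\)\s+(\d+)ms ([\d.]+)/(\w+)")
_TP_STATS = re.compile(r"^(\d+) shapers found in (\d+) seconds, (\d+) packets received")


def parse_xping(text):
    """Return target/source, counters and a status: 'ok' (every packet
    answered), 'degraded' (partial loss), 'unreachable' (nothing answered)
    or 'unresolved' (the target could not be resolved)."""
    r = {"status": "unknown", "transmitted": 0, "received": 0,
         "loss_pct": None, "rtt_ms": None}
    for line in text.splitlines():
        if line.startswith(UNRESOLVED):
            r["status"] = "unresolved"
            return r
        if m := _XP_HEAD.match(line):
            r.update(target=m[1], source=m[2], interface=m[3], side=m[4])
        elif m := _XP_STATS.match(line):
            rsvp, ipcomp, rcvd, loss = map(int, m.groups())
            r.update(transmitted=rsvp + ipcomp, received=rcvd, loss_pct=loss)
        elif m := _XP_RTT.search(line):
            r["rtt_ms"] = tuple(map(int, m.groups()))
    if r["loss_pct"] is None:          # no statistics line: leave 'unknown'
        return r
    if r["received"] == 0:
        r["status"] = "unreachable"
    elif r["received"] < r["transmitted"]:
        r["status"] = "degraded"
    else:
        r["status"] = "ok"
    return r


def parse_tracepath(text):
    """Return source/target, the (hop, rtt_ms, xip, interface) shapers found,
    the reported shaper count and whether the trace completed."""
    r = {"hops": [], "shapers_found": None, "complete": False, "status": "unknown"}
    for line in text.splitlines():
        if line.startswith(UNRESOLVED):
            r["status"] = "unresolved"
            return r
        if m := _TP_HEAD.match(line):
            r.update(source=m[1], interface=m[2], side=m[3], target=m[4])
        elif m := _TP_HOP.match(line):
            hop, rtt, xip, iface = m.groups()
            r["hops"].append((int(hop), int(rtt), xip, iface))
        elif m := _TP_STATS.match(line):
            r["shapers_found"] = int(m[1])
        elif line.startswith("Trace complete"):
            r["complete"] = True
    if r["complete"]:
        r["status"] = "no_shapers" if r["shapers_found"] == 0 else "ok"
    return r


if __name__ == "__main__":
    print(parse_xping(XPING_OK)["status"], parse_xping(XPING_DOWN)["status"])
    print(parse_tracepath(TRACEPATH_OK)["hops"])
```

Because the page notes that a first tracepath attempt can be skewed by the destination router's ARP cache, a monitoring script built on this parser should treat a single run as advisory and re-run before raising an alert.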


setup date

View or set the date and/or time. When initially setting the date and time, use setup timezone.

setup date [<yyyymmddhhmm>[<.ss>]]

Note that this command has the same functionality as the date command.

Note: You should always do a system reset immediately after changing the date so that the underlying time-sensitive scheduled operations of the PacketShaper can be correctly initialized.


setup discover

Turn traffic discovery on or off for the default inbound and outbound classes.

When you turn on traffic discovery, the PacketWise software monitors the traffic going through the unit and classifies the traffic by service type. The traffic discovery process inserts classes into your traffic tree.

setup discover off|on

Use class services to list supported protocols and services.

Use class discover to enable/disable traffic discovery within a specific class.


setup dns

Configure one or more DNS servers for PacketWise to access.

setup dns none|default|<ipaddress> ...

Specify up to eight IP addresses, separating each with a space, or use none to clear previously set addresses.

Note: At least one DNS server must be configured in order to use the Prefetch acceleration feature (see tunnel acceleration prefetch).

setup domain

Define a default domain name that PacketWise can append to domain name lookups that are not fully qualified.

setup domain none|default|<domain_name>

setup email

Configure email settings for use with the scheduled command, adaptive response action files, and/or user event features.

setup email <address>[:<port>] [<sender name>] | none | default

<address> Specify the email server using either its DNS name or IP address.

[:<port>] The default SMTP port is port 25. To specify a non-standard port for email messages, enter the port number.

[<sender name>] The <sender name> will appear in the From line of any email message that the user event or scheduled command feature sends out. Specify a complete mail address, including the domain name — for example, [email protected]

Note: In the prompting mode for this command, full form can also be used for the sender — that is, a quoted name followed by the explicit email address.

For example: "Bob" <[email protected]>

After PacketWise has been configured to send email using the setup email command, use setup show to view the configuration.

To clear the email settings:

setup email none

If you are using PolicyCenter, use the default option to remove the local override. This command allows the child configuration to inherit the parent's email setting:

setup email default

setup failover

Bandwidth on a WAN link can change, causing the router to fail over to a secondary link. PacketWise can be configured to detect this failover condition and enforce the new, lower link speed. This feature applies only to site routers that have been configured for failover.

PacketWise polls the site router every two seconds to determine the status of the links. If the site router has two links sharing the load and one of the links goes down, PacketWise uses the failover settings to adjust its link speed. If the site router has a primary and a backup link configured, and the primary link fails, PacketWise also handles the failover condition.

setup failover none|show|(<primary ifIndex> <secondary ifIndex> [<backup speed>|either])

none Turn off failover mode.

show Display current failover statistics.

<primary ifIndex> Specify the SNMP index number of the first router interface.

<secondary ifIndex> Specify the SNMP index number of the secondary router interface.

<backup speed> Set the speed to be used if failover is activated. Rates may be specified as integer bits per second, followed by a "k" (thousands), "M" (millions), or "G" (billions).

either Use either when the two interfaces are being used for load balancing, not as primary and backup links.

Note: The highav command offers similar functionality.

setup flowrecords engineID/engineType

Assign an identifying number to a PacketShaper, when using the NetFlow-5 flow detail record (FDR) format. EngineID and EngineType are two of the fields in NetFlow-5 headers; you can use either, or a combination, of these fields to identify the PacketShaper that is emitting records. These fields are not relevant for the Packeteer-1 and Packeteer-2 formats.

setup flowrecords engineID|engineType <value>|none|default

<value> An integer (0-255) that identifies the PacketShaper. The default value for engineID and engineType is 0.

none Clears the EngineID or EngineType field

default Removes the local settings for the EngineID or EngineType field so that the unit inherits the settings of the parent configuration. If the parent configuration doesn't have any EngineID or EngineType settings, the local settings will be cleared so that the unit can inherit any future settings that are set. The default option is only applicable to shared mode with PolicyCenter.

Example

To assign an ID of 12 to the current PacketShaper:

setup flowrecords engineID 12

All records emitted from this PacketShaper to all defined NetFlow-5 collectors will have a value of 12 in the header's engineID field. Thus, the source PacketShaper is easily identifiable when interpreting the flow detail records.
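On the collector side, the engineType and engineID values travel in the standard 24-byte NetFlow version 5 export header, so identifying the emitting PacketShaper means reading two bytes out of that header. The following Python is an added example written for this page, not PacketWise or collector code; the datagram it parses is constructed inline (zeroed flow records), and the name-to-engine registry is an assumed mapping the collector operator would maintain.

```python
"""Parse the EngineType/EngineID fields of a NetFlow-5 export header.

Added example, not PacketWise code. The NetFlow v5 header layout is the
standard one (version, count, sys_uptime, unix_secs, unix_nsecs,
flow_sequence, engine_type, engine_id, sampling_interval, big-endian).
"""
import struct

NF5_HEADER = struct.Struct("!HHIIIIBBH")   # 24 bytes
NF5_RECORD_LEN = 48                         # each v5 flow record is 48 bytes


def parse_nf5_header(datagram: bytes) -> dict:
    """Return the header fields of a NetFlow-5 datagram as a dict.

    Raises ValueError if the datagram is too short, is not version 5, or
    claims more records than the payload actually carries.
    """
    if len(datagram) < NF5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow-5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = NF5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not a NetFlow-5 datagram (version {version})")
    if len(datagram) < NF5_HEADER.size + count * NF5_RECORD_LEN:
        raise ValueError("datagram truncated: count field exceeds payload")
    return {
        "version": version,
        "count": count,
        "sys_uptime": sys_uptime,
        "unix_secs": unix_secs,
        "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_seq,
        "engine_type": engine_type,
        "engine_id": engine_id,
        "sampling_interval": sampling,
    }


def source_label(header: dict, registry: dict) -> str:
    """Map (engine_type, engine_id) to a PacketShaper name.

    'registry' is an assumed operator-maintained table, keyed by the pair
    of values configured with 'setup flowrecords engineType/engineID'.
    """
    key = (header["engine_type"], header["engine_id"])
    return registry.get(key, f"unknown engine {key}")


def build_sample_datagram(engine_type: int, engine_id: int, count: int = 1) -> bytes:
    """Construct a minimal NetFlow-5 datagram: header plus zeroed records."""
    header = NF5_HEADER.pack(5, count, 123456, 1700000000, 0, 42,
                             engine_type, engine_id, 0)
    return header + bytes(NF5_RECORD_LEN * count)


# Constructed registry: engineID 12 is the shaper from the example above.
SHAPER_REGISTRY = {(0, 12): "PacketShaper-HQ"}

if __name__ == "__main__":
    hdr = parse_nf5_header(build_sample_datagram(0, 12))
    print(hdr["engine_type"], hdr["engine_id"], source_label(hdr, SHAPER_REGISTRY))
```

Because engineID is just a header byte set by the emitter, a collector should treat it as a label for sorting records, not as proof of origin; correlate it with the source address of the UDP datagram when attributing records to a device.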

setup flowrecords filters

Defines an include or exclude list to specify whether or not flow detail records (FDR) are emitted for traffic that matches the specified classes, services, and/or subnets. You can use this command in either of two ways:

To define an include list so that flow detail records are always emitted for traffic that matches the specified classes, services, and/or subnets. This approach is recommended when you want flow detail records for only a few specific classes, services, and/or subnets. Flow detail records will not be emitted for traffic that does not match the class, service, or subnets specified on the include list.

or

To define an exclude list so that flow detail records are never emitted for traffic that matches the specified classes, services, and/or subnets. This approach is recommended when you want flow detail records for all traffic except that which matches the classes, services, and/or subnets on the exclude list.

setup flowrecords filters [add|remove|show] [class|service|subnet] include|exclude [[<class name>|<classid>]|[<service name>]|[<ip:netmask>|<ip/netmask>|<ip>]]

[add|remove|show]

add adds the specified class, service, or subnet to the include or exclude list

remove removes the specified class, service, or subnet from the include or exclude list

show displays the classes, services, and subnets on both the include and exclude lists

[class|service|subnet] Indicates that the FDR filter applies to a class, service, or subnet

include|exclude

include specifies that flow detail records will always be emitted for traffic that matches the class, service, and/or subnet

exclude specifies that flow detail records will never be emitted for traffic that matches the class, service, and/or subnet

<class name>|<classid> The name of the class or the class id

<service name> The name of the service

<ip:netmask> The IP address and subnet mask subject to the IP filter, where netmask is the subnet mask in decimal notation

<ip/netmask> The IP address and subnet mask subject to the IP filter, where netmask is an integer (the CIDR value) that specifies the number of binary 1s in a mask

<ip> The IP address subject to the IP filter

Examples

When you add classes to the include list, FDRs are emitted only for those classes. To add a class to the include list:

setup flowrecords filters add class include /Inbound/SNMP

To add the FTP service to the include list:

setup flowrecords filters add service include ftp

To add subnets specified by IP address in decimal notation to the include list:

setup flowrecords filters add subnet include 10.10.10.01:255.255.255.255

To add subnets specified by IP address and CIDR value to the include list:

setup flowrecords filters add subnet include 10.10.10.01/32

To add an IP address and all of its subnets to the include list:

setup flowrecords filters add subnet include 10.10.10.01

When you add classes, services, and subnets to the exclude list, FDRs are emitted for all classes, services, and subnetsexcept for those specified on the exclude list. For example, to add a class to the exclude list:

setup flowrecords filters add class exclude /Inbound/SNMP

To remove a class, service, or subnet from the include or exclude list, use the remove keyword. For example:

setup flowrecords filters remove class include /Inbound/SNMP

setup flowrecords filters remove class exclude /Inbound/SNMP

setup flowrecords filters remove service include ftp

setup flowrecords filters remove subnet include 10.10.10.01

To show all FDR filters:

setup flowrecords filters show

See also:

Flow Detail Records Overview

Command Change History

Release    Modification
8.2.0      Integrated command into PacketWise 8.x., and extended functionality so that the services and subnets can be added to FDR filter lists.
7.5.0      Command introduced

setup flowrecords id

Define the settings for a flow detail record (FDR) collector. Up to four collectors can be defined.

setup flowrecords id [<ID> <collectorDefinition>|off|on|none|default]

<ID> Identifying number of the collector (1, 2, 3, or 4)

<collectorDefinition>

where <collectorDefinition> is

<recordType> <ipaddr> [<port> on|off]

<recordType> is the type of record format to be emitted (netflow-5, packeteer-1, or packeteer-2)

<ipaddr> is the IP address of the collector

<port> is the UDP port number of the collector (default = 9800)

off|on|none|default

on enables the collector. When a collector is enabled, PacketWise will emit flow detail records to the collector.

off disables the collector; flow detail records will not be emitted.

none clears the collector settings; the row will be empty in the setup flowrecords show output.

default removes the local settings for the ID so that the unit inherits the collector settings of the parent configuration. If the parent configuration doesn't have any settings for this ID, the local settings will be cleared so that the unit can inherit any future collector settings that are set. This command is only applicable to shared mode with PolicyCenter.

You can enable/disable a collector when you are defining it:

setup flowrecords id 1 netflow-5 10.10.10.10 9800 on

or, after a collector has been defined:

setup flowrecords id 1 off

A collector is defined by its record type (NetFlow-5, Packeteer-1, or Packeteer-2) and its location (IP address and UDP port number). You can define collectors with the same IP address but different record types, or with the same record type but different IP address. For example, you can create two collectors with the same IP address (but different ports), with one collector collecting NetFlow data records and the other collecting Packeteer-2 data records.

To view your collector settings, use the setup flowrecords show command.

Examples

To define a collector that collects Packeteer-2 flow detail records:

setup flowrecords id 1 packeteer-2 10.10.10.1 9800 on

Because 9800 is the default port and "on" is the default, you can use the following alternative command:

setup flowrecords id 1 packeteer-2 10.10.10.1

To turn off collector 1 (assuming collector 1 has been previously defined):

setup flowrecords id 1 off

With the above command, PacketWise will stop emitting flow detail records to collector 1, but will retain the collector settings. To start emitting records again, use this command:

setup flowrecords id 1 on

To clear the settings for collector 3:

setup flowrecords id 3 none

See also:

setup flowrecords show

Display the flow detail record (FDR) collector settings. Use this command to see the collectors that have been configured and check which ones have been enabled. This command is also useful to look up the ID number associated with a collector (the ID is needed for defining and clearing collector settings).

setup flowrecords show

ID  RecordType   CollectorIP  Port  Enabled
1   packeteer-2  10.10.10.1   9800  on
2   netflow-5    10.10.10.2   9800  off
3
4

In the above sample output, two collectors have been defined. The first collector (ID of 1) collects Packeteer-2 flow detail records and is currently enabled. The second collector (ID of 2) collects NetFlow-5 records but is currently disabled. Collector IDs 3 and 4 have not been defined.

See also:

Flow Detail Records Overview

setup gateway

Configure a gateway to handle network operations initiated from the unit. For example, ping, FTP, or image load require a gateway for non-local routing.

setup gateway <ipaddress> | none

Specify none if there isn't a gateway or to clear the gateway setting.

setup guide

Execute the automatic setup feature to configure the unit.

setup guide

For Guided Setup details, see Run Guided Setup.

setup heartbeat

Configure the PacketShaper to emit messages (heartbeats) to the Blue Coat heartbeat server. Using the information contained in the heartbeat messages, Blue Coat is able to compile statistics on the stability of various software releases and hardware products. The heartbeats can also be used to identify and resolve defects.

setup heartbeat on|off|default|show

Heartbeat emission is enabled by default. Blue Coat recommends that you not disable the feature. Be assured that the messages are encrypted and sent securely via HTTPS. The size of the daily heartbeat message is negligible (30-40K) and has virtually no impact on PacketShaper performance.

Examples:

To disable the heartbeat feature:

setup heartbeat off

To find out when/if the last heartbeat message was sent:

setup heartbeat show

Heartbeat : On
Most Recent Attempt Status : Heartbeat sent successfully, Jun 17 2010 10:31:06

If PacketShaper isn't able to send the heartbeat, the setup heartbeat show output will indicate the reason for the failure:

DNS resolution errors
Transport protocol error
File I/O errors
Error running certain commands
Insufficient free hard disk space

Notes:

Depending on how long it takes for the configuration system to initialize DNS server entries, the setup heartbeat show output may show a DNS resolution error if the PacketShaper cannot resolve the heartbeat server name via DNS quickly enough.

Command Change History

Release    Modification
8.5.1      setup heartbeat command introduced

setup https certificate

Generate a new digital certificate for accessing the PacketWise browser interface with a secure connection (HTTPS). If you believe the certificate's security was compromised, you can use this command to generate a new certificate.

setup https certificate

The certificate size is always 1024 bits and cannot be changed. You can use the setup https show command to see the fingerprint and thumbprint that were generated.

setup https port

Change the HTTPS (HyperText Transfer Protocol over Secure Sockets Layer) listening port. PacketWise is automatically configured to run HTTP over SSL on port 443; use this command to select a different port.

Note: HTTPS is a protocol for transferring private documents over the Internet. Selecting the Secure Login checkbox when logging into the browser interface will tell PacketWise to use a secure connection, and the URL will subsequently be changed to https://<ip address>. Alternatively, you can type the URL https://<ip address> and the Secure Login checkbox will be selected automatically.

setup https port <port_number>|default

where <port_number> is the new HTTPS port number and default uses the default HTTPS port, 443.

Note: If your unit is configured in shared mode with PolicyCenter, the default is the HTTPS port number of the parent group, which may or may not be 443.

Examples:

To use HTTPS on port 444:

setup https port 444
HTTPS service will be restarted on port 444. It may take up to 10 seconds for the new value to take effect. Please use "setup https show" to verify the service status.

Or, to use HTTPS on the default port:

setup https port default

The HTTPS service will start on the designated port in less than 10 seconds. If the configured port was already in use, PacketWise automatically uses the last valid port number specified, or the default value (443). Use the setup https show command to verify that the port number was accepted.

See also:

Secure Logins

Security Alert

setup https show

Display the status of HTTPS (HyperText Transfer Protocol over Secure Sockets Layer). The output indicates whether the HTTPS service is running and on which port. In addition, the output lists the thumbprints and fingerprints. (The thumbprinting/fingerprinting mechanism makes sure that you are contacting the intended remote host.) The thumbprint, a sequence of 20 bytes in hexadecimal separated by colons, uses the SHA1 algorithm and is used by Internet Explorer. The fingerprint, a sequence of 16 bytes, uses the MD5 algorithm and is used by Firefox browsers.

Note: HTTPS is a protocol for transferring private documents over the Internet. Selecting the Secure Login checkbox when logging into the browser interface will tell PacketWise to use a secure connection, and the URL will subsequently be changed to https://<ip address>.

setup https show

Example output (when the configured port is the same as the port that is actually being used):

HTTPS service is listening on port #: 443 (default)

Certificate Information:
Thumbprint(SHA1)=7E:F8:0A:AC:74:D0:A2:65:90:EA:4E:73:DD:D1:CB:C0:42:51:AC:CD
Fingerprint(MD5)=99:AA:D9:4F:75:B0:11:5F:00:7A:BB:DC:CB:F1:4F:A4

You can use the setup https show command to verify that your port number was accepted. If the configured port (specified with the setup https port command) was already in use, PacketWise automatically uses the last valid port number specified, or the default value (443). In this situation, the setup https show output will display a "Fail binding to port" message and indicate the port number that is being used instead. In addition, a notification will appear in the system banner when you log on. For example:

Attention: HTTPS service failed to start on the port configured in the configuration file. Port 443 is used instead.

Note: Since the setup show command displays configured values, it lists the configured HTTPS port number, which is not necessarily the port number currently in effect. Use setup https show to see the HTTPS port number that is in effect.

For information about verifying the certificate, see Secure Logins.
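Because the unit's certificate is self-generated, the thumbprint and fingerprint printed by setup https show are the only values an administrator has for deciding whether the certificate a browser presents really came from this PacketShaper. The Python below is an added example, not PacketWise code: it parses the two digest lines out of the CLI output, computes the same SHA1 and MD5 digests over a DER-encoded certificate, and compares them in constant time. The DER bytes used here are a constructed placeholder, not a real certificate; with a real unit you would obtain the DER from the browser's certificate export and the text from a console session.

```python
"""Verify a presented certificate against 'setup https show' digests.

Added example, not PacketWise code. SAMPLE_DER is a constructed stand-in
for the DER bytes of the unit's certificate.
"""
import hashlib
import hmac
import re

# Matches lines such as "Thumbprint(SHA1)=7E:F8:..." in the CLI output.
FIELD_RE = re.compile(r"(Thumbprint|Fingerprint)\((SHA1|MD5)\)=([0-9A-Fa-f:]+)")
DIGEST_HEX_LEN = {"SHA1": 40, "MD5": 32}

SAMPLE_DER = b"constructed placeholder for a DER-encoded certificate"


def parse_https_show(output: str) -> dict:
    """Extract {'SHA1': hex, 'MD5': hex} (lower-case, no colons) from CLI text."""
    found = {}
    for _label, algo, value in FIELD_RE.findall(output):
        digest = value.replace(":", "").lower()
        if len(digest) != DIGEST_HEX_LEN[algo]:
            raise ValueError(f"{algo} digest has unexpected length {len(digest)}")
        found[algo] = digest
    if set(found) != {"SHA1", "MD5"}:
        raise ValueError("thumbprint or fingerprint missing from output")
    return found


def cert_digests(der: bytes) -> dict:
    """Compute the SHA1 thumbprint and MD5 fingerprint over the DER bytes."""
    return {
        "SHA1": hashlib.sha1(der).hexdigest(),
        "MD5": hashlib.md5(der).hexdigest(),
    }


def colon_hex(digest_hex: str) -> str:
    """Render a hex digest as AA:BB:... the way the CLI prints it."""
    h = digest_hex.upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def sample_cli_output(sha1_hex: str, md5_hex: str) -> str:
    """Build text in the layout of 'setup https show' (constructed sample)."""
    return ("HTTPS service is listening on port #: 443 (default)\n\n"
            "Certificate Information:\n"
            f"Thumbprint(SHA1)={colon_hex(sha1_hex)}\n"
            f"Fingerprint(MD5)={colon_hex(md5_hex)}\n")


def certificate_matches(der: bytes, https_show_output: str) -> bool:
    """True only if both digests match; comparison is constant-time."""
    expected = parse_https_show(https_show_output)
    actual = cert_digests(der)
    return all(hmac.compare_digest(expected[a], actual[a]) for a in ("SHA1", "MD5"))


if __name__ == "__main__":
    d = cert_digests(SAMPLE_DER)
    print(certificate_matches(SAMPLE_DER, sample_cli_output(d["SHA1"], d["MD5"])))
```

Prefer the SHA1 thumbprint over the MD5 fingerprint when only one can be checked; MD5 collisions are practical, so an MD5 match alone is weak evidence. Re-run the check after setup https certificate, since that command replaces both values.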

setup ipaddress

Update the unit's IP address and subnet mask. Use dotted-decimal address notation for both the IP address and net mask — for example, 10.10.10.10.

setup ipaddress <addr> <netmask>

setup ishaper

iShaper commands are not supported in PacketWise v8.4.1 and higher.

setup keys

Software keys enable you to change your product specifications — for example, increasing shaping capacity from 128 Kbps to 512 Kbps. Upgrades of this type can be purchased from your reseller. When your order is fulfilled, you will be supplied with a key and installation instructions.

To install a product, use the following key-enabling command:

setup keys add <name> <value> <code>|remove <name> <code>|show

For example:

setup keys add linksize 6M e09w8djjioy123ig

The key name, value, and code are provided with the purchased product.

Note: Upgrades of this type are outside of the scope of your standard PacketCare support contract, and must be purchased separately.

Use the setup keys show command to see what keys are installed on your PacketShaper. The output will show (Not applicable) next to any key that you haven't purchased.

setup link

Configure the access link capacity. To effectively manage the traffic on the link, PacketWise must know the capacity it is managing.

Note: PacketWise will enforce the link size that you set.

setup link inbound|outbound|default [<size_bps>|default]

Specify a rate as either a bits-per-second value or a symbolic name, as shown in the following list of valid link sizes.

<n> Size in bits per second

<n>k Size in kilobits per second

<n>m Size in megabits per second

<n>g Size in gigabits per second

T1 1.5 Mbps

E1 2 Mbps

T3 45 Mbps

Examples:

setup link inbound 1500000

setup link outbound 1.5m

setup link inbound T1
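The rate notation above (<n>, <n>k, <n>m, <n>g and the symbolic names) is the same one the <backup speed> argument of setup failover accepts with k/M/G suffixes, so one parser covers both commands. The following Python is an added example, not PacketWise code: parse_link_size converts a rate string to bits per second using exactly the values this page lists for T1, E1 and T3, and plan_link_rates applies the full-duplex and half-duplex considerations that follow. Suffix matching is case-insensitive here, which is an assumption made so that both "1.5m" and "3M" from the page's examples parse.

```python
"""Parse PacketWise link-size strings and plan inbound/outbound rates.

Added example, not PacketWise code. Symbolic sizes follow the table in the
setup link reference (T1 = 1.5 Mbps, E1 = 2 Mbps, T3 = 45 Mbps).
"""
import re
from decimal import Decimal

SYMBOLIC_LINK_SIZES = {"T1": 1_500_000, "E1": 2_000_000, "T3": 45_000_000}
MULTIPLIERS = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}
RATE_RE = re.compile(r"^(\d+(?:\.\d+)?)([kKmMgG]?)$")


def parse_link_size(spec: str) -> int:
    """Return bits per second for <n>, <n>k, <n>m, <n>g, T1, E1 or T3.

    Raises ValueError for anything else, including fractional bit counts.
    """
    text = spec.strip()
    if text.upper() in SYMBOLIC_LINK_SIZES:
        return SYMBOLIC_LINK_SIZES[text.upper()]
    m = RATE_RE.match(text)
    if not m:
        raise ValueError(f"invalid link size: {spec!r}")
    number, suffix = m.groups()
    # Decimal keeps "1.5m" exact instead of relying on float arithmetic.
    bps = Decimal(number) * MULTIPLIERS[suffix.lower()]
    if bps != bps.to_integral_value():
        raise ValueError(f"not a whole number of bits per second: {spec!r}")
    return int(bps)


def plan_link_rates(total_bps: int, duplex: str) -> tuple:
    """Return (inbound_bps, outbound_bps) per the page's considerations.

    full-duplex: both directions carry the full rate (e.g. two T1s -> 3M/3M);
    half-duplex: the rate is split between the two directions (10M -> 5M/5M).
    """
    if duplex == "full":
        return total_bps, total_bps
    if duplex == "half":
        return total_bps // 2, total_bps // 2
    raise ValueError(f"duplex must be 'full' or 'half', not {duplex!r}")


def link_commands(inbound_bps: int, outbound_bps: int) -> list:
    """Render the two setup link commands for a planned pair of rates."""
    return [f"setup link inbound {inbound_bps}",
            f"setup link outbound {outbound_bps}"]


if __name__ == "__main__":
    inbound, outbound = plan_link_rates(2 * parse_link_size("T1"), "full")
    print("\n".join(link_commands(inbound, outbound)))
```

Validating the rate string before typing the command matters because PacketWise enforces whatever link size it is given; a mistyped suffix (for example "1500k" instead of "1500000") silently shapes the link to the wrong capacity.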

Considerations

For full-duplex Ethernet, enter the total link speed for the inbound and outbound rates. Because full-duplex has wires that can simultaneously communicate in both inbound and outbound directions, you should enter the same rate for Inbound Rate and Outbound Rate. For example, if you have two T1 lines (3 Mbps), you should enter 3M for Inbound Rate and 3M for Outbound Rate.

For half-duplex Ethernet, split the rate between the inbound and outbound links. For example, if you are managing 10 Mbps Ethernet, you could configure 5 Mbps for the inbound rate and 5 Mbps for the outbound rate.

If your unit is using LAN Expansion Modules (LEMs) to manage different WAN links and you don't want to control each LEM separately, the rate should be the size of the smallest LEM. For example, if you have two 100 Mbps LEMs managing two links, you should specify 100M for the rate.

On the other hand, if you want to control each link separately, the rate should be the sum of the link speeds on all devices. For example, if the built-in device is controlling a T1 line (1.5 Mbps) and a LEM is managing two T1 lines (3.0 Mbps), you should specify 4.5M for the rate. To control traffic across each link separately, you can create a class for each device (for example, Builtin_LEM and Upper_LEM) and assign partitions that match the link size (1.5M for the Builtin_LEM class and 3.0M for the Upper_LEM class).

If your unit is using two LEMs to manage a single WAN link, specify the WAN link speed for the rate. Although the Info page will give you an error message (such as "Link speed of 155 Mbps exceeds outside NIC speed of 100 Mbps") in the latter situation, it is still appropriate to specify the actual size of the link for the rate.

When using the direct standby feature in a load-sharing topology, you should set the link speed to the sum of both WAN links. Because each unit receives copied packets from its partner, the PacketShaper must have overall Inbound and Outbound partition sizes that will support that level of extra traffic. Note: In this situation, you may want to use the access-link monitoring feature (advanced mode) to monitor the routers' WAN interfaces and avoid over-subscribing the WAN bandwidth.

Software configuration determines maximum shaping capacity. See PacketShaper or PacketShaper ISP Configuration Limits.

Note: 10BaseT links rarely reach the 10 Mbps limit. Keep Ethernet's practical limits in mind when configuring rates.

setup load

Install a new configuration file and reboot to activate the configuration. This installation replaces the cfg/basic.cfg file.

setup load <path>

Specify the explicit file pathname.

Note: To load the traffic configuration and sharable configuration settings (such as passwords, site router, SNMP, email, SNTP, and Syslog), use the class load command.

setup loadshedding

Configure the load shedding feature. This feature prevents the PacketShaper from being overloaded with packets due to viruses or attacks that spew out a high volume of traffic (such as ICMP or DCOM). Note that this feature is not designed to block all traffic from infected or misbehaving clients; it is designed to shed just enough traffic to keep the PacketShaper out of an overload condition. It allows enough of the "bad" traffic through so that you can use PacketShaper diagnostic tools (traffic history, hostdb info, policy flowlimit, packetcapture) to analyze and contain the problem.

setup loadshedding enable|disable
setup loadshedding new on|off
setup loadshedding clientFPM|serverFPM|failedFPM|TCBConn|UCBConn <value>|default
setup loadshedding exception add|del list:<hostlist>|<ip-addr>|<dnsname>|all
setup loadshedding show

where

enable|disable Enable or disable the load shedding feature. Default is disable.

new on|off Drop packets of new flows only (on) or drop packets regardless of whether they are new or existing (off). Default is on (but is not in effect unless load shedding is enabled).

clientFPM|serverFPM|failedFPM|TCBConn|UCBConn <value>|default

Adjust the parameters for new flows per minute (client, server, failed) or connections (TCP or UDP). If the parameters are not specified, the default values are used.

New flows per minute is the rate of initiation of new flows from a host (client) or to a host (server). TCBConn is the number of active TCP flows that a particular host has at a given time. UCBConn is the number of non-TCP flows a particular host has at a given time.

Failed flows are TCP flows that do not establish a complete connection, such as TCP connection requests from a SYN flood attack.

The <value> parameter can be any whole number from 10 to 1,000,000 (inclusive) for clientFPM, serverFPM and failedFPM. The <value> parameter for TCBConn and UCBConn can be any whole number from 0 to 1,000,000, inclusive.

exception add|del list:<hostlist>|<ip-addr>|<dnsname>|all

Add the host list name, IP address, or DNS name of a host to be excluded from load shedding (packets will not be dropped from these servers). To specify multiple hosts, use a space between each one. Do not use subnets or ranges of addresses to specify hosts.

For example:

setup loadshedding exception add 10.1.1.1 172.19.5.6 olympia

Use exception del to remove a host that you have previously added to the host exception list, or exception del all to remove all hosts. (Note: The all parameter is used with del only.)

show Display load shedding settings.

Load shedding is disabled by default. To enable load shedding:

setup loadshedding enable

The load shedding feature drops packets intelligently when the PacketShaper sees an excessive amount of traffic. For client flows, packets will be dropped as the unit approaches its load capacity and when both of the following conditions are true:

New flows per minute for the client exceeds the clientFPM value, AND
The number of TCP flows for the client exceeds the TCBConn value OR the number of UDP flows for the client exceeds the UCBConn value

Load shedding works similarly for server flows per minute. Packets will be dropped as the unit approaches its load capacity and when both of these conditions are true:

New flows per minute for the server exceeds the serverFPM value, AND
The number of TCP flows for the server exceeds the TCBConn value OR the number of UDP flows for the server exceeds the UCBConn value

For failed flows, packets will be dropped as the unit approaches its load capacity and failed flows per minute for the client orserver exceeds the failedFPM value.

Note: To see the current values of each host's new flows per minute, use the hostdb info command.

By default, load shedding will drop packets of new flows only — existing flows will not be dropped. If you want to remove this limitation, use the following command:

setup loadshedding new off
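The AND/OR structure of the shedding conditions above, combined with the new-flows-only switch, the exception list and the documented value ranges, is where tuning mistakes happen (a high clientFPM with TCBConn left at its default sheds nothing, for instance). The Python below is an added example, not PacketWise code, that models those rules over constructed per-host counters of the kind hostdb info reports. Two simplifications are assumptions: one HostStats object carries both the client-side and server-side counters of a host, and "approaching load capacity" is passed in as a flag because the page does not define that threshold.

```python
"""Model the load shedding decision rules documented for setup loadshedding.

Added example, not PacketWise code. Defaults and ranges come from the
'setup loadshedding show' sample and parameter table on this page.
"""
from dataclasses import dataclass

DEFAULT_PARAMS = {"clientFPM": 1_000_000, "serverFPM": 1_000_000,
                  "failedFPM": 1_000_000, "TCBConn": 100, "UCBConn": 100}
LIMITS = {"clientFPM": (10, 1_000_000), "serverFPM": (10, 1_000_000),
          "failedFPM": (10, 1_000_000), "TCBConn": (0, 1_000_000),
          "UCBConn": (0, 1_000_000)}


def set_param(params: dict, name: str, value: int) -> dict:
    """Return a copy of params with one setting changed, range-checked."""
    lo, hi = LIMITS[name]
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be between {lo} and {hi}, got {value}")
    updated = dict(params)
    updated[name] = value
    return updated


@dataclass
class HostStats:
    """Constructed per-host counters (what hostdb info would report)."""
    addr: str
    client_fpm: int = 0   # new flows per minute initiated by this host
    server_fpm: int = 0   # new flows per minute directed to this host
    failed_fpm: int = 0   # incomplete TCP handshakes per minute
    tcp_conns: int = 0    # active TCP flows (compared with TCBConn)
    udp_conns: int = 0    # active non-TCP flows (compared with UCBConn)


def should_shed(packet_is_new_flow: bool, near_capacity: bool, host: HostStats,
                params: dict, shed_new_only: bool = True,
                exceptions: frozenset = frozenset()) -> tuple:
    """Return (drop, reason) for one packet under the documented rules."""
    if host.addr in exceptions:
        return False, "host is on the exception list"
    if not near_capacity:
        return False, "unit is not approaching load capacity"
    if shed_new_only and not packet_is_new_flow:
        return False, "existing flow; shedding new flows only"
    # Connection test shared by the client and server rules (TCP OR UDP).
    conn_limit_hit = (host.tcp_conns > params["TCBConn"]
                      or host.udp_conns > params["UCBConn"])
    if host.client_fpm > params["clientFPM"] and conn_limit_hit:
        return True, "client FPM AND connection thresholds exceeded"
    if host.server_fpm > params["serverFPM"] and conn_limit_hit:
        return True, "server FPM AND connection thresholds exceeded"
    if host.failed_fpm > params["failedFPM"]:
        return True, "failed FPM threshold exceeded"
    return False, "below thresholds"


if __name__ == "__main__":
    tuned = set_param(DEFAULT_PARAMS, "clientFPM", 500)
    noisy = HostStats("10.1.1.5", client_fpm=600, tcp_conns=150)
    print(should_shed(True, True, noisy, tuned))
```

Check the second test case below against your own settings: lowering clientFPM alone does nothing while TCBConn and UCBConn are still above the host's connection counts, and a host on the exception list is never shed even when it is the source of the flood.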

Use the setup loadshedding show command to display the current, default, minimum, and maximum parameters for load shedding.

Load Shedding: Disabled
Shed New Flows Only: Enabled
=========================================================================
Load Shedding Parameters    Current    Default    Min    Max
=========================================================================
Client FPM                  1000000    1000000    10     1000000
Server FPM                  1000000    1000000    10     1000000
Failed FPM                  1000000    1000000    10     1000000
TCBConn                     100        100        0      1000000
UCBConn                     100        100        0      1000000

Load Shedding Host Exception List:
179.21.1.3   server2.test.com
10.1.1.1     main.test.com
10.1.1.2     server1.test.com

If you have certain hosts that you want to exclude from load shedding (for example, you don't want load shedding to drop packets from DNS servers), you can create a host exception list. You can either:

Create a host list with the hl new command and then specify the host list with the setup loadshedding exception add list:<hostlist> command.

or

Add the hosts individually with the setup loadshedding exception add <ip-addr>|<dnsname> command.

To see which hosts have exceeded the load shedding thresholds and have flows being shed, use the hostdb info command. A"+" next to the New Flows Per Minute value for Client, Server, or Failed indicates load shedding is occurring or has recentlyoccurred.

Command Change History

Release   Modification
8.3.1     The minimum value for TCBConn (active TCP flows) and UCBConn (active non-TCP flows) changed to 0 flows. Previous versions of PacketWise required a minimum value of 5 flows.
7.0.0     Command introduced
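As an added illustration (not PacketWise code), the following Python models the shedding decision this entry describes: it parses a constructed copy of the setup loadshedding show output (with Load Shedding switched to Enabled so the rules have an effect), honours the "new flows only" setting and the host exception list, and applies the TCBConn/UCBConn, Client/Server FPM and failed-FPM thresholds to per-host counters of the kind hostdb info reports. The HostStats fields, the near_capacity flag standing in for "approaches its load capacity", and the rule that Client FPM is judged on the client host and Server FPM on the server host are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of `setup loadshedding show` output.  It mirrors the
# layout shown in this entry, with Load Shedding switched to Enabled so
# the decision logic below has something to do.
SHOW_OUTPUT = """\
Load Shedding: Enabled
Shed New Flows Only: Enabled
=========================================================================
Load Shedding Parameters   Current    Default    Min   Max
=========================================================================
Client FPM                 1000000    1000000    10    1000000
Server FPM                 1000000    1000000    10    1000000
Failed FPM                 1000000    1000000    10    1000000
TCBConn                    100        100        0     1000000
UCBConn                    100        100        0     1000000

Load Shedding Host Exception List:
179.21.1.3   server2.test.com
10.1.1.1     main.test.com
10.1.1.2     server1.test.com
"""


def parse_loadshedding_show(text):
    """Parse `setup loadshedding show` output.

    Returns (enabled, new_flows_only, thresholds, exceptions): thresholds maps
    each parameter name to its Current value; exceptions is a set of IPs.
    """
    enabled = new_only = False
    thresholds, exceptions = {}, set()
    in_exceptions = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        if line.startswith("Load Shedding:"):
            enabled = line.split(":", 1)[1].strip() == "Enabled"
        elif line.startswith("Shed New Flows Only:"):
            new_only = line.split(":", 1)[1].strip() == "Enabled"
        elif line.startswith("Load Shedding Host Exception List"):
            in_exceptions = True
        elif in_exceptions:
            # "<ip> <dns name>": keep the address, ignore the name
            exceptions.add(str(ipaddress.ip_address(line.split()[0])))
        else:
            tokens = line.split()
            # Parameter rows end in four integers: Current Default Min Max
            if len(tokens) >= 5 and all(t.isdigit() for t in tokens[-4:]):
                thresholds[" ".join(tokens[:-4])] = int(tokens[-4])
    return enabled, new_only, thresholds, exceptions


@dataclass
class HostStats:
    """Per-host counters of the kind `hostdb info` reports (assumed layout)."""
    client_fpm: int = 0   # new flows per minute with this host as client
    server_fpm: int = 0   # new flows per minute with this host as server
    failed_fpm: int = 0   # failed flows per minute involving this host
    tcp_flows: int = 0    # active TCP flows served by this host
    udp_flows: int = 0    # active UDP (non-TCP) flows served by this host


def shed_reasons(client, server, stats, show_text, new_flow=True, near_capacity=False):
    """Return the thresholds that would make the unit shed this packet.

    An empty list means the packet is forwarded.  `near_capacity` stands in
    for the unit approaching its load capacity (an assumed boolean input);
    the failed-FPM rule only applies in that state.
    """
    enabled, new_only, th, exceptions = parse_loadshedding_show(show_text)
    if not enabled or (new_only and not new_flow):
        return []                         # disabled, or an existing flow is spared
    if client in exceptions or server in exceptions:
        return []                         # host exception list wins
    c = stats.get(client, HostStats())
    s = stats.get(server, HostStats())
    reasons = []
    if c.client_fpm > th["Client FPM"]:
        reasons.append("Client FPM")
    if s.server_fpm > th["Server FPM"]:
        reasons.append("Server FPM")
    if s.tcp_flows > th["TCBConn"] or s.udp_flows > th["UCBConn"]:
        reasons.append("TCBConn/UCBConn")
    if near_capacity and max(c.failed_fpm, s.failed_fpm) > th["Failed FPM"]:
        reasons.append("Failed FPM")
    return reasons


if __name__ == "__main__":
    hosts = {"10.2.2.2": HostStats(tcp_flows=150)}
    print(shed_reasons("10.9.9.9", "10.2.2.2", hosts, SHOW_OUTPUT))
```

Feeding the parser the real show output (with the unit's actual Current column) lets you predict which hosts will start showing a "+" in hostdb info before the thresholds are lowered, and confirms that the exception list covers the servers you intend to spare.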


setup managementport

Available only for models with a MGMT port

Enable the Ethernet management port (MGMT) so that the PacketShaper can be accessed and managed only through this port. When the management port is enabled, the unit cannot be accessed from other networks. Enabling management port access will cause loss of remote connectivity to the unit through all other ports.

setup managementport on|off|show

on The PacketShaper can be accessed through the MGMT port only.

off The PacketShaper can be accessed through any port, including the MGMT port.

show Display the current setting for the management port

When considering whether to enable the dedicated management port feature, bear in mind that certain PacketShaper features will not function properly unless the network administrator provides outside hosts with a route to reach the PacketShaper through the MGMT port. These features include, but are not limited to, the following:

PolicyCenter
Access Link Monitoring
Frame Relay and ATM
HP OpenView
Flow Detail Records
Adaptive response
SNMP traps and polling from third-party applications
Synthetic transactions
Customer portal traffic (if the portal IP address is set to be the same as the management IP address)

Note: The MGMT port is considered an outside port. Therefore, securing the outside interface will secure the MGMT port as well. For example, to allow access from only two IP addresses issue the following command: setup secure outside list 10.1.1.100 10.1.12.1.


setup message

Configure a message that will display before logging into the PacketShaper. The message displays before you login via the browser login page, before logging in using a remote login utility (such as Telnet), and when you first console connect to the unit. This feature is useful for informing users about the company's access policies and consequences for unauthorized use.

setup message {set <message>}|show|default

where

set <message> Defines the message text. The text should be enclosed in quotation marks and can be up to 511 characters long.

show Displays the content of the login message

default Clears the message text. In PolicyCenter's shared mode, the unit will then be able to inherit the message of the parent configuration.

Examples

setup message set "Access to this system is restricted to authorized users only."

Message set to: "Access to this system is restricted to authorized users onl...

setup message show

Configured Message: Access to this system is restricted to authorized users only.

Notes

Quotation marks indicate the beginning and end of the login message. You cannot use a quotation mark within the body of the login message.

If you want to display a message that is longer than 511 characters, you can create a text file that contains your message text. Name the file login.txt and upload it to the 9.256/ directory. The first 2048 characters of the text file will display after any message that is configured with the setup message set command. Thus, the text file is appended to the message text, allowing the message to have a total approximate length of 2500 characters. Note that quotation marks are allowed in the login.txt file.

The setup message show command does not display the content of the login.txt file.

No login message is displayed when accessing the PacketShaper via FTP.

The message can be configured in the browser interface as well. See Specify Security Settings.


setup modem

Configure a modem setting so that if the modem drops its carrier connection, PacketWise will log out the console user. Be sure to configure your modem to drop DSR when the call is disconnected.

setup modem off|on|default

When this option is set to off, the console session will not be logged off until the user types exit at the command line. For security reasons, if you have a modem connected to the serial port, set this option to on.


setup nic

Set the PacketShaper's speed and duplex state.

setup nic <device> auto|autoneg-only|{10bt|100bt half|full}|{1000b full}

where <device> is the interface name or number:

Device Name                      Device Number
inside                           0
outside                          1
lower_inside or left_inside      2
lower_outside or left_outside    3
upper_inside or right_inside     4
upper_outside or right_outside   5
management                       7

Note: The device numbers vary according to the number of LEMs installed. If two LEMs are installed, the above numbers are correct. If only one LEM is installed (regardless of whether it's installed in the upper/right or lower/left position), the LEM interfaces will be assigned device numbers 2 and 3. If no LEMs are installed, the management port's device number is 3.

Specify auto (auto-negotiate) to automatically configure the unit for the appropriate mode. If you do not specify a state, it defaults to auto.

Notes:

Whenever you wish to change Network Interface Card (NIC) settings, always select auto-negotiate first, then select a different value if desired. Do not change from one non-auto setting to another non-auto setting directly; re-negotiation may fail and In Link Down or Out Link Down appears on the LCD.

The management parameter is only applicable to models with MGMT ports (such as the 3500 and 7500).

Although you can specify different fixed speeds on the Inside and Outside interfaces, such a configuration will result in a network interruption if the PacketShaper is turned off because the end devices will not be able to negotiate the correct speed for the link.

PacketWise does not support a 1000b half-duplex interface.

Gigabit Fiber-Optic

If auto is specified for gigabit fiber-optic units and auto-negotiation signals are not received from the other side, the negotiation will time out in one second and the interface will be set at 1000 fixed. To force auto-negotiation without timing out, use the autoneg-only option. Gigabit Ethernet supports the full-duplex option only.

Gigabit Ethernet

For gigabit Ethernet you can specify auto or 1000b. (1000b actually does the same thing as auto; manual setting to gigabit Ethernet is not part of the 802.3 Ethernet standard.) Gigabit Ethernet supports the full-duplex option only.


setup password

Configure a touch (read/write) or look (read-only) password.

setup password look|touch

You will be prompted to enter the old password, type a new password, and retype the password to confirm. For example:

setup password touch

Old touch password: (none)

New touch password:

Confirm touch password:

Changed the touch password

Passwords can be up to nineteen characters long and are case sensitive. They can consist of a combination of letters, numbers, and all special characters on the U.S. keyboard.

To abort this command and return to the command prompt, press Ctrl+D.

To enable look mode, use the look command. To enable touch mode, use the touch command.

If you forget the touch password, you can use the password recovery method to access the unit and reset the password.


setup portal ip

Assign a second IP address to the customer portal. This allows customers to directly display the customer portal login page using this address instead of the http://x.x.x.x/customer URL.

setup portal ip <address> [<mask>]

where <address> is the IP address assigned to the customer portal and <mask> is the subnet mask for the network where the unit resides. The address must be on a different subnet from the main portal address and should not be the same address as an Xpress-IP address.

To clear the address, use:

setup portal ip none

Notes:

This command is not available on the PacketShaper 900 Lite models.

Customer portal IP addresses must be configured before configuring Xpress-IP addresses on the LEMs. If you configure the Xpress-IP addresses first, you will not be able to configure a customer portal IP address.


setup portal message

Set the system-wide message-of-the-day for the customer portal feature. This message is displayed if the customer doesn't have a specific message configured with the portal new command. Note: This command is not available on the PacketShaper 900 Lite models.

setup portal message <new message>

The message can be up to 128 characters long and must be enclosed in quotes if it contains spaces.


setup portal show

Lists the system-wide message-of-the-day. Note: This command is not available on the PacketShaper 900 Lite models.

setup portal show


setup radius acct

Set up or change the configuration of the RADIUS accounting service. This feature allows you to have an audit trail for user logins.

To define the RADIUS accounting service, use:

setup radius acct primary|secondary <host> <shared_secret> [<port>] |delete|override

primary|secondary Enter the literal primary or secondary to indicate which server you are defining. (The secondary server is used when the primary server isn't accessible.)

<host> The IP address or DNS name of the RADIUS accounting server

<shared_secret> The designated secret for the server; quotes are not required

[<port>] The port number to access the server; if omitted, the default port is used

delete Deletes the configuration of the primary or secondary server (whichever is specified)

override Inherits setup of the primary or secondary server from PolicyCenter

To turn the service on or off, or to return the service to its default off value, use:

setup radius acct on|off|default

Example:

setup radius acct primary 10.10.10.10 bobolink

setup radius acct secondary 10.10.20.10 parrot

setup radius acct on

This example defines a primary accounting server at 10.10.10.10 which has a shared secret of bobolink, as well as a secondary server at 10.10.20.10. The third command line enables RADIUS accounting service. Once this service is configured and enabled, PacketWise will send a PW_STATUS_START accounting message to the accounting server when a user logs in and a PW_STATUS_STOP message when a user logs off or is disconnected.


setup radius auth

Set up or change the configuration of the RADIUS authentication service. RADIUS authentication is an optional method for users to log into the PacketWise browser interface, command-line interface, or customer portal or when FTPing to the unit. Using third-party RADIUS servers enables you to have central configuration of user accounts.

setup radius auth primary|secondary <host> <shared_secret> [<port>] |delete|override

primary|secondary Enter the literal primary or secondary to indicate which server you are defining. (Note: The RADIUS client uses the secondary server when the primary server isn't accessible or authentication failed.)

<host> The IP address or DNS name of the RADIUS authentication server

<shared_secret> The designated secret for the server; quotes are not required

[<port>] The port number to access the server; if omitted, the default port is used

delete Deletes the configuration of the primary or secondary server (whichever is specified)

override Inherits setup of the primary or secondary server from PolicyCenter

To turn the service on or off, or to return the service to its default off value, use:

setup radius auth on|off|default

Example:

setup radius auth primary 10.10.10.10 bobolink

setup radius auth on

This example first defines a primary authentication server at 10.10.10.10 which has a shared secret of bobolink. The second command line enables RADIUS authentication service. Once this is configured and enabled, PacketWise will prompt users for user name and password when they log into PacketWise.


setup radius interval

Set the amount of time for RADIUS to wait for a response from a server. By default, the RADIUS client waits 5 seconds before retrying a login when the RADIUS server fails to respond.

setup radius interval <seconds>|default

where <seconds> is a value between 1 and 30 seconds. For example:

setup radius interval 20

In this example, the retry interval is 20 seconds; this interval applies to any configured RADIUS server.

To return to the default retry interval, use:

setup radius interval default


setup radius limit

Set the number of retry attempts the RADIUS client will make to a server before cancelling the login. By default, if the RADIUS server fails to respond, the RADIUS client will try to log onto the server three times before reporting a server failure. If you have specified a secondary server, the RADIUS client will alternate attempts to log onto each server.

setup radius limit <n>|default

where <n> is a value between 1 and 10. For example:

setup radius limit 6

In this example, the RADIUS client will try to log onto the server six times.

To return to the default retry limit, use:

setup radius limit default


setup radius method

Select the RADIUS authentication method: PAP, CHAP, or MSCHAP.

setup radius method PAP|CHAP|MSCHAP|default

PAP (Password Authentication Protocol)

With PAP, the user name and password are transmitted in clear, unencrypted text. ASCII or PAP authentication is required for RADIUS configurations that require access to cleartext passwords (for example, when passwords are stored and maintained in a database external to the RADIUS server).

CHAP (Challenge Handshake Authentication Protocol)

In some environments, CHAP may be preferred for greater security. The RADIUS server sends a challenge that consists of a session ID and an arbitrary challenge string, and the user name and password are encrypted before they are sent back to the server.

CHAP is the default authentication method.

MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)

This protocol is similar to CHAP, but with MS-CHAP authentication, the RADIUS server can store an encrypted version of a user password to validate the challenge response. Standard CHAP authentication requires that the server stores unencrypted passwords.

Note: MS-CHAP v1 and v2 are supported. PacketWise attempts authentication with MS-CHAP v2 first. If the remote server doesn't support v2 or if authentication is denied, PacketWise re-attempts authentication with MS-CHAP v1.
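To make the difference between the methods concrete, here is an added Python example (not PacketWise or RADIUS-server code) showing what actually crosses the wire in each case: the RFC 2865 User-Password hiding that carries a PAP password, which anyone holding the shared secret reverses, and the RFC 1994 MD5 challenge-response that CHAP sends instead, which the server can only verify from a stored cleartext password. The user password, Request-Authenticator and challenge are constructed values; bobolink is the shared secret from this document's examples. MS-CHAP's NT-hash scheme is not shown.

```python
import hashlib
import hmac

# Constructed sample values: "bobolink" is the shared secret used in this
# document's examples; the user password, authenticator and challenge are
# made up (a real request uses 16 random bytes for each of the latter two).
SHARED_SECRET = b"bobolink"
USER_PASSWORD = b"Secr3t-pw"
REQUEST_AUTHENTICATOR = bytes(range(16))
CHAP_CHALLENGE = bytes(range(16, 32))


def pap_hide_password(password, shared_secret, request_authenticator):
    """RFC 2865 section 5.2: how a PAP User-Password travels in RADIUS.

    The password is XORed, 16 bytes at a time, with MD5(secret || previous
    block), seeded by the Request-Authenticator.  Anyone holding the shared
    secret inverts it, so this is obfuscation of a cleartext credential,
    not a challenge-response proof of knowledge.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        hidden += block
        prev = block
    return bytes(hidden)


def pap_reveal_password(hidden, shared_secret, request_authenticator):
    """Inverse of pap_hide_password: what the RADIUS server (or anyone who
    knows the shared secret) does to recover the cleartext password."""
    clear, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(h ^ s for h, s in zip(block, stream))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def chap_response(ident, password, challenge):
    """RFC 1994 CHAP (MD5): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_password_attribute(ident, password, challenge):
    """RFC 2865 section 5.3 CHAP-Password value: 1-byte Ident + 16-byte
    response.  The password itself never leaves the client."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def chap_verify(attribute, stored_password, challenge):
    """Server-side check.  It recomputes the response from the stored
    cleartext password, which is why the entry says standard CHAP needs
    the server to keep unencrypted passwords."""
    ident, response = attribute[0], attribute[1:]
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(response, expected)


if __name__ == "__main__":
    hidden = pap_hide_password(USER_PASSWORD, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    print("PAP hidden :", hidden.hex())
    print("recovered  :", pap_reveal_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR))
    attr = chap_password_attribute(7, USER_PASSWORD, CHAP_CHALLENGE)
    print("CHAP valid :", chap_verify(attr, USER_PASSWORD, CHAP_CHALLENGE))
```

The contrast explains the default: with PAP the shared secret is the only thing between a captured RADIUS packet and the user's password, while with CHAP a capture yields a one-time response for one challenge. Either way the shared secret deserves the same care as a password, and the RADIUS traffic should stay on a management network.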


setup radius show

Display the current RADIUS settings. Use this command to verify that RADIUS authentication and accounting are enabled, to see the current settings for the retry limit and retry interval, and to view configuration settings on each of the RADIUS servers.

setup radius show

Authentication : on
Accounting     : on
Retry limit    : 3
Retry interval : 5

Service records:

Type    Host        Port   Secret
auth1   10.7.55.1   1812   testing123
acct1   10.7.55.1   1813   testing123


setup reset

Return to the factory-default configuration and reboot the unit.

setup reset [all|clear]

setup reset
Resets the PacketShaper settings (for example, NIC speed and IP address, but not the traffic tree) to the factory default state, and then reboots the unit

setup reset all
Resets all settings and the configuration to the factory default state

Note: Use setup reset all only when you want to reset all configuration settings — basic configuration, the traffic tree with its classes, policies, and partitions; measurement data; and events — to the factory-default settings. This command deletes all custom service groups and returns any moved services back to their original groups.

setup reset clear
Clears all files on the system disk (9.256/), in addition to resetting all settings and the configuration to the factory default state

These commands reset the unit's IP address to 207.78.98.254, making it unreachable on your network until it is reconfigured using Guided Setup. (See Run Guided Setup for details.)

Note: The setup reset command works differently in shared mode.

To reboot the unit without modifying the settings, use the reset command.

Command Change History

Release   Modification
8.3.1     The clear parameter is introduced.


setup reset (for PolicyCenter)

The setup reset command has different results, depending where you issue the command. To reset the PolicyCenter software to factory default settings without shutting down the application, issue the command from the PolicyCenter CLI:

setup reset [all]

Specifying all allows you to also change the LDAP server. This command option closes the client application. Wait for a few seconds then re-launch the client session. You are then prompted for the name of an LDAP server. Omit the all parameter to reset an individual PolicyCenter configuration.

setup reset (issued for a PolicyCenter parent configuration)
When issued for a PolicyCenter Parent configuration at the top of the PolicyCenter configuration tree, the setup reset command restores default values to the setup settings of that configuration (and any units assigned to that configuration).

setup reset (issued for a PolicyCenter child configuration)
When issued for a child configuration, all the child's setup settings are returned to their default state and the child configuration will inherit setup parameters from its parent configuration.

setup reset all
PolicyCenter is shut down and on reinvoking the application, you are taken through Guided Setup. The setup parameters are not changed for either PolicyCenter configurations or units assigned to those configurations.


setup secure

Limit management access from the inside or outside interface.

setup secure inside|outside on|off|default|list <addr>[:<mask>]...

Use the setup secure outside on command to secure the outside interface, that is, the Internet. For example, when the outside interface is set to secure, Telnet, HTTP, FTP and ping requests from external sources will not be permitted. By default, the inside and outside interfaces are not secured.

The list parameter enables access to up to 16 IP addresses, separated by spaces. This is an exception list—the interface is secured except for the IP addresses on the list. To specify a subnet, use the format: ipaddress:subnet_mask. The list option accepts IP addresses only, not host names. To find the IP address associated with a host name, use the dns lookup CLI command.

Notes:

If you secure the interfaces, you will be able to access the unit only via a console connection. The browser interface will be disabled because you will not have management access over the network. Another way to secure the interface is to specify a list of IP addresses that can access the unit. For example, setup secure outside list 10.1.1.100 10.1.12.1 would allow access from only two IP addresses.

Keep in mind that securing an interface means that queries such as DNS and SNTP cannot be made via the secured interface. Consider using the list option and including these servers and your gateway in the list.

The WebPulse classification features require access to a number of outside web servers. Therefore, do not completely secure the outside interface. Instead, use the list option and add the IP addresses of the following servers to the exception list: WebPulse service points (use the setup webpulse show service command to find the IP addresses of the one or two fastest servers), the WebPulse map update server (sitereview.bluecoat.com), the support update server (updates.bluecoat.com), the heartbeat server (hb.bluecoat.com), and the traffic information reporting server (cda.bluecoat.com). If you are using a web proxy, you will also need to add this server's IP address to the list if it will be accessible via the outside interface.

If you plan on using direct standby, do not set the outside interface to secure. For standby to work, each device must be able to communicate with the other device. If you set the outside interface to list, you must add both the partner's and the unit's IP addresses to the Outside security list.

The PacketShaper will not be able to process local ARP requests via a secured interface.

If you secure the outside interface and your gateway is on the outside, a "gateway not found" message will be displayed in the login banner or on the info page. In this state, tasks such as upgrading the software image from a non-local address will be disabled.

The MGMT port (available on certain models) is considered an outside port. Therefore, securing the outside interface will secure the MGMT port as well.
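The exception-list behaviour described in these notes and in the setup managementport entry (where the MGMT port counts as an outside port), as an added Python example rather than PacketWise code: it parses addr and addr:mask entries the way the list parameter expects, enforces the 16-entry limit and the IP-addresses-only rule, answers whether a given source address would still have management access, and reports which required hosts (DNS, SNTP, gateway, standby partner) a proposed list leaves out. The mode names and the helper names are the example's own.

```python
import ipaddress

MAX_LIST_ENTRIES = 16   # the list parameter accepts up to 16 addresses


def parse_secure_list(entries):
    """Turn the arguments of `setup secure <iface> list` into IP networks.

    Each entry is `ipaddress` or `ipaddress:subnet_mask`, as in the command
    syntax.  Host names are rejected, matching the CLI, which accepts IP
    addresses only.
    """
    if len(entries) > MAX_LIST_ENTRIES:
        raise ValueError(f"at most {MAX_LIST_ENTRIES} list entries are allowed")
    networks = []
    for entry in entries:
        address, _, mask = entry.partition(":")
        try:
            if mask:
                networks.append(ipaddress.ip_network(f"{address}/{mask}", strict=False))
            else:
                networks.append(ipaddress.ip_network(address))   # single host
        except ValueError as exc:
            raise ValueError(f"{entry!r}: use an IP address, not a host name "
                             "(resolve it first with dns lookup)") from exc
    return networks


def management_access_allowed(mode, source_ip, entries=()):
    """Would a management request from source_ip be accepted on this interface?

    mode is 'off' (unsecured), 'on' (secured: no network management access at
    all) or 'list' (secured except for the listed addresses).  The MGMT port
    counts as an outside port, so the outside setting governs it too.
    """
    if mode == "off":
        return True
    if mode == "on":
        return False
    if mode != "list":
        raise ValueError("mode must be on, off or list")
    source = ipaddress.ip_address(source_ip)
    return any(source in network for network in parse_secure_list(entries))


def uncovered_hosts(entries, required):
    """Names from `required` (name -> IP) that the list does not cover.

    Run it before applying the list to catch the omissions the notes warn
    about: DNS and SNTP servers, the gateway, a direct-standby partner.
    """
    networks = parse_secure_list(entries)
    return [name for name, ip in required.items()
            if not any(ipaddress.ip_address(ip) in n for n in networks)]


if __name__ == "__main__":
    allowed = ["10.1.1.100", "10.1.12.1"]     # the list from this entry's example
    print(management_access_allowed("list", "10.1.1.100", allowed))
    print(uncovered_hosts(allowed, {"dns": "10.1.1.40", "gateway": "10.1.2.1"}))
```

Note that the check is by source address only, which is all the list parameter offers; it reduces exposure of Telnet, HTTP, FTP and ping on the secured side but is not a substitute for the look and touch passwords or RADIUS authentication.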


setup shaping

When shaping is turned on, traffic is classified and measured, and control policies are enforced. When shaping is off, traffic is classified and measured but not managed.

setup shaping on|off|bypass|passthru|watch

Where:

on Turns traffic shaping on

off Turns off shaping mode (traffic, bypass, passthru, watch)

bypass Sets the unit to pure bypass mode. Bypass mode prevents both packet shaping and further network management access; it is as if the unit were removed, and cables connected around it.

passthru Turns off all shaping, classification, and measurement

watch Sets the unit into a non-inline, monitor-only mode. See Watch Mode Overview for additional information.

Notes: The watch mode feature is not available on the PacketShaper 900 Lite models. Watch mode can be enabled only when the PacketShaper is set to legacy tunnel mode; it cannot be enabled in migration or enhanced tunnel mode.


setup show

Display the basic configuration.

setup show

The output is divided into non-sharable (local) and sharable settings. The sharable settings are part of the configuration file (config.ldi). If a configuration is loaded on another unit, the sharable settings will be copied to the other unit (see config save and config load).

Non-sharable (local) settings:

IP address:              10.1.5.1
Subnet mask:             255.0.0.0
Gateway:                 10.1.2.1
DNS server(s):           10.1.1.40
Default domain:          example.com
Date, time, timezone:    Mon Aug 9 14:03:40 2005 PDT (LosAngeles)
SNMP sysName:            172.21.18.160
SNMP sysLocation:        The physical location of this unit
SNMP sysContact:         The contact person for this managed unit
Inside nic speed:        auto-negotiate (100BaseT full-duplex)
Outside nic speed:       auto-negotiate (1000BaseT full-duplex)
Installed Keys:          compatibility 1
                         control on
                         linksize nolimit
                         compression 1

Sharable settings:

Site router:             (none)
Inside interfaces:       unsecure
Outside interfaces:      unsecure
Look password:           (none)
Touch password:          (none)
Link speed:              1.5M (T1)
Packet shaping:          off
Traffic discovery:       on
SNMP config mode:        simple
SNMP look community:     public
SNMP Trap destinations:  (none)
Modem on Console:        off
Email host:port:         (none)
Email sender:            (none)
SNTP Client:             off
SNTP Primary Server:     time.nist.gov
SNTP Secondary Server:   time-a.nist.gov
SNTP Poll Seconds:       300
HTTPS port:              443
SSH port:                22
Syslog:                  off
Legacy Compression:      on (Migration Mode)
Enhanced Compression:    off
Packing:                 on
Acceleration:            off
Adaptive Response:       on


setup siterouter

Configure the IP address of the access router for the managed link.

setup siterouter none|(<addr> [<read-community>])

Alternatively, you can set PacketWise to manage all bandwidth — independent of the destination — by specifying none for the site router IP address. PacketWise maintains a cache of MAC addresses for non-IP traffic and for IP traffic if the site router is set to none; traffic is not passed when the source and destination addresses are on the same side of the access link.

Also use this command to set the SNMP <read-community> string used by PacketWise to access the router when reacting to a router failover condition.

If you have multiple routers, use the highav add command.

The site router should be set to none if you are using acceleration. If a site router is defined, acceleration will not work.


setup snmp accessgroup

Each SNMP access group is defined by a group name, a security model (and level), and a set of views that specifies which types of MIB data that access group can read or write.

There are two different commands to modify access group settings. Modify the group settings on a PacketShaper in local mode or a top-level PolicyCenter configuration with the command setup snmp accessgroup modify. Use the command setup snmp accessgroup override on a PacketShaper in shared mode or a PolicyCenter child configuration to create a local copy of a SNMP group that overrides the inherited SNMP group.

setup snmp accessgroup new|modify|override <groupname> [noAuthNoPriv|authNoPriv|authPriv] [read <viewname>] [write <viewname>]

where

<groupname>

The name of the user group you are creating or modifying. An access group name can be up to 32 characters; hyphens, underscores, and periods are acceptable. If the group name contains spaces, it must be enclosed in quotation marks, for example "admin group."

noAuthNoPriv | authNoPriv | authPriv

SNMPv3 access groups support the following security levels:

noAuthNoPriv: Identifies a user for access control, but does not provide authentication.

authNoPriv: Identifies a user for access control, and authenticates the user's password.

authPriv: Identifies a user for access control, authenticates the user's password, and provides encryption.

If you do not specify a usm security model, the group will use the default noAuthNoPriv.

read <viewname>

Access groups have read (look) access to the information specified by the read view.

To give the group read access to all MIB data, specify the predefined view name isoAll for the <viewname> parameter. To block all read access, specify isoNone. To limit a group's read access to a subset of available MIB data, enter the name of a user-defined view created with the setup snmp view command. If you do not specify a read view, the group will apply the default isoAll setting.

write <viewname>

Access groups have write (touch) access to the information specified by the write view.

To give the group write access to all MIB data, specify the predefined view name isoAll for the <viewname> parameter. To block all write access, specify isoNone. To limit a group's write access to a subset of available MIB data, enter the name of a user-defined view created with the setup snmp view command. If you do not specify a write view, the group will apply the default isoAll setting.

Examples:

setup snmp accessgroup new engineering usm authpriv read isoall write isoall

setup snmp accessgroup new admin usm authpriv read snmpTraps write isoNone

Delete an Access Group

To delete an access group, use:

setup snmp accessgroup delete <groupname>

where <groupname> is the name of the group you want to delete. Note that you will not be able to delete a group that currently has users assigned to it.

Example:

setup snmp accessgroup delete marketing


View Access Group Settings

To view current SNMP access group settings, issue the command:

setup snmp accessgroup show

Example output:

AccessGroupName   Model   Level      ReadViewName   WriteViewName   Refs   Status
admin             usm     authPriv   all_mib        isoNone         10     ok
engineering       usm     authPriv   all_mib        Trap            23     ok
v2                v2c                isoAll         isoAll          1      ok
v1_users          v1                 isoAll         isoAll          0      ok
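A defender reviewing this output wants to know which groups grant more access than their security level justifies. The following Python, added here and not part of PacketWise, parses the sample above (note that v1/v2c rows have no Level column, so rows are split positionally from the right) and flags groups that allow writes below authPriv, reads without authentication, or community-based groups with no users referencing them. The audit rules are the example's own reading of the security levels described in this entry; all_mib and Trap are the user-defined views from the sample.

```python
from dataclasses import dataclass
from typing import Optional

# The `setup snmp accessgroup show` output from this entry, used as sample input.
SHOW_OUTPUT = """\
AccessGroupName   Model   Level      ReadViewName   WriteViewName   Refs   Status
admin             usm     authPriv   all_mib        isoNone         10     ok
engineering       usm     authPriv   all_mib        Trap            23     ok
v2                v2c                isoAll         isoAll          1      ok
v1_users          v1                 isoAll         isoAll          0      ok
"""


@dataclass
class AccessGroup:
    name: str
    model: str                 # usm (SNMPv3), v2c or v1
    level: Optional[str]       # noAuthNoPriv / authNoPriv / authPriv; None for v1/v2c
    read_view: str
    write_view: str
    refs: int
    status: str


def parse_accessgroup_show(text):
    """Parse `setup snmp accessgroup show` output into AccessGroup records.

    usm rows carry a Level column; v1/v2c rows leave it blank, so those rows
    have one token fewer.  The last four columns are always present, so they
    are taken from the right and Level is read only for usm rows.
    """
    groups = {}
    for line in text.splitlines()[1:]:      # skip the header row
        tokens = line.split()
        if not tokens:
            continue
        name, model = tokens[0], tokens[1]
        level = tokens[2] if model == "usm" else None
        read_view, write_view, refs, status = tokens[-4:]
        groups[name] = AccessGroup(name, model, level, read_view, write_view, int(refs), status)
    return groups


def audit_access_groups(groups):
    """Flag groups whose security level is weaker than the access they grant.

    Returns (group name, finding) pairs.  The rules follow the levels this
    entry describes: only authPriv authenticates and encrypts, authNoPriv
    authenticates only, and v1/v2c community strings do neither.
    """
    findings = []
    for g in groups.values():
        strong = g.model == "usm" and g.level == "authPriv"
        authenticated = strong or (g.model == "usm" and g.level == "authNoPriv")
        if g.write_view != "isoNone" and not strong:
            findings.append((g.name, f"write view {g.write_view} without authPriv"))
        if g.read_view != "isoNone" and not authenticated:
            findings.append((g.name, f"read view {g.read_view} without authentication"))
        if g.model in ("v1", "v2c") and g.refs == 0:
            findings.append((g.name, "unused community-based group; consider deleting it"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_access_groups(parse_accessgroup_show(SHOW_OUTPUT)):
        print(f"{name}: {finding}")
```

On the sample, admin and engineering pass (authPriv, and engineering's write access is limited to the Trap view), while the v2 and v1_users groups are flagged for granting isoAll writes on community-string authentication; v1_users, with no references, is also a candidate for setup snmp accessgroup delete.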

Command Change History

Release   Modification
8.3.1     Command introduced


setup snmp complex add|modify community

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

One of the commands required to configure SNMP. The SNMP agent on the PacketShaper will not be able to identify SNMPv1 or SNMPv2c requests unless you configure values for the Community Table.

setup snmp complex add|modify community <Index> <Name> <SecurityName> <ContextEngineID> <ContextName> <TransportTag> <StorageType>

Where:

<Index> An arbitrary index string, up to 31 alphanumeric characters long. The value of this field must be unique among the index values of the other Community table records.

<Name> Specify the SNMP community name, up to 31 alphanumeric characters long

<SecurityName> The security name for this community, which must match the <Name> parameter of a USM User table entry.

<ContextEngineID> Enter a dash (-) to specify the local engine ID. PacketWise does not support any other context engine IDs.

<ContextName> Enter a dash (-) to indicate that SNMPv1 and SNMPv2c requests received with this community string will be accepted from a sender at any location. PacketWise does not support any other context names.

<TransportTag>

If an SNMP community transport tag is specified, a PacketShaper will only accept management requests from a specific list of transport endpoints. This <TransportTag> parameter must match the <TagList> parameter of a Target Address table entry.

If you do not want messages to and from this community to perform source address checking, then enter a dash (-).

<StorageType> PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted. This parameter can be defined by the word nonvolatile, or the number 3.

Example:

setup snmp complex add community t0000000 public public - - anywhereTag 3

Command Change History

Release  Modification
8.3.1    Command introduced


setup snmp complex add|modify notify

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

One of the commands required to configure SNMP. You must define a notification for the SNMP engine to correctly send SNMPv1 Traps, SNMPv2c Traps, SNMPv2c Informs, SNMPv3 Traps, or SNMPv3 Informs.

setup snmp complex add|modify notify <Name> <Tag> <Type> <StorageType>

Where:

<Name> The name of this notification

<Tag> The name of a set of entries in the Target Address table

<Type>

Specify the type of notification by entering one of the following values:

trap

inform

<StorageType>

PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted. This parameter can be defined by the word nonvolatile, or the number 3.

Example:

setup snmp complex add notify Informs InformTag inform nonvolatile

Command Change History

Release  Modification
8.3.1    Command introduced


setup snmp complex add|modify notifyflt

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

The Notify Filter SNMP table contains the individual elements of a filter profile. Define these values to construct a new notification filter.

setup snmp complex add notifyflt <ProfileName> <Subtree> <Mask> <Type> <StorageType>

Where:

<ProfileName> The name of a set of entries in the Target Address table

<Subtree> The name or number of the OID of a MIB subtree which, when combined with the <Mask> parameter also defined in this table, will define a family of subtrees to be included in or excluded from the filter profile

<Mask>

A series of colon-separated hexadecimal numbers which, together with the corresponding subtree, define a bit mask for a family of view subtrees. Enter a dash (-) if you do not want to configure a mask.

<Type>

Specify the type of notification by entering one of the following values:

trap

inform

<StorageType>

PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted. This parameter can be defined by the word nonvolatile, or the number 3.

Calculating a Filter Subtree Mask

You can calculate the <Mask> value for the Notify Filter table with a series of ones and zeros that mask out parts of the tree. A zero represents a 'wild card' that matches anything, and a one indicates that an exact match is required. For example, the following value would require an exact match on all fields except the table column (i.e., the 0 in ifEntry.0.2).

OID   1.3.6.1.2.1.2.2.1.0.2
Mask  1 1 1 1 1 1 1 1 1 0 1

In the example above, the bits of the mask would be grouped into 8-bit bytes, and then the right end of the last byte padded with ones (if necessary) to fill out the last byte:

                          byte 1             byte 2
original mask             1 1 1 1 1 1 1 1    1 0 1
mask padded with 1's      1 1 1 1 1 1 1 1    1 0 1 1 1 1 1 1
hex value of padded mask  ff                 bf

The <Mask> value for this table would be ff:bf

Command Change History

Release  Modification
8.3.1    Command introduced


setup snmp complex add|modify notifyfltpr

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

One of the commands required to configure SNMP. These values associate a notification filter profile with a particular set of target table entry values. Filter profiles are used to determine whether management targets should receive a particular set of notifications.

setup snmp complex add|modify notifyfltpr <snmpTargetParamsName> <Name> <StorageType>

Where:

<snmpTargetParamsName> A <Name> defined in the Target Parameters table

<Name> A <ProfileName> defined in the Notify Filter table

<StorageType>

PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted. This parameter can be defined by the word nonvolatile, or the number 3.

Example:

setup snmp complex add notifyfltpr v1ExampleParams wellKnownTraps nonvolatile

Command Change History

Release  Modification
8.3.1    Command introduced


setup snmp complex add|modify targetaddr

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

One of the commands required to configure SNMP. Specify target addresses in the Target Address table to determine where SNMPv3 notifications should be sent.

setup snmp complex add|modify targetaddr <Name> <TDomain> <TAddress> <Timeout> <RetryCount> <TagList> <Params> <StorageType> <TMask>

Where:

<Name> A <Name> defined in the Target Parameters table

<TDomain> A <ProfileName> defined in the Notify Filter table

<TAddress> A valid dotted-decimal IP address in the network specified by <TDomain>. If the IP address includes a port number, there must be a colon between the address and the port number, for example, 127.0.0.1:0

<Timeout>

Specify the maximum round trip time for communications between the PacketShaper and the SNMP target address, in hundredths of a second. Valid timeout values are 0-2147483647.

If an inform message is sent to this address but a response is not received within this specified time frame, the PacketShaper will assume that there will be no response.

<RetryCount> Number of times the PacketShaper should attempt to retransmit an inform message when it does not receive a response. Valid retry values are 0-255.

<TagList>

One or more tag values which select target addresses for a particular operation. This parameter must match the <Tag> parameter of a Notify table entry in order for the notification to be sent to the <TDomain> address. If you specify more than one tag, the list of tags should be separated by spaces and enclosed in quotation marks.

<Params> The name of a set of entries (as defined by the <Name> parameter of a Target Parameters table entry), which contain the SNMP table entry values to be used when generating messages to this address

<StorageType>

PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted. This parameter can be defined by the word nonvolatile, or the number 3.

<TMask>

Target transport mask for <TAddress>, in dotted-decimal format. If the IP address includes a port number, there must be a colon between the address and the port number.

For example, if <TDomain> is snmpUDPDomain, a valid mask would be 255.255.255.0:0. This mask is used in conjunction with the <TAddress> to determine if an incoming request has arrived from an authorized address.

Example:

setup snmp complex add targetaddr localHostV1 snmpUDPDomain 127.0.0.1:0 100 3 TrapTag v1ExampleParams nonvolatile 255.255.255.255:0

Command Change History

Release  Modification
8.3.1    Command introduced


setup snmp complex add|modify targetprms

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Configure the Target Parameters table to define the parameters to be used when sending SNMP notifications.

setup snmp complex add targetprms <Name> <MPModel> <SecurityModel> <SecurityName> <SecurityLevel> <StorageType>

Where:

<Name> Name of this table entry value

<MPModel> Specify SNMPv1, SNMPv2c or SNMPv3 to indicate which type of notification should be sent.

<SecurityModel> Select the security model for this notification by specifying snmpv1, snmpv2c or usm (for SNMPv3)

<SecurityName> The SNMPv3 user or SNMPv1/SNMPv2 community string on whose behalf SNMP messages will be generated using this entry

<SecurityLevel>

Specify one of the following security levels:

noAuthNoPriv, communication without encryption or authentication.

authNoPriv, communication without encryption.

authPriv, communication with 3DES, AES-128, AES-192, or AES-256 encryption. Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.

<StorageType> PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted. This parameter can be defined by the word nonvolatile, or the number 3.

Examples:

setup snmp complex add targetprms v1ExampleParams snmpv1 snmpv1 public noauthnopriv nonvolatile

setup snmp complex add targetprms v2cExampleParams snmpv1 snmpv2c public authnopriv nonvolatile

setup snmp complex add targetprms v3ExampleParams snmpv3 usm root authnopriv nonvolatile

Command Change History

Release  Modification
8.3.1    Command introduced


setup snmp complex add|modify usmuser

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

One of the commands required to configure SNMP; you must configure at least one SNMPv3 user for an SNMP engine to send or receive SNMPv3 messages on behalf of certain SNMP applications. Create SNMPv3 users by defining the following USM User values for each user.

setup snmp complex add|modify usmuser <EngineID> <Name> <AuthProtocol> <PrivProtocol> <StorageType> <TargetTag> <AuthKey> <PrivKey> [localizedkey]

Where:

<EngineID>

The <EngineID> value for an SNMP user is typically LocalSnmpId, the SNMP agent's own snmpEngineID. A LocalSnmpId can also be specified with a dash (-). To specify a remote SNMP engine with which this user can communicate, enter the 24-digit hexadecimal string that is the EngineID of a remote SNMP engine.

<Name> Name of the user

<AuthProtocol>

Select the type of authentication required for messages between this user and the SNMP engine identified by the EngineID in this table, if any.

usmNoAuthProtocol: Messages to or from the user do not require authentication.

usmHMACMD5AuthProtocol: Messages to or from the user must use authentication based on the HMAC-MD5 algorithm.

usmHMACSHAAuthProtocol: Messages to or from the user must use authentication based on the HMAC-SHA algorithm.

<PrivProtocol>

Specify usmNoPrivProtocol if the messages from this user do not need to be protected from disclosure. If this user requires privacy protection, specify the type of privacy protocol which is used.

usmDESPrivProtocol: CBC-DES Symmetric Encryption Protocol

usm3DESPrivProtocol: 3DES-EDE Symmetric Encryption Protocol

usmAES128CfbPrivProtocol: 128-bit AES (Advanced Encryption Standard)

usmAES192CfbPrivProtocol: 192-bit AES

usmAES256CfbPrivProtocol: 256-bit AES

<StorageType>

PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted

<TargetTag>

If set, this table entry value will enable source address checking for messages between this user and a list of SNMP engines in the Target Address table. If you do not want messages to and from this user to perform source address checking, then enter a dash (-).

<AuthKey>

User's authentication password. Enter this table entry value as a string of alphanumerical characters. To specify a password with more than one word, enclose the words in quotation marks, e.g. "auth key".

Note: This field should only contain a dash (-) if the <AuthProtocol> table entry value is set to usmNoAuthProtocol.

<PrivKey>

User's privacy password. Enter this table entry value as a string of alphanumerical characters. To specify a password with more than one word, enclose the words in quotation marks, e.g. "priv key".

Note: This field should only contain a dash (-) if the <PrivProtocol> table entry value is set to usmNoPrivProtocol.

[localizedkey]

The setup capture command will not capture authentication and privacy passwords modified via SNMP Set requests unless you include this localizedkey option. The localizedkey option requires that authentication and privacy passwords are defined in colon-separated hexadecimal format.


Example:

setup snmp complex add usmuser localSnmpID root usmHMACMD5AuthProtocol usmDESPrivProtocol nonvolatile anywhereTag authpass privpass

setup snmp complex add usmuser localSnmpID test usmHMACMD5AuthProtocol usmDESPrivProtocol nonvolatile anywhereTag df:dd:f4:c9:bc:e2:73:96:96:b7:93:69:4e:44:3e:38 9e:ab:b9:db:da:f5:fd:15:44:52:ca:8f:69:f9:56:0b localizedkey

Command Change History

Release  Modification
8.3.1    Command introduced


setup snmp complex add|modify vacmacc

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

One of the commands required to configure SNMP. The Vacm Access table entries represent the access rights for a group of users (defined in the Usm Users table). Define the following table entry values to create and maintain a list of access entries for each group name. Note that modifying any of the attributes in this entry will not update the entries in other tables.

setup snmp complex add|modify vacmacc <GroupName> <ContextPrefix> <SecurityModel> <SecurityLevel> <ContextMatch> <ReadViewName> <WriteViewName> <NotifyViewName> <StorageType>

Where:

<GroupName> A user group (and its associated access rights). The group name must be defined by at least one entry in the Vacm Access table.

<ContextPrefix> Enter a dash (-) for this parameter, as PacketWise does not support context matching.

<SecurityModel>

PacketShapers can use the View-based Access Control Model (VACM) to find out whether access to a specified managed object is authorized. Specify one of the following security models:

snmpv1

snmpv2c

usm (for SNMPv3)

<SecurityLevel>

Specify one of the following security levels:

noAuthNoPriv, communication without encryption. Uses a community string match for authentication.

authNoPriv, communication without encryption. Uses a username match for authentication.

authPriv, communication without encryption. Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.

<ContextMatch>

Specify either exact or prefix to indicate how the context of a request must match the ContextPrefix table entry value. If, for example, a management request is sent in context "Blue Coat", and the values of ContextPrefix and ContextMatch are "Blue" and "prefix", then the context name from the request is identified as a valid match to the values in this table entry.

<ReadViewName>

This text string defines the view subtrees accessible for Get, GetNext, and GetBulk requests, and must match the <Name> parameter of a Vacm View table entry. If <ReadViewName> is empty, no active view exists for read access.

<WriteViewName> This text string defines the view subtrees accessible for Set requests, and must match the <Name> parameter of a Vacm View table entry. If the <WriteViewName> table entry is empty, no active view exists for write access.

<NotifyViewName>

This text string defines the view subtrees accessible for notify access, and must match the <Name> parameter of a Vacm View table entry. If the <NotifyViewName> table entry is empty, no active view exists for notify access.

<StorageType> PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted. This parameter can be defined by the word nonvolatile, or the number 3.

Example:

setup snmp complex add vacmacc public - snmpv1 noauthnopriv exact ApplicationsView - ApplicationsView nonvolatile


Command Change History

Release  Modification
8.3.1    Command introduced


setup snmp complex add|modify vacmsec

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

One of the commands required to configure SNMP. Define the following Vacm Security table values to identify a security model and security name for an SNMP user group. Users within the same group have the same security level.

setup snmp complex add|modify vacmsec <SecurityModel> <SecurityName> <GroupName> <StorageType>

Where:

<SecurityModel>

You can use the View-based Access Control Model (VACM) to find out whether access to a specified managed object is authorized. Specify one of the following security models:

snmpv1

snmpv2c

usm (for SNMPv3)

<SecurityName> A human-readable string which identifies an SNMPv3 user name, or an SNMPv2c or SNMPv1 community string. This <SecurityName> parameter must match the <Name> parameter of a Usm User table entry.

<GroupName> A user group (and its associated access rights). This <GroupName> parameter must match the <GroupName> parameter of a Vacm Access table entry.

<StorageType> PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted. This parameter can be defined by the word nonvolatile, or the number 3.

Example:

setup snmp complex add vacmsec usm DayShiftSupervisor ShiftSupervisor nonvolatile

Command Change History

Release  Modification
8.3.1    Command introduced


setup snmp complex add|modify vacmview

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

One of the commands required to configure SNMP. Enter values in the Vacm View table to define families of view subtrees, and identify what is in each of the read, write and notify views defined in the previous command.

setup snmp complex add|modify vacmview <Name> <Subtree> <Mask> <Type> <StorageType>

Where:

<Name> Name of this family of view subtrees

<Subtree> The name or number of the OID of a MIB subtree; e.g., enterprises.99. This value is used with the <Mask> value in this table to define a family of view subtrees.

<Mask> This number is a series of colon-separated hexadecimal numbers which, together with the corresponding subtree, define a bit mask for a family of view subtrees. Enter a dash (-) to omit a mask.

<Type> This table entry value should be set to included if the subtree specified in this table is accessible in this family of view subtrees, or set to excluded if it is explicitly not accessible

<StorageType>

PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted. This parameter can be defined by the word nonvolatile, or the number 3.

Example:

setup snmp complex add vacmview restrictedView system - included nonvolatile
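Because complex mode reports no errors for inconsistent tables, a practitioner will want to check the cross-references this reference spells out before committing a configuration. The following Python script is an added example, not PacketWise code: it parses a block of setup snmp complex add|modify lines (the form setup capture emits) using the parameter order of the syntax lines on this page, and reports references that do not resolve: community and vacmsec SecurityName values against USM user names, Tag, TransportTag and TargetTag values against Target Address tag lists, Params and snmpTargetParamsName against Target Parameters entries, notifyfltpr profile names against Notify Filter entries, vacmsec group names against Vacm Access entries, view names against Vacm View entries, and a dash AuthKey or PrivKey on a user whose protocol is not usmNoAuthProtocol or usmNoPrivProtocol. The embedded sample configuration is constructed for illustration (the 192.0.2.10 address, tag names and entry names are made up); the lower-case field names in FIELDS are this script's own.

```python
"""Added example (not PacketWise code): a pre-flight consistency check for the
complex-mode SNMP tables.  Complex mode reports no errors for mis-configured
settings, so this parses `setup snmp complex add|modify` lines (as `setup capture`
emits them) and flags cross-table references that this reference says must match."""
import shlex
from collections import defaultdict

# Positional parameters of each table, in the order of the syntax lines above
# (usmuser's optional trailing [localizedkey] is ignored).
FIELDS = {
    "community": "index name securityname contextengineid contextname transporttag storagetype",
    "notify": "name tag type storagetype",
    "notifyflt": "profilename subtree mask type storagetype",
    "notifyfltpr": "snmptargetparamsname name storagetype",
    "targetaddr": "name tdomain taddress timeout retrycount taglist params storagetype tmask",
    "targetprms": "name mpmodel securitymodel securityname securitylevel storagetype",
    "usmuser": "engineid name authprotocol privprotocol storagetype targettag authkey privkey",
    "vacmacc": "groupname contextprefix securitymodel securitylevel contextmatch "
               "readviewname writeviewname notifyviewname storagetype",
    "vacmsec": "securitymodel securityname groupname storagetype",
    "vacmview": "name subtree mask type storagetype",
}
FIELDS = {table: names.split() for table, names in FIELDS.items()}


def parse_config(text):
    """Return ({table: [row dict, ...]}, [unparseable lines]); shlex keeps a
    quoted tag list such as "TrapTag InformTag" together as one argument."""
    tables, bad = defaultdict(list), []
    for line in text.splitlines():
        words = shlex.split(line)
        if words[:3] != ["setup", "snmp", "complex"] or len(words) < 5 \
                or words[3] not in ("add", "modify"):
            continue                                    # not an add/modify line
        table, args = words[4], words[5:]
        names = FIELDS.get(table)
        if names is None or len(args) < len(names):
            bad.append(line.strip())
            continue
        tables[table].append(dict(zip(names, args)))
    return tables, bad


def check_config(text):
    """Return a list of findings; an empty list means every reference resolves."""
    t, bad = parse_config(text)
    findings = [f"cannot parse: {line}" for line in bad]
    users = {u["name"] for u in t["usmuser"]}
    tags = {tag for a in t["targetaddr"] for tag in a["taglist"].split()}
    params = {p["name"] for p in t["targetprms"]}
    views = {v["name"] for v in t["vacmview"]}
    groups = {g["groupname"] for g in t["vacmacc"]}
    profiles = {f["profilename"] for f in t["notifyflt"]}

    def need(value, valid, what, where):            # record a dangling reference
        if value not in valid:
            findings.append(f"{where}: {what} '{value}' is not defined")

    for c in t["community"]:                        # SecurityName -> USM user; TransportTag -> target tags
        need(c["securityname"], users, "SecurityName", f"community {c['index']}")
        if c["transporttag"] != "-":
            need(c["transporttag"], tags, "TransportTag", f"community {c['index']}")
    for n in t["notify"]:                           # Tag -> a Target Address tag list
        need(n["tag"], tags, "Tag", f"notify {n['name']}")
    for a in t["targetaddr"]:                       # Params -> Target Parameters name
        need(a["params"], params, "Params", f"targetaddr {a['name']}")
    for p in t["notifyfltpr"]:
        need(p["snmptargetparamsname"], params, "snmpTargetParamsName", "notifyfltpr")
        need(p["name"], profiles, "ProfileName", "notifyfltpr")
    for u in t["usmuser"]:                          # TargetTag -> target tags; '-' keys only with no-auth/no-priv
        if u["targettag"] != "-":
            need(u["targettag"], tags, "TargetTag", f"usmuser {u['name']}")
        for key, proto, none in (("authkey", "authprotocol", "usmnoauthprotocol"),
                                 ("privkey", "privprotocol", "usmnoprivprotocol")):
            if u[key] == "-" and u[proto].lower() != none:
                findings.append(f"usmuser {u['name']}: {key} is '-' but {proto} is {u[proto]}")
    for s in t["vacmsec"]:                          # SecurityName -> USM user; GroupName -> Vacm Access group
        need(s["securityname"], users, "SecurityName", f"vacmsec {s['securityname']}")
        need(s["groupname"], groups, "GroupName", f"vacmsec {s['securityname']}")
    for g in t["vacmacc"]:                          # read/write/notify views -> Vacm View names
        for col in ("readviewname", "writeviewname", "notifyviewname"):
            if g[col] != "-":
                need(g[col], views, col, f"vacmacc {g['groupname']}")
    return findings


# Constructed sample, loosely modelled on this page's examples (the 192.0.2.10
# address, tags and names are made up).  Everything resolves except the second
# vacmsec entry and the community's TransportTag 'lanTag'.
SAMPLE = """
setup snmp complex add usmuser - root usmHMACSHAAuthProtocol usmAES128CfbPrivProtocol nonvolatile anywhereTag authpass privpass
setup snmp complex add targetprms v3ExampleParams snmpv3 usm root authpriv nonvolatile
setup snmp complex add targetaddr nmsHost snmpUDPDomain 192.0.2.10:162 100 3 "anywhereTag InformTag" v3ExampleParams nonvolatile 255.255.255.255:0
setup snmp complex add notify Informs InformTag inform nonvolatile
setup snmp complex add notifyflt wellKnownTraps snmpTraps - included nonvolatile
setup snmp complex add notifyfltpr v3ExampleParams wellKnownTraps nonvolatile
setup snmp complex add vacmview restrictedView system - included nonvolatile
setup snmp complex add vacmacc Operators - usm authpriv exact restrictedView - restrictedView nonvolatile
setup snmp complex add vacmsec usm root Operators nonvolatile
setup snmp complex add vacmsec usm DayShiftSupervisor ShiftSupervisor nonvolatile
setup snmp complex add community t0000000 public root - - lanTag 3
"""
```

check_config(SAMPLE) returns three findings: the community's TransportTag lanTag names no Target Address tag, and the second vacmsec entry names a SecurityName and a GroupName that no USM user or Vacm Access entry defines. Run the same function over the output of setup capture from a unit before enabling the configuration; an empty list means every reference on this page resolves, which is the check complex mode itself does not perform.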

Calculating a View Tree Mask

You can calculate the mask value for the VacmView table with a series of ones and zeros that mask out parts of the tree. A zero represents a 'wild card' that matches anything, and a one indicates that an exact match is required. For example, the following value would require an exact match on all fields except the table column (i.e., the 0 in ifEntry.0.2).

OID   1.3.6.1.2.1.2.2.1.0.2
Mask  1 1 1 1 1 1 1 1 1 0 1

In the example above, the bits of the mask would be grouped into 8-bit bytes, and then the right end of the last byte padded with ones (if necessary) to fill out the last byte:

                          byte 1             byte 2
original mask             1 1 1 1 1 1 1 1    1 0 1
mask padded with 1's      1 1 1 1 1 1 1 1    1 0 1 1 1 1 1 1
hex value of padded mask  ff                 bf

The <Mask> value for this table would be ff:bf
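The ff:bf calculation above, and the identical one under setup snmp complex add|modify notifyflt, can be carried out mechanically. The following Python functions are an added example, not PacketWise code: mask_bits_to_hex turns a row of 1/0 mask bits into the colon-separated hex string the CLI expects, padding the last byte with ones as described, and oid_in_family shows what the mask means by testing whether an OID falls inside the family defined by a subtree and mask. It goes slightly beyond the page's worked case in one respect: a dash (no mask), and sub-identifiers beyond the end of a short mask, are treated as ones, which is how the VACM specification (RFC 3415) defines them. The function names are this example's own.

```python
"""Added example (not PacketWise code): the view-tree / notify-filter mask
arithmetic this page works through by hand, following the VACM (RFC 3415)
rules on which the ff:bf calculation is based."""


def mask_bits_to_hex(bits):
    """Turn a row of 1/0 mask bits (one per OID sub-identifier, spaces allowed)
    into the colon-separated hex form the CLI expects.  The last byte is
    padded on the right with 1s, exactly as in the manual's calculation."""
    bits = bits.replace(" ", "")
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("mask must consist of 1s and 0s only")
    padded = bits + "1" * ((-len(bits)) % 8)        # fill the last byte with 1s
    octets = [padded[i:i + 8] for i in range(0, len(padded), 8)]
    return ":".join(f"{int(o, 2):02x}" for o in octets)


def parse_oid(oid):
    """'1.3.6.1' -> [1, 3, 6, 1]; a leading dot is tolerated."""
    return [int(x) for x in oid.strip(".").split(".")]


def mask_to_flags(mask, n_subids):
    """Expand a CLI mask ('ff:bf' or '-') into one flag per sub-identifier of
    the subtree: True = exact match required, False = wild card.  A dash (no
    mask) and any sub-identifier beyond the end of the mask count as 1."""
    if mask == "-":
        return [True] * n_subids
    bits = "".join(f"{int(octet, 16):08b}" for octet in mask.split(":"))
    flags = [b == "1" for b in bits[:n_subids]]
    return flags + [True] * (n_subids - len(flags))


def oid_in_family(oid, subtree, mask="-"):
    """True if `oid` belongs to the view family (subtree, mask): the OID must be
    at least as long as the subtree, and every sub-identifier whose mask bit
    is 1 must equal the subtree's."""
    o, s = parse_oid(oid), parse_oid(subtree)
    if len(o) < len(s):
        return False
    flags = mask_to_flags(mask, len(s))
    return all((not f) or (a == b) for f, a, b in zip(flags, o, s))


if __name__ == "__main__":
    # The manual's example: exact match on everything except the 10th
    # sub-identifier (the ifEntry column), so any column of ifIndex 2 matches.
    print(mask_bits_to_hex("1 1 1 1 1 1 1 1 1 0 1"))                                # ff:bf
    print(oid_in_family("1.3.6.1.2.1.2.2.1.7.2", "1.3.6.1.2.1.2.2.1.0.2", "ff:bf"))  # True
    print(oid_in_family("1.3.6.1.2.1.2.2.1.7.3", "1.3.6.1.2.1.2.2.1.0.2", "ff:bf"))  # False
```

With the subtree 1.3.6.1.2.1.2.2.1.0.2 and mask ff:bf, ifAdminStatus.2 (1.3.6.1.2.1.2.2.1.7.2) is in the family, while the same column for interface 3 is not, which is the "all columns of one row" view the manual's mask was built to express.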

Command Change History

Release  Modification
8.3.1    Command introduced


setup snmp complex delete community

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Delete an SNMP Community table entry.

setup snmp complex delete community <index>

Where <Index> is the index name of an existing Community table record.

Example:

setup snmp complex delete community v3community

Command Change History

Release  Modification
8.3.1    Command introduced


setup snmp complex delete notify

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Delete an SNMP Notify table entry.

setup snmp complex delete notify <Name>

Where <name> is the Name entry in the table record to be deleted.

Example:

setup snmp complex delete notify Traps

Command Change History

Release  Modification
8.3.1    Command introduced


setup snmp complex delete notifyflt

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Delete an SNMP Notify Filter table entry.

setup snmp complex delete notifyflt <ProfileName> <Subtree>

Where:

<ProfileName> The ProfileName entry (name of the filter profile) in the table record to be deleted

<Subtree> The Subtree entry in the table record to be deleted

Example:

setup snmp complex delete notifyflt wellKnownTraps snmpTraps

Command Change History

Release  Modification
8.3.1    Command introduced


setup snmp complex delete notifyfltpr

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Delete an SNMP Notify Filter Profile table entry.

setup snmp complex delete notifyfltpr <snmpTargetParamsName>

Where <snmpTargetParamsName> is the snmpTargetParamsName entry in the table record to be deleted.

Example:

setup snmp complex delete notifyfltpr v1ExampleParams

Command Change History

Release Modification

8.3.1 Command introduced


setup snmp complex delete targetaddr

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Delete an SNMP Target Addr table entry.

setup snmp complex delete targetaddr <Name>

Where <Name> is the Name entry in the table record to be deleted.

Example:

setup snmp complex delete targetaddr localHostV1

Command Change History

Release Modification

8.3.1 Command introduced


setup snmp complex delete targetprms

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Delete an SNMP Target Parameters table entry.

setup snmp complex delete targetprms <Name>

Where <Name> is the Name entry in the table record to be deleted.

Example:

setup snmp complex delete targetprms v1ExampleParams

Command Change History

Release Modification

8.3.1 Command introduced


setup snmp complex delete usmuser

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Delete an SNMP user entry.

setup snmp complex delete usmuser <EngineID> <Name>

Where:

<EngineID> The engineID of the user. This will either be the text string LocalSnmpID, or a 24-digit hexadecimal number.

<Name> Name of the user

Example:

setup snmp complex delete usmuser localSnmpID root

Command Change History

Release Modification

8.3.1 Command introduced


setup snmp complex delete vacmacc

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Delete an SNMP Vacm Access table entry.

setup snmp complex delete vacmacc <GroupName> <ContextPrefix> <SecurityModel> <SecurityLevel>

Where:

<GroupName> The groupname entry in the Vacm Access table you want to delete

<ContextPrefix> The ContextPrefix entry in the Vacm Access table you want to delete

<SecurityModel> Specify one of the following numbers to indicate the security model of the table you want to delete:

1: snmpv1
2: snmpv2c
3: usm (for SNMPv3)

<SecurityLevel> Specify the number that corresponds to the security level of the table you want to delete:

1: noAuthNoPriv, communication without encryption. Uses a community string match for authentication.

2: authNoPriv, communication without encryption. Uses a username match for authentication.

3: authPriv, communication without encryption. Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.

Example:

setup snmp complex delete vacmacc public - 1 1

Command Change History

Release Modification

8.3.1 Command introduced


setup snmp complex delete vacmsec

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Delete an SNMP Vacm Security table entry.

setup snmp complex delete vacmsec <SecurityModel> <SecurityName>

Where:

<SecurityModel> Specify one of the following numbers to indicate the security model of the table you want to delete:

1: snmpv1
2: snmpv2c
3: usm (for SNMPv3)

<SecurityName> The SecurityName entry in the table you want to delete. This entry will be either a human readable string which identifies the SNMPv3 user name, or an SNMPv2c or SNMPv1 community string.

Example:

setup snmp complex delete vacmsec 3 DayShiftSupervisor

Command Change History

Release Modification

8.3.1 Command introduced


setup snmp complex delete vacmview

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Delete an SNMP Vacm View table entry.

setup snmp complex delete vacmview <Name> <Subtree>

Where:

<Name> The Name entry in the table record to be deleted

<Subtree> The Subtree entry in the table record to be deleted

Example:

setup snmp complex delete vacmview restrictedView system

Command Change History

Release Modification

8.3.1 Command introduced


setup snmp complex show all

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Display all records in all SNMPv3 tables. Include the optional long parameter to display all records in column with a separate line for each table entry, or specify short to display all records for each table in a single row. If you do not specify either a short or long parameter, this command will display the tables in the short display format, with all the data for each table on a single line.

Note: If a PacketShaper in shared mode or a PolicyCenter child configuration inherits SNMPv3 settings from a parent configuration, the letter I will appear to the left of each table entry, indicating that the setting is inherited.

setup snmp complex show all [short|long]

Example:

community table entries:

Index     Name    Sec.Name  Con.EngineID  Con.Name  Transport Tag  Storage Type
--------  ------  --------  ------------  --------  -------------  ------------
t0000011  public  public    0000091E000+  pwd       anywheretag    nonVolatile
t0000111  public  public    localSnmpID   -         -              nonVolatile
t0000010  eng12   eng12     0000091E000+  test      anywheretag    nonVolatile
local     pub1    pub1      0000091E000+  pwd       specifictag    nonVolatile

4 entries.

No entries for the notify table.

No entries for the notifyflt table.

No entries for the notifyfltpr table.

No entries for the targetaddr table.

No entries for the targetprms table.

usmuser table entries:

Con.EngineID  Name    Auth. Protocol     Priv. Protocol     Storage Type  Target Tag
------------  ------  -----------------  -----------------  ------------  ----------
localSnmpID   public  usmNoAuthProtocol  usmNoPrivProtocol  nonVolatile   -

vacmacc table entries:

Group   Prefix  SecMod.  Sec. Level    Match  Read    Write  Notify  Storage Type
------  ------  -------  ------------  -----  ------  -----  ------  ------------
public  -       snmpv1   noAuthNoPriv  exact  isoAll  -      isoAll  nonVolatile

vacmsec table entries:

Sec. Model  Security Name  Security Group  Storage Type
----------  -------------  --------------  ------------
snmpv1      public         public          nonVolatile

No entries for the vacmview table.

Command Change History

Release Modification

8.3.1 Command introduced

See also:

setup snmp complex add|modify community


setup snmp complex show community

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Display all records in the SNMP Community table. Include the optional long parameter to display all records in column with a separate line for each table entry, or specify short to display all records for each table in a single row. If you do not specify either a short or long parameter, this command will display the tables in the short display format, with all the data for each table on a single line.

Note: If a PacketShaper in shared mode or a PolicyCenter child configuration inherits SNMPv3 settings from a parent configuration, the letter I will appear to the left of each table entry, indicating that the setting is inherited.

setup snmp complex show community [short|long]

Example:

setup snmp complex show community long

snmpCommunityEntry records:

Index: t0000001
Name: pub1
SecurityName: pub1
ContextEngineID: 0000091E000000A1AC152BE0
ContextName: -
TransportTag: anywhereTag
StorageType: nonVolatile

Index: t00000011
Name: pub1
SecurityName: pub1
ContextEngineID: 0000091E000000A1AC152BE0
ContextName: -
TransportTag: anywhereTag
StorageType: nonVolatile

Index: t00000012
Name: pub1
SecurityName: pub1
ContextEngineID: 0000091E000000A1AC152BE0
ContextName: -
TransportTag: anywhereTag
StorageType: nonVolatile

Command Change History

Release Modification

8.3.1 Command introduced

See also:

setup snmp complex add|modify community


setup snmp complex show notify

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Display all records in the SNMP Notify table. Include the optional long parameter to display all records in column with a separate line for each table entry, or specify short to display all records for each table in a single row. If you do not specify either a short or long parameter, this command will display the tables in the short display format, with all the data for each table on a single line.

Note: If a PacketShaper in shared mode or a PolicyCenter child configuration inherits SNMPv3 settings from a parent configuration, the letter I will appear to the left of each table entry, indicating that the setting is inherited.

setup snmp complex show notify [short|long]

Example:

setup snmp complex show notify long

snmpNotifyEntry records:

Name: Informs
Tag: InformTag
Type: inform
StorageType: nonVolatile

Name: Traps
Tag: TrapTag
Type: trap
StorageType: nonVolatile

Command Change History

Release Modification

8.3.1 Command introduced

See also:

setup snmp complex add|modify notify


setup snmp complex show notifyflt

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Display all records in the SNMP Notify Filter table. Include the optional long parameter to display all records in column with a separate line for each table entry, or specify short to display all records for each table in a single row. If you do not specify either a short or long parameter, this command will display the tables in the short display format, with all the data for each table on a single line.

Note: If a PacketShaper in shared mode or a PolicyCenter child configuration inherits SNMPv3 settings from a parent configuration, the letter I will appear to the left of each table entry, indicating that the setting is inherited.

setup snmp complex show notifyflt [short|long]

Example:

setup snmp complex show notifyflt long

snmpNotifyFltEntry records:

ProfileName: wellKnownTraps
Subtree: snmpTraps
Mask: -
Type: included
StorageType: nonVolatile

Command Change History

Release Modification

8.3.1 Command introduced

See also:

setup snmp add|modify notifyflt


setup snmp complex show notifyfltpr

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Display all records in the SNMP Notify Filter Profile table. Include the optional long parameter to display all records in column with a separate line for each table entry, or specify short to display all records for each table in a single row. If you do not specify either a short or long parameter, this command will display the tables in the short display format, with all the data for each table on a single line.

Note: If a PacketShaper in shared mode or a PolicyCenter child configuration inherits SNMPv3 settings from a parent configuration, the letter I will appear to the left of each table entry, indicating that the setting is inherited.

setup snmp complex show notifyfltpr [short|long]

Example:

setup snmp complex show notifyfltpr long

snmpNotifyFltPrEntry records:

TargetPrmsName: v1ExampleParams
Name: wellKnownTraps
StorageType: nonVolatile

Command Change History

Release Modification

8.3.1 Command introduced

See also:

setup snmp complex add|modify notifyfltpr


setup snmp complex show targetaddr

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Display all records in the SNMP Target Address table. Include the optional long parameter to display all records in column with a separate line for each table entry, or specify short to display all records for each table in a single row. If you do not specify either a short or long parameter, this command will display the tables in the short display format, with all the data for each table on a single line.

Note: If a PacketShaper in shared mode or a PolicyCenter child configuration inherits SNMPv3 settings from a parent configuration, the letter I will appear to the left of each table entry, indicating that the setting is inherited.

setup snmp complex show targetaddr [short|long]

Example:

setup snmp complex show targetaddr long

snmpTargetAddrEntry records:

Name: localHostV1
TDomain: snmpUDPDomain
TAddress: 172.21.3.15:0
Timeout: 100
RetryCount: 3
TagList: TrapTag
Params: v1ExampleParams
StorageType: nonVolatile
TMask: 255.255.0.0:0

Name: localHostV2c
TDomain: snmpUDPDomain
TAddress: 172.21.3.15:0
Timeout: 100
RetryCount: 3
TagList: InformTag
Params: v2cExampleParams
StorageType: nonVolatile
TMask: 255.255.0.0:0

Name: opsCenter
TDomain: snmpUDPDomain
TAddress: 10.1.2.0:0
Timeout: 0
RetryCount: 0
TagList: operationsCenterTag
Params: none
StorageType: nonVolatile
TMask: 255.255.255.0:0

Name: opsConsole
TDomain: snmpUDPDomain
TAddress: 10.1.2.100:0
Timeout: 0
RetryCount: 0
TagList: operationsConsoleTag
Params: none
StorageType: nonVolatile
TMask: 255.255.255.255:0

Name: SnmpResearchTrapSink
TDomain: snmpUDPDomain
TAddress: 172.21.3.15:0
Timeout: 100
RetryCount: 3
TagList: TrapTag
Params: v3ExampleParams
StorageType: nonVolatile
TMask: 255.255.0.0:0

Command Change History

Release Modification

8.3.1 Command introduced

See also:

setup snmp complex add|modify targetaddr


setup snmp complex show targetprms

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Display all records in the SNMP Target Parameters table. Include the optional long parameter to display all records in column with a separate line for each table entry, or specify short to display all records for each table in a single row. If you do not specify either a short or long parameter, this command will display the tables in the short display format, with all the data for each table on a single line.

Note: If a PacketShaper in shared mode or a PolicyCenter child configuration inherits SNMPv3 settings from a parent configuration, the letter I will appear to the left of each table entry, indicating that the setting is inherited.

setup snmp complex show targetprms [short|long]

Example:

setup snmp complex show targetprms long

snmpTargetPrmsEntry records:

Name: v1ExampleParams
MPModel: SNMPv1
SecurityModel: snmpv1
SecurityName: public
SecurityLevel: noAuthNoPriv
StorageType: nonVolatile

Name: v2cExampleParams
MPModel: SNMPv2c
SecurityModel: snmpv2c
SecurityName: public
SecurityLevel: noAuthNoPriv
StorageType: nonVolatile

Name: v3ExampleParams
MPModel: SNMPv3
SecurityModel: usm
SecurityName: root
SecurityLevel: authNoPriv
StorageType: nonVolatile

Command Change History

Release Modification

8.3.1 Command introduced

See also:

setup snmp add|modify targetprms


setup snmp complex show usmuser

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Display all records in the SNMP Usm User table. Include the optional long parameter to display all records in column with a separate line for each table entry, or specify short to display all records for each table in a single row. If you do not specify either a short or long parameter, this command will display the tables in the short display format, with all the data for each table on a single line.

Note: If a PacketShaper in shared mode or a PolicyCenter child configuration inherits SNMPv3 settings from a parent configuration, the letter I will appear to the left of each table entry, indicating that the setting is inherited.

setup snmp complex show usmuser [short|long]

Example:

setup snmp complex show usmuser long

snmpUsmUserEntry records:

EngineID: 0000091E000000A1AC152BE0
Name: Administrator
AuthProtocol: usmHMACMD5AuthProtocol
PrivProtocol: usmDESPrivProtocol
StorageType: nonVolatile
TargetTag: anywhereTag
AuthKey: authpass
PrivKey: privpass

EngineID: 0000091E000000A1AC152BE0
Name: root
AuthProtocol: usmHMACMD5AuthProtocol
PrivProtocol: usmDESPrivProtocol
StorageType: nonVolatile
TargetTag: anywhereTag
AuthKey: authpass
PrivKey: privpass

Command Change History

Release Modification

8.3.1 Command introduced

See also:

setup snmp complex add|modify usmuser


setup snmp complex show vacmacc

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Display all records in the SNMP Vacm Access table. Include the optional long parameter to display all records in column with a separate line for each table entry, or specify short to display all records for each table in a single row. If you do not specify either a short or long parameter, this command will display the tables in the short display format, with all the data for each table on a single line.

Note: If a PacketShaper in shared mode or a PolicyCenter child configuration inherits SNMPv3 settings from a parent configuration, the letter I will appear to the left of each table entry, indicating that the setting is inherited.

setup snmp complex show vacmacc [short|long]

Example:

setup snmp complex show vacmacc long

vacmacc table entries:

Group.............: public
Prefix............: -
Security model....: snmpv1
Security level....: noAuthNoPriv
Context match.....: exact
Read view.........: isoAll
Write view........: -
Notify view.......: isoAll
Storage type......: nonVolatile

Command Change History

Release Modification

8.3.1 Command introduced

See also:

setup snmp complex add|modify vacmacc
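The long output of the show usmuser, show targetprms and show vacmacc commands above shares one record layout (a table header line, then one field per line, records separated by blank lines), so a captured listing can be parsed and audited for weak settings before it is filed. This is an added example, not PacketWise code; the sample output is constructed from values shown on these pages (the vacmacc write view is changed so that a finding appears), and the finding wording and the authPriv baseline are this example's assumptions.

```python
"""Audit 'setup snmp complex show <table> long' output for weak SNMP settings.

Added example, not PacketWise code: parses the "Key: value" record format of
the show usmuser, show targetprms and show vacmacc commands and reports
settings a reviewer would flag. SAMPLE_OUTPUT is constructed, not captured.
"""
import re

# Constructed sample: the long output of three show commands pasted together.
SAMPLE_OUTPUT = """\
snmpUsmUserEntry records:

EngineID: 0000091E000000A1AC152BE0
Name: root
AuthProtocol: usmHMACMD5AuthProtocol
PrivProtocol: usmDESPrivProtocol
AuthKey: authpass
PrivKey: privpass

EngineID: localSnmpID
Name: public
AuthProtocol: usmNoAuthProtocol
PrivProtocol: usmNoPrivProtocol

snmpTargetPrmsEntry records:

Name: v1ExampleParams
SecurityModel: snmpv1
SecurityName: public
SecurityLevel: noAuthNoPriv

vacmacc table entries:

Group.............: public
Security model....: snmpv2c
Security level....: noAuthNoPriv
Read view.........: isoAll
Write view........: isoAll
"""

TABLE_RE = re.compile(r"^(\w+)(?: records| table entries):$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z .]*?)\.*\s*:\s*(.*)$")
COMMUNITY_MODELS = ("snmpv1", "snmpv2c")

def norm(key):
    # 'Security model....' and 'SecurityModel' both become 'securitymodel'
    return re.sub(r"[^a-z0-9]", "", key.lower())

def parse_long_output(text):
    # Records are blank-line separated; a '<table> records:' or
    # '<table> table entries:' line names the table for what follows.
    pairs, table, current = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        header = TABLE_RE.match(line)
        if not line or header:
            if current:
                pairs.append((table, current))
                current = {}
            if header:
                table = header.group(1)
            continue
        field = FIELD_RE.match(line)
        if field:
            current[norm(field.group(1))] = field.group(2).strip()
    if current:
        pairs.append((table, current))
    return pairs

def audit(text):
    # One finding string per weak or risky setting (wording is this example's).
    findings = []
    for table, rec in parse_long_output(text):
        name = rec.get("name") or rec.get("group") or "?"
        model = rec.get("securitymodel", "")
        if table == "snmpUsmUserEntry":
            if rec.get("authprotocol") == "usmNoAuthProtocol":
                findings.append(f"usmuser {name}: no authentication")
            elif rec.get("authprotocol") == "usmHMACMD5AuthProtocol":
                findings.append(f"usmuser {name}: legacy HMAC-MD5 authentication")
            if rec.get("privprotocol") == "usmNoPrivProtocol":
                findings.append(f"usmuser {name}: no privacy, requests sent in clear")
            elif rec.get("privprotocol") == "usmDESPrivProtocol":
                findings.append(f"usmuser {name}: legacy DES privacy")
            if "authkey" in rec or "privkey" in rec:
                findings.append(f"usmuser {name}: AuthKey/PrivKey shown in clear text")
        elif table == "snmpTargetPrmsEntry":
            if model in COMMUNITY_MODELS:
                findings.append(f"targetprms {name}: community-based model {model}")
            if rec.get("securitylevel") != "authPriv":
                findings.append(f"targetprms {name}: level {rec.get('securitylevel')}")
        elif table == "vacmacc" and model in COMMUNITY_MODELS and rec.get("writeview", "-") != "-":
            findings.append(f"vacmacc {name}: write view {rec['writeview']} under {model}")
    return findings

def redact(text):
    # Mask AuthKey/PrivKey values so a captured listing can be stored or shared.
    return re.sub(r"^((?:Auth|Priv)Key:\s*).*$", r"\1<redacted>", text, flags=re.M)
```

Run redact() over a captured usmuser listing before saving it, since the show usmuser command prints the authentication and privacy keys in the clear.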


setup snmp complex show vacmsec

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Display all records in the SNMP Vacm Security table. Include the optional long parameter to display all records in column with a separate line for each table entry, or specify short to display all records for each table in a single row. If you do not specify either a short or long parameter, this command will display the tables in the short display format, with all the data for each table on a single line.

Note: If a PacketShaper in shared mode or a PolicyCenter child configuration inherits SNMPv3 settings from a parent configuration, the letter I will appear to the left of each table entry, indicating that the setting is inherited.

setup snmp complex show vacmsec [short|long]

Example:

setup snmp complex show vacmsec long

snmpVacmSecEntry records:

SecurityModel: usm
SecurityName: DayShiftSupervisor
GroupName: ShiftSupervisor
StorageType: nonVolatile

SecurityModel: usm
SecurityName: EveningShiftSupervisor
GroupName: ShiftSupervisor
StorageType: nonVolatile

SecurityModel: usm
SecurityName: NightShiftSupervisors
GroupName: ShiftSupervisor
StorageType: nonVolatile

Command Change History

Release Modification

8.3.1 Command introduced

See also:

setup snmp complex add|modify vacmsec


setup snmp complex show vacmview

WARNING: The following CLI command is only available in complex mode (setup snmp configmode complex). Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

Display all records in the SNMP Vacm View table. Include the optional long parameter to display all records in column with a separate line for each table entry, or specify short to display all records for each table in a single row. If you do not specify either a short or long parameter, this command will display the tables in the short display format, with all the data for each table on a single line.

Note: If a PacketShaper in shared mode or a PolicyCenter child configuration inherits SNMPv3 settings from a parent configuration, the letter I will appear to the left of each table entry, indicating that the setting is inherited.

setup snmp complex show vacmview [short|long]

Example:

setup snmp complex show vacmview

snmpVacmViewEntry records:

Name: OperatorView
Subtree: iso
Mask: 0
Type: included
StorageType: nonVolatile

Name: restrictedView
Subtree: ifEntry.0.2
Mask: ff:bf
Type: included
StorageType: nonVolatile

Name: restrictedView
Subtree: snmpTrap
Mask: -
Type: included
StorageType: nonVolatile

Name: restrictedView
Subtree: snmpTraps
Mask: -
Type: included
StorageType: nonVolatile

Command Change History

Release Modification

8.3.1 Command introduced

See also:

setup snmp add|modify vacmview


setup snmp configmode

Specify which mode of SNMP you will use to access your PacketShaper. Omit the [simple|complex|default] parameters to view the currently configured setting.

WARNING: Complex mode configuration is only recommended for advanced users with previous experience working with SNMPv3, as this mode does not display error messages for incorrectly configured settings that can prevent SNMP from working correctly. Complex mode should only be used in PolicyCenter to set SNMPv3 values for an individual unit configuration. Any complex mode SNMPv3 values set on a PolicyCenter sharable configuration will not be inherited by units assigned to that configuration.

setup snmp configmode [simple|complex|default]

where

Parameter Description

simple   Simple SNMPv1 configuration relies on IP address-based access lists and community strings for authentication. Both the community string and the source address travel unprotected on the wire, so this mode offers no protection against an attacker who can observe or spoof management traffic.

complex   Complex SNMPv3 configuration allows access to the SNMP configuration tables and provides security features for authentication, privacy, and access control.

default   When the setup snmp configmode default command is issued for an individual PacketShaper or a PolicyCenter configuration at the top of the PolicyCenter configuration tree, the default parameter returns the SNMP mode to the default simple (SNMPv1) setting. When issued for a PolicyCenter child configuration, that child configuration clears its local SNMP version and inherits its SNMP version from its parent.

Examples:

setup snmp configmode complex

or

setup snmp configmode

SNMP configmode: complex

For additional information on configuring SNMP, see also:

SNMP Overview

Command Change History

Release Modification

8.3.1 Command introduced


setup snmp destinations

The IP address(es) of SNMPv1 trap destination(s). For <ipaddress>, you can specify up to eight IP addresses in dotted-decimal notation, separated by spaces. Note that DNS names are not supported. If the default parameter is specified, all IP address destinations are cleared.

Note: If the setup snmp destinations default command is issued from a PolicyCenter child configuration, that configuration will clear its local destination settings, but will immediately reinherit the SNMP destinations defined in its parent configuration. Use the command setup snmp destinations none to clear all local SNMP destination settings from a PolicyCenter child configuration without inheriting additional destinations from the parent configuration.

setup snmp destinations <ipaddress>...|default|none

Example:

setup snmp destinations 172.22.20.156 172.23.21.19

For additional information on configuring SNMP, see also:

SNMP Overview


setup snmp look|touch

Set SNMP look or touch community strings (passwords). By default, SNMPv1 and SNMPv2c are turned off until you configure the look community string.

setup snmp look|touch <string>|default|none

Where

Parameter Description With default setting

look   The context-sensitive SNMP look (read) password. With default, the look password is cleared (set to public).

touch   The context-sensitive SNMP touch (read/write) password. With default, the touch password is cleared (set to public).

Note that public is the well-known default community string and the first value any SNMP scanner tries. Because SNMPv1 and SNMPv2c carry the community string in cleartext, a look community of public amounts to unauthenticated read access to the unit's MIB, and a touch community of public amounts to unauthenticated write access. Choose distinct, non-guessable strings for look and touch rather than relying on the default value.

The community string can contain alphanumeric characters, hyphens, underscores, and periods; all other special characters should be avoided.

To see the current settings for the look or touch community string values, use the setup snmp show command.

Examples:

setup snmp look lookpwd1
setup snmp touch touchpwd2

setup snmp show

SNMP config mode: simple
SNMP look community: lookpwd1
SNMP touch community: touchpwd2
SNMP Trap destinations: (none)

ViewName    SubtreeOID  Type      Refs  Status
B isoAll    iso         included  0     ok
B isoNone   iso         excluded  0     ok


setup snmp oids

Display a list of SNMP MIB OID names and numbers. Specify all or part of an OID name with the <substring> parameter to display only those OIDs that match that substring. The output of this command can help you locate and identify a MIB entry or subtree for an SNMP view.

setup snmp oids <substring>

Example:

setup snmp oids traps

  n   Name                   Number
436   snmpInTraps            1.3.6.1.2.1.11.19
445   snmpOutTraps           1.3.6.1.2.1.11.29
446   snmpEnableAuthenTraps  1.3.6.1.2.1.11.30
801   snmpTraps              1.3.6.1.6.3.1.1.5

Note: The output of this command can be over 1,000 lines long. You may need to increase the buffer size of your command window in order to view the entire list.

Command Change History

Release Modification

8.3.1 Command introduced


setup snmp remoteuser

An SNMP remote user defines a user or a management system that receives notification of SNMPv3 traps and informs. Unlike a local SNMP user, a remote user is not associated with an access group and therefore has only a notify view, rather than a read or write view.

There are two different commands to modify remote user settings. Modify remote user settings on a PacketShaper in local mode or a top-level PolicyCenter configuration with the command setup snmp remoteuser modify. Use the command setup snmp remoteuser override on a PacketShaper in shared mode or a PolicyCenter child configuration to create a local copy of an SNMP remote user that overrides the inherited SNMP remote user.

setup snmp remoteuser new|modify|override <username> [<engine-id>] [auth {md5|sha} <auth-pw>] [priv {des|3des|aes128|aes192|aes256} <priv-pw>]

where

<username>   Name of the user you are creating or modifying. Remote user names can have up to 32 characters; hyphens, underscores, and periods are acceptable. If the name includes a space, it must be enclosed within quotation marks, for example "John Doe." Each SNMP remote user name must be unique.

<engine-id>   An SNMP Engine ID identifies an SNMP engine that will receive trap and inform notifications. The default Engine ID for a remote SNMP user is LocalSnmpId, the SNMP agent's own SNMP Engine. If you omit this parameter, the remote user will use this default LocalSnmpId Engine ID.

To specify a different remote SNMP engine with which this user can communicate, specify the 24-digit hexadecimal Engine ID of a remote SNMP engine.

auth {md5|sha}   If the remote user requires authentication, specify either the MD5 or SHA authentication protocol and enter an authentication password for the user. If the remote user does not require authentication, this parameter can be omitted.

<auth-pw>   Authentication password for the user. Passwords can have up to 32 characters; hyphens, underscores, and periods are acceptable.

priv {des|3des|aes128|aes192|aes256}   Specify one of the following privacy protection protocols if the remote user requires privacy protection. Otherwise, this parameter is not required.

des: CBC-DES Symmetric Encryption Protocol
3des: 3DES-EDE Symmetric Encryption Protocol
aes128: 128-bit AES (Advanced Encryption Standard)
aes192: 192-bit AES
aes256: 256-bit AES

MD5 authentication and single-DES privacy are the weakest choices in this list; prefer sha together with one of the AES protocols unless the receiving manager cannot support them.

<priv-pw>   Privacy password for the user. Passwords can have up to 32 characters; hyphens, underscores, and periods are acceptable.

Examples:

setup snmp remoteuser new "Jane Killick" auth md5 authpwd12$ priv aes256 privpwd12! 0000091E000000A1AC1512AC

setup snmp remoteuser new "Nonsecure user"

Delete a Remote User

To delete a remote user, use:

setup snmp remoteuser delete <username>

Example:

setup snmp remoteuser delete "Sean Wood"

View Remote User Settings

To view current remote user settings, issue the command:


setup snmp remoteuser show

Example output:

Command Change History

Release Modification

8.3.1 Command introduced


setup snmp show

Display the basic SNMP configuration. This command is only available when the unit is in the simple SNMP configuration mode.

setup snmp show

The output is divided into SNMPv1/SNMPv2c and SNMPv3 settings. The first two sections of the output display settings for an SNMPv1 or SNMPv2c configuration. If you have configured SNMPv3 views, access groups, users and targets, the information for each table entry appears in the ViewName, AccessGroupName, UserName, RemoteUserName and TargetName sections.

The following is an example of the output of the setup snmp show command.

setup snmp show

SNMP config mode: simple
SNMP look community: lookpwd1
SNMP touch community: touchpwd2
SNMP Trap destinations: 172.21.18.166 172.21.18.167

syslocation: Northwest Corner of Building 4
syscontact: Jill Smith
sysname: PKTR_9500_42
localSnmpID: 0000091E000000A1AC1512AA

ViewName  SubtreeOID     Type      Refs  Status
all_mib   1.3.6.1.6.3.1  included  2     ok
isoAll    iso            included  10    ok
isoNone   iso            excluded  1     ok
Traps     snmpTraps      included  1     ok

AccessGroupName  Model  Level         ReadViewName  WriteViewName  Refs  Status
admin            usm    authPriv      all_mib       isoNone        1     ok
engineering      usm    authPriv      all_mib       Traps          2     ok
test_1           usm    noAuthNoPriv  isoAll        isoAll         1     ok
v1only           v1                   isoAll        isoAll         1     ok
v2               v2c                  isoAll        isoAll         0     ok

UserName  GroupName    AuthProt  PrivProt  Status
Amit      engineering  md5       des       ok
IT        engineering  md5       des       ok
Marcia    admin        md5       des       ok

RemoteUserName  AuthProt  PrivProt  RemoteEngineID            Refs  Status
IT_remote       md5       aes256    0000091E000000A1AC1512AA  4     ok
sys admin       none      none                                3     ok
Todd Gray       md5       des       0000091E000000A1AC1512A0  1     ok

TargetName    RemoteHost     RemoteUserName  ViewName  Type  Ver  Ml   Status
System admin  10.10.14.55    IT_remote       isoAll    trap  v3   usm  ok
Target_it     172.21.18.170  IT_remote       isoAll    trap  v3   usm  ok
V1traps       172.21.18.160  public          isoAll    trap  v1   v1   ok
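The community strings, access group models and levels, user protocols and target versions in this output are what a reviewer checks first: a community of public, a v1 or v2c group, an md5/des user or a v1 trap target each means cleartext or weakly protected management traffic. The following Python script is an added example, not Blue Coat code; it parses a setup snmp show dump and reports those findings. It assumes that only the first column of each table (the name) can contain spaces, so it recovers the remaining columns from the right-hand end of each row, and it does not check the RemoteUserName table, whose RemoteEngineID column may be empty. The sample input is an abridged copy of the output above.

```python
"""Audit a PacketShaper `setup snmp show` dump for weak SNMP settings.

Column layout is recovered from the right-hand side of each row, because
only the first column (a name) may contain spaces.  A group whose name
equals a security model keyword (v1, v2c, usm) would confuse the parser;
that is a limitation of this example, not documented PacketWise behaviour.
"""

WEAK_COMMUNITIES = {"public", "private"}
WEAK_AUTH = {"md5", "none"}
WEAK_PRIV = {"des", "none"}
MODELS = {"v1", "v2c", "usm"}
TABLES = ("ViewName", "AccessGroupName", "UserName", "RemoteUserName", "TargetName")

# Constructed input: an abridged copy of the `setup snmp show` example on this page.
SAMPLE = """\
SNMP config mode: simple
SNMP look community: lookpwd1
SNMP touch community: touchpwd2
SNMP Trap destinations: 172.21.18.166 172.21.18.167

AccessGroupName Model Level ReadViewName WriteViewName Refs Status
admin usm authPriv all_mib isoNone 1 ok
engineering usm authPriv all_mib Traps 2 ok
test_1 usm noAuthNoPriv isoAll isoAll 1 ok
v1only v1 isoAll isoAll 1 ok
v2 v2c isoAll isoAll 0 ok

UserName GroupName AuthProt PrivProt Status
Amit engineering md5 des ok
IT engineering md5 des ok
Marcia admin md5 des ok

TargetName RemoteHost RemoteUserName ViewName Type Ver Ml Status
System admin 10.10.14.55 IT_remote isoAll trap v3 usm ok
Target_it 172.21.18.170 IT_remote isoAll trap v3 usm ok
V1traps 172.21.18.160 public isoAll trap v1 v1 ok
"""


def split_sections(text):
    """Return (header key/values, {table name: [row tokens, ...]})."""
    header, tables, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the current table
            current = None
            continue
        first = line.split()[0]
        if first in TABLES:               # table header line, e.g. "UserName GroupName ..."
            current = first
            tables[current] = []
        elif current is not None:
            tables[current].append(line.split())
        elif ":" in line:                 # "SNMP look community: lookpwd1"
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
    return header, tables


def audit(text):
    """Return (category, name, detail) findings for settings worth fixing."""
    header, tables = split_sections(text)
    findings = []

    for key in ("SNMP look community", "SNMP touch community"):
        value = header.get(key, "")
        if value and (value.lower() in WEAK_COMMUNITIES or len(value) < 8):
            findings.append(("community", key, "well-known or short community string"))

    for row in tables.get("AccessGroupName", []):
        idx = next(i for i, tok in enumerate(row) if tok in MODELS)
        name, model = " ".join(row[:idx]), row[idx]
        if model != "usm":
            # v1/v2c groups have no Level column: the community string is the only check.
            findings.append(("group", name, f"model {model}: cleartext community authentication"))
        elif row[idx + 1] != "authPriv":
            findings.append(("group", name, f"level {row[idx + 1]}: not both authenticated and encrypted"))

    for row in tables.get("UserName", []):
        name, auth, priv = " ".join(row[:-4]), row[-3], row[-2]
        if auth in WEAK_AUTH or priv in WEAK_PRIV:
            findings.append(("user", name, f"auth {auth}, priv {priv}: prefer sha with aes"))

    for row in tables.get("TargetName", []):
        name, version = " ".join(row[:-7]), row[-3]
        if version != "v3":
            findings.append(("target", name, f"{version} notifications expose the community string"))

    return findings


if __name__ == "__main__":
    for category, name, detail in audit(SAMPLE):
        print(f"{category:9} {name:14} {detail}")
```

Run against the sample, the script reports the noAuthNoPriv group, the two v1/v2c groups, the three md5/des users and the v1 trap target; paste in the full output of your own unit to audit it the same way.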


setup snmp syscontact

The name of the person managing the unit; <string> can be up to 256 characters long and must be enclosed in quotation marks if spaces are used. If the default parameter is specified, any existing syscontact value is cleared.

setup snmp syscontact <string>|default

Example:

setup snmp syscontact "Gail Jellison"

For additional information on configuring SNMP, see also:

SNMP Overview


setup snmp syslocation

Issue this command to specify the physical location of the PacketShaper (room, floor, building), where <string> can be up to 256 characters long and must be enclosed in quotation marks if spaces are used. If desired, specify the default parameter to clear the existing syslocation variable.

setup snmp syslocation <string>|default

Example:

setup snmp syslocation "4th floor"

For additional information on configuring SNMP, see also:

SNMP Overview


setup snmp sysname

Issue this command to configure the PacketShaper's fully-qualified domain name for SNMPv1, where <string> can be up to 256 characters long and must be enclosed in quotation marks if spaces are used. If the default parameter is specified, the unit's IP address is used for the sysName variable.

setup snmp sysname <string>|default

Example:

setup snmp sysname example.com

If the PacketShaper is using its IP address as a default sysName and the unit's IP address changes, the sysName will update to the new IP address once the unit resets or an SNMP MIB walk is performed on the unit. For additional information on configuring SNMP, see also:

SNMP Overview


setup snmp target

Create new SNMP targets or modify existing SNMP targets to determine where SNMPv3 notifications should be sent.

There are two different commands to modify target settings. Modify target settings on a PacketShaper in local mode or a top-level PolicyCenter configuration with the command setup snmp target modify. Use the command setup snmp target override on a PacketShaper in shared mode or a PolicyCenter child configuration to create a local copy of an SNMP target that overrides the inherited SNMP target.

setup snmp target modify|new|override <targetname> <targethost> <remoteuser> [port <port>] [version v1|v2c|v3] [model v1|v2c|usm] [type trap|inform] [view <notifyView>] [timeout <seconds>] [retry <n>]

where

<targetname>   Name of the target you are creating or modifying. Target names can have up to 32 characters; hyphens, underscores, and periods are acceptable. If the target name includes a space, it must be enclosed within quotation marks, for example "target four."

Note: A target name can be any text string, and does not have to be related to the target system or remote user name.

<targethost>   IP address of a remote IP host, in dotted-decimal format.

<remoteuser>   If the new target will use both the v3 protocol version and the usm security model, you must also specify a remote user.

To associate an existing remote user with this target, specify a user already defined by the command setup snmp remoteuser. To create a new remote user for this target with a localSnmpId and no authentication or privacy protection, specify the name for the new remote user. Note that remote users created with this command will not appear in the Remote Users table.

<port>   Port number on the remote host to which the notifications will be sent.

version v1|v2c|v3   Specify v1, v2c or v3 to indicate which SNMP version of notifications the user will receive. The default SNMP version is v3.

model v1|v2c|usm   Select the security model for this notification by specifying v1 (for SNMPv1), v2c (for SNMPv2c), or usm (for SNMPv3). The default security models for the different versions of SNMP are as follows:

SNMPv1: defaults to v1
SNMPv2c: defaults to v2c
SNMPv3: defaults to usm

type trap|inform   Specify whether the user should receive trap notifications or informs. If no parameter is specified, the default setting will be trap.

Note: SNMPv1 supports trap notifications only.

view <notifyview>   To allow the remote user to receive all types of MIB notifications, specify the predefined view name isoAll for the <notifyview> parameter. To limit the user's access to a subset of available MIB notifications, enter the name of a user-defined view created with the setup snmp view command. If you do not specify a notify view, the group will apply the default isoAll setting.

timeout <seconds>   Maximum round trip time for communications between the PacketShaper and the SNMP target address, in seconds. Valid timeout values are 1-60, and the default value is 10.

If an inform message is sent to this address but a response is not received within this specified time frame, the PacketShaper will assume that there will be no response.

retry <n>   Number of times the PacketShaper should attempt to retransmit an inform message when it does not receive a response. Valid retry values are 1-10, and the default value is 3 retries.

Example:

setup snmp target new targ1 10.1.2.3 trapuser

If trapuser has not already been defined with setup snmp remoteuser, this command creates it with no authentication or privacy protection, so the v3 notifications sent to targ1 are neither authenticated nor encrypted. Define the remote user first, with auth and priv settings, if the receiving manager must be able to verify who sent a notification or if the notification contents should not be readable on the wire.

Delete a Target

To delete a target, use:

setup snmp target delete <target>


Example:

setup snmp target delete "admin_target"

View SNMP Target Settings

To view current SNMP target settings, issue the command:

setup snmp target show

Example output:

TargetName    RemoteHost     RemoteUserName  ViewName  Type  Ver  Ml   Status
System admin  10.10.14.55    IT_remote       isoAll    trap  v3   usm  ok
Target_it     172.21.18.170  IT_remote       isoAll    trap  v3   usm  ok
V1traps       172.21.18.160  public          isoAll    trap  v1   v1   ok

Command Change History

Release Modification

8.3.1 Command introduced


setup snmp user

Each SNMP user entry defines a user (login) name, an association with an existing access group, and authentication and privacy keys that a management system can use to access the PacketShaper. This user name is not related to any other user names such as those defined for RADIUS or PolicyCenter access.

There are two different commands to modify user settings. Modify user settings on a PacketShaper in local mode or a top-level PolicyCenter configuration with the command setup snmp user modify. Use the command setup snmp user override on a PacketShaper in shared mode or a PolicyCenter child configuration to create a local copy of an SNMP user that overrides the inherited SNMP user.

Note: If you have not yet defined access groups for your SNMP users, use the CLI command setup snmp accessgroup to create one or more access groups before you add users to these groups.

setup snmp user new|modify|override <username> <groupname> [auth {md5|sha} <auth-pw>] [priv {des|3des|aes128|aes192|aes256} <priv-pw>]

where

<username>   Name of the user you are creating or modifying. A user name can have up to 32 characters; hyphens, underscores, and periods are acceptable. If the name includes a space, it must be enclosed within quotation marks, for example "Jane Doe." Each SNMP user name must be unique.

<groupname>   User's access group.

auth {md5|sha}   If the user's access group uses the usm (SNMPv3) security model with the authNoPriv or authPriv security level, specify either the MD5 or SHA authentication protocol and enter an authentication password for the user.

If the user's access group uses the v1 (SNMPv1) or v2c (SNMPv2c) security model or the noAuthNoPriv security level, this parameter is not required.

<auth-pw>   Authentication password for the user. Passwords can have up to 32 characters; hyphens, underscores, and periods are acceptable.

priv {des|3des|aes128|aes192|aes256}   Specify one of the following privacy protection protocols only if the user's access group uses the authPriv security level. Otherwise, this parameter is not required.

des: CBC-DES Symmetric Encryption Protocol
3des: 3DES-EDE Symmetric Encryption Protocol
aes128: 128-bit AES (Advanced Encryption Standard)
aes192: 192-bit AES
aes256: 256-bit AES

As with remote users, md5 and des are the weakest options available here; use sha with an AES protocol unless your management station cannot support them.

<priv-pw>   Privacy password for the user. Passwords can have up to 32 characters; hyphens, underscores, and periods are acceptable.

Examples:

setup snmp user new "Kim Johnson" snmpv3Eng auth md5 authpwd123 priv aes256 privpwd123

setup snmp user new "v1_user" snmpv1Group

setup snmp user modify "Kim Johnson" snmpv3Eng auth md5 new_pwd1 priv aes256 new_pwd2

Delete a User

To delete a user, use:

setup snmp user delete <username>

Example:

setup snmp user delete "Ken Traum"

View Users' Group and Security Settings

To view current SNMP user settings, issue the command:


setup snmp user show

Example output:

setup snmp user show

UserName     GroupName    AuthProt  PrivProt  Status
Amit         engineering  md5       des       ok
Example_v1   v1only       none      none      ok
IT           engineering  md5       des       ok
Jane Doe     engineering  md5       des       ok
Kim Johnson  admin        md5       des       ok
Tom Jones    authnopriv   md5       none      ok
VP_Marcia    admin        md5       des       ok
Wendy Ho     engineering  md5       des       ok

Command Change History

Release Modification

8.3.1 Command introduced


setup snmp view

An SNMP view filters objects from the entire MIB and defines a subset of MIB objects. Every SNMP access group has views for read and write access which either allow or limit that group's access to MIB objects. There are two predefined views: isoAll and isoNone. The isoAll view gives a group access to all MIB information, and the isoNone view blocks all access.

If you want your SNMP groups to have either complete access or no access to all MIB information, your groups only need to use the built-in isoAll or isoNone views. If, however, you want a group to access just a subset of MIB information, you will have to create a new view that describes those MIB object identifiers (OIDs) that should be included or excluded.

There are two different commands to modify view settings. Modify view settings on a PacketShaper in local mode or a top-level PolicyCenter configuration with the command setup snmp view modify. Use the command setup snmp view override on a PacketShaper in shared mode or a PolicyCenter child configuration to create a local copy of an SNMP view that overrides the inherited SNMP view.

setup snmp view add|modify|new|override <viewName> <OID> [included|excluded]

where

<viewname>

Name of the view you are creating or modifying. A view name can be up to 32 characters; hyphens, underscores, and periods are acceptable. If the name includes a space, it must be enclosed within quotation marks, for example "admin view." Each SNMP view name must be unique.

<OID>

The <OID> parameter may be an OID name, number, or an initial OID name and a number,e.g., packeteerMibs, 1.3.6.1.4.1.2334.2 or packeteerMibs.1.4

This parameter also supports the use of asterisks as wildcards for OID numbers, for example, interfaces.*.*.1

Note: To view a list of SNMP MIB OID names and numbers, use the command setup snmp oids.

included|excluded   Select included if the OID subtree should be included in this view, or excluded if it is explicitly not accessible. If you do not specify an included or excluded parameter, the OID will automatically be included.

The setup snmp view new command only allows you to specify a single OID. To include or exclude an additional OID in theview, use the command setup snmp view add.

Examples:

setup snmp view new sysadmin 1.3.6.1.6.3.18 excluded
setup snmp view add sysadmin 1.3.6.1.6.3.15.1.2.2 excluded


When you modify or override SNMP view settings, all OIDs defined for that view are removed and replaced with the one OID specified in the setup snmp view modify or setup snmp view override command. To add additional OIDs to the modified view, use setup snmp view add.

Examples:

setup snmp view modify sysadmin 1.3.6.1.6.3.19 excluded
setup snmp view add sysadmin 1.3.6.1.6.3.15.1.2.2 excluded

Delete a View

To delete a view, use:

setup snmp view delete <viewName>

Example:

setup snmp view delete IT_view

Display View Settings

To display current SNMP view settings, issue the command:


setup snmp view show

Example output is shown below. The letter B before the isoAll and isoNone view names indicates that these views are built-in, and cannot be modified or deleted.

setup snmp view show

  ViewName    SubtreeOID            Type      Refs  Status
  adminview   1.3.6.1.6.3.1         included  8     ok
  iface_view  1.3.6.1.2.1.2         included  12    ok
B isoAll      iso                   included  24    ok
B isoNone     iso                   excluded  2     ok
  sysadmin    1.3.6.1.6.3.15.1.2.2  excluded  3     ok
              1.3.6.1.6.3.19        excluded
  Traps       snmpTraps             included  5     ok
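The view examples above layer included and excluded subtrees, and the vacmview output earlier on this page shows a wildcard as a cleared mask bit (ff:bf for ifEntry.0.2). The following Python example, added here and not part of PacketWise, evaluates a view the way the standard VACM rules (RFC 3415) do: of the families that contain an OID, the longest subtree decides, and an OID that no family covers is outside the view. Under those rules a view like sysadmin above, which contains only excluded subtrees, admits nothing, so the example adds iso as an included family first and then carves out the exclusions; confirm the unit's own behaviour with an SNMP walk under that view before relying on it. The OID_NAMES table is an assumption standing in for the full setup snmp oids listing and covers only the names used on this page.

```python
"""Evaluate which OIDs an SNMPv3 view admits, using the VACM rules of RFC 3415.

A view is a list of (subtree, mask, included) families.  A "*" in an OID
becomes a cleared mask bit, which is how `setup snmp complex show vacmview`
renders a wildcard.  OID_NAMES is a small stand-in for the `setup snmp oids`
listing (assumption: only the names used on this page are resolved).
"""

OID_NAMES = {
    "iso": "1",
    "interfaces": "1.3.6.1.2.1.2",
    "ifEntry": "1.3.6.1.2.1.2.2.1",
    "snmpTraps": "1.3.6.1.6.3.1.1.5",
    "packeteerMibs": "1.3.6.1.4.1.2334.2",
}


def parse_oid(text):
    """'ifEntry.*.2' -> (subtree, mask); mask[i] is True where sub-id i must match."""
    head, *rest = text.split(".")
    parts = OID_NAMES.get(head, head).split(".") + rest
    subtree = [0 if p == "*" else int(p) for p in parts]
    mask = [p != "*" for p in parts]
    return subtree, mask


def mask_to_hex(mask):
    """Render a family mask as the colon-separated hex PacketWise prints (e.g. ff:bf).
    Bits beyond the end of the mask count as 1 (RFC 3415), so pad with ones."""
    bits = "".join("1" if b else "0" for b in mask)
    bits += "1" * (-len(bits) % 8)
    return ":".join(f"{int(bits[i:i + 8], 2):02x}" for i in range(0, len(bits), 8))


def in_family(oid, subtree, mask):
    """An OID belongs to a family if it is at least as long as the subtree and
    agrees with it at every position whose mask bit is set."""
    if len(oid) < len(subtree):
        return False
    return all(not must or o == s for o, s, must in zip(oid, subtree, mask))


class View:
    def __init__(self, name):
        self.name, self.families = name, []

    def add(self, oid_text, included=True):
        """Mirror `setup snmp view add <view> <OID> [included|excluded]`."""
        subtree, mask = parse_oid(oid_text)
        self.families.append((subtree, mask, included))
        return self

    def allows(self, oid_text):
        """Of all families containing the OID, the longest subtree wins (ties go
        to the lexicographically greater subtree) and its flag decides.  If no
        family matches, the OID is outside the view."""
        oid, _ = parse_oid(oid_text)
        best = None
        for subtree, mask, included in self.families:
            if in_family(oid, subtree, mask):
                rank = (len(subtree), subtree)
                if best is None or rank > best[0]:
                    best = (rank, included)
        return best is not None and best[1]


if __name__ == "__main__":
    sysadmin = (View("sysadmin").add("iso")
                .add("1.3.6.1.6.3.18", included=False)
                .add("1.3.6.1.6.3.15.1.2.2", included=False))
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.18.1.1.0"):
        print(oid, "allowed" if sysadmin.allows(oid) else "denied")
    print("ifEntry.*.2 mask:", mask_to_hex(parse_oid("ifEntry.*.2")[1]))
```

The mask_to_hex output for ifEntry.*.2 is ff:bf, matching the restrictedView entry in the vacmview output above, which is how a wildcard column selector for interface index 2 appears in the VACM table.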

Command Change History

Release Modification

8.3.1 Command introduced


setup sntp

Set or display the Simple Network Time Protocol (SNTP) configuration. SNTP is used to synchronize the time in PacketWise to a server configured to propagate highly accurate time information through the Internet.

setup sntp on|off|servers {<primary> [<secondary>]|none}|poll|reset|sync

Enter a standard dotted-decimal IP address.


setup ssh keygen

Generate new key pairs for accessing the PacketWise command-line interface (CLI) with a secure connection. If you believe the key's security was compromised, you can use this command to generate new keys.

setup ssh keygen [<size>]

where <size> can be 512, 768, or 1024 bits; 1024 is the default size. If you are using SSHv1, you should choose 512 or 1024. If you are using SSHv2, specify either 768 or 1024. SSHv1 is an obsolete protocol with known weaknesses, and 1024 bits is below current key-length guidance, so use SSHv2 with the 1024-bit size (the largest the unit offers) unless a specific compatibility requirement prevents it. After regenerating, clients that have pinned the old host key will warn that it has changed, so distribute the new fingerprints to administrators before they reconnect.

You can use the setup ssh show command to see the fingerprints that were generated.


setup ssh port

Change the SSH (Secure Shell) listening port. PacketWise is automatically configured to run SSH on port 22; use this command to select a different port.

Note: Secure Shell is a program and protocol that provides strong authentication and secure communications for logging onto a remote computer. For secure connections to the PacketWise command-line interface, you can choose any SSH client, such as SecureCRT for Windows or OpenSSH for UNIX operating systems.

setup ssh port <port_number>|default

where <port_number> is the new SSH port number and default uses the default SSH port, 22.

Note: If your unit is configured in shared mode with PolicyCenter, the default is the SSH port number of the parent group,which may or may not be 22.

Examples:

To use SSH on port 25:

setup ssh port 25

SSH service will be restarted on port 25. It may take up to 10 seconds for the new value to take effect.
Please use "setup ssh show" to verify the service status.

Or, to use SSH on the default port:

setup ssh port default

The SSH service will start on the designated port in less than 10 seconds. If the configured port was already in use, PacketWise automatically uses the last valid port number specified, or the default value (22). Use the setup ssh show command to verify that the port number was accepted.


setup ssh show

Display the status of SSH (Secure Shell). The output indicates whether the SSH service is running and on which port. In addition, the output lists the RSA1, DSA, and RSA fingerprints. (The fingerprinting mechanism makes sure that you are contacting the intended remote host.) The fingerprint appears as a sequence of 16 octets in hexadecimal, separated by colons. This is the MD5 fingerprint format; OpenSSH clients from version 6.8 onward display SHA256 fingerprints by default, so when comparing what your client shows against this output, ask the client for the MD5 form (for example with ssh-keygen -l -E md5 on a saved host key) rather than comparing across formats by eye.

Note: Secure Shell is a program and protocol that provides strong authentication and secure communications for logging onto a remote computer. For secure connections to the PacketWise command-line interface, you can choose any SSH client, such as SecureCRT for Windows or OpenSSH for UNIX operating systems.

setup ssh show

Example output (when the configured port is the same as the port that is actually being used):

SSH service is listening on port #: 22 (default)

DSA key fingerprint is: fc:b9:01:88:cf:02:74:50:5e:e1:c0:f7:ab:e9:62:92
RSA key fingerprint is: 2f:77:8a:d6:ff:72:2f:f6:7d:b3:87:53:60:80:a3:ec
RSA1 key fingerprint is: 9d:fd:1f:8f:bc:29:16:29:f8:a7:b6:a0:6b:c2:5e:a7

You can use the setup ssh show command to verify that your port number was accepted. If the configured port (specified with the setup ssh port command) was already in use, PacketWise automatically uses the last valid port number specified, or the default value (22). In this situation, the setup ssh show output will display a "Fail binding to port" message and indicate the port number that is being used instead. In addition, a notification will appear in the system banner when you log on. For example:

Attention: SSH service failed to start on the port configured in the configuration file. Port 22 is used instead.

Note: The output of the setup show command lists the SSH port number that was configured, which is not necessarily the port number currently in effect. Use setup ssh show to see the SSH port number that is in effect.
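Before trusting a first connection to the unit, compare the fingerprint your client presents with the one printed by setup ssh show. The MD5 format shown above and the SHA256 format that OpenSSH 6.8 and later print by default cannot be compared by eye, so the following Python script, an added example and not part of PacketWise, computes both from the key blob in an ssh-keyscan line and checks it against the console value. The host name and key in it are constructed placeholders (the key is the base64 of the bytes abc, not a real SSH key); with a real ssh-keyscan line it works unchanged.

```python
"""Check an SSH host key presented by a PacketShaper against the fingerprint
printed by `setup ssh show`.

`setup ssh show` prints MD5 fingerprints (16 colon-separated octets); OpenSSH
6.8 and later print SHA256 by default, so both forms are derived here from the
same key blob.  SAMPLE_KEYSCAN is a constructed placeholder: "YWJj" is base64
for the bytes b"abc", not a real SSH public key.
"""
import base64
import hashlib

SAMPLE_KEYSCAN = "packetshaper.example ssh-rsa YWJj"   # constructed, not a real key


def parse_keyscan_line(line):
    """ssh-keyscan prints '<host> <keytype> <base64 key>'; return (keytype, key)."""
    _host, keytype, key_b64, *_ = line.split()
    return keytype, key_b64


def md5_fingerprint(key_b64):
    """MD5 over the raw key blob, in the aa:bb:... form that PacketWise prints."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(key_b64):
    """SHA256 over the raw key blob, in the 'SHA256:<base64>' form modern OpenSSH prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _normalise(fp):
    """Lower-case, strip whitespace and drop the 'MD5:' prefix written by ssh-keygen -E md5."""
    fp = fp.strip().lower()
    return fp[4:] if fp.startswith("md5:") else fp


def host_key_matches(keyscan_line, expected_md5):
    """True when the presented key hashes to the fingerprint read off the console."""
    _, key_b64 = parse_keyscan_line(keyscan_line)
    return _normalise(md5_fingerprint(key_b64)) == _normalise(expected_md5)


if __name__ == "__main__":
    keytype, key = parse_keyscan_line(SAMPLE_KEYSCAN)
    print(keytype, "MD5    ", md5_fingerprint(key))
    print(keytype, "SHA256 ", sha256_fingerprint(key))
    # Compare against the RSA fingerprint from the setup ssh show example above.
    print("matches console:", host_key_matches(
        SAMPLE_KEYSCAN, "2f:77:8a:d6:ff:72:2f:f6:7d:b3:87:53:60:80:a3:ec"))
```

On the client side, ssh-keygen -l -E md5 -f <file> prints the same MD5 form from a saved known_hosts entry or public key file, which is the quickest way to get a comparable value from a modern OpenSSH installation.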


setup ssl cipherstrength

Controls the strength of ciphers that PacketShaper allows.

setup ssl cipherstrength weak|strong|show

When this option is set to strong, PacketShaper does not allow ciphers that lack authentication or encryption, nor ciphers with an encryption key shorter than 56 bits. When this option is set to weak (the default), PacketShaper allows ciphers of all strengths, as well as ciphers with no encryption or authentication. Note that the default therefore leaves NULL-encryption and anonymous cipher suites enabled, and that the 56-bit floor of the strong setting still admits single DES; strong is the minimum a managed unit should run, not a hardened TLS configuration.

Command Change History

Release Modification

8.6.3 setup ssl cipherstrength command introduced


setup ssl secureReneg

Configure secure renegotiation for SSL/TLS, specifying whether to allow PacketShaper to communicate with patched and unpatched SSL clients and servers. Patched SSL clients and servers have fixed the SSL/TLS renegotiation vulnerability by implementing the renegotiation indication extension (RFC 5746) and use OpenSSL v0.9.8m or higher; unpatched clients/servers use earlier OpenSSL versions.

setup ssl secureReneg off|serverOnly|serverAndClient|default

off   Preserves legacy behavior: allows PacketShaper to communicate with all unpatched and patched SSL clients and servers. This is the default setting. In this mode the PacketShaper, acting as an SSL server, still accepts legacy (insecure) renegotiation from unpatched clients, which is the condition the renegotiation attack depends on; use serverOnly unless unpatched clients genuinely need to renegotiate.

serverOnly   The PacketShaper, as an SSL server, supports renegotiation from patched clients only.

serverAndClient   Allows patched and unpatched SSL clients (browsers) to communicate with PacketShaper, and supports renegotiation from patched clients and servers only.

Note: Renegotiation attempts from unpatched clients using the SSLv3 protocol will fail, and PacketShaper will terminate the connection. Renegotiation attempts from unpatched clients using the TLSv1 protocol will also fail, but PacketShaper will not terminate the connection; it will send the client a "no renegotiation" alert message.

default Sets secure renegotiation back to its default setting so the configuration can inheritthe setting from the parent configuration.

Notes:

If the PacketShaper is configured to communicate with the Directory Server using Secure LDAP, you must use serverOnly or off mode to allow for successful communication between PacketShaper (acting as an SSL client) and Sun DS (acting as an SSL server).

serverOnly mode allows PacketShaper (SSL client) to communicate with SSL servers, such as Blue Coat's heartbeat and update servers, regardless of whether the servers are patched.

Because off is the default, a unit accepts legacy (insecure) renegotiation on its own SSL services until the setting is changed; serverOnly is the setting to use unless an unpatched client genuinely needs to renegotiate with the unit.

Use the setup ssl show command to view the current secure renegotiation setting.

Command Change History

Release  Modification

8.5.5 Command introduced


setup ssl show

Display PacketShaper's current secure renegotiation setting for SSL/TLS.

setup ssl show

See also:

setup ssl secureReneg

Command Change History

Release  Modification

8.5.5 Command introduced


setup standby

Configure a PacketShaper for direct standby mode. The direct standby function allows two PacketShapers to work in a redundant network topology, with each unit connected to a different router. The two units are directly connected to each other, through the OUTSIDE port on the upper-most or right-most LEM. Both units are considered active and each unit can receive and forward traffic. When a unit directly receives traffic, it will copy that traffic and transmit it to the other unit. The other unit will classify the traffic, just as if it had received it directly, but it will never forward the traffic on to the LAN. As a result, each unit is ready at any time to take over full PacketShaper responsibility should the other unit go down.

Note: The standby feature requires a hardware modification and special cabling. Before enabling standby mode, see Connect PacketShapers into Redundant Topologies for complete details.

setup standby direct|none|show

Where:

direct  Enables the unit for direct standby

Note: PacketShaper's watch mode and direct standby features cannot be used together.

none  Disables standby mode

show  Displays the status of a standby unit

To enable direct standby mode, use:

setup standby direct

Note: A loss of connectivity could occur right after direct standby is enabled or disabled. This loss of connectivity is transient and recoverable after the new paths and routes have been established. After the paths and routes have stabilized, you may have to start a new CLI session.

To check the status of a standby unit:

setup standby show

To disable direct standby mode:

setup standby none


setup support show

Display support status information. The status can be active, expired, or unknown. (See Support Contract Status for more information on each of these states.)

setup support show

In addition to the state of the support contract, the output indicates the date and time of the last support status update. If the contract is expired, the output tells you how many days remain until WebPulse queries will stop. (There is a 30-day grace period after the contract expires in which PacketShaper continues to query WebPulse for URL categories.)

After renewing your contract (in case of an expired status) or verifying Internet connectivity (in case of an unknown status), you can use the setup support update CLI command to re-check the status of the support contract, or simply wait for the next automatic check (performed every 24 hours).

Command Change History

Release  Modification

8.6.1 setup support command introduced


setup support update

Re-check the status of your support contract. You can use this command after renewing your contract (in case of an expired status) or verifying Internet connectivity (in case of an unknown status). Alternatively, you can simply wait for the next automatic check (performed every 24 hours).

See Support Contract Status for more information.

setup support update

See also:

setup support show

Command Change History

Release  Modification

8.6.1 setup support command introduced


setup syslog add

Add a Syslog server. The logging feature gives administrators a way to centrally log and analyze user events and system warning messages. For example, if you are using RADIUS authentication, each failed login attempt will be sent to the defined Syslog server.

Adaptive response action files and user events can be configured to send messages to a Syslog server. For example, when you register an event, you will be asked if you want to send events to Syslog; you can define and register an event that sends a message to a Syslog server when retransmissions rise to 30 percent of your network activity.

You can add up to four servers.

setup syslog add host:<ipaddress> [output:<facility>,<level>] [port:<portnum>] [datetime]

host:<ipaddress>  The Syslog server IP address, for example host:10.7.38.100

output:<facility>,<level>  The facility and severity level, for example output:local1,6

Up to three outputs can be specified. The default facility is local4 and the default level is 7. PacketWise user events are at severity level 6; if you want to capture them with Syslog, you must set the level to 6 or 7.

See Facility Types and Severity Levels for lists of the valid facility types and levels.

port:<portnum>  The port number of the Syslog server; if the port isn't specified, port 514 is used. Messages are sent over UDP (the setup syslog show output reports the UDP port), so delivery is unacknowledged and the content is neither encrypted nor authenticated in transit; restrict the network path between the unit and the collector accordingly.

datetime  Include the date and time in the message; the date and time are not included unless you specify the datetime parameter

For example:

setup syslog add host:10.7.38.100 output:local1,3 datetime

If you need to modify any of the settings later, you need to remove the server and then add it again (see setup syslog remove).

Messages are not sent until you enable the logging feature. See setup syslog on. If you want a PacketWise event to be recorded in a Syslog, you need to specify this option when registering the event (see event register).

Facility Types

You can enter the keyword or value specified in the following table.

Description                    Keyword        Value
Kernel                         kern           0
User Processes                 user           1
Electronic Mail                mail           2
Background System Processes    sysd           3
Authorization                  auth           4
System Logging                 sysl           5
Printing                       lpr            6
Usenet News                    news           7
Unix-to-Unix Copy Program      uucp           8
Clock Daemon                   clkd           9
Security                       sec2           10
FTP Daemon                     ftpd           11
NTP Subsystem                  ntp            12
Log Audit                      audit          13
Log Alert                      alert          14
Clock Daemon                   clkd2          15
For Local Use                  local0–local7  16-23

Severity Levels

You can enter the keyword or value specified in the following table. The level is a threshold: messages at that severity or at a lower (more severe) level are sent to the Syslog server, and messages at higher (less severe) levels are suppressed. For example, setting the severity level to 3 sends messages with levels 0 – 3 and suppresses messages with levels 4 – 7. If you don't specify a severity level, 7 is used, and with that default messages of all levels are sent to the Syslog server.

Description                                        Keyword   Value
System unusable                                    emerg     0
Take immediate action                              alert     1
Critical condition                                 crit      2
Error message                                      err       3
Warning message                                    warn      4
Normal but significant condition                   notice    5
Informational (includes PacketWise user events)    info      6
Debug message                                      debug     7

At the "warn" level, Blue Coat will send the following types of messages to the Syslog server:

Login failed
Hard drive status
Measurement Engine status
Direct standby status
Plug-in status

See PacketShaper Syslog Warn Messages for a list of these messages.

User events that are configured to send a syslog message when a threshold is crossed are sent at the info severity level (6). See event register for more information on configuring an event to send a syslog message.

Adaptive response action files that include the send syslog command can designate the severity level at which the message is sent to the Syslog server; any level can be specified.


setup syslog rate

Set the maximum number of syslog messages that will be sent per second.

setup syslog rate <number>

The default rate is 20 messages per second and the valid range is 1-200. You may want to increase the rate if you are experiencing a problem with your unit and need every message captured; if you suspect messages are being dropped, compare the Total Sent and Total Lost counters in the setup syslog show output.


setup syslog remove

Remove a syslog server. If you need to modify the settings of a server you have added, you will need to remove the server first.

setup syslog remove <ipaddress>


setup syslog show

Display the settings for currently defined Syslog servers.

setup syslog show [<ipaddress>]

If no <ipaddress> is specified, the setup of all Syslog servers is displayed. For example:

setup syslog show

Status: On   Max Rate: 35   Total Sent: 5   Total Lost: 0

Server Addr    Facility     Level
------------------------------------
10.7.38.200    local4, 20   warn, 4
10.7.38.100    local4, 20   warn, 4

If you specify an <ipaddress>, the settings for a single Syslog server are displayed. For example:

setup syslog show 10.7.38.200

Server Addr: 10.7.38.200   UDP Port: 514   DateTime Option: Not Enabled

-------------------------------------
Facility     Level
-------------------------------------
local4, 20   warn, 4

Message Format

When viewing the messages at the Syslog server, you will see the format of a Syslog message is as follows:

ReceiveDateTime address SendDateTime module-severity-MNEMONIC: description

ReceiveDateTime  The date and time the message was received by the Syslog server (may not be included, depending on the setup of the Syslog server)

address  The PacketShaper unit's IP address

SendDateTime  The date and time the message was sent to the Syslog server (only present if the datetime parameter was specified when defining the syslog server)

module  A four-byte string that identifies the type of message. For example, USRE is a user event and SYSW is a system warning.

severity  A single digit code (0–7) that reflects the severity of the condition; see Severity Levels

MNEMONIC  A code that uniquely identifies the error message, for example BAD_WR (bad write) or INSERT_F (insert into a list fails)

description  A text string describing the condition

Example message:

Aug 6 17:06:27 10.7.38.5 SYSW-4-LOG_WARN: Hard drive is down.

Or, if the datetime parameter was specified:

Aug 6 17:07:25 10.7.38.5 Mon Aug 6 17:05:01 2001 BST (London) SYSW-4-LOG_WARN: Hard drive is down.
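As an added example (not PacketShaper or Blue Coat code), the following Python parses lines in the format above and applies the threshold rule described under Severity Levels, so a collector-side script can pick out the warn-level conditions the unit reports, such as failed logins. The sample log lines are constructed for this example: the USER_EVENT mnemonic is assumed, and the parser assumes the receiving syslog server prefixes the traditional "Mon dd hh:mm:ss" timestamp seen in the manual's own examples.

```python
"""Parse PacketShaper-format syslog lines and apply the syslog severity threshold.

Added example, not PacketShaper or Blue Coat code. The format parsed is the one
the manual documents:

    ReceiveDateTime address [SendDateTime] module-severity-MNEMONIC: description

The lines in SAMPLE_LOG are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity keywords from the manual's Severity Levels table.
SEVERITY = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
            4: "warn", 5: "notice", 6: "info", 7: "debug"}

# ReceiveDateTime is the collector's traditional "Mon dd hh:mm:ss" stamp (assumed,
# as in the manual's examples), then the unit's IPv4 address, then an optional
# SendDateTime (present only when the server was added with the datetime option),
# then MODULE-N-MNEMONIC: description.
LINE_RE = re.compile(
    r"^(?P<recv>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?:(?P<send>.+?)\s+)?"
    r"(?P<module>[A-Z0-9]{4})-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<desc>.*)$"
)


@dataclass
class PsEvent:
    received: str          # timestamp added by the syslog server
    unit: str              # PacketShaper IP address
    sent: Optional[str]    # SendDateTime, or None if datetime was not configured
    module: str            # e.g. SYSW (system warning), USRE (user event)
    severity: int          # 0-7
    mnemonic: str          # e.g. LOG_WARN
    description: str

    @property
    def severity_name(self) -> str:
        return SEVERITY[self.severity]


def parse_line(line: str) -> Optional[PsEvent]:
    """Return a PsEvent for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return PsEvent(m["recv"], m["addr"], m["send"], m["module"],
                   int(m["sev"]), m["mnemonic"], m["desc"])


def passes_level(event: PsEvent, level: int) -> bool:
    """The unit-side rule for output:<facility>,<level>: severities 0..level are
    sent, anything numerically higher (less severe) is suppressed."""
    return event.severity <= level


# Constructed sample: two SYSW warnings (with and without the datetime option),
# a user event (USER_EVENT mnemonic is assumed), a failed login, and junk.
SAMPLE_LOG = """\
Aug 6 17:06:27 10.7.38.5 SYSW-4-LOG_WARN: Hard drive is down.
Aug 6 17:07:25 10.7.38.5 Mon Aug 6 17:05:01 2001 BST (London) SYSW-4-LOG_WARN: Hard drive is down.
Aug 6 17:08:02 10.7.38.5 USRE-6-USER_EVENT: Retransmissions exceeded 30 percent.
Aug 6 17:09:41 10.7.38.5 SYSW-4-LOG_WARN: Login failed.
this line is not a PacketShaper message
"""


def triage(text: str, level: int = 7) -> Tuple[List[PsEvent], List[PsEvent], List[PsEvent]]:
    """Parse a log, keep what a server configured at `level` would have received,
    and pull out the failed-login warnings worth alerting on."""
    events = [e for e in map(parse_line, text.splitlines()) if e is not None]
    delivered = [e for e in events if passes_level(e, level)]
    login_failures = [e for e in delivered
                      if e.module == "SYSW" and "login failed" in e.description.lower()]
    return events, delivered, login_failures


if __name__ == "__main__":
    all_events, kept, failures = triage(SAMPLE_LOG, level=4)
    for e in kept:
        print(f"{e.unit} {e.module}-{e.severity_name}-{e.mnemonic}: {e.description}")
    print(f"{len(failures)} failed-login warning(s) out of {len(all_events)} parsed events")
```

Run at level 4 the script keeps the three SYSW warnings and drops the level-6 user event, which is the same filtering the unit applies when the server was added with output:<facility>,4; run at the default level 7 everything is delivered.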


setup syslog state

Enable or disable the logging feature so that messages will be sent to the defined syslog server(s). If this command is issued from the command-line interface of an individual PacketShaper or a PolicyCenter sharable configuration, it will enable or disable the syslog servers defined for the selected configuration or unit.

setup syslog state on|off|default

Select the default option to set the logging feature on a PacketShaper to its default off state. To check whether the logging feature is on or off, use the setup syslog show command.

Note: If the setup syslog state default command is issued from PolicyCenter for a child configuration, the selected configuration will discard its existing syslog state and inherit its syslog on/off setting from its parent configuration. If the setup syslog state default command is issued from PolicyCenter for a root-level configuration, the syslog state for that configuration will be returned to the default off setting.


setup tacacs acct

Set up or change the configuration of the TACACS+ accounting service records. This feature allows you to have an audit trail for user logins.

To define the TACACS+ accounting service, use:

setup tacacs acct primary|secondary {<host> <shared_secret> [<port>]}|delete|override

primary|secondary  Enter the literal primary or secondary to indicate which server you are defining. (The secondary server is used when the primary server isn't accessible.)

<host>  The IP address or DNS name of the TACACS+ accounting server

<shared_secret>  The designated secret for the server; quotes are not required

[<port>]  The port number to access the server; if omitted, the default port 49 is used.

delete  Deletes the configuration of the primary or secondary server (whichever is specified)

override  For a PolicyCenter child configuration, create local TACACS+ settings that override the settings it inherits from its parent configuration. Remove these override settings at any time with the command setup tacacs acct primary|secondary delete.

To turn the service on or off, or to return the service to its default off value, use:

setup tacacs acct on|off|default

Example:

setup tacacs acct primary 10.10.10.10 P4ssw0rd1

setup tacacs acct secondary 10.10.20.10 Paa55w0rd2

setup tacacs acct on

This example defines a primary accounting server at 10.10.10.10 with a shared secret of P4ssw0rd1, as well as a secondary server at 10.10.20.10 with a shared secret of Paa55w0rd2. The third command line enables the TACACS+ accounting service. Once this service is configured and enabled, PacketWise will send a PW_STATUS_START accounting message to the accounting server when a user logs in and a PW_STATUS_STOP message when a user logs off or is disconnected.

Command Change History

Release  Modification

8.3.1 Command introduced


setup tacacs auth

Set up or change the configuration of the TACACS+ authentication service. TACACS+ authentication is an optional method for users to log into the PacketWise browser interface, command-line interface, or customer portal, or when FTPing to the unit. Using third-party TACACS+ servers enables you to have central configuration of user accounts.

setup tacacs auth primary|secondary {<host> <shared_secret> [<port>]}|delete|override

primary|secondary  Enter the literal primary or secondary to indicate which server you are defining. (Note: The TACACS+ client uses the secondary server when the primary server isn't accessible or authentication failed. Because failover also happens on an authentication failure, a mistyped password is tried against both servers.)

<host>  The IP address or DNS name of the TACACS+ authentication server

<shared_secret>  The designated secret for the server; quotes are not required

[<port>]  The port number to access the server; if omitted, the default port 49 is used

delete  Deletes the configuration of the primary or secondary server (whichever is specified)

override  For a PolicyCenter child configuration, create local TACACS+ settings that override settings inherited from its parent configuration. Remove these override settings at any time with the command setup tacacs auth primary|secondary delete.

To turn the service on or off, or to return the service to its default off value, use:

setup tacacs auth on|off|default

Example:

setup tacacs auth primary 10.10.10.10 CupServ44

setup tacacs auth on

This example first defines a primary authentication server at 10.10.10.10 which has a shared secret of CupServ44. The second command line enables the TACACS+ authentication service. Once this is configured and enabled, PacketWise will prompt users for user name and password when they log into PacketWise.

Command Change History

Release  Modification

8.3.1 Command introduced


setup tacacs method

Select the TACACS+ authentication method:

ASCII (American Standard Code for Information Interchange): With ASCII, the username and password are transmitted in clear, unencrypted text.

PAP (Password Authentication Protocol): With PAP, the username and password are transmitted in clear, unencrypted text. ASCII or PAP authentication is required for TACACS+ configurations that require access to clear-text passwords (for example, when passwords are stored and maintained in a database external to the TACACS+ server). With either method the password is carried as-is inside the TACACS+ packet body; TACACS+ only obfuscates the body with the shared secret, which is not strong encryption, so anyone who holds or recovers the shared secret can read the password.

CHAP (Challenge Handshake Authentication Protocol): In other environments, CHAP may be preferred for greater security. The TACACS+ server sends a challenge that consists of a session ID and an arbitrary challenge string, and the client returns a hash computed over the challenge and the password, so the password itself is never sent. The server verifies the response by recomputing the hash, which is why standard CHAP requires the server to store passwords in clear text.

MS-CHAP (Microsoft Challenge Handshake Authentication Protocol): This protocol is very similar to CHAP, but with MS-CHAP authentication the TACACS+ server can store a hashed version of the user password to validate the challenge response, rather than the clear-text password that standard CHAP requires.

Note: MS-CHAP v1 and v2 are supported. PacketWise attempts authentication with MS-CHAP v2 first. If the remote server doesn't support v2 or if authentication is denied, PacketWise re-attempts authentication with MS-CHAP v1. Because a rejected v2 attempt is retried with the weaker v1 exchange, every failed login produces two authentication attempts on the server.

setup tacacs method ascii|pap|chap|mschap|default

The default authentication method is ascii.
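The CHAP exchange described above, as an added example that is not PacketWise or TACACS+ server code: it implements the RFC 1994 CHAP response that TACACS+ carries for the chap method, contrasts it with what PAP puts on the wire, and shows why the verifying server must hold the clear-text secret. The user name, secret, wordlist and in-memory server are constructed for the example; MS-CHAP's hash-at-rest scheme is not implemented here.

```python
"""What CHAP puts on the wire versus PAP, and why a CHAP server needs clear-text passwords.

Added example, not PacketWise or TACACS+ server code. chap_response() is the
RFC 1994 computation that TACACS+ carries for the chap method. The user name,
secret, wordlist and in-memory server are constructed for the example; MS-CHAP
(which lets the server keep only a password hash) is not implemented here.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, Optional, Tuple


def pap_credentials(user: str, password: str) -> bytes:
    """ascii/pap: the password itself is placed in the authentication request
    (TACACS+ only obfuscates the packet body with the shared secret)."""
    return f"{user}\x00{password}".encode()


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


class ChapServer:
    """Minimal verifier. It must hold the clear-text secret, because the only way
    to check a CHAP response is to recompute it."""

    def __init__(self, users: Dict[str, str],
                 rng: Callable[[int], bytes] = os.urandom) -> None:
        self._users = dict(users)
        self._rng = rng
        self._pending: Dict[int, bytes] = {}     # outstanding challenges by identifier

    def issue_challenge(self) -> Tuple[int, bytes]:
        ident, challenge = self._rng(1)[0], self._rng(16)
        self._pending[ident] = challenge
        return ident, challenge

    def verify(self, user: str, ident: int, response: bytes) -> bool:
        challenge = self._pending.pop(ident, None)  # single use: no replay
        secret = self._users.get(user)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def offline_guess(ident: int, challenge: bytes, response: bytes,
                  wordlist: Iterable[str]) -> Optional[str]:
    """What a passive observer of one exchange can still do: CHAP keeps the
    password off the wire, but a weak one falls to an offline dictionary attack."""
    for guess in wordlist:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None


def demo(password: str = "CupServ44") -> Dict[str, object]:
    server = ChapServer({"netops": password})
    ident, challenge = server.issue_challenge()
    response = chap_response(ident, password, challenge)     # what the client sends
    first = server.verify("netops", ident, response)
    replay = server.verify("netops", ident, response)        # same response again
    ident2, _ = server.issue_challenge()
    reuse = server.verify("netops", ident2, response)        # old response, new challenge
    guessed = offline_guess(ident, challenge, response, ["password", "hunter2", password])
    return {
        "pap_exposes_password": password.encode() in pap_credentials("netops", password),
        "chap_exposes_password": password.encode() in response,
        "first_attempt": first, "replay": replay, "fresh_challenge_reuse": reuse,
        "offline_guess": guessed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first attempt verifies, the replay and the cross-challenge reuse both fail, and the password is absent from the CHAP response but present in the PAP request; the offline guess succeeds because the secret is in the wordlist, which is the residual risk CHAP leaves when passwords are weak.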

See also:

Configure TACACS+ Authentication Service

Log In and Out with TACACS+

Command Change History

Release  Modification

8.3.1 Command introduced


setup tacacs show

Display the current TACACS+ settings. Use this command to verify that TACACS+ authentication and accounting are enabled, to see the timeout setting, and to view the configuration settings of each TACACS+ server. Note that the output prints each server's shared secret in clear text, so treat captured output (session logs, screenshots) as sensitive.

setup tacacs show

TACACS Setup values:

Tacacs Method  : ASCII
Authentication : on
Accounting     : off
Timeout        : 10

TACACS Service records:

Type    Host            Port   Secret
auth1   192.21.18.190   49     test

Command Change History

Release  Modification

8.3.1 Command introduced


setup tacacs timeout

Set the amount of time for PacketWise to wait for a response from the TACACS+ server. If the server doesn't send a reply within the timeout period, the PacketShaper will disconnect and the authorization attempt will fail. The default timeout period is 10 seconds.

setup tacacs timeout <seconds>|default

where <seconds> is a value between 1 and 60 seconds.

In the example below, the timeout interval is 25 seconds; this interval applies to any configured TACACS+ server.

setup tacacs timeout 25

To return to the default timeout interval, use:

setup tacacs timeout default

Command Change History

Release  Modification

8.3.1 Command introduced


setup timezone

When you configure a time zone, PacketWise can change its local time automatically at the start and end of daylight saving time. It also can retrieve time updates from time servers.

setup timezone [<name>|custom <timezone_spec>]

Each time zone has a unique name, usually the name of the best-known city in that zone. The default time zone is Los Angeles, CA. To display the valid time zones, use setup timezone help.

<timezone_spec> is a string defined by POSIX.1 as:

<std><offset>[<dst>[<offset>],<date>[/<time>],<date>[/<time>]]

Where:

<std> and <dst>  3 or more characters specifying the standard and daylight saving time (DST) zone names

<offset>  [-]hh:[mm[:ss]] specifies the offset west of UTC, so a zone east of UTC (such as EET) uses a negative value. The default DST offset is one hour ahead of standard time.

<date>[/<time>]  Specifies the beginning and end of DST. If this is absent, the system applies US DST rules (first Sunday of April at 2:00 AM to last Sunday of October at 2:00 AM). These are the US rules in force before 2007, so supply explicit rules for a zone that follows the current US schedule.

<time>  hh:[mm[:ss]] with a default of 02:00

<date>  One of the following forms:

Jn (1<=n<=365): origin-1 day number, not counting February 29

n (0<=n<=365): origin-0 day number, counting February 29, if present

Mm.n.d (0[Sunday]<=d<=6[Saturday], 1<=n<=5, 1<=m<=12): the dth day of week n of month m of the year, where week 1 is the first week in which day d appears, and 5 stands for the last week in which day d appears (which may be either the 4th or 5th week)

For example, you could configure a time zone for Cairo, Egypt with the command:

setup timezone custom EET-2EEST,M4.5.5/01:00,M9.5.5/03:00

setup timezone

Current time zone:
Time zone name:   Custom
Time zone desc:   Custom time spec in POSIX format
Time zone spec:   EET-2EEST,M4.5.5/01:00,M9.5.5/03:00
Time zone offset: GMT+02:00
DST offset:       60 minutes
DST starts:       Last Friday of April at 01:00 AM
DST ends:         Last Friday of September at 03:00 AM

In this example, the standard time, known as EET, is two hours ahead of GMT and daylight saving time, known as EEST, is the default 60 minutes ahead of EET. Rather than using the US default rules, EEST begins on the last Friday of April at 1:00 AM and ends on the last Friday of September at 3:00 AM.

Note: You should always do a system reset immediately after changing the time zone so that the underlying time-sensitive scheduled operations of the PacketShaper can be correctly initialized.
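Because a wrong custom spec silently shifts every scheduled operation on the unit, it is worth checking what a spec resolves to before applying it. The following Python is an added example, not PacketWise code: it parses the POSIX.1 string format documented above (including the sign convention and the Jn, n and Mm.n.d rules) and resolves the DST transitions to concrete dates for a given year, reproducing the GMT+02:00 / last-Friday-of-April reading the unit shows for the Cairo spec. It assumes the pre-2007 US defaults the manual describes when no rules are given, and reports transition times as written in the spec.

```python
"""Interpret a POSIX.1 TZ string of the form setup timezone custom accepts.

Added example, not PacketWise code. Parses
    <std><offset>[<dst>[<offset>],<date>[/<time>],<date>[/<time>]]
and resolves Jn, n and Mm.n.d rules to dates for a given year. Transition
times are reported as written in the spec (local wall-clock time).
"""
import calendar
import re
from dataclasses import dataclass
from datetime import date, time, timedelta
from typing import Optional, Tuple

_OFF = r"[+-]?\d{1,2}(?::\d{2}(?::\d{2})?)?"
TZ_RE = re.compile(
    r"^(?P<std>[A-Za-z]{3,})(?P<std_off>" + _OFF + r")"
    r"(?:(?P<dst>[A-Za-z]{3,})(?P<dst_off>" + _OFF + r")?"
    r"(?:,(?P<start>[^,/]+)(?:/(?P<start_t>[^,]+))?"
    r",(?P<end>[^,/]+)(?:/(?P<end_t>[^,]+))?)?)?$"
)


def parse_offset(text: str) -> timedelta:
    """POSIX offsets count hours *west* of UTC, so "-2" means UTC+02:00.
    Returns the conventional east-positive UTC offset."""
    west = -1 if text.startswith("-") else 1
    h, m, s = ([int(p) for p in text.lstrip("+-").split(":")] + [0, 0])[:3]
    return -west * timedelta(hours=h, minutes=m, seconds=s)


def parse_time(text: str) -> time:
    h, m, s = ([int(p) for p in text.split(":")] + [0, 0])[:3]
    return time(h, m, s)


def rule_date(rule: str, year: int) -> date:
    """Resolve a POSIX transition date (Jn, n, or Mm.n.d) within `year`."""
    if rule.startswith("M"):
        m, n, d = (int(x) for x in rule[1:].split("."))
        first_wd, days_in_month = calendar.monthrange(year, m)  # Python: Monday = 0
        first_wd = (first_wd + 1) % 7                          # POSIX: Sunday = 0
        day = 1 + (d - first_wd) % 7 + 7 * (n - 1)             # nth occurrence of d
        while day > days_in_month:                             # n = 5 means "last"
            day -= 7
        return date(year, m, day)
    if rule.startswith("J"):
        d = date(year, 1, 1) + timedelta(days=int(rule[1:]) - 1)  # Feb 29 never counted
        if calendar.isleap(year) and d >= date(year, 2, 29):
            d += timedelta(days=1)
        return d
    return date(year, 1, 1) + timedelta(days=int(rule))         # Feb 29 counted


@dataclass
class TzSpec:
    std: str
    utc_offset: timedelta
    dst: Optional[str] = None
    dst_offset: Optional[timedelta] = None
    start: Optional[str] = None
    start_time: time = time(2, 0)
    end: Optional[str] = None
    end_time: time = time(2, 0)


def parse_tz(spec: str) -> TzSpec:
    m = TZ_RE.match(spec)
    if not m:
        raise ValueError(f"not a POSIX TZ string: {spec!r}")
    tz = TzSpec(m["std"], parse_offset(m["std_off"]))
    if m["dst"]:
        tz.dst = m["dst"]
        # Default DST offset is one hour ahead of standard time.
        tz.dst_offset = (parse_offset(m["dst_off"]) if m["dst_off"]
                         else tz.utc_offset + timedelta(hours=1))
        if m["start"]:
            tz.start, tz.end = m["start"], m["end"]
            tz.start_time = parse_time(m["start_t"]) if m["start_t"] else time(2, 0)
            tz.end_time = parse_time(m["end_t"]) if m["end_t"] else time(2, 0)
        else:
            # No rules: the manual applies the pre-2007 US defaults,
            # first Sunday of April to last Sunday of October at 02:00.
            tz.start, tz.end = "M4.1.0", "M10.5.0"
    return tz


def transitions(tz: TzSpec, year: int) -> Optional[Tuple[Tuple[date, time], Tuple[date, time]]]:
    """(DST start, DST end) for `year` as (date, wall-clock time); None without DST."""
    if tz.dst is None:
        return None
    return ((rule_date(tz.start, year), tz.start_time),
            (rule_date(tz.end, year), tz.end_time))


def fmt_offset(delta: timedelta) -> str:
    """Render like the unit does: GMT+02:00."""
    total = int(delta.total_seconds())
    sign = "+" if total >= 0 else "-"
    total = abs(total)
    return f"GMT{sign}{total // 3600:02d}:{total % 3600 // 60:02d}"


if __name__ == "__main__":
    cairo = parse_tz("EET-2EEST,M4.5.5/01:00,M9.5.5/03:00")  # the manual's Cairo example
    (s_day, s_clock), (e_day, e_clock) = transitions(cairo, 2013)
    print(f"{cairo.std} {fmt_offset(cairo.utc_offset)}, {cairo.dst} {fmt_offset(cairo.dst_offset)}")
    print(f"DST {s_day} {s_clock} -> {e_day} {e_clock}")
```

For 2013 the Cairo spec resolves to DST from Friday 26 April at 01:00 to Friday 27 September at 03:00, matching the unit's "Last Friday of April / Last Friday of September" reading; a spec such as PST8PDT with no rules falls back to the pre-2007 US dates.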


setup traffic-info

Enable/disable traffic information reporting to the WebPulse cloud service. When this feature is enabled, PacketShaper sends information to WebPulse about unknown and P2P non-web applications, for the purpose of threat analysis; WebPulse can then build on its threat intelligence to help prevent Advanced Persistent Threats and non-web based intrusions. Traffic information reporting is enabled by default. Because it is on by default and only flows to destinations in the ignore-list are withheld, review the ignore-list (see setup traffic-info ignore-list) before putting a unit into service where traffic to internal hosts on non-private addresses must not be reported.

setup traffic-info on|off

Note: The traffic information reporting feature uses the following domains: sitereview.bluecoat.com and cda.bluecoat.com. You must allow access to these domains on your firewall.

See also:

setup traffic-info ignore-list

setup traffic-info show

setup traffic-info summary

setup traffic-info reset

Command Change History

Release  Modification

9.2.1 Command introduced


setup traffic-info ignore-list

Configure hosts to exclude from reporting to WebPulse. If a flow has a destination IP that matches an entry in the ignore-list, the flow will not be reported to WebPulse.

setup traffic-info ignore-list add <host> | delete <host> | show

where <host> is a single IPv4 address, subnet (in CIDR format), or DNS name.

So that you won't need to manually add all of your private application servers to the ignore-list, private subnets are pre-configured in the list. The ignore-list includes the following subnets:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Examples:

# setup traffic-info ignore-list add 23.43.113.112
23.43.113.112 has been successfully added to ignore-list

# setup traffic-info ignore-list add test.com
test.com has been successfully added to ignore-list

# setup traffic-info ignore-list add 12.10.12.0/24
12.10.12.0/24 has been successfully added to ignore-list

# setup traffic-info ignore-list show
Hosts in ignore-list:
10.0.0.0/8
12.10.12.0/24
172.16.0.0/12
192.168.0.0/16
23.43.113.112
test.com

See also:

setup traffic-info

setup traffic-info show

setup traffic-info summary

setup traffic-info reset

Command Change History

Release  Modification

9.2.1 Command introduced


setup traffic-info reset

Restore default settings for traffic information reporting. This command enables the traffic reporting feature, clears any hosts added to the ignore-list, and restores the default ignore-list of private subnets.

setup traffic-info reset

Example:

Reset the traffic-info settings and then display the current status.

# setup traffic-info reset

# setup traffic-info show

Traffic Information reporting is enabled

Hosts in ignore-list:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

See also:

setup traffic-info ignore-list

setup traffic-info show

setup traffic-info summary

setup traffic-info

Command Change History

Release  Modification

9.2.1 Command introduced


setup traffic-info show

Display the status and the ignore-list for the traffic information reporting feature.

setup traffic-info show

Sample output:

# setup traffic-info show

Traffic Information reporting is enabled

Hosts in ignore-list:
10.0.0.0/8
12.10.12.0/24
172.16.0.0/12
192.168.0.0/16
23.43.113.112
test.com

See also:

setup traffic-info ignore-list

setup traffic-info

setup traffic-info reset

setup traffic-info summary

Command Change History

Release  Modification

9.2.1 Command introduced


setup traffic-info summary

Display the current status of traffic information collection and reporting. The output shows the number of flows, bytes, and entries collected, and when the report was last uploaded to Blue Coat.

setup traffic-info summary

Sample output:

Traffic Information Collection & Reporting Summary
==================================================

Overall Status
----------------------
Flows Collected:       0
Flows not Collected:   16416
Flows Ignored:         0
Upload Count:          0
Upload Bytes:          0.000000K
Failed Uploads:        0
Traffic Info Entries:  0
Traffic Info Flows:    0
Traffic Info Bytes:    0

Last Upload Status
----------------------
Successful Upload:     --
Last Upload Attempt:   Mon Oct 15 09:02:56 2012
Traffic Info Entries:  0
Traffic Info Flows:    0
Traffic Info Packets:  0
Traffic Info Bytes:    0
Failed Attempts:       0

Current Status
-----------------------
Traffic Info Entries:  0
Traffic Info Flows:    0
Traffic Info Packets:  0
Traffic Info Bytes:    0
Flows in progress:     0

See also:

setup traffic-info ignore-list

setup traffic-info show

setup traffic-info reset

Command Change History

Release  Modification

9.2.1 Command introduced


setup urlcategory

Enables/disables the URL categorization feature. The PacketShaper cannot classify by URL categories unless the feature is enabled; it is disabled by default.

setup urlcategory on|off

When you enable URL categorization, you will have the ability to:

create classes based on specific URL categories, and PacketShaper will then classify web traffic that corresponds to each of these categories into the appropriate class

auto-discover category classes (you must first create an "all categories" class and enable class discovery)

When URL categorization is turned on and the WebPulse Query option is enabled, PacketShaper will send URL queries to the WebPulse cloud service; the service will look up the URL in its extensive database to find the category (or categories) associated with the URL, and send the response back to PacketShaper for classification. If WebPulse is disabled, the PacketShaper will look up the URL in its cache; if the URL is not in the cache, PacketShaper won't be able to classify the web traffic into a category.

Note: If you have secured the PacketShaper's outside interface, the URL categorization feature requires that you add the following servers to the exception list: the fastest WebPulse service points (use the setup urlcategory show service command to find the IP addresses), the category map update server (sitereview.bluecoat.com), and the support update server (updates.bluecoat.com). See setup secure.

Command Change History

Release  Modification
9.2.1    command is hidden; replaced with setup webpulse command
8.6.1    setup urlcategory command introduced


setup urlcategory discovery

Enables/disables discovery of specific URL categories, or of all categories. By default, discovery is enabled for each category. You may want to disable discovery of the categories that you aren't interested in monitoring or controlling. By doing so, you will not clutter your traffic tree with classes you don't need to track.

setup urlcategory discovery on|off|inherit <category_name>|all

where <category_name> is the exact name of the category. To see a list of category names, use the setup webpulse show categories command. If the category name contains a space, enclose the name in quotes.

If the unit is in shared mode, you can use the inherit option to inherit the category discovery settings from the parent configuration.

Example

To disable discovery of the Society/Daily Living category:

setup urlcategory discovery off "Society/Daily Living"

To reenable discovery of all categories:

setup urlcategory discovery on all

Command Change History

Release  Modification
9.2.1    command is hidden; replaced with setup webpulse discovery command
8.6.1    setup urlcategory command introduced


setup urlcategory map-download
Initiates a download of the latest category mapping file. The category map is a file that maps URL category names with numeric IDs. PacketShaper refers to the category map to look up the category name after WebPulse has assigned a category ID to a flow. In addition, PacketShaper uses the category map when listing URL categories that can be assigned to category-based classes.

setup urlcategory map-download

Notes:

When you enable URL categorization, the latest category map is automatically downloaded to your PacketShaper. Thereafter, PacketShaper automatically downloads the category map every day and after a device reset, regardless of whether the file has changed or not.

The category map changes infrequently (approximately every 18 months).

You will see a Success message after the download completes. The category map file is downloaded, replacing the current file (even if the file hasn't changed). The version number is also indicated.

The category map version is incremented when a category has been added, renamed, or deleted. The version is not incremented when a description or example changes.

Command Change History
Release  Modification
9.2.1    command is hidden; replaced with setup webpulse map-download command
8.6.1    setup urlcategory command introduced


setup urlcategory reset
Clears the category cache on the PacketShaper, deletes the cache backup, and returns all categorization settings to their defaults. This command returns the feature to its factory default settings: URL categorization is disabled, WebPulse is enabled, and discovery is enabled for all URL categories.

setup urlcategory reset

Notes:

Because this command deletes the cache as well as its backup copy on the PacketShaper data disk, use this command with caution. You will have an opportunity to confirm the reset after you enter the command.

Command Change History
Release  Modification
9.2.1    command is hidden; replaced with setup webpulse reset command
8.6.1    setup urlcategory command introduced


setup urlcategory show
Displays additional information about URL categories, WebPulse queries, the category cache, and WebPulse service points.

setup urlcategory show categories|statistics|cache|service

Option       Description
categories   Display URL category names, IDs, discovery state, and hits
statistics   Display URL category statistics: how many flows weren't categorized due to load or because the flow ended, number and speed of queries to the WebPulse database, number and speed of queries that used the DRTR service.
cache        Display URL category cache information: number of hits and entries in the domain, directory, and filename caches. Also indicates when the cache was last backed up to the data disk.
service      Display WebPulse service point information. For each of seven service points, lists the IP address, number of hits and speed of WebPulse database and DRTR requests. Also indicates the health of the service points.

             Tip: The fastest servers appear at the top of the list. Use this command to find out the IP addresses of the fastest servers, then add them to your setup secure outside list (if you are securing the outside interface).

Examples:

setup urlcategory show statistics

Uncategorized Flows

Current Daily Uncategorized Due to Load: 0
Average Daily Uncategorized Due to Load: 0
Current Daily Uncategorized Due to Flow Ended: 89
Average Daily Uncategorized Due to Flow Ended: 102

Service Points

Current Daily Queries : 161
Current Daily Query RTT : 48 ms
Average Daily Queries : 598
Average Daily Query RTT : 51 ms
Current Daily DRTR Queries : 3
Current Daily DRTR Query RTT : 966 ms
Average Daily DRTR Queries : 0
Average Daily DRTR Query RTT : 0 ms

setup urlcategory show cache

Cache

Daily Queries : 1100
Average Daily Queries : 2417
Cache Hits : 926
Average Daily Cache Hits: 1736
Average Cache Efficiency: 71.83%

Domain Cache

Cache Hits : 872
Average Daily Cache Hits: 1575
Number of Entries : 575
Average Hourly Size : 516

Directory Cache

Cache Hits : 54
Average Daily Cache Hits: 161
Number of Entries : 930
Average Hourly Size : 863

Filename Cache

Cache Hits : 0
Average Daily Cache Hits: 0
Number of Entries : 0
Average Hourly Size : 0

URL Cache Backup Status: Cache backup successfully updated on Tue Aug 3 14:56:20 2010

Command Change History
Release  Modification
9.2.1    command is hidden; replaced with setup webpulse show command
8.6.1    setup urlcategory command introduced
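The cache figures above are the ones an operator checks before deciding whether a unit can run with the WebPulse query turned off. As an added illustration (not part of the PacketGuide and not PacketWise code), the following Python parses the "key : value" lines of the setup urlcategory show cache output, sums the per-cache hit counts, and computes the hit rate. SAMPLE_OUTPUT is the page's own example output, embedded here as a constructed string so the script runs offline; the section and key names are taken from that output, and the hits_consistent check is this example's own sanity test.

```python
"""Parse `setup urlcategory show cache` output and derive cache health figures.

Added example; not part of the PacketGuide or of PacketWise itself.
SAMPLE_OUTPUT reproduces the page's example output as a constructed string.
"""
import re

SAMPLE_OUTPUT = """\
Cache
Daily Queries : 1100
Average Daily Queries : 2417
Cache Hits : 926
Average Daily Cache Hits: 1736
Average Cache Efficiency: 71.83%

Domain Cache
Cache Hits : 872
Average Daily Cache Hits: 1575
Number of Entries : 575
Average Hourly Size : 516

Directory Cache
Cache Hits : 54
Average Daily Cache Hits: 161
Number of Entries : 930
Average Hourly Size : 863

Filename Cache
Cache Hits : 0
Average Daily Cache Hits: 0
Number of Entries : 0
Average Hourly Size : 0

URL Cache Backup Status: Cache backup successfully updated on Tue Aug 3 14:56:20 2010
"""

# "Key : value" lines; the key is letters and spaces up to the first colon.
_KV = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.+?)\s*$")


def _coerce(value):
    """Turn '1100' into 1100 and '71.83%' into 71.83; leave other text as-is."""
    stripped = value.rstrip("%")
    for conv in (int, float):
        try:
            return conv(stripped)
        except ValueError:
            continue
    return value


def parse_show_cache(text):
    """Return {section: {key: value}} for each cache section.

    Lines without a colon (Cache, Domain Cache, ...) open a new section.
    The backup status line is stored separately under "Backup Status".
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KV.match(line)
        if m is None:
            current = line
            sections[current] = {}
            continue
        key, value = m.group("key"), m.group("value")
        if key == "URL Cache Backup Status":
            sections["Backup Status"] = value
            continue
        if current is None:
            raise ValueError(f"value line before any section header: {line}")
        sections[current][key] = _coerce(value)
    return sections


def cache_health(sections):
    """Summarise the hit rate and check that per-cache hits add up to the total.

    A low hit rate means that, with WebPulse disabled, most lookups would
    fall through to 'uncategorized' rather than being served from the cache.
    """
    total = sections["Cache"]
    per_cache = ("Domain Cache", "Directory Cache", "Filename Cache")
    summed_hits = sum(sections[name]["Cache Hits"] for name in per_cache)
    queries, hits = total["Daily Queries"], total["Cache Hits"]
    return {
        "hit_rate": hits / queries if queries else 0.0,
        "miss_count": queries - hits,
        "hits_consistent": summed_hits == hits,
        "average_efficiency_pct": total["Average Cache Efficiency"],
    }


if __name__ == "__main__":
    print(cache_health(parse_show_cache(SAMPLE_OUTPUT)))
```

For the page's sample, the domain, directory and filename hit counts (872 + 54 + 0) add up to the 926 total hits, and 926 of 1100 daily queries were answered from the cache, so 174 lookups still needed the WebPulse service that day.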


setup urlcategory test
Looks up the specified URL in the PacketShaper’s cache and returns the category/categories for the URL. Use this command to find out if a URL is in the cache or to see how a URL is being categorized.

setup urlcategory test <url>

where <url> is the URL to be looked up. Follow these guidelines when specifying the URL:

The "www" is optional unless the server can host more than just Web, or if there is another subdomain you want to look up.

Enter the URL exactly as it appears in your browser; you can copy the URL from the browser and paste it into the command window.

Include https:// to do a lookup for a URL hosted on port 443.

Example:

setup urlcategory test betterppt.com/summit

<<Business/Economy>>

setup urlcategory test nps.gov/yose/

No categorization for nps.gov/yose/ found

Notes:

If the command responds with No categorization for <url> found, the specified <url> is not in the cache. You can use the setup urlcategory update command to query WebPulse for the category.

Command Change History
Release  Modification
9.2.1    command is hidden; replaced with setup webpulse test command
8.6.1    setup urlcategory command introduced


setup urlcategory update
Sends a query to the WebPulse cloud service to look up the category of the URL, and returns the category/categories for the URL. The URL and its category ID are then placed into the cache, overwriting any existing entry. If the setup urlcategory test command failed because the URL was not in the cache, you can use the update command to find the category. This command is also useful if you suspect a change in categorization, such as a recent malware notification.

setup urlcategory update <url>

where <url> is the URL to be looked up. Follow these guidelines when specifying the URL:

The "www" is optional unless the server can host more than just Web, or if there is another subdomain you want to look up.

Enter the URL exactly as it appears in your browser; you can copy the URL from the browser and paste it into the command window.

Include https:// to do a lookup for a URL hosted on port 443.

Examples:

setup urlcategory update betterppt.com/summit

<<Business/Economy>>

setup urlcategory update zynga.com

<<Games>><<Social Networking>>

Notes:

If the command responds with <<Unrated>>, the specified <url> is not in the WebPulse database. Check your spelling and try again.

Command Change History
Release  Modification
9.2.1    command is hidden; replaced with setup webpulse update command
8.6.1    setup urlcategory command introduced
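To make the lookup order concrete, here is an added Python model (not PacketWise code) of the behaviour the setup urlcategory, setup urlcategory test and setup urlcategory update entries describe: test consults only the local cache; update always queries WebPulse and overwrites the cached entry; ordinary classification of live traffic tries the cache first and falls back to WebPulse only while the WebPulse query is enabled. parse_response turns the <<Category>><<Category>> response format shown in the examples into a list, treating <<Unrated>> as "not in the WebPulse database". FAKE_WEBPULSE is a constructed in-memory table standing in for the cloud service (its entries are the URLs and categories from the page's examples), and the choice not to cache an Unrated answer is an assumption of this example, since the page does not say how an Unrated result is cached.

```python
"""Model of PacketShaper URL categorization lookups: cache first, WebPulse second.

Added example, not PacketWise code. FAKE_WEBPULSE is a constructed stand-in
for the WebPulse cloud service using the URLs and categories from the page's
own examples.
"""
import re

# One category per <<...>> token; several tokens may be concatenated.
_CATEGORY = re.compile(r"<<([^<>]+)>>")

# Constructed stand-in for the WebPulse database (not the real service).
FAKE_WEBPULSE = {
    "betterppt.com/summit": "<<Business/Economy>>",
    "zynga.com": "<<Games>><<Social Networking>>",
}


def parse_response(text):
    """Split '<<Games>><<Social Networking>>' into ['Games', 'Social Networking'].

    Returns an empty list for <<Unrated>>, which the page says means the URL
    is not in the WebPulse database.
    """
    cats = _CATEGORY.findall(text)
    return [] if cats == ["Unrated"] else cats


class Categorizer:
    """Local category cache plus an optional WebPulse query, as on the unit."""

    def __init__(self, webpulse_enabled=True, query=None):
        self.cache = {}                      # url -> list of category names
        self.webpulse_enabled = webpulse_enabled
        # `query` maps a URL to a raw WebPulse-style response string.
        self._query = query or (lambda url: FAKE_WEBPULSE.get(url, "<<Unrated>>"))

    def test(self, url):
        """setup urlcategory test: cache only; None when the URL is not cached."""
        return self.cache.get(url)

    def update(self, url):
        """setup urlcategory update: ask WebPulse and overwrite any cached entry.

        Assumption of this example: an <<Unrated>> answer is not cached.
        """
        cats = parse_response(self._query(url))
        if cats:
            self.cache[url] = cats
        else:
            self.cache.pop(url, None)
        return cats

    def classify(self, url):
        """Classification of live traffic: cache first, then WebPulse only if
        the WebPulse query is enabled; otherwise the flow stays uncategorized
        (None), exactly the failure mode the page warns about."""
        cached = self.cache.get(url)
        if cached is not None:
            return cached
        if not self.webpulse_enabled:
            return None
        return self.update(url)


if __name__ == "__main__":
    c = Categorizer()
    print(c.test("zynga.com"))       # None: not yet cached
    print(c.classify("zynga.com"))   # ['Games', 'Social Networking']
    print(c.test("zynga.com"))       # now served from the cache
```

Running the model with webpulse_enabled=False reproduces the cache-only behaviour of the setup urlcategory webpulse off setting: URLs already in the cache are still categorized, anything else returns None.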


setup urlcategory webpulse
Enables/disables queries to the WebPulse cloud service. If WebPulse is disabled and categorization is enabled, PacketShaper queries only the PacketShaper cache for URL lookups; if the URL is not in the cache, PacketShaper won't be able to classify the web traffic into a category.

setup urlcategory webpulse on|off

Notes:

Although WebPulse is enabled by default, no category lookups can be performed if URL categorization is off.

In most situations, you will want to enable both WebPulse and URL categorization. In special circumstances, you may want to turn off the WebPulse query, for example, if the PacketShaper is having a problem accessing the WebPulse service, or when troubleshooting a performance problem. When WebPulse is disabled, URL categorization still functions — it uses the URL entries in the cache.

If you have secured the PacketShaper's outside interface, you need to add the fastest WebPulse service points to the exception list. See setup secure.

Command Change History
Release  Modification
9.2.1    command is hidden
8.6.1    setup urlcategory command introduced


setup variable
Change a default variable setting.

setup variable [<variable> <value>|default] | [-reset|-nd]

where <variable> is one of the variables listed below and <value> is the value you want to set the variable to. The default, minimum, and maximum values for each <variable> are listed in the table.

Note: After changing a variable's setting, many variables require that you reset the unit in order for the change to take effect.

To reset all system variables to their defaults, use the setup variable -reset command. To reset a specific variable to its default, use the setup variable <variable> default command. To see a list of all variables that have non-default settings, use the setup variable -nd command.
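As an added example (not PacketWise code), the following Python validates proposed setup variable settings against the default, minimum and maximum values that the table below lists for a handful of the variables, reports which settings differ from their defaults in the spirit of setup variable -nd, and flags settings whose table entries describe a consequence worth a second look: enableSupportForSSHv1 left at its default of 1 (SSHv1 clients accepted; the table notes the change takes effect only after a reset), an ipUserCachePositiveTTL raised above its default (the table warns that stale mappings can cause incorrect user name identification), and PolicyFlowLimitForAllClasses enabled on a unit in a proxy or NAT environment (the table says disabled is appropriate there). VARIABLE_RANGES is transcribed from the table; the audit rules, the nat_or_proxy flag and the sample settings are this example's own.

```python
"""Range-check and audit PacketShaper `setup variable` settings.

Added example, not PacketWise code. VARIABLE_RANGES is transcribed from the
variable table on this page as (default, minimum, maximum); the audit rules
are this example's own reading of the caveats in that table.
"""

VARIABLE_RANGES = {
    "accelerationStrictHostCheck": (0, 0, 1),
    "bridgePassThru": (1, 0, 1),
    "discoveryThresholdPort": (100, 1, 1000000),
    "enableSupportForSSHv1": (1, 0, 1),
    "graphTimeoutSeconds": (60, 1, 600),
    "ipUserCacheNegativeTTL": (1800, 300, 86400),
    "ipUserCachePositiveTTL": (3600, 300, 86400),
    "PolicyFlowLimitForAllClasses": (0, 0, 1),
    "tcpMssInbound": (1460, 0, 65535),
}


def validate(name, value):
    """Return (ok, message) for `setup variable <name> <value>`.

    The literal 'default' is accepted, as the command syntax allows; any other
    value must be an integer within the table's [min, max] range.
    """
    if name not in VARIABLE_RANGES:
        return False, f"{name}: unknown variable"
    default, lo, hi = VARIABLE_RANGES[name]
    if value == "default":
        return True, f"{name}: reset to default {default}"
    try:
        number = int(value)
    except (TypeError, ValueError):
        return False, f"{name}: value must be an integer or 'default'"
    if not lo <= number <= hi:
        return False, f"{name}: {number} outside [{lo}, {hi}]"
    return True, f"{name}: {number} accepted"


def non_default(settings):
    """Like `setup variable -nd`: variables whose value differs from the default."""
    return {n: v for n, v in settings.items()
            if n in VARIABLE_RANGES and v != VARIABLE_RANGES[n][0]}


def audit(settings, nat_or_proxy=False):
    """Return (variable, finding) pairs for settings the table flags as consequential.

    `settings` maps variable name -> current integer value; variables not
    present are taken to be at their default, as on a freshly reset unit.
    """
    current = {n: settings.get(n, spec[0]) for n, spec in VARIABLE_RANGES.items()}
    findings = []
    if current["enableSupportForSSHv1"] == 1:
        findings.append(("enableSupportForSSHv1",
                         "SSHv1 clients are accepted; set to 0 and reset the unit "
                         "so that only SSHv2 clients are supported"))
    if current["ipUserCachePositiveTTL"] > VARIABLE_RANGES["ipUserCachePositiveTTL"][0]:
        findings.append(("ipUserCachePositiveTTL",
                         "above the default: stale IP-to-user mappings may cause "
                         "incorrect user name identification"))
    if nat_or_proxy and current["PolicyFlowLimitForAllClasses"] == 1:
        findings.append(("PolicyFlowLimitForAllClasses",
                         "enabled in a proxy/NAT environment; the table says "
                         "disabled is the appropriate setting there"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a unit whose SSHv1 support was never turned off.
    sample = {"enableSupportForSSHv1": 1, "ipUserCachePositiveTTL": 86400}
    print(validate("graphTimeoutSeconds", "601"))
    print(non_default(sample))
    for var, finding in audit(sample, nat_or_proxy=True):
        print(f"{var}: {finding}")
```

The audit takes the current values as input because the page gives no machine-readable form for setup variable -nd output; in practice the dictionary would be filled from that command's output collected over the management session.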

Variable / Description
(each entry lists its Default Value, Min. Value, and Max. Value)

accelerationStrictHostCheck
Default: 0 (off)   Min: 0 (off)   Max: 1 (on)
When this variable is enabled, outbound TCP flows will be accelerated only if the source host is configured (or discovered) on the local device and the destination host is configured/discovered as a remote host via the outbound tunnel. Likewise, inbound accelerated flows will not be intercepted unless the source host is configured/discovered as a remote host via the inbound tunnel and the destination host is configured/discovered on the local device.

Certain topologies require this variable to be enabled in order for acceleration to work properly:

Multiple inline PacketShapers

Hub-and-spoke topologies in which traffic accelerated at the edge PacketShaper will pass through an intermediate PacketShaper at the central site

Notes:

Enabling this variable may result in a slight degradation of performance for XTP acceleration, since lookup and validation of local and remote hosts are done per packet. SCPS acceleration does not have this side effect.

If packets pass through the same PacketShaper multiple times, it may be necessary to restrict hosts (using the tunnel discovery host command), to manually provision hosts on a particular side (using the hostdb side manual command), or to disable host discovery (using the tunnel discovery command).

autoCreateSameSide
Default: 1 (on)   Min: 0 (off)   Max: 1 (on)
When this variable is enabled, the SameSide class is created automatically. When disabled, the SameSide class will not be auto-created. You may want to disable this variable if traffic is being misclassified into the SameSide class.

bridgePassThru
Default: 1 (on)   Min: 0 (off)   Max: 1 (on)
With bridgePassThru enabled, the PacketShaper forwards packets that have a source and destination MAC address on the same side of the unit. When bridgePassThru is disabled and traffic shaping is enabled, the PacketShaper drops packets that have source and destination MAC addresses on the same side.

cmprsnDiffservInterop
Default: 1 (on)   Min: 0 (off)   Max: 1 (on)
Preserve TOS (Type-of-Service) IP header values on compressed packets. When this option is enabled, TOS values will be preserved on IPComp packets. When it is disabled, TOS values will not be preserved on compressed packets.

Note: This variable is applicable to legacy compression tunnels only.

cmprsnDiffservReapply
Default: 0 (off)   Min: 0 (off)   Max: 1 (on)
Reapply network-modified TOS IP header values to decompressed packets. When this option is enabled, the decompressing PacketShaper will compare the original TOS value of the compressed packets to the TOS value in the IPComp packet’s IP header. If the network modified the TOS value of the IPComp packet, Xpress will apply this modified TOS value to the original packets as they are decompressed.

Notes:

The cmprsnDiffservInterop variable must also be enabled.

This variable is applicable to legacy compression tunnels only.

cmprsnEnablePacking
Default: 0 (off)   Min: 0 (off)   Max: 1 (on)
When packing is enabled, multiple packets are combined into a single "super packet," in order to save on overhead. Packing increases compression rates because less data is being sent out on the wire.

On very busy links, packing doesn't cause much latency because the packets are bundled and sent off quickly. On less active links, Xpress may have to wait to get enough packets in a bundle, possibly creating application performance problems. If you are experiencing latency, try lowering the packing hold time or disabling it altogether.

Note: This variable is applicable to legacy compression tunnels only.

cmprsnFirewallSupport
Default: 0   Min: 0   Max: 2
Enables/disables firewall support for the Xpress compression feature. If set to 0, Xpress firewall support is disabled; use this setting when there is not a firewall between partner units.

When there is a firewall between partner units, you should enable firewall support by selecting either 1 or 2:

1: Firewall support is enabled only when compression is ON.

2: Firewall support stays enabled for persistent flows even after disabling compression. When compression is turned off, any TCP flows already hidden from the firewall continue to be hidden (tunneled), but new TCP flows are not hidden.

Note: This variable is applicable to legacy compression tunnels only.

cmprsnHostEntries
Default: 0*   Min: 2   Max: 99999
The maximum number of hosts and partners that can be defined to use the compression facility

* 0 indicates that the default system limit will be used; the system limit depends on the amount of memory installed in the unit

cmprsnInsideHostMode
Default: 0 (inclusive)   Min: 0 (inclusive)   Max: 1 (exclusive)
Set inside host lists to be inclusive or exclusive. If inclusive, inbound traffic destined to inside hosts on the host list is eligible for tunneling. If exclusive, traffic destined to the listed hosts is not sent through the Xpress tunnel but all other inside hosts are eligible for tunneling. Use the tunnel discovery host command to create the list.

cmprsnMaxRetransmissions
Default: 5   Min: 0   Max: 99
The maximum consecutive retransmissions of a packet before a compression tunnel is shut down

cmprsnOutsideHostMode
Default: 0 (inclusive)   Min: 0 (inclusive)   Max: 1 (exclusive)
Set outside host lists to be inclusive or exclusive. If inclusive, outbound traffic destined to outside hosts on the host list is eligible for tunneling. If exclusive, traffic destined to the listed hosts is not sent through the Xpress tunnel but all other outside hosts are eligible for tunneling. Use the tunnel discovery host command to create the list.

cmprsnPackingHoldTimeMsecs
Default: 10   Min: 0   Max: 1024
Maximum number of milliseconds packets will be held for packing. When PacketShaper receives a packet, it is held up to the maximum packing hold time (10ms by default), waiting to be combined with additional packets. After that time expires, Xpress compresses all the accumulated packets into a super packet and sends it out.

Note: This variable is applicable to legacy compression tunnels only.

cmprsnPartnerMode
Default: 0 (inclusive)   Min: 0 (inclusive)   Max: 1 (exclusive)
Set tunnel partner lists to be inclusive or exclusive. If inclusive, Xpress creates tunnels only with the listed PacketShapers. If exclusive, Xpress does not establish tunnels with the listed PacketShapers; only PacketShapers not listed will have tunnels established. Use the tunnel discovery partner command to create the list.

cmprsnRSVPPathDiscard
Default: 0 (off)   Min: 0 (off)   Max: 1 (on)
When cmprsnRSVPPathDiscard is disabled (the default), the PacketShaper will respond to an RSVP (Resource Reservation Protocol) message from another PacketShaper and continue to pass the original RSVP packet to the inside to any other PacketShapers that may be downstream.

When this variable is enabled, the PacketShaper will respond to the RSVP message but will not send the packet on. Note that the packet will be discarded only when compression is enabled and when the RSVP packet is moving inwards.

Note: This variable is applicable to legacy compression tunnels only.

cmprsnTransparentTrigger
Default: 2   Min: 0   Max: 99
The number of consecutive retransmissions of a packet before Xpress disables the compression tunnel and sends packets in the clear (uncompressed). The tunnel will resume normal operation after it gets an acknowledgment for the retransmitted packets; if acknowledgment is not received before the Tunnel shutdown threshold is reached, the tunnel will be shut down.

Note: This variable is applicable to legacy compression tunnels only.

DiffservClassSortPref
Default: 0   Min: 0   Max: 2
Controls the sort order of the traffic tree, with respect to Diffserv classes (those with DSCP marks). Three settings are available:

0  Diffserv classes are sorted below IP-address-based classes, but above port-based classes (the default).

1  Diffserv classes are sorted above IP-address-based classes

2  Legacy sort order (Diffserv classes are sorted after IP-address-based classes, port-based classes, and auto-discovered classes)

Note: The new sort order doesn't take effect until the unit is rebooted.

discoveryThresholdDynamicPort
Default: 2   Min: 1   Max: 1000000
The number of new connections of an identifiable service to a port greater than 1024 that must be identified within a one-minute timeframe before PacketWise creates a class

discoveryThresholdNonIP
Default: 2   Min: 1   Max: 1000000
The number of new non-IP connections of a given type that must be identified within a one-minute timeframe before PacketWise creates a class

discoveryThresholdNormal
Default: 1   Min: 1   Max: 1000000
The number of new connections of an identifiable service to a port less than or equal to 1024 that must be identified within a one-minute timeframe before PacketWise creates a class

discoveryThresholdPort
Default: 100   Min: 1   Max: 1000000
The number of new connections to a particular port within a one-minute timeframe before PacketWise creates a Port_#### class in the DiscoveredPorts folder

It may be necessary to increase this value on Internet link deployments to prevent an excessive number of DiscoveredPorts classes being created. If you don’t want any Port_#### classes discovered, set this variable to its maximum value.

discoveryThresholdUrlCategories
Default: 1   Min: 1   Max: 1000000
The number of new flows belonging to a particular URL category that must be identified within a one-minute time frame before PacketWise creates a class for the category

dynPtnActiveReuseSeconds
Default: 300 (5 min)   Min: 10   Max: 7200 (2 hrs)
The number of seconds a dynamic partition will be retained after an established flow has sent packets

Note: If no other user needs a dynamic partition, the partition will be retained indefinitely.

dynPtnIdleReuseSeconds
Default: 30   Min: 10   Max: 7200 (2 hrs)
The number of seconds a dynamic partition will be retained after an established flow has not sent or received packets

Note: If no other user needs a dynamic partition, the partition will be retained indefinitely.

dynPtnSequestrationCount
Default: 3   Min: 0   Max: 99
The number of partitions reserved for static partitions; all other partitions can be used for dynamic or static partitions (applicable to PacketShaper 1200 and 1500 only)

enableCongestion
Default: 1 (on)   Min: 0 (off)   Max: 1 (on)
Enable/disable the calculation of packet exchange time. When this variable is disabled, the Pkt Exch column on the Monitor Traffic page will not appear, RTM will not be available, and the packet exchange time and RTM measurement variables will always have a value of 0.

After disabling the enableCongestion variable, you should reset the unit.

enableLatency
Default: 0 (off)   Min: 0 (off)   Max: 1 (on)
Enable/disable the calculation of VoIP metrics. When this variable is enabled, PacketWise collects data that measure packet loss, jitter, and latency for VoIP flows.

Notes:

VoIP metrics can only be measured between PacketShapers with the VoIP metrics feature enabled.

The VoIP metrics feature can measure traffic only from VoIP applications whose data is classified as RTP-I. For instance, latency metrics are not provided for DialPad, iChat, Vonage, and Skype.

enableSTUNclassification
Default: 1 (on)   Min: 0 (off)   Max: 1 (on)
Enable/disable classification of the STUN (Session Traversal Utilities for NAT) protocol. Audio/video flows are first classified as STUN and then as RTP/RTCP. When enabled, PacketShaper will auto-discover the STUN class.

If your network has a lot of STUN traffic, you may want to disable STUN classification to improve performance.

Note: RTP/RTCP will still be classified even when STUN classification is disabled.

enableSupportForSSHv1
Default: 1 (on)   Min: 0 (off)   Max: 1 (on)
Enable/disable support for Secure Shell version 1 (SSH v1) for secure access to the PacketShaper. When this variable is enabled, the PacketShaper can be accessed with SSHv1 and SSHv2 clients. When this variable is disabled, only SSH clients using the SSHv2 protocol version are supported.

Note that this variable doesn’t take effect until the PacketShaper is reset.

enableVoIPUseragentAutoDiscovery
Default: 0 (off)   Min: 0 (off)   Max: 1 (on)
RTP auto-discovery is based on the VoIP user-agent attribute when this variable is enabled. When this variable is disabled (as it is by default), RTP auto-discovery is based on the RTP-I encoding attribute.

When this variable is enabled and RTP-I is auto-discovered, it will auto-discover child classes based on VoIP user agent traffic (such as RTP-I-Motorola_VT1000 and RTP-I-Google_Talk).

enableWinnyClassification
Default: 0 (off)   Min: 0 (off)   Max: 1 (on)
Enable/disable classification of the Winny service. For optimal performance, enable only when management of Winny traffic is required.

Note: The Winny peer-to-peer application is used primarily in Japan.


flowRecordsIntermediateTimeout
Default: 1500   Min: 1000   Max: 36000
Number of milliseconds between generation and sending of intermediate flow detail records when traffic is present

flowRecordsPktr0Timeout
Default: 3600   Min: 10   Max: 5000
Number of seconds between generation and sending of Packeteer-0 flow records.

flowRecordsPktrPTimeout
Default: 60   Min: 10   Max: 5000
Number of seconds between generation and sending of Packeteer-P flow records.

flowRecordsResetCounters
Default: 1 (on)   Min: 0 (off)   Max: 1 (on)
Controls whether or not the counter fields in FDR packets are reset with each intermediate FDR sent

Note: This variable only affects Packeteer-1 and Packeteer-2 format FDRs: counter fields are always reset in the NetFlow-5 format.

flowRecordsSendIntermediate
Default: 0 (off)   Min: 0 (off)   Max: 1 (on)
Enable/disable the intermediate flow detail records feature. When this variable is enabled, PacketWise emits intermediate FDRs at the interval specified by the flowRecordsIntermediateTimeout variable.

Note: Enable the intermediate flow detail records feature only when using a suitably-instrumented collector, such as Cisco-based Netflow-5 collectors. IntelligenceCenter does not support intermediate FDRs.

flowRecordsSendPktrP
Default: 0 (off)   Min: 0 (off)   Max: 1 (on)
Enable/disable emission of Packeteer-P packets to Packeteer-1 and Packeteer-2 flow detail record collectors. Packeteer-P packets contain statistics that are not related to particular flows, but rather provide information about utilization on the PacketShaper at the time flows are recorded. If this variable is enabled, Packeteer-P records are sent after each UDP flow record packet is sent to Packeteer-1 or Packeteer-2 collectors (not more than once per minute).

flowRecordsSendPktr0
Default: 0 (off)   Min: 0 (off)   Max: 1 (on)
Enable/disable emission of Packeteer-0 packets to Packeteer-1 and Packeteer-2 flow detail record collectors. Packeteer-0 packets are mapping messages that allow collectors to decipher PacketShaper-related information in the FDRs they receive. For example, in the FDR’s ClassID field, a value identifies the traffic class. In order for the collector to understand what class is actually associated with the ID, it uses the class map — a list that contains each traffic class on the unit along with the identifying number assigned to each class. If this variable is enabled, Packeteer-0 mappings are sent out approximately once each hour. Note that this variable needs to be enabled only if the collector does not know this information through other means.

frameMaxRouteEntries
Default: 300   Min: 25   Max: 2000
The maximum number of route entries PacketWise can import from a FRAD or ATM routing table.

Note: This variable is not supported on the PacketShaper 900 Lite models.

graphTimeoutSeconds
Default: 60   Min: 1   Max: 600 (10 min)
The maximum number of seconds a graph can take to generate in the browser interface; if the graph takes longer to generate than this value, a system timeout error message will appear.

Note: Increasing this setting can make the browser interface appear to "freeze" while PacketWise is generating some of the more complex graphs. Sometimes the browser will not display the page until all of the graphs are generated.

hostTspecCacheInside
Default: 1 (inside)   Min: 0 (outside)   Max: 1 (inside)
Enable/disable caching of IP address-based classes on the inside. Change this setting to outside (0) to increase performance of classification if the majority of IP addresses in manually created classes are on the outside, rather than the inside. To disable the caching of inside IP address-based classes, use the setup variable hostTspecCacheInside 0 command. After you reset the PacketShaper, IP address-based classes will be cacheable on the outside. To re-enable caching for inside classes, use the setup variable hostTspecCacheInside 1 command.

httpStealth503
Default: 0   Min: 0   Max: 2
Control the display of the “503 - Service unavailable” server error message when a connection is refused because of admission control (such as a never-admit policy).

0 — The “503 - Service unavailable” message will be customized with the text “This message is sent by Blue Coat PacketShaper.”

1 — The PacketShaper text is not displayed with the “503 - Service unavailable” message.

2 — PacketWise performs a TCP reset and drops the HTTP request; the error message will likely be “The attempt to load http://... failed.”

ipUserCacheNegativeTTL
Default: 1800   Min: 300   Max: 86400
The number of seconds an IP will be stored in the PacketShaper cache, when the IP lookup does not result in a user.

ipUserCachePositiveTTL
Default: 3600   Min: 300   Max: 86400
The number of seconds an IP-user name mapping will be stored in the PacketShaper cache. By default, the user mappings are stored for one hour. Because querying the cache is faster than querying the BCAAA server, you can accelerate user name lookups by increasing the cache timeout. However, the tradeoff is that stale mappings could cause incorrect user name identification.

latencyProbeDiscard
Default: 0   Min: 0   Max: 1
Allows the PacketShaper to be configured to discard VoIP latency probes after responding. If VoIP devices located on the Inside of the PacketShaper are sensitive to VoIP latency probes, enabling this variable will prevent potential VoIP call drops.

LFNSupport
Default: 0 (off)   Min: 0 (off)   Max: 1 (on)
When enabled, this setting improves performance on Long Fat Networks (LFN), which require larger TCP window sizes. An LFN is a long distance network with large bandwidth and long delay; for example, high-capacity satellite channels are LFNs.

linkOverheadBytes
Default: 0   Min: 0   Max: 256
Number of bytes that are added to each packet to account for WAN protocol header overhead

linkOverheadPpt
Default: 35 (3.5%)   Min: 0   Max: 1024
Number of parts per thousand* by which packet sizes are increased to account for link overhead. This adjustment is useful for links that do bit stuffing. (Bit stuffing is the practice of adding bits to a stream of data. Bit stuffing is required by many network and communications protocols, for example to prevent data from being interpreted as control information.)

* to be more precise, it’s actually parts per 1024

mirrorLinks
Default: 0 (off)   Min: 0 (off)   Max: 1 (on)
Enable/disable link state mirroring. With link state mirroring, PacketWise will bring down the second port of a NIC pair if the first goes down. This feature allows each PacketShaper to sit between a WAN router and a switch without blocking detection of switch outages by the router. Link state mirroring is automatically enabled when direct standby is enabled.

Note: When direct standby is enabled and a LEM port is being used for the standby direct link, link state mirroring will be disabled on this LEM, but enabled on all other INSIDE/OUTSIDE pairs. If the built-in Standby port on the PS12000 is being used, link state mirroring will be enabled on all INSIDE/OUTSIDE pairs.

mplsSecondLabelIndex
Default: 1   Min: 1   Max: 5
Designates the MPLS label stack position (1-5) to be looked at for classification purposes. By default, PacketWise looks at the top MPLS label (1), which identifies the path through the core. If you want to classify by other MPLS labels (2-5) in the MPLS stack, you need to change this system variable to identify the stack position.

nicUseBuiltinStandby
Default: 1 (on)   Min: 0 (off)   Max: 1 (on)
Controls which interface is used for direct standby on a PacketShaper 12000. When enabled, the built-in 10/100/1000Base-T Standby port is used for direct standby. When disabled, the outside interface of the right-most bridge pair on an installed LEM is used for direct standby. This variable does not take effect until the PacketShaper is reset.

Note: This variable is applicable to the PacketShaper 12000 only.

PolicyFlowLimitForAllClassesEnables/disables the policy flow limit feature. When enabled,PacketWise will enforce all policy flow limits that have been set ontraffic classes. When disabled, all policy flow limits will be ignored.Disabled is the appropriate setting for PacketShapers deployed in proxyor NAT environments. For additional information, see policy flowlimit.

0 (off)

0(off)

1(on)

probeIntervalSeconds
Number of seconds between the issuance of VoIP latency probes that measure VoIP metrics, enabled by the enableLatency variable.

Default: 5   Minimum: 1   Maximum: 60

rtoInboundClampMsecs
Number of milliseconds delay for clamping early retransmission timeout on Inbound packets. Puts a maximum on retransmit time.

Default: 1600   Minimum: 0 (disable)   Maximum: 3000 (3 sec)

rtoOutboundClampMsecs
Number of milliseconds delay for clamping early retransmission timeout on Outbound packets.

Default: 1600   Minimum: 0 (disable)   Maximum: 3000 (3 sec)

syntheticReadTimeoutSeconds
Number of seconds after which a synthetic transaction will end when the response received is incomplete.

Note: This variable is not supported on PacketShaper ISP models.

Default: 5   Minimum: 1   Maximum: 1000

syntheticWriteTimeoutSeconds
Number of seconds after which a synthetic transaction will be canceled if the server fails to respond to a request.

Note: This variable is not supported on PacketShaper ISP models.

Default: 60   Minimum: 10   Maximum: 5000

tcpClipInitialWindow
When tcpClipInitialWindow is enabled, the PacketShaper will always reduce the initial TCP window size to 1x MSS (maximum segment size).

When this variable is disabled, new flows will ramp up faster but enforcement of small rate policies and/or partitions may not work at the beginning of flows.

Default: 1 (on)   Minimum: 0 (off)   Maximum: 1 (on)

tcpMssInbound
Maximum segment size of TCP packets on Inbound flows. This setting can help avoid packet fragmentation when using VPN and not being able to support 1500-byte packets (the default size) through the VPN tunnel.

Default: 1460 bytes   Minimum: 0   Maximum: 65535

tcpMssOutbound
Maximum segment size of TCP packets on Outbound flows.

Default: 1460 bytes   Minimum: 0   Maximum: 65535

tcpSmallMssLinkSpeed
Link speeds slower than this value will force the use of a smaller MSS (maximum segment size). Prevents PacketWise from changing the MSS on large WAN links.

Default: 384000 bps   Minimum: 0   Maximum: 512000

tnlDontSpanPackets
When packets are being packed into super packets, this variable determines whether a packet's contents will be spanned across two super packets. By default, packets are not spanned.

Default: 1 (on)   Minimum: 0 (off)   Maximum: 1 (on)

tnlInheritInbound
Determines how Xpress selects an outbound tunnel when a destination host is reachable via multiple routes. When this variable is enabled, Xpress will choose the tunnel that first serviced the inbound flow. When this variable is disabled, Xpress will choose the tunnel it discovered first.

Default: 0 (off)   Minimum: 0 (off)   Maximum: 1 (on)

tnlLocalArpDiscovery
One of three mechanisms for discovering local hosts for Xpress tunnels. When localArpDiscovery is enabled, Xpress extracts the source IP address from a valid ARP request or response and adds it as a local host for Xpress tunnels.

This mechanism is enabled by default but only operates when global host discovery is enabled with the tunnel discovery command. This variable can be disabled for troubleshooting host discovery on different network topologies.

Note: This variable is applicable to enhanced tunnels only.

Default: 1 (on)   Minimum: 0 (off)   Maximum: 1 (on)

tnlLocalIpDiscovery
One of three mechanisms for discovering local hosts for Xpress tunnels. When localIpDiscovery is enabled, Xpress extracts the IP addresses of all inside hosts and adds them to the local host list for Xpress tunnels.

This mechanism is enabled by default but only operates when global host discovery is enabled with the tunnel discovery command. This variable can be disabled for troubleshooting host discovery on different network topologies.

Note: This variable is applicable to enhanced tunnels only.

Default: 1 (on)   Minimum: 0 (off)   Maximum: 1 (on)

tnlLocalOspfDiscovery
One of three mechanisms for discovering local hosts (subnets) for Xpress tunnels. When the OSPF (Open Shortest Path First) routing protocol is configured on a router, the router will broadcast link-state advertisement (LSA) messages to its subnets. When localOspfDiscovery is enabled, Xpress will examine these LSA messages, looking for any subnets that are local to the PacketShaper. These hosts will then be added to the local host list.

This mechanism will not work in a redundant topology and is disabled by default. In a non-redundant topology, you have the option of enabling this variable if you so choose.

Note: This variable is applicable to enhanced tunnels only.

Default: 0 (off)   Minimum: 0 (off)   Maximum: 1 (on)

tnlRemoteRsvpDiscovery
A mechanism for discovering remote hosts for Xpress tunnels. When remoteRsvpDiscovery is enabled, Xpress sends RSVP Path request messages and if another Xpress unit along the path recognizes the host (host being probed for) as a local host, it will respond with an RSVP Resv reply message. If an RSVP Resv reply message is received for a host, the host will be added to the list of remote hosts.

This mechanism is enabled by default but only operates when global host discovery is enabled with the tunnel discovery command. This variable can be disabled for troubleshooting host discovery on different network topologies.

Note: This variable is applicable to enhanced tunnels only.

Default: 1 (on)   Minimum: 0 (off)   Maximum: 1 (on)

tnlTcpServerPort
The TCP port number that Xpress tunnels use for transport.

Notes:

- Traffic from any user machine sourcing from this port will not be accelerated.
- When you change the TCP port number, only new tunnels (those formed after the change) will use the new port. If there were any tunnels using the old port, be sure to delete them so that all tunnels use the same port.

Default: 64600   Minimum: 1   Maximum: 65535

trafficIsAsymmetric
By turning on this setting, PacketWise will automatically assume all flows are asymmetric and stop TCP Rate Control. In topologies where there are a large percentage of asymmetric flows, this may be more efficient than attempting to apply regular rate control. In addition to disabling rate control, turning on this setting disables all layer 7 classification activities (PacketWise must see traffic in both directions in order to classify layer 7).

Default: 0 (off)   Minimum: 0 (off)   Maximum: 1 (on)

uiDefaultSky
The user interface that appears after logging in to the browser interface: Blue Coat Sky or the original (legacy) user interface.

Default: 1 (Sky)   Minimum: 0 (legacy)   Maximum: 1 (Sky)

userEventExtSnmpVersion
Enable/disable the extended SNMP trap for user events. When this variable is turned on, there will be an additional field in the trap that indicates the type of situation that triggered the trap. The field indicates violated (when the threshold was exceeded) or rearm (when the re-arm value was crossed).

Default: 0 (off)   Minimum: 0 (off)   Maximum: 1 (on)

userEventMaxDefinitions
The maximum number of events that can be user-defined.

Default: 32   Minimum: 32   Maximum: 128

userEventMaxRegistrations
The maximum number of events that can be registered.

Default: 32   Minimum: 32   Maximum: 128

userSessionIdleTimeout
This variable controls how many seconds it takes for an idle login session to get purged from the system. You might need to increase this value if the session times out before PacketShaper can authenticate a login password, for example, when there is latency on the network or when a RADIUS or TACACS implementation is in use. Note that this variable does not apply to idle sessions that have already been authenticated, only to new sessions that have not yet been authenticated. Introduced in PacketWise 9.2.2.

Default: 30   Minimum: 30   Maximum: 360 (6 min)

wccpRedirectUseShaperMAC
This variable determines which source MAC address will be used for packets that are rejected by the cache device in WCCP redirection mode. When this variable is enabled, the MAC address of the PacketShaper will be used as the source. When the variable is disabled, the MAC address of the paired cache device will be used.

This variable should be disabled when the cache device and the clients are on different subnets in a VLAN topology. Other supported topologies should use the default setting (on).

Default: 1 (on)   Minimum: 0 (off)   Maximum: 1 (on)

xpressLegacyMemoryRatio
Percent of memory to assign to legacy tunnels when in migration mode. For example, a ratio of 30 would allocate 30 percent of memory to legacy compression tunnels and 70 percent to enhanced Xpress tunnels.

Default: 50   Minimum: 20   Maximum: 80

xpressMode
Mode for Xpress tunnels.

0 — Legacy mode uses the PacketWise v6.x/7.x tunnel infrastructure. In legacy mode, the commands and capabilities are limited to those that were available in PacketWise 7.x. A tunnel's sole capability in legacy mode is to transport compressed data.
1 — Enhanced mode uses the new PacketWise 8.x tunnel infrastructure. In enhanced mode, a tunnel serves multiple purposes and can include one or more of the following features: compression, acceleration, and packing.
2 — Migration mode supports both types of tunnels: legacy and enhanced. Use this mode when migrating from earlier versions of PacketWise. For more information about migration mode, see Information about Migration Mode.

The default mode for new installations is enhanced mode. The default for units that have upgraded to 8.x is migration mode.

Default: 1 or 2   Minimum: 0   Maximum: 2

Command Change History

Release  Modification
9.2.2    userSessionIdleTimeout variable introduced
8.7.1    nicUseBuiltinStandby variable introduced
8.6.1    discoveryThresholdUrlCategories variable introduced
8.5.3    Default setting for PolicyFlowLimitForAllClasses was changed to off
8.5.1    uiDefaultSky variable introduced
8.3.2    latencyProbeDiscard variable introduced
8.3.1    diffservClassSortPref and mplsSecondLabelIndex variables introduced; browserHttpAcceleration variable removed
8.2.0    autoCreateSameSide, cmprsnRSVPPathDiscard, tcpClipInitialWindow, and wccpRedirectUseShaperMAC variables introduced; tnlEnableIngress variable removed
8.1.1    enableSupportForSSHv1 variable introduced
8.0.1    tnlInheritInbound, userEventExtSnmpVersion variables introduced
8.0.0    The following variables were introduced: flowRecordsSendIntermediate, flowRecordsIntermediateTimeout, flowRecordsResetCounter, enableLatency, probeIntervalSeconds, enableWinnyClassification. The following Xpress variables were introduced: tnlLocalArpDiscovery, tnlLocalIpDiscovery, tnlLocalOspfDiscovery, tnlRemoteRsvpDiscovery, tnlDontSpanPackets, tnlTcpServerPort, accelerationStrictHostCheck

PacketGuide™ for PacketWise® 9.2


setup web-proxy
Enable/disable the web proxy feature. When this feature is enabled, the configured web-proxy server handles the WebPulse requests, category map downloads, heartbeat emissions, support status updates, and plug-in and image updates. Because some PacketWise features (such as URL categories) access external servers on the Internet, you must configure an explicit web proxy for the PacketShaper if your company's security policy requires that all outbound traffic go through a proxy. The topology should look like this:

LAN Switch-->PacketShaper-->Proxy--->Router-->Internet

setup web-proxy on|off

See also:

setup web-proxy server

setup web-proxy show

setup web-proxy default

Command Change History

Release  Modification
8.6.1    setup web-proxy command introduced


setup web-proxy default
Returns web proxy settings to their defaults so that they can be inherited from the parent configuration.

setup web-proxy default

See also:

setup web-proxy server

setup web-proxy show

Command Change History

Release  Modification
8.6.3    default option introduced
8.6.1    setup web-proxy command introduced


setup web-proxy server
Configure the IP address and port of the web proxy server. All PacketWise features that access external servers on the Internet will go through the proxy server. This server handles WebPulse requests, category map downloads, heartbeat emissions, support status updates, and plug-in and image updates.

setup web-proxy server <ip-address>:<port>

The <ip-address> of the web proxy server must be reachable by the PacketShaper.

Example:

setup web-proxy server 10.9.66.12:8000

Note: If you are securing the outside interface, you need to add this server's IP address to the exception list. See setup secure. You may also need to add the server's address to the firewall's white list, if required.

See also:

setup web-proxy

setup web-proxy show

Command Change History

Release  Modification
8.6.1    setup web-proxy command introduced


setup web-proxy show
Display the web proxy settings.

setup web-proxy show

Sample output:

Web Proxy Settings
  Status      : on
  Server IP   : 10.9.66.12
  Server port : 8000

See also:

setup web-proxy

setup web-proxy server

Command Change History

Release  Modification
8.6.1    setup web-proxy command introduced


setup webpulse
Enables/disables the WebPulse enhanced classification feature. When WebPulse is enabled, the PacketShaper can classify by URL categories, web applications, and web operations. It is disabled by default.

setup webpulse on|off

When you enable WebPulse, you will have the ability to:

- create classes based on specific URL categories, and PacketShaper will then classify web traffic that corresponds to each of these categories into the appropriate class
- auto-discover category classes (you must first create an "all categories" class and enable class discovery)
- create classes based on specific web applications and operations
- auto-discover web application classes

When WebPulse is turned on and the WebPulse Query option is enabled, PacketShaper will send URL queries to the WebPulse cloud service; the service will look up the URL in its extensive database to find the categories, web applications, and/or actions associated with the URL, and send the response back to PacketShaper for classification. If WebPulse is disabled, the PacketShaper will look up the URL in its cache; if the URL is not in the cache, PacketShaper won't be able to classify the web traffic into a category.

Note: If you have secured the PacketShaper's outside interface, the WebPulse feature requires that you add the following servers to the exception list: the fastest WebPulse service points (use the setup urlcategory show service command to find the IP addresses), the category map update server (sitereview.bluecoat.com), and the support update server (updates.bluecoat.com). See setup secure.

Command Change History

Release  Modification
9.2.1    setup webpulse command introduced; replaces setup urlcategory command (now hidden)


setup webpulse cache-test
Looks up the specified URL in the PacketShaper's local cache and returns the category, web application, and operation names for the URL. Use this command to find out if a URL is in the cache or to see how a URL is being categorized.

setup webpulse cache-test <url>

where <url> is the URL to be looked up. Follow these guidelines when specifying the URL:

- The "www" is optional unless the server can host more than just Web, or if there is another subdomain you want to look up.
- Enter the URL exactly as it appears in your browser; you can copy the URL from the browser and paste it into the command window.
- Include https:// to do a lookup for a URL hosted on port 443.

# setup webpulse cache-test facebook.com

Category: Social Networking
Web application: Facebook
Operation: Unknown

# setup webpulse cache-test groupon.com

No categorization for groupon.com found.

Notes:

If the command responds with No categorization for <url> found, the specified <url> is not in the cache. You can use the setup webpulse cache-update command to query WebPulse for the category.

Command Change History

Release  Modification
9.2.1    setup webpulse cache-test command introduced; replaces setup urlcategory test command (now hidden)


setup webpulse cache-update
Sends a query to the WebPulse cloud service to look up the category, web application, and operation of the URL. The URL and its category ID, web application ID, and operation ID are then placed into the URL cache, overwriting any existing entry. If the setup webpulse cache-test command failed because the URL was not in the cache, you can use the cache-update command to find the category, web application, or operation. This command is also useful if you suspect a change in categorization, such as a recent malware notification.

setup webpulse cache-update <url>

where <url> is the URL to be looked up. Follow these guidelines when specifying the URL:

- The "www" is optional unless the server can host more than just Web, or if there is another subdomain you want to look up.
- Enter the URL exactly as it appears in your browser; you can copy the URL from the browser and paste it into the command window.
- Include https:// to do a lookup for a URL hosted on port 443.

If the command responds with <<Unrated>>, the specified <url> is not in the WebPulse database. Check your spelling and try again.

Examples:

# setup webpulse cache-update craigslist.org

Category: Shopping
Web application: Craigslist
Operation: Unknown

# setup webpulse cache-update youtube.com

Category: Open/Mixed Content, Audio/Video Clips
Web application: YouTube
Operation: Unknown

Command Change History

Release  Modification
9.2.1    setup webpulse cache-update command introduced; replaces setup urlcategory update command (now hidden)


setup webpulse discovery
Enables/disables discovery of specific URL categories, or all categories. By default, discovery is enabled for each category. You may want to disable discovery of the categories that you aren't interested in monitoring or controlling. By doing so, you will not clutter your traffic tree with classes you don't need to track.

setup webpulse discovery on|off|inherit <category_name>|all

where <category_name> is the exact name of the category. To see a list of category names, use the setup urlcategory show categories command. If the category name has a space, enclose the name in quotes.

If the unit is in shared mode, you can use the inherit option to inherit the category discovery settings from the parent configuration.

Example

To disable discovery of the Society/Daily Living category:

setup webpulse discovery off "Society/Daily Living"

To reenable discovery of all categories:

setup webpulse discovery on all

Command Change History

Release  Modification
9.2.1    setup webpulse discovery command introduced; replaces setup urlcategory discovery command (now hidden)


setup webpulse map-download
Initiates a download of the latest WebPulse mapping files for identifying URL category names, web application names, and web operation names.

setup webpulse map-download

The WebPulse maps support the following features:

- URL categorization: The category map associates URL category names with numeric IDs. PacketShaper refers to the map to look up the category name after WebPulse has assigned a category ID to a flow.
- Web application identification: The web application map associates web application names with numeric IDs, and lists the operation IDs applicable to the application. PacketShaper refers to the map to look up the application name after WebPulse has assigned an application ID to a flow. In addition, PacketShaper uses the map to determine which operations are applicable to an application, for example, to create a class for a specific operation for a web application (such as Facebook-Post_Messages, Gmail-Upload_Attachment).

Notes:

- When you enable WebPulse, the latest map files are automatically downloaded to your PacketShaper. Thereafter, PacketShaper automatically downloads the maps every day and after a device reset, regardless of whether the files have changed or not.
- You will see a Success message after the download completes. The map files are downloaded, replacing the current files (even if the file hasn't changed). The version number is also indicated.
- The map version is incremented when a category, web application, or operation has been added, renamed, or deleted.

Command Change History

Release  Modification
9.2.1    setup webpulse command introduced; replaces setup urlcategory map-download command (now hidden)


setup webpulse reset
Clears the URL cache on the PacketShaper, deletes the cache backup, and returns all WebPulse settings to their defaults. This command returns the feature to its factory default settings: WebPulse is enabled and discovery is enabled for all URL categories.

setup webpulse reset

Notes:

Because this command deletes the cache as well as its backup copy on the PacketShaper data disk, use this command with caution. You will have an opportunity to confirm the reset after you enter the command.

Command Change History

Release  Modification
9.2.1    setup webpulse reset command introduced; replaces setup urlcategory reset command (now hidden)


setup webpulse show
Displays additional information about WebPulse statistics, caches, service points, and so forth.

setup webpulse show categories|statistics|cache|service|applications|operations

Option        Description
categories    Display URL category names, IDs, discovery state, and hits.
statistics    Display WebPulse statistics: how many flows weren't processed due to load or because the flow ended, number and speed of queries to the WebPulse database, number and speed of queries that used the Dynamic Real-Time Rating (DRTR) service.
cache         The URL caches contain URLs and their category, application, and operation IDs. This command displays statistics about the URL caches: number of hits and entries in the domain, directory, and filename caches. Also indicates when the cache was last backed up to the data disk.
              Examples of URLs that go in each type of cache:
                Domain cache: bluecoat.com
                Directory cache: nps.gov/yose
                Filename cache: cnn.com/forum/viewforum.php?f=1
service       Display WebPulse service point information. For each of eight service points, the output lists the IP address, number of hits and speed of the WebPulse Rating Service (RS) database and Dynamic Real-Time Rating (DRTR) requests. Also indicates the health of the service points.
              Tip: The fastest servers appear at the top of the list. Use this command to find out the IP addresses of the fastest servers, then add them to your setup secure outside list (if you are securing the outside interface).
applications  Display name and supported operations for each web application.
operations    List all supported web operation names.

Examples:

setup webpulse show statistics

Unprocessed Flows
  Current Daily Unprocessed Due to Load       : 0
  Average Daily Unprocessed Due to Load       : 0
  Current Daily Unprocessed Due to Flow Ended : 89
  Average Daily Unprocessed Due to Flow Ended : 102

Service Points
  Current Daily Queries        : 161
  Current Daily Query RTT      : 48 ms
  Average Daily Queries        : 598
  Average Daily Query RTT      : 51 ms
  Current Daily DRTR Queries   : 3
  Current Daily DRTR Query RTT : 966 ms
  Average Daily DRTR Queries   : 0
  Average Daily DRTR Query RTT : 0 ms

setup webpulse show cache

Cache
  Daily Queries           : 1100
  Average Daily Queries   : 2417
  Cache Hits              : 926
  Average Daily Cache Hits: 1736
  Average Cache Efficiency: 71.83%

Domain Cache
  Cache Hits              : 872
  Average Daily Cache Hits: 1575
  Number of Entries       : 575
  Average Hourly Size     : 516

Directory Cache
  Cache Hits              : 54
  Average Daily Cache Hits: 161
  Number of Entries       : 930
  Average Hourly Size     : 863

Filename Cache
  Cache Hits              : 0
  Average Daily Cache Hits: 0
  Number of Entries       : 0
  Average Hourly Size     : 0

URL Cache Backup Status: Cache backup successfully updated on Tue Aug 3 14:56:20 2010

Command Change History

Release  Modification
9.2.1    setup webpulse show command introduced; replaces setup urlcategory show command (now hidden)


synthetic add
Create a new synthetic transaction. Using synthetic transactions allows PacketWise to initiate ICMP, web, or other TCP transactions at periodic intervals to verify the availability of critical hosts.

Note: The synthetic transaction feature is not available on PacketShaper ISP models.

synthetic add <interval>[,<repeat>] [<id>] "<url>"

<interval>    Number of minutes between issuance of the transaction (the maximum interval is 1440)

[,<repeat>]   Number of times to issue the request on the established TCP connection (default is 1; the maximum is 100)

<id>          String that identifies the synthetic transaction; if omitted, PacketWise will automatically create a unique eight-character ASCII ID for each transaction.

              Note: Do not specify a transaction ID for a synthetic transaction on a PolicyCenter sharable configuration, as PolicyCenter requires that each synthetic transaction has a unique auto-generated transaction ID.

"<url>"       Type of transaction to issue, in the following format:

              "<type>://<host>[:<port>][/<path>]"

              where:

              <type> is http, https, icmp, pop3, smtp, ftp, echo, or custom
              Note: The <type> must be entered in lowercase.

              <host> is the IP address or DNS name of the host

              <port> is the TCP port number to connect to; the default varies by type (for example, for http the default is port 80)

              <path> is additional information necessary for the request (such as a directory name or a file name)

Additional information about each type:

- The http type will issue a GET request for the file specified by the <path> parameter. (The default port is 80.)
- The https type does an SSL handshake and issues a GET request for the file specified by the <path> parameter. (The default port is 443.)
- The icmp type sends a ping request to the designated server, using the ICMP-ECHO Protocol (RFC 792). Example: synthetic add 17,2 "icmp://www.bluecoat.com"
- The smtp and pop3 types do not send or receive mail; they issue a single command over the channel to elicit a response. (The default port is 25.)
- The ftp type will issue a single retrieve command (RETR) for the file specified in the <path> parameter but doesn't do any user authentication. (The default port is 21.)
- The echo type sends a string to the designated host and the host echoes it back. TCP echo requires that the target host have an echo server process running and listening on port 7. The optional <path> argument has the format <length>[/<fill>] where <length> is the number of bytes to send on each request (the default is 512) and <fill> is a string to fill the request buffer. The <fill> string can be up to 511 bytes. For example:

  "echo://test.domain.com/10/xyz"

  The above example sends requests containing xyzxyzxyzx (10 bytes).

- The custom type allows you to specify a series of requests to be sent in turn, one per message, for as many messages as requested by the <repeat> parameter. The request strings are separated by the "|" character. For example:

  "custom://my.test.com:25/HELO|MAIL FROM:<bob>|RCPT TO:<brett>|DATA|hey|."

  The above example sends a simple message to a mail server on port 25 (the default port for SMTP).
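As an added example (not PacketWise code or part of the PacketGuide), the following Python parser models the synthetic add argument format described above: it applies the default ports the page states, expands an echo <length>[/<fill>] path into the bytes sent, and splits a custom request sequence on "|". The pop3 default port (110), the NUL fill used when an echo request gives no <fill>, and the requirement that custom transactions name a port explicitly are assumptions of this example.

```python
"""Parser for PacketShaper `synthetic add` arguments (added example, not PacketWise code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Default ports per transaction type. http=80, https=443, smtp=25, ftp=21 and echo=7
# are stated in the PacketGuide; pop3=110 is an assumption (the standard POP3 port).
# icmp has no port. custom has no default here (assumption: the page's custom
# example always gives the port explicitly).
DEFAULT_PORTS = {"http": 80, "https": 443, "smtp": 25, "pop3": 110,
                 "ftp": 21, "echo": 7, "icmp": None, "custom": None}

MAX_INTERVAL_MINUTES = 1440   # documented maximum <interval>
MAX_REPEAT = 100              # documented maximum <repeat>
ECHO_DEFAULT_LENGTH = 512     # documented default echo <length>
ECHO_MAX_FILL = 511           # documented maximum <fill> size


@dataclass
class SyntheticUrl:
    type: str
    host: str
    port: Optional[int]
    path: Optional[str]
    requests: List[str] = field(default_factory=list)   # custom type: one request per message
    echo_payload: Optional[bytes] = None                # echo type: bytes sent per request


@dataclass
class SyntheticAdd:
    interval: int
    repeat: int
    id: Optional[str]
    url: SyntheticUrl


def _echo_payload(path: Optional[str]) -> bytes:
    """Expand an echo <path> of the form <length>[/<fill>] into the request bytes."""
    length_s, _, fill = (path or "").partition("/")
    if length_s and not length_s.isdigit():
        raise ValueError(f"echo <length> must be an integer, got {length_s!r}")
    length = int(length_s) if length_s else ECHO_DEFAULT_LENGTH
    if len(fill.encode()) > ECHO_MAX_FILL:
        raise ValueError("echo <fill> may be at most 511 bytes")
    fill_b = fill.encode() or b"\x00"   # NUL fill without <fill> is an assumption
    reps = -(-length // len(fill_b))    # ceiling division
    # Repeat the fill to cover <length> and trim: "xyz" x 10 -> "xyzxyzxyzx"
    return (fill_b * reps)[:length]


def parse_synthetic_url(url: str) -> SyntheticUrl:
    """Parse one quoted "<type>://<host>[:<port>][/<path>]" argument."""
    url = url.strip().strip('"“”')
    utype, sep, rest = url.partition("://")
    if not sep or utype not in DEFAULT_PORTS:
        # The page requires a lowercase <type>, so "HTTP://" is rejected as well.
        raise ValueError(f"unsupported or non-lowercase type in {url!r}")
    hostport, sep, path = rest.partition("/")
    path = path if sep else None
    host, _, port_s = hostport.partition(":")
    if not host:
        raise ValueError("missing <host>")
    if port_s:
        if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
            raise ValueError(f"bad <port> {port_s!r}")
        if utype == "icmp":
            raise ValueError("icmp transactions take no port")
        port = int(port_s)
    else:
        port = DEFAULT_PORTS[utype]
    parsed = SyntheticUrl(utype, host, port, path)
    if utype == "custom":
        if port is None:
            raise ValueError("custom transactions need an explicit port")
        if not path:
            raise ValueError("custom transactions need at least one request")
        parsed.requests = path.split("|")
    elif utype == "echo":
        parsed.echo_payload = _echo_payload(path)
    return parsed


# <interval>[,<repeat>] [<id>] "<url>"; the id may not contain quotes so that the
# quoted URL is never mistaken for an id.
_ADD_RE = re.compile(r'^\s*(\d+)(?:,(\d+))?\s+(?:([^\s"“”]+)\s+)?(["“].*["”])\s*$')


def parse_synthetic_add(args: str) -> SyntheticAdd:
    """Parse the argument string of `synthetic add <interval>[,<repeat>] [<id>] "<url>"`."""
    m = _ADD_RE.match(args)
    if not m:
        raise ValueError(f"cannot parse synthetic add arguments: {args!r}")
    interval = int(m.group(1))
    repeat = int(m.group(2)) if m.group(2) else 1          # documented default 1
    if not 1 <= interval <= MAX_INTERVAL_MINUTES:          # lower bound of 1 is an assumption
        raise ValueError("interval must be 1..1440 minutes")
    if not 1 <= repeat <= MAX_REPEAT:
        raise ValueError("repeat must be 1..100")
    return SyntheticAdd(interval, repeat, m.group(3), parse_synthetic_url(m.group(4)))


if __name__ == "__main__":
    for line in ('17,2 "icmp://www.bluecoat.com"',
                 '5 "echo://test.domain.com/10/xyz"',
                 '3 mail1 "custom://my.test.com:25/HELO|MAIL FROM:<bob>|RCPT TO:<brett>|DATA|hey|."'):
        print(parse_synthetic_add(line))
```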


Command Change History

Release  Modification
8.3.1    Auto-generated transaction IDs are required for synthetic transactions on PolicyCenter configurations; the <url> parameter supports IP addresses as well as DNS names
8.0.1    icmp <type> introduced
8.0.0    no change


synthetic delete
Delete a synthetic transaction. (Note: The synthetic transaction feature is not available on PacketShaper ISP models.)

synthetic delete <id>

where <id> is the identifying name specified in the synthetic add command. To view IDs of all synthetic transactions, use the synthetic show command.

When a synthetic transaction is deleted, its corresponding Inbound/SyntheticTransactions or Outbound/SyntheticTransactions traffic class is not deleted, so that measurement data can still be retrieved from that traffic class. Even after the synthetic transaction is deleted, network traffic may still be classified in that traffic class until the class is also manually removed.


synthetic options
Create traffic classes for the hosts specified in synthetic transactions. The classes will be created in the SyntheticTransactions class. (Note: The synthetic transaction feature is not available on PacketShaper ISP models.)

synthetic options create-classes show|on|off|default

The default value is on. If you have already created traffic classes for your critical hosts and you want synthetic transactionmeasurement data to be recorded in these classes, set this option to off.

Notes:

- If you use the CLI command synthetic options create-classes on to create traffic classes for synthetic transaction hosts and then later issue the command synthetic options create-classes off to turn off this option, any traffic classes already created for previous synthetic transactions will remain a part of the configuration's traffic tree.

- When the synthetic options create-classes default command is issued for an individual PacketShaper or a PolicyCenter parent configuration at the top of the PolicyCenter configuration tree, this command restores the default on value. When this command is issued for a PolicyCenter child configuration, the child configuration clears its local setting and inherits the synthetic options create-classes on|off value from its parent configuration.

Command Change History

Release  Modification
8.0.1    Synthetic transaction classes created as children of the Localhost class instead of in a SyntheticTransactions folder; <host> cannot be an IP address
8.0.0    No change


synthetic show

Display information about synthetic transactions. (Note: The synthetic transaction feature is not available on PacketShaper ISP models.)

synthetic show

The output displays all the active synthetic transactions, when they are next scheduled to run, and a count of how many TCP connections have been attempted and how many were accepted.

Transaction ID  URL                                                Interval  Repeat  Next Scheduled        Attempts  Connections
-----------------------------------------------------------------------------
shop1           http://www.cdnow.com                               5         1       26-Jul-2001 14:30:38  0         0
st4             echo://10.10.10.10/monsters                        1         5       26-Jul-2001 14:28:34  0         0
st2             http://www.lucent.com/minds/innovating/index.html  3         3       26-Jul-2001 14:30:00  6         5
st3             custom://my.test.com:80/HEY YOU                    4         1       26-Jul-2001 14:31:17  5         4
st1             http://www.amazon.com                              2         2       26-Jul-2001 14:30:04  9         9


sys

These diagnostic commands are intended to be used only under the guidance of Customer Support and are not covered in this guide.


sys limits

List the PacketShaper's configuration limits. For each object (such as classes, partitions, and policies), the sys limits output lists the maximum number of objects allowed, the number currently used, and the number remaining. For example, you can use this command to determine how many more classes you can create on your unit.

sys limits

Statically allocated objects        Current  Remaining   Total
-------------------------------------------------------------------
Traffic classes                         800        224    1024
Partitions                                2        510     512
Dynamic Partitions                        0      10000   10000
Policies                                  4       1020    1024
Matching rules                         1896       3224    5120
Classes with worst clients/servers        0         16      16
Classes with top talkers/listeners        0         12      12
TCP flows                                36     199964  200000
Other IP flows                           82      99918  100000
Legacy flows                              8       9992   10000
Concurrent Hosts                       6250      93750  100000
MAC Cache Entries                       321      14679   15000
Fragment Cache Entries                    0       8000    8000
Command Contexts                          6         24      30
Compression tunnels                       1        229     230
Compression entries                      82       3598    3680

Dynamically allocated objects       Current  Potential   Total
-------------------------------------------------------------------
Matching rule host references             7      10253   10260
Host list DS entries                      0      24044   24044
DNS names                                10      59064   59074
Customer Portal users                     0       1024    1024

Note: "Potential" for each object is an estimate allocating all remaining dynamic memory to that object type.

The table below describes the items of interest in the sys limits output.

Object  Description

Statically allocated objects

Traffic class  A logical grouping of traffic flows that share the same characteristics: a specific application, protocol, address, or set of addresses. See Traffic Tree Overview (Advanced UI or Blue Coat Sky).

Partition  A bandwidth pipe assigned to a given traffic class to protect or restrict the total bandwidth available to that class. See Partition Overview.

Dynamic partitions  A type of partition that automatically creates subpartitions on the fly as users become active in a traffic class. This capability allows service providers or enterprise customers to guarantee each user a minimum amount of bandwidth at all times. See Create a Dynamic Partition.

Policy  A rule assigned to a given traffic class that defines how a single flow will be handled during bandwidth allocation. See Policy Overview.

Matching rule  A set of characteristics that identifies a specific traffic type. See Matching Rules.

Classes with worst clients/servers  Clients or servers that have the highest percentage of transactions exceeding the total delay threshold. See Enable Worst Client and Server Analysis.

Classes with top talkers/listeners  An identified traffic class for which PacketWise has been configured to record the host names or IP addresses of the devices transmitting the greatest amounts of traffic (the "talkers") or receiving the greatest amounts of traffic (the "listeners"). See Track Hosts that Generate the Most Traffic.

TCP flows  Unique sessions using Transmission Control Protocol.

Other IP flows  Unique sessions using non-TCP Internet protocols.

Legacy flows  Traffic using a non-TCP/IP protocol, often encapsulated in a TCP or IP wrapper.

Concurrent hosts  The Current count for concurrent hosts is an indication of how many host addresses have been learned by the system, that is, the number of entries currently in the host database. Entries in the host database are not periodically aged out or cleared from memory; instead, they are reused when needed for new hosts. Therefore a value of 0 in the Remaining column does not mean your unit can't accommodate any more hosts: new hosts will simply replace hosts that are no longer active. It is normal and expected to see the number of concurrent hosts at its limit.

Compression tunnels  A communications link that transfers compressed data between two PacketShapers. One PacketShaper compresses data and sends it through the tunnel, and the PacketShaper unit at the other end of the tunnel decompresses the data. The number of tunnels can vary according to the number and size of dictionaries in use. The maximum value is user-definable; see Adjust System Variables.

Note: The value for compression tunnels in the sys limits command assumes unidirectional tunnels with a single system default dictionary. The published configuration limits assume bidirectional tunnels with two system default dictionaries.

Compression entries  A service, class, or dictionary within a compression tunnel. For example, if HTTP is the first service to get compressed through a tunnel, two compression entries are created: one for the HTTP service and one for its shared group dictionary. If a second compressible service, such as ICMP, is detected and it uses the same group dictionary, only one compression entry is created (for the ICMP service). The maximum value is user-definable; see Adjust System Variables.

Dynamically allocated objects (maximums can vary, depending on the amount of remaining dynamic memory)

Matching rule host references  Unique domain names in matching rules.

Host list DS entries  A set of IP addresses and/or DNS names that traffic class matching rules can reference. See Create a Host List.

DNS names  Unique domain names used in the PacketWise configuration (in matching rules, configured SNTP time servers, configured RADIUS authentication and accounting servers, etc.). Use the dns names CLI command to see a list of domain names in use.

Customer Portal users  Customer accounts set up in the customer portal feature. See Customer Portal Overview.
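The following script is an added example, not PacketShaper code: it parses sys limits output into a table and reports the objects that are close to their maximum, skipping Concurrent Hosts for the reason given above (the host database recycles entries, so a Remaining value of 0 is expected). The sample output is a constructed, shortened copy of the listing above with the host database shown full; the 0.75 threshold, the RECYCLED set and the function names are assumptions of this example.

```python
"""Parse PacketShaper `sys limits` output and report the objects that are
close to their maximum.  Added example, not PacketShaper code; the sample
is a constructed, shortened copy of the output above with the host database
full, which the text says is normal."""
import re

SAMPLE = """\
Statically allocated objects        Current  Remaining  Total
-------------------------------------------------------------------
Traffic classes                         800        224   1024
Partitions                                2        510    512
Matching rules                         1896       3224   5120
TCP flows                                36     199964 200000
Concurrent Hosts                     100000          0 100000
Command Contexts                          6         24     30

Dynamically allocated objects       Current  Potential  Total
-------------------------------------------------------------------
Matching rule host references             7      10253  10260
DNS names                                10      59064  59074

Note: "Potential" for each object is an estimate allocating all remaining dynamic memory to that object type.
"""

# Objects whose Remaining column is expected to sit at 0: the host database
# recycles inactive entries instead of ageing them out (see the table above).
# Assumption of this example; extend it if other objects behave the same way.
RECYCLED = {"concurrent hosts"}

ROW = re.compile(r"^(?P<name>[A-Za-z][A-Za-z /']*[A-Za-z])\s+(?P<cur>\d+)\s+(?P<rem>\d+)\s+(?P<tot>\d+)\s*$")

def parse_sys_limits(text):
    """Return {name: (current, remaining_or_potential, total, section)}."""
    section, limits = None, {}
    for line in text.splitlines():
        if line.startswith("Statically"):
            section = "static"
        elif line.startswith("Dynamically"):
            section = "dynamic"
        elif section:
            m = ROW.match(line)
            if m:
                limits[m["name"]] = (int(m["cur"]), int(m["rem"]), int(m["tot"]), section)
    return limits

def near_limit(limits, threshold=0.75):
    """Objects at or above `threshold` utilisation, highest first.  Recycled
    objects are skipped; for dynamic objects Total is only an estimate, so the
    section is returned with each finding to qualify the number."""
    findings = []
    for name, (cur, rem, tot, section) in limits.items():
        if name.lower() in RECYCLED or tot == 0:
            continue
        util = cur / tot
        if util >= threshold:
            findings.append((name, round(util, 3), section))
    return sorted(findings, key=lambda f: f[1], reverse=True)

def headroom(limits, name):
    """How many more objects of this kind can be created right now."""
    return limits[name][1]

if __name__ == "__main__":
    table = parse_sys_limits(SAMPLE)
    for name, util, section in near_limit(table):
        print(f"{name}: {util:.0%} used ({section})")
    print("classes left:", headroom(table, "Traffic classes"))
```

Run against a captured sys limits listing, the only object reported is Traffic classes at 78%; Concurrent Hosts is full but silently skipped.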


tail

Display lines or characters from the beginning or end of a file; the default is to display the last 10 lines of the file.

tail [+|-<number>] [c] <filename>

[+|-<number>]  A negative number indicates the number of lines or characters to be displayed from the end of the file. A positive number indicates the number of lines or characters to skip at the beginning of the file. For example, tail -5 myfile.cmd displays the last five lines of the file and tail +5 myfile.cmd skips the first five lines and displays the rest.

[c]  Specifies that units are in characters (no argument is necessary for the default unit, lines). For example, tail -20c myfile.cmd displays the last 20 characters of the file.

<filename> The name of the file to be displayed.


touch

Set read/write access to the command-line interface. Note that this command does not set the access level of the browser user interface.

touch

This command prompts for a password. In touch mode, all CLI commands are available.

To enable read-only access, use the look command.


traffic active

Display the current, maximum, and possible number of sessions for TCP, UDP, and Legacy traffic types. This command is a valuable tool for determining how close the unit is to reaching its capacity. It also gives a histogram of the number of host entries in various time buckets (based on idle time).

traffic active

                    TCP    UDP  Legacy  Total
Flows (Current):     13     32       9     54
Flows (Maximum):     27     59      13     67
Flows (Possible): 50000  25000    5000  80000

Host Entries Histogram (based on idle time):
  <1s  <1min  <2min  <5min  <10min  >10min
    5     13     26      5       7   10184

Type of Flow   Description
TCP flows      Unique sessions using Transmission Control Protocol.
UDP flows      Unique sessions using non-TCP Internet protocols, such as UDP.
Legacy flows   Traffic using a non-TCP/IP protocol, often encapsulated in a TCP or IP wrapper.

The value listed for maximum flow is the maximum number that has been displayed when the traffic active command has been executed (since the last reset). In other words, maximum numbers are only recorded when this command is run, so the maximum counts are representative rather than authoritative values.

The possible flows represent the unit's maximum number of concurrent flows allowed on the unit. PacketShaper can support more flows than the indicated number, but these figures represent the ideal maximums for producing optimal results.


traffic bandwidth

Display bandwidth utilization for a partition.

traffic bandwidth [<tclass>] [clear]

[<tclass>]  The root traffic class of the partition to display. If you do not specify a traffic class, the outbound partition statistics are displayed.

[clear]  Clears the accounting data

When traffic shaping is turned off, the traffic bandwidth command displays the aggregate usage summary for both the inbound and outbound directions.

Example: The inbound/http class has a 500k partition, burstable to 1Mb. The class also has a 0k rate policy with priority 3. Here is the output of the traffic bandwidth inbound/http command:

inbound partition HTTP
Programmed min bandwidth 500k  max bandwidth 1.0M
Adjusted   min bandwidth 500k  max bandwidth 1.0M
Local 500k
reserved rate 0     unreserved rate/limit 0/0
reserved peak 0     unreserved peak 0
ignored rate 2220
ignored peak 12.0M
current guaranteed rate 0   excess rate 0
OVERalloc'ed guaranteed 0   excess 0
Gain: 0.00  Compensation 0
Excess Rate       priority        0    1    2    3    4    5    6    7
                  demand          0    0    0    0    0    0    0    0
                  % satisfied   100  100  100  100  100  100  100  100
Priority Traffic  priority        0    1    2    3    4    5    6    7
                  pkts relayed    0    0    0    0    0    0    0    0
                  exceptions      0    0    0    0    0    0    0    0
                  anticipations   0    0    0    0    0    0    0    0

Refer to the following list for traffic bandwidth details:

min bandwidth  The partition size in bits per second (e.g., 500k bps); the Programmed (initially-configured) size and Adjusted (actual) size are displayed.

Note: The Programmed and Adjusted values may differ from one another in a hierarchical partition. Because a child partition is a percentage of the parent partition, if a parent gets less bandwidth, the child will also get proportionally less.

max bandwidth  Maximum (burstable) partition size; the Programmed (initially-configured) size and Adjusted (actual) size are displayed.

reserved rate  The total bandwidth currently in use by rate-based traffic

reserved peak  The peak bandwidth usage by rate-based traffic

unreserved rate/limit  The total bandwidth currently in use by priority traffic

unreserved peak  The peak bandwidth usage by priority-based traffic

ignored rate  The current bandwidth in use by ignore-policy traffic classes and uncontrolled traffic

ignored peak  The peak bandwidth usage by traffic classes with the ignore policy

current guaranteed rate  The total current guaranteed rate usage in bits per second

excess rate  The total current excess rate usage in bits per second

OVERalloc'ed guaranteed  The amount of guaranteed rate that currently is over-allocated

Excess Rate priority  Priority levels (0-7)

Excess Rate demand  The excess rate demand at each priority level

Excess Rate % satisfied  The percentage of excess rate demand that is currently being satisfied at each priority level

Priority Traffic priority  Priority levels (0-7)

Priority Traffic pkts relayed  Number of packets counted at each priority level

Priority Traffic exceptions  PacketWise uses a rate anticipation mechanism to shape the rate of non-TCP traffic. When this mechanism fails to keep the desired rate from being exceeded, a rate exception is counted.

Priority Traffic anticipations  When PacketWise determines that the desired rate is in danger of being exceeded, an exception anticipation event is counted.


traffic flow

Display summary information about some or all currently active TCP connections and/or UDP sessions.

traffic flow -tIo TCP overview of non-idle flows

traffic flow -uIo UDP overview of non-idle flows

traffic flow -h lists help with all options

Example:

traffic flow -t

Num TCP Flows total = 115 (all classes)

InAddr                  OutAddr                 Idle  Svc
-------------------------------------------------------------------------------
2001:db8:1234:5678::1   2001:db8:1234:5678::2   1s    FTP-Cmd-Clear-IPv6
2001:db8:1234:5678::1   2001:db8:1234:5678::2   2s    SSL-IPv6
2001:db8:1234:5678::1   2001:db8:1234:5678::2   0s    FTP-Cmd-Clear-IPv6
10.9.45.20              10.9.60.138             2s    HTTP
10.9.60.109             10.9.60.110             1s    SSL
10.9.60.109             10.9.60.110             2s    FTP-Data-Clear
2001:db8:1234:5678::1   2001:db8:1234:5678::2   1s    SSL-IPv6

To display more detailed information, use:

For TCP flows: traffic flow -t[aAcCfhiILmnNoOpPsSUvVxX]

For UDP flows: traffic flow -u[aAcCfhiInoOpPvVxX]

-a all (same as -pifvs: could wrap around on screen)

-A <addr> address (only show conns for specified address)

-c <class> class (only show info for specified class name)

-C class (show class names)

-f flags (connection flags)

-h help (show this help)

-i idle (show idle time)

-I non-idle (don't show flows idle for one minute or more)

-L license (display license state of TCP flows)

-m mss (show mss info - tcp)

-n <num> num (show up to <num> flows)

-N state (flows not in connected state - tcp)

-o overview (show summary information only)

-O overview (include summary information)

-p ports (show port numbers)

-P <port> port (show only port <port>)

-s state (display state - tcp)

When the -s flag is used, the output displays the following connection states in the S column:

I=idle: The connection is idle.

C=connecting: The client is trying to establish a TCP connection with the server; the client sends the first CONNECT/SYN segment to the server.

W=ackWait: After sending the CONNECT/SYN segment, the client is waiting for an ACK from the server.

X=dataXfer: Both sides of the TCP connection have exchanged SYN/ACK segments.

H=halfDiscon: The client/server has received a first FIN segment from the application and bandwidth resources were released for that half of the connection. The other side of the TCP connection has not received the final FIN segment.

D=disconnected: The final FIN is received.

F=fading: An event (such as a Ctrl+C from the application) causes the TCP connection to abort.

-S <stat> state (only display conns in state <stat> - tcp)

-t tcp (show TCP flows)

-u non-TCP IP flows, such as UDP flows, RSVP, ICMP

-U unique host pairs for a given class; only valid with -c

-v service (display service info)

-V <serv> service (display only services matching <serv>)

-x expanded (show full class names)

Note: Must be used with either the -c or -C option.

-X expanded (show full class names in multi-line output format)

Note: Must be used with either the -c or -C option.

When the -f option is used, the Flags column in the output displays one or more of the following:

A Asymmetric

B bad seq or ack

C Fully classified

D data, no SYN or SYN-ACK

I Inbound closed

O Outbound closed

s SYN, no SYN-ACK

S SYN-ACK, no SYN

T Tentative

W Web

If acceleration is enabled, the following additional flags are available:

a Accelerated flow

c Classified non-accelerated flow

n No accelerated partner found

r Acceleration bypass

t Terminated

Note: If the service has not been determined, noted by a dash (-) in the Svc column, the side of the addresses may also be undetermined. For more information on which side of the unit a particular host is on, use the host show command.


The traffic flow -tL command adds two columns to the output: LI (representing the inbound part of the TCP flow) and LO (the outbound part of the flow). A "+" indicates the flow has been granted a license; a "-" indicates the flow has been denied a license.

Note that some flows do not completely shut down, and are therefore listed until the unit is reset. The -t or -u option, combined with the -I option, therefore provides a list of only the non-idle TCP or UDP flows. For example:

traffic flow -tIpc inbound/http

Num TCP Flows total = 3 (class HTTP)
InAddr          Port  OutAddr          Port  Idle  ClasI  ClasO  Svc
---------------------------------------------------------------------------
10.10.254.249   1119  207.158.237.171  80    22m   HTTP   HTTP   HTTP
10.10.254.249   1120  207.158.237.171  80    22m   HTTP   HTTP   HTTP
10.10.254.249   1105  207.158.237.171  80    44s   HTTP   HTTP   HTTP

traffic flow -tCx

Num TCP Flows total = 6 (all classes)

InAddr          OutAddr        Idle  ClasI                  ClasO              Svc
-------------------------------------------------------------------------------
172.21.19.102   10.1.1.46      8m    /Inbound/Default       /Outbound/Default  Telnet-Clear
172.21.1.39     10.100.99.30   10s   /Inbound/Default       /Outbound/Default  KaZaA-Cmd
172.21.1.39     10.1.1.45      5m    /Inbound/NetBIOS-IP    /Outbound/Default  NetBIOS-IP-SSN
172.21.1.39     10.1.1.20      15s   /Inbound/Microsoft-ds  /Outbound/Default  Microsoft-ds
172.21.1.39     10.1.1.18      8s    /Inbound/Default       /Outbound/Default  -
172.21.1.39     10.100.99.30   8s    /Inbound/Default       /Outbound/Default  KaZaA-Cmd

traffic flow -tCX

Num TCP Flows total = 6 (all classes)

InAddr          OutAddr        Idle  Svc
-------------------------------------------------------------------------------
172.21.19.102   10.1.1.46      8m    Telnet-Clear
Inbound Class:  /Inbound/Default
Outbound Class: /Outbound/Default

172.21.1.39     10.100.99.30   21s   KaZaA-Cmd
Inbound Class:  /Inbound/Default
Outbound Class: /Outbound/Default

172.21.1.39     10.1.1.45      5m    NetBIOS-IP-SSN
Inbound Class:  /Inbound/NetBIOS-IP
Outbound Class: /Outbound/Default

172.21.1.39     10.1.1.20      8s    Microsoft-ds
Inbound Class:  /Inbound/Microsoft-ds
Outbound Class: /Outbound/Default

To view a list of unique host pairs for a traffic class (Inbound/Default):

traffic flow -taUc inbound/default

Num unique host pairs total = 1 (class Default)
InAddr          OutAddr         # of flows
---------------------------------------------
10.9.50.157     10.9.50.75      10

To see if a host is being classified correctly in the expected class:

tr fl -tupXICA 209.210.203.33

Num TCP Flows total = 1 (all classes)

InAddr        Port  OutAddr          Port  Idle  Svc
-------------------------------------------------------------------------------
192.168.0.7   4721  209.210.203.33   80    19s   HTTP
Inbound Class:  /Inbound/HTTP
Outbound Class: /Outbound/HTTP

Num UDP Flows total = 0 (all classes)
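The script below is an added example, not PacketShaper code. It parses the traffic flow table layouts shown above (the -tCx layout with ClasI/ClasO columns and the -tIpc layout with two Port columns plus a licenses count) and pulls out the flows a reviewer would look at first: those with no determined service (Svc "-") and those that landed in a Default class in both directions, which is where unexpected traffic such as the KaZaA-Cmd and Telnet-Clear flows in the example ends up. The samples are constructed copies of the listings above; the Idle "h" unit, the function names and the decode of the -f flag letters into the meanings listed earlier are assumptions of this example.

```python
"""Parse PacketShaper `traffic flow` table output and pick out the flows a
reviewer would look at first: flows with no determined service (Svc "-")
and flows that landed in a Default class in both directions.  Added
example, not PacketShaper code; the samples are constructed copies of the
`traffic flow -tCx` and `traffic flow -tIpc` layouts shown above."""
import re
from collections import Counter

SAMPLE_CLASSES = """\
Num TCP Flows total = 6 (all classes)

InAddr          OutAddr        Idle  ClasI                  ClasO              Svc
-------------------------------------------------------------------------------
172.21.19.102   10.1.1.46      8m    /Inbound/Default       /Outbound/Default  Telnet-Clear
172.21.1.39     10.100.99.30   10s   /Inbound/Default       /Outbound/Default  KaZaA-Cmd
172.21.1.39     10.1.1.45      5m    /Inbound/NetBIOS-IP    /Outbound/Default  NetBIOS-IP-SSN
172.21.1.39     10.1.1.20      15s   /Inbound/Microsoft-ds  /Outbound/Default  Microsoft-ds
172.21.1.39     10.1.1.18      8s    /Inbound/Default       /Outbound/Default  -
172.21.1.39     10.100.99.30   8s    /Inbound/Default       /Outbound/Default  KaZaA-Cmd
"""

SAMPLE_LICENSED = """\
Num TCP Flows total = 2 (class HTTP, licenses=2/40)
InAddr       Port  OutAddr         Port  Idle  ClasI  ClasO  Svc
-------------------------------------------------------------------------------
192.168.0.4  2694  64.236.43.54    80    39s   HTTP   HTTP   HTTP
192.168.0.4  2676  216.148.237.36  80    48s   HTTP   HTTP   HTTP
"""

# Flag letters printed in the `-f` Flags column, as listed above.
FLAGS = {"A": "asymmetric", "B": "bad seq or ack", "C": "fully classified",
         "D": "data, no SYN or SYN-ACK", "I": "inbound closed",
         "O": "outbound closed", "s": "SYN, no SYN-ACK", "S": "SYN-ACK, no SYN",
         "T": "tentative", "W": "web", "a": "accelerated flow",
         "c": "classified non-accelerated flow", "n": "no accelerated partner found",
         "r": "acceleration bypass", "t": "terminated"}

TOTAL = re.compile(r"Num (?:TCP|UDP) Flows total = (\d+)(?:.*licenses=(\d+)/(\d+))?")

def parse_traffic_flow(text):
    """Return {"count", "licenses", "rows"}; rows are dicts keyed by header names.
    A repeated header name (the two Port columns) gets a numeric suffix: Port, Port2."""
    result = {"count": None, "licenses": None, "rows": []}
    header = None
    for line in text.splitlines():
        m = TOTAL.search(line)
        if m:
            result["count"] = int(m.group(1))
            if m.group(2):
                result["licenses"] = (int(m.group(2)), int(m.group(3)))
            continue
        if line.startswith("InAddr"):
            seen, header = Counter(), []
            for name in line.split():
                seen[name] += 1
                header.append(name if seen[name] == 1 else f"{name}{seen[name]}")
            continue
        fields = line.split()
        if header and len(fields) == len(header) and not line.startswith("-"):
            result["rows"].append(dict(zip(header, fields)))
    return result

def decode_flags(flags):
    """Expand a Flags value such as 'sT' into its documented meanings."""
    return [FLAGS.get(ch, f"unknown flag {ch!r}") for ch in flags]

def idle_seconds(idle):
    """Idle column to seconds; the page shows only s and m units (h is assumed)."""
    return int(idle[:-1]) * {"s": 1, "m": 60, "h": 3600}[idle[-1]]

def needs_review(rows):
    """Flows with no service determined, or in a Default class in both directions."""
    return [r for r in rows if r.get("Svc") == "-" or
            (r.get("ClasI", "").endswith("/Default") and r.get("ClasO", "").endswith("/Default"))]

def busiest_inside_hosts(rows):
    """Inbound-side addresses ranked by flow count."""
    return Counter(r["InAddr"] for r in rows).most_common()

if __name__ == "__main__":
    parsed = parse_traffic_flow(SAMPLE_CLASSES)
    for row in needs_review(parsed["rows"]):
        print(row["InAddr"], row["OutAddr"], row["Svc"], "idle", idle_seconds(row["Idle"]), "s")
    print(busiest_inside_hosts(parsed["rows"]))
```

Pipe the captured output of traffic flow -tCx (or -tIpc for a licensed class) into parse_traffic_flow; needs_review gives the rows to investigate with traffic history find, and busiest_inside_hosts shows which inside address is driving them.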

Command Change History

Release  Modification
9.1.1    Support for IPv6 flows
8.6.1    -U parameter added


traffic guaranteed

Display guaranteed rate utilization for a traffic class subtree.

traffic guaranteed [<tclass>] [clear]

[<tclass>]  The root traffic class of the subtree to display. The class' explicit path is required only if the class name itself is not unique. If you do not specify a traffic class, the guaranteed rate information for the entire tree is displayed.

[clear] Clears the accounting data

The command output displays a list of all child classes and the following associated information for classes with guaranteed rate policies:

Current number of users
Peak number of users
Guaranteed bandwidth in bps
Number of guaranteed rate failures


traffic history

Display recent traffic flows for a specific host or traffic class.

traffic history recent|find <name>

recent  Lists recent flows for a specified traffic class. The output includes the date, time, IP address, port number, and URL of each flow in the specified class.

find  Lists recent flows for a specified host. The output lists each class that the specified host uses, as well as the date, time, service name, IP address, port number, and URL of each flow in the class.

<name>  With the recent argument, <name> is the traffic class name. With the find argument, <name> is the IP address or name of the host to be tracked.

Examples

The traffic history find command is useful for determining the servers that a specified client IP address is transferring data with, or the clients that are retrieving data from a specific server. It can also be used to determine exactly what types of network applications a specified PC is using.

traffic history find 10.10.1.6

-----( /Outbound/rsh )-----

07-Jan-2005 10:53:25 rsh 192.21.1.26 1023 raltman-t23.example.com 10.10.1.6 514 test2.example.com

-----( /Inbound/rsh )-----

07-Jan-2005 10:53:25 rsh 192.21.1.26 1023 raltman-t23.example.com 10.10.1.6 514 test2.example.com

The traffic history recent command is useful for analyzing the type of traffic that is falling into a Default class, such as Inbound/Default in the following example.

traffic history recent inbound/default

-----( /Inbound/Default )-----

07-Jan-2005 13:01:19 UDP  192.21.1.26      3288   example-40vp63  10.100.10.30     2687   mail.example.com
07-Jan-2005 12:59:53 UDP  192.21.1.26      3299   example-40vp63  192.21.0.20      389    dc-dev.example.com
07-Jan-2005 12:56:14 UDP  192.21.255.255   7741                   192.21.31.251    32808  opslab.example.com
07-Jan-2005 12:42:16 TCP  192.21.0.25      9100                   10.10.100.24     1995   phogle.example.com
07-Jan-2005 12:33:19 UDP  192.21.1.26      2967   example-40vp63  10.10.10.18      2967   test.example.com
07-Jan-2005 11:01:29 UDP  192.21.1.26      38293  example-40vp63  10.10.10.89      1046   test.example.com
07-Jan-2005 10:51:54 HTTP 192.21.1.26      2606   example-40vp63  216.148.237.145  80     a216-148-237-145.deploy.akamaitechnologies.com
07-Jan-2005 10:51:54 HTTP 192.21.1.26      2607   example-40vp63  216.239.53.104   80
07-Jan-2005 10:51:54 HTTP 192.21.1.26      2611   example-40vp63  128.242.107.114  80     vrp1.sjc.xpc-mii.net
07-Jan-2005 10:44:53 UDP  255.255.255.255  631                    192.21.1.34      631
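The following script is an added example, not PacketShaper code, for the analysis just described: it parses traffic history recent output for a Default class and separates the flows that the classifier could label only by transport (Svc TCP or UDP, no application identified) from the ones that already carry a service name, then counts the second-address ports those unknown flows reach and sets broadcast noise aside. The sample is a constructed copy of the layout above (IPv4 only); that hostnames are optional on either side and start with a letter, and the function names, are assumptions of this example.

```python
"""Summarise `traffic history recent` output for a Default class: which
flows were labelled only by transport (Svc TCP or UDP, no application
identified) and which second-address ports they reach.  Added example, not
PacketShaper code; the sample is a constructed copy of the layout above
(IPv4 only; hostnames are optional on either side and assumed to start
with a letter)."""
import re
from collections import Counter

SAMPLE = """\
-----( /Inbound/Default )-----
07-Jan-2005 13:01:19 UDP 192.21.1.26 3288 example-40vp63 10.100.10.30 2687 mail.example.com
07-Jan-2005 12:59:53 UDP 192.21.1.26 3299 example-40vp63 192.21.0.20 389 dc-dev.example.com
07-Jan-2005 12:56:14 UDP 192.21.255.255 7741 192.21.31.251 32808 opslab.example.com
07-Jan-2005 12:42:16 TCP 192.21.0.25 9100 10.10.100.24 1995 phogle.example.com
07-Jan-2005 10:51:54 HTTP 192.21.1.26 2607 example-40vp63 216.239.53.104 80
07-Jan-2005 10:44:53 UDP 255.255.255.255 631 192.21.1.34 631
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
NAME = r"[A-Za-z][\w.-]*"          # assumption: a hostname never starts with a digit
ENTRY = re.compile(
    rf"^(?P<date>\d\d-[A-Za-z]{{3}}-\d{{4}}) (?P<time>\d\d:\d\d:\d\d) (?P<svc>\S+) "
    rf"(?P<a1>{IP}) (?P<p1>\d+)(?: (?P<n1>{NAME}))? "
    rf"(?P<a2>{IP}) (?P<p2>\d+)(?: (?P<n2>{NAME}))?$")
CLASS = re.compile(r"^-----\( (?P<cls>\S+) \)-----$")

def parse_history(text):
    """Return a list of flow dicts; each carries the class header it appeared under."""
    cls, entries = None, []
    for line in text.splitlines():
        m = CLASS.match(line)
        if m:
            cls = m["cls"]
            continue
        m = ENTRY.match(line)
        if m:
            e = m.groupdict()
            e["class"], e["p1"], e["p2"] = cls, int(e["p1"]), int(e["p2"])
            entries.append(e)
    return entries

def transport_only(entries):
    """Flows the classifier could label only as TCP or UDP: no application was identified."""
    return [e for e in entries if e["svc"] in ("TCP", "UDP")]

def broadcast(entries):
    """Flows with a broadcast address on either side; usually noise to set aside."""
    return [e for e in entries if e["a1"].endswith(".255") or e["a2"].endswith(".255")]

def ports_targeted(entries):
    """(svc, second-address port) pairs, most frequent first."""
    return Counter((e["svc"], e["p2"]) for e in entries).most_common()

if __name__ == "__main__":
    flows = parse_history(SAMPLE)
    unknown = [e for e in transport_only(flows) if e not in broadcast(flows)]
    for (svc, port), n in ports_targeted(unknown):
        print(f"{svc} to port {port}: {n} flow(s)")
```

On the sample, the non-broadcast unknown flows resolve to UDP towards ports 2687 and 389 and TCP towards 1995; the port 389 flow from a workstation to a domain controller is the kind of entry that justifies a dedicated matching rule rather than leaving it in Default.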

Command Change History

Release  Modification
9.1.1    Support for IPv6 flows


traffic licenses

Show current license usage for classes that have had the number of TCP flows limited with the class licenses command.

traffic licenses

Sample output:

Traffic            --- Licenses ---
Class              Total    In Use
----------------------------------------------------
Inbound HTTP          40         4

Another way to see the number of active TCP flows for a class is with the traffic flow command (for example, traffic flow -tIpc inbound/http). The output of this command not only shows the total number of licenses available and in use, but also displays details about each flow.

traffic flow -tIpc inbound/http

Num TCP Flows total = 7 (class HTTP, licenses=7/40)
InAddr       Port  OutAddr         Port  Idle  ClasI  ClasO  Svc
-------------------------------------------------------------------------------
192.168.0.4  2694  64.236.43.54    80    39s   HTTP   HTTP   HTTP
192.168.0.4  2676  216.148.237.36  80    48s   HTTP   HTTP   HTTP
192.168.0.4  2671  64.12.174.57    80    40s   HTTP   HTTP   HTTP
192.168.0.4  2687  64.236.43.54    80    39s   HTTP   HTTP   HTTP
192.168.0.4  2689  64.236.43.54    80    39s   HTTP   HTTP   HTTP
192.168.0.4  2670  64.12.174.57    80    39s   HTTP   HTTP   HTTP
192.168.0.4  2690  64.236.43.54    80    39s   HTTP   HTTP   HTTP

Note that the traffic flow command does not require that a limit be set with the class licenses command; it will show the total number of active flows in any class you specify.


traffic reclassify

Re-examine existing flows to see if they can be successfully classified based on PacketWise's knowledge of new flows that have started since the unit booted. It is run automatically every 15 minutes, so executing it manually should not normally be required.

traffic reclassify


traffic statistics

Show statistics about current network traffic activity, dropped packets, and packet size distribution.

traffic statistics

Sample output:

Traffic Information
  Traffic Activity     : MEDIUM
  RxLateDrops          : 54507656
  RxDrops              : 0
  Avg Packet Size      : 507 Bytes
  Avg TCP Packet Size  : 143 Bytes
  Avg UDP Packet Size  : 507 Bytes
  TCP = 0.0 %, UDP = 100.0 %, Other: 0.0 %

Packet Size Distribution       Avg-Size    % Share
  Bucket[0] (0-128B)      :     62 Bytes    0.00 %
  Bucket[1] (128-256B)    :    236 Bytes    0.00 %
  Bucket[2] (256-512B)    :    507 Bytes  100.00 %
  Bucket[3] (512-1024B)   :    590 Bytes    0.00 %
  Bucket[4] (1024+B)      :      0 Bytes    0.00 %

Note: The possible levels of Traffic Activity are: low, medium, high, and critical.

Command Change History

Release  Modification
8.7.1    traffic statistics command introduced


traffic tree

The traffic tree command provides detailed information about how often classes and their associated policies are accessed by the PacketWise classification process, along with rate information for each class.

traffic tree [<tclass>] [clear]

[<tclass>]  The traffic class tree to display, inbound or outbound. If omitted, this defaults to outbound. The class' explicit path must be supplied only if the class name itself is not unique.

[clear] Clears the class and policy hit counts

To view statistics for the entire traffic class tree, use the traffic tree command without supplying a specific class name.

Class name        Type   Class   Policy   Cur    1 Min   Peak
                         hits    hits     rate   avg     rate
-------------------------------------------------------------------------------------
/Inbound          +              n/a      284    366     n/a
  Localhost       PE     964     964      0      8       136k
  FileMaker              0       n/a      0      0       0
  HTTP                   0       n/a      0      0       0
  POP3                   0       n/a      0      0       0
  SMTP                   0       n/a      0      0       0
  SNMP                   0       n/a      0      0       0
  DNS                    0       n/a      0      0       0
  NetBIOS-IP             0       n/a      0      0       0
  SLP                    62      n/a      0      0       487
  GRE                    0       n/a      0      0       0
  ICMP                   140     n/a      0      0       108
  CiscoDiscovery         2389    n/a      0      142     2391
  AppleTalk              1310    n/a      1      3       1058
  Default         P I    235     4817     140    213     2298
/Outbound         +              n/a      459    301     n/a
  Localhost       PE     968     968      0      3       372k
  DHCP                   0       n/a      0      0       0
  FileMaker              13      n/a      0      0       47.9k
  HTTP                   229     n/a      226    289     80.1k
  EntryPoint             392     n/a      0      0       7338
  POP3                   12      n/a      0      0       49.0k
  SMTP                   14      n/a      0      0       12.2k
  Telnet                 0       n/a      0      0       0
  DNS                    29      n/a      0      0       150
  NetBIOS-IP             75      n/a      0      0       975k
  ICMP                   129     n/a      0      0       14
  Default         P I    27      920      3      9       1.3M

The display shows all of the current traffic classes, with flags that indicate whether a class has an associated policy (P), whether it is an inheritable class (I), and whether it is an exception class (E). A plus sign (+) next to a class represents a partition. The list also shows the number of times a class and its associated policy have been hit. For TCP and UDP traffic classes, PacketWise counts traffic flows, except for ICMP, for which packets are counted. For non-IP traffic classes, PacketWise counts packets. The rate statistics for the traffic through the class are also shown.

If a class does not have a policy associated with it, the classification process searches down the tree for a matching sibling that has an inheritable policy. Typically, the default classes such as /Inbound/Default show more policy hits than class hits: the policy hits for the /Inbound/Default class include policy hits for classes without policies listed earlier in the subtree. When a class does not have its own policy, it inherits a policy from a sibling in its subtree.

Note: If data is compressed by the PacketShaper, compressed packet sizes are used in the rate measurements shown in the traffic tree output. In addition, the rate measurements are calculated after rate control is applied.


ttraceroute

Determines the route taken by packets across an IP network. The PacketShaper sends 192-byte ICMP packets to a specified host and lists the hops the packets take to reach the host. This command is useful for troubleshooting networking problems.

ttraceroute <host>

Example:

ttraceroute 206.110.20.121

traceroute to 206.110.20.121 (206.110.20.121), 30 hops max, 192 byte packets

 1  172.21.0.1 (172.21.0.1)  1 ms  1 ms  1 ms
 2  192.168.15.1 (192.168.15.1)  1 ms  0 ms  1 ms
 3  12.104.153.1 (12.104.153.1)  1 ms  1 ms  1 ms
 4  12.33.0.2 (12.33.0.2)  2 ms  1 ms  1 ms
 5  12.124.47.125 (12.124.47.125)  133 ms  12.124.46.233 (12.124.46.233)  195 ms  12.124.47.249 (12.124.47.249)  19 ms
 6  12.123.213.74 (12.123.213.74)  8 ms  7 ms  8 ms
 7  12.122.11.81 (12.122.11.81)  9 ms  10 ms  11 ms
 8  12.123.12.30 (12.123.12.30)  7 ms  16 ms  15 ms
 9  192.205.33.110 (192.205.33.110)  7 ms  9 ms  7 ms
10  205.171.233.21 (205.171.233.21)  14 ms  8 ms  17 ms
11  67.14.12.6 (67.14.12.6)  15 ms  8 ms  9 ms
12  205.171.14.166 (205.171.14.166)  9 ms  205.171.14.170 (205.171.14.170)  9 ms  10 ms
13  63.145.224.14 (63.145.224.14)  20 ms  19 ms  10 ms
14  137.164.22.60 (137.164.22.60)  9 ms  9 ms  9 ms
15  137.164.32.165 (137.164.32.165)  10 ms  14 ms  11 ms
16  137.164.34.7 (137.164.34.7)  11 ms  12 ms  11 ms
17  137.164.13.90 (137.164.13.90)  23 ms  10 ms  11 ms
18  206.110.20.121 (206.110.20.121)  13 ms  14 ms  12 ms

Notes:

The three timestamp values returned for each host along the path are the delay (latency) values, typically in milliseconds (ms), for each packet in the batch (three packets per batch). If the three ICMP packets receive responses from multiple router IP addresses, the response from each router is displayed on a different line.

The output lists up to 30 hops. If more than 30 hops are required to reach the specified host, the extra hops will not be listed.

If the PacketShaper is unable to find the target host, "Port or Network is unreachable!" is displayed.

Command Change History

Release  Modification

8.3.1 Command introduced
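The notes above describe two things a script reading this output has to cope with: a hop whose three probes were answered by different routers (printed on separate lines) and the "Port or Network is unreachable!" message. The parser below is an added example, not PacketWise code; it assumes the line layout of the output shown above (hop number, responder, RTTs in ms, with additional responders on continuation lines), and its sample is an excerpt of the manual's trace (hops 1, 2, 5, 12 and 18) plus a constructed unreachable case.

```python
"""Parse ttraceroute output, including multi-responder hops and the unreachable case.

Added example; this is not PacketWise code.  The sample trace is an excerpt of the
manual's output; UNREACHABLE_OUTPUT is constructed around the message the manual quotes.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
traceroute to 206.110.20.121 (206.110.20.121), 30 hops max, 192 byte packets
 1  172.21.0.1 (172.21.0.1)  1 ms  1 ms  1 ms
 2  192.168.15.1 (192.168.15.1)  1 ms  0 ms  1 ms
 5  12.124.47.125 (12.124.47.125)  133 ms
    12.124.46.233 (12.124.46.233)  195 ms
    12.124.47.249 (12.124.47.249)  19 ms
12  205.171.14.166 (205.171.14.166)  9 ms
    205.171.14.170 (205.171.14.170)  9 ms  10 ms
18  206.110.20.121 (206.110.20.121)  13 ms  14 ms  12 ms
"""

# Constructed: target address is a placeholder; the message is the one the manual quotes.
UNREACHABLE_OUTPUT = """\
traceroute to 10.99.0.1 (10.99.0.1), 30 hops max, 192 byte packets
Port or Network is unreachable!
"""

HEADER_RE = re.compile(r"^traceroute to (\S+) \((\d+\.\d+\.\d+\.\d+)\), (\d+) hops max")
HOP_START_RE = re.compile(r"^\s*(\d+)\s+(\S.*)$")
RESPONDER_RE = re.compile(r"(\S+) \((\d+\.\d+\.\d+\.\d+)\)((?:\s+\d+(?:\.\d+)? ms)+)")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?) ms")


@dataclass
class Responder:
    name: str
    ip: str
    rtts_ms: List[float]


@dataclass
class Trace:
    target_ip: str
    max_hops: int
    hops: Dict[int, List[Responder]] = field(default_factory=dict)
    error: Optional[str] = None

    def reached_target(self) -> bool:
        """True when a responder at the last listed hop is the target itself."""
        if not self.hops:
            return False
        return any(r.ip == self.target_ip for r in self.hops[max(self.hops)])

    def truncated(self) -> bool:
        """True when the listing stopped at the hop limit without reaching the target."""
        return not self.reached_target() and max(self.hops, default=0) >= self.max_hops


def _responders(fragment: str) -> List[Responder]:
    return [Responder(name, ip, [float(x) for x in RTT_RE.findall(rtts)])
            for name, ip, rtts in RESPONDER_RE.findall(fragment)]


def parse_traceroute(text: str) -> Trace:
    lines = [ln for ln in text.splitlines() if ln.strip()]
    m = HEADER_RE.match(lines[0]) if lines else None
    if not m:
        raise ValueError("missing traceroute header line")
    trace = Trace(target_ip=m.group(2), max_hops=int(m.group(3)))
    current: Optional[int] = None
    for line in lines[1:]:
        if "unreachable" in line.lower():
            trace.error = line.strip()
            break
        hop = HOP_START_RE.match(line)
        if hop:
            # A hop line starts with the hop number; a continuation line starts with a
            # dotted IP, whose dot keeps HOP_START_RE from matching it.
            current = int(hop.group(1))
            fragment = hop.group(2)
        elif current is not None:
            fragment = line
        else:
            raise ValueError(f"unexpected line before first hop: {line!r}")
        trace.hops.setdefault(current, []).extend(_responders(fragment))
    return trace
```

`truncated()` implements the 30-hop caveat: when the last listed hop is the hop limit and is not the target, the trace is incomplete rather than finished.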


tunnel acceleration

Enable/disable acceleration globally or for a specific Xpress tunnel. The Xpress acceleration feature improves the performance of TCP/IP over satellite links or long-delay terrestrial networks. Xpress acceleration allows you to maximize bandwidth utilization, speed up application response times, accelerate the transfer of large files, and minimize the impact of other problems that are common on high-latency links. See Xpress Overview for more information.

tunnel acceleration on|off|default [<tunnel>]

where <tunnel> is the name of a static tunnel. For a static tunnel, you can either disable acceleration (off) or specify that it use the global acceleration setting (default). You cannot enable acceleration for a tunnel if acceleration is globally disabled.

By default, acceleration is disabled globally.

Examples:

To turn on acceleration for all tunnels (except for those tunnels that have disabled acceleration):

tunnel acceleration on

To disable acceleration for a tunnel named LA:

tunnel acceleration LA off

Notes:

The site router should be set to none if you are using acceleration. If a site router is defined, acceleration will not work.

For best performance, Blue Coat recommends that shaping be enabled when using acceleration.


tunnel acceleration abort

Disable acceleration and terminate all existing accelerated flows. This command is useful for testing or troubleshooting acceleration.

tunnel acceleration abort

Note that after issuing this command, you will need to use the tunnel acceleration on command when you want to re-enable acceleration.

Example:

tunnel acceleration abort

This command will terminate all accelerated flows.
Are you sure you want to continue? (NO): y

Acceleration has been set to "off". Connections aborted.

Command Change History

Release  Modification

8.1.1 abort command introduced


tunnel acceleration congestion-control

Enable or disable congestion control for accelerated connections on the sender.

tunnel acceleration congestion-control on|off|default

Congestion control is enabled by default. This setting will be appropriate for most network topologies, such as fully-meshed networks. However, if the network has fixed, dedicated bandwidth, you may want to disable congestion control.

Notes:

When congestion control is disabled, a more aggressive rate control mode will be used.

SCPS requires that congestion control be enabled. If SCPS is enabled when you turn off congestion control, you will be asked whether you want to disable SCPS. For example:

tunnel acceleration congestion-control off

Congestion control has been set to "off". This requires SCPS to be disabled. Would you like to disable SCPS? (YES): y

If you choose not to disable SCPS by answering NO, the congestion control OFF setting will be ignored. (In other words, congestion control will still be on.)

Command Change History

Release  Modification

8.1.1 congestion-control command introduced


tunnel acceleration faststart

Enable/disable FastStart for all acceleration tunnels. The FastStart feature accelerates web downloads by reducing the time needed to establish each new HTTP connection. Using FastStart, Xpress acknowledges TCP connections immediately without waiting for a connection to be established to the web server. This immediate acknowledgement allows the browser to send its HTTP GET request right away. Xpress then combines the HTTP GET request with the XTP connection request. This process delivers the HTTP request to the web server one round-trip faster. For web pages that consist of large numbers of objects, FastStart greatly improves the responsiveness of the web page display.

tunnel acceleration faststart on|off|default

FastStart is enabled by default. There is typically no need to disable FastStart unless you are using SCPS. (Enabling SCPS automatically disables FastStart.)

Notes:

FastStart works on HTTP traffic running on ports 80 or 8080.

It's possible to turn on FastStart while acceleration is disabled (although it will only take effect when acceleration is enabled). If acceleration is off when you enable FastStart, you will be prompted to turn on acceleration.

Be aware that FastStart can result in false "connection established" messages.


tunnel acceleration prefetch

Enable/disable Web Prefetch for all acceleration tunnels. The Web Prefetch feature reduces the time required to download and display web pages. The server-side Xpress/SkyX unit intercepts the HTML pages returned by the web server and begins retrieving the various embedded graphics and objects on that page. The server-side Xpress then pushes the objects to the remote side of the link where they are served by the client-side Xpress/SkyX unit when requested by the browser, thereby avoiding the network delay.

tunnel acceleration prefetch server|client on|off|default

Note that Prefetch is a two-sided facility, and has a client side and a server side. Prefetch can be enabled and disabled independently on each side. In satellite configurations, the client Prefetch facility is enabled on the PacketShaper that is across the satellite link from the Internet. The server Prefetch facility would be enabled on the PacketShaper that is on the same side of the satellite link as the Internet.

When turning off Prefetch, turn it off on both the client-side and server-side device. If you turn off server Prefetch on one device, turn off client Prefetch on the other.

Client Prefetch and Server Prefetch are disabled by default.

Examples:

To turn on Prefetch on the server side:

tunnel acceleration prefetch server on

Notes:

When prefetching is enabled, the PacketShaper and partner must be configured with the address of at least one DNS server. If more than one DNS server is provided, the prefetch logic will spread its requests equally among them. To configure a DNS server, see setup dns.

Client Prefetch requires that FastStart be enabled. If FastStart isn't already enabled when you enable client Prefetch, FastStart will automatically be set to on. For example:

tunnel acceleration prefetch client on

Client prefetch has been set to "on".
Enabling client prefetch has also enabled FastStart.


tunnel acceleration scps

Enable/disable SCPS-TP (Space Communications Protocol Standards - Transport Protocol) for all acceleration tunnels. SCPS is an alternative to XTP (the default transport protocol).

tunnel acceleration scps on|off|default

When SCPS is enabled, it becomes the transport protocol for the transmission of data over the satellite portion of the link. XTP provides higher performance than SCPS under most conditions, but SCPS is available for organizations that have standardized on SCPS as the required transport protocol.

SCPS is disabled by default.

Examples:

To turn on SCPS for all tunnels:

tunnel acceleration scps on

Notes:

FastStart and Prefetch are not available when using SCPS.

Turning SCPS on or off will terminate all active accelerated connections.

Outbound link rate is not used.


tunnel acceleration show

Display the global settings for acceleration configuration, such as the settings for acceleration, FastStart, Prefetch, and SCPS.

tunnel acceleration show [flows]

The flows option lists details on each accelerated flow, such as source and destination IP addresses, port number, rate, service, and the Xpress partner's IP address. (See second example below.)

Examples:

tunnel acceleration show

Acceleration: on
Congestion control: on
SCPS: off
FastStart: on
Server Prefetch: on
Client Prefetch: on

Flows:
Number of active accelerated flows: 2245
Maximum number of accelerated flows: 5000

tunnel acceleration show flows

Acceleration: on
Congestion control: on
SCPS: off
FastStart: on
Server Prefetch: on
Client Prefetch: on

Flows:
Number of active accelerated flows: 2245
Maximum number of accelerated flows: 5000

InAddr          OutAddr         Port  Flags  Rate0  Rate1  PartnerAddr     Svc
-------------------------------------------------------------------------------
172.21.18.253   172.21.18.254   2426  O Wa   27k    2.1M   172.21.18.225   HTTP

Notes:

The Flags column in the output displays one or more of the following:

a  Accelerated flow
c  Classified non-accelerated flow
n  No accelerated partner found
r  Acceleration bypass
A  Asymmetric
B  bad seq or ack
C  Fully classified
D  data, no SYN or SYN-ACK
I  Inbound closed
O  Outbound closed
s  SYN, no SYN-ACK
S  SYN-ACK, no SYN
T  Tentative
W  Web


If acceleration is off, the tunnel acceleration show output will indicate that other settings (FastStart, Server Prefetch, Client Prefetch) are disabled. For example:

Acceleration: off
Congestion control: on
SCPS: off
FastStart: on (but disabled due to acceleration)
Server Prefetch: on (but disabled due to acceleration)
Client Prefetch: on (but disabled due to acceleration)
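When this output is collected from many units, the Flags column is the part that needs decoding, and its letters may be separated by spaces (the manual's row shows "O Wa"). The following parser is an added example, not PacketWise code: it reads the settings block and the flows table and expands each flag letter using the legend above. SAMPLE_OUTPUT is constructed; its first flow row is the one printed above, the other two rows and their addresses are made up to exercise flags the single printed row does not show.

```python
"""Parse `tunnel acceleration show flows` output and decode its Flags column.

Added example; this is not PacketWise code.  FLAG_LEGEND holds the letters listed in
the manual's Notes.  SAMPLE_OUTPUT is constructed (first row from the manual, two more
rows made up to show other flag combinations).
"""
from dataclasses import dataclass
from typing import Dict, List

FLAG_LEGEND: Dict[str, str] = {
    "a": "Accelerated flow",
    "c": "Classified non-accelerated flow",
    "n": "No accelerated partner found",
    "r": "Acceleration bypass",
    "A": "Asymmetric",
    "B": "bad seq or ack",
    "C": "Fully classified",
    "D": "data, no SYN or SYN-ACK",
    "I": "Inbound closed",
    "O": "Outbound closed",
    "s": "SYN, no SYN-ACK",
    "S": "SYN-ACK, no SYN",
    "T": "Tentative",
    "W": "Web",
}

SAMPLE_OUTPUT = """\
Acceleration: on
Congestion control: on
SCPS: off
FastStart: on
Server Prefetch: on
Client Prefetch: on

Flows:
Number of active accelerated flows: 2245
Maximum number of accelerated flows: 5000

InAddr          OutAddr         Port  Flags  Rate0  Rate1  PartnerAddr     Svc
-------------------------------------------------------------------------------
172.21.18.253   172.21.18.254   2426  O Wa   27k    2.1M   172.21.18.225   HTTP
172.21.18.250   10.0.0.7        443   Ca     1.5M   310k   172.21.18.225   HTTPS
172.21.18.251   10.0.0.9        21    n      0      0      0.0.0.0         FTP
"""


@dataclass
class Flow:
    in_addr: str
    out_addr: str
    port: int
    flags: str
    rate0: str
    rate1: str
    partner: str
    service: str

    def describe_flags(self) -> List[str]:
        # Unknown letters are reported rather than silently dropped.
        return [FLAG_LEGEND.get(ch, f"unknown flag {ch!r}") for ch in self.flags]


def parse_settings(text: str) -> Dict[str, str]:
    """Collect the 'Name: value' lines that precede the flows table."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("InAddr"):
            break
        key, sep, value = line.partition(":")
        if sep and value.strip():          # skips the bare 'Flows:' heading
            settings[key.strip()] = value.strip()
    return settings


def parse_flows(text: str) -> List[Flow]:
    """Return one Flow per data row of the table.

    Flags is a fixed-width column whose letters may be separated by spaces, so each
    row is split from both ends: three fields on the left, four on the right, and
    everything between them is the flag set.
    """
    flows: List[Flow] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("InAddr"):
            in_table = True
            continue
        if not in_table or line.startswith("---") or not line.strip():
            continue
        tokens = line.split()
        if len(tokens) < 8:
            raise ValueError(f"unexpected flows row: {line!r}")
        in_addr, out_addr, port = tokens[:3]
        rate0, rate1, partner, service = tokens[-4:]
        flags = "".join(tokens[3:-4])
        flows.append(Flow(in_addr, out_addr, int(port), flags, rate0, rate1, partner, service))
    return flows


def not_accelerated(flows: List[Flow]) -> List[Flow]:
    """Flows without the 'a' flag: the ones to inspect when acceleration seems ineffective."""
    return [f for f in flows if "a" not in f.flags]
```

Splitting from both ends rather than by column position keeps the parser working when address or rate widths shift; `not_accelerated` is the kind of filter you would run before concluding that a tunnel partner is missing (flag n) or a flow is bypassing acceleration (flag r).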


tunnel class default

Restore default acceleration, compression, and packing settings for one or all traffic classes.

tunnel class default <tclass>|all

where <tclass> is the name of the traffic class. Including outbound/ in the <tclass> name is optional. For example, you may type either http or outbound/http for the traffic class name.

This command will clear the overrides that were set with the following commands:

tunnel class set acceleration

tunnel class set packing

tunnel class set holdtime

tunnel class set algorithm

tunnel class set compression

To clear override settings for all traffic classes:

tunnel class default all

To clear the settings for the outbound/test class:

tunnel class default test


tunnel class export

Export enhanced compression overrides for an Outbound traffic class so that the settings can be used in legacy mode. This command exports compression overrides that were set with the tunnel class set algorithm and tunnel class set compression commands. For example, if you had turned off compression for a class in enhanced mode, you can use the tunnel class export command to have this same setting in legacy mode.

tunnel class export <tclass>

where <tclass> is the name of the traffic class. Including outbound/ in the <tclass> name is optional. For instance, you may type either http or outbound/http for the traffic class name.

To export all overrides, specify outbound for <tclass>. For example:

tunnel class export outbound

This command will export the enhanced compression overrides for the traffic tree class /Outbound.

Continue? (NO): y

/Outbound contains 1 or more child classes.

Export the overrides for those classes as well? (YES): y

Notes:

In the export process, the RETD algorithm is converted to ZLIB since RETD isn't available in legacy mode.

After Pred2 dictionaries are exported, they will show up as having half the size in legacy mode as they did in enhanced mode. For example, a class with a Pred2 algorithm and 1M dictionary will have the Pred2-512k dictionary after exporting.

To verify that the settings were exported to legacy mode, use the class show <tclass> command.

Exporting enhanced class overrides will overwrite any legacy overrides that were previously defined for the class.


tunnel class import

Import legacy compression overrides for an Outbound traffic class. This command imports compression dictionary overrides that were set with the legacy command class compress on override. Use this command if you want your traffic classes to have the same algorithm overrides in enhanced mode that they had in previous versions of Xpress. For example, if you had applied the ICNA-2M dictionary to the Citrix-ICA class in PacketWise 7.2, you can use the tunnel class import command to apply the ICNA algorithm with a 2M dictionary size to this class in enhanced mode.

tunnel class import <tclass>

where <tclass> is the name of the traffic class. Including outbound/ in the <tclass> name is optional. For instance, you may type either http or outbound/http for the traffic class name.

To import all overrides, specify outbound for <tclass>. For example:

tunnel class import outbound

This command will import the legacy compression overrides for the traffic tree class /Outbound.

Continue? (NO): y

/Outbound contains 1 or more child classes.

Import the overrides for those classes as well? (YES): y

Notes:

In the import process, the ZLIB algorithm is converted to RETD since ZLIB isn't available in enhanced mode.

After Pred2 dictionaries are imported, they will show up as having twice the size in enhanced mode as they did in legacy mode. For example, Pred2-256k will become Pred2 with a 512k dictionary size after importing. This is because Pred2 uses two copies of the memory allotted (one for each pass). Note that Pred2 has always worked this way — it just wasn't previously apparent.

To verify that the settings were imported, use the tunnel class show command.

Importing legacy class overrides will overwrite any enhanced overrides that were previously defined for the class.
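The export and import notes above give a small set of conversion rules between legacy override strings (ICNA-2M, Pred2-256k, ZLIB) and enhanced-mode algorithm/size pairs: RETD and ZLIB swap places, Pred2's displayed dictionary size halves on export and doubles on import, and sizes take a k or m suffix. The code below is an added example, not PacketWise code, that applies those rules so the effect of tunnel class export or tunnel class import on a class can be predicted before running it. The Override type, the function names and the reading of k and m as binary multiples (which the 1M to 512k example implies) are this example's assumptions.

```python
"""Predict the effect of `tunnel class export` / `tunnel class import` on a class override.

Added example; this is not PacketWise code.  It encodes the conversion rules stated in
the manual's Notes for both commands.  Assumption: 'k' and 'm' are binary multiples.
"""
from dataclasses import dataclass
from typing import Optional

KIB = 1024
MIB = 1024 * 1024

# Stateless algorithms take no dictionary size (manual: "such as RETD"); ZLIB is the
# legacy-mode counterpart that RETD is converted to and from.
STATELESS = {"RETD", "ZLIB"}


def parse_size(text: str) -> int:
    """'2m' -> 2 MiB, '512k' -> 512 KiB, plain digits -> bytes.  Suffix is case-insensitive."""
    t = text.strip().lower()
    if t.endswith("m"):
        return int(t[:-1]) * MIB
    if t.endswith("k"):
        return int(t[:-1]) * KIB
    return int(t)


def format_size(nbytes: int) -> str:
    """Compact form as the CLI prints it: whole MiB as 'M', else whole KiB as 'k', else bytes."""
    if nbytes % MIB == 0:
        return f"{nbytes // MIB}M"
    if nbytes % KIB == 0:
        return f"{nbytes // KIB}k"
    return str(nbytes)


@dataclass(frozen=True)
class Override:
    algorithm: str            # upper-case name, e.g. "ICNA", "PRED2", "RETD"
    size: Optional[int]       # dictionary size in bytes; None for stateless algorithms


def parse_legacy(spec: str) -> Override:
    """Legacy override string such as 'ICNA-2M' or 'Pred2-256k'; a bare 'ZLIB' carries no size."""
    name, _, size = spec.partition("-")
    algo = name.upper()
    return Override(algo, None if (algo in STATELESS or not size) else parse_size(size))


def to_legacy(o: Override) -> str:
    """Export rules (enhanced -> legacy)."""
    if o.algorithm == "RETD":                 # RETD isn't available in legacy mode
        return "ZLIB"
    if o.algorithm in STATELESS or o.size is None:
        return o.algorithm
    # Pred2 shows half its enhanced-mode size in legacy mode (1M -> Pred2-512k).
    size = o.size // 2 if o.algorithm == "PRED2" else o.size
    return f"{o.algorithm}-{format_size(size)}"


def from_legacy(spec: str) -> Override:
    """Import rules (legacy -> enhanced)."""
    o = parse_legacy(spec)
    if o.algorithm == "ZLIB":                 # ZLIB isn't available in enhanced mode
        return Override("RETD", None)
    if o.algorithm == "PRED2" and o.size is not None:
        return Override("PRED2", o.size * 2)  # two copies of the memory, one per pass
    return o
```

Running `to_legacy(from_legacy(spec))` on an existing legacy override is a quick way to confirm that a round trip through enhanced mode leaves it unchanged, which is what the two notes together imply for every algorithm except the RETD/ZLIB pair.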


tunnel class set acceleration

Enable/disable acceleration for a specified Outbound class. This command is useful for troubleshooting the acceleration feature.

tunnel class set acceleration <tclass>|all on|off

where <tclass> is the name of the traffic class. Including outbound/ in the <tclass> name is optional. For example, you may type either Boston or Outbound/Boston for the traffic class name.

Acceleration overrides will operate with classes based on device, ports, IP addresses, subnets, MAC addresses, VLAN, MPLS, or Diffserv. But if the service is set to anything other than any, the command may not function properly. Therefore, setting an acceleration override on a service-based class is not recommended.

Example:

tunnel class set acceleration NewYork off

Notes:

If acceleration is disabled for a tunnel, you can still enable acceleration for a class but it won't take effect until acceleration is enabled for the tunnel.

An acceleration override will take effect on new connections only. If the acceleration state is changed on a traffic class while an accelerated flow is underway, the override will not apply.

Use the tunnel class show command to see class acceleration settings.

The all option can be useful for troubleshooting acceleration problems: turn acceleration off for all classes and then you can just turn it on for specific classes.

If you have turned acceleration off for all classes and want to reverse this change, it would be best to return the acceleration settings back to their default (tunnel class default) rather than turn acceleration on for all classes (tunnel class set acceleration all on).

In order to disable acceleration for a particular class, the acceleration override must be set on the PacketShaper on the client side of the connection. Class overrides for acceleration are not effective on the server-side PacketShaper.

Command Change History

Release  Modification

8.1.1 all option introduced


tunnel class set algorithm

Override the compression settings for an Outbound traffic class: algorithm, group ID, and dictionary size.

tunnel class set algorithm <tclass>|all <algorithm> [<groupid> [<size>]]

<tclass>  Name of the Outbound class

Note: Including outbound/ in the <tclass> name is optional. For example, you may type either http or outbound/http.

<algorithm>  Particular method used to shrink the size of transferred traffic, for example, ICNA, CNA, or PRED2. The default algorithm is CNA. To see a list of valid algorithms, use the tunnel compression show command.

<groupid>  An identifying number (0-255) assigned to a particular class. The default group ID is 0.

When you assign an ID, a compressor will be created specifically for this class to use. By giving a class its own compressor, you can potentially improve compression results. However, these additional compressors consume extra compression memory, so be sure to assign IDs only to your most critical and/or active classes. If you have classes with data patterns similar to a class that has its own compressor, you may want to share the compressor with these other classes; you can do this by assigning the similar classes the same <groupid> and <algorithm>.

<size>  Dictionary size specified as bytes. Optionally, you can enter a k (kilobyte) or m (megabyte) after the integer. For example, enter 2m for 2 megabytes or 512k for 512 kilobytes.

The default dictionary size is 1 MB.

If there isn't enough RAM available for the <size> you specify, Xpress will select a size that will work with the available memory.

Use the tunnel class show command to see the classes for which a compression algorithm has been specified.

Example:

tunnel class set algorithm outbound/Citrix icna 2

Notes:

Group IDs and dictionary sizes aren't applicable to stateless algorithms (such as RETD).

If you assign two classes the same algorithm, the same group ID, but different dictionary sizes, both classes will use the same dictionary size. In other words, one of the classes will not use the dictionary size you specified. (The override that is created first will be the one that is used for both classes.)

See also:

Compression Algorithms and Compressors

Command Change History

Release  Modification

8.1.1 all option introduced


tunnel class set compression

Enable/disable compression for a specified Outbound class. This command allows you to experiment with compression on a class basis and can be used for fine tuning.

tunnel class set compression <tclass>|all on|off

where <tclass> is the name of the traffic class. Including outbound/ in the <tclass> name is optional. For example, you maytype either http or outbound/http for the traffic class name.

Example:

tunnel class set compression skype off

Notes:

If compression is disabled for a tunnel, you can still enable compression for a class but it won't take effect until compression is enabled for the tunnel.

Use the tunnel class show command to see class compression settings.

The all option can be useful for troubleshooting compression problems: turn compression off for all classes and then you can just turn it on for specific classes.

Be aware that a number of services aren't compressible, so if you turn on compression for all classes, Xpress will waste resources trying to compress traffic that is uncompressible. If you have turned compression off for all classes and want to reverse this change, it would be best to return the compression settings back to their default (tunnel class default) rather than turn compression on for all classes (tunnel class set compression all on).

Command Change History

Release  Modification

8.1.1 all option introduced


tunnel class set holdtime

For a specific Outbound traffic class, set the amount of time Xpress will wait for additional packets before sending a "super packet" through an Xpress tunnel. You can either specify the amount of time to wait in milliseconds or indicate the latency tolerance of traffic in the class (pack-n-go, sensitive, or nonsensitive).

tunnel class set holdtime <tclass>|all <milliseconds>|pack-n-go|sensitive|nonsensitive

where <tclass> is the name of the traffic class. Including outbound/ in the <tclass> name is optional. For example, you maytype either http or outbound/http for the traffic class name.

You can either specify a wait time in milliseconds or choose one of the following categories:

Setting: pack-n-go
Description: Traffic that can take advantage of the benefits offered by packing, but cannot tolerate any delay; sets the wait time to 0 ms. If a super packet doesn't already exist, a pack-n-go packet will be sent through the tunnel immediately. If a super packet already exists and is waiting for more packets, the packet will be packed into the super packet and sent immediately.

Setting: sensitive
Description: Traffic that is sensitive to delay; sets the wait time to the value associated with the sensitive category (1 ms by default)
Examples: Citrix, MPEG-Audio, MPEG-Video, Skype, Telnet-Clear, Vonage

Setting: nonsensitive
Description: Traffic that can handle some latency; sets the wait time to the value associated with the nonsensitive category (10 ms by default)
Examples: FTP, KaZaA, Lotus-IM, Oracle, POP3, SMTP

Examples:

To set the packing wait time to 20 ms for the outbound/test class:

tunnel class set holdtime outbound/test 20

To specify a packing wait time appropriate for latency-sensitive traffic:

tunnel class set holdtime skype sensitive

Notes:

If packing is disabled for the class, you can still set the hold time but it won't take effect until packing is enabled.

Use the tunnel class show command to see the classes for which a packing wait time has been set.

To enable/disable packing for a class, use tunnel class set packing.

To change the value associated with a holdtime category, use the tunnel holdtime command. Note that the pack-n-go category is always set to 0 ms, and cannot be changed.

Command Change History

Release  Modification

8.1.1 all option introduced


tunnel class set packing

Enable/disable packet packing for a specific Outbound traffic class. When packing is enabled for a class, multiple packets are combined into a single super packet before being sent through the Xpress tunnel. Since fewer packets are sent, packing saves on overhead introduced by packet headers. However, packing increases latency so you might want to disable it for latency-sensitive traffic. Note that packing is a feature of the Xpress compression key.

tunnel class set packing <tclass>|all on|off

where <tclass> is the name of the traffic class. Including outbound/ in the <tclass> name is optional. For example, you maytype either http or outbound/http for the traffic class name.

Example:

To turn off packing for Outbound/Skype:

tunnel class set packing outbound/skype off

Notes:

The maximum size of the super packet is determined by the MTU. See tunnel mtu.

You can also enable/disable packing on a per-service basis. See tunnel service set packing. Note that class packing settings override service settings.

Because different types of traffic can tolerate different amounts of latency, controls are available to fine tune the length of time the super packet is held to wait for additional packets to be packed into it. See tunnel class set holdtime.

On very busy links, packing doesn't cause much latency because the packets are bundled and sent off quickly. On less active links, Xpress may have to wait to get enough packets in a bundle, possibly creating application performance problems. If you are experiencing latency, try lowering the packing hold time or disabling packing altogether. Use the tunnel holdtime, tunnel service set holdtime, or tunnel class set holdtime commands to fine tune the packing hold time.

If packing is disabled for a tunnel, you can still enable packing for a class but it won't take effect until packing is enabled for the tunnel.

Use the tunnel class show command to see class packing settings.

The all option can be useful for troubleshooting packing problems: turn packing off for all classes and then you can just turn it on for specific classes.
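The holdtime and packing descriptions above give the rules of the trade-off: a super packet waits for more packets up to the class hold time, cannot grow past the tunnel MTU, and is sent at once when a pack-n-go packet arrives. The simulation below is an added example, not PacketWise code, that plays a constructed arrival sequence through those rules so the effect of a hold-time choice on bundle size and waiting can be seen. The category defaults (0, 1 and 10 ms) are the manual's; modelling one super packet per tunnel whose deadline is the shortest hold time among the packets in it, and flushing before a packet that would exceed the MTU, are this example's simplifications, and the class names in SAMPLE_PACKETS are illustrative.

```python
"""Simulate Xpress packing with per-class hold times.

Added example; this is not PacketWise code.  Category defaults come from the manual;
the single-super-packet-per-tunnel model and the MTU handling are simplifications.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Default wait per holdtime category, in ms (pack-n-go is fixed at 0 and cannot be changed).
CATEGORY_HOLD_MS: Dict[str, float] = {"pack-n-go": 0.0, "sensitive": 1.0, "nonsensitive": 10.0}


@dataclass
class Packet:
    t_ms: float    # arrival time
    tclass: str    # Outbound traffic class
    size: int      # bytes


@dataclass
class SuperPacket:
    packets: List[Packet] = field(default_factory=list)
    deadline_ms: float = float("inf")

    def size(self) -> int:
        return sum(p.size for p in self.packets)


class Packer:
    """holdtimes maps a class name to a category name or an explicit wait in ms."""

    def __init__(self, mtu: int, holdtimes: Dict[str, Union[str, float]],
                 default: Union[str, float] = "nonsensitive") -> None:
        self.mtu = mtu
        self.holdtimes = holdtimes
        self.default = default
        self.current: Optional[SuperPacket] = None
        self.sent: List[SuperPacket] = []

    def hold_ms(self, tclass: str) -> float:
        setting = self.holdtimes.get(tclass, self.default)
        return CATEGORY_HOLD_MS[setting] if isinstance(setting, str) else float(setting)

    def _flush(self) -> None:
        if self.current is not None and self.current.packets:
            self.sent.append(self.current)
        self.current = None

    def offer(self, p: Packet) -> None:
        # A super packet whose deadline has passed was already sent on the wire.
        if self.current is not None and self.current.deadline_ms <= p.t_ms:
            self._flush()
        # The super packet cannot grow past the tunnel MTU: send it and start another.
        if self.current is not None and self.current.size() + p.size > self.mtu:
            self._flush()
        if self.current is None:
            self.current = SuperPacket()
        self.current.packets.append(p)
        # A delay-sensitive packet shortens the wait for everything already packed.
        self.current.deadline_ms = min(self.current.deadline_ms, p.t_ms + self.hold_ms(p.tclass))
        if self.current.deadline_ms <= p.t_ms:   # pack-n-go: nothing waits
            self._flush()

    def finish(self) -> List[SuperPacket]:
        self._flush()
        return self.sent


# Constructed arrival sequence: (time in ms, class, size in bytes).
SAMPLE_PACKETS = [
    Packet(0, "FTP", 400), Packet(2, "FTP", 400), Packet(3, "Skype", 200),
    Packet(6, "FTP", 400), Packet(7, "Telnet", 100),
    Packet(8, "FTP", 1400), Packet(9, "FTP", 400),
]


def run_sample() -> List[SuperPacket]:
    packer = Packer(mtu=1500, holdtimes={"Skype": "sensitive", "Telnet": "pack-n-go",
                                         "FTP": "nonsensitive"})
    for p in SAMPLE_PACKETS:
        packer.offer(p)
    return packer.finish()
```

In the sample run the Skype packet at 3 ms pulls the first bundle's deadline in to 4 ms, the pack-n-go Telnet packet at 7 ms ships the second bundle immediately, and the 1400-byte FTP packet forces an MTU split, which is the behaviour the notes describe for a lightly loaded link.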

Command Change History

Release  Modification

8.1.1 all option introduced


tunnel class show

Display compression and packing settings for traffic classes.

tunnel class show [<tclass>|all]

where <tclass> is the name of the traffic class. Including outbound/ in the <tclass> name is optional. For example, you may type either http or outbound/http for the traffic class name.

tunnel class show — lists all classes that the user has changed to a non-default setting with one of the tunnel class set commands: acceleration, algorithm, compression, packing, and holdtime.

tunnel class show all — lists all Outbound classes

Examples:

tunnel class show

Traffic Class         Pack.  Holdtime     Comp.  Algo.  Group  Size  Accel.
--------------------  -----  -----------  -----  -----  -----  ----  ------
/Outbound/FTP         *      *            Yes    PRED2  0      512K  *
/Outbound/KaZaA       *      *            *      PRED2  2      512K  *
/Outbound/Telnet      *      *            Yes    PRED2  0      512K  *
/Outbound/Webshots    *      *            No     *      *      *     *
/Outbound/DCOM        No     *            *      *      *      *     *

5 traffic classes shown.

The * means that the setting uses the default value.

tunnel class show ftp

Traffic Class         Pack.  Packtimer    Comp.  Algo.  Group  Size  Accel.
--------------------  -----  -----------  -----  -----  -----  ----  ------
/Outbound/FTP         *      *            Yes    PRED2  0      512K  *


tunnel compression

Enable/disable compression globally or for a specific Xpress tunnel. Xpress compression shrinks the size of transferred traffic, effectively increasing the amount of bandwidth available on a link. For more information about compression, see Xpress Overview.

tunnel compression on|off|{<tunnel> off|default}

where <tunnel> is the name of a static tunnel. For a static tunnel, you can either disable compression (off) or specify that it use the global compression setting (default). You cannot enable compression for a tunnel if compression is globally disabled.

By default, global compression is disabled.

Examples:

To turn on compression for all tunnels (except for those tunnels that have disabled compression):

tunnel compression on

To disable compression for a tunnel named LA:

tunnel compression LA off


tunnel compression dictionary

Set a different default compression algorithm and dictionary size. The default algorithm and dictionary size is used for all compressed traffic unless it was overridden for a particular traffic class with the tunnel class set algorithm or the tunnel service set algorithm command.

tunnel compression dictionary {<algorithm> [<size>]}|default

<algorithm>  Particular method used to shrink the size of transferred traffic, for example, ICNA, CNA, or PRED2. The default algorithm is CNA. To see a list of valid algorithms, use the tunnel compression show command.

<size>  Dictionary size specified as bytes. Optionally, you can enter a k (kilobyte) or m (megabyte) after the integer. For example, enter 2m for 2 megabytes or 512k for 512 kilobytes.

The default dictionary size is 1 MB. The range of dictionary sizes available on your unit is listed in the output of the tunnel compression show command.

The dictionary size is optional. When not specified, a built-in default will be used. Also note that stateless dictionary algorithms, such as RETD, do not need a size and will be ignored if specified.

default  Resets dictionary algorithm and size to default values (CNA, 1M). If the unit is subscribed to PolicyCenter, the default option tells PolicyCenter to inherit the default dictionary from the parent configuration.

Examples:

To change the default compression algorithm to ICNA:

tunnel compression dictionary ICNA

Default dictionary algorithm has been set to ICNA.

To change the default dictionary size to 2M:

tunnel compression dictionary ICNA 2m

Default dictionary algorithm has been set to ICNA 2M.

The algorithm and size specified can also be in the legacy format, such as:

tunnel compression algorithm ICNA-2M

Notes:

For a list of compression algorithms and a range of dictionary sizes supported by your unit, use the tunnel compression show command. This command lists the current default algorithms (stateful and stateless) and dictionary size, as well.

The default algorithm and dictionary size is CNA-1M. For accelerated connections, the default algorithm is RETD for Xpress tunnels and DEFLATE for SkyX tunnels. (Note that the algorithms for accelerated connections cannot be changed.)

For more information about algorithms, see Compression Algorithms and Compressors.

PacketGuide™ for PacketWise® 9.2

615


tunnel compression show

Display compression information for all tunnels, a specific tunnel, or a DSCP lane. The output includes details about the Xpress configuration (such as available algorithms, memory used/available) and current compression statistics so that you can see how much data is getting compressed.

tunnel compression show [<tunnel> [<lane> [<chain>]]]

Where:

<tunnel>

Name of the static or dynamic Xpress tunnel

To specify a dynamic tunnel, enter the name in the form of <xpress-IP>:<device> where <xpress-IP> is the Xpress-IP address of the tunnel partner and <device> is main, upper, lower, left, right. For example: 172.21.19.10:main

<lane>

Identifying number assigned to a lane in a particular tunnel. A lane is a virtual tunnel within a tunnel and supports situations where groups of packets may have different routes or transmission characteristics, such as in an MPLS environment. Each lane is associated with a particular DiffServ marking (DSCP value). When not running in an MPLS environment, the default lane is 0 (zero). For information on enabling Diffserv support, see tunnel diffserv.

<chain>

Identifying number assigned to a chain. A compression chain is a list of algorithms that can operate on different portions of a packet or flow. Xpress allows you to apply different types of compression to parts of data within a single packet. For example, headers can often be compressed using a custom algorithm that performs far better than the general purpose algorithm used for the body data. An example of a compression chain is:

HDRIP + HDRUDP + HDRRTP + CNA

Examples:

tunnel compression show

Xpress Configuration:
-----------------------------
Algorithms: CNA HDRIP HDRRTP HDRTCP HDRUDP HDRXTP ICNA NONE PRED1 PRED2 RETD UDPRT
Default Stateless: RETD
Default Stateful: CNA
Default Dictionary Size: 1M
Dictionary Size Range: 64K-16M
Xpress Memory: 20448 KB / 262144 KB

Xpress Totals:
-----------------------------
Total Bytes In: 8509280
Total Bytes Out: 224245
Total Bytes Saved: 8285035

Tunnels: 1
Name     Partner        Bytes In   Bytes Out   Bytes Saved   % Saved
--------------------------------------------------------------------------------
test2    172.21.18.161  8.11MB     218.98KB    7.90MB        97

To display compression information about a specific tunnel (london, in this example):

tunnel compression show london

Name: london                    Partner: 172.16.3.178
Up: 19m 34s                     State: Active

Totals:
  Sent Bytes: 672758            Compressed Bytes: 672758
  Received Bytes: 188666        Decompressed Bytes: 188666
  PreCompression bps: 83k       PostCompression bps: 2064
  PreDecompression bps: 1088    PostDecompression bps: 81k


Lane   Bytes In   Bytes Out   Total Bytes Saved   Memory Usage
------------------------------------------------------------
0      9.56MB     258.81KB    9.31MB              1024KB

Description of fields in tunnel compression show output:

Field   Description

Sent Bytes

Number of bytes sent to the partner through this tunnel (includes compressed and non-compressible bytes), measured since the tunnel was formed

Compressed Bytes

Number of compressed bytes sent to the partner through this tunnel, measured since the tunnel was formed

Received Bytes

Number of bytes received from the partner through this tunnel (includes compressed and non-compressible bytes), measured since the tunnel was formed

Decompressed Bytes

Number of bytes that needed to be decompressed from the partner through this tunnel, measured since the tunnel was formed

XTP Precomp

Number of XTP accelerated bytes sent through this tunnel, before compression has been applied; measured since compression was activated on the tunnel

XTP PostComp

Number of XTP accelerated bytes sent through this tunnel, after compression has been applied; measured since compression was activated on the tunnel

XTP PreDecomp

Number of XTP accelerated bytes received on this tunnel, before decompression has been applied; measured since compression was activated on the tunnel

XTP PostDecomp

Number of XTP accelerated bytes received on this tunnel, after decompression has been applied; measured since compression was activated on the tunnel.

PreCompression bps

Bandwidth usage before compression has been applied to outbound traffic (includes only traffic that was sent through the compression tunnel). This value is a moving average calculated at the time the tunnel compression show command is issued.

PostCompression bps

Bandwidth usage after compression has been applied to outbound traffic (includes only traffic that was sent through the compression tunnel). This value is a moving average calculated at the time the tunnel compression show command is issued.

PreDecompression bps

Bandwidth usage before inbound traffic was decompressed (includes only traffic that was sent through the compression tunnel). This value is a moving average calculated at the time the tunnel compression show command is issued.

PostDecompression bps

Bandwidth usage after inbound traffic was decompressed (includes only traffic that was sent through the compression tunnel). This value is a moving average calculated at the time the tunnel compression show command is issued.

The following data is provided on a per-lane basis. If DiffServ support is not enabled, all traffic will go in Lane 0. If DiffServ is enabled, a lane is created for each unique DSCP value. For more information, see <lane> description above.

Bytes In

For compressible outbound traffic, the number of bytes before compression has been applied, measured since the lane was formed

Bytes Out

For outbound traffic sent through a compression tunnel, the number of bytes after compression has been applied, measured since the lane was formed

Total Bytes Saved

The number of bytes that didn’t have to traverse the link, due to compression; allows you to see how many bytes the compression feature actually saved on the link.

Formula: Bytes In - Bytes Out

Memory Usage

Amount of memory dedicated to the body compressors on that lane. Does not include decompressors or header compressors.
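The following is an added example (not PacketWise code) that parses the totals and tunnel table of tunnel compression show output and re-applies the Bytes In - Bytes Out formula described above, so that a monitoring script can cross-check what the unit reports. The sample text is the output quoted on this page; the binary KB/MB interpretation, the 1% rounding tolerance and the 10% low-savings threshold are assumptions of the example.

```python
"""Parse the totals and per-tunnel sections of 'tunnel compression show'
output and cross-check the reported savings against the documented formula
(Bytes Saved = Bytes In - Bytes Out).

Added example, not PacketWise code. SAMPLE is the output quoted on this
page; the binary KB/MB parsing, the 1% rounding tolerance and the 10%
low-savings threshold are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE = """\
Xpress Totals:
-----------------------------
Total Bytes In: 8509280
Total Bytes Out: 224245
Total Bytes Saved: 8285035

Tunnels: 1
Name     Partner        Bytes In   Bytes Out   Bytes Saved   % Saved
--------------------------------------------------------------------------------
test2    172.21.18.161  8.11MB     218.98KB    7.90MB        97
"""

# Multipliers for the size suffixes seen in the output (binary units assumed).
_UNITS = {"": 1, "B": 1, "K": 1024, "KB": 1024, "M": 1024 ** 2, "MB": 1024 ** 2}


def parse_size(text: str) -> int:
    """Turn '8.11MB', '218.98KB' or '224245' into a byte count."""
    m = re.fullmatch(r"([\d.]+)\s*([KMkm]?[Bb]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2).upper()])


@dataclass
class TunnelStats:
    name: str
    partner: str
    bytes_in: int
    bytes_out: int
    bytes_saved: int  # as reported by the unit
    pct_saved: int    # as reported by the unit

    @property
    def computed_saved(self) -> int:
        return self.bytes_in - self.bytes_out

    @property
    def computed_pct(self) -> int:
        return round(100 * self.computed_saved / self.bytes_in) if self.bytes_in else 0


_TOTAL_RE = re.compile(r"^Total Bytes (In|Out|Saved):\s*(\d+)\s*$", re.M)
# name, partner IP, bytes in, bytes out, bytes saved, % saved
_TUNNEL_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$", re.M
)


def parse_totals(output: str) -> Dict[str, int]:
    """Return {'in': ..., 'out': ..., 'saved': ...} from the Xpress Totals block."""
    return {key.lower(): int(value) for key, value in _TOTAL_RE.findall(output)}


def parse_tunnels(output: str) -> List[TunnelStats]:
    """Return one TunnelStats per row of the Tunnels table."""
    return [
        TunnelStats(name, partner, parse_size(i), parse_size(o), parse_size(s), int(pct))
        for name, partner, i, o, s, pct in _TUNNEL_RE.findall(output)
    ]


def audit(output: str, tolerance: float = 0.01, low_pct: int = 10) -> List[str]:
    """List inconsistencies between reported and recomputed savings, plus any
    tunnel whose savings fall below low_pct (worth a look: traffic that no
    longer compresses may have changed in nature)."""
    findings: List[str] = []
    totals = parse_totals(output)
    if {"in", "out", "saved"} <= totals.keys() and totals["in"] - totals["out"] != totals["saved"]:
        findings.append("totals: Bytes Saved does not equal Bytes In - Bytes Out")
    for t in parse_tunnels(output):
        slack = int(t.bytes_in * tolerance)  # absorbs the MB/KB display rounding
        if abs(t.computed_saved - t.bytes_saved) > slack:
            findings.append(
                f"{t.name}: reported saved {t.bytes_saved} vs computed {t.computed_saved}"
            )
        if abs(t.computed_pct - t.pct_saved) > 1:
            findings.append(f"{t.name}: reported {t.pct_saved}% vs computed {t.computed_pct}%")
        if t.pct_saved < low_pct:
            findings.append(f"{t.name}: only {t.pct_saved}% saved")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE) or ["no inconsistencies found"]:
        print(line)
```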


tunnel delete

Remove an existing Xpress tunnel.

tunnel delete <tunnel>|all

The <tunnel> can be static (one that was added with the tunnel new command) or dynamic (one that was auto-discovered). To specify a dynamic tunnel, enter the name in the form of <xpress-IP>:<device> where <xpress-IP> is the Xpress-IP address of the tunnel partner and <device> is main (built-in) or upper, lower, left, or right (LEM). For example: 172.21.19.10:main.

To remove all static and dynamic tunnels, use the tunnel delete all command.


tunnel diffserv

Enable/disable DiffServ (Differentiated Services) mode globally or for a specific static Xpress tunnel. DiffServ mode should be enabled when using compression and/or packing on a DiffServ network. If an Xpress tunnel has DiffServ enabled, Xpress will inspect all packets for their DiffServ Code Point (DSCP) value. Within the tunnel, it will create a separate lane for each DSCP value. When Xpress sees packets with a DSCP different from those seen before, it will create a new lane associated with that DSCP. Any packets with that DSCP are then sent through the associated lane.

tunnel diffserv [<tunnel>] on|off|default

When this mode is enabled globally, DiffServ will automatically be enabled on new tunnels unless otherwise specified.

Examples:

To turn on DiffServ mode for all Xpress tunnels (except for those tunnels that have disabled DiffServ mode):

tunnel diffserv on

To disable DiffServ mode for a tunnel named LA:

tunnel diffserv LA off

Notes:

When DiffServ mode is enabled, the tunneled super packets will inherit the DiffServ markings of the original packets.

If a super packet is marked with a different DSCP value while it's inside the MPLS network, the partner PacketShaper at the other end of the tunnel will remark each of the original packets with this new value.

Xpress supports up to five DSCP values. If your network exceeds the maximum, the super packets in the tunnel will not have DiffServ markings. However, if the super packet is marked with a different DSCP value while it's inside the MPLS network, the partner PacketShaper will remark each of the original packets with the new value.


tunnel discovery

Enable/disable the auto-discovery of hosts and partners for all Xpress tunnels or disable auto-discovery of hosts for a specific static Xpress tunnel. If you are manually configuring tunnels and hosts, you will want to disable automatic host discovery so that the tunnel only uses the hosts you have configured.

Note: This command is applicable to enhanced mode only.

tunnel discovery on|off|{<tunnel> off|default}

Discovery cannot be enabled for enhanced tunnels when running in migration mode.

When auto-discovery is enabled, you may want to limit the hosts and partners that can use the tunneling facility. To do this, use the tunnel discovery host and tunnel discovery partner commands.

When auto-discovery is disabled, Xpress will not automatically discover hosts; you must add the hosts manually with the tunnel local add and tunnel remote add commands.

Example:

To disable automatic host discovery for a specific static tunnel:

tunnel discovery LosAngeles off

In this example, assume that host and partner auto-discovery is enabled globally (with the tunnel discovery on command) and host discovery is disabled for the LosAngeles tunnel using the above command. All tunnels will auto-discover hosts except for the LosAngeles tunnel.

To check the status of tunnel discovery, use the tunnel summary command.


tunnel discovery host

Limit the hosts that can use the Xpress tunneling facility. Hosts can be defined by an IP address, a subnet, an address range, or a host list. You can either create a list of the hosts that are allowed to use tunnels (an inclusive list) or a list of hosts that are excluded from tunneling (an exclusive list). By default, the lists include hosts that are allowed to use the tunneling facility; if your list represents hosts that should be excluded from tunneling, change the cmprsnInsideHostMode or cmprsnOutsideHostMode system variable.

When cmprsnInsideHostMode or cmprsnOutsideHostMode is set to 0 (inclusive), the specified hosts on the list are the only ones allowed to use the tunnel. If an outbound flow's destination host is not on the list of allowed outside hosts, the data will not be sent through the tunnel; it will be sent through the regular mechanism. Likewise, if an incoming flow's destination host is not on the list of allowed inside hosts, the flow will be sent through the normal mechanism.

When cmprsnInsideHostMode or cmprsnOutsideHostMode is set to 1 (exclusive), all hosts — except for the hosts on the list — are allowed to use the tunnel. If an outbound flow's destination host is on the list of excluded outside hosts, the data will not be sent through the tunnel; it will be sent through the regular mechanism. Likewise, if an incoming flow's destination host is on the list of excluded inside hosts, the flow will be sent through the normal mechanism.

Note: Host restrictions apply to new dynamic tunnels formed after the command is issued; they don't apply to existing tunnels. Therefore, it is recommended that you turn off compression, packing, and acceleration before you add or remove hosts. The same is true for partner restrictions.

Note that if you don’t define any host lists, all hosts can use tunnels. You might want to limit hosts so that PacketShaper won’t attempt to create tunnels for every host; you can identify a subnet that is connected to a PacketShaper to which a tunnel could be created.

tunnel discovery host add <side> <ip-addr>[/<cidr>]|<network-addr> <subnet>|list:<hostlist>

tunnel discovery host remove <side> <ip-addr>[/<cidr>]|<network-addr> <subnet>|list:<hostlist>|all

tunnel discovery host show

tunnel discovery host default <side>

where:

add|remove|default|show

add defines a host

remove deletes a previously-defined host. If the unit is subscribed to PolicyCenter, remove <side> all removes all the hosts in the local configuration but does not allow the unit to inherit any hosts from the parent configuration.

default sets tunnel hosts to default (no hosts specified) for the designated side (inside or outside). If the unit is subscribed to PolicyCenter, the default option tells PolicyCenter to remove all the hosts in the local configuration and inherit from the parent configuration.

show lists the defined hosts

<side>

The host’s location (inside or outside), relative to the unit. Typically inside hosts are located on the LAN and outside hosts are on the WAN or Internet, on the far side of the tunnel.

<ip-addr>[/<cidr>]
<network-addr> <subnet>
list:<hostlist>
all

Designate the hosts to be added or removed, using one of the following specifications:

<ip-addr>[/<cidr>] — host IP address or a CIDR network address; the CIDR number specifies the number of constant bits in the address range
<network-addr> <subnet> — the name of the subnet
list:<hostlist> — the name of a host list file
all — removes all defined hosts so that all hosts can use Xpress tunnels

Examples:

tunnel discovery host add inside 10.7.38.1

tunnel discovery host add outside 10.7.38.0/24

(illustrated example)

To remove all defined outside hosts:

tunnel discovery host remove outside all

After this command is issued, no outside hosts will be restricted from using tunnels.


To view a list of defined hosts that can use tunnels:

tunnel discovery host show

Notes:

Changes to the discovery host list require that tunnels be restarted. There are two ways to do this. As described earlier, you can disable compression, packing, and/or acceleration before changing the list (and re-enable when you’re done). Alternatively, if you have all dynamic tunnels, you can change the discovery host list, delete all the tunnels (tunnel delete all), and then let the tunnels reform automatically.

You can also define tunnel hosts with the setup compression hosts command.

Compression treats host lists differently than acceleration does because compression affects traffic in one direction while acceleration affects traffic bidirectionally. For instance, suppose an inside host is on the "inside exclude list" for the near PacketShaper but there is nothing on either list for the far PacketShaper. With compression, the inside host's requests will only be compressed in the direction going from near to far; with acceleration, the inside host's requests will not be accelerated in either direction.


tunnel discovery maintenance

Check the availability of remote hosts by sending maintenance probe packets if a host hasn't responded through the tunnel during the last 30 seconds. Maintenance probes are recommended when direct standby is enabled in enhanced tunnel mode. When maintenance probes are enabled, Xpress will send a probe packet to non-responsive hosts on a tunnel's remote list, to make sure they are still available through the existing tunnel. If the host doesn't respond to the probe (perhaps because a link is down), Xpress will use an alternate path (available via the direct standby connection) to tunnel the traffic to the host. Note that if bi-directional traffic to/from a host goes through the tunnel continuously, the maintenance probes are not sent; they are sent only if a host hasn't responded during the last 30 seconds. Once Xpress receives a tunneled packet from the remote host, the 30-second timer will be reset.

If maintenance probes are disabled, Xpress will not be aware that the host isn't available through the current tunnel.

tunnel discovery maintenance on|off|default

Note: The tunnel discovery maintenance command is similar to the setup compression reprobe command that's available in legacy mode.

Command Change History

Release   Modification

8.2.0     command introduced


tunnel discovery partner

Limit the PacketShaper units that can use the Xpress tunneling facility. Xpress tunnel partners can be defined by an IP address, a subnet, an address range, or a host list. You can either create a list of PacketShapers that are allowed to be tunnel partners (an inclusive list) or a list of units that are excluded from being partners (an exclusive list). By default, the lists include units that are allowed to be tunnel partners; if your list represents units that should be excluded from tunneling, change the cmprsnPartnerMode system variable.

When cmprsnPartnerMode is set to 0 (inclusive), the specified PacketShapers on the partner list are the only ones allowed to be tunnel partners. When cmprsnPartnerMode is set to 1 (exclusive), all units — except for the ones on the list — are allowed to be tunnel partners.

Note: Partner restrictions apply to new dynamic tunnels formed after the command is issued; they don't apply to existing tunnels. Therefore, it is recommended that you turn off compression, packing, and acceleration before you add or remove partners. The same is true for host restrictions.

Note that if you don’t define any partners or tunnel passwords, any PacketShaper that is part of a tunnel can use the tunneling facility. For example, suppose you want to compress data between a central site and several branch offices. If you don’t want compression to/from other locations, you can configure an Xpress partner list on your central site PacketShaper so that it sets up tunnels with the PacketShaper units at your branch offices. Xpress would not attempt to create a tunnel to any PacketShaper not on the partner list.
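The inclusive/exclusive rules above (for the tunnel discovery host lists and, here, the partner list) share one decision procedure; the following added example (not PacketWise code) models it so that a proposed host or partner list can be checked against sample flows before tunnels are restarted. list:<hostlist> files are not modelled, and all addresses are constructed.

```python
"""Model the inclusive/exclusive decision rules of the tunnel discovery host
and tunnel discovery partner lists (cmprsnInsideHostMode,
cmprsnOutsideHostMode and cmprsnPartnerMode: 0 = inclusive, 1 = exclusive).

Added example, not PacketWise code. It mirrors the rules described on this
page so that a proposed host or partner list can be checked against sample
flows before tunnels are restarted. list:<hostlist> files are not modelled;
all addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple, Union

INCLUSIVE, EXCLUSIVE = 0, 1

# A list entry is a CIDR block (a single host is a /32) or an inclusive range.
Entry = Union[ipaddress.IPv4Network, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]


def parse_entry(spec: str) -> Entry:
    """Accept a host ('10.7.38.1'), a CIDR block ('10.7.38.0/24') or a
    dash-separated range ('10.7.38.0-10.7.38.200')."""
    if "-" in spec:
        low, high = (ipaddress.IPv4Address(p) for p in spec.split("-", 1))
        if low > high:
            raise ValueError(f"range out of order: {spec}")
        return (low, high)
    return ipaddress.IPv4Network(spec, strict=False)


def on_list(ip: str, entries: List[Entry]) -> bool:
    addr = ipaddress.IPv4Address(ip)
    for entry in entries:
        if isinstance(entry, tuple):
            if entry[0] <= addr <= entry[1]:
                return True
        elif addr in entry:
            return True
    return False


def allowed(ip: str, entries: List[Entry], mode: int) -> bool:
    """Inclusive: only listed addresses qualify. Exclusive: everything except
    the listed addresses qualifies. No list defined: everything qualifies."""
    if not entries:
        return True
    listed = on_list(ip, entries)
    return listed if mode == INCLUSIVE else not listed


@dataclass
class DiscoveryConfig:
    inside: List[Entry] = field(default_factory=list)
    outside: List[Entry] = field(default_factory=list)
    partners: List[Entry] = field(default_factory=list)
    inside_mode: int = INCLUSIVE    # cmprsnInsideHostMode
    outside_mode: int = INCLUSIVE   # cmprsnOutsideHostMode
    partner_mode: int = INCLUSIVE   # cmprsnPartnerMode

    def add(self, which: str, spec: str) -> None:
        """which is 'inside', 'outside' or 'partners'."""
        getattr(self, which).append(parse_entry(spec))


def flow_uses_tunnel(cfg: DiscoveryConfig, direction: str, dest_ip: str) -> bool:
    """An outbound flow is judged by its destination against the outside list,
    an inbound flow by its destination against the inside list."""
    if direction == "outbound":
        return allowed(dest_ip, cfg.outside, cfg.outside_mode)
    if direction == "inbound":
        return allowed(dest_ip, cfg.inside, cfg.inside_mode)
    raise ValueError(f"unknown direction: {direction}")


def can_be_partner(cfg: DiscoveryConfig, partner_ip: str) -> bool:
    return allowed(partner_ip, cfg.partners, cfg.partner_mode)


if __name__ == "__main__":
    cfg = DiscoveryConfig()
    cfg.add("inside", "10.7.38.1")                # tunnel discovery host add inside 10.7.38.1
    cfg.add("outside", "10.7.38.0/24")            # tunnel discovery host add outside 10.7.38.0/24
    cfg.add("partners", "10.7.38.0-10.7.38.200")  # tunnel discovery partner add 10.7.38.0-10.7.38.200
    for ip in ("10.7.38.77", "10.7.39.1"):
        print(ip, "outbound tunneled:", flow_uses_tunnel(cfg, "outbound", ip))
```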

tunnel discovery partner add <ip-addr>[/<cidr>]|<ip-addr> <subnet>|list:<hostlist>

tunnel discovery partner remove <ip-addr>[/<cidr>]|<ip-addr> <subnet>|list:<hostlist>|all

tunnel discovery partner default <side>

tunnel discovery partner show

where:

add|remove|default|show

add defines a PacketShaper unit that can be an Xpress tunnel partner

remove deletes a previously-defined partner. If the unit is subscribed to PolicyCenter, remove all removes all the partners in the local configuration but does not allow the unit to inherit any partners from the parent configuration.

default sets tunnel partners to default (no partners specified). If the unit is subscribed to PolicyCenter, the default option tells PolicyCenter to remove all the partners in the local configuration and inherit from the parent configuration.

show lists defined Xpress tunnel partners

<ip-addr>[/<cidr>]
<ip-addr> <subnet>
list:<hostlist>
all

Designate the PacketShapers to be added or removed, using one of the following specifications:

<ip-addr>[/<cidr>] — PacketShaper IP address or range; the CIDR number specifies the number of constant bits in the address range
<ip-addr> <subnet> — the name of the subnet
list:<hostlist> — the name of a host list file
all — removes all defined tunnel partners so that all units can use tunneling

Examples:

tunnel discovery partner add 10.7.38.0-10.7.38.200

tunnel discovery partner add 10.7.38.0/24

To remove all defined tunnel partners:

tunnel discovery partner remove all

After this command is issued, all PacketShapers will be able to use the tunneling facility.

To see a list of defined Xpress tunnel partners:

tunnel discovery partner show

Notes:

Changes to the discovery partner list require that tunnels be restarted. There are two ways to do this. As described earlier, you can disable compression, packing, and/or acceleration before changing the list (and re-enable when you’re done). Alternatively, if you have all dynamic tunnels, you can change the discovery partner list, delete all the tunnels (tunnel delete all), and then let the tunnels reform automatically.


You can also define tunnel partners with the setup compression partners command.


tunnel discovery reprobe

Applicable to enhanced compression tunnels only.

Manually reprobe for the availability of a remote host by sending a probe packet to that host. When compression and direct standby are both enabled, Blue Coat recommends that maintenance probing be used on PacketShapers at all branch offices.

tunnel discovery reprobe <ip>

Note: The tunnel discovery reprobe command is similar to the setup compression reprobe command that's available in legacy mode.

Command Change History

Release   Modification

8.3.1     command introduced


tunnel firewall

Enable/disable firewall support globally or for a specific Xpress tunnel. If the PacketShaper will be sending or receiving tunneled traffic through a firewall, this setting must be enabled for those tunnels. Firewall support is disabled by default.

tunnel firewall [<tunnel>] on|off|default

When this setting is enabled globally, firewall support will automatically be enabled on new tunnels unless otherwise specified.

Examples:

To turn on firewall support for all tunnels (except for those tunnels that have disabled firewall support):

tunnel firewall on

To disable firewall support for a tunnel named LA:

tunnel firewall LA off

Notes:

This feature will not work through a NAT device.

It is not necessary to enable firewall support on each tunnel partner. When firewall support is enabled on one end of the tunnel, it will automatically act as if it is enabled on any tunnel partners (although the firewall setting is not actually physically changed on these partners).

It is not recommended to enable firewall support on tunnels used just for acceleration.


tunnel holdtime

Define the packing wait time in milliseconds associated with the packing timer categories. The packing hold time is the amount of time Xpress will wait for additional packets before sending a “super packet” through an Xpress tunnel. Three timer categories are available: global, sensitive, and nonsensitive.

tunnel holdtime global|sensitive|nonsensitive <milliseconds>

Each of the packing timer categories is described below.

Setting        Description                                             Default   Examples

global         The default packing wait time for services that don't   10 ms     Abacast, Aimster, Gnutella, KaZaA, YahooMsg
               have a predefined or user-defined value

sensitive      Traffic that is sensitive to delay                      1 ms      Citrix, MPEG-Audio, MPEG-Video, SkypeData, Telnet-Clear, Vonage

nonsensitive   Traffic that can handle some latency                    10 ms     FTP, SMTP, POP3

Examples:

To change the default packing wait time to 25 ms:

tunnel holdtime global 25

To change the value associated with the nonsensitive category to 30 ms:

tunnel holdtime nonsensitive 30

To set the value associated with the nonsensitive category back to its default setting (10 ms):

tunnel holdtime nonsensitive default

Notes:

If packing is disabled for the class, you can still set the hold time but it won't take effect until packing is enabled.

Use the tunnel service show and tunnel class show commands to see the services and classes for which a packing wait time has been set.

To set a packing wait time for a specific class or service, use tunnel class set holdtime or tunnel service set holdtime.

To enable/disable packing for a class or service, use tunnel class set packing or tunnel service set packing.

A fourth packing timer category is also available (pack-n-go), but its time cannot be adjusted; it's always set to 0ms.


tunnel ip clear

Clear the Xpress-IP (XIP) address and VLAN settings for a PacketShaper device. Once settings are cleared, compression, packing, and acceleration will be disabled on that interface.

tunnel ip clear main|upper|lower|left|right|all

where main is the interface built into the unit, and upper|lower|left|right indicates the position of the installed LEM. The all parameter clears settings on all interfaces; if you clear all XIP addresses, compression, packing, and acceleration will automatically be disabled.

Example:

To clear all Xpress settings for the upper LEM:

tunnel ip clear upper

Notes:

If you want to clear the VLAN settings without clearing the XIP address settings, don't use the tunnel ip clear command; instead, use the tunnel ip configure command without the VLAN parameters. For example:

tunnel ip configure upper 172.21.18.161 255.255.0.0 172.21.0.1

The tunnel ip clear command is the same as the setup compression ip clear command; you may use either command.

See also:

tunnel ip configure

tunnel ip show


tunnel ip configure

Set an Xpress-IP (XIP) address or VLAN settings for a PacketShaper device; this is required when using the Xpress feature.

tunnel ip configure main|upper|lower|left|right <ipaddr> <mask> [<ingress gateway>] <gateway>|none [<vlanid> [<priority>]]

Where:

main|upper|lower|left|right

PacketShaper device to configure:

main — built-in interface
upper — upper LAN Expansion Module (LEM)
lower — lower LEM
left — left LEM
right — right LEM

<ipaddr>

IP address to assign to the device; each interface must have a unique address. Note that this address is used by the Xpress feature and is not for managing the PacketShaper.

The XIP address can NOT be the same as the unit's management address or the same address as the secondary customer portal address.

The address cannot be:

- loopback address (127.xx.xx.xx)
- network address (all host bits 0)
- broadcast address (all host bits 1)
- class D or class E address

<mask> Subnet mask

<ingress gateway>

IP address of the ingress router (optional). When an ingress gateway is configured, it will be used for inbound detunneled packets (that is, traffic that has been accelerated, compressed, and/or packed in an Xpress tunnel). The XIP gateway will be used for outbound tunneled traffic.

Note: If PacketShapers configured for Direct Standby are using the acceleration feature to accelerate asymmetric traffic, both Direct Standby partner PacketShapers must be able to access Inside hosts via the units’ Xpress-IP. If Inside hosts are on a different subnet from the Xpress-IP, that PacketShaper must have an Ingress gateway defined.

<gateway>|none

IP address of the egress router; specify none if there isn't a gateway. The gateway is required when Prefetch server is enabled.

For VLAN environments only:

<vlanid>

802.1Q VLAN ID (0 - 4095)

Notes:

A maximum of three VLAN IDs can be assigned per PacketShaper (one for each device).

An XIP configured with a VLAN must be on a different subnet from the management IP address.

<priority> 802.1P VLAN priority (0-7)

If your network isn't using VLAN IDs but you want to set a VLAN priority, you must set a VLAN ID of 0 (zero).

Notes:

If you are using Xpress with PacketShaper’s direct standby feature, the LEM that is used for direct connection cannot be configured for Xpress. (Note: Direct standby is supported in legacy tunnel mode only.)


The tunnel ip configure command is the same as the setup compression ip configure command. (You may use either command.)

When you assign or change Xpress-IP addresses with the tunnel ip configure command, Xpress will tear down existing tunnels and establish new tunnels using the new Xpress-IP addresses.

If you upgraded from v7.x to v8.x, Xpress will automatically use the same addresses you configured in v7.x. PacketWise 8.x has the additional requirement that the Xpress-IP address cannot be the same as the management IP address. If they are the same, you will see the following error message on the Info tab (in the browser) or in the CLI banner after you log in: Warning: No XIP addresses have been configured. Compression will be disabled until you configure the Xpress-IP address.
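The argument grammar and the address restrictions above can be checked before a command is typed into a unit. The following is an added example (not PacketWise code) that parses the tunnel ip configure argument list, distinguishing the optional ingress gateway from the VLAN parameters as the syntax implies, and applies the XIP address rules this page states. The management address, the reserved customer-portal addresses and the ingress-gateway sample are constructed, and "different subnet" is judged with the XIP's own mask, which is an assumption.

```python
"""Parse the argument list of 'tunnel ip configure' and apply the Xpress-IP
address rules stated on this page: not loopback, not the network or
broadcast address of its subnet, not class D or E, not the management (or
customer portal) address, VLAN ID 0-4095, VLAN priority 0-7, and a
VLAN-tagged XIP on a different subnet from the management address.

Added example, not PacketWise code. The management address, the reserved
(customer portal) addresses and the ingress-gateway sample are constructed;
'different subnet' is judged with the XIP's own mask, an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

DEVICES = ("main", "upper", "lower", "left", "right")


@dataclass
class XipConfig:
    device: str
    address: ipaddress.IPv4Address
    mask: ipaddress.IPv4Address
    ingress_gateway: Optional[ipaddress.IPv4Address]
    gateway: Optional[ipaddress.IPv4Address]  # None when 'none' was given
    vlan_id: Optional[int] = None
    vlan_priority: Optional[int] = None

    @property
    def network(self) -> ipaddress.IPv4Network:
        # Raises ValueError for a non-contiguous mask.
        return ipaddress.IPv4Network(f"{self.address}/{self.mask}", strict=False)


def _is_addr(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_args(argv: List[str]) -> XipConfig:
    """argv is everything after 'tunnel ip configure'. Gateway tokens are IP
    addresses or 'none'; the integers that follow are VLAN ID then priority,
    so a single trailing integer is the VLAN ID, as the page states."""
    if len(argv) < 4 or argv[0] not in DEVICES:
        raise ValueError("device, <ipaddr>, <mask> and <gateway>|none are required")
    device = argv[0]
    address, mask = ipaddress.IPv4Address(argv[1]), ipaddress.IPv4Address(argv[2])
    rest = argv[3:]
    gateways: List[Optional[ipaddress.IPv4Address]] = []
    while rest and (rest[0] == "none" or _is_addr(rest[0])):
        gateways.append(None if rest[0] == "none" else ipaddress.IPv4Address(rest[0]))
        rest = rest[1:]
    if len(gateways) == 1:
        ingress, egress = None, gateways[0]
    elif len(gateways) == 2 and gateways[0] is not None:
        ingress, egress = gateways[0], gateways[1]
    else:
        raise ValueError("expected [<ingress gateway>] <gateway>|none")
    if not all(t.isdigit() for t in rest) or len(rest) > 2:
        raise ValueError("trailing arguments must be [<vlanid> [<priority>]]")
    vlan = [int(t) for t in rest] + [None, None]
    return XipConfig(device, address, mask, ingress, egress, vlan[0], vlan[1])


def validate(cfg: XipConfig, management_ip: str, reserved: Iterable[str] = ()) -> List[str]:
    """Return the rule violations for cfg (an empty list means it passes)."""
    problems: List[str] = []
    mgmt = ipaddress.IPv4Address(management_ip)
    try:
        net = cfg.network
    except ValueError:
        return ["invalid subnet mask"]
    a = cfg.address
    if a.is_loopback:
        problems.append("loopback address")
    if a == net.network_address:
        problems.append("network address (all host bits 0)")
    if a == net.broadcast_address:
        problems.append("broadcast address (all host bits 1)")
    if a.is_multicast or a.is_reserved:
        problems.append("class D or class E address")
    if a == mgmt:
        problems.append("same as the management address")
    if a in {ipaddress.IPv4Address(r) for r in reserved}:
        problems.append("same as the secondary customer portal address")
    if cfg.vlan_id is not None and not 0 <= cfg.vlan_id <= 4095:
        problems.append("VLAN ID outside 0-4095")
    if cfg.vlan_priority is not None and not 0 <= cfg.vlan_priority <= 7:
        problems.append("VLAN priority outside 0-7")
    if cfg.vlan_id is not None and mgmt in net:
        problems.append("VLAN-tagged XIP on the same subnet as the management address")
    return problems


if __name__ == "__main__":
    # The three command lines below are the examples given on this page.
    for line in ("upper 172.21.18.161 255.255.0.0 172.21.0.1",
                 "main 192.168.0.6 255.255.255.0 192.168.0.1 2176",
                 "lower 192.168.0.5 255.255.255.0 192.168.0.1 0 2"):
        cfg = parse_args(line.split())
        print(line, "->", validate(cfg, "10.0.0.1") or "ok")
```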

Examples:

To set the XIP address of an upper LEM:

tunnel ip configure upper 172.21.18.161 255.255.0.0 172.21.0.1

For VLAN environments, you can specify the VLAN ID and/or VLAN priority. If you specify only one VLAN parameter, PacketWise will assume it is the VLAN ID. In the following example, all compressed packets going through the main interface will be assigned a VLAN ID of 2176:

tunnel ip configure main 192.168.0.6 255.255.255.0 192.168.0.1 2176

If you only want to use VLAN priority, you have to set a VLAN ID of zero. For example, to assign a VLAN priority of 2 to all compressed packets going through the lower LEM interface, you must set the VLAN ID to 0 (zero):

tunnel ip configure lower 192.168.0.5 255.255.255.0 192.168.0.1 0 2

To clear the VLAN settings without clearing the Xpress-IP settings, use the tunnel ip configure command without the VLAN parameters:

tunnel ip configure lower 192.168.0.5 255.255.255.0 192.168.0.1

See also:

tunnel ip clear

tunnel ip show

Command Change History

Release   Modification

8.2.0     No longer required to enable the tnlEnableIngress variable in order to activate the ingress gateway. (The tnlEnableIngress system variable has been removed.)

8.1.1     [<ingress gateway>] option introduced


tunnel ip show

Show the Xpress-IP address and VLAN settings for a PacketShaper device.

tunnel ip show [main|upper|lower|left|right]

where main is the interface built into the unit, and upper|lower|left|right indicates the position of the installed LEM. If no device is specified, settings for all interfaces will be listed.

Example:

tunnel ip show main

IP address for Main: 172.21.18.161
Netmask for Main: 255.255.0.0
Gateway address for Main: 172.21.0.2 (Outside at 00:a0:cc:63:e1:63)
VLAN id/priority for Main: none

Notes:

The Gateway address may initially show as "Resolving" while Xpress is in the process of resolving the gateway. When you reissue the command, if Xpress was able to resolve the gateway, the output will show the interface (outside or inside) and the MAC address. "Resolving" may also appear if the link is down.

If the tnlEnableIngress system variable is enabled, the output of the show command will list the Ingress Gateway settings.


tunnel local add

Add local static hosts to a device. To expedite the population of hosts on an Xpress tunnel, you can use this command to configure the subnets, host ranges, and individual hosts that are local to a particular physical interface. Any tunnel formed on that interface will then assume that those hosts are eligible to receive and send traffic on that tunnel. This command is also useful for specifying multicast compression hosts since only unicast hosts are autodiscovered.

tunnel local add <device> <host>|<range>|<subnet>/<cidr>|list:<hostlist>

<device> Device on the PacketShaper:

main — built-in interface
upper — upper LAN Expansion Module (LEM)
lower — lower LEM
right — right LEM
left — left LEM

<host> Host IP address

<range> Range of IP addresses

To specify a range, use a dash — with no spaces — between the low and high address in the range (for example, 192.168.1.100-192.168.1.200).

<subnet>/<cidr> The address of the subnet; the CIDR number specifies the number of constant bits in the address range (for example, 10.0.0.0/8)

list:<hostlist> The name of a host list created with the hl new command

Notes:

You cannot use a host list that contains domain names.

If you change the contents of a host list after you have added it to the device's local list, you will need to add it again; the local list doesn't automatically update when the host list changes.

Examples:

tunnel local add main 192.168.0.0-192.168.10.100

Multiple hosts can be added at once, for example:

tunnel local add lower 10.0.0.0/8 192.168.0.0-192.168.0.60 192.168.10.12

Notes:

The list of eligible local hosts is communicated to tunnel partners at the time the tunnel is established and is updated as the list changes.

The list is saved in the unit's configuration and will be re-applied after a system restart. (Note: Dynamic hosts are not saved.)

Each time you issue the tunnel local add command for a device, the hosts will be added to the current list of local hosts for that device. In other words, you do not need to respecify hosts you've already added.

Use the tunnel local show command to see the local hosts that are associated with a device.

Use the tunnel local delete command to remove local hosts.


tunnel local delete

Remove a local static host that was added to a device on a PacketShaper.

tunnel local delete <device> all|<host>|<range>|<subnet>/<cidr>

<device> Device on the PacketShaper:

main — built-in interface
upper — upper LAN Expansion Module (LEM)
lower — lower LEM
left — left LEM
right — right LEM

<host> Host IP address

<range> Range of IP addresses

To specify a range, use a dash — with no spaces — between the low and high address in the range (for example, 192.168.1.100-192.168.1.200).

<subnet>/<cidr> The address of the subnet; the CIDR number specifies the number of constant bits in the address range (for example, 10.0.0.0/8)

Examples:

tunnel local delete main 192.168.0.0-192.168.0.100

Multiple hosts can be removed at once, for example:

tunnel local delete lower 10.0.0.0/8 192.168.0.0-192.168.0.60 192.168.10.12

Or, to remove all static local hosts from a device:

tunnel local delete main all

Notes:

The hosts and ranges removed must exactly match the way they were configured. For example, if you added 10.0.0.0/8 as static local hosts, then that is how it must be specified when removed. Using the same example, you cannot remove the specific host 10.1.2.3 if the range originally added was 10.0.0.0/8. Use the command tunnel local show to see the list of local static hosts.

The tunnel local delete command removes static hosts that were added with the tunnel local add command. It does not delete dynamic hosts that were discovered on a device. To remove dynamic hosts, use the tunnel local flush command.

See also:

tunnel local add

tunnel local show


tunnel local export

Export a device's list of local static hosts to a named host list. This command converts the existing list attached to a device to a host list; once done, the host list can be transferred to other PacketShapers or modified with the hl add command and re-imported with the tunnel local add command.

tunnel local export <device> list:<hostlist>

<device> Device on the PacketShaper:

main — built-in interface
upper — upper LAN Expansion Module (LEM)
lower — lower LEM
left — left LEM
right — right LEM

list:<hostlist> Descriptive name for the host list (up to 127 characters; the slash (/) and backslash (\) characters may not be used). If the host list name already exists, the hosts will be appended to the contents of the existing list.

Before exporting, you may want to view a list of a device's local hosts; use the tunnel local show command. After exporting, use the hl show command to view the contents of the host list. Note that the lists may look different because Xpress will consolidate adjacent IP addresses into ranges during the export process.

If the host list name you specify already exists, you will be notified that the exported hosts will be appended to the existing list. You are given the option of canceling the command if you don't want to do this.

Example:

tunnel local export main list:mylist5

Exporting static list:
exporting 172.21.18.0-172.21.18.255
exporting 172.21.19.5-172.21.19.6
exporting 172.21.20.17
exporting 172.21.22.10

Exported 4 entries to hostlist mylist5.


tunnel local flush

Clear local dynamic hosts associated with a device on a PacketShaper. These hosts are auto-discovered by Xpress, not manually added with the tunnel local add command. You can flush an individual host or a range of hosts. If you move your PacketShaper and/or hosts on your network, you can use the flush command to flush the hosts that were previously discovered.

tunnel local flush all|{<device> all|<host>|<range>|<subnet>/<cidr>}

all Clears local dynamic hosts discovered on all devices

<device> Device the tunnel is using on the PacketShaper:

main — built-in interface
upper — upper LAN Expansion Module (LEM)
lower — lower LEM
left — left LEM
right — right LEM

<device> all Clears all dynamic hosts discovered on a specific device

<host> Host IP address

<range> Range of IP addresses

To specify a range, use a dash — with no spaces — between the low and high address in the range (for example, 192.168.1.100-192.168.1.200).

<subnet>/<cidr> The address of the subnet; the CIDR number specifies the number of constant bits in the address range (for example, 10.0.0.0/8)

Examples:

To clear a range of dynamic hosts discovered on the built-in device (main):

tunnel local flush main 192.113.0.0-192.113.0.100

To clear all dynamic hosts discovered on the lower LEM:

tunnel local flush lower all

To clear all dynamic hosts discovered on all devices:

tunnel local flush all

Note:

To see the list of auto-discovered hosts for a device, use the tunnel local show <device> command.

See also:

tunnel local delete

tunnel local show


tunnel local show

View a list of local hosts that were dynamically discovered on a device or manually added with the tunnel local add command.

tunnel local show [<device>] [<host>|<subnet>/<cidr>|<subnet> <mask>|<range>] [-n <number>] [-f <file>]

<device>

main — built-in interface
upper — upper LAN Expansion Module (LEM)
lower — lower LEM
left — left LEM
right — right LEM

<host> IP address. Use the <host> parameter to determine whether a particular host is on a host list for any device, and if so, which device the host is on and whether the host is on the static or dynamic host list.

<subnet>/<cidr> Lists the local hosts in the specified subnet; the CIDR number specifies the number of constant bits in the address range

Example: 192.168.1.0/24

<subnet> <mask>

Lists the local hosts for the designated subnet and mask

Example: 128.10.1.0 255.255.255.0

<range> Lists the local hosts in the specified IP address range

Example: 172.21.18.160-172.21.18.190

-n <number> Limits the number of host entries displayed. For example, if 10 is the <number>, 10 static host entries and 10 dynamic hosts are displayed.

-f <file>

Saves output to file named <file>. The filename must be 8.3 format (for example, hostfile.txt). The file is created in the current directory unless you specify a different path. It may be useful to output the list to a file and then open the file in a text editor to review and search.

The maximum number of hosts that the tunnel local show command will display on the console is 1000. If there are more than 1000 local hosts, you can choose to display the list anyway. Alternatively, you can filter the list to a more manageable size using the <host>, <subnet>, <range>, or -n <number> parameters.

If a device or host isn't specified, the tunnel local show command lists hosts associated with each device on the PacketShaper.

Examples:

tunnel local show main

Static local list for Inside device:
172.21.18.0/24
172.21.18.16
172.21.19.5
172.21.19.6
172.21.20.17
172.21.22.10
172.50.16.25

Dynamic local list for Inside device:
172.21.1.58

Addresses or ranges in the static local list for Inside: 7.
Addresses or ranges in the dynamic local list for Inside: 1.

tunnel local show 172.21.1.41

172.21.1.41 is in the static local list for the Inside device
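The add/delete/show/export behaviour described on the preceding pages (entries accumulate, deletion must name the entry exactly as added, a host lookup reports which device lists cover it, export merges adjacent addresses into ranges) is modelled below as an added example; this is not PacketWise code, and the merge rule is my reading of the export description rather than a documented algorithm. The sample entries are the ones from the tunnel local show and tunnel local export examples.

```python
"""Model of a device's static local host list for tunnel local add/delete/show/export.

Added example, not PacketWise code. Rules taken from the reference: entries
accumulate across 'add' calls; 'delete' must match an entry exactly as it
was configured (a single host inside an added subnet cannot be removed on
its own); 'show <host>' reports which device lists contain the host; and
'export' consolidates adjacent addresses into ranges. Assumptions: re-adding
an identical entry is a no-op, and the merge in export() joins overlapping
or directly adjacent entries.
"""
import ipaddress
from typing import Dict, List, Tuple

Span = Tuple[int, int]  # inclusive (low, high) IPv4 addresses as integers


def parse_entry(text: str) -> Span:
    """Turn '<host>', '<low>-<high>' or '<subnet>/<cidr>' into an integer span."""
    if "-" in text:
        low, high = (int(ipaddress.IPv4Address(p)) for p in text.split("-", 1))
        if low > high:
            raise ValueError(f"range {text} is reversed")
        return low, high
    if "/" in text:
        net = ipaddress.IPv4Network(text, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    addr = int(ipaddress.IPv4Address(text))
    return addr, addr


def span_text(span: Span) -> str:
    low, high = (str(ipaddress.IPv4Address(v)) for v in span)
    return low if low == high else f"{low}-{high}"


class LocalStaticHosts:
    def __init__(self) -> None:
        # device -> ordered (text as configured, span); the text is kept because
        # deletion matches the entry exactly as it was added
        self._lists: Dict[str, List[Tuple[str, Span]]] = {}

    def add(self, device: str, *entries: str) -> int:
        """Append entries to the device's list; returns the new entry count."""
        lst = self._lists.setdefault(device, [])
        for entry in entries:
            span = parse_entry(entry)  # validates syntax before touching the list
            if all(text != entry for text, _ in lst):
                lst.append((entry, span))
        return len(lst)

    def can_delete(self, device: str, entry: str) -> bool:
        """True only if the entry was configured in exactly this form."""
        return any(text == entry for text, _ in self._lists.get(device, []))

    def delete(self, device: str, *entries: str) -> int:
        """Remove entries ('all' clears the list); returns the remaining count."""
        lst = self._lists.get(device, [])
        if entries == ("all",):
            lst.clear()
            return 0
        for entry in entries:
            if not self.can_delete(device, entry):
                raise ValueError(f"{entry} was not added as-is on {device}; "
                                 "delete must match the configured entry")
            lst[:] = [(text, span) for text, span in lst if text != entry]
        return len(lst)

    def show(self, device: str) -> List[str]:
        return [text for text, _ in self._lists.get(device, [])]

    def find_host(self, host: str) -> List[str]:
        """Devices whose static list covers the host (tunnel local show <host>)."""
        h = int(ipaddress.IPv4Address(host))
        return [dev for dev, lst in self._lists.items()
                if any(lo <= h <= hi for _, (lo, hi) in lst)]

    def export(self, device: str) -> List[str]:
        """Consolidate overlapping or adjacent entries into ranges."""
        spans = sorted(span for _, span in self._lists.get(device, []))
        merged: List[Span] = []
        for lo, hi in spans:
            if merged and lo <= merged[-1][1] + 1:
                merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
            else:
                merged.append((lo, hi))
        return [span_text(span) for span in merged]


if __name__ == "__main__":
    hosts = LocalStaticHosts()
    hosts.add("main", "172.21.18.0/24", "172.21.18.16", "172.21.19.5",
              "172.21.19.6", "172.21.20.17", "172.21.22.10")
    print(hosts.export("main"))
```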

Command Change History

Release   Modification
8.3.1     New parameters added: <subnet>/<cidr>, <subnet> <mask>, <range>, -n <number>, -f <file>
          Maximum number of hosts displayed on the console increased to 1000.
8.2.0     To avoid the display of excessively long host lists, only the first 100 host entries are listed under Static list and Dynamic list in the tunnel local show output. If there are more than 100 host entries, a message will display indicating that there are too many entries to display.

See also:

tunnel local add

tunnel local delete


tunnel logging clear

Clear the entries in a tunnel's log.

tunnel logging clear <tunnel>

where <tunnel> is the name of a dynamic or static tunnel. To specify a dynamic tunnel, enter the name in the form of <xpress-IP>:<device> where <xpress-IP> is the Xpress-IP address of the tunnel partner and <device> is main (built-in) or upper, lower, left, or right (LEM). For example: 172.21.19.10:main.

Example:

To clear a log for a tunnel named london:

tunnel logging clear london

Note:

Log entries are also cleared when the PacketShaper is reset.


tunnel logging show

Display tunnel log entries for a specific dynamic or static tunnel. A log entry is created for a change in tunnel state (for example, Tunnel going to state: Resolving egress gateway) or when a tunnel setting was modified (for example, Changing "DiffServ" from 0 to 1). Tunnel logs can be useful for looking at a history of tunnel changes and for troubleshooting tunnel problems.

tunnel logging show <tunnel>

where <tunnel> is the name of a dynamic or static tunnel. To specify a dynamic tunnel, enter the name in the form of <xpress-IP>:<device> where <xpress-IP> is the Xpress-IP address of the tunnel partner and <device> is main (built-in) or upper, lower, left, or right (LEM). For example: 172.21.19.10:main.

The default log size is 50 entries, but you can change the size to a value between 0 and 500 using the tunnel logging size command.

Examples:

To display a tunnel log for a tunnel named london:

tunnel logging show london

Tunnel london events at time 0002687.7485 (50/50)

001 [0002622.2949] Tunnel state transition ("Restarting")
002 [0002622.2949] Tunnel going to state: Initializing
003 [0002624.2951] Tunnel state transition ("Initializing")
004 [0002624.2951] Tunnel going to state: Resolving egress gateway
005 [0002624.2951] Tunnel state transition ("Resolving egress gateway")
006 [0002624.2951] Tunnel going to state: Resolving ingress gateway
007 [0002624.2951] Tunnel state transition ("Resolving ingress gateway")
008 [0002624.2951] Tunnel state transition ("Found Ingress gateway")
009 [0002624.2951] Tunnel state transition ("Found partner")
010 [0002624.2951] Tunnel going to state: Waiting for open reply
011 [0002661.6545] Changing "Firewall" from 1 to 0

Notes:

Tunnel logs are automatically created for all tunnels.

Once a log has reached its maximum size, older entries will be cleared to make way for newer log entries.

Log entries are cleared when the PacketShaper is reset and when you issue the tunnel logging clear command.

Each entry has a timestamp, such as [0002622.2949]. The timestamp is the system uptime in seconds and milliseconds.

For descriptions of common tunnel states, see Tunnel States.
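Because the log is a ring buffer keyed on uptime, a reviewer reading it wants three things: whether the buffer is already full (older history gone), which states the tunnel passed through, and which settings were changed and how long ago. The parser below is an added example, not PacketWise code; the sample output is the one printed above, re-typed as a constant, and the regular expressions are mine.

```python
"""Parse 'tunnel logging show' output and summarise it for review.

Added example, not PacketWise code. SAMPLE_LOG is the output shown in the
reference, re-typed here; the regular expressions are assumptions about the
format based on that sample. Timestamps are system uptime, so they are
comparable only within one boot of the unit and are reported as "seconds
ago" relative to the uptime printed in the header.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_LOG = """Tunnel london events at time 0002687.7485 (50/50)
001 [0002622.2949] Tunnel state transition ("Restarting")
002 [0002622.2949] Tunnel going to state: Initializing
003 [0002624.2951] Tunnel state transition ("Initializing")
004 [0002624.2951] Tunnel going to state: Resolving egress gateway
005 [0002624.2951] Tunnel state transition ("Resolving egress gateway")
006 [0002624.2951] Tunnel going to state: Resolving ingress gateway
007 [0002624.2951] Tunnel state transition ("Resolving ingress gateway")
008 [0002624.2951] Tunnel state transition ("Found Ingress gateway")
009 [0002624.2951] Tunnel state transition ("Found partner")
010 [0002624.2951] Tunnel going to state: Waiting for open reply
011 [0002661.6545] Changing "Firewall" from 1 to 0
"""

HEADER_RE = re.compile(r'^Tunnel (\S+) events at time (\d+\.\d+) \((\d+)/(\d+)\)')
ENTRY_RE = re.compile(r'^(\d{3}) \[(\d+\.\d+)\] (.*)$')
CHANGE_RE = re.compile(r'^Changing "([^"]+)" from (\S+) to (\S+)$')
STATE_RE = re.compile(r'^Tunnel going to state: (.+)$')


@dataclass
class Entry:
    seq: int
    uptime: float
    message: str
    setting: Optional[str] = None   # filled for 'Changing "X" from a to b'
    old: Optional[str] = None
    new: Optional[str] = None
    state: Optional[str] = None     # filled for 'Tunnel going to state: S'


@dataclass
class TunnelLog:
    tunnel: str
    now: float        # uptime when the log was printed
    used: int
    capacity: int
    entries: List[Entry] = field(default_factory=list)

    @property
    def full(self) -> bool:
        # At capacity the oldest entries have already been discarded.
        return self.used >= self.capacity


def parse_tunnel_log(text: str) -> TunnelLog:
    lines = [line for line in text.splitlines() if line.strip()]
    header = HEADER_RE.match(lines[0]) if lines else None
    if not header:
        raise ValueError("missing 'Tunnel <name> events at time ...' header")
    log = TunnelLog(header.group(1), float(header.group(2)),
                    int(header.group(3)), int(header.group(4)))
    for line in lines[1:]:
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        entry = Entry(int(m.group(1)), float(m.group(2)), m.group(3))
        change = CHANGE_RE.match(entry.message)
        if change:
            entry.setting, entry.old, entry.new = change.groups()
        state = STATE_RE.match(entry.message)
        if state:
            entry.state = state.group(1)
        log.entries.append(entry)
    return log


def setting_changes(log: TunnelLog) -> List[Tuple[str, str, str, float]]:
    """(setting, old, new, seconds before the log was printed) for each change."""
    return [(e.setting, e.old, e.new, round(log.now - e.uptime, 4))
            for e in log.entries if e.setting]


def states_visited(log: TunnelLog) -> List[str]:
    return [e.state for e in log.entries if e.state]


if __name__ == "__main__":
    parsed = parse_tunnel_log(SAMPLE_LOG)
    print(parsed.tunnel, "full" if parsed.full else "not full", states_visited(parsed))
    print(setting_changes(parsed))
```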


tunnel logging size

Change the number of entries recorded in a tunnel's log. The default log size is 50 entries; valid size values are 0-500.

tunnel logging size <tunnel> <size>

where <tunnel> is the name of a dynamic or static tunnel. To specify a dynamic tunnel, enter the name in the form of <xpress-IP>:<device> where <xpress-IP> is the Xpress-IP address of the tunnel partner and <device> is main (built-in) or upper, lower, left, or right (LEM). For example: 172.21.19.10:main.

Example:

To increase the log size for a tunnel named london to 100 entries:

tunnel logging size london 100


tunnel mode set

Set the type of tunnel infrastructure that Xpress will support on the PacketShaper: legacy, migration, enhanced. This command is available regardless of which mode the unit is in.

tunnel mode set legacy|migration [<ratio>]|enhanced|default

Where:

legacy

Uses the PacketWise v6.x/7.x tunnel infrastructure. In legacy mode, the commands and capabilities are limited to those that were available in PacketWise 7.x. A tunnel's sole capability is to transport compressed data. Packing capability is available via a system variable.

migration [<ratio>]

Supports both types of tunnels: legacy and enhanced. Use this mode when migrating from earlier versions of PacketWise. By default, 50 percent of compression memory is allocated to legacy compression tunnels and 50 percent is assigned to enhanced Xpress tunnels. To change the percentage of compression memory assigned to legacy Xpress, specify a <ratio> (20-80). For example, a <ratio> of 30 would allocate 30 percent to legacy, 70 percent to enhanced.

enhanced

Uses the new 8.x tunnel infrastructure. In enhanced mode, a tunnel serves multiple purposes and can include one or more of the following: compression, acceleration, and packing.

default Sets tunnel mode and memory ratio to default values

The new tunnel mode will not take effect until you reset the PacketShaper. After issuing the command, you will be asked if you want to reset immediately. If you decline, you will need to issue the reset command at a convenient time in order to activate the new tunnel mode.

The default mode for new installations is enhanced mode. The default mode for units that have upgraded to 8.x depends on whether watch mode was enabled before the upgrade. If watch mode was enabled in 7.x, the unit will be in legacy mode after the upgrade. (This is because watch mode only operates in legacy mode.) If this feature was not enabled in 7.x, the unit will be in migration mode after the upgrade.

tunnel mode show

Xpress tunnels are running in enhanced mode.

Notes:

Another way to change the mode is to use the setup compression mode set command.

Migration mode has special considerations. See Information about Migration Mode for details.

See also:

tunnel mode show

setup compression mode set


tunnel mode show

Display the current setting for Xpress tunnel mode.

tunnel mode show

The default mode for new installations is enhanced mode. The default for units that have upgraded to 8.x is migration mode.

Example

tunnel mode show

Xpress tunnels are configured to run in migration mode.
50% of compression memory is assigned to legacy mode.
The remaining 50% is assigned to enhanced mode.

See also:

tunnel mode set

setup compression mode show


tunnel mtu

Set the Maximum Transmission Unit (MTU) used for packing and acceleration. When packing is enabled via the tunnel packing command, packets are combined into a single "super packet" before being sent through the Xpress tunnel; the MTU defines the maximum size of the super packet. The MTU can be set globally or for an individual tunnel. MTU is the largest datagram that can be transmitted by an IP interface (without it needing to be broken down into smaller units).

tunnel mtu auto|<mtu>|default

tunnel mtu <tunnel> <mtu>|default

auto | <mtu> | default

Set the global MTU.

auto lets the system set the MTU automatically.

<mtu> is the MTU size in bytes. Valid MTU values are 100-1500; the default is 1500.

default removes the local setting so that the unit inherits the MTU setting of the parent configuration. If the parent configuration doesn't have an MTU setting, the local setting will be cleared so that the unit can inherit any future MTU value that is set.

<tunnel> <mtu> | default

Set the MTU for a static Xpress <tunnel>.

<mtu> is the MTU size in bytes. Valid MTU values are 100-1500; the default is 1500.

default sets a tunnel's MTU to the global MTU setting.

Examples:

To change the global MTU for all tunnels:

tunnel mtu 1450

To change the MTU of a tunnel named tunnel2:

tunnel mtu tunnel2 1440

To have the system select an appropriate MTU for all tunnels:

tunnel mtu auto


tunnel new

Manually add an Xpress tunnel. This tunnel is static, as opposed to the dynamic tunnels that are created automatically, either through auto-discovery or creation by a tunnel partner. (When a static tunnel is created by one PacketShaper, it appears as a dynamic tunnel on the partner PacketShaper.)

tunnel new <device> <ipaddress> <tunnel> [<options>...]

Where:

<device>

PacketShaper device to configure on the local unit:

main — built-in interface
upper — upper LAN Expansion Module (LEM)
lower — lower LEM
left — left LEM
right — right LEM

<ipaddress> Xpress-IP address of the partner PacketShaper, or in the case of SkyX tunnels, the IP address of the SkyX device

<tunnel>

Descriptive name to be assigned to the tunnel; the name can be up to 24 characters long and may include alphanumeric characters and the following special characters: . - _ : @ # $ % = + [ ] { } Spaces are not allowed.

The following names are reserved for other uses and are prohibited as tunnel names: acceleration, all, class, compression, default, delete, dictionary, diffserv, discovery, faststart, firewall, force, global, high, holdtime, host, information, ip, local, logging, low, mem, mtu, new, normal, off, on, packing, partner, password, ping, prefetch, priority, remote, remove, scps, service, show, state, static, xtpping, undefined.

Note: Tunnels cannot be renamed so choose your name carefully. If you later decide that you want to rename a tunnel, you'll need to remove it and create a new one.

<options>

If you want the tunnel to have special parameters different from the default settings, specify any of the following tunnel settings while creating the tunnel:

acceleration off | default — Disable acceleration for the tunnel or use the global setting for acceleration.

compression off | default — Disable compression for the tunnel or use the global compression setting.

diffserv on | off | default — Enable/disable Diffserv (Differentiated Services) mode for a specific tunnel. Diffserv mode should be enabled when using compression or packing on a Diffserv network.

discovery off | default — Disable automatic host discovery for the tunnel or use the global discovery setting. When the discovery option is disabled, Xpress will not automatically discover hosts for the tunnel; you must add the hosts manually with the tunnel local add and tunnel remote add commands.

firewall on | off | default — Enable/disable firewall support for the tunnel. If the PacketShaper will be sending or receiving tunneled traffic through a firewall, this setting must be enabled.

mtu <mtu> — Set the Maximum Transmission Unit (MTU) used for packing. The MTU defines the maximum size of the super packet. (100-1500 bytes)

packing off | default — Disable packet packing for the tunnel or use the global packing setting. When packing is enabled, multiple packets are combined into a single super packet before being sent through the Xpress tunnel. Packing saves on overhead and improves compression rates (if compression is enabled) because less data is being sent out on the wire.

skyx on | off — When skyx is enabled, the Xpress unit will be able to create an acceleration tunnel with a SkyX device.


Notes:

Make sure that "accept-all-xtp" mode is enabled on the SkyX device. If necessary, use the skyx set accept-all-xtp on command to enable this mode.

The only other <options> that are applicable to SkyX tunnels are acceleration, compression, and mtu.

The SkyX option is intended for accelerating flows between a PacketShaper unit and a SkyX device. Although Xpress allows you to create a SkyX tunnel between two PacketShapers, it's not supported or recommended, nor does it serve any useful purpose.

verbose on | off — When verbose is enabled, messages are displayed as the tunnel is being established; this is useful for troubleshooting tunnel setup problems.

It is only necessary to statically configure a tunnel on one side of the link. The tunnel creation process will provide the partner with the various configuration parameters for the tunnel so that it can be handled the same way in both directions.


tunnel packing

Enable/disable packet packing globally or for a static compression tunnel. When packing is enabled, multiple packets are combined into a single super packet before being sent through the compression tunnel. Since fewer packets are sent, packing saves on overhead introduced by packet headers. Note that packing is a feature of the Xpress compression key.

tunnel packing on|off|{<tunnel> off|default}

where <tunnel> is the name of a static tunnel. For a static tunnel, you can either disable packing (off) or specify that it use the global packing setting (default). You cannot enable packing for a tunnel if packing is globally disabled.

Packing is disabled by default. When this setting is enabled globally, packing will automatically be enabled on new compression tunnels unless otherwise specified. Those services that can benefit from packing are pre-marked as packing capable, and traffic in those services will automatically be packed as soon as packing is enabled globally.

Examples:

To turn on packing for all compression tunnels (except for those tunnels that have disabled packing):

tunnel packing on

To disable packing for a tunnel named LA:

tunnel packing LA off

Notes:

The maximum size of the super packet is determined by the MTU. See tunnel mtu.

In addition to turning packing on and off on a per-tunnel basis, you can enable/disable packing on a per-service and a per-class basis. See tunnel class set packing and tunnel service set packing.

Because different types of traffic can tolerate different amounts of latency, controls are available to fine-tune the length of time the super packet is held to wait for additional packets to be packed into it. See tunnel class set holdtime and tunnel service set holdtime.

Due to the inherent delay in the process of combining packets, packing will increase network latency. On very busy links, packing doesn't cause much latency because the packets are bundled and sent off quickly. On less active links, Xpress may have to wait to get enough packets in a bundle, possibly creating application performance problems. If you are experiencing latency, try lowering the packing hold time or disabling packing altogether.

Packing is most efficient and effective when dealing with small packets or packets that can be reduced in size withcompression.


tunnel password

For security purposes, you should configure a community password for Xpress tunnels. This authentication mechanism is used to determine whether tunnel partners can be "trusted" for purposes of receiving host updates. When partners of an established tunnel have matching passwords, the tunnels will be in secure mode and will exchange host updates.

tunnel password [<password>|default]

where

<password> Sets the tunnel password for the PacketShaper. Passwords can be up to nine characters long and are case sensitive. They can consist of a combination of letters, numbers, and all special characters.

default Clears the password

If you type tunnel password without specifying a password, you will be prompted to enter the password. If you press Enter without typing a password, the password will be cleared (as if the default option was used).

You will be prompted to type a new password and retype the password to confirm. For example:

tunnel password

For security reasons, a tunnel partner password can be defined. If set, this will restrict tunnel partners to units that share the same password.

Set the new tunnel password:
Confirm the new password:

The new tunnel partner password has been set.

Notes:

After a new tunnel password is set, any existing tunnels will be reset (closed). Static tunnels will re-initialize themselves and come back up. Dynamic tunnels will re-establish themselves according to the normal process (for example, a tunnel will automatically form when flows are destined for hosts on the other side of a PacketShaper).

If you forget the tunnel password, you can assign a new password without having to know the old one. Or, to display the currently configured password, use the tunnel summary -pw command in touch mode.

If passwords are not configured on partner PacketShapers and discovery is off, a tunnel will form, but no data will be sent in the tunnel (that is, data will not be compressed, packed, or accelerated), unless remote hosts have been statically configured.

When discovery is on, but passwords aren't configured or don't match the partner, a tunnel will form, remote host discovery will work, and data will be sent through the tunnel (that is, data will be compressed, packed, and/or accelerated). However, when passwords aren't correctly configured, local host discovery does not operate and statically configured local hosts are ignored. While tunnel features still work, host discovery is not as fast and efficient. In this situation, the tunnel is not operating in secure mode. To check whether a tunnel is in secure mode, use the tunnel show <tunnel> command; if the output shows Secure Mode: Yes, the tunnel is in secure mode and can exchange host updates with the partner.

If passwords are not configured on partner units and the unit is in migration mode, only remote static hosts are used (remote hosts are not dynamically discovered).

The tunnel password is included in the output of the setup capture command.

In PolicyCenter, the tunnel password is an inheritable attribute.


tunnel ping

Test connectivity of an Xpress tunnel or a partner PacketShaper to determine the tunneling capability between two units. This command is useful for troubleshooting tunnel setup problems. The ping command tests that the partner understands enhanced Xpress mode and has it enabled.

tunnel ping <tunnel> | {<device> <target ip-address>} [<pingsize> <count>]

<tunnel> Name of the static or dynamic tunnel for which you want to test connectivity.

To specify a dynamic tunnel, enter the name in the form of <xpress-IP>:<device> where <xpress-IP> is the Xpress-IP address of the tunnel partner and <device> is main (built-in) or upper, lower, left, or right (LEM). For example: 172.21.19.10:main.

<device> Interface on the local unit from which connectivity is to be tested. <device> is one of the following:

main — built-in interface
upper — upper LAN Expansion Module (LEM)
lower — lower LEM
left — left LEM
right — right LEM

<target ip-address> The Xpress-IP address of an interface (main, upper LEM, lower LEM, left LEM, right LEM) on the partner PacketShaper

Note: Each interface on a PacketShaper has a unique Xpress-IP address.

<ping size> Packet size in bytes (50-1500). The default packet size is 32 bytes.

<count> Number of pings to transmit (1-30). The default count is 1.

Ping Messages

The ping output indicates the round trip time in milliseconds of each packet sent, as well as summary statistics of the number of transmitted packets, the number of received packets, and a calculation of the percentage of packet loss.

After issuing the ping command, you will see one of the following messages:

Sample Message / Description

1 packets transmitted, 1 packets received, 0% packet loss
    Successful ping attempt: Xpress was able to connect to the specified tunnel/partner

5 packets transmitted, 0 packets received, 100% packet loss
    Unsuccessful ping attempt: Xpress was not able to connect to the specified tunnel/partner

20 packets transmitted, 18 packets received, 10% packet loss
    Partially successful attempt: Xpress was able to connect to the specified tunnel/partner but some packets were lost

Failed to find a tunnel named x
    Tunnel name is invalid or doesn't exist; you either typed the tunnel name incorrectly or the tunnel isn't up. Use the tunnel show command to see a list of valid tunnel names and states.

Invalid device name
    Device name is invalid or doesn't exist; you either typed the device name incorrectly or the unit doesn't have the device installed

Operation not permitted. IP address is a local XIP address.
    <target ip-address> entered was on the local unit. It should be the IP address of the partner unit.

Examples:

tunnel ping london

32 bytes from 172.21.18.161, seq=0, time=10 ms

--- 172.21.18.161 tunnel ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss

tunnel ping 172.31.4.85:main 1000 5

1000 bytes from 172.31.4.85, seq=0, time=2 ms
1000 bytes from 172.31.4.85, seq=1, time=5 ms
1000 bytes from 172.31.4.85, seq=2, time=1 ms
1000 bytes from 172.31.4.85, seq=4, time=2 ms

--- 172.31.4.85 tunnel ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss

Notes:

If the local PacketShaper isn't able to get a response from the partner, try pinging the IP address using the standard ping command. If this ping request is successful, there are two possible explanations. (1) The address is not an XIP address. (2) The PacketShaper associated with the XIP is not running PacketWise v8.x. (Only PacketShapers running v8.x respond to the tunnel ping command.)

If a PacketShaper running v8.1.1 or higher pings a PacketShaper running v8.0.x or v8.1.0 and a <pingsize> is specified, the response will always come back as 32 bytes, as opposed to the actual size specified. However, the fact that the 8.0.x or 8.1.0 PacketShaper responded means the ping was received. This happens because the previous versions didn't have the <pingsize> parameter.

The tunnel xtpping command is similar to the tunnel ping command, but the difference is that a tunnel xtpping sends XTP packets while a tunnel ping sends ICOMP (protocol 99) packets. The tunnel xtpping command is useful for diagnosing any acceleration-related difficulties, especially with routing and/or firewalls. The tunnel ping command is useful for general tunnel troubleshooting.

Command Change History

Release   Modification
8.1.1     [<ping size> <count>] parameters introduced
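When tunnel reachability is checked from a monitoring script rather than by hand, the tunnel ping output above has to be read programmatically. The following Python parser is an added example and is not PacketWise code or part of this guide. It classifies a result using the messages documented in this section (success, partial loss, failure, or one of the error messages), recovers the per-probe round-trip times, and works out which sequence numbers never came back. The embedded sample output is constructed after the examples in this section, and the function names (parse_tunnel_ping, needs_attention, max_rtt_ms) are choices made here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the "tunnel ping 172.31.4.85:main 1000 5" example above.
SAMPLE_PING_OUTPUT = """\
1000 bytes from 172.31.4.85, seq=0, time=2 ms
1000 bytes from 172.31.4.85, seq=1, time=5 ms
1000 bytes from 172.31.4.85, seq=2, time=1 ms
1000 bytes from 172.31.4.85, seq=4, time=2 ms

--- 172.31.4.85 tunnel ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
"""

# One reply line per probe, then a single statistics line.
REPLY_RE = re.compile(r"^(\d+) bytes from (\S+), seq=(\d+), time=(\d+) ms$")
STATS_RE = re.compile(r"^(\d+) packets transmitted, (\d+) packets received, (\d+)% packet loss$")
# Error messages documented in the Ping Messages table of this section.
ERROR_PREFIXES = ("Failed to find a tunnel named", "Invalid device name", "Operation not permitted")


@dataclass
class PingResult:
    status: str            # "success", "partial", "failed" or "error"
    transmitted: int
    received: int
    loss_pct: int
    rtts_ms: List[int]     # round-trip time of each reply, in reply order
    missing_seqs: List[int]  # probe sequence numbers with no reply line
    error: Optional[str] = None


def parse_tunnel_ping(output: str) -> PingResult:
    """Classify one tunnel ping run from its console output."""
    rtts: List[int] = []
    seqs: List[int] = []
    transmitted = received = loss = 0
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(ERROR_PREFIXES):
            return PingResult("error", 0, 0, 100, [], [], error=line)
        m = REPLY_RE.match(line)
        if m:
            seqs.append(int(m.group(3)))
            rtts.append(int(m.group(4)))
            continue
        m = STATS_RE.match(line)
        if m:
            transmitted, received, loss = (int(g) for g in m.groups())
    if transmitted == 0:
        return PingResult("error", 0, 0, 100, rtts, [], error="no statistics line found")
    # Probes are numbered 0..transmitted-1; any gap in the replies is a lost probe.
    missing = sorted(set(range(transmitted)) - set(seqs))
    if received == 0:
        status = "failed"
    elif received < transmitted:
        status = "partial"
    else:
        status = "success"
    return PingResult(status, transmitted, received, loss, rtts, missing)


def max_rtt_ms(result: PingResult) -> int:
    return max(result.rtts_ms) if result.rtts_ms else 0


def needs_attention(result: PingResult, max_loss_pct: int = 0) -> bool:
    """Monitoring hook: any error, or loss above the tolerated percentage, warrants a look."""
    return result.status == "error" or result.loss_pct > max_loss_pct


if __name__ == "__main__":
    r = parse_tunnel_ping(SAMPLE_PING_OUTPUT)
    print(r.status, f"{r.loss_pct}% loss", "lost seq:", r.missing_seqs, "max rtt:", max_rtt_ms(r))
```

Because the statistics line and the reply lines are matched independently, the parser also copes with output where a <pingsize> was given but an older partner answered with 32-byte replies, as the note above describes; only the sequence numbers and times are used.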

tunnel remote add

Add remote hosts to a static Xpress tunnel or SkyX tunnel. To expedite the population of hosts on a tunnel, you can use this command to configure the subnets, host ranges, and individual hosts that can receive traffic through the tunnel. In addition, if the unit is in migration mode, this command must be used to define hosts for enhanced tunnels. This command is also useful for specifying multicast compression hosts since only unicast hosts are autodiscovered.

tunnel remote add <tunnel> <host>|<range>|<subnet>/<cidr>|list:<hostlist>

<tunnel> Name of the static Xpress tunnel or SkyX tunnel

<host> Host IP address

<range> Range of IP addresses

To specify a range, use a dash — with no spaces — between the low and high address in the range (for example, 192.168.1.100-192.168.1.200).

<subnet>/<cidr> The address of the subnet; the CIDR number specifies the number of constant bits in the address range (for example, 10.0.0.0/8)

list:<hostlist> The name of a host list created with the hl new command

Notes:

You cannot use a host list that contains domain names.

If you change the contents of a host list after you have added it to the tunnel's remote list, you will need to add it again; the remote list doesn't automatically update when the host list changes.

Examples:

tunnel remote add tunnel3 192.168.0.0-192.168.10.100

Multiple hosts can be added at once, for example:

tunnel remote add tun1 10.0.0.0/8 192.168.0.0-192.168.0.60 192.168.10.12

Notes:

If you want to specify the entire Internet as remote to a tunnel, specify the range 0.0.0.0-255.255.255.255 on the edge PacketShaper. You will also need to disable the tnlRemoteRsvpDiscovery system variable. See setup variable.

The list of eligible remote hosts is communicated to tunnel partners at the time the tunnel is established and is updated as the list changes.

The list is saved in the unit's configuration and will be re-applied after a system restart. (Note: Dynamic hosts are not saved.)

Each time you issue the tunnel remote add command for a tunnel, the hosts will be added to the current list of remote hosts for that tunnel. In other words, you do not need to respecify hosts you've already added.

Use the tunnel remote show command to see the remote hosts that are associated with a tunnel.

Use the tunnel remote delete command to remove remote hosts.

Do not add PacketShaper management IP addresses to the remote host list.

tunnel remote delete

Remove a remote host that was added to a static Xpress tunnel.

tunnel remote delete <tunnel> all|<host>|<range>|<subnet>/<cidr>

<tunnel> Name of the static Xpress tunnel

<host> Host IP address

<range> Range of IP addresses

To specify a range, use a dash — with no spaces — between the low and high address in the range (for example, 192.168.1.100-192.168.1.200).

<subnet>/<cidr> The address of the subnet; the CIDR number specifies the number of constant bits in the address range (for example, 10.0.0.0/8)

Examples:

tunnel remote delete tunnel2 192.168.0.0-192.168.0.100

Multiple hosts can be removed at once, for example:

tunnel remote delete tun1 10.0.0.0/8 192.168.0.0-192.168.0.60 192.168.10.12

Or, to remove all static remote hosts from a tunnel:

tunnel remote delete tun1 all

Notes:

The hosts and ranges removed must exactly match the way they were configured. For example, if you added 10.0.0.0/8 as static remote hosts, then that is how it must be specified when removed. Using the same example, you cannot remove the specific host 10.1.2.3 if the range originally added was 10.0.0.0/8. Use the tunnel remote show command to see the list of remote static hosts.

The tunnel remote delete command removes static hosts that were added with the tunnel remote add command. It does not remove dynamic hosts that were discovered on a tunnel. To remove dynamic hosts, use the tunnel remote flush command.

See also:

tunnel remote add

tunnel remote show

tunnel remote export

Export a tunnel's list of remote static hosts to a named host list. This command converts the existing list attached to a tunnel to a host list; once done, the host list can be transferred to other PacketShapers or modified with the hl add command and re-imported with the tunnel remote add command.

tunnel remote export <tunnel> list:<hostlist>

<tunnel> Name of the static Xpress tunnel

list:<hostlist> Descriptive name for the host list (up to 127 characters; the slash (/) and backslash (\) characters may not be used). If the host list name already exists, the hosts will be appended to the contents of the existing list.

Before exporting, you may want to view a list of a tunnel's remote hosts; use the tunnel remote show command. After exporting, use the hl show command to view the contents of the host list. Note that the lists may look different because Xpress will consolidate adjacent IP addresses into ranges during the export process.

If the host list name you specify already exists, you will be notified that the exported hosts will be appended to the existing list. You are given the option of canceling the command if you don't want to do this.

Example:

tunnel remote export tunnel4 list:tunnellist4

Exporting static list:
  exporting 172.21.18.16
  exporting 172.21.20.17
  exporting 172.21.22.10
  exporting 192.168.0.12-192.168.13.99

Exported 4 entries to hostlist tunnellist4.
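The three host forms accepted by tunnel remote add and tunnel remote delete, the exact-match rule for deletion described under tunnel remote delete, and the consolidation of adjacent addresses into ranges that tunnel remote export performs can be modelled to validate a host list before it is applied to a unit. The Python below is an added example, not PacketWise code: StaticRemoteList, parse_host_spec and consolidate are names chosen here, the management-address check models the note under tunnel remote add ("Do not add PacketShaper management IP addresses to the remote host list"), and all addresses in it are constructed.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

Range = Tuple[int, int]  # inclusive (low, high) IPv4 addresses as integers


def parse_host_spec(spec: str) -> Range:
    """Parse a single host, a low-high range (dash, no spaces) or <subnet>/<cidr>.
    Anything else, including a domain name, raises ValueError (host lists with
    domain names are not accepted by tunnel remote add either)."""
    if "-" in spec:
        low, high = spec.split("-", 1)
        lo, hi = int(ipaddress.IPv4Address(low)), int(ipaddress.IPv4Address(high))
        if lo > hi:
            raise ValueError(f"low address above high address in range: {spec}")
        return lo, hi
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    addr = int(ipaddress.IPv4Address(spec))
    return addr, addr


def format_range(r: Range) -> str:
    lo, hi = r
    if lo == hi:
        return str(ipaddress.IPv4Address(lo))
    return f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}"


def consolidate(ranges: Iterable[Range]) -> List[Range]:
    """Merge overlapping and adjacent ranges into the fewest ranges, mirroring how
    the export consolidates adjacent IP addresses into ranges."""
    merged: List[Range] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


class StaticRemoteList:
    """Model of one tunnel's static remote list. Entries are keyed by the spec string
    exactly as configured, because tunnel remote delete only accepts a spec in the
    form it was added (a host inside an added /8 cannot be removed on its own)."""

    def __init__(self, management_ips: Iterable[str] = ()):
        self.entries: Dict[str, Range] = {}
        # Management addresses of the local unit; constructed values in the test below.
        self.management: Set[int] = {int(ipaddress.IPv4Address(ip)) for ip in management_ips}

    def add(self, *specs: str) -> None:
        parsed = {s: parse_host_spec(s) for s in specs}  # validate everything before applying
        for s, (lo, hi) in parsed.items():
            if lo == hi and lo in self.management:
                raise ValueError(f"{s} is a PacketShaper management address")
        self.entries.update(parsed)

    def delete(self, spec: str) -> bool:
        if spec == "all":
            self.entries.clear()
            return True
        if spec not in self.entries:  # no exact match: nothing is removed
            return False
        del self.entries[spec]
        return True

    def covers(self, host: str) -> bool:
        a = int(ipaddress.IPv4Address(host))
        return any(lo <= a <= hi for lo, hi in self.entries.values())

    def covered_management_ips(self) -> List[str]:
        """Audit helper: management addresses that fall inside a configured range."""
        return sorted(str(ipaddress.IPv4Address(m)) for m in self.management
                      if any(lo <= m <= hi for lo, hi in self.entries.values()))

    def export(self) -> List[str]:
        """Host-list view of the static entries, consolidated like tunnel remote export."""
        return [format_range(r) for r in consolidate(self.entries.values())]


if __name__ == "__main__":
    lst = StaticRemoteList(management_ips=["172.21.18.165"])
    lst.add("10.0.0.0/8", "192.168.0.0-192.168.0.60", "192.168.10.12")
    print(lst.export(), lst.delete("10.1.2.3"), lst.delete("10.0.0.0/8"))
```

Single-host specs that equal a management address are refused outright, while covering ranges are only reported by covered_management_ips, since the note under tunnel remote add shows that broad ranges such as 0.0.0.0-255.255.255.255 are a legitimate configuration on an edge unit.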

tunnel remote flush

Clear dynamic hosts associated with a tunnel. These hosts are auto-discovered by Xpress, not manually added with the tunnel remote add command. You can flush an individual host or a range of hosts. If you move your PacketShaper and/or hosts on your network, you can use the flush command to flush the hosts that were previously discovered.

tunnel remote flush all[sync]|{<tunnel> <host>|<range>|<subnet>/<cidr>}

all Clears dynamic hosts discovered on all tunnels

sync Tunnel endpoints will synchronize dynamic remote hosts by re-exchanging their local host lists

<tunnel> Name of the static or dynamic Xpress tunnel.

<tunnel> all Clears dynamic hosts discovered on a specific tunnel

<host> Host IP address

<range> Range of IP addresses

To specify a range, use a dash — with no spaces — between the low and high address in the range (for example, 192.168.1.100-192.168.1.200).

<subnet>/<cidr> The address of the subnet; the CIDR number specifies the number of constant bits in the address range (for example, 10.0.0.0/8)

To see the list of auto-discovered hosts for a tunnel, use the tunnel remote show <tunnel> command.

Example:

To clear a range of dynamic hosts discovered on a tunnel (LA):

tunnel remote flush LA 192.113.0.0-192.113.0.100

To clear all dynamic hosts discovered on a tunnel (LA):

tunnel remote flush LA all

To clear all dynamic hosts discovered on all tunnels:

tunnel remote flush all

See also:

tunnel remote delete

tunnel remote show

Command Change History

Release   Modification
8.2.3     Hosts can be cleared from dynamic or static tunnels; previously, hosts could be cleared from static tunnels only.

tunnel remote show

View a list of remote hosts that were dynamically discovered on a tunnel or manually added with the tunnel remote add command. You can also use this command to check which tunnel a particular host is using.

tunnel remote show {<host> [<device>]}|{<tunnel> [<host>|<subnet>/<cidr>|<subnet> <mask>|<range>] [-n <number>] [-f <file>]}

<host> IP address of the host

<device> Device on the PacketShaper:

main — built-in interface
upper — upper LAN Expansion Module (LEM)
lower — lower LEM
right — right LEM
left — left LEM

<tunnel> Name of the static or dynamic tunnel for which you want to show hosts

To specify a dynamic tunnel, enter the name in the form of <xpress-IP>:<device> where <xpress-IP> is the Xpress-IP address of the tunnel partner and <device> is main, upper, lower, right, or left. For example: 172.21.19.10:main

<subnet>/<cidr> Lists the remote hosts in the specified subnet; the CIDR number specifies the number of constant bits in the address range

Example: 192.168.1.0/24

<subnet> <mask> Lists the remote hosts for the designated subnet and mask

Example: 128.10.1.0 255.255.255.0

<range> Lists the remote hosts in the specified IP address range

Example: 172.21.18.160-172.21.18.190

-n <number> Limits the number of host entries displayed. For example, if 10 is the <number>, 10 static host entries and 10 dynamic hosts are displayed.

-f <file> Saves output to a file named <file>. The filename must be in 8.3 format (for example, hostfile.txt). The file is created in the current directory unless you specify a different path. It may be useful to output the list to a file and then open the file in a text editor to review and search.

Examples:

tunnel remote show tunnel3

Remote hosts for tunnel "tunnel3":
  Static list:
    <none>
  Dynamic list:
    192.168.92.80
    192.168.93.1
    192.168.93.254
Addresses or ranges in the static list of remote hosts: 0.
Addresses or ranges in the dynamic list of remote hosts: 3.

tunnel remote show 172.21.16.2

Host 172.21.16.2 is using tunnel t72.

Command Change History

Release   Modification
8.3.1     New parameters added: <subnet>/<cidr>, <subnet> <mask>, <range>, -n <number>, -f <file>.
          Maximum number of hosts displayed on the console increased to 1000.
8.2.0     To avoid the display of excessively long host lists, only the first 100 host entries are listed under Static list and Dynamic list in the tunnel remote show output. If there are more than 100 host entries, a message will display indicating that there are too many entries to display.

See also:

tunnel remote add

tunnel remote delete

tunnel service default

Restore default compression and packing settings for one or all services.

tunnel service default <service>|all

where <service> is the name of the service. To see a list of valid service names, use the class services command.

This command will clear the overrides that were set with the following commands:

tunnel service set packing

tunnel service set holdtime

tunnel service set algorithm

tunnel service set compression

To clear compression and packing override settings for all services:

tunnel service default all

To clear the settings for the http service:

tunnel service default http

tunnel service set algorithm

Override the compression settings for a service: algorithm, group ID, and dictionary size.

tunnel service set algorithm <service>|all <algorithm> [<groupID>] [<size>]

<service>

Name of the service. To see a list of valid service names, use the tunnel service show command.

A <service> can be a non-aggregate service only. For example, <service> can be FTP-Cmd-Clear, FTP-Data-Clear, FTP-Cmd-Secure, or FTP-Data-Secure, but it cannot be the aggregate service name FTP.

<algorithm>

Particular method used to shrink the size of transferred traffic, for example, ICNA, CNA, or PRED2. The default algorithm is CNA. To see a list of algorithms, use the tunnel compression show command.

Note: Algorithm overrides do not apply to accelerated connections. Accelerated, compressed traffic always uses the RETD algorithm in Xpress tunnels and the DEFLATE algorithm in SkyX tunnels.

<groupID>

An identifying number (0-255) assigned to a particular class. The default group ID is 0.

When you assign an ID, a compressor will be created specifically for this class to use. By giving a class its own compressor, you can potentially improve compression results. However, these additional compressors consume extra compression memory, so be sure to assign IDs only to your most critical and/or active classes. If you have classes with data patterns similar to a class that has its own compressor, you may want to share the compressor with these other classes; you can do this by assigning the similar classes the same <groupID> and <algorithm>.

<size>

Dictionary size specified as bytes. Optionally, you can enter a k (kilobyte) or m (megabyte) after the integer. For example, enter 2m for 2 megabytes or 512k for 512 kilobytes.

The default size is 1 MB.

If there isn't enough RAM available for the <size> you specify, Xpress will select a size that will work with the available memory.

Use the tunnel service show command to see the services for which a compression algorithm has been specified.

Example:

tunnel service set algorithm CitrixIMA-svr icna 2

Notes:

Group IDs and dictionary sizes aren't applicable to stateless algorithms (such as RETD).

If you assign two services the same algorithm, the same group ID, but different dictionary sizes, both services will use the same dictionary size. In other words, one of the services will not use the dictionary size you specified. (The override that is created first will be the one that is used for both services.)

If a unit is assigned to a PolicyCenter configuration with a compression dictionary that the unit cannot support, the unit will substitute a smaller compression dictionary of the same type. For example, if a 1700 series unit is assigned to a PolicyCenter configuration configured with a CNA-32M dictionary, the unit will use the largest CNA dictionary supported, in this case, CNA-16M. If the unit does not have the assigned compression plug-in, it will use its currently configured compression dictionary.

See also:

Compression Algorithms and Compressors

Command Change History

Release   Modification
8.1.1     all option introduced

tunnel service set compression

Enable/disable compression for a service. This command allows you to experiment with compression on a service basis and can be used for fine tuning Xpress.

tunnel service set compression <service>|all on|off

where <service> is the name of the service. To see a list of valid service names, use the tunnel service show command. A <service> can be a non-aggregate service only. For example, <service> can be SkypeCommand or SkypeData, but it cannot be the aggregate service name Skype.

Notes:

If compression is disabled for a tunnel, you can still enable compression for a service but it won't take effect until compression is enabled for the tunnel.

Use the tunnel service show command to see the service compression settings.

The all option can be useful for troubleshooting compression problems: turn compression off for all services and then you can just turn it on for specific services.

Be aware that a number of services aren't compressible, so if you turn on compression for all services, Xpress will waste resources trying to compress traffic that is uncompressible. If you have turned compression off for all services and want to reverse this change, it would be best to return the compression settings back to their default (tunnel service default) rather than turn compression on for all services (tunnel service set compression all on).

Command Change History

Release   Modification
8.1.1     all option introduced

tunnel service set holdtime

For a specific service type, set the time to wait for packets before they are packed and sent through an Xpress tunnel. You can either specify the amount of time to wait in milliseconds or indicate the latency tolerance of traffic in the service (pack-n-go, sensitive, or nonsensitive).

tunnel service set holdtime <service>|all <milliseconds>|pack-n-go|sensitive|nonsensitive

where <service> is the name of the service. To see a list of valid service names, use the class services command. A <service> can be a non-aggregate service only. For example, <service> can be Citrix-ICA or Citrix-SB, but it cannot be the aggregate service name Citrix.

You can either specify a wait time in milliseconds or choose one of the following categories:

Setting: pack-n-go
  Description: Traffic that can take advantage of the benefits offered by packing, but cannot tolerate any delay; sets the wait time to 0 ms. If a super packet doesn't already exist, a pack-n-go packet will be sent through the tunnel immediately. If a super packet already exists and is waiting for more packets, the pack-n-go packet will be packed into the super packet and sent immediately.
  Examples: no services are set to pack-n-go by default

Setting: sensitive
  Description: Traffic that is sensitive to delay; sets the wait time to the value associated with the sensitive category (1 ms by default)
  Examples: Citrix-ICA, MPEG-Audio, MPEG-Video, SkypeData, Telnet-Clear, Vonage-RTP

Setting: nonsensitive
  Description: Traffic that can handle some latency; sets the wait time to the value associated with the nonsensitive category (10 ms by default)
  Examples: FTP-Data-Clear, FTP-Data-Secure, SMTP-Clear, SMTP-Secure, POP3-Clear, POP3-Secure

Many PacketWise services have a built-in holdtime default that is appropriate in most situations. The holdtime command allows you to fine tune the settings if you need to.

Examples:

To set the packing wait time to 20 ms for the http service:

tunnel service set holdtime http 20

To specify a packing wait time appropriate for latency-sensitive traffic, such as Skype data:

tunnel service set holdtime skypedata sensitive

Notes:

If packing is disabled for the service, you can still set the hold time but it won't take effect until packing is enabled.

Use the tunnel service show command to see the services for which a packing wait time has been pre-configured or user-defined.

To enable/disable packing for a service, use tunnel service set packing.

To change the value associated with a holdtime category, use the tunnel holdtime command. Note that the pack-n-go category is always set to 0 ms and cannot be changed.

Command Change History

Release   Modification
8.1.1     all option introduced

tunnel service set packing

Enable/disable packet packing for a specific service. When packing is enabled for a service, multiple packets are combined into a single super packet before being sent through the Xpress tunnel. Since fewer packets are sent, packing saves on overhead introduced by packet headers. However, packing increases latency so you might want to disable it for traffic that would be adversely affected by delay. Note that packing is a feature of the Xpress compression key.

tunnel service set packing <service>|all on|off

where <service> is the name of the service. To see a list of valid service names, use the tunnel service show command. A <service> can be a non-aggregate service only. For example, <service> can be Lotus-IM-CommC, Lotus-IM-CommS, Lotus-IM-MtgS, or Lotus-IM-SrvrEx, but it cannot be the aggregate service name Lotus-IM.

The services that can benefit from packing are pre-configured as packing capable, and traffic in those services will automatically be packed as soon as packing is enabled globally. Use the tunnel service show command to see the packing settings for each service.

Example:

To turn off packing for the SkypeData service:

tunnel service set packing skypedata off

Notes:

The maximum size of the super packet is determined by the MTU. See tunnel mtu.

You can also enable/disable packing on a per-class basis. See tunnel class set packing. Note that class packing settings override service settings.

Because different types of traffic can tolerate different amounts of latency, controls are available to fine tune the length of time the super packet is held to wait for additional packets to be packed into it. See tunnel service set holdtime.

On very busy links, packing doesn't cause much latency because the packets are bundled and sent off quickly. On less active links, Xpress may have to wait to get enough packets in a bundle, possibly creating application performance problems. If you are experiencing latency, try lowering the packing hold time or disabling packing altogether.

If packing is disabled for a tunnel, you can still enable packing for a service but it won't take effect until packing is enabled for the tunnel.

The all option can be useful for troubleshooting packing problems: turn packing off for all services and then you can just turn it on for specific services.

Command Change History

Release   Modification
8.1.1     all option introduced

tunnel service show

Display compression and packing settings for services.

tunnel service show [<service>|all|nondefault]

where <service> is the name of the service. To see a list of valid service names, use the class services command.

tunnel service show — lists all services that do not use the global settings for compression or packing, either because Xpress pre-defined them to have custom settings or because they were customized by a user. The per-service default settings are: packing enabled for the service, 10 ms hold time, compression enabled for the service, CNA algorithm, group 0, and 1 MB dictionary size. If the service is pre-configured to have a different setting (such as compression off or a nonsensitive packing timer setting) or the service was user-configured to have a different setting (such as with the tunnel service set algorithm command), it will be listed in the output of the tunnel service show command.

tunnel service show all — lists all services

tunnel service show nondefault — lists all services that the user has changed to a non-default setting with one of the tunnel service set commands: algorithm, compression, packing, and holdtime.

Examples:

tunnel service show

Service Name         Pack. Holdtime    Comp. Algo. Group Size Accel.
-------------------- ----- ----------- ----- ----- ----- ---- ------
Aimster-Data         No    *           No    *     *     *    *
Apple-iTunes         No    *           No    *     *     *    *
Ares                 No    *           No    *     *     *    *
AsheronsCall         *     1ms, sen.   *     *     *     *    *
Audiogalaxy          No    *           No    *     *     *    *
Battle.net           *     1ms, sen.   *     *     *     *    *
BGP                  No    *           No    *     *     *    *
BitTorrent           No    *           No    *     *     *    *
Blubster             No    *           No    *     *     *    *
BulkDataXfer         No    *           No    *     *     *    *

The * means that the setting uses the default value.

If you specify a <service>, the command output will show all services that contain the characters you type (regardless of where they appear in the service name). For example, if you type http for <service>, you will see a list of all services that have HTTP in the name.

tunnel service show http

Service Name         Pack. Holdtime    Comp. Algo. Group Size Accel.
-------------------- ----- ----------- ----- ----- ----- ---- ------
EarthV-HTTP          *     *           *     *     *     *    *
HTTP                 *     *           *     *     *     *    *
HTTP-Tunnel          *     *           *     *     *     *    *
SOAP-HTTP            *     *           *     *     *     *    *

4 services shown.

tunnel show

Display tunnel information for all enhanced tunnels, a subset of tunnels, or a specific tunnel. Specifics on each tunnel are displayed: tunnel partner, bytes sent and received, and tunnel state. You can sort the list by different criteria (such as age, performance, and activity) and filter the list by IP address, tunnel characteristics, or device.

tunnel show [<tunnel>] | all | [sort <criteria>] [filter <criteria>|<wildcard ipaddress>] [limit <limit>] [configuration|state]

Where:

<tunnel>

Name of the static or dynamic tunnel for which you want to show information

To specify a dynamic tunnel, enter the name in the form of <xpress-IP>:<device> where <xpress-IP> is the Xpress-IP address of the tunnel partner and <device> is main (built-in) or upper, lower, left, or right (LEM). For example: 172.21.19.10:main. Note that some dynamic tunnels may also have an ID at the end of the name (for example, 172.21.19.10:main:1); the ID is appended in situations where a static tunnel already had the same name.

all Displays two tunnel lists: open tunnels and a log of recently closed tunnels (historical information)

sort <criteria>

Sorts the tunnel list by one of the following <criteria>:

active - most active tunnel first (tunnels that are not closed)
alphabetic - alphabetically (the default)
badness - worst performing tunnel first (based on number of compressed, packed, and/or accelerated bytes)
goodness - best performing tunnel first (based on number of compressed, packed, and/or accelerated bytes)
idle - most idle tunnel first
newest - newest tunnel first
oldest - oldest tunnel first

filter <criteria> | <wildcard ipaddress>

Filters the tunnel list by one of the following <criteria>:

acceleration - display only tunnels that have acceleration enabled
active - display only active tunnels (tunnels that are not closed)
all - display all tunnels
cached - display cached tunnels (including ones that were removed recently)
closed - display only closed tunnels
compression - display only tunnels that have compression enabled
dynamic - display only auto-discovered tunnels
firewall - display only firewalled tunnels
idle - display only idle tunnels (for example, tunnels that don't have a partner or are in the process of initializing)
skyx - display only SkyX tunnels
static - display only static (manually configured) tunnels
up - display only tunnels in up state
main - display only tunnels created on the built-in ports
lower - display only tunnels created on the lower LEM
upper - display only tunnels created on the upper LEM
right - display only tunnels created on the right LEM
left - display only tunnels created on the left LEM

With <wildcard ipaddress>, you can use the "*" wildcard character with an IP address (tunnel show filter 172.16.*)

limit <limit> Maximum number of tunnels to display where <limit> is any integer

configuration

Lists the configuration settings of each tunnel: partner's IP address, device, acceleration, compression, packing, firewall, DiffServ, host/partner discovery, and MTU value. This parameter is not available when you issue this command from PolicyCenter.

state

For each tunnel, list the reason why the tunnel was last closed (if applicable) and the tunnel's current state. This parameter is not available when you issue this command from PolicyCenter.

To display similar information about legacy compression tunnels, use the setup compression show command.


Examples:

tunnel show

Tunnels: 3
Name                 Partner          Bytes Sent   Bytes Recv   State
-------------------------------------------------------------------------------
test                 172.21.18.166    0            0            Initializing...
tunnel2              172.21.18.170    0            0            Up - Idle
172.21.18.160:main   172.21.18.160    547.03KB     126.75KB     Up - dataXfer

See Tunnel States for explanations of common states.

tunnel show configuration

Tunnels: 3
Name       Partner          Device   Acc   Comp   Pack   Fire   Diff   Disc   MTU
-------------------------------------------------------------------------------
skyx3      172.21.18.170    Main     on    OFF    OFF    OFF    OFF    OFF*   1500
test       172.21.18.165    Main     on    off    ON*    off    off    on     1500
tunnel1    172.21.18.160    Main     on    off    off    off    off    on     1500

Attributes set to use default values will display as "on" or "off".
Attributes set to specific overrides will display as "ON" or "OFF".
A "*" displayed next to an attribute indicates a difference from the Global Tunnel values.

tunnel show test

Name: test                      Partner: 172.21.18.165
Type: static                    Up: 8m 21s
State: Up - DataXfer            Idle: 1s
Last Closed State: Open request timed out

Secure Mode: Yes
Egress Device: Outside          Egress IP: 0.0.0.0
Egress MAC: 00:00:00:00:00:00   Partner MAC: 00:60:fb:60:49:9a

Tunnel Attributes:
  Acceleration: on    Compression: on    Packing: on        Firewall: off
  Diffserv: off       Discovery: on      Maintenance: off   MTU: 1500

Totals:
  Static Local Hosts: 2           Static Remote Hosts: 1
  Dynamic Local Hosts: 0          Dynamic Remote Hosts: 0
  Total Sent Packets: 4815        Total Received Packets: 143
  Sent Data Bytes: 229834         Received Data Bytes: 15652
  Sent Mesg Bytes: 113091         Received Mesg Bytes: 244
  Avg Sent Packet Size: 71        Avg Received Packet Size: 111

Lane   Packets In   Packets Out   Bytes Out   Avg Pkt/Pkt   Eff%   Avg Bytes Saved
-------------------------------------------------------------------------
0      9.74K        4.81K         400.71KB    2             13     22

Explanation of the fields in the tunnel show output:

Field                      Description
Static Local Hosts         Number of local hosts configured on the device
Static Remote Hosts        Number of remote hosts configured on this tunnel
Dynamic Local Hosts        Number of local hosts auto-discovered on the device
Dynamic Remote Hosts       Number of remote hosts auto-discovered on this tunnel
Total Sent Packets         Number of packets sent to the partner through this tunnel
Total Received Packets     Number of packets received from the partner through this tunnel
Sent Data Bytes            Number of bytes of data sent to the partner through this tunnel
Received Data Bytes        Number of bytes of data received from the partner through this tunnel
Sent Mesg Bytes            Number of bytes of tunnel protocol messages sent to the partner through this tunnel
Received Mesg Bytes        Number of bytes of tunnel protocol messages received from the partner through this tunnel
Avg Sent Packet Size       Average packet size sent to the partner through this tunnel
                           Formula: (Sent Data Bytes + Sent Mesg Bytes) / Total Sent Packets
Avg Received Packet Size   Average packet size received from the partner through this tunnel
                           Formula: (Received Data Bytes + Received Mesg Bytes) / Total Received Packets

The following data is provided on a per-lane basis. If DiffServ support is not enabled, all traffic will go in Lane 0. If DiffServ is enabled, a lane is created for each unique DSCP value. For more information, see tunnel diffserv.

Field                      Description
Packets In                 Number of outbound packets sent into the "packer" for packing
Packets Out                Number of packed packets sent out of the packer (after packing); in other words, the number of super packets
Bytes Out                  Number of bytes sent through the tunnel (includes data and tunnel protocol message traffic)
Avg Pkt/Pkt                Average number of packets packed into each super packet
                           Formula: Packets In / Packets Out
Eff%                       Packing efficiency
Avg Bytes Saved            Average bytes saved per packet due to packing

Notes:

If packing is turned off for a tunnel and it has only one lane (0), the values of Total Sent Packets, Packets In, and Packets Out will be the same.

The packet and byte statistics include data traffic and tunnel protocol message traffic.

A tunnel is in secure mode when the tunnel is established and both partners have the same tunnel password.

For SkyX tunnels, the output from the tunnel show <tunnel> command does not display the ingress and egress devices. (This information is displayed for regular Xpress tunnels.) To determine the device a SkyX tunnel uses, go to the xpress tab in the browser interface.

If you enable compression for a PolicyCenter sharable configuration before a PacketShaper assigned to that configuration obtains its compression license keys, the PacketShaper may display errors when you issue the CLI command tunnel show from that unit. Resolve this problem by turning compression off and then back on from the command-line or browser interface of the PacketShaper.
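The formulas in the field table can be verified against a captured tunnel show <tunnel> output. The following Python script is an added example, not PacketWise code: it parses the page's sample output (re-flowed one field per line), recomputes Avg Sent Packet Size, Avg Received Packet Size and Avg Pkt/Pkt from the documented formulas, and reports the header facts a defender checks first (Secure Mode, current state, last close reason). The decimal K/M multipliers used for the lane counters are an assumption; the page does not state them, and only ratios are checked so the verdicts do not depend on it.

```python
"""Parse 'tunnel show <tunnel>' output and cross-check its derived fields.

Added example, not PacketWise code. SAMPLE is the page's 'tunnel show test'
output re-flowed one field per line; the parser relies only on 'Field: value'
pairs and the lane table row, not on column layout.
"""
import re

# Constructed from the page's example (same values, re-flowed).
SAMPLE = """\
Name: test   Partner: 172.21.18.165   Type: static
Up: 8m 21s   State: Up - DataXfer   Idle: 1s
Last Closed State: Open request timed out
Secure Mode: Yes
Totals:
  Static Local Hosts: 2          Static Remote Hosts: 1
  Dynamic Local Hosts: 0         Dynamic Remote Hosts: 0
  Total Sent Packets: 4815       Total Received Packets: 143
  Sent Data Bytes: 229834        Received Data Bytes: 15652
  Sent Mesg Bytes: 113091        Received Mesg Bytes: 244
  Avg Sent Packet Size: 71       Avg Received Packet Size: 111
Lane  Packets In  Packets Out  Bytes Out  Avg Pkt/Pkt  Eff%  Avg Bytes Saved
-------------------------------------------------------------------------
0     9.74K       4.81K        400.71KB   2            13    22
"""

# 'State' must not match inside 'Last Closed State', hence the lookbehind.
HEADER_PATTERNS = {"State": r"(?<!Closed )State:",
                   "Last Closed State": r"Last Closed State:",
                   "Secure Mode": r"Secure Mode:"}
TOTAL_FIELDS = ("Static Local Hosts", "Static Remote Hosts", "Dynamic Local Hosts",
                "Dynamic Remote Hosts", "Total Sent Packets", "Total Received Packets",
                "Sent Data Bytes", "Received Data Bytes", "Sent Mesg Bytes",
                "Received Mesg Bytes", "Avg Sent Packet Size", "Avg Received Packet Size")
LANE_RE = re.compile(r"(?m)^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
# Assumption: decimal multipliers (the page does not say); only ratios are checked.
SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_quantity(token):
    """'9.74K' -> 9740.0, '400.71KB' -> 400710.0, '12' -> 12.0."""
    m = re.fullmatch(r"([0-9.]+)([KMG]?)B?", token)
    if not m:
        raise ValueError("unrecognised quantity: %r" % token)
    return float(m.group(1)) * SUFFIX[m.group(2)]


def parse_tunnel_show(text):
    """Return {'info': header fields, 'totals': counters, 'lanes': lane rows}."""
    info = {}
    for key, pat in HEADER_PATTERNS.items():
        # A value runs to end of line or to the next column (two or more spaces).
        m = re.search(r"(?m)%s\s*(.+?)(?:\s{2,}|$)" % pat, text)
        if m:
            info[key] = m.group(1).strip()
    totals = {}
    for key in TOTAL_FIELDS:
        m = re.search(r"%s:\s*(\d+)" % re.escape(key), text)
        if m:
            totals[key] = int(m.group(1))
    lanes = []
    for m in LANE_RE.finditer(text):
        lane, pin, pout, bout, avg, eff, saved = m.groups()
        lanes.append({"lane": int(lane), "packets_in": parse_quantity(pin),
                      "packets_out": parse_quantity(pout), "bytes_out": parse_quantity(bout),
                      "avg_pkt_per_pkt": int(avg), "eff_pct": int(eff),
                      "avg_bytes_saved": int(saved)})
    return {"info": info, "totals": totals, "lanes": lanes}


def check_derived_fields(parsed):
    """Recompute the documented averages and compare with the reported ones.
    Returns {name: (computed, reported, consistent)}. The page gives the
    formulas but not the rounding rule; the sample agrees with truncation,
    so any difference below 1 is accepted."""
    t, checks = parsed["totals"], {}

    def add(name, numerator, denominator, reported):
        if denominator == 0:  # idle tunnel: nothing to average
            return
        computed = numerator / denominator
        checks[name] = (computed, reported, abs(computed - reported) < 1)

    add("Avg Sent Packet Size", t["Sent Data Bytes"] + t["Sent Mesg Bytes"],
        t["Total Sent Packets"], t["Avg Sent Packet Size"])
    add("Avg Received Packet Size", t["Received Data Bytes"] + t["Received Mesg Bytes"],
        t["Total Received Packets"], t["Avg Received Packet Size"])
    for lane in parsed["lanes"]:
        add("Lane %d Avg Pkt/Pkt" % lane["lane"], lane["packets_in"],
            lane["packets_out"], lane["avg_pkt_per_pkt"])
    return checks


def tunnel_findings(parsed):
    """Header facts worth flagging: a tunnel is only in secure mode when both
    partners share the tunnel password, and a close reason hints at why."""
    info, findings = parsed["info"], []
    if info.get("Secure Mode") != "Yes":
        findings.append("tunnel is not in secure mode")
    if not info.get("State", "").startswith("Up"):
        findings.append("tunnel state is %r" % info.get("State"))
    if info.get("Last Closed State"):
        findings.append("last close reason: %s" % info["Last Closed State"])
    return findings
```

Running check_derived_fields on the sample gives 71.2, 111.2 and 2.0 for the three averages, each consistent with the reported 71, 111 and 2; tunnel_findings reports only the recorded close reason, since the sample tunnel is up and in secure mode.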

Command Change History
Release   Modification
8.0.1     state parameter introduced
8.0.0     command introduced

PacketGuide™ for PacketWise® 9.2


tunnel static

Convert a dynamic Xpress tunnel to a static tunnel so that the settings can be fine tuned. Because certain settings (such as manually adding hosts) can be configured for static tunnels only, you'll need to convert the tunnel to static if you want to adjust these settings.

tunnel static <tunnel> [<new tunnel name>]

where

<tunnel> Name of the dynamic tunnel (for example, 172.21.20.16:main)

<new tunnel name> Descriptive name to be assigned to the tunnel; the name can be up to 31 characters long and may include alphanumeric characters and the following special characters: . - _ : @ # $ % = + [ ] { }
Spaces are not allowed.

The following names are reserved for other uses and are prohibited as tunnel names: acceleration, all, class, compression, default, delete, dictionary, diffserv, discovery, faststart, firewall, force, global, high, holdtime, host, information, ip, local, logging, low, mem, mtu, new, normal, off, on, packing, partner, password, ping, prefetch, priority, remote, remove, scps, service, show, state, static.

Notes:

Tunnels cannot be renamed so choose your name carefully. If you later decide that you want to rename a tunnel, you'll need to remove it and create a new one.

If you don't specify a <new tunnel name>, Xpress will assign the static tunnel the name of the dynamic tunnel.

Example:

tunnel static 172.21.20.16:lower london
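Because a tunnel cannot be renamed once created, a script that generates tunnel static commands should validate the proposed name first. The following Python check is an added example, not PacketWise code; it encodes exactly the rules stated above (31 characters, the listed special characters, no spaces, the reserved words). Treating reserved words case-insensitively is an assumption made to stay on the safe side; the page lists them in lowercase only.

```python
"""Pre-flight check for 'tunnel static <tunnel> <new tunnel name>'.

Added example, not PacketWise code. Encodes the naming rules the page states
so a name is rejected before the tunnel is created, since tunnels cannot be
renamed afterwards.
"""
import re

MAX_TUNNEL_NAME_LEN = 31
# Reserved words listed on the page; compared case-insensitively (assumption).
RESERVED_TUNNEL_NAMES = frozenset("""
acceleration all class compression default delete dictionary diffserv discovery
faststart firewall force global high holdtime host information ip local logging
low mem mtu new normal off on packing partner password ping prefetch priority
remote remove scps service show state static
""".split())
# Alphanumerics plus . - _ : @ # $ % = + [ ] { } ; the hyphen is last so it is literal.
ALLOWED_NAME_RE = re.compile(r"^[A-Za-z0-9._:@#$%=+\[\]{}-]+$")


def tunnel_name_problems(name):
    """Return the list of rule violations for a proposed static tunnel name
    (an empty list means the name is acceptable)."""
    problems = []
    if not name:
        return ["name is empty"]
    if len(name) > MAX_TUNNEL_NAME_LEN:
        problems.append("longer than %d characters" % MAX_TUNNEL_NAME_LEN)
    if " " in name:
        problems.append("contains a space")
    elif not ALLOWED_NAME_RE.match(name):
        problems.append("contains a character outside the allowed set")
    if name.lower() in RESERVED_TUNNEL_NAMES:
        problems.append("'%s' is a reserved word" % name)
    return problems


def build_tunnel_static_command(dynamic_tunnel, new_name=None):
    """Return the CLI line that converts a dynamic tunnel to a static one,
    or raise ValueError if the requested name breaks a rule. Without a new
    name the static tunnel keeps the dynamic tunnel's name (page note)."""
    if new_name is None:
        return "tunnel static %s" % dynamic_tunnel
    problems = tunnel_name_problems(new_name)
    if problems:
        raise ValueError("invalid tunnel name %r: %s" % (new_name, "; ".join(problems)))
    return "tunnel static %s %s" % (dynamic_tunnel, new_name)
```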


tunnel summary

Display the Xpress tunnel summary. The summary displays the Xpress-IP addresses, the number of Xpress tunnels, current configuration settings, the amount of traffic sent and received through tunnels, compression memory, available algorithms, default compression dictionary, and number of service and class overrides.

tunnel summary [-pw]

The -pw parameter displays the PacketShaper's tunnel password (in touch mode only) in addition to the other tunnel information.

Xpress Tunnel Summary:

Xpress tunnels are running in enhanced mode.

Xpress IP Configuration:
  Main:
    Address: 172.21.18.163
    Netmask: 255.255.0.0
    Gateway: 172.21.0.1
    Tunnels: active: 3  priority: 2  idle: 2  manual: 2  firewall: 0  SkyX: 0

Tunnel Manager:
  tunnel count: 3
  maximum tunnels: 100
  tunnel cache: 0

Tunnel Global Configuration:
  Acceleration: on
  Compression: on
  DiffServ: on
  Discovery: on
  Maintenance: off
  Firewall: on
  Packing: on
  Automatic MTU: on (but disabled due to shaping mode)
  MTU: 1500
  Password: <not configured>
  Acceleration Settings:
    Congestion control: on
    SCPS: off
    FastStart: on
    Server Prefetch: on
    Client Prefetch: off
  Packing Timers:
    global: 10ms
    pack-n-go: 0ms
    latency sensitive: 1ms
    latency nonsensitive: 10ms

Tunnel Traffic:
  Received: 16.84M packets (975.44MB)
  Sent: 27.44M packets (21.72GB)

Compression Memory:
  Enhanced (free): 118751 KB, 115 MB
  Enhanced (total): 118751 KB, 115 MB

Algorithms:
  Stateless: RETD UDPRT
  Header: HDRIP HDRUDP HDRTCP HDRXTP HDRRTP
  Normal: NONE RETD CNA ICNA PRED1 PRED2 UDPRT
  Total: 12 algorithms

Default Algorithm: CNA 1M

Overrides:
  Service Table Overrides:
    User-created overrides: 0
    Number of services with overrides: 201
  Traffic Class Overrides:
    User-created overrides: 1


tunnel xtpping

Test connectivity of an Xpress tunnel or a partner PacketShaper. The tunnel xtpping command is similar to the tunnel ping command, but the difference is that a tunnel xtpping sends XTP packets while a tunnel ping sends IPComp (IP Payload Compression Protocol) packets. The xtpping command is useful for diagnosing any acceleration-related difficulties, especially with routing and/or firewalls.

Note: Enable the acceleration feature before you issue this command.

tunnel xtpping <tunnel> | {<device> <target ip-address> [<bind ip-address>]}

<tunnel> Name of the static or dynamic tunnel for which you want to test connectivity.

To specify a dynamic tunnel, enter the name in the form of <xpress-IP>:<device> where <xpress-IP> is the Xpress-IP address of the tunnel partner and <device> is main (built-in) or upper, lower, left, or right (LEM). For example: 172.21.19.10:main.

<device> Interface on the local unit from which connectivity is to be tested. <device> is one of the following:

main — built-in interface
upper — upper LAN Expansion Module (LEM)
lower — lower LEM
left — left LEM
right — right LEM

<target ip-address> The Xpress-IP address of an interface (main, upper LEM, lower LEM, left LEM, right LEM) on the partner PacketShaper

Note: Each interface on a PacketShaper has a unique Xpress-IP address.

[<bind ip-address>] The IP address from which packets appear to originate. If not specified, the source address is the XIP of the interface. By specifying a bind address, the PacketShaper can emit a packet that appears to be coming from a local host — detecting if a firewall is blocking local traffic, but letting PacketShaper traffic through.

Ping Messages

The ping output indicates the round trip time in milliseconds of each packet sent, as well as summary statistics of the number of transmitted and received packets.

After issuing the tunnel xtpping command, you will see one of the following messages:

Sample Message                                                Description
Sent 5 packets, received 5.                                   Successful ping attempt: Xpress was able to connect to the specified tunnel/partner
Sent 5 packets, received 0.                                   Unsuccessful ping attempt: Xpress was not able to connect to the specified tunnel/partner
Sent 5 packets, received 4.                                   Partially successful attempt: Xpress was able to connect to the specified tunnel/partner but some packets were lost
Failed to find a tunnel named x                               Tunnel name is invalid or doesn't exist; you either typed the tunnel name incorrectly or the tunnel isn't up. Use the tunnel show command to see a list of valid tunnel names and states.
Invalid device name                                           Device name is invalid or doesn't exist; you either typed the device name incorrectly or the unit doesn't have the device installed
Operation not permitted. IP address is a local XIP address.   <target ip-address> entered was on the local unit. It should be the IP address of the partner unit.

Examples:

In the following example, all XTP packets were successfully received:


tunnel xtpping london
...binding to address 172.21.18.161
80 bytes from 172.21.18.163: icmp_seq=0 time=1.0 ms using XTP (Partner found)
80 bytes from 172.21.18.163: icmp_seq=1 time=1.0 ms using XTP (Partner found)
80 bytes from 172.21.18.163: icmp_seq=2 time=0.0 ms using XTP (Partner found)
80 bytes from 172.21.18.163: icmp_seq=3 time=1.0 ms using XTP (Partner found)
80 bytes from 172.21.18.163: icmp_seq=4 time=1.0 ms using XTP (Partner found)
Sent 5 packets, received 5.

In the following example, four of five XTP packets were received:

tun xtpping test
...binding to address 172.21.18.161
80 bytes from 172.21.18.163: icmp_seq=0 time=1.0 ms using XTP (Partner found)
80 bytes from 172.21.18.163: icmp_seq=2 time=0.0 ms using XTP (Partner found)
80 bytes from 172.21.18.163: icmp_seq=3 time=1.0 ms using XTP (Partner found)
80 bytes from 172.21.18.163: icmp_seq=4 time=0.0 ms using XTP (Partner found)
Sent 5 packets, received 4.

In the following example, no XTP packets were received:

tunnel xtpping main 172.21.18.165
...binding to address 172.21.18.161
No response from 172.21.18.165.
No response from 172.21.18.165.
No response from 172.21.18.165.
No response from 172.21.18.165.
No response from 172.21.18.165.
Sent 5 packets, received 0.
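When xtpping is run from a monitoring script rather than by hand, the output has to be turned into a verdict matching the message table above. The following Python parser is an added example, not PacketWise code: it reads the three outputs shown above (re-flowed one reply per line) plus one constructed error message, reports which sequence numbers went unanswered, the mean round-trip time, and one of the outcomes the table lists. It assumes, as the examples show, that icmp_seq counts from 0.

```python
"""Turn 'tunnel xtpping' output into a reachability verdict.

Added example, not PacketWise code. The first three samples are the page's
examples re-flowed one reply per line; ERROR_SAMPLE is constructed.
"""
import re
import statistics

REPLY_RE = re.compile(r"^\d+ bytes from (?P<addr>\S+): icmp_seq=(?P<seq>\d+) "
                      r"time=(?P<rtt>[0-9.]+) ms using XTP")
NO_RESPONSE_RE = re.compile(r"^No response from (?P<addr>\S+)\.$")
SUMMARY_RE = re.compile(r"^Sent (?P<sent>\d+) packets, received (?P<recv>\d+)\.$")
# Leading text of the error messages the page documents.
ERROR_PREFIXES = ("Failed to find a tunnel named", "Invalid device name",
                  "Operation not permitted")

OK_SAMPLE = """\
...binding to address 172.21.18.161
80 bytes from 172.21.18.163: icmp_seq=0 time=1.0 ms using XTP (Partner found)
80 bytes from 172.21.18.163: icmp_seq=1 time=1.0 ms using XTP (Partner found)
80 bytes from 172.21.18.163: icmp_seq=2 time=0.0 ms using XTP (Partner found)
80 bytes from 172.21.18.163: icmp_seq=3 time=1.0 ms using XTP (Partner found)
80 bytes from 172.21.18.163: icmp_seq=4 time=1.0 ms using XTP (Partner found)
Sent 5 packets, received 5.
"""
PARTIAL_SAMPLE = """\
...binding to address 172.21.18.161
80 bytes from 172.21.18.163: icmp_seq=0 time=1.0 ms using XTP (Partner found)
80 bytes from 172.21.18.163: icmp_seq=2 time=0.0 ms using XTP (Partner found)
80 bytes from 172.21.18.163: icmp_seq=3 time=1.0 ms using XTP (Partner found)
80 bytes from 172.21.18.163: icmp_seq=4 time=0.0 ms using XTP (Partner found)
Sent 5 packets, received 4.
"""
DOWN_SAMPLE = "...binding to address 172.21.18.161\n" + \
    "No response from 172.21.18.165.\n" * 5 + "Sent 5 packets, received 0.\n"
# Constructed: the tunnel name is a deliberate typo.
ERROR_SAMPLE = "Failed to find a tunnel named londn\n"


def parse_xtpping(output):
    """Return counters, per-reply (seq, rtt_ms) pairs, the unanswered
    sequence numbers and any documented error line."""
    result = {"sent": None, "received": None, "replies": [],
              "no_response": 0, "lost_seq": [], "error": None}
    for raw in output.splitlines():
        line = raw.strip()
        m = REPLY_RE.match(line)
        if m:
            result["replies"].append((int(m.group("seq")), float(m.group("rtt"))))
        elif NO_RESPONSE_RE.match(line):
            result["no_response"] += 1
        elif SUMMARY_RE.match(line):
            m = SUMMARY_RE.match(line)
            result["sent"] = int(m.group("sent"))
            result["received"] = int(m.group("recv"))
        elif line.startswith(ERROR_PREFIXES):
            result["error"] = line
    if result["sent"] is not None:
        seen = {seq for seq, _ in result["replies"]}   # seq numbers start at 0
        result["lost_seq"] = sorted(set(range(result["sent"])) - seen)
    return result


def classify(result):
    """Map a parsed run onto the outcomes in the page's message table."""
    if result["error"]:
        return "error"
    if result["sent"] is None:
        return "incomplete"        # no summary line: output was cut off
    if result["received"] == 0:
        return "unreachable"
    if result["received"] < result["sent"]:
        return "partial"
    return "ok"


def mean_rtt_ms(result):
    rtts = [rtt for _, rtt in result["replies"]]
    return statistics.mean(rtts) if rtts else None
```

A "partial" verdict with the same sequence number missing on every run points at a path problem rather than random loss, which is the routing or firewall difficulty the command exists to diagnose.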

Command Change History
Release   Modification
8.2.0     xtpping command introduced


ul add

Add entries to an existing user list. When specifying multiple names, separate each with a space.

9.2.2 syntax: ul add <user_list> u:<user> | g:<group> [u:<user> | g:<group> ...]

where <user_list> is an existing user list name, and <user> and <group> must be specified in the <domain-name>\<user or group name> format. To differentiate between user and group names, you must precede each name with u: or g:.

9.2.1 syntax: ul add <user_list> <user> [<user> ...]

Example of v9.2.2 syntax:

ul add list1 g:cal\group-marketing u:cal\john.smith u:cal\peter.hanson

Note: The syntax for the ul add command has changed between versions 9.2.1 and 9.2.2, and the old command will not work in v9.2.2. If you are restoring the configuration using a config.cmd created in v9.2.1, any user lists in the configuration may not be properly populated after the configuration is restored.

Command Change History
Release   Modification
9.2.2     Support added for user groups; command syntax modified
9.2.1     Command introduced


ul delete

Remove one or more users or groups from an existing user list.

9.2.2 syntax: ul delete <user_list> u:<user> | g:<group> [u:<user> | g:<group> ...]

where <user_list> is an existing user list name, and <user> and <group> must be specified in the <domain-name>\<user or group name> format.

9.2.1 syntax: ul delete <user_list> <user> [<user> ...]

Note: The syntax for the ul delete command has changed between versions 9.2.1 and 9.2.2, and the old command will not work in v9.2.2.

Command Change History
Release   Modification
9.2.2     Support added for user groups; command syntax modified
9.2.1     Command introduced


ul new

Create a user list by defining a unique name and specifying the user and group names that should be included in the list. When specifying multiple names, separate each with a space.

9.2.2 syntax: ul new <user_list> u:<user> | g:<group> [u:<user> | g:<group> ...]

where <user_list> is a descriptive name, up to 127 characters; the slash (/) and backslash (\) characters may not be used. The <user> and <group> must be specified in the <domain-name>\<user or group name> format. To differentiate between user and group names, you must precede each name with u: or g:.

9.2.1 syntax: ul new <user_list> [<user> [<user> ...]]

To add entries to the user list after it's created, use the ul add command.

Examples:

ul new list2 u:ny\pharrison u:ny\speters g:ny\group-sales

ul new list3

Notes:

The syntax for the ul new command has changed between versions 9.2.1 and 9.2.2, and the old command will not work in v9.2.2. If you are restoring the configuration using a config.cmd created in v9.2.1, any user lists in the configuration may not be properly populated after the configuration is restored.

The ul new command does not validate the existence of the user and group names.

Command Change History
Release   Modification
9.2.2     Support added for user groups; command syntax modified
9.2.1     Command introduced


ul override

For PolicyCenter / Units in shared mode only

Override an inherited user list by creating a local copy of the list.

ul override <list-name>

where <list-name> is an existing user list name. You must make a local copy of an inherited user list before you can change the user list on the child configuration.

Command Change History
Release   Modification
9.2.1     Command introduced


ul publish

For PolicyCenter / Units in shared mode only

Publish a local or overridden user list.

ul publish <list_name>

where <list_name> is an existing user list name.

Command Change History
Release   Modification
9.2.1     Command introduced


ul reformat

This command ensures v9.2.1 user lists are formatted properly after upgrading to v9.2.2 or higher.

ul reformat upgrade

The upgrade option adds u: before each user name in the list because a prefix is necessary to distinguish user names from group names in v9.2.2+. It performs the operation on all user lists at once.

Note: If you fail to use the upgrade command, user list classification will still work properly. However, you will see an "invalid entries in the list" error if you ever try to modify the list, and you will need to manually add the u: prefix on each user name (or run the ul reformat upgrade command to fix all user lists).
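The ul add and ul new notes above warn that a config.cmd saved under v9.2.1 may leave user lists unpopulated when restored on v9.2.2, and ul reformat upgrade only repairs lists that already exist on the unit. The following Python script is an added example, not PacketWise code: it applies the same u: prefixing to the ul new, ul add and ul delete lines of a saved config.cmd before the restore, leaves entries already tagged u: or g: alone, and checks the v9.2.2 rules stated on this page (list name up to 127 characters with no / or \, entries in domain\name form). It assumes that the v9.2.1 entries were already written as domain\name; the sample configuration is constructed.

```python
"""Rewrite v9.2.1 'ul' lines in a saved config.cmd into v9.2.2 syntax.

Added example, not PacketWise code. Does offline what 'ul reformat upgrade'
does on the unit: bare entries of 'ul new', 'ul add' and 'ul delete' lines
get the 'u:' prefix; entries already tagged 'u:' or 'g:' are unchanged.
Assumption: v9.2.1 entries were already written as domain\\name.
"""
import re

LIST_NAME_MAX = 127
UL_LINE_RE = re.compile(r"^(ul\s+(?:new|add|delete))\s+(\S+)(.*)$")
# Optional u:/g: tag, then domain\name with no further separators.
ENTRY_RE = re.compile(r"^(?:(?P<tag>[ug]):)?(?P<domain>[^\\/]+)\\(?P<name>[^\\/]+)$")

# Constructed v9.2.1-style config.cmd fragment (the last line shows pass-through).
CONFIG_921 = r"""ul new list1 cal\john.smith cal\peter.hanson
ul add list1 cal\mary.jones
ul new list3
ul add list2 u:ny\pharrison g:ny\group-sales
ul delete list1 cal\peter.hanson
ul show *
"""


def list_name_problem(name):
    """Return a description of the rule the list name breaks, or None."""
    if len(name) > LIST_NAME_MAX:
        return "list name longer than %d characters" % LIST_NAME_MAX
    if "/" in name or "\\" in name:
        return "list name contains / or \\"
    return None


def upgrade_entry(entry):
    """Return (new_entry, problem). Bare 'dom\\name' becomes 'u:dom\\name';
    tagged entries pass through; anything else is left as-is and flagged."""
    m = ENTRY_RE.match(entry)
    if not m:
        return entry, "entry %r is not in domain\\name form" % entry
    if m.group("tag"):
        return entry, None
    return "u:" + entry, None


def upgrade_ul_line(line):
    """Upgrade one config line; non-ul lines are returned unchanged."""
    m = UL_LINE_RE.match(line.strip())
    if not m:
        return line, []
    cmd, list_name, rest = m.groups()
    warnings = []
    problem = list_name_problem(list_name)
    if problem:
        warnings.append(problem)
    entries = []
    for entry in rest.split():
        new_entry, problem = upgrade_entry(entry)
        entries.append(new_entry)
        if problem:
            warnings.append(problem)
    return " ".join([cmd, list_name] + entries), warnings


def upgrade_config(text):
    """Return (converted_text, warnings); warnings carry 1-based line numbers."""
    out, warnings = [], []
    for number, line in enumerate(text.splitlines(), 1):
        new_line, problems = upgrade_ul_line(line)
        out.append(new_line)
        warnings.extend("line %d: %s" % (number, p) for p in problems)
    return "\n".join(out) + "\n", warnings
```

The conversion is idempotent, so running it over a file that was already in v9.2.2 form changes nothing; lines that cannot be converted are passed through unchanged and reported, rather than silently dropped from the list.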

Command Change History
Release   Modification
9.2.2     New command


ul rm

Remove a user list from the directory configuration.

ul rm <user_list>

User lists cannot be removed if they are currently being used in a class matching rule.

Command Change History
Release   Modification
9.2.1     Command introduced


ul show

Display a list of all defined user lists or show the details of a specific user list.

ul show [<list_name>]

To show all user lists, as well as the user and group names in each list:

ul show *

User and group names are listed alphabetically.

Command Change History
Release   Modification
9.2.2     Support added for user groups
9.2.1     Command introduced


unit assign

For PolicyCenter only

Assign a unit to a different PolicyCenter configuration.

When a PacketShaper subscribes to PolicyCenter, PolicyCenter creates a unique configuration for that unit at the top of the configuration tree, then assigns the unit to that configuration. PacketShapers running PacketWise 7.5 or later releases are not assigned directly to a sharable PolicyCenter configuration. When you assign a unit running 7.5 or later to a sharable configuration, the unit remains attached to its individual unique unit configuration, so that unit configuration will appear in the configuration tree below the sharable parent configuration to which it is assigned. Because the unit is not directly assigned to a sharable configuration, changes made to the individual unit configuration will not affect its sharable parent configuration. The unit will, however, continue to inherit the settings from its sharable parent.

PacketShapers running versions of PacketWise released before PolicyCenter 7.5.0 can be assigned directly to a PolicyCenter sharable configuration. Any change to that individual unit via the command-line or browser interface of the unit will alter the sharable configuration to which it is assigned, and any child configurations of that sharable parent. A unit running a pre-7.5.0 version of PacketWise will not appear in the PolicyCenter configuration tree. If you assign multiple units directly to the same sharable configuration, each of these pre-7.5.0 units must have a unique unit name. If you wish to assign a pre-7.5.0 unit to a sharable configuration that already has a unit with the same name, you must first rename one of the units.

unit assign <unit_name>|<unit_sn> [cfg_path]

<unit_name> The name of the unit

<unit_sn> The serial number of the unit

<cfg_path> The path of the unit's new configuration. If you omit this parameter, the unit will be assigned to the current active configuration.

Note: You cannot assign a unit to a draft configuration. To try a draft configuration on a unit, use the command draft try.


unit clean

For PolicyCenter only

Deletes old unit status entries from the directory server, so that they will no longer clutter the config show command's output. You can specify the minimum age of entries to be deleted, where age is the number of seconds since the corresponding unit has reported status to the directory server. Does not delete any configurations.

unit clean [<age in seconds>]


unit collapse

For PolicyCenter only

This command publishes a unit's configuration to its parent, assigns the unit to the parent configuration, then deletes the child configuration.

Use this command when you want units assigned to a parent configuration to have the same settings as a unit assigned to the child configuration.

unit collapse <unit_name>|<unit_sn>

<unit_name> The name of the unit

<unit_sn> The serial number of the unit


unit details

Display detailed information about the selected unit, such as model number, serial number, IP address, image version, PolicyCenter information, and the unit's banner messages.

unit details <unit_name>|<unit_sn>

<unit_name> The name of the unit

<unit_sn> The serial number of the unit

unit details 085-10000215

Serial number         075-10000215
Unit name             Unit1
Model                 7500
Status update age     19
Uptime                136 hrs
IP address            172.21.18.160
HTTPS port            ?
Domain name           (unknown)
Configuration name    /default
Image Version         PacketWise v8.2.1
Description           (none)

banner /compression, notice, 09 Oct 04 14:07, Notice: Compression is turned off.
banner /dioutl/power1, warn, 09 Oct 04 14:07, Power supply 1 FAILED.
banner /traffic/setup/shaping_state, notice, 05 Oct 04 14:07, Packet shaping: off.

The status update age is the number of seconds that has elapsed since the unit confirmed its connection to PolicyCenter, while the uptime is the number of hours that the unit has reported a consistent connection. (After resetting the unit, the uptime will be 0.)


unit expand

For PolicyCenter only

Create a new child configuration under a unit's current configuration, and assign the unit to the new child.

Use this command when you have several units assigned to a single PolicyCenter configuration, and you want to make individual changes on a single unit. The unit assigned to the new child configuration will initially have the same configuration as the units assigned to the parent configuration, but any changes to the new child configuration will affect only the units assigned to that child.

unit expand <unit_name>|<unit_sn> [cfg_name]

<unit_name> The name of the unit

<unit_sn> The serial number of the unit

<cfg_name> The name of the new child configuration


unit migrate

For PolicyCenter only

Assign a PacketShaper in shared mode to a different PolicyCenter directory server. When you assign PacketShapers from the core directory server to a nearby edge directory server, that edge server assumes much of the processing load previously managed by the core directory server, allowing for faster response times by both servers.

Important: Only assign PacketShapers running PacketWise version 7.5 or 8.3.x or later releases to an edge directory server. Assigning a unit running an earlier version of PacketWise to an edge directory server can cause errors on the unit. Assign units with earlier versions of software to the core directory server only.

unit migrate <unit_name>|<unit_sn> <ds host>

<unit_name> The name of the unit

<unit_sn> The serial number of the unit

<ds host> The IP address of the edge or core directory server to which the unit will be assigned.

unit migrate Shaper1_9500 172.21.29.138


unit rename

For PolicyCenter only

Give a new name or assign a different name to a PacketShaper. You can identify the unit by unit name or serial number.

unit rename <unit_name>|<unit_sn> <unit_name>

<unit_name> The name of the PacketShaper; the name can be up to 20 characters long and may include alphanumeric characters, dashes (-), underlines (_), and periods (.) and may not contain spaces.

<unit_sn> The serial number of the PacketShaper

The following example identifies a unit by its serial number, and gives it the name ShaperOne.

unit rename 025-10000215 ShaperOne


unit show

For PolicyCenter only

Display information for all PacketShapers assigned to PolicyCenter, such as serial number, unit name, the name of its assigned PolicyCenter configuration, the unit's domain name and IP address.

unit show

Note: Although unit names can be up to 20 characters long, the unit show output displays only the first 16 characters of the name.


unit versions

For PolicyCenter only

Identify the software version of each unit assigned to PolicyCenter.

unit versions

For example:

unit versions

Checksum     IP Address      Type   Version
4066331225   172.21.18.170   STD    v7.0.0g1 2005-07-19
4066331225   172.21.18.172   STD    v7.0.0g1 2005-07-19
4066331225   172.21.18.173   STD    v7.0.0g1 2005-07-19
2043423021   172.21.18.152   ISP    v6.2.0g1 2005-05-19


unzip

Extract files from a ZIP file. For example, after uploading a zipped set of customer portal pages, you can use the unzip command to extract the files.

If no options are specified, all files in the ZIP file are extracted to the current directory and you will be prompted to overwrite existing files. Optionally, you can specify a list of files to extract or not to extract, and place the extracted files in their own directory.

unzip [<modifiers>] <file>[.zip] [<list>] [-x <xlist>] [-d <exdir>]

where valid modifiers are:

-l   lists the files in the archive, along with their size, date, and time
-n   don't overwrite existing files
-o   overwrite existing files without prompting

-q   quiet operation — gives no feedback during the unzipping process (the command output doesn't list the files as they are being extracted). However, you will still be prompted to overwrite existing files unless the -o option is used.

When you specify multiple modifiers, you need only one dash — for example, -oq.

The other optional parameters you can use are:

<list>   a list of files to be extracted from the archive; separate each filename with a space

Note: You must enter the filenames with the same upper- and lower-case that appears in the ZIP file.

-x <xlist>

a list of files that should not be extracted from the archive; separate each filename with a space

Note: You must enter the filenames with the same upper- and lower-case that appears in the ZIP file.

-d <exdir>   the name of the directory to place the extracted files. If the directory doesn't exist, it will be created automatically.

Examples:

unzip config.zip <--all the files in the ZIP are extracted

Archive: config.zip
  inflating: config.ldi
 extracting: settings.cfg
 extracting: basic.cfg

unzip -l config <--the files in the ZIP are listed, but not extracted

Archive: config.zip
  Length     Date    Time    Name
 --------    ----    ----    ----
    64032  07-30-04  15:20   config.ldi
     3364  08-04-04  11:35   settings.cfg
      600  12-16-03  09:46   basic.cfg
 --------                    -------
    67996                    3 files

unzip -qo test.zip <--all the files in the ZIP are extracted and existing files are automatically overwritten; there is no screen output because of the -q modifier

unzip config config.ldi settings.cfg <-- only two files in the ZIP are extracted

Archive: config.zip
replace config.ldi? [y]es, [n]o, [A]ll, [N]one, [r]ename: A
  inflating: config.ldi
 extracting: settings.cfg

unzip config -d testdir <-- extracts all files and puts them in testdir directory


Archive: config.zip
  inflating: testdir/config.ldi
 extracting: testdir/settings.cfg
 extracting: testdir/basic.cfg

PacketGuide™ for PacketWise® 9.2


update

Check the availability of plug-ins on the Blue Coat update server and download specific or all available plug-ins. Note that this command won't work on all networks (for instance if the corporate LAN is private or a security policy or firewall is in place); in this situation, you will need to download the plug-in file from the Blue Coat support website using a computer that is not subject to these restrictions.

update [-id] [class|comp|wui]

where:

-i    Interactive mode — displays a list of available plug-ins and allows you to select which ones to download. It lists all plug-ins that are applicable for the version of PacketWise you are using.

      You can specify the plug-in(s) you want to download by typing any of the following:

      the index number next to the plug-in name (to download a single plug-in)
      a range of valid index numbers, for instance: 1-3 (to download a range of plug-ins)
      index numbers and ranges separated by commas, for instance: 2,4,6-8, 10 (to download several plug-ins)
      all (to download all listed plug-ins)
      exit (to exit the command without downloading any plug-ins)

-d    Show detailed information about each plug-in, including filename, description, and type

      Note: If you want to list details on each plug-in plus have the ability to select which plug-ins to download, use both the -i and -d parameters (for example, update -id or update -i -d).

By default, the update command checks the availability of all types of new plug-ins. Alternatively, you can specify a plug-in type:

class    (classification plug-ins)
comp     (compression plug-ins)
wui      (user-interface plug-ins)

The update command copies the plug-in files to the PLG directory on the system disk (9.256/), but they are not activated until you reset the unit using the reset command.

Example:

update -i

Index  Name         Version   Type
------------------------------------------------------
1      SMS Pre-SP2  1.0.1.0   Classification
2      SSL          1.0.0.0   Classification
3      Winny        1.0.0.0   Classification

Do you want to download them now? [1,2-5,7] or [all] or [exit]: 1,3
Downloading file sms.plg... Done!
Downloading file winny.plg... Done!
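The listing table and the prompt syntax of the update -i session above, handled in code as an added example (not PacketWise code): parse_plugin_listing reads the Index/Name/Version/Type table and parse_selection validates a reply against it, rejecting indexes that were never listed. Function names and the sample listing are constructed here.

```python
import re

# Constructed from the update -i example above (re-typed, not captured).
SAMPLE_LISTING = """\
Index Name Version Type
------------------------------------------------------
1 SMS Pre-SP2 1.0.1.0 Classification
2 SSL 1.0.0.0 Classification
3 Winny 1.0.0.0 Classification
"""

_TOKEN = re.compile(r"^(\d+)(?:-(\d+))?$")   # one index or one lo-hi range


def parse_plugin_listing(text: str) -> list:
    """Rows of the Index/Name/Version/Type table as dicts. Names may contain
    spaces (SMS Pre-SP2), so each row is split from both ends, not by column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue                          # header, dashed rule, blank
        rows.append({"index": int(parts[0]), "name": " ".join(parts[1:-2]),
                     "version": parts[-2], "type": parts[-1]})
    return rows


def parse_selection(reply: str, listed: list) -> list:
    """Indexes selected by a reply to the download prompt: a single index, a
    range (1-3), a comma list of both (2,4,6-8, 10), "all", or "exit" (which
    returns []). Anything else, or an index that is not in the listing, raises
    ValueError so the caller can prompt again instead of guessing."""
    reply = reply.strip().lower()
    if reply == "exit":
        return []
    if reply == "all":
        return sorted(listed)
    valid, chosen = set(listed), set()
    for part in reply.split(","):
        m = _TOKEN.match(part.strip())
        if not m:
            raise ValueError(f"unrecognised selection {part.strip()!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending range {part.strip()!r}")
        missing = [i for i in range(lo, hi + 1) if i not in valid]
        if missing:
            raise ValueError(f"index {missing[0]} is not in the listing")
        chosen.update(range(lo, hi + 1))
    return sorted(chosen)


def select_plugins(listing: str, reply: str) -> list:
    """Names of the plug-ins a reply selects, in listing order."""
    rows = parse_plugin_listing(listing)
    wanted = set(parse_selection(reply, [r["index"] for r in rows]))
    return [r["name"] for r in rows if r["index"] in wanted]
```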


uptime

Determine how long the unit has been up and running. It measures the time since the unit was booted, either from a power-up or a software reset.

uptime


version

Display the PacketWise software version, model, serial number, and memory capacity. Use the verbose option to list the part number, the inside and outside MAC addresses, installed keys, and installed plug-ins.

version [verbose]

The output of version verbose will show (Not applicable) next to any key that you haven't purchased.


watch add

Add a router to the watch mode router list (the routers whose traffic is being monitored). Note: The watch mode feature is not available on the PacketShaper 900 Lite models.

watch add <name> <IP address>|<MAC address>

where

<name>    Description of router; up to 32 characters (no spaces are allowed; the only special characters allowed are colon, dash, underline, and period)

<IP address> | <MAC address>

IP address of the router, for example 172.21.18.190

MAC address of the router, for example 08:00:20:c0:56:a6

Note: Enter IP address or MAC address — not both.

Example:

watch add router1 10.10.10.10

A PacketShaper in watch mode can monitor traffic from up to 256 routers. You can identify a router by its IP or MAC address; if you enter an IP address, PacketWise will attempt to resolve its MAC address. Note that when the PacketShaper doesn't have two-way communication with the end host, you will need to define the router by its MAC address. For example, when the PacketShaper is connected to a switch's SPAN port, the unit is receiving copies of the packets that go through the switch, but communication is one way so it cannot send ARP requests to determine the router's MAC address. In this case, you would need to define the router by its MAC address, not IP address.

See also:

Watch Mode Overview

Watch Mode Address Resolution

watch delete

watch interval

watch show


watch delete

Delete a router from the watch mode router list. Note: The watch mode feature is not available on the PacketShaper 900 Lite models.

watch remove <name>

where <name> is the name that was defined when the router was added. To see a list of defined router names, use the watch show command.

Example:

watch remove router1

See also:

watch add


watch interval

Modify the watch mode resolve interval. The interval is the frequency at which the PacketShaper sends out ARP requests to resolve MAC addresses, when the IP address is configured. The default is 1800 seconds (30 minutes). The minimum interval is 300 seconds (5 minutes) and the maximum is 7200 seconds (2 hours). Note: The watch mode feature is not available on the PacketShaper 900 Lite models.

watch interval <seconds>

To see what the current resolve interval is, use the watch show command.


watch show

Display the watch mode configuration. The output lists the current management port, resolve interval, and configured watch mode routers. Note: The watch mode feature is not available on the PacketShaper 900 Lite models.

watch show

Example:

watch show

Watch Mode Status: Enabled
Management Port: Outside port(s)
Resolve Interval: 1800 seconds

Name      IP Address      MAC Address
----------------------------------------------------------------
router8   172.21.18.104   (unresolved)
router7   172.21.18.103   (unresolved)
router6   172.21.18.102   00:10:7b:3c:30:39
router5   172.21.18.101   08:00:20:c0:56:a6
router4   172.21.18.100   00:03:e3:6b:46:c2
router3   172.14.57.180   00:03:e3:6b:46:c2
router2   (none)          01:02:03:04:05:06
router9   172.21.18.106   (unresolved)
router10  172.21.18.109   00:60:fb:60:1f:16

The following information is displayed in this screen:

Field    Description

Watch Mode Status    Indicates whether watch mode is currently enabled or disabled

Management Port    Indicates which port PacketWise has determined will be used to manage the unit. Possible choices are:

    MGMT               The MGMT port (certain models only)
    Inside             The built-in INSIDE port
    Upper_Inside       The INSIDE port on the upper LEM
    Lower_Inside       The INSIDE port on the lower LEM
    Right_Inside       The INSIDE port on the right LEM
    Left_Inside        The INSIDE port on the left LEM
    Outside port(s)    No MGMT or INSIDE port is connected; you can manage the unit through whichever OUTSIDE port is connected to the network

    The management port is not user-definable. PacketWise decides which port to use for management access by checking which ports are connected. If an INSIDE or MGMT port isn’t connected to a network, the OUTSIDE port can be used for management. If more than one INSIDE port is connected, only one will be active and pass traffic; the other connected ports will provide redundant management access. PacketWise decides which port to use for management access according to the following order: MGMT (if available), built-in INSIDE, upper/right LEM INSIDE, lower/left LEM INSIDE.

    Note: If the Dedicated Management Port feature is enabled, you will only be able to access the unit through the MGMT port; you cannot manage via any other port.

Resolve Interval    The frequency that an ARP request is sent out to resolve an IP address to its MAC address; the default is 1800 seconds (30 minutes). See watch interval.

Name, IP Address, MAC Address    The list of configured routers. If a router is defined by its IP address, PacketWise will poll the router to determine its MAC address and fill it into the MAC Address column. If unresolved appears in the MAC Address column, the router's MAC address has not yet been resolved. If none appears in the IP Address column, the router was defined by its MAC address.

Use the watch add command to configure routers and the watch delete command to remove them from the list.
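An added parser for the watch show screen above (example code, not PacketWise's) that also flags the rows an operator should check: routers still showing (unresolved), routers defined by MAC only, and two names that resolve to the same MAC, which watch mode cannot tell apart. The sample text is the page's own example re-typed; function names are assumptions.

```python
from __future__ import annotations

from collections import defaultdict

# Constructed from the watch show example above (re-typed, not captured).
SAMPLE_WATCH_SHOW = """\
Watch Mode Status: Enabled
Management Port: Outside port(s)
Resolve Interval: 1800 seconds

Name      IP Address      MAC Address
----------------------------------------------------------------
router8   172.21.18.104   (unresolved)
router7   172.21.18.103   (unresolved)
router6   172.21.18.102   00:10:7b:3c:30:39
router5   172.21.18.101   08:00:20:c0:56:a6
router4   172.21.18.100   00:03:e3:6b:46:c2
router3   172.14.57.180   00:03:e3:6b:46:c2
router2   (none)          01:02:03:04:05:06
router9   172.21.18.106   (unresolved)
router10  172.21.18.109   00:60:fb:60:1f:16
"""


def parse_watch_show(text: str) -> dict:
    """Return the status fields and the router rows of a watch show screen."""
    result = {"status": None, "management_port": None,
              "resolve_interval": None, "routers": []}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("---"):
            in_table = True                  # router rows follow the rule
            continue
        if in_table:
            name, ip, mac = line.split()     # three columns per row
            result["routers"].append({
                "name": name,
                "ip": None if ip == "(none)" else ip,
                "mac": None if mac == "(unresolved)" else mac.lower(),
            })
            continue
        key, _, value = line.partition(":")  # "Resolve Interval: 1800 seconds"
        key, value = key.strip(), value.strip()
        if key == "Watch Mode Status":
            result["status"] = value
        elif key == "Management Port":
            result["management_port"] = value
        elif key == "Resolve Interval":
            result["resolve_interval"] = int(value.split()[0])   # seconds
    return result


def audit_watch_routers(routers: list) -> dict:
    """Rows worth a second look:

    unresolved    - defined by IP, but no ARP reply has filled in the MAC yet;
                    on a SPAN port it never will, so define these by MAC
    mac_only      - defined by MAC address, so no IP is shown
    duplicate_mac - two names resolved to one MAC; watch mode sees one device,
                    so confirm that both entries are intended
    """
    by_mac = defaultdict(list)
    report = {"unresolved": [], "mac_only": [], "duplicate_mac": {}}
    for r in routers:
        if r["mac"] is None:
            report["unresolved"].append(r["name"])
        else:
            by_mac[r["mac"]].append(r["name"])
        if r["ip"] is None:
            report["mac_only"].append(r["name"])
    report["duplicate_mac"] = {m: n for m, n in by_mac.items() if len(n) > 1}
    return report
```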


wccp cache-ip clear

Clear the IP address of the iShared appliance.

wccp cache-ip clear

See also:

wccp cache-ip set

Command Change History

Release    Modification
8.2.0      wccp command introduced


wccp cache-ip set

Define the IP address of the iShared appliance. Defining the IP address is optional, but it lets PacketShaper know which cache device to use if others are available. When an IP address is configured, the PacketShaper will ignore WCCP messages from other cache devices.

wccp cache-ip set <ip-address>

Only one IP address can be configured.

See also:

wccp cache-ip clear

Command Change History

Release    Modification
8.2.0      wccp command introduced


wccp default

Returns redirection to its default on/off state. The default is off.

wccp default

Command Change History

Release    Modification
8.2.0      wccp command introduced


wccp device add

Specify the PacketShaper interface to be used for WCCP-based traffic redirection. Up to two interfaces on the same LEM can be specified. Most redirections are on the INSIDE port.

wccp device add <device> [<device>]

where <device> is one of the following:

inside (or main_inside)
outside (or main_outside)
lower_inside, left_inside, or backup_inside
lower_outside, left_outside, or backup_outside
upper_inside or right_inside
upper_outside or right_outside

Examples:

wccp device add inside outside

The Main_inside and Main_outside devices have been set

wccp device add inside

The Main_inside device has been set.

Notes:

This command does not enable redirection. (You must use the wccp on command to begin redirection.)
When a device isn’t configured, the INSIDE built-in interface will be used for redirection.

Command Change History

Release    Modification
8.2.0      wccp command introduced


wccp device default

Reset redirection devices to default state (unconfigured).

wccp device default

Command Change History

Release    Modification
8.2.0      wccp command introduced


wccp device remove

Remove configured traffic redirection devices.

wccp device remove <device> [<device>]

where <device> is one of the following:

inside (or main_inside)
outside (or main_outside)
lower_inside, left_inside, or backup_inside
lower_outside, left_outside, or backup_outside
upper_inside or right_inside
upper_outside or right_outside

Notes:

After you remove the last device, redirection will automatically be disabled (as if you had run the wccp off command).

Command Change History

Release    Modification
8.2.0      wccp command introduced


wccp filter add

Define which outbound traffic PacketShaper will redirect to the cache device (such as to an iShared appliance). This command allows you to filter which traffic gets redirected, by specifying source and/or destination IP addresses and/or port numbers. If no IP addresses or ports are specified, PacketShaper will redirect traffic for all hosts and ports.

wccp filter add src ip all|<ip-address> dst ip all|<ip-address> port all|<port>

The <ip-address> can be one of the following:

<ip-address>

Single IP address (for example, of a server)

Note: Domain names cannot be specified.

<ip-address>-<ip-address>

Range of IP addresses, separated by a dash

Example: 192.21.18.160-192.21.18.170

<ip-address>:<netmask>

Subnet and mask

Example: 192.21.18.0:255.255.255.0

<ip-address>/<cidr>

Address of the subnet; the CIDR number specifies the number of constant bits in the address range

Example: 10.0.0.0/8

The <port> can be a single TCP port number (for example, 80) or a range of port numbers (such as 1-80).

Examples:

To redirect port 80 for all hosts:

wccp filter add src ip all dst ip all port 80

or simply:

wccp filter add port 80

To redirect from a subnet:

wccp filter add src ip 10.7.38.0/24

To redirect all ports for destination servers 1.1.1.1 and 2.2.2.2:

wccp filter add dst ip 1.1.1.1 port all

wccp filter add dst ip 2.2.2.2 port all

To redirect port 80 for destination server 1.1.1.1:

wccp filter add dst ip 1.1.1.1 port 80

Note: If the service ID is set to 0 (zero), PacketShaper will redirect port 80 (HTTP) traffic only and the ports portion of the filter will be ignored. (See wccp service-id.)
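The four <ip-address> forms, the port spec and the default-to-all behaviour of wccp filter add, implemented as an added example (not PacketWise code): parse_filter_command turns a command line into a Filter, Filter.show prints it the way wccp filter show does (subnets as ranges), and redirected applies the service-ID 0 rule from the note above to a flow. Function names are assumptions, and so is the 1-65535 port bound, which the page does not state.

```python
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional, Tuple

IPv4 = ipaddress.IPv4Address
Range = Optional[Tuple[int, int]]   # inclusive (first, last); None means "all"


def parse_ip_spec(spec: str) -> Range:
    """One <ip-address> form: host, a-b range, addr:mask or CIDR. Domain
    names are rejected because IPv4Address() raises ValueError on them."""
    if spec == "all":
        return None
    if "-" in spec:                          # 192.21.18.160-192.21.18.170
        lo, hi = (int(IPv4(p)) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"descending range: {spec}")
        return lo, hi
    if ":" in spec:                          # 192.21.18.0:255.255.255.0
        net = ipaddress.IPv4Network(tuple(spec.split(":", 1)), strict=False)
    elif "/" in spec:                        # 10.0.0.0/8
        net = ipaddress.IPv4Network(spec, strict=False)
    else:                                    # a single address
        return (int(IPv4(spec)),) * 2
    return int(net.network_address), int(net.broadcast_address)


def parse_port_spec(spec: str) -> Range:
    """'all', a single TCP port (80) or a range (1-80)."""
    if spec == "all":
        return None
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:           # assumed bound; the page gives none
        raise ValueError(f"bad port spec: {spec}")
    return lo, hi


def _within(rng: Range, value: int) -> bool:
    return rng is None or rng[0] <= value <= rng[1]


def _fmt(rng: Range, as_ip: bool) -> str:
    if rng is None:
        return "all"
    lo, hi = (str(IPv4(v)) if as_ip else str(v) for v in rng)
    return lo if lo == hi else f"{lo}-{hi}"


@dataclass(frozen=True)
class Filter:
    src: Range
    dst: Range
    port: Range

    def show(self) -> str:
        """Same layout as one line of wccp filter show."""
        return (f"Source: {_fmt(self.src, True)}, destination: "
                f"{_fmt(self.dst, True)}, port: {_fmt(self.port, False)}")


def parse_filter_command(cmd: str) -> Filter:
    """Parse 'wccp filter add [src ip X] [dst ip Y] [port Z]'. Omitted parts
    mean all, so 'wccp filter add port 80' equals the fully spelled form."""
    toks = shlex.split(cmd)
    if toks[:3] != ["wccp", "filter", "add"]:
        raise ValueError("expected 'wccp filter add ...'")
    spec, i = {"src": "all", "dst": "all", "port": "all"}, 3
    while i < len(toks):
        key = toks[i]
        if key in ("src", "dst") and toks[i + 1:i + 2] == ["ip"] and len(toks) > i + 2:
            spec[key], i = toks[i + 2], i + 3
        elif key == "port" and len(toks) > i + 1:
            spec[key], i = toks[i + 1], i + 2
        else:
            raise ValueError(f"unexpected token {key!r} in {cmd!r}")
    return Filter(parse_ip_spec(spec["src"]), parse_ip_spec(spec["dst"]),
                  parse_port_spec(spec["port"]))


def redirected(filters: list, src: str, dst: str, port: int,
               service_id: int = 99) -> bool:
    """Would this outbound flow be handed to the cache? No filters means
    everything is redirected; service-id 0 means port 80 only, ports ignored."""
    if service_id == 0 and port != 80:
        return False
    s, d = int(IPv4(src)), int(IPv4(dst))
    return not filters or any(
        _within(f.src, s) and _within(f.dst, d)
        and (service_id == 0 or _within(f.port, port))
        for f in filters)
```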

Command Change History

Release    Modification
8.2.0      wccp command introduced


wccp filter remove

Remove IP addresses and ports that have been configured as redirection filters. After a filter has been removed, this traffic will no longer be redirected to the cache device (unless all filters are removed, in which case all traffic will get redirected).

wccp filter remove src ip all|<ip-address> dst ip all|<ip-address> port all|<port>

The <ip-address> can be one of the following:

<ip-address>

Single IP address

Note: Domain names cannot be specified.

<ip-address>-<ip-address>

Range of IP addresses, separated by a dash

Example: 192.21.18.160-192.21.18.170

<ip-address>:<netmask>

Subnet and mask

Example: 192.21.18.0:255.255.255.0

<ip-address>/<cidr>

The address of the subnet; the CIDR number specifies the number of constant bits in the address range

Example: 10.0.0.0/8

The <port> can be a single TCP port number (for example, 80) or a range of port numbers (such as 1-80).

Examples:

To remove a subnet source filter:

wccp filter remove src ip 10.7.38.0/24

To remove filters for port 80 traffic to destination server 1.1.1.1:

wccp filter remove dst ip 1.1.1.1 port 80

Notes:

You must remove the same filter that was added; you cannot remove a subset. For example, if you added a filter for a range of addresses (1.1.1.1-1.1.1.5), you cannot remove a single address in this range (1.1.1.4).

Command Change History

Release    Modification
8.2.0      wccp command introduced


wccp filter show

Display a list of all redirection filters.

wccp filter show

Example:

wccp filter show

Redirection filters:
  Source: all, destination: 1.1.1.1, port: 80
  Source: 10.7.38.0-10.7.38.255, destination: all, port: all

Total filters: 2

Command Change History

Release    Modification
8.2.0      wccp command introduced


wccp off

Disable WCCP-based traffic redirection. PacketShaper will no longer redirect traffic to the iShared appliance.

wccp off [<device>] [<device>]

You can simultaneously disable redirection and remove the interfaces for redirection by specifying one or two devices, where <device> is one of the following:

inside (or main_inside)
outside (or main_outside)
lower_inside, left_inside, or backup_inside
lower_outside, left_outside, or backup_outside
upper_inside or right_inside
upper_outside or right_outside

Notes:

If only one device is specified (but two are configured), the specified device will be removed but redirection will still be enabled on the remaining configured device.
Redirection stops immediately after the wccp off command is issued. However, the session remains active for about a minute.
If no devices are specified, redirection is disabled but devices remain configured.
If all configured devices are specified, the devices are removed and redirection is disabled.

Command Change History

Release    Modification
8.2.0      wccp command introduced


wccp on

Enable WCCP-based traffic redirection to the iShared appliance. By default, redirection is off for PacketShapers and PolicyCenter.

wccp on [<device>] [<device>]

You can simultaneously enable redirection and define the interfaces for redirection by specifying one or two devices, where <device> is one of the following:

inside (or main_inside)
outside (or main_outside)
lower_inside, left_inside, or backup_inside
lower_outside, left_outside, or backup_outside
upper_inside or right_inside
upper_outside or right_outside

If two interfaces are specified, they must be on the same device.

Command Change History

Release    Modification
8.2.0      wccp command introduced


wccp password

Set or clear an MD5 password for authentication.

wccp password set <password> | clear

The password can be up to 19 characters in length. To enter a password containing spaces, enclose the string in quotes. To avoid confusion, do not use leading or trailing spaces in the password or specify an empty string ("").

Because MD5 authentication is not currently supported in iShared, setting the password in PacketShaper will prevent it from being paired.

To view the password, use the wccp show -pw command.

Example:

wccp password set "test password"

Command Change History

Release    Modification
8.2.0      wccp command introduced


wccp reset

Remove all WCCP configuration settings — devices, filters, password, and so forth — returning all settings to their defaults.

wccp reset

You will be asked to confirm the reset before the settings are cleared.

Command Change History

Release    Modification
8.2.0      wccp command introduced


wccp service-id

Set the WCCP v2 service group ID number.

wccp service-id <id>

where <id> is 0 or a number 51-255. The default service ID is 99, which is the default ID used by iShared. The service ID configured on the PacketShaper must match the ID configured on iShared. If service group ID 0 is specified, the PacketShaper will redirect port 80 (HTTP) traffic only, and the port portion of any defined filters will be ignored.

Note: If iShared disconnects from a service group, all client connections will be disconnected.

Command Change History

Release    Modification
8.2.0      wccp command introduced


wccp show

Show the current configuration for redirection.

wccp show [all|config|filter|status] [-pw]

where

config    Display configuration settings only
filter    Displays a list of configured filters

status    Shows the run-time status of redirection: whether redirection is occurring (an active status), the IP address of the cache device PacketShaper is connected to, the number of redirected packets, and the number of packets that were returned because the traffic couldn’t be optimized.

all Displays configuration settings and filters

-pw    Displays the PacketShaper’s redirection password (in touch mode only) in addition to the other redirection configuration settings

Examples:

wccp show

Configuration:
  WCCP admin status: enabled
  Redirection device: Main_inside
  Service-id: <not configured> (using 99)
  Cache-ip filter: 172.21.18.160
  Password: <not configured>
  Redirection filters: <configured>

wccp show filter

Redirection filters:
  Source: all, destination: 1.1.1.1, port: 80
  Source: all, destination: all, port: 333
  Source: 10.7.38.0-10.7.38.255, destination: all, port: all

Total filters: 3

Notes:

The parameters can be strung together in one command. For instance, if you want to view the filters and the status, you can issue the command wccp show filter status.

Command Change History

Release    Modification
8.2.0      wccp command introduced


zip

Compress one or more files on the PacketShaper into a standard ZIP file. You can use the zip command to compress files before downloading them to a PC. For example, you can compress a set of customer portal files, measurement data dumps that have been exported to text files, or diagnostic logs in the 9.258/measure directory.

Files are copied into the ZIP file, not moved.

zip [-r|-q|-v|-h] <zipfile> <filelist>

where

-r recurse into directories — zips all of a directory’s contents, including any nested directories

-q    quiet operation — gives no feedback during the zipping process (the command output doesn’t list the files as they are being added)

-v    verbose operation — lists additional details about the zipping process, such as original file sizes, compressed file sizes, and totals

-h help — displays the zip command usage

<zipfile>    name of the zip file (up to 8 characters); typing the ZIP extension is optional — it will be appended automatically. If <zipfile> already exists, the files will be added to the existing file.

<filelist>   names of files to be zipped, each name separated by a space

Examples:

zip config.zip config.ldi settings.cfg basic.cfg

  adding: config.ldi(0) (deflated 94%)
  adding: settings.cfg(0) (stored 0%)
  adding: basic.cfg(0) (stored 0%)

zip -q config.zip config.ldi settings.cfg basic.cfg <-- there is no screen output because of the -q modifier

zip -v config.zip config.ldi settings.cfg basic.cfg <-- the v(erbose) option lists additional details

  adding: config.ldi(0) (in=64032) (out=4146) (deflated 94%)
  adding: settings.cfg(0) (in=3364) (out=3364) (stored 0%)
  adding: basic.cfg(0) (in=600) (out=600) (stored 0%)
total bytes=67996, compressed=8110 -> 88% savings
