```
[Layer 4 Advanced Menu]
synatk - SYN Attack Detection Menu
smtport - Service Mapping Table Real Port Menu
fqdnreal - FQDN Server Menu
pps - PPS per Service and Real Collection Menu
imask - Set virtual and real IP address mask
nmask - Set session mask
mnet - Set management network
mmask - Set management subnet mask
pmask - Set persistent mask
pprefix - Set ipv6 persistent prefix length
intrval - Set SLB session attack inspection interval
allowlim - Set SLB session attack alert allowable limit
mstat - Set measuring period for HTTP related statistics
ftpdage - Set FTP Data session age
fparselen - Set buffer length for filter content based classification
proxyage - Set inactive session aging for proxy processing
satisrt - Set the application satisfied response time threshold
servdown - Set traffic behavior in case service is down or disabled
sesscap - Set the capacity of sessions entries
pipthr - Set throughput for PIP table utilization
dtcap - Set the size of data table percent of available memory for AX
submac - Enable/disable Source MAC address substitution
direct - Enable/disable Direct Access Mode
spl4hash - Enable/disable L4 hash level for SP selection by hypervisor
grace - Enable/disable graceful real server failure
slntcls - Enable/disable silent TCP connection closure
tso - Enable/disable TCP segmentation Offload (TSO)
clrbkp - Enable/Disable clear backup
matrix - Enable/disable Virtual Matrix Architecture
vmasport - Enable/disable VMA with source port
vmadip - Enable/disable VMA with destination IP
drctrss - Direct Port to NUMA RSS Menu
hwhash - Set hash level for HW-based core selection
tpcp - Enable/disable Transparent Proxy Cache Protocol
vstat - Enable/disable Virtual Service Statistics
dynaddr - Enable/disable client NAT using dynamic address
rtsvlan - Enable/disable using VLAN info for real server lookup
pvlantag - Enable/disable preserving vlan tag during packet forwarding
vlanbind - Enable/disable Ingress VLAN For Session Table Binding
portbind - Enable/disable Ingress Port For Session Table Binding
rstchk - Enable/disable TCP RST Secure Sequence Number Check
srvckdata - Enable/disable server return data check
clsrst - Enable/disable Session clear on RST
subdmac - Enable/disable DMAC substitution
valcksum - Enable/disable Application Engine Checksum Offloading
riphash - Enable/disable Include RIP in AUX table hashing
sessvpt - Enable/disable session VPT update
sessrts - Enable/disable session rtsrcmac update
sessdrop - Enable/disable drop client traffic that matches fastage session
fastage - Session table fast-age (1 sec) period bit shift
slowage - Session table slow-age (2 min) period bit shift
millisec - Enable/disable millisecond resolution for timers
rtsiplkp - Enable/Disable RTS-IP lookup
vmacbkp - Enable/Disable VMAC use on backup switch
fmrport - Enable/Disable fine tuning of multi RPORT LB
nonhttp - Set Non-HTTP traffic behavior for filters
iptos - Enable/disable IP ToS preservation in Proxy mode for filters
enhance - Enable/Disable URL string rebind over cookie
cookieim - Enable implicit cookie insert mode
preserve - Enable/disable Preserve Port Mode
pport - Set sequential or random pport selection
memmng - Memory Management Menu
cur - Display current Layer 4 advanced configuration
```

Command Syntax and Usage | |
---|---|
synatk | |
Displays the SYN Attack Detection menu. To view this menu, see /cfg/slb/adv/synatk SYN Attack Detection Configuration Menu. | |
smtport | |
Displays the Service Mapping Table (SMT) Real Port menu. To view this menu, see /cfg/slb/adv/smtport Advanced SMT Real Server Port Configuration Menu. Using this menu you can add or remove real server service ports that process client traffic bypassing the server, meaning that this service port’s client request is not processed by the server processor. Note: Alteon skips the SMT table lookup when DAM is enabled. This ensures that server processing is performed on traffic returning from the server. | |
fqdnreal | |
Displays the FQDN Server menu. To view this menu, see /cfg/slb/adv/fqdnreal FQDN Server Configuration Menu. | |
pps | |
imask <IP subnet mask (such as 255.255.255.0)> | |
Configures the real and virtual server IP address mask using dotted decimal notation. Default: 255.255.255.255 | |
nmask <IP subnet mask (such as 255.255.255.0)> | |
A global mask for redirection of filter network binding. This mask has lower priority than the filter source mask (smask) or the destination mask (dmask). In network binding filter redirection, if the filter source mask (smask) or the destination mask (dmask) are not specified, the real server is selected based on the network mask. Default: 0.0.0.0 | |
mnet <IP address> | |
Defines the source IP addresses allowed direct (non-Layer 4) access to the real servers for administration and monitoring purposes. Typically, network administrators use the management network to monitor real servers and services. By configuring real server direct management access parameters, administrators can access the real services being load balanced. When this option is not defined, anyone can directly access the servers. | |
mmask <IP subnet mask (such as 255.255.255.0)> | |
The IP address mask used with the mnet to select management traffic that is allowed direct access to real servers. Default: 255.255.255.255 | |
pmask <IP subnet mask (such as 255.255.255.0)> | |
Specifies the client IP persistence session mask for the virtual service. Server persistence ensures that all connections of a specific client session reach the same real server. Default: 255.255.255.255 | |
pprefix <1-128> | |
Specifies the persistence prefix length for IPv6 clients. The persistence feature ensures that all connections from a specific IPv6 client or client network (prefix) to a certain virtual service are load balanced to the same real server. Values: 0 – 128 Default: 128 | |
intrval <time window for collecting sessions (0-3600)> | |
Sets the interval in seconds for checking the number of SLB sessions Alteon has received. At the configured interval, Alteon checks if the number of sessions is within the configured limits defined in the allowlim parameter. Values: 0 – 3600 Default: 0 | |
allowlim <allowable limit (1-1048563)> | |
Sets the maximum number of sessions Alteon can receive at any given period. If the number of sessions exceeds this limit, Alteon generates a syslog message and an SNMP trap to alert the administrator that Alteon is under SLB attack. Values: 1 – 12,582,834 new sessions Default: 12,582,834 new sessions | |
mstat <Statistics measuring period in seconds (1-3600)> | |
Sets the measuring period for acceleration, HTTP, and SSL offloading statistics. The current statistics always show the results of the previous measuring period. Because numbers are updated at the end of every measuring period, a longer period gives better average results but lowers the ability to see real-time monitoring values. Any change in the measuring period value also resets the statistics. Note: Only enabled objects are shown in the statistics. Values: 1 – 3600 seconds Default: 15 seconds | |
ftpdage (0-5) | |
Sets the timeout value, in seconds, of the FTP data session. Prevents an FTP data session entry in Active FTP operation mode from timing out before the FTP data SYN packet arrives from the server. In such cases, Alteon forwards the SYN packet to the client using the real server IP. Values: 0-5 Default: 07 | |
fparselen <buffer length in bytes (0-18200)> | |
Specifies how much content (in bytes) Alteon collects when classifying traffic by content class or AppShape++ script. Relevant only for HTTP content. Default: 0 | |
proxyage <Session age in seconds (1-86400)> | |
Sets the Application Engine timeout in seconds. This allows sessions to continue in a delayed binding forceproxy environment. Default: 1800 | |
satisrt <satisfied response time threshold in milliseconds [1-999999]> | |
Sets the global satisfied response time threshold. You can configure the application satisfied response time threshold globally at /cfg/slb/adv/satisrt (default is 500 ms) or locally per service at /cfg/slb/virt/service/satisrt (default is to inherit the global setting). Based on this threshold, Alteon calculates the frustrated threshold as 4 times the satisfied latency threshold. When a transaction response is below the frustrated threshold, its event log will be marked as an exception. | |
sesscap <400|200|100|75|50|25|12> | |
Specifies the percentage of the regular session table size to be allocated for the session table. When set to below 100 percent, Alteon reduces the size of the session table, freeing memory for more concurrent proxy connections. When set to above 100 percent, Alteon increases the size of the session table if enough RAM memory is installed in the device. Full (base) table size (100%) is 2M entries per SP (500K per vADC CU), (except for an Alteon VA with 2 GB RAM where the base is 128K entries). Default: 50 (25 on Alteon platform 4208) Note: This change does not take effect unless the configuration is saved and the Alteon device rebooted. | |
pipthr (0-99) | |
Sets the threshold (percentage) for the PIP table utilization. Alteon sends an alert when the PIP table utilization has passed the specified threshold. Default: 0 (means that there is no alert threshold) | |
dtcap (0-25) | |
Specifies the percentage of free memory allocated to the Dynamic Data Store. Default: 10 | |
submac disable|enable | |
Globally enables or disables substituting the client source MAC address with the Alteon MAC address. By default, in packets destined for servers in a server load balancing environment, the source MAC address is not modified and the client request is forwarded to the server with the MAC address of the client. You can substitute the client source MAC address for the packets going to the server with the Alteon MAC address using source MAC address substitution. Note: Source MAC address substitution can also be enabled per real service using the command /cfg/slb/real/adv/submac. Global MAC address substitution supersedes real service MAC address substitution. Default: disable | |
direct disable|enable | |
Enables or disables Direct Access Mode. Direct Access Mode (DAM) allows any client to communicate with any real server’s load balanced service, and any number of virtual services can be configured to load balance a real service. DAM enables both client and server processing on the same port to handle traffic that requires direct access to real servers. DAM is necessary for applications such as: Default: enable | |
spl4hash disabled|enabled | |
This command only appears in Alteon vADC. Specifies the parameter used by the hypervisor to perform hashing that selects the SP to which the traffic is sent. Default: disabled | |
grace disable|enable | |
Specifies whether Alteon enables graceful server failure which allows existing sessions to remain bound to a server after the server has been placed in the service failed state. If all load balanced services supported on a server fail to respond to connection requests within the specified number of attempts, then the server is placed in the server failed state. While in this state, no new connection requests are sent to the server. However, if graceful real server failure is enabled, state information about existing sessions is maintained and traffic associated with existing sessions continues to be sent to the server. All load balanced services on a server must fail before Alteon places the server in the server failed state. The server is brought back into service as soon as the first service is proven to be healthy. Additional services are brought online as they are subsequently proven to be healthy. Values: ![]() — If sessdrop is disabled, the session is revived. — If sessdrop is enabled, the session is dropped. For TCP traffic, a session reset is sent. ![]() — If sessdrop is either enabled or disabled and server health checking is down, either because the server is down or there is server failure, the session is revived. — If sessdrop is disabled, and if the real server is disabled either through configuration or operationally, the following prompt displays: Graceful real server failure is enabled, fastage existing sessions? [y/[n]] ![]() ![]() — If sessdrop is enabled, and if the real server is disabled either through configuration or operationally, the following prompt displays: Graceful real server failure is enabled, fastage existing sessions? [y/[n]] ![]() ![]() Default: disable | |
tso disabled|enabled | |
TCP segmentation offload (TSO) reduces the CPU overhead of TCP/IP on fast networks by relying on the network interface controller (NIC) to segment the data and then add the TCP, IP, and data link layer protocol headers to each segment. This frees CPU resources for higher data level processing and improves full proxy throughput. Notes: Default: Disabled on VA platforms, Enabled in standalone mode | |
slntcls disable|enable | |
This option closes the proxy TCP connection (force proxy mode) to the client or server, depending on the context, without sending any notification. This is useful in cellular networks where FIN and RST packets that close TCP connections can incur significant energy consumption overhead for handsets. Default: disable | |
clrbkp disable|enable | |
Specifies whether to clear or preserve the session entries of the backup server when the primary server resumes the service by returning online and assuming the primary role. Values: Default: disable | |
matrix disable|enable | |
Enables or disables the use of Virtual Matrix Architecture (VMA). Virtual Matrix Architecture (VMA) is a hybrid architecture that takes full advantage of the distributed processing capability in Alteon. With VMA, Alteon makes optimal use of system resources by distributing the workload to multiple processors, which improves performance and increases session capacity. VMA also removes the topology constraints introduced by using Direct Access Mode (DAM). Default: enable | |
vmasport enable|disable | |
Specifies whether to enable the Virtual Matrix Architecture source port for workload distribution. Default: disable | |
vmadip enable|disable | |
Specifies whether to include the processor destination IP address in VMA. Default: disable | |
drctrss | |
Default: disable | |
hwhash <l3|l4> | |
This command only appears in Alteon VA and standalone. Specifies the parameter used by the switch to perform hashing that selects the CPU core/SP to which the traffic is sent. Note: On Alteon 5208 platforms, hwhash L4 is supported only on 10G ports, not on 1G ports. Default: l3 | |
tpcp disable|enable | |
Enables or disables the TPCP (Transparent Proxy Cache Protocol). TPCP is used for WAP load balancing when server selection is performed by the RADIUS server. The RADIUS server uses TPCP to configure static session entries on Alteon, ensuring it forwards each WAP session to the selected server. A static session entry added via TPCP to Alteon does not age out. The entry is only deleted by another TPCP Delete Session request. Default: disable | |
vstat disable|enable | |
Specifies whether to enable reporting of virtual service statistics. Default: enable | |
dynaddr | |
Specifies whether to perform source NAT using dynamic NAT Address (an address learned from the traffic). The address used for the next hop (NAT) must appear in the session table, as for a regular proxy IP address, and must be mirrored per regular session table mirroring. Alteon does not respond to ARP requests to these dynamic NAT addresses and does not provide high availability failover for these addresses. Default: disable The extraction of the IP address and NAT is performed using the global snat AppShape++ command. For more information, see the Alteon AppShape™++ Reference Guide. | |
rtsvlan disable|enable | |
Specifies whether to use MAC address and VLAN information, or MAC address only, when looking up responses from the real server in the session table. The Return to Sender (RTS) option enables Alteon to look up responses from the real server in the session table. When you enable RTS, Alteon associates the session with the MAC address of the WAN router. This ensures that the returning traffic takes the same ISP path as the incoming traffic. RTS is enabled on the incoming WAN ports (port 2 and 7) to maintain persistence for the returning traffic. Data leaves Alteon from the same WAN link that it used to enter, thus maintaining persistence. You can also use a VLAN for RTS information on the real server, and include the IP address in the session table look-up. Default: disable | |
pvlantag | |
Enables or disables preserving VLAN tags during packet forwarding. Default: enable | |
portbind disable|enable | |
Specifies whether or not to include the Alteon ingress port number in the session table lookup. Default: enable Note: Disable this option when using asymmetric Layer 2 configurations with session mirroring. | |
vlanbind disable|enable | |
Specifies whether or not to include the VLAN number in the session table lookup (for cases where UDP source ports are identical to destination ports, such as for NTP or SIP). Default: disable | |
rstchk disable|enable | |
Enables or disables the TCP RST secure sequence number check. | |
srvckdata disable|enable | |
Enables or disables the server return data check. Default: disable | |
clsrst disable|enable | |
Specifies how to close the server-side connection when the client terminates the session. Note: This option is only relevant when full proxy mode (forceproxy) is disabled. Values: Default: enable | |
subdmac disable|enable | |
Globally enables or disables substituting the original destination MAC address with the server MAC address. Values: Enable, Disable Default: enable | |
valcksum disable|enable | |
Default: disable | |
riphash disable|enable | |
Enables or disables including RIP in AUX table hashing. | |
sessvpt | |
Enables or disables updating session VPTs. | |
sessrts | |
Enables or disables session rtsrcmac updates. Values: Default: disable | |
sessdrop disable|enable | |
Specifies whether Alteon drops client traffic that matches the existing session in fastage. Values: ![]() — If grace is disabled, the session is revived. — If grace is enabled and server health checking is down, either because the server is down or there is a server failure, the session is revived. — If grace is enabled, and the real server is disabled, either through configuration or operationally, the following prompt displays: Graceful real server failure is enabled, fastage existing sessions? [y/[n]] ![]() ![]() ![]() — If grace is disabled, the session is dropped. For TCP traffic, a session reset is sent. — If grace is enabled and server health checking is down, either because the server is down or there is a server failure, the session is revived. — If grace is enabled, and the real server is disabled either through configuration or operationally, the following prompt displays: Graceful real server failure is enabled, fastage existing sessions? [y/[n]] ![]() ![]() Default: disable | |
fastage <shift the fast-age (xsec) period 0-7 bits> | |
The interval, in seconds, at which Alteon completes a full scan of the session table and removes all entries marked for fastage: TCP and UDP sessions that have been closed with a TCP FIN flag, and sessions that have been identified by the slowage scan as idle for the maximum allowed period. If a large fastage value is defined, a session can remain in the session table for several minutes. Each incremental increase of the scan frequency doubles the length of the interval between scans. Note: This command is relevant for non-proxied connections only. When the dbind option for a service is set to forceproxy, connections are aged immediately. Default: 0 (2 seconds) | |
slowage <shift the slow-age (x min) period 0-14 bits> | |
The interval, in minutes, after which Alteon marks idle or non-TCP sessions for fastage. The slowage scan removes idle or non-TCP sessions from the session table at the specified intervals. If a large slowage value is defined, a session can remain in the session table for months. Each incremental increase of the scan frequency doubles the length of the interval between scans. Default: 0 (2 minutes) | |
millisec | |
Enables or disables millisecond resolution for timers. | |
rtsiplkp enabled|disabled | |
Establishes a Return to Sender (RTS) session when the server is the source and more than one IP address is assigned to the single NIC on the server. When more than one IP address is bound to the server NIC, and RTS is enabled on the server port, Alteon establishes an RTS session with one of the IP addresses as the real server. If this option is disabled and you remove this IP address from the server NIC, a new RTS session can be established with the remaining IP addresses only after rebooting Alteon. When this option is enabled, no reboot is required. Values: Default: disabled | |
vmacbkp | |
Enables or disables VMAC substitution on the backup Alteon. Default: disable | |
fmrport enable|disable | |
Enables or disables the fine tuning of session load balancing according to the number of rports on a real server. Values: Default: disable | |
enhance <enable|disable> | |
Enables or disables the optimization of a rebind cookie over a URL string. Values: Default: disable | |
cookieim <d|e> | |
Enables or disables implicit cookie insert mode. Implicit Cookie Insert Mode is designed for Active-Active environments where all Alteon devices actively process traffic without any HA configuration between them, to achieve selection of the same server (persistency) on all Alteon devices. When enabled, Alteon does not add a persistent entry to the session table; rather, it performs a mathematical hash on the real server’s parameters. As long as the SLB configuration is the same on all cluster members, it guarantees selection of the same real server on all cluster members. Values: Default: disable | |
preserve <enabled|disabled> | |
When using Alteon as a relay agent, maintains a session when Alteon forwards a request to a server on one port, and the server responds as being on a different port. For example, when Alteon listens on port 67, and the server responds as being on port 68. Default: disabled | |
mactome <enabled|disabled> | |
Globally enables or disables filtering by destination MAC address. The mactome matching condition is met when the destination MAC address belongs to Alteon. For a mactome match to be checked, mactome must be enabled both globally, and on the filter under /cfg/slb/filt/adv. When the destination MAC address matches a MAC address owned by Alteon, but mactome is disabled on the filter, the mactome match is not checked. Default: disabled | |
pport <sequential|random> | |
Sets the client NAT port assignment algorithm on a vADC. Values: Default: sequential Notes: | |
memmng | |
Displays the Memory Management menu. To view this menu, see /cfg/slb/adv/memmng Memory Management Menu. | |
cur | |
Displays the current Layer 4 advanced configuration. |
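
The mnet and mmask entries above decide which sources may reach real servers directly, and an undefined mnet admits everyone. The following is an added example, not vendor code, that models that check for reviewing planned values. It assumes a source matches when its address ANDed with mmask equals mnet ANDed with mmask; the function names, the use of `None` for an undefined mnet, and the 256-address breadth limit are hypothetical.

```python
import ipaddress

DEFAULT_MMASK = "255.255.255.255"  # mmask default stated in the reference above


def mask_to_prefix(mask):
    """Convert a dotted-decimal mask to a prefix length.

    Non-contiguous masks (for example 255.0.255.0) are rejected so that a
    typo does not silently admit scattered address ranges.
    """
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous mask: {mask}")
    return 32 - inverted.bit_length()


def management_network(mnet, mmask=DEFAULT_MMASK):
    """Return the IPv4 network admitted by mnet/mmask, or None if mnet is unset."""
    if mnet is None:
        return None
    return ipaddress.ip_network(f"{mnet}/{mask_to_prefix(mmask)}", strict=False)


def direct_access_allowed(src, mnet, mmask=DEFAULT_MMASK):
    """Model of the check (assumed semantics): may src reach real servers directly?"""
    net = management_network(mnet, mmask)
    if net is None:
        # Per the reference: when mnet is not defined, anyone has direct access.
        return True
    return ipaddress.ip_address(src) in net


def audit(mnet, mmask=DEFAULT_MMASK, max_addresses=256):
    """Return review findings for a planned mnet/mmask pair.

    max_addresses is an arbitrary review threshold, not a device limit.
    """
    findings = []
    net = management_network(mnet, mmask)
    if net is None:
        findings.append("mnet undefined: any source can access real servers directly")
        return findings
    if ipaddress.IPv4Address(mnet) != net.network_address:
        findings.append(f"mnet {mnet} has host bits set; effective network is {net}")
    if net.num_addresses > max_addresses:
        findings.append(f"{net} admits {net.num_addresses} source addresses")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    samples = [
        (None, DEFAULT_MMASK),
        ("10.20.30.40", "255.255.255.0"),
        ("10.0.0.0", "255.0.0.0"),
    ]
    for mnet, mmask in samples:
        print(mnet, mmask, audit(mnet, mmask))
```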