/cfg/slb/filt <filter number>/adv
Filter Advanced Menu
 
[Filter 1 Advanced Menu]
8021p - 802.1p Advanced Menu
tcp - TCP Advanced Menu
ip - IP Advanced Menu
layer7 - Layer 7 Advanced Menu
proxyadv - Proxy Advanced Menu
redir - Redirection Advanced Menu
security - Security Menu
report - Report Menu
icmp - Set ICMP message type
cont - Set BW contract
revcont - Set BW contract for the reverse session
tmout - Set NAT or L7 lookup session timeout
idsgrp - Set IDS server group for intrusion detection SLB
idshash - Set hash parameter for intrusion detection SLB
thash - Set hash parameter for Filter
mcvlan - Set MCAST NAT egress VLAN Id
goto - Set GOTO filter ID
udpage - Set fast aging for UDP sessions
rtsrcmac - Enable/disable return to source mac addr
reverse - Enable/disable creating session for reverse side traffic
cache - Enable/disable caching sessions that match filter
l3filter - Set the layer 3 filter
sesslog - Enable/disable session logging
rtsport - Enable/disable retention of SIP source port for NAT filter
log - Enable/disable logging
mirror - Enable/disable session mirroring
nbind - Enable/disable subnet binding for redirection
matchdev - Enable/disable matching traffic to device IP interfaces
cos - Set the class of service persistency string
mactome - Enable/disable matching traffic to device mac addresses
rtsrctun - Enable/disable return to source tunnel
cur - Display current advanced filter configuration
 
Advanced Filter Menu (/cfg/slb/filt/adv) 
Command Syntax and Usage
8021p
 
Displays the 802.1p Advanced menu. IEEE 802.1p is the specification for prioritizing the network traffic at the Layer 2 level in your Alteon. To view this menu, see /cfg/slb/filt <filter number>/adv/8021p 802.1p Advanced Menu.
Using this menu, you can preserve 802.1p bits in all the frames that pass through Alteon.
tcp
 
Displays the TCP Advanced menu. To view this menu, see /cfg/slb/filt <filter number>/adv/tcp TCP Advanced Menu.
ip
 
Displays the IP Advanced menu. To view this menu, see /cfg/slb/filt <filter number>/adv/ip IP Advanced Menu.
layer7
 
Displays the Layer 7 Advanced menu. To view this menu, see /cfg/slb/filt <filter number>/adv/layer7 Layer 7 Advanced Filter Configuration Menu.
proxyadv
 
Displays the Proxy Advanced menu. To view this menu, see /cfg/slb/filt/adv/proxyadv Proxy Advanced Menu.
Note: When delayed binding is enabled at /cfg/slb/filt/adv/redir/dbind and client proxy is disabled at /cfg/slb/filt/adv/proxyadv/proxy, the redirection filter changes the destination IP address to the real server IP address.
redir
 
Displays the Redirection Advanced menu. To view this menu, see /cfg/slb/filt <filter number>/adv/redir Redirection Advanced Menu.
When the destination port is set to RTSP (554) at /cfg/slb/filt/dport, the filter automatically works in delayed binding (dbind) mode even if the dbind option is disabled for filter redirection.
security
 
Displays the Security Menu. To view this menu, see /cfg/slb/filt <filter number>/adv/security SLB Filter Advanced Security Menu.
report
 
Displays the Reporting Menu. To view this menu, see /cfg/slb/filt <filter number>/adv/report Reporting Menu.
icmp message type |any| <number> | <type; “icmp list” for list>
 
Specifies the ICMP message type to be filtered. For a list of ICMP message types, see ICMP Message Types. For a detailed description of filtering and ICMP, see the Alteon Command Line Interface Application Guide.
Default: any
cont <BWM Contract (1-1024)>
 
Specifies a bandwidth management contract for traffic to the virtual server. By default, all services under this virtual server are assigned this contract. You can also define the contract at the virtual service level with the /cfg/slb/virt <number>/service <number>/cont command.
All frames that match this virtual server's services are assigned this contract if the contract previously assigned to the frame has lower or equal precedence to the virtual server contract.
Default: 1024
revcont <BW Contract (1-1024)>
 
Specifies a bandwidth management contract for the reverse traffic session. This lets you assign a different bandwidth management contract from the one configured on the ingress filter.
Default: 1024
tmout <even number of minutes (4-32768)>
 
Specifies the length of time, in minutes, that an inactive session remains in the session table.
Every client-to-server session being load balanced is recorded in the session table. When the client ends the session, the session table entry is removed.
In certain circumstances, such as when a client application is abnormally terminated by the client’s system, TCP and UDP connections remain registered in the session table. In order to prevent table overflow, these orphaned entries must be aged out of the session table.
Default: 4
Note: Alteon applies the timeout (tmout) setting configured in a filter only to the NAT and Layer 7 lookup actions. For any other actions, the timeout configured for the real server takes precedence over the filter timeout. (For more information about configuring tmout for a real server, see /cfg/slb/real/adv Real Server Advanced Menu.)
proxyip <IP address>
 
Defines the client proxy IP address.
idsgrp <real server group ID (1-1024)|none>
 
Specifies the real server group for Intrusion Detection System (IDS) load balancing. When filtering is used for IDS load balancing, each filter added to an IDS load balancing-enabled port can be assigned a unique IDS real server group.
Values:
*none — Alteon selects a group for IDS forwarding by comparing the source port (/cfg/slb/filt/sport) or destination port (/cfg/slb/filt/dport) of a filter with the port for the IDS group (/cfg/slb/group/idsrprt). The first match becomes the IDS server group.
*1 – 1024
Default: none
idshash sip|dip|sip+dip|sip+sport|dip+dport|all
 
Specifies the hash metric parameter for Intrusion Detection System (IDS) server load balancing.
Values:
*all
*dip — Destination IP
*dip+dport — Destination IP and port
*sip+dip — Source IP and destination IP
*sip — Source IP
*sip+sport — Source IP and port
Default: dip
thash auto|sip|dip|both|sip+sport|dip32
 
Specifies the hash parameter to use for server selection when the server group metric is hash.
Values:
*sip — Performs tunable hash on source IP address for this filter.
*dip — Performs tunable hash on 24 most-significant bits (MSBs) of the destination IP address for this filter.
*both — Performs tunable hash on both the source IP address and the destination IP address at the same time.
*sip+sport — Performs tunable hash on both the source IP address and source port at the same time.
*dip32 — Performs tunable hash on a 32-bit destination IP address for the filter. Unless stated otherwise, a hash on an IP address uses 32 bits of the IP address.
Default: auto
mcvlan <VLAN ID (0-4090)>
 
Specifies the VLAN to which the multicast packet must be sent, when performing multicast NAT.
Default: 0
goto <filter ID>
 
Specifies a target filter ID that the filter search should jump to when a match occurs. Filter searching continues from the designated filter ID.
To use this feature, the action on this filter must be set to goto.
This filter does not support Layer 7 classification.
Values: 1 – 2048
Note: The ID specified in this field must be higher than the filter ID (the ID of the object itself).
udpage
 
Specifies the current UDP fast age mode for the filter.
Values:
*onlydns — Alteon runs a UDP fastage scan on DNS applications only.
*disable — Alteon does not run a UDP fastage scan.
*enable — Alteon runs a UDP fastage scan on all applications.
Default: onlydns
icap
 
Specifies the ICAP policy for the filter.
rtsrcmac disable|enable
 
Enables or disables the return of traffic to the source MAC address.
Values:
*enable — Alteon returns the response traffic to the MAC address saved in the session entry and bypasses all routing configuration in the device. This MAC is saved when this session entry is created with the first client request and the update is controlled by sessrts.
*disable — Alteon returns the traffic using the routing table.
Default: disable
Note: When rtsrcmac is enabled, the source port on the traffic is changed. If you wish to preserve the source port, enable reverse.
reverse disable|enable
 
Specifies whether to create a session table entry for the server return traffic. Such an entry is required to properly process return traffic from the server when it is necessary to preserve the original source port in the request forwarded to the server.
Default: disable
cache disable|enable
 
Specifies whether to enable caching sessions that match the filter.
Default: enable
Note: Use caution when applying cache-enabled and cache-disabled filters to the same port. A cache-enabled filter creates a session entry so that Alteon can bypass checking for subsequent frames that match the same criteria.
The cache should be disabled if applying a filter to a virtual server IP address when performing UDP load balancing.
l3filter disable|enable
 
Specifies whether to enable L3 filters. Enabling this feature forces the non-cached redirection filter to handle the fragment packets as in SLB, by storing the fragment packets and creating a session entry.
Default: disable
sesslog disable|enable
 
Specifies whether to enable or disable session logging.
Session logs are sent to the syslog servers via the data port when the sessions are deleted or aged out. The Alteon switch processor sends the buffered session logging data to the syslog server at regular intervals (every 30 seconds) if the buffer is not completely filled. No session syslog is sent if no sessions have aged out during that 30-second interval.
Note: Syslog servers configured on Alteon must be accessible via the data ports.
Default: disable
rtsport disable|enable
 
Specifies the SIP source port retention mode.
When processing outbound SIP over UDP traffic, there is often a need to preserve the source port.
To support outbound SIP traffic while preserving the source port, the following is required:
*On the filter that matches the outbound traffic, enable the rtsport parameter, and disable the reverse parameter.
*Configure a NAT filter to deal with the returning traffic.
Values:
*enable — Alteon retains the SIP source port.
*disable — Alteon does not retain the SIP source port.
*preserve — Alteon does not perform proxy port translation on the client SIP source port. This mode is allowed only for redirect filters.
Default: disable
log disable|enable
 
Specifies whether to enable or disable generating syslog messages when a filter is matched.
Default: disable
mirror disable|enable
 
Specifies whether to enable or disable session mirroring on the selected filter.
Session mirroring synchronizes the state of active connections with the standby Alteon to prevent service interruptions in case of failover.
Session mirroring is recommended for long-lived TCP connections, such as FTP, SSH, and Telnet connections. Session mirroring is not necessary for protocols characterized by short-lived connections, such as UDP and, in many cases, HTTP. Radware recommends that you use session mirroring only when you need to maintain the state of a long connection.
When implementing session mirroring, note the following:
*Session mirroring is supported in VRRP active-standby and hot-standby configurations, as well as Switch HA high availability configurations.
*Session mirroring is only supported for Layer 4 SLB sessions and static NAT filtering sessions.
*Session mirroring is supported only for the following protocols and filters:
  *SIP
  *FTP
  *NAT filters
  *Layer 4 SLB with delayed binding
*Session mirroring is not supported for the following protocols and filters:
  *Active-active VRRP
  *RTSP
  *Layer 7 SLB
  *Allow, deny, redir filters
*Session mirroring is not supported in IPv6 Server Load Balancing sessions.
*A direct interswitch link between the primary and backup Alteons is necessary to route the NAAP packets.
Default: disable
nbind disable|enable
 
Specifies whether to enable client subnet persistent binding for filter redirection.
Default: disable
matchdev disable|enable
 
Specifies whether the filter should match traffic whose destination is a device IP address (if that IP is part of the match settings destination).
Values:
*all — Match traffic to device IP addresses.
*allexclif — Match traffic to device IP addresses, but exclude interface IP addresses.
*none — Do not match traffic to device IP addresses.
Default: allexclif
cos <"1-32 character class of service string[any|string]">|none
 
Specifies whether the filter should match source IP addresses for which the class of service recorded in the Alteon user data table matches the specified value. The IP address to class of service relation is recorded in the Alteon user data table via an AppShape++ script, for example, using data gathered from RADIUS traffic.
mactome enabled|disabled
 
Locally enables or disables filtering by destination MAC address.
The mactome matching condition is met when the destination MAC address belongs to Alteon.
For a mactome match to be checked, mactome must be enabled both globally under /cfg/slb/adv, and on the filter.
*enabled — When the destination MAC address matches a MAC address owned by Alteon, and mactome is also enabled globally, the mactome match is checked.
When the destination MAC address matches a MAC address owned by Alteon, but mactome is disabled globally, the mactome match is not checked.
*disabled — mactome matching is not checked.
Default: enabled
rtsrctun enabled|disabled
 
Enables a front-end Alteon to reply to a request using the same tunnel through which the request was received when encapsulated traffic is received over multiple tunnels and no IP route is configured for a tunnel.
Default: disabled
cur
 
Displays the current advanced filter configuration.
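
The limits documented above for tmout, goto, rtsport and mirror can be checked mechanically before a configuration is applied. The following Python lint is an added example, not part of the Alteon documentation or software; the dictionary layout and the nat action name are constructed for illustration.

```python
# Added example. The dict layout and the "nat" action name are constructed
# for illustration; this is not an Alteon export format.

def lint_filter(fid, f):
    """Return findings for one filter, checked against the documented limits."""
    findings = []
    action = f.get("action")
    adv = f.get("adv", {})

    # tmout: even number of minutes, 4-32768 (default 4)
    tmout = adv.get("tmout", 4)
    if not 4 <= tmout <= 32768 or tmout % 2:
        findings.append(f"filter {fid}: tmout {tmout} is not an even value in 4-32768")

    # goto: 1-2048, higher than the filter's own ID, and action must be goto
    goto = adv.get("goto")
    if goto is not None:
        if action != "goto":
            findings.append(f"filter {fid}: goto {goto} is set but action is {action!r}")
        if not 1 <= goto <= 2048 or goto <= fid:
            findings.append(f"filter {fid}: goto {goto} must be in 1-2048 and above {fid}")

    # rtsport: source port retention needs reverse disabled on the same filter
    if adv.get("rtsport", "disable") == "enable" and adv.get("reverse", "disable") == "enable":
        findings.append(f"filter {fid}: rtsport is enabled but reverse is not disabled")

    # mirror: not supported for allow, deny and redir filters
    if adv.get("mirror", "disable") == "enable" and action in ("allow", "deny", "redir"):
        findings.append(f"filter {fid}: session mirroring is not supported for {action} filters")

    return findings


def lint_all(filters):
    """Lint every filter in ascending ID order."""
    return [msg for fid in sorted(filters) for msg in lint_filter(fid, filters[fid])]


# Constructed sample input
SAMPLE_FILTERS = {
    10: {"action": "goto", "adv": {"goto": 20, "tmout": 8}},   # clean
    20: {"action": "nat", "adv": {"tmout": 5}},                # odd tmout
    30: {"action": "goto", "adv": {"goto": 20}},               # jumps backwards
    40: {"action": "nat", "adv": {"rtsport": "enable", "reverse": "enable"}},
    50: {"action": "redir", "adv": {"mirror": "enable"}},
}

if __name__ == "__main__":
    for line in lint_all(SAMPLE_FILTERS):
        print(line)
```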