bluecoat packet shaper cli in print 8.4

PacketShaper® CLI Commands in Print PacketWise® Version 8.4.1

Upload: achmad-afandi

Post on 13-Apr-2015


Copyright, Trademarks, and Patents Copyright 1999-2009 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. PacketShaper, PacketShaper Xpress, PolicyCenter, PacketWise, ProxyAV, CacheOS, SGOS, SG, Spyware Interceptor, Scope, ProxyRA Connector, ProxyRA Manager, Remote Access and MACH5 are trademarks of Blue Coat Systems, Inc. and CacheFlow, Blue Coat, Accelerating The Internet, ProxySG, WinProxy, AccessNow, Ositis, Powering Internet Management, The Ultimate Internet Sharing Solution, Cerberian, Permeo, Permeo Technologies, Inc., and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners. BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. PacketShaper, PacketShaper Xpress; PacketSeeker, and iShared appliances, and PolicyCenter, PacketWise iShared, iShaper and IntelligenceCenter software protected by, or for use under, one or more of the following U.S. 
Patents: 5,802,106; 6,018,516; 6,038,216; 6,046,980; 6,115,357; 6,205,120; 6,285,658; 6,298,041; 6,412,000; 6,456,630; 6,457,051; 6,460,085; 6,529,477; 6,584,083; 6,591,299; 6,654,344; 6,741,563; 6,847,983; 6,850,650; 6,854,009; 6,928,052; 6,934,255; 6,934,745; 6,970,432; 6,985,915; 7,003,572; 7,012,900; 7,013,342; 7,032,072; 7,035,474; 7,051,053; 7,054,902; 7,103,617; 7,154,416; 7,155,502; 7,203,169; 7,236,459; 7,283,468; and 7,292,531. Other U.S. and international patents pending. SNMP Research SNMP Agent Resident Module Version 14.2.1.7. Copyright 1989-1997 SNMP Research, Inc. This product includes software developed by the University of California, Berkeley and its contributors. Portions Copyright 1982, 1983, 1986, 1989, 1990, 1993 by The Regents of the University of California. All rights reserved. Portions Copyright 1996 by Internet Software Consortium. Portions Copyright 1993 by Digital Equipment Corporation. Portions Copyright 1990 by Regents of the University of Michigan. All rights reserved. This product includes software developed by the University of California, Berkeley and its contributors. Portions Copyright 2001 Mike Barcroft. Portions Copyright 1990, 1993 by The Regents of the University of California. All rights reserved. This product incorporates software for zipping and unzipping files. UnZip 5.42 of 14 January 2001, by Info-ZIP. Zip 2.3 (November 29th 1999). Copyright 1990-1999 Info-ZIP Portions copyright 1994, 1995, 1996, 1997, 1998, by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, by Boutell.Com, Inc. GIF decompression code copyright 1990, 1991, 1993, by David Koblas ([email protected]). Non-LZW-based GIF compression code copyright 1998, by Hutchison Avenue Software Corporation (http://www.hasc.com/, [email protected]). Portions Copyright 2006 Narciso Jaramillo. TACACS+ software Copyright 2000,2001 by Roman Volkov. 
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. U.S. Government Restricted Rights Blue Coat software comprises commercial computer software and commercial computer software documentation as such terms are used in 48 C.F.R. 12.212 (SEPT 1995) and is provided to the United States Government (i) for acquisition by or on behalf of civilian agencies, consistent with the policy set forth in 48 C.F.R. 12.212; or (ii) for acquisition by or on behalf of units of the Department of Defense, consistent with the policies set forth in 48 C.F.R. 227-7202-1 (JUN 1995) and 227.7202-3 (JUN 1995). Blue Coat software is provided with RESTRICTED RIGHTS. Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in FAR 52.227-14 and DFAR 252.227-7013 et seq. or their successors. Use of Blue Coat products or software by the U.S. Government constitutes acknowledgment of Blue Coats proprietary rights in them and to the maximum extent possible under federal law, the U.S. Government shall be bound by the terms and conditions set forth in Blue Coats end user agreement. Blue Coat Systems, Inc. 420 N. Mary Ave. Sunnyvale, CA 94085 http://www.bluecoat.com Revision History February, 2009

PacketWise 8.4.1

About This Guide

PacketGuide is a browser-based reference for PacketShaper and PolicyCenter users. In addition to comprehensive reference material, PacketGuide contains solutions to common network and application performance problems.

CLI in Print is a printed version of all the commands, in alphabetical order, that are available in PacketWise. These can be found in the Reference section of PacketGuide. This is a compilation of the HTML pages. Although any page in PacketGuide can be printed from your browser, Blue Coat provides this PDF for printing convenience.

This PDF reflects current information at the time the guide was compiled. The most up-to-date content can be found online at: https://hypersonic.bluecoat.com/packetguide/8.4/reference/cli/index.htm

Command Line Overview

The command-line interface (CLI) provides a UNIX-like interface for accessing the PacketWise software. All of the functions available via the browser interface are also accessible with commands listed in this chapter. In addition, a number of CLI commands support diagnostic tasks that are not incorporated in the browser interface.

This document organizes the commands in alphabetical order.

You can access the command-line interface using one of the following methods:

* Telnet to the unit. See Using a Remote Login Utility.
* Connect a PC or workstation to the unit's console port for a local connection. See Using a Direct Serial Connection.

Note: To enter commands in your browser window, type the unit's IP address followed by /cli.htm, for example, http://10.10.10.10/cli.htm.

Command Usage Conventions

A few basic conventions apply to commands:

* Commands are not case sensitive; that is, you can use either uppercase or lowercase characters.
* A command can be abbreviated by entering the minimum number of characters required to uniquely distinguish it from other commands. For example, you can type cl sh instead of class show.
* Command syntax can be verified by typing one of the following: help or ? where is the name of the command for which you want help.
* To issue multiple commands from a single command line, separate the commands with a semicolon (;), for example, setup show;traffic bandwidth. The semicolon is the equivalent of pressing the Enter key.

Note: When combining multiple commands on one line, do not attempt to run a command file in series with other commands. The run command executes a separate task and the other commands in the line may not run in sequence.

* To repeat the last CLI command you entered, type !!. To repeat a previous command, type !, where corresponds to the sequence of the command in the current Telnet or console session. For example, !5 repeats the fifth command you entered in the current session. Use the history command to determine the line number of previous commands. Alternatively, you can scroll through the command history by pressing the up and down arrows. You can also edit previously entered commands, as described below.
* refers to a traffic class name. Include the class's full pathname if it is needed to uniquely identify the class. For example, if HTTP appears in both the Inbound and Outbound subtrees, the explicit path is required to identify a specific HTTP class, for example, /inbound/http.

Editing Previously Entered Commands

If you make a typing mistake in your command, you don't need to retype it; you can redisplay the command and edit it. This capability is available via Telnet or SSH, but not via a direct console connection.

Function                                        Technique
Display a previously entered command            Press up arrow until the command you want is displayed
Scroll down through the command history         Press down arrow
Move cursor to the left                         Press left arrow
Move cursor to the beginning of the line        Press Ctrl+a
Move cursor to the right                        Press right arrow
Insert characters                               Position cursor and start typing
Delete character                                Press Backspace or Delete (characters are deleted to the left of the cursor)
Delete all characters on the line               Press Ctrl+u

Note: If the arrow keys aren't working, make sure your Telnet client is emulating VT100 arrows. You may need to enable this option in your client.

Typographical Conventions

The following typographical conventions are used for command syntax:

Convention             Description                                                Example
Boldface               Commands                                                   class delete web_in
[Square brackets]      Optional arguments in a command line                       class show []
                       Required arguments for which you will supply a name        measure dump
Pipe character ( | )   The or symbol in a command line; choose one of the         setup shaping
                       options separated by the | symbol

Accessing the Command-Line Interface

You can access the command-line interface using one of the following methods:

* Use a remote login utility. You can use Telnet for clear text or an SSH (Secure Socket Shell) client for encrypted text.
* Connect a PC or workstation to the unit's console port for a local connection.

Using a Remote Login Utility

You are free to choose any remote login utility that is available for your operating system. For example, for clear-text connections, you can use Telnet. For secure connections, you can choose any SSH client, such as SecureCRT for Windows or OpenSSH for UNIX operating systems.

To access the PacketWise command-line interface with a remote login utility:

1. First, verify that your workstation can access the unit. See the PacketShaper Quick Start Guide for installation details.
2. If the unit has already been configured for your network, you can connect to it using its IP address, for example: telnet 10.10.1.100 or ssh 10.10.1.100. When you connect successfully, you will be prompted for the unit's password.
3. Enter the password and press Enter.

Using a Direct Serial Connection

To access the command-line interface via a serial connection:

1. Using the provided null-modem cable, attach a workstation or PC to the unit's port labeled Console.
2. Start your terminal emulation program (such as HyperTerminal).
3. Verify that you have configured your program with the following values to communicate with the unit's console serial port: 9600 bps, 8 data bits, 1 stop bit, no parity, no hardware flow control.
   If you are using a modem connected to the serial port, the modem must be set to: 9600 bps, 8 data bits, 1 stop bit, no parity, auto-answer (usually ATH1 in the standard Hayes command set), and DTR always on (usually a DIP switch setting). Check the modem manual for details.
4. Power on the unit, if you have not already done so. If it was already turned on, you will need to press Enter several times to make the connection.

When you connect successfully, you will be prompted for the unit's password.

actionfile library

For PolicyCenter only

Show the current portfolios of adaptive response action files available for distribution from PolicyCenter to individual PacketShapers.

actionfile library [verbose]

The actionfile library command shows the name of the available portfolios only. Use actionfile library verbose to view the names of all the action files within each portfolio.

PacketGuide for PacketWise 8.4

actionfile prescribe

For PolicyCenter only

Prescribe a group of adaptive response action files by portfolio name. Use the actionfile library command to determine available action file portfolios.

actionfile prescribe default|none|show

default|none|show
    Name of portfolio. A portfolio is any sub-folder of PolicyCenter/publish/action that contains a group of action files. On a child configuration, the default option allows that child configuration to inherit its portfolio of action files from its parent configuration. (On a parent configuration, the default option sets the prescription to unconfigured.) Specify none if the configuration should not inherit its portfolio. The show option shows the configuration's current prescribed portfolio of action files.

actionfile subscribe

For PolicyCenter only

Configure when and how often PacketShapers assigned to a PolicyCenter configuration update their portfolio of adaptive response action files.

actionfile subscribe asap|scheduled|default

The actionfile subscribe command has the following options:

asap
    PacketShapers assigned to the configuration will automatically update their action file portfolio as soon as an updated portfolio is prescribed.

scheduled
    PacketShapers assigned to the configuration will wait for the actionfile sync command before downloading the prescribed portfolio of files.

default
    If a child configuration is set to default, the child configuration inherits its action file subscription behavior from its parent. If a parent configuration is set to default, units assigned to the parent configuration will automatically update their action file portfolio as soon as an updated portfolio is prescribed.

See also: actionfile sync

actionfile sync

For units in shared mode only

Issue this command from an individual PacketShaper to immediately download adaptive response action files prescribed for the unit's PolicyCenter configuration. This command is only required when the PolicyCenter configuration prescription mode has been set to scheduled with the actionfile subscribe command.

Note: It is not necessary to issue this command if the prescription mode is currently in its default state, or has been set to asap with the actionfile subscribe command.

actionfile sync

If you include the optional value, the actionfile sync operation runs for the specified number of seconds.

agent action

Delete an adaptive response action file, temporarily disable or reenable an existing action file, or modify the value of an existing parameter. Note that this command will not create a new action file, or add a new parameter to an existing action file.

agent action green|red [on ]|[off]|[delete]|[parm ]| [resetparms]

green|red

/Inbound/AppleTalk --> /Inbound --> /Inbound/Default

class test inbound tcp 216.110.182.168:80 0.0.0.0:0
Traffic class --> /Inbound/HTTP
Partition     --> /Inbound
Policy        --> /Inbound/Default

Notes:

* The class test command can be used to test basic classification for IP protocols, but is not intended to test every type of classification PacketWise offers. Its purpose is to check a particular IP address or port number to determine how the traffic is classified into existing port-based and IP address-based classes in the traffic tree. The command does not include fields for specifying more complex types of classification such as MAC address or device.
* The class test command requires touch access.

class undelete

For PolicyCenter only

Issue this command to restore a class marked for deletion from a draft configuration. If the class has any child classes, they will also be restored.

class undelete

class user-services delete

Remove a user-defined service.

class user-services delete

where is the name of the service you want to delete.

Example:

class user-services delete TDemployees

Notes:

* Service names are case sensitive. You must enter the service name with the same upper/lower case with which it was created.
* Use the class user-services show command to see a list of services that have been user-defined.

class user-services new

Create a custom service in order to identify and categorize traffic that is not currently classified by PacketWise, or that is classified into a different service. This command allows you to create services for in-house applications on your network. The service can be defined by a signature (hex or string) and/or by port numbers.

class user-services new {[signature:| offset: [port:]]} [packets:] [ipproto:TCP|UDP] [description:] [serviceid:]

The name of the service, up to 30 characters long. Use only alphanumeric characters and the following special characters: underscore ( _ ), hyphen ( - ), and period ( . ). The service name is case sensitive.

signature
    The signature can be specified in hexadecimal format or as a quoted string. The string can be up to 30 characters long, is case sensitive, and must be enclosed in quotation marks. The hex representation can be up to 30 characters long. It must begin with 0x.

offset
    Starting position of the signature in the payload (after the header). Valid values for the offset are 0-1499.

packets
    Number of inbound or outbound data packets in each new flow that will be inspected for the signature. Up to 10 packets in each direction can be inspected.
    Note: Packets in each direction are counted separately. For example, a value of 8 tells the PacketShaper to look for the signature in the first eight inbound packets and first eight outbound packets of each new flow.

port
    The port number or a range of port numbers. If the port option is not specified, the PacketShaper will inspect traffic on all ports.

ipproto
    Type of IP protocol (UDP or TCP)

description
    A description of the user-defined service, enclosed in quotation marks; up to 80 characters long.

serviceid
    An internal identification number (645 to 654 inclusive) to assign to the new service.
    Note: Blue Coat recommends that you let PacketShaper automatically assign an available service ID. However, you may want to manually assign an ID if the new service will be part of a sharable configuration in PolicyCenter. Use the class user-services show command to see the IDs.

Examples:

class user-services new TDemployees signature:"TD Employee" offset:6 packets:1 description:"TD Employee Database"

class user-services new BCpayroll signature:0x424320706179726F6C6C offset:0 description:"BC Payroll application"

Notes:

* You can use a third-party network protocol analyzer, such as EtherPeek or Wireshark, to analyze a trace to get the signature.
* You can create up to 10 user-defined services.
* The user-defined services are auto-discoverable.
* User-defined services take precedence over built-in services and plug-ins, allowing existing services to be overridden.
* The user-defined services are stored in the config.ldi configuration file.
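Because user-defined services take precedence over built-in ones, it is worth checking a definition against the documented limits and against sample payloads before it is applied. The following Python sketch is an added example, not Blue Coat code: it validates a `class user-services new` line and models the signature test as a fixed-offset comparison over the first `packets` payloads in one direction. Assumptions: the function names (`parse_user_service`, `flow_matches`, `check`) are hypothetical, the 30-character hex limit is taken to count the digits after 0x, the default of 2 packets is inferred from the sample show output for BCpayroll, and the payloads are constructed.

```python
import re

# Limits come from the option descriptions in the reference above.
CMD_RE = re.compile(r"\s*class\s+user-services\s+new\s+(\S+)(.*)", re.I | re.S)
OPT_RE = re.compile(r'(\w+):("[^"]*"|\S+)')
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,30}")
KNOWN = {"signature", "offset", "port", "packets", "ipproto", "description", "serviceid"}


def _int_opt(opts, key, low, high, default=None):
    """Return opts[key] as an int within [low, high], or default if absent."""
    if key not in opts:
        return default
    if not opts[key].isdigit() or not low <= int(opts[key]) <= high:
        raise ValueError(f"{key} must be an integer from {low} to {high}")
    return int(opts[key])


def _signature_bytes(value):
    """Convert a quoted-string or 0x-prefixed signature to the bytes to look for."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        if not 1 <= len(value) - 2 <= 30:
            raise ValueError("string signature must be 1 to 30 characters")
        return value[1:-1].encode("utf-8")
    if value[:2].lower() == "0x":
        digits = value[2:]
        # Assumption: the 30-character limit counts the digits after 0x.
        if not digits or len(digits) > 30 or len(digits) % 2:
            raise ValueError("hex signature needs an even number of digits, 30 at most")
        return bytes.fromhex(digits)  # raises ValueError on non-hex characters
    raise ValueError("signature must be a quoted string or begin with 0x")


def parse_user_service(command):
    """Validate one `class user-services new` line; return the service as a dict."""
    m = CMD_RE.fullmatch(command)
    if not m:
        raise ValueError("expected: class user-services new <name> key:value ...")
    name, rest = m.groups()
    if not NAME_RE.fullmatch(name):
        raise ValueError("name: 1 to 30 characters from A-Z a-z 0-9 _ - .")
    opts = {key.lower(): value for key, value in OPT_RE.findall(rest)}
    if set(opts) - KNOWN:
        raise ValueError(f"unknown option(s): {sorted(set(opts) - KNOWN)}")
    if "signature" not in opts and "port" not in opts:
        raise ValueError("define the service by a signature and/or a port")
    desc = opts.get("description")
    if desc is not None and not (2 <= len(desc) <= 82 and desc[0] == desc[-1] == '"'):
        raise ValueError("description must be quoted and at most 80 characters")
    proto = opts.get("ipproto")
    if proto is not None and proto.upper() not in ("TCP", "UDP"):
        raise ValueError("ipproto must be TCP or UDP")
    return {
        "name": name,
        "signature": _signature_bytes(opts["signature"]) if "signature" in opts else None,
        "offset": _int_opt(opts, "offset", 0, 1499, default=0),
        # Default of 2 is inferred from the sample show output (BCpayroll).
        "packets": _int_opt(opts, "packets", 1, 10, default=2),
        "port": opts.get("port"),  # kept verbatim; range syntax is not validated
        "ipproto": proto.upper() if proto else None,  # None: shown as TCP/UDP
        "serviceid": _int_opt(opts, "serviceid", 645, 654),  # None: auto-assigned
        "description": desc[1:-1] if desc else None,
    }


def flow_matches(service, payloads):
    """True if the signature sits at the configured offset in one of the first
    `packets` payloads of one direction of a new flow (simplified model)."""
    sig, start = service["signature"], service["offset"]
    if sig is None:
        return False
    inspected = payloads[:service["packets"]]
    return any(p[start:start + len(sig)] == sig for p in inspected)


def check(command):
    """Return "ok", or the reason this checker rejects the command."""
    try:
        parse_user_service(command)
        return "ok"
    except ValueError as exc:
        return str(exc)


# The two example commands from the reference page.
EXAMPLES = [
    'class user-services new TDemployees signature:"TD Employee" offset:6 '
    'packets:1 description:"TD Employee Database"',
    "class user-services new BCpayroll signature:0x424320706179726F6C6C "
    'offset:0 description:"BC Payroll application"',
]

if __name__ == "__main__":
    for cmd in EXAMPLES:
        svc = parse_user_service(cmd)
        print(svc["name"], svc["signature"], svc["offset"], svc["packets"])
    # Constructed payloads, not captured traffic.
    td = parse_user_service(EXAMPLES[0])
    print(flow_matches(td, [b"\x00" * 6 + b"TD Employee lookup"]))
    print(check("class user-services new payroll signature:0x4243 serviceid:700"))
```
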

See also:
class user-services show
class user-services delete

class user-services show

Display a list of user-defined services.

class user-services show []

Example:

class user-services show
User Defined Services
1. Name:BCpayroll serviceid:645 signature:0x424320706179726f6c6c offset:0 packets:2 ipproto:TCP/UDP description:"BC Payroll application"
2. Name:TDemployees serviceid:647 signature:"TD Employee" offset:6 packets:1 ipproto:TCP/UDP description:"TD Employee Database"

cmp

Compare two files. This command generates no output if the files don't differ; if they differ, the byte and line number at which the first difference occurred is reported. Bytes and lines are numbered beginning with one (1).

cmp [-ls] file1 file2 [skip1] [skip2]

The following options are available:

-l    Print the byte number (decimal) and the differing byte values (octal) for each difference.
-s    Print nothing for differing files; return exit status only.

The optional arguments skip1 and skip2 are byte offsets from the beginning of file1 and file2, respectively, where the comparison will begin. The offset is decimal by default, but may be expressed as a hexadecimal or octal value by preceding it with a leading 0x or 0.

setup compression show (compression show)

applicable to legacy compression tunnels only

Display compression status. Use this command to check whether compression is enabled, list the IP address and status of active tunnel partners, and see details about the services that have active flows being compressed.

setup compression show [hosts||services|types|summary|all] [main|lower|upper|left|right]

or

compression show [hosts||services|types|summary|all] [main|lower|upper|left|right]

where:

hosts
    Lists the hosts and partners that can use the compression facility. For example, if you have used the setup compression hosts and/or setup compression partners commands to limit the hosts and PacketShapers that can use compression, the setup compression show hosts command will list the allowed hosts and partners. If you have changed the default value of the Allow/Exclude inside hosts on list, Allow/Exclude outside hosts on list, and/or Allow/Exclude PacketShapers on partner list system variables from allow to exclude, the setup compression show hosts command will display the hosts and partners that are excluded from compression.

    Displays compression information for the specified IP address, such as compression type and status and tunnel partner (more detail appears below)

services
    Lists non-compressible services. To avoid inducing latency unnecessarily, services that are unlikely to achieve useful gains from compression are not compressed. Voice Over IP, video streaming, and encrypted data are examples of non-compressible traffic.

types
    Lists the compression dictionaries supported by the unit; the supported types will vary according to the model and amount of memory in the unit. The default dictionary is also listed; to change the default dictionary, use the setup compression dictionary command.

summary
    Show a tunnel summary in tabular form. For each tunnel, the tabular output lists the tunnel partner, quality, savings, and state. Note that the summary does not list the specific classes and services that are being compressed.

all
    In addition to compression status, the output includes the lists from the services, types, and hosts options.

main|lower|upper|left|right
    Display tunnels associated with a particular PacketShaper device:
    main     built-in interface
    upper    upper LEM
    lower    lower LEM
    right    right LEM
    left     left LEM

Note: If a unit is assigned to a PolicyCenter configuration with a compression dictionary that the unit cannot support, the unit will substitute a smaller compression dictionary of the same type. For example, if a 2500 model is assigned to a PolicyCenter configuration configured with a CNA-32M dictionary, the unit will use the largest CNA dictionary supported, in this case, CNA-16M. If the unit does not have the assigned compression plug-in, it will use its currently configured compression dictionary.

Sample output for setup compression show:

Tunnel Interface: main
Tunnel Partner:   172.21.26.45
Tunnel Status:    Normal Operation (Up: 12m 4s, Idle: 9s)
Tunnel Quality:   100
Tunnel Savings:   56 KBpm

Compressors        Type     %Bytes Saved
----------------------------------------------------
GROUP DICTIONARY   cna-1M    70% ( 19 secs old)
DNS                cna-1M    18% ( 19 secs old)
NetBIOS-IP-SSN     cna-1M    70% ( 53 secs old)
Microsoft-ds       cna-1M    70% ( 50 secs old)
ICMP               cna-1M    45% ( 32 secs old)
SNMP-Mon           cna-1M    70% ( 53 secs old)
LDAP-Clear         cna-1M  ----% (125 secs old)
Observed           cna-1M    29% ( 60 secs old)

Compression: On    Memory: 9879 KB / 204800 KB
Tunnels: 1 Active, 0 Idle, 1 Total

Tunnel Status can be one of the following:

* Normal Operation: A compression tunnel has been established in both directions, and the unit is ready to compress and decompress data.
* Compressing: The unit is currently compressing data.
* Decompressing: The unit is currently decompressing data.
* Passthru operation (Decompressing): Compressible packets are not being sent through the compression tunnel. When compressed packets are retransmitted because the tunnel partner is not acknowledging that it received the packets, PacketWise sends the packets through the normal mechanism (not the tunnel). The tunnel will resume normal operation after it gets an acknowledgement for the retransmitted packets.

Tunnel Quality can range between 0 and 100, with a value of 100 indicating best tunnel quality. It is derived from underlying metrics such as packet loss. Poor tunnel quality could be caused by problems with your network configuration or service provider. See Compression Troubleshooting for more information.

Tunnel Savings is the bytes saved per minute, due to compression.

If the tunnel is currently compressing data, the output includes details about each of the services that are being compressed.

Column          Description

Compressors
    Lists the name of each class and service being compressed

Type
    Lists the compression dictionary the service is using. The dictionary name indicates the type of algorithm (such as cna, predictive, or zlib), number of passes (with one pass, data is compressed once; with two passes, the compressed data is compressed again), and the size. For example, pred2-512K uses the predictive type of algorithm, does two passes, and has a 512K dictionary.

%Bytes Saved
    Indicates the percentage of bytes saved, due to compression. This value is calculated by subtracting pre-compression bytes (the size without any compression) and post-compression bytes (the size after compressible bytes were compressed) and dividing this difference by pre-compression bytes.
    If ----% appears in the %Bytes Saved column, either compression savings were negligible or the service has flows that were recently compressed (more than 2 minutes ago), but are not currently being compressed. A service will be dropped from the list if it hasn't been compressed in 999 seconds.

Occasionally, you may have Observed listed as a compressor in the setup compression show output (as shown in the example above). When Xpress is unable to identify the service for any traffic that is sent through the compression tunnel, the traffic gets categorized into Observed.

If you include a specific IP address, you can display additional compression information about the host or PacketShaper. The Compression Type field in the setup compression show output indicates the type of host: Shaper (PacketShaper), Initiator, or Recipient. The output varies, depending on the type of host. For example, if 172.21.18.253 is a recipient host, the setup compression show output includes the forwarding MAC address:

setup compression show 172.21.18.253
IP Address:         172.21.18.253 INSIDE
Compression Type:   Recipient
Forwarding Address: 00:90:27:54:a7:d5

Or, if 192.168.130.101 is an initiating host, the output lists the tunnel partner and tunnel status:

setup compression show 192.168.130.101
IP Address:       192.168.130.101 OUTSIDE
Compression Type: Initiator
Tunnel Partner:   172.21.0.85
Tunnel Status:    Normal operation (Up: 1m 48s, Idle: 29s)

If 172.17.56.201 is a PacketShaper unit, the output includes the tunnel savings and tunnel status:

setup compression show 172.17.56.201
Tunnel Interface: main
Tunnel Partner:   172.17.56.201
Tunnel Status:    Normal operation (Up: 30s, Idle: 0s)
Tunnel Quality:   100
Tunnel Savings:   8618 KBpm

Compressors        Type     %Bytes Saved
----------------------------------------------------
GROUP DICTIONARY   cna-1M   72% (  0 secs old)
HTTP               cna-1M   72% (  0 secs old)
ICMP               cna-1M    0% ( 11 secs old)

Tunnel Status can be one of the following:

* Normal Operation: The unit is currently compressing and decompressing data.
* Compressing: The unit is currently compressing data.
* Decompressing: The unit is currently decompressing data.
* Tunnel is not up: The compression tunnel has not been set up (see Compression Status for details on why the tunnel was not set up)
* Partner not available: The data from the active PacketShaper will not be compressed because the tunnel partner does not allow tunnel traffic from the active PacketShaper (the unit from which you issued the setup compression show command). In other words, the PacketShaper on the other side of the tunnel has not configured the active PacketShaper to use the compression facility; it is not on its list of PacketShapers that are allowed to use the compression facility.
* Passthru operation (Decompressing): Compressible packets are not being sent through the compression tunnel. When compressed packets are retransmitted because the tunnel partner is not acknowledging that it received the packets, PacketWise sends the packets through the normal mechanism (not the tunnel). The tunnel will resume normal operation after it gets an acknowledgement for the retransmitted packets.

To display a compression tunnel summary:

setup compression show summary

Compression Tunnel Summary
=============================================================================
Configuration: Tunneling: On

Device   Partner          Quality   Savings       State
-----------------------------------------------------------------------------
lower    172.17.58.109    100        4022 KBpm    Normal 17m 24s
upper    172.17.59.103    100        4063 KBpm    Normal 17m 24s
upper    172.17.59.108    100        3842 KBpm    Normal 17m 24s
main     172.17.56.104    100        8914 KBpm    Normal 17m 24s
main     172.17.56.109    100        1229 KBpm    Normal 17m 24s
upper    172.17.58.105    100        3684 KBpm    Normal 17m 24s
main     172.17.56.107    100       10267 KBpm    Normal 17m 24s
upper    172.17.58.106    100        1263 KBpm    Normal 17m 24s
main     172.17.56.102    100        9038 KBpm    Normal 17m 24s
upper    172.17.56.102    100        3979 KBpm    Normal 17m 25s
upper    172.17.59.106    100        4035 KBpm    Normal 17m 25s
upper    172.17.56.109    100        4028 KBpm    Normal 17m 25s
upper    172.17.59.102    100        3999 KBpm    Normal 17m 25s

Totals:
Tunnels:        13
Active:         13
Idle:           0
Unidirectional: 0
Bidirectional:  0
Passthru:       0
Memory:         260845 KB / 704437 KB

Compression Status

If the compression tunnel is not up, you will see an additional field, Compression Status, which gives you additional information about why a tunnel could not be created. These messages are described below.

Message: Disabled because compression is off
Description: The data from the specified host will not be compressed because the compression feature has been turned off on the active PacketShaper. Use the setup compression on command to enable compression.

Message: Disabled because shaper is not in allowed partner list or Disabled because shaper x.x.x.x is not in allowed partner list
Description: The data from the specified host will not be compressed because the tunnel partner has not been configured to use the compression facility (using the setup compression partners command). To see which partners (PacketShaper units) have been configured to use compression, type setup compression show hosts.

Message: Disabled because host is not in list of allowed hosts
Description: The data from the specified host will not be compressed because it is not configured to use the compression facility (using the setup compression hosts command). To see which hosts have been configured to use compression, type setup compression show hosts.

Message: Disabled because host appears to be on both sides
Description: This message means that the host is trying to be an initiator and recipient at the same time, a situation that is not allowed. Resetting the unit should resolve this problem. Note: You may get this message if your site router is on the inside; compression will not work with inside routers.

Message: Process started, probe sent __ ago, no answer, resend in __
Description: A probe packet was sent to look for a tunnel partner, but a PacketShaper unit did not reply; another probe will be sent in the specified number of seconds/minutes.

Message: Compression was restarted, can probe now
Description: Compression was turned off and then turned back on and there currently aren't any flows going through the PacketShaper for this host; a probe will be sent to look for a tunnel partner.

Message: Host can probe now
Description: The host has been identified, but a probe packet has not yet been sent to see if a tunnel partner exists.

Message: Probe sent __ ago, can probe now
Description: A probe packet was sent, but a tunnel partner did not reply; another probe will be sent. (If you want to force a probe, use the setup compression reprobe command.)

PacketGuide for PacketWise 8.4


config backup
For PolicyCenter only

Make a backup copy of a PolicyCenter configuration. After you issue the config backup command, you will be prompted to confirm that you want to create a backup of the specified configuration. Enter the word Yes, or press the Enter key. Backup configurations will appear in the PolicyCenter configuration tree with a "-backup" after the configuration name.

config backup []

Restore a backup copy of a PolicyCenter configuration with the config restore command.

config clear
For PolicyCenter / PacketShapers in Shared Configuration Mode

Clears all non-default configuration values from the named configuration. If none is named, it clears the current configuration. Clearing a child configuration means that the child will derive its sharable attributes and settings from its parent configuration. If you clear a parent configuration, its child configurations will no longer inherit any values from its parent.

config clear []

config cp
For PolicyCenter only

Copies an existing configuration to a new or existing configuration. Include the -r (recursive) option to include the selected configuration's child configurations in the copy operation. Note that if the configuration to be copied and the destination configuration both have a child configuration with the same name, the destination configuration's child will be overwritten. If the argument is omitted, it copies the current active configuration.

This command does not allow a parent configuration to be copied to its child configuration with the "-r" option. You also may not copy to a draft configuration, or to any configuration that has a draft anywhere in its configuration hierarchy. The individual serial-number configuration of a PacketShaper is unique to that unit, and cannot be copied to another location in the configuration tree unless you also rename the new copy of the unit configuration as a part of the copy operation.

config cp [-r] []

Where the is the source configuration to be copied, and the is the destination for the new copy of that configuration. Specify a slash (/) for the value to copy the source configuration to the root of the configuration tree.

See also config mv for details on moving PolicyCenter configurations.

config dump
For PolicyCenter / PacketShapers in Shared Configuration Mode

This command prints the objects, formats, and attributes of the current effective configuration in a format similar to LDAP Data Interchange Format. It is useful mainly for development and diagnostic purposes.

config dump

See also: config save

config edit
For PolicyCenter only

Locks the current configuration, creates a draft copy of that configuration if a draft does not exist, and opens the draft configuration for display and modification. If a draft copy of that configuration already exists, this command only opens the draft configuration for display, but does not create a new draft.

config edit

Draft configurations impose limitations not present in other configurations. Once you have created a draft copy of a configuration, neither the original configuration nor any of its parent or child configurations can be modified until the draft configuration is permanently committed or deleted. If, for example, you had a PolicyCenter configuration tree with the following configurations:

/parent_cfg
/parent_cfg/child1
/parent_cfg/child1/grandchild1
/parent_cfg/child2
/parent_cfg/child2/grandchild2

the command config edit parent_cfg/child1 would lock the configurations /parent_cfg, /parent_cfg/child1 and /parent_cfg/child1/grandchild1, and would create a new draft configuration called parent_cfg/child1-draft. The configuration tree would then appear as follows:

/parent_cfg (locked)
/parent_cfg/child1 (locked)
/parent_cfg/child1-draft (locked)
/parent_cfg/child1/grandchild1 (locked)
/parent_cfg/child2
/parent_cfg/child2/grandchild2

A draft configuration can only be edited by one PolicyCenter user at a time; no other user can modify a draft until the first user logs out of PolicyCenter or sets the focus of his PolicyCenter session on another configuration (for example, by using the config view or config edit commands and specifying another configuration). However, while one user is modifying a draft, other users are allowed to view (but not change) the draft.

Once you have made the required modifications to a draft configuration, you can test that configuration on one or more PacketShapers with the command draft try, or permanently commit the changes using the command draft commit.
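The lock rule described above for config edit, worked through as an added Python example (not PolicyCenter code and not part of the original guide). The function names are hypothetical, paths are written in absolute form, and the sample tree is the one from the text.

```python
from posixpath import dirname

DRAFT_SUFFIX = "-draft"  # naming shown in the text: child1 -> child1-draft

# Constructed sample: the five configurations listed in the text.
SAMPLE_TREE = {
    "/parent_cfg",
    "/parent_cfg/child1",
    "/parent_cfg/child1/grandchild1",
    "/parent_cfg/child2",
    "/parent_cfg/child2/grandchild2",
}


def ancestors(path):
    """Yield every parent of `path`, nearest first, stopping below the root."""
    parent = dirname(path)
    while parent not in ("", "/"):
        yield parent
        parent = dirname(parent)


def locked_by_edit(tree, target):
    """Return the set of paths locked once a draft of `target` exists.

    Rule from the text: the configuration itself, each of its parents and
    each of its children is locked; the draft copy is listed as locked too.
    """
    if target not in tree:
        raise KeyError("no such configuration: " + target)
    locked = {target, target + DRAFT_SUFFIX}
    locked.update(ancestors(target))
    # Match on "target/" so that a sibling such as child10 or child1-draft
    # is not mistaken for a child of child1.
    locked.update(p for p in tree if p.startswith(target + "/"))
    return locked


def blockers(tree, drafted, path):
    """Return the drafted configurations whose locks cover `path`."""
    return sorted(t for t in drafted if path in locked_by_edit(tree, t))


def report(tree, drafted):
    """Return the tree listing in the style of the text, with lock marks."""
    locked = set()
    for target in drafted:
        locked |= locked_by_edit(tree, target)
    return [p + (" (locked)" if p in locked else "")
            for p in sorted(set(tree) | locked)]


if __name__ == "__main__":
    for line in report(SAMPLE_TREE, ["/parent_cfg/child1"]):
        print(line)
    print("blocking /parent_cfg:",
          blockers(SAMPLE_TREE, ["/parent_cfg/child1"], "/parent_cfg"))
```

Running blockers before a planned change shows which open draft has to be committed or discarded first.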


config errors

Display configuration errors for the unit. When issued from PolicyCenter, this command displays errors for the PolicyCenter configuration currently being edited.

config errors

Note: Configuration errors are also shown in the output of the banner show command.

config information
For PolicyCenter only

View when a specified configuration was last modified, along with the user name and organization of the PolicyCenter user who made the changes.

config information []

For example:

config information /config1
Configuration Information for: /config1
Modification Details:
User Name : JSmith
Organization : IT
Date : December 28, 2006 08:08:07 (Local Time)

config load

Load saved configuration files (such as config.ldi and config.cmd). Sharable settings are saved in files with the .ldi file extension, while nonsharable settings are saved in the .cmd file. This command can load the traffic tree, partitions, policies, host lists, events, agents, basic settings (such as shaping, traffic discovery, compression, and adaptive response), security settings (such as passwords and login access protocols), SNMP, SNTP, email, and Syslog settings, site router, DNS server, and gateway addresses, domain names, time zones, and network interface settings.

Note: Use the setup show command to see a list of sharable and nonsharable settings that are stored in the configuration files.

config load [] [complete]

The location and name of a saved configuration file. Include the .ldi file extension to load just an .ldi file, or omit the file extension and include the complete parameter to load both a .ldi and a .cmd file with the specified filename. By default, this command loads files from the PacketShaper flash disk (9.256/) or the PolicyCenter directory /Packeteer/PolicyCenter. To load saved files from the PacketShaper hard drive (9.258/) or a different folder, specify the entire path. For example, to load the configuration files test.ldi and test.cmd from the PacketShaper hard disk, type:

config load 9.258/test complete

When you issue this command from PolicyCenter, include the path of the PolicyCenter configuration to which you want to load the file(s).

[complete]: Include the complete parameter to load the saved .ldi and .cmd files. If this parameter is omitted, the command will load only the sharable settings in the .ldi file.

is the location and name of a saved .ldi file. For example, to load a file named test.ldi that is in the flash disk root, use:

config load 9.256/test

The config load command discards the current configuration and institutes the loaded configuration; it does not merge the loaded configuration with the pre-existing one. The new configuration settings are then stored in 9.256/CFG/config.ldi.

Keep in mind that the .ldi file includes the unit's password, and if you load the configuration on another unit, you will change its password. If you want to load a traffic configuration on another unit without changing the password, use the class load command instead of the config load command.

Note: The PacketWise image version is stored in the .ldi file if it was set in PolicyCenter. If the image version on a unit is different from the image version stored in an .ldi file you are loading, you may see an image configuration error message after issuing the config load command in local mode. You can clear the error by giving the setup version none command. The error message does not appear in shared mode.

See also: config save

Command Change History
Release: 8.3.1
Modification: [complete] parameter added, which can load both .cmd and .ldi files.

config mode
For PolicyCenter / PacketShapers in Shared Configuration Mode

Tells you whether a unit is in local or shared mode.

config mode

Note: This command does not enable or disable the LDAP client, which is normally initialized with config setup and disabled with config unset.

See also: config setup, config unset

config mv
For PolicyCenter only

Moves a configuration to another location within the PolicyCenter configuration tree. This command copies the specified source configuration to the destination configuration name, switches any assigned units from their source sharable configuration to the new destination configuration, and deletes the source configuration. Note that you cannot move the /default configuration or the individual unit configurations of PacketShapers that have not been assigned to a sharable configuration. If the configuration is a parent configuration with child configurations, the selected configuration's child configurations will be included in the move operation.

Note: You may not move a configuration under a draft configuration, or to any configuration that has a draft anywhere in its configuration hierarchy.

The unique serial-number configuration for units running a version of PacketWise released before 7.5.0 cannot be moved from the configuration root while the unit is still assigned to that configuration, although the units themselves can be assigned to any sharable PolicyCenter configuration via the CLI command unit assign. You can, however, copy a pre-7.5.0 unit's serial-number configuration to another location, and then assign the unit to that renamed configuration.

If the source configuration name is omitted, this command will assume the current active configuration is the configuration to be moved. You must, however, specify the destination configuration path.

config mv []

Where the is the source configuration to be moved, and the is the destination for that configuration. If the first value is omitted, PolicyCenter will move the current active configuration. Specify a slash (/) for the value to move the source configuration to the root of the configuration tree.

See also: config copy

config new
For PolicyCenter only

Creates a new, empty configuration with the given name. You can use this command to create a new configuration at the top of the configuration tree, or to add a new child configuration under an existing parent.

config new

Examples:

config new newchild
config new /otherparent/newchild

config owner set
For PolicyCenter only

Assign a configuration to a specified organization. Include the -r (recursive) option to assign the selected configuration and all its child configurations to the same organization.

A child configuration can only be assigned to a different organization than its parent if the parent configuration is assigned to PC, the default PolicyCenter organization. If the parent configuration is assigned to any other organization, all of its child configurations must be assigned to that same organization. For example, if the parent configuration /parent is assigned to the PC organization, its child /parent/child can be assigned to PC or any other existing organization. However, if the parent config /parent is assigned to any other organization besides PC, such as New_York, then the child configuration /parent/child must also be assigned to that New_York organization.

You must be logged in as a PolicyCenter administrator to issue this command. You may not change the organization on a configuration that has a draft anywhere in its configuration hierarchy.

config owner set [-r]

Examples:

config owner set -r /TriStateConfig New_York
config owner set /PacificNorth/Corvallis Oregon
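The parent/child organization rule above can be checked before an assignment is made. The following Python sketch is an added example, not PolicyCenter code: the function names are hypothetical, the owner map is constructed sample data keyed by full configuration path, and nothing is sent to a PolicyCenter server.

```python
DEFAULT_ORG = "PC"  # the default PolicyCenter organization named in the text

# Constructed sample data: configuration path -> owner organization.
SAMPLE_OWNERS = {
    "/parent": "PC",
    "/parent/child": "Oregon",
    "/TriStateConfig": "PC",
    "/TriStateConfig/Newark": "PC",
}


def parent_of(path):
    """Return the parent configuration path, or None for a top-level one."""
    head = path.rstrip("/").rsplit("/", 1)[0]
    return head or None


def violations(owners):
    """List (child, child_org, parent, parent_org) tuples that break the rule.

    Rule from the text: a child may belong to a different organization than
    its parent only when the parent is assigned to PC.
    """
    bad = []
    for path, org in sorted(owners.items()):
        parent = parent_of(path)
        if parent is None or parent not in owners:
            continue
        parent_org = owners[parent]
        if parent_org != DEFAULT_ORG and org != parent_org:
            bad.append((path, org, parent, parent_org))
    return bad


def plan_owner_set(owners, path, org, recursive=False):
    """Model `config owner set [-r] <path> <org>` on a copy of the owner map.

    Returns (new_owners, violations). An empty violations list means the
    assignment keeps every parent/child pair consistent with the rule.
    """
    if path not in owners:
        raise KeyError("no such configuration: " + path)
    new_owners = dict(owners)
    new_owners[path] = org
    if recursive:
        # -r assigns the configuration and all of its children.
        for candidate in owners:
            if candidate.startswith(path + "/"):
                new_owners[candidate] = org
    return new_owners, violations(new_owners)


if __name__ == "__main__":
    # Without -r, /parent/child stays in Oregon under a New_York parent.
    _, problems = plan_owner_set(SAMPLE_OWNERS, "/parent", "New_York")
    print("without -r:", problems)
    _, problems = plan_owner_set(SAMPLE_OWNERS, "/parent", "New_York",
                                 recursive=True)
    print("with -r:   ", problems)
```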


config owner show
For PolicyCenter only

Lists PolicyCenter configurations and the organization to which those configurations are assigned. Include the parameter to view the organization for that single configuration, or omit the parameter to view the assigned organization for all PolicyCenter configurations. You must have touch access to PC, the default PolicyCenter organization, in order to issue this command.

config owner show []

Example:

config owner show

Configuration     Owner Organization
901-20000132      PC
default           PC
branch_west       California
los_angeles       California
portland          California
san_francisco     California
branch_east       PC
new_york          East_Sales
raleigh           East_Sales
washington_dc     East_Sales
branch_central    Manufacturing

config publish
For PolicyCenter only

This command publishes a child configuration to its parent, replacing classes and settings in the parent configuration with classes and settings in the child configuration. The child configuration is then cleared, so it will inherit its entire configuration from the new settings of the parent. Use this command to publish discovered traffic classes to a parent configuration, or to publish a prototype configuration that should be inherited by all child configurations under the same parent. If the argument is omitted, this command publishes the current active configuration.

config publish []

Note: PolicyCenter cannot publish traffic classes from or to a draft configuration. This command will not work if either the parent or child configuration is a draft configuration.

config rm
For PolicyCenter only

Removes a configuration or group of configurations from PolicyCenter. If the configuration name is omitted, this command will assume the current active unit configuration is the configuration to be deleted.

config rm [-r] []

This command cannot delete a configuration if it or any of its child configurations have units assigned to them. Before you delete a configuration that has a unit assigned to it, be sure to reassign the units to another configuration. Include the -r (recursive) argument to delete both the selected configuration and all its child configurations. Omit the -r argument to delete a configuration with no children.

Note: The default configuration can't be removed.

See also: config clear

config reset
For PolicyCenter / PacketShapers in Shared Configuration Mode

When issued from the command-line interface of an individual PacketShaper, this command disables the unit's connection to the PolicyCenter directory server, returning the unit to local mode and setting the unit's sharable attributes to their factory-default state. The config reset command will not remove a unit entry from the PolicyCenter directory server, and the unit's nonsharable settings (IP address, DNS and management port settings, etc.) will not be changed. To completely remove the unit entry from PolicyCenter, use unit clean.

When you issue this command from the PolicyCenter command-line interface, PolicyCenter will disable communication between PolicyCenter and the directory server. With this connection disabled, PolicyCenter will no longer be able to contact PacketShapers in shared mode. To restore the connection between PolicyCenter and the directory server, use config setup.

config reset

Note: If you want to return a unit to local mode without clearing the unit's sharable attributes, use config unset instead. You may restore a unit's previous PolicyCenter configuration at any time by resetting its connection to the directory server with the config setup command.

See also: config setup

config restore
For PolicyCenter only

Restore a backup copy of a PolicyCenter configuration. (Backup configurations appear in the PolicyCenter configuration tree with a "-backup" after the configuration name.) The config restore command does not delete a backup configuration after it copies it to its original configuration, so you can restore a single backup configuration as often as desired.

config restore []

Note: When you issue the config restore command, specify the original configuration you want restored, and not the backup configuration. For example:

config restore Florida/Miami

config save

Save the current configuration's sharable settings in an .ldi file and its nonsharable settings in a .cmd file.

config save [] [unit]

To save a PolicyCenter configuration, specify the path of the configuration you want to save.

Specify a filename up to eight characters long. The .ldi and .cmd extensions are automatically added to the configuration file name. By default, this command saves the files to the PacketShaper flash disk (9.256/) or the PolicyCenter directory /Packeteer/PolicyCenter. To save the files to the hard drive (9.258/) of a PacketShaper or a different folder, specify the entire path. For example, to save a configuration in files named test.ldi and test.cmd on the PacketShaper hard disk, type:

config save 9.258/test

[unit]: When issuing this command from PolicyCenter, you can include the unit parameter to save a unit's local sharable and nonsharable settings. If this parameter is omitted, the config save command will save a configuration's inherited and local settings.

This command can save the traffic tree, partitions, policies, host lists, events, agents, basic settings (such as shaping, traffic discovery, compression, and adaptive response), security settings (such as passwords and login access protocols), SNMP, SNTP, email, and Syslog settings, site router, DNS server, and gateway addresses, domain names, time zones, and network interface settings. Use the setup show command to see a list of sharable and nonsharable settings that are stored in the configuration files.

The config save and config load commands are useful for experimenting with different configuration settings. For example, you can save your current settings, make changes to the configuration (such as create new partitions or policies), and then return to the original configuration if you prefer it. You can create as many configurations as you like.

This feature can also be used to share configurations with other units. You can FTP the two saved configuration files to the flash disk or hard drive of another PacketShaper unit and then activate it with the config load command.

Note: Keep in mind that the .ldi file includes the unit's password, and if you load the configuration on another unit, you will change its password. If you want to load a configuration on another unit without changing the password, use the class load command instead of the config load command.

See also: config load

Command Change History
Release: 8.3.1
Modification: Command modified to create both .ldi and .cmd files.

config setup
For PolicyCenter only

Configures the unit to access shared configurations in Lightweight Directory Access Protocol (LDAP). Initializes the LDAP client to communicate with the directory server and establish the default unit configuration name. A unit's initial PolicyCenter configuration is based on its DNS name (if known) or IP address. When this command is complete, the unit will obtain its configuration from the directory server, replacing any previous local setup, policy, or other sharable configuration values. If you add the optional convert option, the configuration of the unit is preserved.

config setup [] [secure | unsecure] [] [convert]

Where:

DNS name or IP address of a PolicyCenter Directory Server

TCP port number to connect to on the Directory Server

secure | nonsecure: Specify secure to establish a secure LDAP connection between the PacketShaper and the PolicyCenter directory server, or specify nonsecure for a standard LDAP connection.

Password for the PolicyCenter directory server. This password was called the PolicyCenter Super-User password in previous versions of PacketWise.

[convert]: Specify the convert option to convert the unit's existing configuration into a new PolicyCenter configuration with the same attributes and values. Because the unit's new PolicyCenter configuration will be based upon its previous configuration, the unit will continue to operate the same in PolicyCenter as it did in local mode. If you do not select the convert option, the unit's new PolicyCenter configuration is cleared, and will have default settings only.

If you previously issued the command config unset to disable communication between PolicyCenter and the directory server, you can issue the command

config setup [] [secure | unsecure] []

from the PolicyCenter configuration (the configuration for the PolicyCenter software) to restore communications between PolicyCenter and the directory server. Note that this use of the config setup command doesn't support the convert option.

See also: setup reset for PolicyCenter

config show
For PolicyCenter only

Lists available PolicyCenter configurations. Depending on the subcommand, shows the available configurations and unit status information. Useful for monitoring units, verifying the PolicyCenter configuration hierarchy, or determining software image versions.

config show all|units|versions|{details |}

all: Displays a table of all units subscribing to the directory server, the configuration they are assigned to, IP address, and status. If a unit has not recently updated its status entry, the time since last update is noted as its 'Out of Contact' time. The status column reports whether a unit has found any errors in its configuration.

units: Displays a table of all units that are posting status to the directory server, with serial number, group/unit name, model, and domain name.

versions: Displays a table of all units that are posting status to the directory server, with serial number, IP address, and image version.

details |: Shows all status information reported by the unit to its status entry in the directory server. You can designate the unit by its unit configuration name (e.g. '/default/austin') or its serial number (e.g. '100-10000105').

The example output below shows a configuration tree with fourteen configurations, including the configuration for the PolicyCenter server itself, configuration 901-20000132. The other configurations at the top of the configuration tree are default, branch_west, branch_east and branch_central. The branch_west, branch_east and branch_central configurations each have three child configurations with an assigned unit. The names of each of these child configurations are indented in the Configuration Name column, to show that they are child configurations under another parent. Information on the individual PacketShapers, such as unit name, IP address, Out of Contact time, and the status of the unit is displayed beside the unit's assigned configuration.

/025-10001808# config show

Configuration Name    Unit Name       IP Address       Out Of Contact   Status
901-20000132          901-20000132    172.21.7.50                       OK
default               main_site       172.21.29.129                     OK
branch_west
  los_angeles         shaper_1        172.21.29.130                     OK
  portland            shaper_2        172.21.29.135                     OK
  san_francisco       shaper_3        172.21.29.139                     OK
branch_east
  new_york            shaper_4        172.21.18.75                      OK
  raleigh             shaper_5        172.21.18.45                      OK
  washington_dc       shaper_6        172.21.18.99                      OK
branch_central
  denver              shaper_7        172.21.25.160                     OK
  madison             shaper_8        172.21.25.170                     OK
  oklahoma_city       shaper_9        172.21.27.203                     OK

config unset
For PolicyCenter / PacketShapers in Shared Configuration Mode

This command disables directory server access for a unit, and returns the unit to local mode. The config unset command removes a unit entry from the PolicyCenter directory server, so the PacketShaper no longer appears on the PolicyCenter Configurations tab, but allows the unit to retain its last PolicyCenter configuration after it returns to local mode. To set the unit to local mode and return its configuration to a factory-default state, use config reset.

config unset

When you issue this command from the PolicyCenter command-line interface, PolicyCenter will disable communication between PolicyCenter and the directory server. With this connection disabled, PolicyCenter will no longer be able to contact PacketShapers in shared mode. To restore the connection between PolicyCenter and the directory server, use config setup.

Note: If this command does not completely remove a unit entry from PolicyCenter, that entry may be manually removed via the unit clean command.

See also: config reset

cp

Copy a file on the unit's flash or hard drive.

cp

date

View or set the date and/or time. When initially setting the date and time, use setup timezone.

date [[]]

Note that this command has the same functionality as the setup date command.

dns lookup

List the IP address(es) associated with a domain name. PacketWise keeps the mapping data up to date so that when a site changes an IP address, the matching rule knows about the change.

dns lookup

If the name that you enter is different from the canonical or official name, the canonical name record (CNAME) is displayed at the end of the address list. A canonical name record defines an alias for the official host name, facilitating the transition from an old name to a new name. Some sites return multiple addresses to a lookup query. The PacketWise classification process compares the traffic flows to the address lists when looking for a match.

dns names

List all domain names and addresses that are configured in traffic class matching rules.

dns names

Domain Name                      IP Address        TTL     Age     RQSNCRP  Error
(luna-corp.bluecoat.com)...      192.168.0.33      3600    647      Q
(m10-pat-corp.bluecoat.com)...   192.168.0.207     3600    427      Q
percy.xyz.com                    (204.202.49.73)   86400   12512    Q

The resolved values are shown in parentheses. The other columns in the output are described below.

TTL: The time interval that the DNS entry may be cached before the source of the information should again be consulted.

Age: The time, in seconds, since PacketWise received the last name refresh.

R: If a name server cannot be reached, the entry's retry count is incremented. This is a high-level retry, and each one may include multiple queries to each name server. If the retry value is greater than 9, an asterisk is displayed in this column. If the retry value is zero, nothing is displayed in the column.

Q: Displays a Q if PacketWise sent a query and received a response for the name.

S: Displays an S if PacketWise learned the name's address (or vice versa) by spying on DNS traffic instead of making a query.

N: The number of successful responses received since the one containing this address. If the value is 0, nothing is displayed in the column.

C: The number of responses received before getting one without any new addresses. This is the length of a round-robin cycle. If the value is 1, nothing is displayed in the column.

R: The number of matching rules that refer to this name. It will be incremented by one while a name is being resolved. If the value is 1, nothing is displayed in this column.

P: Displays a P if PacketWise is currently resolving this name.

Error: Shows the problem (if any) encountered by the last refresh attempt. Some possible errors are:

name not found: The authoritative server for this domain has no such name.
server offline: The resolver could not reach the authoritative name server, either directly or indirectly through the locally-configured name servers.
rqst refused: The name server knows (or might know) but won't tell you.
no data record: The name exists, but does not have an address (or vice versa).
internal error: The name server is not functioning.

dns refresh

Clear the resolved DNS values (that is, names and IP addresses) in the names database. The entries then are repopulated at the next ten-second polling interval.

dns refresh

Immediately after executing dns refresh, if you use the dns names command, the resolved values will be listed as in the output. These entries are repopulated at the next polling interval.

dns rlookup

Find the host name associated with an IP address.

dns rlookup

dns servers

List the DNS servers, their online/offline status, and the time since the servers either timed out or responded to a DNS request.

dns servers

Address         Status     Idle
192.168.0.33    on line    4
192.168.0.22    unknown

dns trace

This is a troubleshooting command that should be used only with the guidance of Customer Support.

draft commit

Merge changes made to a draft copy of a configuration into the original target configuration. After merging the changes, PolicyCenter reassigns any PacketShapers using the draft configuration back to their original target configuration, then deletes the draft. Once a draft has been committed, PolicyCenter removes the configuration locks on the draft's parent and sibling configurations, so other PolicyCenter users may edit them.

draft commit

Example:

draft commit myconfig-draft

draft discard

Discard a draft copy of a configuration without merging any of the changes into the original target configuration. If any PacketShapers were assigned to this draft configuration with the draft try command, you will not be able to discard the draft configuration until the units are assigned back to their original target configuration with the draft revert command. This command also removes the configuration locks on the draft's parent and sibling configurations, so other PolicyCenter users may edit them.

draft discard

Example:

draft discard myconfig-draft

draft revert

Reassign any PacketShapers using a draft configuration back to their original target configuration. The changes made to the draft configuration are retained, and the draft's parent and sibling configurations remain locked.

draft revert

Example:

draft revert myconfig-draft

draft try
For PolicyCenter only

Applies a modified draft configuration to one or more selected PacketShapers, allowing you to test the draft configuration before you apply it to a larger group of units. You can re-issue this command to assign additional PacketShapers to a draft, though the draft may not be modified while any PacketShaper is trying it.

Note: The Try operation is only available for PacketShapers running PacketWise 7.5.0 or later releases.

draft try [] [all | ]

If you don't like the result, you can revert the PacketShapers running the draft configuration back to their original target configuration with the command draft revert. If the test goes well and you would like to make the draft changes permanent, you can commit the draft to the original configuration with the command draft commit. Once a draft configuration has been committed, all shapers running or inheriting from the target configuration will get the draft changes.

draft viewFor PolicyCenter only Change the focus of your PolicyCenter session to the selected draft configuration, but only with read access. (You will only be allowed to view, but not modify, the draft configuration.) You can also use this command to release your sessions lock on a draft configuration you are finished editing, so another PolicyCenter user can access and edit the draft. draft view [] Note: To edit and modify a draft configuration issue the command config edit .PacketGuide for PacketWise 8.4


du

Display the unit's flash disk usage.

du


echo

Display a line of text.

echo


email queue

Display or delete messages in the email queue.

email queue show|display |delete (|all)

Examples:

To display the email queue:
email queue show

To display the contents of message 1:
email queue display 1

To delete all messages in the email queue:
email queue delete all


email retry

Deliver mail immediately, rather than waiting for next retry.

email retry


email test

Verify the email configuration by sending a test message to individual recipients.

email test [] [] []


event delete

Delete an event and all its registrations.

event delete


event email

Add or delete an email recipient for event notifications.

event email add [ ... ]
event email delete [ ... ]|all

Separate recipients with a space. You can add up to four recipient addresses.

To use the command-prompt mode, use:

event email add


event log reset

Delete current and archived event log files.

event log reset


event log status

Display information about current and archived event log files, such as their location, current capacities, and limitations.

event log status


event new

Define a new event. When you define an event, you specify a measurement variable in an expression (that is, the condition for which you want to be notified). In addition, you can define a default event-checking interval. The maximum number of events that can be defined is 32. Defined events are not active until registered.

To initiate the command-prompting mode, use:

event new

You may exit 'event new' at any time by typing 'exit'
Name of the event: WebQoS
Type of object to be tested: Link, Partition, or traffic Class: (class):
Measurement Engine variable to be tested: tcp-conn-aborts%
Default checking interval [1m,1h] (1m):
Enter a relational operator. When you register this event later, you will supply a threshold on 'tcp-conn-aborts%' that triggers the event. The event can be triggered when 'tcp-conn-aborts%' becomes >, >=, =, 30


[]

The default frequency that PacketWise will use to check for this event. When you register this event, you can substitute a different interval. For standard PacketShaper units, you can specify 1m (one minute) or 1h (one hour). For PacketShaper ISP units, you can specify 1m or 4h.

Examples:

event new NetworkInefficiency tcp-efficiency%.link$1 1h

For more information about PacketWise's event feature, see Overview of Event Notification and Notify Someone of Situations of Interest.

Note: An alternative way to monitor a specific class, link, or partition and receive notification when a threshold crossing has occurred is to create User Event Emulation agents with the adaptive response feature.


event override

For PolicyCenter only

Override the inherited user event by creating a local copy of the event.

event override

You must make a local copy of an inherited user event before you can change the user event on the child configuration.


event register

Initiate event-checking and notification for an event. The maximum number of events that can be registered at one time is 32. To use the command-prompting mode, simply use event register; otherwise use the following command syntax.

event register (,,) [] [email] [trap] [syslog] [limit=]

An existing predefined or user-defined event

The name of a link, partition, or class that is relevant to the event definition

The value used to trigger event notification. The value is substituted in the event's expression, which you defined with the event new command. If the condition in the expression occurs, it triggers the event notification that is registered for the event.

The value that tells PacketWise that it's okay to once again send event notifications. After the initial notification occurs for the threshold crossing, additional event messages (traps, email, or syslog) will not be sent until the re-arm condition occurs. The purpose of the re-arm value is to prevent excessive event notification.

The frequency at which this condition should be checked. For standard PacketShaper units, you can specify 1m (one minute) or 1h (one hour). For PacketShaper ISP units, you can specify 1m or 4h.

The notification mechanism for this event: email, trap, or syslog.

The number of notifications to be sent within the 24-hour period from midnight to midnight. If you omit this option, the number of notifications is limitless.


Example:

event new WebQos tcp-conn-aborts%.class>$1 1h
event register WebQos(inbound/outside/http,70,50) 1m email limit=20

Note that in the above example, the event was defined with a default interval of one hour. When the event was registered, the specific class was identified with a threshold of 70%, a re-arm level of 50%, a 1-minute interval, and a limit of 20 notifications within a 24-hour period.

When an event exceeds the predefined threshold value, the event is in violation and the PacketShaper will automatically send out notification. PacketShaper will also send a notification when the re-arm level is crossed, allowing you to be alerted automatically when the event has been cleared.

For more information about PacketWise's event feature, see Overview of Event Notification and Notify Someone of Situations of Interest.
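The threshold, re-arm and limit behaviour described for the WebQos registration above can be modelled in a few lines. This is an added example, not PacketWise code: the class and function names are hypothetical, the sample readings are constructed, and it assumes that re-arm means the value dropping below the re-arm level and that re-arm notifications count against the daily limit.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class RegisteredEvent:
    """Hypothetical model of: event register WebQos(<class>,70,50) 1m email limit=N"""
    threshold: float
    rearm: float
    limit: Optional[int] = None      # None models an omitted limit= (limitless)
    in_violation: bool = False
    day: Optional[date] = None       # calendar day the counter below belongs to
    sent_today: int = 0

    def _notify(self, ts: datetime, kind: str, value: float, out: list) -> None:
        # The limit covers the 24-hour period from midnight to midnight.
        if ts.date() != self.day:
            self.day, self.sent_today = ts.date(), 0
        if self.limit is not None and self.sent_today >= self.limit:
            return                   # over the daily limit: nothing is sent
        self.sent_today += 1
        out.append((ts.strftime("%H:%M"), kind, value))

    def check(self, ts: datetime, value: float, out: list) -> None:
        # Expression from the example: tcp-conn-aborts%.class > $1
        if not self.in_violation and value > self.threshold:
            self.in_violation = True
            self._notify(ts, "violation", value, out)
        # Assumption: the re-arm condition is the value falling below the level.
        elif self.in_violation and value < self.rearm:
            self.in_violation = False
            self._notify(ts, "re-armed", value, out)
        # Any other reading sends nothing, which is what prevents a flood of
        # messages while the value hovers between the two levels.


def simulate(samples: List[float], start: datetime, threshold: float = 70,
             rearm: float = 50, limit: Optional[int] = None,
             interval_min: int = 1) -> List[Tuple[str, str, float]]:
    """Feed one reading per checking interval and return the notifications sent."""
    ev = RegisteredEvent(threshold, rearm, limit)
    out: list = []
    for i, value in enumerate(samples):
        ev.check(start + timedelta(minutes=i * interval_min), value, out)
    return out


# Constructed tcp-conn-aborts% readings, one per 1-minute check.
SAMPLES = [40, 72, 85, 60, 75, 49, 71, 30]

if __name__ == "__main__":
    for row in simulate(SAMPLES, datetime(2024, 1, 1, 9, 0), limit=20):
        print(row)
```

The readings 85, 60 and 75 produce no message because the event is already in violation and has not yet re-armed.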


event reset

Reset the user events system. This command removes all user-defined events and unregisters all events (user-defined and predefined).

event reset

Note: Issuing the event reset command from the PolicyCenter command line interface can incorrectly trigger an error message stating that the operation failed, even if the operation executed correctly.


event show

Display email notification recipients, available events (both user-defined and predefined), registered events, and their status.

event show


event test-email

Verify the event email configuration with a test email.

event test-email


event unregister

Stop checking an event.

event unregister |all

Use event show to display the registration IDs.


exit

Log out of a PacketWise connection.

exit


frame add

Add a Frame Relay Access Device (FRAD). The frame command enables automatic configuration of Frame Relay Access Devices (FRADs).

Note: This command is not available on PacketShaper ISP, PacketShaper 900 Lite, 1200, or PacketShaper 1400 Lite models.

frame add

is the IP address or DNS name of the FRAD.

is the SNMP community string of the FRAD.


frame community

Set a new SNMP community string on the PacketShaper. If the SNMP community read string on your local FRAD has changed from what it was when you configured the Frame Relay feature, you can use the frame community command to set the new string on the unit.

Note: This command is not available on PacketShaper ISP, PacketShaper 900 Lite, 1200, or PacketShaper 1400 Lite models.

frame community

is the system name or IP address of the FRAD.

is the SNMP community string of the PacketShaper.

In the interval of time before the unit has the new string, you will see that the frame show output no longer shows FRAD or PVC information. In addition, the partition show output will no longer show the min/max PVC partition sizes you might have previously set with the frame override command. However, the entire class tree will remain intact. The frame routing table will be blank.

After you use this command, the unit will be able to use this new string and communicate successfully with the FRAD on the next configuration update (which happens every five minutes; or you can force it by resetting the box). The frame show command will once again show the FRAD and PVC class/partition info, including the CIR/EIR values you might have originally set using the frame override command. The partition show command will show these CIR/EIR values as the min/max of the PVC partitions and the routing table will be populated once more.


frame delete

Delete a Frame Relay Access Device.

Note: This command is not available on PacketShaper ISP, PacketShaper 900 Lite, 1200, or PacketShaper 1400 Lite models.

frame delete

is the IP address or DNS name used when the FRAD entry was created, , or the Sysname (local system name) of the FRAD.

This command also deletes all traffic classes and partitions created to match the FRAD traffic. The frame delete command deletes the specified FRAD but does not clear the user-entered BGP neighbor information (that is, the static routes entered with the frame route add command). To clear out these entries you will need to issue the reset command.


frame options

Enable and disable the frame relay routing and discovery options for an existing FRAD, or set the default for all new FRADs created by subsequent frame add commands.

Note: This command is not available on PacketShaper ISP, PacketShaper 900 Lite, 1200, or PacketShaper 1400 Lite models.

frame options routing|discovery on|off default|

By default, both routing and discovery are enabled.

routing: Automatically fetch the IP routing tables for this device via SNMP and use in the Permanent Virtual Circuit (PVC) traffic class matching rules; also, create internal routing table in the PacketShaper.

discovery: Activate traffic discovery for all PVCs created for this frame device

The IP address or DNS name used when the FRAD entry was created, or the Sysname (local system name) of the FRAD


frame override

Set Committed Information Rate (CIR) and Excess Information Rate (EIR) values for PVC partitions.

Note: This command is not available on PacketShaper ISP, PacketShaper 900 Lite, 1200, or PacketShaper 1400 Lite models.

frame override off|[ ]

Note: After updating the CIR/EIR values with this command, reset the unit so that the new values will take effect.

Where:

The system name of your FRAD (use frame show to get this name)

The identifier of the serial interface on your FRAD associated with the given PVC (use frame show to get this number, shown in parentheses in the command output)

The Data Link Control Identifier (DLCI) of the given PVC

off: The option used if CIR/EIR values have already been set via this command and you want to disable them.

EIR, as used in PacketWise frame relay support, refers to the amount over the CIR such that CIR + EIR = maximum rate possible. Use frame show to check CIR and EIR values. The new values will be preceded by "LMI Override:".


frame route add

Map a PVC to the IP address of the correct BGP (Border Gateway Protocol) neighbor router so that each IP route can be associated with the correct PVC class. This operation is necessary when the SNMP OID for ipRouteIfIndex is missing (1.3.6.1.2.1.4.21.1.2).

Note: This command is not available on PacketShaper ISP, PacketShaper 900 Lite, 1200, or PacketShaper 1400 Lite models.

frame route add

is the system name or IP address of the FRAD.

is the IP address of the BGP neighbor router.

is the interface number on the router; this number is shown in the output of the frame show command for the given PVC.

is the data link connection identifier. A number of a switched virtual circuit in a Frame Relay network that tells the Frame Relay how to route the data. The DLCI field identifies which logical circuit the data travels over.

The frame routing table will show the association of each BGP route with the correct PVC class after the next configuration update (which happens every 15 minutes) or after the next software reset, whichever comes first.


frame route delete

Delete a static route mapping that was created with the frame route add command.

Note: This command is not available on PacketShaper ISP, PacketShaper 900 Lite, 1200, or PacketShaper 1400 Lite models.

frame route delete

is the system name or IP address of the FRAD.

is the IP address of the BGP neighbor from which you want to remove the mapping.


frame route show

Display routing tables that PacketWise has constructed based on routing information from the FRAD via SNMP polling. The FRAD must have a dynamic routing protocol enabled, and must have the routing option enabled on the PacketShaper.

Note: This command is not available on PacketShaper ISP, PacketShaper 900 Lite, 1200, or PacketShaper 1400 Lite models.

frame route show []

If you specify a , the output shows the IP routing tables associated with the specified FRAD name or IP address. If you don't specify a , the output displays the tables for all FRADs.

The output displays the subnets, the routing ID number used in the matching rule for the PVC class, and the full pathname of the PVC class. Dynamic and static routes are listed in separate tables. Routing ID numbers are chosen automatically by PacketWise, and are used to link a destination address with the PVC class to which it belongs.

This command gives the same output as the frame routing command.


frame routing

Display routing tables that PacketWise has constructed based on routing information from the FRAD via SNMP polling. The FRAD must have a dynamic routing protocol enabled, and must have the routing option enabled on the PacketShaper.

Note: This command is not available on PacketShaper ISP, PacketShaper 900 Lite, 1200, or PacketShaper 1400 Lite models.

frame routing []

If you specify a , the output shows the IP routing tables associated with the specified FRAD name or IP address. If you don't specify a , the output displays the tables for all FRADs.

The output displays the subnets, the routing ID number used in the matching rule for the PVC class, and the full pathname of the PVC class. Dynamic and static routes are listed in separate tables. Routing ID numbers are chosen automatically by PacketWise, and are used to link a destination address with the PVC class to which it belongs.

This command gives the same output as the frame route show command.


frame show

Display Frame Relay Access Device (FRAD) information.

Note: This command is not available on PacketShaper ISP, PacketShaper 900 Lite, 1200, or PacketShaper 1400 Lite models.

frame show []

Specify a by IP address or DNS name; or omit the parameter to display all configured FRADs.

Example:

FRAD Address:       10.12.27.2
SysName:            frad1
Traffic Discovery:  on
Auto Routing:       on

Interface      Act  DLCI  CIR   EIR  Partitions
Name(Number)
--------------------------------------------------------------------------
Se1(3)          +   100   1.5M  0    /Inbound/frad1-Se1/PVC_100
                                     /Outbound/frad1-Se1/PVC_100
Se1(3)          +   200   1.5M  0    /Inbound/frad1-Se1/PVC_200
                                     /Outbound/frad1-Se1/PVC_200

The output shows the FRAD's interface name and hardware port number, interface status ('+' in the Act column indicates active), the DLCI, the CIR and EIR values for the PVC, and the partition names.


frame statistics

Display statistics for the frame relay PVCs and associated partitions.

Note: This command is not available on PacketShaper ISP, PacketShaper 900 Lite, 1200, or PacketShaper 1400 Lite models.

frame statistics

The displayed rates include:

Actual: Measured at the FRAD serial interface

Part: Measured at the PacketWise partition

Target: Maximum possible rate for the partition when shaping is turned on, taking into account Forward/Backward Explicit Congestion Notification (FECN/BECN) counts and traffic on the PVC that bypasses the unit

All displayed rates are one-minute moving averages. The percentage values indicate the one-minute average percentage of frames with FECN or BECN bits set.


ftp

Start a client FTP session on a PacketShaper unit.

ftp


ftpget

Use File Transfer Protocol (FTP) to copy a file from an FTP server to a PacketShaper. The file is automatically copied in binary mode.

ftpget [[:]@]

is the user name to be used when FTP logs into the (the IP address or DNS name of the FTP server). If is omitted, the password is transmitted empty or blank. The default user name and password if both items are omitted are user=anonymous and [email protected].

Name of the file to be retrieved; specify a path if the file is not on the server's default directory

Name of the new file to be created on the PacketShaper. The filename must have an 8.3 format.

Notes:


The full path must be specified even if the file is in the unit's root directory. For example, if 9.256/test.cmd is specified for the , the will be copied to the root directory of the flash disk (9.256/) and will be named test.cmd. For more information about the drives and directories on the PacketShaper, see PacketShaper Directories.

If is not in 8.3 filename format, the FTP client will hang.

For example:

ftpget [email protected] test.cmd 9.256/test.cmd

If you want to transfer files on a regular basis, you can use the schedule command with the ftpget and ftpput commands to create a command file. See schedule new.


ftpput

Use File Transfer Protocol (FTP) to copy a file from the PacketShaper to an FTP server. The file is automatically copied in binary mode. This command is useful for transmitting PacketWise logs and diagnostic files to another machine.

ftpput [[:]@]

is the user name to be used when FTP logs into the (the IP address or DNS name of the FTP server). If is omitted, the password is transmitted empty or blank. The default user name and password if both items are omitted are user=anonymous and [email protected]

Name of the file to be retrieved from the PacketShaper

Note: The full path must be specified even if the file is in the unit's root directory. For example, if 9.256/test.cmd is specified for the , the test.cmd file in the root directory of the flash disk (9.256/) will be copied. For more information about the drives and directories on the PacketShaper, see PacketShaper Directories.

Name of the new file to be created; specify a path if you don't want to create the file in the server's default directory


ftpput [email protected] 9.258/log/events events


head

Display the first few lines of a file.

head [-]

The refers to how many lines are displayed; the default is 10 lines.

For example, this displays the first 10 lines of the file myfile.cmd:

head myfile.cmd

This displays the first 20 lines of the file myfile.cmd:

head -20 myfile.cmd


help

List available commands. Specify a command to view its syntax and usage details.

help []


highav add

Define an access router for the access-link monitoring (high availability) feature. This feature allows PacketShaper to deal with imperfect load-balancing and has the ability to respond to the occurrence of WAN link failure. When high availability is enabled, PacketWise can adjust partitions appropriately to prevent overloading any given WAN link and to account for lost available capacity due to router or link failure. High availability has two modes: basic and advanced.

highav add

where

IP address of the router

SNMP community string (password) for the router

Example:

highav add 10.10.10.10 pAss4WoRD


highav community

Change the community string of a high availability router. Use this command when the community string changes after you have already defined the router with the highav add command.

highav community

where

The router's IP address or system name

New SNMP community string (password) for the router


highav delete

Remove an existing router from the high availability configuration.

highav delete


highav disable

Disable link monitoring (basic mode) as well as link overload protection (advanced mode, if enabled).

highav disable


highav enable advanced

Enable two high availability features: link monitoring/resizing (as in basic mode) and link overload protection.

With the link monitoring/resizing feature, the PacketShaper polls the configured router(s) every 30 seconds to assess the status (link up or link down) of the WAN link interfaces. If a link goes down, PacketWise will automatically adjust the total available capacity by subtracting out the capacity of the down link.

With link overload protection, PacketWise can help prevent the overloading of an interface. PacketWise will use SNMP polling to access the actual throughput of each configured WAN link interface. If an interface approaches its configured capacity, PacketWise will pace the traffic sent through that interface to prevent overloading the link and reduce the number of retransmissions. This is accomplished by adjusting the size of the Inbound and Outbound partitions.

highav enable advanced

To turn off the advanced mode of high availability, use the highav disable command.


highav enable basic

Enable the link monitoring/resizing high availability feature. When this feature is enabled, PacketWise polls the configured router(s) every 30 seconds to assess the status (link up or link down) of the WAN link interfaces. If a link goes down, PacketWise will automatically adjust the total available capacity by subtracting out the capacity of the down link.

highav enable basic

Suppose you have two routers, A and B. Router A has two 200K interfaces and Router B has one 100K interface. The total available capacity is 500K (unless you have set up an override; see highav override). Now suppose one of Router A's 200K links goes down. With basic high availability enabled, PacketWise will not only detect the down link, it will also automatically reduce the total available capacity by the capacity of the down link (500K minus 200K = 300K).

To turn off the basic mode of high availability, use highav disable.


highav interface add

Define the WAN link interface used on a previously-defined access router.

highav interface add

where

The router's IP address or sysname

The name (ifname) or index number (ifindex) that identifies the interface. Examples of interface names are ethernet 3/1 and serial 0/1. It is recommended that you identify the interface by name, not index, because ifnames are unique and persistent while index numbers can change dynamically. If you are using Cisco IOS v12.1 or above and have configured the router to make the ifindex persistent, you can safely identify the interface by index number. Note that ifname was not available in Cisco IOS before v11.1.

Instructions for finding the ifName and ifIndex values for Cisco router interfaces

Maximum inbound throughput that is expected to pass through the interface. Rates may be specified as integer bits per second, followed by a k (thousands), M (millions), or G (billions).

Maximum outbound throughput that is expected to pass through the interface

Adding an interface will increase the router's available bandwidth unless you have set override values. The lowest value (override versus sum of interfaces) takes precedence. For example, suppose a router has two 400K interfaces and you have set an override of 600K. If you add another 200K interface, the override will take precedence (in other words, the router's available bandwidth will still be 600K). Make sure that you adjust your override after adding a new interface.
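The capacity arithmetic described for highav enable basic and for interface overrides, worked through in Python. This is an added example, not PacketWise code: the function names are hypothetical, it models a single direction, it accepts the rate suffix in either case, and it assumes that a down link is subtracted from the interface sum before the override comparison (the page does not say how the two interact).

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Multipliers for the suffixes the page lists: k (thousands), M (millions),
# G (billions). Matching is case-insensitive here because the page's own
# examples write "200K"; that leniency is an assumption of this example.
MULTIPLIER = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}

Interface = Tuple[str, bool]          # (configured rate, link is up)


def parse_rate(text: str) -> int:
    """Convert '400K', '2M' or '128000' to integer bits per second."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG]?)\s*", text)
    if not m:
        raise ValueError(f"not an integer rate with k/M/G suffix: {text!r}")
    return int(m.group(1)) * MULTIPLIER[m.group(2).lower()]


def router_capacity(interfaces: Iterable[Interface],
                    override: Optional[str] = None) -> int:
    """Available bandwidth of one router, in bits per second."""
    # Link monitoring: a down link contributes nothing to the sum.
    total = sum(parse_rate(rate) for rate, up in interfaces if up)
    # "The lowest value (override versus sum of interfaces) takes precedence."
    if override is not None:
        total = min(total, parse_rate(override))
    return total


def total_capacity(routers: Dict[str, Tuple[Iterable[Interface], Optional[str]]]) -> int:
    """Total available capacity across all configured routers."""
    return sum(router_capacity(ifs, ovr) for ifs, ovr in routers.values())


if __name__ == "__main__":
    # Routers A and B from the highav enable basic description.
    routers = {"A": ([("200K", True), ("200K", True)], None),
               "B": ([("100K", True)], None)}
    print(total_capacity(routers))                     # all links up
    routers["A"] = ([("200K", True), ("200K", False)], None)
    print(total_capacity(routers))                     # one of A's links down

    # Two 400K interfaces with a 600K override, then a 200K interface added.
    before = router_capacity([("400K", True), ("400K", True)], "600K")
    after = router_capacity([("400K", True), ("400K", True), ("200K", True)], "600K")
    print(before, after)                               # override still wins
```

Running the override case shows why the page tells you to adjust the override after adding an interface: the extra 200K is invisible until the 600K cap is raised.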


highav interface delete

Delete a previously-defined