A10 4.1.4-P1 Net PDF
Network Configuration Guide
for A10 Thunder® Series and AX™ Series
2 April 2018
© 2018 A10 NETWORKS, INC. CONFIDENTIAL AND PROPRIETARY- ALL RIGHTS RESERVED
ACOS 4.1.4-P1 Network Configuration Guide for A10 Thunder Series
Part I
Layer 2 Networking
Link Trunking
This chapter describes how to configure trunk links on the ACOS device.
• Overview
• Trunk Parameters
• LACP Passthrough
Overview
The ACOS device supports aggregation of multiple Ethernet data ports into logical links, called “trunks”.
Trunks can enhance performance by providing higher throughput and greater link reliability.
Higher throughput is provided by the aggregate throughput of the individual links in the trunk. Greater
link reliability is provided by the multiple links in the trunk. If an individual port in the trunk goes down,
the trunk link continues to operate using the remaining up ports in the trunk.
• Static trunks
• Dynamic trunks – You can enable Link Aggregation Control Protocol (LACP) on Ethernet data
interfaces, to make those interfaces candidate members of dynamically configured trunks.
Link Aggregation Control Protocol (LACP) dynamically creates trunk links. The ACOS implementation
of LACP is based on the 802.3ad IEEE specification. You can configure a maximum of 16
LACP trunks on an ACOS device. An interface can belong to a single LACP trunk.
NOTE: The number of trunks supported and number of ports that can be configured
per trunk vary depending on the specific device. In the CLI, use the ?
help command to determine the allowable values. In the GUI, the allowable
ranges are visible in the configurable fields.
Interface parameters for a trunk apply collectively to the entire trunk, as a single interface. For example,
IP addresses and other IP parameters apply to the entire trunk as a single interface.
Trunk Parameters
This section describes the parameters that can be configured for a trunk:
• Port-Threshold Parameters
• LACP Parameters
• Trunk Interface Name – You can assign a name to the trunk, in addition to the numeric ID you
specify when you create the trunk. The name can be 1-63 characters in length, can contain
numbers, upper case and lower case characters, and must not include the following symbols:
~!@#$%^&*()_+|}{:”<>?
• IPv4 and IPv6 parameters – You can assign one or more IPv4 and IPv6 addresses, and configure
other IP-related parameters such as IP helper or IPv6 neighbor discovery.
• Dynamic routing – You can configure interface-level OSPF and IS-IS parameters.
• Access list (ACL) – You can filter incoming traffic based on source and destination IPv4 or IPv6
address and protocol port, as well as additional parameters such as ICMP type and code or
VLAN ID.
• ICMP rate limiting – You can enable protection against distributed denial-of-service (DDoS)
attacks such as Smurf attacks, which consist of floods of spoofed broadcast ping messages.
• Layer 3 forwarding – Layer 3 forwarding is enabled by default. You can disable it.
If you want to allow Layer 3 forwarding except between VLANs, a separate option allows you to
disable Layer 3 forwarding between VLANs.
• Port threshold – Minimum number of individual member ports that must be Up in order for the
trunk to be Up. (See “Port-Threshold Parameters” on page 19.)
NOTE: The disable and enable commands at the interface configuration level
for the trunk control Layer 3 forwarding on the trunk but do not completely
disable the trunk. To control all forwarding on the trunk, use the
disable or enable command at the trunk configuration level instead.
For more information about these commands, see the “Config Commands: Interface” chapter of the
Command Line Interface Reference.
Port-Threshold Parameters
By default, a trunk’s status remains UP so long as at least one of its member ports is up. You can
change the ports threshold of a trunk to 2-8 ports.
If the number of up ports falls below the configured threshold, the ACOS device automatically disables
the trunk’s member ports. The ports are disabled in the running-config. The ACOS device also generates
a log message and an SNMP trap, if these services are enabled.
NOTE: After the feature has disabled the members of the trunk group, the ports
are not automatically re-enabled. The ports must be re-enabled manually
after the issue that caused the ports to go down has been resolved.
In some situations, a timer is used to delay the ports-threshold action. The configured port threshold is
not enforced until the timer expires. The ports-threshold timer for a trunk is used in the following
situations:
• The port threshold for the trunk is configured during runtime. (If the threshold is set in the
startup-config, the timer is not used.)
LACP Parameters
By default, a trunk’s status remains Up so long as at least one of its member ports is up. You can
change the ports threshold of a trunk to 2-8 ports.
Because a trunk comprises several member links, if the number of operational members of a trunk goes
below the configured threshold value, the remaining member links are automatically marked as
“blocked” and the trunk is considered non-operational. When the down link is functional again, the
remaining links that were marked blocked are also operational again, making the trunk available for
use.
NOTE: If you administratively disable the LACP feature from members of the
trunk group, the links are not automatically re-enabled. The links must be
re-enabled manually after the issue that caused the links to go down has
been resolved.
• LACP trunk ID – ID of a dynamic trunk. Adding an interface to an LACP trunk makes that interface
a candidate for membership in the trunk. During negotiation with the other side of the link, LACP
selects the interfaces to actively participate in the link. When you add an interface, you must
specify whether LACP will run in active or passive mode on the interface. Active mode initiates
link formation with the other end of the link. Passive mode waits for the other end of the link to
initiate link formation. The admin key must match on all interfaces in the trunk. The value can be
1-4096.
• LACP port priority – Priority of the interface for selection as an active member of a link. If the
LACP trunk has more candidate members than are allowed by the device at the other end of the
link, LACP selects the interfaces with the highest port priority values as the active interfaces. The
other interfaces are standbys, and are used only if an active interface goes down. You can specify
1-65535. A low priority number indicates a high priority value. The highest priority is 1 and the
lowest priority is 65535. The default is 32768.
• LACP timeout – Aging timeout for LACP data units from the other end of the LACP link. You can
specify short (3 seconds) or long (90 seconds). The default is long.
• Mode – Indicate whether you want LACP to operate in Active or Passive Mode. The Active mode
initiates link formation with the other end of the link. In this case, the ACOS device will send the
LACP frame to its link partner. Passive mode waits for the other end of the link to initiate link
formation. In this case, the ACOS device will only send an LACP frame if it receives an LACP frame
from the link partner.
• Admin Key – The admin key must match on all interfaces in the trunk. The value can be
10000-65535.
• Unidirectional Link Detection (UDLD) – UDLD checks the links in LACP trunks to ensure that both
the send and receive sides of each link are operational. UDLD can only be configured on the single
port LACP trunk. UDLD is not supported on multilink LACP trunks. (For more information, see
“Unidirectional Link Detection” on page 22.)
A link that is blocked by LACP can still receive LACP protocol packets but blocks all other traffic.
UDLD is disabled by default on LACP trunk links. You can enable UDLD on individual LACP trunk
interfaces.
Heartbeat Timeout
The local port waits for a configurable timeout to receive an LACP protocol packet from the remote
port. If an LACP protocol packet does not arrive before the timeout expires, LACP disables the local
port. You can set the timeout to 1-60 seconds (slow timeout) or 100-1000 milliseconds (fast timeout).
The default is 1 second.
If the remote port begins sending LACP protocol packets again, LACP on the local port re-enables the
port.
Requirements
To operate properly, UDLD must be supported and enabled on both devices that are using LACP trunk
links.
It is recommended to use auto-negotiation on each end of the link to establish the mode (half duplex or
full duplex). Auto-negotiation helps ensure link bidirectionality at Layer 1, while UDLD helps at Layer 2.
Static Trunk Configuration
You must repeat this series of commands for each interface you want to add to a trunk.
The following commands configure trunk 7 with ports 1 and 2, and verify the configuration:
The following commands access the interface configuration level for the trunk and assign a name, an
IPv6 address along with port threshold parameters to the trunk interface:
Dynamic Trunk Configuration
NOTE: These steps assume that you have already created an LACP dynamic
trunk. See Use the GUI to Configure an LACP Trunk.
2. Assign the interface to the LACP trunk, using the following command:
ACOS(config-if:ethernet:1)# trunk-group 4 lacp
ACOS(config-if:ethernet:1-trunk-group:4)#
3. (Optional) Specify the LACP priority of the interface, using the following command:
ACOS(config-if:ethernet:1-trunk-group:4)# port-priority 100
4. (Optional) Specify the aging timeout for LACP data units from the other end of the LACP link, using
the following command:
ACOS(config-if:ethernet:1-trunk-group:4)# timeout short
You can specify short (3 seconds) or long (90 seconds). The default is long.
5. (Optional) Specify the UDLD aging timeout, using the following command:
ACOS(config-if:ethernet:1-trunk-group:4)# udld timeout slow 1
You can specify fast (100-1000 milliseconds) or slow (1-60 seconds). The default is slow 1.
6. (Optional) Configure ports-threshold settings. Specify the minimum number of ports that must
remain up, using the ports-threshold command at the LACP trunk configuration level of the CLI:
ACOS(config)# interface trunk 4
1. Change the CLI to the configuration level for the trunk interface.
ACOS(config)# interface trunk 4
ACOS(config-if:trunk:4)#
2. Enter ? for a list of the commands applicable at this level. (For information, see the CLI Reference.)
vThunder(config-if:trunk:4)# ?
  access-list           Apply ACL rules to incoming packets on this interface
  bfd                   Configure BFD (Bidirectional Forwarding Detection)
  clear                 Clear or Reset Functions
  do                    To run exec commands in config mode
  end                   Exit from configure mode
  exit                  Exit from configure mode or sub mode
  icmp-rate-limit       Limit ICMP traffic to this interface
  icmpv6-rate-limit     Limit ICMPv6 traffic to this interface
  ip                    Global IP configuration subcommands
  ipv6                  Global IPv6 configuration subcommands
  isis                  ISIS
  l3-vlan-fwd-disable   Disable L3 forwarding between VLANs
  lw-4o6                Configure LW-4over6 interface
  mtu                   Interface mtu
  name                  Name for the interface
  no                    Negate a command or set its defaults
  ports-threshold       Threshold for the minimum number of ports that need to
                        be UP for the trunk to remain UP
NOTE: The commands listed at this level depend on the device model and the
ACOS software release.
For more information about these commands, see “Config Commands: Interface” on page 105.
LACP Passthrough
LACP passthrough allows the ACOS device to forward traffic on one trunk that originated on another
trunk that is down. With this feature, if an LACP trunk goes down, the other trunk is used to continue
connectivity for the traffic.
This feature can be useful in topologies that use LACP and where multiple ACOS devices connect to the
server farm. In this type of topology, if the ACOS device acts as a proxy for client-server traffic, LACP
passthrough can help prevent sessions from being dropped following failover from one LACP trunk to
another.
LACP passthrough creates a tunnel from one LACP trunk to another through the ACOS device. One end
of the tunnel is connected to clients and the other end of the tunnel is connected to the servers.
In this example, two ACOS devices are connected through redundant device pairs to clients and serv-
ers. Two VLANs are used, 210 and 220. Each ACOS device has trunk interfaces in both VLANs:
Link monitoring is configured to automatically disable all interfaces on a trunk if any of its ports goes
down.
Without LACP passthrough, if trunk 1 goes down, existing client connections on that trunk stop working.
This occurs even if the client traffic begins to arrive on trunk 2. With LACP configured as described
above, the ACOS device continues service for the client-server sessions without interruption.
Notes
• The current release supports LACP passthrough only on untagged VLAN ports. Tagged ports are
not supported in this release.
• Each LACP passthrough tunnel can contain two Ethernet data ports. These ports must be in the
same VLAN and use the same Virtual Ethernet (VE) interface. One of the ports must be connected
to the clients. The other port must be connected to the servers.
• This feature requires use of the link monitoring and automatic disable feature to bring all of a
trunk’s ports down if any of its ports goes down. (See “Link Monitoring” in the System Configuration
and Administration Guide.)
• Similarly, the nexthop devices that connect the ACOS device to the clients and servers must be
configured to bring a trunk down when any of its member ports goes down.
Configuration
This example configures LACP passthrough for the physical interfaces in VLAN 210 in Figure 1.
The following commands configure LACP passthrough between interfaces 6 and 5, and between
interfaces 10 and 9:
In this example, LACP has dynamically created two trunks, 5 and 10. Trunk 5 contains ports 1 and 2.
Trunk 10 contains port 6.
The following command shows details about the LACP admin keys:
% Admin Key: 3
bandwidth: 1
mtu: 16436
duplex mode: 0
hardware type: 1
type: 0
additional parameter: 0
ref count: 14
% Admin Key: 4
bandwidth: 1
mtu: 1500
duplex mode: 0
hardware type: 2
type: 0
additional parameter: 0
ref count: 6
The following command shows detailed information for all LACP trunks:
The Link Layer Discovery Protocol (LLDP) enables network devices to advertise their identity,
capabilities, and neighbors on the network. This feature is based on the IEEE 802.1AB standard and the
standard MIB called “LLDP-V2-MIB.”
• http://www.mibdepot.com/cgi-bin/getmib3.cgi?win=mib_a&i=1&n=IP-MIB&r=vmware&f=LLDP-V2-MIB.mib&v=v2&t=def
• http://www.ieee802.org/1/files/public/MIBs/LLDP-V2-MIB-200906080000Z.txt
• Overview of LLDP
• Configure LLDP
Overview of LLDP
LLDP allows ACOS devices to discover directly-connected LAN neighbors and allows these neighbors
to discover the ACOS devices. Configure LLDP only in the shared partition.
Since the LLDP protocol can transmit or receive information on system capabilities, but cannot request
specific information from an LLDP agent or acknowledge receipt of information, it is called a “one-way
protocol.”
The Link Layer Discovery Protocol Data Unit (LLDPDU) contains several elements of variable length
that make up the LLDP frame. These elements are type, length, and value fields (TLVs),
where type identifies the kind of information that is transmitted, length gives the length of the value
in octets, and value is the actual content that is being transmitted. The mandatory information that is
transmitted comprises the TLVs for the chassis ID, the port ID, the Time to Live, and the end of the LLDP
data packet. The LLDPDU can also contain zero or more optional TLVs. For the duration of an operational
port, the chassis ID and the port ID information remain the same.
A Time to Live TLV with a non-zero value informs the receiving LLDP agent to discard the LLDP data
packet after the indicated time expires. A zero value directs the receiving LLDP agent to discard the
LLDP packet immediately. As the name suggests, the End of LLDP data packet TLV indicates the completion
of the LLDP packet.
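The TLV layout described above can be checked with a strict parser that rejects truncated or misordered LLDPDUs before any field is trusted. This is an added example, not A10 code: it uses the IEEE 802.1AB encoding (7-bit type, 9-bit length), and the function names and the sample frame are constructed for illustration.

```python
import struct

# TLV type codes defined by IEEE 802.1AB for the mandatory TLVs named above.
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYSTEM_NAME = 5  # one optional TLV, used only in the constructed sample


class LLDPError(ValueError):
    """The LLDPDU is truncated or violates the mandatory TLV layout."""


def make_tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in a 2-octet header."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(pdu):
    """Yield (type, value) for each TLV up to and including End of LLDPDU."""
    offset = 0
    while offset < len(pdu):
        if offset + 2 > len(pdu):
            raise LLDPError("truncated TLV header")
        (header,) = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(pdu):
            raise LLDPError("TLV length runs past the end of the LLDPDU")
        if tlv_type == TLV_END and length != 0:
            raise LLDPError("End of LLDPDU TLV must be empty")
        yield tlv_type, pdu[offset:offset + length]
        offset += length
        if tlv_type == TLV_END:
            return  # anything after the End TLV is padding and is ignored
    raise LLDPError("missing End of LLDPDU TLV")


def parse_lldpdu(pdu):
    """Validate the mandatory TLVs and return the decoded fields."""
    tlvs = list(iter_tlvs(pdu))
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise LLDPError("Chassis ID, Port ID and TTL must be the first three TLVs")
    chassis, port, ttl = (value for _, value in tlvs[:3])
    if len(chassis) < 2 or len(port) < 2 or len(ttl) != 2:
        raise LLDPError("mandatory TLV has an invalid length")
    (ttl_seconds,) = struct.unpack("!H", ttl)
    return {
        "chassis_subtype": chassis[0], "chassis_id": chassis[1:],
        "port_subtype": port[0], "port_id": port[1:],
        "ttl": ttl_seconds,
        "discard_now": ttl_seconds == 0,  # zero TTL: discard immediately
        "optional": [(t, v) for t, v in tlvs[3:] if t != TLV_END],
    }


def sample_lldpdu(ttl=120):
    """Constructed LLDPDU: MAC chassis ID, interface-name port ID, one optional TLV."""
    return b"".join([
        make_tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("02005e000001")),
        make_tlv(TLV_PORT_ID, b"\x05" + b"ethernet 2"),
        make_tlv(TLV_TTL, struct.pack("!H", ttl)),
        make_tlv(TLV_SYSTEM_NAME, b"ACOS-lab"),
        make_tlv(TLV_END, b""),
    ])


if __name__ == "__main__":
    print(parse_lldpdu(sample_lldpdu()))
```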
Configure LLDP
This section describes how to configure LLDP:
The example below shows how to enable LLDP on an interface (Ethernet 2):
This chapter describes support for VLAN and for VLAN-to-VLAN bridging.
• VLAN Overview
• VLAN-to-VLAN Bridging
VLAN Overview
A VLAN is a Layer 2 broadcast domain. MAC-layer broadcast traffic can be flooded within the VLAN but
does not cross to other VLANs. For traffic to go from one VLAN to another, it must be routed.
You can segment the ACOS device into multiple VLANs. Each Ethernet data port can be a member of
one or more VLANs, depending on whether the port is tagged or untagged:
• Tagged – Tagged ports can be members of multiple VLANs. The port can recognize the VLAN to
which a packet belongs based on the VLAN tag included in the packet.
• Untagged – Untagged ports can belong to only a single VLAN. By default, all Ethernet data ports
are untagged members of VLAN 1.
NOTE: A tagged port is a physical port to which a tagged VLAN is bound, while
an untagged port is a physical port to which an untagged VLAN is bound.
See the Example of Tagged and Untagged Ports section for how these
ports are configured.
On a new or unconfigured ACOS device, as soon as you configure an IP address on any individual
Ethernet data port or trunk interface, Layer 2 forwarding on VLAN 1 is disabled.
When Layer 2 forwarding on VLAN 1 is disabled, broadcast, multicast, and unknown unicast packets
are dropped instead of being forwarded. Learning is also disabled on the VLAN. However, packets for
the ACOS device itself (for example, LACP or OSPF) are not dropped.
To re-enable Layer 2 forwarding on VLAN 1, use the following command at the global configuration
level of the CLI:
Each VLAN can have one VE. The VE ID must be the same as the VLAN ID. For example, VLAN 2 can
have VE 2, VLAN 3 can have VE 3, and so on.
2. Configure VLAN 10. Bind Ethernet port 1 to a tagged VLAN 10. The 802.1Q tag is 10. Bind a
network interface to the tagged port:
ACOS(config)# vlan 10
ACOS(config-vlan:10)# tagged ethernet 1
ACOS(config-vlan:10)# router-interface ve 10
ACOS(config-vlan:10)# exit
3. Configure VLAN 11. Bind Ethernet port 1 to a tagged VLAN 11. The 802.1Q tag is 11. Bind a
network interface to the tagged port:
ACOS(config)# vlan 11
ACOS(config-vlan:11)# tagged ethernet 1
ACOS(config-vlan:11)# router-interface ve 11
ACOS(config-vlan:11)# exit
4. Configure VLAN 5. Bind Ethernet port 7 to an untagged VLAN 5. Bind a network interface to the
untagged port:
ACOS(config)# vlan 5
ACOS(config-vlan:5)# untagged ethernet 7
ACOS(config-vlan:5)# router-interface ve 5
ACOS(config-vlan:5)# exit
Router Interface: ve 5
Router Interface: ve 10
Router Interface: ve 11
VLAN-to-VLAN Bridging
This section contains the following topics:
tightly controlled through the ACOS device without the need to reconfigure the hosts in the separate
VLANs.
VLAN-to-VLAN bridging is useful in cases where reconfiguring the hosts on the network either into the
same VLAN, or into different IP subnets, is not desired or is impractical.
You can configure a bridge VLAN group to forward one of the following types of traffic:
• IP traffic only (the default) – This option includes typical traffic between end hosts, such as ARP
requests and responses.
This option does not forward multicast packets.
• All traffic – This option forwards all types of traffic.
In this example, the ACOS devices are bridging traffic between VLAN 4 and VLAN 5.
Each VLAN to be bridged must be configured on the ACOS device. The normal rules for tagging apply:
• If the interface belongs to more than one VLAN, the interface must be tagged.
Each bridge VLAN group can have a maximum of 8 member VLANs. Traffic from any VLAN in the group
is bridged to all other VLANs in the group. The total number of bridge VLAN groups on the system
(including those in L3V partitions) cannot exceed 255.
If the ACOS device is deployed in gateway mode, a Virtual Ethernet (VE) interface is required in the
bridge VLAN group.
1. Configure each of the VLANs to be bridged. In each VLAN, add the ACOS device’s interfaces to the
VLAN.
2. Configure a bridge VLAN group. Add the VLANs to the group.
If the ACOS device is deployed in routed mode, add a Virtual Ethernet (VE) interface to the group.
Optionally, you can assign a name to the group. You also can change the types of traffic to be
bridged between VLANs in the group.
3. If the ACOS device is deployed in routed mode, configure an IP address on the VE to place the
ACOS device in the same subnet as the bridged VLANs.
ACOS(config)# vlan 2
ACOS(config-vlan:2)# tagged ethernet 2
ACOS(config-vlan:2)# exit
ACOS(config)# vlan 3
ACOS(config-vlan:3)# tagged ethernet 3
ACOS(config-vlan:3)# exit
ACOS(config)# bridge-vlan-group 1
ACOS(config-bridge-vlan-group:1)# vlan 2 to 3
ACOS(config-bridge-vlan-group:1)# exit
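The membership rules in this chapter (an untagged port belongs to only one VLAN, the VE ID must equal the VLAN ID, a bridge VLAN group has at most 8 member VLANs, and each bridged VLAN must be configured) can be checked against a saved command sequence. This is an added example, not A10 code: it handles only the command forms shown in this guide, assumes a bare "vlan N" inside a group adds one member, and ignores the default untagged membership in VLAN 1. The first sample repeats the VLAN 10, 11 and 5 commands from this chapter; the second is constructed.

```python
import re
from collections import defaultdict

MAX_BRIDGE_GROUP_VLANS = 8  # per-group limit stated in the guide
PROMPT = re.compile(r"^\S+\(config[^)]*\)\s*#\s*")  # e.g. "ACOS(config-vlan:10)# "


def parse_config(text):
    """Parse the VLAN and bridge-vlan-group command forms shown in the guide."""
    vlans = {}   # VLAN ID -> {"tagged": set, "untagged": set, "ve": int or None}
    groups = {}  # bridge VLAN group ID -> list of member VLAN IDs
    ctx = None   # ("vlan", id), ("group", id), or None at the global level
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[0] == "exit":
            ctx = None
        elif words[0] == "bridge-vlan-group" and len(words) == 2:
            ctx = ("group", int(words[1]))
            groups.setdefault(ctx[1], [])
        elif words[0] == "vlan" and ctx and ctx[0] == "group":
            # "vlan 2 to 3" is the form in the guide; a bare "vlan N" is assumed
            first = int(words[1])
            last = int(words[3]) if len(words) == 4 and words[2] == "to" else first
            groups[ctx[1]].extend(range(first, last + 1))
        elif words[0] == "vlan" and len(words) == 2:
            ctx = ("vlan", int(words[1]))
            vlans.setdefault(ctx[1], {"tagged": set(), "untagged": set(), "ve": None})
        elif ctx and ctx[0] == "vlan" and len(words) == 3:
            if words[0] in ("tagged", "untagged") and words[1] == "ethernet":
                vlans[ctx[1]][words[0]].add(int(words[2]))
            elif words[:2] == ["router-interface", "ve"]:
                vlans[ctx[1]]["ve"] = int(words[2])
    return vlans, groups


def audit(text):
    """Return a list of findings; an empty list means no rule was violated."""
    vlans, groups = parse_config(text)
    findings = []
    membership = defaultdict(set)  # port -> VLANs the port is a member of
    for vid, vlan in vlans.items():
        for port in vlan["tagged"] | vlan["untagged"]:
            membership[port].add(vid)
    for vid, vlan in sorted(vlans.items()):
        for port in sorted(vlan["untagged"]):
            others = sorted(membership[port] - {vid})
            if others:
                findings.append(
                    f"ethernet {port}: untagged in VLAN {vid} but also in VLAN(s) {others}")
        if vlan["ve"] is not None and vlan["ve"] != vid:
            findings.append(f"VLAN {vid}: router-interface ve {vlan['ve']} must be ve {vid}")
    for gid, members in sorted(groups.items()):
        unique = set(members)
        if len(unique) > MAX_BRIDGE_GROUP_VLANS:
            findings.append(f"bridge-vlan-group {gid}: {len(unique)} member VLANs, limit is 8")
        missing = sorted(unique - set(vlans))
        if missing:
            findings.append(f"bridge-vlan-group {gid}: VLAN(s) {missing} are not configured")
    return findings


# Commands as shown in this chapter for VLANs 10, 11 and 5.
GUIDE_CONFIG = """
ACOS(config)# vlan 10
ACOS(config-vlan:10)# tagged ethernet 1
ACOS(config-vlan:10)# router-interface ve 10
ACOS(config-vlan:10)# exit
ACOS(config)# vlan 11
ACOS(config-vlan:11)# tagged ethernet 1
ACOS(config-vlan:11)# router-interface ve 11
ACOS(config-vlan:11)# exit
ACOS(config)# vlan 5
ACOS(config-vlan:5)# untagged ethernet 7
ACOS(config-vlan:5)# router-interface ve 5
ACOS(config-vlan:5)# exit
"""

# Constructed input that breaks each rule once.
BROKEN_CONFIG = """
ACOS(config)# vlan 20
ACOS(config-vlan:20)# untagged ethernet 7
ACOS(config-vlan:20)# exit
ACOS(config)# vlan 21
ACOS(config-vlan:21)# untagged ethernet 7
ACOS(config-vlan:21)# router-interface ve 30
ACOS(config-vlan:21)# exit
ACOS(config)# bridge-vlan-group 1
ACOS(config-bridge-vlan-group:1)# vlan 20 to 29
ACOS(config-bridge-vlan-group:1)# exit
"""

if __name__ == "__main__":
    for finding in audit(BROKEN_CONFIG):
        print(finding)
```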
• Only the active device in the VRID will respond to ARP requests from devices in the bridged VLAN.
• The active VRRP-A device forwards any traffic passing through the bridge VLAN (destined for
10.1.1.1), and processes any traffic destined for the bridge VLAN VE IP address (10.1.1.2).
• The standby VRRP-A device drops any traffic passing through the bridge VLAN (destined for
10.1.1.1), but processes any traffic destined for the bridge VLAN VE IP address (10.1.1.2).
• On a failover, the new active device will forward any traffic passing through the bridge VLAN
(destined for 10.1.1.3).
The commands in this section configure the topology shown in Figure 2; two ACOS devices deployed in
routed mode to forward IP traffic between VLANs 4 and 5 on IP subnet 10.10.1.x.
Enabling l3-inline-mode and restart-port-list in the configuration are mandatory for VLAN-to-VLAN
bridging with VRRP-A. All interfaces which are part of the bridge VLAN group must be included in the
restart-port-list.
The vrid-lead configuration is used for L3V partitions to follow the vrid-lead of the shared partition.
Since only one VRID can be configured in a given partition when l3-inline-mode is enabled, all L3V
partitions will end up following the same VRID of the shared partition.
On each ACOS device, the following commands configure the VLANs (example shown for Device 1):
ACOS1(config)# vlan 4
ACOS1(config-vlan:4)# tagged ethernet 2
ACOS1(config-vlan:4)# exit
ACOS1(config)# vlan 5
ACOS1(config-vlan:5)# tagged ethernet 3
ACOS1(config-vlan:5)# exit
On each ACOS device, the following commands configure the bridge VLAN group, which includes a VE
(example shown for Device 1):
ACOS1(config)# bridge-vlan-group 1
ACOS1(config-bridge-vlan-group:1)# vlan 4 to 5
ACOS1(config-bridge-vlan-group:1)# router-interface ve 4
ACOS1(config-bridge-vlan-group:1)# exit
ACOS1(config)# interface ve 4
ACOS1(config-if:ve:4)# ip address 10.1.1.2 /24
ACOS1(config-if:ve:4)# exit
ACOS2(config)# interface ve 4
Part II
Layer 3 Networking
• Overview of DHCP
• Enable DHCP
Overview of DHCP
Dynamic Host Configuration Protocol (DHCP) is a mechanism commonly used by clients to auto-discover
their addressing and other configuration information when connected to a network. On ACOS
devices, DHCP configuration supports IP address, subnet masks, default gateway, and classless static
routes (option 121) from the DHCP server.
You can enable use of DHCP to dynamically configure IP addresses on the following types of
interfaces:
Virtual servers and IP NAT pools are also able to use the DHCP-assigned address of a given data
interface. If this option is enabled, ACOS updates the VIP or pool address any time the specified data
interface’s IP address is changed by DHCP.
Notes
• DHCP can be enabled on an interface only if that interface does not already have any statically
assigned IP addresses.
• On ACOS devices deployed in gateway (Layer 3) mode, Ethernet data interfaces can have multiple
IP addresses. An interface can have a combination of dynamically assigned addresses (by
DHCP) and statically configured addresses. However, if you plan to use both methods of address
configuration, static addresses can be configured only after you finish using DHCP to dynamically
configure addresses. To use DHCP in this case, you must first delete all the statically configured
IP addresses from the interface.
• On vThunder models, if single-IP mode is used, DHCP can be enabled only at the physical inter-
face level.
• On devices deployed in Transparent (Layer 2) mode:
• You can enable DHCP on the management interface and at the global level.
• The VIP address and pool NAT address (if used) should match the global data IP address of the
device. Make sure to enable this option when configuring the VIP or pool.
Enable DHCP
Using the GUI
1. Hover over Network in the navigation bar, and select Interface from the drop-down menu.
2. Depending on the type of interface on which to configure this feature, select LAN, Virtual Ethernet
or Trunk from the menu bar.
3. Click Edit in the actions column for the interface on which to configure this feature.
4. Expand the IP section to reveal additional configuration options.
5. Select the checkbox in the DHCP field.
6. Click Update.
To enable DHCP on an interface, use the ip address dhcp command at the configuration level for the
interface:
Configure DHCP Relays
You can configure the ACOS device to relay DHCP traffic between DHCP clients and DHCP servers
located in different VLANs or subnets.
DHCP relay is supported only for the standard DHCP protocol ports:
DHCP is a Client-Server protocol and relies on broadcast communication between the client and server
for packet exchanges. Accordingly, the clients and the servers must be in the same broadcast domain
(Layer 2 VLAN) for this to work, since Layer 3 routers typically do not forward broadcasts. However, in
most deployments it is not practical to have a DHCP server in each Layer 2 VLAN. Instead, it is typical
to use a common DHCP server for all VLANs and subnets in the network.
Notes
• In the current release, the helper-address feature provides service for DHCP packets only.
• The interface on which the helper address is configured must have an IP address.
• The helper address cannot be the same as the IP address on any interface or an IP address used
for SLB.
To configure the ACOS device as a DHCP relay, configure the DHCP server IP address as a helper
address on the IP interface connected to DHCP clients. The ACOS device intercepts broadcast DHCP
packets sent by clients on the interface configured with the helper address.
The ACOS device then places the receiving interface’s IP address (not the helper address) in the relay
gateway address field, and forwards the DHCP packet to the server. When the DHCP server replies, the
ACOS device forwards the response to the client.
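The relay step described above, modeled on the BOOTP fixed header as an added example (not ACOS code and not part of the original guide). The interface addresses, the `MAX_HOPS` ceiling (taken from RFC 1542, since this page does not state the ACOS limit) and the drop-reason strings are assumptions of the example.

```python
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAX_HOPS = 16     # assumption: RFC 1542 ceiling; the ACOS limit is not given on this page
GIADDR_OFF = 24   # byte offset of giaddr inside the BOOTP fixed header
MIN_LEN = 240     # 236-byte BOOTP header plus the 4-byte DHCP magic cookie

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
_HDR = struct.Struct("!BBBBIHH4s4s4s4s")


def build_packet(op, xid, mac, giaddr="0.0.0.0", hops=0):
    """Build a minimal constructed DHCP packet (broadcast flag set, no real options)."""
    zero = b"\x00" * 4
    hdr = _HDR.pack(op, 1, 6, hops, xid, 0, 0x8000, zero, zero, zero,
                    ipaddress.IPv4Address(giaddr).packed)
    body = mac.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128  # chaddr, sname, file
    return hdr + body + b"\x63\x82\x53\x63" + b"\xff"              # cookie + end option


def parse(packet):
    """Return the header fields the relay logic cares about."""
    op, _, _, hops, xid, _, _, _, _, _, gi = _HDR.unpack_from(packet)
    return {"op": op, "hops": hops, "xid": xid,
            "giaddr": str(ipaddress.IPv4Address(gi))}


def relay_request(packet, rx_if_ip, helper_ip):
    """Relay a client broadcast toward the helper address.

    Returns (helper_ip, new_packet) on success or (None, reason) on drop.
    giaddr is set to the receiving interface's address, never the helper address,
    and is left untouched if an earlier relay already filled it in.
    """
    if len(packet) < MIN_LEN:
        return None, "too-short"
    fields = parse(packet)
    if fields["op"] != BOOTREQUEST:
        return None, "invalid-op"
    if fields["hops"] > MAX_HOPS:
        return None, "hops-exceeded"
    out = bytearray(packet)
    out[3] = fields["hops"] + 1
    if fields["giaddr"] == "0.0.0.0":
        out[GIADDR_OFF:GIADDR_OFF + 4] = ipaddress.IPv4Address(rx_if_ip).packed
    return helper_ip, bytes(out)


def client_interface_for_reply(packet, interfaces):
    """Pick the client-facing interface for a server reply by matching giaddr."""
    if len(packet) < MIN_LEN:
        return None
    fields = parse(packet)
    if fields["op"] != BOOTREPLY:
        return None
    for name, ip in interfaces.items():
        if ip == fields["giaddr"]:
            return name
    return None


if __name__ == "__main__":
    # Constructed addresses: 10.1.1.2 is the client-facing interface,
    # 100.100.100.1 is the helper address used in the guide's sample output.
    mac = bytes.fromhex("001122334455")
    dest, relayed = relay_request(build_packet(BOOTREQUEST, 0x1234, mac),
                                  "10.1.1.2", "100.100.100.1")
    print(dest, parse(relayed))
    reply = build_packet(BOOTREPLY, 0x1234, mac, giaddr="10.1.1.2")
    print(client_interface_for_reply(reply, {"ve5": "10.1.1.2", "ve7": "100.100.100.2"}))
```

Because the server selects its address pool from giaddr and the relay uses the same field to find the client's interface, a giaddr that does not belong to a relay interface is a useful thing to alert on.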
1. Hover over Network in the navigation bar, and select Interface from the drop-down menu.
2. Depending on the type of interface on which to configure this feature, select LAN, Virtual Ethernet
or Trunk from the menu bar.
3. Click Edit in the actions column for the interface on which to configure this feature.
4. Expand the IP section to reveal additional configuration options.
5. Specify an IP address for the IP Helper Address field.
6. Click Add.
7. You can add up to 2 helper addresses per interface.
8. Click Update.
The show ip helper-address command shows summary DHCP relay information:
Use the detail parameter to view additional detailed DHCP relay information:
IP Interface: ve5
------------
Helper-Address: 100.100.100.1
Packets:
RX: 16
BootRequest Packets : 16
BootReply Packets : 0
TX: 14
BootRequest Packets : 0
BootReply Packets : 14
No-Relay: 0
Drops:
Invalid BOOTP Port : 0
Invalid IP/UDP Len : 0
Invalid DHCP Oper : 0
Exceeded DHCP Hops : 0
Invalid Dest IP : 0
Exceeded TTL : 0
No Route to Dest : 2
IP Interface: ve7
------------
Helper-Address: None
Packets:
RX: 14
BootRequest Packets : 0
BootReply Packets : 14
TX: 14
BootRequest Packets : 14
BootReply Packets : 0
No-Relay: 0
Drops:
Invalid BOOTP Port : 0
Invalid IP/UDP Len : 0
Invalid DHCP Oper : 0
Exceeded DHCP Hops : 0
Invalid Dest IP : 0
Exceeded TTL : 0
No Route to Dest : 0
Dest Processing Err : 0
Descriptions for the fields in both outputs are available in the Command Line Interface Reference.
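For monitoring, the detail output above can be parsed and checked for non-zero drop counters. The following is an added example (not an A10 tool); the parser assumes the line layout shown in the sample output, and the request-accounting check is a heuristic of the example, not a documented ACOS invariant.

```python
import re

# Text copied from the "show ip helper-address detail" sample output on this page.
SAMPLE = """\
IP Interface: ve5
------------
Helper-Address: 100.100.100.1
Packets:
RX: 16
BootRequest Packets : 16
BootReply Packets : 0
TX: 14
BootRequest Packets : 0
BootReply Packets : 14
No-Relay: 0
Drops:
Invalid BOOTP Port : 0
Invalid IP/UDP Len : 0
Invalid DHCP Oper : 0
Exceeded DHCP Hops : 0
Invalid Dest IP : 0
Exceeded TTL : 0
No Route to Dest : 2
IP Interface: ve7
------------
Helper-Address: None
Packets:
RX: 14
BootRequest Packets : 0
BootReply Packets : 14
TX: 14
BootRequest Packets : 14
BootReply Packets : 0
No-Relay: 0
Drops:
Invalid BOOTP Port : 0
Invalid IP/UDP Len : 0
Invalid DHCP Oper : 0
Exceeded DHCP Hops : 0
Invalid Dest IP : 0
Exceeded TTL : 0
No Route to Dest : 0
Dest Processing Err : 0
"""

_KV = re.compile(r"^(.+?)\s*:\s*(.*)$")


def parse_helper_detail(text):
    """Parse the detail output into {interface: {helper, rx, tx, no_relay, drops}}."""
    interfaces, cur, section = {}, None, None
    for raw in text.splitlines():
        m = _KV.match(raw.strip())
        if not m:
            continue  # separator lines such as "------------"
        key, val = m.group(1), m.group(2)
        if key == "IP Interface":
            cur = interfaces[val] = {"helper": None, "rx": {}, "tx": {},
                                     "no_relay": 0, "drops": {}}
            section = None
        elif cur is None:
            continue
        elif key == "Helper-Address":
            cur["helper"] = None if val == "None" else val
        elif key in ("RX", "TX"):
            section = key.lower()
            cur[section]["total"] = int(val)
        elif key == "No-Relay":
            cur["no_relay"], section = int(val), None
        elif key == "Drops":
            section = "drops"
        elif section and val.isdigit():
            cur[section][key] = int(val)
    return interfaces


def nonzero_drops(interfaces):
    """List (interface, counter, value) for every drop counter above zero."""
    return [(name, counter, value)
            for name, data in interfaces.items()
            for counter, value in data["drops"].items() if value > 0]


def unrelayed_requests(interfaces):
    """Heuristic: requests received on helper-configured interfaces minus requests sent on."""
    received = sum(d["rx"].get("BootRequest Packets", 0)
                   for d in interfaces.values() if d["helper"])
    forwarded = sum(d["tx"].get("BootRequest Packets", 0) for d in interfaces.values())
    return received - forwarded


if __name__ == "__main__":
    parsed = parse_helper_detail(SAMPLE)
    print(nonzero_drops(parsed), unrelayed_requests(parsed))
```

On the sample, the two requests that were received on ve5 but never forwarded line up with the two "No Route to Dest" drops, which points at routing toward the helper address rather than at the clients.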
Part III
Routing Protocols
This chapter provides configuration examples. For detailed CLI syntax information, see the Command
Line Interface Reference.
NOTE: It is recommended to set a fixed router-ID for all dynamic routing protocols
you plan to use on the ACOS device, to prevent router-ID changes
caused by VRRP-A failover.
Each IPv6 link can run up to 65535 OSPFv3 processes, on the same link.
Each OSPF process is completely independent of the other OSPF processes on the device. They do not
share any information directly. However, you can configure redistribution of routes between them.
OSPF MIB Support
Interface Configuration
The following commands configure two physical Ethernet data interfaces. Each interface is configured
with an IPv4 address and an IPv6 address. Each interface also is added to OSPF area 0 (the backbone
area).
The link-state metric (OSPF cost) of Ethernet 2 is set to 30, which is higher than the default, 10. Based
on the cost difference, OSPF routes through Ethernet 1 will be favored over OSPF routes through
Ethernet 2, because the OSPF cost of Ethernet 1 is lower.
interface ethernet 1
ip address 2.2.10.1 255.255.255.0
ipv6 address 5f00:1:2:10::1/64
ipv6 router ospf area 0 tag 1
!
interface ethernet 2
ip address 3.3.3.1 255.255.255.0
ipv6 address 5f00:1:2:20::1/64
ip ospf cost 25
ipv6 router ospf area 0 tag 1
The following commands configure two Virtual Ethernet (VE) interfaces. On VE 3, an IPv4 address is
configured. On VE 4, an IPv4 address and an IPv6 address are configured.
interface ve 3
ip address 1.1.1.2 255.255.255.0
OSPF Configuration Example
router ospf 2
router-id 2.2.2.2
ha-standby-extra-cost 25
timers spf exp 500 50000
redistribute static metric 5 metric-type 1
redistribute vip only-flagged 500 metric-type 1
redistribute ip-nat
redistribute floating-ip metric-type 1
network 1.1.0.0 0.0.255.255 area 0
network 2.2.10.0 0.0.0.255 area 0
network 3.3.3.0 0.0.0.255 area 0
The following commands configure global settings for OSPFv3 process 1. The router ID is set to
3.3.3.3. A stub area is added, redistribution is enabled, and the SPF timer is changed.
• process-id—Specifies the IPv4 OSPFv2 process to run on the device, and can be 1-65535.
• process-tag—Specifies the IPv6 OSPFv3 process to run on the IPv6 link, and can be 1-65535.
• neighbor-ip-address— Specifies the IP address of the interface for the neighboring device.
• interface-ip-address— Specifies the IP address of the interface of the device on which the OSPF
neighbor exists.
Using OSPFv2, the CLI enables you to indicate an interface IP address of the ACOS device. Using
OSPFv3, the CLI enables you to specify the interface name for a specific neighbor.
Use the following commands to clear OSPF neighbor information:
Configuration Examples
The following command clears all neighbors on a specified interface to a specific router:
OSPF Logging
Router logging is disabled by default. You can enable router logging to one or more of the following
destinations:
• Local file
NOTE: Log file settings are retained across reboots but debug settings are not.
NOTE: Enabling debug settings that produce lots of output, or enabling all
debug settings, is not recommended for normal operation.
For additional syntax information, including show and clear commands for router logging, see the
Command Line Interface Reference.
To enable output to a local file, use the following command at the global configuration level of the CLI:
[no] router log file {name string | per-protocol | rotate num | size Mbytes}
To enable output to a remote log server, use the following command at the global configuration level of
the CLI:
To set the severity level for messages output to the terminal, use the following command at the
global configuration level of the CLI:
• 0 or emergency
• 1 or alert
• 2 or critical
• 3 or error
• 4 or warning
• 5 or notification
• 6 or information
• 7 or debugging
To change the severity level for messages output to the local logging buffer, use the following
command at the global configuration level of the CLI:
To change the severity level for messages output to external log servers, use the following command at
the global configuration level of the CLI:
To change the facility, use the following command at the global configuration level of the CLI:
• local0
• local1
• local2
• local3
• local4
• local5
• local6
• local7
The ipv6 option enables debugging for OSPFv3. Without the ipv6 option, debugging is enabled for
OSPFv2.
The type specifies the types of OSPF information to log, and can be one or more of the following:
• ifsm – Enables debugging for the OSPF Interface State Machine (IFSM).
• nfsm – Enables debugging for the OSPF Neighbor State Machine (NFSM).
• nsm – Enables debugging for the Network Services Module (NSM). The NSM deals with use of
ACLs, route maps, interfaces, and other network parameters.
• packet – Enables debugging for OSPF packets.
CLI Example
These commands create a router log file named “ospf-log”. The per-protocol option will log messages
for each routing protocol separately. The log file will hold a maximum 100 MB of data, after which the
messages will be saved in a backup and the log file will be cleared.
The following command displays the contents of the local router log file:
This chapter describes how to integrate your ACOS device in an IS-IS network environment.
This chapter provides IS-IS configuration examples. For detailed CLI syntax information, see “Config
Commands: Router – IS-IS” on page 279.
NOTE: It is recommended to set a fixed router-ID for all dynamic routing protocols
you plan to use on the ACOS device, to prevent router-ID changes
caused by VRRP-A failover.
• Configuring IS-IS
Configuring IS-IS
To configure IS-IS in the sample topology (Figure 3), first enable IS-IS in the ACOS device, enabling it to
send Hello packets to other IS-IS devices in the same area:
The router isis command places you in IS-IS configuration mode. The net command configures the
IS-IS instance on the ACOS device to be in the same area as the upstream router (in this case, 47.0000
as the area-id and 0000.0000.0001 as the system-id). The ACOS device must have the same area-id as
the one configured on the router in order for it to bring up level-1 adjacencies.
The is-type command configures this instance as a level-1 instance; the same is accomplished by
making sure the area-id in the net command matches the area-id on the router.
The redistribute command allows the VIP to the server farm to be advertised as a route in this IS-IS
area.
NOTE: If you are configuring IS-IS for IPv6, you should also add the
metric-style wide command in your basic configuration.
Next, configure IS-IS on the individual interfaces. To configure IS-IS on an interface, use the interface
command to access the configuration level for the interface, then use the ip router isis | ipv6 router isis
commands. Below is an example to enable IS-IS for IPv4:
Verifying Your IS-IS Configuration
The ACOS device supports BGP4+ for both IPv4 and IPv6.
This chapter provides configuration examples. For detailed CLI syntax information, see the Command
Line Interface Reference.
NOTE: It is recommended to set a fixed router-ID for all dynamic routing protocols
you plan to use on the ACOS device, to prevent router-ID changes
caused by VRRP-A failover.
The route redistributions can be for either static routes, which are manually configured by an admin, or
the route redistributions can be for dynamic routes that the router has acquired through the normal
operation of the BGP protocol, such as routes learned through BGP peering sessions with other routers.
Using Route Maps to Permit or Deny Updates
Without route maps, every router on the Internet would share all of its information about every other
router to which it is connected, and the sheer volume of traffic would bring the Internet to a grinding
halt. Route maps offer a way to throttle the amount of information that is shared among BGP peers.[1]
Route maps are configured with one or more rules. Each rule consists of a set of match criteria and an
associated action (permit or deny). The route map can have multiple rules, which are categorized in
ascending order. Once the BGP route map is placed into action, it can be used to filter inbound or
outbound routing traffic. If traffic is received and there is a positive match for the criteria in one of the
rules, then the action associated with that match criteria will be applied. Assuming the associated
action is to alter the local preference for routes from that peer, then ACOS will make this change before
redistributing these routes to other BGP peers.
For example, if you know that a neighboring autonomous system has old equipment that could impede
or slow your network’s traffic, it might be beneficial if you could administratively tell the equipment in
your autonomous system to avoid that other network.
Route maps allow you to accomplish this goal by rewriting the properties or metrics associated with the
paths to this other network.
You could set up one or more match criteria to identify traffic from this slower and older network, such
that if a positive match occurs, ACOS would increase the cost (or decrease the weight) for the paths to
this other network. Doing so would bias traffic away from these paths and encourage the use of other
paths capable of circumventing the slow network.
[1] BGP route summarization, or route aggregation, offers another way to reduce the number of routes that are shared by
consolidating blocks of IP addresses before redistribution. This prevents excessive fragmentation of blocks of IP
addresses and gives ISPs more control over the blocks of IP addresses they own. Route aggregation also helps to
conserve the limited number of IPv4 addresses.
Route Selection Based on Local Preference
In this way, ACOS does not simply refuse to accept the route redistributions received from BGP peers in
the slower network. Instead of accepting the routing information received at face value, ACOS “tweaks”
or rewrites the metrics associated with the paths to make them less attractive before passing them
along to the surrounding BGP peers.
A route map acts as a filter for the redistribution of BGP routes sent to peers. Rules are set up within
the route map, consisting of match criteria (the metric upon which we are searching) and an associated
action (for example, setting the local preference value). If a positive match is found then the action
associated with that rule is applied.
For example, you could set a rule within a route map to look for updates from a particular BGP peer
(based on IP address, router ID, or perhaps all routers in a particular Autonomous System Number), and
you could then prevent ACOS from propagating, or redistributing, these updates to the other BGP peers
in its ASN.
Instead of completely blocking routing updates from a nearby ASN, you could specify an action within
the route map that would modify the various metrics to make the associated paths less preferred. For
example, if you knew that a particular BGP peer is an older router that could hinder network
performance, you could increase the cost of the paths to/from that router by increasing the metric
number. Similarly, you could achieve the same goal (of reducing the
attractiveness of the paths associated with this older router and thus directing traffic away from it) by
decreasing the weight for routes learned from this router.
CLI Example
The following commands configure a route map called “RED”. The sequence number for this route-map
is “10”. The rule looks for route updates that have a local preference value of exactly 5000. If a match
occurs, then the action for this route map is to “permit” BGP updates to occur with this router.
At this point, you could apply the route map to an ACOS device that has BGP enabled. You could
specify the AS that this ACOS device belongs to (“333”), the BGP neighbor (10.1.1.1), the name of the route
map (“RED”), and specify whether this route map is affecting inbound or outbound route updates (in),
as shown in the sample commands below.
Globally-Enabled Default Route Origination
To configure a BGP routing process to distribute a default route, use the default-information originate
command in the address family or router configuration mode. A valid default route must exist and
be verified to complete this configuration or the default route will not be advertised:
Based on your configuration, BGP will install up to the maximum number of routes in the forwarding
information base (FIB).
Use the maximum-paths command at the BGP configuration level to specify the maximum number of
ECMP paths to a given route destination allowed for BGP. The default maximum-paths value is 1. This
value will not be displayed in the show running-config command. With the default setting
(maximum-paths 1), BGP will install the single best ECMP route into the FIB used by the ACOS device to forward
traffic.
NOTE: See the “maximum-paths” CLI command in the Command Line Interface Reference for
more information about enabling this feature at the global configuration level for all
protocols.
The example below shows the BGP portion of an ACOS device configuration. The first set of output
shows a device running IPv4 while the second set of output shows a device running IPv6. In the IPv4
output, the lines of output “neighbor 10.10.10.197 remote-as 197” through “neighbor
60.60.60.197 remote-as 197” show that the ACOS routing engine learned of this route from
multiple neighbors.
Equal-Cost Multi-path ECMP Support
ACOS(config-bgp:100)# maximum-paths 8
ACOS(config-bgp:100)# neighbor 10.10.10.197 remote-as 197
ACOS(config-bgp:100)# neighbor 20.20.20.197 remote-as 197
ACOS(config-bgp:100)# neighbor 30.30.30.197 remote-as 197
ACOS(config-bgp:100)# neighbor 40.40.40.197 remote-as 197
ACOS(config-bgp:100)# neighbor 50.50.50.197 remote-as 197
ACOS(config-bgp:100)# neighbor 60.60.60.197 remote-as 197
ACOS(config-bgp:100)# neighbor 3310::197 remote-as 197
ACOS(config-bgp:100)# neighbor 3320::197 remote-as 197
ACOS(config-bgp:100)# neighbor 3330::197 remote-as 197
ACOS(config-bgp:100)# neighbor 3340::197 remote-as 197
ACOS(config-bgp:100)# neighbor 3350::197 remote-as 197
ACOS(config-bgp:100)# neighbor 3360::197 remote-as 197
ACOS(config-bgp:100)# address-family ipv6
ACOS(config-bgp:100-ipv6)# maximum-paths 7
ACOS(config-bgp:100-ipv6)# neighbor 3310::197 activate
ACOS(config-bgp:100-ipv6)# neighbor 3320::197 activate
ACOS(config-bgp:100-ipv6)# neighbor 3330::197 activate
ACOS(config-bgp:100-ipv6)# neighbor 3340::197 activate
ACOS(config-bgp:100-ipv6)# neighbor 3350::197 activate
ACOS(config-bgp:100-ipv6)# neighbor 3360::197 activate
ACOS(config-bgp:100-ipv6)# exit-address-family
ACOS(config-bgp:100)#
The show ip fib command shows that the ACOS device’s forwarding information base (FIB) was able
to learn of 6 different routes to the same destination (7.7.7.0/24). Each route had an equal cost
(distance = 20), and each route was learned through a different Ethernet port.
The show ip bgp command displays paths learned through BGP. The ACOS device was connected to 6
different routes, and the Metric column shows that the cost is the same for all routes.
Route-Map High Availability for Interior Gateway Protocols
S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
The show ip route database command displays essentially the same information as shown above.
The ACOS device has a FIB that is populated with 6 different routes, of equal cost, to the same
destination.
ACOS 2.7.2 introduced support for a route-map option that performed matching based on the HA or
VRRP-A VRID group, and also based on whether the device was the active or standby in the group. This
option was used to control BGP route redistribution and advertisement decisions using the ACOS
device’s high availability state.
ACOS 2.7.2-P4 extended this feature to support all Interior Gateway Protocols (IGPs) such as OSPFv2,
OSPFv3, ISISv4/6, RIP and RIPng.
NOTE: Prior to ACOS 2.7.2, a route map could perform filtering based on metrics
such as BGP community, IP address, or metric value. However, the 2.7.2
release was the first release in which filtering (or matching) could be
performed based on the status of an ACOS device in a high availability
configuration.
In this scenario, the ability to perform route map matching based on high availability status offers a
unique way to use BGP (or other IGPs) route redistribution to advertise the paths to the newly-active
ACOS device after switchover has occurred.
You can use the BGP protocol to modify some of the route settings by way of the route map. By
changing the weights or local preference of certain routing paths, you can influence the routes that are
advertised or withdrawn in route updates from the ACOS device to its BGP neighbors.
Alternatively, you can just wait for the old routes to time out, at which point they will be automatically
withdrawn from the routing table of the neighboring routers. This will have the effect of directing
network traffic to the newly-active ACOS device.
• The leftmost ACOS device is Active and the rightmost ACOS device is Standby.
• The diagram shows a Layer 3 router above the ACOS devices. The router is in autonomous
system 200, and it is using BGP to share routing updates with the ACOS load balancers. The ACOS
devices are also running BGP and are located within AS 100.
• Static routes connect the ACOS devices to a Layer 3 router, which directs traffic to and from the
real servers.
FIGURE 4 Topology Using BGP Route Map (with VRRP-A High Availability Matching)
In a network environment like that shown above in Figure 4, the Active ACOS device must be relegated
to “standby” mode before it can be upgraded. In turn, the Standby device must also be made “active”.
When this switchover occurs, it is imperative that the routers running BGP receive updated routing
information. This updated routing information will cause the routes to the formerly-active ACOS device
to be avoided, and the routers must also be provided with new routing information about the paths
traffic can use to reach the newly active ACOS device.
CLI Example
The following gives an example of a route map configuration. It is based on the network diagram
shown in Figure 4, which has two ACOS devices using VRRP-A for redundancy. To upgrade one of the
active ACOS devices, its status must be changed to standby (and the standby device must be made
active). Then, the new routing information must be pushed to the router above, which is also running
BGP.
The CLI commands below are used to configure VRRP-A on the first (Active) ACOS device.
vrrp-a common
device-id 1
set-id 1
enable
The following CLI commands assign an IP address of 20.1.1.1 to Ethernet interface 1 on the ACOS
device.
interface eth 1
ip address 20.1.1.1
The following CLI commands are used to create a route map called “test1” with a sequence number of
10. A rule is added that checks for a positive match for the active ACOS device in the VRRP-A group 1.
If a positive match is found, then this ACOS device can share its route redistributions with any BGP
peers that pass the match criteria.
The following CLI commands are used at the global configuration level to enable the BGP protocol and
specify the Autonomous System (AS) number of “100” for the Active ACOS device. The BGP peer is
specified in remote AS 200, and the hop count needed to reach this external BGP router is not to
exceed 255 hops. The outbound redistribution of static routes would be allowed to the BGP peer at
30.1.1.1, based upon the match criteria (and associated actions) in the route-map called “test1”.
The following CLI commands are used to configure a static route from the Active ACOS device to the
real servers in the subnet 1.1.1.0 /24, by way of the next-hop router at IP 11.1.1.1.
vrrp-a common
device-id 2
set-id 1
enable
The following CLI commands assign the IP 21.1.1.1 to Ethernet interface 1 on the Standby ACOS
device.
interface eth 1
ip address 21.1.1.1
The CLI commands below create a route map called “test1” with a sequence number of 10. A rule is
added to check for a match for the active ACOS device in the HA (or VRRP-A) group 1. If a positive
match is found, then this ACOS device may share its route redistributions with its BGP peers.
The following CLI commands are used at the global configuration level to enable the BGP protocol and
specify an Autonomous System (AS) number of “100” for the Standby ACOS device. The BGP peer is
specified in remote AS 200, and the hop count needed to reach this external BGP router is not to
exceed 255 hops. The outbound redistribution of static routes could be sent to the BGP peer at
30.1.1.1, based upon the match criteria (and the associated actions) in route-map “test1”.
The following CLI commands are used to configure a static route from the Standby ACOS device to the
real servers in the subnet 1.1.1.0 /24, by way of the next-hop router at IP 12.1.1.1.
NOTE: In the above configuration, only an Active ACOS device can redistribute
its static routes. The Standby ACOS device does not redistribute its
static routes. The reason for this is that the match criteria “permits” the
Active device in an HA (or VRRP-A) pair to send out (redistribute) its
routes. There is no rule in the route map with an explicit “deny” action, but
the deny is implicit: any Standby HA device fails to match the criteria in
the route map, so its routing updates are not shared.
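The first-match and implicit-deny behaviour in the note above, and the “RED” local-preference rule from the earlier CLI example, as a small model (an added example, not ACOS code). The dictionary layout, the `DEPREF` map, the private AS number 65010 and the function names are constructed for the example; prefixes and next hops follow the guide's sample topology.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Rule:
    seq: int                                  # rules are evaluated in ascending order
    action: str                               # "permit" or "deny"
    match: Callable[[dict, dict], bool]       # (route, device) -> bool
    set_attrs: Dict[str, int] = field(default_factory=dict)


def evaluate(route_map: List[Rule], route: dict, device: dict) -> Optional[dict]:
    """Return the (possibly rewritten) route, or None if it is filtered out."""
    for rule in sorted(route_map, key=lambda r: r.seq):
        if rule.match(route, device):
            if rule.action != "permit":
                return None                   # explicit deny
            return {**route, **rule.set_attrs}
    return None                               # no rule matched: implicit deny


# "test1": permit only when this device is Active in VRRP-A group 1.
TEST1 = [Rule(10, "permit",
              lambda route, dev: dev["vrid"] == 1 and dev["state"] == "active")]

# "RED": permit updates whose local preference is exactly 5000.
RED = [Rule(10, "permit", lambda route, dev: route.get("local_pref") == 5000)]

# Constructed map: make paths from one peer AS less preferred instead of dropping them.
DEPREF = [
    Rule(10, "permit", lambda route, dev: route.get("peer_as") == 65010,
         {"local_pref": 50}),
    Rule(20, "permit", lambda route, dev: True),
]


def make_pair():
    """Two devices from the guide's topology, each with a static route to 1.1.1.0/24."""
    active = {"name": "ACOS-1", "vrid": 1, "state": "active",
              "static_routes": [{"prefix": "1.1.1.0/24", "next_hop": "11.1.1.1"}]}
    standby = {"name": "ACOS-2", "vrid": 1, "state": "standby",
               "static_routes": [{"prefix": "1.1.1.0/24", "next_hop": "12.1.1.1"}]}
    return active, standby


def advertised(route_map: List[Rule], device: dict) -> List[str]:
    """Prefixes the device would redistribute to its BGP peer through route_map."""
    return [r["prefix"] for r in device["static_routes"]
            if evaluate(route_map, r, device) is not None]


def switchover(active: dict, standby: dict) -> None:
    """Swap VRRP-A roles, as done before upgrading the formerly Active device."""
    active["state"], standby["state"] = "standby", "active"


if __name__ == "__main__":
    a, b = make_pair()
    print("before:", advertised(TEST1, a), advertised(TEST1, b))
    switchover(a, b)
    print("after: ", advertised(TEST1, a), advertised(TEST1, b))
```

After the switchover the same unchanged route map causes the formerly Active device to stop advertising and the new Active device to start, which is the behaviour the upstream router depends on.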
Bidirectional Forwarding Detection (BFD) provides very fast failure detection for routing protocols.
When BFD is enabled, the ACOS device periodically sends BFD control packets to the neighboring
devices that are also running BFD. If a neighbor stops sending BFD control packets, the ACOS device
quickly brings down the BFD session(s) with the neighbor, and recalculates paths for routes affected by
the down neighbor.
BFD provides a faster failure detection mechanism than the timeout values used by routing protocols.
Routing protocol timers are multiple seconds long, whereas BFD provides sub-second failover.
• RFC 5881, Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (Single Hop)
• Multihop
• Authentication
BFD Parameters
BFD is disabled by default. You can enable it on a global basis.
BFD Echo
BFD echo enables a device to test the data path to the neighbor and back. When a device generates a BFD
echo packet, the packet uses the routing link to the neighbor device to reach the device. The neighbor
device is expected to send the packet back over the same link.
BFD Timers
• Global
• Interface
If you configure the timers on an individual interface, the interface’s settings are used instead of the
global settings. Likewise, if the BFD timers are not set on an interface, that interface uses the global
settings. For BGP loopback neighbors, BFD always uses the global timer.
The DesiredMinTXInterval, RequiredMinRxInterval and DetectMult timer fields can be configured at the
interface and the global configuration level. However, the actual timer will vary depending on the Finite
State Machine (FSM) state, through negotiation, and whether or not echo has been enabled.
BGP Support
If you run BGP on the ACOS device, you can enable BFD-based fallover for individual BGP neighbors.
Configuring BFD
In the following example, you will see that the static routes experience a flap when BFD is enabled. The
fields to note are flagged in bold:
i - IS-IS, B - BGP
Timers: Uptime
To enable BFD, use the following command at the global configuration level of the CLI:
ACOS(config)# bfd enable
To enable BFD echo, use the following command at the global configuration level of the CLI:
ACOS(config)# bfd echo
To configure BFD timers, use the following commands. These commands are available at the global
configuration level and at the configuration level for individual interfaces.
The interval value can be 48-1000 ms, and is 800 ms by default. The min-rx value can be 48-1000 ms,
and is 800 ms by default. The multiplier value can be 3-50 and is 4 by default.
To display BFD information for BGP neighbors, use the following command:
Disable BFD
To disable BFD, enter the following command in global configuration mode:
To enable BFD for all OSPF-enabled interfaces, enter the following commands:
Sample Configuration
Your running configuration will display your current BFD with OSPF configuration:
!
interface ethernet 1
ipv6 router ospf area 0 tag 1
ip address 20.0.0.1 255.255.255.0
ip ospf bfd
!
interface ethernet 2
ipv6 router ospf area 0 tag 1
ip address 30.0.0.1 255.255.255.0
!
!
router ospf 1
bfd all-interfaces
network 20.0.0.0/24 area 0
network 30.0.0.0/24 area 0
area 1 virtual-link 40.0.0.1 fall-over bfd
!
!
bfd enable
!
To enable BFD for all OSPFv3-enabled interfaces, enter the following commands:
Sample Configuration
Your running configuration will display your current BFD with OSPF for IPv6 configuration:
!
interface ethernet 1
ipv6 address 2001::1/64
ipv6 router ospf area 0 tag 1
ipv6 ospf bfd
!
interface ethernet 2
ipv6 router ospf area 0 tag 1
ipv6 address 3001::1/64
!
!
router ipv6 ospf 1
router-id 1.1.1.1
bfd all-interfaces
area 1 virtual-link 2.2.2.2 fall-over bfd
!
!
bfd enable
!
To enable BFD for all IS-IS-enabled interfaces, enter the following commands:
Sample Configuration
Your running configuration will display your current BFD with ISIS configuration:
!
interface ethernet 1
ip address 20.0.0.1 255.255.255.0
ip router isis
isis bfd
!
interface ethernet 2
ip address 30.0.0.1 255.255.255.0
ip router isis
isis bfd
!
!
router isis
bfd all-interfaces
net 49.0001.0000.0000.0001.00
!
!
bfd enable
!
To enable BFD for all IS-IS-enabled interfaces, enter the following commands:
Sample Configuration
Your running configuration will display your current BFD with ISIS (for IPv6 support) configuration:
!
interface ve 100
ipv6 address 2ffe:123::1/64
ipv6 router isis
isis bfd
!
router isis
bfd all-interfaces
net 49.0001.0000.0000.0002.00
!
bfd enable
Sample Configuration
Your running configuration will display your current BFD with BGP configuration:
!
router bgp 1
neighbor 1.2.3.4 remote-as 2
neighbor 1.2.3.4 fall-over bfd multihop
!
!
bfd enable
!
In the above command, the first parameter is the IPv4 address of the local interface. You can only use
the IP addresses for interfaces to set up the BFD session. The second parameter is the IPv4 address of
the remote interface that serves as the gateway for the static route.
In the above command, the first parameter is the IPv6 address of the local interface. You can only use
the IP addresses for interfaces to set up the BFD session. The second parameter is the IPv6 address of
the remote interface that serves as the gateway for the static route.
In the above command, the first parameter is the local interface name (Ethernet, VE, or a specified
trunk), and the second parameter is the remote link-local IPv6 address that serves as the gateway.
This command will help configure the interval for any one of the following three parameters and will be
applied to all BFD sessions:
• DesiredMinTxInterval
• RequiredMinRxInterval
• Multiplier
ACOS(config)# interface ve 10
ACOS(config-if:ve:10)# bfd interval 500 min-rx 500 multiplier 4
NOTE: For a BFD session for BGP using a loopback address, for an OSPFv2 virtual
link, and for an OSPFv3 virtual link, the ACOS device will always use
the global timer configuration, regardless of the timer that is configured
at the interface level.
Enable Authentication
You may choose an authentication method from the following available choices:
• Simple password
• Keyed MD5
• Keyed SHA1
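What separates the keyed types listed above (and the meticulous variants listed under the bfd interface command) is how the digest and the sequence number are checked on receipt. The following is an added example, not code from the A10 guide or from ACOS: it assumes the RFC 5880 control-packet layout, and the key, key-id and discriminators are constructed values.

```python
import hashlib
import hmac
import struct

# Auth Type values as assigned in RFC 5880 (assumed wire encoding).
# Simple password (type 1) carries the password itself in the packet, so
# there is no digest to verify and it is not modelled here.
SIMPLE, MD5, MET_MD5, SHA1, MET_SHA1 = 1, 2, 3, 4, 5
DIGESTS = {MD5: (hashlib.md5, 16), MET_MD5: (hashlib.md5, 16),
           SHA1: (hashlib.sha1, 20), MET_SHA1: (hashlib.sha1, 20)}
METICULOUS = {MET_MD5, MET_SHA1}
A_BIT = 0x04          # "Authentication Present" flag in byte 1
MANDATORY_LEN = 24    # fixed part of a BFD Control packet


def build_control(auth_type, key_id, key, seq, detect_mult=4,
                  my_disc=1, your_disc=2, tx_us=800_000, rx_us=800_000):
    """Build an authenticated BFD Control packet (version 1, state Up)."""
    if not 0 <= key_id <= 255:
        raise ValueError("key-id must be 0-255")
    hash_fn, dlen = DIGESTS[auth_type]
    if not 1 <= len(key) <= dlen:
        raise ValueError("key must be 1-%d bytes for this type" % dlen)
    auth_len = 8 + dlen
    header = struct.pack("!BBBBIIIII", 1 << 5, (3 << 6) | A_BIT, detect_mult,
                         MANDATORY_LEN + auth_len, my_disc, your_disc,
                         tx_us, rx_us, 0)
    auth_hdr = struct.pack("!BBBBI", auth_type, auth_len, key_id, 0, seq)
    # The digest covers the whole packet with the zero-padded key sitting
    # where the digest will go; the key itself never appears on the wire.
    digest = hash_fn(header + auth_hdr + key.ljust(dlen, b"\0")).digest()
    return header + auth_hdr + digest


def verify(packet, keys, rcv_seq):
    """Check a packet against keys ({key_id: secret}) and the last accepted
    sequence number rcv_seq. Returns (accepted, reason)."""
    if len(packet) < MANDATORY_LEN + 2 or not packet[1] & A_BIT:
        return False, "no authentication section"
    if packet[24] not in DIGESTS:
        return False, "auth type is not keyed MD5/SHA1"
    hash_fn, dlen = DIGESTS[packet[24]]
    if (len(packet) != 32 + dlen or packet[3] != len(packet)
            or packet[25] != 8 + dlen):
        return False, "bad length"
    auth_type, _, key_id, _, seq = struct.unpack("!BBBBI", packet[24:32])
    if key_id not in keys:
        return False, "unknown key-id"
    # Non-meticulous types accept a repeated sequence number; meticulous
    # types require it to advance on every packet, which blocks replay of
    # the most recent packet. The window is 3 * Detect Mult wide and is
    # evaluated in a circular 32-bit number space.
    low = rcv_seq + 1 if auth_type in METICULOUS else rcv_seq
    span = rcv_seq + 3 * packet[2] - low
    if (seq - low) % 2**32 > span:
        return False, "sequence number outside window"
    expected = hash_fn(packet[:32] + keys[key_id].ljust(dlen, b"\0")).digest()
    if not hmac.compare_digest(expected, packet[32:]):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    keys = {7: b"constructed-key"}          # constructed sample secret
    for kind, name in ((SHA1, "sha1"), (MET_SHA1, "meticulous-sha1")):
        pkt = build_control(kind, 7, keys[7], seq=100)
        # Receiver has already accepted sequence number 100 once.
        print(name, "replayed packet ->", verify(pkt, keys, rcv_seq=100))
```
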
When demand mode is enabled, after a BFD session is established, a system will be able to verify
connectivity with another system at will instead of routinely. Instead of constantly receiving BFD control
packets, the system will request that the other system stop sending BFD Control packets. To verify
connectivity again, the system will explicitly send a short sequence of BFD Control packets to the other
system and receive a response. Demand mode can be configured to work either independently in each
direction, or bidirectionally at the same time.
Asynchronous Mode
The Asynchronous mode is the default mode of operation for BFD. In this mode, systems establish
connectivity and know of each other’s existence by periodically exchanging BFD Control packets. A
session between two connected systems is only declared down after several packets in a row are not
received by the other system. BFD will operate in this mode if you do not configure or enable echo or
demand.
Viewing BFD Status
The current implementation of the ACOS software supports the generation of generic Internet Group
Management Protocol version 2 (IGMPv2) membership query requests. ACOS devices will now generate
IGMP membership queries and facilitate multicast deployments.
NOTE: The ACOS software does not support the complete IGMP protocol or the
generation of generic membership queries for IGMPv3 or Multicast
Listener Discovery (MLDv2).
Previous releases of the ACOS software did not provide support for the IGMPv2 protocol at all, hence it
did not provide IGMP membership query support.
• IGMP membership queries are only generated when IPv4 addresses are configured. If any IPv6
interface addresses are recognized, no queries will be generated.
• Generates generic IGMPv2 membership query request packets.
• The devices will not process any responses for this query request.
• Uses the default values for membership query request wherever possible.
• Provides the ability to configure the time interval for generation of these membership queries per
interface.
• Provides support for this feature with Layer 3 Virtualization (L3V).
IGMP membership queries are supported in routed mode only and will not be supported in non-routed
mode.
In Routed Mode
In Figure 5, the interfaces for devices 1 and 2 are acting in routed mode; that is, the IP address has been
configured on the interface. When the interface is in routed mode, the device can be configured to
generate IGMPv2 membership queries out of this interface. However, when an IGMP membership query is
received on an interface in routed mode, it will be ignored.
In Non-Routed Mode
In Figure 5, the Device 2 device is acting as a switch and both Eth11 and Eth12 on the Device 2 device
are in non-routed mode. Eth1 on the Device 1 device and Eth2 on the Device 2 device are configured in
routed mode. Hence Eth1 interface on the Device 1 device and Eth2 on the Device 3 device can be
configured to generate IGMP Membership Queries.
In this case, when the Device 2 device receives IGMP Membership Queries on Eth11 (generated by the
Device 1 device) and Eth12 (generated by the Device 3 device) it will accept these packets and just
switch them as it would any other packet. More importantly, it will not drop these packets since Eth11
and Eth12 on Device 2 are acting in non-routed (switched) mode.
1. Hover over Network in the navigation bar, and select Interface from the drop-down menu.
2. Depending on the type of interface on which to configure this feature, select LAN, Virtual Ethernet
or Trunk from the menu bar.
3. Click Edit in the actions column for the interface on which to configure this feature.
4. Expand the IP section to reveal additional configuration options.
NOTE: These timers are valid only for a particular interface. They must be
configured per interface.
To view your IGMP membership request query configuration for a physical interface, do the following:
To configure IGMP membership request queries on a virtual Ethernet interface, do the following:
ACOS(config)# vlan 50
To view your IGMP membership request query configuration for a virtual Ethernet interface, do the
following:
Part IV
Command Line Interface Reference
This chapter describes the CLI commands for configuring ACOS interface parameters:
• access-list
• bfd
• cpu-process
• disable
• duplexity
• enable
• flow-control
• icmp-rate-limit
• icmpv6-rate-limit
• ip address
• ip address dhcp
• ip allow-promiscuous-vip
• ip cache-spoofing-port
• ip control-apps-use-mgmt-port
• ip default-gateway
• ip helper-address
• ip igmp
• ip nat
• ip ospf
• ip rip authentication
• ip rip receive-packet
• ip rip send-packet
• ip rip split-horizon
• ip slb-partition-redirect
• ip stateful-firewall
• ip ttl-ignore
• ipv6 access-list
• ipv6 address
• ipv6 enable
• ipv6 stateful-firewall
• ipv6 ttl-ignore
• isis authentication
• isis bfd
• isis circuit-type
• isis csnp-interval
• isis hello
• isis hello-interval
• isis hello-interval-minimal
• isis hello-multiplier
• isis lsp-interval
• isis mesh-group
• isis metric
• isis network
• isis password
• isis priority
• isis restart-hello-interval
• isis retransmit-interval
• isis wide-metric
• l3-vlan-fwd-disable
• lldp enable
• lldp notification
• lldp tx-dot1-tlvs
• lldp tx-tlvs
• load-interval
• lw-4o6
• media-type-copper
• monitor
• mtu
• name
• ports-threshold
• remove-vlan-tag
• snmp-server
• trunk-group
To access this configuration level, enter the interface command at the Global configuration level.
If the ACOS device is a member of an aVCS virtual chassis, specify the interface number as follows:
DeviceID/num, where DeviceID is the device’s aVCS ID and num is the interface or trunk number.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are
described in the Command Line Interface Reference.
access-list
Description Apply an Access Control List (ACL) to an interface.
Parameter Description
num Number or ID of a configured ACL.
name Name of a configured ACL.
in Applies the ACL to inbound traffic received on the interface.
Default N/A
Mode Interface
Usage The ACL must be configured before you can apply it to an interface. To configure an ACL, see
“access-list” in the Command Line Interface Reference.
You can apply ACLs to Ethernet data interfaces, Virtual Ethernet (VE) interfaces, the
management interface, trunks, and virtual server ports. Applying ACLs to the out-of-band
management interface is not supported.
You can apply ACLs only to the inbound traffic direction. This restriction ensures that ACLs
are used most efficiently by filtering traffic as it attempts to enter the ACOS device, before
being further processed by the device.
Example The following commands configure a standard ACL to deny traffic from subnet 10.10.10.x,
and apply the ACL to the inbound traffic direction on Ethernet interface 4:
bfd
Description Enable or disable BFD on an individual interface.
Parameter Description
authentication key-id {md5 | meticulous-md5 | meticulous-sha1 | sha1 | simple}
The authentication option specifies the authentication type to be used
for BFD. You can specify a key-id from 0-255. The authentication options
include the following:
• md5 – Keyed MD5
• meticulous-md5 – Meticulous keyed MD5
• meticulous-sha1 – Meticulous keyed SHA1
• sha1 – Keyed SHA1
• simple – Simple password
echo [demand]
Specify echo mode. You can enable the demand mode to work in conjunction
with the echo function. When demand mode is enabled (and a BFD
session has been established), the system will be able to verify connectivity
with another system at will instead of routinely.
interval ms min-rx ms multiplier num
The interval value is the transmit timer, and it specifies the rate at which
the ACOS device sends BFD control packets to its BFD neighbors. You can
specify 48-1000 milliseconds (ms). The default is 800 ms. This timer is
used in Asynchronous mode only.
The min-rx option is the detection timer, and this allows you to specify
the maximum number of ms the ACOS device will wait for a BFD control
packet from a BFD neighbor. The min-rx value can be 48-1000 ms, and is
800 ms by default. This timer is used in Asynchronous mode only.
The multiplier value is the wait multiplier, and this enables you to specify
the maximum number of consecutive times the ACOS device will wait
for a BFD control packet from a neighbor. If the multiplier value is reached,
the ACOS device concludes that the routing process on the neighbor is
down. The multiplier value can be 3-50 and is 4 by default.
Mode Interface
Usage If you configure the timers on an individual interface, the interface’s settings are used instead
of the global settings. Likewise, if the BFD timers are not set on an interface, that interface
uses the global settings. For BGP loopback neighbors, BFD always uses the global timer.
NOTE: For a BFD session for BGP using a loopback address, for an OSPFv2 virtual link, and
for an OSPFv3 virtual link, the ACOS device will always use the global timer
regardless of the timer that is configured at the interface level.
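The timer precedence described here and under "BFD Timers", together with the effect of negotiation and session state on the actual timers, can be worked through as follows. This is an added example, not A10 code: the session-type labels are hypothetical, the ranges and defaults are the guide's, and the negotiation and detection-time rules are taken from RFC 5880 as an assumption about how a conforming implementation behaves (jitter and echo are not modelled).

```python
from dataclasses import dataclass
from typing import Optional

# Session types that the guide says always use the global timers.
# The label strings are hypothetical names chosen for this example.
GLOBAL_ONLY = {"bgp-loopback", "ospfv2-virtual-link", "ospfv3-virtual-link"}


@dataclass(frozen=True)
class BfdTimers:
    interval: int = 800    # DesiredMinTxInterval in ms (guide default)
    min_rx: int = 800      # RequiredMinRxInterval in ms (guide default)
    multiplier: int = 4    # DetectMult (guide default)

    def __post_init__(self):
        # Ranges documented for "bfd interval ... min-rx ... multiplier ...".
        if not 48 <= self.interval <= 1000:
            raise ValueError(f"interval {self.interval} outside 48-1000 ms")
        if not 48 <= self.min_rx <= 1000:
            raise ValueError(f"min-rx {self.min_rx} outside 48-1000 ms")
        if not 3 <= self.multiplier <= 50:
            raise ValueError(f"multiplier {self.multiplier} outside 3-50")


def effective_timers(global_cfg: BfdTimers,
                     interface_cfg: Optional[BfdTimers],
                     session_type: str) -> BfdTimers:
    """Interface timers win over global ones, except for the session types
    that are pinned to the global timers."""
    if session_type in GLOBAL_ONLY or interface_cfg is None:
        return global_cfg
    return interface_cfg


def tx_interval_ms(local: BfdTimers, remote: BfdTimers, session_up: bool) -> int:
    """Negotiated control-packet transmit interval of the local system."""
    # RFC 5880: while the session is not Up, DesiredMinTxInterval must be
    # at least one second, whatever is configured.
    desired = local.interval if session_up else max(local.interval, 1000)
    # The sender never transmits faster than the peer is willing to receive.
    return max(desired, remote.min_rx)


def detection_time_ms(local: BfdTimers, remote: BfdTimers) -> int:
    """Asynchronous-mode detection time as calculated by the local system:
    the peer's multiplier times the peer's agreed transmit interval."""
    return remote.multiplier * max(local.min_rx, remote.interval)


if __name__ == "__main__":
    global_cfg = BfdTimers()                      # 800 / 800 / 4
    ve10 = BfdTimers(500, 500, 4)                 # values from the ve 10 example
    peer = BfdTimers(300, 300, 3)                 # constructed peer settings
    for kind in ("ospf", "bgp-loopback"):
        local = effective_timers(global_cfg, ve10, kind)
        print(kind, local,
              "tx(up)=%d ms" % tx_interval_ms(local, peer, True),
              "tx(down)=%d ms" % tx_interval_ms(local, peer, False),
              "detect=%d ms" % detection_time_ms(local, peer))
```
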
cpu-process
Description Enable software-based switching or routing of Layer 2/Layer 3 traffic.
Mode Interface
disable
Description Disable an interface.
Syntax disable
Default The management interface is enabled by default. Data interfaces are disabled by default.
Mode Interface
Usage This command applies to all interface types: Ethernet data interfaces, out-of-band Ethernet
management interface, Virtual Ethernet (VE) interfaces, and loopback interfaces.
The command also applies to trunks. When you disable a trunk at the interface configuration
level for the trunk, Layer 3 forwarding is disabled on the trunk.
In L3V deployments, tagged VLAN ports can be enabled or disabled only from the shared
partition.
Example The following commands access the interface configuration level for trunk 7 and disable
Layer 3 forwarding on the trunk:
ACOS(config-if:trunk:7)# disable
duplexity
Description Set the duplex mode for an Ethernet interface.
Parameter Description
Full Full-duplex mode.
Half Half-duplex mode.
auto The mode is negotiated based on the mode of the other end of the link.
Default auto
Mode Interface
Usage This command applies only to physical interfaces (Ethernet ports or the management port).
Example The following command changes the mode on Ethernet interface 6 to half-duplex:
enable
Description Enable an interface.
Syntax enable
Default The management interface is enabled by default. Data interfaces are disabled by default.
Mode Interface
Usage This command applies to all interface types: Ethernet data interfaces, out-of-band Ethernet
management interface, Virtual Ethernet (VE) interfaces, trunks, and loopback interfaces.
In L3V deployments, tagged VLAN ports can be enabled or disabled only from the shared
partition.
flow-control
Description Enable 802.3x flow control on a full-duplex Ethernet interface.
Default Disabled. The ACOS Ethernet interface auto-negotiates flow control settings with the other
end of the link.
Mode Interface
Usage This command can cause the interface to briefly go down, then come back up again.
icmp-rate-limit
Description Configure ICMP rate limiting, to protect against denial-of-service (DoS) attacks.
Parameter Description
normal-rate Maximum number of ICMP packets allowed per second on the
interface. If the ACOS interface receives more than the normal
rate of ICMP packets, the excess packets are dropped until the
next one-second interval begins. The normal rate can be
1-65535 packets per second.
max-rate Maximum number of ICMP packets allowed per second before
the ACOS device locks up ICMP traffic on the interface. When
ICMP traffic is locked up, all ICMP packets on the interface are
dropped until the lockup expires. The maximum rate can be
1-65535 packets per second. The maximum rate must be larger
than the normal rate.
lockup-time Number of seconds for which the ACOS device drops all ICMP
traffic on the interface, after the maximum rate is exceeded.
The lockup time can be 1-16383 seconds.
Default None
Usage This command configures ICMP rate limiting on a physical, virtual Ethernet, trunk, or
loopback interface. To configure ICMP rate limiting globally, see “icmp-rate-limit” in the
Command Line Interface Reference. To configure it in a virtual server template, see “slb template
virtual-server” in the Command Line Interface Reference. If you configure ICMP rate limiting
filters at more than one of these levels, all filters are applicable.
Log messages are generated only if the lockup option is used and lockup occurs.
Otherwise, the ICMP rate-limiting counters are still incremented but log messages are not
generated.
Example The following command configures ICMP rate limiting on Ethernet interface 3:
icmpv6-rate-limit
Description Configure ICMPv6 rate limiting, to protect against denial-of-service (DoS) attacks.
Parameter Description
normal-rate Maximum number of ICMPv6 packets allowed per second on
the interface. If the ACOS interface receives more than the
normal rate of ICMPv6 packets, the excess packets are dropped
until the next one-second interval begins. The normal rate can
be 1-65535 packets per second.
lockup max-rate Maximum number of ICMPv6 packets allowed per second
before the ACOS device locks up ICMPv6 traffic on the
interface. When ICMPv6 traffic is locked up, all ICMPv6 packets on
the interface are dropped until the lockup expires. The
maximum rate can be 1-65535 packets per second. The maximum
rate must be larger than the normal rate.
lockup-time Number of seconds for which the ACOS device drops all
ICMPv6 traffic on the interface, after the maximum rate is
exceeded. The lockup time can be 1-16383 seconds.
Default None
Usage This command configures ICMPv6 rate limiting on a physical, virtual Ethernet, trunk, or
loopback interface. To configure ICMPv6 rate limiting globally, see “icmpv6-rate-limit” in the
Command Line Interface Reference. To configure it in a virtual server template, see “slb template
virtual-server” in the Command Line Interface Reference. If you configure ICMPv6 rate limiting
filters at more than one of these levels, all filters are applicable.
Log messages are generated only if the lockup option is used and lockup occurs.
Otherwise, the ICMPv6 rate-limiting counters are still incremented but log messages are not
generated.
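The interaction of the normal rate, the lockup maximum rate and the lockup time described for icmp-rate-limit and icmpv6-rate-limit can be seen in a small simulation. This is an added example, not ACOS code: it assumes that every received packet counts toward both thresholds within a one-second window and that the lockup starts at the packet that exceeds the maximum rate; the arrival times are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IcmpRateLimiter:
    normal_rate: int                       # packets per second
    max_rate: Optional[int] = None         # lockup max-rate, packets per second
    lockup_time: Optional[int] = None      # seconds
    log: List[str] = field(default_factory=list)
    window: int = field(default=-1, init=False)
    count: int = field(default=0, init=False)
    locked_until: float = field(default=0.0, init=False)

    def __post_init__(self):
        # Ranges and the max > normal rule come from the parameter tables.
        if not 1 <= self.normal_rate <= 65535:
            raise ValueError("normal rate must be 1-65535")
        if (self.max_rate is None) != (self.lockup_time is None):
            raise ValueError("lockup needs both a max rate and a lockup time")
        if self.max_rate is not None:
            if not self.normal_rate < self.max_rate <= 65535:
                raise ValueError("max rate must be larger than the normal rate")
            if not 1 <= self.lockup_time <= 16383:
                raise ValueError("lockup time must be 1-16383 seconds")

    def receive(self, t: float) -> str:
        """Classify one ICMP packet arriving at time t (seconds)."""
        if t < self.locked_until:
            return "locked"                # everything is dropped during lockup
        if int(t) != self.window:          # a new one-second interval begins
            self.window, self.count = int(t), 0
        self.count += 1
        if self.max_rate is not None and self.count > self.max_rate:
            self.locked_until = t + self.lockup_time
            # Only a lockup produces a log message.
            self.log.append(f"t={t:.2f}s ICMP lockup for {self.lockup_time}s")
            return "locked"
        if self.count > self.normal_rate:
            return "dropped"               # excess until the interval ends
        return "forwarded"


def simulate(limiter: IcmpRateLimiter, arrivals: List[float]) -> Counter:
    """Feed arrival times to the limiter and tally the verdicts."""
    return Counter(limiter.receive(t) for t in arrivals)


# Constructed traffic: a 12-packet burst, then single packets at 2.5 s and 3.5 s.
BURST = [i * 0.01 for i in range(12)] + [2.5, 3.5]

if __name__ == "__main__":
    with_lockup = IcmpRateLimiter(normal_rate=5, max_rate=10, lockup_time=3)
    print("lockup configured:", dict(simulate(with_lockup, BURST)), with_lockup.log)
    without = IcmpRateLimiter(normal_rate=5)
    print("normal rate only: ", dict(simulate(without, BURST)), without.log)
```
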
Example The following command configures ICMPv6 rate limiting on Ethernet interface 3:
ip address
Description Assign an IP address to an interface.
Mode Interface
Usage This command applies only when the ACOS device is used in gateway mode.
You can configure multiple IP addresses on Ethernet and Virtual Ethernet (VE) data interfaces,
trunks, and on loopback interfaces, on ACOS devices deployed in gateway (route) mode.
Each IP address must be unique on the ACOS device. Addresses within a given subnet can be
configured on only one interface on the device. (The ACOS device can have only one data
interface in a given subnet.)
IP addresses are added to an interface in the order you configure them. The addresses
appear in show command output and in the configuration in the same order.
The first IP address you add to an interface becomes the primary IP address for the interface.
If you remove the primary address, the next address in the list (the second address to be
added to the interface) becomes the primary address.
It does not matter which address is the primary address. OSPF can run on all subnets
configured on a data interface.
The ACOS device automatically generates a directly connected route to each IP address. If
you enable redistribution of directly connected routes, those protocols can advertise the
routes to the IP addresses.
The ACOS device allows the same IP address to be configured as the ACOS device’s global IP
address, and as a NAT pool address. However, in Layer 2 (transparent) deployments, if you do
configure the same address in both places, and later delete one of the addresses, you must
reload the ACOS device to place the change into effect.
Example The following commands configure multiple IP addresses on an Ethernet data interface,
display the addresses, then delete the primary IP address and display the results.
ip address dhcp
Description Enable Dynamic Host Configuration Protocol (DHCP) to configure multiple IP addresses on
an Ethernet data interface.
Default Disabled
Mode Interface
Usage You can configure VIPs and IP NAT pools to use the DHCP-assigned address of a given data
interface. If this option is enabled, ACOS updates the VIP or pool address any time the
specified data interface’s IP address is changed by DHCP.
• DHCP can be enabled on an interface only if that interface does not already have any
statically assigned IP addresses.
• On ACOS devices deployed in gateway (Layer 3) mode, Ethernet data interfaces can
have multiple IP addresses. An interface can have a combination of dynamically
assigned addresses (by DHCP) and statically configured addresses. However, if you plan
to use both methods of address configuration, static addresses can be configured only
after you finish using DHCP to dynamically configure addresses. To use DHCP in this
case, you must first delete all the statically configured IP addresses from the interface.
• On virtual appliance models, if single-IP mode is used, DHCP can be enabled only at the
physical interface level.
• On devices deployed in Transparent (Layer 2) mode:
• You can enable DHCP on the management interface and at the global level.
• The VIP address and pool NAT address (if used) should match the global data IP
address of the device. Make sure to enable this option when configuring the VIP or
pool.
ip allow-promiscuous-vip
Description Enable client traffic received on this interface and addressed to TCP port 80 to be load
balanced for any VIP address.
Default Disabled
Mode Interface
Usage This feature also requires configuration of a virtual server that has IP address 0.0.0.0. For more
information, see the Application Delivery and Server Load Balancing Guide.
ip cache-spoofing-port
Description Configure the interface to support a spoofing cache server. A spoofing cache server uses the
client’s IP address instead of its own as the source address when obtaining content
requested by the client.
Default Disabled
Mode Interface
Usage This command applies to the Transparent Cache Switching (TCS) feature. Enter the
command on the interface that is attached to the spoofing cache. For more information about
TCS, including additional configuration requirements and examples, see the Application
Delivery and Server Load Balancing Guide.
Example The following command configures interface 9 to support a spoofing cache server that is
attached to the interface.
ACOS(config-if:ethernet:9)# ip cache-spoofing-port
ip control-apps-use-mgmt-port
Description Enable use of the management interface as the source interface for automated
management traffic.
Default By default, use of the management interface as the source interface for automated
management traffic is disabled.
Mode Interface
Usage The ACOS device uses separate route tables for management traffic and data traffic.
• Management route table – Contains all static routes whose next hops are connected to
the management interface. The management route table also contains the route to the
device configured as the management default gateway.
• Main route table – Contains all routes whose next hop is connected to a data interface.
Also contains copies of all static routes in the management route table, excluding the
management default gateway route. Only the data routes are used for load-balanced
traffic.
By default, the ACOS device attempts to use a route from the main route table for
management connections originated on the ACOS device. The
ip control-apps-use-mgmt-port command enables the ACOS device to use the management
route table for these connections instead.
The ACOS device will use the management route table for reply traffic on connections
initiated by a remote host that reaches the ACOS device on the management port. For
example, this occurs for SSH or HTTP connections from remote hosts to the ACOS device.
Example The following command enables use of the management interface as the source interface
for automated management traffic:
ACOS(config-if:management)# ip control-apps-use-mgmt-port
ip default-gateway
Description Specify the default gateway for the out-of-band management interface.
Default None
Mode Interface
Usage Configuring a default gateway for the management interface provides the following
benefits:
• Ensures that reply management traffic sent by the ACOS device travels through the
correct gateway
• Keeps reply management traffic off the data interfaces
The default gateway configured on the management interface applies only to traffic sent
from this interface. For traffic sent through data interfaces, either the globally configured
default gateway is used instead (if the ACOS device is deployed in transparent mode) or an IP
route is used (if the ACOS device is deployed in route mode).
To configure the default gateway for data interfaces on an ACOS device deployed in
transparent mode, use the ip default-gateway command at the Global configuration
level. (See “ip default-gateway” in the Command Line Interface Reference.)
NOTE: Normally, if the ACOS device is deployed in transparent mode, outbound traffic
through the management interface is limited to the same subnet. However,
outbound traffic through data interfaces is not restricted to the same subnet. To
perform operations that require exchanging files with a host (upgrade, import, export,
and so on) that is in a different subnet from the management interface:
Example The following commands configure an IP address and default gateway for the management
interface:
ip helper-address
Description Configure a helper address for Dynamic Host Configuration Protocol (DHCP).
Default None
Mode Interface
Usage In the current release, the helper-address feature provides service for DHCP packets only.
The ACOS interface on which the helper address is configured must have an IP address.
The helper address cannot be the same as the IP address on any ACOS interface or an IP
address used for SLB.
The current release supports DHCP relay service for IPv4 only.
Example The following commands configure two helper addresses. The helper address for DHCP
server 100.100.100.1 is configured on ACOS Ethernet interface 1 and on Virtual Ethernet (VE)
interfaces 5 and 7. The helper address for DHCP server 20.20.20.102 is configured on VE 9.
ip igmp
Description Configure IGMPv2 membership request queries.
Parameter Description
query-timer Sets the time interval (1-255 seconds) after which your
device (using the interface under which you are configuring
this feature) will initiate an IGMP membership query
request. The default query timer is 125 seconds. This
means that IGMP membership queries will be sent every
125 seconds from the configured interface.
response-timer Sets the time interval (in 1/10 of a second) before which
receiving devices will send an IGMP query message
response to indicate intention to join the IGMP group or not.
The default response timer is 100. This means that receiving
devices have 10 seconds in which to indicate if they will
join the IGMP membership group or not.
Default None
Mode Interface
Usage The configured timer is valid only per interface and it must be set for each individual
interface.
Example To configure IGMP membership request queries on a physical interface, do the following:
To view your IGMP membership request query configuration for a physical interface, do the
following:
Example To configure IGMP membership request queries on a virtual Ethernet interface, do the
following:
ACOS(config)# vlan 50
ACOS(config-vlan:50)# tagged ethernet 1
ACOS(config-vlan:50)# router-interface ve 50
ACOS(config-vlan:50)# exit
ACOS(config)# interface ve 50
ACOS(config-if:ve:50)# ip address 10.10.10.219 /24
ACOS(config-if:ve:50)# ip igmp generate-membership-query 10 max-resp-time 50
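What a generic IGMPv2 membership query looks like on the wire, and how the max-resp-time value of 50 configured above maps to seconds, is shown in the following added example (not code from the guide or from ACOS). It assumes the standard 8-byte IGMPv2 message layout; the parser is what a monitoring host on the segment could use to recognise such queries.

```python
import ipaddress
import struct

MEMBERSHIP_QUERY = 0x11   # IGMP message type used by membership queries


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_general_query(max_resp_tenths: int) -> bytes:
    """Build a general (group 0.0.0.0) IGMPv2 membership query.

    max_resp_tenths is the response time in units of 1/10 second, the same
    unit the guide uses for the response timer. The field is one byte wide,
    and 0 would make the message an IGMPv1 query, hence the 1-255 check.
    """
    if not 1 <= max_resp_tenths <= 255:
        raise ValueError("max response time must be 1-255 tenths of a second")
    group = bytes(4)
    unsummed = struct.pack("!BBH4s", MEMBERSHIP_QUERY, max_resp_tenths, 0, group)
    return struct.pack("!BBH4s", MEMBERSHIP_QUERY, max_resp_tenths,
                       inet_checksum(unsummed), group)


def parse_query(message: bytes) -> dict:
    """Validate and decode an IGMPv1/v2 membership query payload."""
    if len(message) != 8:
        # IGMPv3 queries are at least 12 bytes and are not handled here.
        raise ValueError("not an 8-byte IGMPv1/v2 message")
    msg_type, max_resp, _, group = struct.unpack("!BBH4s", message)
    if msg_type != MEMBERSHIP_QUERY:
        raise ValueError("not a membership query")
    # Summing a message that includes a correct checksum yields zero.
    if inet_checksum(message) != 0:
        raise ValueError("bad checksum")
    return {
        "version": 1 if max_resp == 0 else 2,
        "general": group == bytes(4),
        "group": str(ipaddress.IPv4Address(group)),
        "max_resp_seconds": max_resp / 10,
    }


if __name__ == "__main__":
    query = build_general_query(50)        # max-resp-time 50 from the example
    print(query.hex(), parse_query(query))
```
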
To view your IGMP membership request query configuration for a virtual Ethernet interface,
do the following:
To view your IGMP membership request query configuration for a trunk, do the following:
ip nat
Description Enable source Network Address Translation (NAT) on an interface.
Parameter Description
inside Specifies that this interface is connected to the internal hosts
on the private network that need to be translated into external
addresses for routing.
outside Specifies that this interface is connected to the external
network or Internet. Before sending traffic from an inside host out
on this interface, the ACOS device translates the host’s private
address into a public, routable address.
Default None
Mode Interface
Usage On an ACOS device deployed in transparent mode, this command is valid only on Ethernet
data ports. On an ACOS device deployed in route mode, this command is valid on Ethernet
data ports, Virtual Ethernet (VE) interfaces, and trunks.
To use source NAT, you also must configure global NAT parameters. See the ip nat
commands in “Config Commands: IP” on page 163.
In addition, on some AX series models, if Layer 2 IP NAT is required, you also must enable CPU
processing on the interface. (See “cpu-process” on page 110.) This applies to AX models
AX 3200-12, AX 3400, AX 5200-11, and AX 5630.
Example The following commands configure IP source NAT for internal addresses in the 10.1.1.x/24
subnet connected to interface 14. The addresses are translated into addresses in the range
10.153.60.120-150 before traffic from the internal hosts is sent onto the Internet on interface
15. Likewise, return traffic is translated back from public addresses into the private host
addresses.
ip ospf
Description Configure OSPF interface settings.
Parameter Description
ipaddr Configures the parameter only for the specified IP address. Without
this option, the parameter is configured for all IP addresses on the
interface.
authentication Type of authentication used to validate OSPF route updates sent or
received on this interface:
Parameter Description
dead-interval seconds Number of seconds that neighbor OSPF routers will wait for a new
OSPF Hello packet from ACOS before declaring this OSPF router (the
ACOS device) to be down, 1-65535 seconds.
Parameter Description
retransmit-interval seconds Number of seconds between retransmissions of link-state advertisements
(LSAs) to adjacent routers for this interface, 1-65535 seconds.
Mode Interface
Usage The OSPF router with the highest priority is elected as the DR and the router with the second
highest priority is elected as the BDR. If more than one router has the highest priority, the
router with the highest OSPF router ID is selected. Priority applies only to multi-access networks,
not to point-to-point networks. If you set the priority to 0, the Thunder Series does not
participate in DR and BDR election.
Example The following command sets the OSPF priority on Ethernet interface 10 to 100:
ip rip authentication
Description Configure IPv4 RIP authentication on the interface.
Parameter Description
key-chain name [name ...] Enables authentication using the specified key chains. (To configure a
key-chain file, use the key chain command at the global configuration
level of the CLI.)
mode {md5 | text} Authentication mode:
Default None
Mode Interface
• 1 - RIP version 1.
• 2 - RIP version 2 (default).
Mode Interface
ip rip receive-packet
Description Enable the interface to receive RIP packets.
Default Enabled
Mode Interface
• 1 - RIP version 1.
• 2 - RIP version 2 (default).
Mode Interface
ip rip send-packet
Description Enable the interface to send RIP packets.
Default Enabled
Mode Interface
ip rip split-horizon
Description Configure the split-horizon method. Split horizon prevents the ACOS device from advertising
a route to the neighbor that advertised the same route to the ACOS device.
Parameter Description
poisoned Enables advertisement of a route to the neighbor that advertised
the route to the ACOS device, but sets the metric value to infinity,
thus making the route advertised by the ACOS device unusable by
the neighbor (poisoned reverse).
Mode Interface
Mode Interface
ip slb-partition-redirect
Description Enable routing redirection on an ingress Ethernet data port that will receive traffic addressed
to the VIP in a private partition.
Mode Interface
Example The following example enables routing redirection on ethernet interface 4 so that traffic
addressed to partition p69 will be received on the partition.
ip stateful-firewall
Description Configure stateful firewall direction for this interface.
Parameter Description
inside Inside (private) interface for the stateful firewall.
outside Outside (public) interface for the stateful firewall.
access-list Access list id. You can specify 1-199.
Mode Interface
ip ttl-ignore
Description Configures the device to not decrement TTL field contents for IPv4 traffic passing through.
By default TTL decrements for traffic passing through the ACOS device.
Mode Interface
Example The following example programs the device to not decrement TTL field contents for traffic
passing through the ACOS device.
Default None.
Mode Interface
Usage The ipv6 default-gateway command applies only to the management interface. To
configure IPv6 on a data interface, see “ipv6 address” on page 130.
Example The following commands configure an IPv6 address and default gateway on the manage-
ment port:
ipv6 access-list
Description Apply an IPv6 Access Control List (ACL) to an interface.
Parameter Description
name Name of a configured IPv6 ACL.
in Applies the ACL to inbound IPv6 traffic received on the interface.
Default N/A
Mode Interface
ipv6 address
Description Configure an IPv6 address on the interface.
Parameter Description
ipv6-addr Valid unicast IPv6 address.
prefix-length Prefix length, up to 128.
link-local Configures the address as the link-local IPv6 address for the
interface, instead of a global address. Without this option, the
address is a global address.
anycast Configures the address as an anycast address. An anycast
address can be assigned to more than one interface. A packet
sent to an anycast address is routed to the “nearest” interface
with that address, based on the distance in the routing protocol.
Default None.
Mode Interface
Usage Use this command to configure the link-local and global IP addresses for the interface.
• The ipv6 address command, used without the link-local option, configures a
global address. If you use the link-local option, the address is instead configured as
the link-local address.
• To enable automatic configuration of the link-local IPv6 address instead, use the ipv6
enable command.
To configure IPv6 on the management interface, see “ipv6 (on management interface)” on
page 129.
Example The following command configures a global IPv6 address on Ethernet interface 8:
Example The following command overrides any auto-generated link-local address on interface 6 and
explicitly configures a new link-local address:
ipv6 enable
Description Enable automatic configuration of a link-local IPv6 address on the interface.
Default Disabled
Mode Interface
Usage Use this command to enable automatic configuration of the link-local IPv6 address.
To manually configure the address instead, see “ipv6 address” on page 130.
Example The following command enables an automatically generated link-local IPv6 address on
Ethernet interface 6:
Default Disabled
Mode Interface
Default Disabled
Mode Interface
Parameter Description
default-lifetime seconds Specifies the number of seconds for which router advertisements sent on
this interface are valid. You can specify 0 or 4-9000 seconds. The value
can not be less than the maximum advertisement interval. If you specify 0,
the host will not use this interface (IPv6 router) as a default route.
You can specify 0-255. If you specify 0, the value is unspecified by this
IPv6 router.
Parameter Description
managed-configuration-flag {enable | disable} Set the 1-bit “managed address configuration” flag, which enables
addresses to be available via DHCP.
For more information see RFC 4861, “Neighbor Discovery for IP version 6”:
https://tools.ietf.org/html/rfc4861
max-interval seconds Specifies the maximum number of seconds between transmission of
unsolicited router advertisement messages on this interface. You can
specify 4-1800 seconds.
For more information see RFC 4861, “Neighbor Discovery for IP version 6”:
https://tools.ietf.org/html/rfc4861
prefix ipv6-addr/prefix-length [options] Specifies the IPv6 prefixes to advertise on this interface. A maximum of 32
prefixes can be advertised on an interface.
The following options are supported:
Parameter Description
rate-limit num Specifies the maximum number of router solicitation requests per second
that will be processed on the interface. You can specify 1-100000 messages
per second.
You can specify 0-3600000 ms. If you specify 0, the value is unspecified
by this IPv6 router.
The default is 0.
retransmit-timer seconds Specifies the number of seconds a host should wait between sending
neighbor solicitation messages.
The default is 0.
vrid num Specifies a VRID for which to send router advertisements.
Default IPv6 router discovery is disabled by default. The command options have the default values
specified in the table above.
Mode Interface
IPv6 router discovery is not supported in transparent mode. The ACOS device must be
deployed in gateway mode.
When IPv6 router discovery is enabled on an interface, any new IPv6 addresses that you add
to the interface are automatically added to the set of prefixes to advertise.
Router advertisements are sent to the all-nodes multicast address at an interval that is
uniformly distributed between the minimum and maximum advertisement intervals. If a
host sends a router solicitation message, the ACOS device sends a router advertisement as a
unicast to that host instead.
Example The following commands configure an IPv6 address on Ethernet interface 1, enable IPv6
router discovery, change the minimum and maximum advertisement intervals, and add two
prefixes to the prefix advertisement list.
Default By default, an interface’s cost is calculated based on the interface’s bandwidth. If the auto-cost
reference bandwidth is set to its default value (100 Mbps), the default interface cost is
10.
Mode Interface
Replace seconds with the number of seconds this OSPF router will wait for a reply to a hello
message sent out this interface to an OSPF neighbor, before declaring the neighbor to be
offline. You can specify 1-65535 seconds.
Default 40
Mode Interface
Replace seconds with the number of seconds this OSPF router will wait between
transmission of hello packets out this interface to OSPF neighbors. You can specify 1-65535
seconds.
Default 10
Mode Interface
Replace num with a specific OSPFv3 process, 0-255. If you do not use this option, MTU
checking on the interface is disabled for all OSPFv3 processes.
Mode Interface
Parameter Description
ipv6-addr IPv6 address of the OSPF neighbor.
cost num Specifies the link-state metric to the neighbor, 1-65535.
Parameter Description
poll-interval seconds Number of seconds this OSPFv3 interface will wait for a reply
to a hello message sent to the neighbor, before declaring the
neighbor to be offline. You can specify 1-4294967295 seconds.
Default No neighbors on non-broadcast networks are configured by default. When you configure
one, the other parameters have the default settings described in the table above.
Parameter Description
broadcast Broadcast network.
non-broadcast Non-broadcast multiaccess (NBMA) network.
point-to-multipoint Point-to-multipoint network.
point-to-point Point-to-point network.
num Specifies an OSPFv3 process, 0-255. If you do not use
this option, MTU checking on the interface is disabled
for all OSPFv3 processes.
Mode Interface
Replace num with the priority of this OSPF process on this interface, 0-255. The lowest
priority is 0 and the highest priority is 255.
Default 1
Mode Interface
Usage If more than one OSPF router has the highest priority, the router with the highest router ID is
selected as the designated router.
Replace seconds with the number of seconds this OSPF router waits before resending an
unacknowledged packet out this interface to a neighbor. You can specify 1-65535 seconds.
Default 5
Mode Interface
Replace seconds with the number of seconds this OSPF router waits between transmission of
packets out this interface to OSPF neighbors. You can specify 1-65535 seconds.
Default 1
Mode Interface
Parameter Description
poisoned Enables advertisement of a route to the neighbor that advertised
the route to the ACOS device, but sets the metric value to infinity,
thus making the route advertised by the ACOS device unusable by
the neighbor (poisoned reverse).
Mode Interface
Syntax [no] ipv6 router isis [ISO routing area tag name]
Default None
Mode Interface
Mode Interface
Usage For OSPFv3, the area tag ID configured on an interface must be the same as the tag ID for the
OSPF instance.
Mode Interface
ipv6 stateful-firewall
Description Configure stateful firewall direction for this interface.
Parameter Description
inside Inside (private) interface for the stateful firewall.
outside Outside (public) interface for the stateful firewall.
access-list Access list id. You can specify 1-199.
Mode Interface
ipv6 ttl-ignore
Description Configures the device to not decrement TTL field contents for IPv6 traffic passing through.
By default TTL decrements for traffic passing through the ACOS device.
Mode Interface
Example The following example programs the device to not decrement TTL field contents for traffic
passing through the ACOS device.
isis authentication
Description Configure authentication for this IS-IS interface.
Parameter Description
send-only [level-1 | level-2] Disables checking for keys in IS-IS packets received by this interface.
• level-1 – Disables key checking only for Level-1 (intra-area) IS-IS traffic.
• level-2 – Disables key checking only for Level-2 (inter-area) IS-IS traffic.
mode md5 [level-1 | level-2] Enables MD5 authentication.
• level-1 – Enables MD5 only for Level-1 (intra-area) IS-IS traffic.
• level-2 – Enables MD5 only for Level-2 (inter-area) IS-IS traffic.
key-chain name [level-1 | level-2] Specifies the name of the certificate key chain to use for authenticating IS-IS
traffic.
Mode IS-IS
Usage This command overrides the globally configured authentication settings for the IS-IS
instance.
Use the send-only option to temporarily disable key checking, then use the key-chain
option to specify the key chain. To use MD5, use the md5 option to disable clear-text
authentication and enable MD5 authentication. After key-chains are installed on the other IS-IS
routers, disable the send-only option.
Example The following command disables MD5 authentication for IS-IS on interface VE 2. Clear-text
authentication will be used instead.
ACOS(config)# interface ve 3
ACOS(config-if:ve:3)# no isis authentication mode md5
isis bfd
Description Disable BFD.
Mode Interface
isis circuit-type
Description Specify the IS-IS routing level (circuit type) for this interface.
Default level-1
Mode Interface
isis csnp-interval
Description Configure the interval between transmission of complete sequence number PDUs (CSNPs).
Parameter Description
seconds Specifies the number of seconds to wait between transmission
of CSNPs. You can specify 0-65535 seconds.
level-1 | level-2 Specifies the IS-IS routing level to which the interval setting
applies:
• level-1 – Intra-area
• level-2 – Inter-area
Mode Interface
Usage This command is valid only on broadcast interfaces (network type broadcast).
isis hello
Description Enable padding of IS-IS Hello packets.
Default Enabled
Mode Interface
Usage When padding is enabled, extra bytes are added to IS-IS Hello packets to make them equal
to the MTU size of the interface. This option informs neighbors of the interface’s MTU, so that
neighbors do not send Hello packets that are longer than the MTU.
isis hello-interval
Description Configure the interval between transmission of IS-IS Hello packets on this interface.
Parameter Description
seconds Specifies the number of seconds between transmission of Hello
packets to neighbors. You can specify 0-65535 seconds.
level-1 | level-2 Specifies the IS-IS routing level to which the interval setting applies:
• level-1 – Intra-area
• level-2 – Inter-area
Mode Interface
isis hello-interval-minimal
Description Base the hello interval value on the hello multiplier value.
Parameter Description
level-1 | level-2 Specifies the IS-IS routing level to which the interval setting applies:
• level-1 – Intra-area
• level-2 – Inter-area
Mode Interface
Usage The minimal option bases the hello interval on the hello multiplier, by setting the hold
time to 1, and dividing the hold time by the hello multiplier:
hello-interval = hold-time / hello-multiplier
hello-interval = 1 / hello-multiplier
isis hello-multiplier
Description Configure the multiplier used for calculating the neighbor hold time for Hello packets.
Parameter Description
num Specifies the multiplier. You can specify 2-100.
level-1 | level-2 Specifies the IS-IS routing level to which the multiplier
setting applies:
• level-1 – Intra-area
• level-2 – Inter-area
Default 3
Mode Interface
Usage The hold time specifies the maximum number of seconds IS-IS neighbors should allow
between Hello packets from this IS-IS interface. If the neighbor does not receive a Hello
packet before the hold time expires, the neighbor terminates the adjacency with this IS-IS
router on this interface.
To calculate the hold time, IS-IS multiplies the IS-IS hello interval by the multiplier:
NOTE: If the minimal option is used with the isis hello-interval command, the
hold time is set to 1. This overrides the hold time calculated based on the hello-multiplier
value.
isis lsp-interval
Description Configure the minimum LSP transmission interval.
Replace ms with the minimum number of milliseconds IS-IS will wait between transmission
of LSPs (1-4294967295).
Default 33 ms
Mode Interface
Usage The LSP transmission interval helps avoid high CPU utilization on IS-IS neighbors during LSP
floods, by allowing the neighbors time to send, receive, and process LSPs.
isis mesh-group
Description Configure mesh-group membership to control LSP flooding from this interface.
Parameter Description
group-num Specifies the mesh group number. You can specify
1-4294967295. LSPs are flooded to all Level-1 or Level-2 IS-IS
neighbors (as applicable), except to the neighbors who are in the
same mesh group. LSPs are not flooded to the neighbors who
are in the same mesh group as this interface.
blocked Blocks flooding of LSPs on this interface.
Default None
Mode Interface
isis metric
Description Configure the default IS-IS metric (cost) for the interface.
Parameter Description
num Specifies the cost of using this interface as a link in an IS-IS
route. You can specify 1-63.
level-1 | level-2 Specifies the IS-IS routing level to which the default metric
setting applies:
• level-1 – Intra-area
• level-2 – Inter-area
Mode Interface
Usage The default metric is used for SPF calculation. Links with lower metrics are preferred to links
with higher metrics.
The default metric is applicable only when the metric style is narrow. (See “metric-style” on
page 287.)
isis network
Description Configure the network type.
Parameter Description
broadcast The network is a broadcast network.
point-to-point The network is a point-to-point network.
Default broadcast
Mode Interface
isis password
Description Configure the plain-text password for authentication of Hello packets sent and received on
this interface.
Parameter Description
string Specifies the password.
level-1 | level-2 Specifies the IS-IS routing level to which the password
applies:
• level-1 – Intra-area
• level-2 – Inter-area
Default None
Mode Interface
Usage The password is applicable only if the authentication type is plain-text. (See “isis authentication”
on page 140.)
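The following audit sketch is an added example, not A10 code and not part of the original guide. It scans an exported configuration for the weaker routing-authentication settings documented above for `ip rip authentication`, `isis authentication`, and `isis password`. The sample configuration is constructed, and the `interface ... !` block layout, the rule names, and the function names are assumptions.

```python
import re

LEVELS = ("level-1", "level-2")

# Interface-level commands documented in this section. The optional trailing
# keyword limits a setting to one IS-IS level; without it, both levels apply.
PATTERNS = {
    "rip_mode": re.compile(r"ip rip authentication mode (md5|text)$"),
    "isis_md5": re.compile(r"isis authentication mode md5(?: (level-[12]))?$"),
    "isis_send_only": re.compile(r"isis authentication send-only(?: (level-[12]))?$"),
    "isis_key_chain": re.compile(r"isis authentication key-chain \S+(?: (level-[12]))?$"),
    "isis_password": re.compile(r"isis password \S+(?: (level-[12]))?$"),
}

# Constructed sample (not from a real device). Key-chain names and the
# password placeholder are made up for illustration.
SAMPLE_CONFIG = """\
interface ethernet 1
 ip rip authentication key-chain rip-keys
 ip rip authentication mode text
!
interface ve 2
 isis authentication send-only level-1
 isis authentication key-chain isis-keys level-1
 isis authentication mode md5 level-1
!
interface ve 3
 isis password EXAMPLE-ONLY level-2
!
interface ve 4
 isis authentication key-chain isis-keys
 isis authentication mode md5
 no isis authentication mode md5
!
interface ve 5
 isis authentication key-chain isis-keys
 isis authentication mode md5
!
"""


def new_state():
    return {"rip_mode": None, "isis_md5": set(), "isis_send_only": set(),
            "isis_key_chain": set(), "isis_password": set()}


def parse_interfaces(config_text):
    """Return {interface name: effective authentication settings}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(line[len("interface "):], new_state())
            continue
        if line == "!":          # assumed end-of-block marker
            current = None
            continue
        if current is None:      # global-level line, not audited here
            continue
        negated = line.startswith("no ")
        if negated:
            line = line[3:]
        for key, pattern in PATTERNS.items():
            m = pattern.match(line)
            if not m:
                continue
            if key == "rip_mode":
                current[key] = None if negated else m.group(1)
            else:
                levels = {m.group(1)} if m.group(1) else set(LEVELS)
                if negated:
                    current[key] -= levels   # "no ..." removes the setting
                else:
                    current[key] |= levels
    return interfaces


def audit(config_text):
    """Return (interface, rule, level) findings; secrets are never echoed."""
    findings = []
    for name, st in parse_interfaces(config_text).items():
        if st["rip_mode"] == "text":
            findings.append((name, "rip-clear-text", None))
        for lvl in LEVELS:
            if lvl in st["isis_password"]:
                # isis password is the plain-text Hello password.
                findings.append((name, "isis-plain-text-password", lvl))
            if lvl in st["isis_send_only"]:
                # Received IS-IS packets are not key-checked while this is set.
                findings.append((name, "isis-send-only", lvl))
            if lvl in st["isis_key_chain"] and lvl not in st["isis_md5"]:
                # Without mode md5, clear-text authentication is used.
                findings.append((name, "isis-key-chain-clear-text", lvl))
    return findings


if __name__ == "__main__":
    for iface, rule, level in audit(SAMPLE_CONFIG):
        print(f"{iface:12} {rule:28} {level or 'all'}")
```

A `send-only` finding is expected while key chains are still being rolled out to neighbors; it becomes a problem when it remains after the rollout is complete.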
isis priority
Description Configure this interface’s priority for Designated Integrated System (DIS) election.
Parameter Description
num Specify the priority (0-127).
level-1 | level-2 Specifies the IS-IS routing level to which the priority
applies:
• level-1 – Intra-area
• level-2 – Inter-area
Mode Interface
Usage During DIS election, the IS-IS router with the highest priority is elected as the DIS for the LAN.
If more than one IS-IS router has the highest priority, the router that has the IS-IS interface
with the highest MAC address is elected as the DIS.
The priority is applicable only if the network type is broadcast. (See “isis network” on
page 146.)
isis restart-hello-interval
Description Configure the amount of time this interface waits for acknowledgement from neighbors of
its notification to restart IS-IS, before resending the notification.
Parameter Description
seconds Specifies the number of seconds IS-IS waits to receive an
acknowledgment of its restart notification. You can specify
1-65535 seconds.
level-1 | level-2 Specifies the IS-IS routing level to which the interval
applies:
• level-1 – Intra-area
• level-2 – Inter-area
Mode Interface
Usage To notify its IS-IS neighbors of an intent to restart the IS-IS process, the ACOS device inserts a
Restart TLV in IS-IS Hello packets sent to neighbors on this interface. If an acknowledgement
of the restart notification is not received on this interface before the restart hello interval
expires, IS-IS resends the notification.
isis retransmit-interval
Description Configure the interval between transmission of LSPs on point-to-point links.
Replace seconds with the number of seconds IS-IS waits before resending an LSP that was
dropped (0-65535). Use a value that is greater than the expected round-trip delay between
any two routers on the attached network.
Default 5
Mode Interface
Usage The retransmit interval is applicable only if the network type is point-to-point. (See “isis network”
on page 146.)
isis wide-metric
Description Configure the length of a wide metric on the interface.
Parameter Description
num Specifies the metric length. You can specify 1-16777214.
level-1 | level-2 Specifies the IS-IS routing level to which the metric
applies:
• level-1 – Intra-area
• level-2 – Inter-area
Mode Interface
Usage The wide metric is applicable only if the metric style is set to wide or transition. (See “metric-style”
on page 287.)
l3-vlan-fwd-disable
Description Disable Layer 3 forwarding between VLANs on this interface.
Default By default, the ACOS device can forward Layer 3 traffic between VLANs.
Mode Interface
Usage This command is applicable only on ACOS devices deployed in gateway (route) mode. If the
option to disable Layer 3 forwarding between VLANs is configured at any level, the ACOS
device can not be changed from gateway mode to transparent mode, until the option is
removed.
The command is valid on physical Ethernet interfaces, Virtual Ethernet (VE) interfaces, trunks,
and on the lead interface in trunks.
However, if the command is configured on a physical Ethernet interface, that interface can
not be added to a trunk or VE.
If the command is used on a trunk or VE and that trunk or VE is removed from the
configuration, the command is also removed from all physical Ethernet interfaces that were
members of the trunk or VE. Likewise, if a VLAN is removed, the command is removed from
any physical Ethernet interfaces that were members of the VLAN.
To display statistics for this option, use the show slb switch command. For more
information, see “show slb switch” in the Command Line Interface Reference.
lldp enable
Description Configure this interface to send only, receive only, or send and receive LLDP data packets.
Specify rx to configure the interface to only receive LLDP data packets; specify tx to
configure the interface to only send LLDP data packets. If neither is specified, the interface
can both receive and send LLDP data packets.
lldp notification
Description Configure this port to send notifications.
Mode Interface
lldp tx-dot1-tlvs
Description The TLVs VLAN name and link-aggregation are dictated by 802.1ab Annex E.
Parameter Description
vlan Assign a name to the VLAN and map the VLAN ID to the
VLAN.
link-aggregation Link-aggregation TLV, dictated by 802.1ab 2005 and
802.1ab 2009.
Default Since 802.1ab 2009 and 802.1ab 2005 are inherently different, some older devices do support
these TLVs by default. The TLVs will not automatically be included in the transmitted frame.
Mode Interface
lldp tx-tlvs
Description Configure the transmission TLV packets to exclude. All basic TLVs will be included by default.
Mode Interface
load-interval
Description Change the interval for utilization statistics for the interface.
You must specify the amount in 5-second intervals. For example, 290 and 295 are valid
interval values. However, 291, 292, 293, and 294 are not valid interval values.
Mode Interface
To display interface utilization statistics, see the “show interfaces” and “show statistics”
commands in the Command Line Interface Reference.
Example The following command changes the utilization statistics interval for Ethernet interface 1 to
200 seconds:
lw-4o6
Description Configure an LW-4over6 interface.
Parameter Description
inside Configure an LW-4over6 inside interface.
outside Configure an LW-4over6 outside interface.
Mode Interface
media-type-copper
Description Configure a 40G port if you want to use a copper 40G DAC cable.
Default 40G ports on ACOS devices are configured to use fiber cables by default.
Mode Interface
monitor
Description Configure an Ethernet interface to send a copy of its traffic to another Ethernet interface.
Before using this command, you must have first configured a mirror port to accept the
copied (mirrored) traffic. For more information, see the “mirror-port” command in the
Command Line Interface Reference.
Parameter Description
both Send a copy of both inbound and outbound traffic to the mirror port.
The mirror port must have already been configured to send both
inbound and outbound mirrored traffic from this monitored port. For
example:
The mirror port must have already been configured to send inbound
mirrored traffic from this monitored port. For example:
The mirror port must have already been configured to accept outbound
mirrored traffic from this monitored port. For example:
Mode Interface
Usage This command is valid only on Ethernet data interfaces. To specify the port where mirrored
traffic should be sent, use the mirror-port command at the global Config level. For more
information, see the “mirror-port” command in the Command Line Interface Reference.
NOTE: Only one mirror port is supported. All mirrored traffic for the directions you specify
goes to that port.
Example The following commands enable monitoring of input traffic on Ethernet port 5, and enable
the monitored traffic to be copied (“mirrored”) to Ethernet port 3:
mtu
Description Change the Maximum Transmission Unit (MTU) for an Ethernet interface.
Replace bytes with the largest packet size that can be forwarded out the interface (1200-
1500).
NOTE: See Usage section below for details on jumbo frame support.
Mode Interface
If the ACOS device needs to forward a packet that is larger than the MTU of the ACOS egress
interface to the next hop, but the Do Not Fragment bit is set in the packet, the ACOS device
drops the packet and sends an ICMP Destination Unreachable code 4 (Fragmentation
required, and DF set) message to the sender.
To display a counter of how many outbound packets have been dropped because they were
longer than the outbound interface's MTU, use the following command:
The counter is labeled “MTU exceeded Drops”. The counter includes packets that had the Do
Not Fragment bit set and packets that did not have the bit set.
You can enable jumbo support on a global basis. In this case, the MTU is not automatically
changed on any interfaces, but you can increase the MTU on individual interfaces.
• On FTA models, you can increase the MTU on individual Ethernet interfaces up to
12000 bytes.
• On non-FTA models, you can increase the MTU on individual Ethernet interfaces up to
9216 bytes.
name
Description Assign a name to the interface.
Replace string with the name for the interface, 1-63 characters.
Default None
Mode Interface
Usage This command applies to physical and virtual Ethernet data interfaces, tunnels, and trunks.
This command does not apply to the management interface.
Example The following commands assign the name "WLAN-interface" to an interface and show the
result:
ACOS(config)# interface ve 1
ACOS(config-if:ve:1)# name WLAN-interface
ACOS(config-if:ve:1)# show ip interfaces
Port IP Netmask PrimaryIP Name
----------------------------------------------------------------------------
mgm 192.168.20.136 255.255.255.0 Yes
ve1 192.168.217.1 255.255.255.0 Yes WLAN-interface
ve2 50.50.50.1 255.255.255.0 Yes
ports-threshold
Description Configure the minimum port threshold for a trunk.
Parameter Description
number-of-ports Minimum number of ports that must be up in order for
the trunk to remain up. If the number of up ports falls
below the configured threshold, the ACOS device automatically
disables the trunk’s member ports. The ports
are disabled in the running-config. You can specify 2-8.
timer seconds [do-auto-recovery] Number of seconds to wait after a port goes down
before marking the trunk down, if the configured threshold
is exceeded. You can set the ports-threshold timer to
1-300 seconds.
Mode Interface
remove-vlan-tag
Description Remove the VLAN tag from packets to ensure that packets going out of the interface will be
untagged.
NOTE: This command is not available on non-FPGA platforms, and is also not available on
the A10 Thunder Series 3230S(S), 3430(S), and 5330(S) platforms.
Default Disabled
Mode Interface
snmp-server
Description Specify a data interface to use as the source interface for SNMP traps.
Mode Interface
Usage Select a data interface from which to send SNMP traps. The interface can be any of the following
types:
• Ethernet
• VLAN / VE
• Loopback
When the ACOS device sends an SNMP trap from the specified data interface, the “agent-
address” in the SNMP trap is the data interface’s IP address.
Implementation Details:
Example The following command attempts to set a loopback interface as the SNMP trap source. However,
the feature has already been enabled on Ethernet port 1, and only one interface can be
enabled for SNMP traps, so this example shows that the existing trap source will be overwritten
with the new one:
trunk-group
Description Add the interface to a trunk group.
Parameter Description
TrunkID Trunk number, 1-4096.
Default static
Mode Interface
Usage Use this command on each Ethernet data port you want to add to the trunk. When finished,
use the interface trunk TrunkID command to access the configuration level for the
trunk interface.
For more information about trunk configuration, see “Link Trunking” on page 17.
• name
• router-interface
• shared-vlan
• tagged
• untagged
To access this CLI level, enter the vlan command from the Global configuration level. For example:
ACOS(config)# vlan 4
ACOS(config-vlan:4)#
If the ACOS device is a member of an aVCS virtual chassis, specify the VLAN ID as follows:
DeviceID/vlan-id, where DeviceID is the device’s aVCS ID and vlan-id is the VLAN ID.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are
described in the Command Line Interface Reference.
name
Description Assign a name to the VLAN.
Replace string with the name for the VLAN, 1-63 characters.
Default The default name for VLAN 1 is “DEFAULT VLAN”. For other VLANs, if a name is not configured,
“None” appears in place of the name.
Mode VLAN
Example The following commands assign the name “Test100” to VLAN 100 and show the result:
Untagged Ports: 3 4 5 6 7 9 10
Tagged Ports: None
router-interface
Description Add a virtual Ethernet (VE) router interface to the VLAN. A VE is required in order to configure
an IP address on a VLAN.
Replace ve-num with the VE number, 2-4094. The VE number must be the same as the VLAN
number.
Mode VLAN
Usage This command is valid only on ACOS devices deployed in route mode.
The VE interface on a VLAN must have the same number as the VLAN. For example, in VLAN
69, the VE number also must be 69.
The MAC addresses used by the ACOS device’s physical Ethernet data ports also are used for
VEs. (See the “system ve-mac-scheme” command in the Command Line Interface Reference.)
ACOS(config)# vlan 4
ACOS(config-vlan:4)# router-interface ve 4
shared-vlan
Description Enable the shared management VLAN functionality for the VLAN.
Default Disabled
Mode VLAN
tagged
Description Add tagged ports to a VLAN. A tagged port can be a member of more than one VLAN. An
untagged port can be a member of only a single VLAN.
Parameter Description
port-num Add the specified tagged ethernet port to the VLAN.
Mode VLAN
Example The following command adds ports 4 and 5 to VLAN 4 as tagged ports:
ACOS(config)# vlan 4
ACOS(config-vlan:4)# tagged ethernet 4 to 5
untagged
Description Add untagged ports to a VLAN. An untagged port can be a member of only a single VLAN.
lif lif-num |
trunk trunk-num [to trunk-num] |
}
Parameter Description
port-num Add the specified untagged ethernet port to the VLAN.
Default VLAN 1 contains all ports by default. New VLANs do not contain any ports by default.
Mode VLAN
Example The following commands add port 6 and ports 8-10 to VLAN 4 as untagged ports:
ACOS(config)# vlan 4
ACOS(config-vlan:4)# untagged ethernet 6
ACOS(config-vlan:4)# untagged ethernet 8 to 10
Config Commands: IP
• ip access-list
• ip address
• ip anomaly-drop
• ip as-path
• ip community-list
• ip default-gateway
• ip dns
• ip extcommunity-list
• ip frag buff
• ip frag cpu-threshold
• ip frag max-packets-per-reassembly
• ip frag max-reassembly-sessions
• ip frag timeout
• ip icmp disable
• ip map-list
• ip mgmt-traffic
• ip nat icmp
• ip nat pool
• ip nat pool-group
• ip nat range-list
• ip nat translation
• ip nat-global reset-idle-tcp-conn
• ip prefix-list
• ip reroute
• ip route
• ip-list
• ipv4-in-ipv6 frag
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are
described in the Command Line Interface Reference.
ip access-list
Description Configures an IPv4 access control list (ACL).
This command changes the CLI to the configuration level for the specified IPv4 ACL, where
the following commands are available:
{
[sequence-number]
{[remark string] |
[deny | permit | l3-vlan-fwd-disable]}
{traffic-type}
{traffic-source}
{traffic-destination}
{more-options}
}
NOTE: If you are configuring an ACL for source NAT, use the permit action. For
ACLs used with source NAT, the deny action does not drop traffic, it simply does
not use the denied addresses for NAT translations.
Alternatively, you can use mask-length to specify the portion of the address to
filter. For example, you can specify “/24” instead of “0.0.0.255” to filter on a 24-bit
subnet.
• fragments – Matches on packets in which the More Fragments bit in the IP header
is set (1) or that have a non-zero fragment offset.
• vlan vlan-id – Matches on the specified VLAN. VLAN matching occurs for
incoming traffic only.
• dscp num – Matches on the 6-bit Diffserv value in the IP header, 1-63.
• established – Matches on TCP packets in which the ACK or RST bit is not set.
This option is useful for protecting against attacks from outside. Since a TCP
connection from the outside does not have the ACK bit set (SYN only), the connection
is dropped. Similarly, a connection established from the inside always
has the ACK bit set. (The first packet to the network from outside is a SYN/ACK.)
• log [transparent-session-only] – Configures the ACOS device to generate
log messages when traffic matches the ACL.
The transparent-session-only option limits logging for an ACL rule to creation and
deletion of transparent sessions for traffic that matches the ACL rule.
Usage The support for named IPv4 ACLs supplements the support for IPv4 ACLs configured by ID.
You can use a named IPv4 ACL in any place a standard or extended IPv4 ACL is supported. In
the CLI, use the name option in front of the IPv4 ACL name.
Example The following commands configure a named, extended IPv4 ACL called “Deny-Rules” to
deny traffic sent from subnet 10.10.10.x to 10.10.20.5:80, and apply the ACL to inbound traffic
received on Ethernet interface 7:
ip address
Description Configure the global IP address of the ACOS device, when the device is deployed in
transparent mode (Layer 2 mode).
Default None.
Usage This command applies only when the ACOS device is deployed in transparent mode. To
assign IP addresses to individual interfaces instead (gateway mode), use the ip address
command at the interface configuration level. (See “ip address” on page 114.)
If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.
The ACOS device’s table of OSPF interfaces will include the loopback interface. Likewise, the
ACOS device will include the loopback interface in link-state advertisements sent to
neighbor OSPF routers.
The ACOS device does not support multiple OSPF networks on a data interface. One OSPF
network configuration can enable at most one network per interface.
For example, assume a data port has 3 IP addresses configured that belong to 3 separate
subnets, S1, S2, and S3. If you configure network S4 with area A.B.C.D, and S4 contains S1, S2,
and S3, then only S1 will be running OSPF. S2 and S3 will not be known to other OSPF
routers.
To work around this limitation, enable OSPF redistribution of directly connected routes so
that OSPF will redistribute S2 and S3 via the network running on S1.
ip anomaly-drop
Description Enable filtering for IP packets that exhibit predictable, well-defined anomalies. You can
enable filtering for the following types of IP anomalies:
Parameter Description
bad-content Bad content threshold. You can specify a value of 1-127.
drop-all Drop all IP anomaly packets.
frag Drop all fragmented packets.
ip-option Drop packets with IP options.
land-attack Drop IP packets with the same source and destination addresses.
out-of-sequence Out of sequence packet threshold. You can specify a value of 1-127.
packet-deformity Drop packets with deformity. You can specify layer-3 or layer-4.
ping-of-death Drop oversize ICMP packets.
security-attack Drop packets causing a security attack. You can specify layer-3 or layer-4.
tcp-no-flag Drop TCP packets with no flag.
tcp-syn-fin Drop TCP packets with both syn and fin flags set.
tcp-syn-frag Drop fragmented TCP packets with a syn flag set.
zero-window Zero window size threshold.
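The header-level categories in the table above can be checked against captured packets when validating what a drop policy should match. The Python below is an added example, not ACOS code: it labels raw IPv4 packets with the categories whose definitions the table states, and treats "oversize ICMP" as a fragment whose reassembled length would exceed 65535 bytes (an assumption). The helper names are hypothetical and the sample packets are constructed.

```python
import ipaddress
import struct
from typing import Dict, Set

ICMP, TCP = 1, 6
FIN, SYN = 0x01, 0x02
MF = 0x2000            # "more fragments" flag in the flags/offset word
OFFSET_MASK = 0x1FFF   # fragment offset, counted in 8-byte units


def classify(packet: bytes) -> Set[str]:
    """Return the anomaly category names a raw IPv4 packet falls under."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a parsable IPv4 header")

    offset = (flags_frag & OFFSET_MASK) * 8
    payload = packet[ihl:]
    labels: Set[str] = set()

    if flags_frag & MF or offset:
        labels.add("frag")
    if ihl > 20:                      # header longer than 20 bytes carries options
        labels.add("ip-option")
    if src == dst:
        labels.add("land-attack")
    # Assumption: "oversize" means the reassembled datagram would exceed the
    # 65535-byte IPv4 maximum (fragment offset + this fragment's total length).
    if proto == ICMP and offset + total_len > 65535:
        labels.add("ping-of-death")

    # TCP flags are only visible in the fragment that carries the TCP header.
    if proto == TCP and offset == 0 and len(payload) >= 14:
        flags = payload[13] & 0x3F
        if flags == 0:
            labels.add("tcp-no-flag")
        if flags & SYN and flags & FIN:
            labels.add("tcp-syn-fin")
        if flags & SYN and "frag" in labels:
            labels.add("tcp-syn-frag")
    return labels


def ipv4(src, dst, proto, payload, flags_frag=0, options=b""):
    """Build a test IPv4 packet (checksum left at 0; classify() ignores it)."""
    ihl = 20 + len(options)
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | (ihl // 4), 0,
                         ihl + len(payload), 0, flags_frag, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + options + payload


def tcp(flags):
    """Build a 20-byte TCP header with the given flag bits (ports arbitrary)."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)


A, B = "192.0.2.10", "198.51.100.5"   # documentation address ranges

# Constructed sample packets, one per category the classifier covers.
SAMPLES: Dict[str, bytes] = {
    "normal SYN": ipv4(A, B, TCP, tcp(SYN)),
    "same src and dst": ipv4(A, A, TCP, tcp(SYN)),
    "SYN+FIN": ipv4(A, B, TCP, tcp(SYN | FIN)),
    "no TCP flags": ipv4(A, B, TCP, tcp(0)),
    "fragmented SYN": ipv4(A, B, TCP, tcp(SYN), flags_frag=MF),
    "IP options": ipv4(A, B, TCP, tcp(SYN), options=b"\x01\x01\x01\x00"),
    "oversize ICMP": ipv4(A, B, ICMP, b"\x00" * 100, flags_frag=8189),
}


def run_samples() -> Dict[str, Set[str]]:
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, labels in run_samples().items():
        print(f"{name:18} {sorted(labels) or '-'}")
```

The threshold-based options (bad-content, out-of-sequence, zero-window) and the packet-deformity and security-attack options are left out because the table does not define what they match.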
ip as-path
Description Configure an AS-path list for BGP.
Parameter Description
regular-expression Access list name.
deny | permit Action to perform on matching entries.
Default None
ip community-list
Description Specify BGP community attributes.
Parameter Description
num List number.
{expanded | standard} list-name List type and name.
deny | permit Action to perform for matching communities.
community-number Community number.
local-AS Advertises routes only within the local Autonomous System (AS), not to external BGP peers.
no-advertise Does not advertise routes.
no-export Does not advertise routes outside the AS boundary.
Default None
ip default-gateway
Description Specify the default gateway to use to reach other subnets, when the ACOS device is
deployed in transparent mode (Layer 2 mode).
Default None.
Usage This command applies only when the ACOS device is used in transparent mode. If you
instead want to use the device in gateway mode (Layer 3 mode), configure routing.
To configure the default gateway for the out-of-band management interface, use the
interface management command to go to the configuration level for the interface, then
enter the ip default-gateway command. (See “ip default-gateway” on page 117.)
If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.
Example The following command configures an ACOS device deployed in transparent mode to use
router 10.10.10.1 as the default gateway for data traffic:
ip dns
Description Configure DNS servers and the default domain name (DNS suffix) for hostnames on the
ACOS device.
Default None
ip extcommunity-list
Description Configure an extended community list for BGP.
Parameter Description
num List number.
{expanded | standard} list-name List type and name.
deny | permit Action to perform for matching communities.
rt | soo {AS-num:nn | ipaddr:nn} Community type and ID:
• rt – Route-target extended community.
• soo – Site-of-origin extended community.
Default None
ip frag buff
Description Maximum buffer size used for fragmentation.
Replace num with the maximum number of buffers the ACOS device will allow for
fragmentation sessions. You can specify 10000-3000000 (3 million). The specified maximum
applies to both IPv4 and IPv6.
Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.
ip frag cpu-threshold
Description Set the CPU usage threshold at which to stop processing fragmented packets.
Parameter Description
max-use The max CPU usage percentage allowed, specified as a number
between 0 and 100. When CPU usage exceeds this threshold,
the CPU will stop processing fragments.
min-use The minimum CPU usage percentage that needs to be maintained
before the CPU starts processing fragments again. This
value is specified as a number between 0 and 100.
Default The default high is 75% and the default low is 60%.
ip frag max-packets-per-reassembly
Description Maximum number of fragmented packets allowed per reassembly (0 is unlimited) (default 0)
Replace num with the maximum number of fragmented packets the ACOS device will allow
per reassembly. You can specify 2-16.
Default 0
ip frag max-reassembly-sessions
Description Configure the IP fragment queue size.
Replace num with the maximum number of simultaneous fragmentation sessions the ACOS
device will allow. You can specify 1-200000. The specified maximum applies to both IPv4 and
IPv6.
Default 100000
Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.
ip frag timeout
Description Configure the timeout for IP packet fragments.
Replace ms with the number of milliseconds (ms) the ACOS device buffers fragments for
fragmented IP packets. If any fragments of an IP packet do not arrive within the specified
time, the fragments are discarded and the packet is not re-assembled. You can specify
4-16000 ms (16 seconds), in 10-ms increments.
Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.
ip icmp disable
Description Disable ICMP messages.
Parameter Description
redirect Disables sending of ICMP Redirect messages.
unreachable Disables sending of ICMP Destination Unreachable messages.
Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.
Example The following command disables sending of IPv4 ICMP Redirect messages:
ip map-list
Description Configure IP Map List name.
Replace name with the name of the IP Map List. You can specify 1-63.
ip mgmt-traffic
Description Allows a loopback interface IP address to be used as the source interface for management
traffic originated by the ACOS device.
To apply the command only to a specific type of traffic (SNMP, NTP, and so on), use the option
for that traffic type. To apply the command to all management traffic types, use the all
option.
• Layer 2/3 Virtualization – This feature is supported only for loopback interfaces that
belong to the shared partition. When this feature is configured, management traffic
initiated from a private partition will use the IP address of the specified loopback interface
as the source address, and will use the shared partition’s data routing table to select the
outbound interface.
Limitations
The current release has the following limitations related to this feature:
• Floating loopback interfaces are not supported.
• IPv6 interfaces are not supported.
• aVCS is not supported.
Example The following command configures the ACOS device to use loopback interface 2 as the
source interface for management traffic of all types listed above:
Point (PPP) traffic through the ACOS device over a Generic Routing Encapsulation (GRE)
tunnel. PPTP is used to connect Microsoft Virtual Private Network (VPN) clients and VPN hosts.
Default Enabled
Usage NAT ALG for PPTP has additional configuration requirements. For information, see the “NAT
ALG Support for PPTP” section in the “Network Address Translation” chapter of the
Application Delivery and Server Load Balancing Guide.
ip nat icmp
Description Configure NAT ICMP settings.
Parameter Description
always-source-nat-errors Enable NAT for ICMP messages from inside routers. By default, source IP
addresses of ICMP error messages sent by inside routers are not translated
into NAT addresses.
respond-to-ping Enable ping replies from NAT pool addresses. By default, ping requests
sent to LSN NAT pool addresses are dropped.
Default Disabled
Parameter Description
class-list name Specifies a class list. Entries in the class list map internal IP addresses to IP
NAT pools.
list acl-name Specifies an Access Control List (ACL) that matches on the inside
addresses to be translated. (To configure the ACL, see the “access-list”
commands in the Command Line Interface Reference.)
pool pool-or-group-name [msl seconds] [respond-to-user-mac] Dynamically assigns addresses
from a range defined in a pool or pool group.
The msl option sets the TCP Maximum Segment Life (MSL) for source-NAT
connections that use the specified pool or pool group. This option is useful
for NAT connections to devices with older TCP/IP stacks, where the MSL is
up to 2 minutes, resulting in a wait of up to 240 seconds (4 minutes) after a
FIN before the endpoint can enter a new connection. You can set the MSL
to 1-1800 seconds.
NOTE: This option is valid only for the current session. After the client’s
MAC address expires, the ACOS device will use the routing table to select
the next hop. If the session has traffic from the inside client, the ACOS
device will learn the inside client's MAC address again.
static inside-ipaddr nat-ipaddr Statically maps the specified inside address to a specific NAT address.
disable | enable Disables or re-enables the static mapping.
vrid num VRRP-A VRID.
Default None
• VRRP-A session synchronization is not supported. However, sessions will not be
interrupted by failover.
Example The following command configures static inside NAT translation of 10.10.10.55 to
192.168.20.44:
ip nat pool
Description Configure a named set of IP addresses for use by NAT.
Parameter Description
pool-name Name of the address pool.
start-ipaddr Beginning (lowest) IP address in the range.
end-ipaddr Ending (highest) IP address in the range.
netmask {subnet-mask | /mask-length} Network mask for the IP addresses in the pool.
gateway ipaddr Default gateway to use for NATted traffic.
ip-rr Uses pool IP addresses in round robin fashion. Without this option, IP
address selection from a NAT pool depends on the incoming tuple and
the usage of the NAT pool.
scaleout-device-id device-id Configure the Scale Out device ID to which this IP NAT pool will be
bound (1-64).
vrid num VRRP-A VRID. In the shared partition, you can specify 1-31 or default.
In private partitions, you can specify default.
Default None.
Usage The pool can be used by other ip nat commands. The IP addresses must be IPv4 addresses.
To configure a pool of IPv6 addresses, see “ipv6 nat pool” on page 199.
To enable inside or outside NAT on interfaces, see “ip nat” on page 122.
When you use the gateway option, the gateway you specify is used as follows:
• For forward traffic (traffic from a client to a server), the NAT gateway is used if the source
NAT address (the address from the pool) and the server address are not in the same IP
subnet.
• On reverse traffic (reply traffic from a server to a client), the NAT gateway is used if all
the following conditions are true:
• The session is using translated addresses (is source NATted).
• The source protocol port is in the source NAT subnet.
• The destination is not in the source NAT subnet.
For conditions under which the NAT gateway is needed, if no NAT gateway is configured, the
ACOS device uses the default gateway configured for the ACOS device’s other traffic instead.
Example The following command configures an IP address pool named “pool1” that contains
addresses from 30.30.30.1 to 30.30.30.254:
ip nat pool-group
Description Configure a set of IP pools for use by NAT. Pool groups enable you to use non-contiguous IP
address ranges, by combining multiple IP address pools.
Parameter Description
pool-group-name Name of the pool group.
vrid num VRRP-A VRID.
This command changes the CLI to the configuration level for the specified pool group,
where the following command is available:
member pool-name
Default None.
Usage To use a non-contiguous range of addresses, configure a separate pool for each contiguous
portion of the range, then configure a pool group that contains the pools.
The addresses within an individual pool still must be contiguous, but you can have gaps
between the ending address in one pool and the starting address in another pool. You also
can use pools that are in different subnets.
For SLB, a pool group can contain up to 5 pools. Pool group members must belong to the
same protocol family (IPv4 or IPv6). A pool can be a member of multiple pool groups.
If a pool group contains pools in different subnets, the ACOS device selects the pool that
matches the outbound subnet. For example, if there are two routes to a given destination, in
different subnets, and the pool group has a pool for one of those subnets, ACOS selects the
pool that is in the subnet for the outbound route.
The ACOS device selects the pool whose addresses are in the same subnet as the next-hop
interface used by the data route table to reach the server.
ip nat range-list
Description Configure a range of IP addresses to use with static NAT.
Parameter Description
list-name Name of the static NAT address range.
local-ipaddr /mask-length Beginning (lowest) IP address in the range of local addresses.
global-ipaddr /mask-length Beginning (lowest) IP address in the range of global addresses.
count number Number of addresses to be translated, 1-200000. The range contains a
contiguous block of the number of addresses you specify.
The block of local addresses starts with the address you specify for
local-ipaddr. Likewise, the block of global addresses begins with the address you
specify for global-ipaddr.
list acl-label Specifies an Access Control List (ACL) that matches on the range-list
addresses to be translated. (To configure the ACL, see the “access-list”
commands in the Command Line Interface Reference.)
Valid options for acl-label include:
• <0-199> —Specifies a numbered ACL.
• name acl-name — Specifies a named ACL.
vrid num VRRP-A VRID.
Default None.
Usage You can configure up to 2000 ranges. You can specify IPv4 or IPv6 addresses within a range.
Example The following command configures an IP address range named “nat-list-1” that maps up to
100 local addresses starting from 10.10.10.97 to Internet addresses starting from
192.168.22.50:
ACOS(config)# ip nat range-list nat-list-1 10.10.10.97 /16 192.168.22.50 /16 count 100
This command changes the CLI to the configuration level for the specified NAT logging
template, where the following commands are available.
Command Description
[no] facility facility-name Specifies the logging facility to use. For a list of available
facilities, enter the following command: facility ?
NOTE: This does not conflict with the real server port, which is
the destination port of the logging packet.
NOTE: The source-port command is only applicable to syslog over UDP, and does not
apply to TCP traffic. With syslog over TCP traffic, the source port is determined by
ACOS through Smart NAT.
Default There is no NAT logging template by default. When you configure one, the template options
have the default values as described in the table above.
Usage The template keeps track of which external clients were mapped to the NAT IP and load
balances multiple IP address requests. Therefore it can be used once VIPs are configured.
Example The following commands show a configuration for external logging of SLB NAT activity.
Log Output:
...
ip nat translation
Description Configure NAT timers.
Parameter Description
icmp-timeout {age seconds | fast} Specifies the minimum number of seconds NATted ICMP
sessions can remain idle before being terminated. You can specify 2-15000 seconds, or fast.
The fast option terminates the session as soon as a response is received.
By default, this is not set. For all service ports except UDP 53, the tcp-timeout or
udp-timeout setting is used. For UDP port 53, the SLB MSL time is used.
tcp-timeout seconds Timeout for TCP sessions that are not ended normally by a FIN or RST. You can
specify 2-15000 seconds:
Usage The timeout value you specify is the minimum number of seconds the session can remain
idle. It takes up to 60 seconds following expiration of the configured timeout value for the
session to be removed.
If you specify 2-30 seconds, the timeout takes place very rapidly, as close to the configured
timeout as possible.
If you specify 31-15000 seconds, the timeout value must be divisible by 60, and can be a
minimum of 1 minute. If the timeout is set to a value in the range 31-59, the timeout value is
rounded up to 60. Values in the range 61-14999 are rounded down to the nearest multiple of
60.
Example The following command changes the TCP timeout to 120 seconds:
ip nat-global reset-idle-tcp-conn
Description Enable client and server TCP Resets for NATted TCP sessions that become idle.
Default Disabled.
ip prefix-list
Description Configure an IPv4 prefix list.
Parameter Description
list-name Name of the IP prefix list. The name can not contain blanks.
description string Description of the IP prefix list.
seq sequence-num Changes the sequence number of the IP prefix-list rule. The sequence
number can be 1-4294967295.
deny | permit Action to take for IP addresses that match the prefix list.
any | ipaddr /mask-length IP address and number of mask bits, from left to right, on which to match. If
you omit the ge and le options (described below), the mask-length is also
the subnet mask on which to match.
ge prefix-length Specifies a range of prefix lengths on which to match. Any prefix length
equal to or greater than the one specified will match. For example, ge 25
will match on any of the following mask lengths: /25, /26, /27, /28, /29, /30,
/31, or /32.
le prefix-length Specifies a range of prefix lengths on which to match. Any prefix length
less than or equal to the one specified will match. The lowest prefix length
in the range is the prefix specified with the IP address. For example,
192.168.1.0/24 le 28 will match on any of the following mask lengths:
/24, /25, /26, /27, or /28.
Default N/A
Usage You can use IP prefix lists to provide input to the OSPFv2 command “area area-id filter-list” on
page 255.
Matching begins with the lowest numbered IP prefix-list rule and continues until the first
match is found. The action in the first matching rule is applied to the IP address. For example,
if the IP prefix list contains the following two rules, rule 5 is used for IP address 192.168.1.9,
even though the address also matches rule 10.
The ge prefix-length and le prefix-length options enable you to specify a range of mask
lengths on which to match. If you do not use either option, the mask-length in the address
(/24 in the example above) specifies both the following:
If you use one or both of the ge or le options, the mask-length specifies only the number of
bits to match. The ge or le option specifies the mask length(s) on which to match.
The following rule matches on any address whose first octet is 10 and whose mask-length is
8:
IP address 10.10.10.10/8 would match this rule but 10.10.10.10/24 would not.
The following rule uses the le option to extend the range of mask lengths that match:
This rule matches on any address that has 10 in the first octet, and whose mask length is 24
bits or less. IP addresses 10.10.10.10/8 and 10.10.10.10/24 would both match this rule.
The following rule permits any address from any network that has a mask 16-24 bits long.
The IP prefix list has an implied deny any rule at the end. This rule is not visible and can not
be changed or deleted. If an IP address does not match any of the rules in the IP prefix list,
the ACOS device uses the implied deny any rule to deny the address.
Sequence Numbering
As described above, the sequence of rules in the IP prefix list can affect whether a given
address matches a permit rule or a deny rule.
When you configure the first IP prefix-list rule, the ACOS device assigns sequence number 5
to the rule by default. After that, the sequence number for each new rule is incremented by
5. If you explicitly set the sequence number of a rule, subsequent rules are still sequenced in
increasing increments of 5. For example, if you set the sequence number of the first rule to 7,
the next rule is 12 by default.
You can explicitly set the sequence number of a rule when you configure the rule. You also
can change the sequence number of a rule that is already configured.
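The matching and sequence-numbering rules described above, modelled as an added Python example (not ACOS code). The rule sets are constructed to mirror the cases in the text; numbering a new rule as the highest existing sequence number plus 5 and rejecting a duplicate number are assumptions, and the class and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    seq: int
    action: str                       # "permit" or "deny"
    prefix: ipaddress.IPv4Network     # the "ipaddr /mask-length" part of the rule
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_range(self) -> Tuple[int, int]:
        """Mask lengths the rule accepts."""
        base = self.prefix.prefixlen
        if self.ge is None and self.le is None:
            return base, base         # no ge/le: mask length must match exactly
        low = base if self.ge is None else self.ge    # le alone starts at mask-length
        high = 32 if self.le is None else self.le     # ge alone runs up to /32
        return low, high

    def matches(self, candidate: ipaddress.IPv4Interface) -> bool:
        low, high = self.length_range()
        # The leading mask-length bits must equal the rule's prefix bits, and
        # the candidate's own mask length must fall inside the accepted range.
        return (candidate.ip in self.prefix
                and low <= candidate.network.prefixlen <= high)


@dataclass
class PrefixList:
    rules: List[Rule] = field(default_factory=list)

    def add(self, action: str, prefix: str, ge: Optional[int] = None,
            le: Optional[int] = None, seq: Optional[int] = None) -> int:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if seq is None:
            # Assumption: next number = highest existing number + 5.
            seq = max((r.seq for r in self.rules), default=0) + 5
        if not 1 <= seq <= 4294967295:
            raise ValueError("sequence number out of range")
        if any(r.seq == seq for r in self.rules):
            raise ValueError("sequence number already in use")  # assumption
        rule = Rule(seq, action, ipaddress.IPv4Network(prefix, strict=False), ge, le)
        low, high = rule.length_range()
        if not 0 <= low <= high <= 32:
            raise ValueError("empty or invalid mask-length range")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)
        return seq

    def evaluate(self, candidate: str) -> Tuple[str, Optional[int]]:
        """Return (action, matching sequence number); None means implied deny."""
        iface = ipaddress.IPv4Interface(candidate)
        for rule in self.rules:           # lowest sequence number first
            if rule.matches(iface):
                return rule.action, rule.seq
        return "deny", None               # implied "deny any" at the end


def page_cases() -> Dict[str, Tuple[str, Optional[int]]]:
    """Constructed rule sets that reproduce the cases discussed in the text."""
    first = PrefixList()
    first.add("permit", "192.168.1.0/24", le=32)   # becomes rule 5
    first.add("deny", "192.168.0.0/16", le=32)     # becomes rule 10
    exact = PrefixList()
    exact.add("permit", "10.0.0.0/8")
    upto24 = PrefixList()
    upto24.add("permit", "10.0.0.0/8", le=24)
    anynet = PrefixList()
    anynet.add("permit", "0.0.0.0/0", ge=16, le=24)
    return {
        "first match": first.evaluate("192.168.1.9"),
        "exact /8": exact.evaluate("10.10.10.10/8"),
        "exact /24": exact.evaluate("10.10.10.10/24"),
        "le 24, /8": upto24.evaluate("10.10.10.10/8"),
        "le 24, /24": upto24.evaluate("10.10.10.10/24"),
        "le 24, /25": upto24.evaluate("10.10.10.10/25"),
        "any 16-24, /20": anynet.evaluate("172.16.5.0/20"),
        "any 16-24, /28": anynet.evaluate("172.16.5.0/28"),
    }


if __name__ == "__main__":
    for name, result in page_cases().items():
        print(f"{name:16} {result}")
```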
Example The following commands add descriptions to some IP prefix-list rules and display the results:
ip reroute
Description Enter the ip reroute mode to suppress the reroute for a particular protocol.
Usage When routes are added, use of this command specifies not to trigger a route table version
change update for the protocol that will be configured in ip reroute mode. See
suppress-protocols for further information.
ACOS(config)# ip reroute
ACOS(config-reroute)#
ip route
Description Configure a static IP route.
[description string]
}
Parameter Description
destination-ipaddr {subnet-mask | /mask-length} Specifies the destination of the route. To
configure a default route, specify 0.0.0.0/0.
next-hop-ipaddr Specifies the next-hop router to use to reach the route destination. The
address must be in the same subnet as the ACOS device.
distance Distance value for the route, 1-255. Note that the distance value has no
significance for management routes and will be displayed as zero.
partition partition-name [vrid vrid] Forwards the traffic to the specified L3V partition as
the next hop. The vrid option specifies the VRRP-A VRID, if applicable.
description string Description of the static route.
Usage If a destination can be reached by an explicit route (a route that is not a default route), then
the explicit route is used. If an explicit route is not available to reach a given destination, the
default route is used (if a default route is configured).
If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.
Example The following command configures a default route using gateway 10.10.10.1 and the default
metric:
Parameter Description
seconds Number of seconds allowed for a TCP handshake to be completed.
If the handshake is not completed within the allowed
time, the ACOS device drops the session. You can specify 1-100
seconds.
Default 4 seconds
Usage The TCP handshake threshold is applicable only when software-based SYN cookies are
active. To enable support for software-based SYN cookies, use the syn-cookie enable
command at the virtual port level. (See the “syn-cookie” command in the Command Line
Interface Reference for more information.)
Example The following command changes the TCP handshake threshold to 15 seconds:
ip-list
Description Configure an IP list.
Default None
ipv4-in-ipv6 frag
Description Configure IPv4-in-IPv6 fragmentation parameters.
Default None
To access this configuration level, enter the ip reroute command at the Global configuration level. For
example:
ACOS(config)# ip reroute
ACOS(config-reroute)#
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are
described in the Command Line Interface Reference.
• suppress-protocols
suppress-protocols
Description Suppress the reroute trigger for a particular protocol.
Parameter Description
protocol • connected - Physically connected
• ebgp - External Border Gateway Protocol
• ibgp - Internal Border Gateway Protocol
• isis - Intermediate System to Intermediate System protocol
• ospf - Open Shortest Path First protocol
• rip - Routing Information Protocol
• static - Static route
Usage Specify the protocol for suppressing route table version change updates.
Example The following command enters ip reroute mode and then suppresses route table updates
for static routes:
ACOS(config)# ip reroute
ACOS(config-reroute)# suppress-protocols static
ACOS(config-reroute-suppress-protocols)# end
ACOS# config
ACOS(config)# ip route 3.3.3.0 /24 4.4.4.3
• ipv6 access-list
• ipv6 address
• ipv6 default-gateway
• ipv6 neighbor
• ipv6 route
• ipv6 route
• ipv6-in-ipv4 frag
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are
described in the Command Line Interface Reference.
ipv6 access-list
Description Configure an extended IPv6 ACL.
This command changes the CLI to the configuration level for the ACL, where the following
ACL-related commands are available.
[log]
[log]
Parameter Description
seq-num Sequence number of this rule in the ACL. You can use this option
to resequence the rules in the ACL.
deny | permit Action to take for traffic that matches the ACL:
any | host host-src-ipv6addr | net-src-ipv6addr /prefix-length | object-group name
Source IP address(es) to filter.
• any – The ACL matches on all source IP addresses.
• host host-src-ipv6addr – The ACL matches only on the specified host IPv6 address.
• net-src-ipv6addr /prefix-length – The ACL matches on any host in the specified subnet.
• object-group name – The ACL matches on the object group.
eq src-port | gt src-port | lt src-port | range start-src-port end-src-port
For tcp or udp, the source protocol ports to filter.
• eq src-port – The ACL matches on traffic from the specified source port.
• gt src-port – The ACL matches on traffic from any source port with a higher number than the specified port.
• lt src-port – The ACL matches on traffic from any source port with a lower number than the specified port.
• range start-src-port end-src-port – The ACL matches on traffic from any source port within the specified range.
any | host host-dst-ipv6addr | net-dst-ipv6addr /mask-length | object-group name
Destination IP address(es) to filter.
eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port
For tcp or udp, the destination protocol ports to filter.
• eq dst-port – The ACL matches on traffic from the specified destination port.
• gt dst-port – The ACL matches on traffic from any destination port with a higher number than the specified port.
• lt dst-port – The ACL matches on traffic from any destination port with a lower number than the specified port.
• range start-dst-port end-dst-port – The ACL matches on traffic from any destination port within the specified range.
fragments Matches on packets in which the More bit in the header is set (1) or has a non-zero offset.
vlan vlan-id Matches on the specified VLAN. VLAN matching occurs for incoming traffic only.
dscp num Matches on the 6-bit Diffserv value in the IP header, 1-63.
established Matches on TCP packets in which the ACK or RST bit is not set. This option is useful for protecting against attacks from outside. Since a TCP connection from the outside does not have the ACK bit set (SYN only), the connection is dropped. Similarly, a connection established from the inside always has the ACK bit set. (The first packet to the network from outside is a SYN/ACK.)
log Configures the ACOS device to generate log messages when traffic matches the ACL.
The remark command adds a remark to the ACL. The remark appears at the top of the ACL
when you display it in the CLI. The string can be 1-63 characters. To use blank spaces in the
remark, enclose the entire remark string in double quotes.
Default None
ipv6 address
Description Configure the global IPv6 address of the ACOS device, when the device is deployed in transparent mode (Layer 2 mode).
Parameter Description
ipv6-addr Valid unicast IPv6 address.
prefix-length Prefix length, up to 128.
link-local Configures the address as the link-local IPv6 address for the interface, instead of a
global address. Without this option, the address is a global address.
anycast Configures the address as an anycast address. An anycast address can be assigned to
more than one interface. A packet sent to an anycast address is routed to the “nearest”
interface with that address, based on the distance in the routing protocol.
Default N/A
Usage This command applies only when the ACOS device is deployed in transparent mode. To
assign IPv6 addresses to individual interfaces instead (gateway mode), use the ipv6
address command at the interface configuration level. (See “ipv6 address” on page 130.)
If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.
ipv6 default-gateway
Description Specify the default gateway to use to reach other IPv6 networks, when the ACOS device is
used in transparent mode (Layer 2 mode).
Default N/A
Usage This command applies only when the ACOS device is used in transparent mode. If you
instead want to use the device in gateway mode (Layer 3 mode), configure routing.
If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.
Replace ms with the number of milliseconds (ms) the ACOS device buffers fragments for
fragmented IPv6 packets. If any fragments of an IPv6 packet do not arrive within the
specified time, the fragments are discarded and the packet is not re-assembled. You can
specify 4-16000 ms (16 seconds), in 10-ms increments.
Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context command to specify the device in the chassis to which to apply this command.
Parameter Description
redirect Disables sending of ICMPv6 Redirect messages.
unreachable Disables sending of ICMPv6 Destination Unreachable messages.
Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context command to specify the device in the chassis to which to apply this command.
Example The following command disables sending of IPv6 ICMP Destination Unreachable messages:
Default Disabled.
Syntax [no] ipv6 nat inside source list list-name pool pool-name
Parameter Description
list-name Name of the source list.
pool-name Name of the address pool.
Default N/A
Parameter Description
pool-name Name of the address pool.
start-ipaddr Beginning (lowest) IP address in the range.
end-ipaddr Ending (highest) IP address in the range.
netmask mask-length Network mask for the IP addresses in the pool, 64-128.
gateway ipv6-addr Next-hop gateway address.
ip-rr Uses pool IP addresses in round robin fashion. Without this
option, IP address selection from a NAT pool depends on the
incoming tuple and the usage of the NAT pool.
vrid num VRRP-A VRID.
Default None.
Example The following command configures an IPv6 address pool named “ipv6pool2”:
Parameter Description
pool-group-name Name of the pool group.
vrid num VRRP-A VRID.
This command changes the CLI to the configuration level for the specified pool group,
where the following command is available:
member pool-name
Default None.
Usage To use a non-contiguous range of addresses, configure a separate pool for each contiguous
portion of the range, then configure a pool group that contains the pools.
The addresses within an individual pool still must be contiguous, but you can have gaps
between the ending address in one pool and the starting address in another pool. You also
can use pools that are in different subnets.
For SLB, a pool group can contain up to 5 pools. Pool group members must belong to the
same protocol family (IPv4 or IPv6). A pool can be a member of multiple pool groups.
If a pool group contains pools in different subnets, the ACOS device selects the pool that
matches the outbound subnet. For example, if there are two routes to a given destination,
in different subnets, and the pool group has a pool for one of those subnets, ACOS selects
the pool that is in the subnet for the outbound route.
The ACOS device selects the pool whose addresses are in the same subnet as the next-hop
interface used by the data route table to reach the server.
ipv6 neighbor
Description Configure a static IPv6 neighbor.
Parameter Description
ipv6-addr IPv6 unicast address of the neighbor.
macaddr MAC address of the IPv6 neighbor.
ethernet port-num Ethernet interface connected to the neighbor.
trunk trunkID Trunk interface connected to the neighbor.
tunnel tunnel-num Tunnel interface connected to the neighbor. You can specify 1-128.
vlan-id VLAN for which to add the IPv6 neighbor entry. If you do not specify the VLAN, the
entry is added for all VLANs.
Default N/A
Usage The neighbor must be directly connected to the ACOS device’s Ethernet port you specify, or
connected through a Layer 2 switch.
If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.
Example The following command configures IPv6 neighbor 2001:db8::1111:2222 with MAC address
abab.cdcd.efef, connected to the ACOS device’s Ethernet port 5:
Default By default, this option is disabled. Routes are displayed on multiple lines.
Parameter Description
list-name Name of the IP prefix list. The name can not contain blanks.
description string Description of the IP prefix list.
seq sequence-num Changes the sequence number of the IP prefix-list rule. The sequence number can be 1-4294967295.
deny | permit Action to take for IP addresses that match the prefix list.
any | ipv6addr/prefix-length IP address and number of mask bits, from left to right, on which to match. If you omit the ge and le options (described below), the mask-length is also the subnet mask on which to match.
ge prefix-length Specifies a range of prefix lengths on which to match. Any prefix length equal to or greater than the one specified will match. For example, ge 25 will match on any of the following mask lengths: /25, /26, /27, /28, /29, /30, /31, or /32.
le prefix-length Specifies a range of prefix lengths on which to match. Any prefix length less than or equal to the one specified will match. The lowest prefix length in the range is the prefix specified with the IP address. For example, 192.168.1.0/24 le 28 will match on any of the following mask lengths: /24, /25, /26, /27, or /28.
Default N/A
Usage You can use IP prefix lists to provide input to the OSPFv2 command “area area-id filter-list” on
page 255.
The rules for matching and sequence numbering are the same as those for IPv4 prefix lists.
(See “ip prefix-list” on page 186.)
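The ge and le matching described above, modelled in Python as an added example (not A10 code and not ACOS output). The rule and route values are constructed, the `any` keyword is not modelled, and two behaviours are assumptions because this section defers them to the IPv4 prefix-list description: rules are evaluated in sequence-number order with the first match winning, and a route that matches no rule is denied.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PrefixRule:
    """One prefix-list rule: seq, action, address/prefix-length, optional ge/le."""
    seq: int                    # lower sequence numbers are evaluated first (assumption)
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "2001:db8::/32" (constructed value)
    ge: Optional[int] = None    # minimum prefix length that matches
    le: Optional[int] = None    # maximum prefix length that matches

    def matches(self, route: str) -> bool:
        base = ipaddress.ip_network(self.prefix)
        cand = ipaddress.ip_network(route)
        # The leading bits of the route must equal the rule's address bits.
        if cand.version != base.version or not cand.subnet_of(base):
            return False
        # Without ge/le, the rule's prefix length is the only length that matches.
        if self.ge is None and self.le is None:
            return cand.prefixlen == base.prefixlen
        # ge alone: from ge up to the maximum length of the address family.
        # le alone: from the rule's own prefix length up to le.
        low = self.ge if self.ge is not None else base.prefixlen
        high = self.le if self.le is not None else cand.max_prefixlen
        return low <= cand.prefixlen <= high


def evaluate(rules: List[PrefixRule], route: str) -> str:
    """Return the action of the first matching rule, or "deny" if none matches."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(route):
            return rule.action
    return "deny"  # assumption: unmatched routes are denied


# Constructed IPv6 list: drop one /48 and everything inside it, then accept
# only /48 to /64 routes from the rest of 2001:db8::/32.
IPV6_LIST = [
    PrefixRule(5, "deny", "2001:db8:ffff::/48", le=128),
    PrefixRule(10, "permit", "2001:db8::/32", ge=48, le=64),
]

# The text's own le example: 192.168.1.0/24 le 28 matches /24 through /28.
IPV4_LIST = [PrefixRule(10, "permit", "192.168.1.0/24", le=28)]

if __name__ == "__main__":
    for r in ("2001:db8:1::/48", "2001:db8::/32",
              "2001:db8:ffff:1::/64", "2001:db8:1:2::/80"):
        print(f"{r:24} -> {evaluate(IPV6_LIST, r)}")
    for r in ("192.168.1.0/24", "192.168.1.16/28", "192.168.1.16/29"):
        print(f"{r:24} -> {evaluate(IPV4_LIST, r)}")
```

A route that is too specific for the le bound (the /80 and the /29 above) is denied, which is what keeps overly long prefixes out when the list is used as a route filter.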
ipv6 reroute
Description Enter the ipv6 reroute mode to suppress the reroute for a particular protocol.
Usage When routes are added, use of this command specifies not to trigger a route table version change update for the protocol that will be configured in ip reroute mode. See suppress-protocols for further information.
ACOS(config-reroute)#
ipv6 route
Description Configure a static IPv6 route.
[no] ipv6 route static bfd [ethernet num | trunk num | ve num]
ipv6addr next-hop-ipv6addr
Parameter Description
ipv6addr IPv6 unicast address of the route destination.
prefix-length Prefix length, 1-128.
next-hop-ipv6addr IPv6 unicast address of the next-hop gateway to the destination.
distance Distance value for the route, 1-255.
string Description of the static route.
Default N/A
Usage The ethernet, trunk, and ve options are available only if the ipv6addr is a link-local
address. Otherwise, the options are not displayed in the online help and are not supported.
• If you use an individual Ethernet port, the port can not be a member of a trunk or a VE.
If you use a trunk, the trunk can not be a member of a VE.
• After you configure the static route, you can not change the interface’s membership in
trunks or VEs. For example, if you configure a static route that uses Ethernet port 6’s link-
local address as the next hop, it is not supported to later add the interface to a trunk or
VE. The static route must be removed first.
If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.
Example The following command configures a static IPv6 route to destination 2001:db8::3333:3333/32, through gateway 2001:db8::3333:4444:
Example The following command configures an IPv6 static route that uses Ethernet port 6’s link-local
address as the next hop:
ipv6-in-ipv4 frag
Description Configure IPv6-in-IPv4 fragmentation parameters.
Default None
To access this configuration level, enter the ipv6 reroute command at the Global configuration level.
For example:
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are
described in the Command Line Interface Reference.
• suppress-protocols
suppress-protocols
Description Suppress the reroute trigger for a particular protocol.
Parameter Description
protocol • connected - Physically connected
• ebgp - External Border Gateway Protocol
• ibgp - Internal Border Gateway Protocol
• isis - Intermediate System to Intermediate System protocol
• ospf - Open Shortest Path First protocol
• rip - Routing Information Protocol
• static - Static route
Usage Specify the protocol for suppressing route table version change updates.
Example The following command enters ipv6 reroute mode and then suppresses route table updates
for static routes:
This chapter describes the syntax for the Routing Information Protocol (RIP) commands. The commands are described in the following sections:
• Enabling RIP
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are
described in the Command Line Interface Reference.
Enabling RIP
You can enable RIP for IPv4 and RIP for IPv6. Each version runs independently of the other. The ACOS
device supports a single IPv4 RIP process and a single IPv6 RIP process.
NOTE: Optionally you also can enable RIPv1. RIPv1 and RIPv2 can be enabled
separately for inbound and outbound RIP traffic.
1. Use the router rip global configuration command to enable RIP and access the configuration
level for global IPv4 RIP parameters:
ACOS(config)# router rip
ACOS(config-rip)#
2. From RIP routing configuration mode, use the network command to enable individual networks or
interfaces. For example:
ACOS(config-rip)# network 192.168.10.10/24
This is the minimum required configuration. Additional configuration may be required depending on
your deployment.
1. Use the router ipv6 rip global configuration command to enable RIP and access the configuration level for global IPv4 RIP parameters:
ACOS(config)# router ipv6 rip
ACOS(config-rip)#
This is the minimum required configuration. Additional configuration may be required depending on
your deployment.
The commands in this section apply globally to the IPv4 RIP process.
IPv4 RIP Configuration Commands
To access the configuration level for an IPv4 RIP process, use the router rip command at the global
configuration level of the CLI.
In addition to global parameters, RIP has parameters on the individual interface level. To configure RIP
on an interface, use the interface command to access the configuration level for the interface, then use
the ip rip command. (See “Config Commands: Interface” on page 105.)
cisco-metric-behavior
Description Enable Cisco-compatible metric behavior. This option affects the display of metric values in
the RIP routing table.
Parameter Description
enable The metric values displayed for routes in the RIP routing table
are the values before modification by this RIP router (the ACOS
device).
disable The metric values displayed for routes in the RIP routing table
are the values after modification by this RIP router (the ACOS
device).
Default disable
Default Disabled
default-metric
Description Configure the default metric value for routes that are redistributed into IPv4 RIP.
Default 1
distance
Description Set the administrative distance for IPv4 RIP routes.
Parameter Description
num Administrative distance, 1-255.
ipaddr/mask-length Network prefix and mask length. The specified distance
is applied only to routes with a matching source
address.
acl-id ACL ID. The specified distance is applied only to routes
that match the source IP address in the ACL.
NOTE: In the ACL, use the permit action, not the deny action.
Usage The administrative distance specifies the trustworthiness of routes. In cases where there are
multiple routes to the same destination, from different routing protocols, the administrative
distance can be used as a tie-breaker.
A low administrative distance value indicates a high level of trust. Likewise, a high
administrative distance value indicates a low level of trust. For example, setting the
administrative distance value for external routes to 255 means those routes are very
untrustworthy and should not be used.
distribute-list
Description Configure filtering of route updates.
Parameter Description
acl-id | ACL or prefix list that specifies the routes to filter. The
prefix list-name action you use in the ACL or prefix list determines whether
matching routes are allowed:
The ACOS device can have one global inbound distribute list and one global outbound
distribute list. Likewise, each interface can have one inbound distribute list and one
outbound distribute list.
For inbound updates, if the interface on which the update is received has a distribute list,
that distribute list is checked before the global distribute list. Likewise, for outbound updates,
the distribute list on the outbound interface is checked before the global distribute list. The
action (permit or deny) in the first distribute list that matches is used.
Every ACL has an implicit “deny any” rule at the end. Traffic that does not match any of the
explicitly configured rules in an ACL will match the implicit deny rule.
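The evaluation order above, modelled in Python as an added example (not A10 code). It reads the text literally: an interface distribute list, when present, is checked first, and because every ACL ends in an implicit “deny any”, that list always produces the decision. The interface labels and ACL contents are constructed, ACL matching is simplified to "route falls inside the rule's network", and permitting everything when no list is configured is an assumption.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str]  # (action, network), evaluated top to bottom


def acl_action(acl: List[Rule], route: str) -> str:
    """Action of the first rule covering the route, else the implicit deny."""
    net = ipaddress.ip_network(route)
    for action, pattern in acl:
        pat = ipaddress.ip_network(pattern)
        if net.version == pat.version and net.subnet_of(pat):
            return action
    return "deny"  # implicit "deny any" at the end of every ACL


def filter_update(route: str,
                  interface: str,
                  interface_lists: Dict[str, List[Rule]],
                  global_list: Optional[List[Rule]]) -> Tuple[str, str]:
    """Return (action, which list decided) for one route in one direction."""
    acl = interface_lists.get(interface)
    if acl is not None:
        # The interface list is checked before the global list. Its implicit
        # deny counts as a match, so the global list is not consulted.
        return acl_action(acl, route), f"interface {interface}"
    if global_list is not None:
        return acl_action(global_list, route), "global"
    return "permit", "no distribute list"  # assumption: no list, no filtering


# Constructed configuration for the scenario in the text: accept inbound RIP
# routes only for 30.30.30.0/24, and only when received on Ethernet interface 4.
INTERFACE_LISTS = {"ethernet 4": [("permit", "30.30.30.0/24")]}
GLOBAL_LIST = [("deny", "0.0.0.0/0")]

if __name__ == "__main__":
    updates = [
        ("30.30.30.0/24", "ethernet 4"),   # wanted route on the wanted interface
        ("10.1.0.0/16", "ethernet 4"),     # other route, same interface
        ("30.30.30.0/24", "ethernet 5"),   # wanted route, wrong interface
    ]
    for route, ifname in updates:
        action, source = filter_update(route, ifname, INTERFACE_LISTS, GLOBAL_LIST)
        print(f"{route:16} via {ifname:10} -> {action:6} ({source})")
```

Under this reading, a permit in the global list does not rescue a route that the interface list fails to permit, so verify on the device which list decided before relying on a global permit.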
Example The following commands allow incoming RIP routes only for network 30.30.30.0/24, and only
when received through Ethernet interface 4:
Example The following commands allow advertisement of RIP routes only for network 10.0.0.0/8, and
only when advertised through VE interface 45:
maximum-prefix
Description Specify the maximum number of routes allowed in the IPv4 RIP route table.
Parameter Description
num Maximum number of RIP routes allowed. You can specify 1-2048.
threshold Percentage of the maximum number of routes at which a warning
is generated. You can specify 1-100. The warnings appear in the
routing log.
neighbor
Description Specify a neighboring IPv4 RIP router.
Replace ipaddr with the IP address of the neighboring IPv4 RIP router.
Default None
Usage Enter the command separately for each IPv4 RIP neighbor.
network
Description Enable IPv4 RIP on a network.
Parameter Description
ipaddr/mask-length Prefix and mask length of an IPv4 RIP network.
interface Interface on which to enable RIP. You can specify the
following types of interfaces:
Default None
offset-list
Description Increase the metric for specific routes.
Parameter Description
acl-id ACL that matches on the routes for which to increase the metric.
in | out Direction to which to apply the metric:
Default Not set. The metric that is otherwise applied to the route by the RIP process is used.
passive-interface
Description Block RIP broadcasts from being sent on an interface.
Replace interface with the interface on which to block RIP broadcasts. You can specify the
following types of interfaces:
recv-buffer-size
Description Configure the receive buffer size for RIP UDP packets.
Replace bytes with the maximum RIP UDP packet size allowed. You can specify 8192-2147483647 bytes.
Default 8192
redistribute
Description Redistribute route information from other sources into RIP.
Parameter Description
bgp [options] Redistributes route information from Border Gateway Protocol (BGP) into RIP.
For options, see the end of this parameter list.
connected [options] Redistributes route information for directly connected networks into RIP. For
options, see the end of this parameter list.
floating-ip [options] Redistributes route information for floating IP addresses into RIP. For options, see
the end of this parameter list.
ip-nat-list [options] Redistributes routes into RIP for reaching translated NAT addresses allocated
from a range list. For options, see the end of this parameter list.
ip-nat [options] Redistributes routes into RIP for reaching translated NAT addresses allocated
from a pool. For options, see the end of this parameter list.
isis [options] Redistributes route information from Intermediate System to Intermediate System (IS-IS) into RIP. For options, see the end of this parameter list.
lw406 [options] Redistributes routes into OSPF for Lightweight 4over6. (This is an IPv6 Migration
feature.)
ospf [options] Redistributes route information from Open Shortest Path First (OSPF) into RIP.
For options, see the end of this parameter list.
static [options] Redistributes routes into RIP for reaching networks through static routes. For options, see the end of this parameter list.
vip [only-flagged | only-not-flagged [options]]
Redistributes routes into RIP for reaching virtual server IP addresses.
To control which VIPs are redistributed, use one of the following options:
• only-flagged – Redistributes only the VIPs on which the redistribution-flagged command is used.
• only-not-flagged – Redistributes all VIPs except those on which the redistribution-flagged command is used.
For more information, see the “Usage” information for this command.
Default Disabled. By default, RIP routes are not redistributed. For other defaults, see above.
Usage When you enable redistribution, routes to all addresses of the specified type are redistributed. The vip option can be used to control which routes to VIPs are redistributed into RIP.
VIP Redistribution
You can exclude redistribution of individual VIPs using one or the other of the following
methods.
• If you have 10 VIPs and all of them need to be redistributed by RIP, use the redistribute vip command at the configuration level for the RIP process.
• If you have 10 VIPs but only 2 of them need to be redistributed, use the redistribution-flagged command at the configuration level for each of the 2 VIPs, then use the redistribute vip only-flagged command at the configuration level for the RIP process.
• If you have 10 VIPs and need to redistribute 8 of them, use the redistribution-flagged command at the configuration level for the 2 VIPs that should not be redistributed. Enter the redistribute vip only-not-flagged command at the configuration level for the RIP process. (In this case, alternatively, you could enter redistribute vip instead of redistribute vip only-not-flagged.)
Example The following commands redistribute floating IP addresses and VIP addresses into RIP:
Example The following commands flag a VIP, then configure RIP to redistribute only that flagged VIP.
The other (unflagged) VIPs will not be redistributed.
route
Description Configure static RIP routes.
Default None
timers
Description Configure RIP timers.
Parameter Description
update Amount of time between transmission of RIP route updates to
neighbors. You can specify 5-2147483647 seconds.
Usage All RIP routers in the network should use the same timer values. However, the timers should
not be synchronized among multiple routers, since this can cause unnecessary collisions.
version
Description Specify the RIP version to run.
Parameter Description
1 RIP version 1.
2 RIP version 2.
Default 2
Usage The version you specify runs on all RIP interfaces on the ACOS device.
CAUTION: RIPv1 is less secure than RIPv2. It is recommended to run RIPv2 if your other routers
support it.
IPv6 RIP Configuration Commands
The commands in this section apply globally to the IPv6 RIP process.
To access the configuration level for an IPv6 RIP process, use the router ipv6 rip command at the
global configuration level of the CLI:
In addition to global parameters, RIP has parameters on the individual interface level. To configure RIP
on an interface, use the interface command to access the configuration level for the interface, then
use the ip rip or ipv6 rip command. (See “Config Commands: Interface” on page 105.)
aggregate-address
Description Configure an aggregate of multiple IPv6 RIP routes.
Replace ipv6addr/mask-length with the IPv6 address and prefix length of the aggregate. The
aggregate route will be used instead of the individual routes to destinations that match the
aggregate’s address and prefix.
Default None
cisco-metric-behavior
Description Enable Cisco-compatible metric behavior. This option affects the display of metric values in
the RIP routing table.
Parameter Description
enable The metric values displayed for routes in the RIP routing table
are the values before modification by this RIP router (the ACOS
device).
disable The metric values displayed for routes in the RIP routing table
are the values after modification by this RIP router (the ACOS
device).
Default disable
default-information originate
Description Enable generation of a default route into RIP.
Default Disabled
default-metric
Description Configure the default metric value for routes that are redistributed into IPv6 RIP.
Default 1
distribute-list
Description Configure filtering of route updates.
Parameter Description
acl-id | ACL or prefix list that specifies the routes to filter. The
prefix list-name action you use in the ACL or prefix list determines whether
matching routes are allowed:
The ACOS device can have one global inbound distribute list and one global outbound
distribute list. Likewise, each interface can have one inbound distribute list and one
outbound distribute list.
For inbound updates, if the interface on which the update is received has a distribute list,
that distribute list is checked before the global distribute list. Likewise, for outbound updates,
the distribute list on the outbound interface is checked before the global distribute list. The
action (permit or deny) in the first distribute list that matches is used.
Every ACL has an implicit “deny any” rule at the end. Traffic that does not match any of the
explicitly configured rules in an ACL will match the implicit deny rule.
neighbor
Description Specify a neighboring IPv6 RIP router.
Parameter Description
ipv6addr Link-local IPv6 address of the neighboring IPv6 RIP router.
interface Interface on which the neighbor can be reached. You can specify the following types of interfaces:
Default None
Usage Enter the command separately for each IPv4 RIP neighbor.
offset-list
Description Increase the metric for specific routes.
Parameter Description
acl-id ACL that matches on the routes for which to increase the metric.
in | out Direction to which to apply the metric:
Default Not set. The metric that is otherwise applied to the route by the RIP process is used.
passive-interface
Description Block RIP broadcasts from being sent on an interface.
Replace interface with the interface on which to block RIP broadcasts. You can specify the
following types of interfaces:
recv-buffer-size
Description Configure the receive buffer size for RIP UDP packets.
Replace bytes with the maximum RIP UDP packet size allowed. You can specify 8192-2147483647 bytes.
Default 8192
redistribute
Description Redistribute route information from other sources into RIP.
Parameter Description
bgp [options] Redistributes route information from Border Gateway Protocol (BGP) into RIP. For options, see the end of this parameter list.
connected [options] Redistributes route information for directly connected networks into RIP. For options, see the end of this parameter list.
floating-ip [options] Redistributes route information for floating IP addresses into RIP. For options, see the end of this parameter list.
ip-nat [options] Redistributes routes into RIP for reaching translated NAT addresses allocated from a pool. For options, see the end of this parameter list.
ip-nat-list [options] Redistributes routes into RIP for reaching translated NAT addresses allocated from a range list. For options, see the end of this parameter list.
isis [options] Redistributes route information from Intermediate System to Intermediate System (IS-IS) into RIP. For options, see the end of this parameter list.
ospf [options] For options, see the end of this parameter list.
static [options] Redistributes routes into RIP for reaching networks through static routes. For options, see the end of this parameter list.
vip [only-flagged | only-not-flagged | [options]] Redistributes routes into RIP for reaching virtual server IP addresses.
To control which VIPs are redistributed, use one of the following options:
• only-flagged – Redistributes only the VIPs on which the redistribution-flagged command is used.
• only-not-flagged – Redistributes all VIPs except those on which the redistribution-flagged command is used.
Default Disabled. By default, RIP routes are not redistributed. For other defaults, see above.
Usage When you enable redistribution, routes to all addresses of the specified type are redistributed.
The vip option can be used to control which routes to VIPs are redistributed into RIP.
VIP Redistribution
You can exclude redistribution of individual VIPs using one or the other of the following
methods.
• If you have 10 VIPs and all of them need to be redistributed by RIP, use the redistribute vip
command at the configuration level for the RIP process.
• If you have 10 VIPs but only 2 of them need to be redistributed, use the redistribution-flagged
command at the configuration level for each of the 2 VIPs, then use the redistribute vip only-flagged
command at the configuration level for the RIP process.
• If you have 10 VIPs and need to redistribute 8 of them, use the redistribution-flagged
command at the configuration level for the 2 VIPs that should not be redistributed. Enter the
redistribute vip only-not-flagged command at the configuration level for the RIP process.
(In this case, alternatively, you could enter redistribute vip instead of
redistribute vip only-not-flagged.)
route
Description Configure static RIP routes.
Default None
route-map
Description Configure a list of interfaces to use as input to other RIP commands.
Parameter Description
map-name Name of the route map.
in | out Direction to which the map applies:
Default None
timers
Description Configure RIP timers.
Parameter Description
update Amount of time between transmission of RIP route
updates to neighbors. You can specify 5-2147483647
seconds.
Usage All RIP routers in the network should use the same timer values. However, the timers should
not be synchronized among multiple routers, since this can cause unnecessary collisions.
RIP Show Commands
Mode All
Parameter Description
Codes R - RIP
Rc - RIP connected
Rs - RIP static
K - Kernel
C - Connected
S - Static
O - OSPF
I - IS-IS
B - BGP,
v - VIP
V - VIP selected
N - IP NAT group,
n - IP NAT
f - Floating IP
Network Destination network and subnet mask.
Next Hop Next hop IP address.
Metric Cost of the route.
From IP address of the originating router.
If Outgoing interface.
Time Remaining lifetime of the route.
Mode All
Parameter Description
Codes R - RIP
Rc - RIP connected
Rs - RIP static
Ra - RIP aggregated
K - Kernel
C - Connected
S - Static
O - OSPF
I - IS-IS
B - BGP,
v - VIP
V - VIP selected
N - IP NAT group,
n - IP NAT
f - Floating IP
Network Destination network and subnet mask.
Next Hop Next hop IP address.
RIP Clear Commands
Parameter Description
If Outgoing interface.
Metric Cost of the route.
Tag Tag information of the route.
Time Remaining lifetime of the route.
Parameter Description
ipaddr/mask-length Replace ipaddr/mask-length to clear the route to the
specified network.
rip Clears all RIP routes from the table.
Parameter Description
ipv6addr/mask-length Clears the route to the specified network.
rip Clears all RIP routes from the table.
This chapter describes the commands for configuring global OSPFv2 and OSPFv3 parameters.
• Enabling OSPF
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are
described in the Command Line Interface Reference.
Enabling OSPF
To enable OSPF, use one of the following commands at the global configuration level of the CLI. Each
command changes the CLI to the configuration level for the specified OSPFv2 process ID or OSPFv3
process tag.
Enable OSPFv2
The process-id specifies the IPv4 OSPFv2 process to run on the ACOS device, and can be 1-65535.
Enable OSPFv3
The tag specifies the IPv6 OSPFv3 process to run on the IPv6 link, and can be 1-65535.
Configuration Commands Applicable to OSPFv2 or OSPFv3
NOTE: It is recommended to set a fixed router-ID for all dynamic routing protocols
you plan to use on the ACOS device, to prevent router-ID changes
caused by VRRP-A failover.
NOTE: For OSPFv3, the area tag ID configured on an interface must be the same
as the tag ID for the OSPF instance.
In addition to global parameters, OSPF has parameters on the individual interface level. To configure
OSPF on an interface, use the interface command to access the configuration level for the interface,
then use the ip ospf or ipv6 ospf command. (See “Config Commands: Interface” on page 105.)
Show Commands
To display OSPF settings, use the show {ip | ipv6} ospf command.
• bfd
• clear
• default-information originate
• default-metric
• distribute-internal
• ha-standby-extra-cost
• log-adjacency-changes
• max-concurrent-dd
• passive-interface
• redistribute
• router-id
The commands in this section apply throughout the OSPFv2 process or OSPFv3 process in which the
commands are entered.
Parameter Description
area-id Area ID, either an IP address or a number.
num Cost of the default summary route, 0-16777214.
Example The following command assigns a cost of 4400 to default summary routes injected into stub
areas:
Parameter Description
area area-id Beginning area ID (either an IP address or a number).
range Ending area ID.
ipaddr Subnet address for the range.
/mask-length Network mask length for the range.
advertise Generates Type 3 summary LSAs for the areas in the range.
not-advertise Does not generate Type 3 summary LSAs. The networks are
hidden from other networks.
Default There is no default range configuration. When you configure a range, the default
advertisement string is advertise.
Example The following command configures a range and disables advertisement of routes into the
areas:
Parameter Description
area-id Area ID.
no-summary ABRs do not send summary LSAs into the stub area.
Default None
Example The following command configures a stub area with area ID 10.2.4.5:
[retransmit-interval seconds]
[transmit-delay seconds]
Parameter Description
area-id Area ID, either an IP address or a number.
ipaddr IP address of the OSPF neighbor at the other end of the link.
authentication Enables authentication on the link.
authentication-key string [string ...] Specifies a simple text password for authenticating OSPF traffic between this router and the neighbor at the other end of the virtual link. The string is an 8-character authentication password.
dead-interval seconds Number of seconds this OSPF router will wait for a reply to a hello message sent to the neighbor on the other end of the virtual link, before declaring the neighbor to be offline. You can specify 1-65535 seconds.
Default None. When you configure a virtual link, it has the default settings described in the table
above.
Replace mbps with the reference bandwidth, in Mbps. You can specify 1-4294967.
Usage By default, OSPF calculates the OSPF metric for an interface by dividing the reference
bandwidth by the interface bandwidth. This command differentiates high-bandwidth links from
lower-bandwidth links. If multiple links have high bandwidth, specify a larger reference
bandwidth so that the cost of those links is differentiated from the cost of lower-bandwidth
links.
bfd
Description Enable BFD on all interfaces for which OSPF is running.
Default Disabled
clear
Description Clear all or specific OSPF neighbors.
interface-name [neighbor-id]}
}
Parameter Description
process-id Specifies the IPv4 OSPFv2 process to run on the
device, and can be 1-65535.
process-tag Specifies the IPv6 OSPFv3 process to run on the IPv6
link, and can be 1-65535.
neighbor-id Router-id of the OSPF device.
neighbor-ip-address IP address of the interface for the neighboring device.
interface-ip-address IP address of the interface of the device on which the
OSPF neighbor exists.
Default N/A
Usage Using OSPFv2, the CLI enables you to indicate an interface IP Address of the ACOS device.
Using OSPFv3, the CLI enables you to specify the interface name for a specific neighbor.
Example The following command clears a neighbor on a specified interface to a specified router:
Example The following command clears all neighbors on a specified interface to a specific router:
default-information originate
Description Create a default route into the OSPF domain.
Parameter Description
always Configures the ACOS device to automatically declare itself a
default gateway for other OSPF routers, even if the ACOS device
does not have a default route to 0.0.0.0/0.
metric num Metric for the default route, 0-16777214.
metric-type {1 | 2} External link type associated with the default route advertised into the OSPF routing domain:
Default This option is disabled by default. If you enable it, the default metric is 10. The default metric
type is 2.
Usage When default-information originate is configured under OSPF, an external LSA for the default
route is generated if the Routing Information Base has a default route.
Example The following command creates a default route into the OSPF domain with a metric of 20:
default-metric
Description Set the numeric cost that is assigned to OSPF routes by default. The metric (cost) is added to
routes when they are redistributed.
Default 20
ACOS(config-router)#default-metric 6666
distribute-internal
Description Enable redistribution of ACOS-specific resources as internal routes (type-1 LSAs).
Parameter Description
lw4o6 [options] Redistributes LW4o6 routes into OSPF.
nat64 Redistributes NAT64 routes into OSPF.
floating-ip [options] Redistributes routes into OSPF for reaching floating IP addresses.
ip-nat Redistributes routes into OSPF for reaching translated
NAT addresses allocated from a pool.
ip-nat-list Redistributes routes into OSPF for reaching translated
NAT addresses allocated from a range list.
vip Redistributes routes into OSPF for reaching virtual server
IP addresses.
vip-only-flagged Same as the vip option, but applies only to VIPs on which
the redistribution-flagged option is enabled.
Default Disabled. By default, OSPF routes are not redistributed. For other defaults, see above.
Usage Routes that are redistributed into OSPF as external routes are redistributed as type-5 link state
advertisements (LSAs). Routes that are redistributed into OSPF as internal routes are redistributed
as type-1 LSAs.
You can enable either external or internal redistribution for a given ACOS-specific resource
type.
Example The following command enables internal distribution into OSPF area 0, of routes to all VIPs
configured on the ACOS device, and assigns cost 11 to the routes:
Example The following command enables internal distribution into OSPF area 1, of routes to VIPs that
have the redistribution-flagged option, and assigns cost 21 to the routes:
21
Example The following command enables internal distribution into OSPF area 5, of routes to floating
IP addresses, and assigns cost 555 to the routes:
Example The following command displays the OSPF IPv4 route table. The routes configured for
internal distribution are indicated by “internal”.
ha-standby-extra-cost
Description Enable OSPF awareness of VRRP-A.
Parameter Description
cost Extra cost to add to the ACOS device’s OSPF interfaces, if the
VRRP-A status of one or more of the device’s VRIDs is Standby
(1-65535).
If the resulting cost value is more than 65535, the cost is set to
65535.
group-num A specific VRRP-A VRID that will incur the specified cost; if
none are specified, all VRIDs will incur the extra cost.
Default Not set. The OSPF protocol on the ACOS device is not aware of the VRRP-A state (Active or
Standby) of the ACOS device.
Usage Enter the command on each of the ACOS devices in the VRRP-A VRID.
log-adjacency-changes
Description Log changes in adjacency state.
Parameter Description
detail Enable the logging of all changes in adjacency state.
disable Disable logging.
Mode OSPFv3
In detail mode, all state changes will be logged. In disable mode, no state changes are
logged.
max-concurrent-dd
Description Set the maximum number of OSPF neighbors that can be processed concurrently during
database exchange between this OSPF router and its OSPF neighbors.
Replace num with the maximum number of neighbors that can be processed at the same
time during database exchange. You can specify 1-65535.
Usage This command is useful in cases where router performance is being adversely affected by
processing of neighbor adjacencies.
passive-interface
Description Prevent Link-State Advertisements (LSAs) from being sent on an interface.
Example The following command configures a passive interface on the Virtual Ethernet (VE) interface
on VLAN 3:
ACOS(config-router)#passive-interface ve 3
redistribute
Description Enable distribution of routes from other sources into OSPF.
ip-nat [ipaddr/mask-length
floating-IP-forward-address ipaddr] [options] |
ip-nat-list [options] |
isis [options] |
lw4o6 [options] |
ospf [process-id] [options] |
rip [options] |
static [options] |
vip [ipaddr floating-IP-forward-address ipaddr |
{only-flagged | only-not-flagged}] [options]
}
Parameter Description
bgp [options] Redistributes routes into OSPF for reaching BGP. For options,
see the end of this parameter list.
connected [options] Redistributes routes into OSPF for reaching directly connected
networks. For options, see the end of this parameter list.
floating-ip [options] Redistributes routes into OSPF for reaching floating IP
addresses. For options, see the end of this parameter list.
ip-nat [ipaddr/mask-length | floating-IP-forward-address ipaddr] [options] Redistributes routes into OSPF for reaching translated NAT addresses allocated from a pool.
By default, the forward address for all redistributed NAT pool addresses is 0.0.0.0. To set a floating IP address as the forward address, use the ipaddr/mask-length option to specify the NAT pool address. The floating-IP-forward-address ipaddr option specifies the forward address to use when redistributing the route to the NAT pool address.
Parameter Description
static [options] Redistributes routes into OSPF for reaching networks through
static routes. For options, see the end of this parameter list.
vip [ipaddr floating-IP-forward-address ipaddr | {only-flagged | only-not-flagged}] [options] Redistributes routes into OSPF for reaching virtual server IP addresses.
By default, the forward address for all redistributed VIPs is 0.0.0.0. To set a floating IP address as the forward address, use the ipaddr option to specify the VIP address. Use the floating-IP-forward-address option to specify the forward address to use when redistributing the route to the VIP.
For more information, see the “Usage” section for this command.
Default Disabled. By default, OSPF routes are not redistributed. For other defaults, see above.
Usage When you enable redistribution, routes to all addresses of the specified type are redistributed.
You can use the vip option to control which routes to VIPs are redistributed into OSPF.
By default, the ACOS device uses 0.0.0.0 as the forward address in routes that are
redistributed in OSPF type-5 link state advertisements (LSAs). In this case, other OSPF routers
find a route to reach the ACOS device (which is acting as OSPF ASBR), then use the
corresponding next-hop address as the next hop for the destination network. You can
specify a floating IP address to use as the forward address, for individual NAT pools or VIPs.
(See the syntax above.)
VIP Redistribution
You can exclude redistribution of individual VIPs using one or the other of the following
methods.
• If you have 10 VIPs and all of them need to be redistributed by OSPF, use the redistribute vip
command at the configuration level for the OSPF process.
• If you have 10 VIPs but only 2 of them need to be redistributed, use the redistribution-flagged
command at the configuration level for each of the 2 VIPs, then use the redistribute vip only-flagged
command at the configuration level for the OSPFv2 process or OSPFv3 process.
• If you have 10 VIPs and need to redistribute 8 of them, use the redistribution-flagged
command at the configuration level for the 2 VIPs that should not be redistributed. Enter the
redistribute vip only-not-flagged command at the configuration level for the OSPFv2 process
or OSPFv3 process. (In this case, alternatively, you could enter redistribute vip instead of
redistribute vip only-not-flagged.)
• If the route map configured under slb is not defined then the prefix is not redistributed
(implicit deny).
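The flag-and-mode selection described in the VIP Redistribution notes for both RIP and OSPF, as an added example (not A10 code): a Python check that reads running-config-style text and lists which VIPs each routing process would advertise, so an unintended advertisement can be caught in review. The config layout, the VIP names and addresses, and the function names are assumptions constructed for illustration; plain redistribute vip is treated like only-not-flagged, following the parenthetical in the third bullet.

```python
import re

# Constructed sample in running-config style. The layout (top-level command,
# indented sub-commands) and every name and address here are assumptions.
SAMPLE_CONFIG = """\
slb virtual-server web-public 203.0.113.10
  port 443 https
slb virtual-server web-partner 203.0.113.11
  redistribution-flagged
  port 443 https
slb virtual-server admin-portal 198.51.100.5
  redistribution-flagged
  port 8443 https
router ospf 1
  redistribute vip only-flagged
router rip
  redistribute vip only-not-flagged
router ospf 2
  redistribute connected
router ospf 3
  redistribute vip tag 555
"""

VIP_RE = re.compile(r"slb virtual-server (\S+) (\S+)")
REDIST_RE = re.compile(
    r"redistribute vip(?:\s+(only-flagged|only-not-flagged))?(?:\s|$)")


def parse_config(text):
    """Return (vips, processes).

    vips:      name -> {"ip": str, "flagged": bool}
    processes: "router ..." line -> None (no VIP redistribution),
               "only-flagged", "only-not-flagged" or "plain"
    """
    vips, processes, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():          # a top-level command opens a block
            m = VIP_RE.match(line)
            if m:
                current = ("vip", m.group(1))
                vips[m.group(1)] = {"ip": m.group(2), "flagged": False}
            elif line.startswith("router "):
                current = ("proc", line)
                processes[line] = None
            else:
                current = None
            continue
        if current is None:
            continue
        kind, key = current
        if kind == "vip" and line == "redistribution-flagged":
            vips[key]["flagged"] = True
        elif kind == "proc":
            m = REDIST_RE.match(line)
            if m:
                processes[key] = m.group(1) or "plain"
    return vips, processes


def advertised_vips(vips, mode):
    """Names of the VIPs a process advertises under the given mode."""
    if mode is None:
        return []
    if mode == "only-flagged":
        return sorted(n for n, v in vips.items() if v["flagged"])
    # "only-not-flagged", and plain "redistribute vip" per the page's note.
    return sorted(n for n, v in vips.items() if not v["flagged"])


def redistribution_report(text):
    """Map each routing process to the VIP names it would advertise."""
    vips, processes = parse_config(text)
    return {p: advertised_vips(vips, mode) for p, mode in processes.items()}


def unexpected_advertisements(text, allowed):
    """Return {process: [vip, ...]} for advertised VIPs outside `allowed`."""
    findings = {}
    for proc, names in redistribution_report(text).items():
        extra = [n for n in names if n not in allowed]
        if extra:
            findings[proc] = extra
    return findings


if __name__ == "__main__":
    for proc, names in redistribution_report(SAMPLE_CONFIG).items():
        print(f"{proc}: {', '.join(names) or '(no VIPs)'}")
    print(unexpected_advertisements(SAMPLE_CONFIG, {"web-public", "web-partner"}))
```

Running the check against an allowlist of VIPs that are meant to be reachable turns a forgotten or misplaced redistribution-flagged line into a reviewable finding.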
Example The following commands redistribute floating IP addresses and VIP addresses into OSPF:
Example The following commands flag a VIP, then configure OSPF to redistribute only that flagged VIP.
The other (unflagged) VIPs will not be redistributed.
Example The following command enables redistribution of VIPs, and sets tag value 555 to be included
in external LSAs that advertise the route to the VIP:
Example The following command enables redistribution using the route-map under the slb virtual
server, then displays the routes:
router-id
Description Set the value used by this OSPF router to identify itself when exchanging route information
with other OSPF routers.
NOTE: The syntax for this command is slightly different for OSPFv2. See “ospf router-id” on
page 264.
Default The default router ID is the highest-numbered IP address configured on any of the ACOS
device’s loopback interfaces. If no loopback interfaces are configured, the highest-numbered
IP address configured on any of the ACOS device’s other Ethernet data interfaces is used.
NOTE: Setting the router ID is required for OSPFv3 and is strongly recommended for OSPFv2.
Usage The ACOS device has only one router ID. The address does not need to match an address
configured on the ACOS device. However, the address must be an IPv4 address and must be
unique within the routing domain.
New or changed router IDs require a restart of the OSPF process. To restart the OSPF process,
use the clear ip ospf process command.
Example The following commands set the router ID to 3.3.3.3 and reload OSPF to place the new router
ID into effect:
Configuration Commands Applicable to OSPFv2 Only
Parameter Description
min-delay Specifies the minimum number of milliseconds (ms) the OSPF process waits after receiving a topology change, before recalculating its OSPF routes. You can specify 0-2147483647.
max-delay Specifies the maximum number of milliseconds (ms) the OSPF process waits after receiving a topology change, before recalculating its OSPF routes. You can specify 0-2147483647.
Default The default min-delay is 500 ms. The default max-delay is 50000 ms.
Usage After you enter this command, any pending route recalculations are rescheduled based on
the new timer values.
• compatible rfc1583
• distance
• distribute-list
• log-adjacency-changes
• maximum-area
• neighbor
• network
• ospf abr-type
• ospf router-id
• overflow database
• summary-address
The commands in this section apply throughout the OSPFv2 process in which the commands are
entered.
The message-digest option enables MD5 authentication. If you omit this option, simple
text authentication is used.
Mode OSPFv2
Parameter Description
area-id Area ID, either an IP address or a number.
access acl-id {in | out} ID of an Access Control List (ACL). The only routes that are advertised are routes to the subnets permitted by the ACL.
prefix list-name {in | out} ID of an IP prefix list. The only routes that are advertised are routes to the subnets that match the list.
Mode OSPFv2
Usage You can specify an ACL or an IP prefix list. To configure an ACL, see the “access-list” command
in the Command Line Interface Reference, or “ipv6 access-list” on page 194. To configure a
prefix list, see “ip prefix-list” on page 186.
Default Disabled. By default, only one OSPF adjacency is allowed on an interface for a given OSPF
process.
Mode OSPFv2
Parameter Description
area-id Area ID.
default-information-originate [metric num] [metric-type {1 | 2}] Generates a Type 7 LSA into the NSSA area. (This option takes effect only on Area Border Routers (ABRs)):
• metric num – Metric for the default route, 0-16777214. The default is 20.
• metric-type {1 | 2} – External link type associated with the route advertised into the OSPF routing domain:
  • 1 – Type 1 external route
  • 2 – Type 2 external route
no-redistribution Disables redistribution of routes into the area.
no-summary Disables sending summary LSAs into the NSSA.
translator-role {always | candidate | never} Specifies the types of LSA translation performed by this OSPF router for the NSSA:
Default None
Mode OSPFv2
Parameter Description
area-id Area ID.
default Enables the default shortcut behavior. (See below.)
disable Disables shortcutting through the area.
enable Forces shortcutting through the area.
Default None
Mode OSPFv2
Usage A shortcut enables traffic to go through a non-backbone area with a lower metric, regardless
of whether the ABR router is attached to the backbone area.
compatible rfc1583
Description Enable calculation of summary route costs per RFC 1583.
Default Disabled. Summary route costs are calculated based on RFC 2328.
Mode OSPFv2
distance
Description Set the administrative distance for OSPF routes, based on route type.
Parameter Description
num Sets the administrative distance for all route types. You can
specify 1-255.
ospf {external | inter-area | intra-area} num Sets the administrative distance for specific route types:
• external – Routes that OSPF learns from other routing domains by redistribution.
• intra-area – Routes within the same OSPF area.
• inter-area – Routes between OSPF areas.
You can use the ospf option with one or more of its suboptions. For each route type, you can specify 1-255.
Default For all route types, the default administrative distance is 110.
Mode OSPFv2
Usage The administrative distance specifies the trustworthiness of routes. A low administrative
distance value indicates a high level of trust. Likewise, a high administrative distance value
indicates a low level of trust. For example, setting the administrative distance value for external
routes to 255 means those routes are very untrustworthy and should not be used.
distribute-list
Description Filter the networks received or sent in route updates.
Parameter Description
acl-id ID of an ACL. Only the networks permitted by the ACL will be
allowed.
in Uses the specified ACL to filter routes received by OSPF from
other sources. The filter applies to routes from all sources.
out route-type Uses the specified ACL to filter routes advertised by OSPF to other routing domains. The route-type can be one of the following:
Default None
Mode OSPFv2
Parameter Description
ipaddr IP address of the host.
area area-id OSPF area where the host is located.
cost num Cost of the stub host entry, 0-65535.
Default None
Mode OSPFv2
Usage Routes to the host are listed in router LSAs as stub links.
log-adjacency-changes
Description Log adjacency changes.
Parameter Description
detail Log changes in adjacency state.
disable Disable logging of adjacency state changes.
Mode OSPFv2
maximum-area
Description Set the maximum number of OSPF areas supported for this OSPF process.
Replace num with the maximum number of areas allowed for this OSPF process. You can
specify 1-4294967294.
Default 4294967294
Mode OSPFv2
neighbor
Description Configure an OSPF neighbor that is located on a non-broadcast network.
Parameter Description
ipaddr IP address of the OSPF neighbor.
cost num Specifies the link-state metric to the neighbor, 1-65535.
Default No neighbors on non-broadcast networks are configured by default. When you configure
one, the other parameters have the default settings described in the table above.
Mode OSPFv2
Usage This command is required only for neighbors on non-broadcast networks. Adjacencies to
neighbors on other types of networks are automatically established by the OSPF protocol.
It is recommended to set the poll-interval to a much higher value than the hello interval.
network
Description Enable OSPF routing for an area, on interfaces that have IP addresses in the specified area
subnet.
area area-id
[instance-id num]
Parameter Description
ipaddr {/mask-length | wildcard-mask} Subnet of the area. You can specify the subnet in CIDR format (ipaddr/mask-length) or as ipaddr wildcard-mask. In a wildcard-mask, 0s represent the network portion and 1s represent the host portion. For example, for a subnet that has 254 hosts and a 24-bit network mask, the wildcard-mask is 0.0.0.255.
area area-id Area ID.
instance-id num Range of OSPF instances for which to enable OSPF routing for the
area, 0-255. If you omit this option, OSPF routing is enabled for all
OSPF instances that are running on interfaces that have IP addresses
in the specified area subnet.
Default None
Mode OSPFv2
ospf abr-type
Description Specify the Area Border Router (ABR) type.
Parameter Description
cisco Alternative ABR using Cisco implementation (RFC 3509).
ibm Alternative ABR using IBM implementation (RFC 3509).
shortcut Shortcut ABR (draft-ietf-ospf-shortcut-abr-02.txt).
standard Standard ABR behavior (RFC 2328)
Default cisco
Mode OSPFv2
ospf router-id
Description Set the value used by this OSPF router to identify itself when exchanging route information
with other OSPF routers.
Default For OSPFv2, the default router ID is the highest-numbered IP address configured on any of
the ACOS device’s loopback interfaces. If no loopback interfaces are configured, the
highest-numbered IP address configured on any of the ACOS device’s other Ethernet data interfaces
is used.
Mode OSPFv2
Usage The ACOS device has only one router ID. The address does not need to match an address
configured on the ACOS device. However, the address must be an IPv4 address and must be
unique within the routing domain.
New or changed router IDs require a restart of the OSPF process. To restart the OSPF process,
use the clear ip ospf process command.
Example The following commands set the router ID to 2.2.2.2 and reload OSPF to place the new router
ID into effect:
overflow database
Description Specify the maximum number of LSAs or the maximum size of the external database.
Parameter Description
max-lsa [hard | soft] Specifies the maximum number of LSAs per OSPF process, 0-4294967294.
Mode OSPFv2
summary-address
Description Summarize or disable advertisement of external routes for a specific IP address range.
A summary-address helps reduce the size of the OSPF link-state database.
Parameter Description
ipaddr/mask Specifies the address range.
not-advertise Disables advertisement of routes for the specified range.
tag num Includes the specified tag value in external LSAs for IP
addresses within the specified range. The tag value can be
0-4294967295. The default tag value is 0.
Default None
Mode OSPFv2
Configuration Commands Applicable to OSPFv3 Only
OSPF Show Commands
Parameter Description
process-id Specifies the OSPFv2 process. If you omit this option, settings
for all configured OSPFv2 processes are displayed.
tag Specifies the OSPFv3 process. If you omit this option, settings
for all configured OSPFv3 processes are displayed.
ACOS#show ip ospf 0
Routing Process "ospf 0" with ID 1.1.1.1
Process uptime is 3 hours 12 minutes
Process bound to VRF default
Conforms to RFC2328, and RFC1583 Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Graceful Restart
This router is an ASBR (injecting external routing information)
SPF schedule delay min 0.500 secs, SPF schedule delay max 50.0 secs
Refresh timer 10 secs
Number of incoming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 0. Checksum 0x000000
Number of opaque AS LSA 0. Checksum 0x000000
Number of non-default external LSA 0
External LSA database is unlimited.
Number of LSA originated 2
Number of LSA received 79
Number of areas attached to this router: 1
Area 1 (NSSA)
Number of interfaces in this area is 2(2)
Number of fully adjacent neighbors in this area is 2
Number of fully adjacent virtual neighbors through this area
is 0
Area has no authentication
SPF algorithm last executed 02:07:40.860 ago
SPF algorithm executed 16 times
Example The following command shows route information for ABRs and ASBRs:
NOTE: The options are different for OSPFv3. See “show ipv6 ospf database” on page 270.
self-originate
]
Parameter Description
adv-router ipaddr Displays LSA information for the specified advertising
router.
asbr-summary Displays information about ASBR summary LSAs.
max-age Displays information for the LSAs that have reached the
maximum age allowed, which is 3600 seconds.
self-originate Displays information for LSAs originated by this OSPF
router.
external Displays information about external LSAs.
network Displays information about network LSAs.
nssa-external Displays information about NSSA external LSAs.
opaque-area Displays information about Type-10 Opaque LSAs. Type-
10 Opaque LSAs are LSAs with local-area scope (link
state type 10), and are not flooded outside the local area.
opaque-as Displays information about Type-11 LSAs, which are
flooded throughout the Autonomous System (AS).
opaque-link Displays information about Type-9 LSAs. Type-9 LSAs
have link-local scope, and are not flooded beyond the
local network.
router Displays information about router LSAs.
summary Displays information about summary LSAs.
The following suboptions are available for the external, network, nssa-external,
opaque-area, opaque-as, opaque-link, router, and summary options:
Parameter Description
ipaddr Displays LSA information for a specific link-state ID
(expressed as an IP address).
adv-router ipaddr Displays LSA information for the specified advertising
router.
self-originate Displays information for LSAs originated by this OSPF
router.
Parameter Description
external Displays information about external LSAs.
Parameter Description
grace Displays information about grace LSAs, used during graceful
restart.
inter-prefix Displays information about Inter-Area-Prefix LSAs.
inter-router Displays information about Inter-Area-Router LSAs.
intra-prefix Displays information about Intra-Area-Prefix LSAs.
links Displays information about link LSAs.
network Displays information about network LSAs.
router Displays information about router LSAs.
[adv-router] Displays LSA information for the specified advertising router.
ipaddr
AS-external-LSA
Example The following command shows OSPFv3 information for interface Ethernet 1:
[detail [all]] |
[interface interface-num]]
Parameter Description
process-id Specifies the OSPFv2 process. If you omit this option,
information for all configured OSPFv2 processes is displayed.
tag Specifies the OSPFv3 process. If you omit this option,
information for all configured OSPFv3 processes is displayed.
ipaddr [detail] Displays information for the specified neighbor. For
detailed information, use the detail option. For summary
information, omit the detail option.
all Includes neighbors whose status is Down. Without this
option, down neighbors are not included in the output.
detail [all] Displays detailed information for all neighbors. To include
down neighbors in the output, use the all option.
interface ipaddr Displays information for neighbors reachable through the
specified IP interface.
OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface Instance ID
9.1.1.1 1 Full/Backup 00:00:34 10.1.1.2 ethernet 1 0
kernel |
lw4o6 |
ospf [|process-id] |
rip
selected-vip
static |
vip
]
Parameter Description
process-id Specifies the OSPFv2 process. If you omit this option, information
for all configured OSPF processes is displayed.
bgp Displays redistributed routes from BGP.
connected Displays redistributed routes to directly-connected networks.
floating-ip Displays redistributed routes to floating IP addresses.
ip-nat Displays redistributed routes to IP addresses assigned from an
IP NAT pool.
ip-nat-list Displays redistributed routes to IP addresses assigned from an
IP NAT range list.
isis Displays redistributed routes from IS-IS.
kernel Displays redistributed kernel routes.
lw4o6 Displays redistributed Lightweight 4over6 routes.
ospf Displays redistributed routes from other OSPFv2 processes.
[process-id]
rip Displays redistributed routes from RIP.
selected-vip Displays redistributed routes to SLB VIPs that are explicitly
flagged for redistribution. This option is applicable if the only-
flagged option was used with the redistribute vip command.
static Displays redistributed static routes.
vip Displays redistributed routes to SLB VIPs that are implicitly
flagged for redistribution. This option is applicable if the only-
not-flagged option was used with the redistribute vip command.
Usage For more information on VIP redistribution, see “Usage” in “redistribute” on page 248.
Parameter Description
process-id Specifies the OSPFv2 process. If you omit this option, information
for all configured OSPFv2 processes is displayed.
tag Specifies the OSPFv3 process. If you omit this option, information
for all configured OSPFv3 processes is displayed.
Example The following command shows OSPFv2 IPv4 routes and OSPFv3 IPv6 routes:
Destination Metric
Next-hop
C 1000::/32 10
directly connected, ethernet 1, Area 0.0.0.0
E2 9111::/32 10/20
via fe80::21f:a0ff:fe04:b1f0, ethernet 1
Mode EXEC
Parameter Description
tag Specifies the OSPFv3 process. If you omit this option, information
for all configured OSPFv3 processes is displayed.
area area-id Displays OSPFv3 topology information for the specified area.
Parameter Description
process-id Specifies the OSPFv2 process. If you omit this option, information
for all configured OSPFv2 processes is displayed.
tag Specifies the OSPFv3 process. If you omit this option, information
for all configured OSPFv3 processes is displayed.
Example The following command shows information for OSPFv2 virtual links:
This chapter describes the commands for configuring global Intermediate System to Intermediate System
(IS-IS) parameters.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are
described in the System Configuration and Administration Guide.
• address-family
• adjacency-check
• area-password
• authentication
• bfd
• default-information originate
• distance
• domain-password
• ha-standby-extra-cost
• ignore-lsp-errors
• is-type
• log-adjacency-changes
• lsp-gen-interval
• lsp-refresh-interval
• max-lsp-lifetime
• metric-style
• net
• passive-interface
• protocol-topology
• redistribute
• set-overload-bit
• spf-interval-exp
• summary-address
address-family
Description Configure this IS-IS instance to exchange multicast IPv6 addresses with other IS-IS routers.
This command changes the CLI to the address-family configuration level, where the
following commands are available.
Command Description
adjacency-check Enables IS-IS router adjacency based on Type-Length-Value (TLV)
fields in IS-IS Hello packets between routers.
default-information originate Enables advertisement of the default route in Link State Packets
(LSPs) sent by this IS-IS instance.
distance Sets the administrative distance, 1-255, for IS-IS routes.
exit-address-family Exits from the address-family configuration level.
[no] multi-topology Enables multi-topology mode. The transition option accepts and
[level-1 | level-1-2 | level-2] generates both IS-IS IPv6 and multi-topology IPv6 TLVs.
[transition]
redistribute option Enables distribution of routes from other sources into IS-IS. For
available options, see “redistribute” on page 290.
summary-prefix ipv6-addr/prefix Configures an IPv6 summary prefix.
[level-1 | level-1-2 | level-2]
Default Disabled. When you enable IPv6 exchange, the unicast option is disabled by default.
Mode IS-IS
Example The following command enables exchange of IPv6 multicast addresses with other IS-IS routers,
and enables the default route to be advertised.
ACOS(config)#router isis
ACOS(config-isis)#address-family ipv6
ACOS(config-isis-ipv6)#default-information originate
adjacency-check
Description Enable IS-IS router adjacency based on Type-Length-Value (TLV) fields in IS-IS Hello packets
between routers.
Default Enabled.
Mode IS-IS
area-password
Description Configure the password for authenticating IS-IS traffic between Level-1 routers.
Parameter Description
string Specifies the password.
authenticate snp Uses the password for authentication of Sequence Number
Packets (SNPs).
send-only Inserts the password into SNP PDUs before sending
them, but does not check for the password in SNP PDUs
received from other routers.
validate Inserts the password into SNP PDUs before sending
them, and also checks for the password in SNP PDUs
received from other routers.
Default None. If you configure a Level-1 password, the snp option is disabled by default.
Mode IS-IS
Usage This command applies only to Level-1. To configure authentication for Level-2, see “domain-
password” on page 284.
Example The following command configures IS-IS to use password “isisl1pwd” to authenticate Level-1
IS-IS traffic within the area, including inbound and outbound SNP PDUs:
ACOS(config)#router isis
ACOS(config-isis)#area-password isisl1pwd authenticate snp validate
authentication
Description Configure authentication for this IS-IS instance.
Parameter Description
send-only [level-1 | level-2] Disables checking for keys in IS-IS packets received by this IS-IS
instance.
Mode IS-IS
Usage Use the send-only option to temporarily disable key checking, then use the key-chain
option to specify the key chain. To use MD5, use the md5 option to disable clear-text authentication
and enable MD5 authentication. After key-chains are installed on the other IS-IS routers,
disable the send-only option.
Example The following commands configure MD5 authentication for this IS-IS instance:
ACOS(config)#router isis
ACOS(config-isis)#authentication send-only
ACOS(config-isis)#authentication mode md5
ACOS(config-isis)#authentication key-chain chain1
ACOS(config-isis)#no authentication send-only
bfd
Description Enable BFD on all interfaces for which IS-IS is running.
Default Disabled
Mode IS-IS
default-information originate
Description Enable advertisement of the default route in Link State Packets (LSPs) sent by this IS-IS
instance.
Default Disabled
Mode IS-IS
Usage If the IPv4 or IPv6 data route tables contain a default route, the default route is included in
Level-2 LSPs sent by this IS-IS instance. This command does not apply to Level-1 LSPs.
distance
Description Set the administrative distance for IS-IS routes.
Parameter Description
num Specifies the distance, 1-255.
system-id Assigns the distance only to routes from the router with the
specified IS-IS system ID.
Default None
Mode IS-IS
Usage The administrative distance specifies the trustworthiness of routes. A low administrative distance
value indicates a high level of trust. Likewise, a high administrative distance value indicates
a low level of trust. For example, setting the administrative distance value for external routes
to 255 means those routes are very untrustworthy and should not be used.
domain-password
Description Configure the password for authenticating IS-IS traffic between Level-2 routers.
Parameter Description
string Specifies the password.
authenticate snp Uses the password for authentication of Sequence Number
Packets (SNPs).
send-only Inserts the password into SNP PDUs before sending
them, but does not check for the password in SNP PDUs
received from other routers.
validate Inserts the password into SNP PDUs before sending
them, and also checks for the password in SNP PDUs
received from other routers.
Default None. If you configure a Level-2 password, the snp option is disabled by default.
Mode IS-IS
Usage This command applies only to Level-2. To configure authentication for Level-1, see “area-
password” on page 281.
Example The following command configures IS-IS to use password “isisl2pwd” to authenticate Level-2
IS-IS traffic, including inbound and outbound SNP PDUs:
ACOS(config)#router isis
ACOS(config-router)#domain-password isisl2pwd authenticate snp validate
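The area-password, authentication, and domain-password settings described above can be checked offline with a small audit script. The following is an added example, not A10 code and not part of the original guide; the stanza layout (sub-commands indented under router isis and closed by "!"), the optional tag after router isis, the function names, and the sample configuration are assumptions.

```python
import re

# Constructed sample running-config (not captured from a real device).
# Assumed layout: sub-commands indented under "router isis", closed by "!".
SAMPLE_CONFIG = """\
router isis
 area-password isisl1pwd
 domain-password isisl2pwd authenticate snp send-only
 authentication send-only
 authentication key-chain chain1
!
router bgp 65001
 bgp router-id 2.2.2.2
!
"""

# The MD5 command sequence from the authentication example, as a CLI transcript.
PAGE_EXAMPLE = """\
ACOS(config)#router isis
ACOS(config-isis)#authentication send-only
ACOS(config-isis)#authentication mode md5
ACOS(config-isis)#authentication key-chain chain1
ACOS(config-isis)#no authentication send-only
"""

PROMPT = re.compile(r"^\S+\(config(?P<sub>-[^)]+)?\)#\s*(?P<cmd>.*)$")


def normalize(text):
    """Yield (is_subcommand, command) from running-config text or a transcript."""
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if m:
            yield bool(m.group("sub")), m.group("cmd").strip()
        elif raw.strip():
            yield raw[:1].isspace(), raw.strip()


def isis_stanzas(text):
    """Return [(tag, [commands])] for every 'router isis' stanza."""
    stanzas, current = [], None
    for is_sub, cmd in normalize(text):
        m = re.fullmatch(r"router isis(?:\s+(\S+))?", cmd)
        if m and not is_sub:
            current = []
            stanzas.append((m.group(1) or "(null)", current))
        elif is_sub and current is not None:
            current.append(cmd)
        else:
            current = None  # "!" or any other top-level command ends the stanza
    return stanzas


def audit_stanza(commands):
    """Replay the commands in order and return [(code, message)] findings."""
    send_only, md5, key_chain = False, False, None
    snp = {"area-password": None, "domain-password": None}
    for cmd in commands:
        negated = cmd.startswith("no ")
        words = (cmd[3:] if negated else cmd).split()
        if words[:2] == ["authentication", "send-only"]:
            send_only = not negated  # level keyword ignored: any level counts
        elif words[:3] == ["authentication", "mode", "md5"]:
            md5 = not negated
        elif words[:2] == ["authentication", "key-chain"]:
            key_chain = words[2] if len(words) > 2 and not negated else None
        elif words and words[0] in snp:
            # Keep only the SNP option; the password itself is never stored.
            opts = words[2:]
            has_snp = opts[:2] == ["authenticate", "snp"] and len(opts) > 2
            snp[words[0]] = None if negated else (opts[2] if has_snp else "off")
    findings = []
    if send_only:
        findings.append(("SEND_ONLY", "authentication send-only still set: "
                         "keys in received IS-IS packets are not checked"))
    if key_chain and not md5:
        findings.append(("CLEAR_TEXT", "key chain %s used without "
                         "'authentication mode md5'" % key_chain))
    for cmd, level in (("area-password", "Level-1"), ("domain-password", "Level-2")):
        if snp[cmd] == "off":
            findings.append(("SNP_OFF:" + cmd, level + " SNPs are not authenticated"))
        elif snp[cmd] == "send-only":
            findings.append(("SNP_SEND_ONLY:" + cmd,
                             "received " + level + " SNPs are not checked"))
    if not key_chain and not any(snp.values()):
        findings.append(("NO_AUTH", "no IS-IS authentication configured"))
    return findings


def audit(text):
    """Map each IS-IS tag to its findings."""
    return {tag: audit_stanza(cmds) for tag, cmds in isis_stanzas(text)}


if __name__ == "__main__":
    for tag, findings in audit(SAMPLE_CONFIG).items():
        for code, message in findings:
            print("router isis %s: %s: %s" % (tag, code, message))
```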
ha-standby-extra-cost
Description Enable IS-IS awareness of VRRP-A.
Replace num with the extra cost to add to the ACOS device’s IS-IS interfaces, if the VRRP-A
status of one or more of the device’s VRIDs is Standby. You can specify 1-65535. If the
resulting cost value is more than 65535, the cost is set to 65535.
Default Not set. The IS-IS protocol on the ACOS device is not aware of the VRRP-A state (Active or
Standby) of the ACOS device.
Mode IS-IS
Usage Enter the command on each of the ACOS devices in the VRRP-A VRID.
ignore-lsp-errors
Description Disable checksum verification for inbound LSPs.
Mode IS-IS
is-type
Description Specify the IS-IS routing level for this IS-IS instance.
Parameter Description
level-1 Level-1 (intra-area) only.
level-1-2 Level-1 and Level-2.
level-2-only Level-2 (inter-area) only.
Default Level-1.
Mode IS-IS
Usage Only one IS-IS instance on the ACOS device can run Level-2 routing.
log-adjacency-changes
Description Log adjacency changes.
Parameter Description
detail Log changes in adjacency state.
disable Disable logging of adjacency state changes.
Mode IS-IS
ACOS(config)#router isis
ACOS(config-isis)#log-adjacency-changes disable
lsp-gen-interval
Description Configure the minimum interval for LSP regeneration.
Parameter Description
level-1 | level-2 Specifies the circuit type to which to apply the interval
configuration. The default is level-1.
seconds Specifies the minimum number of seconds between each
regeneration of the LSP. You can specify 1-120 seconds.
Mode IS-IS
lsp-refresh-interval
Description Configure the LSP refresh interval.
Replace seconds with the minimum number of seconds IS-IS must wait before refreshing
an LSP. You can specify 1-65535 seconds.
Default 900
Mode IS-IS
max-lsp-lifetime
Description Configure the LSP maximum lifetime.
Replace seconds with the maximum number of seconds an LSP can remain in the database
without being refreshed. You can specify 350-65535 seconds.
Default 1200
Mode IS-IS
metric-style
Description Configure the metric style to use for SPF calculation and for TLV encoding in LSPs.
Parameter Description
narrow Supports 6-bit metric length for SPF calculation and TLV encoding.
The transition option also allows 24-bit metrics for SPF calculation, but not for
TLV encoding.
• level-1 – Supports 24-bit SPF calculation only for circuit type Level-1.
• level-2 – Supports 24-bit SPF calculation only for circuit type Level-2.
• level-1-2 – Supports 24-bit SPF calculation for circuit types Level-1 and Level-2.
(This is the default, if the transition option is used.)
transition Supports 6-bit and 24-bit metric lengths for SPF calculation and TLV encoding.
• level-1 – Supports both metric lengths only for circuit type Level-1.
• level-2 – Supports both metric lengths only for circuit type Level-2.
• level-1-2 – Supports both metric lengths for circuit types Level-1 and Level-2.
(This is the default, if the transition option is used.)
wide Supports 24-bit metric length for SPF calculation and TLV encoding.
The transition option also allows 6-bit metrics for SPF calculation, but not for TLV
encoding.
• level-1 – Supports 6-bit SPF calculation only for circuit type Level-1.
• level-2 – Supports 6-bit SPF calculation only for circuit type Level-2.
• level-1-2 – Supports 6-bit SPF calculation for circuit types Level-1 and Level-2.
(This is the default, if the transition option is used.)
narrow-transition Supports 6-bit metric length for SPF calculation and TLV encoding.
The transition option also allows 24-bit metrics for SPF calculation, but not for
TLV encoding.
• level-1 – Supports 24-bit SPF calculation only for circuit type Level-1.
• level-2 – Supports 24-bit SPF calculation only for circuit type Level-2.
• level-1-2 – Supports 24-bit SPF calculation for circuit types Level-1 and Level-2.
(This is the default, if the transition option is used.)
wide-transition Supports 24-bit metric length for SPF calculation and TLV encoding.
The transition option also allows 6-bit metrics for SPF calculation, but not for TLV
encoding.
• level-1 – Supports 6-bit SPF calculation only for circuit type Level-1.
• level-2 – Supports 6-bit SPF calculation only for circuit type Level-2.
• level-1-2 – Supports 6-bit SPF calculation for circuit types Level-1 and Level-2.
(This is the default, if the transition option is used.)
Default Narrow, for Level-1 and Level-2 routing levels (level-1-2). For all options that accept the
level-1, level-1-2, or level-2 keyword, the default is level-1.
Mode IS-IS
net
Description Configure a Network Entity Title (NET) for the instance.
Parameter Description
area-address Specifies the address of the IS-IS area.
system-id Specifies the system ID.
Default None
Mode IS-IS
You can configure more than one NET. This is useful in cases where you are reconfiguring the
network and need to temporarily merge or split existing areas.
If you configure more than 1 NET, the area-address must be unique in each NET but the
system-id must be the same.
passive-interface
Description Disable IS-IS routing updates on ACOS interfaces.
Parameter Description
ethernet num Disables routing updates from being sent on the specified
Ethernet data port.
lif num Disables routing updates from being sent on the specified logical
interface.
loopback num Disables routing updates from being sent on the specified loopback
interface.
trunk num Disables routing updates from being sent on the specified trunk
interface.
ve ve-num Disables routing updates from being sent on the specified Virtual
Ethernet (VE) interface.
Default Disabled
Mode IS-IS
Usage This command removes all IS-IS configuration from the specified interface.
For proper operation of IS-IS, routing updates must be enabled on at least one interface.
protocol-topology
Description Enable IS-IS protocol topology support, which provides IPv4/IPv6/dual-stack support.
Default Disabled
Mode IS-IS
redistribute
Description Enable distribution of routes from other sources into IS-IS.
Parameter Description
bgp [options] Redistributes route information from Border Gateway Protocol
(BGP) into IS-IS. For options, see the end of this parameter list.
connected [options] Redistributes routes into IS-IS for reaching directly connected
networks.
floating-ip [options] Redistributes routes into IS-IS for reaching floating IP addresses.
ip-nat [options] Redistributes routes into IS-IS for reaching translated NAT
addresses allocated from a pool.
ip-nat-list [options] Redistributes routes into IS-IS for reaching translated NAT
addresses allocated from a range list.
isis [options] Redistributes routes back into IS-IS.
lw4o6 [options] Redistributes routes into IS-IS for Lightweight 4over6. (This is an
IPv6 Migration feature.)
ospf [process-id] [options] Redistributes OSPF routes into IS-IS.
rip [options] Redistributes routes into IS-IS for RIP.
static [options] Redistributes routes into IS-IS for reaching networks through
static routes.
vip To control which VIPs are redistributed, use one of the following
[only-flagged | only-not-flagged] options:
[options]
• only-flagged – Redistributes only the VIPs on which the
redistribution-flagged command is used.
• only-not-flagged – Redistributes all VIPs except those on
which the redistribution-flagged command is used.
Default Disabled. By default, IS-IS routes are not redistributed. For other defaults, see above.
Mode IS-IS
Usage When you enable redistribution, routes to all addresses of the specified type are redistributed.
Use the vip option to control which routes to VIPs are redistributed into IS-IS.
VIP Redistribution
You can exclude redistribution of individual VIPs using one or the other of the following
methods.
• At the configuration level for IS-IS, enter either of the following commands:
redistribute vip only-not-flagged or redistribute vip
• If you have 10 VIPs and all of them need to be redistributed by IS-IS, use the
redistribute vip command at the configuration level for IS-IS.
• If you have 10 VIPs but only 2 of them need to be redistributed, use the
redistribution-flagged command at the configuration level for each of the 2 VIPs, then use
the redistribute vip only-flagged command at the configuration level for IS-IS.
• If you have 10 VIPs and need to redistribute 8 of them, use the redistribution-flagged
command at the configuration level for the 2 VIPs that should not be redistributed.
Enter the redistribute vip only-not-flagged command at the configuration
level for IS-IS. (In this case, alternatively, you could enter redistribute
vip instead of redistribute vip only-not-flagged.)
Example The following commands redistribute floating IP addresses and OSPF routes into IS-IS:
ACOS(config)#router isis
ACOS(config-isis)#redistribute floating-ip
ACOS(config-isis)#redistribute ospf
set-overload-bit
Description Disable use of this IS-IS router as a transit router during SPF calculation.
Parameter Description
on-startup Sets the overload bit only after startup of the IS-IS instance, and clears the
{seconds | wait-for-bgp} bit based on one of the following options:
• seconds – Clears the overload bit after the specified number of seconds.
You can specify 5-86400 seconds.
• wait-for-bgp – Clears the overload bit after BGP signals that it has finished
convergence.
• If BGP is not running, the overload bit is immediately cleared.
• If BGP is running but does not signal convergence within 10 minutes
after the IS-IS instance starts, the overload bit is cleared.
supress Suppresses redistribution of specific types of reachability information
{external | interlevel} during the overload state.
Default Disabled. The overload bit is not set, and this IS-IS router can be used as a transit
(intermediate hop) router during SPF calculation.
Mode IS-IS
Usage IP prefixes that are directly connected to this IS-IS router continue to be reachable even
when the overload bit is set.
spf-interval-exp
Description Configure the minimum and maximum delay between receiving a link-state or IS-IS
configuration change, and SPF recalculation.
Parameter Description
level-1 | level-2 Specifies the IS-IS level to which to apply the interval
setting.
Default The default min-delay is 500 ms and the default max-delay is 50000 ms, for Level-1 and
Level-2 routing levels.
Mode IS-IS
summary-address
Description Configure an IPv4 summary address to aggregate multiple IPv4 prefixes for advertisement.
Parameter Description
ipaddr/mask-length Specifies the summary IPv4 address to advertise.
level-1 | Specifies the IS-IS routing level to which to advertise
level-1-2 | the summary address. If you do not specify a routing
level-2 level, the summary address is advertised at Level-2
only.
Default None
Mode IS-IS
Usage The summary address is advertised instead of the individual IP prefixes contained in the
summary address. For example, if the IPv4 route table has routes to 192.168.1.x/24, 192.168.2.x/24,
and 192.168.11.x/24, you can configure IS-IS to advertise summary address 192.168.0.0/16
instead of each of the individual prefixes.
IS-IS Show Commands
Replace tag with the IS-IS tag (area). If you do not specify a tag value, IPv4 routes for all areas
are displayed.
Mode All
Example The following command shows the IPv4 IS-IS route table:
Area (null):
Destination Metric Next-Hop Interface Tag
C 1.0.3.0/24 10 -- ethernet 5 --
L1 1.0.4.0/24 20 12.0.0.2 ethernet 2 0
C 12.0.0.0/24 10 -- ethernet 2 --
Replace tag with the IS-IS tag (area). If you do not specify a tag value, IPv6 routes for all areas
are displayed.
Mode All
Example The following command shows the IPv6 IS-IS route table:
Area (null):
C 3000::/64 [10]
Mode All
Mode All
isisSysStatAttmptToExMaxSeqNums: 0
isisSysStatSeqNumSkips: 0
isisSysStatOwnLSPPurges: 0
isisSysStatIDFieldLenMismatches: 0
isisSysStatMaxAreaAddrMismatches: 0
isisSysStatPartChanges: 0
isisSysStatSPFRuns: 4
[detail | verbose]
[l1 | l2 | level-1 | level-2]
Parameter Description
tag Specifies the IS-IS tag (area). If you do not specify a tag value,
database entries for all areas are displayed.
lspid Specifies the ID of a specific LSP to display.
detail Displays detailed contents of the LSPs. Without this option,
summary information is displayed.
verbose Displays verbose database information.
l1 | Specifies the IS-IS routing level for which to display database
l2 | entries.
level-1 |
level-2 The default is level-1.
Mode All
ve ve-num
}
Parameter Description
counter Displays IS-IS interface status information and statistics.
ethernet port-num Displays IS-IS information for the specified Ethernet data
port.
lif num Displays IS-IS information for the specified logical interface.
loopback num Displays IS-IS information for the specified loopback
interface.
trunk num Displays IS-IS information for the specified trunk interface.
ve ve-num Displays IS-IS information for the specified VE interface.
Mode All
You can specify one of l1, l2, level-1, or level-2 as the IS-IS routing level for which to
display topology information.
Default level-1
Usage All
Area (null):
IS-IS paths to level-1 routers
System Id Metric Next-Hop Interface SNPA
0000.0000.0001 --
0000.0000.0002 10 0000.0000.0002 ethernet 2 001f.a010.a4a6
This chapter describes the syntax for the Border Gateway Protocol (BGP) commands. The commands
are described in the following sections:
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are
described in the Command Line Interface Reference.
Enabling BGP
To enable BGP on the ACOS device:
1. Enable the protocol and specify the Autonomous System (AS) number, using the following
command at the global configuration level of the CLI:
router bgp AS-num
The AS-num specifies the Autonomous System Number (ASN), which can be 1-4294967295. The
ACOS device supports configuration of one local AS.
This is the minimum required configuration. Additional configuration may be required depending on
your deployment.
NOTE: It is recommended to set a fixed router-ID for all dynamic routing protocols
you plan to use on the ACOS device, to prevent router ID changes
caused by VRRP-A failover. If you do not explicitly configure the ACOS
device’s BGP router ID, BGP sessions may be reset whenever there
is an interface state change.
BGP Configuration Commands
• bgp extended-asn-cap
• bgp nexthop-trigger
bgp extended-asn-cap
Description Enable the ACOS device to send 4-octet BGP Autonomous System Number (ASN) capabilities.
bgp nexthop-trigger
Description Configure BGP nexthop tracking.
Parameter Description
seconds Specifies how long BGP waits before walking the full BGP table
to determine which prefixes are affected by the nexthop changes,
after receiving a trigger about nexthop changes. You can specify
1-100 seconds.
enable Enables nexthop tracking.
Default BGP nexthop tracking is disabled by default. When you enable it, the default delay is 5 seconds.
To access the BGP router configuration level, use the router bgp command at the global configuration
level of the CLI:
• address-family
• aggregate-address
• auto-summary
• bgp always-compare-med
• bgp bestpath
• bgp dampening
• bgp default
• bgp deterministic-med
• bgp enforce-first-as
• bgp fast-external-failover
• bgp log-neighbor-changes
• bgp nexthop-trigger-count
• bgp router-id
• bgp scan-time
• default-information originate
• distance
• maximum-paths
• network
• redistribute
• synchronization
• timers
address-family
Description Configure address family parameters.
This command changes the CLI to a new configuration level where the following commands
are available.
Command Description
[no] aggregate-address options See “aggregate-address” on page 308.
[no] auto-summary See “auto-summary” on page 308.
[no] bgp dampening options See “bgp dampening” on page 310.
[no] default-information originate See “default-information originate” on page 313.
[no] distance See “distance” on page 313.
[no] exit-address-family Exits the address-family configuration level.
[no] maximum-paths See “maximum-paths” on page 314.
[no] neighbor options The following neighbor commands are supported under the
address-family configuration level:
Default None
Mode BGP
aggregate-address
Description Configure an aggregate address.
Parameter Description
ipaddr/mask-length If you are using this command at the BGP configuration
level, specify an IPv4 aggregate network address.
Default None
auto-summary
Description Enable sending of summarized routes to BGP peers.
Default Disabled
Mode BGP
bgp always-compare-med
Description Enable comparison of the Multi Exit Discriminators (MEDs) for paths from neighbors in
different ASs.
Default Disabled. By default, MED comparison is done only among paths from the same AS.
Mode BGP
bgp bestpath
Description Configure options to select the best of multiple paths for a route.
Parameter Description
as-path Use the AS path when selecting the best path for a route.
Mode BGP
bgp dampening
Description Configure the BGP response to route flapping, to minimize network disruption.
Parameter Description
dampening-options Configures the dampening options:
• reuse-start—Specifies the reuse limit value. When the penalty for a suppressed
route decays below the reuse value, the routes become unsuppressed. You can
specify 1-20000.
• suppress-start—Specifies the suppress limit value. When the penalty for a route
exceeds the suppress value, the route is suppressed. You can specify 1-20000.
Mode BGP
bgp default
Description Change BGP default settings.
Parameter Description
ipv4-unicast Activates IPv4 unicast for communication with peers.
Mode BGP
bgp deterministic-med
Description Enable comparison of the Multi Exit Discriminator (MED) values during selection of a route
among routes advertised by different peers in the same AS.
Default Disabled
Mode BGP
bgp enforce-first-as
Description Enable the ACOS device to deny any updates received from an external neighbor that do not
have the neighbor’s configured AS at the beginning of the AS_PATH.
Default Enabled
Mode BGP
bgp fast-external-failover
Description Enable immediate reset of a BGP session if the interface used for the BGP connection goes
down.
Default Enabled
Mode BGP
bgp log-neighbor-changes
Description Enable logging of status change messages without enabling BGP debugging.
Default Disabled
Mode BGP
bgp nexthop-trigger-count
Description Configure display of BGP nexthop-tracking status.
Parameter Description
num Count value (0-127).
Mode BGP
bgp router-id
Description Configure the router ID.
Parameter Description
ipaddr IPv4 address.
Default If a loopback interface is configured, the router ID is set to the IP address of the loopback
interface. If there are multiple loopback interfaces, the loopback interface with the highest
numbered IP address is used.
If there are no loopback interfaces, the interface with the highest numbered IP address is
used.
Mode BGP
bgp scan-time
Description Set the interval for BGP route next-hop scanning.
Parameter Description
seconds Amount of time between scans, in seconds (0-60 seconds).
Default 60
Mode BGP
default-information originate
Description Enable advertisement of the default route in packets sent by this BGP instance.
A valid default route must exist and be verified to complete this configuration, or the default
route will not be advertised.
Default Disabled
Mode BGP
distance
Description Configure the administrative distance for BGP. The administrative distance is a rating of
trustworthiness of the BGP process relative to other routing processes running on the ACOS
device. The greater the distance, the lower the trust rating.
Parameter Description
admin-distance ipaddr/mask-length [acl-id] Overrides the configured administrative distance for specific prefixes.
The acl-id option specifies an ACL that matches on the routes for which to
override the default administrative distance. If you do not use this option,
the distance is applied to all IPv4 BGP routes.
NOTE: This option is not available if you are configuring the distance at the
address-family configuration level.
bgp external internal local • external – Specifies the administrative distance (1-255) for BGP routes learned from another AS.
Mode BGP
maximum-paths
Description Specify the maximum number of ECMP paths to a given route destination allowed for BGP.
Parameter Description
num Maximum number of paths to a given destination. You can specify
1-64.
Default 1. BGP will install the single best ECMP route into the FIB used by the ACOS device to forward
traffic.
Mode BGP
Description Enable the exchange of address family routes with a neighboring BGP router.
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
Default N/A
Mode BGP
Usage After the TCP connection is opened with the neighbor, use this command to enable or
disable the exchange of address family information with the neighboring router.
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
seconds Minimum interval between route updates. You can specify
0-600 seconds.
Mode BGP
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
occurrences Maximum number of occurrences of a given AS number. You
can specify 1-10.
Default Disabled
Mode BGP
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
seconds Time between AS origination route updates. You can specify
1-600 seconds.
Default 15 seconds
Mode BGP
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
dynamic Enables the ACOS device to advertise or withdraw an address family capability
with the neighbor, without bringing down the BGP session with the peer.
orf prefix-list {both | receive | send} Enables Outbound Route Filtering (ORF) and advertises the ACOS device’s
ORF capability to the neighbor.
• both – ACOS device can send ORF entries to the neighbor, as well as
receive ORF entries from the neighbor.
• receive – ACOS device can receive ORF entries from the neighbor, but
cannot send ORF entries to the neighbor.
• send – ACOS device can send ORF entries to the neighbor, but cannot
receive ORF entries from the neighbor.
route-refresh Enables advertisement of route-refresh capability to the neighbor. When this
option is enabled, the ACOS device can dynamically request the neighbor to
re-advertise its Adj-RIB-Out.
Default None. (This assumes that the neighbor has no special capabilities or functions.)
Mode BGP
Usage BGP neighbors exchange ORFs to reduce the number of updates exchanged between
neighbors. By filtering updates, this option minimizes the generation and processing of updates.
The local router (ACOS device) advertises the ORF capability in send mode, and the remote
router receives the ORF capability in receive mode applying the filter as outbound policy.
The two routers exchange updates to maintain the ORF for each router. Only an individual
router or a peer group can be configured to be in receive or send mode. A peer-group
member cannot be configured to be in receive or send mode.
Replace neighbor-id with the ID of the neighbor, which can be one of the following types of
values:
Default Use this command only if necessary. Generally, the command is not required.
Mode BGP
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
map-name Route map that specifies the nexthop IP address.
Default Disabled
Mode BGP
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
string String that describes the neighbor (up to 80 characters).
Default None
Mode BGP
Replace neighbor-id with the ID of the neighbor, which can be one of the following types of
values:
Mode BGP
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types
of values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
ip-access-list Time between AS origination route updates. You can specify
1-600 seconds.
in | out Specifies the update direction to filter:
Mode BGP
Replace neighbor-id with the ID of the neighbor, which can be one of the following types of
values:
Mode BGP
Parameter Description
neighbor The IPv4 or IPv6 address of the neighbor router, or the router
tag (1-128 characters).
count The maximum hop count to reach the neighbor (1-255).
Mode BGP
Default Enabled
Mode BGP
Mode BGP
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following
types of values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
AS-path-access-list AS path list. To configure an AS path list, use the
following command at the global configuration level of
the CLI:
ip as-path access-list
in | out Specifies the update direction to filter:
Mode BGP
NOTE: The actual maximum number of prefixes that can be configured varies depending
on the platform.
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types
of values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
num Maximum number of prefixes allowed. You can specify
1-65536.
Mode BGP
Usage If the maximum is reached, the ACOS device brings down the BGP session with the peer.
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
Default Disabled
Mode BGP
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
Default Disabled
Mode BGP
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
Default Disabled
Mode BGP
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
string The string can be up to 80 characters long. The string can
include the printable ASCII characters, which are [0-9], [a-z], and
[A-Z] and are fully defined by hexadecimal value range 0x20-0x7e.
The string cannot begin with a blank space, and cannot
contain any of the following special characters: ' " < > & \ / ?
Default Disabled
Mode BGP
Usage Message Digest 5 (MD5) authentication of TCP segments (as introduced in RFC 2385)
protects BGP sessions via the TCP MD5 Signature Option. This feature is enabled
on a per-neighbor basis for the individual BGP peer configuration, and a password is
required. The password must be the same on the ACOS device and on the peer (BGP
neighbor).
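The following Python sketch is an added example, not ACOS code or an example from this guide. It checks a candidate password against the string rules in the table above and computes the RFC 2385 digest that both peers derive from the shared password, showing why a segment built with a different key or altered in transit is rejected. The ports, sequence numbers, key and the local address 10.10.10.21 are constructed sample values, and only IPv4 is handled.

```python
import hashlib
import hmac
import socket
import struct

FORBIDDEN = set("'\"<>&\\/?")   # special characters excluded by the table above


def check_password(pw: str) -> list:
    """Return the rule violations for a neighbor password (empty list = OK)."""
    problems = []
    if not pw:
        problems.append("empty")
    if len(pw) > 80:
        problems.append("too-long")
    if pw.startswith(" "):
        problems.append("leading-space")
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in pw):
        problems.append("non-printable")
    if FORBIDDEN & set(pw):
        problems.append("forbidden-char")
    return problems


def tcp_md5_digest(src: str, dst: str, tcp_hdr: bytes, data: bytes, key: bytes) -> bytes:
    """RFC 2385 digest: MD5 over pseudo-header, TCP header without options
    (checksum treated as zero), segment data, then the shared key."""
    if len(tcp_hdr) != 20:
        raise ValueError("expected the 20-byte TCP header without options")
    header_len = (tcp_hdr[12] >> 4) * 4          # data offset counts the options too
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, header_len + len(data)))
    hdr_zero_csum = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:]
    return hashlib.md5(pseudo + hdr_zero_csum + data + key).digest()


def accept_segment(src, dst, tcp_hdr, data, received_digest, key) -> bool:
    """Receiver side: recompute the digest with the local key and compare."""
    expected = tcp_md5_digest(src, dst, tcp_hdr, data, key)
    return hmac.compare_digest(expected, received_digest)


def sample_header(flags: int = 0x18) -> bytes:
    """Constructed header: port 49152 to 179, data offset 10 words (20 + 20 option bytes)."""
    return struct.pack("!HHIIBBHHH", 49152, 179, 1000, 2000,
                       10 << 4, flags, 16384, 0xBEEF, 0)


if __name__ == "__main__":
    key = "Constructed-Key_01"
    print("password problems:", check_password(key))
    hdr, data = sample_header(), b"constructed BGP payload"
    sig = tcp_md5_digest("10.10.10.21", "10.10.10.22", hdr, data, key.encode())
    print("same key accepted:", accept_segment("10.10.10.21", "10.10.10.22", hdr, data, sig, key.encode()))
    print("wrong key accepted:", accept_segment("10.10.10.21", "10.10.10.22", hdr, data, sig, b"other"))
```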
Example The following command enables MD5 for the connection with eBGP neighbor 10.10.10.22:
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
group-name Name of the peer group.
Default None
Mode BGP
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
list-name Name of the prefix list.
in | out Specifies the update direction to filter:
Mode BGP
Usage Filtering by prefix list matches the prefixes of routes with those listed in the prefix list. If there
is a match, the route is used. An empty prefix list permits all prefixes. If a given prefix does not
match any entries of a prefix list, the route is denied access. When multiple entries of a prefix
list match a prefix, the entry with the smallest sequence number is considered to be a real
match.
The ACOS device begins the search at the top of the prefix list, with rule sequence number 1.
Once a match or deny occurs, the ACOS device does not need to go through the rest of the
prefix list. For efficiency the most common matches or denies are listed at the top.
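The evaluation order described above can be modelled in a few lines of Python. This is an added example, not ACOS code: the policy entries are constructed, and the `ge`/`le` mask-length bounds are an assumption that goes beyond the text above, following the common prefix-list convention (no bounds means the mask length must match exactly).

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    seq: int                    # rule sequence number
    action: str                 # "permit" or "deny"
    prefix: str                 # for example "10.0.0.0/8"
    ge: Optional[int] = None    # assumed option: minimum mask length
    le: Optional[int] = None    # assumed option: maximum mask length

    def matches(self, route) -> bool:
        net = ip_network(self.prefix)
        # The advertised prefix must fall inside the entry's prefix.
        if route.version != net.version or not route.subnet_of(net):
            return False
        if self.ge is None and self.le is None:
            return route.prefixlen == net.prefixlen   # exact match only
        low = net.prefixlen if self.ge is None else self.ge
        high = net.max_prefixlen if self.le is None else self.le
        return low <= route.prefixlen <= high


def evaluate(entries: List[Entry], route: str) -> Tuple[str, Optional[int]]:
    """Return (verdict, matching sequence number) for one advertised prefix."""
    if not entries:
        return ("permit", None)                # an empty prefix list permits all
    net = ip_network(route)
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(net):
            return (entry.action, entry.seq)   # smallest sequence number wins
    return ("deny", None)                      # no entry matched: route is denied


# Constructed inbound policy, deliberately listed out of order.
INBOUND = [
    Entry(30, "permit", "0.0.0.0/0", le=24),       # anything up to /24
    Entry(5, "deny", "0.0.0.0/0"),                 # the default route itself
    Entry(20, "deny", "0.0.0.0/0", ge=25),         # overly specific prefixes
    Entry(10, "deny", "10.0.0.0/8", le=32),        # private address space
    Entry(15, "deny", "192.168.0.0/16", le=32),    # private address space
]

if __name__ == "__main__":
    for r in ("0.0.0.0/0", "10.1.2.0/24", "203.0.113.0/24",
              "203.0.113.128/25", "10.0.0.0/8"):
        print(r, evaluate(INBOUND, r))
```

The 10.0.0.0/8 case matches both sequence 10 (deny) and sequence 30 (permit); the lower sequence number decides, which is why deny rules for unwanted space belong above a broad permit.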
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following
types of values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
AS_num Neighbor’s AS number.
NOTE: AS number 23456 is a reserved 2-octet AS number. An old BGP speaker (2-byte
implementation) should be configured with 23456 as its remote AS number while
peering with a non-mappable new BGP speaker (4-byte implementation).
Default None
Mode BGP
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
Default Disabled
Mode BGP
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
map-name Name of the route map.
in | out Specifies the traffic direction to which to apply the route map:
Default None
Mode BGP
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
both Sends both standard and extended community attributes.
none Disable community attributes from being sent.
extended Sends only extended community attributes.
standard Sends only standard community attributes.
Default By default, both standard and extended community attributes are sent to a neighbor.
Mode BGP
Usage The community attribute groups destinations in a certain community and applies routing
decisions according to those communities. Upon receiving community attributes, the ACOS
device re-announces them to the neighbor.
Usage To prevent community attributes from being re-announced to the neighbor, use the “no”
form of this command.
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
Default None
Mode BGP
Usage This command shuts down any active session for the specified neighbor and clears all
related routing data.
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
Default Disabled
Mode BGP
Usage Use this command to store updates for inbound soft reconfiguration. Soft-reconfiguration
can be used as an alternative to BGP route refresh capability. Using this command enables
local storage of all the received routes and their attributes. When a soft reset (inbound) is
performed on the neighbor, the locally stored routes are reprocessed according to the
inbound policy. The BGP neighbor connection is not affected.
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
Default Enabled
Mode BGP
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
interval Amount of time in seconds between transmission of keepalive
messages to the neighbor. You can specify 0-65535 seconds.
holdtime Maximum amount of time in seconds the ACOS device will wait
for a keepalive message from the neighbor before declaring the
neighbor dead. You can specify 0-65535 seconds.
Mode BGP
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
map-name Name of the route map used to select routes to be
unsuppressed.
Default Disabled
Mode BGP
Usage When the aggregate-address command is used with the summary-only option, the more-
specific routes of the aggregate are suppressed to all neighbors. Use the unsuppress-map
command to selectively leak more-specific routes to a particular neighbor.
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
source Source IP address or interface name.
Mode BGP
Parameter Description
neighbor-id ID of the neighbor, which can be one of the following types of
values:
• IPv4 address.
• IPv6 address.
• Name of a peer group.
num Weight value assigned to routes learned from the neighbor. You
can specify 0-65535.
Mode BGP
Usage Use this command to specify a weight value, per address-family, to all routes learned from a
neighbor. The route with the highest weight gets preference when the same prefix is learned
from more than one peer.
Unlike the local-preference attribute, the weight attribute is relevant only to the local
router.
The weights assigned using the set weight command override the weights assigned
using this command.
When the weight is set for a peer group, all members of the peer group will have the same
weight. The command can also be used to assign a different weight to a particular
peer-group member. When a separately configured weight of the peer-group member is
unconfigured, its weight will be reset to its peer group’s weight.
network
Description Specify the networks to be advertised by the ACOS device’s BGP routing process.
[community community-list]
[route-map map-name]
Parameter Description
ipaddr/mask-length | ipaddr IPv4 Network address and mask.
ipv6addr/mask-length
backdoor Specify a backdoor BGP route.
community community-list Match the specified BGP community list.
route-map map-name Route map used to set or modify a value.
Default None
Mode BGP
Usage A unicast network address without a mask is accepted if it falls into the natural boundary of
its class. A class-boundary mask is derived if the address matches its natural class-boundary.
redistribute
Description Redistribute route information from other sources into BGP.
[route-map map-name]]
}
Parameter Description
connected [route-map map-name] Redistributes route information for directly connected
networks into BGP. The route-map option specifies the name
of a configured route map.
floating-ip [route-map map-name] Redistributes route information for floating IP addresses
into BGP. The route-map option specifies the name of a
configured route map.
ip-nat [route-map map-name] Redistributes routes into BGP for reaching translated NAT
addresses allocated from a pool. The route-map option
specifies the name of a configured route map.
ip-nat-list [route-map map-name] Redistributes routes into BGP for reaching translated NAT
addresses allocated from a range list. The route-map
option specifies the name of a configured route map.
isis [route-map map-name] Redistributes route information from Intermediate System
to Intermediate System (IS-IS) into BGP. The route-map
option specifies the name of a configured route map.
lw406 [options] Redistributes routes into BGP for Lightweight 4over6. (This
is an IPv6 Migration feature.)
nat64 [route-map map-name] Redistributes routes into BGP for Nat64. The route-map
option specifies the name of a configured route map.
static [route-map map-name] Redistributes routes into BGP for reaching networks
through static routes. The route-map option specifies the
name of a configured route map.
vip [only-flagged [route-map map-name] | only-not-flagged [route-map map-name] | [route-map map-name]]
Redistributes routes into BGP for reaching virtual server IP addresses.
To control which VIPs are redistributed, use one of the following options:
Default None
Mode BGP
synchronization
Description Enable IGP synchronization of iBGP learned routes.
Default Disabled
Mode BGP
Usage Enable synchronization if the ACOS device should not advertise routes learned from iBGP
neighbors, unless those routes also are present in an IGP (for example, OSPF). Synchronization
may be enabled when all the routers in an AS do not speak BGP and the AS is a transit
for other ASs.
timers
Description Configure the BGP keepalive and holdtime timer values.
Parameter Description
interval Specifies the amount of time between transmission of keepalive
messages to neighbors. You can specify 0-65535 seconds.
holdtime Specifies the maximum amount of time the ACOS device will wait
for a keepalive message from a neighbor before declaring the
neighbor dead. You can specify 0-65535 seconds.
Mode BGP
BGP Show Commands
Parameter Description
ipv4addr | ipv4addr/mask-length IPv4 prefix and mask length.
longer-prefixes Include prefixes that have a longer mask than the one
specified.
Mode All
Example Ths
Parameter Description
ipv6addr | ipv6addr/mask-length IPv6 prefix and mask length.
longer-prefixes Include prefixes that have a longer mask than the one
specified.
Mode All
route-map map-name |
summary
]
Parameter Description
multicast | unicast Specifies the IPv4 address family for which to display information.
ipv4addr | ipv4addr/mask-length Network and mask information.
community [community-number] [options] Displays routes matching the communities. Enter the community
number in AA:NN format.
quote-regexp string Displays routes that match the specified AS-path regular expression.
Enclose the regular expression string in double quotation marks
(example: “regexp-string-1”).
regexp string [string ...] Displays routes that match the specified AS-path regular
expression(s).
route-map map-name Displays routes that match the specified route map.
summary Displays a summary of BGP neighbor status.
Mode All
Parameter Description
ipv4addr | ipv6addr Network and mask information.
advertised-routes Displays the routes advertised to a BGP neighbor.
received prefix-filter Displays all received routes, both accepted and rejected.
received-routes Displays the received routes from neighbor. To display
all the received routes from the neighbor, configure
BGP soft reconfiguration first.
routes Displays all accepted routes learned from neighbors.
Mode All
Mode All
Mode All
Mode All
view view-name
]
Parameter Description
ipv6addr | ipv6addr/mask-length Network and mask information.
community [community-number] [options] Displays routes for communities. Enter the community number in AA:NN format.
The following options are supported:
regexp string [string ...] Displays routes that match the specified AS-path regular expression(s).
route-map map-name Displays routes that match the specified route map.
summary Displays a summary of BGP neighbor status.
unicast {ipv6addr | ipv6addr/mask-length [longer-prefixes]} Displays IPv6 routes for the specified unicast address family.
The longer-prefixes option includes prefixes that have a longer mask than the one specified.
view view-name Displays neighbors within the specified view.
Mode All
Mode All
Mode All
Mode All
Mode All
Parameter Description
community-number Community number, in AA:NN format.
exact-match Displays only communities that exactly match.
local-AS Displays only communities that are not sent outside the
local AS.
no-advertise Displays only communities that are not advertised to
neighbors.
no-export Displays only communities that are not exported to the
next AS.
Mode All
Mode All
Parameter Description
list-name Displays routes matching the specified community list.
exact-match Displays only the routes that have exactly the same
communities.
Mode All
Parameter Description
dampened-paths Displays paths suppressed due to dampening.
flap-statistics Displays flap statistics for routes.
parameters Displays details for configured dampening parameters.
Mode All
Mode All
Mode All
]
]
Parameter Description
ipv4addr | ipv6addr Network and mask information.
advertised-routes Displays the routes advertised to a BGP neighbor.
received prefix-filter Displays all received routes, both accepted and rejected.
received-routes Displays the received routes from neighbor. To display all the received
routes from the neighbor, configure BGP soft reconfiguration first.
routes Displays all accepted routes learned from neighbors.
Mode All
Mode All
Mode All
Mode All
Mode All
Mode All
Mode All
Mode All
Mode All
Mode All
Parameter Description
view-name Name of the view.
ipv4addr | ipv4addr/mask-length Prefix and mask.
ipv4 {multicast | unicast} summary Displays information for the specified IPv4 address family.
neighbors [ipv4addr | ipv6addr] Displays information for the specified neighbor.
summary Displays summary neighbor information.
Mode All
BGP Clear Commands
Parameter Description
in [prefix-filter] Clears incoming advertised routes. The prefix-filter
option pushes out prefix-list outbound routing filters,
and performs inbound soft reconfiguration.
out Clears outgoing advertised routes.
soft {in | out} Activates routing policy changes without resetting the
BGP neighbor connection.
Parameter Description
in [prefix-filter] Clears incoming advertised routes. The prefix-filter
option pushes out prefix-list outbound routing filters,
and performs inbound soft reconfiguration.
out Clears outgoing advertised routes.
soft {in | out} Activates routing policy changes without resetting the
BGP neighbor connection.
Parameter Description
in [prefix-filter] Clears incoming advertised routes. The prefix-filter
option pushes out prefix-list outbound routing filters,
and performs inbound soft reconfiguration.
out Clears outgoing advertised routes.
soft {in | out} Activates routing policy changes without resetting the
BGP neighbor connection.
Parameter Description
in [prefix-filter] Clears incoming advertised routes. The prefix-filter
option pushes out prefix-list outbound routing filters,
and performs inbound soft reconfiguration.
out Clears outgoing advertised routes.
soft {in | out} Activates routing policy changes without resetting the
BGP neighbor connection.
Parameter Description
dampening Resets dampened routes.
flap-statistics Resets route-flap statistics and history.
ipv4addr | ipv4addr/mask-length Resets dampened routes or route-flap statistics and
history only for the specified IPv4 prefix.
Parameter                    Description
unicast                      Resets unicast routes.
external                     Clear all external peers.
To reset dampened routes for a specific network, specify either an IPv6 network (for example, “2003::”) or a network length (for example, “2003::/24”).
flap-statistics [network]    Resets all IPv6 route-flap statistics and history. To reset route-flap statistics and history for a specific network, specify either an IPv6 network (for example, “2003::”) or a network length (for example, “2003::/24”).
peer-group                   Clear all members of the specified peer group.
*                            Clear all peers.
as-num                       Clear all peers with the specified AS number.
ipv4-addr                    Clear the specified IPv4 BGP neighbor.
ipv6-addr                    Clear the specified IPv6 BGP neighbor.
in [prefix-filter]           Clears incoming advertised routes. The prefix-filter option pushes out prefix-list outbound routing filters, and performs inbound soft reconfiguration.
out                          Clears outgoing advertised routes.
soft {in | out}              Activates routing policy changes without resetting the BGP neighbor connection.
Parameter             Description
group-name            Clear BGP connections to all members of the specified group.
in [prefix-filter]    Clears incoming advertised routes. The prefix-filter option pushes out prefix-list outbound routing filters, and performs inbound soft reconfiguration.
out                   Clears outgoing advertised routes.
soft {in | out}       Activates routing policy changes without resetting the BGP neighbor connection.
Parameter          Description
view-name          Clear BGP connections to the specified view.
soft {in | out}    Activates routing policy changes without resetting the BGP neighbor connection.
For option information, see “clear [ip] bgp {* | AS-num}” on page 351.