COMMAND LINE INTERFACE REFERENCE

A10 Thunder Series and AX Series

ACOS 4.1.0-P2
17 June 2016
© 2016 A10 Networks, Inc. Confidential and Proprietary - All Rights Reserved
Information in this document is subject to change without notice.

Patent Protection
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the
virtual pat- ent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents
Act. A10 Net- works' products, including all Thunder Series products, are protected by one or more of U.S. patents and patents
pending listed at:

https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking.

Trademarks
The A10 logo, A10 Harmony, A10 Lightning, A10 Networks, A10 Thunder, aCloud, ACOS, Affinity, aFleX, aFlow, aGalaxy, aGAPI, aVCS,
AX, aXAPI, IDsentrie, IP-to-ID, SSL Insight, SSLi, Thunder, Thunder TPS, UASG, and vThunder are trademarks or registered trademarks of
A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners.

Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may
not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of
A10 Networks, Inc.

A10 Networks Inc. Software License and End User Agreement

Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to
treat Soft- ware as confidential information.

Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in
this document or available separately. Customer shall not:

1. reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means

2. sublicense, rent or lease the Software.

Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services, including
but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the
information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-
is." The product specifications and features described in this publication are based on the latest information available; however,
specifications are sub- ject to change without notice, and certain features may not be available upon initial product release.
Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and services are subject
to A10 Networks’ standard terms and conditions.

Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types, please
con- tact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of
electronic com- ponents in your area.

Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks loca-
tion, which can be found by visiting www.a10networks.com.
Table of Contents

Using the CLI........................................................................................................1

Accessing the System......................................................................................................... 1
Session Access Levels......................................................................................................... 1
User EXEC Level................................................................................................................................2
Privileged EXEC Level..........................................................................................................2
Privileged EXEC Level - Config Mode..................................................................................3
Configuring VRRP-A / aVCS Status in the Command Prompt.............................................3
Enabling Additional Information in the CLI Prompt.........................................................4
Restoring the Default Prompt Display...................................................................................4
L3V Partition Name in Command Prompt..........................................................................5
CLI Quick Reference........................................................................................................... 5
Viewing the CLI Quick Reference Using the help Command................................................5
Viewing Context-Sensitive Help in the CLI............................................................................7
Context Sensitive Help Examples...................................................................................7
Using the no Command..................................................................................................8
Configuring and Viewing Command History.........................................................................8
Setting the Command History Buffer Size.......................................................................8
Recalling Commands......................................................................................................9
Editing Features and Shortcuts.............................................................................................9
Positioning the Cursor on the Command Line..........................................................9
Completing a Partial Command Name...................................................................10
Deleting Command Entries...........................................................................................11
Editing Command Lines that Wrap...............................................................................11
Continuing Output at the --MORE-- Prompt.............................................................11
Redisplaying the Current Command Line.....................................................................11
Editing Pre-Configured SLB Items................................................................................12
Searching and Filtering CLI Output.....................................................................................13
Common Output Filters...........................................................................................13
Advanced Output Filters................................................................................................13
Examples of Filtering Output..................................................................................14
Working with Regular Expressions.....................................................................................15
Single-Character Patterns.............................................................................................15
Special Character Support in Strings..................................................................................15

Special Character Support in Passwords and Strings..................................................15

How To Enter Special Characters in the Password String..................................................16
aVCS Device Numbers in Commands...............................................................................17
page 1 | Document No.: 410-P2-CLI-001 - 6/17/2016
 Device ID Syntax...................................................................................................................... 17
aVCS Device Option for Configuration Commands............................................................18
aVCS Device Option for Show Commands.........................................................................18
CLI Message for Commands That Affect Only the Local Device........................................18
Enabling Baselining and Rate Calculation........................................................................20
Enable the Counters...........................................................................................................20
View the Contents of the Counters.....................................................................................21
View Counter Baseline Information...............................................................................21
View Counter Rate Information.....................................................................................21
Tagging Objects................................................................................................................ 22

EXEC Commands...............................................................................................25
active-partition..................................................................................................................... 25
enable.................................................................................................................................. 26
exit....................................................................................................................................... 26
gen-server-persist-cookie.................................................................................................... 27
health-test............................................................................................................................ 28
help...................................................................................................................................... 28
no................................................................................................................................. 29
ping.............................................................................................................................. 29
show.................................................................................................................................... 30
ssh............................................................................................................................................31
telnet............................................................................................................................ 31
traceroute............................................................................................................................ 32

Privileged EXEC Commands...............................................................................35

active-partition..................................................................................................................... 36
axdebug............................................................................................................................... 36
backup log........................................................................................................................... 36
backup system.................................................................................................................... 38
clear..........................................................................................................................................40
clock.................................................................................................................................... 40
configure.............................................................................................................................. 41
debug........................................................................................................................... 41
diff................................................................................................................................ 41
disable................................................................................................................................. 42
exit....................................................................................................................................... 42
export.................................................................................................................................. 43
gen-server-persist-cookie.................................................................................................... 45
health-test............................................................................................................................ 45
help...................................................................................................................................... 45

import........................................................................................................................... 46
locale................................................................................................................................... 49
no................................................................................................................................. 49
ping.............................................................................................................................. 49
reboot........................................................................................................................... 49
reload.................................................................................................................................. 52
repeat.................................................................................................................................. 53
show.................................................................................................................................... 53
shutdown...................................................................................................................... 53
ssh............................................................................................................................................54
Document No.: 410-P2-CLI-001 - 6/17/2016 | page 2
 telnet............................................................................................................................ 54
terminal................................................................................................................................ 54
traceroute............................................................................................................................ 56
vcs.............................................................................................................................................56
write force............................................................................................................................ 56
write memory................................................................................................................ 57
write terminal................................................................................................................ 59

Config Commands: Global.................................................................................61

aam...........................................................................................................................................67
access-list (standard)................................................................................................................68
access-list (extended)...............................................................................................................70
accounting........................................................................................................................... 74
admin................................................................................................................................... 76
admin-lockout...................................................................................................................... 79
admin-session clear..................................................................................................................80
aflex..........................................................................................................................................80
aflex-scripts start................................................................................................................. 81
application-type................................................................................................................... 81
arp....................................................................................................................................... 82
arp-timeout.......................................................................................................................... 82
audit..................................................................................................................................... 83
authentication console type................................................................................................. 84
authentication enable.......................................................................................................... 84
authentication login privilege-mode.............................................................................. 85
authentication mode..................................................................................................... 85
authentication multiple-auth-reject............................................................................... 86
authentication type....................................................................................................... 86
authorization........................................................................................................................ 87
backup-periodic................................................................................................................... 88
backup store........................................................................................................................ 90
banner................................................................................................................................. 91
bfd echo............................................................................................................................... 92
bfd enable............................................................................................................................ 92
bfd interval........................................................................................................................... 92
bgp............................................................................................................................... 93
big-buff-pool................................................................................................................. 93

block-abort........................................................................................................................... 93
block-merge-end................................................................................................................. 93
block-merge-start................................................................................................................ 94
block-replace-end................................................................................................................ 94
block-replace-start............................................................................................................... 95
boot-block-fix....................................................................................................................... 95
bootimage............................................................................................................................ 96
bpdu-fwd-group............................................................................................................ 96
bridge-vlan-group................................................................................................................ 97
cgnv6................................................................................................................................... 98
class-list (for Aho-Corasick)......................................................................................................98
class-list (for IP limiting)...................................................................................................... 99
class-list (for VIP-based DNS caching)...................................................................................101
class-list (for many pools, non-LSN).......................................................................................103
class-list (string)......................................................................................................................104
class-list (string-case-insensitive)............................................................................................104
page 3 | Document No.: 410-P2-CLI-001 - 6/17/2016
configure sync................................................................................................................... 105
copy................................................................................................................................... 105
debug......................................................................................................................... 107
delete................................................................................................................................. 107
disable reset statistics.............................................................................................................108
disable slb......................................................................................................................... 108
disable-failsafe........................................................................................................................109
disable-management......................................................................................................... 109
dnssec.....................................................................................................................................111
do...................................................................................................................................... 111
enable-core....................................................................................................................... 111
enable-management......................................................................................................... 112
enable-password............................................................................................................... 114
end.................................................................................................................................... 114
environment temperature threshold........................................................................... 115
environment update-interval..............................................................................................116
erase.......................................................................................................................................117
event.................................................................................................................................. 118
exit..................................................................................................................................... 119
export-periodic................................................................................................................... 119
fail-safe...................................................................................................................................121
fw............................................................................................................................... 123
glid............................................................................................................................. 123
glm............................................................................................................................. 126
gslb.................................................................................................................................... 126
hd-monitor enable...................................................................................................... 126
health global...................................................................................................................... 126
health monitor............................................................................................................ 128
health-test.......................................................................................................................... 129
hostname........................................................................................................................... 129
hsm template..................................................................................................................... 130

icmp-rate-limit.................................................................................................................... 130
icmpv6-rate-limit................................................................................................................ 131
import......................................................................................................................... 132
import-periodic................................................................................................................... 133
interface............................................................................................................................. 135
ip................................................................................................................................ 136
ip-list.................................................................................................................................. 136
ipv6.................................................................................................................................... 136
key..........................................................................................................................................136
l3-vlan-fwd-disable............................................................................................................ 137
lacp system-priority........................................................................................................... 138
lacp-passthrough............................................................................................................... 138
ldap-server..............................................................................................................................138
link..................................................................................................................................... 140
lldp enable......................................................................................................................... 141
lldp management-address................................................................................................. 141
lldp notification interval............................................................................................... 142
lldp system-description...................................................................................................... 142
lldp system-name.............................................................................................................. 142
lldp tx fast-count......................................................................................................... 143
lldp tx fast-interval............................................................................................................. 143
lldp tx interval.................................................................................................................... 143
lldp tx hold.................................................................................................................. 144
Document No.: 410-P2-CLI-001 - 6/17/2016 | page 4
 lldp tx reinit-delay....................................................................................................... 144
locale................................................................................................................................. 144
logging auditlog host.................................................................................................. 145
logging buffered......................................................................................................... 146
logging console................................................................................................................. 147
logging disable-partition-name.......................................................................................... 147
logging email buffer........................................................................................................... 147
logging email filter............................................................................................................. 148
logging email-address....................................................................................................... 151
logging export............................................................................................................ 151
logging facility.................................................................................................................... 152
logging host................................................................................................................ 152
logging monitor........................................................................................................... 153
logging single-priority........................................................................................................ 154
logging syslog.................................................................................................................... 154
logging trap................................................................................................................ 155
mac-address...........................................................................................................................155
mac-age-time.................................................................................................................... 156
maximum-paths................................................................................................................. 156
merge-mode-add............................................................................................................... 157
mirror-port.......................................................................................................................... 157
monitor....................................................................................................................... 158
multi-config................................................................................................................. 159
multi-ctrl-cpu............................................................................................................... 160

netflow common max-packet-queue-time..................................................................162

netflow monitor........................................................................................................... 162
no...................................................................................................................................... 164
ntp.............................................................................................................................. 164
object-group network.................................................................................................. 166
object-group service................................................................................................... 167
overlay-mgmt-info.............................................................................................................. 170
overlay-tunnel.................................................................................................................... 170
packet-handling................................................................................................................. 170
partition...................................................................................................................... 170
partition-group............................................................................................................ 170
ping............................................................................................................................ 170
pki copy-cert...................................................................................................................... 171
pki copy-key...................................................................................................................... 171
pki create........................................................................................................................... 172
pki delete........................................................................................................................... 173
pki renew-self.................................................................................................................... 173
pki scep-cert...................................................................................................................... 174
poap.................................................................................................................................. 174
radius-server...........................................................................................................................175
raid.................................................................................................................................... 176
rba enable......................................................................................................................... 176
rba disable......................................................................................................................... 177
rba group........................................................................................................................... 177
rba role.............................................................................................................................. 177
rba user...................................................................................................................................178
restore............................................................................................................................... 179
route-map.......................................................................................................................... 180
router................................................................................................................................. 184
router log file.............................................................................................................. 184
page 5 | Document No.: 410-P2-CLI-001 - 6/17/2016
 router log log-buffer.................................................................................................... 185
rule-set.............................................................................................................................. 185
run-hw-diag....................................................................................................................... 186
running-config display....................................................................................................... 187
scaleout............................................................................................................................. 187
session-filter............................................................................................................................188
sflow.................................................................................................................................. 189
slb...................................................................................................................................... 191
smtp................................................................................................................................... 191
snmp.................................................................................................................................. 192
so-counters........................................................................................................................ 192
sshd........................................................................................................................................193
syn-cookie......................................................................................................................... 194
system all-vlan-limit........................................................................................................... 195
system anomaly log........................................................................................................... 196
system attack log............................................................................................................... 196
system cpu-load-sharing................................................................................................... 196

system ddos-attack........................................................................................................... 198

system glid........................................................................................................................ 198
system ipsec...........................................................................................................................198
system log-cpu-interval..................................................................................................... 199
system module-ctrl-cpu..................................................................................................... 199
system per-vlan-limit......................................................................................................... 199
system promiscuous-mode............................................................................................... 200
system resource-usage...........................................................................................................200
system template................................................................................................................ 201
system ve-mac-scheme.................................................................................................... 202
system-jumbo-global enable-jumbo.................................................................................. 203
system-reset...........................................................................................................................204
tacacs-server host...................................................................................................................205
tacacs-server monitor..............................................................................................................206
techreport.......................................................................................................................... 206
terminal.............................................................................................................................. 207
tftp blksize.................................................................................................................. 208
timezone............................................................................................................................ 210
tx-congestion-ctrl............................................................................................................... 210
upgrade............................................................................................................................. 210
vcs...........................................................................................................................................212
ve-stats...................................................................................................................................212
vlan.................................................................................................................................... 212
vlan-global enable-def-vlan-l2-forwarding.........................................................................213
vlan-global l3-vlan-fwd-disable.......................................................................................... 214
vrrp-a................................................................................................................................. 214
waf..................................................................................................................................... 214
web-category..................................................................................................................... 214
web-service....................................................................................................................... 215
write........................................................................................................................... 216

Config Commands: DNSSEC.............................................................................217

DNSSEC Configuration Commands.................................................................................217
dnssec standalone............................................................................................................ 218
dnssec template................................................................................................................ 218

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 6

 DNSSEC Operational Commands....................................................................................219
dnssec dnskey delete........................................................................................................ 219
dnssec ds delete.....................................................................................................................220
dnssec key-rollover........................................................................................................... 220
dnssec sign-zone-now.......................................................................................................221
DNSSEC Show Commands.............................................................................................. 221
show dnssec dnskey......................................................................................................... 221
show dnssec ds.......................................................................................................................222
show dnssec statistics....................................................................................................... 222
show dnssec status........................................................................................................... 222

show dnssec template....................................................................................................... 222

Config Commands: SNMP...............................................................................225

snmp-server SNMPv1-v2c......................................................................................................226
snmp-server SNMPv3.............................................................................................................227
snmp-server community.................................................................................................... 228
snmp-server contact.......................................................................................................... 228
snmp-server enable........................................................................................................... 228
snmp-server engineID....................................................................................................... 233
snmp-server group............................................................................................................ 233
snmp-server host............................................................................................................... 234
snmp-server location......................................................................................................... 235
snmp-server slb-data-cache-timeout.................................................................................235
snmp-server user....................................................................................................................235
snmp-server view.............................................................................................................. 235

Show Commands.............................................................................................237
show aam.......................................................................................................................... 242
show access-list......................................................................................................................242
show active-partition.......................................................................................................... 242
show admin....................................................................................................................... 243
show aflex......................................................................................................................... 246
show arp............................................................................................................................ 247
show audit......................................................................................................................... 248
show axdebug capture...................................................................................................... 249
show axdebug config......................................................................................................... 249
show axdebug config-file...................................................................................................249
show axdebug file.............................................................................................................. 250
show axdebug filter........................................................................................................... 251
show axdebug status......................................................................................................... 251
show backup..................................................................................................................... 251
show bfd..................................................................................................................... 252
show bgp.................................................................................................................... 257
show bootimage......................................................................................................... 257
show bpdu-fwd-group................................................................................................. 258
show bridge-vlan-group..................................................................................................... 258
show bw-list............................................................................................................... 258
show class-list.........................................................................................................................260
show clns........................................................................................................................... 261
show clock......................................................................................................................... 262
show config................................................................................................................ 263
show config-block.............................................................................................................. 263
page 7 | Document No.: 410-P2-CLI-001 - 6/17/2016
show context.............................................................................................................. 263
show core.......................................................................................................................... 264
show cpu........................................................................................................................... 265
show debug................................................................................................................ 267
show disk........................................................................................................................... 267

show dns cache................................................................................................................. 269

show dns statistics............................................................................................................. 271
show dnssec...................................................................................................................... 271
show dumpthread....................................................................................................... 272
show environment............................................................................................................. 272
show errors........................................................................................................................ 273
show event-action............................................................................................................. 273
show fail-safe..........................................................................................................................274
show glid.................................................................................................................... 276
show gslb........................................................................................................................... 277
show hardware.................................................................................................................. 277
show health....................................................................................................................... 278
show history....................................................................................................................... 282
show hsm.......................................................................................................................... 282
show icmp......................................................................................................................... 282
show icmpv6...................................................................................................................... 283
show interfaces.................................................................................................................. 283
show interfaces brief.......................................................................................................... 285
show interfaces media....................................................................................................... 286
show interfaces statistics...................................................................................................287
show interfaces transceiver............................................................................................... 287
show ip....................................................................................................................... 289
show ip anomaly-drop statistics........................................................................................ 289
show ip bgp................................................................................................................ 290
show ip dns........................................................................................................................ 290
show ip fib | show ipv6 fib........................................................................................... 291
show ip fragmentation | show ipv6 fragmentation | show ipv4-in-ipv6 fragmentation | show
ipv6- in-ipv4 fragmentation......................................................................................... 291
show ip helper-address..................................................................................................... 295
show ip interfaces | show ipv6 interfaces..........................................................................298
show ip isis | show ipv6 isis....................................................................................................299
show ip nat alg pptp.................................................................................................... 299
show ip nat interfaces | show ipv6 nat interfaces..............................................................300
show ip nat pool | show ipv6 nat pool......................................................................... 301
show ip nat pool-group | show ipv6 nat pool-group....................................................302
show ip nat range-list........................................................................................................ 302
show ip nat static-binding........................................................................................... 303
show ip nat statistics......................................................................................................... 304
show ip nat template logging...................................................................................... 304
show ip nat timeouts................................................................................................... 304
show ip nat translations..................................................................................................... 305
show ip-list......................................................................................................................... 306
show ipv6 ndisc................................................................................................................. 307
show ipv6 neighbor..................................................................................................... 308
show ip ospf | show ipv6 ospf..................................................................................... 308
show ip prefix-list | show ipv6 prefix-list............................................................................ 308
show ip protocols | show ipv6 protocols..................................................................... 309

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 8

 show ip rip | show ipv6 rip.......................................................................................... 309
show ip route | show ipv6 route.................................................................................. 309
show ip stats | show ipv6 stats.......................................................................................... 310
show ipv6 traffic................................................................................................................. 310
show isis.................................................................................................................................310
show json-config................................................................................................................ 311
show json-config-detail...................................................................................................... 311
show json-config-with-default............................................................................................ 312
show key-chain.................................................................................................................. 313
show lacp.......................................................................................................................... 314
show lacp-passthrough..................................................................................................... 315
show license...................................................................................................................... 315
show license-debug...........................................................................................................316
show license-info............................................................................................................... 316
show lldp neighbor statistics...................................................................................... 317
show lldp statistics............................................................................................................. 317
show local-uri-file............................................................................................................... 317
show locale........................................................................................................................ 318
show log..................................................................................................................... 318
show mac-address-table................................................................................................... 319
show management............................................................................................................ 320
show memory.................................................................................................................... 321
show mirror........................................................................................................................ 323
show monitor.............................................................................................................. 323
show netflow.............................................................................................................. 324
show ntp..................................................................................................................... 325
show object-group...................................................................................................... 326
show overlay-mgmt-info.................................................................................................... 326
show overlay-tunnel.......................................................................................................... 326
show partition............................................................................................................. 326
show partition-config.................................................................................................. 326
show partition-group................................................................................................... 326
show pbslb........................................................................................................................ 327
show pki............................................................................................................................ 329
show poap......................................................................................................................... 331
show process system........................................................................................................ 331
show radius-server............................................................................................................ 332
show reboot............................................................................................................... 332
show route-map................................................................................................................. 333
show router log file..................................................................................................... 333
show running-config................................................................................................... 334
show scaleout.................................................................................................................... 334
show session..........................................................................................................................334
show sflow......................................................................................................................... 343
show shutdown.......................................................................................................... 343
show slb............................................................................................................................ 343
show smtp.................................................................................................................. 343

show snmp........................................................................................................................ 343

show snmp-stats all........................................................................................................... 346
show startup-config........................................................................................................... 347
show statistics................................................................................................................... 349
show store......................................................................................................................... 350
show switch....................................................................................................................... 350
show system cpu-list......................................................................................................... 351
page 9 | Document No.: 410-P2-CLI-001 - 6/17/2016
 show system cpu-load-sharing..........................................................................................351
show system platform........................................................................................................351
show system port-list......................................................................................................... 352
show system resource-usage........................................................................................... 353
show tacacs-server.................................................................................................................354
show techsupport.............................................................................................................. 355
show terminal.................................................................................................................... 356
show tftp..................................................................................................................... 356
show trunk......................................................................................................................... 357
show vcs............................................................................................................................ 358
show version..................................................................................................................... 358
show vlan counters............................................................................................................ 359
show vlans......................................................................................................................... 359
show vpn........................................................................................................................... 360
show vrrp-a........................................................................................................................ 361
show waf........................................................................................................................... 361
show web-category........................................................................................................... 362

AX Debug Commands......................................................................................365
apply-config....................................................................................................................... 366
capture.............................................................................................................................. 367
count.......................................................................................................................... 369
delete................................................................................................................................. 370
filter.................................................................................................................................... 370
incoming | outgoing.................................................................................................... 371
length......................................................................................................................... 372
maxfile............................................................................................................................... 372
outgoing..................................................................................................................... 373
save-config........................................................................................................................ 373
timeout....................................................................................................................... 373

Up and Down Causes for the show health stat Command.............................375

Up Causes...................................................................................................................... 375
Down Causes.................................................................................................................. 376

Document No.: 410-P2-CLI-001 - 6/17/2016 | page

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 12
Using the CLI

This chapter describes how to use the Command Line Interface (CLI) to configure ACOS devices. The commands and their
options are described in the other chapters.

The following topics are covered:

• Accessing the System

• Session Access Levels
• Configuring VRRP-A / aVCS Status in the Command Prompt
• L3V Partition Name in Command Prompt
• CLI Quick Reference
• aVCS Device Numbers in Commands
• Enabling Baselining and Rate Calculation
• Tagging Objects

Accessing the System

You can access the CLI through a console connection, an SSH session, or a Telnet session. Regardless of which connection
method is used, access to the A10 Advanced Core Operating System (ACOS) CLI generally is referred to as an EXEC session or
simply a CLI session.

NOTE: By default, Telnet access is disabled on all interfaces, including the management inter-
face. SSH, HTTP, HTTPS, and SNMP access are enabled by default on the management
interface only, and disabled by default on all data interfaces.

Session Access Levels

As a security feature, the ACOS operating system separates EXEC sessions into two different access levels – “User
EXEC” level and “Privileged EXEC” level. User EXEC level allows you to access only a limited set of basic monitoring
commands. The privi- leged EXEC level allows you to access all ACOS commands (configuration mode, configuration sub-
modes and management mode) and can be password protected to allow only authorized users the ability to configure or
maintain the system.

This section contains the following topics:

• User EXEC Level

page 1 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface
Session Access Levels

• Privileged EXEC Level

• Privileged EXEC Level - Config Mode

User EXEC Level

The User EXEC level can be identified by the following CLI prompt:

ACOS>

This is the first level entered when a CLI session begins. At this level, users can view basic system information but cannot
con- figure system or port parameters.

• A10 Thunder Series models contain “ACOS” plus the model number in the prompt. For example, when an EXEC ses-
sion is started, the A10 Thunder Series 6430 will display the following prompt:
ACOS6430>

• AX Series models contain “AX” plus the model number in the prompt. For example, when an EXEC session is
started, the AX Series 5630 will display the following prompt:
AX5630>

The right arrow (>) in the prompt indicates that the system is at the “User EXEC” level. The User EXEC level does not
contain any commands that might control (for example, reload or configure) the operation of the ACOS device. To list the
commands available at the User EXEC level, type a question mark (?) then press Enter at the prompt; for example,
ACOS>?.

NOTE: For simplicity, this document uses “ACOS” in CLI prompts, unless referring to a specific
model. Likewise, A10 Thunder Series or AX Series devices are referred to as “ACOS
devices”, since they both run ACOS software.

Privileged EXEC Level

The Privileged EXEC level can be identified by the following CLI prompt:

ACOS#

This level is also called the “enable” level because the enable command is used to gain access. Privileged EXEC level
can be password secured. The “privileged” user can perform tasks such as manage files in the flash module, save the
system con- figuration to flash, and clear caches at this level.

Critical commands (configuration and management) require that the user be at the “Privileged EXEC” level. To change to the
Privileged EXEC level, type enable then press Enter at the ACOS> prompt. If an “enable” password is configured, the
ACOS device will then prompt for that password. When the correct password is entered, the ACOS device prompt will change
from ACOS> to ACOS# to indicate that the user is now at the “Privileged EXEC” level. To switch back to the “User EXEC”
level, type disable at the ACOS# prompt. Typing a question mark (?) at the Privileged EXEC level will now reveal
many more com- mand options than those available at the User EXEC level.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 2

 A10 Thunder Series and AX Series—Command Line Interface
Configuring VRRP-A / aVCS Status in the Command Prompt

Privileged EXEC Level - Config Mode

The Privileged EXEC level’s configuration mode can be identified by the following CLI prompt:

ACOS(config)#

The Privileged EXEC level’s configuration mode is used to configure the system IP address and to configure switching and
routing features. To access the configuration mode, you must first be logged into the Privileged EXEC level.

From the opening CLI prompt, enter the following command to change to the Privileged level of the EXEC mode:
ACOS> enable

To access the configuration level of the CLI, enter the config command:
ACOS# config

The prompt changes to include “(config)”:

ACOS(config)#

Commands at the Privileged EXEC level are available from configuration mode by prepending the command with do. For
example, the clock command is available in Privileged EXEC mode, while timezone is available in configuration mode. To
avoid having to switch configuration levels, like the following example:

ACOS(config)# timezone America/Los_Angeles

ACOS(config)# exit
ACOS# clock set 10:30:00 October 1 2015

You can use the do command to execute the clock command from configuration mode:

ACOS(config)# timezone America/Los_Angeles

ACOS(config)# do clock set 10:30:00 October 1 2015

Configuring VRRP-A / aVCS Status in the

Command Prompt
You can configure the following information to be included in the CLI prompt:

• VRRP-A status of the ACOS device: Active, Standby, or ForcedStandby (the VRRP-A status only appears on
devices that are configured in Active-Standby mode)
• Hostname of the ACOS device
• aVCS status (vMaster or vBlade), virtual chassis ID, and device ID

Below is an example of a CLI prompt that shows all these information items:

ACOS-Active-vMaster[1/1]>

page 3 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface
Configuring VRRP-A / aVCS Status in the Command
Prompt

Table 1 identifies and describes the major components of this prompt:

TABLE 1 CLI Prompt Description

Prompt Component Description
ACOS This is the host name of the ACOS device.
Active This indicates that the ACOS device is a member of a VRRP-A set, and is currently the
active device for at least one virtual port.
vMaster[1/1] This indicates that the ACOS device is currently acting as the vMaster for virtual chassis 1,
and is device ID 1 within that virtual chassis.

By default, all these information items are included in the CLI prompt. You can customize the CLI prompt by explicitly
enabling the individual information items to be displayed.

Enabling Additional Information in the CLI Prompt

To explicitly enable display of information items in the CLI prompt, use the following command at the global
configuration level of the CLI:

terminal prompt info-item-list

The info-item-list can contain on or more of the following values:

• vcs-status [chassis-device-id] – Enables display of the aVCS status of the

device. The chassis-device-id option enables display of the virtual chassis ID and
device ID.
• hostname – Enables display of the ACOS hostname.

• chassis-device-id – Display aVCS device id in the prompt. For example, this can be 7/1, where the number 7
indicates the chassis ID and 1 indicates the device ID within the aVCS set.

NOTE: The aVCS Chassis ID and the aVCS Device ID are configurable as part of the prompt if
aVCS is running. The prompt that you specify will be synchronized and reflected on all
the other devices in the aVCS set.

Restoring the Default Prompt Display

To re-enable display of all the information items, use the no terminal prompt global configuration command.
The following command disables display of the aVCS status and hostname in the CLI prompt:

ACOS2-Active-vMaster[1/1](config)# terminal prompt ha-status

Active(config)#

The following command re-enables display of all the information items:

Active(config)# no terminal prompt

ACOS2-Active-vMaster[1/1](config)#

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 4

 A10 Thunder Series and AX Series—Command Line Interface
L3V Partition Name in Command Prompt

L3V Partition Name in Command Prompt

Application Delivery Partitioning (ADP) allows resources on the ACOS device to be allocated to independent application
delivery partitions (L3V partitions). Depending on the access privileges allowed to an admin, the active partition for a CLI ses-
sion is either the shared partition or an L3V partition.

If the CLI session is on an L3V partition, the partition name is included in the CLI prompt. For example, for L3V
partition “corpa”, the prompt for the global configuration level of the CLI looks like the following:

ACOS[corpa](config)#

In this example, the partition name is shown in blue type. This example assumes that the hostname of the device is

“ACOS”. If the CLI session is in the shared partition, the prompt is as shown without a partition name. For example:

ACOS(config)#

CLI Quick Reference

This section contains the following:

• Viewing the CLI Quick Reference Using the help Command

• Viewing Context-Sensitive Help in the CLI
• Using the no Command
• Configuring and Viewing Command History
• Editing Features and Shortcuts
• Searching and Filtering CLI Output
• Working with Regular Expressions
• Special Character Support in Strings

Viewing the CLI Quick Reference Using the help Command

Entering the help command (available at any command level) returns the CLI Quick Reference, as follows:
ACOS> help
CLI Quick Reference
===============

1. Online Help

page 5 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface
Reference

Enter “?” at a command prompt to list the commands available at that CLI level.
Enter "?" at any point within a command to list the available options.

Two types of help are provided:

1) When you are ready to enter a command option, type "?" to display
each possible option and its description. For example: show ?
2) If you enter part of an option followed by "?", each command or option
that matches the input is listed. For example: show us?

2. Word Completion

The CLI supports command completion, so you do not need to enter the entire
name of a command or option. As long as you enter enough characters of the
command or option name to avoid ambiguity with other commands or options,
the CLI can complete the command or option.
After entering enough characters to avoid ambiguity, press "tab"
to auto-complete the command or option.

ACOS>

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 6

A10 Thunder Series and AX Series—Command Line Interface
Reference

Viewing Context-Sensitive Help in the CLI

Enter a question mark (?) at the system prompt to display a list of available commands for each command mode. The con-
text-sensitive help feature provides a list of the arguments and keywords available for any command.
To view help specific to a command name, a command mode, a keyword, or an argument, enter any of the commands sum-
marized in Table 2:

TABLE 2 CLI Help Commands

Prompt Command Purpose
ACOS> Help Displays the CLI Quick Reference
abbreviated-command-help? Lists all commands beginning with abbreviation before
or the (?). If the abbreviation is not found, ACOS returns:

% Unrecognized command.Invalid input

ACOS# detected at '^' marker.
abbreviated-command-complete<Tab> Completes a partial command name if unambiguous.
or ? Lists all valid commands available at the current level
command ? Lists the available syntax options (arguments and key-
(config)# words) for the entered command.
command keyword ? Lists the next available syntax option for the command.

A space (or lack of a space) before the question mark (?) is significant when using context-sensitive help. To determine which
commands begin with a specific character sequence, type in those characters followed directly by the question mark; e.g.
ACOS#te?. Do not include a space. This help form is called “word help”, because it completes the word for you.
To list arguments or keywords, enter a question mark (?) in place of the argument or the keyword. Include a space before the
(?); e.g. ACOS# terminal ?. This form of help is called “command syntax help”, because it shows you which keywords
or arguments are available based on the command, keywords, and arguments that you already entered.
Users can abbreviate commands and keywords to the minimum number of characters that constitute a unique
abbreviation. For example, you can abbreviate the config terminal command to conf t. If the abbreviated form
of the command is unique, then ACOS accepts the abbreviated form and executes the command.

Context Sensitive Help Examples

The following example illustrates how the context-sensitive help feature enables you to create an access list from configura-
tion mode.

Enter the letters co at the system prompt followed by a question mark (?). Do not leave a space between the last letter
and the question mark. The system provides the commands that begin with co.
ACOS# co?
configure Entering config mode
ACOS# co

Enter the configure command followed by a space and a question mark to list the keywords for the command and a brief
explanation:
ACOS# configure ?
terminal Config from the terminal

page 7 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface
Reference

<cr>
ACOS# configure

The <cr> symbol (“cr” stands for carriage return) appears in the list to indicate that one of your options is to press
the Return or Enter key to execute the command, without adding any additional keywords.

In this example, the output indicates that your only option for the configure command is configure terminal
(config- ure manually from the terminal connection).

Using the no Command

Most configuration commands have a no form. Typically, you use the no form to disable a feature or function. The
command without the no keyword is used to re-enable a disabled feature or to enable a feature that is disabled by
default; for example, if the terminal auto-size has been enabled previously. To disable terminal auto-size, use the no
terminal auto-size form of the terminal auto-size command. To re-enable it, use the terminal
auto-size form. This document describes the function of the no form of the command whenever a no form is
available.

Configuring and Viewing Command History

The CLI provides a history or record of commands that you have entered. This feature is particularly useful for recalling
long or complex commands or entries, including access lists. To use the command history feature, perform any of the
tasks described in the following sections:

• Setting the command history buffer size

• Recalling commands
• Disabling the command history feature

Setting the Command History Buffer Size

ACOS records 256 command lines in its history buffer, by default. To change the number of command lines that the system
will record during the current terminal session, use the terminal history command.

From Privileged-EXEC mode, use the terminal history command to set the buffer size for the current session. For
exam- ple, to set the buffer to 500, then verify the change with the show terminal command:

ACOS# terminal history size 500

ACOS# show terminal | sec history
History is enabled, history size is 500
ACOS#

Use the no terminal history size command to reset the buffer size for this session to the default value. For
example:

ACOS# no terminal history size

ACOS# show terminal | sec history
History is enabled, history size is 256
ACOS#

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 8

A10 Thunder Series and AX Series—Command Line Interface
Reference

If you use the terminal history command from Global configuration mode, you are making a more permanent
change on the system; the buffer size will be the same for all configuration sessions, not just the current session.

Recalling Commands
To recall commands from the history buffer, use one of the commands or key combinations described in Table 3:

TABLE 3 Recalling CLI Commands

Command or Key Combination Description
Ctrl+P or Up Arrow key. * Recalls commands in the history buffer, beginning with the most recent command.
Repeat the key sequence to recall successively older commands.
Ctrl+N or Down Arrow key. *. Returns to more recent commands in the history buffer after recalling commands
with Ctrl+P or the Up arrow key. Repeat the key sequence to recall successively more
recent commands.
ACOS> show history While in EXEC mode, lists the most recent commands entered.
*. The arrow keys function only on ANSI-compatible terminals.

Editing Features and Shortcuts

A variety of shortcuts and editing features are enabled for the CLI. The following subsections describe these features:
• Positioning the cursor on the command line
• Completing a partial command name
• Recalling deleted entries
• Editing command lines that wrap
• Deleting entries
• Continuing output at the --MORE-- prompt
• Re-displaying the current command line
• Editing Pre-configured SLB Items

Positioning the Cursor on the Command Line

The table below lists key combinations used to position the cursor on the command line for making corrections or changes.
The Control key (ctrl) must be pressed simultaneously with the associated letter key. The Escape key (esc) must be
pressed first, followed by its associated letter key. The letters are not case sensitive. Many letters used for CLI navigation
and editing

page 9 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface
Reference

were chosen to simplify remembering their functions. In Table 4, characters bolded in the Function Summary column
indi- cate the relation between the letter used and the function.

TABLE 4 Position the Cursor in the CLI

Keystrokes Function Summary Function Details
Left Arrow or Back character Moves the cursor left one character. When entering a command that
ctrl+B extends beyond a single line, press the Left Arrow or Ctrl+B keys repeatedly
to move back toward the system prompt to verify the beginning of the com-
mand entry, or you can also press Ctrl+A.
Right Arrow or Forward character Moves the cursor right one character.
ctrl+F
ctrl+A Beginning of line Moves the cursor to the very beginning of the command line.
ctrl+E End of line Moves the cursor to the very end of the line.

Completing a Partial Command Name

If you do not remember a full command name, or just to reduce the amount of typing you have to do, enter the first few let-
ters of a command, then press tab. The CLI parser then completes the command if the string entered is unique to the com-
mand mode. If the keyboard has no tab key, you can also press ctrl+I.

The CLI will recognize a command once you enter enough text to make the command unique. For example, if you enter
conf while in the privileged EXEC mode, the CLI will associate your entry with the config command, because only the
config command begins with conf.

In the next example, the CLI recognizes the unique string conf for privileged EXEC mode of config after pressing the tab
key:
ACOS# conf<tab>
ACOS# configure

When using the command completion feature, the CLI displays the full command name. Commands are not executed until
the Enter key is pressed. This way you can modify the command if the derived command is not what you expected from
the abbreviation. Entering a string of characters that indicate more than one possible command (for example, te) results in
the following response from the CLI:
ACOS# te
% Ambiguous command
ACOS#

If the CLI can not complete the command, enter a question mark (?) to obtain a list of commands that begin with the char-
acter set entered. Do not leave a space between the last letter you enter and the question mark (?).

In the example above, te is ambiguous. It is the beginning of both the telnet and terminal commands, as shown in the fol-
lowing example:
ACOS# te?
telnet Open a telnet connection
terminal Set Terminal Parameters, only for current
terminal ACOS# te

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 10

A10 Thunder Series and AX Series—Command Line Interface
Reference

The letters entered before the question mark (te) are reprinted to the screen to allow continuation of command entry
from where you left off.

Deleting Command Entries

If you make a mistake or change your mind, use the keys or key combinations in Table 5 to delete command entries:

TABLE 5 Deleting CLI Entries

Keystrokes Purpose
backspace The character immediately left of the cursor is deleted.
delete or ctrl+D The character that the cursor is currently on is deleted.
ctrl+K All characters from the cursor to the end of the command line are deleted.
ctrl+U or ctrl+X All characters from the cursor to the beginning of the command line are deleted.
ctrl+W The word to the left of the cursor is deleted.

Editing Command Lines that Wrap

The CLI provides a wrap-around feature for commands extending beyond a single line on the display.

When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten
charac- ters of the line, but you can scroll back and check the syntax at the beginning of the command. To scroll back,
press ctrl+B or the left arrow key repeatedly until you scroll back to the command entry, or press ctrl+A to return
directly to the begin- ning of the line.

The ACOS software assumes you have a terminal screen that is 80 columns wide. If you have a different screen-width, use
the
terminal width EXEC command to set the width of the terminal.

Use line wrapping in conjunction with the command history feature to recall and modify previous complex command
entries. See the Recalling Commands section in this chapter for information about recalling previous command
entries.

Continuing Output at the --MORE-- Prompt

When working with the CLI, output often extends beyond the visible screen length. For cases where output continues
beyond the bottom of the screen, such as with the output of many ?, show, or more commands, the output is paused and
a
--MORE-- prompt is displayed at the bottom of the screen.

To proceed, press the Enter key to scroll down one line, or press the spacebar to display the next full screen of output.

Redisplaying the Current Command Line

If you are entering a command and the system suddenly sends a message to your screen, you can easily recall your current
command line entry. To redisplay the current command line (refresh the screen), use either ctrl+L or ctrl+R.

page 11 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface
Reference

Editing Pre-Configured SLB Items

You can display a list of SLB items that have been configured on the ACOS device by entering the partial command,
followed by the ‘?’ character. Previous releases required you to know the exact name of the real server or other item
you wanted to modify, but this feature enables you to display the items that are already configured without having to
remember the exact name.

The following SLB items can be viewed in this manner:

• slb server
• slb service-group
• slb virtual-server
• member (at service-group configuration level)
• service-group (at virtual-port configuration level)

The following example displays the names of real servers that are already configured on the ACOS device. All options dis-
played in the output except “NAME” are real servers.

ACOS(config)# slb server ?

NAME<length:1-63> Server Name
a1
a2
deploy1
rs1
rs1-a1
rs1-a2
rs1-a3
ACOS2(config)# slb server

You can further refine the list that appears by entering part of the name. For example:

ACOS(config)# slb server a?

NAME<length:1-63> Server Name
a1
a2
ACOS2(config)# slb server a

In the same manner that commands can be auto-completed by partially entering the command name and pressing
<TAB>, the ACOS device supports the ability to auto-complete the names of configured items. For example:

ACOS(config)# slb server d<TAB>

ACOS(config)# slb server deploy1

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 12

A10 Thunder Series and AX Series—Command Line Interface
Reference

Searching and Filtering CLI Output

This section contains the following topics:

• Common Output Filters

• Advanced Output Filters
• Examples of Filtering Output

Common Output Filters

The CLI permits searching through large amounts of command output by filtering the output to exclude information
that you do not need. The show command supports the output filtering options described in Table 6:

TABLE 6 show Command Output Filters

Filter Description
begin string Begins the output with the line containing the specified string.
include string Displays only the output lines that contain the specified string.
exclude string Displays only the output lines that do not contain the specified string
section string Displays only the lines for the specified section (for example, “slb server”, “virtual-server”, or “log-
ging”). To display all server-related configuration lines, you can enter “server”.

Advanced Output Filters

Some show commands (for example, show log) provide additional output filtering options described in Table 7. These
options are a subset of the standard sort commands available on UNIX operating systems.

TABLE 7 show log Command Output Additional Filters

Filter Description
grep [invert-match] string Display only those lines matching the specified grep expression.
awk [fs separator] print expression Displays only the fields matching the specified awk expression.
NOTE: When specifying multiple expressions, use quotations marks
if you need to have spaces. For example, the following expressions
are both valid; the first one prints two fields with no space, the second
encloses the space within quotation marks:
show log | awk fs : print $1,$2
show log | awk fs : print “$1, $2”
cut [delimiter char] fields field Do not show the output matching the specified cut expression.
sort [numeric-sort] [reverse] Sort the lines in the output based on the specified sort expression.
[unique]
uniq [skip-chars num] [skip-fields Show only unique lines in the output as defined by the specified
num] [count] [repeated] options.

page 13 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface
Reference

Examples of Filtering Output

Use the pipe “ | ” character as a delimiter between the show command and the display filter.

• Example 1—Using Regular Expressions to Match a String

• Example 2—Viewing a Specific Section of the Configuration
• Example 3—Viewing Unique Output Strings

Example 1—Using Regular Expressions to Match a String

You can use regular expressions in the filter string, as shown in the following example:
ACOS(config)# show arp | include 192.168.1.3*
192.168.1.3 001d.4608.1e40 Dynamic ethernet4
192.168.1.33 0019.d165.c2ab Dynamic ethernet4

The output filter displays only the ARP entries that contain IP addresses that match “192.168.1.3” and any value following “3”.
The asterisk ( * ) matches on any pattern following the “3”. (See “Working with Regular Expressions” on page 15.)

Example 2—Viewing a Specific Section of the Configuration

The following example displays the startup-config lines for “logging”:

ACOS(config)# show startup-config | section logging

logging console error
logging buffered debugging
logging monitor debugging
logging buffered 30000
logging facility local0

Example 3—Viewing Unique Output Strings

The following example shows how to use the advanced options to string multiple filters together so that only unique
error log messages are displayed:

AX5100(config)# show log | grep Error | sort | uniq

Apr 03 2015 01:55:42 Error [SYSTEM]:The user, admin, from the remote
host, 172.17.1.169:52130, failed in the CLI authentication.
Apr 06 2015 21:48:45 Error [SYSTEM]:The user, admin, from the remote
host, 172.17.1.169:51582, failed in the CLI authentication.
Apr 08 2016 08:52:36 Error [SYSTEM]:The user, admin, from the remote
host, 172.17.0.224:62585, failed in the CLI authentication.
Apr 08 2016 19:58:13 Error [CLI]:Failed to register routing module
commands Apr 08 2016 19:58:13 Error [CLI]:Unrecognized command: "ospf" in
module if
...

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 14

A10 Thunder Series and AX Series—Command Line Interface
Reference

Working with Regular Expressions

Regular expressions are patterns (e.g. a phrase, number, or more complex pattern) used by the CLI string search feature to
match against show or more command output. Regular expressions are case sensitive and allow for complex matching
requirements. A simple regular expression can be an entry like Serial, misses, or 138. Complex regular expressions can be an
entry like 00210... , ( is ), or [Oo]utput.

A regular expression can be a single-character pattern or a multiple-character pattern. This means that a regular
expression can be a single character that matches the same single character in the command output or multiple
characters that match the same multiple characters in the command output. The pattern in the command output is
referred to as a string. This section describes creating single-character patterns.

Single-Character Patterns
The simplest regular expression is a single character that matches the same single character in the command output. You
can use any letter (A–Z, a–z) or digit (0–9) as a single-character pattern. You can also use other keyboard characters (such
as ! or ~) as single-character patterns, but certain keyboard characters have special meaning when used in regular
expressions. Table 8 lists the keyboard characters that have special meaning.

TABLE 8 Single-Character Regular Expression Patterns

Character Meaning
. Matches any single character, including white space
* Matchers 0 or more sequences of the pattern
+ Matches 1 or more sequences of the pattern
? Matches 0 or 1 occurrences of the pattern
^ Matches the beginning of the string
$ Matches the end of the string
_ (underscore) Matches a comma (,), left brace ({), right brace (}), left parenthesis ( ( ), right parenthesis ( ) ), the
beginning of the string, the end of the string, or a space.

Special Character Support in Strings

Special characters are supported in password strings and various other strings. To use special characters in a string,
enclose the entire string in double quotation marks.

This section contains the following topics:

• Special Character Support in Passwords and Strings

• How To Enter Special Characters in the Password String

Special Character Support in Passwords and Strings

The following subsections list the special characters supported for each type of password you can enter in the CLI.

page 15 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface
Reference

For information about the supported password length, see the CLI help or the command entry in this document.

TABLE 9 Special Characters in Passwords and Strings

Password Type
Admin and Enable password
ACOS device hostname
RADIUS shared secret
SNMPv3 user authentication
passwords
RADIUS shared secrets
Special Character Support
Admin and enable passwords can contain any ASCII characters in the following ranges:
0x20-0x7e and 0x80-0xFF.
Strings for these items can contain any of the following ASCII characters
a-z A-Z 0-9 - . ( )
The device hostname can contain any of the following ASCII characters

a-z A-Z 0-9 - . ( )

MD5 passwords for OSPF or MD5 passwords can be up to 16 characters long. A password string can contain any
BGP ASCII
characters in the range 0x20-0x7e. The password string can not begin with a blank
space, and can not contain any of the following special characters:

' " < > & \ / ?

Passwords used for file
import or export
Passwords user for server
access in health monitors
All of the characters in the following range are supported: 0x20-0x7E.
Most of the characters in the following range are supported: 0x20-0x7E.
The following characters are not supported:

' " < > & \ / ?

SSL certificate passwords Most of the characters in the following ranges are supported: 0x20-0x7E and 0x80-0xFF.
SMTP passwords The following characters are not supported:

' " < > & \ / ?

SMTP passwords

How To Enter Special Characters in the Password String

You can use an opening single-or double-quotation mark without an ending one. In this case, '" becomes ", and "'
becomes '.

Escape sequences are required for a few of the special characters:

• " – To use a double-quotation mark in a string, enter the following: \"

• ? – To use a question mark in a string, enter the following sequence: \077

• \ – To use a back slash in a string, enter another back slash in front of it: \\

For example, to use the string a"b?c\d, enter the following: "a\"b\077c\\d"

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 16

A10 Thunder Series and AX Series—Command Line Interface
Reference

The \ character will be interpreted as the start of an escape sequence only if it is enclosed in double quotation marks.
(The ending double quotation mark can be omitted.) If the following characters do not qualify as an escape sequence, they
are take verbatim; for example, \ is taken as \, "\x41" is taken as A (hexadecimal escape), "\101" is taken as A
(octal escape), and "\10" is taken as \10.

NOTE: To use a double-quotation mark as the entire string, "\"". If you enter \", the result is \.
(Using a single character as a password is not recommended.)

It is recommended not to use i18n characters. The character encoding used on the
ter- minal during password change might differ from the character encoding on the
termi- nal used during login.

aVCS Device Numbers in Commands

Some commands either include or support an ACOS Virtual Chassis System (aVCS) device ID. The device ID indicates the
device to which the command applies.

This section contains the following topics:

• Device ID Syntax
• aVCS Device Option for Configuration Commands
• aVCS Device Option for Show Commands
• CLI Message for Commands That Affect Only the Local Device

Device ID Syntax
In an aVCS virtual chassis, configuration items that are device-specific include the device ID. For these items, use the
follow- ing syntax:

• interface ethernet DeviceID/Portnum

• interface ve DeviceID/Portnum
• interface loopback DeviceID/Loopbacknum
• trunk DeviceID/Trunknum
• vlan DeviceID/VLAN-ID
• bpdu-fwd-group DeviceID/VLAN-ID
• bridge-vlan-group DeviceID/VLAN-ID

This format also appears in the running-config and startup-config.

To determine whether a command supports the DeviceID/ syntax, use the CLI help.

The following command accesses the configuration level for Ethernet data port 5 on device 4:

page 17 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface
aVCS Device Numbers in Commands

ACOS(config)# interface ethernet 4/5

ACOS(config-if:ethernet:4/5)#

aVCS Device Option for Configuration Commands

To configure commands for a specific aVCS device, use the device-context command.
For example, to change the hostname for device 3 in the virtual chassis:

ACOS(config)# device-context 3
ACOS(config)# hostname ACOS3
ACOS3(config)#

aVCS Device Option for Show Commands

To view show output for a specific device in an aVCS cluster, you must use the vcs admin-session-connect command
to connect to the device, then run the desired show command. For example:

For example, the following command shows how to connect to device 2 in a virtual chassis, then view the MAC address
table on that device:

ACOS-device1(config)# vcs admin-session-connect device 2

spawn ssh -l admin 192.168.100.126
The authenticity of host '192.168.100.126 (192.168.100.126)' can't be established.
RSA key fingerprint is ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.126' (RSA) to the list of known hosts.
Password:***
Last login: Thu Jul 22 21:06:46 2010 from
192.168.3.77 ACOS-device2# show mac-address-table
MAC-Address Port Type Index Vlan Age
---------------------------------------------------------
0013.72E3.C773 1 Dynamic 13 2 88
0013.72E3.C775 2 Dynamic 16 10 90
Total active entries: 2 Age time: 300 secs

CLI Message for Commands That Affect Only the Local Device
You can display a message when entering a configuration command that applies to only the local device. When this
option is enabled, a message is displayed if you enter a configuration command that affects only the local device, and
the com- mand does not explicitly indicate the device.

This enhancement is enabled by default and can not be disabled.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 18

A10 Thunder Series and AX Series—Command Line Interface
Reference

Local Device
The “local device” is the device your CLI session is on.

• If you log directly onto one of the devices in the virtual chassis, that device is the local device. For example, if you
log on through the management IP address of a vBlade, that vBlade is the local device.
• If you change the device context or router content to another ACOS device, that device becomes the local device.
• If you log onto the virtual chassis’ floating IP address, the vMaster is the local device.

Message Example
The following command configures a static MAC address:

ACOS(config)# mac-age-time 444

This operation applied to device 1

This type of configuration change is device-specific. However, the command does not specify the device ID to which to
apply the configuration change. Therefore, the change is applied to the local device. In this example, the local device
is device 1 in the aVCS virtual chassis.

The message is not necessary if you explicitly specify the device, and therefore is not displayed:

ACOS(config)# device-context 2
ACOS(config)# mac-age-time 444 device 2

For commands that access the configuration level for a specific configuration item, the message is displayed only for the
command that accesses the configuration level. For example:

ACOS(config)# interface ethernet 2

This operation applied to device 1
ACOS(config-if:ethernet:2/1)# ip address 1.1.1.1 /24
ACOS(config-if:ethernet:2/1)#

The message is not displayed after the ip address command is entered, because the message is already displayed after
the interface ethernet 2 command is entered.

The same is true for commands at the configuration level for a routing protocol. The message is displayed only for the
com- mand that accesses the configuration level for the protocol.

• In most cases, the message also is displayed following clear commands for device-specific items. An exception is
clear commands for routing information. The message is not displayed following these commands.

• The message is not displayed after show commands.

page 19 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface
Enabling Baselining and Rate Calculation

Enabling Baselining and Rate Calculation

The sampling-enable command enhances the information that can be viewed for statistical counters in the system. By
using this command in conjunction with show counters-baselining and show counters-rate, you can obtain
additional counter statistics to help you baseline specific portions of your configuration in order to troubleshoot or improve
performance.

To enable this:

1. Enable the Counters

2. View the Contents of the Counters

Enable the Counters

The sampling-enable command is available at various configuration levels in the CLI. Whenever you see this option,
use the sampling-enable ? command to view the counters for which you can enable baselining.

For example, see the following configuration where a real server is created:

ACOS(config)# slb server s1 2.2.2.2

ACOS(config-real server)# sampling-enable ?
all all
total-conn Total connections
fwd-pkt Forward packets
rev-pkt Reverse packets
peak-conn Peak connections
ACOS(config-real server)# sampling-enable

The counters you will see for the sampling-enable ? command will vary depending on the object. You can select
specific counters you want to enable, or use the all keyword to enable all available counters.

The following example enables baselining for three counters under the SLB server configuration, then verifies the configura-
tion with the show running-config command:

ACOS(config-real server)# sampling-enable total_conn

ACOS(config-real server)# sampling-enable fwd-pkt
ACOS(config-real server)# sampling-enable rev-pkt
ACOS(config-real server)# show running-config | sec slb server
slb server s1 2.2.2.2
sampling-enable
total_conn sampling-
enable fwd-pkt sampling-
enable rev-pkt
ACOS(config-real server)#

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 20

 A10 Thunder Series and AX Series—Command Line Interface
Enabling Baselining and Rate Calculation

View the Contents of the Counters

To view the values of available counters, use the show counters command. This command works the same way even
with- out baselining enabled.

ACOS(config-real server-node port)# show counters slb server s1

Current connections 0
Total connections 189
Forward packets 756
Reverse packets 756
Peak connections 0
ACOS(config-real server-node port)#

The sampling-enable command is used to enable enhanced statistical information:

• View Counter Baseline Information

• View Counter Rate Information

View Counter Baseline Information

To view baseline information, use the show counters-baselining command. Note that only the counters for which
baselining was enabled with the sampling-enable command are listed:

ACOS(config-real server-node port)# show counters-baselining slb server s1

counter_name min max avg

Total Connections 0 189 66
Forward Packets 0 756 264
Reverse Packets 0 756 264
ACOS(config-real server-node port)#

This command shows the minimum, maximum, and average value for each enabled counter over the last 30 seconds.

View Counter Rate Information

To view rate information for each enabled counter, use the show counters-rate command. Note that only the
counters for which rate information was enabled with the sampling-enable command are listed:

ACOS(config-real server-node port)# show counters-rate slb server s1

counter_name 1sec_rate 5sec_rate 10sec_rate 30sec_rate

Total connections 0 0 18 6
Forward packets 0 0 75 25
Reverse packets 0 0 75 25
ACOS(config-real server-node port)#

page 21 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface
Reference

This command shows the average value of each counter over the following intervals:

• last second
• last 5 seconds
• last 10 seconds
• last 30 seconds

Tagging Objects
Certain objects created in the CLI can be tagged by using the user-tag command. These tags can then be searched by
using the aXAPI. See the “Filters” page of the aXAPI Reference for more information.

NOTE: Do not enter the value “Security” for the custom tag from the CLI; this is a reserved
key- word. Doing so can interfere with the proper display of SSLi configurations
performed in the GUI.

Tagging objects is useful to help differentiate objects that can be used for multiple feature areas, like real servers, virtual
serv- ers, service group, or templates. Consider the following example, where multiple real servers are created for load
balancing. By tagging each server, the show running-config output can help you identify which servers are used for
FTP load bal- ancing (labeled with “FTP”) and which ones are used for HTTP load balancing (labeled with “HTTP):

ACOS(config)# slb server ftp1

192.168.1.1 ACOS(config-real server)#
user-tag FTP-1 ACOS(config-real server)#
exit ACOS(config)# slb server ftp1
192.168.2.2 ACOS(config-real server)#
user-tag FTP-2 ACOS(config-real server)#
exit
ACOS(config)# slb server http1
192.168.10.10 ACOS(config-real server)#
user-tag HTTP-1 ACOS(config-real server)#
exit
ACOS(config)# slb server http2 192.168.20.20
ACOS(config-real server)# user-tag HTTP-2
ACOS(config-real server)# show running-config | sec slb server
slb server ftp1
192.168.1.1 user-tag
FTP-1
slb server ftp2
192.168.2.2 user-tag
FTP-2
slb server http1 192.168.10.10
user-tag HTTP-1
slb server http2 192.168.20.20

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 22

 A10 Thunder Series and AX Series—Command Line Interface
Tagging Objects

user-tag HTTP-2

At a later point in time, suppose server “ftp1” has need to be re-purposed; rather than renaming the server and all of the
cor- responding configuration that might also have “FTP” in their object names, you can update the user tag to indicate
the actual purpose of the server while leaving the existing configuration intact.

Tags can be 1-127 characters in length.

page 23 | Document No.: 410-P2-CLI-001 - 6/17/2016

A10 Thunder Series and AX Series—Command Line Interface
Reference

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 24

EXEC Commands

The EXEC commands (sometimes referred to as the User EXEC commands) are available at the CLI level that is
presented when you log into the CLI.

The EXEC level command prompt ends with >, as in the following example:

ACOS>

The following commands are available:

• active-partition
• enable
• exit
• gen-server-persist-cookie
• health-test
• help
• no
• ping
• show
• ssh
• telnet
• traceroute

active-partition
Description CLI commands related to ADPs are located in Configuring Application Delivery
Partitions.

page 25 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

enable
Description Enter privileged EXEC mode, or any other security level set by a system administrator.

Syntax enable

Mode EXEC

Usage Entering privileged EXEC mode enables the use of privileged commands. Because many
of the privileged commands set operating parameters, privileged access should be
password- protected to prevent unauthorized use. If the system administrator has set a
password with the enable password global configuration command, you are
prompted to enter it before being allowed access to privileged EXEC mode. The password
is case sensitive.

The user will enter the default mode of privileged EXEC.

Example In the following example, the user enters privileged EXEC mode using the enable com-
mand. The system prompts the user for a password before allowing access to the
privileged EXEC mode. The password is not printed to the screen. The user then exits back
to user EXEC mode using the disable command. Note that the prompt for user EXEC
mode is >, and the prompt for privileged EXEC mode is #.

ACOS>enable
Password: <letmein>
ACOS#disable
ACOS>

exit

Description When used from User EXEC mode, this command closes an active terminal session by
log- ging off the system. In any other mode, it will move the user to the previous
configuration level.

Syntax exit

Mode All

Example In the following example, the exit command is used three times:

1. To move from Global configuration mode to the previous config level (privileged
EXEC mode);
2. To move from privileged EXEC mode to the previous config level (User EXEC mode);
3. From User EXEC mode, the exit command is used to log off (exit the active session):

ACOS(config)#exit
ACOS#exit
ACOS>exit
Are you sure to quit (N/Y)?: Y

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 26

A10 Thunder Series and AX Series—Command Line Interface

gen-server-persist-cookie
Description Generate a cookie for pass-through cookie-persistent SLB sessions.

Syntax gen-server-persist-cookie [cookie-name]

match-type
{
port vport-num rport-num {ipaddr | ipv6 ipv6addr} |
server {ipv4addr | ipv6 ipv6addr} |
service-group group-name vport-num rport-num
{ipv4addr | ipv6 ipv6addr}
}

Parameter Description
cookie-name Name of the cookie header. The default is “sto-id” if no name is specified.
port The port option creates a cookie based on the following format:
cookiename-vportnum-groupname=encoded-ip_encoded-rport
server The server option creates a cookie based on the following format:
cookiename=encoded-ip
service-group The service-group option creates a cookie based on the following format:
cookiename-vportnum-groupname=encoded-ip_encoded-rport

Default ACOS does not have a default pass-through cookie. When you configure one, the
default name is “sto-id”. There is no default match-type setting.

Mode EXEC and Privileged EXEC only

Usage Additional configuration is required. The pass-thru option must be enabled in the
cookie- persistence template bound to the virtual port.

page 27 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

health-test
Description Test the status of a device using a configured health monitor.

Syntax health-test {ipaddr | ipv6 ipv6addr}

[count num] [monitorname monitor-name] [port port-num]

Parameter Description
ipaddr Specifies the IPv4 address of the device to test.
ipv6addr Specifies the IPv6 address of the device to test.
count num Specifies the number of health checks to send to the device. You can
specify a number 1 - 65535.
The default count is 1.
monitor-name Specifies the name of the health monitor you want to use, 1-29 char-
acters. The health monitor must already be configured.
See “Config Commands: Health Monitors” on page 547 for more infor-
mation about configuring a health monitor.
The default monitor is ICMP ping, which is the default Layer 3 health
check.
port-num Specifies the protocol port to test. You can specify any port 1 - 65535.
The default is the override port number set in the health monitor con-
figuration. If none is set there, then this option is not set by default.

Default See descriptions.

Mode EXEC, Privileged EXEC, and global config

Usage If an override IP address and protocol port are set in the health monitor configuration, the
ACOS device will use the override address and port, even if you specify an address and
port with the health-test command.

Example The following command tests port 80 on server 192.168.1.66, using configured health
moni- tor hm80:

ACOS#health-test 192.168.1.66 monitorname hm80

node status UP.

help
Description Display a description of the interactive help system of the CLI.

Syntax help

Mode All

Example (See “CLI Quick Reference” on page 5.)

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 28

A10 Thunder Series and AX Series—Command Line Interface

no

Description See “no” on page 49. This command is not used at this level.

ping
Description Send an ICMP echo packet to test network connectivity.

Syntax ping [ipv6] {hostname |

ipaddr} [data HEX-word]
[ds-lite {[source-ipv4 ipaddr] [source-ipv6 ipaddr] [ipaddr]}]
[flood]
[interface {ethernet port-num | ve ve-num}]
ipv6
[pmtu}
[repeat {count | unlimited}]
[size num]
[source {ipaddr | ethernet port-num | ve ve-num}]
[timeout secs]
[ttl num]

Parameter Description
ipv6 {hostname | ipaddr} Send a ping to the specified IPv6 hostname or address.
{hostname | ipaddr} Send a ping to the specified IPv4 hostname or address.
data HEX-word Hexadecimal data pattern to send in the ping. The pattern can be 1-8 hexadecimal
characters long.
This is not set by default.
ds-lite { Send a DS-Lite ping.
[source-ipv4 ipaddr]
[source-ipv6 ipaddr]
ipaddr}
flood Send a continuous stream of ping packets, by sending a new packet as soon as a
reply to the previous packet is received.
This is disabled by default.
interface { Use the specified interface as the source of the ping. Use ethernet for ethernet
ethernet port- interfaces, or ve for virtual ethernet interfaces.
num ve ve-num} By default, this is not set. The ACOS device looks up the route to the ping target in
the main route table and uses the interface associated with the route. (The manage-
ment interface is not used unless you specify the management IP address as the
source interface.)
pmtu Enable PMTU discovery.
repeat {count | unlimited} Number of times to send the ping. You can specify a number 1 - 10000000 (ten mil-
lion), or specify unlimited to ping continuously.
The default count is 5.
size num Specify the size of the datagram in bytes. You can specify a number from 1 - 10000.
The default size is 84 bytes.

page 29 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
source { Forces the ACOS device to give the specified IP address (ipaddr), or the IP
ipaddr | address configured on the specified interface (either ethernet port-num or
ethernet port-num | ve ve-num), as the source address of the ping.
ve ve-num}
timeout secs Number of seconds the ACOS device waits for a reply to a sent ping packet, 1-2100
seconds.
The default timeout value is 10 seconds.
ttl num Maximum number of hops the ping is allowed to traverse, 1-255.
The default is 1.

Default See descriptions.

Mode EXEC, Privileged EXEC, and global configuration

Usage The ping command sends an echo request packet to a remote address, and then awaits
a reply. Unless you use the flood option, the interval between sending of each ping
packet is 1 second.

To terminate a ping session, type ctrl+c.

Example The following command sends a ping to IP address 192.168.3.116:

ACOS>ping 192.168.3.116
PING 192.168.3.116 (192.168.3.116) 56(84) bytes of data
64 bytes from 192.168.3.116: icmp_seq=1 ttl=128 time=0.206
ms 64 bytes from 192.168.3.116: icmp_seq=2 ttl=128
time=0.260 ms 64 bytes from 192.168.3.116: icmp_seq=3
ttl=128 time=0.263 ms 64 bytes from 192.168.3.116:
icmp_seq=4 ttl=128 time=0.264 ms 64 bytes from
192.168.3.116: icmp_seq=5 ttl=128 time=0.216 ms
--- 192.168.3.116 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3996ms
rtt min/avg/max/mdev = 0.206/0.241/0.264/0.032 ms

Example The following command sends a ping to IP address 10.10.1.20, from ACOS Ethernet port 1.
The ping has data pattern “ffff”, is 1024 bytes long, and is sent 100 times.

ACOS>ping data ffff repeat 100 size 1024 source ethernet 1

10.10.1.20

show
Description Show system or configuration information.

Syntax show options

Default N/A

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 30

A10 Thunder Series and AX Series—Command Line Interface

Mode All

Usage For information about the show commands, see “Show Commands” on page 237 and “SLB
Show Commands” in the Command Line Interface Reference for ADC.

ss
h
Description Establish a Secure Shell (SSH) connection from the ACOS device to a different device.

Syntax ssh [use-mgmt-port] {hostname | ipaddr} login-name [protocol-port]

Parameter Description
use-mgmt-port Uses the management interface as the source interface for the
connection to the remote device. The management route table is
used to reach the device. By default, the ACOS device attempts to
use the data route table to reach the remote device through a data
interface.
hostname Host name of the remote system.
ipaddr IP address of the remote system.
login-name The user name used to log in to the remote system.
protocol-port TCP port number on which the remote system listens for SSH client
traffic. Specify a number 1 - 65535.
The default port is 22.

Default See description.

Mode EXEC and Privileged EXEC

Usage SSH version 2 is supported. SSH version 1 is not supported.

telnet
Description Open a Telnet tunnel connection from the ACOS device to another device.

Syntax telnet [use-mgmt-port] {hostname | ipaddr) [protocol-port]

page 31 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
use-mgmt-port Uses the management interface as the source interface for the con-
nection to the remote device. The management route table is used
to reach the device. By default, the ACOS device attempts to use
the data route table to reach the remote device through a data inter-
face.
hostname Host name of the remote system.
ipaddr IP address of the remote system.
protocol-port TCP port number on which the remote system listens for Telnet traf-
fic. Specify a number 1 - 65535.
The default port is 23.

Default See description.

Mode EXEC and Privileged EXEC

Example The following command opens a Telnet session from one ACOS device to another
ACOS device at IP address 10.10.4.55:

ACOS>telnet 10.10.4.55
Trying 10.10.4.55...
Connected to 10.10.4.55.
Escape character is '^]'.
Welcome to Thunder
ACOS login:

traceroute
Description Display the router hops through which a packet sent from the ACOS device can reach
a remote device.

Syntax traceroute [ipv6 | use-mgmt-port] {hostname | ipaddr}

Parameter Description
ipv6 Indicates that the remote device is an IPv6 system.
use-mgmt-port Uses the management interface as the source interface. The man-
agement route table is used to reach the device. By default, the
ACOS device attempts to use the data route table to reach the
remote device through a data interface.
hostname Host name of the device at the remote end of the route to be
traced.
ipaddr IP address of the device at the remote end of the route to be
traced.

Default N/A

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 32

A10 Thunder Series and AX Series—Command Line Interface

Mode EXEC and Privileged EXEC

Usage If a hop does not respond within 5 seconds, asterisks ( * ) are shown in the row for that hop.

Example The following command traces a route to 192.168.10.99:

ACOS>traceroute 192.168.10.99
traceroute to 192.168.10.99 (192.168.10.99), 30 hops max, 40 byte
packets
1 10.10.20.1 (10.10.20.1) 1.215 ms 1.151 ms 1.243 ms
2 10.10.13.1 (10.10.13.1) 0.499 ms 0.392 ms 0.493 ms
...

page 33 | Document No.: 410-P2-CLI-001 - 6/17/2016

A10 Thunder Series and AX Series—Command Line Interface

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 34

Privileged EXEC Commands

The Privileged EXEC mode commands are available at the CLI level that is presented when you enter the enable
command and a valid enable password from the EXEC level of the CLI.

The Privileged EXEC mode level command prompt ends with #, as in the following example:

ACOS#

The following commands are available:

• active-partition
• axdebug
• backup log
• backup system
• clear
• clock
• configure
• debug
• diff
• disable
• exit
• export
• gen-server-persist-cookie
• health-test
• help
• import
• locale
• no
• ping
• reboot
• reload

page 35 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

• repeat
• show
• shutdown
• ssh
• telnet
• terminal
• traceroute
• vcs
• write force
• write memory
• write terminal

active-partition
Description Change the partition on an ACOS device configured for Application Delivery Partitioning
(ADP). (See “active-partition” on page 25.)

axdebug
Description Enters the AX debug subsystem. (See “AX Debug Commands” on page 365.)

backup log
Description Configure log backup options and save a backup of the system log.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 36

A10 Thunder Series and AX Series—Command Line Interface

Syntax backup log

[expedite]
[period {all | day | month | week | days}]
[stats-data]
{profile-name | [use-mgmt-port] url [password password]}

Parameter Description
expedite Allocates additional CPU to the backup process. This option allows up to 50% CPU utilization
to be devoted to the log backup process.
period Specifies the period of time whose data you want to back up:
• all - Backs up the log messages contained in the log buffer.
• day - Backs up the log messages generated during the most recent 24 hours.
• month - Backs up the log messages generated during the most recent 30 days.
• week - Backs up the log messages generated during the most recent 7 days.
• days - Backs up the log messages generated using days as the interval (for example,
specify 5 to back up every 5 days).
The default period of time is one month.

stats-data Backs up statistical data from the GUI.

profile-name Profile name for the remote URL, 1-31 characters.
Profiles that can be used in place of the URL are configured with the backup store command.
use-mgmt-port Uses the management interface as the source interface for the connection to the remote
device. The management route table is used to reach the device. Without this option, the
ACOS device attempts to use the data route table to reach the remote device through a
data inter- face.
url Specifies the file transfer protocol, username (if required), and directory path to the location
where you want to save the backup file.
You can enter the entire URL on the command line or press Enter to display a prompt for each
part of the URL. If you enter the entire URL and a password is required, you will still be
prompted for the password. The password can be up to 255 characters long.
To enter the entire URL, use one of the following:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file

password Specifies the password to access the remote site.

Default See descriptions.

Mode Privileged EXEC, or global configuration mode

Usage The expedite option controls the percentage of CPU utilization allowed exclusively to
the log backup process. The actual CPU utilization during log backup may be higher, if
other management processes also are running at the same time.

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

page 37 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Example The following commands change the backup period to all, allow up to 50% CPU
utilization for the backup process, and back up the log:

ACOS#backup log period all

ACOS#backup log expedite
ACOS#backup log scp://192.168.20.161/log.tgz
...

Example The following command backs up statistical data from the GUI:

ACOS#backup log stats-data scp://192.168.20.161/log.tgz

NOTE: The log period and expedite settings also apply to backups of the GUI statistical
data.

backup system
Description Back up the system. The startup-config file, aFleX policy files, and SSL certificates and keys
will be backed up to a .tar.gz file.

NOTE: Backing up system from one hardware platform and restoring it to another is not
supported.

Syntax backup system {profile-name |

[use-mgmt-port] url [password password]}

Parameter Description
profile-name Profile name for the remote URL, 1-31 characters.
Profiles that can be used in place of the URL are configured with
the backup store command.
use-mgmt-port Uses the management interface as the source interface for the
con- nection to the remote device. The management route table
is used to reach the device. Without this option, the ACOS
device attempts to use the data route table to reach the remote
device through a data interface.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 38

A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
url The url specifies the file transfer protocol, username (if required),
and directory path to the location where you want to save the
backup file.
You can enter the entire URL on the command line or press Enter to
display a prompt for each part of the URL. If you enter the entire
URL and a password is required, you will still be prompted for the
pass- word. The password can be up to 255 characters long.
To enter the entire URL, use one of the following:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file

password Specifies the password to access the remote site.

Default N/A

Mode Privileged EXEC or Global configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
com- mand to specify the device in the chassis to which to apply this command.

Example This example backs up the system to the /home/backups folder on host 192.168.2.2.

ACOS#backup system tftp://192.168.2.2/home/backups/

The trailing slash (/) at the end of the URL tells ACOS that this is a directory path, and not a
file name. In this case, since no file name is specified, the file name will be automatically
generated by ACOS. This is the recommended method of performing system backups
because the file names are guaranteed to be unique. Your backups may fail if you
accidentally backup to a file that already exists with the same name.

Example This example backs up the system to a file called “back_file.tar.gz” on host 1.1.1.1:

ACOS#backup system tftp://1.1.1.1/back_file

page 39 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

clear

Description Clear statistics or reset functions. Sub-command parameters are required for specific
sub- commands.

Syntax clear sub-command parameter

Default N/A

Mode Privileged EXEC mode or global configuration mode

Usage To list the options available for a clear command, enter ? after the command name.
For example, to display the clear gslb options, enter the following command:

clear gslb ?

On some ACOS models, entering either the clear slb switch or clear slb l4
command clears all anomaly counters for both show slb switch and show slb l4.
This applies to the following AX models: AX 3200-12, AX 3400, and AX 3530.

Note on Clearing Sessions

After entering the clear session command, the ACOS device may remain in session-
clear mode for up to 10 seconds. During this time, any new connections are sent to the delete
queue for clearing.

Example The following command clears the counters on Ethernet interface 3:

ACOS#clear statistics interface ethernet 3

clock
Description Set the system time and date.

Syntax clock set time day month year

Parameter Description
time Set the time, using 24-hour format hh:mm:ss.
day Set the day of the month (1-31).
month Set the month (January, February, March, and so on).
year Set the year (2013, 2014, and so on).

Mode Privileged EXEC mode

Usage Use this command to manually set the system time and date.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 40

A10 Thunder Series and AX Series—Command Line Interface

If the system clock is adjusted while OSPF or IS-IS is enabled, the routing protocols may stop
working properly. To work around this issue, disable OSPF and IS-IS before adjusting the
system clock.

Example Set the system clock to 5:51 p.m. and the date to February 22nd, 2015.

ACOS#clock set 17:51:00 22 February 2015

configure
Description Enter the configuration mode from the Privileged EXEC mode.

Syntax configure [terminal]

Mode Privileged EXEC mode

Example Enter configuration mode.

ACOS#configure
ACOS(config)#

debug

NOTE: It is recommended to use the AXdebug subsystem instead of these debug com-
mands. See “AX Debug Commands” on page 365.

diff
Description Display a side-by-side comparison of the commands in a pair of locally stored configurations.

Syntax diff {startup-config | profile-name} {running-config | profile-

name} Default N/A

Mode Privileged EXEC mode

Usage The following command compares the configuration profile that is currently linked
to “startup-config” with the running-config.
diff startup-config running-config

Similarly, the following command compares the configuration profile that is currently
linked to “startup-config” with the specified configuration profile:

diff startup-config profile-name

To compare a configuration profile other than the startup-config to the running-config,

enter the configuration profile name instead of startup-config.

To compare any two configuration profiles, enter their profile names instead of startup-
config or running-config.

page 41 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

In the CLI output, the commands in the first profile name you specify are listed on the left
side of the terminal screen. The commands in the other profile that differ from the
commands in the first profile are listed on the right side of the screen, across from the
commands they differ from. The following flags indicate how the two profiles differ:

• | – This command has different settings in the two profiles.

• > – This command is in the second profile but not in the first one.
• < – This command is in the first profile but not in the second one.

disable
Description Exit the Privileged EXEC mode and enter the EXEC mode.

Syntax disable

Mode Privileged EXEC mode

Example The following command exits Privileged EXEC mode.

ACOS#disable
ACOS>

NOTE: The prompt changes from # to >, indicating change to EXEC mode.

exit
Description Exit the Privileged EXEC mode and enter the EXEC Mode.

Syntax exit

Mode Privileged EXEC mode

Example In the following example, the exit command is used to exit the Privileged EXEC mode
level and return to the User EXEC level of the CLI:

ACOS#exit
ACOS>

NOTE: The prompt changes from # to >, indicating change to EXEC mode.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 42

A10 Thunder Series and AX Series—Command Line Interface

export
Description Put a file to a remote site using the specified transport method.

Syntax export
{{
aflex file |
auth-portal file |
auth-portal-image file |
auth-saml-idp file |
axdebug file |
bw-list file |
ca_cert file |
cert file |
cert-key file |
class-list file |
crl file |
debug_monitor file |
dnssec-dnskey file |
dnssec-ds file |
fixed-nat file |
geo-location file |
health-external file |
key file |
local-uri-file file |
lw-4o6 file |
policy file |
running-config |
startup-config |
store {create | delete} profile-name url |
syslog file |
thales-secworld file |
wsdl file |
xml-schema file
}
{[use-mgmt-port] {url | export-store}
}} |
{startup-config-profile [use-mgmt-port] {url | export-store}}

Parameter Description
aflex Exports an aFleX file.
auth-portal Exports an authentication portal file for Application Access
Management (AAM).
auth-portal-image Exports the image file for the default portal.
auth-saml-idp Exports the SAML metadata of the identity provider.
axdebug Exports an AX debug capture file.
bw-list Exports a black/white list.
ca-cert Exports a CA cert file.
cert Exports an SSL cert file.
cert-key Exports a certificate and key together as a single file.
class-list Exports an IP class list.
crl Exports a certificate revocation list (CRL).

page 43 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
debug_monitor Exports a debug monitor file.
dnssec-dnskey Exports a DNSEC key-signing key (KSK) file.
dnssec-ds Exports a DNSSEC DS file.
fixed-nat Exports the fixed NAT port mapping file.
geo-location Export the geo-location CSV file.
health-external Export the external program from the system.
key Exports an SSL key file.
license Exports a license file, if applicable to your model.
local-uri-file Exports the specified image file for the “sorry” page served to
RAM Caching clients if all servers are down.
lw-4o6 Exports the LW-4over6 binding table File.
policy Exports a WAF policy file.
running-config Exports the running configuration to a file.
startup-config Exports the startup configuration.
store Create or delete an export store profile.
syslog Exports the messages from the local log buffer.
wsdl Exports a Web Services Definition Language (WSDL) file.
xml-schema Exports an XML schema file.
profile-name Name of a startup-config profile to export.
use-mgmt-port Uses the management interface as the source interface for
the connection to the remote device. The management route
table is used to reach the device. By default, the ACOS
device attempts to use the data route table to reach the
remote device through a data interface.
url Protocol, user name (if required), and directory path you want
to use to send the file.
You can enter the entire URL on the command line or press
Enter to display a prompt for each part of the URL. If you enter
the entire URL and a password is required, you will still be
prompted for the password. The password can be up to 255
characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file

Mode Privileged EXEC mode or global configuration mode

Usage If you omit the final forward slash in the url string, ACOS attempts to use the string after
the final slash as the filename. If you omit the extension, ACOS attempts to use the string
after

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 44

A10 Thunder Series and AX Series—Command Line Interface

the final slash as the base name of the file. However, this can lead to an error in some cases.
If you are exporting AXdebug output, make sure to use the final slash in the url string.

Due to a limitation in Windows, it is recommended to use names shorter than 255

characters. Windows allows a maximum of 256 characters for both the file name and
the directory path. If the combination of directory path and file name is too long,
Windows will not recognize the file. This limitation is not present on machines running
Linux/Unix.

Example The following command exports an aFleX policy from the ACOS device to an FTP server,
to a directory named “backups”.

ACOS# export aflex aflex-01 ftp://192.168.1.101/backups/aflex-01

gen-server-persist-cookie
Description See “gen-server-persist-cookie” on page 27.

health-test
Description See “health-test” on page 28.

help

Description Display a description of the interactive help system of the ACOS device.

For more information, see “CLI Quick Reference” on page 5.

Syntax help

page 45 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

import
Description Get a file from a remote site.

Syntax import
{
{
aflex file |
auth-portal file |
auth-portal-image file |
auth_saml_idp file |
bw-list file |
{
ca-cert file
[{certificate-type {pem | der | pfx [pfx-password pswd] | p7b}]
[{csr-generate digest {sha1 | sha256 | sha384 | sha512}}]
} |
{
cert file
[{certificate-type {pem | der | pfx [pfx-password pswd] | p7b}]
[{csr-generate digest {sha1 | sha256 | sha384 | sha512}}]
} |
cert-key bulk |
class-list file |
class-list-convert file class-list-type type |
crl file
dnssec-dnskey file |
dnssec-ds file |
geo-location file |
glm-license file |
health-external file
| helath-postfile
file | key file
license file |
local-uri-file file |
lw-4o6 file |
policy file |
store file |
thales-secworld file |
web-category-license file |
wsdl file |
xml-schema file
}
{[overwrite] {[use-mgmt-port] {url | import-store}}
} |
{
{
auth-saml-idp metadata-name
health-external program-name [description text] |
health-postfile file
}
{[overwrite] {[use-mgmt-port] url}
} |
{store {create | delete} profile-name url}
}

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 46

A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
aflex Import an aFleX file.
auth-portal Import an authentication portal file for Application Access Management
(AAM).
auth-portal-image Import an image file for the default authentication portal.
auth-saml-idp Import the SAML metadata of the identity provider.
bw-list Import a black/white list.
ca-cert Imports a CA cert file.
• Use the bulk option to import multiple files simultaneously as a .tgz
archive.
• Use certificate-type to specify a certificate type.
• Use csr-generate to generate a CSR file.
cert Imports an SSL cert file.
• Use the bulk option to import multiple files simultaneously as a .tgz
archive.
• Use certificate-type to specify a certificate type.
• Use csr-generate to generate a CSR file.
cert-key bulk Imports a certificate and key together as a single file.
class-list Import an IP class list.
class-list-convert ACOS imports a newline delimited text file and converts it to a class-list file of the
file class-list-type specified type:
{ac | string | ipv4 | ipv6 |
• ac - Aho-Corasick class list.
string-case-intensive}
See the “How to Convert Your SNI List to an A10 Class List” section in the SSLi
Configuration Guide for an example of converting to an A10 Aho-Corasick class
list.
• string
• ipv4
• ipv6
• string-case-insensitive
NOTE: Only the Aho-Corasick class list is compliant with the class list types cre-
ated through the class-list command.

crl Import a certificate revocation list (CRL).

dnssec-dnskey Import a DNSEC key-signing key (KSK) file.
dnssec-ds Import a DNSSEC DS file.
geo-location Imports a geo-location data file for Global Server Load Balancing (GSLB).
glm-license Imports an activation key license file provided by the global license manager
(GLM).
health-external Address of the external script program. Use the description option to
provide a brief description (1-63 characters) of the program.
health-postfile Address of the HTTP Post data file.

page 47 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
key Import the SSL key file.
• Use the bulk option to import multiple files simultaneously as a .tgz archive.
• Use csr-generate to generate a CSR file.
license Import a license file, if applicable to your model.
local-uri-file Import the local URI files for HTTP responses.
lw-4o6 Import the LW-4over6 binding table file.
policy Import a WAF policy file.
store Import a store name for a remote URL.
• Use create to create an import store profile
• Use delete to delete an import store profile
thales-secworld Import a Thales security world file.
web-category-license Import a web-category-license file, which is required if you wish to access the
BrightCloud server and use the web-categorization feature.
wsdl Import a WSDL file.
xml-schema Import an XML schema file.
use-mgmt-port Uses the management interface as the source interface for the
connection to the remote device. The management route table is used to
reach the device. Without this option, the ACOS device device attempts
to use the data route table to reach the remote device through a data
interface.
url Protocol, user name (if required), and directory path you want to use to send the
file.
You can enter the entire URL on the command line or press Enter to display a
prompt for each part of the URL. If you enter the entire URL and a password is
required, you will still be prompted for the password. The password can be up to
255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[port:]/file
• scp://[user@]host/file
• sftp://[user@]host/file

Syntax Privileged EXEC mode or global configuration mode

Example The following command imports an aFleX policy onto the ACOS device from a TFTP
server, from its directory named “backups”:

ACOS# import aflex aflex-01 tftp://192.168.1.101/backups/aflex-01

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 48

A10 Thunder Series and AX Series—Command Line Interface

locale
Description Set the locale for the current terminal session.

Syntax locale parameter

The following table shows valid values for parameter:

Parameter Description
test Test the current terminal encodings for a specific locale.
en_US.UTF-8 English locale for the USA, encoding with UTF-8 (default)
zh_CN.UTF-8 Chinese locale for PRC, encoding with UTF-8
zh_CN.GB18030 Chinese locale for PRC, encoding with GB18030
zh_CN.GBK Chinese locale for PRC, encoding with GBK
zh_CN.GB2312 Chinese locale for PRC, encoding with GB2312
zh_TW.UTF-8 Chinese locale for Taiwan, encoding with UTF-8
zh_TW.BIG5 Chinese locale for Taiwan, encoding with BIG5
zh_TW.EUCTW Chinese locale for Taiwan, encoding with EUC-TW
ja_JP.UTF-8 Japanese locale for Japan, encoding with UTF-8
ja_JP.EUC-JP Japanese locale for Japan, encoding with EUC-JP

Default en_US.UTF-8

Mode Privileged EXEC mode or global configuration mode

no
Description Negate a command or set it to its default setting.

Syntax no command

Mode All

Example The following command disables the terminal command history feature:

ACOS#no terminal history

ACOS#

ping
Description Test network connectivity. For syntax information, see “ping” on page 29.

reboot
Description Reboot the ACOS device.

page 49 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Syntax reboot [
all |
text |
in hh:mm [text] |
at hh:mm [month day | day month] [text] |
cancel
]

Parameter Description
all Reboot all devices when VCS is enabled, or only this device itself if VCS
is not enabled.
text Reason for the reboot, 1-127 characters long.
in hh:mm Schedule a reboot to take effect in the specified hours and minutes.
The reboot must take place within approximately 24 hours.
at hh:mm Schedule a reboot to take place at the specified time (using a 24-hour
clock). If you specify the month and day, the reboot is scheduled to
take place at the specified time and date. If you do not specify the
month and day, the reboot takes place at the specified time on the
current day (if the specified time is later than the current time), or on
the next day (if the specified time is earlier than the current time).
Specifying 00:00 schedules the reboot for midnight.

month Name of the month, any number of characters in a unique string.

day Number of the day, 1-31.
cancel Cancel a scheduled reboot.

Mode Privileged EXEC mode

Usage The reboot command halts the system. If the system is set to restart on error, it
reboots itself. Use the reboot command after configuration information is entered into
a file and saved to the startup configuration.

You cannot reboot from a virtual terminal if the system is not set up for automatic booting.
This prevents the system from dropping to the ROM monitor and thereby taking the system
out of the remote user’s control.

If you modify your configuration file, the system will prompt you to save the configuration.

The at keyword can be used only if the system clock has been set on the ACOS device
(either through NTP, the hardware calendar, or manually). The time is relative to the
configured time zone on the ACOS device. To schedule reboots across several ACOS
devices to occur simultaneously, the time on each ACOS device must be synchronized with
NTP. To display information about a scheduled reboot, use the show reboot command.

Example The following example immediately reboots the ACOS device:

ACOS(config)#reboot
System configuration has been modified. Save? [yes/no]:yes
Rebooting System Now !!!
Proceed with reboot? [yes/no]:yes

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 50

A10 Thunder Series and AX Series—Command Line Interface

Example The following example reboots the ACOS device in 10 minutes:

ACOS(config)# reboot in 00:10

ACOS(config)# Reboot scheduled for 11:57:08 PDT Fri Apr 21 2014 (in
10 minutes)
Proceed with reboot? [yes/no]yes
ACOS(config)#

Example The following example reboots the ACOS device at 1:00 p.m. today:

ACOS(config)# reboot at 13:00

ACOS(config)# Reboot scheduled for 13:00:00 PDT Fri Apr 21 2014 (in
1 hour and 2 minutes)
Proceed with reboot? [yes/no]yes
ACOS(config)#

Example The following example reboots the ACOS device on Apr 20 at 4:20 p.m.:

ACOS(config)# reboot at 16:20 apr 20

ACOS(config)# Reboot scheduled for 16:20:00 PDT Sun Apr 20 2014 (in
38 hours and 9 minutes)
Proceed with reboot? [yes/no]yes
ACOS(config)#

Example The following example cancels a pending reboot:

ACOS(config)# reboot cancel

%Reboot cancelled.

***
*** --- REBOOT ABORTED ---
***

page 51 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

reload
Description Restart ACOS system processes and reload the startup-config, without rebooting.

Syntax reload [all | device device-id]

Parameter Description
all When VCS is enabled, this parameter causes all devices in the
virtual chassis to be reloaded.
When VCS is disabled, this parameter causes only the device on
which this command is run to be reloaded.
device-id When VCS is enabled, this parameter causes only the specified
device to be reloaded.
When VCS is disabled, this parameter will return an error message.

Mode Privileged EXEC mode

Usage The reload command restarts ACOS system processes and reloads the startup-config,
with- out reloading the system image. To also reload the system image, use the reboot
command instead. (See “reboot” on page 49.)

The ACOS device closes all sessions as part of the reload.

If the reload command is used without any optional parameters (see example below)
then only the device on which the command is run will be reloaded. This is the case for both
VCS- enabled and VCS-disabled devices.

Example Below is an example of the reload command:

ACOS(config)#reload
Reload ACOS. . . .Done.
ACOS(config)#

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 52

A10 Thunder Series and AX Series—Command Line Interface

repeat
Description Periodically re-enter a show command.

Syntax repeat seconds show command-options

Parameter Description
seconds Interval at which to re-enter the command. You can specify 1-
300 seconds.
command-options Options of the show command. See “Show Commands” on
page 237 and “SLB Show Commands” in the Command Line
Interface Reference for ADC.

Mode Privileged EXEC mode

Usage The repeat command is especially useful when monitoring or troubleshooting the system.

The elapsed time indicates how much time has passed since you entered the repeat
command. To stop the command, press Ctrl+C.

show
Description Display system or configuration information. See “Show Commands” on page 237 and “SLB
Show Commands” in the Command Line Interface Reference for ADC.

shutdown
Description Schedule a system shutdown at a specified time or after a specified interval, or cancel a
scheduled system shutdown.

Syntax shutdown {at hh:mm | in hh:mm | cancel [text]}

Parameter Description
at Schedule a reboot to take place at the specified time (using a 24-hour clock). If you specify the month
and day, the reboot is scheduled to take place at the specified time and date. If you do not specify the
month and day, the reboot takes place at the specified time on the current day (if the specified time is
later than the current time), or on the next day (if the specified time is earlier than the current time).
Specifying 00:00 schedules the reboot for midnight.
in Shutdown after a specified time interval (hh:mm). For example, 00:10 causes the device to shut
down 10 minutes from now.
cancel Cancel pending shutdown
text Reason for shutdown

Mode Privileged EXEC mode

Example The following command schedules a system shutdown to occur at 11:59 p.m.:

page 53 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

ACOS#shutdown at 23:59

System configuration has been modified. Save? [yes/no]:yes

Building configuration...
[OK]
Shutdown scheduled for 23:59:00 UTC Fri Sep 30 2005 (in 5 hours and 39 minutes) by admin on
192.168.1.102
Proceed with shutdown? [confirm]
ACOS#

Example The following command cancels a scheduled system shutdown:

ACOS#shutdown cancel
***
*** --- SHUTDOWN ABORTED ---
***

ss
h
Description Establish a Secure Shell (SSH) connection from the ACOS device to another device. (See
“ssh” on page 31.)

telnet
Description Establish a Telnet connection from the ACOS device to another device. (See “telnet”
on page 31.)

terminal
Description Set terminal display parameters for the current session.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 54

A10 Thunder Series and AX Series—Command Line Interface

Syntax terminal
{
auto-size |
command-timestamp [unix]|
editing |
gslb-prompt options |
history [size number] |
length number |
monitor |
width lines
}

Parameter Description
auto-size Enables the terminal length and width to automatically change to match the terminal win-
dow size.
This is enabled by default.
command-timestamp Include timestamp information in the show command output.
The unix option displays the timestamp in Unix format (sec.us) since Unix Epoch. For
example:
See the example below for more information.
editing Enables command-line editing.
This is enabled by default.
gslb-prompt Enables the CLI prompt to display the role of the ACOS device within a GSLB group.
options
• disable - disables this feature so the CLI prompt does not display role information
• group-role - displays “Member” or “Master” in the CLI prompt. For example:
ACOS:Master(config)#

• symbol - displays “gslb” in the CLI prompt after the name of the ACOS device. For
exam- ple:
ACOS-gslb:Master(config)#

history [size] Enables and controls the command history function. The size option specifies the number of
command lines that will be held in the history buffer. You can specify 0-1000.
This is enabled by default, the default size is 256.
length num Sets the number of lines on a screen. You can specify 0-512. Specifying 0 disables pausing.
The default length is 24.
monitor Copies debug output to the current terminal.
This is disabled by default.
width num Sets the width of the display terminal. You can specify 0-512. The setting 0 means “infinite”.
The default width is 80.

page 55 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Default See descriptions.

Mode Privileged EXEC mode

Usage This command affects only the current CLI session. The command is not added to the run-
ning-config and does not persist across reloads or reboots. To make persistent changes,
use the command at the global configuration level. (See “terminal” on page 207.)

Example The following command changes the terminal length to 40:

ACOS#terminal length 40

Example The following example shows the command-timestamp option. Note the “Command
start time” and “Command end time” lines added as the first and last lines of the output:

ACOS#terminal command-timestamp
ACOS#show config-block
Command start time : 1422647248.076561
!Block configuration: 24 bytes
!64-bit Advanced Core OS (ACOS) version 4.0.1, build 98 (Jan-29-
2015,15:55)
!
interface ethernet 1
!
!
end
!Configuration specified in merge mode
Command end time : 1422647248.077418
ACOS#

traceroute
Description Trace a route. See “traceroute” on page 32.

vcs

Description Enter operational commands for configuring ACOS Virtual Chassis System (aVCS).

For more information, refer to the CLI commands in Configuring ACOS Virtual Chassis
Systems.

write force
Description Forces the ACOS device to save the configuration regardless of whether the system is ready.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 56

A10 Thunder Series and AX Series—Command Line Interface

CAUTION: Using this command can result in an incomplete or empty configuration! It is

rec- ommended that you use this command only with the advice of Technical
Support.

Syntax write force [primary | secondary | name]

Parameter Description
primary Write the configuration to the configuration profile stored in the
default primary configuration area.
secondary Write the configuration to the configuration profile stored in the
default secondary configuration area.
name Write the configuration to a specified profile name.

Mode Privileged EXEC and Global configuration

Example Force the ACOS device to save the current configuration to a custom profile called
“custom- prof”:

ACOS#write memory
System is not ready. Cannot save the configuration.
ACOS#write force custom-prof
Building configuration...
Write configuration to profile "custom-prof"
Do you want to link "custom-prof" to startup-config profile? (y/n):n
[OK]
ACOS#

write memory
Description Write the running-config to a configuration profile.

Syntax write memory

[primary | secondary | profile-name]
[all-partitions | partition {shared | part-name}]

page 57 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
primary Replaces the configuration profile stored in the primary
image area with the running-config.
secondary Replaces the configuration profile stored in the secondary
image area with the running-config.
profile-name Replaces the commands in the specified configuration profile
with the running-config.
all-partitions Saves changes for all resources in all partitions.
shared Saves changes only for the resources in the shared partition.
part-name Saves changes only for the resources in the specified L3V partition.

Default If you enter write memory without additional options, the command replaces the
configu- ration profile that is currently linked to by “startup-config” with the commands in
the run- ning-config. If startup-config is set to its default (linked to the configuration
profile stored in the image area that was used for the last reboot), then write
memory replaces the configu- ration profile in the image area with the running-config.

Unless you use the force option, the command checks for system readiness and saves the
configuration only if the system is ready.

Mode Privileged EXEC and Global configuration

Example The following command saves the running-config to the configuration profile stored in
the primary image area of the hard disk:

ACOS#write memory primary

Building configuration...
Write configuration to primary default startup-config
Do you also want to write configuration to secondary default startup-config as well?
(y/n):y
[OK]

Example The following command saves the running-config to a configuration profile named
"slbcon- fig2":

ACOS#write memory slbconfig2

Example The following command attempts to save the running-config but the system is not ready:

ACOS#write memory
ACOS is not ready. Cannot save the configuration.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 58

A10 Thunder Series and AX Series—Command Line Interface

write terminal
Description Display the current running-config on your terminal.

Syntax write terminal

Mode Privileged EXEC and Global configuration

Example Example output from this command (output is truncated for brevity):

ACOS#write terminal
!Current configuration: 2877 bytes
!Configuration last updated at 03:08:11 IST Tue Jul 7 2015
!Configuration last saved at 04:18:08 IST Tue Jul 7 2015
!version 3.2.0-TPS, build 177 (Jun-22-2015,04:56)
!
hostname ACOS
!
clock timezone Europe/Dublin
!
!
...

page 59 | Document No.: 410-P2-CLI-001 - 6/17/2016

A10 Thunder Series and AX Series—Command Line Interface

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 60

Config Commands: Global

This chapter describes the commands for configuring global ACOS parameters.

To access this configuration level, use the configure command at the Privileged EXEC
level. To display global settings, use show commands. (See “Show Commands” on page
237.)

Common commands that are available at all configuration levels (for example, active-partition, backup, clear,
debug, diff, export, health-test, help, import, repeat, show, write) are described in detail elsewhere in this
guide.

The following commands are available:

• aam
• access-list (standard)
• access-list (extended)
• accounting
• admin
• admin-lockout
• admin-session clear
• aflex
• aflex-scripts start
• application-type
• arp
• arp-timeout
• audit
• authentication console type
• authentication enable
• authentication login privilege-mode
• authentication mode
• authentication multiple-auth-reject
• authentication type
• authorization

page 61 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

• backup-periodic
• backup store
• banner
• bfd echo
• bfd enable
• bfd interval
• bgp
• big-buff-pool
• block-abort
• block-merge-end
• block-merge-start
• block-replace-end
• block-replace-start
• boot-block-fix
• bootimage
• bpdu-fwd-group
• bridge-vlan-group
• cgnv6
• class-list (for Aho-Corasick)
• class-list (for IP limiting)
• class-list (for VIP-based DNS caching)
• class-list (for many pools, non-LSN)
• class-list (string)
• class-list (string-case-insensitive)
• configure sync
• copy
• debug
• delete
• disable reset statistics
• disable slb
• disable-failsafe

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 62

A10 Thunder Series and AX Series—Command Line Interface

• disable-management
• dnssec
• do
• enable-core
• enable-management
• enable-password
• end
• environment temperature threshold
• environment update-interval
• erase
• event
• exit
• export-periodic
• fail-safe
• fw
• glid
• glm
• gslb
• hd-monitor enable
• health global
• health monitor
• health-test
• hostname
• hsm template
• icmp-rate-limit
• icmpv6-rate-limit
• import
• import-periodic
• interface
• ip
• ip-list

page 63 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

• ipv6
• key
• l3-vlan-fwd-disable
• lacp system-priority
• lacp-passthrough
• ldap-server
• link
• lldp enable
• lldp management-address
• lldp notification interval
• lldp system-description
• lldp system-name
• lldp tx fast-count
• lldp tx fast-interval
• lldp tx interval
• lldp tx hold
• lldp tx reinit-delay
• locale
• logging auditlog host
• logging buffered
• logging console
• logging disable-partition-name
• logging email buffer
• logging email filter
• logging email-address
• logging export
• logging facility
• logging host
• logging monitor
• logging single-priority
• logging syslog

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 64

A10 Thunder Series and AX Series—Command Line Interface

• logging trap
• mac-address
• mac-age-time
• maximum-paths
• merge-mode-add
• mirror-port
• monitor
• multi-config
• multi-ctrl-cpu
• netflow common max-packet-queue-time
• netflow monitor
• no
• ntp
• object-group network
• object-group service
• overlay-mgmt-info
• overlay-tunnel
• packet-handling
• partition
• partition-group
• ping
• pki copy-cert
• pki copy-key
• pki create
• pki delete
• pki renew-self
• pki scep-cert
• poap
• radius-server
• raid
• rba enable

page 65 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

• rba disable
• rba group
• rba role
• rba user
• restore
• route-map
• router
• router log file
• router log log-buffer
• rule-set
• run-hw-diag
• running-config display
• scaleout
• session-filter
• sflow
• slb
• smtp
• snmp
• so-counters
• sshd
• syn-cookie
• system all-vlan-limit
• system anomaly log
• system attack log
• system cpu-load-sharing
• system ddos-attack
• system glid
• system ipsec
• system log-cpu-interval
• system module-ctrl-cpu
• system per-vlan-limit

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 66

A10 Thunder Series and AX Series—Command Line Interface

• system promiscuous-mode
• system resource-usage
• system template
• system ve-mac-scheme
• system-jumbo-global enable-jumbo
• system-reset
• tacacs-server host
• tacacs-server monitor
• techreport
• terminal
• tftp blksize
• timezone
• tx-congestion-ctrl
• upgrade
• vcs
• ve-stats
• vlan
• vlan-global enable-def-vlan-l2-forwarding
• vlan-global l3-vlan-fwd-disable
• vrrp-a
• waf
• web-category
• web-service
• write

aam

Description See the Application Access Management Guide.

page 67 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

access-list (standard)
Description Configure a standard Access Control List (ACL) to permit or deny source IP addresses.

Syntax [no] access-list acl-num [seq-num]

{permit | deny | l3-vlan-fwd-disable | remark string}
{any | host host-ipaddr | src-ipaddr {filter-mask | /mask-
length}} [log [transparent-session-only]]

Parameter Description
acl-num Standard ACL number (1-99).
seq-num Sequence number of this rule in the ACL. You can use this option to re-sequence the rules
in the ACL.
permit Allows traffic for ACLs applied to interfaces or used for management access.
For ACLS used for IP source NAT, this option is also used to specify the inside host
addresses to be translated into external addresses.
NOTE: If you are configuring an ACL for source NAT, use the permit action. For ACLs
used with source NAT, the deny action does not drop traffic, it simply does not use the
denied addresses for NAT translations.
deny Drops traffic for ACLs applied to interfaces or used for management access.
l3-vlan-fwd-disable Disables Layer 3 forwarding between VLANs for IP addresses that match the ACL rule.
remark string Adds a remark to the ACL. The remark appears at the top of the ACL when you display
it in the CLI.
NOTE: An ACL and its individual rules can have multiple remarks.
To use blank spaces in the remark, enclose the entire remark string in double quotes. The
ACL must already exist before you can configure a remark for it.
any Denies or permits traffic received from any source host.
host host-ipaddr Denies or permits traffic received from a specific, single host.
src-ipaddr Denies or permits traffic received from the specified host or subnet. The filter-mask
{filter-mask | speci- fies the portion of the address to filter:
/mask-length}
• Use 0 to match.
• Use 255 to ignore.
For example, the filter-mask 0.0.0.255 filters on a 24-bit subnet.
Alternatively, you can use /mask-length to specify the portion of the address to filter.
For example, you can specify “/24” instead “0.0.0.255” to filter on a 24-bit subnet.
log [transparent- Configures the ACOS device to generate log messages when traffic matches the ACL.
session-only]
The transparent-session-only option limits logging for an ACL rule to creation
and deletion of transparent sessions for traffic that matches the ACL rule.

Default No ACLs are configured by default. When you configure one, the log option is disabled
by default.

Mode Configuration mode

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 68

A10 Thunder Series and AX Series—Command Line Interface

Usage An ACL can contain multiple rules. Each access-list command configures one rule.
Rules are added to the ACL in the order you configure them. The first rule you add appears
at the top of the ACL.

Rules are applied to the traffic in the order they appear in the ACL (from the top, which is the
first rule, downward). The first rule that matches traffic is used to permit or deny that traffic.
After the first rule match, no additional rules are compared against the traffic.

To move a rule within the sequence, delete the rule, then re-add it with a new sequence
number.

Access lists do not take effect until you apply them.

• To use an ACL to filter traffic on an interface, see the access-list command in

the “Config Commands: Interface” chapter in the Network Configuration Guide.
• To use an ACL to filter traffic on a virtual server port, see “access-list” in the Command
Line Interface Reference for ADC.
• To use an ACL to control management access, see “disable-management” on page
109 and “enable-management” on page 112.
• To use an ACL with source NAT, see the ip nat inside source command
in the “Config Commands: IP” chapter in the Network Configuration Guide.

The syntax shown in this section configures a standard ACL, which filters based on source IP
address. To filter on additional values such as destination address, IP protocol, or TCP/UDP
ports, configure an extended ACL. (See “access-list (extended)” on page 70.)

Support for Non-Contiguous Masks in IPv4 ACLs

A contiguous comparison mask is one that, when converted to its binary format, consists
entirely of ones. A non-contiguous mask, however, contains at least one zero. Table 3
shows some examples of IPv4 addresses with each of the ACL mask types, a contiguous
mask and a non-contiguous mask. The addresses and masks are shown in both their
decimal and binary formats.

The “F” column indicates the format, decimal (D) or binary (B).

TABLE 10 IPv4 Address and Mask Examples

F Address Mask
D 10 10 10 0 0 255 255 255
B 00001010 00001010 00001010 00000000 00000000 11111111 11111111 11111111
D 10 10 10 0 0 255 0 255
B 00001010 00001010 00001010 00000000 00000000 11111111 00000000 11111111
D 172 0 3 0 0 255 255 255
B 10101100 00000000 00000010 00000000 00000000 11111111 11111111 11111111
D 172 0 3 0 0 255 0 255
B 10101100 00000000 00000010 00000000 00000000 11111111 00000000 11111111

The non-contiguous masks are shown in italics.

page 69 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Example The following commands configure a standard ACL and use it to deny traffic sent from
sub- net 10.10.10.x, and apply the ACL to inbound traffic received on Ethernet interface 4:

ACOS(config)#access-list 1 deny 10.10.10.0 0.0.0.255

ACOS(config)#interface ethernet 4
ACOS(config-if:ethernet:4)#access-list 1 in

Example The commands in this example configure an ACL that uses a non-contiguous mask,
and applies the ACLto a data interface:

ACOS(config)#access-list 3 deny 172.0.3.0 0.255.0.255

Info: Configured a non-contiguous subnet mask.*
ACOS(config)#access-list 20 permit any
ACOS(config)#show access-list
access-list 3 4 deny 172.0.3.0 0.255.0.255 Data plane hits: 0
access-list 20 4 permit any Data plane hits: 0
ACOS(config)#interface ethernet 1
ACOS(config-if:ethernet:1)#access-list 3 in

Based on this configuration, attempts to ping or open an SSH session with destination IP
address 172.17.3.130 from source 172.16.3.131 are denied. However, attempts from
172.16.4.131 are permitted.

access-list
(extended)
Description Configure an extended Access Control List (ACL) to permit or deny traffic based on
source and destination IP addresses, IP protocol, and TCP/UDP ports.

Syntax [no] access-list acl-num [seq-num]

{permit | deny | l3-vlan-fwd-disable | remark string} ip

{any | host host-src-ipaddr | object-group src-group-name |

net-src-ipaddr {filter-mask | /mask-length}}

{any | host host-dst-ipaddr | object-group dst-group-name |

net-dst-ipaddr {filter-mask | /mask-length}}

[fragments] [vlan vlan-id] [dscp num]

[log [transparent-session-only]]

or

[no] access-list acl-num [seq-num]

{permit | deny | l3-vlan-fwd-disable | remark string} icmp

[type icmp-type [code icmp-code]]

*.
This message appears a maximum of 2 times within a given CLI session.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 70

A10 Thunder Series and AX Series—Command Line Interface

{any | host host-src-ipaddr | object-group src-group-name |

net-src-ipaddr {filter-mask | /mask-length}}

{any | host host-dst-ipaddr | object-group dst-group-name |

net-dst-ipaddr {filter-mask | /mask-length}}

[fragments] [vlan vlan-id] [dscp num]

[log [transparent-session-only]]

or

[no] access-list acl-num [seq-num]

{permit | deny | l3-vlan-fwd-disable | remark string}
object-group svc-group-name

{any | host host-src-ipaddr | object-group src-group-name |

net-src-ipaddr {filter-mask | /mask-length}}

{any | host host-dst-ipaddr | object-group dst-group-name |

net-dst-ipaddr {filter-mask | /mask-length}}

[fragments] [vlan vlan-id] [dscp num]

[log [transparent-session-only]]

or

[no] access-list acl-num [seq-num]

{permit | deny | l3-vlan-fwd-disable | remark string} {tcp | udp}

{any | host host-src-ipaddr | net-src-ipaddr

{filter-mask | /mask-length}}
[eq src-port | gt src-port | lt src-port |
range start-src-port end-src-port]

{any | host host-dst-ipaddr | net-dst-ipaddr

{filter-mask | /mask-length}}
[eq dst-port | gt dst-port | lt dst-port |
range start-dst-port end-dst-port]

[fragments] [vlan vlan-id] [dscp num][established]

[log [transparent-session-only]]

Parameter Description
acl-num Extended ACL number (100-199).
seq-num Sequence number of this rule in the ACL. You can use this option to re-sequence the
rules in the ACL.
permit Allows traffic that matches the ACL.
deny Drop the traffic that matches the ACL.
l3-vlan-fwd-disable Disables Layer 3 forwarding between VLANs for IP addresses that match the ACL rule.

page 71 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
remark string Adds a remark to the ACL. The remark appears at the top of the ACL when you
display it in the CLI.
NOTE: An ACL and its individual rules can have multiple remarks.
To use blank spaces in the remark, enclose the entire remark string in double quotes.
The ACL must already exist before you can configure a remark for it.
ip Filters on IP packets only.
icmp Filters on ICMP packets only.
tcp | udp Filters on TCP or UDP packets, as specified. These options also allow you to filter
based on protocol port numbers.
object-group Service object group name.
For more information, see “object-group service” on page 167.
type icmp-type This option is applicable if the protocol type is icmp. Matches based on the specified
ICMP type. You can specify one of the following. Enter the type name or the type num-
ber (for example, “dest-unreachable” or “3”).
• any-type – Matches on any ICMP type.
• dest-unreachable, or 3 – destination is unreachable.
• echo-reply, or 0 – echo reply.
• echo-request, or 8 – echo request.
• info-reply, or 16 – information reply.
• info-request, or 15 – information request.
• mask-reply, or 18 – address mask reply.
• mask-request, or 17 – address mask request.
• parameter-problem, or 12 – parameter problem.
• redirect, or 5 – redirect message.
• source-quench, or 4 – source quench.
• time-exceeded, or 11 – time exceeded.
• timestamp, or 14 – timestamp.
• timestamp-reply, or 13 – timestamp reply.

code icmp-code This option is applicable if the protocol type is icmp. Matches based on the specified
ICMP code.
Replace code-num with an ICMP code number (0-254), or specify any-code to
match on any ICMP code.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 72

A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
any | The source IP addresses to filter.
host host-src-ipaddr |
• any - the ACL matches on any source IP address.
net-src-ipaddr {
filter-mask | • host host-src-ipaddr - the ACL matches only on the specified host IP address.
/mask-length} • net-src-ipaddr {filter-mask | /mask-length} - the ACL matches on
any host in the specified subnet. The filter-mask specifies the portion of the
address to fil- ter:
• Use 0 to match.
• Use 255 to ignore.
For example, the filter-mask 0.0.0.255 filters on a 24-bit subnet.
Alternatively, you can use /mask-length to specify the portion of the address to
fil- ter. For example, you can specify “/24” instead “0.0.0.255” to filter on a 24-bit
subnet.
eq src-port | The source protocol ports to filter for TCP and UDP:
gt src-port |
• eq src-port - The ACL matches on traffic from the specified source port.
lt src-port |
range • gt src-port - The ACL matches on traffic from any source port with a
start-src-port
higher number than the specified port.
end-src-port • lt src-port - The ACL matches on traffic from any source port with a lower
num- ber than the specified port.
• range start-src-port end-src-port - The ACL matches on traffic
from any source port within the specified range.

any | The destination IP addresses to filter.

host host-dst-ipaddr |
• any - the ACL matches on any destination IP address.
net-dst-ipaddr {
filter-mask | • host host-dst-ipaddr - the ACL matches only on the specified host IP address.
/mask-length} • net-dst-ipaddr {filter-mask | /mask-length} - the ACL matches on
any host in the specified subnet. The filter-mask specifies the portion of the
address to fil- ter:
• Use 0 to match.
• Use 255 to ignore.
For example, the filter-mask 0.0.0.255 filters on a 24-bit subnet.
Alternatively, you can use /mask-length to specify the portion of the address to
fil- ter. For example, you can specify “/24” instead “0.0.0.255” to filter on a 24-bit
subnet.
eq dst-port | The destination protocol ports to filter for TCP and UDP:
gt dst-port |
• eq src-port - The ACL matches on traffic from the specified destination port.
lt dst-port |
range • gt src-port - The ACL matches on traffic from any destination port with a
start-dst-port
higher number than the specified port.
end-dst-port • lt src-port - The ACL matches on traffic from any destination port with a
lower number than the specified port.
• range start-src-port end-src-port - The ACL matches on traffic
from any destination port within the specified range.

fragments Matches on packets in which the More bit in the header is set (1) or has a non-zero off-
set.
vlan vlan-id Matches on the specified VLAN. VLAN matching occurs for incoming traffic only.
dscp num Matches on the 6-bit Diffserv value in the IP header, 1-63.

page 73 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
established Matches on TCP packets in which the ACK or RST bit is set.
This option is useful for protecting against attacks from outside. Since a TCP connec-
tion from the outside does not have the ACK bit set (SYN only), the connection is
dropped. Similarly, a connection established from the inside always has the ACK bit
set. (The first packet to the network from outside is a SYN/ACK.)
log Configures the ACOS device to generate log messages when traffic matches the ACL.
[transparent-session-
The transparent-session-only option limits logging for an ACL rule to
only]
creation and deletion of transparent sessions for traffic that matches the ACL rule.

Default No ACLs are configured by default. When you configure one, the log option is disabled
by default.

Mode Configuration mode

Usage An ACL can contain multiple rules. Each access-list command configures one rule.
Rules are added to the ACL in the order you configure them. The first rule you add appears
at the top of the ACL.

Rules are applied to the traffic in the order they appear in the ACL (from the top, which is the
first, rule downward). The first rule that matches traffic is used to permit or deny that traffic.
After the first rule match, no additional rules are compared against the traffic.

To move a rule within the sequence, delete the rule, then re-add it with a new sequence
number.

Access lists do not take effect until you apply them:

• To use an ACL to filter traffic on an interface, see the interface command in

the”Con- fig Commands: Interface” chapter in the Network Configuration Guide.
• To use an ACL to filter traffic on a virtual server port, see “access-list” in the Command
Line Interface Reference for ADC.
• To use an ACL with source NAT, see the ip nat inside source command in
“Con- fig Commands: IP” chapter in the Network Configuration Guide.

accounting
Description Configure TACACS+ as the accounting method for recording information about user activi-
ties. The ACOS device supports the following types of accounting:
• EXEC accounting – provides information about EXEC terminal sessions (user shells)
on the ACOS device.
• Command accounting – provides information about the EXEC shell commands exe-
cuted under a specified privilege level. This command also allows you to specify the
debug level.

Syntax [no] accounting exec {start-stop | stop-only} {radius |

tacplus} [no] accounting commands cmd-level stop-only tacplus

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 74

A10 Thunder Series and AX Series—Command Line Interface

[no] accounting debug debug-level

Parameter Description
start-stop Sends an Accounting START packet to TACACS+ servers when a user establishes a CLI
session, and an Accounting STOP packet when the user logs out or the session times out.
stop-only Only sends an Accounting STOP packet when the user logs out or the session times out.
radius | tacplus Specifies the type of accounting server to use.
cmd-level Specifies which level of commands will be accounted:
• 15 (admin) - commands available to the admin (all commands).
• 14 (config) - commands available in config mode (not including the commands of the admin
and those under the admin mode).
• 1 (priv EXEC) - commands available in privileged EXEC mode.
• 0 (user EXEC) - commands available in user EXEC mode.
Command levels 2-13 as the same as command level 1.

debug-level Specifies the debug level for accounting. The debug level is set as flag bits for different types of
debug messages. The ACOS device has the following types of debug messages:
• 0x1 - Common information such as “trying to connect with TACACS+ servers”,
“getting response from TACACS+ servers”; they are recorded in syslog.
• 0x2 - Packet fields sent out and received by ACOS, not including the length fields; they
are printed out on the terminal.
• 0x4 - Length fields of the TACACS+ packets will also be printed on the terminal.
• 0x8 - Information about the TACACS+ MD5 encryption is recorded in syslog.

Default N/A

Mode Configuration mode

Usage The accounting server also must be configured. See “radius-server” on page 175 or “tacacs-
server host” on page 205.

Example The following command configures the ACOS device to send an Accounting START
packet to the previously defined TACACS+ servers when a user establishes a CLI session
on the device. The ACOS device also will send an Accounting STOP packet when a user
logs out or their session times out.

ACOS(config)#accounting exec start-stop tacplus

Example The following command configures the ACOS device to send an Accounting STOP
packet when a user logs out or a session times out.

ACOS(config)#accounting exec stop-only tacplus

Example The following command configures the ACOS device to send an Accounting STOP packet
to TACACS+ servers before a CLI command of level 14 is executed.

page 75 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

ACOS(config)#accounting commands 14 stop-only tacplus

Example The following command specifies debug level 15 for accounting.

ACOS(config)#accounting debug l5

admin
Description Configure an admin account for management access to the ACOS device.

Syntax [no] admin admin-username [password string]

Replace admin-username with the user name of an admin (1-31 characters).

This command changes the CLI to the configuration level for the specified admin account,
where the following admin-related commands are available:

Command Description
access {cli | web | axapi} Specifies the management interfaces through which the admin is allowed to
access the ACOS device.
By default, access is allowed through the CLI, GUI, and aXAPI.
disable Disables the admin account.
By default, admin accounts are enabled when they are added.
enable Enables the admin account.
By default, admin accounts are enabled when they are added.
password string Sets the password, 1-63 characters. Passwords are case sensitive and can con-
tain special characters. (For more information, see “Special Character Support
in Strings” on page 15.)
The default password is “a10”; this is the default for the “admin” account
and for any admin account you configure if you do not configure the
password for the account.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 76

A10 Thunder Series and AX Series—Command Line Interface

Command Description
privilege Sets the privilege level for the account:
{
• read – The admin can access the User EXEC and Privileged EXEC levels
read | of the CLI only.
write |
partition-enable-disable
• write – The admin can access all levels of the CLI.
pertition-name | • partition-read – The admin has read-only privileges within the
partition-read L3V partition to which the admin is assigned, and read-only privileges
partition-name | for the shared partition.
partition-write • partition-write – The admin has read-write privileges within the
partition-name L3V partition to which the admin is assigned. The admin has read-only
} privi- leges for the shared partition.

• partition-enable-disable – The admin has read-only privileges for

real servers, with permission to view service port statistics and to disable
or re-enable the servers and their service ports. No other read-only or
read- write privileges are granted.
• partition-name – The name of the L3V partition to which the admin
is assigned. This option applies only to admins that have privilege level
par- tition-read, partition-write, or partition-enable-
disable.
NOTE: L3V partitions are used in Application Delivery Partitioning (ADP). For
information, see the Configuring Application Delivery Partitions guide.
The default privilege is read.
ssh-pubkey options Manage public key authentication for the admin.
ssh-pubkey import url
Imports the public key onto the ACOS device.
The url specifies the file transfer protocol, username (if required), and direc-
tory path.
You can enter the entire URL on the command line or press Enter to display
a prompt for each part of the URL. If you enter the entire URL and a
password is required, you will still be prompted for the password. The
password can be up to 255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[port:]/file
• scp://[user@]host/file
• sftp://[user@]host/file
ssh-pubkey delete num
Deletes a public key. The num option specifies the key number on the
ACOS device. The key numbers are displayed along with the keys
themselves by the ssh-pubkey list command. (See below.)
ssh-pubkey list
Verifies installation of the public key.

page 77 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Command Description
trusted-host { Specifies the host or subnet address from which the admin is allowed to log
ipaddr onto the ACOS device. The trusted host can be either a single host
{subnet-mask | /mask-length} | (specified with the IP address and subnet mask), or a configured access
access-list acl-id} control list (ACL) on your system.
The default trusted host is 0.0.0.0/0, which allows access from any host or sub-
net.

unlock Unlocks the account. Use this option if the admin has been locked out
due to too many login attempts with an incorrect password. (To configure
lockout parameters, see “admin-lockout” on page 79.)

Default The system has a default admin account, with username “admin” and password “a10”. The
default admin account has write privilege and can log on from any host or subnet address.

Other defaults are described in the descriptions above.

Mode Configuration mode

Usage An additional session is reserved for the “admin” account to ensure access. If the
maximum number of concurrent open sessions is reached, the “admin” admin can still log
in using the reserved session. This reserved session is available only to the “admin”
account.

Example The following commands add admin “adminuser1” with password “1234”:

ACOS(config)#admin adminuser1
ACOS(config-admin:adminuser1)#password 1234

Example The following commands add admin “adminuser3” with password “abcdefgh” and write priv-
ilege, and restrict login access to the 10.10.10.x subnet only:

ACOS(config)#admin adminuser3
ACOS(config-admin:adminuser3)#password abcdefgh
ACOS(config-admin:adminuser3)#privilege write
ACOS(config-admin:adminuser3)#trusted-host 10.10.10.0 /24

Example The following commands configure an admin account for a private partition:

ACOS(config)#admin compAadmin password compApwd

ACOS(config-admin:compAadmin)#privilege partition-write companyA
Modify Admin User successful !

Example The following commands deny management access by admin “admin2” using the CLI or
aXAPI:

ACOS(config)#admin admin2
ACOS(config-admin:admin2)#no access cli
ACOS(config-admin:admin2)#no access axapi

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 78

A10 Thunder Series and AX Series—Command Line Interface

Example The following commands add admin “admin4” with password “examplepassword” and
default privileges, and restricts login access as defined by access list 2. The show output
con- firms that “ACL 2” is the trusted host:

ACOS(config)#admin admin4 password examplepassword

ACOS(config-admin)#trusted-host access-list 2
Modify Admin User successful!
ACOS(config-admin)#show admin admin4 detail
User Name...................admin4
Status......................Enabled
Privilege...................R
Partition ......
Access type ...... cli web axapi
GUI role....................ReadOnlyAdmin
Trusted Host(Netmask) ...... ACL
2 Lock Status...............No
Lock Time ......
Unlock Time ......
Password Type...............Encrypted
Password....................$1$492b642f$/XuVOTmSOUskpvZsds5Xy0

admin-lockout
Description Set lockout parameters for admin sessions.

Syntax [no] admin-lockout

{duration minutes | enable | reset-time minutes | threshold number}

Parameter Description
duration minutes Number of minutes a lockout remains in effect. After the lock-
out times out, the admin can try again to log in. You can
specify 0-1440 minutes. To keep accounts locked until you or
another authorized administrator unlocks them, specify 0.
The default duration is 10 minutes.
enable Enables the admin lockout feature.
The lockout feature is disabled by default.
reset-time minutes Number of minutes the ACOS device remembers failed login
attempts. You can specify 1-1440 minutes.
The default reset time is 10 minutes.
threshold number Number of consecutive failed login attempts allowed before
an administrator is locked out. You can specify 1-10.
The default threshold is 5.

page 79 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Default See descriptions.

Example The following command enables admin lockout:

ACOS(config)#admin-lockout enable

admin-session clear
Description Terminate admin sessions.

Syntax admin-session clear {all | session-id}

Parameter Description
all Clears all other admin sessions with the ACOS device except
yours.
session-id Clears only the admin session you specify.
To display a list of active admin sessions, including their ses-
sion IDs, use the show admin session command (see
show admin for more information).

Default N/A

Mode Configuration mode

aflex
Description Configure and manage aFleX policies.

For complete information and examples for configuring and managing aFleX policies, see
the aFleX Scripting Language Reference Guide.

Syntax aflex {
check name |
copy src-name dst-name |
create name |
delete name |
help |

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 80

A10 Thunder Series and AX Series—Command Line Interface

rename src-name dst-name

}

Parameter Description
check Check the syntax of the specified aFleX script.
copy Copy the src-name aFleX script to dst-name.
create Create an aFleX script with the specified name.
delete Delete the specified aFleX script.
help View aFleX help.
rename Rename an aFleX script from src-name to dst-name.

Mode Global configuration mode

aflex-scripts start
Description Begin a transaction to edit an aFleX script within the CLI. See the aFleX Scripting
Language Reference Guide.

application-type
Description Define the type of application (ADC or CGN) that will be configured in this partition,
includ- ing the shared partition.

For more information, refer to the Configuration Application Delivery Partitions guide.

page 81 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

arp

Description Create a static ARP entry.

Syntax [no] arp ipaddr mac-address

[interface {ethernet port-num | trunk trunk-id} [vlan vlan-id]]

Parameter Description
ipaddr IP address of the static entry.
mac-address MAC address of the static entry.
port-num Ethernet port number.
trunk-id Trunk ID number.
vlan-id If the ACOS device is deployed in transparent mode, and the
interface is a tagged member of multiple VLANs, use this option to
specify the VLAN for which to add the ARP entry.

Default The default timeout for learned entries is 300 seconds. Static entries do not time out.

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
com- mand to specify the device in the chassis to which to apply this command.

arp-timeout
Description Change the aging timer for dynamic ARP entries.

Syntax [no] arp-timeout seconds

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 82

A10 Thunder Series and AX Series—Command Line Interface

Replace seconds with the number of seconds a dynamic entry can remain unused
before being removed from the ARP table (60-86400).

Default 300 seconds (5 minutes)

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
com- mand to specify the device in the chassis to which to apply this command.

audit
Description Configure command auditing.

Syntax [no] audit {enable [privilege] | size num-entries}

Parameter Description
enable Enables command auditing.
Command auditing is disabled by default.
privilege Enables logging of Privileged EXEC commands. Without this option,
only configuration commands are logged.
num-entries Specifies the number of entries the audit log file can hold. You can
specify 1000-30000 entries. When the log is full, the oldest entries
are removed to make room for new entries.
When the feature is enabled, the audit log can hold 20,000 entries by
default.

Mode Configuration mode

Usage Command auditing logs the following types of system management events:
• Admin logins and logouts for CLI, GUI, and aXAPI sessions
• Unsuccessful admin login attempts
• Configuration changes. All attempts to change the configuration are logged, even if
they are unsuccessful.
• CLI commands at the Privileged EXEC level (if audit logging is enabled for this level)

The audit log is maintained in a separate file, apart from the system log. The audit log is
ADP- aware. The audit log messages that are displayed for an admin depend upon the
admin’s role (privilege level). Admins with Root, Read Write, or Read Only privileges who
view the audit log can view all the messages, for all system partitions.

Admins who have privileges only within a specific partition can view only the audit
log messages related to management of that partition. Partition Real Server
Operator admins can not view any audit log entries.

NOTE: Backups of the system log include the audit log.

page 83 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

authentication console type

Description Configure a console authentication type.

Syntax [no] authentication console type {ldap | local | radius | tacplus}

Parameter Description
ldap Use LDAP for console authentication
local Use the ACOS configuration for console authentication.
radius Use RADIUS for console authentication.
tacplus Use TACACS+ for console authentication.

Mode Configuration mode

Usage You can specify as many options as needed.

Example The following example grants LDAP and local console authentication:

ACOS(config)# authentication console type ldap local

authentication enable
Description Configuration authentication of admin enable (Privileged mode) access.

Syntax [no] authentication enable {local [tacplus] | tacplus [local]}

Parameter Description
local Uses the ACOS configuration for authentication of the enable password.
tacplus Uses TACACS+ for authentication of the enable password.

Default local

Mode Configuration mode

Usage The authentication enable command operates differently depending on the

authen- tication mode command setting:
• For authentication mode multiple, the ACOS device will attempt to
authenti- cate the admin with the first specified method. If the first method fails, the
next speci- fied method is used.
• For authentication mode single, the ACOS device will attempt to authenticate
the admin with the first specified method. If the method fails, the ACOS device will
return an error. By default, authentication mode single is selected.

See “authentication mode” on page 85.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 84

A10 Thunder Series and AX Series—Command Line Interface

authentication login privilege-mode

Description Places TACACS+-authenticated admins who log into the CLI at the Privileged EXEC level
of the CLI instead of at the User EXEC level.

Syntax [no] authentication login privilege-mode

Default Disabled

Mode Configuration mode

authentication mode
Description Enable tiered authentication.

Syntax [no] authentication mode {multiple | single}

Parameter Description
multiple Enable “tiered” authentication, where the ACOS device will check the next method even if the primary
method does respond but authentication fails using that method.
For example, if the primary method is RADIUS and the next method is TACACS+, and RADIUS
rejects the admin, tiered authentication attempts to authenticate the admin using TACACS+.
This authentication behavior is summarized below:
1. Try method1. If a method1 server replies, permit or deny access based on the server reply.
2. If no method1 servers reply or a method1 server denies access, try method2.
3. If no method2 servers reply or a method2 server denies access, try method3.
4. If no method3 servers reply or a method3 server denies access, try method4. If authentication
suc- ceeds, the admin is permitted. Otherwise, the admin is denied.
single Enable single authentication mode, where the backup authentication method will only be used if the
primary method does not respond. If the primary method does respond but denies access, then the
secondary method is simply not used. The admin is not granted access.
This authentication behavior is summarized below:
1. Try method1. If a method1 server replies, permit or deny access based on the server reply.
2. Only if no method1 servers reply, try method2. If a method2 server replies, permit or deny
access based on the server reply.
3. Only if no method2 servers reply, try method3. If a method3 server replies, permit or deny
access based on the server reply.
4. Only if no method3 servers reply, try method4. If authentication succeeds, the admin is
permitted. Otherwise, the admin is denied.

Default By default, single authentication mode is used.

Mode Configuration mode

page 85 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

authentication multiple-auth-reject
Description Configure support for multiple concurrent admin sessions using the same account.

Syntax [no] authentication multiple-auth-reject

Default Disabled. Multiple concurrent admin sessions using the same account are allowed.

Mode Global configuration

authentication type
Description Set the authentication method used to authenticate administrative access to the ACOS
device.

Syntax [no] authentication [console] type method1

[method2 [method3 [method4]]]

Parameter Description
console Applies the authentication settings only to access through the
con- sole (serial) port. Without this option, the settings apply to all
types of admin access.
type method1 Uses the ACOS configuration for authentication. If the administrative
[method2 username and password match an entry in the configuration, the
[method3 administrator is granted access.
[method4]]]
The following authentication types are supported:
• ldap—Uses an external LDAP server for authentication.
• local—Uses the ACOS configuration for authentication. If the
administrative username and password match an entry in the con-
figuration, the administrator is granted access.
• radius—Uses an external RADIUS server for authentication.
• tacplus—Uses an external TACACS+ server for authentication.
By default, only local authentication is used.

Default By default, only local authentication is used.

Mode Configuration mode

Usage The local database (local option) must be included as one of the authentication
sources, regardless of the order is which the sources are used. Authentication using only
a remote server is not supported.

To configure the external authentication server(s), see “radius-server” on page 175 or “tacacs-
server host” on page 205.

Example The following commands configure a pair of RADIUS servers and configure the ACOS
device to try them first, before using the local database. Since 10.10.10.12 is added first,
this server

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 86

A10 Thunder Series and AX Series—Command Line Interface

will be used as the primary server. Server 10.10.10.13 will be used only if the primary server
is unavailable. The local database will be used only if both RADIUS servers are unavailable.

ACOS(config)#radius-server host 10.10.10.12 secret

radp1 ACOS(config)#radius-server host 10.10.10.13
secret radp2 ACOS(config)#authentication type radius
local

authorization
Description Configure authorization for controlling access to functions in the CLI. The ACOS device
can use TACACS+ for authorizing commands executed under a specified privilege level.
This command also allows the user to specify the level for authorization debugging.

Syntax [no] authorization commands cmd-level method {tacplus [none] |

none} [no] authorization debug debug-level

Parameter Description
cmd-level Specifies the level of commands that will be authorized. The com-
mands are divided into the following levels:
• Privilege 0: Read-only
• Privilege 1: Read-write
• Privilege 2–4: Not-used
• Privilege 5–14: Reserved for ACOS-specific roles
• Privilege 15: Read-write

tacplus Specifies TACACS+ as the authorization method. (If you omit

this option, you must specify none as the method, in which
case no authorization will be performed.)
tacplus none If all the TACACS+ servers fail to respond, then no further
authorization will be performed and the command is allowed to
execute.
none No authorization will be performed.
debug-level Specifies the debug level for authorization. The debug level is set as
flag bits for different types of debug messages. The ACOS device
has the following types of debug messages:
• 0x1 – Common system events such as “trying to connect with
TACACS+ servers” and “getting response from TACACS+
servers”. These events are recorded in the syslog.
• 0x2 – Packet fields sent out and received by the ACOS device, not
including the length fields. These events are written to the terminal.
• 0x4 – Length fields of the TACACS+ packets will also be
displayed on the terminal.
• 0x8 – Information about TACACS+ MD5 encryption will be
sent to the syslog.

page 87 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Default Not set

Mode Configuration mode

Usage The authorization server also must be configured. See “radius-server” on page 175 or “tacacs-
server host” on page 205.

Example The following command specifies the authorization method for commands executed at
level 14: try TACACS+ first but if it fails to respond, then allow the command to execute
with- out authorization.

ACOS(config)# authorization commands 14 method tacplus none

The following command specifies debug level 15 for authorization:

ACOS(config)# authorization debug l5

backup-periodic
Description Schedule periodic backups.

CAUTION: After configuring this feature, make sure to save the configuration. If the device
resets before the configuration is saved, the backups will not occur.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 88

A10 Thunder Series and AX Series—Command Line Interface

Syntax [no] backup-periodic {target [...]}

{hour num | day num | week num}
{[use-mgmt-port] url}

Parameter Description
target • Specify system to back up the following system files:
• Startup-config files
• Admin accounts and login and enable passwords
• aFleX scripts
• Class lists and black/white lists
• Scripts for external health monitors
• SSL certificates, keys, and certificate revocation lists
• If custom configuration profiles are mapped to the startup-config, they also are backed up.
• Specify log to back up the system log.
You can specify either option, or both options.

hour num | Specifies how often to perform the back ups. You can specify one of the following:
day num |
• hour num—Performs the backup each time the specified number of hours passes. For example,
week num specifying hour 3 causes the backup to occur every 3 hours. You can specify 1-65534 hours.
There is no default.
• day num—Performs the backup each time the specified number of days passes. For example,
specifying day 5 causes the backup to occur every 5 days. You can specify 1-199 days. There is
no default.
• week num—Performs the backup each time the specified number of weeks passes. For
example, specifying week 4 causes the backup to occur every 4 weeks. You can specify 1-
199 weeks. There is no default.

use-mgmt-port Uses the management interface as the source interface for the connection to the remote
device. The management route table is used to reach the device. Without this option, the
ACOS device attempts to use the data route table to reach the remote device through a data
interface.
url Specifies the file transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter to display a prompt for each
part of the URL. If you enter the entire URL and a password is required, you will still be prompted
for the password. The password can be up to 255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file

Default Not set

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
com- mand to specify the device in the chassis to which to apply this command.

Example The following commands schedule weekly backups of the entire system, verify the configu-
ration, and save the backup schedule to the startup-config:

page 89 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

ACOS(config)#backup-periodic system week 1 ftp://[email protected]/weekly-sys-backup

Password []?<characters not shown>
Do you want to save the remote host information to a profile for later use?[yes/no]yes
Please provide a profile name to store remote url:wksysbackup
ACOS(config)#show backup
backup periodically system week 1 ftp://[email protected]//weekly-sys-backup
Next backup will occur at 14:37:00 PDT Thu Aug 19 2014
ACOS(config)#write
memory Building
configuration... [OK]

backup store
Description Configure and save file access information for backup. When you back up system
informa- tion, you can save typing by specifying the name of the store instead of the
options in the store.

Syntax [no] backup store {create store-name url | delete store-name}

Parameter Description
store-name Name of the store.
url File transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter to
display a prompt for each part of the URL. If you enter the entire
URL and a password is required, you will still be prompted for the
pass- word. The password can be up to 255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[port:]/file
• scp://[user@]host/file
• sftp://[user@]host/file

Default None

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
com- mand to specify the device in the chassis to which to apply this command.

For other backup options, see the following:

• “backup log” on page 36

• “backup system” on page 38
• “backup-periodic” on page 88

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 90

A10 Thunder Series and AX Series—Command Line Interface

Related Commands restore

banner
Description Set the banners to be displayed when an admin logs onto the CLI or accesses the
Privileged EXEC mode.

Syntax [no] banner {exec | login} [multi-line end-marker] line

Parameter Description
exec Configures the EXEC mode banner (1-128 characters).
login Configures the login banner (1-128 characters).
multi-line Hexadecimal number to indicate the end of a multi-line message. The
end-marker end marker is a simple string up to 2-characters long, each of the
which must be an ASCII character from the following range: 0x21-
0x7e.
The multi-line banner text starts from the first line and ends at the
marker. If the end marker is on a new line by itself, the last line of
the banner text will be empty. If you do not want the last line to be
empty, put the end marker at the end of the last non-empty line.

line Specifies the banner text.

Default The default login banner is “ACOS system is ready now.”

The default EXEC banner is “[type ? for help]”.

Mode Configuration mode

Example The following examples set the login banner to “welcome to login mode” and set the
EXEC banner to a multi-line greeting:

ACOS(config)#banner exec welcome to exec mode

ACOS(config)#banner login multi-line bb
Enter text message, end with string 'bb'.
Here is a multi-line
Greeting.
bb
ACOS(config)#

page 91 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

bfd echo
Description Enables echo support for Bidirectional Forwarding Detection (BFD).

Syntax [no] bfd echo

Default Disabled

Mode Configuration mode

Usage BFD echo enables a device to test data path to the neighbor and back. When a device
gener- ates a BFD echo packet, the packet uses the routing link to the neighbor device to
reach the device. The neighbor device is expected to send the packet back over the same
link.

bfd enable
Description Globally enable BFD packet processing.

Syntax [no] bfd enable

Default Disabled

Mode Configuration mode

bfd interval
Description Configure BFD timers.

Syntax [no] bfd interval ms min-rx ms multiplier num

Parameter Description
interval ms Rate at which the ACOS device sends BFD control packets to its BFD neighbors. You can
specify 48-1000 milliseconds (ms). The default is 800 ms.
min-rx ms Minimum amount of time in milliseconds that the ACOS device waits to receive a BFD control
packet from a BFD neighbor. If a control packet is not received within the specified time, the
multiplier (below) is incremented by 1. You can specify 48-1000 ms. The default is 800 ms.
multiplier num Maximum number of consecutive times the ACOS device will wait for a BFD control packet
from a neighbor. If the multiplier value is reached, the ACOS device concludes that the routing
process on the neighbor is down. You can specify 3-50. The default is 4

Usage If you configure the interval timers on an individual interface, then the interface settings are
used instead of the global settings. Similarly, if the BFD timers have not been configured
on an interface, then the interface will use the global settings.

NOTE: BFD always uses the globally configured interval timer if it's for a BGP loopback
neighbor.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 92

A10 Thunder Series and AX Series—Command Line Interface

bgp

Description Information about BGP CLI commands is located in the “Config Commands: Router - BGP”
chapter in the Network Configuration Guide.

big-buff-pool
Description On high-end models only, you can enable the big-buff-pool option to expand
support from 4 million to 8 million buffers and increase the buffer index from 22 to 24 bits.

NOTE: The AX 5200-11 requires 96 Gb of memory to support this feature. To check that
your system meets this requirement, use the show memory system CLI com-
mand.

Syntax [no] big-buff-pool

Default Disabled

Mode Configuration mode

Example The following commands enable a larger I/O buffer pool for an AX 5630:

ACOS(config)#no big-buff-pool
This will modify your boot profile to disable big I/O buffer pool.
It will take effect starting from the next reboot.
Please confirm: You want to disable the big I/O buffer pool(N/Y)?:
Y

block-abort

Description Use this command to exit block-merge or block-replace mode without implementing
the new configurations made in block mode.

Syntax block-abort

Default N/A

Mode Block-merge or block-replace configuration mode

Usage Use this command to discard any changes you make while in block-merge or block-replace
mode. In order to exit block mode without committing the new configuration changes, use
block-abort. This command must be entered before block-merge-end or block-
replace-end in order for all block configuration changes to be deleted. This command
ends block configuration mode.

block-merge-end

page 93 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Description Use this command to exit block-merge mode and integrate new configurations into the
cur- rent running config.

Syntax block-merge-end

Default N/A

Mode Block-merge configuration mode

Usage This command exits block-merge configuration mode and merges all of your new configura-
tion with the existing running configuration. In the case of overlapping configurations, the
new configuration will be used and any child instances will be deleted. Any old configura-
tions which are not replaced in block-merge mode will remain in the running configuration
after this command is entered. The new configurations are merged into the running configu-
ration without disturbing live traffic.

block-merge-start
Description Use this command to enter block-merge configuration mode.

Syntax block-merge-start

This command takes you to the Block-merge configuration level, where all configuration
commands are available.

Default Disabled.

Mode Global configuration mode.

Usage This command enters block-merge configuration mode but leaves the ACOS device up.
While in block-merge mode, new configurations will not be entered into the running
config- uration. At the block-merge configuration level, you can enter new configurations
which you want to merge into the running configuration. Any configuration that overlaps
with the cur- rent running configuration will be replaced when ending block-merge
mode. Any configura- tions in the running config which are not configured in block-
merge mode will continue to be included in the running configuration mode after exiting
block-merge mode.

block-replace-end
Description Enter this command to end block-replace configuration mode and replace the current
run- ning configuration with the new configurations.

Syntax block-replace-end

Default N/A

Mode Block-replace configuration mode.

Usage This command exits block-replace configuration mode and replaces all of your existing
con- figuration with the new configuration. Any old configurations which are not
replaced in block-replace mode will be removed in the running configuration after this
command is

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 94

A10 Thunder Series and AX Series—Command Line Interface

entered. The new configurations become the running configuration without disturbing live
traffic.

block-replace-start
Description Use this command to enter block-replace configuration mode.

Syntax block-replace-start

This command takes you to the Block-replace configuration level, where all configuration
commands are available.

Default Disabled.

Mode Global configuration mode.

Usage This command enters block-replace configuration mode but leaves the ACOS device up.
While in block-replace mode, new configurations will not be entered into the running con-
figuration. At the block-replace configuration level, you can enter a new configuration
which you want to replace the running configuration. All of the running configuration will
be replaced when ending block-merge mode. If an object that exists in the running
configura- tion is not configured in block-replace, then all configurations for that object will
be removed upon ending block-replace mode.

boot-block-fix
Description Repair the master boot record (MBR) on the hard drive or compact flash.

Syntax boot-block-fix {cf | hd}

Parameter Description
cf Repair the compact flash.
hd Repair the hard disk.

Default N/A

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
com- mand to specify the device in the chassis to which to apply this command.

Usage The MBR is the boot sector located at the very beginning of a boot drive. Under
advisement from A10 Networks, you can use the command if your compact flash or hard
drive cannot boot. If this occurs, boot from the other drive, then use this command.

page 95 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

bootimage
Description Specify the boot image location from which to load the system image the next time the
ACOS device is rebooted.

Syntax bootimage {cf pri | hd {pri | sec}}

Parameter Description
cf | hd Boot medium. The ACOS device always tries to boot using the hard
disk (hd) first. The compact flash (cf ) is used only if the hard disk is
unavailable.
pri | sec Boot image location, primary or secondary.

Default The default location is primary, for both the hard disk and the compact flash.

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
com- mand to specify the device in the chassis to which to apply this command.

Example The following command configures the ACOS device to boot from the secondary image
area on the hard disk the next time the device is rebooted:

ACOS(config)# bootimage hd sec

Secondary image will be used if system is booted from hard disk
ACOS(config)#

bpdu-fwd-group
Description Configure a group of tagged Ethernet interfaces for forwarding Bridge Protocol Data Units
(BPDUs). BPDU forwarding groups enable you to use the ACOS device in a network that
runs Spanning Tree Protocol (STP).

A BPDU forwarding group is a set of tagged Ethernet interfaces that will accept and
broadcast STP BPDUs among themselves. When an interface in a BPDU forwarding group
receives an STP BPDU (a packet addressed to MAC address 01-80-C2-00-00-00), the
interface broadcasts the BPDU to all the other interfaces in the group.

Syntax [no] bpdu-fwd-group group-num

Replace group-num with the BPDU forwarding group number (1-8).

If the ACOS device is a member of an aVCS virtual chassis, specify the group number as
follows: DeviceID/group-num

This command changes the CLI to the configuration level for the BPDU forwarding group,
where the following command is available.

[no] ethernet portnum [to portnum] [ethernet portnum]

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 96

A10 Thunder Series and AX Series—Command Line Interface

This command enables you to specify the ethernet interfaces you want to add to the
BPDU forwarding group.

Default None

Mode Configuration mode

Usage This command is specifically for configuring VLAN-tagged interfaces to accept and forward
BPDUs.

Rules for trunk interfaces:

• BPDUs are broadcast only to the lead interface in the trunk.

• If a BPDU is received on an Ethernet interface that belongs to a trunk, the BPDU is
not broadcast to any other members of the same trunk.

Example The following commands create BPDU forwarding group 1 containing Ethernet ports 1-3,
and verify the configuration:

ACOS(config)# bpdu-fwd-group 1
ACOS(config-bpdu-fwd-group:1)# ethernet 1 to 3
ACOS(config-bpdu-fwd-group:1)# show bpdu-fwd-group
BPDU forward Group 1 members: ethernet 1 to 3

bridge-vlan-group

Description Configure a bridge VLAN group for VLAN-to-VLAN bridging.

Syntax [no] bridge-vlan-group group-num

Replace group-num with the bridge VLAN group number.

If the ACOS device is a member of an aVCS virtual chassis, specify the group number as
follows: DeviceID/group-num

This command changes the CLI to the configuration level for the specified bridge VLAN
group, where the following configuration commands are available:

Command Description
forward-all-traffic Configures the bridge VLAN group to be able to forward all kinds of
traffic.
forward-ip-traffic Configures the bridge VLAN group to be able to typical traffic
between hosts, such as ARP requests and responses.
This is the default setting.
[no] name string Specifies a name for the group. The string can be 1-63 characters
long. If the string contains blank spaces, use double quotation marks
around the entire string.
There is no default name set.

page 97 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Command Description
[no] router-interface ve num Adds a Virtual Ethernet (VE) interface to the group. This command is
applicable only on ACOS devices deployed in routed (gateway)
mode. The VE number must be the same as the lowest numbered
VLAN in the group.
By default this is not set.
[no] vrid num Configure a VRID for the bridge VLAN group; this can be used
with additional groups sharing the same VRID in VRRP-A
configurations.
[no] vlan vlan-id Adds VLANs to the group.
[vlan vlan-id ... | to vlan vlan-id]
By default this is not set.

Default By default, the configuration does not contain any bridge VLAN groups. When you create
a bridge VLAN group, it has the default settings described above.

Mode Configuration mode

Usage VLAN-to-VLAN bridging is useful in cases where reconfiguring the hosts on the
network either into the same VLAN, or into different IP subnets, is not desired or is
impractical.

In bridge VLAN group configurations, the VE number must be the same as the lowest
numbered VLAN in the group.

Example For more information, including configuration notes and examples, see the “VLAN-to-VLAN
Bridging” chapter in the System Configuration and Administration Guide.

cgnv6
Description CGN and IPv6 migration commands.

For more information about these commands, refer to the Command Line Interface Reference
(for CGN).

class-list (for Aho-Corasick)

Description Configure an Aho-Corasick class list. This type of class list can be used to match on Server
Name Indication (SNI) values.

Syntax [no] class-list list-name ac [file filename]

Parameter Description
list-name Adds the list to the running-config.
ac Identifies this as an Aho-Corasick class list.
filename Saves the list to a standalone file on the ACOS device.

NOTE: A class list can be exported only if you use the file option.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 98

A10 Thunder Series and AX Series—Command Line Interface

This command changes the CLI to the configuration level for the specified class list, where
the following commands are available:

Command
[no] contains sni-string
[no] ends-with sni-string
[no] equals sni-string
[no] starts-with sni-string
Description
Matches if the specified string appears anywhere within the SNI value.
Matches only if the SNI value ends with the specified string.
Matches only if the SNI value completely matches the specified string.
Matches only if the SNI value starts with the specified string.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 61.)

Default None

Mode Configuration mode

Usage The match options are always applied in the following order, regardless of the order in
which the rules appear in the configuration.
• Equals
• Starts-with
• Contains
• Ends-with

If a template has more than one rule with the same match option (equals, starts-with,
contains, or ends-with) and an SNI value matches on more than one of them, the most-
specific match is always used.

If you delete a file-based class list (no class-list list-name), save the configuration
(“write memory” on page 57) to complete the deletion.

class-list (for IP limiting)

Description Configure an IP class list for use with the IP limiting feature.

Syntax [no] class-list list-name

[ac | dns | ipv4 | ipv6 | string | string-case-insensitive]
[file filename]

Parameter Description
list-name Adds the list to the running-config.
ac Identifies this as an Aho-Corasick class list.
dns Identifies this as a DNS class list.
ipv4 | ipv6 Identifies this as an IPv4 or IPv6 class list.
string Identifies this as a string class list.

page 99 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
string-case-insensitive Identifies this as a case-insensitive string class list.
file filename Saves the list to a standalone file on the ACOS device.

NOTE: A class list can be exported only if you use the file option.

This command changes the CLI to the configuration level for the specified class list, where
the following command is available:

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 61.)

[no] {ipaddr/network-mask | ipv6-addr/prefix-length}

[glid num | lid num]

This command adds an entry to the class list.

Parameter
ipaddr /network-mask
ipv6-addr/subnet-length
glid num | lid num
Description
Specifies the IPv4 host or subnet address of the client. The network-mask specifies
the network mask.
To configure a wildcard IP address, specify 0.0.0.0 /0. The wildcard address
matches on all addresses that do not match any entry in the class list.
Specifies the IPv6 host or network address of the client.
Specifies the ID of the IP limiting rule to use for matching clients. You can use a
sys- tem-wide (global) IP limiting rule or an IP limiting rule configured in a PBSLB
policy template.
• To use an IP limiting rule configured at the Configuration mode level, use the
glid num option.
• To use an IP limiting rule configured at the same level (in the same PBSLB
policy template) as the class list, use the lid num option.
To exclude a host or subnet from being limited, do not specify an IP limiting rule.

Default None

Mode Configuration mode

Usage Configure the GLIDs or LIDs before configuring the class list entries. To configure a GLID
or LID for IP limiting, see “glid” on page 123 or “slb template policy” in the Command Line
Inter- face Reference for ADC.

As an alternative to configuring class entries on the ACOS device, you can configure the
class list using a text editor on another device, then import the class list onto the ACOS
device. To import a class list, see “import” on page 46.

NOTE: If you use a class-list file that is periodically re-imported, the age for class-list entries
added to the system from the file does not reset when the class-list file is re-

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 100

A10 Thunder Series and AX Series—Command Line Interface

imported. Instead, the entries are allowed to continue aging normally. This is by
design.

For more information about IP limiting, see the DDoS Mitigation Guide (for ADC).

If you delete a file-based class list (no class-list list-name), save the configuration
(“write memory” on page 57) to complete the deletion.

Request Limiting and Request-Rate Limiting in Class Lists

If a LID or GLID in a class list contains settings for request limiting or request-rate limiting, the
settings apply only if the following conditions are true:

1. The LID or GLID is used within a policy template.

2. The policy template is bound to a virtual port.

In this case, the settings apply only to the virtual port. The settings do not apply in any of
the following cases:

• The policy template is applied to the virtual server, instead of the virtual port.
• The settings are in a system-wide GLID.
• The settings are in a system-wide policy template.

NOTE: This limitation does not apply to connection limiting or connection-rate limiting.
Those settings are valid in all the cases listed above.

Example The following commands configure class list “global”, which matches on all clients, and
uses IP limiting rule 1:

ACOS(config)#class-list global
ACOS(config-class list)#0.0.0.0/0 glid 1

class-list (for VIP-based DNS caching)

Description Configure an IP class list for use VIP-based DNS caching.

Syntax class-list list-name dns [file filename]

Parameter Description
list-name Adds the list to the running-config.
dns Identifies this list as a DNS class list.
file filename Saves the list to a file.

This command changes the CLI to the configuration level for the specified class list, where
the following command is available:

[no] dns match-option domain-string lid num

page 101 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

This command specifies the match conditions for domain strings and maps matching
strings to LIDs.

Parameter Description
match-option Specifies the match criteria for the domain-string. The match-option
can be one of the following:
• dns contains – The entry matches if the DNS request is
for a domain name that contains the domain-string anywhere
within the requested domain name.
• dns starts-with – The entry matches if the DNS request is
for a domain name that begins with the domain-string.
• dns ends-with – The entry matches if the DNS request is for
a domain name that ends with the domain-string.
domain-string Specifies all or part of the domain name on which to match. You
can use the wildcard character * (asterisk) to match on any
single character.
For example, “www.example*.com” matches on all the following
domain names: www.example1.com, www.example2.com,
www.examplea.com, www.examplez.com, and so on.
For wildcard matching on more than one character, you can use the
dns contains, dns starts-with, and dns ends-with
options. For example, “dns ends-with example.com” matches on
both abc.example.com and www.example.com.

lid num Specifies a list ID (LID) in the DNS template. LIDs contain DNS cach-
ing policies. The ACOS device applies the DNS caching policy in the
specified LID to the domain-string.

(The other commands are common to all CLI configuration levels. See “Config
Commands: Global” on page 61.)

Default None

Mode Configuration mode

Usage Configure the LIDs before configuring the class-list entries. LIDs for DNS caching can be con-
figured in DNS templates. (See “slb template dns” in the Command Line Interface Reference
for ADC.

As an alternative to configuring class entries on the ACOS device, you can configure the
class list using a text editor on another device, then import the class list onto the ACOS
device. To import a class list, see “import” on page 46.

If you delete a file-based class list (no class-list list-name), save the configuration
(“write memory” on page 57) to complete the deletion.

Example See the “DNS Optimization and Security” chapter in the Application Delivery and Server
Load Balancing Guide.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 102

A10 Thunder Series and AX Series—Command Line Interface

class-list (for many pools, non-LSN)

Description Configure IP class lists for deployment that use a large number of NAT pools.

Syntax [no] class-list list-name [ipv4 | ipv6] [file filename]

Parameter Description
list-name Adds the list to the running-config.
file filename Saves the list to a standalone file on the ACOS device.
ipv4 | ipv6 Identifies this list as an IPv4 or IPv6 class list.

This command changes the CLI to the configuration level for the specified class list, where
the following commands are available.

[no] ipaddr /network-mask glid num

This command specifies the inside subnet that requires the NAT.

Parameter Description
/network-mask Specify the network mask.
To configure a wildcard IP address, specify 0.0.0.0 /0. The
wildcard address matches on all addresses that do not match
any entry in the class list.
glid num Specify the global LID that refers to the pool.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 61.)

Default None

Mode Configuration mode

Usage First configure the IP pools. Then configure the global LIDs. In each global LID, use the use-
nat-pool pool-name command to map clients to the pool. Then configure the class list
entries.

As an alternative to configuring class entries on the ACOS device, you can configure the
class list using a text editor on another device, then import the class list onto the ACOS
device. To import a class list, see “import” on page 46.

If you delete a file-based class list (no class-list list-name), save the configuration
(“write memory” on page 57) to complete the deletion.

Example See the “Configuring Dynamic IP NAT with Many Pools” section in the “Network Address
Translation” chapter of the System Configuration and Administration Guide.

page 103 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

class-list (string)
Description Configure a class list that you can use to modify aFleX scripts, without he need to edit
the script files themselves.

Syntax [no] class-list list-name [file filename] [string]

Parameter Description
list-name Adds the list to the running-config.
file filename Saves the list to a standalone file on the ACOS device.
string Identifies this as a string class list.

Mode Global configuration

Usage A class list can be exported only if you use the file option.

If you delete a file-based class list (no class-list list-name), save the configuration
(“write memory” on page 57) to complete the deletion.

For more information, see the aFleX Scripting Language Reference.

class-list (string-case-insensitive)
Description Configure a cast-insensitive class list that you can use to modify aFleX scripts, without he
need to edit the script files themselves.

Syntax [no] class-list list-name [file filename] [string-case-insensitive]

Parameter Description
list-name Adds the list to the running-config.
file filename Saves the list to a standalone file on the ACOS device.
string-case-insensitive Identifies this as a case-insensitive string class list.

Mode Global configuration

Usage A class list can be exported only if you use the file option.

If you delete a file-based class list (no class-list list-name), save the configuration
(“write memory” on page 57) to complete the deletion.

For more information, see the aFleX Scripting Language Reference.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 104

A10 Thunder Series and AX Series—Command Line Interface

configure sync
Description Synchronize the local running-config to a peer’s running-config.

Syntax [no] configure sync {running | all}

{{all-partitions | partition name} | auto-authentication}
dest-ipaddress

Parameter Description
running Synchronize the local running-config to a peer’s running-config.
all Synchronize the local running-config to a peer’s running-config, and the local startup-
con- fig to the same peer’s startup-config.
all-partitions Synchronize all partition configurations.
partition name Synchronize the configuration for the specified partition only.
auto-authentication Authenticate using the local user name and password.
dest-ipaddress IP address of the peer to which you want to synchronize your configurations.

Default N/A

Mode Configuration mode

Example The following example synchronizes both the local running-config and startup-config for
the shared partition only to the peer at IP address 10.10.10.4:

ACOS(config)#configure sync all partition shared 10.10.10.4

copy
Description Copy a running-config or startup-config.

Syntax copy {running-config | startup-config | from-profile-

name} [use-mgmt-port]
{url | to-profile-name}

Parameter Description
running-config Copies the commands in the running-config to the specified
URL or local profile name.
startup-config Copies the configuration profile that is currently linked to
“startup-config” and saves the copy under the specified
URL or local profile name.
use-mgmt-port Uses the management interface as the source interface for
the connection to the remote device. The management route
table is used to reach the device. By default, the ACOS
device attempts to use the data route table to reach the
remote device through a data interface.

page 105 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
url Copies the running-config or configuration profile to a
remote device. The URL specifies the file transfer protocol,
username, and directory path.
You can enter the entire URL on the command line or press
Enter to display a prompt for each part of the URL. If you enter
the entire URL and a password is required, you will still be
prompted for the password. The password can be up to 255
characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[port:]/file
• scp://[user@]host/file
• sftp://[user@]host/file

from-profile-name Configuration profile you are copying from.

to-profile-name Configuration profile you are copying to.

NOTE: You cannot use the profile name “default”. This name is reserved and always refers
to the configuration profile that is stored in the image area from which the ACOS
device most recently rebooted.

Default None

Mode Configuration mode

Usage If you are planning to configure a new ACOS device by loading the configuration from
another ACOS device:
1. On the configured ACOS device, use the copy startup-config url command
to save the startup-config to a remote server.
2. On the new ACOS device, use the copy url startup-config command to
copy the configured ACOS device’s startup-config from the remote server onto the
new ACOS device.
3. Use the reboot command (at the Privileged EXEC level) to reboot the new
ACOS device.
4. Modify parameters as needed (such as IP addresses).

If you attempt to copy the configuration by copying-and-pasting it from a CLI session on the
configured ACOS device, some essential parameters such as interface states will not be
copied.

Example The following command copies the configuration profile currently linked to “startup-
config” to a profile named “slbconfig3” and stores the profile locally on the ACOS
device:

ACOS(config)#copy startup-config slbconfig3

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 106

A10 Thunder Series and AX Series—Command Line Interface

debug

NOTE: It is recommended that you use the AXdebug commands instead of the debug
command. (See “AX Debug Commands” on page 365.)

delete
Description Delete a locally stored file from the ACOS device.

Syntax delete file-type file-name

Parameter Description
file-type Type of file to be deleted:
• auth-portal (portal file for HTTP authentication)
• auth-portal-image (image file for the default authentication
por- tal)
• auth-saml-idp (SAML metadata of the identity provider)
• bw-list (blacklist or whitelist)
• cgnv6 fixed-nat (fixed-NAT port mapping file)
• debug-monitor (debug file)
• geo-location (geo-location file)
• geo-location-class-list (geo-location class-list file)
• health-external (external script program)
• health-postfile (HTTP POST data file)
• license (temporary license file for a virtual/soft/cloud ACOS
device)
• local-uri-file (local URI files for HTTP response)
• partition (hard delete an L3V partition)
• startup-config (startup configuration profile)
• web-category database (web-category database)
file-name Name of the file you want to delete.
NOTES:
• For the geo-location option, you can specify all instead of a
spe- cific file-name to delete all files.
• There is no file-name option for web-category database.

Default N/A

Mode Configuration mode

Usage The startup-config file type deletes the specified configuration profile linked to
startup- config. The command deletes only the specific profile file-name you specify.

If the configuration profile you specify is linked to startup-config, the startup-config is

automatically re-linked to the default configuration profile. (The default is the configuration
profile stored in the image area from which the ACOS device most recently rebooted.)

page 107 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Example The following command deletes configuration profile “slbconfig2”:

ACOS(config)#delete startup-config slbconfig2

disable reset statistics

Description Prevents resetting (clearing) of statistics for the following resources: SLB servers, service
groups, virtual servers, and Ethernet interfaces.

Syntax disable reset statistics

Default Disabled (clearing of statistics is allowed)

Mode Configuration mode

Usage Admins with the following CLI roles are allowed to disable or re-enable clearing of SLB
and Ethernet statistics:
• write
• partition-write

Example The following command disables reset of SLB and Ethernet statistics:

ACOS(config)#disable reset statistics

disable slb
Description Disable real or virtual servers.

Syntax disable slb server [server-name] [port port-num]

disable slb virtual-server [server-name] [port port-num]

Parameter Description
server-name Disables the specified real or virtual server.
port port-num Disables only the specified service port. If you omit the server-
name option, the port is disabled on all real or virtual servers. Oth-
erwise, the port is disabled only on the server you specify.

Default Enabled

Mode Configuration mode

Example The following command disables all virtual servers:

ACOS(config)#disable slb virtual-server

Example The following command disables port 80 on all real servers:

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 108

A10 Thunder Series and AX Series—Command Line Interface

ACOS(config)#disable slb server port 80

Example The following command disables port 8080 on real server “rs1”:

ACOS(config)#disable slb server rs1 port 8080

disable-failsafe
Description Disable fail-safe monitoring for software-related errors.

Syntax [no] disable-failsafe

[all | io-buffer | session-memory | system-memory]

Parameter Description
all Disables fail-safe monitoring for all the following types of software
errors.
io-buffer Disables fail-safe monitoring for IO-buffer errors.
session-memory Disables fail-safe monitoring for session-memory errors.
system-memory Disables fail-safe monitoring for system-memory errors.

Default Fail-safe monitoring and automatic recovery are disabled by default, for both hardware
and software errors.

Mode Configuration mode

disable-management
Description Disable management access to the ACOS device.

Syntax disable-management service {http | https | ping | snmp | ssh}

Parameter Description
http Disables HTTP access to the management GUI.
https Disables HTTPS access to the management GUI.
ping Disables ping replies from ACOS. This option does not affect
the ACOS device’s ability to ping other devices.
snmp Disables SNMP access to the ACOS device’s SNMP agent.
ssh Disables SSH access to the CLI.

This command changes the CLI to the configuration level for the type of access you
specify. At this level, you can specify the interfaces for which to disable access, using
the following options:

• ethernet portnum [to portnum]

page 109 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Disable access for the specified protocol on the specified Ethernet interface. Use the
[to portnum] option to specify a range of Ethernet interfaces.

• management
Disable access for the specified protocol on the management interface.

• ve ve-num [to ve-num]

Disable access for the specified protocol on the specified virtual Ethernet interface. Use
the [to ve-num] option to specify a range of virtual Ethernet
interfaces.

The CLI lists options only for the interface types for which the access type is enabled by
default.

NOTE: Disabling ping replies from being sent by the device does not affect the device’s
ability to ping other devices.

Default Table 11 lists the default settings for each management service.

TABLE 11Default Management Service Settings

Ethernet Management Ethernet and VE Data
Management Service Interface Interfaces
SSH Enabled Disabled
Telnet Disabled Disabled
HTTP Enabled Disabled
HTTPS Enabled Disabled
SNMP Enabled Disabled
Ping Enabled Enabled
Syslog Disabled Disabled
SNMP-trap Disabled Disabled

Mode Configuration mode

Usage If you disable the type of access you are using on the interface you are using at the time
you enter this command, your management session will end. If you accidentally lock
yourself out of the device altogether (for example, if you use the all option for all
interfaces), you can still access the CLI by connecting a PC to the ACOS device’s serial
port.

To enable management access, see “enable-management” on page 112.

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

You can enable or disable management access, for individual access types and interfaces.
You also can use an Access Control List (ACL) to permit or deny management access
through the interface by specific hosts or subnets.

For more information, see “Access Based on Management Interface” in the Management
Access and Security Guide.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 110

A10 Thunder Series and AX Series—Command Line Interface

Example The following command disables HTTP access to the out-of-band management interface:

ACOS(config)# disable-management service http management

You may lose connection by disabling the http service.
Continue? [yes/no]: yes

dnssec
Description Configure and manage Domain Name System Security Extensions (DNSSEC). See “Config
Commands: DNSSEC” on page 217.

do
Description Run a Privileged EXEC level command from a configuration level prompt, without
leaving the configuration level.

Syntax do command

Default N/A

Mode Configuration mode

Usage For information about the Privileged EXEC commands, see “Privileged EXEC Commands”
on page 35.

Example The following command runs the traceroute command from the Configuration
mode level:

ACOS(config)# do traceroute 10.10.10.9

enable-core
Description Change the file size of core dumps.

Syntax [no] enable-core {a10 | system}

Parameter Description
a10 Enable A10 core dump files.
system Enable system core dump files.
System core dump files are larger than A10 core dump files.

Default If VRRP-A is configured, system core dump files are enabled by default. If VRRP-A is not
con- figured, A10 core dump files are enabled by default.

Mode Configuration mode

page 111 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Usage You can save this command to the startup-config on SSD or HD. However, ACOS does
not support saving the command to a configuration file stored on Compact Flash (CF).
This is because the CF does not have enough storage for large core files.

enable-management
Description Enable management access to the ACOS device.

Syntax [no] enable-management service

{
acl-v4 id |
acl-v6 id |
http |
https |
ping |
snmp |
ssh |
telnet
}

Parameter Description
acl-v4 id Permits or denies management access based on permit or deny rules in
the ACL for IPv4 addresses.
acl-v6 id Permits or denies management access based on permit or deny rules in
the ACL for IPv6 addresses.
http Allows HTTP access to the management GUI.
https Allows HTTPS access to the management GUI.
ping Allows ping replies from ACOS interfaces. This option does not affect the
ACOS device’s ability to ping other devices.
snmp Allows SNMP access to the ACOS device’s SNMP agent.
ssh Allows SSH access to the CLI.
telnet Allows Telnet access to the CLI.

NOTE: The management interface supports only a single ACL.

NOTE: IPv6 ACLs are supported for management access through Ethernet data interfaces
and the management interface.

This command changes the CLI to the configuration level for the type of access you
specify. At this level, you can specify the interfaces for which to enable access, using
the following options:

• ethernet portnum [to portnum]

Enable access for the specified protocol on the specified Ethernet interface. Use the
[to portnum] option to specify a range of Ethernet interfaces.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 112

A10 Thunder Series and AX Series—Command Line Interface

• management
Enable access for the specified protocol on the management interface.

• ve ve-num [to ve-num]

Enable access for the specified protocol on the specified virtual Ethernet interface. Use
the [to ve-num] option to specify a range of virtual Ethernet
interfaces.]

The CLI lists options only for the interface types for which the access type is disabled by
default.

Default The following table lists the default settings for each management service.

Management Service Management Interface Data Interfaces

ACL Enabled Disabled
HTTP Enabled Disabled
HTTPS Enabled Disabled
Ping Enabled Enabled
SNMP Enabled Disabled
SSH Enabled Disabled
Telnet Disabled Disabled

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
com- mand to specify the device in the chassis to which to apply this command.

IPv6 ACLs are supported for management access through Ethernet data interfaces and the
management interface.

For more information, see “Access Based on Management Interface” in the Management
Access and Security Guide.

Example The following command enables Telnet access to Ethernet data interface 6:

ACOS(config)#enable-management service telnet

ACOS(config-enable-management telnet)#ethernet 6

Example The following commands configure IPv6 traffic filtering on the management interface and
display the resulting configuration:

ACOS(config)#ipv6 access-list ipv6-acl1

ACOS(config-access-list:ipv6-acl1)#permit ipv6 any any
ACOS(config-access-list:ipv6-acl1)#exit
ACOS(config)#interface management
ACOS(config-if:management)#ipv6 access-list ipv6-acl1 in

page 113 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

ACOS(config-if:management)#show running-config
ipv6 access-list ipv6-acl1
permit ipv6 any any
!
interface management
ip address 192.168.217.28 255.255.255.0
ipv6 address 2001:192:168:217::28/64
ipv6 access-list ipv6-acl1 in

Example The following commands configure an IPv6 ACL, then apply it to Ethernet data ports 5 and
6 to secure SSH access over IPv6:

ACOS(config)#ipv6 access-list ipv6-acl1

ACOS(config-access-list:ipv6-acl1)#permit ipv6 any any
ACOS(config-access-list:ipv6-acl1)#exit
ACOS(config)#enable-management service ssh
ACOS(config-enable-management ssh)#acl-v6 ipv6-acl1
ACOS(config-enable-management ssh-acl-v6)#ethernet 5 to 6

enable-password
Description Set the enable password, which secures access to the Privileged EXEC level of the CLI.

Syntax [no] enable-password string

Parameter Description
string Password string (1-63) characters. Passwords are case sensitive
and can contain special characters. (For more information, see
“Special Character Support in Strings” on page 15.)

Default By default, the password is blank. (Just press Enter.)

Mode Configuration mode

Example The following command sets the Privileged EXEC password to “execadmin”:

ACOS(config)#enable-password execadmin

end

Description Return to the Privileged EXEC level of the CLI.

Syntax end

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 114

A10 Thunder Series and AX Series—Command Line Interface

Default N/A

Mode Config

Usage The end command is valid at all configuration levels of the CLI. From any configuration
level, the command returns directly to the Privileged EXEC level.

Example The following command returns from the Configuration mode level to the Privileged
EXEC level:

ACOS(config)#end
ACOS#

environment temperature threshold

Description Configure the temperature condition under which a log is generated.

Syntax [no] environment temperature threshold low num medium num high num

Parameter Description
low num Low temperature threshold in Celcius; a log is generated when the
temperature drop below this threshold.
medium num Medium temperature threshold in Celcius.This threshold causes the
status in the show environment command to change between
“low/med” or “med/high”.
high num High temperature threshold in Celcius; a log is generated when the
temperature rises above this threshold.

Default Low is 25, medium is 45, high is 68.

Mode Configuration mode

Example Set the low temperature threshold to 20 degress Celcius, medium to 45 degrees Celcius,
and high temperature threshold to 55 degrees Celcius:

ACOS(config)#environment temperature threshold low 20 medium 45 high 55

The show environment command reflects the new temperature thresholds:

ACOS(config)#show environment
Updated information every 30 Seconds
Physical System temperature: 38C / 100F : OK-low/med
Thresholds: Low 20 / Medium 45 / High
55 Physical System temperature2: 34C / 93F : OK-low/med
Thresholds: Low 20 / Medium 45 / High 55
HW Fan Setting: Automatic
Fan1A : OK-med/high Fan1B : OK-med/high

page 115 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Fan2A : OK-med/high Fan2B : OK-med/high

Fan3A : OK-med/high Fan3B : OK-med/high
Fan4A : OK-med/high Fan4B : OK-med/high
Fan5A : OK-med/high Fan5B : OK-med/high
Fan6A : OK-med/high Fan6B : OK-med/high
Fan7A : OK-med/high Fan7B : OK-med/high
Fan8A : OK-med/high Fan8B : OK-med/high
System Voltage 12V : OK
System Voltage 5V : OK
System Voltage CPU1 VCORE (1V) : OK
System Voltage CPU0 VCORE (1V) : OK
System Voltage AUX 5V : OK
System Voltage VBAT (3.3V) :
OK
Upper Left Power Unit(Rear View) State: On
Upper Right Power Unit(Rear View) State: On
Lower Left Power Unit(Rear View) State: On
Lower Right Power Unit(Rear View) State: Off

In addition, both temperature status indicate “low/med” because the temperatures fall in
between the low threshold of 20 and medium threshold of 45.

environment update-interval
Description Configure the hardware polling interval for fault detection and log generation.

Syntax [no] environment update-interval num

Parameter Description
num Polling interval in seconds (1-60).
The lower the update interval number, the faster the messages will
be seen in the sylog and the status reflected in the show
environment output.

Default 30 seconds

Mode Configuration mode

Example Set the hardware polling interval to 5 seconds:

ACOS(config)#environment update-interval 5

Use the show environment to verify this change, or to view the current hardware polling
interval. The first line in the output shows the hardware polling interval:

ACOS(config)#show environment

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 116

A10 Thunder Series and AX Series—Command Line Interface

Updated information every 5 Seconds

Physical System temperature: 37C / 98F : OK-med/high
Thresholds: Low 10 / Medium 30 / High
45 Physical System temperature2: 32C / 89F : OK-med/high
Thresholds: Low 10 / Medium 30 / High 45
HW Fan Setting: Automatic
Fan1A : OK-med/high Fan1B : OK-med/high
Fan2A : OK-med/high Fan2B : OK-med/high
Fan3A : OK-med/high Fan3B : OK-med/high
Fan4A : OK-med/high Fan4B : OK-med/high
Fan5A : OK-med/high Fan5B : OK-med/high
Fan6A : OK-med/high Fan6B : OK-med/high
Fan7A : OK-med/high Fan7B : OK-med/high
Fan8A : OK-med/high Fan8B : OK-med/high
System Voltage 12V : OK
System Voltage 5V : OK
System Voltage CPU1 VCORE (1V) : OK
System Voltage CPU0 VCORE (1V) : OK
System Voltage AUX 5V : OK
System Voltage VBAT (3.3V) :
OK
Upper Left Power Unit(Rear View) State: On
Upper Right Power Unit(Rear View) State: On
Lower Left Power Unit(Rear View) State: On
Lower Right Power Unit(Rear View) State: Off

erase
Description Erase the startup-config file.

This command returns the device to its factory default configuration after the next reload
or reboot.

The following table summarizes that is removed or preserved on the system:

What is Erased What is Preserved

Saved configuration files
Management IP address
Admin-configured admins
Enable password
Running configuration
Audit log entries
System files, such as SSL certificates and keys, aFleX poli-
cies, black/white lists, and system logs
Inactive partitions

To remove imported files or inactive partitions, you must use the system-reset
command. (See “system-reset” on page 204.)

page 117 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Syntax erase [preserve-management] [preserve-accounts] [reload]

Parameter Description
preserve-management Keeps the configured management IP address and default
gateway, instead of erasing them and resetting them to
their factory defaults following reload or reboot.
preserve-accounts Keeps the configured admin accounts, instead of
erasing them. Likewise, this option keeps any
modifications to the “admin” account, and does not
reset the account to its defaults following reload or
reboot.
reload Reloads ACOS after the configuration erasure is completed.

Default N/A

Mode Configuration mode

Usage The erasure of the startup-config occurs following the next reload or reboot. Until the
next reload or reboot, the ACOS device continues to run based on the running-config.

The management IP address is not erased. This is true even if you do not use the
preserve- management option. However, without this option, the default management
gateway is erased and reset to its factory default.

To recover the configuration, you can save the running-config or reload the configuration
from another copy of the startup-config file.

The preserve-management option has no effect on an enterprise’s organizational

structure. If it did, a caution would appear here discouraging its use.

Example The following command erases the startup-config file. The change takes place following the
next reload or reboot.

ACOS(config)#erase

Example The following command erases the startup-config file, except for management interface
access and admin accounts, and reloads to place the change into effect.

ACOS(config)#erase preserve-management preserve-accounts reload

Related Commands system-reset

event
Description Generate an event for the creation or deletion of an L3V partition.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 118

A10 Thunder Series and AX Series—Command Line Interface

Syntax [no] event partition {part-create | part-del}

Parameter Description
part-create Generate an event when a partition is created.
part-del Generate an event when a partition is deleted.

Default N/A

Mode Configuration mode

Related Commands show event-action

exit

Description Return to the Privileged EXEC level of the CLI.

Syntax exit

Default N/A

Mode Configuration mode

Usage The exit command is valid at all CLI levels. At each level, the command returns to the
previ- ous CLI level. For example, from the server port level, the command returns to the
server level. From the Configuration mode level, the command returns to the Privileged
EXEC level. From the user EXEC level, the command terminates the CLI session.

From the Configuration mode level, you also can use the end command to return to the
Privileged EXEC level.

Example The following command returns from the Configuration mode level to the Privileged
EXEC level:

ACOS(config)#exit
ACOS#

export-periodic

Description Export file to a remote site periodically.

page 119 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Syntax export-periodic
{
aflex file |
auth-portal file |
axdebug file |
bw-list file |
class-list file |
debug-monitor file |
dnssec-dnskey file |
dnssec-ds file |
geo-location file |
local-uri-file file |
policy file |
ssl-cert file |
ssl-cert-key bulk |
ssl-crl file |
ssl-key |
syslog file |
thales-secworld file [overwrite] |
wsdl file |
xml-schema file
}
[use-mgmt-port] url
period seconds
}

Parameter Description
aflex Export an aFleX file.
auth-portal Export an authentication portal file for Application Access Management (AAM).
axdebug Export an AX Debug packet file.
bw-list Export a black/white list.
class-list Export an IP class list.
dnssec-dnskey Export a DNSEC key-signing key (KSK) file.
dnssec-ds Export a DNSSEC DS file.
geo-location Export a geo-location data file for Global Server Load Balancing (GSLB).
local-uri-file Export a local URI file.
policy Export a WAF policy file.
ssl-cert Export a certificate.
ssl-cert-key Export a certificate and key together as a single file.
ssl-key Export a certificate key.
ssl-crl Export a certificate revocation list (CRL).
syslog Export a syslog file.
thales-secworld Export Thales security world files. Use the overwrite option to overwrite an existing file
with the same name.
wsdl Export a WSDL file.
xml-schema Export an XML schema file.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 120

A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
use-mgmt-port Uses the management interface as the source interface for the connection to the remote
device. The management route table is used to reach the device. Without this option, the
ACOS device attempts to use the data route table to reach the remote device through a
data interface.
url Protocol, user name (if required), and directory path you want to use to send the file.
You can enter the entire URL on the command line or press Enter to display a prompt for
each part of the URL. If you enter the entire URL and a password is required, you will still be
prompted for the password. The password can be up to 255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[port:]/file
• scp://[user@]host/file
• sftp://[user@]host/file

period seconds Enables automated updates of the file. You can specify 60 (one minute)-31536000 (one
year) seconds.

The period option simplifies update of imported files, especially files that are used by
mul- tiple ACOS devices. You can edit a single instance of the file, on the remote server,
then con- figure each of ACOS device to automatically update the file to import the latest
changes.

When you use this option, the ACOS device periodically replaces the specified file with the
version that is currently on the remote server. If the file is in use in the running-config, the
updated version of the file is placed into memory.

The updated file affects only new sessions that begin after the update but does not affect
existing sessions. For example, when an aFleX script that is bound to a virtual port is
updated, the update affects new sessions that begin after the update, but does not affect
existing sessions that began before the update.

Mode Privileged EXEC mode or global configuration mode

Example The following command exports an aFleX policy onto the ACOS device from a TFTP
server, from its directory named “backups” every 30 days:

ACOS(config)#export-periodic aflex aflex-01 tftp://192.168.1.101/backups/aflex-01 period

2592000

fail-safe
Description Configure fail-safe automatic recovery.

Syntax [no] fail-safe

{
fpga-buff-recovery-threshold 256-buffer-units |
hw-error-monitor-disable
hw-error-monitor-enable |
hw-error-recovery-timeout minutes |

page 121 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

session-memory-recovery-threshold percentage |
sw-error-monitor-enable |
sw-error-recovery-timeout minutes |
total-memory-size-check Gb {kill | log}
}

Parameter
fpga-buff-recovery-threshold
256-buffer-units
hw-error-monitor-disable
hw-error-monitor-enable
hw-error-recovery-timeout minutes
session-memory-recovery-threshold
percentage
sw-error-monitor-enable
sw-error-recovery-timeout minutes
Description
Minimum required number of free (available) FPGA buffers. If the
num- ber of free buffers remains below this value until the recovery
timeout, fail-safe software recovery is triggered.
You can specify 1-10 units. Each unit contains 256 buffers.
The default is 2 units (512 buffers).
Disables fail-safe monitoring and recovery for hardware errors.
This is enabled by default.
Enables fail-safe monitoring and recovery for hardware errors.
This is enabled by default.
Number of minutes fail-safe waits after a hardware error occurs to
reboot the ACOS device. You can specify 1-1440 minutes.
The default is 0 (not set).
Minimum required percentage of system memory that must be free. If
the amount of free memory remains below this value long enough for
the recovery timeout to occur, fail-safe software recovery is triggered.
You can specify 1-100 percent. The default is 30 percent.
Enables fail-safe monitoring and recovery for software errors.
This is disabled by default.
Number of minutes (1-1440) the software error condition must remain
in effect before fail-safe occurs:
• If the system resource that is low becomes free again within the
recovery timeout period, fail-safe allows the ACOS device to
continue normal operation. Fail-safe recovery is not triggered.
• If the system resource does not become free, then fail-safe recovery
is triggered.
The default timeout is 3 minutes.

total-memory-size-check Gb Amount of memory the device must have after booting.

{kill | log}
• Gb - Minimum amount of memory required.
• kill – Stops data traffic and generates a message. However,
the management port remains accessible.
• log – Generates a log message but does not stop data traffic.

Default By default, fail-safe automatic recovery is enabled for hardware errors and disabled for
soft- ware errors. You can enable the feature for hardware errors, software errors, or both.
When

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 122

A10 Thunder Series and AX Series—Command Line Interface

you enable the feature, the other options have the default values described in the table
above.

Mode Configuration mode

Usage Fail-safe hardware recovery also can be triggered by a “PCI not ready” condition. This fail-
safe recovery option is enabled by default and can not be disabled.

fw
Description Configuration commands for DC Firewall.

For more information, refer to the Data Center Firewall Guide.

glid
Description Configure a global set of IP limiting rules for system-wide IP limiting.

NOTE: This command configures a limit ID (LID) for use with the IP limiting feature. To con-
figure a LID for use with Large-Scale NAT (LSN) instead, see the IPv4-to-IPv6
Transi- tion Solutions Guide.

Syntax [no] glid num

Replace num with the limit ID (1-1023).

This command changes the CLI to the configuration level for the specified global LID, where
the following command is available.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 61.)

Command Description
[no] conn-limit num Specifies the maximum number of concurrent connections allowed for a client. You
can specify 0-1048575. Connection limit 0 immediately locks down matching cli-
ents.
There is no default value set for this parameter.
[no] conn-rate-limit num Specifies the maximum number of new connections allowed for a client within the
per num-of-100ms specified limit period. You can specify 1-4294967295 connections. The limit period
can be 100-6553500 milliseconds (ms), specified in increments of 100 ms.
There is no default value set for this parameter.
[no] dns options Configure settings for IPv4 DNS features.
[no] dns64 options Configure settings for IPv6 DNS features.

page 123 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Command Description
[no] over-limit- Specifies the action to take when a client exceeds one or more of the limits. The
action [forward | command also configures lockout and enables logging. Action can include:
reset] [lockout
• drop – The ACOS device drops that traffic. If logging is enabled, the ACOS
minutes] [log device also generates a log message. (There is no drop keyword; this is
minutes] default action.)
• forward – The ACOS device forwards the traffic. If logging is enabled, the
ACOS device also generates a log message.
• reset – For TCP, the ACOS device sends a TCP RST to the client. If logging
is enabled, the ACOS device also generates a log message.
The lockout option specifies the number of minutes during which to apply the
over-limit action after the client exceeds a limit. The lockout period is activated
when a client exceeds any limit. The lockout period can be 1-1023 minutes. There
is no default lockout period.
The log option generates log messages when clients exceed a limit. When you
enable logging, a separate message is generated for each over-limit occurrence,
by default. You can specify a logging period, in which case the ACOS device holds
onto the repeated messages for the specified period, then sends one message at
the end of the period for all instances that occurred within the period. The logging
period can be 0-255 minutes. The default is 0 (no wait period).

[no] request-limit num
[no] request-rate-limit
num per num-of-100ms
[no] use-nat-pool
pool-name
Specifies the maximum number of concurrent Layer 7 requests allowed for a client.
You can specify 1-1048575.
Specifies the maximum number of Layer 7 requests allowed for the client within
the specified limit period. You can specify 1-4294967295 connections. The limit
period can be 100-6553500 milliseconds (ms), specified in increments of 100
ms.
Binds a NAT pool to the GLID. The pool is used to provide reverse NAT for class-list
members that are mapped to this GLID. (The use-nat-pool option, available in
GLIDs, is applicable only to transparent traffic, not to SLB traffic.)

Default See descriptions in the table.

Mode Configuration mode

Usage This command uses a single class list for IP limiting. To use multiple class lists for system-wide
IP limiting, use a policy template instead. See the “slb template policy” command in the Com-
mand Line Interface Reference for ADC.

Differences Between GLIDs and LIDs

A Global Limit ID (GLID) is an ID that identifies a set of limiting rules configured globally.
This ID is included in a class-list, as shown in the following example:

glid 10
request-limit 100
class-list HTTP-RL
10.100.0.0/16 lid 1
10.2.0.0/16 lid 2
0.0.0.0/0 glid 10

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 124

A10 Thunder Series and AX Series—Command Line Interface

The limiting rules within a GLID can be reused in different class-list objects, unlike a Local
Limit ID (LID).

A LID is an ID that identifies a set of limiting rules configured inside an SLB template of a
certain type, such as an SLB policy template or an SLB DNS template, that support a class-
list. For example:

slb template policy Policy-HTTP-RL

class-list HTTP-RL
lid 1
request-limit 1000
lid 2
request-limit 10

A local limit ID can be used if the same class-list is used for several different VIPs, and if
each VIP has different limiting rules; using the LID eliminates the need to create many
class-lists.

Note that GLIDs and LIDs are optional configurations within a class-list, and they are not
required if the class-list is used as a black-list or a white-list.

Additional Usage Information about GLIDs and LIDs

A policy template is also required if you plan to apply IP limiting rules to individual virtual
servers or virtual ports.

The request-limit and request-rate-limit options apply only to HTTP, fast-

HTTP, and HTTPS virtual ports. For details on configuring these options, see “Request Limiting
and Request-Rate Limiting in Class Lists” on page 101.

The over-limit-action log option, when used with the request-limit or

request-rate-limit option, always lists Ethernet port 1 as the interface.

The use-nat-pool option is applicable only to transparent traffic, not to SLB traffic.

Example The following commands configure a global IP limiting rule to be applied to all IP clients
(the clients that match class list “global”):

ACOS(config)#glid 1
ACOS(config-glid:1)#conn-rate-limit 10000 per 1
ACOS(config-glid:1)#conn-limit 2000000
ACOS(config-glid:1)#over-limit forward logging
ACOS(config-glid:1)#exit
ACOS(config)#system glid 1
ACOS(config)#class-list global
ACOS(config-class list)#0.0.0.0/0 glid 1

page 125 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

glm

Description Manually enable a connection to the Global License Manager.

Syntax [no] glm enable-requests

Default Disabled

Mode Configuration mode

The other glm commands are for internal use and testing purposes only.

gslb
Description Configure Global Server Load Balancing (GSLB) parameters. See the Global Server Load Bal-
ancing Guide.

hd-monitor enable
Description Enable hard disk monitoring on your ACOS device.

Syntax [no] hd-monitor enable

Default Hard disk monitoring is disabled by default.

Mode Configuration mode

Example The example below shows how to enable hard disk monitoring.

ACOS(config)#hd-monitor enable
Harddisk monitoring turned on.
Please write mem and reload to take effect.
ACOS(config)#

health global
Description Globally change health monitor parameters.

Syntax health global

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 126

A10 Thunder Series and AX Series—Command Line Interface

This command changes the CLI to the configuration level for global health monitoring
parameters, where the following commands are available.

Parameter Description
[no] health check-rate threshold Change the health-check rate limiting threshold.
Replace threshold with the maximum number of health-check
pack- ets the ACOS device will send in a given 500-millisecond (ms)
period.
The valid range is 1-5000 health-check packets per 500-ms period.
When you disable auto-adjust mode, the default threshold is 1000
health-check packets per 500-ms period.
When auto-adjust mode is enabled, you can not manually change the
threshold. To change the threshold, you first must disable auto-adjust
mode. (See below.)
[no] health disable-auto-adjust Disable the auto-adjust mode of health-check rate limiting.
When necessary, the auto-adjust mode dynamically increases the
default interval and timeout for health checks. By increasing these
timers, health- check rate limiting provides more time for health-check
processing.
Auto-adjust mode is enabled by default.
[no] health external-rate scripts Specify the maximum number of external health-checks scripts the
per 100-ms-units ACOS device is allowed to perform during a given interval.
• scripts – Maximum number of external health-check scripts, 1-999.
• 100-ms-units – Interval to which the scripts option applies, 1-
20 100-ms units.
The default rate is 2 scripts every 200 ms.
interval seconds Number of seconds between health check attempt, 1-180 seconds. A
health check attempt consists of the ACOS device sending a packet to
the server. The packet type and payload depend on the health monitor
type. For example, an HTTP health monitor might send an HTTP GET
request packet. Default is 5 seconds.
multi-process cpus Enable use of multiple CPUs for processing health checks.
Replace cpus with the total number of CPUs to use for processing
health checks.
The default is 1.
retry number Maximum number of times ACOS will send the same health check to an
unresponsive server before determining that the server is down. You
can specify 1-5. Default is 3.
timeout seconds Number of seconds ACOS waits for a reply to a health check, 1-12 sec-
onds. Default is 5 seconds.
up-retry number Number of consecutive times the device must pass the same periodic
health check, in order to be marked Up. You can specify 1-10. The
default is 1.

NOTE: The timeout parameter is not applicable to external health monitors.

page 127 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

You can change one or more parameters on the same command line.

Default See above.

NOTE: To change a global parameter back to its factory default, use the “no” form of the
command (for example: no up-retry 10).

Mode Configuration mode

Usage Globally changing a health monitor parameter changes the default for that parameter. For
example, if you globally change the interval from 5 seconds to 10 seconds, the default
inter- val becomes 10 seconds.

If a parameter is explicitly set on a health monitor, globally changing the parameter does
not affect the health monitor. For example, if the interval on health monitor hm1 is explicitly
set to 20 seconds, the interval remains 20 seconds on hm1 regardless of the global setting.

NOTE: Global health monitor parameter changes automatically apply to all new health
monitors configured after the change. To apply a global health monitor
parameter change to health monitors that were configured before the change,
you must reboot the ACOS device.

Example The following command globally changes the default number of retries to 5:

ACOS(config)# health global retry 5

Example The following command globally changes the timeout to 10 seconds and default number of
retries to 4:

ACOS(config)# health global timeout 10 retry 4

health monitor
Description Configure a health monitor.

Syntax [no] health monitor monitor-name

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 128

A10 Thunder Series and AX Series—Command Line Interface

The monitor-name can be 1-29 characters. This command changes the CLI
to the configuration level for the health monitor.

Default See the “Health Monitoring” chapter in the Application Delivery and Server Load
Balancing Guide for information on the defaults.

Mode Configuration mode

Usage For information about the commands available at the health-monitor configuration
level, see “Config Commands: Health Monitors” on page 547.

health-test
Description Test the status of a device at a specified IP address using a defined health monitor.

To configure a health monitor, use the health monitor command.

Syntax health-test ipaddr [count num] [monitorname name] [port portnum]

Parameter Description
ipaddr IPv4 or IPv6 address of the device you want to test.
count num Wait for count tests (1-65535).
The default count is 1.
monitorname name Specify the pre-configured health monitor to use for the test.
port portnum Specify the port to test.

Mode Configuration mode

hostname
Description Set the ACOS device’s hostname.

Syntax [no] hostname string

Replace string with the desired hostname (1-31 characters). The name can contain
any alpha-numeric character (a-z, A-Z, 0-9), hypen (-), period (.), or left or right
parentheses characters.

Default The default hostname is the name of the device; for example, an AX Series 5630 device
will have “AX5630” as the default hostname.

Mode Configuration mode

Usage The CLI command prompt also is changed to show the new hostname.

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

page 129 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Example The following example sets the hostname to “SLBswitch2”:

ACOS(config)# hostname SLBswitch2

SLBswitch2(config)#

hsm template
Description Configure a template for DNSSEC Hardware Security Module (HSM) support.

Syntax [no] hsm template template-name {softHSM | thalesHSM}

Replace template-name with the name of the template (1-63 characters).

This command changes the CLI to the configuration level for the specified template, where
the following command is available:

password hsm-passphrase

This command configures the HSM passphrase.

(The other commands are common to all CLI configuration levels. See “Config Commands:
Global” on page 61.)

Default Not set

Mode Configuration mode

icmp-rate-limit
Description Configure ICMP rate limiting, to protect against denial-of-service (DoS) attacks.

Syntax [no] icmp-rate-limit normal-rate lockup max-rate lockup-time

Parameter Description
normal-rate Maximum number of ICMP packets allowed per second. If the ACOS device receives more
than the normal rate of ICMP packets, the excess packets are dropped until the next one-sec-
ond interval begins. The normal rate can be 1-65535 packets per second.
lockup max-rate Maximum number of ICMP packets allowed per second before the ACOS device locks up
ICMP traffic. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup
expires. The maximum rate can be 1-65535 packets per second. The maximum rate must be
larger than the normal rate.
lockup-time Number of seconds for which the ACOS device drops all ICMP traffic, after the maximum rate
is exceeded. The lockup time can be 1-16383 seconds.

Default None

Mode Configuration mode

Usage This command configures ICMP rate limiting globally for all traffic to or through the
ACOS device. To configure ICMP rate limiting on individual Ethernet interfaces, see the
icmp-

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 130

A10 Thunder Series and AX Series—Command Line Interface

rate-limit command in the “Config Commands: Interface” chapter in the Network

Config- uration Guide. To configure it in a virtual server template, see “slb template
virtual-server” on page 259. If you configure ICMP rate limiting filters at more than one of
these levels, all filters are applicable.

Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify
them, lockup does not occur.

Log messages are generated only if the lockup option is used and lockup occurs.
Otherwise, the ICMP rate-limiting counters are still incremented but log messages are not
generated.

Example The following command globally configures ICMP rate limiting to allow up to 2048 ICMP
packets per second, and to lock up all ICMP traffic for 10 seconds if the rate exceeds
3000 ICMP packets per second:

ACOS(config)#icmp-rate-limit 2048 lockup 3000 10

icmpv6-rate-limit
Description Configure ICMPv6 rate limiting for IPv6 to protect against denial-of-service (DoS) attacks.

Syntax [no] icmpv6-rate-limit normal-rate lockup max-rate lockup-time

Parameter Description
normal-rate Maximum number of ICMPv6 packets allowed per second. If the ACOS device receives
more than the normal rate of ICMPv6 packets, the excess packets are dropped until the
next one- second interval begins. The normal rate can be 1-65535 packets per second.
lockup max-rate Maximum number of ICMPv6 packets allowed per second before the ACOS device locks up
ICMPv6 traffic. When ICMPv6 traffic is locked up, all ICMPv6 packets are dropped until the
lockup expires. The maximum rate can be 1-65535 packets per second. The maximum rate
must be larger than the normal rate.
lockup-time Number of seconds for which the ACOS device drops all ICMPv6 traffic, after the maximum
rate is exceeded. The lockup time can be 1-16383 seconds.

Default None

Mode Configuration mode

Usage This command configures ICMPv6 rate limiting globally for all traffic to or through the ACOS
device. To configure ICMPv6 rate limiting on individual Ethernet interfaces, see the
icmpv6- rate-limit command in the “Config Commands: Interface” chapter in the
Network Config- uration Guide. To configure it in a virtual server template, see “slb
template virtual-server” on page 259. If you configure ICMPv6 rate limiting filters at more
than one of these levels, all fil- ters are applicable.

Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify
them, lockup does not occur.

Log messages are generated only if the lockup option is used and lockup occurs. Otherwise,
the ICMPv6 rate-limiting counters are still incremented but log messages are not generated.

page 131 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

import
Description See “import” on page 46.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 132

A10 Thunder Series and AX Series—Command Line Interface

import-periodic
Description Get files from a remote site periodically.

Syntax import-periodic
{
{
aflex file |
auth-portal file |
bw-list file |
class-list file |
class-list-convert file class-list-type type |
dnssec-dnskey file |
dnssec-ds file |
geo-location file |
license file |
local-uri-file file |
policy file |
{
ssl-cert file
{[certificate-type {pem | der | pfx pfx-password pswd | p7b}]
[csr-generate]
} |
ssl-cert-key bulk |
ssl-crl file [csr-generate] |
ssl-key file [csr-generate] |
thales-kmdata file [overwrite] |
thales-secworld file [overwrite] |
wsdl file |
xml-schema file
}
{[use-mgmt-port] url}
period seconds
}

Parameter Description
aflex Import an aFleX file.
auth-portal Import an authentication portal file for Application Access Management (AAM).
bw-list Import a black/white list.
class-list Import an IP class list.
class-list-convert ACOS imports a newline delimited text file and converts it to a class-list file of the type spec-
file class-list- ified a filetype keyword:
type {ac | string
• ac - Aho-Corasick class list.
|ipv4 | ipv6 |
string-case-inten-
See the “How to Convert Your SNI List to an A10 Class List” section in the SSL Insight book
for an example of converting to an A10 Aho-Corasick class list.
sive}
• string
• ipv4
• ipv6
• string-case-insensitive
NOTE: Only the Aho-Corasick class list is compliant with the class list types created
through the class-list command.

dnssec-dnskey Import a DNSEC key-signing key (KSK) file.

page 133 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
dnssec-ds Import a DNSSEC DS file.
geo-location Imports a geo-location data file for Global Server Load Balancing (GSLB).
license Import a license file, if applicable to your model.
local-uri-file Import a local URI file.
policy Import a WAF policy file.
ssl-cert [bulk] Imports a certificate.
• Use the bulk option to import multiple files simultaneously as a .tgz archive.
• Use certificate-type to specify a certificate type.
• Use csr-generate to generate a CSR file.
ssl-cert-key [bulk] Imports a certificate and key together as a single file.
Specify bulk to import multiple files simultaneously as a .tgz archive
ssl-key [bulk] Import a certificate key.
Specify bulk to import multiple files simultaneously as a .tgz archive
ssl-crl Import a certificate revocation list (CRL).
wsdl Import a WSDL file.
xml-schema Import an XML schema file.
use-mgmt-port Uses the management interface as the source interface for the connection to the remote
device. The management route table is used to reach the device. Without this option, the
ACOS device attempts to use the data route table to reach the remote device through a
data interface.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 134

A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
url Protocol, user name (if required), and directory path you want to use to send the file.
You can enter the entire URL on the command line or press Enter to display a prompt for
each part of the URL. If you enter the entire URL and a password is required, you will still be
prompted for the password. The password can be up to 255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[port:]/file
• scp://[user@]host/file
• sftp://[user@]host/file

period seconds Enables automated updates of the file. You can specify 60 (one minute)-31536000 (one
year) seconds.

The period option simplifies update of imported files, especially files that are used by
mul- tiple ACOS devices. You can edit a single instance of the file, on the remote server,
then con- figure each of ACOS device to automatically update the file to import the latest
changes.

When you use this option, the ACOS device periodically replaces the specified file with the
version that is currently on the remote server. If the file is in use in the running-config, the
updated version of the file is placed into memory.

The updated file affects only new sessions that begin after the update but does not affect
existing sessions. For example, when an aFleX script that is bound to a virtual port is
updated, the update affects new sessions that begin after the update, but does not affect
existing sessions that began before the update.

Mode Privileged EXEC mode or global configuration mode

Example The following command imports an aFleX policy onto the ACOS device from a TFTP
server, from its directory named “backups” every 30 days:

ACOS(config)# import-periodic aflex aflex-01 tftp://192.168.1.101/backups/aflex-01 period

2592000

interface
Description Access the CLI configuration level for an interface.

Syntax interface {
ethernet port-num |
lif logical-interface-id |
loopback num |
management |
trunk num |
tunnel num |
ve ve-num
}

Default N/A

Mode Configuration mode

page 135 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Usage If the ACOS device is a member of an aVCS virtual chassis, specify the interface number as
follows: DeviceID/Portnum

For information about the commands available at the interface configuration level, see
“Config Commands: Interface” in the Network Configuration Guide.

Example The following command changes the CLI to the configuration level for Ethernet interface 3:

ACOS(config)#interface ethernet 3
ACOS(config-if:ethernet:3)#

ip
Description Configure global IP settings. For information, see “Config Commands: IP” in the Network Con-
figuration Guide.

ip-list
Description Create a list of IP addresses with group IDs to be used by other GSLB commands.

For example, you can create an IP list and use it in a GSLB policy.

Refer to Global Server Load Balancing Guide for more

information.

Syntax [no] ip-list list-name

After entering this command, you are placed in a sub-configuration mode where you can
enter the IP addresses as follows:

ipv4-addr [to end-ipv-addr]

ipv6-addr [to end-ipv6-addr]
ipv6-addr/range [count num] [to end-ipv6-addr/range]

Mode Configuration mode

Example The following example shows how to use the ip-list command to create a list of IPv4
addresses from 10.10.10.1 to 10.10.10.44:

ACOS(config)#ip-list ipv4-list
ACOS(config-ip-list)#10.10.10.1 to 10.10.10.44

ipv6

Description Configure global IPv6 settings. For information, see “Config Commands: IPv6” in the Network
Configuration Guide.

key
Description Configure a key chain for use by RIP or IS-IS MD5 authentication.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 136

A10 Thunder Series and AX Series—Command Line Interface

Syntax [no] key chain name

Replace name with the name of the key chain (1-31 characters).

This command changes the CLI to the configuration level for the specified key chain,
where the following key-chain related command is available:

[no] key num

This command adds a key and enters configuration mode for the key. The key number can
be 1-255. This command changes the CLI to the configuration level for the specified key,
where the following key-related command is available:

[no] key-string string

This command configures the authentication string of the key, 1-16 characters.

Default By default, no key chains are configured.

Mode Global Config

Usage Although you can configure multiple key chains, it is recommends using one key chain per
interface, per routing protocol.

Example The following commands configure a key chain named “example_chain”.

ACOS(config)#key chain example_chain

ACOS(config-keychain)#key 1
ACOS(config-keychain-key)#key-string thisiskey1
ACOS(config-keychain-key)#exit
ACOS(config-keychain)#key 2
ACOS(config-keychain-key)#key-string thisiskey2
ACOS(config-keychain-key)#exit
ACOS(config-keychain)#key 3
ACOS(config-keychain-key)#key-string thisiskey3

l3-vlan-fwd-disable
Description Globally disable Layer 3 forwarding between VLANs.

Syntax [no] l3-vlan-fwd-disable

Default By default, the ACOS device can forward Layer 3 traffic between VLANs.

Mode Configuration mode

Usage This command is applicable only on ACOS devices deployed in gateway (route) mode. If
the option to disable Layer 3 forwarding between VLANs is configured at any level, the
ACOS device can not be changed from gateway mode to transparent mode, until the
option is removed.

page 137 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Depending on the granularity of control required for your deployment, you can disable
Layer 3 forwarding between VLANs at any of the following configuration levels:

• Global – Layer 3 forwarding between VLANs is disabled globally, for all VLANs, on
ACOS devices deployed in gateway mode. (Use this command at the Configuration
mode level.)
• Individual interfaces – Layer 3 forwarding between VLANs is disabled for incoming traf-
fic on specific interfaces. (See the “l3-vlan-fwd-disable” command in the Network Con-
figuration Guide.)
• Access Control Lists (ACLs) – Layer 3 forwarding between VLANs is disabled for all traffic
that matches ACL rules that use the l3-vlan-fwd-disable action. (See “access-
list (standard)” on page 68 or “access-list (extended)” on page 70.)

To display statistics for this option, see “show slb switch” on page 427.

lacp system-priority
Description Set the Link Aggregation Control Protocol (LACP) priority.

Syntax [no] lacp system-priority num

Replace num with the LACP system priority, 1-65535. A low priority number indicates a high
priority value. The highest priority is 1 and the lowest priority is 65535.

Default 32768

Mode Configuration mode

Usage In cases where LACP settings on the local device (the ACOS device) and the remote
device at the other end of the link differ, the settings on the device with the higher priority
are used.

lacp-passthrough
Description Specify peer ports to which received LACP packets can be forwarded.

Syntax lacp-passthrough ethernet fwd-port ethernet rcv-port

Parameter Description
fwd-port Peer member that will forward LACP packets.
rcv-port Peer member that will receive the forwarded LACP packets.

Default Not set

Mode Configuration mode

ldap-server
Description Set Lightweight Directory Access Protocol (LDAP) parameters for authenticating
administra- tive access to the ACOS device.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 138

A10 Thunder Series and AX Series—Command Line Interface

Syntax [no] ldap-server host

{hostname | ipaddr}
{cn cn-name dn dn-name |
domain domain-name [base base-domain] [group group-id]}
[port portnum]
[ssl]
[timeout seconds]

Parameter Description
hostname Host name of the LDAP server.
ipaddr IP address of the LDAP Server.
cn-name Value for the Common Name (CN) attribute.
dn-name Value for the Distinguished Name (DN) attribute.
The DN attribute does not support spaces or quotation marks. For
example, the following DN string syntax is valid:
cn=xxx3,dc=maxcrc,dc=com
The following string is not valid because of the quotation marks and
space character:
“cn=xxx3,dc=max crc,dc=com”
domain-name Active Directory domain name.
base-domain Base domain to which the user belongs.
group-id Group ID to which the user belongs.
portnum Protocol port on which the server listens for LDAP traffic.
The default is 389.
seconds Maximum number of seconds the ACOS device waits for a reply
from the LDAP server for a given request (1-60 seconds). If the
LDAP server does not reply before the timeout, authentication of the
admin fails.
The default is 44 seconds.
ssl Authenticate using SSL.

Default No LDAP servers are configured by default. When you add an LDAP server, it has the
default settings described in the table above.

Mode Configuration mode

Usage LDAP is a AAA protocol that the ACOS device can use to authenticate admins and
authorize their management access based on admin account information on external
LDAP servers.

This release supports the following types of LDAP servers:

• OpenLDAP
• Microsoft Active Directory (AD)

To enable LDAP authentication, use the following command at the global configuration level
of the CLI:

page 139 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

[no] authentication type ldap [method2 [method3 [method4]]]

To use backup methods, specify them in the order you want to use them.

Nested OUs

To use nested OUs, specify the nested OU first, then the root. For example, a user account
could be nested as follows:

Root OU= Service Accounts -> OU=StaffElevatedAccounts -> UserAccUser1

To configure the ACOS device to provide LDAP AAA for “UserAccUser1”, use a command
such as the following:

ldap-server host ldapserver.ad.example.edu cn cn dn ou=StaffElevatedAccounts,

ou=ServiceAccounts,dc=ad,dc=example,dc=edu

Example The following commands enable LDAP authentication and add LDAP server 192.168.101.24:

ACOS(config)#authentication type ldap

ACOS(config)#ldap-server host 192.168.101.24 cn cn dn ou=UserAccount,dc=example,dc=com

link
Description Link the “startup-config” token to the specified configuration profile. By default, “startup-
con- fig” is linked to “default”, which means the configuration profile stored in the image
area from which the ACOS device most recently rebooted.

Syntax link startup-config {default | profile-name} [primary | secondary]

Parameter Description
default Links “startup-config” to the configuration profile stored in the
image area from which the ACOS device was most recently
rebooted.
profile-name Links “startup-config” to the specified configuration profile.
primary | second- Specifies the image area. If you omit this option, the image
ary area last used to boot is selected.

Default The “startup-config” token is linked to the configuration profile stored in the image area
from which the ACOS device was most recently rebooted.

Mode Configuration mode

Usage This command enables you to easily test new configurations without replacing the
configu- ration stored in the image area.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 140

A10 Thunder Series and AX Series—Command Line Interface

The profile you link to must be stored on the boot device you select. For example, if you use
the default boot device (hard disk) selection, the profile you link to must be stored on the
hard disk. If you specify cf, the profile must be stored on the compact flash. (To display the
profiles stored on the boot devices, use the show startup-config all command.
See “show startup-config” on page 347.)

After you link “startup-config” to a different configuration profile, configuration

management commands that affect “startup-config” affect the linked profile instead of
affecting the configuration stored in the image area. For example, if you enter the write
memory command without specifying a profile name, the command saves the running-
config to the linked profile instead of saving it to the configuration stored in the image
area.

Likewise, the next time the ACOS device is rebooted, the linked configuration profile is
loaded instead of the configuration that is in the image area.

To relink “startup-config” to the configuration profile stored in the image area, use the default
option (link startup-config default).

Example The following command links configuration profile “slbconfig3” with “startup-config”:

ACOS(config)# link startup-config slbconfig3

Example The following command relinks “startup-config” to the configuration profile stored in
the image area from which the ACOS device was most recently rebooted”:

ACOS(config)# link startup-config default

lldp enable
Description Use this command to enable or disable LLDP from the global level. You can enable LLDP
to either receive only, transmit only, or transmit and receive.

Syntax lldp enable [rx] [tx]

no lldp enable

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

Example To enable LLDP transmission and receipt from the global level, issue the following
com- mand:

ACOS(config)# lldp enable rx tx

lldp management-address
Description Configures the management-address that can include the following information:
• DNS name
• IPv4 address

page 141 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

• IPv6 address

Optionally, you can specify the interface on which the management address is configured.
The management interface can be either a physical Ethernet interface or a virtual
interface (VE).

Syntax [no] lldp management-address

{dns dns-value | ipv4 ipv4-value ipv6 ipv6-value}
interface {ethernet eth-num | management | ve ve-num}

Default Not set

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

lldp notification interval

Description This object controls the interval between transmission of LLDP notifications during normal
transmission periods.

Syntax [no] lldp notification interval notification-value

Default 30

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

lldp system-description
Description Defines the alpha-numeric string that describes the system in the network.

Syntax [no] lldp system-description sys-description-value

Default None

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

lldp system-name
Description Defines the string that will be assigned as the system name.

Syntax [no] lldp system-name system-name-value

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 142

A10 Thunder Series and AX Series—Command Line Interface

Default hostname

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

Example The following command will set the LLDP system name to “testsystem”:

ACOS(config)# lldp system-name testsystem

lldp tx fast-count
Description This value is used as the initial value for the Fast transmission variable. This value
determines the number of LLDP data packets that are transmitted during a fast
transmission period. This value can range from 1-8 seconds.

Syntax [no] lldp tx fast-count value

Default 4

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

Example The following command will set the LLDP fast count transmission value to 3 seconds:

ACOS(config)# lldp tx fast-count 3

lldp tx fast-interval
Description This variable defines the time interval in timer ticks between transmissions during fast
trans- mission periods (that is, txFast is non-zero). The range for this variable is 1-3600
seconds.

Syntax [no] lldp tx fast-interval

Default 1 second

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

Example The following command will set the LLDP fast transmission interval value to 2000 seconds:

ACOS(config)# lldp tx fast-interval 2000

lldp tx interval
Description Defines the transmission (tx) interval between a normal transmission period.

Syntax [no] lldp tx interval value

page 143 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Replace value with the transmission interval from 1 to 3600 seconds.

Default 30 seconds

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

Example The following command will set the transmission interval to 200:

ACOS(config)# lldp tx interval 200

lldp tx hold
Description Determines the value of the message transmission time to live (TTL) interval that is carried
in LLDP frames. The hold-value can be from 1 to 100 seconds.

Syntax [no] lldp tx hold hold-value

Default Default 4 seconds

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

Example The following command will set the transmission hold time to 255:

ACOS(config)# lldp tx hold 255

lldp tx reinit-delay
Description Indicates the delay interval when the administrative status indicates ‘disabled’ after which
re- initialization is attempted. The range for the
reinit-delay-value is 1-5 seconds.

Syntax [no] lldp tx reinit-delay reinit-delay-value

Default 2 seconds

Mode Configuration mode

Usage LLDP commands are only available in the shared partition.

Example The following command will set the retransmission delay to 3 seconds:

ACOS(config)# lldp tx reinit-delay 3

locale
Description Set the CLI locale.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 144

A10 Thunder Series and AX Series—Command Line Interface

Syntax [no] locale {test | locale}

Default en_US.UTF-8

Mode Configuration mode

Usage Use this command to configure the locale or to test the supported locales.

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following commands test the Chinese locales and set the locale to zh_CN.GB2312:

ACOS(config)# locale test zh_CN

ACOS(config)# locale zh_CN.GB2312

logging auditlog host

Description Configure audit logging to an external server.

Syntax [no] logging auditlog host {ipaddr |

hostname} [facility facility-name]

Parameter Description
ipaddr IP address of the remote server.
hostname Host name of the remote server.
facility-name Name of a log facility:
• local0
• local1
• local2
• local3
• local4
• local5
• local6
• local7
There is no default.

Default N/A

Mode Configuration mode

Usage The audit log is automatically included in system log backups. You do not need this
com- mand in order to back up audit logs that are within the system log. To back up
the system log, see “backup system” on page 38 and “backup log” on page 36.

In the current release, only a single log server is supported for remote audit logging.

page 145 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

logging buffered
Description Configure the event log on the ACOS device.

Syntax [no] logging buffered max-messages

Syntax [no] logging buffered

{disable | emergency | alert | critical | error | warning |
notification | information | debugging}

Parameter Description
max-messages Specifies the maximum number of messages the event log buffer will hold. The default buffer
size (maximum messages) is 30000.
disable Disable logging to the monitor.
emergency Send emergency events (severity level 0—system unusable) to the monitor.
alert Send alert events (severity level 1—take action immediately) to the monitor.
critical Send critical events (severity level 2—system is in critical condition) to the monitor.
error Send error events (severity level 3—system has an error condition) to the monitor.
warning Send warning events (severity level 4—system has warning conditions) to the monitor.
notification Send notifications (severity level 5—normal but significant conditions) to the monitor.
information Send informational messages (severity level 6) to the monitor.
debugging Send debug level messages (severity level 7) to the monitor.

Default See descriptions.

Mode Configuration mode

Example The following command sets the severity level for log messages to 7 (debugging):

ACOS(config)#logging buffered debugging

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 146

A10 Thunder Series and AX Series—Command Line Interface

logging console
Description Set the logging level for messages sent to the console.

Syntax [no] logging console

{disable | emergency | alert | critical | error | warning |
notification | information | debugging}

Parameter Description
disable Disable logging to the console.
emergency Send emergency events (severity level 0—system unusable) to the console.
alert Send alert events (severity level 1—take action immediately) to the console.
critical Send critical events (severity level 2—system is in critical condition) to the console.
error Send error events (severity level 3—system has an error condition) to the console.
warning Send warning events (severity level 4—system has warning conditions) to the console.
notification Send notifications (severity level 5—normal but significant conditions) to the console.
information Send informational messages (severity level 6) to the console.
debugging Send debug level messages (severity level 7) to the console.

Default Level 3—Error messages

Mode Global configuration

logging disable-partition-name
Description Disable display of L3V partition names in log messages.

Syntax [no] logging disable-partition-name

Default Display of L3V partition names in log messages is enabled by default.

Mode Configuration mode

Usage When this option is enabled partition names are included in log messages as the following
example illustrates.
Jan 24 2014 15:30:21 Info [HMON]:<partition_1> SLB server rs1 (4.4.4.4) is down
Jan 24 2014 15:30:19 Info [HMON]:<partition_1> SLB server rs1 (4.4.4.4) is
up Jan 24 2014 15:30:17 Info [ACOS]:<partition_1> Server rs1 is created

logging email buffer

Description Configure log email settings.

page 147 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Syntax [no] logging email buffer [number num] [time minutes]

Parameter Description
num Specifies the maximum number of messages to buffer (16-256).
The default number is 50 messages.
minutes Specifies how long to wait before sending all buffered messages, if the
buffer contains fewer than the maximum allowed number of messages.
You can specify 10-1440 minutes.
The default time is 10 minutes.

Default By default, emailing of log messages is disabled. When you enable the feature, the
buffer options have the default values described in the table above.

Mode Configuration mode

Usage To configure the ACOS device to send log messages by email, you also must configure an
email filter and specify the email address to which to email the log messages. See “logging
email filter” on page 148 and “logging email-address” on page 151.

Example The following command configures the ACOS device to buffer log messages to be
emailed. Messages will be emailed only when the buffer reaches 32 messages, or 30
minutes passes since the previous log message email, whichever happens first.

ACOS(config)#logging email buffer number 32 time 30

logging email filter

Description Configure a filter for emailing log messages.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 148

A10 Thunder Series and AX Series—Command Line Interface

Syntax [no] logging email filter filter-num “conditions” operators

[trigger]

Parameter Description
filter-num Specify the filter number (1-8).
conditions Message attributes on which to match. The conditions list can contain one or more of the
following:
• Severity levels of messages to send in email. Specify the severity levels by number or word:
• 0 - emergency
• 1 - alert
• 2 - critical
• 3 - error
• 4 - warning
• 5 - notification
• 6 - information
• 7 - debugging
• Software modules for which to email messages. Messages are emailed only if they come from
one of the specified software modules. For a list of module names, enter ? instead of a module
name, and press Enter.
• Regular expression. Standard regular expression syntax is supported. Only messages that meet
the criteria of the regular expression will be emailed. The regular expression can be a simple text
string or a more complex expression using standard regular expression logic.
operators Set of Boolean operators (AND, OR, NOT) that specify how the conditions should be compared.
The CLI Boolean expression syntax is based on Reverse Polish Notation (also called Postfix Notation), a
notation method that places an operator (AND, OR, NOT) after all of its operands (in this case, the con-
ditions list).
After listing all the conditions, specify the Boolean operator(s). The following operators are supported:
• AND – All conditions must match in order for a log message to be emailed.
• OR – Any one or more of the conditions must match in order for a log message to be emailed.
• NOT – A log message is emailed only if it does not match the
conditions For more information about Reverse Polish Notation, see:
http://en.wikipedia.org/wiki/Reverse_Polish_notation

trigger Immediately sends the matching messages in an email instead of buffering them. If you omit this
option, the messages are buffered based on the logging email buffer settings.

Default Not set. Emailing of log messages is disabled by default.

Mode Configuration mode

Usage To configure the ACOS device to send log messages by email, you also must specify the
email address to which to email the log messages. See “logging email-address” on page
151.

Below are some additional usage considerations:

• You can configure up to 8 filters. The filters are used in numerical order, starting with
fil- ter 1. When a message matches a filter, the message will be emailed based on the
buf- fer settings. No additional filters are used to examine the message.

page 149 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

• A maximum of 8 conditions are supported in a filter.

• The total number of conditions plus the number of Boolean operators supported in a
filter is 16.
• The filter requires a valid module name, even if you omit the module option.
• For backward compatibility, the following syntax from previous releases is still
sup- ported:

logging email severity-level

The severity-level can be one or more of the following (specify either the severity
number o r name):

• 0 - emergency
• 1 - alert
• 2 - critical
• 5 - notification

The command is treated as a special filter. This filter is placed into effect only if the
com- mand syntax shown above is in the configuration. The filter has an implicit trigger
option for emergency, alert, and critical messages, to emulate the behavior in previous
releases.

Example The following command configures a filter that matches on log messages if they are infor-
mation-level messages and contain the string “abc”. The trigger option is not used,
so the messages will be buffered rather than emailed immediately.

ACOS(config)#logging email filter 1 “level information pattern abc and”

The following command reconfigures the filter to immediately email matching messages.

ACOS(config)#logging email filter 1 “level information pattern abc and” trigger

Example The following example configures a filter to send email if the log message is generated
by the “AFLEX” module and the severity level is “warning”:

ACOS(config)#logging email filter 1 “level warning module AFLEX and”

Example The following example configures a filter to send email if the log message has the pattern
of “disk is full” or the severity level is “critical”:

ACOS(config)#logging email filter 2 “pattern disk is full level critical or”

Example The following example configures a filter to send email if the log message is generated
by (module “SYSTEM” or “ALB”) and (the severity level is “alert” or has pattern of
“unexpected error”)

ACOS(config)#logging email filter 3 “module SYSTEM module ALB or level alert pattern unex-
pected error or and”

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 150

A10 Thunder Series and AX Series—Command Line Interface

logging email-address
Description Specify the email addresses to which to send event messages.

Syntax [no] logging email-address address

Parameter Description
address Email address to which event message will be sent.
To specify multiple Email addresses, use the logging email-
address command once for each address.

Default None

Mode Configuration mode

Usage To configure the ACOS device to send log messages by email, you also must configure
an email filter. See “logging email filter” on page 148.

Example The following command sets two email addresses to which to send log messages:

ACOS(config)#logging email-address [email protected]

ACOS(config)#logging email-address [email protected]

logging export
Description Send the messages that are in the event buffer to an external file server.

Syntax [no] logging export [all] [use-mgmt-port] url

Parameter Description
all Include system support messages.
use-mgmt-port Use the management interface as the source interface for the connection to the remote
device. The management route table is used to reach the device. Without this option, the
ACOS device attempts to use the data route table to reach the remote device through a data
interface.
url Saves a backup of the log to a remote server.
You can enter the entire URL on the command line or press Enter to display a prompt for each
part of the URL. If you enter the entire URL and a password is required, you will still be
prompted for the password. The password can be up to 255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file

Default Not set

page 151 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
com- mand to specify the device in the chassis to which to apply this command.

Example The following example sends the event buffer to an external file server using FTP. The
file “event-buffer-messages.txt” will be created on the remote server.

ACOS(config)#logging export ftp://exampleuser@examplehost/event-buffer-messages.txt

logging facility
Description Enable logging facilities.

Syntax [no] logging facility facility-name

Parameter Description
facility-name Name of a log facility:
• local0
• local1
• local2
• local3
• local4
• local5
• local6
• local7

Default The default facility is local0.

Mode Configuration mode

logging host
Description Specify a Syslog server to which to send event messages.

Syntax [no] logging host ipaddr [port protocol-port [tcp]] [use-mgmt-port]

Parameter Description
ipaddr IP address of the Syslog server.
protocol-port Protocol port number to which to send messages (1-32767).
tcp Use TCP as the transport protocol.
use-mgmt-port Establish the connection to the Syslog server using the management port.

Default The default protocol port is 514.

Mode Global configuration

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 152

A10 Thunder Series and AX Series—Command Line Interface

Usage Multiple log servers can be created by using the logging host command once for
each server. If you use the command with the same IP address as an existing logging
server, it replaces any existing configuration for that existing server.

Example The following command configures two external log servers. In this example, both
servers use the default syslog protocol port, 514, to listen for log messages.

ACOS(config)#logging host 10.10.10.1

ACOS(config)#logging host 10.10.10.2

logging monitor
Description Set the logging level for messages sent to the terminal monitor.

Syntax [no] logging monitor

{disable | emergency | alert | critical | error | warning |
notification | information | debugging}

Parameter Description
disable Disable logging to the monitor.
emergency Send emergency events (severity level 0—system unusable) to the monitor.
alert Send alert events (severity level 1—take action immediately) to the monitor.
critical Send critical events (severity level 2—system is in critical condition) to the monitor.
error Send error events (severity level 3—system has an error condition) to the monitor.
warning Send warning events (severity level 4—system has warning conditions) to the monitor.
notification Send notifications (severity level 5—normal but significant conditions) to the monitor.
information Send informational messages (severity level 6) to the monitor.
debugging Send debug level messages (severity level 7) to the monitor.

Default Not set (no logging)

Mode Global configuration

page 153 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

logging single-priority
Description Configure single-priority logging to log one specific severity level from among the
standard syslog message severity levels.

Syntax [no] logging single-priority {emergency | alert | critical | error

| warning | notification | information | debugging}

Parameter Description
emergency Log emergency events (severity level 0—system unusable) only.
alert Log alert events (severity level 1—take action immediately) only.
critical Log critical events (severity level 2—system is in critical condition) only.
error Log error events (severity level 3—system has an error condition) only.
warning Log warning events (severity level 4—system has warning conditions) only.
notification Log notifications (severity level 5—normal but significant conditions) only.
information Log informational messages (severity level 6) only.
debugging Log debug level messages (severity level 7) only.

Default Not set (no logging)

Mode Configuration mode

logging syslog
Description Set the syslog logging level for events sent to the syslog host.

Syntax [no] logging syslog

{disable | emergency | alert | critical | error | warning |
notification | information | debugging}

Parameter Description
disable Disable logging of syslog events.
emergency Send emergency events (severity level 0—system unusable) to the syslog host.
alert Send alert events (severity level 1—take action immediately) to the syslog host.
critical Send critical events (severity level 2—system is in critical condition) to the syslog host.
error Send error events (severity level 3—system has an error condition) to the syslog host.
warning Send warning events (severity level 4—system has warning conditions) to the syslog host.
notification Send notifications (severity level 5—normal but significant conditions) to the syslog host.
information Send informational messages (severity level 6) to the syslog host.
debugging Send debug level messages (severity level 7) to the syslog host.

Default Not set (no logging)

Mode Global configuration

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 154

A10 Thunder Series and AX Series—Command Line Interface

logging trap
Description Set the logging level for traps sent to the SNMP host.

Syntax [no] logging trap {disable | emergency | alert | critical}

Parameter Description
disable Disable logging of SNMP traps.
emergency Sent emergency events (severity level 0—system unusable) to the SNMP host.
alert Send alert events (severity level 1—take action immediately) to the SNMP host.
critical Send critical events (severity level 2—system is in critical condition) to the SNMP host.

Default Not set (no logging)

Mode Global configuration

mac-address
Description Configure a static MAC address.

Syntax [no] mac-address mac-address port port-num vlan vlan-id

[trap {source | dest | both}]

Parameter Description
mac-address Hardware address, in the following format:
aabb.ccdd.eeff
port port-num ACOS Ethernet port to which to assign the MAC address.
If the ACOS device is a member of an aVCS virtual chassis, specify
the interface as follows:
DeviceID/Portnum
vlan vlan-id Layer 2 broadcast domain in which to place the device.
trap Send packets to the CPU for processing, instead of switching them
in hardware.:
• source – Send packets that have this MAC as a source address
to the CPU.
• dest – Send packets that have this MAC as a destination
address to the CPU.
• both – Send packets that have this MAC as either a
source or destination address to the CPU.

NOTE: The trap option is supported on only some AX models: AX 3200-12, AX 3400,
AX 5200-11 and AX 5630.

page 155 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Default No static MAC addresses are configured by default.

Mode Configuration mode

Example The following command configures static MAC address abab.cdcd.efef on port 5 in VLAN 3:

ACOS(config)#mac-address abab.cdcd.efef port 5 vlan 3

mac-age-time
Description Set the aging time for dynamic (learned) MAC entries. An entry that remains unused for
the duration of the aging time is removed from the MAC table.

Syntax [no] mac-age-time seconds

Replace seconds with the number of seconds a learned MAC entry can remain unused
before it is removed from the MAC table (10-600).

Default 300 seconds

Mode Configuration mode

On some AX models, the actual MAC aging time can be up to 2 times the configured value.
For example, if the aging time is set to 50 seconds, the actual aging time will be between
50 and 100 seconds. (This applies to the AX 3200-12, AX 3400, AX 5200-11 and AX
5630.)

On other models, the actual MAC aging time can be +/- 10 seconds from the configured
value.

Example The following command changes the MAC aging time to 600 seconds:

ACOS(config)#mac-age-time 600

maximum-paths
Description Change the maximum number of paths a route can have in the forwarding Information
Base (FIB).

Syntax [no] maximum-paths num

Replace num for the maximum number of paths a route can have. You can specify 1-64.

Default 10

Mode Configuration mode

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 156

A10 Thunder Series and AX Series—Command Line Interface

merge-mode-add
Description Use this command to enter “merge” mode and integrate new configurations into the
current running configuration. This is a setting of the “block-merge” command in which
any child instances of the old configuration are retained if not present in the new
configuration.

Syntax merge-mode-add slb {server | service-group | virtual-server}

Parameter Description
server Controls block-merge behavior for slb server.
service- Controls block-merge behavior for slb service-group.
group
virtual- Controls block-merge behavior for slb virtual-server.
server

Default N/A

Mode Block-merge configuration mode

mirror-port
Description Specify a port to receive copies of another port’s traffic.

For more information about mirror port configuration, see “Multiple Port-Monitoring Mirror
Ports” in the System Configuration and Administration Guide.

Syntax [no] mirror-port portnum ethernet portnum [input | output | both]

Parameter Description
mirror-port Mirror port index number.
portnum
ethernet Ethernet port number. This is the port that will act as the mirror
portnum port. Mirrored traffic from the monitored port will be copied to and
sent out of this port.
input Configures the mirror port so that only inbound traffic from the moni-
tored port can be sent out of the mirror port.
output Configures the mirror port so that only outbound traffic from the
monitored port can be sent out of the mirror port.
both Configures the mirror port so that both inbound and outbound traffic
from the monitored port can be sent out of the mirror port.
This is the default behavior, meaning that if no traffic direction is
spec- ified, then both inbound and outbound traffic will be mirrored
with- out having to explicitly specify the both option.

page 157 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Default Not set

Mode Configuration mode

Usage When enabling monitoring on a port, you can specify the mirror port to use. You also can
specify the traffic direction. A monitored port can use multiple mirror ports.

To specify the port to monitor, use the monitor command at the interface configuration
level. (See the “monitor” command in the Network Configuration Guide.)

Example The following command configures Ethernet port 4 so that it is able to send both inbound
and outbound traffic from the monitored port:

ACOS(config)#mirror-port 1 ethernet 4 both

The following commands configure a monitor port, Ethernet port 8, to use Ethernet port 4
as the mirror port, using mirror index 1 from above:

ACOS(config)#inferface ethernet 8
ACOS(config-if:ethernet:8)#monitor 1 both

Example The following command configures Ethernet port 3 to send only inbound traffic from the
monitored port:

ACOS(config)#mirror-port 2 ethernet 3 input

The following commands configure a monitor port, Ethernet port 6, to use Ethernet port 3
as the mirror port, using mirror index 2 from above. Note that the input parameter
must be used on the monitor port since the mirror port was also configured with the
input parameter:

ACOS(config)#inferface ethernet 6
ACOS(config-if:ethernet:6)#monitor 2 input

monitor
Description Specify event thresholds for utilization of resources.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 158

A10 Thunder Series and AX Series—Command Line Interface

Syntax [no] monitor resource-type threshold-value

Parameter Description
resource-type Type of resource for which to set the monitoring threshold:
• buffer-drop – Packet drops (dropped IO buffers)
• buffer-usage – Control buffer utilization
The conn-type resources configure the conn resource
type thresholds per CPU:
• conn-type0 – 32 bytes
• conn-type1 – 64 bytes
• conn-type2 – 128 bytes
• conn-type3 – 256 bytes
• conn-type4 – 512 bytes
• ctrl-cpu – Control CPU utilization
• data-cpu – Data CPUs utilization
• disk – Hard disk utilization
• memory – Memory utilization
The smp-type resources configure the Threshold for SMP
resources for the global session memory pool, shared across all
of the ACOS device’s CPUs:
• smp-type0 – 32 bytes
• smp-type1 – 64 bytes
• smp-type2 – 128 bytes
• smp-type3 – 256 bytes
• smp-type4 – 512 bytes
• warn-temp – CPU temperature

threshold-value The values you can specify depend on the event type and
on the ACOS device model. For information, see the CLI
help.

Default The default threshold values depend on the event type and on the ACOS model. For
infor- mation, see the CLI help.

Usage If utilization of a system resource crosses the configured threshold, a log message is
gener- ated. If applicable, an SNMP trap is also generated.

To display the configured event thresholds, see “show monitor” on page 323.

Example The following command sets the event threshold for data CPU utilization to 80%:

ACOS(config)#monitor data-cpu 80

multi-config
Description Enable simultaneous admin sessions.

page 159 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Syntax [no] multi-config enable

Default Enabled

Mode Config

Usage Use the “no” form of the command to disable multiple admin access.

NOTE: Disabling multiple admin access does not terminate currently active admin ses-
sions. For example, if there are 4 active config sessions, disabling multi-user
access will cause the display of a permission prompt when a 5th user attempts to
log onto the device. However, the previous 4 admin sessions will continue to run
unaffected.

multi-ctrl-cpu
Description Enable use of more than one CPU for control processing.

Syntax multi-ctrl-cpu num

Replace num with the number of CPUs to use for control processing. Up to one fourth of the
device’s CPUs can be used for control processing.

To display the number of CPUs your device has, enter the show hardware command.

Default One CPU is used for control processing.

Mode Global configuration level

Usage A reboot is required to place this command into effect.

This command is required if you plan to enable use of multiple CPUs for health-check
processing.

NOTE: There is no “no” form of this command. To disable multiple CPUs for control pro-
cessing and restore it back to default, simply configure multi-ctrl-cpu 1.

Example The following commands display the number of CPUs (cores) the device being
managed contains, and enable use of multiple CPUs for control processing.

ACOS(config)# show hardware

AX Series Advanced Traffic Manager AX2500
Serial No : AX2505abcdefghij
CPU : Intel(R) Xeon(R) CPU
8 cores
5 stepping
Storage : Single 74G drive
Memory : Total System Memory 6122 Mbyte, Free Memory 1275
Mbyte
SMBIOS : Build Version: 080015

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 160

A10 Thunder Series and AX Series—Command Line Interface

Release Date: 02/01/2010

SSL Cards : 5 device(s) present
5 Nitrox PX
GZIP : 0 compression device(s)
present FPGA : 0 instance(s) present
L2/3 ASIC : 0 device(s)
present Ports : 12

The first attempt does not succeed because the number of CPUs requested (3) was more
than the number available for control processing on this device.

ACOS(config)# multi-ctrl-cpu 3
The number of control CPUs should be less than a quarter of the total number of CPUs

The next attempt succeeds. The number of CPUs requested (2) is one-fourth of the total
number of CPUs on the device, which is the maximum that can be allocated to control
processing.

ACOS(config)# multi-ctrl-cpu 2
This will modify your boot profile for multiple control CPUs.
It will take effect after the next reboot.
Please confirm: You want to configure multiple control CPUs (N/Y)?:Y
...

After the system is rebooted, the show running-config indicates that multiple CPUs are
being utilized:

ACOS# show running-config

!Current configuration: 961 bytes
!Configuration last updated at 15:16:44 IST Wed Jun 3 2015
!Configuration last saved at 14:08:29 IST Wed Jun 3 2015
!version 2.7.2-P5, build 129 (May-27-2015,06:52)
!
!multi-ctrl-cpu 2 <<-multiple CPUs are being used
...

The output of the show version command also contains information when multiple
CPUs are being utilized:

ACOS# show version

Thunder Series Unified Application Service Gateway TH6630
Copyright 2007-2015 by A10 Networks, Inc. All A10 Networks products
are protected by one or more of the following US patents:
8977749, 8943577, 8918857, 8914871, 8904512, 8897154, 8868765, 8849938
8826372, 8813180. 8782751, 8782221, 8595819, 8595791, 8595383, 8584199
8464333, 8423676, 8387128, 8332925, 8312507, 8291487, 8266235, 8151322
8079077, 7979585. 7804956, 7716378, 7665138, 7647635, 7627672, 7596695
7577833, 7552126, 7392241, 7236491, 7139267, 6748084, 6658114, 6535516

page 161 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

6363075, 6324286, 5931914, 5875185, RE44701, 8392563, 8103770, 7831712

7606912, 7346695, 7287084, 6970933, 6473802, 6374300

64- bit Advanced Core OS (ACOS) version 2.7.2-P5, build 129 (May-27-
2015,06:52) Booted from Hard Disk primary image

Number of control CPUs is set to 2 <<-multiple CPUs are being used

...

Neither line appears in the output if multi-ctrl-cpu is not enabled.

netflow common max-packet-queue-time

Description Specify the maximum amount of time ACOS can hold onto a NetFlow record packet in the
queue before sending it to the NetFlow collector. ACOS holds a NetFlow packet in the
queue until the packet payload is full of record data or until the queue timer expires.

Syntax [no] netflow common max-packet-queue-time queue-time-multiplier

Replace queue-time-multiplier with the multiplier for the maximum queue time.
Multiply this value by 20 to calculate the maximum number of milliseconds (ms) ACOS will
hold a NetFlow packet in the queue before sending it. The multiplier can be 0-50. For
example, to specify a half-second maximum queue time, set the multiplier to 25. Likewise, to
specify a 1-second queue time, set the multiplier to 50.

Setting the multiplier to 0 means that there will be no delay for NetFlow packets to be
sent to the NetFlow collector, and NetFlow records will not be buffered.

Default 50 (1-second maximum queue time)

Mode Global configuration level

netflow monitor
Description Enable ACOS to act as a NetFlow exporter, for monitoring traffic and exporting the data
to one or more NetFlow collectors for analysis.

Syntax [no] netflow monitor monitor-name

Default Replace monitor-name with the name of the NetFlow monitor.

This command changes the CLI to the configuration level for the specified NetFlow monitor,
where the following commands are available.

Command Description
[no] destination Configure the destination where NetFlow records will be sent.
ipaddr [portnum]
disable Disable this NetFlow monitor.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 162

A10 Thunder Series and AX Series—Command Line Interface

Command Description
[no] flow-timeout Timeout value interval at which flow records will be periodically exported for long-
lived sessions. Flow records for short-lived sessions (if any) are sent upon
termination of the session.
After the specified amount of time has elapsed, the ACOS device will send any
flow records to the NetFlow collector, even if the flow is still active. The flow
timeout can be set to 0-1440 minutes. The flow timeout default value is 10
minutes.
Setting the timeout value to 0 disables the flow timeout feature. Regardless of how
long-lived a flow might be, the ACOS device waits until the flow has ended and the
session is deleted before it sends any flow records for it.
[no] protocol Configure the version of the NetFlow protocol you want to use:
• v9 – Version 9 (default)
• v10 – Version 10
[no] record Configure the NetFlow record types to be exported. (See the “NetFlow v9 and v10
netflow-template-type (IPFIX)” chapter in the System Configuration and Administration Guide.)
[no] resend-template Configure when to resend the NetFlow template. The trigger can be either the num-
{records num | ber of records, or the amount of time that has passed.
timeout seconds}
• records – Specifies the counters by which the ACOS device resends
templates to the collectors. The num can be 0-1000000. The default is 1000.
• timeout – Specifies the time between when templates are resent to the
collec- tors. The num is the number of seconds and can be 0-86400. The
default is 1800.
NOTE: Specifying 0 means never resend the template.
[no] sample {ethernet | Enable sampling.
global | nat-pool | ve}
Configure filters for monitoring traffic. Identify the specific type and subset of
resources to monitor.
• ethernet portnum – Specify the list of Ethernet data ports to monitor.
Flow information for the monitored interfaces is sent to the NetFlow
collector(s).
• global – (Default) No filters are in effect. Traffic on all interfaces is monitored.
• nat-pool pool-name – NAT pool.
• ve ve-num – Specify the list of Virtual Ethernet (VE) data ports to monitor.
[no] source-address Uses the specified IP address as the source address for exported NetFlow packets.
{ip ipv4addr | By default, the IP address assigned to the egress interface is used. This command
ipv6 ipv6addr} does not change the egress port out which the NetFlow traffic is exported.
[no] source-ip-use-mgmt Use the management interface’s IP address as the source IP for exported NetFlow
packets. This command does not change the egress port out which the NetFlow traf-
fic is exported.

Default Described above, where applicable.

Mode Global configuration level

page 163 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

no

Description Remove a configuration command from the running configuration.

Syntax no command-string

Default N/A

Mode Config

Usage Use the “no” form of a command to disable a setting or remove a configured item. Configu-
ration commands at all Config levels of the CLI have a “no” form, unless otherwise noted.

The command is removed from the running-config. To permanently remove the command
from the configuration, use the write memory command to save the configuration
changes to the startup-config. (See “write memory” on page 57.)

Example The following command removes server “http99” from the running-config:

ACOS(config)#no slb server http99

ntp
Description Configure Network Time Protocol (NTP) parameters.

Syntax [no] ntp allow-data-ports

Syntax [no] ntp auth-key {M | SHA | SHA1} [hex] string

Syntax [no] ntp trusted-key ID-num

Syntax [no] ntp server {hostname | ipaddr}

The ntp server command changes the CLI to the configuration level for the server,
where the following commands are available.

Parameter Description
allow-data-ports Allow connections to NTP servers from data ports.
disable Disables synchronization with the NTP server.
enable Enables synchronization with the NTP server.
key ID-num Creates an authentication key. For ID-num, enter a value
between 1-65535.
prefer Directs ACOS to use this NTP server by default. Additional
NTP servers are used as backup servers if the preferred NTP
server is unavailable.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 164

A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
{M | SHA | SHA1} Specifies the type of authentication key you want to create
{ascii | hex} for authenticating the NTP servers.
string
• M - encryption using MD5
• SHA - encryption using SHA
• SHA1 - encryption using SHA1
Specify the authentication key string (1-20 characters. Use
the hex parameter to specify the string in hex format (21-
40 characters), or ascii to specify it in text.
trusted-key ID-num Adds an authentication key to the list of trusted keys. For
num, enter the identification number of a configured
authentication key to add the key to the trusted key list. You
can enter more than one number, separated by whitespace,
to simultaneously add multiple authentication keys to the
trusted key list.

Default NTP synchronization is disabled by default. If you enable it, DST is enabled by default, if
appli- cable to the specified timezone.

Mode Configuration mode

Usage You can configure a maximum of 4 NTP servers.

If the system clock is adjusted while OSPF or IS-IS is enabled, the routing protocols may stop
working properly. To work around this issue, disable OSPF and IS-IS before adjusting the
system clock.

Example The following commands configure an NTP server and enable NTP:

ACOS(config)#ntp server 10.1.4.20

ACOS(config)#ntp server enable

Example The following example creates 3 authentication keys (1337 using MD5 encryption, 1001
using SHA encryption, and 1012 using SHA1 encryption) and adds these keys to the list of
trusted keys. The NTP server located at 10.1.4.20 is configured to use a trusted key (1337)
for authentication:

ACOS(config)#ntp auth-key 1337 M XxEnc192

ACOS(config)#ntp auth-key 1001 SHA Vke1324as
ACOS(config)#ntp auth-key 1012 SHA1 28fj039
ACOS(config)#ntp trusted-key 1337 1001 1012
ACOS(config)#ntp server 10.1.4.20 key 1337

You can verify the NTP server and authentication key configuration with the show run
command. The following example includes an output modifier to display only NTP-related
configuration:

page 165 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

ACOS(config)#show run | include ntp

ntp auth-key 1001 SHA encrypted
FSNiuf10Dtzc4aY0tk2J4DwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
ntp auth-key 1012 SHA1 encrypted
NEMuh8GgapM8EIy41dsA5zwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
ntp auth-key 1337 M encrypted zIJptJHuaQaw/5o10esBTDwQjLjV2wDnPBC-
MuNXbAOc8EIy41dsA5zwQjLjV2wDn
ntp trusted-key 1001 1012 1337
ntp server 10.1.4.20 key 1337
ntp server enable

object-group network
Description Create a network object group, for specifying match criteria using Layer 3 parameters.
An object group is a named set of IP addresses or protocol values.

Syntax [no] object-group network group-name [acl | fw {v4 | v6}]

Parameter Description
group-name Name of the network object group (1-63 characters).
acl Create a network object group that will be used by Access Control Lists.
When you configure an IPv4 or IPv6 ACL, you can specify the name of
an object group in place of IP address or protocol parameters. This
capability can be useful in cases where the same match criteria are
used in more than one ACL. If you need to modify the match criteria,
you can apply the changes to all affected ACLs at the same time, by
modifying the object group. You do not need to edit each individual
ACL.
fw v4 Create a network object group that will be used for IPv4 firewall config-
urations.
f4 v6 Create a network object group that will be used for IPv4 firewall config-
urations.

This command changes the CLI to the configuration level for the network object group,
where the following commands are available:

Command Description
[no] any Matches on all IP addresses.
[no] host host-src-ipaddr Matches only on the specified host IPv4 or IPv6 address.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 166

A10 Thunder Series and AX Series—Command Line Interface

Command Description
[no] net-src-ipaddr { Matches on any host in the specified IPv4 subnet.
filter-mask |
The filter-mask specifies the portion of the address to filter:
/mask-length }
• Use 0 to match.
• Use 255 to ignore.
For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.255
Alternatively, you can use mask-length to specify the portion of the address
to filter. For example, you can specify “/24” instead “0.0.0.255” to filter on a 24-bit
subnet.

[no] net-src-ipv6addr Matches on any host in the specified subnet. The prefix-length specifies
/prefix-length the portion of the address to filter.

Default Not set

Mode Configuration mode

Example The following commands configure network object groups INT_CLIENTS, HTTP_SERVERS
and FTP_SERVERS:

ACOS(config)# object-group network INT_CLIENTS

ACOS(config-network-group:INT_CLIENTS)# host 10.9.9.1
ACOS(config-network-group:INT_CLIENTS)# host 10.9.9.2
ACOS(config-network-group:INT_CLIENTS)# 10.1.0.0 0.0.255.255
ACOS(config-network-group:INT_CLIENTS)# 10.2.0.0 0.0.255.255
ACOS(config-network-group:INT_CLIENTS)# exit
ACOS(config)# object-group network HTTPS_SERVERS
ACOS(config-network-group:HTTPS_SERVERS)# host 192.168.230.215
ACOS(config-network-group:HTTPS_SERVERS)# host 192.168.230.216
ACOS(config-network-group:HTTPS_SERVERS)# host 192.168.230.217
ACOS(config-network-group:HTTPS_SERVERS)# exit
ACOS(config)# object-group network FTP_SERVERS
ACOS(config-network-group:FTP_SERVERS)# host 192.168.230.5
ACOS(config-network-group:FTP_SERVERS)# host 192.168.230.216
ACOS(config-network-group:FTP_SERVERS)# exit
object-group service
Description Create a service object group, for specifying match criteria using Layer 4 - Layer 7 parameters.
An object group is a named set of IP addresses or protocol values.

Usage [no] object-group service group-name

page 167 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

This command changes the CLI to the configuration level for the service object group, where
the following commands are available:

Command Description
description Description of this service object group instance.
[no] icmp Matches on ICMP traffic.
[type {type-option}
The type type-option parameter matches based on the
[code {any-code | code-num}]]
specified ICMP type. You can specify one of the following ICMP types
(enter either the number or the name):
• any-type – Matches on any ICMP type.
• dest-unreachable | 3 – Type 3, destination unreachable
• echo-reply | 0 – Type 0, echo reply
• echo-request | 8 – Type 8, echo request
• info-reply | 16 – Type 16, information reply
• info-request | 15 – Type 15, information request
• mask-reply | 18 – Type 18, address mask reply
• mask-request | 17 – Type 17, address mask request
• parameter-problem | 12 – Type 12, parameter problem
• redirect | 5 – Type 5, redirect message
• source-quench | 4 – Type 4, source quench
• time-exceeded | 11 – Type 11, time exceeded
• timestamp | 13 – Type 13, timestamp
• timestamp-reply | 14 – Type 14, timestamp reply
The code code-num option is applicable if the protocol type is icmp.
You can specify:
• any-code – Matches on any ICMP code.
• code-num – ICMP code number, 0-254

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 168

A10 Thunder Series and AX Series—Command Line Interface

Command Description
[no] icmpv6 Matches on ICMPv6 traffic.
[type {type-option}
The type type-option parameter matches based on the specified
[code {any-code | code-num}]]
ICMPv6 type. You can specify one of the following types (enter either the
number or the name):
• any-type – Matches on any ICMPv6 type.
• dest-unreachable – Matches on type 1, destination unreachable
messages.
• echo-reply – Matches on type 129, echo reply messages.
• echo-request – Matches on type 128, echo request messages.
• packet-too-big – Matches on type 2, packet too big messages.
• param-prob – Matches on type 4, parameter problem messages.
• time-exceeded – Matches on type 3, time exceeded messages.

{tcp | udp} Specifies the protocol ports on which to match:

eq src-port |
• eq src-port – The ACL matches on traffic on the specified port.
gt src-port |
lt src-port | • gt src-port – The ACL matches on traffic on any port with a
higher number than the specified port.
range start-src-port end-src-port
• lt src-port – The ACL matches on traffic on any port with a
lower number than the specified port.
• range start-src-port end-src-port – The ACL matches
on traffic on any port within the specified range.

Default Not set

Mode Configuration mode

Example The following commands configure service object group WEB_SERVICES and display
the configuration:

ACOS(config)# object-group service WEB-SERVICES

ACOS(config-service-group:WEB-SERVICES)# tcp eq 80
ACOS(config-service-group:WEB-SERVICES)# tcp source range 1025 65535 eq 8080
ACOS(config-service-group:WEB-SERVICES)# tcp source range 1025 65535 eq 443
ACOS(config-service-group:WEB-SERVICES)# exit
ACOS(config)# show object-group
object-group service WEB-SERVICES
tcp eq 80
tcp source range 1025 65535 eq 8080
tcp source range 1025 65535 eq 443

Example The following command configures an ACL that uses service object group configured above:

ACOS(config)# access-list 111 permit object-group WEB-SERVICES any any

page 169 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

overlay-mgmt-info
Description Configure management-specific data for an overlay network. (See the Configuring Overlay
Networks guide.)

overlay-tunnel
Description Configure an overlay network. (See the Configuring Overlay Networks guide.)

packet-handling
Description Configure how you want the system to handle unregistered broadcast packets.

Syntax [no] packet-handling broadcast {trap | flood}

Parameter Description
trap Trap packets to the CPU.
flood Flood packets to other ports.

Mode Configuration mode

partition
Description Configure an L3V private partition.

For more information, see “ADP CLI Commands” in Configuring Application Delivery
Partitions.

partition-group
Description Create a named set of partitions.

For more information, see “ADP CLI Commands” in Configuring Application Delivery
Partitions.

ping

Description Ping is used to diagnose basic network connectivity. For syntax information, see “ping” on
page 29.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 170

A10 Thunder Series and AX Series—Command Line Interface

pki copy-cert
Description Make a copy of the SSL certificate file.

Syntax pki copy-cert source-cert-name [rotation num] dest-cert-name

[overwrite]

Parameter Description
source-cert-name Name of the existing SSL certificate file (1-63 characters).
rotation Specify the rotation number of the SCEP generated certificate file (1-4).
dest-cert-name Name of the copy of the SSL certificate file (1-63 characters).
overwrite if there is an existing file with the same name as the specified dest-cert-name, overwrite
the existing file.

Mode Configuration mode

Example Create a copy of the existing SSL cert file (example_existing_cert.crt) to a new file
(exam- ple_new_cert.crt), and overwrite the destination file if it has the same name:

ACOS(config)#pki copy-cert example_existing_cert.crt example_new_cert.crt overwrite

pki copy-key
Description Make a copy of the SSL key file.

Syntax pki copy-key source-key-name [rotation num] dest-key-name

[overwrite]

Parameter Description
source-cert-name Name of the existing SSL key file (1-63 characters).
rotation Specify the rotation number of the SCEP generated key file (1-4).
dest-cert-name Name of the copy of the SSL key file (1-63 characters).
overwrite if there is an existing file with the same name as the specified dest-key-name, overwrite the
existing file.

Mode Configuration mode

Example Create a copy of the existing SSL key file (example_existing_key.key) to a new file
(exam- ple_new_key.key), and overwrite the destination file if it has the same name:

ACOS(config)#pki copy-key example_existing_key.key example_new_key.key overwrite

page 171 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

pki create
Description Create a self-signed certificate.

Syntax pki create {

certificate cert-name [csr-generate] |
csr
{name [renew cert-name] use-mgmt-port url |
cert-expiration-within days {local | use-mgmt-port url}
}

Commands Description
create Creates a self-signed certificate or a certificate signed request (CSR) file.
[certificate certificate- Creates the self-signed certificate. You can specify up to 255 characters in the
name] name.
[csr csr_name] Creates a certificate signed request (CSR) and allows you to specify a file
{name [renew cert-name] name. You can specify up to 255 characters in the name.
use-mgmt-port url | The following options apply to name:
cert-expiration-within
days {local | use-mgmt-
• name is the name of the CSR file.
port url} • renew allows you to create a CSR file name to renew an expiring
certificate.
• use-mgmt-port uses the management interface as the source
interface for the connection to the remote device. The management route
table is used to reach the device. By default, the ACOS device attempts to
use the data route table to reach the remote device through a data
interface.
The following options apply to cert-expiration-within:
• days allows you to specify in how many days the certificate will expire. You
can select from 0 to 100 days.
• local allows you to save the CSR file on your local drive.
• use-mgmt-port uses the management interface as the source interface
for the connection to the remote device. The management route table is used
to reach the device. By default, the ACOS device attempts to use the data
route table to reach the remote device through a data interface.
url File transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter to display a
prompt for each part of the URL. If you enter the entire URL and a password is
required, you will still be prompted for the password. The password can be up to
255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 172

A10 Thunder Series and AX Series—Command Line Interface

Mode Configuration Mode

Usage See the description.

pki delete
Description Deletes a self-signed certificate.

Syntax pki delete {

certificate {cert-name | ca cert-name} |
crl crl-file-name |
private-key priv-key-name |
}

Commands Descriptions
delete Deletes the self-signed certificate or the CSR file.
cert-name Deletes a specific self-signed certificate.
crl_file_name Deletes a specific certificate revocation list (CRL) file.
priv_key_name Deletes a specific private key.

Mode Configuration Mode

Usage See the description.

pki renew-self
Description Renews a self-signed certificate.

Syntax pki renew-self cert-name {days num | days-others}

Commands Description
renew Renews the self-signed certificate or the CSR file.
cert-name Deletes a specific self-signed certificate.

page 173 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Commands Description
days num Number of effective dates for which the certificate should be
extended. This should be a value from 30 to 3650 days. The default
value is a 730 day extension
days-others Presents a more extensive set of input options. After entering the
value for an option, press Enter to display the input prompt for the
next option. The following
specifications will be presented sequentially:
• input valid days, 30-3650, default 730: num
• input Common Name, 0-64: name
• input Division, 0-31: division-name
• input Organization, 0-63: organization-name
• input Locality, 0-31: city-or-region
• input State or Province, 0-31: state-or-province
• input Country, 2 characters: country-code
• input email address, 0-64: email-address
The num specifies the number of effective days for which the certifi-
cate should be extended, ranging from 30 to 3650 days. If this field
is left blank, then the default value is a 730 day extension.
Every other option can be left blank, except for the country-
code value. The numbers following Common Name, Division,
Organiza- tion, Locality, State or Province, and email address
specify the num- ber of characters allowed.

Mode Configuration Mode

Usage See the description.

pki scep-cert
Description Create an SCEP certificate enrollment object.

Syntax pki scep-cert object-name

Replace object-name with the name of the certificate you want to enroll (1-63
characters).

Mode Configuration mode

poap
Description Enables Power On Auto Provisioning (POAP).

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 174

A10 Thunder Series and AX Series—Command Line Interface

NOTE: After using the poap command, you must reboot the system. The device will
return to service in POAP mode.

Syntax [no] poap {enable | disable}

Default POAP mode is enabled by default on virtual appliances. However, the feature is disabled
by default on all physical devices.

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
com- mand to specify the device in the chassis to which to apply this command.

radius-server
Description Set RADIUS parameters, for authenticating administrative access to the ACOS device.

Syntax [no] radius-server host {hostname | ipaddr} secret secret-string

[acct-port protocol-port]
[auth-port protocol-port]
[retransmit num]
[timeout seconds]

Default [no] radius-server default-privilege-read-write

Parameter Description
hostname | ipaddr Hostname or IP address of the RADIUS server.
secret secret-string Password, 1-128 characters, required by the RADIUS server for authentication
requests.
acct-port Protocol port to which the ACOS device sends RADIUS accounting information.
protocol-port
The default port is 1813.
auth-port Protocol port to which the ACOS device sends authentication requests.
protocol-port
The default port is 1812.
retransmit num Maximum number of times the ACOS device can resend an unanswered
authentication request to the server. If the ACOS device does not receive a
reply to the final request, the ACOS device tries the secondary server, if one is
config- ured.
If no secondary server is available, or if the secondary server also fails to
reply after the maximum number of retries, authentication fails and the
admin is denied access.
You can specify 0-5 retries. The default is 3 retries.

page 175 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
timeout seconds Maximum number of seconds the ACOS device will wait for a reply to an
authentication request before resending the request. You can specify 1-15 sec-
onds.
The default is 3 seconds.
default-privilege-read-write Change the default privilege authorized by RADIUS from read-only to read-
write. The default privilege is used if the Service-Type attribute is not used, or
the A10 vendor attribute is not used.
This is disabled by default; if the Service-Type attribute is not used, or the A10
vendor attribute is not used, successfully authenticated admins are authorized
for read-only access.

Default No RADIUS servers are configured by default. When you add a RADIUS server, it has the
default settings described in the table above.

You can configure up to 2 RADIUS servers. The servers are used in the order in which you
add them to the configuration. Thus, the first server you add is the primary server. The
second server you add is the secondary (backup) server. Enter a separate command for each
of the servers. The secondary server is used only if the primary server does not respond.

Mode Configuration mode

Example The following commands configure a pair of RADIUS servers and configure the ACOS
device to use them first, before using the local database. Since 10.10.10.12 is added first,
this server will be used as the primary server. Server 10.10.10.13 will be used only if the
primary server is unavailable.

ACOS(config)#radius-server host 10.10.10.12 secret

radp1 ACOS(config)#radius-server host 10.10.10.13
secret radp2 ACOS(config)#authentication type radius
local
raid

Description Enter the configuration level for RAID, if applicable to your device model.

Syntax raid

CAUTION: RAID configuration should be performed only by or with the assistance of

technical support. It is strongly advised that you do not experiment with these
commands.

rba enable
Description Enable Role-Based Access Control (RBA) configuration.

This feature supports the creation of multiple users, groups, and roles with varying degrees
of permissions. RBA can limit the read/write privileges on different partitions and for different
objects.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 176

A10 Thunder Series and AX Series—Command Line Interface

For more information about this feature, see “Role-Based Access Control” in the Management
Access and Security Guide.

Syntax rba enable

Mode Configuration mode.

rba disable
Description Disable Role-Based Access Control (RBA) configuration.

For more information about this feature, see “Role-Based Access Control” in the Management
Access and Security Guide.

Syntax rba disable

Mode Configuration mode.

rba group
Description Configure an RBA group.

For more information about this feature, see “Role-Based Access Control” in the Management
Access and Security Guide.

Syntax [no] rba group

users
partition
roles | privileges

Mode Configuration mode

Example The following example defines an RBA group “slb-group.” The group has two users, “slb-
user1” and “slb-user2.” Both users are granted write privileges on SLB server objects but
read only privileges on all other SLB objects in partition “companyA”:

!
rba group slb-group
user slb-user1
user slb-user2
partition companyA
slb read
slb.server write

rba role
Description Configure an RBA role.

page 177 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

For more information about this feature, see “Role-Based Access Control” in the Management
Access and Security Guide.

Syntax [no] rba role-name

privileges

Mode Configuration mode.

Example The following example defines an RBA role “role1.” Any user assigned this role will have
write access on SLB server objects, but read privileges on all other SLB objects.

!
rba role role1
slb read
slb.server write

rba user
Description Configure RBA for a user.

The user must be an existing admin account and can be authentication either locally or
externally using LDAP, RADIUS, or TACACS+.

For more information about this feature, see “Role-Based Access Control” in the Management
Access and Security Guide.

Syntax [no] rba user username

partition partition-name
roles | privileges

Mode Configuration mode.

Example The following example configures RBA for user “user1”. In partition companyA, this user
has read privileges for SLB virtual server objects, write privileges for SLB server objects,
but no access to all other SLB objects. In partition companyB, this user has all privileges
defined by RBA role “role1”:

!
rba user user1
partition companyA
slb no-access
slb.server write
slb.virtual-server read
partition companyB
role role1
!

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 178

A10 Thunder Series and AX Series—Command Line Interface

restore
Description Restore the startup-config, aFleX policy files, and SSL certificates and keys from a file
previ- ously created by the backup system command. The restored configuration takes
effect fol- lowing a reboot.

NOTE: Backing up system from one hardware platform and restoring it to another is not
supported.

Syntax restore [use-mgmt-port] url

Parameter Description
use-mgmt-port Uses the management interface as the source interface for the
connection to the remote device. The management route table is
used to reach the device. By default, the ACOS device attempts to
use the data route table to reach the remote device through a data
interface.
url File transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter
to display a prompt for each part of the URL. If you enter the entire
URL and a password is required, you will still be prompted for the
password. The password can be up to 255 characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file

Default N/A

Mode Configuration mode

Usage Do not save the configuration (write memory) after restoring the startup-config. If you
do, the startup-config will be replaced by the running-config and you will need to restore the
startup-config again.

To place the restored configuration into effect, reboot the ACOS device.

page 179 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

route-map
Description Configure a rule in a route map. You can use route maps to provide input to routing com-
mands, like the “redistribute” or “default-information originate” command for OSPF. See
the Network Configuration Guide for more information.

Syntax [no] route-map map-name {deny | permit} sequence-num

Parameter Description
map-name Route map name.
deny | permit Action to perform on data that matches the rule.
sequence-num Sequence number of the rule within the route map, 1-65535. Rules
are used in ascending sequence order.
The action in the first matching rule is used, and no further match-
ing is performed.
You do not need to configure route map rules in numerical order.
The CLI automatically places them in the configuration (running-
config) in ascending numerical order.

This command changes the CLI to the configuration level for the specified route map rule,
where the following commands are available.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 180

A10 Thunder Series and AX Series—Command Line Interface

Command Description
match attribute Specifies the match criteria for routes:
• match as-path list-id – Matches on the BGP AS paths in the specified AS path list.
• match community list-id [exact-match] – Matches on the BGP communities
in the specified community list.
• match extcommunity list-id [exact-match]– Matches on the BGP
communities listed in the specified extended community list.
• match group num {active | standby} – Matches on VRRP-A set ID and state
(active or standby).
• match interface {ethernet portnum | loopback num | trunk num |
ve ve-num} – Matches on the data interface used as the first hop for a route.
• match ip address {acl-id | prefix-list list-name} – Matches on the
route IP addresses in the specified ACL or prefix list.
• match ip next-hop {acl-id | prefix-list list-name}– Matches on the
next- hop router IP addresses in the specified ACL or prefix list.
• match ip peer acl-id – Matches on the peer router IP addresses in the specified list.
• match ipv6 address {acl-id | prefix-list list-name} – Matches on
the route IP addresses in the specified ACL or prefix list.
• match ipv6 next-hop {acl-id | prefix-list list-name | ipv6-
addr} – Matches on the next-hop router IP addresses in the specified ACL or prefix list, or
the speci- fied IPv6 address.
• match ipv6 peer acl-id – Matches on the peer router IP addresses in the specified
ACL.
• match local-preference num – Matches on the specified local preference value,
0-4294967295.
• match metric num – Matches on the specified route metric value, 0-4294967295.
• match origin {egp | igp | incomplete} – Matches on the specified BGP
origin code.
• match route-type external {type-1 | type-2} – Matches on the
specified external route type.
• match tag tag-value – Matches on the specified TAG value, 0-4294967295.

page 181 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Command Description
set attribute Sets information for matching routes:
• set aggregator as as-num ipaddr – Sets the aggregator attribute.
• set as-path prepend as-num [...]– Adds the specified BGP AS number(s)
to the front of the AS-path attribute.
• set atomic-aggregate – Specifies that a BGP route has been aggregated, and that
path information for the individual routes that were aggregated together is not available.
• set comm-list list-id delete – Sets the specified BGP community list to
be deleted.
• set community community-value – Sets the BGP community ID to the specified
value: 1-4294967295
AS:NN, where AS is the AS number and NN is a numeric value in the range 1-4294967295.
internet – Internet route.
local-AS – Advertises routes only within the local Autonomous System (AS), not to
exter- nal BGP peers.
no-advertise – Does not advertise routes.
no-export – Does not advertise routes outside the AS boundary.
none – No community attribute.
• set dampening [reachability-half-life [reuse-value [suppress-value]
[max-duration [unreachability-half-life]]]] – Enables route-flap
dampening. Route-flap dampening helps minimize network instability caused by unstable
routes.
reachability-half-life – Reachability half life, 1-45 minutes. After a route
remains reachable for this period of time, the penalty value for that route is divided in
half. The default is 15 minutes.
reuse-value [suppress-value] – Penalty thresholds for the suppression and
reuse (re-advertisement) of a route. The supported range for each value is 1-20000. The
default suppress-value is 2000. the default reuse-value is 750.
max-duration – Maximum amount of time a route will remain suppressed, 1-255 minutes.
The default is 4 times the reachability-half-life.
unreachability-half-life – Unreachability half life, 1-45 minutes. After a route
remains unreachable for this period of time, the penalty value for that route is divided in half.
(cont.)

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 182

A10 Thunder Series and AX Series—Command Line Interface

Command Description
set attribute • set extcommunity comm-id [...]– Sets the BGP extended community attribute.
• set ip next-hop ipaddr – Sets the next hop for matching IPv4 routes.
• set ipv6 [local] ipv6addr – Set the next hop for matching IPv6 routes. If the
address is for an inside network (not globally routable), use the local option.
• set level {level-1 | level-1-2 | level-2} – Sets the IS-IS level for
exporting a route to IS-IS.
• et local-preference num – Sets the BGP local preference path attribute.
• set metric metric-value – Sets the metric value for the destination routing
protocol.
• set metric-type {external | internal | type-1 | type-2} – Sets the
metric type for the destination routing protocol.
• set origin {egp | igp | incomplete} – Sets the origin attribute:
egp – Exterior gateway protocol.
igp – Interior gateway protocol.
incomplete – Unknown
heritage.
• set originator-id ipaddr – Sets the BGP originator attribute.
• set tag tag-value – Sets the tag value for the destination routing protocol.
• set weight num – Sets the BGP weight value for the routing table.

Default None

Mode Configuration mode

Usage For options that use an ACL, the ACL must use a permit action. Otherwise, the route
map action is deny.

page 183 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

router
Description Enter the configuration mode for a dynamic routing protocol.

Syntax [no] router protocol

Replace protocol with one of the following:

Command Description
bgp AS-num Specifies an Autonomous System (AS) for which to run Border Gateway Protocol
(BGP) on the ACOS device. This also enters BGP configuration mode.
For more information, see “Config Commands: Router - BGP” in the Network Configu-
ration Guide.
ipv6 {ospf [tag] | rip} Specifies an IPv6 OSPFv3 process (1-65535) or Routing Information Protocol (RIP)
pro- cess to run on the IPv6 link, and also enter configuration mode for the specified
pro- tocol.
For more information, see “Config Commands: Router - OSPF” or “Config Commands:
Router - RIP” in the Network Configuration Guide.
isis [tag] Enter configuration mode for Intermediate System to Intermediate System (IS-IS).
For more information, see “Config Commands: Router - IS-IS” in the Network Configu-
ration Guide.
ospf [process-id] Specifies an IPv4 OSPFv2 process (1-65535) to run on the ACOS device, and also
enter OSPF configuration mode.
For more information, see “Config Commands: Router - OSPF” in the Network Configu-
ration Guide.
rip Enter configuration mode for Routing Information Protocol (RIP).
For more information, see “Config Commands: Router - RIP” in the Network Configura-
tion Guide.

Default Dynamic routing protocols are disabled by default.

Mode Configuration mode

Usage This command is valid only when the ACOS device is configured for gateway mode (Layer 3).

Example The following command enters the configuration level for OSPFv2 process 1:

ACOS(config)# router ospf 1

ACOS(config-ospf:1)#

router log file

Description Configure router logging to a local file.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 184

A10 Thunder Series and AX Series—Command Line Interface

Syntax [no] router log file

{name string | per-protocol | rotate num | size Mbytes}

Parameter Description
name string Name of the log file.
per-protocol Uses separate log files for each protocol. Without this option, log mes-
sages for all protocols are written to the same file.
By default, this is disabled.
rotate num Specifies the number of backups to allow for each log file. When a
log file becomes full, the logs are saved to a backup file and the log
file is cleared for new logs. You can specify 0-100 backups. If the
maximum number of backups is reached, the oldest backups are
purged to make way for new ones.
The default is 0.
size Mbytes Specifies the size of each log file. You can specify 0-1000000 Mbytes. If
you specify 0, the file size is unlimited.
The default size is 0.

Default See descriptions.

Mode Configuration mode

Usage When you enable logging, the default minimum severity level that is logged is debugging.

The per-protocol option is recommended. Without this option, messages from all
routing protocols will be written to the same file, which may make troubleshooting more
difficult.

router log log-buffer

Description Sends router logs to the logging buffer.

Syntax [no] router log log-buffer

Default Disabled by default.

Mode Configuration mode

rule-set
Description Configure a Data Center Firewall rule set.

For more information, refer to the Data Center Firewall Guide.

page 185 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

run-hw-diag
Description Access the hardware diagnostics menu on the next reboot

CAUTION: The system will be unavailable for normal operations while a test is running.

NOTE: A reboot is required before the hardware diagnostics menu appears. If you reboot
to a software release that does not support the hardware diagnostics menu, the
menu is not available. Currently, the hardware diagnostics menu is supported in
AX Release 2.4.3-P3 and later 2.4.x releases, and in AX Release 2.6.1.

Syntax run-hw-diag

Mode Configuration mode

Usage The hardware diagnostic menu is available only on serial console sessions. To run a test,
you must use a serial console connection.

The run-hw-diag command requires a reboot. After the reboot is completed, a menu with
the following options appears:

• 1 - Memory Test
• 2 - HDD/CF Scan Test (1-2 hours)
• 3 - MBR (Master Boot Record) check
• 4 - Complete Test (all above)
• x - Reboot

NOTE: As indicated in the description for option 2, the media scan test, the test takes 1-2
hours to complete.

After a test is completed, you can use the x option to reboot. If you do not enter an
option to run another test or reboot, the system automatically reboots after 5 minutes.
The same software image that was running when you entered the run-hw-diag
command is reloaded during the reboot.

Example The following example shows how to access the hardware diagnostic menu:

ACOS(config)#run-hw-diag
Please confirm: You want to run HW diagnostics (N/Y)?:y
Please reboot the system when you are ready.
HW diagnostic will run when the system comes back up.
ACOS(config)#end
ACOS#reboot
Proceed with reboot? [yes/no]:yes

Rebooting......

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 186

A10 Thunder Series and AX Series—Command Line Interface

INIT: version 2.86 booting

Booting.........mdadm: stopped /dev/md1
mdadm: stopped /dev/md0

00000000000

------------------------------------------------------
| Hardware Diagnostic Menu |
------------------------------------------------------
| 1 - Memory Test |
| 2 - HDD/CF Scan Test (1-2 hours) |
| 3 - MBR (Master Boot Record) check |
| 4 - Complete Test (all above) |
| x - Reboot |
------------------------------------------------------

Please select an option [1-4, x]:

running-config display
Description Configure whether or not aFleX and class-list file information should be included in the run-
ning-config.

Syntax [no] running-config display {aflex | class-list}

Parameter Description
aflex Show aFleX scripts in the running-config.
class-list Show class-list files in the running-config.

Default By default, aFlex and class-list file information is not displayed.

Mode Configuration mode

Usage One or both options may be specified.

scaleout
Description Configure Scaleout.

For more information, refer to the Configuring Scaleout guide.

page 187 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

session-filter
Description Configure a session filter.

Syntax [no] session-filter filter-name set

{
dest-addr ipv4addr [dest-mask {/length | mask}] |
dest-port portnum |
ipv6 |
sip |
source-addr ipv4addr |
source-port portnum
}

Parameter Description
dest-addr Matches on sessions that have a source or destination IPv4 address or port:
dest-port
• source-addr ipaddr [{subnet-mask | /mask-length}] – Matches on
source-addr IPv4 sessions that have the specified source IP address.
source-port
• source-port port-num – Matches on IPv4 sessions that have the specified
source protocol port number, 1-65535.
• dest-addr – Matches on IPv4 sessions that have the specified destination IP address.
• dest-port – Matches on IPv4 sessions that have the specified destination protocol
port number, 1-65535.
You can use one or more of the suboptions together in a single command, nested in the
order shown above. For example, if the first suboption you enter is dest-addr, the
only additional suboption you can specify is dest-port.

ipv6 Matches on all sessions that have a source or destination IPv6 address.
sip Matches on all SIP sessions.

Default No session filters are configured by default.

Mode Configuration mode

Usage Session filters allows you to save session display options for use with the clear
session and show session commands. Configuring a session filter allows you to specify
a given set of options one time rather than re-entering the options each time you use the
clear ses- sion or show session command.

Example The following commands configure a session filter and use it to filter show session
output:

ACOS(config)#session-filter f1 source-addr 1.0.4.147

ACOS(config)#show session filter f1
Prot Forward Source Forward Dest Reverse Source Reverse
Dest Age Hash
------------------------------------------------------------------------------------------
-----------------
Tcp 1.0.4.147:51613 1.0.100.1:21 1.0.3.148:21 1.0.4.147:51613
120 1

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 188

A10 Thunder Series and AX Series—Command Line Interface

sflow
Description Enables the ACOS device to collect information about Ethernet data interfaces and send
the data to an external sFlow collector (v5).

Syntax [no] sflow

{
agent address {ipaddr | ipv6addr} |
collector {ip ipaddr | ipv6 ipv6addr} portnum |
polling type |
sampling {ethernet portnum [to portnum] | ve ve-num [to ve-num]} |
setting sub-options |
source-address {ip ipaddr | ipv6 ipv6addr}
}

Parameter Description
agent address Configure an sFlow agent. The ipaddr value can be any valid IPv4 or IPv6
{ipaddr | ipv6addr} address. By default, sFlow datagrams use the management IP of the ACOS
device as the source address, but you can specify a different IP address, if
desired. The informa- tion will appear in the Layer 4 information section of the
sFlow datagram, and it is not used to make routing decisions.
collector Configure up to four sFlow collectors. The IP address is that of the sFlow collector
{ip ipaddr | ipv6 ipv6addr} device. Specify the port number, with a range from 1-65535.
portnum
The default port number is 6343.
polling type Enables sFlow export of DDoS Mitigation statistics for the source IP address(es)
matched by this rule. You can enable polling for the following types of data:
• cpu-usage – Polls for CPU utilization statistics.
• ethernet – Polls for Ethernet data interface statistics.
• http-counter - Polls for HTTP statistics.
• ve - Polls for statistics for Virtual Ethernet (VE) interfaces.
All sFlow polling (collection) is disabled by default

sampling Enable sFlow sampling on a specified interface.

{ethernet portnum
There is no default.
[to portnum] |
ve ve-num [to ve-num]}

page 189 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
setting sub-options Configure global sFlow settings:
• counter-polling-interval seconds – Configure the sFlow counter
polling interval. The interval seconds option specifies the frequency with
which statistics for an interface are periodically sampled and sent to the sFlow
collector. The range can be configured to a value from 1-200 seconds. The
default polling interval is 20 seconds.
• max-header bytes – Maximum number of bytes to sample from any given
packet, 14-512 bytes. The default is 128 bytes.
• packet-sampling-rate num – Configure sFlow default packet sampling
rate. The num option specifies the value of N, where N is the value of the
denominator in the ratio at which a single packet will be sampled from a
denominator ranging from 10-1000000. The default is 1000, meaning one
packet out of every 1000 will be sampled.
• source-ip-use-mgmt – Enable use of the management interface’s IP as
the source address for outbound sFlow packets.

source-address
{ip ipaddr | ipv6 ipv6addr}
Source IP address for sFlow packets sent from ACOS to sFlow collectors.
NOTE: By default, the IP address of the egress interface is used. You can
specify a data interface’s IP address or the management interface’s IP address
as the source address for sFlow packets sent to the collector. However, the
current release does not support routing of sFlow packets out the management
interface. The sFlow collector must be able to reach the ACOS device through a
data interface, even if you use the ACOS device’s management IP address as
the source address of sFlow packets sent to the collector.

Default Described above, where applicable.

Mode Configuration mode

Usage Enable either or both of the following types of data collection, for individual Ethernet
data ports:
• Packet flow sampling – ACOS randomly selects incoming packets on the monitored
interfaces, and extracts their headers. Each packet flow sample contains the first 128
bytes of the packet, starting from the MAC header. Note that setting a smaller value
for the num variable increases the sampling frequency, and larger numbers decrease
the sampling frequency. This is due to the fact that the variable is in the denominator.
• Counter sampling – ACOS periodically retrieves the send and receive statistics for
the monitored interfaces. These are the statistics listed in the Received and
Transmitted counter fields in show interface output.

Notes

• Sampling of a packet includes information about the incoming interface but not
the outgoing interface.
• None of the following are supported:
• Host resource sampling
• Application behavior sampling
• Duplication of traffic to multiple sFlow collectors
• Configuration of sFlow Agent behavior using SNMP

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 190

A10 Thunder Series and AX Series—Command Line Interface

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following commands specify the sFlow collector, and enables use of the management
interface’s IP as the source IP for the data samples sent to the sFlow collector:

ACOS(config)#sflow collector ip 192.168.100.3 5

ACOS(config)#sflow setting source-ip-use-mgmt

slb
Description Configure Server Load Balancing (SLB) parameters. For information about the slb com-
mands, see “Config Commands: Server Load Balancing” in the Command Line
Interface Reference for ADC.

smtp
Description Configure a Simple Mail Transfer Protocol (SMTP) server to use for sending emails from the
ACOS device.

Syntax [no] smtp

{
{hostname | ipaddr} |
[mailfrom email-src-addr]
| [needauthentication] |
[port protocol-port] |
[username string password string]
}

Parameter Description
hostname | ipaddr Specifies an SMTP server.
mailfrom email-src-addr Specifies the email address to use as the sender (From) address.
needauthentication Specifies that authentication is required.
This is disabled by default.
port protocol-port Specifies the protocol port on which the server listens for SMTP traffic.
The default port is 25.
username string Specifies the username and password required for access. The password can be 1-31
password string characters long.

Default No SMTP servers are configured by default. When you configure one, it has the default
set- tings described in the table above.

Mode Configuration mode

Example The following command configures the ACOS device to use SMTP server “ourmailsrvr”:

ACOS(config)#smtp ourmailsrvr

page 191 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

snmp
Description For information about SNMP commands, see “Config Commands: SNMP” on page 225.

so-counters
Description Show scale out statistics.

Syntax so-counters [sampling-enable options]

Specify sampling-enable to enable baselining. The following options are available:

Option Description
all All packets.
so_pkts_conn_in Total packets processed for an established con-
nection.
so_pkts_conn_redirect Total packets redirected for an established con-
nection.
so_pkts_dropped Total packets dropped.
so_pkts_errors Total packet errors.
so_pkts_in Total number of incoming packets.
so_pkts_new_conn_in Total packets processed for a new connection.
so_pkts_new_conn_redirect Total packets redirected for a new connection.
so_pkts_out Total number of packets sent out.
so_pkts_redirect Total number of packets redirected.

Mode Configuration mode

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 192

A10 Thunder Series and AX Series—Command Line Interface

sshd

Description Perform an SSHD operation on the system.

Syntax sshd
{
key generate [size {2048 | 4096}] |
key load [use-mgmt-port] url |
key regenerate [size {2048 | 4096}] |
key wipe |
restart
}

Parameter Description
key generate Generate an SSH key.
You can choose to specify a key size; use size 2048 to generate a 2048-bit key, or size 4096
to generate a 4096-bit key.
key load Load an SSH key.
Specify use-mgmt-port to use the management interface as the source interface for the
con- nection to the remote device. The management route table is used to reach the device. By
default, the ACOS device attempts to use the data route table to reach the remote device
through a data interface.
Specify the url to the SSH key. You can enter the entire URL on the command line or press
Enter to display a prompt for each part of the URL. If you enter the entire URL and a password
is required, you will still be prompted for the password. The password can be up to 255
characters long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[port:]/file
• scp://[user@]host/file
• sftp://[user@]host/file

key regenerate Regenerate an SSH key.

You can choose to specify a key size; use size 2048 to generate a 2048-bit key, or size 4096
to generate a 4096-bit key.
key wipe Wipe an SSH key.
restart Restart the SSH service.

Mode Configuration mode

Introduced in Release 4.0.1

page 193 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

syn-cookie
Description Enable hardware-based SYN cookies, which protect against TCP SYN flood attacks.

Syntax [no] syn-cookie enable [on-threshold num off-threshold num]

Parameter Description
on-threshold num Maximum number of concurrent half-open TCP connections
allowed on the ACOS device, before SYN cookies are enabled.
If the number of half-open TCP connections exceeds the on-
threshold, the ACOS device enables SYN cookies. You can
specify 0-2147483647 half-open connections.
off-threshold num Minimum number of concurrent half-open TCP connections
for which to keep SYN cookies enabled. If the number of half-
open TCP connections falls below this level, SYN cookies are
disabled. You can specify 0-2147483647 half-open connec-
tions.

NOTE: It may take up to 10 milliseconds for the ACOS device to detect and respond to
crossover of either threshold.

Default Hardware-based SYN cookies are disabled by default. When the feature is enabled, there
are no default settings for the on and off thresholds.

Mode Configuration mode

Usage Hardware-based SYN cookies are available only on some models.

If both hardware-based and software-based SYN cookies are enabled, only hardware-based
SYN cookies are used. You can leave software-based SYN cookies enabled but they are not
used. (Software-based SYN cookies are enabled at the virtual port level using the syn-
cookie enable command.)

If you omit the on-threshold and off-threshold options, SYN cookies are
enabled and are always on regardless of the number of half-open TCP connections present
on the ACOS device.

This command globally enables SYN cookie support for SLB and also enables SYN cookie
support for Layer 2/3 traffic. No additional configuration is required for SLB SYN cookie
support. However, to use Layer 2/3 SYN cookie support, you also must enable it at the
configuration level for individual interfaces. See the “ip tcp syn-cookie threshold” command
in the Network Configuration Guide.

If L3V partitions are configured, hardware-based SYN cookies must be enabled per individual
partition. Hardware-based SYN cookies are NOT partition-aware.

On FTA models only, it is recommended not to use hardware-based SYN cookies if DSR also
is enabled. If both features are enabled, a client who sends TCP requests to a VIP that is
configured for DSR will receive two SYN-ACKS, one from the ACOS hardware-based SYN-

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 194

A10 Thunder Series and AX Series—Command Line Interface

cookie feature, and the other from the server. This can be confusing to a client because the
client expects only one SYN-ACK in reply to the client’s SYN.

Example The following command enables hardware-based SYN cookies:

ACOS(config)#syn-cookie enable

The command in the following example configures dynamic SYN cookies when the number
of concurrent half-open TCP connections exceeds 50000, and disables SYN cookies when
the number falls below 30000:

ACOS(config)#syn-cookie enable on-threshold 50000 off-threshold

30000

system all-vlan-limit
Description Set the global traffic limits for all VLANs.

The limit applies system-wide to all VLANs; collectively, all ACOS device VLANs
cannot exceed the specified limit.

To configure the limit per individual VLAN, use “system per-vlan-limit” on page 199.

Syntax [no] system all-vlan-limit

{bcast | ipmcast | mcast | unknown-ucast} num

Parameter Description
all-vlan-limit Limit applies system-wide to all VLANs. Collectively, all the
ACOS device’s VLANs together cannot exceed the specified
limit.
per-vlan-limit Limit applies to each VLAN. No individual can exceed the
speci- fied limit.
bast Limit broadcast traffic.
ipmcast Limit IP multicast traffic.
mcast Limit all multicast packets except for IP multicast packets.
unknown-ucast Limit all unknown unicast traffic.
num Specifies the maximum number of packets per second that are
allowed of the specified traffic type.

Default 5000 packets per second.

Mode Configuration mode

Example The following command limits each VLAN to 1000 multicast packets per second:

ACOS(config)#system per-vlan-limit mcast 1000

Related Commands system per-vlan-limit

page 195 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

system anomaly log

Description Enable logging for packet anomaly events. This type of logging applies to system-
wide attacks such as SYN attacks.

Syntax [no] system anomaly log

Default Disabled

Mode Configuration mode

system attack log

Description Enable logging for DDoS attacks.

Syntax [no] system attack log

Default Disabled

Mode Configuration mode

system cpu-load-sharing
Description The CPU Round Robin feature can be used to mitigate the effects of Denial of Service
(DoS) attacks that target a single CPU on the ACOS device. You can use this command to
configure thresholds for CPU load sharing. If a threshold is exceeded, CPU load sharing is
activated, and additional CPUs are enlisted to help process traffic and relieve the burden
on the targeted CPU. A round robin algorithm distributes packets across all of the other
data CPUs on the device. Load sharing will remain in effect until traffic is no longer
exceeding the thresholds that originally activated the feature. (See the “Usage” section
below for details.)

Syntax [no] system cpu-load-sharing

{
cpu-usage low percent |
cpu-usage high percent |
disable |
packets-per-second min num-pkts
}

Parameter Description
cpu-usage low Lower CPU utilization threshold. Once the data CPU utilization rate drops below this
percent thresh- old, then CPU round robin redistribution will stop. The default is 60, but you
can specify 0- 100 percent.
cpu-usage high Upper CPU utilization threshold. Once the data CPU utilization rate exceeds this
percent threshold, then CPU round robin redistribution will begin. The default is 75, but you can
specify 0-100 percent.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 196

A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
disable Disables CPU load sharing. The CPU round robin feature is not used, even if a triggering
threshold is breached.
packets-per-second Maximum number of packets per second any CPU can receive, before CPU load sharing is
min num-pkts used. You can specify 0-30000000 (30 million) packets per second.

Default The CPU load sharing feature is enabled. The thresholds have the following default values:
• cpu-usage low – 60 percent
• cpu-usage high – 75 percent
• packets-per-second – 100000

Mode Configuration mode

Usage If a hacker targets the ACOS device by repeatedly flooding the device with many
packets that have the same source and destination ports, this could overwhelm the
CPU that is being targeted. However, the CPU load sharing feature (which is enabled
by default) protects the device by using a round robin algorithm to distribute the load
across multiple CPUs when such an attack is detected.

ACOS will activate this round robin distribution across multiple CPUs if all of the following
conditions occur:

1. If the utilization rate of the CPU being targeted exceeds the configured high
threshold (which has a default value of 75%), AND
2. If the CPU being targeted is receiving traffic at a rate that exceeds the minimum
config- ured threshold (the default is 100,000 packets per second), AND
3. If the CPU being targeted is receiving significantly more traffic than the other CPUs on
the ACOS device. If all CPUs are under a heavy load, there would be no advantage to
using round robin to distribute the traffic. Therefore, the CPU being targeted must
have an elevated utilization rate that is at least 50% higher than the median utilization
rate of its peer CPUs. (For example, this criterion would be met if the non-targeted
CPUs have a median packet flow of 100,000 packets per second, but the targeted
CPU is receiving packets at a rate exceeding 150,00 packets per second, in which
case it would be 50% higher than the median of the rate of the other processors).

ACOS will de-activate CPU round robin mode and return to normal mode when the first
criterion, and either 2 or 3 above are no longer true.

For example, CPU round robin mode will cease:

1. If the targeted CPU utilization rate drops below the low threshold (default is 60%), AND
• If the targeted CPU is receiving packets at a rate below the minimum configured
packets-per-second threshold, OR
• If the utilization rate of the targeted CPU is no longer 50% higher than the median
of its neighboring CPUs.

page 197 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

system ddos-attack
Description Enable logging for DDoS attack events.

Syntax [no] system ddos-attack log

Mode Configuration mode

system glid
Description Apply a combined set of IP limiting rules to the whole system.

Syntax [no] system glid num

Replace num with the global LID you want use.

Default None

Mode Configuration mode

Usage This command uses a single global LID. To configure the global LID, see “glid” on page 123.

Example The following commands configure a standalone IP limiting rule to be applied globally to all
IP clients (the clients that match class list “global”):

ACOS(config)#glid 1
ACOS(config-glid:1)#conn-rate-limit 10000 per 1
ACOS(config-glid:1)#conn-limit 2000000
ACOS(config-glid:1)#over-limit forward logging
ACOS(config-glid:1)#exit
ACOS(config)#system glid 1

system ipsec
Description Configure Crypto Cores for IPsec processing.

Syntax [no] system ipsec {crypto-core num | crypto-mem percentage}

Parameter Description
crypto-core num Number of crypto cores assigned for IPsec processing (0-56).
crypto-mem percentage Percentage of memory that can be assigned for IPsec processing.

Default N/A

Mode Configuration mode

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 198

A10 Thunder Series and AX Series—Command Line Interface

system log-cpu-interval
Description Log occurrences where the CPU is at a high usage for a specified duration.

Syntax [no] system log-cpu-interval seconds

Replace seconds with the number of consecutive seconds that the CPU must be at a high
usage level before a log event is created.

Mode Configuration mode

system module-ctrl-cpu
Description Throttle CLI and SNMP output when control CPU utilization reaches a specific threshold.

Syntax [no] system module-ctrl-cpu {low | medium | high}

Parameter Description
low Throttles CLI and SNMP output when control CPU utilization reaches
10 percent. This is the most aggressive setting.
medium Throttles CLI and SNMP output when control CPU utilization reaches
25 percent.
high Throttles CLI and SNMP output when control CPU utilization reaches
45 percent. This is the least aggressive setting.

Default Not set. Throttling does not occur.

Mode Configuration mode

Usage The command takes effect only for new CLI sessions that are started after you enter the
com- mand. After entering the command, close currently open CLI sessions and start a new
one.

system per-vlan-limit
Description Configure the packet flooding limit per VLAN.

The limit applies to each VLAN. No individual can exceed the specified limit.

page 199 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

To configure a global limit for all VLANs, use “system all-vlan-limit” on page 195.

Syntax [no] system per-vlan-limit

{bcast | ipmcast | mcast | unknown-ucast} limit

Parameter Description
bcast Configure the limit for broadcast packets.
ipmcast Configure the limit for IP multicast packets.
mcast Configure the limit for multicast packets.
unknown-ucast Configure the limit for unknown unicast packets.
limit Configure the number of packets per second (1-65535).

Default 1000 packets per second.

Mode Configuration mode

Example The following example sets the packet limit to 5000 broadcast packets per second:

AOCS(config)#system per-vlan-limit bcast 5000

Related Commands system all-vlan-limit

system promiscuous-mode
Description Enable the system to pass traffic in promiscuous mode.

This setting enables an interface to pass all received traffic directly to the CPU, instead of
passing only the packets that were intended for that interface. Promiscuous mode is
commonly used as a tool to help diagnose network connectivity problems.

Syntax [no] system promiscuous-mode

Default Not enabled.

Mode Configuration mode

system resource-usage
Description Change the capacity of a system resource.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 200

A10 Thunder Series and AX Series—Command Line Interface

Syntax [no] system resource-usage resource-type

Command Description
resource-type Specifies the resource type and the maximum allowed:
• auth-portal-html-file-size num – Maximum file size allowed for AAM HTML
files (4-120 Kbytes).
• auth-portal-image-file-size num – Maximum file size allowed for AAM
portal image files (1-80 Kbytes).
• class-list-ac-entry-count - Maximum SNI entries allowed per ACOS device
for Aho-Corasik class-lists (when used for SSL Insight bypass).
• class-list-ipv6-addr-count - Maximum number of IPv6 addresses allowed
within each IPv6 class list (524288-1048576).
• l4-session-count num – Maximum number of Layer 4 sessions supported (32768
- 524288).
• max-aflex-file-size num – Maximum size of an aFleX script in Kbytes (16-256).
The default maximum allowable file size is 32K.

Mode Configuration mode

Usage To place a change to l4-session-count into effect, a reboot is required. A reload will not
place this change into effect. For changes to any of the other system resources, a reload is
required but a reboot is not required.

system template
Description Globally applies a template to the ACOS device.

Syntax [no] system template template-type template-name

Default N/A

Mode Configuration mode

Usage This command applies on only to certain template types. For each valid option, a section in
the configuration guide describes it use.

page 201 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

system ve-mac-scheme
Description Configure MAC address assignment for Virtual Ethernet (VE) interfaces.

Syntax [no] system ve-mac-scheme {round-robin | system-mac | hash-based}

Parameter Description
round-robin In the shared partition, this option assigns MAC addresses in round-robin fashion, beginning with the
address for port 1. Each new VE, regardless of the VE number, is assigned the MAC address of the
next Ethernet data port. For example:
• The MAC address of Ethernet data port 1 is assigned to the first VE you configure.
• The MAC address of Ethernet data port 2 is assigned to the second VE you configure.
• The MAC address of Ethernet data port 3 is assigned to the third VE you configure.
This process continues until the MAC address of the highest-numbered Ethernet data port on the
ACOS device is assigned to a VE. After the last Ethernet data port’s MAC address is assigned to a
VE, MAC assignment begins again with Ethernet data port 1. The number of physical Ethernet data
ports on the ACOS device differs depending on the ACOS model.
This option is not supported in L3V partitions.

system-mac In the shared partition, this option assigns the system MAC address (the MAC address of Ethernet
data port 1) to all VEs.
In an L3V partition, this option allocates a system MAC for the partition and assigns the system MAC
address of the partition to all VLANs and VEs in the partition. This is useful when configuring cross
con- nect between partitions.
hash-based In the shared partition, this option causes ACOS to use a hash value based on the VE number to
select an Ethernet data port, and assigns that data port’s MAC address to the VE. This method
always assigns the same Ethernet data port’s MAC address to a given VE number, on any model,
regardless of the order in which VEs are configured.
This option is not supported in L3V partitions.

Default hash-based

Mode Configuration mode

Usage This command can be configured only in the shared partition, not in L3V partitions. A
reload or reboot is required to place the change into effect.

Example Below is an example of the system-mac parameter and how it is used with L3V
partitions. First, assume we have partitions “p1” and “P2” on the device, then execute the
command:

ACOS(config)#system ve-mac-scheme system-mac

After rebooting or reloading the device, examine the MAC addresses to see the mac-scheme
applied on the VEs.

First, in partition “p1”:

ACOS[p1](config)#show interfaces brief | sec ve600

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 202

A10 Thunder Series and AX Series—Command Line Interface

ve600 Down N/A N/A N/A 600 021f.a008.01f7 0.0.0.0/0 0

ACOS[p1](config)#

Next, in partition “p2”:

ACOS[p2]#show interfaces brief | sec ve800

ve800 Down N/A N/A N/A 800 021f.a008.02f7 0.0.0.0/0 0
ACOS[p2]#

Finally, in the shared partition:

ACOS(config)#show interfaces brief | sec ve

ve500 Down N/A N/A N/A 500 021f.a008.00f7 51.51.51.2/24 1
ACOS(config)#

The MAC address for each partition is unique to the partition.

system-jumbo-global enable-jumbo
Description Globally enable jumbo frame support. In this release, a jumbo frame is an Ethernet frame
that is more than 1522 bytes long.

NOTE: Jumbo frames are not supported on all platforms. For detailed information, refer to
the Release Notes.

Syntax [no] system-jumbo-global enable-jumbo

NOTE: This is the only command required to enable jumbo support on FTA models. See
the Usage section below for details on enabling jumbo support on non-FTA mod-
els.

Default Disabled

Mode Configuration mode

Usage Notes about the usage of this command:

• If your configuration uses VEs, you must enable jumbo on the individual Ethernet
ports first, then enable it on the VEs that use the ports. If the VE uses more than port,
the MTU on the VE should be the same or smaller than the MTU on each port.
• Enabling jumbo support does not automatically change the MTU on any
interfaces. You must explicitly increase the MTU on those interfaces you plan
to use for jumbo packets.
• Jumbo support is not recommended on 10/100 Mbps ports.
• On FTA models only, for any incoming jumbo frame, if the outgoing MTU is less
than the incoming frame size, the ACOS device fragments the frame into 1500-byte
frag-

page 203 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

ments, regardless of the MTU set on the outbound interface. If it is less than 1500
bytes, it will be fragmented into the configured MTU.
• Setting the MTU on an interface indirectly sets the frame size of incoming packets
to the same value. (This is the maximum receive unit [MRU]).
• In previous releases, the default MTU is 1500 and can not be set to a higher value.

CAUTION: On non-FTA models, after you enable (or disable) jumbo frame support, you must
save the configuration (write memory command) and reboot (reboot com-
mand) to place the change into effect.

If jumbo support is enabled on a non-FTA model and you erase the startup-config, the
device is rebooted after the configuration is erased.Configuration mode.

system-reset
Description Restore the ACOS device to its factory default settings.

The following table summarizes that is removed or preserved on the system:

What is Erased What is Preserved

Saved configuration files Running configuration
System files, such as SSL certificates and keys, Audit log entries
aFleX policies, black/white lists, and system logs
Management IP address
Admin-configured admins
Enable password
Imported files
Inactive partitions

Syntax system-reset

Default N/A

Mode Configuration mode

Usage This command is helpful when you need to redeploy an ACOS device in a new
environment or at a new customer site, or you need to start over the configuration at the
same site.

The command does not automatically reboot or power down the device. The device
continues to operate using the running-config and any other system files in memory, until
you reboot or power down the device.

Reboot the ACOS device to erase the running-config and place the system reset into effect.

Example The following commands reset an ACOS device to its factory default configuration,
then reboot the device to erase the running-config:

ACOS(config)#system-reset

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 204

A10 Thunder Series and AX Series—Command Line Interface

ACOS(config)#end
ACOS#reboot

Related Commands erase

tacacs-server host
Description Configure TACACS+ for authorization and accounting. If authorization or accounting is
spec- ified, the ACOS device will attempt to use the TACACS+ servers in the order they are
config- ured. If one server fails to respond, the next server will be used.

Syntax [no] tacacs-server host {hostname | ipaddr}

secret secret-string [port portnum] [timeout seconds]

Parameter Description
hostname Host name of the TACACS+ server. If a host name is used, make
sure a DNS server has been configured.
ipaddr IP address of the TACAS+ server.
secret-string Password, 1-128 characters, required by the TACACS+ server for
authentication requests.
portnum The port used for setting up a connection with a TACACS+ server.
The default port is 49.
seconds The maximum number of seconds allowed for setting up a connec-
tion with a TACACS+ server. You can specify 1-12 seconds.
The default timeout is 12 seconds.

Default See descriptions.

Mode Configuration mode

Usage You can configure up to 2 TACACS+ servers. The servers are used in the order in which
you add them to the configuration. Thus, the first server you add is the primary server. The
sec- ond server you add is the secondary (backup) server. Enter a separate command for
each of the servers. The secondary server is used only if the primary server does not
respond.

Example The following command adds a TACACS+ server "192.168.3.45" and sets its shared secret as
"SharedSecret":

ACOS(config)#tacacs-server host 192.168.3.45 secret SharedSecret

Example The following command adds a TACACS+ server "192.168.3.72", sets the shared secret
as "NewSecret", sets the port number as 1980, and sets the connection timeout value as 6
sec- onds:

ACOS(config)#tacacs-server host 192.168.3.72 secret NewSecret port

1980 timeout 6

page 205 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Example The following command deletes TACACS+ server “192.168.3.45:

ACOS(config)#no tacacs-server host 192.168.3.45

Example The following command deletes all TACACS+ servers:

ACOS(config)#no tacacs-server

tacacs-server monitor
Description Check the status of TACACS+ servers.

Syntax [no] tacacs-server monitor [interval seconds]

Parameter Description
seconds Frequency (in seconds) that you want the ACOS device to check the
status of the TACACS+ server. You can specify 1 - 120 seconds.

Default Status checking of the TACACS+ server is not enabled. When enabled, the default interval
is 60 seconds.

Mode Global configuration

Usage When TACACS+ server monitoring is configured, the ACOS device sends a TACACS+
monitor request, which contains the user name and password to the server in order to log
into the device and check if the server is available. If it is, then the
last_available_timestamp will be updated with current time.
• If a user login authentication request arrives at the ACOS device, then ACOS will send
the request to the TACACS+ server that has the most recent
last_available_timestamp value.
• If the user’s login attempt is successful, then timestamp for that server will
be updated to the current time.
• However, if the user authentication request fails, then ACOS will send the request
to the secondary TACACS+ server.
• To enable this feature, you must configure the user name and password for the
TACACS+ server’s administrative account. While a simple server port “ping” could
be used to check the status, this is not recommended because it could cause the
ACOS device to be mistakenly seen as an attacker, thus causing it to be added to
the ACL.

techreport
Description Configure automated collection of system information. If you need to contact Technical Sup-
port, they may ask you to for the techreports to help diagnose system issues.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 206

A10 Thunder Series and AX Series—Command Line Interface

Syntax [no] techreport

{interval minutes | disable | priority-partition name}

Parameter Description
interval minutes Specifies how often to collect new information. You can specify 15-120 minutes.
The default interval is 15 minutes.
disable Disable automated collection of system information.
Automated collection of system information is enabled by default.
priority-partition name Configure the specified partition to automatically collect system information.

Default Automated collection of system information is enabled by default. The default interval is 15
minutes.

Mode Configuration mode

Usage The ACOS device saves all techreport information for a given day in a single file.
Timestamps identify when each set of information is gathered. The ACOS device saves
techreport files for the most recent 31 days. Each day’s reports are saved in a separate file.

The techreports are a light version of the output generated by the show techsupport
command. To export the information, use the show techsupport command. (See “show
techsupport” on page 355.)

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

terminal
Description Set the terminal configuration.

Syntax [no] terminal

{
auto-size |
editing |
gslb-prompt options |
history [size number] |
idle-timeout minutes |
length number |
prompt options |

page 207 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

width lines
}

Parameter Description
auto-size Automatically adjusts the length and width of the terminal display.
Auto-sizing is enabled by default.
gslb-prompt options Enables display of the ACOS device’s role within a GSLB group at the CLI prompt.
• disable - disables display of the GSLB group status.
• group-role symbol - Displays “Member” or “Master” in the CLI prompt; for example:
ACOS:Master(config)#

• symbol - Displays “gslb” in the CLI prompt after the name of the ACOS device;
for example:
ACOS-gslb:Master(config)#
editing Enables command editing.
This feature is enabled by default.
history [size number] Enables the command history and specifies the number of commands it can contain, 0-
1000.
By default, history is enabled for up to 256 commands.
idle-timeout minutes Specifies the number of minutes a CLI session can be idle before it times out and is termi-
nated, 0-60 minutes. To disable timeout, enter 0.
The default idle timeout is 15 minutes.
length number Specifies the number of lines to display per page, 0-512. To disable paging, enter 0.
The default length is 24 lines.
prompt options See “Using the CLI” on page 1.
width lines Specifies the number of columns to display, 0-512. To use an unlimited number of col-
umns, enter 0.
The default width is 80 columns.

Default See descriptions.

Mode Configuration mode

Example The following example sets the idle-timeout to 30 minutes:

ACOS(config)#terminal idle-timeout 30

tftp blksize
Description Change the TFTP block size.

Syntax [no] tftp blksize bytes

Replace bytes with the Maximum packet length the ACOS TFTP client can use when sending
or receiving files to or from a TFTP server. You can specify from 512-32768 bytes.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 208

A10 Thunder Series and AX Series—Command Line Interface

Default 512 bytes

Mode Configuration mode

Usage Increasing the TFTP block size can provide the following benefits:
• TFTP file transfers can occur more quickly, since fewer blocks are required to a send a
file.
• File transfer errors due to the server reaching its maximum block size before a file
is transferred can be eliminated.

To determine the maximum file size a block size will allow, use the following formula:

1K-blocksize = 64MB-filesize

Here are some examples.

Block Size Maximum File Size

1024 64 MB
8192 512 MB
32768 2048 MB

Increasing the TFTP block size of the ACOS device only increases the maximum block size
supported by the ACOS device. The TFTP server also must support larger block sizes. If the
block size is larger than the TFTP server supports, the file transfer will fail and a
communication error will be displayed on the CLI terminal.

If the TFTP block size is larger than the IP Maximum Transmission Unit (MTU) on any
device involved in the file transfer, the TFTP packets will be fragmented to fit within the
MTU. The fragmentation will not increase the number of blocks; however, it can re-add
some overhead to the overall file transmission speed.

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command.

Example The following commands display the current TFTP block size, increase it, then verify
the change:

ACOS(config)#show tftp
TFTP client block size is set to 512
ACOS(config)#tftp blksize 4096
ACOS(config)#show tftp
TFTP client block size is set to 4096

page 209 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

timezone
Description Configure the time zone on your system.

Syntax [no] timezone zone [nodst]

Parameter Description
zone Specify the time zone.
Enter timezone ? at the CLI prompt to see a list of available time
zones.
nodst Disable daylight savings time adjustments for the time on your sys-
tem.

Default GMT

Mode Configuration mode

Usage If you use the GUI or CLI to change the ACOS timezone or system time, the statistical
data- base is cleared. This database contains general system statistics (performance,
and CPU, memory, and disk utilization) and SLB statistics.

Example The following example sets the time zone to America/Los_Angeles. Daylight savings time
adjustments will be made.

ACOS(config)#timezone America/Los_Angeles

tx-congestion-ctrl
Description Configure looping on the polling driver, on applicable models.

NOTE: This command can impact system performance. It is recommended not to use this
command unless advised by technical support.

Syntax tx-congestion-ctrl retries

You can specify 1-65535 retries.

Default 1

Mode Configuration mode

upgrade
Description Upgrade the system.

Syntax upgrade {cf pri | hd {pri | sec}}

{local image-name | [use-mgmt-port] url}

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 210

A10 Thunder Series and AX Series—Command Line Interface

[staggered-upgrade-mode Device device-id]

[reboot-after-upgrade]

Parameter Description
cf Write the upgrade image to the compact flash, replacing the image currently at that
location.
hd Write the upgrade image to the hard disk, replacing the image currently at that loca-
tion.
pri Replace the primary image on the specified location (compact flash or hard disk).
sec Replace the secondary image on the hard disk.
local image-name Use the specified upgrade image from the local VCS image repository.
Use show vcs images to view a list of available local images.
use-mgmt-port Uses the management interface as the source interface for the connection to the
remote device. The management route table is used to reach the device. By default,
the ACOS device attempts to use the data route table to reach the remote device
through a data interface.
url File transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter to display a prompt
for each part of the URL. If you enter the entire URL and a password is required, you
will still be prompted for the password. The password can be up to 255 characters
long.
To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[port:]/file
• scp://[user@]host/file
• http://[user@]host/file
• https://[user@]host/file
• sftp://[user@]host/file
staggered-upgrade-mode Use VCS staggered upgrade mode.
reboot-after-upgrade Reboot the system after the upgrade is complete.

Default N/A

Mode Configuration mode

Usage For complete upgrade instructions, see the release notes for the ACOS release to which
you plan to upgrade.

Example Below is example output from a successful upgrade.

ACOS(config)# upgrade hd sec scp://[email protected]/packages/ACOS_FTA_4_0_2_100.64.upg

Password []?

System configuration has been modified. Save? [yes/no]:yes

Building configuration...
Write configuration to primary default startup-config
[OK]

page 211 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Running configuration is saved

Do you want to reboot the system after the upgrade?[yes/no]:yes

Getting upgrade package ...
.......................................................... Done (0 minutes 59 seconds)
Decrypt upgrade package ...
.................... Done (0 minutes 21 seconds)
Checking integrity of upgrade package ...
Upgrade file integrity checking passed (0 minutes 1 seconds)
Expand the upgrade package now ............ Done (0 minutes 10 seconds)
Upgrade ...................................................... Upgrade was successful (0
minutes 52 seconds)
Rebooting system ...
ACOS(config)#

vcs

Description Configure ACOS Virtual Chassis System (aVCS).

The vcs commands are available only when aVCS is enabled. To enable aVCS, use the vcs
enable command.

For more information, see “aVCS CLI Commands” in Configuring ACOS Virtual Chassis Systems.

ve-stats
Description Enable statistics collection for Virtual Ethernet (VE) interfaces.

NOTE: This command does not work in L3V partitions.

Syntax [no] ve-stats enable

Default Disabled

Mode Configuration mode

Usage If the ACOS device is a member of an aVCS virtual chassis, use the device-context
com- mand to specify the device in the chassis to which to apply this command.

vlan

Description Configure a virtual LAN (VLAN). This command changes the CLI to the configuration level
for the VLAN.

Syntax [no] vlan vlan-id

Replace vlan-id with the ID of the VLAN (2-4094).

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 212

A10 Thunder Series and AX Series—Command Line Interface

If the ACOS device is a member of an aVCS virtual chassis, specify the vlan-id as follows:

DeviceID/vlan-id

Default VLAN 1 is configured by default. All Ethernet data ports are members of VLAN 1 by default.

Mode Configuration mode

Usage You can add or remove ports in VLAN 1 but you cannot delete VLAN 1 itself.

For information about the commands available at the VLAN configuration level, see the
“Config Commands: VLAN” chapter in the Network Configuration Guide.

Example The following command adds VLAN 69 and enters the configuration level for that VLAN:

ACOS(config)# vlan 69
ACOS(config-vlan:69)#

Example You cannot have duplicate VLANs configured across partitions. In this example, VLAN 10
is configured in the shared partition:

ACOS(config)# vlan 10
ACOS(config-vlan:10)# exit
ACOS(config)#

If you attempt to configure VLAN 10 in an L3V partition, you will receive an error message:

ACOS(config)# active-partition p2
Current active partition: p2
ACOS[p2]# configure ACOS[p2]
(config)# vlan 10
This VLAN or Port is owned by another partition.

vlan-global enable-def-vlan-l2-forwarding
Description Enable Layer 2 forwarding on the default VLAN (VLAN 1).

Syntax [no] vlan-global enable-def-vlan-l2-forwarding

Default Layer 2 forwarding is disabled on VLAN 1, on ACOS devices deployed in route mode.

Usage This command applies only to routed mode deployments.

On a new or unconfigured ACOS device, as soon as you configure an IP interface on any

individual Ethernet data port or trunk interface, Layer 2 forwarding on VLAN 1 is disabled.

page 213 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

When Layer 2 forwarding on VLAN 1 is disabled, broadcast, multicast, and unknown unicast
packets are dropped instead of being forwarded. Learning is also disabled on the VLAN.
However, packets for the ACOS device itself (ex: LACP) are not dropped.

NOTE: Configuring an IP interface on an individual Ethernet interface indicates you are

deploying in route mode (also called “gateway mode”). If you deploy in transparent
mode instead, in which the ACOS device has a single IP address for all data inter-
faces, Layer 2 forwarding is left enabled by default on VLAN 1.

vlan-global l3-vlan-fwd-disable
Description Globally disable Layer 3 forwarding between VLANs.

Syntax [no] vlan-global l3-vlan-fwd-disable

Default By default, the ACOS device can forward Layer 3 traffic between VLANs.

Usage This option is applicable only on ACOS devices deployed in gateway (route) mode. If
the option to disable Layer 3 forwarding between VLANs is configured at any level, the
ACOS device can not be changed from gateway mode to transparent mode, until the
option is removed.
• Depending on the granularity of control required for your deployment, you can
disable Layer 3 forwarding between VLANs at any of the following configuration
levels:
• Global – Layer 3 forwarding between VLANs is disabled globally, for all VLANs. (Use
this command at the Configuration mode level.)
• Individual interfaces – Layer 3 forwarding between VLANs is disabled for incoming
traf- fic on specific interfaces.
• Access Control Lists (ACLs) – Layer 3 forwarding between VLANs is disabled for all traffic
that matches ACL rules that use the l3-vlan-fwd-disable action.

vrrp-a
Description Configure VRRP-A high availability for ACOS.

For more information, see “VRRP-A CLI Commands” in Configuring VRRP-A High Availability.

waf

Description Configure Web Application Firewall (WAF) parameters. See the Web Application Firewall
Guide.

web-category
Description Configure Web Category classification. See “Config Commands: Web Category” in the Com-
mand Line Interface Reference for ADC.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 214

A10 Thunder Series and AX Series—Command Line Interface

web-service
Description Configure web services.

Syntax [no] web-service

{
auto-redir |
axapi-session-limit num |
axapi-timeout-policy idle minutes |
port protocol-port |
secure {
certificate load [use-mgmt-port] url |
private-key load [use-mgmt-port] url |
generate domain-name domain_name [country country_code]
[state state_name] |
regenerate domain-name domain_name [country country_code]
[state state_name] |
restart |
wipe} |
secure-port protocol-port |
server disable |
secure-server disable |
}

Parameter Description
auto-redir Enables requests for the unsecured port (HTTP) to be automatically redirected to the
secure port (HTTPS).
This feature is enabled by default.
axapi-session-limit Specifies the maximum number of aXAPI sessions that can be run simultaneously
num (1- 100).
The default is 30.
axapi-timeout-policy Specifies the number of minutes an aXAPI session or GUI session can remain idle
idle minutes before being terminated. Once the aXAPI session is terminated, the session ID
generated by the ACOS device for the session is no longer valid. You can specify 0-60
minutes. If you spec- ify 0, sessions never time out.
The default timeout is 10 minutes.
port port Specifies the port number for the unsecured (HTTP) port.
The default HTTP port is 80.
secure Generate a new certificate for your ACOS device when it is booted for the first time.
Use the certificate or private-key parameters to load an externally-
generated certificate or private-key. For the URL, you can specify:
• tftp://host/file
• ftp://[user@]host[port:]/file
• scp://[user@]host/file
• sftp://[user@]host/file
Use generate or regenerate for certificate creation. You must specify the domain
name, and can optionally specify the country and state location.

page 215 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
secure-port port Specifies the port number for the secure (HTTPS) port.
The default HTTPS port is 443.
server disable Disables the HTTP server.
This sever is enabled by default.
secure-server disable Disables the HTTPS server.
This sever is enabled by default.

Default See descriptions.

Mode Configuration mode

Usage If you disable HTTP or HTTPS access, any sessions on the management GUI are immediately
terminated.

Example The following command disables management access on HTTP:

ACOS(config)#web-service server disable

write
Description Write the current running-config. See the following related commands:
• “write force” on page 56
• “write memory” on page 57
• “write terminal” on page 59

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 216

Config Commands: DNSSEC

This chapter lists the CLI commands for DNS Security Extensions (DNSSEC):

• DNSSEC Configuration Commands

• DNSSEC Operational Commands
• DNSSEC Show Commands

Common commands available at all configuration levels are available elsewhere in this guide:

• “EXEC Commands” on page 25

• “Privileged EXEC Commands” on page 35
• “Config Commands: Global” on page 61

NOTE: For information about Hardware Security Module (HSM) commands, see “Config Com-
mands: Hardware Security Module” on page 219.

DNSSEC Configuration Commands

This section shows the configuration commands for DNSSEC:

• dnssec standalone
• dnssec template

page 217 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface
DNSSEC Configuration Commands

dnssec standalone
Description Enable the ACOS device to run DNSSEC without being a member of a GSLB controller group.

Syntax [no] standalone

Default Disabled

Mode Configuration mode

Usage GSLB is still required. The ACOS device must be configured to act as a GSLB controller, and
as an authoritative DNS server for the GSLB zone.

dnssec template
Description Configure a DNSSEC template.

Syntax [no] dnssec template template-name

This command changes the CLI to the configuration level for the specified DNSSEC template,
where the following commands are available.

Command
[no] algorithm
{RSASHA1 | RSASHA256 | RSASHA512}
[no] combinations-limit num
[no] dnskey-ttl seconds
[no] enable-nsec3
[no] hsm template-name
[no] ksk keysize bits
[no] ksk lifetime seconds
[rollover-time seconds]
Description
Cryptographic algorithm to use for encrypting DNSSEC keys.
The default algorithm is RSASHA256.
Maximum number of combinations per Resource Record Set (RRset),
where RRset is defined as all the records of a particular type for a
particu- lar domain, such as all the “quad-A” (IPv6) records for
www.example.com. You can specify 1-65535.
The default number of combinations is 31.
Lifetime for DNSSEC key resource records. The TTL can range from 1-
864,000 seconds.
The default is 14,400 seconds (4 hours).
Enables NSEC3 support. This is disabled by default.
Binds a Hardware Security Module (HSM) template to this DNSSEC tem-
plate.
Key length for KSKs. You can specify 1024-4096 bits.
The default is 2048 bits.
Lifetime for KSKs, 1-2147483647 seconds (about 68 years). The
roll- over-time specifies how long to wait before generating a
standby key to replace the current key. The rollover-time setting
also can be
1-2147483647 seconds. Generally, the rollover-time setting should
be shorter than the lifetime, to allow the new key to be ready when
needed.
The default is 31536000 seconds (365 days), with rollover-time
30931200 seconds (358 days)

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 218

 A10 Thunder Series and AX Series—Command Line Interface
DNSSEC Operational Commands

Command Description
[no] return-nsec-on-failure Returns an NSEC or NSEC3 record in response to a client request for an
invalid domain. As originally designed, DNSSEC would expose the list of
device names within a zone, allowing an attacker to gain a list of network
devices that could be used to create a map of the network.
This is enabled by default.
[no] signature-validity-period Period for which a signature will remain valid. The time can range from 5
days to 30 days.
The default is 10 days.
[no] zsk lifetime seconds Lifetime for ZSKs, 1-2147483647 seconds. The rollover-time
[rollover-time seconds] specifies how long to wait before generating a standby key to replace the
current key. The rollover-time setting also can be 1-2147483647
seconds. Generally, the rollover-time setting should be shorter
than the life- time, to allow the new key to be ready when needed.
The default is 7776000 seconds (90 days), with rollover-time
7171200 seconds (83 days).

Default See descriptions.

Mode Global configuration mode

DNSSEC Operational Commands

This section describes the operational commands for DNSSEC and for HSM support:

• dnssec dnskey delete

• dnssec ds delete
• dnssec key-rollover
• dnssec sign-zone-now

Because these are operational commands, they are not added to the running-config or saved to the startup-config.

dnssec dnskey delete

Description Delete DNS Public Key (DNSKEY) resource records.

Syntax dnssec dnskey delete [zone-name]

Replace zone-name with the name of the zone for which to delete DNSKEY resource
records. If you do not specify a zone name, the DNSKEY resource records for all child
zones are deleted.

page 219 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface
DNSSEC Operational Commands

Default N/A

Mode Configuration mode

dnssec ds delete
Description Delete Delegation Signer (DS) resource records for child zones.

Syntax dnssec dnskey delete [zone-name]

Replace zone-name with the name of the zone for which to delete DS resource records.
If you do not specify a zone name, the DS resource records for all child zones are deleted.

Default N/A

Mode Configuration mode

dnssec key-rollover
Description Perform key change (rollover) for ZSKs or KSKs.

Syntax dnssec key-rollover zone-name

{KSK {ds-ready-in-parent-zone | start} | ZSK start}

Parameter Description
zone-name Name of the child zone for which to regenerate keys. If you do not spec-
ify a zone name, all child zones are re-signed.
KSK Regenerates key-signing keys (KSKs).:
{ds-ready-in-parent-zone | start}
• ds-ready-in-parent-zone – Indicates that the DS
resource record has already been transferred to the parent zone,
so it is ok to remove the old active key.
• start – Immediately begins KSK rollover.
ZSK start Immediately begins ZSK rollover.

Default N/A

Mode Configuration mode

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 220

A10 Thunder Series and AX Series—Command Line Interface
Reference

dnssec sign-zone-now
Description Force re-signing of zone-signing keys (ZSKs).

Syntax dnssec sign-zone-now [zone-name]

Replace zone-name with the name of the child zone for which to re-sign the ZSKs. If you
do not specify a zone name, all child zones are re-signed.

Default N/A

Mode Configuration mode

DNSSEC Show Commands

This section describes the show commands for DNSSEC.

• show dnssec dnskey

• show dnssec ds
• show dnssec statistics
• show dnssec status
• show dnssec template

show dnssec dnskey

Description Show the DNS Public Key (DNSKEY) resource records for child zones.

Syntax show dnssec dnskey [zone-name]

[all-partitions | partition partition-name]

Parameter Description
zone-name The name of the child zone. If you do not specify a zone name,
DNSKEY resource records for all child zones are displayed.
partition Display the information for a specific partition.
partition-name

Mode Privileged EXEC and all configuration levels

page 221 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface
Reference

show dnssec ds
Description Show the Delegation Signer (DS) resource records for child zones.

Syntax show dnssec ds [zone-name]

[all-partitions | partition partition-name]

Parameter Description
zone-name The name of the child zone. If you do not specify a zone name,
DS resource records for all child zones are displayed.
partition Display the information for a specific partition.
partition-name

Mode Privileged EXEC and all configuration levels

show dnssec statistics

Description Show memory statistics for DNSSEC.

Syntax show dnssec statistics memory

Mode Privileged EXEC and all configuration levels

show dnssec status

Description Show the DNSSEC status for each zone.

Syntax show dnssec status

Mode Privileged EXEC and all configuration levels

show dnssec template

Description Show DNSSEC templates.

Syntax show dnssec template [default | template-

name] [all-partitions | partition partition-
name]

Parameter Description
default | The name of the template. If you do not specify a template name,
template-name all DNSSEC templates are displayed.
partition Display the information for a specific partition.
partition-name

Mode Privileged EXEC and all configuration levels

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 222

A10 Thunder Series and AX Series—Command Line Interface
Reference

page 223 | Document No.: 410-P2-CLI-001 - 6/17/2016

A10 Thunder Series and AX Series—Command Line Interface
Reference

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 224

Config Commands: SNMP

This chapter lists the CLI commands for Simple Network Management Protocol

(SNMP). The following commands are available:

• snmp-server SNMPv1-v2c
• snmp-server SNMPv3
• snmp-server community
• snmp-server contact
• snmp-server enable
• snmp-server engineID
• snmp-server group
• snmp-server host
• snmp-server location
• snmp-server slb-data-cache-timeout
• snmp-server user
• snmp-server view

Common commands available at all configuration levels are available elsewhere in this guide:

• “EXEC Commands” on page 25

• “Privileged EXEC Commands” on page 35
• “Config Commands: Global” on page 61

page 225 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

snmp-server SNMPv1-v2c
Description Define an SNMPv1 or SNMPv2c community. The members of the community can
gain access to the SNMP data available on this device.

Syntax [no] snmp-server SNMPv1-v2c user u1

This command changes the CLI to an SNMP community configuration mode, where the
following commands are available:

Parameter Description
community read string Define a read-only community string (1-31 charac-
ters).
oid oid-value Object ID.
This option restricts the objects that the ACOS device
returns in response to GET requests. Values are
returned only for the objects within or under the
specified OID.
remote { Restricts SNMP access to a specific remote host
ipv4addr [/mask-length | mask] | or subnet.
ipv6addr [mask] |
When you use this option, only the specified host or
DNS-remote-host
subnet can receive SNMP data from the ACOS
}
device by sending a GET request to this community.

Default The configuration does not have any default SNMP communities.

Mode Global configuration mode

Usage All SNMP communities are read-only. Read-write communities are not supported. The OID
for A10 Thunder Series and AX Series objects is 1.3.6.1.4.1.22610.

Example The following commands enable SNMP and define community string “a10community”:

ACOS(config)# snmp-server enable service

ACOS(config)# snmp-server SNMPv1-v2c user u1
ACOS(config-user:u1)# community read a10community
ACOS(config-user:u1)# remote 10.10.10.0 /24
ACOS(config-user:u1)# remote 20.20.20.0 /24
ACOS(config-user:u1)# oid 1.2.3
ACOS(config-user:u1-oid:1.2.3)# remote 30.30.30.0 /24
ACOS(config-user:u1-oid:1.2.3)# remote 40.40.40.0 /24

Hosts in 10.10.10.0 /24 and 20.20.20.0 /24 can access the entire MIB tree using the
“a10community” community string. Hosts in 30.30.30.0 /24 and 40.40.40.0 /24 can access the
MIB sub-tree 1.2.3 using the community string “a10community.”

Example The following example deletes the OID sub-tree 1.2.3:

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 226

A10 Thunder Series and AX Series—Command Line Interface

ACOS(config-user:u1)# no oid 1.2.3

snmp-server SNMPv3
Description Define an SNMPv3 user.

Syntax [no] snmp-server SNMPv3 user username group groupname v3 {

auth {md5 | sha} auth-password [priv {des | aes} priv-password] |
noauth
}

Parameter Description
username Specifies the SNMP user name.
groupname Specifies the group to which the SNMP user belongs.
v3 Specifies SNMP version 3.
auth {md5 | sha} Specifies the encryption method to use for user authentication.
• md5 - Uses Message Digest Algorithm 5 (MD5) encryption.
• sha - Uses Security Hash Algorithm (SHA) encryption.
auth-password Password for user authentication (8-31 characters).
priv {aes | des} Specifies the encryption method to use for user privacy.
• aes - Uses Advanced Encryption Standard (AES) algorithm.
This uses a fixed block size of 128 bits, and has a key size of
128, 192, or 256 bits. AES encryption supersedes DES encryp-
tion.
• des - Uses Data Encryption Standard (DES) algorithm to
apply a 56-bit key to each 64-bit block of data. This is
considered strong encryption.

priv-password Password for message encryption and privacy (8-31 characters).

noauth Does not use message encryption or privacy.

Default No SNMP users are configured by default.

Mode Configuration mode

Usage SNMPv3 enables you to configure each user with a name, authentication type with an
asso- ciated key, and privacy type with an associated key.
• Authentication (auth) is performed by using the user’s authentication key to sign the
message being sent. This can be done using either MD5 or SHA encryption; the
authentication key is generated using the specified encryption method and the speci-
fied auth-password.
• Encryption (priv) is performed by using a user’s privacy key to encrypt the data
por- tion of the message being sent. This can be done using either AES or DES
encryption; the authentication key is generated using the specified encryption
method and the specified priv-password.

page 227 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Example The following example shows how to configure an SNMP user “exampleuser”, who is a
mem- ber in “examplegroup”. Authentication using MD5 encryption for “authpassword” is
config- ured, along with message encryption using AES or “privpassword”.

ACOS(config)# snmp-server view exampleview 1.2.3 included

ACOS(config)# snmp-server group examplegroup v3 auth read exampleview
ACOS(config)# snmp-server SNMPv3 user exampleuser group examplegroup v3 auth md5 authpass-
word priv aes privpassword

snmp-server community
Description Deprecated command to configure an SNMP community string.

Use snmp-server SNMPv1-v2c.

snmp-server contact
Description Configure SNMP contact information.

Syntax [no] snmp-server contact contact-name

Replace contact-name with the SNMP contact; for example, an E-mail address.

Default Empty string

Mode Configuration mode

Usage The no form removes the contact information.

By default, the SNMP sysContact OID value is synchronized among all member ACOS devices
of an aVCS virtual chassis. You can disable this synchronization, on an individual device basis.

NOTE: After configuring this option for an ACOS device, if you disable aVCS on that device,
the running-config is automatically updated to continue using the same
sysCon- tact value you specified for the device. You do not need to reconfigure
the sysCon- tact on the device after disabling aVCS.

Example The following command defines the SNMP contact with the E-mail address
“exampleu- [email protected]”:

ACOS(config)#snmp-server contact [email protected]

snmp-server enable
Description Enable the ACOS device to accept SNMP MIB data queries and to send SNMP v1/v2c traps.

To use SNMP on the device, you must enter this command. Enter this command first, then
enter the other snmp-server commands to further configure the feature.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 228

A10 Thunder Series and AX Series—Command Line Interface

Syntax [no] snmp-server enable service

Syntax [no] snmp-server enable traps

{ all |
gslb trap-name |
lldp |
lsn |
network trap-name |
routing trap-name |
slb trap-name |
slb-change trap-name |
snmp trap-name |
system trap-name |
vcs state-change |
vrrp-a
}

Parameter Description
traps Specify the traps you want to enable.
all Enable all the traps described below.
NOTE: The all option can be specified at any command level to enable all SNMP traps at that
level.
gslb Enable GSLB group traps:
• group – Enable group-related traps.
• service-ip – Enable traps related to service-IPs.
• site – Enable site-related traps.
• zone – Enable zone-related traps.

lldp Enable LLDP group traps.

lsn Enable LSN group traps:
• per-ip-port-uage-threshold - Enable LSN trap when IP total port usage reaches
the threshold (default 64512).
• total-port-usage-threshold - Enable LSN trap when NAT total port usage reaches
the threshold (default 655350000).
• traffic-exceeded - Enable LSN trap when NAT pool reaches the threshold.
network Enable network group traps:
• trunk-port-threshold – Indicates that the trunk ports threshold feature has disabled
trunk members because the number of up ports in the trunk has fallen below the configured
threshold.

page 229 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
routing Enable the routing group traps:
• bgp – Enables traps for BGP routing:
• bgpEstablishedNotification - A BGP neighbor transitions to the Established state.
• bgpBackwardTransNotification - a BGP neighbour transitions from a higher state to a
lower state; for example, if the BGP neighbour’s state transitions from Established to OpenCon-
firm or from Connect to Idle.
• isis – Enables traps for IS-ID routing:
• isisAdjancencyChange
• isisAreaMismatch
• isisAttemptToExceedMaxSequence
• isisAuthenticationFailure
• isisAuthenticationTypeFailure
• isisCorruptedLSPDetected
• isisDatabaseOverload
• isisIDLenMismatch
• isisLSPTooLargeToPropagate
• isisManualAddressDrops
• isisMaxAreaAddressesMismatch
• isisOriginatingLSPBufferSizeMismatch
• isisOwnLSPPurge
• isisProto9colSupportedMismatch
• isisRejectedAdjacency
• isisSequenceNumberSkip
• isisVersionSkew
• ospf – Enables traps for OSPF routing:
• ospfIfAuthFailure
• ospfIfConfigError
• ospfIfRxBadPacket
• ospfIfStateChange
• ospfLsdbApproachingOverflow
• ospfLsdbOverflow
• ospfMaxAgeLsa
• ospfNbrStateChange
• ospfOriginateLsa
• ospfTxRetransmit
• ospfVirtIfAuthFailure
• ospfVirtIfConfigError
• ospfVirtIfRxBadPacket
• ospfVirtIfStateChange
• ospfVirtIfTxRetransmit
• ospfVirtNbrStateChange

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 230

A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
slb Enable the SLB group traps:
• application-buffer-limit – Indicates that the configured SLB application buffer threshold
has been exceeded. (See “monitor” on page 158.)
• server-conn-limit – Indicates that an SLB server has reached its configured connection limit.
• server-conn-resume – Indicates that an SLB server has reached its configured connection-
resume value.
• server-disabled – Indicates that an SLB server has been disabled.
• server-down – Indicates that an SLB server has gone down.
• server-selection-failure – Indicates that SLB was unable to select a real server
for a request.
• server-up – Indicates that an SLB server has come up.
• service-conn-limit – Indicates that an SLB service has reached its configured connection
limit.
• service-conn-resume – Indicates that an SLB service has reached its configured connection-
resume value.
• service-down – Indicates that an SLB service has gone down.
• service-group-down – Indicates that an SLB service group has gone down.
• service-group-member-down – Indicates that an SLB service group member has gone down.
• service-group-member-up – Indicates that an SLB service group member has come up.
• service-group-up – Indicates that an SLB service group has come up.
• service-up – Indicates that an SLB service has come up.
• vip-connlimit – Indicates that the connection limit configured on a virtual server has
been exceeded.
• vip-connratelimit – Indicates that the connection rate limit configured on a virtual
server has been exceeded.
• vip-down – Indicates that an SLB virtual server has gone down.
• vip-port-connlimit – Indicates that the connection limit configured on a virtual port
has been exceeded.
• vip-port-connratelimit – Indicates that the connection rate limit configured on a
virtual port has been exceeded.
• vip-port-down – Indicates that an SLB virtual service port has gone down.
• vip-port-up – Indicates that an SLB virtual service port has come up. An SLB virtual
server’s ser- vice port is up when at least one member (real server and real port) in the service
group bound to the virtual port is up.
• vip-up – Indicates that an SLB virtual server has come up.

slb-change Enables the SLB change traps:

• connection-resource-event - Enable system connection resource event trap.
• resource-usage-warning – Indicates resource usage threshold met.
• server – Indicates a real server was created or deleted.
• server-port – Indicates a real server port was created or deleted.
• ssl-cert-change – Indicates that an SSL certificate has been changed.
• ssl-cert-expire – Indicates that an SSL certificate has expired.
• vip – Indicates a virtual server was created or deleted.
• vip-port – Indicates a virtual service port was created or deleted.

page 231 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
snmp Enable SNMP group traps:
• linkdown – Indicates that an Ethernet interface has gone down.
• linkup – Indicates that an Ethernet interface has come up.
ssl Enable the SSL group traps:
• server-certificate-error – Indicates a certificate error.
system Enable the system group traps:
• control-cpu-high – Indicates that the control CPU utilization is higher than the
configured threshold. (See “monitor” on page 158.)
• data-cpu-high – Indicates that data CPU utilization is higher than the configured
threshold. (See “monitor” on page 158.)
• fan – Indicates that a system fan has failed. Contact A10 Networks.
• file-sys-read-only – Indicates that the file system has entered read-only mode.
• high-disk-use – Enables system high disk usage traps.
• high-memory-use – Indicates that the memory usage on the ACOS device is higher than
the configured threshold. (See “monitor” on page 158.)
• high-temp – Indicates that the temperature inside the ACOS chassis is higher than the
config- ured threshold. (See “monitor” on page 158.)
• license-management – Enables license management traps.
• packet-drop – Indicates that the number of dropped packets during the previous 10-
second interval exceeded the configured threshold. (See “monitor” on page 158.)
NOTE: This trap is not applicable to some device types. The trap is applicable to Thunder Series
and AX Series hardware-based models and software-based models.
• power – Indicates that a power supply has failed. Contact A10 Networks.
• pri-disk – Indicates that the primary Hard Disk has failed or the RAID system has failed. In
dual- disk models, the primary Hard Disk is the one on the left, as you are facing the front of the
ACOS device chassis.
• restart – Indicates that the ACOS device is going to reboot or reload.
• sec-disk – Indicates that the secondary Hard Disk has failed or the RAID system has failed.
The secondary Hard Disk is the one on the right, as you are facing the front of the ACOS device
chassis.
NOTE: This trap applies only to models that use disk drives.
• shutdown – Indicates that the ACOS device has shut down.
• start – Indicates that the ACOS device has started.

vcs Enable the VCS state-change trap.

state-change
vrrp-a Enable VRRP-A high availability traps:
• active - Indicates a device has become the active device.
• standby - Indicated a device bas become the standby device.

Default The SNMP service is disabled by default and all traps are disabled by default.

Mode Configuration mode

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 232

A10 Thunder Series and AX Series—Command Line Interface

Usage For security, SNMP and SNMP trap are disabled on all data interfaces. Use the enable-
man- agement command to enable SNMP on data interfaces. (See “enable-
management” on page 112.)

The no form disables traps.

If the ACOS device is a member of an aVCS virtual chassis, use the device-context
command to specify the device in the chassis to which to apply this command. This is only
valid for SNMP routing (snmp-server enable traps routing trap-name) and
network (snmp-server enable traps network trap-name) traps.

Example The following command enables all traps:

ACOS(config)# snmp-server enable traps

Example The following command enables all SLB traps:

ACOS(config)# snmp-server enable traps slb

Example The following commands enable SLB traps server-conn-limit and server-conn-resume:

ACOS(config)# snmp-server enable traps slb server-conn-limit

ACOS(config)# snmp-server enable traps slb server-conn-resume

snmp-server engineID
Description Set the SNMPv3 engine ID of this ACOS device.

Syntax [no] snmp-server engineID hex-string

Replace hex-string with a hexadecimal string representing the engine ID.

Mode Configuration mode

snmp-server group
Description Configure an SNMP group for SNMPv3.

Syntax [no] snmp-server group group-name v3

{auth | noauth | priv} read view-name

Parameter Description
group-name Specifies the name of the SNMP group.
auth Uses packet authentication but does not encrypt the packets.
(This is the authNoPriv security level.)
noauth Does not use any authentication of packets.
(This is the noAuthNoPriv security level.)

page 233 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
priv Uses packet authentication and encryption.
(This is the authPriv security level.)
read view-name Specifies the name of a read-only view for accessing the MIB
object values (1-31 characters).
Views can be created using the snmp-server view command.

Default The configuration does not have any default SNMP groups.

Mode Configuration mode

Example The following commands add SNMP v3 group “group1” with authPriv security and read-
only view “view1”:

ACOS(config)# snmp-server group group1 v3 priv read view1

snmp-server host
Description Configure an SNMP v1/v2c trap receiver.

Syntax [no] snmp-server host trap-receiver

[version {v1 | v2c | v3}]
community-string
[udp-port port-num]

Parameter Description
trap-receiver Hostname or IP address of the remote device to which
traps will be sent.
version {v1 | v2c | v3} SNMP version. If you omit this option, the trap receiver
can use SNMP v1 or v2c.
community-string Community string for the traps.
udp-port port-num UDP port to which the ACOS device will send the trap.

Default No SNMP hosts are defined. When you configure one, the default SNMP version is v2c
and the default UDP port is 162.

Mode Configuration mode

Usage You can configure up to 16 trap

receivers. The “no” form removes the

trap receiver.

Example The following command configures SNMP trap receiver 100.10.10.12 to use
community string “public” and UDP port 166 for SNMP v2c traps.

ACOS(config)# snmp-server host 100.10.10.12 public udp-port 166

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 234

A10 Thunder Series and AX Series—Command Line Interface

snmp-server location
Description Configure SNMP location information.

Syntax [no] snmp-server location location

Replace location with the location of the ACOS device.

Default Empty string

Mode Configuration mode

Example The following command configures the location as “ExampleLocation”:

ACOS(config)# snmp-server location ExampleLocation

snmp-server slb-data-cache-timeout
Description Configure the SLB data cache timeout.

Syntax snmp-server slb-data-cache-timeout seconds

Replace seconds with the number of seconds (5-120) for the SLB data cache timeout.

Default 60 seconds.

Mode Configuration mode

Example The following example sets the SLB data cache timeout to 45 seconds.

AOCS(config)# snmp-server slb-data-cache-timeout 45

snmp-server user
Description Deprecated command to configure an SNMPv3 user.

Use snmp-server SNMPv3.

snmp-server view
Description Configure an SNMP view.

Syntax [no] snmp-server view view-name oid {oid-mask | included | excluded}

Parameter Description
view-name Name of the SNMP view.
oid MIB family name or OID.
oid-mask OID mask. Use hex octets, separated by a dot ( . ) character.

page 235 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
included MIB family is included in the view.
excluded MIB family is excluded from the view.

Default N/A

Mode Configuration mode

Usage The OID for ACOS devices is 1.3.6.1.4.1.22610.

Example The following command adds SNMP view “view1” and includes all objects in the 1.3.6 tree:

ACOS(config)# snmp-server view view1 1.3.6 included

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 236

Show Commands

The show commands display configuration and system information.

In addition to the command options provided with some show commands, you can use output modifiers to search and filter
the output. See “Searching and Filtering CLI Output” on page 13.

To automatically re-enter a show command at regular intervals, see “repeat” on page 53.

NOTE: The show slb commands are described in a separate chapter. See “SLB Show Com-
mands” in the Command Line Interface Reference for ADC.

Below are the available show commands:

• show aam
• show access-list
• show active-partition
• show admin
• show aflex
• show arp
• show audit
• show axdebug capture
• show axdebug config
• show axdebug config-file
• show axdebug file
• show axdebug filter
• show axdebug status
• show backup
• show bfd
• show bgp
• show bootimage
• show bpdu-fwd-group
• show bridge-vlan-group

page 237 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

• show bw-list
• show class-list
• show clns
• show clock
• show config
• show config-block
• show context
• show core
• show cpu
• show debug
• show disk
• show dns cache
• show dns statistics
• show dnssec
• show dumpthread
• show environment
• show errors
• show event-action
• show fail-safe
• show glid
• show gslb
• show hardware
• show health
• show history
• show hsm
• show icmp
• show icmpv6
• show interfaces
• show interfaces brief
• show interfaces media
• show interfaces statistics

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 238

A10 Thunder Series and AX Series—Command Line Interface

• show interfaces transceiver

• show ip
• show ip anomaly-drop statistics
• show ip bgp
• show ip dns
• show ip fib | show ipv6 fib
• show ip fragmentation | show ipv6 fragmentation | show ipv4-in-ipv6 fragmentation | show ipv6-in-ipv4
fragmenta- tion
• show ip helper-address
• show ip interfaces | show ipv6 interfaces
• show ip isis | show ipv6 isis
• show ip nat alg pptp
• show ip nat interfaces | show ipv6 nat interfaces
• show ip nat pool | show ipv6 nat pool
• show ip nat pool-group | show ipv6 nat pool-group
• show ip nat range-list
• show ip nat static-binding
• show ip nat statistics
• show ip nat template logging
• show ip nat timeouts
• show ip nat translations
• show ip-list
• show ipv6 ndisc
• show ipv6 neighbor
• show ip ospf | show ipv6 ospf
• show ip prefix-list | show ipv6 prefix-list
• show ip protocols | show ipv6 protocols
• show ip rip | show ipv6 rip
• show ip route | show ipv6 route
• show ip stats | show ipv6 stats
• show ipv6 traffic

page 239 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

• show isis
• show json-config
• show json-config-detail
• show json-config-with-default
• show key-chain
• show lacp
• show lacp-passthrough
• show license
• show license-debug
• show license-info
• show lldp neighbor statistics
• show lldp statistics
• show local-uri-file
• show locale
• show log
• show mac-address-table
• show management
• show memory
• show mirror
• show monitor
• show netflow
• show ntp
• show object-group
• show overlay-mgmt-info
• show overlay-tunnel
• show partition
• show partition-config
• show partition-group
• show pbslb
• show pki
• show poap

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 240

A10 Thunder Series and AX Series—Command Line Interface

• show process system

• show radius-server
• show reboot
• show route-map
• show router log file
• show running-config
• show scaleout
• show session
• show sflow
• show shutdown
• show slb
• show smtp
• show snmp
• show snmp-stats all
• show startup-config
• show statistics
• show store
• show switch
• show system cpu-list
• show system cpu-load-sharing
• show system platform
• show system port-list
• show system resource-usage
• show tacacs-server
• show techsupport
• show terminal
• show tftp
• show trunk
• show vcs
• show version
• show vlan counters

page 241 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

• show vlans
• show vpn
• show vrrp-a
• show waf
• show web-category

show aam
Description Display information for Application Access Management (AAM). See the Application Access
Management Guide.

show access-list
Description Display the configured Access Control Lists (ACLs). The output lists the configuration
com- mands for the ACLs in the running-config.

Syntax show access-list [{ipv4 | ipv6} [acl-id]

Parameter Description
ipv4 | ipv6 IP address type.
acl-id ACL name or number.

Mode All

Example The following command displays the configuration commands for ACL 1:

ACOS# show access-list ipv4 1

access-list 1 permit 198.162.11.0 0.0.0.255 Data plane hits: 3
access-list 1 deny 198.162.12.0 0.0.0.255 Data plane hits: 1

NOTE: The ACL Hits counter is not applicable to ACLs applied to the management port.

show active-partition
Description This command is described in the Configuring Application Delivery Partitions guide.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 242

A10 Thunder Series and AX Series—Command Line Interface

show admin
Description Display the administrator accounts.

Syntax show admin [admin-name] [detail | session]

Parameter Description
admin-name Administrator name.
detail Shows detailed information about the admin account.
session Shows the current management sessions.

Mode Privileged EXEC mode and configuration mode

Example The following command lists the admins configured on an ACOS device:

ACOS# show admin

Total number of configured users: 8
Privilege R: read-only, W: write, P: partition, En:
Enable Access Type C: cli, W: web, A: axapi

UserName Status Privilege Access Partition

-------------------------------------------------------------------
admin Enabled R/W C/W/A
admin1 Enabled R/W W
admin2 Enabled R C/W/A
CorpAadmin Enabled P.En C/W/A companyA
CorpBadmin Enabled P.R/W C/W/A companyB

page 243 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

The following table describes the fields in the command output.

Field Description
UserName Name of the ACOS admin.
Status Administrative status of the account.
Privilege Access privilege level for the account:
• R/W – Read-write. Allows access to all levels of the system.
• R – Read-only. Allows monitoring access to the system but not
config- uration access. In the CLI, this account can only access the
User EXEC and Privileged EXEC levels, not the configuration levels.
In the GUI, this account cannot modify configuration information.
• P.R/W – The admin has read-write privileges within the L3V partition
to which the admin has been assigned. The admin has read-only
privi- leges for the shared partition.
• P.R – The admin has read-only privileges within the L3V partition to
which the admin has been assigned, and read-only privileges for
the shared partition.
• P.En– The admin is assigned to an L3V partition but has permission
only to view service port statistics for real servers in the partition,
and to disable or re-enable the real servers or their service ports.
NOTE: The “P” (partition) privilege levels apply to Application Delivery
Partitions (ADP). For more information, see the Configuring
Application Delivery Partitions guide.

Access Which modules the admin is allowed to access:

• C - Admin is allowed CLI access.
• W - Admin is allowed web (GUI) access.
• A - Admin is allowed aXAPI access.
Partition L3V partition to which the admin is assigned.

Example The following command lists details for the “admin” account:

ACOS# show admin admin detail

User Name...................admin
Status......................Enabled
Privilege...................R/W
Partition ......
Access type .....cli web axapi
GUI role ......
Trusted Host(Netmask).......Any
Lock Status.................No
Lock Time ......
Unlock Time ......
Password Type...............Encrypted
Password ...... $1$6334ba07$CKbWL/LuSNdY12kcE.KdS0

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 244

A10 Thunder Series and AX Series—Command Line Interface

The following table describes the fields in the command output.

Field Description
User Name Name of the ACOS admin.
Status Administrative status of the account.
Privilege Access privilege level for the account:
• R/W – Read-write. Allows access to all levels of the system.
• R – Read-only. Allows monitoring access to the system but not
con- figuration access. In the CLI, this account can only access the
User EXEC and Privileged EXEC levels, not the configuration
levels. In the GUI, this account cannot modify configuration
information.
• Partition-write – The admin has read-write privileges within the
pri- vate partition to which the admin has been assigned. The
admin has read-only privileges for the shared partition.
• Partition-read – The admin has read-only privileges within the pri-
vate partition to which the admin has been assigned, and read-
only privileges for the shared partition.
• Partition-enable-disable – The admin is assigned to a private
parti- tion but has permission only to view service port statistics
for real servers in the partition, and to disable or re-enable the
real servers and their service ports.
Partition Private partition to which the admin is assigned.
Note: A partition name appears only for admins with Partition-write,
Partition-read, or Partition-enable-disable privileges. For other privi-
lege levels, this field is blank.
Access type Management interfaces the admin is allowed to access, which can be
one or more of the following:
• cli
• web
• axapi
GUI role Role assigned to the admin for GUI access.
Note: If the admin is configured using the GUI, assignment of a role
is required. However, if the admin is configured using the CLI, a GUI
access role can not be assigned. In this case, the GUI role is
equivalent to ReadWriteAdmin.
Trusted IP host or subnet address from which the admin must log in.
Host(Netmask)
Lock Status Indicates whether the admin account is currently locked.
Lock Time If the account is locked, indicates how long the account has been
locked.
Unlock Time If the account is locked, indicates how long the account will continue
to be locked.
Password Type Indicates whether the password is encrypted when displayed in the
CLI or GUI and in the startup-config and running-config.
Password The admin’s password.

page 245 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Example The following command lists all the currently active admin sessions:

ACOS# show admin session

Id User Name Start Time Source IP Type Partition Authen
Role Cfg
------------------------------------------------------------------------------------------
------------------
2 admin 11:35:49 IST Tue Sep 30 2014 127.0.0.1 WEBSERVICE Local
ReadWriteAdmin No
*4 admin 11:43:12 IST Tue Sep 30 2014 172.17.0.224 CLI Local
ReadWriteAdmin No

The following table describes the fields in the command output.

Field Description
Id Admin session ID assigned by the ACOS device. The ID applies only to
the current session.
User Name Admin name.
Start Time System time when the admin logged onto the ACOS device to start
the current management session.
Source IP IP address from which the admin logged on.
Type Management interface through which the admin logged on.
Partition Partition that is currently active for the management session.
Authen Indicates the database used to authenticate the admin:
• Local – Admin database on the ACOS device
• RADIUS – Admin database on a RADIUS server
• TACACS – Admin database on a TACACS+ server
Role Indicates the role assigned to the admin for GUI access.
Cfg Indicates whether the admin is at the configuration level.

show aflex
Description Display the configured aFleX scripts.

Syntax show aflex [aflex-name] [all-partitions | partition name]

Mode All

Usage To display the aFleX policies for a specific partition only, use the partition name option.

Example The following command shows the aFleX scripts on an ACOS device:

ACOS# show aflex

Total aFleX number: 6
Name Syntax Virtual port

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 246

A10 Thunder Series and AX Series—Command Line Interface

------------------------------------------------------------
aFleX_Remote No No
aFleX_check_agent No No
aFleX_relay_client Check No
bugzilla_proxy_fix Check Bind
http_to_https Check No
louis No No

The following table describes the fields in the command output.

Field Description
Total aFleX Total number of aFleX scripts on the ACOS device.
number
Name Name of the aFleX policy.
Syntax Indicates whether the aFleX policy has passed the syntax check per-
formed by the ACOS device:
• Check – The aFleX policy passed the syntax check.
• No – The aFleX policy did not pass the syntax check.
Virtual port Indicates whether the aFleX policy is bound to a virtual port.

show arp
Description Display ARP table entries.

Syntax show arp [all | ipaddr]

Mode All

Example The following command lists the ARP entry for host 192.168.1.144:

ACOS# show arp 192.168.1.144

Total arp entries: 3 Age time: 300 secs
IP Address MAC Address Type Age Interface Vlan
---------------------------------------------------------------------------
192.168.210.1 021f.a000.0009 Dynamic 14 Management 1
192.168.210.5 001f.a004.ee6c Dynamic 47 Management 1
192.168.210.128 001f.a010.0dca Dynamic 274 Management 1

page 247 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

The following table describes the fields in the command output.

Field Description
Total arp entries Total number of entries in the ARP table. This total includes static and
learned (dynamic) entries.
Age time Number of seconds a dynamic ARP entry can remain in the table
before being removed.
IP Address IP address of the device.
MAC Address MAC address of the device.
Type Indicates whether the entry is static or dynamic.
Age For dynamic entries, the number of seconds since the entry was last
used.
Interface ACOS interface through which the device that has the displayed
MAC address and IP address can be reached.
Vlan VLAN through which the device that has the MAC address can be
reached.

show audit
Description Show the command audit log.

Syntax show audit [all-partitions | partition {shared | name}]

Mode All

Usage The audit log is maintained in a separate file, apart from the system log. The audit log
mes- sages that are displayed for an admin depend upon the admin’s privilege level:
• Admins with Root, Read Write, or Read Only privileges who view the audit log can
view all the messages, for all system partitions. To display the messages for a specific
parti- tion only, use the partition option.
• Admins who have privileges only within a specific partition can view only the audit
log messages related to management of that partition. Admins with partition-
enable-dis- able privileges can not view any audit log entries.

Example Below is a sample output of the command audit log (truncated for brevity):

ACOS# show audit

Sep 30 2014 11:54:26 [admin] cli: [172.17.0.224:60009] show audit
Sep 30 2014 11:54:22 [admin] axapi: [1412074462810894] RESP HTTP status 200 OK
Sep 30 2014 11:54:22 [admin] axapi: [1412074462810894] GET: /axapi/v3/system/ctrl-
cpu/ oper
Sep 30 2014 11:54:22 [admin] axapi: [1412074462808372] RESP HTTP status 200 OK
Sep 30 2014 11:54:22 [admin] axapi: [1412074462808372] GET: /axapi/v3/system/memory/oper
Sep 30 2014 11:54:22 [admin] axapi: [1412074462804830] RESP HTTP status 200 OK

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 248

A10 Thunder Series and AX Series—Command Line Interface

show axdebug capture

Description Display a list of AX Debug files.

Syntax show axdebug capture [partition name] [file-name]

Parameter Description
partition name Displays files only for a select partition.
file-name Filters the show output for only files that partially match a speci-
fied file-name

Mode All

show axdebug config

Description Display the AX Debug filter configuration currently applied on ACOS.

Syntax show axdebug config

Mode All

Example This example shows the output of the show axdebug config command:

ACOS(config)#show axdebug config

timeout 5

no incoming

no outgoing

count 3000

length 1518

show axdebug config-file

Description Display a list of the AX debug configuration files.

Syntax show axdebug config-file

Mode All

page 249 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

show axdebug file

Description Display AX debug capture files or their contents.

Syntax show axdebug file [filename]

Mode All

Example The following command displays the list of AX debug capture files on the device:

ACOS(axdebug)#show axdebug file

------------------------------------+--------------+----------------------------
Filename | Size(Byte) | Date
------------------------------------+--------------+----------------------------
file1 | 58801 | Tue Sep 23 22:49:07 2008
file123 | 192 | Fri Sep 26 17:06:51 2008
------------------------------------+--------------+----------------------------
Total: 2
Maximum file number is: 100

Example The following command displays the packet capture data in file “file123”:

ACOS(axdebug)#show axdebug file file123

Parse file for cpu #1:

Parse file for cpu #2:

15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: S 2111796945:2111796945(0) ack

3775149588 win 5792 <mss 1460,sackOK,timestamp 1368738447 524090233,nop,wscale 7>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: S 2111796945:2111796945(0) ack
3775149588 win 5792 <mss 1460,sackOK,timestamp 1368738447 524090233,nop,wscale 7>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: . ack 150 win 54 <nop,nop,time-
stamp 1368738447 524090233>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: . ack 150 win 54 <nop,nop,time-
stamp 1368738447 524090233>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: P 1:192(191) ack 150 win 54
<nop,nop,timestamp 1368738447 524090233>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: P 1:192(191) ack 150 win 54
<nop,nop,timestamp 1368738447 524090233>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: F 192:192(0) ack 151 win 54
<nop,nop,timestamp 1368738448 524090234>

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 250

A10 Thunder Series and AX Series—Command Line Interface

show axdebug filter

Description Display the configured AXdebug output filters.

Syntax show axdebug filter [filter-num]

Mode All

show axdebug status

Description Display per-CPU packet capture counts for AXdebug.

Syntax show axdebug status [cpu-num [...]]

Mode All

Example The following example shows the output for the show axdebug status command for all
CPUs:

ACOS(config)#show axdebug status

axdebug is enabled
6660 seconds left
debug incoming interface 1
debug outgoing interface 2 3 5 8 9 10 11 12
maximum 111 packets
Captured packet length
1111 cpu#1 captured 4
packets. cpu#2 captured 1
packets. cpu#3 captured 8
packets. cpu#4 captured 1
packets. cpu#5 captured 0
packets. cpu#6 captured 6

show backup packets.

Description Display information about scheduled backups.

Syntax show backup

Mode All

page 251 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

show bfd
Description Display information for Bidirectional Forwarding Detection (BFD).

Syntax show bfd {neighbors [detail] | statistics}

Parameter Description
neighbors Displays summarized information for BFD neighbors.
detail Displays detailed information for BFD neighbors.
statistics Displays overall statistics for BFD packets.

Mode All

Example The following example shows how to view overall statistics for BFD packets:

ACOS(config)#show bfd statistics

IP Checksum error 0
UDP Checksum error 0
No session found with your_discriminator
0 Multihop config mismatch 0
BFD Version mismtach 0
BFD Packet length field is too small 0
BFD Packet data is short 0
BFD Packet DetectMult is invalid 0
BFD Packet Multipoint is invalid 0
BFD Packet my_discriminator is invalid 0
BFD Packet TTL/Hop Limit is invalid 0
BFD Packet auth length is invalid 0
BFD Packet auth mismatch 0
BFD Packet auth type mismatch 0
BFD Packet auth key ID mismatch 0
BFD Packet auth key mismatch 0
BFD Packet auth seq# invalid 0
BFD Packet auth failed 0
BFD local state is AdminDown 0
BFD Destination unreachable 0
BFD Other error 0

Example The following command displays the BFD neighbor status:

ACOS#show bfd neighbors

Our Address Neighbor Address State Holddown txint mult diag
219.0.0.1 219.0.0.2 Up 150 50 3 3/0
219.0.1.1 219.0.1.2 Up 150 50 3 3/0
219.0.2.1 219.0.2.2 Up 150 50 3 0/0

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 252

A10 Thunder Series and AX Series—Command Line Interface

219.0.3.1 219.0.3.2 Up 150 50 3 0/0

219.0.4.1 219.0.4.2 Up 150 50 3 3/0
219.0.5.1 219.0.5.2 Up 150 50 3 3/0
219.0.6.1 219.0.6.2 Up 150 50 3 0/0
219.0.7.1 219.0.7.2 Up 150 50 3 3/0

The following table describes the fields in the command output.

Field Description
Our Address ACOS interface associated with the BFD session.
Neighbor Address Neighbor interface associated with the BFD session.
State Shows the local state of the session.
Holdtime Maximum amount of time the ACOS device waits for a BFD control packet from the neighbor.
txint Configured interval at which the ACOS device sends BFD control packets to the neighbor.
mult Maximum number of consecutive times the ACOS device will wait for a BFD control packet from
the neighbor.
diag Diagnostic codes for the local and remote ends of the BFD session.

Example The following command displays detailed BFD neighbor status:

ACOS#show bfd neighbors detail

Our Address 219.0.0.1
Neighbor Address 219.0.0.2
Clients OSPFv2, IS-IS
Singlehop, Echo disabled, Demand disabled, UDP source port 53214
Asynchronous mode, Authentication None
CPU ID 2, Interface index 93
Local State Up, Remote State Up, 2h:29m:45s up
Local discriminator 0x00000fdf, Remote discriminator 0x0000006f
Config DesiredMinTxInterval 50 milliseconds, RequiredMinRxInterval 50 milliseconds
Local DesiredMinTxInterval 50 milliseconds, RequiredMinRxInterval 50 milliseconds
Remote DesiredMinTxInterval 50 milliseconds, RequiredMinRxInterval 50 milliseconds
Local Multiplier 3, Remote Multiplier 3
Hold Down Time 150 milliseconds, Transmit Interval 50
milliseconds Local Diagnostic: Neighbor Signalled Session Down(3)
Remote Diagnostic: No Diagnostic(0)
Last sent echo sequence number 0x00000000
Control Packet sent 215226, received 215195
Echo Packet sent 0, received 0

page 253 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

The following table describes the fields in the command output.

Field Description
Our Address ACOS interface associated with the BFD session.
Neighbor Address Neighbor interface associated with the BFD session.
Clients Protocol that initiates this BFD session. It can be one or more of the following:
Static, OSPFv2, OSPFv3, IS-IS, or BGP.
Singlehop (or Multihop) BFD session can be either singlehop or multihop.
Echo Indicates whether Echo functionality has been enabled or disabled.
Demand Indicates whether Demand mode functionality has been enabled or disabled.
UDP source port UDP source port used for this BFD session.
Asynchronous mode (or Demand) If configured and running, indicates whether BFD is operating in Asynchronous
mode mode or Demand mode.
Authentication Authentication method. This can be either “None” (if it is not configured) or one
of the following supported authentication schemes:
• Simple password
• Keyed MD5
• Meticulous Keyed MD5
• Keyed SHA1
• Meticulous Keyed SHA1

CPU ID Since BFD traffic is distributed across multiple data CPUs, this CPU ID refers to
the one associated with the current BFD session.
Interface index Interface index associated with the current BFD session. This index is used mostly
for debugging purposes
Local State Shows the local state the session. The state can be one of the following:
• Init
• Up
• AdminDown
• Down
Remote State Shows the remote state the session. The state can be one of the following:
• Init
• Up
• AdminDown
• Down
Local discriminator The local discriminator value that the ACOS device assigns for the current BFD
ses- sion.
Remote discriminator The remote discriminator value that the neighboring router claims.
Config The configured timer values.
Local The configured timer values sent in the last BFD control packet. This value is
deter- mined based on BFD package exchange and negotiation.
Remote The timer values received in the last BFD control packet from the BFD neighbor.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 254

A10 Thunder Series and AX Series—Command Line Interface

Field Description
Local Multiplier The local multiplier sent in the last BFD packet.
Remote Multiplier The remote multiplier received in the last BFD packet from the neighbor.
Hold Down Time The expiration time after which the BFD session will be brought down. This value is
determined with the negotiated interval value and the remote multiplier value.
Transmit Interval The periodic interval to send BFD control packets.
Local Diagnostic: The diagnostic value sent in the last BFD control packet.
Remote Diagnostic: The diagnostic value received in the last BFD control packet from the neighbor.
Last sent echo sequence number A10 Network’s proprietary sequence number sent in the last echo packet.
Control Packet sent..received Statistics of control packets for this BFD session.
Echo Packet sent...received Statistics of echo packets received for this BFD session.

Example The following command shows BFD statistics:

ACOS(config)# show bfd statistics

IP Checksum error 0
UDP Checksum error 0
No session found with your_discriminator
39958 Multihop config mismatch 0
BFD Version mismatch 0
BFD Packet length field is too small 0
BFD Packet data is short 0
BFD Packet DetectMult is invalid 0
BFD Packet Multipoint is invalid 0
BFD Packet my_discriminator is invalid 0
BFD Packet TTL/Hop Limit is invalid 0
BFD Packet auth length is invalid 0
BFD Packet auth mismatch 0
BFD Packet auth type mismatch 0
BFD Packet auth key ID mismatch 0
BFD Packet auth key mismatch 103
BFD Packet auth seq# invalid 0
BFD Packet auth failed 0
BFD local state is AdminDown 2
BFD Destination unreachable 1
BFD Other error 0

page 255 | Document No.: 410-P2-CLI-001 - 6/17/2016


The following table describes the fields in the command output.
Field
IP Checksum error
UDP Checksum error
No session found with your_discriminator
Multihop config mismatch
BFD Version mismatch
BFD Packet length field is too small
BFD Packet data is short
BFD Packet DetectMult is invalid
BFD Packet Multipoint is invalid
BFD Packet my_discriminator is invalid
BFD Packet TTL/Hop Limit is invalid
BFD Packet auth length is invalid
BFD Packet auth type mismatch
BFD Packet auth key ID mismatch
BFD Packet auth key mismatch
BFD Packet auth seq# invalid
BFD Packet auth failed
BFD local state is AdminDown
A10 Thunder Series and AX Series—Command Line Interface
Description
Number of BFD packets that had an invalid IP checksum.
Number of BFD packets that had an invalid UDP checksum.
Number of BFD packets whose Your Discriminator value did not match a
My Discriminator value on the ACOS device.
A multihop configuration mismatch occurs when an ACOS device receives
a BFD packet with a source or destination that matches an existing BFD
ses- sion. It can also be caused in two other scenarios:
• Local is configured as singlehop, but the packet is received on the
UDP port for multihop.
• Local is configured as multihop, but packet is received on the UDP
port for singlehop.
Number of BFD packets with a different BFD version than the one in use by
the ACOS device.
Number of BFD packets whose Length field value was shorter than the
min- imum BFD packet length (24 bytes without authentication or 26 bytes
with authentication).
The packet payload size is smaller than the BFD length value.
The value of the received DetectMult is “0”.
The value of the received multipoint flag is set to “1”.
Number of BFD packets whose My Discriminator value was invalid.
In a singlehop BFD session, the IP time-to-live or IPv6 hop limit value must
be 255. If a value other than 255 is detected, this field is incremented.
The BFD length without the BFD packet header does not match the
expected authentication length byte value. The number of BFD control
packets have wrong authentication lengths in bytes
Number of BFD packets carrying an authentication type that does not
match the BFD authentication type configured on the ACOS device.
This field is incremented when the key ID in the authentication header does
not match the one configured on the ACOS device.
This field is incremented when the received authentication key does not
match the one configured on the ACOS device.
This field is incremented when the received authentication sequence num-
ber is not equal to or greater than the sequence number received previ-
ously.
Number of BFD packets with an incorrect authentication value.
Number of BFD packets received while the BFD session was administra-
tively down.
Document No.: 410-P2-CLI-001 - 6/17/2016 | page 256
A10 Thunder Series and AX Series—Command Line Interface

Field Description
BFD Destination unreachable Number of times the destination IP address for a BFD neighbor was
unreachable while the ACOS device was attempting to transmit a BFD
packet to the neighbor.
BFD Other error Number of BFD errors not counted in any of the fields above.

show bgp
Description Display information for Border Gateway Protocol (BGP). See the “Config Commands: Router -
BGP” chapter in the Network Configuration Guide.

show bootimage
Description Display the software images stored on the ACOS device.

Syntax show bootimage

Mode All

Example The following command shows the software images on an A10 Thunder Series 4430 device:

ACOS#show bootimage
(* = Default)
Version
-----------------------------------------------
Hard Disk primary 4.0.0.485
Hard Disk secondary 2.7.2-P2-SP6.1 (*)
Compact Flash primary 2.7.2.191 (*)
Compact Flash secondary 2.7.2.191

The asterisk ( * ) indicates the default image for each boot device (hard disk and compact
flash). The default image is the one that the ACOS device will try to use first, if trying to boot
from that boot device. (The order in which ACOS tries to use the image areas is controlled
by the bootimage command. See “bootimage” on page 96.)

page 257 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

show bpdu-fwd-group
Description Display the configured Bridge Protocol Data Units (BPDU) forwarding groups.

Syntax show bpdu-fwd-group [number]

Specify a BPDU forwarding group number to view the configuration of the specified BPDU
forwarding group. If you omit this option, all configured BPDU forwarding groups are shown.

Mode All

Example The following command shows all configured BPDU forwarding groups:

ACOS#show bpdu-fwd-group
BPDU forward Group 1 members: ethernet 1 to 3
BPDU forward Group 2 members: ethernet 9 to 12

show bridge-vlan-group
Description Display information for a bridge VLAN group.

Syntax show bridge-vlan-group [group-id]

Mode All

show bw-list
Description Show black/white list information.

Syntax show bw-list [name [detail | ipaddr]]

Parameter Description
name Name of a black/white list.
detail Displays the IP addresses contained in a black/white list.
ipaddr IP address within the black/white list.

Default N/A

Mode Config

Example The following command shows all the black/white lists on an ACOS device:

ACOS#show bw-list
Name Url Size(Byte) Date
----------------------------------------------------------------------------
bw1 tftp://192.168.1.143/bwl.txt 106 Jan/22 12:48:01
bw2 tftp://192.168.1.143/bw2.txt 211 Jan/23 10:02:44

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 258

A10 Thunder Series and AX Series—Command Line Interface

bw3 tftp://192.168.1.143/bw3.txt 192 Feb/11 08:02:01

bw4 Local 82 Dec/12 21:01:05
Total: 4

Example The following command shows the IP addresses in black/white list “test”:

ACOS#show bw-list test detail

Name: test
URL: tftp://192.168.20.143/bwl_test.txt
Size: 226 bytes
Date: May/11 12:04:00
Update period: 120 seconds
Update times: 2

Content
------------------------------------------------------------------------------
1.1.1.0 #13
1.1.1.1 #13
1.1.1.2 #13
1.1.1.3 #13
1.1.1.4 #13
9.9.99.9 9
1.2.3.4/32 31
4.3.2.1/24 4
10.1.2.1/32 1
10.1.2.2/32 2
10.1.2.3/32 3
10.1.2.4/32 4
10.3.2.1/32 3
10.3.2.2/32 4
10.5.2.1/32 5
10.5.2.2/32 6
128.0.0.0/1 11

page 259 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

show class-list
Description Display information for class lists.

Syntax show class-list [name [ipaddr]]

Replace name with the class list name or ipaddr with an IP address in the class list. If neither
option is specified, the list of configured class lists is displayed instead.

Mode All

Usage For Aho-Corasick (AC) class lists, enter the write memory command immediately before
entering show class-list.

Example The following command displays the class-list files on the ACOS device device:

ACOS#show class-list
Name IP Subnet Location
test 4 3 file
user-limit 14 4 config
Total: 2

The following table describes the fields in the command output.

Field Description
Name Name of the class list.
IP Number of host IP addresses in the class list.
Subnet Number of subnets in the class list.
Location Indicates whether the class list is in the startup-config or in a stand-
alone file:
• config – Class list is located in the startup-config.
• file – Class list is located in a standalone file.
Total Total number of class lists on the ACOS device device.

The following command shows details for a class list:

ACOS#show class-list test

Name: test
Total single IP: 4
Total IP subnet: 3
Content:
1.1.1.1 /32 glid 1
2.2.2.2 /32 glid 2
10.1.2.1 /32 lid 1
10.1.2.2 /32 lid 2
20.1.1.0 /24 lid 1

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 260

A10 Thunder Series and AX Series—Command Line Interface

20.1.2.0 /24 lid 2

0.0.0.0 /0 lid 31

The following commands show the closest matching entries for specific IP addresses in
class list “test”:

AOCS#show class-list test 1.1.1.1

1.1.1.1 /32 glid 1
ACOS#show class-list test 1.1.1.2
0.0.0.0 /0 lid 31

The class list contains an entry for 1.1.1.1, so that entry is shown. However, since the class list
does not contain an entry for 1.1.1.2 but does contain a wildcard entry (0.0.0.0), the wildcard
entry is shown.

show clns
Description Show Connectionless Network Service (CLNS) information.

Syntax show clns [tag] [is-neighbors |

neighbors] [
ethernet num |
lif num |
loopback num |
management |
trunk num |
tunnel num |
ve num
]
[detail]]

Parameter Description
is-neighbors Displays IS neighbor adjacencies.
neighbors Displays CLNS neighbor adjacencies.
ethernet num Display adjacency information for the specified ethernet interface.
lif num Display adjacency information for the specified logical interface.
loopback num Display adjacency information for the specified loopback interface.
management Display adjacency information for the management interface.
trunk num Display adjacency information for the specified trunk.
tunnel num Display adjacency information for the specified tunnel.
ve num Display adjacency information for the specified virtual interface.
detail Displays detailed information.

Mode All

Example The show clns neighbors command displays IS-IS helper information when ACOS is
in helper mode for a particular IS-IS neighbor. Here is an example:

page 261 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

ACOS#show clns neighbors

Area ax1:
System Id Interface SNPA State Holdtime Type Protocol
0000.0000.0004 ethernet 10 78fe.3d32.880a * Up 99 L2 M-ISIS

The asterisk (*) character in the output indicates that IS-IS is in helper mode for the neighbor.

show clock
Description Display the time, timezone, and date.

Syntax show clock [detail]

Parameter Description
detail Shows the clock source, which can be one of the following:
• Time source is NTP
• Time source is hardware calendar

Mode All

Example The following command shows clock information for an ACOS device:

ACOS#show clock detail

20:27:16 Europe/Dublin Sat Apr 28 2007
Time source is NTP

Example If a dot appears in front of the time, the ACOS device has been configured to use NTP but
NTP is not synchronized. The clock was in sync, but has since lost contact with all
configured NTP servers.

ACOS#show clock
.20:27:16 Europe/Dublin Sat Apr 28 2007

Example If an asterisk appears in front of the time, the clock is not in sync or has never been set.

ACOS#show clock
*20:27:16 Europe/Dublin Sat Apr 28 2007

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 262

A10 Thunder Series and AX Series—Command Line Interface

show config
Description This command displays the entire running configuration

Syntax show config

Default N/A

Mode Global

Usage Use this command to display the entire running configuration for the ACOS device, or
for the particular partition which you are viewing.

Related Commands show running-config

show config-block
Description This command displays the current configurations being made in either block-merge or
block-replace mode.

Syntax show config-block

Default N/A

Mode Block-merge or Block-replace configuration mode

Usage Use this command to display the uncommitted configurations you have made in either
block-merge or block-replace mode. These commands are not a part of the running
configu- ration, but they will be implemented upon ending block-merge or block-replace
mode.

show context
Description View the configuration for the sub-module in which the command is run.

For example, if you are configuring a virtual port under a virtual server, the show
context command displays only the portion of the configuration within the context of
the virtual port configuration; see the examples below.

Unlike other show commands, the show context command is only available in Global
configuration mode, or any additional sub-mode. For example, if you are configuring a port
under an SLB server, this command shows only the configuration related to the port.

Syntax show context

Mode Global configuration mode or further sub-modes

Example The following example shows the portion of the configuration related to BGP AS 1:

ACOS(config)#router bgp 1
ACOS(config-bgp:1)#show context

page 263 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

!Section configuration: 216 bytes

!
router bgp 1
network 2.2.2.2/32
neighbor a peer-group
neighbor 3.3.3.3 remote-as 1
address-family ipv6
bgp dampening 3 3 3 3
neighbor a activate
neighbor a capability orf prefix-list send

Example The following example first shows the portion of the running-config related to server s1,
then only the portion related to port 80:

ACOS(config-bgp:1-ipv6)#slb server s1
ACOS(config-real server)#show context
!Section configuration: 104 bytes
!
slb server s1 1.1.1.1
port 80 tcp
weight 2
conn-limit 2
conn-resume 1
port 81 tcp
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#show context
!Section configuration: 64 bytes
!
port 80 tcp
weight 2
conn-limit 2
conn-resume 1

show core
Description Display core dump statistics.

Syntax show core [process]

The process parameter shows core dump statistics for processes on the ACOS
device. Without this option, system core dump statistics are shown instead.

Mode Privileged EXEC level and configuration levels

Example The following command shows system core dump statistics:

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 264

A10 Thunder Series and AX Series—Command Line Interface

ACOS#show core
The LB process has reloaded 1 time.
The LB process has crashed 0 time.
The LB process has been up for 2755 seconds.

show cpu
Description Display CPU statistics.

Syntax show cpu

[history [seconds | minutes | hours | control-cpu | data-cpu]]
[interval seconds]
[overall]

Parameter Description
history Show control CPU and data CPU usage information.
seconds Show CPU usage information in last 60 seconds.
minutes Show CPU usage information in last hour.
hours Show CPU usage information in last 72 hours.
control-cpu Show Control CPU usage information.
data-cpu Show Data CPU usage information.
interval Automatically refreshes the output at the specified interval. If you
seconds omit this option, the output is shown one time. If you use this option,
the output is repeatedly refreshed at the specified interval until you
press ctrl+c.

Mode Privileged EXEC level and configuration levels

If you enter the show cpu command from within an L3V partition, the command shows
utilization for only that partition.

Example The following command shows CPU statistics in 10-second intervals:

ACOS# show cpu interval 10

Cpu Usage: (press ^C to quit)
1Sec 5Sec 10Sec 30Sec 60Sec
--------------------------------------------------------
Time: 23:42:10 GMT Tue Dec 8 2015
Control1 5% 4% 6% 5% 4%
Data1 0% 0% 0% 0% 0%
Data2 0% 0% 0% 0% 0%
Data3 0% 0% 0% 0% 0%
Data4 0% 0% 0% 0% 0%
Data5 0% 0% 0% 0% 0%
I/O1 100% 100% 100% 100% 100%

page 265 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

I/O2 100% 100% 100% 100% 100%

Time: 23:42:20 GMT Tue Dec 8 2015
Control1 4% 3% 3% 4% 4%
Data1 0% 0% 0% 0% 0%
Data2 0% 0% 0% 0% 0%
Data3 0% 0% 0% 0% 0%
Data4 0% 0% 0% 0% 0%
Data5 0% 0% 0% 0% 0%
I/O1 100% 100% 100% 100% 100%
I/O2 100% 100% 100% 100% 100%
...
<ctrl+c>

ACOS#

The following table describes the fields in the command output.

Field Description
Time System time when the statistics were gathered.
Controln Control CPU.
Datan Data CPU. The number of data CPUs depends on the ACOS model.
I/On IO CPU usage.
I/O fields are displayed on non-FTA platforms only.
1Sec-60sec Time intervals at which statistics are collected.

Example The following command output displays CPU utilization rates plotted over the last 60 sec-
onds. The x-axis represents the time elapsed and the y-axis represents the CPU utilization
rate. Asterisks appear along the bottom of the output to illustrate the CPU utilization rates
over time. The figure below only shows the usage for the Control CPU. The usage for the
Control CPU and Data CPU are displayed in separate figures. The CLI command prints 1
aster- isk for every 10 percent utilization. This means no asterisk will be printed if the CPU
usage is from 0-4; one asterisk will be printed if the CPU usage is 5-14; two asterisks will be
printed if the CPU usage is 15-24; and so on.

ACOS(config)#show cpu history seconds

Time: 12:27:35 IST Tue Sep 30 2014

533743333333244342332253334382533636436465444746756446654678
100
90
80
70
60
50

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 266

A10 Thunder Series and AX Series—Command Line Interface

40
30
20
10* * * * * * * * ** * **** *** ***
0....0....1....1....2....2....3....3....4....4....5....5....
5 0 5 0 5 0 5 0 5 0 5
Control CPU1: CPU% per second (last 60 seconds)

100
90
80
70
60
50
40
30
20
10
0....0....1....1....2....2....3....3....4....4....5....5....
5 0 5 0 5 0 5 0 5 0 5
Data CPU1: CPU% per second (last 60 seconds)

show debug
Description This command applies to debug output. It is recommended to use the AXdebug subsystem
commands instead of the debug commands. See the following:
• “AX Debug Commands” on page 365
• “show axdebug file” on page 250
• “show axdebug filter” on page 251
• “show axdebug status” on page 251

show disk
Description Display status information for the ACOS device hard disks.

Syntax show disk

Mode Privileged EXEC level and configuration levels

Example The following command shows hard disk information for an A10 Thunder Series 4430 device:

page 267 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

NOTE: The output on your device may differ slightly from the one shown below.

ACOS#show disk
Total(MB) Used Free Usage
-----------------------------------------
95393 11301 84091 11.8%

Device Primary Disk Secondary Disk

----------------------------------------------
md0 Active
md1 Active

The following table describes the fields in the command output.

Field Description
Total(MB) Total amount of data the hard disk can hold.
NOTE: The hard disk statistics apply to a single disk. This is true
even if your ACOS device contains two disks. In systems with two
disks, the second disk is a hot standby for the primary disk and is
not counted separately in the statistics.
Used Number of MB used.
Free Number of MB free.
Usage Percentage of the disk that is in use.
Device Virtual partition on the disk:
• md0 – The boot partition
• md1 – The A10 data partition
Primary Disk Status of the left hard disk in the redundant pair:
• Active – The disk is operating normally.
• Inactive – The disk has failed and must be replaced. Contact
tech- nical support.
• Synchronizing – The disk has just been installed and is
synchroniz- ing itself with the other disk.
Secondary Disk Status of the right hard disk in the redundant pair.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 268

A10 Thunder Series and AX Series—Command Line Interface

show dns cache

Description Display DNS caching information.

Syntax show dns cache {client | entry | statistics}

Parameter Description
client DNS client statistics.
entry DNS cache entries.
statistics DNS caching statistics.

Mode All

Example The following command shows DNS caching statistics:

ACOS#show dns cache statistics

Total allocated: 0
Total freed: 0
Total query: 0
Total server response:
0 Total cache hit: 0
Query not passed: 0
Response not passed: 0
Query exceed cache size: 0
Response exceed cache size: 0
Response answer not passed: 0
Query encoded: 0
Response encoded: 0
Query with multiple questions: 0
Response with multiple questions: 0
Response with multiple answers: 0
Response with short TTL: 0
Total aged out: 0
Total aged for lower weight: 0
Total stats log sent: 0
******The following counters are global to system and not per parti-
tion*****
Current allocate: 0
Current data allocate: 0

The following table describes the fields in the command output.

Field Description
Total Allocated Total memory allocated for cached entries.
Total Freed Total memory freed.

page 269 | Document No.: 410-P2-CLI-001 - 6/17/2016


Field
Total Query
Total Server Response
Total Cache Hit
Query Not Passed
Response Not Passed
Query Exceed Cache Size
Response Exceed Cache Size
Response Answer Not Passed
Query Encoded
Response Encoded
Query With Multiple Questions
Response With Multiple Questions Number of responses that were not cached because they contained
Response With Multiple Answers
Response with Short TTL
Total Aged Out
Total Aged for Lower Weight
Total Stats Log Sent
Current Allocate
Current Data Allocate
A10 Thunder Series and AX Series—Command Line Interface
Description
Total number of DNS queries received by the ACOS device.
Total number of responses form DNS servers received by the ACOS device.
Total number of times the ACOS device was able to use a cached reply in
response to a query.
Number of queries that did not pass a packet sanity check.
Number of responses that did not pass a packet sanity check. The ACOS device
checks the DNS header and question in the packet, but does not parse the entire
packet.
Number of queries that were not cached because they had a payload greater than
the maximum size of 512 bytes.
Number of responses that were not cached because they had a payload greater
than the maximum size of 512 bytes.
Number of responses that were not cached because they were malformed DNS
responses.
Number of queries that were not cached because the domain name in the
ques- tion was encoded in the DNS query packet.
Number of queries that were not cached because the domain name in the
ques- tion was encoded in the DNS response packet.
Number of queries that were not cached because they contained multiple ques-
tions.
answers for multiple questions.
Number of responses that were not cached because they contained more than
one answer.
Number of responses that had a short time to live (TTL).
Total number of DNS cache entries that have aged out of the cache.
Number of cache entries aged out due to their weight value.
Total number of logs sent.
Current memory allocation.
Current data allocation.
Document No.: 410-P2-CLI-001 - 6/17/2016 | page 270
A10 Thunder Series and AX Series—Command Line Interface

show dns statistics

Description Show DNS statistics.

Syntax show dns {cache {client | entry | statistics} | statistics}

Parameter Description
cache client Show DNS client statistics.
cache entry Show DNC cache entry.
cache statistics Show DNS cache statistics
statistics Show DNS packet statistics.

Mode Privileged EXEC level and configuration levels

Usage This command lists statistics values only if the configuration contains a virtual port that
is bound to a UDP template.

Example The following command displays DNS statistics:

ACOS#show dns statistics

DNS statistics for SLB:
-----------------------
No. of requests: 510
No. of responses: 508
No. of request retransmits: 0
No. of requests with no response: 2
No. of resource failures: 0
DNS statistics for IP NAT:
--------------------------
No. of requests: 0
No. of responses: 0
No. of request retransmits: 0
No. of requests reusing a transaction id: 0
No. of requests with no response: 0
No. of resource failures: 0
show dnssec
Description Show DNS Security Extensions (DNSSEC) information. (See “DNSSEC Show Commands” on
page 221.)

page 271 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

show dumpthread
Description Show status information about the system threads.

Syntax show dumpthread

Mode Privileged EXEC level and configuration levels

Example Example output for this command:

ACOS#show dumpthread
It has been rebooted 1 time.
It has been crashed 0 time.
The process is up 101102 sec.

show environment
Description Display temperature, fan, and power supply status.

Syntax show environment

Mode All

Example The following command shows environment information for an A10 Thunder Series
3030S device:

NOTE: The output on your device may vary from the one shown below.

ACOS#show environment
Updated information every 30 Seconds
Physical System temperature: 40C / 104F :
OK-low/med Fan1A : OK-med/high Fan1B : OK-low/med
Fan2A : OK-med/high Fan2B : OK-low/med
Fan3A : OK-med/high Fan3B : OK-low/med
Fan4A : OK-med/high Fan4B : OK-low/med
System Voltage 12V : OK
System Voltage 5V : OK
System Voltage AVCC 3.3V : OK
System Voltage CC(3.3V) : OK
System Voltage VCore(0.9v) : OK
System Voltage VBAT 3.3V : OK
System Voltage PCH 1.05V : OK
System Voltage CPU0 VCore : OK
System Voltage VTT 1.05V : OK
System Voltage DDR 1.5V : OK
Right Power Unit(view from front) State: Off
Left Power Unit(view from front) State: On

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 272

A10 Thunder Series and AX Series—Command Line Interface

Power Supply temperature: 36C / 96F

show errors
Description Show error information for the system. This command provides a way to quickly view
system status and error statistics.

Syntax show errors [sub-options]

Parameter Description
sub-options Displays error information for ACOS applications. For a list of sub-
options, enter the following command:
show errors ?

show event-action
Description View the events generated for L3V partition creation or deletion as configured by the.event
command.

Syntax show event-action partition {partition-create | partition-delete}

Parameter Description
partition-create View partition creation events.
partition-delete View partition deletion events.

Mode All

Example This example shows the output of this command:

ACOS(config)#show event-action vnp part-create

Event VNP part-create action configuration: logging off, email off

Related Commands event

page 273 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

show fail-safe
Description Display fail-safe information.

Syntax show fail-safe {config | information}

Parameter Description
config Displays the fail-safe configuration entered by you or other admins.
information Displays fail-safe settings and statistics. The output differs
between models that use FPGAs in hardware and models that do
not. (See “Example” below.)

Mode All

Example The following commands configure some fail-safe settings and verify the changes.

ACOS(config)#fail-safe session-mem-recovery-threshold 30
ACOS(config)#fail-safe fpga-buff-recovery-threshold 2
ACOS(config)#fail-safe sw-error-recovery-timeout 3
ACOS(config)#show fail-safe config
fail-safe hw-error-monitor-enable
fail-safe session-memory-recovery-threshold 30
fail-safe fpga-buff-recovery-threshold 2
fail-safe sw-error-recovery-timeout 3

Example The following command shows fail-safe settings and statistics on an ACOS device that uses
FPGAs in hardware:

ACOS(config)#show fail-safe information

Total Session Memory (2M blocks): 1012
Free Session Memory (2M blocks): 1010
Session Memory Recovery Threshold (2M blocks): 809
Total Configured FPGA Buffers (# of buffers): 4194304
Free FPGA Buffers in Domain 1 (# of buffers): 507787
Free FPGA Buffers in Domain 2 (# of buffers): 508078
Total Free FPGA Buffers (# of buffers): 1015865
FPGA Buffer Recovery Threshold (# of buffers): 256
Total System Memory (Bytes): 2020413440

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 274

A10 Thunder Series and AX Series—Command Line Interface
Field
Total Session Memory
Free Session Memory
Session Memory Recovery Threshold Minimum percentage of session memory that must be free before fail-safe
Total Configured FPGA Buffers
Free FPGA Buffers in Domain 1
Free FPGA Buffers in Domain 2
Total Free FPGA Buffers
FPGA Buffer Recovery Threshold
Total System Memory
Example
Field
Total Session Memory
Free Session Memory
Session Memory Recovery Threshold
Total Configured FPGA Buffers
Free FPGA Buffers
page 275 | Document No.: 410-P2-CLI-001 - 6/17/2016
The following table describes the fields in the command output.
Description
Total amount of the ACOS device’s memory that is allocated for session process-
ing.
Amount of the ACOS device’s session memory that is free for new sessions.
occurs.
Total number of configured FPGA buffers the ACOS device has. These buffers
are allocated when the ACOS device is booted. This number does not change
during system operation.
The FPGA device is logically divided into 2 domains, which each have their
own buffers. The next two counters are for these logical FPGA domains.
Number of FPGA buffers in Domain 1 that are currently free for new data.
Number of FPGA buffers in Domain 2 that are currently free for new data.
Total number of free FPGA buffers in both FPGA domains.
Minimum number of packet buffers that must be free before fail-safe occurs.
Total size the ACOS device’s system memory.
The following command shows fail-safe settings and statistics on an ACOS device that does
not use FPGAs in hardware. (The FPGA buffer is an I/O buffer instead.)
ACOS(config)#show fail-safe information
Total Session Memory (2M blocks): 1018
Free Session Memory (2M blocks): 1017
Session Memory Recovery Threshold (2M blocks): 305
Total Configured FPGA Buffers (# of buffers): 2097152
Free FPGA Buffers (# of buffers): 2008322
FPGA Buffer Recovery Threshold (# of buffers): 1280
Total System Memory (Bytes): 4205674496
The following table describes the fields in the command output.
Description
Total amount of the ACOS device’s memory that is allocated for session process-
ing.
Amount of the ACOS device’s session memory that is free for new sessions.
Minimum percentage of session memory that must be free before fail-safe
occurs.
Total number of configured FPGA buffers the ACOS device has. These buffers
are allocated when the ACOS device is booted. This number does not change
during system operation.
Number of FPGA that are free for new data.
 A10 Thunder Series and AX Series—Command Line Interface

Field Description
FPGA Buffer Recovery Threshold Minimum number of packet buffers that must be free before fail-safe occurs.
Total System Memory Total size the ACOS device’s system memory.

show glid
Description Show information for global IP limiting rules.

Syntax show glid [num]

Parameter Description
num View configuration information for the specified GLID only.

Mode All

Example The following command the configuration of each global IP limiting rule:

ACOS#show glid
glid 1
conn-limit 100
conn-rate-limit 100 per 10
request-limit 1
request-rate-limit 10 per 10
over-limit-action reset log 1
glid 2
conn-limit 20000
conn-rate-limit 2000 per 10
request-limit 200
request-rate-limit 200 per 1
over-limit-action reset log 3
glid 30
conn-limit 10000
conn-rate-limit 1000 per 1
over-limit-action forward log

Example The following command shows the configuration of global IP limiting rule 1:

ACOS#show glid 1
glid 1
conn-limit 100
conn-rate-limit 100 per 10
request-limit 1

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 276

A10 Thunder Series and AX Series—Command Line Interface

request-rate-limit 10 per 10
over-limit-action reset log 1

show gslb

Description See the Global Server Load Balancing Guide.

show hardware
Description Displays hardware information for the ACOS device.

Syntax show hardware

Default All

Example Below is a sample output for this command, the output you see may differ depending on
your specific platform.

ACOS# show hardware

Thunder Series Unified Application Service Gateway
TH3030S Serial No : TH30A83313480003
CPU : Intel(R) Xeon(R) CPU
8 cores
9 stepping
Storage : Single 74G drive
Memory : Total System Memory 16381 Mbyte, Free Memory 8102
Mbyte SSL Cards : 1 device(s) present
1 Nitrox III each with 32
cores L2/3 ASIC : 0 device(s) present
IPMI : Not Present
Ports : 12
Flags : No CF
SMBIOS : Build Version: 4.6.5
Release Date: 07/10/2014

page 277 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

show health
Description Show status information for health monitors.

Syntax show health

{
database |
external [name] |
gateway |
monitor [name] |
postfile [name] |
stat
[all-partitions | partition {shared | name}]
}

Parameter Description
database Show the database health check log.
external [name] Shows configuration settings for the specified external health monitoring program.
gateway Shows configuration settings and statistics for gateway health monitoring.
monitor [name] Shows configuration settings and status for the specified health monitor.
postfile [name] Shows the files used for POST requests in HTTP/HTTPS health checks.
stat Shows health monitoring statistics. The statistics apply to all health monitoring activity on the
ACOS device.

Mode All

Usage To display health monitor information for a specific partition only, use the partition name
option.

Example The following command shows configuration settings and status for health monitor “ping”:

ACOS#show health monitor

ping Monitor Name: ping
Interval: 30
Max Retry: 3
Timeout: 5
Status: In use
Method: ICMP

The output shows the method used for the monitor, and the settings for each of the
parameters that are configurable for that method.

Example The following command shows the configuration settings of external health monitoring
pro- gram “http.tcl”:

ACOS#show health external http.tcl

External Program Description
http.tcl check http method
!!! Content Begin !!!

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 278

A10 Thunder Series and AX Series—Command Line Interface

set ax_env(Result) 1

# Open a socket
if {[catch {socket $ax_env(ServerHost) $ax_env(ServerPort)} sock]}
{ puts stderr "$ax_env(ServerHost): $sock"
} else {
fconfigure $sock -buffering none -eofchar {}

# Send the request

puts $sock "GET / HTTP/1.0\n"

# Wait for the response from http server

set line [read $sock]

if { [ regexp "HTTP/1.. (\[0-9\]+) " $line match status] } {

puts "server $ax_env(ServerHost) response : $status"
}
close $sock

# Check exit code

if { $status == 200 }
{ set ax_env(Result) 0
}
}
!!! Content End !!!

Example The following command shows health monitoring statistics:

ACOS#show health stat

Health monitor statistics
Total run time: : 2 hours 1345 seconds
Number of burst: : 0
max scan jiffie: : 326
min scan jiffie: : 1
average scan jiffie: : 1
Opened socket: : 1140
Open socket failed: : 0
Close socket: : 1136
Send packet: : 0
Send packet failed: : 259379
Receive packet: : 0
Receive packet failed : 0
Retry times: : 4270
Timeout: : 0

page 279 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Unexpected error: : 0
Conn Immediate Success: : 0
Socket closed before l7: : 0
Socket closed without fd notify: : 0
Configured health-check rate (/500ms) : Auto configured
Current health-check rate (/500ms): : 1600
External health-check max rate(/200ms) : 2
Total number: : 8009
Status UP: : 8009
Status DOWN: : 0
Status UNKN: : 0
Status OTHER: : 0

IP address Port Health monitor Status Cause(Up/Down) Retry PIN

--------------------------------------------------------------------------------
10.0.0.11 80 http UP 11 /0 @0 0 0 /0 0
10.0.0.12 80 http UP 10 /0 @0 0 0 /0 0

The following table describes the fields in the command output.

Field Description
Total run time Time elapsed since the health monitoring process started.
Number of burst Number of times the system detected that a health check would leave the ACOS
device as a traffic burst, and remedied the situation.
max scan jiffie These are internal counters used by technical support for debugging purposes.
min scan jiffie
average scan jiffie
Opened socket Number of sockets opened.
Open socket failed Number of failed attempts to open a socket.
Close socket Number of sockets closed.
Send packet Number of health check packets sent to the target of the health monitor.
Send packet failed Number of sent health check packets that failed. (This is the number of times a tar-
get server or service failed its health check.)
Receive packet Number of packets received from the target in reply to health checks.
Receive packet failed Number of failed receive attempts.
Retry times Number of times a health check was resent because the target did not reply.
Timeout Number of times a response was not received before the health check timed out.
Unexpected error Number of unexpected errors that occurred.
Conn Immediate Success These are internal counters used by technical support for debugging purposes.
Socket closed before l7
Socket closed without fd notify

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 280

A10 Thunder Series and AX Series—Command Line Interface

Field Description
Configured health-check rate If auto-adjust is enabled, shows “Auto configured”.
If auto-adjust is disabled, shows the manually configured threshold.
Current health-check rate If auto-adjust is enabled, shows the total number of health monitors divided by the
global health-check timeout:
total-monitors / global-timeout
If auto-adjust is disabled, shows the manually configured threshold.
External health-check max rate The external health-check probe rate.
Total number Total number of health checks performed.
Status UP Number of health checks that resulted in status UP.
Status DOWN Number of health checks that resulted in status DOWN.
Status UNKN Number of health checks that resulted in status UNKN.
Status OTHER Number of health checks that resulted in status OTHER.
IP address IP address of the real server.
Port Protocol port on the server.
Health monitor Name of the health monitor.
If the name is “default”, the default health monitor settings for the protocol port type
are being used. (See “health-check” in the Command Line Interface Reference for
ADC for Layer 3 health checks or “port” in the Command Line Interface Reference
for ADC for Layer 4-7 health checks.)
Status Indicates whether the service passed the most recent health check.
Cause (Up/Down) Up and Down show internal codes for the reasons the health check reported the
server or service to be up or down. (See “Up and Down Causes for the show health
stat Command” on page 375.)
Retry Number of retries.
PIN Indicates the following:
• Current number of retries – Displayed to the left of the slash ( / ). The
number of times the most recent health check was retried before a response
was received or the maximum number of retries was used.
• Current successful up-retries – Displayed to the right of the slash ( / ). Number
of successful health check replies received for the current health check. This
field is applicable if the up-retry option is configured for the health check.
(See “health monitor” on page 128.)

page 281 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

show history
Description Show the CLI command history for the current session.

Syntax show history

Mode Privileged EXEC level and configuration levels

Usage Commands are listed starting with the oldest command, which appears at the top of the list.

Example The following example shows a history of CLI commands (truncated for brevity):

ACOS#show history
enable
show version
show access-list
show admin
show admin admin
show admin detail
show admin session
...

show hsm
Description See “Config Commands: DNSSEC” on page 217.

show icmp
Description Show ICMP rate limiting configuration settings and statistics.

Syntax show icmp [stats]

Use the stats option to view detailed statistics.

Mode All

Example The following command shows ICMP rate limiting settings, and the number of ICMP
packets dropped because the threshold has been exceeded:

ACOS(config)#show icmp
Global rate limit: 5
Global lockup rate limit: 10
Lockup period: 20
Current global rate: 0
Global rate limit drops: 0
Interfaces rate limit drops: 0
Virtual server rate limit drops: 0

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 282

A10 Thunder Series and AX Series—Command Line Interface

Total rate limit drops: 0

show icmpv6
Description Show ICMPv6 rate limiting configuration settings and statistics.

Syntax show icmpv6 [stats]

Use the stats option to view detailed statistics.

Mode All

show interfaces
Description Display interface configuration and status information.

Syntax show interfaces

[brief] |
[ethernet [num]] |
[ve [num]] |
[lif num] |
[loopback num] |
[management] |
[trunk [num] |
[tunnel num]] |
[media] |
[statistics] |
[transceiver]

Mode Privileged EXEC level and configuration levels

Usage If no specific interface type and number are specified, statistics for all configured
interfaces are displayed. See the examples below.
• For information about the brief option, see “show interfaces brief” on page 285.
• For information about the media option, see “show interfaces media” on page 286.
• For information about the statistics options, see “show interfaces statistics”
on page 287.
• For information about the transceiver option, see “show interfaces transceiver”
on page 287.

Example The following example shows information for Ethernet port 1:

ACOS#show interfaces ethernet 1

Ethernet 1 is up, line protocol is up
Hardware is GigabitEthernet, Address is 0090.0b0a.a596
Internet address is 10.10.10.241, Subnet mask is 255.255.255.0
Internet address is 10.10.10.242, Subnet mask is 255.255.255.0
Internet address is 10.10.10.243, Subnet mask is 255.255.255.0
Internet address is 10.10.10.244, Subnet mask is 255.255.255.0
Internet address is 10.10.11.244, Subnet mask is 255.255.255.0

page 283 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Configured Speed auto, Actual 1Gbit, Configured Duplex auto, Actual fdx
Member of L2 Vlan 1, Port is Untagged
Flow Control is enabled, IP MTU is 1500 bytes
Port as Mirror disabled, Monitoring this Port disabled
0 packets input, 0 bytes
Received 0 broadcasts, Received 0 multicasts, Received 0 unicasts
0 input errors, 0 CRC 0 frame
0 runts 0 giants
0 packets output 0 bytes
Transmitted 0 broadcasts 0 multicasts 0 unicasts
0 output errors 0 collisions
300 second input rate: 158073232 bits/sec, 154368 packets/sec, 15% utilization
300 second output rate: 35704 bits/sec, 5 packets/sec, 0% utilization

Example The following example shows information for loopback interface 8:

ACOS#show interfaces loopback 8

Loopback 8 is up, line protocol is up
Hardware is Loopback
Internet address is 10.10.10.55, Subnet mask is 255.255.255.0

Example The following example shows Virtual Ethernet (VE) interface statistics:

ACOS#show interface ve 10
VirtualEthernet 10 is up, line protocol is up
Hardware is VirtualEthernet, Address is 001f.a004.c0e2
Internet address is 110.10.10.1, Subnet mask is 255.255.255.0
IPv6 address is 2001:10::241 Prefix 64 Type: unicast
IPv6 link-local address is fe80::21f:a0ff:fe04:c0e2 Prefix 64 Type: unicast
Router Interface for L2 Vlan 10
IP MTU is 1500 bytes
28 packets input 2024 bytes
Received 0 broadcasts, Received 24 multicasts, Received 4 unicasts
10 packets output 692 bytes
Transmitted 8 broadcasts, Transmitted 2 multicasts, Transmitted 0 unicasts
300 second input rate: 48 bits/sec, 0 packets/sec
300 second output rate: 16 bits/sec, 0 packets/sec

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 284

A10 Thunder Series and AX Series—Command Line Interface

show interfaces brief

Description View brief interface information.

Syntax show interfaces brief [ipv6]

Mode Privileged EXEC level and configuration levels

Example Below is example output from the show interfaces brief command:

Port Link Dupl Speed Trunk Vlan MAC IP Address IPs Name
------------------------------------------------------------------------------------
mgmt Up Full 1000 N/A N/A 001f.a007.5930 10.6.10.56/24 1
1 Disb None None 2 1 001f.a007.5932 0.0.0.0/0 0 HA_TRUNK
2 Disb None None 2 1 001f.a007.5933 0.0.0.0/0 0
3 Disb None None None 1 001f.a007.5934 0.0.0.0/0 0
4 Disb None None None 1 001f.a007.5935 0.0.0.0/0 0
5 Up Full 10000 1 Tag 001f.a007.5936 0.0.0.0/0 0
6 Up Full 10000 1 Tag 001f.a007.5937 0.0.0.0/0 0
7 Up Full 10000 1 Tag 001f.a007.5938 0.0.0.0/0 0
8 Down None None 1 Tag 001f.a007.5939 0.0.0.0/0 0
9 Down None None None 1 001f.a007.593a 202.20.202.20/24 1
10 Down None None None 1 001f.a007.593b 20.20.20.20/24 1
11 Disb None None None 1 001f.a007.593c 0.0.0.0/0 0
12 Disb None None None 1 001f.a007.593d 0.0.0.0/0 0
13 Down None None 3 Tag 001f.a007.593e 0.0.0.0/0 0
14 Down None None 3 Tag 001f.a007.593f 0.0.0.0/0 0
15 Down None None None Tag 001f.a007.5940 0.0.0.0/0 0
16 Down None None None 1 001f.a007.5941 16.16.16.56/24 1
ve2 Up N/A N/A N/A 2 001f.a007.5932 1.2.2.252/24 1 conn-to-router
ve10 Down N/A N/A N/A 10 001f.a007.5933 192.168.111.1/24 1 VRRP-a_Int
ve71 Up N/A N/A N/A 71 001f.a007.5934 172.16.71.252/24 1 Cav-80-eth0.71

page 285 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

show interfaces media

Description Display information about 1-Gbps and 10-Gbps small form-factor pluggable (SFP+)
inter- faces.

Syntax show interfaces media [ethernet num]

Parameter Description
num Show information for the specified interface only.

Mode Privileged EXEC level and configuration levels

Usage On Virtual Chassis System (VCS), this command provides device-specific media information.

NOTE: This command does not show information on media installed in ports that belong
to an L3V partition.

On platforms that do not have a 1 Gigabit Ethernet port installed, on FTA

platforms, or on a virtual appliance model, the following message is displayed
when you issue the show interfaces media command:

No SPF/SPF+ ports found in this model.

Example The following example sample output for this command. The example displays output on
ports with an installed 1 Gigabit SFP and a 10 Gigabit SFP+ module. When an SFP is
not installed, or if the port has not been enabled, an error message appears in the
output, as shown below:

ACOS-Active#show interface media

port 10:
Type: SFP 1000BASE-SX
Vendor: JDS UNIPHASE
Part#: JSH-21S3AB3 Serial#:F549470401B0

port 11:
No media detected.

port 18:
Type: SFP+ 10G Base-SR
Vendor: FINISAR CORP.
Part#: FTLX8571D3BCL Serial#:UG505PM

port 19:
No media detected.

port 20:
Cannot retrieve media information when port is disabled.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 286

A10 Thunder Series and AX Series—Command Line Interface

In this example, the SFP+ interface for port 18 is installed and its link is up. The other 10-
Gbps interfaces either are down or do not have an SFP+ installed.

Example The following example shows the CLI response if you enter show interfaces
media on an ACOS device that does not support SFP+ interfaces:

ACOS#show interfaces media

No 10G fiber port installed.

show interfaces statistics

Description Display interface statistics.

Syntax show interfaces statistics

[ethernet portnum [ethernet portnum ...]][lif ifnum [lif ifnum
...]] [{in-pps | in-bps | out-pps | out-bps}] [interval seconds]

Parameter Description
ethernet Ethernet data interface numbers for which to display statistics. If you
portnum omit this option, statistics are displayed for all Ethernet data interfaces
and logical tunnel interfaces.
lif ifnum Logical tunnel interface numbers for which to display statistics. If you
omit this option, statistics are displayed for all Ethernet data
interfaces and logical tunnel interfaces.
in-pps Inbound traffic, in packets per second (PPS).
in-bps Inbound traffic, in bytes per second (BPS).
out-pps Outbound traffic, in packets per second (PPS).
out-bps Incoming traffic, in bytes per second (BPS).
interval Refreshes the statistics at the specified interval, 1-32 seconds. If you
seconds do not use this option, the statistics are displayed only once.

Mode Privileged EXEC level and configuration levels

show interfaces transceiver

Description View interface transceiver information for FINISAR 40G and 100G ports.

Syntax show interfaces transceiver [ethernet num] [details]

Mode Privileged EXEC level and configuration levels

Example View information for all configured 40G and 100G ports with the show
interfaces transceiver command:

ACOS#show interfaces transceiver

Optical Optical

page 287 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Temperature Voltage Current Tx Power Rx Power

Port (Celsius) (Volts) (mA) (dBm) (dBm)
------- ----------- ------- -------- -------- --------
5 34.83 6.16 16.00 31.35 31.35
6 35.24 6.17 15.00 31.78 31.78
7 46.71 6.18 17.00 32.19 32.19
8 35.78 6.13 15.00 31.78 31.78
9 34.29 6.14 15.00 32.58 32.58
13 40.10 6.13 0.00 0.00 0.00
14 39.42 6.16 0.00 0.00 0.00

Example View detailed information for a specific 40G or 100G interface:

ACOS#show interfaces transceiver ethernet 5 details

High Alarm High Warn Low Warn Low Alarm
Temperature Threshold Threshold Threshold Threshold
Port (Celsius) (Celsius) (Celsius) (Celsius) (Celsius)
------- ----------- ---------- --------- --------- ---------
5 35.24 84.24 78.84 -8.64 -14.04

High Alarm High Warn Low Warn Low Alarm

Voltage Threshold Threshold Threshold Threshold
Port (Volts) (Volts) (Volts) (Volts) (Volts)
------- ----------- ---------- --------- --------- ---------
5 6.16 6.91 6.72 5.62 5.42

High Alarm High Warn Low Warn Low Alarm

Current Threshold Threshold Threshold Threshold
Port (mA) (mA) (mA) (mA) (mA)
------- ---------- ---------- --------- --------- ---------
5 16.00 23.00 21.00 9.00 7.00

Optical High Alarm High Warn Low Warn Low Alarm

TX Power Threshold Threshold Threshold Threshold
Port (dBm) (dBm) (dBm) (dBm) (dBm)
------- --------- ---------- --------- --------- ---------
5 31.35 34.97 32.96 24.85 23.98

Optical High Alarm High Warn Low Warn Low Alarm

RX Power Threshold Threshold Threshold Threshold

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 288

A10 Thunder Series and AX Series—Command Line Interface

Port (dBm) (dBm) (dBm) (dBm) (dBm)

------- --------- ---------- --------- --------- ---------
5 31.35 36.64 34.34 0.00 0.00

show ip
Description Show the IP mode in which the ACOS device is running, gateway or transparent mode.

Syntax show ip

Mode All

Example The following command shows that the ACOS device is running in gateway mode:

ACOS#show ip
System is running in Gateway Mode

show ip anomaly-drop statistics

Description Show drop statistics for malformed IP packets.

Syntax show ip anomaly-drop statistics

Mode All

Example Example output for this command:

IP Anomaly Drop Statistics

--------------------------
Land Attack Drop 0
Empty Fragment Drop 0
Micro Fragment Drop 0
IPv4 Options Drop 0
IP Fragment Drop 0
Bad IP Header Len Drop 0
Bad IP Flags Drop 0
Bad IP TTL Drop 0
No IP Payload drop 0
Oversize IP Payload Drop 0
Bad IP Payload Len Drop 0
Bad IP Fragment Offset Drop 0
Bad IP Checksum Drop 0
ICMP Ping of Death Drop 0
TCP Bad Urgent Offset Drop 0

page 289 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

TCP Short Header Drop 0

TCP Bad IP Length Drop 0
TCP Null Flags Drop 0
TCP Null Scan Drop 0
TCP Syn and Fin Drop 0
TCP XMAS Flags Drop 0
TCP XMAS Scan Drop 0
TCP Syn Fragment Drop 0
TCP Fragmented Header Drop 0
TCP Bad Checksum Drop 0
UDP Short Header Drop 0
UDP Bad Length Drop 0
UDP Kerberos Fragment Drop 0
UDP Port Loopback Drop 0
UDP Bad Checksum Drop 0
Runt IP Header Drop 0
Runt TCP/UDP Header Drop 0
IP-over-IP Tunnel Mismatch Drop 0
TCP Option Error Drop 0
IP-over-IP Tunnel Error Drop 0
VXLAN Tunnel Error Drop 0
GRE Tunnel Error Drop 0
GRE PPTP Error Drop 0

show ip bgp
Description Display BGP information. (See the “Config Commands: Router - BGP” chapter in the Network
Configuration Guide.)

show ip dns
Description Display system DNS information.

Syntax show ip dns

Mode All

Example The following example shows example output for this command.

ACOS#show ip dns
DNS suffix: ourcorp
Primary server: 10.10.20.25
Secondary server: 192.168.1.25

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 290

A10 Thunder Series and AX Series—Command Line Interface

show ip fib | show ipv6 fib

Description Display Forwarding Information Base (FIB) entries.

NOTE: This command is applicable only on ACOS devices that are configured in route
mode. The command returns an error if you enter it on a device configured for
transparent mode.

Syntax show {ip | ipv6} fib

Mode All

Example The following command shows the IPv4 FIB entries on an ACOS device configured in
route mode:

ACOS#show ip fib
Prefix Next Hop Interface Distance
------------------------------------------------------------------------
0.0.0.0 /0 192.168.20.1 ve10 0
192.168.20.0 /24 0.0.0.0 ve10 0
Total routes = 2

Example The following command shows IPv6 FIB entries:

ACOS(config)#show ipv6 fib

Prefix Next Hop Interface Metric Index
----------------------------------------------------------------------------
b101::/64 :: Ethernet 6 256 0
Total routes = 1

show ip fragmentation | show ipv6 fragmentation | show ipv4-in-ipv6 fragmentation |

show ipv6-in-ipv4 fragmentation
Description Show statistics for IP fragmentation.

Syntax show {ip | ipv6 | ipv4-in-ipv6 | ipv6-in-

ipv4} fragmentation statistics

Mode All

Example Example output for this command:

ACOS(config)#show ip fragmentation statistics

IP Fragmentation Statistics
---------------------------
Session Inserted 0
Session Expired 0
ICMP Received 0

page 291 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

ICMPv6 Received 0
UDP Received 0
TCP Received 0
IP-in-IP Received 0
IPv6-in-IP Received 0
Other Received 0
ICMP Dropped 0
ICMPv6 Dropped 0
UDP Dropped 0
TCP Dropped 0
IP-in-IP Dropped 0
IPv6-in-IP Dropped 0
Other Dropped 0
Overlapping Fragment Drop 0
Bad IP Length 0
Fragment Too Small Drop 0
First TCP Fragment Too Small Drop 0
First L4 Fragment Too Small Drop 0
Total Sessions Exceeded Drop 0
Out of Session Memory 0
Fragmentation Fast Aging Set 0
Fragmentation Fast Aging Unset 0
Fragment Queue Success 0
Payload Length Unaligned 0
Payload Length Out of Bounds 0
Duplicate First Fragment 0
Duplicate Last Fragment 0
Total Queued Fragments Exceeded 0
Fragment Queue Failure 0
Fragment Reassembly Success 0
Fragment Max Data Length Exceeded 0
Fragment Reassembly Failure 0
MTU Exceeded Policy Drop 0
Fragment Processing Drop 0
Too Many Packets Per Reassembly Drop 0
Session Max Packets Exceeded 0

The following table describes the fields in the command output.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 292

A10 Thunder Series and AX Series—Command Line Interface

Field Description
Session Inserted Number of times the ACOS device received a new fragment that did not match
any existing session (based on source IP, destination ID, and fragment ID).
A fragment session represents multiple fragments that should be
reassembled together into a single logical packet.
Session Expired Number of times a fragment session timed out before all the fragments for the
packet were received.
ICMP Received Number of ICMP fragments received.
ICMPv6 Received Number of ICMPv6 fragments received.
UDP Received Number of UDP fragments received.
TCP Received Number of TCP fragments received.
IP-in-IP Received Number of IP-in-IP fragments received.
IPv6-in-IP Received Number of IPv6-in-IP fragments received.
Other Received Number of other types of fragments received.
ICMP Dropped Number of ICMP fragments that were dropped. This counter and the other
“Dropped” counters below are incremented when a fragment is dropped for
any of the following reasons:
• Invalid length
• Overlap with other fragments
• Exceeded fragmentation session threshold
ICMPv6 Dropped Number of ICMPv6 fragments that were dropped.
UDP Dropped Number of UDP fragments that were dropped.
TCP Dropped Number of TCP fragments that were dropped.
IP-in-IP Dropped Number of IP-in-IP fragments that were dropped.
IPv6-in-IP Dropped Number of IPv6-in-IP fragments that were dropped.
Other Dropped Number of other types of fragments that were dropped.
Overlapping Fragment Drop Number of fragments dropped because the data in the fragment overlapped
with data in another fragment already received by the ACOS device.
Bad IP Length This counter includes both of the following:
• Number of IPv4 packets for which the total length was invalid.
• Number of IPv6 packets for which the payload length was invalid.
Fragment Too Small Drop Number of fragments in which the length of the data was too short. IP frag-
mentation requires at least 8 bytes of data in all except the last fragment.
First TCP Fragment Too Small Drop Number of fragmented TCP packets that did not contain the entire
Layer 4 header in the first fragment.
First L4 Fragment Too Small Drop Number of fragmented packets other than TCP packets that did not
contain the entire Layer 4 header in the first fragment.
Total Sessions Exceeded Drop Number of times a fragment was dropped because the maximum number of
concurrent fragment sessions were already in use.
Out of Session Memory Number of times the ACOS device ran out of memory for fragment sessions.

page 293 | Document No.: 410-P2-CLI-001 - 6/17/2016


Field
Fragmentation Fast Aging Set
Fragmentation Fast Aging Unset
Fragment Queue Success
Payload Length Unaligned
Payload Length Out of Bounds
Duplicate First Fragment
Duplicate Last Fragment
Total Queued Fragments Exceeded
Fragment Queue Failure
Fragment Reassembly Success
Fragment Max Data Length Exceeded
Fragment Reassembly Failure
MTU Exceeded Policy Drop
Fragment Processing Drop
Too Many Packets Per Reassembly
Drop
Session Max Packets Exceeded
IPv4-in-IPv6 Fragmentation Statistics
(Not shown in the example above.)
A10 Thunder Series and AX Series—Command Line Interface
Description
Number of times the ACOS device sped up aging of existing fragment
sessions in order to accommodate new sessions.
Number of times the ACOS device returned to normal aging for fragment
ses- sions.
Number of times a new fragment session was created, or a new fragment was
added to an existing session.
Number of fragments whose length did not consist of a multiple of 8 bytes.
Note: This counter does not apply to the final fragments of fragmented pack-
ets. The final fragment of a packet is not required to have a length that is a mul-
tiple of 8.
Number of times a fragmented packet’s data length exceeded what should
have been the end of the reassembled packet.
Number of times a duplicate first fragment was received for the same packet.
Number of times a duplicate last fragment was received for the same packet.
Number of times the maximum number of concurrent fragmented packets
supported by the ACOS device was exceeded.
Total number of times a fragmented packet could not be queued to a
session, due to any of the errors listed separately by the following counters:
• Duplicate First Fragment
• Duplicate Last Fragment
• Payload Length Out of Bounds
• Payload Length Unaligned
Number of times all fragments for a packet were reassembled successfully.
Number of times the total length of all reassembled fragments for a packet
exceeded 65535. This type of error can indicate an attack such as a ping-
of- death attack.
Total number of fragment reassembly errors, including errors due to unlikely
causes such as memory corruption.
Number of packets dropped due to an MTU exceeded policy.
Number of packets dropped due to errors during fragment processing.
Number of packets dropped because too many fragments were received for
the packet.
Number of times the limit for fragmented packets has been reached.
These are the same as the counters described above, but they apply to
packets fragmented into IPv4 fragments before being sent in the IPv6 tunnel.
For exam- ple, these counters can apply to fragmented DS-Lite traffic.
These counters are displayed if you use the ipv6 option instead of the ip
option.
Document No.: 410-P2-CLI-001 - 6/17/2016 | page 294
A10 Thunder Series and AX Series—Command Line Interface

show ip helper-address
Description Display DHCP relay information.

Syntax show ip helper-address [detail]

Mode All

Example The following command shows summary DHCP relay information:

ACOS(config)#show ip helper-address
Interface Helper-Address RX TX No-Relay Drops
--------- -------------- ------------ ------------ ------------ ------------
eth1 100.100.100.1 0 0 0 0
ve5 100.100.100.1 1669 1668 0 1
ve7 1668 1668 0 0
ve8 100.100.100.1 0 0 0 0
ve9 20.20.20.102 0 0 0 0

The following table describes the fields in the command output.

Field Description
Interface ACOS interface. Interfaces appear in the output in either of the fol-
lowing cases:
• A helper address is configured on the interface.
• DHCP packets are sent or received on the interface.
Helper-Address Helper address configured on the interface.
RX Number of DHCP packets received on the interface.
TX Number of DHCP packets sent on the interface.
No-Relay Number of packets that were examined for DHCP relay but were not
relayed, and instead received regular Layer 2/3 processing.
Generally, this counter increments in the following cases:
• DHCP packets are received on an interface that does not have
a helper address and the packets are not destined to the relay.
• DHCP packets are received on an interface that does have a
helper address, but the packets are unicast directly from the
client to the server and do not need relay intervention.

Drops Number of packets that were ineligible for relay and were dropped.

Example The following command shows detailed DHCP relay information:

ACOS#show ip helper-address detail

IP Interface: eth1
------------
Helper-Address: 100.100.100.1

page 295 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Packets:

RX: 0
BootRequest Packets : 0
BootReply Packets : 0
TX: 0
BootRequest Packets : 0
BootReply Packets : 0
No-Relay: 0
Drops:
Invalid BOOTP Port : 0
Invalid IP/UDP Len : 0
Invalid DHCP Oper : 0
Exceeded DHCP Hops : 0
Invalid Dest IP : 0
Exceeded TTL : 0 No
Route to Dest : 0 Dest
Processing Err : 0

IP Interface: ve5
------------
Helper-Address: 100.100.100.1
Packets:
RX: 16
BootRequest Packets :
16 BootReply Packets
: 0
TX: 14
BootRequest Packets : 0
BootReply Packets : 14
No-Relay: 0
Drops:
Invalid BOOTP Port : 0
Invalid IP/UDP Len : 0
Invalid DHCP Oper : 0
Exceeded DHCP Hops : 0
Invalid Dest IP : 0
Exceeded TTL : 0 No
Route to Dest : 2 Dest
Processing Err : 0

IP Interface: ve7
------------
Helper-Address: None
Packets:
RX: 14

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 296

A10 Thunder Series and AX Series—Command Line Interface

BootRequest Packets : 0
BootReply Packets : 14
TX: 14
BootRequest Packets :
14 BootReply Packets
: 0
No-Relay: 0
Drops:
Invalid BOOTP Port : 0
Invalid IP/UDP Len : 0
Invalid DHCP Oper : 0
Exceeded DHCP Hops : 0
Invalid Dest IP : 0
Exceeded TTL : 0 No
Route to Dest : 0 Dest
Processing Err : 0

The following table describes the fields in the command output.

Field Description
IP Interface ACOS interface.
Helper-Address IP address configured on the ACOS interface as the DHCP helper
address.
Packets DHCP packet statistics:
• RX – Total number of DHCP packets received on the interface.
• BootRequest Packets – Number of DHCP boot request
packets (Op = BOOTREQUEST) received on the interface.
• BootReply Packets – Number of DHCP boot reply packets (Op
= BOOTREPLY) received on the interface.
• TX – Total number of DHCP packets sent on the interface.
• BootRequest Packets – Number of DHCP boot request
packets (Op = BOOTREQUEST) sent on the interface.
• BootReply Packets – Number of DHCP boot reply packets (Op
= BOOTREPLY) sent on the interface.

page 297 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Field Description
No-Relay Number of packets that were examined for DHCP relay but were not
relayed, and instead received regular Layer 2/3 processing.
Generally, this counter increments in the following cases:
• DHCP packets are received on an interface that does not have
a helper address and the packets are not destined to the relay.
• DHCP packets are received on an interface that does have a
helper address, but the packets are unicast directly from the client
to the server and do not need relay intervention.

Drops Lists the following counters for packets dropped on the interface:
• Invalid BOOTP Port – Number of packets dropped because they
had UDP destination port 68 (BOOTPC).
• Invalid IP/UDP Len – Number of packets dropped because the IP
or UDP length of the packet was shorter than the minimum
required length for DHCP headers.
• Invalid DHCP Oper – Number of packets dropped because the Op
field in the packet header did not contain BOOTREQUEST or BOOT-
REPLY.
• Exceeded DHCP Hops – Number of packets dropped because
the number in the Hops field was higher than 16.
• Invalid Dest IP – Number of packets dropped because the
destina- tion was invalid for relay.
• Exceeded TTL – Number of packets dropped because the TTL
value was too low (less than or equal to 1).
• No Route to Dest – Number of packets dropped because the relay
agent (ACOS device) did not have a valid forwarding entry
towards the destination.
• Dest Processing Err – Number of packets dropped because the
relay agent experienced an error in sending the packet towards the
desti- nation.

show ip interfaces | show ipv6 interfaces

Description Display IP interfaces.

Syntax show {ip | ipv6} interfaces

[ethernet num] |
[ve num] |
[loopback num] |
[management] |
[trunk [num]] |
[lif [num]]

Mode All

Example The following command shows the IPv4 interfaces configured on Ethernet interface 1:

ACOS#show ip interfaces ethernet 1

IP addresses on ethernet 1:

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 298

A10 Thunder Series and AX Series—Command Line Interface

ip 10.10.10.241 netmask 255.255.255.0 (Primary)

ip 10.10.10.242 netmask 255.255.255.0
ip 10.10.10.243 netmask 255.255.255.0
ip 10.10.10.244 netmask 255.255.255.0
ip 10.10.11.244 netmask 255.255.255.0

Example The following command shows the IPv4 interfaces configured on VEs:

ACOS#show ip interfaces ve
Port IP Netmask PrimaryIP
--------------------------------------------------
--------------------------------------------------
ve4 60.60.60.241 255.255.255.0 Yes
50.60.60.241 255.255.252.0 No
--------------------------------------------------
ve6 99.99.99.241 255.255.255.0 Yes

The PrimaryIP column indicates whether the address is the primary IP address for the
interface. (For more information, see the ip address command in the “Config
Commands: Interface” chapter of the Network Configuration Guide.

show ip isis | show ipv6 isis

Description See the “Config Commands: Router - IS-IS” chapter in the Network Configuration Guide.

show ip nat alg pptp

Description Display Application Level Gateway (ALG) information for IP source NAT.

Syntax show ip nat alg pptp {statistics | status}

Example The following command displays the status of the PPTP NAT ALG feature:

ACOS#show ip nat alg pptp status

NAT ALG for PPTP is enabled on port 1723.

Example The following command displays PPTP NAT ALG statistics.

ACOS(config-if:ethernet:2)#show ip nat alg pptp statistics

Statistics for PPTP NAT ALG:
-----------------------------
Calls In Progress: 10
Call Creation Failure: 0
Truncated PNS Message: 0
Truncated PAC Message: 0
Mismatched PNS Call ID: 1
Mismatched PAC Call ID: 0

page 299 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Retransmitted PAC Message: 3

Truncated GRE Packets: 0
Unknown GRE Packets: 0
No Matching GRE Session: 4

The following table describes the fields in the command output.

Field
Calls In Progress
Call Creation Failure
Truncated PNS Message
Truncated PAC Message
Mismatched PNS Call ID
Mismatched PAC Call ID
Retransmitted PAC Message
Truncated GRE Packets
Unknown GRE Packets
No Matching GRE Session
Description
Current call attempts, counted by inspecting the TCP control session. This counter will
decrease once the first GRE packet arrives.
Number of times a call could not be set up because the ACOS device ran out of mem-
ory or other system resources.
Number of runt TCP PPTP messages received from clients.
Number of runt TCP PPTP messages received from servers.
Number of calls that were disconnected because the GRE session had the wrong Call
ID.
Number of calls that were disconnected because they had the wrong Call ID.
Number of TCP packets retransmitted from PAC servers.
Number of runt GRE packets received by the ACOS device.
Number of GRE packets that were not used for PPTP and were dropped.
Number of GRE PPTP packets sent with no current call.

show ip nat interfaces | show ipv6 nat interfaces

Description Display IP or IPv6 source NAT information for data interfaces.

Syntax show {ip | ipv6} nat interfaces

Example The following command shows the IP NAT interface settings:

ACOS#show ip nat interfaces

Total IP NAT Interfaces configured:
2 Interface NAT Direction
-----------------------------
ve10 outside
ve11 inside

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 300

A10 Thunder Series and AX Series—Command Line Interface

show ip nat pool | show ipv6 nat pool

Description Display information for IP or IPv6 source NAT pools.

Syntax show {ip | ipv6} nat pool [pool-name] [statistics]

Parameter Description
pool-name Displays information only for the specified pool.
statistics Displays pool statistics.

Example The following command displays pool information:

ACOS#show ip nat pool

Total IP NAT Pools: 2
Pool Name Start Address End Address Mask Gateway Vrid
-----------------------------------------------------------------------------------------
dmz1 10.0.0.200 10.0.0.200 /24 0.0.0.0 default
dmz2 10.10.10.200 10.10.10.200 /24 0.0.0.0 default

The following table describes the fields in the command output.

Field Description
Pool Name Name of the pool.
Start Address Beginning IP address in the pool address range.
End Address Ending IP address in the pool address range.
Mask Network mask.
Gateway Default gateway for traffic mapped to an address in the pool.
Vrid VRRP-A VRID to which the pool is assigned, if applicable.

Entering a pool name displays the same fields but for only the specified pool:

ACOS#show ip nat pool dmz1

Pool Name Start Address End Address Mask Gateway Vrid
------------------------------------------------------------------------------------------
------
dmz1 10.0.0.200 10.0.0.200 /24 0.0.0.0 default

Example The following command displays pool statistics:

ACOS#show ip nat pool statistics

Pool Address Port Usage Total Used Total Freed Failed
-------------------------------------------------------------------------------
dmz1 10.0.0.200 0 0 0 0
Pool Address Port Usage Total Used Total Freed Failed

page 301 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

-------------------------------------------------------------------------------
dmz2 10.10.10.200 0 0 0 0

The following table describes the fields in the command output.

Field Description
Pool Name of the pool.
Address IP address in the pool.
Port Usage Number of Layer 4 protocol port mappings currently in use on the port.
Note: A local address can have multiple NAT mappings. Each NAT mapping for a local
address consists of an IP:port tuple.
Total Used Total number of port mappings (IP:port tuples) used from the pool.
Total Freed Total number of port mappings that were used and then returned to the pool.
Failed Number of mappings that failed.

show ip nat pool-group | show ipv6 nat pool-group

Description Display configuration information for IP or IPv6 source NAT pool groups.

Syntax show {ip | ipv6} nat pool-group [group-name]

show ip nat range-list

Description Displays information for IP source NAT range lists.

Syntax show ip nat range-list

Example The following command shows NAT range-list information:

ACOS(config)#show ip nat range-list

Total Static NAT range lists: 1
Name Local Address/Mask Global Address/Mask Count HA
--------------------------------------------------------------------------------
rl1 10.10.10.88/24 192.168.10.88/24 10 0

The following table describes the fields in the command’s output.

Field Description
Name Name of the range list.
Local Address/Mask Beginning local address of the range to be translated into global (NAT)
addresses.
Global Address/Mask Beginning global address of the range.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 302

A10 Thunder Series and AX Series—Command Line Interface

Field Description
Count Number of address translations in the range.
HA VRRP-A VRID to which the range list belongs, if applicable.

show ip nat static-binding

Description Display information for static IP source NAT bindings.

Syntax show ip nat static-binding [statistics] [ipaddr]

Parameter Description
statistics Displays statistics.
ipaddr Displays information for the specified IP address.

Example The following command displays the static source NAT binding for local address 10.10.10.20:

ACOS#show ip nat static-binding 10.10.10.20

Local Address 10.10.10.20 statically bound to Global Address 10.10.10.1

Example The following command displays static-binding statistics:

ACOS#show ip nat static-binding statistics

Source Address Port Usage Total Used Total Freed
---------------------------------------------------------------------------
10.10.10.20 0 0 0

The following table describes the fields in the command output.

Field Description
Source Address Source IP address that is statically mapped to a global IP address (source NAT address).
Port Usage Number of Layer 4 protocol port mappings currently in use by the local address.
Note: A local address can have multiple NAT mappings. Each NAT mapping for a local
address consists of an IP:port tuple.
Total Used Total number of port mappings (IP:port tuples) used by the inside address.
Total Freed Total number of port mappings returned to the static pool.

page 303 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

show ip nat statistics

Description Displays IP source NAT statistics.

Syntax show ip nat statistics

Example Displays IP NAT statistics:

ACOS(config)#show ip nat statistics

Outside interfaces: ethernet8, ethernet11, ve20, ve110,
ve120 Inside interfaces: ethernet8, ethernet11, ve20, ve110,
ve120 Hits: 1707 Misses: 0
Outbound TCP sessions created:
1363 Outbound UDP sessions
created: 344 Outbound
ICMP sessions created: 0
Inbound TCP sessions created: 0
Inbound UDP sessions created: 0
Dynamic mappings:
-- Inside Source
access-list 8 pool v4
start 10.10.120.200 end 10.10.120.202
total addresses 3, allocated 2315, misses 0
access-list v6 pool l3nat6
start 6020::203 end 6020::203
total addresses 1, allocated 0, misses 0

The output lists the inside NAT and outside NAT interfaces and provides address translation
statistics.

show ip nat template logging

Description Display configuration information for IP source NAT logging templates.

Syntax show ip nat template logging [template-name]

show ip nat timeouts

Description Display the IP source NAT protocol port timeouts.

Syntax show ip nat timeouts

Example The following command displays the timeout settings IP source NAT sessions.

ACOS(config)#show ip nat
timeouts NAT Timeout values in
seconds: TCP UDP ICMP

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 304

A10 Thunder Series and AX Series—Command Line Interface

------------------------
300 300 fast
Service 53/udphas fast-aging configured

show ip nat translations

Description Display IP source NAT translations.

Syntax show ip nat translations

Mode All

Example The following command shows source NAT translations:

ACOS#show ip nat translations

Prot Inside global Inside local Outside local Outside
global Age Hash Type
------------------------------------------------------------------------------------------
---------------------
Tcp 10.10.120.200:33345 10.10.30.19:35955 10.10.120.124:1107
10.10.120.124:1107 0 1 NF NAT
Tcp 10.10.120.200:28260 10.10.30.16:64602 10.10.120.111:443
10.10.120.111:443 0 1 NS NAT
Tcp 10.10.120.200:29988 10.10.30.20:2466 10.10.120.111:80
10.10.120.111:80 0 1 NS NAT
Tcp 10.10.120.200:29952 10.10.30.16:64638 10.10.120.124:21
10.10.120.124:21 0 1 NS NAT
Tcp 10.10.120.200:9257 10.10.30.15:48569 10.10.120.124:1093
10.10.120.124:1093 0 1 NF NAT
Tcp 10.10.120.200:28170 10.10.30.18:38106 10.10.120.124:21
10.10.120.124:21 0 1 NS NAT
Tcp 10.10.120.200:29845 10.10.30.15:48619 10.10.120.111:443
10.10.120.111:443 0 2 NS NAT
Tcp 10.10.120.200:28716 10.10.30.15:48624 10.10.120.124:1111
10.10.120.124:1111 0 2 NF NAT
Tcp 10.10.120.200:29377 10.10.30.19:35947 10.10.120.111:80
10.10.120.111:80 0 2 NS NAT
Tcp 10.10.120.200:29179 10.10.30.15:48565 10.10.120.111:443
10.10.120.111:443 0 2 NS NAT
Tcp 10.10.120.200:21887 10.10.30.15:48635 10.10.120.124:1118
10.10.120.124:1118 0 2 NF NAT
Tcp 10.10.120.200:21800 10.10.30.18:38108 10.10.120.124:1097
10.10.120.124:1097 0 2 NF NAT
Tcp 10.10.120.200:29971 10.10.30.20:2467 10.10.120.111:443
10.10.120.111:443 0 2 NS NAT

page 305 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

The following table describes the fields in the command’s output.

Field Description
Prot Layer 4 protocol.
Inside global Global (NAT) address mapped by ACOS to the inside source address (the
inside local address).
Inside local Inside source address before translation.
Outside local Outside destination address of the traffic.
Outside global Outside destination address of the traffic. <<always the same as “Outside
local”?>>
Age For dynamic mappings, indicates how many seconds the entry is
allowed to continue remaining idle before being removed. <<is this
correct?>>
Hash <<?>>
Type Entry type:
• NF NAT – <<?>>
• NS NAT – <<?>>

show ip-list
Description Display IP-list information.

Syntax show ip-list [list-name]

Parameter Description
list-name Displays the configuration of the specified list. If you omit this option, the config-
ured IP lists are listed instead.

Mode All

Example The following example shows the IP lists configured on an ACOS device:

ACOS-Active(config)#show ip-list
Name Type Entries
--------------------------------------------------
sample_ip_list_ng IPv4 3
test-list IPv4 0
Total: 2

The following command shows the configuration of an individual IP list:

ACOS#show ip-list sample_ip_list_ng

ip-list sample_ip_list_ng
10.10.10.1

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 306

A10 Thunder Series and AX Series—Command Line Interface

20.20.3.1
123.45.6.7

show ipv6 ndisc

Description Display information for IPv6 router discovery.

Syntax show ipv6 ndisc router-advertisement

{ethernet portnum | ve ve-num | statistics}

Mode All

Example The following command displays configuration information for IPv6 router discovery on an
Ethernet interface. In this example, the interface is VE 10.

ACOS#show ipv6 ndisc router-advertisement ve 10

Interface VE 10
Send Advertisements: Enabled
Max Advertisement Interval: 200
Min Advertisement Interval: 150
Advertise Link MTU: Disabled
Reachable Time: 0
Retransmit Timer: 0
Current Hop Limit: 255
Default Lifetime: 200
Max Router Solicitations Per Second:
100000 HA Group ID: None
Number of Advertised Prefixes: 2
Prefix 1:
Prefix: 2001:a::/96
On-Link: True
Valid Lifetime: 4400
Prefix 2:
Prefix: 2001:32::/64
On-Link: True
Valid Lifetime: 2592000

The following command displays router discovery statistics:

ACOS(config)#show ipv6 ndisc router-advertisement statistics

IPv6 Router Advertisement/Solicitation Statistics:
--------------------------------------------------
Good Router Solicitations (R.S.) Received: 1320
Periodic Router Advertisements (R.A.) Sent: 880
R.S. Rate Limited: 2
R.S. Bad Hop Limit: 1

page 307 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

R.S. Truncated: 0
R.S. Bad ICMPv6 Checksum: 0
R.S. Unknown ICMPv6 Code: 0
R.S. Bad ICMPv6 Option: 0
R.S. Src Link-Layer Option and Unspecified Address: 0
No Free Buffers to send R.A.: 0

The error counters apply to router solicitations (R.S.) that are dropped by the ACOS device.

The Src Link-Layer Option and Unspecified Address counter indicates the number of times
the ACOS device received a router solicitation with source address “::” (unspecified IPv6
address) and with the source link-layer (MAC address) option set.

NOTE: In the current release, the ACOS device does not drop IPCMv6 packets that have
bad (invalid) checksums.

show ipv6 neighbor

Description Display information about neighboring IPv6 devices.

Syntax show ipv6 neighbor [ipv6-addr]

Mode All

Example The following command shows IPv6 neighbors:

ACOS(config)#show ipv6 neighbor

Total IPv6 neighbor entries: 2
IPv6 Address MAC Address Type Age State Interface Vlan
---------------------------------------------------------------------------------------
b101::1112 0007.E90A.4402 Dynamic 30 Reachable ethernet 6 1
fe80::207:e9ff:fe0a:4402 0007.E90A.4402 Dynamic 20 Reachable ethernet 6 1

show ip ospf | show ipv6 ospf

Description Display OSPF information. (See the “Config Commands: Router - OSPF” chapter in the Net-
work Configuration Guide.

show ip prefix-list | show ipv6 prefix-list

Description Display information about prefix lists.

Syntax show {ip | ipv6} prefix-list

Mode All

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 308

A10 Thunder Series and AX Series—Command Line Interface

show ip protocols | show ipv6 protocols

Description Show information for dynamic routing protocols.

Syntax show {ip | ipv6} protocols

Mode All

show ip rip | show ipv6 rip

Description Show information for RIP. (See the “Config Commands: Router - RIP” chapter in the Network
Configuration Guide.

show ip route | show ipv6 route

Description Display the IPv4 or IPv6 routing table.

Syntax show {ip | ipv6} route

[
ipaddr[/mask-length] |
all |
bgp |
connected |
database |
isis |
mgmt |
ospf |
rip |
static |
summary
]

Mode All

Usage The all option is only applicable for IPv4.

The show ip route summary command displays summary information for all IP
routes, including the total number of routes. The command output applies to both the data
route table and the management route table, which are separate route tables.

The following commands display routes for only one of the route tables:

• show ip route – Shows information for the data route table only.
• show ip route mgmt – Shows information for the management route table only.

The total number of routes listed by the output differs depending on the command you
use. For example, the total number of routes listed by the show ip route command
includes only data routes, whereas the total number of routes listed by the show ip
route summary command includes data routes and management routes.

Example The following example shows the IP route table:

ACOS#show ip route

page 309 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Codes: C - connected, S - static, O - OSPF

S* 0.0.0.0/0 [1/0] via 192.168.20.1, ve 10

S* 192.168.1.0/24 [1/0] is directly connected,
Management C* 192.168.1.0/24 is directly connected,
Management
C* 192.168.19.0/24 is directly connected, ve
10 Total number of routes : 4

show ip stats | show ipv6 stats

Description View statistics for IPv4 or IPv6 packets.

Syntax show {ip | ipv6} stats

Mode All

show ipv6 traffic

Description Display IPv6 traffic management statistics.

Syntax show ipv6 traffic

Mode All

Example The following command shows IPv6 traffic management statistics:

ACOS#show ipv6 traffic

Traffic Type Received Sent Errors
------------------------------------------------------------------
Router Solicit 1 1 0
Router Adverts 0 0 0
Neigh Solicit 0 0 0
Neigh Adverts 0 0 0
Echo Request 0 0 0
Echo Replies 0 0 0
Other ICMPv6 Errs 0 0 0

show isis
Description See the “Config Commands: Router - IS-IS” chapter in the Network Configuration Guide.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 310

A10 Thunder Series and AX Series—Command Line Interface

show json-config
Description View the JSON/aXAPI data format associated with the running-config, or for a specific object.

Syntax show json-config [object]

If no object is specified, then the JSON configuration for the entire running-config will be
shown.

Mode All

Example The following example shows the JSON configuration for SLB server “web2”:

ACOS#show json-config slb server web2

a10-url:/axapi/v3/slb/server/web2
{
"server":
{ "name":"web2",
"host":"10.10.10.2",
"health-check":"https-with-key",
"port-list": [
{
"port-number":80,
"protocol":"tcp",
"health-check-disable":1
}
]
}
}

Related Commands show json-config-detail, show json-config-with-default

show json-config-detail
Description View the JSON/aXAPI data format, including the URI and object type, associated with
the running-config, or for a specific object.

Syntax show json-config-detail [object]

If no object is specified, then the JSON configuration for the entire running-config will be
shown.

Mode All

Example The following example shows the JSON configuration, with URI and object type
information, for SLB server “web2”:

ACOS#show json-config-detail slb server web2

page 311 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

a10-url:/axapi/v3/slb/server/web2
{
"server":
{ "name":"web2",
"host":"10.10.10.2",
"health-check":"https-with-key",
"port-list": [
{
"port-number":80,
"protocol":"tcp",
"health-check-disable":1,
"a10-url":"/axapi/v3/slb/server/web2/port/80+tcp",
"obj-type":"multi"
}
]
}
}

Related Commands show json-config, show json-config-with-default

show json-config-with-default
Description View the JSON/aXAPI data format, including default values, associated with the running-
con- fig or for a specific object.

Syntax show json-config-with-default [object]

If no object is specified, then the JSON configuration for the entire running-config will be
shown.

Mode All

Example The following example shows the JSON configuration, with default values, for SLB
server “web2”:

ACOS#show json-config-with-default slb server web2

a10-url:/axapi/v3/slb/server/web2
{
"server":
{ "name":"web2",
"host":"10.10.10.2",
"action":"enable",
"template-server":"default",
"health-check":"https-with-key",

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 312

A10 Thunder Series and AX Series—Command Line Interface

"conn-limit":8000000,
"no-logging":0,
"weight":1,
"slow-start":0,
"spoofing-cache":0,
"stats-data-action":"stats-data-enable",
"extended-stats":0,
"port-list": [
{
"port-number":80,
"protocol":"tcp",
"range":0,
"action":"enable",
"no-ssl":0,
"health-check-disable":1,
"weight":1,
"conn-limit":8000000,
"no-logging":0,
"stats-data-action":"stats-data-enable",
"extended-stats":0,
"a10-url":"/axapi/v3/slb/server/web2/port/80+tcp"
}
]
}
}

Related Commands show json-config, show json-config-detail

show key-chain
Description Show configuration information for authentication key chains.

Syntax show key-chain [key-chain-name]

The key-chain-name is the name of the authentication key chain.

Mode Privileged EXEC and all Config levels

page 313 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Example The following text is an example of the output for this command:

ACOS#show key-chain
key chain test1
key 1
key-string test1key1
key 2
key-string test1key2
key chain test2
key 2
key-string test2key2

ACOS#show key-chain test1

key chain test1
key 1
key-string test1key1
key 2
key-string test1key2

show lacp
Description Show configuration information and statistics for Link Aggregation Control Protocol (LACP).

Syntax show lacp

{
counter [lacp-trunk-id] |
sys-id |
trunk
[admin-key-list-details | detail | summary | lacp-trunk-id]
}

Parameter Description
counter View LACP packet statistics for all trunks, or for just
the specified trunk.
sys-id Shows the LACP system ID of the ACOS device.
admin-key-list-details View LACP admin key list details.
detail View detailed trunk information.
summary View trunk summary information.

Mode All

Example The following command shows LACP statistics:

ACOS#show lacp counters

Traffic statistics
Port LACPDUs Marker Pckt err
Sent Recv Sent Recv Sent Recv

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 314

A10 Thunder Series and AX Series—Command Line Interface

Aggregator po5 1000000

ethernet 1 81 81 0 0 0 0
ethernet 2 81 81 0 0 0 0
Aggregator po10 1000001
ethernet 6 233767 233765 0 0 0 0

In this example, LACP has dynamically created two trunks, 5 and 10. Trunk 5 contains ports 1
and 2. Trunk 10 contains port 6.

Example The following command shows summary trunk information:

ACOS#show lacp trunk summary

Aggregator po5 1000000
Admin Key: 0005 - Oper Key 0005
Link: ethernet 1 (3) sync: 1
Link: ethernet 2 (4) sync: 1
Aggregator po10 1000001
Admin Key: 0010 - Oper Key 0010
Link: ethernet 6 (8) sync: 1

show lacp-passthrough

Description Show information for the LACP passthrough feature.

Syntax show lacp-passthrough

Mode All

show license
Description Display the host ID and, if applicable, serial number of the license applied to this
ACOS device.

Syntax show license [uid]

Specify the uid option to show the serial number associated with the UID.

Mode Privileged EXEC or higher

Example The following example shows sample output for this command.

ACOS# show license

Host ID: 029984E1BC8EF50901B63DC0DCD1FE8A02017B9B
ACOS# show license uid
029984E1BC8EF50901B63DC0DCD1FE8A02017B9B

page 315 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

show license-debug
Description This command is for internal use and is documented to notify that it does not serve any use-
ful purpose to the consumer.

Syntax show license-debug

Mode All

Example Example output for this command:

ACOS> show license-debug

Host ID : A0C764C33831F0A6FB9861EA6EDCF31330FB91A6
Product : ADC
Platform : AX-V
-----------------------------------------------
Source Enabled Licenses Expiry Date
-----------------------------------------------
BUILT IN
SLB None
CGN None
GSLB None
RC None
DAF None
WAF None

GLM

show license-info
Description Show current product SKU and license information on the ACOS device.

Syntax show license-info

Mode All

Example Example output for this command. This example shows that the CFW product is installed
(highlighted) along with the product modules that are included in this product. Refer to the
Release Notes for more information about product SKUs and licenses.

ACOS> show license-info

Host ID : 5DCB01EC264BECCCFECB3C2ED42E02384EE8C527
Product : CFW
Platform : AX Series Advanced Traffic Manager
GLM Ping Interval In Hours : 24
------------------------------------------------------------------------------------
Enabled Licenses Expiry Date Notes

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 316

A10 Thunder Series and AX Series—Command Line Interface

------------------------------------------------------------------------------------
SLB None
CGN None
GSLB None
RC None
DAF None
WAF None
SSLI None
DCFW None
GIFW None
URLF None
IPSEC None
AAM None
FP None
WEBROOT None Requires an additional Webroot license.
THREATSTOP None Requires an additional ThreatSTOP license.

show lldp neighbor statistics

Description Displays information on all remote neighbors or on the specified interface.

Syntax show lldp neighbor statistics [interface Ethernet eth-num]

Mode All

show lldp statistics

Description Displays LLDP receive or send error statistics, You can display information on all interfaces or
only display information on a specified interface.

Syntax show lldp statistics

[interface {ethernet eth-num | management}]

Mode All

show local-uri-file
Description Display local imported URI files.

Syntax show local-uri-file

[name] [all-partitions] [partition {shared | partition-name}]

Mode All

page 317 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

show locale
Description Display the configured CLI locale.

Syntax show locale

Mode All

Example The following command shows the locale configured on an ACOS device:

ACOS#show locale
en_US.UTF-8 English locale for the USA, encoding with UTF-8 (default)

show log
Description Display entries in the syslog buffer or display current log settings (policy). Log entries
are listed starting with the most recent entry on top.

Syntax show log [debug] [length num] [policy]

Parameter Description
debug Show debug logging entries only.
length num Shows the most recent log entries, up to the number of entries
you specify. You can specify 1-1000000 (one million) entries.
policy Shows the log settings. To display log entries, omit this option.

Mode All

Example The following command shows the log settings:

ACOS#show log policy

Syslog servers: (0 hosts)

Facility: local0

Name Level
----------------------------
Console error
Syslog disable
Monitor disable
Buffer debugging
Email disable
Trap disable

Example The following command shows log entries (truncated for brevity):

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 318

A10 Thunder Series and AX Series—Command Line Interface

ACOS#show log
Log Buffer: 30000
Jan 17 11:32:02 Warning A10LB HTTP request has p-
conn Jan 17 11:31:01 Notice The session [1] is
closed
Jan 17 11:31:00 Info Load libraries in 0.044 secs
Jan 17 11:26:19 Warning A10LB HTTP request has p-
conn
Jan 17 11:26:19 Warning A10LB HTTP response not beginning of
header: m counterType="1" hourlyCount="2396"
dailyCount="16295" weeklyCount="16295" monthly
Jan 17 11:16:18 Warning A10LB HTTP request has p-
conn Jan 17 11:16:01 Notice The session [1] is
closed
Jan 17 11:16:00 Info Load libraries in 0.055 secs
Jan 17 11:15:22 Warning A10LB HTTP request has p-
conn Jan 17 11:15:03 Notice The session [1] is
closed Jan 17 11:14:33 Warning A10LB HTTP request
has p-conn
...

show mac-address-table
Description Display MAC table entries.

Syntax show mac-address-table

[macaddr | port port-num | vlan vlan-id]

Parameter Description
macaddr Shows the MAC table entry for the specified MAC address.
Enter the MAC address in the following format: aaaa.bbbb.cccc
port port-num Shows the MAC table entries for the specified Ethernet port.
vlan vlan-id Shows the MAC table entries for the specified VLAN.

Mode All

Example The following command displays the MAC table entries:

ACOS#show mac-address-table
Total active entries: 10 Age time: 300 secs
MAC-Address Port Type Index Vlan Trap
---------------------------------------------------------
001e.bd62.d021 2 Dynamic 85 0 None
001e.bd62.d01e 1 Dynamic 244 120 None
000c.2923.c500 lif2 Dynamic 456 1 None
000d.480a.6665 1 Dynamic 594 120 None
001f.a002.fdc3 1 Dynamic 676 120 None

page 319 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

000c.2923.c500 2 Dynamic 713 60 None

001e.bd62.d01e 1 Dynamic 734 0 None

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 320

 A10 Thunder Series and AX Series—Command Line Interface

000c.2960.8990 1 Dynamic 752 120 None

001f.a002.10a8 5 Dynamic 918 100 None
001e.bd62.d021 2 Dynamic 975 60 None

The following table describes the fields in the command output.

Field Description
Total active entries Total number of active MAC entries in the table. An active entry is
one that has not aged out.
Age time Number of seconds a dynamic (learned) MAC entry can remain
unused before it is removed from the table.
MAC-Address MAC address of the entry.
Port Ethernet port through which the MAC address is reached.
Type Indicates whether the entry is dynamic or static.
Index The MAC entry’s position in the MAC table.
Vlan VLAN the MAC address is on.
Trap Shows any SNMP traps enabled on the port.

show management
Description Show the types of management access allowed on each of the ACOS device’s Ethernet
inter- faces.

Syntax show management [ipv4 | ipv6]

Mode All

Usage To configure the management access settings, see “enable-management” on page 112
and “disable-management” on page 109.

NOTE: If you do not use either option, IPv4 access information is shown.

Example The following command shows IPv4 management access information:

PING SSH Telnet HTTP HTTPS SNMP ACL

------------------------------------------------------------------------------------------
mgmt on on off on on on -
eth1 on off off off off off -
eth2 on off off off off off -
eth3 on off off off off off -
eth4 on off off off off off -
...

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 320

A10 Thunder Series and AX Series—Command Line Interface

If management access is controlled by an ACL, the ACL ID would be listed instead of “on”
or “off” status.

show memory
Description Display memory usage information.

Syntax show memory [cache | system | active-vrid {vrid-num | default}]

Parameter Description
cache Shows cache statistics.
system Shows summary statistics for memory usage.
active-vrid Show memory usage statistics for the specified VRID only. This
option is only available in VRRP-A environments.

Mode Privileged EXEC level and configuration levels

Example The following command shows summary statistics for memory usage:

ACOS#show memory system

System Memory Usage:
Total(KB) Free Shared Buffers Cached Usage
---------------------------------------------------------------------------
2070368 751580 0 269560 96756 59.0%

Example The following command shows memory usage for individual system modules:

ACOS#show memory
Total(KB) Used Free Usage
----------------------------------------------------
Memory: 31941112 8310060 23631052 26.0%

System memory:
Object size(byte) Allocated(#) Max(#)
----------------------------------------------------------------
4 223 3639
36 2536 3639
100 71095 71262
228 152 992
484 12 503
996 183 253
2020 92 127
4068 339 378
8164 72 93

page 321 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

aFleX memory:
Object size(byte) Allocated(#) Max(#)
----------------------------------------------------------------
32 1412 58224
64 7008 30816
128 7621 20960
256 181 12768
512 509 7168
1024 52 3824
2048 0 0
4096 0 0

TCP memory:
Object size(byte) Allocated(#) Max(#)
----------------------------------------------------------------
1104 1 225
184 0 0

Example The following command shows memory cache information (truncated for brevity):

ACOS#show memory cache

System block 4:
Object size: 4, Total in pool: 3639, Allocated to control: 223
Misc1 92 Misc2 1 Allocated to 16 data threads: 0, 0, 0, 0, 0, 0,
0,
0, 0, 0, 0, 0, 0, 0, 0, 0,

System block 36:

Object size: 36, Total in pool: 3639, Allocated to control: 2536
Misc1 0 Misc2 1 Allocated to 16 data threads: 0, 0, 0, 0, 0, 0, 0,
0,
0, 0, 0, 0, 0, 0, 0, 0,

System block 100:

Object size: 100, Total in pool: 71262, Allocated to control: 71095
Misc1 0 Misc2 37 Allocated to 16 data threads: 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0,
...

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 322

A10 Thunder Series and AX Series—Command Line Interface

show mirror
Description Display port mirroring information.

Syntax show mirror

Mode All

Example The following example shows the port mirroring configuration on an ACOS device:

ACOS#show mirror
Mirror Ports 1: Input = 4 Output = 4
Ports monitored at ingress : 1
Mirror Ports 2: Input = None Output = 7
Mirror Ports 3: Input = 9 Output = 9
Mirror Ports 4: Input = 3 Output = None

The following table describes the fields in the command output.

Field Description
Mirror Port Mirror port index number.
Input Indicates that inbound mirrored traffic from the monitor port can be sent out of the
specified ethernet interface. If “None” appears instead of an ethernet interface
number, it means that inbound mirrored traffic will not be sent out of this ethernet
port.
Output Indicates that outbound mirrored traffic from the monitor port can be sent out of the
specified ethernet interface. If “None” appears instead of an ethernet interface
number, it means that outbound mirrored traffic will not be sent out of this ethernet
port.
Port monitored at ingress Port(s) whose inbound traffic is copied to the monitor port.
Port monitored at egress Port(s) whose outbound traffic is copied to the monitor port.

show monitor
Description Display the event thresholds for system resources.

Syntax show monitor

Mode All

Example Below is an example output for this command.

ACOS#show monitor
Current system monitoring threshold:
Hard disk usage: 85
Memory usage: 95
Control CPU usage: 90
Data CPU usage: 90
IO Buffer usage: 734003

page 323 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Buffer Drop: 1000

Warning Temperature: 68
Conn type 0: 32767
Conn type 1: 32767
Conn type 2: 32767
Conn type 3: 32767
Conn type 4: 32767
SMP type 0: 32767
SMP type 1: 32767
SMP type 2: 32767
SMP type 3: 32767
SMP type 4: 32767

show netflow
Description Display NetFlow information.

Syntax show netflow {common | monitor [monitor-name]}

Parameter Description
common Displays the currently configured maximum
queue time for NetFlow export packets.
monitor [monitor-name] Displays information for NetFlow monitors.

Mode All

Example The following example shows the configuration of a NetFlow monitor:

ACOS(config)#show netflow monitor

Netflow Monitor netflow-1
Protocol Netflow v9
Status: Enable
Filter: Global
Destination: Not Configured
Source IP Use MGMT: No
Flow Timeout: 10 Minutes
Resend Template Per Records: 1000
Resend Template Timeout: 1800 Seconds
Sent: 0 (Pkts) / 0 (Bytes)
Records: Not Configured

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 324

A10 Thunder Series and AX Series—Command Line Interface

The following table shows the descriptions of the command output:

Field Description
Protocol Specifies the NetFlow Protocol version (NetFlow v9 or NetFlow v10/
IPFIX)
Status Specifies whether or not the NetFlow monitor is enabled.
Filter Identifies the specific type and subset of resources that are being
monitored (global, specific ports, or a NAT pool).
Destination Indicates the destination IP address and port, if configured.
Source IP Use Specifies whether the IP address of the management port of the
MGMT ACOS device is being used as the source IP of NetFlow packets.
Flow Timeout Timeout value interval at which flow records are periodically
exported for long-lived sessions. Flow records for short-lived
sessions (if any) are sent upon termination of the session.
Resend Tem- The number of records before the ACOS device resends the
plate Per Records NetFlow template that describes the data to perform a refresh of the
template on the NetFlow collector.
Resend Tem- The amount of time before the ACOS device resends the template
plate Timeout that describes the data to perform a refresh of the template on the
NetFlow collector.
Sent Total number of NetFlow packets and bytes sent.
Records Specifies the NetFlow template types configured, which define the
NetFlow records to export.

show ntp
Description Show the Network Time Protocol (NTP) servers and status.

Syntax show ntp {servers | status}

Parameter Description
servers Lists the configured NTP servers and their state (enabled/disabled).
status Lists the configured NTP servers and the status of the connection
between ACOS and the server.

Mode Privileged EXEC level and configuration levels

Example The following commands show NTP information:

ACOS#show ntp servers

Ntp Server isPreferred Mode Authentication
----------------------------------------------------------------------------
10.255.254.50 no enabled disabled
10.255.249.43 no enabled disabled

page 325 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

ACOS#show ntp status

NTP Server Status
------------------------------------------
10.255.254.50 synchronized
10.255.249.43 polling

show object-group
Description Show object groups, a named set of IP addresses or protocol values used for extended IPv4
or IPv6 ACLs.

Syntax show object-group [network name | service name]

Parameter Description
network name Show a network object group which contains IP address match crite-
ria.
service name Show a service object group which contains protocol match criteria.

Mode All

show overlay-mgmt-info
Description See the Configuring Overlay Networks guide.

show overlay-tunnel
Description See the Configuring Overlay Networks guide.

show partition
Description All show commands related to partitions are available in Configuring Application Delivery
Par- titions.

show partition-config
Description All show commands related to partitions are available in Configuring Application Delivery
Par- titions.

show partition-group
Description All show commands related to partitions are available in Configuring Application Delivery
Par- titions.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 326

A10 Thunder Series and AX Series—Command Line Interface

show pbslb
Description Show configuration information and statistics for Policy-based SLB (PBSLB).

Syntax show pbslb [name]

show pbslb client [ipaddr]

show pbslb system

show pbslb virtual-server virtual-server-name

[port port-num service-type]

Field Description
name Shows information for virtual servers.
client [ipaddr] Shows information for black/white list clients.
system Shows system-wide statistics for PBSLB.
virtual-server Shows statistics for IP limiting on the specified vir-
virtual-server-name tual server.
[port port-num
service-type]

Mode All

Example The following command shows PBSLB class-list information for an ACOS device:

ACOS#show pbslb
Virtual server class list statistics:
F = Flag (C-Connection, R-Request), Over-RL = Over rate
limit Source Destination F Current Rate Over-limit Over-RL
---------------+---------------------+-+---------+---------+----------+----------
10.1.2.1 10.1.11.1:80 C 15 1 0 0
Total: 1

page 327 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

The following table describes the fields in the command output.

Field Description
Source Client IP address.
Destination VIP address.
Flag Indicates whether the row of information applies to connections
or requests:
• C – The statistics listed in this row are for connections.
• R – The statistics listed in this row are for HTTP requests.
Current Current number of connections or requests.
Rate Current connection or request rate, which is the number of connec-
tions or requests per second.
Over Limit Number of times client connections or requests exceeded the
con- figured limit.
Over Rate Limit Number of times client connections or requests exceeded the
con- figured rate limit.

Example The following command shows PBSLB black/white-list information for an ACOS device:

ACOS#show pbslb
Total number of PBSLB configured: 1
Virtual server Port Blacklist/whitelist GID Connection # (Establish Reset Drop)
------------------------------------------------------------------------------
PBSLB_VS1 80 sample-bwlist 2 0 0 0
4 0 0 0

The following table describes the fields in the command output.

Field Description
Total number of PBSLB configured Number of black/white lists imported onto the ACOS device.
Virtual server SLB virtual server to which the black/white list is bound.
Port Protocol port.
Blacklist/whitelist Name of the black/white list.
GID Group ID.
Connection # Establish Number of client connections established to the group and protocol port.
Connection # Reset Number of client connections to the group and protocol port that were reset.
Connection # Drop Number of client connections to the group and protocol port that were dropped.

Example The following command shows PBSLB information for VIP “vs-22-4”:

ACOS#show pbslb vs-22-4

GID = Group ID, A = Action, OL = Over-limit
GID Establish Reset(A) Drop(A) Reset(OL) Drop(OL) Ser-sel-fail

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 328

A10 Thunder Series and AX Series—Command Line Interface

-------+-----------+-----------+-----------+-----------|-----------+------------
Virtual server: vs-22-4 Port: 80 B/W list: test
1 88 0 3 2 0 0
2 112 0 2 0 0 1
3 29 0 0 0 0 0
4 11 1 0 0 0 0

show pki
Description Shows information about the certificates on the ACOS device device.

Syntax show pki

{ca-cert [cert-name [detail]| cert [cert-name [detail]] | crl}
[all-partitions | partition {shared | partition-name} | sort-
by]

Option Description
ca-cert cert-name Shows the CA certificate.
cert-name specifies a name for the certificate, and you can a
name with a maximum of 255 characters.
cert cert-name Shows information about the certificates on the ACOS device
device. To display information for a specific certificate, use the
cert-name option. To display additional details about the
certifi- cate, use the detail option.
crl Shows information about the Certificate Revocation Lists
(CRLs) that have been imported to the ACOS device device.
[all-partitions | partition | Allows you to select what type of information you want to
sort-by] dis- play:
• All partitions
• A specific partition
You can display information from the shared partition or from a
specific L3V partition.
• Sort by the certificate files

Mode All

Example The following command shows SSL certificate information:

ACOS(config)#pki create certificate server

input key bits(1024,2048,4096) default
1024:1024 input Common Name, 1~64:server
input Division, 0~31:division
input Organization, 0~63:org
input Locality, 0~31:sj
input State or Province, 0~31:ca

page 329 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

input Country, 2 characters:us

input email address, 0~64:
input valid days, 30~3650, default 730:

ACOS(config)#show pki cert

Name: server Type: certificate/key Expiration: Sep 13
18:35:26 2016 GMT [Unexpired, Unbound]

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 330

A10 Thunder Series and AX Series—Command Line Interface

show poap
Description Display the Power On Auto Provisioning (POAP) mode.

Syntax show poap

Mode All

Example Example command and output:

ACOS(config)#show poap
Disabled

show process
system
Description Display the status of system processes.

Syntax show process system

Mode Privileged EXEC level and configuration levels

Usage For descriptions of the system processes, see the “System Overview” chapter of the System
Configuration and Administration Guide.

Example The following command shows the status of system processes on an ACOS device:

ACOS#show process
system a10mon is
running syslogd is
running a10logd is
running a10timer is
running a10Stat is
running
a10hm is running
a10switch is running
a10rt is running
a10rip is running
a10ospf is running
a10snmpd is running
a10gmpd is running
a10wa is running
a10lb is running

page 331 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

show radius-server
Description Display statistics about a RADIUS server.

Syntax show radius-server

Example The following text is a sample output for this command:

ACOS(config)#show radius-server
Radius server : 10.0.0.0
contact start : 5
contact failed : 3
authentication success : 1
authentication failed :
1
authorization success : 1

Radius server : 10.0.0.1

contact start : 0
contact failed : 0
authentication success : 0
authentication failed : 0
authorization success : 0

ACOS(config)#

Mode All

show reboot
Description Display scheduled system reboots.

Syntax show reboot

Mode All

Example The following command shows a scheduled reboot on the ACOS device:

ACOS#show reboot
Reboot scheduled for 04:20:00 PST Sun Apr 20 2008 (in 63 hours and 16
minutes) by admin on 192.168.1.144
Reboot reason: Outlook_upgrade

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 332

A10 Thunder Series and AX Series—Command Line Interface

show route-map
Description Show the configured route maps.

Syntax show route-map [map-name]

Mode All

show router log file

Description Show router logs.

Syntax show router log file

[
file-num |
bgpd [file-num] |
isisd [file-num] |
nsm [file-num] |
ospf6d [file-num] |
ospfd [file-num] |
ripd [file-num] |
ripngd [file-num]
]

Parameter Description
file-num Log file number.
bgpd [file-num] Displays the specified BGP log file, or all BGP log files.
isisd [file-num] Displays the specified IS-IS log file, or all IS-IS log files.
nsm [file-num] Displays the specified Network Services Module (NSM) log
file, or all NSM log files.
ospf6d [file-num] Displays the specified IPv6 OSPFv3 log file, or all OSPFv3
log files.
ospfd [file-num] Displays the specified IPv4 OSPFv2 log file, or all OSPFv2
log files.
ripd [file-num] Displays the specified IPv4 RIP log file, or all IPv4 RIP log files.
ripngd [file-num] Displays the specified IPv6 RIP log file, or all IPv6 RIP log files.

Mode All

page 333 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

show running-config
Description Display the running-config.

This command is used to view the running-config in the partition where the command is
issued. To view the running-config for a different partition, use the show partition-
config command.

Syntax show running-config [options]

Usage This command displays the entire running-config in the current partition.

To narrow the output to specific feature modules, use show running-config ? to

view the available modules, then specify them from the command line. For example, to
view the running-config related only to SLB servers, use:

show running-config slb server

Example The following example shows the running-config for SLB virtual servers:

ACOS#show running-config slb virtual-server

!Section configuration: 2 bytes
!
slb virtual-server test-vip 10.10.10.15
port 80 tcp
!
!
end
ACOS(NOLICENSE)#

show scaleout
Description Command related to Scaleout configuration are available in the Configuring Scaleout guide.

show session
Description Display session information.

Syntax show session

[
brief |
dns-id-switch |
ds-lite [suboptions]|
filter {name | config} |
full-width
ipv4 [addr-suboptions] |
ipv6 [addr-suboptions] |
nat44 [suboptions] |
nat64 [suboptions] |
persist [persistence-type [addr-suboptions]] |

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 334

A10 Thunder Series and AX Series—Command Line Interface

radius |
sctp |
server [name] |
sip [addr-suboptions] |
sixrd-nat64 [suboptions] |
virtual-server [name]
]

Parameter Description
brief Displays summary statistics for all session types.
dns-id-switch Displays statistics for DNS switch sessions.
ds-lite Displays statistics for DS-Lite sessions. The following options are available:
• dest-port num—View sessions with the specified destination port (1-65535).
• dest-v4-addr ipaddr[/length]—View sessions with the specified destination IPv4
address.
• dest-v6-addr ipaddr[/length]—View sessions with the specified destination IPv6
address.
• source-port num—View sessions with the specified source port (1-65535).
• source-v4-addr ipaddr[/length]—View sessions with the specified source
IPv4 address.
• source-v6-addr ipaddr[/length]—View sessions with the specified source
IPv6 address.
Not all suboptions are available for use in conjunction with others. For example, if the first subop-
tion you enter is dest-addr, the only additional suboption you can specify is dest-port.

filter Displays information about configured session filters.

{name | config}
Specify config to view all configured session filters, or specify a filter name to view the
specified filter only.
full-width Display full IPv6 addresses. By default, IPv6 addresses are truncated to 22 characters.
ipv4 Displays information for IPv4 sessions. The following address suboptions are available:
• dest-port num—View sessions with the specified destination port (1-65535).
• dest-v4-addr ipaddr[/length]—View sessions with the specified destination IPv4
address.
• source-port num—View sessions with the specified source port (1-65535).
• source-v4-addr ipaddr[/length]—View sessions with the specified source
IPv4 address.
Not all suboptions are available for use in conjunction with others. For example, if the first subop-
tion you enter is dest-addr, the only additional suboption you can specify is dest-port.

page 335 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
ipv6 Displays information for IPv6 sessions. The following address suboptions are available:
• dest-port num—View sessions with the specified destination port (1-65535).
• dest-v6-addr ipaddr[/length]—View sessions with the specified destination IPv6
address.
• source-port num—View sessions with the specified source port (1-65535).
• source-v6-addr ipaddr[/length]—View sessions with the specified source
IPv6 address.
Not all suboptions are available for use in conjunction with others. For example, if the first subop-
tion you enter is dest-addr, the only additional suboption you can specify is dest-port.

nat44 Displays information for NAT44 sessions.

The supported suboptions are the same as for ipv4 (see above).
nat64 Displays information for NAT64 sessions.
The supported suboptions are the same as for ipv6 (see above).
persist Displays session persistence information.
[type
The following persistence types can be specified:
[suboptions]]
• dst-ip—Displays destination-IP persistent sessions.
• ipv6—Displays IPv6 sessions.
• src-ip—Displays source-IP persistent sessions.
• ssl-sid—Displays SSL-session-ID persistent sessions.
• uie—Displays sessions that are made persistent by the aFleX persist uie command.
The available suboptions are the same as the ones for ipv4 (see above).

radius Displays RADIUS session information.

sctp Displays SCTP sessions only.
server [name] Displays sessions for real servers, or a specific server name.
sip Displays information for Session Initiation Protocol (SIP) sessions. The following suboptions are
available:
• dest-port num—View sessions with the specified destination port (1-65535).
• dest-v4-addr ipaddr[/length]—View sessions with the specified destination IPv4
address.
• dest-v6-addr ipaddr[/length]—View sessions with the specified destination IPv6
address.
• smp-sip-rtp num—View SIP sessions.

sixrd-nat64 Displays 6rd-NAT64 session statistics. The available suboptions are the same as for ds-lite (see
above).
virtual-server Displays sessions for virtual servers, or a specific virtual server name.
[name]

Mode All

Usage For convenience, you can save session display options as a session filter. (See “session-filter”
on page 188.)

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 336

A10 Thunder Series and AX Series—Command Line Interface

Note on Clearing Sessions

After entering the clear session command, the ACOS device may remain in session-
clear mode for up to 10 seconds. During this time, any new connections are sent to the delete
queue for clearing.

Example The following command lists information for all IPv4 sessions:

ACOS(config)#show session ipv4

Traffic Type Total
--------------------------------------------
TCP Established 2
TCP Half Open 0
TCP Half Close 0
UDP 0
Non TCP/UDP IP sessions 0
Other 0
Reverse NAT TCP 0
Reverse NAT UDP 0
Free Buff Count 0
Curr Free Conn 2007033
Conn Count 10
Conn Freed 8
TCP SYN Half Open 0
Conn SMP Alloc 13
Conn SMP Free 2
Conn SMP Aged 2
Conn Type 0 Available 3997696
Conn Type 1 Available 2031615
Conn Type 2 Available 999424
Conn Type 3 Available 499712
Conn Type 4 Available 249856
Conn SMP Type 0 Available 3997696
Conn SMP Type 1 Available 1998848
Conn SMP Type 2 Available 999424
Conn SMP Type 3 Available 507875
Conn SMP Type 4 Available 249856

Prot Forward Source Forward Dest Reverse Source Reverse

Dest Age Hash Flags
------------------------------------------------------------------------------------------
-----------------
Tcp 1.0.4.147:49107 1.0.100.1:21 1.0.3.148:21 1.0.4.147:49107
120 2 OS
Tcp 1.0.16.2:58736 1.0.100.1:21 1.0.3.148:21 1.0.16.2:58736
60 2 OS

page 337 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Total Sessions: 2

The following table describes the fields in the command output.

Field Description
TCP Established Number of established TCP sessions.
TCP Half Open Number of half-open TCP sessions. A half-open session is one for which the ACOS device has not yet
received a SYN ACK from the backend server.
TCP Half Close Number of half-closed TCP sessions. A half-closed TCP session is a session in which the server sends a
FIN but the client does not reply with an ACK.
UDP Number of UDP sessions.
Non TCP/UDP IP Number of IP sessions other than TCP or UDP sessions.
sessions This counter applies specifically to IP protocol load balancing. (See the “IP Protocol Load Balancing”
chapter in the Application Delivery and Server Load Balancing Guide.)
Other Number of internally used sessions. As an example, internal sessions are used to hold fragmentation
information.
Reverse NAT TCP Number of reverse-NAT TCP sessions.
Reverse NAT UDP Number of reverse-NAT UDP sessions.
Free Buff Count Number of IO buffers currently available.
Curr Free Conn Number of Layer 4 sessions currently available.
Conn Count Number of connections.
Conn Freed Number of connections freed after use.
TCP SYN Half Number of half-open TCP sessions. These are sessions that are half-open from the client’s perspective.
Open
Conn SMP Alloc Statistics for session memory resources.
Conn SMP Free
Conn SMP Aged
Conn Type 0-4
Available
Conn SMP Type
0-4 Available
Prot Transport protocol.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 338

A10 Thunder Series and AX Series—Command Line Interface

Field Description
Forward Source Client IP address when connecting to a VIP.
Notes:
• For DNS sessions, the client’s DNS transaction ID is shown instead of a protocol port number.
• The output for connection-reuse sessions shows 0.0.0.0 for the forward source and forward
desti- nation addresses.
• For source-IP persistent sessions, if the option to include the client source port (incl-
sport) is enabled in the persistence template, the client address shown in the Forward
Source column includes the port number.
• IPv4 client addresses – The first two bytes of the displayed value are the third and fourth
octets of the client IP address. The last two bytes of the displayed value represent the client
source port. For example, “155.1.1.151:33067” is shown as “1.151.129.43”.
• IPv6 client addresses – The first two bytes in the displayed value are a “binary OR” of the first
two bytes of the client’s IPv6 address and the client’s source port number. For example,
“2001:ff0:2082:1:1:1:d1:f000” with source port 38287 is shown as
“b58f:ff0:2082:1:1:1:d1:f000”.
Also see the output examples below.
Forward Dest VIP to which the client is connected.
Reverse Source Real server’s IP address.
Note: If the ACOS device is functioning as a cache server (RAM caching), asterisks ( * ) in this field
and the Reverse Dest field indicate that the ACOS device directly served the requested content to the
cli- ent from the ACOS RAM cache. In this case, the session is actually between the client and the
ACOS device rather than the real server.
Reverse Dest IP address to which the real server responds.
• If source NAT is used for the virtual port, this address is the source NAT address used by the
ACOS device when connecting to the real server.
• If source IP NAT is not used for the virtual port, this address is the client IP address.
Age Number of seconds since the session started.
Hash CPU ID.
Flags This is an internal flag used for debugging purposes. This identifies the attributes of a session.
Type Indicates the session type, which can be one of the following:
• SLB-L4 – SLB session for Layer 4 traffic.
• SLB-L7 – SLB session for Layer 7 traffic.
• NAT – Network Address Translation (NAT) session for dynamic NAT.
• ST-NAT – NAT session for static NAT.
• ACL – Session for an ACL.
• TCS – Transparent Cache Switching session.
• XNT – Transparent session.

The following counters apply only to the current partition:

• TCP Established
• TCP Half Open
• UDP
• Non TCP/UDP IP sessions

page 339 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

• Other
• Reverse NAT TCP
• Reverse NAT UDP

The other counters apply to all partitions, regardless of the partition from which the
command is entered.

Example The following command displays the IPv4 session for a specific source IP address:

ACOS(config)#show session ipv4 source-addr 1.0.4.147

Prot Forward Source Forward Dest Reverse Source Reverse
Dest Age Hash Flags
------------------------------------------------------------------------------------------
-----------------
Tcp 1.0.4.147:49107 1.0.100.1:21 1.0.3.148:21 1.0.4.147:49107
120 2 OS
Total Sessions: 1

Example The following commands display IPv4 source-IP persistent sessions, clear one of the
sessions, then verify that the session has been cleared:

ACOS(config)#show session persist src-ip

Prot Forward Source Forward Dest Reverse Source Age Hash Flags
------------------------------------------------------------------------------------
src 1.0.16.2 1.0.100.1:21 1.0.3.148 6000 120 2 OS
src 1.0.4.147 1.0.100.1:21 1.0.3.148 6000 120 2 OS
Total Sessions: 2
ACOS(config)#clear sessions persist src-ip source-addr 1.0.16.2
ACOS(config)#show session persist src-ip
Prot Forward Source Forward Dest Reverse Source Age Hash Flags
------------------------------------------------------------------------------------
src 1.0.4.147 1.0.100.1:21 1.0.3.148 5880 2 OS

In this example, IPv4 source-IP persistent sessions are shown. The incl-sport option in
the source-IP persistence template is enabled, so the value shown in the Forward Source
column is a combination of the client source IP address and source port number. The first
two bytes of the displayed value are the third and fourth octets of the client IP address. The
last two bytes of the displayed value represent the client source port.

Example The following commands display IPv6 source-IP persistent sessions:

ACOS(config)#show session persist ipv6

Prot Forward Source
Forward Dest
Reverse Source Age
------------------------------------------------------------------
src [2001:ff0:2082:1:1:1:d1:f000]
[2001:ff0:2082:1:1:1:f000:1111]:80

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 340

A10 Thunder Series and AX Series—Command Line Interface

[2001:ff0:2082:4:1:1:f000:1e4]:6880 300

In the output above, the Forward Source column shows the client’s IPv6 address but does
not show the port number. The port number is omitted because the incl-sport option
in the source-IP persistence template is disabled.

In the output below, the same client IPv6 address is shown. However, in this case, the
incl- sport option in the source-IP persistence template is enabled. Therefore, the
Forward Source column includes the port number. The first two bytes in the displayed value
are a “binary OR” of the first two bytes of the client’s IPv6 address and the client's source
port number. In this example, the Forward source value is “b58f:ff0:2082:1:1:1:d1:f000”. The
first two bytes, “b58f”, are a “binary OR” value of “2001” and port number 38287.

ACOS(config)#show session persist ipv6

Prot Forward Source
Forward Dest
Reverse Source Age
------------------------------------------------------------------
src [b58f:ff0:2082:1:1:1:d1:f000]
[2001:ff0:2082:1:1:1:f000:1111]:80
[2001:ff0:2082:4:1:1:f000:1e3]:6880 300

Example The following command shows active RADIUS sessions:

ACOS#show session radius

Traffic Type Total
--------------------------------------------
TCP Established 0
TCP Half Open 0
UDP 30
...

Prot Forward Source Forward Dest Reverse Source Reverse

Dest Age Hash Flags Radius ID
----------------------------------------------------------------------------------------
Udp 10.11.11.50:32836 10.11.11.90:1812 10.11.11.15:1812 10.11.11.50:32836
120 1 NSe0 104
Udp 10.11.11.50:32836 10.11.11.90:1812 10.11.11.12:1812 10.11.11.50:32836
120 1 NSe0 111
...
Udp 10.11.11.50:32836 10.11.11.90:1812 10.11.11.14:1812 10.11.11.50:32836
120 7 NSe0 103
Udp 10.11.11.50:32836 10.11.11.90:1812 10.11.11.11:1812 10.11.11.50:32836
120 7 NSe0 222
Total Sessions: 30

The session table contains a separate session for each RADIUS Identifier value. The
following address information is shown for each session:

page 341 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

• Forward Source – The sender of the RADIUS message. This is the IP address of the BRAS.
• Forward Dest – The RADIUS VIP on the ACOS device.
• Reverse Source – The RADIUS server to which the ACOS device sends requests
that have the Identifier listed in the RADIUS ID field.
• Reverse Dest – The destination of the RADIUS server reply forwarded by the ACOS
device. (This is the sender of the initial RADIUS message that started the session, the
BRAS in the example above.)

Example The following example displays the output when viewing the sessions on a real server
named “s2” whose IP address is 172.16.1.11:

ACOS(config)#show session server s2

Traffic Type Total
--------------------------------------------
TCP Established 5
TCP Half Open 0
UDP 0
Non TCP/UDP IP sessions 0
Other 0
Reverse NAT TCP 0
Reverse NAT UDP 0
Curr Free Conn 2018015
Conn Count 47300
Conn Freed 46529
TCP SYN Half Open 0
Conn SMP Alloc 22
Conn SMP Free 0
Conn SMP Aged 0
Conn Type 0 Available 3866493
Conn Type 1 Available 1932797
Conn Type 2 Available 950272
Conn Type 3 Available 482942
Conn Type 4 Available 241406
Conn SMP Type 0 Available 3801088
Conn SMP Type 1 Available 1900544
Conn SMP Type 2 Available 950272
Conn SMP Type 3 Available 483305
Conn SMP Type 4 Available 237568
Prot Forward Source Forward Dest Reverse Source Reverse DestAge Hash Flags Type
------------------------------------------------------------------------------
Tcp 172.16.2.10:59992 172.16.2.200:80 172.16.1.11:80 172.16.1.50:18254
600 1 NSe1 SLB-L7
Tcp 172.16.2.10:60171 172.16.2.200:44333 172.16.1.11:80 172.16.1.50:18253
600 1 NSe1 SLB-L7
Total Sessions: 2

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 342

A10 Thunder Series and AX Series—Command Line Interface

show sflow
Description Show sFlow information.

Syntax show sflow statistics

Mode All

show shutdown
Description Display scheduled system shutdowns.

Syntax show shutdown

Mode Privileged EXEC level and configuration levels

Example The following command shows a scheduled shutdown on an ACOS device:

ACOS#show shutdown
Shutdown scheduled for 12:00:00 PST Sat Jan 19 2008 (in 358 hours and
23 minutes) by admin on 192.168.1.144
Shutdown reason: Scheduled shutdown

show slb

Description See “SLB Show Commands” in the Command Line Interface Reference for ADC.

show smtp
Description Display SMTP information.

Syntax show smtp

Mode All

Example The following command shows the SMTP server address:

ACOS#show smtp
SMTP server address: 192.168.1.99

show snmp
Description Display SNMP OIDs.

For more information, see the MIB Reference.

Syntax show snmp oid

{
server [svr-name] [port portnum] |
service-group

page 343 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

[sg-name] [addr-type {firewall | tcp | udp}]

[port portnum] [server-member name] |
virtual-server [vs-name] [port portnum]

Parameter Description
server svr-name Returns OIDs for the axServerStatTable.
If a name is specified, this command returns OIDs for the axServerPortStatTable.
service-group sg-name Returns OIDs for the axServiceGroupStatTable.
If a name is specified, this command returns OIDs for the axServerPortStatTable.
You can narrow the command output by specifying the IP address type for addr-type or
specific service-group member. Valid address types are firewall, tcp, or udp.
virtual-server vs-name Returns OIDs for the axVirtualServerStatTable.
If a name is specified, this command returns OIDs for the axVirtualServerPortStatTable.
port port-num Returns OIDs for the specific port of a virtual server.
If no port is specified, this command returns OIDs for all virtual port entries of the speci-
fied VIP.

Mode All

Example The sample command output below narrows the displayed OIDs for TCP IP addresses:

ACOS#show snmp oid service-group sg1 addr-type tcp

OID for axServiceGroupMemberStatTable
service-group-name sg1: type 2: server-name s2: port 80
==========================================================================
axServiceGroupMemberStatName:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.1.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatAddrType:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.2.3.115.103.49.2.2.115.50.80
axServerNameInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.3.3.115.103.49.2.2.115.50.80
axServerPortNumInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.4.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatPktsIn:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.5.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatBytesIn:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.6.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatPktsOut:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.7.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatBytesOut:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.8.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatPersistConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.9.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatTotConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.10.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatCurConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.11.3.115.103.49.2.2.115.50.80

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 344

A10 Thunder Series and AX Series—Command Line Interface

axServerPortStatusInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.12.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatTotalL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.13.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatTotalCurrL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.14.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatTotalSuccL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.15.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatResponseTime:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.16.3.115.103.49.2.2.115.50.80
axServiceGroupMemberStatPeakConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.17.3.115.103.49.2.2.115.50.80
service-group-name sg1: type 2: server-name s1: port 80
==========================================================================
axServiceGroupMemberStatName:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.1.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatAddrType:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.2.3.115.103.49.2.2.115.49.80
axServerNameInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.3.3.115.103.49.2.2.115.49.80
axServerPortNumInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.4.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatPktsIn:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.5.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatBytesIn:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.6.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatPktsOut:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.7.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatBytesOut:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.8.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatPersistConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.9.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatTotConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.10.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatCurConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.11.3.115.103.49.2.2.115.49.80
axServerPortStatusInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.12.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatTotalL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.13.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatTotalCurrL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.14.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatTotalSuccL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.15.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatResponseTime:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.16.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatPeakConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.17.3.115.103.49.2.2.115.49.80

Example This output narrows the displayed OIDs for the service-group member “s1”:

page 345 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

ACOS#show snmp oid service-group sg1 server-member s1

OID for axServiceGroupMemberStatTable
service-group-name sg1: type 2: server-name s1: port 80
==========================================================================
axServiceGroupMemberStatName:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.1.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatAddrType:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.2.3.115.103.49.2.2.115.49.80
axServerNameInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.3.3.115.103.49.2.2.115.49.80
axServerPortNumInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.4.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatPktsIn:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.5.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatBytesIn:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.6.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatPktsOut:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.7.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatBytesOut:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.8.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatPersistConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.9.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatTotConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.10.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatCurConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.11.3.115.103.49.2.2.115.49.80
axServerPortStatusInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.12.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatTotalL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.13.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatTotalCurrL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.14.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatTotalSuccL7Reqs:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.15.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatResponseTime:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.16.3.115.103.49.2.2.115.49.80
axServiceGroupMemberStatPeakConns:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.17.3.115.103.49.2.2.115.49.80

show snmp-stats all

Description Display SNMP statistics.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 346

A10 Thunder Series and AX Series—Command Line Interface

NOTE: SNMP statistics also are included automatically in show techsupport output.

Syntax show snmp-stats all

Mode All

Example The following command displays SNMP statistics:

ACOS#show snmp-stats all

Bad SNMP version errors 0

Unknown community name 0
Illegal operation for community name 0
Encoding Error 0
Unknown security models 0
Invalid ID 0
Input packets 0
Number of requested variables 0
Get-Request PDUs 0
Get-Next PDUs 0
Packets drop 0
Too big errors 0
No such name errors 0
Bad values errors 0
General errors 0
Output packets 0
Get-Response PDUs 0
SNMP output traps 0

show startup-config
Description Display a configuration profile or display a list of all the locally saved configuration profiles.

Syntax show startup-config all

Syntax show startup-config

[profile profile-name
[all-partitions | partition {shared | partition-name}]
]

Parameter Description
profile profile-name Displays the commands that are in the specified configuration profile.
all Displays a list of the locally stored configuration profiles.

page 347 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Parameter Description
all-partitions Shows all resources in all partitions. In this case, the resources in the shared parti-
tion are listed first. Then the resources in each private partition are listed, organized
by partition.
partition Shows only the resources in the specified partition.
{shared | partition-name}

Mode All

Usage The profile name must be specified before any partition names.

The all-partitions and partition partition-name options are applicable

on ACOS devices that are configured with L3V partitions. If you omit both options, only the
resources in the shared partition are shown. (If no partitions are configured, all resources
are in the shared partition, so you can omit both options.)

The all-partitions option is applicable only to admins with Root, Read-write, or

Read- only privileges. (See “show admin” on page 243 for descriptions of the admin
privilege levels.)

When entered without the all or profile-name option, this command displays the
contents of the configuration profile that is currently linked to “startup-config”. Unless you
have relinked “startup-config”, the configuration profile that is displayed is the one that is
stored in the image area from which the ACOS device most recently rebooted.

Example The following example shows how to view the startup-config in partition “companyB”
(trun- cated for brevity):

ACOS# show startup-config partition companyB

Show startup-config profile in partition "companyB"
Building configuration...

!Current configuration: 2442 bytes

!Configuration last updated at 11:23:01 IST Tue Sep 30 2014
!Configuration last saved at 11:31:59 IST Tue Sep 30 2014
!
active-partition companyB
!
exit
!
!
ip access-list test
remark 123
exit
!
!
ipv6 access-list test
remark 123

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 348

A10 Thunder Series and AX Series—Command Line Interface

exit
!
...

show statistics
Description Display packet statistics for Ethernet interfaces.

Syntax show statistics [interface int-type port-num]

Mode All

Example The following command shows brief statistics for all Ethernet interfaces on an ACOS device:

ACOS# show statistics

Port Good Rcv Good Sent Bcast Rcv Bcast Sent Errors
---------------------------------------------------------------------------
1 3026787 3013699 91573 154220 0
2 0 0 0 0 0
3 0 0 0 0 0
...

Example The following command shows detailed statistics for Ethernet interface 1:

ACOS# show statistics interface ethernet 1

Port Link Dupl Speed IsTagged MAC Address
---------------------------------------------------
1 Up Full 1000 Untagged 0090.0B0A.D860

Port 1 Counters:

InPkts 6926 OutPkts 427659

InOctets 477802 OutOctets 323788182
InBroadcastPkts 5573 OutBroadcastPkts 62389
InMulticastPkts 0 OutMulticastPkts 359729
InBadPkts 0 OutBadPkts 0
OutDiscards 0 Collisions 0
InLongOctet 477802 InAlignErr 0
InLengthErr 0 InOverErr 0
InFrameErr 0 InCrcErr 0
InNoBufErr 0 InMissErr 48
InLongLenErr 0 InShortLenErr 0
OutAbortErr 0 OutCarrierErr 0
OutFifoErr 0 OutLateCollisions 0
InFlowCtrlXon 0 OutFlowCtrlXon 0
InFlowCtrlXoff 0 OutFlowCtrlXoff 0

page 349 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

InBufAllocFailed 0
InUtilization 15 OutUtilization 0

show store
Description Display the configured file transfer profiles in the credential store. The credential store is
a saved set of access information for file transfer between the ACOS device and remote
file servers.

Syntax show store [backup | export | import] name

Mode All

Example The example below shows an example of this command output:

ACOS(config)# show store export

Export Store Information
StoreName url SuccessRate FailedRate
=============================================================================================
green-export-store tftp://:****@172.17.3.156/green.txt 0 0

show switch
Description Display internal system information from the ASIC registers for troubleshooting.

NOTE: This command is only supported on some AX Series devices, and not all parameters
are supported on all devices. Use the “?” character to find out whether or not this
command is supported on your system, and which parameters are supported.

Mode show switch {debug | mac-table | vlan-table | xfp-temp}

Parameter Description
debug View debug information.
mac-table View the MAC addresses configured on the ASIC.
vlan-table View the VLANs configured on the ASIC.
xfp-temp View the XFP temperatures.

Mode All

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 350

A10 Thunder Series and AX Series—Command Line Interface

show system cpu-list

Description Display the CPU list.

Syntax show system cpu-list

Mode All

show system cpu-load-sharing

Description Displays CPU load sharing information.

CPU load sharing can be configured using the system cpu-load-sharing command.

Syntax show system cpu-load-sharing [statistics [detail]]

Parameter Description
statistics Shows CPU load sharing statistics.
detail Show per-CPU counters.

Mode All

Example The following command shows output from the CPU load sharing feature. In this example,
the counter for the “Load Sharing Trggered” field is incremented every time a CPU enters
into load-sharing mode. Similarly, the counter for the “Load Sharing Untriggered” field is
incre- mented every time a CPU is subsequently removed from load-sharing mode.

ACOS(config)#show system cpu-load-sharing statistics

CPU Load-Sharing Stats
---------------------
Load Sharing Triggered 1
Load Sharing Untriggered 1

Example If the command is used without the statistics option, then the output simply
displays which CPUs are in load-sharing mode. The example below shows that CPU 1,
CPU 2, and CPU 3 are in load-sharing mode.

ACOS(config)#show system cpu-load-sharing

CPUs in Load-Sharing Mode: 1 2 3

show system platform

Description Display platform-related information and statistics.

Syntax show system platform

{buffer-stats |

page 351 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

cpu-packet-statistics |
busy-counter |
interface-stats |
statistics
}

Parameter Description
buffer-stats Shows counters for buffer statistics.
cpu-packet-statistics Shows per-CPU packet statistics.
busy-counter Shows counters for system busy statistics.
interface-stats Shows counters for interface statistics.
statistics Shows counters for internal statistics.

Mode All

Example The following command shows platform buffer statistics:

ACOS# show system platform buffer-stats

# buffers in Q0 cache: 2049 App: 0 TCPQ: 0 misc: 0
# buffers in Q1 cache: 4096 App: 0 TCPQ: 0 misc: 0
# buffers in Q2 cache: 4096 App: 0 TCPQ: 0 misc: 0
# buffers in Q3 cache: 4096 App: 0 TCPQ: 0 misc: 0
# buffers in Q4 cache: 4096 App: 0 TCPQ: 0 misc: 0
# buffers in Q5 cache: 4096 App: 0 TCPQ: 0 misc: 0
# buffers in Q6 cache: 4096 App: 0 TCPQ: 0 misc: 0
# buffers in Q7 cache: 4096 App: 0 TCPQ: 0 misc: 0
Approximate # buffers in App 0
Approximate # buffers in App_cp 0
Approximate # buffers in Cache_cp 1023
Approximate # buffers in Cache 30721
Approximate # buffers in Queue 0
Approximate # buffers in misc 0
Approximate # buffers free 100351
Approximate # buffers avail from HW
99309
show system port-
list

Description Display the port list.

Syntax show system port-list

Mode All

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 352

A10 Thunder Series and AX Series—Command Line Interface

show system resource-usage

Description Display the minimum and maximum numbers of system resources that can be
configured or used, the default maximum number allowed by the configuration, and the
number currently in use.

For example, the “l4-session-count” row of the output shows the number of Layer 4 sessions
that are currently in use, as well as the maximum number currently supported by the
configuration (the default maximum), and the range of values that can be assigned to the
default maximum.

In general, if a resource listed in the output has the same value in the Current and Maximum
columns (GSLB resources, for example), then the allocation for that resource can not be
changed.

Syntax show system resource-usage [template [default | template-name]]

Mode All

Usage To change system resource usage settings, see “system resource-usage” on page 200 com-
mand.

You must reload or reboot the system after making changes to system resource-usage
settings in order to place the changes into effect. For most system resource-usage settings, a
reload is sufficient. However, a change to the l4-session-count setting requires a reboot.

If the target device is not reloaded, the system resource-usage settings synchronized
from the active device appear in the standby device’s running-config, but do not actually
take effect until the reload or reboot.

• If you manually synchronize the configuration, you have the option to reload the target
device immediately following the synchronization. If you do not use this option, you
can reload the device later.
• If you are using VRRP-A in combination with aVCS, configuration synchronization is
automatic. In this case, you must reload or reboot the target device to place the
system resource-usage changes into effect.

NOTE: The target device is not automatically reloaded following configuration synchroni-
zation.

Example Below is a sample output for this command.

ACOS# show system resource-usage

Resource Current Default Minimum Maximum
--------------------------------------------------------------------------
l4-session-count 16777216 16777216 4194304 33554432
class-list-ipv6-addr-count 1024000 1024000 1024000 2048000
class-list-ac-entry-count 153600 153600 153600 307200
auth-portal-html-file-size 20 20 4 120
auth-portal-image-file-size 6 6 1 80
max-aflex-file-size 32768 32768 16384 262144

page 353 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

The following table describes the fields in this output for each resource.

Field Description
Current Number of resources (for example, Layer 4 sessions) currently in use.
Default Default number of maximum resources (for example, Layer 4
sessions) that can be configured based on the current configuration.
Minimum Minimum number of resources (for example, Layer 4 sessions) that
can be configured.
Maximum Maximum number of resources (for example, Layer 4 sessions)
that can be configured.

show tacacs-server
Description Display TACACS statistics.

Syntax show tacacs-server [hostname | ipaddr]

Parameter Description
hostname Only display information for the server with the specified host name.
ipaddr Only display information for the server with the specified IP address.

Mode All

Usage This command is available at all configuration levels, but the option to view information for
a specified server is only available at Global configuration mode or higher.

Example The following command shows information for TACACS server 5.5.5.5:

ACOS# show tacacs-server 5.5.5.5

TACACS+ server : 5.5.5.5:49
Socket opens: 0
Socket closes: 0
Socket aborts: 0
Socket errors: 0
Socket timeouts: 0
Failed connect attempts: 0
Total packets recv: 0
Total packets send: 0

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 354

A10 Thunder Series and AX Series—Command Line Interface

show techsupport
Description Display or export system information for use when troubleshooting.

Syntax show techsupport [export [use-mgmt-port] url] [page]

Option Description
export Export the output to a remote server.
use-mgmt-port Use the management port to perform the export.
url The file transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter to display a prompt for each
part of the URL. If you enter the entire URL and a password is required, you will still be
prompted for the password.
To enter the entire URL:
tftp://host/file
ftp://[user@]host[:port]/file
scp://[user@]host/file
sftp://[user@]host/file
page Shows the information page by page. Without this option, all the command’s output is sent
to the terminal at once.

Mode Privileged EXEC level and configuration levels

Example Below is an example of the output for this command using the page option:

ACOS# show techsupport page

============= Clock Info <Sep 30 2014 13:51:42.025524> =============

.14:51:42 IST Tue Sep 30 2014

============= Version Info <Sep 30 2014 13:51:42.059739> =============

AX Series Advanced Traffic Manager AXSoftAX
Copyright 2007-2014 by A10 Networks, Inc. All A10 Networks products
are protected by one or more of the following US patents:
8595819, 8595791, 8595383, 8584199, 8464333, 8423676, 8387128, 8332925, 8312507
8291487, 8266235, 8151322, 8079077, 7979585, 7804956, 7716378, 7665138, 7647635
7627672, 7596695, 7577833, 7552126, 7392241, 7236491, 7139267, 6748084, 6658114
6535516, 6363075, 6324286, 5875185, RE44701, 8392563, 8103770, 7831712, 7606912
7346695, 7287084, 6970933, 6473802, 6374300

64-bit Advanced Core OS (ACOS) version 4.0.0, build 407 (Sep-30-2014,07:38)

Booted from Hard Disk primary image

Serial Number: N/A

aFleX version: 2.0.0

page 355 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

aXAPI version: 3.0

Hard Disk primary image (default) version 4.0.0, build 407
Hard Disk secondary image version 2.7.0-P2, build 53
Last configuration saved at Sep-30-2014, 11:34
Virtualization type: VMware
Hardware: 1 CPUs(Stepping 7), Single 9G Hard disk
Memory 2054 Mbyte, Free Memory 492 Mbyte
Hardware Manufacturing Code: N/A
Current time is Sep-30-2014, 14:51
The system has been up 0 day, 3 hours, 16 minutes
--MORE--

show terminal
Description Show the terminal settings.

Syntax show terminal

Mode All

Example The following command shows the terminal settings.

ACOS#show terminal
Idle-timeout is 00:59:00
Length: 32 lines, Width: 90 columns
Editing is enabled
History is enabled, history size is 256
Auto size is enabled
Terminal monitor is off
Terminal prompt format: hostname
Command timestamp format: none

show tftp
Description Display the currently configured TFTP block size.

Syntax show tftp

Mode All

Example The following command shows the TFTP block size.

ACOS(config)# show tftp

TFTP client block size is set to 512

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 356

A10 Thunder Series and AX Series—Command Line Interface

show trunk
Description Show information about a trunk group.

Syntax show trunk num

Replace num with the trunk number

Mode All

Example The following command shows information for trunk group 1:

ACOS# show trunk 1

Trunk ID : 1 Member Count: 8
Trunk Status : Up
Members : 1 2 3 4 5 6 7 8
Cfg Status : Enb Enb Enb Enb Enb Enb Enb
Enb Oper Status : Up Up Up Up Up Up Up Up
Ports-Threshold : 6 Timer: 10 sec(s) Running:
No Working Lead : 1

The following table describes the fields in the command output.

Field Description
Trunk ID ID assigned to the trunk by the admin who configured it.
Member Count Number of ports in the trunk.
Trunk Status Indicates whether the trunk is up.
Members Port numbers in the trunk.
Cfg Status Configuration status of the port.
Oper Status Operational status of the port.
Ports-Threshold Indicates the minimum number of ports that must be up in order for
the trunk to remain up.
If the number of up ports falls below the configured threshold, ACOS
automatically disables the trunk’s member ports. The ports are dis-
abled in the running-config. The ACOS device also generates a log
message and an SNMP trap, if these services are enabled.
Timer Indicates how many seconds the ACOS device waits after a port goes
down before marking the trunk down, if the ports threshold is
exceeded.
Running Indicates whether the ports-threshold timer is currently
running. When the timer is running, a port has gone down but
the state change has not yet been applied to the trunk’s
state.
Working Lead Port number used for responding to ARP requests.
NOTE: If the lead port is shown as 0 or “None”, the trunk interface is
down.

page 357 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

show vcs
Description aVCS-specific show commands are available in Configuring ACOS Virtual Chassis Systems.

show version
Description Display software, hardware, and firmware version information.

Syntax show version

Mode All

Example Below is sample output for this command; note that the output on your system will
differ depending on your specific platform.

ACOS# show version

AX Series Advanced Traffic Manager AXvThunder
Copyright 2007-2016 by A10 Networks, Inc. All A10 Networks products
are protected by one or more of the following US patents:
9124550, 9122853, 9118620, 9118618, 9106561, 9094364, 9060003, 9032502
8977749, 8943577, 8918857, 8914871, 8904512, 8897154, 8868765, 8849938
8826372, 8813180. 8782751, 8782221, 8595819, 8595791, 8595383, 8584199
8464333, 8423676, 8387128, 8332925, 8312507, 8291487, 8266235, 8151322
8079077, 7979585. 7804956, 7716378, 7665138, 7647635, 7627672, 7596695
7577833, 7552126, 7392241, 7236491, 7139267, 6748084, 6658114, 6535516
6363075, 6324286, RE44701, 8392563, 8103770, 7831712, 7606912, 7346695
7287084, 6970933, 6473802, 6374300

64-bit Advanced Core OS (ACOS) version 4.1.0, build 324 (Jan-08-2016,05:26)

Booted from Hard Disk primary image
Licenses: Bandwidth
Serial Number: N/A
aFleX version: 2.0.0
aXAPI version: 3.0
Hard Disk primary image (default) version 4.1.0, build 324
Hard Disk secondary image version 2.7.2-P4, build 76
Last configuration saved at Jan-8-2016, 18:34
Virtualization type: KVM
Hardware: Thunder HVA
Build Type: Internal
Hardware: 1 CPUs(Stepping 3), Single 8G Hard disk
Memory 2046 Mbyte, Free Memory 509 Mbyte
Hardware Manufacturing Code: N/A
Current time is Jan-9-2016, 01:32
The system has been up 0 day, 6 hours, 56 minutes

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 358

A10 Thunder Series and AX Series—Command Line Interface

show vlan counters

Description View statistics/counters for configured VLANs or a specific VLAN.

Syntax show vlan counters [vlan-id]

Parameter Description
vlan-id View counters for the specified VLAN only (2-4094).

Mode All

Example Example output for this command, for a specific VLAN:

ACOS> show vlan counters 10

Broadcast counter
Multicast counter 0
IP Multicast counter 0
Unknown Unicast counter 0
Mac Movement counter 0

show vlans
Description Display the configured VLANs.

Syntax show vlans [vlan-id]

Parameter Description
vlan-id View information for the specified VLAN only (1-4094).

Mode All

Example The following command lists all the VLANs configured on an ACOS device:

ACOS# show vlans

Total VLANs: 4
VLAN 1, Name [DEFAULT VLAN]:
Untagged Ethernet Ports: 3 4 6 7 8 9 10 11
12 13 14 15 16 17 18 19
20
Tagged Ethernet Ports: None
Untagged Logical Ports: None
Tagged Logical Ports: None

VLAN 60, Name [None]:

page 359 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Untagged Ethernet Ports:None

Tagged Ethernet Ports: 2
Untagged Logical Ports: None
Tagged Logical Ports: None

Router Interface: ve 60

VLAN 100, Name [None]:

Untagged Ethernet Ports: None
Tagged Ethernet Ports: 5
Untagged Logical Ports: None
Tagged Logical Ports: None

Router Interface: ve 100

VLAN 120, Name [None]:

Untagged Ethernet Ports: None
Tagged Ethernet Ports: 1
Untagged Logical Ports: None
Tagged Logical Ports: None

Router Interface: ve 120

show vpn
Description Show VPN information.

Syntax show vpn [

all-partitions |
crl |
default |
ike-sa |
ike-stats |
ike-stats-global |
ipsec-sa |
log |
ocsp

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 360

A10 Thunder Series and AX Series—Command Line Interface

partition {shared | partition-name}

]

Parameter Description
all-partitions Show VPN configuration summary for all partitions.
crl Show cached VPN Certificate Revocation Lists (CRL) certificates.
default Show default VPN configuration.
ike-sa Show VPN IKE Security Association (SA).
ike-stats Show VPN IKE statistics.
ike-stats-global Show VPN IKE global statistics.
ipsec-sa Show VPN IPsec Security Association (SA).
log Show VPJN log and debug information.
ocsp Show cached VPN Online Certificate Status Protocol (OCSP)
cer- tificates.
partition Show VPN configuration for the specified partition only.

Mode All

Example Below is an example output for this command.

ACOS# show vpn

IKE Gateway total: 0
IPsec total: 0

IKE SA total: 0
IPsec SA total: 0

IPsec mode: software

IPsec passthrough
traffic

CPU 0 processed 0 packets

show vrrp-a
Description All show commands related to VRRP-A are available in Configuring VRRP-A High Availability.

show waf
Description Display information for the Web Application Firewall (WAF). See the Web Application
Firewall Guide.

page 361 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

show web-category
Description Show information the about current operation of the Web Category feature.

Syntax show web-category

{
bypassed-urls [num | all] |
database |
intercepted-urls [num | all] |
license |
url-category name [local-db-only] |
version
}

Parameter Description
bypassed- Lists the URLs bypassed by the Web Category feature.
urls
num – Specifies the number of URLs to list, 1-8000. The most
[num | all]
recently bypassed URLs, up to the number you specify, are listed.
all – Displays the entire list of URLs bypassed by the feature.
The entries are listed beginning with the most recently bypassed
URL on top. If a URL is bypassed multiple times, the URL is listed
separately for each time it bypassed.
By default, the 50 most recent entries are shown.

database Shows information about the currently loaded BrightCloud database.

intercepted- Lists the URLs intercepted by the Web Category feature.
urls
num – Specifies the number of URLs to list, 1-8000. The most
[num | all]
recently bypassed URLs, up to the number you specify, are listed.
all – Displays the entire list of URLs bypassed by the feature.
The entries are listed beginning with the most recently intercepted
URL on top. If a URL is intercepted multiple times, the URL is listed
sep- arately for each time it intercepted.
By default, the 50 most recent entries are shown.

license Shows detailed information about the license.

url-category Shows categories returned by BrightCloud library for the specified
url-name URL.
[local-db-
local-db-only – Checks only the local database and service
only]
cache. Does not make a cloud query to fetch the category list for this
URL.
version Shows the current version of the Web Category engine.

Mode All

Example The following command shows the URLs bypassed by the Web Category feature:

ACOS#show web-category bypassed-urls

paper.example.com
paper.example.com

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 362

A10 Thunder Series and AX Series—Command Line Interface

paper.example.com
paper.example.com
step.example.com
metrics1.example.com
step.example.com
paper.example.com
online.example.com
...

Example The following command shows information about the currently loaded BrightCloud data-
base:

ACOS#show web-category database

Database name : full_bcdb_4.457.bin
Database size : 352 MB
Database version : 457
Last Update Time : Fri Jan 23 00:00:40 2015
Next Update Time : Sat Jan 24 00:00:43 2015
Connection Status : GOOD
Last Successful Connection : Fri Jan 23 15:54:43 2015

Example The following command shows the URLs intercepted by the Web Category feature:

ACOS#show web-category intercepted-urls

fhr.data.example.com
fhr.data.example.com
fhr.data.example.com
aus3.example.org
blocklist.addons.example.org
aus4.example.org

Default versioncheck-bg.addons.example.org
versioncheck-bg.addons.example.org
services.addons.example.org
aus3.example.org
fhr.data.example.com
...

page 363 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

Example The following commands show the web categories to which some individual URLs belong.
In this example, the categories for the URLs in the ACOS device’s local database match
the most recent categorizations from the BrightCloud server.

ACOS#show web-category url-category www.google.com

Search Engines
ACOS#show web-category url-category www.google.com local-db-only
Search Engines
ACOS#show web-category url-category www.youtube.com
Streaming Media
ACOS#show web-category url-category www.youtube.com local-db-only
Streaming Media

Example The following command shows the current version of the Web Category engine:

ACOS#show web-category version

version: 4.0

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 364

AX Debug Commands

The AX debug subsystem enables you to trace packets on the ACOS device. To access the AX debug subsystem, enter the
following command at the Privileged EXEC level of the CLI:

ACOS# axdebug

The CLI prompt changes as follows:

ACOS(axdebug)#

This chapter describes the debug-related commands in the AX debug subsystem.

To perform ACOS debugging using this subsystem:

1. Use the filter command to configure packet filters to match on the types of packets to capture.
2. (Optional) Use the count command to change the maximum number of packets to capture.
3. (Optional) Use the timeout command to change the maximum number of minutes during which to capture packets.
4. (Optional) Use the incoming | outgoing command to limit the interfaces on which to capture traffic.
5. Use the capture command to start capturing packets. The ACOS device begins capturing packets that match the
filter, and saves the packets to a file or displays them, depending on the capture options you specify.
6. To display capture files, use the show axdebug file command.
7. To export capture files, use the export command at the Privileged EXEC or global configuration level of the CLI.

The AXdebug utility creates a debug file in packet capture (PCAP) format. The PCAP format can be read by third-party
diag- nostic applications such as Wireshark, Ethereal (the older name for Wireshark) and tcpdump. To simplify export of
the PCAP file, the ACOS device compresses it into a zip file in tar format. To use a PCAP file, you must untar it first.

The following commands are available:

• apply-config
• capture
• count
• delete
• filter
• incoming | outgoing
• length

page 365 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

• maxfile
• outgoing
• save-config
• timeout

apply-config
Description Apply an AXdebug configuration file.

AXdebug configuration files can be created with the save-config command.

Syntax apply-config file

Replace file with the name of an existing AXdebug configuration file (1-63 characters).

Mode AX debug

Example The following example applies the debug configuration saved in the example-ax-debug file:

ACOS# axdebug
ACOS(axdebug)# apply-config testfile
Applying debug commands
Done
example-ax-debug has been applied.
ACOS(axdebug)#

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 366

A10 Thunder Series and AX Series—Command Line Interface

capture
Description Start capturing packets.

Syntax [no] capture parameter

Parameter Description
brief [save ...] Captures basic information about packets. (For save options, see save filename
below.)
detail [save ...] Captures packet content in addition to basic information. (For save options, see
save filename below.)
non-display [save ...] Does not display the captured packets on the terminal screen. Use the save
options to configure a file in which to save the captured packets.
save filename Saves captured packets in a file:
[max-packets]
• filename – Specifies the name of the packet capture file.
[incoming [portnum ...]]
[outgoing [portnum ...]] • max-packets – Specifies the maximum number of packets to capture in the
file, 0-65535. To save an unlimited number of packets in the file, specify 0.
• incoming [portnum ...] – Captures inbound packets. You can specify
one or more physical Ethernet interface numbers. Separate the interface
numbers with spaces. If you do not specify interface numbers, inbound traffic on
all physical Ethernet interfaces is captured.
• outgoing [portnum ...] – Captures outbound packets on the specified
phys- ical Ethernet interfaces or on all physical Ethernet interfaces. If you do not
specify interface numbers, outbound traffic on all physical Ethernet interfaces is
captured.

Default By default, packets in both directions on all Ethernet data interfaces are captured.

NOTE: The traffic also must match the AX debug filters.

Mode AX debug

Usage To minimize the impact of packet capture on system performance, it is recommended

that you configure an AX debug filter before beginning the packet capture.

To display a list of AX debug capture files or to display the contents of a capture file, see
“show axdebug file” on page 250.

Example The following command captures brief packet information for display on the terminal
screen. The output is not saved to a file.

ACOS# axdebug
ACOS(axdebug)# capture brief
Wait for debug output, enter <ctrl c> to exit
(0,1738448) i( 1, 0, cca8)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 SA
78f07ab8:dbffc02d(0)
(0,1738448) o( 3, 0, cca8)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 SA
78f07ab8:dbffc02d(0)
(0,1738448) i( 1, 0, cca9)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 A

page 367 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

78f07ab9:dbffc0c2(0)
(0,1738448) o( 3, 0, cca9)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 A
78f07ab9:dbffc0c2(0)
(1,1738450) i( 1, 0, ccaa)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 PA
78f07ab9:dbffc0c2(191)
(1,1738450) o( 3, 0, ccaa)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 PA
78f07ab9:dbffc0c2(191)
(1,1738450) i( 1, 0, ccab)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 FA
78f07b78:dbffc0c3(0)
(1,1738450) o( 3, 0, ccab)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 FA
78f07b78:dbffc0c3(0)
...

These lines of debug output show the following:

• 0 – CPU ID. Indicates the CPU that processed the packet. CPU 0 is the control CPU.
• 1738448 – Time delay between packets. This is a jiffies value that increments in 4-
milli- second (4-ms) intervals.
• i – Traffic direction: 1 (input) or o (output).
• (1, 0, cca8) – Ethernet interface, VLAN tag, and packet buffer index. If the VLAN tag
is 0, then the port is untagged. In this example, the first packet is received on Ethernet
port 1, and the VLAN is not yet known. The packet is assigned to buffer index cca8.

NOTE: Generally, the VLAN tag for ingress packets is 0. It is normal for the ingress VLAN tag
to be 0 even when the egress VLAN tag is not 0.

The source and destination IP addresses are listed next, followed by the source and
destination protocol port numbers.

The TCP flag is shown next:

• S – Syn
• SA – Syn Ack
• A – Ack
• F – Fin
• PA – Push Ack

The TCP sequence number and ACK sequence number are then shown.

Finally, the packet payload is shown. The header size is excluded.

Example The following command captures packet information and packet contents for display on the
terminal screen. The output is not saved to a file.

ACOS# axdebug
ACOS(axdebug)# capture detail
Wait for debug output, enter <ctrl c> to exit
i( 1, 0, ccae)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 SA 7ab6ae46:ddb87996(0)
Dump buffer(0xa6657048), len(80 bytes)...
0xa6657048: 00900b0b 3e83001d 09f0dec2 08004500 : ....>........E.
0xa6657058: 003c0000 40004006 e8580a0a 0b1e1e1e : .<..@[email protected]......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 368

A10 Thunder Series and AX Series—Command Line Interface

0xa6657078: 16a02ea5 00000204 05b40402 080a5194 :..............Q.

0xa6657088: 6c551f3c 1d3f0103 03072d59 f97f0000 : lU.<.?....-Y....
0xa6657098: 00000000 00000000 00000000 00000000 : ................
o( 3, 0, ccae)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 SA 7ab6ae46:ddb87996(0)
Dump buffer(0xa6657048), len(80 bytes)...
0xa6657048: 001d09f0 e01e0090 0b0b3e83 08004500 : ..........>. E.
0xa6657058: 003c0000 40003f06 e9580a0a 0b1e1e1e : .<..@.?..X......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...
0xa6657078: 16a02ea5 00000204 05b40402 080a5194 :..............Q.
0xa6657088: 6c551f3c 1d3f0103 03072d59 f97f0000 : lU.<.?....-Y....
0xa6657098: 00000000 00000000 00000000 00000000 : ................
i( 1, 0, ccaf)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 A 7ab6ae47:ddb87a2b(0)
Dump buffer(0xa6657848), len(80 bytes)...
0xa6657848: 00900b0b 3e83001d 09f0dec2 08004500 : ....>........E.
0xa6657858: 0034c211 40004006 264f0a0a 0b1e1e1e : .4..@.@.&O......
0xa6657868: 1f1e0050 35467ab6 ae47ddb8 7a2b8010 : ...P5Fz..G..z+..
0xa6657878: 00367344 00000101 080a5194 6c561f3c : .6sD.. . . .Q.lV.<
0xa6657888: 1d4041de e3380000 00000000 00000000 : [email protected]..........
0xa6657898: 00000000 00000000 00000000 00000000 : ................
...

Example The following command saves captured packet information in file “file123”. The captured
traffic is not displayed on the terminal screen.

ACOS# axdebug
ACOS(axdebug)# capture save file123

count
Description Specify the maximum number of packets to capture.

Syntax count num

Replace num with the maximum number of packets to capture, 0-65535. To capture
an unlimited number of packets, specify 0.

Default 3000

Mode AX debug

Example The following command sets the maximum number of packets to capture to 2048:

ACOS# axdebug
ACOS(axdebug)# count 2048

page 369 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

delete
Description Delete an axdebug capture file.

Syntax delete filename

Default N/A

Mode AX debug

Example The following command deletes capture file “file123”:

ACOS# axdebug
ACOS(axdebug)# delete file123

filter
Description Configure an AX debug filter, to specify the types of packets to capture.

Syntax [no] filter filter-id

Replace filter-id with the ID of the filter (1-255).

This command changes the CLI to the configuration level for the specified AX debug filter,
where the following AX debug filter-related commands are available:

Command
dst
{ip ipaddr | mac macaddr | port portnum}
l3-proto {arp | ip | ipv6}
ip ipaddr {subnet-mask | /mask-length}
mac macaddr
offset position length bytes operator
value
port min-portnum max-portnum
Description
Matches on the specified destination IP address, MAC
address, or protocol port number.
Matches on the specified Layer 3 protocol.
Matches on the specified IPv4 address.
Matches on the specified MAC address.
Matches on the specified length of bytes and value of those
bytes within the packet:
• position – Starting position within the packet, 1-
65535 bytes.
• bytes – Number of consecutive bytes to filter on, from
1- 65535, beginning at the offset position.
• operator – One of the following:
• > (greater than)
• >= (greater than or equal to)
• <= (smaller than or equal to)
• < (smaller than)
• = (equal to)
• range min-value max-value (select a range)
• value – String to filter on.
Matches on the specified range of protocol port numbers.

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 370

A10 Thunder Series and AX Series—Command Line Interface

Command Description
proto Matches on the specified protocol or protocol port number.
{icmp | icmpv6 | tcp | udp | portnum}
src Matches on the specified source IP address, MAC address,
{ip ipaddr | mac macaddr | port port-num} or protocol port number.

Default No filters are configured by default. When you create one, all packets match the filter
by default.

Mode AX debug

Usage If a packet capture is running and you change the filter, there will be a 5-second delay
while the ACOS device clears the older filter. The delay does not occur if a packet capture
is not already running.

The packet filter for the debug command is internally numbered filter 0. In AXdebug,
you can create multiple filters, which are uniquely identified by filter ID. If you create
filter 0 in AXdebug, this filter will overwrite the debug packet filter. Likewise, if you
configure filter 0 in AXdebug, then configure the debug packet filter, the debug packet
filter will overwrite AXdebug filter 0.

Example The following commands configure an AX debug filter to match on source IP address
10.10.10.30, destination protocol port number 80, and source MAC address
aabb.ccdd.eeff. The show axdebug filter command displays the filter.

ACOS# axdebug
ACOS(axdebug)# filter 1
ACOS(axdebug-filter:1)# src ip 10.10.10.30
ACOS(axdebug-filter:1)# dst port 80
ACOS(axdebug-filter:1)# src mac aabb.ccdd.eeff
ACOS(axdebug-filter:1)# exit
ACOS(axdebug)# show axdebug filter
axdebug filter 1
src ip 10.10.10.30
dst port 80
src mac aabb.ccdd.eeff

incoming | outgoing
Description Specify the Ethernet interfaces and traffic direction for which to capture packets.

Syntax [no] incoming [portnum ...] [outgoing [portnum ...]]

outgoing [portnum ...]

Default Disabled

page 371 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

NOTE: The traffic also must match the AX debug filters.

Mode AX debug

Example The following command limits the packet capture to inbound packets on Ethernet interface
3 and outbound packets on Ethernet interface 4:

ACOS# axdebug
ACOS(axdebug)# incoming 3 outgoing 4

Example The following command limits the packet capture to outbound packets on Ethernet inter-
face 7. Inbound packets on all Ethernet interfaces are captured, unless specified otherwise
in AX debug filters.

ACOS# axdebug
ACOS(axdebug)# outgoing 7

length
Description Specify the maximum length of packets to capture. Packets that are longer are not captured.

Syntax [no] length bytes

Replace bytes with the maximum packet length (64-1518 bytes).

Default 1518 bytes.

Mode AX debug

Example The following command changes the maximum packet length to capture to 128:

ACOS# axdebug
ACOS(axdebug)# length 128

maxfile
Description Specify the maximum number of axdebug packet capture files to keep.

Once the maximum is reached, new axdebug files can not be created until existing files are
removed.

Syntax maxfile num

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 372

A10 Thunder Series and AX Series—Command Line Interface

Replace num with the maximum number of files to keep (1-65535).

Default 100 files.

Mode AX debug

Example The following command changes the maximum number of AX debug capture files to
keep to 125:

ACOS# axdebug
ACOS(axdebug)# maxfile 125

outgoing
Description See “incoming | outgoing” on page 371.

save-config
Description Save your AXdebug configuration to a file.

This file can be retrieved at a later time with the apply-config command.

Syntax save-config name

Replace name with the name of the configuration file (1-63 characters).

Mode AX debug

Example The following example saves the AX debug configuration to a file called “example-
ax- debug”:

ACOS# axdebug
ACOS(axdebug)# save-config example-ax-debug
Config has been saved to example-ax-debug.
ACOS(axdebug)#

timeout

Description Specify the maximum number of minutes to capture packets.

Syntax timeout minutes

Replace minutes with the number of minutes to capture the packets (0-65535).

Default 5 minutes.

Mode AX debug

Example The following command changes the capture timeout to 10 minutes:

ACOS# axdebug

page 373 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface

ACOS(axdebug)# timeout 10

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 374

Up and Down Causes for the show health stat
Command

This chapter lists the cause strings for the numeric cause codes that appear in the Up and Down fields of the show
health stat output. The Up / Down cause codes are shown in the output under “Cause(Up/Down/Retry)”.

Up Causes
Table 12 lists the Up causes.

TABLE 12 show health stat Up Causes

Cause Code Cause String
0 HM_INVALID_UP_REASON
1 HM_DNS_PARSE_RESPONSE_OK
2 HM_EXT_REPORT_UP
3 HM_EXT_TCL_REPORT_UP
4 HM_FTP_ACK_USER_LOGIN
5 HM_FTP_ACK_PASS_LOGIN
6 HM_HTTP_RECV_URL_FIRST
7 HM_HTTP_RECV_URL_NEARBY_FIRST
8 HM_HTTP_RECV_URL_FOLLOWING
9 HM_HTTP_RECV_URL_NEARBY_FOLLOWING
10 HM_HTTP_STATUS_CODE
11 HM_ICMP_RECV_OK
12 HM_ICMP_RECV6_OK
13 HM_LDAP_RECV_ACK
14 HM_POP3_RECV_ACK_PASS_OK
15 HM_RADIUS_RECV_OK
16 HM_RTSP_RECV_STATUS_OK
17 HM_SIP_RECV_OK
18 HM_SMTP_RECV_OK
19 HM_SNMP_RECV_OK
20 HM_TCP_VERIFY_CONN_OK
21 HM_TCP_CONN_OK
22 HM_TCP_HALF_CONN_OK
23 HM_UDP_RECV_OK

page 375 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface
Reference

TABLE 12 show health stat Up Causes (Continued)

Cause Code Cause String
24 HM_UDP_NO_RESPOND
25 HM_COMPOUND_UP

Down Causes
Table 13 lists the Down causes.

TABLE 13 show health stat Down Causes

Cause Code Cause String
0 HM_INVALID_DOWN_REASON
1 HM_DNS_TIMEOUT
2 HM_EXT_TIMEOUT
3 HM_EXT_TCL_TIMEOUT
4 HM_FTP_TIMEOUT
5 HM_HTTP_TIMEOUT
6 HM_HTTPS_TIMEOUT
7 HM_ICMP_TIMEOUT
8 HM_LDAP_TIMEOUT
9 HM_POP3_TIMEOUT
10 HM_RADIUS_TIMEOUT
11 HM_RTSP_TIMEOUT
12 HM_SIP_TIMEOUT
13 HM_SMTP_TIMEOUT
14 HM_SNMP_TIMEOUT
15 HM_TCP_TIMEOUT
16 HM_TCP_HALF_TIMEOUT
17 HM_DNS_RECV_ERROR
18 HM_DNS_PARSE_RESPONSE_ERROR
19 HM_DNS_RECV_LEN_ZERO
20 HM_EXT_WAITPID_FAIL
21 HM_EXT_TERM_BY_SIG
22 HM_EXT_REPORT_DOWN
23 HM_EXT_TCL_REPORT_DOWN
24 HM_FTP_RECV_TIMEOUT
25 HM_FTP_SEND_TIMEOUT
26 HM_FTP_NO_SERVICE
27 HM_FTP_ACK_USER_WRONG_CODE
28 HM_FTP_ACK_PASS_WRONG_CODE
29 HM_COM_CONN_CLOSED_IN_WRITE

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 376

 A10 Thunder Series and AX Series—Command Line Interface
Down Causes

TABLE 13 show health stat Down Causes (Continued)

Cause Code Cause String
30 HM_COM_OTHER_ERR_IN_WRITE
31 HM_COM_CONN_CLOSED_IN_READ
32 HM_COM_OTHER_ERR_IN_READ
33 HM_COM_SEND_TIMEOUT
34 HM_COM_CONN_TIMEOUT
35 HM_COM_SSL_CONN_ERR
36 HM_HTTP_SEND_URL_ERR
37 HM_HTTP_RECV_URL_ERR
38 HM_HTTP_RECV_MSG_ERR
39 HM_HTTP_NO_LOCATION
40 HM_HTTP_WRONG_STATUS_CODE
41 HM_HTTP_WRONG_CHUNK
42 HM_HTTP_AUTH_ERR
43 HM_HTTPS_SSL_WRITE_ERR
44 HM_HTTPS_SSL_WRITE_OTHERS
45 HM_HTTPS_SSL_READ_ERR
46 HM_HTTPS_SSL_READ_OTHERS
47 HM_ICMP_RECV_ERR
48 HM_ICMP_SEND_ERR
49 HM_ICMP_RECV6_ERR
50 HM_LDAP_RECV_ACK_ERR
51 HM_LDAP_SSL_READ_ERR
52 HM_LDAP_SSL_READ_OTHERS
53 HM_LDAP_RECV_ACK_WRONG_PACKET
54 HM_LDAP_SSL_WRITE_ERR
55 HM_LDAP_SSL_WRITE_OTHERS
56 HM_LDAP_SEND_ERR
57 HM_POP3_RECV_TIMEOUT
58 HM_POP3_SEND_TIMEOUT
59 HM_POP3_NO_SERVICE
60 HM_POP3_RECV_ACK_USER_ERR
61 HM_POP3_RECV_ACK_PASS_ERR
62 HM_RADIUS_RECV_ERR
63 HM_RADIUS_RECV_ERR_PACKET
64 HM_RADIUS_RECV_NONE
65 HM_RTSP_RECV_STATUS_ERR
66 HM_RTSP_RECV_ERR
67 HM_RTSP_SEND_ERR
68 HM_SIP_RECV_ERR
69 HM_SIP_RECV_ERR_PACKET
70 HM_SIP_CONN_CLOSED
71 HM_SIP_NO_MEM

page 377 | Document No.: 410-P2-CLI-001 - 6/17/2016

 A10 Thunder Series and AX Series—Command Line Interface
Reference

TABLE 13 show health stat Down Causes (Continued)

Cause Code Cause String
72 HM_SIP_STARTUP_ERR
73 HM_SMTP_RECV_ERR
74 HM_SMTP_NO_SERVICE
75 HM_SMTP_SEND_HELO_TIMEOUT
76 HM_SMTP_SEND_QUIT_TIMEOUT
77 HM_SMTP_WRONG_CODE
78 HM_SNMP_RECV_ERR
79 HM_SNMP_RECV_ERR_PACKET
80 HM_SNMP_RECV_ERR_OTHER
81 HM_TCP_PORT_CLOSED
82 HM_TCP_ERROR
83 HM_TCP_INVALID_TCP_FLAG
84 HM_TCP_HALF_NO_ROUTE
85 HM_TCP_HALF_NO_MEM
86 HM_TCP_HALF_SEND_ERR
87 HM_UDP_RECV_ERR
88 HM_UDP_RECV_ERR_OTHERS
89 HM_UDP_NO_SERVICE
90 HM_UDP_ERR
91 HM_COMPOUND_INVAL_RPN
92 HM_COMPOUND_DOWN
93 HM_COMPOUND_TIMEOUT

Document No.: 410-P2-CLI-001 - 6/17/2016 | page 378

A10 Thunder Series and AX Series—Command Line Interface

page 379 | Document No.: 410-P2-CLI-001 - 6/17/2016

磾
A10 Net works, Inc.
Tel: + 1 408 325 8668 (Main)
3 West Plumeria Drive
Tel: + 1 408 32 5 8678 (Support)
San Jose, CA 95134
Fax: + 1 408 325 8666 . .
w a1Onet c

Document No.: 410-P2-CLl-001 I 6/17/2016