HPE NonStop Cluster I/O
Protocols (CIP) CLIMCMD
Manpages
Abstract
This document consolidates the CLIMCMD manpages of the CIP subsystem for Hewlett Packard Enterprise systems that use the HPE NonStop operating system. The document publishes the manpages for offline reference; they are otherwise available online on a running system.
Technical White Paper
Part Number: 875808-001
Published: March 2017
About This Document
This manual provides consolidated CLIMCMD manpages for HPE NonStop Cluster I/O Protocols (CIP) subsystem. Each manpage is included in its original format preserving its independent page numbers.
Table of Contents
The manpages are included in alphabetical order. When opened as a pdf file, the bookmark references (normally in the left pane of the pdf viewer) in the file function as the table of contents for this document. Note that the page numbers are preserved within each manpage to match the output of the manpage shown through CLIMCMD.
Intended Audience
This manual is intended for network and storage administrators who need manpages for CLIM commands for managing the CIP subsystem on an HPE Integrity NonStop system.
Publishing History
Part Number Product Version Publication Date
875808-001 L02, L03 March 2017
© Copyright 2017 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for HPE products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HPE shall not be liable for technical or editorial errors or omissions contained herein.
clim(1) clim(1)
NAME
clim − query and control the CLIM software.
SYNOPSIS
CLIMCMD {clim-name|ip-address} clim [option]
CLIM DESCRIPTION
clim provides a set of commands to query and control the CLIM software, and to display the process status of each of the clim processes.
PARAMETERS
abort
Abort and dump all CLIM processes.
clearlog
Allows a CLIM that has stopped trying to restart itself after reaching a retry threshold to be resumed. Should be followed by ’clim start’.
disable-policy-routing
Disables policy routing on the next CLIM reboot.
enable-policy-routing
Enables policy routing on the next CLIM reboot. This is the default configuration.
info
Provides clim configuration information. This command displays the current value/status of configurable clim parameters.
onlinedebug
Packages clim-related information into a compressed tar file for debugging purposes.
reboot
Reboots the CLIM, after taking a system memory dump.
start
Starts the CLIM software.
status
Displays the process status of the CLIM processes. The details of the CLIM processes in terms of system resource consumption are displayed. This is essentially the same as executing the psclim command at the prompt.
ERROR MESSAGES
None.
CONSIDERATIONS
1. If the application restart threshold is exceeded, the ’clim start’ command will output an error message and switch from doing an application level restart to doing a CLIM reboot.
If the CLIM reboot threshold is exceeded, the ’clim start’ command will output an error message and exit without attempting to do any further application-level restarts or reboots. Once the CLIM has given up attempting to restart the CLIM, operator intervention will be required to enable the CLIM to restart. The operator can accomplish this by using the ’clim clearlog’ command, which will delete the log.
EXAMPLES
None.
SEE ALSO
psclim(1), climstatus(1)
climconfig(1) climconfig(1)
NAME
climconfig − configure network protocol parameters
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig command [parameter]
CLIMCONFIG DESCRIPTION
This command is a parameter to the CLIMCMD command-line interface. It allows you to configure network, IPSec, climiptables, iptables, ip6tables, failover and SNMP parameters. Enter CLIMCMD at the TACL prompt on the NonStop system followed by the clim-name or CLIM IP address, climconfig and one or more command objects and associated parameters.
COMMANDS
climconfig supports the network configuration commands documented in this section.
ERROR MESSAGES
None.
EXAMPLES
> CLIMCMD 17.24.17.5 climconfig arp -add eth1 -host 17.24.17.50 &
-hwaddress 00:0E:7f:F5:6E:8A
SEE ALSO
For details about the climconfig command arguments, see the following man pages:
CLIMCMD {clim-name|ip-address} man climconfig.all
CLIMCMD {clim-name|ip-address} man climconfig.arp
CLIMCMD {clim-name|ip-address} man climconfig.bondmode
CLIMCMD {clim-name|ip-address} man climconfig.climiptables
CLIMCMD {clim-name|ip-address} man climconfig.failover
CLIMCMD {clim-name|ip-address} man climconfig.hostname
CLIMCMD {clim-name|ip-address} man climconfig.interface
CLIMCMD {clim-name|ip-address} man climconfig.ip
CLIMCMD {clim-name|ip-address} man climconfig.ip6tables
CLIMCMD {clim-name|ip-address} man climconfig.iptables
CLIMCMD {clim-name|ip-address} man climconfig.prov
CLIMCMD {clim-name|ip-address} man climconfig.psk
CLIMCMD {clim-name|ip-address} man climconfig.remote
CLIMCMD {clim-name|ip-address} man climconfig.route
CLIMCMD {clim-name|ip-address} man climconfig.sa
CLIMCMD {clim-name|ip-address} man climconfig.slaveinterface
CLIMCMD {clim-name|ip-address} man climconfig.snmp
CLIMCMD {clim-name|ip-address} man climconfig.sp
CLIMCMD {clim-name|ip-address} man climconfig.sysctl
CLIMCMD {clim-name|ip-address} man climconfig.tunnel
CLIMCMD {clim-name|ip-address} man climconfig.vlan
CLIMCMD {clim-name|ip-address} man climconfig.vpn
CLIMCMD {clim-name|ip-address} man climconfig.vxlan
climconfig.all(1) climconfig.all(1)
NAME
climconfig.all − display the entire CLIM configuration
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig all -info [-obeyform]
CLIMCONFIG.ALL DESCRIPTION
This command displays the entire CLIM configuration.
PARAMETERS
-info Displays the cumulative output of these commands:
climconfig interface -info all
climconfig vlan -info all
climconfig vxlan -info all
climconfig route -info all
climconfig arp -info
climconfig snmp -info
climconfig bondmode -info
climconfig failover -info
climconfig sysctl -info all
climconfig psk -info
climconfig sp -info
climconfig sa -info
climconfig remote -info
climconfig climiptables -info
climconfig prov -info
-info -obeyform
Displays the cumulative output of these commands followed by the "exit" command:
climconfig interface -info all -obeyform
climconfig vlan -info all -obeyform
climconfig vxlan -info all -obeyform
climconfig snmp -info -obeyform
climconfig bondmode -info -obeyform
climconfig failover -info -obeyform
climconfig sysctl -info all -obeyform
climconfig psk -info -obeyform
climconfig sp -info -obeyform
climconfig sa -info -obeyform
climconfig remote -info -obeyform
climconfig climiptables -info -obeyform
climconfig prov -info -obeyform
ERROR MESSAGES
None.
EXAMPLES
> CLIMCMD n100253 climconfig all -info
> CLIMCMD n100253 climconfig all -info -obeyform
climconfig.arp(1) climconfig.arp(1)
NAME
climconfig.arp − manage arp entries
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig arp -add
{eth0|interface} -host host -hwaddress MAC-address
CLIMCMD {clim-name|ip-address} climconfig arp -delete
{eth0|interface} -host host
CLIMCMD {clim-name|ip-address} climconfig arp -info
[-obeyform]
CLIMCONFIG.ARP DESCRIPTION
This command:
arp -add
adds information about ARP entries.
arp -delete
deletes manually-added ARP entries.
arp -info
displays manually-added and kernel-added ARP entries.
The arp -add and arp -delete commands add entries to or delete them from the /etc/network/interfaces file and, if the interface is active, from the kernel as well. If the interface is not active, the add and delete commands affect only the /etc/network/interfaces file. The arp -info command displays information about ARP entries in the kernel (both manually-added and automatically-added entries). Entries that are automatically added by the kernel cannot be deleted using this command. This command does not support InfiniBand interfaces.
PARAMETERS
eth0 Specifies the dedicated service LAN interface.
interface
Specifies an interface to configure. The interface can be either an existing physical interface name (for example, eth2) or a bonding interface name (for example, bond0) or a VLAN interface name (for example, e1v7) or a VXLAN interface name (for example e1xzt7).
-host host Specifies the host. Use the host IP address for this parameter.
-hwaddress MAC-address
Specifies the MAC address of the host.
-delete eth0
Specifies the dedicated service LAN interface.
-delete interface
Specifies an interface (physical or bonding or VLAN or VXLAN interface).
-info Displays information about ARP entries.
-obeyform Generates user-configured ARP entries.
ERROR MESSAGES
For arp -add and arp -delete:
The interface interface-name is not configured.
This command is not supported for the interface lo.
This command is not supported for the interface eth0:0.
This command is not supported for the interface tunnel-interface.
The specified arp entry already exists for the interface-name.
This command does not support InfiniBand interfaces.
EXAMPLES
> CLIMCMD NCLIM002 climconfig arp -add eth1 -host 15.76.219.4
-hwaddress 00:0E:7f:F5:6E:8A
> CLIMCMD NCLIM001 climconfig arp -add e1v7 -host 10.10.10.10
-hwaddress 00:0E:7F:E8:6D:9A
> CLIMCMD 192.168.36.51 climconfig arp -delete eth1 -host 15.76.219.4
> CLIMCMD NCLIM001 climconfig arp -delete e1xzt7 -host 15.76.219.5
> CLIMCMD N100241 climconfig arp -info
Interface : eth0
IP Address : 192.168.36.11
Hardware Address : 00:01:30:10:E6:50
Hardware Type : ether
Flags : C
Mask :
> CLIMCMD NCLIM003 climconfig arp -info -obeyform
climconfig arp \
-add eth1 \
-host 15.146.232.112 \
-hwaddress 00:1c:c4:de:cf:ae
climconfig arp \
-add eth1 \
-host 15.146.232.113 \
-hwaddress 00:1b:78:07:69:70
climconfig arp \
-add eth1 \
-host 15.146.232.1 \
-hwaddress 00:19:bb:1c:0c:00
#CLIMCMD expects ’exit’ to be the last command.
#This is required to terminate CLIMCMD session.
exit
Termination Info: 0
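The kernel ARP table printed by arp -info is what the CLIM actually uses to reach a host, while arp -info -obeyform lists only the entries an operator pinned. The following is an added example, not code from the HPE manpage: a Python script that parses both outputs in the formats shown above and reports pinned hosts that are missing from the kernel table or that the kernel now resolves to a different MAC address, which is how ARP spoofing on a data LAN would look from the CLIM. Both embedded sample outputs are constructed; the Flags column is carried through but not interpreted.

```python
"""Compare the CLIM kernel ARP table against operator-pinned entries.

Added example; not code from the HPE CLIMCMD manpage. Inputs are constructed
samples in the 'climconfig arp -info' and 'arp -info -obeyform' formats.
"""
import shlex

# Constructed 'climconfig arp -info' output: "Key : Value" blocks per entry.
SAMPLE_ARP_INFO = """\
Interface : eth0
IP Address : 192.168.36.11
Hardware Address : 00:01:30:10:E6:50
Hardware Type : ether
Flags : C
Mask :

Interface : eth1
IP Address : 15.146.232.112
Hardware Address : 00:1C:C4:DE:CF:AE
Hardware Type : ether
Flags : CM
Mask :

Interface : eth1
IP Address : 15.146.232.1
Hardware Address : 02:00:5E:AA:BB:CC
Hardware Type : ether
Flags : C
Mask :
"""

# Constructed 'climconfig arp -info -obeyform' output, wrapped with trailing
# backslashes exactly as CLIMCMD prints it.
SAMPLE_ARP_OBEYFORM = r"""climconfig arp \
-add eth1 \
-host 15.146.232.112 \
-hwaddress 00:1c:c4:de:cf:ae
climconfig arp \
-add eth1 \
-host 15.146.232.113 \
-hwaddress 00:1b:78:07:69:70
climconfig arp \
-add eth1 \
-host 15.146.232.1 \
-hwaddress 00:19:bb:1c:0c:00
exit
"""


def join_continuations(text):
    """Join lines that end in a backslash into one logical command line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        lines.append((buf + line).strip())
        buf = ""
    if buf:
        lines.append(buf.strip())
    return [line for line in lines if line]


def parse_arp_info(text):
    """Parse blank-line separated 'Key : Value' blocks; MACs are lower-cased."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip().lower()] = val.strip()
    return [{"iface": e.get("interface", ""), "ip": e.get("ip address", ""),
             "mac": e.get("hardware address", "").lower(),
             "flags": e.get("flags", "")} for e in entries]


def parse_arp_obeyform(text):
    """Return {(iface, ip): mac} for every 'climconfig arp -add' command."""
    pinned = {}
    for line in join_continuations(text):
        argv = shlex.split(line)
        if argv[:3] != ["climconfig", "arp", "-add"] or len(argv) < 8:
            continue
        opts = dict(zip(argv[4::2], argv[5::2]))
        pinned[(argv[3], opts["-host"])] = opts["-hwaddress"].lower()
    return pinned


def audit_arp(info_text, obeyform_text):
    """Return (problem, iface, ip, expected_mac, observed_mac) tuples.

    'missing': the pinned host is absent from the kernel table.
    'mismatch': the kernel resolves the pinned host to another MAC, which is
    what a spoofed ARP reply on the data LAN would produce.
    """
    kernel = {(e["iface"], e["ip"]): e for e in parse_arp_info(info_text)}
    findings = []
    for (iface, ip), want in parse_arp_obeyform(obeyform_text).items():
        seen = kernel.get((iface, ip))
        if seen is None:
            findings.append(("missing", iface, ip, want, None))
        elif seen["mac"] != want:
            findings.append(("mismatch", iface, ip, want, seen["mac"]))
    return findings


if __name__ == "__main__":
    for finding in audit_arp(SAMPLE_ARP_INFO, SAMPLE_ARP_OBEYFORM):
        print(*finding)
```

In practice the two inputs would be captured from CLIMCMD on the NonStop host and fed to the script; the comparison is keyed on interface and IP address so that an entry learned on eth0 is never confused with one on a data interface.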
climconfig.bondmode(1) climconfig.bondmode(1)
NAME
climconfig.bondmode − change bonding mode, get bondmode info
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig bondmode
-modify bonding-mode [-xmithashpolicy <value>]
[-lacprate <value>] [-adselect <value>]
CLIMCMD {clim-name|ip-address} climconfig bondmode
-info [-obeyform]
CLIMCONFIG.BONDMODE DESCRIPTION
This command changes or displays the bonding mode. The bonding mode applies to all the bonding interfaces in the CLIM.
The supported bonding modes are:
mode=1 (active-backup)
Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond’s MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option, specified in the climconfig slaveinterface command, affects the behavior of this mode.
mode=4 (802.3ad)
IEEE 802.3ad Dynamic link aggregation: Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification. To utilize this feature, the endpoints to which the CLIM is connected must support IEEE 802.3ad.
mode=5 (balance-tlb)
Adaptive transmit load balancing: channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.
mode=6 (balance-alb)
Adaptive load balancing: includes balance-tlb plus receive load balancing (rlb) for IPv4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond, such that different peers use different hardware addresses for the server.
A different slave becomes active if the active slave fails. The bond MAC address is externally visible on only one network interface to avoid problems in the switch. This mode provides fault tolerance.
Configuring the bonding mode applies to both bond interfaces, bond0 and bond1. Even if those bonds are assigned to different providers on CLIMs with MULTIPROV ON, the bonding mode still applies to both.
PARAMETERS
-modify bonding-mode
Specifies the bonding mode to be applied to all the bonding interfaces
-xmithashpolicy value
This option specifies the transmit hash policy to use for slave selection in bonding mode 4 (802.3ad). The possible values are 0, 1, and 2.
The default value is 0 (layer2).
• 0 (layer2)
This policy uses the XOR of the hardware MAC addresses and the packet type ID field to generate the hash. This will place all traffic to a particular network peer on the same slave.
• 1 (layer3+4)
This policy uses upper layer protocol information, when available, to generate the hash. This allows for traffic to a particular network peer to span multiple slaves, although a connection will not span across multiple slaves. For fragmented TCP or UDP packets and all other IPv4 and IPv6 protocol traffic, the source and destination port information is omitted. For non-IP traffic, the formula is the same as for the layer2 transmit hash policy.
• 2 (layer2+3)
This policy uses a combination of layer2 and layer3 protocol information to generate the hash. This will place all traffic to a particular network peer on the same slave. For non-IP traffic, the behavior is the same as for the layer2 transmit hash policy. This policy is intended to provide a more balanced distribution of traffic than layer2 alone, especially in environments where a layer3 gateway device is required to reach most destinations.
-lacprate value
This option specifies the rate at which the link partner is asked to transmit LACPDU packets in 802.3ad mode. The possible values are 0 and 1.
The default value is 1 (fast).
• 0 (slow)
Request the link partner to transmit LACPDUs every 30 seconds.
• 1 (fast)
Request the link partner to transmit LACPDUs every 1 second.
-adselect value
This option specifies the 802.3ad aggregation selection logic to use. The possible values are 0, 1, and 2.
The default value is 0 (stable).
• 0 (stable)
The active aggregator is chosen by largest aggregate bandwidth. Reselection of the active aggregator occurs only when all slaves of the active aggregator are down or the active aggregator has no slaves.
• 1 (bandwidth)
The active aggregator is chosen by largest aggregate bandwidth. Reselection occurs if:
- A slave is added to or removed from the bond
- Any slave’s link state changes
- Any slave’s 802.3ad association state changes
- The bond’s administrative state changes to UP
• 2 (count)
The active aggregator is chosen by the largest number of ports (slaves). Reselection occurs as described under the "bandwidth" setting, above. The bandwidth and count selection policies permit failover of 802.3ad aggregations when partial failure of the active aggregator occurs. This keeps the aggregator with the highest availability (either in bandwidth or in number of ports) active at all times.
-info Displays the configured bonding mode. Also, it displays the value of associated parameters, if any. The display format is:
Example 1:
Bonding Mode : 1 ( active-backup )
Example 2:
Bonding Mode : 4 ( 802.3ad )
Transmit Hash Policy : 2 ( layer2+3 )
LACP Rate : 1 ( fast )
Aggregation Selection : 2 ( count )
-obeyform Generates the configured bonding mode information in modify command format. The display format is:
climconfig bondmode -modify bonding-mode [-xmithashpolicy value] [-lacprate value] [-adselect value]
ERROR MESSAGES
For bondmode -modify:
One or more of the Bonding interfaces is UP
The value of the bonding mode should be either 1, 4, 5, or 6
The software MAC address of the slaves <slave interface> and <slave interface> of bonding interface <bonding interface> cannot be same for bonding mode <mode>.
The <option name> option is supported only for bonding mode 4(802.3ad).
The bonding mode 4(802.3ad) is not supported on <clim mode> CLIM.
WARNING MESSAGES
For bondmode -modify:
• Warning: For bonding mode 4(802.3ad),the line speed and duplex settings of all the slaves of a bonding interface should be same.
CONSIDERATIONS
The bonding mode cannot be changed while the bonding interfaces are UP.
The bonding mode 4(802.3ad) is supported only on Gen9 L-Series CLIMs.
For modes 5(balance-tlb) and 6(balance-alb), the software MAC addresses of all the slaves of a bonding interface should be unique.
For mode 4(802.3ad), the line speed and duplex settings of all the slaves of a bonding interface should be the same.
The xmithashpolicy, lacprate and adselect options can be specified only with bonding mode 4(802.3ad).
EXAMPLES
> CLIMCMD n100253 climconfig bondmode -info
Bonding Mode : 1 ( active-backup )
> CLIMCMD n100253 climconfig bondmode -info -obeyform
climconfig bondmode -modify 1
#CLIMCMD expects ’exit’ to be the last command.
#This is required to terminate CLIMCMD session.
exit
Termination Info: 0
> CLIMCMD n100253 climconfig bondmode -info
Bonding Mode : 4 ( 802.3ad )
Transmit Hash Policy : 2 ( layer2+3 )
LACP Rate : 1 ( fast )
Aggregation Selection : 2 ( count )
> CLIMCMD n100253 climconfig bondmode -info -obeyform
climconfig bondmode -modify 4 -xmithashpolicy 2 -lacprate 1 -adselect 2
#CLIMCMD expects ’exit’ to be the last command.
#This is required to terminate CLIMCMD session.
exit
Termination Info: 0
climconfig.climiptables(1) climconfig.climiptables(1)
NAME
climconfig.climiptables − configure climiptables
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig climiptables
[-prov prov-name] -enable
CLIMCMD {clim-name|ip-address} climconfig climiptables
[-prov prov-name] -disable [-force]
CLIMCMD {clim-name|ip-address} climconfig climiptables
[-prov prov-name] -info [-obeyform]
CLIMCMD {clim-name|ip-address} climconfig climiptables
[-prov prov-name] -status
CLIMCONFIG.CLIMIPTABLES DESCRIPTION
This command allows you to display and configure CLIM IP tables:
climiptables -enable
activates configurations for the climiptables. Enable and disable states are persistent through CLIM reboots and software updates.
climiptables -disable
deactivates configurations for the climiptables. Enable and disable states are persistent through CLIM reboots and software updates.
climiptables -info
displays the state of the climiptables, iptables and ip6tables configurations.
climiptables -info -obeyform
obtains the obeyform lines for configuring climiptables in add/delete command format.
climiptables -status
displays the state of the climiptables.
PARAMETERS
-force
Used with the -disable option, causes the command to bypass user confirmation.
-prov
Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own iptables configuration. The provider name is case-insensitive and is always converted to upper case.
-obeyform Used with the -info option, obtains climiptables configuration in obeyform format.
ERROR MESSAGES
For climconfig climiptables [-enable | -disable [-force] | -info [-obeyform]]:
Error: File /etc/clim/climiptables/state does not exist.
Error: Cannot open the file /etc/clim/climiptables/state: error code.
Error: invalid version string "version", file "/etc/clim/climiptables/state".
Error: version string major, minor is not compatible, file "/etc/clim/climiptables/state".
Error: Invalid climiptables state file.
CONSIDERATIONS
None.
EXAMPLES
To enable climiptables:
> CLIMCMD N1001253 climconfig climiptables -enable
climiptables is now enabled
> CLIMCMD N1001253 climconfig climiptables -disable
Do you want to continue with DISABLING climiptables? yes/[no] - yes
climiptables is now disabled
> CLIMCMD N1001253 climconfig climiptables -force -disable
climiptables is now disabled
> CLIMCMD N1001253 climconfig climiptables -status
climiptables is currently enabled
> CLIMCMD N1001253 climconfig climiptables -info
climiptables is currently enabled
iptables configuration:
-N snmptrap
-A CIP_INPUT -p tcp -m tcp --dport 162 -j snmptrap
-A CIP_INPUT -p udp -m udp --dport 162 -j snmptrap
-A snmptrap ! -s 100.100.100.56/32 -j REJECT --reject-with icmp-port-unreachable
ip6tables configuration:
-P CIP_INPUT DROP
> CLIMCMD N1001253 climconfig climiptables -info -obeyform
climconfig climiptables -disable -force
climconfig iptables -force -N abc
climconfig iptables -force -P CIP_INPUT ACCEPT
climconfig iptables -force -A abc -p tcp -j ACCEPT
climconfig ip6tables -force -P CIP_INPUT DROP
climconfig climiptables -enable
#CLIMCMD expects ’exit’ to be the last command.
#This is required to terminate CLIMCMD session.
exit
Termination Info: 0
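Because -info -obeyform emits the whole ruleset as replayable climconfig commands, it is also the natural input for an offline review before an obey file is applied to a CLIM. The following is an added example, not HPE code: a Python audit over constructed obeyform text in the format shown above. It flags a CIP_INPUT default policy other than DROP (the DROP expectation is this example's own policy choice, not a requirement stated on the page), user chains that are never jumped to from CIP_INPUT, ACCEPT rules without a positive -s source match, and an obeyform that does not end by re-enabling climiptables.

```python
"""Offline review of a climiptables obeyform before it is applied.

Added example; not code from the HPE manpage. SAMPLE_OBEYFORM is constructed
in the format printed by 'climconfig climiptables -info -obeyform'.
"""
import shlex

SAMPLE_OBEYFORM = """\
climconfig climiptables -disable -force
climconfig iptables -force -N abc
climconfig iptables -force -P CIP_INPUT ACCEPT
climconfig iptables -force -A abc -p tcp -j ACCEPT
climconfig iptables -force -N snmptrap
climconfig iptables -force -A CIP_INPUT -p udp -m udp --dport 162 -j snmptrap
climconfig iptables -force -A snmptrap ! -s 100.100.100.56/32 -j REJECT --reject-with icmp-port-unreachable
climconfig ip6tables -force -P CIP_INPUT DROP
climconfig climiptables -enable
exit
"""


def _family():
    return {"policy": {}, "chains": set(), "rules": []}


def parse_obeyform(text):
    """Collect policies, user chains and rules per address family.

    'enabled' is the climiptables state after the last -enable/-disable line
    (None if the obeyform never touches it).
    """
    state = {"iptables": _family(), "ip6tables": _family(), "enabled": None}
    for line in text.splitlines():
        argv = shlex.split(line)
        if len(argv) < 3 or argv[0] != "climconfig":
            continue
        if argv[1] == "climiptables":
            state["enabled"] = "-enable" in argv[2:]
            continue
        if argv[1] not in ("iptables", "ip6tables"):
            continue
        args = [a for a in argv[2:] if a != "-force"]
        if not args:
            continue
        fam, op, rest = state[argv[1]], args[0], args[1:]
        if op == "-P" and len(rest) >= 2:
            fam["policy"][rest[0]] = rest[1]
        elif op == "-N" and rest:
            fam["chains"].add(rest[0])
        elif op in ("-A", "-I") and rest:
            fam["rules"].append((rest[0], rest[1:]))
    return state


def rule_options(argv):
    """Map iptables match options to values; '!' before an option marks negation."""
    opts, negated, i = {}, set(), 0
    while i < len(argv):
        tok = argv[i]
        if tok == "!":
            if i + 1 < len(argv):
                negated.add(argv[i + 1])
            i += 1
        elif i + 1 < len(argv) and not argv[i + 1].startswith("-") and argv[i + 1] != "!":
            opts[tok] = argv[i + 1]
            i += 2
        else:
            opts[tok] = None
            i += 1
    return opts, negated


def audit_climiptables(text):
    """Return (family, message) findings; an empty list means nothing to review."""
    state = parse_obeyform(text)
    findings = []
    if state["enabled"] is not True:
        findings.append(("climiptables", "obeyform does not end with climiptables re-enabled"))
    for name in ("iptables", "ip6tables"):
        fam = state[name]
        # Policy choice of this example: CIP_INPUT should default to DROP.
        policy = fam["policy"].get("CIP_INPUT")
        if policy != "DROP":
            findings.append((name, f"CIP_INPUT default policy is {policy or 'not set'}, expected DROP"))
        # A user chain nothing jumps to from CIP_INPUT is dead configuration.
        reached = set()
        for chain, argv in fam["rules"]:
            if chain == "CIP_INPUT":
                target = rule_options(argv)[0].get("-j")
                if target:
                    reached.add(target)
        for chain in sorted(fam["chains"] - reached):
            findings.append((name, f"chain {chain} is never jumped to from CIP_INPUT"))
        # ACCEPT with no positive -s match admits any source; worth a look.
        for chain, argv in fam["rules"]:
            opts, negated = rule_options(argv)
            if opts.get("-j") == "ACCEPT" and ("-s" not in opts or "-s" in negated):
                findings.append((name, f"rule in {chain} accepts any source: {' '.join(argv)}"))
    return findings


if __name__ == "__main__":
    for family, message in audit_climiptables(SAMPLE_OBEYFORM):
        print(f"{family}: {message}")
```

The ACCEPT check is deliberately a review prompt rather than a hard failure: a stateful rule such as one matching established connections legitimately has no -s, so the finding points the reviewer at the line instead of rejecting the obey file.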
SEE ALSO
climconfig iptables, ip6tables
climconfig.failover(1) climconfig.failover(1)
NAME
climconfig.failover − configure failover
SYNOPSIS
If CLIM is an OPEN CLIM:
CLIMCMD {clim-name|ip-address} climconfig failover -add src-interface
-dest dest-clim-name.dest-interface [-autofo {cip | partner}]
Else for other types of CLIMs:
CLIMCMD {clim-name|ip-address} climconfig failover -add src-interface
-dest dest-clim-name.dest-interface
CLIMCMD {clim-name|ip-address} climconfig failover -delete
{src-interface|all} [-force]
CLIMCMD {clim-name|ip-address} climconfig failover -info clim-name -interface {interface-name|all} [-obeyform]
CLIMCONFIG.FAILOVER DESCRIPTION
This command allows you to configure the failover behavior between CLIMs. You can configure both physical and bonding interfaces to failover to an interface on a different CLIM.
• failover -add adds a failover configuration to the failover.conf file. The command must be run for the CLIM that contains the src-interface for which the failover configuration is to be added.
• failover -delete deletes the failover configuration for the specified interface. The command must be run for the CLIM that contains the src-interface with the failover configuration that is to be deleted.
• failover -info displays the failover configuration of the specified interface. This command can be run for any CLIM.
PARAMETERS
src-interface
Specifies the native interface name. It can be a physical (Ethernet or InfiniBand) or bonding interface.
dest-clim-name
Specifies the destination CLIM.
dest-interface
Specifies the destination interface. The specified interface can be a physical interface
(Ethernet or InfiniBand) or a bonding interface.
-autofo {cip | partner}
Interface failover attribute. The options are as follows:
cip - If the primary interface goes down, the interface failover is initiated by CIP. If no option is specified with the command, cip is the default.
partner - If the primary interface goes down, the interface failover is externally directed by a NonStop partner process.
all Deletes all of the failover configurations for the native CLIM.
clim-name Specifies the CLIM containing the interface whose failover configuration is to be displayed.
-interface Specifies the interface containing the failover configuration to display. If you specify interface-name, the output is only one line.
interface-name
Specifies the interface for the failover configuration. For the -info command, the display format is:
clim-name.interface-name failover-clim-name.failover-interface-name
all Specifies all failover configurations for the CLIM. The display format is one line per interface:
clim-name.interface-name failover-clim-name.failover-interface-name
-force Runs the command without prompting for confirmation.
-obeyform Generates failover configuration information in add command format.
ERROR MESSAGES
For failover -add:
• Invalid source interface.
• Invalid destination interface, it should be one of the eth[1-n], bond[0-n], or ib[0-n].
• Source and Destination CLIM name are same.
• Failover configuration for the source interface exists.
• The specified destination already exists.
• An Ethernet interface can failover only to another Ethernet interface. The dest-interface is not an Ethernet interface.
• An InfiniBand interface can failover only to another InfiniBand interface. The dest-interface is not an InfiniBand interface.
• The option -autofo is supported only on OPEN CLIMs.
For failover -delete:
• Failover configuration for the source interface does not exist.
For failover -info:
• The CLIM clim-name does not exist.
• The interface interface-name does not exist.
WARNINGS
• Warning: virtio interfaces do not automatically failover due to a host connectivity failure.
CONSIDERATIONS
• Automatic failover of virtio interfaces due to link pulse failure is not supported on VCLIM.
• Failover of virtual interfaces is not supported.
• Failover configuration for a tunnel interface is not supported. Tunnel interfaces are automatically failed over along with the parent physical or bonding interface.
• Failover configuration of VLAN and VXLAN interfaces is not supported. These interfaces will be automatically failed over along with their physical or bonding host interface.
• For each VLAN interface, the failover interface for the associated physical or bonding interface must also have a VLAN interface with the same VID (Virtual LAN Identifier).
• For each VXLAN interface, the failover interface for the associated physical or bonding interface must also have a VXLAN interface with the same VNI (VXLAN Network Identifier), same multicast IP address, and same UDP destination port.
• There cannot be multiple failover configurations for a source interface.
• lo, eth0, and eth0:0 cannot be configured to fail over.
• To achieve a failover configuration, two interfaces are associated as a failover pair.
• Each interface can be paired with no more than one other interface and each interface of a pair must use either the other as its failover interface or no failover interface.
• At the time of configuration, the climconfig tool does not validate whether the failover configurations follow failover pairs. The host validates the configuration when the CLIM is STARTED.
• At the time of configuration, the climconfig tool does not validate whether the destination CLIM and destination interface exist and are part of the same provider. The NonStop server host does this validation when the CLIM is STARTED.
• If src-interface is Ethernet, then the dest-interface should also be Ethernet.
• If src-interface is InfiniBand, then the dest-interface should also be InfiniBand.
• Only CLIM interfaces of the same type can be paired. Ethernet and InfiniBand interface pairing is invalid: Ethernet interfaces can be paired only with Ethernet interfaces and InfiniBand only with InfiniBand interfaces.
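The considerations above say that climconfig does not check failover pairs, destination existence or interface types until the CLIM is STARTED, so a mistake made on one CLIM only surfaces when the host rejects the configuration. The following is an added example, not HPE code: a Python check that takes the SOURCE DESTINATION [AUTOFO] rows from failover -info clim-name -interface all, collected from every CLIM and pasted into one text, and applies the rules listed above before START. Assumptions of this example: rows are space separated as in the manpage examples, CLIM names compare case-insensitively (the hostname manpage says they are upper-cased), and bonding interfaces are classed with Ethernet for the same-type rule, which the page does not state explicitly.

```python
"""Pre-START validation of CLIM failover pairs.

Added example; not HPE code. SAMPLE_FAILOVER is constructed from the row
format of 'climconfig failover -info <clim> -interface all' on several CLIMs.
"""

SAMPLE_FAILOVER = """\
SOURCE DESTINATION AUTOFO
CLIM1.eth1 CLIM2.eth1 cip
CLIM2.eth1 CLIM1.eth1 cip
CLIM1.eth2 CLIM3.eth2
CLIM3.eth2 CLIM4.eth2
CLIM2.eth3 CLIM2.eth4
CLIM4.ib0 CLIM5.eth5
CLIM5.eth0 CLIM6.eth0
CLIM1.eth1 CLIM3.eth1
"""

# Interfaces the manpage says can never be configured to fail over.
RESERVED = {"lo", "eth0", "eth0:0"}


def parse_failover_table(text):
    """Return (source, destination, autofo) tuples; autofo defaults to cip."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() == "SOURCE":
            continue
        rows.append((parts[0], parts[1], parts[2] if len(parts) > 2 else "cip"))
    return rows


def iface_family(name):
    """Same-type rule: InfiniBand pairs only with InfiniBand, Ethernet only
    with Ethernet. Assumption of this example: bond interfaces are Ethernet."""
    return "InfiniBand" if name.startswith("ib") else "Ethernet"


def validate_failover(text):
    """Return human-readable rule violations; an empty list means consistent."""
    findings, target, partners = [], {}, {}
    for src, dst, autofo in parse_failover_table(text):
        sclim, _, siface = src.partition(".")
        dclim, _, diface = dst.partition(".")
        # CLIM host names are upper-cased by climconfig, so compare that way.
        src, dst = f"{sclim.upper()}.{siface}", f"{dclim.upper()}.{diface}"
        if src in target:
            findings.append(f"{src}: more than one failover configuration for a source interface")
            continue
        target[src] = dst
        if sclim.upper() == dclim.upper():
            findings.append(f"{src} -> {dst}: source and destination CLIM are the same")
        if siface in RESERVED or diface in RESERVED:
            findings.append(f"{src} -> {dst}: lo, eth0 and eth0:0 cannot be configured to fail over")
        if iface_family(siface) != iface_family(diface):
            findings.append(f"{src} -> {dst}: {iface_family(siface)} can fail over only to {iface_family(siface)}")
        if autofo not in ("cip", "partner"):
            findings.append(f"{src}: -autofo must be cip or partner, got {autofo}")
        partners.setdefault(src, set()).add(dst)
        partners.setdefault(dst, set()).add(src)
    # Pair rule: a destination either points back at its source or has no
    # failover configuration of its own.
    for src, dst in target.items():
        back = target.get(dst)
        if back is not None and back != src:
            findings.append(f"{src} -> {dst}: {dst} fails over to {back}, not back to {src}")
    # No interface may be linked with more than one other interface.
    for iface, others in sorted(partners.items()):
        if len(others) > 1:
            findings.append(f"{iface}: paired with more than one interface ({', '.join(sorted(others))})")
    return findings


if __name__ == "__main__":
    for problem in validate_failover(SAMPLE_FAILOVER):
        print(problem)
```

Existence of the destination CLIM and membership in the same provider are left to the host, as the manpage says; the check above only catches what can be decided from the failover rows themselves.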
EXAMPLES
> CLIMCMD N100241 climconfig failover -add eth1 -dest N100242.eth2
> CLIMCMD OCLIM001 climconfig failover -add eth1 -dest OCLIM002.eth2 -autofo partner
> CLIMCMD 17.205.15.2 climconfig failover -delete eth1
> CLIMCMD n100253 climconfig failover -info clim2 eth1
SOURCE DESTINATION FAMILY
clim2.eth1 clim1.eth1 INET
clim1.eth2 clim3.eth1 INET
> CLIMCMD n100253 climconfig failover -info climx -interface eth1
SOURCE DESTINATION
climx.eth1 climy.eth2
> CLIMCMD OCLIM001 climconfig failover -info OCLIM001 -interface all
SOURCE DESTINATION AUTOFO
OCLIM001.eth1 OCLIM002.eth2 partner
> CLIMCMD n100253 climconfig failover -info climx -interface eth1 -obeyform
climconfig failover \
-add eth1 \
-dest climy.eth2
#CLIMCMD expects ’exit’ to be the last command.
#This is required to terminate CLIMCMD session.
exit
SEE ALSO
climconfig interface -add
climconfig.hostname(1) climconfig.hostname(1)
NAME
climconfig.hostname − manage the CLIM host name
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig hostname -modify hostname
CLIMCMD {clim-name|ip-address} climconfig hostname -info
CLIMCONFIG.HOSTNAME DESCRIPTION
This command modifies and displays the host name of the CLIM.
PARAMETERS
-modify Changes the host name of the specified CLIM.
-info Displays the host name of the specified CLIM.
hostname
Specifies the host name to be modified. The hostname is converted to upper case.
ERROR MESSAGES
None
CONSIDERATIONS
• The host name of a CLIM cannot be modified when the CLIM is in the STARTED state.
• The CLIM host name and the SCF CLIM object name must match. If you change the CLIM host name, you also need to change the name of the CLIM in the host. Use SCF to delete the CLIM and then add a new CLIM with a name that matches the new host name you have assigned to the CLIM.
• Hostname cannot exceed 8 characters.
• If there are any failover configurations existing for the CLIM for which you change the hostname, the climconfig tool automatically changes the source-CLIM name in its failover configurations.
• If the interfaces of the other CLIM are configured to fail over to this CLIM, manually change the failover configurations of the other CLIMs.
EXAMPLES
> CLIMCMD 172.18.105.17 climconfig hostname -info
CLIM1
> CLIMCMD 172.18.105.17 climconfig hostname -modify N100253
SEE ALSO
SCF DELETE CLIM command, SCF ADD CLIM command
climconfig.interface(1) climconfig.interface(1)
NAME
climconfig.interface − manage CLIM interfaces
SYNOPSIS
interface -add command:
CLIMCMD {clim-name|ip-address} climconfig interface -add
{eth0:0|interface-name} [-prov prov-name] [-mtu mtu-value |
-jumbo { on | off } ]
interface -delete command:
CLIMCMD {clim-name|ip-address} climconfig interface -delete
{eth0:0|interface-name}
interface -modify command for eth0 interface:
CLIMCMD {clim-name|ip-address} climconfig interface -modify eth0
{ [-ipaddress ipv4-address -netmask ipv4-netmask] |
[-autonegotiation on] |
[-autonegotiation on -linespeed 1000 [-duplex full ] ] |
[-autonegotiation { on | off } -linespeed {10 | 100} -duplex { half | full } ]
}[-force]
interface -modify command for data interfaces:
CLIMCMD {clim-name|ip-address} climconfig interface -modify interface-name
{ [-mtu mtu-value] |
[-jumbo { on | off } ] |
[-autonegotiation on] |
[-autonegotiation on -linespeed 1000 -duplex full] |
[-autonegotiation { on | off } -linespeed { 10 | 100 } -duplex { half | full } ] |
[-macaddr {mac address | default} ]
}[-force]
For changing the eth0 IP address:
CLIMCMD {clim-name|ip-address} climconfig interface -modify eth0 -ipaddress ipv4-address -netmask ipv4-netmask
For changing MTU settings:
CLIMCMD {clim-name|ip-address} climconfig interface -modify interface-name -mtu mtu-value
For changing jumbo frame settings:
CLIMCMD {clim-name|ip-address} climconfig interface -modify interface-name -jumbo { on | off }
For changing Ethernet card settings:
CLIMCMD {clim-name | ip-address} climconfig interface -modify interface-name [ -force ]
{[ -autonegotiation on ] |
[ -autonegotiation on -linespeed 1000 [ -duplex full ] ] |
[ -autonegotiation { on | off } -linespeed { 10 | 100 }
-duplex { half | full } ] }
For changing the MAC address for physical and slave interfaces:
CLIMCMD {clim-name|ip-address} climconfig interface -modify interface-name -macaddr {mac-address|default} [-force]
For displaying the configuration of an interface:
CLIMCMD {clim-name|ip-address} climconfig interface -info
{eth0|eth0:0|interface-name|all}[-obeyform]
CLIMCONFIG.INTERFACE DESCRIPTION
This command does the following:
interface -add
adds the interface name to the /etc/network/interfaces file of the CLIM. The host brings up the interface when it is added.
If the CLIM has MULTIPROV ON and the operator specifies the -prov option with the name of an unconfigured prov object, that object is implicitly added. Thus, for an unknown provider, you can specify climconfig interface -add interface-name -prov prov-name, which is equivalent to issuing the two commands climconfig prov -add prov-name and climconfig interface -add interface-name -prov prov-name.
The interface can be added even when the CLIM is in the STARTED state.
Slave interfaces can be added by using the slaveinterface -configure command. If a bonding interface does not have any slave interfaces, it is not activated by the host.
interface -delete
removes the configured physical or bonding interface and its configuration (all the IP addresses and routes associated with the interface) from the /etc/network/interfaces file of CLIM.
interface -modify
changes the existing interface configuration in the CLIM /etc/network/interfaces file.
For eth0, its IP address or MAC address settings can be modified. For modifying parameters of any option, only the modified parameter can be specified; other unmodified parameters need not be specified. You can modify the jumbo setting, IP address, mtu, autonegotiation settings, and MAC address individually, but not all on the same command. If an option does not exist, the new option and its parameter can be added. However, you cannot delete a previously configured option. This command does not support InfiniBand interfaces.
interface -info
displays the configuration of an interface. For a given interface, the IP address, netmask, gateway, minimum TCP Retransmission Timeout (RTO) value (in milliseconds), and other information, are displayed. An interface can have both IPv4 and
IPv6 addresses; in this case, the command displays both of the configuration details for the interface. The command displays the configurations only for an interface existing in the /etc/network/interfaces file. To display the configurations for an interface existing in the kernel, use the ifconfig command.
PARAMETERS
eth0 Specifies the dedicated service LAN interface.
eth0:0 Specifies the maintenance Provider LAN interface.
interface Refers to the physical (Ethernet or InfiniBand interface) or logical (software abstraction such as bond or tunnel) interfaces on the CLIM.
interface-name
Specifies the interface for the operation. For the -macaddr option, the interface, including slave interfaces, must be a physical interface. For other options, the interface can be either a physical interface (for example, eth1, ib0) or a bonding interface (for example, bond0).
-ipaddress ipaddress
Specifies an IPv4 address.
-prov Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own interface configuration. The provider name is case-insensitive and always converted to UPPER case.
-netmask netmask
Specifies an IPv4 network address in dotted quad form.
all Displays information for all interfaces.
-obeyform This option displays the user-configured resources of an interface in add command format.
-mtu Sets the frame size for an interface. If the option is not specified, the default frame size is 1500.
For physical and bonding interfaces, allowable values are 1280 to 9000.
For tunnel interfaces, allowable values are 1280 to 65508.
If the mtu option is set for a bonding interface, it is also applied to its slave interfaces.
Setting the mtu option separately for a slave interface is not allowed.
You cannot specify both the jumbo and mtu options.
mtu cannot be specified for eth0, eth0:0, and InfiniBand interfaces.
Specifying mtu overrides previous values set for jumbo.
-jumbo on Changes jumbo frames for an interface other than eth0 or eth0:0. If jumbo is set (on), the frame size is 9000 bytes. If jumbo is reset (off), the frame size is 1500 bytes. If the option is not specified, the default frame size is 1500 bytes.
The jumbo option has a limited set of allowable values (1500 - OFF and 9000 - ON) for frame size, whereas the mtu option supports a range of values. The mtu option is the recommended method for setting the MTU size.
The climconfig tool reports an error if the NIC does not support a frame size of 9000 bytes.
If the jumbo option is set for a bonding interface, it will also be applied to a slave interface.
Setting the jumbo option separately for a slave interface is not allowed.
If the bonding interface is UP, the jumbo option is set and a slave interface is added that does not support frames of 9000 bytes, Climconfig reports an error while adding the slave interface.
You cannot specify both the jumbo and mtu options.
A jumbo frame cannot be set for eth0 and eth0:0.
Specifying jumbo overrides previous values set for mtu.
-jumbo off Disables jumbo frames for an interface. The frame size is set to 1500 bytes. If this parameter is not specified, the jumbo option is reset and the frame size set to 1500 bytes.
-force Causes the command to modify the interface without prompting for confirmation.
-autonegotiation on
Enables autonegotiation.
-autonegotiation off
Disables autonegotiation. -linespeed and -duplex options must be specified.
-linespeed 10
Sets the linespeed to 10MB/sec.
-linespeed 100
Sets the linespeed to 100MB/sec.
-linespeed 1000
Sets the linespeed to 1000MB/sec. This option can be set only if -autonegotiation is set to on.
-duplex half
Sets the duplex mode to half.
-duplex full
Sets the duplex mode to full.
-macaddr Specifies the MAC address to be assigned to the specified interface. If default is specified, the original hardware MAC address is assigned. (This option is not supported on virtio interfaces).
Note:
When the interface is deleted from the configuration, either as a slave interface or an independent interface, the configured software MAC address is not retained with the interface.
ERROR MESSAGES
For interface -add:
The interface interface-name is already configured as an independent interface.
Interface interface-name is slave interface for a bonding interface. It cannot be configured as an independent interface.
Interface interface-name does not exist in the kernel.
The -jumbo option is not supported for eth0/eth0:0.
The -mtu option is not supported for eth0/eth0:0 or for ib0/ib1.
Only one of -jumbo or -mtu options can be specified.
A value within the range 1280 to 9000 must be specified for -mtu option.
The -prov option is not supported for CLIM with SCF MULTIPROV option set to OFF.
The -prov option must be specified for CLIM with SCF MULTIPROV option set to ON.
The -prov option is not supported for eth0 and eth0:0.
eth0:0 is not supported on virtio interfaces.
The specified provider name is invalid; it must not be more than seven characters and must be alpha-numeric characters with the first character being alphabetic.
For interface -delete:
This command is not supported for the interface eth0.
This command is not supported for the interface lo.
The interface interface-name is not configured.
The interface interface-name has a tunnel interface tunnel-interface-name associated with it.
The specified interface interface-name has a vlan interface vlan-interface-name associated with it.
The specified interface interface-name has a vxlan interface vxlan-interface-name associated with it.
The interface interface-name is UP, cannot execute this command.
Cannot execute this command for the interface eth0:0, with eth0:0 in use.
For interface -modify:
This command is not supported for the interface lo.
The -jumbo option is not supported for eth0/eth0:0 or ib0/ib1.
The -mtu option is not supported for eth0/eth0:0.
Only one of -jumbo or -mtu options can be specified.
A value within the range 1280 to 9000 must be specified for -mtu option.
The specified mtu <mtu-value> is less than that of its VLAN interface <vlan-interface>.
The specified mtu <mtu-value> must be at least 50 bytes more than that of its VXLAN interface <vxlan-interface> (with IPV4 multicast IP address).
The specified mtu <mtu-value> must be at least 70 bytes more than that of its VXLAN interface <vxlan-interface> (with IPV6 multicast IP address).
The specified line speed <linespeed-value> is invalid. The line speed of all the slaves of a bonding interface should be same in bonding mode 4 (802.3ad).
The specified duplex setting <duplex-value> is invalid. The duplex settings of all the slaves of a bonding interface should be same in bonding mode 4 (802.3ad).
The IPv6 family cannot be specified for the eth0.
-ipaddress option for the command - "climconfig interface -modify", is supported only for eth0.
The interface interface-name is not configured.
Cannot execute this command for the interface eth0 when the CLIM is in STARTED state.
The tunnel interface and its parent interface have different jumbo settings.
Internal Error in updating SLNP rules, error-code.
The specified MAC address is not a software MAC address.
The software MAC address of the slaves slave-interface-1 and slave-interface-2 of bonding interface bonding-interface cannot be the same for bonding mode mode.
This command is not supported for InfiniBand interfaces.
The specified Jumbo value already exists for the interface.
The specified interface does not support the specified speed and mode.
For interface -info:
The interface interface-name is not configured.
WARNING MESSAGES
For interface -modify:
Warning: SNMP configuration file /etc/default/snmpd is missing.
Warning: SNMP configuration file /etc/default/snmpd is corrupt.
Warning: Cannot restart SNMP daemon.
Warning: Cannot restart SNMP agents.
Warning: Cannot write to SNMP configuration file /etc/default/snmpd.
CONSIDERATIONS
Considerations for interface -add:
The bonding interface is listed as one of the interfaces, with its slave interfaces configured within that bonding interface definition. Slave interfaces should not be added using this command. Slave interfaces for a bonding interface can be configured using the command climconfig slaveinterface -configure ...
The climconfig tool does not allow addition of a virtual interface other than eth0:0.
eth0:0 cannot be added when the CLIM is in the STARTED state.
If the interface to be added is UP, it should first be brought down using the CLIMCMD ifstop command, and then added.
climconfig tool does not allow addition of the eth0:0 interface on vCLIM (MAINTENANCE type providers are not supported, and ZTCP0/1 are configured as standard data providers with data interface (e.g. eth1)).
Considerations for interface -delete:
You cannot delete eth0, the dedicated service LAN interface.
lo, the loopback interface, cannot be deleted.
This command cannot be executed when the specified interface is active (UP). Use the CLIMCMD ifstop command to deactivate the interface before deleting it.
An interface cannot be deleted before deleting all tunnel and VLAN and VXLAN interfaces associated with it.
This command cannot be used to delete tunnel interfaces.
This command cannot be used to delete VLAN and VXLAN interfaces.
eth0:0, the maintenance provider interface, cannot be deleted when eth0:0 is in use by the NonStop host.
Considerations for interface -modify:
You cannot modify the IP address and netmask of eth0 when the CLIM is in the STARTED state. To modify the IP address on a CLIM, do a climcmd clim-name, then a climcmd clim-name. Then issue the SCF CLIM START command to restart the CLIM after the changes.
An IPv6 address cannot be assigned to eth0 interface.
The -jumbo option cannot be used for eth0 and eth0:0.
If the Maximum Transfer Unit (MTU) of an active interface is changed using the jumbo option, a failover of that interface might occur.
The mtu value cannot be less than the mtu of its VLAN interface.
The mtu value must be at least 50 bytes more than that of its VXLAN interface (with IPv4 multicast IP address).
The mtu value must be at least 70 bytes more than that of its VXLAN interface (with IPv4 multicast IP address).
The loopback interface, lo, cannot be modified.
Not all ethernet cards support all linespeeds and duplex modes.
Fibre channel supports only -autonegotiation on. Virtio and IB interfaces do not support speed settings.
Gigabit ethernet standard requires auto-negotiation to be ON. You cannot specify SPEED 1000 Mb/s and AUTONEGOTIATION OFF.
Modifying the MAC address on virtio interfaces is not supported.
A MAC address can be modified only for an interface that is DOWN (stopped). Therefore, effectively, the eth0 MAC address cannot be changed.
When a MAC address is being modified, the interface must not have been failed over.
The software MAC addresses of all slaves of a bonding interface must be unique in bonding modes 5 (balance-tlb) and 6 (balance-alb). A check is performed when you attempt to change the bonding mode.
The line speed and duplex settings of all the slaves of a bonding interface should be same in bonding mode 4 (802.3ad).
If the eth0 IP address is being changed, the known host information SSHDB on the NonStop host must be modified. Here are the required steps:
1. At the TACL prompt, enter:
Tacl> sshcom open $zssp0; mode client; info knownhost *:old-eth0-ip-address.22; exit
2. For each entry listed above (one per user), issue this command: sshcom open $zssp0; mode client; delete knownhost user-name:old-eth0-ip-address.22; exit
The old-eth0-ip-address is the IP address configured on eth0 that is being changed to a new IP address.
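The MTU, jumbo and VXLAN/VLAN constraints listed under PARAMETERS, ERROR MESSAGES and these considerations are easy to get wrong in automation. The following Python pre-flight check is an added example and not HPE code: it encodes those documented constraints for interface -modify so that a script can reject a bad request before it is sent to the CLIM. The Iface record (interface kind, slave role, VLAN and VXLAN children) is an assumed input that the caller fills in, for example from climconfig interface -info.

```python
"""Pre-flight check for 'climconfig interface -modify' MTU and jumbo arguments.

Added example, not HPE code: it encodes the constraints documented for
interface -modify so an automation script can reject a bad request before
sending it to the CLIM. The Iface record is an assumed input filled in by
the caller (for example from 'climconfig interface -info').
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PHYS_OR_BOND_RANGE = (1280, 9000)           # documented -mtu range, physical/bonding
TUNNEL_RANGE = (1280, 65508)                # documented -mtu range, tunnel interfaces
VXLAN_OVERHEAD = {"ipv4": 50, "ipv6": 70}   # parent mtu must exceed a VXLAN child by this


@dataclass
class Iface:
    name: str
    kind: str                       # "physical", "bonding", "tunnel" or "infiniband"
    is_slave: bool = False          # member of a bonding interface
    vlan_mtus: List[int] = field(default_factory=list)                 # MTUs of VLAN children
    vxlans: List[Tuple[str, int, str]] = field(default_factory=list)   # (name, mtu, "ipv4"/"ipv6")


def check_modify(iface: Iface, mtu: Optional[int] = None,
                 jumbo: Optional[str] = None) -> List[str]:
    """Return the documented error texts the request would trigger; empty means OK."""
    errors: List[str] = []
    if mtu is not None and jumbo is not None:
        return ["Only one of -jumbo or -mtu options can be specified."]
    if iface.name == "lo":
        return ["This command is not supported for the interface lo."]
    if iface.kind == "infiniband":
        return ["This command is not supported for InfiniBand interfaces."]

    if jumbo is not None:
        if jumbo not in ("on", "off"):
            errors.append(f"Invalid -jumbo value {jumbo!r}; expected on or off.")  # constructed wording
        if iface.name in ("eth0", "eth0:0"):
            errors.append("The -jumbo option is not supported for eth0/eth0:0.")
        if iface.is_slave:
            errors.append("Setting the jumbo option separately for a slave interface is not allowed.")
        return errors

    if mtu is not None:
        if iface.name in ("eth0", "eth0:0"):
            return ["The -mtu option is not supported for eth0/eth0:0."]
        if iface.is_slave:
            errors.append("Setting mtu option separately for a slave interface is not allowed.")
        low, high = TUNNEL_RANGE if iface.kind == "tunnel" else PHYS_OR_BOND_RANGE
        if not low <= mtu <= high:
            errors.append(f"A value within the range {low} to {high} must be specified for -mtu option.")
        for vlan_mtu in iface.vlan_mtus:
            if mtu < vlan_mtu:
                errors.append(f"The specified mtu {mtu} is less than that of its VLAN interface ({vlan_mtu}).")
        for vx_name, vx_mtu, family in iface.vxlans:
            need = VXLAN_OVERHEAD[family]
            if mtu < vx_mtu + need:
                errors.append(f"The specified mtu {mtu} must be at least {need} bytes more than "
                              f"that of its VXLAN interface {vx_name}.")
    return errors


if __name__ == "__main__":
    # Constructed bonding interface with one VLAN and one IPv6-multicast VXLAN child.
    bond = Iface("bond0", "bonding", vlan_mtus=[1500], vxlans=[("b0xzt8", 1500, "ipv6")])
    for args in ({"mtu": 1560}, {"mtu": 1570}, {"jumbo": "on"}, {"mtu": 9001}):
        print(args, check_modify(bond, **args) or "OK")
```

The check returns the manpage's own error wording where it exists, so a script can compare its pre-flight result with what the CLIM actually reports. It deliberately stops at the first structural problem (both options given, lo, InfiniBand) because the CLIM rejects those outright.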
Considerations for interface -info:
For vCLIM, the Type of Card field and MAC address of the interface are used for determining the mapping to the vCLIM configuration in the hypervisor.
Also note that the maintenance provider, ZTCP0/1, is configured using a data interface (e.g. eth1), rather than the (unsupported) eth0:0.
EXAMPLES
> CLIMCMD clim1 climconfig interface -add eth1 -jumbo on
> CLIMCMD clim1 climconfig interface -add bond0 -jumbo on
> CLIMCMD clim1 climconfig interface -delete eth1
> CLIMCMD clim1 climconfig interface -modify eth0 -ipaddress 15.76.217.112 -netmask 255.255.128.0
> CLIMCMD 17.205.15.2 climconfig interface -modify eth1 -jumbo off
> CLIMCMD 15.205.15.2 climconfig interface -modify eth1 -autonegotiation off -linespeed 100 -duplex half
> CLIMCMD 15.205.15.2 climconfig interface -modify eth2 -autonegotiation on -linespeed 1000
> CLIMCMD 15.205.15.2 climconfig interface -modify eth2 -macaddr 00:16:b4:3B:90:EE
> CLIMCMD 16.107.170.241 climconfig interface -info all
> CLIMCMD 16.107.170.241 climconfig interface -info all -obeyform
> CLIMCMD NCLIM000 climconfig interface -info all -obeyform
Maintenance LAN Interfaces
Interface : lo
Interface Type : Loopback Interface
Interface : eth0
Interface Type : Virtio Interface
MTU Size : 1500
IP Address : 192.168.38.163
Netmask : 255.255.0.0
ROUTE Details :
Route Type : Default Route
Destination Address : 0.0.0.0
Netmask : 0.0.0.0
Gateway Address : 192.168.38.1
Metric : 0
Minimum RTO : Unspecified
InitCWND : Unspecified
Src : Unspecified
Type of Card : virtio
Software MAC Address : Unspecified
Data Provider ZTC0 interfaces
Interface : eth1
Interface Type : Virtio Interface
MTU Size : 1500
IP Address : 15.213.85.114
Netmask : 255.255.254.0
ROUTE Details :
Route Type : Default Route
Destination Address : 0.0.0.0
Netmask : 0.0.0.0
Gateway Address : 15.213.84.1
Metric : 0
Minimum RTO : Unspecified
InitCWND : Unspecified
Src : Unspecified
Type of Card : virtio
Software MAC Address : Unspecified
Interface : eth2
Interface Type : Virtio Interface
MTU Size : 1500
IP Address : 192.168.36.180
Netmask : 255.255.0.0
Type of Card : virtio
Software MAC Address : Unspecified
Data Provider ZTCP1 interfaces
Interface : eth6
Interface Type : Virtio Interface
MTU Size : 1500
IP Address : 192.168.136.186
Netmask : 255.255.0.0
Type of Card : virtio
Software MAC Address : Unspecified
Data Provider ZTC4 interfaces
Interface : eth4
Interface Type : Virtio Interface
MTU Size : 1500
IP Address : 192.168.136.116
Netmask : 255.255.0.0
Type of Card : virtio
Software MAC Address : Unspecified
SEE ALSO
climconfig ip -add
climconfig.ip(1) climconfig.ip(1)
NAME
climconfig.ip − add or delete IP addresses
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig ip -add
{eth0|eth0:0|interface} -ipaddress ip-address -netmask netmask
CLIMCMD {clim-name|ip-address} climconfig ip -delete interface
-ipaddress ip-address -netmask netmask [-force]
CLIMCONFIG.IP DESCRIPTION
This command does the following:
• ip -add adds an IP address to an existing interface. Multiple IP addresses can be added to an interface.
• ip -delete deletes an IP address from the specified interface. The IP address is deleted from the configuration file. If the IP address exists in the kernel, it is deleted from the kernel.
PARAMETERS
eth0 Specifies the dedicated service LAN interface.
eth0:0 Specifies the maintenance provider LAN interface.
interface
Specifies an interface. This parameter can be either a physical interface name (such as eth1, ib0), a bonding interface name (such as bond0), a tunnel interface name (such as tun0), a vlan interface name (such as e1v7, b0v8), or a vxlan interface name (such as e1xzt7, b0xzt8).
-ipaddress ipaddress
Is the new IP address to be assigned to the interface (for ip -add) or the IP address to be deleted from the interface (for ip -delete). It can be an IPv4 or an IPv6 IP address.
-netmask netmask
Specifies the netmask for the interface. For IPv4 addresses, use dotted quad format.
For IPv6 addresses, use the number of bits appropriate for the IPv6 address (for example, 64).
-delete interface
Deletes an IP address for the specified physical or bonding interface from the /etc/network/interfaces file of the CLIM. This command also deletes the tunnel configurations associated with the interface.
-force Causes the command to delete the IP address without prompting for confirmation.
ERROR MESSAGES
For ip -add:
• The interface interface-name is not configured.
• This command is not supported for the interface lo.
• Configuring IPv6 "address" is not allowed for eth0 and eth0:0 interfaces.
• Interface "eth0" already has an IP.
• Interface "eth0:0" already has an IP.
• The specified IP address already exists for the interface.
• Cannot execute this command for the interface interface-name when the CLIM is in STARTED state.
• The "IPv4" family cannot be specified for the "tunnel interface".
For ip -delete:
• This command is not supported for the interface lo.
• The interface interface-name is not configured.
• The specified IP address ip-address is not configured for the interface.
• The IP address cannot be deleted from eth0.
• The IP address cannot be deleted from eth0:0 with eth0:0 in use.
• A route with the specified IP address as a -src exists.
• The specified IP address ip-address is in use by the VXLAN interface interface-name.
WARNING MESSAGES
For ip -add:
• Warning: SNMP configuration file /etc/default/snmpd are missing.
• Warning: SNMP configuration file /etc/default/snmpd are corrupt.
• Warning: Cannot restart SNMP daemon.
• Warning: Cannot write to SNMP configuration file /etc/default/snmpd.
• Cannot restart SNMP agents.
For ip -delete:
• Warning: Could not remove IPv4 compatible IPv6 address from the kernel.
CONSIDERATIONS
For ip -add:
• For SNMP listening address configuration, when the IP address is added to eth0, the climconfig tool updates the /etc/defaults/snmpd configuration file with the new listening address as the dedicated service LAN IP.
• Tunnel interfaces can be assigned only with IPv6 addresses.
• An IPv6 address cannot be assigned to eth0 and eth0:0.
• On vCLIM, the hypervisor may constrain the IP addresses that may be configured. (This is not checked by CLIM software.)
• Only one IPv4 address can be assigned to eth0 or eth0:0.
• The IP address is added either to the /etc/network/interfaces file, to the kernel, or to both. The behavior is defined as:
  • If the specified interface is down, the IP address is added to the file.
  • If the CLIM is in the STOPPED state, the IP address is added to the file.
  • If the specified interface is UP and the CLIM is in the STARTED state, the IP address is added to the file and to the kernel.
• The customer data interfaces, eth1 - eth5, cannot have IP addresses in the 192.168.*.* range, or whatever the dedicated service LAN address range is for the system.
• If the same static IPv6 address is configured and added to more than one CLIM, during the interface activation, the IPv6 address being duplicated remains as a tentative address. This IPv6 address is not automatically removed from the kernel/file configuration by climconfig. It is the operator’s responsibility to remove such duplicate static IPv6 addresses from the configuration.
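The interface -info output format shown in the climconfig interface manpage above and the rule in this list that the customer data interfaces eth1 - eth5 must not use addresses in the dedicated service LAN range can be checked together. The following Python parser and audit are an added example, not HPE code. The SAMPLE text is constructed in the layout the manpage shows (provider group headings, "Interface :" records, "Key : Value" lines, a ROUTE Details block) and is not output captured from a real CLIM; the service LAN range is assumed to be the network given by eth0's address and netmask.

```python
"""Parse 'climconfig interface -info all' output and audit data-interface addresses.

Added example, not HPE code. SAMPLE is constructed in the manpage's output
layout; it is not captured from a real CLIM. The audit applies the documented
ip -add rule that eth1 - eth5 must not carry addresses inside the dedicated
service LAN range, assumed here to be the network of eth0's address/netmask.
"""
import ipaddress
import re
from typing import Dict, List

SAMPLE = """\
Maintenance LAN Interfaces
Interface : lo
Interface Type : Loopback Interface
Interface : eth0
Interface Type : Physical Interface
MTU Size : 1500
IP Address : 192.168.38.163
Netmask : 255.255.0.0
ROUTE Details :
Route Type : Default Route
Destination Address : 0.0.0.0
Netmask : 0.0.0.0
Gateway Address : 192.168.38.1
Metric : 0
Type of Card : Ethernet
Data Provider ZTC0 interfaces
Interface : eth1
Interface Type : Physical Interface
MTU Size : 9000
IP Address : 15.213.85.114
Netmask : 255.255.254.0
Interface : eth2
Interface Type : Physical Interface
MTU Size : 1500
IP Address : 192.168.36.180
Netmask : 255.255.0.0
"""

# Keys that appear inside a ROUTE Details block (Netmask also occurs at interface level).
ROUTE_KEYS = {"Route Type", "Destination Address", "Netmask", "Gateway Address",
              "Metric", "Minimum RTO", "InitCWND", "Src"}
KV = re.compile(r"^(.+?)\s*:\s*(.*)$")   # split on the first colon only; IPv6 values keep theirs


def parse_info(text: str) -> Dict[str, dict]:
    """Return {interface-name: {"provider": heading, "routes": [...], <field>: value}}."""
    ifaces: Dict[str, dict] = {}
    provider = None
    current = None
    in_routes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KV.match(line)
        if not m:                      # a line without a colon is a provider group heading
            provider = line
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Interface":         # start of a new interface record
            current = {"provider": provider, "routes": []}
            ifaces[value] = current
            in_routes = False
        elif current is None:
            continue                   # stray line before the first record
        elif key == "ROUTE Details":
            in_routes = True
        elif key == "Route Type":
            current["routes"].append({key: value})
        elif in_routes and key in ROUTE_KEYS and current["routes"]:
            current["routes"][-1][key] = value
        else:
            in_routes = False          # any other key ends the route block
            current[key] = value
    return ifaces


def audit_service_lan_overlap(ifaces: Dict[str, dict]) -> List[str]:
    """Names of eth1-eth5 whose address lies inside the eth0 service LAN network."""
    eth0 = ifaces.get("eth0", {})
    if "IP Address" not in eth0 or "Netmask" not in eth0:
        return []
    # ip_network accepts a dotted netmask; strict=False clears the host bits.
    service_net = ipaddress.ip_network(f"{eth0['IP Address']}/{eth0['Netmask']}", strict=False)
    flagged = []
    for name in ("eth1", "eth2", "eth3", "eth4", "eth5"):
        rec = ifaces.get(name)
        if rec and "IP Address" in rec and ipaddress.ip_address(rec["IP Address"]) in service_net:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    parsed = parse_info(SAMPLE)
    for name, rec in parsed.items():
        print(name, rec["provider"], rec.get("IP Address"), len(rec["routes"]), "route(s)")
    print("data interfaces inside the service LAN range:", audit_service_lan_overlap(parsed))
```

Splitting only on the first colon is what keeps IPv6 values such as fe80::1 intact, and the route block is closed by the next non-route key (Type of Card in the sample) rather than by indentation, which the CLIMCMD output does not reliably preserve when captured.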
For ip -delete:
• The IP address cannot be deleted from eth0.
• The IP address cannot be deleted from eth0:0, with eth0:0 in use.
• The IP address of the loopback interface, lo, cannot be deleted.
• If an interface is hosting one or more VXLAN interfaces, the last IP address cannot be deleted from it.
• All the routes belonging to an interface for a particular network are automatically deleted from the kernel when the last IPv4 address belonging to that network is deleted from the interface.
However, the routes remain in the configuration file. These routes will come into effect only when the interface is restarted (ifstop followed by ifstart) or when the routes are deleted and then added back after adding at least one IPv4 address corresponding to that network. For example:
interface -info eth5
Interface : eth5
Interface Type : Physical Interface
MTU Size : 1500
IP Address : 172.17.190.71
Netmask : 255.255.255.0
ROUTE Details :
Route Type : Default Route
Destination Address : 0.0.0.0
Netmask : 0.0.0.0
Gateway Address : 172.17.190.1
Metric : 0
Minimum RTO : Unspecified
When the IP 172.17.190.71 is deleted, the default route 172.17.190.1 is automatically deleted from the kernel.
EXAMPLES
> ip -add eth1 -ipaddress 15.76.217.14 -netmask 255.255.255.0
> ip -add e1xzt7 -ipaddress 15.76.217.14 -netmask 255.255.255.0
> ip -delete eth1 -ipaddress 15.76.217.14 -netmask 255.255.255.0
> ip -delete e1xzt7 -ipaddress 15.76.217.14 -netmask 255.255.255.0
climconfig.ip6tables(1) climconfig.ip6tables(1)
NAME
climconfig.ip6tables − configure ip6tables
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig ip6tables
[-prov prov-name] [-force] arguments
Or,
CLIMCMD {clim-name|ip-address} climconfig ip6tables
[-prov prov-name] arguments [-force]
CLIMCONFIG.IP6TABLES DESCRIPTION
This command supports the following options. If a command is labeled as sensitive, a user confirmation is required for execution unless the -force option is also specified.
--append | -A chain rule-specification options
This command appends one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination. This command is valid only for the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and user-defined chains.
--delete | -D chain rulenum rule-specification options
This command deletes one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting from 1 for the first rule) or a rule to match. For the latter case, the specified rule must match an existing entry in the chain exactly. This command is valid only for the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and user-defined chains. This is a sensitive command.
--insert | -I chain rulenum rule-specification options
This inserts one or more rules in the selected chain as the given rule number. Number starts from 1. This is also the default if no rule number is specified. This command is valid only for the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and user-defined chains.
--replace | -R chain rulenum rule-specification options
This command replaces a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1. This command is valid only for the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and user-defined chains. This is a sensitive command.
--list | -L [chain rulenum]
Lists all rules or the rule of the specified rule number in the selected chain. Any chain (including the built-in chains) can be listed. This command is valid for all chains including the Linux built-in chains, the CIP built-in chains, and all user-defined chains. If no chain is selected, all chains are listed.
--list-rules | -S [chain rulenum]
Prints all rules or the rule of the specified rule number in the selected chain in the form of iptables/ip6tables commands. This command is valid only for the CIP_INPUT chain and user-defined chains. If no chain is selected, all user-defined chains, if any, and the CIP_INPUT chain are listed.
--flush | -F [chain]
This command deletes all user-defined rules in a chain. This command is valid only for the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and user-defined chains. If no chain is specified, this flushes all rules in the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and in all user-defined chains. The CIP_INPUT_p chain is not flushed. This is a sensitive command.
--zero | -Z [chain]
This command zeros out the packet and byte counters in the specified chain or all chains if the chain name is not specified. This applies to all user-defined chains, the CIP built-in chains and Linux built-in chains if chain is not specified. A user may also specify the Linux built-in INPUT chain for this command.
--new | -N chain
This command creates a new user-defined chain by the given name. There must be no target of that name already, or an error is returned. Creating a Linux built-in or CIP built-in chain is not allowed.
--delete-chain | -X [chain]
Delete the user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must also be empty, i.e. not containing any rules. If no argument is given, it will attempt to delete every user-defined chain in the table. The Linux built-in chains and CIP built-in chains cannot be deleted.
--rename-chain | -E old-chain new-chain
This command renames the specified user-defined chain to the user-supplied name.
Any references to the old chain name are automatically renamed by Linux iptables/ip6tables itself. The Linux built-in chains and CIP built-in chains cannot be renamed.
--policy | -P chain target
This command sets the policy for the chain to the given target. Only the CIP built-in CIP_INPUT chain can be specified with a policy. Neither Linux built-in nor user-defined chains can be policy targets.
Setting a policy on the CIP_INPUT chain causes the target (the first and only rule) in the CIP_INPUT_p chain to be replaced.
-h | -help | --help
This command prints the climconfig iptables/ip6tables help information. If it is specified after a match extension, some more information pertinent to that match could also be given.
PARAMETERS
-prov Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own ip6tables configuration. The provider name is case-insensitive and always converted to UPPER case.
-force Used with a sensitive command, causes the command to bypass user confirmation. Must be either ahead of the command or at the end of the line.
[!] --protocol | -p proto
To match protocol proto, which is either a protocol name or number. Supported protocols are: all(0), tcp(6), udp(17), icmpv6(58), esp(50), ah(51), and sctp(132). When the "!" argument is used, the ’match’ operation is changed to the ’not match’ operation.
[!] --source | --src | -s addressmask
To match a source address. Address can be either a network IPv4/IPv6 address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1s at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. When the "!" argument is used the 'match' operation is changed to the 'not match' operation.
[!] --destination | --dst | -d addressmask
To match a destination address. Address can be either a network IP address (with /mask), or a plain IPv4/IPv6 address. The mask can be either a network mask or a plain number, specifying the number of 1s at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. When the "!" argument is used the 'match' operation is changed to the 'not match' operation.
[!] --in-interface | -i interface_name
To match a packet by the interface in which it was received. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match. When the "!" argument is used the 'match' operation is changed to the 'not match' operation.
[!] --out-interface | -o name
Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.
--jump | -j target
Jump to a target, which can be a user-defined chain, a built-in or extension target.
--match | -m match-module-name
Load a match extension module.
--numeric | -n
Select numeric output of addresses and ports.
--table | -t table
Specify table to manipulate. table must be ’filter’ or ’mangle’.
--verbose | -v
Verbose mode.
--line-numbers
Print line numbers when listing.
--exact | -x To expand numbers (display exact values).
--set-counters | -c pkts bytes
This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, APPEND, REPLACE operations). For example, ip6tables -A CIP_INPUT -c 100 2000 -p tcp -i eth2 --dport 21 -j ACCEPT would set the rule in the CIP_INPUT chain for accepting ftp packets targeted for interface eth2 and, at the same time, initialize the number of packets accepted to be 100 and number of bytes to be 2000.
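The generic matching options above (protocol names and numbers, address/mask with either a prefix length or a dotted netmask, the "!" inversion, and the trailing "+" interface wildcard) determine which traffic a rule in CIP_INPUT will affect. The following Python model is an added example, not HPE or Linux iptables code: it parses a rule specification using only those documented options and tests it against packet descriptions, so an administrator can see what a candidate rule would match before installing it. The packet dict layout (proto, src, dst, in, out) is an assumption of this example.

```python
"""Model of the generic ip6tables/iptables rule-matching options documented above.

Added example, not HPE or Linux code. It models only [!] -p, [!] -s/-d,
[!] -i/-o and -j as this manpage describes them; the packet dict layout is
an assumption of the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Any, Dict

# Protocol names and numbers listed under --protocol.
PROTOCOLS = {"all": 0, "tcp": 6, "udp": 17, "esp": 50, "ah": 51, "icmpv6": 58, "sctp": 132}


@dataclass
class Predicate:
    negate: bool      # a preceding "!" turns 'match' into 'not match'
    value: Any


def parse_rule(spec: str) -> Dict[str, Predicate]:
    """Turn '-p tcp ! -s 10.0.0.0/24 -i eth+ -j ACCEPT' into keyed predicates."""
    tokens = spec.split()
    preds: Dict[str, Predicate] = {}
    negate = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        if i + 1 >= len(tokens):
            raise ValueError(f"option {tok} needs an argument")
        arg = tokens[i + 1]
        if tok in ("-p", "--protocol"):
            number = int(arg) if arg.isdigit() else PROTOCOLS[arg.lower()]
            preds["proto"] = Predicate(negate, number)
        elif tok in ("-s", "--source", "--src"):
            # ip_network accepts "fe80::/64", "10.0.0.0/255.255.255.0" and a plain address;
            # strict=False masks host bits, so "10.0.0.7/24" means 10.0.0.0/24.
            preds["src"] = Predicate(negate, ipaddress.ip_network(arg, strict=False))
        elif tok in ("-d", "--destination", "--dst"):
            preds["dst"] = Predicate(negate, ipaddress.ip_network(arg, strict=False))
        elif tok in ("-i", "--in-interface"):
            preds["in"] = Predicate(negate, arg)
        elif tok in ("-o", "--out-interface"):
            preds["out"] = Predicate(negate, arg)
        elif tok in ("-j", "--jump"):
            preds["target"] = Predicate(False, arg)
        else:
            raise ValueError(f"option {tok} is not modelled by this example")
        negate = False
        i += 2
    return preds


def interface_matches(pattern: str, name: str) -> bool:
    """A pattern ending in '+' matches any interface name that begins with the prefix."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def rule_matches(preds: Dict[str, Predicate], packet: Dict[str, Any]) -> bool:
    """True when every predicate, after applying its negation, accepts the packet."""
    tests = {
        "proto": lambda v: v == 0 or packet.get("proto") == v,       # all(0) matches everything
        "src": lambda v: ipaddress.ip_address(packet["src"]) in v,   # IPv4 in an IPv6 net is False
        "dst": lambda v: ipaddress.ip_address(packet["dst"]) in v,
        "in": lambda v: interface_matches(v, packet.get("in", "")),
        "out": lambda v: interface_matches(v, packet.get("out", "")),
    }
    for key, pred in preds.items():
        if key == "target":
            continue
        if tests[key](pred.value) == pred.negate:   # negation flips the required outcome
            return False
    return True


if __name__ == "__main__":
    rule = parse_rule("-p tcp ! -s fe80::/64 -i eth+ -j ACCEPT")
    pkt = {"proto": 6, "src": "2001:db8::10", "dst": "2001:db8::1", "in": "eth2"}   # constructed
    print(rule["target"].value if rule_matches(rule, pkt) else "no match")
```

Note that the model does not implement match extensions such as connlimit or conntrack; a rule using -m is rejected by parse_rule rather than silently treated as matching, which is the safer default when the model is used to reason about what a rule lets through.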
MATCH EXTENSIONS
The supported match extensions are based on the Linux ip6tables man pages. They are subject to future changes made by Linux ip6tables implementation.
ah Matches the SPIs in Authentication header of IPsec packets.
[!] --ahspi spi[:spi]
[!] --ahlen length
--ahres
comment Allows you to add comments (up to 256 characters) to any rule.
--comment comment
Example: ip6tables -A CIP_INPUT -s fe80::221:5aff:fec9:1a32/64 -m comment --comment 'A privatized IP block'
connbytes Matches by how many bytes/packets a connection has transferred.
[!] --connbytes from:[to]
--connbytes-dir {original|reply|both}
--connbytes-mode {packets|bytes|avgpkt}
Example: ip6tables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...
connlimit
Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).
--connlimit-upto n
Match if the number of existing connections is below or equal n.
--connlimit-above n
Match if the number of existing connections is above n.
--connlimit-mask prefix_length
Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32. For IPv6, between 0 and 128. If not specified, the maximum prefix length for the applicable protocol is used.
--connlimit-saddr
Apply the limit onto the source group. This is the default if --connlimit-daddr is not specified.
--connlimit-daddr
Apply the limit onto the destination group.
Examples:
# allow 16 telnet connections per client host
ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT
connmark *
Matches packets in connections with value set by CONNMARK target.
This is not supported on CIP.
conntrack
Matches additional connection tracking information.
[!] --ctstate statelist
statelist is a comma-separated list of the connection states to match.
[!] --ctproto l4proto
[!] --ctorigsrc address[/mask]
[!] --ctorigdst address[/mask]
[!] --ctreplsrc address[/mask]
[!] --ctrepldst address[/mask]
Matches against original/reply source/destination address.
[!] --ctorigsrcport port[:port]
[!] --ctorigdstport port[:port]
[!] --ctreplsrcport port[:port]
[!] --ctrepldstport port[:port]
Matches against original/reply source/destination port (TCP/UDP/etc.) or GRE key.
[!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED][,...]
[!] --ctexpire time[:time]
--ctdir {ORIGINAL|REPLY}
dccp *
Matches DCCP-specific fields and types.
Not supported because CIP does not support Datagram Congestion Control Protocol.
dscp
This module matches the 6 bit DSCP field within the TOS field in the IP header. DSCP has superseded TOS within the IETF.
[!] --dscp value
Match against a numeric (decimal or hex) value [0-63].
[!] --dscp-class class
Match the DiffServ class. This value may be any of the BE, EF, AFxx or CSx classes. It will then be converted into its according numeric value.
dst
Matches parameters in Destination Options header.
[!] --dst-len length
--dst-opts type[:length][,type[:length]...]
esp
Matches the SPIs in ESP header of IPsec packets.
[!] --espspi spi[:spi]
eui64
Matches EUI-64 part of a stateless auto configured IPv6 address.
frag
Matches parameters in the Fragment header.
[!] --fragid id[:id]
[!] --fraglen length
--fragres
--fragfirst
--fragmore
--fraglast
hashlimit
Hashlimit for something like per destination-ip or per (destip, destport) tuple. It gives you the ability to express:
"1000 packets per second for every host in 192.168.0.0/16"
"100 packets per second for every service of 192.168.1.1" with a single ip6tables rule.
--hashlimit-upto amount[/second|/minute|/hour|/day]
--hashlimit-above amount[/second|/minute|/hour|/day]
--hashlimit-burst amount
--hashlimit-mode {srcip|srcport|dstip|dstport},...
--hashlimit-srcmask prefix
--hashlimit-dstmask prefix
--hashlimit-name foo
--hashlimit-htable-size buckets
--hashlimit-htable-max entries
--hashlimit-htable-expire msec
--hashlimit-htable-gcinterval msec
hbh
Matches parameters in Hop-by-Hop Options header.
[!] --hbh-len length
--hbh-opts type[:length][,type[:length]...]
helper
Specifies the conntrack-helper module.
[!] --helper string
hl
Matches the Hop Limit field in the IPv6 header.
[!] --hl-eq value
--hl-lt value
--hl-gt value
icmp6
Matches ICMPv6-specific values.
[!] --icmp-type {type[/code]|typename}
Allows specification of the ICMPv6 type, which can be a numeric ICMPv6 type, type and code, or one of the ICMPv6 type names shown by the command: ip6tables -p ipv6-icmp -h
iprange
Matches on a given arbitrary range of IP addresses.
[!] --src-range from[-to]
[!] --dst-range from[-to]
ipv6header
Matches IPv6 extension headers and/or upper layer header.
--soft
[!] --header header[,header...]
length
Matches the length of a packet against a value or range of values.
[!] --length length[:length]
limit
This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached. It can be used in combination with the LOG target to give limited logging, for example.
xt_limit has no negation support - you will have to use -m hashlimit ! --hashlimit rate in this case whilst omitting --hashlimit-mode.
--limit rate [/second|/minute|/hour|/day]
--limit-burst number
mac
Matches source MAC address.
[!] --mac-source address
mark
This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).
[!] --mark value[/mask]
Matches packets with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mask before the comparison). Matches packets with value previously set by MARK target.
mh *
Matches the Mobility Header (MH) type.
Not supported because CIP does not support ipv6-mh protocol.
multiport
Matches a set of source or destination ports.
[!] --source-ports | --sports port[,port|,port:port]...
[!] --destination-ports | --dports port[,port|,port:port]...
[!] --ports port[,port|,port:port]...
owner *
Matches various characteristics of the (locally generated) packet creator.
Not supported because it is only valid in the OUTPUT and POSTROUTING chains.
physdev *
Matches on the bridge port input and output devices enslaved to a bridge device.
Not supported because CIP is not a bridge device.
pkttype
Matches link-layer packet type.
[!] --pkt-type {unicast|broadcast|multicast}
policy
Matches IPsec policy.
--dir {in|out}
--pol {none|ipsec}
--strict
[!] --reqid id
[!] --spi spi
[!] --proto {ah|esp|ipcomp}
[!] --mode {tunnel|transport}
[!] --tunnel-src addr[/mask]
[!] --tunnel-dst addr[/mask]
--next
quota
Implements network quota by decrementing a byte counter with each packet. The condition matches until the byte counter reaches zero. Behavior is reversed with negation (i.e. the condition does not match until the byte counter reaches zero).
[!] --quota bytes
The quota in bytes.
rateest *
Rate estimator.
Not supported because it is mainly for making routing decisions (mangle table).
realm *
Matches the routing realm.
Not supported because it is for dynamic routing.
recent
Matches against dynamically constructed list of IP addresses.
--name name
[!] --set
--rsource
--rdest
[!] --rcheck
[!] --update
[!] --remove
--seconds seconds
--reap
--hitcount hits
--rttl
rt
Matches on IPv6 routing header.
--rt-type [!] type
--rt-segsleft [!] num[:num]
--rt-len [!] length
--rt-0-res
--rt-0-addrs ADDR[,ADDR...]
--rt-0-not-strict
sctp
Matches SCTP-specific information.
[!] --source-port | --sport port[:port]
[!] --destination-port | --dport port[:port]
[!] --chunk-types all|any|only chunktype[:flags] [...]
set *
Matches IP sets which can be defined by ipset(8).
Not supported because ipset is not supported.
socket
Matches if an open socket can be found by doing a socket lookup on the packet.
--transparent
state
Allows access to conntrack state for this packet.
[!] --state statelist
Where statelist is a comma-separated list of the connection states to match. Possible states are INVALID, ESTABLISHED, NEW, and RELATED.
statistic
Matches packets based on some statistic condition.
--mode mode
[!] --probability p
[!] --every n
--packet p
string
Matches a given string pattern.
--algo bm|kmp
--from offset
--to offset
[!] --string pattern
[!] --hex-string pattern
tcp
Matches TCP-specific values.
[!] --source-port | --sport port[:port]
[!] --destination-port | --dport port[:port]
[!] --tcp-flags mask comp
[!] --syn
[!] --tcp-option number
tcpmss
Matches the TCP MSS field of the TCP header.
[!] --mss value[:value]
time
Matches the arrival time/date of packets.
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--timestart hh:mm[:ss]
--timestop hh:mm[:ss]
[!] --monthdays day[,day...]
[!] --weekdays day[,day...]
--kerneltz
Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.
tos
Matches the 8 bits ToS (Type of Service) field in the IP header.
[!] --tos value[/mask]
[!] --tos symbol
u32
Tests whether quantities of up to 4 bytes extracted from a packet have specified values. The specification of what to extract is general enough to find data at given offsets from tcp headers or payloads.
[!] --u32 tests
The argument amounts to a program in a small language described below:
tests := location "=" value | tests "&&" location "=" value
value := range | value "," range
range := number | number ":" number
A single number, n, is interpreted the same as n:n. n:m is interpreted as the range of numbers >=n and <=m.
location := number | location operator number
operator := "&" | "<<" | ">>" | "@"
The operators &, <<, >> and && mean the same as in C. The = is really a set membership operator and the value syntax describes a set. The @ operator is what allows moving to the next header.
udp
Matches UDP-specific values.
[!] --source-port | --sport port[:port]
[!] --destination-port | --dport port[:port]
Extensions with an asterisk (*) are not supported but are not disallowed by CIP.
TARGET EXTENSIONS
The supported target extensions are based on the Linux ip6tables man pages. They are subject to future changes made by Linux ip6tables implementation.
DSCP
This target allows you to alter the value of the DSCP bits within the TOS header of the IPv4 packet. As this manipulates a packet, it can only be used in the mangle table.
--set-dscp value
Set the DSCP field to a numerical value (can be decimal or hex)
--set-dscp-class class
Set the DSCP field to a DiffServ class.
LOG
When the LOG target is set for a rule, the Linux kernel will print some information on all matching packets (i.e., most IP header fields) to syslog. This is a "non-terminating target", i.e. rule traversal continues at the next rule. If you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG, the next using DROP (or REJECT).
LOG has the following options:
--log-level level
Level of logging (keyword or numeric): debug (or 7), info (or 6), notice (or 5), warning (or 4), err (or 3), crit (or 2), alert (or 1), emerg (or 0).
Default is warning if not specified. If the specified severity of log-level is ’info’ or above (e.g., warning), the log message is also sent to NSK host generating a 5232 EMS event in $0.
NOTE: Care should be used so as to not flood EMS with events.
--log-prefix prefix
Prefix log messages with the specified prefix; up to 25 letters long, and useful for distinguishing messages in the logs.
--log-tcp-sequence
Log TCP sequence numbers. This is a security risk if the log is readable by users.
--log-tcp-options
Log options from the TCP packet header.
--log-ip-options
Log options from the IP packet header.
--log-uid
Log the userid of the process which generated the packet.
Example 1:
Both syslog and EMS display the message.
climconfig ip6tables -A CIP_INPUT -j LOG --log-level info --log-prefix "LOGDROP"
climconfig ip6tables -A CIP_INPUT -j DROP
Example 2:
The message is only logged in the syslog not in EMS.
climconfig ip6tables -A CIP_INPUT -j LOG --log-level debug --log-prefix "LOGDROP"
climconfig ip6tables -A CIP_INPUT -j DROP
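The LOG/DROP pairing in the two examples is what an operator later reads back out of syslog. The following is an added example, not part of the CLIM manpages: it parses a few constructed netfilter LOG lines (written in the kernel's usual key=value LOG format, not captured from a CLIM), groups them by the --log-prefix string, and applies two rules stated in this manpage, namely that a --log-level of info or above (numeric 6 or lower) also raises the 5232 EMS event, and that a --log-prefix longer than 25 characters is rejected. The host name, interface and addresses in the sample lines are assumptions for illustration.

```python
"""Reading LOG output back: parse netfilter LOG lines and apply the EMS rule.

Added example, not part of the CLIM manpages. The sample syslog lines are
constructed in the kernel's netfilter LOG key=value format (not captured from
a CLIM), so the parser runs offline; the EMS rule and the 25-character prefix
limit are the ones stated in this manpage.
"""
import re
from collections import Counter

# --log-level keywords and numbers as listed above (debug=7 ... emerg=0).
LOG_LEVELS = {"debug": 7, "info": 6, "notice": 5, "warning": 4,
              "err": 3, "crit": 2, "alert": 1, "emerg": 0}
MAX_LOG_PREFIX = 25


def log_level_number(level):
    """Accept a keyword or a number and return the numeric severity."""
    if isinstance(level, str) and level in LOG_LEVELS:
        return LOG_LEVELS[level]
    num = int(level)
    if not 0 <= num <= 7:
        raise ValueError(f"unknown log level {level!r}")
    return num


def raises_ems_event(level):
    """True when a rule at this --log-level also raises the 5232 EMS event:
    'info' or above, i.e. numeric 6 or lower."""
    return log_level_number(level) <= LOG_LEVELS["info"]


def prefix_is_valid(prefix):
    """Apply the 'max prefix length for --log-prefix is 25' check before sending the rule."""
    return len(prefix) <= MAX_LOG_PREFIX


# Constructed sample lines (not real CLIM output). The prefix precedes the IN= field.
SAMPLE_SYSLOG = """\
Mar  1 10:00:01 clim1 kernel: LOGDROP IN=eth2 OUT= SRC=fe80::1 DST=fe80::2 LEN=80 PROTO=TCP SPT=40000 DPT=23 SYN
Mar  1 10:00:02 clim1 kernel: LOGDROP IN=eth2 OUT= SRC=fe80::1 DST=fe80::2 LEN=80 PROTO=TCP SPT=40001 DPT=23 SYN
Mar  1 10:00:03 clim1 kernel: LOGDROP IN=eth2 OUT= SRC=fe80::9 DST=fe80::2 LEN=80 PROTO=TCP SPT=40002 DPT=21 SYN
Mar  1 10:00:04 clim1 kernel: eth0: link is up
"""

# Everything between "kernel: " and the first "IN=" is the --log-prefix text.
LOG_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")


def parse_log_line(line):
    """Return {'prefix', 'fields', 'flags'} for a netfilter LOG line, or None
    for any other kernel message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields, flags = {}, []
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # empty values (OUT=) are kept as ""
        else:
            flags.append(tok)            # bare words such as SYN or DF
    return {"prefix": m.group("prefix").strip(), "fields": fields, "flags": flags}


def summarize(text):
    """Count logged packets per (prefix, source, destination port) so one
    noisy source stands out in the review."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            f = rec["fields"]
            counts[(rec["prefix"], f.get("SRC"), f.get("DPT"))] += 1
    return counts
```

Because the EMS side fires on every matching packet at info or above, the count produced by summarize is also the number of 5232 events a rule at that level would have generated; pairing the LOG rule with the limit match described earlier keeps that number bounded.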
MARK
This target is used to set the Netfilter mark value associated with the packet. It can, for example, be used in conjunction with routing based on fwmark (needs iproute2). If you plan on doing so, note that the mark needs to be set in the PREROUTING chain of the mangle table to affect routing. The mark field is 32 bits wide.
--set-xmark value[/mask]
Zeroes out the bits given by mask and XORs value into the packet mark ("nfmark"). If mask is omitted, 0xFFFFFFFF is assumed.
--set-mark value[/mask]
Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed.
The following mnemonics are available:
--and-mark bits
Binary AND the nfmark with bits. (Mnemonic for --set-xmark 0/invbits, where invbits is the binary negation of bits.)
--or-mark bits
Binary OR the nfmark with bits. (Mnemonic for --set-xmark bits/bits.)
--xor-mark bits
Binary XOR the nfmark with bits. (Mnemonic for --set-xmark bits/0.)
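The --set-xmark and --set-mark definitions above are small bit formulas, and the three mnemonics are claimed to reduce to them. The following is an added example, not code from the CLIM manpages or from iptables: it implements both operations over the 32-bit mark exactly as the text defines them, parses the value[/mask] argument with the stated 0xFFFFFFFF default, and checks that each mnemonic really equals the plain AND, OR or XOR it is named after.

```python
"""Mark arithmetic as defined by the MARK target text above.

Added example, not part of the CLIM manpages or of iptables. The mark field
is 32 bits wide, so every result is masked to that width.
"""
MARK_WIDTH = 0xFFFFFFFF


def parse_value_mask(spec):
    """Parse 'value[/mask]'; a missing mask means 0xFFFFFFFF, as the manpage states."""
    value, _, mask = spec.partition("/")
    return int(value, 0) & MARK_WIDTH, (int(mask, 0) & MARK_WIDTH if mask else MARK_WIDTH)


def set_xmark(nfmark, spec):
    """--set-xmark value[/mask]: zero the bits given by mask, then XOR value in."""
    value, mask = parse_value_mask(spec)
    return ((nfmark & ~mask) ^ value) & MARK_WIDTH


def set_mark(nfmark, spec):
    """--set-mark value[/mask]: zero the bits given by mask, then OR value in."""
    value, mask = parse_value_mask(spec)
    return ((nfmark & ~mask) | value) & MARK_WIDTH


# The three mnemonics, spelled out exactly as the manpage expands them.
def and_mark(nfmark, bits):
    """--and-mark bits == --set-xmark 0/invbits, invbits being the negation of bits."""
    invbits = (~bits) & MARK_WIDTH
    return set_xmark(nfmark, f"0/{invbits:#x}")


def or_mark(nfmark, bits):
    """--or-mark bits == --set-xmark bits/bits."""
    return set_xmark(nfmark, f"{bits:#x}/{bits:#x}")


def xor_mark(nfmark, bits):
    """--xor-mark bits == --set-xmark bits/0."""
    return set_xmark(nfmark, f"{bits:#x}/0")


def mnemonics_hold(nfmark, bits):
    """True when each mnemonic equals the plain bitwise operation it is named after."""
    nfmark &= MARK_WIDTH
    bits &= MARK_WIDTH
    return (and_mark(nfmark, bits) == (nfmark & bits)
            and or_mark(nfmark, bits) == (nfmark | bits)
            and xor_mark(nfmark, bits) == (nfmark ^ bits))
```

Note the asymmetry the formulas reveal: with the default mask, --set-mark and --set-xmark both replace the whole mark, so a value with the high bits set overwrites whatever an earlier rule stored; a narrow mask (for example value/0xFF) is what keeps the other bits intact.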
REJECT
Used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so it is a terminating TARGET, ending rule traversal. The following option controls the nature of the error packet returned:
--reject-with type
The type given for ip6tables can be icmp6-no-route, no-route, icmp6-adm-prohibited, adm-prohibited, icmp6-addr-unreachable, addr-unreach, icmp6-port-unreachable or port-unreach.
ERROR MESSAGES
climconfig ip6tables requires options/commands.
Try 'climconfig ip6tables -h' for more information.
climconfig ip6tables Error: File /etc/clim/climiptables/state does not exist.
climconfig ip6tables Error: Cannot open the file /etc/clim/climiptables/state: error-code.
Error: invalid version string 'version', file '/etc/clim/climiptables/state'.
Error: version string major, minor is not compatible, file '/etc/clim/climiptables/state'.
climconfig ip6tables Error: Invalid climiptables state file.
climconfig ip6tables Error: max prefix length for '--log-prefix' is 25.
climconfig ip6tables Error: Deleting/Appending/Renaming/Flushing a rule from/to the Linux built-in chain 'xxx' is not allowed.
climconfig ip6tables Error: Deleting/Appending/Renaming/Flushing a rule from/to the CIP policy chain is not allowed.
climconfig ip6tables Error: the -t option must be '-t filter' or '-t mangle'; table='name'.
climconfig ip6tables Error: the '-t mangle' option is NOT supported on this hardware.
CONSIDERATIONS
None.
EXAMPLES
> climcmd n1002583 climconfig ip6tables -S
-N ftp
-N telnet
-A CIP_INPUT -p tcp -m tcp --dport 20:21 -j ftp
-A CIP_INPUT -p tcp -m tcp --dport 23 -j telnet
-A ftp -i eth2 -j REJECT --reject-with icmp-port-unreachable
-A telnet ! -i eth2 -j REJECT --reject-with icmp-port-unreachable
Termination Info: 0
> climcmd n1002583 climconfig ip6tables -vL
Chain INPUT (policy ACCEPT 11 packets, 889 bytes)
 pkts bytes target      prot opt in     out     source               destination
 7636 1970K ACCEPT      all  --  any    any     N1002583             anywhere
 657K  229M ACCEPT      all  --  eth0   any     anywhere             anywhere
  204 13045 CIP_INPUT   all  --  any    any     anywhere             anywhere
  146  9781 CIP_INPUT_p all  --  any    any     anywhere             anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target      prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 1313 packets, 246K bytes)
 pkts bytes target      prot opt in     out     source               destination
Chain CIP_INPUT (1 references)
 pkts bytes target      prot opt in     out     source               destination
   18   972 ftp         tcp  --  any    any     anywhere             anywhere             tcp dpts:ftp-data:ftp
    4   224 telnet      tcp  --  any    any     anywhere             anywhere             tcp dpt:telnet
Chain CIP_INPUT_p (1 references)
 pkts bytes target      prot opt in     out     source               destination
Chain ftp (1 references)
 pkts bytes target      prot opt in     out     source               destination
    2   120 REJECT      all  --  eth2   any     anywhere             anywhere             reject-with icmp-port-unreachable
Chain telnet (1 references)
 pkts bytes target      prot opt in     out     source               destination
    1    60 REJECT      all  --  !eth2  any     anywhere             anywhere             reject-with icmp-port-unreachable
Termination Info: 0
SEE ALSO
climconfig iptables, climiptables
climconfig.iptables(1) climconfig.iptables(1)
NAME
climconfig.iptables − configure iptables
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig iptables
[-prov prov-name] [-force] arguments
Or,
CLIMCMD {clim-name|ip-address} climconfig iptables
[-prov prov-name] arguments [-force]
CLIMCONFIG.IPTABLES DESCRIPTION
This command supports the following arguments. If a command is labeled as sensitive, a user confirmation is required for execution unless the -force option is also specified.
--append | -A chain rule-specification options
This command appends one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination. This command is valid only for the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and user-defined chains.
--delete | -D chain rulenum rule-specification options
This command deletes one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting from 1 for the first rule) or a rule to match. For the latter case, the specified rule must match an existing entry in the chain exactly. This command is valid only for the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and user-defined chains. This is a sensitive command.
--insert | -I chain rulenum rule-specification options
This inserts one or more rules in the selected chain as the given rule number. Number starts from 1. This is also the default if no rule number is specified. This command is valid only for the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and user-defined chains.
--replace | -R chain rulenum rule-specification options
This command replaces a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1. This command is valid only for the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and user-defined chains. This is a sensitive command.
--list | -L [chain rulenum]
Lists all rules or the rule of the specified rule number in the selected chain. Any chain (including the built-in chains) can be listed. This command is valid for all chains including the Linux built-in chains, the CIP built-in chains, and all user-defined chains. If no chain is selected, all chains are listed.
--list-rules | -S [chain rulenum]
Prints all rules or the rule of the specified rule number in the selected chain in form of iptables/ip6tables commands. This command is valid only for the CIP_INPUT chain and user-defined chains. If no chain is selected, all user-defined chains, if any, and the CIP_INPUT chain are listed.
--flush | -F [chain]
This command deletes all user-defined rules in a chain. This command is valid only for the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and user-defined chains. If no chain is specified, this flushes all rules in the CIP_INPUT chain of filter table, CIP_OUTPUT chain of mangle table, and in all user-defined chains. The CIP_INPUT_p chain is not flushed. This is a sensitive command.
--zero | -Z [chain]
This command zeros out the packet and bytes counters in the specified chain or all chains if the chain name is not specified. This applies to all user-defined chains, the CIP built-in chains and Linux built-in chains if chain is not specified. A user may also specify the Linux built-in INPUT chain for this command.
--new | -N chain
This command creates a new user-defined chain by the given name. There must be no target of that name already, or an error is returned. Creating a Linux built-in or CIP built-in chain is not allowed.
--delete-chain | -X [chain]
Delete the user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must also be empty, i.e. not containing any rules. If no argument is given, it will attempt to delete every user-defined chain in the table. The Linux built-in chains and CIP built-in chains cannot be deleted.
--rename-chain | -E old-chain new-chain
This command renames the specified user-defined chain to the user-supplied name. Any references to the old chain name are automatically renamed by Linux iptables/ip6tables itself. The Linux built-in chains and CIP built-in chains cannot be renamed.
--policy | -P chain target
This command sets the policy for the chain to the given target. Only a CIP built-in CIP_INPUT chain can be specified with a policy. Neither Linux built-in nor user-defined chains can be policy targets. Setting a policy to CIP_INPUT chain causes the target (the first and only rule) in CIP_INPUT_p chain to be replaced.
-h | -help | --help
This command prints the climconfig iptables/ip6tables help information. If it is specified after a match extension, some more information pertinent to that match could also be given.
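The command descriptions above restrict each operation to particular chains and tables, and the error messages of the ip6tables manpage show what CLIMCMD reports when those restrictions are violated. The following is an added example, not part of the CLIM software: a pre-flight check that an automation script can run over a climconfig iptables argument list before invoking CLIMCMD, so that a bad chain, an unsupported table, an over-long --log-prefix or a sensitive command that will stop for confirmation is caught locally. It executes nothing and does not replace CLIMCMD's own checks. The Linux built-in chain names beyond INPUT, FORWARD and OUTPUT, the identification of the "CIP policy chain" with CIP_INPUT_p, and the wording of the messages not quoted from the manpage are assumptions.

```python
"""Pre-flight check for a climconfig iptables argument list.

Added example, not part of the CLIM software: it encodes the chain and table
restrictions stated in the command descriptions and in the error messages of
the ip6tables manpage. It executes nothing.
"""

# The three CIP chains are the ones named in the manpage; the Linux list is the
# usual filter/mangle set (assumption: the CLIM uses standard netfilter names).
LINUX_BUILTIN = {"INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"}
CIP_BUILTIN = {"CIP_INPUT", "CIP_INPUT_p", "CIP_OUTPUT"}
CIP_POLICY_CHAIN = "CIP_INPUT_p"   # assumption: the "CIP policy chain" of the error text
RULE_CHAIN = {"filter": "CIP_INPUT", "mangle": "CIP_OUTPUT"}  # built-in chain -A/-I/-D/-R/-F may touch
MAX_LOG_PREFIX = 25

# flag -> (command, is_sensitive); only -D, -R and -F are labelled sensitive by the manpage.
COMMANDS = {
    "-A": ("append", False), "--append": ("append", False),
    "-I": ("insert", False), "--insert": ("insert", False),
    "-D": ("delete", True), "--delete": ("delete", True),
    "-R": ("replace", True), "--replace": ("replace", True),
    "-F": ("flush", True), "--flush": ("flush", True),
    "-L": ("list", False), "--list": ("list", False),
    "-S": ("list-rules", False), "--list-rules": ("list-rules", False),
    "-Z": ("zero", False), "--zero": ("zero", False),
    "-N": ("new", False), "--new": ("new", False),
    "-X": ("delete-chain", False), "--delete-chain": ("delete-chain", False),
    "-E": ("rename-chain", False), "--rename-chain": ("rename-chain", False),
    "-P": ("policy", False), "--policy": ("policy", False),
}
RULE_COMMANDS = {"append", "insert", "delete", "replace", "flush"}


def precheck(args):
    """Return {"ok", "message", "needs_confirmation", "command", "chain", "table"}."""
    force = "-force" in args                     # -force may sit before the command or at the end
    args = [a for a in args if a != "-force"]
    table, log_prefix, cmd, sensitive, chain = "filter", None, None, False, None
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-t", "--table") and i + 1 < len(args):
            table = args[i + 1]
            i += 2
        elif a == "--log-prefix" and i + 1 < len(args):
            log_prefix = args[i + 1]
            i += 2
        elif a in COMMANDS:
            cmd, sensitive = COMMANDS[a]
            nxt = args[i + 1] if i + 1 < len(args) else None
            chain = nxt if nxt is not None and not nxt.startswith("-") else None
            i += 2 if chain else 1
        else:
            i += 1                               # rule-specification options are not validated here

    def result(ok, message):
        return {"ok": ok, "message": message, "command": cmd, "chain": chain, "table": table,
                "needs_confirmation": ok and sensitive and not force}

    if table not in RULE_CHAIN:
        return result(False, f"the -t option must be '-t filter' or '-t mangle'; table='{table}'.")
    if cmd is None:
        return result(False, "climconfig iptables requires options/commands.")
    if log_prefix is not None and len(log_prefix) > MAX_LOG_PREFIX:
        return result(False, f"max prefix length for '--log-prefix' is {MAX_LOG_PREFIX}.")
    if cmd in RULE_COMMANDS and chain is not None:
        if chain in LINUX_BUILTIN:
            return result(False, "Deleting/Appending/Renaming/Flushing a rule from/to the "
                                 f"Linux built-in chain '{chain}' is not allowed.")
        if chain == CIP_POLICY_CHAIN:
            return result(False, "Deleting/Appending/Renaming/Flushing a rule from/to the "
                                 "CIP policy chain is not allowed.")
        if chain in CIP_BUILTIN and chain != RULE_CHAIN[table]:
            # Wording is this example's own; the manpage only states which chain each table allows.
            return result(False, f"chain '{chain}' is not the rule chain of the {table} table.")
    if cmd in ("new", "delete-chain", "rename-chain") and chain in LINUX_BUILTIN | CIP_BUILTIN:
        return result(False, f"'{chain}' is a built-in chain; only user-defined chains may be "
                             "created, deleted or renamed.")
    if cmd == "policy" and chain != "CIP_INPUT":
        return result(False, "only the CIP_INPUT chain can be given a policy.")
    if cmd == "list-rules" and chain in (LINUX_BUILTIN | CIP_BUILTIN) - {"CIP_INPUT"}:
        return result(False, "-S is valid only for the CIP_INPUT chain and user-defined chains.")
    return result(True, "ok")
```

The needs_confirmation flag matters for unattended use: a sensitive command without -force blocks waiting for a user answer, so a script should either add -force deliberately or refuse to run the command.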
PARAMETERS
-prov
Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own iptables configuration. The provider name is case-insensitive and always converted to UPPER case.
-force
Used with a sensitive command, causes the command to bypass user confirmation. Must be either ahead of the command or at end of the line.
[!] --protocol | -p proto
To match protocol proto, which is either a protocol name or number. Supported protocols are: all(0), tcp(6), udp(17), icmp(1), esp(50), ah(51), and sctp(132). When the
"!" argument is used, the ’match’ operation is changed to the ’not match’ operation.
[!] --source | --src | -s address[/mask]
To match a source address. Address can be either a network IPv4/IPv6 address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1s at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. When the "!" argument is used the 'match' operation is changed to the 'not match' operation.
[!] --destination | --dst | -d address[/mask]
To match a destination address. Address can be either a network IP address (with /mask), or a plain IPv4/IPv6 address. The mask can be either a network mask or a plain number, specifying the number of 1s at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. When the "!" argument is used the 'match' operation is changed to the 'not match' operation.
[!] --in-interface | -i interface_name
To match a packet by the interface in which it was received. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match. When the "!" argument is used the 'match' operation is changed to the 'not match' operation.
[!] --out-interface | -o name
Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.
--fragment | -f
To match only the second and subsequent fragments of a datagram.
! --fragment | -f
To match only the first fragment, or an unfragmented datagram.
--jump | -j target
Jump to a target, which can be a user-defined chain, a built-in or extension target.
--match | -m match-module-name
Load a match extension module.
--numeric | -n
Select numeric output of addresses and ports.
--table | -t table
Specify table to manipulate. table must be ’filter’ or ’mangle’.
--verbose | -v
Verbose mode.
--line-numbers
Print line numbers when listing.
--exact | -x
To expand numbers (display exact values).
--set-counters | -c pkts bytes
This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, APPEND, REPLACE operations). For example, iptables -A CIP_INPUT -c 100 2000 -p tcp -i eth2 --dport 21 -j ACCEPT would set the rule in the CIP_INPUT chain for accepting ftp packets targeted for interface eth2 and, at the same time, initialize the number of packets accepted to be 100 and number of bytes to be 2000.
MATCH EXTENSIONS
The supported match extensions are based on the Linux iptables man pages. They are subject to future changes made by Linux iptables implementation.
addrtype
Matches packets based on address type. Valid address types are: UNSPEC, UNICAST, LOCAL, BROADCAST, ANYCAST, MULTICAST, BLACKHOLE, UNREACHABLE, PROHIBIT, THROW, NAT, XRESOLVE.
[!] --src-type type
[!] --dst-type type
--limit-iface-in
ah
Matches the SPIs in Authentication header of IPsec packets.
[!] --ahspi spi[:spi]
comment
Allows you to add comments (up to 256 characters) to any rule.
--comment comment
Example: iptables -A INPUT -s 192.168.0.0/16 -m comment --comment 'A privatized IP block'
connbytes
Matches by how many bytes/packets a connection has transferred.
[!] --connbytes from:[to]
Matches packets from a connection whose packets/bytes/average packet size is more than FROM and less than TO bytes/packets. If TO is omitted, only a FROM check is done.  "!" is used to match packets not falling in the range:
--connbytes-dir {original|reply|both}
--connbytes-mode {packets|bytes|avgpkt}
Example: iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...
connlimit
Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).
--connlimit-upto n
Match if the number of existing connections is below or equal n.
--connlimit-above n
Match if the number of existing connections is above n.
--connlimit-mask prefix_length
Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32. For IPv6, between 0 and 128. If not specified, the maximum prefix length for the applicable protocol is used.
--connlimit-saddr
Apply the limit onto the source group. This is the default if --connlimit-daddr is not specified.
--connlimit-daddr
Apply the limit onto the destination group.
Examples:
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
connmark *
Matches packets in connections with value set by CONNMARK target.
This is not supported on CIP.
conntrack
Matches additional connection tracking information.
[!] --ctstate statelist
statelist is a comma-separated list of the connection states to match.
[!] --ctproto l4proto
[!] --ctorigsrc address[/mask]
[!] --ctorigdst address[/mask]
[!] --ctreplsrc address[/mask]
[!] --ctrepldst address[/mask]
Matches against original/reply source/destination address.
[!] --ctorigsrcport port[:port]
[!] --ctorigdstport port[:port]
[!] --ctreplsrcport port[:port]
[!] --ctrepldstport port[:port]
Matches against original/reply source/destination port (TCP/UDP/etc.) or GRE key.
[!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED][,...]
[!] --ctexpire time[:time]
--ctdir {ORIGINAL|REPLY}
dccp *
Matches DCCP-specific fields and types.
Not supported because CIP does not support Datagram Congestion Control Protocol.
dscp
This module matches the 6 bit DSCP field within the TOS field in the IP header. DSCP has superseded TOS within the IETF.
[!] --dscp value
Match against a numeric (decimal or hex) value [0-63].
[!] --dscp-class class
Match the DiffServ class. This value may be any of the BE, EF, AFxx or CSx classes. It will then be converted into its according numeric value.
ecn
Matches different ECN fields in the TCP and IPv4 headers.
[!] --ecn-tcp-cwr
[!] --ecn-tcp-ece
[!] --ecn-ip-ect num
esp
Matches the SPIs in ESP header of IPsec packets.
[!] --espspi spi[:spi]
hashlimit
Hashlimit for something like per destination-ip or per (destip,destport) tuple. It gives you the ability to express:
’1000 packets per second for every host in 192.168.0.0/16’
’100 packets per second for every service of 192.168.1.1’ with a single iptables rule.
--hashlimit-upto amount[/second|/minute|/hour|/day]
--hashlimit-above amount[/second|/minute|/hour|/day]
--hashlimit-burst amount
--hashlimit-mode {srcip|srcport|dstip|dstport},...
--hashlimit-srcmask prefix
--hashlimit-dstmask prefix
--hashlimit-name foo
--hashlimit-htable-size buckets
--hashlimit-htable-max entries
--hashlimit-htable-expire msec
--hashlimit-htable-gcinterval msec
helper
Specifies the conntrack-helper module.
[!] --helper string
icmp
This extension is loaded if '--protocol icmp' is specified. It provides the following option:
[!] --icmp-type {type[/code]|typename}
Allows specification of the ICMP type, which can be a numeric ICMP type, type/code pair, or one of the ICMP type names shown by the command: iptables -p icmp -h
iprange
Matches on a given arbitrary range of IP addresses.
[!] --src-range from[-to]
[!] --dst-range from[-to]
length
Matches the length of a packet against a value or range of values.
[!] --length length[:length]
limit
This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached. It can be used in combination with the LOG target to give limited logging, for example.
xt_limit has no negation support - you will have to use -m hashlimit ! --hashlimit rate in this case whilst omitting --hashlimit-mode.
--limit rate [/second|/minute|/hour|/day]
--limit-burst number
mac
Matches source MAC address.
[!] --mac-source address
mark
This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).
[!] −−mark value[/mask]
Matches packets with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mask before the comparison). Matches packets with value previously set by MARK target.
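The limit and hashlimit sections above (in this manpage and in the ip6tables one) describe a token bucket filter in words: a rule matches until the limit is reached, a burst of packets is allowed through at first, and hashlimit keeps one such bucket per source or destination key, optionally grouping hosts by a prefix mask. The following is an added example, not part of the CLIM manpages or of xtables, that models that behaviour so the effect of a given rate and burst can be seen on a sequence of arrival times. The real xt_limit keeps its credit in kernel time units; this floating-point model, the class names, and the sample addresses are simplifications and assumptions for illustration. The prefix grouping in HashLimit.key is the same grouping --connlimit-mask describes, including the cap at the protocol's maximum prefix length.

```python
"""Token-bucket model of the limit and hashlimit matches.

Added example, not part of the CLIM manpages or of xtables: it models the
"match until the limit is reached" behaviour of limit and the per-key
buckets of hashlimit with --hashlimit-srcmask grouping. The float model is a
simplification of xt_limit, which accounts its credit in kernel jiffies.
"""
import ipaddress

RATE_UNITS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}


def parse_rate(spec):
    """'3/second', '5/minute', '1/hour', '2/day' -> tokens per second.
    A bare number means per second, as with --limit."""
    amount, _, unit = spec.partition("/")
    return float(amount) / RATE_UNITS[unit or "second"]


class TokenBucket:
    """At most 'burst' tokens, refilled at 'rate'; a packet matches only while a token is left."""

    def __init__(self, rate, burst):
        self.rate = parse_rate(rate)
        self.burst = burst
        self.tokens = float(burst)   # the bucket starts full: the first 'burst' packets match at once
        self.last = 0.0

    def allow(self, now):
        """Refill for the elapsed time, then spend one token if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_limit(rate, burst, arrival_times):
    """--limit rate --limit-burst burst applied to packets arriving at the given times (seconds)."""
    bucket = TokenBucket(rate, burst)
    return [bucket.allow(t) for t in arrival_times]


class HashLimit:
    """--hashlimit-mode srcip with --hashlimit-srcmask prefix: one bucket per source network."""

    def __init__(self, rate, burst, srcmask=128):
        self.rate, self.burst, self.srcmask = rate, burst, srcmask
        self.buckets = {}

    def key(self, src):
        """Source address truncated to the prefix, capped at the protocol's
        maximum (32 for IPv4, 128 for IPv6), as the manpage describes for masks."""
        addr = ipaddress.ip_address(src)
        prefix = min(self.srcmask, addr.max_prefixlen)
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def allow(self, src, now):
        key = self.key(src)
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(self.rate, self.burst)
        return self.buckets[key].allow(now)
```

With a LOG rule in front of this match, the burst value is the number of syslog lines (and, at info level or above, EMS events) a sudden flood can produce before the rate takes over; --hashlimit-htable-max bounds how many per-key buckets the kernel will keep, which is the setting that decides memory use when the key space is large.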
multiport
Matches a set of source or destination ports.
[!] --source-ports | --sports port[,port|,port:port]...
[!] --destination-ports | --dports port[,port|,port:port]...
[!] --ports port[,port|,port:port]...
owner *
Matches various characteristics of the (locally generated) packet creator.
Not supported because it is only valid in the OUTPUT and POSTROUTING chains.
physdev *
Matches on the bridge port input and output devices enslaved to a bridge device.
Not supported because CIP is not a bridge device.
pkttype
Matches link-layer packet type.
[!] --pkt-type {unicast|broadcast|multicast}
policy
Matches IPsec policy.
--dir {in|out}
--pol {none|ipsec}
--strict
[!] --reqid id
[!] --spi spi
[!] --proto {ah|esp|ipcomp}
[!] --mode {tunnel|transport}
[!] --tunnel-src addr[/mask]
[!] --tunnel-dst addr[/mask]
--next
quota
Implements network quota by decrementing a byte counter with each packet. The condition matches until the byte counter reaches zero. Behavior is reversed with negation (i.e. the condition does not match until the byte counter reaches zero).
[!] --quota bytes
The quota in bytes.
rateest *
Rate estimator.
Not supported because it is mainly for making routing decisions (mangle table).
realm *
Matches the routing realm.
Not supported because it is for dynamic routing.
recent
Matches against dynamically constructed list of IP addresses.
--name name
[!] --set
--rsource
--rdest
[!] --rcheck
[!] --update
[!] --remove
--seconds seconds
--reap
--hitcount hits
--rttl
sctp
Matches SCTP-specific information.
[!] --source-port | --sport port[:port]
[!] --destination-port | --dport port[:port]
[!] --chunk-types all|any|only chunktype[:flags] [...]
set *
Matches IP sets which can be defined by ipset(8).
Not supported because ipset is not supported.
socket
Matches if an open socket can be found by doing a socket lookup on the packet.
--transparent
state
Allows access to conntrack state for this packet.
[!] --state statelist
Where statelist is a comma-separated list of the connection states to match. Possible states are INVALID, ESTABLISHED, NEW, and RELATED.
statistic
Matches packets based on some statistic condition.
--mode mode
[!] --probability p
[!] --every n
--packet p
string
Matches a given string pattern.
--algo bm|kmp
--from offset
--to offset
[!] --string pattern
[!] --hex-string pattern
tcp
Matches TCP-specific values.
[!] --source-port | --sport port[:port]
[!] --destination-port | --dport port[:port]
[!] --tcp-flags mask comp
[!] --syn
[!] --tcp-option number
tcpmss
Matches the TCP MSS field of the TCP header.
[!] --mss value[:value]
time
Matches the arrival time/date of packets.
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--timestart hh:mm[:ss]
--timestop hh:mm[:ss]
[!] --monthdays day[,day...]
[!] --weekdays day[,day...]
--kerneltz
Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.
8
climconfig.iptables(1) climconfig.iptables(1)
tos ttl u32
Matches the 8 bits ToS (Type of Service) field in the IP header.
[!] --tos value[/mask]
[!] --tos symbol
Matches the Time to Live (TTL) field in the IP header.
[!] --ttl-eq ttl
--ttl-gt ttl
--ttl-lt ttl
Tests whether quantities of up to 4 bytes extracted from a packet have specified values. The specification of what to extract is general enough to find data at given offsets from tcp headers or payloads.
[!] --u32 tests
The argument amounts to a program in a small language described below: tests := location "=" value | tests "&&" location "=" value value := range | value "," range range := number | number ":" number a single number, n, is interpreted the same as n:n. n:m is interpreted as the range of numbers >=n and <=m.
location := number | location operator number operator := "&" | "<<" | ">>" | "@"
The operators &, <<, >> and && mean the same as in C. The = is really a set membership operator and the value syntax describes a set. The @ operator is what allows moving to the next header.
Matches UDP-specific values.
udp
[!] --source-port | --sport port[:port]
[!] --destination-port | --dport port[:port]
Extensions with an asterisk (*) are not supported but are not disallowed by CIP.
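The u32 little language above is easiest to understand by evaluating it. The following Python is an added example, not part of the manpage or of the CIP software: it parses the tests grammar exactly as given above and evaluates it against a constructed IPv4/TCP packet using what I take to be the kernel xt_u32 semantics (left to right, no precedence, an out-of-range load is no match), so an administrator can check what a --u32 rule will match before placing it in CIP_INPUT.

```python
import re
import struct

# Tokens of the u32 little language: numbers (decimal or 0x-prefixed hex), the
# location operators & << >> @, and the separators = , : &&.
_TOKEN = re.compile(r"0x[0-9a-fA-F]+|[0-9]+|&&|<<|>>|[&@=,:]")


def parse_u32(tests):
    """Parse the manpage grammar into a list of (location, ranges) pairs.
    location is a list of (operator, number) steps, the first operator being None
    (the initial offset); ranges is a list of (low, high), a bare n stored as (n, n)."""
    text = re.sub(r"\s+", "", tests)
    toks = _TOKEN.findall(text)
    if not toks or "".join(toks) != text:        # anything unrecognised is an error
        raise ValueError("invalid u32 test string: %r" % tests)
    pos = 0

    def at(*options):
        return pos < len(toks) and toks[pos] in options

    def number():
        nonlocal pos
        if pos >= len(toks) or not toks[pos][0].isdigit():
            raise ValueError("number expected at token %d of %r" % (pos, tests))
        tok, pos = toks[pos], pos + 1
        return int(tok, 16) if tok.startswith("0x") else int(tok, 10)

    program = []
    while True:
        location = [(None, number())]             # location := number
        while at("&", "<<", ">>", "@"):           #           | location operator number
            op, pos = toks[pos], pos + 1
            location.append((op, number()))
        if not at("="):
            raise ValueError("'=' expected at token %d of %r" % (pos, tests))
        pos, ranges = pos + 1, []
        while True:                               # value := range | value "," range
            low = high = number()                 # range := number | number ":" number
            if at(":"):
                pos += 1
                high = number()
            ranges.append((low, high))
            if not at(","):
                break
            pos += 1
        program.append((location, ranges))
        if not at("&&"):                          # tests := ... | tests "&&" ...
            break
        pos += 1
    if pos != len(toks):
        raise ValueError("unexpected token %r in %r" % (toks[pos], tests))
    return program


def _load32(packet, offset):
    """Big-endian 32-bit load; None when fewer than 4 bytes remain (no match)."""
    if offset < 0 or offset + 4 > len(packet):
        return None
    return struct.unpack_from("!I", packet, offset)[0]


def u32_match(packet, tests):
    """True when every test matches. Assumed xt_u32 semantics: the first number is
    a byte offset to load 4 bytes from; & << >> modify the loaded value; @ adds the
    current value to a running base offset and loads 4 bytes at base + number."""
    for location, ranges in parse_u32(tests):
        base = 0
        val = _load32(packet, location[0][1])
        if val is None:
            return False
        for op, num in location[1:]:
            if op == "&":
                val &= num
            elif op == "<<":
                val = (val << num) & 0xFFFFFFFF   # values are unsigned 32-bit
            elif op == ">>":
                val >>= num
            else:                                 # "@": move to the next header
                base += val
                val = _load32(packet, base + num)
                if val is None:
                    return False
        if not any(low <= val <= high for low, high in ranges):
            return False
    return True


# Constructed sample (not a capture): a 20-byte IPv4 header (TTL 64, protocol TCP,
# 10.1.1.2 -> 10.1.1.1) followed by a 20-byte TCP SYN from port 40000 to port 23.
# Checksums are left as zero because nothing here verifies them.
SAMPLE_PACKET = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                            bytes([10, 1, 1, 2]), bytes([10, 1, 1, 1])) + \
                struct.pack("!HHIIBBHHH", 40000, 23, 0, 0, 0x50, 0x02, 65535, 0, 0)

if __name__ == "__main__":
    # protocol TCP; skip IHL*4 bytes and test TCP dport 23; TCP flags == SYN; load past end
    for expr in ("6&0xFF=6", "0>>22&0x3C@0&0xFFFF=23", "0>>22&0x3C@12>>16&0x3F=2", "40=0"):
        print(expr, "->", u32_match(SAMPLE_PACKET, expr))
```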
TARGET EXTENSIONS
The supported target extensions are based on the Linux iptables man pages. They are subject to future changes made by Linux iptables implementation.
DSCP
This target alters the value of the DSCP bits within the TOS header of the IPv4 packet.
As this manipulates a packet, it can only be used in the mangle table.
--set-dscp value
Set the DSCP field to a numerical value (can be decimal or hex).
--set-dscp-class class
Set the DSCP field to a DiffServ class.
LOG
When the LOG target is set for a rule, the Linux kernel will print some information on all matching packets (i.e., most IP header fields) to syslog. This is a "non-terminating target", i.e. rule traversal continues at the next rule. If you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG, the next using DROP (or REJECT).
LOG has the following options:
--log-level level
Level of logging (keyword or numeric): debug (or 7), info (or 6), notice (or 5), warning (or 4), err (or 3), crit (or 2), alert (or 1), emerg (or 0).
Default is warning if not specified. If the specified log-level severity is 'info' or above (e.g., warning), the log message is also sent to the NSK host, generating a 5232 EMS event in $0.
NOTE: Care should be used so as to not flood EMS with events.
--log-prefix prefix
Prefix log messages with the specified prefix; up to 25 letters long, and useful for distinguishing messages in the logs.
--log-tcp-sequence
Log TCP sequence numbers. This is a security risk if the log is readable by users.
--log-tcp-options
Log options from the TCP packet header.
--log-ip-options
Log options from the IP packet header.
--log-uid
Log the userid of the process which generated the packet.
Example 1:
Both syslog and EMS display the message.
climconfig iptables -A CIP_INPUT -j LOG --log-level info --log-prefix "LOGDROP"
climconfig iptables -A CIP_INPUT -j DROP
Example 2:
The message is only logged in the syslog, not in EMS.
climconfig iptables -A CIP_INPUT -j LOG --log-level debug --log-prefix "LOGDROP"
climconfig iptables -A CIP_INPUT -j DROP
MARK
This target is used to set the Netfilter mark value associated with the packet. It can, for example, be used in conjunction with routing based on fwmark (needs iproute2). If you plan on doing so, note that the mark needs to be set in the PREROUTING chain of the mangle table to affect routing. The mark field is 32 bits wide.
--set-xmark value[/mask]
Zeroes out the bits given by mask and XORs value into the packet mark ("nfmark"). If mask is omitted, 0xFFFFFFFF is assumed.
--set-mark value[/mask]
Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed.
The following mnemonics are available:
--and-mark bits
Binary AND the nfmark with bits. (Mnemonic for --set-xmark 0/invbits, where invbits is the binary negation of bits.)
--or-mark bits
Binary OR the nfmark with bits. (Mnemonic for --set-xmark bits/bits.)
--xor-mark bits
Binary XOR the nfmark with bits. (Mnemonic for --set-xmark bits/0.)
REJECT
Used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP, so it is a terminating TARGET, ending rule traversal. The following option controls the nature of the error packet returned:
--reject-with type
The type given for iptables can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited or icmp-admin-prohibited.
ERROR MESSAGES
climconfig iptables requires options/commands. Try 'climconfig iptables -h' for more information.
climconfig iptables Error: File /etc/clim/climiptables/state does not exist.
climconfig iptables Error: Cannot open the file /etc/clim/climiptables/state: error-code
Error: invalid version string 'version', file '/etc/clim/climiptables/state'.
Error: version string major, minor is not compatible, file '/etc/clim/climiptables/state'.
climconfig iptables Error: Invalid climiptables state file.
climconfig iptables Error: max prefix length for '--log-prefix' is 25
climconfig iptables Error: Deleting/Appending/Renaming/Flushing a rule from/to the Linux built-in chain 'xxx' is not allowed.
climconfig iptables Error: Deleting/Appending/Renaming/Flushing a rule from/to the CIP policy chain is not allowed.
climconfig iptables Error: the -t option must be '-t filter' or '-t mangle'; table='name'.
climconfig iptables Error: the '-t mangle' option is NOT supported on this hardware.
CONSIDERATIONS
None.
EXAMPLES
> climcmd n1002583 climconfig iptables -S
-N ftp
-N telnet
-A CIP_INPUT -p tcp -m tcp --dport 20:21 -j ftp
-A CIP_INPUT -p tcp -m tcp --dport 23 -j telnet
-A ftp -i eth2 -j REJECT --reject-with icmp-port-unreachable
-A telnet ! -i eth2 -j REJECT --reject-with icmp-port-unreachable
Termination Info: 0
> climcmd n1002583 climconfig iptables -vL
Chain INPUT (policy ACCEPT 11 packets, 889 bytes)
 pkts bytes target prot opt in out source destination
 7636 1970K ACCEPT all -- any any N1002583 anywhere
 657K 229M ACCEPT all -- eth0 any anywhere anywhere
 204 13045 CIP_INPUT all -- any any anywhere anywhere
 146 9781 CIP_INPUT_p all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1313 packets, 246K bytes)
 pkts bytes target prot opt in out source destination
Chain CIP_INPUT (1 references)
 pkts bytes target prot opt in out source destination
 18 972 ftp tcp -- any any anywhere anywhere tcp dpts:ftp-data:ftp
 4 224 telnet tcp -- any any anywhere anywhere tcp dpt:telnet
Chain CIP_INPUT_p (1 references)
 pkts bytes target prot opt in out source destination
Chain ftp (1 references)
 pkts bytes target prot opt in out source destination
 2 120 REJECT all -- eth2 any anywhere anywhere reject-with icmp-port-unreachable
Chain telnet (1 references)
 pkts bytes target prot opt in out source destination
 1 60 REJECT all -- !eth2 any anywhere anywhere reject-with icmp-port-unreachable
Termination Info: 0
SEE ALSO
climconfig ip6tables, climiptables
climconfig.prov(1) climconfig.prov(1)
NAME
climconfig.prov − configure prov
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig prov
-add prov-name
CLIMCMD {clim-name|ip-address} climconfig prov
-delete prov-name [-force]
CLIMCMD {clim-name|ip-address} climconfig prov
-info {prov-name | all} [-obeyform]
CLIMCONFIG.PROV DESCRIPTION
This command allows you to display and configure climconfig prov objects.
All network objects configured on CLIMs with the MULTIPROV attribute set to OFF are associated with the provider that this CLIM is assigned to in the SCF CLIM object configuration.
Network objects configured on CLIMs with the MULTIPROV attribute set to ON must be explicitly associated with a provider. That association is represented by a climconfig prov object.
prov -add configures a new provider association. The new provider will have a loopback interface configured automatically. The provider name must not be more than seven characters long and must consist of alphanumeric characters with the first character being alphabetic, and should directly correspond to the name of the PROVIDER object in SCF that this CLIM will provide network services to. The name can be specified in a case-insensitive manner; climconfig converts the name to upper case.
prov -delete
deletes a provider association. All network objects configured using this provider association should be deleted first before deleting the prov object. If any network objects are associated with it, an error message is generated.
Note:
The sp, sa, psk, remote, iptables and ip6tables objects will be automatically deleted if the provider is deleted, and no error will be generated.
prov -info displays all the configured provider associations.
prov -info -obeyform
obtains the obeyform lines for configuring the provider association in add format.
PARAMETERS
-force
Used with the -delete option, causes the command to bypass user confirmation.
-obeyform Used with the -info option, obtains the provider association configuration in obeyform format.
ERROR MESSAGES
For climconfig prov -add:
Error: The specified provider name already exists.
Error: The specified provider name is invalid; it must not be more than seven characters and must be alpha-numeric characters with the first character being alphabetic.
The maximum number of providers that can be configured is <provider-limit>.
For climconfig prov -delete:
Error: The specified provider name does not exist.
Error: The specified provider has one or more interfaces still associated with it.
Error: The specified provider name is invalid; it must not be more than seven characters and must be alpha-numeric characters with the first character being alphabetic.
CONSIDERATIONS
Climconfig prov objects are added implicitly during interface addition, so this command is only required if a provider with only loopback needs to be added.
The deletion of a provider results in deletion of IPSec and iptables objects. If you want to preserve this configuration for later re-use, you can first run climconfig all -info -obeyform to capture the configuration of these objects.
Typically, a maximum of only 7 providers can be configured per CLIM. From L17.02 onwards, on Gen9 L-Series CLIMs, a maximum of 105 providers can be configured per CLIM.
EXAMPLES
To add the provider ztc1:
> CLIMCMD N1001253 climconfig prov -add ztc1
To delete the provider ztc1:
> CLIMCMD N1001253 climconfig prov -delete ztc1
To display all providers:
> CLIMCMD N1001253 climconfig prov -info all
ztc0
ztc1
To display all providers with the obeyform option:
> CLIMCMD N1001253 climconfig prov -info all -obeyform
climconfig prov -add ztc0
climconfig prov -add ztc1
#CLIMCMD expects 'exit' to be the last command.
#This is required to terminate CLIMCMD session.
exit
SEE ALSO
prov.1p (man 1p prov)
climconfig.psk(1) climconfig.psk(1)
NAME
climconfig.psk − configure pre-shared keys
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig psk -add
[-prov prov-name] -ip {ip-address|fqdn}
-k {hex-number|string}
CLIMCMD {clim-name|ip-address} climconfig psk -delete
[-prov prov-name] -ip {ip-address|fqdn}
CLIMCMD {clim-name|ip-address} climconfig psk -info
[-prov {prov-name | all}] [-ip {ip-address|fqdn}]
[-obeyform]
CLIMCONFIG.PSK DESCRIPTION
This command does the following:
psk -add
adds a pre-shared key for an IP address or fully-qualified domain name (FQDN) to the psk.txt file. Both the -ip and -k parameters are required.
psk -delete
deletes the pre-shared key for a given IP address or deletes the FQDN from the psk.txt file. The -ip parameter is required.
psk -info
displays the pre-shared key for a given IP address or displays the FQDN from the psk.txt file. The -ip parameter is optional; if it is omitted, all pre-shared keys for various IP addresses from the psk.txt file are displayed.
PARAMETERS
-prov Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own IPSec configuration. The provider name is case-insensitive and always converted to UPPER case.
-ip ip-address
Specifies an IPv4 or IPv6 address.
-ip fqdn Specifies a fully qualified domain name.
-k string Specifies a key as a series of hexadecimal digits preceded by 0x or double-quoted character string.
-obeyform Displays the pre-shared key configuration in the format of add command(s).
ERROR MESSAGES
For psk -add:
Please give the correct options. (The wrong options are displayed.)
For psk -delete:
The pre-shared key for the matched IP address is not found.
For psk -info:
There are no pre-shared keys found for the matching IP address.
If no options are specified, all the pre-shared keys from the file psk.txt are displayed.
EXAMPLES
> CLIMCMD N1001253 climconfig psk -add -ip 10.1.1.2
-k 0x12abfe34
> CLIMCMD N1001253 climconfig psk -add -ip 10.3.3.2
-k ""simple psk""
> CLIMCMD N1001253 climconfig psk -add -prov ztc0 -ip 10.3.3.2
-k "simple psk"
> CLIMCMD N1001253 climconfig psk -delete -ip 10.3.3.2
> CLIMCMD N1001253 climconfig psk -delete -prov ztc0 -ip 10.3.3.2
> CLIMCMD N1001253 climconfig psk -info
> CLIMCMD N1001253 climconfig psk -info -ip 10.3.3.2
> CLIMCMD N1001253 climconfig psk -info -prov zsam1 -ip 10.2.2.1
> CLIMCMD N1001253 climconfig psk -info -prov ztc0 -obeyform
The sample display for the psk -info command is:
10.3.3.2 simple psk
The sample display for the psk -info -obeyform command is:
climconfig psk -add \
-ip 10.3.3.2 \
-k "simple psk"
#CLIMCMD expects 'exit' to be the last command.
#This is required to terminate CLIMCMD session.
exit
Termination Info: 0
climconfig.remote(1) climconfig.remote(1)
NAME
climconfig.remote − manage remote configuration for security associations
SYNOPSIS
Remote configuration for authentication method of pre-shared key:
CLIMCMD {clim-name | ip-address} climconfig remote -add
[-prov prov-name] -ip {ip-address | anonymous}
-M exchange_mode [-idtype address [-idvalue ip-address]
| -idtype {fqdn | user_fqdn} -idvalue string
| -idtype keyid -idvalue file]
[-peer_idtype address [-peer_idvalue ip-address]
| -peer_idtype {fqdn | user_fqdn} -peer_idvalue string
| -peer_idtype keyid -peer_idvalue file [-verify_identifier]]
[-dpd_delay seconds [-dpd_retry seconds]
[-dpd_maxfail number]]
-E encryption_algorithm
-H hash_algorithm [-A pre_shared_key]
-D dh_group [-lifetime seconds] [-restart [-force]]
Remote configuration for authentication method of certificates:
CLIMCMD {clim-name | ip-address} climconfig remote -add
[-prov prov-name] -ip {ip-address | anonymous}
-M exchange_mode [-idtype asn1dn [-idvalue string]]
[-peer_idtype asn1dn [-peer_idvalue string]
[-verify_identifier]]
-pubcert certfile -privkey privkeyfile
[-dpd_delay seconds [-dpd_retry seconds]
[-dpd_maxfail number]]
-E encryption_algorithm
-H hash_algorithm -A {rsasig | gssapi_krb}
-D dh_group [-gssid string] [-lifetime seconds]
[-restart [-force]]
Remote -delete command:
CLIMCMD {clim-name | ip-address} climconfig remote -delete
[-prov prov-name] -ip {ip-address | anonymous} [-restart
[-force]]
Remote -add_proposal command for pre-shared key:
CLIMCMD {clim-name | ip-address} climconfig remote
-add_proposal [-prov prov-name] -ip {ip-address | anonymous}
-E encryption_algorithm -H hash_algorithm
[-A pre_shared_key]
-D dh_group [-lifetime seconds] [-restart [-force]]
Remote -add_proposal command for certificates:
CLIMCMD {clim-name | ip-address} climconfig remote
-add_proposal [-prov prov-name] -ip {ip-address | anonymous}
-E encryption_algorithm -H hash_algorithm
-A {rsasig | gssapi_krb}
-D dh_group [-gssid string] [-lifetime seconds]
[-restart [-force]]
Remote -delete_proposal command:
CLIMCMD {clim-name | ip-address} climconfig remote -delete_proposal
[-prov prov-name] -ip {ip-address | anonymous}
-tag tag-id [-restart [-force]]
Remote -info command:
CLIMCMD {clim-name | ip-address} climconfig remote -info
[-prov {prov-name | all}][-ip {ip-address | anonymous}]
[-obeyform]
CLIMCONFIG.REMOTE DESCRIPTION
remote -add
adds a remote entry into the configuration file racoon.conf.
remote -add_proposal
adds an additional proposal for the remote ip-address into the configuration file
racoon.conf for the phase 1 IKE negotiation. A maximum of 10 proposals can exist in a remote configuration.
remote -delete
deletes a remote entry from the configuration file racoon.conf.
remote -delete_proposal
deletes a proposal with a tag identifier for the remote IP address from the configuration file racoon.conf. At least one proposal must exist in a remote configuration.
remote -info
displays the remote configurations from the configuration file racoon.conf.
PARAMETERS
-prov Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own IPSec configuration. The provider name is case-insensitive and always converted to UPPER case.
-ip ip-address
Specifies the IP address in the configuration file racoon.conf for which the remote command is issued.
-ip anonymous
Indicates that no IP address is specified.
-M exchange_mode
Defines the exchange mode for phase 1 when the racoon is the initiator. This parameter also defines the acceptable exchange mode when the racoon is the responder.
exchange_mode is one or more of: main, aggressive, or base. You can specify more than one mode by separating them with a comma and enclosing them in double quotes. If you specify multiple modes, the racoon uses the first mode when it is the initiator.
-idtype Specifies the identifier sent to the remote host and the type to use in the phase 1 negotiation. The value is one of: user_fqdn, fqdn, address, keyid, or asn1dn.
-idvalue Specifies the idtype value. The value is one of: ip-address, string, file.
Note:
When the value is of type file, the entire pathname has to be specified.
-peer_idtype
Specifies the peer's identifier to be received. If it is not defined, racoon will not verify the peer's identifier in the ID payload transmitted from the peer. If it is defined, the behavior of the verification depends on the verify_identifier flag. The value is one of: user_fqdn, fqdn, address, keyid or asn1dn.
-peer_idvalue
Specifies the peer_idtype value. The value is one of: ip-address, string, file.
Note:
When the value is of type file, the entire pathname has to be specified.
-verify_identifier
To verify the peer's identifier, set this to on. In this case, if the value defined by -peer_idtype is not the same as the peer's identifier in the ID payload, the negotiation will fail. The default is off.
-pubcert certfile
Specifies the file name of a public certificate.
-privkey privkeyfile
Specifies the file name of a private key. If you omit the -pubcert or -privkey option, the default behavior is to use the pre-shared key. The default path for pre-shared key is /etc/racoon/psk.txt.
-dpd_delay seconds
Activates Dead Peer Detection (DPD) and specifies the time, in seconds, allowed between two proof of liveliness requests. The default value is 0, which disables DPD monitoring but negotiates DPD support.
-dpd_retry seconds
Sets the delay, in seconds, to wait for a proof of liveliness before considering it failed and sending another request. The default value is 5. This is set only if dpd_delay is set.
-dpd_maxfail number
Sets the maximum number of liveliness proofs to request, without reply, before considering the peer is dead. The default value is 5. This is set only if dpd_delay is set.
-A authentication_method
Specifies the authentication method used for the phase 1 negotiation. This parameter is required. The method is one of the values: pre_shared_key, rsasig, or gssapi_krb.
-D dh_group
Defines the group used for the Diffie-Hellman exponentiations. This parameter is required. group is one of the values: modp768, modp1024, modp1536, modp2048, modp3072, modp4096, modp6144, or modp8192. You can also specify one of the numerals 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number. When you choose aggressive mode, you must define the same DH group in each proposal.
-E encryption_algorithm
Specifies the encryption algorithm used for the phase 1 negotiation. This parameter is required. The algorithm is one of the following: des, 3des, blowfish, cast128, aes, aes192, or aes256 for Oakley. Do not use this parameter for other transforms.
-H hash_algorithm
Specifies the hash algorithm used for the phase 1 negotiation. This parameter is required. hash_algorithm is one of the values: md5, sha1, sha256, sha384, or sha512 for Oakley.
-gssid string
Specifies the GSS-API endpoint name, to be included as an attribute in the SA, if the gssapi_krb authentication method is used. If gssid is not defined, the default value host/hostname is used, where hostname is the value returned by the hostname command.
-lifetime seconds
This option specifies an expiry time which will be proposed during phase 1 negotiation.
-tag tag-id The tag identifier that identifies the proposal of a remote configuration. Tag ids are numbered from 1 to 10.
-restart Causes the newest racoon.conf file to be loaded by restarting the racoon daemon. A warning about the restart of the racoon daemon is issued to inform users that the SAs established in the SAD will be disconnected.
-force Used with the -restart option, causes the command to bypass user confirmation.
-obeyform Displays the remote configuration in the format of add command(s).
ERROR MESSAGES
For remote -add:
Please give the correct options. (The incorrect option is displayed.)
For remote -delete:
The remote information for the matched IP-address is not found.
For remote -info:
The remote information for the IP-address is not found.
CONSIDERATIONS
The configuration information is not loaded until the racoon daemon is restarted. To restart the racoon daemon, use the restart option.
If no options are specified for the remote -info command, all the remote information for the IP addresses contained in the configuration file racoon.conf is displayed.
EXAMPLES
> CLIMCMD clim1 climconfig remote -add -ip 10.1.1.2 -M main
-dpd_delay 60 -E 3des -H md5 -A pre_shared_key -D modp768
> CLIMCMD clim1 climconfig remote -add -ip 10.1.1.2 -M main
-E 3des -H md5 -A pre_shared_key -D modp768 -lifetime 70
> CLIMCMD 17.205.17.2 climconfig remote -add -ip anonymous -M main
-E 3des -H md5 -A pre_shared_key -D modp768 -restart
> CLIMCMD n100253 climconfig remote -add -ip anonymous -M main
-E 3des -H md5 -A pre_shared_key -D modp768 -restart -force
> CLIMCMD clim1 climconfig remote -add -ip 10.1.1.2 -M main
-pubcert pubkey.pem -privkey privkey.pem -E 3des -H md5 -A rsasig
-D modp768 -restart
> CLIMCMD clim1 climconfig remote -add -ip 10.1.1.2 -M main
-pubcert pubkey.pem -privkey privkey.pem -E 3des -H md5 -A rsasig
-D modp768 -restart -force
> CLIMCMD n100253 climconfig remote -add -ip anonymous -M main
-pubcert pubkey.pem -privkey privkey.pem -E 3des -H md5 -A rsasig
-D modp768
With the following command, you will be asked for confirmation that you want to restart the racoon daemon:
> CLIMCMD clim1 climconfig remote -delete -ip 10.1.1.2 -restart
The following command does not prompt for confirmation:
> CLIMCMD clim1 climconfig remote -delete -ip 10.1.1.2
-restart -force
> CLIMCMD clim1 climconfig remote -delete -ip anonymous
> CLIMCMD clim1 climconfig remote -add_proposal -ip 10.1.1.2
-E 3des -H md5 -A pre_shared_key -D modp768 -restart
> CLIMCMD clim1 climconfig remote -add_proposal -ip 10.1.1.2
-E 3des -H md5 -A pre_shared_key -D modp768 -lifetime 70 -restart
> CLIMCMD clim1 climconfig remote -delete_proposal -ip 10.1.1.2
-tag 2 -restart -force
> CLIMCMD n100253 climconfig remote -info -ip anonymous
> CLIMCMD n100253 climconfig remote -add -prov ztc0 -ip 10.1.1.2
-M main -dpd_delay 60 -E 3des -H md5 -A pre_shared_key -D modp768
> CLIMCMD n100253 climconfig remote -delete -prov ztc0
-ip 10.1.1.2 -restart
> CLIMCMD n100253 climconfig remote -add_proposal -prov zsam1
-ip 10.1.1.2 -E 3des -H md5 -A pre_shared_key -D modp768 -restart
> CLIMCMD n100253 climconfig remote -delete_proposal -prov zsam1
-ip 10.1.1.2 -tag 2 -restart -force
> CLIMCMD n100253 climconfig remote -info -prov zsam1
> CLIMCMD n100253 climconfig remote -info -prov ztc1 -obeyform
> CLIMCMD 17.205.17.2 climconfig remote -info
Sample display for remote -info:
remote 10.2.2.1 {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
        lifetime time 70 sec;
    }
}
> CLIMCMD n100253 climconfig remote -info -ip anonymous -obeyform
> CLIMCMD 17.205.17.2 climconfig remote -info -obeyform
The sample display for a remote -info -obeyform command is:
climconfig remote -add \
-ip 10.2.2.1 \
-M main \
-E 3des \
-H sha1 \
-A pre_shared_key \
-D modp1024 \
-lifetime 70
#CLIMCMD expects 'exit' to be the last command.
#This is required to terminate CLIMCMD session.
exit
SEE ALSO
climconfig psk, climconfig sa, climconfig sp
climconfig.route(1) climconfig.route(1)
NAME
climconfig.route − configure routes
SYNOPSIS
Command to add IPv4 route (non-default):
CLIMCMD {clim-name|ip-address} climconfig route -add
{eth0|eth0:0 | interface} -target ipv4-address {-host | -net}
[-netmask netmask] [-gateway gateway] [-mt metric]
[-minrto time] [-initcwnd number] [-src ipv4-address]
Command to add IPv6 route (non-default):
CLIMCMD {clim-name|ip-address} climconfig route
-add interface -target ipv6-address {-host|-net}
[-netmask netmask] [-gateway gateway] [-mt metric]
[-minrto time] [-initcwnd number]
Command to add default IPv4 route:
CLIMCMD {clim-name|ip-address} climconfig route -add
{eth0|eth0:0|interface} -default -gateway gateway
[-mt metric] [-minrto time] [-initcwnd number]
[-src ipv4-address]
Command to add default IPv6 route:
CLIMCMD {clim-name|ip-address} climconfig route
-add interface -default -gateway gateway [-mt metric]
[-minrto time] [-initcwnd number]
Command to delete IPv4/IPv6 routes:
CLIMCMD {clim-name|ip-address} climconfig route -delete
{ eth0|eth0:0 | interface} [-target ip-address] {-host|-net}
[-netmask netmask] [-gateway gateway] [-default] [-force]
Command to delete default IPv4/IPv6 routes:
CLIMCMD {clim-name|ip-address} climconfig route
-delete { eth0|eth0:0 |interface} -default -gateway gateway
Command to obtain info about a route:
CLIMCMD {clim-name|ip-address} climconfig route
-info [-usrconfig | -obeyform]
Command to add a route to a host in a different network:
CLIMCMD {clim-name| ip-address} climconfig route
-add {eth0|eth0:0|interface} -net -target host-ip
-gateway gateway
CLIMCONFIG.ROUTE DESCRIPTION
This command does the following:
route -add adds a static route through an interface to specific hosts or networks.
route -delete
deletes a route from an interface.
route -info displays route information.
PARAMETERS
{-add|-delete} eth0
Specifies the dedicated service LAN interface. Valid only for IPv4 routes.
{-add|-delete} eth0:0
Specifies the maintenance Provider LAN interface. Valid only for IPv4 routes.
Note:
eth0:0 is a logical interface hosted on the physical interface eth0, and both interfaces have to belong to the same subnet. Climconfig maintains the same set of routes on both interfaces: if a route is added to either eth0 or eth0:0, climconfig adds it to both eth0 and eth0:0.
{-add|-delete} interface
Specifies one of the following interfaces:
An existing physical interface (for example, eth1 or ib0).
A bonding interface (for example, bond0).
A point-to-point tunnel interface (for example, mytun). Only IPv6 routes can be added to a tunnel interface.
A vlan interface name (for example e1v7, b0v8)
A vxlan interface name (for example e1xzt7, b0xzt8)
-host
Indicates that the route is to the host within the network (within the same subnet).
The -netmask, -net, -default, and -gateway parameters are not valid with the -host parameter.
-net
Indicates that the route is to the network or to a host in another network. The -default parameter is not valid with the -net parameter. Also:
If -netmask is not specified, the route is to a host in a different subnet.
If -netmask is specified, the route is a network route. For a network route, you can specify the -gateway parameter.
-target
Specifies the destination network or host. Specify a dotted-quad format IPv4 address or a colon-delimited IPv6 address.
-netmask netmask
Specifies the netmask to be used. For an IPv4 address, specify the netmask as an IPv4 address in dotted quad form; for an IPv6 address, specify the netmask as a number of bits (for example, 64). This parameter is not valid with the -default and -host options. If this parameter is omitted and -net is specified, default netmask values are 255.255.255.255 for IPv4 routes and 128 for IPv6 routes.
-gateway
Specifies a gateway address. This parameter is required if the -default parameter is specified.
-mt
Specifies the distance to the target, measured in hops. This number is used to indicate the cost of the route so that the best route, potentially among multiple routes to the same destination, is selected.
-minrto
Specifies the minimum Retransmission Timeout (RTO) value, in milliseconds, to be used with the specified destination. Specify a decimal or integer value; for example, 5.5. The minimum RTO depends on the clock interrupt frequency, and might therefore get modified when assigned to the kernel.
If the failed over route is the same as the home route, the failed over route uses the home route’s minrto value.
-initcwnd
Specifies the maximum initial congestion window (cwnd) size in MSS (Maximal Segment Size) of a TCP connection. It sets the initial congestion window size to n * MSS. Value is from 1 to 4294967295. This option is used to improve performance on routes to SWAN concentrators, with a recommended value of 7.
-default
Specifies to use the default route if no other route matches. This option is not valid with the -host, -net, -netmask, and -target options.
-usrconfig Valid only with the route -info command. This option displays user-configured routes only. If this option is omitted, the command displays the user configured routes and the dynamic routes added by the kernel.
-obeyform Generates user-configured route (IPv4 and IPv6) information in add command format.
-force
Bypasses the confirmation prompt. If -force is omitted, the route -delete command prompts for confirmation before deleting the route.
-src
The source IP address to use for outgoing connections or UDP packets using this route if the socket is not bound to an IP address. The option is useful if there is an interface with multiple IP Addresses and it is desired that outgoing client connection requests or UDP packets using that interface use a particular IP Address on that interface to the specified location. The -src option is valid for IPv4 routes only.
See the climconfig.route command under Parameters in the for a table that shows possible combinations for different route types.
ERROR MESSAGES
For route -add:
This command is not supported for the interface lo.
The interface interface-name is not configured.
Configuring IPv6 route is not allowed for eth0 and eth0:0 interfaces.
The IPv4 family cannot be specified for the tunnel interface.
The specified route already exists for the interface-name.
The specified IP Address ip-address is not configured for interface-name
The -src parameter is not valid for an IPv6 route.
For route -delete:
The interface interface-name is not configured.
This command is not supported for the interface lo.
The specified route is not configured for the interface-name.
CONSIDERATIONS
Valid combinations of options for different route types for route -add and route -delete are:
If the -net option is specified, then -target is required, and -netmask, -gateway, and
-mt (route -add only) are optional.
If -host is specified, then -target is required, -netmask and -gateway are not required, and -mt (route -add only) is optional.
If -default is specified, then -target and -netmask are not required, -gateway is required, and -mt (route -add only) is optional.
If -all (route -delete only) is specified, then -target, -netmask, -gateway, and -mt
(route -add only) are not valid.
A route added by the route -add command is added to the /etc/network/interfaces file, to the kernel or to both, as follows:
If the specified interface is down, the route is added to the file.
If the CLIM is in the STOPPED state, the route is added to the file.
If the specified interface is UP and CLIM is in the STARTED state and ifactivate is issued to the home resources by CLIMAGT, the route is added to the file and to the kernel.
If the specified interface is UP and CLIM is in the STARTED state and ifdeactivate is issued to the home resources by CLIMAGT, the route is added to the file.
All the options specified with climconfig route -add -net (except the -mt option) should be specified for climconfig route -delete -net.
-src is not valid for an IPv6 route.
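The option rules in the CONSIDERATIONS above, as an added example that is not part of the CLIM software: it checks a route -add or route -delete option set against the valid combinations for -net, -host, -default and -all, the -mt/-force subcommand restrictions and the IPv4-only -src option, and reports where route -add records the route (the interfaces file, the kernel, or both). Function and constant names such as check_route_options and route_placement are this example's own.

```python
"""Check climconfig route -add / -delete option combinations.

Added example, not part of the CLIM software. It encodes the valid
combinations and the file/kernel placement rules from the manpage's
CONSIDERATIONS; names used here are assumptions of this example.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

ROUTE_TYPES = ("-net", "-host", "-default", "-all")
# Options that take a value; every other option is a flag.
VALUED = ("-target", "-netmask", "-gateway", "-mt", "-minrto", "-initcwnd", "-src")


def parse_route_args(args: List[str]) -> Tuple[str, str, Dict[str, str]]:
    """Split 'route -add eth1 -net -target ...' into (subcommand, interface, options)."""
    if len(args) < 3 or args[0] != "route" or args[1] not in ("-add", "-delete"):
        raise ValueError("expected: route {-add|-delete} interface [options]")
    opts: Dict[str, str] = {}
    i = 3
    while i < len(args):
        opt = args[i]
        if opt in VALUED:
            if i + 1 >= len(args):
                raise ValueError(f"{opt} needs a value")
            opts[opt] = args[i + 1]
            i += 2
        else:
            opts[opt] = ""
            i += 1
    return args[1], args[2], opts


def check_route_options(subcmd: str, opts: Dict[str, str]) -> List[str]:
    """Return the rule violations for one route command (empty list = valid)."""
    problems: List[str] = []
    kinds = [k for k in ROUTE_TYPES if k in opts]
    if len(kinds) != 1:
        return ["specify exactly one of -net, -host, -default, -all"]
    kind = kinds[0]
    if kind == "-all" and subcmd != "-delete":
        problems.append("-all is valid for route -delete only")
    if "-mt" in opts and subcmd != "-add":
        problems.append("-mt is valid for route -add only")
    if "-force" in opts and subcmd != "-delete":
        problems.append("-force is valid for route -delete only")
    if kind in ("-net", "-host") and "-target" not in opts:
        problems.append(f"{kind} requires -target")
    if kind == "-default":
        if "-gateway" not in opts:
            problems.append("-default requires -gateway")
        for o in ("-target", "-netmask"):
            if o in opts:
                problems.append(f"{o} is not valid with -default")
    if kind == "-all":
        for o in ("-target", "-netmask", "-gateway", "-mt"):
            if o in opts:
                problems.append(f"{o} is not valid with -all")
    # -src applies to IPv4 routes only; the family follows the target/gateway address.
    if "-src" in opts:
        addr = opts.get("-target") or opts.get("-gateway")
        if addr and ipaddress.ip_address(addr).version == 6:
            problems.append("-src is not valid for an IPv6 route")
    return problems


def route_placement(interface_up: bool, clim_started: bool, home_activated: bool) -> Set[str]:
    """Where route -add records the route: the interfaces file, the kernel, or both."""
    if interface_up and clim_started and home_activated:
        return {"file", "kernel"}
    return {"file"}
```

Feed it the option part of a CLIMCMD line (everything after climconfig) split on whitespace; an empty list from check_route_options means the combination is one the manpage permits.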
EXAMPLES
> CLIMCMD clim1 climconfig route -add eth1 -net
-target 15.76.217.1 -netmask 255.255.255.0
-gateway 15.76.217.101
> CLIMCMD n100253 climconfig route -add eth2 -default
-gateway 23.34.34.34
> CLIMCMD n100253 climconfig route -add e1v7 -default
-gateway 23.34.34.34
> CLIMCMD n100253 climconfig route -delete eth1 -net
-target 15.76.217.0 -netmask 255.255.255.0
> CLIMCMD clim1 climconfig route -delete eth2 -default
-gateway 23.34.35.1
> CLIMCMD clim1 climconfig route -delete e1v7 -default
-gateway 23.34.35.1
> CLIMCMD 17.205.15.2 climconfig route -info
Maintenance LAN routes
Interface : eth0
Destination : 16.107.168.0
Netmask : 255.255.252.0
Gateway : 0.0.0.0
Flags : U
Metric : 0
Ref : 0
Use : 0
MinRTO : Unspecified
InitCWND : Unspecified
Src : 16.107.168.71
Interface : eth0
Destination : 0.0.0.0
Netmask : 0.0.0.0
Getway : 16.107.168.1
Flags : UG
Metric : 0
Ref : 0
Use : 0
MinRTO : 5ms
InitCWND : Unspecified
Src : Unspecified
Interface : lo
Destination : 1128
Gateway :
Metric : 0
MinRTO : Unspecified
InitCWND : Unspecified
Src : Unspecified
Interface : lo
Destination : fe80::128
Gateway :
Flags : U
Metric : 0
Ref : 0
Use : 2
MinRTO : 5ms
InitCWND : Unspecified
Src : Unspecified
Maintenence provider routes
Interface : eth0
Destination : 16.107.168.0
Netmask : 255.255.252.0
Gateway : 0.0.0.0
Flags : U
Metric : 0
Ref : 0
Use : 0
MinRTO : Unspecified
InitCWND : Unspecified
Src : 16.107.168.71
Interface : eth0
Destination : 0.0.0.0
Netmask : 0.0.0.0
Getway : 16.107.168.1
Flags : UG
Metric : 0
Ref : 0
Use : 0
MinRTO : 5ms
InitCWND : Unspecified
Src : Unspecified
Interface : lo
Destination : 1128
Gateway :
Metric : 0
MinRTO : Unspecified
InitCWND : Unspecified
Src : Unspecified
Interface : lo
Destination : fe80::128
Gateway :
Flags : U
Metric : 0
Ref : 0
Use : 2
MinRTO : 5ms
InitCWND : Unspecified
Src : Unspecified
Data Provider ZTC1 routes
Interface : eth1
Destination : 16.107.170.0
Netmask : 255.255.255.0
Gateway : 16.107.170.1
Flags : U
Metric : 0
Ref : 0
Use : 0
MinRTO : Unspecified
InitCWND : 32768
Src : 16.107.170.31
Data Provider ZTC7 routes
Interface : e1v7
Destination : 0.0.0.0
Netmask : 0.0.0.0
Gateway : 23.34.35.1
Flags : UG
Metric : 0
Ref : 0
Use : 0
MinRTO : Unspecified
InitCWND : Unspecified
Src : Unspecified
Termination Info: 0
> CLIMCMD 17.205.15.2 climconfig route -info -obeyform
climconfig route \
-add eth0 \
-default \
-gateway 15.146.232.1
#CLIMCMD expects ’exit’ to be the last command.
#This is required to terminate CLIMCMD session.
exit
Termination Info: 0
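A parser for the route -info display shown above, as an added example that is not part of the CLIM software: it groups the Field : value records under their provider section and lists each section's default gateway so that the output can be compared against a known-good baseline. The sample text is constructed in the format of the display above (a subset of its records), and names such as parse_route_info and unexpected_defaults are this example's own.

```python
"""Parse climconfig route -info output and check default gateways per provider.

Added example, not part of the CLIM software. SAMPLE_ROUTE_INFO is
constructed in the manpage's display format; names are this example's own.
"""
from typing import Dict, List

SAMPLE_ROUTE_INFO = """\
Maintenance LAN routes
Interface : eth0
Destination : 16.107.168.0
Netmask : 255.255.252.0
Gateway : 0.0.0.0
Flags : U
Metric : 0
Ref : 0
Use : 0
MinRTO : Unspecified
InitCWND : Unspecified
Src : 16.107.168.71
Interface : eth0
Destination : 0.0.0.0
Netmask : 0.0.0.0
Gateway : 16.107.168.1
Flags : UG
Metric : 0
Ref : 0
Use : 0
MinRTO : 5ms
InitCWND : Unspecified
Src : Unspecified
Data Provider ZTC7 routes
Interface : e1v7
Destination : 0.0.0.0
Netmask : 0.0.0.0
Gateway : 23.34.35.1
Flags : UG
Metric : 0
Ref : 0
Use : 0
MinRTO : Unspecified
InitCWND : Unspecified
Src : Unspecified
Termination Info: 0
"""


def parse_route_info(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group 'Field : value' records under their '... routes' section heading."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    current = None
    record: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Termination Info"):
            continue
        if line.endswith(" routes"):          # section heading, e.g. "Data Provider ZTC7 routes"
            current = line[: -len(" routes")]
            sections[current] = []
            continue
        if current is None or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if field == "Interface":              # every record starts with its Interface line
            record = {}
            sections[current].append(record)
        record[field] = value
    return sections


def default_gateways(sections: Dict[str, List[Dict[str, str]]]) -> Dict[str, List[str]]:
    """Gateways of the default routes (destination 0.0.0.0 or ::, G flag) in each section."""
    return {
        name: [r.get("Gateway", "") for r in records
               if r.get("Destination") in ("0.0.0.0", "::") and "G" in r.get("Flags", "")]
        for name, records in sections.items()
    }


def unexpected_defaults(sections: Dict[str, List[Dict[str, str]]],
                        baseline: Dict[str, str]) -> List[str]:
    """Sections whose default gateway list differs from the expected single gateway."""
    findings: List[str] = []
    for name, gateways in default_gateways(sections).items():
        want = baseline.get(name)
        if want is None:
            findings.append(f"{name}: no baseline gateway, found {gateways}")
        elif gateways != [want]:
            findings.append(f"{name}: expected {want}, found {gateways}")
    return findings
```

The baseline dict maps each section name (as printed before "routes") to the one gateway that should serve as its default; anything else, including a second default route or a provider the baseline does not know, is returned as a finding.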
SEE ALSO
SCF ADD ROUTE command
climconfig.sa(1) climconfig.sa(1)
NAME
climconfig.sa − configure security associations
SYNOPSIS
The command for adding a security association to the configuration file ipsec-tools.conf is:
CLIMCMD {clim-name|ip-address} climconfig sa -add -manual
[-prov prov-name] -s src-ip -d dst-ip -p protocol
-i spi [-m {tunnel|transport}] algorithm [-load]
The command for adding proposals for a security association into the configuration file racoon.conf is:
CLIMCMD {clim-name|ip-address} climconfig sa -add
[-prov prov-name] {-s src-id -d dst-id -u upperspec | anonymous} [-P pfs_group] -E encryption_algorithm
-A authentication_algorithm -C compression_algorithm
[-lifetime seconds] [-restart [-force]]
The command for deleting a security association from the configuration file ipsec-tools.conf is:
CLIMCMD {clim-name|ip-address} climconfig sa -delete -manual
[-prov prov-name] {-s src-id -d dst-id -u upperspec | anonymous} -p protocol -i spi [-unload [-force]]
The command for deleting a security association from the configuration file racoon.conf is:
CLIMCMD {clim-name|ip-address} climconfig sa -delete
[-prov prov-name] {-s src-id -d dst-id -u upperspec | anonymous} [-restart [-force]]
The command for obtaining information about a security association is:
CLIMCMD {clim-name|ip-address} climconfig sa -info
[-prov {prov-name | all}] anonymous|[-s src-ip]
[-d dst-ip][-p protocol]|[-u upperspec]][-obeyform]
The command for unloading SAs from the SAD is:
CLIMCMD {clim-name|ip-address} climconfig sa -stop
[-prov prov-name][-s src-ip -d dst-ip
-p {esp|ah|ipcomp}|-i spi-value][-force]
CLIMCONFIG.SA DESCRIPTION
The sa command does the following:
sa -add
adds the proposals for a security association into the configuration file racoon.conf.
The command parameters are reformatted into a sainfo <...> format that the racoon daemon accepts. The SA establishment depends on the application connect.
sa -add -manual
adds a security association to the configuration file ipsec-tools.conf. The command parameters are reformatted into an add <...> type of setkey command. The SA is not loaded into the SAD unless the -load option is specified.
sa -delete
deletes the security associations from the file racoon.conf. If there are any SAs activated on the CLIM, they are not affected.
Note:
sa -delete -manual deletes the security associations from the file ipsec-tools.conf. If any SAs are activated on the CLIM, they are not affected. The SA is not unloaded from the SAD unless the -unload option is specified.
The -manual part of the command must follow sa -add and sa -delete directly.
sa -info
displays security association configurations from the file ipsec-tools.conf or
racoon.conf. If no options are selected, all the SAs are listed from both of these configuration files.
sa -stop
unloads security associations from the SAD. If you specify any of the optional parameters in the first group (-s, -p, -d, -i), you must specify all of them. sa -stop is one of the commands for deactivating VPN connections.
PARAMETERS
-manual When specified with the add subcommand, adds a security association into the ipsec-tools.conf file. The command parameters are reformatted into an add <...> type of setkey command. The SA is not loaded into the SAD unless the -load option is specified.
When specified with the delete subcommand, deletes a security association from the ipsec-tools.conf file. If there are any SAs activated on the CLIM, they are not impacted. The SA is not unloaded from the SAD unless the -unload option is specified.
-prov
Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own IPSec configuration. The provider name is case-insensitive and always converted to UPPER case.
-s src-ip Specifies the source IP address of the secure communication as either an IPv4 or IPv6 address, and an optional port number enclosed in brackets, in the following form: address [/ prefix] [[port]]
prefix and port must be decimal numbers.
-d dst-id Specifies the destination IP address of the secure communication as either an IPv4 or
IPv6 address, and an optional port number between square brackets, in the following form: address [/ prefix] [[port]]
-E Is the encryption algorithm. Supported algorithms are: des, 3des, des_iv64, des_iv32,
rc5, rc4, idea, 3idea, cast128, blowfish, null_enc, twofish, rijndael, aes, aes192,
aes256 (used with ESP). This option is for the sa -add commands (not sa -add -manual) for which the configurations go into the racoon.conf file.
-A
Authentication algorithm. Supported algorithms include des, 3des, des_iv64, des_iv32, hmac_md5, hmac_sha1, hmac_sha256, hmac_sha384, hmac_sha512, non_auth (used with ESP authentication and AH). This option is for the sa -add commands (not sa -add -manual) for which the configurations go into the racoon.conf file.
-C
Compression algorithm. The supported algorithm is deflate (used with IPComp). This option is for the sa -add commands (not sa -add -manual) for which the configurations go into the racoon.conf file.
-p
Specifies the protocol. protocol is one of: esp, ah, or ipcomp. You must specify one of these protocols.
-u
Upper layer protocol to be specified. Any of the protocols from the /etc/protocols file can be specified as upperspec, or icmp6, ip4, or any. any indicates any protocol. A protocol number can also be specified.
-i spi
Specifies the security parameter index (SPI) for the SAD. SPI must be a decimal number or a hexadecimal number with a 0x prefix. SPI values between 0 and 255 are reserved for future use by IANA and cannot be used.
Note:
The SPI value must be unique.
-m mode Specifies the mode. Possible values are: transport or tunnel.
-load Used with the sa add command. This is an optional parameter. If you specify this option, the SA is loaded into the SAD. For the sa add -auto command, you are warned that the racoon daemon will be restarted so as to load the newest racoon.conf file and that the restart will disconnect the SAs established in the SAD.
-P Specifies the PFS group, which defines the group of Diffie-Hellman exponentiations.
If PFS is not required, you can omit this parameter. Any proposal is accepted if this parameter is not specified. group is one of following: modp768, modp1024,
modp1536, modp2048, modp3072, modp4096, modp6144, modp8192. Or 1, 2, 5,
14, 15, 16, 17, or 18 can be used to define the DH group number.
-lifetime This option specifies an expiry time which will be proposed during IPsec-SA negotiation.
algorithm
(for sa -add -manual only) is one of: -E ealgo key, -A aalgo key, or -C calgo [-R].
-E ealgo key
Specifies the encryption algorithm for ESP. ealgo key is one of:
3des-cbc (164-bit key)
3des-deriv (192-bit key)
aes-ctr (160/224/288-bit key)
blowfish-cbc (40- to 448-bit key)
cast128-cbc (40- to 128-bit key)
des-cbc (64-bit key)
des-deriv (64-bit key)
null (0- to 2048-bit key)
rijndael-cbc (128/192/256-bit key)
twofish-cbc (0- to 256-bit key)
-A aalgo key
Specifies the authentication algorithm for ESP. aalgo key is one of:
aes-xcbc-mac (128-bit key)
hmac-md5 (128-bit key)
hmac-sha1 (160-bit key)
hmac-sha256 (256-bit key)
hmac-sha384 (384-bit key)
hmac-sha512 (512-bit key)
hmac-ripemd160 (160-bit key)
keyed-md5 (128-bit key)
keyed-sha1 (160-bit key)
null (0- to 2048-bit key)
tcp-md5 (8- to 640-bit key)
-C calgo [-R]
Specifies a compression algorithm for IPComp. calgo is deflate.
If -R is specified, the SPI field value is used as the IPComp compression parameter index (CPI) on wire as-is. If -R is not specified, the kernel uses well-known CPI on wire, and the SPI field is used only as an index for kernel-internal usage.
key
Must be a double-quoted character string or a series of hexadecimal digits preceded by 0x.
-unload Used with the sa -delete -manual command. This is an optional parameter; if it is specified, the SA is unloaded from the SAD. The command prompts for confirmation to unload the SA from the SAD.
-restart
Used with the sa -add and sa -delete commands. This is an optional parameter; if it is specified, the racoon daemon is restarted so that the newest racoon.conf is loaded. You are prompted for confirmation to restart the racoon daemon.
Note:
The restart of the racoon daemon leads to the disconnection of the SAs already loaded into the SAD. A new connection established thereafter loads the SA into the SAD.
-force
Used with -unload or -restart to cause the command to bypass user confirmation.
-obeyform Displays the security association configuration in the format of add command(s).
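The reformatting that sa -add -manual performs (command parameters into a setkey add statement), as an added example that is not the CLIM software's own reformatter: it first checks the SPI (decimal or 0x hex, outside the IANA-reserved 0-255 range, unique against SPIs already configured) and the key length against the algorithm, then emits the statement. The key-length table follows the algorithm list above, except that 3des-cbc is checked against a 192-bit key, the length the -add -manual examples in this manpage carry (an assumption of this example); validate_manual_sa, build_setkey_add and the other names are this example's own.

```python
"""Reformat climconfig sa -add -manual parameters into a setkey 'add' statement,
checking the SPI and key lengths first.

Added example, not the CLIM software's own code. Key lengths are taken from
the manpage's algorithm list; 3des-cbc uses 192 bits here (assumption).
"""
import re
from typing import Dict, Iterable, List

# Allowed key lengths (bits) for a few setkey algorithm names.
ENC_KEY_BITS = {
    "des-cbc": {64},
    "3des-cbc": {192},            # assumption: 192 bits, see lead-in
    "3des-deriv": {192},
    "rijndael-cbc": {128, 192, 256},
    "aes-ctr": {160, 224, 288},
}
AUTH_KEY_BITS = {
    "hmac-md5": {128},
    "hmac-sha1": {160},
    "hmac-sha256": {256},
    "hmac-sha384": {384},
    "hmac-sha512": {512},
    "aes-xcbc-mac": {128},
}


def key_bits(key: str) -> int:
    """Length in bits of a setkey key: 0x-prefixed hex digits or a double-quoted string."""
    if re.fullmatch(r"0x[0-9a-fA-F]+", key):
        return (len(key) - 2) * 4
    if len(key) >= 2 and key[0] == key[-1] == '"':
        return (len(key) - 2) * 8
    raise ValueError("key must be 0x-prefixed hex digits or a double-quoted string")


def parse_spi(spi: str) -> int:
    """Decimal or 0x-hex SPI; 0-255 are reserved by IANA and rejected."""
    value = int(spi, 16) if spi.lower().startswith("0x") else int(spi, 10)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("SPI must fit in 32 bits")
    if value <= 255:
        raise ValueError("SPI values 0-255 are reserved by IANA")
    return value


def validate_manual_sa(sa: Dict[str, str], spis_in_use: Iterable[int] = ()) -> List[str]:
    """Problems with an sa -add -manual parameter set (keys s, d, p, i, m, E, A)."""
    problems: List[str] = []
    for required in ("s", "d"):
        if required not in sa:
            problems.append(f"-{required} is required")
    if sa.get("p") not in ("esp", "ah", "ipcomp"):
        problems.append("-p must be esp, ah or ipcomp")
    if sa.get("m", "transport") not in ("transport", "tunnel"):
        problems.append("-m must be transport or tunnel")
    if "i" not in sa:
        problems.append("-i spi is required")
    else:
        try:
            if parse_spi(sa["i"]) in set(spis_in_use):
                problems.append(f"SPI {sa['i']} is already configured; SPI must be unique")
        except ValueError as exc:
            problems.append(f"-i: {exc}")
    for flag, table in (("E", ENC_KEY_BITS), ("A", AUTH_KEY_BITS)):
        if flag not in sa:
            continue
        algo, _, key = sa[flag].partition(" ")
        if algo not in table:
            problems.append(f"-{flag}: unknown algorithm {algo!r}")
            continue
        try:
            bits = key_bits(key)
        except ValueError as exc:
            problems.append(f"-{flag}: {exc}")
            continue
        if bits not in table[algo]:
            problems.append(f"-{flag}: {algo} needs {sorted(table[algo])}-bit key, got {bits}")
    return problems


def build_setkey_add(sa: Dict[str, str], spis_in_use: Iterable[int] = ()) -> str:
    """setkey statement: add src dst proto spi -m mode [-E ealgo key] [-A aalgo key];"""
    problems = validate_manual_sa(sa, spis_in_use)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["add", sa["s"], sa["d"], sa["p"], sa["i"], "-m", sa.get("m", "transport")]
    for flag in ("E", "A"):
        if flag in sa:
            parts += [f"-{flag}", sa[flag]]
    return " ".join(parts) + ";"
```

The dictionary keys mirror the option letters of sa -add -manual; spis_in_use is the set of SPIs already present in ipsec-tools.conf, which is what the "SPI value must be unique" note above asks you to check before adding another entry.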
ERROR MESSAGES
For sa -add and sa -add -manual:
Please give the correct options. (The incorrect options are displayed.)
For sa -delete and sa -delete -manual:
Please give the correct options. (The incorrect option is displayed.)
The security association for the matched options is not found.
For sa -info:
There are no security associations with the matched options.
For sa -stop:
SA configuration(s) not unloaded from the SAD.
CONSIDERATIONS
For sa -info, if no options are specified, all the security associations in the configuration files ipsec-tools.conf and racoon.conf are listed.
For sa -stop:
The src-ip and dst-ip pair, upperspec and spi value are optional parameters. If the src-ip and dst-ip pair are specified, all the SAs that match the src-ip and dst-ip are unloaded from the SAD. If no option is specified, all the SAs currently loaded in the kernel are unloaded.
Unless you specify the -force option, you are prompted for confirmation.
EXAMPLES
> CLIMCMD clim1 climconfig sa -add
-manual -s 10.1.1.2 -d 10.3.3.2
-p esp -i 0x200 -m transport
-E 3des-cbc 0x123456789123456789123456789123456789123456789123
-A hmac-md5 0x12345678912345678912345678912345
> CLIMCMD clim1 climconfig sa -add -manual -s 10.1.1.2
-d 10.3.3.2 -p esp -i 0x200 -m transport
-E 3des-cbc 0x123456789123456789123456789123456789123456789123
-A hmac-md5 0x12345678912345678912345678912345 -load
> CLIMCMD clim1 climconfig sa -add -s 10.1.1.2
-d 10.3.3.2 -u any -E 3des -A hmac_md5
> CLIMCMD clim1 climconfig sa -add -s 10.1.1.2
-d 10.3.3.2 -u any -E 3des -A hmac_md5 -restart
> CLIMCMD clim1 climconfig sa -add -s 10.1.1.2
-d 10.3.3.2 -u any -E 3des -A hmac_md5 -restart -force
> CLIMCMD clim1 climconfig sa -add -s 10.1.1.2
-d 10.3.3.2 -u any -E 3des -A hmac_md5 -lifetime 60
-restart -force
> CLIMCMD clim1 climconfig sa -delete -manual
-s 10.1.1.2 -d 10.3.3.2 -p esp -i 0x200 -unload
> CLIMCMD clim1 climconfig sa -delete -manual
-s 10.1.1.2 -d 10.3.3.2 -p esp -i 0x200
> CLIMCMD clim1 climconfig sa -delete -manual
-s 10.1.1.2 -d 10.3.3.2 -p esp -i 0x200 -unload -force
> CLIMCMD clim1 climconfig sa -delete -s 10.1.1.2
-d 10.3.3.2 -u any
> CLIMCMD clim1 climconfig sa -delete -s 10.1.1.2
-d 10.3.3.2 -u any -restart
> CLIMCMD clim1 climconfig sa -delete -s 10.1.1.2
-d 10.3.3.2 -u any -restart -force
> CLIMCMD clim1 climconfig sa -info
> CLIMCMD clim1 climconfig sa -stop -s 10.1.1.2
-d 10.3.3.2 -p esp -i 0x200
> CLIMCMD clim1 climconfig sa -stop -s 10.1.1.2
-d 10.3.3.2 -p esp -i 0x200 -force
> CLIMCMD clim1 climconfig sa -stop
> CLIMCMD clim1 climconfig sa -stop -force
> CLIMCMD clim1 climconfig sa -add -prov ztc0 -s 10.1.1.2
-d 10.3.3.2 -u any -E 3des -A hmac_md5
> CLIMCMD clim1 climconfig sa -add -manual -prov zsam1
-s 10.1.1.2
-d 10.3.3.2 -p esp -i 0x200 -m transport
-E 3des-cbc 0x123456789123456789123456789123456789123456789123
-A hmac-md5 0x12345678912345678912345678912345 -load
> CLIMCMD clim1 climconfig sa -delete -manual -prov zsam1
-s 10.1.1.2 -d 10.3.3.2 -p esp -i 0x200 -unload -force
> CLIMCMD clim1 climconfig sa -delete -prov ztc0 -s 10.1.1.2
-d 10.3.3.2 -u any
> CLIMCMD clim1 climconfig sa -info -prov zsam1
> CLIMCMD clim1 climconfig sa -info -prov ztc1 -obeyform
> CLIMCMD clim1 climconfig sa -info -obeyform
The sample output for sa -info -obeyform is:
# Auto SAs: climconfig sa -add \
-s 5.5.5.7 \
-d 6.6.6.7 \
-u any \
-P 18 \
-E des_iv64 \
-A des_iv64 \
-C deflate \
-lifetime 60
# Manual SAs: climconfig sa -add -manual \
-s 1.1.1.1 \
-d 2.2.2.2 \
-p esp \
-i 1024 \
-m transport \
-E des-cbc 0x1122334455667788
#CLIMCMD expects ’exit’ to be the last command.
#This is required to terminate CLIMCMD session.
exit
Termination Info: 0
SEE ALSO
climconfig vpn and climconfig sp
climconfig.slaveinterface(1) climconfig.slaveinterface(1)
NAME
climconfig.slaveinterface − configure bonding interfaces
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig slaveinterface
-configure bonding-interface-name
{ [-add interface-name]
[-delete interface-name]
[-primary {interface-name | none}] }
CLIMCONFIG.SLAVEINTERFACE DESCRIPTION
This command configures existing bonding interfaces by adding or deleting slave interfaces. With this command, you can add new slave interfaces or delete existing slave interfaces. The addition or deletion of slave interfaces can be done dynamically (when the bonding interface is up). This command is not supported for InfiniBand interfaces and virtio interfaces on vCLIM.
PARAMETERS
bonding-interface-name
Is the name of the bonding interface to be configured.
-add interface
Adds a slave interface to a bonding interface. To add a slave interface to a bonding interface, specify the interface name along with the -add option.
-delete interface
Deletes a slave interface from a bonding interface. To delete a slave interface from a bonding interface, specify the interface name along with the -delete option.
-primary interface | none
Specifies a slave as a primary slave. To remove a configured primary slave, specify
-primary with the none option.
ERROR MESSAGES
The slave interface slave-interface-name specified with -add and -delete option is the same.
The interface bonding-interface-name is not configured.
The interface bonding-interface is not a bonding interface.
Slave interface slave-interface-name is not configured for this bonding interface.
The specified interface slave-interface-name is already a slave of bonding-interface-name interface.
This command is not supported for the interface eth0.
The specified interface slave-interface-name is already configured as an independent interface.
The specified interface slave-interface-name does not exist in the kernel.
The specified slave interface slave-interface-name is not a physical interface.
The interface slave-interface-name is the first slave interface of the bonding interface and the bonding interface is UP.
The slave specified with -primary is not one of the configured slaves of this bond interface.
bonding-interface-name is already configured with the specified primary slave.
bonding-interface-name is already configured without a primary slave.
Bonding is not supported for InfiniBand interfaces.
Bonding is not supported for virtio interfaces.
The -primary option is supported only for bonding modes 1(active-backup), 5(balance-tlb) and 6(balance-alb).
WARNING MESSAGES
For slaveinterface -add:
• For bonding mode 4(802.3ad), the line speed and duplex settings of all the slaves of a bonding interface should be the same.
CONSIDERATIONS
The bonding interface should be configured using the command climconfig interface -add bonding-interface before adding the slave interfaces.
eth0 cannot be configured as a slave interface of a bonding interface.
A physical interface cannot be a slave interface for more than one bonding interface.
A physical interface cannot be configured independently before being configured as the slave interface.
Dynamically deleting (that is, deleting when the bonding interface is UP) the first slave interface of a bonding interface is not allowed.
For mode 4(802.3ad), the line speed and duplex settings of all the slaves of a bonding interface should be same.
Using the -primary option:
This option is supported only for bonding modes 1(active-backup), 5(balance-tlb) and 6(balance-alb).
In active-backup mode, the primary slave will always be the active slave, if functional.
Example 1:
Bond0 is configured with eth2 and eth3, without any slave specified as primary.
If eth2 is configured as the first slave, it will be used as long as it is functional (link pulse is present and interface driver indicates that the interface is present). eth2 is active and eth3 is passive. If eth2 fails, bond0 will start using eth3. If eth2 later becomes functional, bond0 continues to use eth3 and will switch to eth2 only if eth3 fails.
Example 2:
Bond0 is configured with eth2 and eth3, with eth2 specified as primary.
eth2 will be used as long as it is functional (link pulse is present and interface driver indicates that the interface is present). If eth2 fails, bond0 will start using eth3. If eth2 later becomes functional, bond0 switches to eth2 from eth3, even though eth3 is functional.
In balance-tlb mode, outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the primary slave. Transmission of broadcasts and multicasts is done through the primary slave.
In balance-alb mode, the outgoing and incoming traffic is distributed among all slaves. Transmission of broadcasts and multicasts is through the primary slave.
Multiple instances of the -primary option are not allowed in a command line.
The -primary option can be specified regardless of the bond interface status.
If the slave interface specified as the primary is removed from the bonded interface, that interface will not have any slave configured as primary.
When the configured primary slave is deleted from the bonding interface, a warning is issued.
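The active-backup behaviour of Examples 1 and 2, together with the rules on removing slaves and the primary, as an added example that is not the Linux bonding driver or CLIM code: a small model that picks the active slave the way the text describes (the first functional slave stays active unless a primary is configured, in which case the bond returns to the primary as soon as it is functional again), refuses to delete the first slave of an UP bond, and drops the primary setting with a warning when the primary slave is deleted. The class and method names are this example's own.

```python
"""Model of active-backup slave selection with and without a primary slave.

Added example; not the bonding driver or the CLIM software. It follows the
behaviour described in the slaveinterface manpage; names are this example's own.
"""
from typing import Dict, List, Optional


class ActiveBackupBond:
    def __init__(self, name: str, slaves: List[str],
                 primary: Optional[str] = None, up: bool = True):
        if primary is not None and primary not in slaves:
            raise ValueError("slave specified with -primary is not a configured slave")
        self.name = name
        self.slaves = list(slaves)                 # configuration order; slaves[0] is the first slave
        self.primary = primary
        self.up = up                               # state of the bonding interface itself
        self.link: Dict[str, bool] = {s: True for s in slaves}   # per-slave "functional" state
        self.active: Optional[str] = None
        self._reselect()

    def _reselect(self) -> None:
        if self.primary and self.link.get(self.primary):
            self.active = self.primary             # primary wins whenever it is functional
        elif self.active and self.link.get(self.active):
            pass                                   # no primary: keep the working active slave
        else:
            self.active = next((s for s in self.slaves if self.link[s]), None)

    def set_link(self, slave: str, functional: bool) -> Optional[str]:
        """Mark a slave functional or failed and return the resulting active slave."""
        self.link[slave] = functional
        self._reselect()
        return self.active

    def set_primary(self, slave: Optional[str]) -> Optional[str]:
        """-primary interface-name | none; returns the resulting active slave."""
        if slave is not None and slave not in self.slaves:
            raise ValueError("slave specified with -primary is not a configured slave")
        if slave == self.primary:
            raise ValueError(f"{self.name} is already configured with that primary setting")
        self.primary = slave
        self._reselect()
        return self.active

    def add_slave(self, slave: str) -> None:
        if slave in self.slaves:
            raise ValueError(f"{slave} is already a slave of {self.name}")
        self.slaves.append(slave)
        self.link[slave] = True
        self._reselect()

    def delete_slave(self, slave: str) -> List[str]:
        """Delete a slave; returns warnings. The first slave of an UP bond cannot be deleted."""
        if slave not in self.slaves:
            raise ValueError(f"{slave} is not configured for this bonding interface")
        if self.up and slave == self.slaves[0]:
            raise ValueError(f"{slave} is the first slave interface and {self.name} is UP")
        warnings: List[str] = []
        if slave == self.primary:
            warnings.append(f"{slave} was the primary slave; {self.name} now has no primary")
            self.primary = None
        self.slaves.remove(slave)
        del self.link[slave]
        if self.active == slave:
            self.active = None
        self._reselect()
        return warnings
```

Walking Example 1 through set_link shows the asymmetry the text describes: after eth2 fails and recovers, the bond keeps eth3 until eth3 itself fails, whereas with eth2 configured as primary (Example 2) the bond switches back to eth2 immediately.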
EXAMPLES
> climconfig slaveinterface -configure bond0 -add eth1
> climconfig slaveinterface -configure bond0 -delete eth1
> climconfig slaveinterface -configure bond0 -primary eth1
> climconfig slaveinterface -configure bond0 -add eth1
-delete eth2 -primary eth3
> climconfig slaveinterface -configure bond0 -delete eth1
-add eth3
SEE ALSO
climconfig interface -add
climconfig.snmp(1) climconfig.snmp(1)
NAME
climconfig.snmp − configure snmp
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig snmp -add trap-receiver-ipaddress
CLIMCMD {clim-name|ip-address} climconfig snmp -delete trap-receiver-ipaddress
CLIMCMD {clim-name|ip-address} climconfig snmp -start
CLIMCMD {clim-name|ip-address} climconfig snmp -stop [-force]
CLIMCMD {clim-name|ip-address} climconfig snmp -info [-obeyform]
CLIMCONFIG.SNMP DESCRIPTION
This command does the following:
• snmp -add adds a trap receiver IP address to the /etc/snmp/snmpd.conf file and restarts the
SNMP daemon and agents. The trap receiver address defines the host that receives traps.
• snmp -delete deletes a trap receiver IP address from the /etc/snmp/snmpd.conf file and restarts the SNMP daemon and agents.
• snmp -start explicitly starts the SNMP daemon and agents.
• snmp -stop explicitly stops the SNMP daemon and agents.
• snmp -info displays SNMP configuration information. The display format is:
Trap Receiver IP Address ip-address-1
.
.
.
ip-address-n
SNMP Agent State state
SNMP Agent Listening IP Address ip-address
PARAMETERS
trap-receiver-ipaddress
Specifies the trap receiver IP address to be added to or deleted from the configuration file.
-force
Causes the command to stop the SNMP daemon and agents without confirmation.
-obeyform Displays SNMP configuration information in add command format.
ERROR MESSAGES
For climconfig snmp -add:
• Trapsink already exists in SNMP configuration.
• Internal error cannot restart the SNMP daemon, error-code.
• Internal error cannot restart the SNMP agents, error-code.
For climconfig snmp -delete:
• Trapsink already exists in SNMP configuration.
• Internal Error cannot restart SNMP daemon, error-code.
• Internal error cannot restart the SNMP agents, error-code.
For climconfig snmp -start:
• SNMP daemon and agents are already in started state.
• Internal error cannot start SNMP daemon, error-code.
• Internal error cannot start the SNMP agents, error-code.
For climconfig snmp -stop:
• SNMP daemon and agents are already in stopped state.
• Internal Error cannot stop SNMP daemon, error-code.
• Internal error cannot stop the SNMP agents, error-code.
CONSIDERATION
• You can designate multiple hosts to receive traps by using snmp -add to add additional trap receiver IP addresses to the /etc/snmp/snmpd.conf file.
EXAMPLES
> CLIMCMD N1001253 climconfig snmp -info
Trap Receiver IP Address 192.168.1.192
192.168.1.193
192.168.1.194
SNMP Agent State STARTED
SNMP Agent Listening IP Address 192.1.1.1
> CLIMCMD N1001253 climconfig snmp -info -obeyform
climconfig snmp -add 192.168.1.192
#CLIMCMD expects ’exit’ to be the last command.
#This is required to terminate CLIMCMD session.
exit
climconfig.sp(1) climconfig.sp(1)
NAME
climconfig.sp − configure security policies
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig sp -add
[-prov prov-name] -s src-range -d dst-range -u upperspec
-dir {in|out } -policy {discard|none|ipsec}
-protocol {esp|ah|ipcomp }
-mode {tunnel -srcdst src_ip-dst_ip|transport }
-level {use|require|unique|default} [-load]
CLIMCMD {clim-name|ip-address} climconfig sp -delete
[-prov prov-name] -s src-range -d dst-range -u upperspec
-dir {in|out } [-unload [-force]]
CLIMCMD {clim-name|ip-address} climconfig sp -info
[-prov {prov-name | all}] [-s src-range ]
[-d dst-range] [-u upperspec][-obeyform]
CLIMCMD {clim-name|ip-address} climconfig sp -start
[-prov prov-name] [ -s src-range -d dst-range [-u upperspec]]
CLIMCMD {clim-name|ip-address} climconfig sp -stop
[-prov prov-name] [ -s src-range -d dst-range -u upperspec
-dir {in|out }] [-force]
CLIMCONFIG.SP DESCRIPTION
This command does the following:
sp -add
adds a security policy to the configuration file ipsec-tools.conf. The command parameters are reformatted into a spdadd < ...> type setkey command. The SP is not loaded into the SPD unless the -load option is specified.
sp -delete
deletes a security policy from the configuration file ipsec-tools.conf. If any SPs were already activated, they are not impacted. The SP is not unloaded from the SPD unless the -unload option is specified.
sp -info
displays security policy information from the configuration file ipsec-tools.conf. If no options are selected, all the SPs are listed from the ipsec-tools.conf file.
sp -start
loads security policies into the SPD. sp -start is one of the commands for activating
VPN connections.
sp -stop
unloads security policies from the SPD. sp -stop is one of the commands for deactivating VPN connections.
PARAMETERS
-prov Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own IPSec configuration. The provider name is case-insensitive and always converted to UPPER case.
-s src-range
Specifies the source of the secure communication as an IPv4 or IPv6 address and an optional port number between square brackets. This takes the form: address[/prefixlen][[port]]
-d dst-range
Specifies the destination of the secure communication as an IPv4 or IPv6 address and an optional port number between square brackets. This takes the following form: address[/prefixlen][[port]]
-u upperspec
Specifies the upper layer protocol. Any of the protocols from the /etc/protocols file can be specified as upperspec, icmp6, ip4, or any. The any option indicates any protocol. You can also specify the protocol number.
Note:
The upperspec parameter does not work in the forwarding case.
There are many protocols in /etc/protocols, but protocols other than TCP, UDP, and
ICMP may not be suitable to use with IPSec.
-dir direction
Specifies in or out.
-policy policy
Is one of the values: discard, none, or ipsec.
The discard parameter causes the packet-matching indexes to be discarded. The
none parameter causes the IPSec operation not to take place on the packet. The ipsec parameter causes the IPSec operation to take place on the packet.
-protocol protocol
One of: esp, ah, or ipcomp.
-mode mode
Either transport or tunnel.
-srcdst src_ip-dst_ip
Specifies the end-point addresses of the tunnel. This parameter is specified as two addresses separated by a hyphen (-). If -mode is transport, this option is not required. If -mode is tunnel, this parameter is required.
-level policy-level
Specifies the policy level. The value is one of: default, use, require, or unique. If the SA is not available in every level, the kernel requests the key-exchange daemon to establish a suitable SA.
The default option causes the kernel, when the kernel processes the packet, to consult the system-wide default for the protocol specified; for example, the esp_trans_deflev sysctl variable.
The use option causes the kernel to use an SA if it is available; otherwise the kernel continues to run in normal operation.
The require option causes the SA to be required whenever the kernel sends a packet matched with the policy.
The unique option is the same as the require option. Additionally, the unique option allows the policy to match the unique out-bound SA. If the policy level -level is specified as unique, racoon configures the SA for the policy.
-load
Causes the SP to be loaded into the SPD. This parameter is optional, and is used with the sp -add command.
-unload Causes the SP to be unloaded from the SPD. This parameter is optional, and is used with the sp -delete command. Unless you specify the -force parameter, you are prompted for confirmation for this command.
-force Causes the command to run without confirmation.
-obeyform Displays the security policy configuration in the format of add command(s).
ERROR MESSAGES
For sp -add:
Please give the correct options.
For sp -delete:
Please give the correct options. (The incorrect option is displayed).
The security policy for the matched options is not found.
For sp -start:
SP configuration not found.
For sp -info:
Please give the correct options. (The incorrect option is displayed.)
There are no security policies with the matched options.
For sp -stop:
SP configuration(s) not unloaded from the SPD.
CONSIDERATIONS
For sp -add:
The parameters protocol, mode and level are required and valid if and only if the parameter specified for policy is ipsec.
For sp -stop:
The src-ip, dst-ip and upperspec are optional parameters. If src-ip and dst-ip pair is provided, all SPs that match the src-ip and dst-ip are unloaded from the SPD. If no option is provided, all the SPs currently loaded in the kernel are unloaded.
Unless you specify -force you are prompted for confirmation to unload the SP(s) from the SPD.
Note:
You must add the SP configurations separately for different IPSec protocols ESP and AH. However, in the file, the configuration is represented as a single configuration instead of two separate configurations. For example: spdadd 1.2.3.4 4.3.2.1 any -P in ipsec ah/transport//require esp/transport//require;
When you add the SP configuration for the second, different protocol and specify the -load option, the IPSec tool unloads the previous old SP configuration (AH or ESP protocol) from the SPD and loads the new SP configuration (both AH and ESP protocols) into the SPD.
If you do not use the -load option, for example, if you do not load the SP configuration for the second protocol added, you must unload the old SP configuration manually (climconfig sp -stop <...> command) and then load the new SP configuration manually (climconfig sp -start <...> command).
If you try to load the new SP configuration without unloading the old SP configuration, the new SP configuration is not loaded into the SPD.
For sp -info:
If no options are specified, the list of all security policies in the configuration file ipsec-tools-conf is displayed.
EXAMPLES
> CLIMCMD clim1 climconfig sp -add
-s 10.1.1.0/24[any] -d 10.3.3.0/24[any]
-u any -dir in -policy ipsec -protocol esp -mode tunnel -srcdst 10.2.2.1-10.2.2.2 -level require -load
> CLIMCMD clim1 climconfig sp -add -s 10.1.1.2
-d 10.3.3.2 -u any -dir out -policy ipsec -protocol esp
-mode transport -level require -load
> CLIMCMD clim1 climconfig sp -delete -s 10.1.1.2
-d 10.3.3.2 -u any -dir out -unload
> CLIMCMD clim1 climconfig sp -delete -s 10.1.1.2
-d 10.3.3.2 -u any -dir out -unload -force
> CLIMCMD clim1 climconfig sp -info -s 10.1.1.0
-d 10.3.3.0 -u any
> CLIMCMD clim1 climconfig sp -info
> CLIMCMD clim1 climconfig sp -stop
> CLIMCMD clim1 climconfig sp -stop -force
> CLIMCMD clim1 climconfig sp -info -obeyform
> CLIMCMD clim1 climconfig sp -info -s 10.1.1.0
-d 10.3.3.0 -u 1 -obeyform
> CLIMCMD clim1 climconfig sp -add -prov ztc0
-s 10.1.1.2 -d 10.3.3.2 -u any -dir out -policy ipsec
-protocol esp -mode transport -level require -load
> CLIMCMD clim1 climconfig sp -delete -prov ztc0
-s 10.1.1.2 -d 10.3.3.2 -u any -dir out -unload -force
> CLIMCMD clim1 climconfig sp -info -prov zsam1
> CLIMCMD clim1 climconfig sp -info -prov ztc1 -obeyform
The sample output for sp -info -obeyform is:
climconfig sp -add \
-s 10.1.1.2 \
-d 10.3.3.2 \
-u any \
-dir out \
-policy ipsec \
-protocol esp \
-mode transport \
-level require
#CLIMCMD expects 'exit' to be the last command.
#This is required to terminate CLIMCMD session.
exit
Termination Info: 0
SEE ALSO
climconfig.sa, climconfig.vpn
climconfig.sysctl(1) climconfig.sysctl(1)
NAME
climconfig.sysctl − set or display CLIM kernel parameters
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig sysctl -update param-name param-value
CLIMCMD {clim-name|ip-address} climconfig sysctl -info {all|param-name} [-obeyform]
CLIMCMD {clim-name|ip-address} climconfig sysctl -delete param-name param-value
CLIMCONFIG.SYSCTL DESCRIPTION
This command sets the kernel parameter param-name values specified by param-value. In addition, this command causes an entry corresponding to the parameter to be added to or updated in the configuration file /etc/clim/kernelparam.conf. The configuration file /etc/clim/kernelparam.conf is dedicated to maintaining only the customer-configured kernel parameters.
When the CLIM is started, a script reads the /etc/clim/kernelparam.conf configuration file and sets the user configured kernel parameters in the kernel. Your changes remain persistent across CLIM reboots. To preserve changes made to the configuration file, a backup must be done, which can be restored when the CLIM is updated or the disk is replaced.
This command also displays the user-configured kernel parameters along with their corresponding values existing in the /etc/clim/kernelparam.conf file.
This command internally invokes the Linux provided sysctl utility with the param-name and param-value as arguments. Therefore, the behavior of this command is similar to that of the Linux provided sysctl utility. For information about the sysctl parameters, see the sysctl(8) man page on the CLIM.
PARAMETERS
param-name
For sysctl -update, denotes the kernel parameter to be updated with the new value.
For sysctl -info, specifies the kernel parameter in the /etc/clim/kernelparam.conf file to be displayed.
For sysctl -delete, deletes the specified kernel parameter from the /etc/clim/kernelparam.conf file. The parameter value remains unchanged in the kernel and is reset to its default value when the CLIM is rebooted.
param-value
Specifies the new value for the kernel parameter param-name.
all Displays all the user-configured kernel parameters along with their corresponding values as they exist in the /etc/clim/kernelparam.conf file.
-obeyform Generates the modify kernel parameter commands.
ERROR MESSAGES
The error messages are the same as those returned by the Linux sysctl utility. See the sysctl man page for information about errors.
CONSIDERATIONS
• If the param-value has multiple entries, you must specify the entries as space separated values within single quotes.
• Changes to these sysctl parameters must be done for every CLIM in a Provider:
• net.core.rmem_default
• net.core.rmem_max
• net.core.wmem_default
• net.core.wmem_max
• net.ipv4.ip_local_port_range
• net.ipv4.tcp_rmem
• net.ipv4.tcp_wmem
• If a sysctl is deleted, the change will come into effect only after a CLIM reboot.
• Changes to sysctl parameters should not be made when the CLIM is in STARTED state. To change the sysctl parameters on the CLIM:
1. Stop the CLIMs and the Provider.
2. Alter the sysctl parameters.
3. Start the CLIMs and the Provider.
If the CLIM is an Open type, you must reboot it.
EXAMPLES
> CLIMCMD n100253 climconfig sysctl -update net.ipv4.conf.all.forwarding 1
> CLIMCMD n100253 climconfig sysctl -update net.ipv4.tcp_rmem '4096 87380 1048576'
> CLIMCMD n100253 climconfig sysctl -info net.ipv4.tcp_rmem
net.ipv4.tcp_rmem = 4096 87380 1048576
> CLIMCMD n100253 climconfig sysctl -info all
net.ipv4.tcp_rmem = 4096 87380 1048576
net.ipv4.conf.all.forwarding = 1
> CLIMCMD n100253 climconfig sysctl -info all -obeyform
climconfig sysctl -update net.ipv4.tcp_fin_timeout 60
#CLIMCMD expects 'exit' to be the last command.
#This is required to terminate CLIMCMD session.
exit
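Because the parameters listed under CONSIDERATIONS must be identical on every CLIM in a Provider, an operator can compare the sysctl -info all output of those CLIMs. The following Python is an added example, not part of the manpage or the CIP software: it parses constructed sample output from two CLIMs (the names n100253 and n100254 and the values are illustrative), reports the Provider-wide parameters that differ or are missing, and prints the quoted climconfig sysctl -update commands that would align the lagging CLIM.

```python
"""Compare user-configured CLIM kernel parameters across the CLIMs of a Provider.

Input is the text printed by 'CLIMCMD <clim> climconfig sysctl -info all', one
line per parameter in the form 'name = value'. MUST_MATCH lists the parameters
the climconfig.sysctl manpage says must be changed on every CLIM in a Provider.
"""
import shlex

MUST_MATCH = (
    "net.core.rmem_default",
    "net.core.rmem_max",
    "net.core.wmem_default",
    "net.core.wmem_max",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_rmem",
    "net.ipv4.tcp_wmem",
)


def parse_sysctl_info(text):
    """Parse 'name = value' lines into a dict; blank and comment lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Multi-entry values keep single spaces between entries ('4096 87380 1048576').
        params[name.strip()] = " ".join(value.split())
    return params


def find_drift(per_clim, names=MUST_MATCH):
    """Return {param: {clim: value or None}} for parameters not identical on all CLIMs."""
    drift = {}
    for name in names:
        values = {clim: params.get(name) for clim, params in per_clim.items()}
        if len(set(values.values())) > 1:
            drift[name] = values
    return drift


def update_commands(clim, reference, drift):
    """Build the climconfig sysctl -update commands that align 'clim' with 'reference'."""
    cmds = []
    for name, values in sorted(drift.items()):
        wanted = values.get(reference)
        if wanted is None or values.get(clim) == wanted:
            continue
        # Multi-entry values must be given as space separated values inside single quotes.
        value = shlex.quote(wanted) if " " in wanted else wanted
        cmds.append(f"CLIMCMD {clim} climconfig sysctl -update {name} {value}")
    return cmds


# Constructed sample output for two CLIMs of one Provider (not real captures).
SAMPLE_OUTPUT = {
    "n100253": """
net.ipv4.tcp_rmem = 4096 87380 1048576
net.ipv4.conf.all.forwarding = 1
net.core.rmem_max = 4194304
""",
    "n100254": """
net.ipv4.tcp_rmem = 4096 87380 6291456
net.ipv4.conf.all.forwarding = 1
""",
}


def main():
    per_clim = {clim: parse_sysctl_info(text) for clim, text in SAMPLE_OUTPUT.items()}
    drift = find_drift(per_clim)
    for name, values in sorted(drift.items()):
        print(f"{name}: {values}")
    # Treat n100253 as the reference and generate the commands for n100254.
    for cmd in update_commands("n100254", "n100253", drift):
        print(cmd)


if __name__ == "__main__":
    main()
```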
climconfig.tunnel(1) climconfig.tunnel(1)
NAME
climconfig.tunnel − modify tunnel configuration
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig tunnel
-add tunnel-interface -ipaddress ipv6-address
-netmask netmask
-endpoint {ipv4-address | any}
-local ipv4-address
[-ttltime ttl-time] -intf parent-interface
[-mtu mtu-value | -jumbo { on | off } ]
CLIMCMD {clim-name|ip-address} climconfig tunnel -delete interface
CLIMCMD {clim-name|ip-address} climconfig tunnel -info
{tunnel-interface|all}[-obeyform]
CLIMCONFIG.TUNNEL DESCRIPTION
This command does the following:
tunnel -add
adds an IPv6-over-IPv4 (point-to-point) tunnel configuration to the /etc/network/interfaces file. IPv6 packets are encapsulated in IPv4 headers and sent across the IPv4 infrastructure through the configured tunnel. If the -mtu option is not specified, the tunnel interface is activated with an MTU size of 20 bytes less than its parent interface MTU size or with a value of 1280, whichever is higher.
NOTE: When adding a tunnel interface to CLIMs with MULTIPROV ON, the tunnel is added to the same provider that the parent interface belongs to and does not need to be explicitly indicated in the command line.
tunnel -delete
deletes an existing tunnel interface. If the tunnel is active, the tunnel configuration cannot be deleted.
tunnel -info
displays tunnel configuration information for a specified tunnel interface. The display format is:
Interface Name tunnel-interface
IPv6 Address ip-address
Netmask netmask
Remote Endpoint ip-address
Local Endpoint ip-address
TTL Time ttltime
MTU Size value
If the Local Endpoint, Gateway, and TTL Time fields are not configured, they do not appear in the display.
The -obeyform display format is:
climconfig tunnel -add interface-name -ipaddress ipv6-address
-netmask ipv6-prefix -endpoint ipv4-address
-local ipv4-address -intf parent-interface
[-mtu mtu-value][-ttltime ttl-time]
PARAMETERS
tunnel-interface
Is the name of the tunnel interface to be added, deleted, or displayed. The tunnel interface name is case sensitive.
all Displays the configurations of all the interfaces.
-obeyform For a specified Tunnel interface name, displays Tunnel configuration in add command format.
-ipaddress ipv6-address
Is an IPv6 address.
-netmask netmask
Is the netmask for the IPv6 address, specified as a number of bits, for example, 64.
-endpoint {ipv4-address|any}
Is the address of the tunnel endpoint. Specify either a dotted quad IPv4 address or any. If it is specified as any, the kernel determines the remote endpoint by examining the 6to4 address and creates a 6to4 tunnel. 6to4 tunnels do not have an IPv6 link local address like point-to-point tunnels. The local IPv4 address will be added as an IPv6 compatible IPv4 address. The kernel then encapsulates the packet and sends it to the IPv4 address embedded in the packet.
-local ipv4-address
Is the address of the local endpoint, specified as a dotted quad IPv4 address.
-ttltime ttl-time
Is the TTL setting indicating the network time to live. The maximum value is 255.
-intf parent-interface
Specifies the parent interface name (for example, eth1 or bond1) that hosts the local endpoint IPv4 address.
-mtu Sets frame size for an interface. Allowable values are 1280 to 65508.
You cannot specify both the jumbo and mtu options.
Specifying the mtu option overrides previous values set for jumbo.
-jumbo { on | off }
Sets or resets jumbo frames for a tunnel interface. If set to ON, the frame size is set to 9000 bytes. If reset (OFF), the frame size is set to 1500 bytes.
The jumbo option has a limited set of allowable values (1500 - OFF and 9000 - ON) for frame size, whereas the mtu option supports a range of values. The mtu option is the recommended method for setting MTU size.
You cannot specify both the jumbo and mtu options.
Specifying jumbo overrides previous values set for mtu.
ERROR MESSAGES
For tunnel -add:
Tunnel interface interface is already configured as an independent interface.
parent-interface is invalid parent interface.
The interface parent-interface is not configured.
The IP address ipv4-address specified with the -local option is not configured with the specified interface parent-interface.
A tunnel for the specified endpoints exists.
Another tunnel with the same endpoints should not exist.
Only one of -jumbo or -mtu options can be specified.
A value within the range of 1280 to 65508 must be specified for the -mtu option.
For tunnel -delete:
The interface tunnel-interface is not configured.
The interface tunnel-interface is UP; cannot execute this command.
For tunnel -info:
Tunnel interface interface configuration does not exist.
CONSIDERATIONS
As of J06.10 and H06.21, tunnels can be added only in upper case, but existing tunnels in lower case are supported and do not need to be deleted and re-added.
The parent interface and the local endpoint address should be configured before adding the tunnel interface.
eth0, lo, and eth0:0 are not valid parent interfaces for a tunnel interface.
A VLAN or VXLAN interface cannot be the parent interface of a tunnel interface.
A tunnel interface cannot be the parent interface of a tunnel interface.
If the Maximum Transfer Unit (MTU) value of an active interface is changed using the jumbo option, a failover of that interface might occur.
A different tunnel with the same endpoints cannot exist.
EXAMPLES
> CLIMCMD clim1 climconfig tunnel -add MYTUN1
-ipaddress 2001:0db8:fff5:6::101
-netmask 64 -endpoint 15.76.217.111 -local 15.76.217.35 -intf eth1
> CLIMCMD 100.253.17.2 climconfig tunnel -delete MYTUN1
> CLIMCMD clim1 climconfig tunnel -info MYTUN1
Interface : MYTUN1
Interface Type : Point-to-Point Tunnel Interface
MTU Size : 1280
Associated Parent Interface Name: eth5
Local Endpoint Address : 1.2.3.15
Remote Endpoint Address : 1.2.3.4
TTL value : Unspecified
IP Address : dead:beef:face::1/64
> CLIMCMD clim1 climconfig tunnel -info TUN2 -obeyform
climconfig tunnel \
-add TUN2 \
-ipaddress 3ffe::218:71ff:fe79:b378 \
-netmask 64 \
-local 173.17.190.40 \
-endpoint 173.17.190.100 \
-intf eth4
#CLIMCMD expects 'exit' to be the last command.
#This is required to terminate CLIMCMD session.
exit
Termination Info: 0
SEE ALSO
climconfig vpn
climconfig.vlan(1) climconfig.vlan(1)
NAME
climconfig.vlan − configure VLAN interfaces
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig vlan
-add <tenant-interface-name> -vid <vid-value>
-hostintf <host-interface-name> [-prov <provider-name>]
[-mtu <mtu-value>]
[-pcpoutmap {/<*:out-pcp>/ |
/<input-priority:out-pcp>,<input-priority:out-pcp>,.../}]
CLIMCMD {clim-name|ip-address} climconfig vlan
-delete <tenant-interface-name> [-force]
CLIMCMD {clim-name|ip-address} climconfig vlan
-modify <tenant-interface-name> [-mtu <mtu-value>]
[-pcpoutmap { default |
/<input-priority:out-pcp>,<input-priority:out-pcp>,.../}]
[-force]
CLIMCMD {clim-name|ip-address} climconfig vlan -info
{<tenant-interface-name> | all} [-obeyform]
CLIMCONFIG.VLAN DESCRIPTION
This command does the following:
vlan -add
adds a VLAN interface to the /etc/network/interfaces file of the CLIM.
The host brings up the VLAN interface when it is added.
If the CLIM has MULTIPROV ON and the operator specifies the -prov command with the name of an unconfigured prov object, that object is implicitly added.
The VLAN interface can be added even when the CLIM is in the STARTED state.
vlan -delete
deletes an existing VLAN interface.
If the VLAN interface is active, the vlan configuration cannot be deleted.
vlan -modify
modifies the MTU and pcpoutmap associated with the configured VLAN interface.
If a pcpoutmap already exists for the specified VLAN interface, it is deleted and the new pcpoutmap specified with this command is set on the VLAN interface.
It changes the existing interface configuration in the CLIM /etc/network/interfaces file.
vlan -info
displays vlan configuration information for the specified VLAN interface.
The display format is:
Interface : <tenant-interface-name>
Interface Type : VLAN Interface
VID : <vid-value>
Host Interface : <host-interface-name>
MTU Size : <mtu-value>
PCP Outmap : <pcpoutmap-value>
IP Address : <ip-address>
Netmask : <netmask>
ROUTE Details :
Route Type : <route-type>
Destination Address : <ip-address>
Netmask : <netmask>
Gateway Address : <gateway-ip-address>
Metric : <value>
Minimum RTO : <value>
InitCWND : <value>
Src : <value>
If any one of the optional parameters is not configured, it appears either as default or with the default value in the display.
The -obeyform display format is:
climconfig vlan -add <tenant-interface-name> -vid <vid-value>
-hostintf <host-interface-name> [-prov <provider-name>]
[-mtu <mtu-value>] [-pcpoutmap <pcpoutmap-value>]
PARAMETERS
<tenant-interface-name>
Is the name of the VLAN (IEEE 802.1q enabled) interface to be added, deleted, modified or displayed.
The tenant interface name is case sensitive. It must be in lower case.
The total length of a tenant interface name should not be more than 6 characters long.
It is highly recommended to use the following naming convention so that VLAN interfaces can be easily differentiated with a common convention.
-> eNvMMM - VLAN interface hosted on Ethernet interface ethN with VID MMM.
-> bNvMMM - VLAN interface hosted on bonded interface bondN with VID MMM.
MMM is an alphanumeric string of length between 1 and 3 characters.
all Displays configurations of all the VLAN interfaces.
-obeyform For a specified VLAN interface name, displays vlan configuration in add command format.
-vid <vid-value>
The 12-bit VID field to be set in the 802.1q header, specifying the virtual LAN tag to be used by traffic through this VLAN interface. It must be an integer value in the range of 1-4094.
-hostintf <host-interface-name>
The physical Ethernet interface or bonded interface to be used for carrying the VLAN traffic.
-prov <provider-name>
The tenant provider in which the VLAN interface will be configured.
This may or may not be the same as the provider in which the host interface is configured.
-mtu <mtu-value>
The maximum transmission unit for frames sent through the VLAN interface. The MTU of a VLAN interface must be less than or equal to the MTU of the host interface on which it is configured. By default, if unspecified, it is set to a value equal to the MTU of the host interface.
-pcpoutmap <pcpoutmap-value>
This option sets Layer 2 QoS in the 802.1q header for outgoing frames.
It specifies a mapping of packet <input-priority> to the Priority Control Point (PCP) field in the 802.1q header for outgoing frames, so that all packets of a given <input-priority> are sent out with <out-pcp> as the value of the PCP field in the 802.1q header.
The <input-priority> and <out-pcp> must be integer values in the range 0 - 7.
If the wildcard character * is specified for <input-priority>, all the packets are sent out with <out-pcp> as the PCP field value in the 802.1q header.
To map traffic of different priorities, multiple mappings separated by the comma character can be specified for the same VLAN interface. No blank spaces may be used in the value for the pcpoutmap parameter. The <pcpoutmap-value> must be enclosed within the delimiter '/'.
By default, if no mapping is specified, all packets are sent out with 0 as the value of the PCP field.
Applications can set the <input-priority> on packets sent out through a particular socket by setting the SO_PRIORITY socket option. The <input-priority> on outgoing packets can also be set by adding an iptables rule on the POSTROUTING built-in chain of the 'mangle' table.
-force
Causes the command to modify the VLAN interface without prompting for confirmation.
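The -pcpoutmap syntax and the checks behind the "-pcpoutmap" messages listed under ERROR MESSAGES can be reproduced in code. The following Python is an added example, not the CLIM's own parser: it validates a <pcpoutmap-value>, raises the corresponding manpage message on a bad value, and reports the PCP a frame of a given SO_PRIORITY would leave with (0 when no mapping applies).

```python
"""Parse and validate the -pcpoutmap value of climconfig vlan.

Accepted forms are '/*:<out-pcp>/' and '/<in>:<out>,<in>:<out>,.../' where every
number is in 0-7, no input priority repeats and no blank space appears. Each
rejection carries the message the manpage lists for the "-pcpoutmap" option.
"""
import re

PREFIX = 'For the "-pcpoutmap" option, '
NUMBER = re.compile(r"\*|\d+")


class PcpOutMapError(ValueError):
    """Raised with the manpage's error text when a -pcpoutmap value is rejected."""


def _in_range(token):
    return token.isdigit() and 0 <= int(token) <= 7


def parse_pcpoutmap(value):
    """Return {input_priority: out_pcp}; the key '*' stands for the wildcard."""
    if len(value) < 2 or value[0] != "/" or value[-1] != "/":
        raise PcpOutMapError(PREFIX + "The value must be enclosed within the delimiters '/' and '/'.")
    body = value[1:-1]
    mapping = {}
    pos = 0
    while True:
        # <input-priority>: a decimal number in 0-7 or the wildcard '*'.
        m = NUMBER.match(body, pos)
        if not m or (m.group() != "*" and not _in_range(m.group())):
            raise PcpOutMapError(PREFIX + "The input priority must be an integer value in the range of 0 - 7.")
        key = "*" if m.group() == "*" else int(m.group())
        pos = m.end()
        # ':' must follow; report whatever character was found instead.
        if pos >= len(body) or body[pos] != ":":
            found = body[pos] if pos < len(body) else ""
            raise PcpOutMapError(PREFIX + f"The separator '{found}' is invalid; ':' is expected between input priority and out pcp.")
        pos += 1
        # <out-pcp>: a decimal number in 0-7.
        m = NUMBER.match(body, pos)
        if not m or not _in_range(m.group()):
            raise PcpOutMapError(PREFIX + "The out pcp must be an integer value in the range of 0 - 7.")
        if key in mapping:
            raise PcpOutMapError(PREFIX + "The input priority value should not be repeated.")
        mapping[key] = int(m.group())
        pos = m.end()
        if pos == len(body):
            return mapping
        # Another map follows; only ',' is allowed between maps (a blank is rejected).
        if body[pos] != ",":
            raise PcpOutMapError(PREFIX + f"The separator '{body[pos]}' is invalid; ',' is expected between different pcp maps.")
        pos += 1


def outgoing_pcp(mapping, input_priority):
    """PCP value a frame with the given SO_PRIORITY leaves with; unmapped priorities get 0."""
    if "*" in mapping:
        return mapping["*"]
    return mapping.get(input_priority, 0)


if __name__ == "__main__":
    # The first two values come from the manpage's EXAMPLES; the rest are constructed bad inputs.
    for value in ("/*:5/", "/1:2,4:5/", "/1:2;4:5/", "/1:2,1:3/", "1:2", "/8:1/"):
        try:
            print(value, "->", parse_pcpoutmap(value))
        except PcpOutMapError as err:
            print(value, "->", err)
```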
ERROR MESSAGES
For vlan -add:
A maximum combined total of only 100 VLAN and VXLAN interfaces can be configured per CLIM.
NSK system is running older version of CIP Subsystem software that does not support VLAN and VXLAN interfaces.
The specified tenant interface name <tenant-interface-name> is more than 6 characters.
The specified tenant interface <tenant-interface-name> is already configured.
A vlan interface <tenant-interface-name> with vid <vid-value> is already configured on the host interface <host-interface>.
VLAN interface cannot be configured in <maintenance-provider-name> provider.
The vid must be an integer value in the range of 1-4094.
The specified host interface <host-interface> is not configured.
The specified host interface <host-interface> is neither physical nor bonded interface.
The specified mtu <mtu-value> is greater than that of its host interface host-interface.
For the "-pcpoutmap" option, The value must be enclosed within the delimiters '/' and '/'.
For the "-pcpoutmap" option, The input priority must be an integer value in the range of 0 - 7.
For the "-pcpoutmap" option, The out pcp must be an integer value in the range of 0 - 7.
For the "-pcpoutmap" option, The input priority value should not be repeated.
For the "-pcpoutmap" option, The separator '<x>' is invalid; ':' is expected between input priority and out pcp.
For the "-pcpoutmap" option, The separator '<x>' is invalid; ',' is expected between different pcp maps.
This command is not supported on clim-mode CLIM.
The -prov option is not supported for CLIM with SCF MULTIPROV option set to OFF.
The -prov option must be specified for CLIM with SCF MULTIPROV option set to ON.
The specified provider name is invalid; it must not be more than seven characters and must be alpha-numeric characters with the first character being alphabetic.
This command is not supported for the interface <interface-name>.
VLAN is not supported on virtio interfaces.
For vlan -delete:
The specified VLAN interface <vlan-interface> is not configured.
The VLAN interface <vlan-interface> is UP; cannot execute this command.
This command is not supported for the interface <interface-name>.
For vlan -modify:
The specified VLAN interface <vlan-interface> is not configured.
For the "-pcpoutmap" option, The input priority must be an integer value in the range of 0 - 7.
For the "-pcpoutmap" option, The out pcp must be an integer value in the range of 0 - 7.
A value within the range 1280 to 9000 must be specified for -mtu option.
The specified mtu <mtu-value> is greater than that of its host interface <host-interface>.
For vlan -info:
The specified VLAN interface <vlan-interface> is not configured.
CONSIDERATIONS
As of L17.02 release, VLAN is supported only on Gen9 L-Series CLIM(s). It is not supported on Storage and IB CLIM(s).
VLAN interface cannot be added when the CLIM is in STARTED state and NSK system is running older version of CIP Subsystem software that does not support VLAN and VXLAN interfaces.
Only physical and bonded interface can be specified as host interface.
VLAN interface cannot be configured in maintenance providers (%MAINT and %MPROV).
VIDs 0 and 4095 are not supported as they are reserved by IEEE 802.1q specification.
A maximum combined total of only 100 VLAN and VXLAN interfaces can be configured per CLIM.
Only one VLAN interface per VID per host interface is supported on the CLIM.
A VLAN interface cannot be deleted when it is active (UP).
EXAMPLES
> CLIMCMD NCLIM001 climconfig vlan -add b0v8 -vid 8 -hostintf bond0 -prov ztc8
> CLIMCMD NCLIM001 climconfig vlan -add e1v7 -vid 7 -hostintf eth1 -mtu 1400 -pcpoutmap /*:5/
> CLIMCMD NCLIM001 climconfig vlan -add e2v6 -vid 6 -hostintf eth2 -prov ztc6 -pcpoutmap /1:2,4:5/
> CLIMCMD 192.168.36.51 climconfig vlan -delete e2v6 -force
> CLIMCMD NCLIM001 climconfig vlan -modify b0v8 -mtu 1500
> CLIMCMD NCLIM001 climconfig vlan -modify e1v5 -mtu 1450 -pcpoutmap default -force
> CLIMCMD NCLIM001 climconfig vlan -info e1v7
Data Provider ZTC7 interfaces
Interface : e1v7
Interface Type : VLAN Interface
VID : 7
Host Interface : eth1
MTU Size : 1400
PCP Outmap : /*:5/
IP Address : 1.1.1.1
Netmask : 255.255.255.0
ROUTE Details :
Route Type : Default Route
Destination Address : 0.0.0.0
Netmask : 0.0.0.0
Gateway Address : 1.1.1.10
Metric : 0
Minimum RTO : Unspecified
InitCWND : Unspecified
Src : Unspecified
> CLIMCMD NCLIM001 climconfig vlan -info all
Data Provider ZTC8 interfaces
Interface : b0v8
Interface Type : VLAN Interface
VID : 8
Host Interface : bond0
MTU Size : 1500
PCP Outmap : default
IP Address : 2.2.2.2
Netmask : 255.255.255.0
IP Address : 4.4.4.4
Netmask : 255.255.255.0
Data Provider ZTC7 interfaces
Interface : e1v7
Interface Type : VLAN Interface
VID : 7
Host Interface : eth1
MTU Size : 1400
PCP Outmap : /*:5/
IP Address : 1.1.1.1
Netmask : 255.255.255.0
ROUTE Details :
Route Type : Default Route
Destination Address : 0.0.0.0
Netmask : 0.0.0.0
Gateway Address : 1.1.1.10
Metric : 0
Minimum RTO : Unspecified
InitCWND : Unspecified
Src : Unspecified
> CLIMCMD NCLIM001 climconfig vlan -info all -obeyform
climconfig vlan \
-add b0v8 \
-vid 8 \
-hostintf bond0 \
-prov ZTC8 \
-mtu 1500
climconfig ip \
-add b0v8 \
-ipaddress 2.2.2.2 \
-netmask 255.255.255.0
climconfig ip \
-add b0v8 \
-ipaddress 4.4.4.4 \
-netmask 255.255.255.0
# No route is configured on b0v8
# No ARP entry is configured on b0v8
climconfig vlan \
-add e1v7 \
-vid 7 \
-hostintf eth1 \
-prov ZTC7 \
-mtu 1400 \
-pcpoutmap /*:5/
climconfig ip \
-add e1v7 \
-ipaddress 1.1.1.1 \
-netmask 255.255.255.0
climconfig route \
-add e1v7 \
-default \
-gateway 1.1.1.10
# No ARP entry is configured on e1v7
#CLIMCMD expects 'exit' to be the last command.
#This is required to terminate CLIMCMD session.
exit
Termination Info: 0
SEE ALSO
climconfig.interface(1), climconfig.arp(1), climconfig.ip(1), climconfig.route(1)
climconfig.vpn(1) climconfig.vpn(1)
NAME
climconfig.vpn − obtain information about virtual private networks
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig vpn -status
[-prov {prov-name | all}] [-s src-ip -d dst-ip]
CLIMCONFIG.VPN DESCRIPTION
This command displays the status of the VPN connection established between the source and destination IP addresses. The security policy and the association loaded in the Security Policy Database (SPD) and Security Association Database (SAD) are displayed in that order. -d and -s are optional parameters; if they are omitted, the status of all the VPN connections is shown.
PARAMETERS
-s src-ip Specifies the source IP address.
-d dst-ip Specifies the destination IP address.
-prov Specifies a provider name. This option is mandatory for CLIMs that have MULTIPROV set to ON and cannot be used if MULTIPROV is set to OFF. Each provider has its own IPSec configuration. The provider name is case-insensitive and always converted to UPPER case.
ERROR MESSAGES
The status for the VPN connection between src-ip and dst-ip is not found. Please check for the correct options and retry again.
EXAMPLES
> CLIMCMD clim1 climconfig vpn -status
Security Policies from SPD:
10.2.2.0/24[any] 10.1.1.2[any] any
    in ipsec
    esp/tunnel/10.2.2.1-10.1.1.2/require
    ah/tunnel/10.2.2.1-10.1.1.2/require
    created: Jun 22 20:48:13 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=8 seq=2 pid=369
    refcnt=1
10.1.1.2[any] 10.2.2.0/24[any] any
    out ipsec
    esp/tunnel/10.1.1.2-10.2.2.1/require
    ah/tunnel/10.1.1.2-10.2.2.1/require
    created: Jun 22 20:48:13 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=1 seq=1 pid=369
    refcnt=1
Security Associations from SAD:
10.1.1.2 10.2.2.1
    esp mode=tunnel spi=262906055(0x0faba0c7) reqid=0(0x00000000)
    E: 3des-cbc f1eee61a f2642ace 2c89c610 c245978d 7ea13336 133d84d2
    A: hmac-md5 d34b8476 cb8bda72 9d1b8e0b 059f14ad
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jun 22 21:03:02 2008  current: Jun 22 21:03:22 2008
    diff: 20(s)  hard: 28800(s)  soft: 23040(s)
    last: Jun 22 21:03:03 2008  hard: 0(s)  soft: 0(s)
    current: 252(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 3  hard: 0  soft: 0
    sadb_seq=3 pid=727 refcnt=0
10.2.2.1 10.1.1.2
    esp mode=tunnel spi=7523920(0x0072ce50) reqid=0(0x00000000)
    E: 3des-cbc b5e66f7b faeb03c3 4571b6ed 5686d721 c05350ad 49e967c2
    A: hmac-md5 9206a14f 0f6dfb3a a2138e04 dc1c4140
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jun 22 21:03:03 2008  current: Jun 22 21:03:22 2008
    diff: 19(s)  hard: 28800(s)  soft: 23040(s)
    last: Jun 22 21:03:03 2008  hard: 0(s)  soft: 0(s)
    current: 408(bytes)  hard: 0(bytes)  soft: 0(bytes)
    allocated: 3  hard: 0  soft: 0
    sadb_seq=1 pid=727 refcnt=0
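The climconfig.sp CONSIDERATIONS note that one spdadd line in the configuration file carries both an AH and an ESP rule although climconfig sp -add takes one protocol per command, and the SPD entries printed above by vpn -status use the same protocol/mode/src-dst/level form. The following Python is an added example, not part of the manpage or the CIP software: it parses either form (the spdadd line quoted in the sp manpage and a constructed SPD entry in the layout shown above), emits the per-protocol climconfig sp -add commands that reproduce the policy, and flags rules whose level does not require an SA. The CLIM name clim1 and provider ztc0 are taken from the page's examples.

```python
"""Turn SPD policy entries into the climconfig sp -add commands that produce them.

Handles both forms in which a security policy appears on the CLIM: the
'spdadd ... ;' line of the ipsec-tools configuration and the entry printed under
'Security Policies from SPD:' by climconfig vpn -status. One entry may carry
both an AH and an ESP rule, but climconfig sp -add takes one protocol per
command, so one entry can expand to two commands.
"""
import re

RULE_RE = re.compile(r"^(esp|ah|ipcomp)/(transport|tunnel)/([^/]*)/(default|use|require|unique)$")
# 'require' and 'unique' demand an SA; 'use' lets matching traffic pass in clear when none exists.
LEVELS_NEEDING_SA = {"require", "unique"}


def parse_policy(text):
    """Parse one spdadd line or one vpn -status SPD entry into a dict."""
    tokens = text.replace(";", " ").split()
    if tokens and tokens[0] == "spdadd":
        tokens = [t for t in tokens[1:] if t != "-P"]
    if len(tokens) < 5:
        raise ValueError("policy needs src, dst, upperspec, direction and policy type")
    src, dst, upper, direction, policy = tokens[:5]
    if direction not in ("in", "out", "fwd"):
        raise ValueError(f"bad direction {direction!r}")
    rules = []
    for tok in tokens[5:]:
        m = RULE_RE.match(tok)
        if not m:
            break  # metadata such as 'created:' or 'spid=' follows the rules
        proto, mode, srcdst, level = m.groups()
        rules.append({"protocol": proto, "mode": mode, "srcdst": srcdst, "level": level})
    if policy == "ipsec" and not rules:
        raise ValueError("ipsec policy without any protocol/mode/level rule")
    return {"src": src, "dst": dst, "upper": upper, "dir": direction, "policy": policy, "rules": rules}


def sp_add_commands(policy, clim, prov=None, load=True):
    """One 'climconfig sp -add' per protocol rule, as the manpage requires."""
    base = [f"CLIMCMD {clim} climconfig sp -add"]
    if prov:
        base.append(f"-prov {prov}")
    base += [f"-s {policy['src']}", f"-d {policy['dst']}", f"-u {policy['upper']}",
             f"-dir {policy['dir']}", f"-policy {policy['policy']}"]
    if policy["policy"] != "ipsec":
        return [" ".join(base)]
    cmds = []
    for rule in policy["rules"]:
        parts = base + [f"-protocol {rule['protocol']}", f"-mode {rule['mode']}"]
        if rule["srcdst"]:  # tunnel mode carries the outer endpoints
            parts.append(f"-srcdst {rule['srcdst']}")
        parts.append(f"-level {rule['level']}")
        if load:
            parts.append("-load")
        cmds.append(" ".join(parts))
    return cmds


def rules_not_requiring_sa(policy):
    """Rules whose level would let matching traffic leave without an SA."""
    return [r for r in policy["rules"] if r["level"] not in LEVELS_NEEDING_SA]


# Constructed samples: the spdadd form quoted in the climconfig.sp CONSIDERATIONS and
# an SPD entry in the layout printed by climconfig vpn -status.
SPDADD_LINE = "spdadd 1.2.3.4 4.3.2.1 any -P in ipsec ah/transport//require esp/transport//require;"
SPD_ENTRY = """10.1.1.2[any] 10.2.2.0/24[any] any
    out ipsec
    esp/tunnel/10.1.1.2-10.2.2.1/require
    ah/tunnel/10.1.1.2-10.2.2.1/require
    created: Jun 22 20:48:13 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=1 seq=1 pid=369
    refcnt=1"""

if __name__ == "__main__":
    for sample in (SPDADD_LINE, SPD_ENTRY):
        policy = parse_policy(sample)
        for cmd in sp_add_commands(policy, "clim1"):
            print(cmd)
        for rule in rules_not_requiring_sa(policy):
            print("level does not require an SA:", rule)
```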
SEE ALSO
climconfig sa -stop, climconfig sp -start, climconfig sp -stop
climconfig.vxlan(1) climconfig.vxlan(1)
NAME
climconfig.vxlan − configure VXLAN interfaces
SYNOPSIS
CLIMCMD {clim-name|ip-address} climconfig vxlan
-add <tenant-interface-name> -vni <vni-value>
-multicastip <ip-address>
-hostintf <interface-name> [-prov <provider-name>]
[-dstport <port-number>] [-macaddr <address>]
[-mtu <mtu-value>] [-ttl <ttl-value>] [-tos <tos-value>]
[-udpcsum on|off] [-udp6zerocsumtx on|off]
[-udp6zerocsumrx on|off]
CLIMCMD {clim-name|ip-address} climconfig vxlan
-delete <tenant-interface-name> [-force]
CLIMCMD {clim-name|ip-address} climconfig vxlan
{ -modify <tenant-interface-name>
[-macaddr <address>] [-mtu <mtu-value>] [-force]}
CLIMCMD {clim-name|ip-address} climconfig vxlan -info
{<tenant-interface-name> | all} [-obeyform]
CLIMCONFIG.VXLAN DESCRIPTION
This command does the following:
vxlan -add
adds VXLAN interface to the /etc/network/interfaces file of the CLIM.
The host brings up the VXLAN interface when it is added.
If the CLIM has MULTIPROV ON and the operator specifies the -prov command with the name of an unconfigured prov object, that object is implicitly added.
The VXLAN interface can be added even when the CLIM is in the STARTED state.
vxlan -delete
deletes an existing VXLAN interface. If the VXLAN interface is active, the vxlan configuration cannot be deleted.
vxlan -modify
modifies the MTU and macaddr associated with a configured VXLAN interface.
It changes the existing interface configuration in the CLIM /etc/network/interfaces file.
vxlan -info
displays vxlan configuration information for a specified VXLAN interface.
The display format is:
Interface : <tenant-interface-name>
Interface Type : VXLAN Interface
VNI : <value>
Host Interface : <host-interface-name>
Multicast IP : <ip-address>
MTU Size : <value>
UDP Port : <value>
TTL value : <value>
TOS value : <value>
UDP Checksum : <value>
UDP IPv6 Checksum TX : <value>
UDP IPv6 Checksum RX : <value>
Software MAC Address : <software-mac-address>
IP Address : <ip-address>
Netmask : <netmask>
ROUTE Details :
Route Type : Network Route
Destination Address : <ip-address>
Netmask : <netmask>
Gateway Address : <value>
Metric : <value>
Minimum RTO : <value>
InitCWND : <value>
Src : <value>
If any one of the optional parameters is not configured, it appears as Unspecified in the display.
The -obeyform display format is:
climconfig vxlan -add <tenant-interface-name> -vni <vni-value>
-multicastip <ip-address> -hostintf <parent-interface>
[-prov <provider-name>][-dstport <port-number>]
[-macaddr <address>][-mtu <mtu-value>][-ttl <ttl-time>]
[-tos <tos-value>][-udpcsum on|off]
[-udp6zerocsumtx on|off][-udp6zerocsumrx on|off]
PARAMETERS
tenant-interface-name
Is the name of the VXLAN interface to be added, deleted, modified or displayed.
The tenant interface name is case sensitive. It must be in lower case.
The total length of tenant interface name should not be more than 6 characters long.
It is highly recommended to use the following naming convention so that VXLAN interfaces can be easily differentiated with a common convention.
-> eNxSTR - VXLAN interface hosted on Ethernet interface ethN.
-> bNxSTR - VXLAN interface hosted on bonded interface bondN.
STR is an alphanumeric string of length between 1 and 3 characters.
all Displays the configurations of all the VXLAN interfaces.
-obeyform For a specified VXLAN interface name, displays vxlan configuration in add command format.
-vni vni-value
The 24-bit VNI field to be set in the VXLAN header, specifying the VXLAN segment ID to be used by traffic through the VXLAN interface. It must be an integer value in the range of 1-16777215.
-multicastip ip-address
The IPv4 or IPv6 multicast IP address to be used by the VXLAN protocol for discovering which VXLAN endpoint holds a given tenant MAC address. The IPv4 address must be specified in dotted quad format and IPv6 address must be specified in string notation.
-hostintf interface-name
The physical Ethernet or bonded interface to be used for carrying the VXLAN traffic.
This interface must have at least one IP address configured on it.
-prov provider-name
The tenant provider in which the VXLAN interface will be configured.
This may or may not be the same as the provider in which the host interface is configured.
-dstport port-number
The UDP destination port to communicate to the remote VXLAN tunnel endpoint.
By default, if unspecified, the IANA assigned port of 4789 will be used.
-macaddr address
The MAC address that is to be used for the virtual Ethernet frames delivered inside VXLAN encapsulated packets.
It must be specified in six groups of hexadecimal digits separated by colons.
By default, this MAC address is same as the MAC address of the host interface.
-mtu mtu-value
The maximum transmission unit for virtual LAN Ethernet frames that are tunneled through the VXLAN interface.
For a VXLAN interface with IPv4 multicast IP address, the mtu-value must be at least 50 bytes less than the MTU of the host interface on which it is configured. By default, if unspecified, the MTU is set to a value 50 bytes less than the MTU of the host interface.
For a VXLAN interface with IPv6 multicast IP address, the mtu-value must be at least 70 bytes less than the MTU of the host interface on which it is configured. By default, if unspecified, the MTU is set to a value 70 bytes less than the MTU of the host interface.
-ttl ttl-value
The time-to-live value that is to be used for outgoing packets.
The default value is 64.
-tos tos-value
The value to be placed into the 8-bit Differentiated Services (DS) field in the IP header for all outgoing packets.
The tos-value must be in hexadecimal format in the range of 0x00 - 0xfc.
The upper 6 bits of the DS field constitute the Differentiated Service Code Point (DSCP) field, and the lower 2 bits of the DS field are unused and must be set to 0.
The default value is 0x00.
-udpcsum on|off
This option enables UDP checksum calculation for packets transmitted over IPv4.
By default, it is "off", i.e. the checksum is not calculated.
-udp6zerocsumtx on|off
This option allows disabling UDP checksum calculation for packets transmitted over IPv6.
By default, it is "on", i.e. the checksum is calculated for packets transmitted over IPv6.
-udp6zerocsumrx on|off
This option allows disabling the reception of incoming UDP packets over IPv6 with a zero checksum field.
By default, it is "on", i.e. incoming packets over IPv6 with a zero checksum field are allowed.
-force Causes the command to modify the VXLAN interface without prompting for confirmation.
ERROR MESSAGES
For vxlan -add:
A maximum combined total of only 100 VLAN and VXLAN interfaces can be configured per CLIM.
NSK system is running older version of CIP Subsystem software that does not support VXLAN interfaces.
The specified tenant interface name <tenant-interface-name> is more than 6 characters.
The specified tenant interface <tenant-interface-name> is already configured.
The vxlan interface <tenant-interface-name> with vni <value> is already configured on the host interface <interface-name>.
VXLAN interface cannot be configured in <maintenance-provider-name> provider.
The vni must be an integer value in the range of 1-16777215.
The specified host interface <host-interface> is not configured.
The specified host interface <host-interface> is neither physical nor bonded interface.
The specified host interface <host-interface> has no IP addresses configured.
The specified multicast IP address <ip-address> is invalid.
The specified destination port <port-number> is invalid.
The specified mac address <MAC-address> is invalid.
For a VXLAN interface with IPv4 multicast IP address, the MTU must be at least 50 bytes less than that of its host interface <host-interface>.
For a VXLAN interface with IPv6 multicast IP address, the MTU must be at least 70 bytes less than that of its host interface <host-interface>.
The specified value <value> for <parameter-name> parameter is invalid.
This command is not supported on <clim-mode> CLIM.
The -prov option is not supported for CLIM with SCF MULTIPROV option set to OFF.
The -prov option must be specified for CLIM with SCF MULTIPROV option set to ON.
The specified provider name is invalid; it must not be more than seven characters and must be alpha-numeric characters with the first character being alphabetic.
This command is not supported for the interface <interface-name>.
For vxlan -delete:
The specified VXLAN interface <vxlan-interface> is not configured.
The VXLAN interface <vxlan-interface> is UP; cannot execute this command.
This command is not supported for the interface <interface-name>.
For vxlan -modify:
The specified VXLAN interface <vxlan-interface> is not configured.
The specified mac address <MAC-address> is invalid.
A value within the range 1280 to 9000 must be specified for -mtu option.
The specified MTU <value> is greater than the MTU of the host interface <host-interface>.
For vxlan -info:
The specified VXLAN interface <interface-name> is not configured.
CONSIDERATIONS
As of the L17.02 release, VXLAN is supported only on Gen9 L-Series CLIM(s). It is not supported on Storage and IB CLIM(s).
VXLAN interface cannot be added when the CLIM is in STARTED state and NSK system is running older version of CIP Subsystem software that does not support VLAN and VXLAN interfaces.
Only physical and bonded interface can be specified as host interface.
The host interface must have at least one IP address.
VXLAN interface cannot be configured in maintenance providers (%MAINT and %MPROV).
A maximum combined total of only 100 VLAN and VXLAN interfaces can be configured per CLIM.
Only one VXLAN interface per VNI per host interface is supported on the CLIM.
A VXLAN interface cannot be deleted when it is active (UP).
A MAC address can be modified only for a VXLAN interface that is DOWN (stopped).
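The constraints listed under PARAMETERS, ERROR MESSAGES and CONSIDERATIONS can be checked before a vxlan -add is issued. The following validator is an added example and not part of this manual or of HPE's software; it mirrors the documented rules (name length, naming convention, VNI range, host interface type, multicast address family, 50/70-byte MTU overhead, UDP port, DS field and MAC format) and assumes the caller supplies the host interface MTU.

```python
import ipaddress
import re

# Constraints as documented for climconfig vxlan -add (added validator, not HPE code).
VNI_MIN, VNI_MAX = 1, 16777215
OVERHEAD = {4: 50, 6: 70}        # bytes below the host MTU, by multicast IP family
DEFAULT_DSTPORT = 4789           # IANA-assigned VXLAN port
NAME_RE = re.compile(r"^([eb])(\d+)x([A-Za-z0-9]{1,3})$")  # recommended eNxSTR / bNxSTR
HOSTINTF_RE = re.compile(r"^(eth|bond)\d+$")               # physical or bonded only
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def check_vxlan_add(name, vni, hostintf, multicastip, host_mtu, mtu=None,
                    dstport=DEFAULT_DSTPORT, tos="0x00", macaddr=None):
    """Return the problems with a planned 'climconfig vxlan -add'.

    An empty list means every documented constraint holds. Entries starting
    with 'convention:' only concern the recommended naming convention.
    """
    problems = []
    # Tenant interface name: hard limit of 6 characters; eNxSTR/bNxSTR recommended.
    if len(name) > 6:
        problems.append(f"name {name!r} is more than 6 characters")
    m = NAME_RE.match(name)
    if m is None:
        problems.append(f"convention: {name!r} is not of the form eNxSTR or bNxSTR")
    else:
        implied = ("eth" if m.group(1) == "e" else "bond") + m.group(2)
        if implied != hostintf:
            problems.append(f"convention: {name!r} implies host {implied}, not {hostintf}")
    if not VNI_MIN <= vni <= VNI_MAX:
        problems.append(f"vni {vni} is outside {VNI_MIN}-{VNI_MAX}")
    if not HOSTINTF_RE.match(hostintf):
        problems.append(f"host interface {hostintf!r} is neither physical nor bonded")
    # The multicast address family fixes the encapsulation overhead (IPv4 50, IPv6 70).
    family = None
    try:
        mip = ipaddress.ip_address(multicastip)
        family = mip.version
        if not mip.is_multicast:
            problems.append(f"{multicastip} is not a multicast address")
    except ValueError:
        problems.append(f"multicast IP {multicastip!r} is invalid")
    if family is not None:
        limit = host_mtu - OVERHEAD[family]
        if mtu is None:
            mtu = limit                  # the documented default
        if mtu > limit:
            problems.append(f"mtu {mtu} must be at least {OVERHEAD[family]} "
                            f"bytes below the host MTU {host_mtu}")
    if not 1 <= dstport <= 65535:
        problems.append(f"destination port {dstport} is invalid")
    # DS field: hex 0x00-0xfc; upper 6 bits are DSCP, lower 2 bits must be 0.
    try:
        ds = int(tos, 16)
        if not 0 <= ds <= 0xFC or ds & 0x3:
            problems.append(f"tos {tos} must be 0x00-0xfc with the low 2 bits zero")
    except ValueError:
        problems.append(f"tos {tos!r} is not a hexadecimal value")
    if macaddr is not None and not MAC_RE.match(macaddr):
        problems.append(f"mac address {macaddr!r} is invalid")
    return problems
```

The 1280-9000 MTU range documented under vxlan -modify is deliberately not applied here, since the -add example in this manual uses -mtu 1000.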
EXAMPLES
> CLIMCMD NCLIM001 climconfig vxlan -add e1xzt8 -vni 8 -hostintf eth1 -multicastip ff12::5
-prov ztc7 -dstport 6400 -mtu 1000 -ttl 32 -udpcsum on
> CLIMCMD 100.253.17.2 climconfig vxlan -delete e1xzt8
> CLIMCMD NCLIM001 climconfig vxlan -info e1xzt8
Interface : e1xzt8
Interface Type : VXLAN Interface
VNI : 8
Host Interface : eth1
Multicast IP : ff12::5
MTU Size : 1000
UDP Port : 6400
TTL value : 32
TOS value : Unspecified
UDP Checksum : on
UDP IPv6 Checksum TX : Unspecified
UDP IPv6 Checksum RX : Unspecified
Software MAC Address : Unspecified
> CLIMCMD NCLIM001 climconfig vxlan -info e1xzt8 -obeyform
climconfig vxlan -add e1xzt8 \
-vni 8 \
-hostintf eth1 \
-multicastip ff12::5\
-prov ZTC7\
-dstport 6400\
-mtu 1000
#CLIMCMD expects 'exit' to be the last command.
#This is required to terminate CLIMCMD session.
exit
Termination Info: 0
SEE ALSO
climconfig ip -add, climconfig vlan -add, climstatus -od
climhelp(1) climhelp(1)
NAME
climhelp - displays the list of supported Linux commands for the CLIM
SYNOPSIS
climcmd {clim-name | ipaddress} man climhelp
DESCRIPTION
climhelp displays the list of supported Linux commands for the CLIM. In addition to these commands, standard non-destructive Linux commands such as cat, cd, date, free, grep, less, ls, mkdir, more, wc, who and vmstat are also supported. Destructive Linux commands should not be used, as they may cause failure of the CIP subsystem.
List of supported commands:
arp -a
display the Internet-to-Ethernet address translation tables used by the address resolution protocol
clim
operate, maintain, and assimilate debugging information of the CLIM software
climconfig
configure network, failover, IPSec and SNMP configuration parameters
climstatus
display CLIM specific status information
cmd
command wrapper which executes Linux command on the CLIM and logs it into system log
ethtool <interface-name>
display the ethernet card settings for the given interface
ifconfig
display the status of currently active interfaces
ifconfig <interface-name>
display the status for the given interface
ifconfig -a
display the status of all interfaces, even those that are down
ifstart
inform NonStop host system to start using an interface for all its functionalities
ifstop
inform NonStop host system to stop using an interface for all its functionalities
ip addr show
display all the IP addresses for each of the network interfaces
ip route show
display the contents of the routing tables
ip link show
lists the network interfaces
lunmgr
manage the LUN number assignments that the CLIM uses to communicate with the NonStop host system.
man
find and display reference manual pages
netstat
print network connections, routing tables, masquerade connections, interface statistics and multicast memberships
ping
send ICMP ECHO_REQUEST to network hosts
ping6
send ICMP6 ECHO_REQUEST to network hosts
psclim
show system information about CLIM processes
tcpdump
dump traffic on a network
traceroute
print the route that packets take to the network host
traceroute6
traces path to a network host
NOTES
For details of each command listed above, see the respective man pages.
Examples:
climcmd {clim-name | ipaddress} man climconfig
climcmd {clim-name | ipaddress} man climstatus
climcmd {clim-name | ipaddress} man 8 ifconfig
SEE ALSO
arp(1), arp(8), clim(1), climconfig(1), climstatus(1), cmd(1), ethtool(1), ifconfig(8), ip(1), ip(8), lunmgr(1), man(1), netstat(8), ping(8), ping6(8), psclim(1), tcpdump(8), traceroute(8), traceroute6(8)
climstatus(1) climstatus(1)
NAME
climstatus − displays CLIM specific status information
SYNOPSIS
CLIMCMD {clim-name|ip-address} climstatus [-o option]
CLIMSTATUS DESCRIPTION
climstatus is a program that provides current status information about the active objects on a specific CLIM (see climconfig(1) for information on obtaining the permanent configuration information):
ServerNet
EtherNet, Local Area Network (LAN)
Kernel IP Routing Table
Secondary Storage Devices, Hard Disk Drives (HDD)
IP Security policies and associations
Interface Failover configuration
SNMP Configuration information
climprep configuration information
iptables and ip6tables configuration
climstatus, when invoked, provides status information of all the above-mentioned components by default. However, a user can view status information pertaining to a particular component by providing the -o option to the climstatus command, followed by a character that represents the desired component. The set of characters representing each component is listed under Parameters.
PARAMETERS
This section lists the options that can be used after the -o option.
s
Primarily displays the Interconnect information. It includes the CLIM mode (IP, STORAGE), CLIM model name, SCS status, number of connection points and their fabric location ((X1, Y1) & (X2, Y2)) on NonStop Integrity systems. It includes the mode and state for InfiniBand on NonStop X systems. It also includes the networking, storage and HPTE software versions.
l
Displays the status information pertaining to the Local Area Network (EtherNet) only. Displays information specific to the Network such as the Interface name, type, status, link status, and IP addresses (both IPv4 and IPv6). The LAN information is categorized into three separate classes: Maintenance, Maintenance Provider and Data. The interface "eth0" is the onboard interface that has been reserved as the Maintenance interface and is used for CLIM internal housekeeping activities. The other interfaces are open for normal Data usage.
r
Displays the status information pertaining to the Kernel IP Routing Table. Displays information specific to the Kernel IPv4 routing table such as the Interface name, Destination IP address, Gateway, and Mask. In the case of the Kernel IPv6 routing table, only the Interface name, Destination IP address, and Next Hop information is displayed.
h
Displays the information pertaining to Filesystem Disk space usage on the CLIM. Displays information specific to the Filesystem disk space and usage status, such as name, type, size, used and available amount of space, percentage of used space, and the mount point.
i
Displays the information pertaining to the IPSec, such as security policies and associations.
f
Displays interface failover information.
m
Displays CLIM SNMP information.
c
Displays climprep information. On the NonStop Integrity platform, it displays the location of the CLIM in terms of Group Module Slot Port (GMSP), the name of the NonStop Host to which the CLIM is connected, and the model name of the CLIM. On the NonStop X platform, it displays the node number of the NonStop Host to which the CLIM is connected, the IP addresses of the Infiniband X and Y ports, and the model name of the CLIM.
t
Displays iptables and ip6tables information.
d
Displays the forwarding database of VXLAN interfaces.
ERROR MESSAGES
None.
CONSIDERATIONS
None.
EXAMPLES
> CLIMCMD NCLIM001 climstatus -o d
Data Provider ZTC7 VXLAN Forwarding Database:
VXLAN Interface b0xzt7:
00:00:00:00:00:00 dst 239.1.1.1 via ifindex 4 self permanent
56:f3:67:d8:75:2d dst 10.1.0.2 self
56:f3:67:b9:67:ef dst 10.1.0.3 self
Data Provider ZTC8 VXLAN Forwarding Database:
No forwarding database entries.
> CLIMCMD NCLIM006 climstatus -o s
--------------------------------------------------------------------------------
CLIM Configuration & Status:
Mode..................... IP
Model Name............... Gen9 CLIM with 4-ports 10G copper and 1-port 1G copper
State.................... STARTED
Last Restart Time........ Wed Dec 14 16:07:44 2016
CLIM Hostname............ NCLIM006
Network SW Version....... T0691L03_15FEB2017_DAR_CLIM_D16
Storage SW Version....... T0830L03_15FEB2017_12DEC2016_DAR
CIP SW Version........... T0853L03_15FEB2017_12DEC2016_DAR
Number of Socket Servers. 1
CIP/Linux Version:
Linux 3.16.38-clim-6-amd64 #1 SMP Debian 3.16.38-clim-6 (2016-12-05)
--------------------------------------------------------------------------------
SEE ALSO
climconfig(1)
cmd(1) cmd(1)
NAME
cmd - Command wrapper which executes Linux command on the CLIM and logs it into system log.
DESCRIPTION
Certain native Linux commands issued via CLIMCMD, whether destructive or not, need to be logged into the system log for audit purposes. cmd is the command wrapper used for executing supported Linux commands on the CLIM. The user-entered command is logged in its entirety to the system log, along with its arguments and information on the NonStop user who issued the command. The result of the command, along with the CLIM user information, is written to the system log.
List of supported commands:
rm <file-name>
deletes the given file from the CLIM
Examples:
climcmd {clim-name | ipaddress} cmd rm abc
ifstart(1) ifstart(1)
NAME
ifstart − start an interface
SYNOPSIS
CLIMCMD {clim-name|ip-address} ifstart <interface-name>
IFSTART DESCRIPTION
ifstart allows you to activate an interface if you have stopped the interface using the ifstop command. For all network interfaces (ethernet, ip-over-infiniband, bonding, VLAN, VXLAN and tunnel interfaces), this command activates the specified interface.
PARAMETERS
<interface-name>
Specifies the name of the network interface that is to be started and made available to the NonStop host. The interface name can be specified as a physical or bonded interface name, for example, eth1 or bond0 or ib0, or a tunnel interface (for example, MYTUN) or a VLAN interface name (for example, e1v7) or a VXLAN interface name (for example, b0xzt8).
ERROR MESSAGES
The interface <interface-name> is not configured.
This command is not supported for this interface.
climagt process is not executing.
The interface is already in started state.
The -provider option of CLIMCMD should not be used along with ifstart.
Interface <interface-name> does not exist in the kernel.
Slave interface is not configured for this bonding interface.
CONSIDERATIONS
For a tunnel, VLAN, or VXLAN interface to get started, its associated host interface should be in started state.
EXAMPLES
> CLIMCMD N100241 ifstart eth3
SEE ALSO
ifstop(1), climconfig(1)
ifstop(1) ifstop(1)
NAME
ifstop − stop an interface
SYNOPSIS
CLIMCMD {clim-name|ip-address} ifstop <interface-name> [-force]
IFSTOP DESCRIPTION
Use the ifstop command to deactivate an interface. ifstop brings down the ethernet, ip-over-infiniband, bonding, VLAN, VXLAN and tunnel interfaces and deactivates all the IP addresses and routes associated with the network interface.
PARAMETERS
<interface-name>
Specifies the name of the network interface that is to be stopped and made unavailable to the NonStop host. The interface name can be specified as a physical or bonded interface name, for example, eth1 or bond0 or ib0, or a tunnel interface (for example, MYTUN) or a VLAN interface name (for example, e1v7) or a VXLAN interface name (for example, b0xzt8).
-force
When used without -force option, ifstop prompts for confirmation before stopping the interface. If the -force option is used, ifstop stops the interface without prompting for the confirmation.
ERROR MESSAGES
The interface <interface-name> is not configured.
This command is not supported for this interface.
climagt process is not executing.
climagt not responding for the ifstop request.
The interface is in already in stopped state.
The -provider option of CLIMCMD should not be used along with ifstop.
The interface <interface-name> is not existing in the kernel.
The interface <interface-name> has a tunnel interface associated with it. The tunnel interface should be stopped prior to stopping the specified interface.
The interface <interface-name> has a vlan interface <vlan-interface-name> associated with it, vlan interface should be stopped prior to stopping the specified interface.
The interface <interface-name> has a vxlan interface <vxlan-interface-name> associated with it, vxlan interface should be stopped prior to stopping the specified interface.
CONSIDERATIONS
If there is a tunnel or VLAN or VXLAN interface associated with the specified interface, and if the associated tunnel or VLAN or VXLAN interface is UP, CIP does not allow the interface to be stopped until all the associated interfaces are stopped.
EXAMPLES
> CLIMCMD N100242 ifstop eth3
SEE ALSO
ifstart(1), climconfig(1)
psclim(1) psclim(1)
NAME
psclim − display the status of the CLIM processes
SYNOPSIS
CLIMCMD {clim-name|ip-address} psclim
PSCLIM DESCRIPTION
psclim is a derivation of the 'ps' command. It displays system information about the CLIM processes. The CLIM processes consist of climmon, confsync, climagt and one or more cipssrv. The information displayed consists of process PID, memory used, percentage memory, percentage CPU time, accumulated CPU time, start time, run status, and start command.
PARAMETERS
None
ERROR MESSAGES
None
CONSIDERATIONS
None.
EXAMPLES
CLIMCMD CLIM1:~# psclim
PID RSS %MEM %CPU TIME START STAT CMD
6554 1648 0.0 0.0 00:00:00 14:56 S /usr/local/bin/climmon
6555 2416 0.0 0.0 00:00:00 14:56 S cipssrv --number 0
6570 1174 0.0 0.0 00:00:00 14:56 S confsync
6575 2192 0.0 0.2 00:00:00 14:56 S climagt --number 1
SEE ALSO
ps(1), clim(1), climstatus(1)