Purpose	The Address-Resolution Protocol (ARP) maps IP addresses to MAC addresses in an ARP table. Each network processor in the ARX has its own ARP table. Use the arp command to add a static entry to all ARP tables on the switch.
Mode	cfg
Security Role(s)	network-engineer or crypto-officer
Syntax	arp ip-address mac-address [vlan vlan-id] no arp ip-address   ip-address (for example, 10.125.16.3) is the IP address. mac-address (for example, 12:34:56:78:9a:bc) is the MAC address you are statically mapping to the ip-address. vlan vlan-id (optional; 0-4096) applies the mapping to a single VLAN.
Default(s)	None
Guidelines	The network processors are the ones behind the client/server interfaces, as well as the one behind the out-of-band MGMT interface. Use the show arp command to show all ARP-table entries. Use the clear arp command to clear all dynamic-ARP entries, learned from neighboring equipment.
Samples	bstnA(cfg)# arp 192.168.25.38 11:54:d6:2a:95:f2 adds a static entry to the ARP table.   bstnA(cfg)# arp 10.1.1.159 11:df:45:b3:95:36 vlan 4 adds a static entry to the ARP table and applies it to VLAN 4.   bstnA(cfg)# no arp 172.16.209.55 removes an entry from the ARP table.
Related Commands	show arp clear arp

Purpose	The Address-Resolution Protocol (ARP) maps IP addresses to MAC addresses in an ARP table. Each processor in the ARX has its own ARP table. Use the arp gratuitous command to issue gratuitous ARP entries for a single IP address or all IP addresses on the switch (including virtual IP addresses (VIPs), management IP addresses (MIPs), and proxy IP addresses (XIPs)).
Mode	priv-exec
Security Role(s)	network-technician, network-engineer, storage-engineer, or crypto-officer
Syntax	arp gratuitous {ip-address | yes}   ip-address (0.0.0.0. to 255.255.255.255) is the IP address for which you want to add a gratuitous ARP entry. If there is an error, the system displays the error message on the CLI console. yes specifies to add gratuitous ARP entries for all IP addresses owned by the switch. If there is an error, the system logs the error message (failed GARP) in the syslog.
Default(s)	None.
Guidelines	If you do not enter an IP address or yes at the end of this command, the switch sends a gratuitous ARP for all of its publicly-visible IP addresses (such as VIPs). Before sending all of this traffic, the CLI prompts for confirmation: enter yes to proceed. Use the show arp command to show all ARP-table entries. Use the clear arp command to clear all dynamic-ARP entries, learned from neighboring equipment.
Samples	bstnA# arp gratuitous 192.168.25.38 sends a gratuitous ARP entry for one IP address.   bstnA# arp gratuitous Send a gratuitous ARP for all of this switch's IP addresses? [yes/no] yes sends a gratuitous ARP for all IP addresses on the switch (VIPs, MIPs, and Proxy IPs).   bstnA# arp gratuitous yes also sends gratuitous ARPs for all IPs, but skips the prompt.
Related Commands	show arp clear arp arp

Purpose	The Address-Resolution Protocol (ARP) maps IP addresses to MAC addresses in an ARP table. ARP-table entries are either learned from neighbors (dynamic), set through the CLI (static), or set by internal software (local). Use the clear arp command to clear all dynamic entries form the ARP table.
Mode	priv-exec
Security Role(s)	network-technician, network-engineer, storage-engineer, or crypto-officer
Syntax	clear arp [from slot.processor]   from slot.processor (optional) specifies one module processor. This option is not supported on the ARX-1500, ARX-2500, or ARX-VE. Each network-connected processor (the ones behind the client/server ports and the one behind the MGMT port) has its own ARP table. slot (1-2 for an ARX-4000;1 for all others) is the slot number. processor is the processor number. Use the show processors command to show all processors and their associated slot.processor IDs.
Default(s)	None
Guidelines	Use the show arp command to show all ARP-table entries. Use the arp command to create a static-ARP entry.
Samples	bstnA# clear arp clears all dynamic-ARP entries from the ARX.   bstnA# clear arp from 2.2 clears the dynamic-ARP entries from processor 2.2 only.
Related Commands	show processors show arp arp

Purpose	Administrators can log into the CLI or GUI through the out-of-band (OOB) management interface. Port 1/1 is used as the OOB management interface on the ARX-1500 and ARX-2500. The show interface mgmt stats command shows packet counters for this management interface. On the ARX-1500 or the ARX-2500, you can use the clear counters mgmt command to reset these counters to 0 (zero).
Mode	priv-exec
Security Role(s)	network-technician, network-engineer, storage-engineer, or crypto-officer
Syntax	clear counters mgmt
Default(s)	None
Platforms	ARX-1500 or ARX-2500
Guidelines	Use the show interface mgmt stats command to show all ingress and egress counters for the out-of-band management interface. The ARX-1500 and the ARX-2500 can operate without using port 1/1 as an out-of-band management interface; you can use the no interface mgmt command to designate port 1/1 for client/server traffic instead of management traffic. If the port is not used for out-of-band management statistics, this command is unnecessary. You can use the show interface mgmt command (with or without the stats option) to confirm that port 1/1 is designated as an out-of-band management interface.
Sample	stoweA# clear counters mgmt clears all out-of-band-management counters from the current ARX.
Related Commands	show interface mgmt interface mgmt

Purpose	You can configure one in-band management interface per VLAN. From cfg-if-vlan mode, use the optional description command to create a descriptive string for an in-band-management interface. Use the no form of the command to delete the interface description.
Mode	cfg-if-vlan
Security Role(s)	network-engineer or crypto-officer
Syntax	description text no description   text (up to 128 characters) is your description. Surround the text with quotation marks () if it contains any spaces.
Default(s)	No description
Guidelines	The description appears in the show interface vlan command.
Sample	bstnA(cfg-if-vlan[1])# description management for vlan 1 specifies a description for the in-band-management interface on VLAN 1.
Related Commands	show interface vlan

Purpose	An ARX (except the ARX-VE) can have one out-of-band management interface, on a separate IP network from all clients and servers. From cfg-mgmt mode, use the optional description command to create a descriptive string for the out-of-band management interface. Use the no form of the command to delete the interface description.
Mode	cfg-mgmt
Security Role(s)	network-engineer or crypto-officer
Syntax	description text no description   text (up to 128 characters) is your description. Surround the text with quotation marks () if it contains any spaces.
Default(s)	no description
Platforms	any except ARX-VE
Guidelines	The description appears in the show interface mgmt command.
Sample	bstnA(cfg-mgmt)# description oob management specifies a description for the management interface.
Related Commands	show interface mgmt

Purpose	The out-of-band management port is on the front panel of the ARX, typically labeled MGMT. You configure this as part of the initial-boot process. Use the interface mgmt command to modify the management-interface configuration. On an ARX-1500 or ARX-2500, you can use no interface mgmt to stop using port 1/1 for out-of-band management. You can then use other commands to use the port for client/server traffic.
Mode	cfg
Security Role(s)	network-engineer or crypto-officer
Syntax	interface mgmt no interface mgmt
Default(s)	None.
Platforms	any except ARX-VE
Guidelines	The ARX software keeps a separate IP routing table for its out-of-band management interface; this network is designed to be completely separate and disjoint from any client or server subnets. This interface is designed for installations with a separate subnet exclusively for management use. This command puts you into cfg-mgmt mode, where you can set several configuration parameters for the management interface. Use the ip address (cfg-mgmt) command to change the IP address. Use the description (cfg-mgmt) command to set an optional description for the interface, for show commands. Use the shutdown (cfg-mgmt) command to shut down the interface. To show the configuration of the management interface, use show interface mgmt. To set up an in-band management interface for one or more VLANs, use the interface vlan command. You cannot use no interface mgmt if you are logged into the CLI through the out-of-band management interface; this would abruptly end your CLI session. The CLI also prevents no interface mgmt if the ARX has redundancy configured; on many platforms, this interface is used for important redundancy-related traffic.
Guidelines: ARX-1500 and ARX-2500	On the ARX-1500 and ARX-2500, port 1/1 is set up as the out-of-band management interface by default. For installations with no separate management subnet, you can use the no interface mgmt command to stop using port 1/1 for out-of-band management. You can then edit the port as a standard client/server interface with the interface gigabit 1/1 command.
Guidelines: No Out-of-Band Management on the ARX-VE	The ARX-VE is a Virtual Appliance (VA) that only uses a single VNIC, so it only has an in-band management interface. This command is therefore unavailable in the ARX-VE CLI.
Sample	bstnA(cfg)# interface mgmt bstnA(cfg-mgmt)#
Related Commands	ip address (cfg-mgmt) description (cfg-mgmt) shutdown (cfg-mgmt) show interface mgmt interface vlan

Purpose	You can configure one in-band management interface per supported VLAN. Use the interface vlan command to begin configuring the management interface for a VLAN. Use the no form to remove the in-band-management interface for a VLAN.
Mode	cfg
Security Role(s)	network-engineer or crypto-officer
Syntax	interface vlan vlan-id no interface vlan vlan-id   vlan-id (1-4096) identifies the VLAN. Use the show vlan summary command for a list of all configured VLANs.
Default(s)	None
Guidelines	This command puts you into cfg-if-vlan mode, where you can set several configuration parameters for the in-band management interface. Use the ip address (cfg-if-vlan) command to set the IP address. Use the description (cfg-if-vlan) command to set an optional description for the interface, for show commands. Use the shutdown (cfg-if-vlan) command to shut down the interface. You can re-use this interface as a connection to the switchs redundant peer and/or to multiple switches on the same RON. The redundancy (cfg-if-vlan) command makes the interface eligible for the initial rendezvous with a redundant peer; this command is required for the ARX-1500 and ARX-2500, which use this layer-3 connection for exchanging heartbeats and metalog data. The ron tunnel command enters a sub-mode for configuring a RON tunnel to another ARX. To show the configuration of the management interface, use show interface vlan.
Sample	bstnA(cfg)# interface vlan 9 bstnA(cfg-if-vlan[9])#
Related Commands	show vlan summary ip address (cfg-if-vlan) description (cfg-if-vlan) shutdown (cfg-if-vlan) show interface vlan redundancy (cfg-if-vlan) ron tunnel

Purpose	Administrators can use the in-band management address to log into the CLI or GUI from a client or server VLAN. From cfg-if-vlan mode, use the ip address command to set the address for the current VLANs in-band management interface. Use the no form of this command to remove the IP address and disable the interface.
Important: In a redundant pair of ARXes, the network software uses an in-band (VLAN) management address as a home address for its communication with the quorum-disk. Without an in-band-management address and an ip route to the quorum disk, a failover is impossible. Additionally, any ron tunnels that use this address will fail if you remove it; a shadow-copy-rule depends on RON tunnels to communicate with other ARXes in the network. Use the no form of the command only on the advice of F5 Support.
Mode	cfg-if-vlan
Security Role(s)	network-engineer or crypto-officer
Syntax	ip address address mask no ip address   address is the IP address you choose for the VLAN-management interface (for example, 192.168.108.223). mask defines the network part of the address (for example, 255.255.255.0).
Default(s)	None
Guidelines	An ARX in a redundant pair requires an in-band (VLAN) management address with an IP route to its quorum disk. This is required so that the ARX can reach its quorum disk while in the backup role. Refer to the quorum-disk documentation for more details. Do not delete this address if this ARX has a quorum disk on the current VLAN. A redundant pair of ARX-2500 or ARX-1500 devices requires an in-band (VLAN) management interface for each end of the redundancy link. The redundancy link is the channel (or possibly single link) that connects the redundant ARX devices. The IP address that you assign to the redundancy link (with this command) is used in the peer command when you join the redundant pair. If the current in-band (VLAN) interface is the end point for one or more RON tunnels, those tunnels also depend in this IP address.
Sample	bstnA(cfg-if-vlan[9])# ip address 192.168.25.28 255.255.255.0 sets an in-band management IP for VLAN 9.
Related Commands	interface vlan quorum-disk peer ron tunnel

Purpose	Administrators can use the out-of-band management address to log into the CLI. This is configured as part of the initial-boot process. From cfg-mgmt mode, use the ip address command to change the address for the out-of-band management interface. Use the no form of this command to remove the IP address and disable the interface.
Mode	cfg-mgmt
Security Role(s)	network-engineer or crypto-officer
Syntax	ip address address mask no ip address   address is the IP address you choose for the management interface (for example, 10.1.1.10). mask defines the network part of the address (for example, 255.255.255.0).
Default(s)	None
Platforms	any except ARX-VE
Guidelines	This address must belong to a management network that is entirely distinct from any client subnet (established with virtual server) or the proxy-IP subnet (created by ip proxy-address). The MGMT interface uses a separate IP-routing table; use the ip route ... mgmt command to specify a default route (or any other static route) for the out-of-band management network.
Samples	bstnA(cfg-mgmt)# ip address 10.1.1.7 255.255.255.0 sets an out-of-band management IP for the ARX.   bstnA(cfg-mgmt)# no ip address removes the IP configuration from the out-of-band management interface.
Related Commands	interface mgmt ip route

Purpose	You can create an optional search list of domain names for the ARX to use in its DNS lookups. Whenever the switch needs to perform a DNS lookup for a hostname (for example, fs5), it appends a domain name (for example, mycompany.com) and tries a DNS lookup; on failure, it appends the next domain name in the list; and so on. Use the ip domain-list command to add one domain name to the search list. Use the no form of this command to remove a domain name from the search list.
Mode	cfg
Security Role(s)	network-engineer or crypto-officer
Syntax	ip domain-list name no ip domain-list name   name (1-255 characters) is a name for one local domain (for example, myorg.org).
Default(s)	None
Guidelines	The search list is analogous to the search list in an /etc/resolv.conf file. You can enter this command multiple times, once for each search domain. The search domains are concatenated together, separated by spaces: the total length of this domain list cannot exceed 256 characters. To identify a DNS server, use the ip name-server command. Use the show ip domain command to view the current DNS-lookup configuration.
Samples	bstnA(cfg)# ip domain-list estorage.com bstnA(cfg)# ip domain-list enet.com adds two domain names to the search list. The ARX will try estorage.com first when it looks up short names.   bstnA(cfg)# no ip domain-list enet.com removes one domain name from the search list.
Related Commands	ip name-server show ip domain

Purpose	This command identifies a DNS server that the ARX can use for DNS lookups. You can enter up to three DNS servers. Use the ip name-server command to add a DNS server. Use the no form of this command to remove a DNS server from the list.
Mode	cfg
Security Role(s)	network-engineer or crypto-officer
Syntax	ip name-server ip-address no ip name-server ip-address   ip-address identifies a DNS server (for example, 172.16.98.36). This address must be on the server/proxy-IP subnet (see ip proxy-address) or reachable through a static route (see ip route).
Default(s)	None
Guidelines	You can enter this command multiple times, once for each DNS server; the switch supports a maximum of three. The servers are queried in the order that you enter them. The ARX switches from one DNS server to another if (and only if) the server is unreachable. To support lookups of hostnames (for example, myserver instead of myserver.mycompany.com), you can declare one or more local domains (such as mycompany.com) for the switch with the ip domain-list command. All of the DNS servers should provide service for the same set of networks and domains. Use the show ip domain command to view the current DNS-lookup configuration.
Samples	bstnA(cfg)# ip name-server 192.168.25.201 identifies a DNS server.   bstnA(cfg)# no ip name-server 192.168.25.212 removes one DNS server from the list.
Related Commands	ip proxy-address ip route ip domain-list show ip domain

Purpose	Every NSM processor requires a proxy IP address to communicate with back-end devices. Use the ip proxy-address command to add a range of proxy IPs. Use the no form of the command to remove a range of unused proxy-IP addresses.
Mode	cfg
Security Role(s)	network-engineer or crypto-officer
Syntax	ip proxy-address address mask [vlan vlan-id] [count number] [processor slot.proc] no ip proxy-address address   address is the starting IP address for a range of proxy IPs (for example, 192.168.25.0). mask is the subnet mask (for example, 255.255.255.0). vlan vlan-id (optional, 1-65535) is the VLAN for this subnet, if there is one. Use show vlan summary for a complete list of configured VLANs. count number (optional, 1-64) is the number of contiguous IP addresses to assign to the proxy pool. slot.proc (optional: for example, 1.4) assigns the proxy-IP address to a particular NSM processor. You can only use this option if you specify a single IP.
Default(s)	vlan-id defaults to VLAN 1. number defaults to 1.
Guidelines	You must configure one proxy-IP address per network processor, where the ARX-VE and ARX-500 each have 1, the ARX-1500 has 2, the ARX-2000 has 4, the ARX-2500 has 3 (or 4, depending on the setting for resource-profile), and the ARX-4000 has 12. The proxy IP addresses must all belong to the same subnet, but do not need to be contiguous. You can use this command multiple times to define multiple ranges, as long as there are enough proxy IPs for all of the network processors. Be sure to assign the correct proxy-IP addresses the first time. Once the proxy IP is assigned to an NSM processor, it is difficult to change. To change an assigned proxy IP, you must save your configuration (with the priv-exec copy startup-config command), remove it from the switch (delete startup-config), reboot (reload), edit the saved configuration with the correct proxy-IP addresses, and replay it (that is, copy it and paste it into the CLI). The CLI prompts for confirmation before making any change to the proxy-IP addresses; please examine your proxy-IP change carefully before you enter yes to proceed.
Sample	bstnA(cfg)# ip proxy-address 192.168.25.31 255.255.255.0 vlan 25 count 4 %WARNING: The IP proxy address changes will take effect, and cannot be modified without clearing your startup-config.   The ip proxy-address configuration will be 4 proxy-address(es) starting at IP 192.168.25.31 on VLAN 25.   Continue? [yes/no] yes bstnA(cfg)# ip proxy-address 192.168.25.141 255.255.255.0 vlan 25 count 8 %WARNING: The IP proxy address changes will take effect, and cannot be modified without clearing your startup-config.   The ip proxy-address configuration will be 8 proxy-address(es) starting at IP 192.168.25.141 on VLAN 25.   Continue? [yes/no] yes configures two ranges of proxy-IP addresses, for a total of 12.
Related Commands	show vlan summary

Purpose	Use the ip route command to configure a static IP route. Use the no form of this command to remove a static route.
Mode	cfg
Security Role(s)	network-engineer or crypto-officer
Syntax	ip route ip-subnet ip-mask gateway [distance] [mgmt] no ip route ip-subnet ip-mask gateway [distance] [mgmt]   ip-subnet is the IP address of a remote subnet (for example, 172.16.151.0). ip-mask defines the network part of the subnet (for example, 255.255.255.0). gateway identifies the gateway to the subnet (for example, 192.168.25.1). distance (optional; 1-255) is an arbitrary distance metric; if you configure two routes to the same subnet, the route with the lowest distance is used. mgmt (optional) is a flag that adds the route to a separate routing table for the out-of-band management network. This option is not available on the ARX-VE, which does not have a separate out-of-band management interface. Also, the option does not apply to any ARX-1500 or an ARX-2500 where port 1/1 is being used for client/server traffic.
Default(s)	distance - 128
Guidelines	Configure a static route for every IP subnet with clients or servers that is outside any client subnet (defined by the virtual server command) or the proxy-IP subnet (see ip proxy-address). For a remote client subnet, the next-hop gateway must be in the subnet where their VIP resides. Similarly, a route to a remote server network must go through the proxy-IP subnet. The ARX keeps a separate routing table for the out-of-band management interface. This management interface connects to a separate IP network, and therefore requires a routing table that is tailored to its network. Use the mgmt flag to add or remove a route from this table. The gateways for these routes must be on the management subnet defined by the ip address (cfg-mgmt) command. You can also use multiple static routes to the same destination, each with different next hops. You can use different distance costs with each route to indicate your route preferences. If the ARX has a redundant peer, you can use the critical route command to designate that a route is critical. If a critical route fails, the ARX may fail over to its peer. Use the show ip route command to list all static routes, including the routes in the separate table for management routes.
Samples	bstnA(cfg)# ip route 172.16.231.0 255.255.255.0 192.168.25.1 creates a static route to a client subnet.   bstnA(cfg)# ip route 172.16.231.0 255.255.255.0 192.168.25.2 255 creates another static route to the same subnet. The distance is set very high, so this route would not be chosen unless the gateway fails for the previous route.   bstnA(cfg)# ip route 10.16.10.0 255.255.255.0 10.1.1.1 mgmt creates a static route for the out-of-band management network.   bstnA(cfg)# no ip route 10.16.165.0 255.255.255.0 10.1.1.1 mgmt removes a static route for the out-of-band management network.
Related Commands	virtual server ip proxy-address ip address (cfg-mgmt) show ip route

Purpose	Some installations have a firewall between the ARX and its clients, and require VIPs on multiple client VLANs. In those situations, the ARXs single default route (created with the ip route command) causes the ARX to send all response packets over the default routes VLAN. If that VLAN is not the same as the VIPs VLAN, the firewall may drop the response packet. For example, if there are VIPs on each of VLANs A, B, and C, the single default route can only go over one of those VLANs (for example, VLAN A). Clients from the other VLANs (B and C) would send requests to those VLANs and get responses from VLAN A. If the firewall is connected to each VLAN through different interfaces, the response packet arrives on a different interface than the request packet. A firewall drops such packets, with different source and destination interfaces. To solve this specific problem, on the advice of F5 Support, you can use the ip route ... per-vlan command to make a separate default route for each client VLAN. Use the no form of this command to remove a VLAN-specific-default route.
Mode	cfg
Security Role(s)	network-engineer or crypto-officer
Syntax	ip route 0.0.0.0 0.0.0.0 gateway [distance] per-vlan vlan-id no ip route 0.0.0.0 0.0.0.0 gateway [distance] per-vlan vlan-id   0.0.0.0 0.0.0.0 is the IP subnet and mask for a default route. You cannot define a subnet-specific route on a per-VLAN basis. gateway identifies the gateway to use for this VLAN (for example, 192.168.30.1). distance (optional; 1-255) is an arbitrary distance metric; if you configure two routes to the same subnet, the route with the lowest distance is used. per-vlan vlan-id (0-4096) identifies the VLAN for this default route. You must choose a VLAN that is already defined on the ARX; use show vlan summary for a list of defined VLANs, and use vlan to define a new one.
Default(s)	distance - 128
Platforms	ARX-500, ARX-2000, ARX-4000, and ARX-VE
Guidelines	Use this command only on the advice of F5 Support. A standard ip route has some features (listed below) that are not supported for the per-VLAN route. Because of this routes limitations, the CLI prompts for confirmation before it accepts the per-VLAN route; enter yes to continue. If a client request arrives over a VLAN without a per-VLAN-default route, the response goes over the ARXs default route (defined with the standard ip route command). This command is not available on the ARX-1500 or ARX-2500. The ip route ... source-ip command performs a similar function for those platforms.
Guidelines: Limitations	As mentioned above, this type of default route has several limitations. You cannot create a per-VLAN route to a specific subnet. This is always a default route. You cannot designate a per-VLAN route as a critical route, as you can with a standard IP route. If you lose connectivity to the gateway, the ARX does not fail over to its peer (which may have a better connection). Unlike a standard default route, you are limited to a single gateway for each VLAN. For a standard default route, you can enter multiple ip route commands with different gateways and different values for distance. The ARX attempts to reach the gateway with the lowest distance value and tries a higher-distance gateway if the first is unreachable. This form of the command does not support a distance value, so you cannot establish redundant gateways for the VLANs default route. This type of default route is used only for outbound IP packets where a VIP is the source address. (The virtual server command creates a VIP.)
Samples	bstnA(cfg)# ip route 0.0.0.0 0.0.0.0 192.168.76.1 1 per-vlan 38   This static route overrides the default route for the specified VLAN. The route does not support health checks.   Do you want to continue? [yes/no] yes creates a default route for VLAN 38 with the lowest possible distance metric, 1. Responses to packets from this VLAN go back out over the same VLAN.   prtlndB(cfg)# no ip route 0.0.0.0 0.0.0.0 per-vlan 99   Removing this route will result in the global default route being used for this VLAN.   Do you want to proceed? [yes/no] yes removes the default route for VLAN 99. Responses to packets from this VLAN use the default route designated by the standard ip route command.
Related Commands	ip route ip route ... source-ip show ip route vlan show vlan summary critical route virtual server

Purpose	Some installations have a firewall between the ARX and its clients, and require VIPs on multiple client VLANs. In those situations, the ARXs single default route (created with the ip route command) causes the ARX to send all response packets over the default routes VLAN. If that VLAN is not the same as the VIPs VLAN, the firewall may drop the response packet. For example, if there are VIPs on each of VLANs A, B, and C, the single default route can only go over one of those VLANs (for example, VLAN A). Clients from the other VLANs (B and C) would send requests to those VLANs and get responses from VLAN A. If the firewall is connected to each VLAN through different interfaces, the response packet arrives on a different interface than the request packet. A firewall drops such packets, with different source and destination interfaces. To solve this specific problem on an ARX-1500 or ARX-2500, you can use the ip route ... source-ip command to make a separate default route for each VIP; any packet received at the VIP uses this default route with the same VIP as its source IP. Use the no form of this command to remove a VIP-specific-default route.
Mode	cfg
Security Role(s)	network-engineer or crypto-officer
Syntax	ip route 0.0.0.0 0.0.0.0 gateway [distance] source-ip vip no ip route 0.0.0.0 0.0.0.0 [gateway] [distance] source-ip vip   0.0.0.0 0.0.0.0 is the IP subnet and mask for a default route. You cannot define a subnet-specific route on a per-VIP basis. gateway identifies the gateway to use for this route (for example, 192.168.30.1). distance (optional; 1-255) is an arbitrary distance metric; if you configure two routes to the same subnet, the route with the lowest distance is used. source-ip vip identifies the VIP for this default route. You must choose a VIP that is already defined on the ARX; use show global server for a list of defined VIPs, and use the virtual server command to define a new one.
Default(s)	distance - 128
Platforms	ARX-1500 or ARX-2500
Guidelines	This command only functions on the ARX-1500 or ARX-2500. The ip route ... per-vlan command performs a similar function on all other platforms. If a client request arrives at a VIP without a per-VIP-default route, the response goes over the ARXs default route (defined with the standard ip route command).
Samples	canbyA(cfg)# ip route 0.0.0.0 0.0.0.0 192.168.121.1 1 source-ip 192.168.121.76 creates a default route for VIP 192.168.121.76 with the lowest possible distance metric, 1. Responses to packets from this VIP go back out over the same VIP.   stoweA(cfg)# no ip route 0.0.0.0 0.0.0.0 192.168.90.1 source-ip 192.168.90.29 removes the default route for VIP 192.168.90.29. Responses to packets from this VIP use the default route designated by the standard ip route command.
Related Commands	ip route ip route ... per-vlan show ip route vlan show vlan summary critical route virtual server

Purpose	The ARX can synchronize its internal clock with an external Network Time Protocol (NTP) server. Use the ntp server command to identify an NTP server. Use the no form of this command to disconnect from an NTP server.
Mode	cfg
Security Role(s)	network-engineer or crypto-officer
Syntax	ntp server ip-address [version {3 | 4}] no ntp server ip-address   ip-address (1-128 characters) identifies the external NTP server by its IP address.
Note: Windows Domain Controllers (DCs) support NTP and can be used as NTP servers. You should only use a DC as your NTP server if all the back-end CIFS filers also use the DC in this way.
	version {3 | 4} (optional) is the NTP version to use, NTPv3 or SNTPv4.
Default(s)	version - 4 (SNTPv4)
Guidelines	Use the same NTP servers for the ARX that you use for the back-end filers and front-end clients. For namespace policy it is vital that the ARX is synchronized with the back-end servers; it is also required for installations that use Kerberos. Note that synchronization is more important than time accuracy; if all the servers agree on the wrong time, policy and Kerberos continue to function. The default protocol for external NTP communication is Simple NTP (SNTP) v4, defined in RFC 2030. If you set the version to v3, the switch uses NTPv3 defined in RFC 1305. You can repeat this command to configure up to 8 NTP servers. The switch selects the best server as specified by the NTP protocol. Use show ntp servers to see the current NTP configuration. Use show clock to see the current time/date setting on the ARX. You can set the internal clock manually with the clock set command. If this setting conflicts with NTP-server time, the NTP time overrides the manual setting.
Samples	bstnA(cfg)# ntp server 192.168.25.201 selects an NTP server at 192.168.25.201.   bstnA(cfg)# ntp server 192.168.25.202 version 3 selects another NTP server, but uses NTPv3 to communicate with it.
Related Commands	clock set show ntp servers show clock

Purpose	You can connect two identical ARXes as a redundant pair. To initially join, or rendezvous, each switch communicates over one of its management interfaces. This command makes it possible to use the current in-band (VLAN) management interface as the rendezvous interface. An ARX-1500 or ARX-2500 also use this type of management interface as one end of a redundant-pair link. They use this link to exchange heartbeat messages and metalog data. Use the no form to disallow the current interface from being used for a redundant-pair rendezvous.
Mode	cfg-if-vlan
Security Role(s)	network-engineer or crypto-officer
Syntax	redundancy no redundancy
Default(s)	no redundancy
Platforms	any except ARX-VE
Guidelines	To select this management interface for rendezvous, go to this switchs redundant peer and use the peer command.
Guidelines: ARX-1500 and ARX-2500	As mentioned above, the ARX-1500 or ARX-2500 can also use this management interface as one end of a redundant-pair link. The redundant pair depends on this link for ongoing heartbeats and metalog updates. For the best failover performance in this case, we strongly recommend a gigabit or ten-gigabit connection to the redundant peer. That is, the current VLANs channel (or member) should connect to the redundant peer and have speeds of 1-gigabit or more. We also recommend that the connection be direct (without any intervening bridges or routers), and that the switches are co-located. If the latency is low, an intervening Gigabit L2 switch is permissible. When redundancy is enabled and the ARX-1500 or ARX-2500 is using this interface as a redundant-pair link, the cfg-if-vlan no redundancy command causes the backup peer to reboot. The reboot does not disrupt any storage services, but the ARX peers cannot function as a redundant pair while the link is shut down. Additionally, a quorum-disk failure or disconnection would cause the active peer to reboot, too. If you proceed with removing the link, you should establish a new one as soon as possible: use the redundancy protocol, redundancy protocol (cfg-channel), or this command on another port, channel, or VLAN interface to establish a new redundant-pair link.
Samples	bstnA(cfg-if-vlan[555])# redundancy allows the in-band-management interface on VLAN 555 to be used for redundancy rendezvous.   bstnA(cfg-if-vlan[8])# no redundancy disallows rendezvous for the VLAN-8 interface.
Related Commands	interface vlan peer redundancy protocol redundancy protocol (cfg-channel)

Purpose	Address-Resolution Protocol (ARP) maps IP addresses to MAC addresses. Every network-connected processor on the ARX keeps a separate ARP table with its known IP/MAC entries. Use the show arp command to show one or more ARP tables.
Mode	(any)
Security Role(s)	crypto-officer, storage-engineer, network-engineer, network-technician, or operator
Syntax	show arp [all] show arp from slot.processor [type {dynamic | static | local}]   all (optional) specifies all entries on the switch. from slot.processor (optional) focuses on the ARP table at one processor. This option is not supported on the ARX-1500, ARX-2500, or ARX-VE: slot (1-2 for ARX-4000; 1 for all others) is the slot number. processor is the processor number. Use the show processors command to show all processors on the ARX, along with their associated module name(s) and status. type {dynamic | static | local} (optional, if you use the from clause) selects one type of ARP-table entry, based on how the entry was learned. You must choose one of the following: dynamic - learned from neighboring equipment. static - specified by the arp command. local - set internally by the switch.
Guidelines	Proc is the processor (in slot.processor format). This only appears if you use an option, all or from, on a platform other than the ARX-1500, ARX-2500, or ARX-VE. IP Address and MAC Address are mapped together. If the MAC address is all zeros, the ARX could not find the IP address through ARP; likely the IP address does not exist in this case. VLAN is the VLAN where the IP address was learned or specified. Type is dynamic if the entry was learned from neighboring equipment, static if the entry was specified by the arp command, or local if the entry is defined by the switch software. The summary output (from show arp, without any additional arguments) shows only dynamic-ARP entries. Age (sec) is the time the entry has been in the ARP table, shown in seconds. Use the arp command to create a static ARP entry. Use the clear arp command to clear all dynamic-ARP entries.
Samples	bstnA(cfg)# show arp shows a summary of the ARP-table entries on the switch. This includes only dynamic-ARP entries. See Figure 10.1 for sample output.   bstnA(cfg)# show arp all shows all ARP-table entries from all processors. See Figure 10.2 on page 10-29 for sample output.   bstnA(cfg)# show arp from 1.1 shows the ARP table for processor 1.1 only. See Figure 10.3 on page 10-31 for sample output.   bstnA(cfg)# show arp from 1.1 type local shows the local ARP entries for processor 1.1. See Figure 10.4 on page 10-32 for sample output.   See Figure 10.5 on page 10-32 for sample output on the ARX-2000.
Related Commands	show processors arp clear arp

Purpose	Use the show interface command to show the full configuration for all interfaces. Use show interface summary to see a single status line for each interface.
Mode	(any)
Security Role(s)	crypto-officer, storage-engineer, network-engineer, network-technician, or operator
Syntax	show interface [summary]   summary (optional) reduces the output to a one-line summary for each interface.
Guidelines	The default command, show interface, displays all interface configurations. The output is the same for each individual show command: show interface mgmt, show interface gigabit, show interface vlan, and show ron. The show interface summary command shows the following fields for each interface: Type is mgmt (the out-of-band MGMT interface, if it exists on this chassis), gbe (GigaBit Ethernet, an external port), or 10gbe (ten-Gigabit Ethernet, a faster external port on the ARX-4000). Slot/Port shows the location of the interface. An asterisk (*) indicates that the interface is used as a redundant-pair link. Admin State is Enabled or Disabled (also called shut down), as set by the administrator. To change this, use [no] shutdown in the interfaces configuration mode: see shutdown (cfg-if-gig), shutdown (cfg-if-ten-gig), shutdown (cfg-mgmt), shutdown (cfg-if-vlan), or shutdown (cfg-if-vlan-ron-tnl). If the interface is a member of a channel, its administrative state is controlled by its channel: therefore, this shows Ch n, where n is the channel number. You can use show channel to see the administrative state of a channel. Link Status is the actual state of the interface (up or down). Speed and Duplex are both set by the speed (cfg-if-gig) command.
	Description is set by the description command in the interfaces config mode: description (cfg-mgmt) for fe, description (cfg-if-gig) for gbe, or description (cfg-if-ten-gig) for 10gbe.
Samples	bstnA> show interface shows the configuration of every interface on the current ARX. See Figure 10.6 for sample output.   prtlndA> show interface summary shows summaries of all interfaces on the prtlndA chassis. For sample output, see Figure 10.7 on page 10-40.   canbyA> show interface summary shows summaries of all interfaces on the canbyA chassis, an ARX-1500. For sample output, see Figure 10.8 on page 10-41.
Related Commands	show interface gigabit show interface ten-gigabit show interface mgmt show interface vlan show ron speed (cfg-if-gig) description (cfg-mgmt) description (cfg-if-gig) description (cfg-if-ten-gig)

Purpose	Administrators can log into the CLI or GUI through the out-of-band management interface, typically labeled MGMT. Use the show interface mgmt command to show the configuration and status of the out-of-band management interface.
Mode	(any)
Security Role(s)	crypto-officer, storage-engineer, network-engineer, network-technician, or operator
Syntax	show interface mgmt [stats]   stats (optional) displays statistics for the interface.
Platforms	any except ARX-VE
Guidelines	The default output contains the following fields: Slot is always 1, and Interface is also always 1. The 1/1 interface is the MGMT interface for all platforms. Description is an optional description, set by the description (cfg-mgmt) command. Admin Status shows whether or not the interface is administratively enabled. You can disable (or restart) this interface with the shutdown (cfg-mgmt) command. Link Status is the actual state of the interface (up or down). Speed, Duplex, and Auto Negotiation are all set by the speed (cfg-mgmt) command. MAC Address is the MAC for the MGMT interface. MTU Size shows the Maximum Transmission Unit, or maximum packet size, for this interface. IP Address, and Subnet Mask define the management address and subnet. You can set these with the ip address (cfg-mgmt) command. The stats output is a table of counters, separated into Ingress and Egress counts. These counts restart when the ARX reboots; use the reload command to reboot the ARX. On an ARX-1500 or an ARX-2500, you can use the clear counters mgmt command to clear the stats, without performing a full reboot. Use the show interface vlan command to list all of the VLAN-based in-band management interfaces.
Samples	bstnA# show interface mgmt shows the configuration and status of the out-of-band management interface. See Figure 10.9 for sample output.   bstnA# show interface mgmt stats shows the statistics for the same interface. Sample output appears in Figure 10.10.
Related Commands	description (cfg-mgmt) ip address (cfg-mgmt) speed (cfg-mgmt) shutdown (cfg-mgmt) show interface vlan clear counters mgmt

Purpose	You can configure one in-band-management interface per VLAN. Administrators on the VLAN can log into the CLI through this interface. Use the show interface vlan command to show the configuration for all in-band management interfaces.
Mode	(any)
Security Role(s)	crypto-officer, storage-engineer, network-engineer, network-technician, or operator
Syntax	show interface vlan
Guidelines	Vlan is the VLAN ID for the interface. Admin shows whether or not the interface is administratively enabled. You can disable (or restart) an in-band-management interface with the shutdown (cfg-if-vlan) command. IP Address, and Subnet Mask define the management address and subnet. You can set these with the ip address (cfg-if-vlan) command. Description is an optional description, set by the description (cfg-if-vlan) command. Use the show interface mgmt command to show the configuration for the single out-of-band management interface.
Samples	bstnA(cfg)# show interface vlan shows a summary of configured VLANs. See the sample output below.
Related Commands	description (cfg-if-vlan) ip address (cfg-if-vlan) shutdown (cfg-if-vlan)

Purpose	Use the show ip address command to show configuration details for a Proxy IP, private IP, VIP, or some other IP address on the ARX.
Mode	(any)
Security Role(s)	crypto-officer, storage-engineer, network-engineer, network-technician, or operator
Syntax	show ip address ip-address   ip-address is the desired IP address (for example, 192.168.25.56).
Guidelines	Slot ID shows the location of the module that processes all packets for the address. Processor is the network processor that serves the address. Every IP address is assigned to a single network processor. Use the show processors command to show all processors. Type is any of the following: External is an IP address not owned by the switch, for example, the IP address of a router or a back-end filer. Proxy is a proxy-IP address. Use the show ip proxy-addresses command to show all proxy IPs. VIP is a virtual-IP address. Use the show virtual service command to show all Virtual IPs. management is the out-of-band-management interface. Use the show interface mgmt command to show this interface. VLAN is an in-band (VLAN-based) management interface. Use the show interface vlan command to list these interfaces. MAC Address is the MAC for the IP. VLAN ID is the VLAN for IPs subnet.
Sample	prtlndA(cfg)# show ip address 192.168.74.91   Report for 0.0.0.0 Slot ID :1 Processor :2 Type :VIP MAC Address:00:0a:49:17:b1:c0 VLAN ID :74
Related Commands	show processors show ip proxy-addresses show virtual service show interface mgmt show interface vlan

Purpose	The ARX can perform DNS lookups to translate IP addresses (for example, 172.16.36.55) into FQDNs (for example, www.mycompany.com). Use the show ip domain command to show the current configuration for DNS lookups.
Mode	(any)
Security Role(s)	crypto-officer, storage-engineer, network-engineer, network-technician, or operator
Syntax	show ip domain
Guidelines	Domain List is analogous to the search list in resolv.conf. To edit this, use the ip domain-list command. Name Servers is analogous to the nameserver list in resolv.conf. To edit this, use the ip name-server command.
Sample	bstnA(cfg)# show ip domain   DNS Server Configuration Domain List: wwmed.com medarch.org bigorg.org Name Servers: 192.168.25.201 192.168.25.202 192.168.25.209 shows the current configuration for DNS lookups.
Related Commands	ip domain-list ip name-server

Purpose	Every network processor on the ARX has a proxy IP address, used as a home address for communication with filers and servers on the back end. Use the show ip proxy-addresses command to show all configured proxy IPs.
Mode	(any)
Security Role(s)	crypto-officer, storage-engineer, network-engineer, network-technician, or operator
Syntax	show ip proxy-addresses
Guidelines	This command displays a table of proxy IP addresses, one per row. For a redundant pair of switches, this shows all proxy IPs for both peers. Proxy Address is the IP address. VLAN is the VLAN where the proxy IP resides. MAC Address is the layer-2-MAC address for the proxy IP. Owner is the chassis where the proxy IP was configured. This is relevant in a redundant-switch configuration. In Use By is the chassis that is currently using the proxy IP. In a redundancy failover, the surviving chassis assumes all proxy IPs from the failed chassis. Proc identifies the network processor that is using the proxy IP, in slot.processor format. Use the ip proxy-address command to add a range of proxy-IP addresses.
Samples	bstnA# show ip proxy-addresses See Figure 10.12 on page 10-47 for sample output from a non-redundant peer.   prtlndA# show ip proxy-addresses See Figure 10.12 on page 10-47 for sample output from a redundant peer.
Related Commands	ip proxy-address show processors

Purpose	Use the show ip route command to show the active and static routes on the switch.
Mode	(any)
Security Role(s)	crypto-officer, storage-engineer, network-engineer, network-technician, or operator
Syntax	show ip route [all | from slot.processor | monitor]   all (optional) specifies all routes on the switch. from slot.processor (optional) specifies routes from one network processor. This option is not supported on the ARX-1500, ARX-2500, or ARX-VE: slot (1-2 on an ARX-4000, 1 on any other platform) is the slot number, and processor is the processor number. Use the show processors command to show a complete list of processors. monitor (optional) shows the status of the next-hop gateway, and how the ARX is using it.
Guidelines	Every network processor on the ARX has its own IP-routing table. (In addition to the processors behind the client/server Ethernet ports, this includes processor 1.1 because it connects to the out-of-band network.) The show ip route all command shows the routing tables for all processors. Many routes are common to all processors; duplicate routes are removed from the summary command, show ip route. Use the ip route command to create a static route. All versions of this command except show ip route monitor have the following fields: Proc is the number of the module processor with the static route, in slot.processor format. This only appears if you use an option, all or from, on a platform other than the ARX-1500, ARX-2500, or ARX-VE. Each processor has a separate routing table. Use the show processors command to show a complete list of processors and their slots. Destination/Mask defines the subnet for a route in CIDR format. Gateway is the next-hop router for the route. Cost is the relative cost of this route, weighed against any other routes to the same destination. A lower-cost metric is preferred. Interface is the interface or VLAN that carries packets to this subnet. Mgmt is the out-of-band management interface, labeled MGMT on the front panel. Age is the time (in seconds) that the ARX has been in continuous contact with the Gateway. The ARX uses periodic ARP requests to monitor the gateway while the route is active; the route is declared Offline if it fails to respond to ARPs. Direct means that the route is directly-connected to the interface. Unacquired applies to a per-VLAN-default route (created with ip route ... per-vlan), where the gateway has not yet responded to ARP requests. Static means that the per-VLAN route has responded to an ARP request and is evidently reachable.
Guidelines: show ip route monitor	The show ip route monitor command has similar output to show ip route, but it focuses on the status of the connections. It contains the following fields: Destination/Mask defines the subnet for a route in CIDR format. Type is the general destination for the route. This is either VLAN (indicating a client/server VLAN) or Mgmt (the out-of-band management subnet). Mgmt routes are created with a special flag in the ip route command. Gateway is the next-hop router for the route. Cost is the relative cost of this route, weighed against any other routes to the same destination. A lower-cost metric is preferred.
	Status and Details indicate whether or not this route is in use. If it is, this indicates how the switch uses the next-hop gateway. If not, it indicates the problem. Here are the possible conditions in this field: Up/Current Gateway indicates that the switch uses this route (as opposed to another static route to the same subnet). VLAN/Current Gateway applies to a per-VLAN-default route, created with the ip route ... per-vlan variant of the ip route command. This indicates that VLAN-default route is configured. Up/Backup Gateway is a gateway that is available to reach the subnet, but is not being used because some other, preferred gateway is being used instead. Another route should be in the same output with the same Destination/Mask, a different Gateway, and Status/Details of Up/Current Gateway. If this subnets Current Gateway stops responding to ARP packets, this route is a candidate to take its place. Down/No Reply shows that the gateway is reachable through layer 2 and ICMP, but is not replying to IP packets. Down/Unreachable says that the gateway is not on a reachable subnet. Use ip route to reset the gateway. A gateway to file servers must be on the same subnet as the proxy-IP addresses (show ip proxy-addresses shows all such addresses), a gateway to clients must be on the same subnet as the clients VIP (use show virtual service for a list of all VIPs), and a gateway to stations in the out-of-band (OOB) management network must be in the same subnet as the OOB management address (show interface mgmt).
Samples	bstnA> show ip route lists the static routes on the switch by IP address. See Figure 10.14 on page 10-51 for sample output. For sample output on a different platform, see Figure 10.18 on page 10-53.   bstnA> show ip route monitor displays the current status of all of the above routes. See Figure 10.15 on page 10-51 for sample output. For sample output on a different platform, see Figure 10.19 on page 10-53.   bstnA> show ip route all shows all static routes for all processors on the switch. See Figure 10.16 on page 10-51 for sample output. For sample output on a different platform, see Figure 10.20 on page 10-53.   bstnA> show ip route from 2.1 shows the static routes from processor 1 on module 2 (the NSM, or Data Plane). See Figure 10.17 on page 10-53 for sample output. For sample output on a different platform, see Figure 10.21 on page 10-54.
Related Commands	show processors ip route

Purpose	Use the show ntp servers command to display all configured NTP servers.
Mode	(any)
Security Role(s)	crypto-officer, storage-engineer, network-engineer, network-technician, or operator
Syntax	show ntp servers
Guidelines	This command displays a table of NTP servers. For each server, the table shows a numeric ID, the NTP protocol for the server (3 for NTPv3 or 4 for SNTPv4), the number of seconds between Polls, and the servers IP address. Use the ntp server command to add an NTP server to the list. Use the show clock command to verify that the switch is getting the correct time from the NTP server(s).
Related Commands	ntp server show clock

Purpose	Use the show ntp status command to display operational status for each configured NTP server.
Mode	(any)
Security Role(s)	crypto-officer, storage-engineer, network-engineer, network-technician, or operator
Syntax	show ntp status
Guidelines	This command displays operational status information for each configured NTP server, one row per server. The fields match the output of the pe[er] command on the Unix ntpq program, or ntpq -p on Windows: (tally code) - the one-character tally code, representing the servers current status (see Table 10.1, Tally Codes, on page 57), remote - the remote NTP servers hostname or IP address, refid - the IP address or hostname of the servers reference clock (another NTP server; 0.0.0.0 if unknown), st - the stratum of the server (1-16, where 1 is ideal, 15 is worst, and 16 means unusable), t - the type of the NTP server (local, unicast, multicast, or broadcast) when the last packet was received, when - the time of the last received packet, poll - the number of seconds between polls, reach - the reachability register, in octal, delay - the interval (in milliseconds) to be added to requests that require authentication, offset - the number of milliseconds between the servers clock and the ARX clock, and jitter - the estimated time error of the server clock, measured as an exponential average of RMS time differences.
	Use the show ntp servers command to get a list of all configured NTP servers. Use the show clock command to verify that the switch is getting the correct time from the NTP server(s).
Related Commands	show ntp servers show clock

Table 10.1 Tally Codes

*	sys.peer - The local switch has declared the peer the system peer; the peer lends its variables to the system variables.
o	pps.peer - The peer has been declared the system peer and lends its variables to the system variables. However, the actual system synchronization is derived from a pulse-per-second (PPS) signal, either indirectly via the PPS reference clock driver or directly via kernel interface.
+	candidate - The peer is a survivor and a candidate for the combining algorithm.
#	selected - The peer is a survivor, but not among the first six peers sorted by synchronization distance. If the association is ephemeral, it may be demobilized to conserve resources.
.	excess - The peer is discarded as not among the first ten peers sorted by synchronization distance. It is probably a poor candidate for further consideration.
<Space>	reject - The peer is discarded as unreachable, synchronized to this server (synch loop) or excessive synchronization distance.
x	falsetick - The peer is discarded by the intersection algorithm as a falseticker.
-	outlyer - The clustering algorithm designated the peer as an outlyer and discarded it.

Purpose	From cfg-if-vlan mode, use the shutdown command to shut down the in-band management interface for a VLAN.
Important: In a redundant pair of ARXes, the network software uses an in-band (VLAN) management address as a home address for its communication with the quorum-disk. Without an in-band-management address and an ip route to the quorum disk, a failover is impossible. If this interface has redundancy (cfg-if-vlan) enabled, the shutdown command causes the backup to reboot. Additionally, any ron tunnels that use this address will fail if you shut it down; a shadow-copy-rule depends on RON tunnels to communicate with other ARXes in the network. Use the shutdown command only on the advice of F5 Support.
	Use no shutdown to restart the management interface.
Mode	cfg-if-vlan
Security Role(s)	network-engineer or crypto-officer
Syntax	shutdown no shutdown
Default(s)	shutdown
Guidelines	If you shut down the in-band management interface, administrators are immediately disconnected from the interface. An ARX in a redundant pair has additional issues. A redundant ARX requires an in-band (VLAN) management interface on the same VLAN as its quorum disk. This is required so that the ARX can reach its quorum disk while in the backup role. Refer to the quorum-disk documentation for more details. If this interface has redundancy (cfg-if-vlan) enabled, the interface is even more vital to redundancy; in this case, a shutdown causes the backup ARX to reboot. Do not shut down this interface if this ARX has a quorum disk on the current VLAN or if the interface is used as the redundancy link. If the current in-band (VLAN) interface terminates any Resilient Overlay Network (RON) tunnels, this command shuts down communication with all of them. This could potentially disrupt a shadow-copy rule or management access to another ARX.
Samples	bstnA(cfg-if-vlan[4])# shutdown shuts down the in-band management interface for VLAN 4.   bstnA(cfg-if-vlan[4])# no shutdown restarts the same interface.
Related Commands	interface vlan quorum-disk ron tunnel

Purpose	From cfg-mgmt mode, use the shutdown command to shut down the out-of-band management interface. Use no shutdown to restart the management interface.
Mode	cfg-mgmt
Security Role(s)	network-engineer or crypto-officer
Syntax	shutdown no shutdown
Default(s)	no shutdown: the interface is enabled by default after you go through the initial-boot process.
Platforms	any except ARX-VE
Guidelines	If you shut down the out-of-band management interface, administrators are immediately disconnected from the interface. The ARX-1500 and ARX-2500 use port 1/1 for out-of-band management by default. If you use this command on one of those platforms, you can then dedicate port 1/1 to client/server traffic with the interface gigabit 1/1 command and its sub commands.
Samples	bstnA(cfg-mgmt)# shutdown shuts down the out-of-band management interface.   bstnA(cfg-mgmt)# no shutdown restarts the interface.
Related Commands	interface mgmt

Purpose	From cfg-mgmt mode, use the speed command to set the speed and duplex configuration on the fast Ethernet port for the switchs out-of-band (OOB) management interface.
Mode	cfg-mgmt
Security Role(s)	network-engineer or crypto-officer
Syntax	speed {auto | 100-half | 100-full | 10-half | 10-full | 1000-full}   auto | 100-half | 100-full | 10-half | 10-full | 1000-full is a required choice: auto is auto-negotiate (the default) 10/100 megabits-per-second (mbps), half/full duplex. Makes the port auto-negotiate with its peer. Use this setting to enable MDI/MDIX cross-over on the OOB-management port. 100-half is fast Ethernet, 100 mbps, half duplex. 100-full is fast Ethernet, 100 mbps, full duplex. 10-half is fast Ethernet, 10 mbps, half duplex. 10-full is fast Ethernet, 10 mbps, full duplex. 1000-full is Gigabit Ethernet, 1000 mbps, full duplex.
Default(s)	auto
Platforms	any except ARX-VE
Guidelines	The ARX has one out-of-band management interface labeled MGMT on the front panel of the switch. The MGMT port supports automatic MDI/MDIX cross-over. This feature automatically corrects the polarity of the attached CAT5 cable, regardless if it is a cross-over or straight-through type. However, the port must be set to auto (auto-negotiate enabled). When the port speed/duplex is forced, automatic MDI/MDIX cross-over is disabled, and you must cable the port using standard cross-over or straight-through cabling. That is, connections between switches and/or routers require a crossover cable, and connections between switches/routers to hosts/end-stations require a straight-through cable.
Sample	bstnA(cfg)# interface mgmt bstnA(cfg-mgmt)# speed 100-half For the OOB-management interface, sets the fast Ethernet port speed to 100 mbps and the duplex configuration to half duplex.
Related Commands	interface mgmt show interface mgmt

Purpose	Use the wait-for ip-routes command to wait until all of your configured static routes are operational.
Mode	(any)
Security Role(s)	network-technician, network-engineer, storage-engineer, or crypto-officer
Syntax	wait-for ip-routes [timeout timeout]   timeout (optional, 1-2096) is the timeout value in seconds.
Default(s)	timeout - none, wait indefinitely
Guidelines	This command is useful in CLI scripts. After you have established one or more static routes with the ip route command, you can use the wait-for ip-routes command to wait for all of those routes to come online. This can be useful for CLI scripts, which you can copy onto the switch (with copy ftp, copy scp, copy {nfs|cifs}, or copy tftp), and run. If you set a timeout and it expires before the last static route is up, the command exits with a warning. To interrupt the wait-for ip-routes command, press <Ctrl-C>. You can use the show ip route monitor command to see the current status of all static routes.
Samples	stkbrgA# wait-for ip-routes waits indefinitely for all static routes to come up. The CLI prompt does not return until this command proves that all routes are functional.   stkbrgA# wait-for ip-routes timeout 30 waits up to 30 seconds for all static routes to come up.
Related Commands	ip route show ip route