show datapath

show datapath

acl

ap-name <ap-name> name <acl-name> type <acl-type>

id <id> [verbose]

ip-addr <ip-addr> name <acl-name> type <acl-type>

amsdu tx

application

[<id> | all | ap-name <ap-name> | counters | ip-addr <ip-addr> | verbose]

bridge

[ap-name <ap-name> | counters | ip-addr <ip-addr> | table <macaddr> | verbose]

bwm

[ap-name <ap-name> | ip-addr <ip-addr> | table | type <type-id> {[contract <contract-id>]}]

compression

[<id> | all | counters | verbose]

cp-bwm

[table]

crypto

[<id> | all | counters | verbose]

debug

dma [counters]

eap [counters]
eth1info
memory

memory-usage
opcode
performance [<id> | all | counters | event-guide | verbose]
pkttrace-buffer [log {<number> | all}]

table-limits

tnl-stats
trace-buffer [lines <lines>]
trace-route

dhcp vm-mac

dns-cache

[counters]

dpdk

mempool-stats

ring-stats

dpi

app-category <appcatid>

application <appid>

energy-efficiency

error counters

esi

[table]

exthdr

firewall-agg-sess

[counters]

fqdn

frame

[<id> | all | ap-name <ap-name> | counters | ip-addr <ip-addr> | slot | verbose]

hardware

counters

statistics

heartbeat stats

internal

[dir <dir-name> file <file-name>]

ip-fragment-table

[ipv4 | ipv6]

ip-geolocation

[counters]

ip-mcast

[client <client-mac> | destination | group | station]

ip-reassembly

[counters | ipv4 | ipv6]

ip-reputation

[counters | rtc]

ipfix statistics

ipsec-map

ipv6-mcast

destination

group

station

l3-interface

lag table

maintenance

[counters]

message-queue

[counters]

mobility

discovery-table
home-agent-table
mcast-table
stats

nat

[ap-name <ap-name> | ip-addr <ip-addr> | table]

netdest-id

ap-name <ap-name>

ip-addr <ip-addr>

<id>

network

egress
ingress

nexthop-list

openflow

acl
acl-action-table
auxiliary
session [<A.B.C.D>]
statistics

papi [counters | remote-device-table {counters | ipv6}]

port

[ap-name <ap-name> [table] | ip-addr <ip-addr> [table] | untrusted-vlan <slot/module/port> | vlan-table <slot/module/port>]

rap-bw-resv

ap-name <ap-name> [advanced]
ip-addr <ip-addr> [advanced]

rap-pkt-trace

ap-name <ap-name>
ip-addr <ip-addr>

rap-stats

ap-name <ap-name>
ip-addr <ip-addr>

route

[ap-name <ap-name> | counters | ip-addr <ip-addr> | ipv4 | ipv6 | table | verbose]

route-cache

[ap-name <ap-name> | counters | ip-addr <ip-addr> | ipv4 | ipv6 | table | verbose]

scheduler

interface <slot/module/port>

table

services

session

[ap-name <ap-name> |

counters |

dhcp-perf |

dpi [counters [all | top | uplink-vlan <uplinkvlan>] | table [<A.B.C.D> | appid <app-id>]] |

high-value [user <macaddr>] |

ip-addr <ip-addr> |

ip-classification |

ipv6 [counters | dhcp-perf | dpi [counters [top]] | high-value | perf | {table [<X:X:X:X::X> | appid <app-id>]} | verbose | web-cc [counters | dpi]] |

perf |

session-id <sid> [dpi] |

table [<A.B.C.D>] |

uplink [debug | verbose] |

verbose |

web-cc]

station

[<id> | all | counters | crypto-counters | mac <macaddr> | standby | table | verbose]

tcp

[app <app> | counters | tunnel table]

tunnel

[counters | encaps | heartbeat | ipv4 | ipv6 | station-list | table | tunnel-id <tid> {trusted-vlan | untrusted-vlan} | verbose]

tunnel-group

user

[<id> | all | ap-name <ap-name> | counters | ip-addr <ip-addr> | ipv4 | ipv6 | rad-counters | standby | table | verbose]

utilization

vlan

[ap-name <ap-name> | ip-addr <ip-addr> | pvst | table]

vlan-mcast

[ap-name <ap-name> | ip-addr <ip-addr> | table]

wan-hc

[<id> | all | counters | verbose]

web-cc

[counters]

wifi-reassembly

[<id> | all | counters | verbose]

wmm

[counters]

Description

Displays system statistics for the managed device.

Syntax

Parameter

Description

acl

Displays datapath ACL entries.

ap-name <ap-name>

Specify the name of the AP.

id <id-name> [verbose]

Displays datapath statistics associated with a specified ACL. The ACL index is found in the show rights command.

The allowed range is 1–2703.

ip-addr <ip-addr>

Specify the IP address of the AP.

name <acl-name>

Specify the name of the ACL.

type <acl-type>

Specify the ACL type.

0 - session-based; 1 - role-based

amsdu tx

Shows datapath AMSDU TX queue statistics

application

Shows datapath application statistics. By default, it provides combined statistics of all CPUs.

<id>

Shows datapath application statistics by specified CPU ID. Valid platform CPU range may vary.

all

Shows datapath application statistics for all CPUs, one by one.

ap-name <ap-name>

Specify the name of the AP.

counters

Shows application counters and errors generated by applications running on a particular AP. These include stateful firewall application layer statistics.

ip-addr <ip-addr>

Specify the IP address of the AP.

verbose

Shows datapath application statistics in detail.

bridge

Shows bridge table entry statistics including MAC address, VLAN, assigned VLAN, destination, and flag information for an AP.

ap-name <ap-name>

Specify the name of the AP. Shows MAC address, VLAN, assigned VLANs, destination, and flags information.

counters

Shows datapath bridge table statistics such as current entries, high water mark, maximum entries, total entries, allocation failures, and max link length.

devices

Shows datapath bridge devices.

ip-addr <ip-addr>

Specify the IP address of the AP. Shows MAC address, VLAN, assigned VLANs, destination, and flags information.

table <macaddr>

Displays the current high, maximum, and total number of bridge table entries for the Aruba controller.

verbose

Displays datapath bridge details in a tabular format.

bwm

Displays the following bandwidth management table entry statistics:

Type: Indicates whether the contract is a control plane DoS contract (0), a contract configured through the bandwidth management WebUI or CLI interfaces (1), or a contract for multicast traffic generated by the controller (2).

Cont ID: An ID number unique to each contract.

Rate: Contract traffic rate, in 256-byte packets per second.

Policed: The number of packets dropped because the policy was applied.

Avail Credits: This value is the (contract rate) per 32, and is used for internal debugging purposes.

Queued Pkts/Bytes: Number of bytes or packets currently being queued.

Flags: Flags applied to the contract.

CPU: A value in this column indicates that the traffic passed through the slowpath CPU, and is used for internal debugging purposes.

Status: Indicates if the bandwidth contract is successfully applied.

ap-name <ap-name>

View a bandwidth contract for a specific AP.

ip-addr <ip-addr>

View a bandwidth contract for an AP with the specified IP address.

table

Displays a table of all configured bandwidth contracts.

type <type-id>

Displays only bandwidth contracts of a specific type (0, 1, or 2).

contract <contract-id>

Displays the bandwidth contracts for the specified contract id.

compression

Displays datapath compression statistics. By default, the combined statistics of all CPUs are shown.

<id>

Shows datapath compression statistics by specified CPU ID. Valid platform CPU range may vary.

all

Shows datapath compression statistics for all CPUs, one by one.

counters

Shows datapath compression counters or statistics.

verbose

Shows datapath compression statistics in detail.

cp-bwm

Displays the data path CP bandwidth management table information.

table

Displays the datapath CP bandwidth management table entries.

crypto

Displays crypto parameter statistics including crypto, IPsec, PPTP, WEP, TKIP, AESCCM encryption and decryptions, WEP CRC, crypto hardware, XSEC, 802.1X, and L2TP information.

<id>

Shows datapath crypto statistics by specified CPU ID. Valid platform CPU range may vary.

all

Shows datapath crypto statistics for all CPUs, one by one.

counters

Shows datapath crypto counters or statistics.

verbose

Shows datapath crypto statistics in detail.

debug

Displays datapath debug details. These are low-level datapath details.

dma [counters]

DMA statistics are displayed.

eap [counters]

EAP termination statistics are displayed.

eth1info

Displays IPv4 fragment table statistics.

memory

Displays SOS memory statistics.

memory-usage

Displays datapath memory used.

opcode

Displays datapath debugging information.

NOTE: Use this command only under the supervision of Aruba technical support.

 

performance

Displays datapath debug performance statistics including the SUM or CPU, addr, and description.

<id>

Displays datapath performance counters by specified CPU ID.

all

Displays datapath debug performance for all CPUs.

counters

Displays datapath performance counters.

event-guide

Displays the following events:

COP0

L3 Cache

NAE-RX

NAE-TX events (by register index 0-4)

verbose

Displays debug performance statistics including: SUM or CPU, address, description, value, and difference from last show.

pkttrace-buffer

[log {<number> | all}]

Shows the datapath packet trace buffer from log file, either as number of lines from the end or as complete packet trace log.

table-limits

Displays the datapath table upper limits.

tnl-stats [<id> | all | counters | verbose]

Displays the Wi-Fi Tunnel Stats Exported to CP debug.

trace-buffer [lines <lines>]

Shows the datapath trace buffer, by number of lines from the end of log.

trace-route

Shows datapath route or cache tracing.

dhcp vm-mac

Shows datapath DHCP-related information; datapath VM to host client MAC mapping.

dns-cache [counters]

Displays DNS cache statistics.

dpdk

mempool-stats

ring-stats

Data Plane Development Kit.

mempool-stats—Shows datapath DPDK memory pool statistics.

ring-stats—Shows datapath DPDK ring statistics.

dpi

app-category <appcatid> application <appid>

Displays the DPI application default ports. Specify the application Group ID or the application ID.

energy-efficiency

Displays the energy efficiency statistics.

error

Displays datapath error statistics or counters.

counters

Shows datapath errors including SUM, CPU, Address, and description information.

The output counters include, but are not limited to, the following:

BPDUs Received

VOQ retries

Invalid IP headers Received

IKE Throttle

VOQ retries

Ipv4 Firewall Denied Frames

Ipv6 Firewall Denied Frames

IP Reassembly Failures

Invalid IP headers Received

Dot1Q Discards

Dot1d Discards

Drop cache frames

AESCCM Encryption Station Not Ready

AESCCM Decryption Failures

AESCCM Decryption Invalid Replay Co

esi [table]

Displays the contents of the datapath ESI server table entries including server, IP, MAC, destination, VLAN, type, session and flag information.

exthdr

Displays the datapath default IPv6 Extended Header Map.

firewall-agg-sess

Displays the datapath firewall aggregated sessions table.

counters

Displays the datapath aggregate session statistics.

fqdn

Displays datapath FQDN entries.

frame

Displays frame statistics that are received and transmitted from the data path of the controller.

Several output fields include the following descriptions:

Descr failures: This is the number of times a packet descriptor was not available and the packet dropped.

Dot1Q Discards: The number of packets received on a trunk port where the VLAN presented did not match any configured on the controller and the packet dropped.

Dot1d Discards: Spanning tree is disabled and each BPDU frame is counted and dropped.

Denied Frames: Frames that are denied by the data path of the ACL for the controller.

See the Example section for a complete list of output.

<id>

Displays datapath frame statistics by specified CPU ID. Valid platform CPU range may vary.

all

Displays datapath frame statistics for all CPUs, one by one.

ap-name <ap-name> [counters]

Name of the AP. The counters parameter is optional.

counters

Displays datapath frame statistics.

ip-addr <ip-addr> [counters]

IP address of the AP. The counters parameter is optional.

slot

Displays datapath combined frame statistics of all CPUs, including slot specific section.

verbose

Displays datapath frame statistics in detail.

hardware

Displays datapath hardware counters or hardware packet statistics information.

counters

Displays hardware counters.

statistics

Displays Hardware packet statistics.

heartbeat stats

Displays Sibyte heartbeat packet stats.

internal

Displays internal details.

dir <dir-name>

Specify the hardware directory.

file <file-name>

Specify the file in the directory.

ip-fragment-table

Displays ip-fragment statistics including CPU, current entries, high water mark, max, total, and aged entries.

ipv4

Displays IPv4 fragment statistics.

ipv6

Displays IPv6 fragment statistics.

ip-geolocation

Datapath IP geolocation table entries.

counters

Displays IP geolocation statistics.

ip-mcast

Displays the Datapath IP Multicast Entries table statistics.

client <client-mac>

Datapath Layer 3 groups for specified client.

destination

Datapath tunnel and port membership.

group

Datapath Layer 3 groups.

station

Datapath station membership.

ip-reassembly

Displays the contents of the IP Reassembly statistics tables.

counters

IP reassembly counters.

ipv4

Displays the IPv4 contents of the IP Reassembly statistics table.

ipv6

Displays the IPv6 contents of the IP Reassembly statistics table.

ip-reputation

Datapath IP reputation table entries.

counters

Displays IP reputation statistics.

rtc

Displays IP reputation real time cache.

ipfix statistics

Displays datapath IPFIX collection statistics.

ipsec-map

Displays datapath IPsec map details.

ipv6-mcast

Displays the datapath IP multicast table statistics.

destination

Displays the IPv6 tunnel and port membership.

group

Displays the IPv6 multicast group.

station

Displays the IPv6 station membership.

l3-interface

Displays datapath Layer 3 interface table.

lag table

Displays contents of the datapath LAG or port channel table.

maintenance [counters]

Displays datapath maintenance statistics.

message-queue [counters]

Displays statistics of messages received by a CPU from other datapath CPUs (only CPUs that receive messages and non-zero statistics are shown).

The datapath SOS message queue statistics by CPU IDs and Opcode are displayed.

mobility

Displays datapath IP mobility information.

discovery-table

Displays the discovery count table that is used to keep track of per client home agent discovery.

home-agent-table

Displays the datapath HA table information.

mcast-table

Displays the mobility multicast-group table that is used to flood the multicast RA traffic to the roamed clients.

stats

Displays the statistics of the datapath mobility.

nat

Displays the contents of the datapath NAT entries table. It displays NAT pools as configured in the datapath. Statistics include pool, SITP start, SIP end and DIP.

ap-name <ap-name> [table]

Specify the name of AP.

ip-addr <ip-addr> [table]

Specify the IP address of the AP.

table

Shows the datapath NAT table entries.

netdest-id

ap-name <ap-name>

ip-addr <ip-addr>

<id>

Shows the datapath ACL netdestination table for AP name, IP address of AP, or ID.

network {egress | ingress}

Displays egress or ingress queue counters.

The network egress output includes, but is not limited to, the following fields:

CPU

DP High Prio

Network High Prio

The network ingress output includes, but is not limited to, the following fields:

LIFO Queue

Threshold count

Empty Count

Threshold Recovery

Empty Recovery

nexthop-list

Displays the following types of information about the datapath for packets routed to next-hop devices.

SOS Dest: Unique datapath identifier for each next-hop list

NhIdx: Unique identifier for each next-hop list

NhVer: Internally generated number used to synchronize the next-hop and session tables.

openflow

Displays the datapath OpenFlow information.

acl

Displays the datapath OpenFlow ACL table and actions.

acl-action-table

Displays the OpenFlow ACL action table.

auxiliary

Displays the datapath OpenFlow auxiliary channel information.

session [<A.B.C.D>]

Displays the datapath OpenFlow session table and actions. You can optionally filter the sessions based on the IP address.

statistics

Displays the OpenFlow statistics in datapath.

papi

Displays the datapath PAPI statistics.

counters

Displays datapath PAPIProcess Application Programming Interface. PAPI controls channels for ARM and Wireless Intrusion Detection System (WIDS) communication to the master controller. A separate PAPI control channel connects to the local controller where the SSID tunnels terminate. counters including: SUM or CPUCentral Processing Unit. A CPU is an electronic circuitry in a computer for processing instructions., addr, description, and value.

remote-device-table [ipv6]

Displays the remote device table maintained in the datapath that contains PAPIProcess Application Programming Interface. PAPI controls channels for ARM and Wireless Intrusion Detection System (WIDS) communication to the master controller. A separate PAPI control channel connects to the local controller where the SSID tunnels terminate. entries for IPv6 devices.

port

Displays the datapath port table information. This includes the port number, PVID, Ingress ACLAccess Control List. ACL is a common way of restricting certain types of traffic on a physical port., Egress ACLAccess Control List. ACL is a common way of restricting certain types of traffic on a physical port., Session ACLAccess Control List. ACL is a common way of restricting certain types of traffic on a physical port., and the following flags:

B: Blocked by the Spanning Tree protocol

L: LSG

M: Tunneled node

Q: Trunk

T: Trusted

X: xSec

Z: QinQ

ap-name <ap-name> [table]

Specify the name of the AP. Shows the datapath port table entries for the specified AP.

ip-addr <ip-addr> [table]

Specify the IP address of the AP. Shows the datapath port table entries for the specified IP.

untrusted-vlan <slot>/<module>/<port>

Shows if there are untrusted VLAN entries for the indicated slot, module, and port.

vlan-table <slot>/<module>/<port>

Shows datapath port-vlan table session entries for the specified slot, module, and port.

rap-bw-resv

ap-name <ap-name> [advanced]

ip-addr <ip-addr> [advanced]

Displays the remote AP uplink BW reservation statistics of the Remote AP only. Specify the AP or IP address with the advanced parameter for Advanced Debugging Options.

rap-pkt-trace

ap-name <ap-name>

ip-addr <ip-addr>

Specify the name of the Remote AP. Displays the remote AP packet-trace statistics of only the specified Remote AP.

rap-stats

ap-name <ap-name>

ip-addr <ip-addr>

Specify the name of the Remote AP. Displays the remote AP statistics of only the specified Remote AP.

route

Displays datapath route table statistics.

The output of the command includes the following fields:

Route table entries

IP

Mask

Gateway

Cost

VLAN

Flags

IPv6 Route table entries

Prefix

Gateway

Cost

VLAN

Flags

ap-name <ap-name>

[counters | table | verbose]

Specify the name of the AP.

counters

Displays route table statistics such as current entries, high water mark, maximum entries, total entries, allocation failures and max link length.

ip-addr <ip-addr>

[counters | table | verbose]

Specify the IP address of the AP.

ipv4

Displays datapath IPv4 routing table.

ipv6

Displays datapath IPv6 routing table.

table

Displays route table entries such as IP, mask, gateway, cost, VLAN and flags.

verbose

Displays all detailed route table entries including IP, mask, gateway, cost, VLAN, flags, Internal VerNum Index.

route-cache

Displays datapath route cache table statistics.

ap-name <ap-name>

[counters | table | verbose]

Specify the name of the AP.

counters

Displays route cache table statistics such as current entries, high water mark, maximum entries, total entries, allocation failures and max link length.

ip-addr <ip-addr>

[counters | table | verbose]

Specify the IP address.

ipv4

Displays datapath IPv4 route cache.

ipv6

Displays datapath IPv6 route cache.

table

Displays route cache table entries such as IP, mask, gateway, cost, VLAN and flags.

verbose

Displays all detailed route cache table entries including IP, mask, gateway, cost, VLAN, flags, Internal VerNum Index.

scheduler

interface <slot/module/port>

table

Displays the datapath scheduler table. Specify the interface for scheduler output in the slot/module/port format.

services

Displays the datapath services table statistics including protocol, port and service.

session

Displays datapath session statistics. The command output includes, but is not limited to, the following fields:

Source IP

Destination IP

SPort

DPort

Prio

ToS

Age

Destination

TAge

Packets

Bytes

ap-name <ap-name>

[counters | table [<A.B.C.D>]]

Specify the name of the AP. The counters and table parameters are optional.

counters

Displays counters statistics including current entries, high water mark, maximum entries, total entries, current maximum link length, maximum link length, stale entries, aged entries, and pending delete entries.

dhcp-perf

Displays the performance details of datapath DHCP sessions.

dpi

[counters [all | top | uplink-vlan <uplinkvlan>]]

Displays Deep Packet Information for this session. The counters parameter is optional.

The output includes, but is not limited to, the following fields:

AclVersion: Stores the current version number of the ACL that is used at session creation time; used for troubleshooting purposes.

PktsDpi: The number of packets sent to the DPI engine for a given session.

AceIdx: The index of the Access List entry (in a given ACL) that triggered a match during session creation.

DpiTIdx: An index to the DPI engine Tbl; used only for troubleshooting purposes.

high-value

Shows high-value session statistics.

ip-addr <ip-addr>

[counters | table [<A.B.C.D>]]

Specify the IP address of the AP. The counters and table parameters are optional.

ip-classification

Displays IP reputation or geolocation information for the session.

ipv6

counters | dhcp-perf |

dpi [counters [top] | high-value | perf |

table [<X:X:X:X::X>] | appid <app-id>]

table <X:X:X:X::X>

verbose |

web-cc [counters | dpi]

Displays datapath IPv6 session entries and statistics including current entries, high water mark, maximum entries, total entries, allocation failures, duplicate entries, cross linked entries, number of reverse entries and maximum link length.

perf

Displays the performance monitored for each datapath session.

session-id <sid> [dpi]

Displays datapath session FIB for a given session index. The optional dpi parameter displays the deep packet information for the session.

table [<A.B.C.D>]

Displays all the IP flows of a wireless device or Aruba AP. Statistics include table entries such as source IP, destination IP, protocol, SPort, DPort, Cntr, priority, ToS, age, destination, TAge and flags.

uplink

Displays statistics of datapath session with uplink VLAN.

verbose

Displays additional information about the session that can be used by technical support for debugging purposes.

The command output includes, but is not limited to, the following additional fields:

SIDX

SRTI

SRCI

UsrIdx

UsrVer

AclVer

NhIdx

NhVer

web-cc

Displays web-content category information about the session. The output of this command includes, but is not limited to, the following data columns:

WebCCRep: Reputation score (integer). To see the reputation type associated with that particular score, issue the command show web-cc reputation.

WebCCID: Web content category ID. To see the name of the category associated with that category ID, issue the command show web-cc category.

WebCCURL: URL for that session entry.

station

Displays datapath station association table statistics.

<id>

Shows datapath station statistics by specified CPU id. Valid platform CPU range may vary.

all

Shows datapath station for all CPUs, one by one.

counters

Displays the current and high water mark number of 802.11 associated wireless devices on a controller. Values output from this command represent the water-marks since the last boot of the controller. This is the same value obtainable from the Num Associations output from the show stm connectivity command.

crypto-counters

Displays datapath station crypto counters or statistics.

mac <macaddr>

Specify the hardware address, in hexadecimal format (48-bit, station's MAC address). Shows the datapath station association with a specific MAC.

standby

Shows datapath station associated as standby.

table

Shows datapath station associations.

verbose

Shows the datapath station detail.

tcp

Displays contents of the tcp tunnel table. This command displays all TCP tunnels that are terminated by the controller.

app <app> [counters]

Specify the name of the application.

counters

Displays the TCP tunnel statistics.

tunnel table

Displays the TCP tunnel table entries.

This command displays the Datapath Station Table Statistics details.

Displays all associated wireless devices on the controller with their corresponding AP BSSID and VLAN ID.

Displays whether the wireless device is associated with the correct encryption type (if the device is associated to an AP BSSID that has encryption enabled) and verifies whether the controller is having a problem decrypting the wireless device’s frames.

tunnel

Displays contents of the datapath tunnel table. This command displays all the tunnels that are terminated by the controller, including the GRE tunnels of Aruba AP. For example, a GRE tunnel is created and terminated on the Aruba controller for every SSID or BSSID configured on the Aruba AP.

The output of the command includes, but is not limited to, the following fields:

Source

Destination

Port

Type

MTU

VLAN

ACLs

BSSID

Decaps

Encaps

Heartbeats

Flags

Encap Bytes

Decap Bytes

counters

Shows tunnel counters or statistics.

encaps

Shows datapath encapsulation statistics verbose.

heartbeat

Displays the datapath heartbeat tunnel details.

ipv4

Displays the TCP tunnel table filtered on IPv4 entries.

ipv6 [encaps | verbose]

Displays the TCP tunnel table filtered on IPv6 entries. The encaps or verbose parameter is optional.

station-list

Displays the list of stations on the tunnel.

table

Tunnel table statistics.

tunnel-id <tid>

[trusted-vlan | untrusted-vlan]

Displays datapath tunnel FIB for given tunnel index.

Displays the list of trusted and untrusted VLANs.

verbose

Shows datapath tunnel internal detail.

tunnel-group

Displays the tunnel group, active status and members.

user

Displays datapath user statistics such as current entries, pending deletes, high water mark, maximum entries, total entries, allocation failures, invalid users and maximum link length.

<id>

Shows datapath user statistics by specified CPU id. Valid platform CPU range may vary.

all

Shows datapath user table for all CPUs.

ap-name <ap-name> [counters | table]

Specify the name of the AP.

counters

User counters.

ip-addr <ip-addr> [counters | table]

Specify the IP address of the AP.

ipv4

Displays datapath IPv4 user entries and statistics such as current entries, pending deletes, high water mark, maximum entries, total entries, allocation failures, invalid users, and maximum link length.

ipv6

Displays datapath IPv6 user entries and statistics such as current entries, pending deletes, high water mark, maximum entries, total entries, allocation failures, invalid users, and maximum link length.

table

User table statistics.

verbose

Shows datapath user table detail.

utilization

Displays the current CPU utilization of datapath CPUs by CPU ID.

The output of the command includes CPU ID and CPU utilization during the past 1 sec, 4 sec, and 64 sec.

vlan

Displays VLAN table information such as VLAN memberships inside the datapath including Layer 2 tunnels which tunnel L2 traffic.

The output fields of the command are as follows:

VLAN

Flags

Ingress RACL

Ports

ap-name <ap-name> [table]

Specify the name of the AP. Shows the datapath VLAN details.

ip-addr <ip-address> [table]

Specify the IP address of the AP. Shows the datapath VLAN details.

pvst

Displays the datapath VLAN table entries.

table

Displays VLAN number, flag, port and datapath VLAN multicast entries.

vlan-mcast

Displays the datapath VLAN multicast table. The output of this command displays the datapath VLAN Multicast entries for the following fields:

VLAN

Destinations

ap-name <ap-name> [table]

Specify the name of the AP. Displays the datapath VLAN multicast table for the specific AP.

ip-addr <ip-addr> [table]

Specify the IP address of the AP. Displays the datapath VLAN multicast table for the specific IP address.

table

Displays datapath VLAN Multicast table entries.

wan-hc

Displays datapath WAN health check statistics. By default, combined statistics of all CPUs are shown.

<id>

Displays datapath WAN health check statistics by specified CPU ID. Valid platform CPU range may vary.

all

Displays datapath WAN health check statistics for all CPUs.

counters

Displays datapath WAN health check counters or statistics.

verbose

Displays datapath WAN health check detail.

web-cc [counters]

Displays web content classification table information. The output of this command includes, but is not limited to, the following data columns:

Rep

ContentID

TTL

Age

Include the optional counters parameter to display the maximum number of entries allowed in the web content category table.

wifi-reassembly

Displays Wi-FiWi-Fi is a technology that allows electronic devices to connect to a WLAN network, mainly using the 2.4 GHz and 5 GHz radio bands. Wi-Fi can apply to products that use any 802.11 standard. reassembly counters including CPUCentral Processing Unit. A CPU is an electronic circuitry in a computer for processing instructions., current entries, high water-mark, maximum entries, total entries, and allocation failures.

<id>

Displays Wi-FiWi-Fi is a technology that allows electronic devices to connect to a WLAN network, mainly using the 2.4 GHz and 5 GHz radio bands. Wi-Fi can apply to products that use any 802.11 standard. reassembly statistics by specified CPUCentral Processing Unit. A CPU is an electronic circuitry in a computer for processing instructions. ID. Valid platform CPUCentral Processing Unit. A CPU is an electronic circuitry in a computer for processing instructions. range may vary.

all

Displays Wi-Fi reassembly statistics for all CPUs, one by one.

counters

Displays Wi-Fi reassembly counters or statistics.

verbose

Displays Wi-Fi reassembly detail.

wmm [counters]

Displays VOIP statistics, including the number of uplink and downlink resets.

Usage Guidelines

Use the show datapath command to display various datapath statistics for debugging purposes.

MTU guidelines

Since MTU discovery is not enforced between an AP and standby controller in a HA setup, the value of the MTU to be passed through the tunnel is not updated.

The size of the MTU can be set to 9000, depending on the network link and AP configuration.

In case of a heartbeat tunnel, unanswered larger frames for MTU discovery are counted as heartbeat misses.

Example

The following example displays information on network specific ingress-queue counters:

+-----+-----+---------------------------------+---------+---------+-----+---------+--------+

| | | | | | | | |

|NAE |LIFO | Description |Packets |Threshold|Empty|Threshold|Empty |

|Block|Queue| |Received |count |Count|Recovery |Recovery|

| | | | | | | | |

+-----+-----+---------------------------------+---------+---------+-----+---------+--------+

| 0| 0|ARP, HTTP(CAP), DHCP,DNS,NTP,SNMP| 61221| 0| 0| 0| 0|

| 0| 1|Default queue | 432106| 0| 0| 0| 0|

| 0| 2|GRE (HB) | 0| 0| 0| 0| 0|

| 0| 3|IP Fragments | 0| 0| 0| 0| 0|

| 0| 4|SYSLOG | 0| 0| 0| 0| 0|

| 0| 5|TFTP, FTP, SSH, TELNET, HTTP | 4060| 0| 0| 0| 0|

| 0| 6|PVST, xSTP, VRRP, LACP | 291690| 0| 0| 0| 0|

| 0| 7|PAPI, CFGM | 0| 0| 0| 0| 0|

| 0| 8|SIP, PPTP, L2TP, IKE | 134| 0| 0| 0| 0|

+-----+-----+---------------------------------+---------+---------+-----+---------+--------+

The output parameters of the show datapath network ingress command are explained in the following table:

Output Parameter

Description

LIFO Queue

The number of the queue.

NOTE: Packets ingressing the controller toward the NAE pass through one of 9 queues. Each queue holds a maximum of 1000 packets at any one time, which are taken from the queue by the NAE for forwarding.

NOTE: The number of packets that each LIFO queue can hold is platform-specific and different for each queue. For example, 780 for Default queue 1 on 7000 Series Controllers and 1580 on 7200 Series Controllers.

Description

The type of traffic assigned to the queue.

Packets received

The aggregate number of packets received since clearing the queues or restarting the controller.

Threshold Count

The number of times the input queue is below the built-in threshold value. Threshold counts are caused by Input queue congestion where the queue is depleted below the threshold value.

Empty Count

The number of times the Input queue is empty. Empty queue counts are caused by Input queue congestion where the queue is empty without any free descriptors.

Threshold Recovery

The number of times the Input queue is below the built-in threshold value, but recovered to a number above the threshold value.

NOTE: In a stable system, the Threshold Recovery and Threshold Count will match.

Empty Recovery

The number of times the Input queue has recovered from empty to a normal condition to a built-in low threshold. In a stable system, the Empty Recovery and Empty Count will match.
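The stability rule in the table above (Threshold Count matches Threshold Recovery, and Empty Count matches Empty Recovery) can be checked mechanically against captured output. The following Python is an added example, not part of the product or its documentation; the function names are hypothetical and the non-zero counter values in the sample are constructed.

```python
"""Flag ingress queues whose congestion events have not recovered."""

# Constructed sample in the layout of the ingress-queue example on this page.
# The non-zero threshold/empty values on queues 1 and 3 are made up.
SAMPLE = """\
+-----+-----+---------------------------------+---------+---------+-----+---------+--------+
|NAE  |LIFO | Description                     |Packets  |Threshold|Empty|Threshold|Empty   |
|Block|Queue|                                 |Received |count    |Count|Recovery |Recovery|
+-----+-----+---------------------------------+---------+---------+-----+---------+--------+
|    0|    0|ARP, HTTP(CAP), DHCP,DNS,NTP,SNMP|    61221|        0|    0|        0|       0|
|    0|    1|Default queue                    |   432106|       14|    2|       14|       1|
|    0|    2|GRE (HB)                         |        0|        0|    0|        0|       0|
|    0|    3|IP Fragments                     |    90210|        7|    0|        5|       0|
|    0|    8|SIP, PPTP, L2TP, IKE             |      134|        0|    0|        0|       0|
+-----+-----+---------------------------------+---------+---------+-----+---------+--------+
"""

FIELDS = ("nae_block", "lifo_queue", "description", "packets_received",
          "threshold_count", "empty_count", "threshold_recovery", "empty_recovery")


def parse_ingress(text):
    """Return one dict per data row; borders, headers and spacers are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue                      # border line, prompt or blank
        if not line.endswith("|"):
            line += "|"                   # tolerate a border character lost in capture
        cells = [c.strip() for c in line.split("|")[1:-1]]
        if len(cells) != len(FIELDS):
            continue
        numeric = cells[:2] + cells[3:]   # every column except Description
        if not all(c.isdigit() for c in numeric):
            continue                      # header or spacer row
        row = {"description": cells[2]}
        for name, cell in zip(FIELDS, cells):
            if name != "description":
                row[name] = int(cell)
        rows.append(row)
    return rows


def unrecovered(rows):
    """List (queue, description, threshold gap, empty gap) where a Count
    and its Recovery counter differ, i.e. the queue is not in the stable
    state the table describes."""
    findings = []
    for r in rows:
        t_gap = r["threshold_count"] - r["threshold_recovery"]
        e_gap = r["empty_count"] - r["empty_recovery"]
        if t_gap or e_gap:
            findings.append((r["lifo_queue"], r["description"], t_gap, e_gap))
    return findings


if __name__ == "__main__":
    for queue, desc, t_gap, e_gap in unrecovered(parse_ingress(SAMPLE)):
        print(f"queue {queue} ({desc}): threshold gap {t_gap}, empty gap {e_gap}")
```
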

The following example displays the discovery count table that keeps track of per client home agent discovery:

(host) [mynode] #show datapath mobility discovery-table

Datapath Mobility Discovery Count Table

-------------------------------------------------

Index Valid Version Retry# No-Response Ack Mac Vlan

------- ------ ------- ------ ----------- ------ -------------- -----

1 1 2 1 a 0 10:78:D2:FA:7D:38 74

The following example displays the datapath HA table information:

(host) [mynode] #show datapath mobility home-agent-table

Datapath Mobility Home Agent Table

----------------------------------

Switch IP

---------------

10.16.19.14

10.16.19.140

The execution of the following command displays the mobility multicast-group table that floods the multicast RA traffic to the roaming clients:

(host) [mynode] #show datapath mobility mcast-table

The following example displays the statistics of the datapath mobility:

(host) [mynode] #show datapath mobility stats

Datapath Mobility Stats

Mcast group entry alloc errors : 0

Frames flooded over MMG (@HA) : 0

Frames subjected to MMG (@FA) : 0

Frames sent to roamed clients : 0

HA Discovery failure to notify NACK : 0

HA Discovery invalid DCT : 0

HA Discovery DCT allocation failed : 0

HA Discovery Probes sent : 0

HA Discovery NULL bridge entry in DCT : 0

HA Discovery failed to start : 0

HA Discovery successfully started : 0

HAT insert failure : 0

HAT insert success : 0

HAT delete failure : 0

HAT delete success : 0

The following example displays the mobility multicast VLAN table information:

(host) [mynode] #show ip mobile multicast-vlan-table

Mobility Multicast Vlan Table

-----------------------------

Client MAC Home vlan Current vlan

---------- --------- ------------

40:2C:F4:36:16:07 501 501

The following example displays a list of tunnels.

(host) [mynode] #show datapath tunnel

+----+-------+-----------------------------------------------------+

|SUM/| | | |

|CPU | Addr | Description Value |

+----+-------+-----------------------------------------------------+

| | | |

| G | [000] | Current Entries 10 |

| G | [002] | High Water Mark 12 |

| G | [003] | Maximum Entries 24576 |

| G | [004] | Total Entries 12 |

| G | [006] | Max link length 1 |

+----+-------+-----------------------------------------------------+

Datapath Tunnel Table Entries

-----------------------------

Flags: E - Ether encap, I - Wi-Fi encap, R - Wired tunnel, F - IP fragment OK

W - WEP, K - TKIP, A - AESCCM, G - AESGCM, M - no mcast src filtering

S - Single encrypt, U - Untagged, X - Tunneled node, 1(cert-id) - 802.1X Term-PEAP

2(cert-id) - 802.1X Term-TLS, T - Trusted, L - No looping, d - Drop Bcast/Unknown Mcast,

D - Decrypt tunnel, a - Reduce ARP packets in the air, e - EAPOL only

C - Prohibit new calls, P - Permanent, m - Convert multicast

n - Convert RAs to unicast(VLAN Pooling/L3 Mobility enabled), s - Split tunnel

V - enforce user vlan(open clients only), x - Striping IP, z - Datazone

H - Standby (HA-Lite), u - Cluster UAC tunnel, b - Active AAC tunnel, t - Cluster s-AAC tunnel

c- IP Compression, g - PAN GlobalProtect Tunnel, w - Tunneled Node Heartbeat

# Source Destination Prt Type MTU VLAN Acls BSSID

------ -------------- -------------- --- ---- ---- ---- ----------------------- -----------------

12 SPI01972200 in 10.17.41.82 50 IPSE 1500 0 routeDest 0000 0

11 SPIFC376400out 10.17.65.115 50 IPSE 1500 0 routeDest 0001 0

Decaps Encaps Heartbeats Flags EncapKBytes DecapKBytes

---------- ---------- ---------- --------------- ------------- -----------

6602 0 T 0 0

0 4376 T 0 0

The following example displays output of L2 GRE Tunnel Interface.

(host) [mynode] #show datapath tunnel ipv6

Datapath Tunnel Table Entries

-----------------------------

Flags: E - Ether encap, I - Wi-Fi encap, R - Wired tunnel, F - IP fragment OK

W - WEP, K - TKIP, A - AESCCM, M - no mcast src filtering

S - Single encrypt, U - Untagged, X - MUX, 1 - 802.1X Term

T - Trusted, L - No looping, d - Drop Bcast/Unknown Mcast, D - Decrypt tunnel

a - Reduce ARP packets in the air, e - EAPOL only

C - Prohibit new calls, P - Permanent, m - Convert multicast,

n - Convert RAs to unicast(VLAN Pooling/L3 Mobility enabled), V - enforce user vlan(open clients only), z - Datazone

H - Standby (HA-Lite), u - Cluster UAC tunnel, b - Active AAC tunnel, t - Cluster s-AAC tunnel

w - Tunneled Node Heartbeat, l - Tunneled Node user tunnel

B - Cluster A-SAC Mcast, G - Cluster S-SAC Mcast, Y - Convert BC/MC to Unicast

# Source Destination Prt Type MTU VLAN Acls BSSID

------ ------------- -------------------- --- ---- ---- ---- ------- -----------------

16 2046:eab::25 2047:eab::25 47 0 1280 0 0 00:00:00:00:00:00

Decaps Encaps Heartbeats Flags

--------- --------- ----------- -----

119209 25535 28873 TEFPR

The following example displays the tunnel statistics.

(host) [mynode] #show datapath tunnel counters

+----+------+-----------------------------------------------------+

|SUM/| | | |

|CPU | Addr | Description Value |

+----+------+-----------------------------------------------------+

| | [00] | Tunnel FIB forwarded 38437 |

| | [02] | GRE Encap drop 221 |

| | [03] | GRE Encap fallback to session 1237276789 |

| | [04] | Tunnel FIB stale 1176392 |

+----+------+-----------------------------------------------------+

| | | |

| G | [00] | Current Entries 9366 |

| G | [02] | High Water Mark 9703 |

| G | [03] | Maximum Entries 98304 |

| G | [04] | Total Entries 2876603 |

| G | [06] | Max link length 7 |

| G | [07] | Current Tunnel FIB 1 |

| G | [08] | Tunnel FIB recompute 1176170 |

+----+------+-----------------------------------------------------+

The output parameters of the show datapath tunnel counters command are explained in the following table:

Output Parameter

Description

Current Entries

Number of tunnels that are active in the system.

Pending Deletes

Number of tunnel entries that are marked to be deleted.

High Water Mark

Maximum number of active entries recorded under Current Entries.

Maximum Entries

Maximum number of tunnel entries that can be supported by the platform.

Total Entries

Total number of tunnel entries in the system.

Allocation Failures

Total number of tunnel entry allocation failures.

Max Link Length

Indicates the length of the linked list that has the maximum length in the hash table.

Current Tunnel FIB

Number of tunnel FIB entries that are recomputed and have a valid session entry and route cache entry.

Tunnel FIB Recompute

Number of invalid tunnel FIB entries for which tunnel FIB is recomputed.

Tunnel FIB forwarded

Number of packets that are forwarded through tunnel.

Tunnel FIB Egress Not Unicast

Number of packets whose bridge entry is not found or whose egress destination is not unicast.

GRE Encap drop

Number of packets that are dropped due to various reasons such as destination is not a tunnel, tunnel is not valid, packet length exceeded the allowed MTU, and so on.

GRE Encap fallback to session

Number of packets that are not permitted to be directly forwarded using tunnel FIB, but rather have to fall back to the session-route processing in the pipeline.

Tunnel FIB stale

Number of tunnel FIB entries that are invalid due to invalid session or tunnel version number not matching the session version number.

The following example displays a partial list of crypto parameter statistics.

(host) [mynode] #show datapath crypto counters

+----+-------+-----------------------------------------------------+

|SUM/| | | |

|CPU | Addr | Description Value |

+----+-------+-----------------------------------------------------+

| | [000] | Crypto Requests Total 25751 |

| | [002] | Crypto Response received 25751 |

| | [034] | IPSec drops UDP encap NATT port mis 60 |

| | [153] | RSA Requests 9 |

| | [155] | RSA Response received 9 |

+----+-------+-----------------------------------------------------+

| | | |

| G | [001] | Crypto Cores In Use 4 |

| G | [014] | DOT1X Term Buffers 4096 |

| G | [015] | DOT1X Term Buffers Free 4096 |

+----+-------+-----------------------------------------------------+

| G | [000] | Crypto Accelerator Present TRUE |

+----+-------+-----------------------------------------------------+

The following parameters appear in the output of the show datapath crypto counters command, and are useful for debugging purposes.

Parameter

Description

Crypto BadNPlus

Indicates a queue overrun in the output of the encryption circuit.

Crypto SendNPlusFailed

Indicates a queue overrun in the input of the encryption circuit.

IPSec Frag Failures

This counter increments when the AP detects a failure to fragment a frame before or after IPsec encryption.

IPSec Invalid Length

The inbound IPsec frame length is verified before and after decryption. If the frame length is found to be incorrect, this counter is incremented.

IKE Rate

When the managed device firewall receives a UDP packet, it determines if the packet is destined for an IKE (500) or IPsec_NATT (4500) port. This counter increments when the AP receives an initial IKE packet that has an 8-byte responder cookie defined as all 0s.

The following example displays the output of the show datapath frame and show datapath frame counters commands.

(host) [mynode] #show datapath frame

+----+------+-----------------------------------------------------+

|SUM/| | | |

|CPU | Addr | Description Value |

+----+------+-----------------------------------------------------+

| | [00] | Allocated Frames 7068 |

| | [01] | Max Allocated Frames 7391 |

| | [03] | Unknown Unicast 6117 |

| | [10] | IP Reassembled Datagrams 9310 |

| | [14] | IP Reassembly Failures 15791 |

| | [36] | Flood Frames 948757 |

| | [60] | VOQ retries 536 |

+----+------+-----------------------------------------------------+

| | | |

| G | [00] | BPDUs Received 948910 |

+----+------+-----------------------------------------------------+

 

(host) [mynode] #show datapath frame counters

+----+------+-----------------------------------------------------+

|SUM/| | | |

|CPU | Addr | Description Value |

+----+------+-----------------------------------------------------+

| | [00] | Rx Frames 29033086 |

| | [01] | Rx Bytes 812728150 |

| | [02] | Tx Frames 3515809 |

| | [21] | Ipv4 VPN Denied Frames 6 |

| | [27] | Ipv4 Firewall Denied Frames 1 |

| | [36] | Dot1d Discards 313 |

+----+------+-----------------------------------------------------+

 

The following table describes some important output parameters of the show datapath frame and show datapath frame counters commands:

Output Parameter

Description

Allocated Frames

Statically pre-allocated frames (for handling data-traffic) and dynamically allocated frames (for internal control-traffic).

Max Allocated Frames

Max watermark of Allocated Frames.

TX Underrun

Hardware counter if MAC was fetching packet data while packet is being transmitted.

TX Max Collision-Late Abort

Hardware counter if packet transmission was aborted due to maximum collision count exceeded (10 or 100 modes only) or a late abort.

Frame Denied L2-GRE Loop

Packets where Ingress and Egress are same (Enabled for Mobility feature only).

Unknown Unicast

Unknown dest-mac counter.

IPv6 Unknown Unicast

Unknown Unicast for IPv6 ethtype.

IP Datagrams Fragmented

IP datagrams fragmented when packet-length is greater than Tunnel MTU (Tunnel can be between controllers or controller and AP).

WIFI AMSDU

Wi-Fi A-MSDU frames received from Wi-Fi clients.

WIFI AMSDU Aggregated

A-MSDU frames sent by controller to Wi-Fi clients.

Runts Received

Packet length is less than minimum header length.

Station Not Data Ready

Packets received by a controller from the APs or Stations before they got provisioned.

Station Inactive

Packets received by a controller from the APs or Stations after they were inactive.

 

Association Throttle

Drops of APs or Stations Associate coming at high rate (e.g., during failover).

IKE Throttle

Drops of IKE packets coming at high rate.

IPv6 NA Spoofs

IPv6 Network Advertisement spoofs.

IPv6 NS Spoofs

IPv6 Network Solicitation spoofs.

EOP zero frames

Zero length frames.

CP Policed Frames

Packets bound to Control plane from Data plane dropped.

Seqno request failure

Wi-Fi Sequence no. request failed.

Heartbeats sent to SP

Tunnel Heartbeats punted to Slowpath (due to route-cache miss, etc.)

Heartbeats dropped by FP

Tunnel Heartbeats dropped in data plane.

POE descriptor freed

Internal counter

CP Enqueue Buffer Alloc Failure

Buffer allocation failures while sending packets to Control plane.

VOQ retries

Virtual Output Queues are packet exchanges between any two entities (CPU or Hardware offload engines) that have failed due to there not being any available credits. Packets are scheduled to be retried at a later point in time.

Seqno responses sent

The sequence number sent in response to sequence number requests used in Wi-Fi frames.

Dot1Q Discards

The Dot1Q discard counter may increase as a result of the following:

1. An incoming frame's VLAN does not match a port's configured VLAN.

2. A trunk port is not a member of the received frame's VLAN and the received frame is not an STP BPDU, CISCO BPDU or an LACP PDU.

3. A received frame has three or more stacked (QnQ tagged) VLANs.

4. A received frame contains more than one VLAN tag, however the expected number of VLAN tags is one.

5. An untagged access port is not a member of the VLAN in the received frame.

6. A station has sent a tagged VLAN frame.

7. A received LLDP frame has no multicast destination.

8. A received frame has no multicast destination in the VLAN group.

Dot1D Discards

The Dot1d discard counter may increase as a result of the following:

1. If a port is in STP blocking state, then received frames are dropped.

2. A tagged frame is received on an untagged port and dropped.

3. Received frame length is less than (Ethernet + VLAN) header length.

4. Frames that have been dropped due to bridge filtering.

5. Port has MUX flag set but NULL egress destination.

6. Frame drop either if destined for non-tunnel or to port channel or destination tunnel with no multicast configured.

7. Dropped frames addressed to BPDU MACs but not configured in the bridge table.

8. Dropped unexpected frames.

When the counter value is zero, the output parameter line is not displayed.

Some of the other output parameters that could be part of the show datapath frame command are as follows:

IP Fragmentation Failures

IP Jumbo Fragmentation Failures

IP Jumbo IPSec Encrption Failures

IP Reassembled Datagrams

IP Reassembly overlaps

IP Reassembly PAPI Failures

IP Reassembly PAPI

IP Reassembly Failures

IPv6 Datagrams Fragmented

IPv6 Fragmentation Failures

IPv6 Reassembled Datagrams

IPv6 Reassembly overlaps

Invalid IP headers Received

Invalid IPv6 headers Received

Too Many IPv6 Ext. Hdrs Received

xSec Frames Re-Assembled

xSec Re-Assembly Failures

Flood Frames

Flood Frames Peak Value

ARP Request Spoofs

ARP Reply Spoofs

Gratuitous ARP Spoofs

IP spoofs

CPU based seqno resp

Frame Length Failure

Packet send failed and will be retried later

Invalid Tail Room DDMO

Invalid mcast entry

Jumbo Wi-Fi Frames

Invalid ingress frames

Invalid egress frames

Invalid opcode

Invalid Port

Invalid Slot

Invalid ACL

Jumbo discards

Jumbo recvd

Jumbo xmits

Jumbo drops

Jumbo wire to wireless drops

Jumbo xmits Failures

Jumbo drops [Non Jumbo Port]

Jumbo drops [Wireless client]

Flooded Jumbo Frames

Buffer Alloc Failure

NAE Transmit Failure

Total queued BWM packets

Excessive ARP Requests

Drops - DPI enforcement

Drops - WEB CC enforcement

IPv6 Vlan Discards

Drops - Wireless client garps
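Because a counter line is not displayed while its value is zero, comparing two captures of show datapath frame output has to treat a missing line as 0. The following Python is an added example, not vendor code: the function names are hypothetical, the labels in WATCH are taken from the parameter lists on this page and assumed to match the output text, and both captures (including address [41]) are constructed.

```python
"""Diff two captures of 'show datapath frame' for spoof/reassembly counters."""
import re

# Row layout: | <G or blank> | [addr] | <description> <value> |
ROW = re.compile(r"^\|\s*G?\s*\|\s*\[\d+\]\s*\|\s*(.+?)\s+([^\s|]+)\s*\|?\s*$")

# Counter names listed on this page that point at spoofing, fragment abuse
# or control-plane pressure (assumed to match the output labels exactly).
WATCH = ("ARP Request Spoofs", "ARP Reply Spoofs", "Gratuitous ARP Spoofs",
         "IP spoofs", "IPv6 NA Spoofs", "IPv6 NS Spoofs",
         "IP Reassembly Failures", "IP Reassembly overlaps",
         "IKE Throttle", "Association Throttle", "CP Policed Frames")

# Constructed captures, taken some time apart.
BEFORE = """\
+----+------+-----------------------------------------------------+
|CPU | Addr | Description Value |
+----+------+-----------------------------------------------------+
| | [00] | Allocated Frames 7068 |
| | [14] | IP Reassembly Failures 15791 |
| | [36] | Flood Frames 948757 |
| G | [00] | BPDUs Received 948910 |
"""

AFTER = """\
+----+------+-----------------------------------------------------+
|CPU | Addr | Description Value |
+----+------+-----------------------------------------------------+
| | [00] | Allocated Frames 7102 |
| | [14] | IP Reassembly Failures 15820 |
| | [36] | Flood Frames 950001 |
| | [41] | ARP Reply Spoofs 37 |
| G | [00] | BPDUs Received 949400 |
"""


def parse_counters(text):
    """Return {description: value} for rows whose value is an integer."""
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(2).isdigit():      # skips TRUE/FALSE style values
            counters[m.group(1)] = int(m.group(2))
    return counters


def deltas(before, after, watch=WATCH):
    """Return {name: increase} for watched counters that grew.

    A name missing from a capture counts as 0, since zero-valued lines are
    not displayed. Assumption: a value lower than before means the counters
    were cleared or the controller restarted, so the old value is taken as 0.
    """
    changed = {}
    for name in watch:
        old, new = before.get(name, 0), after.get(name, 0)
        if new < old:
            old = 0
        if new > old:
            changed[name] = new - old
    return changed


if __name__ == "__main__":
    for name, inc in deltas(parse_counters(BEFORE), parse_counters(AFTER)).items():
        print(f"{name}: +{inc}")
```
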

The following is an example of the show datapath compression command output:

+----+------+-----------------------------------------------------+
|SUM/|      |                                         |           |
|CPU | Addr | Description                                   Value |
+----+------+-----------------------------------------------------+
|    | [00] | Compression Engine Present                     True |
|    | [01] | Comp Response received                          150 |
|    | [02] | Comp Response failed                              0 |
|    | [03] | Decomp Requests                                  80 |
|    | [04] | Decomp Response received                         80 |
|    | [05] | Decomp Requests queued                           75 |
| G  | [06] | Compression Engine Total                          4 |
+----+------+-----------------------------------------------------+

When the counter value is zero, the output parameter line is not displayed.

The following example displays the output of the show datapath bwm table command:

(host) [mynode] #show datapath bwm table

Datapath Bandwidth Management Table Entries
-------------------------------------------
Contract Types :
   0 - CP Dos 1 - Configured contracts 2 - Internal contracts
------------------------------------------------
Flags: Q - No drop, P - No shape(Only Policed),
       T - Auto tuned
--------------------------------------------------------------------
Rate: pps - Packets-per-second (256 byte packets), bps - Bits-per-second
--------------------------------------------------------------------
     Cont                      Avail   Queued/Pkts
Type Id   Rate      Policed    Credits Bytes       Flags   CPU     Status
---- ---- --------- ---------- ------- ----------- ------- ------- ------
0    1    9792 pps  0          306     0/0                 9       ALLOCATED
0    2    3936 pps  0          123     0/0                 9       ALLOCATED
0    3    65536 pps 0          2047    0/0                 9       ALLOCATED
0    4    3936 pps  0          123     0/0                 9       ALLOCATED
0    5    992 pps   0          31      0/0                 9       ALLOCATED
0    6    992 pps   0          31      0/0                 9       ALLOCATED
0    7    992 pps   0          31      0/0                 9       ALLOCATED
0    8    512 pps   0          16      0/0                 9       ALLOCATED
0    9    3936 pps  0          123     0/0                 9       ALLOCATED
0    10   1984 pps  0          62      0/0                 9       ALLOCATED
1    1    5 Mbps    0          19532   0/0                 17      ALLOCATED

If the Policed counter is non-zero, excessive traffic of that type has been dropped to avoid saturating the Control Plane, which could otherwise result in a DoS condition.

The following table describes contract IDs 1-10 and the corresponding firewall parameters:

Contract ID  Contract Description                                                                                        Firewall Parameter
1            Rate limit Control-Plane-bound untrusted unicast packets. It is used to limit Web CC traffic to CP.         untrusted-ucast
2            Rate limit Control-Plane-bound untrusted multicast packets. It limits ACL logging, packet capture traffic.  untrusted-mcast
3            Rate limit Control-Plane-bound trusted unicast packets.                                                     trusted-ucast
4            Rate limit Control-Plane-bound trusted multicast packets.                                                   trusted-mcast
5            Rate limit Control-Plane-bound routed packets.                                                              route
6            Rate limit Control-Plane-bound GRE control-plane session mirrored packets.                                  sessmir
7            Rate limit Control-Plane-bound authentication-related packets.                                              auth
8            Rate limit Control-Plane-bound VRRP protocol packets.                                                       vrrp
9            Rate limit Control-Plane-bound ARP protocol packets.                                                        arp-traffic
10           Rate limit Control-Plane-bound other Layer-2 or bridging packets - Non-ARP traffic.                         l2-other
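
The Policed check described above, as an added example that is not part of the ArubaOS documentation: a Python parser for show datapath bwm table output that reports CP DoS contracts (type 0) with a non-zero Policed counter, together with the firewall parameter from the contract table. The sample rows are constructed (the Policed values for contracts 7 and 9 and the T flag were set for illustration), and the function names are hypothetical.

```python
import re

# Contract IDs 1-10 (type 0, CP DoS) -> firewall parameter, per the contract table.
CP_DOS_PARAMS = {
    1: "untrusted-ucast", 2: "untrusted-mcast", 3: "trusted-ucast",
    4: "trusted-mcast", 5: "route", 6: "sessmir", 7: "auth",
    8: "vrrp", 9: "arp-traffic", 10: "l2-other",
}

# Type, Id, Rate (value + unit), Policed, Credits, Queued/Pkts, optional Flags, CPU, Status.
ROW = re.compile(
    r"^\s*(?P<type>\d+)\s+(?P<id>\d+)\s+(?P<rate>\d+)\s+(?P<unit>\w+)\s+"
    r"(?P<policed>\d+)\s+(?P<credits>\d+)\s+(?P<queued>\d+/\d+)\s+"
    r"(?:(?P<flags>[QPT]+)\s+)?(?P<cpu>\d+)\s+(?P<status>[A-Z]+)\s*$"
)

# Constructed sample in the layout shown above; not captured from a real device.
SAMPLE = """\
Type Id   Rate      Policed    Credits Bytes       Flags   CPU     Status
---- ---- --------- ---------- ------- ----------- ------- ------- ------
0    1    9792 pps  0          306     0/0                 9       ALLOCATED
0    7    992 pps   1840       0       0/0                 9       ALLOCATED
0    9    3936 pps  52117      2       0/0         T       9       ALLOCATED
1    1    5 Mbps    0          19532   0/0                 17      ALLOCATED
"""

def parse_bwm_table(text):
    """Return one dict per contract row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            for key in ("type", "id", "rate", "policed", "credits", "cpu"):
                row[key] = int(row[key])
            rows.append(row)
    return rows

def policed_cp_contracts(rows):
    """CP DoS contracts (type 0) whose Policed counter is non-zero."""
    return [
        (r["id"], CP_DOS_PARAMS.get(r["id"], "unknown"), r["policed"])
        for r in rows if r["type"] == 0 and r["policed"] > 0
    ]

if __name__ == "__main__":
    for cid, param, count in policed_cp_contracts(parse_bwm_table(SAMPLE)):
        print(f"contract {cid} ({param}): Policed = {count}")
```

Because the Flags column is empty in most rows, the pattern treats it as optional instead of splitting each row on whitespace and indexing by position.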

The following example displays the IPv6 route table entries of the AP datapath in Split-Tunnel forwarding mode for Remote APs:

(host)[mynode] #show datapath route ap-name ap303 ipv6

IPv6 Route Table Entries
------------------------
Flags: L - Local, P - Permanent, T - Tunnel, I - IPsec, M - Mobile, A - ARP, D - Drop

Prefix           Gateway                    Cost VLAN Flags
---------------- -------------------------- ---- ---- ------
::/0             fe80::eaf7:24ff:fe46:2ee1  0    0
2001:603::/64    2001:603::159b             0    1    L

The following example displays the IPv6 route cache entries of the AP datapath in Split-Tunnel forwarding mode for Remote APs:

(host)[mynode] #show datapath route-cache ap-name ap325 ipv6

Neighbour/Route Cache Entries
------------------------
Flags: L - Local, P - Permanent, T - Tunnel, I - IPsec, M - Mobile, t-trusted, A - ARP, D - Drop, R - Route across vlan
       O - Temporary, N - INactive, i - Mixed Mode IPSec

IP                         MAC                        VLAN Flags
----------------           -------------------------- ---- ----
2001:384::250              E8:F7:24:46:2E:E1          1
2001:603::41c              AC:A3:1E:CD:3C:F0          1    LP
2001:604::1800             00:27:10:D0:24:7C          604
fe80::eaf7:24ff:fe46:2ee2  E8:F7:24:46:2E:E2          604  tA

The following example displays the WebCC related entries for IPv6 sessions:

(host)[mynode](config-submode) #show datapath session ipv6 web-cc

Datapath Session Table Entries
------------------------------

Source IP                                Destination IP             Prot SPort DPort Cntr
---------------------------------------- -------------------------- ---- ----- ----- -----
2001:470:ed6c:43:181b:450a:792d:3d02     2a00:1450:400e:804::2003   6    55164 443   0/0
2001:470:ed6c:43:181b:450a:792d:3d02     2404:6800:4003:c03::66     6    55185 443   0/0
2001:470:ed6c:43:181b:450a:792d:3d02     2404:6800:4003:c03::61     6    55182 443   0/0
2001:470:ed6c:43:181b:450a:792d:3d02     2a04:4e42:2::323           6    55175 443   0/0
2001:470:ed6c:43:181b:450a:792d:3d02     2a00:1450:400e:804::2005   6    55156 443   0/0
2001:470:ed6c:43:181b:450a:792d:3d02     2a00:1450:400e:804::2001   6    55143 443   0/0
2001:470:ed6c:43:181b:450a:792d:3d02     2404:6800:4003:c03::65     6    55177 443   0/0
2001:470:ed6c:43:181b:450a:792d:3d02     2a00:1450:400e:804::200a   6    55154 443   0/0
2001:470:ed6c:43:181b:450a:792d:3d02     2404:6800:4003:c03::54     6    55155 443   0/0
2001:470:ed6c:43:181b:450a:792d:3d02     2a00:1450:400e:807::200e   6    55145 443   0/0
2001:470:ed6c:43:181b:450a:792d:3d02     2a00:1450:400e:807::200e   6    55146 443   0/0
2001:470:ed6c:43:181b:450a:792d:3d02     2a00:1450:400e:804::200a   6    55161 443   0/0
2001:470:ed6c:43:181b:450a:792d:3d02     2a00:1450:400e:804::200a   6    55162 443   0/0
2001:470:ed6c:43:181b:450a:792d:3d02     2a00:1450:400e:804::200e   6    55149 443   0/0
2001:470:ed6c:43:181b:450a:792d:3d02     2a00:1450:400e:804::200e   6    55148 443   0/0
2001:470:ed6c:43:181b:450a:792d:3d02     2a00:1450:400e:804::200e   6    55151 443   0/0

Prio ToS Age Destination TAge Packets   Bytes     SIDX     AclVer   Int-Flag Sess-Flag2
---- --- --- ----------- ---- --------- --------- -------- -------- -------- ---------
0    0   5   tunnel 13   52   16        1174      91c      2092     0        0
0    0   4   tunnel 13   4e   26        2038      944      2092     0        0
0    0   4   tunnel 13   4e   44        1821      a44      2092     0        0
0    0   5   tunnel 13   4f   8         744       ad8      2092     0        0
0    0   5   tunnel 13   53   19        1360      191c     2092     0        0
0    0   5   tunnel 13   5b   22        2133      1a1c     2092     0        0
0    0   4   tunnel 13   4e   22        1544      1d44     2092     0        0
0    0   5   tunnel 13   58   16        1246      231c     2092     0        0
0    0   4   tunnel 13   53   27        2220      2344     2092     0        0
0    0   6   tunnel 13   5b   14        726       241c     2092     0        0
0    0   6   tunnel 13   5b   23        1242      271c     2092     0        0
0    0   5   tunnel 13   53   19        1158      281c     2092     0        0
0    0   5   tunnel 13   53   14        938       2b1c     2092     0        0
0    0   5   tunnel 13   58   580       13637     2c1c     2092     0        0
0    0   5   tunnel 13   58   10        818       2d1c     2092     0        0
0    0   5   tunnel 13   58   10        818       2e1c     2092     0        0

WebCCRep  WebCCId                 AceIdx  Flags   CPU ID  WebCCURL
--------- ----------------------- ------- ------- ------- ----------------------
81        search-engines (50 )    451 /0  C       3       ssl.gstatic.com
92        computer/interne(5 )    451 /0  C       3       apis.google.com
92        computer/interne(5 )    451 /0  C       3       googletagmanager.com
10        bot-nets (67 )          451 /0  C       3       data.api.cnn.io
79        web-based-email (55 )   451 /0  C       3       gmail.com
81        computer/interne(5 )    451 /0  C       3       yt3.ggpht.com
79        computer/interne(5 )    451 /0  C       3       google-analytics.com
96        search-engines (50 )    451 /0  C       3       fonts.googleapis.com
96        internet-portals(51 )   451 /0  C       3       accounts.google.com
81        streaming-media (25 )   451 /0  C       3       youtube.com
81        streaming-media (25 )   451 /0  C       3       youtube.com
96        search-engines (50 )    451 /0  C       3       fonts.googleapis.com
88        computer/interne(5 )    451 /0  C       3       ajax.googleapis.com
50        content-delivery(65 )   451 /0  C       3       s.ytimg.com
50        content-delivery(65 )   451 /0  C       3       s.ytimg.com
50        content-delivery(65 )   451 /0  C       3       s.ytimg.com

The following example displays the datapath IPv6 session statistics for WebCC counters:

(host) [mynode] (config) #show datapath session ipv6 web-cc counters

G - Global Counters

Datapath Session ipv6 WebCC counters
------------------------------------
Cpu  CategoryID  Category Name               Current Active Sessions  Total Sessions
---  ----------  -------------               -----------------------  ----------
G    0           Not Classified              0                        30812
G    2           computer/internet-security  0                        6
G    4           business-economy            0                        2050
G    5           computer/internet-info      0                        1032
G    7           shopping                    0                        2
G    9           travel                      0                        34
G    14          social-networking           0                        6
G    50          search-engines              0                        60
G    63          news/media                  0                        2

The following example displays the trusted and untrusted VLAN information:

(host) [mynode] #show datapath tunnel tunnel-id 17 trusted-vlan

Trusted Vlan(s):1-8,90-99,4093-4094

 

(host) [mynode] #show datapath tunnel tunnel-id 17 untrusted-vlan

Untrusted Vlan(s):9-89,100-4092

Related Commands

Command   Description
datapath  This command configures datapath options.

Command History

Release          Modification
ArubaOS 8.4.0.0  The following changes were introduced:
                   The output of the show datapath tunnel ipv6 command was modified to include B, G, and Y flags.
                   The output of the show datapath route ap-name <ap-name> ipv6 and show datapath route-cache ap-name <ap-name> ipv6 commands was modified to display IPv6 route entries.
                   The web-cc and counters sub-parameters were added to the ipv6 parameter.
                   The output of the show datapath session ipv6 web-cc command was modified to display WebCC related entries for IPv6 sessions.
                   The trusted-vlan and untrusted-vlan sub-parameters were introduced in the show datapath tunnel tunnel-id <id> command.
ArubaOS 8.2.0.0  The netdest-id and remote-device-table parameters were added.
ArubaOS 8.0.0.0  Command introduced.

Command Information

Platforms      License                 Command Mode
All platforms  Base operating system.  Enable or Config mode on Mobility Master.
