CSS Command Reference (Software Version 7.10)
Global Configuration Mode Commands


Table Of Contents

Global Configuration Mode Commands

(config) acl

(config) app

(config) app framesz

(config) app port

(config) app session

(config) app-udp

(config) app-udp options

(config) app-udp port

(config) app-udp secure

(config) arp

(config) arp timeout

(config) arp wait

(config) boot

(config) bridge

bridge aging-time

bridge bpdu-guard

bridge forward-time

bridge hello-time

bridge max-age

bridge priority

bridge spanning-tree

(config) bypass persistence

(config) cdp

cdp holdTime

cdp run

cdp timer

(config) circuit

(config) cmd-sched

(config) cmd-sched record

(config) console authentication

(config) date european-date

(config) dfp

(config) dhcp-agent max-hops

(config) dns

dns primary

dns secondary

dns suffix

(config) dns-boomerang client

dns-boomerang client cpu-threshold

dns-boomerang client domain

dns-boomerang client enable

(config) dns-peer

dns-peer interval

dns-peer receive-slots

dns-peer send-slots

(config) dns-record

dns-record a

dns-record accel

dns-record ns

dns-record zero

(config) dns-server

(config) dns-server accelerate domains

(config) dns-server bufferCount

(config) dns-server domain-cache

(config) dns-server forwarder

(config) dns-server respTasks

(config) dns-server zero

(config) dns-server zone

(config) dnsflow

(config) domain hotlist

(config) domain hotlist interval

(config) domain hotlist size

(config) domain hotlist threshold

(config) dql

(config) dump

(config) eql

(config) flow permanent

(config) flow port-reset

(config) flow reserve-clean

(config) flow tcp-mss

(config) ftp-record

(config) gem-traffic-bursty

(config) global-portmap

(config) group

(config) gsdb

(config) gsdb-interface

(config) header-field-group

(config) host

(config) idle timeout

(config) interface

(config) ip

ip ecmp

ip firewall

ip no-implicit-service

ip opportunistic

ip record-route

ip redundancy

ip route

ip source-route

ip subnet-broadcast

(config) keepalive

(config) load

load ageout-timer

load reporting

load step

load teardown-timer

load threshold

(config) logging

logging buffer

logging commands enable

logging disk

logging host

logging line

logging sendmail

logging subsystem

logging to-disk


(config) noflow-portmap

(config) nql

(config) ospf

ospf advertise

ospf area

ospf as-boundary

ospf default

ospf enable

ospf equal-cost

ospf range

ospf redistribute

ospf router-id

(config) owner

(config) persistence reset

(config) proximity

proximity cache-remove

proximity cache-size

proximity db

proximity probe rtt interval

proximity probe rtt method

proximity probe rtt metric-weighting

proximity probe rtt samples

proximity probe rtt tcp-ports

proximity ttl

(config) radius-server

radius-server dead-time

radius-server primary

radius-server retransmit

radius-server secondary

radius-server timeout

(config) restrict

(config) rip

rip advertise

rip equal-cost

rip redistribute

(config) rmon-alarm

(config) rmon-event

(config) rmon-history

(config) service

(config) snmp

snmp auth-traps

snmp community

snmp contact

snmp location

snmp name

snmp reload-enable

snmp trap-host

snmp trap-source

snmp trap-type enterprise

snmp trap-type generic

(config) sntp

(config) spanning-packets

(config) sshd

sshd keepalive

sshd port

sshd server-keybits

(config) ssl-l4-fallback

(config) ssl associate

(config) ssl gen...

(config) ssl verify

(config) ssl-proxy-list

(config) tacacs-server

tacacs-server ip_address port

tacacs-server account

tacacs-server authorize

tacacs-server key

tacacs-server timeout

(config) urql

(config) username

(config) username-offdm

(config) username-technician

(config) virtual authentication

(config) vrrp-backup-timer

(config) web-mgmt state


Global Configuration Mode Commands

Global configuration mode allows a SuperUser to:

Configure global CSS parameters.

Initially access subordinate configuration modes on the CSS. These modes allow you to configure ACLs, boot, circuits and their IP interface addresses, EQLs, physical interfaces, global keepalives, source groups, owners and their content rules, RMON alarm, events and history, and services.

To access global configuration mode, use the configure command in SuperUser mode.

This section describes the commands in global configuration mode. For more information on commands for the subordinate configuration modes available on the CSS, see their sections later in this chapter.

For a list of general commands you can use in global configuration mode, see "General Commands".

(config) acl

To access ACL configuration mode and configure an Access Control List (ACL) on the CSS, and enable or disable all ACLs on the CSS, use the acl command. Use the no form of this command to delete an ACL.

acl [index|enable|disable]
no acl index

Syntax Description

index

The number you want to use to create a new ACL or the number for an existing ACL to access ACL mode. Enter a number from 1 to 99.

When you access this mode, the prompt changes to (config-acl [index]). For information about commands available in this mode, see "ACL Configuration Mode Commands".

disable

Disables all ACLs on the CSS.

enable

Enables all ACLs on the CSS.


Usage Guidelines

To enable global logging for ACLs, you must enter the (config) logging subsystem acl level debug-7 command.


Caution When you enable ACL mode, all traffic not configured in an ACL permit clause will be denied. ACLs function as a firewall security feature. You must first configure an ACL to permit traffic before you enable ACL mode. If you do not permit any traffic, you will lose network connectivity. Note that the console port is not affected.

If you do not configure ACLs on the CSS, all packets passing through the CSS could be allowed onto the entire network. For example, you may want to permit all email traffic, but block Telnet traffic. You can also use ACLs to allow one client to access a part of the network and prevent another client from accessing the same area.

Related Commands

show acl
(config-acl) apply
(config-acl) clause
(config-acl) remove

(config) app

To enable all Application Peering Protocol (APP) sessions, use the app command. An APP session is the exchange of content information between a group of configured CSSs. APP provides a guaranteed and private communications channel for this exchange. Use the no form of this command to disable all APP sessions.

app
no app

Related Commands

(config) dns-server
(config-owner) dns
(config-owner-content) add dns

(config) app framesz

To set the maximum frame size allowed on an APP channel between CSSs, use the app framesz command. Use the no form of this command to restore the default frame size to 10240.

app framesz size
no app framesz

Syntax Description

size

The maximum frame size. Enter a number from 10240 to 65535. The default is 10240.


(config) app port

To set the TCP port number, use the app port command. This port listens for APP connections. Use the no form of this command to restore the default port number to 5001.

app port port_number
no app port

Syntax Description

port_number

The port number. Enter a number from 1025 to 65535. The default is 5001.


(config) app session

To create an APP session between the CSS and its peer CSS, use the app session command. The CSSs in a session form a content domain that shares content rules, load, and DNS information. Use the no form of this command to terminate an APP session.

app session ip_address {ka_freq {[authChallenge|authNone] secret
{[encryptMd5hash|encryptNone] {[rcmdEnable|rcmdDisable]}}}}
no app session ip_address

Syntax Description

ip_address

The IP address for the peer CSS. Enter the address in dotted-decimal notation (for example, 192.168.11.1).

ka_freq

The optional time in seconds between sending keepalive messages to the peer CSS. Enter an integer from 14 to 255. The default is 14.

authChallenge|authNone

The optional authentication method for the session. Enter either authChallenge for the Challenge Handshake Authentication Protocol (CHAP) method or authNone for no authentication. The default is no authentication.

secret

The secret sent with each packet identifier. Enter an unquoted text string with a maximum of 32 characters. If you entered authNone for the authentication method, enter any character as the secret.

encryptMd5hash|encryptNone

The optional encryption method for the packets. Enter either encryptMd5hash for the MD5-based hashing method or encryptNone for no encryption. The default is no encryption.

rcmdEnable|rcmdDisable

The optional setting for sending remote CLI commands to the peer through the rcmd command. Enter either rcmdEnable to send CLI commands or rcmdDisable to not send CLI commands. The default setting is enabled.


Related Commands

show app
show dns-peer
show dns-server

(config) app-udp

To enable Application Peering Protocol-User Datagram Protocol (APP-UDP) datagram messaging, use the app-udp command. Messaging is enabled by default. An APP datagram allows an exchange of information between applications resident on the CSS. Use the no form of this command to disable APP-UDP messaging.

app-udp
no app-udp

Usage Guidelines

The app-udp command is available on a Proximity Database and a DNS CSS.

Related Commands

show app-udp

(config) app-udp options

To configure encryption with an IP address, use the app-udp options command. Use the no form of this command to delete the options from an IP address.

app-udp options ip_address encrypt-md5hash secret
no app-udp options ip_address

Syntax Description

ip_address

The IP address that you want to associate with this group of options. Enter the address in dotted-decimal notation (for example, 192.168.11.1).

secret

The string used in encryption and decryption of the MD5 hashing method. Enter an unquoted text string with a maximum of 31 characters. There is no default.


Usage Guidelines

The CSS applies encryption to packets sent to this destination address or when the CSS receives datagrams with a matching source IP address. You can set the IP address to 0.0.0.0 to apply encryption to all incoming and outbound datagrams that are not more specifically configured. Use of the 0.0.0.0 IP address allows you to set a global security configuration that may be applied to an arbitrary number of peers.

Examples

The following example shows the application of a specific option set to 10.6.3.21 and a global option set to all other IP addresses. The CSS encrypts datagrams received from 10.6.3.21 and transmitted to 10.6.3.21 with secret mySecret. The CSS subjects all other datagrams, received or transmitted, to the default encryption secret anotherSecret.

(config) # app-udp options 10.6.3.21 encrypt-md5hash mySecret
(config) # app-udp options 0.0.0.0 encrypt-md5hash anotherSecret

Related Commands

(config) app-udp secure

(config) app-udp port

To set the UDP port number, use the app-udp port command. This port listens for APP datagrams. Use the no form of this command to restore the UDP port number to its default value of 5002.

app-udp port port_number
no app-udp port

Syntax Description

port_number

The UDP port number. Enter a value from 1025 to 65535. The default is 5002.


(config) app-udp secure

To require the encryption of all inbound APP datagrams, use the app-udp secure command. This prevents unauthorized messages from entering the CSS. Use the no form of this command to restore the default behavior of allowing the CSS to accept all APP datagrams.

app-udp secure
no app-udp secure

Usage Guidelines

Use the app-udp secure command in conjunction with the (config) app-udp options command to specify the secure messages that are accepted. If you use this command without the (config) app-udp options command, the CSS drops all incoming data.

Examples

The following commands allow only incoming traffic from 10.6.3.21 encrypted with the secret "mySecret."

(config) # app-udp secure
(config) # app-udp options 10.6.3.21 encrypt-md5hash mySecret

Related Commands

(config) app-udp options
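The datagram-handling rules stated above for app-udp options and app-udp secure, as an added Python model written for this edit (it is not CSS code and not from the reference): it selects the option set by peer address (the exact entry first, then the 0.0.0.0 global entry), attaches and checks a keyed MD5 digest, and accepts or drops inbound datagrams the way the usage guidelines and examples describe. The digest construction (MD5 over the shared secret followed by the payload), the receiving CSS address 10.9.9.9, the peer 10.6.3.99 and the payload are assumptions; the reference states only that an MD5 hash keyed by a shared secret is used.

```python
import hashlib
from dataclasses import dataclass, field

GLOBAL_PEER = "0.0.0.0"  # the "all other peers" entry described in the usage guidelines


@dataclass
class AppUdpPolicy:
    """Constructed model of one CSS's app-udp configuration (not CSS code)."""
    secure: bool = False                          # True after app-udp secure; False is the default
    options: dict = field(default_factory=dict)   # peer IP -> secret, one entry per app-udp options line

    def set_options(self, peer_ip: str, secret: str) -> None:
        # app-udp options <peer_ip> encrypt-md5hash <secret>; the reference caps the secret at 31 characters
        if not 1 <= len(secret) <= 31:
            raise ValueError("secret must be 1 to 31 characters")
        self.options[peer_ip] = secret

    def clear_options(self, peer_ip: str) -> None:
        # no app-udp options <peer_ip>
        self.options.pop(peer_ip, None)

    def secret_for(self, peer_ip: str):
        # The most specific entry wins; 0.0.0.0 covers every peer without its own entry; None if neither exists.
        return self.options.get(peer_ip, self.options.get(GLOBAL_PEER))


def digest(secret: str, payload: bytes) -> str:
    # Assumed digest construction: MD5 over the shared secret followed by the payload.
    return hashlib.md5(secret.encode() + payload).hexdigest()


def build_datagram(sender: AppUdpPolicy, dst_ip: str, payload: bytes) -> dict:
    """Outbound side: attach a digest when an option set matches the destination, else send plain."""
    secret = sender.secret_for(dst_ip)
    return {"payload": payload, "digest": digest(secret, payload) if secret else None}


def accept_inbound(receiver: AppUdpPolicy, src_ip: str, datagram: dict) -> bool:
    """Inbound side: True if the receiving CSS processes the datagram, False if it drops it."""
    secret = receiver.secret_for(src_ip)
    if secret is None:
        # Nothing configured for this source: accepted only while app-udp secure is off.
        return not receiver.secure
    # An option set matches: the datagram must carry the digest made with that secret.
    return datagram["digest"] == digest(secret, datagram["payload"])


def demo() -> dict:
    """Replays the two examples from the reference against constructed peers and traffic."""
    css_ip = "10.9.9.9"                            # constructed address of the receiving CSS
    css = AppUdpPolicy(secure=True)                # (config)# app-udp secure
    css.set_options("10.6.3.21", "mySecret")       # (config)# app-udp options 10.6.3.21 encrypt-md5hash mySecret

    trusted = AppUdpPolicy()                       # peer 10.6.3.21, configured with the same secret for css_ip
    trusted.set_options(css_ip, "mySecret")
    wrong_key = AppUdpPolicy()                     # a sender at the trusted address without the right secret
    wrong_key.set_options(css_ip, "guess")
    stranger = AppUdpPolicy()                      # peer 10.6.3.99 with no option set at all
    msg = b"constructed APP payload"

    return {
        "trusted_peer": accept_inbound(css, "10.6.3.21", build_datagram(trusted, css_ip, msg)),
        "wrong_secret": accept_inbound(css, "10.6.3.21", build_datagram(wrong_key, css_ip, msg)),
        "unknown_peer_plaintext": accept_inbound(css, "10.6.3.99", build_datagram(stranger, css_ip, msg)),
        # app-udp secure with no option sets: the reference says the CSS drops all incoming data
        "secure_without_options": accept_inbound(AppUdpPolicy(secure=True), "10.6.3.21",
                                                 build_datagram(trusted, css_ip, msg)),
        # default behaviour (no app-udp secure): plain datagrams from any peer are accepted
        "default_plaintext": accept_inbound(AppUdpPolicy(), "10.6.3.99", build_datagram(stranger, css_ip, msg)),
    }
```

The model makes the operational point of the two sections visible: with app-udp secure set, a peer whose address has no option set (and no 0.0.0.0 fallback) is dropped even if it sends a digest, and a peer at a configured address is dropped unless its digest was made with the same secret the CSS holds for it.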

(config) arp

To define a static ARP mapping from an IP address to the Media Access Control (MAC) address that the CSS needs to send data to a network node, use the arp command. Use the no form of this command to delete a static mapping.

arp ip_or_host mac_address interface {vlan}
no arp ip_or_host

Syntax Description

ip_or_host

The IP address of the system for static mapping. Enter an IP address in dotted-decimal notation (for example, 192.168.11.1) or in mnemonic host-name format (for example, myhost.mydomain.com).

mac_address

The MAC address of the system mapped to the IP address. Enter the MAC address in hyphenated-hexadecimal notation (for example, 00-60-97-d5-26-ab).

interface

The CSS interface that you want to configure as the egress logical port. For a CSS 11501, CSS 11050, or CSS 11150, enter the interface name in interface-port format (for example, e2). For a CSS 11503, CSS 11506, or CSS 11800, the interface format is slot/port (for example, 3/1). To see a list of interfaces, enter:

arp ip_or_host mac_address ?

vlan

The VLAN number configured in a trunked interface on which the ARP address is configured. Enter an integer from 1 to 4094 as the VLAN number.


Usage Guidelines

To show static ARP mapping when you use the show arp command, the IP route must exist in the routing table. To view all static ARP entries, use the show running-config command.

The CSS discards ARP requests from hosts that are not on the same network as the CSS circuit IP address. Thus, if a CSS and a host are within the same VLAN but configured for different IP networks, the CSS does not respond to ARP requests from the host.

Related Commands

clear
show arp
show running-config
update arp

(config) arp timeout

To set the time in seconds to hold an ARP resolution result in the ARP cache, use the arp timeout command. Use the no form of this command to restore the default timeout value of 14400 seconds.

arp timeout timeout_time
no arp timeout

Syntax Description

timeout_time

The number of seconds to hold an ARP resolution result. To set a timeout period, enter an integer from 60 to 86400 (24 hours). The default is 14400 (4 hours). If you do not want ARP entries to time out, enter none or 86401.


Usage Guidelines

When you change the timeout value, it only affects new ARP entries. All previous ARP entries retain the old timeout value. To remove all entries with the old timeout value, enter the clear arp cache command.

Related Commands

clear arp cache
show arp config

(config) arp wait

To set the time in seconds to wait for an ARP resolution before discarding the packet waiting to be forwarded to the address, use the arp wait command. Use the no form of this command to restore the default wait time of 5 seconds.

arp wait wait_time
no arp wait

Syntax Description

wait_time

The number of seconds to wait for an ARP resolution. Enter an integer from 5 to 30. The default is 5 seconds.


Related Commands

show arp config

(config) boot

To access boot configuration mode, use the boot command. Boot configuration mode contains all commands necessary to manage booting the CSS and to maintain the software revision.

boot

Usage Guidelines

When you use the boot command to access boot mode, the prompt changes to (config-boot). For information about commands available in this mode, see "Boot Configuration Mode Commands".

(config) bridge

To configure the spanning-tree bridge parameters that apply to the CSS, use the bridge command. The options for this global configuration mode command are:

bridge aging-time..., sets the bridge filtering database aging time

bridge bpdu-guard..., enables or disables the Bridge Protocol Data Unit (BPDU) guard feature on the CSS

bridge forward-time..., sets the bridge forward delay time

bridge hello-time..., sets the bridge hello time interval

bridge max-age..., sets the bridge spanning-tree maximum age

bridge priority..., sets the spanning-tree priority for the root bridge on the network

bridge spanning-tree..., enables or disables the bridge spanning tree

For more information on these options and associated variables, see the following commands.


Note For information on bridge commands you can use in interface mode, see the (config-if) bridge command.


Related Commands

show bridge
(config) interface
(config-if) bridge

bridge aging-time

To set the spanning-tree bridge filtering database aging time for the CSS, use the bridge aging-time command. Use the no form of this command to restore the default aging time of 300.

bridge aging-time timeout
no bridge aging-time

Syntax Description

timeout

The timeout period in seconds for aging out dynamically learned forwarding information. Enter an integer from 10 to 1000000. The default is 300.


Command Modes

Global configuration mode

Related Commands

show bridge status

bridge bpdu-guard

To globally enable or disable the Bridge Protocol Data Unit (BPDU) guard feature on the 11500 series CSS, use the bridge bpdu-guard command. The command shuts down Port Fast configured interfaces that receive BPDUs rather than putting the interfaces into the spanning-tree blocking state. By default, the BPDU guard feature is disabled.

bridge bpdu-guard [enabled|disabled]

Syntax Description

enabled

Enables the BPDU guard feature

disabled

Disables the BPDU guard feature (default)


Command Modes

Global configuration

Usage Guidelines

The BPDU guard feature affects interfaces that have the Port Fast feature enabled on them. Port Fast should only be configured on interfaces that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt CSS and network operation. An interface with Port Fast mode enabled is moved directly to the spanning-tree forwarding state when linkup occurs, without waiting for the standard forward-time delay.

When properly connected to other devices, Port Fast configured interfaces do not receive BPDUs. If a BPDU is received on a Port Fast configured interface, the interface is connected to an invalid device, such as a switch or router, and the BPDU guard feature disables the interface. The BPDU guard feature provides a secure response to invalid connections because you must manually put the interface back in service.

Related Commands

show bridge
(config-if) bridge port-fast

bridge forward-time

To set the spanning-tree bridge forward delay time, use the bridge forward-time command. Use the no form of this command to restore the default delay time of 4.

bridge forward-time delay
no bridge forward-time

Syntax Description

delay

The delay time in seconds that all bridges use for forward delay when this bridge is acting as the root. Enter an integer from 4 to 30. The default is 4.


Command Modes

Global configuration mode

Usage Guidelines

Make sure that the bridge maximum age is less than or equal to 2 x (bridge forward-time - 1 second) and greater than or equal to 2 x (bridge hello-time + 1 second).

Related Commands

show bridge status
(config) bridge max-age

bridge hello-time

To set the bridge hello time interval, use the bridge hello-time command. Use the no form of this command to restore the default hello time interval of 1.

bridge hello-time hello
no bridge hello-time

Syntax Description

hello

The hello time in seconds that all bridges use when this bridge is acting as the root. Enter an integer from 1 to 10. The default is 1.


Command Modes

Global configuration mode

Usage Guidelines

Make sure that the bridge maximum age is greater than or equal to 2 x (bridge hello-time + 1 second) and less than or equal to 2 x (bridge forward-time - 1 second).

Related Commands

show bridge status
(config) bridge max-age

bridge max-age

To set the bridge spanning-tree maximum age, use the bridge max-age command. Use the no form of this command to restore the default maximum age of 6.

bridge max-age age
no bridge max-age

Syntax Description

age

The maximum age in seconds that all bridges use when this bridge is acting as the root. Enter an integer from 6 to 40. The default is 6.


Command Modes

Global configuration mode

Usage Guidelines

Make sure that the bridge maximum age is greater than or equal to 2 x (bridge hello-time + 1 second) and less than or equal to 2 x (bridge forward-time - 1 second).

Related Commands

show bridge status
(config) bridge forward-time
(config) bridge hello-time
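The usage guidelines under bridge forward-time, bridge hello-time, and bridge max-age all state one constraint: 2 x (hello-time + 1) <= max-age <= 2 x (forward-time - 1). The following Python validator is an added example written for this edit, not CSS code; it checks a proposed set of the three timers against that constraint and against the ranges given in the syntax descriptions, and renders the three commands only when the values are consistent. The order in which it emits the commands is the editor's choice.

```python
# Range limits and defaults for the three timers, as given in the syntax descriptions above.
BRIDGE_RANGES = {"forward_time": (4, 30), "hello_time": (1, 10), "max_age": (6, 40)}
BRIDGE_DEFAULTS = {"forward_time": 4, "hello_time": 1, "max_age": 6}


def max_age_window(forward_time: int, hello_time: int) -> tuple:
    """Lowest and highest max-age the guideline allows for the given hello and forward times."""
    return 2 * (hello_time + 1), 2 * (forward_time - 1)


def check_bridge_timers(forward_time: int = 4, hello_time: int = 1, max_age: int = 6) -> list:
    """Return a list of problems; an empty list means the three values are consistent."""
    problems = []
    for name, value in (("forward_time", forward_time), ("hello_time", hello_time), ("max_age", max_age)):
        lo, hi = BRIDGE_RANGES[name]
        if not lo <= value <= hi:
            problems.append(f"{name}={value} is outside the accepted range {lo}..{hi}")
    lower, upper = max_age_window(forward_time, hello_time)
    if max_age < lower:
        problems.append(f"max-age {max_age} is below 2 x (hello-time + 1) = {lower}")
    if max_age > upper:
        problems.append(f"max-age {max_age} is above 2 x (forward-time - 1) = {upper}")
    return problems


def bridge_commands(forward_time: int, hello_time: int, max_age: int) -> list:
    """Render the global configuration commands for a consistent set of timers (raises otherwise)."""
    problems = check_bridge_timers(forward_time, hello_time, max_age)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"bridge forward-time {forward_time}",
        f"bridge hello-time {hello_time}",
        f"bridge max-age {max_age}",
    ]


if __name__ == "__main__":
    # The defaults (4, 1, 6) sit exactly on the window's upper edge: 2 x (1 + 1) = 4 <= 6 <= 2 x (4 - 1) = 6.
    print("defaults:", check_bridge_timers(**BRIDGE_DEFAULTS) or "consistent")
    # Raising hello-time to 3 without touching max-age breaks the lower bound (2 x (3 + 1) = 8 > 6).
    print("hello-time 3:", check_bridge_timers(hello_time=3))
```

Because the defaults already sit on the upper edge of the window, changing hello-time alone is the usual way to violate the guideline; checking the triple before entering the commands avoids that.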

bridge priority

To set the priority used by the spanning-tree protocol to choose the root bridge on the network, use the bridge priority command. This command can override the root bridge selection in your network. Use the no form of this command to restore the default priority of 32768.

bridge priority priority
no bridge priority

Syntax Description

priority

The decimal value for the writable portion of the bridge ID: the first two octets of the 8-octet bridge ID. The last 6 octets of the bridge ID come from the base bridge address. Enter an integer from 0 to 65535 (0 to ffff, hexadecimal). The default is 32768 (0x8000, hexadecimal).


Command Modes

Global configuration mode

Related Commands

show bridge status

bridge spanning-tree

To enable or disable the spanning tree, use the bridge spanning-tree command.

bridge spanning-tree [disable|enable]

Syntax Description

disable

Disables the spanning tree.

enable

Enables the spanning tree. This is the default state.


Command Modes

Global configuration mode

Usage Guidelines

Disabling spanning-tree bridging may make your network susceptible to packet storms. When you disable spanning-tree bridging, the CSS drops Bridge Protocol Data Units (BPDUs), but forwards the Cisco Systems 802.1Q BPDUs (tagged with the proprietary 01-00-0c-cc-cc-cd destination MAC address) on an 802.1Q VLAN trunk. The CSS can still operate in an 802.1Q spanning-tree environment as long as you do not require that the CSS put any of its ports into a blocking state.

Related Commands

show bridge status

(config) bypass persistence

To determine whether the CSS performs a service remapping or HTTP redirection operation to reset a bypassed service when a content request matches a content rule but a previous request caused the bypass, use the bypass persistence command. By default, bypass persistence is enabled.

bypass persistence [disable|enable]

Syntax Description

disable

Performs remapping or redirection to reset the connection according to the setting of the persistence reset method

enable

Does not perform remapping or redirection to reset the connection, and continues to bypass a service


Usage Guidelines

The bypass persistence command affects all flows.

Related Commands

show remap
(config) persistence reset
(config-owner-content) persistent

(config) cdp

To configure the global Cisco Discovery Protocol (CDP) parameters on the CSS, use the cdp command. The options for this global configuration mode command are:

cdp holdTime..., defines the period of time to hold the CSS CDP information before discarding it

cdp run, enables CDP on the CSS and the broadcasting of CDPv1 advertisements by the CSS

cdp timer..., specifies how often the CSS sends CDP advertisements to Cisco CDP-compatible devices

For more information on these options and associated variables, see the following commands.

Usage Guidelines

The Cisco Discovery Protocol (CDP) is a media-independent protocol that runs over Layer 2 (the data link layer) on the CSS and other Cisco manufactured equipment, such as routers, switches, bridges, and access servers. CDP allows the CSS to advertise itself to all other neighboring Cisco CDP-compatible devices on a network.


Note The CSS only transmits CDP advertisements to other CDP-compatible devices on the network; it does not listen for CDP messages from other CDP-compatible devices.


Any Cisco device with CDP support can learn about the CSS by listening to the periodic advertisements transmitted by the CSS and determine when the CSS is active. Network operators and analysts can use this information for configuration monitoring, topology discovery, and fault diagnosis.

CDP advertisements include the following information about the CSS:

Device ID (CSS base MAC address)

IP address (CSS management port IP address)

Ethernet port ID name

CSS functional capability flag (Router, Transparent bridge, or Switch)

CSS software version

CSS platform (CSS 11500 series product family or CSS 11000 series product family)

CDP advertisements also include time-to-live, or hold time information, which defines the length of time the receiving device is to hold CDP information before discarding it.

Related Commands

show cdp

cdp holdTime

To define the hold time in the CSS CDP advertisement to receiving devices, use the cdp holdTime command. The hold time defines how long the CSS wants the device to hold the CSS CDP information before discarding it. If a device does not receive a CSS CDP advertisement before the hold time expires, it drops the CSS as a neighbor. Use the no form of the command to reset the hold time to its default of 180 seconds.

cdp holdTime seconds
no cdp holdTime

Syntax Description

seconds

The number of seconds for holding the CSS CDP information. The range is from 10 to 255. The default is 180.


Command Modes

Global configuration mode

cdp run

To enable CDP transmissions to advertise the CSS in the form of CDPv1 packet broadcasts to neighboring Cisco CDP-compatible devices on the network, use the cdp run command. By default, CDP advertisement is disabled for the CSS. Use the no version of the command to disable the CSS CDP transmissions.

cdp run
no cdp run

Command Modes

Global configuration mode

cdp timer

To specify the interval at which the CSS advertises CDP packets to all receiving CDP-compatible devices, use the cdp timer command. Use the no form of the command to reset the interval to its default of 60 seconds.

cdp timer interval
no cdp timer

Syntax Description

interval

The interval in seconds between CDP advertisements sent by the CSS. The range is from 5 to 254. The default is 60.


Command Modes

Global configuration mode

(config) circuit

To access circuit configuration mode and configure a circuit on the CSS, use the circuit command. A circuit on the CSS is a logical entity that maps IP interfaces to a logical port or group of logical ports.

circuit circuit_name

Syntax Description

circuit_name

The name of the circuit you want to configure. To see a list of available circuits, enter:

circuit ? 

Usage Guidelines

When you use the circuit command to access circuit mode, the prompt changes to (config-circuit [circuit_name]). For information about commands available in this mode, see "Circuit Configuration Mode Commands".

Related Commands

show circuits

(config) cmd-sched

To enable command scheduling, use the cmd-sched command. Use the no form of this command to disable command scheduling.

cmd-sched
no cmd-sched

(config) cmd-sched record

To create a configuration record for the scheduled execution of any CLI commands, including the playing of scripts, use the cmd-sched record command. Use the no form of this command to delete a configuration record.

cmd-sched record name minute hour day month weekday "command..." {logfile_name}
no cmd-sched record

Syntax Description

name

The name of the configuration record. Enter an unquoted text string with a maximum of 16 characters. Each of the time variables that follow (minute, hour, day, month, and weekday) can contain one of the following values, or a combination of them:

A single number to define a single or exact value for the specified time variable

A "*" wildcard character matching any valid number for the specified time variable

A list of numbers separated by commas, with a maximum of 40 characters, to define multiple values for a time variable

Two numbers separated by a dash (-) character indicating a range of values for a time variable

minute

The minute of the hour to execute the command. Valid numbers are from 0 to 59.

hour

The hour of the day. Valid numbers are from 0 to 23.

day

The day of the month. Valid numbers are from 0 to 31.

month

The month of the year. Valid numbers are from 1 to 12.

weekday

The day of the week. Valid numbers are from 1 to 7. Sunday is 1.

command...

The commands you want to execute. Enter a quoted text string with a maximum of 255 characters. Separate multiple commands with a semicolon (;) character. If the command string itself contains quoted text, use single quote characters; any single quote character not preceded by a "\" character is converted to a double quote when the command string is executed.

logfile_name

This optional variable defines the name of the log file. Enter a text string with a maximum of 32 characters.


Usage Guidelines

The commands that the cmd-sched record command executes are referred to as the command string. To schedule commands, you must create a configuration record including when to execute the commands, and the command string.

For example, you can use this command to schedule periodic content replication and configuration changes, and gather statistics. At the specified time, the command scheduler executes a command string by creating a pseudo login shell where each string is executed. A cmd-sched record is only scheduled for execution upon completion of its shell. Use the show lines command to display information about active pseudo shells.


Note To terminate the execution of a command string, you can use the disconnect command.


Related Commands

disconnect
show cmd-sched
show lines
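The time-variable syntax of cmd-sched record (single number, "*", comma list, dash range, or a mix), the Sunday=1 weekday numbering, and the single-quote conversion rule, worked through as an added Python example written for this edit; it is not CSS code. It parses a record line, validates every field against the limits in the syntax description, reports whether the record would fire at a given moment, and splits the command string. Two things are assumptions: a record fires only when all five time variables match (the reference does not say how day and weekday combine), and a backslash-escaped single quote becomes a literal single quote. The record, its log file name and the dates are constructed.

```python
import re
import shlex
from datetime import datetime

# Per-field limits from the syntax description above (day 0-31 and Sunday=1 are as the reference states them).
FIELD_LIMITS = (("minute", 0, 59), ("hour", 0, 23), ("day", 0, 31), ("month", 1, 12), ("weekday", 1, 7))


def parse_time_field(name: str, text: str, lo: int, hi: int) -> set:
    """Expand one time variable: a number, '*', a comma list, a dash range, or a mix of those."""
    if len(text) > 40:
        raise ValueError(f"{name}: a list may be at most 40 characters")
    if text == "*":
        return set(range(lo, hi + 1))
    values = set()
    for part in text.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"{name}: bad element {part!r}")
        first = int(m.group(1))
        last = int(m.group(2)) if m.group(2) else first
        if first > last or first < lo or last > hi:
            raise ValueError(f"{name}: {part} is outside {lo}..{hi}")
        values.update(range(first, last + 1))
    return values


def parse_record(line: str) -> dict:
    """Parse one 'cmd-sched record ...' line into its name, time sets, command string and log file."""
    tokens = shlex.split(line)   # keeps the double-quoted command string as one token
    if tokens[:2] != ["cmd-sched", "record"] or len(tokens) not in (9, 10):
        raise ValueError('expected: cmd-sched record name minute hour day month weekday "command..." {logfile_name}')
    name = tokens[2]
    logfile = tokens[9] if len(tokens) == 10 else None
    if len(name) > 16 or (logfile is not None and len(logfile) > 32):
        raise ValueError("name is limited to 16 characters, logfile_name to 32")
    if len(tokens[8]) > 255:
        raise ValueError("command string is limited to 255 characters")
    fields = {n: parse_time_field(n, tokens[3 + i], lo, hi) for i, (n, lo, hi) in enumerate(FIELD_LIMITS)}
    return {"name": name, "fields": fields, "command": tokens[8], "logfile": logfile}


def expand_commands(command: str) -> list:
    """Apply the quoting rule (unescaped ' becomes "; assumed: \\' becomes a literal ') and split on ';'."""
    converted = re.sub(r"(?<!\\)'", '"', command).replace("\\'", "'")
    return [c.strip() for c in converted.split(";") if c.strip()]


def fires_at(record: dict, when: datetime) -> bool:
    """True if every time variable of the record matches the given moment (assumed AND semantics)."""
    f = record["fields"]
    css_weekday = when.isoweekday() % 7 + 1   # Python Mon=1..Sun=7 -> reference Sun=1..Sat=7
    return (when.minute in f["minute"] and when.hour in f["hour"] and when.day in f["day"]
            and when.month in f["month"] and css_weekday in f["weekday"])


def demo() -> dict:
    """Constructed record: 02:30 on weekdays (2-6 is Monday..Friday in the reference's numbering)."""
    rec = parse_record('cmd-sched record nightly 30 2 * * 2-6 "show arp; show bridge status" nightly.log')
    return {
        "name": rec["name"],
        "logfile": rec["logfile"],
        "weekdays": sorted(rec["fields"]["weekday"]),
        "commands": expand_commands(rec["command"]),
        "monday_0230": fires_at(rec, datetime(2024, 1, 1, 2, 30)),   # 2024-01-01 is a Monday
        "sunday_0230": fires_at(rec, datetime(2024, 1, 7, 2, 30)),   # 2024-01-07 is a Sunday
        "monday_0231": fires_at(rec, datetime(2024, 1, 1, 2, 31)),
    }
```

Validating the record before entering it matters because a scheduled command string runs in its own pseudo login shell with whatever it contains; a weekday field written in cron's Sunday=0 habit is rejected here rather than silently shifting the schedule by a day.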

(config) console authentication

To configure the primary, secondary, or tertiary method for authenticating the usernames and passwords of users logging in to the CSS through the console port, use the console authentication command. Use the no form of this command to disable authentication on the console port, allowing users to access the CSS without a username and password.

console authentication [primary [local|radius|tacacs|none]|secondary|tertiary [local|radius|tacacs|none|disallowed]]

no console authentication

Syntax Description

primary

Defines the first authentication method that the CSS uses. The default primary console authentication method is the local user database.

secondary

Defines the second authentication method that the CSS uses if the first method fails. The default secondary console authentication method is to disallow all user access.

If you are configuring a TACACS+ server as the primary authentication method, define a secondary authentication method, such as local. If you do not configure a secondary method and use the default of disallowed, you have the possibility of being locked out of the CSS.

tertiary

Defines the third authentication method that the CSS uses if the second method fails. The default tertiary console authentication method is to disallow all user access.

local

The CSS uses the local user database for authentication.

radius

The CSS uses the configured RADIUS server for authentication.

tacacs

The CSS uses the configured TACACS+ server for authentication.

none

The CSS uses no authentication method. All users can access the CSS.

disallowed

The CSS does not allow access by any user (secondary or tertiary authentication method only). Entering this option does not terminate existing connections.

To remove users currently logged into the CSS, use the disconnect command.


Usage Guidelines

To control access to the CSS, you can configure the CSS to authenticate console users. The CSS can authenticate users by using the local user database, a RADIUS server, or a TACACS+ server. You can also allow user access without authentication, or disallow all user access to the CSS.

You can set a maximum of three authentication methods: primary, secondary, and tertiary. The primary method is the first one the CSS tries. If the primary method fails, the CSS tries the secondary method, and if the secondary method fails, the tertiary method. If the tertiary method also fails, the CSS displays a message that authentication has failed and denies the login.

Before you can use RADIUS or TACACS+ as the console authentication method, you must enable communication with the RADIUS or TACACS+ security server. Use either the (config) radius-server command or the (config) tacacs-server command.
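As an added example (not text from the Cisco reference), the fragments below contrast a lockout-prone console configuration with a safe one. They assume that a TACACS+ server has already been defined with the (config) tacacs-server command, whose syntax is not shown here, and that at least one account exists in the local user database. Lines beginning with ! are annotations, not CSS commands.

```text
! Lockout-prone: TACACS+ is primary and the secondary is left at its
! default of disallowed. If the TACACS+ server is unreachable, nobody
! can log in on the console.
console authentication primary tacacs

! Corrected: fall back to the local user database when TACACS+ fails.
! The tertiary stays at its default of disallowed, so a failure of both
! methods denies the login instead of falling through to open access.
console authentication primary tacacs
console authentication secondary local

! Avoid in production: no authentication at all on the console port.
! console authentication primary none
```

Before you disconnect from the console, check with show running-config global that both lines were saved and with show user-database that the local account you intend to fall back to exists.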

Related Commands

show user-database
(config) restrict console
(config) radius-server
(config) tacacs-server
(config) virtual authentication

(config) date european-date

To change the behavior of the clock date command to accept date input in the format of day, month, and year, use the date european-date command. Use the no form of the command to reset the format for the clock date command to its default format of month, day, and year.

date european-date
no date european-date

Command Modes

Global configuration mode

Related Commands

clock
show clock

(config) dfp

To define a DFP agent (the IP address and TCP port on a server where the agent listens for connections from the CSS) and to enable the DFP manager on the CSS, use the dfp command. You can configure a maximum of 127 DFP agents for the DFP manager on the CSS. Use the no form of the command to remove the DFP agent connection to an IP address.

dfp ip_or_host {port {key ["secret"|des-encrypted encrypted_key|"encrypt_key"]} {timeout seconds} {retry count} {delay time} {max-agent-wt weight}}

no dfp ip_or_host {port}

Syntax Description

ip_or_host

The IP address or host name of the configured DFP agent. Enter an IP address in dotted-decimal notation (for example, 192.168.11.1) or a mnemonic host name (for example, myhost.mydomain.com).

port

Optional. The server TCP port that the configured DFP agent uses to listen for connections from the CSS DFP manager. Valid entries are 0 to 65535. The default is 14001.

key "secret"

Optional. A shared secret that the CSS DFP manager and the DFP agents use to authenticate the messages they exchange. The secret is combined with each message to produce an MD5 (Message Digest Algorithm 5) digest, so a receiver can reject reports that were not produced by a holder of the key. MD5 is a one-way hash function, not a cipher: the key protects the integrity and origin of the load reports, not their confidentiality, and DFP traffic itself is not encrypted. Enter the secret as a case-sensitive quoted text string (maximum of 64 characters). It can include any printable ASCII character except tabs.

Configure the same secret on every DFP agent; an agent with a different secret cannot exchange authenticated reports with the CSS. Without a key, the CSS accepts load reports from whatever answers at the agent's address, so set one wherever the path between the CSS and its agents is not trusted.

des-encrypted

Indicates that the key that follows is in the DES (Data Encryption Standard) encrypted form that the CSS produces when it saves a secret.

encrypted_key

The secret in the DES-encrypted form that the CSS produced earlier (for example, copied from a saved running-config). The CSS does not re-encrypt this value and saves it in the running-config as you entered it. Enter an unquoted case-sensitive text string with no spaces and a maximum of 128 characters. DES is a 56-bit cipher, so treat a running-config that contains encrypted keys as sensitive: the encryption prevents casual reading, not recovery by a determined attacker.

"encrypt_key"

The clear-text secret that you want the CSS to store in DES-encrypted form. The CSS encrypts the key and saves the encrypted form, not the text you entered, in the running-config. Enter a quoted case-sensitive text string with no spaces and a maximum of 64 characters.

timeout seconds

Optional. The maximum inactivity time period (the keepalive time) for the connection between the CSS DFP manager and the server DFP agent. If the inactivity time period exceeds the timeout value, the DFP manager closes the connection. The DFP manager attempts to reopen the connection as often as specified by the value of the retry option. The range is from 1 to 10000 seconds. The default is 3600 seconds (1 hour).

retry count

Optional. The number of times the CSS DFP manager tries to reopen a connection with the server DFP agent. The range is 0 (for continuous retries) to 65535. The default is 3 retry attempts.

delay time

Optional. The delay, in seconds, between connection reestablishment attempts. Valid entries are 1 to 65535 seconds (about 18 hours). The default is 5 seconds.

max-agent-wt weight

Optional. The maximum weight that the DFP agent is expected to report. The CSS uses this value to scale the reported weight into the DFP manager's range of 0 to 255 when the agent's range differs. For example, if an agent reports weights in the range 0 to 16, the CSS scales the reported weight up to match the manager's range; if an agent reports weights in the range 0 to 65535, the CSS scales it down.

If a DFP agent reports a weight greater than the configured maximum, the CSS rejects the report, does not use it in load-balancing decisions, and logs an error to syslog. Enter an integer from 1 to 65535. The default is 255.


Command Modes

Global configuration mode
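The following is an added example, not from the Cisco reference. It assumes a server farm whose DFP agents report weights on a 0 to 16 scale and share one secret; the addresses, host name and secret are made up. Lines beginning with ! are annotations, not CSS commands.

```text
! Agent on 192.168.11.5, default port 14001. Authenticate reports with
! the shared MD5 secret, close an idle connection after 120 seconds,
! retry forever (0) with 10 seconds between attempts, and tell the CSS
! that this agent never reports a weight above 16 so its reports are
! scaled up into the manager's 0 to 255 range.
dfp 192.168.11.5 14001 key "Dfp-Secret-2004" timeout 120 retry 0 delay 10 max-agent-wt 16

! Second agent, addressed by host name (resolved through the servers
! set with dns primary and dns secondary), same secret and scaling.
dfp dfp-agent2.example.com 14001 key "Dfp-Secret-2004" timeout 120 retry 0 delay 10 max-agent-wt 16

! Remove only the second agent; the first keeps running.
no dfp dfp-agent2.example.com 14001
```

With max-agent-wt 16, a report of 8 lands near the middle of the manager's range, while a report of 20 is rejected and logged to syslog, so a misconfigured agent cannot push an out-of-range weight into the load-balancing decision. After you save the configuration, the running-config shows the secret in its des-encrypted form; re-entering that line with key des-encrypted reuses it unchanged. Use show dfp to confirm that the agents connect and show dfp-reports to see the weights the CSS accepted.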

Related Commands

show dfp
show dfp-reports

(config) dhcp-agent max-hops

To set the maximum value that the CSS accepts in the hops field of the BOOTP header when it relays DHCP packets, use the dhcp-agent max-hops command. The CSS does not forward packets whose hops field exceeds this value; the limit bounds the number of relay agents a request can cross and stops relay loops. Use the no form of the command to reset the maximum allowable number in the hops field to its default of 4.

dhcp-agent max-hops number
no dhcp-agent max-hops

Syntax Description

number

The maximum allowable number in the hops field of the BOOTP header. The range is 1 to 15. The default is 4.


Command Modes

Global configuration mode

Related Commands

show dhcp-relay-agent global

(config) dns

To enter the commands that configure the Domain Name Service (DNS) client, the facility that translates host names such as myhost.mydomain.com to IP addresses such as 192.168.11.1, use the dns command. The CSS uses this client to resolve any host name you enter in other commands (for example, the ip_or_host argument of the dfp command), so the servers you configure here determine where that traffic is sent. The options for this global configuration mode command are:

dns primary..., specifies the primary DNS server to use for DNS name resolution

dns secondary..., specifies the secondary DNS server to use for DNS name resolution

dns suffix..., specifies the default suffix to use during a DNS query

For information on these options and associated variables, see the following commands.

Related Commands

show running-config global
(config) dns-server

dns primary

To specify the primary DNS server to use for DNS queries and resolution, use the dns primary command. Use the no form of this command to remove the primary DNS server.

dns primary ip_or_host
no dns primary

Syntax Description

ip_or_host

The IP address or host name of the primary DNS server. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1) or a host name (for example, myhost.mydomain.com). A host name entered here must be resolvable without this server, for example through a local host-table entry.


Command Modes

Global configuration mode

dns secondary

To specify a secondary DNS server, use the dns secondary command. When the primary server fails, the CSS uses a secondary server for DNS name resolution. Use the no form of this command to remove a secondary DNS server.

dns secondary ip_or_host
no dns secondary ip_or_host

Syntax Description

ip_or_host

The address for the secondary DNS server. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1) or the mnemonic host name (for example, myhost.mydomain.com).


Command Modes

Global configuration mode

Usage Guidelines

You can specify a maximum of two secondary servers. To specify each additional server, repeat the dns secondary command. The order in which you enter them is the order in which they are used if the primary DNS server fails.

dns suffix

To specify the default suffix to use when querying the DNS server to resolve a DNS name, use the dns suffix command. Use the no form of this command to remove the default suffix.

dns suffix suffix
no dns suffix

Syntax Description

suffix

The default suffix. Enter an unquoted text string with no spaces and a maximum length of 64 characters (for example, webhoster.com).


Command Modes

Global configuration mode

(config) dns-boomerang client

To configure and enable the Content Routing Agent (CRA) functionality on the CSS, use the dns-boomerang client command. The CSS functioning as a CRA improves HTTP response time for a client request. A Cisco Content Router 4430B configured as a Content Routing server redirects a client to the closest (best) replicated-content site represented by a CRA, based on network delay.

The options for this global configuration mode command are:

dns-boomerang client cpu-threshold..., specifies the CPU load threshold for a CSS CRA

dns-boomerang client domain..., creates a client domain record in the CSS CRA domain name server or creates a client alias record

dns-boomerang client enable, enables the CRA functionality on the CSS

For information on these options and associated variables, see the following commands.

Related Commands

show dns-boomerang client

dns-boomerang client cpu-threshold

To set the CPU load threshold for a CSS CRA, use the dns-boomerang client cpu-threshold command. If the CSS CPU load exceeds the configured threshold value, then the CSS drops incoming DNS requests from the Content Router. Use the no form of this command to reset the CSS CPU threshold to the default value of 99.

dns-boomerang client cpu-threshold number
no dns-boomerang client cpu-threshold

Syntax Description

number

The load threshold value. Enter a number from 1 to 99. The default value is 99.


Command Modes

Global configuration mode

Usage Guidelines

The load threshold value is the percentage of CPU utilization shown in the show system-resources command.

Related Commands

show system-resources
dns-boomerang client domain

dns-boomerang client domain

To create a client domain record in the CSS CRA or an alias for the record, use the dns-boomerang client domain command. The record maps to each of the domains you associated with the agent when you configured domains on the Content Router. Use the no form of this command to remove a client domain or the alias for the domain.

dns-boomerang client domain dns_name [alias alias_name|ip_or_host {"uri"} {key ["secret"|des-encrypted encrypted_key|"encrypt_key"]} {dns-ttl number1} {ip-ttl number2} {threshold number3}]

no dns-boomerang client domain dns_name {alias alias_name}

Syntax Description

dns_name

The domain name mapped to the client record. Enter the name as a case-sensitive, unquoted text string with no spaces and a maximum length of 72 characters. For example, www.sample.com.

alias

Creates an alias for an existing client domain. The alias behaves exactly the same as the configured domain.

alias_name

The alias name for the associated DNS name. Enter the name as a case-sensitive unquoted text string with no spaces and a maximum length of 72 characters.

ip_or_host

The IP address or host name of the content server or web cache bound to the domain name on the CSS. This address can be a local VIP. Enter the address in dotted-decimal notation (for example, 192.168.11.1) or a mnemonic host name (for example, myhost.mydomain.com).

"uri"

Optionally defines the URI that the CSS uses for the keepalive probe to the Content Router for a domain. Enter a quoted text string with a maximum of 255 characters. If you do not prepend the URI with a slash (/) character, the CSS prepends it.

key

Optionally defines the clear-text secret or DES encryption key on the Content Router.

"secret"

The clear-text secret shared with the Content Router for securing the packets exchanged between the Content Router and the CSS client. It must match the secret configured on the Content Router. Enter the secret as a case-sensitive quoted text string with a maximum of 64 characters.

des-encrypted

Indicates that the key that follows is in the DES (Data Encryption Standard) encrypted form that the CSS produces when it saves a secret.

encrypted_key

The secret in the DES-encrypted form that the CSS produced earlier (for example, copied from a saved running-config). The CSS does not re-encrypt this value and saves it in the running-config as you entered it. Enter an unquoted case-sensitive text string with no spaces and a maximum of 64 characters.

"encrypt_key"

The clear-text secret that you want the CSS to store in DES-encrypted form. The CSS encrypts the key and saves the encrypted form, not the text you entered, in the running-config. Enter a quoted case-sensitive text string with no spaces and a maximum of 16 characters.

dns-ttl number1

Optionally defines the DNS time-to-live value returned with the DNS responses of the CSS client. This option determines the length of time that a domain name server caches the returned information for reuse. Enter an integer from 1 to 2147483647 seconds. The default value is from the Content Router.

ip-ttl number2

Optionally defines the IP time-to-live value, in hops, set in the IP packets that carry the CSS client's DNS responses. It limits how many router hops a response can traverse on its way to the client's local name server (the D-Proxy) before it is discarded. Because the responses of all CRAs race to the D-Proxy and the first to arrive wins, a small value keeps this CSS out of races for distant clients, whose responses would expire in transit. Enter an integer from 1 to 255. The default value is taken from the Content Router.

threshold number3

Optionally defines the load threshold for testing the keepalive state of a local VIP. If the load on the associated rule is greater than the threshold, then the CSS drops Content Router requests until the load goes below the threshold. Enter an integer from 2 to 254. The default value is 254.


Command Modes

Global configuration mode

Usage Guidelines

If the matching domain record keepalive messaging succeeds, the CSS uses this record for DNS resolutions and will respond to the D-Proxy on behalf of the Content Router.

dns-boomerang client enable

To enable the Content Routing Agent (CRA) functionality on a CSS, use the dns-boomerang client enable command. Use the no form of this command to disable the CRA functionality.

dns-boomerang client enable
no dns-boomerang client enable

Command Modes

Global configuration mode

Usage Guidelines

Before you enable the CRA functionality on a CSS, configure a Cisco Content Router 4430B as a Content Routing server and CRAs on the server. For information on configuring the server, refer to the Cisco Content Router 4430B User Guide.
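The following sequence is an added example, not text from the Cisco reference. It assumes a Content Router that already has www.example.com assigned to this CRA with the secret shown; the VIP, URI and secret are made up. Lines beginning with ! are annotations, not CSS commands.

```text
! Stop answering the Content Router when this CSS is above 80% CPU,
! instead of waiting for the default 99%.
dns-boomerang client cpu-threshold 80

! Domain record: local VIP 192.168.11.20, keepalive probe URI /healthz,
! shared secret matching the Content Router, 60-second DNS TTL, IP TTL
! of 4 hops so this CSS drops out of races for distant clients, and drop
! Content Router requests while the VIP's content rule load exceeds 200.
dns-boomerang client domain www.example.com 192.168.11.20 "/healthz" key "Boom-Secret" dns-ttl 60 ip-ttl 4 threshold 200

! Alias that behaves exactly like the domain above.
dns-boomerang client domain www.example.com alias example.com

! Turn the CRA on only after the records exist.
dns-boomerang client enable
```

Verify the result with show dns-boomerang client; the CSS answers the D-Proxy for a domain only while that domain's keepalive succeeds.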

(config) dns-peer

To control the DNS peer functionality on the CSS, use the dns-peer command. You can configure the CSS as a DNS peer to exchange DNS information over an APP connection to other CSSs. The options for this global configuration mode command are:

dns-peer interval..., sets the time between sending load reports to each CSS DNS peer

dns-peer receive-slots..., sets the maximum number of DNS names that the CSS can receive from each CSS DNS peer

dns-peer send-slots..., sets the maximum number of DNS names that the CSS can send to each CSS DNS peer

For information on these options and associated variables, see the following commands.

Related Commands

show dns-peer
(config) app
(config) dns
(config-owner) dns
(config-owner-content) add dns

dns-peer interval

To set the time between sending load reports to CSS DNS peers over an APP connection, use the dns-peer interval command. Use the no form of this command to reset the interval to its default value of 5.

dns-peer interval number
no dns-peer interval

Syntax Description

number

The time in seconds between generating load reports. Enter an integer from 5 to 120. The default is 5.


Command Modes

Global configuration mode

dns-peer receive-slots

To set the maximum number of DNS names that the CSS can receive from each CSS DNS peer over an APP connection, use the dns-peer receive-slots command. Use the no form of this command to reset the maximum number of DNS names received from a peer to its default value of 128.

dns-peer receive-slots number
no dns-peer receive-slots

Syntax Description

number

The maximum number of DNS names that can be received from a peer. Enter an integer from 128 to 1024. The default is 128.


Command Modes

Global configuration mode

dns-peer send-slots

To set the maximum DNS names that the CSS can send to each CSS DNS peer, use the dns-peer send-slots command. Use the no form of this command to reset the maximum number of DNS names sent to a peer to its default value of 128.

dns-peer send-slots number
no dns-peer send-slots

Syntax Description

number

The maximum number of DNS names sent to a peer. Enter an integer from 128 to 1024. The default is 128.


Command Modes

Global configuration mode

(config) dns-record

To create a domain record, use the dns-record command and its options. This command is not available on a Proximity Database CSS. The command options are:

dns-record a..., creates a domain record on the CSS Zone Domain Name Server mapped directly to an IP address

dns-record accel..., creates a domain acceleration record on the CSS mapped to a content rule through an IP address

dns-record ns..., creates a domain record on the CSS Zone Domain Name Server mapped to a name server IP address

dns-record zero..., resets the DNS record statistics to zero

For information on these options and associated variables, see the following commands.

Related Commands

show dns-record
(config) dns-server zone

dns-record a

To create a domain record on the CSS Zone Domain Name Server that maps the DNS name to an IP address, use the dns-record a command. If a domain can be directly translated to an IP address, configure it as an a-record. Use the no form of this command to delete a domain address record.

dns-record a dns_name ip_address {ttl_value {single|multiple {kal-ap|kal-icmp|kal-none {ip_address2 {threshold {sticky-disabled|sticky-enabled {usedefault|weightedrr|srcip|leastloaded|preferlocal|roundrobin|proximity {weight}}}}}}}}

no dns-record a dns_name

Syntax Description

dns_name

The DNS name mapped to the address record. Enter the name as a case-sensitive, unquoted text string with no spaces and a maximum of 63 characters.

ip_address

The IP address bound to the dns_name within the CSS zone. Enter the address in dotted-decimal notation (for example, 192.168.11.1).

ttl_value

The optional Time to Live (TTL) value in seconds. This value determines how long the DNS client remembers the IP address response to the query. Enter a value from 0 to 65535. The default is 0.

single|multiple

The optional number of records to return on a DNS response message. Enter either single or multiple. By default, the DNS server returns a single a-record. Setting this parameter to single ensures that only one a-record is returned.

kal-ap|kal-icmp
|kal-none

The optional keepalive message type for this record. The types are:

kal-ap for the CSS keepalive message.

kal-icmp for an ICMP echo message (ping). This is the default setting.

kal-none for no keepalive messaging.

ip_address2

The IP address of the local interface receiving CSS keepalive messages.

threshold

The load threshold used with the CSS proximity keepalive. The CSS considers that this record is in the Down state when the load number is greater than this value. Enter a value from 2 to 254. The default is 254.

sticky-disabled|sticky-enabled

Optionally disable or enable DNS sticky for the domain. The sticky-disabled option disables DNS Sticky for the specified domain. This is the default setting.

The sticky-enabled option causes a CSS 11000 series DNS server to attempt to send a sticky response to the client for the specified domain. See "Usage Guidelines" for more information.

usedefault

Returns domain records using the default DNS load-balancing method configured for the zone.

weightedrr

For an 11500 series CSS, returns domain records based on the weighted roundrobin load-balancing method. This method uses the weight value to determine the zone from which the record should be requested.

srcip

Returns domain records using a source IP address hash. For sticky-enabled domains without a GSDB, the CSS uses the srcip method regardless of the configured balance method. For sticky-enabled domains with a GSDB, a CSS uses the configured balance method when the GSDB does not contain an entry for the requested domain.

leastloaded

Returns domain records from the zone with the smallest load.

preferlocal

Returns local domain records whenever possible. If no local record exists, the CSS uses the balance method configured for the zone with the lowest zone index.

roundrobin

Returns domain records by cycling among records available at the different zones to evenly distribute the load.

proximity

Returns domain records based on proximity information. If a PDB is not configured or is unavailable in a zone, the CSS applies the default balance method for the selected zone for DNS resolution. This is the default method.

weight

For an 11500 series CSS, a value assigned to a domain in the local zone to determine how many requests the local zone receives for the specified domain compared with other zones in a peer mesh. A domain with a weight of 10 in the local zone will receive twice as many requests as the same domain in another zone with a weight of 5.

Use this parameter on an 11500 series CSS with the weighted roundrobin DNS load-balancing method. CSSs configured as authoritative DNS servers in a peer mesh share domain weights, hit counts, maximum hit counts, and a zone pointer with each other. Enter an integer from 1 to 10. The default is 1.

If your configuration includes 11000 series CSSs, the weight value defaults to 1 and is not configurable for those CSSs.


Command Modes

Global configuration mode

Usage Guidelines

This command is available on a CSS PDNS.

If you need to modify an existing A-record configuration, you must first remove the record using the no dns-record a domain_name command. Then, recreate the A-record with the change using the dns-record a command.

When you enable DNS Sticky through the sticky-enabled option, the CSS makes a decision based on one of the following three scenarios:

In a global server load-balancing (GSLB) environment without a global sticky database (GSDB), the CSS selects a server based on the srcip hash (regardless of the default load-balancing method) and the availability of the domain in the zone mesh. The use of the srcip hash ensures that the CSS selects a consistent zone for a given source IP address.

In a GSLB environment with a GSDB, the CSS sends a lookup request to the Global Sticky Database for the requesting client's local DNS server. If the GSDB has an entry in its sticky database for the client's local DNS server IP address, it returns the appropriate zone index to the CSS. The CSS then returns the associated IP address to the client. Otherwise, the CSS selects a zone based on the default load-balancing method and informs the GSDB about the selected zone.

In a Network Proximity environment, the CSS configured as a Proximity Domain Name Server (PDNS) first consults the GSDB. If a sticky database entry exists for the client's local DNS server IP address, the PDNS sends the appropriate IP address to the client based on the zone index returned by the GSDB. If the GSDB does not contain an entry for the client's local DNS server IP address, the PDNS consults the Proximity Database (PDB).

If the PDB contains an entry for the client's local DNS server IP address, the PDNS formulates a response to the client based on the ordered zone index returned by the PDB and keepalive information. The PDNS informs the GSDB about the selected zone (performs a "set" function). If the PDB does not have an entry for the client's local DNS server IP address or the sticky zone is unavailable, the CSS selects a zone based on its default load-balancing method and informs the GSDB about the selected zone.


Note If you configure any sticky domains in a particular zone, you must configure all sticky domains participating in the peer mesh in that same zone. Otherwise, the thrashing of the sticky zone index will cause DNS Sticky to fail.


For details on configuring DNS Sticky, refer to the Cisco Content Services Switch Advanced Configuration Guide.

The CSS uses the following guidelines when selecting a DNS load-balancing method on a domain basis:

If a local record exists, the CSS uses the configured domain balance method to determine local DNS resolutions. This applies regardless of the local record's keepalive state.

If no local record exists, the CSS uses the balance method configured for the zone with the lowest zone index.
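An added example, not from the Cisco reference, showing the positional order of the optional arguments and the remove-then-recreate procedure. It assumes an 11500 series CSS (the weight argument is ignored on 11000 series), a zone already configured with dns-server zone, and a VIP and local interface address that are made up. Lines beginning with ! are annotations, not CSS commands.

```text
! A-record for www.example.com on VIP 192.168.11.20: 30-second TTL,
! one record per answer, CSS keepalive (kal-ap) received on the local
! interface 192.168.11.2, record goes Down above load 200, DNS Sticky
! enabled, weighted round robin with weight 10 (twice the share of a
! peer zone that configured the same domain with weight 5).
dns-record a www.example.com 192.168.11.20 30 single kal-ap 192.168.11.2 200 sticky-enabled weightedrr 10

! There is no in-place edit: to lower the threshold, remove the record
! and recreate it with every argument restated.
no dns-record a www.example.com
dns-record a www.example.com 192.168.11.20 30 single kal-ap 192.168.11.2 150 sticky-enabled weightedrr 10
```

Because the arguments are positional, you cannot set sticky or a balance method without also supplying the TTL, record count, keepalive type, keepalive address and threshold that precede them. Confirm the result with show dns-record, and remember that if any sticky domain lives in this zone, every sticky domain in the peer mesh must be configured in the same zone.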

Related Commands

show dns-record

dns-record accel

To create a DNS acceleration record for the domains you want to accelerate on the CSS, use the dns-record accel command. Use the no form of this command to delete a DNS acceleration record.

dns-record accel dns_name ip_address {ageout}
no dns-record accel dns_name

Syntax Description

dns_name

The DNS name you want to map to the acceleration record. Enter a case-sensitive unquoted text string with no spaces and a maximum of 63 characters.

ip_address

The IP address of the local content rule that will handle content request for the DNS name during content acceleration.

ageout

The optional number of minutes that the domain remains accelerated. Enter a number from 0 to 525600. The default is 180 minutes. If you enter 0, the accelerated domain record does not age out.


Usage Guidelines

The DNS acceleration record indicates a DNS name that is eligible for content acceleration. The record maps the name to a content rule through an IP address. To enable the acceleration of domains, use the (config) dns-server accelerate domains command. The dns-record accel command is not available on a Proximity Database CSS.

Configure non-accelerated domains as either A-records or NS-records.


Note If the content rule associated with the acceleration candidate domain is suspended or cannot provide service for content requests, the CSA does not accelerate the domain.


Related Commands

show dns-record accel
(config) dns-server accelerate domains

dns-record ns

To create a domain record on the CSS Zone Domain Name Server that maps the DNS name to a Name Server IP address, use the dns-record ns command. If a domain cannot be directly translated to an IP address, configure it as an ns-record. Use the no form of this command to delete a DNS record.

dns-record ns dns_name ip_address {ttl_value {single|multiple {kal-ap|kal-icmp|kal-none {ip_address2 {threshold {default|forwarder {sticky-disabled|sticky-enabled {weight {usedefault|weightedrr|srcip|leastloaded|preferlocal|roundrobin|proximity}}}}}}}}}

no dns-record ns dns_name

Syntax Description

dns_name

The DNS name mapped to the name server record. Enter the name as a case-sensitive, unquoted text string with no spaces and a maximum of 63 characters.

ip_address

The IP address of the DNS server bound to the dns_name within the CSS zone. Enter the address in dotted-decimal notation (for example, 192.168.11.1).

ttl_value

The optional Time to Live (TTL) value in seconds. This value determines how long the DNS client remembers the IP address response to the query. Enter a value from 0 to 65535. The default is 0.

single|multiple

The optional number of records to return on a DNS response message. Enter either single or multiple. By default, the DNS server returns a single ns-record. Setting this parameter to single ensures that only one ns-record is returned.

kal-ap|kal-icmp|kal-none

The optional keepalive message type for the record. The types are:

kal-ap for the CSS keepalive message.

kal-icmp for an ICMP echo message (ping). This is the default setting.

kal-none for no keepalive messaging.

ip_address2

The optional IP address of the local interface receiving CSS keepalive messages.

threshold

The optional load threshold for the record. The CSS considers that the record is in the Down state when the load number is greater than this value. Enter a value from 2 to 254. The default is 254.

default

Uses PDB information to return the next most proximate location. When a PDB is not available or configured, the roundrobin method is used.

forwarder

Eliminates a potential single point of failure by providing a maximum of two alternative DNS servers called forwarders. A forwarder can be a CSS configured as a DNS server or a fully-functional BIND DNS server. If an optimal miss occurs (the lower-level DNS server indicated in the NS-record is Down), the PDNS sends the DNS request to the primary or secondary forwarder, depending on forwarder health and configuration. An optimal miss occurs when the PDNS cannot return the NS-record for the zone that the PDB indicated was most proximate. For this failover to occur, the local NS-record must be in the Down state, and the PDB has indicated the local zone to be the zone most proximate to the client.

sticky-disabled|sticky-enabled

Optionally disable or enable DNS sticky for the domain. The sticky-disabled option disables DNS Sticky for the specified domain. This is the default setting.

The sticky-enabled option causes an 11000 series CSS DNS server to attempt to send a sticky response to the client for the specified domain. See "Usage Guidelines" for more information.

weight

For an 11500 series CSS, a value assigned to a domain in the local zone to determine how many requests the local zone receives for the specified domain compared with other zones in a peer mesh. A domain with a weight of 10 in the local zone will receive twice as many requests as the same domain in another zone with a weight of 5.

Use this parameter on an 11500 series CSS with the weighted roundrobin DNS load-balancing method. CSSs configured as authoritative DNS servers in a peer mesh share domain weights, hit counts, maximum hit counts, and a zone pointer with each other. Enter an integer from 1 to 10. The default is 1.

Note If your configuration includes 11000 series CSSs, the weight value defaults to 1 and is not configurable for those CSSs.

usedefault

Returns domain records using the default DNS load-balancing method configured for the zone.

weightedrr

For an 11500 series CSS, returns domain records based on the weighted roundrobin load-balancing method. This method uses the weight value to determine the zone from which the record should be requested.

srcip

Returns domain records using a source IP address hash. For sticky-enabled domains without a GSDB, the CSS uses the srcip method regardless of the configured balance method. For sticky-enabled domains with a GSDB, a CSS uses the configured balance method when the GSDB does not contain an entry for the requested domain.

leastloaded

Returns domain records from the zone with the smallest load.

preferlocal

Returns local domain records whenever possible. If no local record exists, the CSS uses the balance method configured for the zone with the lowest zone index.

roundrobin

Returns domain records by cycling among records available at the different zones to evenly distribute the load.

proximity

Returns domain records based on proximity information. If a PDB is not configured or is unavailable in a zone, the CSS applies the default balance method for the selected zone for DNS resolution. This is the default method.


Command Modes

Global configuration mode

Usage Guidelines

This command is available on a CSS PDNS.

If you need to modify an existing NS-record configuration, you must first remove the record using the no dns-record ns domain_name command, and then recreate the NS-record with the change using the dns-record ns command.

When you enable DNS Sticky through the sticky-enabled option, the CSS makes a decision based on one of the following three scenarios:

In a global server load-balancing (GSLB) environment without a global sticky database (GSDB), the CSS selects a server based on the srcip hash (regardless of the default load-balancing method) and the availability of the domain in the zone mesh. The use of the srcip hash ensures that the CSS selects a consistent zone for a given source IP address.

In a GSLB environment with a GSDB, the CSS sends a lookup request to the Global Sticky Database for the requesting client's local DNS server. If the GSDB has an entry in its sticky database for the client's local DNS server IP address, it returns the appropriate zone index to the CSS. The CSS then returns the associated IP address to the client. Otherwise, the CSS selects a zone based on the default load-balancing method and informs the GSDB about the selected zone.

In a Network Proximity environment, the CSS configured as a Proximity Domain Name Server (PDNS) first consults the GSDB. If a sticky database entry exists for the client's local DNS server IP address, the PDNS sends the appropriate IP address to the client based on the zone index returned by the GSDB. If the GSDB does not contain an entry for the client's local DNS server IP address, the PDNS consults the Proximity Database (PDB).

If the PDB contains an entry for the client's local DNS server IP address, the PDNS formulates a response to the client based on the ordered zone index returned by the PDB and keepalive information. The PDNS informs the GSDB about the selected zone (performs a "set" function). If the PDB does not have an entry for the client's local DNS server IP address or the sticky zone is unavailable, the CSS selects a zone based on its default load-balancing method and informs the GSDB about the selected zone.
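The three scenarios above form one decision sequence: consult the GSDB if there is one, then the PDB if this is a PDNS, then the default balance method, and record the choice in the GSDB. The following Python model is an added example, not CSS code: the CSS's hash function, APP message formats and database layout are not documented on this page, so the GSDB and PDB are modelled as in-memory dictionaries, the source IP hash as a CRC32 over the D-proxy (the client's local DNS server) address, and the TTL refresh follows the behaviour described for the gsdb ttl option later in this chapter. All addresses used are constructed sample data.

```python
"""Model of the DNS Sticky decision sequence for a sticky-enabled domain.

Added example, not CSS code. GSDB/PDB are in-memory stand-ins and CRC32
replaces the undocumented CSS source IP hash.
"""
import time
import zlib
from typing import Callable, Dict, List, Optional, Tuple


class GSDB:
    """Global Sticky Database: D-proxy IP -> (zone index, expiry time).

    A sticky request that arrives before the entry's TTL expires resets
    the timer, as described for the gsdb ttl option.
    """

    def __init__(self, ttl_seconds: int = 7200,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries: Dict[str, Tuple[int, float]] = {}

    def lookup(self, dproxy_ip: str) -> Optional[int]:
        entry = self._entries.get(dproxy_ip)
        if entry is None:
            return None
        zone, expires = entry
        if self.clock() >= expires:
            del self._entries[dproxy_ip]        # aged out
            return None
        self._entries[dproxy_ip] = (zone, self.clock() + self.ttl)  # refresh
        return zone

    def set(self, dproxy_ip: str, zone: int) -> None:
        self._entries[dproxy_ip] = (zone, self.clock() + self.ttl)


def srcip_zone(dproxy_ip: str, available_zones: List[int]) -> int:
    """Source IP hash: a given D-proxy always lands on the same available
    zone. CRC32 is an assumed stand-in for the undocumented CSS hash."""
    ordered = sorted(available_zones)
    return ordered[zlib.crc32(dproxy_ip.encode()) % len(ordered)]


def sticky_resolve(dproxy_ip: str,
                   available_zones: List[int],
                   default_method: Callable[[List[int]], int],
                   gsdb: Optional[GSDB] = None,
                   pdb: Optional[Dict[str, List[int]]] = None) -> int:
    """Return the zone index whose record is answered to the D-proxy.

    No GSDB:        srcip hash, regardless of the configured balance method.
    GSDB, no PDB:   GSDB hit wins; otherwise the default method, then "set".
    PDNS with PDB:  GSDB hit wins; otherwise the first available zone in the
                    PDB's proximity order, else the default method; either
                    way the choice is "set" in the GSDB.
    """
    if not available_zones:
        raise ValueError("no zone has an available record for this domain")
    if gsdb is None:
        return srcip_zone(dproxy_ip, available_zones)

    zone = gsdb.lookup(dproxy_ip)
    if zone is not None:
        if zone in available_zones:
            return zone                         # sticky hit
        # sticky zone is down: fall through to the default method
    elif pdb is not None:
        for candidate in pdb.get(dproxy_ip, []):
            if candidate in available_zones:    # keepalive says record is up
                gsdb.set(dproxy_ip, candidate)
                return candidate

    zone = default_method(available_zones)
    gsdb.set(dproxy_ip, zone)
    return zone
```

The model makes the failure modes in the text visible: without a GSDB the configured balance method is ignored entirely, and a GSDB entry that points at a zone whose record is down is bypassed rather than returned to the client.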


Note If you configure any sticky domains in a particular zone, you must configure all sticky domains participating in the peer mesh in that same zone. Otherwise, the thrashing of the sticky zone index will cause DNS Sticky to fail.


For details on configuring DNS Sticky, refer to the Cisco Content Services Switch Advanced Configuration Guide.

The CSS uses the following guidelines when selecting a DNS load-balancing method on a domain basis:

If a local record exists, the CSS uses the configured domain balance method to determine local DNS resolutions. This applies regardless of the local record's keepalive state.

If no local record exists, the CSS uses the balance method configured for the zone with the lowest zone index.

Related Commands

show dns-record
(config) dns-server forwarder

dns-record zero

To reset the statistics or counters displayed by the show dns-record command to zero for all domain records or a specific domain name, use the dns-record zero command.

dns-record zero [a/ns {domain_name}|accel {domain_name}]

Syntax Description

a/ns

Resets the statistics for the domain records displayed by the show dns-record statistics command and the show dns-record proximity command.

domain_name

The specified domain name mapped to the DNS record. To view a list of domain names, enter:

dns-record zero [a/ns|accel] ?

accel

Resets the counters for the acceleration records displayed by the show dns-record accel command.


Usage Guidelines

The dns-record zero command is not available on a Proximity Database CSS.

Related Commands

show dns-record
(config) dns-record

(config) dns-server

To enable the DNS server function on the CSS, use the dns-server command. The CSS acts as the authoritative name server for the content domain. Use the no form of this command to disable DNS server functionality on the CSS.

dns-server
no dns-server

Related Commands

show dns-server
show zone
(config) app
(config) dns
(config-owner) dns
(config-owner-content) add dns

(config) dns-server accelerate domains

To enable the domain acceleration and configure the Client Side Accelerator (CSA) on the CSS, use the dns-server accelerate domains command. Use the no form of this command to disable domain acceleration.

dns-server accelerate domains {threshold interval max_number [single-location|multi-location]}

no dns-server accelerate domains

Syntax Description

threshold

The hits threshold used to determine whether a domain is accelerated. When the hits on the domain are greater than or equal to the threshold, the CSA accelerates the domain. Enter a number from 0 to 65535. The default is 0, indicating that the CSA always accelerates the candidate domains.

interval

The interval in minutes over which the CSA samples the hits on the domain and compares the hits with the threshold. Enter a number from 1 to 3600. The default is 5.

max_number

The maximum number of domains that the CSA can accelerate. Enter a number from 0 to 4096. The default is 1024.

single-location

Allows CSA peers to share content by maintaining the content on the cache farm of a single CSA.

multi-location

Allows multiple CSAs to accelerate the same domain resulting in multiple cache farms maintaining the same content. This can occur when two or more CSAs (located in different POPs) are configured for multi-location and accelerate the same domain. Each cache farm maintains the same content after:

The CSAs accelerate the same domain.

A cache in each POP retrieves the same content from the origin server.


Usage Guidelines

Use the dns-server accelerate command to enable the acceleration of domains configured through the dns-record accel command.

Related Commands

show dns-server accelerate domains
(config) dns-record accel

(config) dns-server bufferCount

To change the DNS response buffer count on the CSS, use the dns-server bufferCount command. Use the no form of this command to set the DNS response buffer count to its default value of 50.

dns-server bufferCount number
no dns-server bufferCount

Syntax Description

number

The number of buffers allocated for query responses. Enter an integer from 2 to 1000. The default is 50.


Usage Guidelines

Use the dns-server bufferCount command to tune the CSS only if the CSS experiences buffer depletion during normal use. If the name server buffers (NS Buffers) drop below two, increase the buffer count and also increase the responder task count with the (config) dns-server respTasks command. To view the buffers, use the show dns-server command.

Related Commands

show dns-server

(config) dns-server domain-cache

To enable domain caching to track DNS request counts and configure the parameters for the domain cache on the CSA, use the dns-server domain-cache command. Use the no form of this command to disable domain caching.

dns-server domain-cache {cache_size ageout|purge {dns_name}|zero {dns_name}}

no dns-server domain-cache

Syntax Description

cache_size

The number of domains that the CSA can cache. Enter a number from 1 to 4096. The default is 1024.

ageout

The maximum number of seconds that the domain entry remains in cache. Enter a number from 0 to 60. The default is 10 seconds. If you enter 0, the domain entries remain in cache unless they are removed with the purge option.

purge

Removes all entries or the specified entries in the domain cache.

dns_name

The DNS entry in the domain cache. To see a list of entries, enter:

dns-server domain-cache [purge|zero] ?

zero

Resets all counters for all entries or the specified entry in the domain cache displayed through the show dns-server domain-cache command.


Usage Guidelines

Use the dns-server domain-cache command to create the domain cache and enable it. The domain cache records all domains including accelerated domains.


Note Enabling or disabling the domain cache does not affect domain acceleration. The operation of the domain cache can impact the DNS request/response rate performance. Use the domain cache only when you need to identify potential acceleration candidates.


Related Commands

show dns-server domain-cache

(config) dns-server forwarder

To configure a DNS server forwarder on a CSS, use the dns-server forwarder command. The forwarder is an alternative server for resolving DNS requests. In the case of proximity, the forwarder is a CSS in the same zone as the PDB. When the CSS is acting as a CSA, the forwarder is a fully-functional Berkeley Internet Name Domain (BIND) DNS server, not a CSS. Use the no form of this command to delete the DNS forwarder.

dns-server forwarder [primary ip_address|secondary ip_address|zero]
no dns-server forwarder primary|secondary

Syntax Description

primary

Specifies the first choice forwarder.

The CSS sends unresolvable requests to the primary forwarder unless it is unavailable, in which case, it uses the secondary forwarder. When the primary forwarder is available again, the CSS resumes sending requests to the primary forwarder.

secondary

The second choice as the forwarder.

ip_address

The IP address for the DNS forwarder. Enter the address in dotted-decimal notation (for example, 192.168.11.1).

zero

Resets the statistics of both forwarders on the CSS. The statistics are displayed through the show dns-server forwarder command.


Usage Guidelines

The CSS uses the primary forwarder first. If it is unavailable, the CSS uses the secondary forwarder.

The forwarder receives DNS requests that the CSS cannot resolve, or that contain an unsupported request or record type. The forwarder sends DNS responses to the client transparently through the CSS. To monitor forwarder health, an internal keepalive mechanism sends queries periodically to validate the state of the forwarder.

Related Commands

show dns-server forwarder
(config) dns-record ns

(config) dns-server respTasks

To change the DNS server responder task count, use the dns-server respTasks command. These tasks handle responses to incoming DNS query requests. Use the no form of this command to set the DNS responder task count to its default value of 2.

dns-server respTasks number
no dns-server respTasks

Syntax Description

number

The number of tasks. Enter an integer from 1 to 250. The default is 2.


Usage Guidelines

If you increase the responder task count, also increase the buffer count with the (config) dns-server bufferCount command.

(config) dns-server zero

To set the DNS server request and response statistics displayed by the show dns-server command to zero, use the dns-server zero command.

dns-server zero

Usage Guidelines

The dns-server zero command is not available on a Proximity Database CSS.

Related Commands

show dns-server
(config) dns-server

(config) dns-server zone

To enable the CSS Zone Domain Name Server (DNS) on a CSS or configure how the CSS handles the leastloaded balance method, use the dns-server zone command. This service allows the CSS to respond to DNS requests based upon proximity and shared zone domain availability. Use the no form of this command to disable the CSS Proximity Domain Name Server or disable DNS server zone load reporting.

dns-server zone zoneIndex {tier1|tier2 {"description" {roundrobin|preferlocal|leastloaded|srcip|weightedrr|ip_address {roundrobin|preferlocal|leastloaded|srcip|weightedrr}}}}

dns-server zone load [reporting|frequency seconds|variance number]

no dns-server zone
no dns-server zone load [reporting|frequency|variance]

Syntax Description

zoneIndex

The numerical identifier of the Proximity Zone of the CSS. This number should match the zoneIndex configured on the Proximity Database. Enter an integer from 0 to 15.

tier1|tier2

The optional maximum number of zones the CSS expects to participate in its proximity zone mesh. Enter tier1 for a maximum of 6 zones, numbered 0 to 5. Enter tier2 for a maximum of 16 zones, numbered 0 to 15. Tier1 is the default.

For CSA applications, the tier you select must be the same as the tier for the other CSAs participating in the mesh.

description

The optional text description of the CSS zone. Enter a quoted string with a maximum of 20 characters.

ip_address

The IP address of the PDB. Enter the address in dotted-decimal notation (for example, 192.168.11.1). This enables the DNS server to respond to DNS requests based on proximity. For CSA applications, do not enter an IP address.

roundrobin|preferlocal|leastloaded|srcip|weightedrr

The optional balance method to determine the algorithm that the DNS server uses to choose returned records when a PDB is unavailable or not configured.

roundrobin, the CSS cycles between records available from different zones. This is the default method.

preferlocal, the CSS returns a record from the local zone whenever possible. Otherwise, the server uses the roundrobin method.

leastloaded, the CSS reports loads and selects a record from the zone that has the least traffic.

srcip, the CSS uses a source IP address hash to select the zone index to return to the client.

weightedrr, available only on an 11500 series CSS, the CSS gives a zone priority over other zones in a peer mesh according to the assigned domain weights. Each CSS maintains an internal list of services ordered from highest to lowest weight. The heaviest server (the server with the highest weight number) receives DNS requests until it reaches its maximum number of requests, then the next heaviest server receives DNS requests until it reaches its maximum, and so on. When all the servers have reached their maximum number of requests, the CSS resets the counters and the cycle starts over.

When you add a new DNS zone, each CSS adds the new servers to its list by weight. In this case, the CSSs do not reset their hit counters. This prevents flooding of the heaviest zone every time you add or remove a zone.

For example, a domain with a weight of 10 in the local zone will receive twice as many hits as the same domain with a weight of 5 in another zone. You assign domain weights using the dns-record command.

reporting

Enables the processing of local DNS server zone load information and sharing it with peers. The default is enabled.

frequency seconds

Specifies the period of time in seconds between processing local DNS server load information and the subsequent delivery of load information to peers. Enter an integer from 5 to 300 seconds (5 minutes). The default is 30 seconds.

variance number

Specifies the range of load numbers within which zones are considered similarly loaded. If the load numbers of all zones fall within the specified range, the CSS uses response times instead to identify the leastloaded site. Enter an integer from 1 to 254. The default is 50.
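The balance methods listed here (and for dns-record above) are small selection algorithms, but the text leaves two details implicit: how the variance window changes leastloaded's choice, and how weightedrr's per-zone counters behave across a reset and when a zone is added. The Python model below is an added example, not CSS code. It assumes that a zone's weightedrr "maximum number of requests" is the domain weight assigned with dns-record, that "within the specified range" means the spread between the highest and lowest load number is at most the variance, and that each zone exposes a load number and a response time; CRC32 stands in for the undocumented source IP hash. The zones are constructed sample data.

```python
"""Model of the dns-server zone balance methods. Added example, not CSS code;
see the lead-in for the assumptions about weights, variance and inputs."""
import zlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Zone:
    index: int
    available: bool = True      # keepalive state of the domain record
    weight: int = 1             # dns-record domain weight (weightedrr)
    load: int = 0               # shared zone load number (leastloaded)
    response_ms: float = 0.0    # tie-breaker when loads are within variance


class ZoneBalancer:
    def __init__(self, zones: List[Zone], local_index: int, variance: int = 50) -> None:
        if not 1 <= variance <= 254:
            raise ValueError("variance must be 1..254")
        self.zones: Dict[int, Zone] = {z.index: z for z in zones}
        self.local_index = local_index
        self.variance = variance
        self._rr_pos = 0
        self._wrr_hits: Dict[int, int] = {z.index: 0 for z in zones}

    def _avail(self) -> List[Zone]:
        up = [z for z in self.zones.values() if z.available]
        if not up:
            raise ValueError("no zone has an available record")
        return sorted(up, key=lambda z: z.index)

    def roundrobin(self) -> int:
        avail = self._avail()
        zone = avail[self._rr_pos % len(avail)]
        self._rr_pos += 1
        return zone.index

    def preferlocal(self) -> int:
        local = self.zones.get(self.local_index)
        if local is not None and local.available:
            return local.index
        return self.roundrobin()            # otherwise fall back to roundrobin

    def srcip(self, dproxy_ip: str) -> int:
        avail = self._avail()               # CRC32 is an assumed stand-in hash
        return avail[zlib.crc32(dproxy_ip.encode()) % len(avail)].index

    def leastloaded(self) -> int:
        avail = self._avail()
        loads = [z.load for z in avail]
        if max(loads) - min(loads) <= self.variance:
            # all loads "similar": decide on response time instead
            return min(avail, key=lambda z: z.response_ms).index
        return min(avail, key=lambda z: z.load).index

    def weightedrr(self) -> int:
        # heaviest zone first; serve it until it reaches its weight, then next
        ordered = sorted(self._avail(), key=lambda z: z.weight, reverse=True)
        for zone in ordered:
            if self._wrr_hits[zone.index] < zone.weight:
                self._wrr_hits[zone.index] += 1
                return zone.index
        # every zone hit its maximum: reset counters and start the cycle over
        for zone in ordered:
            self._wrr_hits[zone.index] = 0
        self._wrr_hits[ordered[0].index] = 1
        return ordered[0].index

    def add_zone(self, zone: Zone) -> None:
        """Adding a zone does not reset the existing hit counters."""
        self.zones[zone.index] = zone
        self._wrr_hits.setdefault(zone.index, 0)
```

Running weightedrr with weights 10 and 5 yields ten answers for the heavier zone followed by five for the lighter one before the counters reset, which is the 2:1 ratio the text describes; adding a third zone mid-cycle leaves the other counters in place, so the new zone is not flooded.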


Usage Guidelines

The dns-server zone command is available in the CSS Enhanced feature set.

If you need to modify a dns-server zone value, you must first disable the DNS server using the no dns-server command and then remove the zone using the no dns-server zone command. Restore the DNS server zone with the value change, and then reenable the DNS server. To enable or disable the dns-server zone load reporting command, you must first disable the DNS server using the no dns-server command, and then enter the dns-server zone load reporting or the no dns-server zone load reporting command.

(config) dnsflow

To either set up UDP traffic to DNS server port 53 as a CSS flow or forward the traffic, use the dnsflow command.

dnsflow [disable|enable]

Syntax Description

disable

Forwards UDP traffic on port 53 with the use of content rules and source groups without flow creation. In this state, the CSS has higher performance for DNS client server exchanges.

enable

Allows the CSS to create flows of UDP traffic on port 53. This is the default state.


Command Modes

Global configuration mode

(config) domain hotlist

To enable the domain hotlist, use the domain hotlist command. The domain hotlist is disabled by default. A domain hotlist lists the most accessed domains on the CSS during a user-defined period of time. Use the no form of this command to disable the domain hotlist.

domain hotlist
no domain hotlist

Related Commands

show domain hotlist

(config) domain hotlist interval

To configure the interval, in minutes, to refresh the domain hotlist and start a new list, use the domain hotlist interval command. Use the no form of this command to reset the interval to its default setting of 1 minute.

domain hotlist interval minutes
no domain hotlist interval

Syntax Description

minutes

The interval in minutes. Enter an integer from 1 to 60. The default is 1.


Related Commands

show domain hotlist

(config) domain hotlist size

To configure the maximum number of domain entries contained in the hotlist, use the domain hotlist size command. Use the no form of this command to reset the maximum size to its default setting of 10 entries.

domain hotlist size max_entries
no domain hotlist size

Syntax Description

max_entries

The maximum number of domain hotlist entries. Enter an integer from 1 to 100. The default is 10.


Related Commands

show domain hotlist

(config) domain hotlist threshold

To configure the threshold (the number of domain hits per interval) that must be exceeded for a domain to be considered hot and added to the list, use the domain hotlist threshold command. Use the no form of this command to reset the threshold to its default setting of 0.

domain hotlist threshold number
no domain hotlist threshold

Syntax Description

number

The threshold number. Enter a number from 0 to 65535. The default is 0, which indicates that the threshold is disabled.


Related Commands

show domain hotlist
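The four domain hotlist commands together define one counting rule: hits are tallied per domain within a fixed interval, a domain is hot only when its hits exceed the threshold, at most size entries are kept, and a fresh list starts every interval. The Python model below is an added example, not CSS code; it assumes timestamps in seconds and normalises names case-insensitively, which the page does not state. The query events are constructed sample data.

```python
"""Model of the domain hotlist counters (interval, size, threshold).
Added example, not CSS code; see lead-in for assumptions."""
from collections import Counter
from typing import List, Optional, Tuple


class DomainHotlist:
    def __init__(self, interval_minutes: int = 1, size: int = 10,
                 threshold: int = 0) -> None:
        # ranges and defaults are those documented for the three commands
        if not 1 <= interval_minutes <= 60:
            raise ValueError("interval must be 1..60 minutes")
        if not 1 <= size <= 100:
            raise ValueError("size must be 1..100 entries")
        if not 0 <= threshold <= 65535:
            raise ValueError("threshold must be 0..65535")
        self.interval = interval_minutes * 60
        self.size = size
        self.threshold = threshold          # 0 means "threshold disabled"
        self._window_start: Optional[float] = None
        self._hits: Counter = Counter()
        self.last_list: List[Tuple[str, int]] = []

    def record(self, ts: float, domain: str) -> None:
        """Count one DNS hit for domain at time ts (seconds)."""
        if self._window_start is None:
            self._window_start = ts
        while ts >= self._window_start + self.interval:
            self._roll()                    # interval expired: start a new list
        self._hits[domain.lower().rstrip(".")] += 1

    def _roll(self) -> None:
        self.last_list = self.current()
        self._hits = Counter()
        self._window_start += self.interval

    def current(self) -> List[Tuple[str, int]]:
        """Domains whose hits exceed the threshold, hottest first, capped at size."""
        hot = [(d, n) for d, n in self._hits.items() if n > self.threshold]
        hot.sort(key=lambda item: (-item[1], item[0]))
        return hot[: self.size]
```

Because the comparison is "exceeded", a threshold of 0 admits every domain that received at least one hit, which is why the page calls 0 "disabled"; a domain that merely equals a non-zero threshold stays off the list.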

(config) dql

To access and configure a Domain Qualifier List (DQL), use the dql command. A DQL is a collection of domain names that you can assign to a content rule, instead of creating a rule for each domain.

Use the no form of this command to remove an existing DQL.

dql dql_name
no dql existing_dql_name

Syntax Description

dql_name

The name of a new DQL you want to create or of an existing list. Enter an unquoted text string with no spaces and a maximum of 31 characters. To see a list of existing DQL names, enter:

dql ? 

Usage Guidelines

When you use the dql command to access DQL mode, the prompt changes to (config-dql [name]). You can also use this command from DQL mode to access another DQL. For information about commands available in this mode, see "DQL Configuration Mode Commands".

Related Commands

show dql
(config-owner-content) url

(config) dump

To enable or disable core dumps when the CSS experiences a fatal error, use the dump command. Core dumps are enabled by default.


Note Core dump information is for Customer Support use only.


dump [disable|enable]

Syntax Description

disable

Disables core dumps. When the CSS experiences a fatal error and core dumps are disabled, the CSS reboots automatically. The CSS does not write information to the hard disk or flash disk.

enable

Enables core dumps. This is the default setting. When the CSS experiences a fatal error and core dumps are enabled, the CSS:

Writes information about the fatal error to the Core directory of the volume root (for example, c:\core) on either the hard disk or flash disk:

On 11000 series CSSs, the hard disk can store a maximum of 30 sequentially numbered dump files. The flash disk stores one compressed dump file of 70 MB.

On 11500 series CSSs, the hard or flash disk stores one dump file per slot per card type until the disk is full. Files can be 10 to 20 MB in size.

Reboots automatically.


Usage Guidelines

For a flash disk-based system, if the core dump file is older than 15 minutes, it may be overwritten. If you want to save the core dump file for later examination, archive it to another directory or disk before it is overwritten. To archive a log file, see the archive log command.

Related Commands

show core

(config) eql

To access EQL configuration mode and configure an Extension Qualifier List (EQL), use the eql command. This list is a collection of file extensions for content requests joined together through content rules. The CSS uses this list to identify which requests to send to a service.

Use the no form of this command to delete an existing extension list.

eql eql_name
no eql existing_eql_name

Syntax Description

eql_name

The name of a new extension list you want to create or of an existing list. Enter an unquoted text string with no spaces and a maximum length of 31 characters. To see a list of existing EQL names, enter:

eql ?

Usage Guidelines

When you use the eql command to access eql mode, the prompt changes to (config-eql [name]). For information about commands available in this mode, see "EQL Configuration Mode Commands".

Related Commands

show eql
(config-owner-content) url

(config) flow permanent

To define a set of TCP or UDP ports that will have permanent connections and will not be reclaimed by the CSS when the flows are inactive, use the flow permanent command. By default, the CSS may reclaim TCP/UDP flows that have not received an ACK or content request after approximately 15 seconds. Use the no form of this command to disable a permanent connection by setting its port number to 0.

flow permanent [port[1|2|3|4|5|6|7|8|9|10]] port_number
no flow permanent [port[1|2|3|4|5|6|7|8|9|10]]

Syntax Description

port_number

The number of the port. Enter an integer from 0 to 65535. The default is 0, which disables a permanent connection on that port slot.


Usage Guidelines

The flow permanent command disables Denial of Service protection, and the reclaiming of ports under asymmetrical routing, for any flow that has the specified transport-layer port as its source or destination. Because such flows are never reclaimed while idle, reserve this command for ports that genuinely require long-lived connections.

You can define a maximum of 10 ports.

(config) flow port-reset

To enable the CSS to automatically reset Fast Ethernet and Gigabit Ethernet ports when it detects that they are not responding, use the flow port-reset command. By default, port resetting is enabled on the CSS. Use the no form of this command to disable port resets on the CSS.

flow port-reset
no flow port-reset

Usage Guidelines

Do not disable port resets without guidance from Cisco support personnel.

(config) flow reserve-clean

To define how often the CSS scans flows from reserved Telnet and FTP control ports to reclaim them, use the flow reserve-clean command. Control ports have port numbers less than 23. When the CSS determines that one of these ports has a flow with asymmetrical routing, it reclaims the port. Use the no form of this command to reset the flow cleanup on Telnet and FTP control ports to its default setting of 10 seconds.

flow reserve-clean seconds
no flow reserve-clean

Syntax Description

seconds

The time interval in seconds between scans. Enter an integer from 0 to 100. The default is 10. A setting of 0 disables the scan.


(config) flow tcp-mss

To configure the TCP maximum segment size (MSS), use the flow tcp-mss command. Use the no form of this command to reset the TCP maximum segment size to the default value of 1460 bytes.

flow tcp-mss size

Syntax Description

size

The maximum segment size (in bytes) from 1 to 1460. The default is 1460 bytes. Do not define a very small segment size. Smaller payloads may be less efficient due to increased overhead.


Usage Guidelines

The flow tcp-mss command applies only when the client is accessing a Layer 5 content rule. The CSS does not negotiate a TCP maximum segment size for Layer 3 or Layer 4 content rules. The MSS is the largest piece of TCP data that the CSS expects to receive from the other end. This command changes the MSS value in the TCP header options field of a SYN segment.
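The CSS enforces flow tcp-mss by editing the MSS option (kind 2, length 4) in the options field of the SYN, then recomputing the TCP checksum. The Python below is an added example, not CSS code, showing what that rewrite involves on the wire: walking the option list without reading past the data offset, lowering only an MSS that exceeds the configured limit, and recomputing the checksum over the IPv4 pseudo-header. The SYN segment and addresses are constructed sample data.

```python
"""Clamp the MSS option of a TCP SYN, the edit flow tcp-mss performs.
Added example, not CSS code; the sample SYN below is constructed."""
import struct
from typing import Optional

MSS_KIND = 2


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mss_offset(segment: bytes) -> Optional[int]:
    """Byte offset of the 2-byte MSS value inside segment, or None."""
    data_off = (segment[12] >> 4) * 4
    if data_off < 20 or data_off > len(segment):
        return None
    i = 20
    while i < data_off:
        kind = segment[i]
        if kind == 0:                       # End of Option List
            return None
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= data_off:
            return None
        length = segment[i + 1]
        if length < 2 or i + length > data_off:
            return None                     # malformed: never read past header
        if kind == MSS_KIND and length == 4:
            return i + 2
        i += length
    return None


def read_mss(segment: bytes) -> Optional[int]:
    off = _mss_offset(segment)
    return None if off is None else struct.unpack("!H", segment[off:off + 2])[0]


def clamp_mss(segment: bytes, max_mss: int, src_ip: bytes, dst_ip: bytes) -> bytes:
    """Return segment with its MSS lowered to max_mss if it was larger."""
    if not 1 <= max_mss <= 1460:
        raise ValueError("size must be 1..1460 bytes")
    if not segment[13] & 0x02:              # only SYN segments carry MSS
        return segment
    buf = bytearray(segment)
    off = _mss_offset(segment)
    if off is not None and struct.unpack("!H", buf[off:off + 2])[0] > max_mss:
        buf[off:off + 2] = struct.pack("!H", max_mss)
    buf[16:18] = b"\x00\x00"                # zero checksum before recomputing
    buf[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(buf)))
    return bytes(buf)


def build_syn(sport: int, dport: int, mss: int, src_ip: bytes, dst_ip: bytes) -> bytes:
    """Constructed SYN with options MSS, NOP, NOP, SACK-permitted."""
    opts = struct.pack("!BBH", MSS_KIND, 4, mss) + b"\x01\x01" + struct.pack("!BB", 4, 2)
    data_off = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_off << 4, 0x02, 65535, 0, 0)
    seg = hdr + opts
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]
```

A segment whose checksum is correct sums to zero when tcp_checksum is run over it unchanged, which is the quickest way to confirm the rewrite left a valid header; note the walk stops at a malformed option length rather than trusting it, since a bad length in an attacker-supplied SYN is exactly where a middlebox parser gets into trouble.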

(config) ftp-record

To create a File Transfer Protocol (FTP) record file to use when accessing an FTP server from the CSS, use the ftp-record command. Use the no form of this command to delete an FTP record file from the CSS.

ftp-record ftp_record ip_or_host username ["password"|des-password des_pwd|encrypted-password encrypted_pwd] {base_directory}
no ftp-record ftp_record

Syntax Description

ftp_record

The name for the FTP record file. Enter an unquoted text string with no spaces and a maximum length of 16 characters.

ip_or_host

The IP address or host name of the FTP server you want to access. Enter an IP address in dotted-decimal notation (for example, 192.168.11.1) or a mnemonic host name (for example, myhost.mydomain.com).

username

A valid login username on the FTP server. Enter a case-sensitive unquoted text string with no spaces and a maximum length 16 characters.

password

The password for the valid login username on the FTP server. Enter a case-sensitive quoted text string with no spaces and a maximum length of 16 characters.

des-password des_pwd

Specifies the Data Encryption Standard (DES) encrypted password for the valid login username on the FTP server. Enter a case-sensitive unquoted text string with no spaces and a maximum length of 64 characters.

encrypted-password encrypted_pwd

Specifies the encrypted password for the valid login username on the FTP server. Enter a case-sensitive unquoted text string with no spaces and a maximum length of 16 characters. This option is available for the CSS 11000 series products only.

base_directory

An optional base directory when using this record. Enter a case-sensitive unquoted text string with no spaces and a maximum length of 64 characters.


Usage Guidelines

The CSS FTP server supports only the active (normal) FTP mode of operation. It does not support the passive FTP mode of operation.

Related Commands

copy ftp
copy log
copy running-config
copy script
copy ssl
(config-boot) primary
(config-boot) secondary

(config) gem-traffic-bursty

To smooth bursty traffic on Gigabit Ethernet Modules (GEMs) in the CSS 11800 for applications sensitive to packet loss, use the gem-traffic-bursty command. Use the no form of this command to reset the default traffic handling behavior on GEMs.

gem-traffic-bursty
no gem-traffic-bursty

Usage Guidelines

When you enter the gem-traffic-bursty command, it applies to all GEMs installed in the CSS 11800 chassis before and after you enter the command.

Traffic burstiness is the occurrence of extreme amounts of traffic for a short period of time. During extremely heavy traffic loads, when a single GEM port has greater than one gigabit per second of incoming network traffic, substantial packet loss can occur. This condition can easily occur when a group of servers attached to multiple ports sends traffic simultaneously to a single client uplink port.

If the traffic load at the client uplink port is at a rate close to a gigabit per second with occasional bursts of greater than one gigabit per second, you can use the gem-traffic-bursty command to reduce overall packet loss. This command can greatly reduce packet loss for applications sensitive to this condition, for example, video and audio streaming applications.

If the traffic load at the client uplink port remains at a constant rate greater than one gigabit per second, you may need to perform a network reconfiguration, for example, configure an additional client uplink port. You should not use the gem-traffic-bursty command to solve the problem.

(config) global-portmap

To control the global source-port translation (portmapping) for TCP flows on a CSS, use the global-portmap command. Use the no form of this command to reset the starting port number and the port range to their default values.

global-portmap base-port number1 range number2
no global-portmap

Syntax Description

base-port number1

The starting port number for global portmapping on a CSS. Enter an integer from 2016 to 63456. The default is 2016.

range number2

The number of ports in the portmap range. Enter an integer from 2048 to 63488. The default is 63488.

If you enter a portmap range that exceeds the number of available ports, you get an error. To determine the number of available ports, subtract the starting port number you specify from 65504.


Usage Guidelines

The global portmapper in a CSS is called the megaportmapper. The megaportmapper database comprises 16 banks of portmap numbers (megamap banks) in each session processor (SP) with unique ranges. A CSS uses a source port hash algorithm to select a megamap bank.

Use the global-portmap command to control the global source-port translation (portmapping) for TCP flows on a CSS. This command is always enabled. Use this command to specify the source-port mapping range on:

An 11500 series CSS when you configure a service that uses a non-default destination port number. A CSS changes a TCP destination port number configured on a service in a content rule when a request hits the content rule and the CSS sends a packet to the selected server. The CSS uses the global portmap command parameters to translate the corresponding client source port number to distinguish it from other clients requesting the same service.

Redundant 11500 series CSS peers in a session-level redundancy configuration. For information on session-level redundancy, refer to the Cisco Content Services Switch Advanced Configuration Guide.

Any CSS with back-end server remapping enabled (refer to the Cisco Content Services Switch Basic Configuration Guide).


Note When you configure a source group, the portmap command values take precedence over the global-portmap command. For details on configuring the portmap command in a source group, refer to the Cisco Content Services Switch Basic Configuration Guide. Note that the portmap disable command has no effect on TCP flows.


Related Commands

show global-portmap
(config-group) portmap

(config) group

To access group configuration mode and configure a group, use the group command. A group is a collection of local servers that initiate flows from within the local web farm. For example, a group of real audio transmitters can be made to appear on the same source IP address. The CSS lets you treat a group as a virtual server with its own source IP address.

Use the no form of this command to delete an existing group.

group group_name
no group existing_group_name

Syntax Description

group_name

The name of a new group you want to create or of an existing group. Enter an unquoted text string with no spaces and a maximum length of 31 characters. To see a list of existing group names, enter:

group ?

Usage Guidelines

When you use the group command to access group mode, the prompt changes to (config-group [name]). For information about commands available in this mode, see "Group Configuration Mode Commands".


Caution Before you use the no group command to delete an existing group, make sure you want to permanently delete the group. You cannot undo this command. If you want a prompt before the CSS performs a command, use the no expert command.

(config) gsdb

To start the Global Sticky Database (GSDB) on a dedicated CSS 11150 with 256 MB of RAM, or to specify a time-to-live (TTL) for the GSDB sticky domain entries, use the gsdb command. You use a GSDB when you configure GSLB with a GSDB or when you use DNS Sticky in a Network Proximity configuration. Use the no form of this command to disable the GSDB or to reset the time-to-live interval for GSDB entries to 7200 seconds.

gsdb {ttl seconds}
no gsdb {ttl}

Syntax Description

ttl

Specifies the time-to-live interval for the GSDB entries.

seconds

The time-to-live interval in seconds. The value you enter determines the length of time that GSDB entries are valid. Enter a number from 300 to 1000000. The default value is 7200.

Any new request from a D-proxy (the client's local DNS server) for a sticky domain that arrives before the timer expires resets the timer.


Usage Guidelines

Because the GSDB is dependent upon the presence of the PDB, you must configure the PDB prior to starting the GSDB.

You do not need to configure a GSDB to use the basic DNS Sticky feature in a global server load-balancing (GSLB) environment. However, a GSDB provides a more robust DNS Sticky and load-balancing configuration. For details on the types of DNS Sticky configurations, refer to the Cisco Content Services Switch Advanced Configuration Guide.

Related Commands

show gsdb

(config) gsdb-interface

To create a primary or secondary interface to the GSDB on the CSS DNS server to communicate with a GSDB, or zero the GSDB interface statistics, use the gsdb-interface command. Use the no form of this command to remove a primary or secondary GSDB interface.

gsdb-interface [primary ip_address|secondary ip_address|zero]
no gsdb-interface [primary|secondary]

Syntax Description

primary

Specifies the primary interface for the GSDB. The CSS uses the primary GSDB for sticky requests.

secondary

Specifies the secondary interface for the GSDB. The CSS uses the secondary interface when the primary interface is unavailable.

ip_address

The IP address of the GSDB. Enter the address in dotted-decimal notation (for example, 192.168.11.1).

In a Network Proximity configuration, the IP address of the primary sticky interface is typically the same as the IP address of the PDB.

zero

Resets the GSDB interface statistics that are displayed by the show gsdb-interface command.


Usage Guidelines

The gsdb-interface command is part of the Enhanced feature set.

A GSDB responds with a zone index to sticky queries from CSS DNS servers. All GSDBs participating in a peer mesh share sticky TTL and sticky zone information over APP.

Related Commands

show gsdb-interface

(config) header-field-group

To access header-field-group configuration mode and configure a request header-field group, use the header-field-group command. A request header-field group contains a list of defined header-field entries used by the content rule lookup process. Each header-field group is given a unique name so different content rules can use them. A group can contain several header-field entries. Use the no form of this command to remove a header-field group.

header-field-group group_name
no header-field-group group_name

Syntax Description

group_name

The header-field group that you want to configure. You must define a unique name for each header-field group so different content rules can use the groups. Enter a text string with a maximum of 32 characters. To see an existing list of header-field groups, enter:

header-field-group ?

Usage Guidelines

To access header-field-group configuration mode, use the header-field-group command from all configuration modes, except boot and RMON modes. The prompt changes to (config-header-field-group [group_name]). You can also use this command in header-field-group mode to access another group. For information about commands available in this mode, see "Header-Field Group Configuration Mode Commands".


Note When there is more than one header-field entry in a group, each header-field entry must be successfully matched before the CSS uses the associated content rule.


Related Commands

show header-field-group
(config-owner-content) header-field-rule

(config) host

To manage entries in the Host table, use the host command. The Host table is the static mapping of mnemonic host names to IP addresses, analogous to the ARP table. Use the no form of this command to remove an existing host from the Host table.

host host_name ip_address
no host host_name

Syntax Description

host_name

The name of the host. Enter an unquoted text string with no spaces and a maximum length of 16 characters. To see a list of host names, enter:

show running-config global

ip_address

The address associated with the host name. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).


Usage Guidelines

To add a host to the Host table, the host name must not already exist. To change a current host's address, remove it and then add it again.

Related Commands

show running-config

(config) idle timeout

To set the maximum amount of time that any Telnet, console, or FTP session can be idle on the CSS before the CSS logs it out, use the idle timeout command. Use the no form of this command to set the idle timeout for any session connected to the CSS to the default of 0.

idle timeout minutes
no idle timeout

Syntax Description

minutes

The maximum time in minutes. Enter a number from 0 to 65535. The default is 0.


Usage Guidelines

You can override the idle timeout command with the terminal command in SuperUser mode.

(config) interface

To enter interface configuration mode and configure an interface, use the interface command.

interface interface_name

Syntax Description

interface_name

The CSS interface that you want to configure. For a CSS 11501, CSS 11050, or CSS 11150, enter the interface name in interface-port format (for example, e2). For a CSS 11503, CSS 11506, or CSS 11800, the interface format is slot/port (for example, 3/1). To see a list of valid interfaces for this CSS, enter:

interface ?

Usage Guidelines

When you use the interface command to access this mode, the prompt changes to (config-if [interface_name]). For information about commands available in this mode, see "Interface Configuration Mode Commands".

(config) ip

To enter global IP configuration commands, use the ip command. The options for this global configuration mode command are:

ip ecmp..., sets the equal-cost multipath selection algorithm

ip firewall..., configures an index that identifies a physical firewall

ip no-implicit-service..., does not allow the CSS to start an implicit service for the next hop of static routes

ip opportunistic..., configures opportunistic Layer-3 forwarding

ip record-route, enables processing of frames with a record-route option

ip redundancy..., enables CSS-to-CSS redundancy

ip route..., configures a static route

ip source-route, enables processing of source-routed frames

ip subnet-broadcast, enables forwarding of subnet broadcast addressed frames

For more information on these options and associated variables, see the following commands.

Related Commands

show ip config
show ip summary

ip ecmp

To set the equal-cost multipath selection algorithm and the preferred reverse egress path, use the ip ecmp command. Use the no form of this command to restore the default, in which the ingress path of a flow is its preferred reverse egress path.

ip ecmp [address|no-prefer-ingress|round-robin]
no ip ecmp no-prefer-ingress

Syntax Description

address

Chooses among alternate paths based on IP addresses.

no-prefer-ingress

Does not prefer the ingress path of a flow for its reverse egress path. By default, the ingress path for a flow is its preferred egress path.

round-robin

Alternates between equal paths in round-robin fashion.


Command Modes

Global configuration mode

Usage Guidelines

The equal-cost multipath selection algorithm for non-TCP/UDP packets (for example, ICMP) is applied on a packet-by-packet basis. Multipath selection for TCP and UDP is performed on a per-flow basis and all packets for a particular flow take the same path.

ip firewall

To configure an index that identifies a physical firewall, use the ip firewall command. Use the no form of the ip firewall index command to delete a firewall index. Use the no form of the ip firewall timeout command to reset the firewall timeout to the default value of three seconds.

ip firewall [index local_firewall_address remote_firewall_address remote_switch_address|timeout seconds]
no ip firewall [index|timeout]

Syntax Description

index

The index number to identify the firewall. Enter a number from 1 to 254.

local_firewall_address

The IP address of the firewall on a subnet connected to the CSS. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).

remote_firewall_address

The IP address of the firewall on the remote subnet that connects to the remote switch. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).

remote_switch_address

The IP address of the remote CSS. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).

timeout seconds

The number of seconds the CSS waits to receive a keepalive message from the remote CSS before declaring the firewall to be unreachable. The timeout range is 3 to 16 seconds. The default is 3 seconds.


Command Modes

Global configuration mode

Usage Guidelines

You can configure indices for multiple parallel firewalls allowing for traffic load balancing. To avoid dropping packets, all connections in either direction between a pair of IP addresses cross the same firewall. If a failure occurs on one path, all traffic uses the remaining path.

A CSS must exist on each side of the firewall to control which firewall is selected for each flow. You must configure a firewall index on the remote CSS with the same index number for the same physical firewall.

To configure the firewall route, use the ip route command. Firewalls cannot perform Network Address Translation (NAT). If your configuration requires NATing, you must configure a content rule or source group on the CSS to provide this function.


Caution When you delete a firewall index, all routes associated with that index are also deleted.

The two CSS switches at the endpoints of the firewall configuration must use the same firewall keepalive timeout value. Otherwise, routes on one CSS may not failover simultaneously with those on the other CSS. This could permit asymmetric routing to occur across the firewalls.

Related Commands

ip route

ip no-implicit-service

To stop the CSS from starting an implicit service for the next hop of static routes, use the ip no-implicit-service command. By default, this option is disabled. Use the no form of this command to reset the default setting.

ip no-implicit-service
no ip no-implicit-service

Command Modes

Global configuration mode

Usage Guidelines

By default, the CSS establishes an implicit (or internal) service for the gateway address when a static route is defined. The ip no-implicit-service command specifies that no implicit service is established to the next hop of the static route.


Note When you implement the ip no-implicit-service command, it does not affect any previously configured static routes. If you wish to stop the implicit service for a previously configured static route, then you must delete and reconfigure that static route.


The purpose of the implicit service to the next hop of a static route is to monitor the availability of the next hop to forward data traffic. When the ip no-implicit-service command is in effect, traffic will be forwarded to the next hop even when it is unavailable. Because of the possibility of data loss if the next hop becomes unavailable, use of the ip no-implicit-service command is strongly discouraged.

ip opportunistic

To configure the opportunistic Layer 3 forwarding of packets, use the ip opportunistic command. Use the no form of this command to allow opportunistic Layer-3 forwarding for local destinations.

ip opportunistic [all|disable]
no ip opportunistic

Syntax Description

all

Allows opportunistic Layer 3 forwarding for all destinations, that is, whenever the IP destination address matches any routing entry on the CSS. This mode is not recommended for a topology that includes multiple routers where the CSS does not know all the routes that the routers know.

disable

Disables opportunistic Layer 3 forwarding. Layer 3 forwarding only occurs for packets whose destination MAC address belongs to the CSS.


Command Modes

Global configuration mode

Usage Guidelines

Opportunistic Layer 3 forwarding allows the CSS to forward packets according to the IP destination address. The MAC destination address does not need to belong to the CSS. By default, the CSS allows this forwarding for local destinations when the IP destination address belongs to a node that resides on one of the subnets directly attached to the CSS and an ARP resolution is known for this node.

ip record-route

To enable the CSS to process frames with a record-route option, use the ip record-route command. Use the no form of this command to disable the processing of frames with a record-route option (the default behavior).

ip record-route
no ip record-route

Command Modes

Global configuration mode

ip redundancy

To enable CSS-to-CSS redundancy on two CSSs interfaced with a crossover cable, use the ip redundancy command. You can also use the master option to manually designate which CSS is the master. By default, redundancy is disabled on a CSS. Use the no form of the ip redundancy command to disable CSS-to-CSS redundancy. Use the no form of the ip redundancy master command to unassign the CSS as the master CSS.

ip redundancy {master}
no ip redundancy {master}

Syntax Description

master

Enables CSS-to-CSS redundancy on the CSS that you want to designate as the master CSS. Do not enter this command on both the master and backup CSSs.

You can enter this command option on the CSS:

Whether it was initially booted as the master or the backup. If you enter this command on the backup CSS, it becomes the master and the other CSS automatically becomes the backup CSS.

When CSS-to-CSS redundancy is currently enabled.


Command Modes

Global configuration mode

Usage Guidelines

If you have no requirement to designate a specific CSS as the master, use the ip redundancy command with no option on each CSS. When you do not manually designate a master CSS, the CSSs negotiate to determine the master and backup. In this negotiation, the master CSS is the CSS that boots first. If both CSSs boot at the same time, the CSS with the higher IP address becomes the master. When the master CSS goes down, the backup CSS automatically becomes master. When the former master CSS comes up again, it becomes the backup CSS.

To manually designate a CSS as the master CSS, enter the master option on it. You can enter this option on a negotiated master or backup. If you enter this option on a master, it remains the master. If you enter this option on the backup CSS, it becomes the master and the other CSS automatically becomes the backup.


Caution Do not enter the ip redundancy master command on both the master and backup CSSs. This can cause network problems.

Because the designated master CSS saves its configuration setting in the running-config, if it goes down and then comes up again, it regains its master status. For example, when the master CSS goes down, the backup CSS becomes master. When the former master CSS comes up again, it becomes the master again.

You cannot use the ip redundancy master command if you previously used the (config-if) redundancy-phy or (config-service) type redundancy-up command. Before you can use the ip redundancy master command, you must enter the (config-if) no redundancy-phy or (config-service) no type command.

The no ip redundancy master command does not disable CSS-to-CSS redundancy.

The CSS does not support simultaneous CSS-to-CSS redundancy and VIP redundancy configurations.

The CSS does not support a trace route of a redundant IP interface.

Related Commands

redundancy force-master
show redundancy
(config-if) redundancy-phy
(config-circuit) redundancy
(config-circuit-ip) redundancy-protocol

ip route

To configure a static route including routes for firewalls, use the ip route command. Use the no form of the command to remove a black-hole, static, or firewall route.

ip route ip_address subnet_mask [blackhole|ip_address2 {distance|originated-packets}|firewall index {distance}]
no ip route ip_address subnet_mask [blackhole|ip_address2|firewall index]

Syntax Description

ip_address

The destination network address. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).

subnet_mask

The IP subnet mask. Enter the mask as either:

A prefix length in CIDR bitcount notation (for example, /24). Do not enter a space to separate the IP address from the prefix length.

A subnet mask in dotted-decimal notation (for example, 255.255.255.0).

blackhole

Instructs the CSS to drop any packets addressed to the route.

ip_address2

The next hop address for a static route. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).

distance

The optional administrative distance. Enter an integer from 1 to 254. A smaller number is preferable. The default value is 1.

firewall

Configures a firewall route.

index

An existing index number for the firewall route. For information on configuring a firewall index, see the ip firewall command.

originated-packets

The optional originated-packets keyword instructs the CSS to use this route for flow and session packets going to and from the CSS (for example, a Telnet session to the CSS). Flows or session packets that go through the CSS (for example, between an attached server and a remote client) do not use this route.


Command Modes

Global configuration mode

Usage Guidelines

The CLI prevents you from configuring IP static routes that are firewall routes and IP static routes that are not firewall routes to identical destinations using identical administrative costs.


Note Ping requests sent from the CSS use the originated-packets route. Ping responses and SNMP responses sent from the CSS do not use the originated-packets route.


ip source-route

To enable the processing of source-routed frames, use the ip source-route command. Use the no form of this command to disable the processing of source-routed frames (the default behavior).

ip source-route
no ip source-route

Command Modes

Global configuration mode

ip subnet-broadcast

To enable the forwarding of subnet broadcast addressed frames, use the ip subnet-broadcast command. Use the no form of this command to disable the forwarding of subnet broadcast addressed frames (the default behavior).

ip subnet-broadcast
no ip subnet-broadcast


Caution When the forwarding of the subnet broadcast is enabled, it can make the subnet susceptible to "smurf" attacks; an attacker sends an ICMP echo request frame using a subnet broadcast address as a destination and a forged address as the source.

If the attack is successful, all the destination subnet hosts reply to the echo and flood the path back to the source. When the subnet broadcast forwarding is disabled, the original echo never reaches the hosts.

Command Modes

Global configuration mode

(config) keepalive

To access keepalive configuration mode and configure the properties for a global keepalive that you can apply to any service, use the keepalive command. Use the no form of this command to delete an existing keepalive.

keepalive name
no keepalive existing_keepalive_name

Syntax Description

name

The name of a new keepalive you want to create or of an existing keepalive. Enter an unquoted text string with no spaces and a maximum length of 31 characters. To see a list of existing keepalive names, enter:

keepalive ?

Usage Guidelines

When you access keepalive mode, the prompt changes to (config-keepalive [name]). For information about commands available in this mode, see "Keepalive Configuration Mode Commands".

Related Commands

show keepalive
(config-service) keepalive type named

(config) load

To configure global load parameters for the eligibility and ineligibility of CSS services, use the load command. Load is a relative measurement for a service's ability to handle flows. The CSS calculates load by using the variances in normalized response times for each server. You can adjust load calculations by changing the load step size, which is the difference in milliseconds between load numbers. The CSS can determine the load step size dynamically or you can configure it.

Each service has two load values, short and long. The short load covers flows with file sizes of 15Kb or less. The long load covers flows with file sizes of more than 15Kb.

The CSS determines the best service for each flow based on the service load and the size of the requested content. The CSS estimates the file size based on previous requests for the same content. If the CSS has never seen the content or it has been purged, it uses short load to select the best service.

The load on a service has a range from 2 to 255, with an eligible load state from 2 to 254. An eligible service is an active service that can receive flows. A service with a lower load receives more flows than a service with a higher load. When a service initially comes up, its load value is 2.

A load of 255 indicates that the service is down, as detected through the keepalive. A service becomes ineligible when its load number exceeds the configured load threshold. The service regains eligibility when its load information is considered stale, that is, when no flow teardowns are detected on the service during the ageout time interval. The CSS erases stale load information for a service and resets the service load to 2. The options for the load command are:

load ageout-timer..., sets the time interval after which load information for a service is considered stale and the service load is reset to 2

load reporting..., enables the CSS to generate teardown reports and derive load numbers

load step..., sets the load step

load teardown-timer..., sets the maximum time for the CSS before sending a teardown report

load threshold..., sets the load threshold for a service, determining its eligibility to receive flows

For more information on these options and associated variables, see the following commands.

load ageout-timer

To set the time interval in seconds in which stale load information for a service is aged out, use the load ageout-timer command. Use the no form of this command to set the ageout time to the default of 60.

load ageout-timer seconds
no load ageout-timer

Syntax Description

seconds

The number of seconds to age out load information for a service. Enter an integer from 0 to 1000000000. The default is 60. The value of 0 disables the timer.


Command Modes

Global configuration mode

Usage Guidelines

When the ageout timer interval expires, the CSS erases the information and resets the service load to 2. Load information is stale when the teardown report number recorded on a service has not incremented during the ageout time interval because no flows (long or short) are being torn down on the service.

At the beginning of the time interval, the ageout timer saves the number of the current teardown report. When the CSS generates a new teardown report, the report number in the CSS increments, and each service in the report saves this number. At the end of the ageout time interval, the CSS compares the teardown number saved at the beginning of the interval with the current teardown number saved by each service. If the number saved by a service is less than or equal to the number saved by the timer, the load information is stale: the CSS erases it and resets the service load to 2.

Related Commands

show load
(config) load reporting

load reporting

To enable the CSS to generate teardown reports and derive load numbers, use the load reporting command. A teardown report is a summary of response times for services when flows are being torn down. The CSS uses the teardown report to derive the load number for a service. Use the no form of this command to disable load reporting.

load reporting
no load reporting

Command Modes

Global configuration mode

Related Commands

show load

load step

To set the difference in milliseconds between load numbers, use the load step command. Use the no form of this command to set the load step to the default of 10.

load step msec [dynamic|static]
no load step

Syntax Description

msec

The load step in milliseconds. Enter an integer from 1 to 1000000000. The default is 10.

dynamic

Sets the initial load step. The CSS modifies it after the CSS collects sufficient response time information from the services.

static

Sets a constant load step. This option disables the dynamic calculations made by the CSS.


Command Modes

Global configuration mode

Usage Guidelines

Eligible load numbers have a range from 2 to 254. By default, the CSS dynamically calculates the load step as it accumulates minimum and maximum response times for the services.

When you configure the load step to reduce the flows to a slower service, consider the differences in response times between services. For example:

Increasing the load step causes the load for services to be closer to each other, thus increasing the number of flows to a slower service.

Decreasing the load step causes the load for services to be further from each other, thus decreasing the flows to a slower service.

Related Commands

show load
(config) load reporting

load teardown-timer

To set the maximum time between teardown reports, use the load teardown-timer command. Use the no form of this command to reset the teardown time interval to its default of 20 seconds.

load teardown-timer seconds
no load teardown-timer

Syntax Description

seconds

The number of seconds between teardown reports. Enter an integer from 0 to 1000000000. The default is 20. The value of 0 disables the timer.


Command Modes

Global configuration mode

Usage Guidelines

A teardown report is a summary of response times for services when flows are being torn down. The CSS uses the teardown report to derive the load number for a service. When the CSS has sufficient teardown activity for a service, it generates a teardown report and the teardown timer is reset. If a teardown report is not triggered at the end of the teardown timer interval due to insufficient activity, the CSS generates a teardown report based on the current activity. If there is no activity, no report is generated and the timer resets.


Note The teardown timer is overridden when a service is reset. After 10 teardown reports are recorded, the timer is reset to its configured value.


Related Commands

show load
(config) load reporting

load threshold

To define the global load number that the CSS uses to determine if a service is eligible to receive flows, use the load threshold command. Use the no form of this command to set the load threshold to the default of 254.

load threshold number
no load threshold

Syntax Description

number

The threshold number. Enter a number from 2 to 254. The default is 254.


Command Modes

Global configuration mode

Usage Guidelines

If you do not configure a load threshold for the content rule with the (config-owner-content) load-threshold command, the rule inherits this global load threshold.

If the service load exceeds the threshold, the service becomes ineligible to receive flows until its load information is stale. Information is stale when the teardown report number recorded on a service has not incremented during the ageout time interval.
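The ageout and threshold bookkeeping described under load ageout-timer and here, as an added simulation that is not Cisco code. It assumes load values arrive directly with each teardown report (the page does not give the response-time-to-load formula) and that a service marked down (255) by the keepalive is not touched by the ageout reset.

```python
"""Simulation of CSS service-load eligibility: eligible while the load is
2..threshold, 255 means keepalive-down, and at the end of each ageout
interval a service whose recorded teardown-report number has not advanced
past the number saved when the interval began is stale and reset to 2.
Added example, not Cisco code; load values per report are an assumption."""

LOAD_MIN, LOAD_MAX, LOAD_DOWN = 2, 254, 255


class LoadTracker:
    def __init__(self, threshold=254):
        self.threshold = threshold          # `load threshold number` (default 254)
        self.report_number = 0              # global teardown report counter
        self.loads = {}                     # service -> current load value
        self.last_report = {}               # service -> report number it last saved
        self.interval_start_report = 0      # number saved when an ageout interval begins

    def add_service(self, name):
        # A service that has just come up starts at load 2.
        self.loads[name] = LOAD_MIN
        self.last_report[name] = self.report_number

    def keepalive_down(self, name):
        # Keepalive failure is reported as load 255.
        self.loads[name] = LOAD_DOWN

    def teardown_report(self, loads):
        """One teardown report covering the given services (name -> load).
        The global report number increments and each reported service saves it.
        Supplying the load directly is an assumption of this model."""
        self.report_number += 1
        for name, load in loads.items():
            self.loads[name] = max(LOAD_MIN, min(LOAD_MAX, load))
            self.last_report[name] = self.report_number

    def begin_ageout_interval(self):
        # The ageout timer saves the current teardown report number.
        self.interval_start_report = self.report_number

    def end_ageout_interval(self):
        """Compare each service's saved report number with the timer's saved
        number; services that did not advance are stale and reset to load 2.
        Returns the names of the services that were reset."""
        stale = [name for name, saved in self.last_report.items()
                 if saved <= self.interval_start_report
                 and self.loads[name] != LOAD_DOWN]   # assumption: down stays down
        for name in stale:
            self.loads[name] = LOAD_MIN
        return stale

    def eligible(self, name):
        # Eligible load state is 2..threshold; anything above is ineligible.
        return LOAD_MIN <= self.loads[name] <= self.threshold


if __name__ == "__main__":
    t = LoadTracker(threshold=100)
    t.add_service("web1")
    t.add_service("web2")
    t.begin_ageout_interval()
    t.teardown_report({"web1": 120, "web2": 30})   # web1 exceeds the threshold
    print("web1 eligible:", t.eligible("web1"))    # False
    print("stale after interval 1:", t.end_ageout_interval())   # []
    t.begin_ageout_interval()
    t.teardown_report({"web2": 40})                # web1 reports no teardowns
    print("stale after interval 2:", t.end_ageout_interval())   # ['web1']
    print("web1 eligible again:", t.eligible("web1"))           # True
```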

Related Commands

show load
(config) load ageout-timer

(config) logging

Use the logging command to:

Select a CSS subsystem and determine which activities to log

Determine where to send the log activity

Set the size of the disk buffer, if applicable

By default, the sys.log file on the CSS disk contains the Notice-level activities for all CSS subsystems. The options for this global configuration mode command are:

logging buffer..., sets the size of the disk buffer

logging commands enable, enables the logging of CLI commands

logging disk..., sends the log activity to a new or existing file on the disk

logging host..., sends the log activity to a host

logging line..., sends the log activity to an active session

logging sendmail..., sends logging messages to an email address

logging subsystem..., selects a CSS subsystem and determines which activities to log

logging to-disk..., disables logging to the sys.log file on the CSS disk

For more information on these options and associated variables, see the following commands.

Related Commands

clear log
show log

logging buffer

To set the size of the disk buffer, use the logging buffer command. Use the no form of this command to set the disk buffer size to the default of 0.

logging buffer size
no logging buffer

Syntax Description

size

The size of the disk buffer in bytes. Enter an integer from 0 to 64000. The default is 0, where the CSS sends the logging information directly to the disk.


Command Modes

Global configuration mode

Usage Guidelines

The logging buffer command is only applicable when you configure logging to the CSS disk through the logging disk command.

When the log activity information for the subsystem fills the buffer, the CSS empties it into the log file on the disk. The larger you configure the buffer size, the less frequently the CSS empties the buffer.

Related Commands

(config) logging disk

logging commands enable

To enable the CSS to log CLI commands, use the logging commands enable command. Use the no form of this command to disable the logging of CLI commands.

logging commands enable
no logging commands

Command Modes

Global configuration mode

Usage Guidelines

For the CSS to send CLI commands to the sys.log file, you must set the logging level of the netman subsystem to info-6. For example:

(config)# logging subsystem netman info-6

logging disk

To log the activity of a subsystem to a new or existing file on the disk, use the logging disk command. Use the no form of this command to turn off logging to the specified file on the disk and re-enable logging to the sys.log file.

logging disk filename
no logging disk

Syntax Description

filename

The new or existing filename in the log directory where you want to send the log information. The default file is sys.log. Enter an unquoted text string with a maximum length of 32 characters. To see a list of log filenames, enter: logging disk ?


Command Modes

Global configuration mode

Usage Guidelines

You can have only one active log file on the disk. If you want to send the log information to a different log file, re-enter the logging disk command.

Logging to a CSS disk causes the performance of the CSS to degrade.

Related Commands

(config) logging buffer
(config) logging to-disk
(config) logging subsystem

logging host

To send the log activity of a subsystem to the syslog daemon on the host system, use the logging host command. Use the no form of this command to turn off logging to the syslog daemon on the host.

logging host ip_or_host facility number level number
no logging host ip_or_host

Syntax Description

ip_or_host

The address of the syslog daemon on the host. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1) or the mnemonic host name (for example, myhost.mydomain.com).

facility number

The syslog daemon facility level. Enter a number from 0 to 7. For more information on the syslog daemon and facility levels, refer to the syslog daemon documentation that accompanied the host system.

level number

The logging level of the messages sent to the syslog daemon. Enter a number from 0 to 7. The default is 7. See the logging subsystem command for the logging levels you can set for a CSS subsystem. The logging levels are listed in order of severity with a fatal error being the most severe and info being the least severe error.


Command Modes

Global configuration mode

Usage Guidelines

When you use the logging host command, the CSS continues to send logging activity to the sys.log file on the disk. To disable logging to the sys.log file, use the logging to-disk disable command.

The log level that you enter must be equal to or less than the logging level set for a CSS subsystem with the logging subsystem command. If the host level is set to a value greater than the subsystem logging level, the CSS sends only the messages that pass the subsystem level; the host log level is a subset of the subsystem level you set. For example, if you specify logging subsystem netman level warning-4 and logging host <ip address> level 7, expect to see only messages at level 4 or less sent to the syslog daemon. Although the host level is set to 7, messages at level 5, 6, or 7 are neither written to the sys.log file on the CSS nor sent to the syslog daemon.
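The level gating described above, together with the netman info-6 requirement under logging commands enable, modeled as an added example that is not Cisco code. The model assumes a message reaches sys.log only when its level number is at or below its subsystem level and reaches the syslog host only when it is also at or below the host level, and that a `logging subsystem all` level applies to any subsystem without an explicit entry.

```python
"""Model of how a CSS filters subsystem log messages before writing them to
sys.log and forwarding them to a syslog host.  Added example, not Cisco code.
Use it to check that CLI command audit records (netman, info-6) actually
reach the syslog collector under a given logging configuration."""
from dataclasses import dataclass, field

# Severity names from the logging sendmail / logging subsystem level lists.
LEVELS = {"fatal": 0, "alert": 1, "critical": 2, "error": 3,
          "warning": 4, "notice": 5, "info": 6}
DEFAULT_SUBSYSTEM_LEVEL = LEVELS["warning"]   # page: default subsystem level is warning


@dataclass
class LogRecord:
    subsystem: str
    level: int
    text: str


@dataclass
class LoggingConfig:
    subsystem_levels: dict = field(default_factory=dict)  # `logging subsystem name level`
    host_level: int = 7                                   # `logging host ... level` (default 7)
    commands_enabled: bool = False                        # `logging commands enable`

    def subsystem_level(self, name):
        # Assumption: an explicit per-subsystem entry wins over `all`,
        # and `all` wins over the warning-4 default.
        if name in self.subsystem_levels:
            return self.subsystem_levels[name]
        return self.subsystem_levels.get("all", DEFAULT_SUBSYSTEM_LEVEL)


def effective_host_level(config, subsystem):
    """Highest level number that can reach the syslog host for a subsystem:
    the host level is a subset of the subsystem level, so the lower bound wins."""
    return min(config.subsystem_level(subsystem), config.host_level)


def route(config, record):
    """Return (written_to_sys_log, forwarded_to_host) for one record."""
    on_disk = record.level <= config.subsystem_level(record.subsystem)
    to_host = on_disk and record.level <= config.host_level
    return on_disk, to_host


def cli_audit_reaches_host(config):
    """True when CLI command records (logged by netman at info-6) both hit
    sys.log and are forwarded to the syslog host."""
    if not config.commands_enabled:
        return False
    return effective_host_level(config, "netman") >= LEVELS["info"]


# Constructed sample records (not real CSS output).
SAMPLE = [
    LogRecord("netman", LEVELS["info"], "CLI: configure (user admin)"),
    LogRecord("netman", LEVELS["warning"], "SNMP authentication failure"),
    LogRecord("ipv4", LEVELS["notice"], "route change"),
    LogRecord("keepalive", LEVELS["error"], "service web1 down"),
]


def forwarded_texts(config, records=SAMPLE):
    """Texts of the records that would be forwarded to the syslog host."""
    return [r.text for r in records if route(config, r)[1]]


if __name__ == "__main__":
    # The page's own example: netman at warning-4, host level 7 -> effective 4.
    page_example = LoggingConfig(subsystem_levels={"netman": 4}, host_level=7)
    print("effective netman level:", effective_host_level(page_example, "netman"))
    # What it takes for CLI command auditing to land on the collector.
    audit = LoggingConfig(subsystem_levels={"netman": 6}, host_level=6,
                          commands_enabled=True)
    print("CLI audit forwarded:", cli_audit_reaches_host(audit))
    print("forwarded:", forwarded_texts(audit))
```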

Related Commands

(config) logging subsystem

logging line

To send the log activity of a subsystem to an active CSS session, use the logging line command. Use the no form of this command to turn off logging to a session.

logging line session
no logging line session

Syntax Description

session

A valid active session on the CSS. Enter a case-sensitive unquoted text string with a maximum length of 32 characters. To see a list of sessions, enter: logging line ?


Command Modes

Global configuration mode

Usage Guidelines

When you use the logging line command, the CSS continues to send logging activity to the sys.log file on the disk. To disable logging to the sys.log file, use the logging to-disk disable command.

Related Commands

(config) logging subsystem

logging sendmail

To send the log activity of a subsystem to an email address, use the logging sendmail command. Use the no form of this command to turn off logging to an email address.

logging sendmail email_address host_address level {domain}
no logging sendmail email_address

Syntax Description

email_address

The email address for the recipient. Enter a case-sensitive unquoted text string with a maximum length of 30 characters.

host_address

The IP address for the SMTP host. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).

level

The type of information to log. Enter one of these levels:

fatal-0, Fatal error log messages

alert-1, Alert error log messages

critical-2, Critical error log messages

error-3, General error log messages

warning-4, Warning error log messages

notice-5, Notice error log messages

info-6, Information messages

domain

The domain name for the SMTP host. Enter an unquoted text string with a maximum length of 64 characters (for example, cisco.com).

Do not insert an "@" sign before the domain name. The CSS prepends it to the domain name automatically.


Command Modes

Global configuration mode

logging subsystem

To select a CSS subsystem and determine which type of activity to log, use the logging subsystem command. Use the no form of this command to reset a subsystem logging level to the default setting of warning.

logging subsystem name level level
no logging subsystem name

Syntax Description

name

The name of a CSS subsystem. Enter one of the following subsystem names:

acl, Access Control Lists

all, all subsystems

app, Application Peering Protocol (APP)

boomerang, DNS Content Routing Agent

buffer, Buffer Manager

chassis, Chassis Manager

circuit, Circuit Manager

csdpeer, Content Server Database (CSD) Peer

dql, Domain Qualifier List (DQL)

fac, Flow Admission Control (FAC)

flowmgr, Flow Manager

hfg, Header Field Group (HFG)

ipv4, Internet Protocol version 4

keepalive, Keepalive

netman, Network Management

nql, Network Qualifier List (NQL)

ospf, OSPF

pcm, Proximity CAPP Messaging (PCM)

portmapper, PortMapper

proximity, Proximity

publish, Publish

radius, Remote Authentication Dial-In User Server (RADIUS)

replicate, Replication

redundancy, CSS redundancy

rip, RIP

security, Security Manager

sntp, Simple Network Time Protocol (SNTP)

syssoft, System software

urql, Uniform Resource Qualifier List

vlanmgr, VLAN Manager

vpm, Virtual Pipe Manager

vrrp, Virtual Router Redundancy Protocol

wcc, Web Conversation Control

To see a list of subsystems, enter:

logging subsystem ?

level

The log level for the message. Enter one of these levels:

fatal-0, Fatal errors only.

alert-1, Alert errors, including errors at the fatal-0 level.

critical-2, Critical errors, including errors at the alert-1 level.

error-3, General errors, including errors at the critical-2 level.

warning-4, Warning errors (default), including errors at the error-3 level.

notice-5, Notice messages, including errors at the warning-4 level.

info-6, Informational messages, including errors at the notice-5 level.

debug-7, All errors and messages. Setting the logging level to debug-7 may decrease the performance of the CSS. When you enter this option, the CSS prompts you with the following message:

Logging at the debug level may degrade the CSS 
performance. Continue, [y/n]: 

Enter y to confirm that you want to set the log level to debug-7. Enter n to cancel setting the debug-7 log level.


Command Modes

Global configuration mode

Related Commands

clear log
(config) logging disk
(config) logging host
(config) logging line
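The interaction between the subsystem level and the host log level described under logging host and logging subsystem, modelled as an added example (not Cisco code; the config lines, the 10.0.0.1 address and the treatment of the all keyword are constructed assumptions):

```python
"""CSS logging-level filter model: which destinations receive a message,
given `logging subsystem ... level`, `logging host ... log-level` and
`logging to-disk`. Added example for this reference, not Cisco code; the
config lines and the 10.0.0.1 address are constructed."""
import re

# Level names as the CSS CLI spells them; the number is the severity.
LEVELS = {
    "fatal-0": 0, "alert-1": 1, "critical-2": 2, "error-3": 3,
    "warning-4": 4, "notice-5": 5, "info-6": 6, "debug-7": 7,
}
DEFAULT_SUBSYSTEM_LEVEL = LEVELS["warning-4"]  # documented default

# Constructed sample config using the reference's netman/warning-4/log-level 7 case.
SAMPLE_CONFIG = """
logging subsystem netman level warning-4
logging subsystem security level info-6
logging host 10.0.0.1 log-level 7
logging to-disk enable
"""


def parse_level(token):
    """Accept 'warning-4' or a bare number such as the 7 in 'log-level 7'."""
    if token in LEVELS:
        return LEVELS[token]
    if token.isdigit() and 0 <= int(token) <= 7:
        return int(token)
    raise ValueError("unknown log level: %r" % token)


def parse_logging_config(text):
    """Reduce config lines to (subsystem levels, host levels, to_disk)."""
    subsystems, hosts, to_disk = {}, {}, True
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"logging subsystem (\S+) level (\S+)", line)
        if m:
            subsystems[m.group(1)] = parse_level(m.group(2))
            continue
        m = re.fullmatch(r"no logging subsystem (\S+)", line)
        if m:
            subsystems.pop(m.group(1), None)  # back to the warning-4 default
            continue
        m = re.fullmatch(r"logging host (\S+) log-level (\S+)", line)
        if m:
            hosts[m.group(1)] = parse_level(m.group(2))
            continue
        m = re.fullmatch(r"no logging host (\S+)", line)
        if m:
            hosts.pop(m.group(1), None)
            continue
        if line == "logging to-disk disable":
            to_disk = False
        elif line == "logging to-disk enable":
            to_disk = True
    return subsystems, hosts, to_disk


def subsystem_level(subsystems, name):
    """Assumption: an explicit per-subsystem setting overrides a level set
    with 'all'; anything unset uses the warning-4 default."""
    if name in subsystems:
        return subsystems[name]
    return subsystems.get("all", DEFAULT_SUBSYSTEM_LEVEL)


def destinations(config, subsystem, msg_level):
    """Destinations that receive a message of msg_level from subsystem:
    'sys.log' for the disk file, then each syslog host, in config order."""
    subsystems, hosts, to_disk = config
    sub_level = subsystem_level(subsystems, subsystem)
    if msg_level > sub_level:
        return []  # the subsystem never emits it, so no destination sees it
    dests = ["sys.log"] if to_disk else []
    for host, host_level in hosts.items():
        # A host log-level above the subsystem level adds no verbosity:
        # the host sees at most the lower of the two levels.
        if msg_level <= min(sub_level, host_level):
            dests.append(host)
    return dests


def hosts_missing_level(config, subsystem, msg_level):
    """Syslog hosts that would NOT receive msg_level messages from subsystem,
    e.g. to check that security warnings actually reach the collector."""
    _, hosts, _ = config
    seen = set(destinations(config, subsystem, msg_level))
    return sorted(h for h in hosts if h not in seen)


if __name__ == "__main__":
    cfg = parse_logging_config(SAMPLE_CONFIG)
    print(destinations(cfg, "netman", LEVELS["warning-4"]))  # sys.log and host
    print(destinations(cfg, "netman", LEVELS["notice-5"]))   # filtered: []
    print(hosts_missing_level(cfg, "netman", LEVELS["notice-5"]))
```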

logging to-disk

To disable or enable logging to the sys.log file on the CSS disk, use the logging to-disk command. By default, the CSS logs to the sys.log file.

logging to-disk [disable|enable]

Syntax Description

disable

Disables logging to the sys.log file

enable

Re-enables logging to the sys.log file


Command Modes

Global configuration mode

Usage Guidelines

Use the logging to-disk disable command to prevent excessive writes to the disk or to increase the performance of the CSS. Logging to a file on a CSS disk degrades the performance of the CSS.

The logging to-disk disable command affects the sys.log file only. It does not affect a disk log file that you specified through the logging disk command. To disable all logging to the CSS disk, use the no logging disk command and then enter the logging to-disk command to disable logging to the sys.log file.

Related Commands

show log-state
(config) logging buffer
(config) no logging disk
(config) logging subsystem

(config) no

To negate a command or set it to its default, use the no command. Not all commands have a no form. For information on general no commands that you can use in this mode, see the general no command.

All of the following options are available in global configuration mode.

Syntax Description

no acl index

Deletes an existing ACL

no app

Disables APP on the CSS

no app framesz

Restores the default APP frame size to 10240

no app port

Restores the default APP port number to 5001

no app session ip_address

Terminates an APP session

no app-udp

Disables APP-UDP messaging on the CSS

no app-udp options ip_address

Deletes the APP-UDP options from the IP address

no app-udp port

Restores the default APP-UDP port number to 5002

no app-udp secure

Restores the default behavior of accepting all APP datagrams

no arp ip_or_host

Removes a static mapping address

no arp timeout

Restores the default timeout of 14400 seconds

no arp wait

Restores the default wait time of 5 seconds

no bridge aging-time

Restores the default aging time of 300

no bridge forward-time

Restores the default delay time of 4

no bridge hello-time

Restores the default hello time interval of 1

no bridge max-age

Restores the default maximum age of 6

no bridge priority

Restores the default priority of 32768

no cmd-sched

Disables the execution of scheduled CLI commands

no cmd-sched record

Deletes a configuration record for the execution of CLI commands

no console authentication

Sets console authentication to none

no date european-date

Resets the format for the clock date command to its default of month, day, and year

no dhcp-relay-agent max-hops

Resets the maximum allowable number in the hops field of the BOOTP header to 4

no dns primary

Removes the primary DNS server

no dns secondary ip_or_host

Removes a secondary DNS server

no dns suffix

Removes the default suffix

no dns-boomerang client cpu-threshold

Resets the CSS CPU threshold to the default value of 99

no dns-boomerang client domain dns_name {alias alias_name}

Removes a client domain or the alias for the domain

no dns-boomerang client enable

Disables the Content Routing Agent (CRA) functionality on the CSS

no dns-peer interval

Resets the time between load reports to the CSS DNS peers to its default of 5 seconds

no dns-peer receive-slots

Resets the maximum number of DNS names received from a peer to its default value of 128

no dns-peer send-slots

Resets the maximum number of DNS names sent to a peer to its default value of 128

no dns-record a dns_name

Deletes a domain address record

no dns-record accel dns_name

Deletes a DNS acceleration record

no dns-record ns dns_name

Deletes a domain name server record

no dns-server

Disables the DNS server functionality on the CSS

no dns-server accelerate domains

Disables domain acceleration

no dns-server bufferCount

Restores the default response buffer count to 10

no dns-server domain-cache

Disables domain caching

no dns-server forwarder primary|secondary

Deletes a CSS DNS forwarder

no dns-server respTasks

Restores the default responder task count to 2

no dns-server zone

Disables the CSS Proximity Domain Name Server

no domain hotlist

Disables the domain hotlist

no domain hotlist interval

Resets the domain hotlist interval to 1 minute

no domain hotlist size

Resets the maximum number of entries in the domain hotlist to 100

no domain hotlist threshold

Resets the domain hotlist threshold to 0, which disables the threshold

no dql dql_name

Deletes the specified DQL

no eql eql_name

Deletes the specified EQL

no flow tcp-mss

Resets the TCP maximum segment size to 1460 bytes

no flow permanent port[1|2|3|4|5|6|7|8|9|10]

Resets a port to its default number of 0

no flow port-reset

Disables Fast and Gigabit Ethernet port resets on the CSS

no flow reserve-clean

Resets the reclaiming of port numbers to 10 seconds

no ftp-record ftp_record

Deletes an FTP record file from the CSS

no gem-traffic-bursty

Resets the default traffic behavior on the CSS 11800 GEMs

no global-portmap

Resets the starting port and range to their default values

no group existing_group_name

Deletes an existing group

no gsdb

Disables the GSDB

no gsdb ttl

Resets the time to live for GSDB entries to its default of 7200 seconds

no gsdb-interface [primary|secondary]

Removes the GSDB primary or secondary interface

no header-field-group existing_group_name

Deletes an existing header-field group

no host host_name

Removes an existing host from the Host table

no idle timeout

Sets the idle timeout for any session connected to the CSS to the default of 0 (disabled)

no ip ecmp no-prefer-ingress

Resets the ECMP ingress path for a flow to be its preferred reverse egress path

no ip firewall index

Deletes a configured firewall

no ip no-implicit-service

Resets the CSS to start an implicit service for the next hop of static routes

no ip opportunistic

Allows opportunistic Layer 3 forwarding for local destinations

no ip record-route

Disables processing of frames with a record-route option

no ip redundancy

Disables CSS-to-CSS redundancy

no ip redundancy master

Unassigns the CSS as the master CSS

no ip route ip_address subnet_mask ip_address2

Removes a static route

no ip route ip_address subnet_mask blackhole

Disables the dropping of packets to a black-hole route

no ip route ip_address subnet_mask firewall index

Removes a firewall route

no ip source-route

Disables processing of source-routed frames

no ip subnet-broadcast

Disables forwarding of subnet broadcast addressed frames

no keepalive name

Deletes an existing keepalive

no load ageout-timer

Resets the ageout time interval for load information to its default value of 60 seconds

no load reporting

Disables load reporting

no load step

Resets the load step to its default value of 10 ms

no load teardown-timer

Resets the teardown time interval to its default value of 20 seconds

no load threshold

Resets the global load threshold to its default value of 254

no logging buffer

Sets the disk buffer size to the default of 0

no logging commands

Disables the logging of CLI commands

no logging disk

Turns off logging to a specified file on disk

no logging host ip_or_host

Turns off logging to the syslog daemon on the host

no logging line session

Turns off logging to an active CSS session

no logging sendmail email_address

Turns off logging to an email address

no logging subsystem name

Resets the logging level of a subsystem to the default setting of warning

no noflow-portmap

Resets the starting port and range to their default values

no nql name

Deletes an existing NQL

no ospf advertise ip_address subnet_mask

Stops advertising of the route as OSPF ASE through the OSPF interfaces

no ospf area ip_address

Removes the OSPF area

no ospf as-boundary

Unassigns the CSS as an AS boundary router

no ospf default

Stops advertising the routes originated through OSPF

no ospf enable

Disables OSPF

no ospf equal-cost

Resets the number of equal-cost routes OSPF can use to its default of 15

no ospf range area_id address mask

Removes the range to summarize routes at an area border

no ospf redistribute [firewall|local|rip|static]

Stops advertising a route of a specific protocol type through OSPF

no ospf router-id

Deletes the OSPF router ID on the CSS

no owner existing_owner_name

Deletes an existing owner

no proximity cache-size

Restores the proximity lookup cache size to its default of 16000 entries

no proximity db

Disables the CSS Proximity Database

no proximity probe rtt interval

Resets the delay in seconds between ICMP samples to its default of 1 second

no proximity probe rtt metric-weighting

Resets the percentage of the previous metric value used to derive the new metric to its default of 0

no proximity probe rtt samples

Resets the number of ICMP echo requests that the CSS uses for averaging during an initial probe to its default of 2

no proximity probe rtt tcp-ports

Resets the default probe ports for SYN proximity metric discovery

no proximity ttl assigned

Resets the TTL value to its default of 60 minutes

no proximity ttl probe

Resets the TTL value to its default of 0, which disables the caching of responses at the Proximity Database

no radius-server dead-time

Resets the dead-time period to its default of 5 seconds

no radius-server primary

Deletes the primary RADIUS server

no radius-server retransmit

Resets the number of retransmissions of an authentication request to its default of 3

no radius-server secondary

Deletes the secondary RADIUS server

no radius-server timeout

Resets the time interval that the CSS waits for a reply to a RADIUS request to 10 seconds

no restrict console

Enables access to the CSS from a console

no restrict ftp

Enables FTP access to the CSS

no restrict snmp

Enables SNMP access to the CSS

no restrict ssh

Enables SSHD access to the CSS

no restrict telnet

Enables Telnet access to the CSS

no restrict xml

Enables XML access to the CSS

no restrict web-mgmt

Enables Web management access to the CSS

no rip advertise ip_address/ip_mask

Stops advertising a route through all RIP interfaces

no rip equal-cost

Resets the number of equal-cost routes RIP can use to its default of 1

no rip redistribute [local|ospf|static|firewall]

Stops advertising routes from other protocols

no rmon-alarm index

Deletes an RMON alarm

no rmon-event index

Deletes an RMON event

no rmon-history index

Deletes an RMON history

no service service_name

Deletes an existing service

no snmp auth-traps

Disables reception of authentication traps

no snmp community community_name

Removes a community name and defaults it to Cisco Systems, Content Network Systems

no snmp contact

Removes the contact name

no snmp location

Removes the location and defaults it to Customer Premises

no snmp name

Removes the SNMP name for this system and defaults it to Support

no snmp reload-enable

Disallows an SNMP-based reboot of the CSS

no snmp trap-host ip_or_host

Removes a specified trap host

no snmp trap-source

Resets the SNMP trap source to the default of the management port IP address

no snmp trap-type generic

Disables generic traps

no snmp trap-type enterprise

Disables enterprise traps

no snmp trap-type enterprise dos_attack_type

Disables the generation of an SNMP enterprise trap for a Denial of Service attack type, as configured with the (config) snmp trap-type enterprise command

no snmp trap-type enterprise chmgr-module-transition

Disables the generation of an SNMP enterprise trap when a module is inserted into or removed from the chassis

no snmp trap-type enterprise chmgr-ps-transition

Disables the generation of an SNMP enterprise trap when a power supply changes state

no snmp trap-type enterprise isc-lifetick-failure

Disables the generation of an SNMP enterprise trap on ISC lifetick message failures

no snmp trap-type enterprise login-failure

Disables the generation of an SNMP enterprise trap when a login fails

no snmp trap-type enterprise reload

Disables the generation of an SNMP enterprise trap when a CSS reboot is initiated directly through SNMP

no snmp trap-type enterprise redundancy-transition

Disables the generation of an SNMP enterprise trap when a redundant CSS transitions state

no snmp trap-type enterprise service-transition

Disables the generation of an SNMP enterprise trap when a service transitions state

no sntp poll-interval

Resets the poll interval to its default of 64 seconds

no sntp server

Removes the SNTP server

no sshd keepalive

Disables SSHD keepalive

no sshd port

Resets the SSHD port number to 22

no sshd server-keybits

Resets the number of bits for the server key to 768

no tacacs-server ip_address port

Removes the TACACS+ server

no tacacs-server account config|non-config

Disables TACACS+ accounting for running and non-running configuration commands

no tacacs-server authorize config|non-config

Disables TACACS+ authorization for running and non-running configuration commands

no tacacs-server key

Removes the global encryption key

no tacacs-server timeout

Resets the TACACS+ server timeout period to its default of 5 seconds

no urql name

Deletes an existing URQL

no username name

Deletes an existing username

no virtual authentication

Disables virtual authentication

no vrrp-backup-timer

Resets the timer to the default value of 3 seconds


Command Modes

Global configuration mode

(config) noflow-portmap

To control the port translation (portmapping) range of DNS UDP source-port numbers greater than 1023 on a CSS, use the noflow-portmap command. This command is always enabled. Use the no form of this command to reset the starting port number and portmap range to their default values.

noflow-portmap base-port number1 range number2
no noflow-portmap

Syntax Description

base-port number1

The starting port number for no-flow (DNS flows are disabled) portmapping on a CSS. Enter an integer from 2016 to 63456. The default is 2016.

range number2

The number of ports in the portmap range. Enter an integer from 2048 to 63488. The default is 63488.

If you enter a value for the portmap range that exceeds the number of available ports, you get an error. To determine the number of available ports, subtract the starting port number from 65504.


Usage Guidelines

Before a CSS can use the noflow-portmap command, you must enter the dnsflow disable command to disable DNS flows on the CSS.

The portmap command values configured in a source group take precedence over the noflow-portmap command values, unless you configure the portmap disable command. For details on configuring the portmap commands in a source group, refer to Cisco Content Services Switch Basic Configuration Guide.

Related Commands

show noflow-portmap
(config) dnsflow
(config-group) portmap

(config) nql

To access Network Qualifier List (NQL) configuration mode and configure an NQL, use the nql command. An NQL is a collection of subnet and host IP addresses that you can assign to an ACL clause, instead of creating a clause for each address. Use the no form of this command to remove an existing NQL.

nql nql_name
no nql existing_nql_name

Syntax Description

nql_name

The name of a new NQL you want to create or of an existing list. Enter an unquoted text string with no spaces and a maximum length of 31 characters. To see a list of existing NQL names, enter:

nql ?

Command Modes

Global configuration mode

Usage Guidelines

You can access NQL mode from any configuration mode except boot, group, RMON alarm, RMON event, and RMON history configuration modes. The prompt changes to (config-nql [name]). You can also use the nql command from NQL mode to access another NQL. For information about commands available in this mode, see "NQL Configuration Mode Commands".

You can configure a maximum of 512 networks to an NQL, and a maximum of 512 NQLs on the CSS.

(config) ospf

To configure global Open Shortest Path First (OSPF) parameters on the CSS, use the ospf command and its options. The options for this global configuration mode command are:

ospf advertise..., advertises a route as OSPF Autonomous System external (ASE) through all OSPF interfaces

ospf area..., configures an OSPF area

ospf as-boundary..., configures the CSS as an Autonomous System (AS) boundary router

ospf default..., advertises default ASE routes through OSPF

ospf enable..., enables OSPF

ospf equal-cost..., sets the number of equal-cost routes that OSPF can use

ospf range..., configures an address range to summarize routes at an area border

ospf redistribute..., advertises other routes through OSPF

ospf router-id..., configures the OSPF router ID

For more detailed information about these options and their variables, see the following sections.

Related Commands

show ospf
(config-circuit-ip) ospf

ospf advertise

To advertise a route as OSPF ASE through all OSPF interfaces, use the ospf advertise command. Use the no form of this command to stop advertising the route as OSPF ASE through all OSPF interfaces.

ospf advertise ip_address subnet_mask {metric number1} {tag number2} {type1}
no ospf advertise ip_address subnet_mask

Syntax Description

ip_address

The IP address for the route prefix. Enter an IP address in dotted-decimal notation (for example, 192.168.128.0).

subnet_mask

The subnet mask. Enter the mask as either:

A prefix length in CIDR bitcount notation (for example, /24). Do not enter a space to separate the IP address from the prefix length.

A dotted-decimal notation (for example, 255.255.254.0).

metric number1

An optional metric to use when advertising a route. Enter a number from 1 to 16777215. The default is 1.

tag number2

An optional 32-bit tag value to advertise each external route. This is not used by the OSPF protocol itself. You can use it to communicate information between AS boundary routers.

type1

Optionally advertises the routes as ASE type1. By default, the type is ASE type2. The difference between type1 and type2 is how the cost is calculated. For a type2 ASE, only the external cost (metric) is considered when comparing multiple paths to the same destination. For type1 ASE, the combination of the external cost and the cost to reach the ASBR is used.


Command Modes

Global configuration mode

Usage Guidelines

Before you enter the ospf advertise command, you must configure the CSS as an Autonomous System (AS) boundary router. For more information, see the ospf as-boundary command.

The AS boundary router can perform external route summarization to consolidate multiple routes into a single advertisement. For a CSS, this is useful when you want to advertise VIP addresses for content as OSPF AS external (ASE) through all OSPF interfaces.


Note When you configure OSPF to advertise a VIP address as ASE, it continues to advertise the route even when the underlying service is not active or no longer exists. However, if you configure the VIP as a redundant VIP within a virtual router, OSPF stops advertising this VIP when the virtual router state is Down or Backup.

For more information on configuring a redundant VIP within a virtual router, refer to the Cisco Content Services Switch Advanced Guide. To stop the advertisement of the route, enter the no ospf advertise command.


ospf area

To configure an OSPF area, use the ospf area command. To remove an OSPF area, disable OSPF and then use the no form of this command.

ospf area area_id {stub {default-metric metric|send-summaries}}
no ospf area area_id

Syntax Description

area_id

The OSPF area ID. Enter the ID in dotted-decimal notation (for example, 0.0.0.1). Although an area ID has the same form as an IP address, the area ID address space is its own distinct address space. The area ID of 0.0.0.0 is reserved for the backbone.

stub

This option allows you to configure the area as a stub area. AS-external link state advertisements are not flooded into stub areas. This reduces the link-state database size and the memory requirements for internal routers in the stub area.

default-metric

Optionally sets a metric for the default route advertised into the stub area.

metric

The metric value. By default, this value equals the least metric among the interfaces to other areas. Enter an integer from 1 to 16777215.

send-summaries

Optionally, propagates summary link state advertisements (LSAs) into the stub area.


Command Modes

Global configuration mode

ospf as-boundary

To configure the CSS as an Autonomous System (AS) boundary router, use the ospf as-boundary command. An AS boundary router exchanges routing information with routers belonging to other Autonomous Systems. It advertises AS external routing information throughout the Autonomous System. Use the no form of this command to unassign the CSS as an AS boundary router.

ospf as-boundary
no ospf as-boundary

Command Modes

Global configuration mode

Usage Guidelines

You can enter the ospf as-boundary command only if OSPF is disabled.

ospf default

To advertise default ASE routes through OSPF, use the ospf default command. Routers use default routes when no more specific routes exist to AS external destinations. Use the no form of this command to shut off the advertising of default ASE routes originated through OSPF.

ospf default {metric number1} {tag number2} {type1}
no ospf default

Syntax Description

metric number1

The optional metric to advertise. Enter a number from 1 to 16777215. The default is 1.

tag number2

An optional 32-bit tag value to advertise each external route. This is not used by the OSPF protocol itself. You can use it to communicate information between AS boundary routers.

type1

Optionally, advertises the routes as ASE type1. By default, the type is ASE type2. The difference between type1 and type2 is how the cost is calculated. For a type2 ASE, only the external cost (metric) is considered when comparing multiple paths to the same destination. For type1 ASE, the combination of the external cost and the cost to reach the ASBR is used.


Command Modes

Global configuration mode

Usage Guidelines

Use the ospf default command to force an AS boundary router to generate a default route. Normally, AS boundary routers do not generate default routes into the OSPF routing domain.

ospf enable

To enable OSPF, use the ospf enable command. Use the no form of this command to disable OSPF.

ospf enable
no ospf enable

Command Modes

Global configuration mode

Usage Guidelines

You must configure a router ID before enabling OSPF. For more information, see the ospf router-id command.

ospf equal-cost

To configure the number of equal-cost routes that OSPF can use, use the ospf equal-cost command. Use the no form of this command to reset the number of routes to its default value of 15.

ospf equal-cost number
no ospf equal-cost

Syntax Description

number

The number of equal-cost routes. Enter a number from 1 to 15. The default is 15.


Command Modes

Global configuration mode

ospf range

To specify an IP address range to summarize routes at the CSS area border router, use the ospf range command. Use the no form of this command to remove the range.

ospf range area_id ip_address mask {block}
no ospf range area_id ip_address mask

Syntax Description

area_id

OSPF area ID. Enter the ID in dotted-decimal notation (for example, 0.0.0.1).

ip_address mask

The range of addresses you want to summarize in one range. Enter the IP address and mask in dotted-decimal notation (for example, 192.168.128.0 255.255.224.0). You can also enter the mask in prefix-length format (for example, /24).

block

This optional keyword hides the range from the rest of the autonomous system.


Command Modes

Global configuration mode

Usage Guidelines

You can enter the ospf range command only if OSPF is disabled.

Define an address range by specifying an IP address and mask pair that represent networks in the area being summarized. You can also determine whether you want to advertise this range.

The CSS advertises a single summary route or network ranges that cover all the individual networks within its area that fall into the specified range. This summarization applies to inter-area paths, which are paths to destinations in other OSPF areas. This summarization helps control routing table sizes and prevents the constant changing of routes whenever an interface within an area comes online or goes offline. These route changes do not cause route changes in backbone ABRs and other area routers.

ospf redistribute

To advertise routes from other protocols through OSPF, use the ospf redistribute command. Redistribution of these routes makes them OSPF external routes. Use the no form of this command to shut off the advertising of routes via OSPF.

ospf redistribute protocol {metric number1} {tag number2} {type1}
no ospf redistribute [firewall|local|rip|static]

Syntax Description

protocol

The type of route to advertise. Enter one of the following:

firewall, firewall route

local, local route

rip, RIP route

static, static route

metric number1

The optional metric to advertise. Enter a number from 1 to 16777215. The default is 1.

tag number2

An optional 32-bit tag value to advertise each external route. This is not used by the OSPF protocol itself. You can use it to communicate information between AS boundary routers.

type1

Optionally advertises the routes as ASE type1. By default, the type is ASE type2. The difference between type1 and type2 is how the cost is calculated. For a type2 ASE, only the external cost (metric) is considered when comparing multiple paths to the same destination. For type1 ASE, the combination of the external cost and the cost to reach the ASBR is used.


Command Modes

Global configuration mode
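The type1/type2 cost rule stated for the type1 option of ospf advertise, ospf default and ospf redistribute, worked through as an added example (not Cisco code). Router IDs and costs are constructed; the preference of type1 paths over type2 paths and the tie-break on cost to the ASBR come from RFC 2328 section 16.4, not from this reference.

```python
"""OSPF AS-external (ASE) path comparison using the type1/type2 cost rule
given for the ospf advertise, ospf default and ospf redistribute commands.
Added example for this reference, not Cisco code; router IDs (RFC 5737
addresses) and costs are constructed."""
from dataclasses import dataclass

METRIC_MAX = 16777215  # documented range for the metric option is 1..16777215


@dataclass(frozen=True)
class ExternalPath:
    asbr: str        # router ID of the ASBR advertising the route
    metric: int      # external cost (the metric carried in the ASE LSA)
    asbr_cost: int   # cost from this router to reach that ASBR
    type1: bool      # True = ASE type1, False = ASE type2 (the CSS default)


def validate_metric(metric):
    """Reject metrics outside the documented 1..16777215 range."""
    if not 1 <= metric <= METRIC_MAX:
        raise ValueError("metric %d outside 1..%d" % (metric, METRIC_MAX))
    return metric


def comparison_cost(path):
    """Cost used when comparing paths to the same destination: type2 looks
    only at the external metric; type1 adds the cost to reach the ASBR."""
    validate_metric(path.metric)
    if path.type1:
        return path.metric + path.asbr_cost
    return path.metric


def best_path(paths):
    """Prefer type1 paths over type2 paths when both exist (RFC 2328 16.4),
    then the lowest comparison cost; ties go to the nearer ASBR."""
    if not paths:
        return None
    type1 = [p for p in paths if p.type1]
    candidates = type1 or list(paths)
    return min(candidates, key=lambda p: (comparison_cost(p), p.asbr_cost))


def preferred_asbr(paths):
    """Router ID of the ASBR whose advertisement wins, or None."""
    best = best_path(paths)
    return best.asbr if best else None


# Two CSSs advertise the same VIP: ASBR_A is far away (cost 50) but sets a
# low metric, ASBR_B is near (cost 5) with a higher metric. Constructed values.
ASBR_A, ASBR_B = "192.0.2.1", "192.0.2.2"
AS_TYPE2 = [ExternalPath(ASBR_A, 10, 50, False), ExternalPath(ASBR_B, 20, 5, False)]
AS_TYPE1 = [ExternalPath(ASBR_A, 10, 50, True), ExternalPath(ASBR_B, 20, 5, True)]


if __name__ == "__main__":
    # type2: only the metric counts, so the distant ASBR_A wins (10 < 20);
    # type1: 10+50=60 versus 20+5=25, so the nearby ASBR_B wins.
    print("type2 ->", preferred_asbr(AS_TYPE2))
    print("type1 ->", preferred_asbr(AS_TYPE1))
```

The same two advertisements flip preference with the type, which is why a CSS that advertises VIPs with the default type2 should set metrics deliberately: a distant ASBR with a low metric wins regardless of how far away it is.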

ospf router-id

To configure the OSPF router ID for the CSS, use the ospf router-id command. Use the no form of this command to delete the router ID on the CSS.

ospf router-id id_number
no ospf router-id

Syntax Description

id_number

The router ID 32-bit number that identifies the CSS within the AS. Enter the ID in dotted-decimal notation (for example, 121.23.21.1).


Command Modes

Global configuration mode

Usage Guidelines

Before you can enable OSPF, you must configure the router ID. To change the router ID, you must disable OSPF.

(config) owner

To access owner configuration mode and configure an owner, use the owner command. An owner is an entity that owns Web content and uses the CSS to manage access to the content through content rules. A maximum of 255 owners can use a single CSS and each owner has a configurable profile. Use the no form of this command to delete an existing owner.

owner owner_name
no owner existing_owner_name

Syntax Description

owner_name

The name of a new owner you want to create or the name of an existing owner. Enter an unquoted text string with no spaces and a maximum length of 31 characters. To see a list of existing owner names, enter:

owner ?

Usage Guidelines

When you access owner mode, the prompt changes to (config-owner [owner_name]). For information about commands available in this mode, see "Owner Configuration Mode Commands".


Caution Before you use the no owner command to delete an existing owner, make sure you want to permanently delete the owner and its associated content rules. You cannot undo this command. If you want a prompt before the CSS performs a command, use the no expert command.

(config) persistence reset

To choose between an HTTP redirection or a back-end service remapping operation when resetting a connection to a new back-end service, use the persistence reset command. This command affects all flow setups that require redirecting or remapping.

persistence reset [redirect|remap]

Syntax Description

redirect

Causes an HTTP redirection when resetting a connection to a new back-end service. An HTTP redirection resets both sides of the connection.

remap

Uses a back-end remapping operation when resetting a connection to a new back-end service.


Usage Guidelines

The CSS does not use a remapping method when selecting services of type redirect.

You cannot use the persistence reset command with the (config-owner-content) redundancy-l4-stateless command.

Related Commands

show remap
(config) bypass persistence
(config-owner-content) persistent

(config) proximity

To configure proximity on the CSS, use the proximity command and its options. The command options are:

proximity cache-remove..., removes entries from the proximity lookup cache

proximity cache-size..., sets the entry size for the proximity lookup cache

proximity db..., enables the Proximity Database (PDB) in the CSS

proximity probe rtt interval..., configures the delay in seconds between ICMP samples

proximity probe rtt method..., configures the primary method to be used for proximity metric discovery

proximity probe rtt metric-weighting..., configures the percentage of the previously stored metric value in the database that is used to determine the new metric value

proximity probe rtt samples..., configures the number of ICMP requests to send

proximity probe rtt tcp-ports..., configures the probe defaults for SYN proximity metric discovery

proximity ttl..., sets the Time to Live value for each Proximity Database response

For more information, see the following commands.

proximity cache-remove

To remove entries from the proximity lookup cache, use the proximity cache-remove command. The prefix length parameter allows you to remove multiple entries in a single operation.

proximity cache-remove [ip_address ip_prefix|all]

Syntax Description

ip_address

The IP address to remove from the cache.

ip_prefix

The IP prefix length to be associated with ip_address for removal. Enter the prefix as either:

A prefix length in CIDR bitcount notation (for example, /24)

A subnet mask in dotted-decimal notation (for example, 255.255.255.0)

all

Removes all entries from the proximity cache.


Command Modes

Global configuration mode

Usage Guidelines

The proximity cache-remove command is functional on a CSS with the Enhanced feature set.

Related Commands

show proximity cache

proximity cache-size

To set the size of the proximity lookup cache, use the proximity cache-size command. Use the no form of this command to restore the default cache size of 16000 entries.

proximity cache-size cache_size
no proximity cache-size

Syntax Description

cache_size

The size of the cache. Enter a size between 0 and 48,000. The default value is 16000 entries. Entering a value of 0 disables the cache.


Command Modes

Global configuration mode

Usage Guidelines

The proximity cache-size command is functional on a CSS with the Enhanced feature set. By default, the cache supports approximately 16,000 entries using 1 MB of CSS memory. You can increase or decrease the entries, depending upon your CSS configuration.


Note Dynamically modifying the cache size results in flushing the existing entries.


Related Commands

show proximity cache
(config) proximity cache-remove

proximity db

To enable the Proximity Database (PDB) on the CSS, use the proximity db command. This service allows the CSS to respond to proximity lookup requests and enables proximity probing. Use the no form of this command to disable the CSS Proximity Database.

proximity db zoneIndex {tier1|tier2 {"description"}}
no proximity db

Syntax Description

zoneIndex

The numeric identifier of the proximity zone of the CSS. This number should match the zoneIndex configured on the PDNS. Enter an integer from 0 to 15. There is no default.

tier1|tier2

The optional maximum number of zones the CSS expects to participate in its proximity zone mesh. Enter tier1 for a maximum of 6 zones, 0 through 5. Enter tier2 for a maximum of 16 zones, 0 through 15. The tier1 option is the default.

description

The optional text description of this CSS zone. Enter a quoted string with a maximum of 20 characters.


Command Modes

Global configuration mode

Usage Guidelines

The proximity db command is functional only on a Proximity Database CSS.

proximity probe rtt interval

To configure the delay in seconds between samples for the configured probe method, use the proximity probe rtt interval command. Use the no form of this command to reset the delay between samples to its default value of 1 second.

proximity probe rtt interval seconds
no proximity probe rtt interval

Syntax Description

seconds

The length of time in seconds to delay between samples. Enter a number from 1 to 10. The default is 1.


Command Modes

Global configuration mode

Usage Guidelines

The proximity probe rtt interval command is functional only on a Proximity Database CSS.

proximity probe rtt method

To configure the primary and secondary methods to be used for proximity metric discovery, use the proximity probe rtt method command. The discovery method uses ICMP Echo requests or a TCP SYN, SYN-ACK, RST sequence to the configured TCP ports as the Round-Trip Time (RTT) discovery method.

proximity probe rtt method [icmp tcp|icmp|tcp icmp|tcp]

Syntax Description

icmp tcp

Configures the ICMP as the primary discovery method and TCP as the secondary method (default)

icmp

Configures the ICMP as the primary discovery method only

tcp icmp

Configures the TCP as the primary discovery method and ICMP as the secondary method

tcp

Configures the TCP as the primary discovery method only


Command Modes

Global configuration mode

Usage Guidelines

The proximity probe rtt method command is functional only on a Proximity Database CSS.

proximity probe rtt metric-weighting

To configure the percentage of the previously stored metric value in the database that is used to determine the new metric value, use the proximity probe rtt metric-weighting command. Use the no form of this command to reset the percentage to its default value of 0.

proximity probe rtt metric-weighting number
no proximity probe rtt metric-weighting

Syntax Description

number

The percentage of the previous metric value used. Enter a number from 0 to 99. The default is 0.


Command Modes

Global configuration mode

Usage Guidelines

This command is functional only on a Proximity Database CSS.

The proximity probe rtt metric-weighting command allows the PDB to smooth network metric variation caused by network congestion and flash crowds.

proximity probe rtt samples

To configure the number of ICMP requests to send for each configured probe method, use the proximity probe rtt samples command. Use the no form of this command to reset the number of requests to its default value of 2.

proximity probe rtt samples number
no proximity probe rtt samples

Syntax Description

number

The number of requests that the CSS uses for averaging during an initial probe. Enter a number from 1 to 30. The default is 2.


Command Modes

Global configuration mode

Usage Guidelines

This command is functional only on a Proximity Database CSS.

proximity probe rtt tcp-ports

To configure the probe ports for SYN proximity metric discovery, use the proximity probe rtt tcp-ports command. Use the no form of this command to reset the probe ports to their default values.

proximity probe rtt tcp-ports port_number1 {port_number2 {port_number3 {port_number4}}}

no proximity probe rtt tcp-ports

Syntax Description

port_number

A maximum of four port numbers to be tried, in order of preference. Enter a number from 0 to 65535. The defaults for the ports are as follows:

port_number1 is 23, Telnet port

port_number2 is 21, FTP port

port_number3 is 80, HTTP port

port_number4 is 0, this port is not tried


Command Modes

Global configuration mode

Usage Guidelines

This command is functional only on a Proximity Database CSS.

proximity ttl

To set the time-to-live (TTL) value, in minutes, for each Proximity Database response, use the proximity ttl command. This value informs the proximity DNS how long to cache the response. Use the no form of this command to reset the TTL value to its default value.

proximity ttl [assigned assigned_minutes|probe probe_minutes]
no proximity ttl [assigned|probe]

Syntax Description

assigned

Sets the TTL value for client addresses that are assigned to the Proximity Database.

assigned_minutes

The TTL value in minutes for client addresses that are assigned to the Proximity Database. Enter a number from 0 to 255. The default value is 60.

probe

Sets the TTL value for client addresses that are being probed.

probe_minutes

The TTL value in minutes for client addresses that are being probed. Enter a number from 0 to 255. The default value is 0, which disables the caching of responses at the Proximity Database.


Command Modes

Global configuration mode

Usage Guidelines

This command is functional only on a Proximity Database CSS.

(config) radius-server

To configure the CSS as a RADIUS server client, use the radius-server command and its options. The command options are:

radius-server dead-time..., sets the time interval to send probe access-request packets to verify that the RADIUS server is available and can receive authentication requests

radius-server primary..., configures the primary RADIUS server

radius-server retransmit..., sets the number of authentication request retransmissions to a timed-out RADIUS server before the server is considered dead

radius-server secondary..., configures the CSS with the secondary RADIUS server information

radius-server timeout..., configures the time interval that the CSS waits before retransmitting an authentication request

For more information, see the following commands.

radius-server dead-time

To set the time interval to send probe access-request packets to verify that the RADIUS server is available and can receive authentication requests, use the radius-server dead-time command. Use the no form of this command to reset the dead-time period to its default of 5 seconds.

radius-server dead-time seconds
no radius-server dead-time

Syntax Description

seconds

The time period in seconds. Enter a number from 0 to 255. The default is 5. If you enter 0, the dead time is disabled and the CSS does not send probe access-request packets to the non-responding server.


Usage Guidelines

The dead-time interval starts when the server does not respond to the number of authentication request retransmissions configured through the radius-server retransmit command. When the server responds to a probe access-request packet, the CSS transmits the authentication request to the server.

This command applies to primary and secondary servers.

Command Modes

Global configuration mode

Related Commands

show radius config
(config) radius-server retransmit

radius-server primary

To configure the remote primary RADIUS server that authenticates user information from the CSS client, use the radius-server primary command. Use the no form of this command to delete the primary RADIUS server.

radius-server primary ip_or_host secret string {auth-port number}
no radius-server primary

Syntax Description

ip_or_host

The IP address or the hostname for the primary RADIUS server.

secret string

Defines the secret string for authentication transactions between the RADIUS server and the CSS. Enter a case-sensitive string with a maximum of 16 characters.

auth-port number

Optionally defines the UDP port on the primary RADIUS server that receives authentication packets from RADIUS clients. Enter a number from 0 to 65535. The default port is 1645.


Usage Guidelines

When you configure a primary server and enable RADIUS console or virtual authentication on the CSS, the CSS enables the RADIUS protocol, allowing the CSS to become a RADIUS client.

The secret string must match the shared secret configured for the CSS on the RADIUS server. The default auth-port, 1645, is the historical RADIUS authentication port; RFC 2865 assigns UDP port 1812, so set auth-port to the port on which your server actually listens.

Command Modes

Global configuration mode

Related Commands

show radius config
show radius stat
(config) console authentication
(config) radius-server dead-time
(config) radius-server timeout
(config) virtual authentication
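The following is an added example, not code from the CSS documentation or from Cisco. It shows what the secret string configured with radius-server primary and radius-server secondary actually protects, by building the RFC 2865 Access-Request that a RADIUS client such as the CSS sends and by checking the server's reply. The secret is used only to hide the User-Password attribute and to authenticate the response; the user name, NAS address and everything else cross the network in the clear. The secret, credentials and addresses are constructed values for the demonstration.

```python
"""RFC 2865 Access-Request construction and reply verification.

Added example, not code from the CSS. The shared secret keys two things:
User-Password hiding (MD5-chained XOR) and the Response Authenticator that
lets the client reject forged or tampered replies. Nothing else is protected.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; then a 16-byte Authenticator


def _attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded_len = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, padded_len, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # the next key depends on the previous ciphertext block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password (the server side); strips the zero padding, so a
    password ending in NUL bytes is not supported by this demonstration."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, secret, username, password, nas_ip, request_authenticator=None):
    """Access-Request carrying User-Name, hidden User-Password and NAS-IP-Address."""
    ra = request_authenticator or os.urandom(16)  # must be unpredictable: it keys the password hiding
    attrs = (_attribute(ATTR_USER_NAME, username)
             + _attribute(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
             + _attribute(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    return HEADER.pack(ACCESS_REQUEST, identifier, HEADER.size + 16 + len(attrs)) + ra + attrs


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    length = HEADER.size + 16 + len(attrs)
    return hashlib.md5(HEADER.pack(code, identifier, length) + request_authenticator + attrs + secret).digest()


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """What the server returns; the client accepts it only if the authenticator verifies."""
    auth = response_authenticator(code, identifier, attrs, request_authenticator, secret)
    return HEADER.pack(code, identifier, HEADER.size + 16 + len(attrs)) + auth + attrs


def verify_response(response, request_authenticator, secret):
    """Client-side check: a wrong secret, a reply to a different request, or a
    tampered Code/attribute list all fail."""
    code, identifier, length = HEADER.unpack_from(response)
    if length != len(response) or length < HEADER.size + 16:
        return False
    attrs = response[HEADER.size + 16:length]
    expected = response_authenticator(code, identifier, attrs, request_authenticator, secret)
    return hmac.compare_digest(expected, response[HEADER.size:HEADER.size + 16])


def parse_attributes(packet):
    """Walk the TLV list after the 20-byte header; returns [(type, value), ...]."""
    out, pos = [], HEADER.size + 16
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        out.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return out
```

The CSS limits the secret to 16 case-sensitive characters, so use all of them: the secret is the only thing standing between a captured Access-Request and the user's password, and the only thing that stops an attacker on the path from forging an Access-Accept.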

radius-server retransmit

To configure the number of times that the CSS retransmits an authentication request to an active RADIUS server after the timeout interval expires, use the radius-server retransmit command. Use the no form of this command to reset the number of retransmissions to its default of 3.

radius-server retransmit number
no radius-server retransmit

Syntax Description

number

The number of times that the CSS retransmits an authentication request. Enter a number from 1 to 30. The default number is 3.


Usage Guidelines

If the RADIUS server does not respond to the CSS retransmitted requests, the CSS considers the server as dead, stops transmitting to the server, and starts the dead timer as defined through the radius-server dead-time command.

If a secondary server is configured, the CSS transmits the requests to the secondary server. If the secondary server does not respond to the request, the CSS considers it dead and starts the dead timer.

If there is no active server, the CSS stops transmitting requests until one of the servers becomes alive.

Command Modes

Global configuration mode

Related Commands

show radius config
show radius stat
(config) radius-server dead-time

radius-server secondary

To configure the remote secondary RADIUS server, use the radius-server secondary command. When the primary server becomes unavailable, the CSS directs authentication requests to the secondary server. Use the no form of this command to delete the secondary RADIUS server.

radius-server secondary ip_or_host secret string {auth-port number}
no radius-server secondary

Syntax Description

ip_or_host

The IP address or the hostname for the secondary RADIUS server.

secret string

Defines the secret string for authentication transactions between the RADIUS server and the CSS. Enter a case-sensitive string with a maximum of 16 characters.

auth-port number

Optionally defines the UDP port on the secondary RADIUS server that receives authentication packets from clients. Enter a number from 0 to 65535. The default is 1645.


Command Modes

Global configuration mode

Related Commands

show radius config
show radius stat
(config) radius-server dead-time
(config) radius-server timeout

radius-server timeout

To specify the time interval that the CSS waits for a reply to a RADIUS request before retransmitting requests to the RADIUS server, use the radius-server timeout command. Configure the number of retransmitted requests to the server through the radius-server retransmit command. Use the no form of this command to reset the interval to its default of 10 seconds.

radius-server timeout time
no radius-server timeout

Syntax Description

time

The time interval in seconds. Enter a number from 1 to 255. The default interval is 10.


Usage Guidelines

This command applies to the primary and secondary RADIUS servers.

Command Modes

Global configuration mode

Related Commands

show radius config
show radius stat
(config) radius-server retransmit

(config) restrict

To disable Telnet, SNMP, SSHD, console, FTP, user database, XML, or Web Management access to the CSS, use the restrict command. Use the no form of this command to re-enable the specified access method.

restrict [console|ftp|snmp|ssh|telnet|user-database|xml|web-mgmt]

no restrict [console|ftp|snmp|ssh|telnet|user-database|xml|web-mgmt]

Syntax Description

console

Disables console access to the CSS. By default, this is enabled.

ftp

Disables FTP access to the CSS. By default, this is enabled.

snmp

Disables SNMP access to the CSS. By default, this is enabled.

ssh

Disables SSHD access to the CSS. By default, this is enabled.

telnet

Disables Telnet access to the CSS. By default, this is enabled.

user-database

Disables users from clearing the running-config and creating or modifying usernames. Only administrator and technician users can perform these tasks. By default, this is enabled.

xml

Disables XML access to the CSS. By default, this is disabled.

web-mgmt

Disables Web management access to the CSS. By default, this is disabled.


Command Modes

Global configuration mode

Usage Guidelines

Disable Telnet access when you use the Secure Shell Host (SSH) server; Telnet carries login credentials and the whole session in cleartext.

When XML is enabled, the CSS listens for XML connections on port 80.

Entering the restrict command does not prevent the CSS from listening for connection attempts on the restricted port. The CSS completes the TCP 3-way handshake and then terminates the connection with an error to prevent any data transfer from occurring. For UDP SNMP connections, the CSS simply discards the packets.

To secure restricted ports from unauthorized access, configure ACL clauses that deny packets destined to those ports on the CSS while permitting normal flow-through traffic.
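Because a restricted port still completes the TCP handshake, an ordinary port scan reports it as open, and a listener that accepts and then immediately closes looks different from a closed port or from a port protected by an ACL. The following added check, which is not part of the CSS documentation, tells those cases apart. The stand-in listeners model the restricted and serving behaviour on loopback so the script runs offline; the banner string and port choices are constructed.

```python
"""Tell a 'restricted' CSS port from a closed, filtered or serving one.

Added example, not from the CSS documentation. The restrict usage guidelines
say the CSS completes the TCP three-way handshake on a restricted port and then
closes the connection without transferring data; a scanner therefore shows the
port as open. classify_port() distinguishes that from a refused connection
(nothing listening), a dropped SYN (ACL or firewall) and a real service.
"""
import socket
import threading

REFUSED = "refused"        # nothing listens: connect() fails (RST to the SYN)
FILTERED = "filtered"      # connect() times out: an ACL or firewall drops the SYN
RESTRICTED = "restricted"  # handshake completes, then the peer closes without sending anything
SILENT = "silent"          # handshake completes, peer stays open but waits for the client to speak
SERVING = "serving"        # handshake completes and the peer sends data, e.g. an SSH banner


def classify_port(host, port, timeout=2.0):
    """Connect once and report how the far end behaves (one of the constants above)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return REFUSED
    except (socket.timeout, TimeoutError):
        return FILTERED
    with sock:  # create_connection leaves the timeout set on the socket
        try:
            data = sock.recv(64)
        except ConnectionResetError:  # closed with RST right after the handshake
            return RESTRICTED
        except (socket.timeout, TimeoutError):
            return SILENT
    return SERVING if data else RESTRICTED  # b"" means FIN with no data: the restrict behaviour


def survey(host, ports, timeout=2.0):
    """Classify several ports of one host; keys are port numbers."""
    return {port: classify_port(host, port, timeout) for port in ports}


def _model_css_port(listener, behaviour):
    """Accept one connection and behave like a restricted or a serving CSS port."""
    conn, _ = listener.accept()
    with conn:
        if behaviour == SERVING:
            conn.sendall(b"SSH-2.0-stand-in\r\n")  # constructed banner, not a real CSS banner
        # RESTRICTED: close without sending anything, as the restrict guidelines describe
    listener.close()


def start_stand_in(behaviour):
    """Start a loopback listener modelling one CSS port; returns its port number."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_model_css_port, args=(listener, behaviour), daemon=True).start()
    return listener.getsockname()[1]


def unused_port():
    """Reserve and release a loopback port so that nothing listens on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    targets = {
        "restricted (telnet-like)": start_stand_in(RESTRICTED),
        "serving (ssh-like)": start_stand_in(SERVING),
        "closed": unused_port(),
    }
    for name, port in targets.items():
        print(f"{name:26s} port {port:5d}: {classify_port('127.0.0.1', port)}")
```

Run it against a real CSS management address and the result for a port that should be unreachable ought to be "filtered" (the ACL drops the SYN), not merely "restricted"; "restricted" means the port is still visible to anyone who can reach it.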

Related Commands

show user-database
(config) sshd
(config) username

(config) rip

To configure the Routing Information Protocol (RIP) parameters on the CSS, use the rip command. The default mode is to send RIP version 2 (v2) and receive either version. The options for this global configuration mode command are:

rip advertise..., advertises a route through RIP on the CSS

rip equal-cost..., sets the number of equal-cost routes

rip redistribute..., advertises routes from other protocols through RIP

For information on these options and associated variables, see the following commands. For information on additional rip command options in IP mode, see the (config-circuit-ip) rip command.

rip advertise

To advertise a route through RIP on the CSS, use the rip advertise command. Use the no form of this command to stop advertising a route through all RIP interfaces.

rip advertise ip_address ip_mask_prefix {metric}
no rip advertise ip_address ip_mask_prefix

Syntax Description

ip_address

The IP address for the route prefix. Enter an IP address in dotted-decimal notation (for example, 192.168.11.1).

ip_mask_prefix

The IP mask. Enter the mask as either:

A prefix length in CIDR bitcount notation (for example, /24). Do not enter a space to separate the IP address from the prefix length.

A subnet mask in dotted-decimal notation (for example, 255.255.255.0).

metric

An optional metric to use when advertising this route. Enter a number from 1 to 15. The default is 1.


Command Modes

Global configuration mode

rip equal-cost

To set the maximum number of equal-cost routes that RIP can use, use the rip equal-cost command. Use the no form of this command to reset the number of routes to the default of 1.

rip equal-cost number
no rip equal-cost

Syntax Description

number

The maximum number of routes. Enter a number from 1 to 15. The default is 1.


Command Modes

Global configuration mode

rip redistribute

To advertise routes from other protocols through RIP, use the rip redistribute command. By default, RIP advertises RIP routes and local routes for interfaces running RIP. This command advertises other routes. Use the no form of this command to stop advertising routes.

rip redistribute [firewall|local|ospf|static] {metric}
no rip redistribute [firewall|local|ospf|static]

Syntax Description

firewall

Advertises firewall routes through RIP.

local

Advertises local routes.

ospf

Advertises OSPF routes.

static

Advertises static routes.

metric

An optional metric to use when advertising the route. Enter a number from 1 to 15. The default is 1.


Command Modes

Global configuration mode

(config) rmon-alarm

To enter RMON alarm configuration mode, use the rmon-alarm command. An RMON alarm allows you to monitor every SNMP object in the CSS for a desired transitory state. Use the no form of this command to delete an RMON alarm.

rmon-alarm index
no rmon-alarm index

Syntax Description

index

The RMON alarm index number. Enter an integer from 1 to 65535.

The RMON alarm index 65535 is administratively predefined and cannot be modified. If you enter this index number, a message similar to the following appears:

%% Index internally used. Administrative control not allowed.

Usage Guidelines

When you use the rmon-alarm command to access this mode, the prompt changes to (config-rmonalarm [index]). For information about commands available in this mode, see "RMON Alarm Configuration Mode Commands".

(config) rmon-event

To enter RMON event configuration mode, use the rmon-event command. An RMON event is associated with an RMON alarm. It defines what should occur when an RMON alarm is triggered. Use the no form of this command to delete an RMON event.

rmon-event index
no rmon-event index

Syntax Description

index

The RMON event index number. Enter an integer from 1 to 65535.

The RMON event index 65535 is administratively predefined and cannot be modified. If you enter this index number, a message similar to the following appears:

%% Index internally used. Administrative control not allowed.

Usage Guidelines

When you use the rmon-event command to access this mode, the prompt changes to (config-rmonevent [index]). For information about commands available in this mode, see "RMON Event Configuration Mode Commands".

(config) rmon-history

To enter RMON history configuration mode, use the rmon-history command. Use the no form of this command to delete an RMON history.

rmon-history index
no rmon-history index

Syntax Description

index

The RMON history index number. Enter an integer from 1 to 65535.

Some history index numbers are administratively predefined and cannot be modified. If you enter an index number under administrative control, a message similar to the following appears:

%% Index internally used. Administrative control not allowed.

Usage Guidelines

When you use the rmon-history command to access this mode, the prompt changes to (config-rmonhistory [index]). For information about commands available in this mode, see "RMON History Configuration Mode Commands".

(config) service

To access service configuration mode and configure a service, use the service command. A service is an entity that contains and provides Internet content. It is identified by a name, an IP address, and optionally, a protocol and a port number. When you create a service, you can apply content rules to it. The rules allow the CSS to direct or deny requests for content from the service.

Use the no form of this command to delete an existing service.

service service_name
no service service_name

Syntax Description

service_name

The name of a new service you want to create or an existing service you want to modify. Enter an unquoted text string with no spaces and a maximum length of 31 characters. To see a list of existing service names, enter:

service ? 

Usage Guidelines

When you use the service command to access service mode, the prompt changes to (config-service [name]). For information about commands available in this mode, see "Service Configuration Mode Commands".

Related Commands

(config-service) ip address
(config-service) port

(config) snmp

To configure Simple Network Management Protocol (SNMP) parameters, use the snmp command. The options for this global configuration mode command are:

snmp auth-traps, enables reception of SNMP authentication traps

snmp community..., sets or modifies SNMP community names and access properties

snmp contact..., sets or modifies the SNMP system contact name

snmp location..., sets or modifies the SNMP system location

snmp name..., sets or modifies the SNMP name for this system

snmp reload-enable..., allows SNMP-based reset of the CSS

snmp trap-host..., sets or modifies the SNMP host to receive traps from this system

snmp trap-source..., sets the source IP address in the traps generated by the CSS

snmp trap-type enterprise..., enables SNMP enterprise trap types

snmp trap-type generic..., enables SNMP generic trap types


Note The CSS supports SNMP version 2C (SNMPv2C), known as "community-based SNMP," and standard Management Information Base (MIB-II) objects, along with an extensive set of enterprise objects. You can use any compatible network management system to monitor and control a CSS. SNMPv2C has no authentication beyond the community name, which is carried in cleartext in every message, so grant read-write access only to the communities that require it and restrict SNMP access with ACLs.

The CSS generates traps in SNMP version 1 (SNMP v1) format.


For more information on these options and associated variables, see the following commands.

Related Commands

(config) restrict snmp
(config) rmon-alarm
(config) rmon-event
(config) rmon-history

snmp auth-traps

To enable reception of SNMP authentication traps, use the snmp auth-traps command. Use the no form of this command to disable reception of authentication traps.

snmp auth-traps
no snmp auth-traps

Usage Guidelines

The CSS generates these traps when an SNMP management station attempts to access your system with invalid community names. The CSS generates traps in SNMP v1 format.

Command Modes

Global configuration mode

Related Commands

snmp trap-type generic

snmp community

To set or modify SNMP community names and access properties, use the snmp community command. You may specify as many community names as you wish. Use the no form of this command to remove a community name.

snmp community community_name [read-only|read-write]
no snmp community community_name

Syntax Description

community_name

The SNMP community name for this system. Enter an unquoted text string with no spaces and a maximum length of 12 characters.

read-only

Allows read-only access for this community.

read-write

Allows read-write access for this community.


Command Modes

Global configuration mode

snmp contact

To set or modify the contact name for the SNMP system, use the snmp contact command. You can specify only one contact name. Use the no form of this command to remove the contact name and reset it to the default, Cisco Systems, Content Network Systems.

snmp contact "contact_name"
no snmp contact

Syntax Description

contact_name

The name of the contact person for this system. You can also include information on how to contact the person; for example, a phone number or email address. Enter a quoted text string with a maximum of 255 characters including spaces.


Command Modes

Global configuration mode

snmp location

To set or modify the SNMP system location, use the snmp location command. You can specify only one location. Use the no form of this command to remove the location and set it to Customer Premises.

snmp location "location"
no snmp location

Syntax Description

location

The physical location of this system. Enter a quoted text string with a maximum length of 255 characters.


Command Modes

Global configuration mode

snmp name

To set or modify the SNMP name for this system, use the snmp name command. You can specify only one name. Use the no form of this command to remove the SNMP name for this system and set it to Support.

snmp name "name"
no snmp name

Syntax Description

name

The unique name assigned to this system by the system administrator. The standard convention is the system's fully-qualified domain name (for example, user.domain.com). Enter a quoted text string with a maximum of 255 characters.


Command Modes

Global configuration mode

snmp reload-enable

To allow the rebooting of the CSS through SNMP, use the snmp reload-enable command. Use the no form of this command to disallow a CSS reboot through SNMP (default behavior).

snmp reload-enable {reload_value}
no snmp reload-enable

Syntax Description

reload_value

The object used to control apSnmpExtReloadSet, providing the SNMP-based reboot. When the object is set to 0, an SNMP reboot is not allowed. When the object is set to a value between 1 and 2^32, a reboot may be caused with any write value to apSnmpExtReloadSet. For security purposes, this object always returns 0 when read.


Command Modes

Global configuration mode

Usage Guidelines

When you use the snmp reload-enable command, it allows any SNMP write to the reload object to force a CSS reboot. The reload object name is apSnmpExtReloadSet (1.3.6.1.4.1.2467.1.22.7). You can find this object in the enterprise MIB, snmpext.mib. When you include a reload value, an SNMP write equal to the reload_value forces a CSS reboot.

Because SNMPv2C authenticates a request only by its community name, any host that holds a read-write community name can reboot the CSS once this command is configured. Leave it disabled (the default) unless you need SNMP-initiated reboots, and protect SNMP access with ACLs.

snmp trap-host

To set or modify the SNMP host to receive traps from this system, use the snmp trap-host command. Use the no form of this command to remove a specified trap host.

snmp trap-host ip_or_host community_name
no snmp trap-host ip_or_host

Syntax Description

ip_or_host

The IP address or host name of an SNMP host that has been configured to receive traps. Enter an IP address in dotted-decimal notation (for example, 192.168.11.1) or in mnemonic host-name format (for example, myhost.mydomain.com).

You can specify a maximum of five hosts.

community_name

The community name to use when sending traps to the specified SNMP host. Enter an unquoted text string with no spaces and a maximum length of 12 characters.


Usage Guidelines

The CSS generates traps in SNMP v1 format.

Command Modes

Global configuration mode

snmp trap-source

To set the source IP address placed in the traps generated by the CSS, use the snmp trap-source command. Use the no form of this command to return the trap source address to the default, the management port IP address.

snmp trap-source [egress-port|management|specified source_ip_address]
no snmp trap-source

Syntax Description

egress-port

Obtains the source IP address for the SNMP traps from the VLAN circuit IP address configured on the egress port used to send the trap. You do not need to enter an IP address because the address is determined dynamically by the CSS.

management

Places the management port IP address in the source IP field of the trap. This is the default setting.

specified source_ip_address

Allows you to enter the IP address to be used in the source IP field of the traps. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).


Command Modes

Global configuration mode

snmp trap-type enterprise

To enable SNMP enterprise traps and configure trap types, use the snmp trap-type enterprise command. Use the no form of this command to disable all or a specific trap. Use the no snmp trap-type enterprise command to disable all traps.

snmp trap-type enterprise {dos_attack_type {trap-threshold threshold_value}|chmgr-module-transition|chmgr-ps-transition|isc-lifetick-failure|login-failure|reload|redundancy-transition|service-transition}

no snmp trap-type enterprise {dos_attack_type|chmgr-module-transition|chmgr-ps-transition|isc-lifetick-failure|login-failure|reload|redundancy-transition|service-transition}

Syntax Description

enterprise

When you use this keyword alone, it enables enterprise traps. You must enable enterprise traps before you configure an enterprise trap option.

dos_attack_type

Generates SNMP enterprise traps when a Denial of Service (DoS) attack event occurs. One trap is generated each second when the number of attacks during that second exceeds the threshold for the configured DoS attack type. The options are as follows:

dos-illegal-attack generates traps for illegal addresses, either source or destination. Illegal addresses are loopback source addresses, broadcast source addresses, loopback destination addresses, multicast source addresses, or source addresses that you own. The default trap threshold for this type of attack is 1 per second.

dos-land-attack generates traps for packets that have identical source and destination addresses. The default trap threshold for this type of attack is 1 per second.

dos-smurf-attack generates traps when the number of pings with a broadcast destination address exceeds the threshold value. The default trap threshold for this type of attack is 1 per second.

dos-syn-attack generates traps when the number of TCP connections that are initiated by a source, but not followed with an acknowledgment (ACK) frame to complete the three-way TCP handshake, exceeds the threshold value. The default trap threshold for this type of attack is 10 per second.

chmgr-module-transition

Generates SNMP enterprise traps if a module (for example, SCM, FEM, GEM) is inserted into or removed from a powered-on CSS 11503 or CSS 11506 chassis.

chmgr-ps-transition

Generates SNMP enterprise traps when the CSS 11503 or CSS 11506 power supply changes state (powered off, on, or removed from the CSS chassis).

trap-threshold threshold_value

Overrides a default trap threshold. For the threshold_value, enter a number from 1 to 65535.

isc-lifetick-failure

Generates SNMP enterprise traps when the CSS ISC lifetick message failure occurs.

login-failure

Generates SNMP enterprise traps when a CSS login failure occurs. An alert-level log message is also generated.

reload

Generates SNMP enterprise traps when a CSS reboot occurs. A trap is generated when a reboot is initiated directly through SNMP.

redundancy-transition

Generates SNMP enterprise traps when the CSS redundancy transitions state.

service-transition

Generates SNMP enterprise traps when a CSS service transitions state. A trap is generated when a service fails and when a failed service resumes proper operation.


Command Modes

Global configuration mode

Usage Guidelines

You must enable enterprise traps before you configure an enterprise trap option. You can enable the CSS to generate enterprise traps when DoS attack events occur, a login fails, or a CSS service transitions state.

The CSS generates traps in SNMP v1 format.

Related Commands

snmp auth-traps
snmp trap-host
show log traplog

snmp trap-type generic

To enable SNMP generic trap types, use the snmp trap-type generic command. The generic SNMP traps consist of cold start, warm start, link down, and link up. Use the no form of this command to disable a generic trap.

snmp trap-type generic
no snmp trap-type generic

Command Modes

Global configuration mode

Usage Guidelines

The CSS generates traps in SNMP v1 format.

Related Commands

snmp auth-traps
snmp trap-host
show log traplog

(config) sntp

To configure the SNTP server on the CSS, use the sntp command. You can configure one SNTP server. Use the no form of this command to remove the SNTP server or reset the poll interval.

sntp [server ip_address {version number}|poll-interval seconds]
no sntp [server|poll-interval]

Syntax Description

server ip_address

Defines the SNTP server. Enter the IP address for the server.

version number

Defines the version of the SNTP server. For the number value, enter a number from 1 to 4. The default version is 1.

poll-interval seconds

Defines the poll interval in seconds between SNTP request messages. For the seconds value, enter a number from 16 to 16284. The default is 64.


Command Modes

Global configuration mode

Usage Guidelines

Before you synchronize the CSS with an SNTP server, make sure you configure the proper time zone for the CSS (for example, to EST). Also make sure that the time difference between the CSS internal clock and the SNTP server clock is less than 24 hours. Otherwise, the CSS will not synchronize its clock with the SNTP server.

Related Commands

clock
show sntp global

(config) spanning-packets

To configure the number of packets spanned for the search of the HTTP Header termination string, use the spanning-packets command. Use the no form of this command to reset the number of packets spanned to the default value of 6.

spanning-packets number
no spanning-packets

Syntax Description

number

The number of packets spanned for the search of the HTTP Header termination string. Enter a number from 1 to 20.


Usage Guidelines

In some environments, URL, cookie strings, or HTTP header information can span over multiple packets. In these environments, the CSS can parse multiple packets for Layer 5 information before making load-balancing decisions. Through the global configuration mode spanning-packets command, the CSS can parse a maximum of 20 packets with a default of 6.

The CSS makes the load-balancing decision as soon as it finds a match and does not require parsing of all of the configured number of spanned packets. Because parsing multiple packets does impose a longer delay in connection, performance can be impacted by longer strings that span multiple packets.
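The packet-spanning search described above, as an added Python example (not CSS code): payloads are accumulated one packet at a time up to the configured limit, the buffer is searched for the HTTP header terminator after each packet, and the search stops at the first match. The request and the packet boundaries are constructed; the Layer 5 fields extracted afterwards (method, URL, cookie) are the ones a content rule would match on.

```python
DEFAULT_SPANNING_PACKETS = 6
MAX_SPANNING_PACKETS = 20
HEADER_END = b"\r\n\r\n"  # HTTP header termination string


def find_header_end(packets, spanning_packets=DEFAULT_SPANNING_PACKETS):
    """Accumulate payloads one packet at a time and search the buffer for the
    header terminator after each one, stopping at the first match.

    Returns (packets_parsed, header_bytes); header_bytes is None when the
    configured number of packets was parsed without finding the terminator.
    """
    if not 1 <= spanning_packets <= MAX_SPANNING_PACKETS:
        raise ValueError("spanning-packets must be between 1 and 20")
    buf = b""
    parsed = 0
    for payload in packets[:spanning_packets]:
        parsed += 1
        buf += payload
        # Searching the whole buffer also finds a terminator split across packets.
        idx = buf.find(HEADER_END)
        if idx != -1:
            return parsed, buf[:idx]
    return parsed, None


def parse_layer5(header):
    """Extract the fields a Layer 5 rule matches on: method, URL and cookie."""
    lines = header.decode("latin-1").split("\r\n")
    method, url = lines[0].split(" ", 2)[:2]
    cookie = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            cookie = value.strip()
    return method, url, cookie


# Constructed sample: one request whose header spans three packets.
SAMPLE_PACKETS = [
    b"GET /catalog/item?id=42 HTTP/1.1\r\nHost: www.example",
    b".com\r\nCookie: session=abc123\r\n",
    b"User-Agent: test\r\n\r\nbody-bytes",
    b"more body",
]

if __name__ == "__main__":
    parsed, header = find_header_end(SAMPLE_PACKETS)
    print("packets parsed:", parsed)
    if header is not None:
        print("layer 5 fields:", parse_layer5(header))
    print("with spanning-packets 2:", find_header_end(SAMPLE_PACKETS, 2))
```

With the default of 6 the decision is made after the third packet; with spanning-packets set to 2 the terminator is never seen and no Layer 5 match is possible for this request.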

Command Modes

Global configuration mode

(config) sshd

To control the Secure Shell Host server, use the sshd command. The options for this global configuration mode command are:

sshd keepalive, enables SSHD keepalive

sshd port..., sets the SSHD port

sshd server-keybits..., sets the number of bits in the server key


Note Disable Telnet access when you want to use the Secure Shell Host (SSH) server.


For more information on these options and associated variables, see the following commands.

Related Commands

(config) restrict telnet

sshd keepalive

To enable SSHD keepalive, use the sshd keepalive command. SSHD keepalive is enabled by default. Use the no form of this command to disable SSHD keepalive.

sshd keepalive
no sshd keepalive

Command Modes

Global configuration mode

sshd port

To set the port number that the server listens to connections from clients, use the sshd port command. Use the no form of this command to reset the port number to the default of 22.

sshd port number
no sshd port

Syntax Description

number

The port number. Enter a number from 22 to 65535. The default is 22.


Command Modes

Global configuration mode

sshd server-keybits

To set the number of bits in the server key, use the sshd server-keybits command. Use the no form of this command to reset the number of bits to the default of 768.

sshd server-keybits number
no sshd server-keybits

Syntax Description

number

The number of bits in the server key. Enter a number from 512 to 32768. The default is 768.


Command Modes

Global configuration mode

(config) ssl-l4-fallback

To disable or re-enable the CSS insertion of the Layer 4 hash value, based on the source IP address and destination address pair, into the sticky table, use the ssl-l4-fallback command. By default, the CSS inserts the Layer 4 hash value into the sticky table.

ssl-l4-fallback disable|enable

Syntax Description

disable

Disables the CSS from inserting the Layer 4 hash value into the sticky table and continues to look for SSL version 3 session IDs

enable

Resets the CSS to its default behavior of inserting a Layer 4 hash value into the sticky table


Usage Guidelines

Insertion of the Layer 4 hash value into the sticky table occurs when more than three frames are transmitted in either direction (client-to-server, server-to-client) or if SSL version 2 is in use on the network. If either condition occurs, the CSS inserts the Layer 4 hash value into the sticky table, overriding the further use of the SSL version 3 session ID.

The ssl-l4-fallback command is only applicable when the (config-owner-content) advanced-balance ssl method is specified for a content rule, which forces the content rule to stick to a server based on SSL version 3 session ID.

The use of the ssl-l4-fallback command may be necessary in a lab environment when testing SSL with a small number of clients and servers, where some retransmissions might occur. In this case, you would not want to use the Layer 4 hash value because it will skew the test results.


Note Do not use the ssl-l4-fallback disable command if SSL version 2 is in use on the network.


Related Commands

(config-owner-content) advanced-balance

(config) ssl associate

To specify an SSL certificate, RSA key or DSA key pair, or Diffie-Hellman parameter association to an imported or generated file, use the ssl associate command. Use the no form of the command to remove an association.

ssl associate association_type association_name filename
no ssl associate association_type association_name

Syntax Description

associate

Associates a certificate, key pair, or Diffie-Hellman parameters to a file.

association_type

The SSL association type. Enter one of the following:

cert, a certificate

rsakey, an RSA key pair

dsakey, a DSA key pair

dhparam, a Diffie-Hellman key exchange parameter file

association_name

The name of the association. Enter a name with a maximum of 31 characters.

filename

The name of the file containing the certificate, key pair or Diffie-Hellman parameters. Enter a filename with a maximum of 128 characters.


Usage Guidelines

After you import or generate certificate and key pair files, you must distinguish to the CSS whether these files contain certificates, private keys, or Diffie-Hellman parameters. You do this by associating certificate names, private/public key pair names, or Diffie-Hellman parameter names to the particular imported files.

When you associate the entries specified in the various certificate and private key commands to files, CSS stores the bindings in the running configuration. Before you log out or reboot the CSS, you must copy the contents of the running-config file to the startup-config file to save configuration changes and have the CSS use this configuration on subsequent reboots. When you reboot the CSS, the certificate and key associations are automatically loaded.

The no form of this command will not function if the association is in use by an active SSL proxy list.

Related Commands

copy ssl
show ssl
(ssl-proxy-list) ssl-server

(config) ssl gen...

To generate certificates, key pairs, or Diffie-Hellman parameter files on the CSS, use the ssl gen command.

ssl gencert certkey certkey signkey signkey certfile "password"
ssl gencsr rsakey
ssl [gendh|genrsa|gendsa] filename numbits "password"

Syntax Description

gencert

Generates and saves a temporary certificate to a file on a CSS disk. For purposes of SSL testing, you may want to generate a temporary certificate by generating a CSR and signing it with your own private key.

certkey certkey

The name of the RSA or DSA key pair that the certificate is based on. Enter an unquoted string with a maximum of 31 characters.

signkey signkey

The RSA or DSA key pair to be used to sign the certificate. Enter an unquoted string with a maximum of 31 characters.

certfile

The name of the file used to store the certificate as a file on the CSS disk. Enter an unquoted string with a maximum of 31 characters.

"password"

The password used to DES encode the certificate file before it is stored as a file on the CSS disk. Encoding the file prevents unauthorized access to the imported certificate and private key on the disk. Enter the password as a quoted string. The password appears in the CSS running configuration as a DES-encoded string.

gencsr rsakey

Generates a Certificate Signing Request (CSR) file for an RSA key pair file, and transfers the certificate request to the Certificate Authority (CA). You must generate a CSR file if you are requesting a new certificate or renewing a certificate. When the CA signs the CSR, using its RSA private key, the CSR becomes the certificate.

The rsakey variable specifies the key that the RSA certificate is built on. It is the public key that is embedded in the certificate.

The RSA key pair must already be loaded on the CSS, and you must associate an RSA key pair name to the generated RSA key pair. If the appropriate key pair does not exist, the CSS logs an error message.

gendh

Generates a Diffie-Hellman key agreement parameter file. Diffie-Hellman is a shared key agreement algorithm. Diffie-Hellman key exchange uses a complex algorithm and public and private keys to encrypt and then decrypt packet data. The CSS disk stores the generated parameters as a file.

gendsa

Generates a DSA private/public key pair for asymmetric encryption. DSA is the public key cryptographic system developed by the National Institute of Standards and Technology. DSA can only be used for digital signatures (signings) but not for key exchange. The CSS disk stores the generated DSA key pair as a file.

genrsa

Generates an RSA private/public key pair for asymmetric encryption. RSA key pairs are used to sign and encrypt packet data, and are a requirement before another device (client or Web server) can exchange an SSL certificate with the CSS. The key pair refers to a public key and its corresponding private (secret) key. The CSS stores the generated RSA key pair as a file.

filename

The name of the key or key pair file. Enter a name with a maximum of 31 characters. The filename is used only for identification in the CSS.

numbits

The key strength. The number of bits in the file defines the size of the key or key pair used to secure Web transactions. Longer keys produce a more secure implementation by increasing the strength of the DSA security policy. Available selections in bits are:

512, least security

768, normal security

1024, high security

2048, highest security (not available for use with the gendsa option)


Usage Guidelines

Generate keys and certificates on the CSS for purposes of testing. The ssl gen command allows you to generate a private key (RSA, DSA), a Diffie-Hellman parameter file, a certificate signing request (CSR), and a self-signed temporary certificate. This command also compares the public key in the certificate with the public key stored with the private key and verifies that they are the same.

The ssl genrsa, gencsr, gendsa, and gencert commands all produce a valid certificate or key pair (primarily useful for testing purposes). Be aware that most Web browsers will flag the certificate as signed by an unrecognized signing authority.

The ssl gencert command can sign RSA or DSA certificates with either an RSA key pair or a DSA key pair. You generate the certificate based on:

The key pair that the certificate is based on (RSA or DSA)

The key used to sign the certificate

Generation of a Diffie-Hellman key agreement parameter file can sometimes take a lengthy period of time (perhaps a maximum of 20 minutes) and is a CPU-intensive utility. If you use the ssl gendh command, ensure that the CSS is not actively passing traffic at the same time to avoid impacting CSS performance. For detailed information on using this ssl command and options, refer to the Cisco Content Services Switch Advanced Configuration Guide.

Related Commands

show ssl

(config) ssl verify

To verify a certificate against a key pair, use the ssl verify command. A digital certificate is built around a public key, and it can only be used with one key pair. Use this command to compare the public key in the associated certificate with the public key stored with the associated private key, and verify that they are both the same.

ssl verify certname keyname

Syntax Description

certname

The association name of the certificate used to verify against the specified key pair

keyname

The association name of the key pair used to verify against the specified certificate


Usage Guidelines

If the certificate does not match the public and private key pair, the CSS logs an error message.

(config) ssl-proxy-list

To access SSL proxy list configuration mode and configure an SSL proxy configuration list, use the ssl-proxy-list command. An SSL proxy configuration list is a group of related virtual SSL servers that are associated with an SSL service. The SSL modules in the CSS use these servers to properly process and terminate SSL communications between the client and the Web server.

In global configuration mode, use the no form of this command to delete an existing list.

ssl-proxy-list name
(config) no ssl-proxy-list name

Syntax Description

name

The name of a new SSL proxy list you want to create or an existing list you want to modify. Enter an unquoted text string with no spaces and a maximum length of 31 characters. To see a list of existing names, enter:

#(config) ssl-proxy-list ? 

Usage Guidelines

You can access the ssl-proxy-list configuration mode from any configuration mode except for the ACL, boot, group, RMON, or owner configuration modes. When you use the ssl-proxy-list command to access this mode, the prompt changes to (ssl-proxy-list [name]). For information about commands available in this mode, see "SSL-Proxy-List Configuration Mode Commands".


Note You cannot delete an SSL proxy list if an SSL service is in use and contains the active SSL proxy list. You must first suspend the SSL service to delete a specific list.


(config) tacacs-server

To configure the CSS as a client of a TACACS+ server, authenticate users, and authorize and account for configuration and nonconfiguration commands, use the tacacs-server command. The options for this command are:

tacacs-server ip_address port..., defines a TACACS+ server

tacacs-server account..., enables the TACACS+ server to receive accounting reports for CSS commands

tacacs-server authorize..., enables the TACACS+ server to authorize CSS commands

tacacs-server key..., defines a global encryption key

tacacs-server timeout..., sets the global CSS TACACS+ timeout period

For information about these options and any associated variables, see the tacacs-server commands in this section.

tacacs-server ip_address port

To define a TACACS+ server, use the tacacs-server ip_address port command. You must provide the IP address and port number for the server. You can optionally define the timeout period and encryption key, and designate the server as the primary server. Use the no form of this command to remove the server.

tacacs-server ip_address port {timeout ["cleartext_key"|des_key]} {primary}
no tacacs-server ip_address port

Syntax Description

ip_address

The IP address of the TACACS+ server. Enter the IP address in dotted-decimal format.

port

The TCP port of TACACS+ server. The default port is 49. You can enter a port number from 1 to 65535.

timeout

The amount of time to wait for a response from the server. Enter a number from 1 to 255. The default is 5 seconds. Defining this option overrides the tacacs-server timeout command.

"cleartext_key"|des_key

The shared secret between the CSS and the server. You must define an encryption key to encrypt TACACS+ packet transactions between the CSS and the TACACS+ server. If you do not define an encryption key, packets are not encrypted.

The shared secret value is identical to the one on the TACACS+ server. The shared secret key can be either clear text entered in quotes or the DES encrypted secret entered without quotes. The clear text key is DES encrypted before it is placed in the running configuration. Either key type can have a maximum of 100 characters.

Defining this option overrides the tacacs-server key command.

primary

Assigns the TACACS+ server precedence over the other configured servers. You can specify only one primary server.


Command Modes

Global configuration mode

Usage Guidelines

To change the timeout period or encryption key for a specific TACACS+ server, you must delete the server and then redefine it with the updated parameter.

After configuring the TACACS+ server, enable TACACS+ authentication for console and virtual logins (if the user and password pair is not in the local user database) through the (config) console authentication and (config) virtual authentication commands.


Note The TACACS+ server must be configured before defining the server on the CSS.


Related Commands

show tacacs-server
(config) console authentication
(config) virtual authentication

tacacs-server account

To enable the TACACS+ server to receive accounting reports for all commands that change or do not change the CSS running configuration, use the tacacs-server account command. Use the no form of this command to disable accounting.

tacacs-server account config|non-config
no tacacs-server account config|non-config

Syntax Description

config

Enables the TACACS+ server to receive accounting reports for all commands that change the running configuration

non-config

Enables the TACACS+ server to receive accounting reports for all commands that do not change the running configuration


Usage Guidelines

TACACS+ accounting allows the TACACS+ server to receive an accounting report for commands that the user can execute. CSS accounting divides the command set into two categories:

Configuration commands that change the CSS running configuration.

Nonconfiguration commands that do not change the running configuration. These commands include, but are not limited to, mode transition commands, show commands, and administrative commands.

By default, the CSS disables accounting. When you enable accounting, you can account for configuration commands, nonconfiguration commands, or both.


Note Failure of the TACACS+ server does not result in the suspension of user activity.


Related Commands

show tacacs-server

tacacs-server authorize

To enable the TACACS+ server to authorize commands that change or do not change the CSS running configuration, use the tacacs-server authorize command. Use the no form of this command to disable authorization.

tacacs-server authorize config|non-config
no tacacs-server authorize config|non-config

Syntax Description

config

Enables authorization of all commands that change the running configuration

non-config

Enables authorization of all commands that do not change the running configuration


Usage Guidelines

TACACS+ authorization allows the TACACS+ server to control specific CSS commands that the user can execute. CSS authorization divides the command set into two categories:

Configuration commands that change the CSS running configuration.

Nonconfiguration commands that do not change the running configuration. These commands include, but are not limited to, mode transition, show, and administrative commands.

By default, authorization is disabled. When authorization is enabled, the TACACS+ server is responsible for granting permission or denying all attempts to execute commands. When you enable authorization, the exchange between the TACACS+ server and the CSS causes a delay in executing the command.


Note Failure of the TACACS+ server results in the failure of all authorization requests and the suspension of user activity unless another server is reachable. To enable users to execute commands in this case, configure a failover authentication method to a local user database. Users will need to log back into the CSS.


Related Commands

show tacacs-server

tacacs-server key

To specify a global shared secret between the CSS and the server, use the tacacs-server key command. Use the no form of this command to remove the global key.

tacacs-server key ["cleartext_key"|des_key]
no tacacs-server key

Syntax Description

"cleartext_key"|des_key

The shared secret between the CSS and the server. You must define an encryption key to encrypt TACACS+ packet transactions between the CSS and the TACACS+ server. If you do not define an encryption key, packets are not encrypted.

The shared secret value is identical to the one on the TACACS+ server. The shared secret key can be either clear text entered in quotes or the DES encrypted secret entered without quotes. The clear text key is DES encrypted before it is placed in the running configuration. Either key type can have a maximum of 100 characters.


Command Modes

Global configuration mode

Usage Guidelines

The CSS allows you to define a global encryption key for communications with all configured TACACS+ servers. To encrypt TACACS+ packet transactions between the CSS and the TACACS+ server, you must define an encryption key. If you do not define an encryption key, packets are not encrypted. The key is a shared secret value that is identical to the one on the TACACS+ server.

A shared secret defined when specifying a TACACS+ server overrides the global secret. See the tacacs-server ip_address port command.

Related Commands

show tacacs-server

tacacs-server timeout

To define the global timeout period for use with all configured TACACS+ servers, use the tacacs-server timeout command. Use the no form of the command to reset the timeout period to its default of 5 seconds.

tacacs-server timeout seconds
no tacacs-server timeout

Syntax Description

seconds

The amount of time to wait for a response from the server. Enter a number from 1 to 255. The default is 5 seconds.


Usage Guidelines

To determine the availability of the TACACS+ servers, the CSS sends periodic keepalive probes to them. If the server does not respond to the probe within the timeout period, the CSS considers the server unavailable.

If the CSS attempts to contact the server and does not receive a response within the defined timeout value, it will use another server. The next configured server is contacted and the process repeated. If a second (or third) TACACS+ server has been identified, that server is selected as the active server.

If the CSS cannot reach all three TACACS+ servers, users will not be authenticated and cannot log into the CSS unless TACACS+ is used in combination with a RADIUS or local server, as defined through the (config) console authentication command or the (config) virtual authentication command.
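The server selection and timeout behaviour described for the tacacs-server commands, as an added Python model (not CSS code): each configured server's effective timeout and key are resolved (a per-server value overrides the global one), the primary server is contacted first, and the first server that answers within its timeout becomes the active server. The limit of three servers follows the wording above and is an assumption; the response times are constructed, and a helper lists servers that would run without a key, that is, unencrypted.

```python
GLOBAL_TIMEOUT_DEFAULT = 5   # seconds, the tacacs-server timeout default
MAX_SERVERS = 3              # the reference speaks of up to three servers (assumption)


def effective_servers(servers, global_timeout=GLOBAL_TIMEOUT_DEFAULT, global_key=None):
    """Resolve each configured server's effective timeout and key and order
    them for contact: the primary server first, then configuration order.

    servers is a list of constructed dicts with keys ip, port and the
    optional keys timeout, key and primary.
    """
    if len(servers) > MAX_SERVERS:
        raise ValueError("at most %d TACACS+ servers" % MAX_SERVERS)
    if sum(1 for s in servers if s.get("primary")) > 1:
        raise ValueError("only one server may be primary")
    ordered = ([s for s in servers if s.get("primary")]
               + [s for s in servers if not s.get("primary")])
    resolved = []
    for s in ordered:
        timeout = s.get("timeout", global_timeout)   # per-server value overrides global
        key = s.get("key", global_key)               # per-server key overrides global key
        port = s.get("port", 49)
        if not 1 <= timeout <= 255:
            raise ValueError("timeout must be 1..255 seconds")
        if not 1 <= port <= 65535:
            raise ValueError("port must be 1..65535")
        if key is not None and len(key) > 100:
            raise ValueError("key is limited to 100 characters")
        resolved.append({"ip": s["ip"], "port": port, "timeout": timeout, "key": key})
    return resolved


def unencrypted_servers(servers, global_key=None):
    """Servers that would exchange TACACS+ packets with no key, i.e. unencrypted."""
    return [s["ip"] for s in effective_servers(servers, global_key=global_key)
            if s["key"] is None]


def select_server(servers, response_times, global_timeout=GLOBAL_TIMEOUT_DEFAULT,
                  global_key=None):
    """Contact servers in order; the first one that answers within its
    effective timeout becomes the active server. response_times is a
    constructed dict ip -> seconds to answer (None means no answer).
    Returns the chosen ip, or None when every server is unreachable."""
    for s in effective_servers(servers, global_timeout, global_key):
        elapsed = response_times.get(s["ip"])
        if elapsed is not None and elapsed <= s["timeout"]:
            return s["ip"]
    return None   # no server reachable: TACACS+ alone cannot authenticate anyone


# Constructed sample configuration: one server with its own key, a primary
# with a short timeout, and a third with a long timeout.
SERVERS = [
    {"ip": "192.0.2.10", "port": 49, "key": "server-ten-secret"},
    {"ip": "192.0.2.11", "port": 49, "timeout": 2, "primary": True},
    {"ip": "192.0.2.12", "port": 49, "timeout": 10},
]
# Constructed probe results: the primary is slow, the second never answers.
RESPONSE_TIMES = {"192.0.2.11": 3, "192.0.2.10": None, "192.0.2.12": 4}

if __name__ == "__main__":
    print("contact order:", [s["ip"] for s in effective_servers(SERVERS)])
    print("unencrypted without a global key:", unencrypted_servers(SERVERS))
    print("active server:", select_server(SERVERS, RESPONSE_TIMES))
```

The primary server answers in 3 seconds but its own timeout is 2, so it is skipped along with the silent second server; the third server answers within its 10-second timeout and becomes active. Without a global key, two of the three servers would run unencrypted, which is the check worth running on any configuration before relying on it.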


Note The timeout period defined when specifying a TACACS+ server overrides the global timeout period. See the tacacs-server ip_address port command.


Related Commands

show tacacs-server

(config) urql

To access Uniform Resource Locator Qualifier List (URQL) configuration mode and configure a URQL, use the urql command. Use the no form of this command to delete an existing URQL.

urql urql_name
no urql existing_urql_name

Syntax Description

urql_name

The name of a new URQL you want to create or of an existing list. Enter an unquoted text string with no spaces and a maximum length of 31 characters. To see a list of existing URQL names, enter:

urql ?

Usage Guidelines

A URQL is a collection of URLs for content requests that you can associate to one or more content rules. The CSS uses this list to identify which requests to send to a service.

You cannot configure a URQL with subscriber services.

You can access this mode from any configuration mode except ACL, boot, group, keepalive, and owner configuration modes. The prompt changes to (config-urql [name]). You can also use this command from URQL mode to access another URQL. For information about commands available in this mode, see "URQL Configuration Mode Commands".

(config) username

To configure a local username and its password for logging into the CSS, and allow it to access SuperUser mode, use the username command. Use the no form of this command to delete an existing username.

username name [encrypted-password password {superuser}
  |password password {superuser}{dir-access access}
  |des-password password {superuser}{dir-access access}]

no username name

Syntax Description

name

The username you want to assign or change. Enter an unquoted text string with no spaces and a maximum of 16 characters. To see a list of existing usernames, enter:

username ?

des-password

Specifies that the password is Data Encryption Standard (DES) encrypted. Use this option only when you are creating a file for use as a script or a startup configuration file.

encrypted-password

Specifies that the password is encrypted. Use this option only when you are creating a file for use as a script or a startup configuration file.

password

Specifies that the password is not encrypted. Use this option when you dynamically use the CLI to create new users.

password

The password. Enter an unquoted text string with no spaces and a length of 6 to 16 characters. A DES password can have a length of 6 to 64 characters.

When you enter a password with the des-password or encrypted-password keyword, the CSS encrypts the password. Use the show running-config command to view the encrypted password in the running configuration. You must use the encrypted form of the password to log in to the CSS.

superuser

Optionally allows this user to access SuperUser mode. If you do not enter this option, the user can only access User mode.

dir-access

Optionally defines the CSS directory access levels. By default, the CSS assigns users with read and write access to the directories.

Changing the access level also affects the use of the CLI commands associated with the directories.

access

The access levels for the CSS script, log, root, archive, release root, core, and MIB directories, in this order. Sequentially enter one of the following levels for each of the directories:

N, no access to the directory

B, read and write access

W, write access

R, read access

For example, to allow no access for the root and release root directories but read and write access for all other directories, enter BBNBNBB.

Note that the release root directory contains the configuration files. The root directory contains the installed CSS software.
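The dir-access encoding above, as an added Python example (not CSS code): a parser that maps the seven-character string onto the directories in the order the reference gives, a builder that produces the string from the directories you want to restrict (unnamed directories keep the read-and-write default), and a check that answers whether a given string permits a read or write on a directory. The directory names are taken from the reference; the lower-privilege example string is constructed.

```python
# Directory order in which the access string is read, per the reference.
DIRECTORIES = ("script", "log", "root", "archive", "release root", "core", "mib")
LEVELS = {"N": "no access", "B": "read and write", "W": "write", "R": "read"}


def parse_dir_access(access):
    """Map a 7-character access string to a directory -> level dict."""
    if len(access) != len(DIRECTORIES):
        raise ValueError("dir-access needs exactly %d characters" % len(DIRECTORIES))
    levels = {}
    for directory, level in zip(DIRECTORIES, access.upper()):
        if level not in LEVELS:
            raise ValueError("unknown access level %r" % level)
        levels[directory] = level
    return levels


def build_dir_access(levels):
    """Build the access string from a dict of directory -> level letter.
    Directories not named keep the CSS default of read and write (B)."""
    unknown = set(levels) - set(DIRECTORIES)
    if unknown:
        raise ValueError("unknown directories: %s" % sorted(unknown))
    access = "".join(levels.get(d, "B").upper() for d in DIRECTORIES)
    parse_dir_access(access)   # rejects letters outside N/B/W/R
    return access


def permits(access, directory, operation):
    """True when the access string allows 'read' or 'write' on directory."""
    level = parse_dir_access(access)[directory]
    if level == "B":
        return True
    return (operation == "read" and level == "R") or (operation == "write" and level == "W")


# The reference's example: no access to root and release root, B elsewhere.
REFERENCE_EXAMPLE = build_dir_access({"root": "N", "release root": "N"})

# Constructed lower-privilege profile: read-only on script, log, archive and
# MIB directories, no access to root, release root and core.
READ_ONLY_OPERATOR = build_dir_access({
    "script": "R", "log": "R", "root": "N", "archive": "R",
    "release root": "N", "core": "N", "mib": "R",
})

if __name__ == "__main__":
    print(REFERENCE_EXAMPLE, parse_dir_access(REFERENCE_EXAMPLE))
    print(READ_ONLY_OPERATOR, parse_dir_access(READ_ONLY_OPERATOR))
    print("operator may write log?", permits(READ_ONLY_OPERATOR, "log", "write"))
```

Building the string from a dict rather than typing it by hand avoids the easy mistake of placing a letter in the wrong position, which silently grants or denies access to the wrong directory.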


Usage Guidelines

If the (config) restrict user-database command is entered, only a user with administrative or technician privileges can use the username command.

The CSS can support a maximum of 32 usernames including the administrator and technician usernames. It ships with a default username of admin and password of system.

You cannot permanently delete an administrative username and password. If you delete this username by using the no username command, it removes it from use until you reboot the CSS. When you reboot the CSS, it restores the username and password from NVRAM.

Related Commands

show running-config
show user-database
(config) restrict

(config) username-offdm

To change the administrative username and password without having to use the Offline DM menu, use the username-offdm command. The CSS ships with a default administrative username of admin and password of system.

username-offdm name password password

Syntax Description

name

The username you want to assign as the administrative username. Enter an unquoted text string with no spaces and a maximum of 16 characters. The CSS does not allow you to set the administrative username to the same name as the technician username.

password

The password. Enter an unquoted text string with no spaces and a length of 6 to 16 characters.


Usage Guidelines

Unlike other usernames and passwords, the CSS saves the administrative username and password in nonvolatile RAM (NVRAM). When you reboot the CSS, it reads the username and password from NVRAM and reinserts them into the user database.


Note You cannot permanently delete an administrative username and password. If you delete the username by using the no username command, it removes it from use until you reboot the CSS. When you reboot the CSS, it restores the username and password from NVRAM.


(config) username-technician


Caution This command is for use by technical personnel only. The technician user is created primarily for CSS troubleshooting and should not be used for normal CSS administrative tasks.

A technician user has access to all directories in the WebNS directory structure in the CSS. This user can remove or copy valuable system files (including encrypted certificates or keys in a CSS 11503 or CSS 11506 containing an SSL module). The removing of system files could make the CSS unusable.

To set the technician username and password without having to use the Technician Offline DM menu, use the username-technician command.

username-technician name password password

Syntax Description

name

The username you want to assign as the technician username. Enter an unquoted text string with no spaces and a maximum of 16 characters. The CSS does not allow you to set the technician username to the same name as the administrative username.

password

The password. Enter an unquoted text string with no spaces and a length of 6 to 16 characters.


(config) virtual authentication

To configure the primary, secondary, or tertiary virtual authentication on the CSS, use the virtual authentication command. Use this command to require users to enter a username and password to remotely log in to the CSS.

virtual authentication [primary|secondary|tertiary [local|radius|tacacs|disallowed]]

Syntax Description

primary

Defines the first authentication method that the CSS uses. The default primary virtual authentication method is the local user database.

secondary

Defines the second authentication method that the CSS uses if the first method fails. The default secondary virtual authentication method disallows all user access.

If you are configuring a TACACS+ server as the primary authentication method, define a secondary authentication method, such as local.

tertiary

Defines the third authentication method that the CSS uses if the second method fails. The default tertiary virtual authentication method disallows all user access.

local

The CSS uses the local user database for authentication.

radius

The CSS uses the configured RADIUS server for authentication.

tacacs

The CSS uses the configured TACACS+ server for authentication.

disallowed

The CSS denies access to all remote users. Entering this option does not terminate existing connections.

To remove users currently logged into the CSS, use the disconnect command.


Usage Guidelines

Virtual authentication allows remote users to log into the CSS through FTP or Telnet with or without requiring a username and password. The CSS can also deny access to all remote users.

You can configure the CSS to authenticate users by using the local database, RADIUS server, or TACACS+ server. By default, the CSS uses the local database as the primary method to authenticate users and disallows user access for the secondary and tertiary methods.

Before you can use RADIUS or TACACS+ as the virtual authentication method, you must enable communication with the RADIUS or TACACS+ security server. Use either the (config) radius-server command or the (config) tacacs-server command.
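The following is an added example, not Cisco's code: a small Python checker that reads the virtual authentication lines from a CSS configuration excerpt, applies the defaults documented above (primary local, secondary and tertiary disallowed), and reports the order in which methods are tried. It flags a chain whose first method is a remote server with no local method ahead of disallowed, which the command reference advises against for TACACS+; extending the same check to RADIUS is this example's own assumption, as is the constructed sample configuration.

```python
import re

LEVELS = ("primary", "secondary", "tertiary")
# Defaults documented for the virtual authentication command.
DEFAULTS = {"primary": "local", "secondary": "disallowed", "tertiary": "disallowed"}
LINE_RE = re.compile(
    r"^\s*virtual authentication (primary|secondary|tertiary) "
    r"(local|radius|tacacs|disallowed)\s*$"
)


def parse_chain(config_text):
    """Return {level: method} for the config text, with defaults filled in.
    Lines for other commands (for example console authentication) are ignored."""
    chain = dict(DEFAULTS)
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            chain[m.group(1)] = m.group(2)
    return chain


def effective_order(chain):
    """Methods in the order the CSS tries them; 'disallowed' ends the chain
    because no later method is reached once access is denied."""
    order = []
    for level in LEVELS:
        order.append(chain[level])
        if chain[level] == "disallowed":
            break
    return order


def lockout_risk(chain):
    """Return a warning string if a remote server is tried first and no local
    method is configured before the chain falls to 'disallowed', else None."""
    order = effective_order(chain)
    if order[0] in ("radius", "tacacs") and "local" not in order:
        return ("primary %s has no local fallback: if it fails, the chain "
                "falls to disallowed and all remote logins are denied" % order[0])
    return None


# Constructed running-config excerpt: TACACS+ primary, secondary left at default.
SAMPLE_CONFIG = """\
virtual authentication primary tacacs
console authentication primary local
"""

if __name__ == "__main__":
    chain = parse_chain(SAMPLE_CONFIG)
    print(effective_order(chain), lockout_risk(chain))
```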

Related Commands

show user-database
(config) console authentication
(config) radius-server
(config) restrict
(config) tacacs-server

(config) vrrp-backup-timer

To specify the time interval in seconds that the backup CSS waits to assume mastership when the master CSS goes down, use the vrrp-backup-timer command. Use the no form of this command to reset the timer to the default value of 3 seconds.

vrrp-backup-timer wait_time
no vrrp-backup-timer

Syntax Description

wait_time

The interval in seconds. Enter an integer from 3 to 120 seconds. The default is 3 seconds.


Usage Guidelines

Timer values greater than the 3-second default cause longer failover times. Use the vrrp-backup-timer command only in environments where the CPU utilization on the CSS is close to 100 percent.

After you set the timer value, you need to re-enter the (config-circuit-ip) redundancy-protocol command on the redundant circuit between the CSSs for the new timer value to take effect.


Note If you intend to use the commit_redundancy script to synchronize your redundant configuration, be sure to specify the -a argument in the script play command to ensure that the script copies the timer configuration setting from the master CSS to the backup CSS.


Related Commands

script play
(config-circuit-ip) redundancy-protocol

(config) web-mgmt state

To allow or deny client access to the XML HTTP server running on the CSS, use the web-mgmt state command.

web-mgmt state [disable|enable]

Syntax Description

disable

Denies client access to the HTTP server on the CSS. Performs the same function as the restrict xml command.

enable

Allows client access to the HTTP server on the CSS. Performs the same function as the no restrict xml command.


Usage Guidelines

The web-mgmt state command performs the same function as the (config) restrict xml command and its no form. Note that when you use this command, it does not appear in the configuration file. Instead, the (config) restrict xml command or its no form appears in the configuration file.

When XML is enabled, the CSS listens for XML connections on port 80.

Related Commands

(config) restrict