CSS Command Reference (Software Version 7.40)
Global Configuration Mode Commands (L through Z)
Downloads: This chapterpdf (PDF - 772.0KB) The complete bookPDF (PDF - 5.06MB) | Feedback

(config) load

Table Of Contents

(config) load

load absolute-sensitivity

load ageout-timer

load calculation

load reporting

load step

load teardown-timer

load threshold

(config) logging

logging buffer

logging commands enable

logging disk

logging host

logging line

logging sendmail

logging subsystem

logging to-disk

show log-state
(config) logging buffer
(config) no logging disk
(config) logging subsystem(config) no

(config) noflow-portmap

(config) nql

(config) ospf

ospf advertise

ospf area

ospf as-boundary

ospf default

ospf enable

ospf equal-cost

ospf range

ospf redistribute

ospf router-id

(config) owner

(config) persistence reset

(config) prelogin-banner

(config) proximity

proximity cache-remove

proximity cache-size

proximity db

proximity probe rtt interval

proximity probe rtt method

proximity probe rtt metric-weighting

proximity probe rtt samples

proximity probe rtt tcp-ports

proximity ttl

(config) radius-server

radius-server dead-time

radius-server primary

radius-server retransmit

radius-server secondary

radius-server source interface

radius-server timeout

(config) replication file-error

(config) reporter

(config) restrict

(config) rip

rip advertise

rip equal-cost

rip redistribute

(config) rmon-alarm

(config) rmon-event

(config) rmon-history

(config) service

(config) setspan

(config) snmp

snmp auth-traps

snmp community

snmp contact

snmp location

snmp name

snmp reload-enable

snmp trap-host

snmp trap-source

snmp trap-type enterprise

snmp trap-type generic

(config) sntp

(config) spanning-packets

(config) sshd

sshd keepalive

sshd port

sshd server-keybits

(config) ssl-l4-fallback

(config) ssl associate

(config) ssl crl-record

(config) ssl gencert

(config) ssl gencsr

(config) ssl gendh

(config) ssl gendsa

(config) ssl genrsa

(config) ssl verify

(config) ssl-proxy-list

(config) tacacs-server

tacacs-server ip_address port

tacacs-server account

tacacs-server authorize

tacacs-server frequency

tacacs-server key

tacacs-server send-full-command

tacacs-server timeout

(config) tcp-ip-fragment-enabled

(config) udp-ip-fragment-enabled

(config) urql

(config) username

(config) username-offdm

(config) username-technician

(config) virtual authentication

(config) vrrp-backup-timer

(config) web-mgmt state

(config) zero flow-state-counters


(config) load

To configure global load parameters for the eligibility and ineligibility of CSS services, use the load command. Load is a measurement of a service's ability to handle flows. There are two types of loads: relative load and absolute load.

The CSS calculates relative load by using the variances in normalized response times for each service. You can adjust relative load calculations by changing the load step size, which is the difference in milliseconds between load numbers. The CSS can determine the load step size dynamically or you can configure it.

Absolute load takes into account the actual observed load on a service and allows you to configure the response times that correlate with values within the CSS load number scale. Unlike the relative load number scale, where all the load numbers between 2 and 254 represent equal steps or increases in response times, absolute load creates 16 different divisions or ranges within the CSS load number scale. Ranges are groups of consecutive load numbers that share a common step size (delta) between numbers. For more information on relative load and absolute load, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.

The load on a service has a range from 2 to 255, with an eligible load state from 2 to 254. An eligible service is an active service that can receive flows. A service with a lower load receives more flows than a service with a higher load. When a service initially comes up, its load value is 2. A load of 255 indicates that the service is down, as detected through the keepalive.

The load command has the following options:

load absolute-sensitivity - Sets the maximum response time upper boundary and the step size of the absolute load number scale

load ageout-timer - Sets the time interval after which load information for a service is considered stale and the service load is reset to 2

load calculation - Sets the method (relative or absolute) that the CSS uses to assign load numbers to all configured services

load reporting - Enables the CSS to generate teardown reports and derive load numbers

load step - Sets the load step of the relative load number scale

load teardown-timer - Sets the maximum time for the CSS before sending a teardown report

load threshold - Sets the load threshold for a service, determining its eligibility to receive flows

For more information on these options and associated variables, see the following commands.

load absolute-sensitivity

To set the maximum response time upper boundary and the step size of the absolute load number scale, use the load absolute-sensitivity command. Use the no form of this command to set the absolute load sensitivity to the default of 21.

load absolute-sensitivity number

no load absolute-sensitivity

Syntax Description

number

Sensitivity of the absolute load number scale. Enter an integer from 1 to 25. The default is 21.


Command Modes

Global configuration mode

Usage Guidelines

Increasing the load absolute-sensitivity value increases the maximum response time upper boundary and the absolute load number scale step size (granularity), which reduces the load value for a given service response time. Conversely, decreasing the load absolute-sensitivity value decreases the maximum response time upper boundary and the absolute load number scale step size (granularity), which increases the load value for a given service response time.

For number values from 1 to 20, the absolute load number ranges are linear, which means that the step sizes are equal among all the ranges. For values from 21 to 25, the ranges are nonlinear, which means different ranges have different step sizes that increase as the range number increases.

Related Commands

show load
(config)
load calculation
(config)
dns-peer load-variance
(config) dns-server zone

load ageout-timer

To set the time interval in seconds in which stale load information for a service is aged out, use the load ageout-timer command. Use the no form of this command to set the ageout time to the default of 60.

load ageout-timer seconds

no load ageout-timer

Syntax Description

seconds

Number of seconds to age out load information for a service. Enter an integer from 0 to 1000000000. The default is 60. The value of 0 disables the timer.


Command Modes

Global configuration mode

Usage Guidelines

When the ageout timer interval expires, the CSS erases the load information and resets the service load to 2. Load information is stale when the teardown report number recorded on a service has not incremented during the ageout time interval because no flows (long or short) are being torn down on the service.

At the beginning of the time interval, the ageout timer saves the number of the current teardown report. When the CSS generates a new teardown report, the report number in the CSS increments, and any services in the report saves this number. At the end of the ageout time interval, the CSS compares the initial teardown number saved at the beginning of the time interval with the current teardown number saved by each service. If the number of a service is less than or equal to the timer number, the load information is stale. The CSS erases it and resets the service load to 2.

Related Commands

show load
(config)
load reporting

load calculation

To set the method that the CSS uses to assign load numbers to all configured services, use the load calculation command. Use the no form of this command to set the load calculation method to the default of relative.

load calculation relative|absolute

no load calculation

Syntax Description

relative

The CSS assigns load numbers to services based on a comparison with the fastest service.

absolute

The CSS assigns load numbers to services based on pure response times.


Command Modes

Global configuration mode

Usage Guidelines

The default behavior of a CSS is to use the relative load calculation method when assigning loads to services. With relative load, the CSS takes the service with the fastest response time and then compares all other services configured on the CSS with that service. Relative load may suffice in situations where load is not critical to your application and you are generally satisfied with service load assignments.

Consider using absolute load instead of relative load when you have a single CSS serving multiple applications, or when you are using GSLB to balance between multiple CSSs. Absolute load takes into consideration the actual load and response times of all the services in your configuration and fits them into the CSS absolute load number scale. For more information, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.


Note You must configure the load reporting command to enable the CSS to derive loads on services.


Related Commands

show load
(config)
load absolute-sensitivity
(config)
dns-peer load-variance
(config) dns-server zone

load reporting

To enable the CSS to generate teardown reports and derive load numbers, use the load reporting command. A teardown report is a summary of response times for services when flows are being torn down. The CSS uses the teardown report to derive the load number for a service. Use the no form of this command to disable load reporting.

load reporting

no load reporting

Command Modes

Global configuration mode

Related Commands

show load

load step

To set the difference in milliseconds between load numbers, use the load step command. Use the no form of this command to set the load step to the default of 10.

load step msec [dynamic|static]

no load step

Syntax Description

msec

Load step in milliseconds. Enter an integer from 1 to 1000000000. The default is 10.

dynamic

Sets the initial load step. The CSS modifies it after the CSS collects sufficient response time information from the services.

static

Sets a constant load step. This option disables the dynamic calculations made by the CSS.


Command Modes

Global configuration mode

Usage Guidelines

Eligible load numbers have a range from 2 to 254. By default, the CSS dynamically calculates the load step as it accumulates minimum and maximum response times for the services.

When you configure the load step to reduce the flows to a slower service, consider the differences in response times between services. For example:

Increasing the load step causes the load for services to be closer to each other, thus increasing the number of flows to a slower service.

Decreasing the load step causes the load for services to be further from each other, thus decreasing the flows to a slower service.

Related Commands

show load
(config)
load reporting

load teardown-timer

To set the maximum time between teardown reports, use the load teardown-timer command. Use the no form of this command to reset the teardown time interval to its default of 20 seconds.

load teardown-timer seconds

no load teardown-timer

Syntax Description

seconds

Number of seconds between teardown reports. Enter an integer from 0 to 1000000000. The default is 20. The value of 0 disables the timer.


Command Modes

Global configuration mode

Usage Guidelines

A teardown report is a summary of response times for services when flows are being torn down. The CSS uses the teardown report to derive the load number for a service. When the CSS has sufficient teardown activity for a service, it generates a teardown report and the teardown timer is reset. If a teardown report is not triggered at the end of the teardown timer interval due to insufficient activity, the CSS generate a teardown report based on the current activity. If there is no activity, no report is generated and the timer resets.


Note The teardown timer is overridden when a service is reset. After 10 teardown reports are recorded, the timer is reset to its configured value.


Related Commands

show load
(config)
load reporting

load threshold

To define the global load number that the CSS uses to determine if a service is eligible to receive flows, use the load threshold command. Use the no form of this command to set the load threshold to the default of 254.

load threshold number

no load threshold

Syntax Description

number

Threshold number. Enter a number from 2 to 254. The default is 254.


Command Modes

Global configuration mode

Usage Guidelines

If you do not configure a load threshold for the content rule with the (config-owner-content) load-threshold command, the rule inherits this global load threshold.

If the service load exceeds the threshold, the service becomes ineligible to receive flows until its load information is stale. Information is stale when the teardown report number recorded on a service has not incremented during the ageout time interval.

Related Commands

show load
(config)
load ageout-timer

(config) logging

Use the logging command to:

Select a CSS subsystem and determine which activities to log

Determine where to send the log activity

Set the size of the disk buffer, if applicable

By default, the sys.log file on the CSS disk contains the Notice-level activities for all CSS subsystems. The options for this global configuration mode command are:

logging buffer - Sets the size of the disk buffer

logging commands enable - Enables the logging of CLI commands

logging disk - Sends the log activity to a new or existing file on the disk

logging host - Sends the log activity to a host

logging line - Sends the log activity to an active session

logging sendmail - Sends logging messages to an e-mail address

logging subsystem - Selects a CSS subsystem and determine which activities to log

logging to-disk - Disables logging to the sys.log file on the CSS disk

For more information on these options and associated variables, see the following commands.

Related Commands

clear log
show log

logging buffer

To set the size of the disk buffer, use the logging buffer command. Use the no form of this command to set the disk buffer size to the default of 0.

logging buffer size

no logging buffer

Syntax Description

size

Size of the disk buffer in bytes. Enter an integer from 0 to 64000. The default is 0, where the CSS sends the logging information directly to the disk.


Command Modes

Global configuration mode

Usage Guidelines

The logging buffer command is only applicable when you configure logging to the CSS disk through the logging disk command.

When the log activity information for the subsystem fills the buffer, the CSS empties it into the log file on the disk. The larger you configure the buffer size, the less frequently the CSS empties the buffer.

Related Commands

(config) logging disk

logging commands enable

To enable the CSS to log CLI commands, use the logging commands enable command. Use the no form of this command to disable the logging of CLI commands.

logging commands enable

no logging commands

Command Modes

Global configuration mode

Usage Guidelines

For the CSS to send CLI commands to the sys. log file, you must set the logging level of the netman subsystem to info-6. For example:

(config)# logging subsystem netman info-6

logging disk

To log the activity of a subsystem to a new or existing file on the disk, use the logging disk command. Use the no form of this command to turn off logging to the specified file on the disk and reenable logging to the sys.log file.

logging disk filename

no logging disk

Syntax Description

filename

New or existing filename in the log directory where you want to send the log information. The default file is sys.log. Enter an unquoted text string with a maximum length of 32 characters. To see a list of log filenames, enter:

logging disk ?

Command Modes

Global configuration mode

Usage Guidelines

You can have only one active log file on the disk. If you want to send the log information to a different log file, reenter the logging disk command.


Caution Logging to a CSS disk causes the performance of the CSS to degrade.

Related Commands

(config) logging buffer
(config)
logging to-disk
(config)
logging subsystem

logging host

To send the log activity of a subsystem to the syslog daemon on the host system, use the logging host command. Use the no form of this command to turn off logging to the syslog daemon on the host.

logging host ip_or_host facility number log-level number

no logging host ip_or_host

Syntax Description

ip_or_host

IP address of the syslog daemon on the host. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1) or the mnemonic host name (for example, myhost.mydomain.com).

facility number

Syslog daemon facility level. Enter a number from 0 to 7. For more information on the syslog daemon and facility levels, refer to the syslog daemon documentation that accompanied the host system.

log-level number

Logging level of the messages sent to the syslog daemon. Enter one of the following valid log levels for the CSS: fatal-0, alert-1, critical-2, error-3, warning-4 (default), notice-5, info-6, debug-7. The logging levels are listed in order of severity, with a fatal-0 level being the most severe error and an info-6 level being the least severe error. This level must be equal to or less than the log level you configure for the logging subsystem command.


Command Modes

Global configuration mode

Usage Guidelines

When you use the logging host command, the CSS continues to send logging activity to the sys.log file on the disk. To disable logging to the sys.log file, use the logging to-disk disable command.

The log level that you enter must be equal to or less than the logging level set for a CSS subsystem with the logging subsystem command. If the level is set to a value greater than the logging level, the CSS displays only the subsystem log messages for the specified subsystem level. The log level is a subset of the subsystem level you set. For example, if you specify logging subsystem netman level warning-4 and logging host <ip address> log-level 7. You should expect to see messages only at level 4 or lower sent to the syslog daemon. Although the facility number is set to 7, log messages 5, 6, or 7 would not be displayed in the sys.log file on the CSS or sent to the syslog daemon.

Related Commands

(config) logging subsystem

logging line

To send the log activity of a subsystem to an active CSS session, use the logging line command. Use the no form of this command to turn off logging to a session.

logging line session

no logging line session

Syntax Description

session

Valid active session on the CSS. Enter a case-sensitive unquoted text string with a maximum length of 32 characters. To see a list of sessions, enter:

logging line ?

Command Modes

Global configuration mode

Usage Guidelines

When you use the logging line command, the CSS continues to send logging activity to the sys.log file on the disk. To disable logging to the sys.log file, use the logging to-disk disable command.

Related Commands

(config) logging subsystem

logging sendmail

To send the log activity of a subsystem to an e-mail address, use the logging sendmail command. Use the no form of this command to turn off logging to an e-mail address.

logging sendmail email_address host_address level {domain}

no logging sendmail email_address

Syntax Description

email_address

E-mail address for the recipient. Enter a case-sensitive unquoted text string with a maximum length of 30 characters.

host_address

IP address for the SMTP host. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).

level

The type of information to log. Enter one of these levels:

fatal-0 - Fatal error log messages

alert-1 - Alert error log messages

critical-2 - Critical error log messages

error-3 - General error log messages

warning-4 - Warning error log messages

notice-5 - Notice error log messages

info-6 - Information messages

domain

The domain name for the SMTP host. Enter an unquoted text string with a maximum length of 64 characters (for example, cisco.com).

Do not insert an "@" sign before the domain name. The CSS prepends it to the domain name automatically.


Command Modes

Global configuration mode

logging subsystem

To select a CSS subsystem and determine which type of activity to log, use the logging subsystem command. Use the no form of this command to reset a subsystem logging level to the default setting of warning.

logging subsystem name level level

no logging subsystem name

Syntax Description

name

Name of a CSS subsystem. Enter one of the following subsystem names:

acl - Access control lists

all - All subsystems

app - Application Peering Protocol (APP)

boomerang - DNS Content Routing Agent

buffer - Buffer Manager

chassis - Chassis Manager

circuit - Circuit Manager

csdpeer - Content Server Database (CSD) Peer

dql - Domain qualifier list (DQL)

eql - Extension qualifier list (EQL)

fac - Flow Admission Control (FAC)

flowmgr - Flow Manager

hfg - Header field group (HFG)

ipv4 - Internet Protocol version 4

keepalive - Keepalive

netman - Network Management

nql - Network qualifier list (NQL)

ospf - OSPF

name
(cont.)

pcm - Proximity CAPP Messaging (PCM)

portmapper - Port Mapper

proximity - Proximity

publish - Publish

radius - Remote Authentication Dial-In User Server (RADIUS)

replicate - Replication

redundancy - CSS redundancy

rip - RIP

security - Security Manager

sntp - Simple Network Time Protocol (SNTP)

syssoft - System software

urql - Uniform Resource qualifier list

vlanmgr - VLAN Manager

vpm - Virtual Pipe Manager

vrrp - Virtual Router Redundancy Protocol

wcc - Web Conversation Control

To see a list of subsystems, enter:

logging subsystem ?

level

The log level for the message. Enter one of these levels:

fatal-0 - Fatal errors only.

alert-1 - Alert errors, including errors at the fatal-0 level.

critical-2 - Critical errors, including errors at the alert-1 level.

error-3 - Error errors, including errors at the critical-2 level.

warning-4 - Warning errors (default), including errors at the error-3 level.

notice-5 - Notice messages, including errors at the warning-4 level.

info-6 - Informational messages, including errors at the notice-5 level.

debug-7 - All errors and messages. Setting the logging level to debug-7 may decrease the performance of the CSS. When you enter this keyword, the CSS prompts you with the following message:

Logging at the debug level may degrade the CSS 
performance. Continue, [y/n]: 

Enter y to verify that you want to set the log level to debug-7. Enter n to cancel the executing of the debug-7 log level.


Command Modes

Global configuration mode

Related Commands

clear log
(config)
logging disk
(config)
logging host
(config)
logging line

logging to-disk

To disable or enable logging to the sys.log file on the CSS disk, use the logging to-disk command. By default, the CSS logs to the sys.log file.

logging to-disk [disable|enable]

Syntax Description

disable

Disables logging to the sys.log file

enable

Reenables logging to the sys.log file


Command Modes

Global configuration mode

Usage Guidelines

Use the logging to-disk disable command to prevent excessive writes to the disk or to increase the performance of the CSS. Logging to a file on a CSS disk degrades the performance of the CSS.

The logging to-disk disable command affects the sys.log file only. It does not affect a disk log file that you specified through the logging disk command. To disable all logging to the CSS disk, use the no logging disk command, and enter the logging to-disk command to disable logging to the sys.log file.

Related Commands

show log-state
(config) logging buffer
(config) no logging disk
(config) logging subsystem(config) no

To negate a command or set it to its default, use the no command. Not all commands have a no form. For information on general no commands that you can use in this mode, see the general no command.

All of the following options are available in global configuration mode.

Syntax Description

no acl index

Deletes an existing ACL

no app

Disables APP on the CSS

no app framesz

Restores the default APP frame size to 10240

no app port

Restores the default APP port number to 5001

no app session ip_address

Terminates an APP session

no app-udp

Disables APP-UDP messaging on the CSS

no app-udp options ip_address

Deletes the APP-UDP options from the IP address

no app-udp port

Restores the default APP-UDP port number to 5002

no app-udp options ip_address

Deletes the APP-UDP options from the IP address

no app-udp secure

Restores the default behavior of accepting all APP datagrams

no arp ip_or_host

Removes a static mapping address

no arp timeout

Restores the default timeout of 14400 seconds

no arp wait

Restores the default wait time of 5 seconds

no arrowpoint-cookie rfc2822-compliant

Disables the RFC2822 compliant format for the arrowpoint-cookie expiration time syntax

no bridge aging-time

Restores the default aging time of 300

no bridge forward-time

Restores the default delay time of 4

no bridge hello-time

Restores the default hello time interval of 1

no bridge max-age

Restores the default maximum age of 6

no bridge priority

Restores the default priority of 32768

no cmd-sched

Disables the execution of scheduled CLI commands

no cmd-sched record

Deletes a configuration record for the execution of CLI commands

no console authentication

Sets console authentication to none

no date european-date

Resets the format for the clock date command to its default of month, day, and year

no dhcp-relay-agent max-hops

Resets the maximum allowable number in the hops field of the BOOTP header to 4

no dns primary

Removes the primary DNS server

no dns secondary ip_or_host

Removes a secondary DNS server

no dns suffix

Removes the default suffix

no dns-boomerang client cpu-threshold

Resets the CSS CPU threshold to the default value of 99

no dns-boomerang client domain dns_name {alias alias_name}

Removes a client domain or the alias for the domain

no dns-boomerang client enable

Disables the Content Routing Agent (CRA) functionality on the CSS

no dns-peer interval

Resets the time between load reports to the CSS DNS peers to its default of 5 seconds

no dns-peer receive-slots

Resets the maximum number of DNS names received from a peer to its default value of 128

no dns-peer send-slots

Resets the maximum number of DNS names sent to a peer to its default value of 128

no dns-peer variance

Resets the load-variance to its default value of 50

no dns-record a dns_name

Deletes a domain address record

no dns-record accel dns_name

Deletes a DNS acceleration record

no dns-record ns dns_name

Deletes a domain name server record

no dns-server

Disables the DNS server functionality on the CSS

no dns-server accelerate domains

Disables domain acceleration

no dns-server bufferCount

Restores the default response buffer count to 10

no dns-server domain-cache

Disables domain caching

no dns-server forwarder primary|secondary

Deletes a CSS DNS forwarder

no dns-server respTasks

Restores the default responder task count to 2

no dns-server zone

Disables the CSS Proximity Domain Name Server

no domain hotlist

Disables the domain hot list

no domain hotlist interval

Resets the domain hot-list interval to 1 minute

no domain hotlist size

Resets the maximum number of entries in the domain hotlist to 100

no domain hotlist threshold

Resets the domain hot-list threshold to 0, which disables the threshold

no dql dql_name

Deletes the specified DQL

no eql eql_name

Deletes the specified EQL

no flow-state number udp|tcp

Resets the flow state and, for flow-disabled UDP ports, the PAT state of a port to its default settings

no flow permanent port[1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20]

Resets a port to its default number of 0

no flow port-reset

Disables Fast and Gigabit Ethernet port resets on the CSS

no flow reserve-clean

Resets the reclaiming of port numbers to 10 seconds

no flow tcp-mss

Resets the TCP maximum segment size to 1460 bytes

no ftp-record ftp_record

Deletes an FTP record file from the CSS

no global-portmap

Resets the starting port and range to their default values

no group existing_group_name

Deletes an existing group

no gsdb

Disables the GSDB

no gsdb ttl

Resets the time to live for GSDB entries to its default of 7200 seconds

no gsdb-interface [primary|secondary]

Removes the GSDB primary or secondary interface

no header-field-group existing_group_name

Deletes an existing header-field group

no host host_name

Removes an existing host from the Host table

no idle timeout

Sets the idle timeout for any session connected to the CSS to the default of 0 (disabled)

no ip advanced-route-remap

Disables the CSS from remapping flows using the best-available route

no ip ecmp no-prefer-ingress

Resets the ECMP ingress path for a flow to be its preferred reverse egress path

no ip firewall index

Deletes a configured firewall

no ip management no-icmp-redirect

Resets the CSS to accept ICMP redirect packets on the Ethernet management port

no ip no-implicit-service

Resets the CSS to start an implicit service for the next hop of static routes

no ip opportunistic

Allows opportunistic Layer 3 forwarding for local destinations

no ip record-route

Disables processing of frames with a record-route option

no ip redundancy

Disables CSS-to-CSS redundancy

no ip redundancy master

Unassigns the CSS as the master CSS

no ip route ip_address subnet_mask ip_address2

Removes a static route

no ip route ip_address subnet_mask blackhole

Disables the dropping of packets to a blackhole route

no ip route ip_address subnet_mask firewall index

Removes a firewall route

no ip source-route

Disables processing of source-routed frames

no ip subnet-broadcast

Disables forwarding of subnet broadcast addressed frames

no ip uncond-bridging

Reenables the routing table lookup to override a bridging decision

no ip-fragment max-assembled-size

Resets the maximum IP fragment assembled size to the default of 5120 bytes

no ip-fragment min-fragment-size

Resets the minimum IP fragment payload size to the default of 1024 bytes

no keepalive name

Deletes an existing keepalive

no load ageout-timer

Resets the number of ageout time interval for load information to its default value of 60 seconds

no load reporting

Disables load reporting

no load step

Resets the load step to its default value of 10 ms

no load teardown-timer

Resets the teardown time interval to its default value of 20 seconds

no load threshold

Resets the global load threshold to its default value of 254

no logging buffer

Sets the disk buffer size to the default of 0

no logging commands

Disables the logging of CLI commands

no logging disk

Turns off logging to a specified file on disk

no logging host ip_or_host

Turns off logging to the syslog daemon on the host

no logging line session

Turns off logging to an active CSS session

no logging sendmail email_address

Turns off logging to an e-mail address

no logging subsystem name

Resets the logging level of a subsystem to the default setting of warning

no noflow-portmap

Resets the starting port and range to their default values

no nql name

Deletes an existing NQL

no ospf advertise ip_address subnet_mask

Stops advertising of the route as OSPF ASE through the OSPF interfaces

no ospf area ip_address

Removes the OSPF area

no ospf as-boundary

Unassigns the CSS as a AS boundary router

no ospf default

Stops advertising the routes originated through OSPF

no ospf enable

Disables OSPF

no ospf equal-cost

Resets the number of equal-cost routes OSPF can use to its default of 15

no ospf range area_id address mask

Removes the range to summarize routes at an area border

no ospf redistribute [firewall|local|rip|static]

Stops advertising a route of a specific protocol type through OSPF

no ospf router-id

Deletes the OSPF router ID on the CSS

no owner existing_owner_name

Deletes an existing owner

no prelogin-banner

Removes a previously configured pre-login banner

no proximity cache-size

Restores the proximity lookup cache size to its default of 16000 entries

no proximity db

Disables the CSS Proximity Database in a dedicated CSS 11150

no proximity probe rtt interval

Resets the delay in seconds between ICMP samples to its default of 1 second

no proximity probe rtt metric-weighting

Resets the percentage of the previous metric value to derive the new metric to its default of 0

no proximity probe rtt samples

Resets the number of ICMP echo requests that the CSS uses for averaging during an initial probe to its default of 2

no proximity probe rtt tcp-ports

Resets the default probe ports for SYN proximity metric discovery

no proximity ttl assigned

Resets the TTL value to its default of 60 minutes

no proximity ttl probe

Resets the TTL value to its default of 0, which disables the caching of responses at the Proximity Database

no radius-server dead-time

Resets the dead-time period to its default of 5 seconds

no radius-server primary

Deletes the primary RADIUS server

no radius-server source-interface

Removes a specified RADIUS server source interface

no radius-server retransmit

Resets the retransmission of authentication request to its default of 3

no radius-server secondary

Deletes the secondary RADIUS server

no radius-server timeout

Resets the time interval that the CSS waits for a reply to a RADIUS request to 10 seconds

no restrict console

Enables access to the CSS from a console

no restrict ftp

Enables FTP access to the CSS

no restrict secure-xml

Enables secure SSL XML access to the CSS

no restrict snmp

Enables SNMP access to the CSS

no restrict ssh

Enables SSHD access to the CSS

no restrict telnet

Enables Telnet access to the CSS

no restrict xml

Enables unsecure XML access to the CSS

no restrict web-mgmt

Enables web management access to the CSS

no rip advertise ip_address/ip_mask

Stops advertising a route through all RIP interfaces

no rip equal-cost

Resets the number of equal-cost routes RIP can use to its default of 1

no rip redistribute [local|ospf|static|
firewall]

Stops advertising routes from other protocols

no rmon-alarm index

Deletes an RMON alarm

no rmon-event index

Deletes an RMON event

no rmon-history index

Deletes an RMON history

no service service_name

Deletes an existing service

no setspan src_port number dest_port number

Disables the switched port analyzer (SPAN) feature

no snmp auth-traps

Disables reception of authentication traps

no snmp community community_name

Removes a community name and defaults it to Cisco Systems, Content Network Systems

no snmp contact

Removes the contact name

no snmp location

Removes the location and defaults it to Customer Premises

no snmp name

Removes the SNMP name for this system and defaults it to Support

no snmp reload-enable

Disallows an SNMP-based reboot of the CSS

no snmp trap-host ip_or_host

Removes a specified trap host

no snmp trap-source

Resets the SNMP source traps to the default of the management port IP address

no snmp trap-type generic

Disables generic traps

no snmp trap-type enterprise

Disables enterprise traps

no snmp trap-type enterprise dos_attack_type

Disables the generation of an SNMP enterprise trap for a Denial of Service attack type, as configured with the (config) snmp trap-type enterprise command

no snmp trap-type enterprise chmgr-module-transition

Disables the generation of an SNMP enterprise trap when a module is inserted into or removed from the chassis

no snmp trap-type enterprise chmgr-ps-transition

Disables the generation of an SNMP enterprise trap when a power supply changes state

no snmp trap-type enterprise isc-lifetick-failure

Disables the generation of an SNMP enterprise traps on ISC lifetick message failures

no snmp trap-type enterprise isc-state-transition

Disables the generation of an SNMP enterprise trap when an ISC link fails over

no snmp trap-type enterprise login-failure

Disables the generation of an SNMP enterprise trap when a login fails

no snmp trap-type enterprise reload

Disables the generation of an SNMP enterprise trap when the CSS reboots initiated directly through SNMP

no snmp trap-type enterprise redundancy-transition

Disables the generation of an SNMP enterprise trap when a redundant CSS transitions state

no snmp trap-type enterprise reporter transition

Disables the generation of an SNMP enterprise trap when a reporter transitions state

no snmp trap-type enterprise service-transition

Disables the generation of an SNMP enterprise trap when a service transitions state

no sntp poll-interval

Resets the poll interval to its default to 64 seconds

no sntp server

Removes the SNTP server

no sshd keepalive

Disables the SSHD keepalive

no sshd port

Resets the SSHD port number to 22

no sshd server-keybits

Resets the number of bits for the server key to 768

no ssl crl-record name

Removes the specified CRL record from the CSS

no tacacs-server ip_address port

Removes the TACACS+ server

no tacacs-server account config|non-config

Disables TACACS+ accounting for running and non-running configuration commands

no tacacs-server authorize config|non-config

Disables TACACS+ authorization for running and non-running configuration commands

no tacacs-server key

Removes the global encryption key

no tacacs-server timeout

Resets the TACACS+ server timeout period to its default of 5 second

no urql name

Deletes an existing URQL

no username name

Deletes an existing username

no virtual authentication

Disables virtual authentication

no vrrp-backup-timer

Resets the timer to the default value of 3 seconds


Command Modes

Global configuration mode

(config) noflow-portmap

To control the port translation (port-mapping) range of DNS UDP source-port numbers greater than 1023 on a CSS, use the noflow-portmap command. This command is always enabled. Use the no form of this command to reset the starting port number and portmap range to their default values.

noflow-portmap base-port number1 range number2

no noflow-portmap

Syntax Description

base-port number1

Starting port number for no-flow (DNS flows are disabled) port mapping on a CSS. Enter an integer from 2016 to 63456. The default is 2016.


Caution Changing the value of the number1 variable may cause port conflicts on existing flows.

range number2

range number2 - The total number of ports in the port-map range that the CSS allocates to each SP. Each SP can use the full range of configured ports.


Caution Changing the value of the number2 variable may cause port conflicts on existing flows.

Enter an integer from 2048 to 63488. The default is 63488. If you enter a value that is not a multiple of 32, the CSS rounds up the value to the next possible multiple of 32.


Usage Guidelines

Before a CSS can use the noflow-portmap command, you must enter the dnsflow disable command to disable DNS flows on the CSS.

The portmap command values configured in a source group take precedence over the noflow-portmap command values, unless you configure the portmap disable command. For details on configuring the portmap commands in a source group, refer to Cisco Content Services Content Load-Balancing Configuration Guide.

Related Commands

show noflow-portmap
(config) dnsflow
(config-group) portmap

(config) nql

To access network qualifier list (NQL) configuration mode and configure an NQL, use the nql command. An NQL is a collection of subnet and host IP addresses which you can assign to an ACL clause, instead of creating a clause for each address. Use the no form of this command to remove an existing NQL.

nql nql_name

no nql existing_nql_name

Syntax Description

nql_name

The name of a new NQL you want to create or of an existing list. Enter an unquoted text string with no spaces and a maximum length of 31 characters. To see a list of existing NQL names, enter:

nql ?

Command Modes

Global configuration mode

Usage Guidelines

You can access NQL mode from any configuration mode except boot, group, RMON alarm, RMON event, and RMON history configuration modes. The prompt changes to (config-nql [name]). You can also use the nql command from NQL mode to access another NQL. For information about commands available in this mode, see the "NQL Configuration Mode Commands" section.

You can configure a maximum of 512 networks to an NQL and a maximum of 512 NQLs on the CSS.

(config) ospf

To configure global Open Shortest Path First (OSPF) parameters on the CSS, use the ospf command. The options for this global configuration mode command are:

ospf advertise - Advertises a route as OSPF Autonomous System external (ASE) through all OSPF interfaces

ospf area - Configures an OSPF area

ospf as-boundary - Configures the CSS as an Autonomous System (AS) boundary router

ospf default - Advertises default ASE default routes through OSPF

ospf enable - Enables OSPF

ospf equal-cost - Sets the number of equal-cost routes that OSPF can use

ospf range - Configures summarize routes at an area border

ospf redistribute - Advertises other routes through OSPF

ospf router-id - Configures the OSPF router ID

For more detailed information about these options and their variables, see the following sections.

Related Commands

show ospf
(config-circuit-ip) ospf

ospf advertise

To advertise a route as OSPF ASE through all OSPF interfaces, use the ospf advertise command. Use the no form of this command to stop advertising the route as OSPF ASE through all OSPF interfaces.

ospf advertise ip_address subnet_mask {metric number1} {tag number2} {type1}

no ospf advertise ip_address subnet_mask

Syntax Description

ip_address

IP address for the route prefix. Enter an IP address in dotted-decimal notation (for example, 192.168.128.0).

subnet_mask

Subnet mask. Enter the mask as either:

A prefix length in CIDR bitcount notation (for example, /24). Do not enter a space to separate the IP address from the prefix length.

A dotted-decimal notation (for example, 255.255.254.0).

number1

(Optional) Metric to use when advertising a route. Enter a number from 1 to 16777215. The default is 1.

tag number2

(Optional) 32-bit tag value to advertise each external route. This is not used by the OSPF protocol itself. You can use it to communicate information between AS boundary routers.

type1

(Optional) Advertises the routes as ASE type1. By default, the type is ASE type2. The difference between type1 and type2 is how the cost is calculated. For a type2 ASE, only the external cost (metric) is considered when comparing multiple paths to the same destination. For type1 ASE, the combination of the external cost and the cost to reach the ASBR is used.


Command Modes

Global configuration mode

Usage Guidelines

Before you enter the ospf advertise command, you must configure the CSS as an Autonomous System (AS) boundary router. For more information, see the ospf as-boundary command.

The AS boundary router can perform external route summarization to consolidate multiple routes into a single advertisement. For a CSS, this is useful when you want to advertise VIP addresses for content as OSPF AS external (ASE) through all OSPF interfaces.


Note When you configure OSPF to advertise a VIP address as ASE, it continues to advertise the route even when the underlying service is not active or does not exist anymore. However, if you configure the VIP as a redundant VIP within a virtual router, OSPF will stop advertising this VIP when the virtual router state is Down or Backup.

For more information on configuring a redundant VIP within a virtual router, refer to the Cisco Content Services Switch Redundancy Configuration Guide. To stop the advertisement of the route, enter the no ospf advertise command.


ospf area

To configure an OSPF area, use the ospf area command. To remove an OSPF area, disable OSPF and then use the no form of this command.

ospf area area_id {stub {default-metric metric|send-summaries}}

no ospf area area_id

Syntax Description

area_id

The OSPF area ID. Enter the ID in dotted-decimal notation (for example, 0.0.0.1). Although an area ID has the same form as an IP address, the area ID address space is its own distinct address space. The area ID of 0.0.0.0 is reserved for the backbone.

stub

(Optional) Allows you to configure the area as a stub area. AS-external link state advertisements are not flooded into stub areas. This reduces the link-state database size and the memory requirements for internal routers in the stub area.

default-metric

(Optional) Sets a metric for the default route advertised into the stub area.

metric

(Optional) Metric value. By default, this value equals the least metric among the interfaces to other areas. Enter an integer from 1 to 16777215.

send-summaries

(Optional) Propagates summary link state advertisements (LSAs) into the stub area.


Command Modes

Global configuration mode

ospf as-boundary

To configure the CSS as an Autonomous System (AS) boundary router, use the ospf as-boundary command. An AS boundary router exchanges routing information with routers belonging to other Autonomous Systems. It advertises AS external routing information throughout the Autonomous System. Use the no form of this command to unassign the CSS as an AS boundary router.

ospf as-boundary

no ospf as-boundary

Command Modes

Global configuration mode

Usage Guidelines

You can enter the ospf as-boundary command only if OSPF is disabled.

ospf default

To advertise default ASE routes through OSPF, use the ospf default command. Routers use default routes when no more specific routes exist to AS external destinations. Use the no form of this command to shut off the advertising of default ASE routes originated through OSPF.

ospf default {metric number1} {tag number2} {type1}

no ospf default

Syntax Description

metric number1

(Optional) Metric to advertise. Enter a number from 1 to 16777215. The default is 1.

tag number2

(Optional) 32-bit tag value to advertise each external route. This is not used by the OSPF protocol itself. You can use it to communicate information between AS boundary routers.

type1

(Optional) Advertises the routes as ASE type1. By default, the type is ASE type2. The difference between type1 and type2 is how the cost is calculated. For a type2 ASE, only the external cost (metric) is considered when comparing multiple paths to the same destination. For type1 ASE, the combination of the external cost and the cost to reach the ASBR is used.


Command Modes

Global configuration mode

Usage Guidelines

Use the ospf default command to force an AS boundary router to generate a default route. Normally, AS boundary routers do not generate default routes into the OSPF routing domain.

ospf enable

To enable OSPF, use the ospf enable command. Use the no form of this command to disable OSPF.

ospf enable

no ospf enable

Command Modes

Global configuration mode

Usage Guidelines

You must configure a router ID before enabling OSPF. For more information, see the ospf router-id command.

ospf equal-cost

To configure the number of equal-cost routes that OSPF can use, use the ospf equal-cost command. Use the no form of this command to reset the number of routes to its default value of 15.

ospf equal-cost number

no ospf equal-cost

Syntax Description

number

Number of equal-cost routes. Enter a number from 1 to 15. The default is 15.


Command Modes

Global configuration mode

ospf range

To specify an IP address range to summarize routes at the CSS area border router, use the ospf range command. Use the no form of this command to remove the range.

ospf range area_id ip_address mask {block}
no ospf range area_id ip_address mask

Syntax Description

area_id

OSPF area ID. Enter the ID in dotted-decimal notation (for example, 0.0.0.1).

ip_address mask

Range of addresses you want to summarize in one range. Enter the IP address and mask in dotted-decimal notation (for example, 192.168.128.0 255.255.224.0). You can also enter the mask in prefix-length format (for example, /24).

block

(Optional) Hides the range from the rest of the autonomous system.


Command Modes

Global configuration mode

Usage Guidelines

You can enter the ospf range command only if OSPF is disabled.

Define an address range by specifying an IP address and mask pair that represent networks in the area being summarized. You can also determine whether you want to advertise this range.

The CSS advertises a single summary route or network ranges that cover all the individual networks within its area that fall into the specified range. This summarization applies to inter-area paths, which are paths to destinations in other OSPF areas. This summarization helps control routing table sizes and prevents the constant changing of routes whenever an interface within an area comes online or goes offline. These route changes do not cause route changes in backbone ABRs and other area routers.

ospf redistribute

To advertise routes from other protocols through OSPF, use the ospf redistribute command. Redistribution of these routes makes them OSPF external routes. Use the no form of this command to shut off the advertising of routes via OSPF.

ospf redistribute protocol {metric number1} {tag number2} {type1}

no ospf redistribute protocol

Syntax Description

protocol

The type of route to advertise. Enter one of the following:

firewall - Firewall route

local - Local route

rip - RIP route

static - Static route

metric number1

(Optional) Metric to advertise. Enter a number from 1 to 16777215. The default is 1.

tag number2

(Optional) 32-bit tag value to advertise each external route. This is not used by the OSPF protocol itself. You can use it to communicate information between AS boundary routers.

type1

(Optional) Advertises the routes as ASE type1. By default, the type is ASE type2. The difference between type1 and type2 is how the cost is calculated. For a type2 ASE, only the external cost (metric) is considered when comparing multiple paths to the same destination. For type1 ASE, the combination of the external cost and the cost to reach the ASBR is used.


Command Modes

Global configuration mode

ospf router-id

To configure the OSPF router ID for the CSS, use the ospf router-id command. Use the no form of this command to delete the router ID on the CSS.

ospf router-id id_number

no ospf router-id

Syntax Description

id_number

Router ID 32-bit number that identifies the CSS within the AS. Enter the ID in dotted-decimal notation (for example, 121.23.21.1).


Command Modes

Global configuration mode

Usage Guidelines

Before you can enable OSPF, you must configure the router ID. To change the router ID, you must disable OSPF.

(config) owner

To access owner configuration mode and configure an owner, use the owner command. An owner is an entity that owns web content and uses the CSS to manage access to the content through content rules. A maximum of 255 owners can use a single CSS and each owner has a configurable profile. Use the no form of this command to delete an existing owner.

owner owner_name

no owner existing_owner_name

Syntax Description

owner_name

Name of a new owner you want to create or the name of an existing owner. Enter an unquoted text string with no spaces and a maximum length of 31 characters. To see a list of existing owner names, enter:

owner ?

Usage Guidelines

When you access owner mode, the prompt changes to (config-owner [owner_name]). For information about commands available in this mode, see the "Owner Configuration Mode Commands" section.


Caution Before you use the no owner command to delete an existing owner, make sure you want to permanently delete the owner and its associated content rules. You cannot undo this command. If you want a prompt before the CSS performs a command, use the no expert command.

(config) persistence reset

To choose between an HTTP redirection or a back-end service remapping operation when resetting a connection to a new back-end service, use the persistence reset command. This command affects all flow setups that require redirecting or remapping.

persistence reset [redirect|remap]

Syntax Description

redirect

Causes an HTTP redirection when resetting a connection to a new back-end service. An HTTP redirection resets both sides of the connection.

remap

Uses a back-end remapping operation when resetting a connection to a new back-end service.


Usage Guidelines

The CSS does not use a remapping method when selecting services of type redirect.

You cannot use the persistence reset command with the (config-owner-content) redundancy-l4-stateless command.

If your topology consists of a CSS 11800 using ECMP to the servers and server port NAT configured on the services, to ensure the correct processing of packets either:

Enable Service Remapping with the persistence reset remap command.

Create source groups for the services in the content rule with the add destination service command.

Related Commands

show remap
(config) bypass persistence
(config-owner-content) persistent

(config) prelogin-banner

To configure a banner that appears when you connect to a CSS before you log in, use the prelogin-banner command.

prelogin-banner "filename"

no prelogin-banner

Syntax Description

filename

Name of the ASCII text file that contains the pre-login banner text. Enter a quoted text string with a maximum of 32 characters.


Usage Guidelines

Create a banner using any text editor (for example, Notepad or Wordpad). Save the file as a text file, and then FTP the file to the CSS script directory. Configure the prelogin-banner command. The next time you connect to the CSS, the pre-login banner appears. For more information, refer to the Cisco Content Services Switch Administration Guide.

(config) proximity

To configure proximity on the CSS, use the proximity command and its options. The command options are:

proximity cache-remove - Removes entries from the proximity lookup cache

proximity cache-size - Sets the entry size for the proximity lookup cache

proximity db - Enables the Proximity Database (PDB) in a dedicated CSS 11150

proximity probe rtt interval - Configures the delay in seconds between ICMP samples

proximity probe rtt method - Configures the primary method to be used for proximity metric discovery

proximity probe rtt metric-weighting - Configures the percentage of the previously stored metric value in the database that is used to determine the new metric value

proximity probe rtt samples - Configures the number of ICMP requests to send

proximity probe rtt tcp-ports - Configures the probe defaults for SYN proximity metric discovery

proximity ttl - Sets the Time-to-Live value for each Proximity Database response

For more information, see the following commands.

proximity cache-remove

To remove entries from the proximity lookup cache, use the proximity cache-remove command. The prefix length parameter allows you to remove multiple entries in a single operation.

proximity cache-remove [ip_address ip_prefix|all]

Syntax Description

ip_address

IP address to remove from the cache.

ip_prefix

IP prefix length to be associated with ip_address for removal. Enter the prefix as either:

A prefix length in CIDR bitcount notation (for example, /24)

A subnet mask in dotted-decimal notation (for example, 255.255.255.0)

all

Removes all entries from the proximity cache.


Command Modes

Global configuration mode

Usage Guidelines

The proximity cache-remove command is functional on a CSS with the Enhanced feature set.

Related Commands

show proximity cache

proximity cache-size

To set the size of the proximity lookup cache, use the proximity cache-size command. Use the no form of this command to restore the default cache size of 16000 entries.

proximity cache-size cache_size

no proximity cache-size

Syntax Description

cache_size

Size of the cache. Enter a size between 0 and 48,000. The default value is 16000 entries. Entering a value of 0 disables the cache.


Command Modes

Global configuration mode

Usage Guidelines

The proximity cache-size command is functional on a CSS with the Enhanced feature set. By default, the cache supports approximately 16,000 entries using 1 MB of CSS memory. You can increase or decrease the entries, depending upon your CSS configuration.


Note Dynamically modifying the cache size results in flushing the existing entries.


Related Commands

show proximity cache
(config)
proximity cache-remove

proximity db

To enable the Proximity Database (PDB) on the CSS, use the proximity db command. This service allows the CSS to respond to proximity lookup requests and enables proximity probing. Use the no form of this command to disable the CSS Proximity Database.

proximity db zoneIndex {tier1|tier2 {"description"}}

no proximity db

Syntax Description

zoneIndex

Numeric identifier of the proximity zone of the CSS. This number should match the zoneIndex configured on the PDNS. Enter an integer from 0 to 15. There is no default.

tier1|tier2

(Optional) Maximum number of zones the CSS expects to participate in its proximity zone mesh. Enter tier1 for a maximum of 6 zones, 0 through 5. Enter tier2 for a maximum of 16 zones, 0 through 15. The tier1 option is the default.

"description"

(Optional) Text description of this CSS zone. Enter a quoted string with a maximum of 20 characters.


Command Modes

Global configuration mode

Usage Guidelines

The proximity db command is functional only on a Proximity Database CSS in a dedicated CSS 11150.

proximity probe rtt interval

To configure the delay in seconds between samples for the configured probe method, use the proximity probe rtt interval command. Use the no form of this command to reset the delay between samples to its default value of 1 second.

proximity probe rtt interval seconds

no proximity probe rtt interval

Syntax Description

seconds

Length of time in seconds to delay between samples. Enter a number from 1 to 10. The default is 1.


Command Modes

Global configuration mode

Usage Guidelines

The proximity probe rtt interval command is functional only on a Proximity Database CSS in a dedicated CSS 11150.

proximity probe rtt method

To configure the primary and secondary methods to be used for proximity metric discovery, use the proximity probe rtt method command. The discovery method uses ICMP Echo requests or a TCP SYN, SYN-ACK, RST sequence to the configured TCP ports as the Round-Trip Time (RTT) discovery method.

proximity probe rtt method [icmp tcp|icmp|tcp icmp|tcp]

Syntax Description

icmp tcp

Configures the ICMP as the primary discovery method and TCP as the secondary method (default)

icmp

Configures the ICMP as the primary discovery method only

tcp icmp

Configures the TCP as the primary discovery method and ICMP as the secondary method

tcp

Configures the TCP as the primary discovery method only


Command Modes

Global configuration mode

Usage Guidelines

The proximity probe rtt method command is functional only on a Proximity Database CSS in a dedicated CSS 11150.

proximity probe rtt metric-weighting

To configure the percentage of the previously stored metric value in the database that is used to determine the new metric value, use the proximity probe rtt metric-weighting command. Use the no form of this command to reset the percentage to its default value of 0.

proximity probe rtt metric-weighting number

no proximity probe rtt metric-weighting

Syntax Description

number

Percentage of the previous metric value used. Enter a number from 0 to 99. The default is 0.


Command Modes

Global configuration mode

Usage Guidelines

This command is functional only on a Proximity Database CSS in a dedicated CSS 11150.

The proximity probe rtt metric-weighting command allows the PDB to smooth network metric variation caused by network congestion and flash crowds.

proximity probe rtt samples

To configure the number of ICMP requests to send for each configured probe method, use the proximity probe rtt samples command. Use the no form of this command to reset the number of requests to its default value of 2.

proximity probe rtt samples number

no proximity probe rtt samples

Syntax Description

number

Number of requests that the CSS uses for averaging during an initial probe. Enter a number from 1 to 30. The default is 2.


Command Modes

Global configuration mode

Usage Guidelines

This command is functional only on a Proximity Database CSS in a dedicated CSS 11150.

proximity probe rtt tcp-ports

To configure the probe ports for SYN proximity metric discovery, use the proximity probe rtt tcp-ports command. Use the no form of this command to reset the probe ports to their default values.

proximity probe rtt tcp-ports port_number1 {port_number2 {port_number3 {port_number4}}}

no proximity probe rtt tcp-ports

Syntax Description

port_number

Maximum of four port numbers to be tried, in order of preference. Enter a number from 0 to 65535. The default for the ports are as follows:

port_number1 is 23, Telnet port

port_number2 is 21, FTP port

port_number3 is 80, HTTP port

port_number4 is 0, this port is not tried


Command Modes

Global configuration mode

Usage Guidelines

This command is functional only on a Proximity Database CSS in a dedicated CSS 11150.

proximity ttl

To set the time-to-live (TTL) value, in minutes, for each Proximity Database response, use the proximity ttl command. This value informs the proximity DNS how long to cache the response. Use the no form of this command to reset the TTL value to its default value.

proximity ttl [assigned assigned_minutes|probe probe_minutes]

no proximity ttl [assigned|probe]

Syntax Description

assigned

Sets the TTL value for client addresses that are assigned to the Proximity Database.

assigned_minutes

TTL value in minutes for client addresses that are assigned to the Proximity Database. Enter a number from 0 to 255. The default value is 60.

probe

Sets the TTL value for client addresses that are being probed.

probe_minutes

TTL value in minutes for client addresses that are being probed. Enter a number from 0 to 255. The default value is 0, which disables the caching of responses at the Proximity Database.


Command Modes

Global configuration mode

Usage Guidelines

This command is functional only on a Proximity Database CSS in a dedicated CSS 11150.

(config) radius-server

To configure the CSS as a RADIUS server client, use the radius-server command and its options. The command options are:

radius-server dead-time - Sets the time interval to send probe access-request packets to verify that the RADIUS server is available and can receive authentication requests

radius-server primary - Configures the primary RADIUS server

radius-server retransmit - Sets the number of authentication request retransmissions to a timed-out RADIUS server before the server is considered dead

radius-server secondary - Configures the CSS with the secondary RADIUS server information

radius-server source interface - Specifies the IP interface where RADIUS packets are transmitted to and from the RADIUS server.

radius-server source interface - Configures the time interval that the CSS waits before retransmitting an authentication request

For more information, see the following commands.

radius-server dead-time

To set the time interval to send probe access-request packets to verify that the RADIUS server is available and can receive authentication requests, use the radius-server dead-time command. Use the no form of this command to reset the dead-time period to its default of 5 seconds.

radius-server dead-time seconds

no radius-server dead-time

Syntax Description

seconds

The time period in seconds. Enter a number from 0 to 255. The default is 5. If you enter 0, the dead time is disabled and the CSS does not send probe access-request packets to the nonresponsive server.


Usage Guidelines

The dead-time interval starts when the server does not respond to the number of authentication request retransmissions configured through the radius-server retransmit command. When the server responds to a probe access-request packet, the CSS transmits the authentication request to the server.

This command applies to primary and secondary servers.

Command Modes

Global configuration mode

Related Commands

show radius config
(config) radius-server retransmit

radius-server primary

To configure the remote primary RADIUS server that authenticates user information from the CSS client, use the radius-server primary command. Use the no form of this command to delete the primary RADIUS server.

radius-server primary ip_or_host secret string {auth-port number}

no radius-server primary

Syntax Description

ip_or_host

IP address or the host name for the primary RADIUS server.

secret string

Defines the secret string for authentication transactions between the RADIUS server and the CSS. Enter a case-sensitive string with a maximum of 16 characters.

auth-port number

(Optional) Defines the UDP port on the primary RADIUS server that receives authentication packets from RADIUS clients. Enter a number from 0 to 65535. The default port is 1645.


Usage Guidelines

When you configure a primary server and enable RADIUS console or virtual authentication on the CSS, the CSS enables the RADIUS protocol, allowing the CSS to become a RADIUS client.

Command Modes

Global configuration mode

Related Commands

show radius config
show radius stat
(config) console authentication
(config)
radius-server dead-time
(config)
radius-server source interface
(config)
radius-server source interface
(config) virtual authentication

radius-server retransmit

To configure the number of times that the CSS retransmits an authentication request to an active RADIUS server after the timeout interval occurred, use the radius-server retransmit command. Use the no form of this command to reset the retransmission of authentication request to its default of 3.

radius-server retransmit number

no radius-server retransmit

Syntax Description

number

Number of times that the CSS retransmits an authentication request. Enter a number from 1 to 30. The default number is 3.


Usage Guidelines

If the RADIUS server does not respond to the CSS retransmitted requests, the CSS considers the server as dead, stops transmitting to the server, and starts the dead timer as defined through the radius-server dead-time command.

If a secondary server is configured, the CSS transmits the requests to the secondary server. If the secondary server does not respond to the request, the CSS considers it dead and starts the dead timer.

If there is no active server, the CSS stops transmitting request until one of the servers becomes alive.

Command Modes

Global configuration mode

Related Commands

show radius config
show radius stat
(config)
radius-server dead-time

radius-server secondary

To configure the remote secondary RADIUS server, use the radius-server secondary command. When the primary server becomes unavailable, the CSS directs authentication requests to the secondary server. Use the no form of this command to delete the secondary RADIUS server.

radius-server secondary host_or_ip secret text {auth-port number}

no radius-server secondary

Syntax Description

ip_or_host

IP address or the host name for the secondary RADIUS server.

secret string

Defines the secret string for authentication transactions between the RADIUS server and the CSS. Enter a case-sensitive string with a maximum of 16 characters.

auth-port number

(Optional) Defines the UDP port on the secondary RADIUS server that receives authentication packets from clients. Enter a number from 0 to 65535. The default is 1645.


Command Modes

Global configuration mode

Related Commands

show radius config
show radius stat
(config)
radius-server dead-time
(config)
radius-server source interface
(config)
radius-server source interface

radius-server source interface

To specify the IP interface of the CSS RADIUS client, use the radius-server source-interface command. Some RADIUS servers require that the radius-server source-interface command be configured in order to accept authentication from the RADIUS client. Note that this IP interface address is used for the NAS-IP-Address RADIUS attribute in the RADIUS Authentication Request.

radius-server source-interface ip_or_host

no radius-server source-interface

Syntax Description

ip_or_host

IP address or host name for the CSS RADIUS client. Enter the address in either dotted-decimal IP notation (for example, 192.168.11.1) or mnemonic host-name format (for example, myhost.mydomain.com).


Command Modes

Global configuration mode

Related Commands

show radius config
show radius stat
(config)
radius-server dead-time
(config)
radius-server source interface

radius-server timeout

To specify the time interval that the CSS waits for a reply to a RADIUS request before retransmitting requests to the RADIUS server, use the radius-server timeout command. Configure the number of retransmitted requests to the server through the radius-server retransmit command. Use the no form of this command to reset the interval to its default of 10 seconds.

radius-server timeout time

no radius-server timeout

Syntax Description

time

Time interval in seconds. Enter a number from 1 to 255. The default interval is 10.


Usage Guidelines

This command applies to the primary and secondary RADIUS servers.

Command Modes

Global configuration mode

Related Commands

show radius config
show radius stat
(config)
radius-server retransmit

(config) replication file-error

To specify how the CSS handles file errors during content replication, use the replication file-error command.

replication file-error retry|skip

Syntax Description

retry

(Default) Replication pauses while the CSS periodically attempts to replicate a missing file

skip

The CSS skips the missing file and continues the replication process


Usage Guidelines

Under certain rare circumstances, it is possible for the CSS to encounter a file error during content replication. A file error can occur when an application or a user deletes a file from the publisher tree during a replication operation. If such an event occurs, the scan does not detect the deleted file and during replication the CSS may keep retrying the file until another scan occurs or the file becomes available.

Command Modes

Global configuration mode

Related Commands

replicate

(config) reporter

To create a reporter and enter reporter configuration mode, use the reporter command. A reporter is a software monitoring agent that a CSS uses to check and report the state of critical interfaces. You can also use a reporter to synchronize the states of the virtual routers that you associate with it.

reporter reporter_name

no reporter reporter_name

Syntax Description

reporter_name

Name of the reporter you are creating. Enter an unquoted text string with no spaces from 1 to 31 characters.


Command Modes

Global configuration mode

Usage Guidelines

When you enter the reporter command to access reporter configuration mode, the prompt changes to (config-reporter [reporter_name]). For information about commands available in this mode, see the "Reporter Configuration Mode Commands" section.

For more information about configuring and using a reporter, refer to the Cisco Content Services Switch Redundancy Configuration Guide.

Related Commands

(config-reporter) type
(config-reporter) vrid
(config-reporter) phy
(config-reporter) active
(config-reporter) suspend
show reporter

(config) restrict

To disable Telnet, SNMP, SSH, console, FTP, user database, secure or unsecure XML, or web management access to the CSS, use the restrict command. Use the no form of this command to enable access to the CSS.

restrict [console|ftp|secure-xml|snmp|ssh|telnet|user-database|xml
|web-mgmt]

no restrict [console|ftp|secure-xml|snmp|ssh|telnet|user-database|xml
|web-mgmt]

Syntax Description

console

Disables console access to the CSS. By default, this access is enabled.

ftp

Disables FTP access to the CSS. By default, this access is enabled.

secure-xml

Disables the transfer of XML configuration files to the CSS through secure SSL connections. By default, this access is disabled.

snmp

Disables SNMP access to the CSS. By default, this access is enabled.

ssh

Disables SSH access to the CSS. By default, this access is enabled.

telnet

Disables Telnet access to the CSS. By default, this access is enabled.

user-database

Disables users from clearing the running-config and creating or modifying usernames. Only administrator and technician users can perform these tasks. By default, this access is enabled.

xml

Disables the transfer of XML configuration files to the CSS through unsecure connections. By default, this access is disabled.

web-mgmt

Disables web management access to the CSS. By default, this access is disabled.


Command Modes

Global configuration mode

Usage Guidelines

Disable Telnet access when you want to use the Secure Shell Host (SSH) server.

If you enable secure XML through the no restrict secure-xml command, the CSS listens for connection requests on port 443. The client application can use SSL v2/3 or v3. However, the CSS performs all negotiations using SSL v3. The CSS requires a Secure Management license key to negotiate a secure connection using SSL strong encryption. Without the key, the CSS uses SSL weak encryption.

If you enable unsecure XML through the no restrict xml command, the CSS listens for XML connections on port 80.

Entering the restrict command does not prevent the CSS from listening for connection attempts on the restricted port. The CSS completes the TCP 3-way handshake and then terminates the connection with an error to prevent any data transfer from occurring. For UDP SNMP connections, the CSS simply discards the packets.

To secure restricted ports from unauthorized access, configure additional ACL clauses to deny packets destined to the ports, while permitting normal flow-through traffic. You can also use ACLs to secure the CSS.

Related Commandstransfer from occurring.

show user-database
(config) sshd
(config) username

(config) rip

To configure the Routing Information Protocol (RIP) parameters on the CSS, use the rip command. The default mode is to send RIP version 2 (v2) and receive either version. The options for this global configuration mode command are:

rip advertise - Advertises a route through RIP on the CSS

rip equal-cost - Sets the number of equal-cost routes

rip redistribute - Advertises routes from other protocols through RIP

For information on these options and associated variables, see the following commands. For information on additional rip command options in IP mode, see the (config-circuit-ip) rip command.

rip advertise

To advertise a route through RIP on the CSS, use the rip advertise command. Use the no form of this command to stop advertising a route through all RIP interfaces.

rip advertise ip_address ip_mask_prefix {metric}

no rip advertise ip_address ip_mask_prefix

Syntax Description

ip_address

IP address for the route prefix. Enter an IP address in dotted-decimal notation (for example, 192.168.11.1).

ip_mask_prefix

IP mask. Enter the mask as either:

A prefix length in CIDR bitcount notation (for example, /24). Do not enter a space to separate the IP address from the prefix length.

A subnet mask in dotted-decimal notation (for example, 255.255.255.0).

metric

(Optional) Metric to use when advertising this route. Enter a number from 1 to 15. The default is 1.


Command Modes

Global configuration mode

rip equal-cost

To set the maximum number of routes RIP can use, use the rip equal-cost command. Use the no form of this command to reset the number of routes to the default of 1.

rip equal-cost number

no rip equal-cost

Syntax Description

number

Maximum number of routes. Enter a number from 1 to 15. The default is 1.


Command Modes

Global configuration mode

rip redistribute

To advertise routes from other protocols through RIP, use the rip redistribute command. By default, RIP advertises RIP routes and local routes for interfaces running RIP. This command advertises other routes. Use the no form of this command to stop advertising routes.

rip redistribute [firewall|local|ospf|static] {metric}

no rip redistribute [firewall|local|ospf|static]

Syntax Description

firewall

Advertises firewall routes through RIP.

local

Advertises local routes.

ospf

Advertises OSPF routes.

static

Advertises static routes.

metric

(Optional) Metric to use when advertising the route. Enter a number from 1 to 15. The default is 1.


Command Modes

Global configuration mode

(config) rmon-alarm

To enter RMON alarm configuration mode, use the rmon-alarm command. An RMON alarm allows you to monitor every SNMP object in the CSS for a desired transitory state. Use the no form of this command to delete an RMON alarm.

rmon-alarm index

no rmon-alarm index

Syntax Description

index

RMON alarm index number. Enter an integer from 1 to 65535.

The RMON alarm index 65535 is administratively predefined and cannot be modified. If you enter this index number, a message similar to the following appears:

%% Index internally used. Administrative 
control not allowed.

Usage Guidelines

When you use the rmon-alarm command to access this mode, the prompt changes to (config-rmonalarm [index]). For information about commands available in this mode, see the "RMON Alarm Configuration Mode Commands" section.

(config) rmon-event

To enter RMON event configuration mode, use the rmon-event command. An RMON event is associated with an RMON alarm. It defines what should occur when an RMON alarm is triggered. Use the no form of this command to delete an RMON event.

rmon-event index

no rmon-event index

Syntax Description

index

RMON event index number. Enter an integer from 1 to 65535.

The RMON event index 65535 is administratively predefined and cannot be modified. If you enter this index number, a message similar to the following appears:

%% Index internally used. Administrative 
control not allowed.

Usage Guidelines

When you use the rmon-event command to access this mode, the prompt changes to (config-rmonevent [index]). For information about commands available in this mode, see the "RMON Event Configuration Mode Commands" section.

(config) rmon-history

To enter RMON history configuration mode, use the rmon-history command. Use the no form of this command to delete an RMON history.

rmon-history index

no rmon-history index

Syntax Description

index

RMON history index number. Enter an integer from 1 to 65535.

Some history index numbers are administratively predefined and cannot be modified. If you enter an index number under administrative control, a message similar to the following appears:

%% Index internally used. Administrative 
control not allowed.

Usage Guidelines

When you use the rmon-history command to access this mode, the prompt changes to (config-rmonhistory [index]). For information about commands available in this mode, see the "RMON History Configuration Mode Commands" section.

(config) service

To access service configuration mode and configure a service, use the service command. A service is an entity that contains and provides Internet content. It is identified by a name, an IP address, and optimally, a protocol and a port number. When you create a service, you can apply content rules to it. The rules allow the CSS to direct or deny requests for content from the service.

Use the no form of this command to delete an existing service.

service service_name

no service service_name

Syntax Description

service_name

The name of a new service you want to create or an existing service you want to modify. Enter an unquoted text string with no spaces and a maximum length of 31 characters. To see a list of existing service names, enter:

service ? 

Usage Guidelines

When you use the service command to access service mode, the prompt changes to (config-service [name]). For information about commands available in this mode, see the "Service Configuration Mode Commands" section.

Related Commands

(config-service) ip address
(config-service) port

(config) setspan

To configure switched port analyzer (SPAN) on a CSS, use the setspan command. This command instructs the CSS to monitor all incoming and/or outgoing traffic on a specified SSPAN port by copying the packets to a specified DSPAN port on the same module in the CSS. This command is disabled by default.

Use the no form of the command to reset the default SPAN state to disabled.

setspan src_port number dest_port number copyBoth|copyTxOnly|copyRxOnly

no setspan src_port number dest_port number copyBoth|copyTxOnly|copyRxOnly

Syntax Description

src_port number

Source port keyword and number of the SSPAN port (in slot/port format) that you want to monitor. The CSS copies all packets that are received or transmitted on this port to the DSPAN port.

dest_port number

Destination port keyword and number of the DSPAN port (in slot/port format) where you want to connect the network analyzer, protocol analyzer, or RMON probe. The CSS copies the packets that flow through the SSPAN port to the DSPAN port that you specify. The DSPAN port must reside on the same module as the SSPAN port.

copyBoth

CSS copies to the DSPAN port packets that the SSPAN port transmits to the network (egress traffic) and receives from the network (ingress traffic).

copyTxOnly

CSS copies to the DSPAN port only those packets that the SSPAN port transmits to the network.

copyRxOnly

CSS copies to the DSPAN port only those packets that the SSPAN port receives from the network.


Usage Guidelines

Once you configure a port as a DSPAN port, the CSS removes it from all VLANs and ignores ingress traffic on that port. In addition, the DSPAN port does not participate in Spanning Tree Protocol (STP) or routing protocols such as RIP and OSPF.


Note If the combined bandwidth of the ingress and egress traffic of the SSPAN port exceeds the bandwidth of the DSPAN port, the DSPAN port may become oversubscribed.


Related Commands

show setspan

(config) snmp

To configure Simple Network Management Protocol (SNMP) parameters, use the snmp command. The options for this global configuration mode command are:

snmp auth-traps - Enables reception of SNMP authentication traps

snmp community - Sets or modifies SNMP community names and access properties

snmp contact - Sets or modifies the SNMP system contact name

snmp location - Sets or modifies the SNMP system location

snmp name - Sets or modifies the SNMP name for this system

snmp reload-enable - allows SNMP-based reset of the CSS

snmp trap-host - Sets or modifies the SNMP host to receive traps from this system

snmp trap-source - Sets the source IP address in the traps generated by the CSS

snmp trap-type enterprise - Enables SNMP enterprise trap types

snmp trap-type generic - Enables SNMP generic trap types


Note The CSS supports SNMP version 2C (SNMPv2C), known as "community-based SNMP," and standard Management Information Base (MIB-II) objects, along with an extensive set of enterprise objects. You can use any compatible network management system to monitor and control a CSS.

The CSS generates traps in SNMP version 1 (SNMP v1) format.


For more information on these options and associated variables, see the following commands.

Related Commands

(config) restrict telnet
(config) rmon-alarm
(config) rmon-event
(config) rmon-history

snmp auth-traps

To enable reception of SNMP authentication traps, use the snmp auth-traps command. Use the no form of this command to disable reception of authentication traps.

snmp auth-traps

no snmp auth-traps

Usage Guidelines

The CSS generates these traps when an SNMP management station attempts to access your system with invalid community names. The CSS generates traps in SNMP v1 format.

Command Modes

Global configuration mode

Related Commands

snmp trap-type generic

snmp community

To set or modify SNMP community names and access properties, use the snmp community command. You may specify as many community names as you wish. Use the no form of this command to remove a community name and set it to Cisco Systems, Content Network Systems.

snmp community community_name [read-only|read-write]

no snmp community community_name

Syntax Description

community_name

SNMP community name for this system. Enter an unquoted text string with no space and a maximum length of 12 characters.

read-only

Allows read-only access for this community.

read-write

Allows read-write access for this community.


Command Modes

Global configuration mode

snmp contact

To set or modify the contact name for the SNMP system, use the snmp contact command. You can specify only one contact name. Use the no form of this command to remove the contact name.

snmp contact "contact_name"

no snmp contact

Syntax Description

"contact_name"

Name of the contact person for this system. You can also include information on how to contact the person; for example, a phone number or e-mail address. Enter a quoted text string with a maximum of 255 characters including spaces.


Command Modes

Global configuration mode

snmp location

To set or modify the SNMP system location, use the snmp location command. You can specify only one location. Use the no form of this command to remove the location and set it to Customer Premises.

snmp location "location"

no snmp location

Syntax Description

"location"

Physical location of this system. Enter a quoted text string with a maximum length of 255 characters.


Command Modes

Global configuration mode

snmp name

To set or modify the SNMP name for this system, use the snmp name command. You can specify only one name. Use the no form of this command to remove the SNMP name for this system and set it to Support.

snmp name "name"

no snmp name

Syntax Description

"name"

Unique name assigned to this system by the system administrator. The standard convention is the system's fully-qualified domain name (for example, user.domain.com). Enter a quoted text string with a maximum of 255 characters.


Command Modes

Global configuration mode

snmp reload-enable

To allow the rebooting of the CSS through SNMP, use the snmp reload-enable command. Use the no form of this command to disallow a CSS reboot through SNMP (default behavior).

snmp reload-enable {reload_value}

no snmp reload-enable

Syntax Description

reload_value

Object used to control apSnmpExtReloadSet, providing the SNMP-based reboot. When the object is set to 0, an SNMP reboot is not allowed. When the object is set between 1 to 232, a reboot may be caused with any write value to apSnmpExtReloadSet. For security purposes, this object always returns 0 when read.


Command Modes

Global configuration mode

Usage Guidelines

When you use the snmp reload-enable command, it allows any SNMP write to the reload object to force a CSS reboot. The reload object name is apSnmpExtReloadSet (1.3.6.1.4.1.2467.1.22.7). You can find this object in the enterprise MIB, snmpext.mib. When you include a reload value, an SNMP write equal to the reload_value forces a CSS reboot.

snmp trap-host

To set or modify the SNMP host to receive traps from this system, use the snmp trap-host command. Use the no form of this command to remove a specified trap host.

snmp trap-host ip_or_host community_name snmpv2

no snmp trap-host ip_or_host

Syntax Description

ip_or_host

IP address or host name of an SNMP host that has been configured to receive traps. Enter an IP address in dotted-decimal notation (for example, 192.168.11.1) or in mnemonic host-name format (for example, myhost.mydomain.com).

You can specify a maximum of five hosts.

community_name

Community name to use when sending traps to the specified SNMP host. Enter an unquoted text string with no spaces and a maximum length of 12 characters.

snmpv2

Specifies that traps be sent to the host in SNMP v2C format.


Usage Guidelines

The CSS generates traps in SNMP v1 format.

Command Modes

Global configuration mode

snmp trap-source

To set the source IP address in the traps generated by the CSS, use the snmp trap-source command. Use the no form of this command to return SNMP source traps to the default of the management port IP address.

snmp trap-source [egress-port|management|specified source_ip_address]

no snmp trap-source

Syntax Description

egress-port

Obtains the source IP address for the SNMP traps from the VLAN circuit IP address configured on the egress port used to send the trap. You do not need to enter an IP address because the address is determined dynamically by the CSS.

management

Places the management port IP address in the source IP field of the trap. This is the default setting.

specified source_ip address

Allows you to enter the IP address to be used in the source IP field of the traps. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).


Command Modes

Global configuration mode

snmp trap-type enterprise

To enable SNMP enterprise traps and configure trap types, use the snmp trap-type enterprise command. Use the no form of this command to disable all or a specific trap. Use the no snmp trap-type enterprise command to disable all traps.

snmp trap-type enterprise {dos_attack_type {trap-threshold threshold_value}|chmgr-module-transition|chmgr-ps-transition
|isc-lifetick-failure|login-failure|reload|redundancy-transition
|reporter-transition|service-transition}

no snmp trap-type enterprise {dos_attack_type
|chmgr-module-transition|chmgr-ps-transition|isc-lifetick-failure
|login-failure|reload|redundancy-transition
|reporter-transition|service-transition}

Syntax Description

enterprise

When you use this keyword alone, it enables enterprise traps. You must enable enterprise traps before you configure an enterprise trap option.

dos_attack_type

(Optional) Generates SNMP enterprise traps when a Denial of Service (DoS) attack event occurs. One trap is generated each second when the number of attacks during that second exceeds the threshold for the configured DoS attack type. The options are as follows:

dos-illegal-attack generates traps for illegal addresses, either source or destination. Illegal addresses are loopback source addresses, broadcast source addresses, loopback destination addresses, multicast source addresses, or source addresses that you own. The default trap threshold for this type of attack is 1 per second.

dos-land-attack generates traps for packets that have identical source and destination addresses. The default trap threshold for this type of attack is 1 per second.

dos-smurf-attack generates traps when the number of pings with a broadcast destination address exceeds the threshold value. The default trap threshold for this type of attack is 1 per second.

dos-syn-attack generates traps when the number of TCP connections that are initiated by a source, but not followed with an acknowledgment (ACK) frame to complete the three-way TCP handshake, exceeds the threshold value. The default trap threshold for this type of attack is 10 per second.

trap-threshold threshold_value

(Optional) Overrides a default trap threshold. For the threshold_value, enter a number from 1 to 65535.

chmgr-module-transition

(Optional) Generates SNMP enterprise traps if a module (for example, SCM, FEM, GEM) is inserted into or removed from a powered-on CSS 11503 or 11506 chassis.

chmgr-ps-transition

(Optional) Generates SNMP enterprise traps when the CSS 11503 or 11506 power supply changes state (powered off, on, or removed from the CSS chassis).

isc-lifetick-failure

(Optional) Generates SNMP enterprise traps when an ISC lifetick message failure occurs on a CSS.

login-failure

(Optional) Generates SNMP enterprise traps when a CSS login failure occurs. An alert-level log message is also generated.

reload

(Optional) Generates SNMP enterprise traps when a CSS reboot occurs. A trap is generated when a reboot is initiated directly through SNMP.

redundancy-transition

(Optional) Generates SNMP enterprise traps when the CSS redundancy transitions state.

reporter-transition

(Optional) Generates SNMP enterprise traps when the CSS reporter transitions state (for example, the reporter is activated or suspended, or the VRID peering virtual routers or critical phy interfaces change state).

service-transition

(Optional) Generates SNMP enterprise traps when a CSS service transitions state. A trap is generated when a service fails and when a failed service resumes proper operation.


Command Modes

Global configuration mode

Usage Guidelines

You must enable enterprise traps before you configure an enterprise trap option. You can enable the CSS to generate enterprise traps when DoS attack events occur, a login fails, or a CSS service transitions state.

The CSS generates traps in SNMP v1 format.

Related Commands

snmp auth-traps
snmp trap-host
show log traplog

snmp trap-type generic

To enable SNMP generic trap types, use the snmp trap-type generic command. The generic SNMP traps consist of cold start, warm start, link down, and link up. Use the no form of this command to disable a generic trap.

snmp trap-type generic

no snmp trap-type generic

Command Modes

Global configuration mode

Usage Guidelines

The CSS generates traps in SNMP v1 format.

Related Commands

snmp auth-traps
snmp trap-host
show log traplog

(config) sntp

To configure the SNTP server on the CSS, use the sntp command. You can configure one SNTP server. Use the no form of this command to remove the SNTP server or reset the poll interval.

sntp [server ip_address {version number}|poll-interval seconds]

no sntp [server|poll-interval]

Syntax Description

server ip_address

Defines the SNTP server. Enter the IP address for the server.

version number

Defines the version of the SNTP server. For the number value, enter a number from 1 to 4. The default version is 1.

poll-interval seconds

Defines the poll interval in seconds between SNTP request messages. For the seconds value, enter a number from 16 to 16284. The default is 64.


Command Modes

Global configuration mode

Usage Guidelines

Before you synchronize the CSS with an SNTP server, make sure you configure the proper time zone for the CSS (for example, to EST). Also make sure that the time difference between the CSS internal clock and the SNTP server clock is less than 24 hours. Otherwise, the CSS will not synchronize its clock with the SNTP server.

Related Commands

clock
show sntp global

(config) spanning-packets

To configure the number of packets spanned for the search of the HTTP Header termination string, use the spanning-packets command. Use the no form of this command to reset the number of packets spanned to the default value of 6.

spanning-packets number

no spanning-packets

Syntax Description

number

Number of packets spanned for the search of the HTTP Header termination string. Enter a number from 1 to 20.


Usage Guidelines

In some environments, URL, cookie strings, or HTTP header information can span over multiple packets. In these environments, the CSS can parse multiple packets for Layer 5 information before making load-balancing decisions. Through the global configuration mode spanning-packets command, the CSS can parse a maximum of 20 packets with a default of 6.

The CSS makes the load-balancing decision as soon as it finds a match and does not require parsing of all of the configured number of spanned packets. Because parsing multiple packets does impose a longer delay in connection, performance can be impacted by longer strings that span mulitple packets.

Command Modes

Global configuration mode

(config) sshd

To control the Secure Shell Host server, use the sshd command. The options for this global configuration mode command are:

sshd keepalive - Enables SSHD keepalive

sshd port - Sets the SSHD port

sshd server-keybits - Sets the number of bits in the server key


Note Disable Telnet access when you want to use the Secure Shell Host (SSH) server.


For more information on these options and associated variables, see the following commands.

Related Commands

(config) restrict telnet

sshd keepalive

To enable SSHD keepalive, use the sshd keepalive command. SSHD keepalive is enabled by default. Use the no form of this command to disable SSHD keepalive.

sshd keepalive

no sshd keepalive

Command Modes

Global configuration mode

sshd port

To set the port number that the server listens to connections from clients, use the sshd port command. Use the no form of this command to reset the port number to the default of 22.

sshd port number

no sshd port

Syntax Description

number

Port number. Enter a number from 22 to 65535. The default is 22.


Command Modes

Global configuration mode

sshd server-keybits

To set the number of bits in the server key, use the sshd server-keybits command. Use the no form of this command to reset the number of bits to the default of 768.

sshd server-keybits number

no sshd server-keybits

Syntax Description

number

Number of bits in the server key. Enter a number from 512 to 1024. The default is 768.


Command Modes

Global configuration mode

Usage Guidelines

The valid range for this command is 512 to 1024. However, to maintain backward compatibility with version 5.00, the CSS allows you to enter a value from 512 to 32768. If you enter a value greater than 1024, the CSS changes the value to the default of 768.

When you reboot the CSS, the following error message appears to remind you of the valid range:

NETMAN-3: sshd: Bad server key size <configured value; range 512 
to 1024; defaulting to 768

(config) ssl-l4-fallback

To disable or reenable the CSS insertion of the Layer 4 hash value, based on the source IP address and destination address pair, into the sticky table, use the ssl-l4-fallback command. By default, the CSS inserts the Layer 4 hash value into the sticky table.

ssl-l4-fallback disable|enable

Syntax Description

disable

Disables the CSS from inserting the Layer 4 hash value into the sticky table and continues to look for SSL version 3 session IDs

enable

Resets the CSS to its default behavior of inserting a Layer 4 hash value into the sticky table


Usage Guidelines

Insertion of the Layer 4 hash value into the sticky table occurs when more than three frames are transmitted in either direction (client-to-server, server-to-client) or if SSL version 2 is in use on the network. If either condition occurs, the CSS inserts the Layer 4 hash value into the sticky table, overriding the further use of the SSL version 3 session ID.

The ssl-l4-fallback command is only applicable when the (config-owner-content) advanced-balance ssl method is specified for a content rule, which forces the content rule to stick to a server based on SSL version 3 session ID.

The use of the ssl-l4-fallback command may be necessary in a lab environment when testing SSL with a small number of clients and servers, where some retransmissions might occur. In this case, you would not want to use the Layer 4 hash value because it will skew the test results.


Note Do not use the ssl-l4-fallback disable command if SSL version 2 is in use on the network.


Related Commands

(config-owner-content) advanced-balance

(config) ssl associate

To specify an SSL certificate, RSA key or DSA key pair, or Diffie-Hellman parameter association to an imported or generated file, use the ssl associate command. Use the no form of the command to remove an association.

ssl associate association_type association_name filename

no ssl associate association_type association_name

Syntax Description

association_type

SSL association type. Enter one of the following:

cert - A certificate

rsakey - An RSA key pair

dsakey - ADSA key pair

dhparam - A Diffie-Hellman key exchange parameter file

association_name

Name of the association. Enter a name with a maximum of 31 characters.

filename

Name of the file containing the certificate, key pair, or Diffie-Hellman parameters. Enter a filename with a maximum of 128 characters.


Usage Guidelines

After you import or generate certificate and key pair files, you must distinguish to the CSS whether these files contain certificates, private keys, or Diffie-Hellman parameters. You do this by associating certificate names, private/public key pair names, or Diffie-Hellman parameter names to the particular imported files.

When you associate the entries specified in the various certificate and private key commands to files, CSS stores the bindings in the running configuration. Before you log out or reboot the CSS, you must copy the contents of the running-config file to the startup-config file to save configuration changes and have the CSS use this configuration on subsequent reboots. When you reboot the CSS, the certificate and key associations are automatically loaded.

The no form of this command will not function if the association is in use by an active SSL proxy list.

Related Commands

copy ssl
show ssl
(ssl-proxy-list) ssl-server

(config) ssl crl-record

To configure the CSS to obtain a certificate revocation list (CRL) from a certificate authority (CA) and periodically download the CRL through HTTP, use the ssl crl-record command. Use the no form of the command to remove the CRL record.

ssl crl-record crl_name url sign_cert hours

no ssl crl-record crl_name

Syntax Description

crl_name

Name for the CRL record. Enter a string with a maximum of 31 characters and no spaces.

url

URL where the CRL is located. Enter a string with a maximum of 168 characters and no spaces (for example, http://www.example.com/crl/clientcrllist.crl).

sign_cert

Name of the CA certificate that signed the CRL. The CA certificate verifies that the CRL is authentic. You must import this certificate on the CSS before configuring the CRL.

hours

Number of hours to wait before retrieving an updated CRL. Enter a value from 0 to 2000. If you enter a value of 0, the CSS will not retrieve or update the CRL.


Usage Guidelines

You can assign only one CRL record to a virtual SSL server. However, you can configure a maximum of 10 CRL records.

Related Commands

show ssl crl-record
(ssl-proxy-list)
ssl-server number crl

(config) ssl gencert

To generate and save a temporary certificate to a file on a CSS disk, use the ssl gencert command. For purposes of SSL testing, you may want to generate a temporary certificate by generating a CSR and signing it with your own private key.

ssl gencert certkey certkey signkey signkey certfile "password"

Syntax Description

certkey certkey

Name of the RSA or DSA key pair that the certificate is based on. Enter an unquoted string with a maximum of 31 characters.

signkey signkey

RSA or DSA key pair to be used to sign the certificate. Enter an unquoted string with a maximum of 31 characters.

certfile

Name of the file used to store the certificate as a file on the CSS disk. Enter an unquoted string with a maximum of 31 characters.

"password"

Password used to DES encode the certificate file before it is stored as a file on the CSS disk. Encoding the file prevents unauthorized access to the imported certificate and private key on the disk. Enter the password as a quoted string. The password appears in the CSS running configuration as a DES-encoded string.


Usage Guidelines

Generate keys and certificates on the CSS for purposes of testing. This command produces a valid certificate or key pair (primarily useful for testing purposes). Be aware that most web browsers will flag the certificate as signed by an unrecognized signing authority.

The ssl gencert command can sign RSA or DSA certificates with either an RSA key pair or a DSA key pair. You generate the certificate based on:

The key pair that the certificate is based on (RSA or DSA)

The key used to sign the certificate

For detailed information on using this command, refer to the Cisco Content Services Switch SSL Configuration Guide.

Related Commands

show ssl

(config) ssl gencsr

To generate a Certificate Signing Request (CSR) file for an RSA key pair file and transfer the certificate request to the Certificate Authority (CA), use the ssl gencsr command. You must generate a CSR file if you are requesting a new certificate or renewing a certificate. When the CA signs the CSR, using its RSA private key, the CSR becomes the certificate.

ssl gencsr rsakey

Syntax Description

rsakey

Key that the RSA certificate is built on. It is the public key that is embedded in the certificate.

The RSA key pair must already be loaded on the CSS and you must associate an RSA key pair name to the generated RSA key pair. If the appropriate key pair does not exist, the CSS logs an error message


Usage Guidelines

The ssl gencsr command produces a valid certificate or key pair (primarily useful for testing purposes). Be aware that most web browsers will flag the certificate as signed by an unrecognized signing authority.

The ssl gencsr command generates a CSR in PKCS10 format.

For detailed information on using this command, refer to the Cisco Content Services Switch SSL Configuration Guide.

Related Commands

show ssl

(config) ssl gendh

To generate a Diffie-Hellman key agreement parameter file on the CSS, use the ssl gendh command. Diffie-Hellman is a shared key agreement algorithm. Diffie-Hellman key exchange uses a complex algorithm and public and private keys to encrypt and then decrypt packet data. The CSS disk stores the generated parameters as a file.

ssl gendh filename numbit "password"

Syntax Description

filename

Name of the key or key pair file. Enter a name with a maximum of 31 characters. The filename is used only for identification in the CSS.

numbits

Key strength. The number of bits in the file defines the size of the key or key pair used to secure web transactions. Longer keys produce a more secure implementation by increasing the strength of the DSA security policy. Available selections in bits are:

512 - Least security

768 - Normal security

1024 - High security

2048 - Highest security

"password"

Password used to DES encode the certificate file before it is stored as a file on the CSS disk. Encoding the file prevents unauthorized access to the imported certificate and private key on the disk. Enter the password as a quoted string. The password appears in the CSS running configuration as a DES-encoded string.


Usage Guidelines

Generation of a Diffie-Hellman key agreement parameter file can sometimes take a lengthy period of time (perhaps a maximum of 20 minutes) and is a CPU-intensive utility. If you use the ssl gendh command, ensure that the CSS is not actively passing traffic at the same time to avoid impacting CSS performance. For detailed information on using this command, refer to the Cisco Content Services Switch SSL Configuration Guide.

Related Commands

show ssl

(config) ssl gendsa

To generate a DSA private/public key pair for asymmetric encryption on the CSS, use the ssl gendsa command. DSA is the public key exchange cryptographic system developed by the National Institutes of Science and Technology. DSA can only be used for digital signatures (signings) but not for key exchange. The CSS disk stores the generated DSA key pair as a file.

ssl gendsa filename numbit "password"

Syntax Description

filename

Name of the key or key pair file. Enter a name with a maximum of 31 characters. The filename is used only for identification in the CSS.

numbits

Key strength. The number of bits in the file defines the size of the key or key pair used to secure web transactions. Longer keys produce a more secure implementation by increasing the strength of the DSA security policy. Available selections in bits are:

512 - Least security

768 - Normal security

1024 - High security

The 2048 selection, highest security, is not available for use with the ssl gendsa command.

"password"

Password used to DES encode the certificate file before it is stored as a file on the CSS disk. Encoding the file prevents unauthorized access to the imported certificate and private key on the disk. Enter the password as a quoted string. The password appears in the CSS running configuration as a DES-encoded string.


Usage Guidelines

The ssl gendsa command produces a valid certificate or key pair (primarily useful for testing purposes). Be aware that most web browsers will flag the certificate as signed by an unrecognized signing authority.

For detailed information on using this command, refer to the Cisco Content Services Switch SSL Configuration Guide.

Related Commands

show ssl

(config) ssl genrsa

To generate an RSA private/public key pair for asymmetric encryption on the CSS, use the ssl genrsa command. RSA key pairs are used to sign and encrypt packet data, and are a requirement before another device (client or web server) can exchange an SSL certificate with the CSS. The key pair refers to a public key and its corresponding private (secret) key. The CSS stores the generated RSA key pair as a file.

ssl genrsa filename numbit "password"

Syntax Description

filename

Name of the key or key pair file. Enter a name with a maximum of 31 characters. The filename is used only for identification in the CSS.

numbits

Key strength. The number of bits in the file defines the size of the key or key pair used to secure web transactions. Longer keys produce a more secure implementation by increasing the strength of the DSA security policy. Available selections in bits are:

512 - Least security

768 - Normal security

1024 - High security

2048 - Highest security

"password"

The password used to DES encode the certificate file before it is stored as a file on the CSS disk. Encoding the file prevents unauthorized access to the imported certificate and private key on the disk. Enter the password as a quoted string. The password appears in the CSS running configuration as a DES-encoded string.


Usage Guidelines

The ssl genrsa command produces a valid certificate or key pair (primarily useful for testing purposes). Be aware that most Web browsers will flag the certificate as signed by an unrecognized signing authority.

For detailed information on using this command, refer to the Cisco Content Services Switch SSL Configuration Guide.

Related Commands

show ssl

(config) ssl verify

To verify a certificate against a key pair, use the ssl verify command. A digital certificate is built around a public key, and it can only be used with one key pair. This command compares the public key in the associated certificate with the public key stored with the associated private key, and verify that they are both the same.

ssl verify certname keyname

Syntax Description

certname

Association name of the certificate used to verify against the specified key pair

keyname

Association name of the key pair used to verify against the specified certificate


Usage Guidelines

If the certificate does not match the public and private key pair, the CSS logs an error message.

(config) ssl-proxy-list

To access SSL proxy list configuration mode and configure an SSL proxy configuration list, use the ssl-proxy-list command. An SSL proxy configuration list is a group of related virtual SSL servers that are associated with an SSL service. The SSL modules in the CSS use these servers to properly process and terminate SSL communications between the client and the web server.

In global configuration mode, use the no form of this command to delete an existing list.

ssl-proxy-list name

(config) no ssl-proxy-list name

Syntax Description

name

Name of a new SSL proxy list you want to create or an existing list you want to modify. Enter an unquoted text string with no spaces and a maximum length of 31 characters. To see a list of existing names, enter:

#(config) ssl-proxy-list ? 

Usage Guidelines

You can access the ssl-proxy-list configuration mode from any configuration mode except for the ACL, boot, group, RMON, or owner configuration modes. When you use the ssl-proxy-list command to access this mode, the prompt changes to (ssl-proxy-list [name]). For information about commands available in this mode, see the "SSL-Proxy-List Configuration Mode Commands" section.


Note You cannot delete an SSL proxy list if an SSL service is in use and contains the active SSL proxy list. You must first suspend the SSL service to delete a specific list.


(config) tacacs-server

To configure the CSS as a client of a TACACS+ server, authenticates users, and authorizes and accounts for configuration and nonconfiguration commands, use the tacac-server command. The options for this command are:

tacacs-server ip_address port - Defines a TACACS+ server

tacacs-server account - Enables the the TACACS+ server to receive accounting reports for CSS commands

tacacs-server authorize - Enables the the TACACS+ server to authorize CSS commands

tacacs-server frequency - Sets the global CSS TACACS+ keepalive frequency

tacacs-server key - Defines a global encryption key

tacacs-server send-full-command - Enables the CSS to expand user-executed abbreviated commands to their full command syntax before sending them to the TACACS+ server

tacacs-server timeout - Sets the global CSS TACACS+ timeout period

For information about these commands and any associated arguments, see the tacac-server commands in this section.

tacacs-server ip_address port

To define a TACACS+ server, use the tacacs-server ip_address port command. You must provide the IP address and port number for the server. You can define the keepalive frequency, timeout period, and encryption key, and designate the server as the primary server. Use the no form of this command to remove the server.

tacacs-server ip_address port {timeout ["cleartext_key"|des_key]} {primary} {frequency number}

no tacacs-server ip_address port

Syntax Description

ip_address

IP address of the TACACS+ server. Enter the IP address in dotted-decimal format.

port

TCP port of TACACS+ server. The default port is 49. You can enter a port number from 1 to 65535.

timeout

(Optional) Amount of time to wait for a response from the server. Enter a number from 1 to 255. The default is 5 seconds. Defining this option overrides the tacacs-server timeout command.

"cleartext_key"|des_key

Shared secret between the CSS and the server. You must define an encryption key to encrypt TACACS+ packet transactions between the CSS and the TACACS+ server. If you do not define an encryption key, packets are not encrypted.

The shared secret value is identical to the one on the TACACS+ server. The shared secret key can be either clear text entered in quotes or the DES encrypted secret entered without quotes. The clear text key is DES encrypted before it is placed in the running configuration. Either key type can have a maximum of 100 characters.

Defining this option overrides the tacacs-server key command.

primary

(Optional) Assigns the TACACS+ server precedence over the other configured servers. You can specify only one primary server.

frequency number

(Optional) Allows you to set the keepalive frequency for the specified TACACS+ server. The default number variable is 5 seconds. The range for the variable is 0 to 255. A setting of 0 disables keepalives. Defining this option overrides the tacacs-server frequency command.


Command Modes

Global configuration mode

Usage Guidelines

To change the keepalive frequency, timeout period, or encryption key for a specific TACACS+ server, you must delete the server and then redefine it with the updated parameter.

To apply a global keepalive frequency, timeout period, or encryption key change to a TACACS+ server, you must delete the server and then reconfigure the server.

After configuring the TACACS+ server, enable TACACS+ authentication for console and virtual logins (if the user and password pair is not in the local user database) through the (config) console authentication and (config) virtual authentication commands.


Note The TACACS+ server must be configured before defining the server on the CSS.


Related Commands

show tacacs-server
(config) console authentication
(config) virtual authentication

tacacs-server account

To enable the TACACS+ server to receive accounting reports for all commands that change or do not change the CSS running configuration, use the tacacs-server account command. Use the no form of this command to disable accounting.

tacacs-server account config|non-config

no tacacs-server account config|non-config

Syntax Description

config

Enables the TACACS+ server to receive accounting reports for all commands that change the running configuration

non-config

Enables the TACACS+ server to receive accounting reports for all commands that do not change the running configuration


Usage Guidelines

TACACS+ accounting allows the TACACS+ server to receive an accounting report for commands that the user can execute. CSS accounting divides the command set into two categories:

Configuration commands that change the CSS running configuration.

Nonconfiguration commands that do not change the running configuration. These commands include, but are not limited to, mode transition commands, show commands, and administrative commands.

By default, the CSS disables accounting. When you enable accounting, you can account for configuration commands, nonconfiguration commands, or both.


Note Failure of the TACACS+ server does not result in the suspension of user activity.


Related Commands

show tacacs-server

tacacs-server authorize

To enable the TACACS+ server to authorize commands that change or do not change the CSS running configuration, use the tacacs-server authorize command. Use the no form of this command to disable authorization.

tacacs-server authorize config|non-config

no tacacs-server authorize config|non-config

Syntax Description

config

Enables authorization of all commands that change the running configuration

non-config

Enables authorization of all commands that do not change the running configuration


Usage Guidelines

TACACS+ authorization allows the TACACS+ server to control specific CSS commands that the user can execute. CSS authorization divides the command set into two categories:

Configuration commands that change the CSS running configuration.

Nonconfiguration commands that do not change the running configuration. These commands include, but are not limited to, mode transition, show, and administrative commands.

By default, authorization is disabled. When authorization is enabled, the TACACS+ server is responsible for granting permission or denying all attempts to execute commands. When you enable authorization, the exchange between the TACACS+ server and the CSS causes a delay in executing the command.


Note Failure of the TACACS+ server results in the failure of all authorization requests and the suspension of user activity unless another server is reachable. To enable users to execute commands in this case, configure a failover authentication method to a local user database. Users will need to log back into the CSS.


Related Commands

show tacacs-server

tacacs-server frequency

To define the global keepalive frequency for use with all configured TACACS+ servers, use the tacacs-server frequency command. Use the no form of the command to reset the keepalive frequency to its default of 5 seconds.

tacacs-server frequency seconds

no tacacs-server frequency

Syntax Description

seconds

Keepalive frequency in seconds. Enter an integer from 0 to 255. The default is 5 seconds. A setting of 0 disables keepalives.


Usage Guidelines

To determine the availability of the TACACS+ servers, the CSS sends periodic TCP keepalive probes to them. If the server does not respond to the probes within the configured timeout period, the CSS considers the server unavailable.

A keepalive frequency defined when specifying a TACACS+ server overrides the global keepalive frequency.

To apply a modified global keepalive frequency to a configured CSS TACACS+ server, remove the server and reconfigure it.

Related Commands

show tacacs-server

tacacs-server key

To specify a global shared secret between the CSS and the server, use the tacacs-server key command. Use the no form of this command to remove the global key.

tacacs-server key ["cleartext_key"|des_key]

no tacacs-server key

Syntax Description

"cleartext_key"|des_key

Shared secret between the CSS and the server. You must define an encryption key to encrypt TACACS+ packet transactions between the CSS and the TACACS+ server. If you do not define an encryption key, packets are not encrypted.

The shared secret value is identical to the one on the TACACS+ server. The shared secret key can be either clear text entered in quotes or the DES encrypted secret entered without quotes. The clear text key is DES encrypted before it is placed in the running configuration. Either key type can have a maximum of 100 characters.


Command Modes

Global configuration mode

Usage Guidelines

The CSS allows you to define a global encryption key for communications with all configured TACACS+ servers. To encrypt TACACS+ packet transactions between the CSS and the TACACS+ server, you must define an encryption key. If you do not define an encryption key, packets are not encrypted. The key is a shared secret value that is identical to the one on the TACACS+ server. A shared secret defined when specifying a TACACS+ server overrides the global secret. See the tacacs-server ip_address port command.

Related Commands

show tacacs-server

tacacs-server send-full-command

To reset the CSS default behavior of expanding user-executed abbreviated commands to their full command syntax before the CSS sends them to the TACACS+ server, use the tacacs-server send-full-command command. Use the no form of the command to send user-executed commands exactly as entered to the TACACS+ server without expanding abbreviated commands.

tacacs-server send-full-command

no tacacs-server send-full-command

tacacs-server timeout

To define the global timeout period for use with all configured TACACS+ servers, use the tacacs-server timeout command. Use the no form of the command to reset the timeout period to its default of 5 seconds.

tacacs-server timeout seconds

no tacacs-server timeout

Syntax Description

seconds

Amount of time to wait for a response from the server. Enter a number from 1 to 255. The default is 5 seconds.


Usage Guidelines

To determine the availability of the TACACS+ servers, the CSS sends periodic keepalive probes to them. If the server does not respond to the probe within the timeout period, the CSS considers the server unavailable.

If the CSS attempts to contact the server and does not receive a response within the defined timeout value, it will use another server. The next configured server is contacted and the process repeated. If a second (or third) TACACS+ server has been identified, that server is selected as the active server.

If the CSS cannot reach all three TACACS+ servers, users will not be authenticated and cannot log into the CSS unless TACACS+ is used in combination with a RADIUS or local server, as defined through the (config) console authentication command or the (config) virtual authentication command.


Note The timeout period defined when specifying a TACACS+ server overrides the global timeout period. See the tacacs-server ip_address port command.


Related Commands

show tacacs-server

(config) tcp-ip-fragment-enabled

To allow a CSS to flow-process TCP IP fragments, use the tcp-ip-fragments-enabled command. When a CSS flow-processes IP fragments, it has the potential to match the fragmented packets to content rules and source groups for intelligent routing and load balancing. This command is disabled by default. Use the no form of this command to reset the default behavior of the CSS to forwarding TCP IP fragments.

tcp-ip-fragment-enabled

no tcp-ip-fragment-enabled

Command Modes

Global configuration mode

Usage Guidelines

This feature performs content rule-based forwarding using the Layer 3 (IP address) and Layer 4 (TCP port) information in the IP header and the TCP header. Layer 5 forwarding decisions for IP fragments, based on the packet payload (data), are not supported. For more information, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.

Related Commands

show ip-fragment-stats
zero ip-fragment-stats
(config) ip-fragment max-assembled-size
(config) udp-ip-fragment-enabled

(config) udp-ip-fragment-enabled

To allow a CSS to flow-process UDP IP fragments, use the ip-udp-fragment-enabled command. When a CSS flow-processes IP fragments, it has the potential to match the fragmented packets to content rules and source groups for intelligent routing and load balancing. This command is disabled by default. Use the no form of this command to reset the default behavior of the CSS to forwarding UDP IP fragments.

udp-ip-fragment-enabled

no udp-ip-fragment-enabled

Command Modes

Global configuration mode

Usage Guidelines

This feature performs content rule-based forwarding using the Layer 3 (IP address) and Layer 4 (UDP port) information in the IP header and the UDP header. Layer 5 forwarding decisions for IP fragments, based on the packet payload (data), are not supported. For more information refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.

Related Commands

show ip-fragment-stats
zero ip-fragment-stats
(config) ip-fragment max-assembled-size
(config) tcp-ip-fragment-enabled

(config) urql

To access Uniform Resource Locator qualifier list (URQL) configuration mode and configure a URQL, use the urql command. Use the no form of this command to an existing URQL.

urql urql_name

no urql existing_urql_name

Syntax Description

urql_name

Name of a new URQL you want to create or of an existing list. Enter an unquoted text string with no spaces and a maximum length of 31 characters. To see a list of existing URQL names, enter:

urql ?

Usage Guidelines

A URQL is a collection of URLs for content requests that you can associate to one or more content rules. The CSS uses this list to identify which requests to send to a service.

You cannot configure a URQL with subscribers services.

You can access this mode from any configuration mode except ACL, boot, group, keepalive, and owner configuration modes. The prompt changes to (config-urql [name]). You can also use this command from URQL mode to access another URQL. For information about commands available in this mode, see the "URQL Configuration Mode Commands" section.

(config) username

To configure a local username and its password for logging into the CSS, and allow it to access SuperUser mode, use the username command. Use the no form of this command to delete an existing username.

username name [password password {superuser}{dir-access access}
|
des-password password {superuser}{dir-access access}]

no username name

Syntax Description

name

Username you want to assign or change. Enter an unquoted text string with no spaces and a maximum of 16 characters. To see a list of existing usernames, enter:

username ?

password

Password. Enter an unquoted text string with no spaces and a length of 6 to 16 characters. A DES password can have a length of 6 to 64 characters.

When you enter a password with the des-password keyword, the CSS encrypts the password. Use the show running-config command to view the encrypted password in the running configuration. You must use the encrypted form of the password to log in to the CSS.

superuser

(Optional) Allows this user to access SuperUser mode. If you do not enter this option, the user can only access User mode.

password

Specifies that the password is not encrypted. Use this keyword when you dynamically use the CLI to create new users.

des-password

Specifies that the password is Data Encryption Standard (DES) encrypted. Use this keyword only when you are creating a file for use as a script or a startup configuration file.

dir-access

(Optional) Defines the CSS directory access levels. By default, the CSS assigns users with read and write access to the directories.

Changing the access level also affects the use of the CLI commands associated with the directories.

access

(Optional) The access levels for the CSS script, log, root, archive, release root, core, and MIB directories, in this order. Sequentially enter one of the following levels for each of the directories:

N - No access to the directory

B - Read and write access

W - Write access

R - Read access

For example, to allow no access for the root and release root directories but read and write access for all other directories, enter BBNBNBB.

Note that the release root directory contains the configuration files. The root directory contains the installed CSS software.


Usage Guidelines

If the (config) restrict user-database command is entered, only a user with administrative or technician privileges can use the username command.

The CSS can support a maximum of 32 usernames including the administrator and technician usernames. It ships with a default username of admin and password of system.

You cannot permanently delete an administrative username and password. If you delete this username by using the no username command, it removes it from use until you reboot the CSS. When you reboot the CSS, it restores the username and password from NVRAM.

Related Commands

show running-config
show user-database
(config) restrict

(config) username-offdm

To change the administrative username and password without having to use the Offline DM menu, use the username-offdm command. The CSS ships with a default administrative username of admin and password of system.

username-offdm name password password

Syntax Description

name

Username you want to assign as the administrative username. Enter an unquoted text string with no spaces and a maximum of 16 characters. The CSS does not allow you to set the administrative username to the same name as the technician username.

password

Password. Enter an unquoted text string with no spaces and a length of 6 to 16 characters.


Usage Guidelines

Unlike other usernames and passwords, the CSS saves the administrative username and password in nonvolatile RAM (NVRAM). When you reboot the CSS, it reads the username and password from NVRAM and reinserts them into the user database.


Note You cannot permanently delete an administrative username and password. If you delete the username by using the no username command, it removes it from use until you reboot the CSS. When you reboot the CSS, it restores the username and password from NVRAM.


(config) username-technician


Caution This command is for use by technical personnel only. The technician user is created primarily for CSS troubleshooting and should not be used to perform normal CSS administrative purposes.

A technician user has access to all directories in the WebNS directory structure in the CSS. This user can remove or copy valuable system files (including encrypted certificates or keys in an CSS 11503 or 11506 containing an SSL module). The removing of system files could make the CSS unusable.

To set the technician username and password without having to use the Technician Offline DM menu, use the username-technician command.

username-technician name password password

Syntax Description

name

Username you want to assign as the technician username. Enter an unquoted text string with no spaces and a maximum of 16 characters. The CSS does not allow you to set the technician username to the same name as the administrative username.

password

Password. Enter an unquoted text string with no spaces and a length of 6 to 16 characters.


(config) virtual authentication

To configure the primary, secondary, or tertiary virtual authentication on the CSS, use the virtual authentication command. Use this command to require users to enter a username and password to remotely log in to the CSS.

virtual authentication [primary|secondary|tertiary [local|radius|tacacs|disallowed]]

Syntax Description

primary

Defines the first authentication method that the CSS uses. The default primary virtual authentication method is the local user database.

secondary

Defines the second authentication method that the CSS uses if the first method fails. The default secondary virtual authentication method disallows all user access.

If you are configuring a TACACS+ server as the primary authentication method, define a secondary authentication method, such as local.

tertiary

Defines the third authentication method that the CSS uses if the second method fails. The default tertiary virtual authentication method disallows all user access.

local

The CSS uses the local user database for authentication.

radius

The CSS uses the configured RADIUS server for authentication.

tacacs

The CSS uses the configured TACACS+ server for authentication.

disallowed

The CSS does not allow access by all remote users. Entering this option does not terminate existing connections.

To remove users currently logged into the CSS, use the disconnect command.


Usage Guidelines

Virtual authentication allows remote users to log into the CSS through FTP or Telnet with or without requiring a username and password. The CSS can also deny access to all remote users.

You can configure the CSS to authenticate users by using the local database, RADIUS server, or TACACS+ server. By default, the CSS uses the local database as the primary method to authenticate users and disallows user access for the secondary and tertiary method.

Before you can use RADIUS or TACACS+ as the virtual authentication method, you must enable communication with the RADIUS or TACACS+ security server. Use either the (config) radius-server command or the (config) tacacs-server command.

Related Commands

show user-database
(config) console authentication
(config) radius-server
(config) restrict
(config) tacacs-server

(config) vrrp-backup-timer

To specify the time interval in seconds that the backup CSS waits to assume mastership when the master CSS goes down, use the vrrp-backup-timer command. Use the no form of this command to reset the timer to the default value of 3 seconds.

vrrp-backup-timer wait_time

no vrrp-backup-timer

Syntax Description

wait_time

Interval in seconds. Enter an integer from 3 to 120 seconds. The default is 3 seconds.


Usage Guidelines

Timer values greater than the 3-second default cause longer failover times. Use the vrrp-backup-timer command only in environments where the CPU utilization on the CSS is close to 100 percent.

After you set the timer value, you need to reenter the (config-circuit-ip) redundancy-protocol command on the redundant circuit between the CSSs for the new timer value to take effect.


Note If you intend to use the commit_redundancy script to synchronize your redundant configuration, be sure to specify the -a argument in the script play command to ensure that the script copies the timer configuration setting from the master CSS to the backup CSS.


Related Commands

script play
(config-circuit-ip) redundancy-protocol

(config) web-mgmt state

To allow or deny client access to the XML HTTP server running on the CSS, use the web-mgmt state command.

web-mgmt state [disable|enable]

Syntax Description

disable

Denies client access to the HTTP server on the CSS. Performs the same function as the restrict xml command.

enable

Allows client access to the HTTP server on the CSS. Performs the same function as the no restrict xml command.


Usage Guidelines

The web-mgmt state command performs the same function as the (config) restrict xml command and its no form of the command. Note that when you use this command, it does not appear in the configuration file. Instead, the (config) restrict or its no form of the command appears in the configuration file.

When XML is enabled, the CSS listens for XML connections on port 80.

Related Commands

(config) restrict

(config) zero flow-state-counters

To reset all the hit counters in the flow state table to zero, use the zero flow-state-counters command. The flow state table contains hit counters that total the number of hits for each port entry in the table.

zero flow-state-counters

Related Commands

(config) flow-state
show flow-state-table