Cisco Wide Area Application Services Command Reference (Software Versions 4.0.1 and 4.0.3)
Configuration Mode Commands
Downloads: This chapterpdf (PDF - 1.42MB) The complete bookPDF (PDF - 9.58MB) | Feedback

Configuration Mode Commands

Table Of Contents

Configuration Mode Commands

(config) aaa accounting

(config) alarm overload-detect

(config) asset

(config) authentication

(config) auto-register

(config) autosense

(config) bypass

(config) cdp

(config) central-manager

(config) clock

(config) cms

(config) device mode

(config) disk

(config) end

(config) exec-timeout

(config) exit

(config) help

(config) hostname

(config) inetd

(config) interface

(config) ip

(config) ip access-list

(config) kerberos

(config) kernel

(config) line

(config) logging

(config) no

(config) ntp

(config) policy-engine application classifier

(config) policy-engine application map adaptor EPM

(config) policy-engine application map adaptor WAFS accept

(config) policy-engine application map adaptor WAFS transport

(config) policy-engine application map basic delete

(config) policy-engine application map basic disable

(config) policy-engine application map basic insert

(config) policy-engine application map basic list

(config) policy-engine application map basic move

(config) policy-engine application map basic name

(config) policy-engine application map other optimize DRE

(config) policy-engine application map other optimize full

(config) policy-engine application map other pass-through

(config) policy-engine application name

(config) policy-engine config

(config) port-channel

(config) primary-interface

(config) print-services

(config) radius-server

(config) smb-conf

(config) snmp-server access-list

(config) snmp-server community

(config) snmp-server contact

(config) snmp-server enable traps

(config) snmp-server group

(config) snmp-server host

(config) snmp-server location

(config) snmp-server mib

(config) snmp-server notify inform

(config) snmp-server user

(config) snmp-server view

(config) sshd

(config) ssh-key-generate

(config) tacacs

(config) tcp

(config) telnet enable

(config) tfo optimize

(config) tfo tcp keepalive

(config) tfo tcp optimized-mss

(config) tfo tcp optimized-receive-buffer

(config) tfo tcp optimized-send-buffer

(config) tfo tcp original-mss

(config) tfo tcp original-receive-buffer

(config) tfo tcp original-send-buffer

(config) transaction-logs

(config) username

(config) wccp access-list

(config) wccp cifs-cache

(config) wccp flow-redirect

(config) wccp router-list

(config) wccp shutdown

(config) wccp slow-start

(config) wccp tcp-promiscuous

(config) wccp version

(config) windows-domain


Configuration Mode Commands


Use global configuration mode for setting, viewing, and testing configuration of WAAS software features for the entire device. To enter this mode, enter the configure command from privileged EXEC mode. The prompt for global configuration mode consists of the hostname of the WAE followed by (config) and the pound sign (#). You must be in global configuration mode to enter global configuration commands.

WAE# configure
WAE(config)#

Commands entered in global configuration mode update the running configuration file as soon as they are entered. These changes are not saved into the startup configuration file until you enter the copy running-config startup-config EXEC mode command. Once the configuration is saved, it is maintained across WAE reboots.

You also can use global configuration mode to enter specific configuration modes. From global configuration mode you can enter the interface configuration mode, standard ACL configuration mode, or the extended ACL configuration mode.

To exit global configuration mode and return to privileged-level EXEC mode, use either the exit or end global configuration command:

WAE(config)# exit
WAE#

(config) aaa accounting

To configure AAA accounting on a WAAS device, use the aaa accounting command in global configuration mode.

aaa accounting {commands {0 | 15} default {start-stop | stop-only | wait-start} tacacs | exec default {start-stop | stop-only | wait-start} tacacs | system default {start-stop | stop-only} tacacs}

Syntax Description

commands

Configures accounting for all commands at the specified privilege level.

0

User privilege level for a normal user.

15

User privilege level for an administrative user.

default

Sets AAA accounting to use the default accounting list.

start-stop

Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether the start accounting notice was received by the accounting server.

stop-only

Sends a stop accounting notice at the end of the process requested by the user.

wait-start

Sends both a start and a stop accounting notice to the accounting server. However, the requested user service does not begin until the start accounting notice is acknowledged. The user cannot execute a CLI command or login until the user is on record.

A stop accounting notice is also sent but does not need acknowledgement.

tacacs

Enables use of TACACS+ for accounting.

exec

Enables accounting for user EXEC processes (user shells). When enabled, the EXEC shell accounting reports EXEC terminal session (user shell) events and login and logout by an administrator to the EXEC shell.

system

Enables accounting for all system-level events not associated with users, such as reloads.


Defaults

AAA accounting is disabled by default.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

The AAA accounting feature enables you to track the activities of an administrative user, services that users access, and the amount of network resources they consume (for example, connection time or the bytes transferred). You can use the AAA accounting feature to track user activity for billing, auditing, reporting, or security purposes. WAAS uses TACACS+ to implement AAA accounting; RADIUS is not currently supported. When AAA accounting is enabled, the WAAS device reports user activity to the TACACS+ security server in the form of accounting records. This data can then be analyzed for network management, client billing, and auditing.

You can activate accounting for the following types of events:

EXEC—EXEC shell accounting is used to report the events of an administrator logging in and out of the EXEC shell through Telnet, FTP, or SSH (SSH Version 1 or Version 2). This type of accounting records information about user EXEC terminal sessions (user shells) on the WAAS device, including username, date, start and stop times for each session, time zone, and IP address of the system used to access the WAAS device. The EXEC shell accounting information can be accessed through the accounting log file on the TACACS+ server. This log file uses the following report format for this type of accounting information:

WeekDay#Month#Day#Time#Year#CEaddress#username#terminal#RemoteHost#Event#
EventTime#TaskId#Timezone#Service

Command—The WAAS device records information about the CLI commands that were executed on the WAAS device. Each command accounting record includes the executed command syntax, username of the user who executed the command, the privilege level of the user, and the date and time that each command was executed. The WAAS device supports two privilege levels, 0 and 15, representing normal users and administrative users, respectively. The command accounting information can be accessed through the accounting log file on the TACACS+ server. This log file uses the following report format for this type of accounting information:

WeekDay#Month#Day#Time#Year#CEaddress#username#terminal#RemoteHost#Event#
EventTime#TaskId#Timezone#Service#PrivilegeLevel#CLICommand

System—The WAAS device records information about all system-level events (for example, when the system reboots). You can access the system accounting information through the accounting log file on the TACACS+ server. This log file uses the following report format for this type of accounting information:

WeekDay#Month#Day#Time#Year#CEaddress#username#terminal#RemoteHost#Event#
EventTime#TaskId#Timezone#SystemService#SystemAccountingEvent#EventReason

WAAS software supports only the default accounting list.


Caution Before using the wait-start option, make sure that the WAAS device is configured with the TACACS+ server and is able to successfully contact the server. If the WAAS device cannot contact a configured TACACS+ server, it might become unresponsive.

The WAAS software displays the following warning message if the wait-start option is configured:

Warning: The device may become non-responsive if it cannot contact a configured TACACS+ server.

The administrator is asked to confirm the configuration in an indefinite loop until the administrator enters "yes" to the following prompt:

Are you sure you want to proceed? [yes]

Examples

The following example configures TACACS+ on the WAAS device and also specifies that a start accounting notice should be sent at the beginning of the process and a stop accounting notice at the end of the process, and the requested user process should begin regardless of whether the start accounting notice was received by the accounting server:

WAE(config)# tacacs key abc
WAE(config)# tacacs server 192.168.50.1 primary
WAE(config)# aaa accounting system default start-stop tacacs
WAE# show aaa accounting 
Accounting Type   Record event(s)  Protocol
----------------------------------------------------------------
Exec shell         unknown            unknown
Command level  0   unknown            unknown
Command level 15   unknown            unknown
System             start-stop         TACACS+

In the following example, the WAAS device is set to record all user EXEC sessions. The command also specifies that a stop accounting notice should be sent to the TACACS+ server at the end of the session.

WAE(config)# aaa accounting exec default stop-only tacacs

In the following example, the WAAS device is set to record all CLI commands executed by a normal user. The command also specifies that a stop accounting notice should be sent to the TACACS+ server at the end of each CLI command executed by a normal user.

WAE(config)# aaa accounting commands 0 default stop-only tacacs

In the following example, the WAAS device is set to record all CLI commands executed by an administrative user. The command also specifies that a start accounting notice should be sent to the TACACS+ server at the beginning of the process and a stop accounting notice at the end of the process. The CLI command executed by the administrative user does not proceed until the start accounting notice has been acknowledged.

WAE(config)# aaa accounting commands 15 default wait-start tacacs

The following are some examples of the EXEC shell accounting report that is available on the TACACS+ server:

Wed Apr 14 11:19:19 2004 172.16.0.0 super10 pts/0 172.31.0.0 start
start_time=1081919558 task_id=3028 timezone=PST service=shell
Wed Apr 14 11:19:23 2004 172.16.0.0 super10 pts/0 172.31.0.0
stop stop_time=1081919562 task_id=3028 timezone=PST service=shell
Wed Apr 14 11:22:13 2004 172.16.0.0 normal20 pts/0 via5.abc.com start
start_time=1081919732 task_id=3048 timezone=PST service=shell
Wed Apr 14 11:22:16 2004 172.16.0.0 normal20 pts/0 via5.abc.com stop
stop_time=1081919735 task_id=3048 timezone=PST service=shell
Wed Apr 14 11:25:29 2004 172.16.0.0 admin ftp via5.abc.com start start_time=1081919928
task_id=3069 timezone=PST service=shell
Wed Apr 14 11:25:33 2004 172.16.0.0 admin ftp via5.abc.com stop stop_time=1081919931
task_id=3069 timezone=PST service=shell

The following are some examples of the system accounting report that is available on the TACACS+ server:

Wed Apr 14 08:37:14 2004 172.16.0.0 unknown unknown 0.0.0.0 start start_time=1081909831
task_id=2725 timezone=PST service=system event=sys_acct reason=reload
Wed Apr 14 10:19:18 2004 172.16.0.0 admin ttyS0 0.0.0.0 stop stop_time=1081915955
task_id=5358 timezone=PST service=system event=sys_acct reason=shutdown

The following are some examples of the command accounting report that is available on the TACACS+ server:

Wed Apr 14 12:35:38 2004 172.16.0.0 admin ttyS0 0.0.0.0 start start_time=1081924137
task_id=3511 timezone=PST service=shell -lvl=0 cmd=logging console enable 
Wed Apr 14 12:35:39 2004 172.16.0.0 admin ttyS0 0.0.0.0 stop stop_time=1081924137
task_id=3511   timezone=PST service=shell priv-lvl=0 cmd=logging console enable

In addition to command accounting, the WAAS device records any executed CLI command in the system log (syslog.txt). The message format is as follows:

       ce_syslog(LOG_INFO, CESM_PARSER, PARSER_ALL, CESM_350232,
               "CLI_LOG %s: %s \n", __FUNCTION__, pd->command_line);

Related Commands

debug

show aaa accounting

(config) alarm overload-detect

To detect alarm overload situations, use the alarm overload-detect global configuration command.

alarm overload-detect {clear 1-999 [raise 10-1000] | enable | raise 10-1000 [clear 1-999]}

Syntax Description

clear

Specifies the threshold at which the alarm overload state on the WAAS device is cleared. When the alarm drops below this threshold, the alarm is cleared and the SNMP traps and alarm notifications are again sent to your NMS.

Note The alarm overload-detect clear value must be less than the alarm overload-detect raise value.

1-999

Number of alarms per second that ends an alarm overload condition.

raise

Specifies the threshold at which the WAAS device enters an alarm overload state and SNMP traps and alarm notifications to your network management station (NMS) are suspended.

enable

Enables the detection of alarm overload situations.

10-1000

Number of alarms per second that triggers an alarm overload.


Defaults

clear: 1 alarm per second

raise: 10 alarms per second

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

When multiple applications running on a WAAS device experience problems at the same time, numerous alarms are set off simultaneously, and the WAAS device may stop responding. You can use the alarm overload-detect global configuration command to set an overload limit for the incoming alarms from the node health manager. If the number of alarms exceeds the maximum number of alarms allowed, the WAAS device enters an alarm overload state until the number of alarms drops down to the number defined in the clear option.

When the WAAS device is in the alarm overload state, the following events occur:

An alarm overload notification is sent to SNMP and the NMS. The clear and raise values are also communicated to SNMP and the NMS.

SNMP traps and NMS notifications for subsequent alarm raise and clear operations are suspended.

Alarm overload clear notification is sent.

The WAAS device remains in the alarm overload state until the rate of incoming alarms decreases to the clear value.


Note In the alarm overload state, applications continue to raise alarms and the alarms are recorded within the WAAS device. The show alarms and show alarms history EXEC commands display all the alarms even in the alarm overload state.


Examples

The following example enables detection of alarm overload:

WAE(config)# alarm overload-detect enable

The following example sets the threshold for triggering the alarm overload at 100 alarms per second:

WAE(config)# alarm overload-detect raise 100

The following example sets the level for clearing the alarm overload at 10 alarms per second:

WAE(config)# alarm overload-detect clear 10

Related Commands

show alarms

(config) asset

To set the tag name for the asset tag string, use the asset global configuration command. To remove the asset tag name, use the no form of this command.

asset tag name

Syntax Description

tag

Sets the asset tag.

name

Asset tag name string.


Defaults

No default behaviors or values

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Examples

The following example shows how to configure a tag name for the asset tag string on a WAAS device:

WAE(config)# asset tag entitymib

(config) authentication

To specify administrative login authentication and authorization methods for a WAAS device, use the authentication global configuration mode command. Use the no form of this command to selectively disable options.

authentication {configuration {local | radius | tacacs | windows-domain} enable [primary | secondary | tertiary | quaternary] | fail-over server-unreachable | login {local | radius | tacacs | windows-domain} enable [primary | secondary | tertiary| quaternary] | content-request windows-domain disconnected-mode enable}

Syntax Description

configuration

Sets the administrative login authorization (configuration) parameters for the WAAS device.

local

Selects the local database method as a login authorization (configuration) method for the WAAS device.

radius

Selects the RADIUS method as a login authorization (configuration) method for the WAAS device.

tacacs

Selects the TACACS+ method as a login authorization (configuration) method for the WAAS device.

windows-domain

Selects the Windows domain controller method as a login authorization (configuration) method for the WAAS device

enable

Enables the specified administrative login authorization methods for the WAAS device

primary

(Optional) Specifies the first method the WAAS device should use for administrative login authorization.

secondary

(Optional) Specifies the second method the WAAS device should use for administrative login authorization if the primary method fails.

tertiary

(Optional) Specifies the third method the WAAS device should use for administrative login authorization if the primary and secondary methods fail.

quaternary

(Optional) Specifies the fourth method the WAAS device should use for administrative login authorization if the primary, secondary, and tertiary methods all fail.

fail-over server-unreachable

Specifies that the WAAS device is to query the secondary authentication database if the primary authentication server is unreachable.

login

Sets the administrative login authentication parameters for the WAAS device.

local

Selects the local database method as an administrative login authentication method for the WAAS device.

radius

Selects the RADIUS method as an administrative login authentication method for the WAAS device.

tacacs

Selects the TACACS+ method as an administrative login authentication method for the WAAS device.

windows-domain

Selects the Windows domain controller method as an administrative login authentication method for the WAAS device.

enable

Enables the selected administrative login authentication methods for the WAAS device.

primary

(Optional) Specifies the first method the WAAS device should use for administrative login authentication.

secondary

(Optional) Specifies the second method the WAAS device should use for administrative login authentication if the primary method fails

tertiary

(Optional) Specifies the second method the WAAS device should use for administrative login authentication if the primary method fails

quaternary

(Optional) Specifies the fourth method the WAAS device should use for administrative login authentication if the primary, secondary, and tertiary methods all fail.

content-request

Authenticates a request for content.

Note This option is available in the application-accelerator device mode only.

windows-domain

Selects a Windows domain controller for domain server authentication.

disconnected-mode

Authenticates in the disconnected mode.

enable

Enables authentication in the disconnected mode.


Defaults

The local authentication method is enabled by default.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

Authentication, also referred to as login, is the act of verifying usernames and passwords. Authorization, or configuration, refers to the setting of privileges for authenticated users in a network. Generally, authentication precedes authorization in a network.

The authentication command configures both the authentication and authorization methods that govern login and configuration access to the WAAS device. Login and configuration privileges can be maintained in three different databases in the WAAS software: the local database, TACACS+ database, and RADIUS database. If all databases are enabled, then all databases are queried. If the user data cannot be found in the first database queried, then the second, and third databases are queried.

When defining or modifying the authentication configuration method for a WAAS device, follow these guidelines:

You can use the authentication command to choose between using an external access server or the internal (local) AAA system for user access management.

You can configure any combination of these authentication and authorization methods to control access and set privileges on a WAAS device:

Local authentication and authorization

RADIUS authentication and authorization

TACACS+ authentication and authorization

Windows domain authentication

Authentication configuration applies to the following:

Console and Telnet connection attempts

SSH (SSH Version 1 and Version 2)

If you configure a RADIUS or TACACS+ key on the WAAS device (the RADIUS and the TACACS+ client), make sure that you configure an identical key on the RADIUS or TACACS+ server.

If you configure multiple RADIUS or TACACS+ servers, the first server configured is the primary server, and authentication requests are sent to this server first. You can also specify secondary, tertiary, and quaternary servers for authentication and authorization purposes.

By default, the WAAS device uses the local database to authenticate and authorize administrative login requests. The WAAS device verifies whether all authentication databases are disabled, and if so, sets the system to the default state. For information about this default state, see the table in the "Default Administrative Login Authentication and Authorization Configuration" section).


Note We strongly recommend that you use the WAAS Central Manager GUI instead of the WAAS CLI to configure administrative login authentication and authorization for your WAAS devices, if possible. For information about how to use the WAAS Central Manager GUI to centrally configure administrative login authentication and authorization on an single WAE or group of WAEs, which are registered with a WAAS Central Manager, see the Cisco Wide Area Application Services Configuration Guide.


To use the WAAS CLI to configure administrative login authentication and authorization for a single WAAS device, you must complete the following tasks:

1. Determine the login authentication scheme that you want to configure the individual WAAS device to use when authenticating administrative login requests. (For example, use the local database as the primary login database and your RADIUS server as the secondary authentication database.)

2. Configure the login access control settings for the individual WAAS device.

3. Configure the administrative login authentication server settings on the individual WAAS device (if a remote authentication database is to be used). For example, specify the IP address of the remote RADIUS servers, TACACS+ servers, or Windows domain server that the WAAS device should use to authenticate administrative login requests.

4. Specify one or all of the following login authentication configuration schemes that the individual WAAS device should use to process administrative login requests:

Specify the administrative login authentication scheme.

Specify the administrative login authorization scheme.

Specify the failover scheme for the administrative login authentication server (optional).

For example, specify which authentication database the WAAS device should check to process an administrative login request.


Caution Make sure that RADIUS, TACACS+, or Windows domain authentication is configured and operating correctly before disabling local authentication and authorization. If you disable local authentication and RADIUS, TACACS+, or Windows domain settings are not configured correctly, or if the RADIUS, TACACS+, or Windows domain server is not online, you may be unable to log in to the WAAS device.

You can enable or disable the local and the remote databases (TACACS+, RADIUS, and Windows domain) through the WAAS Central Manager GUI or the WAAS CLI. The WAAS device verifies whether all databases are disabled and, if so, sets the system to the default state (see the table in the "Default Administrative Login Authentication and Authorization Configuration" section). If you have configured the WAAS device to use one or more of the external third-party databases (TACACS+, RADIUS, or Windows domain authentication) for administrative authentication and authorization, make sure that you have also enabled the local authentication and authorization method on the WAAS device, and that the local method is specified as the last option; otherwise, the WAAS device will not go to the local authentication and authorization method by default if the specified external third-party databases are not reachable.

By default, local login authentication is enabled first. Local authentication and authorization uses locally configured login and passwords to authenticate administrative login attempts. The login and passwords are local to each WAAS device and are not mapped to individual usernames. When local authentication is disabled, if you disable all other authentication methods, local authentication is reenabled automatically.

You can disable local login authentication only after enabling one or more of the other administrative login authentication methods. However, when local login authentication is disabled, if you disable all other administrative login authentication methods, local login authentication is reenabled automatically. You cannot specify different administrative login authentication methods for console and Telnet connections.

We strongly recommend that you set the administrative login authentication and authorization methods in the same order. For example, configure the WAAS device to use RADIUS as the primary login method, TACACS+ as the secondary login method, Windows as the tertiary method, and the local method as the quaternary method for both administrative login authentication and authorization.


Note In the WAAS software release, the ability to specify a fourth method, the quaternary method, was added.


We strongly recommend that you specify the local method as the last method in your prioritized list of login authentication and authorization methods. By adhering to this practice, if the specified external third-party servers (TACACS+, RADIUS, or Windows domain servers) are not reachable, a WAAS administrator can still log in to a WAAS device through the local authentication and authorization method.

The authentication login command determines whether the user has any level of permission to access the WAAS device. The authentication configuration command authorizes the user with privileged access (configuration access) to the WAAS device.

The authentication login local and the authentication configuration local commands use a local database for authentication and authorization.

The authentication login tacacs and authentication configuration tacacs commands use a remote TACACS+ server to determine the level of user access.

The TACACS+ database validates users before they gain access to a WAAS device. TACACS+ is derived from the United States Department of Defense (RFC 1492) and is used by Cisco Systems as an additional control of nonprivileged and privileged mode access. WAAS software supports only TACACS+ and not TACACS or Extended TACACS.

To configure TACACS+, use the authentication and tacacs commands. To enable TACACS+, use the tacacs enable command. For more information on TACACS+ authentication, see the "(config) tacacs"command.

The authentication login radius and authentication configuration radius commands use a remote RADIUS server to determine the level of user access.

By default, the local method is enabled, with TACACS+ and RADIUS both disabled for login and configuration. Whenever TACACS+ and RADIUS are disabled, local is automatically enabled. TACACS+, RADIUS, and local methods can be enabled at the same time.

The primary option specifies the first method to attempt for both login and configuration; the secondary option specifies the method to use if the primary method fails. The tertiary option specifies the method to use if both primary and secondary methods fail. The quaternary option specifies the method to use if the primary, secondary, and tertiary methods fail. If all methods of an authentication login or authentication configuration command are configured as primary, or all as secondary or tertiary, local is attempted first, then TACACS+, and then RADIUS.

Default Administrative Login Authentication and Authorization Configuration

By default, the WAAS device uses the local database to obtain login authentication and authorization privileges for administrative users.


Note The authentication global configuration command configures the authentication methods that govern administrative login and configuration access to the WAAS device.


By default, a WAAS device uses the local database to obtain login authentication and authorization privileges for administrative users.

The following table lists the default configuration for administrative login authentication and authorization.

Feature
Default Value

Administrative login authentication

Enabled

Administrative configuration authorization

Enabled

Authentication server failover because the authentication server is unreachable

Disabled

TACACS+ login authentication (console and Telnet)

Disabled

TACACS+ login authorization (console and Telnet)

Disabled

TACACS+ key

None specified

TACACS+ server timeout

5 seconds

TACACS+ retransmit attempts

2 times

RADIUS login authentication (console and Telnet)

Disabled

RADIUS login authorization (console and Telnet)

Disabled

RADIUS server IP address

None specified

RADIUS server UDP authorization port

Port 1645

RADIUS key

None specified

RADIUS server timeout

5 seconds

RADIUS retransmit attempts

2 times

Windows domain login authentication

Disabled

Windows domain login authorization (added in the WAAS software release)

Disabled



Note If you configure a RADIUS or TACACS+ key on the WAAS device (the RADIUS and the TACACS+ client), make sure that you configure an identical key on the external RADIUS or TACACS+ server.


You can change these defaults on a WAE on a per device basis through the WAAS CLI.

Enforcing Authentication with the Primary Method

The authentication fail-over server-unreachable global configuration command allows you to specify that failover to the secondary authentication method should occur only if the primary authentication server is unreachable. This feature ensures that users gain access to the WAAS device using the local database only when remote authentication servers (TACACS+ or RADIUS) are unreachable. For example, when a TACACS+ server is enabled for authentication with user authentication failover configured and the user tries to log in to the WAAS device using an account defined in the local database, login fails. Login succeeds only when the TACACS+ server is unreachable.

Server Redundancy

Authentication servers can be specified with the corresponding authentication server (NTLM, LDAP, or RADIUS) host command options. In the case of TACACS+ servers, the server hostname command option is used to configure additional servers. These additional servers provide authentication redundancy and improved throughput, especially when WAAS device load-balancing schemes distribute the requests evenly between the servers. If the WAAS device cannot connect to any of the authentication servers, no authentication takes place and users who have not been previously authenticated are denied access.

Login Authentication and Authorization Through the Local Database

Local authentication and authorization uses locally configured login and passwords to authenticate administrative login attempts. The login and passwords are local to each WAAS device and are not mapped to individual usernames.

By default, local login authentication is enabled first. You can disable local login authentication only after enabling one or more of the other administrative login authentication methods. However, when local login authentication is disabled, if you disable all other administrative login authentication methods, local login authentication is reenabled automatically.

Specifying RADIUS Authentication and Authorization Settings

RADIUS authentication clients reside on the WAAS device running WAAS software. When enabled, these clients send authentication requests to a central (remote) RADIUS server, which contains login authentication and network service access information.

To configure RADIUS authentication on a WAAS device, you must configure a set of RADIUS authentication server settings on the WAAS device. You can use the WAAS Manager GUI or the CLI to configure this set of RADIUS authentication server settings for a WAAS device.

RADIUS authentication usually occurs when an administrator first logs in to the WAAS device to configure the device for monitoring, configuration, or troubleshooting purposes. RADIUS authentication is disabled by default. You can enable RADIUS authentication and other authentication methods on a WAAS device at the same time. You can also specify which method to use first.

The following table describes the RADIUS settings for a WAAS device.

Setting
Description

RADIUS server

RADIUS servers that the WAAS device uses for RADIUS authentication. To enable the WAAS device to use a specific RADIUS server, enter the IP address or hostname of the RADIUS server and port information. Up to 5 different hosts are allowed. Early deployment of RADIUS was done using port number 1645, although the official port number for RADIUS is now 1812. Up to 5 different ports are allowed.

RADIUS key

Key used to encrypt and authenticate all communication between the RADIUS client (the WAAS device) and the RADIUS server. The maximum number of characters in the key is 15. There is no default.

RADIUS timeout
interval

Number of seconds that the WAAS device waits for a response from the specified RADIUS authentication server before declaring a timeout. The range is 1 to 20 seconds. The default value is 5 seconds.

RADIUS retransmit
count

Number of times the WAAS device is to retransmit its connection to the RADIUS server if the RADIUS timeout interval is exceeded. The range is 1 to 3 tries. The default value is 2 tries.


After configuring these RADIUS authentication settings on the WAAS device, you can enable RADIUS login authentication and authorization on the WAAS device:

Specifying TACACS+ Authentication and Authorization Settings

TACACS+ controls access to network devices by exchanging NAS information between a network device and a centralized database to determine the identity of a user or an entity. TACACS+ is an enhanced version of TACACS, a UDP-based access-control protocol specified by RFC 1492. TACACS+ uses TCP to ensure reliable delivery and encrypt all traffic between the TACACS+ server and the TACACS+ daemon on a network device.

TACACS+ works with many authentication types, including fixed password, one-time password, and challenge-response authentication.

When a user requests restricted services, TACACS+ encrypts the user password information using the MD5 encryption algorithm and adds a TACACS+ packet header. This header information identifies the packet type being sent (for example, an authentication packet), the packet sequence number, the encryption type used, and the total packet length. The TACACS+ protocol then forwards the packet to the TACACS+ server.

A TACACS+ server can provide authentication, authorization, and accounting functions. These services, while all part of TACACS+, are independent of one another, so a given TACACS+ configuration can use any or all of the three services.

When the TACACS+ server receives a packet, it does the following:

Authenticates the user information and notifies the client that the login authentication has either succeeded or failed.

Notifies the client that authentication will continue and that the client must provide additional information. This challenge-response process can continue through multiple iterations until login authentication either succeeds or fails.

You can configure a TACACS+ key on the client and server. If you configure a key on the WAAS device, it must be the same as the one configured on the TACACS+ servers. The TACACS+ clients and servers use the key to encrypt all TACACS+ packets transmitted. If you do not configure a TACACS+ key, packets are not encrypted.

TACACS+ authentication is disabled by default. You can enable TACACS+ authentication and local authentication at the same time.

To configure TACACS+ authentication on WAAS devices, you must configure a set of TACACS+ authentication settings on the WAAS device. You can use the WAE CLI or GUI to configure this set of TACACS+ authentication settings for a WAAS device.

The following table describes the TACACS+ authentication settings.


Note No TACACS+ authentication is performed if no TACACS+ servers are configured on the WAAS device.


Setting
Description

TACACS+ server

TACACS+ server that the WAAS device is to use for TACACS+ authentication. Explicitly specify the primary TACACS+ server; otherwise, the WAAS device makes its own decision. You an configure one primary TACACS+ server and two backup TACACS+ servers. TACACS+ uses the standard port (port 49) for communication, based on the specified service.

TACACS+ key

Secret key that the WAAS device will use to communicate with the TACACS+ server. The maximum number of characters in the TACACS+ key should not exceed 99 printable ASCII characters (except tabs). An empty key string is the default. All leading spaces are ignored; spaces within and at the end of the key string are not ignored. Double quotes are not required even if there are spaces in the key, unless the quotes themselves are part of the key. There is no default.

Tip Be sure the same TACACS+ key is specified on the TACACS+ server.

TACACS+ timeout interval

Number of seconds that the WAAS device will wait for a response from the specified TACACS+ authentication server before declaring a timeout. The range is 1 to 20 seconds. The default value is 5 seconds.

TACACS+ retransmit count

Number of times that the WAAS device is to retransmit its connection to the TACACS+ if the TACACS+ timeout interval is exceeded. The range is 1 to 3 tries. The default value is 2 tries.

TACACS+ password authentication method

Mechanism for password authentication. By default, the Password Authentication Protocol (PAP) is the mechanism for password authentication. The other option is to use ASCII clear text as the password authentication mechanism.


TACACS+ Enable Password Attribute

The WAAS software CLI EXEC mode is used for setting, viewing, and testing system operations. It is divided into two access levels, user and privileged. To access privileged-level EXEC mode, enter the enable EXEC command at the user access level prompt and specify a privileged EXEC password (superuser or admin-equivalent password) when prompted for a password.

In TACACS+ there is an "enable password" feature that allows an administrator to define a different enable password per administrative-level user. If an administrative-level user logs in to the WAAS device with a normal-level user account (privilege level of 0) instead of an administrator or administrator-equivalent user account (privilege level of 15), that user must enter the administrator password to access privileged-level EXEC mode.

WAE> enable

Password:

This caveat applies even if these WAAS users are using TACACS+ for login authentication.

Examples

To query the secondary authentication database if the primary authentication server is unreachable, enter the following command. This feature is referred to as the fail-over server-unreachable feature.

WAE(config)# authentication fail-over server-unreachable

If you enable the fail-over server-unreachable feature on the WAAS device, only two login authentication scheme (a primary and secondary scheme) can be configured on the WAAS device. The WAAS device fails over from the primary authentication scheme to the secondary authentication scheme only if the specified authentication server is unreachable.

To enable authentication privileges using the local, TACACS+, RADIUS, or Windows databases, and to specify the order of the administrative login authentication use the authentication login global configuration command. In the following example, RADIUS is specified as the primary method, TACACS+ as the secondary method, Windows as the third method, and the local database as the fourth method. In this example, four login authentication methods are specified because the fail-over server-unreachable feature is not enabled on the WAAS device.

WAE(config)# authentication login radius enable primary
WAE(config)# authentication login tacacs enable secondary
WAE(config)# authentication login windows-domain enable tertiary
WAE(config)# authentication login local enable quaternary


Note If you have enabled the failover server unreachable feature on the WAAS device, make sure that you specify either TACACS+ or RADIUS as the primary scheme for authentication, and specify local as the secondary scheme for authentication.


To enable authorization privileges using the local, TACACS+, RADIUS, or Windows databases, and to specify the order of the administrative login authorization (configuration), use the authentication configuration global configuration command.


Note Authorization privileges apply to console and Telnet connection attempts, secure FTP (SFTP) sessions, and Secure Shell (SSH, Version 1 and Version 2) sessions.

We strongly recommend that you set the administrative login authentication and authorization methods in the same order. For example, configure the WAAS device to use RADIUS as the primary login method, TACACS+ as the secondary login method, Windows as the tertiary method, and the local method as the quaternary method for both administrative login authentication and authorization.


In the following example, RADIUS is specified as the primary method, TACACS+ as the secondary method, Windows as the third method, and the local database as the fourth method. In this example, four login authorization (configuration) methods are specified because the fail-over server-unreachable feature is not enabled on the WAAS device.

WAE(config)# authentication configuration radius enable primary
WAE(config)# authentication configuration tacacs enable secondary
WAE(config)# authentication configuration windows-domain enable tertiary
WAE(config)# authentication configuration local enable quaternary


Note If you have enabled the failover server unreachable feature on the WAAS device, make sure that you specify either TACACS+ or RADIUS as the primary scheme for authorization (configuration), and specify local as the secondary scheme for authorization (configuration).



The following example shows the resulting output of the show authentication command:

WAE# show authentication user

Login Authentication:         Console/Telnet/Ftp/SSH Session
----------------------------- ------------------------------
local                         enabled (primary)
Windows domain 							 enabled
Radius                        disabled
Tacacs+                       disabled

Configuration Authentication: Console/Telnet/Ftp/SSH Session
----------------------------- ------------------------------
local                         enabled (primary)
Radius                        disabled
Tacacs+                       disabled

Note The Windows domain controller must be configured using the windows-domain wins-server global configuration command before authentication can be configured.


Related Commands

(config) radius-server

show authentication

show statistics radius

show statistics tacacs

(config) tacacs

windows-domain

(config) windows-domain

(config) auto-register

To enable discovery of a Fast Ethernet or Gigabit Ethernet WAE and its automatic registration with the WAAS Central Manager through Dynamic Host Configuration Protocol (DHCP), use the auto-register global configuration command. To disable the authoregisration feature on a WAE, use the no form of this command.

auto-register enable [FastEthernet slot/port | GigabitEthernet slot/port]

Syntax Description

enable

Enables the automatic registration of devices using DHCP with the WAAS Central Manager.

FastEthernet

(Optional) Selects a Fast Ethernet interface for automatic registration using DHCP.

slot/port

Fast Ethernet slot (0-3) and port number.

GigabitEthernet

(Optional) Selects a Gigabit Ethernet interface for automatic registration using DHCP.

slot/port

Gigabit Ethernet slot (1-2) and port number.


Defaults

Automatic registration using DHCP is enabled on a WAE by default.

Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

Autoregistration automatically configures network settings and registers WAEs with the WAAS Central Manager. On bootup, devices running WAAS software (with the exception of the WAAS Central Manager itself) automatically discover the WAAS Central Manager and register with it. The administrator does not have to do any manual configuration on the device. Once the WAE is registered, the administrator approves the device and configures it remotely using the WAAS Central Manager GUI.

The auto-register enable command allows a Fast Ethernet or Gigabit Ethernet WAE to discover the hostname of the WAAS Central Manager through DHCP and to automatically register the device with the WAAS Central Manager. Discovery and registration occur at bootup.

To assign a static IP address using the interface GigabitEthernet slot/port command, the automatic registration of devices through DHCP must be disabled by using the no auto-register enable command, because automatic registration through DHCP is enabled by default.

For autoregistration to work, you must have a DHCP server that is configured with the hostname of the WAAS Central Manager and that is capable of handling vendor class option 43.


Note The form of DHCP used for autoregistration is not the same as the interface-level DHCP that is configurable through the ip address dhcp interface configuration command.


The DHCP server needs to send the vendor class option (option 43) information to the WAAS device in the format for encapsulated vendor-specific options as provided in RFC 2132. The relevant section of RFC 2132, Section 8.4, is reproduced here as follows:

You should encode the encapsulated vendor-specific options field as a sequence of code/length/value fields of syntax identical to that of the DHCP options field with the following exceptions:

1. There should not be a "magic cookie" field in the encapsulated vendor-specific extensions field.

2. Codes other than 0 or 255 may be redefined by the vendor within the encapsulated vendor-specific extensions field but should conform to the tag-length-value syntax defined in section 2.

3. Code 255 (END), if present, signifies the end of the encapsulated vendor extensions, not the end of the vendor extensions field. If no code 255 is present, then the end of the enclosing vendor-specific information field is taken as the end of the encapsulated vendor-specific extensions field.

In accordance with the RFC standard, the DHCP server needs to send the WAAS Central Manager hostname information in code/length/value format. (Code and length are single octets.) The code for the WAAS Central Manager hostname is 0x01. DHCP server management and configuration are not within the scope of the autoregistration feature.

The WAAS device sends CISCOCDN as the vendor class identifier in option 60 to facilitate device groupings by customers.

Autoregistration DHCP also requires that the following options be present in the DHCP server's offer to be considered valid:

Subnet-mask (option 1)

Routers (option 3)

Domain-name (option 15)

Domain-name-servers (option 6)

Host-name (option 12)

Interface-level DHCP requires only subnet-mask (option 1) and routers (option 3) for an offer to be considered valid; domain-name (option 15), domain-name-servers (option 6), and host-name (option 12) are optional. All of the above options, with the exception of domain-name-servers (option 6), replace the existing configuration on the system. The domain-name-servers option is added to the existing list of name servers with the restriction of a maximum of eight name servers.

Autoregistration is enabled by default on the first interface of the device. The first interface depends on the WAE model as follows:

For the WAE-511, WAE-512, WAE-611, WAE-612, and WAE-7320, use GigabitEthernet 1/0.

If you do not have a DHCP server, the device is unable to complete autoregistration and eventually times out. You can disable autoregistration at any time after the device has booted and proceed with manual setup and registration.

Examples

The following example enables autoregistration on GigabitEthernet port 2/0:

WAE(config)# auto-register enable GigabitEthernet 2/0

The following example disables autoregistration on all configured interfaces on the WAE:

WAE(config)# no auto-register enable

Related Commands

show auto-register

show running-config

show startup-config

(config) autosense

To enable autosense on an interface, use the autosense interface configuration command. To disable this function, use the no form of this command.

autosense

Syntax Description

This command has no arguments or keywords.

Defaults

Autosense is enabled by default.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

Cisco router Ethernet interfaces do not negotiate duplex settings. If the WAAS device is connected to a router directly with a crossover cable, the WAAS device interface must be manually set to match the router interface settings. Disable autosense before configuring an Ethernet interface. When autosense is on, manual configurations are overridden. You must reboot the WAAS device to start autosensing.

Examples

The following example disables autosense on Gigabit Ethernet port 1/0:

WAE(config)# interface GigabitEthernet 1/0
WAE(config-if)# no autosense

The following example reenables autosense on Gigabit Ethernet port 1/0:

WAE(config)# interface GigabitEthernet 1/0
WAE(config-if)# autosense
WAE(config-if)# exit
WAE(config)# exit
WAE# reload

Related Commands

(config) interface

show interface

show running-config

show startup-config

(config) bypass

To configure static bypass lists on a WAE, use the bypass global configuration command. To disable the bypass feature (clear the static bypass lists), use the no form of this command.

bypass static {clientip | any-client} {serverip | any-server}

Syntax Description

static

Adds a static entry to the bypass list.

clientip

Requests from this IP address bypass the WAE.

any-client

Bypasses the traffic from any client destined to a particular server.

serverip

Requests from this IP address bypass the WAE.

any-server

Requests from a specified client to any server bypass the WAE.


Defaults

No default behaviors or values

Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

Using a static bypass allows traffic flows between a configurable set of clients and file servers to bypass handling by the WAE. By configuring static bypass entries on the Edge WAE, you can control traffic interception without modifying the router configuration. Separately, if so desired, IP access lists may be configured on the router to bypass traffic without first redirecting it to the Edge WAE. Typically, the WCCP accept list defines the group of file servers that are cached (and the file servers that are not). Static bypass can be used in rare cases when you want to prevent WAAS from caching a connection from a certain client to a certain file server (or from a certain client to all file servers).

The bypass static command permits traffic from specified sources to bypass the WAE. Wildcards in either the client or server IP addresses are not supported.


Note We recommend that you use IP access lists on the WCCP-enabled router, rather than using the static bypass feature, because access lists are more efficient.


Examples

The following example forces traffic from a specified client to a specified server to bypass the WAE:

WAE(config)# bypass static 10.1.17.1 172.16.7.52

The following example forces all traffic destined to a specified server to bypass the WAE:

WAE(config)# bypass static any-client 172.16.7.52

The following example forces all traffic from a specified client to any file server to bypass the WAE:

WAE(config)# bypass static 10.1.17.1 any-server

A static list of source and destination addresses helps to isolate instances of problem-causing clients and servers. To display static configuration list items, use the show bypass list command as follows:

WAE# show bypass list
Client              Server          Entry type
------              ------          ----------
10.1.17.1:0         172.16.7.52:0   static-config
any-client:0        172.16.7.52:0   static-config
10.1.17.2:0         any-server:0    static-config 

Related Commands

show bypass

(config) cdp

To configure the Cisco Discovery Protocol (CDP) options globally on all WAAS device interfaces, use the cdp command in global configuration mode.

cdp {enable | holdtime seconds | timer seconds}

Syntax Description

enable

Enables CDP globally.

holdtime

Sets the length of time in seconds that a receiver keeps CDP packets before they are discarded. The default is 180 seconds.

seconds

Length of time that a receiver keeps the CDP packet in seconds (10-255).

timer

Interval between the CDP advertisements in seconds. The default is 60 seconds.

seconds

Interval in seconds (5-254).


Defaults

holdtime: 180 seconds

timer: 60 seconds

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

When enabled with the cdp enable command, CDP obtains protocol addresses of neighboring devices and discovers the platform of those devices. It also shows information about the interfaces used by your device. CDP is media- and protocol-independent and runs on Cisco-manufactured equipment.

Use of SNMP with the CDP MIB allows network management applications to learn the device type and the SNMP agent address of neighboring devices and to send SNMP queries to those devices. Cisco Discovery Protocol uses the CISCO-CDP-MIB.

Each device configured for CDP sends periodic messages, known as advertisements, to a multicast address. The cdp timer seconds command specifies the rate at which CDP packets are sent. Each device advertises at least one address at which it can receive SNMP messages. The advertisements also contain Time-To-Live or hold-time information. To set the hold time, use the cdp holdtime seconds command to specify the period of time in seconds that a receiver is to keep CDP packets. Each device also listens to the periodic CDP messages sent by others to learn about neighboring devices.

Examples

In the following example, CDP is first enabled, the hold time is set to 10 seconds for keeping CDP packets, and then the rate at which CDP packets are sent (15 seconds) is set:

WAE(config)# cdp enable
WAE(config)# cdp holdtime 10
WAE(config)# cdp timer 15

Related Commands

(config-if) cdp

clear

show cdp

(config) central-manager

To specify the WAAS Central Manager's role and port number, use the central-manager global configuration command in central-manager device mode. To specify the IP address or hostname of the WAAS Central Manager with which a WAE is to register, use the central-manager global configuration command in application-accelerator device mode. To negate these actions, use the no form of this command.

central-manager {address {hostname | ip-address} | role {primary | standby} | ui port port-num}

Syntax Description

address

Specifies the hostname or IP address of the WAAS Central Manager with which the WAE should register.

hostname

Hostname of the WAAS Central Manager with which the WAE should register.

ip-address

IP address of the WAAS Central Manager with which the WAE should register.

role

Configures the WAAS Central Manager role to either primary or standby.

primary

Configures the WAAS Central Manager to be the primary WAAS Central Manager for the WAEs that are registered with it.

standby

Configures the WAAS Central Manager to be the standby WAAS Central Manager for the WAEs that are registered with it.

ui

Configures the WAAS Central Manager GUI port address.

port

Configures the WAAS Central Manager GUI port. The default is port 8443.

port-num

Port number (1-65535).



Note The address option works in the application-accelerator device mode only. The role and ui port options work in the central-manager device mode only.


Defaults

The WAAS Central Manager GUI is preconfigured to use port 8443.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

The central-manager address global configuration command associates a WAE device with the WAAS Central Manager so that the device can be approved as a part of the WAAS network. After the device is configured with the WAAS Central Manager IP address, it presents a self-signed security certificate and other essential information, such as its IP address or hostname, disk space allocation, and so forth, to the WAAS Central Manager.

If you change the WAAS Central Manager GUI port number, the Centralized Management System (CMS) service is automatically restarted on the WAAS Central Manager if the cms service has been enabled on the WAAS Central Manager by entering the cms enable global configuration command on the WAAS Central Manager.

Configuring Devices Inside a NAT

In a WAAS network, there are two methods for a WAAS device that is registered with the WAAS Central Manager (WAEs or a standby WAAS Central Manager) to obtain configuration information from the primary WAAS Central Manager. The primary method is for the device to periodically poll the primary WAAS Central Manager on port 443 to request a configuration update. You cannot configure this port number. The backup method is when the WAAS Central Manager pushes configuration updates to a registered device as soon as possible by issuing a notification to the registered device on port 443. This method allows changes to take effect in a timelier manner. You cannot configure this port number even when the backup method is being used. WAAS networks do not work reliably if devices registered with the WAAS Central Manager are unable to poll the WAAS Central Manager for configuration updates.

All of the above methods become complex in the presence of Network Address Translation (NAT) firewalls. When a WAAS device (WAEs at the edge of the network and the primary or standby WAAS Central Managers) is inside a NAT firewall, those devices that are inside the same NAT use one IP address (the inside local IP address) to access the device, and those devices that are outside the NAT use a different IP address (the inside global IP address) to access the device. A centrally managed device advertises only its inside local IP address to the WAAS Central Manager. All other devices inside the NAT use the inside local IP address to contact the centrally managed device that resides inside the NAT. A device that is not inside the same NAT as the centrally managed device is not able to contact it without special configuration.

If the primary WAAS Central Manager is inside a NAT, you can allow a device outside the NAT to poll it for getUpdate requests by configuring a static translation (inside global IP address) for the WAAS Central Manager's inside local IP address on its NAT, and using this address, rather than the WAAS Central Manager's inside local IP address, in the central-manager address ip-address global configuration command when you register the device to the WAAS Central Manager. If a WAAS device is inside a NAT and the WAAS Central Manager is outside the NAT, you can allow the WAAS device to poll for getUpdate requests by configuring a static translation (inside global IP address) for the WAAS device's inside local address on its NAT and specifying this address in the Use IP Address field under the NAT Configuration heading in the Device Activation window.


Note Static translation establishes a one-to-one mapping between your inside local address and an inside global address. Static translation is useful when a host on the inside must be accessible by a fixed address from the outside.


Standby WAAS Central Managers

The Cisco WAAS software implements a standby WAAS Central Manager. This process allows you to maintain a copy of the WAAS network configuration. If the primary WAAS Central Manager fails, the standby can be used to replace the primary.

For interoperability, when a standby WAAS Central Manager is used, it must be at the same software version as the primary WAAS Central Manager to maintain the full WAAS Central Manager configuration. Otherwise, the standby WAAS Central Manager detects this status and does not process any configuration updates that it receives from the primary WAAS Central Manager until the problem is corrected.


Note We recommend that you upgrade your standby WAAS Central Manager first and then upgrade your primary WAAS Central Manager. We also recommend that you create a database backup on your primary WAAS Central Manager and copy the database backup file to a safe place before you upgrade the software.


Switching a WAAS Central Manager from Warm Standby to Primary

If your primary WAAS Central Manager becomes inoperable, you can manually reconfigure one of your warm standby WAAS Central Managers to be the primary WAAS Central Manager. Configure the new role by using the global configuration central-manager role primary command as follows:

WAE# configure
WAE(config)# central-manager role primary

This command changes the role from standby to primary and restarts the management service to recognize the change.


Note Check the status of recent updates from the primary WAAS Central Manager. Use the show cms info EXEC command and check the time of the last update. To be current, the updated time should be between 1 and 5 minutes old. You are verifying that the standby WAAS Central Manager has fully replicated the primary WAAS Central Manager configuration. If the update time is not current, determine whether or not there is a connectivity problem or if the primary WAAS Central Manager is down. Fix the problem, if necessary, and wait until the configuration has replicated, as indicated by the time of the last update. Make sure that both WAAS Central Managers have the same Coordinated Universal Time (UTC) configured.


If you switch a warm standby WAAS Central Manager to primary while your primary WAAS Central Manager is still online and active, both WAAS Central Managers detect each other, automatically shut themselves down, and disable management services. The WAAS Central Managers are switched to halted, which is automatically saved in flash memory.

For more information about how to return halted WAAS Central Managers to an online status, see the Cisco Wide Area Application Services Configuration Guide.

Examples

The following example specifies that the WAAS device named waas-cm is to function as the primary WAAS Central Manager for the WAAS network:

waas-cm(config)# central-manager role primary

The following example specifies the WAE should register with the WAAS Central Manager that has an IP address of 10.1.1.1. This command associates the WAE with the primary WAAS Central Manager so that the WAE can be approved as a part of the WAAS network.

WAE(config)# central-manager address 10.1.1.1

The following example configures a new GUI port to access the WAAS Central Manager GUI:

WAE(config)# central-manager ui port 8550

The following example configures the WAAS Central Manager as the standby WAAS Central Manager:

WAE(config)# central-manager role standby
Switching CDM to standby will cause  all configuration settings made on this CDM to be 
lost.
Please confirm you want to continue  [no]?yes
Restarting CMS services

(config) clock

To set the summer daylight savings time and time zone for display purposes, use the clock global configuration command. To disable this function, use the no form of this command.

clock {summertime timezone {date startday startmonth startyear starthour endday endmonth endyear offset | recurring {1-4 startweekday startmonth starthour endweekday endmonth endhour offset | first startweekday startmonth starthour endweekday endmonth endhour
offset
| last startweekday startmonth starthour endweekday endmonth endhour offset}} | timezone {timezone hoursoffset minutesoffset}}

Syntax Description

summertime

Configures the summer or daylight savings time.

timezone

Name of the summer time zone.

date

Configures the absolute summer time.

startday

Date (1-31) to start.

startmonth

Month (January through December) to start.

startyear

Year (1993-2032) to start.

starthour

Hour (0-23) to start in hour:minute (hh:mm) format.

endday

Date (1-31) to end.

endmonth

Month (January through December) to end.

endyear

Year (1993-2032) to end.

endhour

Hour (0-23) to end in hour:minute (hh:mm) format.

offset

Minutes offset (see the table below in the "" section) from UTC (0-59).

recurring

Configures the recurring summer time.

1-4

Configures the starting week number 1-4.

first

Configures the summer time to recur beginning the first week of the month.

last

Configures the summer time to recur beginning the last week of the month.

startweekday

Day of the week (Monday-Friday) to start.

startmonth

Month (January-December) to start.

starthour

Hour (0-23) to start in hour:minute (hh:mm) format.

endweekday

Weekday (Monday-Friday) to end.

endmonth

Month (January-December) to end.

endhour

Hour (0-23) to end in hour:minute (hh:mm) format.

offset

Minutes offset (see the table below in the "" section) from UTC (0-59).

timezone

Configures the standard time zone.

timezone

Name of the time zone. (see the table below in the "" section.)

hoursoffset

Hours offset (see the table below in the "" section) from UTC (-23 to +23).

minutesoffset

Minutes offset (see the table below in the "" section) from UTC (0-59).


Defaults

No default behavior or values

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

To set and display the local and UTC current time of day without an NTP server, use the clock timezone command with the clock set command. The clock timezone parameter specifies the difference between UTC and local time, which is set with the clock set EXEC command. The UTC and local time are displayed with the show clock detail EXEC command.

Use the clock timezone offset command to specify a time zone, where timezone is the desired time zone entry listed in the table below and 0 0 is the offset (ahead or behind) UTC is in hours and minutes. (UTC was formerly known as Greenwich mean time [GMT]).

WAE(config)# clock timezone timezone 0 0

Note The time zone entry is case sensitive and must be specified in the exact notation listed in the following time zone table. When you use a time zone entry from the following time zone table, the system is automatically adjusted for daylight saving time.


Time Zone
Offset from UTC

Africa/Algiers

+1

Africa/Cairo

+2

Africa/Casablanca

0

Africa/Harare

+2

Africa/Johannesburg

+2

Africa/Nairobi

+3

America/Buenos_Aires

-3

America/Caracas

-4

America/Mexico_City

-6

America/Lima

-5

America/Santiago

-4

Atlantic/Azores

-1

Atlantic/Cape_Verde

-1

Asia/Almaty

+6

Asia/Baghdad

+3

Asia/Baku

+4

Asia/Bangkok

+7

Asia/Colombo

+6

Asia/Dacca

+6

Asia/Hong_Kong

+8

Asia/Irkutsk

+8

Asia/Jerusalem

+2

Asia/Kabul

+4.30

Asia/Karachi

+5

Asia/Katmandu

+5.45

Asia/Krasnoyarsk

+7

Asia/Magadan

+11

Asia/Muscat

+4

Asia/New Delhi

+5.30

Asia/Rangoon

+6.30

Asia/Riyadh

+3

Asia/Seoul

+9

Asia/Singapore

+8

Asia/Taipei

+8

Asia/Tehran

+3.30

Asia/Vladivostok

+10

Asia/Yekaterinburg

+5

Asia/Yakutsk

+9

Australia/Adelaide

+9.30

Australia/Brisbane

+10

Australia/Darwin

+9.30

Australia/Hobart

+10

Australia/Perth

+8

Australia/Sydney

+10

Canada/Atlantic

-4

Canada/Newfoundland

-3.30

Canada/Saskatchewan

-6

Europe/Athens

+2

Europe/Berlin

+1

Europe/Bucharest

+2

Europe/Helsinki

+2

Europe/London

0

Europe/Moscow

+3

Europe/Paris

+1

Europe/Prague

+1

Europe/Warsaw

+1

Japan

+9

Pacific/Auckland

+12

Pacific/Fiji

+12

Pacific/Guam

+10

Pacific/Kwajalein

-12

Pacific/Samoa

-11

US/Alaska

-9

US/Central

-6

US/Eastern

-5

US/East-Indiana

-5

US/Hawaii

-10

US/Mountain

-7

US/Pacific

-8


Examples

The following example specifies the local time zone as Pacific Standard Time with an offset of 8 hours behind UTC:

WAE(config)# clock timezone US/Pacific -8 0

The following example negates the time zone setting on the WAAS device:

WAE(config)# no clock timezone

The following example configures daylight saving time:

WAE(config)# clock summertime US/Pacific date 10 October 2005 23:59 29 April 2006 23:59 60

Related Commands

clock

show clock

(config) cms

To schedule maintenance and enable the Centralized Management System (CMS) on a WAAS device, use the cms global configuration command. To negate these actions, use the no form of this command.

cms {database maintenance {full {enable | schedule weekday at time} | regular {enable | schedule weekday at time}} | enable | rpc timeout {connection 5-1800 | incoming-wait 10-600 | transfer 10-7200}}

Syntax Description

database maintenance

Configures the embedded database clean or reindex maintenance routine.

full

Configures the full maintenance routine and cleans the embedded database tables.

enable

Enables the full maintenance routine to be performed on the embedded database tables.

schedule

Sets the schedule for performing the maintenance routine.

weekday

Day of the week to start the maintenance routine.

every-day Every day
Mon          every Monday
Tue           every Tuesday
Wed          every Wednesday
Thu           every Thursday
Fri             every Friday
Sat             every Saturday
Sun            every Sunday

at

Sets the maintenance schedule time of day to start the maintenance routine.

time

Time of day to start the maintenance routine (0-23:0-59) (hh:mm).

at      Maintenance time of day
Mon    every Monday
Tue     every Tuesday
Wed    every Wednesday
Thu     every Thursday
Fri      every Friday
Sat      every Saturday
Sun     every Sunday

regular

Configures the regular maintenance routine and reindexes the embedded database tables.

enable

Enables the CMS process on the WAAS device.

rpc timeout

Configures the timeout values for remote procedure call connections.

connection

Specifies the maximum time to wait when making a connection.

5-1800

Timeout period in seconds. The default for the WAAS Central Manager is 30 seconds; the default for a WAE is 180 seconds.

incoming-wait

Specifies the maximum time to wait for a client response.

10-600

Timeout period in seconds. The default is 30 seconds.

transfer

Specifies the maximum time to allow a connection to remain open.

10-7200

Timeout period in seconds. The default is 300 seconds.


Defaults

database maintenance regular: enabled

database maintenance full: enabled

connection: 30 seconds for WAAS Central Manager; 180 seconds for a WAE

incoming wait: 30 seconds

transfer: 300 seconds

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

Use the cms database maintenance global configuration command to schedule routine full maintenance cleaning (vacuuming) or a regular maintenance reindexing of the embedded database. The full maintenance routine runs only when the disk is more than 90 percent full and only runs once a week. Cleaning the tables returns reusable space to the database system.

The cms enable global configuration command automatically registers the node in the database management tables and enables the CMS process. The no cms enable global configuration command only stops the management services on the WAAS device. Use the cms deregister EXEC command to de-register (remove) a WAAS device from the WAAS network.

Examples

The following example schedules a regular (reindexing) maintenance routine to start every Friday at 11:00 p.m on the WAAS device:

WAE(config)# cms database maintenance regular schedule Fri at 23:00

The following example shows how to enable the CMS process on a WAAS device:

WAE(config)# cms enable
Generating new RPC certificate/key pair
Restarting RPC services

Creating database backup file emerg-debug-db-01-25-2006-15-31.dump
Registering Wide Area Central Manager...
Registration complete.
Please preserve running configuration using 'copy running-config startup-config'.
Otherwise management service will not be started on reload and node will be shown
'offline' in Wide Area Central Manager UI.
management services enabled

Related Commands

cms

show cms

(config) device mode

To configure the device mode for the WAAS device, use the device mode global configuration command. To reset the mode of operation on your WAAS device, use the no form of this command.

device mode {application-accelerator | central-manager}

Syntax Description

application-accelerator

Configures the WAAS device to function as a WAAS Accelerator. All of your Edge WAEs and Core WAEs should be operating in this mode.

central-manager

Configures the WAAS device to function as a WAAS Central Manager.


Defaults

The default device operation mode is application-accelerator.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

You must deploy the WAAS Central Manager on a dedicated appliance. In the WAAS 4.0 software release, the device mode feature was added, which allows you to deploy a WAAS device as either a WAAS Central Manager or a WAE. Because you must deploy a WAAS Central Manager on a dedicated appliance, a WAAS device can operate in one device mode only: either in central-manager mode or application-accelerator mode.


Note A WAAS Central Manager is the device management station of a WAAS network that allows you to centrally configure, manage, and monitor your WAEs.


By default, a WAAS device uses the application-accelerator mode, which makes it operate as a WAE.

To support the new device mode feature, the device mode global configuration command and the show device mode EXEC commands were added in the WAAS 4.0 software release.

The set of WAAS CLI commands that are available vary based on the device mode of the WAAS device.

To enable WAAS network-related applications and services, use the cms enable global configuration command. Use the no form of this command to disable the WAAS network.

By default, a WAAS device uses the application-accelerator mode, which makes it operate as a Wide Area Application Engine (WAE). Before configuring network settings for your WAAS Central Managers using the WAAS CLI, you must change the device mode to the proper device mode.

Examples

To specify central manager as the device mode of a WAAS device, enter the following command from global configuration mode:

WAE(config)# device mode central-manager

To specify application accelerator as the device mode of a WAAS device, enter the following command from global configuration mode:

WAE(config)# device mode application-accelerator

Related Commands

show device-mode

(config) disk

To configure how disk errors are handled and to define a disk error-handling threshold on a WAAS device, use the disk global configuration command. Use the no form of this command to return to the default error-handling threshold.

disk error-handling {reload | remap | threshold number}

Syntax Description

error-handling

Configures disk error handling.

reload

Reloads the disk if the system file system (SYSFS) on disk00 has problems.

remap

Sets the disk to attempt to remap disk errors automatically.

threshold

Sets the number of disk errors allowed before the disk is marked as bad.

number

Number of disk errors allowed before the disk is marked as bad (0-100). The default is 10. A value of zero indicates that the disk should never be marked bad.


Defaults

error-handling threshold number: 10

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

If you have a two-drive system, the RAID software protects the SYSFS from single-drive failures and prevents applications from seeing I/O errors. With this configuration, error handling need not be specified. For all other configurations, error handling should be specified.

To operate properly, the WAAS device must have a disk drive named disk00. The WAAS device must also contain a disk drive that contains the first SYSFS (system file system) partition. The SYSFS partition is used to store log files, including system logs and internal debugging logs. It may also be used to store image files and configuration files on a WAAS device. Disk00 always contains the SYSFS partition. When software RAID is applied, the SYSFS partitions are contained on both disk00 and disk01. In either case, the disk00 disk and the disk that contains the first SYSFS partition are called critical drives and are required for proper operation of the WAAS device.

When a WAE is booted and a critical disk drive is not detected at system startup time, the WAAS device runs at a degraded state. If one of the critical disk drives becomes inoperable at run time, the WAAS device can exhibit symptoms such as the applications malfunctioning or failing, or the WAAS device can stop responding. You must monitor the critical disk drives on a WAAS device and report any disk drive errors to Cisco TAC.

With a WAAS device, a disk device error is defined as any of the following events:

A SCSI or IDE device error is printed by the Linux kernel.

A disk device access by an application (for example, an open(2), read(2), or write(2) system call) fails with an EIO error code.

A disk device that existed at startup time is not accessible at run time.

The disk status is recorded in Flash memory (nonvolatile storage). When an error occurs on the disk drive of a WAAS device, a message is written to the system log (syslog) if the SYSFS partition is still intact, and an SNMP trap is generated if SNMP is configured on the WAAS device.

Specifying the Disk Error-Handling Threshold

You can define a disk device error-handling threshold on the WAAS device. If the number of disk device errors reaches the specified threshold, the corresponding disk device is automatically marked as bad. By default, this threshold is set to 10. The device does not stop using the bad disk device immediately; it stops using the bad disk drive after the next reboot.

To change the default threshold, use the disk error-handling threshold global configuration command. Specify 0 if you never want the disk drive to be marked as bad.

If the specified threshold is exceeded, the WAAS device either records this event or reboots. If the bad disk drive is a critical disk drive, and the automatic reload feature (disk error-handling reload command) is enabled, then the WAAS software marks the disk drive as bad, and the WAAS device is automatically reloaded. After the WAAS device is reloaded, a syslog message and an SNMP trap are generated.

By default, the automatic reload feature is disabled on a WAAS device. To enable the automatic reload feature, use the disk error-handling reload global configuration command. After enabling the automatic reload feature, use the no disk error-handling reload global configuration command to disable it.

Examples

In the following example, an administrator configures five disk drive errors for a particular disk drive (for example, disk00) as the maximum number of errors allowed before the disk drive is automatically marked as bad:

WAE(config)# disk error-handling threshold 5

Related Commands

disk

show disks

(config) end

To exit global configuration mode, use the end global configuration command.

end

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

Use the end command to exit global configuration mode after completing any changes to the running configuration. To save new configurations to NVRAM, use the write command.

The Ctrl-Z command also exits global configuration mode.

Examples

The following example shows how to exit global configuration mode on a WAAS device:

WAE(config)# end
WAE#

Related Commands

(config) exit

(config) exec-timeout

To configure the length of time that an inactive Telnet or SSH session remains open on a WAAS device, use the exec-timeout global configuration command. To revert to the default value, use the no form of this command.

exec-timeout timeout

Syntax Description

timeout

Timeout in minutes (0-44640).


Defaults

The default is 15 minutes.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

A Telnet session or Secure Shell (SSH) session with the WAAS device can remain open and inactive for the interval of time specified by the exec-timeout command. When the exec-timeout interval elapses, the WAAS device automatically closes the Telnet or SSH session.

Examples

The following example configures a timeout of 100 minutes:

WAE(config)# exec-timeout 100

The following example negates the configured timeout of 100 minutes and reverts to the default value of 15 minutes:

WAE(config)# no exec-timeout

Related Commands

(config) telnet enable

(config) exit

To terminate global configuration mode and return to the privileged-level EXEC mode, use the exit command.

exit

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

All modes

Device Modes

application-accelerator

central-manager

Usage Guidelines

This command is equivalent to the Ctrl-Z or the end command.

Examples

The following example terminates global configuration mode and returns to the privileged-level EXEC mode:

WAE(config)# exit
WAE#

Related Commands

(config) end

(config) help

To obtain online help for the command-line interface, use the help global configuration command.

help

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC and global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

You can obtain help at any point in a command by entering a question mark (?). If nothing matches, the help list will be empty, and you must back up until entering a ? shows the available options.

Two styles of help are provided:

Full help is available when you are ready to enter a command argument (for example, show ?) and describes each possible argument.

Partial help is provided when you enter an abbreviated command and you want to know what arguments match the input (for example, show stat?).

Examples

The following example shows the output of the help global configuration command:

WAE# configure
WAE(config)# help
Help may be requested at any point in a command by entering a question mark '?'. If 
nothing matches, the help list will be empty and you must backup until entering a '?' 
shows the available options.

Two styles of help are provided:
1. Full help is available when you are ready to enter a command argument.
2. Partial help is provided when an abbreviated argument is entered.

The following example shows how to use full help to see what WCCP command arguments are available:

WAE# configure
WAE(config)# wccp ?
  access-list      Configure an IP access-list for inbound WCCP encapsulat
                   traffic
  cifs-cache       CIFS caching
  flow-redirect    Redirect moved flows
  router-list      Router List for use in WCCP services
  shutdown         Wccp Shutdown parameters
  slow-start       accept load in slow-start mode
  tcp-promiscuous  TCP promiscuous mode service
  version          WCCP Version Number

The following example shows how to use partial help to determine the syntax of a WCCP argument:

WAE(config)# wccp tcp ?
  mask             Specify mask used for CE assignment
  router-list-num  Router list number

(config) hostname

To configure the network hostname on a WAAS device, use the hostname global configuration command. To reset the hostname to the default setting, use the no form of this command.

hostname name

Syntax Description

name

New hostname for the WAAS device; the name is case sensitive. The name may be from 1 to 30 alphanumeric characters.


Defaults

The default hostname is the model number of the WAAS device (for example WAE-511, WAE-611, or WAE-7326).

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

Use this command to configure the hostname for the WAAS device. The hostname is used for the command prompts and default configuration filenames. This name is also used for routing, so it conforms to the following rules:

It can use only alphanumeric characters and hyphens (-).

The maximum length is 30 characters.

The following characters are considered illegal and cannot be used when naming a device: @, #, $,%, ^, &, *, (), |, \""/, <>.

Examples

The following example changes the hostname of the WAAS device to sandbox.

WAE-511(config)# hostname sandbox
Sandbox(config)#

The following example removes the hostname.

Sandbox(config)# no hostname
WAE-511(config)#

Related Commands

dnslookup

(config) ip

(config-if) ip

show hosts

(config) inetd

To enable FTP and RCP services on a WAAS device, use the inetd enable global configuration command. To disable these same services, use the no form of this command.

inetd enable {ftp | rcp }

Syntax Description

enable

Enables services.

ftp

Enables FTP services.

rcp

Enables RCP services.


Defaults

FTP is enabled; RCP is disabled.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

Inetd (an Internet daemon pronounced eye net dee) is a program that listens for connection requests or messages for certain ports and starts server programs to perform the services associated with those ports. Use the inetd enable command with the ftp and rcp keywords to enable and disable services on the WAAS device. To disable the service, enter the no form of the inetd enable command. Use the show inetd EXEC command to see whether current inetd sessions are enabled or disabled.

Examples

The following example enables an FTP service session on the WAAS device:

WAE(config)# inetd enable ftp

The following example disables FTP services:

WAE(config)# no inetd enable ftp

Related Commands

show inetd

(config) interface

To configure a Fibre Channel, Gigabit Ethernet, port-channel, or standby interface, use the interface global configuration command. To disable selected options, restore default values, or enable a shut down interface, use the no form of this command.

interface FibreChannel slot/port [description text | mode {autosense | direct-attached | switched} | speed {1 | 2 | autosense}]

interface GigabitEthernet slot/port [autosense | bandwidth {10 | 100 | 1000} | cdp enable | channel-group {1 | 2} | description text | fullduplex | halfduplex | ip {access-group {acl-num | acl_name} {in | out} | address {ip_address netmask [secondary] | dhcp [client-id id hostname name | hostname name client-id id]}} | mtu mtusize | shutdown | standby grpnumber [priority priority]]

interface PortChannel {1 | 2} [description text | ip {access-group {acl-num | acl_name} {in | out} | address ip-address netmask} | shutdown]

interface Standby grpnumber {description text | errors max-error-number | ip ip_address | no {description text | errors max-error-number | ip ip_address | shutdown}| shutdown}

Syntax Description

FibreChannel

Selects the Fibre Channel interface to configure on the WAAS device.

slot/port

Slot and port number for the selected interface. The slot range is 0-0; the port range is 0-3. The slot number and port number are separated with a forward slash character (/).

description

(Optional) Sets the description for the specified interface.

text

Description for the specified interface. The maximum length of the description text is 240 characters.

mode

(Optional) Sets the Fibre Channel interface operation mode. For more information, see the "(config-if) mode" command.

autosense

Sets the operation mode of the FibreChannel interface to autosense.

direct-attached

Sets the operation mode when the WAAS device is directly connected to a storage array.

switched

Sets the operation mode when the WAAS device is connected to a switch.

speed

(Optional) Sets the Fibre Channel interface speed.

1

Sets the Fibre Channel interface speed to 1 gigabit per second (Gbps).

2

Sets the Fibre Channel interface speed to 2 Gbps.

autosense

(Optional) Sets the Fibre Channel to automatically sense the interface speed.

GigabitEthernet

Selects a Gigabit Ethernet interface to configure.

autosense

(Optional) Sets the GigabitEthernet interface to automatically sense the interface speed.

bandwidth

(Optional) Sets the bandwidth of the specified interface.

10

Sets the bandwidth of the interface to 10 megabits per second (Mbps).

100

Sets the bandwidth of the interface to 100 Mbps.

1000

Sets the bandwidth of the interface to 1000 Mbps. This option is not available on all ports and is the same as autosense.

cdp enable

(Optional) Enables Cisco Discovery Protocol (CDP) on the specified interface.

channel-group

(Optional) Configures the EtherChannel group.

1

Assigns the interface's EtherChannel to group 1.

2

Assigns the interface's EtherChannel to group 2.

fullduplex

(Optional) Sets the interface to full-duplex operation.

halfduplex

(Optional) Sets the interface to half-duplex operation.

dhcp

(Optional) Sets the IP address to that negotiated over Dynamic Host Configuration Protocol (DHCP).

client-id

(Optional) Specifies the client identifier.

id

Client identifier.

hostname

(Optional) Specifies the hostname.

name

Hostname.

mtu

(Optional) Sets the interface Maximum Transmission Unit (MTU) size.

mtusize

MTU size in bytes (68-1500).

standby

(Optional) Sets standby interface configuration commands.

grpnumber

Standby group number (1-4).

priority

(Optional) Sets the priority of an interface for the standby group.

priority

Interface priority for the standby group (0-4294967295).

slot/port

Slot and port number for the selected interface. The slot range is 0-2; the port range is 0-3. The slot number and port number are separated with a forward slash character (/).

PortChannel

Selects the EtherChannel of interfaces to configure.

1

Sets the port-channel interface number to 1.

2

Sets the port-channel interface number to 2.

ip

(Optional) Enables IP configuration commands for the interface.

access-group

Configures access control for IP packets on this interface using access control list (ACL).

acl_num

Numeric identifier that identifies the ACL to apply to the current interface. For standard ACLs, the valid range is 1-99; for extended ACLs, the valid range is 100-199.

acl_name

Alphanumeric identifier of up to 30 characters, beginning with a letter that identifies the ACL to apply to the current interface.

in

Applies the specified ACL to inbound packets on the current interface.

out

Applies the specified ACL to outbound packets on the current interface.

address

Sets the interface IP address.

ip-address

IP address of this interface.

netmask

Netmask of this interface.

secondary

(Optional) Specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.

shutdown

(Optional) Shuts down this interface.

errors max-error-number

Specifies the maximum error number.

ip ip_address

Specifies the IP address of the interface.


Defaults

No default behavior or values

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

To configure an interface bandwidth on a WAAS device, use the bandwidth interface configuration command. The bandwidth is specified in megabits per second (Mbps). The 1000 Mbps option is not available on all ports. Using this option automatically enables autosense on the interface. You cannot change the interface speed on a WAE-7320 model that has an optical Gigabit Ethernet interface. Gigabit Ethernet interfaces only run at 1000 Mbps for a WAE-7320. For newer models of the WAAS device (for example, the WAE-611 or WAE-7326) that have a Gigabit Ethernet interface over copper, this restriction does not apply; you can configure these Gigabit Ethernet interfaces to run at 10, 100, or 1000 Mbps. On newer WAAS models, the 1000-Mbps setting implies autosense. For example, you cannot configure the Gigabit Ethernet interface to run at 1000 Mbps and half duplex.

Using the cdp enable command in global configuration mode enables CDP globally on all the interfaces. If you want to control CDP behavior per interface, then use the cdp enable command in interface configuration mode. The interface level control overrides the global control.

To display the interface identifiers (for example, interface GigabitEthernet 1/0), use the show running-config or show startup-config commands. The autosense, bandwidth, fullduplex, halfduplex, ip, and shutdown commands are listed separately in this command reference.

Configuring Multiple Secondary IP Addresses on a Single Physical Interface

Use the interface secondary global configuration command to configure more than one IP address on the same interface. By configuring multiple IP addresses on a single interface, the WAAS device can be present in more than one subnet. This configuration allows you to optimize the response time because the content goes directly from the WAAS device to the requesting client without being redirected through a router. The WAAS device becomes visible to the client because both are configured on the same subnet.

Up to four secondary addresses can be assigned to an interface. These addresses become active only after the primary address is configured. No two interfaces can have the same IP address in the same subnetwork. To set these secondary IP addresses, use the ip address command.

If a WAAS device has one physical interface that has multiple secondary IP addresses assigned to it, the egress traffic uses the source IP address that is chosen by IP routing. If the secondary IP addresses of a WAAS device in the same subnet as the primary IP address, then the egress traffic uses the primary IP address only. In contrast, if the secondary IP addresses are in a different subnet than the primary IP address, then the destination IP address determines which IP address on the WAAS device is used for the egress traffic.

Configuring Interfaces for DHCP

During the initial configuration of a WAAS device, you have the option of configuring a static IP address for the WAAS device or using interface-level DHCP to dynamically assign IP addresses to the interfaces on the WAAS device.

If you do not enable interface-level DHCP on the WAAS device, you must manually specify a static IP address and network mask for the WAAS device. If the WAAS device moves to another location in another part of the network, you must manually enter a new static IP address and network mask for this WAAS device.

An interface can be enabled for DHCP by using the ip address dhcp [client_id | hostname] interface configuration command. The client identifier is an ASCII value. The WAAS device sends its configured client identifier and hostname to the DHCP server when requesting network information. DHCP servers can be configured to identify the client identifier information and the hostname information that the WAAS device is sending and then send back the specific network settings that are assigned to the WAAS device.


Note You must disable autoregistration before you can manually configure an interface for DHCP. Autoregistration is enabled by default on the first interface of the device.


Defining Interface Descriptions

You can specify a one-line description for a specific interface on a WAAS device. Use the description text interface configuration command to enter the description for the specific interface. The maximum length of the description text is 240 characters. This feature is supported for the Gigabit Ethernet, Fibre Channel, port-channel, and Standby interfaces.


Note This feature is not currently supported for the SCSI or IDE interfaces.


After you define the description for an interface, use the show EXEC commands to display the defined interface descriptions. Enter the show interface interface type slot/port EXEC command to display the defined description for a specific interface on the WAE.

Fibre Channel Interface

The WAAS software supports Fibre Channel interfaces. Fibre Channel is the chosen technology for interconnecting storage devices and servers in a storage area network (SAN). In a SAN, the storage does not need to be directly attached to the server, and data transfer occurs over a high-throughput, high-availability network. Fibre Channel can operate at speeds of 1 gigabit per second (Gbps) and 2 Gbps.

To detect the presence of Fibre Channel storage, the storage array must be configured to assign storage space for the WAAS device, and the WAAS device must be reloaded before it can detect the storage assignment. To confirm whether or not the WAAS device has detected the storage assignment, use the show disks and the show disks details EXEC commands.

To configure the Fibre Channel interface on the WAAS device, use the interface FibreChannel slot/port command in interface configuration mode.

Port-Channel (EtherChannel) Interface

EtherChannel for the WAAS software supports the grouping of up to four same-speed network interfaces into one virtual interface. This grouping allows the setting or removing of a virtual interface that consists of two, three, or two Gigabit Ethernet interfaces. EtherChannel also provides interoperability with Cisco routers, switches, and other networking devices or hosts supporting EtherChannel, load balancing, and automatic failure detection and recovery based on each interface's current link status.

You can use either the Gigabit Ethernet ports to form an EtherChannel; however, an EtherChannel cannot contain both Gigabit Ethernet interfaces. A physical interface can be added to an EtherChannel subject to the device configuration.

Examples

The following example configures an attribute of an interface with a single CLI command:

WAE(config)# interface GigabitEthernet 1/0 half-duplex 

The following example shows that an interface can be configured in a sequence of CLI commands:

WAE(config)# interface GigabitEthernet 1/0
WAE(config-if)# half-duplex
WAE(config-if)# exit
WAE(config)#

The following example enables a shut down interface:

WAE(config)# no interface GigabitEthernet 1/0 shutdown

The following example creates an EtherChannel. The port channel is port channel 2 and is assigned an IP address of 10.10.10.10 and a netmask of 255.0.0.0:

WAE# configure
WAE(config)# interface PortChannel 2 
WAE(config-if)# ip address 10.10.10.10 255.0.0.0
WAE(config-if)# exit 

The following example removes an EtherChannel:

WAE(config)# interface PortChannel 2 
WAE(config-if)# no ip address 10.10.10.10 255.0.0.0
WAE(config-if)# exit
WAE(config)# no interface PortChannel 2 

The following example adds an interface to a channel group:

WAE# configure
WAE(config)# interface GigabitEthernet 1/0
WAE(config-if)# channel-group 2
WAE(config-if)# exit

The following example removes an interface from a channel group:

WAE(config)# interface GigabitEthernet 1/0
WAE(config-if)# no channel-group 2
WAE(config-if)# exit


The following example assigns a secondary IP address on a Gigabit Ethernet interface on a WAAS device using the ip address configuration interface command:

WAE# configure 
WAE(config)# interface GigabitEthernet 1/0 
WAE(config-if)# ip address 10.10.10.10 255.0.0.0 secondary

The following example configures a description for a Gigabit Ethernet interface:

WAE(config)# interface GigabitEthernet 1/0
WAE(config-if)# description This is a GigabitEthernet interface.

The following example shows a sample output of the show running-config EXEC command:

WAE# show running-config
.
.
.
interface GigabitEthernet 1/0
 description This is an interface to the WAN
 ip address dhcp
 ip address 192.168.1.200 255.255.255.0
 no autosense
 bandwidth 100
 full-duplex
 exit
.
.
.

The following example shows the sample output of the show interface command:

WAE# show interface GigabitEthernet 1/0
Description: This is the interface to the lab
type: Ethernet
.
.
.

Related Commands

show interface

show running-config

show startup-config

(config) ip

To change initial network device configuration settings, use the ip global configuration command. The dscp option allows you to set the global Type of Service (ToS) or differentiated services code point (DSCP) values in IP packets. To delete or disable these settings, use the no form of this command.

ip default-gateway ip-address

ip domain-name name1 name2 name3

ip dscp {client {cache-hit {match-server | set-dscp dscp-packets | set-tos tos-packets} | cache-miss {match-server | set-dscp dscp-packets | set-tos tos-packets}} | server {match-client | set-dscp dscp-packets | set-tos tos-packets}}

ip name-server ip-addresses

ip path-mtu-discovery enable

ip route dest_addrs net_addrs gateway_addrs

Syntax Description

default-gateway

Specifies the default gateway (if not routing IP).

ip-address

IP address of the default gateway.

domain-name

Specifies domain names.

name1 through name3

Domain name (up to three can be specified).

dscp

Configures IP differentiated services code point (DSCP) and Type of Service (ToS) fields.

client

Configures DSCP for responses to the client.

cache-hit

Configures the cache hit responses to the client.

cache-miss

Configures the cache miss responses to the client.

match-server

Uses the original ToS/DSCP value of the server.

set-dscp

Configures differentiated services code point (DSCP) values.

dscp-packets

DSCP values; see the table of DSCP packet values listed in the "Differentiated Services" section for valid values.

set-tos

Configures Type of Service (ToS).

tos-packets

ToS value; see the table of TOS packet values listed in the "How the IP Precedence Bits Are Used to Classify Packets" section for valid values.

server

Configures DSCP for outgoing requests.

match-client

Uses the original ToS/DSP value of the client.

name-server

Specifies the address of the name server.

ip-addresses

IP addresses of the name servers (up to a maximum of eight).

path-mtu-discovery

Configures RFC 1191 Path Maximum Transmission Unit (MTU) discovery.

enable

Enables Path MTU discovery.

route

Specifies the net route.

dest_addrs

Destination route address.

net_addrs

Netmask address.

gateway_addrs

Gateway address.


Defaults

No default behavior or values

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

To define a default gateway, use the ip default-gateway command. Only one default gateway can be configured. To remove the IP default gateway, use the no form of this command. The WAAS device uses the default gateway to route IP packets when there is no specific route found to the destination.

To define a default domain name, use the ip domain-name command. To remove the IP default domain name, use the no form of this command. Up to three domain names can be entered. If a request arrives without a domain name appended in its hostname, the proxy tries to resolve the hostname by appending name1, name2, and name3 in that order until one of these names succeeds.

The WAAS device appends the configured domain name to any IP hostname that does not contain a domain name. The appended name is resolved by the DNS server and then added to the host table. The WAAS device must have at least one domain name server specified for hostname resolution to work correctly.

To specify the address of one or more name servers to use for name and address resolution, use the ip name-server ip-addresses command. To disable IP name servers, use the no form of this command. For proper resolution of the hostname to the IP address or the IP address to the hostname, the WAAS device uses DNS servers. Use the ip name-server command to point the WAAS device to a specific DNS server. You can configure up to eight servers.

Path MTU autodiscovery discovers the MTU and automatically sets the correct value. Use the ip path-mtu-discovery enable command to start this autodiscovery utility. By default, this feature is enabled. When this feature is disabled, the sending device uses a packet size that is smaller than 576 bytes and the next hop MTU. Existing connections are not affected when this feature is turned on or off.

The WAAS software supports IP Path MTU Discovery, as defined in RFC 1191. When enabled, Path MTU Discovery discovers the largest IP packet size allowable between the various links along the forwarding path and automatically sets the correct value for the packet size. By using the largest MTU that the links will bear, the sending device can minimize the number of packets that it must send.


Note IP Path MTU Discovery is useful when a link in a network goes down, forcing the use of another, different MTU-sized link. IP Path MTU Discovery is also useful when a connection is first being established and the sender has no information at all about the intervening links.


IP Path MTU Discovery is initiated by the sending device. If a server does not support IP Path MTU Discovery, the receiving device will have no mechanism available to avoid fragmenting datagrams generated by the server.

Use the ip route command to add a specific static route for a network or host. Any IP packet designated for the specified destination uses the configured route.

To configure static IP routing, use the ip route command. To remove the route, use the no form of this command. Do not use the ip route 0.0.0.0 0.0.0.0 command to configure the default gateway; use the ip default-gateway command instead.

In the WAAS network, you can configure WAAS device for the type of service (ToS) or differentiated services code point (DSCP) using the ip dscp command.

Differentiated Services

The differentiated services (DiffServ) architecture is based on a simple model where traffic entering a network is classified and possibly conditioned at the boundaries of the network. The class of traffic is then identified with a differentiated services (DS) code point or bit marking in the IP header. Within the core of the network, packets are forwarded according to the per-hop behavior associated with the DS code point.

To set the global ToS or DSCP values for the IP header from the CLI, use the ip dscp command.

DiffServ describes a set of end-to-end QoS (quality of service) capabilities. End-to-end QoS is the ability of the network to deliver service required by specific network traffic from one end of the network to another. QoS in the WAAS software supports differentiated services.

With differentiated services, the network tries to deliver a particular kind of service based on the QoS specified by each packet. This specification can occur in different ways, for example, using the 6-bit DSCP setting in IP packets or source and destination addresses. The network uses the QoS specification to classify, mark, shape, and police traffic, and to perform intelligent queueing.

Differentiated services is used for several mission-critical applications and for providing end-to-end QoS. Typically, differentiated services is appropriate for aggregate flows because it performs a relatively coarse level of traffic classification.

Use the ip dscp {client | server} {cache-hit | cache-miss} set-dscp dscp-packets command to set the DSCP values for the IP header. Valid values for dscp-packets are listed in the following table.

Value or Keyword
Description 1

0-63

Sets DSCP values.

af11

Sets packets with AF11 DSCP (001010).

af12

Sets packets with AF12 DSCP (001100).

af13

Sets packets with AF13 DSCP (001110).

af21

Sets packets with AF21 DSCP (010010).

af22

Sets packets with AF22 DSCP (010100).

af23

Sets packets with AF23 DSCP (010110).

af31

Sets packets with AF31 DSCP (011010).

af32

Sets packets with AF32 DSCP (011100).

af33

Sets packets with AF33 DSCP (011110).

af41

Sets packets with AF41 DSCP (100010).

af42

Sets packets with AF42 DSCP (100100).

af43

Sets packets with AF43 DSCP (100110).

cs1

Sets packets with CS1 (precedence 1) DSCP (001000).

cs2

Sets packets with CS2 (precedence 2) DSCP (010000).

cs3

Sets packets with CS3 (precedence 3) DSCP (011000).

cs4

Sets packets with CS4 (precedence 4) DSCP (100000).

cs5

Sets packets with CS5 (precedence 5) DSCP (101000).

cs6

Sets packets with CS6 (precedence 6) DSCP (110000).

cs7

Sets packets with CS7 (precedence 7) DSCP (111000).

default

Sets packets with the default DSCP (000000).

ef

Sets packets with EF DSCP (101110).

1 The number in parentheses denotes the DSCP value for each per-hop behavior keyword.


DS Field Definition

A replacement header field, called the DS field, is defined by differentiated services. The DS field supersedes the existing definitions of the IPv4 ToS octet (RFC 791) and the IPv6 traffic class octet. Six bits of the DS field are used as the DSCP to select the Per Hop Behavior (PHB) at each interface. A currently unused (CU) 2-bit field is reserved for explicit congestion notification (ECN). The value of the CU bits is ignored by DS-compliant interfaces when determining the PHB to apply to a received packet.

Per-Hop Behaviors

RFC 2475 defines PHB as the externally observable forwarding behavior applied at a DiffServ-compliant node to a DiffServ Behavior Aggregate (BA).

With the ability of the system to mark packets according to the DSCP setting, collections of packets that have the same DSCP setting and that are sent in a particular direction can be grouped into a BA. Packets from multiple sources or applications can belong to the same BA.

A PHB refers to the packet scheduling, queueing, policing, or shaping behavior of a node on any given packet belonging to a BA, as configured by a service level agreement (SLA) or a policy map.

There are four available standard PHBs as follows:

Default PHB (as defined in RFC 2474)

Class-Selector PHB (as defined in RFC 2474)

Assured Forwarding (AFny) PHB (as defined in RFC 2597)

Expedited Forwarding (EF) PHB (as defined in RFC 2598)

The following sections describe the PHBs.

Default PHB

The default PHB specifies that a packet marked with a DSCP value of 000000 (recommended) receives the traditional best-effort service from a DS-compliant node (a network node that complies with all of the core DiffServ requirements). Also, if a packet arrives at a DS-compliant node, and the DSCP value is not mapped to any other PHB, the packet gets mapped to the default PHB.

Class-Selector PHB

To preserve backward compatibility with any IP precedence scheme currently in use on the network, DiffServ has defined a DSCP value in the form xxx000, where x is either 0 or 1. These DSCP values are called Class-Selector Code Points. (The DSCP value for a packet with default PHB 000000 is also called the Class-Selector Code Point.)

The PHB associated with a Class-Selector Code Point is a Class-Selector PHB. These Class-Selector PHBs retain most of the forwarding behavior as nodes that implement IP precedence-based classification and forwarding.

For example, packets with a DSCP value of 110000 (the equivalent of the IP precedence-based value of 110) have preferential forwarding treatment (for scheduling, queueing, and so on), as compared to packets with a DSCP value of 100000 (the equivalent of the IP precedence-based value of 100). These Class-Selector PHBs ensure that DS-compliant nodes can coexist with IP precedence-based nodes.

Assured Forwarding PHB

Assured Forwarding PHB is nearly equivalent to Controlled Load Service, which is available in the integrated services model. AFny PHB defines a method by which BAs can be given different forwarding assurances.

For example, network traffic can be divided into the following classes:

Gold—Traffic in this category is allocated 50 percent of the available bandwidth.

Silver—Traffic in this category is allocated 30 percent of the available bandwidth.

Bronze—Traffic in this category is allocated 20 percent of the available bandwidth.

The AFny PHB defines four AF classes: AF1, AF2, AF3, and AF4. Each class is assigned a specific amount of buffer space and interface bandwidth according to the SLA with the service provider or policy map.

Within each AF class, you can specify three drop precedence (dP) values: 1, 2, and 3. Assured Forwarding PHB can be expressed as shown in the following example: AFny. In this example, n represents the AF class number (1, 2, or 3) and y represents the dP value (1, 2, or 3) within the AFn class.

In instances of network traffic congestion, if packets in a particular AF class (for example, AF1) need to be dropped, packets in the AF1 class will be dropped according to the following guideline:

dP(AFny) >= dP(AFnz) >= dP(AFnx)

where dP (AFny) is the probability that packets of the AFny class will be dropped and y denotes the dP within an AFn class.

In the following example, packets in the AF13 class will be dropped before packets in the AF12 class, which in turn will be dropped before packets in the AF11 class:

dP(AF13) >= dP (AF12) >= dP(AF11)

The dP method penalizes traffic flows within a particular BA that exceed the assigned bandwidth. Packets on these offending flows could be re-marked by a policy to a higher drop precedence.

An AFx class can be denoted by the DSCP value, xyzab0, where xyz can be 001, 010, 011, or 100, and ab represents the dP value.

The following lists the DSCP value and corresponding dP value for each AF PHB class.

.

Drop Precedence
Class 1
Class 2
Class 3
Class 4

Low drop precedence

001010

010010

011010

100010

Medium drop precedence

001100

010100

011100

100100

High drop precedence

001110

010110

011110

100110


Expedited Forwarding PHB

Resource Reservation Protocol (RSVP), a component of the integrated services model, provides a guaranteed bandwidth service. Applications, such as Voice over IP (VoIP), video, and online trading programs, require this type of service. The EF PHB, a key ingredient of DiffServ, supplies this kind of service by providing low loss, low latency, low jitter, and assured bandwidth service.

You can implement EF by using priority queueing (PQ) and rate limiting on the class (or BA). When implemented in a DiffServ network, EF PHB provides a virtual leased line or premium service. For optimal efficiency, however, you should reserve EF PHB for only the most critical applications because, in instances of traffic congestion, it is not feasible to treat all or most traffic as high priority.

EF PHB is suited for applications such as VoIP that require low bandwidth, guaranteed bandwidth, low delay, and low jitter.

IP Precedence for ToS

IP precedence allows you to specify the class of service (CoS) for a packet. You use the three precedence bits in the IPv4 header's type of service (ToS) field for this purpose.

Using the ToS bits, you can define up to six classes of service. Other features configured throughout the network can then use these bits to determine how to treat the packet. These other QoS features can assign appropriate traffic-handling policies including congestion management strategy and bandwidth allocation. For example, although IP precedence is not a queueing method, queueing methods such as weighted fair queueing (WFQ) and Weighted Random Early Detection (WRED) can use the IP precedence setting of the packet to prioritize traffic.

By setting precedence levels on incoming traffic and using them with the WAAS software QoS queueing features, you can create differentiated service. You can use features, such as policy-based routing (PBR) and Committed Access Rate (CAR), to set the precedence based on an extended access list classification. For example, you can assign the precedence based on the application or user or by destination and source subnetwork.

So that each subsequent network element can provide service based on the determined policy, IP precedence is usually deployed as close to the edge of the network or the administrative domain as possible. IP precedence is an edge function that allows core or backbone QoS features, such as WRED, to forward traffic based on CoS. You can also set IP precedence in the host or network client, but this setting can be overridden by the service provisioning policy of the domain within the network.

The following QoS features can use the IP precedence field to determine how traffic is treated:

Distributed-WRED

WFQ

CAR

How the IP Precedence Bits Are Used to Classify Packets

You use the three IP precedence bits in the ToS field of the IP header to specify a CoS assignment for each packet. You can partition traffic into up to six classes—the remaining two classes are reserved for internal network use—and then use policy maps and extended ACLs to define network policies in terms of congestion handling and bandwidth allocation for each class.

Each precedence corresponds to a name. These names, which continue to evolve, are defined in RFC 791. The numbers and their corresponding names, are listed from least to most important.

IP precedence allows you to define your own classification mechanism. For example, you might want to assign the precedence based on an application or an access router. IP precedence bit settings 96 and 112 are reserved for network control information, such as routing updates.

The IP precedence field occupies the three most significant bits of the ToS byte. Only the three IP precedence bits reflect the priority or importance of the packet, not the full value of the ToS byte.

Use the ip dscp {client | server} {cache-hit | cache-miss} set-tos tos-packets command to specify either of the two arguments—IP precedence or ToS byte value—to set the same ToS. You may specify either the ToS byte value or IP precedence; one is required. IP precedence uses the three precedence bits in the ToS field of the IPv4 header to specify the class of service for each packet. The ToS byte in the IP header defines the three high-order bits as IP precedence bits and the five low-order bits as ToS bits. The ToS byte value is written to the five low-order bits (bits 0 to 4) of the ToS byte in the IP header of a packet. The IP precedence value is written to the three high-order bits (bits 5 to 7) of the ToS byte in the IP header of a packet.

The following is a list of precedence names:

critical

flash

flash-override

immediate

internet

network

priority

routine

The following is a list of ToS names:

max-reliability

max-throughput

min-delay

min-monetary-cost

normal

Valid values for tos-packets are listed in the following table.

Value, Precedence, or ToS Name
Description 1

0-127

Sets the ToS value.

critical

Sets packets with critical precedence (80).

flash

Sets packets with flash precedence (48).

flash-override

Sets packets with flash override precedence (64).

immediate

Sets packets with immediate precedence (32).

internet

Sets packets with internetwork control precedence (96).

max-reliability

Sets packets with maximum reliable ToS (2).

max-throughput

Sets packets with maximum throughput ToS (4).

min-delay

Sets packets with minimum delay ToS (8).

min-monetary-cost

Sets packets with minimum monetary cost ToS (1).

network

Sets packets with network control precedence (112).

normal

Sets packets with normal ToS (0).

priority

Sets packets with priority precedence (16).

1 The number in parentheses denotes the ToS value for each IP precedence or ToS name setting.


Examples

The following example configures a default gateway for the WAAS device:

WAE(config)# ip default-gateway 192.168.7.18

The following example disables the default gateway:

WAE(config)# no ip default-gateway

The following example configures a static IP route for the WAAS device:

WAE(config)# ip route 172.16.227.128 255.255.255.0 172.16.227.250

The following example negates the static IP route:

WAE(config)# no ip route 172.16.227.128 255.255.255.0 172.16.227.250

The following example configures a default domain name for the WAAS device:

WAE(config)# ip domain-name cisco.com

The following example negates the default domain name for the WAAS device:

WAE(config)# no ip domain-name

The following example configures a name server for the WAAS device:

WAE(config)# ip name-server 10.11.12.13

The following example disables the name server for the WAAS device:

WAE(config)# no ip name-server 10.11.12.13

Related Commands

show ip routes

(config) ip access-list

To create and modify access lists on a WAAS device for controlling access to interfaces or applications, use the ip access-list global configuration commands. To disable an access list, use the no form of the command.

ip access-list {standard | extended} {acl-name | acl-num}

Syntax Description

standard

Enables standard ACL configuration mode. The CLI enters the standard ACL configuration mode in which all subsequent commands apply to the current standard access list. The (config-std-nacl) prompt appears:

WAE(config-std-nacl)#

Refer to the "Standard ACL Configuration Mode Commands" section for details about working with entries in a standard access list and the commands available from the standard ACL configuration mode (config-std-nacl)#.

extended

Enables extended ACL configuration mode. The CLI enters the extended ACL configuration mode in which all subsequent commands apply to the current extended access list. The (config-ext-nacl) prompt appears:

WAE(config-ext-nacl)#

Refer to the "Extended ACL Configuration Mode Commands" secttion for details about working with entries in an extended access list and the commands available from the extended ACL configuration mode (config-ext-nacl)#.

acl-name

Access list to which all commands entered from ACL configuration mode apply, using an alphanumeric string of up to 30 characters, beginning with a letter.

acl-num

Access list to which all commands entered from access list configuration mode apply, using a numeric identifier. For standard access lists, the valid range is 1 to 99; for extended access lists, the valid range is 100 to 199.


Defaults

An access list drops all packets unless you configure at least one permit entry.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

Use access lists to control access to specific applications or interfaces on a WAAS device. An access control list consists of one or more condition entries that specify the kind of packets that the WAAS device will drop or accept for further processing. The WAAS device applies each entry in the order in which it occurs in the access list, which by default is the order in which you configured the entry.

The following list contains examples of how IP ACLs can be used in environments that use WAAS devices:

A WAAS device resides on the customer premises and is managed by a service provider, and the service provider wants to secure the device for its management only.

A WAAS device is deployed anywhere within the enterprise. As with routers and switches, the administrator wants to limit Telnet, SSH, and WAAS GUI access to the IT source subnets.

An application layer proxy firewall with a hardened outside interface has no ports exposed. (Hardened means that the interface carefully restricts which ports are available for access, primarily for security reasons. With an outside interface, many types of security attacks are possible.) The WAE's outside address is Internet global, and its inside address is private. The inside interface has an IP ACL to limit Telnet, SSH, and WAAS GUI access to the device.

A WAAS device using WCCP is positioned between a firewall and an Internet router or a subnet off the Internet router. Both the WAAS device and the router must have IP ACLs.


Note IP ACLs that are defined on a router take precedence over the IP ACLs that are defined on the WAE. IP ACLs that are defined on a WAE take precedence over the WAAS application definition policies that are defined on the WAE.


Within ACL configuration mode, you can use the editing commands (list, delete, and move) to display the current condition entries, to delete a specific entry, or to change the order in which the entries will be evaluated. To return to global configuration mode, enter exit at the ACL configuration mode prompt.

To create an entry, use a deny or permit keyword and specify the type of packets that you want the WAAS device to drop or to accept for further processing. By default, an access list denies everything because the list is terminated by an implicit deny any entry. Therefore, you must include at least one permit entry to create a valid access list.

After creating an access list, you can include the access list in an access group using the access-group command, which determines how the access list is applied. You can also apply the access list to a specific application using the appropriate command. A reference to an access list that does not exist is the equivalent of a permit any condition statement.

To work with access lists, enter either the ip access-list standard or ip access-list extended global configuration command. Identify the new or existing access list with a name up to 30 characters long beginning with a letter, or with a number. If you use a number to identify a standard access list, it must be between 1 and 99; for an extended access list, use a number from 100 to 199. You must use a standard access list for providing access to the SNMP server or to the TFTP gateway/server. However, you can use either a standard access list or an extended access list for providing access to the WCCP application.

After you identify the access list, the CLI enters the appropriate configuration mode and all subsequent commands apply to the specified access list. The prompt for each configuration mode is shown in the following examples.

WAE(config)# ip access-list standard test
WAE(config-std-nacl)# exit
WAE(config)# ip access-list extended test2
WAE(config-ext-nacl)#

Examples

The following commands create an access list on the WAAS device. You create this access list to allow the WAAS device to accept all web traffic that is redirected to it, but limits host administrative access using SSH:

WAE(config)# ip access-list extended example
WAE(config-ext-nacl)# permit tcp any any eq www
WAE(config-ext-nacl)# permit tcp host 10.1.1.5 any eq ssh
WAE(config-ext-nacl)# exit

The following commands activate the access list for an interface:

WAE(config)# interface gigabitethernet 1/0
WAE(config-if)# ip access-group example in
WAE(config-if)# exit

The following example shows how this configuration appears when you enter the show running-configuration command:

...
!
interface GigabitEthernet 1/0
 ip address 10.1.1.50 255.255.0.0
 ip access-group example in
 exit
. . .
ip access-list extended example
 permit tcp any any eq www
 permit tcp host 10.1.1.5 any eq ssh
 exit
. . .

Related Commands

clear

(config-if) ip access-group

show ip access-list

(config) kerberos

To authenticate a user that is defined in the Kerberos database, use the kerberos global configuration command. To disable authentication, use the no form of the command.

kerberos {local-realm kerberos-realm | realm {dns-domain | host} kerberos-realm | server kerberos-realm {hostname | ip-address} [port-number]}


Note Your Windows domain server must have a Reverse DNS Zone configured for this command to execute successfully.


Syntax Description

local-realm

Default realm for WAAS. Configures a switch to authenticate users defined in the Kerberos database.

kerberos-realm

IP address or name (in UPPERCASE letters) of the Kerberos realm. Default value is a NULL string.

realm

Maps a host name or DNS domain name to a Kerberos realm.

dns-domain

DNS domain name to map to Kerberos realm.

Note The name must begin with a leading dot (.).

host

Host IP address or name to map to Kerberos host realm.

server

Specifies the Key Distribution Center (KDC) to use in a given Kerberos realm and, optionally, the port number the KDC is monitoring.

hostname

Name of the host running the KDC.

ip-address

IP address of the host running the KDC.

port-number

(Optional) Number of the port on the KDC server.


Defaults

kerberos-realm: NULL string

port-number: 88

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

All Windows 2000 domains are also Kerberos realms. Because the Windows 2000 domain name is also a DNS domain name, the Kerberos realm name for the Windows 2000 domain name is always in uppercase letters. This capitalization follows the recommendation for using DNS names as realm names in the Kerberos Version 5 protocol document (RFC-1510) and affects only interoperability with other Kerberos-based environments.

The KDC server and all hosts with Kerberos authentication configured must interact within a 5-minute window or authentication will fail. All hosts, especially the KDC, should be running NTP. For information about configuring NTP, see the "(config) ntp" command.

The KDC server and Admin server must have the same IP address. The default port number for both servers is port 88.

The kerberos command modifies the krb5.conf file.

Examples

The following example shows how to configure the WAAS device to authenticate with a specified KDC in a specified Kerberos realm. The configuration is then verified.

WAE(config)# kerberos ?
  local-realm  Set local realm name
  realm        Add domain to realm mapping
  server       Add realm to host mapping
WAE(config)# kerberos local-realm WAE.ABC.COM
WAE(config)# kerberos realm wae.abc.com WAE.ABC.COM
WAE(config)# kerberos server wae.abc.com 10.10.192.50
WAE(config)# exit
WAE# show kerberos
  Kerberos Configuration:
  -----------------------
    Local Realm: WAE.ABC.COM
    DNS suffix: wae.abc.com
    Realm for DNS suffix: WAE.ABC.COM
    Name of host running KDC for realm:
    Master KDC: 10.10.192.50
    Port: 88

Related Commands

show kerberos

(config) kernel

To enable access to the kernel debugger (kdb), use the kernel kdb global configuration command. Once enabled, kdb is automatically activated if kernel problems occur, or you can manually activate it from the local console for the WAAS device by pressing the required key sequence. To disable access to the kernel debugger, use the no form of the command.

kernel kdb

Syntax Description

This command has no arguments or keywords.

Defaults

The kernel debugger is disabled by default.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

Once enabled, kdb is automatically activated when kernel problems occur. Once activated, all normal functioning of the WAAS device is suspended until kdb is manually deactivated. The kdb prompt looks like this:

[0]kdb>

To deactivate kdb, enter go at the kdb prompt. If kdb was automatically activated because of kernel problems, the system generates a core dump and restarts. If you activated kdb manually for diagnostic purposes, the system resumes normal functioning in whatever state it was when you activated kdb. In either case, if you enter reboot, the system restarts and normal operation resumes.

kdb is disabled by default and you must enter the kernel kdb command in global configuration mode to enable it. If kdb has been previously enabled, you can enter the no kernel kdb global configuration command to disable it. When kdb is enabled, you can activate it manually from the local console by pressing Ctrl-_ followed by Ctrl-B.

The rationale for disabling the kernel debugger is as follows: the WAAS device is often unattended at many sites, and it is desirable for the WAAS device to automatically reboot after generating a core dump instead of requiring user intervention. Disabling the kernel debugger allows automatic recovery.

Examples

The following example enables, and then disables, access to the kernel debugger:

WAE(config)# kernel kdb
WAE(config)# no kernel kdb

(config) line

To specify terminal line settings, use the line global configuration command. To configure the WAAS device to not check for the carrier detect signal, use the no form of the command.

line console carrier-detect

Syntax Description

console

Configures the console terminal line settings.

carrier-detect

Sets the device to check the carrier detect signal before writing to the console.


Defaults

No default behavior or values

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Examples

The following example sets the WAAS device to check for the carrier detect signal:

WAE(config)# line console carrier-detect

(config) logging

To configure system logging, use the logging global configuration command. To disable logging functions, use the no form of this command.

logging {console {enable | priority loglevel} | disk {enable | filename filename | priority loglevel | recycle size} | facility facility | host {hostname | ip-address} [port port_num | priority loglevel | rate-limit message_rate]}

Syntax Description

console

Sets system logging to a console.

enable

Enables system logging to a console.

priority

Sets which priority level messages to send to syslog file.

loglevel

Use one of the following keywords.

alertImmediate action needed. Priority 1.

criticalImmediate action needed. Priority 2.

debug—Debugging messages. Priority 7.

emergencySystem is unusable. Priority 0.

error—Error conditions. Priority 3.

informationInformational messages. Priority 6.

notice—Normal but significant conditions. Priority 5.

warningWarning conditions. Priority 4.

disk

Sets system logging to a disk file.

enable

Enables system logging to a disk file.

filename

Sets the name of the syslog file.

filename

Specifies the name of the syslog file.

recycle

Overwrites syslog.txt when it surpasses the recycle size.

size

Size of syslog file in bytes (1000000-50000000).

facility

Sets facility parameter for syslog messages.

facility

Use one of the following keywords.

authAuthorization system

daemonSystem daemons

kernelKernel

local0Local use

local1Local use

local2Local use

local3Local use

local4Local use

local5Local use

local6Local use

local7Local use

mail—Mail system

news—USENET news

facility (continued)

syslog—Syslog itself

user—User process

uucp—UUCP system

host

Sets system logging to a remote host.

hostname

Hostname of the remote syslog host. Specify up to four remote syslog hosts.

Note To specify more than one syslog host, use multiple command lines; specify one host per command.

ip-address

IP address of the remote syslog host. Specify up to four remote syslog hosts.

Note To specify more than one syslog host, use multiple command lines; specify one host per command.

port

(Optional) Specifies the port to be used when logging to a host.

port_num

Port to be used when logging to a host. The default port is 514.

priority

(Optional) Sets the priority level for messages when logging messages to a host. The default priority is warning.

loglevel

Use one of the following keywords.

alertImmediate action needed. Priority 1.

criticalImmediate action needed. Priority 2.

debug—Debugging messages. Priority 7.

emergencySystem is unusable. Priority 0.

error—Error conditions. Priority 3.

informationInformational messages. Priority 6.

notice—Normal but significant conditions. Priority 5.

warningWarning conditions. Priority 4.

rate-limit

(Optional) Sets the rate limit (in messages per second) for sending messages to a host.

message_rate

Rate limit (in messages per second) for sending messages to the host. (0-10000). Setting the rate limit to 0 disables rate limiting.


Defaults

Logging: on

Priority of message for console: warning

Priority of message for disk log file: debug

Priority of message for a host: warning

Log file: /local1/syslog.txt

Log file recycle size: 10,000,000 bytes

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

Use the logging command to set specific parameters of the system log file. System logging is always enabled internally. By default, system logging is enabled on a WAAS device. The system log file is located on the SYSFS partition at /local1/syslog.txt. This file contains authentication entries, privilege levels, and administrative details.

WAAS supports filtering multiple syslog messages for a single failed section on SCSI disks and SATA disks.

To configure the WAAS device to send varying levels of event messages to an external syslog host, use the logging host option. Logging can be configured to send various levels of messages to the console using the logging console priority option.

The no logging disk recycle size command sets the file size to the default value. Whenever the current log file size surpasses the recycle size, the log file is rotated. The log file cycles through at most five rotations, and they are saved as [log file name].[1-5] under the same directory as the original log. The rotated log file is the one configured using the logging disk filename command.

Configuring System Logging to Remote Syslog Hosts

You can configure a WAAS device to send varying levels of messages to up to four remote syslog hosts. Use the logging host hostname global configuration command as follows:

WAE(config)# [no] logging host hostname [priority priority-code | port port |rate-limit 
limit]

where:

hostname is the hostname or IP address of the remote syslog host. Specify up to four remote syslog hosts. To specify more than one syslog host, use multiple command lines; specify one host per command.

priority-code is the severity level of the message that should be sent to the specified remote syslog host. The default priority-code is "warning" (level 4). Each syslog host is capable of receiving a different level of event messages.


Note You can achieve syslog host redundancy by configuring multiple syslog hosts on the WAAS device and assigning the same priority code to each configured syslog host (for example, assigning a priority code of "critical" level 2 to syslog host 1, syslog host 2, and syslog host 3).


port is the destination port of the remote syslog host to which the WAAS device is to send the messages. The default port is port 514.

rate-limit specifies the number of messages that are allowed to be sent to the remote syslog host per second. To limit bandwidth and other resource consumption, messages to the remote syslog host can be rate limited. If this limit is exceeded, the specified remote syslog host drops the messages. There is no default rate limit, and by default all syslog messages are sent to all of the configured syslog hosts. If the rate limit is exceeded, a "message of the day" (motd) will be printed for any CLI EXEC shell login.

Examples

In the following example, the WAAS device is configured to send messages that have a priority code of "error" (level 3) to the console:

WAE(config)# logging console priority error

In the following example, the WAAS device is configured to disable sending of messages that have a priority code of "error" (level 3) to the console:

WAE(config)# no logging console error

In the following example, the WAAS device is configured to send messages that have a priority code of "error" (level 3) to the remote syslog host that has an IP address of 172.31.2.160:

WAE(config)# logging host 172.31.2.160 priority error

Related Commands

clear

show logging

(config) no

To undo a global configuration command or set its defaults, use the no form of a global configuration command.

no command

Syntax Description

aaa

Unconfigures AAA.

alarm

Unconfigures alarm parameters.

authentication

Unconfigures login authentication and authorization.

bypass

Unconfigures bypass.

cdp

Unconfigures CDP.

clock

Unconfigures the time-of-day clock.

disk

Unconfigures disk-related parameters.

exec-timeout

Unconfigures the exec timeout.

help

Unconfigures assistance for the command-line interface.

hostname

Unconfigures the system's network name.

inetd

Unconfigures FTP, rcp, and TFTP services.

interface

Unconfigures a FibreChannel, Gigabit, PortChannel, or Standby interface.

ip

Unconfigures IP parameters.

ip access-list

Unconfigures IP access lists.

kerberos

Unconfigures kerberos security options.

kernel

Disables access to the kernel debugger.

line

Unconfigures terminal line settings.

logging

Unconfigures system logging (syslog).

ntp

Unconfigures NTP.

port-channel

Unconfigures port channel global options.

print-services

Unconfigures the parameters for the WAAS print services.

radius-server

Unconfigures RADIUS server parameters.

smb-conf

Unconfigures the Windows domain smb.conf file.

sshd

Unconfigures the parameters for the Secure Shell (SSH) service.

ssh-key-generate

Unconfigures the SSH host key.

tacacs

Unconfigures the TACACS+ parameters.

tcp

Unconfigures the global TCP parameters.

telnet enable

Disables the Telnet service.

username

Unconfigures username authentication.

wccp

Disables WCCP.

windows-domain

Unconfigures Windows domain server parameters.


Defaults

No default behavior or values

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

Use the no command to disable functions or negate a command. If you need to negate a specific argument in a command, such as the default gateway IP address, you must include the specific string in your command, such as no ip default-gateway ip-address.

Examples

The following example the Telnet service is disabled on the WAAS device:

WAE(config)# no telnet enable

(config) ntp

To configure the NTP server and to allow the system clock to be synchronized by a time server, use the ntp global configuration command. To disable this function, use the no form of this command.

ntp server {ip-address | hostname} [ip-addresses | hostnames]

Syntax Description

server

Sets the NTP server IP address for the WAAS device.

ip-address

NTP server IP address.

hostname

NTP server hostname.

ip-addresses

(Optional) IP address of the time server providing the clock synchronization (maximum of 4).

hostnames

(Optional) Hostname of the time server providing the clock synchronization (maximum of 4).


Defaults

The default NTP version number is 3.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

Use this command to synchronize the clock on the WAAS device with the specified NTP server. The ntp server command enables NTP servers for timekeeping purposes and is the only way to synchronize the system clock with a time server in WAAS software.

Examples

The following example specifies the NTP server IP address as the time source for a WAAS device. It also removes this configuration.

WAE(config)# ntp 172.16.22.44 
WAE(config)# no ntp 172.16.22.44 

Related Commands

clock

(config) clock

show clock

show ntp

(config) policy-engine application classifier

To create or edit an existing application classifier on a WAE, use the policy-engine application classifier global configuration command. You can use this command to add or modify rules, also known as match conditions, to identify specific types of traffic. You can also use this command to list the classifier's match conditions.


Note You cannot have more than 512 different application classifiers

We strongly recommend that you use the WAAS Central Manager GUI to centrally configure application policies for your WAEs. For more information, see the Cisco Wide Area Application Services Configuration Guide.


To delete an application classifier or a condition, use the no form of this command.

policy-engine application classifier classifier-name [list |
match {all | dst {host hostname | ip ip_address | port {eq port | range port1 port2}} |
src {host hostname | ip ip_address | port {eq port | range port1 port2}}}]

Syntax Description

classifier-name

The classifier name (up to 30 characters). The name must start with a letter representing the application class.

list

Lists the conditions contained in the specified classifier.

match

Specifies the criteria for matching traffic.

all

Matches any type of traffic.

dst

Specifies the criteria for identifying the destination host.

host hostname

Specifies the hostname of the system that is the source or destination of the traffic.

ip ip_address

Specifies the IP address of the system that is the source or destination of the traffic.

port

Specifies the criteria for identifying the port or ports used by the source or destination hosts.

eq port

Specifies the source or destination port number.

range port1 port2

Specifies a range of source or destination port numbers.

src

Specifies the criteria for identifying the source host.


Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

Deleting a classifier fails if there are policies using it. When creating a new application classifier or adding an existing application classifier, the WAAS CLI enters into an appropriate submode allowing you to specify one or more conditions. However, if the condition specified matches an already existing condition in the classifier's conditions list, no action is taken. A condition can be deleted by using the no form of this command. When creating a new classifier, you must add at least one condition.

The WAAS software comes with over 150 default application policies that help your WAAS system classify and optimize some of the most common traffic on your network.

For a list of the default applications and classifiers that WAAS will either optimize or pass through based on the policies that come bundled with the system, see the Cisco Wide Area Application Services Configuration Guide.

Before you create a new application policy, we recommend that you review the default policies and modify them as appropriate. It is usually easier to modify an existing policy than to create a new one.

WAAS takes the following actions based on the type of traffic it encounters:

TFO (Transport Flow Optimization)—A collection of optimization technologies such as automatic windows scaling, increased buffering, and selective acknowledgement that optimize all TCP traffic over your network.

RE (redundancy elimination)—A compression technology that reduces the size of transmitted data by removing redundant information before sending the shortened data stream over the WAN. RE operates on significantly larger streams and maintains a much larger compression history than Lempel-Ziv (LZ) compression.

LZ (compression)—Another compression technology that operates on smaller data streams and keeps limited compression history compared to RE.

Related Commands

(config) policy-engine application map adaptor EPM

(config) policy-engine application map adaptor WAFS accept

(config) policy-engine application map adaptor WAFS transport

(config) policy-engine application map basic delete

(config) policy-engine application map basic disable

(config) policy-engine application map basic insert

(config) policy-engine application map basic list

(config) policy-engine application map basic move

(config) policy-engine application map basic name

(config) policy-engine application map other optimize DRE

(config) policy-engine application map other optimize full

(config) policy-engine application map other pass-through

(config) policy-engine application name

(config) policy-engine application map adaptor EPM

To configure the application policy with advanced policy map lists of the EndPoint Mapper (EPM) service on a WAE, use the policy-engine application map adaptor EPM global configuration command. To disable the EPM service in the application policy configuration, use the no form of this command.


Note We strongly recommend that you use the WAAS Central Manager GUI to centrally configure application policies for your WAEs. For more information, see the Cisco Wide Area Application Services Configuration Guide.


policy-engine application map adaptor EPM epm-map &{delete line-number |
disable line-number |
insert {first | last | pos line-number} name app-name {All | classifier classifier-name}
{action
{optimize {DRE {yes | no} compression {LZ | none}}| full} | pass-through} | disable action {optimize {DRE {yes | no} compression {LZ | none} | full} | pass-through}|
list
[from line-number [to line-number] | to line-number [from line-number]] |
move from line-number to line-number |
name app-name {All | classifier classifier-name} {action {optimize {DRE {yes | no} compression {LZ | none}}| full} | pass-through} | disable action {optimize {DRE {yes | no} compression {LZ | none} | full} | pass-through}}

Syntax Description

epm-map

Messaging Application Programming Interface (MAPI) or Universal Unique ID (UUID).

delete line-number

Deletes the application policy map specified by the line number.

disable line-number

Disables the application policy map specified by the line number.

insert

Inserts or adds a new policy map at the specified position.

first

Inserts the new application policy map at the beginning of the list.

last

Inserts the new application policy map at the end of the list.

pos line-number

Inserts the new application policy map at the specified line number.

name app-name

Name of the application name.

All

Specifies all traffic.

classifier classifier-name

Specifies the name of the application traffic classifier.

action

Specifies whether to optimize the traffic or let it pass through.

optimize

Applies general optimization.

DRE {yes | no}

Enables or disables DRE optimization.

compression {LZ | none}

Applies Lempel-Ziv (LZ) compression or no compression.

full

Applies full generic optimization.

pass-through

Allows traffic pass through without any optimization.

disable action

Disables optimization or pass-through.

list

Lists the specified application policy maps.

from

(Optional) Specifies the line number of the first application policy map to list.

to

(Optional) Specifies the line number of the last application policy map to list.

line-number

The line number or position of an application policy map in the list.

move

Moves the specified application policy map from one line to another.


Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

EndPoint Mapper (EPM) is a service that dynamically allocates server ports to certain applications. Unlike most applications that always use the same port, applications that rely on the EPM service can be assigned a different port at every request.

The WAAS software comes with over 150 default application policies that help your WAAS system classify and optimize some of the most common traffic on your network.

For a list of the default applications and classifiers that WAAS will either optimize or pass through based on the policies that come bundled with the system, see the Cisco Wide Area Application Services Configuration Guide.

Before you create a new application policy, we recommend that you review the default policies and modify them as appropriate. It is usually easier to modify an existing policy than to create a new one.

WAAS takes the following actions based on the type of traffic it encounters:

TFO (Transport Flow Optimization)—A collection of optimization technologies such as automatic windows scaling, increased buffering, and selective acknowledgement that optimize all TCP traffic over your network.

RE (redundancy elimination)—A compression technology that reduces the size of transmitted data by removing redundant information before sending the shortened data stream over the WAN. RE operates on significantly larger streams and maintains a much larger compression history than LZ compression.

LZ (compression)—Another compression technology that operates on smaller data streams and keeps limited compression history compared to RE.

Related Commands

(config) policy-engine application classifier

(config) policy-engine application map adaptor WAFS accept

(config) policy-engine application map adaptor WAFS transport

(config) policy-engine application map basic delete

(config) policy-engine application map basic disable

(config) policy-engine application map basic insert

(config) policy-engine application map basic list

(config) policy-engine application map basic move

(config) policy-engine application map basic name

(config) policy-engine application map other optimize DRE

(config) policy-engine application map other optimize full

(config) policy-engine application map adaptor WAFS accept

Use the policy-engine application map adaptor WAFS accept global configuration command to configure application policies with the Wide Area File Services (WAFS) accept option. This option allows you to change the default behavior so the Edge WAE takes another action (such as optimize) for accepted CIFS traffic. To disable the WAFS accept option, use the no form of this command.

policy-engine application map adaptor WAFS accept {delete line-number | disable line-number |
insert
{{first | last} name app-name | pos line-number} | list [from line-number |
to line-number] | move from line-number | name app-name


Note By default, when you enable the WAFS accept option, the Edge WAE accelerates all CIFS traffic it accepts.

We strongly recommend that you use the WAAS Central Manager GUI to centrally configure application policies for your WAEs. For more information, see the Cisco Wide Area Application Services Configuration Guide.


Syntax Description

delete

Deletes a specific application policy map from the list.

disable

Disables a specific application policy map in the list.

insert

Inserts or adds a new policy map at the specified position.

first

Inserts the new application policy map at the beginning of the list.

last

Inserts the new application policy map at the end of the list.

pos

Inserts the new application policy map at the specified line number.

name app-name

Name of the application name.

list

Lists the specified application policy maps.

from

(Optional) Specifies the line number of the first application policy map to list.

to

(Optional) Specifies the line number of the last application policy map to list.

line-number

The line number or position of an application policy map in the list.

move

Moves the specified application policy map from one line to another.

line-number

Indicates the exact position in the list.


Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

The WAAS software comes with over 150 default application policies that help your WAAS system classify and optimize some of the most common traffic on your network.

For a list of the default applications and classifiers that WAAS will either optimize or pass through based on the policies that come bundled with the system, see the Cisco Wide Area Application Services Configuration Guide.

Before you create a new application policy, we recommend that you review the default policies and modify them as appropriate. It is usually easier to modify an existing policy than to create a new one.

WAAS takes the following actions based on the type of traffic it encounters:

TFO (Transport Flow Optimization)—A collection of optimization technologies such as automatic windows scaling, increased buffering, and selective acknowledgement that optimize all TCP traffic over your network.

RE (redundancy elimination)—A compression technology that reduces the size of transmitted data by removing redundant information before sending the shortened data stream over the WAN. RE operates on significantly larger streams and maintains a much larger compression history than Lempel-Ziv (LZ) compression.

LZ (compression)—Another compression technology that operates on smaller data streams and keeps limited compression history compared to RE.

Related Commands

(config) policy-engine application classifier

(config) policy-engine application map adaptor EPM

(config) policy-engine application map adaptor WAFS transport

(config) policy-engine application map basic delete

(config) policy-engine application map basic disable

(config) policy-engine application map basic insert

(config) policy-engine application map basic list

(config) policy-engine application map basic move

(config) policy-engine application map basic name

(config) policy-engine application map other optimize DRE

(config) policy-engine application map other optimize full

(config) policy-engine application map other pass-through

(config) policy-engine application name

(config) policy-engine application map adaptor WAFS transport

To configure application policies with the Wide Area File Services (WAFS) transport option, use the policy-engine application map adaptor WAFS transport global configuration command. To disable the WAFS transport policy map in the application policy configuration, use the no form of this command.

policy-engine application map adaptor WAFS transport {delete line-number | disable line-number | insert {{first | last} name app-name | pos line-number} | list [from line-number | to line-number] | move from line-number | name app-name}


Note We strongly recommend that you use the WAAS Central Manager GUI to centrally configure application policies for your WAEs. For more information, see the Cisco Wide Area Application Services Configuration Guide.


Syntax Description

delete

Deletes a specific application policy map from the list.

disable

Disables a specific application policy map in the list.

insert

Inserts or adds a new policy map at the specified position.

first

Inserts the new application policy map at the beginning of the list.

last

Inserts the new application policy map at the end of the list.

pos

Inserts the new application policy map at the specified line number.

name app-name

Name of the application name.

list

Lists the specified application policy maps.

from

(Optional) Specifies the line number of the first application policy map to list.

to

(Optional) Specifies the line number of the last application policy map to list.

line-number

The line number or position of an application policy map in the list.

move

Moves the specified application policy map from one line to another.

line-number

Indicates the exact position in the list.


Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

By default, when you enable WAFS, all CIFS traffic going between an Edge WAE and a core cluster is accelerated. Use this command to specify another action (such as optimize) for CIFS traffic traveling between edge and core devices.

The WAAS software comes with over 150 default application policies that help your WAAS system classify and optimize some of the most common traffic on your network.

For a list of the default applications and classifiers that WAAS will either optimize or pass through based on the policies that come bundled with the system, see the Cisco Wide Area Application Services Configuration Guide.

Before you create a new application policy, we recommend that you review the default policies and modify them as appropriate. It is usually easier to modify an existing policy than to create a new one.

WAAS takes the following actions based on the type of traffic it encounters:

TFO (Transport Flow Optimization)—A collection of optimization technologies such as automatic windows scaling, increased buffering, and selective acknowledgement that optimize all TCP traffic over your network.

RE (redundancy elimination)—A compression technology that reduces the size of transmitted data by removing redundant information before sending the shortened data stream over the WAN. RE operates on significantly larger streams and maintains a much larger compression history than Lempel-Ziv (LZ) compression.

LZ (compression)—Another compression technology that operates on smaller data streams and keeps limited compression history compared to RE.

Related Commands

(config) policy-engine application classifier

(config) policy-engine application map adaptor EPM

(config) policy-engine application map adaptor WAFS accept

(config) policy-engine application map basic delete

(config) policy-engine application map basic disable

(config) policy-engine application map basic insert

(config) policy-engine application map basic list

(config) policy-engine application map basic move

(config) policy-engine application map basic name

(config) policy-engine application map other optimize DRE

(config) policy-engine application map other optimize full

(config) policy-engine application map other pass-through

(config) policy-engine application name

(config) policy-engine application map basic delete

To delete a specific basic (static) application policy map from the list of application policy maps on a WAE, use the policy-engine application map basic delete global configuration command.

policy-engine application map basic delete pos


Note A policy map consists of a set of application policies and the order in which they are checked.

We strongly recommend that you use the WAAS Central Manager GUI to centrally configure application policies for your WAEs. For more information, see the Cisco Wide Area Application Services Configuration Guide.


Syntax Description

pos

Line number indicating the exact position of the policy map in the list.


Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

This command is ignored if the line number specified does not represent a current policy map.

The WAAS software comes with over 150 default application policies that help your WAAS system classify and optimize some of the most common traffic on your network.

For a list of the default applications and classifiers that WAAS will either optimize or pass through based on the policies that come bundled with the system, see the Cisco Wide Area Application Services Configuration Guide.

Before you create a new application policy, we recommend that you review the default policies and modify them as appropriate. It is usually easier to modify an existing policy than to create a new one.

WAAS takes the following actions based on the type of traffic it encounters:

TFO (Transport Flow Optimization)—A collection of optimization technologies such as automatic windows scaling, increased buffering, and selective acknowledgement that optimize all TCP traffic over your network.

RE (redundancy elimination)—A compression technology that reduces the size of transmitted data by removing redundant information before sending the shortened data stream over the WAN. RE operates on significantly larger streams and maintains a much larger compression history than Lempel-Ziv (LZ) compression.

LZ (compression)—Another compression technology that operates on smaller data streams and keeps limited compression history compared to RE.

Related Commands

(config) policy-engine application classifier

(config) policy-engine application map adaptor EPM

(config) policy-engine application map adaptor WAFS accept

(config) policy-engine application map adaptor WAFS transport

(config) policy-engine application map basic disable

(config) policy-engine application map basic insert

(config) policy-engine application map basic list

(config) policy-engine application map basic move

(config) policy-engine application map basic name

(config) policy-engine application map other optimize DRE

(config) policy-engine application map other optimize full

(config) policy-engine application map other pass-through

(config) policy-engine application name

(config) policy-engine application map basic disable

To disable a specific basic (static) application policy map from the list of application policy maps on a WAE, use the policy-engine application map basic disable global configuration command.

policy-engine application map basic disable pos


Note We strongly recommend that you use the WAAS Central Manager GUI to centrally configure application policies for your WAEs. For more information, see the Cisco Wide Area Application Services Configuration Guide.


Syntax Description

pos

Line number indicating the exact position of the policy map in the list.


Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

This command is ignored if the line number specified does not represent a current policy map.

The WAAS software comes with over 150 default application policies that help your WAAS system classify and optimize some of the most common traffic on your network.

For a list of the default applications and classifiers that WAAS will either optimize or pass through based on the policies that come bundled with the system, see the Cisco Wide Area Application Services Configuration Guide.

Before you create a new application policy, we recommend that you review the default policies and modify them as appropriate. It is usually easier to modify an existing policy than to create a new one.

WAAS takes the following actions based on the type of traffic it encounters:

TFO (Transport Flow Optimization)—A collection of optimization technologies such as automatic windows scaling, increased buffering, and selective acknowledgement that optimize all TCP traffic over your network.

RE (redundancy elimination)—A compression technology that reduces the size of transmitted data by removing redundant information before sending the shortened data stream over the WAN. RE operates on significantly larger streams and maintains a much larger compression history than Lempel-Ziv (LZ) compression.

LZ (compression)—Another compression technology that operates on smaller data streams and keeps limited compression history compared to RE.

Related Commands

(config) policy-engine application classifier

(config) policy-engine application map adaptor EPM

(config) policy-engine application map adaptor WAFS accept

(config) policy-engine application map adaptor WAFS transport

(config) policy-engine application map basic delete

(config) policy-engine application map basic insert

To insert a new basic (static) application policy map to the list of application policy maps on a WAE, use the policy-engine application map basic insert global configuration command.

policy-engine application map basic insert {first | last | pos pos} name app-name


Note We strongly recommend that you use the WAAS Central Manager GUI to centrally configure application policies for your WAEs. For more information, see the Cisco Wide Area Application Services Configuration Guide.


Syntax Description

first

Inserts the policy map at the beginning of the list.

last

Inserts the policy map at the end of the list.

pos

Inserts the policy map at a specific position in the list.

pos

The line number at which to insert the policy map.

name app-name

Specifies an already defined application name.


Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

The WAAS software comes with over 150 default application policies that help your WAAS system classify and optimize some of the most common traffic on your network.

For a list of the default applications and classifiers that WAAS will either optimize or pass through based on the policies that come bundled with the system, see the Cisco Wide Area Application Services Configuration Guide.

Before you create a new application policy, we recommend that you review the default policies and modify them as appropriate. It is usually easier to modify an existing policy than to create a new one.

WAAS takes the following actions based on the type of traffic it encounters:

TFO (Transport Flow Optimization)—A collection of optimization technologies such as automatic windows scaling, increased buffering, and selective acknowledgement that optimize all TCP traffic over your network.

RE (redundancy elimination)—A compression technology that reduces the size of transmitted data by removing redundant information before sending the shortened data stream over the WAN. RE operates on significantly larger streams and maintains a much larger compression history than Lempel-Ziv (LZ) compression.

LZ (compression)—Another compression technology that operates on smaller data streams and keeps limited compression history compared to RE.

Related Commands

(config) policy-engine application classifier

(config) policy-engine application map adaptor EPM

(config) policy-engine application map adaptor WAFS accept

(config) policy-engine application map adaptor WAFS transport

(config) policy-engine application map basic delete

(config) policy-engine application map basic disable

(config) policy-engine application map basic list

(config) policy-engine application map basic move

(config) policy-engine application map basic name

(config) policy-engine application map other optimize DRE

(config) policy-engine application map other optimize full

(config) policy-engine application map other pass-through

(config) policy-engine application name

(config) policy-engine application map basic list

To display a list of basic (static) application policy maps on a WAE, use the policy-engine application map basic list global configuration command.

policy-engine application map basic list [from pos [to pos] | to pos]


Note We strongly recommend that you use the WAAS Central Manager GUI to centrally configure application policies for your WAEs. For more information, see the Cisco Wide Area Application Services Configuration Guide.


Syntax Description

from

Starts the listing from the specified position.

to

Stops the listing at the specified position.

pos

The line number indicating the exact position of a policy map in the list.


Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

The WAAS software comes with over 150 default application policies that help your WAAS system classify and optimize some of the most common traffic on your network.

For a list of the default applications and classifiers that WAAS will either optimize or pass through based on the policies that come bundled with the system, see the Cisco Wide Area Application Services Configuration Guide.

Before you create a new application policy, we recommend that you review the default policies and modify them as appropriate. It is usually easier to modify an existing policy than to create a new one.

WAAS takes the following actions based on the type of traffic it encounters:

TFO (Transport Flow Optimization)—A collection of optimization technologies such as automatic windows scaling, increased buffering, and selective acknowledgement that optimize all TCP traffic over your network.

RE (redundancy elimination)—A compression technology that reduces the size of transmitted data by removing redundant information before sending the shortened data stream over the WAN. RE operates on significantly larger streams and maintains a much larger compression history than Lempel-Ziv (LZ) compression.

LZ (compression)—Another compression technology that operates on smaller data streams and keeps limited compression history compared to RE.

Related Commands

(config) policy-engine application classifier

(config) policy-engine application map adaptor EPM

(config) policy-engine application map adaptor WAFS accept

(config) policy-engine application map adaptor WAFS transport

(config) policy-engine application map basic delete

(config) policy-engine application map basic disable

(config) policy-engine application map basic insert

(config) policy-engine application map basic move

(config) policy-engine application map basic name

(config) policy-engine application map other optimize DRE

(config) policy-engine application map other optimize full

(config) policy-engine application map other pass-through

(config) policy-engine application name

(config) policy-engine application map basic move

To move the application policy with the basic policy map list based on only L3 or L4 parameters on a WAE, use the policy-engine application map basic global configuration command.

policy-engine application map basic move from pos to pos


Note We strongly recommend that you use the WAAS Central Manager GUI to centrally configure application policies for your WAEs. For more information, see the Cisco Wide Area Application Services Configuration Guide.


Syntax Description

from

Moves the policy at the specified line number.

to

Moves the policy to the specified line number.

pos

The line number indicating the exact position of a policy map in the list.


Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

The WAAS software comes with over 150 default application policies that help your WAAS system classify and optimize some of the most common traffic on your network.

For a list of the default applications and classifiers that WAAS will either optimize or pass through based on the policies that come bundled with the system, see the Cisco Wide Area Application Services Configuration Guide.

Before you create a new application policy, we recommend that you review the default policies and modify them as appropriate. It is usually easier to modify an existing policy than to create a new one.

WAAS takes the following actions based on the type of traffic it encounters:

TFO (Transport Flow Optimization)—A collection of optimization technologies such as automatic windows scaling, increased buffering, and selective acknowledgement that optimize all TCP traffic over your network.

RE (redundancy elimination)—A compression technology that reduces the size of transmitted data by removing redundant information before sending the shortened data stream over the WAN. RE operates on significantly larger streams and maintains a much larger compression history than Lempel-Ziv (LZ) compression.

LZ (compression)—Another compression technology that operates on smaller data streams and keeps limited compression history compared to RE.

Examples

To move a policy map from line 10 to line 16:

WAE(config)# policy-engine application map basic move from 10 to 16

Related Commands

(config) policy-engine application classifier

(config) policy-engine application map adaptor EPM

(config) policy-engine application map adaptor WAFS accept

(config) policy-engine application map adaptor WAFS transport

(config) policy-engine application map basic delete

(config) policy-engine application map basic disable

(config) policy-engine application map basic insert

(config) policy-engine application map basic list

(config) policy-engine application map basic name

(config) policy-engine application map other optimize DRE

(config) policy-engine application map other optimize full

(config) policy-engine application map other pass-through

(config) policy-engine application name

(config) policy-engine application map basic name

To configure the application policy with the basic policy map name, use the policy-engine application map basic name global configuration command.

policy-engine application map basic name app-name classifier classifier-name

policy-engine application map basic name app-name classifier classifier-name {
action {accelerate MS-port-mapper optimize {DRE {yes | no} compression {LZ | none} | full} | optimize {DRE {yes | no} compression {LZ | none} | full} | pass-through} |
disable action {accelerate MS-port-mapper optimize {DRE {yes | no}
compression {LZ | none} | full} | optimize {DRE {yes | no}
compression {LZ | none} | full} | pass-through}}}


Note We strongly recommend that you use the WAAS Central Manager GUI to centrally configure application policies for your WAEs. For more information, see the Cisco Wide Area Application Services Configuration Guide.


Syntax Description

app-name

Application name.

classifier classifier-name

Specifies the name of the application traffic classifier.

action

Specifies whether to optimize the traffic or allow it to pass through.

delete line-number

Deletes the application policy map specified by the line number.

accelerate MS-port-mapper

Accelerates the traffic using a the Microsoft EndPoint Port Mapper (EPM).

optimize

Applies general optimization.

DRE {yes | no}

Enables or disables DRE optimization.

compression {LZ | none}

Applies Lempel-Ziv (LZ) compression or no compression.

full

Applies full generic optimization.

pass-through

Allows traffic pass through without any optimization.

disable action

Disables optimization or pass-through.


Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

The WAAS software comes with over 150 default application policies that help your WAAS system classify and optimize some of the most common traffic on your network.

For a list of the default applications and classifiers that WAAS will either optimize or pass through based on the policies that come bundled with the system, see the Cisco Wide Area Application Services Configuration Guide.

Before you create a new application policy, we recommend that you review the default policies and modify them as appropriate. It is usually easier to modify an existing policy than to create a new one.

WAAS takes the following actions based on the type of traffic it encounters:

TFO (Transport Flow Optimization)—A collection of optimization technologies such as automatic windows scaling, increased buffering, and selective acknowledgement that optimize all TCP traffic over your network.

RE (redundancy elimination)—A compression technology that reduces the size of transmitted data by removing redundant information before sending the shortened data stream over the WAN. RE operates on significantly larger streams and maintains a much larger compression history than LZ compression.

LZ (compression)—Another compression technology that operates on smaller data streams and keeps limited compression history compared to RE.

Related Commands

(config) policy-engine application classifier

(config) policy-engine application map adaptor EPM

(config) policy-engine application map adaptor WAFS accept

(config) policy-engine application map adaptor WAFS transport

(config) policy-engine application map basic delete

(config) policy-engine application map basic disable

(config) policy-engine application map basic insert

(config) policy-engine application map basic list

(config) policy-engine application map basic move

(config) policy-engine application map other optimize DRE

(config) policy-engine application map other optimize full

(config) policy-engine application map other pass-through

(config) policy-engine application name

(config) policy-engine application map other optimize DRE

To configure the optimize DRE action on non-classified traffic on a WAE, use the policy-engine application map other optimize DRE global configuration command.

policy-engine application map other optimize DRE {yes | no} compression {LZ | none}


Note We strongly recommend that you use the WAAS Central Manager GUI to centrally configure application policies for your WAEs. For more information, see the Cisco Wide Area Application Services Configuration Guide.


Syntax Description

yes

Applies the optimize DRE action on non-classified traffic.

no

Does not apply the optimize DRE action on non-classified traffic.

compression

Applies the specified compression.

LZ

Applies the Lempel-Ziv (LZ) compression.

none

Applies no compression.


Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

The WAAS software comes with over 150 default application policies that help your WAAS system classify and optimize some of the most common traffic on your network.

For a list of the default applications and classifiers that WAAS will either optimize or pass through based on the policies that come bundled with the system, see the Cisco Wide Area Application Services Configuration Guide.

Before you create a new application policy, we recommend that you review the default policies and modify them as appropriate. It is usually easier to modify an existing policy than to create a new one.

WAAS takes the following actions based on the type of traffic it encounters:

TFO (Transport Flow Optimization)—A collection of optimization technologies such as automatic windows scaling, increased buffering, and selective acknowledgement that optimize all TCP traffic over your network.

RE (redundancy elimination)—A compression technology that reduces the size of transmitted data by removing redundant information before sending the shortened data stream over the WAN. RE operates on significantly larger streams and maintains a much larger compression history than LZ compression.

LZ (compression)—Another compression technology that operates on smaller data streams and keeps limited compression history compared to RE.

Examples

To configure the optimize DRE action on non-classified traffic with no compression:

WAE(config)# policy-engine application map other optimize DRE yes compression none

Related Commands

(config) policy-engine application classifier

(config) policy-engine application map adaptor EPM

(config) policy-engine application map adaptor WAFS accept

(config) policy-engine application map adaptor WAFS transport

(config) policy-engine application map basic delete

(config) policy-engine application map basic disable

(config) policy-engine application map basic insert

(config) policy-engine application map basic list

(config) policy-engine application map basic move

(config) policy-engine application map basic name

(config) policy-engine application map other optimize full

(config) policy-engine application map other pass-through

(config) policy-engine application name

(config) policy-engine application map other optimize full

To configure the application policy on non-classified traffic with the optimize full action, use the policy-engine application map other optimize full global configuration command.

policy-engine application map other optimize full


Note We strongly recommend that you use the WAAS Central Manager GUI to centrally configure application policies for your WAEs. For more information, see the Cisco Wide Area Application Services Configuration Guide.


Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

The WAAS software comes with over 150 default application policies that help your WAAS system classify and optimize some of the most common traffic on your network.

For a list of the default applications and classifiers that WAAS will either optimize or pass through based on the policies that come bundled with the system, see the Cisco Wide Area Application Services Configuration Guide.

Before you create a new application policy, we recommend that you review the default policies and modify them as appropriate. It is usually easier to modify an existing policy than to create a new one.

WAAS takes the following actions based on the type of traffic it encounters:

TFO (Transport Flow Optimization)—A collection of optimization technologies such as automatic windows scaling, increased buffering, and selective acknowledgement that optimize all TCP traffic over your network.

RE (redundancy elimination)—A compression technology that reduces the size of transmitted data by removing redundant information before sending the shortened data stream over the WAN. RE operates on significantly larger streams and maintains a much larger compression history than Lempel-Ziv (LZ) compression.

LZ (compression)—Another compression technology that operates on smaller data streams and keeps limited compression history compared to RE.

Related Commands

(config) policy-engine application classifier

(config) policy-engine application map adaptor EPM

(config) policy-engine application map adaptor WAFS accept

(config) policy-engine application map adaptor WAFS transport

(config) policy-engine application map basic delete

(config) policy-engine application map other optimize DRE

(config) policy-engine application map other pass-through

(config) policy-engine application name

(config) policy-engine application map other pass-through

To configure the application policy on non-classified traffic with the pass-through action on a WAE, use the policy-engine application map other pass-through global configuration command.

policy-engine application map other pass-through


Note We strongly recommend that you use the WAAS Central Manager GUI to centrally configure application policies for your WAEs. For more information, see the Cisco Wide Area Application Services Configuration Guide.


Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

The WAAS software comes with over 150 default application policies that help your WAAS system classify and optimize some of the most common traffic on your network.

For a list of the default applications and classifiers that WAAS will either optimize or pass through based on the policies that come bundled with the system, see the Cisco Wide Area Application Services Configuration Guide.

Before you create a new application policy, we recommend that you review the default policies and modify them as appropriate. It is usually easier to modify an existing policy than to create a new one.

WAAS takes the following actions based on the type of traffic it encounters:

TFO (Transport Flow Optimization)—A collection of optimization technologies such as automatic windows scaling, increased buffering, and selective acknowledgement that optimize all TCP traffic over your network.

RE (redundancy elimination)—A compression technology that reduces the size of transmitted data by removing redundant information before sending the shortened data stream over the WAN. RE operates on significantly larger streams and maintains a much larger compression history than Lempel-Ziv (LZ) compression.

LZ (compression)—Another compression technology that operates on smaller data streams and keeps limited compression history compared to RE.

Related Commands

(config) policy-engine application map basic delete

(config) policy-engine application map basic disable

(config) policy-engine application map basic insert

(config) policy-engine application map basic list

(config) policy-engine application map basic move

(config) policy-engine application map basic name

(config) policy-engine application map basic name

(config) policy-engine application map other optimize full

(config) policy-engine application name

To create a new application definition that specifies general information about an application on a WAE, use the policy-engine application name global configuration command. To delete the application definition, use the no form of this command.

policy-engine application name app-name


Note We strongly recommend that you use the WAAS Central Manager GUI to centrally configure application policies for your WAEs. For more information, see the Cisco Wide Area Application Services Configuration Guide.


Syntax Description

app-name

The application name (up to 30 characters). The name cannot contain spaces or special characters.


Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

This command allows you to create a new application name that can be used later to gather statistics about an application. Deleting an application name fails if there are policies using this name. Successful deletion clears all statistics that were once associated with this application.


Note There is a limitation of 256 different application names.


The WAAS software comes with over 150 default application policies that help your WAAS system classify and optimize some of the most common traffic on your network.

For a list of the default applications and classifiers that WAAS will either optimize or pass through based on the policies that come bundled with the system, see the Cisco Wide Area Application Services Configuration Guide.

Before you create a new application policy, we recommend that you review the default policies and modify them as appropriate. It is usually easier to modify an existing policy than to create a new one.

WAAS takes the following actions based on the type of traffic it encounters:

TFO (Transport Flow Optimization)—A collection of optimization technologies such as automatic windows scaling, increased buffering, and selective acknowledgement that optimize all TCP traffic over your network.

RE (redundancy elimination)—A compression technology that reduces the size of transmitted data by removing redundant information before sending the shortened data stream over the WAN. RE operates on significantly larger streams and maintains a much larger compression history than Lempel-Ziv (LZ) compression.

LZ (compression)—Another compression technology that operates on smaller data streams and keeps limited compression history compared to RE.

Examples

To create an application definition for the Payroll application, enter this command:

WAE(config)# policy-engine application name Payroll

Related Commands

(config) policy-engine application classifier

(config) policy-engine application map adaptor EPM

(config) policy-engine application map adaptor WAFS accept

(config) policy-engine application map adaptor WAFS transport

(config) policy-engine application map basic delete

(config) policy-engine application map basic disable

(config) policy-engine application map basic insert

(config) policy-engine application map basic list

(config) policy-engine application map basic move

(config) policy-engine application map basic name

(config) policy-engine application map basic name

(config) policy-engine application map other optimize DRE

(config) policy-engine application map other optimize full

(config) policy-engine application map other pass-through

(config) policy-engine config

To replace application policy configurations with factory defaults (including the application names, classifiers, and policy maps) on a WAE, use the policy-engine config restore-predefined global configuration command. To remove the application policy configurations all together and reset other changed configuration, use the policy-engine config remove-all global configuration command. This action includes but is not limited to the following:

Remove all application names except "other."

Remove all classifiers.

Remove all policy maps.

Reset the default action to pass-through.

policy-engine config restore-predefined

policy-engine config remove-all


Note We strongly recommend that you use the WAAS Central Manager GUI to centrally configure application policies for your WAEs. For more information, see the Cisco Wide Area Application Services Configuration Guide.


Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

The WAAS software comes with over 150 default application policies that help your WAAS system classify and optimize some of the most common traffic on your network.

For a list of the default applications and classifiers that WAAS will either optimize or pass through based on the policies that come bundled with the system, see the Cisco Wide Area Application Services Configuration Guide.

Before you create a new application policy, we recommend that you review the default policies and modify them as appropriate. It is usually easier to modify an existing policy than to create a new one.

WAAS takes the following actions based on the type of traffic it encounters:

TFO (Transport Flow Optimization)—A collection of optimization technologies such as automatic windows scaling, increased buffering, and selective acknowledgement that optimize all TCP traffic over your network.

RE (redundancy elimination)—A compression technology that reduces the size of transmitted data by removing redundant information before sending the shortened data stream over the WAN. RE operates on significantly larger streams and maintains a much larger compression history than Lempel-Ziv (LZ) compression.

LZ (compression)—Another compression technology that operates on smaller data streams and keeps limited compression history compared to RE.

Related Commands

show policy-engine status

(config) port-channel

To configure the port channel load-balancing options on a WAAS device, use the port-channel global configuration command. Use the no form of this command to set load balancing on the port channel to its default method.

port-channel load-balance {dst-ip | dst-mac | round-robin}

Syntax Description

load-balance

Configures the load-balancing method.

dst-ip

Load-balancing method using destination IP addresses.

dst-mac

Load-balancing method using destination MAC addresses.

round-robin

Load-balancing method using round-robin sequential, cyclical resource allocation.


Defaults

Round-robin is the default load-balancing method.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

The port-channel load-balance command configures one of three load-balancing algorithms and provides flexibility in choosing interfaces when an Ethernet frame is sent. The round-robin option allows evenly balanced usage of identical network interfaces in a channel group. Because this command takes effect globally, if two channel groups are configured, they must use the same load-balancing option.

Examples

The following example configures destination IP load balancing on a port channel and then disables it:

WAE(config)# port-channel load-balance dst-ip
WAE(config)# no port-channel load-balance

(config) primary-interface

To configure the primary interface for a WAAS device, use the primary-interface command in global configuration mode. Use the no form of the command to remove the configured primary interface.

primary-interface {GigabitEthernet 1-2/port | PortChannel 1-2 | Standby group_num}

Syntax Description

GigabitEthernet

Selects a Gigabit Ethernet interface as the primary interface of the WAAS device.

1-2/

Gigabit Ethernet slot number 1 or 2.

port

Port number of the Gigabit Ethernet interface.

PortChannel

Selects a Port Channel interface as the primary interface of the WAAS device.

1-2

Port Channel number 1 or 2.

Standby

Selects a standby group as the primary interface of the WAAS device.

group_num

Standby group number, 1-4.


Defaults

The default primary interface is the Gigabit Ethernet 1/0 interface. If this is not configured, then the first operational interface on which a link beat is detected becomes the default primary interface. Interfaces with lower-number IDs are polled first (for example, Gigabit Ethernet 1/0 is checked before 2/0). The Gigabit Ethernet interfaces are polled before the Port Channel interfaces.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

The primary-interface global configuration command permits the administrator to specify the primary interface for the WAAS device.

The primary interface can be changed without disabling the WAAS device. To change the primary interface, reenter the command string and specify a different interface.


Note If you use the restore factory-default preserve basic-config command, the configuration for the primary interface is not preserved. If you want to reenable the WAAS device after using the restore factory-default preserve basic-config command, make sure to reconfigure the primary interface after the factory defaults are restored.


Setting the primary interface to be a Standby group does not imply that Standby functionality is available. You must configure relevant Standby interfaces using the interface standby global configuration command.

Examples

The following example shows how to specify the Gigabit Ethernet slot 1 port 0 as the primary interface on a WAAS device:

WAE(config)# primary-interface GigabitEthernet 1/0

The following example shows how to specify the Gigabit Ethernet slot 2 port 0 as the primary interface on a WAAS device:

WAE(config)# primary-interface GigabitEthernet 2/0

Related Commands

(config) interface

(config) print-services

To enable print services and designate a group name for administrators allowed configuration access on a WAAS device, use the print-services global configuration command. Use the no form of this command to disable print services on a WAAS device or to clear the administrative group.

print-services {enable | admin-group admin-group-name | guest-print enable}

Syntax Description

enable

Enables print services on the WAAS device.

admin-group

Configures a group of administrators with print services configuration privileges.

admin-group-name

Name of the administrative group, up to127 characters. No spaces are allowed.

guest-print enable

Enables the guest print service. Guest printing allows any user to print to the WAAS print server.

Note This option is available only in the application-accelerator device mode.


Defaults

By default, print services are disabled and no administrative group is defined (admin-group-name is null).

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

WAAS print services are typically enabled on WAEs residing in branch offices. The WAE acts as a print server and services requests from multiple clients for access to multiple printers. The WAAS print services feature enables administrators to perform the following print-related tasks.

Add, modify, and delete printers from the printer list

Add, modify, and delete a group of printers (Printer Cluster)

View and control print jobs

Monitor the status of individual printers

Perform diagnostics and troubleshooting

Install client printer driver from the print server

Download log files using FTP

Enforce printing quotas (1 GB total for spooling)

Allow any user to print to the WAAS print server

From the WAAS CLI, you can start and stop WAAS print services, configure a print services administrative group, and debug the print spooler. WAAS print services provide an alternative to Windows print services.

Starting and Stopping Print Services

When the print-services enable command is executed, the following sequence of events occurs:

The node manager starts the CUPS process (cupsd), checking every second for an updated timestamp in the printcap file.

CUPS must start within 30 seconds or print services are not enabled, and a "CUPS fails to start" message is logged by the node manager.

The node manager starts the Samba process (smbd).

If Samba could not be started, a "Samba fails to start" message is logged by the node manager. CUPS is not stopped.

Success messages are logged by the node manager.

The DataServer value (cfg/print-services/enable) is set to one.

Stopping print services is accomplished using the no print-services enable command. Entering this command causes the following sequence of events:

The node manager stops the Samba process (smbd).

The node manager stops the CUPS process (cupsd).

The corresponding DataServer value is set to zero.

Configuring the Print Services Administrative Group

You can define a set of administrators to have control over WAAS print services on a particular Edge WAE using the print-services admin-group command. When this command is entered, the following events occur:

The smb.conf file is updated with the specified administrative group.

If the update fails, and the print services administrative group can be returned to its original value, the error message "Failed to configure print-services admin group" is displayed. If the update fails, and the print services administrative group cannot be returned to its original value, two error messages, "Failed to configure print-services admin group." and "Failed to revert back the print-services admin group changes." are displayed.

The cupsd.conf file is updated with the specified administrative group.

If the update fails, the old setting is restored, the changes to the smb.conf file are reverted, and the error message: "Failed to configure print-services admin group" is displayed. If the update fails and the old setting cannot be restored, two error messages, "Failed to configure print-services admin group." and "Failed to revert back the print-services admin group changes." are displayed.

The DataServer value (/cfg/print-services/administrators) is updated with the specified administrative group.

If setting the DataServer value fails, both configurations of smb.conf and cupsd.conf are reverted, and an error message is displayed.

You can delete a print services administrative group using the no print-services admin-group command. When this command is executed, the following events occur:

The smb.conf setting is cleared.

If the clear fails, the old setting is restored and the error message "Failed to configure print-services admin group" is displayed. If the clear fails and the old setting cannot be restored, two error messages, "Failed to configure print-services admin group." and "Failed to revert back the print-services admin group changes." are displayed.

The cupsd.conf file is modified to clear the admin group setting.

If the clear fails, the old setting is restored, and changes in the smb.conf are reverted, the error message "Failed to configure print-services admin group" is displayed. If the clear fails and the old setting cannot be restored, two error messages, "Failed to configure print-services admin group." and "Failed to revert back the print-services admin group changes." are displayed.

The corresponding DataServer value is cleared.

If clearing the DataServer value fails, both configurations of smb.conf and cupsd.conf are reverted, and an error message is displayed.

The Samba and CUPS processes must be manually restarted for this change to take effect.

Examples

The following example enables print services on a WAAS device:

WAE(config)# print-services enable

The following example adds a print services administrative group called printAdmins:

WAE(config)# print-services admin-group printAdmins
The new print-services administrator group is configured successfully. Please restart 
print services for the change to take effect.
WAE(config)# no print-services enable
WAE(config)# print-services enable

The following example removes the print service's administrative group from the WAAS device:

WAE(config)# no print-services admin-group printAdmins
The print-services administrator group is removed successfully. Please restart print 
services for the change to take effect.
WAE(config)# no print-services enable
WAE(config)# print-services enable

Related Commands

debug

show print-services

show running-config

show startup-config

(config) radius-server

To configure RADIUS authentication parameters on a WAAS device, use the radius-server command in global configuration mode. To disable RADIUS authentication parameters, use the no form of this command. To disable RADIUS authentication parameters, use the no form of this command.

radius-server {host hostname | hostipaddr [primary] | key keyword | retransmit retries | timeout seconds}

Syntax Description

host

Specifies a RADIUS server. You can specify up to 5 servers.

hostname

Hostname of the RADIUS server.

hostipaddr

IP address of the RADIUS server.

primary

(Optional) Sets the server as the primary server.

key

Encryption key shared with the RADIUS servers.

keyword

Text of the shared key (15 characters maximum).

retransmit

Specifies the number of transmission attempts to an active server.

retries

Number of transmission attempts for a transaction (1-3). The default is 2.

timeout

Time to wait for a RADIUS server to reply.

seconds

Wait time in seconds (1-20). The default is 5 seconds.


Defaults

retransmit retries: 2

timeout seconds: 5

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

RADIUS is a client/server authentication and authorization access protocol used by a NAS to authenticate users attempting to connect to a network device. The NAS functions as a client, passing user information to one or more RADIUS servers. The NAS permits or denies network access to a user based on the response it receives from one or more RADIUS servers. RADIUS uses UDP for transport between the RADIUS client and server.

You can configure a RADIUS key on the client and server. If you configure a key on the client, it must be the same as the one configured on the RADIUS servers. The RADIUS clients and servers use the key to encrypt all RADIUS packets transmitted. If you do not configure a RADIUS key, packets are not encrypted. The key itself is never transmitted over the network.


Note For more information about how the RADIUS protocol operates, refer to RFC 2138, Remote Authentication Dial In User Service (RADIUS).


RADIUS authentication usually occurs when an administrator first logs in to the WAAS device to configure the WAE for monitoring, configuration, or troubleshooting purposes.

RADIUS authentication is disabled by default. You can enable RADIUS authentication and other authentication methods at the same time. You can also specify which method to use first.

Enabling and Disabling Administrative Login Authentication and Authorization Through RADIUS

When configuring a WAAS device to use RADIUS to authenticate and authorize administrative login requests, follow these guidelines.

By default, RADIUS authentication and authorization is disabled on the WAAS device.

Before enabling RADIUS authentication on the WAAS device, you must specify at least one RADIUS server for the WAAS device to use.

You can enable RADIUS authentication and other authentication methods at the same time. You can specify which method to use first using the primary keyword. When local authentication is disabled, if you disable all other authentication methods, local authentication is reenabled automatically.

You can use the WAAS GUI or the CLI to enable RADIUS authentication and authorization on a WAAS device.

To enable RADIUS authentication and authorization on a WAAS device, follow these steps.


Step 1 Use the authentication login radius global configuration command to enable RADIUS authentication for normal login mode.

WAE(config)# authentication login radius enable [primary] [secondary] [tertiary]

For example, to force the WAAS device to try RADIUS authentication first (to try it before using local, TACACS+, or Windows domain authentication), enter the following command.

WAE(config)# authentication login radius enable primary

Step 2 Use the authentication configuration radius global configuration command to enable RADIUS authorization.

WAE(config)# authentication configuration radius enable [primary] [secondary] [tertiary]

For example, to force the WAAS device to try RADIUS authorization first (to try it before using TACACS+ authorization), enter the following command:

WAE(config)# authentication configuration radius enable primary


To disable RADIUS authentication and authorization on a WAAS device, use the no form of the authentication global configuration command (for example, use the no authentication login radius enable command to disable RADIUS authentication).

Examples

The following example specifies a RADIUS server, specifies the RADIUS key, and accepts retransmit defaults. Configuration can be verified with the show radius-server command.

WAE(config)# radius-server host 172.16.90.121 
WAE(config)# radius-server key myradiuskey
WAE# show radius-server
Radius Configuration:
---------------------
Radius Authentication is on
    Timeout       = 5
    Retransmit    = 3
    Key           = ****
    Servers
    -------

Related Commands

show radius-server

(config) smb-conf

To manually configure the parameters for a WAAS device's Samba configuration file, smb.conf, use the smb-conf global configuration command. To return a parameter to its default value, use the no form of this command.

smb-conf section {global | print$ | printers} name attr-name value attr-value [service print]

Syntax Description

global

Specify one of the global print parameters.

print$

Specify one of the print$ parameters.

printers

Specify one of the printers parameters.

name

Specify the name of the parameter in the specified section that you want to manually configure.

attr-name

Parameter name, up to 80 characters.

value

Specify the value of the parameter.

attr-value

Parameter value, up to 255 characters.

service print

(Optional) Updates the Samba configuration file for print services. Without this option, the smb-conf command updates the Samba configuration file that is used for windows authentication.


See the table below in the "" section below for a description of the global, print$, and printers parameters, including names and default values.

Defaults

No default behavior or values

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

The smb.conf file contains a variety of print related parameters, as described in the table below.

The global parameters apply to the server as a whole. Service level parameters that define default settings for all other sections and shares are included in this set of parameters. This avoids the need to set the same value repeatedly. You can override these globally set share settings and specify other values for each individual section or share. The print$ parameters apply to the printers. The printers parameters apply to the shares. They make it possible to share all printers with minimal configuration. These parameters apply as default to all printers.

Parameter Name
Default Value
Parameter Description
global parameters

idmap uid

70000-200000

Range of user IDs allocated for mapping UNIX users to NT user SIDs.

idmap gid

70000-200000

Range of group IDs allocated for mapping UNIX groups to NT group SIDs.

winbind enum users

no

Do not enumerate domain users using MSRPC.

winbind enum groups

no

Do not enumerate domain groups using MSRPC.

winbind cache time

10

Time that domain user or group information remains in the cache before expiring.

winbind use default domain

yes

Use default domain for users and groups.

printcap name

cups

Use CUPS to determine available printer names.

load printers

yes

Automatically create all available printer shares.

printing

cups

Use CUPS-compatible print commands.

cups options

raw

Sets the format of the print output to raw.

force printername

yes

Enforce the same printer name specified in the CUPS GUI to be used as the printer name in Samba.

lpq cache time

0

Controls the cache time for the results of the lpq command.

log file

/local/local1/errorlog/samba.log

Location where print-related errors are logged.

max log size

50

Maximum number of errors the log file can contain. After 50 errors, for each new error logged, the oldest error is removed.

socket options

TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

Set controls on the network layer of the operating system to allow the connection with the client to be tuned. This option is typically used to tune your Samba server for optimal performance for your local network.

smb ports

50139

Available ports on the Samba server.

local master

no

Sets nmbd to be a local master browser on a subnet.

domain master

no

Sets nmbd to be a domain master browser for its given workgroup.

preferred master

no

Sets nmbd to be a preferred master browser for its workgroup

dns proxy

no

DNS proxy is not enabled.

template homedir

/local/local1/

Home directory on File Engine or WAE.

template shell

/admin-shell

Directory of the administrative shell.

comment

Comment:

Optional description of print server (or share) that is visible when a client queries the server. Can also be set by the windows-domain comment command.

netbios name

MYFILEENGINE

Name of the Samba server hosting print services. Can also be set by the windows-domain netbios-name command.

realm

CISCO

Active Directory domain name. Always uppercase. Can also be set by the windows-domain realm command.

wins server

10.10.10.1

IP address of the Windows domain server used to authenticate user access to print services. Can also be set by the windows-domain wins-server command.

password server

10.10.10.10

Optional IP address of the password server used for authentication of users. Can also be set by the windows-domain password-server command.

security

domain

Use Windows domain server for authentication. Can also be set by the windows-domain security command.

client schannel

no

Secure channel indicator used for Windows domain server authentication.

ldap ssl

on

Defines whether or not Samba should use SSL when connecting to the LDAP server. Default is to always use SSL when contacting the LDAP server. If set to "off," SSL is never used when querying the directory server. If set to "start_tls," LDAPv3 StartTLS extended operation (RFC2830) is used for communicating with the directory server.

print$ Parameters

path

/state/samba/printers

Location of printer list.

guest ok

yes

A password is not required to connect to the printer.

browseable

yes

Allows the printer to be visible in the list of printers.

read only

yes

Prevents users from creating or modifying the printer list.

write list

root

Allows the printer administrator (root user) to modify the printer list.

printers Parameters

path

/local/local1/spool/samba

Location where incoming files are spooled for printing.

browseable

no

Always set to no if printable = yes. It makes the printer share invisible in the list of available shares.

guest ok

yes

A password is not required to connect to the printer's service.

writable

no

Prevents users from creating or modifying files in the print service directory.

printable

yes

Allows connected clients to open, write to and submit spool files into the directory specified with the path parameter for printing. Used by Samba to differentiate printer shares from file shares. If this is set to no, printing is not allowed.

printer admin

root

Lets the print administrator (root user) add drivers and set printer properties.


Examples

The following example shows how to change the maximum size of the Samba error log file from the default of 50 errors to 75 errors:

WAE# smb-conf global max log size 75


The following example shows how to change the realm from the default of CISCO to MYCOMPANYNAME:

WAE# smb-conf global realm MYCOMPANYNAME

The following example shows how to enable and then disable LDAP server signing:

WAE# smb-conf global name "ldap ssl" value "start_tls"

Related Commands

show smb-conf

windows-domain

(config) windows-domain

(config) snmp-server access-list

To configure a standard access control list on a WAAS device to allow access through an SNMP agent, use the snmp-server access-list global configuration command. Use the no form of this command to remove a standard access control list.

snmp-server access-list {num | name}

Syntax Description

num

Standard access list number (1-99).

name

Standard access list name, up to a maximum of 30 characters.


Defaults

No default behavior or values

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

The snmp-server access-list number global configuration command configures an access control list to allow access to an SNMP agent. The number variable is a number in the range 1 to 99, indicating a standard access control list. SNMP checks against the specified access control list before accepting or dropping incoming packets.

Examples

The following example allows the SNMP agent to check against access control list 12 before accepting or dropping packets:

WAE(config)# snmp-server access-list 12


Note You must first create access list 12 using the ip access-list standard global configuration command.


Related Commands

(config) ip access-list

show running-config

(config) snmp-server community

To enable the SNMP agent on a WAAS device and to set up the community access string to permit access to the SNMP agent, use the snmp-server community global configuration command. Use the no form of this command to disable the SNMP agent and to remove the previously configured community string.

snmp-server community string [group groupname | rw]

Syntax Description

string

Community string that acts like a password and permits access to the SNMP agent. Supports up to a maximum of 64 characters.

group

(Optional) Specifies the group to which the community string belongs.

groupname

Name of the group. Supports up to a maximum of 64 characters.

rw

(Optional) Enables read-write access to this community string.


Defaults

The SNMP agent is disabled and a community string is not configured. When configured, an SNMP community string by default permits read-only access to all objects.

Usage Guidelines

The SNMP community string is used as a password for authentication when accessing the SNMP agent on the WAE. To be authenticated, the Community Name field of any SNMP message sent to the WAAS device must match the SNMP community string defined on the WAAS device.

The SNMP agent on the WAAS device is enabled when an SNMP community string is defined on the WAAS device. The maximum number of SNMP communities that can be created is 10.

The snmp-server community string global configuration command provides view-based access control for SNMPv1, SNMPv2c, and SNMPv3, yet continues to provide backward compatibility between different versions.


Tip Any SNMP message sent to the WAAS device must have the "Community Name" field of the message match the community string defined here to be authenticated.


It is possible to configure a community string that grants access to only part of the MIB subtree. To provide backward compatibility with previous versions of this command, a default read group or default write group (if the rw option is specified on the command line) is associated with the community string if no group name is specified. Both of these default groups are hidden from users and not displayed in the configuration file or in the show snmp group EXEC command, but are created during initialization of the SNMP agent.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Examples

The following example enables the SNMP agent and assigns the community string comaccess to SNMP:

WAE(config)# snmp-server community comaccess

The following example disables the SNMP agent and removes the previously defined community string:

WAE(config)# no snmp-server community

Related Commands

(config) snmp-server community

(config) snmp-server contact

(config) snmp-server enable traps

(config) snmp-server group

(config) snmp-server host

(config) snmp-server location

(config) snmp-server mib

(config) snmp-server notify inform

(config) snmp-server user

(config) snmp-server view

snmp trigger

(config) snmp-server contact

To set the system server contact string on a WAAS device, use the snmp-server contact global configuration command. Use the no form of this command to remove the system contact information.

snmp-server contact line

Syntax Description

contact

Specifies text for MIB-II object sysContact.

line

Identification of the contact person for this managed node.


Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Defaults

No system contact string is set.

Usage Guidelines

The system contact string is the value stored in the MIB-II system group sysContact object.

Examples

The following example sets a system contact string and then removes it:

WAE(config)# snmp-server contact Dial System Operator at beeper # 27345

WAE(config)# no snmp-server contact

Related Commands

(config) snmp-server community

(config) snmp-server enable traps

(config) snmp-server group

(config) snmp-server host

(config) snmp-server location

(config) snmp-server mib

(config) snmp-server notify inform

(config) snmp-server user

(config) snmp-server view

snmp trigger

(config) snmp-server enable traps

To enable the WAAS device to send SNMP traps, use the snmp-server enable traps global configuration command. Use the no form of this command to disable all SNMP traps or only SNMP authentication traps.

snmp-server enable traps [alarm [clear-critical | clear-major | clear-minor | raise-critical | raise-major | raise-minor] | config | content-engine [disk-fail | disk-read | disk-write | overload-bypass | transaction-log] | entity | event | snmp [authentication | cold-start] | wafs [cslog | eslog | mgrlog]]

Syntax Description

alarm

(Optional) Enables WAAS alarm traps.

clear-critical

(Optional) Enables clear-critical alarm trap.

clear-major

(Optional) Enables clear-major alarm trap.

clear-minor

(Optional) Enables clear-minor alarm trap.

raise-critical

(Optional) Enables raise-critical alarm trap.

raise-major

(Optional) Enables raise-major alarm trap.

raise-minor

(Optional) Enables raise-minor alarm trap.

config

(Optional) Enables CiscoConfigManEvent traps.

content-engine

(Optional) Enables SNMP WAAS traps.

disk-fail

(Optional) Enables disk failure error trap.

disk-read

(Optional) Enables disk read error trap.

disk-write

(Optional) Enables disk write error trap.

overload-bypass

(Optional) Enables WCCP overload bypass error trap.

transaction-log

(Optional) Enables transaction log write error trap.

entity

(Optional) Enables SNMP entity traps.

event

(Optional) Enables Event MIB traps.

snmp

(Optional) Enables SNMP-specific traps.

authentication

(Optional) Enables authentication trap.

cold-start

(Optional) Enables cold start trap.

wafs

(Optional) Enables all WAFS-specific traps.

cslog

(Optional) Enables the CS log traps.

eslog

(Optional) Enables the ES log traps.

mgrlog

(Optional) Enables the Manager log traps.


Defaults

This command is disabled by default. No traps are enabled.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

You can configure a WAAS device to generate an SNMP trap for a specific alarm condition. You can configure the generation of SNMP alarm traps on the WAAS device based on the following:

The severity of the alarm (critical, major, or minor)

The action (the alarm is raised or cleared).

In the WAAS software release, the following six generic alarm traps are available in the CISCO-CONTENT-ENGINE-MIB.

Name of Alarm Trap
Severity
Action

cceAlarmCriticalRaised

Critical

Raised

cceAlarmCriticalCleared

Critical

Cleared

cceAlarmMajorRaised

Major

Raised

cceAlarmMajorCleared

Major

Cleared

cceAlarmMinorRaised

Minor

Raised

cceAlarmMinorCleared

Minor

Cleared



Note By default, these six general alarm traps are disabled.


These six general alarm traps provide SNMP and Node Health Manager integration. Each of these six alarm traps can be enabled or disabled through the WAAS CLI.

To configure traps, you must enter the snmp-server enable traps command. If you do not enter an snmp-server enable traps command, no traps are sent.

The snmp-server enable traps command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP traps. To send traps, you must configure at least one host using the snmp-server host command.

For a host to receive a trap, both the snmp-server enable traps command and the snmp-server host command for that host must be enabled.

In addition, SNMP must be enabled with the snmp-server community command.

To disable the sending of the MIB-II SNMP authentication trap, you must enter the command no snmp-server enable traps snmp authentication.

Examples

The following example enables the WAAS device to send all traps to the host 172.31.2.160 using the community string public:

WAE(config)# snmp-server enable traps
WAE(config)# snmp-server host 172.31.2.160 public

The following example disables all traps:

WAE(config)# no snmp-server enable traps

Related Commands

(config) snmp-server community

(config) snmp-server contact

(config) snmp-server group

(config) snmp-server host

(config) snmp-server location

(config) snmp-server mib

(config) snmp-server notify inform

(config) snmp-server user

(config) snmp-server view

snmp trigger

(config) snmp-server group

To define a user security model group for a WAAS device, use the snmp-server group global configuration command. Use the no form of this command to remove the specified group.

snmp-server group name {v1 [notify name] [read name] [write name] | v2c [notify name] [read name] [write name] | v3 {auth [notify name] [read name] [write name] | noauth [notify name] [read name] [write name] | priv [notify name] [read name] [write name]}}

Syntax Description

name

Name of the SNMP group. Supports up to a maximum of 64 characters.

v1

Specifies the group using the Version 1 Security Model.

notify

(Optional) Specifies a notify view for the group that enables you to specify a notify, inform, or trap.

name

Notify view name. Supports up to a maximum of 64 characters.

read

(Optional) Specifies a read view for the group that enables you only to view the contents of the agent.

name

Read view name. Supports up to a maximum of 64 characters.

write

(Optional) Specifies a write view for the group that enables you to enter data and configure the contents of the agent.

name

Write view name. Supports up to a maximum of 64 characters.

v2c

Specifies the group using the Version 2c Security Model.

v3

Specifies the group using the User Security Model (SNMPv3).

auth

Specifies the group using the AuthNoPriv Security Level.

noauth

Specifies the group using the noAuthNoPriv Security Level.

priv

Specifies the group using the AuthPriv Security Level.


Defaults

The default is that no user security model group is defined.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

The maximum number of SNMP groups that can be created is 10.

Select one of three SNMP security model groups: Version 1 (v1) Security Model, Version 2c (v2c) Security Model, or the User Security Model (v3 or SNMPv3). Optionally, you then specify a notify, read, or write view for the group for the particular security model chosen. The v3 option allows you to specify the group using one of three security levels: auth (AuthNoPriv Security Level), noauth (noAuthNoPriv Security Level), or priv (AuthPriv Security Level).

WAAS software supports the following versions of SNMP:

Version 1 (SNMPv1)—This is the initial implementation of SNMP. See the RFC 1157 for a full description of its functionality.

Version 2 (SNMPv2c)—This is the second release of SNMP, described in RFC 1902. It provides additions to data types, counter size, and protocol operations.

Version 3 (SNMPv3)—This is the most recent version of SNMP, defined in RFC 2271 through RFC 2275.

SNMP Security Models and Security Levels

SNMPv1 and SNMPv2c do not have any security (that is, authentication or privacy) mechanisms to keep SNMP packet traffic on the wire confidential. As a result, packets on the wire can be detected and SNMP community strings compromised.

To solve the security shortcomings of SNMPv1 and SNMPv2c, SNMPv3 provides secure access to WAAS devices by authenticating and encrypting packets over the network. The SNMP agent in the WAAS software supports SNMPv3 as well as SNMPv1 and SNMPv2c.

The following security features are provided in SNMPv3:

Message integrity—Ensures that nothing has interfered with a packet during transmission.

Authentication—Determines that the message is from a valid source.

Encryption—Scrambles the contents of a packet to prevent it from being seen by an unauthorized source.

SNMPv3 provides security models as well as security levels. A security model is an authentication process that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security process is used when an SNMP packet is handled. Three security models are available: SNMPv1, SNMPv2c, and SNMPv3.

The following table describes the combinations of security models and security levels.

Model
Level
Authentication
Encryption
Process

v1

noAuthNoPriv

Community string

No

Uses a community string match for user authentication.

v2c

noAuthNoPriv

Community string

No

Uses a community string match for user authentication.

v3

noAuthNoPriv

Username

No

Uses a username match for user authentication.

v3

AuthNoPriv

MD5 or SHA

No

Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.

v3

AuthPriv

MD5 or SHA

Yes

Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides DES 56-bit encryption (packet authentication) based on the CBC-DES (DES-56) standard.


The SNMPv3 agent can be used in the following modes:

noAuthNoPriv mode (that is, no security mechanisms turned on for packets)

AuthNoPriv mode (for packets that do not need to be encrypted using the privacy algorithm [DES 56])

AuthPriv mode (for packets that must be encrypted; privacy requires that authentication be performed on the packet)

Using SNMPv3, users can securely collect management information from their SNMP agents without fear that the data has been tampered with. Also, confidential information, such as SNMP set packets that change a WAAS device's configuration, can be encrypted to prevent their contents from being exposed on the wire. Also, the group-based administrative model allows different users to access the same SNMP agent with varying access privileges.

Examples

The following example defines a user security model group named acme that uses SNMP version 1 security model and a view name of mymib for notifications:

WAE(config)# snmp-server group acme v1 notify mymib

Related Commands

(config) snmp-server community

(config) snmp-server contact

(config) snmp-server enable traps

(config) snmp-server host

(config) snmp-server location

(config) snmp-server mib

(config) snmp-server notify inform

(config) snmp-server user

(config) snmp-server view

snmp trigger

(config) snmp-server host

To specify the recipient of a host SNMP trap operation, use the snmp-server host global configuration command. Use the no form of this command to remove the specified host.

snmp-server host {hostname | ip-address} communitystring [v2c [retry number] [timeout seconds] | [v3 {auth [retry number] [timeout seconds] | noauth [retry number] [timeout seconds] | priv [retry number] [timeout seconds]}]

Syntax Description

hostname

Hostname of the SNMP trap host that will be sent in the SNMP trap messages from the WAAS device.

ip-address

IP address of the SNMP trap host that will be sent in the SNMP trap messages from the WAAS device.

communitystring

Password-like community string sent in the SNMP trap messages from the WAE. You can enter a maximum of 64 characters.

v2c

(Optional) Specifies the Version 2c Security Model.

retry

(Optional) Sets the count for the number of retries for the inform request. (The default is 2 tries.)

number

Number of retries for the inform request (1-10).

timeout

(Optional) Sets the timeout for the inform request (1-1000). (The default is 15 seconds.)

seconds

Timeout value in seconds.

v3

(Optional) Specifies the User Security Model (SNMPv3).

auth

Sends notification using the AuthNoPriv Security Level.

noauth

Sends notification using the noAuthNoPriv Security Level.

priv

Sends notification using the AuthPriv Security Level.


Defaults

This command is disabled by default. No traps are sent. If enabled, the default version of the SNMP protocol used to send the traps is SNMP Version 1.

retry number: 2 retries

timeout: 15 seconds

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

If you do not enter an snmp-server host command, no traps are sent. To configure the WAAS device to send SNMP traps, you must enter at least one snmp-server host command. To enable multiple hosts, you must issue a separate snmp-server host command for each host. The maximum number of snmp-server host commands is four.

When multiple snmp-server host commands are given for the same host, the community string in the last command is used.

The snmp-server host command is used in conjunction with the snmp-server enable traps command to enable SNMP traps.

In addition, SNMP must be enabled with the snmp-server community command.

Examples

The following example sends the SNMP traps defined in RFC 1157 to the host specified by the IP address 172.16.2.160. The community string is comaccess:

WAE(config)# snmp-server enable traps
WAE(config)# snmp-server host 172.16.2.160 comaccess

The following example removes the host 172.16.2.160 from the SNMP trap recipient list:

WAE(config)# no snmp-server host 172.16.2.160

Related Commands

(config) snmp-server community

(config) snmp-server contact

(config) snmp-server enable traps

(config) snmp-server group

(config) snmp-server location

(config) snmp-server mib

(config) snmp-server notify inform

(config) snmp-server user

(config) snmp-server view

snmp trigger

(config) snmp-server location

To set the SNMP system location string on a WAAS device, use the snmp-server location global configuration command. Use the no form of this command to remove the location string.

snmp-server location line

Syntax Description

location

Specifies text for MIB-II object sysLocation.

line

String that describes the physical location of this node.


Defaults

No system location string is set.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

The system location string is the value stored in the MIB-II system group system location object. You can see the system location string with the show snmp EXEC command.

Examples

The following example shows a system location string:

WAE(config)# snmp-server location Building 3/Room 214

Related Commands

(config) snmp-server community

(config) snmp-server contact

(config) snmp-server enable traps

(config) snmp-server group

(config) snmp-server host

(config) snmp-server mib

(config) snmp-server notify inform

(config) snmp-server user

(config) snmp-server view

snmp trigger

(config) snmp-server mib

To configure persistence for the SNMP Event MIB, use the snmp-server mib global configuration command. Use the no form of this command to disable the Event MIB.

snmp-server mib persist event

Syntax Description

persist

Configures MIB persistence.

event

Enables MIB persistence for the Event MIB.


Defaults

No default behavior or values

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

The Event MIB can set the threshold on any MIB variables supported by WAAS software and store the threshold permanently on disk.

The WAAS software implementation of SNMP supports the following MIBs:

MIB-II

ENTITY-MIB

EVENT-MIB

HOST-RESOURCES-MIB

CISCO-CONTENT-ENGINE-MIB (partial)

CISCO-ENTITY-ASSET-MIB

CISCO-CONFIG-MAN-MIB

CISCO-CDP-MIB

SNMPv2

ACTONA-ACTASTORE-MIB


Note In WAAS software, there are six generic alarm traps in the CISCO-CONTENT-ENGINE-MIB for SNMP and Node Health Manager integration.


In WAAS software, you can use IP ACLs to control SNMP access on a WAAS device.

Downloading MIB Files to WAEs

From the following Cisco FTP site you can download the MIB files for all of the MIBS that are supported by a WAAS device that is running WAAS software:

ftp://ftp.cisco.com/pub/mibs/v2

The MIB objects that are defined in each MIB are described in the MIB files at the above FTP site are self explanatory.

Examples

The following example sets persistence for the Event MIB:

WAE(config)# snmp-server mib persist event

Related Commands

(config) snmp-server community

(config) snmp-server contact

(config) snmp-server enable traps

(config) snmp-server group

(config) snmp-server host

(config) snmp-server location

(config) snmp-server notify inform

(config) snmp-server user

(config) snmp-server view

snmp trigger

(config) snmp-server notify inform

To configure the SNMP notify inform request on WAAS device, use the snmp-server notify inform global configuration command. Use the no form of this command to return the setting to the default value.

snmp-server notify inform

Syntax Description

This command has no arguments or keywords.

Defaults

If you do not issue the snmp-server notify inform command, the default is an SNMP trap request.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Examples

The following example configures an SNMP notify inform request versus the default SNMP trap:

WAE(config)# snmp-server notify inform

Related Commands

(config) snmp-server community

(config) snmp-server contact

(config) snmp-server enable traps

(config) snmp-server group

(config) snmp-server host

(config) snmp-server location

(config) snmp-server mib

(config) snmp-server user

(config) snmp-server view

snmp trigger

(config) snmp-server user

To define a user who can access the SNMP server, use the snmp-server user global configuration command. Use the no form of this command to remove access.

snmp-server user name group [auth {md5 password [priv password] | sha password [priv password]} | remote octetstring [auth {md5 password [priv password] | sha password [priv password]}]]

Syntax Description

name

Name of the SNMP user. Use letters, numbers, dashes, and underscores, but no blanks. This is the name of the user on the SNMP host who wants to communicate with the SNMP agent on the WAAS device. You can enter a maximum of 64 characters.

group

Name of the group to which the SNMP user belongs. You can enter a maximum of 64 characters.

auth

(Optional) Configures user authentication parameters.

md5

Configures HMAC MD5 authentication algorithm.

password

HMAC-MD5 user authentication password.

priv

(Optional) Configures authentication parameters for the packet.

password

HMAC-MD5 user private password. You can enter a maximum of 256 characters.

sha

Configures HMAC-SHA authentication algorithm.

password

HMAC-SHA authentication password. You can enter a maximum of 256 characters.

remote

(Optional) Specifies engine identity of remote SNMP entity to which the user belongs.

octetstring

Globally unique identifier for a remote SNMP entity (for example, the SNMP network management station) for at least one of the SNMP users.

Tip To send an SNMPv3 inform message, at least one SNMPv3 user with a remote SNMP ID option must be configured on the WAAS device. The SNMP ID is entered in octet string form. For example, if the IP address of a remote SNMP entity is 192.147.142.129, then the octet string would be 00:00:63:00:00:00:a1:c0:93:8e:81.

Defaults

No default behavior or values

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

When defining SNMP users for WAAS devices, note the following:

If the SNMPv3 protocol is going to be used for SNMP requests, you must define at least one SNMPv3 user account on the WAAS device for the WAAS device to be accessed through SNMP.

A group defined with the SNMPv1 or SNMPv2c security model should not be associated with SNMP users; they should only be associated with the community strings.

Examples

In the following example, an SNMPv3 user account is created on the WAAS device. The SNMPv3 user is named acme and belongs to the group named admin. Because this SNMP user account has been set up with no authentication password, the SNMP agent on the WAAS device does not perform authentication on SNMP requests from this user.

WAE(config)# snmp-server user acme admin

Related Commands

(config) snmp-server community

(config) snmp-server contact

(config) snmp-server enable traps

(config) snmp-server group

(config) snmp-server host

(config) snmp-server location

(config) snmp-server mib

(config) snmp-server notify inform

(config) snmp-server view

snmp trigger

(config) snmp-server view

To define a SNMPv2 MIB view on a WAAS device, use the snmp-server view global configuration command. Use the no form of this command to remove the MIB view definition.

snmp-server view viewname MIBfamily {excluded | included}

Syntax Description

viewname

Name of this family of view subtrees. You can enter a maximum of 64 characters.

MIBfamily

An object identifier that identifies a sub-tree of the MIB. You can enter a maximum of 64 characters.

excluded

Excludes MIB family from the view.

included

Includes MIB family in the view.


Defaults

No default behavior or values

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Examples

The following example defines an SNMPv2 MIB view:

WAE(config)# snmp-server view fileview ciscoFileEngineMIB included

Related Commands

(config) snmp-server community

(config) snmp-server contact

(config) snmp-server enable traps

(config) snmp-server group

(config) snmp-server host

(config) snmp-server location

(config) snmp-server mib

(config) snmp-server notify inform

(config) snmp-server user

snmp trigger

(config) sshd

To enable the SSH daemon on a WAAS device, use the sshd command in global configuration mode. Use the no form of this command to disable the SSH daemon on a WAAS device.

sshd {allow-non-admin-users | enable | password-guesses number | timeout seconds | version {1 | 2}}

Syntax Description

allow-non-admin-users

Allows non-administrative users to gain SSH access to the chosen device (or device group). By default, this option is disabled.

Note Non-administrative users are non-superuser administrators. All non-superuser administrators only have restricted access to a WAAS device because their login accounts have a privilege level of 0. Superuser administrators have full access to a WAAS device because their login accounts have the highest level of privileges, a privilege level of 15.

enable

Enables the SSH daemon on a WAAS device.

password-guesses

Specifies the number of allowable password guesses per connection.

number

Maximum number of incorrect password guesses allowed (1-99). (The default is 3.)

timeout

Configures the number of seconds for which an SSH session will be active during the negotiation (authentication) phase between client and server before it times out.

Note If you have established an SSH connection to the WAAS device but have not entered the username when prompted at the login prompt, the connection will be terminated by the WAAS device if the grace period expires even after successful login.

seconds

SSH login grace time value in seconds (1-99999). (The default is 300.)

version

Configures the SSH version to be supported on the WAAS device.

1

Specifies that SSH Version 1 is supported on the WAAS device.

2

Specifies that SSH Version 2 is supported on the WAAS device.


Defaults

By default, the SSH daemon is disabled on a WAAS device. If you use the sshd enable command to enable the SSH daemon on a WAAS device, the following default settings are used:

password-guesses number: 3 guesses

timeout seconds: 300 seconds

version: Both SSH Version 1 and 2 are enabled.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

SSH enables login access to the WAAS device through a secure and encrypted channel. SSH consists of a server and a client program. Like Telnet, you can use the client program to remotely log on to a machine that is running the SSH server, but unlike Telnet, messages transported between the client and the server are encrypted. The functionality of SSH includes user authentication, message encryption, and message authentication.

Before you enable the sshd command, use the ssh-key-generate command to generate a private and a public host key, which the client programs use to verify the server's identity.

Although the sshd password-guesses command specifies the number of allowable password guesses from the SSH server side, the actual number of password guesses for an SSH login session is determined by the combined number of allowable password guesses of the SSH server and the SSH client. Some SSH clients limit the maximum number of allowable password guesses to three (or to one in some cases), even though SSH server side allows more than this number of guesses.

When sshd password-guesses is entered, specifying n allowable password guesses, certain SSH clients interpret this number as n+1. For example, when configuring the number of guesses to two by issuing the command sshd password-guesses 2 for a particular device, SSH sessions from some SSH clients will allow three password guesses.

You can enable both SSH Version 1 and Version 2, or you can enable one version and not the other. When you enable the SSH daemon using the sshd enable global configuration command, support for both SSH Version 1 and SSH Version 2 is enabled. If you want the WAAS device to support only one version of SSH (for example SSH version 2), you must disable the other version. For example, to disable SSH Version 1, enter the no sshd version 1 command.

If the SSH daemon is currently enabled on a WAAS device, at least one version of SSH must be enabled on the device. Before you can disable both versions of SSH, you must enter the no sshd enable command to disable the SSH daemon on the WAAS device. If you attempt to disable both versions of SSH before you have disabled the SSH daemon, the following message will appear on your console informing you that you must disable the SSH daemon before you can disable both versions of SSH:

WAE(config)#(config)# no sshd version 1
WAE(config)#(config)# no sshd version 2
Atleast SSHv1 or SSHv2 must be enabled with sshd enabled.
Disable sshd to disable both SSHv1 and SSHv2.
Did not update ssh version support. Please retry.

When support for both SSH version 1 and SSH version 2 are enabled in the WAAS device, the show running-config EXEC command output does not display any SSHD configuration.

If you have disabled the support for one version of SSH, the show running-config EXEC command output contains the following line:

no sshd version version_number


Note The Telnet daemon can still be used with the WAAS device. SSH does not replace Telnet.


Examples

The following example enables and configures a Secure Shell daemon on the WAAS device:

WAE(config)# sshd enable
WAE(config)# sshd password-guesses 4
WAE(config)# sshd timeout 20

The following example disables the support for SSH Version 1 in the WAAS device:

WAE(config)# no sshd version 1

Related Commands

(config) ssh-key-generate

(config) ssh-key-generate

To generate the SSH host key for a WAAS device, use the ssh-key-generate global configuration command. Use the no form of the command to remove the SSH key.

ssh-key-generate [key-length length]

Syntax Description

key-length

(Optional) Configures the length of the SSH key.

length

Specifies the number of bits to create an SSH key (512-2048).


Defaults

key-length length: 1024 bits

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

Before you enter the sshd enable command, enter the ssh-key-generate command to generate a private and a public host key, which the client programs use to verify a server's identity.

When you use an SSH client and log in to a WAAS device, the public key for the SSH daemon that is running on the device is recorded in the client machine known_hosts file in your home directory. If you subsequently regenerate the host key by specifying the number of bits in the key-length command option, you must delete the old public key entry associated with the WAAS device in the known_hosts file before running the SSH client program to log in to the WAAS device. When you use the SSH client program after deleting the old entry, the known_hosts file is updated with the new SSH public key for the WAAS device.

Examples

The following example generates an SSH public key and then enables the SSH daemon on the WAAS devcie:

WAE(config)# ssh-key-generate
Ssh host key generated successfully
Saving the host key to box ...
Host key saved successfully
WAE(config)# sshd enable
Starting ssh daemon ...
Ssh daemon started successfully

Related Commands

(config) sshd

(config) tacacs

To configure TACACS+ server parameters on a WAAS device, use the tacacs command in global configuration mode. Use the no form of this command to disable individual options.

tacacs {host {hostname | ip-address} [primary] | key keyword | password ascii | retransmit retries | timeout seconds}

Syntax Description

host

Specify a server address.

hostname

Hostname of the TACACS+ server.

ip-address

IP address of the TACACS+ server.

primary

(Optional) Sets the server as the primary server.

key

Sets the security word.

keyword

Keyword. An empty string is the default.

password ascii

Specifies ASCII as the TACACS+ password type.

retransmit

Sets the number of times that requests are retransmitted to a server.

retries

Number of retry attempts allowed (1-3). The default is 2 retry attempts.

timeout

Sets the number of seconds to wait before a request to a server is timed out.

seconds

Timeout in seconds (1-20). The default is 5 seconds.


Defaults

keyword: none (empty string)

timeout seconds: 5

retries: 2

password: The default password type is PAP.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

One primary and two backup TACACS+ servers can be configured on a WAAS device; authentication is attempted on the primary server first, then on the others in the order in which they were configured. The primary server is the first server configured unless another is explicitly specified as primary with the tacacs host hostname primary command.

TACACS+ uses the standard port (port 49) for communication, based on the specified service. Using the tacacs command, configure the TACACS+ key, number of retransmits, server hostname or IP address, and timeout.

You must execute the following two commands to enable user authentication with a TACACS+ server.

WAE(config)# authentication login tacacs enable
WAE(config)# authentication configuration tacacs enable

The TACACS+ remote database can also be used to maintain login and configuration privileges for administrative users. The tacacs host command allows you to configure the network parameters required to access the remote database.

Use the tacacs key command to specify the TACACS+ key, used to encrypt the packets transmitted to the server. This key must be the same as the one specified on the server daemon. The maximum number of characters in the key should not exceed 99 printable ASCII characters (except tabs). An empty key string is the default. All leading spaces are ignored; spaces within and at the end of the key string are not ignored. Double quotes are not required even if there are spaces in the key, unless the quotes themselves are part of the key.

The tacacs timeout is the number of seconds that the WAAS device waits before declaring a timeout on a request to a particular TACACS+ server. The range is from 1 to 20 seconds, with 5 seconds as the default. The number of times that the WAAS device repeats a retry-timeout cycle before trying the next TACACS+ server is specified by the tacacs retransmit command. The default is two retry attempts.

Three unsuccessful login attempts are permitted. TACACS+ logins may appear to take more time than local logins depending on the number of TACACS+ servers and the configured timeout and retry values.

Use the tacacs password ascii command to specify the TACACS+ password type as ASCII. The default password type is PAP (Password Authentication Protocol).When the no tacacs password ascii command is used to disable the ASCII password type, the password type is once again reset to PAP.

The TACACS+ client can send different requests to the server for user authentication. The client can send a TACACS+ request with the PAP password type. In this scenario, the authentication packet includes both the username and password of the user. The server must have an appropriately configured account for the user.

Alternatively, the client can send a TACACS+ request with the ASCII password type as another option. In this scenario, the authentication packet includes the username only and waits for the server response. Once the server confirms that the account exists for a user, the client sends another Continue request with the password of the user. The authentication server must have an appropriately configured account for the user to support either type of password.

Examples

The following example configures the key used in encrypting packets:

WAE(config)# tacacs key human789

The following example configures the host named spearhead as the primary TACACS+ server:

WAE(config)# tacacs host spearhead primary

The following example sets the timeout interval for the TACACS+ server:

WAE(config)# tacacs timeout 10

The following example sets the number of times that authentication requests are retried (retransmitted) after a timeout:

WAE(config)# tacacs retransmit 5

The following example shows the password type to be PAP by default:

WAE# show tacacs 
    Login Authentication for Console/Telnet Session: enabled (secondary)
    Configuration Authentication for Console/Telnet Session: enabled (secondary)

    TACACS+ Configuration:
    ---------------------
    TACACS+ Authentication is off
    Key        = *****
    Timeout    = 5
    Retransmit = 2
    Password type: pap

    Server                         Status
    ----------------------------   ------
    10.107.192.148                primary
    10.107.192.168                
    10.77.140.77                   

However, you can configure the password type to be ASCII using the tacacs password ascii command. You can then verify the changes using the show tacacs command.

WAE(config)# tacacs password ascii 
WAE(config)# exit
WAE# show tacacs 
    Login Authentication for Console/Telnet Session: enabled (secondary)
    Configuration Authentication for Console/Telnet Session: enabled (secondary)

    TACACS+ Configuration:
    ---------------------
    TACACS+ Authentication is off
    Key        = *****
    Timeout    = 5
    Retransmit = 2
    Password type: ascii

    Server                         Status
    ----------------------------   ------
    10.107.192.148                primary
    10.107.192.168                
    10.77.140.77                   

Related Commands

(config) authentication

show authentication

show statistics authentication

show statistics tacacs

show tacacs

(config) tcp

To configure TCP parameters on a WAAS device, use the tcp global configuration command. To disable TCP parameters, use the no form of this command.

tcp cwnd-base segments

tcp ecn enable

tcp increase-xmit-timer-value value

tcp init-ss-threshold value

tcp keepalive-probe-cnt count

tcp keepalive-probe-interval seconds

tcp keepalive-timeout seconds

tcp memory-limit low-water-mark low high-water-mark-pressure high high-water-mark-absolute absolute

Syntax Description

cwnd-base

Sets initial send congestion window in segments.

segments

Initial send congestion window segments (1-10).

ecn enable

Enables TCP explicit congestion notification.

increase-xmit-timer-value

Factor (1-3) used to modify the length of the retransmit timer by 1 to 3 times the base value determined by the TCP algorithm.

Note Modify this factor with caution. It can improve throughput when TCP is used over slow reliable connections but should never be changed in an unreliable packet delivery environment.

value

Retransmit multiple (1-3).

init-ss-threshold

Sets initial slow start threshold value.

value

Slow start threshold value.

keepalive-probe-cnt

Length of time that the WAAS device keeps an idle connection open.

count

Number of probe counts (1-10).

keepalive-probe-interval

Number of times the WAAS device retries a connection.

seconds

Keepalive probe interval in seconds (1-300).

keepalive-timeout

Length of time that the WAAS device keeps a connection open before disconnecting.

seconds

Keepalive timeout in seconds (1 to 3600).

memory-limit

Specifies the system TCP memory usage limit (including send and receive buffer usage of all connections).


Caution To prevent TCP buffer overflow, do not modify the default values unless you are sure of the procedure.

low-water-mark

Specifies the memory usage mark (in megabytes) below which TCP goes out of the memory pressure mode and enters into the normal memory allocation mode.

low

Memory usage in megabytes (4-600).

high-water-mark-
pressure

Specifies the memory usage mark (in megabytes) above which TCP goes out of the normal memory allocation mode and enters the memory pressure mode.

high

Memory usage in megabytes (5-610).

high-water-mark-
absolute

Specifies the absolute hard limit on TCP's memory usage (in megabytes).

absolute

Memory usage in megabytes (6-620).


Defaults

tcp cwnd-base: 2

tcp increase-xmit-timer-value: 1

tcp init-ss-threshold: 2 segments

tcp keepalive-probe-cnt: 4

tcp keepalive-probe-interval: 75 seconds

tcp keepalive-timeout: 90 seconds

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

Caches are typically deployed by customers for any of the following reasons:

To save bandwidth

To accelerate the delivery of file content

To apply policies that determine what files are viewed (content filtering)

To increase the throughput of HTTP streams over TCP end to end

The fourth reason is an often overlooked and much less understood property of deploying caching, and it can often have a huge benefit on the performance of TCP end to end.

Queries sent between a server and a client and the replies generated are defined as transactions. For data transactions between client and servers, the size of windows and buffers is important, and fine-tuning the TCP stack parameters therefore becomes the key to maximizing this benefit.

The relevant TCP parameters to maximize cache performance and throughput include the ability to tune timeout periods, client and server receive and send buffer sizes, and TCP window scaling behavior.


Note Because of the complexities involved in TCP parameters, care is advised in tuning these parameters. In nearly all environments, the default TCP settings are adequate. Fine tuning of TCP settings is for network administrators with adequate experience and full understanding of TCP operation details.


Explicit Congestion Notification

The TCP ECN feature allows an intermediate router to notify the end hosts of impending network congestion. It also provides enhanced support for TCP sessions associated with applications that are sensitive to delay or packet loss, including Telnet, web browsing, and transfer of audio and video data. The major issue with ECN is the need to change the operation of both the routers and the TCP software stacks to accommodate the operation of ECN.

Congestion Windows

The congestion window (cwnd) is a TCP state variable that limits the amount of data that a TCP sender can transmit onto the network before receiving an acknowledgment from the receiving side of the TCP transmission. The TCP cwnd variable is implemented by the TCP congestion avoidance algorithm. The goal of the congestion avoidance algorithm is to continually modify the sending rate so that the sender automatically senses any increase or decrease in available network capacity during the entire data flow. When congestion occurs (manifested as packet loss), the sending rate is first lowered and then gradually increased as the sender continues to probe the network for additional capacity.

Retransmit Time Multiplier

The TCP sender uses a timer to measure the time that has elapsed between sending a data segment and receiving the corresponding acknowledgment from the receiving side of the TCP transmission. When this retransmit timer expires, the sender (according to the RFC standards for TCP congestion control) must reduce its sending rate. However, because the sender is not reducing its sending rate in response to network congestion, the sender is not able to make any valid assumptions about the current state of the network. Therefore, to avoid congesting the network with an inappropriately large burst of data, the sender implements the slow start algorithm, which reduces the sending rate to one segment per transmission. (See the next section, "TCP Slow Start".)

You can modify the retransmit timer for the sender by using the tcp increase-xmit-timer-value global configuration command. The retransmit time multiplier modifies the length of the retransmit timer by one to three times the base value, as determined by the TCP algorithm that is being used for congestion control.

When making adjustments to the retransmit timer, be aware that they affect performance and efficiency. If the retransmit timer is triggered too early, the sender pushes duplicate data onto the network unnecessarily; if the timer is triggered too slowly, the sender remains idle for too long, unnecessarily slowing data flow.

TCP Slow Start

Slow start is one of four congestion control algorithms used by TCP. The slow start algorithm controls the amount of data being inserted into the network at the beginning of a TCP session, when the capacity of the network is not known.

For example, if a TCP session began by inserting a large amount of data into the network, much of the initial burst of data would probably be lost. Instead, TCP initially transmits a modest amount of data that has a high probability of successful transmission. TCP then probes the network by sending increasing amounts of data as long as the network does not show signs of congestion.

The slow start algorithm begins by sending packets at a rate that is determined by the congestion window, or cwnd variable. (See the "Congestion Windows" section.) The algorithm continues to increase the sending rate until it reaches the limit set by the slow start threshold (ssthresh) variable. (Initially, the value of the ssthresh variable is adjusted to the receiver's maximum window size [RMSS]. However, when congestion occurs, the ssthresh variable is set to half the current value of the cwnd variable, marking the point of the onset of network congestion for future reference.)

The starting value of the cwnd variable is set to that of the sender maximum segment size (SMSS), which is the size of the largest segment that the sender can transmit. The sender sends a single data segment, and because the congestion window is equal to the size of one segment, the congestion window is now full. The sender then waits for the corresponding acknowledgment from the receiving side of the transmission. When the acknowledgment is received, the sender increases its congestion window size by increasing the value of the cwnd variable by the value of one SMSS. Now the sender can transmit two segments before the congestion window is again full and the sender is once more required to wait for the corresponding acknowledgments for these segments. The slow start algorithm continues to increase the value of the cwnd variable and therefore increase the size of the congestion window by one SMSS for every acknowledgment received. If the value of the cwnd variable increases beyond the value of the ssthresh variable, then the TCP flow control algorithm changes from the slow start algorithm to the congestion avoidance algorithm.

TCP-Over-Satellite Extensions

The WAE has the ability to turn on TCP-over-satellite extensions (as documented in RFC 1323) to maximize performance and end-to-end throughput over satellite-type connections.

The large number of satellites available to network infrastructures has increased the amount of bandwidth available in the air. Taking advantage of these connections through satellite-type connections has created new challenges in the use of TCP transactions and acknowledgments.

Latency—Round trip times to satellites orbiting 24,000 miles above the earth are 550 milliseconds for a single satellite hop. Window size must be set to prevent low-throughput connections.

Bit errors—Packet loss can occur in a land-based device-to-satellite connection in addition to the losses caused by regular network congestion.

Asymmetric bandwidth—Return bandwidth from satellites can be narrower than receiving bandwidth, thereby affecting performance.

Use the tcp server-satellite and tcp client-satellite global configuration commands to set the TCP connection so that it complies with RFC 1323.

TCP Read-Write Timeout and Persistent Connections

The WAAS device keeps a connection persistent if persistence is allowed for the persistence idle timeout period (which is 600 seconds by default). If HTTP persistent connections are enabled, then no keepalive is needed and the WAE will keep the connection open until the idle timeout period is exceeded.


Note The WAE does not automatically send out keepalives. To configure the WAAS device to send out TCP keepalives over an HTTP connection, you must enter the http tcp-keepalives enable global configuration command.


Once a response or data is sent over the persistent connection, the idle period restarts. HTTP persistent connections can be configured for either the client or server or both.

Note that the persistence does not start until an initial request is made (for example, a GET request) or until data starts to flow over the persistent connection. If there is no initial request or data sent over a persistent connection, the read-write (rw)-timeout setting takes effect. The rw-timeout setting also is used if the connection goes idle for some reason before it has finished sending or receiving the data. In this case, the connection is timed out for the period specified by the rw-timeout setting. The rw-timeout setting can be set for reading and writing data to either the server or the client through the tcp server-rw-timeout and tcp client-rw-timeout global configuration commands. By default, the rw-timeout for both the server and the client is set to 120 seconds.

Configuring WAAS Devices to Send out TCP Keepalives

By default, the WAAS device does not automatically send out keepalives. To configure a WAAS device to send out TCP keepalives on HTTP connections, you must enter the http tcp-keepalive enable global configuration command. After entering the http tcp-keepalive enable command, the WAAS device will send out a keepalive every 75 seconds on an HTTP connection. If a response is received, the WAAS device continues to send a keepalive every 75 seconds. If a response if not received (the device does not respond), the WAAS device waits 90 seconds and logs a miss. After 4 misses, the WAAS device considers that the HTTP connection is down and closes the connection.

Use the tcp keepalive-probe-cnt global configuration command to specify how many times the WAAS device should attempt to connect to the device before closing the connection. The count can be from 1 to 10. The default is 4 attempts.

Use the tcp keepalive-probe-interval global configuration command to specify how often the WAAS device is to send out a TCP keepalive. The interval can be from 1 to 120 seconds. The default is 75 seconds.

Use the tcp keepalive-timeout global configuration command to wait for a response (the device does not respond) before the WAAS device logs a miss. The timeout can be from 1 to 120 seconds. The default is 90 seconds.

Examples

The following example enables TCP explicit congestion notification:

WAE(config)# tcp ecn enable

The following example specifies a low watermark memory usage of 100 megabytes, a high watermark memory usage of 450 megabytes, and an absolute high watermark memory usage of 500 megabytes:

WAE(config)# tcp memory-limit low-water-mark 100 high-water-mark-pressure 450 
high-water-mark-absolute 500 

Related Commands

clear

show statistics tcp

show tcp

(config) telnet enable

To enable Telnet on a WAAS device, use the telnet enable global configuration command.

telnet enable

Syntax Description

This command has no arguments or keywords.

Defaults

By default, the Telnet service is enabled on a WAAS device.

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

Use terminal emulation software to start a Telnet session with a WAAS device.

You must use a console connection instead of a Telnet session to define device network settings on the WAAS device. However, after you have used a console connection to define the device network settings, you can use a Telnet session to perform subsequent configuration tasks.


Note Messages transported between the client and the device are not encrypted.


Examples

The following example enables the use of Telnet on the WAAS device:

WAE(config)# telnet enable

Related Commands

telnet

show telnet

(config) tfo optimize

To configure a WAE for Traffic Flow Optimization (TFO), use the tfo optimize global configuration command. Use the no form of this command to disable TFO optimization.

tfo optimize {DRE {yes | no} compression {LZ | none} | full}

Syntax Description

DRE

Configures TFO optimization with or without Data Redundancy Elimination (DRE).

yes

Enables DRE.

no

Disables DRE.

compression

Configures TFO optimization with or without generic compression.

LZ

Configures TFO optimization with Lempel-Ziv (LZ) compression.

none

Configures TFO optimization with no compression.

full

Configures TFO optimization with DRE and LZ compression. It is the same as specifying tfo optimize DRE yes compression LZ.


Defaults

The default TFO optimization on a WAAS device is tfo optimize full.

Command Modes

global configuration

Device Modes

application-accelerator

Related Commands

show statistics tfo

show tfo bufpool

show tfo status

(config) tfo tcp keepalive

To configure a WAE for Traffic Flow Optimization (TFO) optimization with TCP keepalive, use the tfo tcp keepalive global configuration command.

tfo tcp keepalive

Defaults

Keepalive is disabled by default.

Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

This command enables TCP keepalive on the TFO optimized sockets (the connection between two peer WAE's).

Related Commands

(config) tfo tcp optimized-mss

(config) tfo tcp optimized-receive-buffer

(config) tfo tcp optimized-send-buffer

(config) tfo tcp original-mss

(config) tfo tcp original-receive-buffer

(config) tfo tcp original-send-buffer

(config) tfo tcp optimized-mss

To configure a WAE for Traffic Flow Optimization (TFO) optimization with optimized-side TCP maximum segment size, use the tfo tcp optimized-mss global configuration command.

tfo tcp optimized-mss segment-size

Syntax Description

segment-size

The segment size (512-1460).


Defaults

The default value of the segment size is 1432 bytes.

Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

This command sets the TCP maximum segment size on TFO optimized sockets (the connection between two peer WAE's).

Related Commands

(config) tfo tcp keepalive

(config) tfo tcp optimized-receive-buffer

(config) tfo tcp optimized-send-buffer

(config) tfo tcp original-mss

(config) tfo tcp original-receive-buffer

(config) tfo tcp original-send-buffer

(config) tfo tcp optimized-receive-buffer

To configure a WAE for Traffic Flow Optimization (TFO) optimization with an optimized-side receive buffer, use the tfo tcp optimized-receive-buffer global configuration command.

tfo tcp optimized-receive-buffer buffer-size

Syntax Description

buffer-size

The receive buffer size in KB.


Defaults

32KB

Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

This command sets the TCP receive buffer size on TFO optimized sockets (the connection between two peer WAE's). For high Bandwidth Delay Product (BDP) links it is best to use a value larger than the default.

The buffer should be equal to or greater than the BDP. The BDP is equivalent to bandwidth (in bits per second) * latency (in seconds). For example, for a 45 Mbps link with a 150 ms (0.15 sec) round trip delay, the BDP is 45 Mbps * 0.15 sec = 6.75 Mb, or 0.844 MB (844 KB). In this case, you could set the buffer size to 1024 KB.

Related Commands

(config) tfo tcp keepalive

(config) tfo tcp optimized-mss

(config) tfo tcp optimized-send-buffer

(config) tfo tcp original-mss

(config) tfo tcp original-receive-buffer

(config) tfo tcp original-send-buffer

(config) tfo tcp optimized-send-buffer

To configure a WAE for Traffic Flow Optimization (TFO) optimization with an optimized-side send buffer, use the tfo tcp optimized-send-buffer global configuration command.

tfo tcp optimized-send-buffer buffer-size

Syntax Description

buffer-size

The receive buffer size in KB.


Defaults

32 KB

Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

This command sets the TCP send buffer size on TFO optimized sockets (the connection between two peer WAE's). For high Bandwidth Delay Product (BDP) links it is best to use a value larger than the default.

The buffer should be equal to or greater than the BDP. The BDP is equivalent to bandwidth (in bits per second) * latency (in seconds). For example, for a 45 Mbps link with a 150 ms (0.15 sec) round trip delay, the BDP is 45 Mbps * 0.15 sec = 6.75 Mb, or 0.844 MB (844 KB). In this case, you could set the buffer size to 1024 KB.

Related Commands

(config) tfo tcp keepalive

(config) tfo tcp optimized-mss

(config) tfo tcp optimized-receive-buffer

(config) tfo tcp original-mss

(config) tfo tcp original-receive-buffer

(config) tfo tcp original-send-buffer

(config) tfo tcp original-mss

To configure a WAE for Traffic Flow Optimization (TFO) optimization with an unoptimized-side TCP maximum segment size, use the tfo tcp original-mss global configuration command.

tfo tcp original-mss segment-size

Syntax Description

segment-size

The segment size (512-1460).


Defaults

1,432 bytes

Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

This command sets the TCP maximum segment size on TFO unoptimized sockets (the connection between the WAE and the client or the WAE and the server).

Related Commands

(config) tfo tcp keepalive

(config) tfo tcp optimized-mss

(config) tfo tcp optimized-receive-buffer

(config) tfo tcp optimized-send-buffer

(config) tfo tcp original-receive-buffer

(config) tfo tcp original-send-buffer

(config) tfo tcp original-receive-buffer

To configure a WAE for Traffic Flow Optimization (TFO) optimization with an unoptimized-side receive buffer, use the tfo tcp original-receive-buffer global configuration command.

tfo tcp original-receive-buffer buffer-size

Syntax Description

buffer-size

The receive buffer size in KB.


Defaults

32 KB

Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

This command sets the TCP receive buffer size on TFO unoptimized sockets (the connection between the WAE and the client or the WAE and the server).

Related Commands

(config) tfo tcp keepalive

(config) tfo tcp optimized-mss

(config) tfo tcp optimized-receive-buffer

(config) tfo tcp optimized-send-buffer

(config) tfo tcp original-mss

(config) tfo tcp original-send-buffer

(config) tfo tcp original-send-buffer

To configure a WAE for Traffic Flow Optimization (TFO) optimization with unoptimized-side send buffer, use the tfo tcp original-send-buffer global configuration command.

tfo tcp original-send-buffer buffer-size

Syntax Description

buffer-size

The receive buffer size in KB.


Defaults

32 KB

Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

This command sets the TCP send buffer size on TFO unoptimized sockets (the connection between the WAE and the client or the WAE and the server).

Related Commands

(config) tfo tcp keepalive

(config) tfo tcp optimized-mss

(config) tfo tcp optimized-receive-buffer

(config) tfo tcp optimized-send-buffer

(config) tfo tcp original-mss

(config) tfo tcp original-receive-buffer

(config) transaction-logs

To configure and enable transaction logging on a WAE, use the transaction-logs global configuration command. To disable a transaction logging option, use the no form of this command.

transaction-logs tfo archive interval seconds

transaction-logs tfo archive interval every-day {at hour:minute | every hours}

transaction-logs tfo archive interval every-hour {at minute | every minutes}

transaction-logs tfo archive interval every-week [on weekdays at hour:minute]

transaction-logs tfo archive max-file-size filesize

transaction-logs tfo enable

transaction-logs tfo logging {enable | facility parameter | host ip-address port port [rate-limit number-message-per-sec] | host ip-address rate-limit number-message-per-sec [ port port]}

transaction-logs export compress

transaction-logs export enable

transaction-logs export ftp-server {hostname | servipaddrs} login passw directory

transaction-logs export interval minutes

transaction-logs export interval every-day {at hour:minute | every hours}

transaction-logs export interval every-hour {at minute | every minutes}

transaction-logs export interval every-week [on weekdays at hour:minute]

transaction-logs export sftp-server {hostname | servipaddrs} login passw directory

Syntax Description

archive

Configures archive parameters.

interval

Determines how frequently the archive file is to be saved.

seconds

Frequency of archiving in seconds (120-604800).

every-day

Archives using intervals of 1 day or less.

at

Specifies the local time at which to archive each day.

hour:minute

Time of day at which to archive in local time (hh:mm).

every

Specifies the interval in hours. Interval aligns with midnight.

hours

Number of hours for daily file archive.

1    Hourly
12  Every 12 hours
2    Every 2 hours
24  Every 24 hours
3    Every 3 hours
4    Every 4 hours
6    Every 6 hours
8    Every 8 hours

every-hour

Specifies the archives using intervals of 1 hour or less.

at

Sets the time to archive at each hour.

minute

Minute alignment for the hourly archive (0-59).

every

Specifies the interval in minutes for hourly archive that aligns with the top of the hour.

minutes

Number of minutes for hourly archive.

10  Every 10 minutes
15  Every 15 minutes
2    Every 2 minutes
20  Every 20 minutes
30  Every 30 minutes
5    Every 5 minutes

every-week

Archives using intervals of 1 or more times a week.

on

(Optional) Sets the day of the week on which to archive.

weekdays

Weekdays on which to archive. One or more weekdays can be specified.

Fri    Every Friday
Mon  Every Monday
Sat    Every Saturday
Sun   Every Sunday
Thu   Every Thursday
Tue   Every Tuesday
Wed  Every Wednesday

at

(Optional) Sets the local time at which to archive each day.

hour:minute

Time of day at which to archive in local time (hh:mm).

max-file-size

Specifies the maximum size (in kilobytes) of the archive file to be maintained on the local disk.

filesize

Maximum archive file size in kilobytes (1000-2000000). This value is the maximum size of the archived file to be maintained on the local disk.

enable

Enables transaction logging to be exported to an FTP server.

export

Configures file export parameters. The FTP export feature can support up to four servers. Each server must be configured with a username, password, and directory that are valid for that server.

compress

Enables compression of archived log files into zip format before exporting them to external FTP servers.

enable

Enables the exporting of log files at the specified interval.

ftp-server

Sets the FTP server to receive exported archived files.

hostname

Hostname of the target FTP server.

servipaddrs

IP address of the target FTP server.

login

User login to target FTP server.

passw

User password to target FTP server.

directory

Target directory path for exported files on FTP server.

interval

Specifies the interval at which the working log should be cleared by moving data to the FTP server.

minutes

Number of minutes in the interval at which to export a file (1-10080).

every-day

Specifies the exports using intervals of 1 day or less.

at

Specifies the local time at which to export each day.

hour:minute

Time of day at which to export in local time (hh:mm).

every

Specifies the interval in hours for the daily export.

hours

Number of hours for the daily export.

1    Hourly
12  Every 12 hours
2    Every 2 hours
24  Every 24 hours
3    Every 3 hours
4    Every 4 hours
6    Every 6 hours
8    Every 8 hours

every-hour

Specifies the exports using intervals of 1 hour or less.

at

Specifies the time at which to export each hour.

minute

Minute (0-59) alignment for the hourly export.

every

Specifies the interval in minutes that align with the top of the hour.

minutes

Number of minutes for the hourly export.

10  Every 10 minutes
15  Every 15 minutes
2    Every 2 minutes
20  Every 20 minutes
30  Every 30 minutes
5    Every 5 minutes

every-week

Specifies the exports using intervals of 1 of more times a week.

on

(Optional) Specifies the days of the week for the export.

weekdays

Weekdays on which to export. One or more weekdays can be specified.

Fri    Every Friday
Mon  Every Monday
Sat    Every Saturday
Sun   Every Sunday
Thu   Every Thursday
Tue   Every Tuesday
Wed  Every Wednesday

at

(Optional) Specifies the time of day at which to perform the weekly export.

hour:minute

Time of day at which to export in the local time (hh:mm).

sftp-server

Sets the Secure File Transfer Protocol (SFTP) server to receive exported archived files.

hostname

Hostname of the target SFTP server.

servipaddrs

IP address of the target SFTP server.

login

User login to the target SFTP server (less than 40 characters).

passw

User password to the target SFTP server (less than 40 characters).

directory

Target directory path for exported files on the SFTP server.

logging

Enables real-time transaction logging. You can retain the logging host configuration for transaction logs even if you temporarily disable real-time transaction logging by unchecking the check box. This new logging option applies only to the cache's HTTP transaction log entries. The real-time transaction logging feature is disabled by default.

enable

Enables the transaction log files to be sent to a remote syslog host.

facility

Specifies the appropriate transaction log facility.

This drop-down list is set to an initial value of Do not set. This setting denotes that the facility sent to the syslog host will be the facility on the local host that is sending the syslog message. For instance, in the case of the transaction logging module that sends the real-time transaction log message, the facility is the "user" facility

parameter

Specifies one of the following facilities:

auth       Authorization system
daemon  System daemons
kern       Kernel
local0    Local use
local1    Local use
local2    Local use
local3    Local use
local4    Local use
local5    Local use
local6    Local use
local7    Local use
mail       Mail system
news      USENET news
syslog    Syslog itself
user        User process
uucp       UUCP system

host

Configures the remote syslog server.

hostname

The hostname or IP address of the remote syslog server to which transaction logs must be sent. No remote syslog server is specified by default.

ip-address

IP address of the remote syslog server.

port

Configures the port to use when sending transaction log messages to the syslog server.

port-num

The destination port on the remote syslog host to which the WAE should send the transaction log files. The default port number is 514. This port is a well-known port for system logging.

rate-limit

Configures the rate at which the transaction logger is allowed to send messages to the remote syslog server.

rate

The number of messages that are allowed to be sent to the remote syslog host per second. To limit bandwidth and other resource consumption, messages to the remote syslog host can be rate-limited.

If this limit is exceeded, the specified remote syslog host drops the messages. There is no default rate limit (rate-limit is set to 0), and by default all syslog messages are sent to all of the configured syslog hosts. The range is 1 to 10,000 messages per second.


Defaults

archive: disabled

enable: disabled

export compress: disabled

export: disabled

archive interval: every day, every one hour

archive max-file-size: 2,000,000 KB

export interval: every day, every one hour

logging port port-num: 514

Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

Depending upon where the sysfs is mounted, transactions are logged to a working log on the local disk in one of these files:

/local1/logs/working.log

/local2/logs/working.log

When you enable transaction logging, you can specify the interval at which the working log should be cleared by moving the data to an archive log. The archive log files are located on the local disk in the directory /local1/logs/ or /local2/logs/, depending upon where the sysfs is mounted.

Because multiple archive files are saved, the filename includes the time stamp when the file was archived. Because the files can be exported to an FTP/SFTP server, the filename also contains the IP address of this WAE.

The archive file name use this format:

celog_IPADDRESS_YYYYMMDD_HHMMSS.txt.

You can monitor transaction logs in real-time for particular errors such as authentication errors. By sending HTTP transaction log messages to a remote syslog server, you can monitor the remote syslog server for HTTP request authentication failures in real-time. This real-time transaction log feature allows you to monitor transaction logs in real-time for particular errors such as HTTP request authentication errors. The existing transaction logging to the local file system remains unchanged.

For this purpose, you must configure the WAE to send transaction log messages to a remote syslog server using UDP as the transport protocol. Because UDP is an unreliable transport protocol, message transport to a remote syslog host is not reliable and you must monitor the syslog messages received at the remote syslog server. You can limit the rate at which the transaction logging module is allowed to send messages to the remote syslog server. The format of the syslog message is in standard syslog message format with the transaction log message as the payload of the syslog message.

Real-time transaction logging to a remote syslog server uses the standard syslog message format with the message payload as the transaction log entry. A new syslog error identifier is defined for this type of real-time transaction log message. You can configure a WAE to send transaction log messages in real-time to one remote syslog host. The message format of the transaction log entry to the remote syslog host is the same as in the transaction log file and prepended with Cisco's standard syslog header information.

The following is an example of the format of the real-time syslog message sent from the transaction logging module (WAE) to the remote syslog host:

fac-pri Apr 22 20:10:46 ce-host cache: %CE-TRNSLG-6-460012: translog formatted msg

The fields in the message are described as follows:

fac-pri denotes the facility parameter and priority for transaction log messages encoded (as in standard syslog format) as a 32-bit decimal value between 0 and 1023 (0x0000 and 0x03FF). The least significant 3 bits denote priority (0-7) and the next least significant 7 bits denote facility (0-127).

The facility parameter used by the transaction logging module when a real-time transaction log message is logged to the remote syslog host is user. The same facility is sent to the remote syslog host unless you configure a different facility parameter for transaction logging. The priority field is always set to LOG_INFO for real-time transaction log messages.

In the above example, the default value of fac-pri is 14 (0x000E) where facility = user (LOG_USER (1)) and priority = LOG_INFO (6).

The next field in the message is the date, which follows the format as shown in the above example.

ce-host is the hostname or IP of the WAE that is sending the message.

cache is the name of the process on the WAE that is sending the message.

%CE-TRNSLG-6-460012 is the Cisco standard formatted syslog header on the WAE for a real-time transaction log message. This identifier indicates a priority level of 6, which denotes informational messages.


Note The WAAS system syslog messages report communication errors with the remote syslog host that is configured for transaction logging. These syslog messages are in the error message range: %CE-TRNSLG-6-460013 to %CE-TRNSLG-3-460016. The last error message (%CE-TRNSLG-3-460016), shows level "3" (for error-level messages) instead of "6" (for information-level messages). Information-level messages are reported when messages are dropped due to rate limiting and the number of dropped messages are reported. For more information about these syslog messages, refer to the Cisco WAAS System Messages Reference.


translog formatted msg is the transaction log message as it appears in the transaction log file.


Note The total length of the real-time syslog message is 1024 characters. If the actual transaction log entry exceeds this limit, it is truncated.


When the remote syslog server logs this message to a file, the format appears as follows:

Apr 22 20:10:46 ce-host cache: %CE-TRNSLG-6-460012: translog formatted msg

where ce-host is the host name of the WAE that sent the real-time transaction log message to the remote syslog server.

The configuration of host settings for transaction logs is identical to the configuration settings for syslog messages except that you need not specify the priority level of the message for real time transaction logs. All messages are associated with the priority level of 6 (LOG_INFO). You are not required to filter messages based on priority levels.

Related Commands

clear

show transaction-logging

transaction-log

(config) username

To establish username authentication on a WAAS device, use the username global configuration command.

username name {cifs-password {0 plainword | 1 cryptoword} uid uid} | password {0 plainword | 1 cryptoword} uid uid} | privilege {0 | 15} | samba-password}

Syntax Description

name

Username.

cifs-password

Sets Windows user password.

0

Specifies an unencrypted Windows user password follows.

plainword

The actual clear-text Windows user password.

1

Specifies a hidden Windows user password follows.

cryptoword

Encrypted user password.

uid

Sets user ID for password.

uid

Text password user ID (2001-65535).

password

Sets user password.

privilege

Sets user privilege level.

0

User privilege level for normal user.

15

User privilege level for superuser.

samba-password

Deprecated, same as cifs-password.


Defaults

The password value is set to 0 (clear text) by default.

Default administrator account:

Uid: 0

Username: admin

Password: default

Privilege: superuser (15)

Command Modes

global configuration

Device Modes

application-accelerator

central-manager

Usage Guidelines

A system administrator can log in to a WAAS device that is functioning as a Core or Edge WAE through the console port or the WAE Device Manager GUI. An administrator can log in to the WAAS Central Manager through the console port or the WAAS Central Manager GUI.

When the system administrator logs in to a WAAS device before authentication and authorization have been configured, the administrator can access the WAAS device by using the predefined superuser account (the predefined username is admin and the predefined password is default). When you log in to a WAAS device using this predefined superuser account, you are granted access to all the WAAS services and entities in the WAAS system.

After you have initially configured your WAAS devices, we strongly recommend that you immediately change the password for the predefined superuser account (the predefined username is admin, the password is default, and the privilege level is superuser, privilege level 15) on each WAAS device.

If the predefined password for this superuser account has not been changed on a WAAS device, the following message is displayed each time you use this superuser account to log in to the WAAS CLI:

Device is configured with a (well known) default username/password
for ease of initial configuration. This default username/password
should be changed in order to avoid unwanted access to the device.

System Initialization Finished.
waas-cm#

If the predefined password for this superuser account has not been changed on a WAAS Central Manager, a dialog box is also displayed each time you use this superuser account to log in to the WAAS Central Manager GUI.


Note We strongly recommend that you use the WAAS Central Manager GUI instead of the WAAS CLI to configure passwords and privilege levels for users on your WAAS devices, if possible. For information about how to use the WAAS Central Manager GUI to centrally configure and administer users on an single WAE or group of WAEs, which are registered with a WAAS Central Manager, see the Cisco Wide Area Application Services Configuration Guide.


The username global configuration command allows you to change the password and privilege level for existing user accounts. To change the password for the predefined superuser account on a per device basis, use the password option of the username global configuration command:

waas-cm(config)# username admin password ?
  0     Specifies an UNENCRYPTED password will follow
  1     Specifies a HIDDEN password will follow
  WORD  The UNENCRYPTED (cleartext) user password

For example, change the predefined password for the superuser account to mysecret for the WAAS Central Manager named waas-cm, as follows:

waas-cm# config
waas-cm#(config)# username admin password mysecret
waas-cm#(config)# exit

User Authentication

User access is controlled at the authentication level. For every HTTP request, including every WAAS CLI request, that arrives at the WAAS device, the authentication level has visibility into the supplied username and password. Based on CLI-configured parameters, a decision is then made to either accept or reject the request. This decision is made either by checking local authentication or by performing a query against a remote authentication server. The authentication level is decoupled from the authorization level, and there is no concept of role or domain at the authentication level.

When local CLI authentication is used, all configured users can be displayed by entering the show running-config EXEC command.

User Authorization

Domains and roles are applied by the WAAS device at the authorization level. Requests must be accepted by the authentication level before they are considered by the authorization level. The authorization level regulates access to resources based on the specified role in WAAS Central Manager GUI and domain configuration.

Regardless of the authentication mechanism, all user authorization configuration is visible in the GUI.

Examples

The following example demonstrates how passwords and privilege levels are reconfigured:

WAE# show user username abeddoe
Uid                 : 2003
Username            : abeddoe
Password            : ghQ.GyGhP96K6
Privilege           : normal user

WAE# show user username bwhidney
Uid                 : 2002
Username            : bwhidney
Password            : bhlohlbIwAMOk
Privilege           : normal user 

WAE(config)# username bwhidney password 1 victoria

WAE(config)# username abeddoe privilege 15
User's privilege changed to super user (=15) 

WAE# show user username abeddoe
Uid                 : 2003
Username            : abeddoe
Password            : ghQ.GyGhP96K6
Privilege           : super user 

WAE# show user username bwhidney
Uid                 : 2002
Username            : bwhidney
Password            : mhYWYw.7P1Ld6
Privilege           : normal user 

Related Commands

show user

(config) wccp access-list

To configure an IP access list on a WAE for inbound WCCP GRE encapsulated traffic, use the wccp access-list global configuration command.

wccp access-list {acl-number | ext-acl-number | acl-name}

Syntax Description

acl-number

Standard IP access list number (1-99).

ext-acl-number

Extended IP access list number (100-199).

acl-name

Name of the access list (30 characters maximum ).


Defaults

WCCP access lists are not configured by default.

Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

The wccp access-list number global configuration command configures an access control list to allow access to WCCP applications. The number variable is a number in the range 1 to 99, indicating a standard access control list or a number in the range 100 to 199, indicating an extended access control list. WCCP checks against the specified access control list before accepting or dropping incoming packets.

Refer to the Cisco Wide Area Application Services Configuration Guide for a detailed description of how to use standard IP ACLs to control WCCP access on a WAE.


Note WCCP works only with IPv4 networks.


Examples

The following example configures the WAE to apply IP access list number 10 to inbound WCCP traffic:

WAE(config)# wccp access-list 10

The following example shows sample output from the show ip access-list EXEC command from a WAE that has several WCCP access lists configured:

WAE(config)# show ip access-list
Space available:
    40 access lists
   489 access list conditions

Standard IP access list 10
   1 deny 10.1.1.1
   2 deny any
     (implicit deny any: 0 matches)
   total invocations: 0
Standard IP access list 98
   1 permit any
     (implicit deny any: 0 matches)
   total invocations: 0
Extended IP access list 100
   1 permit icmp any any
     (implicit fragment permit: 0 matches)
     (implicit deny ip any any: 0 matches)
   total invocations: 0
Extended IP access list 101
   1 permit ip any any
     (implicit fragment permit: 0 matches)
     (implicit deny ip any any: 0 matches)
   total invocations: 0
Extended IP access list 102
   1 permit icmp 0.0.1.1 255.255.0.0 any
     (implicit fragment permit: 0 matches)
     (implicit deny ip any any: 0 matches)
   total invocations: 0
Extended IP access list 111
   1 permit gre 0.1.1.1 255.0.0.0 any
     (implicit fragment permit: 0 matches)
     (implicit deny ip any any: 0 matches)
   total invocations: 0
Extended IP access list 112
   1 permit ip any any
     (implicit fragment permit: 0 matches)
     (implicit deny ip any any: 0 matches)
   total invocations: 0
Extended IP access list 113
   1 permit gre 0.1.1.1 255.0.0.0 any
     (implicit fragment permit: 0 matches)
     (implicit deny ip any any: 0 matches)
   total invocations: 0
Extended IP access list ext_acl_2
   1 permit gre any any
     (implicit fragment permit: 0 matches)
     (implicit deny ip any any: 0 matches)
   total invocations: 0
Extended IP access list extended_ip_acl
   1 permit tcp any eq 2 any eq exec
     (implicit fragment permit: 0 matches)
     (implicit deny ip any any: 0 matches)
   total invocations: 0

Interface access list references:
  PortChannel     2    inbound   extended_ip_acl
  PortChannel     2    outbound  101

Application access list references:
  snmp-server                     standard  2
    UDP ports: none (List Not Defined)
  WCCP                            either    10
    Any IP Protocol

The following example shows sample output from the show wccp gre EXEC command when WCCP access lists are defined on the WAE:

WAE# show wccp gre
Transparent GRE packets received:           366
Transparent non-GRE packets received:       0
Transparent non-GRE packets passed through: 0
Total packets accepted:                     337
Invalid packets received:                   0
Packets received with invalid service:      0
Packets received on a disabled service:     0
Packets received too small:                 0
Packets dropped due to zero TTL:            0
Packets dropped due to bad buckets:         0
Packets dropped due to no redirect address: 0
Packets dropped due to loopback redirect:   0
Connections bypassed due to load:           0
Packets sent back to router:                0
Packets sent to another CE:                 0
GRE fragments redirected:                   0
Packets failed GRE encapsulation:           0
Packets dropped due to invalid fwd method:  0
Packets dropped due to insufficient memory: 0
Packets bypassed, no conn at all:           0
Packets bypassed, no pending connection:    0
Packets due to clean wccp shutdown:         0
Packets bypassed due to bypass-list lookup: 0
Packets received with client IP addresses:  0
Conditionally Accepted connections:         0
Conditionally Bypassed connections:         0
L2 Bypass packets destined for loopback:    0
Packets w/WCCP GRE received too small:      0
Packets dropped due to IP access-list deny: 29
L2 Packets fragmented for bypass:           0

Related Commands

show ip access-list

show wccp

(config) wccp cifs-cache

To configure which WAEs are to transparently redirect and process CIFS traffic in the WAAS network in your branch office, use the wccp cifs-cache global configuration command. Use the no form of the command to disable the configuration.

wccp cifs-cache {mask {[dst-ip-mask hex-num] | [src-ip-mask hex-num]} | router-list-num num [assign-method-strict] [hash-destination-ip] [hash-source-ip] [l2-redirect] [mask-assign] [password key] [weight percentage]}

Syntax Description

mask

Sets the mask used for WAE assignment. Configure at least 1; the maximum is 4.

dst-ip-mask

(Optional) Sets the mask used to match the packet destination IP address.

hex-num

IP address mask defined by a hexadecimal number between 0x00000000 and FE000000. The default for dst-ip-mask is 0x00000000. The default for src-ip-mask is 0x00001741.

src-ip-mask

(Optional) Sets the mask used to match the packet source IP address.

router-list-num

Sets the router list number.

num

Router list number (1-8).

assign-method-strict

Forces WCCP to strictly use only the configured assignment method.

hash-destination-ip

(Optional) Defines load-balancing hash of the destination IP address.

hash-source-ip

(Optional) Defines load-balancing hash of the source IP address (default).

l2-redirect

(Optional) Packet forwarding by Layer 2 redirect.

mask-assign

(Optional) Uses the mask method for WAE assignment.

password

(Optional) Sets the authentication password to be used for secure traffic among the WAEs within a cluster and the router for the CIFS service. Be sure to enable all other WAEs and routers within the cluster with the same password.

key

WCCP service password key. Passwords must not exceed eight characters.

weight

(Optional) Sets the weight percentage for load balancing.

percentage

Percentage value (0-100).


Defaults

The WCCP CIFS caching service is disabled by default. When it is configured, the following defaults apply:

dst-ip-mask: 0x00000000

src-ip-mask: 0x00001741

If neither hash option is specified, the default source IP hash load balancing method is used.

Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

In the WAAS software release, the following two WCCP services are supported:

TCP promiscuous mode service (services 61 and 62)

CIFS caching service (service 89)

Both of these WCCP services requires that WCCP Version 2 is running on the router and the WAE.

The TCP promiscuous mode service is a WCCP service that intercepts all TCP traffic and redirects it to the local WAE. The WCCP CIFS caching service is a dynamic service that intercepts all TCP traffic destined for ports 139 and 445 and redirects it to the corresponding redirect port (139 or 445). Load balancing distributes traffic based on the source IP address, by default. The WCCP-enabled router uses service ID 89 to access this service.


Note When you enable the TCP promiscuous mode service on a WAE and a router, you do not need to enable the CIFS caching service (WCCP Version 2 service 89) on the router or WAE. When the TCP promiscuous mode service is used, the CIFS caching service is not required.

WCCP works only with IPv4 networks.


Examples

The following example configures CIFS traffic to be handled by the WAEs matching a destination IP address mask:

WAE(config)# wccp cifs-cache mask dst-ip-mask 0x00005384

The following example disables the destination IP address mask just configured, but not the CIFS cache service:

WAE(config)# no wccp cifs-cache mask

The following example configures CIFS traffic to be handled by the WAEs that match the destination hash load-balancing method:

WAE(config)# wccp cifs-cache hash-destination-ip

The following example configures the CIFS traffic to be handled by the WAEs contained in router list 2:

WAE(config)# wccp cifs-cache router-list-num 2

Related Commands

show wccp

(config) wccp tcp-promiscuous

(config) wccp version

(config) wccp flow-redirect

To enable WCCP flow redirection on a WAE, use the flow-redirect enable global configuration command. Use the no form of this command to disable flow redirection.

wccp flow-redirect enable

Syntax Description

enable

Enables flow redirection.


Defaults

Enabled

Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

WCCP flow protection is a mechanism that ensures that no existing flows are broken when a new WAE is brought online or removed from a service group. When transparent traffic interception or redirection first begins, WCCP flow protection ensures that no existing HTTP flows are broken by allowing preexisting, established HTTP flows to continue on. WCCP flow protection also ensures that when a new WAE joins an existing WAE group, existing flows serviced by preexisting WAEs in the cluster continue to receive those existing flows.

The mechanisms used by WCCP flow protection result in all of the benefits of maintaining per flow state information in a centralized location but without the overhead, scaling issues, and redundancy or resiliency issues (for example, asymmetrical traffic flows) associated with keeping per flow state information in the switching layer.

Use the wccp flow-redirect global configuration command to implement WCCP flow protection. Flow protection is designed to keep the TCP flow intact as well as to not overwhelm WAEs when they are first started up or are reassigned new traffic. This feature also has a slow start mechanism whereby the WAEs try to take a load appropriate for their capacity.


Note When bypass is enabled, the client itself tries to reach the origin web server. You must disable all bypass options to eliminate an unnecessary burden on the network.

WCCP works only with IPv4 networks.


Examples

The following example shows how to enable WCCP flow protection on a WAE:

WAE(config)# wccp flow-redirect enable

Related Commands

(config) wccp slow-start

(config) wccp router-list

To configure a router list for WCCP Version 2, use the wccp router-list global configuration command. To disable this function, use the no form of this command.

wccp router-list number ip-address

Syntax Description

number

Router list number (1-8).

ip-address

IP address of router to add to the list.


Defaults

Disabled

Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

As part of configuring a WCCP Version 2 service on a WAE, you must create a list of WCCP Version 2-enabled routers that support the CIFS cache service for the WAE.

Each router list can contain up to eight routers. You can add up to 8 router lists and up to 32 IP addresses per list.


Note The ip wccp global configuration command must be used to enable WCCP on each router that is included on the router list.

WCCP works only with IPv4 networks.


Examples

In the following example, router list number 7 is created, and it contains a single router (the WCCP Version 2-enabled router with IP address 192.168.68.98).

WAE(config)# wccp router-list 7 192.168.68.98

The following example deletes the router list number 7 created in the previous example:

WAE(config)# no wccp router-list 7 192.168.68.98

The following example shows how to create a router list (router list 1) and then configure the WAE to accept redirected TCP traffic from the WCCP Version 2-enabled router on router list 1:

WAE(config)# wccp router-list 1 10.10.10.2
WAE(config)# wccp tcp-promiscuous router-list 1
WAE(config)# wccp version 2

Related Commands

(config) wccp version

(config) wccp shutdown

To set the maximum time interval after which the WAE will perform a clean shutdown of WCCP, use the wccp shutdown global configuration command. To disable the clean shutdown, use the no form of the command.

wccp shutdown max-wait seconds

Syntax Description

max-wait

Sets the clean shutdown time interval.

seconds

Time in seconds (0-86400). The default is 120 seconds.


Defaults

The maximum time interval before a clean shutdown is 120 seconds by default.

Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

To prevent broken TCP connections, the WAE performs a clean shutdown of WCCP after a reload or wccp version command is issued. The WAE does not reboot until either all connections have been serviced or the configured max-wait interval has elapsed.

During a clean shutdown, the WAE continues to service the flows it is handling, but starts to bypass new flows. When the number of flows goes down to zero, the WAE takes itself out of the cluster by having its buckets reassigned to other WAEs by the lead WAE. TCP connections can still be broken if the WAE crashes or is rebooted without WCCP being cleanly shut down. The clean shutdown can be aborted while in progress.

You cannot shut down an individual WCCP service on a particular port on a WAE; you must shut down WCCP on the WAE. After WCCP is shut down on the WAE, the WAE preserves its WCCP configuration settings and services proxy-style requests (for example, HTTP requests that the FWAE receives directly from a client browser).


Note WCCP works only with IPv4 networks.


Examples

The following example shows how to configure the WAE to wait 1000 seconds:

WAE(config)# wccp shutdown max-wait 1000 

The following example shows how to shut down WCCP Version 2 on the WAE by entering the no wccp version 2 command. In this case, after you enter the no wccp version 2 command, the WAE waits 1000 seconds before it shuts down WCCP Version 2.

WAE(config)# no wccp version 2

A countdown message appears, indicating how many seconds remain before WCCP will be shut down on the WAE:

Waiting (999 seconds) for WCCP shutdown. Press ^C to skip shutdown

The clean shutdown can be aborted while in progress by simultaneously pressing ^C after 
the countdown message appears.

Related Commands

(config) wccp flow-redirect

(config) wccp slow-start

(config) wccp version

(config) wccp slow-start

To enable the slow start capability of the caching service on the WAE, use the wccp slow-start enable global configuration command. To disable slow start capability, use the no form of this command.

wccp slow-start enable

Syntax Description

enable

Enables WCCP slow start.


Defaults

Enabled

Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

Within a service group of WAEs, TCP connections are redirected to other WAEs as units are added or removed. A WAE can be overloaded if it is reassigned new traffic too quickly or introduced abruptly into a fat pipe.

WCCP slow start performs the following tasks to prevent a WAE from being overwhelmed when it comes online or is reassigned new traffic:

TCP flow protection when WCCP 2 is enabled and a WAE is introduced into the service group

TCP flow protection when WCCP 2 is disabled and a WAE is leaving the service group

Load assignment to the WAE in slow increments rather than a full load at bootup

Slow start is applicable only in the following cases:

Initial bootup when there is no WAE yet present in the service group

When a new WAE is added to a service group that is not handling the full load; for example, when there are some buckets that are being shed by the service group

In all other cases slow start is not necessary, and all the WAEs can be immediately assigned their share of traffic.


Note WCCP works only with IPv4 networks.


Examples

The following example shows how to enable the slow start capability of the caching service on a WAE:

WAE(config)# wccp slow-start enable

The following example shows how to disable the slow start capability of the caching service on a WAE:

WAE(config)# no wccp slow-start enable

Related Commands

(config) wccp flow-redirect

(config) wccp tcp-promiscuous

To configure the Web Cache Coordination Protocol (WCCP) Version 2 TCP promiscuous mode service (WCCP Version 2 services 61 and 62) on a WAE, use the wccp tcp-promiscuous global configuration command.

wccp tcp-promiscuous {mask tcp-promiscuous-mask | router-list-num number [router-list-options]}

Syntax Description

mask

Specifies the mask used for WAE assignment.

tcp-promiscuous-mask

Use the following syntax to specify the mask:

{dst-ip-mask | dst-port-mask | src-ip-mask | src-port-mask} mask [tcp-promiscuous-mask]

dst-ip-mask

Specifies the IP address mask defined by a hexadecimal number (for example, 0xFE000000) used to match the packet destination IP address. The range is 0x0000000-0XFE000000. The default is 0x00001741

dst-port-mask

Specifies the port mask defined by a hexadecimal number (for example, 0xFE00) used to match the packet destination port number. The port mask range is 0x00-0xFE. The default is 0x0.

src-ip-mask

Specifies the IP address mask defined by a hexadecimal number (for example, 0xFE000000) used to match the packet source IP address. The range is 0x00000000-0xFE000000. The default is 0x00000000.

src-port-mask

Specifies the port mask defined by a hexadecimal number (for example, 0xFE00) used to match the packet source port number. The port mask range is 0x00-0xFE. The default is 0x0.

mask

The mask in hexadecimal (0x0000000-0xFE000000).

router-list-num

Specifies the number of the WCCP router list that should be associated with the TCP promiscuous mode service.

number

The number of the WCCP router list (1-8) that should be associated with the TCP promiscuous mode service. (These WCCP Version 2-enabled routers will transparently redirect TCP traffic to the WAE.)

router-list-options

(Optional) Use the following syntax to specify the mask:

{assign-method-strict | l2-redirect | l2-return | mask-assign | password password | weight weight} [router-list-options]

assign-method-strict

Specifies that only the configured assignment method be used.

l2-redirect

Specifies that Layer 2 redirection be used for packet forwarding. If the WAE has a Layer 2 connection with the device, and the device is configured for Layer 2 redirection, Layer 2 redirection permits the WAE to receive transparently redirected traffic from a WCCP Version 2-enabled switch or router.

l2-return

Specifies that Layer 2 rewriting be used for packet return.

mask-assign

Specifies that the mask method be used for WAE assignment.

password

Specifies the password to be used for secure traffic between the WAEs within a cluster and the router for a specified service. Be sure to enable all other WAEs and routers within the cluster with the same password.

password

The WCCP service password. Passwords must not exceed 8 characters in length.

weight

Specifies that a weight percentage be used. The weight represents a percentage of the total load redirected to the device for load-balancing purposes (for example, a WAE with a weight of 30 receives 30 percent of the total load).

weight

The weight percentage. The weight value ranges from 0 to 100%. By default, weights are not assigned and the traffic load is distributed evenly between the WAEs in a service groups.


Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

WCCP provides the mechanism to transparently redirect client requests to a WAE for processing. To configure basic WCCP, you must enable the WCCP service on the router and the Core WAE in the data center and the router and Edge WAE in the branch office. It is not necessary to configure all of the available WCCP features or services to get a WAE up and running.

In the WAAS software release, the following two WCCP services are supported:

TCP promiscuous mode service (services 61 and 62)

CIFS caching service (service 89)

Both of these WCCP services requires that WCCP Version 2 is running on the router and the WAE.

The TCP promiscuous mode service is a WCCP service that intercepts all TCP traffic and redirects it to the local WAE. The WCCP CIFS caching service is a dynamic service that intercepts all TCP traffic destined for ports 139 and 445 and redirects it to the corresponding redirect port (139 or 445). Load balancing distributes traffic based on the source IP address, by default. The WCCP-enabled router uses service ID 89 to access this service.

In order for the WAE to function as a promiscuous TCP device for TCP traffic that is transparently redirected to it by the specified WCCP Version 2 routers, the WAE uses WCCP Version 2 services 61 and 62. The WCCP services 61 and 62 are represented by the canonical name of "tcp-promiscuous" on the WAE, as shown in the following sample output of the WAAS CLI on an Edge WAE:

Edge-WAE1(config)# wccp ?
  access-list      Configure an IP access-list for inbound WCCP encapsulated
                   traffic
  cifs-cache       CIFS caching
  flow-redirect    Redirect moved flows
  router-list      Router List for use in WCCP services
  shutdown         Wccp Shutdown parameters
  slow-start       accept load in slow-start mode
  tcp-promiscuous  TCP promiscuous mode service
  version          WCCP Version Number

Note When you enable the TCP promiscuous mode service on a WAE and a router, you do not need to enable the CIFS caching service (WCCP Version 2 service 89) on the router or WAE. When the TCP promiscuous mode service is used, the CIFS caching service is not required.

WCCP works with IPv4 networks only.


Examples

The following example shows how to turn on the TCP promiscuous mode service and associate this service with the router list by using the wccp tcp-promiscuous router-list-num command:

WAE # wccp tcp-promiscuous router-list-num 1
WCCP configuration for TCP Promiscuous service 61 succeeded.
WCCP configuration for TCP Promiscuous succeeded.
Please remember to configure WCCP service 61 and 62 on the corresponding router.

Related Commands

(config) wccp cifs-cache

(config) wccp router-list

show wccp

(config) wccp version

To specify the version of WCCP that the WAE should use, enter the wccp version global configuration command. Use the no form of the command to disable the currently running version.

wccp version 2

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

global configuration

Device Modes

application-accelerator

Usage Guidelines

You must configure a WAE to use WCCP Version 2 instead of WCCP Version 1 because WCCP Version 1 only supports web traffic (port 80).

The WAE performs a clean shutdown after a reload or no wccp version 2 command is entered. A clean shutdown prevents broken TCP connections.

The following sequence of events details the interaction between WAEs and routers that have been configured to run WCCP Version 2:

1. Each WAE is configured with a router list. (See the "(config) wccp router-list" command.)

2. Each WAE announces its presence and a list of all routers with which it has established communications. The routers reply with their view (list) of WAEs in the group.

Routers and WAEs become aware of one another and form a WCCP service group using a management protocol. The WAEs also send periodic "Here I am" messages to the routers that allow the routers to rediscover the WAEs. To properly depict the view, the protocol needs to include the list of routers in the service group as part of its messages.

3. Once the view is consistent across all the WAEs in the WAE cluster, one WAE is designated the lead. When there is a group of WAEs, the one seen by all routers and the one that has the lowest IP address becomes the lead WAE.

The role of this lead WAE is to determine how traffic should be allocated across the WAEs in the WAE group. The lead WAE sets the policy that the WCCP-enabled routers must adhere to when redirecting packets to the WAEs in this cluster. The assignment information is passed to the entire service group from the designated WAE so that the routers in the service group can redirect the packets properly and the WAEs in the service group can better manage their load.


Note WCCP works only with IPv4 networks.


Examples

The following example shows how to enable WCCP Version 2 on a WAE:

WAE(config)# wccp version 2

Related Commands

(config) wccp cifs-cache

(config) wccp tcp-promiscuous

(config) wccp router-list

(config) windows-domain

To configure Windows domain server options on a WAAS device, use the windows-domain global configuration command.

windows-domain {administrative group {normal-user | super-user} groupname | comment string | netbios-name name | password-server {hostname | ipaddress} | realm kerberos-realm | wins-server {hostname | ipaddress} | workgroup name | security ADS}

Syntax Description

administrative

Sets administrative options.

group

Sets an administrative group name.

normal-user

Sets the administrative group name for the normal user (privilege 0).

super-user

Sets the administrative group name for the super user (privilege 15).

groupname

The name of the administrative group.

comment

Specify a comment for the Windows domain server.

string

Text string.

netbios-name

Specify the NetBIOS name of the WAE. This is the name provided when the Edge FE announces its availability for print services.

name

NetBIOS name.

password-server

Specify the password server used to verify a client's password.

hostname

Hostname of the password server.

ipaddress

IP address of the password server.

realm

Kerberos realm to use for authentication. The realm is used as the Active Directory Service (ADS) equivalent of the NT4 domain. This argument is valid only when Kerberos ADS mode is used.

kerberos-realm

IP address or name (in UPPERCASE letters) of the Kerberos realm. The Kerberos realm is typically set to the DNS name of the Kerberos server or Active Directory domain. Default value is a NULL string.

Example: kerberos-realm = MYBOX.MYCOMPANY.COM

wins-server

Specify the Windows Internet Naming Service (WINS) server.

hostname

Hostname of the WINS server.

ipaddress

IP address of the WINS server.

workgroup

Specify the workgroup (or domain) in which the WAAS device resides.

name

Name of the workgroup or domain.

security

Sets Kerberos authentication.

ADS

Active Directory Service


Defaults

Windows domain options are disabled by default.

Command Modes

EXEC

Device Modes

application-accelerator

central-manager

Usage Guidelines

Use this EXEC command to set the Windows domain server parameters for a WAAS device.

When Kerberos authentication is enabled, the default realm is DOMAIN.COM and the security is ADS. If Kerberos authentication is disabled, security is domain.

Examples

The following example shows how to configure the Windows domain server at 10.10.24.1 for an Edge FE with a NetBIOS name of myFileEngine in the ABD domain. It also identifies the password server:

WAE(config)# windows-domain wins-server 10.10.24.1
WAE(config)# windows-domain password-server 10.10.100.4
WAE(config)# windows-domain netbios-name myFileEngine
WAE(config)# windows-domain workgroup ABC

The following example shows how to configure the windows domain server when Kerberos authentication is enabled using the kerberos command:

WAE(config)# windows-domain realm ABC.COM
WAE(config)# windows security ADS

 =============== checking new config using testparm ===================

Load smb config files from /state/actona/conf/smb.conf
Processing section "[print$]"
Processing section "[printers]"
Loaded services file OK.

WAE(config)# exit
WAE# show windows-domain
  Login Authentication for Console/Telnet Session: enabled

  Windows domain Configuration:
  -----------------------------
    Workgroup:
    Comment: Comment:
    Net BIOS: MYFILEENGINE
    Realm: ABC
    WINS Server: 10.10.10.1
    Password Server: 10.10.10.10
    Security: ADS

Related Commands

(config) kerberos

show windows-domain

windows-domain