Cisco Internet Streamer CDS 2.5 Software Configuration Guide
Configuring Devices


Table Of Contents

Configuring Devices

Configuring Locations

Configuring Device Groups

Working with Device Groups

Aggregate Settings

Device Group Overlap

Configuring the Service Engine

Activating a Service Engine

Assigning Devices to Device Groups

Configuring Bandwidth for Replication and Ingest

Default Bandwidth

Scheduled Bandwidth

Service Control

Configuring Service Rules

Configuring ICAP

Configuring PCMM QoS Policy

Configuring URL Signing

Configuring the Authorization Service

Configuring Transaction Logs

Application Control

Configuring Default and Maximum Bandwidth

Configuring Bandwidth Schedules

Configuring Windows Media Streaming—General Settings

Configuring Windows Media Streaming—Bypass List

Configuring Movie Streamer—General Settings

Configuring RTSP Advanced Settings

Configuring Flash Media Streaming—General Settings

Configuring Flash Media Streaming—FMS Administrator

Configuring Flash Media Streaming—Wholesale Licenses

Configuring Flash Media Streaming—Service Monitoring

Configuring Web Engine HTTP Connections

Configuring Web Engine HTTP Caching

Configuring Web Engine HTTP Cache Freshness

Configuring Web Engine Advanced HTTP Caching

General Settings

Configuring Content Management

Login Access Control

Authentication

Scheduling Database Maintenance

Setting Storage Handling

Network Settings

Configuring Notification and Tracking

Configuring Troubleshooting

Configuring Service Router Settings

Configuring the Service Router

Activating a Service Router

Configuring Routing Settings

Configuring Request Routing Settings

Configuring IP-Based Redirection

Configuring the Proximity Server Settings

Configuring Application Control

Configuring Last-Resort Routing

Creating ASX Error Message Files for Windows Media Live Programs

Configuring Transaction Logs for the Service Router

Configuring the CDSM


Configuring Devices


This chapter discusses configuring locations and device groups for devices, and gives detailed instructions on configuring the three device types: CDSMs, SEs, and SRs. This chapter presents the following major topics:

Configuring Locations

Configuring Device Groups

Configuring the Service Engine

Configuring the Service Router

Configuring the CDSM

Configuring Locations

Locations are set up in the Internet Streaming CDSM to organize and group SEs into virtual networks for distribution of content through delivery services. For more information about locations, see the "Cisco CDS Topology" section.

Locations need to be configured before you can activate SEs and SRs and bring them online in the CDS network. Table 4-1 describes the icons for the Locations Table page.

Table 4-1 Location Icons 

Icon
Function

Create a new location.

Create a filtered table.

View all locations.

Refresh the table.

Print the current window.

Edit a location.


To create a new location or edit an existing one, do the following:


Step 1 Choose Devices > Locations. The Locations Table page is displayed (Figure 4-1).

The table is sortable by clicking the column headings.

Figure 4-1 Locations Table Page

Step 2 In the task bar, click the Create New Location icon. The Creating New Location page is displayed (Figure 4-2).

To edit a location, click the Edit icon next to the location name.

Figure 4-2 Creating New Location Page

Step 3 Enter the settings as appropriate. See Table 4-2 for a description of the fields.

Table 4-2 Location Fields

Field
Description

Name

Name of the location.

Parent Location

Choose a location from the drop-down list. A location with no parent, None, is level 1. The location level is displayed after you choose a parent location.

Comments

Enter any information about the location.


Step 4 Click Submit to save the settings.


To delete a location, from the Locations Table page, click the Edit icon next to the location you want to delete, and click the Delete icon in the task bar.

To view the location tree, click the Location Trees icon in the task bar. The location tree represents the network topology you configured when you assigned a parent to each location.

Configuring Device Groups

The Internet Streaming CDSM allows you to configure SEs into device groups so that the entire group of SEs is configured at one time. Device groups and SEs share the same configuration features and options.

Table 4-3 describes the icons for the Device Groups Table page.

Table 4-3 Device Group Table Icons

Icon
Function

Creates a new device group.

Creates a filtered table.

Views all device groups.

Refreshes the table.

Prints the current window.

Edits a device group.


This section covers creating, editing, and deleting device groups. All other configuration pages for a device group are covered in the "Configuring the Service Engine" section.

To create or edit a device group, do the following:


Step 1 Choose Devices > Device Groups. The Device Groups Table page is displayed (Figure 4-3).

The table is sortable by clicking the column headings.

Figure 4-3 Device Groups Table Page

Step 2 In the task bar, click the Create New Device Group icon. The Creating New Device Group page is displayed (Figure 4-4).

To edit a device group, click the Edit icon next to the device group name.

Figure 4-4 Creating New Device Group Page

Step 3 In the Name field, enter the name of the device group. The name must be unique and should be a name that is useful in distinguishing the device group from the others in the CDS.

Step 4 Check the Automatically assign all newly activated devices to this group check box if applicable.

Step 5 Choose Regular Group to indicate this group is not used as a baseline for all SEs or choose Baseline Group and select the baseline type to define this group as a baseline for all SEs.

For information about baseline groups, see the "Baseline Groups" section.

Step 6 To customize the left panel menu for this device group, click the Select pages to hide from the menu for this device group arrow, and check the pages you want to hide. To collapse these settings, click the arrow again.

Use this feature to remove from view any configuration pages that you do not need for the device group.

Step 7 In the Comments field, enter any information about the device group.

Step 8 Click Submit to save the settings.

If you are editing this device group, you can view a list of all settings configured for this device group by clicking the Pages configured for this device group arrow. To collapse this information list, click the arrow again.

To delete a device group, click the Delete icon in the task bar.

Step 9 To assign SEs to the device group, choose Assignments > Devices. The Assignment table is displayed listing all SEs in the CDS.


Note From this point forward, the steps to get to a configuration page are combined into one step using notation similar to the following: Device Group > Assignments > Devices.


Step 10 Click the Assign icon (blue cross mark) next to each SE name you want to assign to this group.

To assign all SEs, click Assign all Service Engines in the task bar.

Step 11 Click Submit to add the selected SEs to the device group.


To remove an SE from the device group, click the Unassign icon (green check mark) next to the name of the SE, and click Submit.

To remove all SEs from the device group, click the Unassign all Service Engines icon in the task bar, and click Submit.

Working with Device Groups

When you first create a device group, all settings you configure for the device group are automatically propagated to all the SEs assigned to that group.


Note All SE settings in the "Configuring the Service Engine" section, except those listed below, can also be configured for a device group. The following pages are not available for device group configuration:

Devices > Application Control > Windows Media Streaming > Bypass List. See the "Configuring Windows Media Streaming—Bypass List" section for more information.

Devices > General Settings > Network > Network Interfaces. See the "Viewing Network Interfaces" section for more information.

Devices > General Settings > Network > External IP. See the "Configuring External IP Addresses" section for more information.

Devices > General Settings > Network > IP ACL. See the "Configuring IP ACL" section for more information.


After configuring the device group settings, the task bar for the corresponding configuration page for an individual SE that is part of that device group displays the Override Group Settings icon and the Device Group drop-down list with the device group name displayed.

When an SE belongs to more than one device group, the name of the device group whose settings were applied last is displayed.

To configure individual settings for an SE in a device group, click the Override Group Settings icon in the task bar. You can then edit the fields on the page and click Submit. The Device Group drop-down list displays "Select a Device Group."

To reapply the device group settings, select the device group from the Device Group drop-down list and click Submit. Alternatively, go to the corresponding device group configuration page and click the Force Settings on SEs in Group icon. This icon is displayed on a device group configuration page only when an SE's individual settings override the group settings.


Note The individual SE configuration page does not display the Override Group Settings icon and the Device Group drop-down list in the task bar if no settings have been configured on the corresponding device group configuration page.


To force all device group settings to all assigned SEs, go to the Device Group Home page and click the Force Group Settings icon in the task bar.


Note The last configuration submitted for the device, whether it is the device group configuration or the individual device configuration, is the configuration the device uses.


Table 4-4 describes the icons for the Device Groups configuration pages.

Table 4-4 Device Group Configuration Icons

Icon
Function

Deletes a device group.

Updates application statistics.

Forces full database update.

Reboots all devices in device group.

Forces the group settings. Forces the complete set of configurations made for a device group to all devices associated with that group.

Forces settings on SEs in a device group. Forces the configuration of the displayed page to all SEs in the device group.

Overrides the group settings on the device.

Prints the current window.


Aggregate Settings

The following device and device group configuration pages have aggregate settings:

Replication > Scheduled Bandwidth. See the "Scheduled Bandwidth" section for more information.

Service Control > Service Rules. See the "Configuring Service Rules" section for more information.

Service Control > ICAP Services. See the "Configuring ICAP" section for more information.

Service Control > URL Signing. See the "Configuring URL Signing" section for more information.

Application Control > Bandwidth Schedules. See the "Configuring Bandwidth Schedules" section for more information.

General Settings > Login Access Control > Users > Usernames. See the "Creating, Editing, and Deleting Users—Usernames" section for more information.

To access these pages, first choose Devices > Devices or Devices > Device Groups, followed by the Edit icon next to the device or device group you want to configure.

Aggregate Settings is set to Yes by default. When Aggregate Settings is set to Yes, the settings for the device group are aggregated with the settings for the SE: you can configure settings for all SEs in a device group, then configure individual settings for each SE, and the combined set of device group and individual SE settings is applied to the SE. On the individual SE configuration page, entries inherited from the device group are listed with the View icon (read-only) and entries configured on the SE itself are listed with the Edit icon.

If Aggregate Settings is set to No, only the individual SE settings are applied to the SE; the device group settings do not apply.

To edit the device group settings, or configure new settings for the device group, you must go to the corresponding device group configuration page.

If you remove all settings from the device group, the device settings that were displayed under Aggregate Settings are removed as well. Review the individual SE pages before clearing a group's service rules, ICAP services, URL signing entries, or usernames, because those per-SE entries disappear with the group settings.


Note The last configuration submitted for the device, whether it is the device group configuration or the individual device configuration, is the configuration the device uses.


Table 4-5 describes the icons for the configuration pages that have aggregate settings.

Table 4-5 Aggregate Settings Icons 

Icon
Function

Creates a new entry.

Edits an entry.

Deletes an entry.

Views read-only entry.

Creates a filtered table. Filter the table based on the field values.

Views all table entries. Click this icon to view all entries after you have created a filtered table.

Refreshes the table.

Prints the current window.


Device Group Overlap

If you want the ability to assign a device to more than one device group, you must enable device group overlap. Device group overlap is enabled by default.

To enable or disable device group overlap, do the following:


Step 1 Choose System > Configuration. The Config Properties page is displayed.

Step 2 Click the Edit icon next to the DeviceGroup.overlap property. The Modifying Config Property page is displayed.

Step 3 To enable device group overlap, choose true from the Value drop-down list.

To disable device group overlap, choose false from the Value drop-down list.

Step 4 Click Submit to save the settings.


You cannot disable device group overlap after you have assigned devices to multiple device groups.


Tip To force the complete configuration set of a device group to all devices in that group, click the Force Group Settings icon in the task bar.


Configuring the Service Engine

This section walks you through the different configuration pages available for a Service Engine. The main configuration groups are described as follows:

Service Control—Settings for access control by way of client request filtering, URL signing, and third-party QoS and conditional access policies; additionally, transaction logs are configured to monitor traffic

Application Control—Settings for bandwidth management of delivery services and protocol engines (Web, Windows Media, Movie Streamer, Flash Media Streaming, and RTSP advanced settings)

General Settings—Settings for access control of the device, maintenance, network connectivity, and monitoring

The first two pages, Device Activation and Assignment, cover activating an SE in the Internet Streaming CDSM, assigning it to a location, and assigning device groups to the SE.

Activating a Service Engine

Activating a device (Service Engine, Service Router, or CDSM) can be done through the Devices home page initially, or through the Device Activation page.

To activate a device from the Device Activation page, do the following:


Step 1 Choose Devices > Devices. The Devices Table page is displayed (Figure 4-5).

Figure 4-5 Devices Table Page

Step 2 Click the Edit icon next to the device you want to configure. The Devices home page is displayed.

Step 3 Click Show All to display the top-level menu options, and click Device Activation. The Device Activation page is displayed (Figure 4-6).

Figure 4-6 Device Activation Page

Step 4 Enter the settings as appropriate. See Table 4-6 for a description of the fields.

Table 4-6 Device Activation Fields 

Field
Description

Name

Name of the device.

Activate

To activate or deactivate the device, check or uncheck the Activate check box. Alternatively, you can click the Deactivate Device icon in the task bar.

When you uncheck the Activate check box and click Submit, the Replaceable check box is displayed. Check the Replaceable check box when you need to replace the device or recover lost registration information. For more information, see the "Recovering CDS Network Device Registration Information" section.

Server Offload

To offload this device for maintenance or a software upgrade, check the Server Offload check box. When checked, the Service Router stops sending requests to this device.

Note If a client has a program paused at the moment Server Offload is enabled, resuming that program will most likely fail.

To monitor the current streams on an SE during the Server Offload state, use the show interface command. If the packets received or packets sent counter is still increasing, the SE is still streaming. The packets received count is high if there is an incoming stream.

Note We recommend separating the management traffic from the streaming traffic by using the port channel configuration; see the "Configuring Port Channel" section for more information.

If management and streaming traffic are separated, the show interface command for the streaming port channel reflects only the active streaming sessions.

If management and streaming traffic are not separated, the show interface command also counts the management traffic, which is very low; the packets received and packets sent counters grow far more slowly for management traffic than for a client streaming session, so compare the rate of increase rather than waiting for the counters to stop.

Once the SE has finished streaming, you can perform maintenance or upgrade the software on the device. For information about upgrading the software, see the "Upgrading the Software" section.

The Status field on the Device Activation page and the Devices Table page displays "offloading" when Server Offload is checked.

Once the software upgrade or maintenance is complete, you need to uncheck the Server Offload check box so that the device can again participate in the system.

Note If the Server Offload option is set on an SE that is acting as the Content Acquirer for a delivery service for dynamic ingest or live stream splitting, a new SE is chosen as the Location Leader for the delivery service. However, if the Content Acquirer is up and communicating with the CDSM, it continues to perform content ingest and content distribution.

Content Cache

Informational only. The content cache size is the total disk space on the CDS network file system (CDNFS) on the SE that is designated for cache. The Content Cache represents the unused cache space. The used cache space is the disk space allotted for all the delivery services to which the SE is assigned. To view the used cache space, choose Services > Service Definition > Delivery Services > Assign Service Engines.

Set Default Coverage Zone File

When checked, which is the default setting, a default Coverage Zone file is generated with the SE serving the local subnet it resides on. The coverage zone is a CDS network-wide mapping of client IP addresses to SE IP addresses that should respond to client requests. For more information, see the "Coverage Zone File Registration" section.

The default coverage zone can be disabled and you can create and assign custom coverage zones using the Coverage Zone file import or upload.

Uncheck the Set Default Coverage Zone File check box to use a user-defined Coverage Zone file that was imported or uploaded.

Location

Lists all the locations configured for the CDS.

Use SE's primary IP address

Enables the CDSM to use the IP address on the primary interface of the SE for management communications.

Note If the Use SE's primary IP Address for Management Communication check box is checked and the Management Communication Address and Port are also configured, the check box takes precedence: the CDSM uses the SE's primary IP address for communication.

Note Do not check the Use SE's primary IP Address for Management Communication check box if you want to separate management and streaming traffic. Instead, use the Management Communication Address and Port fields to specify where management traffic should be sent.

Management Communication Address

Manually configures a management IP address for the CDSM to communicate with the SE.

Manual configuration of the management IP address and port are used when using port channel configuration to separate management and streaming traffic. For more information about port channel configuration see the "Configuring Port Channel and Load Balancing Settings" section and the "Configuring Port Channel" section.

Management Communication Port

Port number to enable communication between the CDSM and the SE.

Comments

Information about the settings.


Step 5 Click Submit to save the settings.
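The Server Offload note above says to watch the show interface packet counters to tell whether an offloaded SE has drained before you take it down for maintenance. The following is an added example (not Cisco's code, and not a CDS command) of how to make that decision mechanically from two samples of the command output taken a known interval apart. The counter lines in the samples are constructed for this example; the real show interface output may label its counters differently, so the regex only requires a "Packets Received" or "Packets Sent" line followed by a number. The IDLE_PPS threshold is a hypothetical value that stands in for the background management chatter you see when management and streaming traffic share the same port; tune it per deployment.

```python
import re
from typing import Dict

# Tolerant match for "Packets Received: N" / "Packets Sent: N" lines
# (constructed format; adjust if your show interface output differs).
COUNTER_RE = re.compile(r"packets\s+(received|sent)\D*?(\d+)", re.IGNORECASE)

# Hypothetical threshold: counter growth slower than this is treated as the
# management traffic (CDSM polling, SSH) that shares the port when management
# and streaming traffic are not separated on a port channel.
IDLE_PPS = 20.0


def parse_counters(show_interface_output: str) -> Dict[str, int]:
    """Extract the packets-received / packets-sent counters from one sample."""
    counters: Dict[str, int] = {}
    for direction, value in COUNTER_RE.findall(show_interface_output):
        counters[direction.lower()] = int(value)
    missing = {"received", "sent"} - counters.keys()
    if missing:
        raise ValueError(f"counters not found in sample: {sorted(missing)}")
    return counters


def drain_state(sample1: str, sample2: str, interval_s: float,
                idle_pps: float = IDLE_PPS) -> Dict[str, object]:
    """Compare two samples taken interval_s apart.

    Returns the per-direction packet rate and whether the SE is still
    streaming (either counter growing faster than the idle threshold).
    """
    c1, c2 = parse_counters(sample1), parse_counters(sample2)
    rates: Dict[str, float] = {}
    for direction in ("received", "sent"):
        delta = c2[direction] - c1[direction]
        if delta < 0:
            # A counter that goes backwards means the interface or its
            # statistics were reset between samples; do not guess.
            raise ValueError(f"{direction} counter went backwards (interface reset?)")
        rates[direction] = delta / interval_s
    streaming = any(rate > idle_pps for rate in rates.values())
    return {"rates_pps": rates, "streaming": streaming}


# Constructed samples, 60 seconds apart, from an SE whose streaming port
# channel is still serving one client: ~8k packets/min out, a trickle in.
SAMPLE_T0 = """\
PortChannel 1 is up, line protocol is up
    Packets Received:  1050223
    Packets Sent:      9834001
"""
SAMPLE_T1 = """\
PortChannel 1 is up, line protocol is up
    Packets Received:  1050460
    Packets Sent:      9842150
"""

if __name__ == "__main__":
    print(drain_state(SAMPLE_T0, SAMPLE_T1, interval_s=60))
```

Take the samples from the streaming port channel when management and streaming traffic are separated; otherwise the idle threshold is what distinguishes management chatter from a lingering client session.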


Assigning Devices to Device Groups

You can assign devices to device groups in three ways:

Through the Device Group Assignment page

Through the device Assignment page

Through the Devices home page, if the device group is a baseline group

To assign devices to device groups through the Assignment page, do the following:


Step 1 Choose Devices > Devices, and click the Edit icon next to the device you want to assign.

Step 2 Click Show All, and then choose Assignments > Device Groups. The Device Group Table page is displayed with all of the configured device groups listed (Figure 4-7).


Note From this point forward, the beginning steps in the procedures are combined into one step using notation similar to the following: Devices > Devices > Assignments > Device Groups.


Figure 4-7 Assignment Page

Step 3 Click the Assign icon (blue cross mark) next to the device group you want to assign to this SE. Alternatively, click the Assign All Device Groups icon in the task bar.

A green arrow wrapped around the blue X indicates a device group assignment that is ready to be submitted. To cancel that pending assignment, click the icon again. The assignment states are described in Figure 4-8.

Figure 4-8 SE Assignment State

Step 4 Click Submit to save the settings.

A green circle with a check mark indicates a device group is assigned to this SE. To unassign the device group, click this icon, or click the Remove All Device Groups icon in the task bar. Click Submit to save the changes.

Additionally, the Filter Table icon and View All Device Groups icon allow you to first filter a table and then view all device groups again.


Configuring Bandwidth for Replication and Ingest

The bandwidth used for replication and ingest is determined by the settings in the Default Bandwidth and the Scheduled Bandwidth pages. The replication configuration pages consist of the following:

Default Bandwidth

Scheduled Bandwidth

Table 4-7 describes the icons on the replication bandwidth configuration pages.

Table 4-7 Replication Bandwidth Configuration Icons

Icon
Function

Refreshes the table or page.

Displays a graph.

Applies the default settings to the device.

Creates a new item.

Creates a filtered table. Filter the scheduled bandwidth by start time, end time, days of the week, and bandwidth type.

Views all scheduled bandwidth. Click this icon to view all schedule bandwidths after you have created a filtered table.

Prints the current window.

Edits a scheduled bandwidth. Click this icon next to one of the scheduled bandwidths to edit the settings.

Deletes a scheduled bandwidth. To delete a scheduled bandwidth, click the Edit icon and then click this icon.


Default Bandwidth

The default bandwidth settings can be configured for acquisition (ingest) and distribution (replication) of content. The default settings are used unless a scheduled bandwidth is configured for a specified time period.

To set the default bandwidth for replication, do the following:


Step 1 Choose Devices > Devices > Replication > Default Bandwidth. The Replication Default Bandwidth page is displayed (Figure 4-9).

Figure 4-9 Replication Default Bandwidth Page

Step 2 Enter the settings as appropriate. See Table 4-8 for a description of the fields.

Table 4-8 Replication Default Bandwidth Fields

Field
Description

Acquisition-in Bandwidth

Bandwidth used for ingesting content when this SE is acting as the Content Acquirer.

The default is 1,000,000 kbps (kilobits per second).

Distribution-in Bandwidth

Bandwidth used for incoming content that is sent by a forwarding SE as part of the distribution process.

The default is 1,000,000 kbps.

Distribution-out Bandwidth

Bandwidth used for outgoing content that is sent to a downstream SE as part of the distribution process.

The default is 500,000 kbps.


Step 3 Click Submit to save the settings.


For information on the task bar icons, see Table 4-7.

Bandwidth Graph

To view a graphical representation of the bandwidth settings, click the Display Graph icon in the task bar. The Acquisition and Distribution Bandwidth graph is displayed in a new window.

The vertical axis of the graph represents the amount of bandwidth in Kbps (kilobits per second) and the horizontal axis represents the days of the week. The scale shown on the vertical axis is determined dynamically based on the bandwidth rate for a particular type of bandwidth and is incremented appropriately. The scale shown on the horizontal axis for each day is incremented for each hour. Each type of bandwidth is represented by a unique color. A legend at the bottom of the graph maps the colors to the corresponding bandwidths.

You can change the graph view by choosing the different options, as described in Table 4-9.

Table 4-9 Acquisition and Distribution Bandwidth Graph—Viewing Options 

Option
Description

Distribution In

Bandwidth settings for incoming content distribution traffic. The default is 1,000,000.

Distribution Out

Bandwidth settings for outgoing content distribution traffic. The default is 500,000.

Acquisition In

Bandwidth settings for incoming content acquisition traffic. The default is 1,000,000.

All Servers

A consolidated view of all configured bandwidth types. This is the default.

Show Detailed Bandwidth/Show Effective Bandwidth

Toggles between the two options:

Show Detailed Bandwidth—Displays detailed bandwidth settings for the SE and its associated device groups. The bandwidth settings of the device and device groups are shown in different colors for easy identification.

Show Effective Bandwidth—Displays the composite (aggregate) bandwidth settings for the SE and its associated device groups.

Show Aggregate View/Show Non-Aggregate View

Toggles between the two options:

Show Aggregate View—Displays the bandwidth settings configured for the corresponding device groups.

Show Non-Aggregate View—Displays the bandwidth settings configured for the SE.

Sun, Mon, Tues, Wed, Thurs, Fri, Sat

Displays the bandwidth settings for the corresponding day of the week.

Full Week

Displays the bandwidth settings for the entire week. This is the default view and is combined with the All Servers view.


Scheduled Bandwidth

Scheduled Bandwidth settings take precedence over Default Bandwidth settings.

To configure a bandwidth schedule, do the following:


Step 1 Choose Devices > Devices > Replication > Scheduled Bandwidth. The Replication Scheduled Bandwidth Table page is displayed (Figure 4-10).

The table is sortable by clicking the column headings.

Figure 4-10 Replication Scheduled Bandwidth Table Page

For information about Aggregate Settings, see the "Aggregate Settings" section.


Note In Release 2.5.1, 2.5.3, 2.5.7, and 2.5.9, configuring Replication Bandwidth Scheduling is only supported on a per SE-basis; Device Group configuration of Replication Bandwidth Scheduling is not supported.


Step 2 Click the Create New icon in the task bar. The Replication Scheduled Bandwidth page is displayed (Figure 4-11).

To edit a scheduled bandwidth, click the Edit icon next to the scheduled bandwidth you want to edit.

Figure 4-11 Replication Scheduled Bandwidth Page

Step 3 Enter the settings as appropriate. See Table 4-10 for a description of the fields.

Table 4-10 Replication Scheduled Bandwidth Fields 

Field
Description

Bandwidth Type

Distribution-in—For incoming content distribution traffic from SEs.

Distribution-out—For outgoing content distribution traffic to SEs.

Acquisition-in—For incoming content acquisition traffic from origin servers.

Bandwidth Rate

Maximum amount of bandwidth that you want to allow (in kbps).

Start Time

Time of day for the bandwidth setting to begin, using a 24-hour clock in local time (hh:mm).

End Time

Time of day for the bandwidth setting to end (hh:mm).

Day Selection

Days on which bandwidth settings apply.

Full Week—Specifies that the allowable bandwidth settings are applied for an entire week.

Sun, Mon, Tue, Wed, Thu, Fri, and Sat—Specifies individual days of the week on which the allowable bandwidth settings take effect.


Step 4 Click Submit to save the settings.


For information on the task bar icons, see Table 4-7.
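The two pages above define a precedence rule: a Scheduled Bandwidth entry overrides the Default Bandwidth for its bandwidth type during its window and on its selected days, and the bandwidth graph's Show Effective Bandwidth view is the result of applying that rule across the week. The following is an added example (not Cisco's code) that models the rule with the field names and defaults from Table 4-8 and Table 4-10. Two points are this example's assumptions, because the page does not state them: the End Time is treated as exclusive and a window may not wrap past midnight (split it into two entries), and when two entries of the same type overlap, the lower rate is taken as the effective one. The SCHEDULES configuration at the bottom is constructed.

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, Iterable, List

DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
FULL_WEEK: FrozenSet[str] = frozenset(DAYS)

# Factory defaults from Table 4-8, in kbps.
DEFAULT_KBPS: Dict[str, int] = {
    "acquisition-in": 1_000_000,
    "distribution-in": 1_000_000,
    "distribution-out": 500_000,
}


def parse_hhmm(text: str) -> time:
    """Parse the page's hh:mm 24-hour local-time format."""
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


@dataclass(frozen=True)
class ScheduledBandwidth:
    bw_type: str            # Bandwidth Type field
    rate_kbps: int          # Bandwidth Rate field
    start: time             # Start Time (inclusive)
    end: time               # End Time (exclusive; this example's assumption)
    days: FrozenSet[str]    # Day Selection; FULL_WEEK for "Full Week"

    def __post_init__(self) -> None:
        if self.bw_type not in DEFAULT_KBPS:
            raise ValueError(f"unknown bandwidth type {self.bw_type!r}")
        if self.rate_kbps <= 0:
            raise ValueError("bandwidth rate must be positive")
        # Assumption: a window does not wrap past midnight. Enter an overnight
        # window as two entries (e.g. 22:00-24:00 is not expressible here;
        # use 22:00-23:59 and 00:00-06:00).
        if self.end <= self.start:
            raise ValueError("end time must be later than start time")
        if not self.days <= FULL_WEEK:
            raise ValueError(f"unknown day in {sorted(self.days)}")

    def covers(self, day: str, at: time) -> bool:
        return day in self.days and self.start <= at < self.end


def effective_kbps(bw_type: str, day: str, at: time,
                   schedules: Iterable[ScheduledBandwidth],
                   defaults: Dict[str, int] = DEFAULT_KBPS) -> int:
    """Scheduled Bandwidth takes precedence over Default Bandwidth.

    If several entries of the same type overlap at this instant, the most
    restrictive (lowest) rate is returned; that is this example's assumption.
    """
    matching = [s.rate_kbps for s in schedules
                if s.bw_type == bw_type and s.covers(day, at)]
    return min(matching) if matching else defaults[bw_type]


def weekly_profile(bw_type: str,
                   schedules: Iterable[ScheduledBandwidth]) -> Dict[str, List[int]]:
    """Effective rate sampled at the top of each hour for every day: the data
    behind the Full Week / Show Effective Bandwidth graph view."""
    schedules = list(schedules)
    return {day: [effective_kbps(bw_type, day, time(hour), schedules)
                  for hour in range(24)] for day in DAYS}


# Constructed configuration: throttle distribution-out to 100 Mbps during the
# weekday evening peak and cap acquisition-in overnight every day.
SCHEDULES = [
    ScheduledBandwidth("distribution-out", 100_000, parse_hhmm("18:00"),
                       parse_hhmm("23:00"),
                       frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"})),
    ScheduledBandwidth("acquisition-in", 250_000, parse_hhmm("00:00"),
                       parse_hhmm("06:00"), FULL_WEEK),
]

if __name__ == "__main__":
    for day, hours in weekly_profile("distribution-out", SCHEDULES).items():
        print(day, hours)
```

Because the page leaves the overlap and end-time semantics unstated, verify them on the Replication Scheduled Bandwidth graph for your release before relying on a throttle that is supposed to protect a link during peak hours.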

Service Control

The Service Control pages provide settings for client request filtering, URL signing, and third-party QoS and conditional access policies. Additionally, transaction logs that monitor traffic are configured under the Service Control. Configuring service control consists of the following procedures:

Configuring Service Rules

Configuring ICAP

Configuring PCMM QoS Policy

Configuring URL Signing

Configuring the Authorization Service

Configuring Transaction Logs

Table 4-11 describes the icons for the Service Control pages.

Table 4-11 Service Control Icons

Icon
Function

Refreshes the table or page.

Applies the default settings to the device.

Creates a new item.

Creates a filtered table.

Views all data. Click this icon to view all data after you have created a filtered table.

Prints the current window.

Edits an item.

Deletes an item. To delete an item, click the Edit icon and then click this icon.


Configuring Service Rules


Note This is a licensed feature. Please ensure that you have purchased a Service Rule license for this advanced feature.


The Rules Template licensed feature provides a flexible mechanism to specify configurable caching requests by allowing these requests to be matched against an arbitrary number of parameters, with an arbitrary number of policies applied against the matches. You can specify a set of rules, each clearly identified by an action and a pattern. Subsequently, for every incoming request, if a pattern for a rule matches the given request, the corresponding action for that rule is taken.


Note The processing time on the SE is directly related to the number of service rules configured. Processing times increase with an increase in the total number of rules configured. If the SE processing time is greater than twice the datafeed poll rate, then the device goes offline until the processing is completed. You can avoid this by configuring a higher datafeed poll rate. The recommended datafeed poll rate for 750 service rules is 300 seconds. To configure the datafeed poll rate, see the "Configuring System Settings" section.


Configuring a service rule consists of the following tasks:

Enabling the service rules. (Only needs to be performed once.)

Configuring a pattern list and adding a pattern to it.

Associating an action with an existing pattern list.

There are three cases for service rules:

1. If only allow rules are configured, the implicit action is deny: a request that matches no allow rule is blocked.

2. If only deny rules are configured, the implicit action is allow: a request that matches no deny rule is allowed.

3. If both allow and deny rules are configured, the implicit action is allow.

For example, if a deny rule blocks all URL requests that match HTML, all other URL requests are implicitly allowed.

If an allow rule permits all URL requests that match WMV, all other URL requests are implicitly blocked.

If both of the above rules are configured, HTML URL requests are blocked, WMV URL requests are allowed explicitly, and all other URL requests are allowed implicitly.
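The three implicit cases, the domain regular-expression patterns of Table 4-12 (including the "$" anchor and case-insensitive matching), and the group-type AND/OR combination are easy to get wrong when reasoning about a rule set by hand. The following is an added example (not Cisco's code) that models them: it parses the two pattern-list forms whose syntax the page gives, rule pattern-list N domain REGEX and rule pattern-list N group-type {and | or}, and evaluates a request host against allow and block rules. The ActionRule objects, the "allow"/"block" names, and the precedence of a matching block over a matching allow are this example's assumptions; the page does not show the action syntax or state that precedence. The rule lines in LISTS use the page's own patterns; the hosts tested are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PatternList:
    number: int
    group_type: str = "or"                          # default is OR, per the page
    domain_regexps: List[str] = field(default_factory=list)

    def matches(self, host: str) -> bool:
        # Rule patterns are not case-sensitive, and a domain pattern is a
        # regular expression searched anywhere in the host unless anchored.
        results = [re.search(rx, host, re.IGNORECASE) is not None
                   for rx in self.domain_regexps]
        if not results:
            return False
        return all(results) if self.group_type == "and" else any(results)


def parse_pattern_lists(lines: List[str]) -> Dict[int, PatternList]:
    """Parse 'rule pattern-list N domain REGEX' and
    'rule pattern-list N group-type {and|or}' (the two forms the page spells out)."""
    lists: Dict[int, PatternList] = {}
    for raw in lines:
        parts = raw.split()
        if parts[:2] != ["rule", "pattern-list"] or len(parts) < 5:
            raise ValueError(f"unsupported rule line: {raw!r}")
        number, kind, value = int(parts[2]), parts[3], " ".join(parts[4:])
        pl = lists.setdefault(number, PatternList(number))
        if kind == "domain":
            re.compile(value)                 # reject a malformed regex early
            pl.domain_regexps.append(value)
        elif kind == "group-type" and value in ("and", "or"):
            pl.group_type = value
        else:
            raise ValueError(f"unsupported pattern type: {raw!r}")
    return lists


@dataclass(frozen=True)
class ActionRule:
    action: str          # "allow" or "block" (hypothetical names for this model)
    pattern_list: int


def decide(rules: List[ActionRule], lists: Dict[int, PatternList], host: str) -> str:
    """Apply the three implicit cases: allow-only -> implicit deny;
    block-only, or both -> implicit allow."""
    blocks = [r for r in rules if r.action == "block"]
    allows = [r for r in rules if r.action == "allow"]
    if any(lists[r.pattern_list].matches(host) for r in blocks):
        return "block"      # assumption: an explicit block wins over an allow
    if any(lists[r.pattern_list].matches(host) for r in allows):
        return "allow"
    return "block" if allows and not blocks else "allow"


# Constructed rule set built from the page's own example patterns.
LISTS = parse_pattern_lists([
    "rule pattern-list 72 domain yahoo.com",        # page example: unanchored, dot unescaped
    r"rule pattern-list 1 domain \.foo\.com$",       # anchored form from Table 4-12
    "rule pattern-list 1 domain .*ibm.*",
    "rule pattern-list 1 group-type or",
])
ALLOW_ONLY = [ActionRule("allow", 72)]
BLOCK_ONLY = [ActionRule("block", 1)]
BOTH = ALLOW_ONLY + BLOCK_ONLY

if __name__ == "__main__":
    for host in ("www.yahoo.com", "cdn.foo.com", "foo.com.attacker.example",
                 "www.yahoo-com.attacker.example"):
        print(host, decide(ALLOW_ONLY, LISTS, host),
              decide(BLOCK_ONLY, LISTS, host), decide(BOTH, LISTS, host))
```

Note what the page's "72 domain yahoo.com" example actually does: because the pattern is a regular expression, the unescaped dot matches any character and nothing anchors the end, so the host www.yahoo-com.attacker.example matches list 72 and is allowed. Write domain patterns the way the table's second example does, escaping dots and anchoring with "$", whenever the rule is doing access control rather than just steering caching.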

To configure or edit service rule settings, do the following:


Step 1 Choose Devices > Devices > Service Control > Enable Rules. The Enable Service Rules page is displayed.

Step 2 Check the Enable check box to enable the use of rule settings.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

Step 4 Choose Devices > Devices > Service Control > Service Rules. The Service Rules Table page is displayed.

The table is sortable by clicking the column headings.

For information about Aggregate Settings, see the "Aggregate Settings" section.

Step 5 Click the Create New icon in the task bar. The Service Rules page is displayed (Figure 4-12).

To edit a service rule, click the Edit icon next to the service rule you want to edit.

Figure 4-12 Service Rules Page

Step 6 Create a pattern list and add a pattern to it.

a. From the Rule Type drop-down list, choose pattern-list.

b. In the Rule Parameters field, configure the pattern list number and the pattern type, following the rules usage guidelines shown on the Service Rules page. See Table 4-12 for a description of pattern types. The rule patterns are not case-sensitive.

For example, to create pattern list number 72 with the pattern type domain and the yahoo.com domain as the domain to be acted on, enter 72 domain yahoo.com in the Rule Parameters field.

Table 4-12 Service Rules Pattern Types 

Pattern Type
Description
Syntax

domain

Matches the domain name in the URL or the host header against a regular expression. For example, ".*ibm.*" matches any domain name that contains the "ibm" substring. "\.foo\.com$" matches any domain name that ends with the ".foo.com" substring.

In regular expression syntax, the dollar sign ($) metacharacter directs that a match is made only when the pattern is found at the end of a line.

rule pattern-list list_num domain dn_regexp

group-type

Patterns can be combined by using the AND or OR function with the group-type pattern (for example, rule pattern-list 1 group-type and). The default is OR.

rule pattern-list list-num group-type {and | or}

header-field

Request header field pattern.

Request header field patterns referer, request-line, and user-agent are supported for the allow, block, and redirect actions. The referer pattern is matched against the Referer header in the request, the request-line pattern is matched against the first line of the request, and the user-agent pattern is matched against the User-Agent header in the request. The user-agent pattern is not case sensitive.

Note Flash Media Streaming supports the referer header field pattern for the allow and block actions.

rule pattern-list list_num header-field {referer ref_regexp | request-line req_regexp | user-agent ua_regexp}

src-ip

Matches the source IP address and netmask of the request.

rule pattern-list list_num src-ip s_ipaddress s_subnet

url-regex

Matches the URL against a regular expression. The match is not case sensitive.

rule pattern-list list_num url-regex url_regexp

url-regsub

For the rewrite and redirect actions, matches the URL against a regular expression to form a new URL in accordance with the pattern substitution specification. The match is not case sensitive. The valid substitution index range is from 1 to 9.

Note For HTTP client requests for Windows Media Streaming live programs, an ASX file is created automatically; therefore, if you use the url-regsub pattern list to rewrite the filename from an .asf file extension to an .asx file extension, the SE is not able to find the file and returns a 404 error message.

Note In Release 2.5.7 and later releases, only one url-regsub pattern list is supported. Multiple substitutions for the same pattern list are not supported.

rule pattern-list list_num url-regsub url_regexp url_sub



Note A domain pattern list matching an SE IP address is not supported when IP-based redirection is enabled on the Service Router. See the "Configuring the Service Router" section for more information about IP-based redirection. Flash Media Streaming bypasses the rules configuration if the request is from another SE.


Step 7 Click Submit to save the settings.

The maximum number of pattern lists allowed is 128.

Step 8 Associate an action with an existing pattern list.

a. Choose an action type from the Rule Type drop-down list. See Table 4-13 for a description of rule actions.

b. In the Rule Parameters field, enter the list number of the pattern list that you want to associate with this action.

For example, if you want to block access by any protocol to yahoo.com, then choose block from the Rule Type drop-down list, and enter pattern-list 72 protocol all in the Rule Parameters field.


Note Movie Streamer and Flash Media Streaming support URL signing. Flash Media Streaming only supports the following actions: allow, block, and validate-url-signature.



Note In Release 2.5.7 and later releases, for the Web Engine, the Service Rule file must be used if service rules are to be configured. See the "Creating Service Rule Files" for more information.


Table 4-13 Service Rule Actions 

Action Type
Description
Syntax

allow

Allows incoming requests that match the pattern list.

This rule action can be used in combination with block actions to allow selective types of requests. The allow action does not carry any meaning as a standalone action.

rule action allow pattern-list list_num [protocol {all | http | rtmp | rtsp}]

block

Blocks this request and allows all others.

rule action block pattern-list list_num [protocol {all | http | rtmp | rtsp}]

generate-url-signature

Generates the URL signatures in the Windows Media metafile response associated with prefetched content, based on the SE configuration for the URL signature and this rule action.

rule action generate-url-signature [include-client-src-ip] key-id-owner owner_num key-id-number id_num pattern-list list_num [protocol {all | http}]

no-cache

Does not cache this object.

rule action no-cache pattern-list list_num [protocol {all | http | rtmp | rtsp}]

redirect

Redirects the original request to a specified URL. Redirect is relevant to the RADIUS server only if the RADIUS server has been configured for redirect.

rule action redirect url pattern-list list_num [protocol {all | http | rtmp | rtsp}]

refresh

For a cache hit, forces an object freshness check with the server.

rule action refresh pattern-list list_num [protocol {all | http}]

replace

Replace the text string in the object.

rule action replace string_to_find string_to_replace pattern-list list_num [protocol {all | http | rtmp | rtsp}]

rewrite

Rewrites the original request as a specified URL.

rule action rewrite pattern-list list_num [protocol {all | http | rtmp | rtsp}]

use-icap-service

Applies ICAP processing and uses a specific ICAP service only for those requests that match this Rules Template action.

An ICAP service is a collection of attributes that defines the type of modification to be performed on HTTP requests and responses. If this action is configured, you can allow requests and responses to be processed by ICAP servers for content adaptation.

Note This service rule action is not supported in Release 2.5.7 and later releases.

rule action use-icap-service service-name pattern-list list_num [protocol {all | http}]

validate-url-signature

Validates the URL signature for a request using the configuration on your SE for the URL signature and allows the request processing to proceed for this request.

The error-redirect-url keyword redirects requests that failed validation to a specified URL. The error-redirect-url keyword is only supported for HTTP URLs.

The exclude keyword excludes the client IP address, the content expiry time, domain, or both the client IP address and expiry time from the URL signature validation, and redirects requests that failed validation to a specified URL.

The exclude client-ip keywords instruct the SE to ignore the client's IP address when processing the validation of the signed URL. The command could be configured as rule action validate-url-signature exclude client-ip error-redirect-url aa pattern-list 1 protocol all.

The exclude expiry-time keywords instruct the SE to ignore the expiry time that normally limits access to the content when the expiry time has occurred. The command could be configured as rule action validate-url-signature exclude expiry-time error-redirect-url pattern-list 1 protocol all.

The exclude domain-name keyword instructs the SEs to ignore the domain in the URL when processing the validation of the signed URL. The command could be configured as rule action validate-url-signature exclude domain-name error-redirect-url pattern-list 1 protocol all.

The exclude all keywords instruct the SE to ignore both the client IP address and the content expiration time when processing the validation of the signed URL. The command could be configured as rule action validate-url-signature exclude all error-redirect-url aa pattern-list 1 protocol all.

rule action validate-url-signature {error-redirect-url url | exclude {all error-redirect-url url | client-ip error-redirect-url url | expiry-time error-redirect-url url | domain-name error-redirect-url url} pattern-list list_num [protocol {all | http | rtmp | rtsp}]}


Step 9 Click Submit to save the settings.


Execution Order of Rule Actions

The order in which the rule actions are executed is different between the Web Engine and the other protocol engines (Windows Media Streaming, Movie Streamer, and Flash Media Streaming).


Note In Release 2.5.7 and later releases, for the Web Engine, the Service Rule file must be used if service rules are to be configured. See the "Creating Service Rule Files" for more information.



Note When configuring service rules, you must configure the same service rules on all SEs participating in a delivery service in order for the service rules to be fully implemented. The rule action must be common for all client requests because the SR may redirect a client request to any SE in a delivery service depending on threshold conditions.


Web Engine Rule Action Order

The order in which the rule actions are executed for the Web Engine in Release 2.5.1 and 2.5.3 is as follows:

1. redirect (before cache lookup)

2. block or allow


Note The allow and block actions carry the same precedence. The order of execution depends on the order of configuration between allow and block actions. Other actions always take precedence over allow.


3. rewrite (before cache lookup)

4. use-icap-service

5. generate-url-signature

6. validate-url-signature

7. refresh (after cache lookup, in the case of cache hit)

8. no-cache

For Release 2.5.7 and later releases, the Web Engine uses the Service Rule XML file. For more information, see "Creating Service Rule Files."

All Other Protocol Engine Rule Action Order

The order in which the rule actions are executed for the other protocol engines is the order in which they were configured, except for the validate-url-signature action. If the rule pattern associated with the validate-url-signature action is matched, the validate-url-signature action is performed before any other action, regardless of the order in which the rules were configured.

1. validate-url-signature

2. block or allow


Note The allow and block actions carry the same precedence. The order of execution depends on the order of configuration between allow and block actions. Other actions always take precedence over allow.


3. redirect (before cache lookup)

4. rewrite (before cache lookup)
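
The three implicit allow/deny cases, the pattern-list syntax of Table 4-12 (domain, url-regex, src-ip, group-type, url-regsub), the action syntax of Table 4-13 and the "first configured match wins" rule for allow and block described above, as an added example. This is not Cisco's implementation; it is a small interpreter written for this page that models the documented semantics so they can be tried offline. The rule lines and requests are constructed (list 72 follows the Step 6 example and adds a src-ip pattern joined with group-type and; lists 10, 20 and 30 are made up), and the `RuleEngine`, `PatternList` and `make_request` names are this example's own.

```python
"""Interpreter for the service-rule syntax of Tables 4-12 and 4-13.

Added example, not Cisco's implementation: it models the documented semantics
(pattern lists combined with group-type and/or, allow and block with the three
implicit allow/deny cases, first configured match wins, url-regsub rewrites).
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class PatternList:
    group_type: str = "or"                        # Table 4-12: the default is OR
    patterns: list = field(default_factory=list)  # (pattern type, value) pairs
    regsub: tuple = None                          # (url_regexp, url_sub) for rewrite

    def matches(self, req):
        results = []
        for ptype, value in self.patterns:
            if ptype == "domain":        # domain / host header, case-insensitive
                results.append(re.search(value, req["host"], re.I) is not None)
            elif ptype == "url-regex":   # whole URL, case-insensitive
                results.append(re.search(value, req["url"], re.I) is not None)
            elif ptype == "src-ip":      # client address against "address/netmask"
                net = ipaddress.ip_network(value, strict=False)
                results.append(ipaddress.ip_address(req["src_ip"]) in net)
        if self.regsub:                  # url-regsub both matches and substitutes
            results.append(re.search(self.regsub[0], req["url"], re.I) is not None)
        if not results:
            return False
        return all(results) if self.group_type == "and" else any(results)


class RuleEngine:
    def __init__(self):
        self.lists = {}
        self.actions = []                # kept in configuration order

    def configure(self, line):
        tok = line.split()
        if tok[:2] == ["rule", "pattern-list"]:
            pl = self.lists.setdefault(int(tok[2]), PatternList())
            if tok[3] == "group-type":
                pl.group_type = tok[4]
            elif tok[3] == "src-ip":     # rule pattern-list N src-ip s_ipaddress s_subnet
                pl.patterns.append(("src-ip", f"{tok[4]}/{tok[5]}"))
            elif tok[3] == "url-regsub": # rule pattern-list N url-regsub url_regexp url_sub
                pl.regsub = (tok[4], tok[5])
            else:                        # domain or url-regex
                pl.patterns.append((tok[3], tok[4]))
        elif tok[:2] == ["rule", "action"]:
            action = tok[2]
            arg = tok[3] if action == "redirect" else None       # redirect carries a URL
            rest = tok[4:] if action == "redirect" else tok[3:]  # pattern-list N [protocol P]
            proto = rest[3] if len(rest) > 3 and rest[2] == "protocol" else "all"
            self.actions.append((action, int(rest[1]), proto, arg))

    def evaluate(self, req):
        has_allow = any(a[0] == "allow" for a in self.actions)
        has_block = any(a[0] == "block" for a in self.actions)
        # Case 1 (allow rules only) is an implicit deny; cases 2 and 3 are implicit allow.
        verdict = "deny" if has_allow and not has_block else "allow"
        decided, url, redirect = False, req["url"], None
        for action, num, proto, arg in self.actions:
            pl = self.lists.get(num)
            if proto not in ("all", req["proto"]) or pl is None or not pl.matches(req):
                continue
            if action in ("allow", "block"):
                if not decided:          # same precedence: first configured match wins
                    verdict, decided = ("allow" if action == "allow" else "deny"), True
            elif action == "rewrite" and pl.regsub:
                url = re.sub(pl.regsub[0], pl.regsub[1], url, count=1, flags=re.I)
            elif action == "redirect":
                redirect = arg
        return {"verdict": verdict, "url": url, "redirect": redirect}


def make_request(url, src_ip="192.0.2.10", proto="http"):
    return {"url": url, "host": urlsplit(url).hostname or "", "src_ip": src_ip, "proto": proto}


# Constructed configuration in the documented CLI syntax. List 72 extends the
# Step 6 example (domain yahoo.com) with a src-ip pattern joined by group-type and.
DEMO_RULES = [
    r"rule pattern-list 72 domain yahoo.com",
    r"rule pattern-list 72 src-ip 10.1.0.0 255.255.0.0",
    r"rule pattern-list 72 group-type and",
    r"rule action block pattern-list 72 protocol all",
    r"rule pattern-list 10 url-regex \.html$",
    r"rule action block pattern-list 10 protocol http",
    r"rule pattern-list 20 url-regex \.wmv$",
    r"rule action allow pattern-list 20 protocol all",
    r"rule pattern-list 30 url-regsub ^(http://[^/]+)/old/(.*)$ \1/new/\2",
    r"rule action rewrite pattern-list 30 protocol http",
]


def build_demo_engine(rules=DEMO_RULES):
    engine = RuleEngine()
    for line in rules:
        engine.configure(line)
    return engine
```

With `DEMO_RULES` loaded, a request for a .wmv file on yahoo.com from 10.1.5.5 is denied by list 72, the same request from 192.0.2.10 does not satisfy the AND group and is allowed by list 20, an HTML request over HTTP is denied by list 10 while the same path over RTSP is not (the block action is limited to protocol http), and a request under /old/ is rewritten to /new/. Loading only the list 20 allow rule reproduces case 1: every request that is not a .wmv file is implicitly denied.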

Configuring ICAP

The Internet Content Adaptation Protocol (ICAP) is an open-standards protocol that can be used for content adaptation. Content adaptation includes content translation, content filtering, and content insertion. ICAP specifies how the SE, acting as an HTTP proxy server, can communicate with an external server, which filters and adapts the requested content. This allows you to set up interoperability with Camiant PCMM-compliant third-party policy servers to allocate guaranteed bandwidth for authorized requests of content.


Note ICAP is not supported in Release 2.5.7 and later releases, therefore the associated CDSM GUI pages are not displayed.


ICAP provides two content-processing modes for HTTP services. These modes define the transactions that can occur between an SE acting as an ICAP client and the external ICAP server. The two modes are as follows:

Request modification (reqmod)—Allows modification of requests as they are sent from the SE to the ICAP server on their way to the origin server. The ICAP server can modify these requests depending on the content requested.

Response modification (respmod)—Allows modification of the requested objects after they return from the origin server. The ICAP server acts on a requested object only after it has returned from the origin server.

An ICAP service is a collection of attributes that define the service and one or more ICAP servers that provide the ICAP services. You can configure a maximum of ten ICAP services per Content Engine, with an upper limit of five ICAP servers per ICAP service. Also, you can choose to apply ICAP services on all HTTP requests processed by the Content Engine or apply ICAP processing only to requests that match the Rules Template.


Caution The maximum file size supported is 2 GB. Files that exceed this size limit are not supported for ICAP processing.

To configure ICAP settings, do the following:


Step 1 Choose Devices > Devices > Service Control > ICAP. The ICAP page is displayed (Figure 4-13).

Figure 4-13 ICAP Page

Step 2 Check the Enable apply to rules-template check box, if you want to apply ICAP processing only to the requests that match the use-icap-service rule from the Service Rules page.

Step 3 Check the Append X-Client-IP headers check box to add an X-client-IP header for ICAP processing of HTTP requests.

Step 4 Check the Append X-Server-IP headers check box to add an X-server-IP header for ICAP processing.

Step 5 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

Step 6 Choose Devices > Devices > Service Control > ICAP Services. The ICAP Services Table is displayed.

The table is sortable by clicking the column headings.

For information about Aggregate Settings, see the "Aggregate Settings" section.

Step 7 Click the Create New icon in the task bar. The ICAP Services page is displayed (Figure 4-14).

To edit the ICAP service, click the Edit icon next to the ICAP service you want to edit.

Figure 4-14 ICAP Services Page

Step 8 In the Name field, enter a name for the ICAP service.

Step 9 Check the Enable check box to enable ICAP service.

Step 10 From the Error Handling drop-down list, choose the type of error-handling mechanism for ICAP processing. To bypass this ICAP service, choose Bypass. Otherwise, choose Return Error if you want errors to be returned for client requests. These errors are also entered in the transaction log to show the status of the action performed by the ICAP services.

Step 11 Click Submit to save the settings and to continue to configure an ICAP server.

Step 12 From the ICAP Services Table page, click the Edit icon next to the ICAP server you want to edit.

Step 13 Click the Create New icon in the ICAP servers area of the page. The ICAP Server page is displayed (Figure 4-15).

To edit an existing ICAP server, click the Edit icon next to the ICAP server.

Figure 4-15 ICAP Server Page

Step 14 Enter the settings as appropriate. See Table 4-14 for a description of the fields.

Table 4-14 ICAP Server Fields

Field
Description

Server Host

Hostname or IP address of the ICAP server.

Server Port

Port number on which the ICAP server is to be configured to process HTTP requests. The default port number is 1344. If no port number is specified, the default is used.

Server Service Name

Path to the ICAP server configured on the SE. Use the URL format:

icap://ICAPserverIPaddress:port/service-name.

The service name entered here must be supported by the ICAP vendor.


Step 15 Click Submit to save the settings.
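
The two ICAP modes described at the start of this section and the server settings of Table 4-14 (the icap://host:port/service-name URL, the default port 1344) and the X-Client-IP / X-Server-IP headers of Steps 3 and 4, as an added example. This is not code from the SE; it builds the REQMOD and RESPMOD messages an ICAP client sends, following the RFC 3507 message layout (ICAP headers, an Encapsulated header giving byte offsets of the embedded HTTP sections, and a chunked body for RESPMOD), and parses the status line of an ICAP reply. The `build_reqmod`, `build_respmod` and `parse_icap_response` names, hosts, addresses and messages are all constructed for this page.

```python
"""ICAP REQMOD / RESPMOD message construction and reply parsing (RFC 3507 layout).

Added example, not code from the CDS: it shows what an ICAP client such as the
SE sends to icap://host:1344/service-name in each mode, including the optional
X-Client-IP and X-Server-IP headers. Hosts, addresses and messages are constructed.
"""
from urllib.parse import urlsplit

CRLF = "\r\n"


def _section(lines):
    """An encapsulated HTTP header block: lines joined with CRLF plus the blank line."""
    return CRLF.join(lines) + CRLF + CRLF


def _icap_headers(method, service_url, encapsulated, client_ip=None, server_ip=None):
    parts = urlsplit(service_url)        # icap://ICAPserverIPaddress:port/service-name
    lines = [f"{method} {service_url} ICAP/1.0",
             f"Host: {parts.hostname}:{parts.port or 1344}"]   # 1344 is the ICAP default
    if client_ip:
        lines.append(f"X-Client-IP: {client_ip}")
    if server_ip:
        lines.append(f"X-Server-IP: {server_ip}")
    lines.append(f"Encapsulated: {encapsulated}")
    return _section(lines)


def build_reqmod(service_url, http_request_lines, client_ip=None):
    """Request modification: only the client's HTTP request headers are encapsulated."""
    req_hdr = _section(http_request_lines)
    enc = f"req-hdr=0, null-body={len(req_hdr)}"     # offsets are bytes into the payload
    return (_icap_headers("REQMOD", service_url, enc, client_ip) + req_hdr).encode()


def build_respmod(service_url, http_request_lines, http_response_lines, body=b"",
                  client_ip=None, server_ip=None):
    """Response modification: the origin server's response headers (and body, sent
    as one HTTP chunk) follow the original request headers in the payload."""
    req_hdr = _section(http_request_lines)
    res_hdr = _section(http_response_lines)
    offset = len(req_hdr) + len(res_hdr)
    if body:
        enc = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={offset}"
        chunked = f"{len(body):x}{CRLF}".encode() + body + f"{CRLF}0{CRLF}{CRLF}".encode()
    else:
        enc = f"req-hdr=0, res-hdr={len(req_hdr)}, null-body={offset}"
        chunked = b""
    head = _icap_headers("RESPMOD", service_url, enc, client_ip, server_ip)
    return (head + req_hdr + res_hdr).encode() + chunked


def parse_icap_response(raw):
    """Return (status code, lower-cased header dict) from an ICAP reply.
    204 means the server left the encapsulated message unmodified."""
    head, _, _ = raw.decode("iso-8859-1").partition(CRLF + CRLF)
    status_line, *header_lines = head.split(CRLF)
    fields = status_line.split(" ", 2)
    if fields[0] != "ICAP/1.0" or len(fields) < 2:
        raise ValueError("not an ICAP/1.0 status line")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(fields[1]), headers
```

The Encapsulated offsets are what an ICAP server uses to find the HTTP request, response and body inside the payload, so a client that gets them wrong has its messages rejected; the test below checks that the byte at each declared offset is the start of the section it names.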


Configuring PCMM QoS Policy

The SE can interoperate with Camiant PCMM-compliant third-party policy servers to allocate guaranteed bandwidth for requests from authenticated clients.


Note PCMM is not supported in Release 2.5.7 and later releases, therefore the associated CDSM GUI pages are not displayed.



Note This is a licensed feature. Please ensure you have purchased a PCMM license for this advanced feature. To use this license-enabled feature, you must have a Camiant PCMM-compliant policy server in your network and it must be configured as an ICAP server. See the "Configuring ICAP" section for more information.


To configure a PCMM QoS Policy, do the following:


Step 1 Choose Devices > Devices > Service Control > PCMM QoS Policy. The PCMM QoS Policy page is displayed (Figure 4-16).

Figure 4-16 PCMM QoS Policy Page

Step 2 Check the Enable check box to enable policy server settings for the device.

Step 3 Check the Set Config File or URL check box to specify the configuration file for the HTTP callout to the policy server.

The configuration file is an XML file that contains information on the callout URLs, attributes, application type, protocol, and so on.

Step 4 In the Config File or URL field, enter the URL from which the SE can download the configuration file. This field supports only URLs that use HTTP, HTTPS, or FTP.

Step 5 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.


Configuring URL Signing

URL signature keys are word values that ensure URL-level security. The URL signature key is a shared secret between the device that assigns the key and the device that decrypts the key. Based on your network settings, either the SE itself or some other external device can assign the signature key to the URL, but the SE decrypts the URL signature key.

The CDS uses a combination of key owners, key ID numbers, and a word value to generate URL signature keys. You can have a maximum of 32 key owners. Each key owner can have up to 16 key ID numbers.

To create request-specific URL signature keys, you can choose to append the IP address of the client that has made the request to the URL signature key.

To create a URL signature key, do the following:


Step 1 Choose Devices > Devices > Service Control > URL Signing. The URL Signing Table page is displayed.

The table is sortable by clicking the column headings.

For information about Aggregate Settings, see the "Aggregate Settings" section.

Step 2 Click the Create New icon in the task bar. The URL Signing page is displayed.

To edit the URL signature, click the Edit icon next to the URL Signature Key ID owner you want to edit.

Step 3 Enter the settings as appropriate. See Table 4-15 for a description of the fields.

Table 4-15 URL Signature Key Settings

Field
Description

Cryptographic Algorithm

Choose either Symmetric Key or Asymmetric Key. For more information, see the "URL Signing and Validating" section.

Key ID Owner

Specify the ID number for the owner of this encryption key. Valid entries are from 1 to 32.

Key ID

Specify the encryption key ID number. Valid entries are from 1 to 16.

Key

Field for Symmetric Key only. Enter a unique URL signature key with up to 16 characters (excluding double quotes at the beginning and end of the string). This field accepts only 7-bit printable ASCII characters (alphabetic, numerics, and others) and does not support a space or the following special characters: pipe (|), question mark (?), double quotes ("), and apostrophe ('). The following special characters are allowed: {}!#$%&()*+,-./;:<=>@\~^[]_

Quoted and unquoted strings are allowed. Double quotes (") are allowed at the beginning and end of the string only. If you do not surround the key string with double quotes, quotes are added when you click Submit.

Public Key URL

Field for Asymmetric Key only. The location of the public key file. Only HTTP, HTTPS, or FTP addresses are supported. The public/private key pair is stored in Privacy Enhanced Mail (PEM) format.

Private Key URL

Field for Asymmetric Key only. The location of the private key file. Only HTTP, HTTPS, or FTP addresses are supported. The public/private key pair is stored in Privacy Enhanced Mail (PEM) format.

Symmetric Key

Field for Asymmetric Key only. A 16-byte Advanced Encryption Standard (AES) key used for AES encryption of the signed URL.


Step 4 Click Submit to save the settings.

For information on the URL signing mechanism, see "URL Signing and Validation."
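
The shared-secret design of this section (a key identified by key ID owner and key ID, optionally bound to the requesting client's IP address) together with the exclude client-ip, expiry-time and all options of the validate-url-signature action in Table 4-13, as an added example. This is not Cisco's code and it does not reproduce the CDS signature format, which is documented in "URL Signing and Validating"; it uses an HMAC-SHA256 over the scheme, host, path and query parameters so that any change to the signed URL fails validation. The `KEY_STORE`, the koid/kid/exp/cip/sig parameter names, the `sign_url` and `validate_url` functions, and every key, URL, address and time are constructed for this page.

```python
"""Signed-URL model for the key owner / key ID design of this section.

Added example, not Cisco's code and not the CDS signature format: an HMAC-SHA256
signature covers the URL, the key ID owner, key ID and expiry time and, optionally,
the client IP address; validation honours the exclude client-ip / expiry-time /
all options of validate-url-signature. Keys, URLs, addresses and times are constructed.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed key store: (key ID owner 1-32, key ID 1-16) -> shared secret.
# Secrets are kept to 16 characters, the limit Table 4-15 gives for the Key field.
KEY_STORE = {
    (1, 1): b"example-secret01",
    (2, 3): b"another-secret02",
}


def _canonical(parts, params):
    """The string the signature covers: scheme, host, path and every query
    parameter except the signature itself, in a fixed order."""
    ordered = sorted((k, v) for k, v in params.items() if k != "sig")
    return f"{parts.scheme}://{parts.netloc}{parts.path}?{urlencode(ordered)}"


def _digest(secret, parts, params):
    return hmac.new(secret, _canonical(parts, params).encode(), hashlib.sha256).hexdigest()


def sign_url(url, owner, key_id, expiry, client_ip=None, keys=KEY_STORE):
    """Append owner, key ID, expiry, optional client IP and the signature to the URL."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    params.update({"koid": str(owner), "kid": str(key_id), "exp": str(expiry)})
    if client_ip is not None:            # like include-client-src-ip in Table 4-13
        params["cip"] = client_ip
    params["sig"] = _digest(keys[(owner, key_id)], parts, params)
    return urlunsplit(parts._replace(query=urlencode(params)))


def validate_url(url, client_ip, now, exclude=(), keys=KEY_STORE):
    """Return (accepted, reason). exclude may contain "client-ip", "expiry-time"
    or "all", mirroring the exclude keywords of validate-url-signature."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    try:
        key = (int(params["koid"]), int(params["kid"]))
        expiry, sig = int(params["exp"]), params["sig"]
    except (KeyError, ValueError):
        return False, "missing-signature"
    secret = keys.get(key)
    if secret is None:
        return False, "unknown-key"
    if not hmac.compare_digest(_digest(secret, parts, params), sig):
        return False, "bad-signature"    # any change to host, path or params shows here
    skip_ip = "all" in exclude or "client-ip" in exclude
    skip_expiry = "all" in exclude or "expiry-time" in exclude
    if not skip_ip and "cip" in params and params["cip"] != client_ip:
        return False, "client-ip-mismatch"
    if not skip_expiry and now > expiry:
        return False, "expired"
    return True, "ok"
```

The signature check runs before the client-IP and expiry checks, so an exclusion only relaxes which properties of an otherwise valid signature are enforced; a tampered URL or an unknown key owner/ID is refused regardless of the exclude setting.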


Service Rules for Directing Requests to a Policy Server

If your network is configured to work with Camiant PCMM-compliant third-party policy servers for servicing requests that require guaranteed bandwidth, you can use the following rule patterns and rule actions to filter the requests and to direct them to the policy server. The rule patterns and rule actions also enable you to generate URL signatures in the response for a valid request for a Windows Media metafile (.asx file extension), Movie Streamer file, or Flash Media Streaming file, and to validate the URL signature on incoming requests to the SE. For more information on creating service rules, see the "Configuring Service Rules" section.


Note PCMM and ICAP are only supported in Releases 2.5.1 and 2.5.3.


URL signature key authentication is implemented by using the generate-url-signature and validate-url-signature rule actions that can be applied to specific rule patterns.


Note Movie Streamer and Flash Media Streaming support URL signing. Flash Media Streaming only supports the following actions: allow, block, and validate-url-signature.


Table 4-16 lists the rule patterns that support the use-icap-service rule action for directing requests that require guaranteed bandwidth to the third-party policy server:

Table 4-16 Rule Patterns Supported for use-icap-service

Rule Pattern
Description

url-regex

Filters the request based on any regular expression in the URL.

domain

Filters the request based on the domain name specified.

src-ip

Filters the request based on the IP address of the source.

header-field user-agent

Filters the request based on the user agent specified in the request header.

header-field referer

Filters the request based on the referer in the request header.

header-field request-line

Filters the request based on the request line in the request header.


You can set the use-icap-service rule action for any of the rule patterns above. If the request matches the parameters that you have set for the rule pattern, then the SE redirects the request to the third-party policy server using ICAP services. However, you must make sure that your network is configured to interoperate with the third-party policy server using ICAP services. You can set up the necessary ICAP configurations from the ICAP Services page. See the "Configuring ICAP" section.

You can also use the rule pattern and rule action to generate URL signatures in the response for a valid request for a Windows Media metafile. You can use the following rule patterns to filter out requests for which you want to generate a URL signature key:

Rule Pattern
Description

url-regex

Filters the request based on any regular expression in the URL.

domain

Filters the request based on the domain name specified.


For the rule patterns mentioned above, you can set the following rule actions:

Rule Action
Description

generate-url-signature

Generates the URL signatures in the Windows Media metafile response associated with pre-positioned content, based on the SE configuration for the URL signature and this rule action.

validate-url-signature

Validates the URL signature for a request by using the configuration on your SE for the URL signature and allows the request processing to proceed for this request.



Note When configuring service rules, you must configure the same service rules on all SEs participating in a delivery service for the service rules to be fully implemented. The rule action must be common for all client requests because the SR may redirect a client request to any SE in a delivery service depending on threshold conditions.


Configuring the Authorization Service

When Authorization Service is enabled, client requests are blocked if the request is for an unknown server or if the client's IP address or geographic location is not allowed to request content. The Authorization Service is enabled by default and includes both types of blocking.

The Authorization Service verifies that all client requests have a service routing fully qualified domain name (SRFQDN) or origin server FQDN (OFQDN) that is recognized as part of a delivery service. For more information about SRFQDNs and origin servers, see the "Content Origins" section. If you want to allow client requests for unknown hosts, check the Enable Unknown-Server Requests check box.


Note The string ".se." cannot be used in the SRFQDN and OFQDN.


To block client requests based on geographical location, the SE communicates with a Geo-Location server, which maps IP addresses to geographic locations. The Geo-Location server, which is the same Geo-Location server used for location-based routing on the SR, identifies the geographic location of a client request by the country, state, and city of the client. See the "Configuring Request Routing Settings" section. For more information about the Geo-Location servers, see the "Geo-Location Servers" section.

Each delivery service participating in the Authorization Service has an XML configuration file that contains information on the allowed client IP addresses and geographic locations and denied client IP addresses and geographic locations. The Authorization Service blocks client requests based on the XML configuration file uploaded for the delivery service.

The SE that receives the client request compares the client's information, as well as the URL string pattern, with the information configured for the delivery service and allows or denies the request. If the Authorization Service denies the request, the protocol engine receives the denied message and sends a request denied message to the client. For more information, see the "Authorization Service" section.

To enable the Authorization Service, do the following:


Step 1 Choose Devices > Devices > Service Control > Authorization Service. The Authorization Service page is displayed.

Step 2 To enable the Authorization Service, check the Enable Authorization check box.

The Authorization Service is enabled by default.

Step 3 In the Primary Address and associated Port fields, enter the IP address and port number of the primary Geo-Location Server.

Step 4 In the Secondary Address and associated Port fields, enter the IP address and port number of the secondary Geo-Location Server.

Step 5 To allow client requests for unknown hosts, while at the same time keeping the Authorization Service enabled, check the Enable Unknown-Server Requests check box.

Step 6 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.


Note Changing the primary or secondary Geo-Location server configuration requires a restart of the Authorization Service process for the configuration change to take effect. To restart the Authorization Service, disable it (uncheck the Enable authorization check box and click Submit) and then re-enable it (check the Enable authorization check box and click Submit).

If the primary Geo-Location server is shut down and a secondary Geo-location server is configured and is up, requests are sent to the secondary Geo-Location server in a failover-type scenario. If the primary Geo-Location server is brought back up and is online, requests are still routed to the secondary Geo-Location server as long as the secondary Geo-Location server is up. Only if the secondary Geo-Location server goes down and the primary Geo-Location server is up will a fallback occur and requests once again will be routed to the primary Geo-Location server.
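
The failover and fallback behaviour between the primary and secondary Geo-Location servers described in the Note above, as an added example. This is not code from the SE; it is a small state model written for this page that implements only the documented rules: fail over to the secondary when the primary is down, keep using the secondary while it stays up, and fall back to the primary only after the secondary itself goes down. The `GeoLocationFailover` class, its health probe inputs and the addresses are constructed.

```python
"""Primary/secondary Geo-Location server selection as described in the Note above.

Added example, not code from the SE: it models only the documented behaviour
(fail over to the secondary when the primary is down, stay on the secondary
while it is up, fall back to the primary only after the secondary fails).
Addresses and health changes are constructed.
"""


class GeoLocationFailover:
    def __init__(self, primary, secondary=None):
        self.primary, self.secondary = primary, secondary
        self.up = {primary: True}
        if secondary:
            self.up[secondary] = True
        self.active = primary            # requests start with the primary server

    def set_health(self, server, is_up):
        """Record a health change (constructed probe result) and return the server
        that requests now go to, or None when no configured server is up."""
        self.up[server] = is_up
        return self.select()

    def select(self):
        if self.active == self.primary:
            # Fail over only when the primary is down and a secondary is up.
            if not self.up[self.primary] and self.secondary and self.up[self.secondary]:
                self.active = self.secondary
        elif not self.up[self.secondary] and self.up[self.primary]:
            # On the secondary: fall back only after the secondary itself goes down.
            self.active = self.primary
        return self.active if self.up[self.active] else None
```

The point worth noticing when troubleshooting is the second assertion below: bringing the primary back online does not move requests back to it, so a restored primary that sees no traffic is expected behaviour rather than a fault.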



Configuring Transaction Logs

Transaction logs allow administrators to view the traffic that has passed through the SE. Typical fields in the transaction log are the date and time when a request was made, the URL that was requested, whether it was a cache hit or a cache miss, the type of request, the number of bytes transferred, and the source IP address. For more information about transaction logs and their formats, see the "Transaction Logs" section.

To enable transaction logging, do the following:


Step 1 Choose Devices > Devices > Service Control > Transaction Logging. The Transaction Log Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-17 for a description of the fields.

Table 4-17 Transaction Log Settings Fields 

Field
Description
General Settings

Transaction Log Enable

Enables transaction logging.

Log Windows Domain

If NTLM authentication is configured, you can record the Windows domain name and username in the "authenticated username" field of the transaction log by checking this check box. For more information, see the "Transaction Logging and NTLM Authentication" section.

Compress Files before Export

When this check box is checked, archived log files are compressed into gzip format before being exported to external FTP servers.

Log File Format

Log Format Custom

Log file format choices are extended-squid or apache. The default is apache. For more information, see the "Transaction Log Formats for Web Engine" section.

Or, choose Log Format Custom and enter a custom format string. For more information, see the "Custom Format" section.

Archive Settings

Max size of Archive File

Maximum size (in kilobytes) of the archive file to be maintained on the local disk. The range is from 1000 to 2000000. The default is 500000.

Max number of files to be archived

Maximum number of files to be maintained on the local disk. The range is from 1 to 10000. The default is 10.

Archive occurs

How often the working log is archived and the data is cleared from the working log. Choose one of the following:

Choose every to archive every so many seconds, and enter the number of seconds for the interval. The range is from 120 to 604800.

Choose every hour to archive using intervals of one hour or less, and choose one of the following:

at—Specifies the minute in which each hourly archive occurs

every—Specifies the number of minutes for the interval (2, 5, 10, 15, 20, or 30)

Choose every day to archive using intervals of one day or less, and choose one of the following:

at—Specifies the hour in which each daily archive occurs

every—Specifies the number of hours for the interval (1, 2, 3, 4, 6, 8, 12, 24)

Choose every week on to archive at intervals of one or more times a week, choose the days of the week, and choose what time each day.

Export Settings

Enable Export

Enables exporting of the transaction log to an FTP server.

Export occurs

How often the working log is sent to the FTP server and the data is cleared from the working log. Choose one of the following:

Choose every to export every so many minutes, and enter the number of minutes for the interval. The range is from 1 to 10080.

Choose every hour to export using intervals of one hour or less, and choose one of the following:

at—Specifies the minute in which each hourly export occurs

every—Specifies the number of minutes for the interval (2, 5, 10, 15, 20, or 30)

Choose every day to export using intervals of one day or less, and choose one of the following:

at—Specifies the hour in which each daily export occurs

every—Specifies the number of hours for the interval (1, 2, 3, 4, 6, 8, 12, 24)

Choose every week on to export using intervals of one or more times a week, choose the days of the week, and what time each day.

FTP Export Server

IP address or hostname of the FTP server.

Name

Name of the user.

Password

Password for the user.

Confirm Password

Confirms the password for the user.

Directory

Name of the directory used to store the transaction logs on the FTP server.

SFTP

Check the SFTP check box if you are using an SFTP server. Plain FTP sends the export credentials and the log data in cleartext, so use SFTP wherever the export server supports it.

Windows Media Settings

Enable Windows Media Settings

Enables Windows Media transaction logging.

Log File Format

Sets Windows Media Streaming Engine to generate transaction logs in the following formats:

extended wms-41

Uses the standard Windows Media Services 4.1 format to generate the transaction log and includes the following three additional fields in the transaction log:

SE_action (cache hit or cache miss)

SE-bytes (number of bytes sent from the SE for a cache hit)

username (username of the Windows Media request when NTLM, Negotiate, Digest, or basic authentication is used)

extended wms-90

Uses the standard Windows Media Services 9 format to generate the transaction log and includes the following three additional fields in the transaction log:

SE_action (cache hit or cache miss)

SE-bytes (number of bytes sent from the SE for a cache hit)

username (username of the Windows Media request when NTLM, Negotiate, Digest, or basic authentication is used)

wms-41

Standard Windows Media Services 4.1 format

wms-90

Standard Windows Media Services 9 format

The default is wms-41. For more information, see the "Windows Media Transaction Logging" section.


Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
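The following Python script is an added example and is not code from the Cisco guide. It reads an extended wms-90 style transaction log by its #Fields directive (the W3C extended log layout that Windows Media Services uses, which the SE log is assumed here to follow), so the three extra columns SE_action, SE-bytes and username are located by name rather than by position, and it summarizes cache hits and misses, bytes served from cache, and bytes sent per authenticated user. The sample records, the HIT/MISS spelling of SE_action values, and every column name other than those three are constructed for the example.

```python
"""Summarize an 'extended wms-90' transaction log.

Added example, not code from the Cisco guide. Assumes W3C extended log
layout with a '#Fields:' directive; SE_action, SE-bytes and username are
the extra columns the guide names, every other column name and the sample
records are constructed.
"""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
#Software: constructed sample, not a real SE log
#Version: 1.0
#Fields: date time c-ip cs-uri-stem c-status sc-bytes SE_action SE-bytes username
2012-03-07 10:00:01 192.0.2.10 /vod/clip1.wmv 200 5242880 HIT 5242880 alice
2012-03-07 10:00:05 192.0.2.11 /vod/clip2.wmv 200 1048576 MISS 0 -
2012-03-07 10:00:09 192.0.2.10 /vod/clip1.wmv 200 5242880 HIT 5242880 alice
2012-03-07 10:00:12 198.51.100.7 /vod/clip3.wmv 404 0 MISS 0 bob
2012-03-07 10:00:13 malformed row with too few columns
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names from the #Fields line.

    Records seen before any #Fields directive, and rows whose column count
    does not match the header, are skipped instead of being guessed at.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue
        yield dict(zip(fields, cols))


def summarize(text):
    """Return cache hit/miss counts, the hit ratio, bytes served from cache
    (SE-bytes) and bytes sent per authenticated user (username != '-')."""
    actions = Counter()
    cache_bytes = 0
    per_user = defaultdict(int)
    for rec in parse_w3c(text):
        actions[rec["SE_action"].upper()] += 1
        cache_bytes += int(rec["SE-bytes"])
        if rec["username"] != "-":
            per_user[rec["username"]] += int(rec["sc-bytes"])
    total = sum(actions.values())
    return {
        "actions": dict(actions),
        "hit_ratio": actions["HIT"] / total if total else 0.0,
        "cache_bytes": cache_bytes,
        "per_user": dict(per_user),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Locating columns through the #Fields line matters because the wms-41, wms-90 and extended variants put a different number of fields on each record; a parser that hard-codes positions silently misreads the username column as soon as the Log File Format setting changes.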


Application Control

The Application Control pages provide settings for bandwidth management of delivery services and protocol engines. Configuring application control consists of the following procedures:

Configuring Default and Maximum Bandwidth

Configuring Bandwidth Schedules

Configuring Windows Media Streaming—General Settings

Configuring Windows Media Streaming—Bypass List

Configuring Movie Streamer—General Settings

Configuring RTSP Advanced Settings

Configuring Flash Media Streaming—General Settings

Configuring Flash Media Streaming—FMS Administrator

Configuring Flash Media Streaming—Wholesale Licenses

Configuring Flash Media Streaming—Service Monitoring

Configuring Web Engine HTTP Connections

Configuring Web Engine HTTP Caching

Configuring Web Engine HTTP Cache Freshness

Configuring Web Engine Advanced HTTP Caching

Configuring Default and Maximum Bandwidth

The bandwidth used for delivering content is determined by the settings in the Default and Maximum Bandwidth page, and the Scheduled Bandwidth page. The default settings are used unless a scheduled bandwidth is configured for a specified time period. For Flash Media Streaming bandwidth limits, see the "Configuring Flash Media Streaming—General Settings" section and the "Configuring Flash Media Streaming—Wholesale Licenses" section.


Note The bandwidth used for delivering content is always the minimum bandwidth configured of the following configurations: default bandwidth, maximum bandwidth, and scheduled bandwidth. When the bandwidth limit is reached, new client requests are dropped and a syslog entry is written. The client receives an error message "453: Not enough bandwidth."


To configure the default and maximum bandwidth settings, do the following:


Step 1 Choose Devices > Devices > Application Control > Default and Maximum Bandwidth. The Default and Maximum Bandwidth page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-18 for a description of the fields.

Table 4-18 Application Control Default and Maximum Bandwidth Fields 

Field
Description

Windows Media Incoming

Default Bandwidth

Default bandwidth allowed for incoming Windows Media traffic from client devices.

Maximum Bandwidth

Maximum bandwidth permitted by system license. The maximum bandwidth for concurrent Windows Media streams enforces the aggregate bandwidth of all concurrent Windows Media streaming sessions, which includes RTSP-using-UDP, RTSP-using-TCP, MMS-over-HTTP, and live stream splitting.

Note The default value, without this performance-based license, is 500 megabits per second (Mbps); in Release 2.5.7 and later releases, the default is 200 Mbps. The maximum allowed is 4 gigabits per second (Gbps) on a CDE200, 8 Gbps on a CDE220-2G2, and 12 Gbps on a CDE220-2S3i (the CDE220-2S3i is available in Release 2.5.7 and later releases).

Windows Media Outgoing

Default Bandwidth

Default bandwidth allowed for outgoing Windows Media traffic from the SE.

Maximum Bandwidth

Maximum bandwidth permitted by system license. The maximum bandwidth for concurrent Windows Media streams enforces the aggregate bandwidth of all concurrent Windows Media streaming sessions, which includes RTSP-using-UDP, RTSP-using-TCP, MMS-over-HTTP, and live stream splitting.

Note The default value, without this performance-based license, is 500 Mbps; in Release 2.5.7 and later releases, the default is 200 Mbps. The maximum allowed is 4 Gbps on a CDE200, 8 Gbps on a CDE220-2G2, and 12 Gbps on a CDE220-2S3i (the CDE220-2S3i is available in Release 2.5.7 and later releases).

Movie Streamer Incoming

Default Bandwidth

Default bandwidth allowed for incoming Movie Streamer traffic from client devices.

Maximum Bandwidth

Maximum bandwidth permitted by system license. The maximum bandwidth for concurrent Movie Streamer streams enforces the aggregate bandwidth of all concurrent Movie Streamer sessions.

Note The default value, without this performance-based license, is 2 Gbps. In Release 2.5.7 and later releases, the default is 200 Mbps.

Movie Streamer Outgoing

Default Bandwidth

Default bandwidth allowed for outgoing Movie Streamer traffic from the SE.

Maximum Bandwidth

Maximum bandwidth permitted by system license. The maximum bandwidth for concurrent Movie Streamer streams enforces the aggregate bandwidth of all concurrent Movie Streamer sessions.

Note The default value, without this performance-based license, is 2 Gbps. In Release 2.5.7 and later releases, the default is 200 Mbps.


Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring Bandwidth Schedules

Bandwidth Schedule settings take precedence over Default Bandwidth settings.

To configure a Bandwidth Schedule, do the following:


Step 1 Choose Devices > Devices > Application Control > Bandwidth Schedules. The Application Control Bandwidth Schedule Table page is displayed.

The table is sortable by clicking the column headings.

For information about Aggregate Settings, see the "Aggregate Settings" section.

Step 2 Click Create New in the task bar. The Scheduled Bandwidth page is displayed.

To edit a bandwidth schedule, click the Edit icon next to the scheduled bandwidth you want to edit.

Step 3 Enter the settings as appropriate. See Table 4-19 for a description of the fields.

Table 4-19 Application Control Bandwidth Schedule Fields 

Field
Description

Bandwidth Type

Windows Media Incoming—Incoming Windows Media streaming content requests from end users.

Windows Media Outgoing—Outgoing Windows Media content from SEs.

 

Movie Streamer Incoming—Incoming Movie Streamer content requests from SEs or origin servers.

Movie Streamer Outgoing—Outgoing Movie Streamer content in response to RTSP requests from end users.

Bandwidth Rate

Maximum amount of bandwidth you want to allow (in kilobits per second).

Start Time

Time of day for the bandwidth rate setting to start, using a 24-hour clock in local time (hh:mm).

End Time

Time of day for the bandwidth rate setting to end (hh:mm).

Use Specific Days

Days of the week on which configured bandwidth settings apply.

Full Week—Bandwidth settings are applied to the entire week.

Sun, Mon, Tue, Wed, Thu, Fri, and Sat—Specific days of the week on which configured bandwidth settings apply.

Specific Day Range

Range of days of the week on which configured bandwidth settings apply.

Start day—Day of the week to start for allowable bandwidth.

End day—Day of the week to end for allowable bandwidth.


Step 4 Click Submit to save the settings.

To delete a bandwidth schedule, click the Edit icon for the schedule, then click the Delete icon in the task bar.
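The following Python script is an added example and is not code from the Cisco guide. It implements the bandwidth rules the two preceding sections state: a Bandwidth Schedule that covers the current day and time overrides the Default Bandwidth, the enforced limit is the minimum of that value and the Maximum (license) Bandwidth, and a new request that would exceed the limit is refused with the 453 error. The handling of overlapping schedules, the rejection of a window whose end time is not later than its start, the wrapping of a Specific Day Range such as Fri to Mon, and the sample configuration are assumptions made for the example.

```python
"""Effective bandwidth limit and admission check for a CDS bandwidth type.

Added example, not code from the Cisco guide. Implements the rules the
guide states: a Bandwidth Schedule that covers the current day and time
overrides the Default Bandwidth, and the limit actually enforced is the
minimum of that value and the Maximum (licence) Bandwidth. Overlapping
schedules, windows ending before they start, wrapping day ranges and the
sample numbers are handled by assumptions noted inline.
"""
from dataclasses import dataclass, field
from datetime import datetime, time

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order


def day_range(start_day, end_day):
    """Expand a Specific Day Range (inclusive) into a set of days; a range
    such as Fri..Mon is assumed to wrap over the weekend."""
    i, j = DAYS.index(start_day), DAYS.index(end_day)
    return frozenset(DAYS[i:j + 1] if i <= j else DAYS[i:] + DAYS[:j + 1])


@dataclass(frozen=True)
class Schedule:
    rate_kbps: int
    start: time                        # local time, 24-hour clock
    end: time
    days: frozenset = frozenset(DAYS)  # Full Week unless narrowed

    def __post_init__(self):
        if self.start >= self.end:
            # Assumption: the guide does not define a window that ends
            # before it starts, so reject it rather than guess at wrapping.
            raise ValueError("end time must be later than start time")
        if self.rate_kbps <= 0:
            raise ValueError("rate must be positive")

    def covers(self, when):
        return DAYS[when.weekday()] in self.days and self.start <= when.time() < self.end


@dataclass
class BandwidthConfig:
    default_kbps: int
    maximum_kbps: int                  # ceiling set by the system licence
    schedules: list = field(default_factory=list)


def effective_limit_kbps(cfg, when):
    """Scheduled rate wins over the default; the licence maximum caps both.
    If several schedules cover the same moment the lowest rate is used
    (assumption: the guide does not say how overlaps are resolved)."""
    rates = [s.rate_kbps for s in cfg.schedules if s.covers(when)]
    base = min(rates) if rates else cfg.default_kbps
    return min(base, cfg.maximum_kbps)


def admit(cfg, when, in_use_kbps, new_stream_kbps):
    """Return (admitted, message). A request that would push the aggregate
    over the limit is refused with the 453 error the guide describes."""
    limit = effective_limit_kbps(cfg, when)
    if in_use_kbps + new_stream_kbps > limit:
        return False, "453: Not enough bandwidth"
    return True, "admitted (%d of %d kbps in use)" % (in_use_kbps + new_stream_kbps, limit)


# Constructed sample: 500 Mbps default, 4 Gbps licence ceiling, and a
# business-hours schedule that throttles the type to 200 Mbps on weekdays.
SAMPLE_CONFIG = BandwidthConfig(
    default_kbps=500_000,
    maximum_kbps=4_000_000,
    schedules=[Schedule(200_000, time(9, 0), time(17, 0), day_range("Mon", "Fri"))],
)

if __name__ == "__main__":
    for when in (datetime(2012, 3, 7, 10, 0), datetime(2012, 3, 7, 20, 0)):
        print(when, effective_limit_kbps(SAMPLE_CONFIG, when), admit(SAMPLE_CONFIG, when, 150_000, 60_000))
```

The point worth checking against a live SE is the license cap: a schedule or default set higher than Maximum Bandwidth never raises the limit, so a schedule meant to lift the rate during off-peak hours has no effect unless the license maximum is above it.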


Bandwidth Graph

To view a graphical representation of the bandwidth settings, click the Display Graph icon in the task bar. The Application Bandwidth graph is displayed in a new window.

The vertical axis of the graph represents the amount of bandwidth in kilobits per second (kb/s), and the horizontal axis represents the days of the week. The units shown on the vertical axis are determined dynamically based on the bandwidth rate for a particular bandwidth type. The units shown on the horizontal axis represent 24 hours per each day of the week. Each type of bandwidth is represented by a different color. A legend at the bottom of the graph maps colors to the corresponding bandwidth type.

To view the graph by bandwidth type, detailed or composite view, or days of the week, click a view option in the text at the top of the window. Table 4-20 describes the view options.

Table 4-20 Viewing Options for Content Services Bandwidth Graph 

Option
Description

Windows Media In

Displays the bandwidth settings for incoming Windows Media traffic.

Windows Media Out

Displays the bandwidth settings for outgoing Windows Media traffic.

Movie Streamer In

Displays the bandwidth settings for incoming Movie Streamer traffic.

Movie Streamer Out

Displays the bandwidth settings for outgoing Movie Streamer traffic.

All Servers

Displays a consolidated view of all configured bandwidth types. This is the default view and is combined with the Full Week view.

Show Detailed Bandwidth/Show Effective Bandwidth

Toggles between the two options:

Show Detailed Bandwidth—Displays detailed bandwidth settings for the SE and its associated device groups. The bandwidth settings of the device and device groups are shown in different colors for easy identification.

Show Effective Bandwidth—Displays the composite (aggregate) bandwidth settings for the SE and its associated device groups.

Show Aggregate View/Show Non-Aggregate View

Toggles between the two options:

Show Aggregate View—Displays the bandwidth settings configured for the corresponding device groups.

Show Non-Aggregate View—Displays the bandwidth settings configured for the SE.

Sun, Mon, Tues, Wed, Thurs, Fri, Sat

Displays the bandwidth settings for the corresponding day of the week.

Full Week

Displays the bandwidth settings for the entire week. This is the default view and is combined with the All Servers view.


Configuring Windows Media Streaming—General Settings

To configure the General Settings for Windows Media Streaming, do the following:


Step 1 Choose Devices > Devices > Application Control > Windows Media Streaming > General Settings. The Windows Media Streaming General Settings page is displayed (Figure 4-17).

Figure 4-17 Windows Media Streaming Page—General Settings

Step 2 Enter the settings as appropriate. See Table 4-21 for a description of the fields.

Table 4-21 Windows Media Streaming General Settings Fields 

Field
Description

Enable Windows Media Services

When checked, Windows Media Services is enabled. To disable services, uncheck the check box.

Windows Media Proxy Settings

Enable Outgoing HTTP Proxy

When enabled, allows an outgoing HTTP proxy server for streaming media in MMS format (MMS-over-HTTP). The Outgoing Proxy feature only works on the Content Acquirer in a delivery service.

Outgoing HTTP Proxy Host Name and Port

Hostname, or IP address, and port of the outgoing HTTP proxy. Valid port numbers range from 1 to 65535.

Enable Outgoing RTSP Proxy

When enabled, allows an outgoing RTSP proxy server for streaming media using RTSP. The Outgoing Proxy feature only works on the Content Acquirer in a delivery service.

Outgoing RTSP Proxy Host Name and Port

Hostname, or IP address, and port of the outgoing RTSP proxy. Valid port numbers range from 1 to 65535.

Enable Accelerate Proxy Cache Performance

When enabled, caching performance improvements are applied to the Windows Media proxy.

Windows Media General Settings

Disable HTTP Windows Media Traffic

To disallow streaming over HTTP, check the check box.

Disable RTSPT WMT Traffic

To disallow streaming over RTSPT (RTSP using TCP), check the check box.

Disable RTSPU WMT Traffic

To disallow streaming over RTSPU (RTSP using UDP), check the check box.

Maximum Concurrent Connections: Override Default and Custom Value

To override the default maximum number of concurrent sessions, check the check box and enter a value in the Custom Value field.

The default is 14000 sessions. The range is from 1 to 14000.

Note In Release 2.5.7 and later releases, the default is 200 sessions.

Enforce Maximum Outgoing Bitrate

Enforces the maximum stream bit rate for serving content when checked.

Maximum Outgoing Bitrate

The maximum streaming bit rate that can be served in kilobits per second (kbps).

Enforce Maximum Incoming Bitrate

Enforces the maximum incoming bit rate for receiving content when checked.

Maximum Incoming Bitrate

The maximum streaming bit rate (kbps) that can be received.

Enable Accelerate Live-Split Performance

Enables performance improvements in live splitting for the Windows Media proxy.

Enable Accelerate VOD Performance

Enables performance improvements in Video On Demand for the Windows Media proxy.

Restrict HTTP Allowed Extensions

Allows you to add or remove permitted extensions.

HTTP Allowed Extensions

List of allowable extensions for HTTP.

You can add or delete filename extensions from this list with the following restrictions:

Each extension must be alphanumeric, with the first character in the extension being an alphabetic character.

You cannot have more than 10 characters in a filename extension.

You cannot add more than 6 filename extensions to the allowed list.

Enable Fast Start Feature

Enables Fast Start for MMS-over-HTTP or RTSP.

Fast Start Max Bandwidth

Maximum bandwidth (kbps) allowed per Windows Media Player when Fast Start is used to serve packets to this player. The default is 3500. The range is from 1 to 65535.

Enable Fast Cache

Enables Fast Cache for MMS-over-HTTP or RTSP.

Fast Cache Max Delivery Rate

Maximum delivery rate (kbps) allowed per Windows Media Player when Fast Cache is used to deliver packets to this player. The default is 5. The range is from 1 to 65535.

Windows Media Multicast Settings

Number of hops to live

Number of hops to live for multicast Windows Media packets. The default is 5. The range is from 0 to 255.

Windows Media Advanced Client Settings

Idle Timeout

Number of seconds to timeout when the client connection is idle. The default is 60. The range is from 30 to 300.

Maximum Data Packet Size

Maximum packet size (in bytes) allowed. The default is 1500. The range is from 576 to 16,000.

Windows Media Advanced Server Settings

Enable Log Forwarding

Enables log forwarding to an upstream SE or Windows Media server.

Inactive Timeout

Number of seconds to timeout when the upstream SE or Windows Media server connection is idle. The default is 65535. The range is from 60 to 65535.

Windows Media Cache Settings

Enable

When checked, Windows Media cache settings are enabled.

Max Object Size

The maximum content object size (in megabytes) the SE can cache. The default is 25600. The range is from 1 to 1000000.

Age Multiplier

The age multiplier value (as a percentage) enables the SE to estimate the life of an object by multiplying the time since the object was last modified by a percentage to obtain an approximate expiration date. After this date, the object is considered stale, and subsequent results cause a fresh retrieval by the SE. The default value is 30. The range is from 0 to 100.

Maximum TTL

The maximum time-to-live for objects in the cache. The value ranges are the following:
1 to 157680000 seconds
1 to 2628000 minutes
1 to 43800 hours
1 to 1825 days
The default is 1 day.

Minimum TTL

The minimum time-to-live (in minutes) for objects in the cache. The default is 60. The range is from 0 to 86400.

Enable Re-evaluate Request

When checked, the cache is validated with the origin server instead of validating the cache using heuristics. When Enable Re-evaluate Request is checked, the cached content freshness is revalidated every time the content is requested, which limits the effectiveness of the other cache settings and increases the time to start streaming the content.


Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring Windows Media Streaming—Bypass List

Incoming bandwidth refers to the bandwidth between a local SE and the origin server. When the SE is configured for Windows Media proxy services, incoming bandwidth usage for Video On Demand (VOD) content is unpredictable. This unpredictability is because the consumption of incoming bandwidth for VOD content can be triggered arbitrarily by an end user requesting the content. If the VOD content is not found in the SE cache, a cache miss occurs, and the Windows Media proxy must fetch the content from the origin server. The SE administrator cannot predict the incoming bandwidth usage for such events, so a large number of cache-miss VOD requests can consume all of the incoming bandwidth.

The Windows Media incoming bandwidth bypass configuration allows the administrator to configure a list of hosts that bypasses the incoming bandwidth limitation.

To configure the list of hosts for bypassing incoming bandwidth limits, do the following:


Step 1 Choose Devices > Devices > Application Control > Windows Media Streaming > Bypass List. The Bypass List page is displayed.

Step 2 In the Windows Media BW Incoming Bypass List field, enter up to four IP addresses or hostnames of hosts you want to bypass the incoming bandwidth check. Separate each entry with a space.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring Movie Streamer—General Settings

The Movie Streamer is an open-source, standards-based, streaming server that delivers hinted MPEG-4, hinted 3GPP, and hinted MOV files to clients over the Internet and mobile networks using the industry-standard RTP and RTSP.

To configure the general settings for Movie Streamer, do the following:


Step 1 Choose Devices > Devices > Application Control > Movie Streamer > General Settings. The Movie Streamer General Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-22 for a description of the fields.

Table 4-22 Movie Streamer General Settings Fields 

Field
Description

Enable Movie Streamer Services

When checked, Movie Streamer Services is enabled. To disable services, uncheck the check box.

Movie Streamer Proxy Settings

Host Name

Hostname or IP address of the proxy server for Movie Streamer.

Port

Port of the proxy server for Movie Streamer. Valid port numbers range from 1 to 65535. The default is 554.

Movie Streamer General Settings

Maximum Concurrent Connections: Override Default and Custom Value

To override the default maximum number of concurrent sessions, check the check box and enter a value in the Custom Value field.

The default is 8000 sessions. The range is from 1 to 16000.

Note In Release 2.5.7 and later releases, the default is 200 sessions.

Enforce Maximum Outgoing Bitrate

Enforces the maximum stream bit rate for serving content when checked.

Maximum Outgoing Bitrate

The maximum streaming bit rate that can be served in kilobits per second (Kbps). The range is from 1 to 2147483647, depending on the hardware model.

Enforce Maximum Incoming Bitrate

Enforces the maximum incoming bit rate for receiving content when checked.

Maximum Incoming Bitrate

The maximum streaming bit rate (Kbps) that can be received. The range is from 1 to 2147483647, depending on the hardware model.

Enable Accelerate VOD Performance

Enables performance improvements in Video On Demand for the Movie Streamer proxy.

Movie Streamer Advanced Client Settings

Idle Timeout

The Idle Timeout field and the movie-streamer advanced client idle-timeout command (as well as the movie-streamer advanced client rtp-timeout command), are only intended for performance testing when using certain testing tools that do not have full support of the RTCP receiver report. Setting these timeouts to high values causes inefficient tear-down of client connections when the streaming sessions have ended.

The movie-streamer advanced client idle-timeout command has a range from 0 to 300, whereas the Idle Timeout field has a range from 30 to 180. This is by design.

For typical deployments, it is preferable to leave these parameters set to their defaults. The default is 60.

Movie Streamer Cache Settings

Enable

When checked, Movie Streamer caches content on the SE and the cache settings are enabled.

Age Multiplier

The age multiplier value (as a percentage) enables the SE to estimate the life of an object by multiplying the time since the object was last modified by a percentage to obtain an approximate expiration date. After this date, the object is considered stale, and subsequent results cause a fresh retrieval by the SE. The default value is 30. The range is from 0 to 100.

Maximum TTL

The maximum time-to-live for objects in the cache. The value ranges are the following:
1 to 157680000 seconds
1 to 2628000 minutes
1 to 43800 hours
1 to 1825 days
The default is 1 day.

Enable Re-evaluate Request

When checked, the cache is validated with the origin server instead of validating the cache using heuristics.


Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.
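The following Python script is an added example and is not code from the Cisco guide. It implements the cache freshness heuristic that both the Windows Media Cache Settings and the Movie Streamer Cache Settings tables describe: the estimated lifetime of an object is Age Multiplier percent of the time between its Last-Modified value and the moment the SE fetched it, bounded by Maximum TTL and, for Windows Media only, raised to Minimum TTL, while Enable Re-evaluate Request bypasses the heuristic and revalidates on every request. Using the fetch time as the reference point, the order of the two clamps, a zero floor for a Last-Modified value in the future, and the sample timestamps are assumptions made for the example.

```python
"""Freshness check for a cached Windows Media or Movie Streamer object.

Added example, not code from the Cisco guide. Implements the heuristic the
guide describes for both engines: estimated lifetime = Age Multiplier
percent of (fetch time - Last-Modified), capped at Maximum TTL and, for
Windows Media, raised to Minimum TTL; Enable Re-evaluate Request forces
revalidation on every request. The reference point, clamp order and the
zero floor for future Last-Modified values are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

ZERO = timedelta(0)


@dataclass(frozen=True)
class CachePolicy:
    age_multiplier_pct: int = 30                  # guide default, range 0..100
    max_ttl: timedelta = timedelta(days=1)        # guide default
    min_ttl: timedelta = timedelta(minutes=60)    # Windows Media default; ZERO for Movie Streamer
    reevaluate: bool = False

    def __post_init__(self):
        if not 0 <= self.age_multiplier_pct <= 100:
            raise ValueError("age multiplier must be 0..100 percent")
        if self.min_ttl > self.max_ttl:
            raise ValueError("minimum TTL exceeds maximum TTL")


def estimated_lifetime(policy, last_modified, fetched_at):
    """Lifetime = age * multiplier%, then clamped into [min_ttl, max_ttl]."""
    age = max(ZERO, fetched_at - last_modified)   # clock skew: treat as brand new
    estimate = age * (policy.age_multiplier_pct / 100)
    return max(policy.min_ttl, min(estimate, policy.max_ttl))


def is_stale(policy, last_modified, fetched_at, now):
    """True when the SE must revalidate with the origin before serving."""
    if policy.reevaluate:
        return True
    return now >= fetched_at + estimated_lifetime(policy, last_modified, fetched_at)


WINDOWS_MEDIA = CachePolicy()                  # 30 %, 1 day max, 60 min min
MOVIE_STREAMER = CachePolicy(min_ttl=ZERO)     # Movie Streamer has no Minimum TTL field

if __name__ == "__main__":
    fetched = datetime(2012, 3, 7, 10, 0)
    for label, modified in (("10 days old", fetched - timedelta(days=10)),
                            ("1 hour old", fetched - timedelta(hours=1))):
        print(label, estimated_lifetime(WINDOWS_MEDIA, modified, fetched),
              estimated_lifetime(MOVIE_STREAMER, modified, fetched))
```

The two clamps are what make the heuristic safe to tune: a large Age Multiplier on a rarely changing object is still cut off by Maximum TTL, and Minimum TTL stops a freshly modified object from being refetched on every request, which is the same effect Enable Re-evaluate Request produces deliberately.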


Configuring RTSP Advanced Settings

To configure RTSP advanced settings for Movie Streamer and Windows Media Streaming, do the following:


Step 1 Choose Devices > Devices > Application Control > RTSP Advanced Settings. The RTSP Advanced Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-23 for a description of the fields.

Table 4-23 RTSP Advanced Settings Fields 

Field
Description

Maximum Initial Setup Delay

Maximum delay allowed (in seconds) between TCP accept and the first RTSP message from the client. The default is 10 seconds.

Maximum Request Rate

Maximum number of incoming requests per second that the RTSP gateway allows. The default is 40 requests per second.


Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring Flash Media Streaming—General Settings

The Flash Media Streaming engine delivers Adobe Flash applications and video files, as well as MP3 audio files using HTTP and an Adobe proprietary protocol, RTMP. For more information, see the "Flash Media Streaming Engine" section.


Note Flash Media Streaming uses port 1935 for RTMP and RTMPE streaming. Flash Media Streaming also supports RTMPT and RTMPTE over port 80.


To enable Flash Media Streaming, do the following:


Step 1 Choose Devices > Devices > Application Control > Flash Media Streaming > General Settings. The Flash Media Streaming General Settings page is displayed.

Step 2 Check the Enable Flash Media Streaming check box.

Step 3 Enter the settings as appropriate. See Table 4-24 for a description of the fields.

Table 4-24 Flash Media Streaming Fields 

Field
Description

Non-Wholesale License Bandwidth

Maximum bandwidth of the perpetual license. The range is from 1000 to 8000000 Kbps. The default is 200000.

Restricted Maximum Bandwidth

Maximum bandwidth allowed for Flash Media Streaming. The range is from 1000 to 8000000 Kbps. The default is 200000.

Restricted Maximum Sessions

Maximum concurrent sessions the Flash Media Streaming engine supports. The range is from 1 to 15000. The default is 200.


Step 4 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring Flash Media Streaming—FMS Administrator

To enable servers to send Flash Media Server (FMS) Administration API calls to this device, do the following:


Step 1 Choose Devices > Devices > Application Control > Flash Media Streaming > FMS Admin Allow Hosts. The FMS Admin Allow Hosts page is displayed.

Step 2 Check the Enable check box.

Step 3 In the FMS Admin Allow Hosts field, enter the IP addresses (space delimited) of the servers that are allowed to send Flash Media Server Administration API calls to this device. Limit the list to the management hosts that need this access, because any host on it can monitor and manage the Flash Media Server running on this SE.

The Adobe Flash Media Server Administration APIs and the Administration Console that was built using the Administration APIs are supported. These APIs can be used to monitor and manage the Adobe Flash Media Server running on a Cisco CDS Service Engine.

Step 4 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring Flash Media Streaming—Wholesale Licenses

The CDS includes a perpetual Flash Media Streaming license that provides bandwidth for streaming Flash Media Streaming content. If your service requirements are greater than the bandwidth provided in the perpetual license or you have specific customer requirements, you can purchase a wholesale license for a specified bandwidth and a specified duration.

The wholesale license bandwidth is separate from the perpetual license bandwidth. Whichever bandwidth is greater is considered the available bandwidth for Flash Media Streaming.

The CDSM notifies you as early as three months before a wholesale license is about to expire, with the notifications getting more frequent and with a higher alert status as the expiration date gets closer. Notification can be turned off after the initial three month alert. For more information, see the "System Status" section.

To configure a Flash Media Streaming wholesale license, do the following:


Step 1 Choose Devices > Devices > Application Control > Flash Media Streaming > Wholesale Licenses. The Wholesale Licenses Table page is displayed.

The Wholesale Licenses Table page has two sections, Bandwidth Summary and Wholesale Licenses table. Table 4-25 describes the information displayed in the Bandwidth Summary section.

Table 4-25 Bandwidth Summary Fields 

Field
Description

FMS Service Status (see note 1)

Shows whether Flash Media Streaming is enabled or disabled.

Non-Wholesale Bandwidth (see note 1)

Displays the bandwidth configured for the perpetual license.

Restricted Maximum Bandwidth (see note 1)

Displays the Restricted Maximum Bandwidth for Flash Media Streaming.

Total Wholesale Bandwidth

Displays the sum total of all active wholesale bandwidth licenses. The Available Bandwidth is determined by whichever is greater, the Total Wholesale Bandwidth or the Non-Wholesale Bandwidth.

FMS Allowed Bandwidth

Displays the FMS Allowed Bandwidth, which is whichever is lesser, the Available Bandwidth or the Restricted Maximum Bandwidth.

For example, if the Non-Wholesale bandwidth is 200,000 Kbps, and the Total Wholesale Bandwidth is 300,000 Kbps, then the Available Bandwidth is 300,000 Kbps (the greater of the two).

If the Restricted Maximum Bandwidth is 600,000 Kbps and the Available Bandwidth is 300,000 Kbps, the FMS Allowed Bandwidth is 300,000 Kbps (the lesser of the two).

Note 1: To change the settings for this field, see the "Configuring Flash Media Streaming—General Settings" section.


Table 4-26 describes the information displayed in the Wholesale Licenses section. The table is sortable by clicking the column headings.

Table 4-26 Wholesale Licenses Columns 

Field
Description

Sequence #

Displays the number assigned to the wholesale license by the CDSM.

License Name

Displays the name of the wholesale license.

Bandwidth

Displays the bandwidth, in Kbps, for the wholesale license.

Start Date

Displays the start date of the wholesale license.

Expiration Date

Displays the expiration date of the wholesale license, calculated by using the start date and the duration of the license.

License Status

Displays the status of the license (active, inactive, expired). The status is active when the license is in effect. The status is inactive when the start date for the license has not occurred yet. The status is expired when the license has expired.

Severity

Displays the severity of the license alert, which is based on how many days are left before the license expires. When you roll your mouse over an alarm light in the Severity bar, a pop-up message provides further details about the license status.

For more information, see the "License Alerts" section.

Days Left

Displays the number of days left before the license expires.

Expiration Alert Status

Displays whether the Expiration Alert Status is enabled or disabled. The Expiration Alert Status cannot be disabled until after the initial three-month alert has been triggered.


Step 2 Click the Create New icon in the task bar. The Wholesale License page is displayed.

To edit a license, click the Edit icon next to the license you want to edit.

Step 3 Enter the settings as appropriate. See Table 4-27 for a description of the fields.

Table 4-27 Wholesale License (Term-Based) Fields 

Field
Description

License Name

The name for the wholesale license.

License Bandwidth

The bandwidth for the wholesale license. The range is from 1000 to 8000000 Kbps.

License Start Date

The date on the Flash Media Streaming Wholesale License paper. Choose the month from the drop-down list, and enter the day and year. This date is checked based on the local time on the SE.

License Duration

The number of months the license is good for. The range is from 1 to 120 months.

Expiration Alert Status

The Expiration Alert Status check box can be unchecked after the initial three-month license expiration alert has been triggered.


Step 4 Click Submit to save the settings.

To delete a license, click the Edit icon for the license, then click the Delete icon in the task bar. You can remove expired licenses, as well as active or inactive licenses. The Total Wholesale Bandwidth will be decreased for any deleted active licenses.
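The following Python script is an added example and is not code from the Cisco guide. It works the wholesale license table through in code: a license is inactive before its start date, expired once the start date plus the duration in months has passed, and active in between; Total Wholesale Bandwidth is the sum of the active licenses; Available Bandwidth is the greater of that sum and the Non-Wholesale bandwidth; and FMS Allowed Bandwidth is the lesser of Available Bandwidth and Restricted Maximum Bandwidth, reproducing the 200,000 / 300,000 / 600,000 Kbps example from Table 4-25. The month arithmetic, treating a license as expired on its expiration date itself, taking the three-month alert window as 90 days, and the sample licenses are assumptions made for the example.

```python
"""Flash Media Streaming allowed bandwidth from the wholesale licence table.

Added example, not code from the Cisco guide. Implements the rules the
guide states: inactive before start, expired after start + duration,
active in between; Total Wholesale = sum of active licences; Available =
max(Total Wholesale, Non-Wholesale); Allowed = min(Available, Restricted
Maximum). Month arithmetic, expiry on the expiration date itself, the
90-day alert window and the sample licences are assumptions.
"""
import calendar
from dataclasses import dataclass
from datetime import date

KBPS_MIN, KBPS_MAX = 1_000, 8_000_000   # licence bandwidth range from the guide
ALERT_DAYS = 90                          # assumption for 'three months'


def add_months(d, months):
    """Same day-of-month `months` later, clamped for short months (assumption)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass(frozen=True)
class WholesaleLicense:
    name: str
    bandwidth_kbps: int
    start: date
    duration_months: int

    def __post_init__(self):
        if not KBPS_MIN <= self.bandwidth_kbps <= KBPS_MAX:
            raise ValueError("bandwidth outside 1000..8000000 Kbps")
        if not 1 <= self.duration_months <= 120:
            raise ValueError("duration outside 1..120 months")

    @property
    def expiration(self):
        return add_months(self.start, self.duration_months)

    def status(self, today):
        if today < self.start:
            return "inactive"
        if today >= self.expiration:      # assumption: expired on the expiration date itself
            return "expired"
        return "active"

    def days_left(self, today):
        return max(0, (self.expiration - today).days)

    def expiration_alert(self, today):
        return self.status(today) == "active" and self.days_left(today) <= ALERT_DAYS


def fms_bandwidth(licenses, non_wholesale_kbps, restricted_max_kbps, today):
    """Return the three derived values shown in the Bandwidth Summary."""
    total_wholesale = sum(l.bandwidth_kbps for l in licenses if l.status(today) == "active")
    available = max(total_wholesale, non_wholesale_kbps)
    return {
        "total_wholesale": total_wholesale,
        "available": available,
        "allowed": min(available, restricted_max_kbps),
    }


# Constructed sample: reproduces the guide's 200,000 / 300,000 / 600,000 example
SAMPLE_LICENSES = [
    WholesaleLicense("spring-promo", 300_000, date(2012, 1, 15), 6),   # active in March 2012
    WholesaleLicense("future", 500_000, date(2013, 1, 1), 12),        # not started yet
    WholesaleLicense("old", 1_000_000, date(2010, 1, 1), 12),         # expired
]

if __name__ == "__main__":
    today = date(2012, 3, 7)
    for lic in SAMPLE_LICENSES:
        print(lic.name, lic.status(today), lic.expiration, lic.days_left(today))
    print(fms_bandwidth(SAMPLE_LICENSES, 200_000, 600_000, today))
```

Because only active licenses are summed, the Allowed Bandwidth drops back to the perpetual figure the moment the last wholesale license expires, which is the event the expiration alerts exist to warn about.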


Configuring Flash Media Streaming—Service Monitoring

To enable Flash Media Streaming Service Monitoring, do the following:


Step 1 Choose Devices > Devices > Application Control > Flash Media Streaming > Service Monitoring. The Service Monitoring page is displayed.

Step 2 Check the Enable Service Monitoring check box.

Service Monitoring monitors the Flash Media Streaming engine memory usage. If the memory usage reaches the 1.5 GB limit for either the Flash Media Streaming core process or the Flash Media Streaming edge process, an alarm is raised and the Service Router does not redirect any new Flash Media Streaming requests to this SE.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring Web Engine HTTP Connections


Note In Release 2.5.7 and later releases, the Web Engine has been enhanced and the configuration settings on this page are no longer supported; therefore, this CDSM GUI page is not displayed. The Web Engine follows the RFC 2616 standard with regard to caching content.


To configure web engine HTTP connections, do the following:


Step 1 Choose Devices > Devices > Application Control > Web > HTTP > HTTP Connections. The HTTP Connections page is displayed (Figure 4-18).

Figure 4-18 HTTP Connections Page

Step 2 Enter the settings as appropriate. See Table 4-28 for a description of the fields.

Table 4-28 HTTP Connections Fields 

Field
Description

Web engine Maximum Concurrent Connections

The maximum number of concurrent sessions the Web engine supports. The range is from 100 to 12,000. The default is 2000.

Note In Release 2.5.7 and later releases, there is no syslog entry or alarm when the number of concurrent connections for the Web Engine exceeds the maximum configured.

Enable Incoming Proxy

When enabled, accepts incoming requests on configured ports, in addition to port 80.

List of Incoming HTTP Ports

Additional ports on which to accept incoming HTTP requests. Separate port numbers with a space.

Enable Outgoing Proxy

When enabled, allows a proxy server or another SE to receive HTTP cache miss request traffic. The Outgoing Proxy feature only works on the Content Acquirer in a delivery service.

Note Outgoing proxy is not supported on the Web Engine in Release 2.5.7 and later releases.

Content Acquirer Outgoing Proxy Authentication

Hostname

Hostname or IP address of the outgoing proxy. The first host name or IP address entered designates that outgoing proxy server as the primary server. You can configure up to eight proxy servers. If the primary fails to respond, the request is redirected to the next proxy server.

Port

Enter the port number the proxy server uses to receive requests.

Username

If authentication is required, enter a username. This username is used for both NTLM and basic authentication.

Password

Enter the password for the user.

Confirm Password

Re-enter the password for the user.

NTLM User Domain

The NTLM server domain name used to authenticate the user.

Disable Basic Authentication

If checked, basic authentication will not occur as a fallback to an NTLM authentication failure.


Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring Web Engine HTTP Caching


Note In Release 2.5.7 and later releases, the Web Engine has been enhanced and the configuration settings on this page are no longer supported; therefore, this CDSM GUI page is not displayed. The Web Engine follows the RFC 2616 standard with regard to caching content.


To configure web engine HTTP caching, do the following:


Step 1 Choose Devices > Devices > Application Control > Web > HTTP > HTTP Caching. The HTTP Caching page is displayed (Figure 4-19).

Figure 4-19 HTTP Caching Page

Step 2 In the Max Object Size field, enter the maximum content object size (in megabytes) that the SE will cache. The range is from 0 to 2047. Zero (0) means no limit.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring Web Engine HTTP Cache Freshness

To configure the web engine HTTP cache freshness, do the following:


Step 1 Choose Devices > Devices > Application Control > Web > HTTP > HTTP Cache Freshness. The HTTP Cache Freshness page is displayed (Figure 4-20).

Figure 4-20 HTTP Cache Freshness Page

Step 2 Enter the settings as appropriate. See Table 4-29 for a description of the fields.

Table 4-29 HTTP Cache Freshness Fields 

Field
Description

Enable

When checked, HTTP cache freshness is enabled.

Object Age Multiplier

The age multiplier value (as a percentage) enables the SE to estimate the life of an object by multiplying the time since the object was last modified by a percentage to obtain an approximate expiration date. After this date, the object is considered stale, and subsequent requests cause a fresh retrieval by the SE. The range is from 0 to 100. The default value is 30.

Max TTL Scale

The scale (seconds, hours, minutes, or days) to use for the Max Object TTL.

The time-to-live (TTL) sets a ceiling on estimated expiration dates. If an object has an explicit expiration date, this takes precedence over the configured TTL. The default is days.

Max Object TTL

The maximum time-to-live (TTL) for objects in the cache. The ranges are as follows:

1 to 1825 days

1 to 43800 hours

1 to 2628000 minutes

1 to 157680000 seconds

The default is 61 days.

Minimum TTL

The minimum time-to-live (in minutes) for objects in the cache. The range is from 0 to 86400. The default value is 60.

Enable Re-evaluate Request All

When enabled, all requests are re-evaluated, whether for objects or directory listings.

Note In Release 2.5.7 and later releases, the Web Engine has been enhanced and the Enable Re-evaluate Request All field is no longer supported.


Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring Web Engine Advanced HTTP Caching


Note In Release 2.5.7 and later releases, the Web Engine has been enhanced and the configuration settings on this page are no longer supported; therefore, this CDSM GUI page is not displayed. The Web Engine follows the RFC 2616 standard with regard to caching content.

In Release 2.5.9 and later releases, to enable cache-fill for range requests, use the web-engine range-cache-fill enable command. This enables the Web Engine to cache the full content when a client requests a content range whose first byte is zero (0). The full content is cached and only the requested range is sent to the client. If the first byte is not zero, the content is not cached and the client receives the requested content range from the content origin server. If web-engine range-cache-fill is not enabled and the range request specifies a first byte of zero and no last byte, the full content is cached on the SE and served to the client. Only a single byte range can be specified in the GET request.
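The range-request cache-fill behavior described in this note, modeled as an added example (not Cisco code). The function name, the return labels, and the treatment of a 0-N range with cache-fill disabled (assumed: not cached, origin's partial response relayed) are assumptions made for the example.

```python
# Added illustration of the Web Engine range-request policy above; not Cisco code.
# The policy labels and the edge-case handling marked "assumption" are my own.
import re

# Single byte range: "bytes=first-last", where either number may be absent.
_RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")


def range_cache_decision(range_header, range_cache_fill_enabled):
    """Return what the SE does with a GET that carries the given Range header.

    Possible results:
      "cache-full,serve-range"  full object cached, only the range sent
      "cache-full,serve-full"   full object cached and served in full
      "no-cache,origin-range"   not cached; origin's partial content relayed
      "reject"                  unsupported form (more than one byte range,
                                or a malformed header: assumption)
    """
    value = range_header.strip()
    if "," in value:
        # Only a single byte range can be specified in the GET request.
        return "reject"
    m = _RANGE_RE.match(value)
    if not m:
        return "reject"  # assumption: malformed header treated as unsupported
    first, last = m.group(1), m.group(2)
    if first == "" and last == "":
        return "reject"  # "bytes=-" names no range at all
    if first == "":
        # Suffix range such as bytes=-500: the first byte is not byte zero.
        return "no-cache,origin-range"
    if int(first) != 0:
        # Range does not start at zero: content is not cached on the SE.
        return "no-cache,origin-range"
    # From here on the range starts at byte zero.
    if range_cache_fill_enabled:
        return "cache-full,serve-range"
    if last == "":
        # Cache-fill disabled, bytes=0-: full content cached and served whole.
        return "cache-full,serve-full"
    # Cache-fill disabled and an explicit 0-N range: assumption, not cached.
    return "no-cache,origin-range"


def demo():
    """Constructed sample headers run through both modes, for inspection."""
    samples = ["bytes=0-499", "bytes=0-", "bytes=500-999",
               "bytes=-500", "bytes=0-99,200-299"]
    return {
        (h, enabled): range_cache_decision(h, enabled)
        for h in samples for enabled in (True, False)
    }
```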


To configure web engine advanced HTTP cache settings, do the following:


Step 1 Choose Devices > Devices > Application Control > Web > HTTP > Advanced HTTP Caching. The Advanced HTTP Caching page is displayed (Figure 4-21).

Figure 4-21 Advanced HTTP Caching Page

Step 2 Enter the settings as appropriate. See Table 4-30 for a description of the fields.

Table 4-30 Advanced HTTP Caching Fields 

Field
Description

Enable Cache Cookies

When enabled, the Web engine caches objects whose response includes a cookie header.

Enable Cache Fill Range

When enabled, the complete content is cached when the client sends a range request for it whose range starts at byte zero (0).

Enable Cache on Abort

When enabled, the SE continues caching an object even after the client has aborted the request.

Note The Abort Percentage Threshold field must be set for content to be cached when the client aborts.

Use Percentage Threshold

When enabled, caches an object if the percentage of the object already downloaded is greater than the percentage threshold value entered.

Abort Percentage Threshold

The percentage threshold at which the content is still cached even if the client aborts.

Note To ensure content is cached when the client aborts, set the Abort Percentage Threshold to a very small value.


Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


General Settings

The General Settings pages provide settings for access control of the device, maintenance, network connectivity, and monitoring. Configuring general settings consists of the following procedures:

Configuring Content Management

Login Access Control

Authentication

Scheduling Database Maintenance

Setting Storage Handling

Network Settings

Configuring Notification and Tracking

Configuring Troubleshooting

Configuring Service Router Settings

Configuring Content Management

To configure the maximum number of entries for cache content, do the following:


Step 1 Choose Devices > Devices > General Settings > Content Management. The Content Management page is displayed.

Step 2 In the Max Cache Content Entries field, enter the value for the maximum entries of cached content allowed. The range is from 1 to 10,000,000. The default is 3,000,000.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Login Access Control

Login authentication and authorization are used to control user access and configuration rights to CDSMs, SEs, and SRs. Login authentication is the process by which the devices verify whether the person who is attempting to log in to the device has a valid username and password. The person logging in must have a user account registered with the device. User account information serves to authorize the user for login and configuration privileges. The user account information is stored in an authentication, authorization, and accounting (AAA) database, and the devices must be configured to access the particular authentication server (or servers) where the AAA database is kept.

In a CDS network, user accounts can be created for access to the CDSM and, independently, for access to the SEs and SRs that are registered to the CDSM. For user accounts that access the CDSM, see the "Configuring AAA" section.

Login Authentication

Login authentication provides the configuration for independent logins; in other words, login access to the device only.

Login authentication can also be used to log in to the CDSM GUI. When logging in to the CDSM GUI with an external user account (RADIUS or TACACS+), the user is authenticated by the external database. After the external user is authenticated, the user's role depends on the privilege configured in the external database (zero [0] means a normal user and 15 means a super user). The privilege level of 0 or 15 is mapped to the read-only or admin user role in the CDSM GUI. No CDSM local user is created in the CDSM database for the external user that logs in, so the external user cannot be managed by the CDSM GUI.


Note If you plan to use a RADIUS server or a TACACS+ server for authentication, you must configure the server settings before you configure and submit these settings. See the "Configuring RADIUS Server Settings" section and the "Configuring TACACS+ Server Settings" section for more information.


When the primary login server and the primary configuration server are set to local, usernames and passwords are local to each device. Local authentication and authorization use locally configured usernames and passwords to authenticate login attempts.


Note If you are going to use different servers for authentication and authorization (for example, local for authentication login and RADIUS for authentication configuration), then the username and password must be the same for both servers.


By default, local login authentication is enabled. You can disable local login authentication only after enabling one or more of the other login authentication servers. However, when local login authentication is disabled, if you disable all other login authentication methods, a warning message is displayed stating "At least one authentication method is required to select for login."


Caution Make sure that RADIUS or TACACS+ authentication is configured and operating correctly before disabling local authentication and authorization. If you disable local authentication and RADIUS or TACACS+ is not configured correctly, or if the RADIUS or TACACS+ server is not online, you may be unable to log in to the device.

To configure the login authentication and configuration authorization schemes for the device, do the following:


Step 1 Choose Devices > Devices > General Settings > Login Access Control > Login Authentication. The Login Authentication page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-31 for a description of the fields.

Table 4-31 Login Authentication Fields 

Field
Description

Enable Failover Server Unreachable

If Enable Failover Server Unreachable is enabled, the device fails over to the secondary server only if the primary server is unreachable. In any other case (for example, if authentication fails on the RADIUS server), the local database is not contacted for authentication. Conversely, if the Enable Failover Server Unreachable option is disabled, the device contacts the secondary server regardless of the reason the authentication failed with the primary server.

Authentication Login Servers

When enabled, authentication login servers are used to authenticate user logins.

Primary Login Server

Choose local, RADIUS, or TACACS+.

Secondary Login Server

Choose local, RADIUS, or TACACS+.

Tertiary Login Server

Choose local, RADIUS, or TACACS+.

Authentication Config Server

When enabled, authentication configuration servers are used to authenticate user privileges.

Primary Config Server

Choose local, RADIUS, or TACACS+.

Secondary Config Server

Choose local, RADIUS, or TACACS+.

Tertiary Config Server

Choose local, RADIUS, or TACACS+.


Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.
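The login-server failover logic from the Enable Failover Server Unreachable field in Table 4-31 and the Caution above, as an added example that is not Cisco code. The server labels, the Result values, and the dictionary standing in for the servers' answers are assumptions made for the example.

```python
# Added illustration of the login-server chain in Table 4-31; not Cisco code.
# Server labels and Result values are assumptions; a device would contact the
# servers instead of reading a constructed dictionary of answers.
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"            # server reachable, credentials accepted
    REJECT = "reject"            # server reachable, credentials refused
    UNREACHABLE = "unreachable"  # no response within the configured timeout


def authenticate(servers, responses, failover_only_if_unreachable):
    """Walk the primary, secondary and tertiary login servers in order.

    servers: ordered server labels, for example ["RADIUS", "local"]
    responses: constructed stand-in for each server's answer, label -> Result
    failover_only_if_unreachable: state of the Enable Failover Server
        Unreachable check box

    Returns (outcome, consulted): outcome is "granted" or "denied", and
    consulted lists the servers that were actually asked, in order.
    """
    consulted = []
    for name in servers:
        consulted.append(name)
        result = responses.get(name, Result.UNREACHABLE)
        if result is Result.ACCEPT:
            return "granted", consulted
        if result is Result.REJECT and failover_only_if_unreachable:
            # An explicit refusal is final: the next server (for example the
            # local database) is not consulted.
            return "denied", consulted
        # Unreachable in either mode, or refused with the check box cleared:
        # fall through to the next server in the chain.
    return "denied", consulted


def demo():
    """Four constructed scenarios; returns their outcomes for inspection."""
    chain = ["RADIUS", "local"]
    wrong_on_radius = {"RADIUS": Result.REJECT, "local": Result.ACCEPT}
    radius_down = {"RADIUS": Result.UNREACHABLE, "local": Result.ACCEPT}
    return {
        # Password refused by RADIUS while the local database would accept it
        "reject_failover_on": authenticate(chain, wrong_on_radius, True),
        "reject_failover_off": authenticate(chain, wrong_on_radius, False),
        # RADIUS not responding, local database still available
        "down_failover_on": authenticate(chain, radius_down, True),
        # Local authentication disabled and RADIUS down (the Caution case)
        "down_no_local": authenticate(["RADIUS"], {"RADIUS": Result.UNREACHABLE}, True),
    }
```

With the check box cleared, a password refused by the RADIUS server is retried against the local database, so the local account credentials remain in play even when an external server is primary.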


Configuring SSH

Secure Shell (SSH) consists of a server and a client program. Like Telnet, you can use the client program to remotely log in to a machine that is running the SSH server. However, unlike Telnet, messages transported between the client and the server are encrypted. The functionality of SSH includes user authentication, message encryption, and message authentication.

The SSH page allows you to specify the key length and login grace time.

To enable the SSH daemon, do the following:


Step 1 Choose Devices > Devices > General Settings > Login Access Control > SSH. The SSH page is displayed.

Step 2 Check Enable to enable the SSH feature. SSH enables login access to the device through a secure and encrypted channel.

Step 3 In the Length of Key field, specify the number of bits needed to create an SSH key. The default is 2048.

Step 4 In the Login Grace Time field, specify the number of seconds the server waits for the user to successfully log in before it ends the connection. The authentication procedure must be completed within this time limit. The default is 300 seconds.


Note When changing the Login Grace Time, you need to first uncheck the Enable check box and click Submit. Enter the new Login Grace Time, check Enable, and click Submit.


Step 5 Select the SSH version.

a. To allow clients to connect using SSH protocol version 1, check the Enable SSHv1 check box.

b. To allow clients to connect using SSH protocol version 2, check the Enable SSHv2 check box.


Note You can enable both SSHv1 and SSHv2, or you can enable one version and not the other. You cannot disable both versions of SSH unless you disable the SSH feature by unchecking the Enable check box.


Step 6 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Enabling Telnet

To enable the Telnet service, do the following:


Step 1 Choose Devices > Devices > General Settings > Login Access Control > Telnet. The Telnet page is displayed.

Step 2 Check Telnet Enable to enable the terminal emulation protocol for remote terminal connections.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Setting the Message of the Day

The Message of the Day (MOTD) feature enables you to display information to users when they log in to a device. There are three types of messages that you can set up:

MOTD banner

EXEC process creation banner

Login banner

To configure the Message of the Day settings, do the following:


Step 1 Choose Devices > Devices > General Settings > Login Access Control > Message of the Day. The MOTD page is displayed.

Step 2 Check Enable to enable the MOTD settings. The Message of the Day (MOTD) banner, EXEC process creation banner, and Login banner fields become enabled.

Step 3 In the Message of the Day (MOTD) Banner field, enter a string that you want to display as the MOTD banner when a user attempts to log in to the device.


Note In the Message of the Day (MOTD) Banner, EXEC Process Creation Banner, and Login Banner fields, you can enter a maximum of 980 characters. A new line character (or Enter) is counted as two characters, as it is interpreted as \n by the system. You cannot use special characters such as `, %, ^, and " in the MOTD text.


Step 4 In the EXEC Process Creation Banner field, enter a string to be displayed as the EXEC process creation banner when a user enters into the EXEC shell of the device.

Step 5 In the Login Banner field, enter a string to be displayed after the MOTD banner when a user attempts to log in to the device.

Step 6 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Changing the CLI Session Time

To change the CLI session time, do the following:


Step 1 Choose Devices > Devices > General Settings > Login Access Control > CLI Session Time. The CLI Session Time page is displayed.

Step 2 In the CLI Session Time field, enter the time (in minutes) that the device waits for a response before ending the session.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Changing Users—Admin Password

Every device (CDSM, SE, and SR) has a built-in user account. The username is admin and the default password is default. This account allows access to all services and entities in the CDS. Any user that can access the Admin Password page in the CDSM can configure a new password for the administrator user account on individual SEs and SRs.

To change the Admin password, do the following:


Step 1 Choose Devices > Devices > General Settings > Login Access Control > Users > Admin Password. The Admin Password page is displayed.

Step 2 In the Password field, enter a new password.

The following characters are not allowed: ?./;[]{}"@=|

Step 3 In the Confirm Password field, re-enter the password.

Step 4 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Creating, Editing, and Deleting Users—Usernames

You can create, edit, and delete user accounts for login access to individual devices or device groups. A privilege profile must be assigned to each new user account. The Usernames page uses privilege profiles to determine which tasks a user can perform and the level of access provided. Users with administrative privileges can add, delete, or modify user accounts through the CDSM or the device CLI.

To create, edit, or delete a user account, do the following:


Step 1 Choose Devices > Devices > General Settings > Login Access Control > Users > Usernames. The User Table page is displayed.

The table is sortable by clicking the column headings.

For information about Aggregate Settings, see the "Aggregate Settings" section.

Step 2 Click the Create New icon in the task bar. The Local User page is displayed.

To edit a local user, click the Edit icon next to the name you want to edit.

Step 3 Enter the settings as appropriate. See Table 4-32 for a description of the fields.

Table 4-32 Local User Fields 

Field
Description

Username

Name of user.

Password

User password.

Confirm Password

Re-enter user password.

Privilege

There are two types of predefined privilege profiles:

Normal user—User has read access and can see some of the SE, SR, or CDSM settings.

Superuser—User has administrative privileges such as creating new users and modifying the SE, SR, or CDSM settings.


Step 4 Click Submit to save the settings.

To delete a user, click the Edit icon for the user, then click the Delete icon in the task bar.


Authentication

User authentication and authorization (configuration rights) data can be maintained in any combination of these three databases:

Local database (located on the device)

RADIUS server (external database)

TACACS+ server (external database)

The Login Authentication page allows you to choose an external access server or the internal (local) device-based authentication, authorization, and accounting (AAA) system for user access management. You can choose one method or a combination of the three methods. The default is to use the local database for authentication.

Configuring RADIUS Server Settings


Note The CDSM does not cache user authentication information. Therefore, the user is reauthenticated against the Remote Authentication Dial In User Service (RADIUS) server for every request. To prevent performance degradation caused by many authentication requests, install the CDSM in the same location as the RADIUS server, or as close as possible to it, to ensure that authentication requests can occur as quickly as possible.


To configure the RADIUS server settings, do the following:


Step 1 Choose Devices > Devices > General Settings > Authentication > RADIUS Server. The RADIUS Server Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-33 for a description of the fields.

Table 4-33 RADIUS Server Settings Fields 

Field
Description

Enable RADIUS Servers

Enables RADIUS authentication.

Time to wait

Number of seconds to wait for a response before timing out on a connection to a RADIUS server. The range is from 1 to 20. The default is 5.

Number of retransmits

Number of attempts allowed to connect to a RADIUS server. The default is 2.

Enable redirect

Redirects an authentication response to a different authentication server if an authentication request using the RADIUS server fails.

Redirect Message [1-3]

Message sent to the user if redirection occurs.

Note If the redirect message has a space, it must be in quotes (" ").

Location [1-3]

Sets an HTML page location. This is the URL destination of the redirect message that is sent when authentication fails.

Shared Encryption Key

Encryption key shared with the RADIUS server. The maximum number of characters allowed is 15.

Server Name [1-5]

IP address or hostname of the RADIUS server.

Server Port [1-5]

Port number on which the RADIUS server is listening. The default is 1645.


Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


To use RADIUS for login or configuration authentication, see the "Login Authentication" section.

Configuring TACACS+ Server Settings


Note The CDSM does not cache user authentication information. Therefore, the user is reauthenticated against the Terminal Access Controller Access Control System Plus (TACACS+) server for every request. To prevent performance degradation caused by many authentication requests, install the CDSM in the same location as the TACACS+ server, or as close as possible to it, to ensure that authentication requests can occur as quickly as possible.


To configure the TACACS+ server settings, do the following:


Step 1 Choose Devices > Devices > General Settings > Authentication > TACACS+ Server. The TACACS+ Server Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-34 for a description of the fields.

Table 4-34 TACACS+ Server Settings Fields 

Field
Description

Enable TACACS+ Servers

Enables TACACS+ authentication.

Use ASCII Password Authentication

Changes the default password type from Password Authentication Protocol (PAP) to ASCII clear text format.

Time to wait

Number of seconds to wait for a response before timing out on a connection to a TACACS+ server. The range is from 1 to 20. The default is 5.

Number of retransmits

Number of attempts allowed to connect to a TACACS+ server. The default is 2.

Security Word

Encryption key shared with the TACACS+ server. The range is from 1 to 99. An empty string is the default.

Primary Server

IP address or hostname of the primary TACACS+ server.

Secondary Server, Tertiary Server

IP address or hostname of a backup TACACS+ server. Up to two backup servers are allowed.


Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


To use TACACS+ for login or configuration authentication, see the "Login Authentication" section.

Configuring an Access Control List

To configure an access control list (ACL) for group authorization, do the following:


Step 1 Choose Devices > Devices > General Settings > Authentication > Access Control List > Configure Access Control List. The Access Control List Table page is displayed.

The table is sortable by clicking the column headings.

Step 2 Click the Create New icon in the task bar. The Configure Access Control List page is displayed.

To edit a group, click the Edit icon next to the name you want to edit.

Step 3 Enter the settings as appropriate. See Table 4-35 for a description of the fields.

Table 4-35 Access Control List Fields 

Field
Description

Action

Whether to permit or deny access for this group.

Group Name

If this action is for all groups, choose Any Group Name.

If this action is for a specific group, choose Enter Group Name and enter the group name in the field.

Change Position

To change the order of this group in the access control list, which is displayed in the Access Control List Table page, click Change Position.


Step 4 Click Submit to save the settings.

To delete a group, click the Edit icon for the group, then click the Delete icon in the task bar.

Step 5 From the left-panel menu, choose Enable Access Control List. The Enable Access Control List page is displayed.

Step 6 Check the Enable Access Control List check box and click Submit.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


To move a group up or down in the Access Control List table, click the Up arrow or Down arrow in the Move column.

The ACL can be applied from the device or from a device group. The source of the currently applied settings is shown in the Access Control List Table page.

Scheduling Database Maintenance

The database maintenance runs at the scheduled time only when the following three conditions are satisfied:

Last vacuum process happened more than 30 minutes in the past.

Percent increase in disk space usage is greater than 10 percent.

Available free disk space is greater than 10 percent of the total disk space.

If any of these conditions are not satisfied, the database maintenance does not run at the scheduled time.

To schedule a database cleaning or reindexing, do the following:


Step 1 Choose Devices > Devices > General Settings > Database Maintenance. The Database Maintenance Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-36 for a description of the fields.

Table 4-36 Database Maintenance Settings Fields 

Field
Description

Full Database Maintenance Settings

Enable

When enabled, a full database maintenance routine is performed on the device.

Every Day

Sun-Sat

The days of the week when the maintenance is performed.

When Every Day is enabled, all days of the week are also enabled.

At (time)

Time of day the maintenance is performed. Time is entered in 24-hour format as hh:mm. The default is 04:00.

Regular Database Maintenance Settings

Enable

When enabled, a re-indexing routine is performed on the device.

Every Day

Sun-Sat

The days of the week when the maintenance is performed.

When Every Day is enabled, all days of the week are also enabled.

At (time)

Time of day the maintenance is performed. Time is entered in 24-hour format as hh:mm. The default is 02:00.


Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Setting Storage Handling

The Storage option offers disk error-handling settings.

Enabling Disk Error Handling

The Disk Error Handling page allows you to configure how disk errors are handled, and to define a disk device error-handling threshold.

If a bad disk drive is a critical disk drive, and the automatic reload feature (disk error-handling reload command) is enabled, the disk drive is marked as "bad" and the device is automatically reloaded. After the device is reloaded, a syslog message and an SNMP trap are generated.

The disk error-handling threshold option determines how many disk errors can be detected before the disk drive is automatically marked "bad." By default, this threshold is set to 10.

For information about repairing latent sector errors (LSEs) on a disk, see the "Disk Latent Sector Error Handling" section.

To configure a disk error-handling method, do the following:


Step 1 Choose Devices > Devices > General Settings > Storage > Disk Error Handling. The Disk Error Handling Settings page is displayed.

Step 2 Check the Enable check box.

Step 3 Check the Enable Disk Error Handling Reload check box if you want the device to reload the disk when a disk with a system file system (sysfs) has problems.

Step 4 Check the Enable Disk Error Handling Threshold check box if you want to set the number of disk errors allowed before the disk is marked as bad, and enter a number (0 to 100) in the Threshold field. The default threshold is 10.

Step 5 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Network Settings

The Network pages provide settings for network connectivity. Configuring network settings consists of the following procedures:

Enabling FTP Services

Enabling DNS

Enabling RCP

Configuring NTP

Setting the Time Zone

Viewing Network Interfaces

Configuring External IP Addresses

Configuring Port Channel and Load Balancing Settings

Configuring IP General Settings

Configuring IP ACL

Configuring Static IP Routes

Configuring DSR VIP

Enabling FTP Services

To enable FTP services to listen for connection requests, do the following:


Step 1 Choose Devices > Devices > General Settings > Network > FTP. The FTP Settings page is displayed.

Step 2 Check the Enable FTP Services check box.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Enabling DNS

DNS Settings are required on all SEs, SRs, and CDSMs. The SEs need to be able to resolve the content origin server host name, the SRs need to be able to communicate with the DNS servers, and the CDSMs need to resolve host names.

To configure Domain Name System (DNS) servers, do the following:


Step 1 Choose Devices > Devices > General Settings > Network > DNS. The DNS Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-37 for a description of the fields.

Table 4-37 DNS Settings Fields

Enable
    Enables Domain Name System (DNS) on the device.

List of DNS Servers
    Space-delimited list of IP addresses for up to eight name servers for name and address resolution.

Domain Names
    A space-delimited list of up to three default domain names. A default domain name allows the system to resolve any unqualified hostnames. Any IP hostname that does not contain a domain name will have the configured domain name appended to it. This appended name is resolved by the DNS server and then added to the host table. A DNS server must be configured on the system for hostname resolution to work correctly. To do this, use the List of DNS Servers field.


Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Enabling RCP

Remote Copy Protocol (RCP) lets you download, upload, and copy configuration files between remote hosts and a switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection oriented. This service listens for requests on TCP port 514.

To enable RCP services, do the following:


Step 1 Choose Devices > Devices > General Settings > Network > RCP. The RCP page is displayed.

Step 2 Check the RCP Enable check box to have the RCP services listen for RCP requests.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring NTP

To configure the device to synchronize its clock with an NTP server, do the following:


Step 1 Choose Devices > Devices > General Settings > Network > NTP. The NTP page is displayed.

Step 2 Check Enable to enable NTP.

Step 3 In the NTP Server field, enter the IP address or hostname of up to four NTP servers. Use a space to separate the entries.

Step 4 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Setting the Time Zone

If you have an outside source on your network that provides time services, such as an NTP server, you do not need to set the system clock manually. When manually setting the clock, enter the local time. The device calculates Coordinated Universal Time (UTC) based on the time zone set.


Note Two clocks exist in the system: the software clock and the hardware clock. The software uses the software clock. The hardware clock is used only at startup to initialize the software clock.



Caution We highly recommend that you use NTP servers to synchronize the devices in your CDS network. If you change the local time on the device, you must change the BIOS clock time as well; otherwise, the timestamps on the error logs are not synchronized. Changing the BIOS clock is required because the kernel does not handle time zones.

To manually configure the time zone, do the following:


Step 1 Choose Devices > Devices > General Settings > Network > Time Zone. The Time Zone page is displayed with the default settings of UTC (offset = 0) and no daylight savings time configured.

Step 2 To configure a standard time zone, do the following:

a. Click the Standard Time Zone radio button.

The standard convention for time zones uses a Location/Area format in which Location is a continent or a geographic region of the world and Area is a time zone region within that location. For a list of standard time zones that can be configured and their UTC offsets, see Table 4-38.

b. From the Standard Time Zone drop-down list, choose a location for the time zone. The page refreshes, displaying all area time zones for the chosen location in the second drop-down list.

c. Choose an area for the time zone.

The UTC offset (hours and minutes ahead or behind UTC) for the corresponding time zone is displayed. During summer time savings, the offset may differ and is displayed accordingly.


Note Some of the standard time zones (mostly time zones within the United States) have daylight savings time zones configured automatically.


Step 3 To configure a customized time zone, do the following:

a. Click the Customized Time Zone radio button.

b. In the Customized Time Zone field, enter a name for the time zone. The time zone entry is case sensitive and can contain up to 40 characters. Spaces are not allowed. If you specify any of the standard time zone names, an error message is displayed when you click Submit.

c. For UTC offset, choose + or - from the UTC Offset drop-down list to indicate whether the configured time zone is ahead or behind UTC. Also, choose the number of hours (0 to 23) and minutes (0 to 59) offset from UTC for the customized time zone. The range for the UTC offset is from -23:59 to 23:59, and the default is 0:0.

Step 4 To configure customized summer time savings, do the following:


Note Customized summer time can be specified for both standard and customized time zones.


The start and end dates for summer time can be configured in two ways: absolute dates or recurring dates. Absolute dates apply once and must be reset every year. Recurring dates apply every year.

a. Click the Absolute Dates radio button to configure summer settings once.

b. In the Start Date and End Date fields, specify the month, day, and year that the summer time savings starts and ends in mm/dd/yyyy format.

Alternatively, click the Calendar icon and select a date. The chosen date is highlighted in blue. Click Apply.

c. Click the Recurring Dates radio button to configure a recurring summer setting.

d. Using the drop-down lists, choose the start day, week, and month when the summer time savings starts. For example, if the summer time savings begins the first Sunday in March, you would select Sunday, 1st, March from the drop-down lists.

e. Using the drop-down lists, choose the end day, week, and month when the summer time savings ends.

Step 5 Using the Start Time drop-down lists and the End Time drop-down lists, choose the hour (0 to 23) and minute (0 to 59) at which daylight savings time starts and ends.

Start Time and End Time fields for summer time are the times of the day when the clock is changed to reflect summer time. By default, both start and end times are set at 00:00.

Step 6 In the Offset field, specify the minutes offset from UTC (0 to 1439). (See Table 4-38.)

The summer time offset specifies the number of minutes that the system clock moves forward at the specified start time and backward at the end time.

Step 7 To not specify a summer or daylight savings time for the corresponding time zone, click the No Customized Summer Time Configured radio button.

Step 8 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Table 4-38 lists the UTC offsets for the different locations around the world.

Table 4-38 Time Zone—Offset from UTC

Time Zone                 Offset from UTC (in hours)
Africa/Algiers            +1
Africa/Cairo              +2
Africa/Casablanca         0
Africa/Harare             +2
Africa/Johannesburg       +2
Africa/Nairobi            +3
America/Buenos_Aires      -3
America/Caracas           -4
America/Mexico_City       -6
America/Lima              -5
America/Santiago          -4
Atlantic/Azores           -1
Atlantic/Cape_Verde       -1
Asia/Almaty               +6
Asia/Baghdad              +3
Asia/Baku                 +4
Asia/Bangkok              +7
Asia/Colombo              +6
Asia/Dacca                +6
Asia/Hong_Kong            +8
Asia/Irkutsk              +8
Asia/Jerusalem            +2
Asia/Kabul                +4.30
Asia/Karachi              +5
Asia/Katmandu             +5.45
Asia/Krasnoyarsk          +7
Asia/Magadan              +11
Asia/Muscat               +4
Asia/New Delhi            +5.30
Asia/Rangoon              +6.30
Asia/Riyadh               +3
Asia/Seoul                +9
Asia/Singapore            +8
Asia/Taipei               +8
Asia/Tehran               +3.30
Asia/Vladivostok          +10
Asia/Yekaterinburg        +5
Asia/Yakutsk              +9
Australia/Adelaide        +9.30
Australia/Brisbane        +10
Australia/Darwin          +9.30
Australia/Hobart          +10
Australia/Perth           +8
Australia/Sydney          +10
Canada/Atlantic           -4
Canada/Newfoundland       -3.30
Canada/Saskatchewan       -6
Europe/Athens             +2
Europe/Berlin             +1
Europe/Bucharest          +2
Europe/Helsinki           +2
Europe/London             0
Europe/Moscow             +3
Europe/Paris              +1
Europe/Prague             +1
Europe/Warsaw             +1
Japan                     +9
Pacific/Auckland          +12
Pacific/Fiji              +12
Pacific/Guam              +10
Pacific/Kwajalein         -12
Pacific/Samoa             -11
US/Alaska                 -9
US/Central                -6
US/Eastern                -5
US/East-Indiana           -5
US/Hawaii                 -10
US/Mountain               -7
US/Pacific                -8

The offset time (number of hours ahead or behind UTC) as displayed in the table is in effect during winter time. During summer time or daylight savings time, the offset may be different from the values in the table and is calculated and displayed accordingly by the system clock.
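The following is an added example, not Cisco's code, showing how the settings from the time zone procedure above (UTC offset sign, hours and minutes; a recurring summer time rule with start/end day, week and month, start/end times and an offset in minutes) combine into the effective offset the system clock applies at a given UTC instant. The class names, the week keyword "last" and the rule that End Time is read on the summer-time clock are assumptions made for this example.

```python
# Added example (not Cisco's code): computes the device's effective UTC offset
# from a customized time zone and a recurring summer time rule as described in
# "Setting the Time Zone". The class names, the week keyword "last" and the rule
# that End Time is read on the summer-time clock are assumptions.
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

WEEKDAYS = {"Monday": 0, "Tuesday": 1, "Wednesday": 2, "Thursday": 3,
            "Friday": 4, "Saturday": 5, "Sunday": 6}   # datetime.weekday() numbering
WEEKS = {"1st": 1, "2nd": 2, "3rd": 3, "4th": 4, "last": -1}  # "last" is an assumption
MONTHS = {name: i for i, name in enumerate(calendar.month_name) if name}


def nth_weekday(year: int, month: int, day_name: str, week: str) -> datetime:
    """Midnight of e.g. the 1st Sunday in March (week may also be 'last')."""
    wd, n = WEEKDAYS[day_name], WEEKS[week]
    if n > 0:
        first = datetime(year, month, 1)
        day = first + timedelta(days=(wd - first.weekday()) % 7 + 7 * (n - 1))
        if day.month != month:
            raise ValueError(f"no {week} {day_name} in month {month}")
        return day
    last = datetime(year, month, calendar.monthrange(year, month)[1])
    return last - timedelta(days=(last.weekday() - wd) % 7)


@dataclass
class SummerRule:
    """Recurring summer time: (day, week, month) plus the wall-clock change times."""
    start: Tuple[str, str, str]            # e.g. ("Sunday", "2nd", "March")
    end: Tuple[str, str, str]
    start_time: Tuple[int, int] = (0, 0)   # hour 0-23, minute 0-59; page default 00:00
    end_time: Tuple[int, int] = (0, 0)
    offset_minutes: int = 60               # page range 0 to 1439


@dataclass
class TimeZoneConfig:
    sign: str = "+"      # UTC Offset drop-down: + or -
    hours: int = 0       # 0 to 23
    minutes: int = 0     # 0 to 59
    summer: Optional[SummerRule] = None

    def base_offset(self) -> timedelta:
        off = timedelta(hours=self.hours, minutes=self.minutes)
        return -off if self.sign == "-" else off


def _moment(rule_part: Tuple[str, str, str], when: Tuple[int, int], year: int) -> datetime:
    day, week, month = rule_part
    return nth_weekday(year, MONTHS[month], day, week) + timedelta(hours=when[0], minutes=when[1])


def effective_offset(cfg: TimeZoneConfig, utc: datetime) -> timedelta:
    """Offset in force at the given (naive) UTC instant, summer time included.
    Comparison is done on the standard-time clock: Start Time is already a
    standard-time reading, End Time is read on the summer clock so it is shifted
    back by the summer offset (assumption, matching common TZ rule conventions)."""
    base = cfg.base_offset()
    rule = cfg.summer
    if rule is None:
        return base
    std = utc + base
    summer_delta = timedelta(minutes=rule.offset_minutes)
    start = _moment(rule.start, rule.start_time, std.year)
    end = _moment(rule.end, rule.end_time, std.year) - summer_delta
    if start <= end:               # summer lies inside one calendar year
        in_summer = start <= std < end
    else:                          # summer spans the year boundary (southern hemisphere)
        in_summer = std >= start or std < end
    return base + summer_delta if in_summer else base


def local_time(cfg: TimeZoneConfig, utc: datetime) -> datetime:
    """Local wall-clock time the device would display for a UTC instant."""
    return utc + effective_offset(cfg, utc)


# Constructed configuration resembling US/Eastern (-5 in Table 4-38) with summer
# time from the 2nd Sunday in March at 02:00 to the 1st Sunday in November at 02:00.
EASTERN = TimeZoneConfig("-", 5, 0, SummerRule(("Sunday", "2nd", "March"),
                                               ("Sunday", "1st", "November"),
                                               (2, 0), (2, 0), 60))
```

Because log timestamps are compared across devices, a rule that is wrong by one hour at the change-over shows up exactly at the boundary instants the functions above make explicit.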

Viewing Network Interfaces

The Network Interfaces page is informational only. To view this information, choose Devices > Devices > General Settings > Network > Network Interfaces. Information about the network interfaces configured for the device is displayed.

Configuring External IP Addresses

The External IP page allows you to configure up to eight Network Address Translation (NAT) IP addresses. This allows a router to translate up to eight internal addresses to registered unique addresses and translate external registered addresses to addresses that are unique to the private network.

To configure NAT IP addresses, do the following:


Step 1 Choose Devices > Devices > General Settings > Network > External IP. The External IP Settings page is displayed.

Step 2 Check the Enable check box.

Step 3 In the External IP Address fields (1-8), enter up to eight IP addresses.

Step 4 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring Port Channel and Load Balancing Settings

For information about configuring port channels using the CLI, see the "Redundant Dedicated Management Ports" section.

To configure load balancing on port channels, do the following:


Step 1 Choose Devices > Devices > General Settings > Network > Port Channel Settings. The Port Channel Settings page is displayed.

Step 2 From the Load Balancing Method drop-down list, choose one of the following load balancing methods:

dst-ip—Destination IP address

dst-mac—Destination MAC address

dst-port—Destination port

round robin—Each interface in the channel group

src-dst-mac—Source and destination MAC address

src-dst-port—Source and destination port

src-port—Source port

Round robin allows traffic to be distributed evenly among all interfaces in the channel group. The other balancing options give you the flexibility to choose specific interfaces (by IP address, MAC address, port) when sending an Ethernet frame.

The source and destination options mean that both the source and the destination (MAC address or port) are taken into account when calculating the outgoing interface.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring IP General Settings

The Path Maximum Transmission Unit (MTU) Discovery discovers the largest IP packet size allowable between the various links along the forwarding path and automatically sets the correct value for the packet size. By using the largest MTU the links can support, the sending device can minimize the number of packets it must send.


Note Path MTU Discovery is a process initiated by the sending device. If a server does not support IP Path MTU Discovery, the receiving device has no mechanism available to avoid fragmenting datagrams generated by the server.


To enable Path MTU Discovery, do the following:


Step 1 Choose Devices > Devices > General Settings > Network > IP General Settings. The IP General Settings page is displayed.

Step 2 Check Enable Path MTU Discovery.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring IP ACL

Access control lists (ACLs) provide a means to filter packets by allowing a user to permit or deny IP packets from crossing specified interfaces. Packet filtering helps to control packet movement through the network. Such control can help limit network traffic and restrict network use by certain users or devices.

You can also apply ACLs to management services such as SNMP, SSH, HTTPS, Telnet, and FTP. ACLs can be used to control the traffic that these applications provide by restricting the type of traffic that the applications handle.

In a managed CDS network environment, administrators need to be able to prevent unauthorized access to various devices and services. CDS supports standard and extended ACLs that allow administrators to restrict access to or through a CDS network device, such as the SE. Administrators can use ACLs to reduce the infiltration of hackers, worms, and viruses that can harm the network.

ACLs provide controls that allow various services to be tied to a particular interface. For example, the administrator can use IP ACLs to define a public interface on the Service Engine for content serving and a private interface for management services (for example, Telnet, SSH, SNMP, HTTPS, and software upgrades). A device attempting to access one of the services must be on a list of trusted devices before it is allowed access. The implementation of ACLs for incoming traffic on certain ports for a particular protocol type is similar to the ACL support for the Cisco Global Site Selector and Cisco routers.

To use ACLs, the system administrator must first configure ACLs and then apply them to specific services. The following are some examples of how IP ACLs can be used in various enterprise deployments:

Application layer proxy firewall with a hardened outside interface has no ports exposed. (Hardened means that the interface carefully restricts which ports are available for access primarily for security reasons. Because the interface is outside, many types of attacks are possible.) The device's outside address is globally accessible from the Internet, while its inside address is private. The inside interface has an ACL to limit Telnet, SSH, and CDSM traffic.

Device is deployed anywhere within the enterprise. Like routers and switches, the administrator wants to limit Telnet, SSH, and CDSM access to the IT source subnets.

Device is deployed as a reverse proxy in an untrusted environment, and the administrator wishes to allow only port 80 inbound traffic on the outside interface and outbound connections on the back-end interface.


Note IP ACLs are defined for individual devices only. IP ACLs cannot be managed through device groups.


When you create an IP ACL, you should note the following constraints:

IP ACL names must be unique within the device.

IP ACL names must be limited to 30 characters and contain no spaces or special characters.

CDSM can manage up to 50 IP ACLs and a total of 500 conditions per device.

When the IP ACL name is numeric, numbers 1 through 99 denote standard IP ACLs and numbers 100 through 199 denote extended IP ACLs. IP ACL names that begin with a number cannot contain nonnumeric characters.

Extended IP ACLs cannot be used with SNMP applications.

Creating a New IP ACL

To create a new IP ACL, do the following:


Step 1 Choose Devices > Devices > General Settings > Network > IP ACL. The IP ACL Table page is displayed.

The table is sortable by clicking the column headings.

Step 2 Click the Create New icon in the task bar. The IP ACL page is displayed.

To edit an ACL, click the Edit icon next to the name you want to edit.

Step 3 In the Name field, enter a name, observing the naming rules for IP ACLs.

Step 4 From the ACL Type drop-down list, choose an IP ACL type (Standard or Extended). The default is Standard.

Step 5 Click Submit. The page refreshes and the Modifying IP ACL page for a newly created IP ACL is displayed.


Note Clicking Submit at this point merely saves the IP ACL; IP ACLs without any conditions defined do not appear on the individual devices.



Adding Conditions to an IP ACL

To add conditions to an IP ACL, do the following:


Step 1 Choose Devices > Devices > General Settings > Network > IP ACL. The IP ACL Table page is displayed.

Step 2 Click the Edit icon next to the name of the IP ACL you want to add a condition to. The Modifying IP ACL page is displayed.

Step 3 Click the Create New icon in the task bar. The Condition page is displayed.

To edit a condition, click the Edit icon next to the name you want to edit.


Note The number of available fields for creating IP ACL conditions depends on whether the IP ACL type is standard or extended.


Step 4 Enter values for the properties that are enabled for the type of IP ACL that you are creating.

To create a standard IP ACL, go to Step 5.

To create an extended IP ACL, go to Step 6.

Step 5 To set up conditions for a standard IP ACL, do the following:

a. From the Purpose drop-down list, choose a purpose (Permit or Deny).

b. In the Source IP field, enter the source IP address.

c. In the Source IP Wildcard field, enter a source IP wildcard address.

d. Click Submit. The Modifying IP ACL page is displayed showing the new condition and its configuration.

e. To add another condition to the IP ACL, repeat the steps.

f. To reorder your list of conditions in the Modifying IP ACL page, use the Up arrow or Down arrow in the Order column, or click a column heading to sort by any configured parameter.


Note The order of the conditions listed becomes the order in which IP ACLs are applied to the device.


g. When you have finished adding conditions to the IP ACL, and you are satisfied with all your entries and the order in which the conditions are listed, click Submit in the Modifying IP ACL page to commit the IP ACL to the device database.

A green "Change submitted" indicator appears in the lower right corner of the Modifying IP ACL page to indicate that the IP ACL is being submitted to the device database.

Table 4-39 describes the fields in a standard IP ACL.

Table 4-39 Standard IP ACL Conditions

Each entry lists the field, its default value, and its description. Fields marked (required) must be set.

Purpose (required)
    Default: Permit
    Specifies whether a packet is to be passed (Permit) or dropped (Deny).

Source IP (required)
    Default: 0.0.0.0
    IP address of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format.

Source IP Wildcard (required)
    Default: 255.255.255.255
    Wildcard bits to be applied to the source, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0.


Step 6 To set up conditions for an extended IP ACL, do the following:

a. From the Purpose drop-down list, choose a purpose (Permit or Deny).

b. From the Extended Type drop-down list, choose Generic, TCP, UDP, or ICMP.

After you choose a type of extended IP ACL, various options become available depending on what type you choose.

c. Enter the settings as appropriate. See Table 4-40 for descriptions of the extended IP ACL fields.

d. Click Submit. The Modifying IP ACL page is displayed showing the new condition and its configuration.

e. To add another condition to the IP ACL, repeat the steps.

f. To reorder your list of conditions from the Modifying IP ACL page, use the Up arrow or Down arrow in the Order column, or click a column heading to sort by any configured parameter.


Note The order of the conditions listed becomes the order in which IP ACLs are applied to the device.


g. When you have finished adding conditions to the IP ACL, and you are satisfied with all your entries and the order in which the conditions are listed, click Submit in the Modifying IP ACL page to commit the IP ACL to the device database.

A green "Change submitted" indicator appears in the lower-left corner of the Modifying IP ACL page to indicate that the IP ACL is being submitted to the device database.


Table 4-40 Extended IP ACL Conditions

Each entry lists the field, its default value, the Extended Type(s) for which the field is available, and its description. Fields marked (required) must be set.

Purpose (required)
    Default: Permit
    Extended Type: Generic, TCP, UDP, ICMP
    Specifies whether a packet is to be passed (Permit) or dropped (Deny).

Protocol
    Default: ip
    Extended Type: Generic
    Internet protocol (gre, icmp, ip, tcp, or udp). To match any Internet protocol, use the ip keyword.

Established
    Default: Unchecked (false)
    Extended Type: TCP
    When checked, a match with the ACL condition occurs if the TCP datagram has the ACK or RST bits set, indicating an established connection. Initial TCP datagrams used to form a connection are not matched.

Source IP (required)
    Default: 0.0.0.0
    Extended Type: Generic, TCP, UDP, ICMP
    IP address of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format.

Source IP Wildcard (required)
    Default: 255.255.255.255
    Extended Type: Generic, TCP, UDP, ICMP
    Wildcard bits to be applied to the source, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0.

Source Port 1
    Default: 0
    Extended Type: TCP, UDP
    Decimal number or name of a port. Valid port numbers are 0 to 65535. See Table 4-41 and Table 4-42 for port name descriptions and associated port numbers.
    Valid TCP port names: domain, exec, ftp, ftp-data, https, nfs, rtsp, ssh, telnet, www.
    Valid UDP port names: bootpc, bootps, domain, netbios-dgm, netbios-ns, netbios-ss, nfs, ntp, snmp, snmptrap.

Source Operator
    Default: range
    Extended Type: TCP, UDP
    Specifies how to compare the source ports against incoming packets. Choices are <, >, ==, !=, or range.

Source Port 2
    Default: 65535
    Extended Type: TCP, UDP
    Decimal number or name of a port. See Source Port 1.

Destination IP
    Default: 0.0.0.0
    Extended Type: Generic, TCP, UDP, ICMP
    IP address of the network or host to which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format.

Destination IP Wildcard
    Default: 255.255.255.255
    Extended Type: Generic, TCP, UDP, ICMP
    Wildcard bits to be applied to the destination, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0.

Destination Port 1
    Default: 0
    Extended Type: TCP, UDP
    Decimal number or name of a port. Valid port numbers are 0 to 65535. See Table 4-41 and Table 4-42 for port name descriptions and associated port numbers. The valid TCP and UDP port names are the same as for Source Port 1.

Destination Operator
    Default: range
    Extended Type: TCP, UDP
    Specifies how to compare the destination ports against incoming packets. Choices are <, >, ==, !=, or range.

Destination Port 2
    Default: 65535
    Extended Type: TCP, UDP
    Decimal number or name of a port. See Destination Port 1.

ICMP Param Type (required)
    Default: None
    Extended Type: ICMP
    Choices are None, Type/Code, or Msg.
    None—Disables the ICMP Type, Code, and Message fields.
    Type/Code—Allows ICMP messages to be filtered by ICMP message type and code. Also enables the ability to set an ICMP message code number.
    Msg—Allows a combination of type and code to be specified using a keyword. Activates the ICMP Message drop-down list. Disables the ICMP Type field.

ICMP Message (required)
    Default: administratively-prohibited
    Extended Type: ICMP
    Allows a combination of ICMP type and code to be specified using a keyword chosen from the drop-down list. See Table 4-43 for descriptions of the ICMP messages.

ICMP Type (required)
    Default: 0
    Extended Type: ICMP
    Number from 0 to 255. This field is enabled when you choose Type/Code.

Use ICMP Code (required)
    Default: Unchecked
    Extended Type: ICMP
    When checked, enables the ICMP Code field.

ICMP Code (required)
    Default: 0
    Extended Type: ICMP
    Number from 0 to 255. Message code option that allows ICMP messages of a particular type to be further filtered by an ICMP message code.


Table 4-41 lists the UDP keywords that you can use with extended access control lists.

Table 4-41 UDP Keywords and Port Numbers

Port Name     Description                                  UDP Port Number
bootpc        Bootstrap Protocol (BOOTP) client service    68
bootps        Bootstrap Protocol (BOOTP) server service    67
domain        Domain Name System (DNS) service             53
netbios-dgm   NetBIOS datagram service                     138
netbios-ns    NetBIOS name resolution service              137
netbios-ss    NetBIOS session service                      139
nfs           Network File System service                  2049
ntp           Network Time Protocol settings               123
snmp          Simple Network Management Protocol service   161
snmptrap      SNMP traps                                   162


Table 4-42 lists the TCP keywords that you can use with extended access control lists.

Table 4-42 TCP Keywords and Port Numbers

Port Name     Description                                  TCP Port Number
domain        Domain Name System service                   53
exec          Remote process execution                     512
ftp           File Transfer Protocol service               21
ftp-data      FTP data connections (used infrequently)     20
https         Secure HTTP service                          443
nfs           Network File System service applications     2049
rtsp          Real-Time Streaming Protocol applications    554
ssh           Secure Shell login                           22
telnet        Remote login using Telnet                    23
www           World Wide Web (HTTP) service                80


Table 4-43 lists the keywords that you can use to match specific ICMP message types and codes.

Table 4-43 Keywords for ICMP Message Type and Code

administratively-prohibited
    Messages that are administratively prohibited from being allowed access.

alternate-address
    Messages that specify alternate IP addresses.

conversion-error
    Messages that denote a datagram conversion error.

dod-host-prohibited
    Messages that signify a Department of Defense (DoD) protocol Internet host denial.

dod-net-prohibited
    Messages that specify a DoD protocol network denial.

echo
    Messages that are used to send echo packets to test basic network connectivity.

echo-reply
    Messages that are used to send echo reply packets.

general-parameter-problem
    Messages that report general parameter problems.

host-isolated
    Messages that indicate that the host is isolated.

host-precedence-unreachable
    Messages that have been received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 3 (Host Unreachable). This is the most common response. Large numbers of this datagram type on the network are indicative of network difficulties or may be indicative of hostile actions.

host-redirect
    Messages that specify redirection to a host.

host-tos-redirect
    Messages that specify redirection to a host for type of service-based (ToS) routing.

host-tos-unreachable
    Messages that denote that the host is unreachable for ToS-based routing.

host-unknown
    Messages that specify that the host or source is unknown.

host-unreachable
    Messages that specify that the host is unreachable.

information-reply
    Messages that contain domain name replies.

information-request
    Messages that contain domain name requests.

mask-reply
    Messages that contain subnet mask replies.

mask-request
    Messages that contain subnet mask requests.

mobile-redirect
    Messages that specify redirection to a mobile host.

net-redirect
    Messages that are used for redirection to a different network.

net-tos-redirect
    Messages that are used for redirection to a different network for ToS-based routing.

net-tos-unreachable
    Messages that specify that the network is unreachable for the ToS-based routing.

net-unreachable
    Messages that specify that the network is unreachable.

network-unknown
    Messages that denote that the network is unknown.

no-room-for-option
    Messages that specify the requirement of a parameter, but that no room is available for it.

option-missing
    Messages that specify the requirement of a parameter, but that parameter is not available.

packet-too-big
    Messages that specify that the ICMP packet requires fragmentation but the Do Not Fragment (DF) bit is set.

parameter-problem
    Messages that signify parameter-related problems.

port-unreachable
    Messages that specify that the port is unreachable.

precedence-unreachable
    Messages that specify that host precedence is not available.

protocol-unreachable
    Messages that specify that the protocol is unreachable.

reassembly-timeout
    Messages that specify a timeout during reassembling of packets.

redirect
    Messages that have been received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 5 (Redirect). ICMP redirect messages are used by routers to notify the hosts on the data link that a better route is available for a particular destination.

router-advertisement
    Messages that contain ICMP router discovery messages called router advertisements.

router-solicitation
    Messages that are multicast to ask for immediate updates on neighboring router interface states.

source-quench
    Messages that have been received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 4 (Source Quench). This datagram may be used in network management to provide congestion control. A source quench packet is issued when a router is beginning to lose packets due to the transmission rate of a source. The source quench is a request to the source to reduce the rate of a datagram transmission.

source-route-failed
    Messages that specify the failure of a source route.

time-exceeded
    Messages that specify information about all instances when specified times were exceeded.

timestamp-reply
    Messages that contain timestamp replies.

timestamp-request
    Messages that contain timestamp requests.

traceroute
    Messages that specify the entire route to a network host from the source.

ttl-exceeded
    Messages that specify that ICMP packets have exceeded the time-to-live configuration.

unreachable
    Messages that are sent when packets are denied by an access control list; these packets are not dropped in the hardware but generate the ICMP-unreachable message.

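The following is an added example, not Cisco's code, that evaluates packets against an ordered list of IP ACL conditions using the semantics described above: the wildcard-bit rule from Tables 4-39 and 4-40, the port operators, the Established flag, and the port keywords from Tables 4-41 and 4-42 (ICMP type/code matching from Table 4-43 is left out). The Packet and Condition classes, the implicit deny when nothing matches, and the sample addresses are assumptions made for this example; the ACL models the reverse-proxy deployment listed earlier, where only port 80 is allowed inbound on the outside interface.

```python
# Added example (not Cisco's code): evaluates packets against an ordered list of
# IP ACL conditions using the wildcard, operator and port-keyword semantics of
# Tables 4-39 through 4-42. Packet, Condition, the implicit deny and the sample
# addresses are assumptions made for this example.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

# Port keywords and numbers from Table 4-41 (UDP) and Table 4-42 (TCP).
UDP_PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "netbios-dgm": 138,
             "netbios-ns": 137, "netbios-ss": 139, "nfs": 2049, "ntp": 123,
             "snmp": 161, "snmptrap": 162}
TCP_PORTS = {"domain": 53, "exec": 512, "ftp": 21, "ftp-data": 20, "https": 443,
             "nfs": 2049, "rtsp": 554, "ssh": 22, "telnet": 23, "www": 80}

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard is ignored, a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def resolve_port(value: Union[int, str], proto: str) -> int:
    """Accept a decimal port (0 to 65535) or a keyword valid for the protocol."""
    table = TCP_PORTS if proto == "tcp" else UDP_PORTS
    port = value if isinstance(value, int) else table.get(value)
    if port is None:
        port = int(value)  # raises ValueError for an unknown keyword
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port

def port_matches(port: int, operator: str, p1: int, p2: int) -> bool:
    """Operators offered by the Source/Destination Operator drop-down lists."""
    if operator == "range":
        return p1 <= port <= p2
    if operator in ("<", ">", "==", "!="):
        return {"<": port < p1, ">": port > p1,
                "==": port == p1, "!=": port != p1}[operator]
    raise ValueError(f"unknown operator: {operator}")

@dataclass
class Packet:
    proto: str               # "tcp", "udp", "icmp" or "gre"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False        # TCP ACK flag
    rst: bool = False        # TCP RST flag

@dataclass
class Condition:
    """One IP ACL condition; a standard ACL uses only purpose, src and src_wild."""
    purpose: str = "Permit"
    protocol: str = "ip"                 # Generic type: gre, icmp, ip, tcp or udp
    src: str = "0.0.0.0"                 # defaults as listed in Tables 4-39 and 4-40
    src_wild: str = "255.255.255.255"
    dst: Optional[str] = None            # None: standard ACL, no destination fields
    dst_wild: str = "255.255.255.255"
    src_op: str = "range"
    src_p1: Union[int, str] = 0
    src_p2: Union[int, str] = 65535
    dst_op: str = "range"
    dst_p1: Union[int, str] = 0
    dst_p2: Union[int, str] = 65535
    established: bool = False            # TCP only: match if ACK or RST is set

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.proto:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wild):
            return False
        if self.dst is not None and not wildcard_match(pkt.dst, self.dst, self.dst_wild):
            return False
        if self.protocol in ("tcp", "udp"):
            for port, op, p1, p2 in ((pkt.sport, self.src_op, self.src_p1, self.src_p2),
                                     (pkt.dport, self.dst_op, self.dst_p1, self.dst_p2)):
                if not port_matches(port, op, resolve_port(p1, self.protocol),
                                    resolve_port(p2, self.protocol)):
                    return False
        if self.established and not (pkt.ack or pkt.rst):
            return False
        return True

def evaluate(acl: List[Condition], pkt: Packet) -> str:
    """First matching condition decides, in list order (the page's ordering note).
    No match means Deny: an assumption based on common Cisco ACL behaviour."""
    for cond in acl:
        if cond.matches(pkt):
            return cond.purpose
    return "Deny"

# Constructed ACL for the page's reverse-proxy scenario: only TCP port 80 inbound
# from anywhere, plus SSH management from the (made-up) IT subnet 10.0.0.0/24.
REVERSE_PROXY_ACL = [
    Condition("Permit", "tcp", src="10.0.0.0", src_wild="0.0.0.255",
              dst="0.0.0.0", dst_op="==", dst_p1="ssh"),
    Condition("Permit", "tcp", dst="0.0.0.0", dst_op="==", dst_p1="www"),
    Condition("Deny", "ip", dst="0.0.0.0"),
]
```

Reordering the conditions changes the outcome: if the final Deny were moved to the top, every packet would be dropped, which is why the order in the Modifying IP ACL page should be checked before Submit.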

Applying an IP ACL to an Interface

The IP ACLs can be applied to a particular interface (such as management services to a private IP address) so that the device can have one interface in a public IP address space that serves content and another interface in a private IP address space that the administrator uses for management purposes. This feature ensures that clients can access the Service Engine only in the public IP address space for serving content and not access it for management purposes. A device attempting to access one of these applications that is associated with an IP ACL must be on the list of trusted devices to be allowed access.

To apply an IP ACL to an interface from the CLI, use the following interface configuration command:

interface {FastEthernet | GigabitEthernet} slot/port ip access-group {accesslistnumber | accesslistname} {in | out}

Deleting an IP ACL

You can delete an IP ACL, including all conditions and associations with network interfaces, or you can delete only the IP ACL conditions. Deleting all conditions allows you to change the IP ACL type if you choose to do so. The IP ACL entry continues to appear in the IP ACL listing; however, it is in effect nonexistent.

To delete an IP ACL, do the following:


Step 1 Choose Devices > Devices > General Settings > Network > IP ACL. The IP ACL Table page is displayed.

Step 2 Click the Edit icon next to the name of the IP ACL that you want to delete. The Modifying IP ACL page is displayed. If you created conditions for the IP ACL, you have three options for deletion:

Delete ACL—This option removes the IP ACL, including all conditions and associations with network interfaces and applications.

Delete All Conditions—This option removes all the conditions, while preserving the IP ACL name.

Delete IP ACL Condition—This option removes one condition from the ACL.

Step 3 To delete the entire IP ACL, click Delete ACL in the task bar. You are prompted to confirm your action. Click OK. The record is deleted.

Step 4 To delete only the conditions, click Delete All Conditions in the task bar. You are prompted to confirm your action. Click OK. The window refreshes, conditions are deleted, and the ACL Type field becomes available.

Step 5 To delete one condition, do the following:

a. Click the Edit icon next to the condition. The condition settings are displayed.

b. Click the Delete IP ACL Condition icon in the task bar. The IP ACL table is displayed.

c. Click Submit to save the IP ACL table to the database.


Configuring Static IP Routes

The Static IP Routes page allows you to configure a static route for a network or host. Any IP packet designated for the specified destination uses the configured route.

To configure a static IP route, do the following:


Step 1 Choose Devices > Devices > General Settings > Network > IP Routes. The IP Route Table page is displayed.

The table is sortable by clicking the column headings.

Step 2 Click the Create New icon in the task bar. The IP Route page is displayed.

To edit a static route, click the Edit icon next to the name you want to edit.

Step 3 In the Destination Network Address field, enter the destination network IP address.

Step 4 In the Netmask field, enter the destination host netmask.

Step 5 In the Gateway's IP Address field, enter the IP address of the gateway interface.

Step 6 Click Submit to save the settings.

To delete a route, click the Edit icon for the route, then click the Delete icon in the task bar.


Configuring DSR VIP

The CDS supports Virtual IP (VIP) configuration for Direct Server Return (DSR) when working with networks that use load balancers. DSR bypasses the load balancer for all server responses to client requests by using MAC Address Translation (MAT).

The CDS allows for the configuration of up to four VIPs (on loopback interfaces).

Client requests are sent to the load balancer and the load balancer sends the requests on to the Service Router. If DSR VIP is configured on the CDS (and supported on the load balancer), all CDS responses to the client are sent directly to the client, bypassing the load balancer.

To configure a DSR VIP, do the following:


Step 1 Choose Devices > Devices > General Settings > Network > DSR VIP. The DSR VIP page is displayed.

Step 2 In the Direct Server Return VIP 1 field, enter the IP address of the Direct Server Return VIP.

Step 3 Enter any additional DSR VIPs in the remaining fields (Direct Server Return VIP 2 to 4).

Step 4 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring Notification and Tracking

The Notification and Tracking pages provide settings for alarms, thresholds, SNMP connectivity, and device monitoring. Configuring notification and tracking consists of the following procedures:

Enabling Alarm Overload Detection

Setting Service Monitor Thresholds

Configuring SNMP

Enabling System Logs

Enabling Alarm Overload Detection

The device tracks the rate of incoming alarms from the Node Health Manager. If the rate of incoming alarms exceeds the high-water mark (HWM) threshold, the device enters an alarm overload state. This condition occurs when multiple applications raise alarms at the same time. When a device is in an alarm overload state, the following events occur:

Traps for the raise alarm-overload alarm and clear alarm-overload alarm are sent. SNMP traps for subsequent alarm raise-and-clear operations are suspended.

Traps for alarm operations that occur between the raise-alarm-overload alarm and the clear-alarm-overload alarm operations are suspended, but individual device alarm information is still collected and available using the CLI.

The device remains in an alarm overload state until the rate of incoming alarms decreases to less than the low-water mark (LWM).

If the incoming alarm rate falls below the LWM, the device comes out of the alarm overload state and begins to report the alarm counts to the SNMP servers and the CDSM.

Alarms that have been raised on a device can be listed by using the CLI commands shown in Table 4-44. These CLI commands allow you to systematically drill down to the source of an alarm.

Table 4-44 Viewing Device Alarms

Command
Description

show alarms

Displays a list of all currently raised alarms (critical, major, and minor alarms) on the device.

show alarms critical

Displays a list of only currently raised critical alarms on the device.

show alarms major

Displays a list of only currently raised major alarms on the device.

show alarms minor

Displays a list of only currently raised minor alarms on the device.

show alarms detail

Displays detailed information about the currently raised alarms.

show alarms history

Displays a history of alarms that have been raised and cleared on the device. The CLI retains the last 100 alarm raise and clear events only.

show alarms status

Displays the counts for the currently raised alarms on the device. Also lists the alarm-overload state and the alarm-overload settings.


To configure the alarm overload detection, do the following:


Step 1 Choose Devices > Devices > General Settings > Notification and Tracking > Alarm Overload Detection. The Alarm Overload Detection page is displayed.

Step 2 Uncheck the Enable Alarm Overload Detection check box if you do not want to configure the device to suspend alarm raise and clear operations when multiple applications report error conditions. Alarm overload detection is enabled by default.

Step 3 In the Alarm Overload Low Water Mark field, enter the number of alarms per second for the clear alarm-overload threshold. The low-water mark is the level below which the alarm rate must drop before alarm traps are sent again. The default value is 1.

Step 4 In the Alarm Overload High Water Mark field, enter the number of alarms per second for the raise alarm-overload threshold. The high-water mark is the level the number of alarms must exceed before alarms are suspended. The default value is 10.

Step 5 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.
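The overload behaviour described above (enter overload when the per-second alarm rate exceeds the high-water mark, suspend individual traps while overloaded, keep collecting events for the CLI, leave overload once the rate drops below the low-water mark) as an added example in Python; this is not Cisco code, the class and function names are assumptions, and the defaults are the page's LWM of 1 and HWM of 10 alarms per second.

```python
"""Alarm overload detection as a hysteresis state machine driven by the
per-second alarm rate.  Added example, not Cisco code; class and function
names are assumptions.  Defaults follow the page: LWM 1 and HWM 10
alarms per second, alarm overload detection enabled."""
from dataclasses import dataclass, field

HISTORY_LIMIT = 100  # the CLI retains only the last 100 raise/clear events


@dataclass
class AlarmOverloadDetector:
    low_water_mark: int = 1
    high_water_mark: int = 10
    enabled: bool = True           # "Enable Alarm Overload Detection"
    overloaded: bool = False
    traps: list = field(default_factory=list)    # traps actually sent to SNMP
    history: list = field(default_factory=list)  # what "show alarms history" keeps

    def __post_init__(self):
        if not 0 < self.low_water_mark <= self.high_water_mark:
            raise ValueError("need 0 < LWM <= HWM")

    def _record(self, event):
        self.history.append(event)
        del self.history[:-HISTORY_LIMIT]        # drop everything but the newest 100

    def process_second(self, alarms):
        """Feed the raise/clear operations seen in one second.

        `alarms` is a list of (operation, alarm_name) tuples.  Returns True
        if the device is in the alarm overload state after this second."""
        rate = len(alarms)
        if self.enabled and not self.overloaded and rate > self.high_water_mark:
            # Entering overload: this trap is sent, subsequent ones are suspended.
            self.overloaded = True
            self.traps.append("raise alarm-overload")
            self._record("raise alarm-overload")
        for op, name in alarms:
            self._record(f"{op} {name}")         # still collected, visible via CLI
            if not self.overloaded:
                self.traps.append(f"{op} {name}")
        if self.overloaded and rate < self.low_water_mark:
            # Rate fell below the LWM: leave overload and resume reporting.
            self.overloaded = False
            self.traps.append("clear alarm-overload")
            self._record("clear alarm-overload")
        return self.overloaded


def constructed_burst(count, second):
    """Constructed sample input: `count` minor-alarm raises in one second."""
    return [("raise", f"minor-alarm-{second}-{i}") for i in range(count)]


def run_scenario(rates, **kwargs):
    """Drive a detector with one alarm burst per second; return the detector
    and the per-second overload states."""
    detector = AlarmOverloadDetector(**kwargs)
    states = [detector.process_second(constructed_burst(n, s))
              for s, n in enumerate(rates)]
    return detector, states


if __name__ == "__main__":
    det, states = run_scenario([3, 12, 5, 0])
    print("overload state per second:", states)
    print("traps sent:", len(det.traps), "of", len(det.history), "events")
```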


Setting Service Monitor Thresholds

The Service Monitor page is where you configure workload thresholds for the device. In load-based routing, these thresholds are used to determine the best device to serve requested content. For more information about load-based routing, see the "Configuring the Service Router" section.


Note Threshold monitoring is performed on each device in the CDS. The protocol engine and NIC bandwidth thresholds are only monitored on the SE. They are not monitored on the SR and CDSM.



Note Previously, the license limit was set to 500 Mbps and each protocol engine had a maximum number of sessions allowed. In Release 2.5.9-b120, the base license limit is set to 200 sessions and 200 Mbps bandwidth.

The burst count, which indicates the number of days after which a major alarm is raised, is configurable. On the Service Engine, use the service-router service-monitor threshold burstcnt command to configure the burst count. The default setting is one (1), which means all the minor alarms that occur in a single day (24-hour interval) are counted as one single alarm. If the service-router service-monitor threshold burstcnt command is set to two, all minor alarms that occur in two days (48-hour interval) are counted as a single alarm.

A universal license is similar to a regular license, except it has a higher bandwidth and applies to all protocol engines (except Web Engine). When a universal license is purchased and configured, the alarm data for all protocol engines are cleared. Thereafter, the monitoring of the protocol engines continues as usual for any future alarms.

On the Service Engine, use the service-router service-monitor license-universal enable command to enable the universal license. The service-router service-monitor license-universal command is disabled by default.


To configure workload thresholds, do the following:


Step 1 Choose Devices > Devices > General Settings > Notification and Tracking > Service Monitor. The Service Monitor page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-45 for a description of the fields.

Table 4-45 Service Monitor Fields 

Field
Description
CPU Settings

Enable

Allows the SR to collect CPU load information from the device.

Threshold

Value (as a percentage) that determines when the device is overloaded. The threshold determines the extent of CPU usage allowed. The range is from 1 to 100. The default is 80.

Sample Period

Time interval (in seconds) between two consecutive samples. The sample period is the time during which the device and the SR exchange keep-alive messages that contain the device load information. The range is from 1 to 60. The default is 1.

Number of Samples

Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2.

Disk Settings

Enable

Allows the SR to collect disk transaction information from the device.

Threshold

The threshold, as a percentage, determines the extent of disk usage allowed. The range is from 1 to 100. The default is 80.

Sample Period

Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 1.

Number of Samples

Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2.

Memory Settings

Enable

Allows the SR to collect memory usage information from the device.

Threshold

The threshold (in percent) determines the extent of memory usage allowed. The range is from 1 to 100. The default is 80.

Sample Period

Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 1.

Number of Samples

Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2.

KMemory Settings

Enable

Allows the SR to collect kernel memory usage information from the device.

Threshold

The threshold (in percent) determines the extent of kernel memory usage allowed. The range is from 1 to 100. The default is 50.

Sample Period

Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 1.

Number of Samples

Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2.

WMT Settings (1)

Enable

Allows the SR to collect Windows Media Streaming stream count information from the SE.

Threshold

Percentage of streams for which the SE has been either configured or licensed. The range is from 1 to 100. The default is 90.

Sample Period

Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 1.

Number of Samples

Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2.

FMS Settings (1)

Enable

Allows the SR to collect Flash Media Streaming stream count information from the SE.

Threshold

Percentage of streams for which the SE has been either configured or licensed. The range is from 1 to 100. The default is 90.

Sample Period

Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 1.

Number of Samples

Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2.

Movie Streamer Settings (1, 2)

Enable

Allows the SR to collect stream count information from the SE.

Threshold

Percentage of streams for which the SE has been either configured or licensed. The range is from 1 to 100. The default is 90.

Web Engine Settings (1, 2)

Enable

Allows the SR to collect stream count information from the SE.

Threshold

Percentage of streams for which the SE has been either configured or licensed. The range is from 1 to 100. The default is 90.

We recommend setting the Web Engine Threshold to 80 percent or higher when Flash Media Streaming is enabled.

Note The Web Engine threshold is only applicable in Release 2.5.1 and Release 2.5.3. The Web Engine threshold fields are not available in Release 2.5.7 and later releases.

NIC Bandwidth Settings (1)

Enable

Allows the SR to collect NIC bandwidth information from the SE.

Threshold

The threshold, as a percentage, determines the extent of NIC bandwidth usage allowed. The range is from 1 to 100. The default is 90.

Sample Period

Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 3.

Number of Samples

Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2.

Disk Failure Count Settings

Threshold

When the number of failed disks exceeds this threshold, no further requests are sent to this device. The Disk Failure Count Threshold is only for the CDNFS disks. The maximum threshold that can be configured is determined by the physical number of CDNFS disks (up to 15) installed on the device. The default is 1.

Note When an alarm is received for a SYSFS disk, it is immediately marked as a failed disk. It is not checked against the Disk Failure Count Threshold. The SR continues redirecting to the SE, unless all SYSFS disks on the SE are marked as failed disks.

(1) Protocol engines and NIC bandwidth are only monitored on the SE. They are not monitored on the CDSM and SR.

(2) Sample period and number of samples are not required for Movie Streamer and Web Engine because these protocol engines do not support bandwidth-based threshold monitoring.


Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.
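How the Service Monitor fields in Table 4-45 combine into a routing decision, as an added Python example that is not Cisco code: each resource averages its last N samples and compares the average with its percentage threshold, and the Disk Failure Count rule treats CDNFS and SYSFS disks differently. Class and function names are assumptions, ranges and defaults follow the table, and because the page does not say whether an average exactly equal to the threshold counts as overloaded, "exceeds" is assumed.

```python
"""Service Monitor style threshold evaluation.  Added example, not Cisco
code; names are assumptions.  Ranges and defaults follow Table 4-45."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ResourceMonitor:
    name: str
    threshold: int            # percent, 1 to 100
    sample_period: int = 1    # seconds between samples, 1 to 60
    samples: int = 2          # most recent samples averaged, 1 to 120
    window: deque = field(init=False)

    def __post_init__(self):
        if not 1 <= self.threshold <= 100:
            raise ValueError(f"{self.name}: threshold must be 1..100")
        if not 1 <= self.sample_period <= 60:
            raise ValueError(f"{self.name}: sample period must be 1..60")
        if not 1 <= self.samples <= 120:
            raise ValueError(f"{self.name}: number of samples must be 1..120")
        self.window = deque(maxlen=self.samples)   # keeps only the newest N

    def add_sample(self, percent):
        """Record one reading (percent of allowed usage); return the average."""
        self.window.append(percent)
        return self.average()

    def average(self):
        return sum(self.window) / len(self.window) if self.window else 0.0

    def overloaded(self):
        return self.average() > self.threshold     # "exceeds" is assumed


def default_monitors():
    """Monitors with the Table 4-45 defaults for an SE (protocol engines and
    NIC bandwidth are only monitored on the SE)."""
    return [
        ResourceMonitor("cpu", 80),
        ResourceMonitor("disk", 80),
        ResourceMonitor("memory", 80),
        ResourceMonitor("kmemory", 50),
        ResourceMonitor("wmt", 90),
        ResourceMonitor("fms", 90),
        ResourceMonitor("nic", 90, sample_period=3),
    ]


@dataclass
class DiskHealth:
    cdnfs_disks: int
    sysfs_disks: int
    failure_threshold: int = 1      # Disk Failure Count Threshold default
    failed_cdnfs: set = field(default_factory=set)
    failed_sysfs: set = field(default_factory=set)

    def __post_init__(self):
        # The maximum threshold is bounded by the installed CDNFS disks (up to 15).
        if not 1 <= self.failure_threshold <= min(self.cdnfs_disks, 15):
            raise ValueError("threshold must be 1..installed CDNFS disks (max 15)")

    def disk_alarm(self, kind, disk_id):
        """A disk alarm marks the disk failed.  SYSFS disks are not counted
        against the threshold but take the device out when all have failed."""
        if kind == "cdnfs":
            self.failed_cdnfs.add(disk_id)
        elif kind == "sysfs":
            self.failed_sysfs.add(disk_id)
        else:
            raise ValueError(f"unknown disk kind {kind!r}")

    def accepts_requests(self):
        too_many_cdnfs = len(self.failed_cdnfs) > self.failure_threshold
        all_sysfs_gone = (self.sysfs_disks > 0
                          and len(self.failed_sysfs) >= self.sysfs_disks)
        return not (too_many_cdnfs or all_sysfs_gone)


def eligible_for_routing(monitors, disks):
    """Return (eligible, reasons): the SR should only send requests to a
    device whose averages are under threshold and whose disks are healthy."""
    reasons = [m.name for m in monitors if m.overloaded()]
    if not disks.accepts_requests():
        reasons.append("disk-failure-count")
    return not reasons, reasons
```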


Configuring SNMP

The Cisco CDS supports the following versions of SNMP:

Version 1 (SNMPv1)—A network management protocol that provides a means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security.

Version 2 (SNMPv2c)—The second version of SNMP, it supports centralized and distributed network management strategies, and includes improvements in the Structure of Management Information (SMI), protocol operations, management architecture, and security.

Version 3 (SNMPv3)—An interoperable standards-based protocol for network management. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network. The security features provided in SNMPv3 are:

Message integrity—Ensuring that a packet has not been tampered with in-transit.

Authentication—Determining the message is from a valid source.

Encryption—Scrambling the contents of a packet to prevent it from being seen by an unauthorized source.

SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet. Three security models are available: SNMPv1, SNMPv2c, and SNMPv3.

Table 4-46 identifies what the combinations of security models and levels mean.

Table 4-46 SNMP Security Models and Levels

Model  Level         Authentication    Encryption  Process
v1     noAuthNoPriv  Community String  No          Uses a community string match for authentication.
v2c    noAuthNoPriv  Community String  No          Uses a community string match for authentication.
v3     noAuthNoPriv  Username          No          Uses a username match for authentication.
v3     authNoPriv    MD5 or SHA        No          Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.
v3     authPriv      MD5 or SHA        DES         Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard.


The SNMPv3 agent can be used in the following modes:

noAuthNoPriv mode (that is, no security mechanisms turned on for packets)

AuthNoPriv mode (for packets that do not need to be encrypted using the privacy algorithm [DES 56])

AuthPriv mode (for packets that must be encrypted; privacy requires that authentication be performed on the packet)

Using SNMPv3, users can securely collect management information from their SNMP agents without worrying that the data has been tampered with. Also, confidential information, such as SNMP set packets that change a Content Engine's configuration, can be encrypted to prevent their contents from being exposed on the wire. Also, the group-based administrative model allows different users to access the same SNMP agent with varying access privileges.

Note the following about SNMPv3 objects:

Each user belongs to a group.

A group defines the access policy for a set of users.

An access policy specifies which SNMP objects can be accessed for reading, writing, and creating.

A group determines the list of notifications its users can receive.

A group also defines the security model and security level for its users.

To configure the SNMP settings, do the following:


Step 1 Choose Devices > Devices > General Settings > Notification and Tracking > SNMP > General Settings. The SNMP General Settings page is displayed.

Step 2 Enable the settings as appropriate. See Table 4-47 for a description of the fields.

Table 4-47 SNMP General Settings Fields 

Field
Description

Traps

Enable SNMP Settings

Enables the SNMP agent to transmit traps to the SNMP server.

Service Engine

Enables the Disk Fail trap, which is the disk failure error trap.

SNMP

Enables SNMP-specific traps:

Authentication—Enables authentication trap.

Cold Start—Enables cold start trap.

SE Alarm

Enables alarm traps:

Raise Critical—Enables raise-critical alarm trap.

Clear Critical—Enables clear-critical alarm trap.

Raise Major—Enables raise-major alarm trap.

Clear Major—Enables clear-major alarm trap.

Raise Minor—Enables raise-minor alarm trap.

Clear Minor—Enables clear-minor alarm trap.

Entity

Enables SNMP entity traps.

Config

Enables CiscoConfigManEvent error traps.

Miscellaneous Settings

Notify Inform

Enables the SNMP notify inform request.


Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Step 4 From the left-panel menu, click Community. The SNMP Community Table page is displayed.

The table is sortable by clicking the column headings. The maximum number of community strings that can be created is ten.

Step 5 Click the Create New icon in the task bar. The SNMP Community page is displayed.

Click the Edit icon next to the community name to edit a community setting.

Step 6 Enter the settings as appropriate. See Table 4-48 for a description of the fields.

Table 4-48 SNMP Community Fields 

Field
Description

Community

Community string used as a password for authentication when you access the SNMP agent of the device using SNMPv1 or SNMPv2. The "Community Name" field of any SNMP message sent to the device must match the community string defined here to be authenticated. You can enter a maximum of 64 characters in this field.

Group name/rw

Group to which the community string belongs. The Read/Write option allows a read or write group to be associated with this community string. The Read/Write option permits access to only a portion of the MIB subtree. Choose one of the following three options from the drop-down list:

None—Choose this option if you do not want to specify a group name to be associated with the community string.

Read/Write—Choose this option if you want to allow read-write access to the group associated with this community string.

Group—Choose this option if you want to specify a group name.

Group Name

Name of the group to which the community string belongs. You can enter a maximum of 64 characters in this field. This field is available only if you have chosen the Group option in the Group name/rw field.


Step 7 Click Submit to save the settings.

To delete an SNMP community, click the Edit icon for the community, then click the Delete icon in the task bar.

Step 8 From the left-panel menu, click Group. The SNMP Group Table page is displayed.

The table is sortable by clicking the column headings. The maximum number of groups that can be created is ten.

Step 9 Click the Create New icon in the task bar. The SNMP Group page is displayed.

Click the Edit icon next to the Group Name to edit a group.

Step 10 Enter the settings as appropriate. See Table 4-49 for a description of the fields.

Table 4-49 SNMP Group Fields 

Field
Description

Name

Name of the SNMP group. You can enter a maximum of 256 characters.

A group defines a set of users belonging to a particular security model. A group defines the access rights for all the users belonging to it. Access rights define what SNMP objects can be read, written to, or created. In addition, the group defines what notifications a user is allowed to receive.

An SNMP group is a collection of SNMP users that belong to a common SNMP list that defines an access policy, in which object identification numbers (OIDs) are both read-accessible and write-accessible. Users belonging to a particular SNMP group inherit all of the attributes defined by the group.

Sec Model

Security model for the group. Choose one of the following options from the drop-down list:

v1—Version 1 security model (SNMP Version 1 [noAuthNoPriv]).

v2c—Version 2c security model (SNMP Version 2 [noAuthNoPriv]).

v3-auth—User security level SNMP Version 3 (AuthNoPriv).

v3-noauth—User security level SNMP Version 3 (noAuthNoPriv).

v3-priv—User security level SNMP Version 3 (AuthPriv).

The Sec Model you choose determines which of the following three security algorithms is used on each SNMP packet:

noAuthNoPriv—Authenticates a packet by a string match of the username.

AuthNoPriv—Authenticates a packet by using either the HMAC MD5 or SHA algorithms.

AuthPriv—Authenticates a packet by using either the HMAC MD5 or SHA algorithms and encrypts the packet using the CBC-DES (DES-56) algorithm.

Read View

Name of the view (a maximum of 64 characters) that enables you only to view the contents of the agent. By default, no view is defined. To provide read access to users of the group, a view must be specified.

A read view defines the list of object identifiers (OIDs) that are accessible for reading by users belonging to the group.

Write View

Name of the view (a maximum of 64 characters) that enables you to enter data and configure the contents of the agent. By default, no view is defined.

A write view defines the list of object identifiers (OIDs) that are able to be created or modified by users of the group.

Notify View

Name of the view (a maximum of 64 characters) that enables you to specify a notify, inform, or trap. By default, no view is defined.

A notify view defines the list of notifications that can be sent to each user in the group.


Step 11 Click Submit to save the settings.

To delete an SNMP group, click the Edit icon for the group, then click the Delete icon in the task bar.

Step 12 From the left-panel menu, click User. The SNMP User Table page is displayed.

The table is sortable by clicking the column headings. The maximum number of users that can be created is ten.

Step 13 Click the Create New icon in the task bar. The SNMP User page is displayed.

Click the Edit icon next to the username to edit a user.

Step 14 Enter the settings as appropriate. See Table 4-50 for a description of the fields.

Table 4-50 SNMP User Fields 

Field
Description

Name

String representing the name of the user (256 characters maximum) who can access the device.

An SNMP user is a person for which an SNMP management operation is performed.

Group

Name of the group (256 characters maximum) to which the user belongs.

Remote SNMP ID

Globally unique identifier for a remote SNMP entity. To send an SNMPv3 message to the device, at least one user with a remote SNMP ID must be configured on the device. The SNMP ID must be entered in octet string format. For example, if the IP address of a remote SNMP entity is 192.147.142.129, then the octet string would be 00:00:63:00:00:00:a1:c0:93:8e:81.

Authentication Algorithm

Authentication algorithm that ensures the integrity of SNMP packets during transmission. Choose one of the following three options from the drop-down list:

No-auth—Requires no security mechanism to be turned on for SNMP packets.

MD5—Provides authentication based on the hash-based Message Authentication Code Message Digest 5 (HMAC-MD5) algorithm.

SHA—Provides authentication based on the hash-based Message Authentication Code Secure Hash (HMAC-SHA) algorithm.

Authentication Password

String (256 characters maximum) that configures the user authentication (HMAC-MD5 or HMAC-SHA) password. The number of characters is adjusted to fit the display area if it exceeds the limit for display.

This field is optional if the no-auth option is chosen for the authentication algorithm. Otherwise, this field must contain a value.

Confirmation Password

Authentication password for confirmation. The re-entered password must be the same as the one entered in the Authentication Password field.

Private Password

String (256 characters maximum) that configures the authentication (HMAC-MD5 or HMAC-SHA) parameters to enable the SNMP agent to receive packets from the SNMP host. The number of characters is adjusted to fit the display area if it exceeds the limit for display.

Confirmation Password

Private password for confirmation. The re-entered password must be the same as the one entered in the Private Password field.


Step 15 Click Submit to save the settings.

To delete an SNMP user, click the Edit icon for the user, then click the Delete icon in the task bar.

Step 16 To define an SNMPv2 MIB view, click View from the left-panel menu. The SNMP View Table page is displayed.

The table is sortable by clicking the column headings. The maximum number of SNMPv2 views that can be created is ten.

SNMP view—A mapping between SNMP objects and the access rights available for those objects. An object can have different access rights in each view. Access rights indicate whether the object is accessible by either a community string or a user.

Step 17 Click the Create New icon in the task bar. The SNMP View page is displayed.

Click the Edit icon next to the view name to edit a view.

Step 18 Enter the settings as appropriate. See Table 4-51 for a description of the fields.

Table 4-51 SNMP View Fields 

Field
Description

Name

String representing the name of this family of view subtrees (256 characters maximum). The family name must be a valid MIB name such as ENTITY-MIB.

Family

Object identifier (256 characters maximum) that identifies a subtree of the MIB.

View Type

View option that determines the inclusion or exclusion of the MIB family from the view. Choose one of the following two options from the drop-down list:

Included—The MIB family is included in the view.

Excluded—The MIB family is excluded from the view.


Step 19 Click Submit to save the settings.

To delete an SNMP view, click the Edit icon for the view, then click the Delete icon in the task bar.

Step 20 From the left-panel menu, click Host. The SNMP Host Table page is displayed.

The table is sortable by clicking the column headings. The maximum number of hosts that can be created is four.

Step 21 Click the Create New icon in the task bar. The SNMP Host page is displayed.

Click the Edit icon next to the hostname to edit a host.

Step 22 Enter the settings as appropriate. See Table 4-52 for a description of the fields.

Table 4-52 SNMP Host Fields 

Field
Description

Trap Host

Hostname or IP address of an SNMP entity to which notifications (traps and informs) are to be sent.

Community/User

Name of the SNMP community or user (256 characters maximum) that is sent in SNMP trap messages from the device.

Authentication

Security model to use for sending notification to the recipient of an SNMP trap operation. Choose one of the following options from the drop-down list:

No-auth—Sends notification without any security mechanism.

v2c—Sends notification using Version 2c security.

v3-auth—Sends notification using SNMP Version 3 (AuthNoPriv security).

v3-noauth—Sends notification using SNMP Version 3 (NoAuthNoPriv security).

v3-priv—Sends notification using SNMP Version 3 (AuthPriv security).

Retry

Number of retries (1 to 10) allowed for the inform request. The default is 2.

Timeout

Timeout for the inform request in seconds (1 to 1000). The default is 15.


Step 23 Click Submit to save the settings.

To delete an SNMP host, click the Edit icon for the host, then click the Delete icon in the task bar.

Step 24 From the left-panel menu, click Asset Tag. The SNMP Asset Tag page is displayed.

Step 25 In the Asset Tag Name field, enter a name for the asset tag and click Submit.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Step 26 From the left-panel menu, click Contact. The SNMP Contact page is displayed.

Step 27 In the Contact field, enter a name of the contact person for this device.

Step 28 In the Location field, enter a location of the contact person for this device.

Step 29 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Supported MIBs

The SNMP agent supports the following MIBs:

ENTITY-MIB (RFC 2037 Revision 199610310000Z)

MIB-II (RFC 1213)

HOST-RESOURCES-MIB (RFC 2790, hrSWInstalled and hrPrinterTable subgroups are not supported)

CISCO-ENTITY-ASSET-MIB

CISCO-CONFIG-MAN-MIB (Revision 9511280000Z)

CISCO-SERVICE-ENGINE-MIB (supports streaming media-related MIB objects)

ENTITY-MIB, MIB-II, and HOST-RESOURCES-MIB are publicly available MIBs.

To download a copy of the CISCO-SERVICE-ENGINE-MIB, do the following:


Step 1 Choose System > CDS-IS Files > Snmp MIB. The CISCO_SERVICE-ENGINE-MIB.my is listed.

Step 2 Click the CISCO_SERVICE-ENGINE-MIB.my link. Your browser program displays a dialog box asking if you want to open or save the file.

Step 3 Choose the appropriate option; either open or save the file.


The CISCO-SERVICE-ENGINE-MIB is extended to incorporate MIB objects related to streaming. The WMT and Movie Streamer groups incorporate statistics about the WMT server or proxy, and Movie Streamer. The Flash Media Streaming group incorporates statistics about the Flash Media Streaming protocol engine. For each 64-bit counter MIB object, a 32-bit counter MIB object is implemented so that SNMP clients using SNMPv1 can retrieve data associated with 64-bit counter MIB objects. The MIB objects of each of these groups are read-only.

The WMT MIB group provides statistics about WMT proxy and server performance. Twenty-eight MIB objects are implemented in this group. Six of these MIB objects are implemented as 64-bit counters.

The Movie Streamer MIB group provides statistics about RTSP streaming engine performance. Seven MIB objects are implemented in this group. Two of these MIB objects are implemented as 64-bit counters.

The Flash Media Streaming MIB group provides statistics about HTTP and RTMP streaming engine performance.

Use the following link to access the CISCO-ENTITY-ASSET-MIB and the CISCO-CONFIG-MAN-MIB:

ftp://ftp.cisco.com/pub/mibs/v2/


Note If your browser is located behind a firewall or you are connecting to the Internet with a DSL modem and you are unable to access this file folder, you must change your web browser compatibility settings. In the Internet Explorer (IE) web browser, choose Tools > Internet Options > Advanced, and check the Use Passive FTP check box.


Enabling System Logs

Use the System Logs page to set specific parameters for the system log file (syslog). This file contains authentication entries, privilege level settings, and administrative details. System logging is always enabled. By default, the system log file is stored as /local1/syslog.txt.

To enable system logging, do the following:


Step 1 Choose Devices > Devices > General Settings > Notification and Tracking > System Logs. The System Log Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-53 for a description of the fields.

Table 4-53 System Logs Settings Fields 

Field
Description
System Logs

Enable

Enables system logs.

Facility

Facility where the system log is sent.

Console Settings

Enable

Enable sending the system log to the console.

Priority

Severity level of the message that should be sent to the specified remote syslog host. The default priority is warning. The priorities are:

Emergency—System is unusable.

Alert—Immediate action needed.

Critical—Critical condition.

Error—Error conditions.

Warning—Warning conditions.

Notice—Normal but significant conditions.

Information—Informational messages.

Debug—Debugging messages.

Disk Settings

Enable

Enables saving the system logs to disk.

File Name

Path and filename where the system log file is stored on the disk. The default is /local1/syslog.txt.

Priority

Severity level of the message that should be sent to the specified remote syslog host.

Recycle

The maximum size of the system log file before it is recycled. The default is 10000000 bytes.

Host Settings

Enable

Enables sending the system log file to a host. You can configure up to four hosts.

Hostname

A hostname or IP address of a remote syslog host.

Priority

Severity level of the message that should be sent to the specified remote syslog host.

Port

The destination port on the remote host. The default is 514.

Rate Limit

The message rate per second. To limit bandwidth and other resource consumption, messages can be rate limited. If this limit is exceeded, the remote host drops the messages. There is no default rate limit, and by default all system log messages are sent to all syslog hosts.


Step 3 Click Submit to save the settings.


Multiple Hosts for System Logging

Each syslog host can receive different priority levels of syslog messages. Therefore, you can configure different syslog hosts with a different syslog message priority code to enable the device to send varying levels of syslog messages to the four external syslog hosts.

However, if you want to achieve syslog host redundancy or failover to a different syslog host, you must configure multiple syslog hosts on the device and assign the same priority code to each configured syslog host.
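As an added illustration (not Cisco code), the following Python models how the per-host settings in the table above behave: each remote host applies its own priority threshold and optional per-second rate limit, and two hosts configured with the same priority receive identical message sets, which is the redundancy condition stated above. The host names and log messages are constructed.

```python
from collections import defaultdict

# Severities in the order the page lists them (index 0 = most severe).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information", "debug"]
SEVERITY_NUM = {name: n for n, name in enumerate(SEVERITIES)}
MAX_HOSTS = 4          # the page allows up to four remote syslog hosts
DEFAULT_PORT = 514     # default destination port from the settings table


class SyslogHost:
    """One remote syslog host entry: hostname, port, priority, rate limit."""

    def __init__(self, hostname, priority="warning", port=DEFAULT_PORT, rate_limit=None):
        self.hostname = hostname
        self.port = port
        self.threshold = SEVERITY_NUM[priority]   # "warning" is the page's default
        self.rate_limit = rate_limit              # messages per second; None = no limit
        self.delivered = []                       # (severity, text) pairs the host kept
        self.dropped = 0                          # messages dropped by the rate limit
        self._sent_in_second = defaultdict(int)

    def accepts(self, severity):
        # A host configured at "warning" receives warning and everything more severe.
        return SEVERITY_NUM[severity] <= self.threshold

    def receive(self, timestamp, severity, text):
        """Return True if the host keeps the message, False if filtered or dropped."""
        if not self.accepts(severity):
            return False
        second = int(timestamp)
        if self.rate_limit is not None and self._sent_in_second[second] >= self.rate_limit:
            self.dropped += 1        # above the limit, the remote host drops the message
            return False
        self._sent_in_second[second] += 1
        self.delivered.append((severity, text))
        return True


def build_hosts(specs):
    """Build host entries from (hostname, priority, rate_limit) tuples, enforcing the four-host cap."""
    if len(specs) > MAX_HOSTS:
        raise ValueError(f"at most {MAX_HOSTS} syslog hosts can be configured")
    return [SyslogHost(name, priority, rate_limit=limit) for name, priority, limit in specs]


def dispatch(hosts, messages):
    """Offer every (timestamp, severity, text) message to every configured host
    and return the number of messages each host kept."""
    for ts, sev, text in messages:
        for host in hosts:
            host.receive(ts, sev, text)
    return {host.hostname: len(host.delivered) for host in hosts}


# Constructed sample messages, all inside the same wall-clock second.
SAMPLE_MESSAGES = [
    (100.1, "error", "authentication failure for user admin"),
    (100.2, "notice", "privilege level changed to 15"),
    (100.3, "warning", "syslog.txt reached recycle size"),
    (100.4, "debug", "keepalive sent to SR"),
    (100.5, "critical", "kernel debugger activated"),
]

# Constructed host set: the first two share a priority, so either can stand in for the other.
SAMPLE_HOSTS = [
    ("syslog1.example.net", "warning", None),
    ("syslog2.example.net", "warning", None),
    ("collector.example.net", "debug", 2),     # takes everything, but only 2 msgs/second
    ("pager.example.net", "critical", None),   # critical, alert, emergency only
]


def run_sample():
    hosts = build_hosts(SAMPLE_HOSTS)
    counts = dispatch(hosts, SAMPLE_MESSAGES)
    return hosts, counts


if __name__ == "__main__":
    for host in run_sample()[0]:
        print(f"{host.hostname}: kept {len(host.delivered)}, dropped {host.dropped}")
```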

Configuring Troubleshooting

The Kernel Debugger troubleshooting page allows you to enable or disable access to the kernel debugger. Once enabled, the kernel debugger is automatically activated when kernel problems occur.


Note The "hardware watchdog" is enabled by default and automatically reboots a device that has stopped responding for over ten minutes. Enabling the kernel debugger disables the "hardware watchdog."


If the device runs out of memory and the kernel debugger (KDB) is enabled, the KDB is activated and dumps information. If the KDB is disabled and the device runs out of memory, only the dump information is reported to the syslog and the device reboots.

Enabling the Kernel Debugger

To enable the kernel debugger, do the following:


Step 1 Choose Devices > Devices > General Settings > Troubleshooting > Kernel Debugger. The Kernel Debugger window appears.

Step 2 To enable the kernel debugger, check the Enable check box, and click Submit.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


For information about monitoring the SEs, see the "Device Monitoring" section.

Configuring Service Router Settings

The keep-alive interval is used by the SE to send keep-alive messages to the SR. If the SE is configured with more than one streaming interface (multi-port support on a CDE220-2S3i available in Release 2.5.7 and later releases), the keepalives are sent for each streaming interface.

To configure the keep-alive interval the SE uses for messages to this SR, do the following:


Step 1 Choose Devices > Devices > General Settings > Service Routing Settings. The Service Routing Settings page is displayed.

Step 2 In the Keepalive-Interval field, enter the number of seconds the messages from the SR should be kept alive on this SE. The range is from 1 to 120. The default is 2.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring the Service Router

Configuring a Service Router (SR) consists of the following procedures:

Activating a Service Router

Configuring Routing Settings

Configuring Application Control

Configuring Last-Resort Routing

Configuring Transaction Logs for the Service Router

For information on configuring the general settings, except last-resort routing and transaction logging, see the "General Settings" section.

Activating a Service Router

Activating an SR can be done through the Devices home page initially, or through the Device Activation page.

To activate an SR from the Device Activation page, do the following:


Step 1 Choose Devices > Devices. The Devices Table page is displayed.

Step 2 Click the Edit icon next to the SR you want to configure. The Devices home page is displayed.

Step 3 Click Show All to display the top-level menu options, and choose Device Activation. The Device Activation page is displayed.

Step 4 Enter the settings as appropriate. See Table 4-54 for a description of the fields.

Table 4-54 Service Router Activation Fields 

Field
Description

Name

Name of the device.

Location

The Location drop-down list lists all the locations configured for the CDS.

Activate

To activate or deactivate the device, check or uncheck the Activate check box. Alternatively, you can click the Deactivate Device icon in the task bar.

When you uncheck the Activate check box and click Submit, the Replaceable check box is displayed. Check the Replaceable check box when you need to replace the device or recover lost registration information. For more information, see the "Recovering CDS Network Device Registration Information" section.

Server Offload

To offload this device for maintenance or a software upgrade, check the Server Offload check box. When checked, the Service Router stops processing client requests.

When the SR is marked as inactive or as server offload on the CDSM, it stops responding to DNS queries. Instead, the SR sends a SERVFAIL error as the DNS response, and for RTSP/HTTP requests, the SR sends a 503 Service Unavailable message.

To monitor the current activity on an SR during the Server Offload state, use the show interface command. If the packets received or packets sent counters are increasing, the SR is still processing client requests.

Note We recommend separating the management traffic from the client request traffic by using the port channel configuration; see the "Configuring Port Channel" section for more information.

If management and client request traffic are separated, the show interface command for the client request port channel displays information on active sessions.

If management and streaming traffic are not separated, the show interface command shows very low traffic; the packets received and packets sent are lower than a client request session.

Once the SR has finished processing client requests, you can perform maintenance or upgrade the software on the device. For information about upgrading the software, see the "Upgrading the Software" section.

The Status field on the Device Activation page and the Devices Table page displays "offloading" when Server Offload is checked.

Once the software upgrade or maintenance is complete, you need to uncheck the Server Offload check box so that the device can again participate in the system.

Work Type

From the Work Type drop-down list, choose SR & Proximity Engine if you want to enable the Proximity Engine; otherwise, choose Service Router only. For more information, see the "Configuring the Proximity Server Settings" section.

Coverage Zone File

To have a local Coverage Zone file overwrite the CDS network-wide Coverage Zone file, choose a file from the Coverage Zone drop-down list. See the "Coverage Zone File Registration" section for information about creating and registering a Coverage Zone file. Otherwise, choose None.

Enable CDN Selector

To enable CDN Selector, check the Enable CDN Selector check box.

Note CDN Selector is an early field trial (EFT) feature for Release 2.5.7 and later releases.

CDN Selector File

The CDN Selector File drop-down list is populated with the CDN Selector files that are registered to the CDSM. See the "CDN Selector File Registration" section for information on registering a CDN Selector file.

The CDN Selector must be enabled on the SR.

See "Creating CDN Selector Files" for information on creating a CDN Selector file.

Note CDN Selector is an EFT feature for Release 2.5.7 and later releases.

Use SR's primary IP address

Enables the CDSM to use the IP address on the primary interface of the SR for management communications.

Note If the Use SR's primary IP Address for Management Communication check box is checked and the Management Communication Address and Port are configured, the CDSM uses the SR's primary IP address for communication.

Note Do not check the Use SR's primary IP Address for Management Communication check box if you want to separate management and streaming traffic. Instead, use the Management Communication Address and Port fields to specify where management traffic should be sent.

Management Communication Address

Manually configures a management IP address for the CDSM to communicate with the SR.

Manual configuration of the management IP address and port is used when a port channel configuration separates management and streaming traffic. For more information about port channel configuration, see the "Configuring Port Channel and Load Balancing Settings" section and the "Configuring Port Channel" section.

Management Communication Port

Port number to enable communication between the CDSM and the SR.

Comments

Information about the settings.


Step 5 Click Submit to save the settings.


Configuring Routing Settings

The Routing Settings pages provide settings for the Request Routing Engine and the Proximity Engine. Configuring the Service Router engines consists of the following procedures:

Configuring Request Routing Settings

Configuring IP-Based Redirection

Configuring the Proximity Server Settings

In Release 2.5, the Service Router has two engines, the Request Routing Engine and the Proximity Engine.

The Request Routing Engine contains all the functionality that was part of the Service Router in Release 2.4 and previous releases. The Proximity Engine contains the functionality of the Proximity Servers used for proximity-based routing. For more information, see the "Service Router" section.

Configuring Request Routing Settings

To configure the Request Routing Settings, do the following:


Step 1 Choose Devices > Devices > Routing Settings > Request Routing Settings > General Settings. The Request Routing Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-55 for a description of the fields.

Table 4-55 Request Routing Settings—General Settings Fields 

Field
Description

Enable Location Based Routing

When location-based routing is enabled, the Service Router first looks up the client's IP address in the Coverage Zone file. If there is no subnet in the Coverage Zone file that matches the client's IP address, the client's geographical location is compared to the geographical location of the Service Engines listed in the Coverage Zone file, and the closest and least-loaded Service Engine is selected. Geographically locating a client is used when users roam outside of their home networks.

Primary Geo-Location Server IP Address and Port

The IP address and port number of the primary Geo-Location Server for location-based routing and CDN Selector. For more information, see the "Geo-Location Servers" section.

Secondary Geo-Location Server IP Address and Port

The IP address and port number of the secondary Geo-Location Server.

Enable Content Based Routing

When enabled, the SR redirects requests based on the URI. Requests for the same URI are redirected to the same SE, provided the SE's thresholds have not been exceeded. This optimizes disk usage in the CDS by storing only one copy of the content on one SE, instead of multiple copies on several SEs. For more information about content-based routing, see the "Content-Based Routing" section.

Number of Redundant Copies

Number of copies of a content to keep among SEs in a delivery service. The range is from 1 to 4. The default is 1. If redundancy is configured with more than one copy, multiple Service Engines are picked for a request with the same URI hash.

Enable Proximity Based Routing

When enabled, the SR contacts the Proximity Server with the client IP address and a list of SEs. The Proximity Server returns a list of SEs ordered by distance or metric, and provides a client subnet mask. The SR caches this information for this client. The SR redirects the client request to the SE selected, which is based on load, availability, and delivery service subscription.

To configure a standalone Proximity Engine, see the Cisco Internet Streamer 2.5 Command Reference.

To configure a collocated Proximity Engine, see the "Configuring the Proximity Server Settings" section.

For more information, see the "Proximity-Based Routing" section.

Proximity Cache Timeout

The maximum number of seconds the proximity response from the Proximity Server is valid for a client subnet. After the Proximity Cache Timeout period has elapsed, any new request from the same client subnet causes the SR to query the Proximity Server for a new proximity response. The range is from 1 to 86400. The default is 1800.

Proximity ratings for overlapping subnets are not cached.

Hostname [1-8]

The IP address of the Proximity Server. If you are using the collocated Proximity Engine as one of the Proximity Servers, enter 127.0.0.1 as the IP address. For more information on configuring the Proximity Engine, see the "Configuring the Proximity Server Settings" section.
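One way to realize the content-based routing behaviour described above (same URI to the same SE, up to four redundant copies, SEs over threshold skipped) is rendezvous hashing, shown here as an added Python example. It is not the Service Router's own hash function, and the SE names, loads and thresholds are constructed.

```python
import hashlib


def _weight(uri, se_name):
    """Deterministic per-(URI, SE) score: the same URI always ranks the SEs the same way."""
    digest = hashlib.sha256(f"{uri}\0{se_name}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def pick_service_engines(uri, engines, copies=1):
    """Return up to `copies` SE names for the URI, most preferred first.

    `engines` maps SE name -> {"load": n, "threshold": m} (constructed layout).
    An SE whose load has reached its threshold is skipped, so the request goes
    to the next SE in the URI's ranking instead.
    """
    if not 1 <= copies <= 4:
        raise ValueError("Number of Redundant Copies must be from 1 to 4")
    ranked = sorted(engines, key=lambda se: _weight(uri, se), reverse=True)
    eligible = [se for se in ranked if engines[se]["load"] < engines[se]["threshold"]]
    return eligible[:copies]


if __name__ == "__main__":
    # Constructed delivery service with three SEs.
    pool = {name: {"load": 10, "threshold": 100} for name in ("se-a", "se-b", "se-c")}
    for uri in ("/vod/clip1.mp4", "/vod/clip2.mp4"):
        print(uri, "->", pick_service_engines(uri, pool, copies=2))
```

Because the ranking is per URI, removing or overloading one SE only moves the URIs that were mapped to it; every other URI keeps its SE and its single cached copy.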


Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Geo-Location Servers

The Geo-Location servers work with the following Internet Streamer CDS features:

Location-based routing

CDN Selector

Authorization Service

For location-based routing, the Geo-Location servers identify the latitude and longitude of a client based on the IP address of the client. The Request Routing Engine compares the latitude and longitude of each Service Engine, which is defined in the Coverage Zone file, with the latitude and longitude of the client to assign the Service Engine that is geographically closest to the client. For more information on location-based routing, see the "Location-Based Routing" section and "Creating Coverage Zone Files."

For CDN Selector, the Geo-Location server identifies the country of a client by the IP address of the client. The CDN Selector compares the client's country with the countries defined in the CDN Selector file. If the client's country matches a country specified in the CDN Selector file, the translated URL associated with that CDN is used. If a match is not found, the default CDN and its translated URL are used. The Service Router then sends a 302 redirect to the client with the translated URL for the selected third-party streaming service. For more information about CDN Selector, see "Creating CDN Selector Files."

For Authorization Service, the Geo-Location servers identify the city, state, and country of the client based on the IP address of the client. The Authorization Service on the Service Engine compares the city, state, and country of the client with city, state, and country defined in the Authorization Service file. If a match is found, the client is either allowed or denied based on what is specified in the Authorization Service file. For more information about configuring the Authorization Service, see the "Configuring the Authorization Service" section.

Caching Geo-Location Server Information

The SR or SE caches the Geo-Location information returned from the Geo-Location servers, and the device (SE or SR) queries its own cache first before contacting the Geo-Location servers. If the IP address of the client is found in the cache on the device, the lookup is performed using that information and the Geo-Location servers are not contacted.

For location-based routing, the SR caches up to 10,000 IP addresses. The IP addresses are discrete, which means they do not describe subnets. The cached information expires after 8 days. If the cache is full, the entries are replaced according to the least recently used (LRU) mechanism.

For CDN Selector, the SR caches information on the country, state, and city of 10,000 clients. The cached information expires after 8 days. If the cache is full, the entries are replaced according to the LRU mechanism.

For Authorization Service, the SE caches information on the country of 10,000 clients. The cached information expires after 8 days. If the cache is full, the entries are replaced according to the LRU mechanism.


Note Currently, there is no command to clear the Geo-location cache on the device.


Redundant Geo-Location Servers

The CDS offers the ability to configure primary and secondary Geo-Location servers. If the primary server is not reachable, the secondary Geo-Location server is contacted. The secondary Geo-Location server is then used until it becomes unreachable, in which case the primary Geo-Location server is contacted again. The Geo-Location server configuration determines the time to wait before failing over to the other server. The default is 245 milliseconds.

For all features, location-based routing, CDN Selector, and Authorization Service, the cached client information on the CDS device is checked first before querying the Geo-Location servers.

For location-based routing, if both primary and secondary Geo-Location servers are down, the CDS uses the default route configured through the zero-IP based configuration in the Coverage Zone file. For more information, see the "Zero-IP Based Configuration" section.

For CDN Selector, if both primary and secondary Geo-Location servers are down, the CDS uses the default CDN configured in the CDN Selector file.

For Authorization Service, if both the primary and secondary Geo-Location servers are down, a request denied message is returned to the client. The type of message that is returned depends on the protocol engine (for example, the Flash Media Streaming engine sends "Denied by auth server"). However, the client receives the same denied message from the protocol engine whether the client is denied based on the Authorization Service configuration, or based on the Geo-Location servers being down and the client information not being available in the SE cache.
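The caching and failover behaviour described in the "Caching Geo-Location Server Information" and "Redundant Geo-Location Servers" sections above, as an added Python model (not Cisco code): an LRU cache of discrete client IPs with the 8-day expiry is consulted first, the currently preferred Geo-Location server is queried with the 245-millisecond wait, the device stays on whichever server last answered, and each feature applies its own fallback when both servers are down. The server callables, clock, record layout and selector-file layout are constructed stand-ins for the proprietary protocol and file formats.

```python
import time
from collections import OrderedDict

CACHE_CAPACITY = 10_000              # page: up to 10,000 clients cached per feature
CACHE_TTL_SECONDS = 8 * 24 * 3600    # page: cached information expires after 8 days
FAILOVER_TIMEOUT_MS = 245            # page: default wait before trying the other server


class GeoCache:
    """LRU cache keyed by a discrete client IP (no subnets), with TTL expiry."""

    def __init__(self, capacity=CACHE_CAPACITY, ttl=CACHE_TTL_SECONDS, clock=time.time):
        self._entries = OrderedDict()     # ip -> (expires_at, record)
        self.capacity, self.ttl, self.clock = capacity, ttl, clock

    def get(self, ip):
        item = self._entries.get(ip)
        if item is None:
            return None
        expires_at, record = item
        if expires_at <= self.clock():
            del self._entries[ip]         # expired: behave as a miss
            return None
        self._entries.move_to_end(ip)     # mark as most recently used
        return record

    def put(self, ip, record):
        self._entries[ip] = (self.clock() + self.ttl, record)
        self._entries.move_to_end(ip)
        while len(self._entries) > self.capacity:
            self._entries.popitem(last=False)   # evict the least recently used entry

    def __len__(self):
        return len(self._entries)


class GeoLocator:
    """Cache first, then the currently preferred server; fail over on timeout."""

    def __init__(self, primary, secondary, cache):
        # Each server is a constructed callable (ip, timeout_ms) -> record that
        # raises TimeoutError when unreachable (stand-in for the TCP exchange).
        self.servers = [primary, secondary]
        self.active = 0                  # index of the server that answered last
        self.cache = cache

    def lookup(self, ip):
        """Return the client's record, or None when both servers are down."""
        record = self.cache.get(ip)
        if record is not None:
            return record
        for _ in range(2):               # try the active server, then the other one
            try:
                record = self.servers[self.active](ip, FAILOVER_TIMEOUT_MS)
            except TimeoutError:
                self.active = 1 - self.active   # stay on the other server until it fails too
                continue
            self.cache.put(ip, record)
            return record
        return None


def select_cdn(locator, ip, selector):
    """CDN Selector: match the client's country in the selector file, else the default CDN.
    `selector` looks like {"countries": {"DE": "cdn-eu"}, "default": "cdn-global"}."""
    record = locator.lookup(ip)
    if record is None:                   # both Geo-Location servers down: default CDN
        return selector["default"]
    return selector["countries"].get(record["country"], selector["default"])


def authorize(locator, ip, allowed_countries):
    """Authorization Service: with no geo answer available, the request is denied."""
    record = locator.lookup(ip)
    return record is not None and record["country"] in allowed_countries
```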

Communicating with the Geo-Location Servers

The CDS communicates with the Geo-Location servers by using a proprietary version of TCP. The port number used for communication is 7000 by default, but it can be changed as long as the Geo-Location servers and the Internet Streamer CDS devices are configured with the same port number.

Configuring IP-Based Redirection

IP-based redirection uses IP addresses to route client requests to the SR and on to the SE. For more information, see the "IP-Based Redirection" section.


Note In Release 2.5.7 and later releases, the Web Engine does not support IP-based redirection.


To enable IP-based redirection, do the following:


Step 1 Choose Devices > Devices > Routing Settings > Request Routing Settings > IP-based Redirection. The IP-based Redirection page is displayed.

Step 2 Check the Enable IP-based Redirection check box and click Submit.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring the Proximity Server Settings

The Proximity Server Settings are available when you choose the SR & Proximity Engine as the Work Type in the Device Activation page for the SR. See the "Activating a Service Router" section for more information. The Proximity Server Settings pages are only for a Proximity Engine that is collocated with the SR. To configure a standalone Proximity Engine, see the Cisco Internet Streamer 2.5 Command Reference.

To include the Proximity Engine on the SR as one of the Proximity Servers, you must enable proximity-based routing and add 127.0.0.1 as one of the Proximity Servers. See the "Configuring Request Routing Settings" section for more information.


Note The Proximity Engine is only supported on the CDE205 platform.


For more information on the Proximity Engine, see the "Proximity Engine" section.

The Proximity Server Settings for the Proximity Engine consists of the following pages:

General Settings—Enables the BGP proximity algorithms

IS-IS—Configures IS-IS adjacencies

OSPF—Configures the OSPF adjacencies

BGP—Configures the location community for the BGP community-based proximity

SRP—Configures Service Routing Protocol (SRP)

IGP and BGP protocol peering with the network routers are the basic building blocks for the proximity calculation. The Proximity Engine peers with the routers to learn the network topology and compute the best path for each prefix. Prefixes are deposited into the routing information base (RIB).


Note Although the Proximity Engine participates in both IGP and BGP with the routers, the routes that the Proximity Engine learns are used purely for proximity computation. The Proximity Engine is not a router.


In order for the proximity function to work, at least one of the following is required:

Enabled link-state protocol, such as OSPF or IS-IS for IGP proximity, which is required if the Proximity Engine is going to peer with IGP routers.

Enabled policy routing protocol, such as BGP for best-path proximity and location-community proximity, which is required if the Proximity Engine is going to peer with BGP routers.


Note All BGP routes must resolve to IGP next hops or directly connected routes.



Note Release 2.5.7 and later releases support only one IGP (IS-IS or OSPF) for the Proximity Engine. When upgrading to Release 2.5.7 or a later release from Release 2.5.1 or Release 2.5.3, if both IGPs (IS-IS and OSPF) were configured for the Proximity Engine, one of the configurations must be removed.


Enabling the BGP Proximity Algorithms

See the "BGP Proximity Algorithms" section for more information.

To enable the BGP proximity algorithms, do the following:


Step 1 Choose Devices > Devices > Routing Settings > Proximity Server Settings > General Settings. The Proximity Routing General Settings page is displayed.

Step 2 To enable the BGP best-path proximity, check the Enable proximity algorithm BGP best-path check box.


Note BGP best-path proximity algorithm is a Release 2.5.7 and later releases feature and requires the configuration of the BGP proximity settings. See the "Configuring the BGP Community-based Proximity Settings" section.


Step 3 To enable the BGP community-based proximity, check the Enable proximity algorithm BGP location-community check box.

Step 4 To enable the BGP redirect proximity, check the Enable proximity algorithm BGP redirect check box.


Note Redirect proximity algorithm is a Release 2.5.7 and later releases feature and requires the configuration of the BGP and the SRP proximity settings. See the "Configuring the BGP Community-based Proximity Settings" section and the "Configuring SRP" section for more information.


Step 5 Click Submit.

To remove the settings, click the Delete icon.

To restore the default settings, click the default settings icon.


Configuring the IS-IS Adjacencies

The Proximity IS-IS page allows the Proximity Engine to establish an adjacency with its directly connected neighbor and to receive the whole LSDB content. Protocol parameters, such as IS-type and IS network entity title (NET), vary according to network topology and deployment.

IS-IS is a link-state IGP routing protocol. Its protocol stack runs directly on Layer 2. The main characteristic of link-state protocols is that every node in the network holds an exact view of the routing topology, which gives faster convergence than distance-vector protocols. Each node in the network generates a Link State Packet (LSP) describing its neighbors, and the LSP is flooded throughout the network to every node. Reliable flooding is obtained through the Complete Sequence Number Packet (CSNP), which the Designated Router (DR) sends periodically on the LAN. The CSNP describes all the LSPs that the DR holds; a receiver compares the CSNP against its own database and requests any missing LSPs from the DR. Each node runs Dijkstra's algorithm (shortest path first [SPF]) to compute routes from the LSPs, and the routes are then added to the routing information base (RIB).


Note Release 2.5.7 and later releases support only one IGP (IS-IS or OSPF) for the Proximity Engine. When upgrading to Release 2.5.7 or a later release from Release 2.5.1 or Release 2.5.3, if both IGPs (IS-IS and OSPF) were configured for the Proximity Engine, one of the configurations must be removed.


To configure the IS-IS adjacencies, do the following:


Step 1 In Release 2.5.7 and later releases, choose Devices > Devices > Routing Settings > Proximity Server Settings > IS-IS > General Settings. In Releases 2.5.1 or 2.5.3, choose Devices > Devices > Routing Settings > Proximity Server Settings > IS-IS. The Proximity IS-IS page is displayed.

Step 2 To enable IS-IS adjacencies, check the Enable check box and click Submit. The Create new Proximity IS-IS Interface icon is displayed.

Step 3 Enter the settings as appropriate. See Table 4-56 for a description of the fields.

Table 4-56 Proximity IS-IS Fields 

Field
Description

Network Entity

Enter the Network Entity (network entity title [NET]) for a Connectionless Network Service (CLNS). Under most circumstances, one and only one NET must be configured. A NET is a network service access point (NSAP) address 8 to 20 bytes long; its last byte is the n-selector and must always be zero.

The six bytes directly in front of the n-selector are the system ID. The system ID length is a fixed size and cannot be changed. The system ID must be unique throughout each area (Level 1) and throughout the backbone (Level 2). All bytes in front of the system ID are the area ID. The area ID must match the area ID of the IS-IS router that the Proximity Engine is peering with.

A NET must be configured to define the system ID and area ID.

Enable log-adjacency-changes

Check the Enable log-adjacency-changes check box to enable logging of changes to adjacency. When enabled, syslog messages are sent whenever an IS-IS neighbor goes up or down.

LSP MTU

Set the maximum transmission unit (MTU) size, in bytes, for link state packets (LSPs). The LSP MTU size describes the amount of information that can be recorded in a single LSP. The LSP MTU range is from 128 to 4352. If the LSP MTU is not configured, the default is used. The default is 1492.

IS-Type

From the IS-Type drop-down list, choose one of the following routing algorithms:

level-1—Level 1 is intra-area. The Proximity Engine learns only about destinations inside its area.

level-1-2—The Proximity Engine runs both Level 1 and Level 2 routing algorithms.

For Level 1, it has one link state packet database (LSDB) for destinations inside the area (Level 1) and runs a shortest path first (SPF) calculation to discover the area topology.

For Level 2, it also has another LSDB with link-state packets (LSPs) of all other backbone (Level 2) routers, and runs another SPF calculation to discover the topology of the backbone, and the existence of all other areas.

level-2—The Proximity Engine communicates with Level 2 (inter-area) routers only. The Proximity Engine is part of the backbone and does not communicate with Level 1-only routers in its own area.

The default is level-1-2.

Authentication Type [Level-1 or Level-2]

From the Authentication Type Level-1 drop-down list or the Authentication Type Level-2 drop-down list, choose one of the following authentication types for the corresponding level:

None—Do not use MD-5 authentication

cleartext—Do not encrypt the key

md5—Encrypt the key

Note MD-5 authentication is a Release 2.5.7 and later releases feature.

Enable Authentication Check [Level-1 or Level-2]

To enable authentication check for Level 1, check the Enable Authentication Check Level-1 check box. To enable authentication check for Level 2, check the Enable Authentication Check Level-2 check box.

When enabled, packets that do not have the proper authentication are discarded. When disabled, IS-IS adds authentication to the outgoing packets, but does not check authentication on incoming packets, which allows for enabling authentication without disrupting the network operation.

Note MD-5 authentication is a Release 2.5.7 and later releases feature.

Authentication KeyChain [Level-1 or Level-2]

Specify the key chain to be used for authentication at the corresponding level. The key chain can be up to 64 alphanumeric characters.

Note MD-5 authentication is a Release 2.5.7 and later releases feature.
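As an added Python example (not Cisco code), the following parses a NET into its area ID, system ID and n-selector and checks the constraints the Network Entity field in Table 4-56 describes: 8 to 20 bytes, a zero n-selector, a 6-byte system ID that is unique among the peers, and an area ID that matches the peering IS-IS router. The NET values and router names are constructed.

```python
import re

NET_MIN_BYTES, NET_MAX_BYTES = 8, 20      # page: NET length is 8 to 20 bytes
SYSTEM_ID_BYTES = 6                       # page: six bytes directly before the n-selector
# Dot-separated groups of 2 or 4 hex digits, the usual way a NET is written.
_NET_RE = r"(?:[0-9A-Fa-f]{2}|[0-9A-Fa-f]{4})(?:\.(?:[0-9A-Fa-f]{2}|[0-9A-Fa-f]{4}))*"


def parse_net(net):
    """Split a NET such as '49.0001.1921.6800.1001.00' into its parts.

    Returns {"area_id", "system_id", "nsel"} as lowercase hex strings, or raises
    ValueError naming the rule that was violated.
    """
    if not re.fullmatch(_NET_RE, net):
        raise ValueError(f"{net!r}: NET must be dot-separated groups of 2 or 4 hex digits")
    hexstr = net.replace(".", "").lower()
    nbytes = len(hexstr) // 2
    if not NET_MIN_BYTES <= nbytes <= NET_MAX_BYTES:
        raise ValueError(f"{net!r}: NET is {nbytes} bytes; must be {NET_MIN_BYTES} to {NET_MAX_BYTES}")
    nsel = hexstr[-2:]
    if nsel != "00":
        raise ValueError(f"{net!r}: n-selector is {nsel}; must be 00")
    system_id = hexstr[-2 - 2 * SYSTEM_ID_BYTES:-2]
    area_id = hexstr[:-2 - 2 * SYSTEM_ID_BYTES]   # everything before the system ID
    return {"area_id": area_id, "system_id": system_id, "nsel": nsel}


def check_peering(engine_net, router_nets):
    """Return a list of problems with the Proximity Engine's NET relative to its peers.

    `router_nets` maps a router name to its NET (constructed input). The page requires
    the engine's area ID to match the peering router's and every system ID to be unique.
    """
    problems = []
    engine = parse_net(engine_net)
    seen = {engine["system_id"]: "proximity engine"}
    for name, net in router_nets.items():
        router = parse_net(net)
        if router["area_id"] != engine["area_id"]:
            problems.append(f"{name}: area ID {router['area_id']} differs from "
                            f"engine area ID {engine['area_id']}")
        if router["system_id"] in seen:
            problems.append(f"{name}: system ID {router['system_id']} duplicates "
                            f"{seen[router['system_id']]}")
        seen.setdefault(router["system_id"], name)
    return problems


if __name__ == "__main__":
    print(parse_net("49.0001.1921.6800.1001.00"))
    for p in check_peering("49.0001.1921.6800.1001.00",
                           {"r1": "49.0001.1921.6800.1002.00",
                            "r2": "49.0002.1921.6800.1003.00"}):
        print("problem:", p)
```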


Step 4 Click Submit. The Create new Proximity IS-IS Interface icon is displayed.

To delete the IS-IS configuration, click the Delete icon.

Step 5 To configure the proximity IS-IS interface, click the Create new Proximity IS-IS Interface icon. The Proximity IS-IS Interface page is displayed.

Step 6 From the Name drop-down list, choose an interface to configure for IS-IS. The number of available interfaces depends on the CDE.

Step 7 Enter the settings as appropriate. See Table 4-57 for a description of the fields.

Table 4-57 Proximity IS-IS Interface Fields 

Field
Description

Enable IP IS-IS router

Check the Enable IP IS-IS router check box to enable IS-IS routing protocol on this interface.

IS-IS Priority for level-1

Enter the IS-IS Level 1 (intra-area) priority of this interface. The higher the priority value, the more likely a router becomes the designated router (DR) in the Level 1 area; therefore, because the Proximity Engine is not a router, make sure the priority level is such that it does not interfere with the election of the DR. The IS-IS Priority for level-1 range is from 0 to 127. The default is 64.

IS-IS Priority for level-2

Enter the IS-IS Level 2 (inter-area) priority of this interface. The higher the priority value, the more likely a router becomes the designated router (DR) in the Level 2 area; therefore, because the Proximity Engine is not a router, make sure the priority level is such that it does not interfere with the election of the DR. The IS-IS Priority for level-2 range is from 0 to 127. The default is 64.

IS-IS Circuit Type

From the IS-IS Circuit Type drop-down list, choose one of the following adjacency levels:

level-1—For Level 1 adjacency

level-1-2—For Level 1 and Level 2 adjacency.

level-2—For Level 2 adjacency.

The default is level-1-2.

IS-IS Authentication Type [Level-1 or Level-2]

From the Authentication Type Level-1 drop-down list or the Authentication Type Level-2 drop-down list, choose one of the following authentication types for the corresponding level:

None—Do not use MD-5 authentication

cleartext—Do not encrypt the key

md5—Encrypt the key

Note MD-5 authentication is a Release 2.5.7 and later releases feature.

Enable IS-IS Authentication Check

[Level-1 or Level-2]

To enable authentication check for Level 1, check the Enable Authentication Check Level-1 check box. To enable authentication check for Level 2, check the Enable Authentication Check Level-2 check box.

When enabled, packets that do not have the proper authentication are discarded. When disabled, IS-IS adds authentication to the outgoing packets, but does not check authentication on incoming packets, which allows for enabling authentication without disrupting the network operation.

Note MD-5 authentication is a Release 2.5.7 and later releases feature.

IS-IS Authentication KeyChain

[Level 1 or Level-2]

Specify the key chain to be used for the authentication for corresponding level. The key chain can be up to 64 alphanumeric characters.

Note MD-5 authentication is a Release 2.5.7 and later releases feature.
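
As an added example (not code from this guide or from the Cisco CDS software), the following Python models the two receiver settings in this table: the authentication type (cleartext versus HMAC-MD5, as in RFC 5304) and the Enable Authentication Check behaviour, in which a receiver with the check disabled still signs what it sends but accepts unverified packets, so authentication can be rolled out across a level without breaking adjacencies. The PDU framing (an 8-byte placeholder header followed by TLVs), the key chain dictionary and the sample key are simplifications constructed for the example; the valid_key_string helper applies the key-string limits stated for the Key String field in Step 15.

```python
import hmac
import hashlib

# IS-IS Authentication TLV (type 10) and the authentication-type codes it carries.
AUTH_TLV_TYPE = 10
AUTH_TYPE_CLEARTEXT = 1    # password sent in the clear
AUTH_TYPE_HMAC_MD5 = 54    # HMAC-MD5 (RFC 5304)
HEADER_LEN = 8             # assumed fixed-header size of this toy PDU model


def valid_key_string(key: str) -> bool:
    """Key-string rule from the guide: up to 64 characters, and no space,
    single quote, double quote or '|' (printable ASCII otherwise)."""
    if not 0 < len(key) <= 64:
        return False
    return all(33 <= ord(c) <= 126 and c not in "'\"|" for c in key)


def tlv(tlv_type: int, value: bytes) -> bytes:
    return bytes([tlv_type, len(value)]) + value


def iter_tlvs(pdu: bytes):
    """Yield (offset, type, value) for every TLV that follows the fixed header."""
    i = HEADER_LEN
    while i + 2 <= len(pdu):
        t, length = pdu[i], pdu[i + 1]
        yield i, t, pdu[i + 2:i + 2 + length]
        i += 2 + length


def find_auth_tlv(pdu: bytes):
    for off, t, val in iter_tlvs(pdu):
        if t == AUTH_TLV_TYPE and val:
            return off, val[0], val[1:]
    return None


def isis_sign(pdu: bytes, key: bytes, auth_type: int) -> bytes:
    """Sender side: append an Authentication TLV to a PDU that has none yet."""
    if auth_type == AUTH_TYPE_CLEARTEXT:
        return pdu + tlv(AUTH_TLV_TYPE, bytes([AUTH_TYPE_CLEARTEXT]) + key)
    # HMAC-MD5 covers the whole PDU with the 16-byte digest field set to zero.
    zeroed = pdu + tlv(AUTH_TLV_TYPE, bytes([AUTH_TYPE_HMAC_MD5]) + bytes(16))
    digest = hmac.new(key, zeroed, hashlib.md5).digest()
    return pdu + tlv(AUTH_TLV_TYPE, bytes([AUTH_TYPE_HMAC_MD5]) + digest)


def isis_verify(pdu: bytes, keychain: dict) -> bool:
    """Receiver side: true only if some key in the chain authenticates the PDU."""
    found = find_auth_tlv(pdu)
    if found is None:
        return False                       # no Authentication TLV at all
    off, atype, val = found
    if atype == AUTH_TYPE_CLEARTEXT:
        return any(hmac.compare_digest(val, k) for k in keychain.values())
    if atype == AUTH_TYPE_HMAC_MD5 and len(val) == 16:
        # Rebuild the zeroed image: off -> type, off+1 -> length, off+2 -> auth type,
        # off+3 .. off+18 -> digest.
        zeroed = pdu[:off + 3] + bytes(16) + pdu[off + 19:]
        return any(hmac.compare_digest(hmac.new(k, zeroed, hashlib.md5).digest(), val)
                   for k in keychain.values())
    return False                           # unknown auth type or malformed digest


def isis_receive(pdu: bytes, keychain: dict, check_enabled: bool) -> bool:
    """'Enable Authentication Check' semantics: when the check is off, inbound
    packets are accepted unverified (outbound packets are still signed)."""
    if not check_enabled:
        return True
    return isis_verify(pdu, keychain)


# Constructed sample data: a key chain with one key and a toy PDU holding an
# Area Address TLV (type 1). The header bytes are placeholders, not real IS-IS.
KEYCHAIN = {1: b"s3cretKey01"}
SAMPLE_PDU = bytes.fromhex("831b010010000000") + tlv(1, bytes.fromhex("490001"))

if __name__ == "__main__":
    signed = isis_sign(SAMPLE_PDU, KEYCHAIN[1], AUTH_TYPE_HMAC_MD5)
    tampered = signed[:12] + b"\x02" + signed[13:]     # flip one byte of the area TLV
    print("genuine, check on  :", isis_receive(signed, KEYCHAIN, True))
    print("tampered, check on :", isis_receive(tampered, KEYCHAIN, True))
    print("tampered, check off:", isis_receive(tampered, KEYCHAIN, False))
```

The rollout order this implies is the one the table describes: configure the key chain and authentication type on every node first (all nodes now sign), then enable the check, at which point an unsigned or tampered PDU is discarded rather than merely logged.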


Step 8 Click Submit.

To delete an IS-IS interface configuration, click the Edit icon for the interface, then click the Delete icon in the task bar.

Step 9 Repeat Step 5 through Step 8 for each IS-IS interface.

Step 10 To configure the MD-5 key chains for IS-IS, choose Devices > Devices > Routing Settings > Proximity Server Settings > IS-IS > MD5 Settings. The IS-IS Keychain page is displayed.


Note MD-5 authentication is a Release 2.5.7 and later releases feature.


Step 11 Click the Create new KeyChain icon. The Creating New KeyChain page is displayed.

Step 12 In the Key ID field, enter the identifier for the key chain and click Submit. The page refreshes.

This Key ID identifies the key chain itself; multiple keys, each with its own key ID, can then be configured under it.

Step 13 Click the Create New KeyChain Key icon. The KeyChain Key page is displayed.

Step 14 In the Key ID field, enter the key ID. The range is from 0 to 65535.

Step 15 In the Key String field, enter the key string to be used for authentication. The key string can be up to 64 alphanumeric characters, except a space, single (') and double quotes ("), and the "|" symbol.


Configuring the OSPF Adjacencies

The Proximity OSPF page allows the Proximity Engine to establish an adjacency with its directly connected neighbor (router) to receive the whole LSDB content. Other OSPF settings depend on network topology, deployment and configuration of neighbor nodes.

OSPF is a link-state interior gateway protocol (IGP). It runs on top of the IP protocol stack. Each node describes its neighbors in link state advertisement (LSA) packets. The LSAs are flooded to all OSPF nodes. Each node uses the shortest path first (SPF) algorithm to compute routes from the LSAs. The routes are then deposited into the RIB.


Note Release 2.5.7 and later releases support only one IGP (IS-IS or OSPF) for the Proximity Engine. When upgrading to Release 2.5.7 or a later release from Release 2.5.1 or Release 2.5.3, if both IGPs (IS-IS and OSPF) were configured for the Proximity Engine, one of the configurations must be removed.


To configure the OSPF adjacencies, do the following:


Step 1 Choose Devices > Devices > Routing Settings > Proximity Server Settings > OSPF. The Proximity OSPF page is displayed.

Step 2 To enable OSPF adjacencies, check the Enable check box and click Submit. The Create new icons for Proximity OSPF Network, Proximity OSPF Area, and Proximity OSPF Interface display.

To delete the OSPF configuration, click the Delete icon.

Step 3 Check the Enable log-adjacency-changes check box to enable logging changes to the adjacency and click Submit.

To delete the OSPF configuration, click the Delete icon.

Step 4 To configure the proximity OSPF network, click the Create new Proximity OSPF Network icon. The Proximity OSPF Network page is displayed.

Step 5 Enter the settings as appropriate. See Table 4-58 for a description of the fields.

Table 4-58 Proximity OSPF Network Fields 

Field
Description

IP Prefix

IP address that is used in combination with the Network Mask to produce the IP prefix. The IP prefix is used to define the OSPF area and consists of a combination of the IP address and netmask.

Wildcard Mask

The network mask is used with the IP Prefix to define the area on this network. The mask contains wildcard bits, where 0 is a match and 1 is a "do not care" bit; for example, 0.0.255.255 indicates a match in the first two bytes of the network number.

Area ID

Identifier of the area that the IP prefix defines. The identifier can be specified as either a decimal value or an IP address. Valid entries are from 0 to 4294967295; an IP address (A.B.C.D) can be used if you intend to associate areas with IP subnets.

Each area is interface specific. For OSPF to operate on the OSPF interface, the primary address of the interface must be covered by the network area. The Proximity Engine sequentially evaluates the IP Prefix/Network Mask pair for each interface as follows:

1. The Network Mask is logically ORed with the OSPF interface IP address.

2. The Network Mask is logically ORed with the IP Prefix.

3. The software compares the two resulting values. If they match, OSPF is enabled on the associated interface and the associated OSPF interface is attached to the OSPF area specified.

There is no limit to the number of network areas that can be configured.

Note An interface can only be associated to a single area. If the address ranges specified for different areas overlap, the software adopts the first area in the list and ignores the subsequent overlapping portions. In general, we recommend that you configure address ranges that do not overlap to avoid inadvertent conflicts.

When a smaller OSPF network area is removed, the OSPF interfaces belonging to that network area are retained and remain active if a larger network area that encompasses those interfaces still exists. Interfaces that are part of a larger area are removed and become part of another area only if the other area is a smaller area (subset) of the larger area.
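
As an added example (not from this guide or the CDS software), the following Python reproduces the three evaluation steps above with a first-match-wins walk over an ordered list of network/area statements, and adds a check that flags statements for different areas whose ranges overlap, the situation the note warns about. The wildcard convention (0 = must match, 1 = do not care) is the one the table describes; the statement list, interface names and addresses are constructed sample data.

```python
import ipaddress


def _u32(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_netmask(netmask: str) -> str:
    """Subnet mask -> wildcard mask (bitwise complement): 255.255.0.0 -> 0.0.255.255."""
    return str(ipaddress.IPv4Address(_u32(netmask) ^ 0xFFFFFFFF))


def prefix_matches(ip_prefix: str, wildcard: str, interface_ip: str) -> bool:
    """Steps 1-3 of the table: OR the wildcard into the interface address and into
    the IP prefix, then compare; 1 bits in the wildcard are 'do not care'."""
    w = _u32(wildcard)
    return (_u32(interface_ip) | w) == (_u32(ip_prefix) | w)


def assign_areas(network_areas, interfaces):
    """network_areas: ordered list of (ip_prefix, wildcard, area_id); the first
    matching statement wins. interfaces: {name: primary_ip}.
    Returns {name: area_id}, with None for interfaces OSPF is not enabled on."""
    result = {}
    for name, ip in interfaces.items():
        result[name] = None
        for ip_prefix, wildcard, area in network_areas:
            if prefix_matches(ip_prefix, wildcard, ip):
                result[name] = area
                break
    return result


def overlapping_statements(network_areas):
    """Index pairs of statements for different areas whose ranges overlap, i.e. some
    address could match both. Two statements overlap iff they agree on every bit
    that both of them fix (a 0 bit in both wildcards)."""
    pairs = []
    for i, (p1, w1, a1) in enumerate(network_areas):
        for j in range(i + 1, len(network_areas)):
            p2, w2, a2 = network_areas[j]
            dont_care = _u32(w1) | _u32(w2)
            if a1 != a2 and (_u32(p1) | dont_care) == (_u32(p2) | dont_care):
                pairs.append((i, j))
    return pairs


# Constructed sample: two network/area statements (the second encloses the first)
# and three interface addresses.
NETWORK_AREAS = [
    ("10.1.0.0", "0.0.255.255", "0"),      # 10.1.0.0/16 -> area 0
    ("10.0.0.0", "0.255.255.255", "1"),    # 10.0.0.0/8  -> area 1
]
INTERFACES = {"eth0": "10.1.5.1", "eth1": "10.2.0.1", "eth2": "192.168.1.1"}

if __name__ == "__main__":
    print(assign_areas(NETWORK_AREAS, INTERFACES))
    print("overlapping:", overlapping_statements(NETWORK_AREAS))
    # Removing the smaller area: eth0 stays active, now under the enclosing area 1.
    print(assign_areas(NETWORK_AREAS[1:], INTERFACES))
```

Running the same interface set against the list with the smaller statement removed shows the retention behaviour described in the last paragraph: the interface does not drop out of OSPF, it is simply picked up by the enclosing statement.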


Step 6 Click Submit.

To delete an OSPF network configuration, click the Edit icon for the network, then click the Delete icon in the task bar.

Step 7 Repeat Step 4 through Step 6 for each OSPF network.

To delete an OSPF network, click the OSPF network to display the settings and click the Delete icon.

Step 8 To configure the proximity OSPF area, click the Create new Proximity OSPF Area icon. The Proximity OSPF Area page is displayed.

Step 9 Enter the settings as appropriate. See Table 4-59 for a description of the fields.

Table 4-59 Proximity OSPF Area Fields 

Field
Description

Area ID

Enter an Area ID that was defined in the Proximity OSPF Network page.

Type

Choose one of the following area types:

NSSA (not-so-stubby area)—For areas that include an autonomous system boundary router (ASBR) that generates type 7 LSAs and an area border router (ABR) that translates them into type 5 LSAs.

Stub—An area with only one OSPF router that does not contain an ASBR.


Step 10 Click Submit.

To delete an OSPF area configuration, click the Edit icon for the area, then click the Delete icon in the task bar.

Step 11 Repeat Step 8 through Step 10 for each OSPF area.

To delete an OSPF area, click the OSPF area to display the settings and click the Delete icon.

Step 12 To configure the proximity OSPF interface, click the Create new Proximity OSPF Interface icon. The Proximity OSPF Interface page is displayed.

Step 13 From the Name drop-down list, choose an interface to configure for OSPF. The number of available interfaces depends on the CDE.

Step 14 In the OSPF Priority field, enter the OSPF priority. The range is 0 to 255. The default is 1.

The highest OSPF priority on a segment becomes the designated router (DR) for that segment. A priority value of zero indicates an interface which is not to be elected as DR or backup designated router (BDR).

Step 15 Click Submit.

To delete an OSPF interface configuration, click the Edit icon for the interface, then click the Delete icon in the task bar.

Step 16 Repeat Step 12 through Step 15 for each OSPF interface.


Configuring the BGP Community-based Proximity Settings

A BGP community is a group of prefixes that share some common property and can be configured with the BGP community attribute. The BGP community attribute is an optional transitive attribute of variable length. The attribute consists of a set of four octet values that specify a community. The community attribute values are encoded with an autonomous system (AS) number in the first two octets, with the remaining two octets defined by the AS. A prefix can have more than one community attribute. A BGP speaker that sees multiple community attributes in a prefix can act based on one, some, or all the attributes.

See the "BGP Proximity Algorithms" section for more information.

To configure the BGP community-based proximity settings, do the following:


Step 1 Choose Devices > Devices > Routing Settings > Proximity Server Settings > BGP. The Proximity BGP page is displayed.

Step 2 In the Local AS Number field, enter the autonomous system (AS) number that identifies the Proximity Engine and tags the routing information that is passed along.

AS numbers are globally unique numbers that are used to identify ASes, and which enable an AS to exchange exterior routing information between neighboring ASes. An AS is a connected group of IP networks that adhere to a single and clearly defined routing policy.

There are a limited number of available AS numbers. Therefore, it is important to determine which sites require unique AS numbers and which do not. Sites that do not require a unique AS number should use one or more of the AS numbers reserved for private use, which are in the range from 64512 to 65535.

Step 3 Check the Enable Log Neighbor Changes check box to enable logging of status changes (up, down, or resets) to BGP neighbors.

Use the show ip bgp neighbors command to view the status changes.

Step 4 Click Submit. The Create new icons for Location Community for BGP and Neighbor for BGP display.

To delete the BGP configuration, click the Delete icon.

Step 5 To configure a BGP location community, click the Create new Location Community for BGP icon. The BGP Location Community page is displayed.


Note The maximum number of location communities allowed for each SE is 128. The show running-config command displays the location communities in ascending order.


Step 6 In the Location Community field, enter the location community for the AS in one of the following formats:

<AS>:<POP>
<AS1>:<POP1>-<AS2>:<POP2>

The location community numbers are used within the network to locate prefix origination points. The configuration includes all community values that represent a location. The Location Community field entry could be in the form of a list of community numbers, for example, 100:3535, 100:4566, 100:5678, 100:5678, 100:6789. Or, the community numbers can be expressed as intervals, such as 100:3000-100:4000, 100:5000-100:6000, and so on.

Step 7 In the Weight field, enter the weight to be assigned to the location community. The default is 1. The range is from 1 to 7.

The weight is considered in the proximity ranking algorithm. If PTA1 and PTA2 have at least one community in common as the PSA, then the weight assigned to the location community is considered. The larger the number, the more weight the community has. If PTA1 has a weight of 5 and PTA2 has a weight of 2, PTA1 is preferred over PTA2.


Note The Weight field is only available in Release 2.5.9 and later releases.
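
As an added example (not from this guide or the CDS software), the following Python decodes a raw 4-octet community value into AS:value form, parses the Location Community field in both the list and the interval formats shown in Step 6, enforces the 128-entry and 1-to-7 weight limits, and ranks proximity targets (PTAs) against a source (PSA) by the weight of the location community they share, as Step 7 describes. The ranking is a simplified reading of that paragraph, not the Proximity Engine's actual algorithm; the location names, community values and weights are constructed sample data.

```python
import re

MAX_LOCATION_COMMUNITIES = 128   # per SE, from the note above
WEIGHT_RANGE = range(1, 8)       # Weight field: 1 to 7

_COMMUNITY = re.compile(r"^(\d{1,5}):(\d{1,5})$")


def decode_community(raw: bytes):
    """One 4-octet COMMUNITIES attribute value -> (AS number, AS-defined value)."""
    if len(raw) != 4:
        raise ValueError("community values are 4 octets")
    return int.from_bytes(raw[:2], "big"), int.from_bytes(raw[2:], "big")


def community_key(as_number: int, value: int) -> int:
    """Pack AS:value into one 32-bit integer so intervals can be compared."""
    if not (0 <= as_number <= 65535 and 0 <= value <= 65535):
        raise ValueError("AS and value must fit in 16 bits")
    return (as_number << 16) | value


def parse_community(text: str) -> int:
    m = _COMMUNITY.match(text.strip())
    if not m:
        raise ValueError("expected <AS>:<POP>, got %r" % text)
    return community_key(int(m.group(1)), int(m.group(2)))


def parse_location_community(spec: str):
    """Location Community field: a comma-separated list of <AS>:<POP> values and/or
    <AS1>:<POP1>-<AS2>:<POP2> intervals -> sorted list of inclusive (lo, hi) ranges."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (parse_community(part) for part in item.split("-", 1))
        else:
            lo = hi = parse_community(item)
        if lo > hi:
            raise ValueError("interval bounds reversed: %r" % item)
        ranges.append((lo, hi))
    return sorted(ranges)


def add_location(locations: dict, name: str, spec: str, weight: int) -> None:
    """Register one location community with its weight, enforcing the field limits."""
    if weight not in WEIGHT_RANGE:
        raise ValueError("weight must be 1..7")
    if len(locations) >= MAX_LOCATION_COMMUNITIES:
        raise ValueError("at most 128 location communities per SE")
    locations[name] = (parse_location_community(spec), weight)


def in_location(community: int, ranges) -> bool:
    return any(lo <= community <= hi for lo, hi in ranges)


def rank_targets(psa_communities, pta_communities: dict, locations: dict):
    """Order PTAs by the weight of the location community they share with the PSA
    (larger weight first); a PTA sharing nothing with the PSA scores 0."""
    psa = set(psa_communities)

    def score(name):
        shared = psa & set(pta_communities[name])
        best = 0
        for ranges, weight in locations.values():
            if any(in_location(c, ranges) for c in shared):
                best = max(best, weight)
        return best

    return sorted(pta_communities, key=score, reverse=True)


# Constructed sample: two location communities and the communities seen on the
# prefixes of the PSA (source) and two PTAs (targets).
LOCATIONS = {}
add_location(LOCATIONS, "popA", "100:3000-100:4000", 5)
add_location(LOCATIONS, "popB", "100:5000-100:6000", 2)
PSA = [parse_community("100:3540"), parse_community("100:5100")]
PTAS = {"pta2": [parse_community("100:5100")], "pta1": [parse_community("100:3540")]}

if __name__ == "__main__":
    print(decode_community(bytes.fromhex("00640dcf")))   # (100, 3535)
    print(rank_targets(PSA, PTAS, LOCATIONS))            # ['pta1', 'pta2']
```

Because a prefix can carry several communities, a PSA may fall into more than one configured location; the scorer takes the heaviest location shared with each PTA, which is the reading of "the larger the number, the more weight the community has" used here.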


Step 8 Click Submit.

Step 9 To configure a BGP neighbor, click the Create new Neighbor for BGP icon. The BGP Neighbor page is displayed.

Step 10 Enter the settings as appropriate. See Table 4-60 for a description of the fields.

Table 4-60 BGP Neighbor Fields 

Field
Description

IP Address

IP address of the neighbor.

Remote AS Number

AS number to which the neighbor belongs. The range is from 1 to 65535.

EBGP multihop TTL

Time-to-live value for the external BGP (eBGP) multihop scenarios. The range is from 2 to 255. The default is 1.

Keep Alive Interval

The keepalive interval, in seconds, for a BGP peer. The range is from 0 to 3600. The default is 60.

Hold Timer

The hold timer interval, in seconds, for a BGP peer. The range is from 0 to 3600. The default is 180.

Password

Enter the password to enable Message Digest 5 (MD-5) authentication on a TCP connection between the Proximity Engine and the BGP neighbor.

The password is case sensitive and can be up to 79 characters. The first character cannot be a number. The string can contain any alphanumeric characters, including spaces. You cannot specify a password in the format number-space-anything. The space after the number can cause authentication to fail.


To delete a BGP neighbor configuration, click the Edit icon for the neighbor, then click the Delete icon in the task bar.

Step 11 Click Submit.

Step 12 Repeat Step 9 through Step 11 for each BGP neighbor.

To delete a BGP neighbor, click the BGP neighbor to display the settings and click the Delete icon.


Configuring SRP

The Service Routing Protocol (SRP) uses distributed hash table (DHT) technology to form a distributed network of Proximity Engines. For more information, see the "Service Routing Protocol" section.


Note SRP is a Release 2.5.7 and later releases feature and is required if the Redirect proximity algorithm is enabled. SRP is used to gather and store information about all the Proximity Engines that are available for redirection. See the "Configuring the BGP Community-based Proximity Settings" section for more information.


To configure SRP, do the following:


Step 1 Choose Devices > Devices > Routing Settings > Proximity Server Settings > SRP. The SRP page is displayed.

Step 2 To enable SRP, check the Enable check box and click Submit. The Create new Bootstrap for SRP icon displays.

Step 3 In the Domain field, enter a number that identifies the domain. The range is from 0 to 4294967295. The default is 0.

All Proximity Engines running SRP routing with the same domain ID form a single network if the nodes are found through a bootstrap node. By changing a Proximity Engine's domain, the Proximity Engine leaves its current network.

We recommend that a domain ID value be configured for your DHT network so that all Proximity Engines that join this network share the same domain ID.

Step 4 In the Flooding Threshold field, enter the maximum number of subscribers to flood or send messages to. The range is from 0 to 65535. The default is 50.

SRP uses flooding to send multicast messages for a multicast group if the number of subscribers in the group is equal to or greater than the value specified in Flooding Threshold. A well-chosen threshold value reduces protocol message overhead. The threshold value depends on the number of nodes in your DHT network. In general, the threshold value should be greater than half and smaller than 3/4 of the total number of DHT nodes in the network.

Step 5 Click Submit.

To delete the SRP configuration, click the Delete icon.

Step 6 To configure an SRP bootstrap, click the Create new Bootstrap for SRP icon. The Bootstrap SRP page is displayed.

Step 7 In the Bootstrap IP address field, enter the IP address of the bootstrap node.

An IP address of a bootstrap node must be configured for each Proximity Engine before the Proximity Engine can join the network with others under the same domain ID. The first Proximity Engine in the network, which acts as the bootstrap node for others, does not need to configure itself as the bootstrap node; this is the only exception to configuring a bootstrap node. All other nodes must have the bootstrap node configured before they can join a DHT network. A maximum of 25 bootstrap nodes are allowed per Proximity Engine. The port number for a bootstrap node is 9000.

Step 8 Click Submit.

Step 9 Repeat Step 6 through Step 8 for each bootstrap node.

To delete a bootstrap node, click the edit icon next to the IP address of the bootstrap node to display the settings and click the Delete icon.


Configuring Application Control

The Application Control pages allow you to enable Flash Media Streaming, to enable HTTP proxy on an SR, and to enable HTTP 302 redirection for Windows Media Technology files with an .asx extension.

To configure the application control for the SR, do the following:


Step 1 Choose Devices > Devices. The Devices Table page is displayed.

Step 2 Click the Edit icon next to the SR you want to configure. The Devices home page is displayed.

Step 3 Click Show All to display the top-level menu options, and choose Application Control.

Step 4 To enable Flash Media Streaming on the SR, choose Flash Media Streaming > General Settings. The Flash Media Streaming Settings page is displayed.

a. Check the Enable Flash Media Streaming check box.

b. Click Submit.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Step 5 To enable service monitoring for Flash Media Streaming on the SR, choose Flash Media Streaming > Service Monitoring. The Service Monitoring Settings page is displayed.

a. Check the Enable Service Monitoring check box.

b. Click Submit.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Step 6 To enable HTTP proxy on the SR, do the following:

a. Choose Web > HTTP > HTTP Connections. The HTTP Connections Settings page is displayed.

b. Check the Enable Incoming Proxy check box.

c. Enter the port numbers that receive HTTP in the associated field.

Separate each port number by a space. The default is port 80.

d. Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Note In Release 2.5.7 and later releases, the Web Engine has been enhanced and the configuration settings on this page are no longer supported, therefore this CDSM GUI page is not displayed.


Step 7 To enable the HTTP 302 redirection for Windows Media Technology files with an .asx extension, do the following:

a. Choose Web > HTTP > HTTP Redirect. The HTTP Redirect Settings page is displayed.

b. Check the Enable HTTP 302 for .asx File check box.

c. Click Submit.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring Last-Resort Routing

For information on configuring all general settings, except last-resort routing, see the "General Settings" section.


Note Last-resort routing is not supported when DNS-based redirection is enabled.


Last-resort routing is useful when all Service Engines have exceeded their thresholds or all Service Engines in the domain are offline, or the client is unknown. If last-resort routing is configured, the Service Router redirects requests to a configurable alternate domain when all Service Engines serving a client network region are unavailable, or the client is unknown. A client is considered unknown if the client's IP address is not part of a subnet range listed in the Coverage Zone file or part of a defined geographical area (for location-based routing) listed in the Coverage Zone file.

For more information, see the "Last-Resort Routing" section.


Note If the last-resort domain is not configured and the Service Engine thresholds are exceeded, known client requests are redirected to the origin server and unknown clients either receive an error URL (if the Error Domain and Error Filename fields are configured), or a 404 "not found" message.

Unknown clients are only redirected to the alternate domain (last-resort domain) when the Allow Redirect All Client Request check box is checked or the equivalent service-router last-resort domain <RFQDN> allow all command is entered.


To configure last-resort routing, do the following:


Step 1 Choose Devices > Devices. The Devices Table page is displayed.

Step 2 Click the Edit icon next to the SR you want to configure. The Devices home page is displayed.

Step 3 Click Show All to display the top-level menu options, and choose General Settings > Last Resort. The Last Resort Table page is displayed.

The table is sortable by clicking the column headings.

Step 4 Click the Create New icon.

Click the Edit icon next to the domain name to edit a table entry.

Step 5 Enter the settings as appropriate. See Table 4-61 for a description of the fields.

Table 4-61 Service Router Last Resort Fields 

Field
Description

Domain Name

The Service Routing Domain Name (SRDN) (for example, srfqdn.cisco.com).

Allow Redirect All Client Request

Check the Allow Redirect All Client Request check box to redirect all unknown clients to the alternate domain or content origin.

If the Allow Redirect All Client Request check box is not checked, unknown clients (clients' subnets are not included in the Coverage Zone file) receive a 404 message if the error URL is not configured. If the error URL is configured, client requests are redirected to the Error URL.

If the Allow Redirect All Client Request check box is checked, unknown client requests are redirected to the alternate domain; otherwise, they are redirected to the origin server.

Alternate Domain Name

The domain (for example, www.cisco.com) used to route requests to when the SEs are unavailable, or the client is unknown. A client is considered unknown if the client's IP address is not part of a subnet range listed in the Coverage Zone file.

If an Alternate Domain Name is not specified, requests for the domain entered in the Domain Name are routed to the origin server.

The Alternate Domain Name could be a domain outside the CDS. It could be a third-party CDN or external server. No DNS lookup is performed by the SR to check the liveness of this domain.

Error Domain Name

To redirect the request to an error URL for any unknown clients or when all SEs in the delivery service are unavailable, enter the domain name of the URL.

The Error Domain Name could be a domain outside the CDS. It could be a third-party CDN or external server. No DNS lookup is performed by the SR to check the liveness of this domain.

Error File Name

The filename of the error URL (for example, error.html or error/errorfile.flv).

The error URL is made using the Error Domain Name plus the Error File Name. The Error File Name could be a filename with an extension (for example, error.html or errorfile.flv), or a directory and filename (for example, error/errorfile.flv or reroute/reroute.avi), or a filename without an extension. If no extension is specified, the extension is determined by the protocol used in the request.

If a filename has a specific extension, and the request comes from a protocol that does not support the configured extension, the filename extension is automatically changed to an extension that is supported by the protocol.

Note For Flash Media Streaming, an external FMS server must exist that hosts an application for error handling. The SR redirects Flash Media Streaming requests to an application on the external FMS server. An example of a Flash Media Streaming error URL is rtmp://errordomain.com/<application>, where the application name is any application hosted on that server. The Error File Name, in the case of Flash Media Streaming, is the name of the application.


Step 6 Click Submit to save the settings. The entry is added to the Last Resort Table.

To delete a last-resort configuration, click the Edit icon for the configuration, then click the Delete icon in the task bar.


An example configuration of an error URL, used to redirect unknown clients or to redirect clients when all SEs in the delivery service are unavailable, follows:

Domain Name—wmt.cdsordis.com

Error Domain Name—ssftorig.ssft.com

Error File Name—testMessage

This configuration states that for any request where the domain name is wmt.cdsordis.com, if the client IP address is not included in the Coverage Zone file (or the client is not part of a defined geographical area if location-based routing is enabled) or there are no available SEs assigned to the delivery service, redirect the request to ssftorig.ssft.com/testMessage.<original_extension>.

To be more specific, if the client request was http://wmt.cdsordis.com/vod/video.wmv and the service rule conditions were met, the client would receive a 302 redirect to http://ssftorig.ssft.com/testMessage.wmv.

If you want the Error File Name to reside in a different directory, you can configure that as well. If the error message file was located in the "vod" directory, then the Error File Name would be configured as vod/testMessage.
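
As an added example (not from this guide or the CDS software), the following Python models the last-resort decision described above: whether the client is known (its address falls in a Coverage Zone subnet), what happens when all SEs are unavailable, and how the error URL is built from the Error Domain Name and Error File Name, including the rule that a file name without an extension borrows the extension of the original request. The coverage zone is reduced to a list of subnets and the origin server is a placeholder name; for an unknown client without Allow Redirect All Client Request it follows the Error URL / 404 behaviour stated in Table 4-61, and the extension substitution for protocols that do not support a configured extension is not modelled.

```python
import ipaddress
import posixpath
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class LastResortEntry:
    """One row of the Last Resort Table (fields from Table 4-61)."""
    domain_name: str
    allow_redirect_all: bool = False
    alternate_domain: Optional[str] = None
    error_domain: Optional[str] = None
    error_file: Optional[str] = None


def client_known(client_ip: str, coverage_zone_subnets) -> bool:
    """Known = the client address falls inside a subnet listed in the Coverage Zone file."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(s) for s in coverage_zone_subnets)


def _rehost(url: str, host: str) -> str:
    s = urlsplit(url)
    return urlunsplit((s.scheme, host, s.path, s.query, ""))


def error_url(request_url: str, entry: LastResortEntry) -> str:
    """Error Domain Name + Error File Name; a file name without an extension borrows
    the extension of the original request (testMessage -> testMessage.wmv)."""
    req = urlsplit(request_url)
    name = entry.error_file.strip("/")
    if not posixpath.splitext(name)[1]:
        name += posixpath.splitext(req.path)[1]
    return urlunsplit((req.scheme, entry.error_domain, "/" + name, "", ""))


def route(request_url, client_ip, coverage_zone_subnets, ses_available, entry, origin_server):
    """Decide what the SR answers: ('serve', None) for normal SE selection,
    ('302', url) for a redirect, or ('404', None)."""
    known = client_known(client_ip, coverage_zone_subnets)
    if known and ses_available:
        return ("serve", None)
    if known:
        # All SEs unavailable: alternate domain if configured, otherwise the origin server.
        return ("302", _rehost(request_url, entry.alternate_domain or origin_server))
    # Unknown client.
    if entry.alternate_domain and entry.allow_redirect_all:
        return ("302", _rehost(request_url, entry.alternate_domain))
    if entry.error_domain and entry.error_file:
        return ("302", error_url(request_url, entry))
    return ("404", None)


# Constructed sample: the guide's example entry, a coverage zone of one subnet and
# a placeholder origin server name.
ENTRY = LastResortEntry("wmt.cdsordis.com", error_domain="ssftorig.ssft.com", error_file="testMessage")
COVERAGE_ZONE = ["10.0.0.0/8"]
ORIGIN = "origin.example.net"   # placeholder, not a value from the guide
REQUEST = "http://wmt.cdsordis.com/vod/video.wmv"

if __name__ == "__main__":
    print(route(REQUEST, "203.0.113.7", COVERAGE_ZONE, True, ENTRY, ORIGIN))
    print(route(REQUEST, "10.1.2.3", COVERAGE_ZONE, False, ENTRY, ORIGIN))
```

Note that neither the alternate domain nor the error domain is checked for liveness by the SR (the table says so explicitly), so the model simply rewrites the host; an operator who points these fields at a third-party host is trusting that host with every redirected client.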

Creating ASX Error Message Files for Windows Media Live Programs

There is one thing to remember when redirecting a client request for live Windows Media Streaming programs. Because live programs deliver an ASX file to the client, the error message must have the same format. If you try to use an HTML or JPEG instead of an ASX file, the redirect will not work because the Windows Media player is trying to parse the ASX file.

To satisfy the requirements of the Windows Media player, create an ASX file for the error message file and put the URL to the error message file inside the ASX file. For example, below is a simple ASX file.

<ASX VERSION="3.0">
  <Entry>
    <REF HREF="http://<IP-Address-of-Server>/path/filename"/>
  </Entry>
</ASX>

If you wanted the error file to be a GIF file on server 3.1.1.1 called testMessage.gif under the directory vod then this file would look like:

<ASX VERSION="3.0">
  <Entry>
    <REF HREF="http://3.1.1.1/vod/testMessage.gif"/>
  </Entry>
</ASX>

There are other ways to use an ASX file to display information. Below is an example of an approach that has the Windows Media player display an HTML web page with PARAM HTMLView.

<ASX version="3.0">
  <PARAM name="HTMLView" value="http://111.254.21.99/playlist/error.htm"/>
  <REPEAT>
    <ENTRY>
      <REF href="http://3.1.1.1/vod/testMessage.gif"/>
    </ENTRY>
  </REPEAT>
</ASX>

There are many ways to format and structure ASX files to display whatever error message you want, in whatever format you want.
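
As an added example (not from this guide or the CDS software), the following Python generates an ASX error file of the kind shown above, with an optional PARAM HTMLView, escaping the URLs so they cannot break the markup, and checks a candidate error body the way the player's requirement implies: it must parse as XML with an ASX root and carry at least one REF, so an HTML page or an image body is rejected. The addresses reuse the examples above; the check is a minimal structural one, not an implementation of the player's parser.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr


def build_error_asx(ref_url: str, html_view_url: str = None) -> str:
    """Return an ASX 3.0 document whose single ENTRY points at the error resource.
    If html_view_url is given, a PARAM HTMLView tells the player to show that page.
    quoteattr() escapes &, <, > and quotes so a URL cannot break the markup."""
    lines = ['<ASX VERSION="3.0">']
    if html_view_url:
        lines.append('  <PARAM NAME="HTMLView" VALUE=%s/>' % quoteattr(html_view_url))
    lines += ['  <ENTRY>',
              '    <REF HREF=%s/>' % quoteattr(ref_url),
              '  </ENTRY>',
              '</ASX>']
    return "\n".join(lines) + "\n"


def asx_refs(text: str):
    """REF HREF targets of a well-formed ASX document, or None if the text is not
    XML or its root is not ASX. Element and attribute names are matched
    case-insensitively, as the player treats them."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None
    if root.tag.upper() != "ASX":
        return None
    refs = []
    for el in root.iter():
        if el.tag.upper() == "REF":
            refs += [v for k, v in el.attrib.items() if k.upper() == "HREF"]
    return refs


def usable_as_live_error(text: str) -> bool:
    """A live-program error body must be ASX with at least one REF; an HTML page
    or an image body is rejected, which is what the Windows Media player does."""
    return bool(asx_refs(text))


# Constructed sample values (the guide's example addresses).
GIF_URL = "http://3.1.1.1/vod/testMessage.gif"
HTML_VIEW = "http://111.254.21.99/playlist/error.htm"

if __name__ == "__main__":
    print(build_error_asx(GIF_URL, HTML_VIEW))
```

Generating the file rather than hand-editing it matters mostly for the escaping: a query string containing "&" in the HTMLView URL is a valid URL but invalid XML unless written as "&amp;", and a file that fails to parse is exactly the failure mode the paragraph above describes.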

Configuring Transaction Logs for the Service Router

Transaction logs allow administrators to view the traffic that has passed through the SR. The fields in the transaction log are the client's IP address, the date and time when a request was made, the URL that was requested, the SE selected to serve the content, the protocol, and the status of the redirect. The SR transaction log file uses the W3C Common Log file format. For more information about transaction logs and their formats, see the "Service Router Transaction Log Fields" section.

To enable transaction logging for the SR, do the following:


Step 1 Choose Devices > Devices > General Settings > Notification and Tracking > Transaction Logging. The Transaction Log Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-62 for a description of the fields.

Table 4-62 Transaction Log Settings Fields 

Field
Description
General Settings

Transaction Log Enable

Enables transaction logging.

Compress Files before Export

When this check box is checked, archived log files are compressed into gzip format before being exported to external FTP servers.

Archive Settings

Max size of Archive File

Maximum size (in kilobytes) of the archive file to be maintained on the local disk. The range is from 1,000 to 2,000,000. The default is 2,000,000.

Max number of files to be archived

Maximum number of files to be maintained on the local disk. The range is from 1 to 1000. The default is 50.

Archive occurs

How often the working log is archived and the data is cleared from the working log. Choose one of the following:

Choose every to archive every so many seconds, and enter the number of seconds for the interval. The range is from 120 to 604800.

Choose every hour to archive using intervals of one hour or less, and choose one of the following:

at—Specifies the minute in which each hourly archive occurs

every—Specifies the number of minutes for the interval (2, 5, 10, 15, 20, or 30)

Choose every day to archive using intervals of one day or less, and choose one of the following:

at—Specifies the hour in which each daily archive occurs

every—Specifies the number of hours for the interval (1, 2, 3, 4, 6, 8, 12, 24)

Choose every week on to archive at intervals of one or more times a week, choose the days of the week, and choose what time each day.

Export Settings

Enable Export

Enables exporting of the transaction log to an FTP server.

Export occurs

How often the working log is sent to the FTP server and the data is cleared from the working log. Choose one of the following:

Choose every to export every so many minutes, and enter the number of minutes for the interval. The range is from 1 to 100800.

Choose every hour to export using intervals of one hour or less, and choose one of the following:

at—Specifies the minute in which each hourly export occurs

every—Specifies the number of minutes for the interval (2, 5, 10, 15, 20, or 30)

Choose every day to export using intervals of one day or less, and choose one of the following:

at—Specifies the hour in which each daily export occurs

every—Specifies the number of hours for the interval (1, 2, 3, 4, 6, 8, 12, 24)

Choose every week on to export using intervals of one or more times a week, choose the days of the week, and what time each day.

FTP Export Server

IP address or hostname of the FTP server.

Name

Name of the user.

Password

Password for the user.

Confirm Password

Confirms the password for the user.

Directory

Name of the directory used to store the transaction logs on the FTP server.

SFTP

Check the SFTP check box if you are using an SFTP server.


Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.


Configuring the CDSM

Configuring a CDSM consists of the General Settings menu items. For information on configuring general settings, see the "General Settings" section.

Device activation is accomplished during installation and initialization of the CDS devices. See Cisco Content Delivery Engine 100/200/300/400 Hardware Installation Guide for more information.

The Device Activation page for the CDSM displays information about the management IP address and the role of the CDSM. To change the name of the CDSM, enter a new name in the Name field and click Submit.

For information about primary and standby CDSMs, see the "Configuring Primary and Standby CDSMs" section.