CSS Administration Guide (Software Version 7.10) - Configuring User Profiles and CSS Parameters [Cisco CSS 11500 Series Content Services Switches]

Table Of Contents

Configuring User Profiles and CSS Parameters

Configuring User Profiles

Configuring User Terminal Parameters

Configuring Terminal Idle

Configuring Terminal Length

Configuring Terminal More

Configuring Terminal Netmask-Format

Configuring Terminal Timeout

Using Expert Mode

Changing the CLI Prompt

Modifying the History Buffer

Displaying the History Buffer

Copying and Saving User Profiles

Copying the Running Profile to the Default-Profile

Copying the Running Profile to a User Profile

Copying the Running Profile to an FTP Server

Copying the Running Profile to a TFTP Server

Configuring a Login Banner

Configuring Host Name

Configuring Idle Timeout

Configuring the CSS as a Client of a RADIUS Server

Configuring the CSS as a RADIUS Client

Specifying a Primary RADIUS Server

Specifying a Secondary RADIUS Server

Configuring the RADIUS Server Timeouts

Configuring the RADIUS Server Retransmits

Configuring the RADIUS Server Dead-Time

Configuring a RADIUS Server for Use With the CSS

Showing RADIUS Server Configuration Information

Configuring the CSS as a Client of a TACACS+ Server

Configuring TACACS+ Server User Accounts for Use with the CSS

Configuring Authentication Settings

Configuring Authorization Settings

Defining a TACACS+ Server

Defining a Global Encryption Key

Setting the Global CSS TACACS+ Timeout Period

Setting TACACS+ Authorization

Setting TACACS+ Accounting

Showing TACACS+ Server Configuration Information

Controlling Remote Access to the CSS

Configuring Virtual Authentication

Configuring Console Authentication

Restricting Access to the CSS

Finding an IP Address

Configuring Flow Parameters

Configuring Permanent Connections for TCP/UDP Ports

Resetting Fast Ethernet and Gigabit Ethernet Ports

Configuring TCP Maximum Segment Size

Reclaiming Reserved Telnet and FTP Control Ports

Showing Flow Statistics

Configuring Flow Resource Reclamation

Timeout Value Precedence

Configuring Flow Timeouts

Displaying Flow Timeout Statistics

Displaying Content Rule and Source Group Information

Configuring CSS Portmapping

Configuring Global Portmapping

Displaying Global Portmapping Statistics

Configuring Noflow Portmapping

Displaying Noflow Portmapping Statistics

Enabling and Disabling Core Dumps

Displaying Core Dumps

Configuring Content API

Creating XML Code

XML Document Example

Controlling Access to the CSS HTTP Server

Parsing the XML Code

Publishing the XML Code to the CSS

Testing the Output of the XML Code

Configuring the Command Scheduler

Showing Configured Command Scheduler Records

Where to Go Next

Configuring User Profiles and CSS Parameters

This chapter describes how to configure user profiles and CSS parameters. This chapter also contains information on using the Content API and Command Scheduler features. Information in this chapter applies to all models of the CSS, except where noted.

This chapter contains the following sections:

•Configuring User Profiles

•Configuring Host Name

•Configuring Idle Timeout

•Configuring the CSS as a Client of a RADIUS Server

•Configuring the CSS as a Client of a TACACS+ Server

•Controlling Remote Access to the CSS

•Restricting Access to the CSS

•Finding an IP Address

•Configuring Flow Parameters

•Configuring Flow Resource Reclamation

•Configuring CSS Portmapping

•Enabling and Disabling Core Dumps

•Configuring Content API

•Configuring the Command Scheduler

Configuring User Profiles

The CSS contains a default-profile that resides in the scripts directory on the CSS disk (hard disk or flash disk). This file contains settings that are user-specific; that is, they apply uniquely to each user when the user logs in.

You can customize the following settings for each user:

•CLI prompt

•Expert mode

•History buffer

•Terminal parameters, including idle time, length, more, netmask format, and timeout

•Login banner

Though the settings are user-specific, each default setting applies to all users until the user saves the default-profile to a username-profile (where username is the current login username). You can continue using the default-profile so that all users logging into a CSS use the same settings. See "Copying and Saving User Profiles" in this chapter for information on saving the default-profile.

If you change a user setting and want to save it in the scripts directory of the current ADI, use the copy profile command. If you do not, the CSS stores the setting temporarily in a running-profile. If you attempt to log out of the CSS without saving profile changes, the CSS prompts you that profile changes have been made and allows you to save or discard the changes.

When you upgrade the ADI, user profiles, which are saved in the current ADI directory, are deleted. If you wish to save user profiles permanently, use the save_profile command. This command saves the profiles in both the scripts and archive directories in the current ADI. The archive directory is not overwritten during a software upgrade.

To access the CSS disk, FTP to the CSS. Use the appropriate commands to access the scripts directory and list the contents of the default-profile. When logged into the CSS, use the show profile command to display either the default-profile or your username-profile.

For example:
# show profile
@prompt CSS11503
@no expert
alias all reboot "@configure;boot;rebo"
alias all shutdown "@configure;boot;shutd"
alias all logon "@configure;logging line \${LINE};exit"
alias all logoff "@configure;no logging line \${LINE};exit"
alias all aca-load "@script play service-load"
alias all dnslookup "@script play dnslookup"
alias super save_config "copy running-config startup-config;archive 
startup-config"
alias super setup "script play setup"
alias super upgrade "script play upgrade"
alias super monitor "script play monitor"
alias super save_profile "copy profile user-profile;archive script 
admin-profile
"
set CHECK_STARTUP_ERRORS "1" session
This section contains information on:

•Configuring User Terminal Parameters

•Using Expert Mode

•Changing the CLI Prompt

•Modifying the History Buffer

•Copying and Saving User Profiles

Configuring User Terminal Parameters

To configure terminal parameters, use the terminal command. These parameters control output to the system terminal screen. Terminal parameters are user-specific, that is, they apply uniquely to each CSS user.

Use the copy profile user-profile command to add terminal command parameters to your user profile so that the parameters are used each time you log in. Otherwise you must reenter the commands for the parameters to take effect each time you log in.

The options for this command are:

•terminal idle - Set the session idle timer

•terminal length - Set the terminal screen output length

•terminal more - Enable terminal more support. The default is enabled

•terminal netmask-format - Control subnet mask display

•terminal timeout - Set the session maximum login time

Configuring Terminal Idle

To set the time a session can be idle before the CSS terminates a console or Telnet session, use the terminal idle command. This command is available at the User and SuperUser prompts. Enter an idle time between 0 and 65535 minutes. The default value is 0 (disabled).

To set a terminal idle time, enter:
# terminal idle 15
To restore the terminal idle time to its default of disabled, enter:
# no terminal idle
Configuring Terminal Length

To set the number of output lines the CLI displays on the terminal screen, use the terminal length command. This command is available at the User and SuperUser prompts. Enter the number of lines you want the CLI to display from 2 to 65535. The default is 25 lines.

To set the line number to 35, enter:
# terminal length 35
To reset the number of lines to the default of 25 lines, enter:
# no terminal length
Configuring Terminal More

To enable support for more terminal functions, use the terminal more command. This command is available at the User and SuperUser prompts. You can also toggle the more function on and off within a session by using the ESC-M key sequence. The default is enabled.

To enable more terminal functions, enter:
# terminal more
To disable support for more terminal functions, enter:
# no terminal more
Configuring Terminal Netmask-Format

To determine how the CSS displays subnet masks in show screens, use the terminal netmask-format command. This command is available at the User and SuperUser prompts. The options for this command are:

•terminal netmask-format bitcount - Displays masks in CIDR bitcount (for example, /24).

•terminal netmask-format decimal - Displays masks in dotted-decimal format (for example, 255.255.255.0). This is the default format.

•terminal netmask-format hexadecimal - Displays masks in hexadecimal format (for example, OXFFFFFFOO).

To display subnet masks in bitcount format, enter:
# terminal netmask-format bitcount
To restore the default display format (decimal), enter:
# no terminal netmask format
Configuring Terminal Timeout

To set the total amount of time a session can be logged in before the CSS terminates a console or Telnet session, use the terminal timeout command. This command is available at the User and SuperUser prompts. Enter a timeout value between 0 and 65535 minutes. The default value is 0 (disabled).

To set a terminal timeout value, enter:
# terminal timeout 30
To restore the terminal timeout value to its default (disabled), enter:
# no terminal timeout
Using Expert Mode

Expert mode allows you to turn the CSS confirmation capability on or off. Expert mode is available at the SuperUser prompt and is off by default. When expert mode is off, the CSS prompts you for confirmation when you:

•Execute commands that could delete or change operating parameters

•Exit a terminal session (console or Telnet) without copying the running configuration to the startup configuration

•Create services, owners, and content rules

Caution Turning expert mode on disables the CSS from prompting you for confirmation when you make changes. As you exit from the CSS, all configuration changes are automatically saved to the profile and to the running-config file. You are not prompted for confirmation to save the changes.

To enable expert mode, enter:
# expert
To allow the CSS to prompt you for confirmation before executing configuration commands, enter:
# no expert
For example, when you enter the command to create an owner and expert mode is off, the CSS prompts you to verify the command, enter:
(config)# owner arrowpoint.com
Create owner <arrowpoint.com>, [y/n]:y
(config-owner[arrowpoint.com])#
Changing the CLI Prompt

The CLI default prompt displays as the product model number followed by the # symbol. The CSS adds a # sign to the prompt automatically to indicate SuperUser mode. To change the default prompt, enter the prompt command as shown in the following example:
CSS11506# prompt CSS1-lab
CSS1-lab# 
You can enter a maximum of 15 characters.

To save the new prompt, add it to your user- or default-profile. To restore the prompt to its default, use the no prompt command.

Modifying the History Buffer

Use the history command to modify the history buffer length. The command line history buffer stores the most recent CLI commands that you enter. Enter the number of lines you want in the history buffer as an integer from 0 to 256. The default is 20. This command is available in SuperUser mode.

To set the history buffer to 80 lines, enter:
# history length 80
To disable the history function (setting of 0), enter:
# history length 0
To restore the history buffer to the default of 20 lines, enter:
# no history length
Displaying the History Buffer

Use the show history command to display the history buffer. The history buffer is cleared automatically upon reboot.

For example:
# show history
	history
	show history
	show ip routes
	show ip summary
	show ip stat
	clock
	clock date
	clock time
	show history
Copying and Saving User Profiles

Use the copy profile command to copy the running profile from the CSS to the default-profile, an FTP server, a TFTP server, or your user-profile. This command is available in SuperUser mode. The options are:

•copy profile default-profile - Copy the running profile to the default profile

•copy profile user-profile - Copy the running profile to your user profile

•copy profile ftp - Copy the running profile to an FTP server

•copy profile tftp - Copy the running profile to a TFTP server

Note If you exit the CSS without copying changes in the running profile to your username-profile or default-profile, the CSS prompts you that the profile has changed and queries whether you want to save your changes. If you respond with y, the CSS copies the running profile to your username-profile or the default-profile.

See the following sections for information on these options.

Copying the Running Profile to the Default-Profile

Use the copy profile default-profile command to copy the running profile to the default profile. This command is available in SuperUser mode.

For example:
# copy profile default-profile
Copying the Running Profile to a User Profile

Use the copy profile user-profile command to copy the changes made to the running profile to the user profile. This command is available in SuperUser mode. This command creates a file username-profile if one does not exist (where username is the current username).

For example:
# copy profile user-profile
Copying the Running Profile to an FTP Server

Use the copy profile ftp command to copy the running profile to an FTP server. This command is available in SuperUser mode. The syntax is:

copy profile ftp ftp_record filename
The variables are:

•ftp_record - The name of the FTP record file that contains the server IP address, username, and password. Enter an unquoted text string with no spaces and a maximum of 32 characters.

•filename - The name you want to assign to the file on the server. Include the full path to the file. Enter an unquoted text string with no spaces.

For example:
# copy profile ftp arrowrecord \records\arrowftprecord
Copying the Running Profile to a TFTP Server

Use the copy profile tftp command to copy the running profile to a TFTP server. This command is available in SuperUser mode. The syntax is:
copy profile tftp ip_or_host filename
The variables are:

•ip_address or host - The IP address or host name of the server to receive the file. Enter an IP address in dotted-decimal notation (for example, 192.168.11.1) or in mnemonic host-name format (for example, myhost.mydomain.com).

•filename - The name you want to assign to the file on the server. Include the full path to the file. Enter an unquoted text string with no spaces and a maximum of 32 characters.

For example:
# copy profile tftp 192.168.3.6 \home\bobo\bobo-profile
Configuring a Login Banner

You can create and display a custom banner that appears after you log in to a CSS. The banner is an ASCII text file that you provide, and it resides in the CSS /script directory. Because this feature is part of your user profile, you can have your own custom banner associated with your login name.

To configure a login banner, use the set BANNER command as follows.

1. Use any text editor (for example, Notepad, Wordpad) to create a custom banner and save it as a text file in the CSS /script directory. Line width has a maximum of 80 characters.
2. For example, to set the environment variable BANNER and point to the mybanner file, enter:
# set BANNER "mybanner" session
The keyword session causes the CSS to create the environment variable every time you log in.

3. To complete the configuration, enter:
# copy profile user-profile
The next time you log in to the CSS, your custom banner will appear.

To provide the same banner for all users, replace the command in Step 3 with:
# copy profile default-profile
Configuring Host Name

Use the host command to manage entries in the Host table. The Host table is the static mapping of mnemonic host names to IP address, analogous to the ARP table. The syntax for this global configuration mode command is:

host host_name ip_address

The variables are:

•host_name - The name of the host. Enter an unquoted text string with no spaces and a length from 1 to 16 characters.

•ip_address - The address associated with the host name. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).

For example:
(config)# host CSS11150-LML 192.168.3.6
Note To add a host to the Host table, the host name must not already exist. To change a current host address, remove it and then add it again.

To remove an existing host from the Host table, enter:
(config)# no host CSS11150-LML
To display a list of host names, enter:
(config)# show running-config global
Configuring Idle Timeout

To globally set the total amount of time all sessions can be active before the CSS terminates a console or Telnet session, use the idle timeout command. Enter a timeout value between 0 and 65535 minutes. The default value is enabled for 5 minutes.

Note To override the idle timeout value for a specific session, configure the terminal timeout command. Terminal commands are user-specific; that is, they apply uniquely to each CSS user.

Cisco recommends that you configure the idle timeout for at least 30 minutes. Setting this value to 30 minutes:

•Cleans up idle Telnet sessions

•Helps prevent busy conditions due to a high number of active Telnet sessions

To set an idle timeout value, enter:
(config)# idle timeout 15
To restore the terminal timeout value to its default of enabled for 5 minutes, enter:
(config)# no idle timeout
Configuring the CSS as a Client of a RADIUS Server

The Remote Authentication Dial-In User Server (RADIUS) protocol is a distributed client/server protocol that protects networks against unauthorized access. It uses the User Datagram Protocol (UDP) to exchange authentication and configuration information between the CSS authentication client and the active authentication server that contains all user authentication and network service access information. The RADIUS host is normally a multiuser system running RADIUS server software.

Use the radius-server command to configure the CSS as a client of a RADIUS server for authentication requests by remote or local users who require authorization to access network resources.

When a user remotely logs into a CSS operating as a RADIUS client, the CSS sends an authentication request (including user name, encrypted password, client IP address, and port ID) to the central RADIUS server. The RADIUS server is responsible for receiving user connection requests, authenticating users, and returning all configuration information necessary for the client to deliver services to the users. Transactions between the RADIUS client and the RADIUS server are authenticated through the use of a shared secret.

Once the RADIUS server receives the authentication request, it validates the sending client and consults a database of users to match the login request. After the RADIUS server performs user authentication, it transmits one of the following authentication responses back to the RADIUS client:

•Accept - The user is authenticated (all conditions are met).

•Reject - The user is not authenticated and is prompted to reenter the username and password, or access is denied (username does not exist in the database).

If no response is returned by the RADIUS server within a period of time, the authentication request is retransmitted a predefined number of times (both options are specified in the radius-server command). The RADIUS client can forward requests to an alternate secondary RADIUS server in the event that the primary server is down or is unreachable.

In a configuration where both a primary RADIUS server and a secondary RADIUS server are specified, and one or both of the RADIUS servers become unreachable, the CSS automatically transmits a keepalive authentication request to query the server(s). The CSS transmits the username "query" and the password "areyouup" to the RADIUS server (encrypted with the RADIUS server's key) to determine its state. The CSS continues to send this keepalive authentication request until the RADIUS server indicates that it is available.

Configuring the CSS as a RADIUS Client

Note For general guidelines on the recommended setup of a RADIUS server (the Cisco Secure Access Control Server in this example), refer to "Configuring a RADIUS Server for Use With the CSS" later in this section.

Use the radius-server command and its options to specify the RADIUS server host (primary RADIUS server, and, optionally, a secondary RADIUS Server), communication time interval settings, and a shared secret text string. This command is available in global configuration mode. The options for this command are:

•radius-server primary ip_address secret string {auth-port port_number}- Specify the primary RADIUS server.

•radius-server secondary ip_address secret string {auth-port port_number} - Specify the secondary RADIUS server. Configuration of a secondary RADIUS server is optional.

•radius-server dead-time seconds - Set the time interval (in seconds) that the CSS probes an inactive RADIUS server (primary and secondary) to determine if it is back online.

•radius-server retransmit number - Set the number of retransmissions for an authentication request to the RADIUS server.

•radius-server timeout seconds - Set the time interval the CSS waits before retransmitting an authentication request.

Note After configuring the RADIUS server, enable RADIUS authentication for console and virtual logins (if the user and password pair is not in the local user database) through the virtual authentication and console authentication commands. See "Controlling Remote Access to the CSS" later in this chapter for details.

Specifying a Primary RADIUS Server

Use the radius-server primary command to specify a primary RADIUS server to authenticate user information from the CSS RADIUS client (console or virtual authentication). The syntax for this global configuration mode command is:

radius-server primary ip_address secret string {auth-port port_number}

Options and variables include:

•primary ip_address - The IP address or host name for the primary RADIUS server. Enter the address in either dotted-decimal IP notation (for example, 192.168.11.1) or mnemonic host-name format (for example, myhost.mydomain.com).

•secret string - The shared secret text string between the primary RADIUS server and the CSS RADIUS client. The shared secret allows authentication transactions between the client and primary RADIUS server to occur. Enter the shared secret as a case-sensitive string with no spaces (16 characters maximum).

•auth-port port_number - Optional. The UDP port on the primary RADIUS server allocated to receive authentication packets from the RADIUS client. Valid entries are 0 to 65535. The default is 1645.

To specify a primary RADIUS server, enter:
(config)# radius-server primary 172.27.56.76 secret Hello 
auth-port 30658
To remove a primary RADIUS server, enter:
(config)# no radius-server primary
Specifying a Secondary RADIUS Server

Use the radius-server secondary command to specify a secondary RADIUS server to authenticate user information from the CSS RADIUS client (console or virtual authentication). The CSS directs authentication requests to the secondary RADIUS server when the specified RADIUS primary server is unavailable. The syntax for this global configuration mode command is:

radius-server secondary ip_address secret string {auth-port port_number}

Note Configuration of a secondary RADIUS server is optional.

Options and variables include:

•secondary ip_address - The IP address or host name for the secondary RADIUS server. Enter the address in either dotted-decimal IP notation (for example, 192.168.11.1) or mnemonic host-name format (for example, myhost.mydomain.com).

•secret string - The shared secret text string between the secondary RADIUS server and the CSS RADIUS client. The shared secret allows authentication transactions between the client and secondary RADIUS server to occur. Enter the shared secret as a case-sensitive string with no spaces (16 characters maximum).

•auth-port port_number - Optional. The UDP port on the primary RADIUS server allocated to receive authentication packets from the RADIUS client. Valid entries are 0 to 65535. The default is 1645.

To specify a secondary RADIUS server, enter:
(config)# radius-server secondary 172.27.56.79 secret Hello 
auth-port 30658
To remove a secondary RADIUS server, enter:
(config)# no radius-server secondary
Configuring the RADIUS Server Timeouts

Use the radius-server timeout command to specify the time interval that the CSS waits for the RADIUS server (primary or secondary) to reply to an authentication request before retransmitting requests to the RADIUS server. You configure the number of retransmitted requests to the server through the radius-server retransmit command. Valid entries are 1 to 255 seconds. The default is 10 seconds.

To configure the configure the RADIUS server timeout interval to 1 minute (60 seconds), enter:
(config)# radius-server timeout 60
To reset the RADIUS server retransmit request to the default of 10 seconds, enter:
(config)# no radius-server timeout
Configuring the RADIUS Server Retransmits

Use the radius-server retransmit command to specify the number of times the CSS retransmits an authentication request to a timed-out RADIUS server before considering the server dead and stopping transmission. If a secondary RADIUS server has been identified, that server is selected as the active server. Valid entries are 1 to 30 retries. The default is 3 retransmits.

If the RADIUS server does not respond to the CSS retransmitted requests, the CSS considers the server as dead, stops transmitting to the server, and starts the dead timer as defined through the radius-server dead-time command. If a secondary server is configured, the CSS transmits the requests to the secondary server. If the secondary server does not respond to the request, the CSS considers it dead and starts the dead timer. If there is no active server, the CSS stops transmitting requests until the primary RADIUS server becomes alive.

To configure the number of RADIUS server retransmits to 5, enter:
(config)# radius-server retransmit 5
To reset the RADIUS server retransmit request to the default of 3 retransmits, enter:
(config)# no radius-server retransmit
Configuring the RADIUS Server Dead-Time

Use the radius-server dead-time command to set the time interval in which the CSS verifies whether a non-responsive server is operational. During the set time interval, the CSS sends probe access-request packets to verify that the RADIUS server (primary or secondary) is available and can receive authentication requests. The dead-time interval starts when the server does not respond to the number of authentication request transmissions configured through the radius-server retransmit command. When the server responds to a probe access-request packet, the CSS transmits the authentication request to the server. Valid entries are 1 to 255 seconds. The default is 5 seconds.

To configure the RADIUS server dead-time to 15 seconds, with probe access-requests enabled, enter:
(config)# radius-server dead-time 15
To reset the RADIUS server dead-time request to the default of 5 seconds, enter:
(config)# no radius-server dead-time
Configuring a RADIUS Server for Use With the CSS

This section provides background information on the setup of a RADIUS server. It is intended as a guide to help ensure proper communication with a RADIUS server and a CSS operating as a RADIUS client.

The following example summarizes the recommended settings for the Cisco Secure Access Control Server (ACS) when used as a centralized RADIUS server with the CSS:

•Network Configuration Section, Add AAA Client page:

–AAA Client Hostname - Enter a name you want assigned to the CSS.

–AAA Client IP Address - Enter the IP address of the CSS Ethernet Management port or of a CSS circuit (depending on how the CSS is configured to communicate with the Cisco Secure ACS).

–Key - Enter the shared secret that the CSS and Cisco Secure ACS use to authenticate transactions.

Note For correct operation, you must specify the identical shared secret on both the Cisco Secure ACS and the CSS. Keys are case-sensitive.

–Authenticate Using - Select the RADIUS (IETF) network security protocol to use the standard IETF RADIUS attributes with the CSS.

•Group Setup Section:

–Group Setup Select page - Select the group for which you want to configure RADIUS attributes.

–Group Settings page - Click the checkbox next to IETF RADIUS Attributes, [006] Service-Type, then select Administrative. Administrative is required to enable RADIUS authentication for privileged user (SuperUser) connection with the CSS.

•User Setup Section:

–User Setup Select page - Specify a user name.

–User Setup Edit page:

•Password Authentication - Select an applicable authentication type from the list.

•Password - Specify and confirm a password.

•Group - Select the previously created RADIUS group to which you want to assign the user.

Showing RADIUS Server Configuration Information

Use the show radius command to display information and statistics about the RADIUS server configuration. The syntax and options are:

•show radius config [primary|secondary|all] - Display RADIUS configuration information for a specific server or all servers, identified by type

•show radius stat [primary|secondary|all] - Display RADIUS authentication statistics for a specific server or all servers, identified by type

To view the configuration for a RADIUS primary server, enter:
(config)# show radius config primary
To view the authentication statistics for a RADIUS secondary server, enter:
(config)# show radius stats secondary
Table 6-1 describes the fields in the show radius config output.

Table 6-1 Field Descriptions for the show radius config Command

Field

Description

Server IP Address

The IP address or host name for the specified RADIUS server.

Secret

The shared secret text string between the specified RADIUS server and the CSS RADIUS client.

Port

The UDP port on the specified RADIUS server allocated to receive authentication packets from the CSS RADIUS client. The default port number is 1645.

State

The operational stats of the RADIUS server (ALIVE, DOWN, UNKNOWN).

Dead Timer

The time interval (in seconds) that the CSS probes a non-responsive RADIUS server (primary or secondary) to determine whether it is operational and can receive authentication requests.

Timeout

The interval (in seconds) the CSS RADIUS client waits for the RADIUS server to reply to an authentication request before retransmitting requests to the RADIUS server.

Retransmit Limit

The number of times the CSS RADIUS client retransmits an authentication request to a timed out RADIUS server before stopping transmission to that server.

Probes

The packets that the CSS RADIUS client automatically transmits to determine whether the RADIUS server is still available and can receive authentication requests.

Table 6-2 describes the fields in the show radius stat output.

Table 6-2 Field Descriptions for the show radius stat Command

Field

Description

Server IP address

The IP address or host name of the specified RADIUS server.

Accepts

The number of times the RADIUS server accepts an authentication request from the CSS RADIUS client.

Requests

The number of times the CSS RADIUS client issues an authentication request to the RADIUS server.

Retransmits

The number of times the CSS RADIUS client retransmits an authentication request to the active RADIUS server after a timeout occurred.

Rejects

The number of times the CSS RADIUS client receives a reject notification from the RADIUS server while trying to establish an authentication request.

Bad Responses

The number of times the CSS RADIUS client receives a bad transmission from the RADIUS server.

Bad Authenticators

The number of times the RADIUS server denies an authentication request from the CSS RADIUS client.

Pending Requests

The number of pending authentication requests to the RADIUS server.

Timeouts

The number of times the CSS RADIUS client reached the specified timeout interval while waiting for the RADIUS server to reply to an authentication request.

Discarded Authentication Requests

The number of authentication requests that were discarded while the primary or secondary RADIUS server was down.

Configuring the CSS as a Client of a TACACS+ Server

The Terminal Access Controller Access Control System (TACACS+) protocol provides access control for routers, network access servers (NAS) or other devices through one or more daemon servers. It encrypts all traffic between the NAS and daemon using TCP communications for reliable delivery.

You can configure the CSS as a client of a TACACS+ server, providing a method for authentication of users, and authorization and accounting of configuration and non-configuration commands. The following sections provide information on:

•Configuring TACACS+ Server User Accounts for Use with the CSS

•Defining a TACACS+ Server

•Defining a Global Encryption Key

•Setting the Global CSS TACACS+ Timeout Period

•Setting TACACS+ Authorization

•Setting TACACS+ Accounting

•Showing TACACS+ Server Configuration Information

After you configure the TACACS+ server on the CSS, configure TACACS+ authentication for virtual or console authentication. See "Controlling Remote Access to the CSS".

Configuring TACACS+ Server User Accounts for Use with the CSS

This section provides background information on the setup of a TACACS+ server. It is intended as a guide to help ensure proper communication with a TACACS+ server and a CSS operating as a TACACS+ client.

The following sections summarizes the following recommended Cisco Secure Access Control Server (ACS) TACACS+ user authentication and authorization settings.

Configuring Authentication Settings

To configure the authentication settings on Cisco Secure ACS, go to the Network Configuration section of the Cisco Secure ACS HTML interface, the Add AAA Client page, and complete the following fields:

•AAA Client Hostname - Enter a name you want assigned to the CSS.

•AAA Client IP Address - Enter the IP address of the CSS Ethernet Management port or of a CSS circuit (depending on how the CSS is configured to communicate with the Cisco Secure ACS).

•Key - Enter the shared secret that the CSS and Cisco Secure ACS use to authenticate transactions. For correct operation, you must specify the identical shared secret on both the Cisco Secure ACS and the CSS. Keys are case-sensitive.

•Authenticate Using - Select TACACS+ (Cisco IOS).

Configuring Authorization Settings

To determine the privilege level of users accessing the CSS, you must configure the user accounts on the TACACS+ server to permit or deny execution of the privilege command. The CSS queries the TACACS+ server for authorization to execute the privilege command. If the server allows the privilege command, the user is granted privileged (SuperUser and configuration mode) access to the CSS. If the server denies the privilege command, the user is granted non-privileged (User mode) access to the CSS.

To configure the group authorization settings:

1. From the Group Setup section of the Cisco Secure ACS HTML interface, Group Setup Select page, select the group for which you want to configure TACACS+ settings.

2. On the Shell Command Authorization Set page, click the checkbox next to Per Group Command Authorization.

3. Under Unmatched Cisco IOS Commands, either permit or deny execution of the privilege command.

•For a group that has SuperUser privileges on the CSS, select Permit. A SuperUser can issue any CSS command.

•For a group that has User privileges on the CSS, select Deny. A user can issue CSS commands that does not change the CSS configuration; for example, show commands.

An alternative way to configure the group authorization settings is as follows:

1. Select Shared Profile Components, Shell Command Authorization Sets page.

2. Click the Add button to add a set, or edit an existing set.

3. Enter a name and description.

4. Proceed next to Unmatched Commands, either permit or deny execution of the privilege command.

•For a user that has SuperUser privileges on the CSS, click Permit. A SuperUser can issue any CSS command.

•For a user that has User privileges on the CSS, click Deny. A user can issue CSS commands that does not change the CSS configuration; for example, show commands.

5. From the Group Setup section, Group Setup Select page, select the group for which you want to configure TACACS+ settings.

6. On the Shell Command Authorization Set section, select Assign a Shell Command Authorization Set for any network device.

7. Select the set from the list.

To add a user to a group, go to the User Setup section of the Cisco Secure ACS HTML interface:

•On the User Setup Select page, specify a user name.

•On the User Setup Edit page, specify the following:

–Password Authentication - Select an applicable authentication type from the list.

–Password - Specify and confirm a password.

–Group - Select the previously created TACACS+ group to which you want to assign the user.

Defining a TACACS+ Server

The TACACS+ server contains the TACACS+ authentication, authorization, and accounting databases. You can designate a maximum of three servers on the CSS. However, the CSS uses only one server at a time. The CSS selects the server based upon availability, giving preference to the configured primary server. The CSS sends periodic TCP keepalive probes at a frequency of every five seconds to the TACACS+ server to determine its operational state: Alive, Dying, or Dead. The TCP keepalive frequency is not user-configurable in the CSS.

Note For general guidelines on the recommended setup of a TACACS+ server (the Cisco Secure Access Control Server in this example), refer to "Configuring TACACS+ Server User Accounts for Use with the CSS" earlier in this section.

To apply a TACACS+ global attribute, such as the timeout period or shared secret, to a TACACS+ server, you must configure the global attribute before you configure the server. To apply a modified global attribute to a configured CSS TACACS+ server, remove the server and reconfigure it.

To define a server, use the tacacs-server command. You must provide the IP address and port number for the server. You can optionally define the timeout period and encryption key, and designate the server as the primary server.

The syntax for this global configuration command is:

tacacs-server ip_address port {timeout ["cleartext_key"|des_key]} {primary}
The variables and options are:

•ip_address - The IP address of the TACACS+ server. Enter the IP address in dotted-decimal format.

•port - The TCP port of TACACS+ server. The default port is 49. You can enter a port number from 1 to 65535.

•timeout - The amount of time to wait for a response from the server. Enter a number from 1 to 255. The default is 5 seconds. Defining this option overrides the tacacs-server timeout command. For more information on the TACACS+ timeout period and setting a global timeout, see "Setting the Global CSS TACACS+ Timeout Period" in this chapter.

Note If you need to change a timeout period or the shared secret for a specific server, you must delete and redefine the server.

•"cleartext_key"|des_key - The shared secret between the CSS and the server. You must define an encryption key to encrypt TACACS+ packet transactions between the CSS and the TACACS+ server. If you do not define an encryption key, packets are not encrypted.

The shared secret value is identical to the one on the TACACS+ server. The shared secret key can be either clear text entered in quotes or the DES-encrypted secret entered without quotes. The clear text key is DES-encrypted before it is placed in the running configuration. Either key type can have a maximum of 100 characters.

Defining this option overrides the tacacs-server key command. For more information on defining a global encryption key, see "Defining a Global Encryption Key" in this chapter.

•primary - Assigns the TACACS+ server precedence over the other configured servers. You can specify only one primary server.

For example, to define a primary TACACS+ server at IP address 192.168.11.1 with a default port of 49, a timeout period of 12 seconds, and a clear text shared secret of summary, enter:
#(config) tacacs-server 192.168.11.1 12 "summary" primary
Note The CSS sends periodic TCP keepalive probes to the TACACS+ server to determine its operational state (Alive, Dying, or Dead).

To delete a TACACS+ server at IP address 23.43.23.12 with a default port of 49, enter:
#(config) no tacacs-server 192.168.11.1 49
Note To change the timeout period or encryption key for a specific TACACS+ server, you must delete the server and then redefine it with the updated parameter.

After configuring the TACACS+ server, enable TACACS+ authentication for console and virtual logins (if the user and password pair is not in the local user database) through the virtual authentication and console authentication commands. See "Controlling Remote Access to the CSS".

Defining a Global Encryption Key

The CSS allows you to define a global encryption key for communications with all configured TACACS+ servers. To encrypt TACACS+ packet transactions between the CSS and the TACACS+ server, you must define an encryption key. If you do not define an encryption key, packets are not encrypted. The key is a shared secret value that is identical to the one on the TACACS+ server. To specify a shared secret between the CSS and the server, use the tacacs-server key command.

Note A shared secret defined when specifying a TACACS+ server overrides the global secret. See "Defining a TACACS+ Server" in this chapter. To apply a modified global shared secret to a configured CSS TACACS+ server, remove the server and reconfigure it.

The shared secret key can be either clear text entered in quotes or the DES-encrypted secret. The clear text key is DES encrypted before it is placed in the running configuration. Either key types can have a maximum of 100 characters.

For example, to define the clear text key, enter:
#(config) tacacs-server key "market"
To define a DES encrypted key, enter:
#(config) tacacs-server key acskefterefesdtx
To remove the key, enter:
#(config) no tacacs-server key
Setting the Global CSS TACACS+ Timeout Period

The CSS allows you to define a global TACACS+ timeout period for use with all configured TACACS+ servers. To determine the availability of the TACACS+ servers, the CSS sends periodic TCP keepalive probes to them. If the server does not respond to the probe within the timeout period, the CSS considers the server unavailable.

If the CSS attempts to contact the server and does not receive a response within the defined timeout value, it will use another server. The next configured server is contacted and the process repeated. If a second (or third) TACACS+ server has been identified, that server is selected as the active server.

If the CSS cannot reach all three TACACS+ servers, users will not be authenticated and cannot log into the CSS unless TACACS+ is used in combination with a RADIUS or local server, as defined through the virtual command or the console command. See the "Controlling Remote Access to the CSS" in this chapter.

By default, the global timeout period is 5 seconds. To change the timeout period, use the tacacs-server timeout command. Enter a number from 1 to 255.

Note The timeout period defined when specifying a TACACS+ server overrides the global timeout period. See "Defining a TACACS+ Server" in this chapter. To apply a modified global timeout period to a configured CSS TACACS+ server, remove the server and reconfigure it.

For example, to set the timeout period to 60 seconds, enter:
#(config) tacacs-server timeout 60
To reset the timeout period to its default of 5 seconds, enter:
#(config) no tacacs-server timeout
Setting TACACS+ Authorization

TACACS+ authorization allows the TACACS+ server to control specific CSS commands that the user can execute. CSS authorization divides the command set into two categories:

•Configuration commands that change the CSS running configuration.

•Non-configuration commands that do not change the running configuration. These commands include, but are not limited to, mode transition, show, and administrative commands.

By default, authorization is disabled. When authorization is enabled, the TACACS+ server is responsible for granting permission or denying all attempts to issue commands.

Note When you enable authorization, the exchange between the TACACS+ server and the CSS causes a delay in executing the command.

Failure of the TACACS+ server results in the failure of all authorization requests and the suspension of user activity unless another server is reachable. To enable users to execute commands in this case, configure a failover authentication method to a local user database. Users will need to log back into the CSS.

To enable authorization of all commands that change the running configuration, use the tacacs-server authorize config command. For example:
#(config) tacacs-server authorize config
To enable authorization of all commands that do not change the running configuration, use the tacacs-server authorize non-config command. For example:
#(config) tacacs-server authorize non-config
To disable authorization, use the no form of these commands. For example, to disable authorization for commands that affect the running configuration, enter:
#(config) no tacacs-server authorize config
To disable authorization for commands that do not affect the running configuration, enter:
#(config) no tacacs-server authorize non-config
Setting TACACS+ Accounting

TACACS+ accounting allows the TACACS+ server to receive an accounting report for commands that the user can execute. CSS accounting divides the command set into two categories:

•Configuration commands that change the CSS running configuration.

•Non-configuration commands that do not change the running configuration. These commands include, but are not limited to, mode transition commands, show commands, and administrative commands.

By default, the CSS disables accounting. When you enable accounting, you can account for configuration commands, non-configuration commands, or both.

Note Failure of the TACACS+ server does not result in the suspension of user activity.

To enable the TACACS+ server to receive accounting reports for all commands that change the running configuration, use the tacacs-server account config command. For example:
#(config) tacacs-server account config
To enable the TACACS+ server to receive accounting reports for all commands that do not change the running configuration, use the tacacs-server account non-config command. For example:
#(config) tacacs-server account non-config
To disable accounting, use the no form of these commands. For example, to disable accounting for commands that affect the running configuration, enter:
#(config) no tacacs-server account config
To disable accounting for commands that do not affect the running configuration, enter:
#(config) no tacacs-server account non-config
Showing TACACS+ Server Configuration Information

Use the show tacacs-server command to display the TACACS+ server configuration information. To view this information, enter:
(config)# show tacacs-server
Table 6-3 describes the fields in the show tacacs-server output.

Table 6-3 Field Descriptions for the show tacacs-server Command

Field

Description

IP/Port

The TACACS+ server IP address and port number

State

The operational state of the server (Alive, Dying, or Dead) determined by the internal TCP Keepalive

Primary

Indicates whether this record is the primary TACACS+ server

Authen

The number of authentication requests made to the TACACS+ server

Author

The number of authorization requests made to the TACACS+ server

Account

The number of accounting requests made to the TACACS+ server

Global Timeout

How long the CSS waits for a response from a TACACS+ server

Global Key

Shared secret, used by all TACACS+ servers, unless individually configured for the server

Authorize Config Commands

Indicates whether configuration commands receive authorization

Authorize Non-Config

Indicates whether non-configuration commands receive authorization

Controlling Remote Access to the CSS

To control access to the CSS, you can configure the CSS to authenticate remote (virtual) or console users. The CSS can authenticate users by using the local user database, RADIUS server, or TACACS+ server. You can also allow user access without authenticating or disallowing all remote user access to the CSS.

You can set a maximum of three authentication methods: a primary, secondary, or tertiary authentication method. The primary method is the first authentication method that the CSS tries. If the primary authentication method fails, the CSS tries the secondary method. And if the secondary method fails, then the CSS tries the tertiary method. In the event that the tertiary method also fails, the CSS displays a message that authentication has failed.

The following sections provide information on:

•Configuring Virtual Authentication

•Configuring Console Authentication

Note Before you can use RADIUS or TACACS+ as either the virtual authentication method or the console authentication method, you must enable communication with the RADIUS or TACACS+ security server. Use either the radius-server command (see "Configuring the CSS as a Client of a RADIUS Server" in this chapter) or the tacacs-server command (see "Configuring the CSS as a Client of a TACACS+ Server" in this chapter).

To display virtual and console authentication settings, use the show user-database command (refer to Chapter 1, Logging In and Getting Started, "Showing User Information").

Configuring Virtual Authentication

Virtual authentication allows remote users to log in to the CSS when they are using FTP, Telnet, SSHD, or the Device Management user interface with or without requiring a username and password. The CSS can also deny access to all remote users.

You can configure the CSS to authenticate users by using the local database, RADIUS server, or TACACS+ server. By default, the CSS uses the local database as the primary method to authenticate users, and disallows user access for the secondary and tertiary method.

To configure the primary, secondary, or tertiary virtual authentication method, use the virtual authentication command. The syntax for this global configuration command is:

virtual authentication [primary|secondary|tertiary [local|radius|tacacs|disallowed]]
The options are:

•primary - Defines the first authentication method that the CSS uses. The default primary virtual authentication method is the local user database.

•secondary - Defines the second authentication method that the CSS uses if the first method fails. The default secondary virtual authentication method is to disallow all user access.

Note If you are configuring a TACACS+ server as the primary authentication method, define a secondary authentication method, such as local.

•tertiary - Defines the third authentication method that the CSS uses if the second method fails. The default tertiary virtual authentication method is to disallow all user access.

•local - The CSS uses the local user database for authentication.

•radius - The CSS uses the configured RADIUS server for authentication.

•tacacs - The CSS uses the configured TACACS+ server for authentication.

•disallowed - The CSS disallows access by all remote users. Entering this option does not terminate existing connections.

Note To remove users currently logged into the CSS, use the disconnect command.

To define the TACACS+ server as the primary virtual authentication method, enter:
#(config) virtual authentication primary tacacs
To define local user database as the secondary virtual authentication method, enter:
#(config) virtual authentication secondary local
Configuring Console Authentication

Console authentication allows users to log into the CSS through a terminal connected to the console port with or without requiring a username and password. The CSS cannot disallow user access as a primary authentication method, however, it can disallow user access as a secondary or tertiary authentication method.

You can configure the CSS to authenticate users by using the local database, RADIUS server, or TACACS+ server. By default, the CSS uses the local database as the primary method to authenticate users, and disallows user access for the secondary and tertiary method.

To configure the primary, secondary, or tertiary console authentication method, use the console authentication command. The syntax for this global configuration command is:

console authentication [primary [local|radius|tacacs|none]
|secondary|tertiary [local|radius|tacacs|none|disallowed]]
The options are:

•primary - Defines the first authentication method that the CSS uses. The default primary console authentication method is the local user database.

•secondary - Defines the second authentication method that the CSS uses if the first method fails. The default secondary console authentication method is to disallow all user access.

Note If you are configuring a TACACS+ server as the primary authentication method, define a secondary authentication method, such as local. If you do not configure a secondary method and use the default of disallowed, you have the possibility of being locked out of the CSS.

•tertiary - Defines the third authentication method that the CSS uses if the second method fails. The default tertiary console authentication method is to disallow all user access.

•local - The CSS uses the local user database for authentication.

•radius - The CSS uses the configured RADIUS server for authentication.

•tacacs - The CSS uses the configured TACACS+ server for authentication.

•none - The CSS uses no authentication method. All users can access the CSS.

•disallowed - The CSS disallows access by all users (secondary or tertiary authentication method only). Entering this option does not terminate existing connections.

Note To remove users currently logged into the CSS, use the disconnect command.

To define the TACACS+ server as the primary console authentication method, enter:
#(config) console authentication primary tacacs
To define local user database as the secondary console authentication method, enter:
#(config) console authentication secondary local
To disable authentication on the console port allowing users to access the CSS without a username and password, enter:
#(config) no console authentication 
Restricting Access to the CSS

Use the restrict command to enable or disable console, FTP, SNMP, SSH, Telnet, user database, XML, and Web management data transfer to the CSS. CSS access through a console, FTP, SSHD, SNMP, and Telnet is enabled by default.

Entering the restrict command does not prevent the CSS from listening for connection attempts on the restricted port. For TCP connections, the CSS completes the TCP 3-way handshake, then terminates the connection with an error to prevent any data transfer from occurring. For UDP SNMP connections, the CSS simply discards the packets.

To secure restricted ports from unauthorized access, configure ACL clauses to deny packets destined to these ports, while permitting normal traffic to flow through the CSS. You can also use ACLs to secure the CSS itself. For more information, refer to the Cisco Content Services Switch Basic Configuration Guide.

Note Disable Telnet access when you want to use the Secure Shell Host (SSH) server. For details, refer to Chapter 3, Configuring CSS Network Protocols.

The syntax and options for this global configuration mode command are:

•restrict console - Disables console access to the CSS (enabled by default)

•restrict ftp - Disables FTP access to the CSS (enabled by default)

•restrict snmp - Disables SNMP access to the CSS (enabled by default)

•restrict ssh - Disables SSHD access to the CSS (enabled by default)

•restrict telnet - Disables Telnet access to the CSS (enabled by default)

•restrict user-database - Disables users from clearing the running-configuration, and creating or modifying usernames. Only administrator and technician users can perform these tasks (enabled by default).

•restrict xml - Disables XML access to the CSS (disabled by default)

•restrict web-mgmt - Disables Web management access to the CSS (disabled by default)

To enable access to the CSS:

•no restrict console - Enables console access to the CSS (enabled by default)

•no restrict ftp - Enables FTP access to the CSS (enabled by default)

•no restrict ssh - Enables SSHD access to the CSS (enabled by default)

•no restrict snmp - Enables SNMP access to the CSS (enabled by default)

•no restrict telnet - Enables Telnet access to the CSS (enabled by default)

•no restrict user-database - Enables users to clear the running-configuration, and create or modify usernames. Only administrator and technician users can perform these tasks (enabled by default).

•no restrict xml - Enables XML access to the CSS (disabled by default)

•no restrict web-mgmt - Enables Web management access to the CSS (disabled by default)

For example:
(config)# restrict telnet
Finding an IP Address

Use the find ip address command to search the CSS configuration for the specified IP address. You can include a netmask for subnet (wildcard) searches. This search can help you avoid IP address conflicts when you configure the CSS.

When you use this command, it checks services, source groups, content rules, ACLs, the management port, syslog, APP sessions, and local interfaces for the specified IP address. If the address is found, the locations of its use are displayed. If no addresses are found, the CSS returns you to the command prompt.

This command is available in all modes. The syntax is:

find ip address ip_or_host {subnet_mask|range number}

The options and variables for this command are:

•ip_or_host - IP address in dotted-decimal notation (for example, 192.168.11.1) or enter the host name in mnemonic host-name format (for example, host.domain.com).

•subnet mask - Enter as either:

–A prefix length in CIDR bitcount notation (for example, /24). Do not enter a space to separate the IP address from the prefix length.

–An IP address in dotted-decimal notation (for example, 255.255.255.0).

If you enter a mask of 0.0.0.0, the CSS finds all addresses.

•range number - Defines how many IP addresses you want to find, starting with the ip_or_host address. Enter a number from 1 to 65535. The default range is 1.

For example, if you enter an IP address of 203.1.1.1 with a range of 10, the CSS tries to find the addresses from 203.1.1.1 through 203.1.1.10.

For example:
(config)# find ip address 192.168.0.0
Users of IP address 192.168.0.0
Content Rule - 192.168.12.1, layer 3, owner: lml, state:Active
Content Rule - 192.168.12.1, layer 5, owner: lml, state:Active
Service - 192.168.3.6, serv1, state:Active
Service - 192.168.3.7, serv3, state:Active
Interface - 192.168.1.117. VLAN1
Interface - 192.168.2.117. VLAN1
Configuring Flow Parameters

The CSS enables you to configure the following flow parameters for the CSS using the flow command:

•flow permanent - Creates permanent TCP/UDP ports that are not reclaimed

•flow port-resets - Resets Fast Ethernet and Gigabit Ethernet ports automatically when the CSS detects that they are not responding

•flow reserve-clean - Reclaims interval flows with port numbers less than or equal to 23

•flow tcp-mss - Configures the TCP maximum segment size that the CSS expects to receive from the transmitting device

•flow statistics - Displays statistics on currently allocated flows

Note Flow parameter setup is restricted on the following TCP/UDP ports: 67 (BOOTP server), 68 (BOOTP client), 137 (NETBIOS name service), 138 (NETBIOS datagram service), 161 (SNMP), 162 (SNMP traps), 520 (RIP), and 8089 (restricted UDP only).

Configuring Permanent Connections for TCP/UDP Ports

The CSS allows you to configure a maximum of 10 TCP/UDP ports that will have permanent connections and will not be reclaimed by the CSS when the flows are inactive. To configure a TCP/UDP port as a permanent connection, use the flow permanent command. This command is typically used when you are load-balancing long-lived connections or you observe the CSS dropping long-lived idle TCP connections.

Enter a port number from 0 to 65535. The default is 0.

Note A CSS may reclaim TCP/UDP flows that have not received an ACK or content request after approximately 15 seconds. To prevent the CSS from reclaiming TCP/UDP flows to a specific source or destination port, use the flow permanent command and specify the TCP/UDP port number you do not want reclaimed.

The options for this command are:

•flow permanent port1 portnumber

•flow permanent port2 portnumber

•flow permanent port3 portnumber

•flow permanent port4 portnumber

•flow permanent port5 portnumber

•flow permanent port6 portnumber

•flow permanent port7 portnumber

•flow permanent port8 portnumber

•flow permanent port9 portnumber

•flow permanent port10 portnumber

To configure port 1520 as a permanent connection, enter:
(config) flow permanent port1 1520
To reset a permanent connection to its default port number of 0, use the no flow permanent command. To reset the port number for port1 to 0, enter:
(config) no flow permanent port1
Resetting Fast Ethernet and Gigabit Ethernet Ports

You can configure a CSS to reset its Fast Ethernet and Gigabit Ethernet ports automatically when it detects that they are not responding during operation. Use the flow port-resets command to enable this function. By default, port resetting is enabled on a CSS.

Caution Do not disable port-resets without guidance from Cisco Systems support personnel.

For example:
(config)# flow port-resets
To disable port resets on the CSS, enter:
(config)# no flow port-resets
Configuring TCP Maximum Segment Size

Use the flow tcp-mss command to configure the TCP maximum segment size (MSS) that the CSS expects to receive from the transmitting device. The MSS is the largest amount of TCP data that can be transmitted in one segment. The flow tcp-mss command changes the MSS value in the TCP header OPTIONS field of a SYN segment. You can use the flow tcp-mss command to reduce the MSS from the default value of 1460 bytes. The need for a smaller MSS between devices may be necessary in rare instances due to network restrictions between devices.

Note The flow tcp-mss command applies only when the client is accessing a Layer 5 content rule. The CSS does not negotiate TCP maximum segment size for Layer 3 or Layer 4 content rules.

Enter a maximum segment size (in bytes) from 1 to 1460. The default is 1460 bytes. Use the no form of the command to reset the TCP maximum segment size back to the default value of 1460 bytes.

Caution Do not define a smaller than necessary TCP maximum segment size with the flow tcp-mss command. Smaller payloads may be less efficient due to increased overhead.

To configure a TCP maximum segment size of 1400 bytes, enter:
(config)# flow tcp-mss 1400
To reset the TCP maximum segment size to the default value of 1460 bytes, enter:
(config)# no flow tcp-mss
Reclaiming Reserved Telnet and FTP Control Ports

Use the flow reserve-clean command in global configuration mode to define how often the CSS scans flows from reserved Telnet and FTP control ports to reclaim them. Control ports have port numbers less than or equal to 23. When the CSS determines that one of these ports has a flow with asymmetrical routing, it reclaims the port.

Enter the flow reserve-clean time in seconds as the interval the CSS uses to scan flows. Enter an integer from 0 to 100. The default is 10. To disable the flow reclaiming process, enter a flow reserve-clean value of 0.

For example:
(config)# flow reserve-clean 36
To disable flow cleanup on Telnet and FTP control ports, enter:
(config)# no flow reserve-clean
Showing Flow Statistics

Use the flow statistics command to display statistics on currently allocated flows.

For example:
(config)# flow statistics
Flow Manager Statistics:
                         Current   High     Avg
UDP Flows per second     0         0        0
TCP Flows per second     0         4        0
Total Flows per second   0         4        0
Hits per second          0         0        0
-------------------------------------------------------------
Port      Active      Total         TCP     UDP
-------------------------------------------------------------
1         13          43339169      13      0
2         16          43337519      16      0
5         18          3167362       18      0
6         9           33483528      9       0
Configuring Flow Resource Reclamation

Use this feature to configure flow inactivity timeout values for TCP and UDP flows on a per rule and per source group basis. Note that this timeout value is not the frequency with which a CSS reclaims flow resources, but the time period that must elapse for an idle flow before the CSS marks the flow for cleanup.

To set up and keep track of flows, a CSS uses data structures called flow control blocks (FCBs). For optimal performance, the CSS reuses FCBs that are no longer needed by flows. Flow resource reclamation involves removing FCBs from the TCP and UDP lists.

Normally, flow cleanup occurs at a rate that is directly related to the overall number of flows that are currently active on a CSS. A CSS always cleans up UDP flows. For TCP flows, a CSS reclaims resources when the number of used FCBs reaches a certain percentage of the total FCBs. A CSS also cleans up long-lived TCP flows that have received a FIN or a RST, or whose timeout values have been met.

Timeout Value Precedence

The CSS uses the following guidelines in the order presented when reclaiming flow resources:

1. If a flow matches on a content rule, the CSS checks for a user-configured timeout value and uses that value if one exists.

2. If the flow matches on a source group, the CSS checks for a user-configured timeout and uses that value if one exists.

3. If you have configured a permanent port using the flow permanent port command, the CSS sets the flow timeout value to 0, which means that the flow should never time out.

4. If none of the above conditions are met, then the CSS uses the default timeout value for the protocol type. For the default timeout values, see "Displaying Flow Timeout Statistics" in this chapter.

Configuring Flow Timeouts

To specify the number of seconds for which an idle flow can exist before the CSS tears it down, use the flow-timeout-multiplier command in owner-content or group configuration mode.

The syntax for this command is:

flow-timeout-multiplier number
Enter an integer for the number variable from 0 to 65533. The CSS multiplies the value you specify by 16 to calculate the flow timeout in seconds. The default value depends on the TCP or UDP port number (see the show flow-timeout default command description later in this chapter). This default value applies only to flows that are created under a content rule or source group.

A value of zero (no timeout) instructs the CSS to never tear down the flow, resulting in a permanent flow and lost resources. This is equivalent to entering the flow permanent port command (see "Configuring Permanent Connections for TCP/UDP Ports" in this chapter).

These examples show flow timeout periods of 80 seconds:
(config-owner-content[cisco-rule1])# flow-timeout-multiplier 5
(config-group[group1])# flow-timeout-multiplier 5
To disable the configured flow-timeout-multiplier value and restore the default timeout for the port type, enter:
(config-owner-content[cisco-rule1])# no flow-timeout
(config-group[group1])# no flow-timeout
Displaying Flow Timeout Statistics

Use the show flow-timeout default command to display the default timeout values for TCP and UDP ports and applications. The default values are not user configurable.

Table 6-4 shows the fields in the show flow-timeout default output.

Table 6-4 Field Descriptions for show flow-timeout default Command

Field

Description

TCP/IP Port

Default TCP or UDP port numbers.

Application

Names of the default TCP or UDP applications.

Inactivity Timeout Seconds

Default flow inactivity timeouts in seconds for the TCP or UDP port. If a flow is idle for the amount of time specified in the timeout value, the CSS tears down the flow and reclaims the flow resources.

Use the show flow-timeout configured command to display the configured flow timeout values. The command output includes the content rule or source group for which you configured the flow timeout value.

Table 6-5 describes the fields in the show flow-timeout configured output.

Table 6-5 Field Descriptions for the show flow-timeout configured Command

Field

Description

Port

TCP or UDP port number.

Content Rule

Name of the content rule for which the flow timeout is configured.

Source Group

Name of the source group for which the flow timeout is configured.

Timeout

Configured inactivity timeout in 16-second increments for the TCP or UDP port. When this time period elapses for an idle flow, the CSS tears down the connection and reclaims the FCBs.

Displaying Content Rule and Source Group Information

If you configure a flow timeout value in a content rule or a source group, the show rule or show group command output will have an additional field called Flow Timeout Multiplier. This field contains the configured timeout value assigned to flows that match on the rule or group.

For details on the show rule command, refer to the Cisco Content Services Switch Basic Configuration Guide, Chapter 3, Configuring Content Rules. For details on the show group command, refer to the Cisco Content Services Switch Basic Configuration Guide, Chapter 5, Configuring Source Groups, ACLs, EQLs, URQLs, NQLs, and DQLs.

Configuring CSS Portmapping

The following sections describe how to globally control the range of port numbers a CSS uses when it translates (portmaps) TCP and UDP source port numbers specified in packets sent from clients. A CSS assigns unique port numbers within a configurable range for the source port numbers specified in the packets, then sends the packets to the appropriate server port. When a server initiates a return flow, the packets flow through the CSS. The CSS matches the translated port number with the client who initiated the request and sends the server packets to the appropriate client.

Each CSS maintains a database of used and available portmap numbers. When a CSS needs to portmap a source port, it uses the next unused port number in its database.

For information on portmapping with source groups, refer to Cisco Content Services Switch Basic Configuration Guide, Chapter 5, Configuring Source Groups, ACLs, EQLs, URQLs, NQLs, and DQLs.

Configuring Global Portmapping

The global portmapper in a CSS is called the megaportmapper. The megaportmapper database comprises 16 banks of portmap numbers (megamap banks) in each session processor (SP) with unique ranges. A CSS uses a source port hash algorithm to select a megamap bank.

Use the global-portmap command to control the global source-port translation (portmapping) for TCP flows on a CSS. This command is always enabled. You can use this command to specify the source-port mapping range on:

•An 11500 series CSS when you configure a service that uses a non-default destination port number. A CSS changes a TCP destination port number configured on a service in a content rule when a request hits the content rule and the CSS sends a packet to the selected server. The CSS uses the global portmap command parameters to translate the corresponding client source port number to distinguish it from other clients requesting the same service.

•Redundant 11500 series CSS peers in an Adaptive Session Redundancy (ASR) configuration. For information on ASR, refer to the Cisco Content Services Switch Advanced Configuration Guide, Chapter 6, Configuring VIP and Virtual IP Interface Redundancy.

•Any CSS with back-end server remapping enabled (refer to the Cisco Content Services Switch Basic Configuration Guide, Chapter 3, Configuring Content Rules).

Note When you configure a source group, the portmap command parameter values take precedence over the global-portmap command parameter values. Note that the portmap disable command has no effect on TCP flows.

The syntax for this global configuration mode command is:

global-portmap base-port number1 range number2
The options and variables for this command are:

•base-port number1 - The starting port number for global portmapping on a CSS. Enter an integer from 2016 to 63456. The default is 2016.

•range number2 - The number of ports in the portmap range. Enter an integer from 2048 to 63488. The default is 63488.

Note If you enter a portmap range that exceeds the number of available ports, you get an error. To determine the number of available ports, subtract the starting port number you specify from 65504.

For example:
(config)# global-portmap base-port 3096 range 42308
To return the global-portmap command parameters to their default values, enter:
(config)# no global-portmap
Displaying Global Portmapping Statistics

Use the show global-portmap command to display statistics for global portmapping on a CSS. This command is available in all modes except RMON, URQL, and VLAN configuration modes.

The syntax for this command is:

show global-portmap [all-banks [all-sps|slot number1]|number2 [all-sps|slot number1]]
The options and variables for this command are:

•all-banks - Specifies the display of global portmap information for all portmap banks (0 to 15).

•all-sps - Specifies the display of global portmap information for all session processors (SPs) in the CSS.

•slot number1 - The chassis slot where the module resides. For a CSS 11503, enter an integer from 1 to 3. For a CSS 11506, enter an integer from 1 to 6.

To display the available active slots in the CSS, enter the show global-portmap all-banks slot ? command. If you enter an invalid slot number, the CLI displays values for only the first two parameters listed in Table 6-6.

•number2 - Global portmap bank number. Enter an integer from 0 to 15.

To display portmapping statistics for all megamap banks (up to 16) on every active SP in the CSS, enter:
(config)# show global-portmap all-banks all-sps
To display global portmapping statistics for megamap bank 12 in the SP that resides in slot 3, enter:
(config)# show global-portmap 12 slot 3
Table 6-6 describes the fields in the show global-portmap output.

Table 6-6 Field Descriptions for show global-portmap Command

Field

Description

MegaMap Banks in Use Per SP

The number of global portmapping banks being used in each session processor (SP). There are 16 banks available in each SP. A CSS selects a bank by hashing the source address contained in a packet.

Configured Base Port

The base-port (starting port number) specified with the global-portmap command or the default of 2016.

Total Configured Ports

The total number of ports specified with the global-portmap range command or the default of 63488.

Slot

The number of the slot in the CSS 11503 or CSS 11506 where the specified SP resides.

MegaMap Bank #

The number of the portmapping bank. Possible values are 0 to 15 for a total of 16 banks for each SP.

Number Normal Avail Ports

The number of ports available for use by the NATing algorithm when the source port number is different from the destination port number in a TCP packet.

Current Mapped Ports

The total number of ports currently in use or mapped.

Last Normal Mapped Port

The most recent port number used by the NATing algorithm when the source port number is different from the destination port number in a TCP packet.

Equal Port Base Port

The starting port number that the NATing algorithm uses when the source port number is the same as the destination port number in a TCP packet.

Number Equal Avail Ports

The number of ports available for use by the NATing algorithm when the source port number is the same as the destination port number in a TCP packet.

High Water Mark

The largest number of ports ever mapped or in use at one time.

Last Equal Mapped Port

The last port number used by the NATing algorithm when the source port number is the same as the destination port number in a TCP packet.

No Portmap Errors

The number of times that a failure occurred because no ports were available (all ports were mapped).

Configuring Noflow Portmapping

Use the noflow-portmap command to control the port translation (portmapping) range of DNS UDP source-port numbers greater than 1023 on a CSS. This command is always enabled. However, before a CSS can use this command, you must enter the dnsflow disable command to disable DNS flows on the CSS. For details on the dnsflow command, refer to Chapter 3, Configuring CSS Network Protocols, "Specifying UDP Traffic on the DNS Server Port".

Note The portmap command values configured in a source group take precedence over the noflow-portmap command values, unless you configure the portmap disable command. For details on configuring the portmap commands in a source group, refer to Cisco Content Services Switch Basic Configuration Guide, Chapter 5, Configuring Source Groups, ACLs, EQLs, URQLs, NQLs, and DQLs.

The syntax for this global configuration mode command is:

noflow-portmap base-port number1 range number2
The options and variables for this command are:

•base-port number1 - The starting port number for no-flow (DNS flows are disabled) portmapping on a CSS. Enter an integer from 2016 to 63456. The default is 2016.

•range number2 - The number of ports in the portmap range. Enter an integer from 2048 to 63488. The default is 63488.

Note If you enter a value for the portmap range that exceeds the number of available ports, you get an error. To determine the number of available ports, subtract the starting port number from 65504.

For example:
(config)# noflow-portmap base-port 4317 range 35421
To reset the starting port number and portmap range to their default values, enter:
(config)# no noflow-portmap
Displaying Noflow Portmapping Statistics

Use the show noflow-portmap command to display statistics for noflow portmapping on a CSS. This command is available in all modes except RMON, URQL, and VLAN configuration modes.

The syntax for this command is:

show noflow-portmap [all-sps|slot number]
The options and variables for this command are:

•all-sps - Specifies the display of noflow portmap information for all session processors (SPs) in the CSS.

•slot number - The chassis slot number where the module resides. For a CSS 11503, enter an integer from 1 to 3. For a CSS 11506, enter an integer from 1 to 6.

Note To display the available active slots in the CSS, enter the show noflow-portmap slot ? command. If you enter an invalid slot number, the CLI displays values for only the first two parameters listed in Table 6-7.

For example:
(config)# show noflow-portmap slot 3
Table 6-7 describes the fields in the show noflow-portmap output.

Table 6-7 Field Descriptions for show noflow-portmap Command

Field

Description

Configured Base Port

The starting port number specified by the noflow-portmap base-port command or the default of 2016

Total Configured Ports

The total number of ports specified by the noflow-portmap range command or the default of 63488

Slot

The number of the slot in the CSS 11503 or CSS 11506 where the specified SP resides

Number Normal Avail Ports

The number of ports available for use by the NATing algorithm when the source port number is different from the destination port number in a UDP packet

Current Mapped Ports

The total number of ports currently in use or mapped

Last Normal Mapped Port

The most recent port number used by the NATing algorithm when the source port number is different from the destination port number in a UDP packet

Equal Port Base Port

The starting port number that the NATing algorithm uses when the source port number is the same as the destination port number in a UDP packet

Number Equal Avail Ports

The number of ports available for use by the NATing algorithm when the source port number is the same as the destination port number in a UDP packet

High Water Mark

The largest number of ports ever mapped or in use at one time

Last Equal Mapped Port

The last port number used by the NATing algorithm when the source port number was the same as the destination port number in a UDP packet

No Portmap Errors

The number of times that a failure occurred because no ports were available (all ports were mapped)

Enabling and Disabling Core Dumps

A core dump occurs when the CSS experiences a fatal error. The CSS allows you to enable or disable core dumps. Core dumps are enabled by default.

When the CSS experiences a fatal error and core dumps are enabled, the CSS:

•Writes information about the fatal error to the Core directory of the volume root (for example, c:\core) on either the hard or flash disk. On the:

–11000 series CSSs, the hard disk can store up to 30 sequentially numbered dump files. The flash disk stores one compressed dump file of 70 MB.

–11500 series CSSs, the hard or flash disk stores one dump file per slot per card type until the disk is full. Files can be 10 to 20 MB in size.

•Reboots automatically.

Note For a flash disk-based system, if the core dump file is older than 15 minutes, it may be overwritten. If you want to save the core dump file for later examination, archive it to another directory or disk before it is overwritten. For details on using the archive log command, refer to Chapter 1, Logging In and Getting Started, "Archiving a Log File".

When the CSS experiences a fatal error and core dumps are disabled, the CSS reboots automatically. The CSS does not write information to the hard disk or the flash disk.

Note Core dump information is for Customer Support use only.

To disable core dumps, enter:
(config)# dump disable
To reenable core dumps (the default setting), enter:
(config)# dump enable
Displaying Core Dumps

Use the show core command to display the core dump files stored in the Core directory of the volume root (for example, c:\core) on the hard disk or flash disk. This command is available in all mode except for User mode.

Use the show core disk_slot command to display the core dump files stored in the Core directory of the volume root of a specific disk in the CSS 11501, CSS 11503, or CSS 11506. Valid selections are 0 (for the disk in slot 0) or 1 (for the disk in slot 1).

For example:
# show core
SCP0101_4.80_115... OCT 31 15:06:26       16708412
SCP0101_4.80_109... OCT 29 16:56:16       37806459
SCP0101_4.80_116... NOV  1 15:54:28       38403870 
Configuring Content API

The CSS Content Application Program Interface (API) feature allows you to use a network management workstation to make Web-based configuration changes to the CSS using Extensible Markup Language (XML) documents. XML is a powerful tool that can be used to automatically configure a CSS using all of the CLI commands included in the CSS software, such as to specify server weight and load, to configure load balancing across a group of servers, or to configure content rules to restrict access to a group of directories or files on the servers.

XML code loads a series of CLI commands into the CSS without the need to respond to the prompts, similar to operating in expert mode. As the CSS administrator, plan which type of changes you want to implement and the consequences of these changes as they are performed.

After you create the XML document, you publish (upload) the XML file to the Hypertext Transfer Protocol (HTTP) server embedded in the CSS using an HTTP PUT method.

Creating XML Code

When developing XML code for the Content API to issue CLI commands, adhere to the following guidelines. You can use any text editor for creating the XML code.

1. Include the following line as the first line in the XML file:
<?xml version="1.0" standalone="yes"?>
2. Enclose the CLI commands within the <action></action> tag set. For example:
<action>add service MyServiceName</action>
<action>vip address 10.2.3.4</action>
Note A nested script play command (to execute a script line by line from the CLI) is not allowed in an XML file. This restriction is enforced because the actual execution of the XML tag set is performed within a script play command

3. If special characters are required in an XML configuration, be aware of the following considerations:

–The CSS supports the inclusion of the ~, !, @, #, $, ^, &, *, (, and ) characters in XML content. All other special characters (such as <, >, and %) are not supported in an XML configuration.

–Special characters can be included in a service, owner, or content name provided that the name is included in the content of the XML element and the name is enclosed within an <action></action> tag set. For example, <action>service My@#Service</action>.

–If special characters do form part of an XML tag, specifically an attribute, these characters are not supported (for example, <service name = My@#Service>. In this case, the command request may be rejected or the special characters may be discarded. You must enclose the special characters within an <action></action> tag set, as described above.

4. Pay attention to mode hierarchy of the CLI commands in the XML file. Each mode has its own set of commands. Many of the modes have commands allowing you to access other related modes. If you enter a series of commands in the improper mode hierarchy, this will result in an XML file that fails to execute properly.

As an example, the following commands configure an access control list (ACL):
<?xml version="1.0" standalone="yes" ?>
<config>
    <action>acl 98</action>
        <action>clause 10 permit any any dest any</action>
    <action>apply circuit-(VLAN3)</action>
</config>
In another example, the following commands configure a CSS Ethernet interface:
<?xml version="1.0" standalone="yes" ?>
<config>
    <action>interface ethernet-6</action>
    <action>bridge vlan 3</action>
    <action>circuit VLAN3</action>
        <action>ip address 10.10.104.1/16</action>
</config>
5. Pay attention to the allowable CLI command conventions for syntax and variable argument in the XML file. If you enter an invalid or incomplete command, this will result in an XML file that fails to execute properly.

Note For overview information on the CLI commands you can use in global configuration mode and its subordinate modes, refer to the Cisco Content Services Switch Command Reference, Chapter 2, CLI Commands.

XML Document Example

The following example is a complete XML document. The XML document creates three services, an owner, and a content rule, and assigns one of the newly created services to the content rule.
<?xml version="1.0" standalone="yes"?>
<config>
    <service name="router">
        <ip_address>10.0.3.1</ip_address>
        <action>active</action>
    </service>
    <service name="sname2">
        <ip_address>10.0.3.2</ip_address>
        <weight>4</weight>
        <action>active</action>
    </service>
    <service name="sname3">
        <ip_address>10.0.3.3</ip_address>
        <weight>5</weight>
        <protocol>udp</protocol>
        <action>suspend</action>
    </service>
    <service name="nick">
        <ip_address>10.0.3.93</ip_address>
        <action>active</action>
    </service>
    <owner name="test">
    <content name="rule">
        <vip_address>10.0.3.100</vip_address>
        <protocol>udp</protocol>
        <port>8080</port>
        <add_service>nick</add_service>
        <action>active</action>
    </content>
    </owner>
</config>
Controlling Access to the CSS HTTP Server

To control access to the HTTP server running on the CSS, use the restrict xml and no restrict xml commands. Clients can send XML documents to this server to configure the CSS. The options for this global configuration mode command are:

•no restrict xml - Allow client access to the HTTP server on the CSS

•restrict xml - Deny client access to the HTTP server on the CSS

Parsing the XML Code

After you complete the XML file, parse the code to ensure that it is syntactically correct. The easiest way to parse XML code is to open the XML file directly from Microsoft® Internet Explorer. Syntax errors are flagged automatically when the file is loaded. If an error occurs, review your XML code and correct all syntax errors.

Publishing the XML Code to the CSS

The completed XML file is remotely published (uploaded) to the HTTP server in the CSS from the external network management workstation by using a HTTP PUT method. The HTTP PUT method uses the IP address of the CSS as the destination URL where you want to publish the XML file.

Note When XML is enabled, the CSS listens for XML connections on port 80.

When you publish XML files to the HTTP server in the CSS, the CSS requires a valid username and password as part of the user authentication process. The username must have SuperUser privileges to be able to add XML files to the CSS.

Note Ensure that the CLI commands in the XML document do not have an impact on the interface configuration through which the XML file transfer process occurs (for example, including the command no ip addr, which identifies the IP address of the CSS receiving the XML file). If this occurs, you will disconnect the workstation performing the XML file transfer.

Software is available to simplify the process of publishing XML files to the CSS HTTP server. These software packages offer a simple method to publish files to a Web server. This software uses the HTTP protocol to publish files and require no special software on the Web server side of the connection.

Note An error code in the publishing process usually means that no restrict xml (for CSS software version 4.x) or the webmgmt-state enable (for CSS software version 3.x) commands have not been issued on the CSS prior to publishing the XML file. See the "Controlling Access to the CSS HTTP Server" section for details.

Testing the Output of the XML Code

Test the output of the XML code by reviewing the running configuration of the CSS. After the XML has been successfully published to the CSS, Telnet to the switch and enter the show running-config command to verify that the XML changes have properly occurred. If the XML changes are incorrect or missing, republish the XML code to the CSS as described in the "Publishing the XML Code to the CSS" section.

Configuring the Command Scheduler

Use the cmd-sched command to configure the scheduled execution of any CLI commands, including playing scripts. The commands that will be executed are referred to as the command string. To schedule commands, you must create a configuration record, which includes a provision about when to execute the commands, and the command string.

For example, you can use this command to schedule periodic content replication, the gathering of statistics, and scheduled configuration changes. At the specified time, the command scheduler executes a command string by creating a pseudo-login shell where each string is executed. A cmd-sched record is scheduled for execution only upon completion of its shell. Use the show lines command to display information about active pseudo shells (refer to Chapter 1, Logging In and Getting Started, "Showing Current Logins").

Note To terminate the execution of a command string, use the disconnect command.

The syntax and options for this global configuration mode command are:

•cmd-sched - Enable command scheduling.

•cmd-sched record name minute hour day month weekday "commands..." {logfile_name} - Create a configuration record for the scheduled execution of any CLI commands, including the playing of scripts.

The variables are listed below. When entering minute, hour, day, month, and weekday variables, you may enter a single integer, a wildcard (*), a list separated by commas, or a range separated by a dash (-).

•name - The name of the configuration record. Enter an unquoted text string with a maximum of 16 characters.

•minutes - The minute of the hour to execute this command. Enter an integer from 0 to 59.

•hour - The hour of the day. Enter an integer from 0 to 23.

•day - The day of the month. Enter an integer from 0 to 31.

•month - The month of the year. Enter an integer from 1 to 12.

•weekday - The day of the week. Enter an integer from 1 to 7. Sunday is 1.

•command - The commands you want to execute. Enter a quoted text string with a maximum of 255 characters. Separate multiple commands with a semicolon (;) character. If the command string includes quoted characters, use a single quote character; any single quoted characters not preceded by a backslash (\) character is converted to double quotes when the command string is executed.

•logfile_name, as an optional variable that defines the name of the log file. Enter a text string with a maximum of 32 characters.

Any of the time variables can contain one or some combination of the following values:

•A single number to define a single or exact value for the specified time variable.

•A wildcard (*) character matching any valid number for the specified time variable.

•A list of numbers separated by commas, with a maximum of 40 characters, to define multiple values for a time variable.

•Two numbers separated by a dash (-) character indicating a range of values for a time variable.

For example:
(config)# cmd-sched record periodic_shows 30 21 3 6 1 "show 
history;show service;show rule;show system-resources"
To enable command scheduler, enter:
(config)# cmd-sched
To disable command scheduling, enter:
(config)# no cmd-sched
To delete a configuration record, enter:
(config)# no cmd-sched periodic_shows
Showing Configured Command Scheduler Records

Use the show cmd-sched command to display the state of the command scheduler and information about the records for the scheduled CLI commands. The syntax and options are:

•show cmd-sched - Lists the state of the command scheduler and all scheduled CLI command records

•show cmd-sched name record_name - Lists information about the specified scheduled CLI command record

To view the command scheduler state and all scheduled CLI command records, enter:
(config)# show cmd-sched
Cmd Scheduler: Enabled	1 record currently configured.
Sched Rec: suspendRule id: 8265b980 Next exec: APR 14 10:46:00 
executions:1145
	minList:         0
	hourList:        12
	dayList:         *
	monthList:       *
	weekdayList:     2,3,4,5,6
	cmd:             config;owner owner1;content content1;suspend
Table 6-8 describes the fields in the show cmd-sched output.

Table 6-8 Field Descriptions for the show cmd-sched Command

Field

Description

Cmd Scheduler

State of the command scheduler (enabled or disabled) and the number of configured records.

Sched Rec

The name of the configuration record.

id

The ID for the record.

next exec

The day and time when the record will be executed.

executions

How many times the record has executed.

minList

The configured minute of the hour to execute the command.

hourList

The configured hour of the day to execute the command.

dayList

The configured day of the month to execute the command.

monthList

The configured month of the year to execute the command.

weekdayList

The configured day of the week to execute the command. Sunday is 1.

cmd

The commands you want to execute. Separate multiple commands with a ; (semicolon) character.

Where to Go Next

Chapter 7, Configuring Simple Network Management Protocol (SNMP), describes how to configure SNMP on the CSS.