-
CSS Advanced Configuration Guide (Software Version 7.20)
-
Index
-
Preface
-
Configuring the CSS Domain Name Service
-
Configuring the DNS Sticky Feature
-
Configuring a CSS as a Content Routing Agent
-
Configuring a Client Side Accelerator
-
Configuring Network Proximity
-
Configuring VIP and Virtual Interface Redundancy
-
Configuring Adaptive Session Redundancy
-
Configuring Box-to-Box Redundancy
-
Configuring Content Replication
-
Configuring SSL Traffic through the CSS
-
Configuring Firewall Load Balancing
-
Using the CSS Scripting Language
-
Using an XML Document to Configure the CSS
-
Feedback
Table Of Contents
A - B - C - D - E - F - G - H - I - K - L - M - N - O - P - Q - R - S - T - U - V - W - X - Z
Index
A
accelerated domain4-13
access FTP
demand-based replication9-6
publishing and subscribing9-9
Adaptive Session Redundancy
configuration quick start7-10
configuration requirements and restrictions7-7
content rule, redundant7-13
displaying information7-15
index, redundant7-6
Inter-Switch Communications7-12
overview7-4
service, redundant7-13
source group, redundant7-14
administrative distance, configuring for firewall load balancing11-5
APP
configurations, displaying1-9
frame size1-6
overview1-3
port1-6
Proximity Database5-20
Proximity Domain Name Server5-45
session between two CSSs1-7
session using RCMD1-9
using with Network Proximity5-15
Application Peering Protocol. See APP
Application Peering Protocol-User Datagram Protocol. See APP-UDP
Application Program Interface (API), configuring13-1
APP-UDP
configurations, displaying5-19
configuring5-15
enabling5-16
options, configuring5-17
options, removing5-18
port5-18
Proximity Database5-20
Proximity Domain Name Server5-45
security5-16
A-record1-25
ASR. See Adaptive Session Redundancy
associating (SSL)
Diffie-Hellman parameter file10-33
DSA key pair10-32
RSA key pair10-32
SSL certificates10-31
audiencexxviii
B
backend SSL server
acceleration service type10-82
activating service10-84
cipher suites10-69
configuration quick start10-13
configuring10-65
configuring proxy list entry10-66
configuring service IP address10-83
configuring service port number10-83
configuring to a service10-82
content rule10-86
handshake negotiation10-71
IP address10-67
server IP address10-68
server port number10-68
server-side TCP SYN timeout10-74
session cache timeout10-70
SSL TCP client-side connection options10-76
SSL version10-69
TCP nagle algorithm, client-side connection10-76
TCP nagle algorithm, server-side connection10-76
virtual client TCP inactivity timeout10-73
virtual client TCP SYN timeout10-73
virtual port10-67
boomerang3-2
box-to-box redundancy. See IP redundancy
buffer count, DNS server1-16
C
cable, crossover for IP redundancy8-9
cache
domain, for Client Side Accelerator4-11
certificates (SSL)
associating10-31
associations, viewing10-35, 10-41
certificate signing request, generating10-27
DSA certificate association, SSL proxy list10-49
file formats10-22
importing/exporting10-20, 10-21
removing10-42
RSA certificate association, SSL proxy list10-48
self-signed certificate, generating10-29
storage10-7
verifying10-34
cipher suites (SSL)10-51
circuit IP interface, configuring for VIP redundancy6-17
circuits, redundant for IP redundancy8-12
CLI
command scheduler12-3
content API, configuring13-1
conventions in XML code13-3
hierarchy in XML code13-2
Client Side Accelerator
configuration, displaying4-14
disabling4-11
DNS server forwarder4-12
DNS server zones4-14
domain cache4-11
domain cache statistics, displaying4-16
enabling4-10
information, displaying4-14
overview4-2
quick start4-7
command scheduler
configuring12-3
displaying records12-5
configuration example
firewall load balancing11-7
SSL proxy configurations10-99
configuration quick start
Adaptive Session Redundancy7-10
Client Side Accelerator4-7
Content Routing Agent3-4
DNS Sticky2-5
IP redundancy8-6
Network Proximity5-12
Proximity Database5-12
Proximity Domain Name Server5-13
RSA certificate and key generation10-9
RSA certificate and key import10-11
SSL proxy configuration list10-9
SSL proxy list, backend SSL server10-13
SSL proxy list, virtual server10-12
SSL service10-14
VIP redundancy6-15
virtual IP interface redundancy6-15
configuration synchronization
script for IP redundancy8-15
script for VIP redundancy6-24, 6-25
content
displaying9-16
domain, creating using APP session1-7
router3-2
staging and replication9-8
content API
creating XML code13-1
mode hierarchy13-2
parsing XML code13-4
special characters13-2
testing XML code13-5
Content Routing Agent
configuration quick start3-4
configuring3-5
CPU load threshold3-5
disabling3-5
displaying statistics3-10
domain alias3-8
domain records3-6
domain statistics, clearing3-9
enabling3-5
example3-3
overview3-2
content rule
backend SSL service10-86
hot list9-2
replication and staging9-15
SSL rule quick start10-14
virtual SSL service10-85
Content Services Switch
HTTP server, controlling access13-4
CRA. See Content Routing Agent
critical services
configuring for CSS-to-CSS redundancy8-20
configuring for VIP redundancy6-22
displaying for CSS-to-CSS redundancy8-22
displaying for VIP redundancy6-29
crossover cable pinouts for IP redundancy8-9
CSA. See Client Side Accelerator
D
database
proximity2-4, 2-12, 5-5, 5-12, 5-14, 5-20, 5-35
demand-based replication
FTP access9-6
FTP record9-7
max age9-5
max content9-5
max usage9-5
service type9-4
Diffie-Hellman
associating key exchange file10-33
cipher suites10-51
generating key agreement file10-26
key exchange parameter file association, SSL proxy list10-51
overview10-4
parameter associations, viewing10-40
DNS
Client Side Accelerator4-2
content domain1-2
Content Routing Agent3-2
converting content rule-based to zone-based2-11
owner1-42
peer interval1-40
peer receive slots1-40
peer send slots1-41
proximity record statistics, displaying5-52
record statistics, resetting4-14
removing from content rule1-43
service, adding to content rule1-42
weighted roundrobin1-14, 1-15, 1-25, 1-28, 1-30, 1-33, 1-34, 1-38
DNS peer
CSS, configuring as1-40
information, displaying1-41
DNS records
A-records1-25
configuring1-25
NS-records1-29
DNS server
authoritative1-13
buffer count1-16
configuration, displaying1-19
database information, displaying1-20
domain records1-25, 1-35, 1-36
domain statistics, displaying1-21
forwarder1-17
forwarder statistics, displaying1-22
peer interval1-40
responder task count1-16
server and zone information, displaying1-18
DNS Sticky
configuration quick start2-5
converting content rule-based DNS to zone-based2-11
displaying statistics2-16
domain load statistics2-18
domain records1-27, 1-32, 2-15
domain record statistics, displaying2-18
Global Sticky Database2-12
interface for GSDB2-13
overview2-2
TTL for GSDB2-15
with a GSDB2-3
with Network Proximity2-4
without GSDB2-3
documentation
audiencexxviii
chapter contentsxxviii
setxxx
symbols and conventionsxxxi
domain
accelerated4-13
content1-7
load statistics2-19
names, configuring for server resolution1-43
name service, overview1-2
statistics, displaying1-21
summary information, displaying1-45
domain records
configuring1-25
displaying information1-36
removing1-35
resetting statistics1-35
DSA
associating key pair10-32
certificate association, SSL proxy list10-49
cipher suites10-51
generating key pair10-25
key pair association, SSL proxy list10-50
key pair associations, viewing10-39, 10-41
overview10-5
E
example
IP redundancy uplink services8-21
Network Proximity, operation5-9
Network Proximity tiers5-31
SSL proxy configurations10-99
stateless redundancy failover for IP redundancy8-27
stateless redundancy failover for VIP redundancy8-31
static route for firewall load balancing11-7
exporting SSL keys and certificates10-21
F
failover
stateful7-4
stateless8-23
firewall
caution when deleting11-4
load balancing11-2
RIP redistribute, configuring11-7
synchronization11-3
timeout11-4
firewall load balancing
configuring11-3
flow summaries, displaying11-15
IP information, displaying11-17
IP routes, displaying11-16
IP static route, configuring11-4, 11-5
overview11-2
static route configuration example11-7
flows
displaying firewall configuration11-15
forwarder
statistics, displaying1-22
frame size, configuring for APP1-6
FTP access
demand-based content replication9-6
publishing and subscribing9-9
FTP record
associating with replication services9-6, 9-9
demand-based content replication9-7
G
Global Sticky Database
configuration quick start2-6
enabling2-12
interface, configuring2-13
interface statistics, displaying2-17
interface statistics, resetting2-14
metrics2-20
statistics, displaying2-16
statistics, resetting2-13
TTL for entries2-15
GSDB. See Global Sticky Database
H
hot list
disabling9-3
enabling9-3
HTTP server, configuring on CSS13-4
I
importing SSL keys and certificates10-21
Inter-Switch Communications
configuring7-12
displaying information7-16
overview7-6
restrictions7-7
IP critical services
configuring for VIP redundancy6-22
displaying6-29
IP redundancy
cabling CSSs8-9
configuration quick start8-6
configurations, displaying8-35
configuring8-10
disabling8-11
overview8-1
protocol, configuring8-13
synchronizing configurations8-14
IP redundant interface
configuring for VIP redundancy6-21
displaying6-31
IP redundant VIP, configuring for VIP redundancy6-20
IP route
firewall load balancing, displaying11-16, 11-17
static, for firewall load balancing11-5
IP virtual router, configuring for VIP redundancy6-18
ISC. See Inter-Switch Communications
K
keepalive
disabling for SSL Acceleration Module10-80
IP critical services6-22
IP redundant uplink services8-20
script examples12-44
keys (SSL)
Diffie-Hellman key agreement file10-26
Diffie-Hellman key exchange parameter file association, SSL proxy list10-51
Diffie-Hellman parameter associations, viewing10-40
DSA key pair association, SSL proxy list10-50
DSA key pair associations, viewing10-39, 10-41
DSA key pairs10-25
importing/exporting10-20, 10-21
removing10-42
RSA certificate association, SSL proxy list10-49
RSA key pair, generating10-24
RSA key pair associations, viewing10-38, 10-41
storage10-7
L
license key
Enhanced feature set5-2
Proximity Database5-2
license key, Secure Management5-2
LifeTick7-6
load balancing
DNS records1-15
firewall, configuring11-3
firewall, overview11-2
weighted roundrobin1-14, 1-15, 1-25, 1-28, 1-30, 1-33, 1-34, 1-38
logging, configuration synchronization results6-28, 8-19
lookup cache
displaying statistics5-49
enabling5-47
removing entries5-48
lookup cache, PDNS5-49
M
master CSS, temporary8-20
max
age, demand-based replication9-5
content, demand-based replication9-5
usage, demand-based replication9-5
mesh, peer5-8
metrics, assigning proximity5-21
N
name-server record. See NS-record
Network Address Translation. See NAT
Network Proximity
APP5-15
APP-UDP5-15
configuration quick start5-12
license keys5-2
peer mesh5-8
Proximity Database5-5, 5-12, 5-14
Proximity Domain Name Server5-6, 5-13
tiers5-31
NS-record1-29
O
owner, DNS exchange policy1-42
P
password for imported certificates/keys10-22
PDNS. See Proximity Domain Name Server
peer
interval, configuring for DNS1-40
mesh5-8
receive slots, configuring for DNS1-40
send slots, configuring for DNS1-41
peering protocol, overview1-3
physical interfaces, configuring for IP redundancy8-22
physical link list8-22
probe module
ICMP delay interval5-30
ICMP requests5-29
methods5-28
metric weighting5-29
statistics5-42
TCP ports5-30
probes, resending proximity5-27
protocol
VRRP6-5
proximity. See Network Proximity
Proximity Database
activity, displaying5-36
archiving5-24
assignments, displaying5-40
assignments, flushing5-22
clearing5-27
configuration quick start5-12
configuring5-14
enabling5-20
IP address1-15
metrics, assigning5-21
metrics, displaying5-37
metrics, refining5-26
overview5-5
probe module5-28
probe module statistics, displaying5-42
refinement, displaying5-39
reprobing5-27
retrieving5-25
statistics, displaying5-38
TTL, configuring5-23
Proximity Domain Name Server
APP5-45
APP-UDP5-45
A-record1-25
cache5-23
configuration overview5-44
configuration quick start5-13
configurations, displaying5-49
disabling5-47
DNS-record keepalives, displaying5-51
DNS-record proximity statistics, displaying5-52
DNS-record statistics, displaying5-51
DNS server information, displaying5-53
DNS server statistics, clearing5-47
DNS Sticky2-4
domain records1-35, 1-36, 5-46
NS-record1-29
overview5-6
zones, displaying5-51
publisher
content replication9-15
displaying service configurations9-11
service9-9
Q
quick start
Adaptive Session Redundancy7-10
certificate management10-9
Content Routing Agent3-4
DNS Sticky2-5
IP redundancy8-6
Network Proximity5-12
Proximity Database5-12
Proximity Domain Name Server5-13
RSA certificate and key generation10-9
RSA certificate and key import10-11
SSL proxy configuration list10-9
SSL proxy list for backend SSL server10-13
SSL proxy list for virtual server10-12
SSL service10-14
VIP redundancy6-15
virtual IP interface redundancy6-15
R
RCMD command1-8
records
address (A)1-25
configuring1-25
name server (NS)1-29
removing1-35
statistics1-36
statistics, resetting1-35, 4-14
weight, displaying1-38
redundancy
configuration quick start6-15, 8-6
configurations, displaying8-35
critical services6-22
interfaces, displaying6-31
IP8-1
IP redundant VIP6-20
physical interfaces8-22
redundant VIPs, displaying6-32
session7-4
stateless failover8-23, 8-26, 8-30
synchronizing configurations6-24, 8-14
uplink configuration example8-21
uplink services8-20
virtual interface6-17
virtual IP interface6-1, 6-4, 6-6, 6-21, 7-1
redundancy protocol
configuring8-13
IP, overview8-4
redundant
circuits, configuring for IP redundancy8-12
replication
content rule9-15
content staging9-8
demand-based9-1
FTP access9-6
FTP record, creating9-7
hot lists9-2
max age9-5
max content9-5
max usage9-5
publisher9-15
publishing and subscribing9-9
service type9-4
replication and staging, configuring a content rule9-15
roundrobin, DNS weighted1-14, 1-15, 1-25, 1-28, 1-30, 1-33, 1-34, 1-38
route
IP static, for firewall load balancing11-5
router
VRID6-18
RSA
associating key pair10-32
certificate association, SSL proxy list10-48
certificate association in SSL proxy list10-49
cipher suites10-51
generating key pair10-24
key pair associations, viewing10-38
overview10-4
S
scripting language
!no echo command12-7
arithmetic operators12-11
arrays12-22
bitwise logical operators12-30
Boolean logic operators12-13
branch commands12-13
capturing user input12-26
command line arguments12-27
comments12-6
echo command12-6
functions12-28
grep command12-34
increment and decrement operators12-12
overview12-1
relational operators12-13
set and no set commands12-10
socket commands12-36
special variables12-16
syntax errors12-31
terminating a script12-31
variables12-8
scripts
commit_redundancy8-14
commit_vip_redundancy6-25
configuration synchronization6-25, 8-14
keepalive examples12-44
playing12-2
showtech12-42
upgrade considerations12-41
Secure Management license key5-2
service
activating10-84
configuring backend SSL server IP address10-83
configuring backend SSL server port number10-83
keepalive messages, disabling for SSL Acceleration Module10-80
publisher9-9
replication9-1
SSL Acceleration Module slot, specifying10-80
SSL acceleration type10-79, 10-82
SSL proxy lists, adding10-78, 10-79, 10-83
SSL service, creating10-79
SSL service quick start10-14
SSL session ID cache size10-81
subscriber9-13
suspending10-85
service type
replication cache redirect9-4
replication-store9-4
replication-store redirect9-4
specifying for replication9-4
ssl-accel10-79
ssl-accel-backend10-82
session redundancy
configuration quick start7-10
configuration requirements and restrictions7-7
content rule, redundant7-13
displaying information7-15
index, redundant7-6
Inter-Switch Communications7-12
overview7-4
service, redundant7-13
source group, redundant7-14
showtech script12-42
socket commands12-36
software
source group
configuring for domain name resolution1-43
SSHD
Secure Management license key, entering5-2
SSL
certificate associations, viewing10-35, 10-41
certificates10-4, 10-20, 10-21, 10-29, 10-31, 10-42
certificate signing request, generating10-27
cipher suites, specifying10-51
configuration information, viewing10-87
cryptography capabilities10-6
Diffie-Hellman key agreement file10-4, 10-26, 10-33, 10-40
DSA digital signatures10-5
generating keys and certificates10-24
handshake negotation10-60
HTTP 300-series redirects10-56
importing/exporting certificates and keys10-21
key pairs10-38, 10-39, 10-41, 10-42
nagle algorithm, client-side connection10-64, 10-76
nagle algorithm, server-side connection10-64, 10-76
overview10-2
processing of flows10-100
public key infrastructure10-3
quick start procedures10-9
RSA key pairs10-4, 10-24, 10-32
SSL Acceleration Module10-7
SSL flows, viewing10-97
SSL proxy configurations examples10-99
SSL proxy list, creating10-44
TCP client-side connection options10-61, 10-64, 10-76
TCP server-side connection options10-63
URL rewrite10-56
URL rewrite statistics, viewing10-90
SSL Acceleration Module
creating SSL service10-79
specifying in SSL service10-80
statistics, viewing10-90, 10-92
SSL backend server, see backend SSL server
SSL proxy configurations
full proxy example10-116
transparent example - HTTP and backend SSL servers10-111
transparent example - one module10-103
transparent example - two SSL modules10-107
SSL proxy list
activating10-77
adding to SSL services10-78
backend SSL server, configuring10-65
creating10-44
mode10-44
overview10-43
quick start for backend SSL server10-13
quick start for virtual server10-12
suspending10-77
viewing10-87
virtual server, configuring10-45
ssl-server. See virtual SSL server
staging and replication, configuring for content9-8
stateful failover7-4
stateless redundancy failover
configuration restrictions8-24
configuration synchronization8-26
CSS parameters, configuring8-25
example configuration for IP redundancy8-27
example for VIP redundancy8-31
IP redundancy configuration8-26
overview8-23
VIP and virtual IP interface redundancy8-30
sticky domain records1-27, 1-32
subscriber service
configuring9-13
displaying configurations9-13
synchronizing redundant configurations6-24
system configuration information script12-42
T
TCP port number, configuring for APP1-6
temporary master CSS, for IP redundancy8-20
tiers
example5-31
TTL
proximity5-23
U
uplink services, configuring IP redundant8-20
V
VIP redundancy
circuit IP interface, configuring6-17
configuration quick start6-15
configurations, displaying6-29
critical services6-22
IP virtual router6-18
overview6-4
redundant interface6-21
redundant VIP, configuring6-20
synchronizing configurations6-24
VIPs, displaying6-32
with session redundancy7-7
virtual interface redundancy
configuring6-17
virtual IP interface, configuring6-21
virtual IP interface redundancy
configuration quick start6-15
overview6-6
virtual router
configurations, displaying6-33
configuring6-18
ID6-20
Virtual Router Redundancy Protocol. See VRRP
virtual SSL server
acceleration service type10-79
activating service10-84
cipher suites10-51
configuration quick start10-12
configuring content rule10-85
configuring to a service10-78
Diffie-Hellman parameter file association10-51
DSA certificate association10-49
DSA key pair association, specifying10-50
HTTP 300-series redirects10-56
RSA certificate association10-48
RSA key pair association10-49
SSL session cache timeout10-59
SSL session handshake renegotation10-60
SSL TCP client-side connection options10-61, 10-64
SSL TCP server-side connection options10-63
TCP nagle algorithm, client-side connection10-64
TCP nagle algorithm, server-side connection10-64
URL rewrite10-56
version10-55
VIP address10-47
virtual TCP port10-48
W
weight
configuring DNS record1-28, 1-34
displaying DNS record1-38
weighted roundrobin, DNS1-14, 1-15, 1-25, 1-28, 1-30, 1-33, 1-34, 1-38
X
XML
enabling access to the CSS13-4
restricting access to the CSS13-4
XML code
CLI command conventions13-3
creating13-1
mode hierarchy13-2
parsing13-4
publishing13-4
special characters13-2
testing13-5
using on the CSS13-1
XML document example13-3
Z
zones
Client Side Accelerator4-14
displaying data5-41
DNS server1-14
information, displaying1-23
Network Proximity5-7, 5-45, 5-51
proximity statistics, displaying5-42
zone transfer, unsupported among DNS servers1-2