-
CSS Command Reference (Software Version 7.40)
-
Preface
-
Using the Command-Line Interface
-
General Commands (A through R)
-
General Commands (S through Z)
-
Global Configuration Mode Commands (A through K)
-
Global Configuration Mode Commands (L through Z)
-
ACL Configuration Mode Commands
-
Boot Configuration Mode Commands
-
Circuit and IP Configuration Mode Commands
-
DQL Configuration Mode Commands
-
EQL Configuration Mode Commands
-
Group Configuration Mode Commands
-
Header-Field Group Configuration Mode Commands
-
Interface Configuration Mode Commands
-
Keepalive Configuration Mode Commands
-
NQL Configuration Mode Commands
-
Owner and Content Configuration Mode Commands
-
Reporter Configuration Mode Commands
-
RMON Alarm, Event, and History Configuration Mode Commands
-
Service Configuration Mode Commands
-
SSL-Proxy-List Configuration Mode Commands
-
URQL Configuration Mode Commands
-
Feedback
Table Of Contents
show log-state
(config) logging buffer
(config) no logging disk
(config) logging subsystem(config) noproximity probe rtt metric-weighting
radius-server source interface
(config) replication file-error
tacacs-server send-full-command
(config) tcp-ip-fragment-enabled
(config) udp-ip-fragment-enabled
(config) virtual authentication
(config) zero flow-state-counters
(config) load
To configure global load parameters for the eligibility and ineligibility of CSS services, use the load command. Load is a measurement of a service's ability to handle flows. There are two types of loads: relative load and absolute load.
The CSS calculates relative load by using the variances in normalized response times for each service. You can adjust relative load calculations by changing the load step size, which is the difference in milliseconds between load numbers. The CSS can determine the load step size dynamically or you can configure it.
Absolute load takes into account the actual observed load on a service and allows you to configure the response times that correlate with values within the CSS load number scale. Unlike the relative load number scale, where all the load numbers between 2 and 254 represent equal steps or increases in response times, absolute load creates 16 different divisions or ranges within the CSS load number scale. Ranges are groups of consecutive load numbers that share a common step size (delta) between numbers. For more information on relative load and absolute load, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.
The load on a service has a range from 2 to 255, with an eligible load state from 2 to 254. An eligible service is an active service that can receive flows. A service with a lower load receives more flows than a service with a higher load. When a service initially comes up, its load value is 2. A load of 255 indicates that the service is down, as detected through the keepalive.
The load command has the following options:
•
load absolute-sensitivity - Sets the maximum response time upper boundary and the step size of the absolute load number scale
•
•
•
•
•
•
For more information on these options and associated variables, see the following commands.
load absolute-sensitivity
To set the maximum response time upper boundary and the step size of the absolute load number scale, use the load absolute-sensitivity command. Use the no form of this command to set the absolute load sensitivity to the default of 21.
load absolute-sensitivity number
no load absolute-sensitivity
Syntax Description
number
Sensitivity of the absolute load number scale. Enter an integer from 1 to 25. The default is 21.
Command Modes
Global configuration mode
Usage Guidelines
Increasing the load absolute-sensitivity value increases the maximum response time upper boundary and the absolute load number scale step size (granularity), which reduces the load value for a given service response time. Conversely, decreasing the load absolute-sensitivity value decreases the maximum response time upper boundary and the absolute load number scale step size (granularity), which increases the load value for a given service response time.
For number values from 1 to 20, the absolute load number ranges are linear, which means that the step sizes are equal among all the ranges. For values from 21 to 25, the ranges are nonlinear, which means different ranges have different step sizes that increase as the range number increases.
Related Commands
show load
(config) load calculation
(config) dns-peer load-variance
(config) dns-server zoneload ageout-timer
To set the time interval in seconds in which stale load information for a service is aged out, use the load ageout-timer command. Use the no form of this command to set the ageout time to the default of 60.
load ageout-timer seconds
no load ageout-timer
Syntax Description
seconds
Number of seconds to age out load information for a service. Enter an integer from 0 to 1000000000. The default is 60. The value of 0 disables the timer.
Command Modes
Global configuration mode
Usage Guidelines
When the ageout timer interval expires, the CSS erases the load information and resets the service load to 2. Load information is stale when the teardown report number recorded on a service has not incremented during the ageout time interval because no flows (long or short) are being torn down on the service.
At the beginning of the time interval, the ageout timer saves the number of the current teardown report. When the CSS generates a new teardown report, the report number in the CSS increments, and any services in the report saves this number. At the end of the ageout time interval, the CSS compares the initial teardown number saved at the beginning of the time interval with the current teardown number saved by each service. If the number of a service is less than or equal to the timer number, the load information is stale. The CSS erases it and resets the service load to 2.
Related Commands
show load
(config) load reportingload calculation
To set the method that the CSS uses to assign load numbers to all configured services, use the load calculation command. Use the no form of this command to set the load calculation method to the default of relative.
load calculation relative|absolute
no load calculation
Syntax Description
relative
The CSS assigns load numbers to services based on a comparison with the fastest service.
absolute
The CSS assigns load numbers to services based on pure response times.
Command Modes
Global configuration mode
Usage Guidelines
The default behavior of a CSS is to use the relative load calculation method when assigning loads to services. With relative load, the CSS takes the service with the fastest response time and then compares all other services configured on the CSS with that service. Relative load may suffice in situations where load is not critical to your application and you are generally satisfied with service load assignments.
Consider using absolute load instead of relative load when you have a single CSS serving multiple applications, or when you are using GSLB to balance between multiple CSSs. Absolute load takes into consideration the actual load and response times of all the services in your configuration and fits them into the CSS absolute load number scale. For more information, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.
Note
Related Commands
show load
(config) load absolute-sensitivity
(config) dns-peer load-variance
(config) dns-server zoneload reporting
To enable the CSS to generate teardown reports and derive load numbers, use the load reporting command. A teardown report is a summary of response times for services when flows are being torn down. The CSS uses the teardown report to derive the load number for a service. Use the no form of this command to disable load reporting.
load reporting
no load reporting
Command Modes
Global configuration mode
Related Commands
load step
To set the difference in milliseconds between load numbers, use the load step command. Use the no form of this command to set the load step to the default of 10.
load step msec [dynamic|static]
no load step
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
Eligible load numbers have a range from 2 to 254. By default, the CSS dynamically calculates the load step as it accumulates minimum and maximum response times for the services.
When you configure the load step to reduce the flows to a slower service, consider the differences in response times between services. For example:
•
•
Related Commands
show load
(config) load reportingload teardown-timer
To set the maximum time between teardown reports, use the load teardown-timer command. Use the no form of this command to reset the teardown time interval to its default of 20 seconds.
load teardown-timer seconds
no load teardown-timer
Syntax Description
seconds
Number of seconds between teardown reports. Enter an integer from 0 to 1000000000. The default is 20. The value of 0 disables the timer.
Command Modes
Global configuration mode
Usage Guidelines
A teardown report is a summary of response times for services when flows are being torn down. The CSS uses the teardown report to derive the load number for a service. When the CSS has sufficient teardown activity for a service, it generates a teardown report and the teardown timer is reset. If a teardown report is not triggered at the end of the teardown timer interval due to insufficient activity, the CSS generate a teardown report based on the current activity. If there is no activity, no report is generated and the timer resets.
Note
Related Commands
show load
(config) load reportingload threshold
To define the global load number that the CSS uses to determine if a service is eligible to receive flows, use the load threshold command. Use the no form of this command to set the load threshold to the default of 254.
load threshold number
no load threshold
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
If you do not configure a load threshold for the content rule with the (config-owner-content) load-threshold command, the rule inherits this global load threshold.
If the service load exceeds the threshold, the service becomes ineligible to receive flows until its load information is stale. Information is stale when the teardown report number recorded on a service has not incremented during the ageout time interval.
Related Commands
show load
(config) load ageout-timer(config) logging
Use the logging command to:
•
•
•
By default, the sys.log file on the CSS disk contains the Notice-level activities for all CSS subsystems. The options for this global configuration mode command are:
•
•
•
•
•
•
•
•
For more information on these options and associated variables, see the following commands.
Related Commands
logging buffer
To set the size of the disk buffer, use the logging buffer command. Use the no form of this command to set the disk buffer size to the default of 0.
logging buffer size
no logging buffer
Syntax Description
size
Size of the disk buffer in bytes. Enter an integer from 0 to 64000. The default is 0, where the CSS sends the logging information directly to the disk.
Command Modes
Global configuration mode
Usage Guidelines
The logging buffer command is only applicable when you configure logging to the CSS disk through the logging disk command.
When the log activity information for the subsystem fills the buffer, the CSS empties it into the log file on the disk. The larger you configure the buffer size, the less frequently the CSS empties the buffer.
Related Commands
(config) logging disk
logging commands enable
To enable the CSS to log CLI commands, use the logging commands enable command. Use the no form of this command to disable the logging of CLI commands.
logging commands enable
no logging commands
Command Modes
Global configuration mode
Usage Guidelines
For the CSS to send CLI commands to the sys. log file, you must set the logging level of the netman subsystem to info-6. For example:
(config)# logging subsystem netman info-6logging disk
To log the activity of a subsystem to a new or existing file on the disk, use the logging disk command. Use the no form of this command to turn off logging to the specified file on the disk and reenable logging to the sys.log file.
logging disk filename
no logging disk
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
You can have only one active log file on the disk. If you want to send the log information to a different log file, reenter the logging disk command.
Caution
Related Commands
(config) logging buffer
(config) logging to-disk
(config) logging subsystemlogging host
To send the log activity of a subsystem to the syslog daemon on the host system, use the logging host command. Use the no form of this command to turn off logging to the syslog daemon on the host.
logging host ip_or_host facility number log-level number
no logging host ip_or_host
Syntax Description
ip_or_host
IP address of the syslog daemon on the host. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1) or the mnemonic host name (for example, myhost.mydomain.com).
facility number
Syslog daemon facility level. Enter a number from 0 to 7. For more information on the syslog daemon and facility levels, refer to the syslog daemon documentation that accompanied the host system.
log-level number
Logging level of the messages sent to the syslog daemon. Enter one of the following valid log levels for the CSS: fatal-0, alert-1, critical-2, error-3, warning-4 (default), notice-5, info-6, debug-7. The logging levels are listed in order of severity, with a fatal-0 level being the most severe error and an info-6 level being the least severe error. This level must be equal to or less than the log level you configure for the logging subsystem command.
Command Modes
Global configuration mode
Usage Guidelines
When you use the logging host command, the CSS continues to send logging activity to the sys.log file on the disk. To disable logging to the sys.log file, use the logging to-disk disable command.
The log level that you enter must be equal to or less than the logging level set for a CSS subsystem with the logging subsystem command. If the level is set to a value greater than the logging level, the CSS displays only the subsystem log messages for the specified subsystem level. The log level is a subset of the subsystem level you set. For example, if you specify logging subsystem netman level warning-4 and logging host <ip address> log-level 7. You should expect to see messages only at level 4 or lower sent to the syslog daemon. Although the facility number is set to 7, log messages 5, 6, or 7 would not be displayed in the sys.log file on the CSS or sent to the syslog daemon.
Related Commands
(config) logging subsystem
logging line
To send the log activity of a subsystem to an active CSS session, use the logging line command. Use the no form of this command to turn off logging to a session.
logging line session
no logging line session
Syntax Description
session
Valid active session on the CSS. Enter a case-sensitive unquoted text string with a maximum length of 32 characters. To see a list of sessions, enter:
logging line ?
Command Modes
Global configuration mode
Usage Guidelines
When you use the logging line command, the CSS continues to send logging activity to the sys.log file on the disk. To disable logging to the sys.log file, use the logging to-disk disable command.
Related Commands
(config) logging subsystem
logging sendmail
To send the log activity of a subsystem to an e-mail address, use the logging sendmail command. Use the no form of this command to turn off logging to an e-mail address.
logging sendmail email_address host_address level {domain}
no logging sendmail email_address
Syntax Description
Command Modes
Global configuration mode
logging subsystem
To select a CSS subsystem and determine which type of activity to log, use the logging subsystem command. Use the no form of this command to reset a subsystem logging level to the default setting of warning.
logging subsystem name level level
no logging subsystem name
Syntax Description
Command Modes
Global configuration mode
Related Commands
clear log
(config) logging disk
(config) logging host
(config) logging linelogging to-disk
To disable or enable logging to the sys.log file on the CSS disk, use the logging to-disk command. By default, the CSS logs to the sys.log file.
logging to-disk [disable|enable]
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
Use the logging to-disk disable command to prevent excessive writes to the disk or to increase the performance of the CSS. Logging to a file on a CSS disk degrades the performance of the CSS.
The logging to-disk disable command affects the sys.log file only. It does not affect a disk log file that you specified through the logging disk command. To disable all logging to the CSS disk, use the no logging disk command, and enter the logging to-disk command to disable logging to the sys.log file.
Related Commands
show log-state
(config) logging buffer
(config) no logging disk
(config) logging subsystem(config) noTo negate a command or set it to its default, use the no command. Not all commands have a no form. For information on general no commands that you can use in this mode, see the general no command.
All of the following options are available in global configuration mode.
Syntax Description
no acl index
Deletes an existing ACL
no app
Disables APP on the CSS
no app framesz
Restores the default APP frame size to 10240
no app port
Restores the default APP port number to 5001
no app session ip_address
Terminates an APP session
no app-udp
Disables APP-UDP messaging on the CSS
no app-udp options ip_address
Deletes the APP-UDP options from the IP address
no app-udp port
Restores the default APP-UDP port number to 5002
no app-udp options ip_address
Deletes the APP-UDP options from the IP address
no app-udp secure
Restores the default behavior of accepting all APP datagrams
no arp ip_or_host
Removes a static mapping address
no arp timeout
Restores the default timeout of 14400 seconds
no arp wait
Restores the default wait time of 5 seconds
no arrowpoint-cookie rfc2822-compliant
Disables the RFC2822 compliant format for the arrowpoint-cookie expiration time syntax
no bridge aging-time
Restores the default aging time of 300
no bridge forward-time
Restores the default delay time of 4
no bridge hello-time
Restores the default hello time interval of 1
no bridge max-age
Restores the default maximum age of 6
no bridge priority
Restores the default priority of 32768
no cmd-sched
Disables the execution of scheduled CLI commands
no cmd-sched record
Deletes a configuration record for the execution of CLI commands
no console authentication
Sets console authentication to none
no date european-date
Resets the format for the clock date command to its default of month, day, and year
no dhcp-relay-agent max-hops
Resets the maximum allowable number in the hops field of the BOOTP header to 4
no dns primary
Removes the primary DNS server
no dns secondary ip_or_host
Removes a secondary DNS server
no dns suffix
Removes the default suffix
no dns-boomerang client cpu-threshold
Resets the CSS CPU threshold to the default value of 99
no dns-boomerang client domain dns_name {alias alias_name}
Removes a client domain or the alias for the domain
no dns-boomerang client enable
Disables the Content Routing Agent (CRA) functionality on the CSS
no dns-peer interval
Resets the time between load reports to the CSS DNS peers to its default of 5 seconds
no dns-peer receive-slots
Resets the maximum number of DNS names received from a peer to its default value of 128
no dns-peer send-slots
Resets the maximum number of DNS names sent to a peer to its default value of 128
no dns-peer variance
Resets the load-variance to its default value of 50
no dns-record a dns_name
Deletes a domain address record
no dns-record accel dns_name
Deletes a DNS acceleration record
no dns-record ns dns_name
Deletes a domain name server record
no dns-server
Disables the DNS server functionality on the CSS
no dns-server accelerate domains
Disables domain acceleration
no dns-server bufferCount
Restores the default response buffer count to 10
no dns-server domain-cache
Disables domain caching
no dns-server forwarder primary|secondary
Deletes a CSS DNS forwarder
no dns-server respTasks
Restores the default responder task count to 2
no dns-server zone
Disables the CSS Proximity Domain Name Server
no domain hotlist
Disables the domain hot list
no domain hotlist interval
Resets the domain hot-list interval to 1 minute
no domain hotlist size
Resets the maximum number of entries in the domain hotlist to 100
no domain hotlist threshold
Resets the domain hot-list threshold to 0, which disables the threshold
no dql dql_name
Deletes the specified DQL
no eql eql_name
Deletes the specified EQL
no flow-state number udp|tcp
Resets the flow state and, for flow-disabled UDP ports, the PAT state of a port to its default settings
no flow permanent port[1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20]
Resets a port to its default number of 0
no flow port-reset
Disables Fast and Gigabit Ethernet port resets on the CSS
no flow reserve-clean
Resets the reclaiming of port numbers to 10 seconds
no flow tcp-mss
Resets the TCP maximum segment size to 1460 bytes
no ftp-record ftp_record
Deletes an FTP record file from the CSS
no global-portmap
Resets the starting port and range to their default values
no group existing_group_name
Deletes an existing group
no gsdb
Disables the GSDB
no gsdb ttl
Resets the time to live for GSDB entries to its default of 7200 seconds
no gsdb-interface [primary|secondary]
Removes the GSDB primary or secondary interface
no header-field-group existing_group_name
Deletes an existing header-field group
no host host_name
Removes an existing host from the Host table
no idle timeout
Sets the idle timeout for any session connected to the CSS to the default of 0 (disabled)
no ip advanced-route-remap
Disables the CSS from remapping flows using the best-available route
no ip ecmp no-prefer-ingress
Resets the ECMP ingress path for a flow to be its preferred reverse egress path
no ip firewall index
Deletes a configured firewall
no ip management no-icmp-redirect
Resets the CSS to accept ICMP redirect packets on the Ethernet management port
no ip no-implicit-service
Resets the CSS to start an implicit service for the next hop of static routes
no ip opportunistic
Allows opportunistic Layer 3 forwarding for local destinations
no ip record-route
Disables processing of frames with a record-route option
no ip redundancy
Disables CSS-to-CSS redundancy
no ip redundancy master
Unassigns the CSS as the master CSS
no ip route ip_address subnet_mask ip_address2
Removes a static route
no ip route ip_address subnet_mask blackhole
Disables the dropping of packets to a blackhole route
no ip route ip_address subnet_mask firewall index
Removes a firewall route
no ip source-route
Disables processing of source-routed frames
no ip subnet-broadcast
Disables forwarding of subnet broadcast addressed frames
no ip uncond-bridging
Reenables the routing table lookup to override a bridging decision
no ip-fragment max-assembled-size
Resets the maximum IP fragment assembled size to the default of 5120 bytes
no ip-fragment min-fragment-size
Resets the minimum IP fragment payload size to the default of 1024 bytes
no keepalive name
Deletes an existing keepalive
no load ageout-timer
Resets the number of ageout time interval for load information to its default value of 60 seconds
no load reporting
Disables load reporting
no load step
Resets the load step to its default value of 10 ms
no load teardown-timer
Resets the teardown time interval to its default value of 20 seconds
no load threshold
Resets the global load threshold to its default value of 254
no logging buffer
Sets the disk buffer size to the default of 0
no logging commands
Disables the logging of CLI commands
no logging disk
Turns off logging to a specified file on disk
no logging host ip_or_host
Turns off logging to the syslog daemon on the host
no logging line session
Turns off logging to an active CSS session
no logging sendmail email_address
Turns off logging to an e-mail address
no logging subsystem name
Resets the logging level of a subsystem to the default setting of warning
no noflow-portmap
Resets the starting port and range to their default values
no nql name
Deletes an existing NQL
no ospf advertise ip_address subnet_mask
Stops advertising of the route as OSPF ASE through the OSPF interfaces
no ospf area ip_address
Removes the OSPF area
no ospf as-boundary
Unassigns the CSS as a AS boundary router
no ospf default
Stops advertising the routes originated through OSPF
no ospf enable
Disables OSPF
no ospf equal-cost
Resets the number of equal-cost routes OSPF can use to its default of 15
no ospf range area_id address mask
Removes the range to summarize routes at an area border
no ospf redistribute [firewall|local|rip|static]
Stops advertising a route of a specific protocol type through OSPF
no ospf router-id
Deletes the OSPF router ID on the CSS
no owner existing_owner_name
Deletes an existing owner
no prelogin-banner
Removes a previously configured pre-login banner
no proximity cache-size
Restores the proximity lookup cache size to its default of 16000 entries
no proximity db
Disables the CSS Proximity Database in a dedicated CSS 11150
no proximity probe rtt interval
Resets the delay in seconds between ICMP samples to its default of 1 second
no proximity probe rtt metric-weighting
Resets the percentage of the previous metric value to derive the new metric to its default of 0
no proximity probe rtt samples
Resets the number of ICMP echo requests that the CSS uses for averaging during an initial probe to its default of 2
no proximity probe rtt tcp-ports
Resets the default probe ports for SYN proximity metric discovery
no proximity ttl assigned
Resets the TTL value to its default of 60 minutes
no proximity ttl probe
Resets the TTL value to its default of 0, which disables the caching of responses at the Proximity Database
no radius-server dead-time
Resets the dead-time period to its default of 5 seconds
no radius-server primary
Deletes the primary RADIUS server
no radius-server source-interface
Removes a specified RADIUS server source interface
no radius-server retransmit
Resets the retransmission of authentication request to its default of 3
no radius-server secondary
Deletes the secondary RADIUS server
no radius-server timeout
Resets the time interval that the CSS waits for a reply to a RADIUS request to 10 seconds
no restrict console
Enables access to the CSS from a console
no restrict ftp
Enables FTP access to the CSS
no restrict secure-xml
Enables secure SSL XML access to the CSS
no restrict snmp
Enables SNMP access to the CSS
no restrict ssh
Enables SSHD access to the CSS
no restrict telnet
Enables Telnet access to the CSS
no restrict xml
Enables unsecure XML access to the CSS
no restrict web-mgmt
Enables web management access to the CSS
no rip advertise ip_address/ip_mask
Stops advertising a route through all RIP interfaces
no rip equal-cost
Resets the number of equal-cost routes RIP can use to its default of 1
no rip redistribute [local|ospf|static|
firewall]Stops advertising routes from other protocols
no rmon-alarm index
Deletes an RMON alarm
no rmon-event index
Deletes an RMON event
no rmon-history index
Deletes an RMON history
no service service_name
Deletes an existing service
no setspan src_port number dest_port number
Disables the switched port analyzer (SPAN) feature
no snmp auth-traps
Disables reception of authentication traps
no snmp community community_name
Removes a community name and defaults it to Cisco Systems, Content Network Systems
no snmp contact
Removes the contact name
no snmp location
Removes the location and defaults it to Customer Premises
no snmp name
Removes the SNMP name for this system and defaults it to Support
no snmp reload-enable
Disallows an SNMP-based reboot of the CSS
no snmp trap-host ip_or_host
Removes a specified trap host
no snmp trap-source
Resets the SNMP source traps to the default of the management port IP address
no snmp trap-type generic
Disables generic traps
no snmp trap-type enterprise
Disables enterprise traps
no snmp trap-type enterprise dos_attack_type
Disables the generation of an SNMP enterprise trap for a Denial of Service attack type, as configured with the (config) snmp trap-type enterprise command
no snmp trap-type enterprise chmgr-module-transition
Disables the generation of an SNMP enterprise trap when a module is inserted into or removed from the chassis
no snmp trap-type enterprise chmgr-ps-transition
Disables the generation of an SNMP enterprise trap when a power supply changes state
no snmp trap-type enterprise isc-lifetick-failure
Disables the generation of an SNMP enterprise traps on ISC lifetick message failures
no snmp trap-type enterprise isc-state-transition
Disables the generation of an SNMP enterprise trap when an ISC link fails over
no snmp trap-type enterprise login-failure
Disables the generation of an SNMP enterprise trap when a login fails
no snmp trap-type enterprise reload
Disables the generation of an SNMP enterprise trap when the CSS reboots initiated directly through SNMP
no snmp trap-type enterprise redundancy-transition
Disables the generation of an SNMP enterprise trap when a redundant CSS transitions state
no snmp trap-type enterprise reporter transition
Disables the generation of an SNMP enterprise trap when a reporter transitions state
no snmp trap-type enterprise service-transition
Disables the generation of an SNMP enterprise trap when a service transitions state
no sntp poll-interval
Resets the poll interval to its default to 64 seconds
no sntp server
Removes the SNTP server
no sshd keepalive
Disables the SSHD keepalive
no sshd port
Resets the SSHD port number to 22
no sshd server-keybits
Resets the number of bits for the server key to 768
no ssl crl-record name
Removes the specified CRL record from the CSS
no tacacs-server ip_address port
Removes the TACACS+ server
no tacacs-server account config|non-config
Disables TACACS+ accounting for running and non-running configuration commands
no tacacs-server authorize config|non-config
Disables TACACS+ authorization for running and non-running configuration commands
no tacacs-server key
Removes the global encryption key
no tacacs-server timeout
Resets the TACACS+ server timeout period to its default of 5 second
no urql name
Deletes an existing URQL
no username name
Deletes an existing username
no virtual authentication
Disables virtual authentication
no vrrp-backup-timer
Resets the timer to the default value of 3 seconds
Command Modes
Global configuration mode
(config) noflow-portmap
To control the port translation (port-mapping) range of DNS UDP source-port numbers greater than 1023 on a CSS, use the noflow-portmap command. This command is always enabled. Use the no form of this command to reset the starting port number and portmap range to their default values.
noflow-portmap base-port number1 range number2
no noflow-portmap
Syntax Description
Usage Guidelines
Before a CSS can use the noflow-portmap command, you must enter the dnsflow disable command to disable DNS flows on the CSS.
The portmap command values configured in a source group take precedence over the noflow-portmap command values, unless you configure the portmap disable command. For details on configuring the portmap commands in a source group, refer to Cisco Content Services Content Load-Balancing Configuration Guide.
Related Commands
show noflow-portmap
(config) dnsflow
(config-group) portmap(config) nql
To access network qualifier list (NQL) configuration mode and configure an NQL, use the nql command. An NQL is a collection of subnet and host IP addresses which you can assign to an ACL clause, instead of creating a clause for each address. Use the no form of this command to remove an existing NQL.
nql nql_name
no nql existing_nql_name
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
You can access NQL mode from any configuration mode except boot, group, RMON alarm, RMON event, and RMON history configuration modes. The prompt changes to (config-nql [name]). You can also use the nql command from NQL mode to access another NQL. For information about commands available in this mode, see the "NQL Configuration Mode Commands" section.
You can configure a maximum of 512 networks to an NQL and a maximum of 512 NQLs on the CSS.
(config) ospf
To configure global Open Shortest Path First (OSPF) parameters on the CSS, use the ospf command. The options for this global configuration mode command are:
•
•
•
•
•
•
•
•
•
For more detailed information about these options and their variables, see the following sections.
Related Commands
show ospf
(config-circuit-ip) ospfospf advertise
To advertise a route as OSPF ASE through all OSPF interfaces, use the ospf advertise command. Use the no form of this command to stop advertising the route as OSPF ASE through all OSPF interfaces.
ospf advertise ip_address subnet_mask {metric number1} {tag number2} {type1}
no ospf advertise ip_address subnet_mask
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
Before you enter the ospf advertise command, you must configure the CSS as an Autonomous System (AS) boundary router. For more information, see the ospf as-boundary command.
The AS boundary router can perform external route summarization to consolidate multiple routes into a single advertisement. For a CSS, this is useful when you want to advertise VIP addresses for content as OSPF AS external (ASE) through all OSPF interfaces.
Note
For more information on configuring a redundant VIP within a virtual router, refer to the Cisco Content Services Switch Redundancy Configuration Guide. To stop the advertisement of the route, enter the no ospf advertise command.
ospf area
To configure an OSPF area, use the ospf area command. To remove an OSPF area, disable OSPF and then use the no form of this command.
ospf area area_id {stub {default-metric metric|send-summaries}}
no ospf area area_id
Syntax Description
Command Modes
Global configuration mode
ospf as-boundary
To configure the CSS as an Autonomous System (AS) boundary router, use the ospf as-boundary command. An AS boundary router exchanges routing information with routers belonging to other Autonomous Systems. It advertises AS external routing information throughout the Autonomous System. Use the no form of this command to unassign the CSS as an AS boundary router.
ospf as-boundary
no ospf as-boundary
Command Modes
Global configuration mode
Usage Guidelines
You can enter the ospf as-boundary command only if OSPF is disabled.
ospf default
To advertise default ASE routes through OSPF, use the ospf default command. Routers use default routes when no more specific routes exist to AS external destinations. Use the no form of this command to shut off the advertising of default ASE routes originated through OSPF.
ospf default {metric number1} {tag number2} {type1}
no ospf default
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
Use the ospf default command to force an AS boundary router to generate a default route. Normally, AS boundary routers do not generate default routes into the OSPF routing domain.
ospf enable
To enable OSPF, use the ospf enable command. Use the no form of this command to disable OSPF.
ospf enable
no ospf enable
Command Modes
Global configuration mode
Usage Guidelines
You must configure a router ID before enabling OSPF. For more information, see the ospf router-id command.
ospf equal-cost
To configure the number of equal-cost routes that OSPF can use, use the ospf equal-cost command. Use the no form of this command to reset the number of routes to its default value of 15.
ospf equal-cost number
no ospf equal-cost
Syntax Description
Command Modes
Global configuration mode
ospf range
To specify an IP address range to summarize routes at the CSS area border router, use the ospf range command. Use the no form of this command to remove the range.
ospf range area_id ip_address mask {block}
no ospf range area_id ip_address maskSyntax Description
Command Modes
Global configuration mode
Usage Guidelines
You can enter the ospf range command only if OSPF is disabled.
Define an address range by specifying an IP address and mask pair that represent networks in the area being summarized. You can also determine whether you want to advertise this range.
The CSS advertises a single summary route or network ranges that cover all the individual networks within its area that fall into the specified range. This summarization applies to inter-area paths, which are paths to destinations in other OSPF areas. This summarization helps control routing table sizes and prevents the constant changing of routes whenever an interface within an area comes online or goes offline. These route changes do not cause route changes in backbone ABRs and other area routers.
ospf redistribute
To advertise routes from other protocols through OSPF, use the ospf redistribute command. Redistribution of these routes makes them OSPF external routes. Use the no form of this command to shut off the advertising of routes via OSPF.
ospf redistribute protocol {metric number1} {tag number2} {type1}
no ospf redistribute protocol
Syntax Description
Command Modes
Global configuration mode
ospf router-id
To configure the OSPF router ID for the CSS, use the ospf router-id command. Use the no form of this command to delete the router ID on the CSS.
ospf router-id id_number
no ospf router-id
Syntax Description
id_number
Router ID 32-bit number that identifies the CSS within the AS. Enter the ID in dotted-decimal notation (for example, 121.23.21.1).
Command Modes
Global configuration mode
Usage Guidelines
Before you can enable OSPF, you must configure the router ID. To change the router ID, you must disable OSPF.
(config) owner
To access owner configuration mode and configure an owner, use the owner command. An owner is an entity that owns web content and uses the CSS to manage access to the content through content rules. A maximum of 255 owners can use a single CSS and each owner has a configurable profile. Use the no form of this command to delete an existing owner.
owner owner_name
no owner existing_owner_name
Syntax Description
Usage Guidelines
When you access owner mode, the prompt changes to (config-owner [owner_name]). For information about commands available in this mode, see the "Owner Configuration Mode Commands" section.
Caution
(config) persistence reset
To choose between an HTTP redirection or a back-end service remapping operation when resetting a connection to a new back-end service, use the persistence reset command. This command affects all flow setups that require redirecting or remapping.
persistence reset [redirect|remap]
Syntax Description
Usage Guidelines
The CSS does not use a remapping method when selecting services of type redirect.
You cannot use the persistence reset command with the (config-owner-content) redundancy-l4-stateless command.
If your topology consists of a CSS 11800 using ECMP to the servers and server port NAT configured on the services, to ensure the correct processing of packets either:
•
•
Related Commands
show remap
(config) bypass persistence
(config-owner-content) persistent(config) prelogin-banner
To configure a banner that appears when you connect to a CSS before you log in, use the prelogin-banner command.
prelogin-banner "filename"
no prelogin-banner
Syntax Description
filename
Name of the ASCII text file that contains the pre-login banner text. Enter a quoted text string with a maximum of 32 characters.
Usage Guidelines
Create a banner using any text editor (for example, Notepad or Wordpad). Save the file as a text file, and then FTP the file to the CSS script directory. Configure the prelogin-banner command. The next time you connect to the CSS, the pre-login banner appears. For more information, refer to the Cisco Content Services Switch Administration Guide.
(config) proximity
To configure proximity on the CSS, use the proximity command and its options. The command options are:
•
•
•
•
•
•
•
•
•
For more information, see the following commands.
proximity cache-remove
To remove entries from the proximity lookup cache, use the proximity cache-remove command. The prefix length parameter allows you to remove multiple entries in a single operation.
proximity cache-remove [ip_address ip_prefix|all]
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
The proximity cache-remove command is functional on a CSS with the Enhanced feature set.
Related Commands
proximity cache-size
To set the size of the proximity lookup cache, use the proximity cache-size command. Use the no form of this command to restore the default cache size of 16000 entries.
proximity cache-size cache_size
no proximity cache-size
Syntax Description
cache_size
Size of the cache. Enter a size between 0 and 48,000. The default value is 16000 entries. Entering a value of 0 disables the cache.
Command Modes
Global configuration mode
Usage Guidelines
The proximity cache-size command is functional on a CSS with the Enhanced feature set. By default, the cache supports approximately 16,000 entries using 1 MB of CSS memory. You can increase or decrease the entries, depending upon your CSS configuration.
Note
Related Commands
show proximity cache
(config) proximity cache-removeproximity db
To enable the Proximity Database (PDB) on the CSS, use the proximity db command. This service allows the CSS to respond to proximity lookup requests and enables proximity probing. Use the no form of this command to disable the CSS Proximity Database.
proximity db zoneIndex {tier1|tier2 {"description"}}
no proximity db
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
The proximity db command is functional only on a Proximity Database CSS in a dedicated CSS 11150.
proximity probe rtt interval
To configure the delay in seconds between samples for the configured probe method, use the proximity probe rtt interval command. Use the no form of this command to reset the delay between samples to its default value of 1 second.
proximity probe rtt interval seconds
no proximity probe rtt interval
Syntax Description
seconds
Length of time in seconds to delay between samples. Enter a number from 1 to 10. The default is 1.
Command Modes
Global configuration mode
Usage Guidelines
The proximity probe rtt interval command is functional only on a Proximity Database CSS in a dedicated CSS 11150.
proximity probe rtt method
To configure the primary and secondary methods to be used for proximity metric discovery, use the proximity probe rtt method command. The discovery method uses ICMP Echo requests or a TCP SYN, SYN-ACK, RST sequence to the configured TCP ports as the Round-Trip Time (RTT) discovery method.
proximity probe rtt method [icmp tcp|icmp|tcp icmp|tcp]
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
The proximity probe rtt method command is functional only on a Proximity Database CSS in a dedicated CSS 11150.
proximity probe rtt metric-weighting
To configure the percentage of the previously stored metric value in the database that is used to determine the new metric value, use the proximity probe rtt metric-weighting command. Use the no form of this command to reset the percentage to its default value of 0.
proximity probe rtt metric-weighting number
no proximity probe rtt metric-weighting
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
This command is functional only on a Proximity Database CSS in a dedicated CSS 11150.
The proximity probe rtt metric-weighting command allows the PDB to smooth network metric variation caused by network congestion and flash crowds.
proximity probe rtt samples
To configure the number of ICMP requests to send for each configured probe method, use the proximity probe rtt samples command. Use the no form of this command to reset the number of requests to its default value of 2.
proximity probe rtt samples number
no proximity probe rtt samples
Syntax Description
number
Number of requests that the CSS uses for averaging during an initial probe. Enter a number from 1 to 30. The default is 2.
Command Modes
Global configuration mode
Usage Guidelines
This command is functional only on a Proximity Database CSS in a dedicated CSS 11150.
proximity probe rtt tcp-ports
To configure the probe ports for SYN proximity metric discovery, use the proximity probe rtt tcp-ports command. Use the no form of this command to reset the probe ports to their default values.
proximity probe rtt tcp-ports port_number1 {port_number2 {port_number3 {port_number4}}}
no proximity probe rtt tcp-ports
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
This command is functional only on a Proximity Database CSS in a dedicated CSS 11150.
proximity ttl
To set the time-to-live (TTL) value, in minutes, for each Proximity Database response, use the proximity ttl command. This value informs the proximity DNS how long to cache the response. Use the no form of this command to reset the TTL value to its default value.
proximity ttl [assigned assigned_minutes|probe probe_minutes]
no proximity ttl [assigned|probe]
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
This command is functional only on a Proximity Database CSS in a dedicated CSS 11150.
(config) radius-server
To configure the CSS as a RADIUS server client, use the radius-server command and its options. The command options are:
•
•
•
•
•
•
For more information, see the following commands.
radius-server dead-time
To set the time interval to send probe access-request packets to verify that the RADIUS server is available and can receive authentication requests, use the radius-server dead-time command. Use the no form of this command to reset the dead-time period to its default of 5 seconds.
radius-server dead-time seconds
no radius-server dead-time
Syntax Description
Usage Guidelines
The dead-time interval starts when the server does not respond to the number of authentication request retransmissions configured through the radius-server retransmit command. When the server responds to a probe access-request packet, the CSS transmits the authentication request to the server.
This command applies to primary and secondary servers.
Command Modes
Global configuration mode
Related Commands
show radius config
(config) radius-server retransmitradius-server primary
To configure the remote primary RADIUS server that authenticates user information from the CSS client, use the radius-server primary command. Use the no form of this command to delete the primary RADIUS server.
radius-server primary ip_or_host secret string {auth-port number}
no radius-server primary
Syntax Description
Usage Guidelines
When you configure a primary server and enable RADIUS console or virtual authentication on the CSS, the CSS enables the RADIUS protocol, allowing the CSS to become a RADIUS client.
Command Modes
Global configuration mode
Related Commands
show radius config
show radius stat
(config) console authentication
(config) radius-server dead-time
(config) radius-server source interface
(config) radius-server source interface
(config) virtual authenticationradius-server retransmit
To configure the number of times that the CSS retransmits an authentication request to an active RADIUS server after the timeout interval occurred, use the radius-server retransmit command. Use the no form of this command to reset the retransmission of authentication request to its default of 3.
radius-server retransmit number
no radius-server retransmit
Syntax Description
number
Number of times that the CSS retransmits an authentication request. Enter a number from 1 to 30. The default number is 3.
Usage Guidelines
If the RADIUS server does not respond to the CSS retransmitted requests, the CSS considers the server as dead, stops transmitting to the server, and starts the dead timer as defined through the radius-server dead-time command.
If a secondary server is configured, the CSS transmits the requests to the secondary server. If the secondary server does not respond to the request, the CSS considers it dead and starts the dead timer.
If there is no active server, the CSS stops transmitting request until one of the servers becomes alive.
Command Modes
Global configuration mode
Related Commands
show radius config
show radius stat
(config) radius-server dead-timeradius-server secondary
To configure the remote secondary RADIUS server, use the radius-server secondary command. When the primary server becomes unavailable, the CSS directs authentication requests to the secondary server. Use the no form of this command to delete the secondary RADIUS server.
radius-server secondary host_or_ip secret text {auth-port number}
no radius-server secondary
Syntax Description
Command Modes
Global configuration mode
Related Commands
show radius config
show radius stat
(config) radius-server dead-time
(config) radius-server source interface
(config) radius-server source interfaceradius-server source interface
To specify the IP interface of the CSS RADIUS client, use the radius-server source-interface command. Some RADIUS servers require that the radius-server source-interface command be configured in order to accept authentication from the RADIUS client. Note that this IP interface address is used for the NAS-IP-Address RADIUS attribute in the RADIUS Authentication Request.
radius-server source-interface ip_or_host
no radius-server source-interface
Syntax Description
Command Modes
Global configuration mode
Related Commands
show radius config
show radius stat
(config) radius-server dead-time
(config) radius-server source interfaceradius-server timeout
To specify the time interval that the CSS waits for a reply to a RADIUS request before retransmitting requests to the RADIUS server, use the radius-server timeout command. Configure the number of retransmitted requests to the server through the radius-server retransmit command. Use the no form of this command to reset the interval to its default of 10 seconds.
radius-server timeout time
no radius-server timeout
Syntax Description
Usage Guidelines
This command applies to the primary and secondary RADIUS servers.
Command Modes
Global configuration mode
Related Commands
show radius config
show radius stat
(config) radius-server retransmit(config) replication file-error
To specify how the CSS handles file errors during content replication, use the replication file-error command.
replication file-error retry|skip
Syntax Description
retry
(Default) Replication pauses while the CSS periodically attempts to replicate a missing file
skip
The CSS skips the missing file and continues the replication process
Usage Guidelines
Under certain rare circumstances, it is possible for the CSS to encounter a file error during content replication. A file error can occur when an application or a user deletes a file from the publisher tree during a replication operation. If such an event occurs, the scan does not detect the deleted file and during replication the CSS may keep retrying the file until another scan occurs or the file becomes available.
Command Modes
Global configuration mode
Related Commands
(config) reporter
To create a reporter and enter reporter configuration mode, use the reporter command. A reporter is a software monitoring agent that a CSS uses to check and report the state of critical interfaces. You can also use a reporter to synchronize the states of the virtual routers that you associate with it.
reporter reporter_name
no reporter reporter_name
Syntax Description
reporter_name
Name of the reporter you are creating. Enter an unquoted text string with no spaces from 1 to 31 characters.
Command Modes
Global configuration mode
Usage Guidelines
When you enter the reporter command to access reporter configuration mode, the prompt changes to (config-reporter [reporter_name]). For information about commands available in this mode, see the "Reporter Configuration Mode Commands" section.
For more information about configuring and using a reporter, refer to the Cisco Content Services Switch Redundancy Configuration Guide.
Related Commands
(config-reporter) type
(config-reporter) vrid
(config-reporter) phy
(config-reporter) active
(config-reporter) suspend
show reporter(config) restrict
To disable Telnet, SNMP, SSH, console, FTP, user database, secure or unsecure XML, or web management access to the CSS, use the restrict command. Use the no form of this command to enable access to the CSS.
restrict [console|ftp|secure-xml|snmp|ssh|telnet|user-database|xml
|web-mgmt]no restrict [console|ftp|secure-xml|snmp|ssh|telnet|user-database|xml
|web-mgmt]Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
Disable Telnet access when you want to use the Secure Shell Host (SSH) server.
If you enable secure XML through the no restrict secure-xml command, the CSS listens for connection requests on port 443. The client application can use SSL v2/3 or v3. However, the CSS performs all negotiations using SSL v3. The CSS requires a Secure Management license key to negotiate a secure connection using SSL strong encryption. Without the key, the CSS uses SSL weak encryption.
If you enable unsecure XML through the no restrict xml command, the CSS listens for XML connections on port 80.
Entering the restrict command does not prevent the CSS from listening for connection attempts on the restricted port. The CSS completes the TCP 3-way handshake and then terminates the connection with an error to prevent any data transfer from occurring. For UDP SNMP connections, the CSS simply discards the packets.
To secure restricted ports from unauthorized access, configure additional ACL clauses to deny packets destined to the ports, while permitting normal flow-through traffic. You can also use ACLs to secure the CSS.
Related Commandstransfer from occurring.
show user-database
(config) sshd
(config) username(config) rip
To configure the Routing Information Protocol (RIP) parameters on the CSS, use the rip command. The default mode is to send RIP version 2 (v2) and receive either version. The options for this global configuration mode command are:
•
•
•
For information on these options and associated variables, see the following commands. For information on additional rip command options in IP mode, see the (config-circuit-ip) rip command.
rip advertise
To advertise a route through RIP on the CSS, use the rip advertise command. Use the no form of this command to stop advertising a route through all RIP interfaces.
rip advertise ip_address ip_mask_prefix {metric}
no rip advertise ip_address ip_mask_prefix
Syntax Description
Command Modes
Global configuration mode
rip equal-cost
To set the maximum number of routes RIP can use, use the rip equal-cost command. Use the no form of this command to reset the number of routes to the default of 1.
rip equal-cost number
no rip equal-cost
Syntax Description
Command Modes
Global configuration mode
rip redistribute
To advertise routes from other protocols through RIP, use the rip redistribute command. By default, RIP advertises RIP routes and local routes for interfaces running RIP. This command advertises other routes. Use the no form of this command to stop advertising routes.
rip redistribute [firewall|local|ospf|static] {metric}
no rip redistribute [firewall|local|ospf|static]
Syntax Description
Command Modes
Global configuration mode
(config) rmon-alarm
To enter RMON alarm configuration mode, use the rmon-alarm command. An RMON alarm allows you to monitor every SNMP object in the CSS for a desired transitory state. Use the no form of this command to delete an RMON alarm.
rmon-alarm index
no rmon-alarm index
Syntax Description
Usage Guidelines
When you use the rmon-alarm command to access this mode, the prompt changes to (config-rmonalarm [index]). For information about commands available in this mode, see the "RMON Alarm Configuration Mode Commands" section.
(config) rmon-event
To enter RMON event configuration mode, use the rmon-event command. An RMON event is associated with an RMON alarm. It defines what should occur when an RMON alarm is triggered. Use the no form of this command to delete an RMON event.
rmon-event index
no rmon-event index
Syntax Description
Usage Guidelines
When you use the rmon-event command to access this mode, the prompt changes to (config-rmonevent [index]). For information about commands available in this mode, see the "RMON Event Configuration Mode Commands" section.
(config) rmon-history
To enter RMON history configuration mode, use the rmon-history command. Use the no form of this command to delete an RMON history.
rmon-history index
no rmon-history index
Syntax Description
Usage Guidelines
When you use the rmon-history command to access this mode, the prompt changes to (config-rmonhistory [index]). For information about commands available in this mode, see the "RMON History Configuration Mode Commands" section.
(config) service
To access service configuration mode and configure a service, use the service command. A service is an entity that contains and provides Internet content. It is identified by a name, an IP address, and optimally, a protocol and a port number. When you create a service, you can apply content rules to it. The rules allow the CSS to direct or deny requests for content from the service.
Use the no form of this command to delete an existing service.
service service_name
no service service_name
Syntax Description
Usage Guidelines
When you use the service command to access service mode, the prompt changes to (config-service [name]). For information about commands available in this mode, see the "Service Configuration Mode Commands" section.
Related Commands
(config-service) ip address
(config-service) port(config) setspan
To configure switched port analyzer (SPAN) on a CSS, use the setspan command. This command instructs the CSS to monitor all incoming and/or outgoing traffic on a specified SSPAN port by copying the packets to a specified DSPAN port on the same module in the CSS. This command is disabled by default.
Use the no form of the command to reset the default SPAN state to disabled.
setspan src_port number dest_port number copyBoth|copyTxOnly|copyRxOnly
no setspan src_port number dest_port number copyBoth|copyTxOnly|copyRxOnly
Syntax Description
Usage Guidelines
Once you configure a port as a DSPAN port, the CSS removes it from all VLANs and ignores ingress traffic on that port. In addition, the DSPAN port does not participate in Spanning Tree Protocol (STP) or routing protocols such as RIP and OSPF.
Note
Related Commands
(config) snmp
To configure Simple Network Management Protocol (SNMP) parameters, use the snmp command. The options for this global configuration mode command are:
•
•
•
•
•
•
•
•
•
•
Note
The CSS generates traps in SNMP version 1 (SNMP v1) format.For more information on these options and associated variables, see the following commands.
Related Commands
(config) restrict telnet
(config) rmon-alarm
(config) rmon-event
(config) rmon-historysnmp auth-traps
To enable reception of SNMP authentication traps, use the snmp auth-traps command. Use the no form of this command to disable reception of authentication traps.
snmp auth-traps
no snmp auth-traps
Usage Guidelines
The CSS generates these traps when an SNMP management station attempts to access your system with invalid community names. The CSS generates traps in SNMP v1 format.
Command Modes
Global configuration mode
Related Commands
snmp community
To set or modify SNMP community names and access properties, use the snmp community command. You may specify as many community names as you wish. Use the no form of this command to remove a community name and set it to Cisco Systems, Content Network Systems.
snmp community community_name [read-only|read-write]
no snmp community community_name
Syntax Description
Command Modes
Global configuration mode
snmp contact
To set or modify the contact name for the SNMP system, use the snmp contact command. You can specify only one contact name. Use the no form of this command to remove the contact name.
snmp contact "contact_name"
no snmp contact
Syntax Description
Command Modes
Global configuration mode
snmp location
To set or modify the SNMP system location, use the snmp location command. You can specify only one location. Use the no form of this command to remove the location and set it to Customer Premises.
snmp location "location"
no snmp location
Syntax Description
"location"
Physical location of this system. Enter a quoted text string with a maximum length of 255 characters.
Command Modes
Global configuration mode
snmp name
To set or modify the SNMP name for this system, use the snmp name command. You can specify only one name. Use the no form of this command to remove the SNMP name for this system and set it to Support.
snmp name "name"
no snmp name
Syntax Description
Command Modes
Global configuration mode
snmp reload-enable
To allow the rebooting of the CSS through SNMP, use the snmp reload-enable command. Use the no form of this command to disallow a CSS reboot through SNMP (default behavior).
snmp reload-enable {reload_value}
no snmp reload-enable
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
When you use the snmp reload-enable command, it allows any SNMP write to the reload object to force a CSS reboot. The reload object name is apSnmpExtReloadSet (1.3.6.1.4.1.2467.1.22.7). You can find this object in the enterprise MIB, snmpext.mib. When you include a reload value, an SNMP write equal to the reload_value forces a CSS reboot.
snmp trap-host
To set or modify the SNMP host to receive traps from this system, use the snmp trap-host command. Use the no form of this command to remove a specified trap host.
snmp trap-host ip_or_host community_name snmpv2
no snmp trap-host ip_or_host
Syntax Description
Usage Guidelines
The CSS generates traps in SNMP v1 format.
Command Modes
Global configuration mode
snmp trap-source
To set the source IP address in the traps generated by the CSS, use the snmp trap-source command. Use the no form of this command to return SNMP source traps to the default of the management port IP address.
snmp trap-source [egress-port|management|specified source_ip_address]
no snmp trap-source
Syntax Description
Command Modes
Global configuration mode
snmp trap-type enterprise
To enable SNMP enterprise traps and configure trap types, use the snmp trap-type enterprise command. Use the no form of this command to disable all or a specific trap. Use the no snmp trap-type enterprise command to disable all traps.
snmp trap-type enterprise {dos_attack_type {trap-threshold threshold_value}|chmgr-module-transition|chmgr-ps-transition
|isc-lifetick-failure|login-failure|reload|redundancy-transition
|reporter-transition|service-transition}no snmp trap-type enterprise {dos_attack_type
|chmgr-module-transition|chmgr-ps-transition|isc-lifetick-failure
|login-failure|reload|redundancy-transition
|reporter-transition|service-transition}Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
You must enable enterprise traps before you configure an enterprise trap option. You can enable the CSS to generate enterprise traps when DoS attack events occur, a login fails, or a CSS service transitions state.
The CSS generates traps in SNMP v1 format.
Related Commands
snmp auth-traps
snmp trap-host
show log traplogsnmp trap-type generic
To enable SNMP generic trap types, use the snmp trap-type generic command. The generic SNMP traps consist of cold start, warm start, link down, and link up. Use the no form of this command to disable a generic trap.
snmp trap-type generic
no snmp trap-type generic
Command Modes
Global configuration mode
Usage Guidelines
The CSS generates traps in SNMP v1 format.
Related Commands
snmp auth-traps
snmp trap-host
show log traplog(config) sntp
To configure the SNTP server on the CSS, use the sntp command. You can configure one SNTP server. Use the no form of this command to remove the SNTP server or reset the poll interval.
sntp [server ip_address {version number}|poll-interval seconds]
no sntp [server|poll-interval]
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
Before you synchronize the CSS with an SNTP server, make sure you configure the proper time zone for the CSS (for example, to EST). Also make sure that the time difference between the CSS internal clock and the SNTP server clock is less than 24 hours. Otherwise, the CSS will not synchronize its clock with the SNTP server.
Related Commands
(config) spanning-packets
To configure the number of packets spanned for the search of the HTTP Header termination string, use the spanning-packets command. Use the no form of this command to reset the number of packets spanned to the default value of 6.
spanning-packets number
no spanning-packets
Syntax Description
number
Number of packets spanned for the search of the HTTP Header termination string. Enter a number from 1 to 20.
Usage Guidelines
In some environments, URL, cookie strings, or HTTP header information can span over multiple packets. In these environments, the CSS can parse multiple packets for Layer 5 information before making load-balancing decisions. Through the global configuration mode spanning-packets command, the CSS can parse a maximum of 20 packets with a default of 6.
The CSS makes the load-balancing decision as soon as it finds a match and does not require parsing of all of the configured number of spanned packets. Because parsing multiple packets does impose a longer delay in connection, performance can be impacted by longer strings that span mulitple packets.
Command Modes
Global configuration mode
(config) sshd
To control the Secure Shell Host server, use the sshd command. The options for this global configuration mode command are:
•
•
•
Note
For more information on these options and associated variables, see the following commands.
Related Commands
(config) restrict telnet
sshd keepalive
To enable SSHD keepalive, use the sshd keepalive command. SSHD keepalive is enabled by default. Use the no form of this command to disable SSHD keepalive.
sshd keepalive
no sshd keepalive
Command Modes
Global configuration mode
sshd port
To set the port number that the server listens to connections from clients, use the sshd port command. Use the no form of this command to reset the port number to the default of 22.
sshd port number
no sshd port
Syntax Description
Command Modes
Global configuration mode
sshd server-keybits
To set the number of bits in the server key, use the sshd server-keybits command. Use the no form of this command to reset the number of bits to the default of 768.
sshd server-keybits number
no sshd server-keybits
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
The valid range for this command is 512 to 1024. However, to maintain backward compatibility with version 5.00, the CSS allows you to enter a value from 512 to 32768. If you enter a value greater than 1024, the CSS changes the value to the default of 768.
When you reboot the CSS, the following error message appears to remind you of the valid range:
NETMAN-3: sshd: Bad server key size <configured value; range 512 to 1024; defaulting to 768(config) ssl-l4-fallback
To disable or reenable the CSS insertion of the Layer 4 hash value, based on the source IP address and destination address pair, into the sticky table, use the ssl-l4-fallback command. By default, the CSS inserts the Layer 4 hash value into the sticky table.
ssl-l4-fallback disable|enable
Syntax Description
Usage Guidelines
Insertion of the Layer 4 hash value into the sticky table occurs when more than three frames are transmitted in either direction (client-to-server, server-to-client) or if SSL version 2 is in use on the network. If either condition occurs, the CSS inserts the Layer 4 hash value into the sticky table, overriding the further use of the SSL version 3 session ID.
The ssl-l4-fallback command is only applicable when the (config-owner-content) advanced-balance ssl method is specified for a content rule, which forces the content rule to stick to a server based on SSL version 3 session ID.
The use of the ssl-l4-fallback command may be necessary in a lab environment when testing SSL with a small number of clients and servers, where some retransmissions might occur. In this case, you would not want to use the Layer 4 hash value because it will skew the test results.
Note
Related Commands
(config-owner-content) advanced-balance
(config) ssl associate
To specify an SSL certificate, RSA key or DSA key pair, or Diffie-Hellman parameter association to an imported or generated file, use the ssl associate command. Use the no form of the command to remove an association.
ssl associate association_type association_name filename
no ssl associate association_type association_name
Syntax Description
Usage Guidelines
After you import or generate certificate and key pair files, you must distinguish to the CSS whether these files contain certificates, private keys, or Diffie-Hellman parameters. You do this by associating certificate names, private/public key pair names, or Diffie-Hellman parameter names to the particular imported files.
When you associate the entries specified in the various certificate and private key commands to files, CSS stores the bindings in the running configuration. Before you log out or reboot the CSS, you must copy the contents of the running-config file to the startup-config file to save configuration changes and have the CSS use this configuration on subsequent reboots. When you reboot the CSS, the certificate and key associations are automatically loaded.
The no form of this command will not function if the association is in use by an active SSL proxy list.
Related Commands
copy ssl
show ssl
(ssl-proxy-list) ssl-server(config) ssl crl-record
To configure the CSS to obtain a certificate revocation list (CRL) from a certificate authority (CA) and periodically download the CRL through HTTP, use the ssl crl-record command. Use the no form of the command to remove the CRL record.
ssl crl-record crl_name url sign_cert hours
no ssl crl-record crl_name
Syntax Description
Usage Guidelines
You can assign only one CRL record to a virtual SSL server. However, you can configure a maximum of 10 CRL records.
Related Commands
show ssl crl-record
(ssl-proxy-list) ssl-server number crl(config) ssl gencert
To generate and save a temporary certificate to a file on a CSS disk, use the ssl gencert command. For purposes of SSL testing, you may want to generate a temporary certificate by generating a CSR and signing it with your own private key.
ssl gencert certkey certkey signkey signkey certfile "password"
Syntax Description
Usage Guidelines
Generate keys and certificates on the CSS for purposes of testing. This command produces a valid certificate or key pair (primarily useful for testing purposes). Be aware that most web browsers will flag the certificate as signed by an unrecognized signing authority.
The ssl gencert command can sign RSA or DSA certificates with either an RSA key pair or a DSA key pair. You generate the certificate based on:
•
•
For detailed information on using this command, refer to the Cisco Content Services Switch SSL Configuration Guide.
Related Commands
(config) ssl gencsr
To generate a Certificate Signing Request (CSR) file for an RSA key pair file and transfer the certificate request to the Certificate Authority (CA), use the ssl gencsr command. You must generate a CSR file if you are requesting a new certificate or renewing a certificate. When the CA signs the CSR, using its RSA private key, the CSR becomes the certificate.
ssl gencsr rsakey
Syntax Description
Usage Guidelines
The ssl gencsr command produces a valid certificate or key pair (primarily useful for testing purposes). Be aware that most web browsers will flag the certificate as signed by an unrecognized signing authority.
The ssl gencsr command generates a CSR in PKCS10 format.
For detailed information on using this command, refer to the Cisco Content Services Switch SSL Configuration Guide.
Related Commands
(config) ssl gendh
To generate a Diffie-Hellman key agreement parameter file on the CSS, use the ssl gendh command. Diffie-Hellman is a shared key agreement algorithm. Diffie-Hellman key exchange uses a complex algorithm and public and private keys to encrypt and then decrypt packet data. The CSS disk stores the generated parameters as a file.
ssl gendh filename numbit "password"
Syntax Description
Usage Guidelines
Generation of a Diffie-Hellman key agreement parameter file can sometimes take a lengthy period of time (perhaps a maximum of 20 minutes) and is a CPU-intensive utility. If you use the ssl gendh command, ensure that the CSS is not actively passing traffic at the same time to avoid impacting CSS performance. For detailed information on using this command, refer to the Cisco Content Services Switch SSL Configuration Guide.
Related Commands
(config) ssl gendsa
To generate a DSA private/public key pair for asymmetric encryption on the CSS, use the ssl gendsa command. DSA is the public key exchange cryptographic system developed by the National Institutes of Science and Technology. DSA can only be used for digital signatures (signings) but not for key exchange. The CSS disk stores the generated DSA key pair as a file.
ssl gendsa filename numbit "password"
Syntax Description
Usage Guidelines
The ssl gendsa command produces a valid certificate or key pair (primarily useful for testing purposes). Be aware that most web browsers will flag the certificate as signed by an unrecognized signing authority.
For detailed information on using this command, refer to the Cisco Content Services Switch SSL Configuration Guide.
Related Commands
(config) ssl genrsa
To generate an RSA private/public key pair for asymmetric encryption on the CSS, use the ssl genrsa command. RSA key pairs are used to sign and encrypt packet data, and are a requirement before another device (client or web server) can exchange an SSL certificate with the CSS. The key pair refers to a public key and its corresponding private (secret) key. The CSS stores the generated RSA key pair as a file.
ssl genrsa filename numbit "password"
Syntax Description
Usage Guidelines
The ssl genrsa command produces a valid certificate or key pair (primarily useful for testing purposes). Be aware that most Web browsers will flag the certificate as signed by an unrecognized signing authority.
For detailed information on using this command, refer to the Cisco Content Services Switch SSL Configuration Guide.
Related Commands
(config) ssl verify
To verify a certificate against a key pair, use the ssl verify command. A digital certificate is built around a public key, and it can only be used with one key pair. This command compares the public key in the associated certificate with the public key stored with the associated private key, and verify that they are both the same.
ssl verify certname keyname
Syntax Description
certname
Association name of the certificate used to verify against the specified key pair
keyname
Association name of the key pair used to verify against the specified certificate
Usage Guidelines
If the certificate does not match the public and private key pair, the CSS logs an error message.
(config) ssl-proxy-list
To access SSL proxy list configuration mode and configure an SSL proxy configuration list, use the ssl-proxy-list command. An SSL proxy configuration list is a group of related virtual SSL servers that are associated with an SSL service. The SSL modules in the CSS use these servers to properly process and terminate SSL communications between the client and the web server.
In global configuration mode, use the no form of this command to delete an existing list.
ssl-proxy-list name
(config) no ssl-proxy-list name
Syntax Description
Usage Guidelines
You can access the ssl-proxy-list configuration mode from any configuration mode except for the ACL, boot, group, RMON, or owner configuration modes. When you use the ssl-proxy-list command to access this mode, the prompt changes to (ssl-proxy-list [name]). For information about commands available in this mode, see the "SSL-Proxy-List Configuration Mode Commands" section.
Note
(config) tacacs-server
To configure the CSS as a client of a TACACS+ server, authenticates users, and authorizes and accounts for configuration and nonconfiguration commands, use the tacac-server command. The options for this command are:
•
•
•
•
•
•
•
For information about these commands and any associated arguments, see the tacac-server commands in this section.
tacacs-server ip_address port
To define a TACACS+ server, use the tacacs-server ip_address port command. You must provide the IP address and port number for the server. You can define the keepalive frequency, timeout period, and encryption key, and designate the server as the primary server. Use the no form of this command to remove the server.
tacacs-server ip_address port {timeout ["cleartext_key"|des_key]} {primary} {frequency number}
no tacacs-server ip_address port
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
To change the keepalive frequency, timeout period, or encryption key for a specific TACACS+ server, you must delete the server and then redefine it with the updated parameter.
To apply a global keepalive frequency, timeout period, or encryption key change to a TACACS+ server, you must delete the server and then reconfigure the server.
After configuring the TACACS+ server, enable TACACS+ authentication for console and virtual logins (if the user and password pair is not in the local user database) through the (config) console authentication and (config) virtual authentication commands.
Note
Related Commands
show tacacs-server
(config) console authentication
(config) virtual authenticationtacacs-server account
To enable the TACACS+ server to receive accounting reports for all commands that change or do not change the CSS running configuration, use the tacacs-server account command. Use the no form of this command to disable accounting.
tacacs-server account config|non-config
no tacacs-server account config|non-config
Syntax Description
Usage Guidelines
TACACS+ accounting allows the TACACS+ server to receive an accounting report for commands that the user can execute. CSS accounting divides the command set into two categories:
•
•
By default, the CSS disables accounting. When you enable accounting, you can account for configuration commands, nonconfiguration commands, or both.
Note
Related Commands
tacacs-server authorize
To enable the TACACS+ server to authorize commands that change or do not change the CSS running configuration, use the tacacs-server authorize command. Use the no form of this command to disable authorization.
tacacs-server authorize config|non-config
no tacacs-server authorize config|non-config
Syntax Description
config
Enables authorization of all commands that change the running configuration
non-config
Enables authorization of all commands that do not change the running configuration
Usage Guidelines
TACACS+ authorization allows the TACACS+ server to control specific CSS commands that the user can execute. CSS authorization divides the command set into two categories:
•
•
By default, authorization is disabled. When authorization is enabled, the TACACS+ server is responsible for granting permission or denying all attempts to execute commands. When you enable authorization, the exchange between the TACACS+ server and the CSS causes a delay in executing the command.
Note
Related Commands
tacacs-server frequency
To define the global keepalive frequency for use with all configured TACACS+ servers, use the tacacs-server frequency command. Use the no form of the command to reset the keepalive frequency to its default of 5 seconds.
tacacs-server frequency seconds
no tacacs-server frequency
Syntax Description
seconds
Keepalive frequency in seconds. Enter an integer from 0 to 255. The default is 5 seconds. A setting of 0 disables keepalives.
Usage Guidelines
To determine the availability of the TACACS+ servers, the CSS sends periodic TCP keepalive probes to them. If the server does not respond to the probes within the configured timeout period, the CSS considers the server unavailable.
A keepalive frequency defined when specifying a TACACS+ server overrides the global keepalive frequency.
To apply a modified global keepalive frequency to a configured CSS TACACS+ server, remove the server and reconfigure it.
Related Commands
tacacs-server key
To specify a global shared secret between the CSS and the server, use the tacacs-server key command. Use the no form of this command to remove the global key.
tacacs-server key ["cleartext_key"|des_key]
no tacacs-server key
Syntax Description
Command Modes
Global configuration mode
Usage Guidelines
The CSS allows you to define a global encryption key for communications with all configured TACACS+ servers. To encrypt TACACS+ packet transactions between the CSS and the TACACS+ server, you must define an encryption key. If you do not define an encryption key, packets are not encrypted. The key is a shared secret value that is identical to the one on the TACACS+ server. A shared secret defined when specifying a TACACS+ server overrides the global secret. See the tacacs-server ip_address port command.
Related Commands
tacacs-server send-full-command
To reset the CSS default behavior of expanding user-executed abbreviated commands to their full command syntax before the CSS sends them to the TACACS+ server, use the tacacs-server send-full-command command. Use the no form of the command to send user-executed commands exactly as entered to the TACACS+ server without expanding abbreviated commands.
tacacs-server send-full-command
no tacacs-server send-full-command
tacacs-server timeout
To define the global timeout period for use with all configured TACACS+ servers, use the tacacs-server timeout command. Use the no form of the command to reset the timeout period to its default of 5 seconds.
tacacs-server timeout seconds
no tacacs-server timeout
Syntax Description
seconds
Amount of time to wait for a response from the server. Enter a number from 1 to 255. The default is 5 seconds.
Usage Guidelines
To determine the availability of the TACACS+ servers, the CSS sends periodic keepalive probes to them. If the server does not respond to the probe within the timeout period, the CSS considers the server unavailable.
If the CSS attempts to contact the server and does not receive a response within the defined timeout value, it will use another server. The next configured server is contacted and the process repeated. If a second (or third) TACACS+ server has been identified, that server is selected as the active server.
If the CSS cannot reach all three TACACS+ servers, users will not be authenticated and cannot log into the CSS unless TACACS+ is used in combination with a RADIUS or local server, as defined through the (config) console authentication command or the (config) virtual authentication command.
Note
Related Commands
(config) tcp-ip-fragment-enabled
To allow a CSS to flow-process TCP IP fragments, use the tcp-ip-fragments-enabled command. When a CSS flow-processes IP fragments, it has the potential to match the fragmented packets to content rules and source groups for intelligent routing and load balancing. This command is disabled by default. Use the no form of this command to reset the default behavior of the CSS to forwarding TCP IP fragments.
tcp-ip-fragment-enabled
no tcp-ip-fragment-enabled
Command Modes
Global configuration mode
Usage Guidelines
This feature performs content rule-based forwarding using the Layer 3 (IP address) and Layer 4 (TCP port) information in the IP header and the TCP header. Layer 5 forwarding decisions for IP fragments, based on the packet payload (data), are not supported. For more information, refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.
Related Commands
show ip-fragment-stats
zero ip-fragment-stats
(config) ip-fragment max-assembled-size
(config) udp-ip-fragment-enabled
(config) udp-ip-fragment-enabled
To allow a CSS to flow-process UDP IP fragments, use the ip-udp-fragment-enabled command. When a CSS flow-processes IP fragments, it has the potential to match the fragmented packets to content rules and source groups for intelligent routing and load balancing. This command is disabled by default. Use the no form of this command to reset the default behavior of the CSS to forwarding UDP IP fragments.
udp-ip-fragment-enabled
no udp-ip-fragment-enabled
Command Modes
Global configuration mode
Usage Guidelines
This feature performs content rule-based forwarding using the Layer 3 (IP address) and Layer 4 (UDP port) information in the IP header and the UDP header. Layer 5 forwarding decisions for IP fragments, based on the packet payload (data), are not supported. For more information refer to the Cisco Content Services Switch Content Load-Balancing Configuration Guide.
Related Commands
show ip-fragment-stats
zero ip-fragment-stats
(config) ip-fragment max-assembled-size
(config) tcp-ip-fragment-enabled(config) urql
To access Uniform Resource Locator qualifier list (URQL) configuration mode and configure a URQL, use the urql command. Use the no form of this command to an existing URQL.
urql urql_name
no urql existing_urql_name
Syntax Description
Usage Guidelines
A URQL is a collection of URLs for content requests that you can associate to one or more content rules. The CSS uses this list to identify which requests to send to a service.
You cannot configure a URQL with subscribers services.
You can access this mode from any configuration mode except ACL, boot, group, keepalive, and owner configuration modes. The prompt changes to (config-urql [name]). You can also use this command from URQL mode to access another URQL. For information about commands available in this mode, see the "URQL Configuration Mode Commands" section.
(config) username
To configure a local username and its password for logging into the CSS, and allow it to access SuperUser mode, use the username command. Use the no form of this command to delete an existing username.
username name [password password {superuser}{dir-access access}
|des-password password {superuser}{dir-access access}]no username name
Syntax Description
Usage Guidelines
If the (config) restrict user-database command is entered, only a user with administrative or technician privileges can use the username command.
The CSS can support a maximum of 32 usernames including the administrator and technician usernames. It ships with a default username of admin and password of system.
You cannot permanently delete an administrative username and password. If you delete this username by using the no username command, it removes it from use until you reboot the CSS. When you reboot the CSS, it restores the username and password from NVRAM.
Related Commands
show running-config
show user-database
(config) restrict(config) username-offdm
To change the administrative username and password without having to use the Offline DM menu, use the username-offdm command. The CSS ships with a default administrative username of admin and password of system.
username-offdm name password password
Syntax Description
Usage Guidelines
Unlike other usernames and passwords, the CSS saves the administrative username and password in nonvolatile RAM (NVRAM). When you reboot the CSS, it reads the username and password from NVRAM and reinserts them into the user database.
Note
(config) username-technician
Caution
A technician user has access to all directories in the WebNS directory structure in the CSS. This user can remove or copy valuable system files (including encrypted certificates or keys in an CSS 11503 or 11506 containing an SSL module). The removing of system files could make the CSS unusable.
To set the technician username and password without having to use the Technician Offline DM menu, use the username-technician command.
username-technician name password password
Syntax Description
(config) virtual authentication
To configure the primary, secondary, or tertiary virtual authentication on the CSS, use the virtual authentication command. Use this command to require users to enter a username and password to remotely log in to the CSS.
virtual authentication [primary|secondary|tertiary [local|radius|tacacs|disallowed]]
Syntax Description
Usage Guidelines
Virtual authentication allows remote users to log into the CSS through FTP or Telnet with or without requiring a username and password. The CSS can also deny access to all remote users.
You can configure the CSS to authenticate users by using the local database, RADIUS server, or TACACS+ server. By default, the CSS uses the local database as the primary method to authenticate users and disallows user access for the secondary and tertiary method.
Before you can use RADIUS or TACACS+ as the virtual authentication method, you must enable communication with the RADIUS or TACACS+ security server. Use either the (config) radius-server command or the (config) tacacs-server command.
Related Commands
show user-database
(config) console authentication
(config) radius-server
(config) restrict
(config) tacacs-server(config) vrrp-backup-timer
To specify the time interval in seconds that the backup CSS waits to assume mastership when the master CSS goes down, use the vrrp-backup-timer command. Use the no form of this command to reset the timer to the default value of 3 seconds.
vrrp-backup-timer wait_time
no vrrp-backup-timer
Syntax Description
Usage Guidelines
Timer values greater than the 3-second default cause longer failover times. Use the vrrp-backup-timer command only in environments where the CPU utilization on the CSS is close to 100 percent.
After you set the timer value, you need to reenter the (config-circuit-ip) redundancy-protocol command on the redundant circuit between the CSSs for the new timer value to take effect.
Note
Related Commands
script play
(config-circuit-ip) redundancy-protocol(config) web-mgmt state
To allow or deny client access to the XML HTTP server running on the CSS, use the web-mgmt state command.
web-mgmt state [disable|enable]
Syntax Description
Usage Guidelines
The web-mgmt state command performs the same function as the (config) restrict xml command and its no form of the command. Note that when you use this command, it does not appear in the configuration file. Instead, the (config) restrict or its no form of the command appears in the configuration file.
When XML is enabled, the CSS listens for XML connections on port 80.
Related Commands
(config) zero flow-state-counters
To reset all the hit counters in the flow state table to zero, use the zero flow-state-counters command. The flow state table contains hit counters that total the number of hits for each port entry in the table.
zero flow-state-counters
Related Commands
