Table Of Contents
Release Note for the Cisco Global Site Selector, Release 1.1(1)
Contents
Before Upgrading to Version 1.1(1)
Cisco-Supported Hardware and Software Compatibility
New Features in Software Version 1.1(0)
Additional Information for Building and Modifying DNS Rules
Operating Conditions for Software Version 1.1(1)
Open Caveats for Software Version 1.1(1)
Resolved Caveats for Software Version 1.1(1)
CLI Command Changes in Software Version 1.1(1)
CLI Command Changes in Software Version 1.1(0)
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Note for the Cisco Global Site Selector, Release 1.1(1)
May 16, 2006
Note 
The most current Cisco GSS documentation for released products is available on Cisco.com.
Contents
This release note applies to software version 1.1(1) for the Cisco Global Site Selector (GSS). It contains the following sections:
•Before Upgrading to Version 1.1(1)
•Cisco-Supported Hardware and Software Compatibility
•New Features in Software Version 1.1(0)
•Additional Information for Building and Modifying DNS Rules
•Operating Conditions for Software Version 1.1(1)
•Open Caveats for Software Version 1.1(1)
•Resolved Caveats for Software Version 1.1(1)
•CLI Command Changes in Software Version 1.1(1)
•CLI Command Changes in Software Version 1.1(0)
•Obtaining Documentation, Obtaining Support, and Security Guidelines
Before Upgrading to Version 1.1(1)
Before you upgrade your GSS software to version 1.1(1), review the software upgrade sequence as described in the Cisco Global Site Selector Configuration Guide, Chapter 9, GSS Administration and Troubleshooting, the "Upgrading the Cisco GSS Software" section, located on Cisco.com at:
http://www.cisco.com/en/US/products/hw/contnetw/ps4162/prod_configuration_guides_list.html
To take full advantage of all of the features and capabilities of software version 1.1(1), we recommend that you update all GSS devices in your network within the same time frame, starting with the primary GSSM. However, if you plan to upgrade the other GSS devices in your network over time, note that the following keepalive features of software version 1.1(1) are downgraded on the GSS software version 1.0 devices as follows:
•The new TCP connect keepalive method is automatically configured as the ICMP keepalive method.
•The new graceful HTTP HEAD keepalive connection termination method is automatically configured as the HTTP HEAD reset termination method.
•The new Fast mode for keepalives is automatically changed to Standard mode.
Cisco-Supported Hardware and Software Compatibility
Cisco Global Site Selector software operates with the following Cisco hardware:
•Cisco Global Site Selector 4490 or 4480 platform (configured in software as the primary GSSM, the standby GSSM, or as a GSS device)
•Cisco Content Services Switch running the following recommended WebNS software releases:
–Cisco 11500 Series CSS—Software releases 7.10.3.05 or greater, 7.20.1.04 or greater
–Cisco 11000 Series CSS—Software releases 5.00.3.09 or greater, 6.10.1.07 or greater
•Cisco Catalyst 6500 Content Switching Module (CSM) running the following software releases:
| |
Recommended CSM Versions
|
Minimum Supported CSM Versions
|
Cisco Catalyst 6500 Content Switching Module (CSM)
|
Software releases:
•3.1(10)
•3.2(1)
•4.1(4)
•4.2(1)
|
Software releases:
•3.1(4)
•3.2(1)
•4.1(4)
•4.2(1)
|
Refer to the Cisco documentation that came with each device for detailed, device-specific instructions on handling, installing, and configuring your Cisco hardware.
You can upgrade to GSS software version 1.1(1) from any GSS version 1.0 release (versions 1.0, 1.0.1, or 1.0.2) or from the GSS version 1.1(0) release.
New Features in Software Version 1.1(0)
The Cisco Global Site Selector software version 1.1(0) provides the following new features and enhancements:
•Cisco Standard Graphical User Interface Look and Feel—The look and feel of the primary GSSM graphical user interface has been completely revised to match the Cisco Systems standard for graphical user interface design.
•Fast Keepalive Rate—Each type of VIP-answer GSS keepalive can support a Fast or Standard keepalive rate. The Fast keepalive rate can be as fast as four seconds, while the Standard keepalive rate is 40 to 255 seconds. For the Fast keepalive rate, you can adjust the number of retries for the ICMP, TCP, HTTP HEAD, and KAL-AP keepalive types, which adjusts the detection time determined by the GSS. The Fast keepalive rate also allows you to specify the number of consecutive successful keepalive attempts (probes) that must be recognized by the GSS before bringing an answer back online (PERS request 8139).
•TCP Connect Keepalive Method—The GSS now supports the TCP connect keepalive type. The TCP keepalive is used when the GSS answer that you are testing is transmitted to GSLB devices other than a Cisco Content Services Switch (CSS) or Content Switching Module (CSM). GSLB remote devices may include webservers, LocalDirectors, WAP gateways, and other devices that can be checked using a TCP keepalive. The TCP keepalive initiates a TCP connection to the remote device by performing the three-way handshake sequence. The TCP termination connection method can be Graceful (FIN) or Reset (RST). The choice in termination connection method has been also been added for HTTP-HEAD keepalives.
•DNS Rate Monitoring—Using the show statistics dns CLI command, you can monitor the number of DNS requests over a one-minute, five-minute, 30-minute, or 4-hour time interval.
•Configuration Export—Using the show tech-support config CLI command, you may export the output of all configured fields from the primary GSSM GUI to the screen or a file.
•Miscellaneous Enhancements—The GSS software version 1.1(0) also includes the following miscellaneous enhancements:
–Primary GSSM GUI Saves Sort Method and List Position—The primary GSSM GUI remembers sorting method and list position when you press the Refresh button, or when an item is modified and returns you to the list page (PERS request 8122).
–DNS over TCP—The GSS provides basic support for DNS requests that arrive over TCP to port 53.
–Ability to Access the GSS CLI Using a Private and Public Key Pair—The GSS supports remote login to the device over an SSH session using private and public key pairs for authentication. With this method of remote connection, you use a generated private/public key pair to participate in a secure communication by encrypting and decrypting messages.
–CLI Setup Script—A setup script for the CLI steps you through basic GSS network and device configurations. This setup capability is offered by default for a new GSS device, and can also be run at any time with the setup CLI command.
–SSL Certificate Modification Support—The certificate set-attributes command allows you to customize the X.509 fields, extensions, and properties found on the security certificate issued by Cisco Systems for the primary GSSM GUI.
–Telnet Client Allows Port Option—The telnet CLI command allows you to change the port number for the Telnet session to a port other than port 23 (the Telnet port) (PERS request 8265).
–CLI Commands for Configuring SNMP—The GSS allows you to specify the SNMP community name, the name of the contact person, and the physical location of a GSS device.
–GUI Session Inactivity Timeout—A check box on the GUI Configuration details page enables or disables the use of the GUI Session Inactivity Timeout function (PERS request 8117).
For details on the new features and enhancements included in GSS software version 1.1(0), refer to the Cisco Global Site Selector Configuration Guide and Cisco Global Site Selector Command Reference located on:
http://www.cisco.com/en/US/products/hw/contnetw/ps4162/index.html
Additional Information for Building and Modifying DNS Rules
This information augments the information provided in Chapter 8, Building and Modifying DNS Rules in the Cisco Global Site Selector Global Server Load Balancing Configuration Guide.
The balance clauses that you configure in a DNS rule are evaluated in order, with parameters established to determine when a clause should be skipped and the next clause is to be used. A balance clause is skipped when any one of the following conditions exits:
•A least-loaded balance method is selected and the load threshold for all online answers is exceeded.
•The VIP answers in the specified VIP answer group are offline.
•Proximity is enabled for a VIP-type answer group and the DRP agents do not return any RTT values that meet the value set for acceptable-rtt.
•All answers in a CRA- or NS-type answer group are offline and keepalives are enabled to monitor the answers.
Operating Conditions for Software Version 1.1(1)
The following operating conditions exist for software version 1.1(1):
•A software version 1.1(1) database backup is not backward-compatible with software version 1.0. However, a software version 1.0 database backup is compatible with software version 1.1(1). Before upgrading to software version 1.1(1), be sure to perform a full database backup and archive your software version 1.0 database.
•The GSS supports only HTTP-HEAD and TCP keepalives on a single Ethernet interface. Use the gss-tcp-keepalive CLI command to choose the interface. The default is interface ethernet 0. If the configured IP routing results in HTTP-HEAD or TCP packets transmitted out the other interface, these packets will not have proper checksums and will fail to reach their destination. This is a known restriction of the current GSS software releases. You can determine if this routing problem exists by entering the show statistics keepalive command and verifying that the keepalives reach the ONLINE status. Make sure the routing in your network is properly set up for the interface configuration and keepalive addresses.
•The GSS 1.1(1) software release supports several important new keepalive features, as described in the "New Features in Software Version 1.1(0)" section. Due to the nature and the variety of applications, as well as the software and hardware platforms on which they run, not all of the keepalive methods may be appropriate for all applications and platforms. It is important that you understand the specific device health detection requirements and choose the most appropriate keepalive for each situation.
For example, certain older versions of the Linux operating system running the internet superserver application (inetd) prevent a large number of Telnet connections during a short period of time. If you configure the GSS with default Fast TCP keepalive rate to the Telnet port, the Fast keepalive rate may cause inetd to shut down the port for a period of time. If one keepalive method does not work, try other settings and methods to find the appropriate combinations for your application.
Open Caveats for Software Version 1.1(1)
This section lists the open caveats for Cisco Global Site Selector Version 1.1(1).
•CSCec01715—When creating a VIP-type answer for a TCP or HTTP-HEAD keepalive in the Creating New Answer details page of the primary GSSM GUI, configuration issues may occur when you perform the following sequence:
a. Deselect the VIP Address check box.
b. Choose a Shared Keepalive from the drop-down list.
In this instance, the GSS still allows you to specify entries in the Port Number, Connection Termination Method, and the Host Tag and Path fields (for HTTP HEAD keepalive only), which are ignored by the GSS. This behavior occurs with Netscape Navigator 4.78, but is not reproducible with Microsoft Internet Explorer.
•CSCeb24053—Attempting to log in to the GSS by Telnet, SSH, or FTP may take several minutes if an associated nameserver is unreachable. The GSS requires an operating nameserver to function properly. If you do not configure the nameserver using ip name-server commands or the configured nameservers are not reachable for any reason (for example, down, network loss, firewall issues), the GSS is unable to perform DNS resolutions when users log in. When this problem occurs, the timeout may take several minutes to occur.
Workaround: There is no workaround; the GSS requires a functioning nameserver. To avoid problems, always configure more than one nameserver. For example:
gss.yourdomain.com(config)#ip name-server 192.168.1.1
gss.yourdomain.com(config)#ip name-server 192.168.2.2
gss.yourdomain.com(config)#ip name-server 192.168.3.3
If the GSS has access lists configured, this problem may also occur. The workaround is to create access lists to allow the DNS responses from a nameserver. This can be done through the access-list command. For example:
gss.yourdomain.com(config)#access-list <name> permit udp any eq 53
Another workaround is to allow only DNS response packets received from your configured nameservers. For example:
gss.yourdomain.com(config)#access-list <name> permit udp 192.168.1.1 255.255.255.255
eq 53
gss.yourdomain.com(config)#access-list <name> permit udp 192.168.1.2 255.255.255.255
eq 53
gss.yourdomain.com(config)#access-list <name> permit udp 192.168.1.3 255.255.255.255
eq 53
•CSCec34850—On rare occasions, the FTP client on the GSS software may perform a core dump to the GSS /home directory and terminate the FTP process. This behavior has no impact on GSS performance or on subsequent FTP attempts.
•CSCec45409—The RSA libraries in the GSS are potentially vulnerable to an SSL exploit. It is unknown whether the RSA BSAFE SSL-J libraries are exploitable. Refer to the following link for information:
http://www-tac.cisco.com/Teams/PSIRT/HOT/ssl1003_status.html
•CSCec46317—Attempting to enable a standby GSSM or GSS devices on the network immediately after enabling the primary GSSM may result in the primary GSSM failing to register the other GSS devices. Symptoms of this problem include: the standby GSSM or GSS devices not appearing in the primary GSSM GUI Global Site Selectors list page (Resources tab) and errors reported in the log files of the standby GSSM or GSS device. If this problem occurs, enter the gss disable and gss enable commands on the other GSS devices.
Workaround: Perform the following sequence to enable the primary GSSM and the other GSS devices and properly register those devices with the primary GSSM:
a. Enable the primary GSSM using the gss enable gssm-primary command.
b. Enter the gss status command and observe when the primary GSSM reaches the
Normal Operation [runmode = 5] state, then wait an additional minute. If necessary, repeat entering the command until the Normal Operation [runmode = 5] message appears. The primary GSSM is now ready to properly register the other GSSs devices within the network.
c. Register the other GSSs in the network with the primary GSSM using the gss enable gssm-standby primary_GSSM_IP_address or gss enable gss primary_GSSM_IP_address commands.
•CSCec46406—Restoring the database backup file from one primary GSSM to another primary GSSM may cause the latter primary GSSM to malfunction if you incorrectly answer certain restore questions. When moving a primary GSSM backup file from one primary GSSM to a different primary GSSM, even in a different GSS network configuration, it is important to properly answer the following network restore question: Do you want to replace your current GSS network configuration with the one specified in the backup file? (y/n):
–Answer y (yes) at the prompt if you intend for the new primary GSSM to completely replace the primary GSSM on which the backup was created.
–Answer n (no) at the prompt if the backup is being copied onto a different primary GSSM in a different GSS network configuration.
Incorrectly answering y (yes) for the wrong GSS configuration may result in improper behavior of the other GSSs in the network after you enter the gss enable command to register those devices with the new primary GSSM. As a general rule, if you intend only to copy elements such as DNS rules, keepalives, answers, and answer groups from the primary GSSM backup file, and not the GSS network relationships, always answer n to the database network restore question.
•CSCeb46763—When you change an Ethernet interface configuration to either the bandwidth speed or duplex operation of one of the two Ethernet interfaces (0 or 1) on a Cisco GSS 4490, both interfaces are temporarily brought offline and then back online. This behavior occurs because the two Ethernet interfaces on the Cisco GSS 4490 are not independent of one another when configuring the link bandwidth speed or a duplex operation. The temporary offline state does not interfere with the GSS 4490 servicing DNS requests because interface commands cannot be executed while the GSS is running. You must issue the gss stop command before executing the interface command.
Note The Cisco GSS 4480 does not exhibit this behavior.
•CSCdx58395—Content and Application Peering Protocol (CAPP) may not recognize dropped fragments when a KAL-AP keepalive spans multiple packets. When the KAL-AP keepalive spans multiple datagrams due to large payloads and one of the spanned packets is dropped, the GSS does not `retry' the request. This results in the dropped datagram not getting updated load values on the VIPs that are expecting them. Instead, the GSS waits until the next period and sends the packets again. This behavior occurs only in situations where the GSS consumes the full datagram (roughly 1.4 K) with tag names or VIPs. Otherwise, all data fits in one single datagram. Workaround: Use the KAL-AP by VIP format if there is a need to query the load on hundreds of VIPs configured to a single primary or secondary IP address. Alternately, use the KAL-AP by Tag format, but limit the length of Tag Names so that the packets do not exceed 1.4K.
•CSCeb67314—The GSS does not allow you to assign the same pre-existing access list to the two Ethernet interfaces. If you attempt to use the access-group CLI command to assign the same access list to Ethernet 0 and Ethernet 1, the following error message appears: %access-list list1 is already assigned to interface eth1. To resolve this issue, generate an identical access list for the second Ethernet interface.
Resolved Caveats for Software Version 1.1(1)
This section lists the resolved caveats for Cisco Global Site Selector Version 1.1(1).
•CSCed08205—The meta file is no longer posted with the GSS .upg file on Cisco.com, on the Cisco Global Site Selector Software download page. The meta file is unnecessary for the installation, and is only used as a check to let you verify the file size of the upgrade file. The Cisco Global Site Selector Software download page contains information on the GSS file size, the MD5 checksum, and other important details about the GSS software upgrade file. Use this file information to verify the integrity of the software upgrade file. In addition, during a new installation the GSS software displays the following information to allow you to verify the details before installing the upgrade file. For example
gssm1#install gss-1.1.1.0.0-k9.upg
File: gss-1.1.1.0.0-k9.upg
Md5sum: 63cf1603ed74bf28b42d556a268a12fb
Proceed with install (the device will reboot)? (y/n): y
•CSCec10915—The exec-timeout CLI command does not log you out of the GSS, but takes you from privileged EXEC mode to user EXEC mode. The exec-timeout command should log you out of the GSS to prevent another user from gaining access to the available GSS CLI session. This is especially important for a dial-up modem connected to the console port on the Cisco GSS 4490. If you get disconnected from the GSS 4490 console while connected to the device over a dial-up modem, another user could then connect to the GSS 4490 without having to log in to the device.
•CSCed18598—The GSS continuously uses the same TCP source port number when transmitting TCP or HTTP HEAD keepalives to devices being monitored. The reuse of the same TCP source port number prevents the keepalive from being transmitted through firewalls using SYN guard. In addition, remote web servers stop responding to the transmitted keepalives. During the sequence, the keepalive performs a TCP three-way handshake, issues an HTTP HEAD request, receives a 200OK response, and then immediately sends a RST packet. However, the remote web server has already transmitted a FIN/ACK packet. This sequence of events causes a remote web server to refuse any additional connections for the two-minute maximum segment length time. To correct this behavior, the GSS software now cycles TCP source ports for each TCP or HTTP HEAD keepalive probe attempt. The keepalive target (web-server, firewall) does not encounter the same TCP source port from the same source IP address.
•CSCed22806—The scp CLI command prepends the name of the user executing the command to the hostname. By default, this command always uses root if no username is specified before the @ symbol. For example:
gssm1.cisco.com#scp yourdomain.com:~/foo.txt.
root@yourdomain.com's password:
gssm1.cisco.com#scp user@yourdomain.com:~/foo.txt.
user@yourdomain.com's password:
This behavior has been changed to prepend the name of the current logged in user, unless another username is specified. In the following example, the admin user is logged in.
gssm1.cisco.com#scp yourdomain.com:~/foo.txt.
admin@yourdomain.com's password:
gssm1.cisco.com#scp user@yourdomain.com:~/foo.txt.
user@yourdomain.com's password:
•CSCed32456—The GSS log file shows a TCP sequence number mismatch. The sequence number mismatch log message is at debug level for software version 1.0 and at warning level for software version v1.1(0). The GSS cannot handle retransimission of certain TCP packets by servers and causes this log message to be generated.
•CSCed34350—The tcpdump CLI command has been expanded to include a series of filter options. These options allow you to filter traffic and capture only the traffic of certain protocols, going to or coming from certain hosts or certain ports. The new tcpdump command filter options include:
tcpdump interface {any | eth0 | eth1} | protocol {any| icmp|tcp|udp} | host {any | ip_or_host} | port {any | port} | network {any | ip-address ip-subnet} | file {filename}
For details on the new filter options for the tcpdump command, refer to the "CLI Command Changes in Software Version 1.1(1)" section.
If you exceute the tcpdump command without any specified options, no filtering is performed. If you wish to use the defaults for the remaining tcpdump command parameters, press Enter at each option. No further filtering is performed by the GSS, other than what has been specified. For example, if you enter tcpdump interface eth0 protocol tcp, the GSS performs only protocol filtering and does not perform host, port, or network filtering.
•CSCed44850—After restoring the primary GSSM database, the restored database may not operate properly in the standby GSSM and standalone GSS devices if some of the configuration elements (such as answers, answer groups, DNS rules, and so on) restored by the new database have been deleted or modified in the current database. Symptoms of this condition on the standby GSSM and standalone GSS devices may include the following:
–Keepalives of type NONE switch from an Online to Offline state, resulting in DNS request failures
–The generation of core files in the DNS server subsystems
–DNS rules are not properly defined due to database restore issues with domain, domain groups, or answer group changes
•CSCed45045—When you modify the Path field to a null string ("") in the Configure Global KeepAlive Properties Details page for HTTP HEAD keepalives, the KeepAlive Engine may restart. With at least one HTTP HEAD keepalive configured on the GSS, when you click the Submit button after deleting all characters from the Path field, the following log message appears to indicate that the GSS has restarted the Keepalive Engine.:
Jan 19 22:27:00 gss1 NMR-5-CRDR01[4716] process-wrapper [0] (core=0) complete: keepalive
The log message reappears if you toggle the Path field from a string value back to the null string. After a few attempts, the following log message appears to indicate that the GSS created a core file due to the restarting of the Keepalive Engine:
Jan 19 22:32:01 gss1 SYS-5-RENAME_CORE[5634] Found core [./core-files/keepalive/
core-keepalive-Mon-Jan-19-22.28.55].
•CSCed54607—The GSS Keepalive Engine restarts after you configure approximately 500 standard TCP keepalives while the target addresses are offline. When this behavior occurs, symptoms may include:
–Log messages indicating that the Keepalive Engine performed a core dump, then restarted
–An unexpected reset of the keepalive counters.
Conditions under which this issue occurs are rare, and typically occur after a significant period of usage. This specific GSS configuration may reach 500 keepalives after an extended duration of additions to your GSS network infrustructure and supported domain names.
•CSCdx59427—Displays that show Content Routing Agent (CRA) round-trip time (RTT) should also show a one-way delay. RTT values are displayed for the CRAs in the show stat kale cra list and show stat kale cra commands, and on the primary GSSM GUI Answer Keepalive Statistics list page. To be consistent with other Cisco products, such as the CR 4430B, the show statistics should include the one-way delay values. The one-way delay value is simply RTT/2.
•CSCed60156—Keepalive list statistics have been added to the gss tech-report and show tech-support CLI command output to aid in understanding the state of the keepalives when you evaluate or debug GSS keepalive operation.
•CSCec64988—When a DNS rule includes a clause containing a least-loaded balance method, multiple VIPs with non-load-reporting keepalives (such as ICMP), and multiple VIPs with load-reporting keepalives (such KAL-AP), hits on this clause may return answers that include VIPs with non-load-reporting keepalives. In this case, the GSS should return only VIPs with load-reporting keepalives for least loaded clauses.
•CSCec69273—Additional answers may go offline when a single answer is taken offline. For example, an application contains one DNS rule with two clauses: a primary DNS answer group and a fallback DNS answer group. The primary DNS answer group contains two answers: a forwarding CSS and an authoritative CSS. The fallback contains a single authoritative PC BIND server as the only answer. Whenever the fallback name server is taken offline, the GSS devices correctly see this answer go offline, but then immediately take another answer offline.
•CSCec75764—When using a KAL-AP global keepalive with the fast KAL-AP keepalive transmission rate (the Fast KAL Type), the GSS may not properly poll the specified optional secondary (backup) circuit address. This behavior may cause all domains to go down if the secondary (backup) circuit is the master for those domains.
•CSCec79027—A GSS 4490 device failure occurs the first time you enter the gss disable CLI command to disable the selected device and then enter the gss enable CLI command to reenable it. This behavior occurs once, and only on the GSS 4490 hardware. The Cisco GSS 4480 does not exhibit this behavior. The following example illustrates the CLI output when this specific problem occurs:
# gss enable gssm primary !GSS 4490 functions normally, database is created
# gss enable gssm primary
Note: GSSM database is required only on the primary GSSM and the standby GSSM.
Creating database. This may take a few minutes...
Deploying certificates for interbox communications.
EXT2-fs error (device ide0(3,12)): ext2_add_entry: bad entry in
directory #2: rec_len is smaller than minimal - offset=0, inode=0,
EXT2-fs error (device ide0(3,12)): ext2_add_entry: bad entry in
directory #2: rec_len is smaller than minimal - offset=0, inode=0,
% Error creating the database
•CSCeb82870—The GSS may fail to service DNS requests after restoring the database on a primary GSSM.
•CSCec88216—When you upgraded the GSS software from 1.0 to 1.1(0) by following the upgrade procedure outlined in the previous version of the v 1.1(0) Cisco Global Site Selector Configuration Guide (dated October 21, 2003), the DNS server on the GSS may have entered an invalid state. In this instance, the DNS server may send out 0.0.0.0 answers or other wrong answers. Certain applications included in GSS software version 1.1(1) reference a version 1.0 configuration file (the node.state file) that is not upgraded properly for use with software version 1.1(1).
CLI Command Changes in Software Version 1.1(1)
Table 1 lists the commands and options that have been added or modified in GSS software version 1.1(1). For detailed information about the CLI commands in the GSS software, refer to the Cisco Global Site Selector Command Reference.
Table 1 CLI Commands Added or Modified in Version 1.1(1)
Command and Syntax
|
Description
|
tcpdump interface {any | eth0 | eth1} | protocol {any| icmp|tcp|udp} | host {any | ip_or_host} | port {any | port} | network {any | ip-address ip-subnet} | file {filename}
|
The protocol, port, network, and file options of the tcpdump command allow you to filter traffic and capture only the traffic of certain protocols, going to or coming from certain hosts or certain ports.
•The any option instructs the GSS software to accept all selections for an associated option. For example, if you enter tcpdump interface any any, the GSS filters the ICMP, TCP, and UDP IP protocols on Ethernet 0 and 1.
•The protocol {icmp|tcp|udp} options filter the protocol for the traffic type. Recognized IP protocols include:
–icmp—Internet Control Message Protocol
–tcp—Transmission Control Protocol
–udp—User Datagram Protocol
•The host {ip_or_host} option filters the host machine that is the source or destination of the packet. The software uses the IP address or host name of the device that is the source or destination of the packet.
•The port {port} option filters the source or destination port of the packet.
•The network {ip-address ip-subnet} option filters the network IP address from which the packet originated. The software uses the ip-address and ip-subnet arguments to match the incoming packet to a source network.
•The file {filename} option enables you to capture raw data to a file. Then you can open the captured raw data in a Sniffer tool. When capturing data to a file, note that the entire packet is captured. A maximum of 20,000 filtered packets can be captured to disk. This packet limit is meant to prevent you from accidentally filling up the disk when capturing data using the tcpdump command.
If the file parameter is not specified, captured data is dumped to the screen. In that case, only header data is displayed and there is no limit to number of packets captured.
If you exceute the tcpdump command without any specified options, no filtering is performed. If you wish to use the defaults for the remaining tcpdump command parameters, press Enter at each option. No further filtering is performed by the GSS, other than what has been specified. For example, if you enter tcpdump interface eth0 protocol tcp, the GSS performs only IP protocol filtering and does not perform host, port, or network filtering.
|
CLI Command Changes in Software Version 1.1(0)
Table 2 lists the commands and options that have been added or modified in GSS software version 1.1(0). For detailed information about the CLI commands in the GSS software, refer to the Cisco Global Site Selector Command Reference.
Table 2 CLI Commands Added or Modified in Version 1.1(0)
Command and Syntax
|
Description
|
certificate set-attributes
no certificate set-attributes
|
The new certificate set-attributes command allows you to customize the X.509 fields, extensions, and properties found on the security certificate issued by Cisco Systems. The attribute changes that you make affect the fields on the Details tab of the certificate.
|
clear statistics {boomerang | dns | keepalive {all | cra | http-head | icmp | kalap | ns | tcp}}
|
The tcp option for the clear statistics command allows you to reset statistics for the new TCP-type keepalive maintained by the GSS.
|
duplex {auto | full | half}
|
The duplex command replaces the fullduplex and halfduplex commands to configure an interface for duplex operation.
|
gss {disable | enable {gssm-primary | gssm-standby {gssm_hostname | gssm_IP_address} | gss {gssm_hostname | gssm_IP_address}} | restart | start | status [verbose] | stop | tech-report filename}
|
The disable option of the gss command disables the selected device (GSSM or GSS) and removes an existing configuration, including deleting the GSSM database from the GSS device. This option replaces the gssm database {create | delete} options. The disable option returns the GSS device to the initial, unenabled state. Disabling a GSS device is necessary only when you want to switch the role of a GSS within a network (for example, change a GSS to a GSSM or if you need to move a GSS or GSSM to a different network of GSS devices.
|
interface ethernet {0 | 1}{autosense | duplex {auto | full | half} | ip address {ip-address netmask} | no | gss-communications | gss-tcp-keepalives | shutdown | speed {mbits | auto}
|
The duplex option replaces the fullduplex and halfduplex options to configure an interface for duplex operation.
The speed option replaces the bandwidth option to set the bandwidth on Fast Ethernet interfaces only.
|
reset-gui-admin-password [password text]
|
The new reset-gui-admin-password command enables you to restore the default administration password used to log in to the primary GSSM GUI, or to change the administration password.
|
rotate-logs [delete-rotated-logs]
|
The delete-rotated-logs option of the rotate-logs command instructs the GSS device to save archive copies of all existing log files in the $STATE directory and subdirectories and replace them with current log files. The GSS does not delete active logs.
|
setup
|
The new setup command initiates a special setup script to guide you through the basic process of configuring the GSS. Use this command when the GSS boots without a startup-configuration file.
|
show disk
|
The new show disk command displays information about the GSS hard disk, including the available user space on the disk and the size of the database.
|
show statistics {boomerang {domain domain_name | global} | dns {answer {list | answer_name} | answer-group {list | group_name [verbose]} | domain {list | domain_name} | domain-list{list | domain_list_name [verbose]}| global | rule {list | rule_name} | source-address {list | sa_name} | source-address-list {list | sa_list_name [verbose]} | keepalive {cra {ip_address | all | list} | global | http-head {ip_address | all | list} | icmp {ip_address | all | list} | kalap {ip_address | all | list} | ns {ip_address all | list} | tcp {ip_address | all | list}}}
|
There were a number of option changes to the show statistics command, including:
•The addition of the dns {answer {list | answer_name} options
•The renaming of the domain-group option (from GSS version 1.0) to domain-list
•The addition of the source-address {list | sa_name} options
•The renaming of the source-address-group option (from GSS version 1.0) to source-address-list
•The addition of the tcp option to the keepalive options
With GSS software version 1.1(0), you can now individually monitor the GSS answer, host domain, source-address, and source-address-group statistics over a one minute, five minute, 30 minute or 4 hour time interval.
|
show tech-support {config | core}
|
The config option of the show tech-support command exports the output of all configured fields from the primary GSSM GUI (intended for use by a Cisco technical support representative).
The core option displays a listing of all core files that may be useful to the Cisco Technical Assistance Center.
|
show version [verbose]
|
The verbose option of the show version command allows you to view detailed GSS software version information.
In addition, the show version command output now displays three digits for builds posted to CCO, such as 1.1(0) . GSS Maintenance release builds will be in parentheses, such as 1.1(1).
|
snmp {community-string | contact | enable | location}
|
The community string, contact, and location options of the snmp command allow you to specify the following SNMP parameters:
•community string—Specifies the SNMP community name for a GSS device
•contact—Specifies the name of the contact person for a GSS device
•location—Specifies the physical location of a GSS device
|
speed
|
The speed command replaces the bandwidth command to set the bandwidth on Fast Ethernet interfaces only.
|
telnet [enable] [hostname | ip-address] [port_number]
|
The port_number variable for the telnet command allows you to change the port number for the Telnet session to a port other than 23 (the Telnet port).
|
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.
Copyright © 2004 Cisco Systems, Inc. All rights reserved.
