Cisco GSS Command Reference (Software Version 3.0)
DDoS Module Configuration Mode Commands

Table Of Contents

DDoS Module Configuration Mode Commands

(config-ddos) disable-as

(config-ddos) dproxy

(config-ddos) enable

(config-ddos) global-domain

(config-ddos) max-database-entries

(config-ddos) mitigation-rule

(config-ddos) peacetime database

(config-ddos) rate-limit

(config-ddos) scaling-factor

(config-ddos) script play-config

(config-ddos) show

show attacks

show dproxy

show failed-dns

show rate-limit

show ddos-config

show statistics

show status


DDoS Module Configuration Mode Commands

This section describes the commands in the Distributed Denial of Service (DDoS) module configuration mode. The DDoS configuration mode commands allow you to configure DDoS detection and mitigation functions on the GSS.

To access the DDoS configuration mode, use the ddos command in global configuration mode. The CLI prompt then changes to the DDoS module configuration mode as follows:

gssm1.example.com(config)# ddos
gssm1.example.com(config-ddos)# 

ddos [disable-as | dproxy {spoofed ipaddress | trusted ipaddress} | enable | global-domain domain-name |
max-database-entries number | mitigation-rule {response | request} enable | peacetime database file | rate-limit {ipaddress | global | unknown} rate-limit | scaling-factor d-proxy value | script play-config filename]

disable-as

See the (config-ddos) disable-as command for a detailed syntax description.

dproxy {spoofed ipaddress | trusted ipaddress}

See the (config-ddos) dproxy command for a detailed syntax description.

enable

See the (config-ddos) enable command for a detailed syntax description.

global-domain domain-name

See the (config-ddos) global-domain command for a detailed syntax description.

max-database-entries number

See the (config-ddos) max-database-entries command for a detailed syntax description.

mitigation-rule {response | request} enable

See the (config-ddos) mitigation-rule command for a detailed syntax description.

peacetime database file

See the (config-ddos) peacetime database command for a detailed syntax description.

rate-limit {ipaddress | global | unknown} rate-limit

See the (config-ddos) rate-limit command for a detailed syntax description.

scaling-factor d-proxy value

See the (config-ddos) scaling-factor command for a detailed syntax description.

script play-config filename

See the (config-ddos) script play-config command for a detailed syntax description.


(config-ddos) disable-as

To disable anti-spoofing (AS), use the disable-as configuration command. When you disable AS, the unknown rate limit is also disabled; however, the individual rate limit per D-proxy will work as expected. To enable AS, use the no form of the command.

disable-as

no disable-as

Syntax Description

This command has no keywords or arguments.

Command Modes

DDoS configuration.

Usage Guidelines

The DDoS function performs AS by redirecting a DNS request over TCP. You can disable AS to allow the DDoS function to provide protection through rate limiting, even when TCP traffic cannot reach the GSS.

When you disable AS, the DDoS function performs as follows:

Ignores the configured "Unknown Rate Limit."

Does not trigger any new AS checks.

Does not drop packets as spoofed, and does not drop packets as part of an ongoing AS check.

Does not support spoofed or trusted D-proxy configuration from the DDoS CLI.

Produces the following message when you enter the show ddos dproxy CLI command:

gss1.example.com# show ddos dproxy
Anti-Spoofing is turned off currently. DDoS anti-spoofing values 
cannot be shown.

To view the current operating state of the AS function, use the following command:

show ddos-config | grep disable-as

If the AS function is enabled, the CLI displays nothing. If the AS function is disabled, the operating state displays as shown in the following example:

gss1.example.com(config)# show ddos-config | grep disable-as
ddos
	disable-as

Examples

The following example shows how to disable AS on the GSS:

gssm1.example.com(config-ddos)# disable-as
gssm1.example.com(config-ddos)# 

Related Commands

(config-ddos) dproxy

(config-ddos) enable

(config-ddos) global-domain

(config-ddos) max-database-entries

(config-ddos) mitigation-rule

(config-ddos) peacetime database

(config-ddos) rate-limit

(config-ddos) scaling-factor

(config-ddos) script play-config

(config-ddos) dproxy

To configure trusted or spoofed D-proxies, use the dproxy command. Entries added with this command do not time out; to remove them, use the no form of this command.

dproxy {spoofed ipaddress | trusted ipaddress}

no dproxy {spoofed ipaddress | trusted ipaddress}

Syntax Description

spoofed

Sets the D-proxy as spoofed.

trusted

Sets the D-proxy to trusted.

ipaddress

IP address of the trusted or spoofed D-proxy.


Command Modes

DDoS configuration.

Usage Guidelines

No anti-spoofing checks are done for entries that you mark as trusted or spoofed. If you configure a D-proxy as trusted, the GSS does not perform the anti-spoofing test on DNS packets from that IP address. If you configure a D-proxy as spoofed, DNS packets from that IP address will be dropped. These commands will override the learned and default values.
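
The following is an added example, not GSS software, that models the anti-spoofing decision described above: trusted entries skip the AS test, spoofed entries are dropped, CLI entries override learned values and never time out, and the AS test works by pushing the request to TCP (see the disable-as command for the behavior when AS is turned off). Two things are assumptions rather than statements from this page: learned entries expire after LEARNED_TTL seconds (the page gives no value), and the TCP redirect is represented by a REDIRECT_TCP action (for real DNS this would be a truncated reply, which makes the resolver retry over TCP).

```python
"""Added example: a model of the GSS anti-spoofing (AS) decision for D-proxies.

Illustrative code, not GSS software. Assumptions: learned entries expire after
LEARNED_TTL seconds (the page gives no value), and the "redirect over TCP" is
represented by the REDIRECT_TCP action.
"""
from enum import Enum

LEARNED_TTL = 600.0   # seconds; assumed, not from the page


class Action(Enum):
    FORWARD = "forward"              # hand the query to normal GSS processing
    DROP = "drop"                    # discard the packet
    REDIRECT_TCP = "redirect_tcp"    # make the resolver come back over TCP


class AntiSpoofTable:
    def __init__(self, as_enabled=True):
        self.as_enabled = as_enabled
        self.static = {}     # ip -> "trusted" | "spoofed", set with (config-ddos) dproxy
        self.learned = {}    # ip -> (state, expires_at); state is "pending" or "trusted"

    def dproxy(self, kind, ip):
        """(config-ddos) dproxy {spoofed | trusted} ip"""
        if not self.as_enabled:
            # the page: no spoofed/trusted configuration from the CLI while AS is off
            raise RuntimeError("spoofed/trusted D-proxy configuration needs AS enabled")
        if kind not in ("trusted", "spoofed"):
            raise ValueError(kind)
        self.static[ip] = kind
        self.learned.pop(ip, None)   # CLI entries override learned values

    def no_dproxy(self, ip):
        """no dproxy ... ip: CLI entries never time out, this is the only way out."""
        self.static.pop(ip, None)

    def _learned(self, ip, now):
        entry = self.learned.get(ip)
        if entry is None:
            return None
        state, expires = entry
        if now >= expires:
            del self.learned[ip]
            return None
        return state

    def on_udp_query(self, ip, now):
        """Decision for a UDP DNS query from D-proxy ip at time now (seconds)."""
        if not self.as_enabled:
            return Action.FORWARD     # AS off: no new checks and no spoofed drops
        kind = self.static.get(ip)
        if kind == "spoofed":
            return Action.DROP
        if kind == "trusted" or self._learned(ip, now) == "trusted":
            return Action.FORWARD     # no AS test for trusted sources
        # unknown, expired, or still pending: (re)issue the TCP redirect
        self.learned[ip] = ("pending", now + LEARNED_TTL)
        return Action.REDIRECT_TCP

    def on_tcp_query(self, ip, now):
        """A query over TCP proves the source completed a handshake: not spoofed."""
        if not self.as_enabled:
            return Action.FORWARD
        if self.static.get(ip) == "spoofed":
            return Action.DROP
        if ip not in self.static:
            self.learned[ip] = ("trusted", now + LEARNED_TTL)
        return Action.FORWARD
```

A source that never completes the TCP exchange stays pending and keeps receiving redirects, which is how a spoofed source IP never gets its UDP queries answered; the rate-limit command's unknown limit bounds how many such redirects the GSS issues per minute.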

Examples

The following example shows how to configure trusted or spoofed D-proxies:

gssm1.example.com(config-ddos)# dproxy trusted 10.1.1.1
gssm1.example.com(config-ddos)# 

Related Commands

(config-ddos) disable-as

(config-ddos) enable

(config-ddos) global-domain

(config-ddos) max-database-entries

(config-ddos) mitigation-rule

(config-ddos) peacetime database

(config-ddos) rate-limit

(config-ddos) scaling-factor

(config-ddos) script play-config

(config-ddos) enable

To enable the Distributed Denial of Service (DDoS) detection and mitigation module in the GSS, use the enable command in DDoS configuration mode. To disable DDoS detection in the GSS, use the no form of this command.

enable

no enable

Syntax Description

This command has no keywords or arguments.

Command Modes

DDoS configuration

Examples

The following example shows how to enable DDoS detection and mitigation in the GSS:

gssm1.example.com(config)# ddos
gssm1.example.com(config-ddos)# enable 
gssm1.example.com(config-ddos)# exit
gssm1.example.com(config)#

The following example shows how to disable DDoS detection and mitigation in the GSS:

gssm1.example.com(config)# ddos
gssm1.example.com(config-ddos)# no enable 
gssm1.example.com(config-ddos)# exit
gssm1.example.com(config)#

Related Commands

(config-ddos) disable-as

(config-ddos) dproxy

(config-ddos) global-domain

(config-ddos) max-database-entries

(config-ddos) mitigation-rule

(config-ddos) peacetime database

(config-ddos) rate-limit

(config-ddos) scaling-factor

(config-ddos) script play-config

(config-ddos) global-domain

To configure a global domain name, use the global-domain command.

global-domain domain-name

Syntax Description

domain-name

Name of the global domain. The global-domain command requires an exact match; wildcards are not interpreted. Entering *.com as the domain-name does not cause every domain other than .com to be blocked.

Note If a query contains multiple questions, the request is dropped even if one of the questions fails the domain match.


Command Modes

DDoS configuration

Usage Guidelines

You can configure the GSS to process requests for only a particular domain. If the GSS receives requests for domains outside the configured domain name, the requests are dropped.

The global domain check applies to UDP queries only. You may configure only one global domain at a time. Use this command when the GSS is expected to service queries for only one domain (including its subdomains).
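
The following is an added example, not GSS software, showing the global-domain check applied to the question section of a UDP DNS query, including the two details the page calls out: subdomains of the configured domain match, and a query carrying several questions is dropped if any one question fails. The wire format is RFC 1035; the sample query packets are constructed by the build_query helper below. Matching on label boundaries (so that notcisco.com does not match cisco.com) and case-insensitively is standard DNS behavior assumed here, not a detail the page states.

```python
"""Added example: global-domain check over a parsed DNS question section.

Illustrative code, not GSS software. Sample packets are constructed inline.
"""
import struct


def parse_questions(packet):
    """Return the QNAMEs (lower-cased, no trailing dot) of a DNS query.

    Only plain label sequences are accepted: compression pointers are not
    legal in a question a resolver sends, so they are treated as malformed.
    """
    if len(packet) < 12:
        raise ValueError("truncated header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    pos, names = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(packet):
                raise ValueError("truncated name")
            length = packet[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:
                raise ValueError("compression pointer in question")
            if pos + length > len(packet):
                raise ValueError("truncated label")
            labels.append(packet[pos:pos + length].decode("ascii").lower())
            pos += length
        if pos + 4 > len(packet):
            raise ValueError("truncated QTYPE/QCLASS")
        pos += 4  # skip QTYPE and QCLASS
        names.append(".".join(labels))
    return names


def in_global_domain(qname, global_domain):
    """Exact match on the domain or on one of its subdomains (label boundary)."""
    g = global_domain.lower().rstrip(".")
    q = qname.lower().rstrip(".")
    return q == g or q.endswith("." + g)


def global_domain_check(packet, global_domain):
    """True if the GSS processes the query, False if it is dropped.

    A query with several questions is dropped if any question fails.
    A malformed or question-less query is dropped (assumption for the
    malformed case; the page only covers the domain mismatch).
    """
    try:
        names = parse_questions(packet)
    except ValueError:
        return False
    return bool(names) and all(in_global_domain(n, global_domain) for n in names)


def build_query(*qnames):
    """Constructed sample input: a standard A/IN query with one question per name."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, len(qnames), 0, 0, 0)
    body = b""
    for name in qnames:
        for label in name.strip(".").split("."):
            body += bytes([len(label)]) + label.encode("ascii")
        body += b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + body
```

With global-domain cisco.com configured, a query for www.cisco.com passes, a query for notcisco.com is dropped because the match is on label boundaries, and a two-question query for www.cisco.com and example.net is dropped as a whole.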

Examples

The following example shows how to configure a global domain name:

gssm1.example.com(config-ddos)# global-domain cisco.com
gssm1.example.com(config-ddos)# 

Related Commands

(config-ddos) disable-as

(config-ddos) dproxy

(config-ddos) enable

(config-ddos) max-database-entries

(config-ddos) mitigation-rule

(config-ddos) peacetime database

(config-ddos) rate-limit

(config-ddos) scaling-factor

(config-ddos) script play-config

(config-ddos) max-database-entries

To configure the maximum number of entries stored in the Distributed Denial of Service (DDoS) database, use the max-database-entries command. To disable the configuration of the maximum number of database entries, use the no form of this command.

max-database-entries number

no max-database-entries number

Syntax Description

number

Maximum number of entries that you want to store in the GSS database from 65536 to 1048576 with a default of 65536. You can increase or decrease this number.


Command Modes

DDoS configuration

Usage Guidelines

Use the max-database-entries command only if you want to clear your current DDoS database and reallocate more or less memory for the DDoS module. After entering this command and executing a gss stop, start, or reload, check the DDoS module status by entering show ddos status.

If the command fails and the "Error opening device file" message appears, check the syslog-messages.log file to determine whether a memory allocation failure has occurred. If so, syslog-messages.log reports the following message: "Unable to allocate sufficient memory for DDoS kernel module. Module insertion failed." In such cases, run max-database-entries once more to set a lower value, ignore any error messages that appear, and reboot the GSS.

Examples

The following example shows how to configure the maximum number of entries stored in the DDoS database:

gssm1.example.com(config-ddos)# max-database-entries 1037300
This command will clear the current DDoS database and create a new 
database with support for 1037300 entries. 
This command will take effect only after the next gss stop and start.  
Do you want to continue? (y/n):y

Related Commands

(config-ddos) disable-as

(config-ddos) dproxy

(config-ddos) enable

(config-ddos) mitigation-rule

(config-ddos) peacetime database

(config-ddos) rate-limit

(config-ddos) scaling-factor

(config-ddos) script play-config

(config-ddos) mitigation-rule

To enable mitigation rule checks in the GSS, use the mitigation-rule command. To disable mitigation rule checks, use the no form of this command. By default, mitigation rule checks are enabled.

mitigation-rule {response | request} enable

no mitigation-rule {response | request} enable

Syntax Description

response

Enables or disables the following mitigation rules for Domain Name System (DNS) responses:

DNS response packets are dropped if they come from a source port other than 53.

DNS response packets are dropped if they have a destination port of 53.

request

Enables or disables the mitigation rule for DNS requests: DNS request packets are dropped if their source port is neither equal to 53 nor greater than 1024.
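
The following is an added example, not GSS software, that applies the request and response rules above as a filter over UDP datagrams. Each datagram is modelled as (source port, destination port, payload), and whether it is a request or a response is taken from the QR bit of the DNS header (RFC 1035), so nothing about GSS internals is assumed beyond the stated rules. The sample headers are constructed by hand; dropping a datagram too short to carry a DNS header is an assumption of this example.

```python
"""Added example: the mitigation rules as a packet filter.

Illustrative code, not GSS software. Sample datagrams are constructed inline.
"""


def is_response(payload):
    """QR is the top bit of the flags field (byte 2 of the DNS header)."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    return bool(payload[2] & 0x80)


def request_rule_drops(src_port):
    """Request rule: drop unless the source port is 53 or greater than 1024."""
    return not (src_port == 53 or src_port > 1024)


def response_rule_drops(src_port, dst_port):
    """Response rules: drop if source port is not 53, or destination port is 53."""
    return src_port != 53 or dst_port == 53


def mitigate(datagrams, request_enabled=True, response_enabled=True):
    """Split datagrams into (forwarded, dropped) under the enabled rule sets."""
    forwarded, dropped = [], []
    for dg in datagrams:
        src_port, dst_port, payload = dg
        try:
            response = is_response(payload)
        except ValueError:
            dropped.append(dg)   # assumption: no parsable header, no forwarding
            continue
        if response:
            drop = response_enabled and response_rule_drops(src_port, dst_port)
        else:
            drop = request_enabled and request_rule_drops(src_port)
        (dropped if drop else forwarded).append(dg)
    return forwarded, dropped


# Constructed 12-byte DNS headers: a standard query (QR=0) and a response (QR=1).
QUERY = bytes.fromhex("abcd 0100 0001 0000 0000 0000")
RESPONSE = bytes.fromhex("abcd 8180 0001 0001 0000 0000")

# Constructed sample traffic with the expected verdict for each datagram.
SAMPLE = [
    (53, 53, QUERY),            # forwarded: request from source port 53
    (1024, 53, QUERY),          # dropped: 1024 is not greater than 1024
    (1025, 53, QUERY),          # forwarded: ephemeral source port
    (53, 40000, RESPONSE),      # forwarded: response from port 53 to a high port
    (40000, 40000, RESPONSE),   # dropped: response not from port 53
    (53, 53, RESPONSE),         # dropped: response addressed to port 53
]

if __name__ == "__main__":
    kept, gone = mitigate(SAMPLE)
    print("forwarded:", len(kept), "dropped:", len(gone))
```

Note the boundary in the request rule: a source port of exactly 1024 is dropped, 1025 passes. Disabling one rule set with no mitigation-rule leaves the other in force, which the request_enabled and response_enabled flags reproduce.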


Command Modes

DDoS configuration

Examples

The following example shows how to enable mitigation rule checks in the GSS:

gssm1.example.com(config-ddos)# mitigation-rule response enable
gssm1.example.com(config-ddos)# 

Related Commands

(config-ddos) disable-as

(config-ddos) dproxy

(config-ddos) enable

(config-ddos) global-domain

(config-ddos) max-database-entries

(config-ddos) peacetime database

(config-ddos) rate-limit

(config-ddos) scaling-factor

(config-ddos) script play-config

(config-ddos) peacetime database

To specify the peacetime file that a ddos peacetime apply operation loads, use the peacetime database command. To remove the setting so that the peacetime database currently in memory is used instead, use the no form of this command.

peacetime database file

no peacetime database file

Syntax Description

file

Peacetime file to be used.


Command Modes

DDoS configuration

Examples

The following example shows how to set the location or file that the peacetime file uses in a ddos peacetime apply operation:

gssm1.example.com(config-ddos)# peacetime database samplefile
gssm1.example.com(config-ddos)# 

Related Commands

ddos peacetime apply

(config-ddos) disable-as

(config-ddos) dproxy

(config-ddos) enable

(config-ddos) global-domain

(config-ddos) max-database-entries

(config-ddos) mitigation-rule

(config-ddos) rate-limit

(config-ddos) scaling-factor

(config-ddos) script play-config

(config-ddos) rate-limit

To configure or modify the rate limit for a particular D-proxy, to set a global rate limit, or to limit the number of anti-spoofing tests to be performed by the GSS in a minute, use the rate-limit command. To turn off the rate limits, use the no form of this command.

rate-limit {ipaddress | global | unknown} rate-limit

no rate-limit {ipaddress | global | unknown} rate-limit

Syntax Description

ipaddress

IP address of the D-proxy. The default (per minute) for each D-proxy is 60.

global

Specifies the global rate limit on the GSS. The default per minute is 90,000.

unknown

Specifies the number of new (unknown) D-proxies for which the GSS will perform an anti-spoofing test in one minute.

rate-limit

Maximum number of DNS requests that the GSS can receive from a D-proxy per minute.

Note You must enter whole-number values, such as 1, 2, and 3. You cannot enter fractional values, such as 1.1, 2.2, and 3.3, and you cannot enter a value less than 0.


Command Modes

DDoS configuration

Usage Guidelines

A time window exists when specifying a rate limit. If the rate limit for a particular D-proxy is set to 40, the rate limit will drop DNS packets if the limit is exceeded within 1 minute (60 seconds) from the beginning of the first request.

By configuring the unknown rate limit, you enable the GSS to handle random spoofed attacks in which there is a flood of unknown D-proxies.

When the GSS is under random spoofed attack, new valid D-proxies compete against spoofed D-proxies. If the total number of new D-proxies (spoofed and valid) exceeds the unknown rate limit, some valid D-proxies are dropped. However, the service to known D-proxies is not affected.

Once the unknown limit is reached, the GSS drops DNS packets from new sources during that minute. By default, the GSS performs spoof tests for 1000 new D-proxies per minute.

Examples

The following example shows how to set a global rate limit:

gssm1.example.com(config-ddos)# rate-limit global 1000
gssm1.example.com(config-ddos)# 

Related Commands

(config-ddos) disable-as

(config-ddos) dproxy

(config-ddos) enable

(config-ddos) global-domain

(config-ddos) max-database-entries

(config-ddos) mitigation-rule

(config-ddos) peacetime database

(config-ddos) scaling-factor

(config-ddos) script play-config

(config-ddos) scaling-factor

To configure the final rate limits per D-proxy and for all D-proxies, use the scaling-factor command. To turn off the scaling factor for rate limits, use the no form of this command.

scaling-factor d-proxy value

no scaling-factor d-proxy value

Syntax Description

d-proxy

Specifies the D-proxy scaling factor.

value

Tolerance scaling factor for rate limiting.

Note You enter the value as a percentage of the rate limit. The default value is 100.


Command Modes

DDoS configuration

Usage Guidelines

The final rate limits per D-proxy are determined by multiplying the rate limits learned during peacetime with a scaling factor.

Examples

The following example shows how to change the current rate limit of 10000 to 5000 or 50 percent of its current value:

gssm1.example.com(config-ddos)# scaling-factor d-proxy 50

The following example shows how to change that rate limit to 15000 or 150 percent of its current value:

gssm1.example.com(config-ddos)# scaling-factor d-proxy 150
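
The following is an added example, not GSS software, that combines the rate-limit semantics described under the rate-limit command (a one-minute window counted from a source's first request, a global limit, and an unknown limit that bounds how many new D-proxies are tested per minute) with the scaling-factor calculation above (final per-D-proxy limit = learned or configured limit × factor / 100). The defaults are the ones this page gives: 60 per D-proxy, 90,000 global, 1000 unknown, scaling factor 100. Counting the global limit before the per-source limits, and treating a D-proxy as known only after its first accepted request, are assumptions of this example; time is passed in explicitly so it runs offline.

```python
"""Added example: rate-limit window, unknown limit and scaling factor in one limiter.

Illustrative code, not GSS software. Ordering of the checks and the moment a
D-proxy becomes "known" are assumptions; the limits and window are from the page.
"""

WINDOW = 60.0  # one minute, measured from the first request that opens the window


class DdosRateLimiter:
    def __init__(self, per_dproxy=60, global_limit=90000, unknown_limit=1000,
                 scaling_factor=100, as_enabled=True):
        self.per_dproxy_default = per_dproxy
        self.per_dproxy = {}          # ip -> configured or peacetime-learned limit
        self.global_limit = global_limit
        self.unknown_limit = unknown_limit
        self.scaling_factor = scaling_factor
        self.as_enabled = as_enabled  # disable-as also switches the unknown limit off
        self.windows = {}             # key -> [window_start, count]
        self.known = set()

    @staticmethod
    def _check_value(value):
        # rate-limit accepts whole, non-negative numbers only
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError("rate limit must be a non-negative integer: %r" % (value,))
        return value

    def set_rate_limit(self, target, value):
        """(config-ddos) rate-limit {ipaddress | global | unknown} value"""
        value = self._check_value(value)
        if target == "global":
            self.global_limit = value
        elif target == "unknown":
            self.unknown_limit = value
        else:
            self.per_dproxy[target] = value

    def effective_limit(self, ip):
        """(config-ddos) scaling-factor d-proxy: percentage of the learned limit."""
        base = self.per_dproxy.get(ip, self.per_dproxy_default)
        return base * self.scaling_factor // 100

    def _count(self, key, limit, now):
        """Count one event for key; True while the window's count is within limit."""
        w = self.windows.get(key)
        if w is None or now - w[0] >= WINDOW:
            w = [now, 0]              # the window opens with the first request
            self.windows[key] = w
        w[1] += 1
        return w[1] <= limit

    def accept(self, ip, now):
        """True if a DNS request from ip at time now is passed on, False if dropped."""
        if not self._count("global", self.global_limit, now):
            return False
        if ip not in self.known:
            # flood of new sources: beyond the unknown limit, new sources are
            # dropped for the rest of the minute; known D-proxies are unaffected
            if self.as_enabled and not self._count("unknown", self.unknown_limit, now):
                return False
            self.known.add(ip)
        return self._count(ip, self.effective_limit(ip), now)
```

With scaling-factor d-proxy 50 and rate-limit 10.1.1.1 40, that D-proxy gets 20 requests per window; the 21st request within 60 seconds of the first is dropped, and the counter starts afresh with the first request after the window closes.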

Related Commands

(config-ddos) disable-as

(config-ddos) dproxy

(config-ddos) enable

(config-ddos) global-domain

(config-ddos) max-database-entries

(config-ddos) mitigation-rule

(config-ddos) peacetime database

(config-ddos) rate-limit

(config-ddos) script play-config

(config-ddos) script play-config

To execute a saved Distributed Denial of Service (DDoS) configuration file, use the script play-config command in DDoS configuration mode. To disable DDoS configuration file execution, use the no form of this command.

script play-config filename

no script play-config filename

Syntax Description

filename

Filename of the saved DDoS configuration that you want to execute.


Command Modes

DDoS configuration

Examples

The following example shows how to execute the saved ddos_config.txt configuration file:

gssm1.example.com(config-ddos)# script play-config ddos_config.txt
gssm1.example.com(config-ddos)# 

Related Commands

(config-ddos) disable-as

(config-ddos) dproxy

(config-ddos) enable

(config-ddos) global-domain

(config-ddos) max-database-entries

(config-ddos) mitigation-rule

(config-ddos) peacetime database

(config-ddos) rate-limit

(config-ddos) scaling-factor

(config-ddos) show

To display Distributed Denial of Service (DDoS) parameters, use the show command and its variations.

show [attacks | dproxy [ipaddress | trusted | spoofed] | failed-dns {failed-domains | global-domain-rules | gslb-rules} | rate-limit [ipaddress | global | unknown] | ddos-config | statistics [attacks | global] | status]

attacks

See the show attacks command for a detailed syntax description.

dproxy [ipaddress | trusted | spoofed]

See the show dproxy command for a detailed syntax description.

failed-dns {failed-domains | global-domain-rules | gslb-rules}

See the show failed-dns command for a detailed syntax description.

rate-limit [ipaddress | global | unknown]

See the show rate-limit command for a detailed syntax description.

ddos-config

See the show ddos-config command for a detailed syntax description.

statistics [attacks | global]

See the show statistics command for a detailed syntax description.

status

See the show status command for a detailed syntax description.


show attacks

To display Domain Name System (DNS) attacks detected by the GSS, use the show ddos attacks command.

show attacks

Syntax Description

This command has no keywords or arguments.

Command Modes

Privileged EXEC

Usage Guidelines

For information about the fields in the show attacks command output, see the Cisco Global Site Selector CLI-Based Global Server Load Balancing Configuration Guide.

Related Commands

show dproxy

show failed-dns

show rate-limit

show ddos-config

show statistics

show status

show dproxy

To show spoofed and nonspoofed D-proxies on the GSS, use the show dproxy command.

show dproxy [ipaddress | trusted | spoofed]

Syntax Description

ipaddress

(Optional) D-proxy IP address.

trusted

(Optional) Specifies the trusted D-proxies.

spoofed

(Optional) Specifies the spoofed D-proxies.


Command Modes

Privileged EXEC

Usage Guidelines

For information about the fields in the show dproxy command output, see the Cisco Global Site Selector CLI-Based Global Server Load Balancing Configuration Guide.

Related Commands

show attacks

show failed-dns

show rate-limit

show ddos-config

show statistics

show status

show failed-dns

To show the most recent domain names that caused failed Domain Name System (DNS) queries at the GSS, or the number of failed DNS queries per D-proxy, use the show failed-dns command.

show failed-dns {failed-domains | global-domain-rules | gslb-rules}

Syntax Description

failed-domains

Specifies the failed domain names due to a global server load balancing (GSLB)-rule mismatch.

Note Even if Distributed Denial of Service (DDoS) is disabled, you can use this option to list the failed domain names due to the GSLB-rule mismatch. The list is updated even if DDoS is disabled.

global-domain-rules

Specifies the number of failures due to a global domain mismatch.

gslb-rules

Specifies the number of failures due to a GSLB-rule mismatch.


Command Modes

Privileged EXEC

Usage Guidelines


Note Failed DNS queries refer to DNS queries for a domain not configured on the GSS.


For information about the fields in the show failed-dns command output, see the Cisco Global Site Selector CLI-Based Global Server Load Balancing Configuration Guide.

Related Commands

show attacks

show dproxy

show rate-limit

show ddos-config

show statistics

show status

show rate-limit

To show the rate limits per D-proxy and the number of packets dropped per source, use the show rate-limit command.

show rate-limit [ipaddress | global | unknown]

Syntax Description

ipaddress

(Optional) IP address of the D-proxy.

global

(Optional) Specifies the global rate limit on the GSS.

unknown

(Optional) Specifies the unknown D-proxy rate limit.


Command Modes

Privileged EXEC

Usage Guidelines

For information about the fields in the show rate-limit command output, see the Cisco Global Site Selector CLI-Based Global Server Load Balancing Configuration Guide.

Related Commands

show attacks

show dproxy

show failed-dns

show ddos-config

show statistics

show status

show ddos-config

To display the contents of the Distributed Denial of Service (DDoS) running configuration file, use the show ddos-config command.

show ddos-config

Syntax Description

This command has no keywords or arguments.

Command Modes

Privileged EXEC

Usage Guidelines

For information about the fields in the show ddos-config command output, see the Cisco Global Site Selector CLI-Based Global Server Load Balancing Configuration Guide.

Related Commands

show attacks

show dproxy

show failed-dns

show rate-limit

show statistics

show status

show statistics

To display Distributed Denial of Service (DDoS) global or attack statistics, use the show statistics command.

show statistics [attacks | global]

Syntax Description

attacks

(Optional) Displays DDoS attack statistics.

global

(Optional) Displays DDoS global statistics.


Command Modes

Privileged EXEC

Usage Guidelines

For information about the fields in the show statistics command output, see the Cisco Global Site Selector CLI-Based Global Server Load Balancing Configuration Guide.

Related Commands

show attacks

show dproxy

show failed-dns

show rate-limit

show ddos-config

show status

show status

To display the status of the Distributed Denial of Service (DDoS) detection and mitigation module on the GSS, use the show status command.

show status

Syntax Description

This command has no keywords or arguments.

Command Modes

Privileged EXEC

Usage Guidelines

For information about the fields in the show status command output, see the Cisco Global Site Selector CLI-Based Global Server Load Balancing Configuration Guide.

Related Commands

show attacks

show dproxy

show failed-dns

show rate-limit

show ddos-config