Configuring the Service Engine
This section walks you through the different configuration pages available for a Service Engine. The main configuration groups are described as follows:
- Service Control—Settings for access control by way of client request filtering, URL signing, and Authorization Server settings; additionally, transaction logs are configured to monitor traffic
- Application Control—Settings for bandwidth management of delivery services and protocol engines (Web, Windows Media, Movie Streamer, Flash Media Streaming, and RTSP advanced settings)
- General Settings—Settings for access control of the device, maintenance, network connectivity, and monitoring
The first two pages, Device Activation and Assignment, cover activating an SE in the Internet Streaming CDSM and assigning it to a location, and assigning device groups to the SE.
Activating a Service Engine
Activating a device (Service Engine, Service Router, or standby CDSM) can be done through the Devices home page initially, or through the Device Activation page.
To activate a device from the Device Activation page, do the following:
Step 1  Choose Devices > Devices. The Devices Table page is displayed (Figure 4-5).
Figure 4-5 Devices Table Page
Step 2  Click the Edit icon next to the device you want to configure. The Devices home page is displayed.
Step 3  Click Show All to display the top-level menu options, and click Device Activation. The Device Activation page is displayed (Figure 4-6).
Figure 4-6 Device Activation Page
Step 4  Enter the settings as appropriate. See Table 4-6 for a description of the fields.
Table 4-6 Device Activation Fields

| Field | Description |
|---|---|
| Name | Name of the device. |
| Activate | To activate or deactivate the device, check or uncheck the Activate check box. Alternatively, you can click the Deactivate Device icon in the task bar. When you uncheck the Activate check box and click Submit, the Replaceable check box is displayed. Check the Replaceable check box when you need to replace the device or recover lost registration information. For more information, see the “Recovering CDS Network Device Registration Information” section. |
| Server Offload | To offload this device for maintenance or a software upgrade, check the Server Offload check box. When checked, the Service Router stops sending requests to this device. Note If a client has paused a program at the moment Server Offload is enabled, resuming the program will most likely fail. To monitor the current streams on an SE during the Server Offload state, use the show interface command. If the packets received or packets sent counter is increasing, the SE is still streaming; the packets received count is high when there is an incoming stream. Note We recommend separating the management traffic from the streaming traffic by using the port channel configuration; see the “Configuring Port Channel” section for more information. If management and streaming traffic are separated, the show interface command for the streaming port channel displays information on active sessions. If management and streaming traffic are not separated, the show interface command shows very low traffic; the packets received and packets sent are lower than for a client streaming session. Once the SE has finished streaming, you can perform maintenance or upgrade the software on the device. For information about upgrading the software, see the “Upgrading the Software” section. The Status field on the Device Activation page and the Devices Table page displays “offloading” when Server Offload is checked. Once the software upgrade or maintenance is complete, you need to uncheck the Server Offload check box so that the device can again participate in the system. Note If the Server Offload option is set on an SE that is acting as the Content Acquirer for a delivery service for dynamic ingest or live stream splitting, a new SE is chosen as the Location Leader for the delivery service. However, if the Content Acquirer is up and communicating with the CDSM, it continues to perform content ingest and content distribution. |
| Content Cache | Informational only. The content cache size is the total disk space on the CDS network file system (CDNFS) on the SE that is designated for cache. The Content Cache represents the unused cache space. The used cache space is the disk space allotted for all the delivery services to which the SE is assigned. To view the used cache space, choose Services > Service Definition > Delivery Services > Assign Service Engines. |
| Set Default Coverage Zone File | When checked, which is the default setting, a default Coverage Zone file is generated with the SE serving the local subnet it resides on. The coverage zone is a CDS network-wide mapping of client IP addresses to SE IP addresses that should respond to client requests. For more information, see the “Coverage Zone File Registration” section. The default coverage zone can be disabled, and you can create and assign custom coverage zones using the Coverage Zone file import or upload. Uncheck the Set Default Coverage Zone File check box to use a user-defined Coverage Zone file that was imported or uploaded. |
| Location | Lists all the locations configured for the CDS. |
| Use SE’s primary IP address | Enables the CDSM to use the IP address on the primary interface of the SE for management communications. Note If the Use SE’s primary IP Address for Management Communication check box is checked and the Management Communication Address and Port are configured, the CDSM uses the SE’s primary IP address for communication. Note Do not check the Use SE’s primary IP Address for Management Communication check box if you want to separate management and streaming traffic. Instead, use the Management Communication Address and Port fields to specify where management traffic should be sent. |
| Management Communication Address | Manually configures a management IP address for the CDSM to communicate with the SE. Manual configuration of the management IP address and port is used when using port channel configuration to separate management and streaming traffic. For more information about port channel configuration, see the “Configuring Port Channel and Load Balancing Settings” section and the “Configuring Port Channel” section. |
| Management Communication Port | Port number to enable communication between the CDSM and the SE. |
| Comments | Information about the settings. |

Step 5  Click Submit to save the settings.
Assigning Devices to Device Groups
You can assign devices to device groups in three ways:
- Through the Device Group Assignment page
- Through the device Assignment page
- Through the Devices home page, if the device group is a baseline group
To assign devices to device groups through the Assignment page, do the following:
Step 1  Choose Devices > Devices, and click the Edit icon next to the device you want to assign.
Step 2  Click Show All, and then choose Assignments > Device Groups. The Device Group Table page is displayed with all of the configured device groups listed (Figure 4-7).
Note From this point forward, the beginning steps in the procedures are combined into one step using notation similar to the following: Devices > Devices > Assignments > Device Groups.
Figure 4-7 Assignment Page
Step 3  Click the Assign icon (blue cross mark) next to the device group you want to assign to this SE. Alternatively, click the Assign All Device Groups icon in the task bar.
A green arrow wrapped around the blue X indicates an SE assignment is ready to be submitted. To unassign an SE, click this icon. The SE assignment states are described in Figure 4-8.
Figure 4-8 SE Assignment State
Step 4  Click Submit to save the settings.
A green circle with a check mark indicates a device group is assigned to this SE. To unassign the device group, click this icon, or click the Remove All Device Groups icon in the task bar. Click Submit to save the changes.
Additionally, the Filter Table icon and the View All Device Groups icon allow you to first filter a table and then view all device groups again.
Configuring Bandwidth for Replication and Ingest
The bandwidth used for replication and ingest is determined by the settings in the Default Bandwidth and the Scheduled Bandwidth pages. The replication configuration pages consist of the following:
Table 4-7 describes the icons on the replication bandwidth configuration pages.
Table 4-7 Replication Bandwidth Configuration Icons

| Icon | Function |
|---|---|
| Refresh | Refreshes the table or page. |
| Display Graph | Displays a graph. |
| Apply Defaults | Applies the default settings to the device. |
| Create New | Creates a new item. |
| Filter Table | Creates a filtered table. Filter the scheduled bandwidth by start time, end time, days of the week, and bandwidth type. |
| View All | Views all scheduled bandwidth. Click this icon to view all scheduled bandwidths after you have created a filtered table. |
| Print | Prints the current window. |
| Edit | Edits a scheduled bandwidth. Click this icon next to one of the scheduled bandwidths to edit the settings. |
| Delete | Deletes a scheduled bandwidth. To delete a scheduled bandwidth, click the Edit icon and then click this icon. |

Default Bandwidth
The default bandwidth settings can be configured for acquisition (ingest) and distribution (replication) of content. The default settings are used unless a scheduled bandwidth is configured for a specified time period.
To set the default bandwidth for replication, do the following:
Step 1  Choose Devices > Devices > Replication > Default Bandwidth. The Replication Default Bandwidth page is displayed (Figure 4-9).
Figure 4-9 Replication Default Bandwidth Page
Step 2  Enter the settings as appropriate. See Table 4-8 for a description of the fields.
Table 4-8 Replication Default Bandwidth Fields

| Field | Description |
|---|---|
| Acquisition-in Bandwidth | Bandwidth used for ingesting content when this SE is acting as the Content Acquirer. The default is 1,000,000 kbps (kilobits per second). |
| Distribution-in Bandwidth | Bandwidth used for incoming content that is sent by a forwarding SE as part of the distribution process. The default is 1,000,000 kbps. |
| Distribution-out Bandwidth | Bandwidth used for outgoing content that is sent to a downstream SE as part of the distribution process. The default is 500,000 kbps. |

Step 3  Click Submit to save the settings.
For information on the task bar icons, see Table 4-7.
Bandwidth Graph
To view a graphical representation of the bandwidth settings, click the Display Graph icon in the task bar. The Acquisition and Distribution Bandwidth graph is displayed in a new window.
The vertical axis of the graph represents the amount of bandwidth in Kbps (kilobits per second) and the horizontal axis represents the days of the week. The scale shown on the vertical axis is determined dynamically based on the bandwidth rate for a particular type of bandwidth and is incremented appropriately. The scale shown on the horizontal axis for each day is incremented for each hour. Each type of bandwidth is represented by a unique color. A legend at the bottom of the graph maps the colors to the corresponding bandwidths.
You can change the graph view by choosing the different options, as described in Table 4-9.
Table 4-9 Acquisition and Distribution Bandwidth Graph—Viewing Options

| Option | Description |
|---|---|
| Distribution In | Bandwidth settings for incoming content distribution traffic. The default is 1,000,000. |
| Distribution Out | Bandwidth settings for outgoing content distribution traffic. The default is 500,000. |
| Acquisition In | Bandwidth settings for incoming content acquisition traffic. The default is 1,000,000. |
| All Servers | A consolidated view of all configured bandwidth types. This is the default. |
| Show Detailed Bandwidth/Show Effective Bandwidth | Toggles between the two options. Show Detailed Bandwidth displays detailed bandwidth settings for the SE and its associated device groups; the bandwidth settings of the device and device groups are shown in different colors for easy identification. Show Effective Bandwidth displays the composite (aggregate) bandwidth settings for the SE and its associated device groups. |
| Show Aggregate View/Show Non-Aggregate View | Toggles between the two options. Show Aggregate View displays the bandwidth settings configured for the corresponding device groups. Show Non-Aggregate View displays the bandwidth settings configured for the SE. |
| Sun, Mon, Tues, Wed, Thurs, Fri, Sat | Displays the bandwidth settings for the corresponding day of the week. |
| Full Week | Displays the bandwidth settings for the entire week. This is the default view and is combined with the All Servers view. |

Scheduled Bandwidth
Scheduled Bandwidth settings take precedence over Default Bandwidth settings.
To configure a bandwidth schedule, do the following:
Step 1  Choose Devices > Devices > Replication > Scheduled Bandwidth. The Replication Scheduled Bandwidth Table page is displayed (Figure 4-10).
The table is sortable by clicking the column headings.
Figure 4-10 Replication Scheduled Bandwidth Table Page
For information about Aggregate Settings, see the “Aggregate Settings” section.
Note Configuring Replication Bandwidth Scheduling is only supported on a per-SE basis; Device Group configuration of Replication Bandwidth Scheduling is not supported.
Step 2  Click the Create New icon in the task bar. The Replication Scheduled Bandwidth page is displayed (Figure 4-11).
To edit a scheduled bandwidth, click the Edit icon next to the scheduled bandwidth you want to edit.
Figure 4-11 Replication Scheduled Bandwidth Page
Step 3  Enter the settings as appropriate. See Table 4-10 for a description of the fields.
Table 4-10 Replication Scheduled Bandwidth Fields

| Field | Description |
|---|---|
| Bandwidth Type | Distribution-in—For incoming content distribution traffic from SEs. Distribution-out—For outgoing content distribution traffic to SEs. Acquisition-in—For incoming content acquisition traffic from origin servers. |
| Bandwidth Rate | Maximum amount of bandwidth that you want to allow (in kbps). |
| Start Time | Time of day for the bandwidth setting to begin, using a 24-hour clock in local time (hh:mm). |
| End Time | Time of day for the bandwidth setting to end (hh:mm). |
| Day Selection | Days on which the bandwidth settings apply. Full Week—Specifies that the allowable bandwidth settings are applied for an entire week. Sun, Mon, Tue, Wed, Thu, Fri, and Sat—Specifies individual days of the week on which the allowable bandwidth settings take effect. |

Step 4  Click Submit to save the settings.
For information on the task bar icons, see Table 4-7.
Service Control
The Service Control pages provide settings for client request filtering, URL signing, and Authorization Server settings. Additionally, transaction logs that monitor traffic are configured under the Service Control. Configuring service control consists of the following procedures:
Table 4-11 describes the icons for the Service Control pages.
Table 4-11 Service Control Icons

| Icon | Function |
|---|---|
| Refresh | Refreshes the table or page. |
| Apply Defaults | Applies the default settings to the device. |
| Create New | Creates a new item. |
| Filter Table | Creates a filtered table. |
| View All | Views all data. Click this icon to view all data after you have created a filtered table. |
| Print | Prints the current window. |
| Edit | Edits an item. |
| Delete | Deletes an item. To delete an item, click the Edit icon and then click this icon. |

Configuring Service Rules
Note This is a licensed feature. Please ensure that you have purchased a Service Rule license for this advanced feature.
The Rules Template licensed feature provides a flexible mechanism to specify configurable caching requests by allowing these requests to be matched against an arbitrary number of parameters, with an arbitrary number of policies applied against the matches. You can specify a set of rules, each clearly identified by an action and a pattern. Subsequently, for every incoming request, if a pattern for a rule matches the given request, the corresponding action for that rule is taken.
Note The processing time on the SE is directly related to the number of service rules configured. Processing times increase with an increase in the total number of rules configured. If the SE processing time is greater than twice the datafeed poll rate, then the device goes offline until the processing is completed. You can avoid this by configuring a higher datafeed poll rate. The recommended datafeed poll rate for 750 service rules is 300 seconds. To configure the datafeed poll rate, see the “Configuring System Settings” section.
Configuring a service rule consists of the following tasks:
- Enabling the service rules. (Only needs to be performed once.)
- Configuring a pattern list and adding a pattern to it.
- Associating an action with an existing pattern list.
There are three cases for service rules:
1. If only allow rules are configured, then there is an implicit deny.
2. If only deny rules are configured, then there is an implicit allow.
3. If both allow and deny rules are configured, then there is an implicit allow.
For example, if a rule blocks all URL requests that match HTML, all other URL requests are implicitly allowed. If a rule allows all URL requests that match WMV, all other URL requests are implicitly blocked. If both of the above rules are configured, then HTML URL requests are blocked, and all other URL requests are allowed.
To configure or edit service rule settings, do the following:
Step 1  Choose Devices > Devices > Service Control > Enable Rules. The Enable Service Rules page is displayed.
Step 2  Check the Enable check box to enable the use of rule settings.
Step 3  Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
Step 4  Choose Devices > Devices > Service Control > Service Rules. The Service Rules Table page is displayed.
The table is sortable by clicking the column headings.
For information about Aggregate Settings, see the “Aggregate Settings” section.
Step 5  Click the Create New icon in the task bar. The Service Rules page is displayed (Figure 4-12).
To edit a service rule, click the Edit icon next to the service rule you want to edit.
Figure 4-12 Service Rules Page
Step 6  Create a pattern list and add a pattern to it.
a. From the Rule Type drop-down list, choose pattern-list.
b. In the Rule Parameters field, configure the pattern list number and the pattern type, following the rules usage guidelines shown on the Service Rules page. See Table 4-12 for a description of pattern types. The rule patterns are not case-sensitive.
For example, to create pattern list number 72 with the pattern type domain and the yahoo.com domain as the domain to be acted on, enter 72 domain yahoo.com in the Rule Parameters field.
Table 4-12 Service Rules Pattern Types

| Pattern Type | Description | Syntax |
|---|---|---|
| domain | Matches the domain name in the URL or the host header against a regular expression. For example, “.*ibm.*” matches any domain name that contains the “ibm” substring. “\.foo\.com$” matches any domain name that ends with the “.foo.com” substring. In regular expression syntax, the dollar sign ($) metacharacter directs that a match is made only when the pattern is found at the end of a line. | rule pattern-list list_num domain dn_regexp |
| group-type | Patterns can be combined by using the AND or OR function with the group-type pattern (for example, rule pattern-list 1 group-type and). The default is OR. | rule pattern-list list_num group-type {and \| or} |
| header-field | Request header field pattern. Request header field patterns referer, request-line, and user-agent are supported for the allow, block, and redirect actions. The referer pattern is matched against the Referer header in the request, the request-line pattern is matched against the first line of the request, and the user-agent pattern is matched against the User-Agent header in the request. The user-agent pattern is not case sensitive. Note Flash Media Streaming supports the referer header field pattern for the allow and block actions. | rule pattern-list list_num header-field {referer ref_regexp \| request-line req_regexp \| user-agent ua_regexp} |
| src-ip | Matches the source IP address and netmask of the request. | rule pattern-list list_num src-ip s_ipaddress s_subnet |
| url-regex | Matches the URL against a regular expression. The match is not case sensitive. | rule pattern-list list_num url-regex url_regexp |
| url-regsub | For the rewrite and redirect actions, matches the URL against a regular expression to form a new URL in accordance with the pattern substitution specification. The match is not case sensitive. The valid substitution index range is from 1 to 9. Note For HTTP client requests for Windows Media Streaming live programs, an ASX file is created automatically; therefore, if you use the url-regsub pattern list to rewrite the filename from an .asf file extension to an .asx file extension, the SE is not able to find the file and returns a 404 error message. Note Only one url-regsub pattern list is supported. Multiple substitutions for the same pattern list are not supported. | rule pattern-list list_num url-regsub url_regexp url_sub |

Note A domain pattern list matching an SE IP address is not supported when IP-based redirection is enabled on the Service Router. See the “Configuring the Service Router” section for more information about IP-based redirection. Flash Media Streaming bypasses the rules configuration if the request is from another SE.
Step 7  Click Submit to save the settings.
The maximum number of pattern lists allowed is 128.
Step 8  Associate an action with an existing pattern list.
a. Choose an action type from the Rule Type drop-down list. See Table 4-13 for a description of rule actions.
b. In the Rule Parameters field, enter the list number of the pattern list that you want to associate with this action.
For example, if you want to block access by any protocol to yahoo.com, then choose block from the Rule Type drop-down list, and enter pattern-list 72 protocol all in the Rule Parameters field.
Note For the Web Engine and Flash Media Streaming, the Service Rule file must be used if service rules are to be configured. See Appendix F, “Creating Service Rule Files” for more information.
Note Windows Media Streaming supports all service rule actions listed in Table 4-13. Movie Streamer supports the following service rule actions: allow, block, redirect, rewrite, and validate-url-signature.
Table 4-13 Service Rule Actions

| Action | Description | Syntax |
|---|---|---|
| allow | Allows incoming requests that match the pattern list. This rule action can be used in combination with block actions to allow selective types of requests. The allow action does not carry any meaning as a standalone action. | rule action allow pattern-list list_num [protocol {all \| http \| rtmp \| rtsp}] |
| block | Blocks this request and allows all others. | rule action block pattern-list list_num [protocol {all \| http \| rtmp \| rtsp}] |
| generate-url-signature | Generates the URL signatures in the Windows Media metafile response associated with prefetched content, based on the SE configuration for the URL signature and this rule action. | rule action generate-url-signature [include-client-src-ip] key-id-owner owner_num key-id-number id_num pattern-list list_num [protocol {all \| http}] |
| no-cache | Does not cache this object. | rule action no-cache pattern-list list_num [protocol {all \| http \| rtmp \| rtsp}] |
| redirect | Redirects the original request to a specified URL. Redirect is relevant to the RADIUS server only if the RADIUS server has been configured for redirect. | rule action redirect url pattern-list list_num [protocol {all \| http \| rtmp \| rtsp}] |
| refresh | For a cache hit, forces an object freshness check with the server. | rule action refresh pattern-list list_num [protocol {all \| http}] |
| replace | Replaces the text string in the object. | rule action replace string_to_find string_to_replace pattern-list list_num [protocol {all \| http \| rtmp \| rtsp}] |
| rewrite | Rewrites the original request as a specified URL. | rule action rewrite pattern-list list_num [protocol {all \| http \| rtmp \| rtsp}] |
| validate-url-signature | Validates the URL signature for a request using the configuration on your SE for the URL signature and allows the request processing to proceed for this request. The error-redirect-url keyword redirects requests that failed validation to a specified URL; it is only supported for Web Engine HTTP URLs. The exclude keyword excludes the client IP address, the content expiry time, the domain, or both the client IP address and expiry time from the URL signature validation, and redirects requests that failed validation to a specified URL. The exclude client-ip keywords instruct the SE to ignore the client’s IP address when processing the validation of the signed URL; for example, rule action validate-url-signature exclude client-ip error-redirect-url aa pattern-list 1 protocol all. The exclude expiry-time keywords instruct the SE to ignore the expiry time that normally limits access to the content once the expiry time has passed; for example, rule action validate-url-signature exclude expiry-time error-redirect-url pattern-list 1 protocol all. The exclude domain-name keywords instruct the SE to ignore the domain in the URL when processing the validation of the signed URL; for example, rule action validate-url-signature exclude domain-name error-redirect-url pattern-list 1 protocol all. The exclude all keywords instruct the SE to ignore both the client IP address and the content expiration time when processing the validation of the signed URL; for example, rule action validate-url-signature exclude all error-redirect-url aa pattern-list 1 protocol all. | rule action validate-url-signature {error-redirect-url url \| exclude {all error-redirect-url url \| client-ip error-redirect-url url \| expiry-time error-redirect-url url \| domain-name error-redirect-url url}} pattern-list list_num [protocol {all \| http}] |

Step 9  Click Submit to save the settings.
Note When configuring service rules, you must configure the same service rules on all SEs participating in a delivery service in order for the service rules to be fully implemented. The rule action must be common for all client requests because the SR may redirect a client request to any SE in a delivery service depending on threshold conditions.
Execution Order of Rule Actions
The order in which the rule actions are implemented for Windows Media Streaming and Movie Streamer is the order in which they were configured, except for the validate-url-signature action. If the rule pattern associated with the validate-url-signature action is matched, regardless of the configuration order of the rules, the validate-url-signature action is performed before any other action.
1. validate-url-signature
2. block or allow
Note The allow and block actions carry the same precedence. The order of implementation depends on the order of configuration between allow and block actions. Other actions always take precedence over allow.
3. redirect (before cache lookup)
4. rewrite (before cache lookup)
Note For the Web Engine and Flash Media Streaming, the Service Rule file must be used if service rules are to be configured. See the Appendix F, “Creating Service Rule Files” for more information.
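The three implicit allow/deny cases, the pattern types of Table 4-12 and the execution order described above, worked through in a Python model added for this page (it is not the SE's implementation). The request dictionary shape, the layout of the pattern-list dictionary and the sample rule sets are constructed for the example:

```python
import ipaddress
import re

# Pattern lists as entered in the Rule Parameters field (Table 4-12); values are
# constructed. A url-regsub value is a (url_regexp, url_sub) pair, \1..\9 in url_sub.
PATTERN_LISTS = {
    72: {"group_type": "or", "patterns": [("domain", "yahoo.com")]},  # "72 domain yahoo.com"
    1: {"group_type": "or", "patterns": [("url-regex", r"\.html$")]},  # HTML requests
    2: {"group_type": "or", "patterns": [("url-regex", r"\.wmv$")]},   # WMV requests
    3: {"group_type": "and", "patterns": [("src-ip", ("10.1.0.0", "255.255.0.0")),
                                          ("header-field", ("user-agent", r"^WMPlayer"))]},
    4: {"group_type": "or", "patterns": [("url-regsub", (r"^/old/(.*)$", r"/new/\1"))]},
}


def pattern_hit(ptype, value, req):
    """Test one pattern against a request; matches are not case-sensitive."""
    if ptype == "domain":
        return re.search(value, req["host"], re.I) is not None
    if ptype in ("url-regex", "url-regsub"):
        regexp = value[0] if ptype == "url-regsub" else value
        return re.search(regexp, req["url"], re.I) is not None
    if ptype == "src-ip":
        addr, netmask = value
        net = ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
        return ipaddress.ip_address(req["src_ip"]) in net
    if ptype == "header-field":
        name, regexp = value  # referer | request-line | user-agent
        subject = req["request_line"] if name == "request-line" else req["headers"].get(name, "")
        return re.search(regexp, subject, re.I) is not None
    raise ValueError(f"unknown pattern type {ptype!r}")


def list_matches(plist, req):
    """Combine the patterns of one list with its group-type (AND or OR, default OR)."""
    hits = [pattern_hit(ptype, value, req) for ptype, value in plist["patterns"]]
    if not hits:
        return False
    return all(hits) if plist.get("group_type", "or") == "and" else any(hits)


def evaluate(rules, pattern_lists, req):
    """Return (decision, url) for one request, in the execution order on this page:
    validate-url-signature first, then allow/block in configured order (implicit
    deny when only allow rules exist, otherwise implicit allow), redirect, rewrite."""
    def applies(rule):
        return (rule.get("protocol", "all") in ("all", req["protocol"])
                and list_matches(pattern_lists[rule["list"]], req))

    for rule in rules:  # 1. signature validation runs first regardless of configured order
        if rule["action"] == "validate-url-signature" and applies(rule):
            if not req.get("signature_valid", False):
                return "redirect", rule["error_redirect_url"]
    acl = [r for r in rules if r["action"] in ("allow", "block")]
    for rule in acl:  # 2. allow and block share precedence: first configured match wins
        if applies(rule):
            if rule["action"] == "block":
                return "block", None
            break
    else:
        if acl and all(r["action"] == "allow" for r in acl):
            return "block", None  # only allow rules configured: implicit deny
    for rule in rules:  # 3. redirect (before cache lookup)
        if rule["action"] == "redirect" and applies(rule):
            return "redirect", rule["url"]
    for rule in rules:  # 4. rewrite (before cache lookup) using the list's url-regsub pattern
        if rule["action"] == "rewrite" and applies(rule):
            for ptype, value in pattern_lists[rule["list"]]["patterns"]:
                if ptype == "url-regsub":
                    regexp, sub = value
                    return "rewrite", re.sub(regexp, sub, req["url"], count=1, flags=re.I)
    return "allow", req["url"]


def make_request(host, url, src_ip="10.1.2.3", user_agent="WMPlayer/12.0",
                 protocol="http", signature_valid=False):
    """Build a constructed client request in the shape evaluate() expects."""
    return {"host": host, "url": url, "src_ip": src_ip, "protocol": protocol,
            "headers": {"user-agent": user_agent, "referer": ""},
            "request_line": f"GET {url} HTTP/1.1", "signature_valid": signature_valid}


# Rule sets for the three cases described on this page, plus a signed/rewritten one.
ALLOW_ONLY = [{"action": "allow", "list": 2, "protocol": "all"}]  # WMV allowed, rest implicitly denied
BLOCK_ONLY = [{"action": "block", "list": 1, "protocol": "all"}]  # HTML blocked, rest implicitly allowed
BOTH = ALLOW_ONLY + BLOCK_ONLY                                    # HTML blocked, everything else allowed
SIGNED = [{"action": "validate-url-signature", "list": 3, "protocol": "all",
           "error_redirect_url": "http://cdn.example.com/denied"},
          {"action": "rewrite", "list": 4, "protocol": "http"}]

if __name__ == "__main__":
    for rules, url in ((ALLOW_ONLY, "/a.html"), (BLOCK_ONLY, "/a.mp4"), (BOTH, "/a.html")):
        print(url, evaluate(rules, PATTERN_LISTS, make_request("cdn.example.com", url)))
    print(evaluate(SIGNED, PATTERN_LISTS, make_request("cdn.example.com", "/old/clip.wmv")))
```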
Configuring URL Signing
URL signature keys are word values that ensure URL-level security. The URL signature key is a shared secret between the device that assigns the key and the device that decrypts the key. Based on your network settings, either the SE itself or some other external device can assign the signature key to the URL, but the SE decrypts the URL signature key.
The CDS uses a combination of key owners, key ID numbers, and a word value to generate URL signature keys. You can have a maximum of 32 key owners. Each key owner can have up to 16 key ID numbers.
To create request-specific URL signature keys, you can choose to append the IP address of the client that has made the request to the URL signature key.
To create a URL signature key, do the following:
Step 1  Choose Devices > Devices > Service Control > URL Signing. The URL Signing Table page is displayed.
The table is sortable by clicking the column headings.
For information about Aggregate Settings, see the “Aggregate Settings” section.
Step 2  Click the Create New icon in the task bar. The URL Signing page is displayed.
To edit the URL signature, click the Edit icon next to the URL Signature Key ID owner you want to edit.
Step 3  Enter the settings as appropriate. See Table 4-14 for a description of the fields.
Table 4-14 URL Signature Key Settings

| Field | Description |
|---|---|
| Cryptographic Algorithm | Choose either Symmetric Key or Asymmetric Key. For more information, see the “URL Signing and Validating” section. |
| Key ID Owner | Specify the ID number for the owner of this encryption key. Valid entries are from 1 to 32. |
| Key ID | Specify the encryption key ID number. Valid entries are from 1 to 16. |
| Key | Field for Symmetric Key only. Enter a unique URL signature key with up to 16 characters (excluding double quotes at the beginning and end of the string). This field accepts only 7-bit printable ASCII characters (alphabetic, numeric, and others) and does not support a space or the following special characters: pipe (\|), question mark (?), double quotes ("), and apostrophe (’). The following special characters are allowed: {}!#$%&()*+,-./;:<=>@\~^[]_ Quoted and unquoted strings are allowed. Double quotes (") are allowed at the beginning and end of the string only. If you do not surround the key string with double quotes, quotes are added when you click Submit. |
| Public Key URL | Field for Asymmetric Key only. The location of the public key file. Only HTTP, HTTPS, or FTP addresses are supported. The public/private key pair is stored in Privacy Enhanced Mail (PEM) format. |
| Private Key URL | Field for Asymmetric Key only. The location of the private key file. Only HTTP, HTTPS, or FTP addresses are supported. The public/private key pair is stored in Privacy Enhanced Mail (PEM) format. |
| Symmetric Key | Field for Asymmetric Key only. A 16-byte Advanced Encryption Standard (AES) key used for AES encryption of the signed URL. |

Step 4  Click Submit to save the settings.
For information on the URL signing mechanism, see
Appendix H, “URL Signing and Validation.”
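An example added for this page, not CDS code and not the format defined in Appendix H: it models the Key field and owner/ID constraints of Table 4-14 together with the exclude options of validate-url-signature. The query parameter names (d, ko, ki, e, ip, sig) and the HMAC-SHA256 canonical form are assumptions made for illustration; the key, URL and addresses are constructed:

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Characters the Key field accepts besides letters and digits (Table 4-14).
ALLOWED_SPECIAL = set("{}!#$%&()*+,-./;:<=>@\\~^[]_")


def valid_symmetric_key(key):
    """Key field rules from Table 4-14: up to 16 characters of 7-bit printable ASCII,
    optional surrounding double quotes, no space and none of | ? " '."""
    if len(key) >= 2 and key[0] == key[-1] == '"':
        key = key[1:-1]
    return 1 <= len(key) <= 16 and all(c.isascii() and (c.isalnum() or c in ALLOWED_SPECIAL)
                                       for c in key)


class KeyStore:
    """Symmetric keys addressed by Key ID Owner (1-32) and Key ID (1-16)."""
    def __init__(self):
        self._keys = {}

    def add(self, owner, key_id, key):
        if not (1 <= owner <= 32 and 1 <= key_id <= 16):
            raise ValueError("key owner must be 1-32 and key id 1-16")
        if not valid_symmetric_key(key):
            raise ValueError("key violates the Key field character rules")
        self._keys[(owner, key_id)] = key.strip('"')

    def get(self, owner, key_id):
        return self._keys[(owner, key_id)]


def _mac(key, path, params):
    """Assumed canonical form: the MAC covers the path and every signed parameter that
    is present, in a fixed order, so none of them can be altered without detection."""
    msg = path + "|" + "|".join(f"{k}={params[k]}" for k in ("d", "ko", "ki", "e", "ip") if k in params)
    return hmac.new(key.encode(), msg.encode(), hashlib.sha256).hexdigest()


def sign_url(store, url, owner, key_id, expiry, client_ip=None):
    """Produce a signed URL (the generate side); parameter names are assumptions."""
    u = urlsplit(url)
    params = {"d": (u.hostname or "").lower(), "ko": owner, "ki": key_id, "e": expiry}
    if client_ip:  # optional, as the page allows appending the requesting client's IP
        params["ip"] = client_ip
    params["sig"] = _mac(store.get(owner, key_id), u.path, params)
    return u._replace(query=urlencode(params)).geturl()


def _exclusions(exclude):
    """'exclude all' means the client IP and the expiry time, as this page defines it."""
    if exclude == "all":
        return {"client-ip", "expiry-time"}
    return {exclude} if isinstance(exclude, str) else set(exclude or ())


def validate_url(store, url, client_ip, now, exclude=()):
    """Model of validate-url-signature with its exclude options. Returns (True, 'ok')
    or (False, reason); a failing request would be sent to error-redirect-url."""
    u = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    try:
        key = store.get(int(q["ko"]), int(q["ki"]))
    except (KeyError, ValueError):
        return False, "unknown key owner/id"
    if not hmac.compare_digest(_mac(key, u.path, q).encode(), q.get("sig", "").encode()):
        return False, "bad signature"
    skip = _exclusions(exclude)
    if "domain-name" not in skip and q.get("d") != (u.hostname or "").lower():
        return False, "domain mismatch"
    if "expiry-time" not in skip and int(q.get("e", "0")) < now:
        return False, "expired"
    # Excluding the client IP makes a leaked URL usable from any address; accept that
    # only where the deployment needs it (for example, clients behind changing NAT).
    if "client-ip" not in skip and "ip" in q and q["ip"] != client_ip:
        return False, "client ip mismatch"
    return True, "ok"


if __name__ == "__main__":
    store = KeyStore()
    store.add(1, 1, "s3cr3t-key")  # constructed key for Key ID Owner 1, Key ID 1
    signed = sign_url(store, "http://cdn.example.com/media/clip.wmv", 1, 1, 1700000000, "203.0.113.7")
    print(signed)
    print(validate_url(store, signed, "203.0.113.7", 1699999000))
    print(validate_url(store, signed, "198.51.100.9", 1700000001, exclude="all"))
```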
Configuring the Authorization Service
When Authorization Service is enabled, client requests are blocked if the request is for an unknown server or if the client’s IP address or geographic location is not allowed to request content. The Authorization Service is enabled by default and includes both types of blocking.
The Authorization Service verifies that all client requests have a service routing fully-qualified domain name (RFQDN) or origin server FQDN (OFQDN) that is recognized as part of a delivery service. For more information about RFQDNs and origin servers, see the “Content Origins” section. If you want to allow client requests for unknown hosts, check the Enable Unknown-Server Requests check box.
Note The string “.se.” cannot be used in the RFQDN and OFQDN.
To block client requests based on geographical location, the SE communicates with a Geo-Location server, which maps IP addresses to geographic locations. The Geo-Location server, which is the same Geo-Location server used for location-based routing on the SR, identifies the geographic location of a client request by the country, state, and city of the client. See the “Configuring Request Routing Settings” section. For more information about the Geo-Location servers, see the “Geo-Location Servers” section.
Each delivery service participating in the Authorization Service has a Geo/IP file that contains information on the allowed client IP addresses and geographic locations, and denied client IP addresses and geographic locations. The Authorization Service blocks client requests based on the Geo/IP file uploaded for the delivery service.
The SE that receives the client request compares the client’s information, as well as the URL string pattern, with the information configured for the delivery service and allows or denies the request. If the Authorization Service denies the request, the protocol engine receives the denied message and sends a request denied message to the client. For more information, see the “Authorization Plugins” section.
To enable the Authorization Service, do the following:
Step 1
Choose
Devices > Devices > Service Control > Authorization Service
. The Authorization Service page is displayed.
Step 2
To enable the Authorization Service, check the
Enable Authorization
check box.
The Authorization Service is enabled by default.
Step 3
In the
Primary Address
and associated
Port
fields, enter the IP address and port number of the primary Geo-Location Server.
Step 4
In the
Secondary Address
and associated
Port
fields, enter the IP address and port number of the secondary Geo-Location Server.
Step 5
To allow client requests for unknown hosts, while at the same time keeping the Authorization Service enabled, check the
Enable Unknown-Server Requests
check box.
Step 6
Click
Submit
to save the settings.
To apply the factory default settings for the device, click the
Apply Defaults
icon in the task bar.
Note If the primary Geo-Location server is shut down and a secondary Geo-location server is configured and is up, requests are sent to the secondary Geo-Location server in a failover-type scenario. If the primary Geo-Location server is brought back up and is online, requests are still routed to the secondary Geo-Location server as long as the secondary Geo-Location server is up. Only if the secondary Geo-Location server goes down and the primary Geo-Location server is up will a fallback occur and requests once again will be routed to the primary Geo-Location server.
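The decision the Authorization Service makes for each request, modelled as an added Python example (not Cisco CDS code and not the SE’s own implementation): the request must name a host that belongs to a delivery service unless Enable Unknown-Server Requests is set, the client must not appear on the delivery service’s denied IP or location lists, must match the allowed lists whenever any are configured, and the URL must match the delivery service’s pattern. The Geo/IP file layout and the Geo-Location server are replaced by constructed in-memory tables (GEO_TABLE, GeoIpPolicy, SERVICES), and the rule that deny entries are checked before allow entries is an assumption, since this page does not state the precedence.

```python
"""Model of the Authorization Service decision for one client request.

Added example, not Cisco CDS code. GEO_TABLE stands in for the Geo-Location
server and GeoIpPolicy for the uploaded Geo/IP file; both layouts are
assumptions, and so is the deny-before-allow precedence.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed stand-in for the Geo-Location server: prefix -> (country, state, city).
GEO_TABLE = {
    ip_network("198.51.100.0/24"): ("US", "CA", "San Jose"),
    ip_network("203.0.113.0/24"): ("DE", "BY", "Munich"),
}


def geo_lookup(client_ip):
    """Return (country, state, city) for the client, or None when unknown."""
    addr = ip_address(client_ip)
    for net, location in GEO_TABLE.items():
        if addr in net:
            return location
    return None


def location_matches(rule, location):
    """A rule such as ("US", None, None) matches when every non-None part equals the client's."""
    return all(r is None or r == actual for r, actual in zip(rule, location))


@dataclass
class GeoIpPolicy:
    """Allowed/denied client IPs (CIDR strings) and locations, plus URL patterns (regexes)."""
    allow_ips: list = field(default_factory=list)
    deny_ips: list = field(default_factory=list)
    allow_locations: list = field(default_factory=list)
    deny_locations: list = field(default_factory=list)
    url_patterns: list = field(default_factory=list)  # empty means any URL


@dataclass
class DeliveryService:
    name: str
    hosts: set            # RFQDNs and OFQDNs that belong to this delivery service
    policy: GeoIpPolicy


def authorize(services, allow_unknown_server, host, client_ip, url):
    """Return (allowed, reason) for a request to host/url from client_ip."""
    service = next((s for s in services if host in s.hosts), None)
    if service is None:
        if allow_unknown_server:
            return True, "unknown server allowed by configuration"
        return False, "unknown server"

    policy = service.policy
    addr = ip_address(client_ip)
    location = geo_lookup(client_ip)

    # Deny lists first (assumption: the page does not state allow/deny precedence).
    if any(addr in ip_network(net) for net in policy.deny_ips):
        return False, "client IP denied"
    if location and any(location_matches(r, location) for r in policy.deny_locations):
        return False, "client location denied"

    # When allow lists exist, the client must match at least one of them.
    if policy.allow_ips or policy.allow_locations:
        ip_ok = any(addr in ip_network(net) for net in policy.allow_ips)
        loc_ok = location is not None and any(
            location_matches(r, location) for r in policy.allow_locations)
        if not (ip_ok or loc_ok):
            return False, "client not in allow list"

    if policy.url_patterns and not any(re.search(p, url) for p in policy.url_patterns):
        return False, "URL does not match delivery service pattern"
    return True, "allowed"


# Constructed delivery service: US and DE viewers may fetch MP4s under /vod/,
# one prefix is blocked outright, and nothing else is served.
SERVICES = [
    DeliveryService(
        name="vod",
        hosts={"vod.example.com", "origin.example.com"},
        policy=GeoIpPolicy(
            deny_ips=["203.0.113.0/24"],
            allow_locations=[("US", None, None), ("DE", None, None)],
            url_patterns=[r"^/vod/[\w-]+\.mp4$"],
        ),
    )
]

if __name__ == "__main__":
    for host, ip, url in [
        ("vod.example.com", "198.51.100.7", "/vod/show-01.mp4"),
        ("vod.example.com", "203.0.113.5", "/vod/show-01.mp4"),
        ("vod.example.com", "198.51.100.7", "/admin/"),
        ("other.example.net", "198.51.100.7", "/vod/show-01.mp4"),
    ]:
        print(host, ip, url, authorize(SERVICES, False, host, ip, url))
```

A client whose address the Geo-Location server cannot place (no GEO_TABLE entry) can only pass an allow-list check through an IP entry, which is why the 192.0.2.0/24 client in the test is refused even though it is not on any deny list.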
Configuring Transaction Logs
Transaction logs allow administrators to view the traffic that has passed through the SE. Typical fields in the transaction log are the date and time when a request was made, the URL that was requested, whether it was a cache hit or a cache miss, the type of request, the number of bytes transferred, and the source IP address. For more information about transaction logs and their formats, see the “Transaction Logs” section.
To enable transaction logging, do the following:
Step 1
Choose
Devices > Devices > Service Control > Transaction Logging
. The Transaction Log Settings page is displayed.
Step 2
Enter the settings as appropriate. See
Table 4-15
for a description of the fields.
Table 4-15 Transaction Log Settings Fields

| Field | Description |
|---|---|
| Transaction Log Enable | Enables transaction logging. |
| Log Windows Domain | If NTLM authentication is configured, check this check box to record the Windows domain name and username in the “authenticated username” field of the transaction log. For more information, see the “Transaction Logging and NTLM Authentication” section. |
| Compress Files before Export | When checked, archived log files are compressed into gzip format before being exported to external FTP servers. |
| Log File Format / Log Format Custom | Log file format choices are extended-squid or apache. The default is apache. For more information, see the “Transaction Log Formats for Web Engine” section. Alternatively, choose Log Format Custom and enter a custom format string; see the “Custom Format” section. |
| Max size of Archive File | Maximum size (in kilobytes) of the archive file to be maintained on the local disk. The range is from 1000 to 2000000. The default is 500000. |
| Max number of files to be archived | Maximum number of files to be maintained on the local disk. The range is from 1 to 10000. The default is 10. |
| Archive occurs | How often the working log is archived and the data is cleared from the working log. Choose every to archive at a fixed interval in seconds (range 120 to 604800); every hour, then either at (the minute of each hourly archive) or every (an interval of 2, 5, 10, 15, 20, or 30 minutes); every day, then either at (the hour of each daily archive) or every (an interval of 1, 2, 3, 4, 6, 8, 12, or 24 hours); or every week on, then choose the days of the week and the time on each day. |
| Enable Export | Enables exporting of the transaction log to an FTP server. |
| Export occurs | How often the working log is sent to the FTP server and the data is cleared from the working log. Choose every to export at a fixed interval in minutes (range 1 to 10080); every hour, then either at (the minute of each hourly export) or every (an interval of 2, 5, 10, 15, 20, or 30 minutes); every day, then either at (the hour of each daily export) or every (an interval of 1, 2, 3, 4, 6, 8, 12, or 24 hours); or every week on, then choose the days of the week and the time on each day. |
| FTP Export Server | IP address or hostname of the FTP server. |
| Name | Name of the user. |
| Password | Password for the user. |
| Confirm Password | Confirms the password for the user. |
| Directory | Name of the directory used to store the transaction logs on the FTP server. |
| SFTP | Check the SFTP check box if you are using an SFTP server. Plain FTP carries the username, the password, and the exported logs in cleartext, so use SFTP whenever the export path crosses a network you do not control. |
| Enable Windows Media Settings | Enables Windows Media transaction logging. |
| Log File Format | Sets the Windows Media Streaming Engine to generate transaction logs in one of four formats: the Windows Media Services 4.1 format extended with three additional fields, the Windows Media Services 9 format extended with the same three fields, the standard Windows Media Services 4.1 format, or the standard Windows Media Services 9 format. The three additional fields are SE_action (cache hit or cache miss), SE-bytes (number of bytes sent from the SE for a cache hit), and username (username of the Windows Media request when NTLM, Negotiate, Digest, or basic authentication is used). The default is wms-41. For more information, see the “Windows Media Transaction Logging” section. |
Step 3
Click
Submit
to save the settings.
To apply the factory default settings for the device, click the
Apply Defaults
icon in the task bar.
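Transaction logs are only useful once something reads them. The following is an added Python example (not Cisco CDS code) that parses log lines and runs two simple checks over them: per-client byte counts and hit/miss/denied totals, a list of clients with repeated denied requests, and a list of URLs containing a dot-dot segment. The sample lines are constructed and use the Squid native log layout on which the extended-squid format is based; the exact field order the SE writes is documented in the “Transaction Logs” section rather than on this page, so treat the layout here as an assumption.

```python
"""Parse transaction-log lines and run two simple checks over them.

Added example, not Cisco CDS code. The lines below are constructed and use
the Squid native log layout (assumption: the SE's exact extended-squid field
order is documented elsewhere, not on this page).
"""
import re
from collections import Counter, defaultdict

# Constructed sample: <unix time> <elapsed ms> <client> <action>/<status> <bytes>
#                     <method> <URL> <ident> <hierarchy>/<peer> <content-type>
SAMPLE_LOG = """\
1710000000.123    45 198.51.100.7 TCP_HIT/200 1048576 GET http://vod.example.com/vod/a.mp4 - NONE/- video/mp4
1710000000.456   820 198.51.100.7 TCP_MISS/200 2097152 GET http://vod.example.com/vod/b.mp4 - DIRECT/203.0.113.10 video/mp4
1710000001.001     2 192.0.2.9 TCP_DENIED/403 0 GET http://vod.example.com/admin/ - NONE/- text/html
1710000001.050     2 192.0.2.9 TCP_DENIED/403 0 GET http://vod.example.com/../etc/passwd - NONE/- text/html
1710000001.100     2 192.0.2.9 TCP_DENIED/403 0 GET http://unknown.example.net/x.mp4 - NONE/- text/html
this line is not a log entry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hierarchy>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)


def parse_line(line):
    """Return a dict of fields, or None for a line that does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = float(entry["ts"])
    for key in ("elapsed", "status", "bytes"):
        entry[key] = int(entry[key])
    return entry


def parse_log(text):
    """Parse every line, skipping lines that do not match the layout."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Per-client bytes and per-action counts (hit, miss, denied)."""
    bytes_by_client = defaultdict(int)
    actions = Counter()
    for e in entries:
        bytes_by_client[e["client"]] += e["bytes"]
        actions[e["action"]] += 1
    return {"bytes_by_client": dict(bytes_by_client), "actions": dict(actions)}


def denied_clients(entries, threshold=3):
    """Clients with at least `threshold` TCP_DENIED entries: candidates for a deny list."""
    denied = Counter(e["client"] for e in entries if e["action"] == "TCP_DENIED")
    return sorted(c for c, n in denied.items() if n >= threshold)


def traversal_attempts(entries):
    """URLs containing a dot-dot segment, a common probe worth reviewing in SE logs."""
    return [e["url"] for e in entries if "/../" in e["url"]]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(summarize(parsed))
    print("denied:", denied_clients(parsed))
    print("traversal:", traversal_attempts(parsed))
```

The client list that denied_clients produces is the natural input for the Authorization Service’s denied-IP list on the delivery service concerned.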
Application Control
The Application Control pages provide settings for bandwidth management of delivery services and protocol engines. Configuring application control consists of the procedures described in the following sections.
Configuring Default and Maximum Bandwidth
The bandwidth used for delivering content is determined by the settings in the Default and Maximum Bandwidth page, and the Scheduled Bandwidth page. The default settings are used unless a scheduled bandwidth is configured for a specified time period. For Flash Media Streaming bandwidth limits, see the “Configuring Flash Media Streaming—General Settings” section and the “Configuring Flash Media Streaming—Service Monitoring” section.
Note The bandwidth used for delivering content is always the minimum bandwidth configured of the following configurations: default bandwidth, maximum bandwidth, and scheduled bandwidth. When the bandwidth limit is reached, new client requests are dropped and a syslog entry is written. The client receives an error message “453: Not enough bandwidth.”
To configure the default and maximum bandwidth settings, do the following:
Step 1
Choose
Devices > Devices > Application Control > Default and Maximum Bandwidth
. The Default and Maximum Bandwidth page is displayed.
Step 2
Enter the settings as appropriate. See
Table 4-16
for a description of the fields.
Table 4-16 Application Control Default and Maximum Bandwidth Fields

| Bandwidth Type | Field | Description |
|---|---|---|
| Windows Media Incoming | Default Bandwidth | Default bandwidth allowed for incoming Windows Media traffic from client devices. |
| Windows Media Incoming | Maximum Bandwidth | Maximum bandwidth permitted by the system license. The maximum bandwidth for concurrent Windows Media streams enforces the aggregate bandwidth of all concurrent Windows Media streaming sessions, which includes RTSP-using-UDP, RTSP-using-TCP, MMS-over-HTTP, and live stream splitting. The default is 200 Mbps. |
| Windows Media Outgoing | Default Bandwidth | Default bandwidth allowed for outgoing Windows Media traffic from the SE. |
| Windows Media Outgoing | Maximum Bandwidth | Maximum bandwidth permitted by the system license. The maximum bandwidth for concurrent Windows Media streams enforces the aggregate bandwidth of all concurrent Windows Media streaming sessions, which includes RTSP-using-UDP, RTSP-using-TCP, MMS-over-HTTP, and live stream splitting. The default is 200 Mbps. |
| Movie Streamer Incoming | Default Bandwidth | Default bandwidth allowed for incoming Movie Streamer traffic from client devices. |
| Movie Streamer Incoming | Maximum Bandwidth | Maximum bandwidth permitted by the system license. The maximum bandwidth for concurrent Movie Streamer streams enforces the aggregate bandwidth of all concurrent Movie Streamer sessions. The default is 200 Mbps. |
| Movie Streamer Outgoing | Default Bandwidth | Default bandwidth allowed for outgoing Movie Streamer traffic from the SE. |
| Movie Streamer Outgoing | Maximum Bandwidth | Maximum bandwidth permitted by the system license. The maximum bandwidth for concurrent Movie Streamer streams enforces the aggregate bandwidth of all concurrent Movie Streamer sessions. The default is 200 Mbps. |
Step 3
Click
Submit
to save the settings.
To apply the factory default settings for the device, click the
Apply Defaults
icon in the task bar.
To remove the settings from the device, click the
Remove Settings
icon in the task bar.
Configuring Bandwidth Schedules
Bandwidth Schedule settings take precedence over Default Bandwidth settings.
To configure a Bandwidth Schedule, do the following:
Step 1
Choose
Devices > Devices > Application Control > Bandwidth Schedules
. The Application Control Bandwidth Schedule Table page is displayed.
The table is sortable by clicking the column headings.
For information about Aggregate Settings, see the “Aggregate Settings” section.
Step 2
Click
Create New
in the task bar. The Scheduled Bandwidth page is displayed.
To edit a bandwidth schedule, click the
Edit
icon next to the scheduled bandwidth you want to edit.
Step 3
Enter the settings as appropriate. See
Table 4-17
for a description of the fields.
Table 4-17 Application Control Bandwidth Schedule Fields

| Field | Description |
|---|---|
| Bandwidth Type | Windows Media Incoming: incoming Windows Media streaming content requests from end users. Windows Media Outgoing: outgoing Windows Media content from SEs. Movie Streamer Incoming: incoming Movie Streamer content requests from SEs or origin servers. Movie Streamer Outgoing: outgoing Movie Streamer content in response to RTSP requests from end users. |
| Bandwidth Rate | Maximum amount of bandwidth you want to allow (in kilobits per second). |
| Start Time | Time of day for the bandwidth rate setting to start, using a 24-hour clock in local time (hh:mm). |
| End Time | Time of day for the bandwidth rate setting to end (hh:mm). |
| Use Specific Days | Days of the week on which the configured bandwidth settings apply. Full Week applies the settings to the entire week; Sun, Mon, Tue, Wed, Thu, Fri, and Sat select specific days of the week. |
| Specific Day Range | Range of days of the week on which the configured bandwidth settings apply. Start day is the day of the week on which the allowable bandwidth starts; End day is the day of the week on which it ends. |
Step 4
Click
Submit
to save the settings.
To delete a bandwidth schedule, click the
Edit
icon for the group, then click the
Delete
icon in the task bar.
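How the Note in the Default and Maximum Bandwidth section and the schedule fields above combine, as an added Python example (not Cisco CDS code): the effective limit for a bandwidth type at a given moment is the minimum of the default, the licensed maximum, and any schedule active at that time, and a new stream is refused with the 453 reply once admitting it would exceed that limit. Two cases the page does not define are handled by assumption: a schedule whose End Time is earlier than its Start Time is treated as crossing midnight, and a Start day/End day range wraps around the week. The configuration values (DEFAULT_KBPS, MAX_KBPS, SCHEDULES) are constructed.

```python
"""Effective bandwidth limit and stream admission for one bandwidth type.

Added example, not Cisco CDS code. Follows the Note: the limit is the
minimum of default, licensed maximum and any active schedule. Midnight-
crossing windows and wrap-around day ranges are assumptions.
"""
from datetime import datetime, time

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)  # datetime.weekday() numbering
FULL_WEEK = frozenset(range(7))


def day_range(start_day, end_day):
    """'Specific Day Range': day_range(FRI, MON) -> {FRI, SAT, SUN, MON} (wraps; assumption)."""
    days, d = set(), start_day
    while True:
        days.add(d)
        if d == end_day:
            return days
        d = (d + 1) % 7


class BandwidthSchedule:
    def __init__(self, rate_kbps, start, end, days=FULL_WEEK):
        self.rate_kbps = rate_kbps
        self.start = time.fromisoformat(start)  # "hh:mm", 24-hour local time
        self.end = time.fromisoformat(end)
        self.days = frozenset(days)

    def active(self, at):
        """True if the schedule window covers the datetime `at`."""
        t, day = at.time(), at.weekday()
        if self.start <= self.end:
            return day in self.days and self.start <= t < self.end
        # Window crosses midnight: the part after Start Time belongs to the
        # scheduled day, the part before End Time to the following morning.
        started_today = day in self.days and t >= self.start
        started_yesterday = (day - 1) % 7 in self.days and t < self.end
        return started_today or started_yesterday


def effective_limit_kbps(default_kbps, max_kbps, schedules, at):
    """Minimum of default, licensed maximum and every schedule active at `at`."""
    active_rates = [s.rate_kbps for s in schedules if s.active(at)]
    return min([default_kbps, max_kbps] + active_rates)


def admit_stream(current_usage_kbps, stream_kbps, limit_kbps):
    """Admission check for a new stream; 453 is the 'Not enough bandwidth' reply."""
    if current_usage_kbps + stream_kbps > limit_kbps:
        return False, 453, f"bandwidth limit {limit_kbps} kbps reached, request dropped"
    return True, 200, "admitted"


# Constructed configuration: 100 Mbps default, 200 Mbps licensed maximum,
# and a 50 Mbps cap from 20:00 to 02:00 on Friday, Saturday and Sunday nights.
DEFAULT_KBPS, MAX_KBPS = 100_000, 200_000
SCHEDULES = [BandwidthSchedule(50_000, "20:00", "02:00", day_range(FRI, SUN))]


def limit_at(when_iso, default_kbps=DEFAULT_KBPS, max_kbps=MAX_KBPS, schedules=SCHEDULES):
    """Effective limit for the constructed configuration at an ISO 8601 local time."""
    return effective_limit_kbps(default_kbps, max_kbps, schedules, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    for when in ("2024-03-02T21:00", "2024-03-04T01:00", "2024-03-05T21:00"):
        limit = limit_at(when)
        print(when, limit, admit_stream(limit - 10_000, 30_000, limit))
```

Because the limit is a minimum, a schedule can only ever lower the rate below the default; raising the rate during a window requires raising the default as well.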
Bandwidth Graph
To view a graphical representation of the bandwidth settings, click the
Display Graph
icon in the task bar. The Application Bandwidth graph is displayed in a new window.
The vertical axis of the graph represents the amount of bandwidth in kilobits per second (kb/s), and the horizontal axis represents the days of the week. The units shown on the vertical axis are determined dynamically based on the bandwidth rate for a particular bandwidth type. The units shown on the horizontal axis represent 24 hours for each day of the week. Each type of bandwidth is represented by a different color. A legend at the bottom of the graph maps colors to the corresponding bandwidth type.
To view the graph by bandwidth type, detailed or composite view, or days of the week, click a view option in the text at the top of the window.
Table 4-18
describes the view options.
Table 4-18 Viewing Options for Content Services Bandwidth Graph

| View Option | Description |
|---|---|
| Windows Media In | Displays the bandwidth settings for incoming Windows Media traffic. |
| Windows Media Out | Displays the bandwidth settings for outgoing Windows Media traffic. |
| Movie Streamer In | Displays the bandwidth settings for incoming Movie Streamer traffic. |
| Movie Streamer Out | Displays the bandwidth settings for outgoing Movie Streamer traffic. |
| All Servers | Displays a consolidated view of all configured bandwidth types. This is the default view and is combined with the Full Week view. |
| Show Detailed Bandwidth / Show Effective Bandwidth | Toggles between the two options. Show Detailed Bandwidth displays the detailed bandwidth settings for the SE and its associated device groups, with the settings of the device and of the device groups shown in different colors for easy identification. Show Effective Bandwidth displays the composite (aggregate) bandwidth settings for the SE and its associated device groups. |
| Show Aggregate View / Show Non-Aggregate View | Toggles between the two options. Show Aggregate View displays the bandwidth settings configured for the corresponding device groups. Show Non-Aggregate View displays the bandwidth settings configured for the SE. |
| Sun, Mon, Tues, Wed, Thurs, Fri, Sat | Displays the bandwidth settings for the corresponding day of the week. |
| Full Week | Displays the bandwidth settings for the entire week. This is the default view and is combined with the All Servers view. |
Configuring Windows Media Streaming—General Settings
To configure the General Settings for Windows Media Streaming, do the following:
Step 1
Choose
Devices > Devices > Application Control > Windows Media Streaming > General Settings
. The Windows Media Streaming General Settings page is displayed (
Figure 4-13).
Figure 4-13 Windows Media Streaming Page—General Settings
Step 2
Enter the settings as appropriate. See
Table 4-19
for a description of the fields.
Table 4-19 Windows Media Streaming General Settings Fields

| Section | Field | Description |
|---|---|---|
| | Enable Windows Media Services | When checked, Windows Media Services is enabled. To disable services, uncheck the check box. |
| Windows Media Proxy Settings | Enable Outgoing HTTP Proxy | When enabled, allows an outgoing HTTP proxy server for streaming media in MMS format (MMS-over-HTTP). The Outgoing Proxy feature only works on the Content Acquirer in a delivery service. |
| | Outgoing HTTP Proxy Host Name and Port | Hostname, or IP address, and port of the outgoing HTTP proxy. Valid port numbers range from 1 to 65535. |
| | Enable Outgoing RTSP Proxy | When enabled, allows an outgoing RTSP proxy server for streaming media using RTSP. The Outgoing Proxy feature only works on the Content Acquirer in a delivery service. |
| | Outgoing RTSP Proxy Host Name and Port | Hostname, or IP address, and port of the outgoing RTSP proxy. Valid port numbers range from 1 to 65535. |
| | Enable Accelerate Proxy Cache Performance | When enabled, caching performance improvements are applied to the Windows Media proxy. |
| Windows Media General Settings | Disable HTTP Windows Media Traffic | To disallow streaming over HTTP, check the check box. |
| | Disable RTSPT WMT Traffic | To disallow streaming over RTSPT (RTSP using TCP), check the check box. |
| | Disable RTSPU WMT Traffic | To disallow streaming over RTSPU (RTSP using UDP), check the check box. |
| | Maximum Concurrent Connections: Override Default and Custom Value | To override the default maximum number of concurrent sessions, check the check box and enter a value in the Custom Value field. The default is 200 sessions. The range is from 1 to 40000. |
| | Enforce Maximum Outgoing Bitrate | Enforces the maximum stream bit rate for serving content when checked. |
| | Maximum Outgoing Bitrate | The maximum streaming bit rate that can be served, in kilobits per second (kbps). The range is from 1 to 2,147,483,647. The default is 0, which means no bit rate limit. |
| | Enforce Maximum Incoming Bitrate | Enforces the maximum incoming bit rate for receiving content when checked. |
| | Maximum Incoming Bitrate | The maximum streaming bit rate (kbps) that can be received. The range is from 1 to 2,147,483,647. The default is 0, which means no bit rate limit. |
| | Enable Accelerate Live-Split Performance | Enables performance improvements in live splitting for the Windows Media proxy. |
| | Enable Accelerate VOD Performance | Enables performance improvements in Video On Demand for the Windows Media proxy. |
| | Restrict HTTP Allowed Extensions | Allows you to add or remove permitted extensions. |
| | HTTP Allowed Extensions | List of allowable extensions for HTTP. You can add or delete filename extensions from this list with the following restrictions: each extension must be alphanumeric, with the first character being an alphabetic character; an extension cannot have more than 10 characters; and you cannot add more than 6 filename extensions to the allowed list. |
| | Enable Fast Start Feature | Enables Fast Start for MMS-over-HTTP or RTSP. |
| | Fast Start Max Bandwidth | Maximum bandwidth (kbps) allowed per Windows Media Player when Fast Start is used to serve packets to this player. The default is 3500. The range is from 1 to 65535. |
| | Enable Fast Cache | Enables Fast Cache for MMS-over-HTTP or RTSP. |
| | Fast Cache Max Delivery Rate | Maximum delivery rate (kbps) allowed per Windows Media Player when Fast Cache is used to deliver packets to this player. The default is 5. The range is from 1 to 65535. |
| Windows Media Multicast Settings | Number of hops to live | Number of hops to live for multicast Windows Media packets. The default is 5. The range is from 0 to 255. |
| Windows Media Advanced Client Settings | Idle Timeout | Number of seconds before an idle client connection times out. The default is 60. The range is from 30 to 300. |
| | Maximum Data Packet Size | Maximum packet size (in bytes) allowed. The default is 1500. The range is from 576 to 16,000. |
| Windows Media Advanced Server Settings | Enable Log Forwarding | Enables log forwarding to an upstream SE or Windows Media server. |
| | Inactive Timeout | Number of seconds before an idle connection to the upstream SE or Windows Media server times out. The default is 65535. The range is from 60 to 65535. |
| Windows Media Cache Settings | Enable | When checked, Windows Media cache settings are enabled. |
| | Max Object Size | The maximum content object size (in megabytes) the SE can cache. The default is 25600. The range is from 1 to 1000000. |
| | Age Multiplier | The age multiplier value (as a percentage) enables the SE to estimate the life of an object by multiplying the time since the object was last modified by a percentage to obtain an approximate expiration date. After this date, the object is considered stale, and subsequent requests cause a fresh retrieval by the SE. The default value is 30. The range is from 0 to 100. |
| | Maximum TTL | The maximum time-to-live for objects in the cache. The range is 1 to 157680000 seconds, 1 to 2628000 minutes, 1 to 43800 hours, or 1 to 1825 days. The default is 1 day. |
| | Minimum TTL | The minimum time-to-live (in minutes) for objects in the cache. The default is 60. The range is from 0 to 86400. |
| | Enable Re-evaluate Request | When checked, the cache is validated with the origin server instead of using heuristics. The cached content’s freshness is then revalidated every time the content is requested, which limits the effectiveness of the other cache settings and increases the time to start streaming the content. |
Step 3
Click
Submit
to save the settings.
To apply the factory default settings for the device, click the
Apply Defaults
icon in the task bar.
To remove the settings from the device, click the
Remove Settings
icon in the task bar.
Configuring Windows Media Streaming—Bypass List
Incoming bandwidth refers to the bandwidth between a local SE and the origin server. When the SE is configured for Windows Media proxy services, incoming bandwidth usage for Video On Demand (VOD) content is unpredictable. This unpredictability is because the consumption of incoming bandwidth for VOD content can be triggered arbitrarily by an end user requesting the content. If the VOD content is not found in the SE cache, a cache miss occurs, and the Windows Media proxy must fetch the content from the origin server. The SE administrator cannot predict the incoming bandwidth usage for such events, so a large number of cache-miss VOD requests can consume all of the incoming bandwidth.
The Windows Media incoming bandwidth bypass configuration allows the administrator to configure a list of hosts that bypass the incoming bandwidth limitation. Because a listed host is exempt from that limit, include only trusted origin servers in the list.
To configure the list of hosts for bypassing incoming bandwidth limits, do the following:
Step 1
Choose Devices > Devices > Application Control > Windows Media Streaming > Bypass List. The Bypass List page is displayed.
Step 2
In the
Windows Media BW Incoming Bypass List
field, enter up to four IP addresses or hostnames of hosts you want to bypass the incoming bandwidth check. Separate each entry with a space.
Step 3
Click
Submit
to save the settings.
To apply the factory default settings for the device, click the
Apply Defaults
icon in the task bar.
To remove the settings from the device, click the
Remove Settings
icon in the task bar.
Configuring Movie Streamer—General Settings
The Movie Streamer is an open-source, standards-based, streaming server that delivers hinted MPEG-4, hinted 3GPP, and hinted MOV files to clients over the Internet and mobile networks using the industry-standard RTP and RTSP.
To configure the general settings for Movie Streamer, do the following:
Step 1
Choose
Devices > Devices > Application Control > Movie Streamer > General Settings
. The Movie Streamer General Settings page is displayed.
Step 2
Enter the settings as appropriate. See
Table 4-20
for a description of the fields.
Table 4-20 Movie Streamer General Settings Fields

| Section | Field | Description |
|---|---|---|
| | Enable Movie Streamer Services | When checked, Movie Streamer Services is enabled. To disable services, uncheck the check box. |
| Movie Streamer Proxy Settings | Host Name | Hostname or IP address of the proxy server for Movie Streamer. |
| | Port | Port of the proxy server for Movie Streamer. Valid port numbers range from 1 to 65535. The default is 554. |
| Movie Streamer General Settings | Maximum Concurrent Connections: Override Default and Custom Value | To override the default maximum number of concurrent sessions, check the check box and enter a value in the Custom Value field. The default is 200 sessions. The range is from 1 to 40,000. |
| | Enforce Maximum Outgoing Bitrate | Enforces the maximum stream bit rate for serving content when checked. |
| | Maximum Outgoing Bitrate | The maximum streaming bit rate that can be served, in kilobits per second (kbps). The range is from 1 to 2147483647, depending on the hardware model. |
| | Enforce Maximum Incoming Bitrate | Enforces the maximum incoming bit rate for receiving content when checked. |
| | Maximum Incoming Bitrate | The maximum streaming bit rate (kbps) that can be received. The range is from 1 to 2147483647, depending on the hardware model. |
| | Enable Accelerate VOD Performance | Enables performance improvements in Video On Demand for the Movie Streamer proxy. |
| Movie Streamer Advanced Client Settings | Idle Timeout / RTP Timeout | The Idle Timeout and RTP Timeout fields are intended only for performance testing with tools that do not fully support the RTCP receiver report. Setting these timeouts to high values causes inefficient tear-down of client connections after the streaming sessions have ended. The Idle Timeout range is 0 to 300 and the RTP Timeout range is 30 to 180; this difference is by design. For typical deployments, leave both fields at their defaults: 300 for Idle Timeout and 180 for RTP Timeout. |
| Movie Streamer Cache Settings | Enable | When checked, Movie Streamer caches content on the SE and the cache settings are enabled. |
| | Age Multiplier | The age multiplier value (as a percentage) enables the SE to estimate the life of an object by multiplying the time since the object was last modified by a percentage to obtain an approximate expiration date. After this date, the object is considered stale, and subsequent requests cause a fresh retrieval by the SE. The default value is 30. The range is from 0 to 100. |
| | Maximum TTL | The maximum time-to-live for objects in the cache. The range is 1 to 157680000 seconds, 1 to 2628000 minutes, 1 to 43800 hours, or 1 to 1825 days. The default is 1 day. |
| | Enable Re-evaluate Request | When checked, the cache is validated with the origin server instead of using heuristics. |
Step 3
Click
Submit
to save the settings.
To apply the factory default settings for the device, click the
Apply Defaults
icon in the task bar.
To remove the settings from the device, click the
Remove Settings
icon in the task bar.
Configuring RTSP Advanced Settings
To configure RTSP advanced settings for Movie Streamer and Windows Media Streaming, do the following:
Step 1
Choose
Devices > Devices > Application Control > RTSP Advanced Settings
. The RTSP Advanced Settings page is displayed.
Step 2
Enter the settings as appropriate. See
Table 4-21
for a description of the fields.
Table 4-21 RTSP Advanced Settings Fields

| Field | Description |
|---|---|
| Maximum Initial Setup Delay | Maximum delay allowed (in seconds) between the TCP accept and the first RTSP message from the client. The default is 10 seconds. |
| Maximum Request Rate | Maximum number of incoming requests per second that the RTSP gateway allows. The default is 40 requests per second. |
Step 3
Click
Submit
to save the settings.
To apply the factory default settings for the device, click the
Apply Defaults
icon in the task bar.
To remove the settings from the device, click the
Remove Settings
icon in the task bar.
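The two RTSP limits above, as an added Python example (not Cisco CDS code): a gate that refuses a connection whose first RTSP message arrives later than the setup delay after TCP accept, and a one-second sliding window that refuses requests beyond the configured rate. The gate takes explicit timestamps so it can be exercised without waiting; how the SE itself measures the request rate is not described on this page, so the sliding window is an assumption.

```python
"""RTSP setup-delay and request-rate gate with the defaults from Table 4-21.

Added example, not Cisco CDS code. Timestamps are passed in explicitly
(seconds as floats) so the behaviour is deterministic; the one-second
sliding window is an assumption about how the rate is measured.
"""
from collections import deque


class RtspGate:
    def __init__(self, max_setup_delay_s=10.0, max_requests_per_s=40):
        self.max_setup_delay_s = max_setup_delay_s
        self.max_requests_per_s = max_requests_per_s
        self._window = deque()   # times of requests admitted within the last second

    def setup_ok(self, accepted_at, first_message_at):
        """False if the client sat idle after TCP accept for longer than the setup delay."""
        return first_message_at - accepted_at <= self.max_setup_delay_s

    def admit(self, now):
        """Sliding one-second window: True and counted if under the rate, else False."""
        while self._window and now - self._window[0] >= 1.0:
            self._window.popleft()
        if len(self._window) >= self.max_requests_per_s:
            return False
        self._window.append(now)
        return True

    def handle_connection(self, accepted_at, first_message_at):
        """Outcome for one connection: 'setup-timeout', 'rate-limited' or 'accepted'."""
        if not self.setup_ok(accepted_at, first_message_at):
            return "setup-timeout"
        return "accepted" if self.admit(first_message_at) else "rate-limited"


def burst_outcomes(gate, count, start=0.0, spacing=0.01):
    """Drive `count` connections at fixed spacing and return the list of outcomes."""
    return [gate.handle_connection(start + i * spacing, start + i * spacing)
            for i in range(count)]


if __name__ == "__main__":
    gate = RtspGate()
    outcomes = burst_outcomes(gate, 45)            # 45 connections within 0.45 s
    print(outcomes.count("accepted"), "accepted,", outcomes.count("rate-limited"), "rate-limited")
    print(gate.handle_connection(100.0, 111.0))    # first message 11 s after accept
```

A client that opens the TCP connection and then sends nothing is dropped by the setup check before it can hold a gateway slot, which is the slow-connection case the Maximum Initial Setup Delay exists for.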
Configuring Flash Media Streaming—General Settings
The Flash Media Streaming engine delivers Adobe Flash applications and video files, as well as MP3 audio files using HTTP and an Adobe proprietary protocol, RTMP. For more information, see the “Flash Media Streaming Engine” section.
Note Flash Media Streaming uses port 1935 for RTMP and RTMPE streaming. Flash Media Streaming also supports RTMPT and RTMPTE over port 80.
To enable Flash Media Streaming, do the following:
Step 1
Choose
Devices > Devices > Application Control > Flash Media Streaming > General Settings
. The Flash Media Streaming General Settings page is displayed.
Step 2
Check the
Enable Flash Media Streaming
check box.
Step 3
Enter the settings as appropriate. See
Table 4-22
for a description of the fields.
Table 4-22 Flash Media Streaming Fields

| Field | Description |
|---|---|
| Restricted Maximum Bandwidth | Maximum bandwidth allowed for Flash Media Streaming. The range is from 1000 to 8000000 kbps. The default is 200000. |
| Restricted Maximum Sessions | Maximum concurrent sessions the Flash Media Streaming engine supports. The range is from 1 to 15000. The default is 200. |
Step 4
Click
Submit
to save the settings.
To apply the factory default settings for the device, click the
Apply Defaults
icon in the task bar.
To remove the settings from the device, click the
Remove Settings
icon in the task bar.
Configuring Flash Media Streaming—FMS Administrator
To enable servers to send Flash Media Server (FMS) Administration API calls to this device, do the following:
Step 1
Choose
Devices > Devices > Application Control > Flash Media Streaming > FMS Admin Allow Hosts
. The FMS Admin Allow Hosts page is displayed.
Step 2
Check the
Enable
check box.
Step 3
In the
FMS Admin Allow Hosts
field, enter the IP addresses (space delimited) of the servers that are allowed to send Flash Media Server Administration API calls to this device. Because these APIs can manage the server, list only the management hosts that need this access.
The Adobe Flash Media Server Administration APIs and the Administration Console built on those APIs are supported. These APIs can be used to monitor and manage the Adobe Flash Media Server running on a Cisco CDS Service Engine.
Step 4
Click
Submit
to save the settings.
To apply the factory default settings for the device, click the
Apply Defaults
icon in the task bar.
To remove the settings from the device, click the
Remove Settings
icon in the task bar.
Configuring Flash Media Streaming—Service Monitoring
To enable Flash Media Streaming Service Monitoring, do the following:
Step 1
Choose
Devices > Devices > Application Control > Flash Media Streaming > Service Monitoring
. The Service Monitoring page is displayed.
Step 2
Check the
Enable Service Monitoring
check box.
Service Monitoring monitors the Flash Media Streaming engine memory usage. If the memory usage reaches the 1.5 GB limit for either the Flash Media Streaming core process or the Flash Media Streaming edge process, an alarm is raised and the Service Router does not redirect any new Flash Media Streaming requests to this SE.
Step 3
Click
Submit
to save the settings.
To apply the factory default settings for the device, click the
Apply Defaults
icon in the task bar.
To remove the settings from the device, click the
Remove Settings
icon in the task bar.
Configuring Web Engine HTTP Cache Freshness
To configure the web engine HTTP cache freshness, do the following:
Step 1
Choose
Devices > Devices > Application Control > Web > HTTP > HTTP Cache Freshness
. The HTTP Cache Freshness page is displayed (
Figure 4-14).
Figure 4-14 HTTP Cache Freshness Page
Step 2
Enter the settings as appropriate. See
Table 4-23
for a description of the fields.
Table 4-23 HTTP Cache Freshness Fields

| Field | Description |
|---|---|
| Enable | When checked, HTTP cache freshness is enabled. |
| Object Age Multiplier | The age multiplier value (as a percentage) enables the SE to estimate the life of an object by multiplying the time since the object was last modified by a percentage to obtain an approximate expiration date. After this date, the object is considered stale, and subsequent requests cause a fresh retrieval by the SE. The range is from 0 to 100. The default value is 30. |
| Max TTL Scale | The scale (seconds, minutes, hours, or days) to use for the Max Object TTL. The time-to-live (TTL) sets a ceiling on estimated expiration dates. If an object has an explicit expiration date, this takes precedence over the configured TTL. The default is days. |
| Max Object TTL | The maximum time-to-live (TTL) for objects in the cache. The range is 1 to 1825 days, 1 to 43800 hours, 1 to 2628000 minutes, or 1 to 157680000 seconds. The default is 1 day. |
| Minimum TTL | The minimum time-to-live (in minutes) for objects in the cache. The range is from 0 to 86400. The default value is 60. |
Step 3
Click
Submit
to save the settings.
To apply the factory default settings for the device, click the
Apply Defaults
icon in the task bar.
To remove the settings from the device, click the
Remove Settings
icon in the task bar.
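The following added example (not code from the Cisco guide) models how the four fields above combine into an expiration estimate: the age multiplier heuristic, raised to the Minimum TTL and capped at the Max Object TTL in the chosen scale, with an explicit expiration date taking precedence. It assumes the explicit date also bypasses the Minimum TTL floor, which the page does not state.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Seconds per unit for the Max TTL Scale setting.
SCALE_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}

# Allowed Max Object TTL range per scale, as listed in Table 4-23.
MAX_TTL_RANGE = {
    "days": (1, 1825),
    "hours": (1, 43800),
    "minutes": (1, 2628000),
    "seconds": (1, 157680000),
}


def validate_settings(age_multiplier_pct: int, max_ttl: int,
                      max_ttl_scale: str, min_ttl_minutes: int) -> None:
    """Reject values outside the ranges given on the HTTP Cache Freshness page."""
    if not 0 <= age_multiplier_pct <= 100:
        raise ValueError("Object Age Multiplier must be 0..100")
    if max_ttl_scale not in MAX_TTL_RANGE:
        raise ValueError("Max TTL Scale must be seconds, minutes, hours, or days")
    lo, hi = MAX_TTL_RANGE[max_ttl_scale]
    if not lo <= max_ttl <= hi:
        raise ValueError(f"Max Object TTL must be {lo}..{hi} {max_ttl_scale}")
    if not 0 <= min_ttl_minutes <= 86400:
        raise ValueError("Minimum TTL must be 0..86400 minutes")


def estimate_expiry(last_modified: datetime, fetched_at: datetime,
                    explicit_expires: Optional[datetime] = None,
                    age_multiplier_pct: int = 30, max_ttl: int = 61,
                    max_ttl_scale: str = "days",
                    min_ttl_minutes: int = 60) -> datetime:
    """Return the instant after which the cached object is treated as stale.

    Heuristic lifetime = age_multiplier% of (fetched_at - last_modified),
    raised to Minimum TTL and capped at Max Object TTL. An explicit expiration
    date on the object takes precedence over the heuristic. Assumption: the
    explicit date also bypasses the Minimum TTL floor (the page only says it
    overrides the configured TTL ceiling).
    """
    validate_settings(age_multiplier_pct, max_ttl, max_ttl_scale, min_ttl_minutes)
    if explicit_expires is not None:
        return explicit_expires
    heuristic = (fetched_at - last_modified) * (age_multiplier_pct / 100)
    floor = timedelta(minutes=min_ttl_minutes)
    ceiling = timedelta(seconds=max_ttl * SCALE_SECONDS[max_ttl_scale])
    lifetime = max(floor, min(heuristic, ceiling))
    return fetched_at + lifetime


def is_stale(expiry: datetime, now: datetime) -> bool:
    """True once 'now' has reached the computed expiry: the SE must refetch."""
    return now >= expiry


if __name__ == "__main__":
    # Constructed sample: object last modified 10 days before it was fetched,
    # so with the 30 percent default it is trusted for 3 more days.
    fetched = datetime(2024, 1, 11, tzinfo=timezone.utc)
    modified = fetched - timedelta(days=10)
    exp = estimate_expiry(modified, fetched)
    print("expires", exp.isoformat())
    print("stale after 2 days?", is_stale(exp, fetched + timedelta(days=2)))
```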
General Settings
The General Settings pages provide settings for access control of the device, maintenance, network connectivity, and monitoring. The configuring of general settings consists of the following procedures:
Configuring Content Management
To configure the maximum number of entries for cache content, do the following:
Step 1 Choose Devices > Devices > General Settings > Content Management. The Content Management page is displayed.
Step 2 Enter the settings as appropriate. See Table 4-24 for a description of the fields.
Table 4-24 Content Management Fields
| Field | Description |
|---|---|
| Max Cache Content Entries | Enter the maximum number of cached content entries allowed. The range is from 1 to 20,000,000. The default is 20,000,000. |
| Cache content eviction preferred size | By default, Content Manager prefers to keep small content objects over large content objects, because the overhead of fetching a small object is higher than that of a large object. The Cache content eviction preferred size default is large, which means that large files are evicted before small files. |
| Enable Eviction Protection | Check the Enable Eviction Protection check box to enable eviction protection. For more information, see the “Eviction Protection” section. |
| Minimum cache entry size to protect | From the Minimum cache entry size to protect drop-down list, select the minimum cache entry size (100 MB, 500 MB, 1 GB, or 4 GB) to protect from deletion. |
| Minimum duration to protect the content from eviction | From the Minimum duration to protect the content from eviction drop-down list, select the age (1 to 4 hours for the 100 MB size; 1, 4, 8, or 24 hours for all other sizes) of a content object to be protected from deletion. |
| Hit Count Decay Half Life | Enter the half-life period (in days) after which the hit count is decayed by half. The range is 1 to 30. The default is 14 days. By default, the decay mechanism halves the hit count of a content object every two weeks. |
| Threshold of Disk Failures Per Bucket | Enter the threshold, as a percentage, for disk failures in a bucket. The disks in each bucket are monitored, and if the threshold is exceeded, a minor alarm is raised. The range is 1 to 100. The default is 30. For more information, see the “Bucket Allocation” section. |
Step 3 Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
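An added model (not the SE's own Content Manager code) of the eviction-related fields in Table 4-24: stepwise hit-count halving per half-life, the size/duration protection rule, and an eviction ordering. The combined ordering (lowest decayed hit count first, large before small when the preferred size is large) and the reading of "1-4 hours" as whole hours are assumptions; the Entry fields are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

MB = 1024 * 1024
GB = 1024 * MB

# Protection choices offered on the Content Management page. Assumption: the
# "1-4 hours" offered for the 100 MB size means the whole-hour values 1, 2, 3, 4.
PROTECT_DURATIONS = {
    100 * MB: (1, 2, 3, 4),
    500 * MB: (1, 4, 8, 24),
    1 * GB: (1, 4, 8, 24),
    4 * GB: (1, 4, 8, 24),
}


@dataclass
class Entry:
    """One cached object (constructed fields, not the SE's real metadata)."""
    name: str
    size: int                  # bytes
    age_hours: float           # hours since the object entered the cache
    hits: int                  # hit count as last recorded
    days_since_counted: float  # days elapsed since that count was taken


def decayed_hits(hits: int, elapsed_days: float, half_life_days: int = 14) -> float:
    """Halve the hit count once per elapsed half-life (default 14 days)."""
    if not 1 <= half_life_days <= 30:
        raise ValueError("Hit Count Decay Half Life must be 1..30 days")
    return hits / (2 ** int(elapsed_days // half_life_days))


def is_protected(e: Entry, enabled: bool, min_size: int, min_hours: int) -> bool:
    """Eviction protection keeps young objects at or above min_size out of the candidate set."""
    if not enabled:
        return False
    if min_hours not in PROTECT_DURATIONS.get(min_size, ()):
        raise ValueError("unsupported size/duration combination")
    return e.size >= min_size and e.age_hours < min_hours


def eviction_order(entries: List[Entry], prefer: str = "large",
                   half_life_days: int = 14,
                   protection: Tuple[bool, int, int] = (False, 100 * MB, 1)) -> List[Entry]:
    """Unprotected entries, first candidate to evict first.

    Assumed ordering (the page states only the two ingredients): lowest decayed
    hit count first; ties broken by size, large objects before small ones when
    the preferred size is "large", the reverse when it is "small".
    """
    if prefer not in ("large", "small"):
        raise ValueError("preferred size must be 'large' or 'small'")
    sign = -1 if prefer == "large" else 1
    candidates = [e for e in entries if not is_protected(e, *protection)]
    return sorted(candidates, key=lambda e: (
        decayed_hits(e.hits, e.days_since_counted, half_life_days), sign * e.size))


def evict_until(entries: List[Entry], bytes_needed: int, **kwargs) -> List[str]:
    """Names of the entries evicted, in order, until bytes_needed has been freed."""
    freed, victims = 0, []
    for e in eviction_order(entries, **kwargs):
        if freed >= bytes_needed:
            break
        victims.append(e.name)
        freed += e.size
    return victims


if __name__ == "__main__":
    # Constructed cache: a large fresh object, a small object, and an older
    # popular one whose 100 hits have decayed twice (28 days) down to 25.
    cache = [
        Entry("movie.mp4", 2 * GB, 2.0, 10, 0.0),
        Entry("thumb.jpg", 50 * MB, 30.0, 10, 0.0),
        Entry("promo.flv", 300 * MB, 200.0, 100, 28.0),
    ]
    print([e.name for e in eviction_order(cache)])
    # With protection (1 GB, 4 hours) the 2-hour-old movie is exempt.
    print(evict_until(cache, 1 * GB, protection=(True, 1 * GB, 4)))
```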
Login Access Control
Login authentication and authorization are used to control user access and configuration rights to CDSMs, SEs, and SRs. Login authentication is the process by which the devices verify whether the person who is attempting to log in to the device has a valid username and password. The person logging in must have a user account registered with the device. User account information serves to authorize the user for login and configuration privileges. The user account information is stored in an authentication, authorization, and accounting (AAA) database, and the devices must be configured to access the particular authentication server (or servers) where the AAA database is kept.
In a CDS network, user accounts can be created for access to the CDSM and, independently, for access to the SEs and SRs that are registered to the CDSM. For user accounts that access the CDSM, see the “Configuring AAA” section.
Login Authentication
Login authentication provides the configuration for independent logins; in other words, login access to the device only.
Login authentication can also be used to log in to the CDSM GUI. When logging in to the CDSM GUI with an external user account (RADIUS or TACACS+), the user is authenticated by the external database. After the external user is authenticated, its role depends on the privilege configured in the external database (zero [0] means a normal user and 15 means a super user). The privilege level of 0 or 15 is mapped to the read-only or admin user role in the CDSM GUI. No CDSM local user is created in the CDSM database for the external user that logs in, so the external user cannot be managed by the CDSM GUI.
Note If you plan to use a RADIUS server or a TACACS+ server for authentication, you must configure the server settings before you configure and submit these settings. See the “Configuring RADIUS Server Settings” section and the “Configuring TACACS+ Server Settings” section for more information.
When the primary login server and the primary enable server are set to local, usernames and passwords are local to each device. Local authentication and authorization uses locally configured login and passwords to authenticate login attempts.
Note If the Enable Failover Server Unreachable option is enabled, it applies to both the login authentication methods and the exec authorization methods.
If you are going to use different servers for login authentication and enable authentication (for example, local for login authentication and RADIUS for the enable authentication), then the username and password must be the same for both servers.
By default, local login authentication is enabled. You can disable local login authentication only after enabling one or more of the other login authentication servers. However, when local login authentication is disabled, if you disable all other login authentication methods, a warning message is displayed stating “At least one authentication method is required to select for login.”
Caution Make sure that RADIUS or TACACS+ authentication is configured and operating correctly before disabling local authentication and authorization. If you disable local authentication and RADIUS or TACACS+ is not configured correctly, or if the RADIUS or TACACS+ server is not online, you may be unable to log in to the device.
To configure the login authentication and enable authentication schemes for the device, do the following:
Step 1 Choose Devices > Devices > General Settings > Login Access Control > Login Authentication. The Login Authentication page is displayed.
Step 2 Enter the settings as appropriate. See Table 4-25 for a description of the fields.
Table 4-25 Login Authentication Fields
| Field | Description |
|---|---|
| Login Authentication Settings | |
| Enable Failover Server Unreachable | If Enable Failover Server Unreachable is enabled, the following applies: only two login authentication schemes (a primary and a secondary scheme) are allowed on the device, and the device fails over from the primary authentication scheme to the secondary authentication scheme only if all specified authentication servers of the primary scheme are unreachable. Conversely, if the option is disabled, the device contacts the secondary authentication database regardless of the reason the authentication failed with the primary authentication database. Note: To use this option, you must set TACACS+ or RADIUS as the primary authentication method and local as the secondary authentication method. |
| Authentication Login Servers | When enabled, login authentication servers are used to authenticate user logins and to determine whether the user has access permissions to the device. Check this option and set one or more login servers for login authentication. If this option is unchecked, local authentication is used by default. Up to three servers can be configured. Note: If local is selected for any of the login servers, the password configured for the username is used to authenticate the user. See the “Creating, Editing, and Deleting Users—Usernames” section. |
| Primary Login Server | Choose local, RADIUS, or TACACS+. |
| Secondary Login Server | Choose local, RADIUS, or TACACS+. |
| Tertiary Login Server | Choose local, RADIUS, or TACACS+. |
| Enable Authentication Settings | |
| Primary Enable Server | The enable server is used to allow normal users to enter privileged EXEC mode. Choose local, RADIUS, or TACACS+. |
| Secondary Enable Server | Choose local, RADIUS, or TACACS+. |
| Tertiary Enable Server | Choose local, RADIUS, or TACACS+. |
| Local Enable Password | Set the local enable password that normal users enter to obtain privileged EXEC mode from the local enable server. If multiple authorization methods are configured, the SE tries to authenticate the enable password by way of each configured method until one of them is successful. |
Step 3 Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
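An added simulation (not Cisco code) of the failover behaviour described in Table 4-25 and of the privilege-to-role mapping described above. It makes visible the point a reviewer of this setting cares about: with Enable Failover Server Unreachable on, a rejection from the external server is final and only unreachable servers cause the local database to be consulted; with it off, a rejected credential is retried against the next scheme. The ordering of servers within one scheme and the Reply values are constructed assumptions.

```python
from enum import Enum
from typing import Dict, List, Tuple


class Reply(Enum):
    ACCEPT = "accept"            # server answered: credentials valid
    REJECT = "reject"            # server answered: credentials invalid
    UNREACHABLE = "unreachable"  # no answer within the timeout


EXTERNAL = {"RADIUS", "TACACS+"}


def cdsm_role_for_privilege(level: int) -> str:
    """Map the privilege level of an external (RADIUS/TACACS+) account to a CDSM GUI role."""
    if level == 15:
        return "admin"
    if level == 0:
        return "read-only"
    raise ValueError("only privilege levels 0 and 15 are mapped by the CDSM GUI")


def login(schemes: List[str], replies: Dict[str, List[Reply]],
          failover_server_unreachable: bool) -> Tuple[Reply, str]:
    """Walk the configured login servers the way Table 4-25 describes.

    schemes: ordered list such as ["TACACS+", "local"] (at most three).
    replies: per scheme, the constructed reply from each server of that scheme
             (one entry for local, one per configured RADIUS/TACACS+ server).
    Returns (final reply, scheme that produced it).
    """
    if not schemes:
        raise ValueError("at least one login authentication method is required")
    if failover_server_unreachable:
        # The page restricts this option to exactly two schemes, external then local.
        if len(schemes) != 2:
            raise ValueError("only a primary and a secondary scheme are allowed")
        if schemes[0] not in EXTERNAL or schemes[1] != "local":
            raise ValueError("primary must be RADIUS or TACACS+, secondary must be local")
    last = Reply.UNREACHABLE
    for scheme in schemes:
        # Assumption: servers of one scheme are tried in order until one answers.
        answered = next((r for r in replies.get(scheme, [])
                         if r != Reply.UNREACHABLE), None)
        if answered is None:
            last = Reply.UNREACHABLE
            continue  # every server of this scheme was unreachable: fail over
        if answered == Reply.ACCEPT or failover_server_unreachable:
            # With the option enabled a definite REJECT is final; the local
            # database is never consulted for a credential the external server refused.
            return answered, scheme
        last = answered  # option disabled: a REJECT also falls through to the next scheme
    return last, schemes[-1]


if __name__ == "__main__":
    tacacs_down = {"TACACS+": [Reply.UNREACHABLE, Reply.UNREACHABLE], "local": [Reply.ACCEPT]}
    tacacs_refuses = {"TACACS+": [Reply.REJECT], "local": [Reply.ACCEPT]}
    print(login(["TACACS+", "local"], tacacs_down, True))      # local accepts
    print(login(["TACACS+", "local"], tacacs_refuses, True))   # REJECT is final
    print(login(["TACACS+", "local"], tacacs_refuses, False))  # local is consulted
    print(cdsm_role_for_privilege(15), cdsm_role_for_privilege(0))
```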
Exec Authorization
Exec authorization provides the configuration for determining the services allowed for each user that logs in to the device.
Exec authorization can also be used to determine the services the user has for the CDSM GUI. When logging in to the CDSM GUI with an external user account (RADIUS or TACACS+), the user is authenticated by the external database. After the external user is authenticated, its role depends on the privilege configured in the external database (zero [0] means a normal user and 15 means a super user). The privilege level of 0 or 15 is mapped to the read-only or admin user role in the CDSM GUI. No CDSM local user is created in the CDSM database for the external user that logs in, so the external user cannot be managed by the CDSM GUI.
Note If you plan to use a TACACS+ server for authorization, you must configure the server settings before you configure and submit these settings. See the “Configuring RADIUS Server Settings” section and the “Configuring TACACS+ Server Settings” section for more information.
When the primary authorization server is set to local, usernames and passwords are local to each device. Local authorization uses locally configured login and passwords to authorize services for the user.
Note If the Enable Failover Server Unreachable option is enabled, it applies to both the login authentication methods and the exec authorization methods.
If you are going to use different servers for login authentication and enable authentication (for example, local for login authentication and RADIUS for the enable authentication), then the username and password must be the same for both servers.
Caution Make sure that RADIUS or TACACS+ authentication is configured and operating correctly before disabling local authentication and authorization. If you disable local authentication and RADIUS or TACACS+ is not configured correctly, or if the RADIUS or TACACS+ server is not online, you may be unable to log in to the device.
To configure the exec authorization schemes for the device, do the following:
Step 1 Choose Devices > Devices > General Settings > Login Access Control > Exec Authorization. The Exec Authorization page is displayed.
Step 2 Enter the settings as appropriate. See Table 4-26 for a description of the fields.
Table 4-26 Exec Authorization Fields
| Field | Description |
|---|---|
| Authorization Exec Servers | When enabled, authorization exec servers are used to authorize services for logged-in users. Check this option and set one or more servers for exec authorization. If this option is unchecked, local authentication is used by default. Up to three servers can be configured. Note: If a user encounters a failure during EXEC (shell) startup authorization, the user fails to log in to the SE even if the user passed the login authentication. |
| Primary Exec Server | Choose local, RADIUS, or TACACS+. |
| Secondary Exec Server | Choose local, RADIUS, or TACACS+. |
| Tertiary Exec Server | Choose local, RADIUS, or TACACS+. |
| Primary Enable Server | The enable server determines whether a normal user can enter privileged EXEC mode. Choose local, RADIUS, or TACACS+. |
| Normal User Commands | Choose Enable or Enable if Authenticated. The Enable if Authenticated option turns off authorization on the TACACS+ server, and authorization is granted to any Normal user who is authenticated. |
| Super User Commands | Choose Enable or Enable if Authenticated. The Enable if Authenticated option turns off authorization on the TACACS+ server, and authorization is granted to any Super user who is authenticated. |
| Enable Config Commands | Check the Enable Config Commands check box to enable authorization of configuration mode commands. By default, this option is disabled, which means all configuration commands issued are allowed. |
| Enable Console Config | Check the Enable Console Commands check box to enable authorization of all commands issued on a console TTY connection. By default, this option is disabled, which means commands issued through a console TTY connection always succeed. |
Note The following commands bypass authorization and accounting: CTRL+C, CTRL+Z, exit, end, and all configuration commands for entering a submode (for example, interface GigabitEthernet 1/0).
Step 3 Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Configuring SSH
Secure Shell (SSH) consists of a server and a client program. Like Telnet, you can use the client program to remotely log in to a machine that is running the SSH server. However, unlike Telnet, messages transported between the client and the server are encrypted. The functionality of SSH includes user authentication, message encryption, and message authentication.
The SSH page allows you to specify the key length and login grace time.
To enable the SSH daemon, do the following:
Step 1 Choose Devices > Devices > General Settings > Login Access Control > SSH. The SSH page is displayed.
Step 2 Check Enable to enable the SSH feature. SSH enables login access to the device through a secure and encrypted channel.
Step 3 In the Length of Key field, specify the number of bits needed to create an SSH key. The default is 2048.
Step 4 In the Login Grace Time field, specify the number of seconds the server waits for the user to successfully log in before it ends the connection. The authentication procedure must be completed within this time limit. The default is 300 seconds.
Note When changing the Login Grace Time, you need to first uncheck the Enable check box and click Submit. Enter the new Login Grace Time, check Enable, and click Submit.
Step 5 Select the SSH version.
a. To allow clients to connect using SSH protocol version 1, check the Enable SSHv1 check box.
b. To allow clients to connect using SSH protocol version 2, check the Enable SSHv2 check box.
Note You can enable both SSHv1 and SSHv2, or you can enable one version and not the other. You cannot disable both versions of SSH unless you disable the SSH feature by unchecking the Enable check box.
Step 6 Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Enabling Telnet
To enable the Telnet service, do the following:
Step 1 Choose Devices > Devices > General Settings > Login Access Control > Telnet. The Telnet page is displayed.
Step 2 Check Telnet Enable to enable the terminal emulation protocol for remote terminal connections.
Step 3 Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Setting the Message of the Day
The Message of the Day (MOTD) feature enables you to provide information bits to the users when they log in to a device. There are three types of messages that you can set up:
- MOTD banner
- EXEC process creation banner
- Login banner
To configure the Message of the Day settings, do the following:
Step 1 Choose Devices > Devices > General Settings > Login Access Control > Message of the Day. The MOTD page is displayed.
Step 2 Check Enable to enable the MOTD settings. The Message of the Day (MOTD) Banner, EXEC Process Creation Banner, and Login Banner fields become enabled.
Step 3 In the Message of the Day (MOTD) Banner field, enter the string that you want to display as the MOTD banner when a user attempts to log in to the device.
Note In the Message of the Day (MOTD) Banner, EXEC Process Creation Banner, and Login Banner fields, you can enter a maximum of 980 characters. A new line character (or Enter) is counted as two characters, because the system interprets it as \n. You cannot use special characters such as `, %, ^, and " in the MOTD text.
Step 4 In the EXEC Process Creation Banner field, enter the string to be displayed as the EXEC process creation banner when a user enters the EXEC shell of the device.
Step 5 In the Login Banner field, enter the string to be displayed after the MOTD banner when a user attempts to log in to the device.
Step 6 Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Changing the CLI Session Time
To change the CLI session time, do the following:
Step 1 Choose Devices > Devices > General Settings > Login Access Control > CLI Session Time. The CLI Session Time page is displayed.
Step 2 In the CLI Session Time field, enter the time (in minutes) that the device waits for a response before ending the session.
Step 3 Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Changing Users—Admin Password
Every device (CDSM, SE, and SR) has a built-in user account. The username is admin and the default password is default. This account allows access to all services and entities in the CDS. Any user that can access the Admin Password page in the CDSM can configure a new password for the administrator user account on individual SEs and SRs.
To change the Admin password, do the following:
Step 1 Choose Devices > Devices > General Settings > Login Access Control > Users > Admin Password. The Admin Password page is displayed.
Step 2 In the Password field, enter a new password.
The following characters are not allowed: ?./;[]{}"@=|
Step 3 In the Confirm Password field, re-enter the password.
Step 4 Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Creating, Editing, and Deleting Users—Usernames
You can create, edit, and delete user accounts for login access to individual devices or device groups. A privilege profile must be assigned to each new user account. The Usernames page uses privilege profiles to determine which tasks a user can perform and the level of access provided. Users with administrative privileges can add, delete, or modify user accounts through the CDSM or the device CLI.
To create, edit, or delete a user account, do the following:
Step 1 Choose Devices > Devices > General Settings > Login Access Control > Users > Usernames. The User Table page is displayed.
The table is sortable by clicking the column headings.
For information about Aggregate Settings, see the “Aggregate Settings” section.
Step 2 Click the Create New icon in the task bar. The Local User page is displayed.
To edit a local user, click the Edit icon next to the name you want to edit.
Step 3 Enter the settings as appropriate. See Table 4-27 for a description of the fields.
Table 4-27 Local User Fields
| Field | Description |
|---|---|
| Username | Name of the user. |
| Password | User password. |
| Confirm Password | Re-enter the user password. |
| Privilege | There are two types of predefined privilege profiles. Normal user: the user has read access and can see some of the SE, SR, or CDSM settings. Superuser: the user has administrative privileges, such as creating new users and modifying the SE, SR, or CDSM settings. |
Step 4 Click Submit to save the settings.
To delete a user, click the Edit icon for the user, then click the Delete icon in the task bar.
Authentication
User authentication and authorization (configuration rights) data can be maintained in any combination of these three databases:
- Local database (located on the device)
- RADIUS server (external database)
- TACACS+ server (external database)
The Login Authentication page allows you to choose an external access server or the internal (local) device-based authentication, authorization, and accounting (AAA) system for user access management. You can choose one method or a combination of the three methods. The default is to use the local database for authentication.
Configuring RADIUS Server Settings
Note The CDSM does not cache user authentication information. Therefore, the user is reauthenticated against the Remote Authentication Dial In User Service (RADIUS) server for every request. To prevent performance degradation caused by many authentication requests, install the CDSM in the same location as the RADIUS server, or as close as possible to it, to ensure that authentication requests can occur as quickly as possible.
To configure the RADIUS server settings, do the following:
Step 1 Choose Devices > Devices > General Settings > Authentication > RADIUS Server. The RADIUS Server Settings page is displayed.
Step 2 Enter the settings as appropriate. See Table 4-28 for a description of the fields.
Table 4-28 RADIUS Server Settings Fields
| Field | Description |
|---|---|
| Enable Radius Authentication | Enables RADIUS authentication. |
| Time to wait | Number of seconds to wait for a response before timing out on a connection to a RADIUS server. The range is from 1 to 20. The default is 5. |
| Number of retransmits | Number of attempts allowed to connect to a RADIUS server. The default is 2. |
| Enable redirect | Redirects an authentication response to a different authentication server if an authentication request using the RADIUS server fails. |
| Redirect Message [1-3] | Message sent to the user if redirection occurs. Note: If the redirect message contains a space, it must be enclosed in quotes (" "). |
| Location [1-3] | Sets an HTML page location. This is the URL destination of the redirect message that is sent when authentication fails. |
| Shared Encryption Key | Encryption key shared with the RADIUS server. The maximum number of characters allowed is 15. |
| Server Name [1-5] | IP address or hostname of the RADIUS server. |
| Server Port [1-5] | Port number on which the RADIUS server is listening. The default is 1645. |
Step 3 Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
To use RADIUS for login authentication and authorization, see the “Login Authentication” section.
Configuring TACACS+ Server Settings
Note The CDSM does not cache user authentication information. Therefore, the user is reauthenticated against the Terminal Access Controller Access Control System Plus (TACACS+) server for every request. To prevent performance degradation caused by many authentication requests, install the CDSM in the same location as the TACACS+ server, or as close as possible to it, to ensure that authentication requests can occur as quickly as possible.
To configure the TACACS+ server settings, do the following:
Step 1 Choose Devices > Devices > General Settings > Authentication > TACACS+ Server. The TACACS+ Server Settings page is displayed.
Step 2 Enter the settings as appropriate. See Table 4-29 for a description of the fields.
Table 4-29 TACACS+ Server Settings Fields
| Field | Description |
|---|---|
| Enable TACACS+ Servers | Enables TACACS+ authentication. |
| Use ASCII Password Authentication | Changes the default password type from Password Authentication Protocol (PAP) to ASCII clear text format. |
| Time to wait | Number of seconds to wait for a response before timing out on a connection to a TACACS+ server. The range is from 1 to 20. The default is 5. |
| Number of retransmits | Number of attempts allowed to connect to a TACACS+ server. The default is 2. |
| Security Word | Encryption key shared with the TACACS+ server. The range is from 1 to 99. An empty string is the default. |
| Primary Server | IP address or hostname of the primary TACACS+ server. |
| Secondary Server, Tertiary Server | IP address or hostname of a backup TACACS+ server. Up to two backup servers are allowed. |
Step 3 Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
To use TACACS+ for login authentication and authorization, see the “Login Authentication” section.
Configuring AAA Accounting
Accounting tracks all user actions and when the action occurred. It can be used for an audit trail or for billing for connection time or resources used (bytes transferred).
The CDS accounting feature uses TACACS+ server logging. Accounting information is sent to the TACACS+ server only, not to the console or any other device. The syslog file on the SE logs accounting events locally. The format of events stored in the syslog is different from the format of accounting messages.
The TACACS+ protocol allows effective communication of AAA information between SEs and a central TACACS+ server. It uses TCP for reliable connections between clients and servers. SEs send authentication and authorization requests, as well as accounting information to the TACACS+ server.
Note Before you can configure the AAA accounting settings for a device, you must first configure a TACACS+ server for the device. See the “Configuring TACACS+ Server Settings” section.
Note The CDSM does not cache user authentication information. Therefore, the user is reauthenticated against the Terminal Access Controller Access Control System Plus (TACACS+) server for every request. To prevent performance degradation caused by many authentication requests, install the CDSM in the same location as the TACACS+ server, or as close as possible to it, to ensure that authentication requests can occur as quickly as possible.
To configure the AAA accounting settings, do the following:
Step 1 Choose Devices > Devices > General Settings > Authentication > AAA Accounting. The AAA Accounting Settings page is displayed.
Step 2 Enter the settings as appropriate. See Table 4-30 for a description of the fields.
Table 4-30 AAA Accounting Settings Fields
| Field | Description |
|---|---|
| System Events | Enables accounting records on the TACACS+ server about system events, such as system reboot, interface up or down states, and accounting configuration enabled or disabled. From the System Events drop-down list, choose start-stop or stop-only. The start-stop option records events when they start and when they stop; the stop-only option records events only when they stop. |
| Exec Shell Events | Enables accounting records on the TACACS+ server about user EXEC terminal sessions, including username, date, and start and stop times. From the Exec Shell Events drop-down list, choose start-stop or stop-only. The start-stop option records events when they start and when they stop; the stop-only option records events only when they stop. |
| Normal User Commands | Enables accounting records on the TACACS+ server for Normal users using commands in EXEC mode. From the Normal User Commands drop-down list, choose start-stop or stop-only. The start-stop option records events when they start and when they stop; the stop-only option records events only when they stop. |
| Super User Commands | Enables accounting records on the TACACS+ server for Super users using commands in EXEC mode. From the Super User Commands drop-down list, choose start-stop or stop-only. The start-stop option records events when they start and when they stop; the stop-only option records events only when they stop. |
Step 3 Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Configuring an Access Control List
To configure an access control list (ACL) for group authorization, do the following:
Step 1 Choose Devices > Devices > General Settings > Authentication > Access Control List > Configure Access Control List. The Access Control List Table page is displayed.
The table is sortable by clicking the column headings.
Step 2 Click the Create New icon in the task bar. The Configure Access Control List page is displayed.
To edit a group, click the Edit icon next to the name you want to edit.
Step 3 Enter the settings as appropriate. See Table 4-31 for a description of the fields.
Table 4-31 Access Control List Fields
| Field | Description |
|---|---|
| Action | Whether to permit or deny access for this group. |
| Group Name | If this action is for all groups, choose Any Group Name. If this action is for a specific group, choose Enter Group Name and enter the group name in the field. |
| Change Position | To change the order of this group in the access control list, which is displayed in the Access Control List Table page, click Change Position. |
Step 4 Click Submit to save the settings.
To delete a group, click the Edit icon for the group, then click the Delete icon in the task bar.
Step 5 From the left-panel menu, choose Enable Access Control List. The Enable Access Control List page is displayed.
Step 6 Check the Enable Access Control List check box and click Submit.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
To move a group up or down in the Access Control List table, click the Up arrow or Down arrow in the Move column.
The ACL can be applied from the device or from a device group. The source of the currently applied settings is shown in the Access Control List Table page.
Scheduling Database Maintenance
The database maintenance runs at the scheduled time only when the following three conditions are satisfied:
- The last vacuum process happened more than 30 minutes in the past.
- The percent increase in disk space usage is greater than 10 percent.
- The available free disk space is greater than 10 percent of the total disk space.
If any of these conditions is not satisfied, the database maintenance does not run at the scheduled time.
To schedule a database cleaning or reindexing, do the following:
Step 1 Choose Devices > Devices > General Settings > Database Maintenance. The Database Maintenance Settings page is displayed.
Step 2 Enter the settings as appropriate. See Table 4-32 for a description of the fields.
Table 4-32 Database Maintenance Settings Fields
| Field | Description |
|---|---|
| Full Database Maintenance Settings | |
| Enable | When enabled, a full database maintenance routine is performed on the device. |
| Every Day, Sun-Sat | The days of the week when the maintenance is performed. When Every Day is enabled, all days of the week are also enabled. |
| At (time) | Time of day the maintenance is performed. Time is entered in 24-hour format as hh:mm. The default is 04:00. |
| Regular Database Maintenance Settings | |
| Enable | When enabled, a re-indexing routine is performed on the device. |
| Every Day, Sun-Sat | The days of the week when the maintenance is performed. When Every Day is enabled, all days of the week are also enabled. |
| At (time) | Time of day the maintenance is performed. Time is entered in 24-hour format as hh:mm. The default is 02:00. |
Step 3 Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Setting Storage Handling
The Storage option offers disk error-handling settings.
Enabling Disk Error Handling
The Disk Error Handling page allows you to configure how disk errors are handled, and to define disk error-handling thresholds for bad sectors and disk errors.
The Threshold for Bad Sectors and the Threshold for Disk Errors counts only apply to bad sectors and disk errors detected since the last reboot of the device. These counts do not persist across a device reboot (reload).
If the Enable Disk Error Handling Reload option is enabled and the disk drive is marked bad because the disk error-handling threshold (bad sectors or disk errors) was reached, the device is automatically reloaded. Following the device reload, the bad sector and disk error threshold counts are reset, and a syslog message and an SNMP trap are generated.
If a critical disk drive is marked bad, the redundancy of the system disks for this device is affected. Critical disks are disks with SYSTEM partitions. However, drives with SYSTEM partitions use RAID1. With the RAID system, if the critical primary disk fails, the other mirrored disk (mirroring only occurs for SYSTEM partitions) seamlessly continues operation. There is a separate alarm for bad RAID. The SMART statistics that are returned by the show disks SMART-info detail command include sector errors directly reported by the drive itself.
For more information about the SMART sector errors, latent sector handling, and the disk repair command, see the “Disk Maintenance” section.
Note We do not recommend enabling the Enable Disk Error Handling Reload option, because the software state may be lost when the device is reloaded.
To configure a disk error-handling method, do the following:
Step 1
Choose Devices > Devices > General Settings > Storage > Disk Error Handling. The Disk Error Handling Settings page is displayed.
Step 2
Check the Enable check box.
Step 3
Check the Enable Disk Error Handling Reload check box if you want the device to reload when a disk has problems.
Step 4
Check the Enable Disk Error Handling Threshold check box if you want to set the number of disk errors allowed before the disk is marked bad, and enter the following:
a. In the Threshold for Bad Sectors field, enter the number of allowed bad sectors before marking the disk bad. This threshold only applies to bad sectors detected since the last reboot of the device. The range is 0 to 100. The default threshold is 15.
b. In the Threshold for Disk Errors field, enter the number of allowed disk errors before marking the disk bad. This threshold only applies to disk and sector errors detected since the last reboot of the device. The range is from 0 to 100,000. The default is 500.
Note When both Threshold for Bad Sectors and Threshold for Disk Errors are set to 0, the disk is never marked bad when bad sectors or disk errors are detected, and the disk_failure alarm is not raised. A disk with SYSTEM partitions uses RAID1. There is a separate alarm for bad RAID.
Step 5
Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
The Disk Failure Percentage Threshold field on the Service Monitor page sets the overall percentage of CDNFS disk failures. When the percentage of failed disks exceeds this threshold (the default is 75), no further requests are sent to this device. The Disk Failure Threshold setting is only for the CDNFS disks. For more information, see the “Setting Service Monitor Thresholds” section.
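The threshold rules in Step 4 and the Note that follows it (a threshold of 0 disables that counter, counts apply only since the last reboot, an optional device reload that resets the counts and emits a syslog message and an SNMP trap) can be modelled as a small state machine. The following Python code is an added example, not the device firmware or any code from this guide; the class and function names are constructed, and the interpretation of "reached" as "count equals or exceeds the threshold" is an assumption, as is the decision that a reload resets the counts but not the bad mark itself.

```python
from dataclasses import dataclass, field


@dataclass
class DiskErrorPolicy:
    """Mirrors the Disk Error Handling settings; defaults are the guide's."""
    threshold_enabled: bool = True
    bad_sectors: int = 15          # allowed bad sectors, range 0 to 100
    disk_errors: int = 500         # allowed disk errors, range 0 to 100,000
    reload_enabled: bool = False   # the guide recommends leaving this off

    def __post_init__(self):
        if not 0 <= self.bad_sectors <= 100:
            raise ValueError("Threshold for Bad Sectors must be 0 to 100")
        if not 0 <= self.disk_errors <= 100_000:
            raise ValueError("Threshold for Disk Errors must be 0 to 100,000")


@dataclass
class DiskState:
    name: str
    bad_sector_count: int = 0      # counts since the last reboot only
    disk_error_count: int = 0
    marked_bad: bool = False
    events: list = field(default_factory=list)


def reload_device(disk):
    """A reload resets both threshold counts and generates a syslog message
    and an SNMP trap. Assumption: the bad mark is not cleared here, because
    the guide only states that the counts reset."""
    disk.bad_sector_count = 0
    disk.disk_error_count = 0
    disk.events.append("syslog: device reloaded after disk %s was marked bad" % disk.name)
    disk.events.append("snmp-trap: disk %s marked bad" % disk.name)


def record_errors(policy, disk, bad_sectors=0, disk_errors=0):
    """Add newly detected errors and apply the policy. Returns 'none',
    'marked_bad' or 'reload'. A threshold of 0 disables that counter; with
    both at 0 the disk is never marked bad and disk_failure is never raised."""
    disk.bad_sector_count += bad_sectors
    disk.disk_error_count += disk_errors
    if disk.marked_bad or not policy.threshold_enabled:
        return "none"
    # Assumption: 'reached' means the count equals or exceeds the threshold.
    reached = ((policy.bad_sectors > 0 and disk.bad_sector_count >= policy.bad_sectors)
               or (policy.disk_errors > 0 and disk.disk_error_count >= policy.disk_errors))
    if not reached:
        return "none"
    disk.marked_bad = True
    disk.events.append("alarm: disk_failure on %s" % disk.name)
    if policy.reload_enabled:
        reload_device(disk)
        return "reload"
    return "marked_bad"


if __name__ == "__main__":
    policy = DiskErrorPolicy()          # 15 bad sectors, 500 errors, no reload
    disk = DiskState("disk01")          # constructed disk name
    print(record_errors(policy, disk, bad_sectors=14))   # none
    print(record_errors(policy, disk, bad_sectors=1))    # marked_bad
    print(disk.events)
```

The reset-on-reload behaviour is the point to notice from a monitoring perspective: with Enable Disk Error Handling Reload on, a marginal drive can cause repeated reloads whose counters start from zero each time, so the syslog message and SNMP trap, not the counters, are the durable record of what happened.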
Network Settings
The Network pages provide settings for network connectivity. Configuring network settings consists of the following procedures:
Enabling FTP Services
To enable FTP services to listen for connection requests, do the following:
Step 1
Choose Devices > Devices > General Settings > Network > FTP. The FTP Settings page is displayed.
Step 2
Check the Enable FTP Services check box.
Step 3
Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Enabling DNS
DNS Settings are required on all SEs, SRs, and CDSMs. The SEs need to be able to resolve the content origin server host name, the SRs need to be able to communicate with the DNS servers, and the CDSMs need to resolve host names.
To configure Domain Name System (DNS) servers, do the following:
Step 1
Choose Devices > Devices > General Settings > Network > DNS. The DNS Settings page is displayed.
Step 2
Enter the settings as appropriate. See Table 4-33 for a description of the fields.
Table 4-33 DNS Settings Fields
| Field | Description |
|---|---|
| Enable | Enables Domain Name System (DNS) on the device. |
| List of DNS Servers | Space-delimited list of IP addresses for up to eight name servers for name and address resolution. |
| Domain Names | A space-delimited list of up to three default domain names. A default domain name allows the system to resolve any unqualified hostnames. Any IP hostname that does not contain a domain name will have the configured domain name appended to it. This appended name is resolved by the DNS server and then added to the host table. A DNS server must be configured on the system for hostname resolution to work correctly. To do this, use the List of DNS Servers field. |
Step 3
Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Enabling RCP
Remote Copy Protocol (RCP) lets you download, upload, and copy configuration files between remote hosts and a switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection oriented. This service listens for requests on TCP port 514.
To enable RCP services, do the following:
Step 1
Choose Devices > Devices > General Settings > Network > RCP. The RCP page is displayed.
Step 2
Check the RCP Enable check box to have the RCP services listen for RCP requests.
Step 3
Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Configuring NTP
To configure the device to synchronize its clock with an NTP server, do the following:
Step 1
Choose Devices > Devices > General Settings > Network > NTP. The NTP page is displayed.
Step 2
Check Enable to enable NTP.
Step 3
In the NTP Server field, enter the IP address or hostname of up to four NTP servers. Use a space to separate the entries.
Step 4
Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Setting the Time Zone
If you have an outside source on your network that provides time services, such as an NTP server, you do not need to set the system clock manually. When manually setting the clock, enter the local time. The device calculates Coordinated Universal Time (UTC) based on the time zone set.
Note Two clocks exist in the system: the software clock and the hardware clock. The software uses the software clock. The hardware clock is used only at startup to initialize the software clock.
Caution We highly recommend that you use NTP servers to synchronize the devices in your CDS network. If you change the local time on the device, you must change the BIOS clock time as well; otherwise, the timestamps on the error logs are not synchronized. Changing the BIOS clock is required because the kernel does not handle time zones.
To manually configure the time zone, do the following:
Step 1
Choose Devices > Devices > General Settings > Network > Time Zone. The Time Zone page is displayed with the default settings of UTC (offset = 0) and no daylight savings time configured.
Step 2
To configure a standard time zone, do the following:
a. Click the Standard Time Zone radio button.
The standard convention for time zones uses a Location/Area format in which Location is a continent or a geographic region of the world and Area is a time zone region within that location. For a list of standard time zones that can be configured and their UTC offsets, see Table 4-34.
b. From the Standard Time Zone drop-down list, choose a location for the time zone. The page refreshes, displaying all area time zones for the chosen location in the second drop-down list.
c. Choose an area for the time zone.
The UTC offset (hours and minutes ahead or behind UTC) for the corresponding time zone is displayed. During summer time savings, the offset may differ and is displayed accordingly.
Note Some of the standard time zones (mostly time zones within the United States) have daylight savings time zones configured automatically.
Step 3
To configure a customized time zone, do the following:
a. Click the Customized Time Zone radio button.
b. In the Customized Time Zone field, enter a name for the time zone. The time zone entry is case sensitive and can contain up to 40 characters. Spaces are not allowed. If you specify any of the standard time zone names, an error message is displayed when you click Submit.
c. For the UTC offset, choose + or – from the UTC Offset drop-down list to indicate whether the configured time zone is ahead of or behind UTC. Also, choose the number of hours (0 to 23) and minutes (0 to 59) offset from UTC for the customized time zone. The range for the UTC offset is from –23:59 to 23:59, and the default is 0:0.
Step 4
To configure customized summer time savings, do the following:
Note Customized summer time can be specified for both standard and customized time zones.
The start and end dates for summer time can be configured in two ways: absolute dates or recurring dates. Absolute dates apply once and must be reset every year. Recurring dates apply every year.
a. Click the Absolute Dates radio button to configure summer settings once.
b. In the Start Date and End Date fields, specify the month, day, and year that the summer time savings starts and ends in mm/dd/yyyy format.
Alternatively, click the Calendar icon and select a date. The chosen date is highlighted in blue. Click Apply.
c. Click the Recurring Dates radio button to configure a recurring summer setting.
d. Using the drop-down lists, choose the start day, week, and month when the summer time savings starts. For example, if the summer time savings begins the first Sunday in March, you would select Sunday, 1st, March from the drop-down lists.
e. Using the drop-down lists, choose the end day, week, and month when the summer time savings ends.
Step 5
Using the Start Time drop-down lists and the End Time drop-down lists, choose the hour (0 to 23) and minute (0 to 59) at which daylight savings time starts and ends.
The Start Time and End Time fields for summer time are the times of the day when the clock is changed to reflect summer time. By default, both start and end times are set at 00:00.
Step 6
In the Offset field, specify the minutes offset from UTC (0 to 1439). (See Table 4-34.)
The summer time offset specifies the number of minutes that the system clock moves forward at the specified start time and backward at the end time.
Step 7
To not specify a summer or daylight savings time for the corresponding time zone, click the No Customized Summer Time Configured radio button.
Step 8
Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Table 4-34 lists the UTC offsets for the different locations around the world.
Table 4-34 Time Zone—Offset from UTC
| Time Zone (Location/Area) | Offset from UTC (in hours) | Time Zone (Location/Area) | Offset from UTC (in hours) |
|---|---|---|---|
| Africa/Algiers | +1 | Asia/Vladivostok | +10 |
| Africa/Cairo | +2 | Asia/Yekaterinburg | +5 |
| Africa/Casablanca | 0 | Asia/Yakutsk | +9 |
| Africa/Harare | +2 | Australia/Adelaide | +9.30 |
| Africa/Johannesburg | +2 | Australia/Brisbane | +10 |
| Africa/Nairobi | +3 | Australia/Darwin | +9.30 |
| America/Buenos_Aires | –3 | Australia/Hobart | +10 |
| America/Caracas | –4 | Australia/Perth | +8 |
| America/Mexico_City | –6 | Australia/Sydney | +10 |
| America/Lima | –5 | Canada/Atlantic | –4 |
| America/Santiago | –4 | Canada/Newfoundland | –3.30 |
| Atlantic/Azores | –1 | Canada/Saskatchewan | –6 |
| Atlantic/Cape_Verde | –1 | Europe/Athens | +2 |
| Asia/Almaty | +6 | Europe/Berlin | +1 |
| Asia/Baghdad | +3 | Europe/Bucharest | +2 |
| Asia/Baku | +4 | Europe/Helsinki | +2 |
| Asia/Bangkok | +7 | Europe/London | 0 |
| Asia/Colombo | +6 | Europe/Moscow | +3 |
| Asia/Dacca | +6 | Europe/Paris | +1 |
| Asia/Hong_Kong | +8 | Europe/Prague | +1 |
| Asia/Irkutsk | +8 | Europe/Warsaw | +1 |
| Asia/Jerusalem | +2 | Japan | +9 |
| Asia/Kabul | +4.30 | Pacific/Auckland | +12 |
| Asia/Karachi | +5 | Pacific/Fiji | +12 |
| Asia/Katmandu | +5.45 | Pacific/Guam | +10 |
| Asia/Krasnoyarsk | +7 | Pacific/Kwajalein | –12 |
| Asia/Magadan | +11 | Pacific/Samoa | –11 |
| Asia/Muscat | +4 | US/Alaska | –9 |
| Asia/New Delhi | +5.30 | US/Central | –6 |
| Asia/Rangoon | +6.30 | US/Eastern | –5 |
| Asia/Riyadh | +3 | US/East–Indiana | –5 |
| Asia/Seoul | +9 | US/Hawaii | –10 |
| Asia/Singapore | +8 | US/Mountain | –7 |
| Asia/Taipei | +8 | US/Pacific | –8 |
| Asia/Tehran | +3.30 | | |
The offset time (number of hours ahead or behind UTC) as displayed in the table is in effect during winter time. During summer time or daylight savings time, the offset may be different from the values in the table and is calculated and displayed accordingly by the system clock.
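Two details of the time zone procedure are easy to get wrong when automating it: the offsets in Table 4-34 use a "hours.minutes" notation in which +5.30 means 5 hours 30 minutes (not 5.3 hours), and a recurring summer time start such as "Sunday, 1st, March" has to be resolved to a concrete date each year before the UTC offset for a given local time can be worked out. The following Python code is an added example, not part of the CDSM software or of this guide; the function names are constructed, and the US/Eastern summer time rule used in the sample (second Sunday in March to first Sunday in November at 02:00, 60 minutes) is a constructed input rather than something the table states.

```python
from datetime import date, datetime, time, timedelta


def parse_table_offset(text):
    """Convert a Table 4-34 offset such as '+5.30', '–3.30' or '0' into
    minutes east of UTC. The digits after the point are minutes, not a
    decimal fraction: '+5.30' is 5 h 30 min, that is 330 minutes."""
    cleaned = text.strip().replace("\u2013", "-").replace("\u2212", "-")
    sign = -1 if cleaned.startswith("-") else 1
    hours_text, _, minutes_text = cleaned.lstrip("+-").partition(".")
    hours, minutes = int(hours_text), int(minutes_text or 0)
    if not (0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError("UTC offset must lie between -23:59 and +23:59")
    return sign * (hours * 60 + minutes)


def format_offset(minutes):
    """Render minutes east of UTC in the sign hh:mm form shown on the page."""
    sign = "-" if minutes < 0 else "+"
    return "%s%02d:%02d" % (sign, abs(minutes) // 60, abs(minutes) % 60)


def nth_weekday(year, month, weekday, n):
    """Resolve a recurring entry like 'Sunday, 1st, March' to a date.
    weekday follows the datetime convention Monday=0 .. Sunday=6; n=-1
    selects the last such weekday of the month."""
    if n > 0:
        first = date(year, month, 1)
        day = first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))
        if day.month != month:
            raise ValueError("that month has no %d occurrences of that weekday" % n)
        return day
    last = date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - weekday) % 7)


def local_to_utc(local, offset_minutes, summer=None):
    """Convert a local time entered on the device to UTC. summer is an
    optional (start_local, end_local, extra_minutes) tuple: between start
    and end the clock runs ahead by extra_minutes (0 to 1439)."""
    if summer is not None:
        start, end, extra = summer
        if not 0 <= extra <= 1439:
            raise ValueError("summer time offset must be 0 to 1439 minutes")
        if start <= local < end:
            offset_minutes += extra
    return local - timedelta(minutes=offset_minutes)


def convert_local(local_iso, offset_text, summer=None):
    """String front end: ISO local time plus a Table 4-34 offset in, ISO UTC out."""
    return local_to_utc(datetime.fromisoformat(local_iso),
                        parse_table_offset(offset_text), summer).isoformat()


def us_eastern_sample(year=2024):
    """Constructed case: US/Eastern (–5 in the table) with recurring summer
    time from the second Sunday in March to the first Sunday in November,
    both at 02:00, moving the clock 60 minutes. Returns the UTC time of
    1 July 12:00 local in ISO form."""
    start = datetime.combine(nth_weekday(year, 3, 6, 2), time(2, 0))
    end = datetime.combine(nth_weekday(year, 11, 6, 1), time(2, 0))
    return convert_local("%d-07-01T12:00:00" % year, "\u20135", (start, end, 60))


if __name__ == "__main__":
    print(format_offset(parse_table_offset("+5.45")))   # +05:45 for Asia/Katmandu
    print(us_eastern_sample())                            # 2024-07-01T16:00:00
```

The same parser rejects an entry outside the –23:59 to 23:59 range the page allows for a customized time zone, which is a useful check before pushing a configuration to many devices: a mistyped offset on a device shifts every timestamp in its transaction logs, and correlating those logs across devices afterwards is far harder than validating the offset up front.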
Viewing Network Interfaces
The Network Interfaces page is informational only. To view this information, choose Devices > Devices > General Settings > Network > Network Interfaces. Information about the network interfaces configured for the device is displayed.
Configuring External IP Addresses
The External IP page allows you to configure up to eight Network Address Translation (NAT) IP addresses. This allows a router to translate up to eight internal addresses to registered unique addresses and translate external registered addresses to addresses that are unique to the private network.
To configure NAT IP addresses, do the following:
Step 1
Choose Devices > Devices > General Settings > Network > External IP. The External IP Settings page is displayed.
Step 2
Check the Enable check box.
Step 3
In the External IP Address fields (1–8), enter up to eight IP addresses.
Step 4
Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Configuring Port Channel and Load Balancing Settings
For information about configuring port channels using the CLI, see the “Redundant Dedicated Management Ports” section.
To configure load balancing on port channels, do the following:
Step 1
Choose Devices > Devices > General Settings > Network > Port Channel Settings. The Port Channel Settings page is displayed.
Step 2
From the Load Balancing Method drop-down list, choose one of the following load balancing methods:
- dst-ip—Destination IP address
- dst-mac—Destination MAC address
- dst-mixed-ip-port—Destination IP address and TCP/UDP port
- dst-port—Destination port
- round robin—Each interface in the channel group
- src-dst-ip—Source and destination IP address
- src-dst-mac—Source and destination MAC address
- src-dst-mixed-ip-port—Source and destination IP address and source and destination port
- src-dst-port—Source and destination port
- src-mixed-ip-port—Source IP address and source port
Round robin distributes traffic evenly among all interfaces in the channel group. The other balancing options let you choose which header fields (IP address, MAC address, port) select the interface used to send an Ethernet frame.
The source and destination options take both the source and the destination (MAC address, IP address, or port) into account when calculating the outgoing interface.
Note Round-robin load-balancing mode is not supported when Link Aggregation Control Protocol (LACP) is enabled on the port channel.
Step 3
Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
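The practical difference between the load balancing methods is which header fields feed the interface selection, and therefore which traffic patterns end up concentrated on one member link. The following Python model is an added example, not the port channel implementation on the device or any code from this guide: the member interface names and the sample flows are constructed, and CRC32 stands in for the platform's hash function, which the page does not specify. What the model does show faithfully is that a destination-only method pins every flow to one server onto a single link, that round robin is the only method that ignores the frame, and that round robin is rejected when LACP is enabled, as the Note states.

```python
import zlib
from itertools import cycle

# Method names from the page, mapped to the frame fields that select the link.
LOAD_BALANCING_METHODS = {
    "dst-ip": ("dst_ip",),
    "dst-mac": ("dst_mac",),
    "dst-mixed-ip-port": ("dst_ip", "dst_port"),
    "dst-port": ("dst_port",),
    "round robin": (),
    "src-dst-ip": ("src_ip", "dst_ip"),
    "src-dst-mac": ("src_mac", "dst_mac"),
    "src-dst-mixed-ip-port": ("src_ip", "dst_ip", "src_port", "dst_port"),
    "src-dst-port": ("src_port", "dst_port"),
    "src-mixed-ip-port": ("src_ip", "src_port"),
}


class PortChannel:
    """Picks the member interface for each outgoing frame."""

    def __init__(self, members, method, lacp=False):
        if method not in LOAD_BALANCING_METHODS:
            raise ValueError("unknown load balancing method: %s" % method)
        if method == "round robin" and lacp:
            raise ValueError("round-robin load balancing is not supported when LACP is enabled")
        self.members = list(members)
        self.method = method
        self._next = cycle(range(len(self.members)))
        self.counts = {m: 0 for m in self.members}

    def select(self, frame):
        fields = LOAD_BALANCING_METHODS[self.method]
        if not fields:
            index = next(self._next)                 # round robin: ignore the frame
        else:
            key = "|".join(str(frame[f]) for f in fields)
            # Assumption: CRC32 stands in for the platform hash. The property
            # that matters here is that equal keys always pick the same member.
            index = zlib.crc32(key.encode()) % len(self.members)
        member = self.members[index]
        self.counts[member] += 1
        return member


# Constructed sample: eight client flows, all to one web server on port 80.
SAMPLE_FRAMES = [
    {"src_mac": "00:00:5e:00:53:%02x" % i, "dst_mac": "00:00:5e:00:53:ff",
     "src_ip": "10.1.1.%d" % (10 + i), "dst_ip": "192.0.2.10",
     "src_port": 40000 + i, "dst_port": 80}
    for i in range(8)
]


def distribution(method, frames, members=("member-1", "member-2")):
    """Send every frame through a fresh two-member channel and return the
    per-member frame counts for the chosen method."""
    channel = PortChannel(members, method)
    for frame in frames:
        channel.select(frame)
    return channel.counts


if __name__ == "__main__":
    for method in ("dst-ip", "src-dst-mixed-ip-port", "round robin"):
        print("%-22s %s" % (method, distribution(method, SAMPLE_FRAMES)))
```

Run against the sample, dst-ip, dst-mac, dst-port and dst-mixed-ip-port all place the eight flows on the same member because every frame has the same destination, while the src-dst variants can use the differing client addresses and ports. Choosing a method that includes the fields that actually vary in your traffic is what makes the channel balance; the method is not a bandwidth setting by itself.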
Configuring IP General Settings
The Path Maximum Transmission Unit (MTU) Discovery discovers the largest IP packet size allowable between the various links along the forwarding path and automatically sets the correct value for the packet size. By using the largest MTU the links can support, the sending device can minimize the number of packets it must send.
Note The Path MTU Discovery is a process initiated by the sending device. If a server does not support IP Path MTU Discovery, the receiving device has no mechanism available to avoid fragmenting datagrams generated by the server.
To enable Path MTU Discovery, do the following:
Step 1
Choose Devices > Devices > General Settings > Network > IP General Settings. The IP General Settings page is displayed.
Step 2
Check Enable Path MTU Discovery.
Step 3
Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Configuring IP ACL
Access control lists (ACLs) provide a means to filter packets by allowing a user to permit or deny IP packets from crossing specified interfaces. Packet filtering helps to control packet movement through the network. Such control can help limit network traffic and restrict network use by certain users or devices.
You can also apply ACLs to management services such as SNMP, SSH, HTTPS, Telnet, and FTP. ACLs can be used to control the traffic that these applications provide by restricting the type of traffic that the applications handle.
In a managed CDS network environment, administrators need to be able to prevent unauthorized access to various devices and services. CDS supports standard and extended ACLs that allow administrators to restrict access to or through a CDS network device, such as the SE. Administrators can use ACLs to reduce the infiltration of hackers, worms, and viruses that can harm the network.
ACLs provide controls that allow various services to be tied to a particular interface. For example, the administrator can use IP ACLs to define a public interface on the Service Engine for content serving and a private interface for management services (for example, Telnet, SSH, SNMP, HTTPS, and software upgrades). A device attempting to access one of the services must be on a list of trusted devices before it is allowed access. The implementation of ACLs for incoming traffic on certain ports for a particular protocol type is similar to the ACL support for the Cisco Global Site Selector and Cisco routers.
To use ACLs, the system administrator must first configure ACLs and then apply them to specific services. The following are some examples of how IP ACLs can be used in various enterprise deployments:
- Application layer proxy firewall with a hardened outside interface has no ports exposed. (Hardened means that the interface carefully restricts which ports are available for access, primarily for security reasons. Because the interface is outside, many types of attacks are possible.) The device’s outside address is globally accessible from the Internet, while its inside address is private. The inside interface has an ACL to limit Telnet, SSH, and CDSM traffic.
- Device is deployed anywhere within the enterprise. Like routers and switches, the administrator wants to limit Telnet, SSH, and CDSM access to the IT source subnets.
- Device is deployed as a reverse proxy in an untrusted environment, and the administrator wishes to allow only port 80 inbound traffic on the outside interface and outbound connections on the back-end interface.
Note IP ACLs are defined for individual devices only. IP ACLs cannot be managed through device groups.
When you create an IP ACL, you should note the following constraints:
- IP ACL names must be unique within the device.
- IP ACL names must be limited to 30 characters and contain no spaces or special characters.
- CDSM can manage up to 50 IP ACLs and a total of 500 conditions per device.
- When the IP ACL name is numeric, numbers 1 through 99 denote standard IP ACLs and numbers 100 through 199 denote extended IP ACLs. IP ACL names that begin with a number cannot contain nonnumeric characters.
- Extended IP ACLs cannot be used with SNMP applications.
Creating a New IP ACL
To create a new IP ACL, do the following:
Step 1
Choose Devices > Devices > General Settings > Network > IP ACL. The IP ACL Table page is displayed.
The table is sortable by clicking the column headings.
Step 2
Click the Create New icon in the task bar. The IP ACL page is displayed.
To edit an ACL, click the Edit icon next to the name you want to edit.
Step 3
In the Name field, enter a name, observing the naming rules for IP ACLs.
Step 4
From the ACL Type drop-down list, choose an IP ACL type (Standard or Extended). The default is Standard.
Step 5
Click Submit. The page refreshes and the Modifying IP ACL page for a newly created IP ACL is displayed.
Note Clicking Submit at this point merely saves the IP ACL; IP ACLs without any conditions defined do not appear on the individual devices.
Adding Conditions to an IP ACL
To add conditions to an IP ACL, do the following:
Step 1
Choose Devices > Devices > General Settings > Network > IP ACL. The IP ACL Table page is displayed.
Step 2
Click the Edit icon next to the name of the IP ACL you want to add a condition to. The Modifying IP ACL page is displayed.
Step 3
Click the Create New icon in the task bar. The Condition page is displayed.
To edit a condition, click the Edit icon next to the name you want to edit.
Note The number of available fields for creating IP ACL conditions depends on whether the IP ACL type is standard or extended.
Step 4
Enter values for the properties that are enabled for the type of IP ACL that you are creating.
- To create a standard IP ACL, go to Step 5.
- To create an extended IP ACL, go to Step 6.
Step 5
To set up conditions for a standard IP ACL, do the following:
a. From the Purpose drop-down list, choose a purpose (Permit or Deny).
b. In the Source IP field, enter the source IP address.
c. In the Source IP Wildcard field, enter a source IP wildcard address.
d. Click Submit. The Modifying IP ACL page is displayed showing the new condition and its configuration.
e. To add another condition to the IP ACL, repeat the steps.
f. To reorder your list of conditions in the Modifying IP ACL page, use the Up arrow or Down arrow in the Order column, or click a column heading to sort by any configured parameter.
Note The order of the conditions listed becomes the order in which IP ACLs are applied to the device.
g. When you have finished adding conditions to the IP ACL, and you are satisfied with all your entries and the order in which the conditions are listed, click Submit in the Modifying IP ACL page to commit the IP ACL to the device database.
A green “Change submitted” indicator appears in the lower right corner of the Modifying IP ACL page to indicate that the IP ACL is being submitted to the device database.
Table 4-35 describes the fields in a standard IP ACL.
Table 4-35 Standard IP ACL Conditions
| Field | Default | Description |
|---|---|---|
| Purpose | Permit | Specifies whether a packet is to be passed (Permit) or dropped (Deny). |
| Source IP¹ | 0.0.0.0 | IP address of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format. |
| Source IP Wildcard¹ | 255.255.255.255 | Wildcard bits to be applied to the source, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0. |
Step 6
To set up conditions for an extended IP ACL, do the following:
a. From the Purpose drop-down list, choose a purpose (Permit or Deny).
b. From the Extended Type drop-down list, choose Generic, TCP, UDP, or ICMP.
After you choose a type of extended IP ACL, various options become available depending on what type you choose.
c. Enter the settings as appropriate. See Table 4-36 for descriptions of the extended IP ACL fields.
d. Click Submit. The Modifying IP ACL page is displayed showing the new condition and its configuration.
e. To add another condition to the IP ACL, repeat the steps.
f. To reorder your list of conditions from the Modifying IP ACL page, use the Up arrow or Down arrow in the Order column, or click a column heading to sort by any configured parameter.
Note The order of the conditions listed becomes the order in which IP ACLs are applied to the device.
g. When you have finished adding conditions to the IP ACL, and you are satisfied with all your entries and the order in which the conditions are listed, click Submit in the Modifying IP ACL page to commit the IP ACL to the device database.
A green “Change submitted” indicator appears in the lower-left corner of the Modifying IP ACL page to indicate that the IP ACL is being submitted to the device database.
Table 4-36 Extended IP ACL Conditions
| Field | Default | Description | Extended Type |
|---|---|---|---|
| Purpose | Permit | Specifies whether a packet is to be passed (Permit) or dropped (Deny). | Generic, TCP, UDP, ICMP |
| Protocol | ip | Internet protocol (gre, icmp, ip, tcp, or udp). To match any Internet protocol, use the ip keyword. | Generic |
| Established | Unchecked (false) | When checked, a match with the ACL condition occurs if the TCP datagram has the ACK or RST bits set, indicating an established connection. Initial TCP datagrams used to form a connection are not matched. | TCP |
| Source IP¹ | 0.0.0.0 | IP address of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format. | Generic, TCP, UDP, ICMP |
| Source IP Wildcard¹ | 255.255.255.255 | Wildcard bits to be applied to the source, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0. | Generic, TCP, UDP, ICMP |
| Source Port 1 | 0 | Decimal number or name of a port. Valid port numbers are 0 to 65535. See Table 4-37 and Table 4-38 for port name descriptions and associated port numbers. Valid TCP port names are domain, exec, ftp, ftp-data, https, nfs, rtsp, ssh, telnet, and www. Valid UDP port names are bootpc, bootps, domain, netbios-dgm, netbios-ns, netbios-ss, nfs, ntp, snmp, and snmptrap. | TCP, UDP |
| Source Operator | range | Specifies how to compare the source ports against incoming packets. Choices are <, >, ==, !=, or range. | TCP, UDP |
| Source Port 2 | 65535 | Decimal number or name of a port. See Source Port 1. | TCP, UDP |
| Destination IP | 0.0.0.0 | IP address of the network or host to which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format. | Generic, TCP, UDP, ICMP |
| Destination IP Wildcard | 255.255.255.255 | Wildcard bits to be applied to the destination, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0. | Generic, TCP, UDP, ICMP |
| Destination Port 1 | 0 | Decimal number or name of a port. Valid port numbers are 0 to 65535. See Table 4-37 and Table 4-38 for port name descriptions and associated port numbers. Valid TCP port names are domain, exec, ftp, ftp-data, https, nfs, rtsp, ssh, telnet, and www. Valid UDP port names are bootpc, bootps, domain, netbios-dgm, netbios-ns, netbios-ss, nfs, ntp, snmp, and snmptrap. | TCP, UDP |
| Destination Operator | range | Specifies how to compare the destination ports against incoming packets. Choices are <, >, ==, !=, or range. | TCP, UDP |
| Destination Port 2 | 65535 | Decimal number or name of a port. See Destination Port 1. | TCP, UDP |
| ICMP Param Type¹ | None | Choices are None, Type/Code, or Msg. None disables the ICMP Type, Code, and Message fields. Type/Code allows ICMP messages to be filtered by ICMP message type and code, and also enables the ability to set an ICMP message code number. Msg allows a combination of type and code to be specified using a keyword; it activates the ICMP Message drop-down list and disables the ICMP Type field. | ICMP |
| ICMP Message¹ | administratively-prohibited | Allows a combination of ICMP type and code to be specified using a keyword chosen from the drop-down list. See Table 4-39 for descriptions of the ICMP messages. | ICMP |
| ICMP Type¹ | 0 | Number from 0 to 255. This field is enabled when you choose Type/Code. | ICMP |
| Use ICMP Code¹ | Unchecked | When checked, enables the ICMP Code field. | ICMP |
| ICMP Code¹ | 0 | Number from 0 to 255. Message code option that allows ICMP messages of a particular type to be further filtered by an ICMP message code. | ICMP |
Table 4-37 lists the UDP keywords that you can use with extended access control lists.
Table 4-37 UDP Keywords and Port Numbers
| Keyword | Description | Port Number |
|---|---|---|
| bootpc | Bootstrap Protocol (BOOTP) client service | 68 |
| bootps | Bootstrap Protocol (BOOTP) server service | 67 |
| domain | Domain Name System (DNS) service | 53 |
| netbios-dgm | NetBIOS datagram service | 138 |
| netbios-ns | NetBIOS name resolution service | 137 |
| netbios-ss | NetBIOS session service | 139 |
| nfs | Network File System service | 2049 |
| ntp | Network Time Protocol settings | 123 |
| snmp | Simple Network Management Protocol service | 161 |
| snmptrap | SNMP traps | 162 |
Table 4-38 lists the TCP keywords that you can use with extended access control lists.
Table 4-38 TCP Keywords and Port Numbers
| Keyword | Description | Port Number |
|---|---|---|
| domain | Domain Name System service | 53 |
| exec | Remote process execution | 512 |
| ftp | File Transfer Protocol service | 21 |
| ftp-data | FTP data connections (used infrequently) | 20 |
| https | Secure HTTP service | 443 |
| nfs | Network File System service applications | 2049 |
| rtsp | Real-Time Streaming Protocol applications | 554 |
| ssh | Secure Shell login | 22 |
| telnet | Remote login using Telnet | 23 |
| www | World Wide Web (HTTP) service | 80 |
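The standard and extended condition fields in Table 4-35 and Table 4-36, the naming constraints listed under Configuring IP ACL, and the port keywords in Table 4-37 and Table 4-38 together define how a packet is matched: conditions are tried in the listed order, the wildcard treats a 1 bit as "ignore", port fields compare through <, >, ==, != or range, and Established matches only TCP segments carrying ACK or RST. The following Python evaluator is an added example and is not the device's ACL engine or any code from this guide; the class and function names and the sample management ACL are constructed, the set of characters treated as "special" in a name is an assumption, and the fall-through to Deny when no condition matches is an assumption the page does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords from Table 4-37 (UDP) and Table 4-38 (TCP).
TCP_PORTS = {"domain": 53, "exec": 512, "ftp": 21, "ftp-data": 20, "https": 443,
             "nfs": 2049, "rtsp": 554, "ssh": 22, "telnet": 23, "www": 80}
UDP_PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "netbios-dgm": 138,
             "netbios-ns": 137, "netbios-ss": 139, "nfs": 2049, "ntp": 123,
             "snmp": 161, "snmptrap": 162}


def acl_type_from_name(name):
    """Apply the naming constraints. Returns the type a numeric name implies
    ('standard' for 1-99, 'extended' for 100-199) or None for an alphabetic
    name, whose type comes from the ACL Type list. Raises on a bad name."""
    if not 1 <= len(name) <= 30:
        raise ValueError("IP ACL names are limited to 30 characters")
    if name[0].isdigit():
        if not name.isdigit():
            raise ValueError("names that begin with a number cannot contain nonnumeric characters")
        number = int(name)
        if 1 <= number <= 99:
            return "standard"
        if 100 <= number <= 199:
            return "extended"
        raise ValueError("numeric names must be 1-99 (standard) or 100-199 (extended)")
    # Assumption: letters, digits, '-' and '_' are the only non-special characters.
    if not all(c.isalnum() or c in "-_" for c in name):
        raise ValueError("IP ACL names must contain no spaces or special characters")
    return None


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit means 'ignore this bit', so
    0.0.0.0/255.255.255.255 matches everything and x/0.0.0.0 one host."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def resolve_port(value, names):
    """A port is a decimal number 0-65535 or a keyword from the tables."""
    port = names[value] if isinstance(value, str) and value in names else int(value)
    if not 0 <= port <= 65535:
        raise ValueError("valid port numbers are 0 to 65535")
    return port


def port_match(port, operator, port1, port2, names):
    p1 = resolve_port(port1, names)
    if operator == "range":
        return p1 <= port <= resolve_port(port2, names)
    return {"<": port < p1, ">": port > p1, "==": port == p1, "!=": port != p1}[operator]


@dataclass
class Condition:
    purpose: str                        # "Permit" or "Deny"
    protocol: str = "ip"                # ip matches any protocol (Table 4-36)
    src_ip: str = "0.0.0.0"
    src_wildcard: str = "255.255.255.255"
    dst_ip: str = "0.0.0.0"
    dst_wildcard: str = "255.255.255.255"
    src_op: Optional[str] = None        # <, >, ==, !=, range; None = any port
    src_port1: object = 0
    src_port2: object = 65535
    dst_op: Optional[str] = None
    dst_port1: object = 0
    dst_port2: object = 65535
    established: bool = False           # TCP only: ACK or RST set

    def matches(self, pkt):
        if self.protocol != "ip" and self.protocol != pkt["proto"]:
            return False
        if not (wildcard_match(pkt["src"], self.src_ip, self.src_wildcard)
                and wildcard_match(pkt["dst"], self.dst_ip, self.dst_wildcard)):
            return False
        names = TCP_PORTS if pkt["proto"] == "tcp" else UDP_PORTS
        if self.src_op and not port_match(pkt.get("sport", 0), self.src_op,
                                          self.src_port1, self.src_port2, names):
            return False
        if self.dst_op and not port_match(pkt.get("dport", 0), self.dst_op,
                                          self.dst_port1, self.dst_port2, names):
            return False
        if self.established and not ({"ACK", "RST"} & set(pkt.get("flags", ()))):
            return False
        return True


def evaluate(conditions, pkt):
    """Conditions apply in listed order; the first match decides.
    Assumption: a packet matching no condition is denied."""
    for cond in conditions:
        if cond.matches(pkt):
            return cond.purpose
    return "Deny"


# Constructed extended ACL "150": SSH only from the IT subnet 10.1.1.0/24,
# replies on established TCP connections, everything else denied.
MGMT_ACL = [
    Condition("Permit", "tcp", src_ip="10.1.1.0", src_wildcard="0.0.0.255",
              dst_op="==", dst_port1="ssh"),
    Condition("Permit", "tcp", established=True),
    Condition("Deny"),
]


def demo():
    """Two constructed packets: an SSH SYN from the IT subnet and one from
    elsewhere. Returns the decision for each."""
    from_it = {"proto": "tcp", "src": "10.1.1.42", "dst": "192.0.2.10",
               "sport": 50000, "dport": 22, "flags": ("SYN",)}
    from_elsewhere = dict(from_it, src="203.0.113.5")
    return evaluate(MGMT_ACL, from_it), evaluate(MGMT_ACL, from_elsewhere)


if __name__ == "__main__":
    print(acl_type_from_name("150"), demo())   # extended ('Permit', 'Deny')
```

Because the first match wins, the order you leave the conditions in on the Modifying IP ACL page is part of the policy: the same three conditions with the Deny moved to the top would block every packet, which is exactly the sort of mistake this evaluator lets you catch against a handful of sample packets before the ACL is committed to the device.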
Table 4-39 lists the keywords that you can use to match specific ICMP message types and codes.
Table 4-39 Keywords for ICMP Message Type and Code
| Keyword | Description |
|---|---|
| administratively-prohibited | Messages that are administratively prohibited from being allowed access. |
| alternate-address | Messages that specify alternate IP addresses. |
| conversion-error | Messages that denote a datagram conversion error. |
| dod-host-prohibited | Messages that signify a Department of Defense (DoD) protocol Internet host denial. |
| dod-net-prohibited | Messages that specify a DoD protocol network denial. |
| echo | Messages that are used to send echo packets to test basic network connectivity. |
| echo-reply | Messages that are used to send echo reply packets. |
| general-parameter-problem | Messages that report general parameter problems. |
| host-isolated | Messages that indicate that the host is isolated. |
| host-precedence-unreachable | Messages that have been received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 3 (Host Unreachable). This is the most common response. Large numbers of this datagram type on the network are indicative of network difficulties or may be indicative of hostile actions. |
| host-redirect | Messages that specify redirection to a host. |
| host-tos-redirect | Messages that specify redirection to a host for type of service-based (ToS) routing. |
| host-tos-unreachable | Messages that denote that the host is unreachable for ToS-based routing. |
| host-unknown | Messages that specify that the host or source is unknown. |
| host-unreachable | Messages that specify that the host is unreachable. |
| information-reply | Messages that contain domain name replies. |
| information-request | Messages that contain domain name requests. |
| mask-reply | Messages that contain subnet mask replies. |
| mask-request | Messages that contain subnet mask requests. |
| mobile-redirect | Messages that specify redirection to a mobile host. |
| net-redirect | Messages that are used for redirection to a different network. |
| net-tos-redirect | Messages that are used for redirection to a different network for ToS-based routing. |
| net-tos-unreachable | Messages that specify that the network is unreachable for the ToS-based routing. |
| net-unreachable | Messages that specify that the network is unreachable. |
| network-unknown | Messages that denote that the network is unknown. |
| no-room-for-option | Messages that specify the requirement of a parameter, but that no room is available for it. |
| option-missing | Messages that specify the requirement of a parameter, but that parameter is not available. |
| packet-too-big | Messages that specify that the ICMP packet requires fragmentation but the Do Not Fragment (DF) bit is set. |
| parameter-problem | Messages that signify parameter-related problems. |
| port-unreachable | Messages that specify that the port is unreachable. |
| precedence-unreachable | Messages that specify that host precedence is not available. |
| protocol-unreachable | Messages that specify that the protocol is unreachable. |
| reassembly-timeout | Messages that specify a timeout during reassembling of packets. |
| redirect | Messages that have been received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 5 (Redirect). ICMP redirect messages are used by routers to notify the hosts on the data link that a better route is available for a particular destination. |
| router-advertisement | Messages that contain ICMP router discovery messages called router advertisements. |
| router-solicitation | Messages that are multicast to ask for immediate updates on neighboring router interface states. |
| source-quench | Messages that have been received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 4 (Source Quench). This datagram may be used in network management to provide congestion control. A source quench packet is issued when a router is beginning to lose packets due to the transmission rate of a source. The source quench is a request to the source to reduce the rate of a datagram transmission. |
| source-route-failed | Messages that specify the failure of a source route. |
| time-exceeded | Messages that specify information about all instances when specified times were exceeded. |
| timestamp-reply | Messages that contain timestamp replies. |
| timestamp-request | Messages that contain timestamp requests. |
| traceroute | Messages that specify the entire route to a network host from the source. |
| ttl-exceeded | Messages that specify that ICMP packets have exceeded the time-to-live configuration. |
| unreachable | Messages that are sent when packets are denied by an access control list; these packets are not dropped in the hardware but generate the ICMP-unreachable message. |
Applying an IP ACL to an Interface
The IP ACLs can be applied to a particular interface (such as management services to a private IP address) so that the device can have one interface in a public IP address space that serves content and another interface in a private IP address space that the administrator uses for management purposes. This feature ensures that clients can access the Service Engine only in the public IP address space for serving content and not access it for management purposes. A device attempting to access one of these applications that is associated with an IP ACL must be on the list of trusted devices to be allowed access.
To apply an IP ACL to an interface from the CLI, use the following interface configuration commands:
interface {FastEthernet | GigabitEthernet} slot/port
ip access-group {accesslistnumber | accesslistname} {in | out}
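The following Python program is an added example; it is not part of the Cisco CDS guide or the CDS software. It models how an extended IP ACL applied to a management interface filters traffic, using the TCP and UDP keyword-to-port mappings from the tables above. The rule set, addresses and sample packets are constructed; the evaluation order (rules checked top to bottom, first match wins, unmatched traffic denied) is the usual ACL convention assumed here, and ICMP type 8 is the echo request that the echo keyword names.

```python
"""Added example (not from the Cisco CDS guide): a model of an extended IP ACL
applied inbound on a management interface.

Keyword-to-port mappings come from the TCP (Table 4-38) and UDP keyword tables.
Evaluation semantics (ordered rules, first match wins, implicit deny) are the
standard ACL convention assumed here. Addresses and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TCP_PORTS = {"domain": 53, "exec": 512, "ftp": 21, "ftp-data": 20, "https": 443,
             "nfs": 2049, "rtsp": 554, "ssh": 22, "telnet": 23, "www": 80}
UDP_PORTS = {"nfs": 2049, "ntp": 123, "snmp": 161, "snmptrap": 162}


def resolve_port(proto: str, port) -> int:
    """Accept a numeric port or one of the documented keywords for that protocol."""
    if isinstance(port, int):
        return port
    table = {"tcp": TCP_PORTS, "udp": UDP_PORTS}[proto]
    if port not in table:
        raise ValueError(f"unknown {proto} keyword: {port}")
    return table[port]


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip" (any protocol)
    source: str                      # CIDR such as "10.1.0.0/24", or "any"
    dst_port: Optional[int] = None   # None matches any destination port
    icmp_type: Optional[int] = None  # None matches any ICMP type

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if self.source != "any" and ip_address(pkt["src"]) not in ip_network(self.source):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        return True


def evaluate(acl: list, pkt: dict) -> str:
    """Return the action of the first matching rule; deny when nothing matches."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def filter_packets(acl: list, packets: list) -> list:
    return [evaluate(acl, p) for p in packets]


# Constructed ACL for the private management interface described above: only
# the admin subnet may reach SSH, HTTPS and SNMP; echo requests are allowed for
# reachability checks; everything else is dropped by the explicit catch-all.
MGMT_ACL = [
    Rule("permit", "tcp", "10.1.0.0/24", dst_port=resolve_port("tcp", "ssh")),
    Rule("permit", "tcp", "10.1.0.0/24", dst_port=resolve_port("tcp", "https")),
    Rule("permit", "udp", "10.1.0.0/24", dst_port=resolve_port("udp", "snmp")),
    Rule("permit", "icmp", "any", icmp_type=8),   # echo request (type 8)
    Rule("deny", "ip", "any"),
]

SAMPLE_PACKETS = [  # constructed traffic arriving on the management interface
    {"proto": "tcp", "src": "10.1.0.7", "dport": 22},        # admin SSH
    {"proto": "tcp", "src": "198.51.100.9", "dport": 22},    # SSH from outside the trusted list
    {"proto": "udp", "src": "10.1.0.7", "dport": 161},       # admin SNMP poll
    {"proto": "tcp", "src": "10.1.0.7", "dport": 23},        # telnet, not in the ACL
    {"proto": "icmp", "src": "203.0.113.4", "icmp_type": 8},  # echo request
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_packets(MGMT_ACL, SAMPLE_PACKETS)):
        print(f"{verdict:6} {pkt}")
```

The explicit final deny mirrors what an ACL does implicitly; keeping it visible makes the policy easier to audit. A device that is not on the trusted list is refused even for a permitted service, which is the behaviour the section above describes.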
Deleting an IP ACL
You can delete an IP ACL, including all conditions and associations with network interfaces, or you can delete only the IP ACL conditions. Deleting all conditions allows you to change the IP ACL type if you choose to do so. The IP ACL entry continues to appear in the IP ACL listing; however, it is in effect nonexistent.
To delete an IP ACL, do the following:
Step 1
Choose Devices > Devices > General Settings > Network > IP ACL. The IP ACL Table page is displayed.
Step 2
Click the Edit icon next to the name of the IP ACL that you want to delete. The Modifying IP ACL page is displayed. If you created conditions for the IP ACL, you have three options for deletion:
- Delete ACL—This option removes the IP ACL, including all conditions and associations with network interfaces and applications.
- Delete All Conditions—This option removes all the conditions, while preserving the IP ACL name.
- Delete IP ACL Condition—This option removes one condition from the ACL.
Step 3
To delete the entire IP ACL, click Delete ACL in the task bar. You are prompted to confirm your action. Click OK. The record is deleted.
Step 4
To delete only the conditions, click Delete All Conditions in the task bar. You are prompted to confirm your action. Click OK. The window refreshes, conditions are deleted, and the ACL Type field becomes available.
Step 5
To delete one condition, do the following:
a. Click the Edit icon next to the condition. The condition settings are displayed.
b. Click the Delete IP ACL Condition icon in the task bar. The IP ACL table is displayed.
c. Click Submit to save the IP ACL table to the database.
Configuring Static IP Routes
The Static IP Routes page allows you to configure a static route for a network or host. Any IP packet designated for the specified destination uses the configured route.
To configure a static IP route, do the following:
Step 1
Choose Devices > Devices > General Settings > Network > IP Routes. The IP Route Table page is displayed.
The table is sortable by clicking the column headings.
Step 2
Click the Create New icon in the task bar. The IP Route page is displayed.
To edit a static route, click the Edit icon next to the name you want to edit.
Step 3
In the Destination Network Address field, enter the destination network IP address.
Step 4
In the Netmask field, enter the destination host netmask.
Step 5
In the Gateway’s IP Address field, enter the IP address of the gateway interface.
Step 6
Click Submit to save the settings.
To delete a route, click the Edit icon for the route, then click the Delete icon in the task bar.
Configuring DSR VIP
The CDS supports Virtual IP (VIP) configuration for Direct Server Return (DSR) when working with networks that use load balancers. DSR bypasses the load balancer for all server responses to client requests by using MAC Address Translation (MAT).
The CDS allows for the configuration of up to four VIPs (on loopback interfaces).
Client requests are sent to the load balancer and the load balancer sends the requests on to the Service Router. If DSR VIP is configured on the CDS (and supported on the load balancer), all CDS responses to the client are sent directly to the client, bypassing the load balancer.
Note If DSR VIP is configured on an SE, the DSR VIP IP address cannot be the same as the Origin Server FQDN (OFQDN).
To configure a DSR VIP, do the following:
Step 1
Choose Devices > Devices > General Settings > Network > DSR VIP. The DSR VIP page is displayed.
Step 2
In the Direct Server Return VIP 1 field, enter the IP address of the Direct Server Return VIP.
Step 3
Enter any additional DSR VIPs in the remaining fields (Direct Server Return VIP 2 to 4).
Step 4
Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Configuring Notification and Tracking
The Notification and Tracking pages provide settings for alarms, thresholds, SNMP connectivity, and device monitoring. Configuring notification and tracking consists of the following procedures:
Alarm Settings
The Alarm Settings page covers the following configuration settings:
Enabling Alarm Overload Detection
The device tracks the rate of incoming alarms from the Node Health Manager. If the rate of incoming alarms exceeds the high-water mark (HWM) threshold, the device enters an alarm overload state. This condition occurs when multiple applications raise alarms at the same time. When a device is in an alarm overload state, the following events occur:
- Traps for the raise alarm-overload alarm and clear alarm-overload alarm are sent. SNMP traps for subsequent alarm raise-and-clear operations are suspended.
- Traps for alarm operations that occur between the raise-alarm-overload alarm and the clear-alarm-overload alarm operations are suspended, but individual device alarm information is still collected and available using the CLI.
- The device remains in an alarm overload state until the rate of incoming alarms decreases to less than the low-water mark (LWM).
- If the incoming alarm rate falls below the LWM, the device comes out of the alarm overload state and begins to report the alarm counts to the SNMP servers and the CDSM.
Alarms that have been raised on a device can be listed by using the CLI commands shown in Table 4-40. These CLI commands allow you to systematically drill down to the source of an alarm.
Table 4-40 Viewing Device Alarms
| CLI Command | Description |
|---|---|
| show alarms | Displays a list of all currently raised alarms (critical, major, and minor alarms) on the device. |
| show alarms critical | Displays a list of only currently raised critical alarms on the device. |
| show alarms major | Displays a list of only currently raised major alarms on the device. |
| show alarms minor | Displays a list of only currently raised minor alarms on the device. |
| show alarms detail | Displays detailed information about the currently raised alarms. |
| show alarms history | Displays a history of alarms that have been raised and cleared on the device. The CLI retains the last 100 alarm raise and clear events only. |
| show alarms status | Displays the counts for the currently raised alarms on the device. Also lists the alarm-overload state and the alarm-overload settings. |
To configure the alarm overload detection, do the following:
Step 1
Choose Devices > Devices > General Settings > Notification and Tracking > Alarm Settings. The Alarm Settings page is displayed.
Step 2
Uncheck the Enable Alarm Overload Detection check box if you do not want to configure the device to suspend alarm raise and clear operations when multiple applications report error conditions. Alarm overload detection is enabled by default.
Step 3
In the Alarm Overload Low Water Mark field, enter the number of alarms per second for the clear alarm-overload threshold. The low-water mark is the level below which the number of alarms must drop before alarm traps can be sent again. The default value is 1.
Step 4
In the Alarm Overload High Water Mark field, enter the number of alarms per second for the raise alarm-overload threshold. The high-water mark is the level the number of alarms must exceed before alarms are suspended. The default value is 10.
Step 5
Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
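The following Python model is an added example, not code from the guide or the CDS software. It reproduces the alarm overload behaviour described above with the documented defaults (high-water mark 10, low-water mark 1 alarms per second): the overload state is entered when the per-second alarm rate exceeds the high-water mark, individual raise and clear traps are suspended while overloaded although every alarm is still collected for the CLI, and the state clears only when the rate drops below the low-water mark. The alarm stream fed to it is constructed.

```python
"""Added example (not from the Cisco CDS guide): alarm overload detection
with high-water mark (HWM) / low-water mark (LWM) hysteresis.

HWM 10 and LWM 1 alarms per second are the defaults given in the guide.
The per-second alarm counts in CONSTRUCTED_RATES are made up for the demo.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class AlarmOverloadDetector:
    high_water_mark: int = 10   # rate that must be exceeded to raise alarm-overload
    low_water_mark: int = 1     # rate must drop below this to clear alarm-overload
    overloaded: bool = False
    trap_log: List[str] = field(default_factory=list)   # what the SNMP server sees
    collected: List[str] = field(default_factory=list)  # what "show alarms" still has

    def __post_init__(self) -> None:
        if self.low_water_mark > self.high_water_mark:
            raise ValueError("low-water mark must not exceed high-water mark")

    def process_second(self, alarms: List[str]) -> bool:
        """Feed one second's worth of alarm events; return the overload state."""
        rate = len(alarms)
        # Alarm information is collected regardless of the overload state.
        self.collected.extend(alarms)

        if not self.overloaded and rate > self.high_water_mark:
            self.overloaded = True
            self.trap_log.append("raise alarm-overload")
        elif self.overloaded and rate < self.low_water_mark:
            self.overloaded = False
            self.trap_log.append("clear alarm-overload")

        # Individual raise/clear traps go out only while not overloaded.
        if not self.overloaded:
            self.trap_log.extend(f"trap {name}" for name in alarms)
        return self.overloaded


def simulate(detector: AlarmOverloadDetector, rates_per_second: List[int]) -> List[bool]:
    """Generate `n` synthetic alarms for each second and record the state after each."""
    states = []
    for second, n in enumerate(rates_per_second):
        alarms = [f"s{second}-alarm{i}" for i in range(n)]
        states.append(detector.process_second(alarms))
    return states


# Constructed alarm rates: a burst crosses the HWM, then decays. Note that
# 8, 3 and 1 alarms/second do NOT clear the state; only a second with fewer
# alarms than the LWM (here: zero) does. That gap is the hysteresis.
CONSTRUCTED_RATES = [2, 5, 12, 30, 8, 3, 1, 0, 2]

if __name__ == "__main__":
    det = AlarmOverloadDetector()
    for rate, state in zip(CONSTRUCTED_RATES, simulate(det, CONSTRUCTED_RATES)):
        print(f"rate={rate:3d}  overloaded={state}")
    print(f"{len(det.trap_log)} traps sent, {len(det.collected)} alarms collected")
```

With the defaults, the detector sends 11 traps for 63 alarms in this run: the seven seconds between the raise and clear of alarm-overload produce no per-alarm traps, which is exactly the suppression the section describes, and why an operator must check the CLI rather than the trap receiver during an overload.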
Alarms for Admin Shutdown Interface
When the Alarms for Admin Shutdown Interface check box is checked, the interface alarm is shutdown. If there is already an alarm raised when the setting is submitted, unchecking the option and submitting the change does not clear the outstanding alarm. There are two ways to avoid this situation:
1. Clear the outstanding alarm first before disabling this option.
2. Disable this option and reboot. The alarm is cleared during reboot.
Note The Alarms for Admin Shutdown Interface option should be enabled before any of the above for the alarm to take effect.
To enable the Alarms for Admin Shutdown Interface option, do the following:
Step 1
Choose Devices > Devices > General Settings > Notification and Tracking > Alarm Settings. The Alarm Settings page is displayed.
Step 2
Check the Alarms for Admin Shutdown Interface check box to enable this option.
Step 3
Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Setting Service Monitor Thresholds
The Service Monitor page is where you configure workload thresholds for the device. In load-based routing, these thresholds are used to determine the best device to serve requested content. For more information about load-based routing, see the “Configuring the Service Router” section.
Note Threshold monitoring is performed on each device in the CDS. The protocol engine and NIC bandwidth thresholds are only monitored on the SE. They are not monitored on the SR and CDSM.
Note The base license limit is set to 200 sessions and 200 Mbps bandwidth.
- The burst count, which indicates the number of days after which a major alarm is raised, is configurable. On the Service Engine, use the service-router service-monitor threshold burstcnt command to configure the burst count. The default setting is one (1), which means all the minor alarms that occur in a single day (24-hour interval) are counted as one single alarm. If the service-router service-monitor threshold burstcnt command is set to two, all minor alarms that occur in two days (48-hour interval) are counted as a single alarm.
- A universal license is similar to a regular license, except it has a higher bandwidth and applies to all protocol engines (except Web Engine). When a universal license is purchased and configured, the alarm data for all protocol engines are cleared. Thereafter, the monitoring of the protocol engines continues as usual for any future alarms.
- On the Service Engine, use the service-router service-monitor license-universal enable command to enable the universal license. The service-router service-monitor license-universal command is disabled by default.
To configure workload thresholds, do the following:
Step 1
Choose Devices > Devices > General Settings > Notification and Tracking > Service Monitor. The Service Monitor page is displayed.
Step 2
Enter the settings as appropriate. See Table 4-41 for a description of the fields.
Table 4-41 Service Monitor Fields
| Settings | Field | Description |
|---|---|---|
| CPU | Enable | Allows the SR to collect CPU load information from the device. |
| | Threshold | Value (as a percentage) that determines when the device is overloaded. The threshold determines the extent of CPU usage allowed. The range is from 1 to 100. The default is 80. |
| | Sample Period | Time interval (in seconds) between two consecutive samples. The sample period is the time during which the device and the SR exchange keep-alive messages that contain the device load information. The range is from 1 to 60. The default is 1. |
| | Number of Samples | Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2. |
| Disk | Enable | Allows the SR to collect disk transaction information from the device. |
| | Threshold | The threshold, as a percentage, determines the extent of disk usage allowed. The range is from 1 to 100. The default is 80. |
| | Sample Period | Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 1. |
| | Number of Samples | Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2. |
| Memory | Enable | Allows the SR to collect memory usage information from the device. |
| | Threshold | The threshold (in percent) determines the extent of memory usage allowed. The range is from 1 to 100. The default is 80. |
| | Sample Period | Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 1. |
| | Number of Samples | Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2. |
| Kernel Memory | Enable | Allows the SR to collect kernel memory usage information from the device. |
| | Threshold | The threshold (in percent) determines the extent of kernel memory usage allowed. The range is from 1 to 100. The default is 50. |
| | Sample Period | Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 1. |
| | Number of Samples | Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2. |
| Windows Media Streaming | Enable | Allows the SR to collect Windows Media Streaming stream count information from the SE. |
| | Threshold | Percentage of streams for which the SE has been either configured or licensed. The range is from 1 to 100. The default is 90. |
| | Sample Period | Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 1. |
| | Number of Samples | Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2. |
| Flash Media Streaming | Enable | Allows the SR to collect Flash Media Streaming stream count information from the SE. |
| | Threshold | Percentage of streams for which the SE has been either configured or licensed. The range is from 1 to 100. The default is 90. |
| | Sample Period | Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 1. |
| | Number of Samples | Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2. |
| Movie Streamer | Enable | Allows the SR to collect stream count information from the SE. |
| | Threshold | Percentage of streams for which the SE has been either configured or licensed. The range is from 1 to 100. The default is 90. |
| NIC Bandwidth | Enable | Allows the SR to collect NIC bandwidth information from the SE. |
| | Threshold | The threshold, as a percentage, determines the extent of NIC bandwidth usage allowed. The range is from 1 to 100. The default is 90. |
| | Sample Period | Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 3. |
| | Number of Samples | Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2. |
| Disk Failure | Threshold | Overall percentage of CDNFS disk failures. The range is from 1 to 100. The default is 75. When the percentage of failed disks exceeds this threshold, no further requests are sent to this device. The Disk Failure Threshold is only for the CDNFS disks. Note: When an alarm is received for a SYSTEM disk, it is immediately marked as a failed disk. It is not checked against the Disk Failure Threshold. The SR continues redirecting to the SE, unless all SYSTEM disks on the SE are marked as failed disks. If disks have both SYSTEM and CDNFS partitions, they are treated as only system disks, which means they are not included in the accounting of the CDNFS disk calculation. |
| Augmentation Alarms | Enable | Enables augmentation alarms. For more information, see the “Augmentation Alarms” section. |
| | Threshold | The augmentation alarms threshold is a percentage that applies to the CPU, memory, kernel memory, disk, disk fail count, NIC, and protocol engine usages. By default it is set to 80 percent. The threshold value range is 1–100. As an example of an augmentation alarm, if the threshold configured for CPU usage is 80 percent, and the augmentation threshold is set to 80 percent, then the augmentation alarm for CPU usage is raised when the CPU usage crosses 64 percent. If “A” represents the Service Monitor threshold configured, and “B” represents the augmentation threshold configured, then the threshold for raising an augmentation alarm = (A * B) / 100 percent. For more information, see the “Augmentation Alarm Example” section. |
| Transaction Logs | Enable | Enables Service Monitoring transaction logging. For more information, see the “Service Monitor Transaction Logs” section. |
Step 3
Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Augmentation Alarms
Augmentation alarms are soft alarms that send alerts before the threshold is reached. These alarms are applicable to all devices—Service Engines, Service Routers and CDSMs. Augmentation thresholds apply to device and protocol engine parameters.
A different augmentation alarm is supported for each of the device-level thresholds. Based on the device parameters monitored by Service Monitor, the following minor alarms could be raised for device-level thresholds:
- CpuAugThreshold—Service Monitor CPU augmentation alarm.
- MemAugThreshold—Service Monitor memory augmentation alarm.
- KmemAugThreshold—Service Monitor kernel memory augmentation alarm.
- DiskAugThreshold—Service Monitor disk augmentation alarm.
- DiskFailCntAugThreshold—Service Monitor disk failure count augmentation alarm.
- NicAugThreshold—Service Monitor NIC augmentation alarm.
Check the augmentation threshold, device-level threshold, and average load for the above alarm instance. Add more devices if necessary. A useful command is the show service-router service-monitor command. The augmentation alarms raised are displayed in the show alarms detail command. The alarms are cleared when the load goes below the augmentation threshold.
Note For system disks (disks that contain SYSTEM partitions), the diskfailure augmentation and threshold alarms are raised only when all system disks are bad. The diskfailcnt threshold does not apply to system disks. The threshold only applies to CDNFS disks, which is also the case for the augmentation thresholds. This is because the system disks use RAID1. There is a separate alarm for bad RAID. With the RAID system, if the critical primary disk fails, the other mirrored disk (mirroring only occurs for SYSTEM partitions) seamlessly continues operation. However, if the disk drive that is marked bad is a critical disk drive, the redundancy of the system disks for this device is affected. For more information on disk error handling and threshold recommendations, see the “Enabling Disk Error Handling” section.
As the show disk details command output reports, if disks have both SYSTEM and CDNFS partitions, they are treated as only system disks, which means they are not included in the accounting of the CDNFS disk calculation.
Note The NIC augmentation alarm is only applicable if the device is an SE.
Different augmentation alarms are supported for each of the protocol engines, which only apply if the device is an SE. The following minor alarms could be raised for protocol-engine thresholds:
- rtspgaugmentexceeded—RTSP gateway TPS has reached augmentation threshold limits
- aug_memory_exceeded—Web Engine augmentation memory threshold exceeded
- aug_session_exceeded—Web Engine has reached augmentation threshold for concurrent sessions
- wmtaugmentexceeded—Windows Media Streaming has reached augmentation threshold limits
- msaugmentexceeded—Movie Streamer has reached augmentation threshold limits
- FmsAugThreshold—Flash Media Streaming has reached augmentation threshold limits
- WebCalLookupAugThreshold—Web Engine has reached augmentation threshold for storage lookup
- WebCalDiskWriteAugThreshold—Web Engine has reached augmentation threshold for storage disk write
Augmentation Alarm Example
Maximum concurrent connections have a default value of 200 and maximum bandwidth has a default value of 200 Mbps. The augmentation alarm is enabled through the Service Monitor and the augmentation threshold is configured at 80 percent (default). The default service threshold for Flash Media Streaming is 90 percent.
In this case, the augmentation alarm is raised for Flash Media Streaming when 0.8 * 0.9 * 200 = 144 connections or 144 Mbps of bandwidth is exceeded. The Service Router still redirects requests to this Service Engine. The alarm is cleared when the traffic falls below either of the thresholds; that is, 144 connections or 144 Mbps in this example.
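The following Python example is added here and is not the guide's or the product's code. It shows how the Table 4-41 fields combine with the augmentation threshold: each monitored parameter keeps the last Number of Samples values (one collected per Sample Period), averages them, and raises the minor augmentation alarm at (A * B) / 100 percent before the real threshold A is crossed. The load values fed in are constructed; the 144 figure is the guide's Flash Media Streaming example reproduced in code.

```python
"""Added example (not from the Cisco CDS guide): Service Monitor averaging
and augmentation alarms.

A = the Service Monitor threshold for a parameter, B = the augmentation
threshold; the soft alarm fires at (A * B) / 100 percent, as the guide states.
Load samples below are constructed.
"""
from collections import deque


class MonitoredParameter:
    def __init__(self, name: str, threshold: float, aug_threshold: float = 80,
                 number_of_samples: int = 2):
        # Defaults mirror Table 4-41: augmentation threshold 80, two samples.
        if not (1 <= threshold <= 100 and 1 <= aug_threshold <= 100):
            raise ValueError("thresholds are percentages in the range 1-100")
        if not (1 <= number_of_samples <= 120):
            raise ValueError("Number of Samples is in the range 1-120")
        self.name = name
        self.threshold = threshold          # "A"
        self.aug_threshold = aug_threshold  # "B"
        self.samples = deque(maxlen=number_of_samples)

    def augmentation_level(self) -> float:
        """(A * B) / 100 percent, e.g. A=80 and B=80 give 64 percent."""
        return self.threshold * self.aug_threshold / 100

    def add_sample(self, usage_percent: float) -> dict:
        """Record one sample (one per Sample Period) and evaluate the moving average."""
        self.samples.append(usage_percent)
        avg = sum(self.samples) / len(self.samples)
        return {
            "average": avg,
            # Minor, early warning: the load is approaching the real threshold.
            "augmentation_alarm": avg > self.augmentation_level(),
            # Over the real threshold: the device counts as overloaded for routing.
            "overloaded": avg > self.threshold,
        }


def flash_media_augmentation_limit(license_limit: float = 200,
                                   service_threshold: float = 90,
                                   aug_threshold: float = 80) -> float:
    """Augmentation Alarm Example from the guide: 0.8 * 0.9 * 200 = 144.

    Applies to the connection count and, with the same numbers, to the Mbps
    bandwidth limit of the base license.
    """
    return license_limit * service_threshold / 100 * aug_threshold / 100


if __name__ == "__main__":
    cpu = MonitoredParameter("cpu", threshold=80)
    print(f"CPU augmentation alarm level: {cpu.augmentation_level()} percent")
    for load in (50, 70, 75, 90, 40, 40):  # constructed CPU readings
        print(load, cpu.add_sample(load))
    print(f"Flash Media augmentation limit: {flash_media_augmentation_limit()} connections / Mbps")
```

Because the average is taken over only two samples by default, a single high reading can raise the augmentation alarm and a single low reading can clear it; raising Number of Samples smooths both directions at the cost of slower reaction, which is the trade-off these fields expose.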
Configuring SNMP
The Cisco CDS supports the following versions of SNMP:
- Version 1 (SNMPv1)—A network management protocol that provides a means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security.
- Version 2 (SNMPv2c)—The second version of SNMP, it supports centralized and distributed network management strategies, and includes improvements in the Structure of Management Information (SMI), protocol operations, management architecture, and security.
- Version 3 (SNMPv3)—An interoperable standards-based protocol for network management. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network. The security features provided in SNMPv3 are:
– Message integrity—Ensuring that a packet has not been tampered with in transit.
– Authentication—Determining that the message is from a valid source.
– Encryption—Scrambling the contents of a packet to prevent it from being seen by an unauthorized source.
SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet. Three security models are available: SNMPv1, SNMPv2c, and SNMPv3.
Table 4-42 identifies what the combinations of security models and levels mean.
Table 4-42 SNMP Security Models and Levels
| Model | Level | Authentication | Encryption | Description |
|---|---|---|---|---|
| v1 | noAuthNoPriv | Community String | No | Uses a community string match for authentication. |
| v2c | noAuthNoPriv | Community String | No | Uses a community string match for authentication. |
| v3 | noAuthNoPriv | Username | No | Uses a username match for authentication. |
| v3 | authNoPriv | MD5 or SHA | No | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. |
| v3 | authPriv | MD5 or SHA | DES | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard. |
The SNMPv3 agent can be used in the following modes:
- noAuthNoPriv mode (that is, no security mechanisms turned on for packets)
- AuthNoPriv mode (for packets that do not need to be encrypted using the privacy algorithm [DES 56])
- AuthPriv mode (for packets that must be encrypted; privacy requires that authentication be performed on the packet)
Using SNMPv3, users can securely collect management information from their SNMP agents without worrying that the data has been tampered with. Also, confidential information, such as SNMP set packets that change a Content Engine’s configuration, can be encrypted to prevent their contents from being exposed on the wire. Also, the group-based administrative model allows different users to access the same SNMP agent with varying access privileges.
Note the following about SNMPv3 objects:
- Each user belongs to a group.
- A group defines the access policy for a set of users.
- An access policy defines which SNMP objects can be accessed for reading, writing, and creating.
- A group determines the list of notifications its users can receive.
- A group also defines the security model and security level for its users.
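The following Python example is added here; it is not from the guide, and the CDS agent's internal implementation is not described on this page. It shows what the authNoPriv and authPriv rows of Table 4-42 rely on: the SNMPv3 User-based Security Model (RFC 3414) derives a key from the user's password, localizes it to the agent's engine ID so that one password does not yield the same key on every device, and authenticates each message with the first 12 bytes of an HMAC-MD5 or HMAC-SHA computed over the whole message. The password, engine ID and expected keys are RFC 3414's published test vectors; the message bytes are constructed.

```python
"""Added example (not from the Cisco CDS guide): SNMPv3 USM authentication
as described in RFC 3414, which is what "HMAC-MD5 or HMAC-SHA" in the
security model table refers to.

Test vectors (password "maplesyrup", engine ID 00..00 02) are from RFC 3414
Appendix A; the SNMP message bytes are constructed.
"""
import hashlib
import hmac

ONE_MEGABYTE = 1048576
AUTH_PARAM_LEN = 12  # HMAC-MD5-96 / HMAC-SHA-96 truncate the MAC to 96 bits


def password_to_key(password: str, algorithm: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to exactly 1,048,576 bytes).

    The deliberate 1 MB expansion slows down offline guessing of short
    passwords; 'md5' and 'sha1' are the two algorithms the table lists.
    """
    if algorithm not in ("md5", "sha1"):
        raise ValueError("USM authentication is HMAC-MD5 or HMAC-SHA")
    pw = password.encode()
    stream = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algorithm, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku).

    Binding the key to the agent's engine ID means a key captured from one
    device's traffic is useless against another device, even with a shared password.
    """
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def auth_params(kul: bytes, whole_msg: bytes, algorithm: str) -> bytes:
    """msgAuthenticationParameters: first 12 bytes of HMAC(Kul, wholeMsg)."""
    return hmac.new(kul, whole_msg, algorithm).digest()[:AUTH_PARAM_LEN]


def verify(kul: bytes, whole_msg: bytes, received: bytes, algorithm: str) -> bool:
    """Receiver side: recompute and compare in constant time (message integrity)."""
    if len(received) != AUTH_PARAM_LEN:
        return False
    return hmac.compare_digest(auth_params(kul, whole_msg, algorithm), received)


# RFC 3414 Appendix A.3 inputs.
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for alg in ("md5", "sha1"):
        ku = password_to_key(RFC_PASSWORD, alg)
        kul = localize_key(ku, RFC_ENGINE_ID, alg)
        print(f"{alg}: Ku={ku.hex()}  Kul={kul.hex()}")
    kul = localize_key(password_to_key(RFC_PASSWORD, "sha1"), RFC_ENGINE_ID, "sha1")
    msg = b"constructed SNMPv3 GetRequest bytes"   # constructed, not a real PDU
    tag = auth_params(kul, msg, "sha1")
    print("intact message verifies:", verify(kul, msg, tag, "sha1"))
    print("modified message verifies:", verify(kul, msg + b"!", tag, "sha1"))
```

In the noAuthNoPriv rows of the table none of this happens: the username or community string travels in clear text and is the only check, so anyone who can read the wire can replay or forge requests. The authNoPriv level adds the HMAC shown here; authPriv additionally encrypts the PDU with DES, which this example does not cover.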
To configure the SNMP settings, do the following:
Step 1
Choose Devices > Devices > General Settings > Notification and Tracking > SNMP > General Settings. The SNMP General Settings page is displayed.
Step 2
Enable the settings as appropriate. See Table 4-43 for a description of the fields.
Table 4-43 SNMP General Settings Fields
| Field | Description |
|---|---|
| Traps | |
| Enable SNMP Settings | Enables the SNMP agent to transmit traps to the SNMP server. |
| Service Engine | Enables the Disk Fail trap, which is the disk failure error trap. |
| SNMP | Enables SNMP-specific traps: Authentication (enables the authentication trap); Cold Start (enables the cold start trap). |
| SE Alarm | Enables alarm traps: Raise Critical (raise-critical alarm trap); Clear Critical (clear-critical alarm trap); Raise Major (raise-major alarm trap); Clear Major (clear-major alarm trap); Raise Minor (raise-minor alarm trap); Clear Minor (clear-minor alarm trap). |
| Entity | Enables SNMP entity traps. |
| Config | Enables CiscoConfigManEvent error traps. |
| Miscellaneous Settings | |
| Notify Inform | Enables the SNMP notify inform request. |
Step 3
Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Step 4
From the left-panel menu, click Community. The SNMP Community Table page is displayed.
The table is sortable by clicking the column headings. The maximum number of community strings that can be created is ten.
Step 5
Click the Create New icon in the task bar. The SNMP Community page is displayed.
Click the Edit icon next to the community name to edit a community setting.
Note Each community is associated with a group. Each group has a view and users are assigned to a group. If the group does not have a view associated with it, then users associated with that group cannot access any MIB entry.
Step 6
Enter the settings as appropriate. See Table 4-44 for a description of the fields.
Table 4-44 SNMP Community Fields
| Field | Description |
|---|---|
| Community | Community string used as a password for authentication when you access the SNMP agent of the device using SNMPv1 or SNMPv2. The “Community Name” field of any SNMP message sent to the device must match the community string defined here to be authenticated. You can enter a maximum of 64 characters in this field. |
| Group name/rw | Group to which the community string belongs. The Read/Write option allows a read or write group to be associated with this community string. The Read/Write option permits access to only a portion of the MIB subtree. Choose one of the following three options from the drop-down list: None—Choose this option if you do not want to specify a group name to be associated with the community string. Read/Write—Choose this option if you want to allow read-write access to the group associated with this community string. Group—Choose this option if you want to specify a group name. |
| Group Name | Name of the group to which the community string belongs. You can enter a maximum of 64 characters in this field. This field is available only if you have chosen the Group option in the Group name/rw field. |
Step 7
Click Submit to save the settings.
To delete an SNMP community, click the Edit icon for the community, then click the Delete icon in the task bar.
Step 8
From the left-panel menu, click Group. The SNMP Group Table page is displayed.
The table is sortable by clicking the column headings. The maximum number of groups that can be created is ten.
Step 9
Click the Create New icon in the task bar. The SNMP Group page is displayed.
Click the Edit icon next to the Group Name to edit a group.
Step 10
Enter the settings as appropriate. See Table 4-45 for a description of the fields.
Table 4-45 SNMP Group Fields

| Field | Description |
|---|---|
| Name | Name of the SNMP group. You can enter a maximum of 256 characters. A group defines a set of users belonging to a particular security model and the access rights for all the users belonging to it. Access rights define what SNMP objects can be read, written to, or created. In addition, the group defines what notifications a user is allowed to receive. An SNMP group is a collection of SNMP users that share a common access policy, which defines the object identifiers (OIDs) that are read-accessible and write-accessible. Users belonging to a particular SNMP group inherit all of the attributes defined by the group. |
| Sec Model | Security model for the group. Choose one of the following options from the drop-down list: v1 (SNMP Version 1, noAuthNoPriv); v2c (SNMP Version 2c, noAuthNoPriv); v3-auth (SNMP Version 3, AuthNoPriv); v3-noauth (SNMP Version 3, noAuthNoPriv); v3-priv (SNMP Version 3, AuthPriv). The Sec Model you choose determines which of the following three security levels is applied to each SNMP packet: noAuthNoPriv authenticates a packet by a string match of the username; AuthNoPriv authenticates a packet by using either the HMAC-MD5 or the HMAC-SHA algorithm; AuthPriv authenticates a packet by using either the HMAC-MD5 or the HMAC-SHA algorithm and encrypts the packet using the CBC-DES (DES-56) algorithm. |
| Read View | Name of the view (a maximum of 64 characters) that enables you only to view the contents of the agent. By default, no view is defined. To provide read access to users of the group, a view must be specified. A read view defines the list of object identifiers (OIDs) that are accessible for reading by users belonging to the group. |
| Write View | Name of the view (a maximum of 64 characters) that enables you to enter data and configure the contents of the agent. By default, no view is defined. A write view defines the list of object identifiers (OIDs) that can be created or modified by users of the group. |
| Notify View | Name of the view (a maximum of 64 characters) that enables you to specify a notify, inform, or trap. By default, no view is defined. A notify view defines the list of notifications that can be sent to each user in the group. |
Step 11
Click Submit to save the settings.
To delete an SNMP group, click the Edit icon for the group, then click the Delete icon in the task bar.
Step 12
From the left-panel menu, click User. The SNMP User Table page is displayed.
The table is sortable by clicking the column headings. The maximum number of users that can be created is ten.
Step 13
Click the Create New icon in the task bar. The SNMP User page is displayed.
Click the Edit icon next to the username to edit a user.
Step 14
Enter the settings as appropriate. See Table 4-46 for a description of the fields.
Table 4-46 SNMP User Fields

| Field | Description |
|---|---|
| Name | String representing the name of the user (256 characters maximum) who can access the device. An SNMP user is a person on whose behalf an SNMP management operation is performed. |
| Group | Name of the group (256 characters maximum) to which the user belongs. |
| Remote SNMP ID | Globally unique identifier for a remote SNMP entity. To send an SNMPv3 message to the device, at least one user with a remote SNMP ID must be configured on the device. The SNMP ID must be entered in octet string format. For example, if the IP address of a remote SNMP entity is 192.147.142.129, then the octet string would be 00:00:63:00:00:00:a1:c0:93:8e:81. |
| Authentication Algorithm | Authentication algorithm that ensures the integrity of SNMP packets during transmission. Choose one of the following three options from the drop-down list: No-auth (no security mechanism is turned on for SNMP packets); MD5 (authentication based on the hash-based Message Authentication Code Message Digest 5 [HMAC-MD5] algorithm); SHA (authentication based on the hash-based Message Authentication Code Secure Hash [HMAC-SHA] algorithm). |
| Authentication Password | String (256 characters maximum) that sets the user authentication (HMAC-MD5 or HMAC-SHA) password. The number of characters is adjusted to fit the display area if it exceeds the limit for display. This field is optional if the No-auth option is chosen for the authentication algorithm. Otherwise, this field must contain a value. |
| Confirmation Password | Authentication password for confirmation. The re-entered password must be the same as the one entered in the Authentication Password field. |
| Private Password | String (256 characters maximum) that configures the authentication (HMAC-MD5 or HMAC-SHA) parameters that enable the SNMP agent to receive packets from the SNMP host. The number of characters is adjusted to fit the display area if it exceeds the limit for display. |
| Confirmation Password | Private password for confirmation. The re-entered password must be the same as the one entered in the Private Password field. |
Step 15
Click Submit to save the settings.
To delete an SNMP user, click the Edit icon for the user, then click the Delete icon in the task bar.
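The Remote SNMP ID field expects the octet-string form shown in Table 4-46. The following is an added example, not code from the Cisco guide: it builds that string from an IPv4 address and parses it back, so the value typed into the field can be checked before an SNMPv3 user is saved. The seven-byte prefix 00:00:63:00:00:00:a1 is taken from the guide's single worked value (192.147.142.129) and is assumed to be fixed for this platform; the guide does not state a general rule for it.

```python
"""Build and validate the Remote SNMP ID octet string (added example).

Assumption: the 7-byte prefix 00:00:63:00:00:00:a1 is constant and the
last four bytes are the remote entity's IPv4 address, as in the guide's
example 192.147.142.129 -> 00:00:63:00:00:00:a1:c0:93:8e:81.
"""
import ipaddress

# Prefix copied from the guide's example; treated here as a fixed platform value.
REMOTE_ID_PREFIX = bytes.fromhex("000063000000a1")


def remote_snmp_id(ip: str) -> str:
    """Return the colon-separated octet string for a remote SNMP entity's IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    raw = REMOTE_ID_PREFIX + addr.packed
    return ":".join(f"{b:02x}" for b in raw)


def parse_remote_snmp_id(octets: str) -> str:
    """Recover the IPv4 address from an octet string; rejects strings of the wrong shape."""
    raw = bytes.fromhex(octets.replace(":", ""))
    if len(raw) != len(REMOTE_ID_PREFIX) + 4 or raw[: len(REMOTE_ID_PREFIX)] != REMOTE_ID_PREFIX:
        raise ValueError("not a Remote SNMP ID in the expected 11-byte format")
    return str(ipaddress.IPv4Address(raw[len(REMOTE_ID_PREFIX):]))


if __name__ == "__main__":
    # Reproduces the value given in Table 4-46.
    print(remote_snmp_id("192.147.142.129"))
```

`parse_remote_snmp_id` is the check to run on a value copied from an existing configuration: a string with the wrong length or prefix is rejected rather than silently accepted.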
Step 16
To define an SNMPv2 MIB view, click View from the left-panel menu. The SNMP View Table page is displayed.
The table is sortable by clicking the column headings. The maximum number of SNMPv2 views that can be created is ten.
SNMP view—A mapping between SNMP objects and the access rights available for those objects. An object can have different access rights in each view. Access rights indicate whether the object is accessible by either a community string or a user.
Step 17
Click the Create New icon in the task bar. The SNMP View page is displayed.
Click the Edit icon next to the view name to edit a view.
Step 18
Enter the settings as appropriate. See Table 4-47 for a description of the fields.
Table 4-47 SNMP View Fields

| Field | Description |
|---|---|
| Name | String representing the name of this family of view subtrees (256 characters maximum). The family name must be a valid MIB name such as ENTITY-MIB. |
| Family | Object identifier (256 characters maximum) that identifies a subtree of the MIB. |
| View Type | View option that determines the inclusion or exclusion of the MIB family from the view. Choose one of the following two options from the drop-down list: Included (the MIB family is included in the view); Excluded (the MIB family is excluded from the view). Note When configuring an SNMP View with Excluded, the specified MIB that is excluded is not accessible for the community associated with the group that has that view. |
Step 19
Click Submit to save the settings.
To delete an SNMP view, click the Edit icon for the view, then click the Delete icon in the task bar.
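The community, group, and view pages above only make sense together: a community names a group, the group names a read view and a write view, and each view is a list of MIB families marked Included or Excluded. The following added example (not code from the Cisco guide) models that chain so an operator can test, before committing a configuration, which OIDs a given community string can read or write. It encodes the two rules the text states, that a group with no view grants nothing and that an Excluded family hides its subtree. It also assumes, as in the standard VACM view-tree model, that the longest matching family decides; the guide does not spell out how overlapping families are resolved.

```python
"""Community -> group -> view -> OID access check (added example).

Assumptions: longest matching view family wins (standard VACM behaviour,
not stated in the guide); a missing or unknown view grants nothing.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ViewFamily:
    family: str     # OID subtree, e.g. "1.3.6.1.2.1.1"
    included: bool  # True = Included, False = Excluded


@dataclass
class Group:
    name: str
    read_view: Optional[str] = None   # None = "no view defined"
    write_view: Optional[str] = None


@dataclass
class SnmpConfig:
    views: Dict[str, List[ViewFamily]] = field(default_factory=dict)
    groups: Dict[str, Group] = field(default_factory=dict)
    communities: Dict[str, str] = field(default_factory=dict)  # community string -> group name


def _oid_parts(oid: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in oid.strip(".").split("."))


def oid_in_view(config: SnmpConfig, view_name: Optional[str], oid: str) -> bool:
    """True if the OID is visible through the named view."""
    if view_name is None or view_name not in config.views:
        return False  # group without a view: no MIB entry is accessible
    target = _oid_parts(oid)
    best: Optional[ViewFamily] = None
    best_len = -1
    for fam in config.views[view_name]:
        prefix = _oid_parts(fam.family)
        if len(prefix) <= len(target) and target[: len(prefix)] == prefix and len(prefix) > best_len:
            best, best_len = fam, len(prefix)  # most specific family decides
    return best is not None and best.included


def community_access(config: SnmpConfig, community: str, oid: str) -> Tuple[bool, bool]:
    """Return (can_read, can_write) for a community string and an OID."""
    group_name = config.communities.get(community)
    if group_name is None or group_name not in config.groups:
        return (False, False)  # unknown community, or community with no group
    grp = config.groups[group_name]
    return (oid_in_view(config, grp.read_view, oid), oid_in_view(config, grp.write_view, oid))


# Constructed sample configuration; not a real deployment.
SAMPLE = SnmpConfig(
    views={
        # All of MIB-II is readable except the interfaces group (1.3.6.1.2.1.2).
        "mgmt-ro": [ViewFamily("1.3.6.1.2.1", True), ViewFamily("1.3.6.1.2.1.2", False)],
        # Only the system group may be written.
        "sys-rw": [ViewFamily("1.3.6.1.2.1.1", True)],
    },
    groups={
        "monitor": Group("monitor", read_view="mgmt-ro"),
        "admin": Group("admin", read_view="mgmt-ro", write_view="sys-rw"),
        "orphan": Group("orphan"),  # created without any view
    },
    communities={"public-ro": "monitor", "ops-rw": "admin", "legacy": "orphan"},
)

if __name__ == "__main__":
    for comm, oid in [("public-ro", "1.3.6.1.2.1.1.5.0"), ("public-ro", "1.3.6.1.2.1.2.2.1.10.1"),
                      ("ops-rw", "1.3.6.1.2.1.1.5.0"), ("legacy", "1.3.6.1.2.1.1.5.0")]:
        print(comm, oid, community_access(SAMPLE, comm, oid))
```

Running the sample shows the practical consequence of the Note at the top of this procedure: the `legacy` community, whose group has no view, gets `(False, False)` for every OID, and `public-ro` can read sysName but not ifInOctets because the interfaces family is Excluded.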
Step 20
From the left-panel menu, click Host. The SNMP Host Table page is displayed.
The table is sortable by clicking the column headings. The maximum number of hosts that can be created is four.
Step 21
Click the Create New icon in the task bar. The SNMP Host page is displayed.
Click the Edit icon next to the hostname to edit a host.
Step 22
Enter the settings as appropriate. See Table 4-48 for a description of the fields.
Table 4-48 SNMP Host Fields

| Field | Description |
|---|---|
| Trap Host | Hostname or IP address of an SNMP entity to which notifications (traps and informs) are to be sent. |
| Community/User | Name of the SNMP community or user (256 characters maximum) that is sent in SNMP trap messages from the device. |
| Authentication | Security model to use for sending notifications to the recipient of an SNMP trap operation. Choose one of the following options from the drop-down list: No-auth (sends notifications without any security mechanism); v2c (sends notifications using Version 2c security); v3-auth (sends notifications using SNMP Version 3, AuthNoPriv); v3-noauth (sends notifications using SNMP Version 3, noAuthNoPriv); v3-priv (sends notifications using SNMP Version 3, AuthPriv). |
| Retry | Number of retries (1 to 10) allowed for the inform request. The default is 2. |
| Timeout | Timeout for the inform request in seconds (1 to 1000). The default is 15. |
Step 23
Click Submit to save the settings.
To delete an SNMP host, click the Edit icon for the host, then click the Delete icon in the task bar.
Step 24
From the left-panel menu, click Asset Tag. The SNMP Asset Tag page is displayed.
Step 25
In the Asset Tag Name field, enter a name for the asset tag and click Submit.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Step 26
From the left-panel menu, click Contact. The SNMP Contact page is displayed.
Step 27
In the Contact field, enter the name of the contact person for this device.
Step 28
In the Location field, enter the location of the contact person for this device.
Step 29
Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Supported MIBs
The SNMP agent supports the following MIBs:
-
ENTITY-MIB (RFC 2037, Revision 199610310000Z)
-
MIB-II (RFC 1213)
-
HOST-RESOURCES-MIB (RFC 2790; the hrSWInstalled and hrPrinterTable subgroups are not supported)
-
CISCO-ENTITY-ASSET-MIB
-
CISCO-CONFIG-MAN-MIB (Revision 9511280000Z)
-
CISCO-SERVICE-ENGINE-MIB (supports streaming media-related MIB objects)
ENTITY-MIB, MIB-II, and HOST-RESOURCES-MIB are publicly available MIBs.
To download a copy of the CISCO-SERVICE-ENGINE-MIB, do the following:
Step 1
Choose System > CDS-IS Files > SNMP MIB. The CISCO_SERVICE-ENGINE-MIB.my file is listed.
Step 2
Click one of the following links:
-
CISCO_SERVICE-ENGINE-MIB.my
-
CISCO_CDS_SERVICE_ROUTING_MIB.my
Your browser displays a dialog box asking whether you want to open or save the file.
Step 3
Choose the appropriate option: either open or save the file.
The CISCO-SERVICE-ENGINE-MIB is extended to incorporate MIB objects related to streaming. The WMT and Movie Streamer groups incorporate statistics about the WMT server or proxy and about Movie Streamer. The Flash Media Streaming group incorporates statistics about the Flash Media Streaming protocol engine. For each 64-bit counter MIB object, a 32-bit counter MIB object is also implemented so that SNMP clients using SNMPv1 can retrieve data associated with 64-bit counter MIB objects. The MIB objects of each of these groups are read-only.
-
The WMT MIB group provides statistics about WMT proxy and server performance. Twenty-eight MIB objects are implemented in this group. Six of these MIB objects are implemented as 64-bit counters.
-
The Movie Streamer MIB group provides statistics about RTSP streaming engine performance. Seven MIB objects are implemented in this group. Two of these MIB objects are implemented as 64-bit counters.
-
The Flash Media Streaming MIB group provides statistics about HTTP and RTMP streaming engine performance.
The CISCO_CDS_SERVICE_ROUTING_MIB.my provides object identifiers (OIDs) for Service Router statistics. All the OIDs in the MIB are for querying only; no traps have been added to this MIB. The Service Router MIB provides two groups, cdssrStatsGroup and cdssrServiceMonitorGroup, which contain OIDs for the statistics from the show statistics service-router summary/dns/history/se/content-origin command and the show service-router service-monitor command.
Use the following link to access the CISCO-ENTITY-ASSET-MIB and the CISCO-CONFIG-MAN-MIB:
ftp://ftp.cisco.com/pub/mibs/v2/
Note If your browser is located behind a firewall, or you are connecting to the Internet with a DSL modem and are unable to access this folder, you must change your web browser compatibility settings. In the Internet Explorer (IE) web browser, choose Tools > Internet Options > Advanced, and check the Use Passive FTP check box.
Enabling System Logs
Use the System Logs page to set specific parameters for the system log file (syslog). This file contains authentication entries, privilege level settings, and administrative details. System logging is always enabled. By default, the system log file is stored as /local1/syslog.txt.
To enable system logging, do the following:
Step 1
Choose Devices > Devices > General Settings > Notification and Tracking > System Logs. The System Log Settings page is displayed.
Step 2
Enter the settings as appropriate. See Table 4-49 for a description of the fields.
Table 4-49 System Logs Settings Fields

| Destination | Field | Description |
|---|---|---|
| System logs | Enable | Enables system logs. |
| System logs | Facility | Facility where the system log is sent. |
| Console | Enable | Enables sending the system log to the console. |
| Console | Priority | Severity level of the messages that should be sent to the console. The default priority is warning. The priorities, from most to least severe, are: Emergency (system is unusable), Alert (immediate action needed), Critical (critical condition), Error (error conditions), Warning (warning conditions), Notice (normal but significant conditions), Information (informational messages), Debug (debugging messages). |
| Disk | Enable | Enables saving the system logs to disk. |
| Disk | File Name | Path and filename where the system log file is stored on the disk. The default is /local1/syslog.txt. |
| Disk | Priority | Severity level of the messages that should be written to the system log file. |
| Disk | Recycle | The maximum size of the system log file before it is recycled. The default is 10000000 bytes. |
| Host | Enable | Enables sending the system log file to a host. You can configure up to four hosts. |
| Host | Hostname | A hostname or IP address of a remote syslog host. |
| Host | Priority | Severity level of the messages that should be sent to the specified remote syslog host. |
| Host | Port | The destination port on the remote host. The default is 514. |
| Host | Rate Limit | The message rate per second. To limit bandwidth and other resource consumption, messages can be rate limited. If this limit is exceeded, the remote host drops the messages. There is no default rate limit, and by default all system log messages are sent to all syslog hosts. |
Step 3
Click Submit to save the settings.
Multiple Hosts for System Logging
Each syslog host can receive different priority levels of syslog messages. Therefore, you can configure different syslog hosts with a different syslog message priority code to enable the device to send varying levels of syslog messages to the four external syslog hosts.
However, if you want to achieve syslog host redundancy or failover to a different syslog host, you must configure multiple syslog hosts on the device and assign the same priority code to each configured syslog host.
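The per-host Priority and Rate Limit fields in Table 4-49 and the redundancy advice above combine into a simple fan-out rule: a host receives a message when the message is at least as severe as the host's priority, and then only while the host's per-second limit is not exhausted. The following is an added example, not the device's own implementation, that models that rule for a constructed set of hosts (two collectors with the same priority for redundancy, one debug collector). Severities use the syslog order from the table, emergency (0) through debug (7). The guide says only that messages above the rate limit are dropped; enforcing the limit as a fixed one-second window is an assumption made here.

```python
"""Syslog fan-out by per-host priority and rate limit (added example).

Assumption: the rate limit is a fixed one-second window counter; the
guide does not say how the device or the remote host measures the rate.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Syslog severities in the order listed in Table 4-49, most severe first.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "information": 6, "debug": 7}


@dataclass
class SyslogHost:
    hostname: str
    priority: str = "warning"         # default priority from the guide
    port: int = 514                   # default port from the guide
    rate_limit: Optional[int] = None  # messages per second; None = no limit
    window: int = field(default=-1, init=False, repr=False)
    count: int = field(default=0, init=False, repr=False)

    def accepts(self, severity: str, now: float) -> bool:
        """Priority filter first, then the per-second rate limit."""
        if SEVERITY[severity] > SEVERITY[self.priority]:
            return False  # less severe than the configured priority
        if self.rate_limit is None:
            return True
        window = int(now)
        if window != self.window:
            self.window, self.count = window, 0  # new one-second window
        if self.count >= self.rate_limit:
            return False  # over the limit: dropped
        self.count += 1
        return True


def fan_out(hosts: List[SyslogHost], severity: str, now: float) -> List[str]:
    """Return the hostnames that receive a message of the given severity at time `now`."""
    return [h.hostname for h in hosts if h.accepts(severity, now)]


def build_sample_hosts() -> List[SyslogHost]:
    """Constructed configuration: two redundant collectors plus a debug sink."""
    return [
        SyslogHost("siem-a.example.test", priority="warning", rate_limit=2),
        SyslogHost("siem-b.example.test", priority="warning", rate_limit=2),  # same priority: redundancy
        SyslogHost("debug-collector.example.test", priority="debug"),
    ]


if __name__ == "__main__":
    hosts = build_sample_hosts()
    for t, sev in [(100.0, "error"), (100.2, "notice"), (100.5, "critical"), (100.9, "alert"), (101.0, "alert")]:
        print(t, sev, fan_out(hosts, sev, t))
```

The trace in `__main__` shows the failure mode worth knowing about: with a rate limit of 2 per second, the third severe message within the same second reaches only the unlimited debug collector, so a burst of alerts can be lost on the hosts that matter most unless the limit is sized for bursts.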
Configuring Troubleshooting
The Kernel Debugger troubleshooting page allows you to enable or disable access to the kernel debugger. Once enabled, the kernel debugger is automatically activated when kernel problems occur.
Note The “hardware watchdog” is enabled by default and automatically reboots a device that has stopped responding for over ten minutes. Enabling the kernel debugger disables the “hardware watchdog.”
If the device runs out of memory and the kernel debugger (KDB) is enabled, the KDB is activated and dumps information. If the KDB is disabled and the device runs out of memory, the syslog records only the dump information and the device reboots.
Enabling the Kernel Debugger
To enable the kernel debugger, do the following:
Step 1
Choose Devices > Devices > General Settings > Troubleshooting > Kernel Debugger. The Kernel Debugger window appears.
Step 2
To enable the kernel debugger, check the Enable check box, and click Submit.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
For information about monitoring the SEs, see the “Device Monitoring” section.
Configuring Service Router Settings
The keep-alive interval is used by the SE to send keep-alive messages to the SR. If the SE is configured with more than one streaming interface (multi-port support on a CDE220-2S3i), the keepalives are sent for each streaming interface.
To configure the keep-alive interval the SE uses for messages to this SR, do the following:
Step 1
Choose Devices > Devices > General Settings > Service Routing Settings. The Service Routing Settings page is displayed.
Step 2
In the Keepalive-Interval field, enter the number of seconds the messages from the SR should be kept alive on this SE. The range is from 1 to 120. The default is 2.
Step 3
Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
Configuring the Service Router
Configuring a Service Router (SR) consists of the following procedures:
For information on configuring the general settings, except last-resort routing and transaction logging, see the “General Settings” section.
Activating a Service Router
Activating an SR can be done through the Devices home page initially, or through the Device Activation page.
To activate an SR from the Device Activation page, do the following:
Step 1
Choose Devices > Devices. The Devices Table page is displayed.
Step 2
Click the Edit icon next to the SR you want to configure. The Devices home page is displayed.
Step 3
Click Show All to display the top-level menu options, and choose Device Activation. The Device Activation page is displayed.
Step 4
Enter the settings as appropriate. See Table 4-50 for a description of the fields.
Table 4-50 Service Router Activation Fields

| Field | Description |
|---|---|
| Name | Name of the device. |
| Location | The Location drop-down list lists all the locations configured for the CDS. |
| Activate | To activate or deactivate the device, check or uncheck the Activate check box. Alternatively, you can click the Deactivate Device icon in the task bar. When you uncheck the Activate check box and click Submit, the Replaceable check box is displayed. Check the Replaceable check box when you need to replace the device or recover lost registration information. For more information, see the “Recovering CDS Network Device Registration Information” section. |
| Server Offload | To offload this device for maintenance or a software upgrade, check the Server Offload check box. When checked, the Service Router stops processing client requests. When the SR is marked as inactive or is marked with server offload on the CDSM, it stops responding to DNS queries. Instead, the SR sends a SERVFAIL error as the DNS response, and for RTSP/HTTP requests, the SR sends a 503 Service Unavailable message. To monitor the current activity on an SR during the Server Offload state, use the show interface command. If the packets received or packets sent counter is increasing, the SR is still processing client requests. Note We recommend separating the management traffic from the client request traffic by using the port channel configuration; see the “Configuring Port Channel” section for more information. If management and client request traffic are separated, the show interface command for the client request port channel displays information on active sessions. If management and streaming traffic are not separated, the show interface command shows very low traffic; the packets received and packets sent counts are lower than for a client request session. Once the SR has finished processing client requests, you can perform maintenance or upgrade the software on the device. For information about upgrading the software, see the “Upgrading the Software” section. The Status field on the Device Activation page and the Devices Table page displays “offloading” when Server Offload is checked. Once the software upgrade or maintenance is complete, uncheck the Server Offload check box so that the device can again participate in the system. |
| Work Type | From the Work Type drop-down list, choose SR & Proximity Engine if you want to enable the Proximity Engine; otherwise, choose Service Router only. For more information, see the “Configuring the Proximity Server Settings” section. |
| Coverage Zone File | To have a local Coverage Zone file override the CDS network-wide Coverage Zone file, choose a file from the Coverage Zone drop-down list. See the “Coverage Zone File Registration” section for information about creating and registering a Coverage Zone file. Otherwise, choose None. |
| Enable CDN Selector | To enable CDN Selector, check the Enable CDN Selector check box. Note CDN Selector is an early field trial (EFT) feature. |
| CDN Selector File | The CDN Selector File drop-down list is populated with the CDN Selector files that are registered to the CDSM. See the “CDN Selector File Registration” section for information on registering a CDN Selector file. The CDN Selector must be enabled on the SR. See Appendix E, “Creating CDN Selector Files,” for information on creating a CDN Selector file. Note CDN Selector is an EFT feature. |
| Use SR’s primary IP address | Enables the CDSM to use the IP address on the primary interface of the SR for management communications. Note If the Use SR’s primary IP Address for Management Communication check box is checked and the Management Communication Address and Port are configured, the CDSM uses the SR’s primary IP address for communication. Note Do not check the Use SR’s primary IP Address for Management Communication check box if you want to separate management and streaming traffic. Instead, use the Management Communication Address and Port fields to specify where management traffic should be sent. |
| Management Communication Address | Manually configures a management IP address for the CDSM to communicate with the SR. Manual configuration of the management IP address and port is used when a port channel configuration separates management and streaming traffic. For more information about port channel configuration, see the “Configuring Port Channel and Load Balancing Settings” section and the “Configuring Port Channel” section. |
| Management Communication Port | Port number to enable communication between the CDSM and the SR. |
| Comments | Information about the settings. |
Step 5
Click Submit to save the settings.
Configuring Routing Settings
The Routing Settings pages provide settings for the Request Routing Engine and the Proximity Engine. Configuring the Service Router engines consists of the following procedures:
The Service Router has two engines, the Request Routing Engine and the Proximity Engine.
The Proximity Engine contains the functionality of the Proximity Servers used for proximity-based routing. For more information, see the “Service Router” section.
Configuring Request Routing Settings
To configure the Request Routing Settings, do the following:
Step 1
Choose Devices > Devices > Routing Settings > Request Routing Settings > General Settings. The Request Routing Settings page is displayed.
Step 2
Enter the settings as appropriate. See Table 4-51 for a description of the fields.
Table 4-51 Request Routing Settings—General Settings Fields

| Field | Description |
|---|---|
| Enable Location Based Routing | When location-based routing is enabled, the Service Router first looks up the client’s IP address in the Coverage Zone file. If no subnet in the Coverage Zone file matches the client’s IP address, the client’s geographical location is compared to the geographical location of the Service Engines listed in the Coverage Zone file, and the closest and least-loaded Service Engine is selected. Geographically locating a client is used when users roam outside of their home networks. |
| Location Cache Timeout | Enter the timeout interval (in seconds) that a response from the Geo-Location server is stored in the SR cache. The SR caches information from the Geo-Location server during the first request so that further requests can be served from cache instead of contacting the Geo-Location server. The default is 691200. The range is 0 to 864000. If the Location Cache Timeout is 0, the response from the Geo-Location server is not cached in the SR. |
| Primary Geo-Location Server IP Address and Port | The IP address and port number of the primary Geo-Location Server for location-based routing and CDN Selector. For more information, see the “Geo-Location Servers” section. |
| Secondary Geo-Location Server IP Address and Port | The IP address and port number of the secondary Geo-Location Server. |
| Enable Content Based Routing | When enabled, the SR redirects requests based on the URI. Requests for the same URI are redirected to the same SE, provided the SE’s thresholds have not been exceeded. This optimizes disk usage in the CDS by storing only one copy of the content on one SE, instead of multiple copies on several SEs. For more information about content-based routing, see the “Content-Based Routing” section. |
| Number of Redundant Copies | Number of copies of a content item to keep among SEs in a delivery service. The range is from 1 to 4. The default is 1. If redundancy is configured with more than one copy, multiple Service Engines are picked for a request with the same URI hash. |
| Enable Proximity Based Routing | When enabled, the SR contacts the Proximity Server with the client IP address and a list of SEs. The Proximity Server returns a list of SEs ordered by distance or metric, and provides a client subnet mask. The SR caches this information for this client. The SR redirects the client request to the selected SE, which is chosen based on load, availability, and delivery service subscription. To configure a standalone Proximity Engine, see the Cisco Internet Streamer CDS 2.6 Command Reference. To configure a collocated Proximity Engine, see the “Configuring the Proximity Server Settings” section. For more information, see the “Proximity-Based Routing” section. |
| Proximity Cache Timeout | The maximum number of seconds the proximity response from the Proximity Server is valid for a client subnet. After the Proximity Cache Timeout period has elapsed, any new request from the same client subnet causes the SR to query the Proximity Server for a new proximity response. The range is from 1 to 86400. The default is 1800. Proximity ratings for overlapping subnets are not cached. |
| Hostname [1-8] | The IP address of the Proximity Server. If you are using the collocated Proximity Engine as one of the Proximity Servers, enter 127.0.0.1 as the IP address. The selection of the Proximity Server is based on the lowest IP address. If there is only one Proximity Server, the SR uses that server. If another Proximity Server is configured with an IP address lower than the first one, the SR sends a request to the newly configured Proximity Server, and if it responds, the SR uses the new Proximity Server with the lower IP address. For more information on configuring the Proximity Engine, see the “Configuring the Proximity Server Settings” section. |
Step 3
Click Submit to save the settings.
To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.
To remove the settings from the device, click the Remove Settings icon in the task bar.
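Table 4-51 describes content-based routing as a hash of the URI that always lands on the same SE (or, with Number of Redundant Copies greater than 1, the same small set of SEs), skipping any SE whose threshold has been exceeded. The following added example, which is not the Service Router's own algorithm, shows one way to get exactly those properties with rendezvous (highest-random-weight) hashing: each SE scores every URI with a SHA-256 of the pair, the top N scores are the copy holders, and the request goes to the least-loaded healthy holder. The hash construction, the 0.0 to 1.0 load model with a per-SE threshold, and the fallback to any healthy SE when every holder is over threshold are all assumptions; the guide states only the observable behaviour.

```python
"""Content-based routing with N redundant copies (added example).

Assumptions: rendezvous hashing over SHA-256(uri, se_name) selects the
copy holders; load is a 0.0..1.0 fraction checked against a threshold;
when all holders are over threshold the request falls back to the least
loaded healthy SE. The guide does not specify any of these details.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ServiceEngine:
    name: str
    load: float           # current load as a fraction of capacity, 0.0 .. 1.0
    threshold: float = 0.9

    @property
    def healthy(self) -> bool:
        return self.load < self.threshold


def _weight(uri: str, se_name: str) -> int:
    """Per-(URI, SE) score; the highest scores identify the SEs that hold copies."""
    digest = hashlib.sha256(f"{uri}\0{se_name}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def copy_holders(uri: str, engines: List[ServiceEngine], copies: int) -> List[str]:
    """Names of the SEs that should hold this URI, most preferred first.

    Depends only on the URI and the SE names, so the same URI always maps to
    the same SEs regardless of load, which is what keeps a single copy per SE.
    """
    if not 1 <= copies <= 4:
        raise ValueError("Number of Redundant Copies must be 1 to 4")
    ranked = sorted(engines, key=lambda se: _weight(uri, se.name), reverse=True)
    return [se.name for se in ranked[:copies]]


def route(uri: str, engines: List[ServiceEngine], copies: int) -> Optional[str]:
    """Least-loaded healthy copy holder, or any healthy SE if all holders are over threshold."""
    by_name = {se.name: se for se in engines}
    holders = [by_name[n] for n in copy_holders(uri, engines, copies) if by_name[n].healthy]
    if holders:
        return min(holders, key=lambda se: se.load).name
    spare = [se for se in engines if se.healthy]   # assumption: fall back rather than fail
    return min(spare, key=lambda se: se.load).name if spare else None


if __name__ == "__main__":
    # Constructed delivery service with three SEs.
    fleet = [ServiceEngine("se1", 0.2), ServiceEngine("se2", 0.5), ServiceEngine("se3", 0.8)]
    uri = "http://cdn.example.test/video/intro.mp4"
    print("holders (2 copies):", copy_holders(uri, fleet, 2))
    print("routed to:", route(uri, fleet, 2))
```

Because the ranking is a property of the URI and the SE names, adding or removing one SE moves only the content that hashed to that SE, which is the disk-usage benefit the table describes.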
Geo-Location Servers
The Geo-Location servers work with the following Internet Streamer CDS features:
-
Location-based routing
-
CDN Selector
-
Authorization Service
For location-based routing, the Geo-Location servers identify the latitude and longitude of a client based on the IP address of the client. The Request Routing Engine compares the latitude and longitude of each Service Engine, which is defined in the Coverage Zone file, with the latitude and longitude of the client to assign the Service Engine that is geographically closest to the client. For more information on location-based routing, see the “Location-Based Routing” section and Appendix C, “Creating Coverage Zone Files.”
For CDN Selector, the Geo-Location server identifies the country of a client by the IP address of the client. The CDN Selector compares the client’s country with the countries defined in the CDN Selector file. If the client’s country matches a country specified in the CDN Selector file, the translated URL associated with that CDN is used. If a match is not found, the default CDN and translated URL are used. The Service Router then sends a 307 redirect to the client with the translated URL for the selected third-party streaming service. For more information about CDN Selector, see Appendix E, “Creating CDN Selector Files.”
For Authorization Service, the Geo-Location servers identify the city, state, and country of the client based on the IP address of the client. The Authorization Service on the Service Engine compares the city, state, and country of the client with the city, state, and country defined in the Authorization Service file. If a match is found, the client is either allowed or denied based on what is specified in the Authorization Service file. For more information about configuring the Authorization Service, see the “Configuring the Authorization Service” section.
Caching Geo-Location Server Information
The SR or SE caches the Geo-Location information returned from the Geo-Location servers, and the device (SE or SR) queries its own cache first before contacting the Geo-Location servers. If the IP address of the client is found in the cache on the device, the lookup is performed using that information and the Geo-Location servers are not contacted.
For location-based routing, the SR caches up to 10,000 IP addresses. The IP addresses are discrete, which means they do not describe subnets. By default, the cached information expires after 8 days (691200 seconds). The interval after which the cache expires is configurable by setting the Location Cache Timeout field. If the cache is full, the entries are replaced according to the least recently used (LRU) mechanism.
For CDN Selector, the SR caches information on the country, state, and city of 10,000 clients. The cached information expires after 8 days. If the cache is full, the entries are replaced according to the LRU mechanism.
For Authorization Service, the SE caches information on the country of 10,000 clients. The cached information expires after 8 days. If the cache is full, the entries are replaced according to the LRU mechanism.
Note Currently, there is no command to clear the Geo-Location cache on the device.
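The two-step decision in Table 4-51 (Coverage Zone subnet match first, geographic fallback second) and the cache behaviour described in this section fit in a short model. The following added example, which is not the Service Router's code, implements both: a Coverage Zone lookup in which the most specific matching subnet wins, a Geo-Location cache keyed on discrete client IPs with the Location Cache Timeout (691200 seconds by default, 0 meaning do not cache) and LRU replacement at 10,000 entries, and a nearest-SE choice with load as the tie-break. The Geo-Location server is represented by a caller-supplied lookup function so the example runs offline. Great-circle (haversine) distance and the load tie-break are assumptions; the guide says only "closest and least-loaded" and does not name the metric.

```python
"""Location-based routing with the SR's Geo-Location cache (added example).

Assumptions: haversine distance between client and SE coordinates; ties
broken by lower SE load; the Geo-Location server is modelled by a lookup
callable. Cache limits and timeout default follow the guide.
"""
import ipaddress
import math
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

LatLon = Tuple[float, float]


@dataclass
class CoverageSE:
    name: str
    location: LatLon      # latitude, longitude from the Coverage Zone file
    subnets: List[str]    # client subnets this SE serves directly
    load: float = 0.0


class GeoCache:
    """Discrete-IP cache of Geo-Location answers: TTL plus LRU eviction."""

    def __init__(self, timeout: int = 691200, capacity: int = 10000):
        self.timeout, self.capacity = timeout, capacity
        self._entries: "OrderedDict[str, Tuple[LatLon, float]]" = OrderedDict()

    def get(self, ip: str, now: float) -> Optional[LatLon]:
        hit = self._entries.get(ip)
        if hit is None:
            return None
        loc, stored_at = hit
        if now - stored_at >= self.timeout:
            del self._entries[ip]      # expired after Location Cache Timeout
            return None
        self._entries.move_to_end(ip)  # mark as most recently used
        return loc

    def put(self, ip: str, loc: LatLon, now: float) -> None:
        if self.timeout == 0:
            return                     # timeout 0: responses are not cached
        self._entries[ip] = (loc, now)
        self._entries.move_to_end(ip)
        while len(self._entries) > self.capacity:
            self._entries.popitem(last=False)  # evict least recently used

    def __len__(self) -> int:
        return len(self._entries)


def haversine_km(a: LatLon, b: LatLon) -> float:
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def route_by_location(client_ip: str, engines: List[CoverageSE], cache: GeoCache,
                      geo_lookup: Callable[[str], LatLon], now: float) -> str:
    addr = ipaddress.ip_address(client_ip)
    # Step 1: Coverage Zone subnet match; the most specific subnet wins.
    best: Optional[Tuple[int, CoverageSE]] = None
    for se in engines:
        for net in se.subnets:
            network = ipaddress.ip_network(net)
            if addr in network and (best is None or network.prefixlen > best[0]):
                best = (network.prefixlen, se)
    if best is not None:
        return best[1].name
    # Step 2: geographic fallback, consulting the cache before the Geo-Location server.
    loc = cache.get(client_ip, now)
    if loc is None:
        loc = geo_lookup(client_ip)
        cache.put(client_ip, loc, now)
    return min(engines, key=lambda se: (haversine_km(loc, se.location), se.load)).name


if __name__ == "__main__":
    # Constructed Coverage Zone with two SEs and a fake Geo-Location answer.
    fleet = [CoverageSE("se-sfo", (37.62, -122.38), ["10.1.0.0/16"], 0.4),
             CoverageSE("se-nyc", (40.64, -73.78), ["10.2.0.0/16"], 0.1)]
    cache = GeoCache()
    print(route_by_location("10.2.5.9", fleet, cache, lambda ip: (0.0, 0.0), 0.0))
    print(route_by_location("198.51.100.7", fleet, cache, lambda ip: (34.05, -118.24), 0.0))
```

The cache is what makes the "no command to clear the cache" note operationally relevant: a wrong or stale Geo-Location answer for a client IP keeps steering that client for up to the full timeout, so a shorter Location Cache Timeout is the only lever short of waiting it out.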
Redundant Geo-Location Servers
The CDS offers the ability to configure primary and secondary Geo-Location servers. If the primary server is not reachable, the secondary Geo-Location server is contacted. The secondary Geo-Location server is then used unless it becomes unreachable, in which case the primary Geo-Location server is contacted again. The Geo-Location server configuration determines the time to wait before failing over to the other server. The default is 245 milliseconds.
For all features, location-based routing, CDN Selector, and Authorization Service, the cached client information on the CDS device is checked first before querying the Geo-Location servers.
For location-based routing, if both primary and secondary Geo-Location servers are down, the CDS uses the default route configured through the zero-IP based configuration in the Coverage Zone file. For more information, see the “Zero-IP Based Configuration” section.
For CDN Selector, if both primary and secondary Geo-Location servers are down, the CDS uses the default CDN configured in the CDN Selector file.
For Authorization Service, if both the primary and secondary Geo-Location servers are down, a request denied message is returned to the client. The type of message that is returned depends on the protocol engine (for example, the Flash Media Streaming engine sends “Denied by auth server”). However, the client receives the same denied message from the protocol engine whether the client is denied based on the Authorization Service configuration, or based on the Geo-Location servers being down and the client information not being available in the SE cache.
Communicating with the Geo-Location Servers
The CDS communicates with the Geo-Location servers by using a proprietary version of TCP. The port number used for communication is 7000 by default, but it can be changed as long as the Geo-Location servers and the Internet Streamer CDS devices are configured with the same port number.
Configuring IP-Based Redirection
IP-based redirection uses IP addresses to route client requests to the SR and on to the SE. For more information, see the “IP-Based Redirection” section.
Note The Web Engine does not support IP-based redirection.
To enable IP-based redirection, do the following:
Step 1
Choose
Devices > Devices > Routing Settings > Request Routing Settings > IP-based Redirection
. The IP-based Redirection page is displayed.
Step 2
Check the
Enable IP-based Redirection
check box and click
Submit
.
To apply the factory default settings for the device, click the
Apply Defaults
icon in the task bar.
To remove the settings from the device, click the
Remove Settings
icon in the task bar.
Configuring the Proximity Server Settings
The Proximity Server Settings are available when you choose the
SR & Proximity Engine
as the
Work Type
in the Device Activation page for the SR. See the “Activating a Service Router” section for more information. The Proximity Server Settings pages are only for a Proximity Engine that is collocated with the SR. To configure a standalone Proximity Engine, see the Cisco Internet Streamer CDS 2.6 Command Reference.
To include the Proximity Engine on the SR as one of the Proximity Servers, you must enable proximity-based routing and add 127.0.0.1 as one of the Proximity Servers. See the “Configuring Request Routing Settings” section for more information.
Note The Proximity Engine is only supported on the CDE205 platform.
For more information on the Proximity Engine, see the “Proximity Engine” section.
The Proximity Server Settings for the Proximity Engine consist of the following pages:
-
General Settings—Enables the BGP proximity algorithms
-
IS-IS—Configures IS-IS adjacencies
-
OSPF—Configures the OSPF adjacencies
-
BGP—Configures the location community for the BGP community-based proximity
-
SRP—Configures Service Routing Protocol (SRP)
IGP and BGP peering with the network routers are the basic building blocks of the proximity calculation. The Proximity Engine peers with the routers to learn the network topology and compute the best path for each prefix. Prefixes are deposited into the routing information base (RIB).
Note Although the Proximity Engine participates in both IGP and BGP with the routers, the routes it learns are used only for proximity computation. The Proximity Engine is not a router.
In order for the proximity function to work, at least one of the following is required:
-
An enabled link-state protocol, such as OSPF or IS-IS, for IGP proximity; required if the Proximity Engine is going to peer with IGP routers.
-
An enabled policy routing protocol, such as BGP, for best-path proximity and location-community proximity; required if the Proximity Engine is going to peer with BGP routers.
Note All BGP routes must resolve to IGP next hops or directly connected routes.
Note Only one IGP (IS-IS or OSPF) is supported for the Proximity Engine.
Enabling the BGP Proximity Algorithms
See the “BGP Proximity Algorithms” section for more information.
To enable the BGP proximity algorithms, do the following:
Step 1
Choose
Devices > Devices > Routing Settings > Proximity Server Settings > General Settings
. The Proximity Routing General Settings page is displayed.
Step 2
To enable the BGP best-path proximity, check the
Enable proximity algorithm BGP best-path
check box.
Note The BGP best-path proximity algorithm requires the configuration of the BGP proximity settings. See the “Configuring the BGP Community-based Proximity Settings” section.
Step 3
To enable the BGP community-based proximity, check the
Enable proximity algorithm BGP location-community
check box, and from the
Match mode
drop-down list, select either
Normal
or
Strict
.
The
Strict
option instructs the Proximity Engine to return UINT_MAX as the proximity rating for PTAs that are not associated with the PSA by way of any location-community attribute. This setting is global and applies to all proximity requests. If the PSA is BGP and has no community attributes, all PTAs get the UINT_MAX rating. If the PSA is IGP, this setting does not apply, and the other proximity algorithms, BGP best-path and IGP metric, are used to rate the PTAs in the proximity request.
The
Normal
option retains the normal functioning of the BGP proximity algorithm.
Step 4
To enable the BGP redirect proximity, check the
Enable proximity algorithm BGP redirect
check box.
Note The redirect proximity algorithm requires the configuration of the BGP and the SRP proximity settings. See the “Configuring the BGP Community-based Proximity Settings” section and the “Configuring SRP” section for more information.
Step 5
Click
Submit
.
To remove the settings, click the
Delete
icon.
To restore the default settings, click the
default settings
icon.
Configuring the IS-IS Adjacencies
The Proximity IS-IS page allows the Proximity Engine to establish an adjacency with its directly connected neighbor and to receive the whole LSDB content. Protocol parameters, such as the IS type and the IS network entity title (NET), vary according to network topology and deployment.
IS-IS is a link-state routing protocol for IGP. Its protocol stack runs directly on Layer 2. The main characteristic of link-state protocols is that every node in the network holds an exact view of the routing topology, which gives faster convergence than distance-vector protocols. Each node in the network generates a Link State Packet (LSP) to describe its neighbors, and the LSP is flooded to every node in the network. Reliable flooding is obtained through the Complete Sequence Number Packet (CSNP), which the Designated Router (DR) sends periodically on the LAN. The CSNP describes all the LSPs that the DR holds; a receiver compares it against its own database and requests the missing LSPs from the DR. Each node uses Dijkstra’s algorithm (shortest path first [SPF]) to compute routes from the LSPs. The routes are then added into the routing information base (RIB).
Note Only one IGP (IS-IS or OSPF) is supported for the Proximity Engine.
To configure the IS-IS adjacencies, do the following:
Step 1
Choose
Devices > Devices > Routing Settings > Proximity Server Settings > IS-IS > General Settings
. The Proximity IS-IS page is displayed.
Step 2
To enable IS-IS adjacencies, check the
Enable
check box and click
Submit
. The Create new Proximity IS-IS Interface icon is displayed.
Step 3
Enter the settings as appropriate. See
Table 4-52
for a description of the fields.
Table 4-52 Proximity IS-IS Fields
|
|
Network Entity
|
Enter the Network Entity (network entity title [NET]) for the Connectionless Network Service (CLNS). Under most circumstances, one and only one NET must be configured. A NET is a network service access point (NSAP) address of 8 to 20 bytes whose last byte, the n-selector, is always zero.
The six bytes directly in front of the n-selector are the system ID. The system ID length is fixed and cannot be changed. The system ID must be unique throughout the area (Level 1) and throughout the backbone (Level 2). All bytes in front of the system ID are the area ID, which must match the area ID of the IS-IS router that the Proximity Engine is peering with.
A NET must be configured to define the system ID and area ID.
|
Enable log-adjacency-changes
|
Check the
Enable log-adjacency-changes
check box to enable logging of changes to adjacency. When enabled, syslog messages are sent whenever an IS-IS neighbor goes up or down.
|
LSP MTU
|
Set the maximum transmission unit (MTU) size, in bytes, for link state packets (LSPs). The LSP MTU size describes the amount of information that can be recorded in a single LSP. The LSP MTU range is from 128 to 4352. If the LSP MTU is not configured, the default is used. The default is 1492.
|
IS-Type
|
From the
IS-Type
drop-down list, choose one of the following routing algorithms:
-
level-1
—Level 1 is intra-area. The Proximity Engine learns only about destinations inside its area.
-
level-1-2
—The Proximity Engine runs both the Level 1 and Level 2 routing algorithms.
For Level 1, it has one link state packet database (LSDB) for destinations inside the area (Level 1) and runs a shortest path first (SPF) calculation to discover the area topology.
For Level 2, it also has another LSDB with link-state packets (LSPs) of all other backbone (Level 2) routers, and runs another SPF calculation to discover the topology of the backbone, and the existence of all other areas.
-
level-2
—The Proximity Engine communicates with Level 2 (inter-area) routers only. The Proximity Engine is part of the backbone and does not communicate with Level 1-only routers in its own area.
The default is
level-1-2
.
|
Authentication Type [Level-1 or Level-2]
|
From the
Authentication Type Level-1
drop-down list or the
Authentication Type Level-2
drop-down list, choose one of the following authentication types for the corresponding level:
-
None
—Do not use MD-5 authentication
-
cleartext
—Do not encrypt the key
-
md5
—Encrypt the key
|
Enable Authentication Check
[Level-1 or Level-2]
|
To enable authentication check for Level 1, check the
Enable Authentication Check Level-1
check box. To enable authentication check for Level 2, check the
Enable Authentication Check Level-2
check box.
When enabled, packets that do not have the proper authentication are discarded. When disabled, IS-IS adds authentication to the outgoing packets, but does not check authentication on incoming packets, which allows for enabling authentication without disrupting the network operation.
|
Authentication KeyChain
[Level 1 or Level-2]
|
Specify the key chain to be used for the authentication for the corresponding level. The key chain can be up to 64 alphanumeric characters.
|
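The NET rules in the Network Entity row of Table 4-52 (8 to 20 bytes, last byte is the n-selector and must be zero, six-byte system ID in front of it, everything else is the area ID, and the area ID must match the peer router's) are easy to get wrong by hand. The following is an added Python example, not Cisco code, that parses a dotted NET and applies those checks; the sample NETs are constructed for the demo.

```python
"""Added example, not Cisco code: parse and validate an IS-IS NET as described
in Table 4-52. Sample NETs are constructed for the demo."""

import re


def parse_net(net):
    """Return (area_id_hex, system_id_hex) for a dotted NET such as
    49.0001.1921.6800.1001.00, raising ValueError when the NET is malformed."""
    hexdigits = net.replace(".", "")
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexdigits) or len(hexdigits) % 2:
        raise ValueError(f"NET must be whole hex bytes: {net!r}")
    octets = bytes.fromhex(hexdigits)
    if not 8 <= len(octets) <= 20:
        raise ValueError(f"NET must be 8 to 20 bytes, got {len(octets)}: {net!r}")
    # last byte is the n-selector; the six before it are the system ID;
    # whatever is left in front is the area ID
    nsel, system_id, area_id = octets[-1], octets[-7:-1], octets[:-7]
    if nsel != 0:
        raise ValueError(f"n-selector (last byte) must be 00: {net!r}")
    return area_id.hex(), system_id.hex()


def areas_match(local_net, peer_net):
    """True when the Proximity Engine's area ID equals the peer router's area ID."""
    return parse_net(local_net)[0] == parse_net(peer_net)[0]


def duplicate_system_ids(nets):
    """System IDs that appear more than once; each must be unique in its area/backbone."""
    seen, dupes = set(), set()
    for net in nets:
        sid = parse_net(net)[1]
        if sid in seen:
            dupes.add(sid)
        seen.add(sid)
    return sorted(dupes)
```

Run `areas_match` with the Proximity Engine's NET and the NET of the router it will peer with before submitting the page; a mismatch means the adjacency will not form.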
Step 4
Click
Submit
. The
Create new Proximity IS-IS Interface
icon is displayed.
To delete the IS-IS configuration, click the
Delete
icon.
Step 5
To configure the proximity IS-IS interface, click the
Create new Proximity IS-IS Interface
icon. The Proximity IS-IS Interface page is displayed.
Step 6
From the
Name
drop-down list, choose an interface to configure for IS-IS. The number of available interfaces depends on the CDE.
Step 7
Enter the settings as appropriate. See
Table 4-53
for a description of the fields.
Table 4-53 Proximity IS-IS Interface Fields
|
|
Enable IP IS-IS router
|
Check the
Enable IP IS-IS router
check box to enable IS-IS routing protocol on this interface.
|
IS-IS Priority for level-1
|
Enter the IS-IS Level 1 (intra-area) priority of this interface. The higher the priority value, the more likely a router is to become the designated router (DR) in the Level 1 area; because the Proximity Engine is not a router, make sure the priority is low enough that it does not interfere with the election of the DR. The
IS-IS Priority for level-1
range is from 0 to 127. The default is 64.
|
IS-IS Priority for level-2
|
Enter the IS-IS Level 2 (inter-area) priority of this interface. The higher the priority value, the more likely a router is to become the designated router (DR) in the Level 2 area; because the Proximity Engine is not a router, make sure the priority is low enough that it does not interfere with the election of the DR. The
IS-IS Priority for level-2
range is from 0 to 127. The default is 64.
|
IS-IS Circuit Type
|
From the
IS-IS Circuit Type
drop-down list, choose one of the following adjacency levels:
-
level-1
—For Level 1 adjacency
-
level-1-2
—For Level 1 and Level 2 adjacency.
-
level-2
—For Level 2 adjacency.
The default is
level-1-2
.
|
IS-IS Authentication Type [Level-1 or Level-2]
|
From the
Authentication Type Level-1
drop-down list or the
Authentication Type Level-2
drop-down list, choose one of the following authentication types for the corresponding level:
-
None
—Do not use MD-5 authentication
-
cleartext
—Do not encrypt the key
-
md5
—Encrypt the key
|
Enable IS-IS Authentication Check
[Level-1 or Level-2]
|
To enable authentication check for Level 1, check the
Enable Authentication Check Level-1
check box. To enable authentication check for Level 2, check the
Enable Authentication Check Level-2
check box.
When enabled, packets that do not have the proper authentication are discarded. When disabled, IS-IS adds authentication to the outgoing packets, but does not check authentication on incoming packets, which allows for enabling authentication without disrupting the network operation.
|
IS-IS Authentication KeyChain
[Level 1 or Level-2]
|
Specify the key chain to be used for the authentication for the corresponding level. The key chain can be up to 64 alphanumeric characters.
|
Step 8
Click
Submit
.
To delete an IS-IS interface configuration, click the
Edit
icon for the interface, then click the
Delete
icon in the task bar.
Step 9
Repeat Step 5 through Step 8 for each IS-IS interface.
Step 10
To configure the MD-5 key chains for IS-IS, choose
Devices > Devices > Routing Settings > Proximity Server Settings > IS-IS > MD5 Settings
. The IS-IS Keychain page is displayed.
Step 11
Click the
Create new KeyChain
icon. The Creating New KeyChain page is displayed.
Step 12
In the
Key ID
field, enter the identifier for the keychain and click
Submit
. The page refreshes.
The Key ID identifies the key chain, which can hold multiple keys, each with its own key ID.
Step 13
Click the
Create New KeyChain Key
icon. The KeyChain Key page is displayed.
Step 14
In the
Key ID
field, enter the key ID. The range is from 0 to 65535.
Step 15
In the
Key String
field, enter the key string to be used for authentication. The key string can be up to 64 alphanumeric characters, except a space, single (‘) and double quotes (“), and the “|” symbol.
Configuring the OSPF Adjacencies
The Proximity OSPF page allows the Proximity Engine to establish an adjacency with its directly connected neighbor (router) to receive the whole LSDB content. Other OSPF settings depend on network topology, deployment and configuration of neighbor nodes.
OSPF is a link-state routing protocol for IGP. It runs on top of the IP protocol stack. Each node describes its neighbors in link state advertisement (LSA) packets. The LSAs are flooded throughout the OSPF nodes. Each node uses shortest path first (SPF) to compute routes from the LSAs. The routes are then deposited into the RIB.
Note Only one IGP (IS-IS or OSPF) is supported for the Proximity Engine.
To configure the OSPF adjacencies, do the following:
Step 1
Choose
Devices > Devices > Routing Settings > Proximity Server Settings > OSPF
. The Proximity OSPF page is displayed.
Step 2
To enable OSPF adjacencies, check the
Enable
check box and click
Submit
. The Create new Proximity OSPF Network, Proximity OSPF Area, and Proximity OSPF Interface icons are displayed.
To delete the OSPF configuration, click the
Delete
icon.
Step 3
Check the
Enable log-adjacency-changes
check box to enable logging changes to the adjacency and click
Submit
.
To delete the OSPF configuration, click the
Delete
icon.
Step 4
To configure the proximity OSPF network, click the
Create new Proximity OSPF Network
icon. The Proximity OSPF Network page is displayed.
Step 5
Enter the settings as appropriate. See
Table 4-54
for a description of the fields.
Table 4-54 Proximity OSPF Network Fields
|
|
IP Prefix
|
IP address that is used in combination with the
Wildcard Mask
to produce the IP prefix. The IP prefix, which is the combination of the IP address and the mask, defines the OSPF network area.
|
Wildcard Mask
|
The wildcard mask is used with the
IP Prefix
to define the area on this network. The mask contains wildcard bits, where 0 is a match bit and 1 is a "do not care" bit; for example, 0.0.255.255 indicates a match on the first two bytes of the network number.
|
Area ID
|
Identifier of the area that the IP prefix defines. The identifier can be specified as either a decimal value or an IP address. Valid entries are from 0 to 4294967295; an IP address (A.B.C.D) can be used if you intend to associate areas with IP subnets.
Each area is interface specific. For OSPF to operate on an OSPF interface, the primary address of the interface must be covered by the network area. The Proximity Engine sequentially evaluates the IP Prefix/Wildcard Mask pair for each interface as follows:
1. The Wildcard Mask is logically ORed with the OSPF interface IP address.
2. The Wildcard Mask is logically ORed with the IP Prefix.
3. The software compares the two resulting values. If they match, OSPF is enabled on the associated interface, and the interface is attached to the specified OSPF area.
There is no limit to the number of network areas that can be configured.
Note An interface can only be associated to a single area. If the address ranges specified for different areas overlap, the software adopts the first area in the list and ignores the subsequent overlapping portions. In general, we recommend that you configure address ranges that do not overlap to avoid inadvertent conflicts.
When a smaller OSPF network area is removed, the OSPF interfaces belonging to that network area are retained and remain active if a larger network area that encompasses those interfaces still exists. Interfaces that are part of a larger area are removed and become part of another area only if the other area is a smaller area (subset) of the larger area.
|
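The three-step evaluation in the Area ID row of Table 4-54, as an added Python example that is not Cisco code: each (IP Prefix, Wildcard Mask, Area ID) entry is tried in configured order, and an interface joins the first area whose prefix, ORed with the wildcard mask, equals the interface address ORed with the same mask. It also reports overlapping entries, the situation the Note warns about, where the first entry silently wins. Interface names, addresses and area entries are constructed for the demo.

```python
"""Added example, not Cisco code: OSPF network-area evaluation from Table 4-54.
Interface names, addresses and area entries are constructed for the demo."""

import ipaddress


def _as_int(address):
    return int(ipaddress.IPv4Address(address))


def ospf_area_for(interface_ip, network_areas):
    """Area ID of the first matching entry, or None when no entry covers the address.
    network_areas is a list of (ip_prefix, wildcard_mask, area_id) in configured order."""
    ip = _as_int(interface_ip)
    for prefix, wildcard, area_id in network_areas:
        wc = _as_int(wildcard)              # 0 bits must match, 1 bits are "do not care"
        if (ip | wc) == (_as_int(prefix) | wc):
            return area_id
    return None


def assign_areas(interfaces, network_areas):
    """Map each interface name to the area it joins (None = OSPF not enabled on it)."""
    return {name: ospf_area_for(ip, network_areas) for name, ip in interfaces.items()}


def overlapping_entries(network_areas):
    """Index pairs (i, j) whose address ranges overlap, i.e. some address matches both.
    Two entries overlap when their prefix bits agree wherever both masks demand a match."""
    overlaps = []
    for i in range(len(network_areas)):
        p1, w1, _ = network_areas[i]
        for j in range(i + 1, len(network_areas)):
            p2, w2, _ = network_areas[j]
            both_fixed = ~(_as_int(w1) | _as_int(w2)) & 0xFFFFFFFF
            if (_as_int(p1) & both_fixed) == (_as_int(p2) & both_fixed):
                overlaps.append((i, j))
    return overlaps
```

In the constructed sample below, a 10.1.0.0/0.0.255.255 entry listed before a 10.0.0.0/0.255.255.255 entry overlaps it: an interface at 10.1.2.3 joins the first area and never the second, exactly as the Note describes.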
Step 6
Click
Submit
.
To delete an OSPF network configuration, click the
Edit
icon for the network, then click the
Delete
icon in the task bar.
Step 7
Repeat Step 4 through Step 6 for each OSPF network.
To delete an OSPF network, click the OSPF network to display the settings and click the
Delete
icon.
Step 8
To configure the proximity OSPF area, click the
Create new Proximity OSPF Area
icon. The Proximity OSPF Area page is displayed.
Step 9
Enter the settings as appropriate. See
Table 4-55
for a description of the fields.
Table 4-55 Proximity OSPF Area Fields
|
|
Area ID
|
Enter an Area ID that was defined in the Proximity OSPF Network page.
|
Type
|
Choose one of the following area types:
-
NSSA (not-so-stubby area)—For areas that include an autonomous system boundary router (ASBR) that generates type 7 LSAs and an area border router (ABR) that translates them into type 5 LSAs.
-
Stub—An area with only one OSPF router that does not contain an ASBR.
|
Step 10
Click
Submit
.
To delete an OSPF area configuration, click the
Edit
icon for the area, then click the
Delete
icon in the task bar.
Step 11
Repeat Step 8 through Step 10 for each OSPF area.
To delete an OSPF area, click the OSPF area to display the settings and click the
Delete
icon.
Step 12
To configure the proximity OSPF interface, click the
Create new Proximity OSPF Interface
icon. The Proximity OSPF Interface page is displayed.
Step 13
From the
Name
drop-down list, choose an interface to configure for OSPF. The number of available interfaces depends on the CDE.
Step 14
In the
OSPF Priority
field, enter the OSPF priority. The range is 0 to 255. The default is 1.
The highest OSPF priority on a segment becomes the designated router (DR) for that segment. A priority value of zero indicates an interface which is not to be elected as DR or backup designated router (BDR).
Step 15
Click
Submit
.
To delete an OSPF interface configuration, click the
Edit
icon for the interface, then click the
Delete
icon in the task bar.
Step 16
Repeat Step 12 through Step 15 for each OSPF interface.
Configuring the BGP Community-based Proximity Settings
A BGP community is a group of prefixes that share some common property and can be configured with the BGP community attribute. The BGP community attribute is an optional transitive attribute of variable length. The attribute consists of a set of four octet values that specify a community. The community attribute values are encoded with an autonomous system (AS) number in the first two octets, with the remaining two octets defined by the AS. A prefix can have more than one community attribute. A BGP speaker that sees multiple community attributes in a prefix can act based on one, some, or all the attributes.
See the “BGP Proximity Algorithms” section for more information.
To configure the BGP community-based proximity settings, do the following:
Step 1
Choose
Devices > Devices > Routing Settings > Proximity Server Settings > BGP
. The Proximity BGP page is displayed.
Step 2
In the
Local AS Number
field, enter the autonomous system (AS) number that identifies the Proximity Engine and tags the routing information that is passed along.
AS numbers are globally unique numbers that are used to identify ASes, and which enable an AS to exchange exterior routing information between neighboring ASes. An AS is a connected group of IP networks that adhere to a single and clearly defined routing policy.
There are a limited number of available AS numbers. Therefore, it is important to determine which sites require unique AS numbers and which do not. Sites that do not require a unique AS number should use one or more of the AS numbers reserved for private use, which are in the range from 64512 to 65535.
Step 3
Check the
Enable Log Neighbor Changes
check box to enable logging of status changes (up, down, or resets) to BGP neighbors.
Use the
show ip bgp neighbors
command to view the status changes.
Step 4
Click
Submit
. The Create new Location Community for BGP and Create new Neighbor for BGP icons are displayed.
To delete the BGP configuration, click the
Delete
icon.
Step 5
To configure a BGP location community, click the
Create new Location Community for BGP
icon. The BGP Location Community page is displayed.
Note The maximum number of location communities allowed for each SE is 128. The show running-config command displays the location communities in ascending order.
Step 6
In the
Location Community
field, enter the location community for the AS in one of the following formats:
<AS1>:<POP1>-<AS2>:<POP2>
The location community numbers are used within the network to locate prefix origination points. The configuration includes all community values that represent a location. The
Location Community
field entry could be in the form of a list of community numbers, for example, 100:3535, 100:4566, 100:5678, 100:5678, 100:6789. Or, the community numbers can be expressed as intervals, such as 100:3000-100:4000, 100:5000-100:6000, and so on.
Step 7
In the optional
Target Community
field, enter the target community you want to associate with the Location Community.
If the
Target Community
field is left blank, it is the same as the Location Community. So, if the target community is not specified, the PSA and PTA must have a common community for the PTA to be considered in the preference and ranking.
In certain deployments it is advantageous to include certain PTAs even though the PTAs do not share any community attributes with the PSA. A common example is an SE in a city close to the client PC; in such case, the SE might not share any community attributes with the client PC, but should be preferred over another SE in a far-away city. The
Target Community
field provides a way to associate PSA and PTA community attributes with each other and to assign a preference level (
Weight
) to that association.
The
Target Community
values have the same format and restrictions as the
Location Community
field, which are the following:
-
Must match the pattern: <AS1>:<POP1>[-<AS2>:<POP2>]
-
AS1 and AS2 must be in the range 1–65535.
-
POP1 and POP2 must be in the range 0–65535.
-
AS2 should be greater than AS1, or POP2 should be greater than POP1 if AS2 equals AS1.
-
Each new BGP community setting must use a location community and target community pair that is unique and does not already exist.
Note Source community ranges are not allowed to overlap. A maximum of 240 unique specific source or range source community configurations can be entered. Each unique specific source or range source community can be associated with a maximum of 240 unique specific target or range target communities.
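The format and uniqueness rules listed above, the overlap and count limits in the Note, the Weight-based preference described under Step 8, and the Strict match mode from the General Settings page, together as an added Python example that is not Cisco code. Ranges and limits (1–65535 for AS, 0–65535 for POP, weight 1–7, 240 sources, 240 targets per source) come from this page; the width of UINT_MAX (taken as 2**32 - 1), the table class, and the sample communities and PTA names are assumptions constructed for the demo.

```python
"""Added example, not Cisco code: validate Location/Target Community entries,
apply association weights, and flag Strict-mode UINT_MAX ratings.
UINT_MAX width, the table class and all sample values are assumptions."""

import re

AS_RANGE, POP_RANGE, WEIGHT_RANGE = range(1, 65536), range(0, 65536), range(1, 8)
MAX_SOURCES, MAX_TARGETS_PER_SOURCE = 240, 240
UINT_MAX = 2**32 - 1  # assumed width of the "UINT_MAX" rating used in Strict mode
_COMMUNITY = re.compile(r"^(\d+):(\d+)(?:-(\d+):(\d+))?$")


def parse_community(text):
    """Parse <AS1>:<POP1>[-<AS2>:<POP2>] into ((as1, pop1), (as2, pop2)); a single
    value becomes a one-element range. Raises ValueError on any rule violation."""
    m = _COMMUNITY.match(text.strip())
    if not m:
        raise ValueError(f"bad community format: {text!r}")
    as1, pop1 = int(m[1]), int(m[2])
    as2, pop2 = (int(m[3]), int(m[4])) if m[3] else (as1, pop1)
    if as1 not in AS_RANGE or as2 not in AS_RANGE:
        raise ValueError(f"AS must be 1-65535: {text!r}")
    if pop1 not in POP_RANGE or pop2 not in POP_RANGE:
        raise ValueError(f"POP must be 0-65535: {text!r}")
    if m[3] and (as2, pop2) <= (as1, pop1):  # AS2 > AS1, or POP2 > POP1 when AS2 == AS1
        raise ValueError(f"range end must be greater than range start: {text!r}")
    return (as1, pop1), (as2, pop2)


def _overlap(a, b):
    """True when two (start, end) community ranges share at least one value."""
    return a[0] <= b[1] and b[0] <= a[1]


def _covers(rng, community):
    return rng[0] <= community <= rng[1]


class LocationCommunityTable:
    """Maps (source range, target range) -> weight, enforcing the documented rules."""

    def __init__(self):
        self.pairs = {}

    def add(self, location, target=None, weight=1):
        """Add one Location Community entry; target defaults to the location itself."""
        if weight not in WEIGHT_RANGE:
            raise ValueError("weight must be 1-7")
        sources = [parse_community(v) for v in location.split(",")]
        targets = [parse_community(v) for v in (target or location).split(",")]
        known = {s for s, _ in self.pairs}
        for s in sources:
            if any(s != k and _overlap(s, k) for k in known):
                raise ValueError(f"source range {s} overlaps an existing source range")
            for t in targets:
                if (s, t) in self.pairs:
                    raise ValueError(f"location/target pair {s} -> {t} already exists")
        if len(known | set(sources)) > MAX_SOURCES:
            raise ValueError(f"more than {MAX_SOURCES} source communities")
        for s in sources:
            existing = sum(1 for k, _ in self.pairs if k == s)
            if existing + len(targets) > MAX_TARGETS_PER_SOURCE:
                raise ValueError(f"more than {MAX_TARGETS_PER_SOURCE} targets for {s}")
        for s in sources:
            for t in targets:
                self.pairs[(s, t)] = weight
        return len(self.pairs)

    def association_weight(self, psa_communities, pta_communities):
        """Best weight over pairs whose source covers a PSA community and whose
        target covers a PTA community; 0 means the PTA is not associated."""
        best = 0
        for (src, tgt), weight in self.pairs.items():
            if any(_covers(src, c) for c in psa_communities) and any(
                _covers(tgt, c) for c in pta_communities
            ):
                best = max(best, weight)
        return best

    def rank(self, psa_communities, ptas):
        """Order PTAs (name -> communities) by association weight, most preferred first."""
        return sorted(
            ptas, key=lambda n: self.association_weight(psa_communities, ptas[n]), reverse=True
        )

    def strict_ratings(self, psa_communities, ptas):
        """In Strict match mode, PTAs with no association are rated UINT_MAX."""
        return {
            n: UINT_MAX
            for n, c in ptas.items()
            if self.association_weight(psa_communities, c) == 0
        }
```

`add` raises on exactly the conditions the CDSM rejects (bad pattern, out-of-range AS or POP, reversed range, overlapping source range, duplicate pair, exceeded limits), so it doubles as a pre-flight check for a batch of entries before they are typed into the form.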
Step 8
In the optional
Weight
field, enter the weight assigned to the location community. The default is 1. The range is from 1 to 7, with 7 being the best association (most preferred). An association weight of 0 implicitly means no association (least preferred).
The weight is considered in the proximity ranking algorithm. If PTA1 and PTA2 each have at least one community in common with the PSA, the weight assigned to the location community is considered. The larger the number, the more weight the community has: if PTA1 has a weight of 5 and PTA2 has a weight of 2, PTA1 is preferred over PTA2.
Step 9
Click
Submit
.
Step 10
To configure a BGP neighbor, click the
Create new Neighbor for BGP
icon. The BGP Neighbor page is displayed.
Step 11
Enter the settings as appropriate. See
Table 4-56
for a description of the fields.
Table 4-56 BGP Neighbor Fields
|
|
IP Address
|
IP address of the neighbor.
|
Remote AS Number
|
AS number to which the neighbor belongs. The range is from 1 to 65535.
|
EBGP multihop TTL
|
Time-to-live value for the external BGP (eBGP) multihop scenarios. The range is from 2 to 255. The default is 1.
|
Keep Alive Interval
|
The keepalive interval, in seconds, for a BGP peer. The range is from 0 to 3600. The default is 60.
|
Hold Timer
|
The hold timer interval, in seconds, for a BGP peer. The range is from 0 to 3600. The default is 180.
|
Password
|
Enter the password to enable Message Digest 5 (MD-5) authentication on a TCP connection between the Proximity Engine and the BGP neighbor.
The password is case sensitive and can be up to 79 characters. The first character cannot be a number. The string can contain any alphanumeric characters, including spaces. You cannot specify a password in the format number-space-anything. The space after the number can cause authentication to fail.
|
To delete a BGP neighbor configuration, click the
Edit
icon for the neighbor, then click the
Delete
icon in the task bar.
Step 12
Click
Submit
.
Step 13
Repeat Step 10 through Step 12 for each BGP neighbor.
To delete a BGP neighbor, click the BGP neighbor to display the settings and click the
Delete
icon.
Configuring SRP
The Service Routing Protocol (SRP) uses distributed hash table (DHT) technology to form a distributed network of Proximity Engines. For more information, see the “Service Routing Protocol” section.
Note SRP is required if the Redirect proximity algorithm is enabled. SRP is used to gather and store information about all the Proximity Engines that are available for redirection. See the “Configuring the BGP Community-based Proximity Settings” section for more information.
To configure SRP, do the following:
Step 1
Choose
Devices > Devices > Routing Settings > Proximity Server Settings > SRP
. The SRP page is displayed.
Step 2
To enable SRP, check the
Enable
check box and click
Submit
. The Create new Bootstrap for SRP icon is displayed.
Step 3
In the
Domain
field, enter a number that identifies the domain. The range is from 0 to 4294967295. The default is 0.
All Proximity Engines running SRP routing with the same domain ID form a single network if the nodes are found through a bootstrap node. By changing a Proximity Engine’s domain, the Proximity Engine leaves its current network.
We recommend that a domain ID value be configured for your DHT network so that all Proximity Engines that join this network share the same domain ID.
Step 4
In the
Flooding Threshold
field, enter the maximum number of subscribers to flood or send messages to. The range is from 0 to 65535. The default is 50.
SRP uses flooding to send multicast messages for a multicast group if the number of subscribers in the group is equal to or more than the value specified in
Flooding Threshold
. A well-chosen threshold value reduces protocol message overhead. The threshold value depends on the number of nodes in your DHT network. In general, the threshold value should be greater than half and smaller than 3/4 of the total number of DHT nodes in the network.
Step 5
Click
Submit
.
To delete the SRP configuration, click the
Delete
icon.
Step 6
To configure an SRP bootstrap, click the
Create new Bootstrap for SRP
icon. The Bootstrap SRP page is displayed.
Step 7
In the
Bootstrap IP address
field, enter the IP address of the bootstrap node.
An IP address of a bootstrap node must be configured for each Proximity Engine before the Proximity Engine can join the network with others under the same domain ID. The first Proximity Engine in the network, which acts as the bootstrap node for the others, does not need to configure itself as the bootstrap node; this is the only exception to configuring a bootstrap node. All other nodes must have the bootstrap node configured before they can join a DHT network. A maximum of 25 bootstrap nodes are allowed per Proximity Engine. The port number for a bootstrap node is 9000.
Step 8
Click
Submit
.
Step 9
Repeat Step 6 through Step 8 for each bootstrap node.
To delete a bootstrap node, click the Edit icon next to the IP address of the bootstrap node to display the settings and click the
Delete
icon.
Configuring Application Control
The Application Control pages allow you to enable Flash Media Streaming, to enable HTTP proxy on an SR, and to enable HTTP 302 redirection for Windows Media Technology files with an .asx extension.
To configure the application control for the SR, do the following:
Step 1
Choose
Devices > Devices
. The Devices Table page is displayed.
Step 2
Click the
Edit
icon next to the SR you want to configure. The Devices home page is displayed.
Step 3
Click
Show All
to display the top-level menu options, and choose
Application Control
.
Step 4
To enable Flash Media Streaming on the SR, choose
Flash Media Streaming > General Settings
. The Flash Media Streaming Settings page is displayed.
a.
Check the
Enable Flash Media Streaming
check box.
b.
Click
Submit
.
To apply the factory default settings for the device, click the
Apply Defaults
icon in the task bar.
To remove the settings from the device, click the
Remove Settings
icon in the task bar.
Step 5
To enable service monitoring for Flash Media Streaming on the SR, choose
Flash Media Streaming > Service Monitoring
. The Service Monitoring Settings page is displayed.
a.
Check the
Enable Service Monitoring
check box.
b.
Click
Submit
.
To apply the factory default settings for the device, click the
Apply Defaults
icon in the task bar.
To remove the settings from the device, click the
Remove Settings
icon in the task bar.
Step 6
To enable the HTTP 302 redirection for Windows Media Technology files with an .asx extension, do the following:
a.
Choose
Web > HTTP > HTTP Redirect
. The HTTP Redirect Settings page is displayed.
b.
Check the
Enable HTTP 302 for .asx File
check box.
c.
Click
Submit
.
To apply the factory default settings for the device, click the
Apply Defaults
icon in the task bar.
To remove the settings from the device, click the
Remove Settings
icon in the task bar.
Configuring Last-Resort Routing
For information on configuring all general settings, except last-resort routing, see the “General Settings” section.
Note When DNS-based redirection is used, last-resort redirection is supported for application-level requests. However, on the DNS plane, an A record with the last-resort domain name or IP address is not returned.
Last-resort routing is useful when all Service Engines have exceeded their thresholds, all Service Engines in the domain are offline, or the client is unknown. If last-resort routing is configured, the Service Router redirects requests to a configurable alternate domain when all Service Engines serving a client network region are unavailable or the client is unknown. A client is considered unknown if the client’s IP address is not part of a subnet range listed in the Coverage Zone file or part of a defined geographical area (for location-based routing) listed in the Coverage Zone file.
For more information, see the “Last-Resort Routing” section.
Note If the last-resort domain is not configured and the Service Engine thresholds are exceeded, known client requests are redirected to the origin server and unknown clients either receive an error URL (if the Error Domain and Error Filename fields are configured), or a 404 “not found” message.
Unknown clients are redirected to the alternate domain (last-resort domain) only when the Allow Redirect All Client Request check box is checked or the equivalent service-router last-resort domain <RFQDN> allow all command is entered.
To configure last-resort routing, do the following:
Step 1
Choose
Devices > Devices
. The Devices Table page is displayed.
Step 2
Click the
Edit
icon next to the SR you want to configure. The Devices home page is displayed.
Step 3
Click
Show All
to display the top-level menu options, and choose
General Settings > Last Resort
. The Last Resort Table page is displayed.
The table is sortable by clicking the column headings.
Step 4
Click the
Create New
icon to add an entry, or click the
Edit
icon next to an existing domain name to edit that table entry.
Step 5
Enter the settings as appropriate. See
Table 4-57
for a description of the fields.
Table 4-57 Service Router Last Resort Fields
|
|
Domain Name
|
The service routing fully-qualified domain name (RFQDN) (for example, srfqdn.cisco.com).
|
Allow Redirect All Client Request
|
Check the
Allow Redirect All Client Request
check box to redirect all unknown clients to the alternate domain or, if no alternate domain is configured, to the content origin.
If the
Allow Redirect All Client Request
check box is not checked, unknown clients (clients whose subnets are not listed in the Coverage Zone file) are redirected to the error URL if one is configured, and otherwise receive a 404 message.
If the
Allow Redirect All Client Request
check box is checked, unknown client requests are redirected to the Alternate Domain Name; if no Alternate Domain Name is configured, they are redirected to the origin server.
|
Alternate Domain Name
|
The domain (for example, www.cisco.com) used to route requests to when the SEs are unavailable, or the client is unknown. A client is considered unknown if the client’s IP address is not part of a subnet range listed in the Coverage Zone file.
If an Alternate Domain Name is not specified, requests for the domain entered in the Domain Name are routed to the origin server.
The Alternate Domain Name can be a domain outside the CDS, such as a third-party CDN or an external server. The SR performs no DNS lookup to check whether this domain exists or is live, so a misspelled, lapsed, or unregistered alternate domain silently sends redirected clients to whatever host resolves for that name; verify that you control the domain before you submit it.
|
Error Domain Name
|
To redirect the request to an error URL for any unknown clients or when all SEs in the delivery service are unavailable, enter the domain name of the URL.
The Error Domain Name can be a domain outside the CDS, such as a third-party CDN or an external server. As with the Alternate Domain Name, the SR performs no DNS lookup to check the liveness of this domain.
|
Error File Name
|
The filename of the error URL (for example, error.html or error/errorfile.flv).
The error URL is made using the Error Domain Name plus the Error File Name. The Error File Name could be a filename with an extension (for example, error.html or errorfile.flv), or a directory and filename (for example, error/errorfile.flv or reroute/reroute.avi), or a filename without an extension. If no extension is specified, the extension is determined by the protocol used in the request.
If a filename has a specific extension, and the request comes from a protocol that does not support the configured extension, the filename extension is automatically changed to an extension that is supported by the protocol.
Note For Flash Media Streaming, an external FMS server must exist that hosts an application for error handling. The SR redirects Flash Media Streaming requests to an application on the external FMS server. An example of a Flash Media Streaming error URL is rtmp://errordomain.com/<application>, where the application name is any application hosted on that server. The Error File Name, in the case of Flash Media Streaming, is the name of the application.
|
Step 6
Click
Submit
to save the settings. The entry is added to the Last Resort Table.
To delete a last-resort configuration, click the
Edit
icon for the configuration, then click the
Delete
icon in the task bar.
The following example configures an error URL to which unknown clients are redirected, and to which clients are redirected when all SEs in the delivery service are unavailable:
-
Domain Name—wmt.cdsordis.com
-
Error Domain Name—ssftorig.ssft.com
-
Error File Name—testMessage
This configuration states that for any request where the domain name is wmt.cdsordis.com, if the client IP address is not included in the Coverage Zone file (or the client is not part of a defined geographical area if location-based routing is enabled), or there are no available SEs assigned to the delivery service, the request is redirected to ssftorig.ssft.com/testMessage.<original_extension>.
To be more specific, if the client request was http://wmt.cdsordis.com/vod/video.wmv and one of those conditions was met, the client would receive a 302 redirect to http://ssftorig.ssft.com/testMessage.wmv.
If you want the Error File Name to reside in a different directory, you can configure that as well. If the error message file was located in the “vod” directory, then the Error File Name would be configured as vod/testMessage.
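The decision described by Table 4-57 and the worked example above, as an added example that is not part of the original page or of the product: a small Python model of the last-resort choice, including how the Error File Name is combined with the Error Domain Name and the requested object's extension. The Coverage Zone subnets, the origin host (origin.example.net), and the check order for a known client with no available SE (alternate domain, then error URL, then origin server) are assumptions stated in the code; use it to reason about your own entries, not as the SR's implementation.

```python
"""Last-resort redirect decision for a Service Router (SR).

Added example written for this page; not code from the Cisco CDS product.
It models what the SR answers when the client is unknown or no SE is
available. Assumptions: the Coverage Zone file is reduced to a constructed
list of CIDR subnets; the origin server host is passed in (it comes from the
Content Origin, not from the Last Resort Table); a redirect to the alternate
domain or to the origin keeps the request path; for a known client with no
available SE the checks run as alternate domain, then error URL, then origin.
"""
import ipaddress
import posixpath
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class LastResortEntry:
    """One row of the Last Resort Table (Table 4-57)."""
    domain_name: str                        # routing FQDN, e.g. wmt.cdsordis.com
    allow_redirect_all: bool = False        # Allow Redirect All Client Request
    alternate_domain: Optional[str] = None  # Alternate Domain Name
    error_domain: Optional[str] = None      # Error Domain Name
    error_file: Optional[str] = None        # Error File Name, extension optional


def client_is_known(client_ip: str, coverage_zones) -> bool:
    """Known means the client IP lies inside a Coverage Zone subnet."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(zone) for zone in coverage_zones)


def error_url(entry: LastResortEntry, request_url: str) -> Optional[str]:
    """Error Domain Name + Error File Name.

    When the file name has no extension, the extension of the requested
    object is appended (testMessage -> testMessage.wmv for a .wmv request).
    For rtmp:// requests the Error File Name is an FMS application name, so
    nothing is appended. The page's rule that an extension the protocol does
    not support is swapped for a supported one is not modelled: the mapping
    is not given on the page.
    """
    if not (entry.error_domain and entry.error_file):
        return None
    req = urlsplit(request_url)
    name = entry.error_file
    if req.scheme != "rtmp" and not posixpath.splitext(name)[1]:
        name += posixpath.splitext(req.path)[1]
    return urlunsplit((req.scheme, entry.error_domain, "/" + name.lstrip("/"), "", ""))


def rehost(request_url: str, host: str) -> str:
    """Send the same request to another host (path and query kept; assumption)."""
    req = urlsplit(request_url)
    return urlunsplit((req.scheme, host, req.path, req.query, ""))


def last_resort_target(entry, client_ip, coverage_zones, ses_available,
                       request_url, origin_server) -> Tuple[str, Optional[str]]:
    """Return (action, url): ("se", None) for normal SE selection, otherwise
    ("redirect", url), ("origin", url) or ("404", None)."""
    if client_is_known(client_ip, coverage_zones):
        if ses_available:
            return ("se", None)
        # All SEs serving this region are over threshold or offline.
        if entry.alternate_domain:
            return ("redirect", rehost(request_url, entry.alternate_domain))
        err = error_url(entry, request_url)
        if err:
            return ("redirect", err)
        return ("origin", rehost(request_url, origin_server))
    # Unknown client: its subnet is not in the Coverage Zone file.
    if entry.allow_redirect_all:
        if entry.alternate_domain:
            return ("redirect", rehost(request_url, entry.alternate_domain))
        return ("origin", rehost(request_url, origin_server))
    err = error_url(entry, request_url)
    if err:
        return ("redirect", err)
    return ("404", None)


# Constructed data mirroring the worked example above; not a real Coverage Zone file.
COVERAGE_ZONES = ["192.0.2.0/24", "198.51.100.0/24"]
ENTRY = LastResortEntry("wmt.cdsordis.com",
                        error_domain="ssftorig.ssft.com", error_file="testMessage")
REQUEST = "http://wmt.cdsordis.com/vod/video.wmv"
ORIGIN = "origin.example.net"   # hypothetical Content Origin host

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.7"):
        print(ip, last_resort_target(ENTRY, ip, COVERAGE_ZONES, False, REQUEST, ORIGIN))
```

Running the block shows the known client (192.0.2.10) and the unknown client (203.0.113.7) both landing on http://ssftorig.ssft.com/testMessage.wmv once no SE is available, which is the behaviour the worked example describes; change ENTRY to set allow_redirect_all and alternate_domain to see the unknown client move to the alternate domain instead.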
Creating ASX Error Message Files for Windows Media Live Programs
There is one thing to remember when redirecting a client request for a live Windows Media Streaming program. Because a live program delivers an ASX file to the client, the error message file must have the same format. If you use an HTML or JPEG file instead of an ASX file, the redirect does not work, because the Windows Media player tries to parse the response as an ASX file.
To satisfy the Windows Media player, create an ASX file for the error message and put the URL of the actual error content inside that ASX file. For example, the following is a simple ASX file (the <IP-Address-of-Server>, path, and filename are placeholders):
<ASX VERSION="3.0">
  <ENTRY>
    <REF HREF="http://<IP-Address-of-Server>/path/filename"/>
  </ENTRY>
</ASX>
If you wanted the error file to be a GIF file on server 3.1.1.1 called testMessage.gif under the directory vod then this file would look like:
<ASX VERSION="3.0">
  <ENTRY>
    <REF HREF="http://3.1.1.1/vod/testMessage.gif"/>
  </ENTRY>
</ASX>
There are other ways to use an ASX file to display information. The following example has the Windows Media player display an HTML web page by using a PARAM element named HTMLView.
<ASX version="3.0">
  <PARAM name="HTMLView" value="http://111.254.21.99/playlist/error.htm"/>
  <REPEAT>
    <ENTRY>
      <REF href="http://3.1.1.1/vod/testMessage.gif"/>
    </ENTRY>
  </REPEAT>
</ASX>
There are many ways to format and structure ASX files to display whatever error message you want, in whatever format you want.
Configuring Domain Subscription
The Domain Subscription page allows you to subscribe the SR to specific domains. By default, the SR takes all the domains specified in the CDSM. By specifying the domains in the Domain Subscription page, the SR only subscribes to the assigned Content Origins.
Step 1
Choose
Devices > Devices > General Settings > Domain Subscription
. The Domain Subscription page displays all defined Content Origins of the CDS.
Step 2
Click the
Assign
icon (blue cross mark) next to the Content Origin you want to assign to this SR. Alternatively, click the
Assign All Content Origins
icon in the task bar.
A green arrow wrapped around the blue X indicates a Content Origin assignment is ready to be submitted. To unassign a Content Origin, click this icon. The Content Origin assignment states are described in Figure 4-15.
Figure 4-15 Content Origin Assignment State
Step 3
Click
Submit
to save the settings.
A green circle with a check mark indicates a Content Origin is assigned to this SR. To unassign the Content Origin, click this icon, or click the
Remove All Content Origins
icon in the task bar. Click
Submit
to save the changes.
Additionally, the
Filter Table
icon and
View All Content Origins
icon allow you to first filter a table and then view all content origins again.
Configuring Transaction Logs for the Service Router
Transaction logs allow administrators to view the traffic that has passed through the SR. The fields in the transaction log are the client’s IP address, the date and time when a request was made, the URL that was requested, the SE selected to serve the content, the protocol, and the status of the redirect. The SR transaction log file uses the W3C Common Log file format. For more information about transaction logs and their formats, see the “Service Router Transaction Log Fields” section.
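The log fields listed above, as an added example that is not the product's own tooling: a parser for Common Log Format lines that groups the redirect status codes per client. The sample lines are constructed for this example, not captured from an SR, and follow the standard CLF column layout; the SR's exact column order, including where the selected SE is recorded, is given in the "Service Router Transaction Log Fields" section, so adjust the LOG_LINE pattern to match your files.

```python
"""Parse Service Router transaction log lines in Common Log Format.

Added example, not tooling from the Cisco CDS product. The page states that
the SR log uses the W3C Common Log file format and carries the client IP,
date and time, requested URL, selected SE, protocol and redirect status.
The pattern below covers the standard CLF columns; adapt it to the column
order documented for your SR. SAMPLE_LOG is constructed test data.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Standard CLF: host ident authuser [timestamp] "request" status bytes
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample lines (not real SR output): one known client that is
# redirected, one client that keeps receiving 404, and one unparsable line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET http://wmt.cdsordis.com/vod/video.wmv HTTP/1.1" 302 0
192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "GET http://wmt.cdsordis.com/vod/video.wmv HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET http://wmt.cdsordis.com/vod/other.wmv HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET http://wmt.cdsordis.com/live/stream.asx HTTP/1.1" 404 0
garbage line that does not match
"""


def parse_line(line):
    """Return a dict of fields for one CLF line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def parse_log(text):
    """Parse a whole log; return (records, count_of_unparsable_lines).

    Unparsable lines are counted rather than dropped silently so that a
    format change on the SR shows up instead of quietly emptying reports.
    """
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            bad += 1
        else:
            records.append(rec)
    return records, bad


def status_by_client(records):
    """Map client IP -> Counter of redirect status codes seen for it."""
    table = defaultdict(Counter)
    for r in records:
        table[r["client"]][r["status"]] += 1
    return table


def unknown_client_candidates(records, min_404=2):
    """Clients with at least min_404 responses of 404.

    On this page a 404 is what an unknown client receives when no error URL
    is configured, so repeated 404s from one address suggest a subnet
    missing from the Coverage Zone file (or a client probing the SR).
    """
    return sorted(ip for ip, c in status_by_client(records).items() if c[404] >= min_404)


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {bad} unparsable line(s)")
    for ip, counts in status_by_client(recs).items():
        print(ip, dict(counts))
    print("possible unknown clients:", unknown_client_candidates(recs))
```

Because nothing on the SR checks the export target, this kind of parsing is also a quick way to confirm that files landing on the export server are the ones you expect: a rising unparsable-line count after an upgrade usually means the field layout changed.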
To enable transaction logging for the SR, do the following:
Step 1
Choose
Devices > Devices > General Settings > Notification and Tracking > Transaction Logging
. The Transaction Log Settings page is displayed.
Step 2
Enter the settings as appropriate. See
Table 4-58
for a description of the fields.
Table 4-58 Transaction Log Settings Fields
|
|
|
Transaction Log Enable
|
Enables transaction logging.
|
Compress Files before Export
|
When this check box is checked, archived log files are compressed into gzip format before being exported to external FTP servers.
|
|
Max size of Archive File
|
Maximum size (in kilobytes) of the archive file to be maintained on the local disk. The range is from 1,000 to 2,000,000. The default is 500,000.
|
Max number of files to be archived
|
Maximum number of files to be maintained on the local disk. The range is from 1 to 10,000. The default is 10.
|
Archive occurs
|
How often the working log is archived and the data is cleared from the working log. Choose one of the following:
-
Choose
every
to archive at a fixed interval, and enter the interval in seconds. The range is from 120 to 604800.
-
Choose
every hour
to archive using intervals of one hour or less, and choose one of the following:
–
at
—Specifies the minute in which each hourly archive occurs
–
every
—Specifies the number of minutes for the interval (2, 5, 10, 15, 20, or 30)
-
Choose
every day
to archive using intervals of one day or less, and choose one of the following:
–
at
—Specifies the hour in which each daily archive occurs
–
every
—Specifies the number of hours for the interval (1, 2, 3, 4, 6, 8, 12, 24)
-
Choose
every week on
to archive at intervals of one or more times a week, choose the days of the week, and choose what time each day.
|
|
Enable Export
|
Enables exporting of the transaction log to an FTP server.
|
Export occurs
|
How often the working log is sent to the FTP server and the data is cleared from the working log. Choose one of the following:
-
Choose
every
to export at a fixed interval, and enter the interval in minutes. The range is from 1 to 100800.
-
Choose
every hour
to export using intervals of one hour or less, and choose one of the following:
–
at
—Specifies the minute in which each hourly export occurs
–
every
—Specifies the number of minutes for the interval (2, 5, 10, 15, 20, or 30)
-
Choose
every day
to export using intervals of one day or less, and choose one of the following:
–
at
—Specifies the hour in which each daily export occurs
–
every
—Specifies the number of hours for the interval (1, 2, 3, 4, 6, 8, 12, 24)
-
Choose
every week on
to export using intervals of one or more times a week, choose the days of the week, and what time each day.
|
FTP Export Server
|
IP address or hostname of the FTP server.
|
Name
|
Name of the user.
|
Password
|
Password for the user.
|
Confirm Password
|
Confirms the password for the user.
|
Directory
|
Name of the directory used to store the transaction logs on the FTP server.
|
SFTP
|
Check the
SFTP
check box if you are using an SFTP server. Plain FTP sends the user name, the password, and the exported log files (which contain client IP addresses and requested URLs) in cleartext, so use SFTP unless the path to the export server is protected by other means.
|
Step 3
Click
Submit
to save the settings.
To apply the factory default settings for the device, click the
Apply Defaults
icon in the task bar.
To remove the settings from the device, click the
Remove Settings
icon in the task bar.