Cisco Internet Streamer CDS 2.6 Software Configuration Guide

Book Contents

Find Matches in This Book

Available Languages

Download Options

Book Title

Cisco Internet Streamer CDS 2.6 Software Configuration Guide

Chapter Title

Configuring Devices

PDF - Complete Book (6.22 MB) PDF - This Chapter (1.31 MB)
View with Adobe Reader on a variety of devices

Results

Updated:: May 29, 2014

Chapter: Configuring Devices

Configuring Locations
Configuring Device Groups
- Working with Device Groups
  - Aggregate Settings
  - Device Group Overlap
Configuring the Service Engine
Configuring the Service Router
Configuring the CDSM

Configuring Devices

This chapter discusses configuring locations and device groups for devices, and detailed instructions on configuring the different types of devices–CDSMs, SEs, and, SRs. This chapter presents the following major topics:

Configuring Locations

Locations are set up in the Internet Streaming CDSM to organize and group SEs into virtual networks for distribution of content through delivery services. For more information about locations, see the “Cisco CDS Topology” section.

Locations need to be configured before you can activate SEs and SRs and bring them online in the CDS network. Table 4-1 describes the icons for the Locations Table page.

Table 4-1 Location Icons
Icon	Function
	Create a new location.
	Create a filtered table.
	View all locations.
	Refresh the table.
	Print the current window.
	Edit a location.

To create a new location or edit an existing one, do the following:

Step 1 Choose Devices > Locations . The Locations Table page is displayed (Figure 4-1).

The table is sortable by clicking the column headings.

Figure 4-1 Locations Table Page

Step 2 In the task bar, click the Create New Location icon. The Creating New Location page is displayed (Figure 4-2).

To edit a location, click the Edit icon next to the location name.

Figure 4-2 Creating New Location Page

Step 3 Enter the settings as appropriate. See Table 4-2 for a description of the fields.

Table 4-2 Location Fields
Field	Description
Name	Name of the location.
Parent Location	Choose a location from the drop-down list. A location with no parent, None, is level 1. The location level is displayed after you choose a parent location.
Comments	Enter any information about the location.

Step 4 Click Submit to save the settings.

To delete a location, from the Locations Table page, click the Edit icon next to the location you want to delete, and click the Delete icon in the task bar.

To view the location tree, click the Location Trees icon in the task bar. The location tree represents the network topology you configured when you assigned a parent to each location.

Configuring Device Groups

The Internet Streaming CDSM allows you to configure SEs into device groups so that the entire group of SEs is configured at one time. Device groups and SEs share the same configuration features and options.

Table 4-3 describes the icons for the Device Groups Table page.

Table 4-3 Device Group Table Icons
Icon	Function
	Creates a new device group.
	Creates a filtered table.
	Views all device groups.
	Refreshes the table.
	Prints the current window.
	Edits a device group.

This section covers creating, editing, and deleting device groups. All other configuration pages for a device group are covered in the “Configuring the Service Engine” section.

To create or edit a device group, do the following:

Step 1

Choose Devices > Device Groups . The Device Groups Table page is displayed (Figure 4-3).

The table is sortable by clicking the column headings.

Figure 4-3 Device Groups Table Page

Step 2 In the task bar, click the Create New Device Group icon. The Creating New Device Group page is displayed (Figure 4-4).

To edit a device group, click the Edit icon next to the device group name.

Figure 4-4 Creating New Device Group Page

Step 3 In the Name field, enter the name of the device group. The name must be unique and should be a name that is useful in distinguishing the device group from the others in the CDS.

Step 4 Check the Automatically assign all newly activated devices to this group check box if applicable.

Step 5 Choose Regular Group to indicate this group is not used as a baseline for all SEs or choose Baseline Group and select the baseline type to define this group as a baseline for all SEs.

For information about baseline groups, see the “Baseline Groups” section.

Step 6 To customize the left panel menu for this device group, click the Select pages to hide from the menu for this device group arrow, and check the pages you want to hide. To collapse these settings, click the arrow again.

Use this feature to remove from view any configuration pages that you do not need for the device group.

Step 7 In the Comments field, enter any information about the device group.

Step 8 Click Submit to save the settings.

If you are editing this device group, you can view a list of all settings configured for this device group by clicking the Pages configured for this device group arrow. To collapse this information list, click the arrow again.

To delete a device group, click the Delete icon in the task bar.

Step 9 To assign SEs to the device group, choose Assignments > Devices . The Assignment table is displayed listing all SEs in the CDS.

Note From this point forward, the steps to get to a configuration page are combined into one step using notation similar to the following: Device Group > Assignments > Devices.

Step 10 Click the Assign icon (blue cross mark) next to each SE name you want to assign to this group.

To assign all SEs, click Assign all Service Engines in the task bar.

Step 11 Click Submit to add the selected SEs to the device group.

To remove an SE from the device group, click the Unassign icon (green check mark) next to the name of the SE, and click Submit .

To remove all SEs from the device group, click the Unassign all Service Engines icon in the task bar, and click Submit .

Working with Device Groups

When you first create a device group, all settings you configure for the device group are automatically propagated to all the SEs assigned to that group.

Note All SE settings in the “Configuring the Service Engine” section, except those listed below, can also be configured for a device group. The following pages are not available for device group configuration:

Devices > Application Control > Windows Media Streaming > Bypass List . See the “Configuring Windows Media Streaming—Bypass List” section for more information.
Devices > General Settings > Network > Network Interfaces . See the “Viewing Network Interfaces” section for more information.
Devices > General Settings > Network > External IP . See the “Configuring External IP Addresses” section for more information.
Devices > General Settings > Network > IP ACL . See the “Configuring IP ACL” section for more information.

After configuring the device group settings, the task bar for the corresponding configuration page for an individual SE that is part of that device group displays the Override Group Settings icon and the Device Group drop-down list with the device group name displayed.

When an SE is associated with one or many device groups, the name of the device group whose settings were applied last are displayed.

To configure individual settings for an SE in a device group, click the Override Group Settings icon in the task bar. You can then edit the fields on the page and click Submit . The Device Group drop-down list displays “Select a Device Group.”

To reapply the settings for the device group, select the device group from the Device Group drop-down list and click Submit . Alternatively, you can go to the corresponding device group configuration page and click the Force Settings on SEs in Group . The Force Settings on SEs in Group only displays for a device group configuration page when an SE’s individual settings override the group settings.

Note The individual SE configuration page does not display the Override Group Settings icon and Device Group drop-down list in the task bar if the settings have not been configured for the corresponding device group configuration page.

Note When adding an SE to an existing device group, the new SE does not automatically inherit the device group settings. Use the Force Group Settings option for the device group to force the group settings to all SEs in the group.

Alternatively, you can go to each device group configuration page and click the Force Settings on SEs in Group. A dialog box lists all the SEs that have different configuration settings than the device group settings. The Force Settings on SEs in Group only displays for a device group configuration page when an SE’s individual settings override the group settings.

To force all device group settings to all assigned SEs, go to the Device Group Home page and click the Force Group Settings icon in the task bar.

Note The last configuration submitted for the device, whether it is the device group configuration or the individual device configuration, is the configuration the device uses.

Table 4-4 describes the icons for the Device Groups configuration pages.

Table 4-4 Device Group Configuration Icons
Icon	Function
	Deletes a device group.
	Updates application statistics.
	Forces full database update.
	Reboots all devices in device group.
	Forces the group settings. Forces the complete set of configurations made for a device group to all devices associated with that group.
	Forces settings on SEs in a device group. Forces the configuration of the displayed page to all SEs in the device group.
	Overrides the group settings on the device.
	Prints the current window.

Aggregate Settings

The following device and device group configuration pages have aggregate settings:

Replication > Scheduled Bandwidth . See the “Scheduled Bandwidth” section for more information.
Service Control > Service Rules . See the “Configuring Service Rules” section for more information.
Service Control > URL Signing . See the “Configuring URL Signing” section for more information.
Application Control > Bandwidth Schedules . See the “Configuring Bandwidth Schedules” section for more information.
General Settings > Login Access Control > Users > Usernames . See the “Creating, Editing, and Deleting Users—Usernames” section for more information.

To access these pages, first choose Devices > Devices or Devices > Device Groups , followed by the Edit icon next to the device or device group you want to configure.

Aggregate Settings is set to Yes by default. When Aggregate Settings is set to Yes , the settings for the device group are aggregated with the settings for the SE. This means you can configure settings for all SEs in a device group, then configure individual settings for each SE, and the combined settings for the device group and individual SE are apply to the SE. Any settings for the device group are listed with the View icon and any settings for the individual SE are listed with the Edit icon on the individual SE configuration page.

If Aggregate Settings is set to No , only the individual SE settings are applied to the SE and the device group settings do not apply to the SE.

To edit the device group settings, or configure new settings for the device group, you must go to the device group corresponding configuration page.

If you remove all device group settings, all device settings displayed with Aggregate Settings enabled are removed as well.

Note The last configuration submitted for the device, whether it is the device group configuration or the individual device configuration, is the configuration the device uses.

Table 4-5 describes the icons for the configuration pages that have aggregate settings.

Table 4-5 Aggregate Settings Icons
Icon	Function
	Creates a new entry.
	Edits an entry.
	Deletes an entry.
	Views read-only entry.
	Creates a filtered table. Filter the table based on the field values.
	Views all table entries. Click this icon to view all entries after you have created a filtered table.
	Refreshes the table.
	Prints the current window.

Device Group Overlap

If you want the ability to assign a device to more than one device group, you must enable device group overlap. Device group overlap is enabled by default.

To enable or disable device group overlap, do the following:

Step 1

Choose System > Configuration . The Config Properties page is displayed.

Step 2 Click the Edit icon next to the DeviceGroup.overlap property. The Modifying Config Property page is displayed.

Step 3 To enable device group overlap, choose true from the Value drop-down list.

To disable device group overlap, choose false from the Value drop-down list.

Step 4 Click Submit to save the settings.

You cannot disable device group overlap after you have assigned devices to multiple device groups.

Tip To force the complete configuration set of a device group to all devices in that group, click the Force Group Settings icon in the task bar.

Configuring the Service Engine

This section walks you through the different configuration pages available for a Service Engine. The main configuration groups are described as follows:

Service Control—Settings for access control by way of client request filtering, URL signing, and Authorization Server settings; additionally, transaction logs are configured to monitor traffic
Application Control—Settings for bandwidth management of delivery services and protocol engines (Web, Windows Media, Movie Streamer, Flash Media Streaming, and RTSP advanced settings)
General Settings—Settings for access control of the device, maintenance, network connectivity, and monitoring

The first two pages, Device Activation and Assignment, cover activating an SE in the Internet Streaming CDSM and assigning it to a location, and assigning device groups to the SE.

Activating a Service Engine

Activating a device (Service Engine, Service Router, or stamdby CDSM) can be done through the Devices home page initially, or through the Device Activation page.

To activate a device from the Device Activation page, do the following:

Step 1 Choose Devices > Devices . The Devices Table page is displayed (Figure 4-5).

Figure 4-5 Devices Table Page

Step 2 Click the Edit icon next to the device you want to configure. The Devices home page is displayed.

Step 3 Click Show All to display the top-level menu options, and click Device Activation . The Device Activation page is displayed (Figure 4-6).

Figure 4-6 Device Activation Page

Step 4 Enter the settings as appropriate. See Table 4-6 for a description of the fields.

Table 4-6 Device Activation Fields
Field	Description
Name	Name of the device.
Activate	To activate or deactivate the device, check or uncheck the Activate check box. Alternatively, you can click the Deactivate Device icon in the task bar. When you uncheck the Activate check box and click Submit , the Replaceable check box is displayed. Check the Replaceable check box when you need to replace the device or recover lost registration information. For more information, see the “Recovering CDS Network Device Registration Information” section.
Server Offload	To offload this device for maintenance or a software upgrade, check the Server Offload check box. When checked, the Service Router stops sending requests to this device. Note If a client paused a program at that moment Server Offload is enabled, most likely resuming the program will fail. To monitor the current streams on an SE during the Server Offload state, use the show interface command. If the packets received or packets sent is increasing then the SE is streaming. The number of packets received is high if there is an incoming stream. Note We recommend separating the management traffic from the streaming traffic by using the port channel configuration, see the “Configuring Port Channel” section for more information. If management and streaming traffic are separated, the show interface command for the streaming port channel displays information on active sessions. If management and streaming traffic are not separated, the show interface command shows very low traffic; the packets received and packets sent are lower than a client streaming session. Once the SE has finished streaming, you can perform maintenance or upgrade the software on the device. For information about upgrading the software, see the “Upgrading the Software” section. The Status field on the Device Activation page and the Devices Table page displays “offloading” when Server Offload is checked. Once the software upgrade or maintenance is complete, you need to uncheck the Server Offload check box so that the device can again participate in the system. Note If the Server Offload option is set on an SE that is acting as the Content Acquirer for a delivery service for dynamic ingest or live stream splitting, a new SE is chosen as the Location Leader for the delivery service. However, if the Content Acquirer is up and communicating with the CDSM, it continues to perform content ingest and content distribution.
Content Cache	Informational only. The content cache size is the total disk space on the CDS network file system (CDNFS) on the SE that is designated for cache. The Content Cache represents the unused cache space. The used cache space is the disk space allotted for all the delivery services to which the SE is assigned. To view the used cache space, choose Services > Service Definition > Delivery Services > Assign Service Engines .
Set Default Coverage Zone File	When checked, which is the default setting, a default Coverage Zone file is generated with the SE serving the local subnet it resides on. The coverage zone is a CDS network-wide mapping of client IP addresses to SE IP addresses that should respond to client requests. For more information, see the “Coverage Zone File Registration” section. The default coverage zone can be disabled and you can create and assign custom coverage zones using the Coverage Zone file import or upload. Uncheck the Set Default Coverage Zone File check box to use a user-defined Coverage Zone file that was imported or uploaded.
Location	Lists all the locations configured for the CDS.
Use SE’s primary IP address	Enables the CDSM to use the IP address on the primary interface of the SE for management communications. Note If the Use SE’s primary IP Address for Management Communication check box is checked and the Management Communication Address and Port are configured, the CDSM uses the SE’s primary IP address for communication. Note Do not check the Use SE’s primary IP Address for Management Communication check box if you want to separate management and streaming traffic. Instead, use the Management Communication Address and Port fields to specify where management traffic should be sent.
Management Communication Address	Manually configures a management IP address for the CDSM to communicate with the SE. Manual configuration of the management IP address and port are used when using port channel configuration to separate management and streaming traffic. For more information about port channel configuration see the “Configuring Port Channel and Load Balancing Settings” section and the “Configuring Port Channel” section.
Management Communication Port	Port number to enable communication between the CDSM and the SE.
Comments	Information about the settings.

Step 5 Click Submit to save the settings.

Assigning Devices to Device Groups

You can assign devices to device groups in three ways:

Through the Device Group Assignment page
Through the device Assignment page
Through the Devices home page, if the device group is a baseline group

To assign devices to device groups through the Assignment page, do the following:

Step 1 Choose Devices > Devices , and click the Edit icon next to the device you want to assign.

Step 2 Click Show All , and then choose Assignments > Device Groups . The Device Group Table page is displayed with all of the configured device groups listed (Figure 4-7).

Note From this point forward, the beginning steps in the procedures are combined into one step using notation similar to the following: Devices > Devices Assignments > Device Groups.

Figure 4-7 Assignment Page

Step 3 Click the Assign icon (blue cross mark) next to the device group you want to assign to this SE. Alternatively, click the Assign All Device Groups icon in the task bar.

A green arrow wrapped around the blue X indicates an SE assignment is ready to be submitted. To unassign an SE, click this icon. The SE assignment states are described in Figure 4-8.

Figure 4-8 SE Assignment State

Step 4 Click Submit to save the settings.

A green circle with a check mark indicates a device group is assigned to this SE. To unassign the device group, click this icon, or click the Remove All Device Groups icon in the task bar. Click Submit to save the changes.

Additionally, the Filter Table icon and View All Device Groups icon allow you to first filter a table and then view all device groups again.

Configuring Bandwidth for Replication and Ingest

The bandwidth used for replication and ingest is determined by the settings in the Default Bandwidth and the Scheduled Bandwidth pages. The replication configuration pages consist of the following:

Table 4-7 describes the icons on the replication bandwidth configuration pages.

Table 4-7 Replication Bandwidth Configuration Icons
Icon	Function
	Refreshes the table or page.
	Displays a graph.
	Applies the default settings to the device.
	Creates a new item.
	Creates a filtered table. Filter the scheduled bandwidth by start time, end time, days of the week, and bandwidth type.
	Views all scheduled bandwidth. Click this icon to view all schedule bandwidths after you have created a filtered table.
	Prints the current window.
	Edits a scheduled bandwidth. Click this icon next to one of the scheduled bandwidths to edit the settings.
	Deletes a scheduled bandwidth. To delete a scheduled bandwidth, click the Edit icon and then click this icon.

Default Bandwidth

The default bandwidth settings can be configured for acquisition (ingest) and distribution (replication) of content. The default settings are used unless a scheduled bandwidth is configured for a specified time period.

To set the default bandwidth for replication, do the following:

Step 1 Choose Devices > Devices > Replication > Default Bandwidth . The Replication Default Bandwidth page is displayed (Figure 4-9).

Figure 4-9 Replication Default Bandwidth Page

Step 2 Enter the settings as appropriate. See Table 4-8 for a description of the fields.

Table 4-8 Replication Default Bandwidth Fields
Field	Description
Acquisition-in Bandwidth	Bandwidth used for ingesting content when this SE is acting as the Content Acquirer. The default is 1,000,000 kbps (kilobits per second).
Distribution-in Bandwidth	Bandwidth used for incoming content that is sent by a forwarding SE as part of the distribution process. The default is 1,000,000 kbps.
Distribution-out Bandwidth	Bandwidth used for outgoing content that is sent to a downstream SE as part of the distribution process. The default is 500,000 kbps.

Step 3 Click Submit to save the settings.

For information on the task bar icons, see Table 4-7 .

Bandwidth Graph

To view a graphical representation of the bandwidth settings, click the Display Graph icon in the task bar. The Acquisition and Distribution Bandwidth graph is displayed in a new window.

The vertical axis of the graph represents the amount of bandwidth in Kbps (kilobits per second) and the horizontal axis represents the days of the week. The scale shown on the vertical axis is determined dynamically based on the bandwidth rate for a particular type of bandwidth and is incremented appropriately. The scale shown on the horizontal axis for each day is incremented for each hour. Each type of bandwidth is represented by a unique color. A legend at the bottom of the graph maps the colors to the corresponding bandwidths.

You can change the graph view by choosing the different options, as described in Table 4-9 .

Table 4-9 Acquisition and Distribution Bandwidth Graph—Viewing Options
Option	Description
Distribution In	Bandwidth settings for incoming content distribution traffic. The default is 1,000,000.
Distribution Out	Bandwidth settings for outgoing content distribution traffic. The default is 500,000.
Acquisition In	Bandwidth settings for incoming content acquisition traffic. The default is 1,000,000.
All Servers	A consolidated view of all configured bandwidth types. This is the default.
Show Detailed Bandwidth/Show Effective Bandwidth	Toggles between the two options: Show Detailed Bandwidth—Displays detailed bandwidth settings for the SE and its associated device groups. The bandwidth settings of the device and device groups are shown in different colors for easy identification. Show Effective Bandwidth—Displays the composite (aggregate) bandwidth settings for the SE and its associated device groups.
Show Aggregate View/Show Non-Aggregate View	Toggles between the two options: Show Aggregate View—Displays the bandwidth settings configured for the corresponding device groups. Show Non-Aggregate View—Displays the bandwidth settings configured for the SE.
Sun, Mon, Tues, Wed, Thurs, Fri, Sat	Displays the bandwidth settings for the corresponding day of the week.
Full Week	Displays the bandwidth settings for the entire week This is the default view and is combined with the All Servers view.

Scheduled Bandwidth

Scheduled Bandwidth settings take precedence over Default Bandwidth settings.

To configure a bandwidth schedule, do the following:

Step 1 Choose Devices > Devices > Replication > Scheduled Bandwidth . The Replication Scheduled Bandwidth Table page is displayed (Figure 4-10).

The table is sortable by clicking the column headings.

Figure 4-10 Replication Scheduled Bandwidth Table Page

For information about Aggregate Settings, see the “Aggregate Settings” section

Note Configuring Replication Bandwidth Scheduling is only supported on a per SE-basis; Device Group configuration of Replication Bandwidth Scheduling is not supported.

Step 2 Click the Create New icon in the task bar. The Replication Scheduled Bandwidth page is displayed (Figure 4-11).

To edit a scheduled bandwidth, click the Edit icon next to the scheduled bandwidth you want to edit.

Figure 4-11 Replication Scheduled Bandwidth Page

Step 3 Enter the settings as appropriate. See Table 4-10 for a description of the fields.

Table 4-10 Replication Scheduled Bandwidth Fields
Field	Description
Bandwidth Type	Distribution-in—For incoming content distribution traffic from SEs. Distribution-out—For outgoing content distribution traffic to SEs. Acquisition-in—For incoming content acquisition traffic from origin servers.
Bandwidth Rate	Maximum amount of bandwidth that you want to allow (in kbps).
Start Time	Time of day for the bandwidth setting to begin, using a 24-hour clock in local time (hh:mm).
End Time	Time of day for the bandwidth setting to end (hh:mm).
Day Selection	Days on which bandwidth settings apply. Full Week—Specifies that the allowable bandwidth settings are applied for an entire week. Sun, Mon, Tue, Wed, Thu, Fri, and Sat—Specifies individual days of the week on which the allowable bandwidth settings take effect.

Step 4 Click Submit to save the settings.

For information on the task bar icons, see Table 4-7 .

Service Control

The Service Control pages provide settings for client request filtering, URL signing, and Authorization Server settings. Additionally, transaction logs that monitor traffic are configured under the Service Control. Configuring service control consists of the following procedures:

Table 4-11 describes the icons for the Service Control pages.

Table 4-11 Service Control Icons
Icon	Function
	Refreshes the table or page.
	Applies the default settings to the device.
	Creates a new item.
	Creates a filtered table.
	Views all data. Click this icon to view all data after you have created a filtered table.
	Prints the current window.
	Edits an item.
	Deletes an item. To delete an item, click the Edit icon and then click this icon.

Configuring Service Rules

Note This is a licensed feature. Please ensure that you have purchased a Service Rule license for this advanced feature.

The Rules Template licensed feature provides a flexible mechanism to specify configurable caching requests by allowing these requests to be matched against an arbitrary number of parameters, with an arbitrary number of policies applied against the matches. You can specify a set of rules, each clearly identified by an action and a pattern. Subsequently, for every incoming request, if a pattern for a rule matches the given request, the corresponding action for that rule is taken.

Note The processing time on the SE is directly related to the number of service rules configured. Processing times increase with an increase in the total number of rules configured. If the SE processing time is greater than twice the datafeed poll rate, then the device goes offline until the processing is completed. You can avoid this by configuring a higher datafeed poll rate. The recommended datafeed poll rate for 750 service rules is 300 seconds. To configure the datafeed poll rate, see the “Configuring System Settings” section.

Configuring a service rule consists of the following tasks:

Enabling the service rules. (Only needs to be performed once.)
Configuring a pattern list and adding a pattern to it.
Associating an action with an existing pattern list.

There are three cases for service rules:

1. If allow rules are configured, then it is an implicit deny.

2. If deny rules are configured, then it is an implicit allow.

3. If both allow and deny rules are configured, then it is an implicit allow.

For example, if all URL requests that match HTML are blocked implicitly, all requests that match other URL requests are allowed.

If all URL requests that match WMV are allowed implicitly, all request that match other URL requests are blocked.

If both of the above rules are configured, then HTML URL requests are blocked, and all other URL requests are allowed.

To configure or edit service rule settings, do the following:

Step 1 Choose Devices > Dev ices > Service Control > Enable Rules . The Enable Service Rules page is displayed.

Step 2 Check the Enable check box to enable the use of rule settings.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

Step 4 Choose Devices > Devices > Service Control > Service Rules . The Service Rules Table page is displayed.

The table is sortable by clicking the column headings.

For information about Aggregate Settings, see the “Aggregate Settings” section

Step 5 Click the Create New icon in the task bar. The Service Rules page is displayed (Figure 4-12).

To edit a service rule, click the Edit icon next to the service rule you want to edit.

Figure 4-12 Service Rules Page

Step 6 Create a pattern list and add a pattern to it.

a. From the Rule Type drop-down list, choose pattern-list .

b. In the Rule Parameters field, configure the pattern list number and the pattern type, following the rules usage guidelines shown on the Service Rules page. See Table 4-12 for a description of pattern types. The rule patterns are not case-sensitive.

For example, to create pattern list number 72 with the pattern type domain and the yahoo.com domain as the domain to be acted on, enter 72 domain yahoo.com in the Rule Parameters field.

Table 4-12 Service Rules Pattern Types
Pattern Type	Description	Syntax
domain	Matches the domain name in the URL or the host header against a regular expression. For example, “.ibm.” matches any domain name that contains the “ibm” substring. “\.foo\.com$” matches any domain name that ends with the “.foo.com” substring. In regular expression syntax, the dollar sign ($) metacharacter directs that a match is made only when the pattern is found at the end of a line.	rule pattern-list list_num domain dn_regexp
group-type	Patterns can be combined by using the AND or OR function with the group-type pattern (for example, rule pattern-list 1group-type and ). The default is OR.	rule pattern-list list-num group-type {and \| or}
header-field	Request header field pattern. Request header field patterns referer, request-line, and user-agent are supported for the allow, block, and redirect actions. The referer pattern is matched against the Referer header in the request, the request-line pattern is matched against the first line of the request, and the user-agent pattern is matched against the User-Agent header in the request. The user-agent pattern is not case sensitive. Note Flash Media Streaming supports the referer header field pattern for the allow and block actions.	rule pattern-list list_num header-field { referer ref_regexp \| request-line req_regexp \| user-agent ua_regexp }
scr-ip	Matches the source IP address and netmask of the request.	rule pattern-list list_num src-ip s_ipaddress s_subnet
url-regex	Matches the URL against a regular expression. The match is not case sensitive.	rule pattern-list list_num url-regex url_regexp
url-regsub	For the rewrite and redirect actions, matches the URL against a regular expression to form a new URL in accordance with the pattern substitution specification. The match is not case sensitive. The valid substitution index range is from 1 to 9. Note For HTTP client requests for Windows Media Streaming live programs, an ASX file is created automatically; therefore, if you use the url-regsub pattern list to rewrite the filename from an .asf file extension to an .asx file extension, the SE is not able to find the file and returns a 404 error message. Note Only one url-regsub pattern list is supported. Multiple substitutions for the same pattern list are not supported.	rule pattern-list list_num url-regsub url_regexp url_sub

Note A domain pattern list matching an SE IP address is not supported when IP-based redirection is enabled on the Service Router. See the “Configuring the Service Router” section for more information about IP-based redirection. Flash Media Streaming bypasses the rules configuration if the request is from another SE.

Step 7 Click Submit to save the settings.

The maximum number of pattern lists allowed is 128.

Step 8 Associate an action with an existing pattern list.

a. Choose an action type from the Rule Type drop-down list. See Table 4-13 for a description of rule actions.

b. In the Rule Parameters field, enter the list number of the pattern list that you want to associate with this action.

For example, if you want to block access by any protocol to yahoo.com, then choose block from the Rule Type drop-down list, and enter pattern-list 72 protocol all in the Rule Parameters field.

Note For the Web Engine and Flash Media Streaming, the Service Rule file must be used if service rules are to be configured. See the Appendix F, “Creating Service Rule Files” for more information.

Note Windows Media Streaming supports all service rule actions listed in Table 4-13. Movie Streamer supports the following service rule actions: allow, block, redirect, rewrite, and validate-url-signature.

Table 4-13 Service Rule Actions
Action Type	Description	Syntax
allow	Allows incoming requests that match the pattern list. This rule action can be used in combination with block actions to allow selective types of requests. The allow action does not carry any meaning as a standalone action.	rule action allow pattern-list list_num [ protocol { all \| http \| rtmp \| rtsp }]
block	Blocks this request and allows all others.	rule action block pattern-list list_num [ protocol { all \| http \| rtmp \| rtsp }]
generate-url- signature	Generates the URL signatures in the Windows Media metafile response associated with prefetched content, based on the SE configuration for the URL signature and this rule action.	rule action generate-url-signature [ include-client-src-ip ] key-id-owner owner_num key-id-number id_num pattern-list list_num [ protocol { all \| http }]
no-cache	Does not cache this object.	rule action no-cache pattern-list list_num [ protocol { all \| http \| rtmp \| rtsp }]
redirect	Redirects the original request to a specified URL. Redirect is relevant to the RADIUS server only if the RADIUS server has been configured for redirect.	rule action redirect url pattern-list list_num [ protocol { all \| http \| rtmp \| rtsp }]
refresh	For a cache hit, forces an object freshness check with the server.	rule action refresh pattern-list list_num [ protocol { all \| http }]
replace	Replace the text string in the object.	rule action replace string_to_find string_to_replace pattern-list list_num [ protocol { all \| http \| rtmp \| rtsp }]
rewrite	Rewrites the original request as a specified URL.	rule action rewrite pattern-list list_num [ protocol { all \| http \| rtmp \| rtsp }]
validate-url- signature	Validates the URL signature for a request using the configuration on your SE for the URL signature and allows the request processing to proceed for this request. The error-redirect-url keyword redirects requests that failed validation to a specified URL. The error-redirect-url keyword is only supported for Web Engine HTTP URLs. The exclude keyword excludes the client IP address, the content expiry time, domain, or both the client IP address and expiry time from the URL signature validation, and redirects requests that failed validation to a specified URL. The exclude client-ip keywords instruct the SE to ignore the client’s IP address when processing the validation of the signed URL. The command could be configured as r ule action validate-url-signature exclude client-ip error-redirect-url aa pattern-list 1 protocol all . The exclude expiry-time keywords instruct the SE to ignore the expiry time that normally limits access to the content when the expiry time has occurred. The command could be configured as rule action validate-url-signature exclude expiry-time error-redirect-url pattern-list 1 protocol all . The exclude domain-name keyword instructs the SEs to ignore the domain in the URL when processing the validation of the signed URL. The command could be configured as rule action validate-url-signature exclude domain-name error-redirect-url pattern-list 1 protocol all . The exclude all keywords instruct the SE to ignore both the client IP address and the content expiration time when processing the validation of the signed URL. The command could be configured as rule action validate-url-signature exclude all error-redirect-url aa pattern-list 1 protocol all .	rule action validate-url-signature { error-redirect-url url \| exclude { all error-redirect-url url \| client-ip error-redirect-url url \| expiry-time error-redirect-url url \| domain-name error-redirect-url url } pattern-list list_num [ protocol { all \| http }]}

Step 9 Click Submit to save the settings.

Note When configuring service rules, you must configure the same service rules on all SEs participating in a delivery service in order for the service rules to be fully implemented. The rule action must be common for all client requests because the SR may redirect a client request to any SE in a delivery service depending on threshold conditions.

Execution Order of Rule Actions

The order in which the rule actions are implemented for Windows Media Streaming and Movie Streamer is the order in which they were configured, except for the validate-url-signature action. If the rule pattern associated with the validate-url-signature action is matched, regardless of the configuration order of the rules, the validate-url-signature action is performed before any other action.

1. validate-url-signature

2. block or allow

Note The allow and block actions carry the same precedence. The order of implementation depends on the order of configuration between allow and block actions. Other actions always take precedence over allow.

3. redirect (before cache lookup)

4. rewrite (before cache lookup)

Configuring URL Signing

URL signature keys are word values that ensure URL-level security. The URL signature key is a shared secret between the device that assigns the key and the device that decrypts the key. Based on your network settings, either the SE itself or some other external device can assign the signature key to the URL, but the SE decrypts the URL signature key.

The CDS uses a combination of key owners, key ID numbers, and a word value to generate URL signature keys. You can have a maximum of 32 key owners. Each key owner can have up to 16 key ID numbers.

To create request-specific URL signature keys, you can choose to append the IP address of the client that has made the request to the URL signature key.

To create a URL signature key, do the following:

Step 1

Choose Devices > Devices > Service Control > URL Signing. The URL Signing Table page is displayed.

The table is sortable by clicking the column headings.

For information about Aggregate Settings, see the “Aggregate Settings” section

Step 2 Click the Create New icon in the task bar. The URL Signing page is displayed.

To edit the URL signature, click the Edit icon next to the URL Signature Key ID owner you want to edit.

Step 3 Enter the settings as appropriate. See Table 4-14 for a description of the fields.

Table 4-14 URL Signature Key Settings
Field	Description
Cryptographic Algorithm	Choose either Symmetric Key or Asymmetric Key . For more information, see the “URL Signing and Validating” section.
Key ID Owner	Specify the ID number for the owner of this encryption key. Valid entries are from 1 to 32.
Key ID	Specify the encryption key ID number. Valid entries are from 1 to 16.
Key	Field for Symmetric Key only. Enter a unique URL signature key with up to 16 characters (excluding double quotes at the beginning and end of the string). This field accepts only 7-bit printable ASCII characters (alphabetic, numerics, and others) and does not support a space or the following special characters: pipe (\|), question mark (?), double quotes ("), and apostrophe (’). The following special characters are allowed: {}!#$%&()+,-./;:<=>@\~^[]_ Quoted and unquoted strings are allowed. Double quotes (") are allowed at the beginning and end of the string only. If you do not surround the key string with double quotes, quotes are added when you click Submit* .
Public Key URL	Field for Asymmetric Key only. The location of the public key file. Only HTTP, HTTPS, or FTP addresses are supported. The public/private key pair is stored in Privacy Enhanced Mail (PEM) format.
Private Key URL	Field for Asymmetric Key only. The location of the private key file. Only HTTP, HTTPS, or FTP addresses are supported. The public/private key pair is stored in Privacy Enhanced Mail (PEM) format.
Symmetric Key	Field for Asymmetric Key only. A 16-byte American Encryption Standard (AES) key used for AES encryption of the signed URL.

Step 4 Click Submit to save the settings.

For information on the URL signing mechanism, see Appendix H, “URL Signing and Validation.”

Configuring the Authorization Service

When Authorization Service is enabled, client requests are blocked if the request is for an unknown server or if the client’s IP address or geographic location is not allowed to request content. The Authorization Service is enabled by default and includes both types of blocking.

The Authorization Service verifies that all client requests have a service routing fully-qualified domain name (RFQDN) or origin server FQDN (OFQDN) that is recognized as part of a delivery service. For more information about RFQDNs and origin server, see the “Content Origins” section. If you want to allow client requests for unknown hosts, check the Enable Unknown-Server Requests check box.

Note The string “.se.” cannot be used in the RFQDN and OFQDN.

To block client requests based on geographical location, the SE communicates with a Geo-Location server, which maps IP addresses to a geographic locations. The Geo-Location server, which is the same Geo-Location server used for location-based routing on the SR, identifies the geographic location of a client request by the country, state, and city of the client. See the “Configuring Request Routing Settings” section. For more information about the Geo-Location servers, see the “Geo-Location Servers” section.

Each delivery service participating in the Authorization Service has a Geo/IP file that contains information on the allowed client IP addresses and geographic locations, and denied client IP addresses and geographic locations. The Authorization Service blocks client requests based on the Geo/IP file uploaded for the delivery service.

The SE that receives the client request compares the client’s information, as well as the URL string pattern, with the information configured for the delivery service and allows or denies the request. If the Authorization Service denies the request, the protocol engine receives the denied message and sends a request denied message to the client. For more information, see the“Authorization Plugins” section

To enable the Authorization Service, do the following:

Step 1 Choose Devices > Devices > Service Control > Authorization Service . The Authorization Service page is displayed.

Step 2 To enable the Authorization Service, check the Enable Authorization check box.

The Authorization Service is enabled by default.

Step 3 In the Primary Address and associated Port fields, enter the IP address and port number of the primary Geo-Location Server.

Step 4 In the Secondary Address and associated Port fields, enter the IP address and port number of the primary Geo-Location Server.

Step 5 To allow client requests for unknown hosts, while at the same time keeping the Authorization Service enabled, check the Enable Unknown-Server Requests check box.

Step 6 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

Note If the primary Geo-Location server is shut down and a secondary Geo-location server is configured and is up, requests are sent to the secondary Geo-Location server in a failover-type scenario. If the primary Geo-Location server is brought back up and is online, requests are still routed to the secondary Geo-Location server as long as the secondary Geo-Location server is up. Only if the secondary Geo-Location server goes down and the primary Geo-Location server is up will a fallback occur and requests once again will be routed to the primary Geo-Location server.

Configuring Transaction Logs

Transaction logs allow administrators to view the traffic that has passed through the SE. Typical fields in the transaction log are the date and time when a request was made, the URL that was requested, whether it was a cache hit or a cache miss, the type of request, the number of bytes transferred, and the source IP address. For more information about transaction logs and their formats, see the “Transaction Logs” section.

To enable transaction logging, do the following:

Step 1 Choose Devices > Devices > Service Control > Transaction Logging . The Transaction Log Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-15 for a description of the fields.

Table 4-15 Transaction Log Settings Fields
Field	Description
General Settings
Transaction Log Enable	Enables transaction logging.
Log Windows Domain	If NTLM authentication is configured, you can record the Windows domain name and username in the “authenticated username ” field of the transaction log by checking this check box. For more information, see the “Transaction Logging and NTLM Authentication” section.
Compress Files before Export	When this check box is checked, archived log files are compressed into gzip format before being exported to external FTP servers
Log File Format Log Format Custom	Log file format choices are extended-squid or apache . The default is apache . For more information, see the “Transaction Log Formats for Web Engine” section. Or, choose Log Format Custom and enter a custom format string. For more information, see the “Custom Format” section.
Archive Settings
Max size of Archive File	Maximum size (in kilobytes) of the archive file to be maintained on the local disk. The range is from 1000 to 2000000. The default is 500000.
Max number of files to be archived	Maximum number of files to be maintained on the local disk. The range is from 1 to 10000. The default is 10.
Archive occurs	How often the working log is archived and the data is cleared from the working log. Choose one of the following: Choose every to archive every so many seconds, and enter the number of seconds for the interval. The range is from 120 to 604800. Choose every hour to archive using intervals of one hour or less, and choose one of the following: – at —Specifies the minute in which each hourly archive occurs – every —Specifies the number of minutes for the interval (2, 5, 10, 15, 20, or 30) Choose every day to archive using intervals of one day or less, and choose one of the following: – at —Specifies the hour in which each daily archive occurs – every —Specifies the number of hours for the interval (1, 2, 3, 4, 6, 8, 12, 24) Choose every week on to archive at intervals of one or more times a week, choose the days of the week, and choose what time each day.
Export Settings
Enable Export	Enables exporting of the transaction log to an FTP server.
Export occurs	How often the working log is sent to the FTP server and the data is cleared from the working log. Choose one of the following: Choose every to export every so many minutes, and enter the number of minutes for the interval. The range is from 1 to 10080. Choose every hour to export using intervals of one hour or less, and choose one of the following: – at —Specifies the minute in which each hourly export occurs – every —Specifies the number of minutes for the interval (2, 5, 10, 15, 20, or 30) Choose every day to export using intervals of one day or less, and choose one of the following: – at —Specifies the hour in which each daily export occurs – every —Specifies the number of hours for the interval (1, 2, 3, 4, 6, 8, 12, 24) Choose every week on to export using intervals of one or more times a week, choose the days of the week, and what time each day.
FTP Export Server	IP address or hostname of the FTP server.
Name	Name of the user.
Password	Password for the user.
Confirm Password	Confirms the password for the user.
Directory	Name of the directory used to store the transaction logs on the FTP server.
SFTP	Check the SFTP check box, if you are using an SFTP server.
Windows Media Settings
Enable Windows Media Settings	Enables Windows Media transaction logging.
Log File Format	Sets Windows Media Streaming Engine to generate transaction logs in the following formats:
	extended wms-41	Uses the standard Windows Media Services 4.1 format to generate the transaction log and includes the following three additional fields in the transaction log: SE_action (cache hit or cache miss) SE-bytes (number of bytes sent from the SE for a cache hit) username (username of the Windows Media request when NTLM, Negotiate, Digest, or basic authentication is used)
	extended wms-90	Uses the standard Windows Media Services 9 format to generate the transaction log and includes the following three additional fields in the transaction log: SE_action (cache hit or cache miss) SE-bytes (number of bytes sent from the SE for a cache hit) username (username of the Windows Media request when NTLM, Negotiate, Digest, or basic authentication is used)
	wms-41	Standard Windows Media Services 4.1 format
	wms-90	Standard Windows Media Services 9 format
	The default is wms-41 . For more information, see the “Windows Media Transaction Logging” section.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

Application Control

The Application Control pages provide settings for bandwidth management of delivery services and protocol engines. Configuring application control consists of the following procedures:

Configuring Default and Maximum Bandwidth

The bandwidth used for delivering content is determined by the settings in the Default and Maximum Bandwidth page, and the Scheduled Bandwidth page. The default settings are used unless a scheduled bandwidth is configured for a specified time period. For Flash Media Streaming bandwidth limits, see the “Configuring Flash Media Streaming—General Settings” section and the “Configuring Flash Media Streaming—Service Monitoring” section.

Note The bandwidth used for delivering content is always the minimum bandwidth configured of the following configurations: default bandwidth, maximum bandwidth, and scheduled bandwidth. When the bandwidth limit is reached, new client requests are dropped and a syslog entry is written. The client receives an error message “453: Not enough bandwidth.”

To configure the default and maximum bandwidth settings, do the following:

Step 1 Choose Devices > Devices > Application Control > Default and Maximum Bandwidth . The Default and Maximum Bandwidth page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-16 for a description of the fields.

Table 4-16 Application Control Default and Maximum Bandwidth Fields
Field		Description
Windows Media Incoming	Default Bandwidth	Default bandwidth allowed for incoming Windows Media traffic from client devices.
Windows Media Incoming	Maximum Bandwidth	Maximum bandwidth permitted by system license. The maximum bandwidth for concurrent Windows Media streams enforces the aggregate bandwidth of all concurrent Windows Media streaming sessions, which includes RTSP-using-UDP, RTSP-using-TCP, MMS-over-HTTP, and live stream splitting. The default is 200 Mbps.1
Windows Media Outgoing	Default Bandwidth	Default bandwidth allowed for outgoing Windows Media traffic from the SE.
Windows Media Outgoing	Maximum Bandwidth	Maximum bandwidth permitted by system license. The maximum bandwidth for concurrent Windows Media streams enforces the aggregate bandwidth of all concurrent Windows Media streaming sessions, which includes RTSP-using-UDP, RTSP-using-TCP, MMS-over-HTTP, and live stream splitting. The default is 200 Mbps.¹
Movie Streamer Incoming	Default Bandwidth	Default bandwidth allowed for incoming Movie Streamer traffic from client devices.
Movie Streamer Incoming	Maximum Bandwidth	Maximum bandwidth permitted by system license. The maximum bandwidth for concurrent Movie Streamer streams enforces the aggregate bandwidth of all concurrent Movie Streamer sessions. The default is 200 Mbps.¹
Movie Streamer Outgoing	Default Bandwidth	Default bandwidth allowed for outgoing Movie Streamer traffic from the SE.
Movie Streamer Outgoing	Maximum Bandwidth	Maximum bandwidth permitted by system license. The maximum bandwidth for concurrent Movie Streamer streams enforces the aggregate bandwidth of all concurrent Movie Streamer sessions. The default is 200 Mbps.¹

^1.The maximum allowed is 8 Gbps on a CDE220-2G2, 12 Gbps on a CDE220-2S3i, and 44 Gbps on a CDE250.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring Bandwidth Schedules

Bandwidth Schedule settings take precedence over Default Bandwidth settings.

To configure a Bandwidth Schedule, do the following:

Step 1 Choose Devices > Devices > Application Control > Bandwidth Schedules . The Application Control Bandwidth Schedule Table page is displayed.

The table is sortable by clicking the column headings.

For information about Aggregate Settings, see the “Aggregate Settings” section

Step 2 Click Create New in the task bar. The Scheduled Bandwidth page is displayed.

To edit a bandwidth schedule, click the Edit icon next to the scheduled bandwidth you want to edit.

Step 3 Enter the settings as appropriate. See Table 4-17 for a description of the fields.

Table 4-17 Application Control Bandwidth Schedule Fields
Field	Description
Bandwidth Type	Windows Media Incoming—Incoming Windows Media streaming content requests from end users. Windows Media Outgoing—Outgoing Windows Media content from SEs.
	Movie Streamer Incoming—Incoming Movie Streamer content requests from SEs or origin servers. Movie Streamer Outgoing—Outgoing Movie Streamer content in response to RTSP requests from end users.
Bandwidth Rate	Maximum amount of bandwidth you want to allow (in kilobits per second).
Start Time	Time of day for the bandwidth rate setting to start, using a 24-hour clock in local time (hh:mm).
End Time	Time of day for the bandwidth rate setting to end (hh:mm).
Use Specific Days	Days of the week on which configured bandwidth settings apply. Full Week—Bandwidth settings are applied to the entire week. Sun, Mon, Tue, Wed, Thu, Fri, and Sat—Specific days of the week on which configured bandwidth settings apply.
Specific Day Range	Range of days of the week on which configured bandwidth settings apply. Start day—Day of the week to start for allowable bandwidth. End day—Day of the week to end for allowable bandwidth.

Step 4 Click Submit to save the settings.

To delete a bandwidth schedule, click the Edit icon for the group, then click the Delete icon in the task bar.

Bandwidth Graph

To view a graphical representation of the bandwidth settings, click the Display Graph icon in the task bar. The Application Bandwidth graph is displayed in a new window.

The vertical axis of the graph represents the amount of bandwidth in kilobits per second (kb/s) , and the horizontal axis represents the days of the week. The units shown on the vertical axis are determined dynamically based on the bandwidth rate for a particular bandwidth type. The units shown on the horizontal axis represent 24 hours per each day of the week. Each type of bandwidth is represented by a different color. A legend at the bottom of the graph maps colors to the corresponding bandwidth type.

To view the graph by bandwidth type, detailed or composite view, or days of the week, click a view option in the text at the top of the window. Table 4-18 describes the view options.

Table 4-18 Viewing Options for Content Services Bandwidth Graph
Option	Description
Windows Media In	Displays the bandwidth settings for incoming Windows Media traffic.
Windows Media Out	Displays the bandwidth settings for outgoing Windows Media traffic.
Movie Streamer In	Displays the bandwidth settings for incoming Movie Streamer traffic.
Movie Streamer Out	Displays the bandwidth settings for outgoing Movie Streamer traffic.
All Servers	Displays a consolidated view of all configured bandwidth types. This is the default view and is combined with the Full Week view.
Show Detailed Bandwidth/Show Effective Bandwidth	Toggles between the two options: Show Detailed Bandwidth—Displays detailed bandwidth settings for the SE and its associated device groups. The bandwidth settings of the device and device groups are shown in different colors for easy identification. Show Effective Bandwidth—Displays the composite (aggregate) bandwidth settings for the SE and its associated device groups.
Show Aggregate View/Show Non-Aggregate View	Toggles between the two options: Show Aggregate View—Displays the bandwidth settings configured for the corresponding device groups. Show Non-Aggregate View—Displays the bandwidth settings configured for the SE.
Sun, Mon, Tues, Wed, Thurs, Fri, Sat	Displays the bandwidth settings for the corresponding day of the week.
Full Week	Displays the bandwidth settings for the entire week. This is the default view and is combined with the All Servers view.

Configuring Windows Media Streaming—General Settings

To configure the General Settings for Windows Media Streaming, do the following:

Step 1

Choose Devices > Devices > Application Control > Windows Media Streaming > General Settings . The Windows Media Streaming General Settings page is displayed (Figure 4-13).

Figure 4-13 Windows Media Streaming Page—General Settings

Step 2 Enter the settings as appropriate. See Table 4-19 for a description of the fields.

Table 4-19 Windows Media Streaming General Settings Fields
Field	Description
Enable Windows Media Services	When checked, Windows Media Services is enabled. To disable services, uncheck the check box.
Windows Media Proxy Settings
Enable Outgoing HTTP Proxy	When enabled, allows an outgoing HTTP proxy server for streaming media in MMS format (MMS-over-HTTP). The Outgoing Proxy feature only works on the Content Acquirer in a delivery service.
Outgoing HTTP Proxy Host Name and Port	Hostname, or IP address, and port of the outgoing HTTP proxy. Valid port numbers range from 1 to 65535.
Enable Outgoing RTSP Proxy	When enabled, allows an outgoing RTSP proxy server for streaming media using RTSP. The Outgoing Proxy feature only works on the Content Acquirer in a delivery service.
Outgoing RTSP Proxy Host Name and Port	Hostname, or IP address, and port of the outgoing RTSP proxy. Valid port numbers range from 1 to 65535.
Enable Accelerate Proxy Cache Performance	When enabled, caching performance improvements are applied to the Windows Media proxy.
Windows Media General Settings
Disable HTTP Windows Media Traffic	To disallow streaming over HTTP, check the check box.
Disable RTSPT WMT Traffic	To disallow streaming over RTSPT (RTSP using TCP), check the check box.
Disable RTSPU WMT Traffic	To disallow streaming over RTSPU (RTSP using UDP), check the check box.
Maximum Concurrent Connections: Override Default and Custom Value	To override the default maximum number of concurrent sessions, check the check box and enter a value in the Custom Value field. The default is 200 sessions. The range is from 1 to 40000.
Enforce Maximum Outgoing Bitrate	Enforces the maximum stream bit rate for serving content when checked.
Maximum Outgoing Bitrate	The maximum streaming bit rate that can be served in kilobits per second (kbps). The range is from 1 to 2,147,483,647. The default is 0, which means no bitrate limit.
Enforce Maximum Incoming Bitrate	Enforces the maximum incoming bit rate for receiving content when checked.
Maximum Incoming Bitrate	The maximum streaming bit rate (kbps) that can be received. The range is from 1 to 2,147,483,647. The default is 0, which means no bitrate limit.
Enable Accelerate Live-Split Performance	Enables performance improvements in live splitting for the Windows Media proxy.
Enable Accelerate VOD Performance	Enables performance improvements in Video On Demand for the Windows Media proxy.
Restrict HTTP Allowed Extensions	Allows you to add or remove permitted extensions.
HTTP Allowed Extensions	List of allowable extensions for HTTP. You can add or delete filename extensions from this list with the following restrictions: Each extension must be alphanumeric, with the first character in the extension being an alphabetic character. You cannot have more than 10 characters in a filename extension. You cannot add more than 6filename extensions to the allowed list.
Enable Fast Start Feature	Enables Fast Start for MMS-over-HTTP or RTSP.
Fast Start Max Bandwidth	Maximum bandwidth (kbps) allowed per Windows Media Player when Fast Start is used to serve packets to this player. The default is 3500. The range is from 1 to 65535.
Enable Fast Cache	Enables Fast Cache for MMS-over-HTTP or RTSP.
Fast Cache Max Delivery Rate	Maximum delivery rate (kbps) allowed per Windows Media Player when Fast Cache is used to deliver packets to this player. The default is 5. The range is from 1 to 65535.
Windows Media Multicast Settings
Number of hops to live	Number of hops to live for multicast Windows Media packets. The default is 5. The range is from 0 to 255.
Windows Media Advanced Client Settings
Idle Timeout	Number of seconds to timeout when the client connection is idle. The default is 60 The range is from 30 to 300.
Maximum Data Packet Size	Maximum packet size (in bytes) allowed. The default is 1500. The range is from 576 to 16,000.
Windows Media Advanced Server Settings
Enable Log Forwarding	Enables log forwarding to an upstream SE or Windows Media server.
Inactive Timeout	Number of seconds to timeout when the upstream SE or Windows Media server connection is idle. The default is 65535. The range is from 60 to 65535.
Windows Media Cache Settings
Enable	When checked, Windows Media cache settings are enabled.
Max Object Size	The maximum content object size (in megabytes) the SE can cache. The default is 25600. The range is from 1 to 1000000.
Age Multiplier	The age multiplier value (as a percentage) enables the SE to estimate the life of an object by multiplying the time since the object was last modified by a percentage to obtain an approximate expiration date. After this date, the object is considered stale, and subsequent results cause a fresh retrieval by the SE. The default value is 30. The range is from 0 to 100.
Maximum TTL	The maximum time-to-live for objects in the cache. The value ranges are the following: 1 to 157680000 seconds 1 to 2628000 minutes 1 to 43800 hours 1 to 1825 days The default is 1 day.
Minimum TTL	The minimum time-to-live (in minutes) for objects in the cache. The default is 60. The range is from 0 to 86400.
Enable Re-evaluate Request	When checked, the cache is validated with the origin server instead of validating the cache using heuristics. When Enable Re-evaluate Request is checked, the cached content freshness is revalidated every time the content is requested, which limits the effectiveness of the other cache settings and increases the time to start streaming the content.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring Windows Media Streaming—Bypass List

Incoming bandwidth refers to the bandwidth between a local SE and the origin server. When the SE is configured for Windows Media proxy services, incoming bandwidth usage for Video On Demand (VOD) content is unpredictable. This unpredictability is because the consumption of incoming bandwidth for VOD content can be triggered arbitrarily by an end user requesting the content. If the VOD content is not found in the SE cache, a cache miss occurs, and the Windows Media proxy must fetch the content from the origin server. The SE administrator cannot predict the incoming bandwidth usage for such events, so a large number of cache-miss VOD requests can consume all of the incoming bandwidth.

The Windows Media incoming bandwidth bypass configuration allows the administrator to configure a list of hosts that bypasses the incoming bandwidth limitation.

To configure the list of hosts for bypassing incoming bandwidth limits, do the following:

Step 1 Choose Devices > Devices > Application Control > Windows Media Streaming > Bypass List. The Bypass List page is displayed.

Step 2 In the Windows Media BW Incoming Bypass List field, enter up to four IP addresses or hostnames of hosts you want to bypass the incoming bandwidth check. Separate each entry with a space.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring Movie Streamer—General Settings

The Movie Streamer is an open-source, standards-based, streaming server that delivers hinted MPEG-4, hinted 3GPP, and hinted MOV files to clients over the Internet and mobile networks using the industry-standard RTP and RTSP.

To configure the general settings for Movie Streamer, do the following:

Step 1 Choose Devices > Devices > Application Control > Movie Streamer > General Settings . The Movie Streamer General Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-20 for a description of the fields.

Table 4-20 Movie Streamer General Settings Fields
Field	Description
Enable Movie Streamer Services	When checked, Movie Streamer Services is enabled. To disable services, uncheck the check box.
Movie Streamer Proxy Settings
Host Name	Hostname or IP address of the proxy server for Movie Streamer.
Port	Port of the proxy server for Movie Streamer. Valid port numbers range from 1 to 65535. The default is 554.
Movie Streamer General Settings
Maximum Concurrent Connections: Override Default and Custom Value	To override the default maximum number of concurrent sessions, check the check box and enter a value in the Custom Value field. The default is 200 sessions. The range is from 1 to 40,000.
Enforce Maximum Outgoing Bitrate	Enforces the maximum stream bit rate for serving content when checked.
Maximum Outgoing Bitrate	The maximum streaming bit rate that can be served in kilobytes per second (Kbps). The range is from 1 to 2147483647, depending on the hardware model.
Enforce Maximum Incoming Bitrate	Enforces the maximum incoming bit rate for receiving content when checked.
Maximum Incoming Bitrate	The maximum streaming bit rate (Kbps) that can be received. The range is from 1 to 2147483647, depending on the hardware model.
Enable Accelerate VOD Performance	Enables performance improvements in Video On Demand for the Movie Streamer proxy.
Movie Streamer Advanced Client Settings
Idle Timeout RTP Timeout	The Idle Timeout field and the RTP Timeout field, are only intended for performance testing when using certain testing tools that do not have full support of the RTCP receiver report. Setting these timeouts to high values causes inefficient tear-down of client connections when the streaming sessions have ended. The Idle Timeout field has a range from 0 to 300, whereas the RTP Timeout field has a range from 30-180. This is by design. For typical deployments, it is preferable to leave these parameters set to their defaults. The default is 300 for the Idle Timeout field and 180 for the RTP Timeout field.
Movie Streamer Cache Settings
Enable	When checked, Movie Streamer caches content on the SE and the cache settings are enabled.
Age Multiplier	The age multiplier value (as a percentage) enables the SE to estimate the life of an object by multiplying the time since the object was last modified by a percentage to obtain an approximate expiration date. After this date, the object is considered stale, and subsequent results cause a fresh retrieval by the SE. The default value is 30. The range is from 0 to 100.
Maximum TTL	The maximum time-to-live for objects in the cache. The value ranges are the following: 1 to 157680000 seconds 1 to 2628000 minutes 1 to 43800 hours 1 to 1825 days The default is 1 day.
Enable Re-evaluate Request	When checked, the cache is validated with the origin server instead of validating the cache using heuristics.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring RTSP Advanced Settings

To configure RTSP advanced settings for Movie Streamer and Windows Media Streaming, do the following:

Step 1

Choose Devices > Devices > Application Control > RTSP Advanced Settings . The RTSP Advanced Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-21 for a description of the fields.

Table 4-21 RTSP Advanced Settings Fields
Field	Description
Maximum Initial Setup Delay	Maximum delay allowed (in seconds) between TCP accept and the first RTSP message from the client. The default is 10 seconds.
Maximum Request Rate	Maximum number of incoming requests per second that the RTSP gateway allows. The default is 40 requests per second.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring Flash Media Streaming—General Settings

The Flash Media Streaming engine delivers Adobe Flash applications and video files, as well as MP3 audio files using HTTP and an Adobe proprietary protocol, RTMP. For more information, see the “Flash Media Streaming Engine” section.

Note Flash Media Streaming uses port 1935 for RTMP and RTMPE streaming. Flash Media Streaming also supports RTMPT and RTMPTE over port 80.

To enable Flash Media Streaming, do the following:

Step 1 Choose Devices > Devices > Application Control > Flash Media Streaming > General Settings . The Flash Media Streaming General Settings page is displayed.

Step 2 Check the Enable Flash Media Streaming check box.

Step 3 Enter the settings as appropriate. See Table 4-22 for a description of the fields.

Table 4-22 Flash Media Streaming Fields
Field	Description
Restricted Maximum Bandwidth	Maximum bandwidth allowed for Flash Media Streaming. The range is from 1000 to 8000000 Kbps. The default is 200000.
Restricted Maximum Sessions	Maximum concurrent sessions the Flash Media Streaming engine supports. The range is from 1 to 15000. The default is 200.

Step 4 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring Flash Media Streaming—FMS Administrator

To enable servers to send Flash Media Server (FMS) Administration API calls to this device, do the following:

Step 1 Choose Devices > Devices > Application Control > Flash Media Streaming > FMS Admin Allow Hosts . The FMS Admin Allow Hosts page is displayed.

Step 2 Check the Enable check box.

Step 3 In the FMS Admin Allow Hosts field, enter the IP addresses (space delimited) of the servers that are allowed to send Flash Media Server Administration API calls to this device.

The Adobe Flash Media Server Administration APIs and the Administration Console that was built using the Administration APIs are supported. These APIs can be used to monitor and manage the Adobe Flash Media Server running on a Cisco CDS Service Engine.

Step 4 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring Flash Media Streaming—Service Monitoring

To enable Flash Media Streaming Service Monitoring, do the following:

Step 1 Choose Devices > Devices > Application Control > Flash Media Streaming > Service Monitoring . The Service Monitoring page is displayed.

Step 2 Check the Enable Service Monitoring check box.

Service Monitoring monitors the Flash Media Streaming engine memory usage. If the memory usage reaches the 1.5 GB limit for either the Flash Media Streaming core process or the Flash Media Streaming edge process, an alarm is raised and the Service Router does not redirect any new Flash Media Streaming requests to this SE.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring Web Engine HTTP Cache Freshness

To configure the web engine HTTP cache freshness, do the following:

Step 1

Choose Devices > Devices > Application Control > Web > HTTP > HTTP Cache Freshness . The HTTP Cache Freshness page is displayed (Figure 4-14).

Figure 4-14 HTTP Cache Freshness Page

Step 2 Enter the settings as appropriate. See Table 4-23 for a description of the fields.

Table 4-23 HTTP Cache Freshness Fields
Field	Description
Enable	When checked, HTTP cache freshness is enabled.
Object Age Multiplier	The age multiplier value (as a percentage) enables the SE to guess the life of an object by multiplying the time since the object was last modified by a percentage to obtain an approximate expiration date. After this date, the object is considered stale, and subsequent results cause a fresh retrieval by the SE. The range is from 0 to 100. The default value is 30.
Max TTL Scale	The scale (seconds, hours, minutes, or days) to use for the Max Object TTL. The time-to-live (TTL) sets a ceiling on estimated expiration dates. If an object has an explicit expiration date, this takes precedence over the configured TTL. The default is days.
Max Object TTL	The maximum time-to-live (TTL) for objects in cache. The ranges are as follows: 1 to 1825 days 1 to 43800 hours 1 to 2628000 minutes 1 to 157680000 seconds The default is 61 day.
Minimum TTL	The minimum time-to-live (in minutes) for objects in the cache. The range is from 0 to 86400. The default value is 60.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

General Settings

The General Settings pages provide settings for access control of the device, maintenance, network connectivity, and monitoring. The configuring of general settings consists of the following procedures:

Configuring Content Management

To configure the maximum number of entries for cache content, do the following:

Step 1

Choose Devices > Devices > General Settings > Content Management . The Content Management page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-24 for a description of the fields.

Table 4-24 Content Management Fields
Field	Description
Max Cache Content Entries	Enter the value for the maximum entries of cached content allowed. The range is from 1 to 20,000,000. The default is 20,000,000.
Cache content eviction preferred size	By default, Content Manager prefers to keep small content objects over large content objects, because the overhead of fetching a small object is higher than larger objects. The Cache content eviction preferred size default is large, which means the large size files are evicted before small files.
Enable Eviction Protection	Check the Enable Eviction Protection check box to enable eviction protection. For more information, see the “Eviction Protection” section.
Minimum cache entry size to protect	From the Minimum cache entry size to protect drop-down list, select the minimum cache entry size (100 MB, 500 MB, 1 GB, and 4 GB) to protect from deletion.
Minimum duration to protect the content from eviction	From the M inimum duration to protect the content from eviction drop-down list, select the age (1–4 hours for 100 MB size, 1, 4, 8, or 24 hours for all other sizes) of the content object to be protected from deletion.
Hit Count Decay Half Life	Enter the half-life decay period (in days) at which to decay hit-count by half. The range is 1 to 30. The default is 14 days. The decay mechanism reduces the hit count by half and is applied for the content object every two weeks by default.
Threshold of Disk Failures Per Bucket	Enter the threshold, as a percentage, for disk failures in a bucket. The disks in each bucket are monitored, and if the threshold is exceeded, a minor alarm is raised. The default is 30. The range is 1 to 100. For more information, see the “Bucket Allocation” section.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Login Access Control

Login authentication and authorization are used to control user access and configuration rights to CDSMs, SEs, and SRs. Login authentication is the process by which the devices verify whether the person who is attempting to log in to the device has a valid username and password. The person logging in must have a user account registered with the device. User account information serves to authorize the user for login and configuration privileges. The user account information is stored in an authentication, authorization, and accounting (AAA) database, and the devices must be configured to access the particular authentication server (or servers) where the AAA database is kept.

In a CDS network, user accounts can be created for access to the CDSM and, independently, for access to the SEs and SRs that are registered to the CDSM. For user accounts that access the CDSM, see the “Configuring AAA” section.

Login Authentication

Login authentication can also be used to log in to the CDSM GUI. When logging in to the CDSM GUI with an external user account (RADIUS or TACACS+), the user is authenticated by the external database. After the external user is authenticated, its role depends on the privilege configured in the external database (zero [0] means a normal user and 15 means a super user). The privilege level of 0 or 15 is mapped to the read-only or admin user role in the CDSM GUI. No CDSM local user is created in the CDSM database for the external user that logs in, so the external user cannot be managed by the CDSM GUI.

Note If you plan to use a RADIUS server or a TACACS+ server for authentication, you must configure the server settings before you configure and submit these settings. See the “Configuring RADlUS Server Settings” section and the “Configuring TACACS+ Server Settings” section for more information.

When the primary login server and the primary enable server are set to local, usernames and passwords are local to each device. Local authentication and authorization uses locally configured login and passwords to authenticate login attempts.

Note If the Enable Failover Server Unreachable option is enabled, it applies to both the login authorization methods and the exec authentication methods.

If you are going to use different servers for login authentication and enable authentication (for example, local for login authentication and RADIUS for the enable authentication), then the username and password must be the same for both servers.

By default, local login authentication is enabled. You can disable local login authentication only after enabling one or more of the other login authentication servers. However, when local login authentication is disabled, if you disable all other login authentication methods, a warning message is displayed stating “At least one authentication method is required to select for login.”

Caution Make sure that RADIUS or TACACS+ authentication is configured and operating correctly before disabling local authentication and authorization. If you disable local authentication and RADIUS or TACACS+ is not configured correctly, or if the RADIUS or TACACS+ server is not online, you may be unable to log in to the device.

To configure the login authentication and enable authentication schemes for the device, do the following:

Step 1 Choose Devices > Devices > General Settings > Login Access Control > Login Authentication . The Login Authentication page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-25 for a description of the fields.

Table 4-25 Login Authentication Fields
Field	Description
Login Authentication Settings
Enable Failover Server Unreachable	If Enable Failover Server Unreachable is enabled, the following applies: Only two login authentication schemes (a primary and secondary scheme) are allowed on the device. Device fails over from the primary authentication scheme to the secondary authentication scheme only if all specified authentication servers of the primary authentication scheme are unreachable. Conversely, if the Enable Failover Server Unreachable option is disabled, the device contacts the secondary authentication database, regardless of the reason the authentication failed with the primary authentication database. Note To use this option, you must set TACACS+ or RADIUS as the primary authentication method and local as the secondary authentication method.
Authentication Login Servers	When enabled, login authentication servers are used to authenticate user logins and whether the user has access permissions to the device. Check this option and set one or more Login servers for login authentication. By unchecking this option, local authentication is used by default. Three servers can be configured. Note If local is selected for any of the Login servers, the password in the username is used to authenticate the user. See the “Creating, Editing, and Deleting Users—Usernames” section
Primary Login Server	Choose local, RADIUS, or TACACS+.
Secondary Login Server	Choose local, RADIUS, or TACACS+.
Tertiary Login Server	Choose local, RADIUS, or TACACS+.
Enable Authentication Settings
Primary Enable Server	The enable server is used to allow normal users to enter the privileged EXEC mode.Choose local, RADIUS, or TACACS+.
Secondary Enable Server	Choose local, RADIUS, or TACACS+.
Tertiary Enable Server	Choose local, RADIUS, or TACACS+.
Local Enable Password	Set the local enable password for normal users to log in to the Enable server and have privileged EXEC mode. If multiple authorization methods are configured, the SE tries to authenticate the enable password by way of each configured method until one of them is successful.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Exec Authorization

Exec authorization provides the configuration for determining the services allowed for each user that logs in to the device.

Exec authorization can also be used to determine the services the user has for the CDSM GUI. When logging in to the CDSM GUI with an external user account (RADIUS or TACACS+), the user is authenticated by the external database. After the external user is authenticated, its role depends on the privilege configured in the external database (zero [0] means a normal user and 15 means a super user). The privilege level of 0 or 15 is mapped to the read-only or admin user role in the CDSM GUI. No CDSM local user is created in the CDSM database for the external user that logs in, so the external user cannot be managed by the CDSM GUI.

Note If you plan to use a TACACS+ server for authorization, you must configure the server settings before you configure and submit these settings. See the “Configuring RADlUS Server Settings” section and the “Configuring TACACS+ Server Settings” section for more information.

When the primary authorization server is set to local, usernames and passwords are local to each device. Local authorization uses locally configured login and passwords to authorize services for the user.

To configure the exec authorization schemes for the device, do the following:

Step 1 Choose Devices > Devices > General Settings > Login Access Control > Exec Authorization . The Exec Authorization page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-26 for a description of the fields.

Table 4-26 Exec Authorization Fields
Field	Description
Authorization Exec Servers	When enabled, authorization exec servers are used to authorize services for logged in users. Check this option and set one or more servers for exec authorization. By unchecking this option, local authentication is used by default. Three servers can be configured. Note If a user encounters failure during EXEC shell) startup authorization, the user fails to log in to the SE even if the user passed the login authentication.
Primary Exec Server	Choose local, RADIUS, or TACACS+.
Secondary Exec Server	Choose local, RADIUS, or TACACS+.
Tertiary Exec Server	Choose local, RADIUS, or TACACS+.
Primary Enable Server	The enable server determines if the normal user can enter the privileged EXEC mode. Choose local, RADIUS, or TACACS+.
Normal User Commands	Choose Enable or Enable if Authenticated . The Enable if Authenticated option turns off authorization on the TACACS+ server and authorization is granted to any Normal user who is authenticated.
Super User Commands	Choose Enable or Enable if Authenticated . The Enable if Authenticated option turns off authorization on the TACACS+ server and authorization is granted to any Super user who is authenticated.
Enable Config Commands	Check the Enable Config Commands check box to enable authorization of the configuration mode commands. By default, this option is disabled, which means all configuration commands issued are allowed.
Enable Console Config	Check the Enable Console Commands check box to enable authorization of all commands issued on a console TTY connection. By default, this option is disabled, which means commands issued through a console TTY connection always succeed.

Note The following commands bypass authorization and accounting: CTRL+C, CTRL+Z, exit, end, and all of configuration commands for entering submode (for example, interface GigabitEthernet 1/0).

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring SSH

Secure Shell (SSH) consists of a server and a client program. Like Telnet, you can use the client program to remotely log in to a machine that is running the SSH server. However, unlike Telnet, messages transported between the client and the server are encrypted. The functionality of SSH includes user authentication, message encryption, and message authentication.

The SSH page allows you to specify the key length and login grace time.

To enable the SSH daemon, do the following:

Step 1 Choose Devices > Devices > General Settings > Login Access Control > SSH . The SSH page is displayed.

Step 2 Check Enable to enable the SSH feature. SSH enables login access to the device through a secure and encrypted channel.

Step 3 In the Length of Key field, specify the number of bits needed to create an SSH key. The default is 2048.

Step 4 In the Login Grace Time field, specify the number of seconds the server waits for the user to successfully log in before it ends the connection. The authentication procedure must be completed within this time limit. The default is 300 seconds.

Note When changing the Login Grace Time, you need to first uncheck the Enable check box and click Submit. Enter the new Login Grace Time, check Enable, and click Submit.

Step 5 Select the SSH version.

a. To allow clients to connect using SSH protocol version 1, check the Enable SSHv1 check box.

b. To allow clients to connect using SSH protocol version 2, check the Enable SSHv2 check box.

Note You can enable both SSHv1 and SSHv2, or you can enable one version and not the other. You cannot disable both versions of SSH unless you disable the SSH feature by unchecking the Enable check box.

Step 6 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Enabling Telnet

To enable the Telnet service, do the following:

Step 1 Choose Devices > Devices > General Settings > Login Access Control > Telnet . The Telnet page is displayed.

Step 2 Check Telnet Enable to enable the terminal emulation protocol for remote terminal connections.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Setting the Message of the Day

The Message of the Day (MOTD) feature enables you to provide information bits to the users when they log in to a device. There are three types of messages that you can set up:

MOTD banner
EXEC process creation banner
Login banner

To configure the Message of the Day settings, do the following:

Step 1 Choose Devices > Devices > General Settings > Login Access Control > Message of the Day . The MOTD page is displayed.

Step 2 Check Enable to enable the MOTD settings. The Message of the Day (MOTD) banner, EXEC process creation banner, and Login banner fields become enabled.

Step 3 In the Message of the Day (MOTD) Banner field, enter a string that you want to display as the MOTD banner when a user attempts to log in to the device.

Note In the Message of the Day (MOTD) Banner, EXEC Process Creation Banner, and Login Banner fields, you can enter a maximum of 980 characters. A new line character (or Enter) is counted as two characters, as it is interpreted as \n by the system. You cannot use special characters such as `, % ,^ , and " in the MOTD text.

Step 4 In the EXEC Process Creation Banner field, enter a string to be displayed as the EXEC process creation banner when a user enters into the EXEC shell of the device.

Step 5 In the Login Banner field, enter a string to be displayed after the MOTD banner when a user attempts to log in to the device.

Step 6 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Changing the CLI Session Time

To change the CLI session time, do the following:

Step 1 Choose Devices > Devices > General Settings > Login Access Control > CLI Session Time . The CLI Session Time page is displayed.

Step 2 In the CLI Session Time field, enter the time (in minutes) that the device waits for a response before ending the session.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Changing Users—Admin Password

Every device (CDSM, SE, and SR) has a built-in user account. The username is admin and the default password is default . This account allows access to all services and entities in the CDS. Any user that can access the Admin Password page in the CDSM can configure a new password for the administrator user account on individual SEs and SRs.

To change the Admin password, do the following:

Step 1 Choose Devices > Devices > General Settings > Login Access Control > Users > Admin Password . The Admin Password page is displayed.

Step 2 In the Password field, enter a new password.

The following characters are not allowed: ?./;[]{}"@=|

Step 3 In the Confirm Password field, re-enter the password.

Step 4 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Creating, Editing, and Deleting Users—Usernames

You can create, edit, and delete user accounts for login access to individual devices or device groups. A privilege profile must be assigned to each new user account. The Usernames page uses privilege profiles to determine which tasks a user can perform and the level of access provided. Users with administrative privileges can add, delete, or modify user accounts through the CDSM or the device CLI.

To create, edit, or delete a user account, do the following:

Step 1 Choose Devices > Devices > General Settings > Login Access Control > Users > Usernames . The User Table page is displayed.

The table is sortable by clicking the column headings.

For information about Aggregate Settings, see the “Aggregate Settings” section

Step 2 Click the Create New icon in the task bar. The Local User page is displayed.

To edit a local user, click the Edit icon next to the name you want to edit.

Step 3 Enter the settings as appropriate. See Table 4-27 for a description of the fields.

Table 4-27 Local User Fields
Field	Description
Username	Name of user.
Password	User password.
Confirm Password	Re-enter user password.
Privilege	There are two types of predefined privilege profiles: Normal user—User has read access and can see some of the SE, SR, or CDSM settings. Superuser—User has administrative privileges such as creating new users and modifying the SE, SR, or CDSM settings.

Step 4 Click Submit to save the settings.

To delete a user, click the Edit icon for the user, then click the Delete icon in the task bar.

Authentication

User authentication and authorization (configuration rights) data can be maintained in any combination of these three databases:

Local database (located on the device)
RADIUS server (external database)
TACACS+ server (external database)

The Login Authentication page allows you to choose an external access server or the internal (local) device-based authentication, authorization, and accounting (AAA) system for user access management. You can choose one method or a combination of the three methods. The default is to use the local database for authentication.

Configuring RADlUS Server Settings

Note The CDSM does not cache user authentication information. Therefore, the user is reauthenticated against the Remote Authentication Dial In User Service (RADIUS) server for every request. To prevent performance degradation caused by many authentication requests, install the CDSM in the same location as the RADIUS server, or as close as possible to it, to ensure that authentication requests can occur as quickly as possible.

To configure the RADIUS server settings, do the following:

Step 1 Choose Devices > Devices > General Settings > Authentication > RADIUS Server . The RADIUS Server Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-28 for a description of the fields.

Table 4-28 RADIUS Server Settings Fields
Field	Description
Enable Radius Authentication	Enables RADIUS authentication.
Time to wait	Number of seconds to wait for a response before timing out on a connection to a RADIUS server. The range is from 1 to 20. The default is 5.
Number of retransmits	Number of attempts allowed to connect to a RADIUS server. The default is 2.
Enable redirect	Redirects an authentication response to a different authentication server if an authentication request using the RADIUS server fails.
Redirect Message [1-3]	Message sent to the user if redirection occurs. Note If the redirect message has a space, it must be in quotes (" ").
Location [1-3]	Sets an HTML page location. This is the URL destination of the redirect message that is sent when authentication fails.
Shared Encryption Key	Encryption key shared with the RADIUS server. The maximum number of characters allowed is 15.
Server Name [1-5]	IP address or hostname of the RADIUS server.
Server Port [1-5]	Port number on which the RADIUS server is listening. The default is 1645.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

To use RADIUS for login authentication and authorization, see the “Login Authentication” section.

Configuring TACACS+ Server Settings

Note The CDSM does not cache user authentication information. Therefore, the user is reauthenticated against the Terminal Access Controller Access Control System Plus (TACACS+) server for every request. To prevent performance degradation caused by many authentication requests, install the CDSM in the same location as the TACACS+ server, or as close as possible to it, to ensure that authentication requests can occur as quickly as possible.

To configure the TACACS+ server settings, do the following:

Step 1 Choose Devices > Devices > General Settings > Authentication > TACACS+ Server . The TACACS+ Server Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-29 for a description of the fields.

Table 4-29 TACACS+ Server Settings Fields
Field	Description
Enable TACACS+ Servers	Enables TACACS+ authentication.
Use ASCII Password Authentication	Changes the default password type from Password Authentication Protocol (PAP) to ASCII clear text format.
Time to wait	Number of seconds to wait for a response before timing out on a connection to a TACACS+ server. The range is from 1 to 20. The default is 5.
Number of retransmits	Number of attempts allowed to connect to a TACACS+ server. The default is 2.
Security Word	Encryption key shared with the TACACS+ server. The range is from 1 to 99. An empty string is the default.
Primary Server	IP address or hostname of the primary TACACS+ server.
Secondary Server Tertiary Server	IP address or hostname of the backup TACACS+ server. Up to two backup servers are allowed.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

To use TACACS+ for login authentication and authorization, see the “Login Authentication” section.

Configuring AAA Accounting

Accounting tracks all user actions and when the action occurred. It can be used for an audit trail or for billing for connection time or resources used (bytes transferred).

The CDS accounting feature uses TACACS+ server logging. Accounting information is sent to the TACACS+ server only, not to the console or any other device. The syslog file on the SE logs accounting events locally. The format of events stored in the syslog is different from the format of accounting messages.

The TACACS+ protocol allows effective communication of AAA information between SEs and a central TACACS+ server. It uses TCP for reliable connections between clients and servers. SEs send authentication and authorization requests, as well as accounting information to the TACACS+ server.

Note Before you can configure the AAA accounting settings for a device, you must first configure a TACACS+ server for the device. See the “Configuring TACACS+ Server Settings” section.

To configure the AAA accounting settings, do the following:

Step 1 Choose Devices > Devices > General Settings > Authentication > AAA Accounting. The AAA Accounting Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-29 for a description of the fields.

Table 4-30 AAA Accounting Settings Fields
Field	Description
System Events	Enables accounting records on the TACACS+ server about system events; such as system reboot, interface up or down states, and accounting configuration enabled or disabled. From the System Events drop-down list choose start-stop or stop-only. The start-stop option records events when they start and when they stop. The stop-only option records events when they stop.
Exec Shell Events	Enables accounting records on the TACACS+ server about user EXEC terminal sessions, including username, date, and start and stop times. From the Exec Shell Events drop-down list choose start-stop or stop-only. The start-stop option records events when they start and when they stop. The stop-only option records events when they stop.
Normal User Commands	Enables accounting records on the TACACS+ server for Normal users using commands in the EXEC mode. From the Normal User Commands drop-down list choose start-stop or stop-only. The start-stop option records events when they start and when they stop. The stop-only option records events when they stop.
Super User Commands	Enables accounting records on the TACACS+ server for Super users using commands in the EXEC mode. From the Super User Commands drop-down list choose start-stop or stop-only. The start-stop option records events when they start and when they stop. The stop-only option records events when they stop.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring an Access Control List

To configure an access control list (ACL) for group authorization, do the following:

Step 1 Choose Devices > Devices > General Settings > Authentication > Access Control List > Configure Access Control List . The Access Control List Table page is displayed.

The table is sortable by clicking the column headings.

Step 2 Click the Create New icon in the task bar. The Configure Access Control List page is displayed.

To edit a group, click the Edit icon next to the name you want to edit.

Step 3 Enter the settings as appropriate. See Table 4-31 for a description of the fields.

Table 4-31 Access Control List Fields
Field	Description
Action	Whether to permit or deny access for this group.
Group Name	If this action is for all groups, choose Any Group Name . If this action is for a specific group, choose Enter Group Name and enter the group name in the field.
Change Position	To change the order of this group in the access control list, which is displayed in the Access Control List Table page, click Change Position .

Step 4 Click Submit to save the settings.

To delete a group, click the Edit icon for the group, then click the Delete icon in the task bar.

Step 5 From the left-panel menu, choose Enable Access Control List . The Enable Access Control List page is displayed.

Step 6 Check the Enable Access Control List check box and click Submit .

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

To move a group up or down in the Access Control List table, click the Up arrow or Down arrow in the Move column.

The ACL can be applied from the device or from a device group. The source of the currently applied settings is shown in the Access Control List Table page.

Scheduling Database Maintenance

The database maintenance runs at the scheduled time only when the following three conditions are satisfied:

Last vacuum process happened more than 30 minutes in the past.
Percent increase in disk space usage is greater than 10 percent.
Available free disk space is greater than 10 percent of the total disk space.

If any of these conditions are not satisfied, the database maintenance does not run at the scheduled time.

To schedule a database cleaning or reindexing, do the following:

Step 1 Choose Devices > Devices > General Settings > Database Maintenance . The Database Maintenance Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-32 for a description of the fields.

Table 4-32 Database Maintenance Settings Fields
Field	Description
Full Database Maintenance Settings
Enable	When enabled, a full database maintenance routine is performed on the device.
Every Day Sun-Sat	The days of the week when the maintenance is performed When Every Day is enabled, all days of the week are also enabled.
At (time)	Time of day the maintenance is performed. Time is entered in 24-hour format as hh:mm. The default is 04:00.
Regular Database Maintenance Settings
Enable	When enabled, a re-indexing routine is performed on the device.
Every Day Sun-Sat	The days of the week when the maintenance is performed. When Every Day is enabled, all days of the week are also enabled.
At (time)	Time of day the maintenance is performed. Time is entered in 24-hour format as hh:mm. The default is 02:00.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Setting Storage Handling

The Storage option offers disk error-handling settings.

Enabling Disk Error Handling

The Disk Error Handling page allows you to configure how disk errors are handled, and to define disk error-handling thresholds for bad sectors and disk errors.

The Threshold for Bad Sectors and the Threshold for Disk Errors counts only apply to bad sectors and disk errors detected since the last reboot of the device. These counts do not persist across a device reboot (reload).

If the Enable Disk Error Handling Reload option is enabled and the disk drive is marked bad because the disk error-handling threshold (bad sectors or disk errors) was reached, the device is automatically reloaded. Following the device reload, the bad sector and disk error threshold counts are reset, and a syslog message and an SNMP trap are generated.

If a critical disk drive is marked bad, the redundancy of the system disks for this device is affected. Critical disks are disks with SYSTEM partitions. However, drives with SYSTEM partitions use RAID1. With the RAID system, if the critical primary disk fails, the other mirrored disk (mirroring only occurs for SYSTEM partitions) seamlessly continues operation. There is a separate alarm for bad RAID. The SMART statistics that are returned by the show disks SMART-info detail command include sector errors directly reported by the drive itself.

For more information about the SMART sector errors, latent sector handling, and the disk repair command, see the “Disk Maintenance” section.

Note We do not recommend enabling the Enable Disk Error Handling Reload option, because the software state may be lost when the device is reloaded.

To configure a disk error-handling method, do the following:

Step 1

Choose Devices > Devices > General Settings > Storage > Disk Error Handling . The Disk Error Handling Settings page is displayed.

Step 2 Check the Enable check box.

Step 3 Check the Enable Disk Error Handling Reload check box if you want the device to reload the disk when a disk has problems.

Step 4 Check the Enable Disk Error Handling Threshold check box if you want to set the number of disk errors allowed before the disk is marked bad, and enter the following:

a. In the Threshold for Bad Sectors field, enter the number of allowed bad sectors before marking the disk bad. This threshold only applies to bad sectors detected since the last reboot of the device. The range is 0 to 100. The default threshold is 15.

b. In the Threshold for Disk Errors field, enter the number of allowed disk errors before marking the disk bad. This threshold only applies to disk and sector errors detected since the last reboot of the device. The range is from 0 to 100,000. The default is 500.

Note When both Threshold for Bad Sectors and Threshold for Disk Errors are set to 0, it means never mark the disk bad when it detects bad sectors or disk errors, and the disk_failure alarm is not raised. A disk with SYSTEM partitions uses RAID1. There is a separate alarm for bad RAID.

Step 5 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

The Disk Failure Percentage Threshold field on the Service Monitor page sets the overall percentage of CDNFS disk failures. When the percentage of failed disks (default is 75) exceeds this threshold, no further requests are sent to this device. The Disk Failure Threshold setting is only for the CDNFS disks. For more information, see the “Setting Service Monitor Thresholds” section.

Network Settings

The Network pages provide settings for network connectivity. Configuring network settings consist of the following procedures:

Enabling FTP Services

To enable FTP services to listen for connection requests, do the following:

Step 1 Choose Devices > Devices > General Settings > Network > FTP . The FTP Settings page is displayed.

Step 2 Check the Enable FTP Services check box.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Enabling DNS

DNS Settings are required on all SEs, SRs, and CDSMs. The SEs need to be able to resolve the content origin server host name, the SRs need to be able to communicate with the DNS servers, and the CDSMs need to resolve host names.

To configure Domain Name System (DNS) servers, do the following:

Step 1 Choose Devices > Devices > General Settings > Network > DNS . The DNS Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-33 for a description of the fields.

Table 4-33 DNS Settings Fields
Field	Description
Enable	Enables Domain Name System (DNS) on the device.
List of DNS Servers	Space-delimited list of IP addresses for up to eight name servers for name and address resolution.
Domain Names	A space-delimited list of up to three default domain names. A default domain name allows the system to resolve any unqualified hostnames. Any IP hostname that does not contain a domain name will have the configured domain name appended to it. This appended name is resolved by the DNS server and then added to the host table. A DNS server must be configured on the system for hostname resolution to work correctly. To do this, use the List of DNS Servers field.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Enabling RCP

Remote Copy Protocol (RCP) lets you download, upload, and copy configuration files between remote hosts and a switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection oriented. This service listens for requests on TCP port 514.

To enable RCP services, do the following:

Step 1 Choose Devices > Devices > General Settings > Network > RCP . The RCP page is displayed.

Step 2 Check the RCP Enable check box to have the RCP services listen for RCP requests.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring NTP

To configure the device to synchronize its clock with an NTP server, do the following:

Step 1 Choose Devices > Devices > General Settings > Network > NTP . The NTP page is displayed.

Step 2 Check Enable to enable NTP.

Step 3 In the NTP Server field, enter the IP address or hostname of up to four NTP servers. Use a space to separate the entries.

Step 4 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Setting the Time Zone

If you have an outside source on your network that provides time services, such as an NTP server, you do not need to set the system clock manually. When manually setting the clock, enter the local time. The device calculates Coordinated Universal Time (UTC) based on the time zone set.

Note Two clocks exist in the system: the software clock and the hardware clock. The software uses the software clock. The hardware clock is used only at startup to initialize the software clock.

Caution We highly recommend that you use NTP servers to synchronize the devices in your CDS network. If you change the local time on the device, you must change the BIOS clock time as well; otherwise, the timestamps on the error logs are not synchronized. Changing the BIOS clock is required because the kernel does not handle time zones.

To manually configure the time zone, do the following:

Step 1 Choose Devices > Devices > General Settings > Network > Time Zone . The Time Zone page is displayed with the default settings of UTC (offset = 0) and no daylight savings time configured.

Step 2 To configure a standard time zone, do the following:

a. Click the Standard Time Zone radio button.

The standard convention for time zones uses a Location/Area format in which Location is a continent or a geographic region of the world and Area is a time zone region within that location. For a list of standard time zones that can be configured and their UTC offsets, see Table 4-34.

b. From the Standard Time Zone drop-down list, choose a location for the time zone. The page refreshes, displaying all area time zones for the chosen location in the second drop-down list.

c. Choose an area for the time zone.

The UTC offset (hours and minutes ahead or behind UTC) for the corresponding time zone is displayed. During summer time savings, the offset may differ and is displayed accordingly.

Note Some of the standard time zones (mostly time zones within the United States) have daylight savings time zones configured automatically.

Step 3 To configure a customized time zone, do the following:

a. Click the Customized Time Zone radio button.

b. In the Customized Time Zone field, enter a name to for the time zone. The time zone entry is case sensitive and can contain up to 40 characters. Spaces are not allowed. If you specify any of the standard time zone names, an error message is displayed when you click Submit .

c. For UTC offset, choose + or – from the UTC Offset drop-down list to indicate whether the configured time zone is ahead or behind UTC. Also, choose the number of hours (0 to 23) and minutes (0 to 59) offset from UTC for the customized time zone. The range for the UTC offset is from –23:59 to 23:59, and the default is 0:0.

Step 4 To configure customized summer time savings, do the following:

Note Customized summer time can be specified for both standard and customized time zones.

The start and end dates for summer time can be configured in two ways: absolute dates or recurring dates. Absolute dates apply once and must be reset every year. Recurring dates apply every year.

a. Click the Absolute Dates radio button to configure summer settings once.

b. In the Start Date and End Date fields, specify the month, day, and year that the summer time savings starts and ends in mm/dd/yyyy format.

Alternatively, click the Calendar icon and select a date. The chosen date is highlighted in blue. Click Apply .

c. Click the Recurring Dates radio button to configure a recurring summer setting.

d. Using the drop-down lists, choose the start day, week, and month when the summer time savings starts. For example, if the summer time savings begins the first Sunday in March, you would select Sunday, 1st, March from the drop-down lists.

e. Using the drop-down lists, choose the start day, week, and month when the summer time savings ends.

Step 5 Using the Start Time drop-down lists and the End Time drop-down lists, choose the hour (0 to 23) and minute (0 to 59) at which daylight savings time starts and ends.

Start Time and End Time fields for summer time are the times of the day when the clock is changed to reflect summer time. By default, both start and end times are set at 00:00.

Step 6 In the Offset field, specify the minutes offset from UTC (0 to 1439). (See Table 4-34.)

The summer time offset specifies the number of minutes that the system clock moves forward at the specified start time and backward at the end time.

Step 7 To not specify a summer or daylight savings time for the corresponding time zone, click the No Customized Summer Time Configured radio button.

Step 8 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Table 4-34 lists the UTC offsets for the different locations around the world.

Table 4-34 Time Zone—Offset from UTC
Time Zone	Offset from UTC (in hours)	Time Zone	Offset from UTC (in hours)
Africa/Algiers	+1	Asia/Vladivostok	+10
Africa/Cairo	+2	Asia/Yekaterinburg	+5
Africa/Casablanca	0	Asia/Yakutsk	+9
Africa/Harare	+2	Australia/Adelaide	+9.30
Africa/Johannesburg	+2	Australia/Brisbane	+10
Africa/Nairobi	+3	Australia/Darwin	+9.30
America/Buenos_Aires	–3	Australia/Hobart	+10
America/Caracas	–4	Australia/Perth	+8
America/Mexico_City	–6	Australia/Sydney	+10
America/Lima	–5	Canada/Atlantic	–4
America/Santiago	–4	Canada/Newfoundland	–3.30
Atlantic/Azores	–1	Canada/Saskatchewan	–6
Atlantic/Cape_Verde	–1	Europe/Athens	+2
Asia/Almaty	+6	Europe/Berlin	+1
Asia/Baghdad	+3	Europe/Bucharest	+2
Asia/Baku	+4	Europe/Helsinki	+2
Asia/Bangkok	+7	Europe/London	0
Asia/Colombo	+6	Europe/Moscow	+3
Asia/Dacca	+6	Europe/Paris	+1
Asia/Hong_Kong	+8	Europe/Prague	+1
Asia/Irkutsk	+8	Europe/Warsaw	+1
Asia/Jerusalem	+2	Japan	+9
Asia/Kabul	+4.30	Pacific/Auckland	+12
Asia/Karachi	+5	Pacific/Fiji	+12
Asia/Katmandu	+5.45	Pacific/Guam	+10
Asia/Krasnoyarsk	+7	Pacific/Kwajalein	–12
Asia/Magadan	+11	Pacific/Samoa	–11
Asia/Muscat	+4	US/Alaska	–9
Asia/New Delhi	+5.30	US/Central	–6
Asia/Rangoon	+6.30	US/Eastern	–5
Asia/Riyadh	+3	US/East–Indiana	–5
Asia/Seoul	+9	US/Hawaii	–10
Asia/Singapore	+8	US/Mountain	–7
Asia/Taipei	+8	US/Pacific	–8
Asia/Tehran	+3.30

The offset time (number of hours ahead or behind UTC) as displayed in the table is in effect during winter time. During summer time or daylight savings time, the offset may be different from the values in the table and is calculated and displayed accordingly by the system clock.

Viewing Network Interfaces

The Network Interfaces page is informational only. To view this information, choose Devices > Devices > General Settings > Network > Network Interfaces . Information about the network interfaces configured for the device is displayed.

Configuring External IP Addresses

The External IP page allows you to configure up to eight Network Address Translation (NAT) IP addresses. This allows a router to translate up to eight internal addresses to registered unique addresses and translate external registered addresses to addresses that are unique to the private network.

To configure NAT IP addresses, do the following:

Step 1 Choose Devices > Devices > General Settings > Network > External IP . The External IP Settings page is displayed.

Step 2 Check the Enable check box.

Step 3 In the External IP Address fields (1–8), enter up to eight IP addresses.

Step 4 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring Port Channel and Load Balancing Settings

For information about configuring port channels using the CLI, see the “Redundant Dedicated Management Ports” section.

To configure load balancing on port channels, do the following:

Step 1 Choose Devices > Devices > General Settings > Network > Port Channel Settings . The Port Channel Settings page is displayed.

Step 2 From the Load Balancing Method drop-down list, choose one of the following load balancing methods:

dst-ip —Destination IP address
dst-mac —Destination MAC address

dst-mixed-ip-port —Destination IP address and TCP/UDP port

dst-port —Destination port
round robin —Each interface in the channel group
src-dst-ip —Source and destination IP address
src-dst-mac —Source and destination MAC address

src-dst-mixed-ip-port —Source destination IP address and source destination port

src-dst-port —Source and destination port

src-mixed-ip-port —Source IP address and source destination port

src-port —Source port

Round robin allows traffic to be distributed evenly among all interfaces in the channel group. The other balancing options give you the flexibility to choose specific interfaces (by IP address, MAC address, port) when sending an Ethernet frame.

The source and destination options mean that while calculating the outgoing interface, take into account both the source and destination (MAC address or port).

Note Round-robin load-balancing mode is not supported when Link Aggregation Control Protocol (LACP) is enabled on the port channel.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring IP General Settings

The Path Maximum Transmission Unit (MTU) Discovery discovers the largest IP packet size allowable between the various links along the forwarding path and automatically sets the correct value for the packet size. By using the largest MTU the links can support, the sending device can minimize the number of packets it must send.

Note The Path MTU Discovery is a process initiated by the sending device. If a server does not support IP Path MTU Discovery, the receiving device has no mechanism available to avoid fragmenting datagrams generated by the server.

To enable Path MTU Discovery, do the following:

Step 1 Choose Devices > Devices > General Settings > Network > IP General Settings . The IP General Settings page is displayed.

Step 2 Check Enable Path MTU Discovery .

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring IP ACL

Access control lists (ACLs) provide a means to filter packets by allowing a user to permit or deny IP packets from crossing specified interfaces. Packet filtering helps to control packet movement through the network. Such control can help limit network traffic and restrict network use by certain users or devices.

You can also apply ACLs to management services such as SNMP, SSH, HTTPS, Telnet, and FTP. ACLs can be used to control the traffic that these applications provide by restricting the type of traffic that the applications handle.

In a managed CDS network environment, administrators need to be able to prevent unauthorized access to various devices and services. CDS supports standard and extended ACLs that allow administrators to restrict access to or through a CDS network device, such as the SE. Administrators can use ACLs to reduce the infiltration of hackers, worms, and viruses that can harm the network.

ACLs provide controls that allow various services to be tied to a particular interface. For example, the administrator can use IP ACLs to define a public interface on the Service Engine for content serving and a private interface for management services (for example, Telnet, SSH, SNMP, HTTPS, and software upgrades). A device attempting to access one of the services must be on a list of trusted devices before it is allowed access. The implementation of ACLs for incoming traffic on certain ports for a particular protocol type is similar to the ACL support for the Cisco Global Site Selector and Cisco routers.

To use ACLs, the system administrator must first configure ACLs and then apply them to specific services. The following are some examples of how IP ACLs can be used in various enterprise deployments:

Application layer proxy firewall with a hardened outside interface has no ports exposed. ( Hardened means that the interface carefully restricts which ports are available for access primarily for security reasons. Because the interface is outside, many types of attacks are possible.) The device’s outside address is globally accessible from the Internet, while its inside address is private. The inside interface has an ACL to limit Telnet, SSH, and CDSM traffic.
Device is deployed anywhere within the enterprise. Like routers and switches, the administrator wants to limit Telnet, SSH, and CDSM access to the IT source subnets.
Device is deployed as a reverse proxy in an untrusted environment, and the administrator wishes to allow only port 80 inbound traffic on the outside interface and outbound connections on the back-end interface.

Note IP ACLs are defined for individual devices only. IP ACLs cannot be managed through device groups.

When you create an IP ACL, you should note the following constraints:

IP ACL names must be unique within the device.
IP ACL names must be limited to 30 characters and contain no spaces or special characters.
CDSM can manage up to 50 IP ACLs and a total of 500 conditions per device.
When the IP ACL name is numeric, numbers 1 through 99 denote standard IP ACLs and numbers 100 through 199 denote extended IP ACLs. IP ACL names that begin with a number cannot contain nonnumeric characters.
Extended IP ACLs cannot be used with SNMP applications.

Creating a New IP ACL

To create a new IP ACL, do the following:

Step 1 Choose Devices > Devices > General Settings > Network > IP ACL . The IP ACL Table page is displayed.

The table is sortable by clicking the column headings.

Step 2 Click the Create New icon in the task bar. The IP ACL page is displayed.

To edit an ACL, click the Edit icon next to the name you want to edit.

Step 3 In the Name field, enter a name, observing the naming rules for IP ACLs.

Step 4 From the ACL Type drop-down list, choose an IP ACL type ( Standard or Extended) . The default is Standard .

Step 5 Click Submit . The page refreshes and the Modifying IP ACL page for a newly created IP ACL is displayed.

Note Clicking Submit at this point merely saves the IP ACL; IP ACLs without any conditions defined do not appear on the individual devices.

Adding Conditions to an IP ACL

To add conditions to an IP ACL, do the following:

Step 1 Choose Devices > Devices > General Settings > Network > IP ACL . The IP ACL Table page is displayed.

Step 2 Click the Edit icon next to the name of the IP ACL you want to add a condition to. The Modifying IP ACL page is displayed.

Step 3 Click the Create New icon in the task bar. The Condition page is displayed.

To edit a condition, click the Edit icon next to the name you want to edit.

Note The number of available fields for creating IP ACL conditions depends on the whether the IP ACL type is standard or extended.

Step 4 Enter values for the properties that are enabled for the type of IP ACL that you are creating.

To create a standard IP ACL, go to Step 5.
To create an extended IP ACL, go to Step 6.

Step 5 To set up conditions for a standard IP ACL, do the following:

a. From the Purpose drop-down list, choose a purpose ( Permit or Deny ).

b. In the Source IP field, enter the source IP address.

c. In the Source IP Wildcard field, enter a source IP wildcard address.

d. Click Submit . The Modifying IP ACL page is displayed showing the new condition and its configuration.

e. To add another condition to the IP ACL, repeat the steps.

f. To reorder your list of conditions in the Modifying IP ACL page, use the Up arrow or Down arrow in the Order column, or click a column heading to sort by any configured parameter.

Note The order of the conditions listed becomes the order in which IP ACLs are applied to the device.

g. When you have finished adding conditions to the IP ACL, and you are satisfied with all your entries and the order in which the conditions are listed, click Submit in the Modifying IP ACL page to commit the IP ACL to the device database.

A green “Change submitted” indicator appears in the lower right corner of the Modifying IP ACL page to indicate that the IP ACL is being submitted to the device database.

Table 4-35 describes the fields in a standard IP ACL.

Table 4-35 Standard IP ACL Conditions
Field	Default Value	Description
Purpose2	Permit	Specifies whether a packet is to be passed ( Permit ) or dropped ( Deny ).
Source IP¹	0.0.0.0	IP address of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format.
Source IP¹ Wildcard	255.255.255.255	Wildcard bits to be applied to the source, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0.

^2.Required field.

Step 6 To set up conditions for an extended IP ACL, do the following:

a. From the Purpose drop-down list, choose a purpose ( Permit or Deny ).

b. From the Extended Type drop-down list, choose Generic , TCP , UDP , or ICMP .

After you choose a type of extended IP ACL, various options become available depending on what type you choose.

c. Enter the settings as appropriate. See Table 4-36 for descriptions of the extended IP ACL fields.

d. Click Submit . The Modifying IP ACL page is displayed showing the new condition and its configuration.

e. To add another condition to the IP ACL, repeat the steps.

f. To reorder your list of conditions from the Modifying IP ACL page, use the Up arrow or Down arrow in the Order column, or click a column heading to sort by any configured parameter.

Note The order of the conditions listed becomes the order in which IP ACLs are applied to the device.

A green “Change submitted” indicator appears in the lower-left corner of the Modifying IP ACL page to indicate that the IP ACL is being submitted to the device database.

Table 4-36 Extended IP ACL Conditions
Field	Default Value	Description		Extended Type
Purpose3	Permit	Specifies whether a packet is to be passed ( Permit ) or dropped ( Deny ).		Generic, TCP, UDP, ICMP
Protocol	ip	Internet protocol ( gre , icmp , ip , tcp , or udp) . To match any Internet protocol, use the ip keyword.		Generic
Established	Unchecked (false)	When checked, a match with the ACL condition occurs if the TCP datagram has the ACK or RST bits set, indicating an established connection. Initial TCP datagrams used to form a connection are not matched.		TCP
Source IP¹	0.0.0.0	IP address of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format.		Generic, TCP, UDP, ICMP
Source IP Wildcard¹	255.255.255.255	Wildcard bits to be applied to the source, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0.		Generic, TCP, UDP, ICMP
Source Port 1	0	Decimal number or name of a port. Valid port numbers are 0 to 65535. See Table 4-37 and Table 4-38 for port name descriptions and associated port numbers.		TCP, UDP
Source Port 1	0	Valid TCP port names are as follows: domain exec ftp ftp-data https nfs rtsp ssh telnet www	Valid UDP port names are as follows: bootpc bootps domain netbios-dgm netbios-ns netbios-ss nfs ntp snmp snmptrap	TCP, UDP
Source Operator	range	Specifies how to compare the source ports against incoming packets. Choices are < , > , == , != , or range .		TCP, UDP
Source Port 2	65535	Decimal number or name of a port. See Source Port 1.		TCP, UDP
Destination IP	0.0.0.0	IP address of the network or host to which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format.		Generic, TCP, UDP, ICMP
Destination IP Wildcard	255.255.255.255	Wildcard bits to be applied to the source, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0.		Generic, TCP, UDP, ICMP
Destination Port 1	0	Decimal number or name of a port. Valid port numbers are 0 to 65535. See Table 4-37 and Table 4-38 for port name descriptions and associated port numbers.		TCP, UDP
Destination Port 1	0	Valid TCP port names are as follows: domain exec ftp ftp-data https nfs rtsp ssh telnet www	Valid UDP port names are as follows: bootpc bootps domain netbios-dgm netbios-ns netbios-ss nfs ntp snmp snmptrap	TCP, UDP
Destination Operator	range	Specifies how to compare the destination ports against incoming packets. Choices are < , > , == , != , or range .		TCP, UDP
Destination Port 2	65535	Decimal number or name of a port. See Destination Port 1.		TCP, UDP
ICMP Param Type¹	None	Choices are None , Type/Code , or Msg . None —Disables the ICMP Type, Code, and Message fields. Type/Code —Allows ICMP messages to be filtered by ICMP message type and code. Also enables the ability to set an ICMP message code number. Msg —Allows a combination of type and code to be specified using a keyword. Activates the ICMP Message drop-down list. Disables the ICMP Type field.		ICMP
ICMP Message¹	administratively- prohibited	Allows a combination of ICMP type and code to be specified using a keyword chosen from the drop-down list. See Table 4-39 for descriptions of the ICMP messages.		ICMP
ICMP Type¹	0	Number from 0 to 255. This field is enabled when you choose Type/Code .		ICMP
Use ICMP Code¹	Unchecked	When checked, enables the ICMP Code field.		ICMP
ICMP Code¹	0	Number from 0 to 255. Message code option that allows ICMP messages of a particular type to be further filtered by an ICMP message code.		ICMP

^3.Required field.

Table 4-37 lists the UDP keywords that you can use with extended access control lists.

Table 4-37 UDP Keywords and Port Numbers
Port Name	Description	UDP Port Number
bootpc	Bootstrap Protocol (BOOTP) client service	68
bootps	Bootstrap Protocol (BOOTP) server service	67
domain	Domain Name System (DNS) service	53
netbios-dgm	NetBIOS datagram service	138
netbios-ns	NetBIOS name resolution service	137
netbios-ss	NetBIOS session service	139
nfs	Network File System service	2049
ntp	Network Time Protocol settings	123
snmp	Simple Network Management Protocol service	161
snmptrap	SNMP traps	162

Table 4-38 lists the TCP keywords that you can use with extended access control lists.

Table 4-38 TCP Keywords and Port Numbers
Port Name	Description	TCP Port Number
domain	Domain Name System service	53
exec	Remote process execution	512
ftp	File Transfer Protocol service	21
ftp-data	FTP data connections (used infrequently)	20
https	Secure HTTP service	443
nfs	Network File System service applications	2049
rtsp	Real-Time Streaming Protocol applications	554
ssh	Secure Shell login	22
telnet	Remote login using Telnet	23
www	World Wide Web (HTTP) service	80

Table 4-39 lists the keywords that you can use to match specific ICMP message types and codes.

Table 4-39 Keywords for ICMP Message Type and Code
Message	Description
administratively-prohibited	Messages that are administratively prohibited from being allowed access.
alternate-address	Messages that specify alternate IP addresses.
conversion-error	Messages that denote a datagram conversion error.
dod-host-prohibited	Messages that signify a Department of Defense (DoD) protocol Internet host denial.
dod-net-prohibited	Messages that specify a DoD protocol network denial.
echo	Messages that are used to send echo packets to test basic network connectivity.
echo-reply	Messages that are used to send echo reply packets.
general-parameter-problem	Messages that report general parameter problems.
host-isolated	Messages that indicate that the host is isolated.
host-precedence-unreachable	Messages that have been received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 3 (Host Unreachable). This is the most common response. Large numbers of this datagram type on the network are indicative of network difficulties or may be indicative of hostile actions.
host-redirect	Messages that specify redirection to a host.
host-tos-redirect	Messages that specify redirection to a host for type of service-based (ToS) routing.
host-tos-unreachable	Messages that denote that the host is unreachable for ToS-based routing.
host-unknown	Messages that specify that the host or source is unknown.
host-unreachable	Messages that specify that the host is unreachable.
information-reply	Messages that contain domain name replies.
information-request	Messages that contain domain name requests.
mask-reply	Messages that contain subnet mask replies.
mask-request	Messages that contain subnet mask requests.
mobile-redirect	Messages that specify redirection to a mobile host.
net-redirect	Messages that are used for redirection to a different network.
net-tos-redirect	Messages that are used for redirection to a different network for ToS-based routing.
net-tos-unreachable	Messages that specify that the network is unreachable for the ToS-based routing.
net-unreachable	Messages that specify that the network is unreachable.
network-unknown	Messages that denote that the network is unknown.
no-room-for-option	Messages that specify the requirement of a parameter, but that no room is available for it.
option-missing	Messages that specify the requirement of a parameter, but that parameter is not available.
packet-too-big	Messages that specify that the ICMP packet requires fragmentation but the Do Not Fragment (DF) bit is set.
parameter-problem	Messages that signify parameter-related problems.
port-unreachable	Messages that specify that the port is unreachable.
precedence-unreachable	Messages that specify that host precedence is not available.
protocol-unreachable	Messages that specify that the protocol is unreachable.
reassembly-timeout	Messages that specify a timeout during reassembling of packets.
redirect	Messages that have been received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 5 (Redirect). ICMP redirect messages are used by routers to notify the hosts on the data link that a better route is available for a particular destination.
router-advertisement	Messages that contain ICMP router discovery messages called router advertisements.
router-solicitation	Messages that are multicast to ask for immediate updates on neighboring router interface states.
source-quench	Messages that have been received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 4 (Source Quench). This datagram may be used in network management to provide congestion control. A source quench packet is issued when a router is beginning to lose packets due to the transmission rate of a source. The source quench is a request to the source to reduce the rate of a datagram transmission.
source-route-failed	Messages that specify the failure of a source route.
time-exceeded	Messages that specify information about all instances when specified times were exceeded.
timestamp-reply	Messages that contain timestamp replies.
timestamp-request	Messages that contain timestamp requests.
traceroute	Messages that specify the entire route to a network host from the source.
ttl-exceeded	Messages that specify that ICMP packets have exceeded the time-to-live configuration.
unreachable	Messages that are sent when packets are denied by an access control list; these packets are not dropped in the hardware but generate the ICMP-unreachable message.

Applying an IP ACL to an Interface

The IP ACLs can be applied to a particular interface (such as management services to a private IP address) so that the device can have one interface in a public IP address space that serves content and another interface in a private IP address space that the administrator uses for management purposes. This feature ensures that clients can access the Service Engine only in the public IP address space for serving content and not access it for management purposes. A device attempting to access one of these applications that is associated with an IP ACL must be on the list of trusted devices to be allowed access.

To apply an IP ACL to an interface from the CLI, use the following interface configuration command:

interface { FastEthernet | GigabitEthernet } slot/port ip access-group { accesslistnumber | accesslistname } { in | out }

Deleting an IP ACL

You can delete an IP ACL, including all conditions and associations with network interfaces, or you can delete only the IP ACL conditions. Deleting all conditions allows you to change the IP ACL type if you choose to do so. The IP ACL entry continues to appear in the IP ACL listing; however, it is in effect nonexistent.

To delete an IP ACL, do the following:

Step 1 Choose Devices > Devices . > General Settings > Network > IP ACL . The IP ACL Table page is displayed.

Step 2 Click the Edit icon next to the name of the IP ACL that you want to delete. The Modifying IP ACL page is displayed. If you created conditions for the IP ACL, you have three options for deletion:

Delete ACL —This option removes the IP ACL, including all conditions and associations with network interfaces and applications.
Delete All Conditions —This option removes all the conditions, while preserving the IP ACL name.
Delete IP ACL Condition —This option removes one condition from the ACL.

Step 3 To delete the entire IP ACL, click Delete ACL in the task bar. You are prompted to confirm your action. Click OK . The record is deleted.

Step 4 To delete only the conditions, click Delete All Conditions in the task bar. You are prompted to confirm your action. Click OK . The window refreshes, conditions are deleted, and the ACL Type field becomes available.

Step 5 To delete one condition, do the following:

a. Click the Edit icon next to the condition. The condition settings are displayed.

b. Click the Delete IP ACL Condition icon in the task bar. The IP ACL table is displayed.

c. Click Submit to save the IP ACL table to the database.

Configuring Static IP Routes

The Static IP Routes page allows you to configure a static route for a network or host. Any IP packet designated for the specified destination uses the configured route.

To configure a static IP route, do the following:

Step 1 Choose Devices > Devices > General Settings > Network > IP Routes . The IP Route Table page is displayed.

The table is sortable by clicking the column headings.

Step 2 Click the Create New icon in the task bar. The IP Route page is displayed.

To edit a static route, click the Edit icon next to the name you want to edit.

Step 3 In the Destination Network Address field, enter the destination network IP address.

Step 4 In the Netmask field, enter the destination host netmask.

Step 5 In the Gateway’s IP Address field, enter the IP address of the gateway interface.

Step 6 Click Submit to save the settings.

To delete a route, click the Edit icon for the route, then click the Delete icon in the task bar.

Configuring DSR VIP

The CDS supports Virtual IP (VIP) configuration for Direct Server Return (DSR) when working with networks that use load balancers. DSR bypasses the load balancer for all server responses to client requests by using MAC Address Translation (MAT).

The CDS allows for the configuration of up to four VIPs (on loopback interfaces).

Client requests are sent to the load balancer and the load balancer sends the requests on to the Service Router. If DSR VIP is configured on the CDS (and supported on the load balancer), all CDS responses to the client are sent directly to the client, bypassing the load balancer.

Note If DSR VIP is configured on an SE, the DSR VIP IP address cannot be the same as the Origin Server FQDN (OFQDN).

To configure a DSR VIP, do the following:

Step 1 Choose Devices > Devices > General Settings > Network > DSR VIP . The DSR VIP page is displayed.

Step 2 In the Direct Server Return VIP 1 field, enter the IP address of the Direct Server Return VIP.

Step 3 Enter any additional DSR VIPs in the remaining fields (Direct Server Return VIP 2 to 4).

Step 4 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring Notification and Tracking

The Notification and Tracking pages provide settings for alarms, thresholds, SNMP connectivity, and device monitoring. Configuring notification and tracking consists of the following procedures:

Alarm Settings

The Alarm Settings page covers the following configuration settings;

Enabling Alarm Overload Detection

The device tracks the rate of incoming alarms from the Node Health Manager. If the rate of incoming alarms exceeds the high-water mark (HWM) threshold, the device enters an alarm overload state. This condition occurs when multiple applications raise alarms at the same time. When a device is in an alarm overload state, the following events occur:

Traps for the raise alarm-overload alarm and clear alarm-overload alarm are sent. SNMP traps for subsequent alarm raise-and-clear operations are suspended.
Traps for alarm operations that occur between the raise-alarm-overload alarm and the clear-alarm-overload alarm operations are suspended, but individual device alarm information is still collected and available using the CLI.
Device remains in an alarm overload state until the rate of incoming alarms decreases to less than the low-water mark (LWM).
If the incoming alarm rate falls below the LWM, the device comes out of the alarm overload state and begins to report the alarm counts to the SNMP servers and the CDSM.

Alarms that have been raised on a device can be listed by using the CLI commands shown in Table 4-40 . These CLI commands allow you to systematically drill down to the source of an alarm.

Table 4-40 Viewing Device Alarms
Command	Syntax	Description
show alarms		Displays a list of all currently raised alarms (critical, major, and minor alarms) on the device.
	show alarms critical	Displays a list of only currently raised critical alarms on the device.
	show alarms major	Displays a list of only currently raised major alarms on the device.
	show alarms minor	Displays a list of only currently raised minor alarms on the device.
	show alarms detail	Displays detailed information about the currently raised alarms.
	show alarms history	Displays a history of alarms that have been raised and cleared on the device. The CLI retains the last 100 alarm raise and clear events only.
	show alarms status	Displays the counts for the currently raised alarms on the device. Also lists the alarm-overload state and the alarm-overload settings.

To configure the alarm overload detection, do the following:

Step 1 Choose Devices > Devices > General Settings > Notification and Tracking > Alarm Settings . The Alarm Settings page is displayed.

Step 2 Uncheck the Enable Alarm Overload Detection check box if you do not want to configure the device to suspend alarm raise and clear operations when multiple applications report error conditions. Alarm overload detection is enabled by default.

Step 3 In the Alarm Overload Low Water Mark field, enter the number of alarms per second for the clear alarm overload threshold. The low water mark is the level to which the number of alarms must drop below before alarm traps can be sent. The default value is 1.

Step 4 In the Alarm Overload High Water Mark field, enter the number of alarms per second for the raise alarm-overload threshold. The high-water mark is the level the number of alarms must exceed before alarms are suspended. The default value is 10.

Step 5 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Alarms for Admin Shutdown Interface

When the Alarms for Admin Shutdown Interface check box is checked, the interface alarm is shutdown. If there is already an alarm raised when the setting is submitted, unchecking the option and submitting the change does not clear the outstanding alarm. There are two ways to avoid this situation:

1. Clear the outstanding alarm first before disabling this option.

2. Disable this option and reboot. The alarm is cleared during reboot.

Note The Alarms for Admin Shutdown Interface option should be enabled before any of the above for the alarm to take affect.

To enable the Alarms for Admin Shutdown Interface option, do the following:

Step 1 Choose Devices > Devices > General Settings > Notification and Tracking > Alarm Settings . The Alarm Settings page is displayed.

Step 2 Check the Alarms for Admin Shutdown Interface check box to enable this option.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Setting Service Monitor Thresholds

The Service Monitor page is where you configure workload thresholds for the device. In load-based routing, these thresholds are used to determine the best device to serve requested content. For more information about load-based routing, see the “Configuring the Service Router” section.

Note Threshold monitoring is performed on each device in the CDS. The protocol engine and NIC bandwidth thresholds are only monitored on the SE. They are not monitored on the SR and CDSM.

Note The base license limit is set to 200 sessions and 200 Mbps bandwidth.

The burst count, which indicates the number of days after which a major alarm is raised, is configurable. On the Service Engine, use the service-router service-monitor threshold burstcnt command to configure the burst count. The default setting is one (1), which means all the minor alarms that occur in a single day (24-hour interval) are counted as one single alarm. If the service-router service-monitor threshold burstcnt command is set to two, all minor alarms that occur in two days (48-hour interval) are counted as a single alarm.
A universal license is similar to a regular license, except it has a higher bandwidth and applies to all protocol engines (except Web Engine). When a universal license is purchased and configured, the alarm data for all protocol engines are cleared. Thereafter, the monitoring of the protocol engines continues as usual for any future alarms.
On the Service Engine, use the service-router service-monitor license-universal enable command to enable the universal license. The service-router service-monitor license-universal command is disabled by default.

To configure workload thresholds, do the following:

Step 1 Choose Devices > Devices > General Settings > Notification and Tracking > Service Monitor . The Service Monitor page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-41 for a description of the fields.

Table 4-41 Service Monitor Fields
Field	Description
CPU Settings
Enable	Allows the SR to collect CPU load information from the device.
Threshold	Value (as a percentage) that determines when the device is overloaded. The threshold determines the extent of CPU usage allowed. The range is from 1 to 100. The default is 80.
Sample Period	Time interval (in seconds) between two consecutive samples. The sample period is the time during which the device and the SR exchange keep-alive messages that contain the device load information. The range is from 1 to 60. The default is 1.
Number of Samples	Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2.
Disk Settings
Enable	Allows the SR to collect disk transaction information from the device.
Threshold	The threshold, as a percentage, determines the extent of disk usage allowed. The range is from 1 to 100. The default is 80.
Sample Period	Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 1.
Number of Samples	Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2.
Memory Settings
Enable	Allows the SR to collect memory usage information from the device.
Threshold	The threshold (in percent) determines the extent of memory usage allowed. The range is from 1 to 100. The default is 80.
Sample Period	Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 1.
Number of Samples	Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2.
KMemory Settings
Enable	Allows the SR to collect kernel memory usage information from the device.
Threshold	The threshold (in percent) determines the extent of kernel memory usage allowed. The range is from 1 to 100. The default is 50.
Sample Period	Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 1.
Number of Samples	Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2.
WMT Settings4
Enable	Allows the SR to collect Windows Media Streaming stream count information from the SE.
Threshold	Percentage of streams for which the SE has been either configured or licensed. The range is from 1 to 100. The default is 90.
Sample Period	Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 1.
Number of Samples	Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2.
FMS Settings¹
Enable	Allows the SR to collect Flash Media Streaming stream count information from the SE.
Threshold	Percentage of streams for which the SE has been either configured or licensed. The range is from 1 to 100. The default is 90.
Sample Period	Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 1.
Number of Samples	Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2.
Movie Streamer Settings¹ , 5
Enable	Allows the SR to collect stream count information from the SE.
Threshold	Percentage of streams for which the SE has been either configured or licensed. The range is from 1 to 100. The default is 90.
NIC Bandwidth Settings¹
Enable	Allows the SR to collect NIC bandwidth information from the SE.
Threshold	The threshold, as a percentage, determines the extent of NIC bandwidth usage allowed. The range is from 1 to 100. The default is 90.
Sample Period	Time interval (in seconds) between two consecutive samples. The range is from 1 to 60. The default is 3.
Number of Samples	Number of most recently sampled values used when calculating the average. The range is from 1 to 120. The default is 2.
Disk Failure Percentage
Threshold	Overall percentage of CDNFS disk failures. The range is from 1 to 100. The default is 75. When the percentage failed disks exceeds this threshold, no further requests are sent to this device. The Disk Failure Threshold is only for the CDNFS disks. Note When an alarm is received for a SYSTEM disk, it is immediately marked as a failed disk. It is not checked against the Disk Failure Threshold. The SR continues redirecting to the SE, unless all SYSTEM disks on the SE are marked as failed disks. If disks have both SYSTEM and CDNFS partitions, they are treated as only system disks, which means they are not included in the accounting of the CDNFS disk calculation.
Augmentation Alarms
Enable	Enables augmentation alarms. For more information, see the “Augmentation Alarms” section.
Threshold	The augmentation alarms threshold is a percentage, that applies to the CPU, memory, kernel memory, disk, disk fail count, NIC, and protocol engine usages. By default it is set to 80 percent. The threshold value range is 1–100. As an example of an augmentation alarm, if the threshold configured for CPU usage is 80 percent, and the augmentation threshold is set to 80 percent, then the augmentation alarm for CPU usage is raised when the CPU usage crosses 64 percent. If “A” represents the Service Monitor threshold configured, and “B” represents the augmentation threshold configured, then the threshold for raising an augmentation alarm = (A * B) / 100 percent. For more information, see the “Augmentation Alarm Example” section.
Transaction Logging
Enable	Enables Service Monitoring transaction logging. For more information, see the “Service Monitor Transaction Logs” section.

^4.Protocol engines and NIC bandwidth are only monitored on the SE. They are not monitored on the CDSM and SR.

^5.Sample period and number of samples are not required for Movie Streamer and Web Engine because these protocol engines do not support bandwidth-based threshold monitoring.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Augmentation Alarms

Augmentation alarms are soft alarms that send alerts before the threshold is reached. These alarms are applicable to all devices—Service Engines, Service Routers and CDSMs. Augmentation thresholds apply to device and protocol engine parameters.

A different augmentation alarm is supported for each of the device-level thresholds. Based on the device parameters monitored by Service Monitor, the following minor alarms could be raised for device-level thresholds:

CpuAugThreshold—Service Monitor CPU augmentation alarm.
MemAugThreshold—Service Monitor memory augmentation alarm.
KmemAugThreshold—Service Monitor kernel memory augmentation alarm.
DiskAugThreshold—Service Monitor disk augmentation alarm.
DiskFailCntAugThreshold—Service Monitor disk failure count augmentation alarm.
NicAugThreshold—Service Monitor NIC augmentation alarm.

Check the augmentation threshold, device-level threshold, and average load for the above alarm instance. Add more devices if necessary. A useful command is the show service-router service-monitor command. The augmentation alarms raised are displayed in the show alarms detail command. The alarms are cleared when the load goes below the augmentation threshold.

Note For system disks (disks that contain SYSTEM partitions), only when all system disks are bad is the diskfailure augmentation and threshold alarms raised. The diskfailcnt threshold does not apply to system disks. The threshold only applies to CDNFS disks, which is also the case for the augmentation thresholds. This is because the system disks use RAID1. There is a separate alarm for bad RAID. With the RAID system, if the critical primary disk fails, the other mirrored disk (mirroring only occurs for SYSTEM partitions) seamlessly continues operation. However, if the disk drive that is marked bad is a critical disk drive, the redundancy of the system disks for this device is affected. For more information on disk error handling and threshold recommendations, see the “Enabling Disk Error Handling” section.

As the show disk details command output reports, if disks have both SYSTEM and CDNFS partitions, they are treated as only system disks, which means they are not included in the accounting of the CDNFS disk calculation.

Note The NIC augmentation alarm is only applicable if the device is an SE.

Different augmentation alarm s are supported for each of the protocol engines, which only apply if the device is an SE. The following minor alarms could be raised for protocol-engine thresholds:

rtspgaugmentexceeded— RTSP gateway TPS has reached augmentation threshold limits
aug_memory_exceeded—Web Engine augmentation memory threshold exceeded
aug_session_exceeded—Web Engine has reached augmentation threshold for concurrent session
wmtaugmentexceeded—Windows Media Streaming has reached augmentation threshold limits
msaugmentexceeded—Movie Streamer has reached augmentation threshold limits
FmsAugThreshold—Flash Media Streaming has reached augmentation threshold limits
WebCalLookupAugThreshold—Web Engine has reached augmentation threshold for storage lookup
WebCalDiskWriteAugThreshold—Web Engine has reached augmentation threshold for storage disk write

Augmentation Alarm Example

Maximum concurrent connections have a default value of 200 and maximum bandwidth has a default value of 200 Mbps. The augmentation alarm is enabled through the Service Monitor and the augmentation threshold is configured at 80 percent (default). The default service threshold for Flash Media Streaming is 90 percent.

In this case, the augmentation alarm is raised for Flash Media Streaming when 0.8 * 0.9 * 200 = 144 connections or 144 Mbps of bandwidth is exceeded. The Service Router still redirects requests to this Service Engine. The alarm is cleared when the traffic falls below either of the thresholds; that is, 144 connections or 144 Mbps in this example.

Configuring SNMP

The Cisco CDS supports the following versions of SNMP:

Version 1 (SNMPv1)—A network management protocol that provides a means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security.
Version 2 (SNMPv2c)—The second version of SNMP, it supports centralized and distributed network management strategies, and includes improvements in the Structure of Management Information (SMI), protocol operations, management architecture, and security.
Version 3 (SNMPv3)—An interoperable standards-based protocol for network management. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network. The security features provided in SNMPv3 are:

– Message integrity—Ensuring that a packet has not been tampered with in-transit.

– Authentication—Determining the message is from a valid source.

– Encryption—Scrambling the contents of a packet prevent it from being seen by an unauthorized source.

SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet. Three security models are available: SNMPv1, SNMPv2c, and SNMPv3.

Table 4-42 identifies what the combinations of security models and levels mean.

Table 4-42 SNMP Security Models and Levels
Model	Level	Authentication	Encryption	Process
v1	noAuthNoPriv	Community String	No	Uses a community string match for authentication.
v2c	noAuthNoPriv	Community String	No	Uses a community string match for authentication.
v3	noAuthNoPriv	Username	No	Uses a username match for authentication.
v3	authNoPriv	MD5 or SHA	No	Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.
v3	authPriv	MD5 or SHA	DES	Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard.

The SNMPv3 agent can be used in the following modes:

noAuthNoPriv mode (that is, no security mechanisms turned on for packets)
AuthNoPriv mode (for packets that do not need to be encrypted using the privacy algorithm [DES 56])
AuthPriv mode (for packets that must be encrypted; privacy requires that authentication be performed on the packet)

Using SNMPv3, users can securely collect management information from their SNMP agents without worrying that the data has been tampered with. Also, confidential information, such as SNMP set packets that change a Content Engine’s configuration, can be encrypted to prevent their contents from being exposed on the wire. Also, the group-based administrative model allows different users to access the same SNMP agent with varying access privileges.

Note the following about SNMPv3 objects:

Each user belongs to a group.
Group defines the access policy for a set of users.
Access policy is what SNMP objects can be accessed for reading, writing, and creating.
Group determines the list of notifications its users can receive.
Group also defines the security model and security level for its users.

To configure the SNMP settings, do the following:

Step 1 Choose Devices > Devices > General Settings > Notification and Tracking > SNMP > General Settings . The SNMP General Settings page is displayed.

Step 2 Enable the settings as appropriate. See Table 4-43 for a description of the fields.

Table 4-43 SNMP General Settings Fields
Field	Description
Traps
Enable SNMP Settings	Enables the SNMP agent to transmit traps to the SNMP server.
Service Engine	Enables the Disk Fail trap, which is the disk failure error trap.
SNMP	Enables SNMP-specific traps: Authentication—Enables authentication trap. Cold Start—Enables cold start trap.
SE Alarm	Enables alarm traps: Raise Critical—Enables raise-critical alarm trap. Clear Critical—Enables clear-critical alarm trap. Raise Major—Enables raise-major alarm trap. Clear Major—Enables clear-major alarm trap. Raise Minor—Enables raise-minor alarm trap. Clear Minor—Enables clear-minor alarm trap.
Entity	Enables SNMP entity traps.
Config	Enables CiscoConfigManEvent error traps.
Miscellaneous Settings
Notify Inform	Enables the SNMP notify inform request.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Step 4 From the left-panel menu, click Community . The SNMP Community Table page is displayed.

The table is sortable by clicking the column headings. The maximum number of community strings that can be created is ten.

Step 5 Click the Create New icon in the task bar. The SNMP Community page is displayed.

Click the Edit icon next to the community name to edit a community setting.

Note Each community is associated with a group. Each group has a view and users are assigned to a group. If the group does not have a view associated with it, then users associated that group cannot access any MIB entry.

Step 6 Enter the settings as appropriate. See Table 4-44 for a description of the fields.

Table 4-44 SNMP Community Fields
Field	Description
Community	Community string used as a password for authentication when you access the SNMP agent of the device using SNMPv1 or SNMPv2. The “Community Name” field of any SNMP message sent to the device must match the community string defined here to be authenticated. You can enter a maximum of 64 characters in this field.
Group name/rw	Group to which the community string belongs. The Read/Write option allows a read or write group to be associated with this community string. The Read/Write option permits access to only a portion of the MIB subtree. Choose one of the following three options from the drop-down list: None —Choose this option if you do not want to specify a group name to be associated with the community string. Read/Write —Choose this option if you want to allow read-write access to the group associated with this community string. Group —Choose this option if you want to specify a group name.
Group Name	Name of the group to which the community string belongs. You can enter a maximum of 64 characters in this field. This field is available only if you have chosen the Group option in the Group name/rw field.

Step 7 Click Submit to save the settings.

To delete an SNMP community, click the Edit icon for the community, then click the Delete icon in the task bar.

Step 8 From the left-panel menu, click Group . The SNMP Group Table page is displayed.

The table is sortable by clicking the column headings. The maximum number of groups that can be created is ten.

Step 9 Click the Create New icon in the task bar. The SNMP Group page is displayed.

Click the Edit icon next to the Group Name to edit a group.

Step 10 Enter the settings as appropriate. See Table 4-45 for a description of the fields.

Table 4-45 SNMP Group Fields
Field	Description
Name	Name of the SNMP group. You can enter a maximum of 256 characters. A group defines a set of users belonging to a particular security model. A group defines the access rights for all the users belonging to it. Access rights define what SNMP objects can be read, written to, or created. In addition, the group defines what notifications a user is allowed to receive. An SNMP group is a collection of SNMP users that belong to a common SNMP list that defines an access policy, in which object identification numbers (OIDs) are both read-accessible and write-accessible. Users belonging to a particular SNMP group inherit all of the attributes defined by the group.
Sec Model	Security model for the group. Choose one of the following options from the drop-down list: v1 —Version 1 security model (SNMP Version 1 [noAuthNoPriv]). v2c —Version 2c security model (SNMP Version 2 [noAuthNoPriv]). v3-auth —User security level SNMP Version 3 (AuthNoPriv). v3-noauth —User security level SNMP Version 3 (noAuthNoPriv). v3-priv — User security level SNMP Version 3 (AuthPriv). The Sec Model you choose determines which of the following three security algorithms is used on each SNMP packet: noAuthNoPriv—Authenticates a packet by a string match of the username. AuthNoPriv—Authenticates a packet by using either the HMAC MD5 or SHA algorithms. AuthPriv—Authenticates a packet by using either the HMAC MD5 or SHA algorithms and encrypts the packet using the CBC-DES (DES-56) algorithm.
Read View	Name of the view (a maximum of 64 characters) that enables you only to view the contents of the agent. By default, no view is defined. To provide read access to users of the group, a view must be specified. A read view defines the list of object identifiers (OIDs) that are accessible for reading by users belonging to the group.
Write View	Name of the view (a maximum of 64 characters) that enables you to enter data and configure the contents of the agent. By default, no view is defined. A write view defines the list of object identifiers (OIDs) that are able to be created or modified by users of the group.
Notify View	Name of the view (a maximum of 64 characters) that enables you to specify a notify, inform, or trap. By default, no view is defined. A notify view defines the list of notifications that can be sent to each user in the group.

Step 11 Click Submit to save the settings.

To delete an SNMP group, click the Edit icon for the group, then click the Delete icon in the task bar.

Step 12 From the left-panel menu, click User . The SNMP User Table page is displayed.

The table is sortable by clicking the column headings. The maximum number of users that can be created is ten.

Step 13 Click the Create New icon in the task bar. The SNMP User page is displayed.

Click the Edit icon next to the username to edit a user.

Step 14 Enter the settings as appropriate. See Table 4-46 for a description of the fields.

Table 4-46 SNMP User Fields
Field	Description
Name	String representing the name of the user (256 characters maximum) who can access the device. An SNMP user is a person for which an SNMP management operation is performed.
Group	Name of the group (256 characters maximum) to which the user belongs.
Remote SNMP ID	Globally unique identifier for a remote SNMP entity. To send an SNMPv3 message to the device, at least one user with a remote SNMP ID must be configured on the device. The SNMP ID must be entered in octet string format. For example, if the IP address of a remote SNMP entity is 192.147.142.129, then the octet string would be 00:00:63:00:00:00:a1:c0:93:8e:81.
Authentication Algorithm	Authentication algorithm that ensures the integrity of SNMP packets during transmission. Choose one of the following three options from the drop-down list: No-auth —Requires no security mechanism to be turned on for SNMP packets. MD5 —Provides authentication based on the hash-based Message Authentication Code Message Digest 5 (HMAC-MD5) algorithm. SHA —Provides authentication based on the hash-based Message Authentication Code Secure Hash (HMAC-SHA) algorithm.
Authentication Password	String (256 characters maximum) that configures the user authentication (HMAC-MD5 or HMAC-SHA) password. The number of characters is adjusted to fit the display area if it exceeds the limit for display. This field is optional if the no-auth option is chosen for the authentication algorithm. Otherwise, this field must contain a value.
Confirmation Password	Authentication password for confirmation. The re-entered password must be the same as the one entered in the Authentication Password field.
Private Password	String (256 characters maximum) that configures the authentication (HMAC-MD5 or HMAC-SHA) parameters to enable the SNMP agent to receive packets from the SNMP host. The number of characters is adjusted to fit the display area if it exceeds the limit for display.
Confirmation Password	Private password for confirmation. The re-entered password must be the same as the one entered in the Private Password field.

Step 15 Click Submit to save the settings.

To delete an SNMP user, click the Edit icon for the user, then click the Delete icon in the task bar.

Step 16 To define a SNMPv2 MIB view, click View from the left-panel menu. The SNMP View Table page is displayed.

The table is sortable by clicking the column headings. The maximum number of SNMPv2 views that can be created is ten.

SNMP view—A mapping between SNMP objects and the access rights available for those objects. An object can have different access rights in each view. Access rights indicate whether the object is accessible by either a community string or a user.

Step 17 Click the Create New icon in the task bar. The SNMP View page is displayed.

Click the Edit icon next to the username to edit a view.

Step 18 Enter the settings as appropriate. See Table 4-47 for a description of the fields.

Table 4-47 SNMP View Fields
Field	Description
Name	String representing the name of this family of view subtrees (256 characters maximum). The family name must be a valid MIB name such as ENTITY-MIB.
Family	Object identifier (256 characters maximum) that identifies a subtree of the MIB.
View Type	View option that determines the inclusion or exclusion of the MIB family from the view. Choose one of the following two options from the drop-down list: Included —The MIB family is included in the view. Excluded —The MIB family is excluded from the view. Note When configuring an SNMP View with Excluded, the specified MIB that is excluded is not accessible for the community associated with the group that has that view.

Step 19 Click Submit to save the settings.

To delete an SNMP view, click the Edit icon for the view, then click the Delete icon in the task bar.

Step 20 From the left-panel menu, click Host . The SNMP Host Table page is displayed.

The table is sortable by clicking the column headings. The maximum number of hosts that can be created is four.

Step 21 Click the Create New icon in the task bar. The SNMP Host page is displayed.

Click the Edit icon next to the hostname to edit a host.

Step 22 Enter the settings as appropriate. See Table 4-48 for a description of the fields.

Table 4-48 SNMP Host Fields
Field	Description
Trap Host	Hostname or IP address an SNMP entity to which notifications (traps and informs) are to be sent.
Community/User	Name of the SNMP community or user (256 characters maximum) that is sent in SNMP trap messages from the device.
Authentication	Security model to use for sending notification to the recipient of an SNMP trap operation. Choose one of the following options from the drop-down list: No-auth —Sends notification without any security mechanism. v2c —Sends notification using Version 2c security. Model v3-auth —Sends notification using SNMP Version 3 (AuthNoPriv). Security Level v3-noauth —Sends notification using SNMP Version 3 (NoAuthNoPriv security). Level v3-priv —Sends notification using SNMP Version 3 (AuthPriv security).
Retry	Number of retries (1 to 10) allowed for the inform request. The default is 2.
Timeout	Timeout for the inform request in seconds (1 to 1000). The default is 15.

Step 23 Click Submit to save the settings.

To delete an SNMP host, click the Edit icon for the host, then click the Delete icon in the task bar.

Step 24 From the left-panel menu, click Asset Tag . The SNMP Asset Tag page is displayed.

Step 25 In the Asset Tag Name field, enter a name for the asset tag and click Submit .

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Step 26 From the left-panel menu, click Contact . The SNMP Contact page is displayed.

Step 27 In the Contact field, enter a name of the contact person for this device.

Step 28 In the Location field, enter a location of the contact person for this device.

Step 29 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Supported MIBs

The SNMP agent supports the following MIBs:

ENTITY-MIB (RFC 2037 Revision 199610310000Z))
MIB-II (RFC 1213)
HOST-RESOURCES-MIB (RFC 2790, hrSWInstalled and hrPrinterTable subgroups are not supported)
CISCO-ENTITY-ASSET-MIB
CISCO-CONFIG-MAN-MIB (Revision 9511280000Z)
CISCO-SERVICE-ENGINE-MIB (supports streaming media-related MIB objects)

ENTITY-MIB, MIB-II, and HOST-RESOURCES-MIB are public-available MIBs.

To download a copy of the CISCO-SERVICE-ENGINE-MIB, do the following:

Step 1 Choose System > CDS-IS Files > SNMP MIB. The CISCO_SERVICE-ENGINE-MIB.my is listed.

Step 2 Click one of the following links;

CISCO_SERVICE-ENGINE-MIB.my
CISCO_CDS_SERVICE_ROUTING_MIB.my

Your browser program displays a dialog box asking if you want to open or save the file.

Step 3 Choose the appropriate option; either open or save the file.

The CISCO-SERVICE-ENGINE-MIB is extended to incorporate MIB objects related to streaming. The WMT and Movie Streamer groups incorporate statistics about the WMT server or proxy, and Movie Streamer. The Flash Media Streaming group incorporates statistics about the Flash Media Streaming protocol engine. For each 64-bit counter MIB object, a 32-bit counter MIB object is implemented so that SNMP clients using SNMPv1 can retrieve data associated with 64-bit counter MIB objects. The MIB objects of each of these groups are read-only.

WMT MIB group provides statistics about WMT proxy and server performance. Twenty-eight MIB objects are implemented in this group. Six of these MIB objects are implemented as 64-bit counters.
Movie Streamer MIB group provides statistics about RTSP streaming engine performance. Seven MIB objects are implemented in this group. Two of these MIB objects are implemented as 64-bit counters.
Flash Media Streaming MIB group provides statistics about HTTP and RTMP streaming engine performance.

The CISCO_CDS_SERVICE_ROUTING_MIB.my provides some object identifiers (OIDs) for Service Router statistics. All the OIDs in the MIB are only for querying purposes; no traps have been added to this MIB. The Service Router MIB provides two groups, cdssrStatsGroup and cdssrServiceMonitorGroup, which contain OIDs for the statistics from the s how statistics service-router summary/dns/history/se/content-origin command and the show service-router service-monitor command.

Use the following link to access the CISCO-ENTITY-ASSET-MIB and the CISCO-CONFIG-MAN-MIB:

ftp://ftp.cisco.com/pub/mibs/v2/

Note If your browser is located behind a firewall or you are connecting to the Internet with a DSL modem and you are unable to access this file folder, you must change your web browser compatibility settings. In the Internet Explorer (IE) web browser, choose Tools > Internet Options > Advanced, and check the Use Passive FTP check box.

Enabling System Logs

Use the System Logs page to set specific parameters for the system log file (syslog). This file contains authentication entries, privilege level settings, and administrative details. System logging is always enabled. By default, the system log file is stored as /local1/syslog.txt.

To enable system logging, do the following:

Step 1 Choose Devices > Devices > General Settings > Notification and Tracking > System Logs . The System Log Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-49 for a description of the fields.

Table 4-49 System Logs Settings Fields
Field	Description
System Logs
Enable	Enables system logs.
Facility	Facility where the system log is sent.
Console Settings
Enable	Enable sending the system log to the console.
Priority	Severity level of the message that should be sent to the specified remote syslog host. The default priority is warning. The priorities are: Emergency—System is unusable. Alert—Immediate action needed. Critical—Critical condition. Error—Error conditions. Warning—Warning conditions. Notice—Normal but significant conditions. Information—Informational messages. Debug—Debugging messages.
Disk Settings
Enable	Enables saving the system logs to disk.
File Name	Path and filename where the system log file is stored on the disk. The default is /local1/syslog.txt.
Priority	Severity level of the message that should be sent to the specified remote syslog host.
Recycle	The maximum size of the system log file before it is recycled. The default is 10000000 bytes.
Host Settings
Enable	Enables sending the system log file to a host. You can configure up to four hosts.
Hostname	A hostname or IP address of a remote syslog host.
Priority	Severity level of the message that should be sent to the specified remote syslog host.
Port	The destination port on the remote host. The default is 514.
Rate Limit	The message rate per second. To limit bandwidth and other resource consumption, messages can be rate limited. If this limit is exceeded, the remote host drops the messages. There is no default rate limit, and by default all system log messages are sent to all syslog hosts.

Step 3 Click Submit to save the settings.

Multiple Hosts for System Logging

Each syslog host can receive different priority levels of syslog messages. Therefore, you can configure different syslog hosts with a different syslog message priority code to enable the device to send varying levels of syslog messages to the four external syslog hosts.

However, if you want to achieve syslog host redundancy or failover to a different syslog host, you must configure multiple syslog hosts on the device and assign the same priority code to each configured syslog host.

Configuring Troubleshooting

The Kernel Debugger troubleshooting page allows you to enable or disable access to the kernel debugger. Once enabled, the kernel debugger is automatically activated when kernel problems occur.

Note The “hardware watchdog” is enabled by default and automatically reboots a device that has stopped responding for over ten minutes. Enabling the kernel debugger disables the “hardware watchdog.”

If the device runs out of memory and kernel debugger (KDB) is enabled, the KDB is activated and dump information. If the KDB is disabled and the device runs out of memory, the syslog reports only dump information and reboots the device.

Enabling the Kernel Debugger

To enable the kernel debugger, do the following:

Step 1 Choose Devices > Devices > General Settings > Troubleshooting > Kernel Debugger . The Kernel Debugger window appears.

Step 2 To enable the kernel debugger, check the Enable check box, and click Submit .

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

For information about monitoring the SEs, see the “Device Monitoring” section.

Configuring Service Router Settings

The keep-alive interval is used by the SE to send keep-alive messages to the SR. If the SE is configured with more than one streaming interface (multi-port support on a CDE220-2S3i), the keepalives are sent for each streaming interface.

To configure the keep-alive interval the SE uses for messages to this SR, do the following:

Step 1 Choose Devices > Devices > General Settings > Service Routing Settings . The Service Routing Settings page is displayed.

Step 2 In the Keepalive-Interval field, enter the number of seconds the messages from the SR should be kept alive on this SE. The range is from 1 to 120. The default is 2.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring the Service Router

Configuring a Service Router (SR) consists of the following procedures:

For information on configuring the general settings, except last-resort routing and transaction logging, see the “General Settings” section.

Activating a Service Router

Activating an SR can be done through the Devices home page initially, or through the Device Activation page.

To activate an SR from the Device Activation page, do the following:

Step 1 Choose Devices > Devices . The Devices Table page is displayed.

Step 2 Click the Edit icon next to the SR you want to configure. The Devices home page is displayed.

Step 3 Click Show All to display the top-level menu options, and choose Device Activation . The Device Activation page is displayed.

Step 4 Enter the settings as appropriate. See Table 4-50 for a description of the fields.

Table 4-50 Service Router Activation Fields
Field	Description
Name	Name of the device.
Location	The Location drop-down list lists all the location configured for the CDS.
Activate	To activate or deactivate the device, check or uncheck the Activate check box. Alternatively, you can click the Deactivate Device icon in the task bar. When you uncheck the Activate check box and click Submit , the Replaceable check box is displayed. Check the Replaceable check box when you need to replace the device or recover lost registration information. For more information, see the “Recovering CDS Network Device Registration Information” section.
Server Offload	To offload this device for maintenance or a software upgrade, check the Server Offload check box. When checked, the Service Router stops processing client requests. When the SR is marked as inactive or is marked with server offload on the CDSM it stops responding to DNS queries. Instead, the SR sends a SERVFAIL error as the DNS response, and for RTSP/HTTP requests, the SR sends a 503 Service Unavailable message. To monitor the current activity on an SR during the Server Offload state, use the show interface command. If the packets received or packets sent is increasing then the SR is processing client requests. Note We recommend separating the management traffic from the client request traffic by using the port channel configuration, see the “Configuring Port Channel” section for more information. If management and client request traffic are separated, the show interface command for the client request port channel displays information on active sessions. If management and streaming traffic are not separated, the show interface command shows very low traffic; the packets received and packets sent are lower than a client request session. Once the SR has finished processing client requests, you can perform maintenance or upgrade the software on the device. For information about upgrading the software, see the “Upgrading the Software” section. The Status field on the Device Activation page and the Devices Table page displays “offloading” when Server Offload is checked. Once the software upgrade or maintenance is complete, you need to uncheck the Server Offload check box so that the device can again participate in the system.
Work Type	From the Work Type drop-down list, choose SR & Proximity Engine if you want to enable the Proximity Engine; otherwise, choose Service Router only . For more information, see the “Configuring the Proximity Server Settings” section.
Coverage Zone File	To have a local Coverage Zone file overwrite the CDS network-wide Coverage Zone file, choose a file from the Coverage Zone drop-down list. See the “Coverage Zone File Registration” section for information about creating and registering a Coverage Zone file. Otherwise, choose None .
Enable CDN Selector	To enable CDN Selector, check the Enable CDN Selector check box. Note CDN Selector is an early field trial (EFT) feature.
CDN Selector File	The CDN Selector File drop-down list is populated with the CDN Selector files that are registered to the CDSM. See the “CDN Selector File Registration” section for information on registering a CDN Selector file. The CDN Selector must be enabled on the SR. See Appendix E, “Creating CDN Selector Files” for information on creating a CDN Selector file. Note CDN Selector is an EFT feature.
Use SR’s primary IP address	Enables the CDSM to use the IP address on the primary interface of the SR for management communications. Note If the Use SR’s primary IP Address for Management Communication check box is checked and the Management Communication Address and Port are configured, the CDSM uses the SR’s primary IP address for communication. Note Do not check the Use SR’s primary IP Address for Management Communication check box if you want to separate management and streaming traffic. Instead, use the Management Communication Address and Port fields to specify where management traffic should be sent.
Management Communication Address	Manually configures a management IP address for the CDSM to communicate with the SR. Manual configuration of the management IP address and port are used when using port channel configuration to separate management and streaming traffic. For more information about port channel configuration see the “Configuring Port Channel and Load Balancing Settings” section and the “Configuring Port Channel” section.
Management Communication Port	Port number to enable communication between the CDSM and the SR.
Comments	Information about the settings.

Step 5 Click Submit to save the settings.

Configuring Routing Settings

The Routing Settings pages provide settings for the Request Routing Engine and the Proximity Engine. Configuring the Service Router engines consists of the following procedures:

The Service Router has two engines, the Request Routing Engine and the Proximity Engine.

The Proximity Engine contains the functionality of the Proximity Servers used for proximity-based routing. For more information, see the “Service Router” section.

Configuring Request Routing Settings

To configure the Request Routing Settings, do the following:

Step 1 Choose Devices > Devices > Routing Settings > Request Routing Settings > General Settings . The Request Routing Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-51 for a description of the fields.

Table 4-51 Request Routing Settings—General Settings Fields
Field	Description
Enable Location Based Routing	When location-based routing is enabled, the Service Router first looks up the client’s IP address in the Coverage Zone file. If there is no subnet in the Coverage Zone file that matches the client’s IP address, the client’s geographical location is compared to the geographical location of the Service Engines listed in the Coverage Zone file, and the closest and least-loaded Service Engine is selected. Geographically locating a client is used when users roam outside of their home networks.
Location Cache Timeout	Enter the timeout interval (in seconds) that a response from the Geo-Location server is stored in the SR cache. The SR caches information from the Geo-Location server during the first request so that further requests can be served from cache instead of contacting the Geo-Location server. The default is 691200. The range is 0 to 864000. If the Location Cache Timeout is 0, the response from the Geo-Location server is not cached in the SR.
Primary Geo-Location Server IP Address and Port	The IP address and port number of the primary Geo-Location Server for location-based routing and CDN Selector. For more information, see the “Geo-Location Servers” section.
Secondary Geo-Location Server IP Address and Port	The IP address and port number of the secondary Geo-Location Server.
Enable Content Based Routing	When enabled, the SR redirects requests based on the URI. Requests for the same URI are redirected to the same SE, provided the SE’s thresholds have not been exceeded. This optimizes disk usage in the CDS by storing only one copy of the content on one SE, instead of multiple copies on several SEs. For more information about content-based routing, see the “Content-Based Routing” section.
Number of Redundant Copies	Number of copies of a content to keep among SEs in a delivery service. The range is from 1 to 4. The default is 1. If redundancy is configured with more than one copy, multiple Service Engines are picked for a request with the same URI hash.
Enable Proximity Based Routing	When enabled, the SR contacts the Proximity Server with the client IP address and a list of SEs. The Proximity Server returns a list of SEs ordered by distance or metric, and provides a client subnet mask. The SR caches this information for this client. The SR redirects the client request to the SE selected, which is based on load, availability, and delivery service subscription. To configure a standalone Proximity Engine, see the Cisco Internet Streamer CDS 2.6 Command Reference . To configure a collocated Proximity Engine, see the “Configuring the Proximity Server Settings” section For more information, see the “Proximity-Based Routing” section.
Proximity Cache Timeout	The maximum number of seconds the proximity response from the Proximity Server is valid for a client subnet. After the Proximity Cache Timeout period has elapsed, any new request from the same client subnet causes the SR to query the Proximity server for a new proximity response. The proximity range is from 1 to 86400. The default is 1800. Proximity ratings for overlapping subnets are not cached.
Hostname [1-8]	The IP address of the Proximity Server. If you are using the collocated Proximity Engine as one of the Proximity Servers, enter 127.0.0.1 as the IP address. The selection of the Proximity Server is based on the lowest IP address. If there is only one Proximity Server, the SR uses that server. If another Proximity Server is configured with an IP address lower than the first one, the SR sends a request to the newly configured Proximity Server, and if it responds, the SR uses the new Proximity Server with the lower IP address. For more information on configuring the Proximity Engine, see the “Configuring the Proximity Server Settings” section

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Geo-Location Servers

The Geo-Location servers work with the following Internet Streamer CDS features:

Location-based routing
CDN Selector
Authorization Service

For location-based routing, the Geo-Location servers identifies the latitude and longitude of a client based on the IP address of the client. The Request Routing Engine compares the latitude and longitude of each Service Engine, which is defined in the Coverage Zone file, with the latitude and longitude of the client to assign a Service Engine that is geographically closest to the client. For more information on location-based routing, see the “Location-Based Routing” section and Appendix C, “Creating Coverage Zone Files.”

For CDN Selector, the Geo-Location server identifies the country of a client by the IP address of the client. The CDN Selector compares the client’s country with the countries defined in the CDN Selector file. If the client’s country matches a country specified in the CDN Selector file, then the translated URL associated with that CDN is used. If a match is not found, the default CDN and translated URL is used. The Service Router then sends a 307 redirect to the client with the translated URL for the selected third-party streaming service. For more information about CDN Selector, see Appendix E, “Creating CDN Selector Files.”

For Authorization Service, the Geo-Location servers identify the city, state, and country of the client based on the IP address of the client. The Authorization Service on the Service Engine compares the city, state, and country of the client with city, state, and country defined in the Authorization Service file. If a match is found, the client is either allowed or denied based on what is specified in the Authorization Service file. For more information about configuring the Authorization Service, see the “Configuring the Authorization Service” section.

Caching Geo-Location Server Information

The SR or SE caches the Geo-Location information returned from the Geo-Location servers and the device (SE or SR) queries their own cache first before contacting the Geo-Location servers. If the IP address of the client is found in the cache on the device, the look-up is performed using that information and the Geo-Location servers are not contacted.

For location-based routing, the SR caches up to 10,000 IP addresses. The IP addresses are discrete, which means they do not describe subnets. By default, the cached information expires after 8 days (691200 seconds). The time interval that the cache expires is configurable by setting the Location Cache Timeout field. If the cache is full, the entries are replaced according to the least recently used (LRU) mechanism.

For CDN Selector, the SR caches information on the country, state, and city of 10,000 clients. The cached information expires after 8 days. If the cache is full, the entries are replaced according to LRU mechanism.

For Authorization Service, the SE caches information on the country of 10,000 clients. The cached information expires after 8 days. If the cache is full, the entries are replaced according to the LRU mechanism.

Note Currently, there is no command to clear the Geo-location cache on the device.

Redundant Geo-Location Servers

The CDS offers the ability to configure primary and secondary Geo-Location servers. In the possible event that the primary server is not reachable, the secondary Geo-Location server is contacted. The secondary Geo-Location server is then used unless it becomes unreachable, in which case the primary Geo-Location server is contacted. The Geo-Location server configuration determines the time to wait before failing over to the other server. The default is 245 milliseconds.

For all features, location-based routing, CDN Selector, and Authorization Service, the cached client information on the CDS device is checked first before querying the Geo-Location servers.

For location-based routing, if both primary and secondary Geo-Location servers are down, the CDS uses the default route configured through the zero-IP based configuration in the Coverage Zone file. For more information, see the “Zero-IP Based Configuration” section.

For CDN Selector, if both primary and secondary Geo-Location servers are down, the CDS uses the default CDN configured in the CDN Selector file.

For Authorization Service, if both the primary and secondary Geo-Location servers are down, a request denied message is returned to the client. The type of message that is returned depends on the protocol engine (for example, the Flash Media Streaming engine sends “Denied by auth server”). However, the client receives the same denied message from the protocol engine whether the client is denied based on the Authorization Service configuration, or based on the Geo-Location servers being down and the client information not being available in the SE cache.

Communicating with the Geo-Location Servers

The CDS communicates with the Geo-Location servers by using a proprietary version of TCP. The port number used for communication is 7000 by default, but it can be changed as long as the Geo-Location servers and the Internet Streamer CDS devices are configured with the same port number.

Configuring IP-Based Redirection

IP-based redirection uses IP addresses to route client requests to the SR and on to the SE. For more information, see the “IP-Based Redirection” section.

Note The Web Engine does not support IP-based redirection.

To enable IP-based redirection, do the following:

Step 1 Choose Devices > Devices > Routing Settings > Request Routing Settings > IP-based Redirection . The IP-based Redirection page is displayed.

Step 2 Check the Enable IP-based Redirection check box and click Submit .

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring the Proximity Server Settings

The Proximity Server Settings are available when you choose the SR & Proximity Engine as the Work Type in the Device Activation page for the SR. See the “Activating a Service Router” section for more information. The Proximity Server Settings pages are only for a Proximity Engine that is collocated with the SR. To configure a standalone Proximity Engine, see the Cisco Internet Streamer CDS 2.6 Command Reference .

To include the Proximity Engine on the SR as one of the Proximity Servers, you must enable proximity-based routing and add 127.0.0.1 as one of the Proximity Servers. See the “Configuring Request Routing Settings” section for more information.

Note The Proximity Engine is only supported on the CDE205 platform.

For more information on the Proximity Engine, see the “Proximity Engine” section

The Proximity Server Settings for the Proximity Engine consists of the following pages:

General Settings—Enables the BGP proximity algorithms
IS-IS—Configures IS-IS adjacencies
OSPF—Configures the OSPF adjacencies
BGP—Configures the location community for the BGP community-based proximity
SRP—Configures Service Routing Protocol (SRP)

IGP and BGP protocol peering with the network routers are the basic building blocks for the proximity calculation. The peering with the routers is to learn the network topology and compute the best path for each prefix. Prefixes are deposited to the routing information base (RIB).

Note Although the Proximity Engine participates in both IGP and BGP with the routers, the routes that the Proximity Engine learns are purely for proximity computation only. Proximity Engine is not a router.

In order for the proximity function to work, at least one of the following is required:

Enabled link-state protocol, such as OSPF or IS-IS for IGP proximity, which is required if the Proximity Engine is going to peer with IGP routers.
Enabled policy routing protocol, such as BGP for best-path proximity and location-community proximity, which is required if the Proximity Engine is going to peer with BGP routers.

Note All BGP routes must resolve to IGP next hops or directly connected routes.

Note Only one IGP (IS-IS or OSPF) is supported for the Proximity Engine.

Enabling the BGP Proximity Algorithms

See the “BGP Proximity Algorithms” section for more information.

To enable the BGP community-based proximity, do the following:

Step 1 Choose Devices > Devices > Routing Settings > Proximity Server Settings > General Settings . The Proximity Routing General Settings page is displayed.

Step 2 To enable the BGP best-path proximity, check the Enable proximity algorithm BGP best-path check box.

Note The BGP best-path proximity algorithm requires the configuration of the BGP proximity settings. See the “Configuring the BGP Community-based Proximity Settings” section.

Step 3 To enable the BGP community-based proximity, check the Enable proximity algorithm BGP location-community check box, and from the Match mode drop-down list, select either Normal or Strict .

The Strict option instructs the Proximity Engine to return UINT-MAX as the proximity rating for PTAs that are not associated with the PSA by way of any location-community attribute. This setting is global and applies to all proximity requests. If PSA is BGP and has no community attributes, then all PTAs get UINT_MAX rating. If the PSA is IGP, then this setting does not apply and other proximity algorithms, BGP best-path and IGP metric, are used to rate the PTAs in the proximity request.

The Normal option retains the normal functioning of the BGP proximity algorithm.

Step 4 To enable the BGP redirect proximity, check the Enable proximity algorithm BGP redirect check box.

Note The redirect proximity algorithm requires the configuration of the BGP and the SRP proximity settings. See the “Configuring the BGP Community-based Proximity Settings” section and the “Configuring SRP” section for more information.

Step 5 Click Submit .

To remove the settings, click the Delete icon.

To restore the default settings, click the default settings icon.

Configuring the IS-IS Adjacencies

The Proximity IS-IS page allows the Proximity Engine to establish an adjacency with its directly connected neighbor and to receive the whole LSDB content. Protocol parameters, such as IS-type and IS network entity title (NET), vary according to network topology and deployment.

IS-IS is a link-state routing protocol for IGP. Its protocol stack runs directly on Layer 2. The main characteristic of the link-state protocols is that every node in the network contains an exact view of the routing topology. It has faster convergence than vector distance protocols. Each node in the network generates a Link State Packet (LSP) to describe its neighbors. The LSP is flooded throughout the network to every node. Reliability of the flooding is obtained by Complete Sequence Number Packet (CSNP) which is sent by the Designator Router (DR) periodically in the LAN. CSNP describes all the LSPs that the DR contains. The receiver of the CSNP can compare what it has against what is listed in the CSNP and requests the missing LSPs from the DR. Each node uses Dijkstra’s algorithm (shortest path first [SPF]) to compute the routes from the LSPs. Routes are then added into the routing information base (RIB).

Note Only one IGP (IS-IS or OSPF) is supported for the Proximity Engine.

To configure the IS-IS adjacencies, do the following:

Step 1 Choose Devices > Devices > Routing Settings > Proximity Server Settings > IS-IS > General Settings . The Proximity IS-IS page is displayed.

Step 2 To enable ISIS adjacencies, check the Enable check box and click Submit . The Create new Proximity IS-IS interface icon displays.

Step 3 Enter the settings as appropriate. See Table 4-52 for a description of the fields.

Table 4-52 Proximity IS-IS Fields
Field	Description
Network Entity	Enter the Network Entity (network entity title [NET]) for a Connectionless Network Service (CLNS). Under most circumstances, one and only one NET must be configured. A NET is a network service access point (NSAP) where the last byte is always zero and the length can be 8 to 20 bytes. The last byte is always the n-selector and must be zero. The six bytes directly in front of the n-selector are the system ID. The system ID length is a fixed size and cannot be changed. The system ID must be unique throughout each area (Level 1) and throughout the backbone (Level 2). All bytes in front of the system ID are the area ID. The area ID must match the area ID of the IS-IS router that the Proximity Engine is peering with. A NET must be configured to define the system ID and area ID.
Enable log-adjacency-changes	Check the Enable log-adjacency-changes check box to enable logging of changes to adjacency. When enabled, syslog messages are sent whenever an IS-IS neighbor goes up or down.
LSP MTU	Set the maximum transmission unit (MTU) size, in bytes, for link state packets (LSPs). The LSP MTU size describes the amount of information that can be recorded in a single LSP. The LSP MTU range is from 128 to 4352. If the LSP MTU is not configured, the default is used. The default is 1492.
IS-Type	From the IS-Type drop-down list, choose one of the following routing algorithms: level-1 —Level 1 is intra-area. The Proximity Engine learns only about destinations inside its area. level-1-2 —The Proximity Engine runs both Level 1 and Level two routing algorithms. For Level 1, it has one link state packet database (LSDB) for destinations inside the area (Level 1) and runs a shortest path first (SPF) calculation to discover the area topology. For Level 2, it also has another LSDB with link-state packets (LSPs) of all other backbone (Level 2) routers, and runs another SPF calculation to discover the topology of the backbone, and the existence of all other areas. level-2 —The Proximity Engine communicates with Level 2 (inter-area) routers only. The Proximity Engine is part of the backbone and does not communicate with Level 1-only routers in its own area. The default is level-1-2 .
Authentication Type [Level-1 or Level-2]	From the Authentication Type Level-1 drop-down list or the Authentication Type Level-2 drop-down list, choose one of the following authentication types for the corresponding level: None —Do not use MD-5 authentication cleartext —Do not encrypt the key md5 —Encrypt the key
Enable Authentication Check [Level-1 or Level-2]	To enable authentication check for Level 1, check the Enable Authentication Check Level-1 check box. To enable authentication check for Level 2, check the Enable Authentication Check Level-2 check box. When enabled, packets that do not have the proper authentication are discarded. When disabled, IS-IS adds authentication to the outgoing packets, but does not check authentication on incoming packets, which allows for enabling authentication without disrupting the network operation.
Authentication KeyChain [Level 1 or Level-2]	Specify the key chain to be used for the authentication for corresponding level. The key chain can be up to 64 alphanumeric characters.

Step 4 Click Submit . The Create new Proximity IS-IS Interface icon displays.

To delete the IS-IS configuration, click the Delete icon.

Step 5 To configure the proximity IS-IS interface, click the Create new Proximity IS-IS Interface icon. The Proximity IS-IS Interface page is displayed.

Step 6 From the Name drop-down list, choose an interface to configure for IS-IS. The number of available interfaces depends on the CDE.

Step 7 Enter the settings as appropriate. See Table 4-53 for a description of the fields.

Table 4-53 Proximity IS-IS Interface Fields
Field	Description
Enable IP IS-IS router	Check the Enable IP IS-IS router check box to enable IS-IS routing protocol on this interface.
IS-IS Priority for level-1	Enter the priority of this interface for IS-IS Level 1(intra-area) priority. The higher the priority value, the more likely a router becomes the designated router (DR) in the Level 1 area; therefore, because the Proximity Engine is not a router, make sure the priority level is such that it will not interfere with the election of the DR. The IS-IS Priority for level-1 range is from 0 to 127. The default is 64.
IS-IS Priority for level-2	Enter the priority of this interface for IS-IS Level 2 (inter-area) priority. The higher the priority value, the more likely a router becomes the designated router (DR) in the Level 2 area; therefore, because the Proximity Engine is not a router, make sure the priority level is such that it will not interfere with the election of the DR. The IS-IS Priority for level-2 range is from 0 to 127. The default is 64.
IS-IS Circuit Type	From the IS-IS Circuit Type drop-down list, choose one of the following adjacency levels: level-1 —For Level 1 adjacency level-1-2 —For Level 1 and Level 2 adjacency. level-2 —For Level 2 adjacency. The default is level-1-2 .
IS-IS Authentication Type [Level-1 or Level-2]	From the Authentication Type Level-1 drop-down list or the Authentication Type Level-2 drop-down list, choose one of the following authentication types for the corresponding level: None —Do not use MD-5 authentication cleartext —Do not encrypt the key md5 —Encrypt the key
Enable IS-IS Authentication Check [Level-1 or Level-2]	To enable authentication check for Level 1, check the Enable Authentication Check Level-1 check box. To enable authentication check for Level 2, check the Enable Authentication Check Level-2 check box. When enabled, packets that do not have the proper authentication are discarded. When disabled, IS-IS adds authentication to the outgoing packets, but does not check authentication on incoming packets, which allows for enabling authentication without disrupting the network operation.
IS-IS Authentication KeyChain [Level 1 or Level-2]	Specify the key chain to be used for the authentication for corresponding level. The key chain can be up to 64 alphanumeric characters.

Step 8 Click Submit .

To delete an IS-IS interface configuration, click the Edit icon for the interface, then click the Delete icon in the task bar.

Step 9 Repeat Step 5 through Step 8 for each IS-IS interface.

Step 10 To configure the MD-5 key chains for IS-IS, choose Devices > Devices > Routing Settings > Proximity Server Settings > IS-IS > MD5 Settings . The IS-IS Keychain page is displayed.

Step 11 Click the Create new KeyChain icon. The Creating New KeyChain page is displayed.

Step 12 In the Key ID field, enter the identifier for the keychain and click Submit . The page refreshes.

The Key ID is identifier for the multiple key IDs that can be configured for the key chain.

Step 13 Click the Create New KeyChain Key icon. The KeyChain Key page is displayed.

Step 14 In the Key ID field, enter the key ID. The range is from 0 to 65535.

Step 15 In the Key String field, enter the key string to be used for authentication. The key string can be up to 64 alphanumeric characters, except a space, single (‘) and double quotes (“), and the “|” symbol.

Configuring the OSPF Adjacencies

The Proximity OSPF page allows the Proximity Engine to establish an adjacency with its directly connected neighbor (router) to receive the whole LSDB content. Other OSPF settings depend on network topology, deployment and configuration of neighbor nodes.

OSPF is a link-state routing protocol for IGP. It runs on top of the IP protocol stack. Each node describes its neighbors in the link state advertisement (LSA) packets. The LSAs are flooded throughout the OSPF nodes. Each node uses shortest path first (SPF) to compute routes from the LSAs. The routes are then deposited into RIB.

Note Only one IGP (IS-IS or OSPF) is supported for the Proximity Engine.

To configure the OSPF adjacencies, do the following:

Step 1 Choose Devices > Devices > Routing Settings > Proximity Server Settings > OSPF . The Proximity OSPF page is displayed.

Step 2 To enable OSPF adjacencies, check the Enable check box and click Submit . The Create new icons for Proximity OSPF Network, Proximity OSPF Area, and Proximity OSPF Interface icons display.

To delete the OSPF configuration, click the Delete icon.

Step 3 Check the Enable log-adjacency-changes check box to enable logging changes to the adjacency and click Submit .

To delete the OSPF configuration, click the Delete icon.

Step 4 To configure the proximity OSPF network, click the Create new Proximity OSPF Network icon. The Proximity OSPF Network page is displayed.

Step 5 Enter the settings as appropriate. See Table 4-54 for a description of the fields.

Table 4-54 Proximity OSPF Network Fields
Field	Description
IP Prefix	IP address that is used in combination with the Network Mask to produce the IP prefix. The IP prefix is used to define the OSPF area and consists of a combination of the IP address and netmask.
Wildcard Mask	Network mask is used with the IP Prefix to define the area on this network. The mask contains wild card bits where 0 is a match and 1 is a "do not care" bit, for example, 0.0.255.255 indicates a match in the first two bytes of the network number.
Area ID	Identifier of the area for which IP prefix defines. The identifier can be specified as either a decimal value or an IP address. Valid entries are from 0 to 4294967295 or an IP address (A.B.C.D) can be used if you intend to associate areas with IP subnets. Each area is interface specific. For OSPF to operate on the OSPF interface, the primary address of the interface must be covered by the network area. The Proximity Engine sequentially evaluates the IP Prefix/ Network Mask pair for each interface as follows: 1. The Network Mask is logically ORed with the OSPF interface IP address. 2. The Network Mask is logically ORed with the IP Prefix . 3. The software compares the two resulting values. If they match, OSPF is enabled on the associated interface and the associated OSPF interface is attached to the OSPF area specified. There is no limit to the number of network areas that can be configured. Note An interface can only be associated to a single area. If the address ranges specified for different areas overlap, the software adopts the first area in the list and ignores the subsequent overlapping portions. In general, we recommend that you configure address ranges that do not overlap to avoid inadvertent conflicts. When a smaller OSPF network area is removed, the OSPF interfaces belonging to that network area are retained and remain active if a larger network area that encompasses those interfaces still exists. Interfaces that are part of a larger area are removed and become part of another area only if the other area is a smaller area (subset) of the larger area.

Step 6 Click Submit .

To delete an OSPF network configuration, click the Edit icon for the network, then click the Delete icon in the task bar.

Step 7 Repeat Step 4 through Step 6 for each OSPF network.

To delete an OSPF network, click the OSPF network to display the settings and click the Delete icon.

Step 8 To configure the proximity OSPF area, click the Create new Proximity OSPF Area icon. The Proximity OSPF Area page is displayed.

Step 9 Enter the settings as appropriate. See Table 4-55 for a description of the fields.

Table 4-55 Proximity OSPF Area Fields
Field	Description
Area ID	Enter an Area ID that was defined in the Proximity OSPF Network page.
Type	Choose one of the following area types: NSSA (not-so-stubby area)—For areas that include an autonomous system boundary router (ASBR) that generates type 7 LSAs and an area border router (ABR) that translates them into type 5 LSAs. . Stub—An area with only one OSPF router that does not contain an ASBR.

Step 10 Click Submit .

To delete an OSPF area configuration, click the Edit icon for the area, then click the Delete icon in the task bar.

Step 11 Repeat Step 8 through Step 10 for each OSPF area.

To delete an OSPF area, click the OSPF area to display the settings and click the Delete icon.

Step 12 To configure the proximity OSPF network, click the Create new Proximity OSPF Interface icon. The Proximity OSPF Interface page is displayed.

Step 13 From the Name drop-down list, choose an interface to configure for OSPF. The number of available interfaces depends on the CDE.

Step 14 In the OSPF Priority field, enter the OSPF priority. The range is 0 to 255. The default is 1.

The highest OSPF priority on a segment becomes the designated router (DR) for that segment. A priority value of zero indicates an interface which is not to be elected as DR or backup designated router (BDR).

Step 15 Click Submit .

To delete an OSPF interface configuration, click the Edit icon for the interface, then click the Delete icon in the task bar.

Step 16 Repeat Step 12 through Step 15 for each OSPF interface.

Configuring the BGP Community-based Proximity Settings

A BGP community is a group of prefixes that share some common property and can be configured with the BGP community attribute. The BGP community attribute is an optional transitive attribute of variable length. The attribute consists of a set of four octet values that specify a community. The community attribute values are encoded with an autonomous system (AS) number in the first two octets, with the remaining two octets defined by the AS. A prefix can have more than one community attribute. A BGP speaker that sees multiple community attributes in a prefix can act based on one, some, or all the attributes.

See the “BGP Proximity Algorithms” section for more information.

To configure the BGP community-based proximity settings, do the following:

Step 1 Choose Devices > Devices > Routing Settings > Proximity Server Settings > BGP . The Proximity BGP page is displayed.

Step 2 In the Local AS Number field, enter the autonomous system (AS) number that identifies the Proximity Engine and tags the routing information that is passed along.

AS numbers are globally unique numbers that are used to identify ASes, and which enable an AS to exchange exterior routing information between neighboring ASes. An AS is a connected group of IP networks that adhere to a single and clearly defined routing policy.

There are a limited number of available AS numbers. Therefore, it is important to determine which sites require unique AS numbers and which do not. Sites that do not require a unique AS number should use one or more of the AS numbers reserved for private use, which are in the range from 64512 to 65535.

Step 3 Check the Enable Log Neighbor Changes check box to enable logging of status changes (up, down, or resets) to BGP neighbors.

Use the show ip bgp neighbors command to view the status changes.

Step 4 Click Submit . The Create new icons for Location Community for BGP and Neighbor for BGP icons display.

To delete the BGP configuration, click the Delete icon.

Step 5 To configure a BGP location community, click the Create new Location Community for BGP . The BGP Location Community page is displayed.

Note The maximum number of location communities allowed for each SE is 128. The show running-config command displays the location communities in ascending order.

Step 6 In the Location Community field, enter the location community for the AS in one of the following formats:

The location community numbers are used within the network to locate prefix origination points. The configuration includes all community values that represent a location. The Location Community field entry could be in the form of a list of community numbers, for example, 100:3535, 100:4566, 100:5678, 100:5678, 100:6789. Or, the community numbers can be expressed as intervals, such as 100:3000-100:4000, 100:5000-100:6000, and so on.

Step 7 In the optional Target Community field, enter the target community you want to associate with the Location Community.

If Target Community field is left blank, it is the same as the Location Community. So, if the target community is not specified, the PSA and PTA must have a common community for the PTA to be considered in the preference and ranking.

In certain deployments it is advantageous to include certain PTAs even though the PTAs do not share any community attributes with the PSA. A common example is an SE in a city close to the client PC; in such case, the SE might not share any community attributes with the client PC, but should be preferred over another SE in a far-away city. The Target Community field provides a way to associate PSA and PTA community attributes with each other and to assign a preference level ( Weight ) to that association.

The Target Community values have the same format and restrictions as the Location Community field, which are the following:

Must match the pattern: <AS1>:<POP1>[-<AS2>:<POP2>]
AS1 and AS2 must be in the range 1–65535.
POP1 and POP2 must be in the range 0–65535.
AS2 should be greater than AS1, or POP2 should be greater than POP1 if AS2 equals to AS1.
New BGP community setting should make sure that target community and local community pair is unique and not existent.

Note Source community ranges are not allowed to overlap. A maximum of 240 unique specific source or range source community configurations can be entered. Each unique specific source or range source community can be associated with a maximum of 240 unique specific target or range target communities.

Step 8 In the optional Weight field, enter the weight to assigned to the location community. The default is 1. The range is from 1 to 7 with 7 being the best association (most preferred). An association weight of 0 implicitly means no association (least preferred)

The weight is considered in the proximity ranking algorithm. If PTA1 and PTA2 have at least one community in common as the PSA, then the weight assigned to the location community is considered. The larger the number, the more weight the community has. If PTA1 has a weight of 5 and PTA2 has a weight of 2, PTA1 is preferred over PTA2.

Step 9 Click Submit .

Step 10 To configure a BGP neighbor, click the Create new Neighbor for BGP . The BGP Neighbor page is displayed.

Step 11 Enter the settings as appropriate. See Table 4-56 for a description of the fields.

Table 4-56 BGP Neighbor Fields
Field	Description
IP Address	IP address of the neighbor.
Remote AS Number	AS number to which the neighbor belongs. The range is from 1 to 65535).
EBGP multihop TTL	Time-to-live value for the external BGP (eBGP) multihop scenarios. The range is from 2 to 255. The default is 1.
Keep Alive Interval	The keepalive interval, in seconds, for a BGP peer. The range is from 0 to 3600. The default is 60.
Hold Timer	The hold timer interval, in seconds, for a BGP peer. The range is from 0 to 3600. The default is 180.
Password	Enter the password to enable Message Digest 5 (MD-5) authentication on a TCP connection between the Proximity Engine and the BGP neighbor. The password is case sensitive and can be up to 79 characters. The first character cannot be a number. The string can contain any alphanumeric characters, including spaces. You cannot specify a password in the format number-space-anything. The space after the number can cause authentication to fail.

To delete an BGP neighbor configuration, click the Edit icon for the neighbor, then click the Delete icon in the task bar.

Step 12 Click Submit .

Step 13 Repeat Step 10 through Step 12 for each BGP neighbor.

To delete a BGP neighbor, click the BGP neighbor to display the settings and click the Delete icon.

Configuring SRP

Th e Service Routing Protocol (SRP) uses distributed hash table (DHT) technology to form a distributed network of Proximity Engines. For more information, see the “Service Routing Protocol” section.

Note SRP is required if the Redirect proximity algorithm is enabled. SRP is used to gather and store information about all the Proximity Engines that are available for redirection. See the “Configuring the BGP Community-based Proximity Settings” section for more information.

To configure SRP, do the following:

Step 1 Choose Devices > Devices > Routing Settings > Proximity Server Settings > SRP . The SRP page is displayed.

Step 2 To enable SRP, check the Enable check box and click Submit . The Create new Bootstrap for SRP icon displays.

Step 3 In the Domain field, enter a number that identifies the domain. The range is from 0 to 4294967295. The default is 0.

All Proximity Engines running SRP routing with the same domain ID form a single network if the nodes are found through a bootstrap node. By changing a Proximity Engine’s domain, the Proximity Engine leaves its current network.

We recommend that a domain ID value be configured for your DHT network so that all Proximity Engines that join this network share the same domain ID.

Step 4 In the Flooding Threshold field, enter the maximum number of subscribers to flood or send messages to. The range is from 0 to 65535. The default is 50.

SRP uses flooding to send multicast messages for a multicast group if the number of subscribers in the group is equal to or more than the value specified in Flooding Threshold . An effective threshold value may improve protocol message overhead. The threshold value depends on the number of nodes in your DHT network. In general, the threshold value should be greater than half and smaller than 3/4 of the total number of DHT nodes in the network.

Step 5 Click Submit .

To delete the SRP configuration, click the Delete icon.

Step 6 To configure a SRP bootstrap, click the Create new Bootstrap for SRP . The Bootstrap SRP page is displayed.

Step 7 In the Bootstrap IP address field, enter the IP address of the bootstrap node.

An IP address of a bootstrap node must be configured for each Proximity Engine before the Proximity Engine can join the network with others under the same domain ID. The first Proximity Engine in the network, which acts as the bootstrap node for others, does not need to configure its self as the bootstrap node; this is the only exception to configuring a bootstrap node. All other nodes must have the bootstrap node configured before they can join a DHT network. A maximum 25 bootstrap nodes are allowed per Proximity Engine. The port number for a bootstrap node is 9000.

Step 8 Click Submit .

Step 9 Repeat Step 6 through Step 8 for each bootstrap node.

To delete a bootstrap node, click the edit icon next to the IP address of the bootstrap node to display the settings and click the Delete icon.

Configuring Application Control

The Application Control pages allow you to enable Flash Media Streaming, to enable HTTP proxy on an SR, and to enable HTTP 302 redirection for Windows Media Technology files with an .asx extension.

To configure the application control for the SR, do the following:

Step 1

Choose Devices > Devices . The Devices Table page is displayed.

Step 2 Click the Edit icon next to the SR you want to configure. The Devices home page is displayed.

Step 3 Click Show All to display the top-level menu options, and choose Application Control .

Step 4 To enable Flash Media Streaming on the SR, choose Flash Media Streaming > General Settings . The Flash Media Streaming Settings page is displayed.

a. Check the Enable Flash Media Streaming check box.

b. Click Submit .

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Step 5 To enable service monitoring for Flash Media Streaming on the SR, choose Flash Media Streaming > Service Monitoring . The Service Monitoring Settings page is displayed.

a. Check the Enable Service Monitoring check box.

b. Click Submit .

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Step 6 To enable the HTTP 302 redirection for Windows Media Technology files with an .asx extension, do the following:

a. Choose Web > HTTP > HTTP Redirect . The HTTP Redirect Settings page is displayed.

b. Check the Enable HTTP 302 for .asx File check box.

c. Click Submit .

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring Last-Resort Routing

For information on configuring all general settings, except last-resort routing, see the “General Settings” section.

Note When DNS-based redirection is used, for application-level requests, last-resort redirection is supported. However, on the DNS plane, an A record with the last-resort domain name or IP address is not returned.

Last-resort routing is useful when all Service Engines have exceeded their thresholds or all Service Engines in the domain are offline, or the client is unknown. If last-resort routing is configured, the Service Router redirects requests to a configurable alternate domain when all Service Engines serving a client network region are unavailable, or the client is unknown. A client is considered unknown if the client’s IP address is not part of a subnet range listed in the Coverage Zone file or part of a defined geographical area (for location-based routing) listed in the Coverage Zone file.

For more information, see the “Last-Resort Routing” section.

Note If the last-resort domain is not configured and the Service Engine thresholds are exceeded, known client requests are redirected to the origin server and unknown clients either receive an error URL (if the Error Domain and Error Filename fields are configured), or a 404 “not found” message.

Unknown clients are only redirected to the alternate domain (last-resort domain) when the Allow Redirect All Client Request check box is checked or the equivalent service-router last-resort domain <RFQDN> allow all command is entered.

To configure last-resort routing, do the following:

Step 1

Choose Devices > Devices . The Devices Table page is displayed.

Step 2 Click the Edit icon next to the SR you want to configure. The Devices home page is displayed.

Step 3 Click Show All to display the top-level menu options, and choose General Settings > Last Resort . The Last Resort Table page is displayed.

The table is sortable by clicking the column headings.

Step 4 Click the Create New icon.

Click the Edit icon next to the domain name to edit a table entry.

Step 5 Enter the settings as appropriate. See Table 4-57 for a description of the fields.

Table 4-57 Service Router Last Resort Fields
Field	Description
Domain Name	The service routing fully-qualified domain name (RFQDN) (for example, srfqdn.cisco.com).
Allow Redirect All Client Request	Check the Allow Redirect All Client Request check box to redirect all unknown clients to the alternate domain or content origin. If the Allow Redirect All Client Request check box is not checked, unknown clients (clients’ subnets are not included in the Coverage Zone file) receive a 404 message if the error URL is not configured. If the error URL is configured, client requests are redirected to the Error URL. If the Allow Redirect All Client Request check box is checked, unknown client requests are redirected to the alternate domain; otherwise, they are redirected to the origin server.
Alternate Domain Name	The domain (for example, www.cisco.com) used to route requests to when the SEs are unavailable, or the client is unknown. A client is considered unknown if the client’s IP address is not part of a subnet range listed in the Coverage Zone file. If an Alternate Domain Name is not specified, requests for the domain entered in the Domain Name are routed to the origin server. The Alternate Domain Name could be a domain outside the CDS. It could be a third-party CDN or external server. No DNS lookup is performed by the SR to check the liveness of this domain.
Error Domain Name	To redirect the request to an error URL for any unknown clients or when all SEs in the delivery service are unavailable, enter the domain name of the URL. The Error Domain Name could be a domain outside the CDS. It could be a third-party CDN or external server. No DNS lookup is performed by the SR to check the liveness of this domain.
Error File Name	The filename of the error URL (for example, error.html or error/errorfile.flv). The error URL is made using the Error Domain Name plus the Error File Name. The Error File Name could be a filename with an extension (for example, error.html or errorfile.flv), or a directory and filename (for example, error/errorfile.flv or reroute/reroute.avi), or a filename without an extension. If no extension is specified, the extension is determined by the protocol used in the request. If a filename has a specific extension, and the request comes from a protocol that does not support the configured extension, the filename extension is automatically changed to an extension that is supported by the protocol. Note For Flash Media Streaming, an external FMS server must exist that hosts an application for error handling. The SR redirects Flash Media Streaming requests to an application on the external FMS server. An example of a Flash Media Streaming error URL is rtmp://errordomain.com/<application>, where the application name is any application hosted on that server. The Error File Name, in the case of Flash Media Streaming, is the name of the application.

Step 6 Click Submit to save the settings. The entry is added to the Last Resort Table.

To delete a last-resort configuration, click the Edit icon for the configuration, then click the Delete icon in the task bar.

As an example configuration for an error URL to redirect unknown clients to or to redirect clients to when all SEs in the delivery service are unavailable follows:

Domain Name—wmt.cdsordis.com
Error Domain Name—ssftorig.ssft.com
Error File Name—testMessage

This configuration states that for any request where the domain name is wmt.cdsordis.com, if the client IP address is not included in the Coverage Zone file (or the client is not part of a defined geographical area if location-based routing is enabled) or there are no available SEs assigned to the delivery service, redirect the request to ssforig.ssft.com/testMessage.< original_extension >.

To be more specific, if the client request was http://wmt.cdsordis.com/vod/video.wmv and the service rule conditions were met, the client would receive a 302 redirect to http://ssftorig.ssft.com/testMessage.wmv.

If you want the Error File Name to reside in a different directory, you can configure that as well. If the error message file was located in the “vod” directory, then the Error File Name would be configured as vod/testMessage.

Creating ASX Error Message Files for Windows Media Live Programs

There is one thing to remember when redirecting a client request for live Windows Media Streaming programs. Because live programs deliver an ASX file to the client, the error message must have the same format. If you try to use an HTML or JPEG instead of an ASX file, the redirect will not work because the Windows Media player is trying to parse the ASX file.

To satisfy the requirements of the Windows Media player, create an ASX file for the error message file and put the URL to the error message file inside the ASX file. For example, below is a simple ASX file.

</Entry> </ASX>

If you wanted the error file to be a GIF file on server 3.1.1.1 called testMessage.gif under the directory vod then this file would look like:

</Entry> </ASX>

There are other ways to use an ASX file to display information. Below is an example of an approach to have the Windows Media player display an HTML web page with PARM HTMLView.

</ENTRY> </REPEAT> </ASX>

There are many ways to format and structure ASX files to display whatever error message you want, in whatever format you want.

Configuring Domain Subscription

The Domain Subscription page allows you to subscribe the SR to specific domains. By default, the SR takes all the domains specified in the CDSM. By specifying the domains in the Domain Subscription page, the SR only subscribes to the assigned Content Origins.

Step 1

Choose Devices > Devices > General Settings > Domain Subscription . The Domain Subscription page displays all defined Content Origins of the CDS.

Step 2 Click the Assign icon (blue cross mark) next to the Content Origin you want to assign to this SE. Alternatively, click the Assign All Content Origins icon in the task bar.

A green arrow wrapped around the blue X indicates a Content Origin assignment is ready to be submitted. To unassign a Content Origin, click this icon. The Content Origin assignment states are described in Figure 4-15.

Figure 4-15 Content Origin Assignment State

Step 3 Click Submit to save the settings.

A green circle with a check mark indicates a Content Origin is assigned to this SR. To unassign the Content Origin, click this icon, or click the Remove All Content Origins icon in the task bar. Click Submit to save the changes.

Additionally, the Filter Table icon and View All Content Origins icon allow you to first filter a table and then view all content origins again.

Configuring Transaction Logs for the Service Router

Transaction logs allow administrators to view the traffic that has passed through the SR. The fields in the transaction log are the client’s IP address, the date and time when a request was made, the URL that was requested, the SE selected to serve the content, the protocol, and the status of the redirect. The SR transaction log file uses the W3C Common Log file format. For more information about transaction logs and their formats, see the “Service Router Transaction Log Fields” section.

To enable transaction logging for the SR, do the following:

Step 1 Choose Devices > Devices > General Settings > Notification and Tracking > Transaction Logging . The Transaction Log Settings page is displayed.

Step 2 Enter the settings as appropriate. See Table 4-58 for a description of the fields.

Table 4-58 Transaction Log Settings Fields
Field	Description
General Settings
Transaction Log Enable	Enables transaction logging.
Compress Files before Export	When this check box is checked, archived log files are compressed into gzip format before being exported to external FTP servers
Archive Settings
Max size of Archive File	Maximum size (in kilobytes) of the archive file to be maintained on the local disk. The range is from 1,000 to 2,000,000. The default is 500,000.
Max number of files to be archived	Maximum number of files to be maintained on the local disk. The range is from 1 to 10,000. The default is 10.
Archive occurs	How often the working log is archived and the data is cleared from the working log. Choose one of the following: Choose every to archive every so many seconds, and enter the number of seconds for the interval. The range is from 120 to 604800. Choose every hour to archive using intervals of one hour or less, and choose one of the following: – at —Specifies the minute in which each hourly archive occurs – every —Specifies the number of minutes for the interval (2, 5, 10, 15, 20, or 30) Choose every day to archive using intervals of one day or less, and choose one of the following: – at —Specifies the hour in which each daily archive occurs – every —Specifies the number of hours for the interval (1, 2, 3, 4, 6, 8, 12, 24) Choose every week on to archive at intervals of one or more times a week, choose the days of the week, and choose what time each day.
Export Settings
Enable Export	Enables exporting of the transaction log to an FTP server.
Export occurs	How often the working log is sent to the FTP server and the data is cleared from the working log. Choose one of the following: Choose every to export every so many minutes, and enter the number of minutes for the interval. The range is from 1 to 100800. Choose every hour to export using intervals of one hour or less, and choose one of the following: – at —Specifies the minute in which each hourly export occurs – every —Specifies the number of minutes for the interval (2, 5, 10, 15, 20, or 30) Choose every day to export using intervals of one day or less, and choose one of the following: – at —Specifies the hour in which each daily export occurs – every —Specifies the number of hours for the interval (1, 2, 3, 4, 6, 8, 12, 24) Choose every week on to export using intervals of one or more times a week, choose the days of the week, and what time each day.
FTP Export Server	IP address or hostname of the FTP server.
Name	Name of the user.
Password	Password for the user.
Confirm Password	Confirms the password for the user.
Directory	Name of the directory used to store the transaction logs on the FTP server.
SFTP	Check the SFTP check box, if you are using an SFTP server.

Step 3 Click Submit to save the settings.

To apply the factory default settings for the device, click the Apply Defaults icon in the task bar.

To remove the settings from the device, click the Remove Settings icon in the task bar.

Configuring the CDSM

Configuring a CDSM consists of the General Settings menu items. For information on configuring general settings, see the “General Settings” section.

Device activation is accomplished during installation and initialization of the CDS devices. See Cisco Content Delivery Engine 205/220/250/420 Hardware Installation Guide for more information.

The Device Activation page for the CDSM displays information about the management IP address and the role of the CDSM. To change the name of the CDSM, enter a new name in the Name field and click Submit .

For information about primary and standby CDSMs, see the “Configuring Primary and Standby CDSMs” section.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)