Cisco Content Services Switch

Basic Configuration Guide


Software Version 5.00
June, 2001

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

Text Part Number: 78-11424-03


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE
INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU
ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A
COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as
part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE
PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.

AccessPath, AtmDirector, Browse with Me, CCDE, CCIP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo,
Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Fast Step, Follow Me Browsing, FormShare, FrameShare,
GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the
Networkers logo, Packet, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and
WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, and
Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA,
CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Systems, Cisco Systems Capital, the Cisco Systems
logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar, PIX, Post-Routing,
Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its
affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply
a partnership relationship between Cisco and any other company. (0105R)

Cisco Content Services Switch Basic Configuration Guide


Copyright © 2001, Cisco Systems, Inc.
All rights reserved.
CONTENTS

About This Guide xxix


Audience xxx
How to Use This Guide xxx
Related Documentation xxxii
Symbols and Conventions xxxiii

CHAPTER 1 Logging in and Getting Started 1-1


Configuration Quick Start 1-3
Logging into the CSS 1-6
Changing the Administrative Username and Password 1-6
Restricting Modifications to the CSS User Database 1-7
Configuring Usernames and Passwords 1-8
Configuring an IP Address and Subnet Mask for the Ethernet Management Port 1-11
Configuring an IP Address 1-11
Configuring a Subnet Mask 1-12
Configuring an IP Route 1-12
Configuring Date, Time, and Time Zone 1-14
Configuring European Date 1-17
Synchronizing the CSS with an SNTP Server 1-17
Configuring the SNTP Server 1-18
Configuring the SNTP Poll-Interval 1-18
Showing SNTP Configuration Information 1-19
Configuring an FTP Record 1-20
Copying Files from an FTP Server 1-21
Rebooting the CSS 1-22
Shutting Down the CSS 1-22
Using the Offline Diagnostic Monitor Menu 1-22
Accessing the Offline Diagnostic Monitor Main Menu 1-23
Using the Boot Configuration Menu 1-25
Setting Primary Boot Configuration 1-27
Setting Secondary Boot Configuration 1-32
Setting IP Address, and Subnet Mask 1-37
Showing the Boot Configuration 1-38
Using the Advanced Options 1-39
Deleting a Software Version 1-39
Using the Security Options 1-40
Using the Disk Options 1-42
Enabling and Disabling Core Dumps 1-48
Showing Core Dumps 1-49
CSS Software Overview 1-50
Using the Running-Config and Startup-Config 1-53
Clearing the Running-Config and the Startup-Config 1-54
Showing the Running-Config 1-54
Showing the Startup-Config 1-57
Creating a Running-Config or Startup-Config Using a Text Editor 1-58
Archiving Files to the Archive Directory 1-59
Archiving a Log File 1-59
Archiving the Running-Config 1-60
Archiving Scripts 1-60
Archiving the Startup-Config 1-60
Clearing the Archive Directory 1-60
Restoring Files from the Archive Directory 1-61
Restoring an Archived Log File 1-61
Restoring an Archived Script File 1-62
Restoring an Archived Startup-Config 1-62
Copying Core Dumps to an FTP or TFTP Server 1-63
Copying Core Dumps to an FTP Server 1-63
Copying Core Dumps to a TFTP Server 1-64
Displaying CSS Configurations 1-64
Displaying Software Information 1-65
Displaying Hardware Information 1-65
Showing System Resources 1-68
Showing User Information 1-69
Showing Current Logins 1-70
Where to Go Next 1-71

CHAPTER 2 Configuring User Profiles and CSS Parameters 2-1


Configuring User Profiles 2-2
Configuring User Terminal Parameters 2-3
Configuring Terminal Idle 2-4
Configuring Terminal Length 2-4
Configuring Terminal More 2-5
Configuring Terminal Netmask-Format 2-5
Configuring Terminal Timeout 2-5
Using Expert Mode 2-6
Changing the CLI Prompt 2-7
Modifying the History Buffer 2-7
Displaying the History Buffer 2-7
Copying and Saving User Profiles 2-8
Copying the Running Profile to the Default-Profile 2-8
Copying the Running Profile to a User Profile 2-9
Copying the Running Profile to an FTP Server 2-9
Copying the Running Profile to a TFTP Server 2-9
Boot Configuration Mode Commands 2-10
Unpacking an ArrowPoint Distribution Image (ADI) 2-11
Removing an ArrowPoint Distribution Image (ADI) 2-11
Specifying the Primary BOOT Configuration 2-11
Configuring the Primary Boot-File 2-12
Configuring the Primary Boot-Type 2-12
Configuring the Primary Config-Path 2-13
Specifying the Secondary Boot Configuration 2-14
Specifying the Secondary Boot-File 2-14
Specifying the Secondary Boot-Type 2-15
Specifying the Secondary Config-Path 2-15
Configuring a Boot Configuration Record for the Passive SCM 2-16
Configuring the Passive SCM IP Address 2-17
Configuring the Passive SCM Primary Boot File 2-18
Configuring the Passive SCM Primary Boot Type 2-18
Configuring the Passive SCM Primary Configuration Path 2-19
Configuring the Passive SCM Secondary Boot File 2-19
Configuring the Passive SCM Secondary Boot Type 2-20
Configuring the Passive SCM Secondary Configuration Path 2-20
Configuring the Passive SCM Subnet Mask 2-21
Copying the Boot Configuration Record from the Active SCM to the Passive SCM 2-21
Showing the BOOT Configuration 2-22
Booting the CSS from a Network Drive 2-22
Configuring Network Boot for a Primary SCM 2-23
Configuring Network Boot for a Passive SCM 2-24
Showing Network Boot Configurations 2-25
Configuring Host Name 2-26
Configuring Idle Timeout 2-26
Configuring the CSS as a Client of a RADIUS Server 2-27
Configuring the CSS as a RADIUS Client 2-28
Specifying a Primary RADIUS Server 2-29
Specifying a Secondary RADIUS Server 2-30
Configuring the RADIUS Server Timeouts 2-31
Configuring the RADIUS Server Retransmits 2-31
Configuring the RADIUS Server Dead-Time 2-32
Showing RADIUS Server Configuration Information 2-32
Controlling Remote Access to the CSS 2-35
Restricting Console, FTP, SNMP, Telnet, XML, and Web Management Access to the CSS 2-37
Finding an IP Address 2-38
Configuring Flow Parameters 2-39
Configuring Permanent Connections for TCP Ports 2-39
Resetting Fast Ethernet and Gigabit Ethernet Ports 2-40
Reclaiming Reserved Telnet and FTP Control Ports 2-40
Showing Flow Statistics 2-41
Configuring Content API 2-42
Creating XML Code 2-42
XML Document Example 2-44
Controlling Access to the CSS HTTP Server 2-45
Parsing the XML Code 2-45
Publishing the XML Code to the CSS 2-45
Testing the Output of the XML Code 2-46
Configuring the Command Scheduler 2-47
Showing Configured Command Scheduler Records 2-49
Where to Go Next 2-50

CHAPTER 3 Configuring CSS Network Protocols 3-1


Configuring Domain Name Service 3-2
Specifying a Primary DNS Server 3-2
Using DNS Resolve 3-3
Specifying a Secondary DNS Server 3-3
Specifying a DNS Suffix 3-4
Specifying UDP Traffic on the DNS Server Port 3-4
Configuring Address Resolution Protocol 3-5
Configuring ARP 3-5
Configuring ARP Timeout 3-6
Configuring ARP Wait 3-7
Updating ARP Parameters 3-7
Clearing ARP Parameters 3-7
Showing ARP Information 3-8
Configuring Routing Information Protocol 3-10
Configuring RIP Advertise 3-10
Configuring RIP Redistribute 3-11
Configuring RIP Equal-Cost 3-11
Showing RIP Configurations 3-12
Configuring Internet Protocol 3-14
Configuring IP Record-Route 3-14
Configuring IP Redundancy 3-15
Configuring IP ECMP 3-15
Configuring an IP Route 3-16
Configuring IP Source-Route 3-19
Disabling an Implicit Service for Static Route Next Hop 3-19
Configuring IP Subnet-Broadcast 3-20
Showing IP Information 3-21
Showing IP Config 3-21
Showing IP Interfaces 3-22
Showing IP Routes 3-23
Showing IP Statistics 3-25
Showing IP Summary 3-28
Configuring Bridging for the CSS 3-29
Configuring Bridge Aging-Time 3-29
Configuring Bridge Forward-Time 3-29
Configuring Bridge Hello-Time 3-30
Configuring Bridge Max-Age 3-30
Configuring Bridge Priority for the CSS 3-31
Enabling and Disabling Bridge Spanning-Tree 3-31
Showing Bridge Configurations 3-32
Configuring Secure Shell Daemon 3-34
Configuring SSHD Keepalive 3-35
Configuring SSHD Port 3-35
Configuring SSHD Server-Keybits 3-36
Disabling and Enabling Telnet Access when using SSHD 3-36
Showing SSHD Configurations 3-37
Configuring Opportunistic Layer 3 Forwarding 3-37
Where to Go Next 3-39

CHAPTER 4 Configuring Interfaces and Circuits 4-1


Interface and Circuit Overview 4-1
Interface and Circuit Configuration Quick Start 4-4
Configuring Interfaces 4-6
Configuring an Interface 4-6
Entering a Description for the Interface 4-7
Configuring Interface Duplex and Speed 4-7
Setting the Interface Maximum Idle Time 4-9
Showing Interface Duplex and Speed 4-9
Bridging an Interface to a VLAN 4-10
Configuring Bridge Pathcost 4-11
Configuring Bridge Priority 4-11
Configuring Bridge State 4-12
Specifying VLAN Trunking to an Interface 4-12

Selecting a Default VLAN in a Trunk 4-14


Configuring Bridge Pathcost for a Trunked Interface/VLAN Pair 4-14
Configuring Bridge Priority for a Trunked Interface/VLAN Pair 4-15
Configuring Bridge State for a Trunked Interface/VLAN Pair 4-15
Configuring the Low-Water Mark of Flow Control Blocks on an Interface 4-15
Smoothing Bursty Network Traffic on the CSS 11800 Gigabit Ethernet Module 4-16
Showing Bridge Configurations 4-17
Showing Trunking Configurations 4-19
Showing Interfaces 4-19
Showing Interface Statistics 4-20
Showing Ethernet Interface Errors 4-23
Shutting Down an Interface 4-25
Restarting the Interface 4-25
Shutting Down All Interfaces 4-25
Restarting All Interfaces 4-26
Configuring Circuits 4-26
Configuring Router-Discovery Lifetime 4-27
Configuring Router-Discovery Limited-Broadcast 4-27
Configuring Router-Discovery Max-Advertisement-Interval 4-28
Configuring Router-Discovery Min-Advertisement-Interval 4-28
Showing Circuits 4-28
Configuring a Circuit IP Interface 4-30
Configuring a Circuit IP Address 4-30
Configuring a Circuit-IP Broadcast Address 4-31
Configuring Circuit-IP Redirects 4-31
Configuring Circuit-IP Unreachables 4-32
Enabling Router-Discovery 4-32
Configuring Router-Discovery Preference 4-32
Enabling a Circuit IP 4-33
Disabling a Circuit IP 4-33
Showing IP Interfaces 4-33
Configuring RIP for an IP Interface 4-35
Configuring RIP Default-Route 4-35
Configuring RIP Receive 4-36
Configuring RIP Send 4-36
Configuring RIP Packet Logging 4-37
Showing RIP Configurations 4-37
Where to Go Next 4-39

CHAPTER 5 Configuring Services 5-1


Service, Owner, and Content Rule Overview 5-2
Service Configuration Quick Start 5-4
Service Load Overview 5-5
Using ArrowPoint Content Awareness Based on Server Load and Weight 5-7
Using ACA Based on Server Load 5-7
Using ACA Based on Server Weight and Load 5-8
Configuring Load for Services 5-9
Configuring Global Load Step 5-9
Configuring Global Load Threshold 5-10
Configuring Global Load Reporting 5-11
Configuring Load Tear Down Timer 5-11
Configuring Load Ageout Timer 5-12
Showing Global Service Loads 5-13
Global Keepalive Mode 5-15
Creating a Global Keepalive 5-16
Activating a Global Keepalive Active 5-17
Configuring a Global Keepalive Description 5-17
Configuring a Global Keepalive Frequency 5-17
Configuring a Global Keepalive IP Address 5-18
Configuring a Global Keepalive Max Failure 5-18
Configuring a Global Keepalive Method 5-19
Configuring a Global Keepalive Port 5-19
Configuring a Global Keepalive Retryperiod 5-20
Deactivating a Global Keepalive 5-20
Configuring a Global Keepalive Type 5-21
Configuring a Global Keepalive URI 5-22
Associating a Service with a Global Keepalive 5-22
Configuring Global Keepalive Hash 5-23
Showing Global Keepalive Configurations 5-24
Script Keepalives 5-27
Script Keepalive Considerations 5-28
Configuring Script Keepalives 5-29
Viewing a Script Keepalive in a Service 5-30
Script Keepalive Status Codes 5-31
Script Keepalives and Upgrading WebNS Software 5-31
Creating Services 5-32
Configuring Services 5-33
Assigning an IP Address to the Service 5-34
Specifying a Port 5-35
Specifying a Protocol 5-35
Specifying a Domain Name 5-36
Configuring an Advanced Load Balancing String 5-37
Configuring a Service HTTP Cookie 5-37
Configuring Weight 5-38
Specifying a Service Type 5-39
How the CSS Accesses Server Types 5-40
Configuring Service Access 5-41
Configuring Service Cache Bypass 5-41
Configuring Network Address Translation for Transparent Caches 5-42
Configuring a Service to Bypass a Cache Farm 5-43
Configuring Keepalives for a Service 5-43
Configuring Keepalive Frequency 5-45
Configuring Keepalive Maxfailure 5-46
Configuring Keepalive Method 5-46
Configuring Keepalive Port 5-47
Configuring Keepalive Retryperiod 5-47
Configuring Keepalive Type 5-47
Configuring Keepalive URI 5-49
Configuring Keepalive Hash 5-49
Showing Keepalive Configurations 5-51
Configuring Maximum TCP Connections 5-52
Activating a Service 5-52
Suspending a Service 5-52
Removing a Service 5-53
Removing a Service From a Content Rule 5-53
Removing a Service From a Source Group 5-53
Showing Service Configurations 5-54
Where to Go Next 5-58

CHAPTER 6 Configuring Owners 6-1


Owner Configuration Quick Start 6-2
Creating an Owner 6-2
Configuring an Owner DNS Balance Type 6-3
Specifying Owner Address 6-4
Specifying Owner Billing Information 6-4
Specifying Case 6-5
Specifying Owner DNS Type 6-5
Specifying Owner Email Address 6-6
Removing an Owner 6-6
Showing Owner Information 6-6
Showing Owner Summary 6-7
Where to Go Next 6-9

CHAPTER 7 Configuring Content Rules 7-1


Service, Owner, and Content Rule Overview 7-2
Content Rule Configuration Quick Start 7-5
Naming and Assigning a Content Rule to an Owner 7-6
Configuring a Virtual IP Address 7-7
Configuring a Domain Name Content Rule 7-10
Disabling a Domain Name System in a Content Rule 7-11
Matching Content Rules on Multiple Domain Names 7-12
Configuring a Content Rule using a Domain Name and a Virtual IP Address 7-13
Using Wildcards in Domain Name Content Rules 7-15
General Guidelines for Domain Name Wildcards in Content Rules 7-16
Adding Services to a Content Rule 7-17
Adding a Service to a Content Rule 7-18
Specifying a Service Weight 7-18
Adding a Primary Sorry Server to a Content Rule 7-19
Adding a Secondary Sorry Server to a Content Rule 7-20
Adding a Domain Name System to a Content Rule 7-20
Activating a Content Rule 7-21
Suspending a Content Rule 7-21
Removing a Content Rule 7-22
Removing a Service from a Content Rule 7-22
Configuring a Protocol 7-23
Configuring Port Information 7-23
Configuring Load Balancing 7-24
Configuring a DNS Balance Type 7-26
Configuring Hotlists 7-27
Configuring a Domain Hotlist 7-29
Specifying a Uniform Resource Locator 7-30
Specifying an Extension Qualifier List in a Uniform Resource Locator 7-32
Specifying a Load Threshold 7-33
Redirecting Requests for Content 7-33
Configuring Persistence, Remapping, and Redirection 7-34
Content Rule Persistence 7-35
Configuring Bypass Persistence 7-36
Configuring HTTP Redirection and Service Remapping 7-37
Specifying an HTTP Redirect String 7-38
Using Show Remap 7-40
Defining Failover 7-41
Specifying an Application Type 7-44
Enabling Content Requests to Bypass Transparent Caches 7-46
Showing Content 7-47
Showing Content Rules 7-48

CHAPTER 8 Using the CSS Logging Features 8-1


Logging Overview 8-2
Logging Quick Start Table 8-4
Specifying Logging Buffer Size 8-6
Specifying Log File Destination 8-6
Specifying Disk for a Log File Destination 8-6
Disabling Logging to Disk 8-7
Specifying Host for a Log File Destination 8-7
Specifying a Line for a Log File Destination 8-8
Enabling Logging on a Subsystem 8-8
Disabling Logging for a Subsystem 8-11
Configuring a Log Message for a Subsystem at a Logging Level 8-11
Logging ACL Activity 8-13
Sending Log Messages to an Email Address 8-14
Logging CLI Commands 8-14
Showing Log Files 8-15
Showing Log Activity 8-15
Showing Log Lists 8-17
Showing Log State 8-17
Copying Log Files to an FTP or TFTP Server 8-19
Copying Log Files to an FTP Server 8-19
Copying Log Files to a TFTP Server 8-20

CHAPTER 9 Configuring Simple Network Management Protocol (SNMP) 9-1


SNMP Overview 9-2
Managers and Agents 9-3
Manager/Agent Communication 9-3
Management Information Base (MIB) 9-5
MIB Variables 9-5
MIB Extensions (Enterprise MIBs) 9-7
SNMP Communities 9-7
Configuring SNMP on the CSS 9-8
Controlling SNMP Access to the CSS 9-8
Planning Your SNMP Configuration 9-9
Defining the CSS as an SNMP Agent 9-10
Configuring an SNMP Community 9-12
Configuring an SNMP Contact 9-12
Configuring an SNMP Location 9-13
Configuring an SNMP Name 9-13
Configuring SNMP Generic Traps 9-14
Configuring an SNMP Trap-Host 9-14
Configuring SNMP Auth-Traps 9-15
Configuring SNMP Enterprise Traps 9-15
Configuring SNMP Reload-Enable 9-16
Configuring Denial of Service (DoS) 9-17
Defining a DoS SNMP Trap-Type 9-18
Displaying the SNMP Configuration 9-21
Managing SNMP on the CSS 9-22
Enabling SNMP Manager Access to the CSS 9-22
Using the CSS to Look Up MIB Objects 9-22
Useful MIB Statistics 9-24
Reading Logs 9-25
Setting Alarms 9-25
CSS MIBs 9-26

CHAPTER 10 Configuring Remote Monitoring (RMON) 10-1


RMON Overview 10-2
RMON Configuration Considerations 10-3
Configuring an RMON Event 10-4
Creating a Configuration Identifier for an RMON Event 10-5
Modifying the Attributes for an Existing RMON Event Configuration Identifier 10-6
Deleting an RMON Event Configuration Identifier 10-6
Setting the RMON Event Attributes 10-7
Defining an Event Community 10-7
Describing an Event 10-7
Assigning an Owner 10-8
Defining the Notification of an Event 10-8
Activating the Event 10-9
Configuring an RMON Alarm 10-9
RMON Alarm Configuration Quick Start 10-11
Creating a Configuration Identifier for an RMON Alarm 10-12
Modifying Attributes for an Existing RMON Alarm Configuration Identifier 10-13
Deleting an RMON Alarm Configuration Identifier 10-13
Setting the RMON Alarm Attributes 10-14
Assigning an Owner 10-14
Finding and Defining a Sample Variable 10-15
Defining an Absolute or Delta Sampling 10-16
Defining a Rising Threshold and Index 10-16
Defining a Falling Threshold and Index 10-17
Defining a Startup Alarm 10-18
Defining the Sampling Interval 10-18
Activating an Alarm 10-19
Configuring an RMON History 10-19
Creating a Configuration Identifier for an RMON History 10-20
Modifying the Attributes for an Existing RMON History Configuration Identifier 10-21
Deleting an RMON History Configuration Identifier 10-22
Setting the RMON History Attributes 10-22
Defining the Data Object 10-23
Assigning an Owner 10-23
Defining the Bucket Count 10-23
Defining the Bucket Interval 10-24
Activating an RMON History Entry 10-24
Viewing RMON Information 10-25
Viewing Statistics 10-25
Clearing RMON Statistics 10-29
Viewing History 10-30
Viewing Events in a Log File 10-32
Viewing a Traplog File 10-32
Viewing a CSS Disk Log File 10-33
RMON Configuration in a Startup-Config File 10-34

APPENDIX A Upgrading Your CSS Software A-1


Before You Begin A-1
Copying the New CSS Software A-1
Configuring an FTP Server Record on the CSS A-2
Upgrading your CSS A-3
Using the Upgrade Script A-3
Automatically Running the Upgrade Script A-3
Interactively Using the Upgrade Script A-5
Manually Upgrading the CSS A-8
Copying Custom Scripts A-10

INDEX

FIGURES

Figure 1-1 CSS Directory Access Privileges 1-10

Figure 1-2 Boot Configuration Flowchart 1-25

Figure 3-1 Opportunistic Layer 3 Forwarding Example 3-38

Figure 4-1 Content Services Switch Interfaces and Circuits 4-3

Figure 4-2 Interface Trunking Between VLANs 4-3

Figure 5-1 Services, Owners, and Content Rules Concepts 5-3

Figure 5-2 Load Calculation Example with Three Servers 5-6

Figure 7-1 Services, Owners, and Content Rules Concepts 7-4

Figure 7-2 Example of Configuring a Virtual IP Address 7-10

Figure 7-3 ServerB Configured for Failover Next 7-42

Figure 7-4 ServerC Configured for Failover Next 7-43

Figure 7-5 Suspended or Failed Service Configured for Failover Linear 7-43

Figure 7-6 Removing a Service Configured for Failover Linear 7-44

Figure 9-1 SNMP Manager/Agent Interaction 9-4


Figure 9-2 Top of the MIB Tree 9-6

Figure 10-1 Supported RMON Functions on the CSS 10-2


Figure 10-2 Example of Absolute Sampling 10-10

Figure 10-3 Example of Delta Sampling 10-10

TABLES

Table 1-1 Configuration Quick Start 1-3

Table 1-2 Field Descriptions for the show clock Command 1-16

Table 1-3 Field Descriptions for the show sntp global Command 1-19

Table 1-4 Offline Diagnostic Monitor Menu Options 1-24

Table 1-5 Boot Configuration Options 1-26

Table 1-6 Field Descriptions for the show disk Command 1-52

Table 1-7 Field Descriptions for the show chassis Command 1-66

Table 1-8 Field Descriptions for the show system-resources Command 1-68

Table 1-9 Field Descriptions for the show user-database Command 1-69

Table 1-10 Field Descriptions for the show lines Command 1-71

Table 2-1 Field Descriptions for the show radius config Command 2-33

Table 2-2 Field Descriptions for the show radius stat Command 2-34

Table 2-3 Field Descriptions for the show cmd-sched Command 2-49

Table 3-1 Field Descriptions for the show arp Command 3-8
Table 3-2 Field Descriptions for the show arp config Command 3-9

Table 3-3 Field Descriptions for the show rip Command 3-12
Table 3-4 Field Descriptions for the show rip globals Command 3-13

Table 3-5 Field Descriptions for the show rip statistics Command 3-13

Table 3-6 Field Descriptions for the show ip config Command 3-21

Table 3-7 Field Descriptions for the show ip interfaces Command 3-22

Table 3-8 Field Descriptions for the show ip routes Command 3-24

Table 3-9 Field Descriptions for the show ip statistics Command 3-25

Table 3-10 Field Descriptions for the show ip summary Command 3-28

Table 3-11 Field Descriptions for the show bridge forwarding Command 3-32

Table 3-12 Field Descriptions for the show bridge status Command 3-32

Table 3-13 Field Descriptions for the show sshd config Command 3-37

Table 4-1 Interface and Circuit Configuration Quick Start 4-4

Table 4-2 Field Descriptions for the show phy Command 4-9

Table 4-3 Field Descriptions for the show bridge forwarding Command 4-17

Table 4-4 Field Descriptions for the show bridge status Command 4-18

Table 4-5 Field Description for the show trunk Command 4-19

Table 4-6 Field Descriptions for the show interface Command 4-20

Table 4-7 Field Descriptions for the show mibii Command 4-21

Table 4-8 Field Descriptions for the show ether-errors Command 4-23

Table 4-9 Field Descriptions for the show circuits Command 4-29

Table 4-10 Field Descriptions for the show ip interfaces Command 4-34

Table 4-11 Field Descriptions for the show rip Command 4-38

Table 4-12 Field Descriptions for the show rip globals Command 4-39

Table 4-13 Field Descriptions for the show rip statistics Command 4-39

Table 5-1 Service Configuration Quick Start 5-4

Table 5-2 Field Descriptions for the show load Command 5-13
Table 5-3 Field Descriptions for the show keepalive Command 5-26

Table 5-4 Field Descriptions for the show service Command 5-55
Table 6-1 Owner Configuration Quick Start 6-2

Table 6-2 Field Descriptions for the show owner Command 6-6

Table 6-3 Field Descriptions for the show summary Command 6-8

Table 7-1 Content Rule Configuration Quick Start 7-5

Table 7-2 Field Descriptions for the show domain hotlist Command 7-28

Table 7-3 Field Descriptions for the show remap Command 7-40

Table 7-4 Field Descriptions for the show content Command 7-48

Table 7-5 Field Descriptions for the show rule Command 7-49

Table 8-1 CSS Log File Descriptions 8-2

Table 8-2 Configuring and Enabling Logging 8-4

Table 8-3 Logging Subsystems 8-9

Table 8-4 Subsystem Logging Levels 8-10

Table 8-5 Field Descriptions for the show log-state Command 8-17

Table 9-1 Quick Start for Defining the CSS as an SNMP Agent 9-10

Table 9-2 Denial of Service Configuration Quick Start 9-17

Table 9-3 Field Descriptions for the show dos Command 9-20

Table 9-4 CSS MIB Statistics 9-24

Table 9-5 MIB Branches Under the CSS Enterprise MIB 9-26

Table 10-1 RMON Event Configuration Quick Start 10-4

Table 10-2 RMON Alarm Configuration Quick Start 10-11

Table 10-3 RMON History Configuration Quick Start 10-20

Table 10-4 Field Descriptions for the show rmon Command 10-26

Table 10-5 Field Descriptions for the show rmon-history Command 10-31

About This Guide

This guide provides instructions for the basic configuration of the CSS 11050,
CSS 11150, and CSS 11800 Content Service Switches (hereinafter referred to as
the CSS). Information in this guide applies to all CSS models except where noted.
For configuration information on advanced features, refer to the Content Services
Switch Advanced Configuration Guide.

The CSS software is available in a Standard or Enhanced feature set. The
Enhanced feature set contains all of the Standard feature set and also includes
Network Address Translation (NAT) Peering, Domain Name Service (DNS),
Demand-Based Content Replication (Dynamic Hot Content Overflow), Content
Staging and Replication, and Network Proximity DNS. Proximity Database and
SSH are optional features.

Note Access to the Standard and Enhanced feature sets or Proximity
Database requires that you enter a software license key when you
boot the CSS for the first time. For details, refer to the Content
Services Switch Getting Started Guide, Chapter 4, Booting the CSS.

Note If you are upgrading from the Standard to the Enhanced feature set
or want to activate a CSS software option (for example, SSH Server)
that you purchased, refer to the Content Services Switch Getting
Started Guide, Chapter 4, Booting the CSS.

If you configure your CSS for Proximity Database, you cannot use
the CSS for flow control. For details on Proximity Database, refer to
the Content Services Switch Advanced Configuration Guide.

Audience
This guide is intended for the following trained and qualified service personnel
who are responsible for configuring the CSS:
• Web master
• System administrator
• System operator

How to Use This Guide


This section describes the chapters and contents in this guide.

| Chapter | Description |
|---|---|
| Chapter 1, Logging in and Getting Started | Log into the CSS and configure the CSS for operation. This chapter contains an overview of the CSS system software. It also contains information on using the Offline Diagnostic Monitor (Offline DM) menu. |
| Chapter 2, Configuring User Profiles and CSS Parameters | Configure user profile and CSS parameters. This chapter also contains information on using the Content API and Command Scheduler features. |
| Chapter 3, Configuring CSS Network Protocols | Configure the CSS DNS, ARP, RIP, IP, and bridging features. |
| Chapter 4, Configuring Interfaces and Circuits | Configure the CSS management ports, interfaces, and circuits for operation. |
| Chapter 5, Configuring Services | Configure services. |
| Chapter 6, Configuring Owners | Create and configure owners. |
| Chapter 7, Configuring Content Rules | Create and configure content rules. |
| Chapter 8, Using the CSS Logging Features | Enable logging, set up the log buffer, and determine where to send the activity information. |
| Chapter 9, Configuring Simple Network Management Protocol (SNMP) | Configure SNMP on the CSS (including a summary of all CSS Enterprise MIB objects). |
| Chapter 10, Configuring Remote Monitoring (RMON) | Configure RMON on the CSS. |
| Appendix A, Upgrading Your CSS Software | Upgrade your CSS software manually or use the upgrade script. |

Cisco Content Services Switch Basic Configuration Guide


78-11424-03 xxxi
About This Guide
Related Documentation

Related Documentation
In addition to this document, the Content Services Switch documentation set
includes the following:

Document Title - Description
• Cisco Content Services Switch Release Note - Provides information on
operating considerations, known issues, and CLI commands for a CSS
software version.
• Content Services Switch Getting Started Guide - Provides information for
installing, cabling, and booting the CSS. In addition, this guide provides
information about CSS specifications, cable pinouts, troubleshooting, and
log messages.
• Content Services Switch Advanced Configuration Guide - Describes how to
configure advanced CSS features, including:
– Sticky parameters
– HTTP header load balancing
– Source groups, Access Control Lists (ACLs), Extension Qualifier Lists
(EQLs), Uniform Resource Locator Qualifier Lists (URQLs), Network
Qualifier Lists (NQLs), and Domain Qualifier Lists (DQLs)
– VIP and CSS redundancy
– Caching
– Domain Name Service (DNS)
– Demand-Based Content Replication and content staging and replication
– Firewall Load Balancing
– OSPF routing protocol
– Network Proximity
– CSS scripting language
• Content Services Switch Command Reference - Provides an alphabetical list
of all CSS Command Line Interface commands including syntax, options, and
related commands.
• WebNS Device Management User Interface Quick Start Guide - Provides an
overview on using the WebNS Device Management user interface, an
HTML-based Web application that you use to configure and manage a CSS.

Symbols and Conventions


This guide uses the following symbols and conventions to identify different types
of information.

Caution A caution means that a specific action you take could cause a loss of
data or adversely impact use of the equipment.

Warning A warning describes an action that could cause you physical harm
or damage the equipment.

Note A note provides important related information, reminders, and
recommendations.

Bold text indicates a command in a paragraph.


Courier text indicates text that appears on a command line, including the CLI
prompt.
Courier bold text indicates commands and text you enter in a command line.
Italics text indicates the first occurrence of a new term, book title, and emphasized
text.
1. A numbered list indicates that the order of the list items is important.
a. An alphabetical list indicates that the order of the secondary list items is
important.
• A bulleted list indicates that the order of the list topics is unimportant.
– An indented list indicates that the order of the list subtopics is
unimportant.

CHAPTER 1
Logging in and Getting Started

This chapter describes how to log into the CSS and configure an IP address,
subnet mask, and default route. Included in this chapter is a description of the
system software. It also contains information on using the Offline Diagnostic
Monitor (Offline DM) menu. Information in this chapter applies to all CSS
models except where noted.
CSS software is available in a Standard or Enhanced feature set. The Enhanced
feature set contains all of the Standard feature set and also includes Network
Address Translation (NAT) Peering, Domain Name Service (DNS),
Demand-Based Content Replication (Dynamic Hot Content Overflow), Content
Staging and Replication, and Network Proximity DNS. Proximity Database and
SSH are optional features.

Note When you boot the CSS for the first time, the software prompts you
to enter a valid license key for the Standard or Enhanced feature set,
or for Proximity Database, depending on your intended use for the
CSS. For details, refer to the Content Services Switch Getting
Started Guide, Chapter 4, Booting the CSS.

If you are upgrading from the Standard to the Enhanced feature set
or want to activate another optional feature that you purchased, refer
to the Content Services Switch Getting Started Guide, Chapter 4,
Booting the CSS.

If you configure your CSS for Proximity Database, you cannot use
the CSS for flow control. For details on Proximity Database, refer to
the Content Services Switch Advanced Configuration Guide.

This chapter contains the following sections:


• Configuration Quick Start
• Logging into the CSS
• Configuring an IP Address and Subnet Mask for the Ethernet Management
Port
• Configuring an IP Route
• Configuring Date, Time, and Time Zone
• Synchronizing the CSS with an SNTP Server
• Configuring an FTP Record
• Rebooting the CSS
• Shutting Down the CSS
• Using the Offline Diagnostic Monitor Menu
• Enabling and Disabling Core Dumps
• CSS Software Overview
• Using the Running-Config and Startup-Config
• Archiving Files to the Archive Directory
• Restoring Files from the Archive Directory
• Displaying CSS Configurations

Configuration Quick Start


Table 1-1 is a Quick Start configuration table designed to help you configure the
CSS quickly and easily. This table provides steps to:
• Log in and access config mode so you can configure the CSS for operation
• Access boot mode to configure an IP address for the Ethernet Management
port
• Configure a subnet mask from boot mode
• Configure a default IP route
• Enter the date, time, and time zone (optional)
• Specify an SNTP server (optional)
• Configure an FTP record (optional)
• Save your configuration from the running-config to the startup-config
Following Table 1-1 is an overview of the CSS system software and commands
for saving, archiving, and restoring system configuration files.
Once you configure the Ethernet Management port IP address, you can continue
to use the Console port or you can use the Ethernet Management port to Telnet
into the CSS and configure it remotely.

Table 1-1 Configuration Quick Start

Task and Command Example


1. Log into the CSS using the default administrative username admin and
password system or the username and password you assigned during the
boot process.
2. Access config mode.
# config
(config)#
3. Access boot mode to configure an IP address for the Ethernet Management
port. This IP address must be on a different subnet than any other CSS
VLAN circuit IP subnet or you will not be able to access the port. You must
reboot the CSS for the new IP address to take effect.
(config)# boot
(config-boot)# ip address 172.3.6.58

4. Configure a subnet mask in boot mode.
(config-boot)# subnet mask 255.255.255.0
5. Exit from boot mode to config mode to configure a default route as required.
(config-boot)# exit
(config)# ip route 0.0.0.0/0 192.168.3.123
6. Exit from config mode to configure a date. The clock date command does
not allow backspacing. If you enter a wrong date, reenter the command with
the new information.
Enter the date in the format mm-dd-yy.
# clock date
Enter date: [03-11-00] 03-12-00

Use the date european-date command to enable the clock date command
to accept date input in the format of day, month, and year.
# date european-date 12/03/00
7. Configure the time using the clock time command. The clock time
command does not allow backspacing. If you enter the wrong time, reenter
the command with the new information.
Enter the time in the format hh:mm:ss.
# clock time
Enter time: [15:17:33] 16:17:33
8. If you are using an SNTP server to synchronize the system clock of the CSS,
specify the time zone and Universal Time Coordinated (UTC) offset.
# clock timezone EST hours 3 before-UTC
9. If you are using an SNTP server to synchronize the system clock of the CSS,
access the config mode and specify the SNTP server and the polling
frequency.
# config
(config)# sntp server 192.168.19.21 version 2
(config)# sntp poll-interval 90

10. Configure a File Transfer Protocol (FTP) record file to use when accessing
an FTP server from the CSS. This step is optional.
# ftp-record arrowrecord 192.168.19.21 bobo password "secret" /outgoing
11. Save your configuration changes (recommended). Configuration changes
reside in a virtual file called the running-configuration. To save your current
configuration, use the copy running-config startup-config command. If
you do not save the running-config, all configuration changes are lost upon
reboot.
# copy running-config startup-config

Logging into the CSS


To log into the CSS, use the default administrative username admin and default
password system, or use the administrative username and password you
configured during the boot process. The default username admin enables you to
log in with SuperUser status.
If you have not changed the default administrative username and password, it is
recommended that you change them immediately to safeguard the CSS against
unauthorized logins.

Note When you power up the CSS (after initial start-up), the boot process
provides access to the Offline Diagnostic Monitor (Offline DM)
menu. The Offline DM Main menu allows you to set the boot
configuration, show the boot configuration, select Advanced
Options, or reboot the system. For details on using the Offline DM
Main menu, refer to “Using the Offline Diagnostic Monitor Menu”
in this chapter.

Changing the Administrative Username and Password


The administrative username and password are stored in non-volatile RAM
(NVRAM). Each time you reboot the CSS, it reads them from NVRAM and
reinserts them into the user database. You can change the administrative username
and password, but because the information is stored in NVRAM, you cannot
delete them permanently. If you delete the administrative username using the no
username command, the CSS deletes the username from the running-config, but
restores it from NVRAM when you reboot.
SuperUser status is assigned to the administrative username by default.

To change the administrative username or password, you may either:


• Access the Offline Diagnostic Monitor (Offline DM) menu during the boot
process. For information on the Offline DM Main menu see “Using the
Offline Diagnostic Monitor Menu” in this chapter.
• Use the username-offdm name password text command.
The following example uses the CLI command to change the default
administrative username and password.
(config)# username-offdm bobo password secret

Restricting Modifications to the CSS User Database


By default, access to the CSS user database is not restricted. Nonrestricted access
means any user with SuperUser privileges (local user, administrator, or
technician) can:
• Create, modify, or delete usernames (user database entries)
• Clear the CSS running-config file
You can use the restrict user-database command to restrict the CSS user
database to CSS users who are identified as either an administrator or a
technician.
To restrict modification of the CSS user database, enter:
(config)# restrict user-database

To remove restrictions for modifying the CSS user database, enter:


(config)# no restrict user-database

Configuring Usernames and Passwords


The CSS supports a maximum of 32 usernames, including an administrator
username and a technician username. You can assign each user that logs into the
CSS with SuperUser or User status.
• User - Allows access to a limited set of commands that enable you to monitor
and display CSS parameters, but not change them. A User prompt ends with
the > symbol. To view the commands available in User mode, at the User
prompt, enter ?.
By default, new users have only user-level status unless you configure them
to have SuperUser status.
• SuperUser - Allows access to the full set of CLI commands, including those
in User mode, that enable you to configure the CSS. A SuperUser prompt
ends with the # symbol.
From SuperUser mode, you can enter global configuration mode and its
subordinate configuration modes.
Use the username command to create usernames and passwords to log in to the
CSS. The syntax for this global configuration mode command is:

username name [des-password|password] password {superuser} {dir-access access}

Note Any user with SuperUser status can create CSS usernames. To allow
only administrator or technician users to create usernames, use the
restrict user-database command (see “Restricting Modifications to
the CSS User Database” in this section).

The options and variables are as follows:


• name - Sets the username you want to assign or change. Enter an unquoted
text string with no spaces and a maximum of 16 characters. To see a list of
existing usernames, enter username ?.
• des-password - Specifies that the password you enter is the Data Encryption
Standard (DES) form of the password. Use this option only when you are
creating a script or a startup configuration file. Enter a DES-encrypted,
case-sensitive, unquoted text string with no spaces from 6 to 64 characters.

Note If you specify the des-password option, you must know the
encrypted form of the password to successfully log in to the
CSS. You can find the CSS encrypted password in the
Global section of the running-config. To display the
running-config, use the show running-config command.

• password - Specifies that the password is not encrypted on your display as
you enter it. However, the CSS DES-encrypts the password in the
running-config for extra security. Use this option when you use the CLI to
create users. Enter a case-sensitive, unquoted text string with no spaces from
6 to 16 characters.
• password - The text string that you enter. The CSS allows all special
characters in a password except for the percent sign (%).
• superuser - (Optional) Specifies SuperUser privileges to allow a user to
access SuperUser mode. If you do not enter this option, the user can only
access User mode.
• dir-access access - (Optional) Defines the CSS directory access privileges for
the username. Access privileges are assigned to the seven CSS
directories: Script, Log, Root (installed CSS software), Archive, Release
Root (configuration files), Core, and MIBs. By default, users have both read-
and write-access privileges (B) to all seven directories. Changing the access
level also affects the use of the CLI commands associated with directories.
Enter one of the following access privilege codes for the CSS Script, Log,
Root, Archive, Release Root, Core, and MIB directories, in this order:
– R - Read-only access to the CSS directory
– W - Write-only access to the CSS directory
– B - Both read- and write-access privileges to the CSS directory
– N - No access privileges to the CSS directory
The following example creates a SuperUser named picard with a password of
captain.
(config)# username picard password "captain" superuser

Figure 1-1 shows how the access privilege settings correspond to the CSS
directories.

Figure 1-1 CSS Directory Access Privileges

NWBNNNR
• N (first character) - Script directory, set to None (no directory access)
• W (second character) - Log directory, set to write-only access
• B (third character) - Root directory, set to both read and write-access
• N (fourth character) - Archive directory, set to None (no directory access)
• N (fifth character) - Release Root directory, set to None (no directory access)
• N (sixth character) - Core directory, set to None (no directory access)
• R (seventh character) - MIBs directory, set to read-only access

For example, to define directory access for username picard, enter:
(config)# username picard password "captain" superuser NWBNNNR

To display a list of existing usernames, enter:
(config)# username ?

To remove an existing username, enter:
(config)# no username picard

To change a user password, reenter the username command and specify the new
password. Remember to include SuperUser privileges if required. For example:
(config)# username picard password "flute" superuser

Caution The no username command removes a user permanently. Make sure you want to
perform this action because you cannot undo this command.
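
The following Python sketch is an added example, not part of the Cisco guide or the CSS software. It audits a script or saved command list against the rules in this section: the seven-character directory access code, the 6 to 16 character password rule, the default admin/system login, and whether restrict user-database is set. The sample commands, the finding labels, and the des-password string are constructed for illustration.

```python
import re

# Directory order of the seven-character access code, as listed in this section.
DIRECTORIES = ("Script", "Log", "Root", "Archive", "Release Root", "Core", "MIBs")
PRIVILEGES = {"R": "read-only", "W": "write-only", "B": "read-write", "N": "none"}
DEFAULT_ACCESS = "BBBBBBB"  # users get B on all seven directories by default


def decode_dir_access(code):
    """Map a code such as NWBNNNR to {directory: privilege}."""
    code = code.upper()
    if len(code) != len(DIRECTORIES) or any(c not in PRIVILEGES for c in code):
        raise ValueError(f"invalid dir-access code: {code!r}")
    return dict(zip(DIRECTORIES, (PRIVILEGES[c] for c in code)))


def tokenize(line):
    """Strip a CLI prompt such as '(config)# ' and split, honouring double quotes."""
    line = re.sub(r"^\s*(\([\w-]+\))?\s*#\s*", "", line.strip())
    line = line.replace("\u201c", '"').replace("\u201d", '"')
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]


def parse_user(line):
    """Parse a username or username-offdm command; return None for other lines."""
    tokens = tokenize(line)
    if len(tokens) < 4 or tokens[0] not in ("username", "username-offdm"):
        return None
    if tokens[2] not in ("password", "des-password"):
        return None
    user = {"command": tokens[0], "name": tokens[1], "kind": tokens[2],
            "secret": tokens[3], "access": DEFAULT_ACCESS,
            # The administrative username always has SuperUser status.
            "superuser": tokens[0] == "username-offdm"}
    for tok in tokens[4:]:
        if tok == "superuser":
            user["superuser"] = True
        elif tok != "dir-access":      # keyword is optional in the guide's example
            decode_dir_access(tok)     # raises ValueError on a malformed code
            user["access"] = tok.upper()
    return user


def audit(config_text):
    """Return (username, finding) pairs for the commands in config_text."""
    findings, superusers, restricted = [], 0, False
    for line in config_text.splitlines():
        toks = tokenize(line)
        if toks in (["restrict", "user-database"], ["no", "restrict", "user-database"]):
            restricted = toks[0] != "no"
            continue
        user = parse_user(line)
        if user is None:
            continue
        name, secret = user["name"], user["secret"]
        if (name, secret) == ("admin", "system"):
            findings.append((name, "default-credentials"))
        if user["kind"] == "password":
            findings.append((name, "cleartext-password"))
            if user["command"] == "username" and (
                    not 6 <= len(secret) <= 16 or "%" in secret):
                findings.append((name, "password-rule"))
        if user["command"] == "username":
            access = decode_dir_access(user["access"])
            if all(p == "read-write" for p in access.values()):
                findings.append((name, "full-directory-access"))
        superusers += user["superuser"]
    if superusers and not restricted:
        findings.append(("*", "user-database-unrestricted"))
    return findings


# Constructed sample input; the des-password value is a placeholder string.
SAMPLE = '''
(config)# username picard password "captain" superuser NWBNNNR
(config)# username riker des-password examplea1b2c3d4 superuser
(config)# username data password "abc"
(config)# username-offdm admin password system
'''

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```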

Configuring an IP Address and Subnet Mask for the Ethernet Management Port
To communicate with the CSS and issue Command Line Interface (CLI)
commands using out-of-band management, you must assign an IP address to the
Ethernet Management port. You may also want to configure a subnet mask that
the CSS uses upon boot.
The Ethernet Management port is located on the:
• CSS 11050 and CSS 11150 rear panels
• CSS 11800 SCM front panel
The CSS enables you to configure an IP address and a subnet mask:
• At the prompts during the boot process
• Using the Offline Diagnostic Monitor (Offline DM) menu
• Using CLI commands
For information on configuring an IP address and subnet mask during the boot
routine or using the Offline DM Main menu, refer to “Using the Offline
Diagnostic Monitor Menu” in this chapter. For information on configuring an IP
address and subnet mask using CLI commands, refer to the following sections.

Note You must reboot the CSS for the IP address to take effect.

Configuring an IP Address
To configure an IP address for the CSS Ethernet Management port, use the
ip address option in boot mode. This command does not have a no version. To
change the IP address, reissue the ip address command and enter the new
IP address. The CSS does not accept an all zero IP address.
For example:
(config)# boot
(config-boot)# ip address 172.3.6.58

Note You must reboot the CSS for the new IP address to take effect.

Caution The Ethernet Management port IP address must be on a different subnet
than any other CSS VLAN circuit IP subnet. If you do not make the
Ethernet Management port IP address unique, you will not be able
to access the port.

Configuring a Subnet Mask


To configure the CSS subnet mask, use the subnet mask option in boot mode. For
example, enter:
(config)# boot
(config-boot)# subnet mask 255.255.255.0

To remove the configured subnet mask, enter:


(config-boot)# no subnet mask

Configuring an IP Route
To establish IP connectivity to the CSS, a static IP route is required to
connect the CSS to the next hop router. A static route consists of a destination
network address and mask and the next hop to reach the destination. You can also
specify a default static route (using 0.0.0.0 as the destination network address and
a valid next hop address) to direct frames for which no other destination is listed
in the routing table. Default static routes are useful for forwarding otherwise
unrouteable packets by the CSS.
When you configure a static IP route, the CSS periodically polls the next hop
router with an internal ICMP keepalive service to ensure the router is functioning
properly. If the router fails, the CSS removes any entries from the routing table
that point to the failed router and stops sending traffic to the failed router. When
the router recovers, the CSS:
• Becomes aware of the router
• Re-enters applicable routes into the routing table

To configure an IP route, use the ip route command and specify either an:
• IP address and a subnet mask prefix - For example, 192.168.1.0/24
or
• IP address and a subnet mask - For example, 192.168.1.0 255.255.255.0
The syntax for the ip route command to configure a default IP route is:
ip route ip_address subnet_mask ip_address2
For example, enter:
(config)# ip route 0.0.0.0/0 192.168.3.123
The variables are:
• ip_address - The destination network address. Enter the IP address in
dotted-decimal notation (for example, 192.168.11.1).
• subnet_mask - The IP subnet mask. Enter the mask as either:
– A prefix length in CIDR bitcount notation (for example, /24). Do not
enter a space to separate the IP address from the prefix length.
– An IP address in dotted-decimal notation (for example, 255.255.255.0).
• ip_address2 - The next hop address for the route. Enter the IP address in
dotted-decimal notation (for example, 192.168.11.1).
For complete information on configuring IP routes, refer to Chapter 3,
Configuring CSS Network Protocols.
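
The following Python sketch is an added example, not part of the Cisco guide. It is a pre-deployment check for two rules stated above: the Ethernet Management port must sit on a different subnet than every VLAN circuit subnet, and an ip route destination may be written with either a prefix length or a dotted-decimal mask. The transcript reuses the addresses from this chapter's examples; the circuit subnets passed in are constructed, because circuit configuration is covered in Chapter 4.

```python
import ipaddress


def tokens_of(line):
    """Drop a CLI prompt such as '(config-boot)# ' and split the command."""
    return line.split("#", 1)[-1].split()


def parse_ip_route(command):
    """Parse 'ip route' in either notation; return (destination, next hop)."""
    tokens = tokens_of(command)
    if tokens[:2] != ["ip", "route"]:
        raise ValueError("not an ip route command")
    args = tokens[2:]
    if len(args) == 2 and "/" in args[0]:       # 192.168.1.0/24 next_hop
        destination, next_hop = args
    elif len(args) == 3:                        # 192.168.1.0 255.255.255.0 next_hop
        destination, next_hop = f"{args[0]}/{args[1]}", args[2]
    else:
        raise ValueError(f"unrecognised ip route arguments: {args}")
    # A space before the prefix length ('192.168.1.0 /24') ends up here as
    # '192.168.1.0//24' and is rejected with ValueError.
    network = ipaddress.IPv4Network(destination, strict=False)
    return str(network), str(ipaddress.IPv4Address(next_hop))


def management_interface(transcript):
    """Collect the boot-mode 'ip address' and 'subnet mask' settings."""
    address = mask = None
    for line in transcript.splitlines():
        if not line.lstrip().startswith("(config-boot)"):
            continue
        tokens = tokens_of(line)
        if tokens[:2] == ["ip", "address"] and len(tokens) == 3:
            address = tokens[2]
        elif tokens[:2] == ["subnet", "mask"] and len(tokens) == 3:
            mask = tokens[2]
        elif tokens == ["no", "subnet", "mask"]:
            mask = None
    if address is None or mask is None:
        raise ValueError("transcript does not set both ip address and subnet mask")
    return ipaddress.IPv4Interface(f"{address}/{mask}")


def check_management_port(transcript, circuit_subnets):
    """Return a list of problems with the management port addressing."""
    mgmt = management_interface(transcript)
    problems = []
    if mgmt.ip == ipaddress.IPv4Address("0.0.0.0"):
        problems.append("all-zero management address is not accepted")
    for subnet in circuit_subnets:
        net = ipaddress.IPv4Network(subnet, strict=False)
        if mgmt.network.overlaps(net):
            problems.append(
                f"management subnet {mgmt.network} overlaps circuit subnet {net}")
    return problems


# Transcript built from the commands shown in this chapter.
TRANSCRIPT = """\
(config)# boot
(config-boot)# ip address 172.3.6.58
(config-boot)# subnet mask 255.255.255.0
(config-boot)# exit
(config)# ip route 0.0.0.0/0 192.168.3.123
"""

if __name__ == "__main__":
    # Constructed circuit subnets; the first one collides with the management port.
    for problem in check_management_port(TRANSCRIPT, ["172.3.6.0/25", "10.1.1.0/24"]):
        print(problem)
    print(parse_ip_route("(config)# ip route 0.0.0.0/0 192.168.3.123"))
```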

Configuring Date, Time, and Time Zone


To set the date, time, or time zone, use the clock command. When you enter this
command, the CSS displays the current date and time.

Note The clock command does not allow backspacing. If you enter the
wrong date, time, or time zone, reenter the command with the new
information.

To set the date, enter the clock date command. When you enter this command, a
prompt appears and shows the current date in the format you must use to enter the
new date. Enter the month, day, and year as integers with dash characters
separating them. For example, enter June 15th 2001 as 06-15-2001.
Enter the new information in the format mm-dd-yy as shown:
# clock date
Enter date: [10-03-00] 10-04-00

To set the time, enter the clock time command. This command sets the time in
military-time (24-hour) format. When you enter this command, a prompt appears
and shows the current time in the format you must use to enter the new time. Enter
the hour, minutes, and seconds as integers, separated by colons.
Enter the new time in the format hh:mm:ss as shown:
# clock time
Enter time: [15:12:38] 16:12:38

To specify a time zone for the CSS, which synchronizes the CSS system clock
with an SNTP server, enter the clock timezone command. The time stored in the
CSS is the local time. The Universal Time Coordinated (UTC, also known as
Greenwich Mean Time) time is calculated by offsetting the time zone from the
local time. You can apply a negative offset to the UTC (for example, –05:-23:+00)
or a positive offset to the UTC (for example, +12:+00:+00).
Use the no form of the clock timezone command to reset the time zone
information to 00:00:00. This also sets the clock to the new time without the time
zone offset.

Note The use of the clock timezone command assumes that you are using
the CSS with an SNTP server to synchronize the CSS system UTC
time to that of a designated SNTP server. Without a configured
SNTP server, the time zone information is not used. Refer to
“Synchronizing the CSS with an SNTP Server” later in this chapter
for details.

The syntax for the clock timezone command is:

clock timezone name hours hours {before-UTC|after-UTC} {minute minutes {before-UTC|after-UTC}}

The options and variables are:


• timezone name - The name of the time zone. Enter a name with a maximum
of 32 characters and no spaces.
• hours hours - Sets the hours offset for the time zone. Enter a number from
0 to 12. This option is used in conjunction with the before-UTC option or
after-UTC option to set the offset to either a positive or negative number.
• before-UTC - Sets the offset for Universal Time Coordinated (UTC) as a
negative number. For example, if the hour offset is 12, before-UTC sets it to
–12.
• after-UTC - Sets the offset for UTC as a positive number. This is the default
offset.
• minute minutes - Sets the minutes offset for the time zone. Enter a number
from 0 to 59. This option is used in conjunction with the before-UTC option
or after-UTC option to set the offset to either a positive or negative number.
For example, to enter the new time zone for Eastern Standard Time (EST) with
a –3 hour offset:
# clock timezone EST hours 3 before-UTC

To set the time zone offset back to 00:00:00 (and also set the clock to the new time
without the time zone offset):
# no clock timezone

To display the current date and time, enter the show clock command:
# show clock

Table 1-2 describes the fields in the show clock output.

Table 1-2 Field Descriptions for the show clock Command

Field - Description
• Date - The configured date in the format of month, day, and year. For
example, 06-15-2001 is June 15th 2001. If you use the date european-date
command, the format is day, month, and year. For example, the date June 15th
2001 is displayed as 15-06-2001.
• Time - The configured time in the format of hour, minute, and second, for
example 16:23:45.
Note If you configure an SNTP server, the show clock command displays the
time adjusted with the time zone offset. The show clock command displays the
UTC time from the SNTP server. If you configure a timezone, the show clock
command displays the time adjusted with the timezone offset. For example, if
the UTC time from the server is 16:30:43 and you configure a timezone
negative offset of 5 hours and 30 minutes (–05:-30:+00), the displayed time
becomes 11:00:43.
• Timezone - The configured time zone offset from an SNTP server. All zeros
(00:00:00) indicate that no offset was configured for the time zone. A
negative symbol (–) indicates a negative offset to the UTC (for example,
-05:-23:+00). A positive symbol (+) indicates a positive offset to the UTC
(for example, +12:+00:+00).

Configuring European Date


Use the date european-date command to enable the clock date command to
accept date input in the format of day, month, and year.
For example:
# date european-date 10/4/00

To reset the format for the clock date command to its default of month, day and
year, enter:
# no date european-date

Synchronizing the CSS with an SNTP Server


Use the sntp command to configure the SNTP (Simple Network Time Protocol)
on the CSS. Use SNTP when you need to synchronize computer system clocks on
the Internet to that of a designated SNTP server. SNTP is a simplified, client-only
version of the Network Time Protocol (NTP) that enables the CSS time-of-day to
be synchronized with any SNTP server.
Accurate time-of-day is provided by synchronizing to the Universal Time
Coordinated (UTC) (also known as Greenwich Mean Time), which provides time
within 100 milliseconds of the accurate time. You can configure information
about the local time zone so the time is displayed correctly relative to the local
time zone. The CSS can only receive the time from a single SNTP server (in
unicast mode), and it cannot be used to provide time services to other devices.

Note Before you synchronize the CSS with an SNTP server, make sure you
configure the proper time zone for the CSS (for example, to EST). Also
make sure that the time difference between the CSS internal clock and the
SNTP server clock is less than 24 hours. Otherwise, the CSS will not
synchronize its clock with the SNTP server. To configure the time on the
CSS, see “Configuring Date, Time, and Time Zone” earlier in this
chapter for details.

For detailed information on configuring the SNTP server, consult the
documentation provided with the server.

The options for this global configuration mode command are:


• sntp server - Specify the SNTP server.
• sntp poll-interval - Specify the poll interval for SNTP request messages.

Configuring the SNTP Server


Use the sntp server command to specify the SNTP server. The syntax for this
command is:
sntp server ip_address {version number}
The options and variables are:
• server ip_address - The IP address for the SNTP server. Enter an IP address
in dotted-decimal notation (for example, 192.168.1.0).
• version number - The version number of the SNTP server. Enter a version
number between 1 and 4. The default is 1.
For example, to configure an SNTP server (running version number 3), enter:
(config)# sntp server 192.168.19.21 version 3

To remove the specified SNTP server, enter:


(config)# no sntp server

Configuring the SNTP Poll-Interval


Use the sntp poll-interval command to specify the poll interval for SNTP request
messages. The poll interval is the time (in seconds) between successive SNTP
request messages to the server. Continuous polling is critical for the CSS to obtain
time from the SNTP server and ensure that the local time stays adjusted with the
“real time” of the server. The valid entries are 16 to 16284 seconds. The default
is 64 seconds.
For example, to specify an SNTP poll-interval of 90 seconds, enter:
(config)# sntp poll-interval 90

To return the SNTP poll-interval to its default setting of 64 seconds, enter:


(config)# no sntp poll-interval

Showing SNTP Configuration Information


To display the Simple Network Time Protocol (SNTP) configuration information
on the CSS, enter the show sntp global command:
(config)# show sntp global

Table 1-3 describes the fields in the show sntp global output.

Table 1-3 Field Descriptions for the show sntp global Command

Field - Description
• Server Address - The IP address for the SNTP server.
• Version - The version number of the server. The default is 1.
• Poll Interval - The time in seconds between SNTP request messages. The
range is 16 to 16284. The default is 64.
• TimeSinceLastUpdate - The time in seconds since the last server reply.
• Server Status - The operating status of the SNTP server, UP or DOWN.

Configuring an FTP Record


Use the ftp-record command to create a File Transfer Protocol (FTP) record file
to use when accessing an FTP server from the CSS. The syntax for this global
configuration mode command is:
ftp-record ftp_record ipaddress_or_hostname username
[“password|des-password des_password|encrypted-password
encrypted_password] {base_directory}

The variables are:


• ftp_record - The name for the FTP record file. Enter an unquoted text string
with no spaces and a maximum length of 16 characters.
• ipaddress_or_hostname - The IP address or host name of the FTP server you
want to access. Enter an IP address in dotted-decimal notation (for example,
192.168.11.1) or a mnemonic host name (for example,
myhost.mydomain.com).
• username - A valid login username on the FTP server. Enter a case-sensitive
unquoted text string with no spaces and a maximum length of 16 characters.
• password - The password for the valid login username on the FTP server.
Enter a case-sensitive quoted text string with no spaces and a maximum
length of 16 characters.
• des_password - The Data Encryption Standard (DES) encrypted password for
the valid login username on the FTP server. Enter a case-sensitive unquoted
text string with no spaces and a maximum length of 64 characters.
• encrypted_password - The encrypted password for the valid login username
on the FTP server. Enter a case-sensitive unquoted text string with no spaces
and a maximum length of 16 characters.
• base_directory - An optional base directory when using this record. Enter the
base directory name as a case-sensitive unquoted text string with no spaces
and a maximum length of 64 characters.
The config-path and base directory path in the ftp-record associated with a
network boot must not contain a pathname that collides with a non-network
driver name (for example, c: or host:).


For example (using an encrypted password):


# ftp-record arrowrecord 192.168.19.21 bobo password "secret" /outgoing

To delete the FTP record arrowrecord from the CSS, enter:


# no ftp-record arrowrecord
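
The variable rules above can be checked mechanically when reviewing a saved configuration. The following Python sketch is an added example, not Cisco code: it lints ftp-record lines against the documented length limits, reports records whose password appears in clear text, and flags a base directory that begins with c: or host:. The function names, finding codes and sample lines are assumptions made for this example.

```python
import re

# Maximum lengths (characters) from the variable descriptions above.
MAX_LEN = {"ftp_record": 16, "username": 16, "password": 16,
           "des-password": 64, "encrypted-password": 16, "base_directory": 64}
# Local driver names the guide gives as examples; the list is not exhaustive.
LOCAL_DRIVERS = ("c:", "host:")
TOKEN = re.compile(r'"[^"]*"|\S+')   # keep a quoted string as one token

# Constructed sample lines (the first is the guide's own example; the
# des-password value is a placeholder, not a real encrypted string).
SAMPLE = '''\
ftp-record arrowrecord 192.168.19.21 bobo password "secret" /outgoing
ftp-record netboot 10.3.6.58 mandy des-password examplevalue c:/images
no ftp-record arrowrecord
'''


def lint_ftp_record(line):
    """Return (code, detail) findings for one ftp-record command line."""
    tokens = TOKEN.findall(line)
    if "ftp-record" not in tokens:
        return [("not-ftp-record", line.strip())]
    idx = tokens.index("ftp-record")
    if idx > 0 and tokens[idx - 1] == "no":             # deletion, nothing to lint
        return []
    tokens = tokens[idx + 1:]                           # drop any CLI prompt
    if len(tokens) < 3:
        return [("malformed", "expected ftp_record, host and username")]
    name, _host, user, rest = tokens[0], tokens[1], tokens[2], tokens[3:]
    findings = []

    def check_len(field, value):
        if len(value) > MAX_LEN[field]:
            findings.append(("too-long",
                             f"{field} is longer than {MAX_LEN[field]} characters"))

    check_len("ftp_record", name)
    check_len("username", user)

    # The syntax line shows a bare quoted password; the guide's example puts
    # the keyword "password" in front of it. Accept both spellings.
    if len(rest) > 1 and rest[0] == "password" and rest[1].startswith('"'):
        rest = rest[1:]
    if rest and rest[0].startswith('"'):
        secret = rest[0].strip('"')
        check_len("password", secret)
        if " " in secret:
            findings.append(("bad-password", "password must not contain spaces"))
        findings.append(("cleartext-password",
                         f"record {name} carries a cleartext password"))
        rest = rest[1:]
    elif rest and rest[0] in ("des-password", "encrypted-password"):
        if len(rest) < 2:
            return findings + [("malformed", f"{rest[0]} needs a value")]
        check_len(rest[0], rest[1])
        rest = rest[2:]

    if rest:                                            # optional base_directory
        base = rest[0]
        check_len("base_directory", base)
        if base.lower().startswith(LOCAL_DRIVERS):
            findings.append(("driver-collision",
                             f"base directory {base} starts with a local driver name"))
    if len(rest) > 1:
        findings.append(("extra-tokens", " ".join(rest[1:])))
    return findings


def lint_config(text):
    """Lint every ftp-record line; returns {line_number: findings}."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if "ftp-record" in line:
            findings = lint_ftp_record(line)
            if findings:
                report[number] = findings
    return report


if __name__ == "__main__":
    for number, findings in lint_config(SAMPLE).items():
        for code, detail in findings:
            print(f"line {number}: {code}: {detail}")
```
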

Copying Files from an FTP Server


Use the copy ftp command to copy files from an FTP server to the CSS. Before
using this command, you must use the (config) ftp-record command to create an
FTP record file containing the FTP server IP address, username, and password.
The options for this command are:
• copy ftp ftp_record filename boot-image - Copy a file from an FTP server to
the CSS for use as the ArrowPoint Distribution Image (ADI). The file you
copy to the CSS must be an ADI. Otherwise, the CSS rejects it.
• copy ftp ftp_record filename script script_filename - Copy a file from an
FTP server to the script directory.
• copy ftp ftp_record filename startup-config - Copy a file from an FTP server
to the startup configuration.


Rebooting the CSS


Use the reboot command to reboot the CSS. The syntax and option for this boot
mode command are:
• reboot - Reboots the CSS
• reboot diags - Reboots the CSS and runs diagnostics
For example, to reboot the CSS and run diagnostics, enter:
(config-boot)# reboot diags

Shutting Down the CSS


Use the shutdown command in boot mode to shut down the CSS. This command
shuts down all CSS processes so that you can power cycle the unit safely. For
example:
(config)# boot
(config-boot)# shutdown

Using the Offline Diagnostic Monitor Menu


During the boot process, the CSS enables you to access the Offline Diagnostic
Monitor (Offline DM) menu. The Offline DM Main menu allows you to:
• Set the boot configuration:
– Configure a primary and secondary location from which the CSS
accesses the boot image
– Configure an IP address for the CSS
– Configure a subnet mask
• Show the boot configuration

• Select Advanced Options to:
– Delete a software version from the disk
– Set a password for the Offline DM Main menu
– Set an administrative username and password
– Reformat the disk and perform a check disk
• Reboot the system

Accessing the Offline Diagnostic Monitor Main Menu


The CSS pauses the boot process for 5 seconds to enable you to press any
character after the prompt and display the Offline Diagnostic Monitor Main menu.
To access the Offline Diagnostic Monitor Main menu:
1. Connect and configure a console to the CSS 11800 SCM console port, or the
CSS 11050 or CSS 11150 front panel. Configure the console to the following
default values: 9600 baud, no parity, 8 data bits, 1 stop bit, and flow control
set to None.
2. Power on the CSS. After the CSS begins to boot (approximately 15 seconds),
it displays the following message:
Press any key to access the Offline Diagnostic Monitor menu

At this point in the boot sequence, you may either:
• Take no action and let the CSS continue booting automatically with the
default boot configuration
• Press any key to halt the boot process and display the Offline DM Main
menu
3. If you choose to access the Offline DM Main menu, press any key before the
5-second window elapses.


The Offline DM Main menu is displayed as shown below. If 5 seconds elapse
before you press a key, power down the CSS and then power it up again.
CSSxxx00 Offline Diagnostic Monitor, Version x.x

MAIN MENU

Enter the number of a menu selection:

1* Set Boot Configuration
2. Show Boot Configuration
3* Advanced Options
4. Reboot System

An asterisk (*) next to a menu option indicates that the option contains a submenu.
Table 1-4 describes each menu item.

Table 1-4 Offline Diagnostic Monitor Menu Options

Menu Option                  Enables you to...
1* Set Boot Configuration    1. Set Primary Boot Configuration
                             2. Set Secondary Boot Configuration
                             3. Set IP Address, and Subnet Mask
                             r. Return to previous menu
2. Show Boot Configuration   Display boot configurations (including primary and secondary boot configurations, records, and IP information).
3* Advanced Options          1. Delete a software version
                             2. Security Options
                             3. Disk Options
                             r. Return to previous menu
4. Reboot System             Reboot the CSS. The CSS displays the following message before rebooting:
                             Are you sure you want to reboot? (Y/N)
                             Enter:
                             • Y to reboot the CSS
                             • N to continue using the Offline DM Main menu


Using the Boot Configuration Menu


The flowchart in Figure 1-2 illustrates how the CSS uses the Boot Configuration
information to complete the boot process.

Figure 1-2 Boot Configuration Flowchart

[Flowchart. Nodes: CSS Begins Boot Process; Is Primary Boot Record Configured?; Attempt Primary Boot Record; Primary Boot Succeed?; Is Secondary Boot Record Configured?; Attempt Secondary Boot Record; Secondary Boot Succeed?; Done; No configuration; Boot Failed]


The Boot Configuration menu enables you to perform the following tasks as
described in Table 1-5.

Table 1-5 Boot Configuration Options

Menu Option                            Enables you to...
1. Set Primary Boot Configuration      Specify the primary location (Network, FTP, Disk, or Clear) from which the CSS accesses the boot image. The default location is Disk.
2. Set Secondary Boot Configuration    Specify the secondary location (Network, FTP, Disk, or Clear) from which the CSS accesses the boot image. The default location is Clear.
3. Set IP Address and subnet mask      Configure an IP address for the Ethernet Management port, and configure a subnet mask.
r. Return to previous menu             Display the Offline DM main menu.

The Boot Configuration menu is displayed as shown below.

BOOT CONFIGURATION MENU

Enter the number of a menu selection:

1. Set Primary Boot Configuration
2. Set Secondary Boot Configuration
3. Set IP Address and Subnet Mask
r Return to previous menu


Setting Primary Boot Configuration


The information you provide for the Primary Boot Configuration specifies the
location from which the CSS accesses the primary boot image upon system reboot
or when you download new software. When you select Set Primary Boot
Configuration from the Boot Configuration menu, the CSS displays the
following information. If you have previously entered information, the CSS
displays the existing information and default values in [square brackets].
Configuring PRIMARY Boot Record
Boot via [N]etwork, [F]TP, [D]isk, or [C]lear: [D]

• Boot via Network allows you to boot the CSS via FTP from CSS software on
a network-mounted file system on a remote system
• Boot via FTP allows you to download an ADI file containing CSS software
that you want to install on the CSS drive
• Boot via Disk allows you to boot the CSS from software currently on the CSS
drive
• Boot via Clear instructs the CSS to boot the CSS from the secondary boot
record
Refer to the following sections for a description of each Primary Boot Record
option:
• Specifying a Network-Mounted File System as the Primary Boot Record
• Specifying FTP as the Primary Boot Record
• Specifying Disk as the Primary Boot Record
• Specifying Clear as the Primary Boot Record


Specifying a Network-Mounted File System as the Primary Boot Record

Set the Primary Boot Record to Network when you want to boot the system from
a network-mounted file system on a remote system (such as a PC or UNIX
workstation) via FTP. Instead of the CSS disk, the network file system contains
the CSS software. The CSS boots from this file system and loads the configuration
into memory. Perform a network boot when:
• You want multiple CSSs to use the same boot image while keeping their own
configuration information. You provide an alternate path for the location of
the configuration information. However, this information must exist on the
same network file system with the boot image.

Note When using an alternate configuration path, make sure that
the path leads to a directory containing the script, log, and
info subdirectories. These subdirectories must contain the
files in the corresponding subdirectories in the boot image.
Create these subdirectories. Then copy the files from the
boot image.

• The CSS has a disk failure. A network boot allows the CSS to boot
independently from its disk and to load the configuration into memory.
Before the CSS can boot from the network:
• Locate the remote system on the network where you will copy the CSS
software.
– Make sure that the CSS can access the system via FTP.
– Copy the CSS software zip file from the CSS CD onto the system disk.
– Create a directory and unzip the file into it. This directory will contain
all of the boot files and directories.
• On the CSS, create an FTP record to the directory containing the CSS
software on the network drive.
• Make sure that you cable the following port on the CSS to the network:
– CSS 11800 SCM 10/100 Mbps-Ethernet Management port
– CSS 11050 or CSS 11150 rear panel 10/100-Mbps Ethernet Management
port


• Be aware of the following network boot restrictions:
– A network boot is not supported on UNIX workstations.
– The War-FTP daemon is not supported for network-booting the system
software.
When you select Network, the CSS prompts you for the FTP kernel information.
1. Enter the FTP kernel path information. This path is the FTP daemon
addressable location where the boot image has been unpacked. You must also
include its IP address, and the username and password to access it. For
example:
Enter the FTP Kernel path:[] k:/ap0500002
Enter FTP Server IP address:[] 10.3.6.58
Enter FTP Server authentication username:[] mandy
Enter FTP Server authentication password:[] fred

2. If the configuration information is not in the same directory as the boot
image, enter an alternate path to the configuration files, including the
startup-config and script files.

Note The CSS must be able to access the configuration path
through the previously configured FTP server IP address,
login username, and password.

For example:
Enter the FTP Config Path? [] k:/atlanta-config/
Press <Enter> to continue...

3. Press Enter to display the Boot Configuration menu.
4. Enter r to display the Offline DM Main menu.
5. Select Reboot the System to reboot the CSS.
When the CSS completes the current boot process, it:
• Accesses the network file system containing the boot image
• Boots the CSS using the boot image you specified


Specifying FTP as the Primary Boot Record

Set the Primary Boot Record to FTP when you want to upgrade the CSS software
on the CSS disk. The CSS accesses the ADI or GZIP file containing the CSS
software from an FTP server, copies it to the IDM, and unpacks it. Then the CSS
boots from the hard drive.
Make sure that you cable the following port on the CSS to the network:
• CSS 11800 SCM 10/100 Mbps-Ethernet Management port
• CSS 11050 or 11150 rear panel 10/100-Mbps Ethernet Management port
When you select FTP, the CSS prompts you for the boot image filename and FTP
information.
1. If required, enter a valid FTP pathname. For example:
Enter the boot image filename: /ftpimages/ap0500002
Enter FTP Server IP address: 10.3.6.58
Enter FTP Server authentication user name: mandy
Enter FTP Server authentication password: fred

The CSS queries if you want to access the boot image directly from the disk
at the next reboot (that is, the next time you reboot the CSS after completing
this current boot process).
Boot from Disk at next reboot? y/n
Press <Enter> to continue...

2. Enter either:
• y to copy the boot image from the FTP server to the disk. The CSS
accesses the boot image directly from the disk at next reboot. The CSS
also changes the information in the Primary Boot Record to Disk.
• n to FTP the boot image from the FTP server at next reboot.
3. Press Enter to display the Boot Configuration menu.
4. Enter r to display the Offline DM Main menu.
5. Select Reboot the System to reboot the CSS.
When the CSS completes the current boot process, it:
• Accesses the ADI file from the FTP server and unpacks (uncompresses) it
• Boots the CSS using the boot image you specified


Specifying Disk as the Primary Boot Record

When you select Disk as the Primary Boot Record, the CSS displays all boot
image versions that reside on the disk. For example:
ap0401003
ap0410008
ap0500002

1. At the prompt, enter the boot image filename you wish to use.
Enter the boot image filename: ap0500002

2. Press Enter to display the Boot Configuration menu.
Press <Enter> to continue...

3. Press r to display the Offline DM Main menu.
4. Select Reboot the System to reboot the CSS. Upon reboot, the CSS boots up
using the boot image you specified.

Specifying Clear as the Primary Boot Record

To use the Secondary Boot Record information instead of the Primary Boot
Record to boot the CSS:
1. Select Clear as the Primary Boot Record.
2. Press Enter to display the Boot Configuration menu.
3. Press r to display the Offline DM Main menu.
4. Select Reboot the System to reboot the CSS. Upon reboot, the CSS uses the
Secondary Boot Record.


Setting Secondary Boot Configuration


The information you provide for the Secondary Boot Configuration specifies the
location from which the CSS accesses the boot image if you specified Clear as a
Primary Boot Record or the Primary Boot Record fails.
Once you select Set Secondary Boot Configuration from the Boot Configuration
menu, the CSS displays the following information. If you have previously entered
information, the CSS displays the existing information and default values in
[square brackets].
Configuring SECONDARY Boot Record
Boot via [N]etwork, [F]TP, [D]isk, or [C]lear: [D]

• Boot via Network allows you to boot the CSS via FTP from CSS software on
a network-mounted file system on a remote system
• Boot via FTP allows you to download an ADI file containing CSS software
that you want to install on the CSS disk
• Boot via Disk allows you to boot the CSS from software currently on the CSS
disk
• Boot via Clear instructs the CSS to boot the CSS from the primary boot record
Refer to the following sections for a description of each Secondary Boot Record
option:
• Specifying a Network-Mounted File System as the Secondary Boot Record
• Specifying FTP as the Secondary Boot Record
• Specifying Disk as the Secondary Boot Record
• Specifying Clear as the Secondary Boot Record


Specifying a Network-Mounted File System as the Secondary Boot Record

Set the Secondary Boot Record to Network when you want to boot the system
from a network-mounted file system on a remote system via FTP. Instead of the
CSS disk, the network file system contains the CSS software. The CSS boots from
this file system and loads the configuration into memory. Perform a network boot
when:
• You want multiple CSSs to use the same boot image while keeping their own
configuration information. You provide an alternate path for the location of
the configuration information. However, this information must exist on the
same network file system with the boot image.

Note When using an alternate configuration path, make sure that
the path leads to a directory containing the script, log, and
info subdirectories. These subdirectories must contain the
files in the corresponding subdirectories in the boot image.
Create these subdirectories. Then copy the files from the
boot image.

• The CSS has a disk failure. A network boot allows the CSS to boot
independently from its disk and to load the configuration into memory.
Before the CSS can boot from the network:
• Locate the remote system (such as a PC or UNIX workstation) on the network
where you will copy the CSS software.
– Make sure that the CSS can access the system via FTP.
– Copy the CSS software zip file from the CSS CD onto the system disk.
– Create a directory and unzip the file into it. This directory will contain
all of the boot files and directories.
• On the CSS, create an FTP record to the directory containing the CSS
software on the network drive.
• Make sure that you cable the following port on the CSS to the network:
– CSS 11800 SCM 10/100 Mbps-Ethernet Management port
– CSS 11050 or CSS 11150 rear panel 10/100-Mbps Ethernet Management
port


• Be aware of the following network boot restrictions:
– A network boot is not supported on UNIX workstations.
– The War-FTP daemon is not supported for network-booting the system
software.
When you select Network, the CSS prompts you for the FTP kernel information.
1. Enter the FTP kernel path information. This path is the FTP daemon
addressable location where the boot image has been unpacked. You must also
include its IP address, and the username and password to access it. For
example:
Enter the FTP Kernel path:[] k:/ap0500002
Enter FTP Server IP address:[] 10.3.6.58
Enter FTP Server authentication username:[] mandy
Enter FTP Server authentication password:[] fred

2. If the configuration information is not in the same directory as the boot
image, enter an alternate path to the configuration files, including the
startup-config and script files.

Note The CSS must be able to access the configuration path through the
previously configured FTP server IP address, login username, and
password.

For example:
Enter the FTP Config Path? [] k:/atlanta-config/
Press <Enter> to continue...

3. Press Enter to display the Boot Configuration menu.
4. Enter r to display the Offline DM Main menu.
5. Select Reboot the System to reboot the CSS.
When the CSS completes the current boot process, it:
• Accesses the network file system containing the boot image
• Boots the CSS using the boot image you specified


Specifying FTP as the Secondary Boot Record

Set the Secondary Boot Record value to FTP when you want to upgrade the CSS
software on the CSS disk. The CSS accesses the ADI or GZIP file containing the
CSS software from an FTP server, copies it to the IDM, and unpacks it. Then the
CSS boots from the hard drive.
Make sure that you cable the following port on the CSS to the network:
• CSS 11800 SCM 10/100 Mbps-Ethernet Management port
• CSS 11050 or CSS 11150 rear panel 10/100-Mbps Ethernet Management port
When you select FTP, the CSS prompts you for the boot image filename and FTP
information.
1. If required, enter a valid FTP pathname. For example:
Enter the boot image filename: /ftpimages/ap0500002
Enter FTP Server IP address: 10.3.6.58
Enter FTP Server authentication user name: mandy
Enter FTP Server authentication password: fred

The CSS queries if you want to access the boot image directly from the disk
at the next reboot (that is, the next time you reboot the CSS after completing
this current boot process).
Boot from Disk at next reboot? y/n

2. Enter either:
• y to copy the boot image from the FTP server to the disk. The CSS
accesses the boot image directly from the disk at next reboot. The CSS
also changes the information in the Secondary Boot Record to Disk.
• n to FTP the boot image from the FTP server at next reboot.
3. Press Enter to display the Boot Configuration menu.
Press <Enter> to continue...

4. Enter r to display the Offline DM Main menu.
5. Select Reboot the System to reboot the CSS.
When the CSS uses the Secondary Boot Record on reboot, it:
• Accesses the ADI file from the FTP server and unpacks (uncompresses)
the file
• Boots the CSS using the boot image you specified


Specifying Disk as the Secondary Boot Record

When you select Disk as the Secondary Boot Record, the CSS displays all boot
image versions that reside on the disk and prompts you to enter a boot image.
1. Enter a boot image filename.
Boot via [N]etwork, [F]TP, [D]isk, or [C]lear: [D]

ap0401003
ap0410008
ap0500002

Enter the boot image filename: ap0410008

2. Press Enter to display the Boot Configuration menu.
Press <Enter> to continue...

3. Enter r to display the Offline DM Main menu.
4. Select Reboot the System to reboot the CSS. Upon reboot, the CSS boots up
using the boot image you specified.

Specifying Clear as the Secondary Boot Record

If you do not wish to specify a Secondary Boot Record:
1. Select Clear as the Secondary Boot Record.
2. Press Enter to display the Boot Configuration menu.
3. Enter r to display the Offline DM Main menu.
4. Select Reboot the System to reboot the CSS. Upon reboot, the CSS uses the
Primary Boot Record.


Setting IP Address, and Subnet Mask


When you select Set IP Address and Subnet Mask from the Boot Configuration
menu, the CSS prompts you to:
1. Enter an IP address for the Ethernet Management port. The CSS does not
accept an all zero IP address. If you enter an all zero IP address, the CSS
repeats the prompt until you enter an IP address.

Note The Ethernet Management port IP address must be on a
different subnet than any other CSS VLAN circuit IP subnet.
If you do not make the Ethernet Management port IP address
unique, you will not be able to access the port.

Enter IP Address: [0.0.0.0] 10.3.6.58

2. Enter a subnet mask.
Enter Subnet Mask: [0.0.0.0] 255.0.0.0

3. Press Enter to display the Boot Configuration menu.
Press <Enter> to continue...

4. Enter r to display the Offline DM Main menu.
5. Select Reboot the System to reboot the CSS.


Showing the Boot Configuration


When you select Show Boot Configuration from the Offline DM Main menu, the
CSS displays the following boot information. Note that the Miscellaneous
information only displays if you set password-protection on the Offline DM Main
menu.
***************** Miscellaneous ********************
Offline Diagnostic Monitor menu is password-protected
***************** IP/MAC Information ***************
IP Address: 10.3.6.58
Subnet Mask: 255.0.0.0
MAC Address 00-10-58-00-12-ca
***************** PRIMARY **************************
Boot Type: DISK
Boot File: ap0500002
***************** SECONDARY ************************
Boot Type: DISK
Boot File: ap0410008

1. Press Enter to display the Offline DM Main menu.
Press <Enter> to continue...

2. Enter option 3 to reboot the system. The following reboot confirmation is
displayed:
Are you sure you want to reboot? (y/n)

3. Enter either:
• y to reboot
• n to continue using the Offline DM Main menu
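
As an added example (not Cisco code), this Python sketch audits a captured Show Boot Configuration display: it reports when the Miscellaneous block is absent, meaning the Offline DM Main menu is not password-protected, checks the management subnet against the circuit subnets you pass in, and lists the boot records the CSS will try in the order of Figure 1-2. The Boot Type strings FTP, NETWORK and CLEAR, the finding codes and the circuit subnet values are assumptions; the page shows only DISK.

```python
import ipaddress
import re

# Constructed sample: the display shown above without its Miscellaneous block,
# which the guide says appears only when the menu is password-protected.
SAMPLE = """\
***************** IP/MAC Information ***************
IP Address: 10.3.6.58
Subnet Mask: 255.0.0.0
MAC Address 00-10-58-00-12-ca
***************** PRIMARY **************************
Boot Type: DISK
Boot File: ap0500002
***************** SECONDARY ************************
Boot Type: DISK
Boot File: ap0410008
"""

BANNER = re.compile(r"^\*+\s*(.+?)\s*\*+$")   # "***** NAME *****" section line


def parse_boot_config(text):
    """Split the display into {section: {"fields": {...}, "notes": [...]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = BANNER.match(line)
        if banner:
            current = sections.setdefault(banner.group(1),
                                          {"fields": {}, "notes": []})
        elif current is not None:
            key, sep, value = line.partition(":")
            if sep:
                current["fields"][key.strip()] = value.strip()
            else:
                current["notes"].append(line)   # lines without "key: value"
    return sections


def boot_order(sections):
    """Records the CSS tries, in order; a Clear record counts as not configured."""
    order = []
    for name in ("PRIMARY", "SECONDARY"):
        fields = sections.get(name, {}).get("fields", {})
        boot_type = fields.get("Boot Type", "CLEAR").upper()  # assumed spelling
        if boot_type != "CLEAR":
            order.append((name, boot_type))
    return order


def audit(text, circuit_subnets=()):
    """Return finding codes for one captured display."""
    sections = parse_boot_config(text)
    findings = []

    misc = sections.get("Miscellaneous", {"notes": []})
    if not any("password-protected" in note for note in misc["notes"]):
        findings.append("offdm-unprotected")

    ip = sections.get("IP/MAC Information", {}).get("fields", {})
    if "IP Address" in ip and "Subnet Mask" in ip:
        mgmt = ipaddress.ip_interface(
            f'{ip["IP Address"]}/{ip["Subnet Mask"]}').network
        for cidr in circuit_subnets:            # caller-supplied VLAN circuit subnets
            if mgmt.overlaps(ipaddress.ip_network(cidr)):
                findings.append(f"mgmt-subnet-overlap:{cidr}")

    order = boot_order(sections)
    if not order:
        findings.append("no-boot-record")
    for name, boot_type in order:
        if boot_type in ("FTP", "NETWORK"):     # image and login cross the network via FTP
            findings.append(f"ftp-boot:{name}")
    return findings


if __name__ == "__main__":
    print(boot_order(parse_boot_config(SAMPLE)))
    print(audit(SAMPLE, ["10.20.0.0/16"]))
```
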


Using the Advanced Options


The CSS hard disk enables you to store four versions of software (including the
version you are currently running) and the flash disk allows you to store two
versions of software. If you are storing the maximum number of software versions
and wish to download a new version to the disk, you must delete a version before
the CSS allows the download to begin.
When you select Advanced Options from the Offline DM Main menu, the CSS
displays the Advanced Options menu:
A D V A N C E D O P T I O N S

Enter the number of a menu selection:

1. Delete a Software Version
2* Security Options
3* Disk Options
r. Return to previous menu

Deleting a Software Version


To delete a software version from the disk:
1. Enter option 1 to display the software versions currently stored on the disk.
The CSS prompts you to enter the software version to delete. For example:
ap0401003
ap0410008
ap0500002

Enter the software version to delete: ap0410008

2. Press Enter to redisplay the Advanced Options menu.
Press <Enter> to continue...

3. Enter r to display the Offline DM main menu.
4. Select Reboot the System to reboot the CSS.


Using the Security Options


The Security Options menu enables you to:
• Set Password Protection on the Offline Diagnostic Monitor menu
• Set Administrative Username and Password
The Security Options menu is shown below:
S E C U R I T Y O P T I O N S

Enter the number of a menu selection:

1. Set Password Protection for Offline Diagnostic Monitor menu
2. Set Administrative Username and Password
r. Return to previous menu

Setting Password Protection

The CSS enables you to password-protect the Offline DM Main menu to protect
it against unauthorized access. The default is disabled; no password is required to
access the Offline DM Main menu.

Caution Use care when password-protecting the Offline DM Main menu and
ensure that you write down the new password. If you lose the new
password, it cannot be recovered and you will be unable to access
the Offline DM Main menu. The only solution, at that point, would
be to contact the Cisco Technical Assistance Center (TAC) at
1-800-553-2447 or 1-408-526-7209. You can also email TAC at
tac@cisco.com.


To access the Offline DM Main menu password protection option:
1. Enter option 1 from the Security Options menu.
Password protect Offline Diagnostic Monitor menu (yes,no):
The administrative username and password are required to access
the Offline Diagnostic Monitor menu.

• When you enter yes, the CSS prompts you to enter a username and
password when you access the Offline DM Main menu.
• When you enter no, the CSS does not prompt for a username and
password when you access the Offline DM Main menu.
2. Press Enter to redisplay the Security Options menu.
Press <Enter> to continue...

3. Enter r to return to the Advanced Options menu.
4. Enter r to return to the Offline DM Main menu.
5. Enter either:
• Option 4 to reboot the CSS
• Another option to continue using the Offline DM Main menu

Setting an Administrative Username and Password

For security reasons, you can change the administrative username and password
through either the Offline DM Main menu or the username-offdm command.
Unlike other usernames and passwords, the CSS saves the administrative
username and password in nonvolatile RAM (NVRAM). Anytime you reboot the
CSS, it reads them from NVRAM and reinserts them into the user database.

Note You cannot permanently delete an administrative username and
password. If you delete them by using the no username command,
they are removed from use until you reboot the CSS. When you
reboot the CSS, it restores the username and password from
NVRAM.


To configure an administrative username and password through the Offline DM
Main menu:
1. Enter option 2 from the Security Options menu.
2. Enter a username. The CSS prompts for this username when you log in. The
CSS also prompts for this username and password if you set
password-protection on the Offline DM Main menu.
Enter [administrator] username (minimum 4 characters):

3. Enter a password. Note that the CSS does not display passwords.
Enter [administrator] password:

4. Re-enter the password for confirmation.
Confirm [administrator] password:

The CSS redisplays the Security Options menu.
5. Enter r to return to the Advanced Options menu.
6. Enter r to return to the Offline DM Main menu.
7. Enter either:
• Option 4 to reboot the CSS
• Another option to continue using the Offline DM Main menu

Using the Disk Options


The Disk Options menu enables you to:
• Format disk - Enables you to reformat the disk. This option permanently
erases all data on the disk. If you wish to retain the startup-config, ensure that
you move it off the CSS before reformatting the disk. Also make sure that you
have a copy of the CSS software ADI file to reinstall on the CSS.
• Check disk - Enables you to run a quick check disk or a complete check disk.
• Check disk disable - Allows you to disable running check disk at boot time
or enable it again. By default, check disk is enabled.


The Disk Options menu is shown below:


D I S K O P T I O N S

Enter the number of a menu selection:

1. Format Disk
2. Check Disk
3. Check Disk Disable
r. Return to previous menu

Reformatting the Disk

If the CSS detects unrecoverable errors when performing a check disk, you must
reformat the disk. Reformatting the disk erases all data from the disk permanently.
To reformat the disk:
1. Enter option 1 from the Disk Options menu.
Formatting the disk results in all disk data being permanently
erased.
Are you sure you want to continue? (yes,no):

Enter either:
• yes to reformat the disk.
• no to abort the reformat function. If the disk has unrecoverable errors and
you do not reformat it, be aware that the file system may be corrupt and
functionality is compromised.
2. The CSS queries whether you want to perform a quick format or a complete
format.
Enter either:
• yes to reformat the disk using the quick format (does not perform cluster
verification). Only use the quick format when you are certain of the disk
integrity.
• no to reformat the disk including cluster verification.
Quick format? (yes,no):

After the CSS reformats the disk, it displays:


Operation completed successfully.

3. Enter r to return to the Advanced Options menu.

4. Enter r to return to the Offline DM Main menu.


Because the disk is empty, you must configure a primary boot record to
instruct the CSS where to locate the new ADI file containing the CSS
software.
5. Enter option 1 to set the primary boot configuration. Refer to “Setting
Primary Boot Configuration” in this chapter.
If you do not set the primary boot configuration before booting the CSS, the
boot process halts at the prompt:
Press any key to access the Offline Diagnostic Monitor menu...

You must enter the Offline DM Main menu to set the primary boot
configuration.

Performing a Check Disk

When the CSS boots up, it checks the results of the previous shutdown. If the
CSS:
• Does not detect errors, it reports a status of OK and continues the boot
process
Reading configuration records...OK
Checking previous shutdown...OK
Initializing the disk...OK

• Detects errors, it returns a status of DIRTY


Reading configuration records...OK
Checking previous shutdown...DIRTY
Initializing the disk...OK

If the CSS reports that the disk is dirty, it has discovered errors on the disk. In this
case, the CSS automatically performs a check disk to recover from the errors and
maintain the integrity of the disk.

During a check disk, the CSS:


• Detects and recovers from the following error conditions:
– File Allocation Tables (FATs) are out of synchronization
– Sector write truncation revitalization (may occur from a power loss at the
time the CSS is writing to the disk)
– Bad cluster identification and mapping in the FAT when reformatting the
disk
– Crosslinked FAT entries
– Disk entry validation, name, size, cluster assignment, cluster chaining
– Recovery of lost clusters
• Cannot recover from sector failures within the first 754 sectors (for example,
boot, primary/secondary FAT, root directory entries).
The amount of time the CSS requires to perform a check disk is proportional to
the number of installed software releases and directories on the disk. The greater
the number of installed software releases and directories, the longer it takes to
complete the check disk.
To perform a check disk:
1. Enter option 2 from the Disk Options menu.
Choose whether or not you want the CSS to correct errors it detects. Enter
either:
• yes to enable the CSS to correct recoverable errors it detects. When the
CSS completes check disk, it displays a summary of what was fixed.
• no to prevent the CSS from correcting recoverable errors it detects. The
CSS displays a summary of what would have been fixed if you had run check
disk.
Correct errors if discovered (yes,no):

2. Choose whether you want the CSS to perform a quick check disk or a
complete check disk. Enter either:
• yes to instruct the CSS to perform a quick check disk (does not include
cluster verification)
• no to instruct the CSS to perform a complete check disk (includes cluster
verification)
The CSS performs check disk. When completed, it displays:
Operation completed successfully.
Press <Enter> to continue...

3. Enter r to return to the Advanced Options menu.


4. Enter r to return to the Offline DM Main menu.
5. Enter option 4 to reboot the CSS.

Disabling or Enabling Check Disk

By default, the CSS performs a check disk when it boots. The Disk Options menu
provides an option that allows you to disable the running of check disk or reenable
it. When you select this option, it toggles to disable check disk if it is currently
enabled, or to enable check disk if it is currently disabled.
For example, if check disk is currently enabled, to disable it:
1. Enter option 3 from the Disk Options menu.
2. Enter r to return to the Advanced Options menu.
3. Enter r to return to the Offline DM Main menu.
4. Enter option 2 to display the boot configuration.

When check disk is disabled, the boot configuration displays the following:


****************** Miscellaneous **********************
Check Disk is disabled
***************** IP/MAC Information ***************
IP Address: 10.3.6.58
Subnet Mask: 255.0.0.0
MAC Address: 00-10-58-00-12-ca
***************** PRIMARY **************************
Boot Type: DISK
Boot File: ap0500002
***************** SECONDARY ************************
Boot Type: DISK
Boot File: ap0410008
Press <Enter> to continue...

If check disk is currently disabled, to reenable it:


1. Enter option 3 from the Disk Options menu.
2. Enter r to return to the Advanced Options menu.
3. Enter r to return to the Offline DM Main menu.
4. Enter option 2 to display the boot configuration.
When check disk is enabled, no state information appears in the
Miscellaneous field of the boot configuration:
***************** IP/MAC Information ***************
IP Address: 10.3.6.58
Subnet Mask: 255.0.0.0
MAC Address: 00-10-58-00-12-ca
***************** PRIMARY **************************
Boot Type: DISK
Boot File: ap0500002
***************** SECONDARY ************************
Boot Type: DISK
Boot File: ap0410008
Press <Enter> to continue...

Enabling and Disabling Core Dumps


A core dump occurs when the CSS experiences a fatal error. The CSS allows you
to enable or disable core dumps. Core dumps are enabled by default.
When the CSS experiences a fatal error and core dumps are enabled, the CSS:
• Writes information about the fatal error to the Core directory of the volume
root (for example, c:\core) on either the:
– Hard disk, which can store up to 30 sequentially numbered dump files
– Flash disk, which stores one compressed dump file of 70 MB
• Reboots automatically

Note For a flash disk-based system, if the core dump file is older than 15
minutes, it may be overwritten. If you want to save the core dump
file for later examination, archive it to another directory or disk
before it is overwritten. For details on using the archive log
command, refer to “Archiving a Log File” later in this chapter.

When the CSS experiences a fatal error and core dumps are disabled, the CSS
reboots automatically. The CSS does not write information to the hard disk or the
flash disk.

Note Core dump information is for Customer Support use only.

To disable core dumps, enter:


(config)# dump disable

To reenable core dumps (the default setting), enter:


(config)# dump enable

To show the CSS dump state, enter:


(config)# show dump-status
Dump mode is enabled

Showing Core Dumps


Use the show core command to display the core dump files stored in the Core
directory of the volume root (for example, c:\core) on the hard disk or flash disk.
This command is available only in SuperUser mode.
For example:
(config)# show core
css150_3.50_6.1 JUN 30 10:45:24 130024448
css150_3.50_6.0 JUN 30 17:14:00 130024448

CSS Software Overview


The CSS software contains the files to run the CSS including boot files,
directories for archiving and logging files, and MIB information. This software is
pre-installed on the CSS conventional hard disk drive or an optional flash disk, a
flash memory-based storage device (CSS 11150 and CSS 11800, only).
You can also install the CSS software on a network drive which the CSS can
access through FTP. The Content Services Switch Documentation and System
Software CD contains the CSS software for the network drive. This software is in
ZIP format and must be copied and uncompressed on a network drive. For more
information on booting the CSS from a network boot drive, refer to Chapter 2,
Configuring User Profiles and CSS Parameters.
The CSS software is approximately 20 MB in size. If you have a hard disk-based
system, you can install a maximum of four software versions on your CSS. If you
have a flash disk-based system (CSS 11150 or CSS 11800), you can install a
maximum of two software versions on your CSS.
To display the maximum number of versions allowed on your CSS, use the show
installed-software version-limit command. To view all versions installed on the
CSS, use the show installed-software command.
The software version format is defined as follows:
ap 00 00 000
• ap - Build prefix
• 00 - Major version
• 00 - Minor version
• 000 - Build number
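The version format above and the boot configuration display shown earlier in this chapter can be checked together when auditing a captured console session. The following Python code is an added example, not part of the Cisco guide or the CSS software: it reads the display, reports whether check disk is disabled, and decodes each boot file name into prefix, major, minor, and build. The function names are hypothetical, and it assumes the build prefix is lowercase letters as in the page's ap example.

```python
import re

# Constructed sample: the boot configuration display shown earlier in this
# chapter, captured with check disk disabled.
DISPLAY_DISABLED = """\
****************** Miscellaneous **********************
Check Disk is disabled
***************** IP/MAC Information ***************
IP Address: 10.3.6.58
Subnet Mask: 255.0.0.0
MAC Address: 00-10-58-00-12-ca
***************** PRIMARY **************************
Boot Type: DISK
Boot File: ap0500002
***************** SECONDARY ************************
Boot Type: DISK
Boot File: ap0410008
Press <Enter> to continue...
"""

# With check disk enabled the Miscellaneous block is absent from the display.
DISPLAY_ENABLED = DISPLAY_DISABLED.split("\n", 2)[2]

BANNER = re.compile(r"^\*{3,}\s*(.+?)\s*\*{3,}$")
# Assumption: prefix is lowercase letters, then 2 + 2 + 3 digits.
BOOT_FILE = re.compile(r"^([a-z]+)(\d{2})(\d{2})(\d{3})$")


def decode_boot_file(name):
    """Split a boot file name into (prefix, major, minor, build)."""
    match = BOOT_FILE.match(name)
    if not match:
        raise ValueError(f"not in prefix/major/minor/build form: {name!r}")
    prefix, major, minor, build = match.groups()
    return prefix, int(major), int(minor), int(build)


def parse_display(text):
    """Group the display into {section: {"fields": {...}, "lines": [...]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Press <Enter>"):
            continue
        banner = BANNER.match(line)
        if banner:
            current = sections.setdefault(
                banner.group(1), {"fields": {}, "lines": []})
        elif current is not None:
            key, sep, value = line.partition(":")
            if sep:
                current["fields"][key.strip()] = value.strip()
            else:
                current["lines"].append(line)  # free text, e.g. check disk state
    return sections


def audit_boot_config(text):
    """Report check disk state, decoded boot versions, and findings."""
    sections = parse_display(text)
    misc = sections.get("Miscellaneous", {"lines": []})["lines"]
    report = {"check_disk_enabled": "Check Disk is disabled" not in misc,
              "boot": {}, "findings": []}
    if not report["check_disk_enabled"]:
        report["findings"].append("check disk will not run at boot")
    for slot in ("PRIMARY", "SECONDARY"):
        fields = sections.get(slot, {"fields": {}})["fields"]
        boot_file = fields.get("Boot File")
        if boot_file is None:
            report["findings"].append(f"{slot}: display has no Boot File field")
            continue
        try:
            report["boot"][slot] = decode_boot_file(boot_file)
        except ValueError as exc:
            report["findings"].append(f"{slot}: {exc}")
    return report


if __name__ == "__main__":
    for name, text in (("disabled", DISPLAY_DISABLED),
                       ("enabled", DISPLAY_ENABLED)):
        print(name, audit_boot_config(text))
```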
From an FTP server, you can view the following directories on the hard disk or
flash disk:
• The log directory contains the following log files:
– boot.log - ASCII log of boot process
– boot.bak - Backup of the previous boot log
– sys.log - ASCII log of system events (logging to disk is enabled by
default to subsystem all and level info)
– sys.log.prev - Backup of the previous system log file (if any)
• The scripts directory contains default, profile, and sample scripts.

• The core directory contains any core dumps created by the CSS. For
information on copying core dumps to an FTP or TFTP server, refer to
“Copying Core Dumps to an FTP or TFTP Server” later in this chapter.
• The MIB directory contains MIB files that you can load into SNMP-compliant
network management software applications.

Note When you view the CSS software directories installed on a network
drive, more directories are listed than those you can view on the hard
disk or flash disk. These additional directories are reserved for
internal use. Do not manipulate the files in these directories.

The software directory also contains the startup-config file. This is an ASCII file
containing commands the CSS executes at startup. This file is created when you:
• Finish using the configuration script.
• Issue the copy running-config startup-config or write memory command.
Both commands save configuration changes to the startup-config during a
CSS session. The write memory command also archives the startup
configuration file to the archive directory on the CSS (similar to the archive
startup-config command, as described in “Archiving Files to the Archive
Directory” in this chapter).
• Use File Transfer Protocol (FTP) to copy a startup-config file to the CSS.
The archive directory contains the files that you archive from the current software
by using the archive command. These files include running-config,
startup-config, log files, profile scripts, and scripts you create. You can view a list
of archived files by using the show archive ? command.
To restore any archived files to the CSS, use the restore command. For more
information on the archive and restore commands, refer to “Archiving Files
to the Archive Directory” and “Restoring Files from the Archive Directory” in
this chapter.

To view general information about the CSS disk, use the show disk command.
Table 1-6 describes the fields in the show disk output.

Table 1-6 Field Descriptions for the show disk Command

Field               Description
Disk Size           The total size of the disk in megabytes.
                    Note The CSS flash disk has a disk size of 350 MB,
                    however 130 MB is reserved for the generation of
                    dump files. This dump partition is not available to
                    the CSS file system, and is not included in the
                    Disk Size field. The CSS hard disk is allocated a
                    similar but larger dump partition.
Disk Free           The available disk space in megabytes.
Bad Cluster Count   The number of bad clusters on the disk.
File Count          The number of files on the disk.
Directory Count     The number of directories on the disk.

Using the Running-Config and Startup-Config


When you make configuration changes to the CSS, the changes are placed in a
virtual running-configuration file (running-config). Before you log out or reboot
the CSS, you must copy the running-config to the startup-config to save
configuration changes and have the CSS use this configuration on subsequent
reboots.
To save the running-config to the CSS disk, use one of the following commands:
• copy running-config startup-config - Copies the running-config to the
startup-config. The CSS uses the startup-config upon reboot. If you do not
copy the running-config to the startup-config before you reboot, changes to
the running-config are lost.
• write memory - Copies the running-config to the startup-config (similar to
the copy running-config startup-config command). In addition, the write
memory command also archives the startup configuration file to the archive
directory on the CSS (similar to the archive startup-config command, as
described in “Archiving Files to the Archive Directory” in this chapter).
• copy startup-config running-config - Copies the startup-config to the
running-config, merging its contents with the running-config.
The copy running-config command can also copy the running configuration to
an FTP or TFTP server. The options for this command are:
• copy running-config ftp ftp_record filename - Copy the running
configuration to an FTP server.
• copy running-config tftp IP address - Copy the running configuration to a
TFTP server using the TFTP server IP address.
• copy running-config tftp hostname - Copy the running configuration to a
TFTP server using the TFTP server hostname.
The copy startup-config command can copy the startup configuration to an FTP
or TFTP server. The options for this command are:
• copy startup-config ftp ftp_record filename - Copy the startup configuration
to an FTP server.
• copy startup-config tftp IP address - Copy the startup configuration to a
TFTP server using the TFTP server IP address.
• copy startup-config tftp hostname - Copy the startup configuration to a
TFTP server using the TFTP server hostname.

Clearing the Running-Config and the Startup-Config


To reset the running-config to the default configuration, use the clear
running-config command in SuperUser mode. This command takes effect
immediately. Note that the clear running-config command resets all
configurations to their defaults.

Caution The execution of the clear running-config command is restricted to
CSS users who are identified as either an administrator or a
technician.

For example:
# clear running-config

To reset the startup-config to the default configuration, use the clear
startup-config command in SuperUser mode. This command takes effect upon
the next reboot. For example:
# clear startup-config

Showing the Running-Config


To display the CSS running configuration, use the show running-config
command. The CSS does not display default configurations in the running-config.
The syntax and options for this command are:
• show running-config - Display all components of the running-config.
• show running-config acl {index number} - Display Access Control List
(ACL) information of the running-config. For information about a specific
ACL, include its index number.
• show running-config circuit {circuit name} - Display the circuit
components of one or all circuits in the running-config.
• show running-config global - Display the global components of the
running-config.
• show running-config group {group name} - Display the valid existing group
components of the running-config. For information about a specific group,
enter the group name as a case-sensitive unquoted text string.

• show running-config header-field-group {name} - Display the valid
existing header-field group components of the running-config. For
information about a specific group, enter name as a case-sensitive unquoted
text string with a maximum length of 16 characters. To see a list of
header-field groups, enter show running-config header-field-group ?.
• show running-config interface interface name - Display a specific interface
component of the running-config.
– For a CSS 11050 or CSS 11150, enter the interface name in interface-port
format (for example, e2)
– For a CSS 11800, enter the interface name in slot/port format (for
example, 3/1)
• show running-config interfaces - Display all the interface components of
the running-config.
• show running-config keepalive {keepalive name} - Display the existing
keepalive components of the running configuration. For information about a
specific keepalive, enter the keepalive name as a case-sensitive unquoted text
string with a maximum length of 32 characters. To see a list of keepalives,
enter show keepalive-summary.
• show running-config owner {owner name} - Display the valid existing
owner components of the running-config. For information about a specific
owner, enter the owner name as a case-sensitive unquoted text string.
• show running-config service {service name} - Display the components of
the running-config for a valid existing service. For information about a
specific service, enter the service name as a case-sensitive unquoted text
string.
• show running-config urql {urql name} - Display the components of the
running-config for existing Uniform Resource Locator Qualifier Lists
(URQL). For information about a specific URQL, enter the URQL name as a
case-sensitive unquoted text string.
• show running-config dql {dql name} - Display Domain Qualifier List
(DQL) information of the running-config. For information about a specific
DQL, enter the DQL name as a case-sensitive unquoted text string.
• show running-config eql {eql name} - Display Extension Qualifier List
(EQL) information of the running-config. For information about a specific
EQL, enter the EQL name as a case-sensitive unquoted text string.

• show running-config nql {name} - Display Network Qualifier List (NQL)
information of the running configuration. For information about a specific
NQL, enter the NQL name as a case-sensitive unquoted text string.
• show running-config rmon-alarm - Display RMON alarm information of
the running configuration.
• show running-config rmon-event - Display RMON event information of the
running configuration.
• show running-config rmon-history - Display RMON history information of
the running configuration.
An example of a running-config is shown below. Comments are preceded by an
exclamation point (!). Note that the CSS does not display default values in the
running- or startup-config even if you enter the values manually.
# show running-config

!************************ GLOBAL **********************
ip route 0.0.0.0/0 158.3.7.2
!********************** INTERFACE *********************
interface e1
  bridge vlan 2
interface e2
  bridge vlan 2
!*********************** CIRCUIT **********************
circuit VLAN1
  ip address 10.3.6.58 255.255.255.0
circuit VLAN2
  ip address 158.3.7.58 255.255.255.0
!*********************** SERVICE **********************
service serv1
  ip address 10.3.6.1
  active

service serv2
  ip address 10.3.6.2
  active
!************************ OWNER ***********************
owner arrowpoint.com
  content rule1
    ip address 158.3.7.43
    protocol tcp
    port 80
    add service Serv1
    add service Serv2
    active

Showing the Startup-Config


Once you copy the running-config to the startup-config, use the show
startup-config command to display the startup-config. The CSS does not display
default configurations in the startup-config.
The show startup-config command has two options:
• show startup-config - Display the startup-config
• show startup-config line-numbers - Display the startup-config with line
numbers
An example of a startup-config is shown below. Comments are preceded by an
exclamation point (!).
# show startup-config line-numbers

1. !Generated MAR 6 18:56:11
2. configure
3. !********************** CIRCUIT **********************
4. circuit VLAN1
5. ip address 192.168.2.170 255.255.255.0
6. ip address 192.168.1.108 255.255.255.0
7. !********************** SERVICE **********************
8. service s1
9. ip address 192.168.2.4
10. keepalive type none
11. active
12. !*********************** OWNER ***********************
13. owner rose
14. content rule-L3
15. vip address 192.168.128.108
16. add service s1
17. active
18. content rule-L5
19. add service s1
20. vip address 192.168.128.108
21. url "/*"
22. active

Creating a Running-Config or Startup-Config Using a Text Editor


If you create a running- or startup-config using a text editor, you must arrange the
configuration information in the same order as an automatically created running-
or startup-config. The CSS arranges configuration information in the following
categories within the running-config and startup-config files:
• Global - Contains configuration information relating to the CSS (for
example, default route IP address)
• Interface - Contains physical port and VLAN associations
• Circuit - Contains circuit VLAN IP addresses and subnet masks
• Keepalive - Contains the global keepalive configuration
• Service - Contains service names, IP addresses, and all service configuration
information
• EQL - Contains Extension Qualifier List (EQL) configuration
• Owner - Contains owner name, content rule name, and content rules
• Group - Contains source group configurations
• RMON Event - Contains RMON event configurations
• RMON Alarm - Contains RMON alarm configurations
• RMON History - Contains RMON history configurations
• ACL - Contains ArrowPoint Control List (ACL) configurations
• URQL - Contains Uniform Resource Locator Qualifier List (URQL)
configurations
Though the CSS organizes configuration information automatically, the order in
which you configure the CSS is important because of interdependencies within
CSS functionality. Enter configuration commands for features in the same
sequence as they appear in the startup-config.
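A hand-edited configuration can be checked against this ordering before it is copied to the CSS. The following Python code is an added example, not part of the Cisco guide or the CSS software: it verifies that section banners follow the category order listed above and that each add service command refers to a service defined earlier in the file. The function names are hypothetical, and the banner text for categories that the page's sample configurations do not show is an assumption.

```python
import re

# Category order from the list above. Banner text for categories the page's
# samples do not show (KEEPALIVE, EQL, GROUP, RMON ..., ACL, URQL) is an
# assumption modelled on the GLOBAL/CIRCUIT/SERVICE/OWNER banners.
CATEGORY_ORDER = ["GLOBAL", "INTERFACE", "CIRCUIT", "KEEPALIVE", "SERVICE",
                  "EQL", "OWNER", "GROUP", "RMON EVENT", "RMON ALARM",
                  "RMON HISTORY", "ACL", "URQL"]

BANNER = re.compile(r"^!\*+\s*([A-Z ]+?)\s*\*+$")
NUMBERED = re.compile(r"^\s*\d+\.\s+")

# The startup-config example from this chapter, as printed by
# "show startup-config line-numbers".
PAGE_CONFIG = """\
1. !Generated MAR 6 18:56:11
2. configure
3. !********************** CIRCUIT **********************
4. circuit VLAN1
5. ip address 192.168.2.170 255.255.255.0
6. ip address 192.168.1.108 255.255.255.0
7. !********************** SERVICE **********************
8. service s1
9. ip address 192.168.2.4
10. keepalive type none
11. active
12. !*********************** OWNER ***********************
13. owner rose
14. content rule-L3
15. vip address 192.168.128.108
16. add service s1
17. active
18. content rule-L5
19. add service s1
20. vip address 192.168.128.108
21. url "/*"
22. active
"""

# Constructed sample: a hand-edited file with OWNER placed before SERVICE.
HAND_EDITED = """\
!*********************** OWNER ***********************
owner rose
  content rule-L3
    add service s1
    active
!********************** SERVICE **********************
service s1
  ip address 192.168.2.4
  active
"""


def strip_line_numbers(text):
    """Drop the "N. " prefixes added by the line-numbers option, if present."""
    lines = text.splitlines()
    body = [line for line in lines if line.strip()]
    if body and all(NUMBERED.match(line) for line in body):
        return [NUMBERED.sub("", line) for line in lines]
    return lines


def check_order(text):
    """Return (line, message) findings for a running- or startup-config."""
    findings, latest, defined = [], -1, set()
    for lineno, raw in enumerate(strip_line_numbers(text), 1):
        line = raw.strip()
        banner = BANNER.match(line)
        if banner:
            name = banner.group(1)
            if name not in CATEGORY_ORDER:
                findings.append((lineno, f"unknown section {name!r}"))
            elif CATEGORY_ORDER.index(name) < latest:
                findings.append(
                    (lineno, f"{name} placed after {CATEGORY_ORDER[latest]}"))
            else:
                latest = CATEGORY_ORDER.index(name)
            continue
        words = line.split()
        if not words or line.startswith("!"):
            continue  # blank line or comment
        if words[0] == "service" and len(words) == 2:
            defined.add(words[1])
        elif words[:2] == ["add", "service"] and len(words) == 3:
            # Exact match: the page describes service names as case-sensitive.
            if words[2] not in defined:
                findings.append(
                    (lineno, f"add service {words[2]} precedes its definition"))
    return findings


if __name__ == "__main__":
    print(check_order(PAGE_CONFIG))
    print(check_order(HAND_EDITED))
```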

Archiving Files to the Archive Directory


Use the archive command and options to archive files. Archiving is useful when
you update software and want to save a script, log, or startup-config file from a
previous release of software. The archive directory on the CSS disk stores the
archive files. This command is available only in SuperUser mode.
To display the contents of the archive directory, enter show archive ?. Archive
files include running- and startup-config files, scripts, and user profiles. This
command is available only in SuperUser mode.

Note You must archive your startup-config and scripts before you upgrade
the CSS software or these files will be overwritten during the
upgrade. Once the upgrade is complete and the CSS has rebooted,
use the restore command to copy these files from the archive
directory to be used as current startup-config and scripts.

The options for this command are:


• archive log - Archive a log file
• archive running-config - Archive a running configuration
• archive script - Archive a script file
• archive startup-config - Archive the startup configuration file

Archiving a Log File


Use the archive log command to archive a log file. The syntax for this command
is:
archive log log_filename {archive_filename}
The variables are:
• log_filename - The filename of the log to archive. To see a list of log files,
enter archive log ?.
• archive_filename - An optional name you want to assign to the archive file.
Enter an unquoted text string with a maximum length of 32 characters.

Archiving the Running-Config


Use the archive running-config command to archive the running-config. Enter
the archive_filename as the name you want to assign to the archive file. The
archive_filename is an unquoted text string with a maximum length of
32 characters. The syntax for this command is:
archive running-config archive_filename

Archiving Scripts
Use the archive script command to archive a script file. The syntax for this
command is:
archive script script_filename {archive_filename}
The variables are:
• script_filename - The filename of the script to archive. To see a list of scripts,
enter archive script ?.
• archive_filename - An optional name you want to assign to the archive file.
Enter an unquoted text string with a maximum length of 32 characters.

Archiving the Startup-Config


Use the archive startup-config command to archive the startup configuration
file. Enter the archive_filename as an optional name you want to assign to the
archive file. Enter an unquoted text string with a maximum length of
32 characters. The syntax for this command is:
archive startup-config {archive_filename}

Clearing the Archive Directory


Use the clear archive command to clear a file in the archive directory. Enter the
archive_filename as the name of the archive file to clear. To list the archive files,
enter clear archive ?. The syntax for this command is:
clear archive archive_filename

Restoring Files from the Archive Directory


Use the restore command to restore files previously archived in the CSS archive
directory. The archive directory on the CSS disk stores log, script, and
startup-config files. This command is available in SuperUser mode. The options
for this command are:
• restore archive_filename log - Restore an archived log file to the log
subdirectory
• restore archive_filename script - Restore an archived script file to the script
subdirectory
• restore archive_filename startup-config - Restore an archived
startup-config file to the startup configuration

Note The archive directory resides on the CSS hard drive. If you booted
your CSS from a network-mounted system and your hard drive is not
working, archive- and restore-related functions are suspended.

For more information on these options and associated variables, refer to the
following sections.

Restoring an Archived Log File


Use the restore log command to restore an archived log file to the log
subdirectory. The syntax for this command is:
restore archive_filename log {log_filename}
The variables are:
• archive_filename - The name of the archived log file. Enter an unquoted text
string. To see a list of archived files, enter restore ?.
• log_filename - An optional name you want to assign to the restored log file.
Enter an unquoted text string with a maximum length of 32 characters.
The following example restores the log file arrowlog to the log subdirectory and
renames it to arrowpointlog.
# restore arrowlog log arrowpointlog

Restoring an Archived Script File


Use the restore archive_filename script command to restore an archived script
file to the script subdirectory. The syntax is:
restore archive_filename script {script_filename}
The variables are:
• archive_filename - The name of the archived file. Enter an unquoted text
string. To see a list of archived files, enter restore ?.
• script_filename - An optional name you want to assign to the script file. Enter
an unquoted text string with a maximum length of 32 characters.
The following example restores the script arrowscript to the script subdirectory.
# restore arrowscript script

Restoring an Archived Startup-Config


Use the restore archive_filename startup-config command to restore an archived
file to the startup configuration. Enter the archived startup-config filename as an
unquoted text string. To see a list of archived files, enter restore ?.

Caution The restored file overwrites the startup configuration.

The syntax is:
restore archive_filename startup-config
The following example restores the archived startup-config arrowstart as the
current startup-config.
# restore arrowstart startup-config

Copying Core Dumps to an FTP or TFTP Server


To copy core dumps from the CSS to a File Transfer Protocol (FTP) or Trivial File
Transfer Protocol (TFTP) server, use the copy core command. The copy core
command is available at the SuperUser prompt.
The options for this command are:
• copy core coredump_filename ftp
• copy core coredump_filename tftp
To see a list of core dumps, enter the copy core ? command.

Copying Core Dumps to an FTP Server


To copy a core dump to an FTP server, use the copy core ftp command. Before
you copy a core dump from the CSS to an FTP server, you must create an FTP
record file containing the FTP server IP address, username, and password. For
information on configuring an FTP record, refer to “Configuring an FTP Record”
in this chapter.
The syntax is:
# copy core coredump_filename ftp ftp_record filename
For example:
# copy core dumpfile ftp ftpserv1 starlogthurs

The variables are:


• coredump_filename - The name of the core dump on the CSS. Enter an
unquoted text string with no spaces and a maximum length of 32 characters.
• ftp_record - The name of the FTP record file that contains the FTP server
IP address, username, and password. Enter an unquoted text string with no
spaces and a maximum length of 32 characters.
• filename - The name you want to assign to the file on the FTP server. Include
the full path to the file. Enter an unquoted text string with no spaces and a
maximum length of 32 characters.


Copying Core Dumps to a TFTP Server


To copy a core dump to a TFTP server, use the copy core tftp command.
The syntax is:
copy core coredump_filename tftp ip_address or hostname filename
The variables are:
• coredump_filename - The name of the core dump on the CSS. Enter an
unquoted text string with no spaces and a maximum length of 32 characters.
• ip_address or hostname - The IP address or host name of the TFTP server to
receive the file. Enter an IP address in dotted-decimal notation (for example,
192.168.11.1) or in mnemonic host-name format (for example,
myhost.mydomain.com). If you wish to use a hostname, you must first set up
a host table using the (config) host command.
• filename - The name you want to assign to the file on the TFTP server.
Include the full path to the file. Enter an unquoted text string with no spaces
and a maximum length of 32 characters.

Displaying CSS Configurations


The CSS Command Line Interface (CLI) provides a comprehensive set of show
commands that display CSS configurations. The show commands are
mode-independent; that is, they are available in each mode.

Note The CSS does not show configuration default values in the show
displays. This applies even when you enter a command to configure
a default value.

To display the list of show commands, enter:


(config)# show ?


Displaying Software Information


Use the version command in SuperUser mode to display the version of software
currently running on the CSS. This display also shows the version of flash,
whether the software is set to primary or secondary, and your license number.
For example:
# version

Version: ap0500002 (5.00 Build 02)


Network Path: e:/adi_directory/
Config Path: e:/adi_directory/
Flash (Locked): 4.01 Build 3
Flash (Operational):4.10 Build 8
Type: PRIMARY
License Cmd Set: Standard Feature Set
Enhanced Feature Set
SSH Server

Displaying Hardware Information


Use the show chassis command to display a chassis configuration. The syntax and
options for this command are:
• show chassis - Display a summary of the chassis configuration.
• show chassis flash - Display the operational and locked flash version for the
CSS 11150 and the CSS 11800 System Control Module (SCM) and Switch
Fabric Module (SFM). An asterisk (*) character before a flash version and
build number indicates it is the active flash.
• show chassis inventory - Display the physical configuration of the CSS,
including part and serial numbers.
• show chassis slot number - Display the operational parameters for a slot in a
CSS 11800. Enter an integer value. To see a list of slots, enter show chassis
slot ?.
• show chassis verbose - Display detailed information about the chassis
configuration.
To view a summary of the chassis configuration, enter:
# show chassis


Note In the CSS 11050 and the CSS 11150, the Switch Control Module
(SCM) and Switch Fabric Module (SFM) are combined on one
integrated circuit card called the Switch Control Fabric Module
(SCFM).

To view the chassis flash, enter:


# show chassis flash

To display the physical configuration of the CSS, enter:


# show chassis inventory

Table 1-7 describes the fields in the show chassis output.

Table 1-7 Field Descriptions for the show chassis Command

Field Description
Name The model number of the CSS.
SW Version The currently running software version on the CSS.
HW Major Version The major version of the hardware.
HW Minor Version The minor version associated with the hardware major
version.
Serial Number The serial number of the chassis flash.
Base MAC Address The MAC address for the chassis.
Module Number The slot number for the module.
Module Name The name of the module.
Status The status of the module. The possible states are:
• primary
• backup
• powered-off
• powered-on
• bad
• unknown

Port Number The number of the Ethernet port.
Port Name The name of the port.
Status The status of the port. The possible states are:
• online
• offline-ok
• offline-bad
• bad
• going-online
• going-offline
• inserted
• post
• post-ok
• post-fail
• post-bad-comm
• any
• unknown-state
Operational Active flash on the CSS.
Locked The inactive flash version available on the CSS.
Chassis/Board The hardware part comprising the CSS.
PN The part number of the hardware.
Rev The revision of the part.


Showing System Resources


Use the show system-resource command to display information about the size of
the installed and free memory available on the:
• CSS 11050 and CSS 11150.
• CSS 11800 SCM and SFM modules. The CSS displays system resources for
the primary SCM and SFM.
Table 1-8 describes the fields in the show system-resources output.

Table 1-8 Field Descriptions for the show system-resources Command

Field Description
Installed Memory The total memory size in the CSS
Free Memory The amount of free memory available
CPU The utilized percentage of the CPU
Buffer Statistics
Buffer Pool The buffer pool index
Size The size in bytes of each buffer in the buffer pool
Total The total number of buffers in the buffer pool
Available The current number of available buffers in the buffer
pool
Failures The number of failures to obtain a buffer from the
buffer pool
Low Buffer Count The lowest recorded number of available buffers


Showing User Information


To display all users currently defined in the CSS, enter:
(config)# show user-database

To display information for a specific user, enter:


(config)# show user-database picard

Table 1-9 describes the fields in the show user-database output.

Table 1-9 Field Descriptions for the show user-database Command

Field Description
Virtual Authentication Whether or not users must enter a username and
password to log into the CSS.
Console Authentication Whether or not console port authentication of
locally-defined usernames and passwords logging
into the CSS is enabled.
Username The username.
Privilege Level The privilege level of the user.
Type The type of user. Types are:
• administrator (administrative username, created
using the username-offdm command)
• technician (technician username, created using
the username-technician command)
If the field is blank, the user is neither an
administrator nor a technician.

Note The username-offdm command is for use by
system administrative personnel only. The
username-technician command is for use by
technical personnel only.

Directory Access The directory access privileges for the listed
usernames (as specified through the dir-access
option of the username command). There are a
series of access privilege codes assigned to the seven
CSS directories, in the following order: Script, Log,
Root (installed CSS software), Archive, Release
Root (configuration files), Core, and MIBs
directories. By default, users have both read- and
write-access privileges (B) to all seven directories.
The levels for each of the CSS directories can be one
of the following access privilege codes:
• R - Read-only access to the CSS directory
• W - Write-only access to the CSS directory
• B - Both read- and write-access privileges to the
CSS directory (default for all users)
• N - No access privileges to the CSS directory
For example, BBNBNBB indicates that the user has
no access to the root and release root directories, but
has read and write access to the script, log, archive,
core, and MIB directories.
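
The Directory Access string can be decoded mechanically when reviewing show user-database output. The following Python is an added example, not part of the Cisco guide: the directory order, the R/W/B/N codes and the BBNBNBB string come from Table 1-9, while the review policy (which directories to flag) and the sample usernames are assumptions made for illustration.

```python
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Directory order documented in Table 1-9 for the Directory Access field.
DIRECTORIES = ("Script", "Log", "Root", "Archive", "Release Root", "Core", "MIBs")

# Privilege codes documented in Table 1-9, mapped to (can_read, can_write).
CODES = {"R": (True, False), "W": (False, True), "B": (True, True), "N": (False, False)}

# Assumed review policy for this example (a site decision, not from the guide):
# write access to scripts/profiles, installed software and configuration files,
# and read access to configuration files and core dumps, is listed for review.
REVIEW_WRITE = ("Script", "Root", "Release Root")
REVIEW_READ = ("Release Root", "Core")


class Access(NamedTuple):
    read: bool
    write: bool


def decode_dir_access(code: str) -> Dict[str, Access]:
    """Map a seven-character privilege string to per-directory access."""
    code = code.strip().upper()
    if len(code) != len(DIRECTORIES):
        raise ValueError(f"expected {len(DIRECTORIES)} codes, got {len(code)}: {code!r}")
    unknown = sorted(set(code) - set(CODES))
    if unknown:
        raise ValueError(f"unknown privilege code(s) {unknown} in {code!r}")
    return {name: Access(*CODES[c]) for name, c in zip(DIRECTORIES, code)}


def audit_users(rows: Iterable[Tuple[str, str]]) -> List[str]:
    """Return one finding per reviewable privilege for (username, code) rows."""
    findings = []
    for username, code in rows:
        try:
            access = decode_dir_access(code)
        except ValueError as exc:
            # A truncated or mistyped field is reported, never silently skipped.
            findings.append(f"{username}: unparseable Directory Access ({exc})")
            continue
        if all(a.read and a.write for a in access.values()):
            findings.append(f"{username}: default BBBBBBB, read and write on all seven directories")
            continue
        for name in REVIEW_WRITE:
            if access[name].write:
                findings.append(f"{username}: can write {name}")
        for name in REVIEW_READ:
            if access[name].read:
                findings.append(f"{username}: can read {name}")
    return findings


# Constructed sample rows (username, Directory Access). Only the string
# BBNBNBB is taken from the guide; the usernames are hypothetical.
SAMPLE_ROWS = [
    ("user-default", "BBBBBBB"),
    ("user-guide-example", "BBNBNBB"),
    ("user-readonly", "RRNRNNR"),
    ("user-truncated", "BBXB"),
]

if __name__ == "__main__":
    for finding in audit_users(SAMPLE_ROWS):
        print(finding)
```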

Showing Current Logins


To display currently connected lines or sessions, use the show lines command. A
connected line is a console or Telnet session. This command is available in all
modes.
For example, to display currently connected lines or sessions, enter:
(config)# show lines


Table 1-10 describes the fields in the show lines output.

Table 1-10 Field Descriptions for the show lines Command

Field Description
Line The type of session. The * indicates your current session.
User The login name of the user.
Login The amount of time that the user has been logged on the CSS.
Idle The amount of time that the session has been idle.
Location The location where the session is occurring.

Where to Go Next
Chapter 2, Configuring User Profiles and CSS Parameters, provides information
on how to configure user profiles and CSS parameters. This chapter also contains
information on using the Content API and Command Scheduler features.

CHAPTER 2
Configuring User Profiles and CSS Parameters

This chapter describes how to configure user profiles and CSS parameters. This
chapter also contains information on using the Content API and Command
Scheduler features. Information in this chapter applies to all models of the CSS
except where noted.
This chapter contains the following sections:
• Configuring User Profiles
• Boot Configuration Mode Commands
• Configuring Host Name
• Configuring Idle Timeout
• Configuring the CSS as a Client of a RADIUS Server
• Controlling Remote Access to the CSS
• Restricting Console, FTP, SNMP, Telnet, XML, and Web Management
Access to the CSS
• Configuring Flow Parameters
• Finding an IP Address
• Configuring Content API
• Configuring the Command Scheduler


Configuring User Profiles


The CSS contains a default-profile that resides in the scripts directory on the
Internal Disk Module (IDM). This file contains settings that are user-specific; that
is, they apply uniquely to each user when the user logs in.
You can customize the following settings for each user:
• CLI prompt
• Expert mode
• History buffer
• Terminal parameters, including idle time, length, more, netmask format, and
timeout
Though the settings are user-specific, each default setting applies to all users until
the user saves the default-profile to a username-profile (where username is the
current login username). You may choose to continue using the default-profile so
that all users logging into a CSS use the same settings. Refer to “Copying and
Saving User Profiles” in this chapter for information on saving the default-profile.
If you change a user setting and want to save it in the scripts directory of the
current ADI, use a copy profile command. If you do not, the CSS stores the
setting temporarily in a running-profile. If you attempt to log out of the CSS
without saving profile changes, the CSS prompts you that profile changes have
been made and allows you to save or discard the changes.
When you upgrade the ADI, user profiles, which are saved in the current ADI
directory, are deleted. If you wish to save user profiles permanently, use the
save_profile command. This command saves the profiles in both the scripts and
archive directories in the current ADI. The archive directory is not overwritten
during a software upgrade.
To access the CSS IDM, FTP into the CSS. Use the appropriate commands to
access the scripts directory and list the contents of the default-profile. When
logged into the CSS, use the show profile command to display either the
default-profile or your username-profile.


For example:
# show profile

@prompt CSS11150
@no expert
alias all reboot "@configure;boot;rebo"
alias all shutdown "@configure;boot;shutd"
alias all logon "@configure;logging line \${LINE};exit"
alias all logoff "@configure;no logging line \${LINE};exit"
alias all aca-load "@script play service-load"
alias all dnslookup "@script play dnslookup"
alias super save_config "copy running-config startup-config;archive startup-config"
alias super setup "script play setup"
alias super upgrade "script play upgrade"
alias super monitor "script play monitor"
alias super save_profile "copy profile user-profile;archive script admin-profile"
set CHECK_STARTUP_ERRORS "1" session

This section contains information on:


• Configuring User Terminal Parameters
• Using Expert Mode
• Changing the CLI Prompt
• Modifying the History Buffer
• Copying and Saving User Profiles

Configuring User Terminal Parameters


To configure terminal parameters, use the terminal command. These parameters
control output to the system terminal screen. Terminal parameters are
user-specific; that is, they apply uniquely to each CSS user.
Use the copy profile user-profile command to add terminal command parameters
to your user profile so that the parameters are used each time you log in.
Otherwise you must reenter the commands for the parameters to take effect each
time you log in.


The options for this command are:


• terminal idle - Set the session idle timer.
• terminal length - Set the terminal screen output length.
• terminal more - Enable terminal more support. The default is enabled.
• terminal netmask-format - Control subnet mask display.
• terminal timeout - Set the session maximum login time.

Configuring Terminal Idle


To set the time a session can be idle before the CSS terminates a console or Telnet
session, use the terminal idle command. The default value is 0 (disabled). This
command is available at the User and SuperUser prompts. Enter an idle time
between 0 and 65535 minutes.
To set a terminal idle time, enter:
# terminal idle 15

To revert the terminal idle time to its default of disabled, enter:


# no terminal idle

Configuring Terminal Length


To set the number of output lines the CLI displays on the terminal screen, use the
terminal length command. This command is available at the User and SuperUser
prompts. Enter the number of lines you want the CLI to display from 2 to 65535.
The default is 25 lines.
To set the line number to 35, enter:
# terminal length 35

To set the number of lines to the default of 25 lines, enter:


# no terminal length


Configuring Terminal More


To enable the terminal more function, use the terminal more command.
This command is available at the User and SuperUser prompts. You can also
toggle the more function on and off within a session by using the ESC-M key
sequence.
To enable the more function, enter:
# terminal more

To disable the more function, enter:


# no terminal more

Configuring Terminal Netmask-Format


To determine how the CSS displays subnet masks in show screens, use the
terminal netmask-format command. This command is available at the User and
SuperUser prompts. The options for this command are:
• terminal netmask-format bitcount - Displays masks in bitcount (for
example, /24).
• terminal netmask-format decimal - Displays masks in dotted-decimal
format (for example, 255.255.255.0). This is the default format.
• terminal netmask-format hexadecimal - Displays masks in hexadecimal
format (for example, 0xFFFFFF00).
To display subnet masks in bitcount format, enter:
# terminal netmask-format bitcount

To revert to the default display format (decimal), enter:


# no terminal netmask-format

Configuring Terminal Timeout


To set the total amount of time a session can be logged in before the CSS
terminates a console or Telnet session, use the terminal timeout command. The
default value is 0 (disabled). This command is available at the User and
SuperUser prompts. Enter a timeout value between 0 and 65535 minutes.


To set a terminal timeout value, enter:


# terminal timeout 30

To revert the terminal timeout value to its default (disabled), enter:


# no terminal timeout

Using Expert Mode


Expert mode allows you to turn the CSS confirmation capability on or off. Expert
mode is available at the SuperUser prompt and is off by default. When expert
mode is off, the CSS prompts you for confirmation when you:
• Execute commands that could delete or change operating parameters
• Exit a terminal session (console or Telnet) without copying the
running-config to startup-config
• Create services, owners, and content rules
Turning expert mode on prevents the CSS from prompting you for confirmation
when you make configuration changes. To turn expert mode on, enter:
# expert

To allow the CSS to prompt you for confirmation when you make configuration
changes, enter:
# no expert

For example, when expert mode is off and you issue the command to create an
owner, the CSS prompts you to verify the command:
(config)# owner arrowpoint.com
Create owner <arrowpoint.com>, [y/n]:y
(config-owner[arrowpoint.com])#
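
Because the default-profile applies to every user who has not saved a username-profile, and expert mode removes the confirmation prompts described above, a saved profile is worth comparing against a known-good copy. The following Python is an added example, not part of the Cisco guide: the baseline text is the show profile output printed earlier in this chapter (wrapped lines rejoined), the line grammar is inferred from that output only, the "@expert" form for expert mode on is an assumption, and the observed profile is constructed.

```python
import re
from typing import Dict, List, Tuple

# Grammar inferred from the guide's show profile output (an assumption):
#   alias <scope> <name> "<cmd>;<cmd>;..."
ALIAS_RE = re.compile(r'^alias\s+(\S+)\s+(\S+)\s+"(.*)"\s*$')


def parse_profile(text: str) -> dict:
    """Extract prompt, expert-mode state and aliases from profile text."""
    profile = {"prompt": None, "expert": False, "aliases": {}}  # expert is off by default
    for raw in text.splitlines():
        body = raw.strip().lstrip("@")
        if body == "expert":            # assumed form of the setting when on
            profile["expert"] = True
        elif body == "no expert":
            profile["expert"] = False
        elif body.startswith("prompt "):
            profile["prompt"] = body.split(None, 1)[1]
        else:
            match = ALIAS_RE.match(body)
            if match:
                scope, name, commands = match.groups()
                # Commands are kept verbatim so any edit shows up in the diff.
                profile["aliases"][(scope, name)] = [
                    c.strip() for c in commands.split(";") if c.strip()
                ]
    return profile


def diff_profiles(baseline: dict, observed: dict) -> List[str]:
    """List differences a reviewer should look at, in a stable order."""
    findings = []
    if observed["expert"] and not baseline["expert"]:
        findings.append("expert mode on: confirmation prompts are suppressed")
    base: Dict[Tuple[str, str], List[str]] = baseline["aliases"]
    seen: Dict[Tuple[str, str], List[str]] = observed["aliases"]
    for key in sorted(set(base) | set(seen)):
        label = f"alias {key[0]} {key[1]}"
        if key not in seen:
            findings.append(f"{label}: removed")
        elif key not in base:
            findings.append(f"{label}: added -> {'; '.join(seen[key])}")
        elif base[key] != seen[key]:
            findings.append(f"{label}: changed -> {'; '.join(seen[key])}")
    return findings


# Baseline: the show profile output from this chapter, wrapped lines rejoined.
BASELINE = r"""
@prompt CSS11150
@no expert
alias all reboot "@configure;boot;rebo"
alias all shutdown "@configure;boot;shutd"
alias all logon "@configure;logging line \${LINE};exit"
alias all logoff "@configure;no logging line \${LINE};exit"
alias all aca-load "@script play service-load"
alias all dnslookup "@script play dnslookup"
alias super save_config "copy running-config startup-config;archive startup-config"
alias super setup "script play setup"
alias super upgrade "script play upgrade"
alias super monitor "script play monitor"
alias super save_profile "copy profile user-profile;archive script admin-profile"
set CHECK_STARTUP_ERRORS "1" session
"""

# Observed profile, constructed for this example: expert mode on, the archive
# step dropped from save_config, one alias removed and one added.
OBSERVED = (
    BASELINE.replace("@no expert", "@expert")
    .replace(";archive startup-config", "")
    .replace('alias super monitor "script play monitor"\n', "")
    + 'alias all lines "show lines"\n'
)

if __name__ == "__main__":
    for finding in diff_profiles(parse_profile(BASELINE), parse_profile(OBSERVED)):
        print(finding)
```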


Changing the CLI Prompt


The CLI default prompt displays as the product model number followed by the
# symbol. The CSS adds a # sign to the prompt automatically to indicate
SuperUser mode. To change the default prompt, enter the prompt command as
shown in the following example (maximum of 15 alphanumeric characters):
CSS11800# prompt CSS1-lab
CSS1-lab#

To save the new prompt, add it to user or default profiles. To restore the prompt
to its default, use the no prompt command.

Modifying the History Buffer


Use the history command to modify the history buffer length. The command line
history buffer stores the most recent CLI commands that you enter. Enter the
number of lines you want in the history buffer as an integer from 0 to 256. The
default is 20. This command is available in SuperUser mode.
To set the history buffer to 80 lines, enter:
# history length 80

To disable the history function (setting of 0), enter:


# history length 0

To restore the history buffer to the default of 20 lines, enter:


# no history length

Displaying the History Buffer


Use the show history command to display the history buffer. The history buffer
is cleared automatically upon reboot.


For example:
# show history

history
show history
show ip routes
show ip summary
show ip stat
clock
clock date
clock time
show history

Copying and Saving User Profiles


Use the copy profile command to copy the running profile from the CSS to the
default-profile, an FTP server, a TFTP server, or your user-profile. The options
are:
• copy profile default-profile - Copy the running profile to the default profile
• copy profile user-profile - Copy the running profile to your user profile
• copy profile ftp - Copy the running profile to an FTP server
• copy profile tftp - Copy the running profile to a TFTP server

Note If you exit the CSS without copying changes in the running profile
to your username-profile or default-profile, the CSS prompts you
that the profile has changed and queries whether or not you want to
save your changes. If you respond with y, the CSS copies the running
profile to your username-profile or the default-profile.

Refer to the following sections for information on these options.

Copying the Running Profile to the Default-Profile


Use the copy profile default-profile command to copy the running profile to the
default profile. This command is available at the SuperUser prompt.


For example, enter:


# copy profile default-profile

Copying the Running Profile to a User Profile


Use the copy profile user-profile command to proactively copy the changes
made to the running profile to the user profile. This command creates a file
username-profile if one does not exist (where username is the current username).
For example, enter:
# copy profile user-profile

Copying the Running Profile to an FTP Server


Use the copy profile ftp command to copy the running profile to an FTP server.
The syntax is:
copy profile ftp ftp_record filename

The variables are:


• ftp_record - The name of the FTP record file that contains the server
IP address, username, and password. Enter an unquoted text string with no
spaces and a maximum length of 32 characters.
• filename - The name you want to assign to the file on the server. Include the
full path to the file. Enter an unquoted text string with no spaces.
For example, enter:
# copy profile ftp arrowrecord \records\arrowftprecord

Copying the Running Profile to a TFTP Server


Use the copy profile tftp command to copy the running profile to a TFTP server.
The syntax is:
copy profile tftp ip_or_host filename


The variables are:


• ip_or_host - The IP address or host name of the server to receive the
file. Enter an IP address in dotted-decimal notation (for example,
192.168.11.1) or in mnemonic host-name format (for example,
myhost.mydomain.com).
• filename - The name you want to assign to the file on the server. Include the
full path to the file. Enter an unquoted text string with no spaces and a
maximum length of 32 characters.
For example, enter:
# copy profile tftp 192.168.3.6 \home\bobo\bobo-profile

Boot Configuration Mode Commands


Boot configuration mode contains all of the commands necessary to manage
booting the CSS and to maintain the software revision. To access this mode, use
the boot command from global configuration mode. The prompt changes to
(config-boot).
To access boot mode, enter:
(config)# boot

The CSS enters into boot mode.


(config-boot)#

For information about commands available in boot mode, refer to the following
sections:
• Unpacking an ArrowPoint Distribution Image (ADI)
• Removing an ArrowPoint Distribution Image (ADI)
• Specifying the Primary BOOT Configuration
• Specifying the Secondary Boot Configuration
• Configuring a Boot Configuration Record for the Passive SCM
• Showing the BOOT Configuration
• Booting the CSS from a Network Drive


Unpacking an ArrowPoint Distribution Image (ADI)


Use the unpack command to unpack the ArrowPoint Distribution Image (ADI)
on the CSS disk. Enter the ADI filename as an unquoted text string with a
maximum length of 32 characters. For example, enter:
(config-boot)# unpack ap0500002.adi

Note Before unpacking the ADI, you must first copy the ADI to the CSS
disk. Use the copy ftp ftp_record filename boot-image command
to copy the ADI to the CSS disk.

Removing an ArrowPoint Distribution Image (ADI)


Use the remove command to remove an ArrowPoint Distribution Image (ADI)
that is not currently running on the CSS. To display a list of ADIs installed on your
CSS, enter remove ?. To display the ADI you are currently running, use the
version command.
Enter the ADI filename as an unquoted text string with a maximum length of 32
characters.
For example, to remove an ADI, enter:
(config-boot)# remove ap0410008

Specifying the Primary BOOT Configuration


Use the primary command to specify the primary boot configuration. The options
for this boot mode command are:
• primary boot-file - Specify the primary boot file
• primary boot-type - Specify the primary boot method: local disk, FTP,
or a network-mounted file system using FTP
• primary config-path - Specify the path to a network CSS configuration
Refer to the following sections for more information on these options and
associated variables.


Configuring the Primary Boot-File


Use the primary boot-file command to specify the primary boot file. Enter the
primary boot file as an unquoted text string with no spaces and a maximum length
of 64 characters.
To specify the primary boot filename, enter:
(config-boot)# primary boot-file ap0500002

To display a list of boot filenames, enter:


(config-boot)# primary boot-file ?

To remove the primary boot file, enter:


(config-boot)# no primary boot-file

Configuring the Primary Boot-Type


Use the primary boot-type command to specify the primary boot method, either
from the local disk or using FTP. The syntax and options for this boot mode
command are:
• primary boot-type boot-via-disk - Boot the CSS from software currently on
the IDM.
• primary boot-type boot-via-ftp ftp_record - Download an ADI file
containing CSS software that you want to install on the IDM. The CSS
accesses the ADI or GZIP file containing the CSS software from an FTP
server, copies it to the IDM, and unpacks it.
• primary boot-type boot-via-network ftp_record - Use FTP to boot the CSS
from software located on a network-mounted file system on a remote system
(such as a PC or UNIX workstation). The CSS boots independently from the
IDM and loads the configuration into memory. Instead of the CSS disk, the
network file system contains the CSS software.
Enter the ftp_record as the name of the FTP record file that contains the FTP
server IP address, username, and password. Enter an unquoted text string with no
spaces.
For example, to configure the primary boot-type to boot-via-disk, enter:
(config-boot)# primary boot-type boot-via-disk


To remove the primary boot type, enter:


(config-boot)# no primary boot-type

Configuring the Primary Config-Path


Use the primary config-path command to specify the alternate path to a network
configuration for the network boot method. An alternate configuration path
allows multiple CSSs to use the same boot image while keeping their
configuration information in separate directories. The CSS must be able to access
the configuration path through an FTP server (such as a PC or UNIX workstation)
as defined in the FTP record for the network boot method.
When using an alternate configuration path, make sure that the path leads to a
directory containing the script, log, and info subdirectories and the startup-config
file. These subdirectories must contain the files in the corresponding
subdirectories of the unzipped boot image. First, create these subdirectories, then
copy the files from the boot image to the subdirectories.
Enter the configuration pathname as an unquoted text string with no spaces and a
maximum length of 64 characters.
To configure the primary config path, enter:
(config-boot)# primary config-path f:/bootdir/

To remove the primary network configuration path, enter:


(config-boot)# no primary config-path


Specifying the Secondary Boot Configuration


Use the secondary command to specify the secondary boot configuration. The
secondary boot configuration is used when the primary configuration fails. The
options for this boot mode command are:
• secondary boot-file - Specify the secondary boot file
• secondary boot-type - Specify the boot method, local disk or FTP
• secondary config-path - Specify the path to a network configuration using
FTP
For more information on these options and associated variables, refer to the
following sections.

Specifying the Secondary Boot-File


Use the secondary boot-file command to specify the secondary boot file that the
CSS uses when the primary boot configuration fails. Enter the boot file as an
unquoted text string with no spaces and a maximum length of 64 characters.
To specify the secondary boot filename, enter:
(config-boot)# secondary boot-file ap0410008

To display a list of secondary boot filenames, enter:


(config-boot)# secondary boot-file ?

To remove the secondary boot file, enter:


(config-boot)# no secondary boot-file


Specifying the Secondary Boot-Type


Use the secondary boot-type command to boot the system using the local disk,
FTP, or a network-mounted file system. The FTP record contains the IP address,
username, and password for the FTP server. Enter the ftp_record as an unquoted
text string with no spaces.
The syntax and options for this boot mode command are:
• secondary boot-type boot-via-disk - Boot the system from local disk.
• secondary boot-type boot-via-ftp ftp_record - Download an ADI file
containing CSS software that you want to install on the IDM. The CSS
accesses the ADI or GZIP file containing the CSS software from an FTP
server, copies it to the IDM, and unpacks it.
• secondary boot-type boot-via-network ftp_record - Use FTP to boot the
CSS from software located on a network-mounted file system on a remote
system (such as a PC or UNIX workstation). The CSS boots independently
from the IDM and loads the configuration into memory. Instead of the CSS
disk, the network file system contains the CSS software.
For example, to specify the secondary boot type as boot-via-disk, enter:
(config-boot)# secondary boot-type boot-via-disk

To remove the secondary boot type, enter:


(config-boot)# no secondary boot-type

Specifying the Secondary Config-Path


Use the secondary config-path command to specify the alternate path to a
network configuration for the network boot method. An alternate configuration
path allows multiple CSSs to use the same boot image while keeping their
configuration information in separate directories. The CSS must be able to access
the configuration path through an FTP server (such as a PC or UNIX workstation)
as defined through the FTP record for the network boot method.
When using an alternate configuration path, make sure that the path leads to a
directory containing the script, log, and info subdirectories and the startup-config
file. These subdirectories must contain the files in the corresponding
subdirectories of the unzipped boot image. First, create these subdirectories, then
copy the files from the boot image to the subdirectories.

Enter the configuration pathname as an unquoted text string with no spaces and a
maximum length of 64 characters.
To configure the secondary config path, enter:
(config-boot)# secondary config-path f:/bootdir/

To remove the secondary network configuration path, enter:


(config-boot)# no secondary config-path

Configuring a Boot Configuration Record for the Passive SCM


Use the passive command to configure the boot configuration record for the
current passive SCM installed in a CSS 11800. The boot configuration record
consists of the IP address, subnet mask, boot method, and boot file.
With the sync option for this command, you can copy the boot configuration
record from the active SCM to the passive SCM. In most CSS configurations, the
active and passive SCMs will have the same boot record.
This command also allows you to configure the individual components of the boot
configuration record on the passive SCM. For example, you can configure a boot
record on the passive SCM that has a software version that differs from the active
SCM. This allows you to run a new software version on the active SCM with the
security of having an older software version on the passive SCM.
You can also configure a different IP address on the passive SCM to track an
active-to-passive state transition between the SCMs. You can accomplish this
through a network management station where you can receive SNMP host traps.

Note The passive command and its options only affect the current passive
SCM. When you configure the passive SCM, the set values are
loaded into its nonvolatile RAM. If the passive SCM transitions to
the active state, it continues to retain these values but is no longer
affected by these commands; boot commands are not saved in the
running-config.

The options for this boot mode command are:


• passive ip address - Configure the system boot IP address for the passive
SCM.
• passive primary boot-file - Specify the primary boot file for the passive
SCM.
• passive primary boot-type - Specify the primary boot method, local disk,
FTP, or network-mounted file system using FTP, for the passive SCM.
• passive primary config-path - Specify the primary alternate path to a
network CSS configuration for the passive SCM.
• passive secondary boot-file - Specify the secondary boot file for the passive
SCM.
• passive secondary boot-type - Specify the secondary boot method, local
disk, FTP, or network-mounted file system via FTP, for the passive SCM.
• passive secondary config-path - Specify the secondary alternate path to a
network CSS configuration for the passive SCM.
• passive subnet mask - Configure the system boot subnet mask for the
passive SCM.
• passive sync - Copy the boot configuration record from the active SCM to the
passive SCM.
For more information on these options and associated variables, refer to the
following sections.

Configuring the Passive SCM IP Address


Use the passive ip address command to configure the system boot IP address for
the passive SCM. Enter the IP address for the passive SCM that will be used on
boot up. Do not enter an all zero IP address.
For example, enter:
(config-boot)# passive ip address 172.16.3.6

To change the passive SCM boot IP address, reissue the passive ip address
command.

Configuring the Passive SCM Primary Boot File


Use the passive primary boot-file command to specify the primary boot image
for the passive SCM. Enter the filename of the primary boot image for the passive
SCM as an unquoted text string with no spaces and a maximum length of
64 characters. To display a list of filenames, enter passive primary boot-file ?.
For example, enter:
(config-boot)# passive primary boot-file ap0500002

To remove the primary boot file from the passive SCM, enter:
(config-boot)# no passive primary boot-file

Configuring the Passive SCM Primary Boot Type


Use the passive primary boot-type command to specify the primary boot
method, the local disk, FTP, or a network-mounted file system for the passive
SCM. The syntax and options for this boot mode command are:
• passive primary boot-type boot-via-disk - Boot the system from local disk.
• passive primary boot-type boot-via-ftp ftp_record - Download an ADI file
containing CSS software that you want to install on the IDM. The CSS
accesses the ADI or GZIP file containing the CSS software from an FTP
server, copies it to the passive SCM, and unpacks it.
• passive primary boot-type boot-via-network ftp_record - Use FTP to boot
the CSS from software located on a network-mounted file system on a remote
system (such as a PC or UNIX workstation). The CSS boots independently
from the passive SCM and loads the configuration into memory. Instead of
the CSS disk, the network file system contains the CSS software.
Enter the ftp_record as the name of the FTP record file that contains the FTP
server IP address, username, and password. Enter an unquoted text string with no
spaces.
For example, enter:
(config-boot)# passive primary boot-type boot-via-ftp arecord

To remove the primary boot type from the passive SCM, enter:
(config-boot)# no passive primary boot-type

Configuring the Passive SCM Primary Configuration Path


Use the passive primary config-path command to specify the alternate path to a
network configuration for the network boot method for the passive SCM. An
alternate configuration path allows multiple CSSs to use the same boot image
while keeping their configuration information in separate directories. The CSS
must be able to access the configuration path through an FTP server (such as a PC
or UNIX workstation) as defined through the FTP record for the network boot
method.
When using an alternate configuration path, make sure that the path leads to a
directory containing the script, log and info subdirectories, and the startup-config
file. These subdirectories must contain the files in the corresponding
subdirectories in the unzipped boot image. First, create these subdirectories. Then
copy the files from the boot image to the subdirectories.
Enter the configuration path for network configuration. Enter an unquoted text
string with no spaces and a maximum length of 64 characters. For example, enter:
(config-boot)# passive primary config-path c:/bootdir/

To remove the primary network configuration path, enter:


(config-boot)# no passive primary config-path

Configuring the Passive SCM Secondary Boot File


Use the passive secondary boot-file command to specify the secondary boot
image for the passive SCM. Enter the boot file name for the secondary boot image
as an unquoted text string with no spaces and a maximum length of 64 characters.
To display a list of boot filenames, enter passive secondary boot-file ?. For
example:
(config-boot)# passive secondary boot-file ap0410008

To remove the secondary boot file from the passive SCM, enter:
(config-boot)# no passive secondary boot-file

Configuring the Passive SCM Secondary Boot Type


Use the passive secondary boot-type command to boot the system using the local
disk, FTP, or a network-mounted file system for the passive SCM. The syntax and
options for this boot mode command are:
• passive secondary boot-type boot-via-disk - Boot the system from local
disk.
• passive secondary boot-type boot-via-ftp ftp_record - Download an ADI
file containing CSS software that you want to install on the passive SCM. The
CSS accesses the ADI or GZIP file containing the CSS software from an FTP
server, and unpacks it.
• passive secondary boot-type boot-via-network ftp_record - Use FTP to
boot the CSS from software located on a network-mounted file system on a
remote system (such as a PC or UNIX workstation). The CSS boots
independently from the passive SCM and loads the configuration into
memory. Instead of the CSS disk, the network file system contains the CSS
software.
Enter the ftp_record as the name of the FTP record file that contains the FTP
server IP address, username, and password. Enter an unquoted text string with no
spaces.
For example, enter:
(config-boot)# passive secondary boot-type boot-via-disk

To remove the secondary boot type from the passive SCM, enter:
(config-boot)# no passive secondary boot-type

Configuring the Passive SCM Secondary Configuration Path


Use the passive secondary config-path command to specify the secondary
alternate path to a network configuration for the network boot method for the
passive SCM. An alternate configuration path allows multiple CSSs to use the
same boot image while keeping their configuration information in separate
directories. The CSS must be able to access the configuration path through an FTP
server (such as a PC or UNIX workstation) as defined through the FTP record for
the network boot method.

When using an alternate configuration path, make sure that the path leads to a
directory containing the script, log and info subdirectories and the startup-config
file. These subdirectories must contain the files in the corresponding
subdirectories of the unzipped boot image. First, create these subdirectories. Then
copy the files from the boot image to the subdirectories.
Enter the configuration path as an unquoted text string with no spaces and a
maximum length of 64 characters.
For example, enter:
(config-boot)# passive secondary config-path c:/bootdir/

To remove the secondary network configuration path, enter:


(config-boot)# no passive secondary config-path

Configuring the Passive SCM Subnet Mask


Use the passive subnet mask command to configure the system boot subnet mask
for the passive SCM.
For example, enter:
(config-boot)# passive subnet mask 255.255.0.0

Copying the Boot Configuration Record from the Active SCM to the Passive SCM
Use the passive sync command to copy the primary and secondary boot
configuration record from the nonvolatile RAM (NVRAM) of the active SCM to
its passive SCM backup. This command is available in boot mode.
For example, enter:
(config-boot)# passive sync

Showing the BOOT Configuration


Use the show boot-config command to display your boot configuration. For
example:
(config-boot)# show boot-config

!*********************** BOOT CONFIG ***********************


primary boot-file ap0500002
primary boot-type boot-via-disk
subnet mask 255.0.0.0
ip address 172.16.36.58

Booting the CSS from a Network Drive


The network booting feature enables you to boot the CSS from a network drive
using the .zip file included on your Documentation and System Software compact
disc. When you configure the CSS for network boot, the Internal Disk Module
(IDM) is not required. To avoid affecting network bandwidth consumption, do not
configure logging to disk when booting the CSS from a network drive.

Note Network boot does not support core dumps.

Perform a network boot if:


• You want multiple CSSs to use the same boot image while keeping their own
configuration information. Provide an alternate path for the location of the
configuration information. This information must exist on the same network
file system as the boot image.

Note When using an alternate configuration path, make sure that
the path leads to a directory containing the script, log and
info subdirectories. These subdirectories must contain the
files in the corresponding subdirectories in the boot image.
Create these subdirectories, then copy the files from the boot
image.

• The CSS has a hard drive failure. A network boot allows the CSS to boot
independently from its hard drive and to load the configuration into memory.

You can configure network boot for CSS 11800:


• Primary SCMs
• Passive SCMs

Configuring Network Boot for a Primary SCM


To configure network boot for a primary SCM:
1. Ensure the SCM management port has access to the network drive from
which you are booting the CSS. The SCM will mount the drive, and read and
write to it.
2. FTP the software .zip file to the network drive base directory specified in the
FTP record. This must be the same directory from which you are booting the
CSS.
3. Unzip the file. You must use the .zip distribution format for network loading.
4. Configure the FTP record (refer to the section entitled “Configuring an FTP
Record” in Chapter 1, Logging in and Getting Started). Note that the
config-path and the base directory path in the ftp-record associated with the
network boot must not contain a pathname that collides with a non-network
drive name (for example, c: or host:). For example, enter:
# ftp-record bootrecord 192.168.19.21 bobo encrypted-password "secret" e:/adi_directory/

This directory must contain the unzipped files.


5. Configure the CSS to boot from a network drive. For example, enter:
(config-boot)# primary boot-type boot-via-network bootrecord

6. Optionally, configure a primary configuration path to allow multiple CSSs to
use the same boot image while keeping their configuration information in
separate directories. The CSS must be able to access the configuration path
through the FTP server as defined in the FTP record. For example, enter:
(config-boot)# primary config-path e:/adi_directory/
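
A staged configuration path can be checked on the FTP server before a CSS is pointed at it. The following Python script is an added example, not part of the CSS software or of this guide's procedures: it checks a config-path string against the CLI rules stated above (unquoted, no spaces, 64 characters maximum) and compares a staged directory with the unzipped boot image for the script, log, and info subdirectories and the startup-config file. The function names and the sample file names are constructed, and comparing file contents only under script is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

REQUIRED_SUBDIRS = ("script", "log", "info")  # subdirectories named in the guide
STARTUP_CONFIG = "startup-config"
MAX_PATH_LEN = 64                             # CLI limit stated in the guide


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_cli_path(cli_path: str) -> list:
    """Check the string typed after 'config-path' against the documented CLI rules."""
    problems = []
    if not cli_path:
        problems.append("config-path is empty")
    if any(ch.isspace() for ch in cli_path):
        problems.append("config-path contains spaces")
    if '"' in cli_path or "'" in cli_path:
        problems.append("config-path must be unquoted")
    if len(cli_path) > MAX_PATH_LEN:
        problems.append(f"config-path is {len(cli_path)} characters (maximum {MAX_PATH_LEN})")
    return problems


def check_config_dir(config_dir: Path, image_dir: Path) -> list:
    """Compare a staged configuration directory with the unzipped boot image."""
    problems = []
    if not (config_dir / STARTUP_CONFIG).is_file():
        problems.append(f"missing file: {STARTUP_CONFIG}")
    for sub in REQUIRED_SUBDIRS:
        staged, reference = config_dir / sub, image_dir / sub
        if not staged.is_dir():
            problems.append(f"missing subdirectory: {sub}/")
            continue
        if not reference.is_dir():
            problems.append(f"boot image has no {sub}/ to compare against")
            continue
        for ref_file in sorted(p for p in reference.rglob("*") if p.is_file()):
            rel = ref_file.relative_to(image_dir)
            copy = config_dir / rel
            if not copy.is_file():
                problems.append(f"missing file: {rel.as_posix()}")
            # Assumption: only script/ is content-compared, because log and
            # info files may legitimately change after the copy.
            elif sub == "script" and _digest(copy) != _digest(ref_file):
                problems.append(f"differs from boot image: {rel.as_posix()}")
    return problems


def build_sample_trees(root: Path):
    """Constructed sample: an unzipped image and a partly staged configuration directory."""
    image, staged = root / "adi_directory", root / "css2_config"
    image_files = {"script/a-script": "echo a", "script/b-script": "echo b",
                   "log/boot.log": "", "info/version": "5.00"}
    staged_files = {"script/a-script": "echo a", "script/b-script": "echo CHANGED"}
    for base, files in ((image, image_files), (staged, staged_files)):
        for rel, text in files.items():
            target = base / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
    (staged / "log").mkdir()  # present but empty; info/ and startup-config are absent
    return image, staged


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        image, staged = build_sample_trees(Path(tmp))
        for problem in check_cli_path("e:/adi_directory/") + check_config_dir(staged, image):
            print(problem)
```
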

Configuring Network Boot for a Passive SCM


To configure network boot for a CSS 11800 passive SCM:
1. Configure an FTP record for the passive SCM, if not already configured.
Refer to “Configuring a Boot Configuration Record for the Passive SCM” in
this chapter.
2. Ensure the passive SCM management port has access to the network drive
from which you are booting the CSS. If the primary SCM fails, the passive
SCM will connect to the remote disk and load the software configuration.
3. Configure the CSS to boot from a network drive. For example, enter:
(config-boot)# passive primary boot-type boot-via-network bootrecord

To display a list of configured FTP records, reenter the command and use a “?”.
For example, enter:
(config-boot)# passive primary boot-type boot-via-network bootrecord ?

4. Optionally, configure a primary configuration path to allow multiple CSSs to
use the same boot image while keeping their configuration information in
separate directories. Your FTP daemon must support the drive mapping. Also,
the CSS must be able to access the configuration path through the FTP server
as defined in the FTP record. For example, enter:
(config-boot)# primary config-path e:/adi_directory/

Showing Network Boot Configurations


To display the network boot configuration, use the version command. For
example:
(config)# version

Version: ap0500002 (5.00 Build 02)


Network Path: e:/adi_directory/
Config Path: e:/adi_directory/
Flash (Locked): 4.10 Build 8
Flash (Operational):4.01 Build 3
Type: PRIMARY
License Cmd Set: Standard Feature Set
Enhanced Feature Set
SSH Server

You can also use the show boot-config command to display network boot
configuration information. For example:
(config)# show boot-config

!*********************** BOOT CONFIG ***********************


secondary config-path e:/adi_directory/
secondary boot-type boot-via-network Secondary-Boot
primary boot-file ap0500002
primary boot-type boot-via-network
subnet mask 255.0.0.0
ip address 192.168.4.226

Configuring Host Name


Use the host command to manage entries in the Host table. The Host table is the
static mapping of mnemonic host names to IP addresses, analogous to the ARP
table. The syntax for this global configuration mode command is:
host host_name ip_address
• host_name - The name of the host. Enter an unquoted text string with no
spaces and a length of 1 to 16 characters.
• ip_address - The address associated with the host name. Enter the IP address
in dotted-decimal notation (for example, 192.168.11.1).
For example, enter:
(config)# host CSS11150-LML 192.168.3.6

Note To add a host to the Host table, the host name must not already exist.
To change a current host address, remove it and then add it again.

To remove an existing host from the Host table, enter:


(config)# no host CSS11150-LML

To display a list of host names, enter:


(config)# show running-config global

Configuring Idle Timeout


To globally set the total amount of time all sessions can be active before the CSS
terminates a console or Telnet session, use the idle timeout command. Enter a
timeout value between 0 and 65535 minutes. The default value is enabled for
5 minutes.

Note To override the idle timeout value for a specific session, configure
the terminal timeout command. Terminal commands are
user-specific; that is, they apply uniquely for each CSS user.

It is recommended that you configure the idle timeout to at least 30 minutes.
Setting this value to 30 minutes:
• Cleans up idle Telnet sessions
• Helps prevent busy conditions due to a high number of active Telnet sessions
To set an idle timeout value, enter:
(config)# idle timeout 15

To revert the idle timeout value to its default of enabled for 5 minutes, enter:
(config)# no idle timeout

Configuring the CSS as a Client of a RADIUS Server


The Remote Authentication Dial-In User Service (RADIUS) protocol is a
distributed client/server protocol that protects networks against unauthorized
access. It uses the User Datagram Protocol (UDP) to exchange authentication and
configuration information between the CSS authentication client and the active
authentication server that contains all user authentication and network service
access information. The RADIUS host is normally a multiuser system running
RADIUS server software.
Use the radius-server command to configure the CSS as a client of a RADIUS
server for authentication requests by remote or local users who require
authorization to access network resources.
When a user remotely logs into a CSS operating as a RADIUS client, the CSS
sends an authentication request (including user name, encrypted password, client
IP address, and port ID) to the central RADIUS server. The RADIUS server is
responsible for receiving user connection requests, authenticating users, and
returning all configuration information necessary for the client to deliver services
to the users. Transactions between the RADIUS client and the RADIUS server are
authenticated through the use of a shared secret.
Once the RADIUS server receives the authentication request, it validates the
sending client and consults a database of users to match the login request. After
the RADIUS server performs user authentication, it transmits one of the following
authentication responses back to the RADIUS client:
• Accept - The user is authenticated (all conditions are met).
• Reject - The user is not authenticated and is prompted to reenter the username
and password, or access is denied (the username does not exist in the server’s
database).

If no response is returned by the RADIUS server within a period of time, the
authentication request is retransmitted a predefined number of times (both options
are specified in the radius-server command). The RADIUS client can forward
requests to an alternate secondary RADIUS server in the event that the primary
server is down or is unreachable.
In a configuration where both a primary RADIUS server and a secondary
RADIUS server are specified, and one or both of the RADIUS servers become
unreachable, the CSS automatically transmits a keepalive authentication request
to query the server(s). The CSS transmits the username “query” and the password
“areyouup” to the RADIUS server (encrypted with the RADIUS server’s key) to
determine its state. The CSS continues to send this keepalive authentication
request until the RADIUS server indicates that it is available.

Configuring the CSS as a RADIUS Client

Note This section assumes that you have properly configured your
RADIUS server implementation. Cisco Systems does not provide
RADIUS server software, and it is beyond the scope of this
document to cover the different RADIUS server configurations.

Use the radius-server command and its options to specify the RADIUS server
host (primary RADIUS server, and, optionally, a secondary RADIUS Server),
communication time interval settings, and a shared secret text string. This
command is available in configuration mode. The options for this command are:
• radius-server primary ip_address secret string {auth-port port_number} -
Specify the primary RADIUS server.
• radius-server secondary ip_address secret string {auth-port port_number}
- Specify the secondary RADIUS server. Configuration of a secondary
RADIUS server is optional.
• radius-server dead-time seconds - Set the time interval (in seconds) that the
CSS probes an inactive RADIUS server (primary and secondary) to
determine if it is back online.

• radius-server retransmit number - Set the number of retransmissions for an
authentication request to the RADIUS server.
• radius-server timeout seconds - Set the time interval the CSS waits before
retransmitting an authentication request.

Note After configuring the RADIUS server, enable RADIUS
authentication for console and virtual logins (if the user and
password pair is not in the local user database) through the virtual
authentication and console authentication commands. Refer to
“Controlling Remote Access to the CSS” later in this chapter for
details.

Specifying a Primary RADIUS Server


Use the radius-server primary command to specify a primary RADIUS server
to authenticate user information from the CSS RADIUS client (console or virtual
authentication). The syntax for this global configuration mode command is:
radius-server primary ip_address secret string {auth-port port_number}
Options and variables include:
• primary ip_address - The IP address or host name for the primary RADIUS
server. Enter the address in either dotted-decimal IP notation (for example,
192.168.11.1) or mnemonic host-name format (for example,
myhost.mydomain.com).
• secret string - The shared secret text string between the primary RADIUS
server and the CSS RADIUS client. The shared secret allows authentication
transactions between the client and primary RADIUS server to occur. Enter
the shared secret as a case-sensitive string with no spaces (16 characters
maximum).
• auth-port port_number - Optional. The UDP port on the primary RADIUS
server allocated to receive authentication packets from the RADIUS client.
Valid entries are 0 to 65535. The default is 1645.
To specify a primary RADIUS server, enter:
(config)# radius-server primary 172.27.56.76 secret Hello auth-port 30658

To remove a primary RADIUS server, enter:


(config)# no radius-server primary

Specifying a Secondary RADIUS Server


Use the radius-server secondary command to specify a secondary RADIUS
server to authenticate user information from the CSS RADIUS client (console or
virtual authentication). The CSS directs authentication requests to the secondary
RADIUS server when the specified RADIUS primary server is unavailable. The
syntax for this global configuration mode command is:
radius-server secondary ip_address secret string {auth-port port_number}

Note Configuration of a secondary RADIUS server is optional.

Options and variables include:


• secondary ip_address - The IP address or host name for the secondary
RADIUS server. Enter the address in either dotted-decimal IP notation (for
example, 192.168.11.1) or mnemonic host-name format (for example,
myhost.mydomain.com).
• secret string - The shared secret text string between the secondary RADIUS
server and the CSS RADIUS client. The shared secret allows authentication
transactions between the client and secondary RADIUS server to occur. Enter
the shared secret as a case-sensitive string with no spaces (16 characters
maximum).
• auth-port port_number - Optional. The UDP port on the secondary RADIUS
server allocated to receive authentication packets from the RADIUS client.
Valid entries are 0 to 65535. The default is 1645.

To specify a secondary RADIUS server, enter:


(config)# radius-server secondary 172.27.56.79 secret Hello auth-port 30658

To remove a secondary RADIUS server, enter:


(config)# no radius-server secondary

Configuring the RADIUS Server Timeouts


Use the radius-server timeout command to specify the time interval that the CSS
is to wait for the RADIUS server (primary or secondary) to reply to an
authentication request before retransmitting requests to the RADIUS server. You
configure the number of retransmitted requests to the server through the
radius-server retransmit command. Valid entries are 1 to 255 seconds. The
default is 10 seconds.
To configure the RADIUS server timeout interval to 1 minute
(60 seconds), enter:
(config)# radius-server timeout 60

To set the RADIUS server timeout back to the default of 10 seconds,
enter:
(config)# no radius-server timeout

Configuring the RADIUS Server Retransmits


Use the radius-server retransmit command to specify the number of times the
CSS is to retransmit an authentication request to a timed-out RADIUS server
before considering the server dead and stopping transmission. If a secondary RADIUS
server has been identified, that server is selected as the active server. Valid entries
are 1 to 30 retries. The default is 3.
If the RADIUS server does not respond to the CSS retransmitted requests, the
CSS considers the server as dead, stops transmitting to the server, and starts the
dead timer as defined through the radius-server dead-time command. If a
secondary server is configured, the CSS transmits the requests to the secondary
server. If the secondary server does not respond to the request, the CSS considers
it dead and starts the dead timer. If there is no active server, the CSS stops
transmitting requests until the primary RADIUS server becomes alive.

To configure the number of RADIUS server retransmits to 5, enter:


(config)# radius-server retransmit 5

To set the RADIUS server retransmit request back to the default of 3 retries, enter:
(config)# no radius-server retransmit

Configuring the RADIUS Server Dead-Time


Use the radius-server dead-time command to set the time interval in which the
CSS verifies whether a non-functional server is operational. During the set time
interval, the CSS sends probe access-request packets to verify that the RADIUS
server (primary or secondary) is available and can receive authentication requests.
The dead-time interval starts when the server does not respond to the number of
authentication request transmissions configured through the radius-server
retransmit command. When the server responds to a probe access-request packet,
the CSS transmits the authentication request to the server. Valid entries are 1 to
255 seconds. The default is 5 seconds.
To configure the RADIUS server dead-time to 15 seconds, with probe
access-requests enabled, enter:
(config)# radius-server dead-time 15

To set the RADIUS server dead-time request back to the default of 5 seconds,
enter:
(config)# no radius-server dead-time

Showing RADIUS Server Configuration Information


Use the show radius command to display information and statistics about the
RADIUS server configuration. The syntax and options are:
• show radius config [primary|secondary|all] - Display RADIUS
configuration information for a specific server or all servers, identified by
type.
• show radius stat [primary|secondary|all] - Display RADIUS authentication
statistics for a specific server or all servers, identified by type.

To view the configuration for a RADIUS primary server, enter:


(config)# show radius config primary

To view the authentication statistics for a RADIUS secondary server, enter:


(config)# show radius stats secondary

Table 2-1 describes the fields in the show radius config output.

Table 2-1 Field Descriptions for the show radius config Command

Field              Description
Server IP Address  The IP address or host name for the specified RADIUS server.
Secret             The shared secret text string between the specified RADIUS server and the CSS RADIUS client.
Port               The UDP port on the specified RADIUS server allocated to receive authentication packets from the CSS RADIUS client. The default port number is 1645.
State              The operational state of the RADIUS server (ALIVE, DOWN, UNKNOWN).
Dead Timer         The time interval (in seconds) that the CSS probes a RADIUS server (primary or secondary), which is not responding, to determine if it is operational and can receive authentication requests.
Timeout            The interval (in seconds) the CSS RADIUS client waits for the RADIUS server to reply to an authentication request before retransmitting requests to the RADIUS server.
Retransmit Limit   The number of times the CSS RADIUS client retransmits an authentication request to a timed-out RADIUS server before stopping transmission to that server.
Probes             The packets that the CSS RADIUS client automatically transmits to determine if the RADIUS server is still available and can receive authentication requests.

Table 2-2 describes the fields in the show radius stat output.

Table 2-2 Field Descriptions for the show radius stat Command

Field                     Description
Server IP address         The IP address or host name of the specified RADIUS
                          server
Accepts                   The number of times the RADIUS server accepts an
                          authentication request from the CSS RADIUS client
Requests                  The number of times the CSS RADIUS client issues an
                          authentication request to the RADIUS server
Retransmits               The number of times the CSS RADIUS client
                          retransmits an authentication request to the active
                          RADIUS server after a timeout occurred
Rejects                   The number of times the CSS RADIUS client receives a
                          reject notification from the RADIUS server while
                          trying to establish an authentication request
Bad Responses             The number of times the CSS RADIUS client receives a
                          bad transmission from the RADIUS server
Bad Authenticators        The number of times the RADIUS server denies an
                          authentication request from the CSS RADIUS client
Pending Requests          The number of pending authentication requests to the
                          RADIUS server
Timeouts                  The number of times the CSS RADIUS client reached
                          the specified timeout interval while waiting for the
                          RADIUS server to reply to an authentication request
Discarded Authentication  The number of authentication requests that were
Requests                  discarded while the primary or secondary RADIUS
                          server was down

Controlling Remote Access to the CSS


To control remote access to the CSS, use the virtual command or the console
command. By using virtual commands, you allow users to log into the CSS
remotely with or without requiring a username and password, or you can deny all
remote access to users. Telnet, FTP, SSHD, and the Device Management user
interface are examples of remote access. By using console commands, you
specify whether console port authentication of locally-defined usernames and
passwords logging into the CSS is enabled.

Note Before you can use RADIUS as either the virtual authentication
method or the console authentication method, you must enable
communication with the RADIUS security server using the
radius-server command (refer to “Configuring the CSS as a Client
of a RADIUS Server” earlier in this chapter for details).

The virtual command provides the following options:


• virtual authentication - Requires users to enter a login name and password
to log into the CSS and perform a virtual access (default). The local database
is checked in this option.
• virtual authentication disallowed - Prevents additional virtual users from
logging into the CSS. This selection does not terminate existing connections.

Note To remove users already logged into the CSS, use the
admin-shutdown command.

• virtual authentication local-radius - Checks the local username database
for authentication. If local authentication is unsuccessful, the CSS performs
a RADIUS server authentication to verify username and password.
• virtual authentication radius - Performs a RADIUS server authentication to
verify username and password.

• virtual authentication radius-local - Performs a RADIUS server
authentication to verify username and password. If the RADIUS server
authentication is unsuccessful, the CSS checks the local username database
for authentication.
• no virtual authentication - Does not require users to enter a login name and
password to log into the CSS (disables virtual authentication).
The console command provides the following options:
• console authentication - Requires users to enter a login name and password
to log into the CSS console port (default). The local database is checked in
this option.
• console authentication local-radius - Checks the local username database
for authentication. If local authentication is unsuccessful, the CSS performs
a RADIUS server authentication to verify username and password.
• console authentication radius - Performs a RADIUS server authentication
to verify username and password.
• console authentication radius-local - Performs a RADIUS server
authentication to verify username and password. If the RADIUS server
authentication is unsuccessful, the CSS checks the local username database
for authentication.
• no console authentication - Does not require users to enter a login name and
password to log into the CSS console port (disables console authentication).
For example, if an unauthorized user gained access to the CSS:
1. Prevent users from establishing new connections to the CSS by using the
virtual authentication disallowed command.
(config)# virtual authentication disallowed

2. Terminate all connections using the admin-shutdown command.
(config)# admin-shutdown

To display virtual and console authentication settings, use the show
user-database command (refer to “Showing User Information” in Chapter 1,
Logging in and Getting Started).

Restricting Console, FTP, SNMP, Telnet, XML, and Web Management Access to the CSS

Use the restrict command to enable or disable console, FTP, SNMP, Telnet, XML,
and Web management access to the CSS. Access through a console, FTP, SNMP,
and Telnet is enabled by default.

Note Disable Telnet access when you want to use the Secure Shell Host
(SSH) server. For information on configuring SSHD, refer to
“Configuring Secure Shell Daemon” in Chapter 3, Configuring CSS
Network Protocols.

The syntax and options for this global configuration mode command are:
• restrict console - Disable console access to the CSS
• restrict ftp - Disable FTP access to the CSS
• restrict snmp - Disable SNMP access to the CSS
• restrict telnet - Disable Telnet access to the CSS
• restrict xml - Disable XML access to the CSS
• restrict web-mgmt - Disable Web management access to the CSS
To enable access to the CSS:
• no restrict console - Enable console access to the CSS
• no restrict ftp - Enable FTP access to the CSS
• no restrict snmp - Enable SNMP access to the CSS
• no restrict telnet - Enable Telnet access to the CSS
• no restrict xml - Enable XML access to the CSS
• no restrict web-mgmt - Enable Web management access to the CSS
For example, enter:
(config)# restrict telnet
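
The following Python example is added here and is not part of the Cisco guide. It reads the virtual authentication, console authentication and restrict lines from a saved configuration and reports the resulting management-plane exposure, using the defaults stated in the two sections above. The function names and the sample configuration are constructed for illustration, and the example assumes that XML and Web management stay restricted until a no restrict line appears.

```python
import re

# Defaults stated in the guide: virtual and console logins are checked against
# the local user database; console, FTP, SNMP and Telnet access are enabled.
# Assumption: XML and Web management stay restricted until "no restrict" is set.
DEFAULT_AUTH = {"virtual": "local", "console": "local"}
DEFAULT_RESTRICTED = {"console": False, "ftp": False, "snmp": False,
                      "telnet": False, "xml": True, "web-mgmt": True}

PROMPT_RE = re.compile(r"^\(config\)#\s*")
AUTH_RE = re.compile(
    r"^(no\s+)?(virtual|console)\s+authentication(?:\s+(\S+))?$", re.I)
RESTRICT_RE = re.compile(
    r"^(no\s+)?restrict\s+(console|ftp|snmp|telnet|xml|web-mgmt)$", re.I)


def effective_settings(config_text):
    """Apply each line in order and return (auth, restricted) dictionaries."""
    auth = dict(DEFAULT_AUTH)
    restricted = dict(DEFAULT_RESTRICTED)
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        m = AUTH_RE.match(line)
        if m:
            negated, channel, method = m.groups()
            # "virtual authentication" with no keyword is the local-database form.
            auth[channel.lower()] = "none" if negated else (method or "local").lower()
            continue
        m = RESTRICT_RE.match(line)
        if m:
            negated, service = m.groups()
            restricted[service.lower()] = not negated
    return auth, restricted


def audit(config_text):
    """Return a sorted list of (code, message) findings for the management plane."""
    auth, restricted = effective_settings(config_text)
    findings = []
    for channel in ("virtual", "console"):
        method = auth[channel]
        if method == "none":
            findings.append((f"{channel}-auth-disabled",
                             f"{channel} logins do not require a username and password"))
        elif method in ("local-radius", "radius-local"):
            findings.append((f"{channel}-auth-fallback",
                             f"{channel} uses {method}: a login rejected by the first "
                             "database is retried against the second"))
    notes = {
        "telnet": "Telnet is enabled; the guide says to disable it when SSHD is used",
        "ftp": "FTP access is enabled",
        "snmp": "SNMP access is enabled",
        "xml": "the HTTP server accepts XML configuration documents on port 80",
        "web-mgmt": "Web management access is enabled",
    }
    for service, note in notes.items():
        if not restricted[service]:
            findings.append((f"{service}-open", note))
    return sorted(findings)


# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """\
no virtual authentication
console authentication radius-local
restrict ftp
no restrict xml
"""

if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONFIG):
        print(f"{code}: {message}")
```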

Finding an IP Address
Use the find ip address command to search the CSS configuration for the
specified IP address. You can include a netmask for subnet (wildcard) searches.
This search can help you avoid IP address conflicts when you configure the CSS.
When you use this command, it checks services, source groups, content rules,
ACLs, the management port, syslog, APP sessions, and local interfaces for the
specified IP address. If the address is found, the locations of its use are displayed.
If no addresses are found, the CSS returns you to the command prompt.
This command is available in all modes. The syntax is:
find ip address ip_or_host {subnet_mask|range number}
Enter the:
• IP address in dotted-decimal notation (for example, 192.168.11.1) or enter
the host name in mnemonic host-name format (for example,
host.domain.com).
• Optional subnet mask as either:
– A prefix length in CIDR bitcount notation (for example, /24). Do not
enter a space to separate the IP address from the prefix length.
– An IP address in dotted-decimal notation (for example, 255.255.255.0).
If you enter a mask of 0.0.0.0, the CSS finds all addresses.
• range number to define how many IP addresses you want to find, starting
with the ip_or_host address. Enter a number from 1 to 65535. The default
range is 1.
For example, if you enter an IP address of 203.1.1.1 with a range of 10, the
CSS tries to find the addresses from 203.1.1.1 through 203.1.1.10.
For example, enter:
(config)# find ip address 192.168.0.0

Users of IP address 192.168.0.0


Content Rule - 192.168.12.1, layer 3, owner: lml, state:Active
Content Rule - 192.168.12.1, layer 5, owner: lml, state:Active
Service - 192.168.3.6, serv1, state:Active
Service - 192.168.3.7, serv3, state:Active
Interface - 192.168.1.117. VLAN1
Interface - 192.168.2.117. VLAN1

Configuring Flow Parameters


The CSS enables you to configure the following flow parameters using the flow
command:
• flow permanent - Permanent TCP ports that are not reclaimed
• flow port-reset - Resets Fast Ethernet and Gigabit Ethernet ports
automatically when the CSS detects that they are not responding
• flow reserve-clean - Sets the interval at which flows with port numbers less
than or equal to 23 are reclaimed

Configuring Permanent Connections for TCP Ports


The CSS allows you to configure a maximum of ten TCP ports that will have
permanent connections and will not be reclaimed by the CSS when the ports are
inactive. To configure a TCP port as a permanent connection, use the flow
permanent command. This command is typically used when load-balancing
long-lived connections or when you observe the CSS dropping long-lived idle TCP
connections.
The options for this command are:
• flow permanent port1 portnumber
• flow permanent port2 portnumber
• flow permanent port3 portnumber
• flow permanent port4 portnumber
• flow permanent port5 portnumber
• flow permanent port6 portnumber
• flow permanent port7 portnumber
• flow permanent port8 portnumber
• flow permanent port9 portnumber
• flow permanent port10 portnumber
Enter a port number from 0 to 65535. The default is 0.

For example, to configure port 1520 as a permanent connection, enter:
(config)# flow permanent port1 1520

To reset a permanent connection to its default port number of 0, use the no flow
permanent command. For example, to reset the port number for port1 to 0, enter:
(config)# no flow permanent port1

Resetting Fast Ethernet and Gigabit Ethernet Ports


You can program the CSS to reset its associated Fast Ethernet and Gigabit
Ethernet ports automatically when it detects that they are not responding during
operation. Use the flow port-reset command to enable this function. By default,
port resetting is enabled on the CSS.

Caution Do not disable port-resets without guidance from Cisco support
personnel.

For example, enter:


(config)# flow port-reset

To disable port resets on the CSS, enter:


(config)# no flow port-reset

Reclaiming Reserved Telnet and FTP Control Ports


Use the flow reserve-clean command in global configuration mode to define how
often the CSS scans flows from reserved Telnet and FTP control ports to reclaim
them. Control ports have port numbers less than or equal to 23. When the CSS
determines that one of these ports has a flow with asymmetrical routing, it
reclaims the port.
Enter the flow reserve-clean time in seconds as the interval the CSS uses to scan
flows. Enter an integer from 0 to 100. The default is 10. To disable the flow
reclaiming process, enter a flow reserve-clean value of 0.

For example, enter:


(config)# flow reserve-clean 36

To disable flow cleanup on Telnet and FTP control ports, enter:


(config)# no flow reserve-clean

Showing Flow Statistics


Use the flow statistics command to display statistics on currently allocated flows.
For example:
(config)# flow statistics

Flow Manager Statistics:

                            Current      High       Avg
UDP Flows per second              0         0         0
TCP Flows per second              0         4         0
Total Flows per second            0         4         0
Hits per second                   0         0         0

-------------------------------------------------------------
Port         Active          Total          TCP          UDP
-------------------------------------------------------------
1                13       43339169           13            0
2                16       43337519           16            0
5                18        3167362           18            0
6                 9       33483528            9            0

Configuring Content API


The CSS Content Application Program Interface (API) feature allows you to use
a network management workstation to make Web-based configuration changes to
the CSS using Extensible Markup Language (XML) documents. XML is a
powerful tool that can be used to automatically configure a CSS using all of the
CLI commands included in the CSS software, such as to specify server weight and
load, to configure load balancing across a group of servers, or to configure content
rules to restrict access to a group of directories or files on the servers.
XML code loads a series of CLI commands into the CSS without the need to
respond to the prompts, similar to operating in expert mode. As the CSS
administrator, plan which type of changes you want to implement and the
consequences of these changes as they are performed.
After you create the XML document, you publish (upload) the XML file to the
Hypertext Transfer Protocol (HTTP) server embedded in the CSS using an HTTP
PUT method.

Creating XML Code


When developing XML code for Content API to issue CLI commands, adhere to
the following guidelines. You can use any text editor for creating the XML code.
1. Include the following line as the first line in the XML file:
<?xml version="1.0" standalone="yes"?>

2. Enclose the CLI commands within the <action></action> tag set. For
example:
<action>add service MyServiceName</action>
<action>vip address 10.2.3.4</action>

Note A nested script play command (to execute a script line by
line from the CLI) is not allowed in an XML file. This
restriction is enforced because the actual execution of the
XML tag set is performed within a script play command.

3. Pay attention to mode hierarchy of the CLI commands in the XML file. Each
mode has its own set of commands. Many of the modes have commands
allowing you to access other related modes. If you enter a series of commands
in the improper mode hierarchy, this will result in an XML file that fails to
execute properly.
As an example, the following commands configure an access list (ACL):
<?xml version="1.0" standalone="yes" ?>
<config>
<action>acl 98</action>
<action>clause 10 permit any any dest any</action>
<action>apply circuit-(VLAN3)</action>
</config>

In another example, the following commands configure a CSS Ethernet
interface:
<?xml version="1.0" standalone="yes" ?>
<config>
<action>interface ethernet-6</action>
<action>bridge vlan 3</action>
<action>circuit VLAN3</action>
<action>ip address 10.10.104.1/16</action>
</config>

4. Pay attention to the allowable CLI command conventions for syntax and
variable argument in the XML file. If you enter an invalid or incomplete
command, this will result in an XML file that fails to execute properly.

Note For overview information on the CLI commands you can use
in global configuration mode and its subordinate modes, refer
to the Content Services Switch Command Reference,
Chapter 2, CLI Commands.

XML Document Example


The following example is a complete XML document. The XML document
creates three services, an owner, and a content rule, and assigns one of the newly
created services to the content rule.
<?xml version="1.0" standalone="yes"?>
<config>
  <service name="router">
    <ip_address>10.0.3.1</ip_address>
    <action>active</action>
  </service>
  <service name="sname2">
    <ip_address>10.0.3.2</ip_address>
    <weight>4</weight>
    <action>active</action>
  </service>
  <service name="sname3">
    <ip_address>10.0.3.3</ip_address>
    <weight>5</weight>
    <protocol>udp</protocol>
    <action>suspend</action>
  </service>
  <service name="nick">
    <ip_address>10.0.3.93</ip_address>
    <action>active</action>
  </service>
  <owner name="test">
    <content name="rule">
      <vip_address>10.0.3.100</vip_address>
      <protocol>udp</protocol>
      <port>8080</port>
      <add_service>nick</add_service>
      <action>active</action>
    </content>
  </owner>
</config>

Controlling Access to the CSS HTTP Server


To control access to the HTTP server running on the CSS, use the restrict xml
and no restrict xml commands. Clients can send XML documents to this server
to configure the CSS. The options for this global configuration mode command
are:
• no restrict xml - Allow client access to the HTTP server on the CSS.
• restrict xml - Deny client access to the HTTP server on the CSS.

Note The web-mgmt state enable command (for CSS software version
3.x) performs the same function as the (config) no restrict xml
command (for CSS software version 4.x) and the web-mgmt state
disable command performs the same function as the (config)
restrict xml command. When you use the web-mgmt state enable
command, it does not appear in the configuration file. Instead, the
(config) no restrict xml command appears in the configuration file.

Parsing the XML Code


After you complete the XML file, parse the code to ensure that it is syntactically
correct. The easiest way to parse XML code is to open the XML file directly from
Microsoft® Internet Explorer. Syntax errors are flagged automatically when the
file is loaded. If an error occurs, review your XML code and correct all syntax
errors.

Publishing the XML Code to the CSS


The completed XML file is remotely published (uploaded) to the HTTP server in
the CSS from the external network management workstation by using an HTTP
PUT method. The HTTP PUT method uses the IP address of the CSS as the
destination URL where you want to publish the XML file.

Note When XML is enabled, the CSS listens for XML connections on
port 80.

Note Ensure that the CLI commands in the XML document do not have
an impact on the interface configuration through which the XML file
transfer process is to occur (for example, including the command no
ip addr 10.1.2.3, which identifies the IP address of the CSS
receiving the XML file). If this occurs, you will disconnect the
workstation performing the XML file transfer.
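
The following Python example is added here and is not part of the Cisco guide. It checks a Content API document before publishing against three rules from this section: the required first line, well-formed XML, and no action that nests a script play command or removes the address the file is being transferred to. The function name, the finding codes, the script name nightly and the second sample document are constructed for illustration; the first sample is the ACL example shown earlier.

```python
import re
import xml.etree.ElementTree as ET

DECLARATION_RE = re.compile(r'^<\?xml\s+version="1\.0"\s+standalone="yes"\s*\?>')
SCRIPT_PLAY_RE = re.compile(r"^\s*script\s+play\b", re.I)


def lint_content_api(document, transfer_ip):
    """Return a list of (code, detail) problems found in a Content API document.

    transfer_ip is the CSS address the workstation will publish the file to.
    """
    problems = []
    lines = document.splitlines()
    first_line = lines[0] if lines else ""
    if not DECLARATION_RE.match(first_line):
        problems.append(("declaration", "first line is not the XML declaration"))
    try:
        root = ET.fromstring(document)
    except ET.ParseError as exc:
        # Nothing below can be checked if the document does not parse.
        problems.append(("syntax", str(exc)))
        return problems
    # Matches "no ip addr <transfer_ip>" and "no ip address <transfer_ip>/len",
    # but not a longer address that merely starts with the same digits.
    drops_ip = re.compile(
        r"^\s*no\s+ip\s+addr\w*\s+" + re.escape(transfer_ip) + r"(?!\d)", re.I)
    for action in root.iter("action"):
        command = (action.text or "").strip()
        if SCRIPT_PLAY_RE.match(command):
            problems.append(("nested-script-play", command))
        if drops_ip.match(command):
            problems.append(("drops-transfer-address", command))
    return problems


# The ACL example from this section.
ACL_DOCUMENT = """\
<?xml version="1.0" standalone="yes" ?>
<config>
<action>acl 98</action>
<action>clause 10 permit any any dest any</action>
<action>apply circuit-(VLAN3)</action>
</config>
"""

# Constructed document that breaks two of the rules.
RISKY_DOCUMENT = """\
<?xml version="1.0" standalone="yes"?>
<config>
<action>script play nightly</action>
<action>circuit VLAN3</action>
<action>no ip addr 10.1.2.3</action>
</config>
"""

if __name__ == "__main__":
    for name, doc in (("acl", ACL_DOCUMENT), ("risky", RISKY_DOCUMENT)):
        print(name, lint_content_api(doc, "10.1.2.3"))
```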

Software is available to simplify the process of publishing XML files to the CSS
HTTP server. These software packages offer a simple method to publish files to a
Web server. This software uses the HTTP protocol to publish files and requires no
special software on the Web server side of the connection.

Note An error code in the publishing process usually means that the
no restrict xml command (for CSS software version 4.x) or the
web-mgmt state enable command (for CSS software version 3.x)
has not been issued on the CSS prior to publishing the XML file.
See the “Controlling Access to the CSS HTTP Server” section for
details.

Testing the Output of the XML Code


Test the output of the XML code by reviewing the running configuration of the
CSS. After the XML has been successfully published to the CSS, Telnet to the
switch and issue the show running-config command to verify that the XML
changes have properly occurred. If the XML changes are incorrect or missing,
republish the XML code to the CSS as described in the “Publishing the XML
Code to the CSS” section.

Configuring the Command Scheduler


Use the cmd-sched command to configure the scheduled execution of any CLI
commands, including playing scripts. The commands that will be executed are
referred to as the command string. To schedule commands, you must create a
configuration record, which includes a provision as to when to execute the
commands, and the command string.
For example, you can use this command to schedule periodic content replication,
the gathering of statistics, and scheduled configuration changes. At the specified
time, the command scheduler executes a command string by creating a
pseudo-login shell where each string is executed. A cmd-sched record is only
scheduled for execution upon completion of its shell. Use the show lines
command to display information about active pseudo shells (refer to “Showing
Current Logins” in Chapter 1, Logging in and Getting Started).

Note To terminate the execution of a command string, use the disconnect
command.

The syntax and options for this global configuration mode command are:
• cmd-sched - Enable command scheduling.
• cmd-sched record name minute hour day month weekday “commands...”
{logfile_name} - Create a configuration record for the scheduled execution
of any CLI commands, including the playing of scripts.
The variables are listed below. When entering minute, hour, day, month, and
weekday variables, you may enter a single integer, a wildcard (*), a list separated
by commas, or a range separated by a dash (-).
• name - The name of the configuration record. Enter an unquoted text string
up to 16 characters.
• minute - The minute of the hour to execute this command. Valid numbers are
from 0 to 59.
• hour - The hour of the day. Valid numbers are from 0 to 23.
• day - The day of the month. Valid numbers are from 0 to 31.
• month - The month of the year. Valid numbers are from 1 to 12.
• weekday - The day of the week. Valid numbers are from 1 to 7. Sunday is 1.

• command - The commands you want to execute. Enter a quoted text string up
to 255 characters. Separate multiple commands with a semicolon (;)
character. If the command string includes quoted characters, use a single
quote character; any single quote character not preceded by a backslash (\)
character is converted to a double quote when the command string is executed.
• logfile_name - An optional variable that defines the name of the log file.
Enter a text string up to 32 characters.
Any of the time variables can contain one or some combination of the following
values:
• A single number to define a single or exact value for the specified time
variable
• A wildcard (*) character matching any valid number for the specified time
variable
• A list of numbers separated by commas, up to 40 characters, to define
multiple values for a time variable
• Two numbers separated by a dash (-) character indicating a range of values
for a time variable
For example, enter:
(config)# cmd-sched record periodic_shows 30 21 3 6 1 "show history;show service;show rule;show system-resources"

To enable command scheduler, enter:


(config)# cmd-sched

To disable command scheduling, enter:


(config)# no cmd-sched

To delete a configuration record, enter:


(config)# no cmd-sched periodic_shows
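
The following Python example is added here and is not part of the Cisco guide. Because scheduled records run unattended in a pseudo-login shell, it validates a cmd-sched record line against the field ranges and length limits listed above, expands each time field, applies the documented single-quote conversion, and reports whether the command string enters config mode. The function names are constructed for illustration; the second sample record is constructed from the values in the show cmd-sched output in the next section.

```python
import re

# Ranges exactly as listed in the guide (weekday 1 is Sunday).
FIELD_RANGES = {"minute": (0, 59), "hour": (0, 23), "day": (0, 31),
                "month": (1, 12), "weekday": (1, 7)}
RECORD_RE = re.compile(
    r'^(?:\(config\)#\s*)?cmd-sched\s+record\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)'
    r'\s+(\S+)\s+(\S+)\s+"(.*)"(?:\s+(\S+))?$')


def expand_field(name, text):
    """Expand a single value, wildcard, comma list or dash range into integers."""
    low, high = FIELD_RANGES[name]
    if len(text) > 40:
        raise ValueError(f"{name}: list longer than 40 characters")
    values = set()
    for part in text.split(","):
        if part == "*":
            values.update(range(low, high + 1))
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"{name}: cannot parse {part!r}")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) is not None else start
        if not (low <= start <= end <= high):
            raise ValueError(f"{name}: {part} is outside {low}-{high}")
        values.update(range(start, end + 1))
    return sorted(values)


def parse_record(line):
    """Validate one 'cmd-sched record' line and describe what it will run."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError("not a cmd-sched record line")
    name, minute, hour, day, month, weekday, command, logfile = m.groups()
    if len(name) > 16:
        raise ValueError("record name longer than 16 characters")
    if len(command) > 255:
        raise ValueError("command string longer than 255 characters")
    if logfile is not None and len(logfile) > 32:
        raise ValueError("log file name longer than 32 characters")
    fields = dict(zip(FIELD_RANGES, (minute, hour, day, month, weekday)))
    schedule = {key: expand_field(key, text) for key, text in fields.items()}
    # Unescaped single quotes become double quotes at execution time. The guide
    # does not say what happens to the backslash, so escaped quotes are kept as is.
    executed = re.sub(r"(?<!\\)'", '"', command)
    commands = [c.strip() for c in executed.split(";") if c.strip()]
    return {
        "name": name,
        "schedule": schedule,
        "commands": commands,
        "logfile": logfile,
        # A record that enters config mode changes the switch unattended.
        "enters_config": any(c.split()[0].lower() == "config" for c in commands),
    }


# The example record from this section.
PAGE_RECORD = ('cmd-sched record periodic_shows 30 21 3 6 1 '
               '"show history;show service;show rule;show system-resources"')
# Constructed from the values in the guide's show cmd-sched sample output.
SUSPEND_RECORD = ('cmd-sched record suspendRule 0 12 * * 2-6 '
                  '"config;owner owner1;content content1;suspend"')

if __name__ == "__main__":
    for record in (PAGE_RECORD, SUSPEND_RECORD):
        info = parse_record(record)
        print(info["name"], info["enters_config"], info["commands"])
```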

Showing Configured Command Scheduler Records


Use the show cmd-sched command to display the state of the command scheduler
and information about the records for the scheduled CLI commands. The syntax
and options are:
• show cmd-sched - Lists the state of the command scheduler and all scheduled
CLI command records
• show cmd-sched name record_name - Lists information about the specified
scheduled CLI command record
For example, to view the command scheduler state and all scheduled CLI
command records, enter:
(config)# show cmd-sched

Cmd Scheduler: Enabled
1 record currently configured.

Sched Rec: suspendRule id: 8265b980 Next exec: APR 14 10:46:00
executions:1145
minList: 0
hourList: 12
dayList: *
monthList: *
weekdayList: 2,3,4,5,6
cmd: config;owner owner1;content content1;suspend

Table 2-3 describes the fields in the show cmd-sched output.

Table 2-3 Field Descriptions for the show cmd-sched Command

Field          Description
Cmd Scheduler  State of the command scheduler (enabled or disabled) and
               the number of configured records.
Sched Rec      The name of the configuration record.
id             The ID for the record.
next exec      The day and time when the record will be executed.
executions     How many times the record has executed.
minList        The configured minute of the hour to execute the command.
hourList       The configured hour of the day to execute the command.
dayList        The configured day of the month to execute the command.
monthList      The configured month of the year to execute the command.
weekdayList    The configured day of the week to execute the command.
               Sunday is 1.
cmd            The commands you want to execute. Separate multiple
               commands with a ; character.

Where to Go Next
Chapter 3, Configuring CSS Network Protocols, describes how to configure the
CSS DNS, ARP, RIP, IP, routing, bridging, SSH, and opportunistic Layer 3
forwarding.

CHAPTER 3
Configuring CSS Network Protocols

This chapter describes how to configure the CSS DNS, ARP, RIP, IP, routing,
bridging, SSH, and opportunistic Layer 3 forwarding functions. Information in
this chapter applies to all CSS models except where noted.
This chapter includes the following sections:
• Configuring Domain Name Service
• Configuring Address Resolution Protocol
• Configuring Routing Information Protocol
• Configuring Internet Protocol
• Configuring an IP Route
• Configuring IP Source-Route
• Disabling an Implicit Service for Static Route Next Hop
• Configuring IP Subnet-Broadcast
• Showing IP Information
• Configuring Bridging for the CSS
• Configuring Secure Shell Daemon
• Configuring Opportunistic Layer 3 Forwarding

Configuring Domain Name Service


Use the dns command to enter commands that control Domain Name Service
(DNS), the facility that translates host names such as myhost.mydomain.com to IP
(Internet Protocol) addresses such as 192.168.11.1. The options for this global
configuration mode command are:
• dns primary - Specify the primary DNS server
• dns resolve - Query DNS to resolve a hostname
• dns secondary - Specify the secondary DNS server
• dns suffix - Specify the default suffix to use when querying DNS
• dnsflow - Set up UDP traffic to DNS server port 53 as a CSS flow or forward
the traffic
Use the show running-config global command to display DNS configurations
(refer to “Using the Running-Config and Startup-Config” in Chapter 1, Logging
in and Getting Started).

Specifying a Primary DNS Server


To specify the primary DNS server, use the dns primary command followed by
the IP address of the DNS server you wish to specify as the primary DNS server.
Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).
For example:
(config)# dns primary 192.168.11.1

To remove the primary DNS server, enter:


(config)# no dns primary

Using DNS Resolve


To resolve a hostname by querying the DNS server, use the dns resolve command
followed by the host name you want to resolve. Enter the host name in mnemonic
host-name format (for example, myhost.mydomain.com).
For example:
(config)# dns resolve fred.arrowpoint.com

Specifying a Secondary DNS Server


When a primary DNS server fails, the CSS uses the secondary DNS server to
resolve host names to IP addresses. To specify a secondary DNS server, use the
dns secondary command followed by the IP address of the secondary DNS
server. Enter the IP address in dotted-decimal notation (for example,
192.168.11.1).
(config)# dns secondary 192.158.3.6

Note You can specify a maximum of two secondary servers. To specify
each additional server, repeat the dns secondary command. The
order in which you enter the IP addresses is the order in which they
are used.

To remove a secondary DNS server, enter the no version of the command
followed by the IP address of the DNS server you wish to remove. For example:
(config)# no dns secondary 192.158.3.6

Specifying a DNS Suffix


To specify the default suffix to use when querying the DNS facility, use the dns
suffix command followed by the suffix you wish to use. Enter the default suffix
as an unquoted text string with no spaces and a maximum length of 64 characters.
For example:
(config)# dns suffix arrowpoint.com

To remove the default DNS suffix, enter:


(config)# no dns suffix

Specifying UDP Traffic on the DNS Server Port


For DNS UDP traffic on port 53, use the dnsflow command to determine whether
the CSS uses flow control blocks (FCBs) for DNS requests and responses. This
command provides the following options:
• enable (default) - Causes the CSS to set up flows using FCBs for DNS
requests and responses. Because UDP traffic is connectionless, the DNS
flows remain active until the flow manager reclaims the flow resources.
• disable - Causes the CSS to not use FCBs for the DNS requests and
responses. Use this setting for sites with heavy DNS traffic or sites where the
DNS clients use a source and destination port of 53.
For example:
(config)# dnsflow disable

Configuring Address Resolution Protocol


Use the arp command and its options to statically configure the IP to Media
Access Control (MAC) translations necessary for the CSS to send data to network
nodes. The following sections discuss configuring Address Resolution Protocol
(ARP) for the CSS.
• Configuring ARP
• Configuring ARP Timeout
• Configuring ARP Wait
• Updating ARP Parameters
• Clearing ARP Parameters
• Showing ARP Information

Configuring ARP
To define a static ARP mapping, use the arp command. The syntax for this global
configuration mode command is:
• arp ip_address mac_address interface {vlan}
• arp hostname mac_address interface {vlan}
The variables and options are:
• ip_address - The address of the system for static mapping. Enter an IP
address in dotted-decimal notation (for example, 192.168.11.1) or in
mnemonic host-name format (for example, myhost.mydomain.com).
• hostname - The address of the system for static mapping. Enter a hostname in
mnemonic host-name format (for example, myhost.mydomain.com). You
must configure DNS and the hostname must be resolved to an IP address for
hostname to work.
• interface - The CSS interface that you want to configure. For a CSS 11050 or
CSS 11150, enter the interface name in interface port format (for example,
e2). For a CSS 11800, the interface format is slot/port (for example, 3/1).


• vlan - The number of the VLAN configured in a trunked interface on which
this ARP address is configured (assuming trunking is enabled for the CSS
Gigabit Interface port, see “Specifying VLAN Trunking to an Interface” in
Chapter 4, Configuring Interfaces and Circuits). This argument is optional.
Enter an integer from 1 to 4094 as the VLAN number.
For the show arp command to display a static ARP mapping, the IP route
must exist in the routing table.
For example:
(config)# arp 192.168.11.1 00-60-97-d5-26-ab ethernet-2

To remove a static mapping address, use the no arp command. For example:
(config)# no arp 192.168.11.1

The CSS discards ARP requests from hosts that are not on the same network as
the CSS circuit IP address. Thus, if a CSS and a host are within the same VLAN
but configured for different IP networks, the CSS does not respond to ARP
requests from the host.

Configuring ARP Timeout


To set the time in seconds to hold an ARP resolution result, use the arp timeout
command. When you change the timeout value, it only affects new ARP entries.
All previous ARP entries retain the old timeout value. To remove all entries with
the old timeout value, enter the clear arp cache command.
The timeout value is the number of seconds the CSS holds an ARP resolution
result. To set a timeout period, enter an integer from 60 to 86400 seconds
(24 hours). The default is 14400 seconds (4 hours). If you do not want the ARP
entries to time out, enter none or 86401.
For example:
(config)# arp timeout 120

To restore the default timeout value of 14400 seconds, enter:


(config)# no arp timeout


Configuring ARP Wait


To set the time in seconds to wait for an ARP resolution, use the arp wait
command with a wait time. The wait time is the number of seconds the CSS waits
for an ARP resolution in response to an ARP request to the network. Enter an
integer from 5 to 30 seconds. The default is 5.
For example:
(config)# arp wait 15

To restore the default wait time of 5 seconds, enter:


(config)# no arp wait

Updating ARP Parameters


To update the file containing hosts reachable through ARP, use the update arp
command. This command is available in SuperUser mode. For example:
# update arp file

Clearing ARP Parameters


The CSS enables you to clear ARP parameters for the ARP file or ARP cache. To
clear the file that contains known hosts reachable through ARP, use the clear arp
file command. For example:
# clear arp file

To delete dynamic entries from the ARP cache, use the clear arp cache command
with an IP address or hostname. The syntax and options for this command are:
• clear arp cache - Clear the entire ARP cache
• clear arp cache ip_address - Clear a single ARP IP address entry
• clear arp cache hostname - Clear a single ARP hostname entry
For example:
# clear arp cache


Showing ARP Information


To display ARP information, use the show arp command. The syntax and options
for the command are:
• show arp - Display the complete ARP resolution table with IP addresses,
MAC addresses, and resolution type.
• show arp config - Display ARP global configuration parameters. The screen
displays the response timeout and the flush timeout in seconds.
• show arp file - Display the hosts reachable using ARP. The screen displays
the IP addresses of the host systems.
• show arp ip_address - Display the resolution for the IP address.
• show arp hostname - Display the resolution for the hostname.
To display the complete ARP resolution table, enter:
# show arp

Table 3-1 describes the fields in the show arp output.

Table 3-1 Field Descriptions for the show arp Command

Field        Description
IP Address   The IP address of the system for static mapping.
MAC Address  The MAC address of the system mapped to the IP address.
Type         The resolution type for the entry. Dynamic indicates that
             the entry was discovered through the ARP protocol. Static
             indicates that the resolution is from a static configuration.
Port         The CSS interface configured as the egress logical port.


To display the global ARP configuration, enter:


# show arp config

Table 3-2 describes the fields in the show arp config output.

Table 3-2 Field Descriptions for the show arp config Command

Field                 Description
ARP Response Timeout  The time in seconds to wait for an ARP resolution
                      response before discarding the packet waiting to be
                      forwarded to an address. The time can be from 5 to 30
                      seconds. The default is 5 seconds.
ARP Flush Timeout     The time in seconds to hold an ARP resolution result
                      in the ARP cache. The timeout period can be from 60
                      to 86400 (24 hours). The default is 14400 (4 hours).
                      An entry of none or 86401 indicates that the ARP
                      entries will not time out.

To display the host IP addresses entered at initialization or boot time through
ARP, enter:
# show arp file

To display the resolution for a host IP address, enter:


# show arp 192.50.1.6


Configuring Routing Information Protocol


The CSS enables you to configure the following global Routing Information
Protocol (RIP) attributes:
• rip advertise - Advertise a route through RIP on the CSS
• rip redistribute - Advertise routes from other protocols through RIP
• rip equal-cost - Specify how many equal-cost routes RIP can insert into the
routing table
By default, RIP advertises RIP routes and local routes for interfaces running RIP.
The rip command advertises other routes.

Configuring RIP Advertise


To advertise a route through RIP on the CSS, use the rip advertise command. The
syntax for this command is:
rip advertise ip_address subnet_mask metric
• ip_address - The IP address for the route prefix. Enter an IP address in
dotted-decimal notation (for example, 192.168.1.0).
• subnet_mask - The IP prefix length in CIDR bitcount notation (for example,
/24) or in dot-decimal notation (for example, 255.255.255.0).
• metric - The optional metric to use when advertising this route. Enter a
number from 1 to 15. The default is 1.
For example:
(config)# rip advertise 192.168.1.0/24 9

Note The network does not have to be present in the routing table to be
advertised. The rip advertise command is intended for
advertising Virtual IP addresses (VIPs).

To stop advertising a route through RIP on the CSS, enter:


(config)# no rip advertise 192.168.1.0/24


Configuring RIP Redistribute


To advertise routes from other protocols through RIP, use the rip redistribute
command. By default, RIP advertises RIP routes and local routes for interfaces
running RIP. This command instructs RIP to advertise other routes.
You can configure the following options for rip redistribute:
• rip redistribute firewall metric - Advertise firewall routes through RIP
• rip redistribute local metric - Advertise local routes (interfaces not running
RIP)
• rip redistribute static metric - Advertise static routes
• rip redistribute ospf metric - Advertise OSPF routes
You can also enter an optional metric, which is the metric the CSS uses when
advertising this route. Enter a number from 1 to 15. The default is 1.
For example:
(config)# rip redistribute static 3

To stop advertising routes from other protocols through RIP, use the no form of
the command with the firewall, local, static, or ospf option.
The following commands stop advertising firewall, local, static, and OSPF routes:
(config)# no rip redistribute firewall
(config)# no rip redistribute local
(config)# no rip redistribute static
(config)# no rip redistribute ospf

Configuring RIP Equal-Cost


To set the maximum number of routes RIP can insert into the routing table, use
the rip equal-cost command. Enter a number from 1 to 15. The default is 1. For
example:
(config)# rip equal-cost 4

To reset the number of routes to the default value of 1, enter:


(config)# no rip equal-cost


Showing RIP Configurations


To show a RIP configuration for one IP address or all IP addresses configured in
the CSS, use the show rip command. This command provides the following
options:
• show rip - Displays RIP configurations for all interfaces
• show rip ip_address - Displays a single RIP interface entry
• show rip globals - Displays RIP global statistics
• show rip statistics - Displays RIP interface statistics for all interfaces
• show rip statistics ip_address - Displays RIP interface statistics for a
specific interface
Table 3-3 describes the fields in the show rip output.

Table 3-3 Field Descriptions for the show rip Command

Field           Description
IP Address      The advertised RIP interface address.
State           The operational state of the RIP interface.
RIP Send        The RIP version that the interface sends. The possible field
                values are:
                • none, do not send RIP packets
                • RIPv1, send RIP version 1 packets only
                • RIPv2, send RIP version 2 packets only (default)
RIP Recv        The RIP version that the interface receives. The possible
                values are:
                • both, receiving both version 1 and version 2 (default)
                • none, receiving no RIP packets
                • Ripv1, receiving RIP version 1 packets only
                • Ripv2, receiving RIP version 2 packets only
Default Metric  The default metric used when advertising the RIP interface.
Tx Log          The setting for the logging of RIP packet transmissions
                (enabled or disabled). The default setting is disabled.
Rx Log          The setting for the logging of RIP packets received (enabled
                or disabled). The default setting is disabled.

To display global RIP statistics, enter:


# show rip globals

Table 3-4 describes the fields in the show rip globals output.

Table 3-4 Field Descriptions for the show rip globals Command

Field                Description
RIP Route Changes    The global number of route changes made to the IP
                     route database by RIP
RIP Query Responses  The global number of query responses sent to RIP
                     query from other systems

To display the RIP interface statistics for all RIP interface entries, enter:
# show rip statistics

Table 3-5 describes the fields in the show rip statistics output.

Table 3-5 Field Descriptions for the show rip statistics Command

Field                          Description
System Route Changes           The global number of route changes made to the IP
                               route database by RIP
System Global Query Responses  The global number of query responses sent to RIP
                               query from other systems
IP Address                     The RIP interface IP address
Triggered Updates Sent         The number of triggered RIP updates sent by the
                               interface
Bad Packets Received           The number of bad RIP response packets received
                               by the interface
Bad Routes Received            The number of bad routes in valid RIP packets
                               received by the interface

Configuring Internet Protocol


To enter Internet Protocol (IP) configuration commands for the CSS, use the
ip command. This command is available in configuration mode. The options for
this command are:
• ip record-route - Enable processing of frames with a record-route option
• ip redundancy - Enable CSS-to-CSS redundancy
• ip ecmp - Set the equal-cost multipath selection algorithm

Configuring IP Record-Route
To enable the CSS to process frames with a record-route option, use the ip
record-route command. For example:
(config)# ip record-route

Caution Enabling ip record-route could pose security risks to your network.
Record-route inserts the IP address of each router along a path into
the IP header.

To disable processing frames with a record-route option (the default behavior),
enter:
(config)# no ip record-route


Configuring IP Redundancy
To enable CSS-to-CSS redundancy, use the ip redundancy command. For
example:
(config)# ip redundancy

To disable CSS-to-CSS redundancy, enter:


(config)# no ip redundancy

For information on configuring CSS-to-CSS redundancy, refer to the Content
Services Switch Advanced Configuration Guide, Chapter 5, Configuring
Redundant Content Services Switches.

Configuring IP ECMP
Use the ip ecmp command to set the equal-cost multipath selection algorithm and
the preferred reverse egress path. The syntax and options for this global
configuration mode command are:
• ip ecmp address - Choose among alternate paths based on IP addresses. For
example:
(config)# ip ecmp address

• ip ecmp no-prefer-ingress - Do not prefer the ingress path of a flow for its
reverse egress path. By default, the ingress path for a flow is its preferred
egress path. For example:
(config)# ip ecmp no-prefer-ingress

To reset the ingress path of a flow for its preferred reverse egress path, enter:
(config)# no ip ecmp no-prefer-ingress

• ip ecmp roundrobin - Alternate between equal paths in roundrobin fashion.
For example:
(config)# ip ecmp roundrobin


Note The equal-cost multipath selection algorithm for non-TCP/UDP
packets (for example, ICMP) is applied on a packet-by-packet basis.
Multipath selection for TCP and UDP is performed on a per-flow
basis and all packets for a particular flow take the same path.

ECMP cannot recover a failed router unless you configure a content
rule for a router service.

Configuring an IP Route
A static route consists of a destination network address and mask, as well as the
next hop to reach the destination. You can also specify a default static route (using
0.0.0.0 as the destination network address and a valid next hop address) to direct
frames for which no other destination is listed in the routing table. Default static
routes are useful for forwarding otherwise unrouteable packets by the CSS.
When you configure a static route, the CSS creates an internal service that
periodically polls the configured next hop address with an ICMP echo (or ping)
keepalive. The internal service is called an implicit service. If the router fails, the
CSS removes any entries from the routing table that point to the failed router and
stops sending network traffic to the failed router. When the router recovers, the
CSS:
• Becomes aware of the router
• Reenters applicable routes into the routing table
The implicit service does not determine whether the default or static route
appears in the routing table. That decision is based on the CSS having a viable
ARP entry for the next hop router IP address, so that the CSS can forward traffic
to that destination. The CSS uses the ICMP keepalive as a means to ensure that the
next hop router MAC address is available and current. However, in certain
situations, the next hop router may block ICMP messages transmitted by the CSS,
which results in a failed ICMP keepalive (the ICMP keepalive is in the Down
state). As long as the CSS has the ARP entry of the next hop router, the static
route is still placed in the routing table.


Note The CSS allows you to disable the internal ICMP keepalive through the
ip no-implicit-service command. In this case, if the MAC address for the next
hop is not known to the CSS, the address will not appear in the routing table.

Use the ip route command to configure an IP route. You can configure a static
route, a default static IP route, a blackhole route (where the CSS drops any
packets addressed to the route), or a firewall IP route. Each ip route command
requires either an:
• IP address and a subnet mask prefix - For example, 192.168.1.0/24
or
• IP address and a subnet mask - For example, 192.168.1.0 255.255.255.0
The ip route options are defined below. Note that the examples use the /subnet
mask prefix option.
• ip route IP address subnet mask blackhole - Instructs the CSS to drop any
packets addressed to the route. For example:
(config)# ip route 192.168.1.0/24 blackhole

• ip route IP address subnet mask IP address2 - Specify the next hop address
for the route. For example:
(config)# ip route 0.0.0.0/0 10.0.1.1

• ip route IP address subnet mask IP address2 distance - Specify the
administrative distance. Enter an integer from 1 to 254. Note that the larger
the administrative distance value (more hops), the less the route is preferred.
For example:
(config)# ip route 0.0.0.0/0 10.0.1.1 40

• ip route IP address subnet mask firewall index distance - Configure a
firewall route. The firewall option instructs the CSS to use firewall load
balancing for this route. You can optionally set the administrative distance.
For example:
(config)# ip route 192.168.1.0/24 firewall 3 2


• ip route IP address subnet mask IP address originated-packets - Specifies
that the route is used only by packets that are created using flows or sessions
going to and from the CSS (for example, a Telnet session to the CSS). The
route is not used by flows or sessions that go through the CSS (for example,
between an attached server and a remote client).
The optional originated-packets keyword instructs the CSS to use this route
for flow and session packets going to and from the CSS (for example, a Telnet
session to the CSS). Flows or session packets that go through the CSS (for
example, between an attached server and a remote client) do not use this
route. For example:
(config)# ip route 0.0.0.0/0 10.0.1.1 originated-packets

Note Ping responses and SNMP responses do not use the
originated-response route. Ping requests sent from the CSS use the
originated-response route. Ping responses sent from the CSS do not
use the originated-response route.

The variables are:
• ip_address - The destination network address. Enter the IP address in
dotted-decimal notation (for example, 192.168.11.1).
• subnet_mask - The IP subnet mask. Enter the mask in either:
– CIDR bitcount notation (for example, /24). Do not enter a space to
separate the IP address from the prefix length.
– Dotted-decimal notation (for example, 255.255.255.0).
• ip_address2 - The next hop address for the route. Enter the IP address in
dotted-decimal notation (for example, 192.168.11.1).
• distance - The optional administrative distance. Enter an integer from 1 to
254. A smaller number is preferable. The default value is 1.
• index - An existing index number for the firewall route. For information on
configuring a firewall index, refer to the ip firewall command.
To remove a static route, enter:
(config)# no ip route 0.0.0.0/24 10.0.1.1

To disable the dropping of packets to a black-hole route, enter:


(config)# no ip route 192.168.1.0/24 blackhole

To remove a firewall route, enter:


(config)# no ip route 192.168.1.0/24 firewall 3


Configuring IP Source-Route
To enable processing of source-routed frames, use the ip source-route command.
For example:
(config)# ip source-route

Caution Enabling ip source-route could pose a major security risk to your
network. Source-route specifies information that overrides the
default routing a packet would normally take. The packet could then
bypass a firewall.

To disable processing of source-routed frames (the default behavior), enter:


(config)# no ip source-route

Disabling an Implicit Service for Static Route Next Hop
Use the ip no-implicit-service command when you do not want the CSS to start
an implicit service for the next hop of a static route. By default, the CSS
establishes an implicit (or internal) service for the gateway address when a static
route is defined. The ip no-implicit-service command specifies that no implicit
service is established to the next hop of the static route, which disables the
internal service ICMP keepalive. In this case, if the ARP address for the next hop
is not known to the CSS the address will not appear in the routing table.
The purpose of the implicit service to the next hop of a static route is to monitor
the availability of the next hop to forward data traffic. When the ip
no-implicit-service command is in effect, traffic will be forwarded to the next
hop even when the next hop is unavailable. Because of the possibility of data
being lost if the next hop becomes unavailable, use of the ip no-implicit-service
command is strongly discouraged.

Note Static routes can sometimes appear in the CSS routing table even when you have
an implicit service for the next hop address (the default setting) and the internal
keepalive is down. When the CSS detects the ARP mapping for the next hop in the
static route, the CSS continues to list that route in the routing table regardless of the
state of the ICMP service keepalive (Down or Up).


When you implement the ip no-implicit-service global configuration command,
this action does not affect previously configured static routes. The ip
no-implicit-service command affects only those static routes added after you
enable the command. Cisco Systems recommends you reboot the CSS after you
modify the configuration to ensure all static routes are the same, which is useful
for network monitoring and troubleshooting. If you wish to stop the implicit
service for a previously configured static route, then you must delete and
reconfigure the static route.
For example:
(config)# ip no-implicit-service

To reset the default setting (no implicit service is established to the next hop of
the static route), enter:
(config)# no ip no-implicit-service

Configuring IP Subnet-Broadcast
To enable the CSS to forward subnet broadcast addressed frames, use the
ip subnet-broadcast command.
For example:
(config)# ip subnet-broadcast

To disable forwarding of subnet broadcast addressed frames (the default
behavior), enter:
(config)# no ip subnet-broadcast

Caution Enabling the CSS to forward the subnet broadcast can make the
subnet susceptible to “smurf” attacks; an attacker sends an ICMP
echo request frame using a subnet broadcast address as a destination
and a forged address as the source. If the attack is successful, all the
destination subnet hosts reply to the echo and flood the path back to
the source. By disabling the subnet broadcast forwarding, the
original echo never reaches the hosts.
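
An added example, not part of the Cisco guide: a Python check that reads CSS configuration text and reports which of the options this chapter cautions against (ip record-route, ip source-route, ip subnet-broadcast, ip no-implicit-service) are left enabled. The sample configuration is constructed, and treating lines that begin with "!" as comments is an assumption about the saved file.

```python
import re

# Global-configuration commands this chapter cautions against, each with
# the reason the guide gives. The guide describes all four as off by default.
RISKY_COMMANDS = {
    "ip record-route": "record-route puts each router's address into the IP header",
    "ip source-route": "source-routed frames override normal routing and can bypass a firewall",
    "ip subnet-broadcast": "forwarded subnet broadcasts expose the subnet to smurf floods",
    "ip no-implicit-service": "traffic is still sent to a next hop that is unavailable",
}

# Constructed sample (not from a real device). One line keeps its CLI
# prompt to show that pasted session text is handled as well.
SAMPLE_CONFIG = """\
!*************************** GLOBAL ***************************
  ip record-route
  ip source-route
  ip route 0.0.0.0/0 10.0.1.1
  (config)# ip subnet-broadcast
  no ip source-route
  ip ecmp roundrobin
"""

# Matches a leading "(config)# " style prompt.
PROMPT = re.compile(r"^\(config[^)]*\)#\s*")


def audit_css_config(text):
    """Return {command: reason} for every risky option left enabled.

    Lines are applied in order, so a later "no <command>" cancels an
    earlier "<command>", as it would when typed at the CLI.
    """
    enabled = {}
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        # Assumption: "!" starts a comment or banner line in the saved file.
        if not line or line.startswith("!"):
            continue
        words = line.lower().split()
        negated = words[0] == "no"
        command = " ".join(words[1:] if negated else words)
        if command not in RISKY_COMMANDS:
            continue  # e.g. "ip route ..." or "ip ecmp ..." are not flagged
        if negated:
            enabled.pop(command, None)
        else:
            enabled[command] = RISKY_COMMANDS[command]
    return enabled


if __name__ == "__main__":
    for command, reason in audit_css_config(SAMPLE_CONFIG).items():
        print(f"{command}: {reason}")
```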


Showing IP Information
Use the show ip command to display Internet Protocol (IP) information for the
CSS. Refer to the following sections to display CSS IP information.
• Showing IP Config - Display IP global configuration parameters
• Showing IP Interfaces - Display configured IP interfaces
• Showing IP Routes - Display IP routing information
• Showing IP Statistics - Display aggregate UDP and TCP statistics for the
unit
• Showing IP Summary - Display a summary of IP global statistics

Showing IP Config
Use the show ip config command to display IP global configuration parameters.
The parameters show the state (enabled or disabled) of the source route option,
forward IP broadcasts, record route option, and IP route change logging. The
display also shows the value for the orphaned route timer.
Table 3-6 describes the fields in the show ip config output.

Table 3-6 Field Descriptions for the show ip config Command

Field                               Description
Source Route Option                 Whether the processing of source-routed frames
                                    is enabled or disabled.
Forward IP Broadcasts               Whether the forwarding of IP broadcasts is
                                    enabled or disabled.
Orphaned Route Timer                The setting for the orphaned route timer.
Record Route Option                 Whether the processing with a record-route
                                    option is enabled or disabled.
Multiple Equal Cost Path Algorithm  The setting for the equal-cost multipath
                                    selection algorithm. The possible settings are:
                                    • Address, choose among alternate paths based
                                      on IP addresses
                                    • roundrobin, alternate between equal paths in
                                      roundrobin fashion
IP Route Change Logging             Whether the logging of IP route changes is
                                    enabled or disabled.

Showing IP Interfaces
Use the show ip interfaces command to display configured IP interfaces on the
CSS. The display includes the circuit state, IP address, broadcast address, Internet
Control Message Protocol (ICMP) settings, and Router Discovery Program (RDP)
settings.
Table 3-7 describes the fields in the show ip interfaces output.

Table 3-7 Field Descriptions for the show ip interfaces Command

Field              Description
Circuit Name       The name of the circuit associated with the IP interface.
State              The state of the IP interface. The possible states are:
                   • active (1), the interface is up
                   • disabled (2), the interface is disabled
                   • noCircuit (3), the interface is waiting for an underlying
                     circuit
IP Address         The IP address assigned to the circuit.
Network Mask       The network mask of the circuit.
Broadcast Address  The broadcast IP address associated with the IP interface.
                   If left at zero, the all-ones host is used for numbered
                   interfaces. 255.255.255.255 is always used for
                   unnumbered interfaces.
Redundancy         Indicates whether the redundancy protocol is running on
                   the interface. The default state is disable.
ICMP Redirect      Whether the transmission of Internet Control Message
                   Protocol (ICMP) redirect messages is enabled or disabled.
                   The default state is Enabled.
ICMP Unreachable   Whether the transmission of ICMP “destination
                   unreachable” messages is enabled or disabled. The default
                   state is Enabled.
RIP                Whether the RIP is enabled or disabled.

Showing IP Routes
Use the show ip routes command to display IP routing information. The syntax
and options for this command are:
• show ip routes - Display the entire routing table, including host IP address,
next hop, interface, route type, protocol, age (in seconds), and metric
• show ip routes firewall - Display all firewall routes
• show ip routes local - Display all local routes
• show ip routes ospf - Display all OSPF routes
• show ip routes rip - Display all RIP routes
• show ip routes static - Display all static routes
• show ip routes ip_address or host {to ip_address or host|mask or prefix} -
Display information about a route to a destination, a specific route, or routes
in a range


The variables are:


• ip_address or host - The IP address of the host or network prefix. Enter an IP
address in dotted-decimal notation (for example, 192.168.11.1). The IP
address after the to keyword is the last IP address in a range.
• mask or prefix - Subnet address of the specific network. Enter the subnet
address in mask or prefix notation (for example, /24).
For example, to show all IP routes in the CSS, enter:
# show ip routes

Prefix/Length Next Hop if Type Proto Age Metric


172.16.0.0/16 172.16.59.12/16 14 mgmt local
0.0.0.0/0 192.168.1.206 15 remote rip 5 2
5.0.0.0/8 192.168.1.205 15 remote rip 3 3
6.0.0.0/8 192.168.1.205 15 remote rip 3 3
10.0.0.0/8 192.168.1.205 15 remote rip 3 2
11.0.0.0/8 11.0.3.204 16 local local 840 0
20.0.0.0/8 192.168.1.205 15 remote rip 3 2

Table 3-8 describes the fields in the show ip routes output.

Table 3-8 Field Descriptions for the show ip routes Command

Field          Description
prefix/length  The IP address and prefix length for the route.
next hop       The IP address for the next hop.
if             The ifIndex value that identifies the local interface through
               which the next hop of this route should be reached.
type           The type of the route entry. The possible types are:
               • local, local interface
               • remote, remote destination
               • mgmt, management interface
proto          The protocol for the route.
age            The maximum age for the route.
metric         The metric cost for the route.
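
An added example, not from the Cisco guide: a Python parser for the show ip routes display described in Table 3-8, used to compare a saved baseline with a later capture so that re-pointed or newly learned routes stand out. Both captures are constructed in the column layout shown above, and the function names are this example's own.

```python
import ipaddress

# Constructed captures in the column layout of the "show ip routes" display.
BASELINE = """\
Prefix/Length Next Hop if Type Proto Age Metric
172.16.0.0/16 172.16.59.12/16 14 mgmt local
0.0.0.0/0 192.168.1.206 15 remote rip 5 2
10.0.0.0/8 192.168.1.205 15 remote rip 3 2
11.0.0.0/8 11.0.3.204 16 local local 840 0
"""

# Later capture: the default route points at a different next hop and
# 10.0.0.0/8 has gained a second equal-cost path.
CURRENT = """\
Prefix/Length Next Hop if Type Proto Age Metric
172.16.0.0/16 172.16.59.12/16 14 mgmt local
0.0.0.0/0 192.168.1.250 15 remote rip 5 2
10.0.0.0/8 192.168.1.205 15 remote rip 3 2
10.0.0.0/8 192.168.1.207 15 remote rip 3 2
11.0.0.0/8 11.0.3.204 16 local local 840 0
"""


def parse_routes(text):
    """Parse route rows into dicts; header, prompt and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        try:
            prefix = ipaddress.ip_network(cols[0], strict=False)
            # The management row shows its next hop with a prefix length.
            next_hop = str(ipaddress.ip_address(cols[1].split("/")[0]))
            if_index = int(cols[2])
            # Age and metric are absent on some rows (the mgmt row above).
            age = int(cols[5]) if len(cols) > 5 else None
            metric = int(cols[6]) if len(cols) > 6 else None
        except ValueError:
            continue  # not a route row
        routes.append({
            "prefix": prefix, "next_hop": next_hop, "if": if_index,
            "type": cols[3], "proto": cols[4], "age": age, "metric": metric,
        })
    return routes


def _paths_by_prefix(routes):
    """Map each prefix to its set of (next hop, protocol) pairs.

    A set is used because equal-cost routes give one prefix several rows.
    """
    table = {}
    for r in routes:
        table.setdefault(r["prefix"], set()).add((r["next_hop"], r["proto"]))
    return table


def route_changes(baseline, current):
    """Return (prefix, paths_before, paths_after) for every prefix whose paths differ."""
    old, new = _paths_by_prefix(baseline), _paths_by_prefix(current)
    order = lambda n: (n.version, int(n.network_address), n.prefixlen)
    changes = []
    for prefix in sorted(set(old) | set(new), key=order):
        before, after = old.get(prefix, set()), new.get(prefix, set())
        if before != after:
            changes.append((str(prefix), sorted(before), sorted(after)))
    return changes


if __name__ == "__main__":
    for prefix, before, after in route_changes(parse_routes(BASELINE), parse_routes(CURRENT)):
        print(prefix, before, "->", after)
```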


Showing IP Statistics
Use the show ip statistics command to display aggregate TCP statistics for the
unit. Table 3-9 describes the fields in the show ip statistics output.

Table 3-9 Field Descriptions for the show ip statistics Command

Field Description
UDP Statistics:
Input Datagrams: The total number of UDP datagrams delivered to UDP
users.
No Port Errors: The total number of received UDP datagrams for
which there was no application at the destination port.
Output Datagrams: The total number of UDP datagrams sent from the
CSS.
Input Errors: The number of received UDP datagrams that could not
be delivered for reasons other than the lack of an
application at the destination port.
TCP Statistics:
Retransmit The algorithm used to determine the timeout value for
Algorithm: retransmitting unacknowledged octets.
Max Retransmit The maximum value permitted by a TCP
Time: implementation for the retransmission timeout,
measured in milliseconds.
Active Opens: The number of times TCP connections have made a
direct transition to the SYN-SENT state from the
CLOSED state.
Failed Attempts: The number of times TCP connections have made a
direct transition to the CLOSED state from either the
SYN-SENT state or the SYN-RCVD state, plus the
number of times TCP connections have made a direct
transition to the LISTEN state from the SYN-RCVD
state.
Established Conns: The number of TCP connections for which the current
state is either ESTABLISHED or CLOSE-WAIT.

Output Segments: The total number of segments sent, including those on
current connections but excluding those containing
only retransmitted octets.
Input Errors: The total number of segments received in error (for
example, bad TCP checksums).
Min Retransmit Time: The minimum value permitted by a TCP
implementation for the retransmission timeout,
measured in milliseconds.
Max TCP Connections: The limit on the total number of TCP connections the
CSS can support.
Passive Opens: The number of times TCP connections have made a
direct transition to the SYN-RCVD state from the
LISTEN state.
Resets: The number of times TCP connections have made a
direct transition to the CLOSED state from either the
ESTABLISHED state or the CLOSE-WAIT state.
Input Segments: The total number of segments received, including
those received in error. This count includes segments
received on currently established connections.
Retransmit Segments: The total number of segments retransmitted, that is,
the number of TCP segments transmitted containing
one or more previously transmitted octets.
Output Resets: The number of TCP segments sent containing the RST
flag.
ICMP Statistics:
Echo Requests In: The number of received ICMP Echo (request)
messages.
VIP Echo Requests: The sending Echo request count for the VIP.
Unreachable: The number of received ICMP Destination
Unreachable messages.
Redirect: The number of received ICMP Redirect messages.

Router Solicit: The number of received ICMP router solicitation
packets.
Param Problem: The number of received ICMP Parameter Problem
messages.
Timestamp Reply: The number of sent ICMP Timestamp Reply
messages.
Information Reply: The number of received ICMP reply packets.
Mask Reply: The number of received ICMP Address Mask Reply
messages.
Echo Replies In: The number of received ICMP Echo reply messages.
VIP Echo Replies: The sending Echo replies in response to echoes for the
VIP.
Source Quench: The number of received ICMP Source Quench
messages.
Router Adv: The number of received ICMP router advertisement
packets.
Time Exceeded: The number of received ICMP Time Exceeded
messages.
Timestamp: The number of sent ICMP Timestamp (request)
messages.
Information Request: The number of received ICMP information request
packets.
Mask Request: The number of sent ICMP Address Mask Request
messages.
Invalid: The number of received bad ICMP type packets.
ARP Statistics:
Requests In: The number of received ARP request packets.
Requests Out: The sending ARP request packet count.

Duplicate Addr: The number of received ARP packets in which a duplicate
IP address was detected. This can be the local IP
address, VIP, or virtual interface.
Invalid: The number of invalid or bad ARP packets.
Replies In: The number of received ARP reply packets.
Replies Out: The sending ARP reply packet count.
In Off Subnet: The number of received ARP packets with sender or
target addresses outside of the subnet range of the
receiving interface.
Unresolved: The number of processed IP frames with unresolved
next hop MAC addresses.

Showing IP Summary
Use the show ip summary command to display a summary of IP global statistics.
The statistics include data on reachable and total routes, reachable and total hosts,
memory in use for each, and total IP routing memory in use.
Table 3-10 describes the fields in the show ip summary output.

Table 3-10 Field Descriptions for the show ip summary Command

Field Description
Reachable Routes The current number of reachable routes.
Total Routes The current number of routes maintained, both reachable
and unreachable.
Reachable Hosts The current number of reachable host entries.
Total Hosts The current number of host entries, both reachable and
unreachable.
Total Memory in use - IP Routing Memory Pool The total amount of memory in
bytes allocated for the IP routing table. When there are no additional free
entries in the memory pool, more memory is allocated to the pool.


Configuring Bridging for the CSS


You can configure the following bridge command options for the CSS:
• bridge aging-time - Set the bridge filtering database aging time
• bridge forward-time - Set the bridge forward delay time
• bridge hello-time - Set the bridge hello time interval
• bridge max-age - Set the bridge spanning-tree maximum age
• bridge priority - Set the bridge spanning-tree priority
• bridge spanning-tree - Enable or disable the bridge spanning-tree

Configuring Bridge Aging-Time


To set the bridge filtering database aging time for the CSS, use the bridge
aging-time command. The aging time is the timeout period in seconds for aging
out dynamically learned forwarding information. Enter an integer from 10 to
1000000. The default is 300.
For example, to set the bridge aging time to 600, enter:
(config)# bridge aging-time 600

To restore the default aging time of 300, enter:


(config)# no bridge aging-time

Configuring Bridge Forward-Time


To set the bridge forward delay time, use the bridge forward-time command. The
forward time is the delay time in seconds that all bridges use for forward delay
when this bridge is acting as the root. Enter an integer from 4 to 30. The default
is 4.

Note Make sure that bridge maximum age is less than or equal to 2 x
(bridge forward-time - 1 second) and greater than or equal to 2 x
(bridge hello-time + 1 second).


For example, to set the bridge forward time to 9, enter:


(config)# bridge forward-time 9

To restore the default delay time of 4, enter:


(config)# no bridge forward-time

Configuring Bridge Hello-Time


To set the bridge hello time interval, use the bridge hello-time command. The
hello time is the time in seconds that all bridges use when this bridge is acting as
the root. Enter an integer from 1 to 10. The default is 1.
For example, to set the bridge hello time to 9, enter:
(config)# bridge hello-time 9

To restore the default hello time interval of 1, enter:


(config)# no bridge hello-time

Configuring Bridge Max-Age


To set the bridge spanning-tree maximum age, use the bridge max-age command.
The maximum age is the time in seconds that all bridges use when this bridge is
acting as the root. Enter an integer from 6 to 40. The default is 6.

Note Make sure that bridge maximum age is greater than or equal to 2 x
(bridge hello-time + 1 second) and less than or equal to 2 x (bridge
forward-time - 1 second).

For example, to set the bridge maximum age to 21, enter:


(config)# bridge max-age 21

To restore the default maximum age of 6, enter:


(config)# no bridge max-age
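
The ranges and the max-age rule given in the notes above can be checked before the commands are entered on the CSS. The following Python is an added example, not part of the Cisco guide or the CSS software; the function names are hypothetical and the input is a constructed list of commands as they would be typed at the (config)# prompt.

```python
# Added example (not Cisco code): lint CSS bridge commands against the
# ranges, defaults and max-age rule stated in this chapter.

# option: (minimum, maximum, default), as given in the sections above
BRIDGE_OPTIONS = {
    "aging-time": (10, 1000000, 300),
    "forward-time": (4, 30, 4),
    "hello-time": (1, 10, 1),
    "max-age": (6, 40, 6),
    "priority": (0, 65535, 32768),
}


def effective_bridge_settings(commands):
    """Apply bridge commands in the order typed at the (config)# prompt.

    Returns (settings, errors). 'no bridge <option>' restores the default;
    a malformed or out-of-range value is reported and not applied.
    """
    settings = {name: spec[2] for name, spec in BRIDGE_OPTIONS.items()}
    errors = []
    for line in commands:
        words = line.split("#", 1)[-1].split()  # drop a leading "(config)#"
        negate = words[:1] == ["no"]
        if negate:
            words = words[1:]
        if len(words) < 2 or words[0] != "bridge" or words[1] not in BRIDGE_OPTIONS:
            continue  # e.g. "bridge spanning-tree enable" is not checked here
        option = words[1]
        low, high, default = BRIDGE_OPTIONS[option]
        if negate:
            settings[option] = default
        elif len(words) != 3 or not words[2].isdecimal():
            errors.append(f"{option}: expected one integer value")
        elif not low <= int(words[2]) <= high:
            errors.append(f"{option}: {words[2]} is outside {low}-{high}")
        else:
            settings[option] = int(words[2])
    return settings, errors


def check_max_age_rule(settings):
    """Check 2 x (hello-time + 1) <= max-age <= 2 x (forward-time - 1)."""
    lower = 2 * (settings["hello-time"] + 1)
    upper = 2 * (settings["forward-time"] - 1)
    max_age = settings["max-age"]
    problems = []
    if max_age < lower:
        problems.append(f"max-age {max_age} < 2 x (hello-time + 1) = {lower}")
    if max_age > upper:
        problems.append(f"max-age {max_age} > 2 x (forward-time - 1) = {upper}")
    return problems


if __name__ == "__main__":
    # Constructed input: the three example values from this chapter, combined.
    sample = [
        "(config)# bridge forward-time 9",
        "(config)# bridge hello-time 9",
        "(config)# bridge max-age 21",
    ]
    settings, errors = effective_bridge_settings(sample)
    for message in errors + check_max_age_rule(settings):
        print("WARNING:", message)
```

With hello-time 9 and forward-time 9, the rule requires a max-age of at least 20 and at most 16, so no max-age value is valid for that pair of settings.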


Configuring Bridge Priority for the CSS


To set the priority that spanning tree uses to choose the root bridge in the network,
use the global bridge priority command. In spanning tree, the 2-octet priority field
is prepended to the 6-octet MAC address to form an 8-octet bridge identifier. The
device with the lowest bridge identifier is considered the highest priority bridge
and becomes the root bridge. The range for bridge priority is 0 to 65535. The
default is 32768.
For example:
(config)# bridge priority 1700

To restore the bridge priority to its default of 32768, enter:


(config)# no bridge priority

Enabling and Disabling Bridge Spanning-Tree


Bridge spanning-tree is enabled by default. To disable spanning-tree, enter:
(config)# bridge spanning-tree disable

Caution Disabling spanning-tree may make your network susceptible to
packet storms.

Note When spanning-tree is disabled, the CSS drops Bridge Protocol Data
Units (BPDUs).

To reenable bridge spanning-tree, enter:


(config)# bridge spanning-tree enable


Showing Bridge Configurations


The CSS enables you to show the bridge forwarding and bridge status
information.
To display bridge forwarding information, use the show bridge forwarding
command. Table 3-11 describes the fields in the show bridge forwarding output.

Table 3-11 Field Descriptions for the show bridge forwarding Command

Field Description
VLAN The bridge interface virtual LAN number
MAC Address The MAC address for the entries
Port Number The port number for the forwarding

To display bridge status information, use the show bridge status command.
Table 3-12 describes the fields in the show bridge status output.

Table 3-12 Field Descriptions for the show bridge status Command

Field Description
STP State The state of the spanning-tree protocol, enabled or disabled.
Root Max Age The timeout period in seconds of the host for timing out root
information.
Root Hello Time The interval in seconds that the root broadcasts its hello
message to other devices.
Root Fwd Delay The delay time in seconds that the root uses for forward
delay.
Designated Root The bridge ID for the designated root.
Bridge ID The bridge ID of this bridge.
Port The port ID.

State The state of the port. The possible states are:
• Block, the blocking state. A port enters the blocking
state after switch initialization. The port does not
participate in frame forwarding.
• Listen, the listening state. This state is the first
transitional state a port enters after the blocking state.
The port enters this state when STP determines that the
port should participate in frame forwarding.
• Learn, the learning state. The port enters the learning
state from the listening state. The port in the learning
state prepares to participate in frame forwarding.
• Forward, the forwarding state. The port enters the
forwarding state from the learning state. A port in the
forwarding state forwards frames.
• Disabled, the disabled state. A port in the disabled state
does not participate in frame forwarding or STP. A port
in the disabled state is non operational.
Designated Bridge The bridge ID for the designated bridge.
Designated Root The bridge ID for the designated root.
Root Cost The cost of the root.
Port Cost The cost of the port.
Desg Port Designated port.


Configuring Secure Shell Daemon


Secure Shell Daemon (SSHD) is a server program designed to log into another
computer over a network, execute commands in a remote machine, and move files
from one machine to another machine. It provides strong authentication and
secure communications over non-secure channels. SSHD is intended as a
replacement for rlogin, rsh, and rcp.

Note This feature requires an SSHD Server License, which enables SSHD
functionality on both the Standard and Enhanced versions of CSS
software.

SSHD protects against:


• Attacks from machines pretending to be another server, router, or a domain
name server
• IP spoofing, where a remote host sends out packets that pretend to come from
another trusted host
• IP source routing, where a host can pretend that an IP packet comes from
another trusted host
• DNS spoofing, where an attacker forges name server records
• Interception of clear text passwords or data on the network
• Manipulation of data by people in control of intermediate hosts

Note To enhance security when using SSHD, disable Telnet access. To
disable Telnet access, use the telnet-access disable command as
described later in this chapter. Telnet access is enabled by default.

The CSS provides the following SSHD commands:


• sshd keepalive - Enable SSHD keepalive
• sshd port - Set the SSHD port
• sshd server-keybits - Set the number of bits in the server key


For more information on these options and associated variables, refer to the
following sections:
• Configuring SSHD Keepalive
• Configuring SSHD Port
• Configuring SSHD Server-Keybits
• Disabling and Enabling Telnet Access when using SSHD

Configuring SSHD Keepalive


To enable SSHD keepalive, use the sshd keepalive command. SSHD keepalive is
enabled by default.
For example, to enable SSHD keepalive:
(config)# sshd keepalive

To disable the SSHD keepalive, enter:


(config)# no sshd keepalive

Configuring SSHD Port


To set the port number on which the server listens for connections from clients,
use the sshd port command. Enter a port number from 22 to 65535. The default
is 22.
For example, to configure port number 57:
(config)# sshd port 57

To reset the port number to the default of 22, enter:


(config)# no sshd port


Configuring SSHD Server-Keybits


To set the number of bits in the server key, use the sshd server-keybits command.
Enter the number of bits from 512 to 65535. The default is 768.
For example, to set the number of bits to 919:
(config)# sshd server-keybits 919

To reset the number of bits to the default of 768, enter:


(config)# no sshd server-keybits

Disabling and Enabling Telnet Access when using SSHD


When you use SSHD, you may wish to disable non-secure Telnet access to the
CSS. Use the global restrict telnet command to disable Telnet access to the CSS.
Telnet access is enabled by default.
For example, to disable Telnet access, enter:
(config)# restrict telnet

To reenable Telnet access to the CSS, enter:


(config)# no restrict telnet


Showing SSHD Configurations


To display SSHD configurations, use the show sshd config command. Table 3-13
describes the fields in the show sshd config output.

Table 3-13 Field Descriptions for the show sshd config Command

Field Description
Keepalive Setting Whether or not SSHD keepalive is enabled. SSHD
keepalive is enabled by default.
No. of Server Key Bits The number of bits in the server key. The default is
768. The range is from 512 to 65535.
Listen Port No. The port number on which the server listens for connections
from clients. The default is 22. The range is from 22 to
65535.
Telnet Disallowed Whether or not Telnet access to the CSS is allowed.
Telnet access is enabled by default.
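
The SSHD and Telnet settings described in the sections above can be reviewed offline from a saved list of commands. The following Python is an added example, not part of the Cisco guide or the CSS software; the function names are hypothetical, the input is a constructed list of commands as typed at the (config)# prompt, and min_keybits is a hypothetical site-policy value that does not come from this guide.

```python
import re

# Defaults and ranges as stated in this chapter.
DEFAULTS = {
    "sshd keepalive": True,
    "sshd port": 22,
    "sshd server-keybits": 768,
    "restrict telnet": False,  # Telnet access is enabled by default
}
RANGES = {"sshd port": (22, 65535), "sshd server-keybits": (512, 65535)}

# Optional prompt, optional "no", one of the four commands, optional integer.
COMMAND = re.compile(
    r"^(?:\S*#\s*)?(?P<no>no\s+)?"
    r"(?P<name>sshd keepalive|sshd port|sshd server-keybits|restrict telnet)"
    r"(?:\s+(?P<value>\d+))?$"
)


def remote_access_settings(commands):
    """Return (settings, rejected) after applying the commands in order.

    For the numeric options, 'no ...' restores the default; for the two
    on/off options, 'no ...' switches the option off. Values outside the
    documented range are listed in rejected and not applied.
    """
    settings = dict(DEFAULTS)
    rejected = []
    for line in commands:
        match = COMMAND.match(line.strip())
        if match is None:
            continue  # not one of the commands covered here
        name, value = match["name"], match["value"]
        if name in RANGES:
            low, high = RANGES[name]
            if match["no"]:
                settings[name] = DEFAULTS[name]
            elif value is not None and low <= int(value) <= high:
                settings[name] = int(value)
            else:
                rejected.append(line.strip())
        elif value is None:
            settings[name] = not match["no"]
        else:
            rejected.append(line.strip())
    return settings, rejected


def audit_remote_access(settings, min_keybits=1024):
    """Return findings for the two points a reviewer would check first.

    min_keybits is a hypothetical site-policy threshold, not a value
    taken from the guide.
    """
    findings = []
    if not settings["restrict telnet"]:
        findings.append("Telnet access is allowed alongside SSHD")
    if settings["sshd server-keybits"] < min_keybits:
        findings.append(
            f"server key is {settings['sshd server-keybits']} bits, "
            f"below the site minimum of {min_keybits}"
        )
    return findings


if __name__ == "__main__":
    # Constructed input: only the listen port was changed from its default.
    settings, rejected = remote_access_settings(["(config)# sshd port 57"])
    for finding in audit_remote_access(settings):
        print("FINDING:", finding)
```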

Configuring Opportunistic Layer 3 Forwarding


The CSS opportunistic Layer 3 forwarding feature allows the CSS to reduce the
number of network device hops for certain packets or flows. In regular Layer 3
forwarding, the CSS forwards packets at Layer 3 only if the destination MAC address
in the Ethernet header is the CSS’s MAC address. Opportunistic Layer 3 forwarding
allows the CSS to make Layer 3 forwarding decisions even if the Layer 2 packet
destination MAC address does not belong to the CSS.
For example, Figure 3-1 shows a CSS connected to VLAN1 and VLAN2. Each
VLAN has an end station and an uplink to Router1. End stations A and B both
point to Router1 as their default router. When end station A transmits a packet to
end station B, it uses its default route to Router1. The packet contains Router1’s
MAC address as its destination MAC address. A traditional Layer 2 device would
forward the packet to Router1, and Router1 would then forward the packet to end
station B on VLAN2.


Using opportunistic Layer 3 forwarding, the CSS inspects the IP packet header to
determine the destination IP address. Instead of forwarding the packet to Router1,
the CSS forwards the packet directly to end station B. Because the CSS only
handles the packet once, the router and uplink are not used and network resources
are conserved.

Figure 3-1 Opportunistic Layer 3 Forwarding Example
[Figure not reproduced. Labels: Internet, Router1 (default), Subnet, CSS, VLAN1, VLAN2, End Station A, End Station B.]


Opportunistic Layer 3 forwarding provides three modes of operation:


• local (default) - Apply opportunistic Layer 3 forwarding if the destination IP
address belongs to a node that resides on one of the subnets directly attached
to the CSS and the CSS knows an ARP resolution for that node. Because the
local option is the default, use the no ip opportunistic command to
reconfigure ip opportunistic to local.
• all - Apply opportunistic Layer 3 forwarding if the destination IP address
matches any routing entry on the CSS. This mode is not recommended if the
topology includes multiple routers and the CSS does not know all of the
routes that the routers know.
• disabled - The CSS does not perform opportunistic Layer 3 forwarding.
Regular Layer 3 forwarding is performed only for packets that contain the
CSS’s destination MAC address.
For example, to configure ip opportunistic Layer 3 forwarding to all, enter:
(config)# ip opportunistic all

To reconfigure ip opportunistic Layer 3 forwarding to the default of local, enter:


(config)# no ip opportunistic

When you configure ip opportunistic all, you can use the ip route
originated-packets command to configure routes that the CSS will use to reach
devices, but will not use as opportunistic routes for forwarding traffic. Routes
created using the ip route originated-packets command apply only to packets
that originate on the CSS. Packets and flows forwarded by the CSS will not use
these routes.
For example,
(config)# ip route 0.0.0.0/0 192.168.1.7 originated-packets
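
The three modes and the effect of an originated-packets route can be modeled as a per-frame decision. The following Python is an added example, not part of the Cisco guide or the CSS software; the function name, the MAC addresses, the subnets and the host addresses are constructed for illustration, and only the default route via 192.168.1.7 comes from the command above.

```python
import ipaddress

# Constructed sample topology, loosely following Figure 3-1.
CSS_MAC = "00:10:58:00:00:01"
ROUTER1_MAC = "00:10:58:00:00:fe"
ATTACHED_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24"]   # VLAN1, VLAN2
ARP_TABLE = {"192.168.2.20": "00:10:58:00:00:0b"}         # end station B
# (prefix, next hop, originated-packets only)
ROUTES = [
    ("192.168.1.0/24", None, False),
    ("192.168.2.0/24", None, False),
    ("0.0.0.0/0", "192.168.1.7", True),
]


def forwarding_decision(mode, dst_mac, dst_ip, css_mac,
                        attached_subnets, arp_table, routes):
    """Return 'layer3', 'opportunistic' or 'layer2' for one received frame.

    'layer3' is regular Layer 3 forwarding (frame addressed to the CSS),
    'opportunistic' is Layer 3 forwarding of a frame addressed to another
    device, and 'layer2' means the frame is bridged toward its
    destination MAC address.
    """
    if dst_mac.lower() == css_mac.lower():
        return "layer3"
    address = ipaddress.ip_address(dst_ip)
    if mode == "local":
        # Destination must be on a directly attached subnet AND have a
        # known ARP resolution.
        attached = any(address in ipaddress.ip_network(net)
                       for net in attached_subnets)
        return "opportunistic" if attached and dst_ip in arp_table else "layer2"
    if mode == "all":
        # Any routing entry qualifies, except routes reserved for packets
        # that originate on the CSS.
        for prefix, _next_hop, originated_only in routes:
            if not originated_only and address in ipaddress.ip_network(prefix):
                return "opportunistic"
        return "layer2"
    if mode == "disabled":
        return "layer2"
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    # End station A sends to end station B through its default router.
    for mode in ("local", "all", "disabled"):
        print(mode, forwarding_decision(mode, ROUTER1_MAC, "192.168.2.20",
                                        CSS_MAC, ATTACHED_SUBNETS,
                                        ARP_TABLE, ROUTES))
```

If the default route in ROUTES were not marked originated-packets, every destination would match it in all mode and the CSS would forward all such traffic itself instead of passing it to Router1.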

Where to Go Next
For information on configuring circuits and interfaces, refer to Chapter 4,
Configuring Interfaces and Circuits.

Chapter 4
Configuring Interfaces and Circuits

This chapter describes how to configure the CSS interfaces and circuits, and
bridge interfaces to VLANs. Information in this chapter applies to all CSS models
except where noted.
This chapter contains the following sections:
• Interface and Circuit Overview
• Configuring Interfaces
• Configuring Circuits
• Configuring a Circuit IP Interface
• Configuring RIP for an IP Interface

Interface and Circuit Overview


The CSS provides Ethernet interfaces (ports) that enable you to connect servers,
PCs, routers, and other devices to the CSS.
Using the bridge command, you bridge (assign) the interfaces to a specific Virtual
LAN (VLAN). Each VLAN circuit requires an IP address. Assigning an IP
address to each VLAN circuit allows the CSS to route Ethernet interfaces from
VLAN to VLAN.


Using the trunk command, you can assign multiple VLANs to a CSS interface
port (Gigabit Ethernet ports only). A trunk is a point-to-point link carrying the
traffic of several VLANs (as illustrated in Figure 4-2). The advantage of a trunk is to
save ports when creating a link between two devices implementing VLANs, typically
two switches. A trunk bundles virtual links over one physical link. The unique
physical link between the two CSSs is able to carry traffic for the specified VLANs.

Note The trunk and vlan commands (and the associated software
functionality) comply with the IEEE 802.1Q Standard for Local and
Metropolitan Area Networks: Virtual Bridged Local Area Networks.

The CSS forwards VLAN circuit traffic to the IP interface. The IP interface passes
the traffic to the IP forwarding function where the CSS compares the destination
of each packet to information contained in the routing table. Once the CSS
resolves the packet addresses, it forwards the packet to the appropriate VLAN and
destination port.
When trunking is enabled, the CSS automatically inserts a tag in every frame
transmitted over the trunk link to identify the originating VLAN. When the
VLAN-aware device receives the frame, the device reviews the VLAN-tagged
packet to identify the transmitting VLAN. If the VLAN is recognized, the frame is
routed to the proper port and VLAN destination. If the frame is from a VLAN that is
not assigned to the trunk port, the packet is ignored. By default, the CSS discards
untagged packets.

Note A VLAN-tagged frame is a frame that contains a 4-byte Tag Header
immediately following the Source MAC address field in the frame.
Each VLAN-tagged frame carries an explicit identification of the
VLAN to which it belongs.

Note that on an 802.1Q trunk, you may configure one VLAN (using the optional
default-vlan command) to:
• Accept packets that arrive untagged on the interface
• Transmit untagged packets
By this method, the CSS can determine which VLAN transmitted an untagged
frame. This capability allows VLAN-aware devices and VLAN-unaware devices
to transmit and receive information on the same cable.
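
The tag handling described above, including the default-vlan case for untagged frames, is shown below at the byte level. The following Python is an added example, not part of the Cisco guide or the CSS software; the function names and the sample frame are constructed, and the tag layout (EtherType 0x8100 followed by a 2-byte tag control field whose low 12 bits are the VLAN ID) is the IEEE 802.1Q format rather than anything specific to the CSS.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag header

# Constructed untagged frame: destination MAC, source MAC, EtherType IPv4,
# then 46 zero bytes standing in for the payload.
UNTAGGED = bytes.fromhex("00105a000002" "00105a000001" "0800") + bytes(46)


def vlan_id_of(frame):
    """Return the VLAN ID carried in the frame, or None if it is untagged.

    The 4-byte tag header sits right after the 6-byte destination and
    6-byte source MAC addresses, that is, at byte offset 12.
    """
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag header")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the tag control field


def add_vlan_tag(frame, vlan_id):
    """Insert a 4-byte tag header after the source MAC address."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN identifier must be from 1 to 4094")
    tag = struct.pack("!HH", TPID_8021Q, vlan_id)  # priority bits left at 0
    return frame[:12] + tag + frame[12:]


def trunk_receive(frame, trunk_vlans, default_vlan=None):
    """Return the VLAN a received frame is accepted on, or None if dropped.

    Untagged frames are discarded unless a default VLAN is configured.
    Tagged frames are accepted only for VLANs assigned to the trunk port.
    A VLAN ID of 0 is not discussed in the guide and is treated here like
    any other unassigned VLAN (assumption).
    """
    vid = vlan_id_of(frame)
    if vid is None:
        return default_vlan
    return vid if vid in trunk_vlans else None


def trunk_transmit(frame, vlan_id, trunk_vlans, default_vlan=None):
    """Return the bytes sent on the trunk for an untagged frame in vlan_id."""
    if vlan_id not in trunk_vlans:
        raise ValueError(f"VLAN {vlan_id} is not assigned to this trunk")
    # Frames in the default VLAN leave untagged; all others carry a tag.
    return frame if vlan_id == default_vlan else add_vlan_tag(frame, vlan_id)


if __name__ == "__main__":
    trunk = {2, 3}
    print(trunk_receive(add_vlan_tag(UNTAGGED, 2), trunk))   # 2
    print(trunk_receive(add_vlan_tag(UNTAGGED, 5), trunk))   # None
    print(trunk_receive(UNTAGGED, trunk))                    # None
    print(trunk_receive(UNTAGGED, trunk, default_vlan=2))    # 2
```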


Figure 4-1 illustrates the interfaces, circuits, and VLANs in a CSS and Figure 4-2
illustrates trunking between VLANs.

Figure 4-1 Content Services Switch Interfaces and Circuits
[Figure not reproduced. It shows IP Forwarding (Layer 3) and three VLANs, each with a circuit IP interface, a bridging domain, and interface ports:
• VLAN1: IP interface for VLAN 1 10.3.6.58, bridging domain vlan 1, interface ports e1, e2, e3, e4
• VLAN2: IP interface for VLAN 2 10.3.6.59, bridging domain vlan 2, interface ports e5, e7, e9, e11
• VLAN3: IP interface for VLAN 3 10.3.6.60, bridging domain vlan 3, interface ports e6, e8, e10, e12]

Figure 4-2 Interface Trunking Between VLANs
[Figure not reproduced. Labels: CSS 1 and CSS 2, each with VLAN1 and VLAN2, joined by a trunk labeled VLAN1 and VLAN2.]


Interface and Circuit Configuration Quick Start


Table 4-1 provides a quick overview of the steps required to configure interfaces
and circuits. Each step includes the CLI command required to complete the task.
For a complete description of each feature and all the options associated with the
CLI command, refer to the sections following Table 4-1.

Table 4-1 Interface and Circuit Configuration Quick Start

Task and Command Example


1. Log into the CSS.
2. Enter into config mode by typing config.
# config
(config)#
3. Enter into the interface mode for the interface you wish to configure.
This set of interface commands applies to the CSS 11050 and CSS 11150.
CSS11150(config)# interface e1
CSS11150(config-if[e1])#

This set of interface commands applies to the CSS 11800.


CSS11800(config)# interface 2/1
CSS11800(config-if[2/1])#
4. Configure the interface duplex and speed if required (default is
auto-negotiate).
CSS11800(config-if[2/1])# phy 1Gbits-FD-no-pause
5. Bridge the interface to a VLAN. All interfaces are assigned to VLAN1 by
default.
CSS11800(config-if[2/1])# bridge vlan 2
6. Enable trunking for a CSS Gigabit Interface (optional).
CSS11800(config-if[2/1])# trunk
CSS11800(config-if[2/1])# vlan 2
Create VLAN<2>, [y/n]:y
CSS11800(config-if-vlan[2/1-2])# vlan 3
Create VLAN<3>, [y/n]:y
CSS11800(config-if-vlan[2/1-3])#


7. Display all circuit information for circuits that are currently active
(optional).
CSS11800(config-if[2/1])# show circuit all
8. Display the interface configuration (optional).
CSS11800(config-if[2/1])# show interface
CSS11800(config-if[2/1])# exit
9. Configure circuits as required. Assign an IP address and subnet mask to each
circuit.
CSS11800(config)# circuit VLAN1
CSS11800(config-circuit[VLAN1])# ip address 10.3.6.58/24
CSS11800(config)# circuit VLAN3
CSS11800(config-circuit[VLAN3])# ip address 10.3.6.60/24
CSS11800(config-circuit-ip[VLAN3-10.3.6.60])# exit
10. Display the circuit configuration (optional).
CSS11800(config-circuit[VLAN1])# show circuit all
11. Save your configuration changes (recommended). If you do not save the
running-config, all configuration changes are lost upon reboot.
CSS11800(config)# copy running-config startup-config


Configuring Interfaces
Interfaces are ports that enable you to connect devices to the CSS and connect the
CSS to the Internet. The commands to configure interfaces on the CSS 11050 and
CSS 11150 differ slightly from the commands to configure interfaces on the
CSS 11800 because the CSS 11800 requires a slot/port designation. The CSS
11050 and CSS 11150 do not use the slot/port designation.
Configuring an interface requires you to:
• Configure an interface and enter into the interface mode
• Add a description of the interface (optional)
• Configure an interface duplex and speed
• Set the maximum idle time for the interface
• Bridge the interface to a VLAN, or specify VLAN trunking to the interface
• Configure the low water mark of flow control blocks (optional)
• Smooth bursty network traffic on the CSS 11800 Gigabit Ethernet Module
(optional)

Note Only use the gem-traffic-bursty command when it is
necessary to smooth bursty traffic (when traffic bursts over
a rate of 16 Gbps for short intervals) on the CSS 11800
Gigabit Ethernet Modules for applications that are sensitive
to packet loss.

Configuring an Interface
To configure an interface, enter the interface command and a valid interface
name. To use the interface command for a:
• CSS 11050 or CSS 11150, enter the interface name in interface port format
(for example, e2)
• CSS 11800, enter the interface name in slot/port format (for example, 3/1)


For example, to configure interface e1 on a CSS 11050 or CSS 11150, access
interface mode for e1 by entering:
(config)# interface e1

The CSS changes from config mode to the specific interface mode.
(config-if[e1])#

Entering a Description for the Interface


To help you to identify the interface, use the description command to describe the
interface. Enter a quoted text string from 1 to 255 characters in length including
spaces.
For example:
(config-if[e1])# description "Connects to server17"

To display an interface description, use the show running-config interface
command. For example:
(config-if[e1])# show running-config interface e11

!************************ INTERFACE ************************


interface e11
description "Connects to server17"
bridge vlan 2

To remove an interface description, enter:


(config-if[e1])# no description

Configuring Interface Duplex and Speed


Use the phy command to configure the speed or flow control (pause) method and
duplex for a CSS Fast Ethernet or Gigabit Ethernet interface (port), respectively.
By default, the port is configured to auto-negotiate. Auto-negotiate enables the
port to detect the speed or pause method, and duplex of incoming signals and
synchronize with them automatically.
For Fast Ethernet modules (FEM), when older equipment cannot transmit the
duplex and speed with its signals, you can configure the speed and duplex on the
port to match the transmitting equipment.


For Gigabit Ethernet modules (GEM), if the link does not come up and you need
to force the module and its link partner into a specific mode, you can set the
duplex and flow control (pause) method. The pause method of communication
between modules determines how the module sends pause frames. The module
sends pause frames when it becomes overwhelmed with data. The CSS module
and its link partner must be configured with the same pause method.
Use the phy command to manually configure the interface (port) duplex and
speed to one of the following settings:
• phy 10Mbits-FD - Set the FEM port to 10 Mbits per second and full-duplex.
• phy 10Mbits-HD - Set the FEM port to 10 Mbits per second and half-duplex.
• phy 100Mbits-FD - Set the FEM port to 100 Mbits per second and
full-duplex.
• phy 100Mbits-HD - Set the FEM port to 100 Mbits per second and
half-duplex.
• phy auto-negotiate - Resets the FEM or GEM port to automatically negotiate
speed or pause method, respectively, and duplex (default).
• phy 1Gbits-FD-asym - Set the GEM port to full duplex mode with
asymmetric pause toward the link partner.
• phy 1Gbits-FD-no-pause - Set the GEM port to full duplex mode with no
pause.
• phy 1Gbits-FD-sym - Set the GEM port to full duplex mode with symmetric
pause.
• phy 1Gbits-FD-sym-asym - Set the GEM port to full duplex mode with
asymmetric and symmetric pause toward the local device.
For example, to set interface e1 to 100 Mbps and half-duplex, enter:
(config-if[e1])# phy 100Mbits-HD


Setting the Interface Maximum Idle Time


Use the max-idle command as a troubleshooting tool to verify an interface’s
ability to receive traffic. If the interface does not receive traffic within the
configured idle time, the CSS reinitializes it automatically.
Set the idle time to a value greater than the interval over which the interface is not
receiving traffic. For example, if the interface receives traffic every 90 seconds,
set the idle time to a value greater than 90 seconds. If you set the idle time to less
than 90 seconds, the CSS would continuously reinitialize the interface before the
interface was able to receive traffic.
Enter the idle time from 15 to 65535 seconds. The default is 0, which disables the
idle timer. For example, to set the maximum idle time for interface e7 to
180 seconds, enter:
(config-if[e7])# max-idle 180

To reset the idle time for an interface to its default value of 0, enter:
(config-if[e7])# no max-idle

Showing Interface Duplex and Speed


To show duplex and speed values for all interfaces, enter the show phy command.
For example:
(config)# show phy

To show duplex and speed value for a specific interface, enter the show phy
command and the interface name. For example:
(config)# show phy e3

Table 4-2 describes the fields in the show phy output.

Table 4-2 Field Descriptions for the show phy Command

Field              Description
Name               The name of the physical interface.
Configured Speed   The configured speed for the Ethernet interface (port) in
                   the CSS. Auto indicates that the speed is automatically
                   negotiated.
Configured Duplex  The configured duplex for the Ethernet interface (port) in
                   the CSS. Auto indicates that the duplex is automatically
                   negotiated.
Actual Speed       The actual speed for the Ethernet interface (port) in the
                   CSS.
Actual Duplex      The actual duplex for the Ethernet interface (port) in the
                   CSS.
Link               The link status, up or down.
Rev                Revision number of the chip.
Partner Auto       Whether or not auto-negotiation is available on the link
                   partner.

Bridging an Interface to a VLAN


To bridge an interface to a VLAN, use the bridge vlan command to specify a
virtual local area network (VLAN) and associate it with the specified interface
port. Enter an integer from 1 to 4094 as the VLAN identifier. The default is 1. All
interfaces are assigned to VLAN1 by default.

Note The CSS 11050 and CSS 11150 both support a maximum of 16
VLANs. The CSS 11800 supports a maximum of 128 VLANs.

For example, to configure e1 to VLAN2, enter:


(config-if[e1])# bridge vlan 2

Note When you enter the bridge vlan command, enter the word vlan in
lowercase letters and include a space before the VLAN number (for
example, vlan 2).


Note The CSS Gigabit Ethernet interface supports trunking interfaces to
multiple VLANs through the trunk command. The trunk command
would be used for the Ethernet interface instead of bridge vlan (and
the other associated bridge CLI commands). Refer to “Specifying
VLAN Trunking to an Interface” for details.

To restore the default VLAN1, enter:


(config-if[e7])# no bridge vlan

To display all interfaces and the VLANs to which they are configured, enter the
show circuit command. Refer to “Showing Circuits” in this chapter for
information about the show circuits command.
In the show circuit display, VLANs appear as VLAN (uppercase, with no space
before the VLAN number).

Configuring Bridge Pathcost


To set the path cost for an interface, use the bridge pathcost command. The cost
is the contribution of the interface to the overall path cost toward the spanning-tree root.
Enter an integer from 1 to 65535. The default is dynamically configured based on
the interface speed.
For example, to set a path cost of 9 for e7, enter:
(config-if[e7])# bridge pathcost 9

To restore the default path cost, enter:


(config-if[e7])# no bridge pathcost

Configuring Bridge Priority


To set the bridge priority for a port, use the bridge priority command. Enter an
integer from 0 to 255. The default is 128.
For example, to set a bridge priority of 100 for e7, enter:
(config-if[e7])# bridge priority 100


To restore the default priority of 128, enter:


(config-if[e7])# no bridge priority

Configuring Bridge State


To set the bridge state to enable or disable for an interface, use the bridge state
command. An interface is set to bridge state enable by default.
For example, to enable the bridge state for e7, enter:
(config-if[e7])# bridge state enable

To disable the bridge state for e7, enter:


(config-if[e7])# bridge state disable

Specifying VLAN Trunking to an Interface


To activate VLAN trunking for a CSS Gigabit Interface, use the trunk command
and specify all VLANs that are to include the specified port as part of the VLAN.
The trunk command also converts the link into a trunk link. To specify the
number of each VLAN that is to be associated with the Gigabit Interface, use the
vlan command. Enter an integer from 1 to 4094 as the VLAN identifier.

Note The CSS 11050 and CSS 11150 both support a maximum of 16
VLANs. The CSS 11800 supports a maximum of 128 VLANs.

Note The CSS software has a dependency when using the trunk
command. For trunking to be enabled, all VLAN bridging
commands for any active VLAN must first be disabled for the
Gigabit Interface by using the no bridge vlan, no bridge priority,
no bridge state, and no bridge pathcost commands. If you do not
disable VLAN bridging on an interface, the CSS software instructs
you to do so.


Note When you enter the trunk command, enter the word vlan in
lowercase letters and include a space before the VLAN number (for
example, vlan 2).

For example, to configure gigabit ethernet port 1 in slot 1 for use in VLAN2,
VLAN3, and VLAN9, enter:
CSS11800(config-if[1/1])# trunk
CSS11800(config-if[1/1])# vlan 2
Create VLAN<2>, [y/n]:y
CSS11800(config-if-vlan[1/1-2])# vlan 3
Create VLAN<3>, [y/n]:y
CSS11800(config-if-vlan[1/1-3])# vlan 9
Create VLAN<9>, [y/n]:y
CSS11800(config-if-vlan[1/1-9])#

Every time you enter a vlan command for a new VLAN, the software
automatically prompts you to create the specified VLAN (where y instructs the
software to create the VLAN and n cancels the VLAN creation).
To disable trunking on the specified Gigabit Interface and associated VLANs,
enter:
(config-trunkif[2/3])# no trunk

The no trunk command turns off all trunking, removes all specified vlan
commands associated with the interface, and deletes this information from the
running configuration. The interface is returned to VLAN1 by default.
To display all interfaces and the VLANs to which they are configured, enter the
show circuit command. Refer to Table 4-9 for information about the show
circuits command.

Note In the show circuit display, VLANs appear as VLAN (uppercase,
with no space before the VLAN number). For an interface that has
trunking enabled, a “-n” (where n is the associated VLAN number)
is appended to the prefix. In this example, 1/4-1 indicates slot 1,
port 4, VLAN1.


Selecting a Default VLAN in a Trunk


To define a default VLAN that has the capability to accept packets that arrive
untagged on the interface, include the default-vlan command as part of the
trunk/VLAN definition. The command also specifies that the packets transmitted
from this VLAN will be untagged. The default VLAN must be explicitly set if you
want untagged packets to be processed by the CSS. Otherwise these packets will
be discarded.
The default-vlan command can only be specified for a single VLAN. If you
attempt to use this command for another VLAN, the software instructs you to
disable the current default VLAN (using the no default-vlan command).
For example, enter:
CSS11800(config-if[1/1])# trunk
CSS11800(config-if[1/1])# vlan 2
Create VLAN<2>, [y/n]:y
CSS11800(config-if-vlan[1/1-2])# vlan 3
Create VLAN<3>, [y/n]:y
CSS11800(config-if-vlan[1/1-3])# default-vlan

To remove the default VLAN selection, enter:


CSS11800(config-if-vlan[1/1-3])# no default-vlan
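
The trunk rules from this section and the previous one, modelled as an added example (not Cisco code and not part of the original guide): it replays a CLI transcript in the prompt format shown above and reports which VLAN, if any, accepts untagged frames on each port. The transcript is constructed; rejecting a vlan command on a non-trunk port and treating a non-trunk port as an untagged member of its bridge VLAN are assumptions of the model.

```python
import re

# Prompt and confirmation shapes as printed in this guide's examples.
PROMPT = re.compile(r"^\S*\((config-[a-z-]+)\[([^\]]+)\]\)#\s*(.*)$")
CREATE = re.compile(r"^Create VLAN<(\d+)>, \[y/n\]:\s*([yn])", re.I)


class Port:
    def __init__(self):
        self.trunk = False
        self.vlans = []           # VLANs carried by the trunk, in entry order
        self.default_vlan = None  # the single VLAN that accepts untagged frames
        self.bridge = {}          # interface-level bridge commands still configured


def replay(transcript):
    """Replay a CLI transcript; return ({interface: Port}, [(command, reason)])."""
    ports, rejected, pending = {}, [], None
    for raw in transcript.strip().splitlines():
        line = raw.strip()
        answer = CREATE.match(line)
        if answer:
            # Answering n cancels creation of the VLAN that was just requested.
            if pending and answer.group(2).lower() == "n":
                pending[0].vlans.remove(pending[1])
            pending = None
            continue
        m = PROMPT.match(line)
        if not m:
            continue
        mode, ctx, cmd = m.groups()
        words = cmd.split()
        negate = bool(words) and words[0] == "no"
        words = words[1:] if negate else words
        if not words:
            continue
        in_vlan_mode = mode == "config-if-vlan"
        # A VLAN-mode prompt reads [slot/port-vlan], for example [1/1-3].
        ifname, _, ctx_vlan = ctx.rpartition("-") if in_vlan_mode else (ctx, "", "")
        port = ports.setdefault(ifname, Port())
        if words == ["trunk"]:
            if negate:  # no trunk removes every vlan command; port returns to VLAN1
                port.trunk, port.vlans, port.default_vlan = False, [], None
            elif port.bridge:  # bridge commands must be disabled before trunk
                rejected.append((cmd, "first disable: bridge " + ", ".join(sorted(port.bridge))))
            else:
                port.trunk = True
        elif words[0] == "vlan" and len(words) == 2 and words[1].isdigit() and not negate:
            vlan = int(words[1])
            if not port.trunk:  # assumption: the guide only shows vlan after trunk
                rejected.append((cmd, "interface is not a trunk"))
            elif not 1 <= vlan <= 4094:
                rejected.append((cmd, "VLAN identifier must be 1 to 4094"))
            elif vlan not in port.vlans:
                port.vlans.append(vlan)
                pending = (port, vlan)
        elif words == ["default-vlan"] and in_vlan_mode and ctx_vlan.isdigit():
            vlan = int(ctx_vlan)
            if negate:
                if port.default_vlan == vlan:
                    port.default_vlan = None
            elif port.default_vlan not in (None, vlan):  # only one default VLAN per trunk
                rejected.append((cmd, f"VLAN{port.default_vlan} is already the default VLAN"))
            else:
                port.default_vlan = vlan
        elif words[0] == "bridge" and len(words) >= 2 and not in_vlan_mode:
            if negate:
                port.bridge.pop(words[1], None)
            else:
                port.bridge[words[1]] = " ".join(words[2:])
    return ports, rejected


def untagged_vlan(port):
    """VLAN that processes an untagged frame arriving on the port; None means discarded."""
    if port.trunk:
        return port.default_vlan  # trunk without a default VLAN discards untagged frames
    return int(port.bridge.get("vlan") or 1)  # assumption: non-trunk port, VLAN1 by default


# Constructed transcript, written in the style of the guide's examples.
TRANSCRIPT = """
CSS11800(config-if[1/1])# bridge vlan 2
CSS11800(config-if[1/1])# trunk
CSS11800(config-if[1/1])# no bridge vlan
CSS11800(config-if[1/1])# trunk
CSS11800(config-if[1/1])# vlan 2
Create VLAN<2>, [y/n]:y
CSS11800(config-if-vlan[1/1-2])# vlan 3
Create VLAN<3>, [y/n]:y
CSS11800(config-if-vlan[1/1-3])# default-vlan
CSS11800(config-if-vlan[1/1-3])# vlan 2
CSS11800(config-if-vlan[1/1-2])# default-vlan
CSS11800(config-if[1/2])# trunk
CSS11800(config-if[1/2])# vlan 9
Create VLAN<9>, [y/n]:y
"""

if __name__ == "__main__":
    ports, rejected = replay(TRANSCRIPT)
    for name, port in ports.items():
        vlan = untagged_vlan(port)
        print(name, "trunk" if port.trunk else "bridged", port.vlans,
              "untagged ->", f"VLAN{vlan}" if vlan else "discarded")
    for cmd, reason in rejected:
        print("rejected:", cmd, "-", reason)
```

Port 1/2 in the sample is the case to look for when reviewing a configuration: a trunk with no default VLAN discards every untagged frame it receives.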

Configuring Bridge Pathcost for a Trunked Interface/VLAN Pair


To set the spanning-tree port path cost for a given interface/VLAN pair, use the
bridge pathcost command. The cost is the contribution of the given
interface/VLAN pair to the overall path cost toward the spanning-tree root. Enter an
integer from 1 to 65535. The default is dynamically configured based on the link
speed.
For example, to set a path cost of 2 for slot 1, port 1, VLAN3, enter:
CSS11800(config-if-vlan[1/1-3])# bridge pathcost 2

To restore the default path cost, enter:


CSS11800(config-if-vlan[1/1-3])# no bridge pathcost


Configuring Bridge Priority for a Trunked Interface/VLAN Pair


To set the spanning-tree bridge priority for a given interface/VLAN pair, use the
bridge priority command. Enter an integer from 0 to 255. The default is 128.
For example, to set a bridge priority of 100 for slot 1, port 1, VLAN3, enter:
CSS11800(config-if-vlan[1/1-3])# bridge priority 100

To restore the default priority of 128, enter:


CSS11800(config-if-vlan[1/1-3])# no bridge priority

Configuring Bridge State for a Trunked Interface/VLAN Pair


To set the bridge state to enable or disable for a given interface/VLAN pair, use
the bridge state command. An interface is set to bridge state enable by default.
For example, to enable the bridge state for slot 1, port 1, VLAN3, enter:
CSS11800(config-if-vlan[1/1-3])# bridge state enable

To disable the bridge state for slot 1, port 1, located in VLAN3, enter:
CSS11800(config-if-vlan[1/1-3])# bridge state disable

Configuring the Low-Water Mark of Flow Control Blocks on an Interface

Use the fcb-lowwater command to configure the low-water mark of flow control
blocks (FCBs) on the interface. The low-water mark is the percentage of the total
number of FCBs available. If the number of FCBs available on a port goes below
the low-water mark, then aggressive flow recovery occurs.
The syntax for this interface mode command is:
fcb-lowwater percentage
Enter the percentage of the total number of available FCBs as a number from
1 to 100. The default is 25%.
To reset the percentage of available FCBs to its default of 25, enter:
(config-if[e7])# no fcb-lowwater


Smoothing Bursty Network Traffic on the CSS 11800 Gigabit Ethernet Module

Use the gem-traffic-bursty global configuration mode command to smooth
bursty traffic on Gigabit Ethernet Modules (GEMs) in the CSS 11800 for
applications sensitive to packet loss. Traffic burstiness is the occurrence of
extreme amounts of traffic for a short period of time (when traffic bursts over a
rate of 16 Gbps for short intervals). During extremely heavy traffic loads, when a
single GEM port has greater than one gigabit per second of incoming network
traffic, substantial packet loss can occur. This condition can easily occur when a
group of servers attached to multiple ports send traffic simultaneously to a single
client uplink port.
If the traffic load at the client uplink port is at a rate close to a gigabit per second
with occasional bursts of greater than one gigabit per second, you can use the
gem-traffic-bursty command to reduce overall packet loss. This command can
greatly reduce packet loss for applications sensitive to this condition, for
example, video and audio streaming applications.
If the traffic load at the client uplink port remains at a constant rate greater than
one gigabit per second, you may need to perform a network reconfiguration, for
example, configure an additional client uplink port. You should not use the
gem-traffic-bursty command to solve the problem.

Note When you issue the gem-traffic-bursty command, it applies to all
GEM modules in the CSS 11800 chassis (installed prior to and after
you issue the command).

To smooth bursty traffic on the GEMs in a CSS 11800, enter:


(config)# gem-traffic-bursty

To reset the default traffic handling behavior on the GEM, enter:


(config)# no gem-traffic-bursty


Showing Bridge Configurations


The CSS enables you to show bridging information. To display this information,
use the show bridge command.
The syntax for this interface mode command is:
show bridge [forwarding|status] {vlan_number}
The options and variables are:
• forwarding - Displays the bridge forwarding table including the VLAN
number, the MAC addresses, and port numbers.
• status - Displays the bridge spanning-tree status including the STP state,
designated root, bridge ID, and root maximum age, hello time and forward
delay, and port information including state, VLAN, root and port cost, and
designated root and port number.
• vlan_number - Displays the forwarding table or spanning tree status for the
specified VLAN number. To see a list of VLAN numbers, enter show bridge
[forwarding|status] ?
Table 4-3 describes the fields in the show bridge forwarding output.

Table 4-3 Field Descriptions for the show bridge forwarding Command

Field         Description
VLAN          The bridge interface virtual LAN number
MAC Address   The MAC address for the entries
Port Number   The port number for the forwarding

To display bridge status information, use the show bridge status command.

Note To display bridge forwarding or bridge status for a specific VLAN
in the CSS, enter the show bridge forwarding or show bridge
status command with the VLAN number. Typing the show bridge
command with a VLAN number returns a list of available VLANs.


Table 4-4 describes the fields in the show bridge status output.

Table 4-4 Field Descriptions for the show bridge status Command

Field              Description
STP State          The state of the spanning-tree protocol, enabled or disabled.
Root Max Age       The timeout period in seconds of the host for timing out root
                   information.
Root Hello Time    The interval in seconds that the root broadcasts its hello
                   message to other switches.
Root Fwd Delay     The delay time in seconds that the root uses for forward
                   delay.
Designated Root    The bridge ID for the designated root.
Bridge ID          The bridge ID of this bridge.
Port               The port ID.
State              The state of the port. The possible states are:
                   • Block, the blocking state. A port enters the blocking
                     state after switch initialization. The port does not
                     participate in frame forwarding.
                   • Listen, the listening state. This state is the first
                     transitional state a port enters after the blocking state.
                     The port enters this state when STP determines that the
                     port should participate in frame forwarding.
                   • Learn, the learning state. The port enters the learning
                     state from the listening state. The port in the learning
                     state prepares to participate in frame forwarding.
                   • Forward, the forwarding state. The port enters the
                     forwarding state from the learning state. A port in the
                     forwarding state forwards frames.
                   • Disabled, the disabled state. A port in the disabled state
                     does not participate in frame forwarding or STP. A port
                     in the disabled state is non operational.
Designated Bridge  The bridge ID for the designated bridge.
Designated Root    The bridge ID for the designated root.
Root Cost          The cost of the root.
Port Cost          The cost of the port.
Desg Port          Designated port.

Showing Trunking Configurations


The CSS enables you to show VLAN trunk status information for a Gigabit
Ethernet port. To display this information, use the show trunk command.
Table 4-5 describes the fields in the show trunk output.

Table 4-5 Field Description for the show trunk Command

Field     Description
Port      The CSS port
VLAN      The VLAN on the port
Default   The configured default VLAN on the port (if there is not
          a configured default VLAN, “None” appears in this
          field)

Showing Interfaces
To display a list of valid interfaces for the CSS, use the show interface command.
For example:
(config)# show interface

To only display information for a specific interface, enter the show interface
command and the interface name.
(config)# show interface e7


Table 4-6 describes the fields in the show interface output.

Table 4-6 Field Descriptions for the show interface Command

Field         Description
Name          The name of the interface.
ifIndex       The ifIndex for the interface.
Type          The type of interface. The possible types include:
              • fe - Fast Ethernet interface
              • ge - Gigabit Ethernet interface
              • console - console interface
Oper          Operational state, up or down.
Admin         Administration state, up or down.
Last Change   The date of the last state change.

Showing Interface Statistics


To display the extended 64-bit MIB-II statistics for a specific interface or all
interfaces in the CSS, use the show mibii command. The Enterprise ap64Stats
MIB defines these statistics. To display the RFC1213 32-bit statistics, include the
-32 suffix.
To display extended MIB-II statistics for a specific interface in the CSS, enter the
show mibii command with the interface name. To see a list of interfaces in the
CSS, enter show mibii ?.
Table 4-7 describes the fields in the show mibii output.


Table 4-7 Field Descriptions for the show mibii Command

Field            Description
MAC              The interface's address at the protocol layer immediately
                 below the network layer in the protocol stack. For interfaces
                 that do not have such an address (for example, a serial line),
                 this object should contain an octet string of zero length.
Administrative   The desired state of the interface (Enabled, Disabled, or
                 Testing). The testing state indicates that no operational
                 packets can be passed.
MTU              The size of the largest datagram that can be sent or received
                 on the interface, specified in octets. For interfaces that are
                 used for transmitting network datagrams, this is the size of
                 the largest network datagram that can be sent on the interface.
In Octets        The total number of octets received on the interface,
                 including framing characters.
In Unicast       The number of subnetwork-unicast packets delivered to a
                 higher-layer protocol.
In Multicast     The number of non-unicast (for example,
                 subnetwork-broadcast or subnetwork-multicast) packets
                 delivered to a higher-layer protocol.
In Errors        The number of inbound packets that contained errors
                 preventing them from being deliverable to a higher-layer
                 protocol.
In Discards      The number of inbound packets that were chosen to be
                 discarded even though no errors had been detected to prevent
                 their being deliverable to a higher-layer protocol. One
                 possible reason for discarding such a packet could be to free
                 up buffer space.
In Unknown       The number of packets received over the interface that were
                 discarded because of an unknown or unsupported protocol.
Last Change      The value of sysUpTime at the time the interface entered its
                 current operational state. If the state has not changed since
                 the time the CSS came up, the sysUpTime is when the port
                 was initialized.
Operational      The current operational state of the interface (Up, Down, or
                 Testing). The Testing state indicates that no operational
                 packets can be passed.
Speed            An estimate of the interface's current bandwidth in bits per
                 second. For interfaces that do not vary in bandwidth or for
                 those where no accurate estimation can be made, this object
                 should contain the nominal bandwidth.
Queue Len        The length of the output packet queue (in packets).
Out Octets       The total number of octets transmitted out of the interface,
                 including framing characters.
Out Unicast      The total number of packets that higher-level protocols
                 requested be transmitted to a subnetwork-unicast address,
                 including those that were discarded or not sent.
Out Multicast    The total number of packets that higher-level protocols
                 requested be transmitted to a non-unicast (for example, a
                 subnetwork-broadcast or subnetwork-multicast) address,
                 including those that were discarded or not sent.
Out Errors       The number of outbound packets that could not be
                 transmitted because of errors.
Out Discards     The number of outbound packets that were chosen to be
                 discarded even though no errors had been detected to prevent
                 their being transmitted. One possible reason for discarding
                 such a packet could be to free up buffer space.

To clear interface statistics, use the clear statistics command in SuperUser mode.
For example:
# clear statistics


Showing Ethernet Interface Errors


To list the errors on an Ethernet interface, use the show ether-errors command
and options. When required, enter the interface name as a case-sensitive unquoted
text string. To see a list of interfaces, enter show ether-errors ?.
The command provides the following options:
• show ether-errors - Display the extended 64-bit statistics for errors on all
Ethernet interfaces in the CSS. The Enterprise ap64Stats MIB defines these
statistics.
• show ether-errors interface name - Display the extended 64-bit statistics for
errors on a specific Ethernet interface in the CSS. The Enterprise ap64Stats
MIB defines these statistics. Enter the interface name as a case-sensitive
unquoted text string.
• show ether-errors zero - Display the Ethernet errors for all Ethernet
interfaces in the CSS and reset the statistics to zero upon retrieval.
• show ether-errors zero interface name - Display the Ethernet errors for the
specified Ethernet interface in the CSS and reset the statistics to zero upon
retrieval. Enter the interface name as a case-sensitive unquoted text string.
• show ether-errors-32 - Display the RFC1398 32-bit statistics (include the
-32 suffix).
• show ether-errors-32 interface name - Display the RFC1398 32-bit
statistics (include the -32 suffix). Enter the interface name as a
case-sensitive unquoted text string.
Table 4-8 describes the fields in the show ether-errors output.

Table 4-8 Field Descriptions for the show ether-errors Command

Field                  Description
Alignment              The number of frames with alignment errors (frames that
                       do not end with a whole number of octets and have a bad
                       CRC) received on the interface.
FCS                    The number of frames received on the interface that are an
                       integral number of octets in length but do not pass the FCS
                       check.
Single Collision       The number of successfully transmitted frames on the
                       interface for which transmission is inhibited by exactly one
                       collision.
Multiple Collisions    The number of successfully transmitted frames on the
                       interface for which transmission is inhibited by more than
                       one collision.
SQE Test               The number of times that the SQE TEST ERROR message
                       is generated.
Deferred Tx            The number of frames for which the first transmission
                       attempt on the interface is delayed because the medium is
                       busy.
                       The count represented by an instance of this object does not
                       include frames involved in collisions.
Internal RX Errors     The number of frames for which reception on the interface
                       fails due to an internal MAC sublayer receive error.
Frame too Long         The number of frames received on the interface that exceed
                       the maximum permitted frame size.
Carrier Sense Errors   The number of times that the carrier sense condition was
                       lost or never asserted when attempting to transmit a frame
                       on the interface.
Internal Tx Errors     The number of frames for which transmission on the
                       interface fails due to an internal MAC sublayer transmit
                       error.
Excessive Collisions   The number of frames for which transmission on the
                       interface fails due to excessive collisions.
Late Collisions        The number of times that a collision is detected on the
                       interface later than 512 bit-times into the transmission of a
                       packet.


Shutting Down an Interface


To shut down an interface, use the admin-shutdown command in interface mode.

Caution Shutting down an interface terminates all connections to the
interface.

For example, to shut down interface e3, enter:


(config-if[e3])# admin-shutdown physical

Note If you configure the redundancy-phy command on an interface and
then disable the interface using the admin-shutdown command, the
master CSS fails over to the backup CSS. To prevent the CSS from
failing over when you administratively disable the interface, remove
the redundancy-phy command by entering no redundancy-phy
before you enter the admin-shutdown command on that interface.

Restarting the Interface


To restart the interface, enter the no admin-shutdown command. For example, to
restart interface e3, enter:
(config-if[e3])# no admin-shutdown physical

Shutting Down All Interfaces


To shut down all interfaces simultaneously, use the admin-shutdown command
at the SuperUser prompt. This command provides a quick way to shut down all
physical devices in the CSS except the Console and Management ports.

Caution Shutting down an interface terminates all connections to the
interface.

To shut down all interfaces, enter:


# admin-shutdown


Note To shut down one interface, use the admin-shutdown command in
interface mode. Refer to the “Shutting Down an Interface” section
described previously in this chapter.

Restarting All Interfaces


To restart all interfaces, enter:
# no admin-shutdown

Configuring Circuits
A circuit on the CSS is a logical entity that maps IP interfaces to a logical port or
group of logical ports (for example, a VLAN). Each VLAN circuit requires an IP
address. Assigning an IP address to each VLAN circuit allows the CSS to route
Ethernet interfaces from VLAN to VLAN.
To enter a specific circuit configuration mode, enter the circuit command and
VLAN as shown in the following example:
(config)# circuit VLAN7
(config-circuit[VLAN7])#

Note When you use the circuit command, enter the word ‘VLAN’ in
uppercase letters and do not include a space between VLAN and the
VLAN number (for example, VLAN7).

You can configure the following settings for a circuit:


• router-discovery lifetime - Configure router discovery lifetime
• router-discovery limited-broadcast - Transmit router discovery packets
using 224.0.0.1
• router-discovery max-advertisement-interval - Configure router discovery
maximum advertisement interval timer
• router-discovery min-advertisement-interval - Configure router discovery
minimum advertisement interval timer


Note The CSS allows you to enable router discovery and define a router
discovery preference for each interface. To enable router discovery
and define a preference per interface, refer to the sections “Enabling
Router-Discovery” and “Configuring Router-Discovery
Preference”, respectively, later in this chapter.

Configuring Router-Discovery Lifetime


To configure the maximum age in seconds that hosts remember router
advertisements, use the router-discovery lifetime command with an integer
between 0 and 9000 seconds. The default is 3 x the max-advertisement-interval.
For example:
(config-circuit[VLAN7])# router-discovery lifetime 600

To reset the time to the default of 3 x the max-advertisement-interval, enter:


(config-circuit[VLAN7])# no router-discovery lifetime

Configuring Router-Discovery Limited-Broadcast


To transmit router discovery packets using the broadcast address
255.255.255.255, use the router-discovery limited-broadcast command. The
default is 224.0.0.1. For example:
(config-circuit[VLAN7])# router-discovery limited-broadcast

To revert to the default of 224.0.0.1, enter:


(config-circuit[VLAN7])# no router-discovery limited-broadcast


Configuring Router-Discovery Max-Advertisement-Interval


To configure router discovery maximum advertisement interval, use the
router-discovery max-advertisement-interval command. The maximum value
defines the interval between advertisements in seconds. Enter an integer from 4
to 1800. The default is 600 (10 minutes). For example:
(config-circuit[VLAN7])# router-discovery max-advertisement-interval 300

To restore router discovery maximum advertisement interval to the default of 600,
enter:
(config-circuit[VLAN7])# no router-discovery max-advertisement-interval

Configuring Router-Discovery Min-Advertisement-Interval


To configure router discovery minimum advertisement interval timers, use the
router-discovery min-advertisement-interval command. The minimum value
defines the minimum interval between advertisements in seconds. Enter an
integer from 0 to 1800.
The default is 0.75 x the max-advertisement-interval. If this value is greater than
0, it must be less than the maximum value.
For example:
(config-circuit[VLAN7])# router-discovery min-advertisement-interval 100

To reset the minimum router advertisement interval to the default of 0.75 x the
maximum advertisement value, enter:
(config-circuit[VLAN7])# no router-discovery min-advertisement-interval
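
An added example, not part of the original guide: a check that resolves the router-discovery defaults described in the four sections above for each circuit and flags values that break the stated ranges or the min/max relation. The transcript is constructed and assumes one command per line; the warning for a lifetime shorter than the maximum advertisement interval comes from RFC 1256, not from this guide.

```python
import re

PROMPT = re.compile(r"^\S*\(config-circuit\[([^\]]+)\]\)#\s*(.+)$")
RANGES = {  # value ranges stated in this guide, in seconds
    "lifetime": (0, 9000),
    "max-advertisement-interval": (4, 1800),
    "min-advertisement-interval": (0, 1800),
}


def router_discovery(transcript):
    """Return ({circuit: effective settings}, [(circuit, finding)])."""
    explicit, findings = {}, []
    for line in transcript.strip().splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        circuit, words = m.group(1), m.group(2).split()
        negate = words[0] == "no"
        words = words[1:] if negate else words
        if len(words) < 2 or words[0] != "router-discovery":
            continue
        cfg = explicit.setdefault(circuit, {})
        key, args = words[1], words[2:]
        if negate:
            cfg.pop(key, None)  # the no form restores the default
        elif key == "limited-broadcast":
            cfg[key] = True
        elif key in RANGES:
            lo, hi = RANGES[key]
            if len(args) == 1 and args[0].isdigit() and lo <= int(args[0]) <= hi:
                cfg[key] = int(args[0])
            else:
                findings.append((circuit, f"{key} {' '.join(args)}: expected {lo}-{hi}"))

    settings = {}
    for circuit, cfg in explicit.items():
        # Defaults from the guide: max 600, min 0.75 x max, lifetime 3 x max.
        max_i = cfg.get("max-advertisement-interval", 600)
        min_i = cfg.get("min-advertisement-interval", 0.75 * max_i)
        life = cfg.get("lifetime", 3 * max_i)
        if min_i > 0 and min_i >= max_i:
            findings.append((circuit, f"min interval {min_i} must be less than max {max_i}"))
        if life < max_i:
            # RFC 1256: the lifetime must be no less than the maximum interval,
            # otherwise hosts age the router out between advertisements.
            findings.append((circuit, f"lifetime {life} is shorter than max interval {max_i}"))
        settings[circuit] = {
            "max": max_i,
            "min": min_i,
            "lifetime": life,
            "destination": "255.255.255.255" if cfg.get("limited-broadcast") else "224.0.0.1",
        }
    return settings, findings


# Constructed transcript in the prompt format used by this guide.
TRANSCRIPT = """
(config-circuit[VLAN7])# router-discovery lifetime 600
(config-circuit[VLAN7])# router-discovery max-advertisement-interval 300
(config-circuit[VLAN7])# router-discovery min-advertisement-interval 100
(config-circuit[VLAN8])# router-discovery max-advertisement-interval 1200
(config-circuit[VLAN8])# router-discovery lifetime 900
(config-circuit[VLAN8])# router-discovery limited-broadcast
(config-circuit[VLAN9])# router-discovery max-advertisement-interval 80
(config-circuit[VLAN9])# router-discovery min-advertisement-interval 100
(config-circuit[VLAN9])# router-discovery lifetime 9500
"""

if __name__ == "__main__":
    settings, findings = router_discovery(TRANSCRIPT)
    for circuit, values in settings.items():
        print(circuit, values)
    for circuit, finding in findings:
        print("check", circuit + ":", finding)
```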

Showing Circuits
To show circuit information, use the show circuits command. A circuit on the
CSS is a logical entity that maps IP interfaces to a logical port or group of logical
ports.


This command provides the following options:


• show circuits - Display all circuit information for circuits that are currently
up
• show circuits all - Display all circuit information regardless of circuit state
• show circuits name circuit name - Display circuit information for a specific
circuit regardless of state
To list all circuits and their interfaces in the Up state, enter:
# show circuits

To list all circuits and their interfaces regardless of their state, enter:
# show circuits all

To list an individual circuit, enter:


# show circuits name VLAN5

Table 4-9 describes the fields in the show circuits output.

Table 4-9 Field Descriptions for the show circuits Command

Field                Description
Circuit Name         The circuit name. Note that in the show circuit output, VLANs
                     appear as VLAN (uppercase, with no space before the VLAN
                     number).
Circuit State        The state of the circuit. The possible states are:
                     • active-ipEnabled
                     • down-ipEnabled
                     • active-ipDisabled
                     • down-ipDisabled
IP Address           IP interface address.
Interface(s)         The interface associated with the circuit.
Operational Status   The operational status of the interface. The possible states are:
                     • Up
                     • Down


Configuring a Circuit IP Interface


A circuit on the CSS is a logical entity that maps IP interfaces to a logical port or
group of logical ports (for example, a VLAN). Each VLAN circuit requires an IP
address. Assigning an IP address to each VLAN circuit allows the CSS to route
Ethernet interfaces from VLAN to VLAN.
To enter a specific circuit configuration mode, enter the circuit command and
VLAN as shown in the following example:
(config)# circuit VLAN7
(config-circuit[VLAN7])#

Note When you use the circuit command, enter the word ‘VLAN’ in
uppercase letters and do not include a space between VLAN and the
VLAN number (for example, VLAN7).

The following sections describe how to define a circuit IP address.


• Configuring a Circuit IP Address
• Configuring a Circuit-IP Broadcast Address
• Configuring Circuit-IP Redirects
• Configuring Circuit-IP Unreachables
• Enabling Router-Discovery
• Configuring Router-Discovery Preference
• Enabling a Circuit IP
• Disabling a Circuit IP
• Showing IP Interfaces

Configuring a Circuit IP Address


To assign an IP address to a circuit, use the ip address command from the specific
circuit mode. Enter the IP address and a subnet mask in CIDR bitcount notation
or a mask in dot-decimal notation. The subnet mask range is 8 to 31.
For example, to configure an IP address and subnet mask for VLAN7, enter:
(config-circuit[VLAN7])# ip address 173.3.6.58/8


When you specify an IP address, the mode changes to the specific
circuit-ip-VLAN-IP address as shown:
(config-circuit-ip[VLAN7-173.3.6.58])#

To remove a local IP address from a circuit, enter the following command from
the circuit mode:
(config-circuit[VLAN7])# no ip address

Configuring a Circuit-IP Broadcast Address


To change the broadcast address associated with a circuit, use the broadcast
command. If you leave the broadcast address at zero, the all-ones host is used for
numbered interfaces.
The default broadcast address is an all-ones host address (for example, an IP
address 173.3.6.58/24 has a broadcast address of 173.3.6.58/255). This command
is available in IP configuration mode.
For example, to change the broadcast address on circuit VLAN7, enter:
(config-circuit-ip[VLAN7-173.3.6.58])# broadcast 0.0.0.0

To reset the broadcast IP address to the default all-ones host address, enter:
(config-circuit-ip[VLAN7-173.3.6.58])# no broadcast

Configuring Circuit-IP Redirects


To enable the transmission of Internet Control Message Protocol (ICMP) redirect
messages, use the redirects command. The default state is enabled.
For example:
(config-circuit-ip[VLAN7-173.3.6.58])# redirects

To disable the transmission of ICMP redirect messages, enter:


(config-circuit-ip[VLAN7-173.3.6.58])# no redirects


Configuring Circuit-IP Unreachables


To enable the transmission of ICMP “destination unreachable” messages, use the
unreachables command. The default state is enabled.
For example:
(config-circuit-ip[VLAN7-173.3.6.58])# unreachables

To disable the transmission of ICMP “destination unreachable” messages, enter:


(config-circuit-ip[VLAN7-173.3.6.58])# no unreachables

Enabling Router-Discovery
To enable router discovery for an interface, use the router-discovery command.
When enabled, router discovery transmits packets with a multicast address of
244.0.0.1. To enable an interface to transmit packets with a multicast address of
255.255.255.255, use the router-discovery limited-broadcast command in
circuit mode (see “Configuring Router-Discovery Limited-Broadcast”, earlier in
this chapter). Router discovery is disabled by default.
For example:
(config-circuit-ip[VLAN7-192.168.1.58])# router-discovery

To disable router discovery, enter:


(config-circuit-ip[VLAN7-192.168.1.58])# no router-discovery

Configuring Router-Discovery Preference


To configure the router discovery preference value, use the router-discovery
preference command and a value to define the router preference value to
advertise. The value is an integer from 0 (default) to 65535. If you use the default
value, you do not need to use this command.
For example:
(config-circuit-ip[VLAN7-192.168.1.58])# router-discovery preference 100


To restore the router discovery preference value to the default of 0, enter:


(config-circuit-ip[VLAN7-192.168.1.58])# no router-discovery preference

Enabling a Circuit IP
To enable the IP interface on a circuit, use the enable command. The default is
enable.
For example:
(config-circuit-ip[VLAN7-173.3.6.58])# enable

Disabling a Circuit IP
To disable the IP interfaces on a circuit, enter:
(config-circuit-ip[VLAN7-173.3.6.58])# no enable

Showing IP Interfaces
Use the show ip interfaces command to display configured IP interfaces on the
CSS. The display includes the circuit state, IP address, broadcast address, Internet
Control Message Protocol (ICMP) settings, and Router Discovery Program (RDP)
settings.


Table 4-10 describes the fields in the show ip interfaces output.

Table 4-10 Field Descriptions for the show ip interfaces Command

Field               Description
Circuit Name        The name of the circuit associated with the IP interface.
State               The state of the IP interface. The possible states are:
                    • active (1), the interface is up
                    • disabled (2), the interface is disabled
                    • noCircuit (3), the interface is waiting for an underlying
                      circuit
IP Address          The IP address assigned to the circuit.
Network Mask        The network mask of the circuit.
Broadcast Address   The broadcast IP address associated with the IP interface.
                    If left at zero, the all-ones host is used for numbered
                    interfaces. 255.255.255.255 is always used for
                    unnumbered interfaces.
Redundancy          Indicates whether or not the redundancy protocol is
                    running on the interface. The default state is disable.
ICMP Redirect       Whether the transmission of Internet Control Message
                    Protocol (ICMP) redirect messages is enabled or disabled.
                    The default state is Enabled.
ICMP Unreachable    Whether the transmission of ICMP “destination
                    unreachable” messages is enabled or disabled. The default
                    state is enabled.
RIP                 Whether the RIP is enabled or disabled.


Configuring RIP for an IP Interface


The CSS enables you to configure Routing Information Protocol (RIP) attributes
on each IP interface. To configure RIP parameters and run RIP on an IP
interface, use the following routing commands within the specific circuit IP
mode. The default mode is to send RIP version 2 (v2) and receive either RIP or
RIP2.
You can configure the following routing options for each IP interface:
• rip - Start RIP on the IP interface
• rip default-route - Advertise a default route on this interface
• rip receive - Specify the RIP version that the IP interface receives
• rip send - Specify the RIP version that the IP interface sends
• rip log - Enables the logging of received or transmitted RIP packets
To start running RIP on an IP interface, enter:
(config-circuit-ip[VLAN7-192.168.1.58])# rip

To stop running the RIP on the interface, enter:


(config-circuit-ip[VLAN7-192.168.1.58])# no rip

Configuring RIP Default-Route


To advertise a default route on an IP interface with a specific metric, use the
rip default-route command.
You can also specify an optional metric in the command line. The CSS uses this
metric when advertising a route. Enter a number from 1 to 15. The default is 1.
For example:
(config-circuit-ip[VLAN7-192.168.1.58])# rip default-route 9


Configuring RIP Receive


To specify the RIP version that the interface receives, use the rip receive
command. The rip receive options are:
• rip receive both - Receive both RIP version 1 and RIP version 2 (default)
• rip receive none - Receive no RIP packets
• rip receive v1 - Receive RIP version 1 packets only
• rip receive v2 - Receive RIP version 2 packets only
For example:
(config-circuit-ip[VLAN7-192.168.1.58])# rip receive both

Configuring RIP Send


To specify the RIP version that the interface sends, use the rip send command.
The rip send options are:
• rip send none - Send no RIP packets
• rip send v1 - Send RIP version 1 packets only
• rip send v2 - Send RIP version 2 packets only (default)
For example:
(config-circuit-ip[VLAN7-192.168.1.58])# rip send v1


Configuring RIP Packet Logging


To enable the logging of received or transmitted RIP packets on the interface, use
the rip log command. Use the no form of this command to disable logging
(default setting). The rip log options are:
• rip log rx - Specifies that the CSS logs RIP packets received on the interface
• rip log tx - Specifies that the CSS logs RIP packets transmitted on the
interface
For example:
(config-circuit-ip[VLAN7-192.168.1.58])# rip log rx
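
As an added illustration (not part of the Cisco guide and not CSS software), the following Python sketch replays circuit IP and RIP commands from this chapter against the defaults stated above and lists the ICMP, router-discovery and RIP version 1 behaviour that ends up active on each interface. The command list, the class and function names, and the assumption that RIP stays off until rip is entered are constructed for the example; only the commands shown in the sample are handled.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed input: commands as typed in this chapter, prompts stripped.
SAMPLE = """\
circuit VLAN7
ip address 173.3.6.58/8
no redirects
no unreachables
rip
rip receive v2
rip log rx
circuit VLAN8
ip address 192.168.1.58 255.255.255.0
router-discovery
router-discovery preference 100
rip
"""

@dataclass
class CircuitIP:
    """One circuit IP interface, starting from the defaults this chapter states."""
    circuit: str
    address: ipaddress.IPv4Interface
    enabled: bool = True             # the IP interface is enabled by default
    redirects: bool = True           # ICMP redirects: enabled by default
    unreachables: bool = True        # ICMP unreachables: enabled by default
    router_discovery: bool = False   # disabled by default
    rdp_preference: int = 0          # default preference value
    rip: bool = False                # assumption: off until "rip" is entered
    rip_send: str = "v2"             # default send version
    rip_receive: str = "both"        # default receive setting
    rip_log: set = field(default_factory=set)

# One-word commands whose "no" form switches the setting off.
TOGGLES = {"enable": "enabled", "redirects": "redirects", "rip": "rip",
           "unreachables": "unreachables", "router-discovery": "router_discovery"}
RIP_VALUES = {"send": {"none", "v1", "v2"},
              "receive": {"both", "none", "v1", "v2"},
              "log": {"rx", "tx"}}

def parse_commands(text):
    """Replay command lines into CircuitIP objects; reject anything else."""
    interfaces, circuit, current = [], None, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        negate = words[0] == "no"
        words = words[1:] if negate else words
        if not words:
            raise ValueError(f"incomplete command: {line!r}")
        if words[0] == "circuit" and len(words) == 2 and not negate:
            circuit, current = words[1], None
        elif words[:2] == ["ip", "address"] and circuit and not negate:
            # Accepts CIDR bitcount ("a.b.c.d/8") or a dot-decimal mask.
            iface = ipaddress.ip_interface("/".join(words[2:4]))
            if not 8 <= iface.network.prefixlen <= 31:  # mask range from the text
                raise ValueError(f"subnet mask outside 8-31: {line!r}")
            current = CircuitIP(circuit, iface)
            interfaces.append(current)
        elif current is None:
            raise ValueError(f"not in circuit IP mode: {line!r}")
        elif len(words) == 1 and words[0] in TOGGLES:
            setattr(current, TOGGLES[words[0]], not negate)
        elif (words[:2] == ["router-discovery", "preference"]
              and (negate or len(words) == 3)):
            current.rdp_preference = 0 if negate else int(words[2])
        elif (words[0] == "rip" and len(words) == 3 and not negate
              and words[2] in RIP_VALUES.get(words[1], ())):
            if words[1] == "log":
                current.rip_log.add(words[2])
            else:
                setattr(current, "rip_" + words[1], words[2])
        else:
            raise ValueError(f"unsupported command: {line!r}")
    return interfaces

def active_behaviour(interfaces):
    """List (interface, behaviour) pairs that are active on enabled interfaces."""
    notes = []
    for i in interfaces:
        if not i.enabled:
            continue
        name = f"{i.circuit}-{i.address.ip}"  # same label the CLI prompt shows
        checks = [
            (i.redirects, "sends ICMP redirects"),
            (i.unreachables, "sends ICMP destination unreachable"),
            (i.router_discovery, "advertises router discovery"),
            (i.rip and i.rip_receive in ("both", "v1"), "accepts RIP version 1"),
        ]
        notes += [(name, text) for active, text in checks if active]
    return notes

if __name__ == "__main__":
    for name, text in active_behaviour(parse_commands(SAMPLE)):
        print(f"{name}: {text}")
```

VLAN7 produces no entries because every default was overridden explicitly; VLAN8 shows what remains in force when only router discovery and RIP are switched on.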

Showing RIP Configurations


To show a RIP configuration for one IP address or all IP addresses configured in
the CSS, use the show rip command. The command provides the following
options:
• show rip - Displays RIP configurations for all interfaces (including the
logging of RIP packets)
• show rip ip_address - Displays a single RIP interface entry
• show rip globals - Displays RIP global statistics
• show rip statistics - Displays RIP interface statistics for all interfaces
• show rip statistics ip_address - Displays RIP interface statistics for a
specific interface


Table 4-11 describes the fields in the show rip output.

Table 4-11 Field Descriptions for the show rip Command

Field            Description
IP Address       The advertised RIP interface address.
State            The operational state of the RIP interface.
RIP Send         The RIP version that the interface sends. The possible field
                 values are:
                 • none, do not send RIP packets
                 • RIPv1, send RIP version 1 packets only
                 • RIPv2, send RIP version 2 packets only (default)
RIP Recv         The RIP version that the interface receives. The possible
                 values are:
                 • both, receiving both version 1 and version 2 (default)
                 • none, receiving no RIP packets
                 • Ripv1, receiving RIP version 1 packets only
                 • Ripv2, receiving RIP version 2 packets only
Default Metric   The default metric used when advertising the RIP interface.
Tx Log           The setting for the logging of RIP packet transmissions
                 (enabled or disabled). The default setting is disabled.
Rx Log           The setting for the logging of RIP packets received (enabled
                 or disabled). The default setting is disabled.

To display global RIP statistics, enter:


# show rip globals


Table 4-12 describes the fields in the show rip globals output.

Table 4-12 Field Descriptions for the show rip globals Command

Field                 Description
RIP Route Changes     The global number of route changes made to the IP
                      route database by RIP
RIP Query Responses   The global number of query responses sent to RIP
                      query from other systems

To display the RIP interface statistics for all RIP interface entries, enter:
# show rip statistics

Table 4-13 describes the fields in the show rip statistics output.

Table 4-13 Field Descriptions for the show rip statistics Command

Field                           Description
System Route Changes            The global number of route changes made to the IP
                                route database by RIP
System Global Query Responses   The global number of query responses sent to RIP
                                query from other systems
IP Address                      The RIP interface IP address
Triggered Updates Sent          The number of triggered RIP updates sent by the
                                interface
Bad Packets Received            The number of bad RIP response packets received
                                by the interface
Bad Routes Received             The number of bad routes in valid RIP packets
                                received by the interface

Where to Go Next
For information on creating and configuring services, refer to Chapter 5,
Configuring Services.

Chapter 5
Configuring Services

This chapter describes how to configure services. This chapter also contains an
overview on the association between services, owners, and content rules.
Information in this chapter applies to all CSS models except where noted.
This chapter contains the following sections:
• Service, Owner, and Content Rule Overview
• Service Load Overview
• Configuring Load for Services
• Global Keepalive Mode
• Script Keepalives
• Script Keepalives and Upgrading WebNS Software
• Configuring Services
• Showing Service Configurations


Service, Owner, and Content Rule Overview


The CSS enables you to configure services, owners, and content rules to direct
requests for content to a specific destination service (for example, a server or a
port on a server). By configuring services, owners, and content rules, you
optimize and control how the CSS handles each request for specific content.
• A service is a destination location where a piece of content resides physically
(a local or remote server and port). You add services to content rules. Adding
a service to a content rule includes it in the resource pool that the CSS uses
for load-balancing requests for content. A service may belong to multiple
content rules.
• An owner is generally the person or company who contracts the Web hosting
service to host their Web content and allocate bandwidth as required. Owners
can have multiple content rules.
• A content rule is a hierarchical rule set containing individual rules that
describe which content (for example, .html files) is accessible by visitors to
the Web site, how the content is mirrored, on which server the content resides,
and how the CSS should process requests for the content. Each rule set must
have an owner.
The CSS uses content rules to determine:
– Where the content physically resides, whether local or remote
– Where to direct the request for content (which service or services)
– Which load balancing method to use
When a request for content is made, the CSS:
1. Uses the owner content rule to translate the owner Virtual IP address (VIP)
or domain name using Network Address Translation (NAT) to the
corresponding service IP address and port.
2. Checks for available services that match the content request.
3. Uses content rules to choose which service can best process the request for
content.
4. Applies all content rules to service the request for content (for example, load
balancing method, redirects, failover, stickiness).
Figure 5-1 illustrates the CSS service, owner, and content rule concepts.


Figure 5-1 Services, Owners, and Content Rules Concepts


Service Configuration Quick Start


Table 5-1 provides a quick overview of the steps required to configure services.
Each step includes the CLI command required to complete the task. For a
complete description of each feature and all the options associated with the CLI
commands, refer to the sections following Table 5-1.

Table 5-1 Service Configuration Quick Start

Task and Command Example


1. Enter config mode by typing config.
# config
(config)#
2. Create services. When you create a service, the CLI enters that service
mode, as shown in the command response below. To create additional
services, reenter the service command.
(config)# service serv1
(config-service[serv1])#
(config-service[serv1])# service serv2
(config-service[serv2])#
3. Assign an IP address to each service. The IP address is the actual IP address
of the server.
(config-service[serv2])#
(config-service[serv2])# ip address 10.3.6.2
(config-service[serv2])# service serv1
(config-service[serv1])# ip address 10.3.6.1
4. Activate each service.
(config-service[serv1])# active
(config-service[serv1])# service serv2
(config-service[serv2])# active
(config-service[serv2])# exit
5. Display all service configurations (optional).
(config-service[serv2])# show service summary


Service Load Overview


Server load is a mechanism to express the current load experienced by a server.
The CSS calculates load by using the variances in normalized response times from
client to server to determine a server’s load number. A server with a heavier
processing load is biased toward a larger load number.
To configure global load parameters for the eligibility and ineligibility of CSS
services, use the load reporting, load teardown-timer, and load ageout-timer
commands (discussed later in this section).
You can adjust load calculations by changing the load step size, which is the
difference in milliseconds between load numbers. The CSS can determine the
load step dynamically, or you can configure the initial load step using the global
load step command.
The load on a service has a range of 2 to 255, with an eligible load of 2 to 254. An
eligible service is an active service that can receive flows. A service with a load
of 255 is offline.
A service becomes ineligible to receive flows when its load number exceeds the
configured load threshold. The CSS uses the configured ageout timer value to
return the service to the eligible state.
For the CSS to consider the server loads as different, response times of the servers
must differ by the configured load step or greater. If the response times differ by
less than the configured load step, the CSS considers the servers to have the same
load.

Note Redirect services have load numbers associated with them, but the
load numbers are either 2 (available) or 255 (unavailable).

Figure 5-2 shows servers A, B, and C with response times of 100 ms, 1100 ms,
and 120 ms, respectively. One group of servers has load step configured to 10 ms.
The second group of servers has load step configured to 100 ms.


Figure 5-2 Load Calculation Example with Three Servers

Server Name   Normalized Response Time
serverA       100 ms
serverB       1100 ms
serverC       120 ms

Calculated load numbers:

Server    10 ms load step   100 ms load step
serverA   2                 2
serverB   102               12
serverC   4                 2

For the servers set to the 10 ms load step, the difference in response time between:
• ServerA and serverB is 1000 ms. Because this value is greater than the
configured load step of 10 ms, the CSS considers the server loads different.
• ServerA and serverC is 20 ms. Because this value is greater than the
configured load step of 10 ms, the CSS considers the server loads different.
For the servers set to 100 ms load step, the difference in response time between:
• ServerA and serverB is 1000 ms. Because this value is greater than the
configured load step of 100 ms, the CSS considers the server loads different.
• ServerA and serverC is 20 ms. Because this value is less than the configured
load step of 100 ms, the CSS considers servers A and C to have the same load.


Increasing the load step causes the load for servers to be closer to each other.
Decreasing the load step causes the load for servers to be further from each other.
To enable you to configure an accurate load threshold for a server, you can
calculate a load number for a server. To calculate a server load number:
1. Take the difference between the server with the lowest response time and the
server for which you want to determine a load number.
2. Divide the difference by the configured load step.
3. Add this number to the calculated load of the server with the lowest
response time, which is always 2.
For example, to calculate the load number for serverC with the 10 ms load step:
1. Take the difference in server response time between serverA and serverC
(20 ms).
2. Divide it by the configured load step (10 ms). The result equals 2.
3. Add 2 to serverA’s (server with lowest response time) calculated load (2) to
determine serverC’s calculated load of 4.
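
The procedure above, carried through for all three servers in Figure 5-2, as an added Python example (not part of the Cisco guide and not the CSS implementation). The function names are hypothetical; integer division is chosen because the figure gives serverC a load of 2 at the 100 ms load step, and capping the result at 254 is an assumption of this sketch.

```python
MIN_LOAD = 2                          # load of the server with the lowest response time
MAX_ELIGIBLE_LOAD = 254               # 255 means the service is offline
STEP_RANGE_MS = (10, 1_000_000_000)   # range accepted by the load step command

# Normalized response times from Figure 5-2, in milliseconds.
FIGURE_5_2 = {"serverA": 100, "serverB": 1100, "serverC": 120}


def load_numbers(response_ms, load_step_ms):
    """Map {server: response time in ms} to {server: load number}."""
    low, high = STEP_RANGE_MS
    if not low <= load_step_ms <= high:
        raise ValueError(f"load step must be {low}-{high} ms")
    fastest = min(response_ms.values())
    loads = {}
    for server, rt in response_ms.items():
        # Step 1: difference from the fastest server.
        # Step 2: divide by the load step (whole steps only).
        steps = int(rt - fastest) // load_step_ms
        # Step 3: add to the fastest server's load of 2.
        # Assumption: results above 254 are capped at 254.
        loads[server] = min(MIN_LOAD + steps, MAX_ELIGIBLE_LOAD)
    return loads


def same_load_groups(loads):
    """Group servers that end up with the same load number."""
    groups = {}
    for server, load in sorted(loads.items()):
        groups.setdefault(load, []).append(server)
    return groups


def eligible(loads, threshold=254):
    """Servers whose load number does not exceed the load threshold."""
    if not 2 <= threshold <= 254:
        raise ValueError("load threshold must be 2-254")
    return sorted(server for server, load in loads.items() if load <= threshold)


if __name__ == "__main__":
    for step in (10, 100):
        loads = load_numbers(FIGURE_5_2, step)
        print(f"load step {step} ms: {loads}")
        print(f"  same-load groups: {same_load_groups(loads)}")
        # Threshold 25 is the value used in the load threshold example.
        print(f"  eligible at threshold 25: {eligible(loads, 25)}")
```

With a threshold of 25, serverB is ineligible at the 10 ms load step (load 102) but eligible at the 100 ms load step (load 12), so the two settings have to be chosen together.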

Using ArrowPoint Content Awareness Based on Server Load and Weight

The ArrowPoint Content Awareness (ACA) load-balancing algorithm balances traffic
between a group of servers. You can configure the CSS to make ACA
load-balancing decisions based on:
• Server load
• Server weight and load

Using ACA Based on Server Load


ACA determines the best service for each content request based on server load
and size of the content being requested. ACA estimates the file size based on
previous requests for the same content. A service with a lower load receives more
flows than a service with a higher load.


Using ACA Based on Server Weight and Load


Server weight is a mechanism to express the processing capabilities of a server.
Weights allow you to configure the CSS to prefer one group of servers over
another. When you configure weights, the number of hits per server is relative to
the weight configured on that server. A higher weight will bias flows toward the
specified server. For example, in Figure 5-2, ServerA with a weight of two is hit
twice as much as ServerB that has a weight of one. ServerC has a weight of 10
and is hit 10 times as much as ServerB. All servers with the same weight are hit
equally in a round-robin manner.
The CSS can use a server’s weight in tandem with server load to determine server
availability. When you configure ACA on a content rule to use both weight and
load, the CSS calculates the number of requests per weight level based on the
number of servers with that weight. The CSS then balances the requests among
the servers based on their individual loads. The number of requests per weight
level is equal to weight level * number of servers * 10. The CSS then increments
the weight level, and uses the same mechanism to balance requests among the
servers in the next weight level.
For information on configuring weight for a service, refer to the section
“Configuring Weight” described later in this chapter. Also see the section
“Specifying a Service Weight” in Chapter 7, Configuring Content Rules.


Configuring Load for Services


The options for the global load command are:
• load step msec dynamic|static - Define the load step
• load threshold number - Set the load threshold for a service, determining its
eligibility to receive flows
• load reporting - Enable or disable the generation of teardown reports and
the derivation of load numbers by the CSS
• load teardown-timer - Set the maximum amount of time between teardown
reports
• load ageout-timer - Set the time interval in seconds in which the CSS ages
out stale load information for a service
For more information on these options and associated variables, refer to the
following sections.

Configuring Global Load Step


Use the load step command to set the global load step, which is the difference in
milliseconds between load numbers. Load numbers have a range from 2 to 254.
By default, the CSS starts at a load step of 10 ms and then dynamically calculates
the load step as it accumulates minimum and maximum response times for the
services.
When you configure the load step to reduce the flows to a slower service, consider
the differences in response times between services. For example:
• Increasing the load step causes the load for services to be closer to each other,
thus increasing the number of flows to a slower service.
• Decreasing the load step causes the load for services to be further from each
other, thus decreasing the flows to a slower service.


The options and syntax for this global configuration mode command are:
• load step msec dynamic (default) - Set the initial load step. The CSS uses the
default of 10 ms as the initial load step, modifying it after the CSS collects
sufficient response time information.
• load step msec static - Set a constant load step. The CSS uses this load step
value instead of making dynamic calculations. The default is 10 ms.
Enter the load step in milliseconds from 10 to 1000000000. The default is 10 ms.
For example, to set the load step to 100 ms, enter:
(config)# load step 100

To set the load step to the default of 10 ms, enter:


(config)# no load step

Configuring Global Load Threshold


Use the load threshold command to define the global load number which the CSS
uses to determine if a service is eligible to receive flows. If the service load
exceeds the threshold, the service becomes ineligible to receive flows until the
CSS ages the service into the eligible state.
Enter the threshold as a number from 2 to 254. The default is 254, which is the
maximum threshold services can reach before becoming unavailable. To view the
global load on services, enter show load (see Table 5-2 for details).
For example, to set the load threshold to 25, enter:
(config)# load threshold 25

Note If you do not configure a load threshold for the content rule with the
(config-owner-content) load-threshold command, the rule inherits
this global load threshold.

To set the load threshold to the default of 254, enter:


(config)# no load threshold


Configuring Global Load Reporting


Use the load reporting command to enable the CSS to generate teardown reports
and derive load numbers. A teardown report is a summary of response times for
services when flows are being torn down. The CSS uses the teardown report to
derive the load number for a service. The default is load reporting enable.
If you do not need load reporting, disabling it may increase performance
(depending on flows and load reporting already occurring). To disable load
reporting, enter:
(config)# no load reporting

To reenable load reporting, enter:


(config)# load reporting

Configuring Load Tear Down Timer


Use the load teardown-timer command to set the maximum time between
teardown reports. A teardown report is a summary of response times for services
when flows are being torn down. The CSS uses the teardown report to derive the
load number for a service.
When the SFM has sufficient teardown activity for a service, it generates a
teardown report and the teardown timer is reset. If a teardown report is not
triggered at the end of the teardown timer interval due to insufficient activity, the
CSS triggers the SFM to generate a teardown report based on its current activity.
If there is no activity on the SFM, no report is generated and the timer resets.

Note The teardown timer is overridden when a service is reset. After
10 teardown reports are recorded, the timer is reset to its configured
value.

Enter the teardown timer as the number of seconds between teardown reports.
Enter an integer from 0 to 1000000000. The default is 20. The value of 0 disables
the timer. For example, to set the teardown timer to 120 seconds, enter:
(config)# load teardown-timer 120


To reset the teardown time interval to its default of 20 seconds, enter:


(config)# no load teardown-timer

Configuring Load Ageout Timer


Use the load ageout-timer command to set the time interval in seconds in which
the CSS ages out stale load information for a service. When the ageout timer
interval expires, the CSS erases the information and resets the service load to 2.
Load information is stale when the teardown report number recorded on a service
has not incremented during the ageout time interval because no flows (long or
short) are being torn down on the service.
At the beginning of the time interval, the ageout timer saves the number of the
current teardown report. When the SFM generates a new teardown report, the
report number in the SFM increments and any services in the report save this
number. At the end of the ageout time interval, the CSS compares the initial
teardown number, saved at the beginning of the time interval, with the current
teardown number saved by each service. If the number of a service is less than or
equal to the timer number, the load information is stale. The CSS erases it and the
service load is reset to 2.
Enter the ageout timer as the number of seconds to age out load information for a
service. Enter an integer from 0 to 1000000000. The default is 60. The value of
0 disables the timer.
For example:
(config)# load ageout-timer 180

To set the ageout time to the default of 60, enter:


(config)# no load ageout-timer
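
The report-number comparison described above, as an added Python model (not part of the Cisco guide and not CSS code). It shows how a service that exceeded the load threshold, and therefore stops appearing in teardown reports, is returned to the eligible state when the ageout interval ends. The class, its method names and the service names and load values are constructed for the example.

```python
class LoadAgeoutModel:
    """Toy model of teardown report numbering and the load ageout timer."""

    def __init__(self, services, threshold=254, ageout_seconds=60):
        self.threshold = threshold
        self.ageout_seconds = ageout_seconds         # 0 disables the timer
        self.report_number = 0                       # SFM teardown report counter
        self.load = {s: 2 for s in services}         # every service starts at load 2
        self.last_report = {s: 0 for s in services}  # report number saved per service
        self.saved_at_start = 0                      # number saved by the ageout timer

    def start_interval(self):
        """Beginning of the interval: save the current teardown report number."""
        self.saved_at_start = self.report_number

    def teardown_report(self, loads):
        """A new report: the counter increments and each service in it saves the number."""
        self.report_number += 1
        for service, load in loads.items():
            self.load[service] = load
            self.last_report[service] = self.report_number

    def eligible(self):
        """Services whose load does not exceed the threshold."""
        return sorted(s for s, load in self.load.items() if load <= self.threshold)

    def end_interval(self):
        """End of the interval: erase stale load information, return the stale services."""
        if self.ageout_seconds == 0:
            return []
        stale = sorted(s for s, number in self.last_report.items()
                       if number <= self.saved_at_start)
        for service in stale:
            self.load[service] = 2
        self.start_interval()                        # the next interval begins
        return stale


def run_scenario(ageout_seconds=60):
    """Constructed scenario: serv2 exceeds a threshold of 25, then goes quiet."""
    model = LoadAgeoutModel(["serv1", "serv2"], threshold=25,
                            ageout_seconds=ageout_seconds)
    timeline = []
    model.start_interval()
    model.teardown_report({"serv1": 5, "serv2": 40})   # serv2 is now over threshold
    timeline.append(("after report 1", model.eligible()))
    timeline.append(("stale at end of interval 1", model.end_interval()))
    model.teardown_report({"serv1": 6})                # no flows torn down on serv2
    timeline.append(("stale at end of interval 2", model.end_interval()))
    timeline.append(("eligible afterwards", model.eligible()))
    return timeline


if __name__ == "__main__":
    for label, value in run_scenario():
        print(f"{label}: {value}")
```

Running the same scenario with the timer set to 0 leaves serv2 at load 40, so it stays ineligible.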


Showing Global Service Loads


Use the show load command to display the global load configuration and service
load information. For example:
(config)# show load

Table 5-2 describes the fields in the show load output.

Table 5-2 Field Descriptions for the show load Command

Field                     Description
Global load information   The configured state of load reporting (enabled or
                          disabled). Reporting is disabled by default.
Step Size                 The configured method in which the load step size is
                          calculated:
                          • Dynamic indicates that the CSS calculates the step
                            size.
                          • Static indicates that the configured step size is
                            used.
Configured                The configured load step. The value is the difference in
                          milliseconds between load numbers. If the step size
                          method is dynamic, this is the initial load step. The
                          CSS modifies the value after it collects sufficient
                          response time information from the services.
Actual                    The actual load step. The value is the difference in
                          milliseconds between load numbers. If the step size
                          method is configured, the actual value will be the same
                          as the Configured field.
Threshold                 The configured global load number that the CSS uses
                          to determine if a service is eligible to receive flows.
                          The default is 254 with a range of 2 to 254.
Ageout-Timer              The configured time interval in seconds in which stale
                          load information for a service is aged out. When the
                          ageout timer interval expires, the CSS erases the
                          information and resets the service load to 2. The
                          default is 60 with a range of an integer from 0 to
                          1000000000. The value of 0 disables the timer.
Teardown-timer            The maximum time between teardown reports. The
                          default is 20 with a range from 0 to 1000000000. The
                          value of 0 disables the timer.
Configured                The configured maximum time between teardown
                          reports. The default is 20 with a range from 0 to
                          1000000000. The value of 0 disables the timer.
Actual                    The actual time between teardown reports.
Service Name              The name of the service.
Average Load Number       The average load number for the service.


Global Keepalive Mode


Global keepalive configuration mode allows you to create a global keepalive and
configure its properties. Once you create and configure a keepalive, you can apply
it to any service. Applying a keepalive to multiple services reduces the amount of
configuration required for each service.
Global keepalives are independent of service mode. In service mode, you can also
configure individual keepalive properties for a service. Global keepalives
supersede the individual keepalive parameters configured in service mode.
The CSS supports a maximum of 512 keepalives (which can include a maximum
of 255 script keepalives). The CSS supports a maximum of 256 keepalives of one
type. These keepalives include:
• Global keepalives configured in keepalive configuration mode. The CSS
counts a global keepalive as one keepalive regardless of the number of
services you assign to it through the (config-service) keepalive type named
command.
• ICMP, HTTP, TCP, FTP, and script keepalives configured and assigned to a
service through the (config-service) keepalive command. Each time you
assign one of these keepalives to a service through the (config-service)
keepalive type command, the CSS counts it as one keepalive.

Caution Do not configure more than 256 keepalives of one type. Do not
configure more than 512 total keepalives. Any services assigned to
keepalives over 512 will not be eligible for content rule selection.

Caution You can configure a maximum of 255 script keepalives on a CSS
(out of a maximum of 512 keepalives). Of the 255 script keepalives,
you can configure a maximum of 16 keepalives to use script output.
For details, refer to the “Script Keepalives” section earlier in this
chapter.

To access keepalive configuration mode, use the keepalive command from
circuit, global, interface, and IP configuration modes. The prompt changes to
(config-keepalive [name]). You can also use this command from keepalive mode
to access another keepalive.


The following sections describe how to configure global keepalives:


• Creating a Global Keepalive
• Activating a Global Keepalive Active
• Configuring a Global Keepalive Description
• Configuring a Global Keepalive Frequency
• Configuring a Global Keepalive IP Address
• Configuring a Global Keepalive Max Failure
• Configuring a Global Keepalive Method
• Configuring a Global Keepalive Port
• Configuring a Global Keepalive Retryperiod
• Deactivating a Global Keepalive
• Configuring a Global Keepalive Type
• Configuring a Global Keepalive URI
• Associating a Service with a Global Keepalive
• Configuring Global Keepalive Hash

Creating a Global Keepalive


Use the keepalive command to access keepalive configuration mode and
configure global keepalive properties which you can apply to any service. Enter
the name of the new keepalive you want to create or the name of an existing
keepalive. Enter an unquoted text string with no spaces and a length of 1 to 31
characters. To see a list of existing keepalive names, enter keepalive ?.
The following example creates global keepalive keepimages.
(config)# keepalive keepimages

When you access this mode, the prompt changes to (config-keepalive[keepimages]).
(config-keepalive[keepimages])#

To remove an existing keepalive, enter:


(config)# no keepalive keepimages


Activating a Global Keepalive Active


Use the active command to activate the global keepalive. Activating a keepalive
enables the CSS to start sending keepalive messages to the IP address.
For example, to activate the global keepalive keepimages, enter:
(config-keepalive[keepimages])# active

Configuring a Global Keepalive Description


Use the description command to specify the description for a keepalive. Enter the
description as a quoted text string with a maximum of 64 characters, including
spaces.
For example, to enter a description for the global keepalive keepimages, enter:
(config-keepalive[keepimages])# description "This keepalive is for the image servers"

To delete a description, enter:


(config-keepalive[keepimages])# no description

Configuring a Global Keepalive Frequency


Use the frequency command to specify the time between sending keepalive
messages to the IP address. Enter the frequency time in seconds as an integer from
2 to 255. The default is 5.

Caution If you configure more than 16 script keepalives, the CSS
automatically adjusts the keepalive frequency time to a value that
best fits the resource usage. Note that this adjustment also affects the
keepalive retry period value (see “Configuring Keepalive
Retryperiod”) by adjusting that value to a number that is one-half the
adjusted frequency time. If this occurs, you may observe in the
output of the show service command that your previously set
keepalive frequency and retry period times change to a different
value, as determined by the CSS.


For example, to set the frequency time to 10 seconds, enter:


(config-keepalive[keepimages])# frequency 10

To reset the frequency to its default value of 5, enter:


(config-keepalive[keepimages])# no frequency

Configuring a Global Keepalive IP Address


Use the ip address command to specify the IP address where the keepalive
messages are sent. Enter the IP address in dotted-decimal notation.
For example, to enter an IP address for keepalive keepimages, enter:
(config-keepalive[keepimages])# ip address 192.168.7.6

Configuring a Global Keepalive Max Failure


Use the maxfailure command to specify the number of times the IP address can
fail to respond to a keepalive message before the CSS considers it down. Enter the
maximum failure as an integer from 1 to 10. The default is 3.
For example, to set the global keepalive maxfailure number to 7, enter:
(config-keepalive[keepimages])# maxfailure 7

To reset the maximum failure number to its default value of 3, enter:


(config-keepalive[keepimages])# no maxfailure


Configuring a Global Keepalive Method


Use the method command to specify the HTTP keepalive method assigned to the
global keepalive. The syntax and options for the keepalive mode command are:
• method get - The CSS issues an HTTP GET method to the service, computes
a hash value on the page, and stores the hash value as a reference hash.
Subsequent GETs require a 200 OK status (HTTP command completed OK
response) and the hash value to equal the reference hash value. If the 200 OK
status is not returned, or if the 200 OK status is returned but the hash value is
different from the reference hash value, the CSS considers the service down.
When you specify the content information of an HTTP Uniform Resource
Identifier (URI) for an HTTP keepalive, the CSS calculates a hash value for
the content. If the content information changes, the hash value no longer
matches the original hash value and the CSS assumes that the service is down.
To prevent the CSS from assuming that a service is down due to a hash value
mismatch, specify the keepalive method as head.
• method head (default) - The CSS issues an HTTP HEAD method to the
service and a 200 OK status is required. The CSS does not compute a
reference hash value for this type of keepalive. If the 200 OK status is not
returned, the CSS considers the service down.
For example, to specify the HTTP get keepalive method, enter:
(config-keepalive[keepimages])# method get

Configuring a Global Keepalive Port


Use the port command to specify the port number used for global HTTP
keepalives. Enter the port number associated with the global keepalive as an
integer from 0 to 65535.
If configured, the CSS uses the TCP keepalive port. Otherwise, the CSS bases the
default on the keepalive type. If the keepalive type is:
• HTTP or TCP, the default port number is 80
• FTP, the default port number is 21


For example, to set the global keepalive port to 8080, enter:


(config-keepalive[keepimages])# port 8080

To reset the port to the default of 0, enter:


(config-keepalive[keepimages])# no port

Configuring a Global Keepalive Retryperiod


Use the retryperiod command to specify the retry period to send messages to the
keepalive IP address. Enter the retry period as an integer from 2 to 255 seconds.
The default is 5 seconds.
For example, to configure a retry period of 60 seconds, enter:
(config-keepalive[keepimages])# retryperiod 60

To reset the retry period to its default value of 5, enter:


(config-keepalive[keepimages])# no retryperiod

Deactivating a Global Keepalive


Use the suspend command to deactivate the keepalive.
For example:
(config-keepalive[keepimages])# suspend


Configuring a Global Keepalive Type


Use the type command to specify the type of keepalive message assigned to a
keepalive. The syntax and options for this keepalive mode command are:
• type ftp ftp_record - Keepalive type that accesses an FTP server by logging
into the server as defined in an FTP record file.
• type http - An HTTP index page request using persistent connections.
• type http non-persistent - An HTTP index page request using non-persistent
connections.
• type icmp (default) - An ICMP echo message.
• type script script_name {"arguments"} {use-output} - Script keepalive to
be used by the service. The script is played each time the keepalive is issued.
By default, the script does not parse the output. For details on script
keepalives, refer to “Script Keepalives” later in this chapter.

Note To preserve CSS system resources, use script keepalives
only when needed. If an ICMP or HTTP keepalive message
is sufficient to validate the service, then use that type of
message instead of a script keepalive.

• type tcp - A TCP session that determines service viability (3-way handshake
and reset (RST)).
For example, to set the global keepalive keepimages to type tcp, enter:
(config-keepalive[keepimages])# type tcp


Configuring a Global Keepalive URI


Use the uri command to specify the content information for an HTTP global
keepalive. Enter the content information for a URI as a quoted text string with a
maximum length of 64 characters. Do not include the host information in the
string. The CSS derives the host information from the service IP address and the
keepalive port number.
When you specify the content information for an HTTP keepalive, the CSS
calculates a hash value for the content. If the content information changes, the
hash value no longer matches the original hash value and the CSS assumes that
the service is down. To prevent the CSS from assuming that a service is down due
to a hash value mismatch, specify the keepalive method as head. If you specify
a Web page with changeable content and do not specify the keepalive method as
head, you must suspend and reactivate the service each time the content
information changes.
For example, to specify the content information for the global keepalive, enter:
(config-keepalive[keepimages])# uri "/index.html"

To clear the content information for the URI assigned to this keepalive, enter:
(config-keepalive[keepimages])# no uri

Associating a Service with a Global Keepalive


Use the keepalive type named command to associate a service with a global
keepalive. The service maintains the global keepalive attributes when you add the
service to content rules.
The syntax for this command is keepalive type named name. Specify a global
keepalive name to associate the server with a global keepalive.
For example, to associate imageserver1 with global keepalive keepimages, enter:
(config-service[imageserver1])# keepalive type named keepimages


Configuring Global Keepalive Hash


Use the hash command to override the default MD5 hash for a keepalive. The
CSS compares the hash value against the computed hash value of all HTTP GET
responses. A successful comparison results in the keepalive maintaining an
ALIVE state.
To configure the hash value:
1. Configure the global keepalive. For example:
(config-keepalive[keepimages])# method get
(config-keepalive[keepimages])# uri "/testpage.html"
(config-keepalive[keepimages])# hash "1024b91e516637aaf9ffca21b4b05b8c"

2. Configure the service. For example:


(config)# service imageserver1
(config-service[imageserver1])# ip address 10.0.3.21
(config-service[imageserver1])# keepalive type named keepimages
(config-service[imageserver1])# active

3. Display the hash value using the show keepalive command. For example:
(config-keepalive[keepimages])# show keepalive

Keepalives:

Name: imageserver1
Index: 0 State: ALIVE
Description: Auto generated for service serv1
Address: 10.0.3.21 Port:80
Type: HTTP GET:/testpage.html
Hash: 1024b91e516637aaf9ffca21b4b05b8c
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:

4. Use the hash value from the keepalive display to configure the keepalive
hash. Enter the MD5 hash value as a quoted hexadecimal string up to
32 characters. For example:
(config-keepalive[keepimages])# hash "1024b91e516637aaf9ffca21b4b05b8c"


An excerpt of the service configuration from the running-config is shown below.


service imageserver1
ip address 10.0.3.21
keepalive type http
keepalive method get
keepalive uri "/testpage.html"
keepalive hash "1024b91e516637aaf9ffca21b4b05b8c"
active

To clear a hash value and return to the default hash value, enter:
(config-keepalive[keepimages])# no hash
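
The pass/fail rule that the method get and hash descriptions above lay out can be modelled offline to see how a content change takes a service down. The following Python model is an added example, not Cisco code; it assumes the hash is an MD5 over the response body only, and the DYING transition and the sample pages are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


def page_hash(body: bytes) -> str:
    """Return the MD5 of a response body as 32 lowercase hex characters."""
    return hashlib.md5(body).hexdigest()


def hash_command(body: bytes) -> str:
    """Build the keepalive-mode `hash` command that pins this body's digest."""
    return 'hash "%s"' % page_hash(body)


@dataclass
class HttpKeepalive:
    method: str = "head"                  # `method head` is the default
    maxfailure: int = 3                   # `maxfailure` default
    reference_hash: Optional[str] = None  # set by `hash`, else learned on first 200 OK
    failures: int = 0
    state: str = "DOWN"

    def probe(self, status: int, body: bytes = b"") -> str:
        """Apply one keepalive response and return the resulting state."""
        passed = status == 200
        if passed and self.method == "get":
            digest = page_hash(body)
            if self.reference_hash is None:
                self.reference_hash = digest  # first good GET becomes the reference
            passed = digest == self.reference_hash.lower()
        if passed:
            self.failures, self.state = 0, "ALIVE"
        else:
            self.failures += 1
            if self.failures >= self.maxfailure:
                self.state = "DOWN"
            elif self.state == "ALIVE":
                self.state = "DYING"  # assumed: failing, not yet at maxfailure
        return self.state


def timeline(keepalive, responses):
    """Feed (status, body) pairs to a keepalive and collect the states."""
    return [keepalive.probe(status, body) for status, body in responses]


# Constructed sample pages: the same URI before and after a content update.
PAGE_V1 = b"<html><body>catalog build 41</body></html>"
PAGE_V2 = b"<html><body>catalog build 42</body></html>"
CONTENT_UPDATE = [(200, PAGE_V1), (200, PAGE_V1),
                  (200, PAGE_V2), (200, PAGE_V2), (200, PAGE_V2)]


def demo():
    repinned = HttpKeepalive(method="get", reference_hash=page_hash(PAGE_V2))
    return {
        # GET with a learned reference: the update looks like a failure.
        "get_learned": timeline(HttpKeepalive(method="get"), CONTENT_UPDATE),
        # HEAD only needs 200 OK, so changing content is tolerated.
        "head": timeline(HttpKeepalive(method="head"), CONTENT_UPDATE),
        # GET with the hash of the new page configured explicitly.
        "get_repinned": timeline(repinned, CONTENT_UPDATE[2:]),
        "command": hash_command(PAGE_V2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```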

Showing Global Keepalive Configurations


To display global keepalive configurations, use the show keepalive command. To
display a list of existing keepalives, enter show keepalive ?.
This command provides the following options:
• show keepalive - Display information for all keepalives
• show keepalive keepalive_name - Display information for a specific
keepalive
• show keepalive-summary - Display summary information for all keepalives


For example:
(config)# show keepalive

Keepalives:

Name: keepimages Index: 1 State: ALIVE ( ICP Check )


Description: This keepalive is for image servers
Address: 172.16.1.7 Port: 80
Type: HTTP:HEAD:/index.html
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services: imageserver1

Name: rualive Index: 2 State: ALIVE


Description: Auto generated for service serv2
Address: 172.16.1.8 Port: 80
Type: HTTP:HEAD:/index.html
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services: serv2

(config)# show keepalive-summary

Keepalives:
Alive1 DOWN 192.25.1.7
Alive2 ALIVE 192.25.1.8


Table 5-3 describes the fields in the show keepalive output.

Table 5-3 Field Descriptions for the show keepalive Command

| Field | Description |
| --- | --- |
| Name | The name of the keepalive. |
| Index | The unique index value that the CSS assigns to each keepalive. |
| State | The state of the keepalive. The possible states are down, alive, dying, and suspended. |
| Description | The description for the keepalive. |
| Address | The IP address where the keepalive messages are sent. |
| Port | The port number for the keepalive. |
| Type | The type of keepalive message assigned to the keepalive. The possible types are FTP, HTTP, ICMP, script, TCP, or named. |
| Frequency | The time in seconds between sending keepalive messages to the IP address. The default is 5. The range is from 2 to 255. |
| Max Failures | The configured number of times the IP address can fail to respond to a keepalive message before being considered down. The default is 3. The range is from 1 to 10. |
| Retry Frequency | The retry period in seconds to send messages to the keepalive IP address. The default is 5. The range is from 2 to 255. |
| Dependent Services | Services currently configured to use the keepalive. This is mainly used for named keepalive types. |


Script Keepalives
Script keepalives are scripts that you can create to provide custom keepalives for
your specific service requirements. To create the scripts, use the rich CSS
Scripting Language that is included in your CSS software. For details on using the
CSS Scripting Language, including using socket commands and examples of
keepalive scripts, refer to the Content Services Switch Advanced Configuration
Guide.
Currently, a CSS provides keepalives for FTP, HTTP, ICMP, and TCP. For
information on global keepalives, refer to “Global Keepalive Mode” earlier in this
chapter. For information on configuring keepalive messages, refer to
“Configuring Keepalives for a Service” earlier in this chapter.
Using script keepalives allows you to extend the CSS keepalive functionality
beyond the default keepalives. For example, you can develop a script specifically
to connect a CSS to a Post Office Protocol 3 (POP3) mail server.
Once you create a script offline, you can upload it to the CSS and configure the
script keepalive option on a service.
The CSS supports a maximum of 255 script keepalives (out of a maximum of 512
keepalive types). If you specify a script to parse the output for each executed
command, you can configure only 16 keepalives that use script output.

Note You can also configure a script keepalive without having the
corresponding script present on the CSS. In this case, a constant
Down state remains on the service until you upload the appropriate
script to the CSS. This allows you to develop and implement a
configuration before uploading all the scripts to the CSS.


Script Keepalive Considerations


When you configure a script keepalive, follow the same general guidelines as
those for global keepalive types, with the exceptions noted in these sections. For
details on global keepalives, refer to the “Global Keepalive Mode” section earlier
in this chapter.
The CSS Scripting Language allows you to pass 128 characters in a quoted
argument. Assuming an average of seven characters per argument (plus a space
delimiter), you can potentially use a maximum of 16 arguments in one script.
The CSS executes each line in a script keepalive. If your application requires
numerous script keepalives (for example, greater than 60), keep each script as
short and concise as possible. A smaller script executes much faster than a
larger one. To maximize system performance, avoid complex protocols or
extensive scripts (for example, database queries or a full login with
validation), which can take the CSS longer to execute.
Use the script naming convention of ap-kal-type, so that when you press tab or
“?”, you can easily see the keepalive scripts available for use. For example, an
SMTP script would be named ap-kal-smtp. The script name can have a maximum
of 32 characters. The arguments must be in a quoted text string with a maximum
of 128 characters.
For the configured script keepalive to find the corresponding script, the script
must reside in the /<current running version>/script directory. When you
configure a script keepalive, use only script names. (A CSS does not accept path
names.) If the script is present elsewhere on the CSS, the script keepalive assumes
it does not exist.

Note Because many scripts have a multistep process such as connecting,
sending a request, and waiting for a specific type of response,
configure a higher frequency time value for script keepalives than
for standard keepalives. A time interval of 10 seconds or higher
ensures that the script keepalive has enough time to finish.
Otherwise, state transitions may occur more often than is usual.


Because a CSS reads an entire script into memory, there is a maximum script
keepalive size of 200 KB (approximately 6,000 lines). If a script exceeds this
limit, it will not load. This should be more than adequate for all applications. For
example, the script keepalives included with your CSS software are
approximately 1 KB. To further conserve CSS memory, services can share a
common script keepalive so that only one instance of the script needs to reside in
memory. However, you must configure the script keepalive for each service where
you want the script to run.
To see a complete list of all scripts available in the /<current running
version>/script directory, press the Tab key or “?”. Optionally, you can type a
script name not found in the list, then you can upload the script later. You can
manipulate scripts using the archive, clear, and copy commands. You can also
upload a script from a local hard drive to the /script directory on the CSS, or
download a script from the /script directory on the CSS to a local hard drive.

Configuring Script Keepalives

Note For a large number of services that use script keepalives, use a
smaller subset of global keepalives to handle the work for them. For
information on global keepalives, refer to “Global Keepalive Mode”
earlier in this chapter.

Use the keepalive type script command to configure script keepalives. The
syntax for this service configuration mode command is:
keepalive type script script_name {"arguments"} {use-output}
The optional use-output keyword allows the script to parse the output for each
executed command. This optional keyword allows the use of grep and file
direction within a script. You can configure a maximum of 16 script keepalives
(out of a maximum of 255 script keepalives) to use script output. By default, the
script does not parse the output.
For example, to configure an httplist keepalive, enter:
(config-service[serv1])# keepalive type script ap-kal-httplist "10.10.102.105 /default.htm"


In the previous command example, the keepalive command configures the serv1
service keepalive to be of type script with the script name ap-kal-httplist and the
arguments “10.10.102.105 /default.htm”. The output is not parsed by the script.
To disable a script keepalive on a service, enter:
(config-service[serv1])# keepalive type none

Viewing a Script Keepalive in a Service


When you add a script keepalive to a service, the CSS recognizes that the script
is the keepalive for the service in the show service screen. The script name
appears in the Keepalive field, and any potential arguments appear directly below
in the Script Arguments field. If there are no script arguments, then the Script
Arguments field does not appear.
For example, enter:
(config-service[serv1])# show service

Name: serv1 Index: 1


Type: Local State: Alive
Rule (10.10.102.105 ANY ANY)
Redirect Domain:
Keepalive: (SCRIPT ap-kal-httplist 10 3 5)
Script Arguments: “10.10.102.105 /default.htm”
Script Error: None
Script Run Time: 1 second
Script Using Output Parsing: No
Mtu: 1500 State Transitions: 14
Connections: 0 Max Connections: 0
Total Connections: 0 Total Reused Conns: 0
Weight: 1 Load: 2

Note If a script keepalive terminates with an error, you can use the Script
Error and Script Run Time fields to help troubleshoot the problem.

You can also use the show running-config command to display the script
keepalive and its arguments.


For example, enter:


(config-service[serv1])# show running-config

service serv1
ip address 10.10.102.105
keepalive frequency 10
keepalive type script ap-kal-httplist "10.10.102.105 /default.htm"
active

The example above shows the script keepalive and arguments that have been
configured on a service. If no arguments are specified in the script, then the
quoted text following the script name will not appear.
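
The limits stated in the script keepalive sections above (script names only, 32-character names, 128-character argument strings, at most 255 script keepalives of which 16 may use script output, and a frequency of 10 seconds or higher) can be checked against a saved running-config before it is loaded. This Python check is an added example, not a Cisco tool; the indented running-config layout, the sample services and the ap-kal-pop3 script name are constructed for illustration.

```python
import re

MAX_SCRIPT_KEEPALIVES = 255  # script keepalives per CSS
MAX_USE_OUTPUT = 16          # script keepalives allowed to use script output
MAX_NAME_LEN = 32            # characters in a script name
MAX_ARGS_LEN = 128           # characters in the quoted argument string
MIN_SCRIPT_FREQUENCY = 10    # seconds recommended for script keepalives
DEFAULT_FREQUENCY = 5        # keepalive frequency when none is configured

SCRIPT_PREFIX = "keepalive type script"
SCRIPT_RE = re.compile(
    r'^keepalive type script (\S+)(?:\s+"([^"]*)")?(?:\s+(use-output))?$')
FREQ_RE = re.compile(r"^keepalive frequency (\d+)$")
SERVICE_RE = re.compile(r"^service (\S+)$")


def parse_services(config):
    """Map each service name to its list of sub-commands.

    Assumption: sub-commands are indented under an unindented `service NAME`.
    """
    services, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is not None:
                current.append(raw.strip())
        else:
            match = SERVICE_RE.match(raw.strip())
            current = services.setdefault(match.group(1), []) if match else None
    return services


def lint_script_keepalives(config):
    """Return a list of findings for the script keepalives in a running-config."""
    findings, scripts, use_output = [], 0, 0
    for service, lines in parse_services(config).items():
        frequency, script = DEFAULT_FREQUENCY, None
        for line in lines:
            freq = FREQ_RE.match(line)
            if freq:
                frequency = int(freq.group(1))
            if line.startswith(SCRIPT_PREFIX):
                script = SCRIPT_RE.match(line)
                if script is None:
                    findings.append(f"{service}: cannot parse '{line}'")
        if script is None:
            continue
        name, args, flag = script.group(1), script.group(2) or "", script.group(3)
        scripts += 1
        use_output += 1 if flag else 0
        if "/" in name:
            findings.append(f"{service}: '{name}' is a path; the CSS accepts script names only")
        if len(name) > MAX_NAME_LEN:
            findings.append(f"{service}: script name exceeds {MAX_NAME_LEN} characters")
        if len(args) > MAX_ARGS_LEN:
            findings.append(f"{service}: arguments exceed {MAX_ARGS_LEN} characters")
        if frequency < MIN_SCRIPT_FREQUENCY:
            findings.append(f"{service}: frequency {frequency}s is below {MIN_SCRIPT_FREQUENCY}s")
    if scripts > MAX_SCRIPT_KEEPALIVES:
        findings.append(f"{scripts} script keepalives exceed the maximum of {MAX_SCRIPT_KEEPALIVES}")
    if use_output > MAX_USE_OUTPUT:
        findings.append(f"{use_output} keepalives use script output; the maximum is {MAX_USE_OUTPUT}")
    return findings


# Constructed running-config excerpt (not taken from a real device).
SAMPLE = '''\
service serv1
  ip address 10.10.102.105
  keepalive frequency 10
  keepalive type script ap-kal-httplist "10.10.102.105 /default.htm"
  active

service serv2
  ip address 10.10.102.106
  keepalive type script ap-kal-smtp "10.10.102.106"
  active

service serv3
  ip address 10.10.102.107
  keepalive frequency 15
  keepalive type script /script/ap-kal-pop3 "10.10.102.107" use-output
  active
'''


def use_output_services(count):
    """Generate `count` constructed services that all request use-output."""
    return "".join(
        f"service s{i}\n  keepalive frequency 10\n"
        f'  keepalive type script ap-kal-httplist "10.0.0.{i} /" use-output\n'
        for i in range(1, count + 1))


if __name__ == "__main__":
    for finding in lint_script_keepalives(SAMPLE):
        print(finding)
```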

Script Keepalive Status Codes


A script can return a status code of zero or non-zero. On a return of non-zero, the
CSS flags the service state as Dying or Down; on a return of zero, the CSS flags
the service state as Alive. For example, enter:
! Connect to the remote host
socket connect host einstein port 25 tcp
! Purposely fail
exit script 1

Because the above script fails when it executes the exit command, the script
returns a non-zero value. By default, the script will fail with a syntax error if the
connect command fails. Be sure to check the logic of your scripts to ensure that
the CSS returns the correct value.

Script Keepalives and Upgrading WebNS Software


When you upgrade the WebNS software in your CSS, the upgrade process creates
a new /<current running version>/script directory. You must copy your custom
scripts (including custom script keepalives) to the new /<current running
version>/script directory so that the CSS can find them.


Use the following procedure to ensure that your custom script keepalives operate
properly after upgrading the software.
1. Upgrade the WebNS software in your CSS. See Appendix A, Upgrading Your
CSS Software.
2. Copy the scripts from the old /<current running version>/script directory to
the new /<current running version>/script directory.
3. Reboot the CSS.

Creating Services
A service can be a destination location or entity that contains and provides
Internet content (for example, a server, an application on a server such as FTP, or
streaming audio). A service has a name that is associated with an IP address, and
optionally, a protocol and a port number.
By creating a service, you identify the service and enable the CSS to recognize it.
You can then apply content rules to services that allow the CSS to:
• Direct requests for content to the service
• Deny requests for content from the service
Enter the service name from 1 to 31 characters. For example, to create service
serv1, enter:
(config)# service serv1

The CSS transitions into the newly created service mode.


(config-service[serv1])#


Configuring Services
The following sections describe how to configure content services.
• Assigning an IP Address to the Service
• Specifying a Port
• Specifying a Protocol
• Specifying a Domain Name
• Configuring an Advanced Load Balancing String
• Configuring a Service HTTP Cookie
• Configuring Weight
• Specifying a Service Type
• Configuring Service Access
• Configuring Service Cache Bypass
• Configuring Network Address Translation for Transparent Caches
• Configuring a Service to Bypass a Cache Farm
• Configuring Keepalives for a Service
• Showing Keepalive Configurations
• Configuring Maximum TCP Connections
• Activating a Service
• Suspending a Service
• Removing a Service

Note The CSS supports stateless redundancy failover on CSSs operating
in an IP redundancy or a VIP/interface redundancy configuration.
Stateless redundancy failover requires a very specific redundant
CSS configuration, which includes service IP address, number, and
order. For details, refer to the Content Services Switch Advanced
Configuration Guide, Chapter 5, Configuring Redundant Content
Services Switches.


Assigning an IP Address to the Service


To enable the CSS to direct requests for content to the appropriate service, you
must assign an IP address or range of IP addresses to a service. Assigning an IP
address to a service identifies the service to the CSS. When the CSS receives a
request for content, it translates the VIP (and potentially, the port) to the service
IP address (or addresses) and port.
For example, to assign an IP address to serv1, enter:
(config-service[serv1])# ip address 172.16.1.1

The ip address range command allows you to specify a range of IP addresses
starting with the IP address you specified using the ip address command. Enter a
number from 1 to 65535. The default range is 1. For example, if you enter an IP
address of 172.16.1.1 with a range of 10, the IP addresses range from 172.16.1.1
through 172.16.1.10.
When using the ip address range command, use IP addresses that are within the
subnet you are using. The CSS does not arp for IP addresses that are not on the
circuit subnet. For example, if you configure the circuit for 10.10.10.1/24 and
configure the VIP range as 10.10.10.2 range 400, the CSS will not arp for any IP
addresses beyond 10.10.10.254. Using the same example only with a VIP range
of 200, the CSS will arp for all IP addresses in the range.
For example:
(config-service[serv1])# ip address 172.16.1.1 range 10

To restore a service IP address to the default of 0.0.0.0, enter:


(config-service[serv1])# no ip address

Note The CSS sends keepalives only to the first address in a service range.
If you configure a scripted keepalive, it should contain the first
address in a service range as one of its arguments.

For the CSS to forward requests to a service on any of the addresses
in a range, the CSS must successfully arp for the first address in the
range. This behavior is independent of keepalives.


Specifying a Port
Use the port command to specify a service TCP/UDP port number or range of
port numbers. The TCP or UDP destination port number is associated with a
service. Enter the port number as an integer from 0 to 65535. The default is any.
For example:
(config-service[serv1])# port 80

To specify a port to be used for keepalives, refer to the service mode keepalive
port command.
Use the range option to specify a range of port numbers starting with the port
number you specified using the port command. Enter a range number from 1 to
65535. The default range is 1. For example, if you enter a port number of 80 with
a range of 10, the port numbers will range from 80 through 89. You can use the
port range command only on local (default) services.
For example:
(config-service[serv1])# port 80 range 10

To set the port to the default of any, enter:


(config-service[serv1])# no port

Specifying a Protocol
To specify a service IP protocol, use the protocol command. The default setting
for this command is any, for any IP protocol. The options for this command are:
• protocol tcp - The service uses the TCP protocol suite
• protocol udp - The service uses the UDP protocol suite
For example:
(config-service[serv1])# protocol tcp

To set the protocol to the default of any, enter:


(config-service[serv1])# no protocol


Specifying a Domain Name


Use the domain command to specify the domain name to prepend to a requested
piece of content when an HTTP redirect service generates an “object moved”
message for the service. The CSS uses the configured domain name in the redirect
message as the new location for the requested content. The CSS prepends the
domain name to the requested URL. If the domain name is not configured, the
CSS uses the domain in the host-tag field from the original request. If no host tag
is found, the CSS uses the service IP address to generate the redirect.

Note You can only use a service redirect domain on a service type redirect.
You must specify the domain command for a redirect service to
obtain an applicable HTTP redirect.

Note You cannot configure the domain and (config-service)
redirect-string commands simultaneously on the same service.

Note The redirect-string and (config-service) domain commands are
similar. The CSS returns the redirect-string command string as
configured. With the (config-service) domain command, the CSS
prepends the domain to the original requested URL.

Enter the service domain name as an unquoted text string with no spaces and a
maximum length of 64 characters.

Note The CSS automatically prepends the domain name with http://.


For example:
(config-service[serv1])# domain www.arrowpoint.com

or

(config-service[serv1])# domain 172.16.3.6

To clear the redirect domain for this service, enter:


(config-service[serv1])# no domain www.arrowpoint.com

or

(config-service[serv1])# no domain 172.16.3.6

Configuring an Advanced Load Balancing String


To specify an advanced load-balancing string for a service, use the string
command. Use this command in conjunction with the advanced load-balancing
methods url, cookie, or cookieurl. For information on advanced load-balancing
methods, refer to the Content Services Switch Advanced Configuration Guide.
Enter a string from 1 to 15 characters. For example:
(config-service[serv1])# string 172.16.3.6

To remove a string from a service, enter:


(config-service[serv1])# no string

Configuring a Service HTTP Cookie


Use the string command to specify the HTTP cookie for the service. The syntax
for this service mode command is:
string cookie_name
Enter the cookie_name as an unquoted text string with no spaces and a maximum
of 15 characters.


For example:
(config-service[serv1])# string userid3217

To remove the cookie for a service, enter:


(config-service[serv1])# no string

Configuring Weight
To specify the relative weight of the service, use the weight command in service
mode. The CSS uses this weight when you configure ACA or weighted
roundrobin load balancing on a content rule. By default, all services have a weight
of 1. A higher weight will bias flows towards the specified service. To set the
weight for a service, enter a number from 1 to 10. The default is 1.
For example:
(config-service[serv1])# weight 2

To restore the weight to the default of 1, enter:


(config-service[serv1])# no weight

Note When you add a service to content rules, the service weight as
configured in service mode is applied to each rule as a
server-specific attribute. To define a content rule-specific server
weight, use the add service weight command. This command
overrides the server-specific weight and applies only to the content
rule to which you add the service. For information on the add
service weight command, refer to Chapter 7, “Configuring Content
Rules”.


Specifying a Service Type


Use the type command to specify the type for a service. If you do not define a type
for a service, the default service type is local. The syntax and options for this
service mode command are:
• type nci-direct-return - Specify the service is NAT Channel indication for
direct return.
• type nci-info-only - Specify the service is NAT Channel indication for
information only.
• type proxy-cache - Define the service as a proxy cache. This is a
cache-specific option. This option bypasses content rules for requests coming
from the cache server. Bypassing content rules in this case prevents a loop
between the cache and the CSS. For a description of a proxy cache, refer to
the Content Services Switch Advanced Configuration Guide.
• type redirect - Define the service as a remote service to enable the CSS to
redirect content requests to the remote service when a local service is not
available (for example, the local service has exceeded its configured load
threshold). To configure a load threshold for a content rule, use the
load-threshold command in owner-content mode (refer to Chapter 7,
Configuring Content Rules, the section “Specifying a Load Threshold”). If
you have multiple remote services defined as type redirect, the CSS uses the
roundrobin load-balancing method to load balance requests between them.
When you add a type redirect service to a content rule, you must also
configure a URL to match on the content. For example, “/*” or
“/vacations.html”.
• type redundancy-up - Specify the router service in a redundant uplink.
• type rep-cache-redir - Specify the service is a replication cache with
redirect.
• type rep-store - Specify the service is a replication store.
• type rep-store-redir - Specify the service is a replication store with redirect.
No content rules are applied to requests from this service type.
• type transparent-cache - Specify the service as a transparent cache. This is
a cache-specific option. No content rules are applied to requests from this
service type. Bypassing content rules in this case prevents a loop between the
cache and the CSS. For a description of a transparent cache, refer to the
Content Services Switch Advanced Configuration Guide.


For example, to enable the CSS to redirect content requests for serv1, specify
redirect in the serv1 content rule:
(config-service[serv1])# type redirect

To restore the service type to the default setting of local, enter:


(config-service[serv1])# no type

How the CSS Accesses Server Types


When you configure a Layer 3 or 4 content rule, the rule hits the local services. If:
• The local services are not active or configured, the rule hits the primary sorry
server.
• The primary sorry server fails, the rule hits the secondary sorry server.
Redirect services and redirect content strings cannot be used with Layer 3 or 4
rules because they use the HTTP protocol.
When you configure a Layer 5 content rule, the CSS directs content requests to
local services. If:
• The local services are not active or configured, the rule sends the HTTP
redirects with the location of the redirect services to the clients.
• The local and redirect services are not active or configured, the rule forwards
the HTTP requests to the primary sorry server.
• All services are down except the secondary sorry server, the rule forwards the
HTTP requests to the secondary sorry server.
For information on adding a service to a content rule or adding primary and
secondary sorry servers, refer to Chapter 7, Configuring Content Rules, the
section “Adding Services to a Content Rule”.


Configuring Service Access


Use the access command to associate an access mechanism with a service for use
during publishing, subscribing, and demand-based replication activities. You
must use this command for each service that offers publishing services. This
command is optional for subscriber services; the subscriber service inherits the
access mechanism from the publisher.
When you use this command to associate an FTP access mechanism with a
service, the base directory of an existing FTP record becomes the tree root. To
maintain coherent mapping between WWW daemons and FTP daemons, make the
FTP access base directory equivalent to the WWW daemon root directory as seen
by clients. For information on creating an FTP record, refer to the (config)
ftp-record command in Chapter 1, Logging in and Getting Started, the section
“Configuring an FTP Record”.
Enter the access ftp record as the name of the existing FTP record. Enter an
unquoted text string with no spaces.
For example:
(config-service[serv1])# access ftp arrowrecord

To remove a service access mechanism, enter:


(config-service[serv1])# no access ftp

Configuring Service Cache Bypass


Use the cache-bypass command to prevent the CSS from applying content rules
to requests originating from a proxy or transparent-cache type service when it
processes the requests. By default, no content rules are applied to requests from a
proxy or transparent-cache type service.

Note For a description of proxy and transparent caching, refer to the
Content Services Switch Advanced Configuration Guide, Chapter 6,
Configuring Caching.


For example:
(config-service[serv1])# cache-bypass

To allow the CSS to apply content rules to requests from a proxy or
transparent-cache type service, enter:
(config-service[serv1])# no cache-bypass

Configuring Network Address Translation for Transparent Caches
Use the transparent-hosttag command to enable destination Network Address
Translation (NAT) for the transparent cache service type.

Note Currently, you can use the transparent-hosttag command only with
a CSS operating in a Client Side Accelerator (CSA) environment.
For details on CSA, refer to the Content Services Switch Advanced
Configuration Guide, Chapter 7, Configuring the CSS Domain
Name Service.

Note For a description of a transparent cache, refer to the Content Services
Switch Advanced Configuration Guide, Chapter 6, Configuring
Caching.

For example:
(config-service[serv1])# transparent-hosttag

To disable destination NATing for the transparent cache service type, enter:
(config-service[serv1])# no transparent-hosttag


Configuring a Service to Bypass a Cache Farm


Use the bypass-hosttag command to allow the Client Side Accelerator (CSA) on
the CSS to bypass a cache farm and establish a connection with the origin server
to retrieve non-cacheable content. The domain name from the host tag field is
used to look up the origin IP address on the CSA.

Note Currently, you can use the bypass-hosttag command only with a
CSS operating in a CSA environment. For details on CSA, refer to
the Content Services Switch Advanced Configuration Guide,
Chapter 7, Configuring the CSS Domain Name Service.

For example:
(config-service[serv1])# bypass-hosttag

To disable bypassing cache for non-cacheable content, enter:


(config-service[serv1])# no bypass-hosttag

Configuring Keepalives for a Service


Use the keepalive command to configure keepalive message parameters for a
service. With keepalive messages you can determine whether or not a service is
still functioning. When you configure a keepalive for a service, the CSS
periodically sends a message to the service based on the keepalive frequency to
determine the state of the service. See the “Configuring Keepalive Frequency”
section. The CSS considers the service to be alive when the service responds to the
keepalive message.
The CSS transitions the service to the dying state when the service fails to respond
to a keepalive message. The CSS tests whether the failed service is functional by
sending a keepalive message at time intervals based on the retry period. See the
“Configuring Keepalive Retryperiod” section.
The CSS transitions the service to the dead state if the service fails to respond
to the keepalive message for the maximum number of retries. See the “Configuring
Keepalive Maxfailure” section. The CSS then removes the service from the
load-balancing algorithm. The CSS continues to test whether the service is
functional at time intervals based on the retry period.


Thus, using the default values of a 5-second keepalive frequency interval, a
5-second retry period interval, and a maximum of three failures, a service can
transition from the alive state to the dead state in 20 seconds: a 5-second interval
between a keepalive response and the initial keepalive failure, based on the
keepalive frequency, followed by three failures, each occurring at 5-second
intervals based on the retry period.
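The timing described above, worked through as a small simulation. This is an added example, not Cisco code; the function names are hypothetical, and the rule that any response returns a dying or dead service to alive is an assumption drawn from the description in this section.

```python
def time_to_dead(frequency=5, retryperiod=5, maxfailure=3):
    """Longest time between the last good response and the dead state:
    one frequency interval to the initial failure, then maxfailure
    failed retries spaced retryperiod seconds apart."""
    return frequency + maxfailure * retryperiod


def simulate(responds, frequency=5, retryperiod=5, maxfailure=3, duration=60):
    """Replay keepalive probes and return the state transitions.

    responds(t) -> bool says whether the service answers the probe sent at
    second t. The last good response is taken to be at t=0.
    Returns a list of (time, new_state) tuples.
    """
    state = "ALIVE"
    failed_retries = 0
    transitions = []
    t = frequency                      # first probe after the last good response
    while t <= duration:
        if responds(t):
            # Assumption: a response in any state returns the service to alive.
            if state != "ALIVE":
                transitions.append((t, "ALIVE"))
            state, failed_retries = "ALIVE", 0
        elif state == "ALIVE":
            # Initial failure: not yet counted against maxfailure.
            state, failed_retries = "DYING", 0
            transitions.append((t, "DYING"))
        elif state == "DYING":
            failed_retries += 1
            if failed_retries >= maxfailure:
                state = "DEAD"         # removed from load balancing
                transitions.append((t, "DEAD"))
        # In DEAD the CSS keeps probing at the retry period; nothing changes
        # until the service responds again.
        t += frequency if state == "ALIVE" else retryperiod
    return transitions


if __name__ == "__main__":
    # Service stops answering right after its last good response at t=0.
    print(simulate(lambda t: False))
    # Same failure, using the values from this chapter's command examples
    # (keepalive frequency 15, retryperiod 60, maxfailure 5) combined.
    print(time_to_dead(15, 60, 5), "seconds before the service is marked dead")
    # Constructed flapping case: one answered retry at t=20 resets the count.
    print(simulate(lambda t: t == 20))
```

With the defaults the first run reports DYING at 5 seconds and DEAD at 20 seconds; the combined example values give 315 seconds, during which new flows can still be sent to a failed service.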
Keepalives are a valuable and recommended attribute to set for a service. This
information enables the CSS to take action rapidly when a service fails. The CSS
supports a maximum of 512 keepalives (which can include a maximum of 255
script keepalives). The CSS supports a maximum of 256 keepalives of one type.
These keepalives include:
• Global keepalives configured in keepalive configuration mode. The CSS
counts a global keepalive as one keepalive regardless of the number of
services you assign to it through the (config-service) keepalive type named
command.
• ICMP, HTTP, TCP, FTP, and script keepalives configured and assigned to a
service through the (config-service) keepalive command. Each time you
assign one of these keepalives to a service through the (config-service)
keepalive type command, the CSS counts it as one keepalive.

Caution Do not configure more than 256 keepalives of one type. Do not
configure more than 512 total keepalives. Any services assigned to
keepalives over 512 will not be eligible for content rule selection.

Caution You can configure a maximum of 255 script keepalives on a CSS
(out of a maximum of 512 keepalives). Of the 255 script keepalives,
you can configure a maximum of 16 keepalives to use script output.
For details, refer to the “Script Keepalives” section earlier in this
chapter.

The options for this service mode command are:


• keepalive frequency - Specify the keepalive message frequency
• keepalive maxfailure - Specify the number of times the service can fail to
respond to a keepalive message before it is considered down
• keepalive method - Specify the HTTP method for the service

• keepalive port - Specify the port to be used for keepalives
• keepalive retryperiod - Specify the keepalive retry period for the service
• keepalive type - Specify the type of keepalive message for the service
• keepalive uri - Specify the content information of an HTTP keepalive URI
for the service
• keepalive hash - Specify the MD5 hash that is compared for HTTP
keepalives that use the GET method
For more information on these options and associated variables, refer to the
following sections.

Configuring Keepalive Frequency


Use the keepalive frequency command to specify the time in seconds between
sending keepalive messages to a service. Specify a frequency from 2 to 255
seconds. The default is 5 seconds.

Caution If you configure more than 16 script keepalives, the CSS
automatically adjusts the keepalive frequency time to a value that
best fits the resource usage. Note that this adjustment also affects the
keepalive retry period value (see “Configuring Keepalive
Retryperiod”) by adjusting that value to a number that is one-half the
adjusted frequency time. If this occurs, you may observe in the
output of the show service command that your previously set
keepalive frequency and retry period times change to a different
value, as determined by the CSS.

For example, enter:


(config-service[serv1])# keepalive frequency 15

To reset the frequency to its default value of 5, enter:


(config-service[serv1])# no keepalive frequency


Configuring Keepalive Maxfailure


Use the keepalive maxfailure command to specify the number of times a service
can fail to respond to a keepalive message before being considered down. Specify
a maximum failure number from 1 to 10. The default is 3.
For example, enter:
(config-service[serv1])# keepalive maxfailure 5

To reset the maximum failure number to its default value of 3, enter:


(config-service[serv1])# no keepalive maxfailure

Configuring Keepalive Method


Use the keepalive method command to specify the HTTP keepalive method for
a service. The syntax and options for this service mode command are:
• method get - The CSS issues an HTTP GET method to the service, computes
a hash value on the page, and stores the hash value as a reference hash.
Subsequent GETs require a 200 OK status (HTTP command completed OK
response) and the hash value to equal the reference hash value. If the 200 OK
status is not returned, or if the 200 OK status is returned but the hash value is
different from the reference hash value, the CSS considers the service down.
When you specify the content information of an HTTP Uniform Resource
Identifier (URI) for an HTTP keepalive, the CSS calculates a hash value for
the content. If the content information changes, the hash value no longer
matches the original hash value and the CSS assumes that the service is down.
To prevent the CSS from assuming that a service is down due to a hash value
mismatch, specify the keepalive method as head.
• method head (default) - The CSS issues an HTTP HEAD method to the
service and a 200 OK status is required. The CSS does not compute a
reference hash value for this type of keepalive. If the 200 OK status is not
returned, the CSS considers the service down.
For example, enter:
(config-service[serv1])# keepalive method get


Configuring Keepalive Port


Use the keepalive port command to specify the port number used for keepalives.
Enter the number as an integer from 0 to 65535. The default setting is based on
the configured service port number. Otherwise, the default setting is based on the
keepalive type. If the keepalive type is:
• HTTP or TCP, the default port number is 80
• FTP, the default port number is 21

Note If you do not configure a keepalive port, the TCP keepalive uses the
service port configured with the (config-service) port command. If
you do not configure either port, the TCP keepalive uses port 80.

For example, to specify port 8080 as the keepalive port for service serv1, enter:
(config-service[serv1])# keepalive port 8080

To reset the TCP keepalive port to its default of 0, enter:


(config-service[serv1])# no keepalive port

Configuring Keepalive Retryperiod


Use the keepalive retryperiod command to specify the keepalive retry period for
a service. When a service has failed to respond to a given keepalive message (the
service has transitioned to the dying state), the retry period specifies how
frequently the CSS tests the service to see if it is functional. Enter the retry period
as an integer from 2 to 255 seconds. The default is 5 seconds.
For example, to configure a retry period of 60 seconds, enter:
(config-service[serv1])# keepalive retryperiod 60

To reset the retry period to its default value of 5, enter:


(config-service[serv1])# no keepalive retryperiod

Configuring Keepalive Type


Use the keepalive type command to specify the type of keepalive message, if any,
appropriate for a service or to associate a service with a global keepalive.


The syntax and options for this service mode command are:
• keepalive type ftp ftp_record - Keepalive method that accesses an FTP
server by logging into the server as defined in an FTP record file.
• keepalive type http {non-persistent} - An HTTP index page request. By
default, HTTP keepalives attempt to use persistent connections. To disable
this behavior, include the non-persistent option.
• keepalive type icmp - An ICMP echo message (ping). This is the default
keepalive type.
• keepalive type named name - Specify a global keepalive name to associate
the server with a global keepalive. Before using this command, ensure that
the global keepalive is activated through the (config-keepalive) active
command. Assigning a service to a global keepalive overrides any keepalive
properties you assigned in service mode.
• keepalive type none - Do not send keepalive messages to a service.
• keepalive type script script_name {“arguments”} {use-output} - Script
keepalive to be used by the service. The script is played each time the
keepalive is issued. By default, the script does not parse the output. For
details on using script keepalives, refer to the “Script Keepalives” section
earlier in this chapter.

Note To preserve CSS system resources, use script keepalives
only when needed. If an ICMP or HTTP keepalive message
is sufficient to validate the service, then use that type of
message instead of a script keepalive.

• keepalive type tcp - A TCP session that determines service viability (3-way
handshake and reset (RST)).
For example, to set serv1 keepalive type to ftp, enter:
(config-service[serv1])# keepalive type ftp


Configuring Keepalive URI


Use the keepalive uri command to specify the HTTP keepalive content
information for a service. Enter the content information of the URI as a quoted
text string with a maximum of 64 characters. Do not include the host information
in the string. The CSS derives the host information from the service IP address
and the keepalive port number.
For example, enter:
(config-service[serv1])# keepalive uri "/index.html"

To clear the content information for this keepalive, enter:


(config-service[serv1])# no keepalive uri

When you specify the content information of a URI for an HTTP keepalive, the
CSS calculates a hash value for the content. If the content information changes,
the hash value no longer matches the original hash value and the CSS assumes that
the service is down. To prevent the CSS from assuming that a service is down due
to a hash value mismatch, define keepalive method as head. The CSS does not
compute a hash value for this type of keepalive.
If you specify a Web page with changeable content and do not specify the head
keepalive method, you must suspend and reactivate the service each time the
content changes.

Configuring Keepalive Hash


Use the hash command to override the default MD5 hash for a keepalive. The
CSS compares the hash value against the computed hash value of all HTTP GET
responses. A successful comparison results in the keepalive maintaining an
ALIVE state.


To configure the hash value:


1. Configure the keepalive. The example below creates a keepalive GET to a
test page.
(config)# service serv1
(config-service[serv1])# ip address 10.0.3.21
(config-service[serv1])# keepalive type http
(config-service[serv1])# keepalive method get
(config-service[serv1])# keepalive uri "/testpage.html"
(config-service[serv1])# keepalive hash "1024b91e516637aaf9ffca21b4b05b8c"
(config-service[serv1])# active

2. Display the hash value using the show keepalive command. For example,
enter:
(config-service[serv1])# show keepalive
Keepalives:

Name: serv1
Index: 0 State: ALIVE
Description: Auto generated for service serv1
Address: 10.0.3.21 Port: 80
Type: HTTP:GET:/testpage.html
Hash: 1024b91e516637aaf9ffca21b4b05b8c
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:

3. Use the hash value from the keepalive display to configure the keepalive
hash. Enter the MD5 hash as a quoted hexadecimal string up to 32 characters.
For example:
(config-service[serv1])# keepalive hash "1024b91e516637aaf9ffca21b4b05b8c"

An excerpt of the service configuration from the running-config is shown below.


service serv1
ip address 10.0.3.21
keepalive type http
keepalive method get
keepalive uri "/testpage.html"
keepalive hash "1024b91e516637aaf9ffca21b4b05b8c"
active


To clear a hash value and return to the default hash value, enter:
(config-service[serv1])# no keepalive hash
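The decision logic from the keepalive method, keepalive uri, and keepalive hash sections, modeled as an added example (not Cisco code) so you can see offline why a changed page marks a GET-checked service down. The class and function names are hypothetical, the sample pages are constructed, and hashing the response body only is an assumption, since the guide says only that the hash is computed "on the page".

```python
import hashlib


def page_hash(body: bytes) -> str:
    """MD5 hex digest of a response body (32 lowercase hex characters).
    Assumption: the digest covers the body only, not the HTTP headers."""
    return hashlib.md5(body).hexdigest()


class HttpKeepalive:
    """Model of the HEAD and GET keepalive decisions described in this chapter."""

    def __init__(self, method="head", configured_hash=None):
        if method not in ("head", "get"):
            raise ValueError("method must be 'head' or 'get'")
        if configured_hash is not None:
            configured_hash = configured_hash.lower()
            # A complete MD5 digest is exactly 32 hex characters; a shorter or
            # non-hex value could never equal a computed digest.
            if len(configured_hash) != 32 or any(
                c not in "0123456789abcdef" for c in configured_hash
            ):
                raise ValueError("hash must be 32 hexadecimal characters")
        self.method = method
        # None means: learn the reference hash from the first successful GET.
        self.reference = configured_hash

    def probe(self, status: int, body: bytes = b"") -> bool:
        """Return True if this response keeps the service alive."""
        if status != 200:
            return False               # both methods require 200 OK
        if self.method == "head":
            return True                # HEAD never compares content
        digest = page_hash(body)
        if self.reference is None:
            self.reference = digest    # first GET stores the reference hash
            return True
        return digest == self.reference


if __name__ == "__main__":
    # Constructed sample pages.
    static = b"<html><body>service ok</body></html>\n"
    edited = b"<html><body>service ok - updated banner</body></html>\n"

    get_ka = HttpKeepalive("get")
    print("GET, first probe      :", get_ka.probe(200, static))
    print("GET, same page        :", get_ka.probe(200, static))
    print("GET, page edited      :", get_ka.probe(200, edited))

    head_ka = HttpKeepalive("head")
    print("HEAD, page edited     :", head_ka.probe(200, edited))

    pinned = HttpKeepalive("get", configured_hash=page_hash(static))
    print("GET, configured hash  :", pinned.probe(200, edited))
```

MD5 serves here as a change detector for health checking; it is not a collision-resistant integrity control.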

Showing Keepalive Configurations


To display global keepalive configurations, use the show keepalive command. To
display a list of existing keepalives, enter show keepalive ?. This command
provides the following options:
• show keepalive - Displays information for all keepalives
• show keepalive-summary - Display summary information for all keepalives
For example, enter:
(config)# show keepalive

Keepalives:
Name: keepimages Index: 1 State: ALIVE ( ICP Check )
Description: Auto generated for service imageserver1
Address: 172.16.1.7 Port: 80
Type: HTTP:HEAD:/index.html
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services: imageserver1
Name: rualive Index: 2 State: ALIVE
Description: Auto generated for service serv2
Address: 172.16.1.8 Port: 80
Type: HTTP:HEAD:/index.html
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services: serv2

(config)# show keepalive-summary

Keepalives:
keepimages    ALIVE    172.16.1.7
rualive       ALIVE    172.16.1.8


Configuring Maximum TCP Connections


To define the maximum number of TCP connections on a service, use the max
connections command. Enter the maximum number of connections from 0 to
65535. The default is 0, which indicates that there is no limit on the number of
connections.
(config-service[serv1])# max connections 7

To set the maximum TCP connections to the default of 0, enter:


(config-service[serv1])# no max connections

Note Do not use service max connections on UDP content rules. The service connection
counters do not increment and remain at 0 because UDP is a connectionless
protocol.

Activating a Service
Once you configure a service, you must activate it to enable the CSS to access it
for content requests. Activating a service puts it into the resource pool for
load-balancing content requests and starts the keepalive function.
The following command activates service serv1:
(config-service[serv1])# active

Suspending a Service
Suspending a service removes it from the pool for future load-balancing content
requests. Suspending a service does not affect existing content flows, but it
prevents additional connections from accessing the service for its content. You
may want to suspend a service prior to performing maintenance on the service.
The following command suspends service serv1:
(config-service[serv1])# suspend

Note When you suspend a service, the CSS rebalances the remaining
services using the failover setting.


Removing a Service
When you remove a service, the CSS:
• Removes the service from all content rules to which the service has been
added.
• Rebalances the remaining services. The CSS does not apply the failover
setting.

Note You cannot retrieve service information once you issue the remove
service command.

Removing a Service From a Content Rule


To display a list of services added to a content rule, enter the remove service ?
command from the specific owner-content mode. For example:
(config-owner-content[arrowpoint-rule1])# remove service ?
server1
server3

To remove service server1 from owner arrowpoint content rule rule1, enter:
(config-owner-content[arrowpoint-rule1])# remove service server1

Removing a Service From a Source Group


To remove a service from a source group, use the remove service command. To
display a list of services added to a source group, enter the remove service ?
command from the specific group mode. For example:
(config-group[ftpgroup])# remove service ?
server7
serviceftp

For example, to remove service serviceftp from source group ftpgroup, enter:
(config-group[ftpgroup])# remove service serviceftp


Showing Service Configurations


Before activating a service, you may want to display the service configuration to
ensure that all the parameters are correct. The show service command enables
you to display information for a specific service or all services currently
configured in the CSS, depending on the location from where you issue the
command.
You can issue the following show service commands from any mode:
• show service - Display configurations for each service
• show service service_name - Display service information for a specific
service
• show service summary - Display a summary of each service
From a specific service mode, the show service command displays configuration
information only for that service. When you issue this command from any other
mode, it displays configuration information for all services.
For example:
(config)# show service
Name: s1 Index:
Type: Local State: Alive
Rule: (192.168.101.15 ANY ANY )
Keepalive: (ICMP 5 3 5 )
Mtu: 1500 State Transitions: 14
Connections: 0 Max Connections: 0
Total Connections: 0 Total Reused Conns: 0
Weight: 1 Load: 2


The show service summary command displays a summary of all services
currently configured. For example:
(config)# show service summary
Service Name       State   Conn   Weight   Avg    Long   State
                                           Load   Load   Transitions
serv17             DOWN    0      1        254    254    1
serv18             ALIVE   0      0        254    0      5
NS6                ALIVE   0      0        254    0      3
SL3@192.16.10.25   ALIVE   0      1        212    254    1

To display configuration information for all services, enter:


# show service

To display information for a specific service, enter the show service command
with the service name. For example:
# show service serv86

If you are in service mode, to display the configuration information for the current
service, enter:
(config-service[serv86])# show service

Note The connection counters displayed with the show service command
do not increment and remain at 0 for UDP flows. UDP is a
connectionless protocol.

Table 5-4 describes the fields in the show service output.

Table 5-4 Field Descriptions for the show service Command

Field Description
Name The name of the service.
Index The unique numeric index assigned by the CSS.

Type The type for the service. If you do not define a type for the
service, the default service type is local. The possible types are:
• nci-direct-return - A NAT Channel Indication (NCI)
service for NAT peering.
• nci-info-only - The service is NAT Channel indication for
information only.
• proxy-cache - The service is a proxy cache. This type
bypasses content rules for requests from the cache.
• redirect - The service is not directly accessible and requires
redirection.
• redundancy-up - The service is a redundant uplink.
• rep-cache-redir - The service is a replication cache with
redirect.
• rep-store - The service is a replication store server for hot
content.
• rep-store-redir - The service is a replication store to which
content requests are redirected.
• transparent-cache - The service is a transparent cache. No
content rules are applied to requests from the cache.
State The state of the service. The State field reports the
service as either Alive, Dying, Down, or Suspended. The Dying
state reports that a service is failing according to the parameters
configured in the following service mode commands: keepalive
retryperiod, keepalive frequency, and keepalive maxfailure.
When a service enters the Down state, the CSS does not forward
any new connections to it (the service is removed from the load
balancing rotation for the content rule). However, the CSS
keeps all existing connections to the service (connections to that
service are not "torn down").
Rule The address, protocol, and port information for the service.
Redirect Domain The domain name to be used when an HTTP redirect service
generates an “object moved” message for the service.
Redirect String The HTTP redirect string to be used when an HTTP redirect
service generates an “object moved” message for the service.
Keepalive The keepalive type, frequency, maxfailure, and retryperiod. The
possible keepalive types are:
• ftp - The keepalive method that accesses an FTP server by
logging into an FTP server as defined in an FTP record file.
• http - An HTTP index page request. By default, HTTP
keepalives attempt to use persistent connections.
• icmp - An ICMP echo message (default)
• named - Global keepalive defined in keepalive
configuration mode.
• none - Do not send keepalive messages to the service.
• script - Script keepalive to be used by the service. The
script is played each time the keepalive is issued.
• tcp - TCP connection handshake request.
The keepalive frequency value is the time in seconds between
sending keepalive messages to the service. The default is 5. The
range is from 2 to 255. The keepalive maxfailure value is the
number of times the service can fail to respond to a keepalive
message before being considered down. The default is 3. The
range is from 1 to 10. The keepalive retryperiod value is the time
in seconds between sending retry messages to the service. The
default is 5. The range is from 2 to 255.
Mtu The size of the largest datagram that can be sent or received on
the service.
State Transitions The total number of state transitions on the service.
Connections The current number of TCP connections on the service.
Max Connections The configured maximum number of TCP connections on the
service. The default is 0. The range is from 0 to 65535.
Total Connections The total number of connections that have been mapped to the
service.
Total Reused Conns The total number of connections that were reused for multiple
content requests during persistent connections.
Weight The service weight used with load metrics to make load
allocation decisions. The weight is used in ArrowPoint Content
Awareness (ACA) and weighted roundrobin load balancing
decisions. The default is 1. The range is from 1 to 10.
Load/Average Load The current and average load for the service.

Where to Go Next
For information on creating and configuring owners, refer to Chapter 6,
Configuring Owners.

CHAPTER 6
Configuring Owners

This chapter describes how to create and configure owners. Services, which are
associated with content rules, are discussed in Chapter 5, Configuring Services.
Information in this chapter applies to all CSS models except where noted.
This chapter contains the following sections:
• Owner Configuration Quick Start
• Creating an Owner
• Configuring an Owner DNS Balance Type
• Specifying Owner Address
• Specifying Owner Billing Information
• Specifying Case
• Specifying Owner DNS Type
• Specifying Owner Email Address
• Removing an Owner
• Showing Owner Information

Owner Configuration Quick Start


Table 6-1 provides a quick overview of the steps required to configure owners.
Each step includes the CLI command required to complete the task. For a
complete description of each feature and all the options associated with the CLI
command, refer to the sections following Table 6-1.

Table 6-1 Owner Configuration Quick Start

Task and Command Example


1. Enter config mode by typing config.
# config
(config)#
2. Create an owner.
(config)# owner arrowpoint
(config-owner[arrowpoint])#
3. Specify the owner email address.
(config-owner[arrowpoint])# email-address bobo@arrowpoint.com
4. Specify the owner mailing address.
(config-owner[arrowpoint])# address "373 grand ave usa"
5. Specify the owner billing information.
(config-owner[arrowpoint])# billing-info "finance"
6. Display owner information (optional).
(config-owner[arrowpoint])# show owner

Creating an Owner
An owner is generally the person or company who contracts the web hosting
service to host their web content and allocate bandwidth as required. Use the
owner command to create an owner for a content rule. When you create an owner,
you enable the CSS to identify the entity (for example, person, company name, or
other meaningful title) that owns content rules. The CSS can contain many owners
and maintain a configurable profile for each owner.

When creating an owner, you may want to use the owner’s DNS name. Enter the
owner name as an unquoted text string from 1 to 31 characters in length. The
following example creates the owner arrowpoint:
(config)# owner arrowpoint

Once you create an owner, the CLI enters into owner mode.
(config-owner[arrowpoint])#

To remove an owner, use the no owner command. When you remove an owner,
you also remove all content rules created for the owner. For example:
(config-owner[arrowpoint])# no owner arrowpoint

Configuring an Owner DNS Balance Type


Use the dnsbalance command to determine where to resolve a request for a
domain name into an IP address. By default, the content rule will use the DNS
load balancing method assigned to the owner. The DNS load balancing method
configured for the owner applies to all of the owner’s content rules. To set a
different method to a specific content rule, use the (config-owner-content)
dnsbalance command.
The syntax and options for this owner mode command are:
• dnsbalance leastloaded - Resolve the request to the least-loaded of all local
or remote domain sites. The CSS first compares load numbers. If the load
number between domain sites is within 50, then the CSS compares their
response times. The site with the faster response time is considered the
least-loaded site.

Note For the leastloaded option to work properly, all domain sites
must be running a minimum of CSS software version 3.01.

• dnsbalance preferlocal - Resolve the request to a local VIP address. If all
local systems exceed their load threshold, the CSS chooses the least-loaded
remote system VIP address as the resolved address for the domain name.
• dnsbalance roundrobin (default) - Resolve the request by evenly
distributing the load to resolve domain names among content domain sites,
local and remote. The CSS does not include sites that exceed their local load
threshold.
For example:
(config-owner[arrowpoint])# dnsbalance preferlocal

To reset the DNS load balancing method to its default setting of roundrobin,
enter:
(config-owner[arrowpoint])# no dnsbalance

Specifying Owner Address


To enter an address for an owner, use the address command in owner mode. Enter
a quoted text string with a maximum of 128 characters.
For example:
(config-owner[arrowpoint])# address "373 granite ave usa"

To delete an owner address, enter:
(config-owner[arrowpoint])# no address

Specifying Owner Billing Information


To enter billing information for an owner, use the billing-info command in owner
mode. Enter the billing information assigned to an owner as a quoted text string
with a maximum length of 128 characters. For example:
(config-owner[arrowpoint])# billing-info "finance"

To delete an owner's billing information, enter:
(config-owner[arrowpoint])# no billing-info

Specifying Case
To define whether or not the CSS employs case-sensitivity when matching content
requests to an owner’s content rule, use the case command. The default is case
insensitive.
For example, a client requests content from arrowpoint/index.html. If owner
arrowpoint is configured for:
• case sensitive, the request must match content index.html exactly
• case insensitive, the request can be any combination of uppercase and
lowercase letters (for example, Index.html, INDEX.HTML)
To configure owner arrowpoint content rules to be case-sensitive, enter:
(config-owner[arrowpoint])# case sensitive

To return to the default, enter:
(config-owner[arrowpoint])# case insensitive

Specifying Owner DNS Type


To set the peer name exchange policy for a specific owner, use the dns command.
The default is none, which does not set a peer name exchange policy. For
information on configuring DNS, refer to the Content Services Switch Advanced
Configuration Guide.
The syntax and options for this owner mode command are:
• dns accept - Accept all content rules proposed by the CSS peer
• dns push - Push (send) all content rules onto the CSS peer
• dns both - Accept all content rules proposed by the CSS peer and push all
rules onto the CSS peer
For example:
(config-owner[arrowpoint])# dns push

To remove an owner’s peer name exchange policy, enter:
(config-owner[arrowpoint])# no dns

Specifying Owner Email Address


To enter an email address for an owner, use the email-address command in owner
mode. For example:
(config-owner[arrowpoint])# email-address bobo@arrowpoint.com

To remove an owner email address, enter:
(config-owner[arrowpoint])# no email-address

Removing an Owner
To remove an owner, issue the no owner command from config mode as shown
in the following example. You must first exit from the owner mode; you cannot
remove an owner while you are in that owner's mode.
(config)# no owner arrowpoint

Caution Removing an owner also deletes the content rules associated with it.

Showing Owner Information


The show owner command enables you to display owner information for a
specific owner.
Table 6-2 describes the fields in the show owner output.

Table 6-2 Field Descriptions for the show owner Command

Field Description
Name The name of the owner.
Billing Info The billing information about the owner.
Address The postal address for the owner of the Web hosting service.
Email Address The email address for the owner.
DNS Policy The peer DNS exchange policy for the owner. The possible
policies are:
• accept, accepting all content rules proposed by the CSS
peer.
• push, advertising the owner and pushing all content rules
onto the CSS peer.
• both, advertising the owner and pushing all content rules
onto the CSS peer, and accepting all content rules proposed
by the CSS peer.
• none, the default DNS exchange policy for the owner.
The owner is hidden from the CSS peer.
Case Matching Whether the matching of content requests to the owner’s
rules is case sensitive or insensitive.

Showing Owner Summary


The show summary command enables you to display a summary of the following
owner information for all owners or a specific owner:
• Owners
• Content rules
• Services
• Service hits
You can issue the following show summary commands from any mode:
• show summary - Display a summary of all owner information
• show summary owner_name - Display a summary of owner information for
a specific owner

For example:
(config)# show summary

Table 6-3 describes the fields in the show summary output.

Table 6-3 Field Descriptions for the show summary Command

Field Description
Global Bypass Counters
No Rule Bypass Count The number of times that a flow passes through even
though it did not match one of the existing content rules.
ACL Bypass Count The number of times that the ACL immediately sends
traffic to its destination, bypassing the content rule.
URL Params Bypass Count The number of times that content requests match on
content rules that have param-bypass set to enable. The
CSS forwards the content requests to the origin server.
Cache Miss Bypass Count The number of times that TCP connections from the
cache servers bypassed content rules so the cache server
could access the origin server for the requested content.
Garbage Bypass Count The number of times that the CSS examined content
requests and deemed them unrecognizable or corrupt. As
a result, the CSS forwards the content request to the
origin server rather than the cache server.
Owner The owner name.
Content Rules The rule associated with the owner.
State The state of the rule (active or suspended).
Services The services associated with the rule.
Service Hits The number of hits on the service.

Where to Go Next
Once you create and configure an owner, refer to Chapter 7, Configuring Content
Rules, for information on configuring content rules. Content rules instruct the
CSS on how to handle requests for the owner’s content. You create and configure
a content rule within a specific owner mode. This method ensures that the
configured content rule applies only to a specific owner.

CHAPTER 7
Configuring Content Rules

This chapter describes how to create and configure content rules. Services, which
are added to content rules, are discussed in Chapter 5, Configuring Services.
Configuring owners is discussed in Chapter 6, Configuring Owners. Information
in this chapter applies to all CSS models except where noted.
This chapter contains the following sections:
• Service, Owner, and Content Rule Overview
• Naming and Assigning a Content Rule to an Owner
• Configuring a Virtual IP Address
• Configuring a Domain Name Content Rule
• Adding Services to a Content Rule
• Activating a Content Rule
• Suspending a Content Rule
• Removing a Content Rule
• Removing a Service from a Content Rule
• Configuring a Protocol
• Configuring Port Information
• Configuring Load Balancing
• Configuring a DNS Balance Type
• Configuring Hotlists
• Specifying a Uniform Resource Locator
• Specifying a Load Threshold
• Redirecting Requests for Content
• Configuring Persistence, Remapping, and Redirection
• Defining Failover
• Specifying an Application Type
• Showing Content
• Showing Content Rules

Service, Owner, and Content Rule Overview


The CSS enables you to configure services, owners, and content rules to direct
requests for content to a specific destination service (for example, a server or a
port on a server). By configuring services, owners, and content rules, you
optimize and control how the CSS handles each request for specific content.
• A service is a destination location where a piece of content physically resides
(a local or remote server and port). You add services to content rules. Adding
a service to a content rule includes it in the resource pool that the CSS uses
for load balancing requests for content. A service may belong to multiple
content rules.
• An owner is generally the person or company who contracts the web hosting
service to host their web content and allocate bandwidth as required.
• A content rule is a hierarchical rule set containing individual rules that
describe which content (for example, .html files) is accessible by visitors to
the web site, how the content is mirrored, on which server the content resides,
and how the CSS should process requests for the content. Each rule set must
have an owner.
When a request for content is made, the CSS:
1. Uses the owner content rule to translate the owner Virtual IP address (VIP)
or domain name using Network Address Translation (NAT) to the
corresponding service IP address and port.
2. Checks for available services that match the content request.
3. Uses content rules to choose which service can best process the request for
content.
4. Applies all content rules to service the request for content (for example,
load-balancing method, redirects, failover, stickiness).
The CSS uses content rules to determine:
• Where the content physically resides, whether local or remote.
• Where to direct the request for content (which service or services).
• Which load-balancing method to use.
The type of rule also implies the Layer at which the rule functions.
• A Layer 3 content rule implies a destination IP address of the host or network.
• A Layer 4 content rule implies a combination of destination IP address,
protocol, and port.
• A Layer 5 content rule implies a combination of destination IP address,
protocol, port, and URL that may or may not contain an HTTP cookie or a
domain name.

Note A Layer 5 content rule supports the HTTP CONNECT,
GET, HEAD, POST, PUSH, and PUT methods.

Content rules are hierarchical. If a request for content matches more than one rule,
the characteristics of the most specific rule apply to the flow. The hierarchy is
shown below. The CSS uses this order of precedence to process requests for the
content, with 1 being the highest match and 9 being the lowest match.
1. Domain name, IP address, protocol, port, URL
2. Domain name, protocol, port, URL
3. IP address, protocol, port, URL
4. IP address, protocol, port
5. IP address, protocol
6. IP address
7. Protocol, port, URL
8. Protocol, port
9. Protocol

Note The CSS evaluates the content rule hierarchy before it evaluates the
Layer 5 rule URL, cookie strings, or HTTP header information.
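
The following added example (not part of the original guide and not CSS code) models the nine-level hierarchy above as a lookup table and picks the most specific matching rule for a request. It assumes that an unconfigured attribute acts as a wildcard and that URL patterns behave like shell globs; the rule names and sample addresses are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import IPv4Address
from typing import Optional

# Hierarchy from the guide: set of configured attributes -> rank (1 = highest match).
PRECEDENCE = {
    frozenset({"domain", "ip", "protocol", "port", "url"}): 1,
    frozenset({"domain", "protocol", "port", "url"}): 2,
    frozenset({"ip", "protocol", "port", "url"}): 3,
    frozenset({"ip", "protocol", "port"}): 4,
    frozenset({"ip", "protocol"}): 5,
    frozenset({"ip"}): 6,
    frozenset({"protocol", "port", "url"}): 7,
    frozenset({"protocol", "port"}): 8,
    frozenset({"protocol"}): 9,
}

@dataclass(frozen=True)
class Rule:
    name: str
    vip: Optional[str] = None        # None models a rule configured without a VIP
    vip_range: int = 1               # "vip address <ip> range <n>"
    protocol: Optional[str] = None
    port: Optional[int] = None
    domain: Optional[str] = None     # domain part of url "//domain/path"
    url: Optional[str] = None        # path pattern, for example "/*"

    def attributes(self) -> frozenset:
        present = {"domain": self.domain, "ip": self.vip, "protocol": self.protocol,
                   "port": self.port, "url": self.url}
        return frozenset(k for k, v in present.items() if v is not None)

    def rank(self) -> int:
        try:
            return PRECEDENCE[self.attributes()]
        except KeyError:
            raise ValueError(f"{self.name}: combination not in the hierarchy") from None

@dataclass(frozen=True)
class Request:
    dst_ip: str
    protocol: str
    port: int
    host: Optional[str] = None
    path: Optional[str] = None

def matches(rule: Rule, req: Request, case_sensitive: bool = False) -> bool:
    """True when every attribute the rule configures agrees with the request."""
    if rule.vip is not None:
        first = int(IPv4Address(rule.vip))
        if not first <= int(IPv4Address(req.dst_ip)) < first + rule.vip_range:
            return False
    if rule.protocol is not None and rule.protocol != req.protocol:
        return False
    if rule.port is not None and rule.port != req.port:
        return False
    if rule.domain is not None:
        # Domain names in content rules are case-insensitive regardless of "case".
        if req.host is None or rule.domain.lower() != req.host.lower():
            return False
    if rule.url is not None:
        if req.path is None:
            return False
        pattern, path = rule.url, req.path
        if not case_sensitive:       # the owner default is case insensitive
            pattern, path = pattern.lower(), path.lower()
        if not fnmatchcase(path, pattern):   # glob matching is an assumption
            return False
    return True

def select_rule(rules, req: Request, case_sensitive: bool = False) -> Optional[Rule]:
    """Return the matching rule with the best (lowest) rank, or None."""
    candidates = [r for r in rules if matches(r, req, case_sensitive)]
    return min(candidates, key=Rule.rank, default=None)

# Constructed sample rules, one per hierarchy level 2, 4, 6 and 8.
SAMPLE_RULES = [
    Rule("domain-cache", protocol="tcp", port=80, domain="www.arrowpoint.com", url="/*"),
    Rule("rule1", vip="192.168.3.6", vip_range=10, protocol="tcp", port=80),
    Rule("rule-l3", vip="192.168.3.6"),
    Rule("wildcard-http", protocol="tcp", port=80),
]

if __name__ == "__main__":
    for req in (
        Request("192.168.3.8", "tcp", 80, "WWW.ARROWPOINT.COM", "/index.html"),
        Request("192.168.3.8", "tcp", 80, "other.example", "/index.html"),
        Request("10.3.6.1", "tcp", 80, None, "/"),   # addressed straight to a server IP
    ):
        hit = select_rule(SAMPLE_RULES, req)
        print(req.dst_ip, req.host, "->", hit.name if hit else None)
```

The last sample request shows why a rule with no VIP deserves review: traffic addressed directly to a server IP address still lands on it, because nothing in the rule restricts the destination.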

Figure 7-1 illustrates the CSS service, owner, and content rule concepts.

Figure 7-1 Services, Owners, and Content Rules Concepts


Content Rule Configuration Quick Start


Table 7-1 provides a quick overview of the steps required to create and configure
a Layer 3 content rule. Each step includes the CLI command required to complete
the task. For a complete description of each feature and all the content rule
configuration options, refer to the sections following Table 7-1.
Ensure that you have already created and configured a service and owner for the
content rules. The command examples in Table 7-1 create a Layer 3 content rule
for owner arrowpoint.

Table 7-1 Content Rule Configuration Quick Start

Task and Command Example


1. Enter into config mode by typing config.
# config
(config)#
2. Enter into the owner mode for which you wish to create content rules.
(config)# owner arrowpoint
3. Create the content rule for the owner.
(config-owner[arrowpoint])# content rule1

The CSS enters into the owner-content rule mode.
(config-owner-content[arrowpoint-rule1])#
4. Configure a Virtual IP address (VIP) or domain name for the owner content.
This example configures a VIP.
(config-owner-content[arrowpoint-rule1])# vip address 192.168.3.6
This example configures a domain name.
(config-owner-content[arrowpoint-rule1])# url "//www.arrowpoint.com/*"
5. Specify a load balancing type.
(config-owner-content[arrowpoint-rule1])# balance aca
6. Add previously configured services to the content rule.
(config-owner-content[arrowpoint-rule1])# add service serv1
(config-owner-content[arrowpoint-rule1])# add service serv2
7. Activate the content rule.
(config-owner-content[arrowpoint-rule1])# active
8. Display the content rules (optional).
(config-owner-content[arrowpoint-rule1])# show rule

Naming and Assigning a Content Rule to an Owner


To name a content rule and assign it to an owner, use the content command. By
assigning content rules to an owner, you can manage access to the content. Assign
content rules to an owner by creating the content rule in the mode for that owner.
The CSS identifies content rules by the names you assign. Enter a content rule
name from 1 to 31 characters.
The example below assigns:
• The name rule1 to the content rule
• Content rule rule1 to owner arrowpoint
(config-owner[arrowpoint])# content rule1

Once you assign a content rule to an owner, the CLI prompt changes to reflect the
specific owner and content rule mode.
(config-owner-content[arrowpoint-rule1])#

Within owner and content mode, you can configure how the CSS will handle
requests for the content. To remove an existing content rule from an owner, issue
the no content command from owner mode:
(config-owner[arrowpoint])# no content rule1

Configuring a Virtual IP Address


Note The CSS supports stateless redundancy failover on CSSs operating
in an IP redundancy or a VIP/interface redundancy configuration.
Stateless redundancy failover requires a very specific redundant
CSS configuration, which includes content rule VIP addresses. For
details, refer to the Content Services Switch Advanced Configuration
Guide, Chapter 5, Configuring Redundant Content Services
Switches.

A Virtual IP address (VIP) is an address that an Internet Domain Name System
(DNS) provides when asked to resolve a domain name. For example,
www.arrowpoint.com may be translated to the VIP 192.217.4.15 by a DNS server.
VIPs are generally assigned by Internet Service Providers (ISPs), who request
them from the Internet Assigned Name Authority (IANA).
Assigning a VIP to owner content enables the CSS to translate (using Network
Address Translation [NAT]) the VIP to the IP address of the service where the
content resides.

Note The CSS allows you to configure a domain name instead of a VIP.
See the next section for information on configuring a domain name.
You may configure either a VIP, a domain name, or both in a content
rule.

To enable the CSS to translate an owner’s Internet IP address to the IP address of
the service where the content resides, configure a VIP to the owner content. By
translating a VIP to the service IP address, the CSS enhances network security
because it prevents users from accessing your private network IP addresses.

Caution Ensure that all VIPs are unique IP addresses. Do not configure a VIP
to the same address as an existing IP address on your network or a
static ARP entry.

Note When you configure a rule without a VIP, the rule will match on any
VIP that matches the other configured rule attributes (for example,
port and protocol). If you have a configuration that requires this type
of rule (called a wildcard VIP rule), be aware that the client request
will match on this rule when the client request attempts to connect
directly to a server IP address.

The variables and options for the vip address command include:
• ip_address or host - The IP address or name for the content rule. Enter the
address in either dotted-decimal IP notation (for example, 192.168.11.1) or
mnemonic host-name format (for example, myhost.mydomain.com).
• range number - The range option and variable allows you to specify a range
of IP addresses starting with the VIP address. Enter a number from 1 to
65535. The default range is 1. The ip_or_host variable is the first address in
the range. For example, if you enter a VIP of 172.16.3.6 with a range of 10,
the VIP addresses will range from 172.16.3.6 to 172.16.3.15.

Note When you use an FTP content rule with a configured VIP address
range, be sure to configure the corresponding source group with the
same VIP address range (refer to the Content Services Switch
Advanced Configuration Guide, Chapter 3, Configuring Source
Groups, ACLs, EQLs, URQLs, NQLs, and DQLs).

To configure a Virtual IP address (VIP), issue the vip address command and
specify either an IP address or a host name. For example:
(config-owner-content[arrowpoint-rule1])# vip address 192.168.3.6

To configure a Virtual IP address (VIP) with a range of 10, issue the vip address
command with the range option. For example:
(config-owner-content[arrowpoint-rule1])# vip address 192.168.3.6 range 10

When using the vip address range command, use IP addresses that are within the
subnet you are using. The CSS does not arp for IP addresses that are not on the
circuit subnet. For example, if you configure the circuit for 10.10.10.1/24 and
configure the VIP range as 10.10.10.2 range 400, the CSS will not arp for any IP
addresses beyond 10.10.10.254. Using the same example with a VIP range of 200,
the CSS will arp for all IP addresses in the range.
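
The range arithmetic above can be checked before a rule is committed. This added example (not from the original guide) computes the last address of a VIP range, how many of its addresses fall on the circuit subnet, and whether the range overlaps addresses already in use, which the Caution on unique VIPs warns against. The function name, the `in_use` list, and the reading of "beyond 10.10.10.254" as excluding the subnet's network and broadcast addresses are assumptions.

```python
from ipaddress import IPv4Address, IPv4Interface

def audit_vip_range(circuit, first_vip, count=1, in_use=()):
    """Audit 'vip address <first_vip> range <count>' against a circuit subnet.

    circuit   -- circuit address with prefix length, for example "10.10.10.1/24"
    first_vip -- first address in the VIP range
    count     -- the range value (1 to 65535, default 1)
    in_use    -- addresses already assigned on the network (hypothetical
                 inventory: circuit IPs, service IPs, static ARP entries)
    """
    if not 1 <= count <= 65535:
        raise ValueError("range must be from 1 to 65535")

    net = IPv4Interface(circuit).network
    first = IPv4Address(first_vip)
    last = first + (count - 1)

    # Host addresses on the circuit subnet (assumption: network and broadcast
    # addresses are excluded, matching the guide's 10.10.10.254 upper bound).
    lo = net.network_address + 1
    hi = net.broadcast_address - 1

    arp_first, arp_last = max(first, lo), min(last, hi)
    answered = max(0, int(arp_last) - int(arp_first) + 1)

    # A VIP must not reuse an address that already exists on the network.
    collisions = sorted(a for a in map(IPv4Address, in_use) if first <= a <= last)

    return {
        "first": str(first),
        "last": str(last),
        "answered": answered,                 # addresses the CSS will ARP for
        "unanswered": count - answered,       # addresses outside the circuit subnet
        "last_answered": str(arp_last) if answered else None,
        "collisions": [str(a) for a in collisions],
    }

if __name__ == "__main__":
    # The two cases from the guide, plus a constructed inventory of used addresses.
    for count in (400, 200):
        print(count, audit_vip_range("10.10.10.1/24", "10.10.10.2", count,
                                     in_use=["10.10.10.1", "10.10.10.58"]))
```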
To remove a VIP from a content rule, enter:
(config-owner-content[arrowpoint-rule1])# no vip address

Note When you ping a VIP, the CSS only responds if there is at least one
live service, live sorry server, or redirect string configured for the
VIP. If the services or sorry servers are down and you have not
defined a redirect string for the VIP, the CSS does not respond to the
ping.

Figure 7-2 shows an example of configuring a VIP. In this example, a user
requests content from arrowpoint. The content physically resides on the server
with IP address 10.3.6.1. By configuring VIP 158.37.6.0 to the content, the CSS
translates the VIP to the server IP address where the content actually resides
without exposing internal IP addresses.

Figure 7-2 Example of Configuring a Virtual IP Address

[Figure: network diagram. Labels: client PC requesting content from arrowpoint (VIP 158.37.6.0); Router1; CSS with interfaces Ethernet-2, Ethernet-3, and Ethernet-4; VLAN2 with addresses 158.3.7.2 and 158.3.7.58; VLAN1 10.3.6.58; Serv1 10.3.6.1; Serv2 10.3.6.2; Owner - arrowpoint; Content - rule1; VIP 158.37.6.0.]

Configuring a Domain Name Content Rule


The CSS allows you to use a domain name in place of, or in conjunction with, a
VIP in a content rule. Using a domain name in a content rule enables you to:
• Enable service provisioning to be independent of IP-to-domain name
mappings
• Provision cache bandwidth as needed based on domain names

Note Domain names in content rules are case-insensitive, regardless of
the case command setting.

To configure a domain name in a content rule, use the url command and place two
slash characters (//) at the front of the quoted url_name or url_path.

For example:
(config-owner-content[arrowpoint-rule1])# url "//www.arrowpoint.com/*"

Use domain name rules rather than VIP rules when you have several transparent
caches and you want certain domains to use the most powerful cache server. You
want all other domains load balanced among the remaining cache servers. For this
configuration, set up a domain name rule for the specific domains you want
directed to the powerful cache server. Then configure a wildcard VIP rule (specify
port 80 and no VIP) to balance all other HTTP traffic among the remaining
caches.
You may use a single VIP in front of a server that is hosting many domain names.
Over time, some of the domain names may receive more traffic and could benefit
from having their content on a separate server. To segregate the traffic, configure
the domain names you want directed to specific services. You do not need to
configure additional VIPs for the domain names because the CSS will use the
domain names as the matching criteria in the content rules.

Disabling a Domain Name System in a Content Rule


To disable DNS in a content rule, use the dns-disable-local command. The CSS
informs other CSSs through APP that the services related to the content rule are
not available for DNS activities. However, the services remain active for other
functions.
For example, to disable DNS for a specific content rule, enter:
(config-owner-content[arrowpoint-rule1])# dns-disable-local

To enable DNS in the content rule, use the no dns-disable-local command. For
example:
(config-owner-content[arrowpoint-rule1])# no dns-disable-local

Matching Content Rules on Multiple Domain Names


When you have a requirement for a content rule to match on multiple domain
names, you can associate a Domain Qualifier List (DQL) to the rule. A DQL is a
list of domain names that you configure. You can use a DQL on a rule to specify
that content requests for each domain in the list will match on the rule.
You can determine the order that the domain names are listed in the DQL. You can
arrange the names in a DQL by assigning an index number as you add the name
to the list.
DQLs exist independently of any range mapping. You can use them as matching
criteria to balance across servers that do not have IP addresses or port ranges. If
you want to use range mapping when using a service range, you need to consider
the index of any domain name in the DQL. If you are not using service ranges with
DQLs, you do not need to configure any index and the default index is 1.
For example, you could configure a DQL named Woodworker.
(config)# dql Woodworker

The domain names you could add as part of the DQL include www.wood.com,
www.woodworker.com, www.maple.com, www.oak.com. You could configure
www.wood.com and www.woodworker.com to have the same mapping index. You
can enter indexes from 1 to 1000 and provide an optional quoted description for
each index.
For example:
(config-dql[Woodworker])# domain www.wood.com index 1 "This is the same as the woodworker domain"
(config-dql[Woodworker])# domain www.woodworker.com index 1
(config-dql[Woodworker])# domain www.maple.com index 2
(config-dql[Woodworker])# domain www.oak.com index 3

If you specify a DQL as a matching criterion for content rule WoodSites, and there
are two services, S1 and S2, associated with the rule, the CSS checks the services
at mapping time for ranges. To add a DQL to a content rule, use the url command
as shown:
(config-owner-content[WoodSites])# url "/*" dql Woodworker


For example, if the CSS receives a request for www.oak.com along with other
criteria, a match on the WoodSites rule occurs on DQL index 3. If the rule has the
roundrobin load balancing method, the CSS examines a service (S2 for this
example) to determine the backend connection mapping parameters. If you
configured S2 with a VIP address of 10.0.0.1 with a range of 5, the addresses
include 10.0.0.1 through 10.0.0.5. Because this service has a range of addresses
and any as its port, the DQL index of 3 matches the service VIP range index of 3,
which is address 10.0.0.3.
To delete a DQL, use the no dql command. For example:
(config)# no dql Woodworker

Note You cannot delete a DQL currently in use by a content rule.

For a complete description of DQLs, refer to the Content Services Switch
Advanced Configuration Guide.

Configuring a Content Rule using a Domain Name and a Virtual IP Address

Use a domain name and a virtual IP address (VIP) in a content rule when you want
the CSS to match content requests going to a specific domain at a specific VIP. If
the CSS is serving more than one VIP at the domain name, configure two domain
name content rules and specify the different VIPs.


This configuration is shown in the sample running-config below. Note that
because the IP addresses in the example below are contiguous, you could use the
vip address range command to specify a VIP range of 2.
content domainRule1
  vip address 192.168.1.1
  protocol tcp
  port 80
  url "//www.domain.com/*"
  add service Serv1
  active

content domainRule2
  vip address 192.168.1.2
  protocol tcp
  port 80
  url "//www.domain.com/*"
  add service Serv1
  active

If your network topology does not require that the CSS ARP-reply for VIPs, you
do not need to configure separate content rules for the domain name and VIP. In
this situation, a domain name content rule without a VIP is sufficient because it
will match on all content requests going to the domain regardless of the VIP.
An example of a topology where ARP-replying is not required is when an
upstream router has the CSS statically configured as the next hop router for the
VIPs. A domain name content rule is shown below.
content domainRule3
  protocol tcp
  port 80
  url "//www.domain.com/*"
  add service Serv1
  active


Using Wildcards in Domain Name Content Rules


You can use wildcards in domain names as part of the matching criteria for a
content rule. Domain name wildcards work within the content rule hierarchy. That
is, if a request for content matches more than one rule (including a wildcard
domain name), the characteristics of the most specific rule determine how the
CSS sets up the flow.

Note You cannot use wildcards with either a Domain Qualifier List (DQL)
or a Uniform Resource Locator Qualifier List (URQL).

For example, the following content rule criteria have the highest precedence
because, as a set, they provide the greatest specificity in matching content:
Domain name, IP address, protocol, port, URL
If you want to create a content rule using all these criteria, such as the
configuration shown below, then the content rule matches only on the JPEG files
that are found in the domain whose name starts with “arr”, as well as the other
criteria, including VIP address, protocol, and port number.
(config-owner-content[arrowpoint-rule1])# vip address 192.168.3.6
(config-owner-content[arrowpoint-rule1])# protocol tcp
(config-owner-content[arrowpoint-rule1])# port 80
(config-owner-content[arrowpoint-rule1])# url "//arr*.com/*.jpg"

When the CSS encounters a content rule with a wildcard domain name and
matches according to the content rule hierarchy, it stops the search at that point.
This behavior is consistent with the way that the CSS manages content rules in
general.
For example, if the content request matches on the rule with VIP address
192.168.3.6 and URL /*, the CSS does not continue the search to match on a
second rule with a wildcard VIP address (no address specified) and a URL of
/*.jpg. The specific address match makes the first rule more specific than the
second rule.
To further clarify, if the match occurs on a rule with //arrowpoint*.com/*, the
search stops at that point and does not continue to match on a rule with
//arr*.com/*.gif, because the first rule is a more specific match. Also note that a
fully-specified domain name rule (arrowpoint.com) is more specific than a
wildcard domain name rule (arr*.com).


For example, to have the content rule match on all instances of the text string
“arr” in the domain name portion of the content rule, issue the following
command:
(config-owner-content[arrowpoint-rule1])# url "//www.arr*.com/*"

General Guidelines for Domain Name Wildcards in Content Rules


A domain name is made up of text strings called “words” and word separators
called “dots” (.). The CSS parses the domain name from right word to left word.
The CSS allows wildcards to be used as part of the domain name in one word or
more than one word, but the wildcard cannot start the word.
For example, the CSS supports the following domain names:
• www.arr*.com
• arr*.com
• *.arr*.com
• arr*.home.com
Notice that the wildcard character either appears by itself as a domain word, or
appears to the right of any characters that start a domain word. However, a
wildcard character cannot start a domain name word.
For example, the CSS does not support the following domain names:
• *point.com
• *.*point.com
• *point.home.com

Note You cannot use wildcards on the rightmost portion (for example,
.com, .org, .gov) of the domain name. For this reason, the wildcard
domain name syntax f* is not supported. You can use wildcards in
any other words that make up the domain name.
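
The word-by-word rules above can be checked before a rule is entered, and a supported pattern can be run against a host inventory to see which names it would absorb. This is an added example, not part of the Cisco guide or the CSS software; the function names and the host list are hypothetical, and it assumes that a wildcard never spans a dot and that matching ignores case.

```python
import re


def check_wildcard_domain(pattern):
    """Return the rule violations for a wildcard domain name (empty list = supported)."""
    words = pattern.split(".")
    problems = []
    if "" in words:
        problems.append("empty domain word")
    # Note in the guide: no wildcard in the rightmost word (.com, .org, .gov).
    if "*" in words[-1]:
        problems.append("wildcard in rightmost word '%s'" % words[-1])
    # A wildcard is either a whole word or follows the characters that start
    # the word; it may not start a longer word.
    for word in words[:-1]:
        if word.startswith("*") and word != "*":
            problems.append("wildcard starts word '%s'" % word)
    return problems


def host_matches(pattern, host):
    """Compare pattern and host word by word, rightmost word first.

    Assumptions (not stated in the guide): a wildcard never spans a dot,
    and comparison is case-insensitive.
    """
    p_words = pattern.lower().split(".")
    h_words = host.lower().split(".")
    if len(p_words) != len(h_words):
        return False
    for p_word, h_word in zip(reversed(p_words), reversed(h_words)):
        regex = "[^.]*".join(re.escape(part) for part in p_word.split("*"))
        if re.fullmatch(regex, h_word) is None:
            return False
    return True


def audit(patterns, hosts):
    """For each pattern: is it supported, and which known hosts would it capture?"""
    report = {}
    for pattern in patterns:
        problems = check_wildcard_domain(pattern)
        captures = [] if problems else [h for h in hosts if host_matches(pattern, h)]
        report[pattern] = {"problems": problems, "captures": captures}
    return report


# Patterns are the ones listed in this section; the host names are constructed sample data.
PATTERNS = ["www.arr*.com", "arr*.com", "*.arr*.com", "arr*.home.com",
            "*point.com", "*.*point.com", "*point.home.com", "f*"]
HOSTS = ["www.arrowpoint.com", "arrowpoint.com", "www.arrivals.com",
         "img.arrowpoint.com", "www.point.com"]

if __name__ == "__main__":
    for pattern, result in audit(PATTERNS, HOSTS).items():
        if result["problems"]:
            print("%-16s REJECT  %s" % (pattern, "; ".join(result["problems"])))
        else:
            print("%-16s ok      captures %s" % (pattern, result["captures"]))
```

Running the audit against a real host inventory shows how far a short prefix such as arr* reaches before the rule is activated.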


Adding Services to a Content Rule


To add an existing service to a content rule, use the add command. Adding a
service to a content rule includes it in the resource pool that the CSS uses for load
balancing requests for content. The maximum number of services that you can add
into a single content rule is 64. Note that a service may belong to multiple content
rules. To see a list of services you can add to a content rule, enter add service ?.

Note You can only add local services to a content rule that contains either
a Domain Qualifier List (DQL) or a service port range.

The add service command enables you to add the following types of services to
a content rule:
• Service
• Primary Sorry Server
• Secondary Sorry Server
When you configure a Layer 3 or 4 content rule, the rule hits the local services. If:
• The local services are not active or configured, the rule hits the primary sorry
server.
• The primary sorry server fails, the rule hits the secondary sorry server.
Redirect services and redirect content strings cannot be used with Layer 3 or 4
rules because they use the HTTP protocol.


When you configure a Layer 5 content rule, the CSS directs content requests to
local services. If:
• The local services are not active or configured, the rule sends the HTTP
redirects with the location of the redirect services to the clients.
• The local and redirect services are not active or configured, the rule forwards
the HTTP requests to the primary sorry server.
• All services are down except the secondary sorry server, the rule forwards the
HTTP requests to the secondary sorry server.
For information on configuring service types, refer to “Specifying a Service
Type” in Chapter 5, Configuring Services.

Adding a Service to a Content Rule


Use the add service command to add a service to a content rule. The maximum
number of services that you can add into a single content rule is 64.
For example:
(config-owner-content[arrowpoint-rule1])# add service serv2

Specifying a Service Weight


When you add a service to a content rule, you can assign a weight for the service
using the add service weight option. The CSS uses this weight when you
configure weighted roundrobin load balancing on the content rule. When you
assign a higher weight to the service, the CSS redirects more requests to the
service.
To set the weight for a service, enter a number from 1 to 10. The default is the
weight configured for this service through the (config-service) weight command.
By default, all services have a weight of 1.


For example:
(config-owner-content[arrowpoint-rule1])# add service serv2 weight 3

Note When you add a service to content rules, the service weight as
configured in service mode is applied to each rule as a
server-specific attribute. Use the add service weight command to
define a content rule-specific server weight. This command
overrides the server-specific weight and applies only to the content
rule to which you add the service. For information on the
(config-service)# weight command, refer to Chapter 5,
Configuring Services.

Adding a Primary Sorry Server to a Content Rule


Use the primarySorryServer command to configure the primary sorry service
for a content rule. The CSS directs content requests to the primary sorry server
when all other services are unavailable. You can configure this service to contain
content, or to provide a drop or redirect message. This service is not used in load
balancing.

Note Once the CSS directs requests to a primary sorry server, it will
continue to use the primary sorry server even when the original
server becomes functional again. To force the connection back to the
original server you must either suspend the primary sorry server or
wait until the connection is dropped or times out. When a new
session is initiated by the CSS it should go back to the original
server.

Enter the server name as a case-sensitive unquoted text string with no spaces.

Note You can only add a primary sorry server to a rule if its range for the IP address or
port is equal to the range for the IP address or port of each service on the rule. For
example, if the rule has two services each with a range of three addresses, the
primary sorry server must have a range of three addresses.


For example:
(config-owner-content[arrowpoint-rule1])# primarySorryServer slowserver

To remove a primary sorry service, enter:
(config-owner-content[arrowpoint-rule1])# no primarySorryServer

Adding a Secondary Sorry Server to a Content Rule


Use the secondarySorryServer command to configure the secondary sorry
service for a content rule. A secondary sorry service is a backup service the CSS
uses when the primary sorry service is unavailable. You can configure this service
to contain content, or to provide a drop or redirect message. This service is not
used in load balancing.
Enter the server name as a case-sensitive unquoted text string with no spaces.

Note You can only add a secondary sorry server to a rule if its range for the IP address
or port is equal to the range for the IP address or port of each service on the rule.
For example, if the rule has two services each with a range of three addresses, the
secondary sorry server must have a range of three addresses.

For example:
(config-owner-content[arrowpoint-rule1])# secondarySorryServer slowestserver

To remove a secondary sorry service, enter:
(config-owner-content[arrowpoint-rule1])# no secondarySorryServer

Adding a Domain Name System to a Content Rule


To specify a DNS name that maps to a content rule, use the add dns command.
The options for this command are:
• add dns dns_name - The DNS name mapped to the content rule. Enter the
name as a case-sensitive unquoted text string with no spaces and a length of
1 to 31 characters.

• add dns dns_name ttl_value - The DNS name mapped to the content rule with
the optional Time to Live (TTL) value in seconds. This value sets how long
the DNS client remembers the IP address response to the query. Enter a value
from 0 to 255. The default is 0.
For example:
(config-owner-content[arrowpoint-rule1])# add dns arrowpoint 120

To remove a DNS name mapped to the content rule, enter:
(config-owner-content[arrowpoint-rule1])# remove dns arrowpoint

Note To configure DNS server functionality on the CSS, use the (config)
dns-server command.

Activating a Content Rule


Activating content enables the CSS to provide access to the content. To activate
specific content, use the active command in content mode.
For example:
(config-owner-content[arrowpoint-rule1])# active

Suspending a Content Rule


Suspending a content rule deactivates it. Suspending a content rule:
• Prevents the CSS from providing access to the content
• Does not affect existing flows to the content
To suspend a content rule, use the suspend command in content mode. For
example:
(config-owner-content[arrowpoint-rule1])# suspend


Removing a Content Rule


To remove an existing content rule, issue the no content command from owner
mode:
(config-owner[arrowpoint])# no content rule1

Removing a Service from a Content Rule


To remove an existing service from a content rule, use the remove command from
owner-content mode. Removing a service removes it from the resource pool that
the CSS uses for balancing the load of requests for content governed by a rule.
When you remove a service, the remaining services are rebalanced.
For example:
(config-owner-content[arrowpoint-rule1])# remove service serv1


Configuring a Protocol
Specifying a protocol in a content rule enables the CSS to direct requests for
content associated with the content rule to use a specific protocol.
You may specify the following protocols for content:
• any (default, meaning the rule will match on a tcp or udp port)
• tcp
• udp
To configure the TCP protocol for content, enter:
(config-owner-content[arrowpoint-rule1])# protocol tcp

To reset the protocol to the default of any, enter:
(config-owner-content[arrowpoint-rule1])# no protocol

Configuring Port Information


Specifying a port enables the CSS to associate a content rule with a specific
TCP/UDP port number. Specify a port number ranging from 0 to 65535.
To configure a port for content, enter:
(config-owner-content[arrowpoint-rule1])# port 80

To reset the port number to the default of 0, enter:
(config-owner-content[arrowpoint-rule1])# no port


Configuring Load Balancing


Note The CSS supports stateless redundancy failover on CSSs operating
in an IP redundancy or a VIP/interface redundancy configuration.
Stateless redundancy failover requires a very specific redundant
CSS configuration. With regard to load balancing, balance srcip is
the only supported load-balancing method. For details on
configuring stateless redundancy failover, refer to the Content
Services Switch Advanced Configuration Guide, Chapter 5,
Configuring Redundant Content Services Switches.

To specify the load-balancing algorithm for a content rule, use the balance
command available in content configuration mode. The options are:
• balance aca - ArrowPoint Content Awareness algorithm. The CSS uses the
normalized response time from client to server to determine the load on each
service. ACA balances the traffic over the services based on load.
• balance destip - Destination IP address division algorithm. The CSS directs
all client requests with the same destination IP address to the same service.
This option is typically used in a caching environment.
• balance domain - Domain name division algorithm. The CSS divides the
alphabet evenly across the number of caches. It parses the host tag for the first
four letters following the first dot and then uses these characters of the
domain name to determine to which server it should forward the request. This
option is typically used in a caching environment.
• balance domainhash - Internal CSS hash algorithm based on the domain
string. The CSS parses the host tag and performs an XOR hash across
the entire host name. It then uses the XOR hash value to determine to which
server to forward the request. This method guarantees that all requests with
the same host tag will be sent to the same server in order to increase the
probability of a cache hit. This option is typically used in a caching
environment.

• balance leastconn - Least connection algorithm. This balance method
chooses a running service that has the least number of connections.
We do not recommend that you use UDP content rules with the leastconn
load-balancing algorithm. The service connection counters do not increment
and remain at 0 because UDP is a connectionless protocol. Because the
counters remain at 0, the CSS will give inconsistent results.
• balance roundrobin - Roundrobin algorithm (default). The CSS resolves the
request by evenly distributing the load to resolve domain names among local
and remote content domain sites.
• balance srcip - Source IP address division algorithm. The CSS directs all
client requests coming from the same source IP address to the same service.
This option is generally used in a caching configuration.
• balance url - URL division algorithm. The CSS divides the alphabet evenly
across the number of caches. It then parses the URL for the first four
characters located after the portion of the URL matched on by the rule. For
example, if the URL in a content rule is configured for "/news/*", the CSS
will balance on the first four characters following "/news/". This option is
typically used in a caching environment.
• balance weightedrr - Weighted roundrobin algorithm. The CSS uses
roundrobin but weighs some services more heavily than others depending on
the server’s configured weight. All servers have a default weight of 1. To set
a server weight, use the add service weight command in owner-content
mode.
• balance urlhash - Internal CSS hash algorithm based on the URL string. The
CSS parses the URL and performs an XOR hash across the URL. It then uses
the XOR hash value to determine to which server to forward the request. This
method guarantees that all requests for the same URL will be sent to the same
server in order to increase the probability of a cache hit. This option is
typically used in a caching environment.
For example, to specify weightedrr load balancing, enter:
(config-owner-content[arrowpoint-rule1])# balance weightedrr

To revert the balance type to the default of roundrobin, enter:
(config-owner-content[arrowpoint-rule1])# no balance


Configuring a DNS Balance Type


Use the dnsbalance command to determine where to resolve a request for a
domain name into an IP address. The syntax and options for this content mode
command are:
• dnsbalance preferlocal - Resolve the request to a local VIP address. If all
local systems exceed their load threshold, the CSS chooses the least loaded
remote system VIP address as the resolved address for the domain name.
• dnsbalance roundrobin - Resolve the request by evenly distributing the load
to resolve domain names among local and remote content domain sites. The
CSS does not include sites that exceed their local load threshold.
• dnsbalance leastloaded - Resolve the request to the least-loaded of all local
or remote domain sites. The CSS first compares load numbers. If the load
number between domain sites is within 50, then the CSS compares their
response times. The site with the faster response time is considered the
least-loaded site.
• dnsbalance useownerdnsbalance - Resolve the request by using the DNS
load balancing method assigned to the owner. This is the default method for
the content rule. If you do not configure an owner method, the CSS uses the
default owner DNS load-balancing method of roundrobin. To configure a
DNS balancing method for an owner, refer to “Configuring an Owner DNS
Balance Type” in Chapter 6, Configuring Owners.
For example:
(config-owner-content[arrowpoint-rule1])# dnsbalance roundrobin

To restore the DNS balance type to the default setting of using the owner’s
method, enter:
(config-owner-content[arrowpoint-rule1])# no dnsbalance


Configuring Hotlists
Use the hotlist command to define a hotlist that lists the content most requested
(hot content) during a user-defined period of time. The CSS enables you to
configure hotlist attributes for content rules. Defining hotlist attributes for a
content rule enables you to determine which content is heavily accessed. With this
information, you can accurately determine which content should be replicated.

Note You must configure and enable a hotlist for replication-store and
replication-cache to work.

You can configure the following attributes for hotlists for specific content from
config-owner-content mode:
• hotlist - Enable the hotlist. To enable a hotlist for a specific content rule, enter
the hotlist command from the corresponding owner-content mode. For
example:
(config-owner-content[arrowpoint-rule1])# hotlist

To disable a hotlist, enter:
(config-owner-content[arrowpoint-rule1])# no hotlist

• hotlist interval - Set the hotlist refresh interval. Enter the interval time in
minutes from 1 to 60. The default is 1. For example:
(config-owner-content[arrowpoint-rule1])# hotlist interval 10

To restore the hotlist interval to the default of 1, enter:
(config-owner-content[arrowpoint-rule1])# no hotlist interval

• hotlist size - Set the size of the hotlist. Enter the total number of entries
maintained for this rule from 1 to 100. The default is 10. For example:
(config-owner-content[arrowpoint-rule1])# hotlist size 10

To restore the hotlist size to the default of 10, enter:
(config-owner-content[arrowpoint-rule1])# no hotlist size

• hotlist threshold - Set the hotlist threshold. Enter an integer from 0 to 65535
to specify the threshold above which a piece of content is considered hot. The
default is 0. For example:
(config-owner-content[arrowpoint-rule1])# hotlist threshold 9

To restore the hotlist threshold default of 0, enter:
(config-owner-content[arrowpoint-rule1])# no hotlist threshold

• hotlist type hitCount - Set the hotlist type to hit count, that is, how many
times the content was accessed. For example:
(config-owner-content[arrowpoint-rule1])# hotlist type hitcount

To restore the hotlist type to the default setting hitCount, enter:
(config-owner-content[arrowpoint-rule1])# no hotlist type

To display hotlist information, use the show domain hotlist command. Table 7-2
describes the fields in the show domain hotlist output.

Table 7-2 Field Descriptions for the show domain hotlist Command

Field                      Description
Hotlist Enabled/Disabled   Enable the domain hotlist. The domain hotlist is
                           disabled by default.
Size                       The configured maximum number of domain entries
                           contained in the hotlist. The default is 10. The
                           number can be from 1 to 100.
Interval                   The configured interval, in minutes, to refresh the
                           domain hotlist and start a new list. The default is
                           1. The interval can be from 1 to 60.
Threshold                  The configured number of domain hits per interval,
                           which must be exceeded for a domain to be considered
                           hot and added to the list. The default is 0, which
                           indicates that the threshold is disabled. The
                           threshold can be from 0 to 65535.
# Hot Domains              The total number of hot domains.
Hits                       The number of hits for a hot domain.
Domain                     The name of the hot domain associated with the Hits
                           field.


Configuring a Domain Hotlist


Use the domain command to enable the domain hotlist and configure domain
hotlist parameters. A domain hotlist lists the most accessed domains on a CSS
during a user-defined period of time. The syntax and options are:
• domain hotlist - Enable the domain hotlist. The domain hotlist is disabled by
default.
• domain hotlist interval minutes - Configure the interval to refresh the
domain hotlist and start a new list. Enter the interval from 1 to 60 minutes.
The default is 1 minute.
• domain hotlist size max_entries - Configure the maximum number of
domain entries contained in the hotlist. Enter the maximum number of entries
from 1 to 100. The default is 10 entries.
• domain hotlist threshold number - Configure the threshold, which is the
number of domain hits per interval that must be exceeded for a domain to be
considered hot and added to the list. Enter the threshold from 0 to 65535. The
default is 0, which disables the threshold.
To enable a domain hotlist, enter:
(config)# domain hotlist

To disable the domain hotlist, enter:
(config)# no domain hotlist

To display the domain hotlist and its configuration, use the show domain hotlist
command (see Table 7-2).


Specifying a Uniform Resource Locator


Use the url command to specify the Uniform Resource Locator (URL) for content
and enable the CSS to access a remote service when a request for content matches
the rule. Enter the URL as a quoted text string with a maximum length of 252
characters. Before you can change the URL for the content rule, you must remove
the current URL first.

Note Do not include the ? or # parameter character in the URL string. The
CSS terminates the URL at these parameter characters.

The syntax and options for this content mode command are:
• url "/url_name" - Specify the URL for the content as a quoted text string
with a maximum length of 252 characters.
• url "/{url_path}/*" eql eql_name - Specify the URL for any content file that
has its file extension defined in the specified Extension Qualifier List (EQL).
• url "/{url_path}/*" dql dql_name {eql_name} - Specify the URL for any
content file that has its domain name defined in the specified Domain
Qualifier List (DQL). You cannot use a DQL in conjunction with a domain
name in a URL. You may optionally include an EQL after the DQL name to
specify file extensions as part of the DQL matching criteria.
• url urql urql_name - Specify a URQL consisting of a group of URLs to this
content rule. Note that you cannot specify both url urql and application ssl
for the same content rule.
The variables are:
• url_name - The URL for the content. Enter a quoted text string with a
maximum length of 252 characters. You must place a slash character (/) at the
beginning of the URL (for example, “/announcements/prize.html”).
To specify a domain name, place two slashes (//) at the beginning of the URL.
For example, “//www.arrowpoint.com/*” allows the rule to match on HTTP
traffic that contains the www.arrowpoint.com domain name in the HTTP host
tag.


To use stickiness based on Secure Socket Layer (SSL) session ID, set the
URL to /*. Also, set the port to 443 with the (config-owner-content) port
command and enable stickiness with the (config-owner-content)
advanced-balance ssl command. Then specify an SSL application type.
You can specify certain wildcard operations for wildcard matching. Use a “*”
character to specify a wildcard match. You can specify a maximum of eight
directories. Each directory name can be a maximum of 32 characters with a
total maximum of 252 characters in the URL. You can specify only one
wildcard per URL.
Examples of supported wildcards are:
• /*.html - Matches all requests with the .html extension.
• /announcements/* - Matches all requests for files in the announcements
directory.
• /announcements/*.html - Matches requests for files in the
announcements directory having .html extensions.
• /announcements/new/*.jpg - Matches requests for all files in the
announcements/new directory that contain the .jpg extension.
• url_path - An optional path to any content file that has its file extension
defined in the EQL. Enter a quoted text string. You must place:
– A slash character (/) at the beginning of the quoted path
– /* characters at the end of the quoted path
For example, “/announcements/new/*”.
• eql_name - The name of the EQL. To see a list of EQLs, enter eql ?.
• urql_name - The name of the URQL. You can only assign one URQL per rule.
To see a list of URQLs, enter urql ?.

Note For caching environments, you can configure a domain content rule
by placing two slash characters (//) at the front of the url_name or
url_path. The rule matches HTTP traffic that contains the domain
name in the HTTP host tag.


For example, to specify a URL that matches all requests for content in the
announcements directory with .html extensions, enter:
(config-owner-content[arrowpoint-products.html])# url "/announcements/*.html"

To remove an URL, enter:
(config-owner-content[arrowpoint-products.html])# no url

To remove a URQL from an URL, enter:
(config-owner-content[arrowpoint-products.html])# no url urql

To display a URL for a content rule, enter the show rule command for the content
rule.

Specifying an Extension Qualifier List in a Uniform Resource Locator

Server selections are based on the Uniform Resource Locator (URL) specified in
the owner content rule. To enable the CSS to access a service when a request for
content matches the extensions contained in a previously defined EQL, specify
the URL and EQL name for the content. For information on creating an EQL, refer
to the Content Services Switch Advanced Configuration Guide.
Specify a URL as a quoted text string with a maximum of 252 characters followed
by eql and the EQL name.

Note Do not specify a file extension in the URL when you use an EQL in
the URL, or the CSS will return an error message. For example, the
CSS will return an error message for the command url "/*.txt" eql
Cacheable. The following command is valid: url "/*" eql
Cacheable.

For example:
(config-owner-content[arrowpoint-products.html])# url "/*" eql graphics

The following example enables the CSS to direct all requests to the correct service
for content that matches:
• Pathnames (/customers/products)
• Extensions listed in the EQL (graphics)
(config-owner-content[arrowpoint-products.html])# url "/customers/products/*" eql graphics

To display a content rule EQL, enter show rule.
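
The URL limits given in the two preceding sections (leading slash, one wildcard, eight directories of at most 32 characters each, 252 characters in total, and no file extension when an EQL is attached) can be checked before a rule is entered on the switch. The following Python linter is an added example, not Cisco code. The names lint_url and lint_config, the sample configuration, the choice not to count the final path component as a directory, and the treatment of the first component of a "//" domain rule as the domain name are assumptions.

```python
import re

MAX_URL_LEN = 252   # total characters in the URL
MAX_DIRS = 8        # directories per URL
MAX_DIR_LEN = 32    # characters per directory name

# Matches: url "<quoted string>" [eql <name>]
URL_CMD = re.compile(r'\burl\s+"([^"]*)"(?:\s+eql\s+(\S+))?')


def lint_url(url, eql=None):
    """Return a list of problems with a url argument; an empty list means it passes."""
    if not url.startswith("/"):
        return ["URL must begin with a slash (/)"]
    problems = []
    if len(url) > MAX_URL_LEN:
        problems.append(f"URL is {len(url)} characters; the maximum is {MAX_URL_LEN}")
    if url.count("*") > 1:
        problems.append("only one wildcard (*) is allowed per URL")

    path = url
    if url.startswith("//"):
        # Domain content rule (assumption): the first component is the
        # domain name and the path starts at the next slash.
        path = "/" + url[2:].partition("/")[2]

    segments = path.split("/")[1:]           # drop the empty piece before the first slash
    dirs, leaf = segments[:-1], segments[-1]  # assumption: the last piece is not a directory
    if len(dirs) > MAX_DIRS:
        problems.append(f"URL has {len(dirs)} directories; the maximum is {MAX_DIRS}")
    for d in dirs:
        if len(d) > MAX_DIR_LEN:
            problems.append(f"directory name {d!r} exceeds {MAX_DIR_LEN} characters")

    if eql is not None:
        if "." in leaf:
            problems.append("do not specify a file extension in the URL when an EQL is used")
        elif not path.endswith("/*"):
            problems.append('with an EQL, the path must end with "/*"')
    return problems


def lint_config(text):
    """Lint every url command in a configuration; return (line_number, problem) pairs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = URL_CMD.search(line)
        if match:
            findings.extend((lineno, p) for p in lint_url(match.group(1), match.group(2)))
    return findings


# Constructed sample, not taken from a real switch.
SAMPLE_CONFIG = """\
owner arrowpoint
  content rule1
    url "/announcements/*.html"
  content rule2
    url "/*.txt" eql Cacheable
  content rule3
    url "/customers/products/*" eql graphics
  content rule4
    url "/a/*/b/*"
"""

if __name__ == "__main__":
    for lineno, problem in lint_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {problem}")
```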

Specifying a Load Threshold


Use the load-threshold command to set the normalized load threshold for the
availability of each local service on a content rule. When the service load metric
exceeds this threshold, the local service becomes unavailable and requests are
redirected to remote services. To define a remote service, use the service mode
type redirect command (refer to “Specifying a Service Type” in Chapter 5,
Configuring Services).
Enter the load threshold as an integer from 2 through 254. The default is 254,
which is the maximum threshold a service can reach before becoming
unavailable. To view the load on services, enter show service. For example:
(config-owner-content[arrowpoint-rule1])# load-threshold 100

To reset the load threshold to its default value of 254, enter:


(config-owner-content[arrowpoint-rule1])# no load-threshold

Redirecting Requests for Content


Use the redirect command to set HTTP status code 302 for a content rule and
specify the alternate location of the content governed by a rule. Use this command
to:
• Make the content unavailable to subsequent requests at its current address.
• Provide an URL to send back to the requestor. You must add an URL to the
content rule for redirect to force the HTTP request. For example, url “/*”.
Enter the URL as a quoted text string with a maximum of 64 characters.

Note If you also set status code 404 (drop message) for content, code 302
takes priority.

Do not configure a service for a redirect-only content rule.

For example:
(config-owner-content[arrowpoint-rule1])# redirect "//www.arrowpoint.com/newlocation.html"

To delete the redirect URL, enter:


(config-owner-content[arrowpoint-rule1])# no redirect

Configuring Persistence, Remapping, and Redirection

During the life of a persistent connection, a CSS must determine if it needs to
move a client connection to a new service based on content rules, load balancing,
and service availability. In some situations, moving the client connection is not
necessary; in other situations, it is mandatory. This section describes how to
configure the CSS to make these decisions using:
• Content rule persistence
• Bypass persistence
• HTTP Redirection
• Service Remapping

Content Rule Persistence


When a CSS receives a request for content from a client, the software checks if
the request matches on a content rule to determine the best service to handle the
request. If the request matches on a content rule, the CSS establishes a client
connection to the best service specified by the content rule. By default, the CSS
keeps the client on the same connection for an entire flow session as long as a new
content request:
• Matches on the same content rule that specified the current service.
• Matches on a new content rule that contains the current service, even if a
different best service is specified by the content rule.
This CSS behavior is known as content rule persistence. If you are using
transparent caches (which prefetch content) or mirrored-content servers, this
scheme works well because the same content is available on each service.
Use the persistent command in content configuration mode to maintain a
persistent connection with a server as long as the above criteria are met. By
default, persistence is enabled. Disabling persistence allows the CSS to move a
connection to a better service on the same rule or to use cache bypass functionality
(EQLs or failover bypass).
For example:
(config-owner-content[arrowpoint-rule1])# persistent

Use the no persistent command on a content rule with:
• A balance method of domain or domain hash when using proxy caches
• A balance method of url or urlhash when using transparent caches
• A failover method of bypass when using transparent caches
• An EQL bypass with a transparent cache
• Adding a sorry server to a content rule
To disable persistence:
(config-owner-content[arrowpoint-rule1])# no persistent

Note If a request for content on a persistent connection matches on a new
content rule that does not contain the current service, or persistence
is disabled and there is a better service configured in the content
rule, the CSS redirects or remaps the current connection to a new
best service based on the setting of the persistence reset command,
if configured. If you do not configure persistence reset, the CSS
performs an HTTP redirect by default. For details, refer to
“Configuring HTTP Redirection and Service Remapping” later in
this chapter.

Configuring Bypass Persistence


If a CSS bypasses a service (for example, a transparent cache is down and failover
bypass is configured) and the next content request on the same TCP connection
matches on a content rule that contains the transparent cache that was down, the
CSS will continue to bypass the cache, by default, even after the bypassed cache
is back online. In this case, the CSS typically sends the content request to the
origin server. This behavior is called bypass persistence.
You can configure the CSS to redirect or remap a bypassed connection using the
bypass persistence global config command in conjunction with the persistence
reset command.
Use the bypass persistence command to determine if the CSS performs either a
remapping or redirection operation to reset a bypassed service when a content
request matches on a content rule, but a previous request caused the bypass. This
global command affects all flows. By default, bypass persistence is enabled.
For example:
(config)# bypass persistence disable

The CSS uses remapping or redirection to reset the connection according to the
setting of the persistence reset method.
(config)# bypass persistence enable

The CSS does not use remapping or redirection to reset the connection and
continues to bypass a service.

Configuring HTTP Redirection and Service Remapping


If you need to place different content on different servers (for example, to
conserve server disk space, for load balancing considerations, or when using
proxy caches), content rule persistence is not useful. In this case, you can disable
persistence by issuing the no persistent command described in “Content Rule
Persistence” earlier in this section.
When the CSS receives a request for content that is not available on the current
service, it must reset the current connection to the service and establish a new
connection to another service (for example, a different proxy cache or the origin
server) that contains the requested content. You can accomplish this in either of
the following ways:
• Redirection - An HTTP technique that resets both the client-to-CSS
(front-end) connection and the CSS-to-service (back-end) connection, then
establishes a new flow to the best service that contains the requested content.
• Service Remapping - A technique that resets only the back-end connection
to the current service and then creates a new back-end connection to the best
service that contains the requested content. This technique is faster and more
efficient than redirection because the CSS does not need to reset and then
reestablish the front-end connection. With Service Remapping, the CSS
strictly manages port mapping to prevent the occurrence of duplicate port
numbers.
Use the persistence reset command with the content rule no persistent command
to cause an HTTP redirection or perform a back-end remapping operation when
resetting a connection to a new back-end service. The global persistence reset
command affects all flow setups that require redirection or remapping.
For example, to enable redirection:
(config)# persistence reset redirect

For example, to enable Service Remapping:


(config)# persistence reset remap

Note The CSS does not use remapping when selecting redirect type
services. Refer to “Specifying a Service Type” in Chapter 5,
Configuring Services.

If your topology consists of a CSS 11800 using ECMP to the servers and server
port NAT configured on the services, to ensure the correct processing of packets
either:
• Enable Service Remapping with the persistence reset remap command.
• Create source groups for the services in the content rule with the add
destination service command.

Specifying an HTTP Redirect String


Use the redirect-string command to specify an HTTP redirect string to be used
when an HTTP redirect service generates an “object moved” message for the
service. The CSS uses the entire configured redirect string as the new location for
the requested content. If no string is configured, the CSS prepends the domain
configured with the (config-service) domain command to the original request. If
neither the redirect string nor the domain name is configured, the CSS uses the
domain in the host-tag field from the original request combined with the requested
HTTP content. If no host tag is found, the CSS uses the IP address of the service
to generate the redirect.

Note You can only use a redirect string on a service type redirect.

Note The redirect-string and (config-service) domain commands are
similar. The CSS returns the redirect-string command string
verbatim as configured. However, the CSS prepends the domain
configured with the (config-service) domain command to the
original requested URL.

Note You cannot configure the redirect-string and (config-service)
domain commands simultaneously on the same service.

The syntax for this service mode command is:


redirect-string string
Enter the HTTP redirect string as an unquoted text string with no spaces and a
maximum length of 64 characters.
For example:
(config-service[serv1])# redirect-string www.arrowpoint.com

To remove the redirect string from the service, enter:


(config-service[serv1])# no redirect-string www.arrowpoint.com
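
The order in which the CSS picks the redirect location (redirect string, then configured domain, then the host tag of the request, then the service IP address) means that a redirect service with neither a redirect string nor a domain returns a location built from the Host header the client sent. The following Python model and audit check is an added example, not Cisco code. The function names, the dictionary layout for a service, and the sample services are assumptions, and the model returns only the host-and-path portion of the location.

```python
MAX_REDIRECT_STRING = 64  # characters, per the redirect-string syntax above


def redirect_target(service, host_header, request_uri):
    """Return (location, source) using the precedence this section describes."""
    if service.get("redirect_string"):
        # The whole configured string is used verbatim as the new location.
        return service["redirect_string"], "redirect-string"
    if service.get("domain"):
        # The configured domain is prepended to the original request.
        return service["domain"] + request_uri, "domain"
    if host_header:
        # Neither is configured: the host tag from the request is used.
        return host_header + request_uri, "host-tag"
    # No host tag either: fall back to the IP address of the service.
    return service["ip"] + request_uri, "service-ip"


def audit_services(services):
    """Return (service_name, finding) pairs for redirect-related settings."""
    findings = []
    for svc in services:
        name = svc["name"]
        rs, dom = svc.get("redirect_string"), svc.get("domain")
        is_redirect = svc.get("type") == "redirect"
        if rs and not is_redirect:
            findings.append((name, "redirect-string is only usable on a service type redirect"))
        if rs and dom:
            findings.append((name, "redirect-string and domain cannot both be configured"))
        if rs and (len(rs) > MAX_REDIRECT_STRING or " " in rs):
            findings.append((name, "redirect-string must be at most 64 characters with no spaces"))
        if is_redirect and not rs and not dom:
            findings.append((name, "no redirect-string or domain: location is built "
                                   "from the host tag of the request"))
    return findings


# Constructed sample services (addresses are documentation-range placeholders).
SAMPLE_SERVICES = [
    {"name": "serv1", "type": "redirect", "ip": "192.0.2.10",
     "redirect_string": "www.arrowpoint.com"},
    {"name": "serv2", "type": "redirect", "ip": "192.0.2.11",
     "domain": "www.arrowpoint.com"},
    {"name": "serv3", "type": "redirect", "ip": "192.0.2.12"},
    {"name": "serv4", "ip": "192.0.2.13",  # default service type
     "redirect_string": "www.arrowpoint.com"},
]

if __name__ == "__main__":
    for svc in SAMPLE_SERVICES[:3]:
        print(svc["name"], redirect_target(svc, "client-supplied.example", "/index.html"))
    for name, finding in audit_services(SAMPLE_SERVICES):
        print(f"{name}: {finding}")
```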

Using Show Remap


Use the show remap command to display the configured persistence reset and
bypass persistence settings. This command is available in all modes.
Table 7-3 describes the fields in the show remap output.

Table 7-3 Field Descriptions for the show remap Command

Field Description
Group SFP Port Map Info This field is currently not used.
Persistence Reset Method The configured persistence reset method when resetting
a connection to a new back-end service. The possible
methods are:
• redirect - Causing an HTTP redirection when
resetting a connection to a new back-end service. An
HTTP redirection resets both sides of the
connection.
• remap - Using a back-end remapping operation
when resetting a connection to a new back-end
service.
Bypass Persistence The configured bypass persistence setting. The possible
settings are:
• disable - The CSS performs either a service
remapping or HTTP redirection operation to reset a
bypassed service when a content request matches on
a content rule, but a previous request caused the
bypass.
• enable - The CSS does not perform remapping or
redirection to reset the connection and continues to
bypass a service. By default, bypass persistence is
enabled.

Defining Failover
Note The CSS supports stateless redundancy failover on CSSs operating
in an IP redundancy or a VIP/interface redundancy configuration.
Stateless redundancy failover requires a very specific redundant
CSS configuration, which includes either failover linear or
failover next as the failover method. For details, refer to the Content
Services Switch Advanced Configuration Guide, Chapter 5,
Configuring Redundant Content Services Switches.

To define how the CSS handles content requests when a service fails or is
suspended, use the failover command. For the CSS to use this setting, ensure that
you configure a keepalive for each service; that is, do not set the keepalive type
to none (the keepalive default is ICMP). The CSS uses the keepalive settings to
monitor the services to determine server health and availability.
The failover command applies to the following caching load balancing types:
• balance domain
• balance url
• balance srcip
• balance destip
• balance domainhash
• balance urlhash

Note If you remove a service (using the remove service command), the
CSS rebalances the remaining services. The CSS does not use the
failover setting.

This command supports the following options:


• failover bypass - Bypass all failed services and send the content request
directly to the origin server. This option is used in a proxy or transparent
cache environment when you want to bypass the failed cache and send the
content request directly to the server that contains the content.
• failover linear (default) - Distribute the content request evenly between the
remaining services.
• failover next - Send the content requests to the cache service next to the
failed service. The CSS selects the service to redirect content requests to by
referring to the order in which you configured the services.
For example:
(config-owner-content[arrowpoint-rule1])# failover bypass

To restore the default setting of failover linear, enter:


(config-owner-content[arrowpoint-rule1])# no failover

Figure 7-3 shows three cache services configured for failover next. If ServerB
fails, the CSS sends ServerB content requests to ServerC, which was configured
after ServerB in the content rule.

Figure 7-3 ServerB Configured for Failover Next
[Figure: the CSS in front of ServerA (33%), ServerB (33%), and ServerC (33% + 33%).]

As shown in Figure 7-4, if ServerC fails, the CSS sends ServerC content requests
to ServerA because no other services were configured after ServerC.

Figure 7-4 ServerC Configured for Failover Next
[Figure: the CSS in front of ServerA (33% + 33%), ServerB (33%), and ServerC (33%).]

Figure 7-5 shows three cache services configured for failover linear. If you
suspend ServerB or if it fails, the CSS does not rebalance the services. It evenly
distributes the ServerB cache workload between servers A and C.
Note that Figure 7-5 and Figure 7-6 use the alphabet to illustrate division balance.

Figure 7-5 Suspended or Failed Service Configured for Failover Linear
[Figure: the CSS in front of ServerA (A-H + I-M), ServerB (I-Q, suspended), and ServerC (R-Z + N-Q).]

Figure 7-6 also shows three cache services configured for failover linear, but in
this example, you remove ServerB using the remove service command from
owner-content mode. Because the CSS does not apply the failover setting when
you remove a service, it rebalances the remaining services.

Figure 7-6 Removing a Service Configured for Failover Linear
[Figure: the CSS in front of ServerA (A-M), ServerB (removed), and ServerC (N-Z).]
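
The difference between the failover methods, and between a failed service and a removed one, is easiest to see by tracking where each part of the request space ends up. The following Python model is an added example, not Cisco code. It uses the alphabet division of Figure 7-5 as its starting point, and it goes beyond the figures by also running a four-service case. The function names and the rule that earlier services absorb any remainder are assumptions chosen to reproduce the figures; the guide does not state how the CSS computes the boundaries. Only a single failed service is modeled.

```python
import string

# Starting division of the request space, copied from Figure 7-5.
# Dict order is the order in which the services were configured.
FIGURE_SHARES = {
    "ServerA": "ABCDEFGH",
    "ServerB": "IJKLMNOPQ",
    "ServerC": "RSTUVWXYZ",
}


def split_evenly(keys, names):
    """Split keys into contiguous runs, one per name (assumed rule:
    earlier names absorb any remainder, which reproduces the figures)."""
    base, extra = divmod(len(keys), len(names))
    shares, pos = {}, 0
    for i, name in enumerate(names):
        size = base + (1 if i < extra else 0)
        shares[name] = keys[pos:pos + size]
        pos += size
    return shares


def route_after_failure(shares, failed, method):
    """Map every key to its destination after one service fails or is suspended."""
    order = list(shares)
    survivors = [n for n in order if n != failed]
    routing = {k: n for n in survivors for k in shares[n]}  # healthy shares stay put
    orphaned = shares[failed]
    if method == "bypass":
        routing.update({k: "origin" for k in orphaned})
    elif method == "next":
        nxt = order[(order.index(failed) + 1) % len(order)]  # wraps to the first service
        routing.update({k: nxt for k in orphaned})
    elif method == "linear":
        for name, keys in split_evenly(orphaned, survivors).items():
            routing.update({k: name for k in keys})
    else:
        raise ValueError(f"unknown failover method: {method}")
    return routing


def route_after_removal(shares, removed):
    """Map every key after remove service: the failover setting is not used
    and the whole request space is divided again among what is left."""
    remaining = [n for n in shares if n != removed]
    all_keys = "".join(shares.values())
    new_shares = split_evenly(all_keys, remaining)
    return {k: n for n, keys in new_shares.items() for k in keys}


def keys_for(routing, destination):
    """Keys that are routed to one destination, as a sorted string."""
    return "".join(sorted(k for k, d in routing.items() if d == destination))


def displaced(shares, routing, gone):
    """Keys that belonged to a still-running service but now go elsewhere."""
    return "".join(sorted(
        k for n, keys in shares.items() if n != gone
        for k in keys if routing[k] != n
    ))


if __name__ == "__main__":
    for method in ("next", "linear", "bypass"):
        r = route_after_failure(FIGURE_SHARES, "ServerB", method)
        print(method, {d: keys_for(r, d) for d in sorted(set(r.values()))})
    four = split_evenly(string.ascii_uppercase, ["S1", "S2", "S3", "S4"])
    print("linear :", repr(displaced(four, route_after_failure(four, "S2", "linear"), "S2")))
    print("removal:", repr(displaced(four, route_after_removal(four, "S2"), "S2")))
```

With three services the linear and removal cases end in the same division, as Figures 7-5 and 7-6 show; with four services, removal also moves requests away from a cache that never failed, while failover linear leaves every healthy share in place.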

Specifying an Application Type


To specify the application type associated with a content rule, use the application
command. The application type enables the CSS to correctly interpret the data
stream to match and parse the content rule. Otherwise, the data stream packets are
rejected. Define an application type for non-standard ports.
When configuring Layer 5 content rules for an application other than HTTP, enter
the appropriate application type to enable the Layer 5 rule to function.

Note A Layer 5 content rule supports the HTTP CONNECT, GET,
HEAD, POST, PUSH, and PUT methods.

The application command enables you to specify the following application types:
• bypass - Bypass the matching of a content rule and send the request directly
to the origin server.
• ftp-control - Process FTP data streams.
• http (default) - Process HTTP data streams.
• realaudio-control - Process RealAudio Control data streams.
• ssl - Process Secure Socket Layer (SSL) protocol data streams. Note that you
cannot specify both url urql and application ssl for the same content rule.
For example, in a content rule that specifies port 21, you may want to configure
the application type as ftp-control. Configuring the content rule to application
type ftp-control instructs the CSS to process only FTP requests coming into
port 21.
(config-owner-content[arrowpoint-rule1])# application type ftp-control

Note When you configure the CSS to support passive FTP on
non-standard FTP control or data ports, the CSS inspects the PASV
227 server response payload in order to NAT the embedded server
IP address and server TCP port number. If you configure the CSS to
perform this NAT through an ACL clause with a preferred source
group, then you must configure the ACL clause to match on the FTP
control port. The CSS does not perform ACL clause matching based
on the embedded FTP PASV payload IP address or TCP port
number.

For example, the following owner portion of a startup-config shows a content rule
configured for application ftp-control.
!************************** OWNER **************************
owner arrowpoint
  content ftprule
    vip address 192.3.6.58
    protocol tcp
    port 21
    application ftp-control
    add serv1
    add serv3
    active

To remove an application type, enter:


(config-owner-content[arrowpoint-rule1])# no application

Enabling Content Requests to Bypass Transparent Caches


Use the param-bypass command to enable content requests to bypass transparent
caches when the CSS detects special terminators in the requests. These
terminators include "#" and "?" which indicate that the content is dependent on
the arguments that follow the terminators. Because the content returned by the
server is dependent on the content request itself, the returned content is deemed
as not cacheable, and the content request is directed to the origin server.
This command contains the following options:
• param-bypass disable (default) - Content requests with special terminators
do not bypass transparent caches.
• param-bypass enable - Content requests with special terminators bypass
transparent caches and are forwarded to the origin server.
For example, to enable the param-bypass command, enter:
(config-owner-content[arrowpoint-rule1])# param-bypass enable

Cisco Content Services Switch Basic Configuration Guide


7-46 78-11424-03
Chapter 7 Configuring Content Rules
Showing Content

Showing Content
The show content command enables you to display all configured content in the
CSS. You can issue the show content command from any mode.
To display content information, enter:
# show content

Content:
There are 2 pieces of content:
Index: 0 <173.168.128.11> TCP Port 80 Best Effort
Index: 1 <173.168.128.11> TCP Port 80 Best Effort
/index.html

The CSS 11800 provides two additional options to the show content command:
• all
• sfp_number
These options display all content entries in the Switch Fabric Processors (SFPs) or
on a specific SFP. Each SFM has two SFPs, for a maximum of four SFPs in a
CSS 11800.
For example:
(config)# show content all

Content Database:

Total pieces of content: 22


Pieces of content for SFP 6/1: 3
Pieces of content for SFP 9/1: 6
Pieces of content for SFP 6/2: 5
Pieces of content for SFP 9/2: 8

Table 7-4 describes the fields in the show content output.

Table 7-4 Field Descriptions for the show content Command

Field Description
Index CSD unique index for a known piece of content.
<address> The IP address of this known piece of content.
Protocol The IP Protocol of this known piece of content.
Port Protocol port of this known piece of content.
Best Effort The QOS class of this known piece of content. This field is not
used by the CSS at this time.

Showing Content Rules


The show rule command displays content rule information for specific content
rules or all content rules currently configured in the CSS. Issue the following
show rule commands from any mode:
• show rule - Display all owners and content rules currently configured in the
CSS
• show rule-summary - Display a summary of owner content information
• show rule owner_name - Display information identical to the show rule
command, but only for the specified owner’s content
• show rule owner_name content_rule_name - Display information identical
to the show rule command, but only for a specific owner and content
• show rule owner_name content_rule_name acl - Display the ACL attributes
for the specified content rule
• show rule owner_name content_rule_name all - Display all attributes for
the specified content rule
• show rule owner_name content_rule_name dns - Display the DNS attributes
for the specified content rule
• show rule owner_name content_rule_name header-field - Display the
header-field attributes for the specified content rule

• show rule owner_name content_rule_name hot-list - Display the hotlist
attributes for the specified content rule
• show rule owner_name content_rule_name services - Display the services
for the specified content rule
• show rule owner_name content_rule_name statistics - Display the statistics
for the specified content rule
• show rule owner_name content_rule_name sticky - Display the sticky
attributes for the specified content rule
To display all content rule information, enter:
# show rule

To display the summary for all content rules, enter:


# show rule-summary

To display all rule attributes for an owner, enter:


# show rule owner content_rule all

Note The CntRuleName and OwnerName fields display the first 16
characters of the configured data. The Url field displays the first 10
characters of configured data.

Table 7-5 describes the fields in the show rule output.

Table 7-5 Field Descriptions for the show rule Command

Field Description
Name The name of the content rule.
Owner The owner of the rule.
Author The author (Local CSS or remote CSS peer) of the
rule.
Index A CSS-assigned unique index for the rule. The
number is based on the order in which the rule was
created.
State The state of the rule (active or suspend).

Type The application type associated with the rule. The
possible values are:
• bypass, to bypass the matching of the content
rule and send the request directly to the origin
server.
• http (default), to process HTTP data streams.
• ftp-control, to process FTP data streams.
• realaudio-control, to process RealAudio Control
data streams.
• ssl, to process Secure Socket Layer (SSL)
protocol data streams.
L3 Destination IP address.
L4 Destination protocol and port.
Url The URL for the content.
URQL The name of the associated URL Qualifier list.
EQL The name of the associated EQL.
DQL The name of the associated DQL.
Header Field Group The name of the associated header-field group.
Total Bytes The total bytes to the content rule.
Total Frames The total frames to the content rule.
Total Redirects The total redirects by the content rule.
Total Rejects The total rejects by the content rule.
Overload Rejects Total rejects on the content rule due to overload on
the rule’s available services.

Balance The load-balancing algorithm for the content rule.
The possible values are:
• ACA - ArrowPoint Content Awareness
algorithm. The CSS correlates content request
frequency with the server’s cache sizes to
improve cache hit rates for that server.
• destip - Destination IP address division. The
CSS directs all client requests with the same
destination IP address to the same service.
• domain - Domain name division. The CSS uses
the domain name in the request URI to direct the
client request to the appropriate service.
• domainhash - Internal CSS hash algorithm
based on the domain string. The CSS uses the
algorithm to hash the entire domain string.
Then, the CSS uses the hash result to choose the
server.

• leastconn - Least connections. The CSS
chooses a running service that has the least
number of connections.
• roundrobin - Roundrobin algorithm (default).
• srcip - Source IP address division. The CSS
directs all client requests with the same source
IP address to the same service.
• url - URL division. The CSS uses the URL
(omitting the leading slash) in the redirect URL
to direct the client requests to the appropriate
service.
• urlhash - Internal CSS hash algorithm based on
the URL string. The CSS uses the algorithm to
hash the entire URL string. Then, the CSS uses
the hash result to choose the server.
• weightedrr - Weighted roundrobin algorithm.
The CSS uses the roundrobin algorithm but
weighs some services more heavily than others.
You can configure the weight of a service when
you add it to the rule.

Advanced Balance The advanced load balancing method for the content
rule, including stickiness. The possible values are:
• arrowpoint-cookie - Enables the content rule to
stick the client to the server based on the unique
service identifier information of the selected
server in the ArrowPoint-generated cookie.
• cookies - Enables the content rule to stick the
client to the server based on the configured
string found in the HTTP cookie header. You
must specify a port in the content rule to use this
option. The CSS will then spoof the connection.
• cookieurl - This is the same as
advanced-balance cookies, but if the CSS
cannot find the cookie header in the HTTP
packet, this type of failover looks up the URL
extensions (that is, the portion after the “?” in
the URL) based on the same string criteria. You
can use this option with any Layer 5 HTTP
content rule.

• none - Disables the advanced-balancing method
for the rule. This is the default setting.
• sticky-srcip - Enables the content rule to stick a
client to a server based on the client IP address,
also known as Layer 3 stickiness. You can use
this option with Layer 3, 4, or 5 content rules.
• sticky-srcip-dstport - Enables the content rule
to stick a client to a server based on both the
client IP address and the server destination port
number, also known as Layer 4 stickiness. You
can use this option with Layer 4 or 5 content
rules.
• ssl - Enables the content rule to stick the client
to the server based on the Secure Socket Layer
(SSL) version 3 session ID assigned by the
server. The application type must be SSL for the
content rule. You must specify a port in the
content rule to use this option. The CSS will
then spoof the connection.
• url - Enables the content rule to stick a client to
a server based on a configured string found in
the URL of the HTTP request. You must specify
a port in the content rule to use this option. The
CSS will then spoof the connection.
Sticky Mask The subnet mask used for stickiness. The default is
255.255.255.255.
Sticky Inactivity timeout The inactivity timeout period on a sticky connection
for a content rule before the CSS removes the sticky
entry from the sticky table. The default value is 0,
which means this feature is disabled. The range is
from 0 to 65535 minutes.

Sticky No Cookie Found Action The action the CSS should take for a sticky cookie
content rule when it cannot locate the cookie header
or the specified cookie string in the client request.
The possible values are:
• loadbalance - The CSS uses the configured
balance method when no cookie is found in the
client request. This is the default setting.
• redirect "URL" - The CSS redirects the client
request to a specified URL string when no
cookie is found in the client request. When using
this option, you must also specify a redirect
URL. Enter the redirect URL as a quoted text
string from 0 to 64 characters.
• reject - The CSS rejects the client request when
no cookie is found in the request.
• service name - The CSS sends the no cookie
client request to the specified service when no
cookie is found in the request.

Sticky Server Down Failover The action that the CSS should take when a sticky
string is found but the associated service has failed
or is suspended. The possible values are:
• Balance - The failover method uses a service
based on the configured load balancing method
(default).
• Redirect - The failover method uses a service
based on the currently configured redirect
string. If a redirect string is not configured, the
load balancing method is used.
• Reject - The failover method rejects the content
request.
• Sticky-srcip - The failover method uses a
service based on the client IP address. This is
dependent on the sticky configuration.
• Sticky-srcip-dstport - The failover method
uses a service based on the client IP address and
the server destination port. This is dependent on
the sticky configuration.
ArrowPoint Cookie Path The pathname where you want to send the
ArrowPoint cookie. The default path of the cookie is
"/".
ArrowPoint Cookie Expiration The expiration time that the CSS compares with the
time associated with the ArrowPoint cookie. If you
do not set an expiration time, the cookie expires
when the client exits the browser.

String Match Criteria The string criteria to derive string results and the
method to choose a destination server for the result.
The string result is a sticky string in the cookie
header, URL, or URL extension based on a sticky
type being configured. Refer to the following fields.
String Range The starting and ending byte positions within a
cookie, URL, or URL extension from a client. By
specifying the range of bytes, the CSS processes the
information located only within the range.
• The default starting byte position is 1. The range
is from 1 to 1999.
• The default ending byte position is 100. The
range is from 2 to 2000.
String Prefix The string prefix located in the sticky range. If you
do not configure the string prefix, the string
functions start from the beginning of the cookie,
URL, or URL extension, depending on the sticky
type. If the string prefix is configured but is not
found in the specified sticky range, load balancing
defaults to the round robin method. The default has
no prefix ("").
String Eos-Char The ASCII characters used as the delimiters for the
sticky string.
String Ascii-Conversion Whether to enable or disable the ASCII conversion
of escaped special characters within the specified
sticky range before applying any processing to the
string. By default, ASCII conversion is enabled.
String Skip-Len The number of bytes to skip after the end of the
prefix to find the string result. The default is 0. The
range is from 0 to 64.

String Process-Len The number of bytes, after the end of the prefix
designated by the string prefix command and
skipping the bytes designated by the string
skip-length command, that the string operation will
use. The default is 0. The range is from 0 to 64.
String Operation The method to choose a destination server for a
string result; derived from the settings of the string
criteria commands. The possible values are:
• match-service-cookie - Choose a server by
matching a service cookie in the sticky string.
This is the default setting. When a match is not
found, the server is chosen by using the
configured balance method (for example,
roundrobin). This is the default method.
• hash-a - Apply a basic hash algorithm on the
hash string to generate the hash key.
• hash-crc32 - Apply the CRC32 algorithm on the
hash string to generate a hash key.
• hash-xor - Exclusive OR (XOR) each byte of
the hash string to derive the final hash key.
Redirect Text used to build an HTTP 302 redirect message
that is sent to the client when the rule is matched.
Persistence Whether or not a persistent connection with a server
is maintained. By default, persistence is enabled.
Param-Bypass Whether or not content requests bypass transparent
caches when the CSS detects special terminators in
the requests. These terminators include "#" and "?"
which indicate that the content is dependent on the
arguments that follow the terminators. Bypass is
disabled by default.

Services Content rule services configuration and statistics
information, as follows.
Local Load Threshold The normalized load threshold for the availability of
each local service on the content rule. When the
service load metric exceeds this threshold, the local
service becomes unavailable and is redirected to the
remote services. The default is 254, which is the
maximum load. The range is from 2 through 254. A
load of 255 indicates that the service is down.
PrimarySorryServer The primary service to be used when all other
services for the content rule are unavailable.
SecondSorryServer The secondary service to be used when all other
services for the content rule are unavailable.
Name The names of the services.
Hits The number of content hits on the service.
Wgt The weight for the service used when you configure
ACA and weighted roundrobin load balancing on the
content rule. With a higher weight, the CSS redirects
more requests to the service.
State The state of the service.
Ld The service load. The range is from 2 to 255. 255
indicates that the service is unavailable.
KAlive The service keepalive type.
Conn The number of connections currently mapped to the
service.
DNS The number of times that the CSS DNS resolver
chose the service as the answer to a DNS client
query.
DNS Names Domain Name Server names.
DNS TTL The Time to Live value in seconds, which determines
how long the DNS client remembers the IP address
response to the query.

DNS Balance Where the CSS resolves a request for a domain name
into an IP address. The possible values are:
• leastloaded - Resolves the request to the
least-loaded local or remote domain site. The
CSS first compares load numbers. If the load
number between domain sites is within 50, then
the CSS compares their response times. The site
with the faster response time is considered the
least loaded site.
• preferlocal - Resolves the request to a local VIP
address. If all local systems exceed their load
threshold, the CSS chooses the least-loaded
remote system VIP address as the resolved
address for the domain name.
• roundrobin - Resolves the request by evenly
distributing the load to resolve domain names
amongst content domain sites, local and remote.
The CSS does not include sites that exceed their
local load threshold.
• useownerdnsbalance - Resolves the request by
using the DNS load balancing method assigned
to the owner. This is the default method for the
content rule. If you do not implicitly set an
owner method, the CSS uses the default owner
DNS load balancing method of roundrobin.

Hotlist Whether or not hotlist is enabled.
Size The total number of hotlist entries that is maintained
for the rule. The default is 10. The range is from 1 to
100.
Type The hotlist type. Currently, the CSS supports only
the hit count hotlist type, which is the default setting.
Hit count is the number of times that the content is
accessed.
Threshold The hit count per interval threshold below which
content is not considered hot. The default is 0. The
range is from 0 to 65535.
Interval The interval, in minutes, for refreshing the hotlist.
The default is 1. The range is from 1 to 60.
Associated ACLs The associated ACLs.

CHAPTER 8
Using the CSS Logging Features

This chapter describes how to enable logging, set up the log buffer, and determine
where to send the activity information. Information in this chapter applies to all
CSS models, except where noted.
This chapter contains the following sections:
• Logging Overview
• Specifying Logging Buffer Size
• Specifying Log File Destination
• Enabling Logging on a Subsystem
• Logging CLI Commands
• Showing Log Files
• Copying Log Files to an FTP or TFTP Server
For more detailed information on displaying and interpreting log messages for the
CSS 11050, CSS 11150, and CSS 11800, refer to the Cisco Content Services
Switch Getting Started Guide, Appendix A, Log Messages.


Logging Overview
The CSS provides logging capabilities for debugging and system monitoring by
generating the log files described in Table 8-1.

Table 8-1 CSS Log File Descriptions

Log File: Boot.log
Destination (default location): Hard disk and console, or flash disk and console
Destination (alternate location): None
Records: Results of the boot process.

Log File: Boot.bak
Destination (default location): Hard disk and console, or flash disk and console
Destination (alternate location): None
Records: Backup of a boot log file. Each time you reboot the CSS, the software
renames the current boot log file to boot.log.prev and starts a new boot log
file. The CSS overwrites an existing backup boot log file when a boot log file
is renamed.

Log File: Sys.log
Destination (default location): Hard disk or flash disk
Destination (alternate location): Console, syslogd, VTY1, VTY2
Records: Log information for user-defined subsystem or CLI commands. By
default, logging is enabled and logs subsystem all with level warning. The CSS
creates sys.log to record this log information.

Log File: Sys.log.prev
Destination (default location): Hard disk or flash disk
Destination (alternate location): Console, syslogd, VTY1, VTY2
Records: Backup of a system log file. When a system log file reaches its
maximum size (50 MB, for a hard disk-based CSS; 10 MB, for a flash disk-based
CSS), the software renames the system log file to sys.log.prev and starts a new
system log file. The CSS overwrites an existing backup system log file when a
system log file is renamed. When you reboot a CSS, the software continues to
use the existing system log file until it reaches its maximum size.

By default, the CSS has boot logging and system logging enabled and writes the
logged information to the log files on the hard disk or flash disk, depending on the
type of storage in your CSS. The maximum size of a log file is 50 MB for hard
disk-based systems and 10 MB for flash disk-based systems. Log file information
is recorded as ASCII text.
You can display or copy a log file using the show log or copy log command,
respectively. For details on the show log command, refer to “Showing Log Files”
in this chapter. For details on the copy log command, refer to “Copying Log Files
to an FTP or TFTP Server” in this chapter.

Note You need SuperUser privileges to use the show log command.


Logging Quick Start Table


If you are familiar with the CSS logging functions, refer to Table 8-2 for the
commands and command options required to configure and enable logging. For
detailed information on the CSS logging functions, refer to the sections following
Table 8-2.

Note Configure all logging commands from config mode except for the
clear log command. The clear log command is available in
SuperUser mode at the root prompt (#).

Table 8-2 Configuring and Enabling Logging

Step 1. Specify the disk buffer size.
Logging option: size - Size of the disk buffer (0 to 64000)
Example: logging buffer 1000

Step 2. Specify the destination (disk, host, line) where you wish to log
subsystem activity.
Logging options:
• disk filename - New or existing filename in the log directory
Example: logging disk stubs
• host ip or host - IP address of the syslog daemon on the host or a host name
Examples: logging host 192.168.11.3
logging host myhost.domain.com
• log line - CSS active session
Example: logging line vty1

Step 3. Select a CSS subsystem and determine which type of activity to log
(default all) and level (default warning).
Logging options:
• subsystem - Valid subsystems: acl, all, app, boomerang, buffer, chassis,
circuit, csdpeer, dql, fac, flowmgr, hfg, ipv4, keepalive, netman, nql, ospf,
pcm, portmapper, proximity, publish, radius, redundancy, replicate, rip,
security, sntp, syssoft, urql, vlanmgr, vpm, vrrp, wcc
• level - Valid levels: fatal-0, alert-1, critical-2, error-3, warning-4,
notice-5, info-6, debug-7
Example: logging subsystem rip level alert-1

Step 4. Optionally, enable the CSS to send log messages to an email address and
specify a level.
Logging options:
• sendmail email address of mail recipient
• IP address or hostname of SMTP host
• level - Valid levels: fatal-0, alert-1, critical-2, error-3, warning-4,
notice-5, info-6, debug-7
Example: logging sendmail us@arrowpoint.com 172.3.6.58 critical

Step 5. Show the log file.
Logging option: filename - Log file to display
Example: show log stubs


Specifying Logging Buffer Size


The logging buffer size is the amount of information the CSS buffers in memory
before outputting the information to disk. The larger you configure the buffer size,
the less frequently the CSS outputs the contents to disk. Specifying a buffer size
is only required if you configure logging to disk.
To set the disk buffering size, use the logging buffer command. Specify the buffer
size from 0 to 64,000 bytes. The default is 0, where the CSS sends the logging
output directly to the log file.
For example, to set the buffer size to 1000 bytes, enter:
(config)# logging buffer 1000

To send the logging output directly to the log file, enter:


(config)# no logging buffer

Specifying Log File Destination


To specify a destination where the CSS logs subsystem activity, use the logging
command. You can specify the following locations for log files:
• disk filename - New or existing filename in the disk log directory
• host ip or host - IP address of the syslog daemon on the host or a host name
• log line - CSS active session
For information on logging to these destinations, refer to the following sections.

Specifying Disk for a Log File Destination


To send log information to disk, use the logging disk command and specify a log
filename. The filename can be new or existing. Enter a text string from 0 to
32 characters.
For example:
(config)# logging disk stubs


When you issue this command, the CSS:


• Stops writing default log information to sys.log
• Creates the filename you specify in the disk log directory
• Sends subsystem and level information to the log filename
You can have only one active log file on the disk at a time. If you wish to send
subsystem information to a different log file on the disk, reenter the logging disk
command with a different filename.

Disabling Logging to Disk


To disable logging to disk, enter:
(config)# no logging disk

When you disable logging to disk, the CSS stops logging to the specified file and
reenables logging to the sys.log file.

Specifying Host for a Log File Destination


To send log information to a syslog daemon on the host system, use the logging
host command and specify:
• An IP address or a host name - The address of the syslog daemon on the host.
Enter the IP address in dotted-decimal notation (for example, 192.168.11.1)
or the mnemonic host name (for example, myhost.mydomain.com).
• facility number - The syslog daemon facility level. Enter a number from 1 to
7. For more information on the syslog daemon and facility levels, refer to
your syslog daemon documentation.
For example:
(config)# logging host 192.168.11.1 facility 3

To turn off logging to a host, enter:


(config)# no logging host


Specifying a Line for a Log File Destination


To send log information to an active CSS session, use the logging line command
and specify a valid log line on the CSS. Enter the line as a case-sensitive text
string with a maximum length of 32 characters.
To display a list of active CSS lines, enter the logging line command as shown.
The * denotes your current session.
(config)# logging line ?

console Login Name: Location:local


*vty1 Login Name: admin Location:10.0.3.35

For example, to send subsystem information to your monitor, enter:


(config)# logging line vty1

To turn off logging, enter the no logging line command.


(config)# no logging line vty1

Enabling Logging on a Subsystem


Use the logging subsystem command to select a CSS subsystem and determine
which type of activity to log. The level you specify instructs the CSS to log
subsystem activity that occurs at that level and at every more severe level.
For example, if you wish to log info messages, the CSS also logs error, critical,
alert, and fatal error levels.
The following example enables logging for the chassis subsystem with a
critical-2 error level. The CSS will log all critical, alert, and fatal errors for the
chassis.
(config)# logging subsystem chassis level critical-2


Table 8-3 defines the CSS subsystems for which you can enable logging.

Table 8-3 Logging Subsystems

Subsystem Definition
acl Access Control List (ACL)
all (default) All CSS subsystems
app Application Peering Protocol (APP)
boomerang DNS Content Routing Agent (CRA)
buffer Buffer manager
chassis Chassis manager
circuit Circuit manager
csdpeer Content Server Database (CSD) peer
dql Domain Qualifier List (DQL)
fac Flow Admission Control (FAC)
flowmgr Flow manager subsystem
hfg Header Field Group (HFG)
ipv4 Internet Protocol version 4 (IPv4)
keepalive Keepalive
netman Network management
nql Network Qualifier List (NQL)
ospf Open Shortest Path First (OSPF)
pcm Proximity CAPP Messaging (PCM)
portmapper Port Mapper
proximity Proximity
publish Publish
radius Remote Authentication Dial-In User Server
(RADIUS)
redundancy CSS redundancy
replicate Content replication
rip RIP

security Security manager
sntp Simple Network Time Protocol (SNTP)
syssoft System software
urql Uniform Resource Locator Qualifier List (URQL)
vlanmgr VLAN manager
vpm Virtual pipe manager
vrrp Virtual Router Redundancy Protocol
wcc Web conversation control

Table 8-4 defines the logging levels you can set for a CSS subsystem. The logging
levels are listed in order of severity with a fatal error being the most severe and
info being the least severe error.

Table 8-4 Subsystem Logging Levels

Level Definition
fatal-0 Fatal errors only.
alert-1 Alert errors, including fatal errors.
critical-2 Critical errors, including alert and fatal errors. The following trap
events log at the critical level: link down, cold start, warm start,
service down, service suspended.
error-3 General errors, including critical, alert, and fatal errors.
warning-4 (default) Warning messages, including all lower levels (error, critical, alert,
and fatal).
notice-5 Notice messages, including all trap events (except for events
logged at critical) and all lower levels except for info and debug.
info-6 Informational messages, including all lower levels except for
debug.
debug-7 Debug messages, including all other error levels.


Disabling Logging for a Subsystem


To reset logging for a subsystem to the default logging level (warning-4), enter
the no version of the logging command. For example:
(config)# no logging subsystem redundancy

Configuring a Log Message for a Subsystem at a Logging Level


Use the cliLogMessage subsystem command to define a log message for a
subsystem at a particular logging level. The syntax for this global configuration
mode command is:
cliLogMessage subsystem name "message" level level
The variables are:
• name - The name of a CSS subsystem. Enter one of the following subsystem
names:
– acl - Access Control Lists
– all - All subsystems
– app - Application Peering Protocol (APP)
– boomerang - DNS Content Routing Agent (CRA)
– buffer - Buffer Manager
– chassis - Chassis Manager
– circuit - Circuit Manager
– csdpeer - Content Server Database (CSD) Peer
– dql - Domain Qualifier List (DQL)
– fac - Flow Admission Control (FAC)
– flowmgr - Flow Manager
– hfg - Header Field Group (HFG)
– ipv4 - IPv4
– keepalive - Keepalive
– netman - Network Management
– nql - Network Qualifier List (NQL)


– ospf - Open Shortest Path First (OSPF)


– pcm - Proximity CAPP Messaging (PCM)
– portmapper - PortMapper
– proximity - Proximity
– publish - Publish
– radius - Remote Authentication Dial-In User Server (RADIUS)
– replicate - Replication
– redundancy - CSS redundancy
– rip - RIP
– security - Security Manager
– sntp - Simple Network Time Protocol
– syssoft - System software
– urql - Uniform Resource Qualifier List
– vlanmgr - VLAN Manager
– vpm - Virtual Pipe Manager
– vrrp - Virtual Router Redundancy Protocol
– wcc - Web Conversation Control
To see a list of subsystems, enter:
cliLogMessage subsystem ?

• level - The log level for the message. Enter one of these levels:
– fatal-0 - Fatal errors only
– alert-1 - Alert errors, including errors at the fatal-0 level
– critical-2 - Critical errors, including errors at the alert-1 level
– error-3 - Error errors, including errors at the critical-2 level
– warning-4 - Warning errors (default), including errors at the error-3 level
– notice-5 - Notice messages, including errors at the warning-4 level
– info-6 - Informational messages, including errors at the notice-5 level
– debug-7 - All errors and messages


Logging ACL Activity


When you configure the CSS to log ACL activity, it logs the event of the packet
matching the clause and ACL. The CSS sends log information to the location you
specified in the logging command.

Note Before you configure logging for a specific ACL clause, ensure that
global ACL logging is enabled. To globally enable ACL logging, use
the logging subsystem acl level debug-7 command in config mode.

To configure logging for an ACL clause:


1. Enter the ACL mode for which you want to enable logging.
(config)# acl 7
(config-acl[7])#

2. Enable logging for:


• A new clause by entering the log option at the end of the clause. For
example:
(config-acl[7])# clause 1 deny udp any eq 3 destination any eq 3 log

• An existing clause by using the clause log enable command:


(config-acl[7])# clause 1 log enable

To disable ACL logging for a specific clause, enter:


(config-acl[7])# clause 1 log disable

To globally disable logging for all ACL clauses, enter:


(config)# no logging subsystem acl


Sending Log Messages to an Email Address


To send the log activity of a subsystem to an email address, use the logging
sendmail command. The syntax for this global configuration mode command is:
logging sendmail email_address ip_address level
The variables are:
• email_address - The email address for the recipient. Enter the email address
as a case-sensitive unquoted text string with a length of 1 to 30 characters.
• ip_address - The IP address for the SMTP host. Enter the IP address in
dotted-decimal notation (for example, 192.168.11.1).
• level - The type of information to log. The valid levels are defined in Table
8-4.
• domain - The domain name for the SMTP host. Enter an unquoted text string
with a maximum length of 64 characters (for example, arrowpoint.com). Do
not insert an @ sign before the domain name. The CSS automatically
prepends it to the domain name.
To turn off logging to an email address, enter:
(config)# no logging sendmail email_address

Logging CLI Commands


When you want to keep track of all CLI commands issued from the CSS, use the
logging commands enable command. This command logs each CLI command to
the sys.log file. To log CLI commands to the sys.log file, enter:
(config)# logging commands enable

To disable logging CLI commands to the sys.log file, enter:


(config)# no logging commands


Showing Log Files


Use the show log command to display the contents in a log or trap log file. You
need SuperUser privileges to use the show log command.
The options for this command are:
• show log - Send the log activity to your current session, or display the
contents in a log or a trap log file.
• show log-list - Display a list of all log files.
• show log-state - Display the state of logging for CSS facilities.

Note When you use the show log command to send the log activity to your
current session, and you want to stop sending log activity, press any
key on the terminal or workstation. The show log command
performs the same function as (config) logging line. Note that you
cannot run these commands at the same time.

Showing Log Activity


Use the show log command and its options to send the log activity to your current
session, or to display the contents in a log or trap log file. You need SuperUser
privileges to use the show log command. The syntax for the show log command
is:

show log {log_filename {tail lines} {line-numbers}}

The options and variables for the show log command include:
• log_filename - The name of the log file. Enter an unquoted text string with no
spaces. To see a list of log files with their dates, enter:
show log ?

• tail lines - Display the bottom and most recent portion of the log file. You
specify the number of lines to display, starting at the end of the log file. Enter
a number from 1 to 1000.
• line-numbers - Include the line numbers when displaying the contents of the
log file.


• traplog - Display all SNMP traps that have occurred. A trap log file is an
ASCII file in the log directory containing generic and enterprise traps. By
default, the following events generate level critical-2 messages:
– Link Up
– Link Down
– Cold Start
– Warm Start
– Service Down
– Service Suspended
All other SNMP traps generate level notice-5 messages.

Note Even though traps are disabled, the CSS still produces a log
message for any event that would normally generate a trap.

To send the log activity to your current session, enter:


# show log
Displaying Log events.
Press any key to abort...
APR 14 16:28:09 5/1 2398 NETMAN-7: HTTPC:HTTPC_Open:
ERROR->connect <-1,0> <192.20.1.7> <80>
APR 14 16:28:15 5/1 2399 NETMAN-7: HTTPC:HTTPC_Open:
ERROR->connect <-1,0> <192.20.1.7> <80>
APR 14 16:28:21 5/1 2400 NETMAN-7: HTTPC:HTTPC_Open:
ERROR->connect <-1,0> <192.20.1.7> <80>
APR 14 16:28:27 5/1 2401 NETMAN-7: HTTPC:HTTPC_Open:
ERROR->connect <-1,0> <192.20.1.7> <80>

To display information in a specific log file, enter the show log command with a
valid log filename. For example:
# show log stubs
SEP 22 09:59:18 5/1 918 NETMAN-7: SNMP:SET RSP (3803)
SEP 22 09:59:53 5/1 919 NETMAN-7: SNMP:SET (3804)
SEP 22 09:59:53 5/1 920 NETMAN-7: SNMP: 1
apLogHostIpAddress.[1.2.3.4] VT_IPADDRESS <1.2.3.4>
SEP 22 09:59:53 5/1 921 NETMAN-7: SNMP: 2
apLogHostIpAddress.[1.2.3.4] VT_IPADDRESS <1.2.3.4>
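
The record layout in the show log samples above and the level ordering in Table 8-4 can be checked offline with a short parser that rejoins wrapped lines and applies a subsystem/level setting. This is an added example, not Cisco code. Assumptions: the field names module and seq, and the reading of the fifth field as a per-message counter, are not stated in this guide, and the CHASSIS-2 and ACL-4 lines are constructed.

```python
import re
from dataclasses import dataclass

# Level names and numbers from Table 8-4: a lower number is more severe.
LEVELS = {"fatal": 0, "alert": 1, "critical": 2, "error": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Record header as printed by show log, for example:
#   APR 14 16:28:09 5/1 2398 NETMAN-7: HTTPC:HTTPC_Open:
# "module" and "seq" are assumed names for the 4th and 5th fields.
RECORD_RE = re.compile(
    r"^(?P<stamp>[A-Z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<module>\d+/\d+) (?P<seq>\d+) "
    r"(?P<subsystem>[A-Z0-9]+)-(?P<level>[0-7]): ?(?P<message>.*)$"
)


@dataclass
class LogRecord:
    stamp: str
    module: str
    seq: int
    subsystem: str
    level: int
    message: str


def parse_level(value):
    """Turn 'critical-2', 'critical' or 2 into the numeric level 0..7."""
    if isinstance(value, int):
        if value not in LEVELS.values():
            raise ValueError(f"level out of range: {value}")
        return value
    name, _, number = value.lower().partition("-")
    if name not in LEVELS or (number and int(number) != LEVELS[name]):
        raise ValueError(f"unknown level: {value}")
    return LEVELS[name]


def parse_css_log(text):
    """Parse show log output; wrapped continuation lines join the record above."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = RECORD_RE.match(line)
        if match:
            records.append(LogRecord(
                stamp=match["stamp"], module=match["module"],
                seq=int(match["seq"]), subsystem=match["subsystem"].lower(),
                level=int(match["level"]), message=match["message"].strip()))
        elif records:
            records[-1].message = (records[-1].message + " " + line).strip()
        # Text before the first record (the show log banner) is skipped.
    return records


def matches_setting(record, subsystem="all", level="warning-4"):
    """True if the record falls under one 'logging subsystem X level Y' setting."""
    if subsystem != "all" and record.subsystem != subsystem.lower():
        return False
    # Table 8-4: a level includes itself and every more severe (lower) level.
    return record.level <= parse_level(level)


def seq_gaps(records):
    """Return (previous, next) pairs where the assumed counter skips values.

    A gap can mean filtered, lost or removed entries; a reboot may also reset it.
    """
    return [(prev.seq, cur.seq)
            for prev, cur in zip(records, records[1:])
            if cur.seq != prev.seq + 1]


# First two records are from the sample above; the last two are constructed.
SAMPLE = """\
Displaying Log events.
Press any key to abort...
APR 14 16:28:09 5/1 2398 NETMAN-7: HTTPC:HTTPC_Open:
ERROR->connect <-1,0> <192.20.1.7> <80>
APR 14 16:28:15 5/1 2399 NETMAN-7: HTTPC:HTTPC_Open:
ERROR->connect <-1,0> <192.20.1.7> <80>
APR 14 16:28:21 5/1 2401 CHASSIS-2: constructed sample, link down
APR 14 16:28:30 5/1 2402 ACL-4: constructed sample, warning text
"""

if __name__ == "__main__":
    recs = parse_css_log(SAMPLE)
    for rec in recs:
        kept = matches_setting(rec)  # default setting: subsystem all, warning-4
        print(rec.seq, rec.subsystem, rec.level, "kept" if kept else "dropped")
    print("counter gaps:", seq_gaps(recs))
```
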


Showing Log Lists


Use the show log-list command to display a list of all log files. For example:
(config)# show log-list

Showing Log State


Use the show log-state command to display the state of logging for CSS facilities.
For example:
(config)# show log-state

Table 8-5 describes the fields in the show log-state output.

Table 8-5 Field Descriptions for the show log-state Command

Field Description
Subsystems
acl Access Control Lists subsystem
app Application Peering Protocol (APP) subsystem
boomerang Content Routing Agent (CRA)
buffer Buffer Manager subsystem
chassis Chassis Manager subsystem
circuit Circuit Manager subsystem
csdpeer Content Server Database (CSD) Peer subsystem
dql Domain Qualifier List (DQL) subsystem
fac Flow Admission Control (FAC) subsystem
flowmgr Flow Manager subsystem
hfg Header Field Group (HFG) subsystem
ipv4 IPv4 subsystem
keepalive Keepalive subsystem
netman Network Management subsystem
nql Network Qualifier List (NQL) subsystem

ospf OSPF subsystem
pcm Proximity CAPP Messaging (PCM) subsystem
portmapper PortMapper subsystem
proximity Proximity subsystem
publish Publish subsystem
radius Remote Authentication Dial-In User Server
(RADIUS)
replicate Replication subsystem
redundancy CSS redundancy subsystem
rip RIP subsystem
security Security Manager subsystem
sntp Simple Network Time Protocol (SNTP)
syssoft System software subsystem
urql Uniform Resource Qualifier List subsystem
vlanmgr VLAN Manager subsystem
vpm Virtual Pipe Manager subsystem
vrrp Virtual Router Redundancy Protocol subsystem
wcc Web Conversation Control subsystem
Levels:
debug Log all errors and messages (Verbose)
info Log informational messages, including errors at the notice level
notice Log notice messages, including errors at the warning level
warning Log warning errors (default), including errors at the error level
error Log error errors, including errors at the critical level
critical Log critical errors, including errors at the alert level

alert Log alert errors, including errors at the fatal level
fatal Log fatal errors only (Quiet)
Lines: Lists the connected sessions (CSS 11800 only)
File:
Filename: The name of the log file
Current size: The current size of the log file

Copying Log Files to an FTP or TFTP Server


To copy log files from the CSS to a File Transfer Protocol (FTP) or Trivial File
Transfer Protocol (TFTP) server, use the copy log command. The copy log
command is available at the SuperUser prompt.
The options for this command are:
• copy log log_filename ftp
• copy log log_filename tftp
To see a list of log files, enter the copy log ? command.

Copying Log Files to an FTP Server


To copy a log file to an FTP server, use the copy log ftp command. Before you
copy a log file from the CSS to an FTP server, you must create an FTP record file
containing the FTP server IP address, username, and password. For information
on configuring an FTP record, refer to “Configuring an FTP Record” in
Chapter 1, Logging in and Getting Started.
The syntax is:
copy log logfilename ftp ftp_record filename
For example:
# copy log starlog ftp ftpserv1 starlogthurs


The variables are:


• logfilename - The name of the log file on the CSS. Enter an unquoted text
string with no spaces and a maximum length of 32 characters.
• ftp_record - The name of the FTP record file that contains the FTP server IP
address, username, and password. Enter an unquoted text string with no
spaces.
• filename - The name you want to assign to the file on the FTP server. Include
the full path to the file. Enter an unquoted text string with no spaces and a
maximum length of 32 characters.

Copying Log Files to a TFTP Server


To copy a log file to a TFTP server, use the copy log tftp command.
The syntax is:
copy log logfilename tftp IP address or hostname filename
The variables are:
• logfilename - The name of the log file on the CSS. Enter an unquoted text
string with no spaces and a maximum length of 32 characters.
• IP address or hostname - The IP address or host name of the TFTP server to
receive the file. Enter an IP address in dotted-decimal notation (for example,
192.168.11.1) or in mnemonic host-name format (for example,
myhost.mydomain.com). If you wish to use a hostname, you must first set up
a host table using the (config) host command.
• filename - The name you want to assign to the file on the TFTP server.
Include the full path to the file. Enter an unquoted text string with no spaces
and a maximum length of 32 characters.

CHAPTER 9
Configuring Simple Network Management Protocol (SNMP)

This chapter provides information on configuring Simple Network Management
Protocol (SNMP) features on your CSS. It also provides a brief overview of
SNMP, an Application Layer protocol used extensively in the communications
industry. Information in this chapter applies to all CSS models except where
noted.
This chapter includes the following sections:
• SNMP Overview
• Configuring SNMP on the CSS
• Displaying the SNMP Configuration
• Managing SNMP on the CSS
• CSS MIBs


SNMP Overview
Simple Network Management Protocol (SNMP) is a set of network management
standards for IP-based internetworks. It includes a protocol, a database-structure
specification, and a set of management data objects. SNMP implementations
typically consist of a management application, running on one or more Network
Management Systems (NMSs), and agent applications, usually executing in
firmware on various network devices.
SNMP has two major standard revisions, SNMPv1 and SNMPv2. Your CSS
supports SNMPv2C (SNMP version 2C), known as “community-based SNMP”,
and standard Management Information Base (MIB-II) objects, along with an
extensive set of enterprise objects. (MIBs are discussed later in this chapter in the
section “Management Information Base (MIB)”.)
This overview contains the following sections:
• Managers and Agents
• Manager/Agent Communication
• Management Information Base (MIB)
• SNMP Communities

Note By default, SNMP access to the CSS is enabled in software through
the no restrict snmp command. Refer to “Controlling SNMP
Access to the CSS” for details.


Managers and Agents


SNMP uses software entities called managers and agents to manage network
devices:
• The manager monitors and controls all other SNMP-managed devices
(network nodes) in the network. There must be at least one SNMP Manager
in a managed network. The manager is installed on a workstation somewhere
in the network.
• An agent resides in a managed device (a network node). The agent receives
instructions from the SNMP Manager, and also sends management
information back to the SNMP Manager as events occur. The agent can reside
on routers, bridges, hubs, workstations, or printers, to name just a few
network devices.
There are many different SNMP management applications, but they all perform
the same basic task: they allow SNMP managers to communicate with agents to
monitor, configure, and receive alerts from the network devices. You can use any
SNMP-compatible network management system to monitor and control a CSS.

Manager/Agent Communication
There are several ways that the SNMP manager and the agent communicate.
• The manager can:
– Retrieve a value (a get action).
The SNMP manager requests information from the agent, such as the
number of users logged on to the agent device, or the status of a critical
process on that device. The agent gets the value of the requested MIB
variable and sends the value back to the manager.
– Retrieve the value immediately after the variable you name (a get-next
action).
The SNMP manager retrieves values from within a MIB. Using the
get-next function, you do not need to know the exact variable instance
you are looking for; the SNMP manager takes the variable you name and
then uses a sequential search to find the desired variables.

– Retrieve a number of values (a get-bulk action).
The SNMP manager performs a number of get-next actions that you
specify.
– Change a setting on the agent (a set action).
The SNMP manager requests the agent to change the value of the MIB
variable. For example, you could run a script or an application on a
remote device with a set action.
• An agent can send an unsolicited message to the manager at any time if a
significant, predetermined event takes place on the agent. This message is
called a trap.
When a trap condition occurs, the SNMP agent sends an SNMP trap message
to the device specified as the trap receiver or trap host. The SNMP
Administrator configures the trap host (usually the SNMP management
station) to perform the action needed when a trap is detected. Figure 9-1
illustrates manager/agent communication.

Figure 9-1 SNMP Manager/Agent Interaction

[Figure: the SNMP Manager and the SNMP Agent (CSS), connected by set, get, get-next, and trap.]


Management Information Base (MIB)


SNMP obtains information from the network through a Management Information
Base (MIB). The MIB is a database of code blocks called MIB objects. Each MIB
object controls one specific function, such as counting how many bytes are
transmitted through an agent’s port. The MIB object comprises MIB variables,
which define the MIB object name, description, default value, and so forth.
The collection of MIB objects is structured hierarchically. The MIB hierarchy is
referred to as the MIB tree. The MIB tree is defined by the International Standards
Organization (ISO). The MIB is installed on the manager, and is present within
each agent in the SNMP network.
At the top of the tree is the broadest information about a network. Each branch
and sub-branch of the tree gets progressively more specific, and the lowest
branches of the tree contain the most specific MIB objects; the leaves contain the
actual data. See Figure 9-2 for an example of how the MIB tree objects become
more specific as the tree expands.

Note There are two versions of the MIB tree as defined by ISO: MIB-I and
MIB-II, which has more variables than MIB-I. Refer to the MIB-II
standard in RFC 1213, “Management Information Base for Network
Management of TCP/IP-based Internets: MIB-II.”

MIB Variables
There are two types of MIB variables:
• Scalar - Variables that define an object with a single representation. This
means that an object describes a particular characteristic of the entire system.
An example of a scalar variable is SysDescr, which provides a system-wide
description of the CSS.
• Tabular - Variables that define an object with multiple representations. This
means that an object can have different values, depending on the qualifier.
For example, one tabular object could show bytes per interface, temperature
per board, or hits per service.


Figure 9-2 Top of the MIB Tree

ccitt (0)
iso (1)
    standard (0)
    registration-authority (1)
    member-body (2)
    organization (3)
        dod (6)
            internet (1)
                directory (1)
                management (2)
                experimental (3)
                private (4)
                    enterprises (1)
                        arrowpoint (2467)
iso-ccitt (2)

(Additional branches are not shown.)

As shown in Figure 9-2, a number is associated with a MIB object name. This
number is called the object identifier (or object ID), and it uniquely identifies the
MIB object in the MIB tree. (The dotted lines represent other branches not
relevant to this discussion.)
For example, the MIB object labeled arrowpoint (which contains the MIB objects
specific to CSSs) in Figure 9-2 can be labeled:
iso.organization.dod.internet.private.enterprises.arrowpoint
or
1.3.6.1.4.1.2467


MIB Extensions (Enterprise MIBs)


The MIB tree has a special branch set aside for specific vendors to build their own
extensions; this is called the enterprise MIB branch. The MIB files in this branch,
included on your CSS Documentation and System Software CD, comprise the
CSS Enterprise MIBs. (This is the highlighted MIB object in Figure 9-2.) The
enterprise MIB files are categorized along functional boundaries.
For a list of MIB branches under the Cisco CSS Enterprise MIB, refer to
Table 9-5 later in this chapter.

SNMP Communities
Each SNMP device or member is part of a community. An SNMP community
determines the access that each SNMP device has.
You supply a name to the community. After that, all SNMP devices that are
assigned to that community as members have the same access rights. The access
rights that the CSS supports are:
• read - Allows read-only access to the MIB tree for devices included in this
community
• read-write - Allows both read and write access to the MIB tree for devices
included in this community
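
The get, get-next, get-bulk, and set actions and the read and read-write community rights described above can be seen together in a small in-memory model. This is an added example, not CSS code: ToyAgent, build_demo_agent, and the MIB values are constructed for illustration, the two OID groups used (sysDescr/sysName and ifInOctets) are standard MIB-II objects, and no SNMP packets are encoded or sent.

```python
from bisect import bisect_right

def oid(text):
    """'1.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0); int tuples sort in MIB-tree order."""
    return tuple(int(part) for part in text.strip(".").split("."))

def dotted(parts):
    return ".".join(str(p) for p in parts)

class ToyAgent:
    """In-memory stand-in for an SNMP agent (hypothetical; no network I/O)."""

    def __init__(self, mib, communities):
        self.mib = {oid(name): value for name, value in mib.items()}  # leaf OID -> value
        self.communities = dict(communities)  # name -> "read-only" or "read-write"
        self.traps = []                       # what would be sent to the trap host

    def _allowed(self, community, source, write=False):
        access = self.communities.get(community)
        if access is None:
            # Unknown community name: the event that authentication traps report.
            self.traps.append(("authenticationFailure", source))
            return False
        return access == "read-write" or not write

    def _after(self, start):
        """First leaf that sorts strictly after `start`, or None at the end of the MIB."""
        ordered = sorted(self.mib)
        i = bisect_right(ordered, start)
        return ordered[i] if i < len(ordered) else None

    def get(self, community, source, name):
        if not self._allowed(community, source):
            return None
        return self.mib.get(oid(name))

    def get_next(self, community, source, name):
        # The caller may name a branch; the agent answers with the next leaf in order.
        if not self._allowed(community, source):
            return None
        nxt = self._after(oid(name))
        return None if nxt is None else (dotted(nxt), self.mib[nxt])

    def get_bulk(self, community, source, name, repetitions):
        """`repetitions` successive get-next steps answered in one response."""
        if not self._allowed(community, source):
            return None
        rows, current = [], oid(name)
        for _ in range(repetitions):
            current = self._after(current)
            if current is None:
                break
            rows.append((dotted(current), self.mib[current]))
        return rows

    def set(self, community, source, name, value):
        key = oid(name)
        if key not in self.mib or not self._allowed(community, source, write=True):
            return False
        self.mib[key] = value
        return True

def build_demo_agent():
    """Constructed MIB contents; community names follow the guide's quick start."""
    mib = {
        "1.3.6.1.2.1.1.1.0": "Content Services Switch (constructed value)",  # sysDescr, scalar
        "1.3.6.1.2.1.1.5.0": "css-lab",                                      # sysName, scalar
        "1.3.6.1.2.1.2.2.1.10.1": 1200,   # ifInOctets for interface 1 (tabular)
        "1.3.6.1.2.1.2.2.1.10.2": 88,     # ifInOctets for interface 2 (tabular)
    }
    return ToyAgent(mib, {"public": "read-only", "private": "read-write"})
```

A read-only community can walk the whole tree with get-next without knowing any instance name in advance, which is why the read community string deserves the same care as the read-write one.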


Configuring SNMP on the CSS


Once you have set up the SNMP management software (SNMP version 2C) on the
network devices, you are ready to configure SNMP settings on the CSS. You can
configure two basic areas of SNMP functionality on the CSS: SNMP functions
and RMON functions.
The following sections describe how to configure SNMP on the CSS. For
information on configuring RMON, refer to Chapter 10, Configuring Remote
Monitoring (RMON).
• Controlling SNMP Access to the CSS
• Planning Your SNMP Configuration
• Defining the CSS as an SNMP Agent
• Configuring Denial of Service (DoS)

Controlling SNMP Access to the CSS


To control SNMP access to the CSS, use the no restrict snmp and restrict snmp
commands. Access through SNMP is enabled by default. The options for this
global configuration mode command are:
• no restrict snmp - Enable SNMP access to the CSS (default setting)
• restrict snmp - Disable SNMP access to the CSS


Planning Your SNMP Configuration


Consider the following information before you set up SNMP on your network:
• Decide which types of information the SNMP Manager needs (if your
application is using an SNMP Manager). Choose the particular MIB variables
that you want through the management software.
• Decide how many trap hosts you need. In some network configurations, you
may want to have a primary trap host with one other workstation also
receiving traps for redundancy. In a distributed or segmented network, you
may want to have more trap hosts enabled. You can configure up to five trap
hosts per SNMP agent; that is, one agent can report to a maximum of five
hosts.
• Designate a management station or stations. The CSS is an agent in the
SNMP network scheme. The agent is already embedded in the CSS when you
boot up the device; all you need to do is configure the SNMP parameters on
the CSS.


Defining the CSS as an SNMP Agent


The following sections describe how to define the CSS as an SNMP agent. Read
these sections for a complete description of the commands associated with this
procedure. If you are familiar with this procedure, refer to Table 9-1 as a quick
start configuration reference for this task.
• Configuring an SNMP Community
• Configuring an SNMP Contact
• Configuring an SNMP Location
• Configuring an SNMP Name
• Configuring an SNMP Trap-Host
• Configuring SNMP Generic Traps
• Configuring SNMP Auth-Traps
• Configuring SNMP Enterprise Traps
• Configuring SNMP Reload-Enable

Table 9-1 Quick Start for Defining the CSS as an SNMP Agent

Task and Command Example


1. Define the SNMP community strings for each access type, read-only (for a
GET action) or read-write (for a GET and SET action). This step is required
for using SNMP on the CSS.
(config)# snmp community public read-only
(config)# snmp community private read-write
2. Provide the SNMP contact name (optional).
(config)# snmp contact "fred n mandy"
3. Provide an SNMP contact location (optional).
(config)# snmp location "Operations"
4. Provide the SNMP device name (optional).
(config)# snmp name "arrowpoint.com"
5. Turn on generic traps (optional).
(config)# snmp trap-type generic



6. Assign trap receivers and community (required if configuring SNMP traps).
You can specify a maximum of five trap hosts. By default, all traps are
disabled. The trap-host IP address must correspond to a management station
that is monitoring for traps. The community information provided at the end
of the trap-host command is included in the trap, and may be used by the
management station to filter incoming traps.
(config)# snmp trap-host 172.16.3.6 trap
(config)# snmp trap-host 172.16.8.4 trap
7. Turn on authentication failure traps (optional). An authentication failure
occurs if an unauthorized SNMP manager sends an invalid or incorrect
community name to an SNMP agent. If this occurs, the agent sends an
authentication trap to the trap host (or hosts depending on how many trap
hosts are configured).
(config)# snmp auth-traps
8. Enable global enterprise traps (optional).
(config)# snmp trap-type enterprise

Then enable a specific enterprise trap type. For example, you can set a trap
to notify the trap host of failed login attempts. Login failure traps provide
the username and source IP address of the person who failed to log in.
(config)# snmp trap-type enterprise login-failure
9. Configure the trap host for reload enable ability (optional). Reload enable
allows a management station with the proper WRITE community privilege
to reboot the CSS.
(config)# snmp reload-enable 100
10. Configure special enterprise trap thresholds to notify the trap host of Denial
of Service (DoS) attacks on your system (optional). For example, you can
set a trap threshold to notify the trap host of DoS attacks with illegal
addresses, either source or destination.
(config)# snmp trap-type enterprise dos-illegal-attack trap-threshold 1


Configuring an SNMP Community


Use the snmp community command to set or modify SNMP community names
and access properties. You may specify as many community names as you wish.

Caution It is required that you define the community strings for each access
type (read-only or read-write) before you use SNMP on the CSS.
The CSS is inaccessible until a read community string is specified.

The syntax for this global configuration mode command is:

snmp community community_name [read-only|read-write]

The variables and options are:


• community_name - The SNMP community name for this system. Enter an
unquoted text string with no spaces and a maximum length of 12 characters.
• read-only - Allow read-only access for this community.
• read-write - Allow read-write access for this community.
For example:
(config)# snmp community sqa read-write

To remove a community name, enter:


(config)# no snmp community sqa

Configuring an SNMP Contact


Use the snmp contact command to set or modify the contact name for the SNMP
system. You can specify only one contact name. The syntax for this global
configuration mode command is:

snmp contact "contact_name"

Enter the contact name as an unquoted text string with a maximum of
255 characters including spaces. You can also include information on how to
contact the person; for example, a phone number or email address.


For example:
(config)# snmp contact "Fred N. Mandy"

To remove the contact name, enter:


(config)# no snmp contact

Configuring an SNMP Location


Use the snmp location command to set or modify the SNMP system location. You
can specify only one location. The syntax for this global configuration mode
command is:

snmp location "location"

Enter the location as the physical location of the system. Enter a quoted text string
with a maximum length of 255 characters.
For example:
(config)# snmp location "sqa_lab1"

To remove the location, enter:


(config)# no snmp location

Configuring an SNMP Name


Use the snmp name command to set or modify the SNMP name for this system.
You can specify only one name. The syntax for this global configuration mode
command is:

snmp name "name"

Enter the SNMP name as the unique name assigned to a system by the
administrator. Enter a quoted text string with a maximum of 255 characters. The
standard name convention is the system’s fully-qualified domain name (for
example, sqa@arrowpoint.com).


For example:
(config)# snmp name "sqa@arrowpoint.com"

To remove the SNMP name for a system, enter:


(config)# no snmp name

Configuring SNMP Generic Traps


Use the snmp trap-type generic command to enable SNMP generic trap types.
The generic SNMP traps consist of cold start, warm start, link down, and link up.
For example:
(config)# snmp trap-type generic

To disable a generic trap, enter:


(config)# no snmp trap-type generic

Configuring an SNMP Trap-Host


Use the snmp trap-host command to set or modify the SNMP host to receive
traps from a CSS. You can specify a maximum of five hosts. The syntax for this
global configuration mode command is:

snmp trap-host ip_address or host community_name

The variables are:


• ip_address or host - The IP address or host name of an SNMP host that has
been configured to receive traps. Enter an IP address in dotted-decimal
notation (for example, 192.168.11.1) or in mnemonic host-name format (for
example, myhost.mydomain.com).
• community_name - The community name to use when sending traps to the
specified SNMP host. Enter an unquoted text string with no spaces and a
maximum length of 12 characters.
For example:
(config)# snmp trap-host 172.16.3.6 sqa@arrowpoint.com

To remove a specified trap host, enter:


(config)# no snmp trap-host 172.16.3.6


Configuring SNMP Auth-Traps


Use the snmp auth-traps command to enable reception of SNMP authentication
traps. The CSS generates these traps when an SNMP management station attempts
to access your system with invalid community names.
For example:
(config)# snmp auth-traps

To disable reception of authentication traps, enter:


(config)# no snmp auth-traps

Configuring SNMP Enterprise Traps


Use the snmp trap-type enterprise command to enable SNMP enterprise trap
types. You can enable the CSS to generate enterprise traps when denial of service
attack events occur, a login fails, or a CSS service transitions state.

Note For information on configuring Denial of Service enterprise traps,
refer to “Configuring Denial of Service (DoS)” later in this chapter.

The options for this global configuration mode command are:


• snmp trap-type enterprise - Enable enterprise traps. You must enable
enterprise traps before you configure an enterprise trap option.
• snmp trap-type enterprise login-failure - Generate SNMP enterprise traps
when a CSS login failure occurs. The CSS also generates an alert-level log
message.
• snmp trap-type enterprise reload - Generate SNMP enterprise traps when
a CSS reboot occurs. The CSS also generates a trap when a reboot is initiated
directly through SNMP.
• snmp trap-type enterprise redundancy-transition - Generate SNMP
enterprise traps when the CSS redundancy transitions state.
• snmp trap-type enterprise service-transition - Generate SNMP enterprise
traps when a CSS service transitions state. A trap is generated when a service
fails and when a failed service resumes proper operation.


For example, to enable enterprise traps, enter:


(config)# snmp trap-type enterprise

To disable all enterprise traps, enter:


(config)# no snmp trap-type enterprise

To prevent the CSS from generating traps when a login fails, enter:
(config)# no snmp trap-type enterprise login-failure

To prevent the CSS from generating traps when a CSS reload occurs, enter:
(config)# no snmp trap-type enterprise reload

To prevent the CSS from generating traps when the service transitions state, enter:
(config)# no snmp trap-type enterprise service-transition

To prevent the CSS from generating traps when a redundant CSS transitions state,
enter:
(config)# no snmp trap-type enterprise redundancy-transition

Configuring SNMP Reload-Enable


Use the snmp reload-enable command to reboot the CSS using SNMP. The
syntax and options for this global configuration mode command are:
• snmp reload-enable - Allow any SNMP write to the apSnmpExtReloadSet
object to force a CSS reboot. The reload object, apSnmpExtReloadSet, is
located at 1.3.6.1.4.1.2467.1.22.7. You can find this object in the CSS
Enterprise MIB, snmpext.mib.
• snmp reload-enable reload_value - Allow an SNMP write equal to the
reload_value to force a CSS reboot.
Enter the reload_value as the object used to control apSnmpExtReloadSet,
providing the SNMP-based reboot. When the object is set to 0, an SNMP reboot
is not allowed. When the object is set between 1 and 2^32, a reboot may be caused
with any write value to apSnmpExtReloadSet. For security purposes, this object
always returns 0 when read.


For example:
(config)# snmp reload-enable

To prevent users from rebooting the CSS using SNMP (default behavior), enter:
(config)# no snmp reload-enable
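
The community, trap-host, auth-traps, enterprise trap, and reload-enable settings described in the preceding sections can be reviewed together once they are in the configuration. The following is an added example, not a Cisco tool: it assumes the global running-config text contains the commands as they are entered in this chapter, both sample configurations are constructed, and the finding codes are hypothetical names chosen for this sketch.

```python
import shlex

MAX_COMMUNITY_LEN = 12                   # limit the guide gives for community names
MAX_TRAP_HOSTS = 5                       # limit the guide gives for trap hosts
EXAMPLE_NAMES = {"public", "private"}    # names from the guide's quick start; widely guessed

def parse_snmp(config_text):
    """Collect the SNMP-related global commands from running-config text."""
    state = {"restricted": False, "communities": {}, "trap_hosts": [],
             "auth_traps": False, "reload_enable": False, "trap_types": set()}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("(config)#"):
            line = line[len("(config)#"):].strip()
        words = shlex.split(line) if line and not line.startswith("!") else []
        negate = bool(words) and words[0] == "no"
        if negate:
            words = words[1:]
        if words[:2] == ["restrict", "snmp"]:
            state["restricted"] = not negate
        if len(words) < 2 or words[0] != "snmp":
            continue
        verb, args = words[1], words[2:]
        if verb == "community" and args:
            if negate:
                state["communities"].pop(args[0], None)
            else:
                state["communities"][args[0]] = args[1] if len(args) > 1 else "unspecified"
        elif verb == "trap-host" and args:
            hosts = [h for h in state["trap_hosts"] if h[0] != args[0]]
            if not negate:
                hosts.append((args[0], args[1] if len(args) > 1 else ""))
            state["trap_hosts"] = hosts
        elif verb == "auth-traps":
            state["auth_traps"] = not negate
        elif verb == "reload-enable":
            state["reload_enable"] = not negate
        elif verb == "trap-type" and args:
            kind = ":".join(args[:2])    # "generic", "enterprise", "enterprise:login-failure"
            if negate:
                state["trap_types"] = {t for t in state["trap_types"]
                                       if t != kind and not t.startswith(kind + ":")}
            else:
                state["trap_types"].add(kind)
    return state

def audit(state):
    """Return (code, detail) findings; an empty list means nothing was flagged."""
    if state["restricted"]:
        return []                        # restrict snmp disables SNMP access altogether
    findings = []
    names = list(state["communities"]) + [c for _, c in state["trap_hosts"] if c]
    for name in names:
        if len(name) > MAX_COMMUNITY_LEN:
            findings.append(("COMMUNITY_TOO_LONG", name))
    for name, access in state["communities"].items():
        if name in EXAMPLE_NAMES:
            findings.append(("EXAMPLE_COMMUNITY", name))
        if access == "read-write":
            findings.append(("RW_COMMUNITY", name))
            if state["reload_enable"]:
                findings.append(("SNMP_REBOOT", f"{name} can reboot the CSS"))
    if not state["auth_traps"]:
        findings.append(("NO_AUTH_TRAPS", "invalid community names go unreported"))
    types = state["trap_types"]
    if any(t.startswith("enterprise:") for t in types) and "enterprise" not in types:
        findings.append(("ENTERPRISE_NOT_ENABLED", "snmp trap-type enterprise is missing"))
    if (types or state["auth_traps"]) and not state["trap_hosts"]:
        findings.append(("NO_TRAP_HOST", "traps are enabled but have no receiver"))
    if len(state["trap_hosts"]) > MAX_TRAP_HOSTS:
        findings.append(("TOO_MANY_TRAP_HOSTS", str(len(state["trap_hosts"]))))
    return findings

def codes(config_text):
    return sorted({code for code, _ in audit(parse_snmp(config_text))})

# Constructed configuration with settings that deserve review.
WEAK_CONFIG = """
snmp community public read-only
snmp community private read-write
snmp contact "fred n mandy"
snmp reload-enable 100
snmp trap-type enterprise dos-syn-attack trap-threshold 10
"""

# Constructed configuration: non-default read-only community, traps with a receiver.
HARDENED_CONFIG = """
snmp community n0c-r34d-7f read-only
snmp trap-host 172.16.3.6 n0c-trap
snmp auth-traps
snmp trap-type enterprise
snmp trap-type enterprise login-failure
"""
```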

Configuring Denial of Service (DoS)


You can configure special enterprise traps to notify the trap host of Denial of
Service (DoS) attacks on your system. You can also use the CLI to display
detailed information about DoS attacks and reset the DoS statistics for your CSS
to zero. This section describes how to configure DoS traps. If you are familiar
with this procedure, use Table 9-2 as a quick start configuration reference.

Note Ensure you first enable SNMP enterprise traps using the snmp
trap-type enterprise command before you configure the CSS to
generate SNMP enterprise traps when a DoS attack event occurs. For
information, refer to “Configuring SNMP Enterprise Traps” earlier
in this chapter.

Table 9-2 Denial of Service Configuration Quick Start

Task and Command Example


1. Set the trap threshold to notify the trap host of DoS attacks with illegal
addresses, either source or destination.
(config)# snmp trap-type enterprise dos-illegal-attack trap-threshold 1
2. Set the trap threshold to notify the trap host of DoS LAND attacks.
(config)# snmp trap-type enterprise dos-land-attack trap-threshold 1
3. Set the trap threshold to notify the trap host of DoS smurf attacks.
(config)# snmp trap-type enterprise dos-smurf-attack trap-threshold 1



4. Set the trap threshold to notify the trap host of DoS SYN attacks.
(config)# snmp trap-type enterprise dos-syn-attack trap-threshold 10
5. Display information about DoS attacks.
(config)# show dos summary
(config)# show dos
6. As required, reset the DoS statistics for a CSS to zero.
(config)# zero dos statistics

Defining a DoS SNMP Trap-Type


Use the snmp trap-type enterprise command to enable the CSS to generate
SNMP enterprise traps when a denial of service (DoS) attack event occurs. One
trap is generated each second when the number of attacks during that second
exceeds the threshold for the configured DoS attack type.

Note Ensure you first enable SNMP enterprise traps using the snmp
trap-type enterprise command before you configure the CSS to
generate SNMP enterprise traps when a DoS attack event occurs. For
information, refer to “Configuring SNMP Enterprise Traps” earlier
in this chapter.

The syntax for this global configuration mode command is:


snmp trap-type enterprise dos_attack_type {trap-threshold threshold_value}
The dos_attack_type variable is the type of denial of service attack event to trap.
The options are:
• dos-illegal-attack - Generates traps for illegal addresses, either source or
destination. Illegal addresses are loopback source addresses, broadcast
source addresses, loopback destination addresses, multicast source addresses,
or source addresses that you own. The default trap threshold for this type of
attack is 1 per second.


• dos-land-attack - Generates traps for packets that have identical source and
destination addresses. The default trap threshold for this type of attack is
1 per second.
• dos-smurf-attack - Generates traps when the number of pings with a
broadcast destination address exceeds the threshold value. The default trap
threshold for this type of attack is 1 per second.
• dos-syn-attack - Generates traps when the number of TCP connections that
are initiated by a source, but not followed with an acknowledgment (ACK)
frame to complete the three-way TCP handshake, exceeds the threshold
value. The default trap threshold for this type of attack is 10 per second.

Note You can override a default trap threshold by using the
trap-threshold option. For the threshold_value, enter a number
from 1 to 65535.

For example, to enable the CSS to generate traps for packets that have identical
source and destination addresses, enter:
(config)# snmp trap-type enterprise dos-land-attack

For example, to prevent the CSS from generating denial of service attack event
traps, enter:
(config)# no snmp trap-type enterprise dos_attack_type
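
To see how the attack-type definitions and the per-second thresholds above interact, the following added example classifies packet records and reports which seconds would raise a trap. It is not CSS code: the packet records are constructed, the half-open connection tracking is a simplification, and two points the guide does not settle are treated as assumptions (LAND is checked before the illegal-address rules, and "exceeds" is read literally, so a count equal to the threshold raises no trap).

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Default per-second thresholds stated in the guide.
DEFAULT_THRESHOLDS = {"dos-illegal-attack": 1, "dos-land-attack": 1,
                      "dos-smurf-attack": 1, "dos-syn-attack": 10}
LIMITED_BROADCAST = ip_address("255.255.255.255")

def is_broadcast(addr, local_nets):
    return addr == LIMITED_BROADCAST or any(addr == net.broadcast_address for net in local_nets)

def classify(pkt, local_nets, owned):
    """Map one packet record to a trap type using the guide's definitions, or None."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    if src == dst:                       # assumption: LAND is checked before "illegal"
        return "dos-land-attack"
    if (src.is_loopback or dst.is_loopback or src.is_multicast
            or is_broadcast(src, local_nets) or src in owned):
        return "dos-illegal-attack"
    if pkt["proto"] == "icmp-echo" and is_broadcast(dst, local_nets):
        return "dos-smurf-attack"
    return None

def count_events(packets, local_nets, owned):
    """Count events per (second, trap type); SYNs never followed by an ACK count as SYN events."""
    counts = Counter()
    pending = {}                         # half-open flow -> second the SYN arrived
    for pkt in packets:
        kind = classify(pkt, local_nets, owned)
        if kind:
            counts[(pkt["t"], kind)] += 1
        elif pkt["proto"] == "tcp":
            flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            if pkt["flags"] == "S":
                pending[flow] = pkt["t"]
            elif pkt["flags"] == "A":
                pending.pop(flow, None)  # handshake completed
    for second in pending.values():
        counts[(second, "dos-syn-attack")] += 1
    return counts

def traps_raised(counts, thresholds=DEFAULT_THRESHOLDS):
    """One trap per second and type whose count exceeds the threshold (literal reading)."""
    return sorted((t, kind, n) for (t, kind), n in counts.items() if n > thresholds[kind])

def pkt(t, src, dst, proto="tcp", sport=1024, dport=80, flags=""):
    return {"t": t, "src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "flags": flags}

def constructed_capture():
    """Constructed packet records (t = arrival second); documentation address ranges only."""
    vip = "192.0.2.10"
    capture = [pkt(1, vip, vip, flags="S"), pkt(1, vip, vip, flags="S"),
               pkt(1, "127.0.0.1", vip, flags="S")]
    capture += [pkt(2, "203.0.113.9", "192.0.2.255", proto="icmp-echo") for _ in range(3)]
    capture += [pkt(3, "198.51.100.7", vip, sport=40000 + i, flags="S") for i in range(12)]
    capture += [pkt(3, "203.0.113.5", vip, sport=5555, flags="S"),
                pkt(3, "203.0.113.5", vip, sport=5555, flags="A")]
    capture += [pkt(4, "198.51.100.7", vip, sport=41000 + i, flags="S") for i in range(10)]
    return capture

def demo():
    nets = [ip_network("192.0.2.0/24")]  # constructed local network
    owned = {ip_address("192.0.2.1")}    # constructed address owned by the switch
    counts = count_events(constructed_capture(), nets, owned)
    return counts, traps_raised(counts)
```

Ten unanswered SYNs in second 4 stay below the default threshold of 10 under the literal reading; lowering the threshold with trap-threshold is what surfaces them.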

Displaying Denial of Service Configurations

Use the show dos summary command to display a summary of information about
DoS attacks. To display more detailed information, use the show dos command.
For example:
(config)# show dos summary


Table 9-3 describes the fields in the show dos output.

Table 9-3 Field Descriptions for the show dos Command

Field                       Description
Total Attacks               The total number of DOS attacks detected since the
                            CSS was booted. The type of attacks that are listed
                            along with their number of occurrences are:
                            • SYN Attacks - The TCP connections that are
                              initiated by a source but are not followed with an
                              ACK frame to complete the three way TCP handshake
                            • LAND Attacks - Packets that have identical
                              source and destination addresses
                            • Zero Port Attacks - Frames that contain source
                              or destination TCP or UDP ports equal to zero
                              Note Older SmartBits software may send frames
                              containing source or destination ports equal to
                              zero. The CSS logs them as DOS attacks and
                              drops these frames.
                            • Illegal Src Attacks - Illegal source addresses
                            • Illegal Dst Attacks - Illegal destination addresses
                            • Smurf Attacks - Pings with a broadcast
                              destination address
Maximum per second          The maximum number of events per second. Use the
                            maximum events per second information to set SNMP
                            trap threshold values. Note that the maximum number
                            of events per second is the maximum per SFP. For a
                            CSS 11800, which may have up to 4 SFPs, the
                            maximum rate per second may be as high as four times
                            that which is displayed.
First Attack Detected       The first time an attack was detected.
Last Attack Detected        The last time an attack was detected.
DOS Attack Event            Details for each detected attack event, up to a
                            maximum of 50 events per SFP.
First Attack                The first time that the attack event occurred.
Last Attack                 The last time that the attack event occurred.
Source/Destination Address  The source and destination addresses for the attack
                            event.
Event Type                  The type of event.
Total Attacks               The total number of attack occurrences for the event.

Displaying the SNMP Configuration


After you configure SNMP, display the SNMP configuration. For example:
(config)# show running-config global

For details on the show running-config command and its output, refer to
Chapter 1, Logging in and Getting Started.


Managing SNMP on the CSS


The main tasks you need to do to manage SNMP on the CSS are:
• Enabling SNMP Manager Access to the CSS
• Using the CSS to Look Up MIB Objects
• Reading Logs
• Setting Alarms

Enabling SNMP Manager Access to the CSS


By default, the CSS enables SNMP access to its command base, but you must first
create community strings using the snmp community command before you can
use SNMP in the CSS. Refer to “Configuring an SNMP Community” earlier in
this chapter for details.

Note SNMP is not a secure network environment. Do not use SNMP by itself to
provide security for your network.

Using the CSS to Look Up MIB Objects


To look up a MIB object, including the variables that make up the object:
1. Access global configuration mode by entering:
# config

2. Access rmon-alarm mode by entering:
(config)# rmon-alarm index_number

where index_number is the index of the alarm.

3. Display the MIB object by entering:
(config-rmonalarm[1])# lookup object

where object is the name of the MIB object.


You can look up a specific object, or you can use the question mark (?)
character as a wildcard to help you complete your request.
For example, you want to look up a MIB object, but you are not sure of its exact
name. You already know that the MIB you want is part of the apFlowMgrExt
group of objects. In this case, issue the lookup command with the question mark
(?) character, as shown below.
(config-rmonalarm[1])# lookup apFlowMgrExt?

apFlowMgrExtDoSAttackEventType
apFlowMgrExtDoSAttackEventCount
apFlowMgrExtDoSAttackIndex
apFlowMgrExtDosTotalSmurfAttacks
apFlowMgrExtDosTotalIllegalSourceAttacks
apFlowMgrExtDosTotalZeroPortAttacks
apFlowMgrExtDosTotalLandAttacks
apFlowMgrExtDosTotalSynAttacks
apFlowMgrExtDosTotalAttacks
apFlowMgrExtIdleTimer
apFlowMgrExtPortIdleValue
apFlowMgrExtPortIdle
apFlowMgrExtReserveCleanTimer
apFlowMgrExtPermanentPort4
apFlowMgrExtPermanentPort3
apFlowMgrExtPermanentPort2
apFlowMgrExtPermanentPort1
apFlowMgrExtFlowTraceDuration
apFlowMgrExtFlowTraceMaxFileSize
apFlowMgrExtFlowTraceState


The previous example shows that using the question mark (?) character as a
wildcard returns information about the apFlowMgrExt MIB object. You can also
issue the lookup command on the exact MIB you want and view its description
without using the question mark (?) character. For example:
(config-rmonalarm[1])# lookup apFlowMgrExtDOSAttackEventCount

ASN Name: apFlowMgrExtDOSAttackEventCount
MIB: flowmgrext
Object Identifer: 1.3.6.1.4.1.2467.1.36.27.1.6
Argument Type: Integer
Range: 0-4294967295
Description:
This is the number of times this DoS attack had occurred.

You can also display a list of all the Enterprise MIBs by using the lookup
command without any MIB object names, as in the following example:
(config-rmonalarm[1])# lookup ?

Note This command omits MIB objects of type string and MAC address.

Useful MIB Statistics


Table 9-4 contains some of the MIB groups that provide useful statistics.

Table 9-4 CSS MIB Statistics

MIB Name         Description
RFC-1398         Ethernet statistics
RFC-1493         Bridge information
RFC-1757         RMON statistics
svcExt.mib       Service variables (including TCP connections)
cntExt.mib       Content rule variables (including frame statistics)
ownExt.mib       Owner statistics (including frame and bytes counts)
cntsvcExt.mib    Services per content rule statistics (including frames,
                 bytes, hits)


Reading Logs
The traplog file contains all of the traps, both generic and enterprise, that have
occurred. The network device writes to the traplog file whether or not the SNMP
trap configuration is enabled.
To show the trap log since the last CSS reboot, issue the show log command as
shown:
# show log traplog

By default, the following events generate level critical-2 messages:


• Link Up
• Link Down
• Cold Start
• Warm Start
• Service Down
• Service Suspended
All other SNMP traps generate level notice-5 messages by default.

Setting Alarms
For information about the commands available in RMON alarm configuration mode,
refer to Chapter 10, Configuring Remote Monitoring (RMON).


CSS MIBs
Table 9-5 describes the CSS MIB objects directly under the CSS Enterprise MIB
(1.3.6.1.4.1.2467). The MIBs listed in this table are a representation of the CSS
content-specific MIB objects. To find out how you can look up object
information, see the section “Using the CSS to Look Up MIB Objects” in this
chapter.

Table 9-5 MIB Branches Under the CSS Enterprise MIB

MIB File Name           MIB Module Description                        Related CLI Commands
aclExt.mib              The CSS Access Control List clause table.     (config-acl)# ?
ap64Stats.mib           The 64 bit statistical aggregation of RMON    # show rmon ?
                        (RFC1757), MIB-II (RFC1213) and EtherErrors   # show mibii ?
                        (RFC1398).                                    # show ether-errors ?
apent.mib               CSS Enterprise MIB branch hierarchy.          --
apIpv4.mib              MIB support for IPv4 Global Information.      (config)# ip ?
apIpv4Arp.mib           MIB support for IPv4 ARP.                     (config)# arp ?
apIpv4Dns.mib           MIB support for IPv4 DNS resolver             (config)# dns ?
                        configuration.
apIpv4Host.mib          MIB support for IPv4 Host table.              (config)# host ?
apIpv4Interface.mib     MIB support for IPv4 Interfaces.              (config-ip)# ?
apIpv4Ospf.mib          MIB support for the Open Shortest Path        (config)# ospf ?
                        First (OSPF).
apIpv4Redundancy.mib    MIB support for IPv4 Redundancy.              (config-ip)# redundancy ?
apIpv4Rip.mib           MIB support for the Routing Information       (config-ip)# rip ?
                        Protocol (RIP).
apIpv4Sntp.mib          MIB support for the Simple Network Time       (config)# sntp ?
                        Protocol.
apIpv4StaticRoutes.mib  MIB support for IPv4 Static Routes.           (config)# ip route ?
appExt.mib              MIB support for APP configurations.           (config)# app ?
boomClientExt.mib       Configuration and monitoring of Content       (config)# dns-boomerang client ?
                        Routing Agent (CRA) parameters.
bootExt.mib             MIB support for system boot administration.   (config-boot)# ?
bridgeExt.mib           Configuration and monitoring of               (config)# bridge ?
                        bridge-related parameters.
cappUdpExt.mib          Application Peering Protocol-User Datagram    (config)# app-udp ?
                        Protocol (APP-UDP) global statistical
                        information and security configuration
                        settings.
cctExt.mib              CSS circuit information.                      (config)# circuit ?
chassisMgrExt.mib       MIB for the CSS chassis manager.              # show chassis ?
cntdnsExt.mib           Content rule DNS statistics.                  (config)# dns hotlist ?
cntExt.mib              Content rule table.                           (config-owner-content)# ?
cnthotExt.mib           Content rule hot list.                        (config-owner-content)# hotlist ?
cntsvcExt.mib           Monitoring of services attached to content    (config-owner-content)# add service ?
                        rules.                                        (config-owner-content)# remove service ?
csaExt.mib              Configuration and monitoring of Client Side   (config)# dns-server ?
                        Accelerator (CSA) parameters on a CSS.
dnshotExt.mib           DNS hot list.                                 (config)# domain hotlist ?
dnsServerExt.mib        MIB support for DNS Server.                   (config)# dns-server ?
domainCacheExt.mib      Configuration management for the domain       (config)# dns-server domain-cache ?
                        cache on the Client Side Accelerator (CSA)
                        in the CSS.
dqlExt.mib              Domain Qualifier Lists (DQLs).                (config-dql [name])# ?
enetExt.mib             Configuration of the PHY state for Ethernet   (config-interface)# phy ?
                        ports.
eqlExt.mib              Extension Qualification Lists (EQLs).         (config-eql [name])#
fileExt.mib             File extensions to support Network            --
                        Management movement to/from the CSS, and to
                        examine and modify the existing file
                        structure.
flowMgrExt.mib          MIB for the flow manager module.              (config)# flow ?
ftpExt.mib              MIB support for FTP transfer administration   (config)# ftp-record ?
                        records.
grpExt.mib              Configuration of all group-related            (config-group)# ?
                        parameters.
grpsvcExt.mib           Groups attached to services.                  (config-group)# add service ?
                                                                      (config-group)# remove service ?
httpExt.mib             MIB support for HTTP transfer                 --
                        administration records.
kalExt.mib              Configuration of keepalive mode.              (config-keepalive)# ?
logExt.mib              CSS logging functionality.                    (config)# logging ?
nqlExt.mib              Describes the CSS Network Qualifier Lists     (config-nql [name])# ?
                        (NQLs).
ownExt.mib              Web Host Owner information.                   (config-owner)# ?
plucExt.mib             Proximity Lookup Client functionality.        (config)# proximity cache ?
probeRttExt.mib         Tiered Proximity Service RTT Probe Module     (config)# proximity probe rtt ?
                        functionality.
proxDbExt.mib           Tiered Proximity Database functionality.      (config)# proximity db ?
                        This MIB contains all configuration,
                        statistic, and metric objects.
publishExt.mib          Publisher and subscriber services.            (config-service)# publisher ?
qosExt.mib              CSS MIB module QOS class definitions (the     --
                        QOS class of this known piece of content).
radiusClientExt.mib     CSS extensions to the client side of the      (config)# radius-server ?
                        Remote Access Dial-in User Service (RADIUS)
                        authentication protocol.
schedExt.mib            MIB support for CLI command scheduler         (config)# cmd-scheduler ?
                        records.
securityMgrExt.mib      CSS MIB objects for the Network Security      (config)# username ?
                        manager.
snmpExt.mib             SNMP traps and communities.                   (config)# snmp ?
sshdExt.mib             MIB support for the Secure Shell Host         (config)# sshd ?
                        server (SSHD).
subscribeExt.mib        CSS Enterprise subscriber.                    (config-service)# subscriber ?
svcExt.mib              Configuration and monitoring of all           (config-service)# ?
                        service-related parameters.
tagExt.mib              Content Tag Lists.                            (config)# header-field-group ?
terminalMgmt.mib        MIB support for terminal options.             # terminal ?
                                                                      # restrict ?
urqlExt.mib             Uniform Resource Locator Qualifier Lists      (config-urql [name])# ?
                        (URQL).

Chapter 10
Configuring Remote Monitoring (RMON)

This chapter provides configuration and viewing information for Remote
Monitoring (RMON). Information in this chapter applies to all CSS models
except where noted.
This chapter contains the following sections:
• RMON Overview
• RMON Configuration Considerations
• Configuring an RMON Event
• Configuring an RMON Alarm
• Configuring an RMON History
• Viewing RMON Information
• RMON Configuration in a Startup-Config File


RMON Overview
RMON allows you to remotely monitor and analyze the activity of packets on
CSS Ethernet ports. It also allows alarm configuration for monitoring MIB
objects, and the event configuration to notify you of these alarm conditions. For
detailed information about RMON and its MIB objects, refer to RFC 1757.
The version of RMON provided on the CSS is a subset of the RMON-1 groups.
The CSS supports the following groups:
• Group 1 - (Statistics) Provides data about all Ethernet ports on a CSS. You
cannot configure RMON statistics. You can only view them.
• Group 2 - (History) Provides data about the Ethernet ports over a historical
period. Histories are preconfigured for each port. You can configure
additional port histories.
• Group 3 - (Alarm) Allows you to create an alarm and configure the
conditions, based on a MIB object, to trigger an alarm when significant
events occur.
• Group 9 - (Event) Allows you to create an event and configure the event
action when its associated alarm occurs.

Figure 10-1 Supported RMON Functions on the CSS

[Figure: RMON functions on the CSS. Labels: Ethernet port monitoring; SNMP
variable monitoring (* requires user configuration); Statistics; History;
Alarm; Event; Log; SNMP trap.]


RMON Configuration Considerations


Consider the following before you implement RMON functionality on your CSS:
• You can configure an RMON event, alarm, and history. You cannot configure
any CSS attributes for RMON statistics. Statistics for the ports are only
viewable by using the show rmon command.
• You cannot change the configuration for an RMON event, alarm, or history
after you activate it. If you need to change a configuration after activation,
you must delete it first and then recreate it with the necessary changes. Note
that you can change your configuration at any time before you activate it.
• You must assign an RMON event to an alarm. Thus, you must create the event
before you can configure it to an alarm.
• RMON histories are preconfigured for each Ethernet port. Though these
histories cannot be deleted or modified, you can add additional history entries
for a port. For more information on the preconfigured histories and adding
more history entries, refer to “Configuring an RMON History” later in this
chapter.
The sections in this chapter for configuring events, alarms, and histories provide
quick configuration tables. If you need additional configuration information, refer
to the sections that follow the tables.


Configuring an RMON Event


An RMON event is the action that occurs when an associated RMON alarm is
triggered. When an alarm event occurs, it can be configured to generate a log
event, a trap to an SNMP network management station, or both. For information
on viewing alarm events in log files, refer to “Viewing Events in a Log File” later
in this chapter. For more information on configuring SNMP on your CSS, refer to
Chapter 9, Configuring Simple Network Management Protocol (SNMP).
If you are familiar with configuring the attributes for an RMON event, refer to
Table 10-1. The table contains the steps to configure an event, their possible
settings, and an example for each step. For more detailed information on
configuring an event, refer to the sections after the following table.

Table 10-1 RMON Event Configuration Quick Start

Steps and Possible Settings


1. From global configuration mode, create an RMON event configuration
   identifier. Enter a number from 1 to 65534.
   (config)# rmon-event 1
2. Assign an existing SNMP community for this event. Enter the community
   name configured by using the (config) snmp community command. This step
   is only required if the traps are sent to an SNMP network management station.
   (config-rmonevent[1])# community moonbase_alpha
3. Provide a description for the event. Enter a quoted string with a maximum of
   126 characters including spaces.
   (config-rmonevent[1])# description "This event occurs when service connections exceed 100"
4. Assign the owner who defined and is using the resources of the event. Enter a
   quoted string with a maximum of 126 characters including spaces. You must
   define the owner before you can activate the event.
   (config-rmonevent[1])# owner "Boston Tech Lab"
5. Specify the type of event notification. The type determines where the
   notification is sent. The options are type log, type trap, or type log-and-trap.
   (config-rmonevent[1])# type log-and-trap
6. Activate the event.
   (config-rmonevent[1])# active


For information on configuring an alarm and associating this event to an alarm,
refer to “Configuring an RMON Alarm” later in this chapter.

Creating a Configuration Identifier for an RMON Event


The RMON event configuration identifier identifies the event to the CSS. This
allows you to assign specific configuration attributes to the identifier. When you
create an identifier, you access the configuration mode for that event
automatically.
To create an event configuration identifier, use the rmon-event index command
from any configuration mode except boot and RMON alarm configuration modes.
The index is a number from 1 to 65535.

Note The RMON event index 65535 is administratively predefined and cannot be
modified. If you enter this index number, a message similar to the following
appears: %% Index internally used. Administrative control not allowed.

For example, to create an RMON event with an identifier of 1, access global
configuration mode and enter:
(config)# rmon-event 1

To see a list of existing RMON event configuration identifiers, enter:
(config)# rmon-event ?

After you create the identifier for the event, the prompt changes to
(config-rmonevent[1]). Now you can define the event, as described in “Setting the
RMON Event Attributes” later in this chapter.


Modifying the Attributes for an Existing RMON Event Configuration Identifier

When you have created an RMON event configuration identifier but you have not
activated it, you can modify its attributes.

Note If the event configuration identifier is activated, you cannot modify its
attributes. You must delete it, recreate it, and respecify its attributes.

To modify the attributes, you must access the RMON event configuration mode
for that event. To access this mode from any configuration mode except boot and
RMON alarm configuration modes, use the rmon-event command.
For example, to access the mode for RMON event 1, access global configuration
mode and enter:
(config)# rmon-event 1

To see a list of existing RMON events, enter:


(config)# rmon-event ?

To modify the attributes, refer to “Setting the RMON Event Attributes” later in
this chapter.

Deleting an RMON Event Configuration Identifier


If you have an active RMON event configuration identifier that requires changes
to its attributes or you no longer need it, delete it. Before you delete an event
identifier that requires changes, note the settings for its attributes.
To delete the event configuration identifier, use the no rmon-event command. For
example, to delete RMON event 1 and its configuration, access global
configuration mode and enter:
(config)# no rmon-event 1

After you delete the identifier to change its attributes, recreate it as described in
“Creating a Configuration Identifier for an RMON Event” earlier in this chapter.


Setting the RMON Event Attributes


After you create an RMON event identifier or access RMON event configuration
mode for an existing inactive event identifier, you can set its attributes as
described in the following sections:
• Defining an Event Community
• Describing an Event
• Assigning an Owner
• Defining the Notification of an Event
After you set the attributes, activate the event as described in “Activating the
Event” later in this chapter.

Defining an Event Community


When an alarm event occurs and the event is configured to send an SNMP trap,
the CSS sends the trap to the trap host with the specified community. To define a
community for an event that is not yet activated, use the community
community_name command. The community_name variable is the name of the SNMP
community you configured using the snmp community command (refer to
“Configuring an SNMP Community” in Chapter 9, Configuring Simple Network
Management Protocol (SNMP)).
For example, to define the SNMP moonbase_alpha community for this event,
enter:
(config-rmonevent[1])# community moonbase_alpha

Describing an Event
When an alarm event occurs, the CSS sends a description with the event
notification. Because a description is not generated automatically, you must
provide one. To provide a description, use the description "description"
command. The description variable is the description for the RMON event. Enter
a quoted text string with a maximum length of 126 characters.
For example, to provide a description for the event, enter:
(config-rmonevent[1])# description "This event occurs when service connections exceed 100"


Assigning an Owner
You must define the entity that configured this RMON event and is using the
resources assigned to it. To define the owner, use the owner "owner_name"
command. The owner_name variable is a quoted text string with a maximum of
126 characters. The owner for the event must be the same as the owner for the
alarm.
For example, to define the owner named Boston Tech Lab, enter:
(config-rmonevent[1])# owner "Boston Tech Lab"

Defining the Notification of an Event


When an RMON event occurs, the event type determines where the CSS sends the
event notification.
• A log event type designates that the event notification is made in a CSS log
  location (for example, CSS disk log file or session). For information on
  viewing log files, refer to “Viewing Events in a Log File” later in this chapter.
  To define the event as a log type, enter:
  (config-rmonevent[1])# type log

• A trap event type designates that a trap is sent to an SNMP network
  management station. To define the event as a trap type, enter:
  (config-rmonevent[1])# type trap

  Note When you want the event to send a trap to a network management
  station, you need to configure SNMP. For more information on SNMP, refer to
  Chapter 9, Configuring Simple Network Management Protocol (SNMP).

• You can also designate that the event type is both log and trap. To define the
  event as both log and trap types, enter:
  (config-rmonevent[1])# type log-and-trap


Activating the Event


After you configure the event attributes, you can activate the event. Before you
can activate an event, you must specify the owner of the event as described in
“Assigning an Owner” earlier in this chapter. To activate the event, enter:
(config-rmonevent[1])# active

Note Before you activate the event, make sure that you are finished
configuring it and are satisfied with its settings. After you activate
an event, you cannot modify its configuration settings. The only way
to change the event is to delete it, and then recreate it.

Configuring an RMON Alarm


An RMON alarm allows you to monitor a MIB object for a desired transitory
state. An alarm periodically takes samples of the object’s value and compares
them to the configured thresholds.
RMON allows you to configure two types of sampling, absolute and delta:
• Absolute sampling compares the sample value directly to the threshold. This
sampling is similar to a gauge, recording values that go up or down.
• Delta sampling subtracts the last sample taken from the current sample value,
and then compares the difference to the threshold. This sampling is similar to
a counter, recording a value that is constantly increasing.
When a sample value crosses an alarm threshold, an associated event is generated.
To limit the number of generated events, only one event is generated when a
threshold is crossed. The CSS does not generate additional events until an
opposite threshold is crossed. For example, when a rising threshold is crossed,
one event is generated. The next event occurs only when a falling threshold is
crossed.
When you associate an event to an alarm and an alarm occurs, the event defines
the action the CSS takes when an alarm occurs. For more information on events,
refer to “Configuring an RMON Event” earlier in this chapter.


Figure 10-2 is an example of absolute sampling.

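Figure 10-2 Example of Absolute Sampling

[Figure: sample value plotted against sample interval, with a rising threshold
and a falling threshold. Labels at the rising threshold: Alarm triggered, Rising
event generated. Labels at the falling threshold: Alarm triggered, Falling event
generated.]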

Figure 10-3 is an example of delta sampling.

Figure 10-3 Example of Delta Sampling

[Figure: sample value (axis 10 to 60) plotted against sample interval (axis 5 to
20), with Rising Threshold = 20 or more and Falling Threshold = 10 or less.
Labels: delta = 23, Alarm triggered, Rising event generated; delta = 10, Alarm
triggered, Falling event generated.]
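
The sampling and threshold behavior described above, as an added example that is not part of this guide and is not Cisco code: a small Python model of absolute and delta sampling with the one-event-per-crossing rule. The class and function names, the 32-bit counter wrap handling, and the readings are assumptions made for the illustration; the comparison rules follow RFC 1757, which this chapter cites.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

COUNTER32 = 2 ** 32  # assumption: delta sampling reads a 32-bit counter that wraps


@dataclass
class RmonAlarm:
    """Model of one RMON alarm: sampling type, two thresholds, startup type."""
    sample_type: str                          # "absolute" or "delta"
    rising_threshold: int
    falling_threshold: int
    startup_type: str = "rising-and-falling"  # or "rising" / "falling"
    _last_raw: Optional[int] = field(default=None, init=False, repr=False)
    _prev: Optional[int] = field(default=None, init=False, repr=False)
    _rising_armed: bool = field(default=True, init=False, repr=False)
    _falling_armed: bool = field(default=True, init=False, repr=False)

    def __post_init__(self) -> None:
        if self.sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be absolute or delta")
        if self.startup_type not in ("rising", "falling", "rising-and-falling"):
            raise ValueError("unknown startup_type")

    def _compared_value(self, raw: int) -> Optional[int]:
        """Value that is compared to the thresholds, or None while priming."""
        if self.sample_type == "absolute":
            return raw
        last, self._last_raw = self._last_raw, raw
        if last is None:
            return None                       # first reading is only a baseline
        return (raw - last) % COUNTER32       # current minus last, wrap-safe

    def sample(self, raw: int) -> Optional[str]:
        """Feed one reading; return "rising", "falling" or None."""
        value = self._compared_value(raw)
        if value is None:
            return None
        first = self._prev is None
        event = None
        if value >= self.rising_threshold:
            self._falling_armed = True        # opposite threshold is re-armed
            crossed = ("rising" in self.startup_type) if first \
                else self._prev < self.rising_threshold
            if crossed and self._rising_armed:
                event, self._rising_armed = "rising", False
        elif value <= self.falling_threshold:
            self._rising_armed = True
            crossed = ("falling" in self.startup_type) if first \
                else self._prev > self.falling_threshold
            if crossed and self._falling_armed:
                event, self._falling_armed = "falling", False
        self._prev = value
        return event


def run(alarm: RmonAlarm, readings: List[int]) -> List[Tuple[int, str]]:
    """Return (reading index, event) for every event the readings generate."""
    events = []
    for index, raw in enumerate(readings):
        event = alarm.sample(raw)
        if event:
            events.append((index, event))
    return events


# Constructed readings, not captured from a CSS.
CONNECTIONS = [95, 101, 120, 99, 105, 90, 80, 100]   # gauge-like values
COUNTER = [0, 5, 28, 60, 75, 100, 110, 112, 140]     # ever-increasing counter

if __name__ == "__main__":
    absolute = RmonAlarm("absolute", rising_threshold=100, falling_threshold=90)
    print(run(absolute, CONNECTIONS))
    delta = RmonAlarm("delta", rising_threshold=20, falling_threshold=10,
                      startup_type="rising")
    print(run(delta, COUNTER))
```

In the absolute run, the reading of 105 that follows 99 produces no second rising event because the falling threshold of 90 has not been reached in between.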


RMON Alarm Configuration Quick Start


If you are familiar with configuring the attributes for an RMON alarm, refer to
Table 10-2. The table contains the steps to configure the alarm, its possible
settings, and an example for each step. For more detailed information on
configuring an alarm, refer to the sections following Table 10-2.

Table 10-2 RMON Alarm Configuration Quick Start

Steps and Possible Settings


1. From global configuration mode, create a configuration identifier for an
   RMON alarm. Enter a number from 1 to 65534.
   (config)# rmon-alarm 1
2. Assign the owner who defined and is using the resources of the alarm. Enter
   a quoted string with a maximum of 32 characters including spaces. The
   owner must be the same as the owner for the event.
   (config-rmonalarm[1])# owner "Boston Tech Lab"
3. Define the MIB object for the sample variable. For example, for the current
   number of connections for this service, enter apSvcConnections. To see a
   list of objects, use the sample-variable ? command. For detailed
   information about an object, use the lookup command.
   (config-rmonalarm[1])# sample-variable apSvcConnections
4. Define the sampling type. The options are absolute or delta.
   (config-rmonalarm[1])# sample-type absolute
5. Define the startup alarm type. The options are falling, rising, or
   rising-and-falling.
   (config-rmonalarm[1])# startup-type rising-and-falling
6. Define the rising threshold. Enter a number from 0 to 4294967295.
   (config-rmonalarm[1])# rising-threshold 100
7. Associate the rising threshold with an existing RMON event. Enter a
   number from 0 to 65535. If you enter 0, no event is generated.
   (config-rmonalarm[1])# rising-event 1
8. Define the falling threshold. Enter a number from 0 to 4294967295.
   (config-rmonalarm[1])# falling-threshold 90
9. Associate the falling threshold with an existing RMON event. Enter a
   number from 0 to 65535. If you enter 0, no event is generated.
   (config-rmonalarm[1])# falling-event 2
10. Specify the sampling interval for the RMON alarm. The interval is in
    seconds. Enter a number from 1 to 65535.
    (config-rmonalarm[1])# sample-interval 30
11. Activate the alarm.
    (config-rmonalarm[1])# active
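
Because an activated event or alarm cannot be changed, the following added example (not part of this guide and not Cisco code) checks a list of CLI lines against the limits stated in the two quick start tables before the lines are entered. The function names and the sample input are assumptions made for the illustration, and only rules stated in this chapter are checked.

```python
import shlex

INDEX_RANGE = (1, 65534)               # 65535 is predefined by the CSS
RANGES = {"rising-threshold": (0, 4294967295), "falling-threshold": (0, 4294967295),
          "sample-interval": (1, 65535)}
CHOICES = {"type": {"log", "trap", "log-and-trap"},
           "sample-type": {"absolute", "delta"},
           "startup-type": {"falling", "rising", "rising-and-falling"}}
OWNER_MAX = {"event": 126, "alarm": 32}


def check_before_active(kind, attrs, objects):
    """Return the problems to fix before 'active' is entered for this object."""
    problems = []
    owner = attrs.get("owner", "")
    if kind == "event" and not owner:
        problems.append("owner must be defined before the event is activated")
    if len(owner) > OWNER_MAX[kind]:
        problems.append(f"owner is longer than {OWNER_MAX[kind]} characters")
    if len(attrs.get("description", "")) > 126:
        problems.append("description is longer than 126 characters")
    if "trap" in attrs.get("type", "") and "community" not in attrs:
        problems.append("type sends a trap but no community is assigned")
    for name, (low, high) in RANGES.items():
        value = attrs.get(name)
        if value is not None and not (value.isdigit() and low <= int(value) <= high):
            problems.append(f"{name} must be a number from {low} to {high}")
    for name, allowed in CHOICES.items():
        if name in attrs and attrs[name] not in allowed:
            problems.append(f"{name} must be one of: {', '.join(sorted(allowed))}")
    for name in ("rising-event", "falling-event"):
        ref = attrs.get(name, "0")     # 0 means that no event is generated
        event = objects.get(("event", ref))
        if ref != "0" and event is None:
            problems.append(f"{name} {ref}: RMON event {ref} has not been created")
        elif ref != "0" and event.get("owner", "") != owner:
            problems.append(f"{name} {ref}: event owner differs from alarm owner")
    return problems


def lint_rmon(lines):
    """Return (line number, message) findings for a list of CSS CLI lines."""
    findings, objects, current = [], {}, None
    for number, line in enumerate(lines, start=1):
        command = line.split("# ", 1)[-1]          # drop the prompt
        words = shlex.split(command.replace("\u201c", '"').replace("\u201d", '"'))
        if not words:
            continue
        name, value = words[0], " ".join(words[1:])
        if name in ("rmon-event", "rmon-alarm"):
            if not (value.isdigit() and INDEX_RANGE[0] <= int(value) <= INDEX_RANGE[1]):
                findings.append((number, f"{name} index must be from 1 to 65534"))
            current = (name.split("-", 1)[1], value)
            objects.setdefault(current, {})
        elif current is None:
            continue
        elif objects[current].get("active"):
            findings.append((number, f"{current[0]} {current[1]} is already active; "
                                     "delete and recreate it to change it"))
        elif name == "active":
            problems = check_before_active(current[0], objects[current], objects)
            findings.extend((number, problem) for problem in problems)
            objects[current]["active"] = "yes"
        else:
            objects[current][name] = value
    return findings


# Constructed input: the two quick start sequences of this chapter, in order.
QUICK_START = """\
(config)# rmon-event 1
(config-rmonevent[1])# community moonbase_alpha
(config-rmonevent[1])# description "This event occurs when service connections exceed 100"
(config-rmonevent[1])# owner "Boston Tech Lab"
(config-rmonevent[1])# type log-and-trap
(config-rmonevent[1])# active
(config)# rmon-alarm 1
(config-rmonalarm[1])# owner "Boston Tech Lab"
(config-rmonalarm[1])# sample-variable apSvcConnections
(config-rmonalarm[1])# sample-type absolute
(config-rmonalarm[1])# startup-type rising-and-falling
(config-rmonalarm[1])# rising-threshold 100
(config-rmonalarm[1])# rising-event 1
(config-rmonalarm[1])# falling-threshold 90
(config-rmonalarm[1])# falling-event 2
(config-rmonalarm[1])# sample-interval 30
(config-rmonalarm[1])# active
""".splitlines()

# Constructed input with mistakes that can only be undone by delete and recreate.
MISTAKES = """\
(config)# rmon-event 3
(config-rmonevent[3])# type trap
(config-rmonevent[3])# active
(config-rmonevent[3])# owner "NOC"
(config)# rmon-alarm 65535
""".splitlines()

if __name__ == "__main__":
    print(lint_rmon(QUICK_START), lint_rmon(MISTAKES))
```

Run on the two quick start sequences together, the check reports that falling-event 2 refers to an event that the event quick start never creates, so event 2 has to exist before the alarm is activated.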

Creating a Configuration Identifier for an RMON Alarm


The RMON alarm configuration identifier identifies the alarm to the CSS. This
allows you to assign specific configuration attributes to the identifier. When you
create an identifier, you access the configuration mode for that alarm
automatically.
To create an alarm configuration identifier, use the rmon-alarm index command
from any configuration mode except boot and RMON history configuration
modes. The index is a number from 1 to 65535.

Note The RMON alarm index 65535 is administratively predefined and cannot be
modified. If you enter this index number, a message similar to the following
appears: %% Index internally used. Administrative control not allowed.

For example, to create an RMON alarm with an identifier of 1, access global
configuration mode and enter:
(config)# rmon-alarm 1

To see a list of existing RMON alarm configuration identifiers, enter
rmon-alarm ?.


After you create the identifier for the alarm, the prompt changes to
(config-rmonalarm[1]). Now you can define the alarm, as described in “Setting
the RMON Alarm Attributes” later in this chapter.

Modifying Attributes for an Existing RMON Alarm Configuration Identifier

When you have already created an RMON alarm configuration identifier and its
attributes but you have not activated it, you can modify its attributes.

Note If the alarm configuration is activated, you cannot modify its settings.
You must delete the alarm configuration, recreate it, and respecify its
attributes.

To modify the attributes, you must access the RMON alarm configuration mode
for that alarm. To access this mode from any configuration mode except boot and
RMON history configuration modes, use the rmon-alarm command. For
example, to access the mode for RMON alarm 1, access global configuration
mode and enter:
(config)# rmon-alarm 1

To see a list of existing RMON alarms, enter:


(config)# rmon-alarm ?

To modify the attributes, refer to “Setting the RMON Alarm Attributes” later in
this chapter.

Deleting an RMON Alarm Configuration Identifier


If you have an active RMON alarm configuration identifier that requires changes
to its attributes or you no longer need an alarm identifier, delete it. Before you
delete the configuration that requires changes, note the settings for its attributes.


To delete the alarm configuration identifier, use the no rmon-alarm command.
For example, to delete RMON alarm 1 and its configuration, access global
configuration mode and enter:
(config)# no rmon-alarm 1

After you delete the alarm identifier to change its attributes, recreate the identifier
as described in “Creating a Configuration Identifier for an RMON Alarm” earlier
in this chapter.

Setting the RMON Alarm Attributes


After you create an RMON alarm identifier or access RMON alarm configuration
mode for an existing inactive alarm identifier, you can set its attributes as
described in the following sections:
• Assigning an Owner
• Finding and Defining a Sample Variable
• Defining an Absolute or Delta Sampling
• Defining a Rising Threshold and Index
• Defining a Falling Threshold and Index
• Defining a Startup Alarm
• Defining the Sampling Interval
After you set all of the attributes, activate the alarm as described in “Activating
an Alarm” later in this chapter.

Assigning an Owner
You must define the entity that configured the RMON alarm and is using the
resources assigned to it. To define the owner, use the owner "owner_name"
command. The owner_name variable is a quoted text string with a maximum of
32 characters. Enter the same name as the owner of the event.
For example, to define the owner named Boston Tech Lab, enter:
(config-rmonalarm[1])# owner "Boston Tech Lab"


Finding and Defining a Sample Variable


For an alarm condition, RMON samples a configured sample variable associated
with a MIB object. MIB objects to consider include the following:
• svcExt.mib contains service objects (for example, apSvcConnections is the
MIB object for the current number of TCP connections to this service).
• cntExt.mib contains content rule objects (for example, apCntHits is the MIB
object for the total number of hits on this service for this content rule).

Note For more information on CSS MIBs, refer to Chapter 9, Configuring
Simple Network Management Protocol (SNMP).

To look up a MIB object and view its description, use the lookup command. For
example, to view the description for the apSvcConnections object, enter:
(config-rmonalarm[1])# lookup apSvcConnections
ASN Name: apSvcConnections
MIB: svcext
Object Identifier: 1.3.6.1.4.1.2467.1.15.2.1.20
Argument Type: Integer
Range: 0-4294967295
Description:
The current number of TCP connections to this service

To specify the sample variable for this RMON alarm, use the sample-variable
mib_object command. For example, to define the apSvcConnections MIB object
for the current number of service connections, enter:
(config-rmonalarm[1])# sample-variable apSvcConnections

To see a list of SNMP variables, use the sample-variable ? command. For
example:
(config-rmonalarm[1])# sample-variable ?

apSvcLoadInfoTimeout
apSvcLoadSvcStatRptTimeout
apSvcLoadEnable
apSvcLoadDecayInterval
apSvcLoadStepStatic
apSvcLoadStepSize
apSvcLoadThreshold
...


Defining an Absolute or Delta Sampling


When you configure an alarm, you can define the sampling method to compare
the sample value of a MIB object to either:
• The configured threshold directly. This sampling is like a gauge, recording
the value as it goes up and down. Refer to Figure 10-1.
• The previous sampling, and then their difference is compared to the
configured threshold. This sampling is like a counter, recording the value that
is constantly increasing. Refer to Figure 10-2.
Absolute sampling compares the sample value to the configured threshold. For
example, if you want to know when 30,000 service connections occur on the CSS
during a sample interval, configure the apSvcConnections MIB object with
absolute sampling. The apSvcConnections object is the current number of
connections on a service. To define an absolute sampling, enter:
(config-rmonalarm[1])# sample-type absolute

Delta sampling compares the current sample value with the previous sample and
compares their difference to the configured threshold. For example, if you want
to know when the number of content rule hits increases by 100,000 hits compared
to its previous sampling, configure the apCntHits MIB object with delta sampling.
apCntHits is an ever-increasing count of hits. To define a delta sampling, enter:
(config-rmonalarm[1])# sample-type delta

Defining a Rising Threshold and Index


When you want to be notified when a sampling is greater than or equal to a
specific number, set a rising threshold and associate it to a configured event.

Note You must create an RMON event before you can associate it with an
alarm.


A single rising alarm event occurs when a sampled value is greater than or equal
to the rising threshold value, and the value at the last sampling interval is less
than this threshold.
• To set the threshold for the alarm, use the rising-threshold rising_value
command. The rising_value variable is the threshold for the rising sample
type. Enter an integer from 0 to 4294967295.
For example, to set the rising threshold value of 100, enter:
(config-rmonalarm[1])# rising-threshold 100

• To associate a configured event to the RMON alarm when the rising threshold
is exceeded, use the rising-event rising_index command. The rising_index
variable is the event index used when a rising threshold is crossed. If you
enter 0, no event is generated.
For example, to associate the threshold to RMON event 1, enter:
(config-rmonalarm[1])# rising-event 1

To see a list of RMON events, enter:
(config-rmonalarm[1])# rising-event ?

Defining a Falling Threshold and Index


When you want to be notified when a sampling is less than or equal to a specific
number, set a falling threshold and associate it to a configured event.

Note You must create an RMON event before you can associate it with an
alarm.

A single falling alarm event occurs when a sampled value is less than or equal to
the falling threshold value, and the value at the last sampling interval is greater
than this threshold.
• To set the threshold for the alarm, use the falling-threshold falling_value
command. The falling_value variable is the threshold for the falling sample
type. Enter an integer from 0 to 4294967295.
For example, to set the falling threshold value of 90, enter:
(config-rmonalarm[1])# falling-threshold 90


• To associate a configured event to the RMON alarm when the falling
threshold is exceeded, use the falling-event falling_index command. The
falling_index variable is the event index used when a falling threshold is
crossed. If you enter 0, no event is generated.
For example, to associate the threshold to RMON event 2, enter:
(config-rmonalarm[1])# falling-event 2

To see a list of RMON events, enter:
(config-rmonalarm[1])# falling-event ?

Defining a Startup Alarm


A startup alarm allows the CSS to generate an alarm when the first sample triggers
a falling or rising threshold.
• A startup falling alarm occurs when the first sample is less than or equal to
the falling threshold. To enable this alarm, enter:
(config-rmonalarm[1])# startup-type falling

• A startup rising alarm occurs when the first sample is greater than or equal to
the rising threshold. To enable this alarm, enter:
(config-rmonalarm[1])# startup-type rising

• To enable an alarm when either a falling or rising threshold is triggered, enter:
(config-rmonalarm[1])# startup-type rising-and-falling

Defining the Sampling Interval


The sampling interval is the time interval, in seconds, over which the data is
sampled and compared with the rising and falling thresholds. To specify the
sampling interval for this RMON alarm, use the sample-interval interval
command. The interval variable is the number of seconds, from 1 to 65535.
For example, to enter a sampling interval of 60 seconds, enter:
(config-rmonalarm[1])# sample-interval 60

With delta sampling, set the sampling interval short enough so that the sampled
variable, which has a tendency to go up and down very fast, does not wrap during
a single sampling period.
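
The sampling, threshold and startup rules in the preceding sections can be checked offline before an alarm is activated and locked. The following Python model is an added example, not Cisco code or CSS output; the class name RmonAlarm, the rfc1757_rearm switch (the re-arm rule from the RFC 1757 alarm group, which this guide does not describe) and the sample values are assumptions made for illustration.

```python
"""Added example: model of the RMON alarm rules described in this chapter."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

COUNTER_MODULUS = 2 ** 32  # the lookup output gives the range 0-4294967295

# Constructed sample data (not taken from a CSS).
CONNECTION_SAMPLES = [95, 101, 120, 99, 100, 90, 85, 91, 150]   # gauge readings
HIT_COUNTER_SAMPLES = [4294900000, 4294950000, 100000]          # counter wraps


@dataclass
class RmonAlarm:
    sample_type: str                 # "absolute" or "delta"
    rising_threshold: int
    rising_event: int                # event index; 0 means no event is generated
    falling_threshold: int
    falling_event: int
    startup_type: str = "rising-and-falling"
    rfc1757_rearm: bool = False      # assumption: optional RFC 1757 re-arm rule
    _last_raw: Optional[int] = field(default=None, init=False, repr=False)
    _last_value: Optional[int] = field(default=None, init=False, repr=False)
    _last_crossing: Optional[str] = field(default=None, init=False, repr=False)

    def feed(self, raw: int) -> Optional[int]:
        """Take one sample; return the index of the event fired, or None."""
        if self.sample_type == "delta":
            if self._last_raw is None:
                self._last_raw = raw
                return None          # a delta needs two raw readings
            # Modular subtraction recovers one counter wrap per interval. A
            # second wrap in the same interval cannot be seen, which is why
            # the sampling interval has to be short for fast counters.
            value = (raw - self._last_raw) % COUNTER_MODULUS
            self._last_raw = raw
        else:
            value = raw
        previous, self._last_value = self._last_value, value

        crossing = None
        if previous is None:         # first sample: startup-type decides
            if value >= self.rising_threshold and self.startup_type != "falling":
                crossing = "rising"
            elif value <= self.falling_threshold and self.startup_type != "rising":
                crossing = "falling"
        elif value >= self.rising_threshold and previous < self.rising_threshold:
            crossing = "rising"
        elif value <= self.falling_threshold and previous > self.falling_threshold:
            crossing = "falling"

        if crossing is None:
            return None
        if self.rfc1757_rearm and crossing == self._last_crossing:
            return None              # not re-armed: opposite threshold not reached yet
        self._last_crossing = crossing
        event = self.rising_event if crossing == "rising" else self.falling_event
        return event or None         # index 0 suppresses the event


def run(alarm: RmonAlarm, samples: List[int]) -> List[Tuple[int, int]]:
    """Feed every sample; return (sample position, event index) for each event."""
    fired = []
    for position, raw in enumerate(samples):
        event = alarm.feed(raw)
        if event is not None:
            fired.append((position, event))
    return fired


if __name__ == "__main__":
    # Thresholds 100/90 with events 1 and 2, as in this chapter's examples.
    print(run(RmonAlarm("absolute", 100, 1, 90, 2), CONNECTION_SAMPLES))
    print(run(RmonAlarm("absolute", 100, 1, 90, 2, rfc1757_rearm=True),
              CONNECTION_SAMPLES))
    print(run(RmonAlarm("delta", 100000, 1, 1000, 0), HIT_COUNTER_SAMPLES))
```

With the crossing rule exactly as stated in this chapter, a value that hovers around the rising threshold (99, then 100) fires the rising event a second time; with the re-arm rule enabled it does not fire again until the falling threshold has been reached.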


Activating an Alarm
After you configure the alarm attributes, you can activate the alarm. Before you
can activate an alarm, you must specify all attributes for the alarm. To activate the
alarm, enter:
(config-rmonalarm[1])# active

Note Before you activate the alarm, make sure that you are finished
configuring it and are satisfied with its settings. After you activate
an alarm, you cannot modify its configuration settings. The only
way to change the alarm is to delete it, and then recreate it.

Configuring an RMON History


You can configure the operation of the RMON history that periodically samples
any CSS Ethernet port for statistical data. All ports are preconfigured with
histories for 30-second and 30-minute intervals, and 50 buckets with one sample
per bucket. However, you can create additional histories for a specific port. This
allows you to configure the time interval to take the sample and the number of
samples you want to save.
You can view the statistical information for the history by using the show
rmon-history command. For more information about viewing the history, refer to
“Viewing History” later in this chapter.
If you are familiar with configuring the attributes for an RMON history, refer to
Table 10-3. The table contains the steps to configure the history, their possible
settings, and an example for each step. For more detailed information on
configuring a history, refer to the sections following Table 10-3.


Table 10-3 RMON History Configuration Quick Start

Steps and Possible Settings


1. From global configuration mode, create an RMON history. Enter a number
from 1 to 65535.
(config)# rmon-history 5
2. Assign the owner who defined and is using the history resources. Enter up
to 32 characters.
(config-rmonhistory[5])# owner Boston_Tech_Lab
3. Define the data source object for the Ethernet port. The port is identified by
an ifIndex data object identifier. To see a list of data object IDs, use the
show interface command.
(config-rmonhistory[5])# data-source ifIndex.3
4. Define the time interval for the history. The interval is in seconds. Enter a
number from 1 to 3600. The default is 1800.
(config-rmonhistory[5])# interval 60
5. Define the bucket count for the interval. Enter a number from 1 to 65535.
The default is 50.
(config-rmonhistory[5])# requested-buckets 25
6. Activate the history.
(config-rmonhistory[5])# active

Creating a Configuration Identifier for an RMON History


The RMON history configuration identifier identifies the history to the CSS. This
allows you to assign specific configuration attributes to the identifier. When you
create an identifier, you access the configuration mode for that history
automatically.
To create a history identifier, use the rmon-history index command from any
configuration mode except boot configuration mode. The index variable is the
index number that identifies the history. Enter an integer from 1 to 65535.
For example, to create an RMON history identifier 5, access global configuration
mode and enter:
(config)# rmon-history 5


Note Some history index numbers are administratively predefined and
cannot be modified. If you enter an index number under
administrative control, a message similar to the following appears:
%% Index internally used. Administrative control not allowed.

After you create the identifier, the prompt changes to (config-rmonhistory[5]).
Now you can define the history, as described in “Setting the RMON History
Attributes” later in this chapter.

Modifying the Attributes for an Existing RMON History Configuration Identifier
When you have already created an RMON history identifier but you have not
activated it, you can modify its attributes.

Note If the history is activated, you cannot modify its settings. You must
delete the history, recreate it, and respecify its attributes.

To modify the attributes, you must access the RMON history configuration mode
for that history. To access this mode from any configuration mode except boot
configuration mode, use the rmon-history command. For example, to access the
mode for RMON history 5, access global configuration mode and enter:
(config)# rmon-history 5

To see a list of existing RMON histories, enter:
(config)# rmon-history ?

Note Some history index numbers are administratively predefined and
cannot be modified. If you enter an index number under
administrative control, a message similar to the following appears:
%% Index internally used. Administrative control not allowed.


To modify the history attributes, refer to “Setting the RMON History
Attributes” later in this chapter.

Deleting an RMON History Configuration Identifier


If you have an active RMON history configuration identifier that requires changes
to its attributes or you no longer need the identifier, delete it. Before you delete
the identifier that requires changes, note the settings for its attributes.
To delete an RMON history configuration identifier, use the no rmon-history
command. For example, to delete RMON history 5, access global configuration
mode and enter:
(config)# no rmon-history 5

After you delete the history identifier to change its attributes, recreate it as
described in “Creating a Configuration Identifier for an RMON History” earlier in
this chapter.

Setting the RMON History Attributes


After you create an RMON history or access RMON history configuration mode
for an existing inactive history, you can set its attributes as described in the
following sections:
• Defining the Data Object
• Assigning an Owner
• Defining the Bucket Count
• Defining the Bucket Interval
After you set the attributes, activate the history as described in “Activating an
RMON History Entry” later in this chapter.


Defining the Data Object


When you create a history, you must associate it with a CSS Fast Ethernet or
Gigabit Ethernet port. To define the data object, use the data-source port
command. The port is identified by an ifIndex data object identifier. For example,
if your CSS has 12 Ethernet ports, they have data object IDs of ifIndex.1 through
ifIndex.12. The Ethernet management port has an ID of ifIndex.14.
For example, to define Ethernet port 4, enter:
(config-rmonhistory[5])# data-source ifIndex.4

To see a list of data object IDs for all of the CSS Ethernet ports, enter:
(config-rmonhistory[5])# show interface

Assigning an Owner
You must define the entity that configured the RMON history and is using the
resources assigned to it. To define the owner, use the owner owner_name
command. The owner_name variable is an unquoted text string with a maximum
of 32 characters.
For example, to define an owner named Boston Tech Lab, enter:
(config-rmonhistory[5])# owner Boston_Tech_Lab

Defining the Bucket Count


You can define a bucket count which is the number of discrete sampling intervals
over which data is saved for a history entry. To define a bucket count, use the
requested-buckets count command. The count variable is an integer from 1 to
65535. The default is 50.
For example, to define a bucket count of 25, enter:
(config-rmonhistory[5])# requested-buckets 25


Defining the Bucket Interval


You can specify the time interval, in seconds, to take a bucket sample for an
RMON history operation. To set this interval, use the interval value command.
The value variable is the interval in seconds. Enter an integer from 1 to 3600. The
default is 1800 (30 minutes).
For example, to define a time interval of 60 seconds, enter:
(config-rmonhistory[5])# interval 60

Activating an RMON History Entry


After you configure the history attributes, you can activate the history for the port.
To activate an RMON history entry, use the active command.

Note Before activating this command, you must specify the owner for the
RMON history entry.

To activate the history, enter:
(config-rmonhistory[5])# active

Note Before you activate the history, make sure that you are finished
configuring it and are satisfied with its settings. After you activate a
history, you cannot modify its configuration settings. The only way
to change the history is to delete it, and then recreate it.


Viewing RMON Information


RMON information includes:
• Ethernet port statistics and history data that you can view from the CSS
through show commands.
• Alarm event notifications that are sent to log locations on the CSS or an
SNMP network management station. For information on configuring SNMP
on the CSS, refer to Chapter 9, Configuring Simple Network Management
Protocol (SNMP).
The following sections provide information on:
• Viewing Statistics
• Viewing History
• Viewing Events in a Log File

Viewing Statistics
RMON statistics provide a summary of data received in the Fast Ethernet or
Gigabit Ethernet ports. You can view them either in a CSS CLI session through
the show rmon command or directly through an SNMP network management
station by using ether-stats MIB objects (refer to RFC1398).
The CSS show rmon command allows you to display the extended 64-bit RMON
statistics for a specific Ethernet port or all Ethernet ports in the CSS. The CSS
Enterprise ap64Stats MIB defines these statistics. You can also display the
RFC1757 32-bit statistics by adding the -32 suffix to the show rmon command.
• To display the RMON statistics for all ports in the CSS, enter:
# show rmon

To display the RFC1757 32-bit statistics, enter show rmon-32.


• To display the RMON statistics for a specified port in the CSS, enter:
# show rmon port_name

The port_name variable is the name of the physical port (for example,
ethernet-4). Enter it as a case-sensitive unquoted text string.


To display the RFC1757 32-bit statistics, enter show rmon-32 port_name.


To see a list of ports, enter:
# show rmon ?

For example, to display the extended RMON statistics for the Ethernet-4 port in
the CSS, enter:
# show rmon ethernet-4

Table 10-4 lists and describes the fields in the show rmon output.

Table 10-4 Field Descriptions for the show rmon Command

Field                 Description
Bytes                 The total number of received bytes.
Packets               The total number of received packets (including bad
                      packets, broadcast packets, and multicast packets).
Broadcast Packets     The total number of good received packets that were
                      directed to the broadcast address. Note that this does
                      not include multicast packets.
Multicast Packets     The total number of good received packets that were
                      directed to a multicast address. This number does not
                      include packets directed to the broadcast address.
CRC Alignment Errors  The total number of packets received that had a length
                      (excluding framing bits, but including FCS octets)
                      between 64 and 1518 octets, inclusive, but had either
                      an FCS Error, a bad Frame Check Sequence (FCS) with an
                      integral number of octets, or an Alignment Error, a bad
                      FCS with a non-integral number of octets.
Oversize Packets      The total number of received packets that were longer
                      than 1518 octets (excluding framing bits, but including
                      FCS octets) and were otherwise well formed.
Undersize Packets     The total number of received packets that were less
                      than 64 octets long (excluding framing bits, but
                      including FCS octets) and were otherwise well formed.



Fragments             The total number of received packets that were less
                      than 64 octets in length (excluding framing bits but
                      including FCS octets) and had either an FCS Error, a
                      bad Frame Check Sequence (FCS) with an integral number
                      of octets, or an Alignment Error, a bad FCS with a
                      non-integral number of octets.
                      It is normal for fragment statistics to increment
                      because the CSS counts both runts (which are normal
                      occurrences due to collisions) and noise hits.
Drop Events           The total number of events in which packets were
                      dropped by the probe due to lack of resources. This
                      number is not necessarily the number of packets
                      dropped; it is the number of times this condition has
                      been detected.
Slobbers              An internal counter. This field will always be zero.
Jabbers               The total number of packets received that were longer
                      than 1518 octets (excluding framing bits, but including
                      FCS octets), and had either an FCS Error, a bad Frame
                      Check Sequence (FCS) with an integral number of octets,
                      or Alignment Error, a bad FCS with a non-integral
                      number of octets.
                      This definition of jabber is different than the
                      definition in IEEE-802.3 section 8.2.1.5, 10BASE5, and
                      section 10.3.1.4, 10BASE2. These documents define
                      jabber as the condition where any packet exceeds 20 ms.
                      The allowed range to detect jabber is between 20 ms and
                      150 ms.



Collisions            The best estimate of the total number of collisions on
                      this Ethernet segment.
                      The returned value depends on the location of the RMON
                      probe. Section 8.2.1.3, 10BASE-5, and section 10.3.1.3,
                      10BASE-2, of IEEE standard 802.3 state that a station
                      must detect a collision, in the receive mode, if three
                      or more stations are transmitting simultaneously. A
                      repeater port must detect a collision when two or more
                      stations are transmitting simultaneously. Thus, a probe
                      placed on a repeater port might record more collisions
                      than would a probe connected to a station on the same
                      segment.
                      Probe location plays a much smaller role when
                      considering 10BASE-T. IEEE standard 802.3 14.2.1.4,
                      10BASE-T defines a collision as the simultaneous
                      presence of signals on the DO and RD circuits
                      (transmitting and receiving at the same time). A
                      10BASE-T station can only detect collisions when it is
                      transmitting. Thus, probes placed on a station and a
                      repeater should report the same number of collisions.
                      Ideally, an RMON probe inside a repeater should report
                      collisions between the repeater and one or more other
                      hosts (transmit collisions as defined by IEEE 802.3k),
                      plus receiver collisions observed on any coax segments
                      to which the repeater is connected.



Packets (0-64)        The total number of packets (including bad packets)
Packets (65-127)      received that were between the following octets in
Packets (128-255)     length inclusive (excluding framing bits but including
Packets (256-511)     FCS octets):
Packets (512-1023)    • 0 to 64
Packets (1024-1518)   • 65 to 127
                      • 128 to 255
                      • 256 to 511
                      • 512 to 1023
                      • 1024 to 1518

Clearing RMON Statistics


To reset the RMON statistics on a CSS Ethernet port to zero, use the clear
statistics port_name command. The port_name variable is the name of the
physical port (for example, ethernet-4). Enter it as a case-sensitive unquoted text
string.
For example, to clear the statistics for Ethernet port 1, enter:
# clear statistics Ethernet-1

To see a list of ports, enter:
# clear statistics ?

Note When you reset RMON statistics on a CSS Ethernet port to zero, the
Ethernet errors and MIB-II statistics for the port are also reset to
zero.


Viewing History
You can display the default and configured RMON history information for a
specific Ethernet port or all Ethernet ports in the CSS. For information on
configuring an RMON history, refer to “Configuring an RMON History” earlier
in this chapter.
By default, the CSS maintains two tables of history statistics for each port. One
table contains the last 50 samples at 30-second intervals. The other table contains
50 samples at 30-minute intervals. You cannot modify the configuration for these
histories.
• To view the RMON history for all ports in the CSS, enter:
# show rmon-history

• To display the RMON history for a specified port, enter:
# show rmon-history port_name

To see a list of ports in the CSS, enter:
# show rmon-history ?

• To display the RMON history for a specified port and history index, enter:
# show rmon-history port_name history_index

For example, to view the history 5 for the Ethernet-4 port, enter:
# show rmon-history ethernet-4 5

To see a list of history indexes associated with a specified port, enter:
# show rmon-history port_name ?

For example, to see a list of histories for the Ethernet-4 port, enter:
# show rmon-history ethernet-4 ?


Table 10-5 lists and describes the fields in the show rmon-history output.

Table 10-5 Field Descriptions for the show rmon-history Command

Field       Description
Owner       The entity that configured the entry and is using the resources
            assigned to it.
Start Time  The time when the bucket sampling started.
Interval    The time interval in seconds when RMON takes a bucket sample.
Buckets     The number of discrete sampling intervals over which data is to
            be saved for the history.
Time        The time that the sample was taken.
Sample      The number of the sample.
Octets      The total number of octets of data (including those in bad
            packets) received on the network, excluding framing bits but
            including FCS octets.
            You can use this object as a reasonable estimate of Ethernet
            utilization. If greater precision is desired, sample the Ethernet
            statistic packet and octet objects before and after a common
            interval. The differences in the sampled values are packets
            (Pkts) and Octets, respectively, and the number of seconds in
            the Interval. These values are used to calculate the utilization
            of a 10 MB Ethernet port as follows:
            Utilization = (Pkts * (9.6 + 6.4) + (Octets * .8)) / (Interval * 10,000)
            The result of this equation is the utilization value, which is
            the utilization percentage of the Ethernet segment on a scale of
            0 to 100 percent.
Packets     The total number of received packets (including bad packets,
            broadcast packets, and multicast packets).
Errors      The total number of errors that RMON received for this port.
Util%       The bandwidth utilization percentage of the Ethernet segment
            on a scale of 0 to 100 percent.
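
The bucket count, the interval and the utilization formula in Table 10-5 together determine how far back a history reaches and what each Util% figure means. The following Python model is an added example, not Cisco code: the class name RmonHistory, the counter_bits parameter and the counter values fed to it are assumptions made for illustration; the ranges, defaults and formula are the ones given in this chapter.

```python
"""Added example: RMON history buckets and the Table 10-5 utilization formula."""
from collections import deque


def utilization_percent(pkts, octets, interval_s):
    """Utilization of a 10 Mb/s Ethernet segment, per Table 10-5.

    Each packet occupies 9.6 us of interframe gap plus 6.4 us of preamble,
    and each octet 0.8 us; dividing the busy microseconds by
    interval_s * 10,000 yields a percentage of the interval.
    """
    return (pkts * (9.6 + 6.4) + octets * 0.8) / (interval_s * 10_000)


class RmonHistory:
    """One history entry: interval, requested-buckets and the stored samples."""

    def __init__(self, interval=1800, requested_buckets=50, counter_bits=64):
        if not 1 <= interval <= 3600:
            raise ValueError("interval must be 1 to 3600 seconds")
        if not 1 <= requested_buckets <= 65535:
            raise ValueError("requested-buckets must be 1 to 65535")
        self.interval = interval
        # Only the newest requested_buckets samples are kept.
        self.buckets = deque(maxlen=requested_buckets)
        # Assumption of this model: counter width is selectable (64-bit
        # extended statistics or 32-bit RFC 1757 statistics).
        self._modulus = 2 ** counter_bits
        self._last = None
        self._sample_no = 0

    def retention_seconds(self):
        """How far back the stored buckets reach once the history is full."""
        return self.interval * self.buckets.maxlen

    def poll(self, total_pkts, total_octets):
        """Record one interval from the port's cumulative counters."""
        if self._last is not None:
            # Modular differences survive a single counter wrap.
            pkts = (total_pkts - self._last[0]) % self._modulus
            octets = (total_octets - self._last[1]) % self._modulus
            self._sample_no += 1
            self.buckets.append({
                "sample": self._sample_no,
                "packets": pkts,
                "octets": octets,
                "util": utilization_percent(pkts, octets, self.interval),
            })
        self._last = (total_pkts, total_octets)


def demo_history():
    """Constructed data: 30 one-minute samples, one busy minute, one wrap."""
    history = RmonHistory(interval=60, requested_buckets=25, counter_bits=32)
    pkts, octets = 0, 2 ** 32 - 285_000_000   # octet counter wraps at sample 10
    history.poll(pkts, octets)
    for n in range(1, 31):
        factor = 2 if n == 28 else 1          # sample 28 carries double traffic
        pkts = (pkts + 30_000 * factor) % 2 ** 32
        octets = (octets + 30_000_000 * factor) % 2 ** 32
        history.poll(pkts, octets)
    return history


if __name__ == "__main__":
    h = demo_history()
    print("retained samples:", h.buckets[0]["sample"], "to", h.buckets[-1]["sample"])
    print("retention window:", h.retention_seconds(), "seconds")
    busiest = max(h.buckets, key=lambda b: b["util"])
    print("busiest sample:", busiest["sample"], round(busiest["util"], 1), "%")
```

With 25 buckets at 60 seconds the history covers only the last 25 minutes, so an event older than that is no longer visible in this entry.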


Viewing Events in a Log File


The CSS can send notifications of RMON alarm events to a traplog file or a
configured log location, such as a log file on the CSS disk, a CSS session, host
syslog daemon, or an email address. The notification itself displays when the
event occurred, the event number, and its configured description in parentheses.
For example:
FEB 15 15:41:22 EVENT#4 FIRED: (Service Toys exceeded 30,000 connections).

For information on configuring an RMON event, refer to “Configuring an RMON
Event” earlier in this chapter. For information on configuring an RMON alarm,
refer to “Configuring an RMON Alarm” earlier in this chapter.
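
Notifications in this format can be paired off to show how long a monitored value stayed above its rising threshold. The following Python parser is an added example, not a Cisco tool: the log lines are constructed in the notification format shown above, the event numbers 1 (rising) and 2 (falling) follow the alarm examples in this chapter, and the year is passed in by the caller because the notification carries none.

```python
"""Added example: pair RMON rising/falling notifications from a CSS log."""
import re
from datetime import datetime

MONTHS = {name: number + 1 for number, name in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split())}
STAMP = r"(?P<mon>[A-Z]{3}) +(?P<day>\d{1,2}) (?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2})"
STAMP_RE = re.compile("^" + STAMP + " ")
# Assumption: the trailing period is optional, since the one sample on this
# page may owe its period to the surrounding sentence.
EVENT_RE = re.compile(
    "^" + STAMP + r" EVENT#(?P<event>\d+) FIRED: \((?P<desc>.*)\)\.?$")

# Constructed sample log; the third notification is wrapped over two lines.
SAMPLE_LOG = """\
FEB 15 15:41:22 EVENT#1 FIRED: (Service connections exceeded 100).
FEB 15 15:44:52 EVENT#2 FIRED: (Service connections are below 90).
FEB 15 16:02:10 EVENT#1 FIRED: (Service connections exceeded
100).
FEB 15 16:30:40 EVENT#2 FIRED: (Service connections are below 90).
FEB 15 17:05:00 EVENT#1 FIRED: (Service connections exceeded 100).
"""


def parse_events(text, year):
    """Return (datetime, event number, description) for each notification."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP_RE.match(line) or not records:
            records.append(line)          # a new timestamped record
        else:
            records[-1] += " " + line     # continuation of a wrapped record
    events = []
    for record in records:
        match = EVENT_RE.match(record)
        if not match or match["mon"] not in MONTHS:
            continue                      # not an RMON event notification
        when = datetime(year, MONTHS[match["mon"]], int(match["day"]),
                        int(match["hh"]), int(match["mm"]), int(match["ss"]))
        events.append((when, int(match["event"]), match["desc"]))
    return events


def excursions(events, rising_event=1, falling_event=2):
    """Pair each rising event with the next falling event.

    Returns (start, end, seconds) tuples; end and seconds are None when the
    log ends before the falling event arrives.
    """
    spans, start = [], None
    for when, event, _description in events:
        if event == rising_event and start is None:
            start = when
        elif event == falling_event and start is not None:
            spans.append((start, when, int((when - start).total_seconds())))
            start = None
    if start is not None:
        spans.append((start, None, None))
    return spans


if __name__ == "__main__":
    for start, end, seconds in excursions(parse_events(SAMPLE_LOG, 2001)):
        print(start, "->", end if end else "still above threshold", seconds)
```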

Viewing a Traplog File


A trap log file is an ASCII file in the log directory containing generic and
enterprise SNMP traps. No configuration is necessary. When an RMON alarm
event occurs, a notification of its occurrence is saved in the trap log file on the
CSS automatically.

Note The traps sent to the traplog file are the same traps sent to an SNMP
network management station. For information on configuring SNMP
refer to Chapter 9, Configuring Simple Network Management
Protocol (SNMP).

To display all SNMP traps that have occurred on the CSS, enter:
# show log traplog

Note Even though traps are disabled, the CSS still produces a log message
for any event that would normally generate a trap.


Viewing a CSS Disk Log File


Before the CSS can send an event to a log location, you must:
• Configure the location by using the logging disk, host, line, or sendmail
command.
• Enable logging for the network management subsystem. To do so, enter:
(config)# logging subsystem netman level info-6

To view the events in a log file on the CSS disk, use the show log log_filename
command. For example, to view a log file named log1, enter:
# show log log1


RMON Configuration in a Startup-Config File


The following example shows an RMON configuration in a startup-config file.
!************************ RMON EVENT *************************
rmon-event 1
  active
  description "Service connections exceeded 100"
  owner "Boston Tech Lab"
  community moonbase_alpha
  type log-and-trap

rmon-event 2
  active
  description "Service connections are below 90"
  owner "Boston Tech Lab"
  community moonbase_alpha
  type log-and-trap

!************************* RMON ALARM *************************
rmon-alarm 1
  active
  owner "Boston Tech Lab"
  sample-variable apSvcConnections.
  sample-type absolute
  startup-type rising-and-falling
  rising-threshold 100
  rising-event 1
  falling-threshold 90
  falling-event 2
  sample-interval 30

!************************ RMON HISTORY ************************
rmon-history 5
  active
  owner Boston_Tech_Lab
  data-source ifIndex.3
  interval 60
  requested-buckets 25

APPENDIX A
Upgrading Your CSS Software

Cisco Systems periodically releases new software versions for the CSS. To help
you upgrade your CSS with a new software release, this appendix provides the
following information:
• Before You Begin
• Upgrading your CSS
• Copying Custom Scripts

Before You Begin


Before you can upgrade your CSS, copy the new CSS software to your FTP server
and configure an FTP server record for the FTP server on your CSS. To display
the maximum number of installed versions allowed on your hard disk or flash
disk, use the show installed-software version-limit command.

Copying the New CSS Software


ArrowPoint Distribution Images (ADIs) of the CSS software versions are on
Cisco Connection Online (CCO), available at the Cisco Systems Web site
(www.cisco.com). Use your customer login and password to access this page.
From this location, you can access the page listing the versions of
GZIP-compressed software. Click an image to download. Once the image is
downloaded, place it on an FTP server which the CSS can access.


Note: You do not need to uncompress the GZIP-compressed software. When you
copy it or the upgrade script copies it to the CSS, the CSS uncompresses it.

Configuring an FTP Server Record on the CSS


Before you can copy the ADI from the FTP server to the CSS, you must create an
FTP record file on the CSS that identifies the server. The record contains the
IP address, username, and password for the server. To configure an FTP server
record:
1. Log into the CSS.
2. Access global configuration mode. For example:
# config
(config)#

3. Configure the default FTP server by using the ftp-record command. The
syntax is:
ftp-record ftp_record ip_or_host username
["password"|encrypted-password encrypted_pwd] {base_directory}

The variables are:


• ftp_record - Name for this FTP record file. Enter an unquoted text string
with no spaces and a maximum length of 32 characters.
• ip_or_host - IP address or host name of the FTP server you want to
access. Enter an IP address in dotted-decimal notation (for example,
192.168.11.1) or a mnemonic host name (for example,
myhost.mydomain.com).
• username - Valid login username on the FTP server. Enter a
case-sensitive unquoted text string with no spaces and a maximum length
of 32 characters.
• password - Password for the valid login username on the FTP server.
Enter a case-sensitive quoted text string with no spaces and a maximum
length of 16 characters.

• encrypted_pwd - Encrypted password for the valid login username on the
FTP server. Enter a case-sensitive unquoted text string with no spaces
and a maximum length of 16 characters after the encrypted-password
option.
• base_directory - Optional base directory when using this record.
For example:
(config)# ftp-record DEFAULT_FTP 192.168.2.01 eng1
encrypted-password serve

You can now upgrade your CSS.

Upgrading your CSS


You can upgrade your CSS software by either:
• Using the Upgrade Script
• Manually Upgrading the CSS

Using the Upgrade Script


The upgrade script allows you to upgrade your CSS without having to enter any
CLI commands. There are two ways to run the script:
• Automatically Running the Upgrade Script
• Interactively Using the Upgrade Script

Automatically Running the Upgrade Script


You can run the upgrade script to perform the software upgrade without having to
enter any information. The script automatically:
• Checks how many software versions are installed on the CSS.
On a hard disk-based system, if there are four installed versions (the
maximum), the script deletes an older version. On a flash disk-based system
(CSS 11150 or CSS 11800), if there are two installed versions (the
maximum), the script deletes the older version.


Note: The script will not offer to delete a version that you have configured
as the primary or secondary boot file. On a flash disk-based system,
you may need to quit and then deselect the primary or secondary
boot file before continuing with the upgrade.

• Archives the running-config to startup-config.


• Copies the new ADI to the CSS boot-image directory.
• Unpacks the new ADI.
• Sets the primary boot-file to the new ADI.
• Reboots the CSS.
To automatically upgrade your CSS software using the upgrade script:
1. Log into the CSS.

Note: If you created additional profiles on the CSS, archive them
by using the archive script or save_profile command. After
the upgrade is done, use the restore filename script
command to restore the profile you archived.

2. Start the upgrade script and include the name of the ADI and its extension in
quotes.
• If you are using a GZIP-compressed ADI from the FTP server, include
the gz file extension. For example:
# upgrade "ap0500002.gz"

• If you are using an uncompressed version of the ADI from the FTP
server, include the adi file extension. For example:
# upgrade "ap0500002.adi"

If you did not configure a default FTP record before starting the upgrade
script, you are prompted to configure one. You can either:
• Allow the CSS to automatically configure a record to the server
containing the ADI.
• At the prompts, manually configure the FTP record by entering the FTP
server information where you copied the upgrade ADI.


When a default FTP record is configured, information similar to the
following appears during the upgrade:
Current Version:ap0500002 (Build 2)

*** You must remove an installed version to upgrade. ***

Attempting to delete ap0410008

archive running-config startup-config

Attempting ftp of ap0500002.adi:


# copy ftp DEFAULT_FTP ${new_version_adi} boot-image
Copying (-) 57,241,012
Completed successfully.
#(config-boot)#
unpack ${new_version_adi}
Unpacking(/) 99%
(config-boot)#
setting primary boot-file ap0500002

rebooting

The CSS automatically performs a flash upgrade, if necessary, and then boots the
new image.

Interactively Using the Upgrade Script


The upgrade script allows you to enter information and make selections by
responding to prompts as it runs. Before the script performs the upgrade, it
prompts you to:
• Remove ADIs from the CSS if the script detects four installed versions on a
hard disk-based system or two versions on a flash disk-based system (CSS
11150 or CSS 11800)
• Enter the version of the new ADI
• Set the primary boot-file to the new ADI
• Reboot the CSS with the ADI you are installing after the upgrade is done
• Archive the running-config to startup-config


To use the interactive version of the script:


1. Log into the CSS.

Note: If you created additional profiles on the CSS, archive them
by using the archive script or save_profile command. After
the upgrade is done, use the restore filename script
command to restore the profile you archived.

2. Start the upgrade script. For example:


# upgrade

If you did not configure a default FTP record before starting the upgrade
script, you are prompted to configure one. You can either:
• Allow the CSS to automatically configure a record to the server
containing the ADI.
• At the prompts, manually configure the FTP record by entering the FTP
server information where you copied the upgrade ADI.
When a default FTP record is configured, the script displays the current
version of the ADI.
Current Version: ap04100008 (Official)

A hard disk-based CSS can contain a maximum of four ADIs. A flash
disk-based CSS (CSS 11150 or CSS 11800) can contain a maximum of two
ADIs. If the script detects the maximum number of ADIs, a message informs
you that you need to remove an ADI. Then the script prompts you to remove
an older ADI. For example:
*** You must remove an installed version to upgrade.***

remove ap0410008 [y n q]?

Note: The script will not offer to delete a version that you have configured
as the primary or secondary boot file. On a flash disk-based system,
you may need to quit and then deselect the primary or secondary
boot file before continuing with the upgrade.


3. If necessary, remove the ADI.


• Enter y to remove the displayed ADI version.
• Enter n for the script to display another version to remove.
• Enter q to exit from the script.
remove ap0410008 [y n q]?y

Attempting to delete ap0410008

4. At the prompt, enter the file name and extension of the GZIP-compressed
ADI version to install, and verify the information you entered. For example:
Please Enter Version to Install:ap0500002.gz

Note: If you are using an uncompressed version of the ADI from the FTP
server, include the adi file extension (for example, ap0500002.adi).

Upgrade to Version ap0500002? [y n q] y

5. Determine whether to set the ADI as the primary boot-file.


• Enter y to set the ADI as the primary boot-file and change the CSS
configuration.
• Enter n to keep the same primary boot-file configuration.
Set primary boot-file to Version ap00410004? [y n q] y

6. Determine whether to have the CSS reboot with the ADI you are installing.
• Enter y to reboot the CSS with this ADI after the upgrade is done.
• Enter n to not reboot the CSS with the ADI after the upgrade is done.
Reboot with Version ap0500002? [y n q] n

7. Determine whether to have the CSS archive the running-config to the
startup-config.
• Enter y to archive the running-config to the startup-config.
• Enter n to keep the same startup-config.
Archive running-config to startup-config? [y n q] y

archive running-config startup-config


The script copies the ADI from the FTP server, unpacks and installs it, and
sets it as the primary boot-file.
Attempting ftp of ap0500002.gz:

# copy ftp DEFAULT_FTP ${new_version_adi} boot-image

Copying (-) 57,241,012

Completed successfully.
#
(config-boot)# unpack ${new_version_adi}

unpacking(/) 99%

(config-boot)#

setting primary boot-file ap0500002

If you decided to reboot the CSS with the installed ADI in Step 6, the CSS reboots
automatically. If you made the ADI the primary boot-file and archived the
running-config to the startup-config, the CSS automatically performs a flash
upgrade, if necessary, and then boots the new image.
To manually reboot the system, enter the following commands:
(config)# boot
(config-boot)# reboot

Manually Upgrading the CSS


You can manually enter CLI commands to upgrade the CSS.

Note: Make sure that you configure a default FTP server, as described in
the “Before You Begin” section earlier in this appendix.

To manually upgrade the software version on your CSS:


1. Log onto the CSS.
2. If necessary, remove an older version of the ADI from the CSS. A hard
disk-based CSS can contain a maximum of four ADIs. A flash disk-based
CSS (CSS 11150 or CSS 11800) can contain a maximum of two ADIs.


Caution: Do not remove the ADI currently running on the CSS. Use the
version command to see the currently running software version.

To remove an ADI:
a. List the ADIs on the CSS. For example:
(config)# show installed-software
ap0401003
ap0410008
ap0500002

b. Access boot mode:


(config)# boot
(config-boot)#

c. Use the remove command to remove the ADI. For example:


(config-boot)# remove ap0410008

3. Archive your running-config to startup-config. For example:


# config
(config)# archive running-config startup-config

You can also use the save_config alias to archive your startup-config. To
view all available aliases, use the show aliases command.

Caution: If you created additional profiles on the CSS, archive them by using
the archive script or save_profile command. After the upgrade is
done, use the restore filename script command to restore the profile
you archived.

4. Copy the new ADI onto the CSS as the boot-image.


(config-boot)# exit

(config)# copy ftp DEFAULT_FTP ap0500002.gz boot-image

DEFAULT_FTP is the FTP record file defined in “Configuring an FTP
Server Record on the CSS”.


When you copy a GZIP-compressed ADI onto the CSS, the CSS
automatically uncompresses it.

Note: If you are copying an uncompressed version of the ADI from
the FTP server, include the adi file extension (for example,
ap0500002.adi).

5. Unpack the ADI.


(config)# boot
(config-boot)# unpack ap0500002.adi

6. Set the new ADI as the primary boot-file and install it.
(config-boot)# primary boot-file ap0500002

7. Reboot the system.


(config)# boot
(config-boot)# reboot

The CSS automatically performs a flash upgrade, if necessary, and then boots the
new image.
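
The manual procedure above as a small planner, added here as an example and not Cisco's upgrade script: given the installed ADIs, the running image and the boot-file settings, it applies the version limits and the do-not-remove rules from this appendix and returns the commands in order. Treating the lowest version name as the oldest image, the ap<digits> name pattern, and the versions ap0400001 and ap0410004 in the sample are assumptions.

```python
import re

# Maximum number of installed ADIs per disk type, as stated in this appendix.
VERSION_LIMIT = {"hard": 4, "flash": 2}

# Name pattern inferred from the page's examples (ap0500002); an assumption.
ADI_NAME = re.compile(r"^ap\d+$")
IMAGE_FILE = re.compile(r"^(ap\d+)\.(gz|adi)$")


def parse_installed(show_output):
    """Extract ADI names from `show installed-software` output, in listed order."""
    return [tok for tok in (line.strip() for line in show_output.splitlines())
            if ADI_NAME.match(tok)]


def removal_candidates(installed, running, primary=None, secondary=None):
    """ADIs that can be removed: not the running image, not a configured boot file."""
    protected = {running, primary, secondary}
    return [name for name in installed if name not in protected]


def plan_upgrade(image_file, installed, running, disk,
                 primary=None, secondary=None, ftp_record="DEFAULT_FTP"):
    """Return the manual-upgrade commands as (prompt, command) pairs."""
    match = IMAGE_FILE.match(image_file)
    if match is None:
        raise ValueError("image file must be named <version>.gz or <version>.adi")
    if disk not in VERSION_LIMIT:
        raise ValueError("disk must be 'hard' or 'flash'")
    version = match.group(1)
    if version in installed:
        raise ValueError(f"{version} is already installed")

    steps = []
    if len(installed) >= VERSION_LIMIT[disk]:
        candidates = removal_candidates(installed, running, primary, secondary)
        if not candidates:
            raise RuntimeError("every installed ADI is running or configured as a "
                               "boot file; deselect a boot file before upgrading")
        # Assumption: the lowest version string is the oldest image.
        steps += [("(config)#", "boot"),
                  ("(config-boot)#", f"remove {min(candidates)}"),
                  ("(config-boot)#", "exit")]
    steps += [
        ("(config)#", "archive running-config startup-config"),
        # copy takes the file name as stored on the FTP server ...
        ("(config)#", f"copy ftp {ftp_record} {image_file} boot-image"),
        ("(config)#", "boot"),
        # ... unpack takes the .adi name, and primary boot-file the bare version.
        ("(config-boot)#", f"unpack {version}.adi"),
        ("(config-boot)#", f"primary boot-file {version}"),
        ("(config-boot)#", "reboot"),
    ]
    return steps


# Constructed sample: two versions from the page's listing plus two made-up
# ones (ap0400001, ap0410004), filling a hard disk to its limit of four.
SHOW_INSTALLED = """\
ap0400001
ap0401003
ap0410004
ap0410008
"""

if __name__ == "__main__":
    installed = parse_installed(SHOW_INSTALLED)
    for prompt, command in plan_upgrade("ap0500002.gz", installed,
                                        running="ap0410008", disk="hard",
                                        primary="ap0410008", secondary="ap0401003"):
        print(prompt, command)
```

On a flash disk-based system whose two installed ADIs are the primary and secondary boot files, the planner raises an error instead of proposing a removal, matching the note that you must deselect a boot file first.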

Copying Custom Scripts


When you upgrade the WebNS software in your CSS, the upgrade process creates
a new /<current running version>/script directory. You must copy your custom
scripts (including custom script keepalives) to the new /<current running
version>/script directory so that the CSS can find them.
Use the following procedure to ensure that your custom script keepalives operate
properly after upgrading the CSS software.
1. Upgrade the WebNS software in your CSS.
2. Copy the scripts from the old /<current running version>/script directory to
the new /<current running version>/script directory.
3. Reboot the CSS.

I N D E X

removing 2-11, A-9


A
unpacking 2-11
absolute sampling 10-16 administrative password
ACA changing 1-6
load balancing 7-24 setting 1-41
using with server weight and load 5-7 administrative username
ACLs changing 1-6
disabling logging globally 8-13 setting 1-41
global bypass counter 6-8 advanced balance string, configuring for
logging activity 8-13 service 5-37

running-config, displaying in 1-54, 1-58 advanced options for Offline Diagnostic


Monitor menu 1-39
activating
agent
content rule 7-21
CSS as SNMP agent, defining 9-10
global keepalive 5-17
MIB 9-5
RMON alarm 10-19
overview 9-3
RMON event 10-9
SNMP 9-3
RMON history 10-24
aging time, configuring for bridging 3-29
service 5-52
alternate configuration path 1-28, 2-22
active SCM, copying boot configuration
record 2-21 Application Program Interface (API),
configuring 2-42
adding
application type, specifying in a content
domain name service to content rule 7-20 rule 7-44
service to content rule 7-18 archive directory
sorry server to content rule 7-19 archiving files to 1-59
ADI clearing 1-60

Cisco Content Services Switch Basic Configuration Guide


78-11424-03 IN-1
Index

restoring files from 1-61


B
archiving
files, viewing 1-51 balance type
files to the archive directory 1-59 for DNS 7-26
log files 1-59 load balancing 7-24
log files, restoring 1-61 billing information, specifying for owner 6-4
running-config 1-60 boot.bak 8-2
script, restoring 1-62 boot.log 1-50, 8-2
scripts 1-60, A-4 boot configuration
startup-config 1-60 copying configuration record 2-21
startup-config, restoring 1-62 displaying 1-38
ARP flowchart 1-25
clearing parameters 3-7 menu 1-25
configuring for CSS 3-5 menu options 1-26
displaying information 3-8 mode 2-10
timeout, configuring 3-6 path, specifying secondary 2-15
updating parameters 3-7 specifying secondary 2-14
wait time, configuring 3-7 boot-file
ArrowPoint Content Awareness. See ACA specifying primary 2-12
ArrowPoint Distribution Image. See ADI specifying secondary 2-14
assigning booting the CSS 1-22
content rule to owner 7-6 boot mode configuration commands 2-10
IP address for a circuit 4-30 boot-type
IP address for management port 1-11 primary, specifying 2-12
IP address to a service 5-34 secondary, specifying 2-15
subnet mask for CSS 1-12 bridge
subnet mask for management port 1-11 aging time, configuring 3-29
VIP to owner content 7-7 configuring for CSS 3-29
audience xxx forward time, restoring default value 3-30

Cisco Content Services Switch Basic Configuration Guide


IN-2 78-11424-03
Index

hello time, configuring 3-30 case-sensitivity, specifying for content


requests 6-5
interface to a VLAN, configuring 4-10
caution
max age, configuring 3-30
ADI, removing A-9
pathcost, configuring 4-11, 4-14
archiving profiles A-4
priority, configuring (for an interface) 4-11,
4-12, 4-14, 4-15 clearing the running configuration 1-54
priority, configuring (for CSS) 3-31 community strings for SNMP 9-12
priority, configuring (for trunked creating/modifying username or
interface) 4-15 password 1-8
showing configurations 3-32 deleting administrative
username/password 1-41
spanning tree, enabling 3-31
Ethernet Management port IP address,
state, configuring 4-12, 4-15
configuring 1-37
viewing statistics 9-24
Ethernet Management port subnet
broadcast IP address, restoring 4-31 address 1-12
bucket existing username, removing 1-10
count 10-23 ip record-route, enabling 3-14
interval for an RMON history 10-24 keepalive type maximum 5-15, 5-17, 5-44
bypass password-protecting Offline DM Main
caches 7-42 menu 1-40

for failover 7-42 port-resets, disabling 2-40

parameter bypass 7-46 shutting down an interface 4-25

persistence 7-34, 7-36 smurf attacks 3-20

transparent caches 7-46 spanning-tree, disabling 3-31


symbol overview xxxiii
undoing restrictions for user database 1-7
C VIP addresses, configuring 7-7

cache changing

bypass, configuring for a service 5-41, 5-42, administrative password 1-6


5-43 administrative username 1-6
bypassing transparent cache 7-46 CLI prompt 2-7

Cisco Content Services Switch Basic Configuration Guide


78-11424-03 IN-3
Index

RMON alarm attributes 10-13 command scheduler 2-47


RMON event attributes 10-6 content API, configuring 2-42
RMON history attributes 10-21 conventions xxxiv
user directory access privileges 1-9 conventions in XML code 2-43
user password 1-10 displaying CSS configurations 1-64
check disk Ethernet management port usage 1-11
disabling or enabling on the disk 1-46 expert mode 2-38
performing on the disk 1-44 hierarchy in XML code 2-43
checksum, calculated for Web page 5-49 prompt, changing 2-7
circuit terminal screen output lines, configuring 2-4
IP interface, configuring 4-30 User commands versus SuperUser
commands 1-8
overview 4-1
quick start 4-4 command scheduler
configuring 2-47
showing 4-28
circuit IP displaying records 2-49

broadcast address, configuring 4-31 configuration quick start


content rule 7-5
disabling 4-33
enabling 4-33 initial CSS configuration 1-3

IP address, configuring 4-30 interface and circuit 4-4

redirects, configuring 4-31 logging 8-4

removing 4-31 owner 6-2

clearing RMON alarm 10-11

archive directory 1-60 RMON event 10-4


service 5-4
ARP parameters 3-7
configuring
RMON statistics 10-29
bridging for CSS 3-29
running-config 1-54
circuit 4-26
startup-config 1-54
circuit IP address 4-30
CLI
commands, logging to sys.log 8-14 circuit IP interface 4-30
content rule port information 7-23

Cisco Content Services Switch Basic Configuration Guide


IN-4 78-11424-03
Index

CSS as RADIUS client 2-28 content


domain name in a content rule 7-10 API, configuring 2-42
ECMP 3-15 case-sensitivity 6-5
flow parameters 2-39 EQL in a URL, specifying 7-32
FTP server record A-2 removing from owner 7-6, 7-22
global keepalive 5-16 showing 7-47
hotlist attributes for content rules 7-27 URL, specifying 7-30
interface 4-6, 4-7 content API
IP for CSS 3-14 creating XML code 2-42
IP route 3-16 mode hierarchy 2-43
IP source route 3-19 parsing XML code 2-45
IP subnet broadcast 3-20 content requests
load balancing 7-24 activating a service 5-52
protocol for a content rule 7-23 case-sensitivity 6-5
RIP for CSS 3-10 domain name and VIP specific 7-13
RIP for IP interface 4-35 enabling to bypass transparent caches 7-46
RMON alarm 10-9 failover 7-41
RMON event 10-4 global bypass counters 6-8
RMON history 10-19 multiple domain names 7-12
router-discovery 4-26 primary sorry server redirects 7-19
service 5-33 redirecting to a service 5-39
service keepalive 5-43 content rule
SNTP server operation 1-18 activating 7-21
time, date, and timezone 1-14 assigning to owner 7-6
user name and password 1-8 configuration quick start 7-5
virtual IP address 7-7 defining failover 7-41
console description 7-2
authentication, configuring 2-36 domain name, configuring 7-10
enabling access 2-37 domain name and VIP, using 7-13
restricting access to the CSS 2-37 domain name service, adding 7-11, 7-20

Cisco Content Services Switch Basic Configuration Guide


78-11424-03 IN-5
Index

domain name wildcards, specifying 7-16 idle timeout, configuring 2-26


hotlist, configuring 7-27 logging functions 8-4
layer 3, layer 4, layer 5 7-3 logging in 1-6
overview 5-2, 7-2 MIBs 9-26
persistence 7-34, 7-35 opportunistic layer 3 forwarding 3-37
port information, configuring 7-23 rebooting 1-22
primary sorry server, adding 7-19 restricting access to 2-37
protocol, configuring 7-23 RIP, configuring 3-10
purpose 5-2, 7-3 shutting down 1-22
redirecting requests 7-33 smoothing bursty network traffic in GEM
(CSS 11800) 4-16
removing 7-22
removing service 5-53 SNMP, controlling access 9-8

secondary sorry server, adding 7-20 user terminal parameters, configuring 2-3

service, adding 7-17 control ports, reclaiming 2-40

showing 7-48 copying


boot configuration record 2-21
specifying load threshold 7-33
suspending 7-21 core dumps to FTP or TFTP server 1-63

wildcards in domain names 7-12, 7-15 core dumps to TFTP server 1-64

Content Services Switch log files to FTP or TFTP server 8-19

11050 port designation 4-6 log files to FTP server 1-63, 8-19

11150 port designation 4-6 log files to TFTP server 8-20

11800 slot/port designation 4-6 new software to CSS A-1

assigning a subnet mask 1-11, 1-12 user profiles 2-8


core directory 1-51
booting from a network drive 2-21, 2-22
core dumps
bridging, configuring 3-29
copying to an FTP or TFTP server 1-63
controlling remote access to 2-38
copying to TFTP server 1-64
displaying configurations 1-64
CSS. See Content Services Switch
flow parameters, configuring 2-39
host name, configuring 2-26
HTTP server, controlling access 2-45

Cisco Content Services Switch Basic Configuration Guide


IN-6 78-11424-03
Index

buffer size, specifying for logging 8-6


D
CSS drive failure (network boot) 1-28
date, configuring 1-14, 1-17 disabling logging to 8-7
default VLAN, restoring 4-11, 4-13 disabling or enabling check disk 1-46
deleting software from the disk 1-39 module, restoring files from archive
delta sampling 10-16 directory 1-61

Denial of Service (DoS) options, Offline Diagnostic Monitor


menu 1-42
configuring using SNMP 9-17
performing a check disk 1-44
displaying 9-19
reformatting the disk (Disk Option
SNMP trap-type, defining 9-18 menu) 1-42
directory access privileges (username) 1-9 running check disk on the disk (Disk Options
disabling menu) 1-42
bridge spanning tree 3-31 software version, deleting 1-39
channels in GEM (CSS 11800) 4-16 specifying for log file destination 8-6
check disk 1-46 disk log file for an RMON event 10-33
circuit IP 4-33 displaying
circuit IP unreachables 4-32 content 7-47
core dumps 1-48 CSS configurations 1-64
DNS in a content rule 7-11 hardware information 1-65
hotlist 7-27 history buffer 2-7
implicit service for static route next hop 3-19 log files 8-15
logging 8-11 software information 1-65
logging to disk 8-7 username 1-10
router discovery 4-32 DNS
Telnet access for SSHD 3-36 configuring for CSS 3-1, 3-2
Telnet for use with SSHD 3-34 dnsbalance, leastloaded 7-26
disk dnsbalance, preferlocal 7-26
boot, primary boot record 1-31 dnsbalance, roundrobin 7-26
boot, secondary boot record 1-36 primary server for CSS, configuring 3-2

Cisco Content Services Switch Basic Configuration Guide


78-11424-03 IN-7
Index

resolve for CSS, configuring 3-3 specifying for owner 6-6


secondary server for CSS, configuring 3-3 enterprise MIBs 9-7
specifying suffix 3-4 EQL, specifying in a URL 7-32
type, specifying for owner 6-5 Ethernet management port
documentation IP address and subnet mask,
configuring 1-11
audience xxx
statistical data 10-19
chapter contents xxx
set xxxii viewing statistics 9-24, 10-25

symbols and conventions xxxiii european date, configuring 1-17

domain hotlist, configuring 7-29 expert mode 2-6

domain names Extension Qualifier List. See EQL

content rule, configuring in a 7-10


service, adding to content rule 7-11, 7-20 F
specifying 5-36
using in a content rule 7-13 failover

using wildcards in content rules 7-16 bypass 7-42

DOS. See Denial of Service defining for a content rule 7-41

DQL, adding to a content rule 7-30 linear 7-42

duplex, configuring for interface 4-7 next 7-42


falling threshold for an RMON alarm 10-17
file destination, specifying for logging 8-6
E flash disk
installed software versions A-3
ECMP
logging to 8-2
configuring 3-15
flow
IP address, configuring 3-15
dropping long-lived idle connections 2-39
no-prefer-ingress, configuring 3-15
maintaining long-lived idle connections 2-39
recovering from a failed router 3-16
parameters, configuring 2-39
round-robin, configuring 3-15
statistics, showing 2-41
email address
forward time, configuring for bridging 3-29
sending log messages to 8-14

Cisco Content Services Switch Basic Configuration Guide


IN-8 78-11424-03
Index

FTP hardware, displaying chassis information 1-65


boot, primary boot record 1-30 hash
boot, secondary boot record 1-35 balance domainhash 7-24
copying log files to server 1-63, 8-19 balance urlhash 7-25
enabling access 2-37 global keepalive, configuring for 5-23
ftp-control, specifying application type 7-45 keepalive, configuring for 5-49
reclaiming reserved control ports 2-40 XOR hash 7-24, 7-25
record, configuring 1-20 hello time, configuring for bridging 3-30
restricting access to the CSS 2-37 history buffer
FTP server displaying 2-7
copying core dumps to 1-63 modifying 2-7
copying files from 1-21 host, specifying as log file destination 8-7
copying log files to 8-19 host name, configuring 2-26
record, configuring A-2 hotlist
content rules, configuring for 7-27
disabling 7-27
G
domains, configuring for 7-29
global bypass counters enabling 7-27
descriptions 6-8 HTTP
in show summary command 6-8 cookie, configuring for a service 5-37
global keepalive mode. See keepalive keepalive, specifying a URI 5-19, 5-46
keepalive method 5-19
port number for global keepalives 5-19
H redirection 7-34, 7-37
hard disk server, configuring on CSS 2-45
directory structure 1-50 service remapping 7-37
failure, using network boot 2-22 specifying as application type in a content
rule 7-45
installed software versions A-3
status code 302 7-33
logging to 8-2

Cisco Content Services Switch Basic Configuration Guide


78-11424-03 IN-9
Index

IP
I
configuration, showing 3-21
ICMP redirect message transmission, record route, configuring 3-14
disabling 4-31
redundancy, configuring 3-15
idle timeout, configuring for all sessions 1-64
route, configuring 3-16
install new software 1-30, 1-35, A-1
route, displaying configurations 3-23
interface
route, removing 3-18
bridging to VLAN 4-10
source route, configuring 3-19
configuring 4-6
statistics, displaying configurations 3-25
describing 4-7
subnet broadcast, configuring 3-20
displaying statistics 4-20
summary, displaying 3-25
duplex and speed, configuring 4-7
IP address
layer, restarting 4-25
configuring using Offline Diagnostic
maximum idle time, configuring 4-9 Monitor menu 1-37
overview 4-1 Ethernet management port, configuring
quick start 4-4 for 1-11

restarting 4-25, 4-26 finding 2-38

RIP, configuring 4-35 management port 1-11

showing 4-19 removing from circuit 4-31

showing duplex and speed 4-9 IP ECMP

showing Ethernet errors 4-23 address, configuring 3-15

shutting down 4-25 no-prefer-ingress, configuring 3-15

smoothing bursty network traffic in GEM round-robin, configuring 3-15


(CSS 11800) 4-16 IP interfaces
speed, configuring 4-7 displaying configurations 3-22
starting 4-25 showing 4-33
trunking to VLAN 4-12 stopping RIP 4-35
internal disk module directory structure 1-50
Internet Assigned Name Authority 7-7
internet service providers 7-7

Cisco Content Services Switch Basic Configuration Guide


IN-10 78-11424-03
Index

URI, configuring (global) 5-22


K
URI, configuring (service) 5-49
keepalive
activating global 5-17
associating service to global keepalive 5-22
L
checksums for URI 5-49 Layer 3 content rule description 7-3
description, configuring (global) 5-17 Layer 4 content rule description 7-3
frequency, configuring (global) 5-17 Layer 5 content rule
frequency, configuring (service) 5-45 description 7-3
global keepalive, creating 5-16 specifying application type 7-44
global mode 5-15 load
hash, configuring (global) 5-23 age out timer, configuring 5-12
hash, configuring (service) 5-49 configuring for services 5-9
IP address, configuring (global) 5-18 reporting, configuring 5-11
maxfailure, configuring (global) 5-18 showing for services 5-13
maxfailure, configuring (service) 5-46 step, configuring for services 5-9
maximum keepalive types 5-15, 5-27, 5-44 tear down timer, configuring 5-11
method, configuring (global) 5-19 load balancing
method, configuring (service) 5-46 ACA 7-24
port, configuring (global) 5-19 configuring 7-24
port, configuring (service) 5-47 destip 7-24, 7-41
retry period, configuring (global) 5-20 domain 7-24, 7-41
retry period, configuring (service) 5-47 domainhash 7-24, 7-41
script 5-27, 5-30, 5-31, 5-32, A-10 least connection 7-25
service, configuring for 5-43 roundrobin 7-25
showing configurations 5-24, 5-51 srcip 7-25, 7-41
suspend, configuring (global) 5-20 url 7-25, 7-41
type, configuring (global) 5-21 urlhash 7-25, 7-41
type, configuring (service) 5-47 weighted roundrobin 7-25

Cisco Content Services Switch Basic Configuration Guide


78-11424-03 IN-11
Index

load threshold subsystems 8-8


configuring for services 5-10 to disk, disabling 8-7
specifying for content rule 7-33 to host, disabling 8-7
log files turning off from disk 8-7
archiving 1-59 turning off from host 8-7
boot 1-50 log messages
copying to an FTP or TFTP server 8-19 sending to an email address 8-14
copying to FTP server 1-63, 8-19 subsystem, configuring for 8-11
copying to TFTP server 8-20
destination, specifying disk 8-6
M
destination, specifying host 8-7
destination, specifying line 8-8 management port, assigning an IP address and
restoring archived files 1-61 subnet mask 1-11

showing 8-15 manager

sys.log 1-50 MIB objects 9-5

logging overview 9-3

ACL activity 8-13 planning SNMP configuration 9-9

CLI commands 8-14 SNMP 9-3

commands 8-2 SNMP manager access to CSS,


enabling 9-22
configuring from config mode 8-4
max age, configuring for bridging 3-30
disabling 8-8, 8-11
max connections, configuring for service 5-52
enabling for a subsystem 8-8
MIBs
file destination 8-6
CSS 9-26
into the CSS 1-6
defining object as a sample variable 10-15
levels 8-10
directory 1-51
overview 8-2
enterprise 9-7
quick start table 8-4
looking up objects 9-22, 10-15
send messages to an email address 8-14
object identifiers 9-6
showing log files 8-15, 8-17
objects 9-5
specifying disk buffer size 8-6

Cisco Content Services Switch Basic Configuration Guide


IN-12 78-11424-03
Index

useful statistics 9-24 address, specifying 6-4


variables 9-5 assigning content rule 7-6
configuration quick start 6-2
creating 6-3
N
DNS type, specifying 6-5
netmask format, configuring for user 2-5 email address, specifying 6-6
network boot overview 5-2, 7-2
configuration, showing 2-25 owner billing information, specifying 6-4
primary boot record 1-28 removing 6-6
secondary boot record 1-33 removing content 7-6, 7-22
specifying primary config path 2-13 RMON alarm
network drive, booting CSS from 2-22 defining 10-14
notification type for an RMON event 10-8 RMON event
defining 10-8
RMON history, defining 10-23
O showing global bypass counters 6-7
Offline Diagnostic Monitor menu 1-22 showing information 6-6
advanced options 1-39
disabling or enabling check disk 1-46
P
disk options 1-42
performing a check disk 1-44 packet storms, preventing 3-31
reformatting the disk 1-42 param-bypass 7-46
setting password protection 1-40 passive SCM
using to configure IP address 1-37 boot record, configuring 2-16
using to configure subnet mask 1-37 copying boot-config from active SCM 2-21
opportunistic layer 3 forwarding IP address, configuring 2-17
configuration example 3-37 primary boot file, configuring 2-18
configuring 3-37 primary configuration path 2-18
origin servers 7-42 primary configuration path, configuring 2-19
owner SCM secondary boot file, configuring 2-19


secondary boot type, configuring 2-20 type, configuring 2-12


secondary configuration path, primary boot record
configuring 2-20
disk boot 1-31
subnet mask, configuring 2-21
FTP boot 1-30
passive sync command 2-21
network boot 1-28
password
secondary boot 1-31
administrative password, changing 1-6
primary config path, specifying for network
administrative password, setting 1-41 boot 2-13
caution on protecting Offline DM Main primary sorry server, adding to content
menu 1-40 rule 7-19
Offline DM Main menu protection 1-40 priority, configuring for bridging 4-11, 4-15
protection, setting on Offline Diagnostic protocol
Monitor menu 1-40, 1-43 ARP, configuring 3-5
user password, changing 1-10
content rule 7-23
user password, configuring 1-8
for a service 5-35
pathcost, configuring for bridging 4-11, 4-14
IP, configuring 3-14
permanent connections, configuring for TCP
network protocols, configuring 3-1
ports 2-39, 2-40
RIP, configuring 3-10
persistence, configuring in a content rule 7-34
TCP 5-35
port
UDP 5-35
interfaces, configuring 4-6
permanent connections, configuring as 2-39
resetting 2-40 Q
service keepalive, configuring for 5-47
quick start
specifying for a service 5-35
content rule 7-5
Port. See also interface
initial CSS configuration 1-3
prefix notation, configuring for subnet mask
display 2-5 interface and circuit 4-4
primary boot logging 8-4
configuration 1-27, 2-11 owner 6-2
file, specifying 2-12 RMON alarm 10-11


RMON event 10-4 content rule 7-22


service 5-4 content rule from owner 7-6
IP address from a circuit 4-31
owner 6-6
R
service 5-53
RADIUS service from content rule 5-53
console authentication 2-36 user name 1-10
CSS as RADIUS client, configuring 2-28 restarting an interface 4-25, 4-26
displaying configuration information 2-32 restoring
overview 2-27 archived files 1-61
primary RADIUS server 2-29 archived log file 1-61
secondary RADIUS server 2-30 archived script file 1-62
server dead-time 2-32 archived startup-config 1-62
server retransmits 2-31 bridge priority default value 4-12, 4-15
server timeouts 2-31 broadcast IP address 4-31
virtual authentication 2-35 default aging-time 3-29
realaudio-control, specifying as application default bridge forward time 3-30
type 7-45 default bridge hello-time 3-30
rebooting the CSS 1-22 default bridge max-age 3-30
redirection default bridge priority 4-11, 4-15
HTTP 7-37 default broadcast IP address 4-31
requests for content 7-33 default path cost 4-11, 4-14
redundancy, disabling 3-15 default VLAN 4-11
reformatting the disk 1-43 files from archive directory 1-61
remapping log files 1-61
configuring in a content rule 7-34 router-discovery advertisement interval
showing 7-40 timers 4-28
remote access, setting for CSS 2-35 router discovery default 4-33
remote service 5-39 router-discovery max-advertisement-interval
default value 4-28
removing


router discovery preference 4-33 configuration identifier, deleting 10-13


script 1-62 configuring 10-9
startup-config 1-62 falling threshold, defining 10-17
restricting group 10-2
access to the CSS 2-37 modifying configuration attributes 10-13
access to user database 1-7 owner, defining 10-14
RIP rising threshold, defining 10-17
advertise, stopping 3-10 sample interval, defining 10-18
default-route, configuring 4-35 sample variable, defining 10-15
displaying configurations 3-12, 4-37 sampling example 10-9
equal cost 3-11 sampling type, defining 10-16
receive, configuring 4-36 setting attributes 10-14
redistribute, stopping 3-11 startup alarm, defining 10-18
send, configuring 4-36, 4-37 RMON event
stopping on an IP interface 4-35 activating 10-9
RMON community, defining 10-7
alarm configuration identifier, configuration identifier, deleting 10-6
creating 10-12
configuring 10-4
clearing statistics 10-29 describing 10-7
configuration considerations 10-3 group 10-2
event configuration identifier, creating 10-5 modifying configuration attributes 10-6
history configuration identifier, notification type, defining 10-8
creating 10-20
owner, defining 10-8
overview 9-8, 10-2
quick configuration 10-4
startup-config file 10-34
setting attributes 10-7
statistics group 10-2
viewing 10-32
viewing statistics 9-24, 10-25
viewing a trap log file 10-32
RMON-1 groups 10-2
viewing disk log file 10-33
RMON alarm
RMON history
activating 10-19


activating 10-24 running-config


bucket count, defining 10-23 archiving 1-60
bucket interval, defining 10-24 clearing 1-54
configuring 10-19 copying 1-53
data object, defining 10-23 creating using text editor 1-58
deleting configuration identifier 10-22 displaying 1-54
group 10-2 example 1-56
modifying configuration attributes 10-21 ordering information within 1-58
owner, defining 10-23 using 1-53
setting attributes 10-22 running-profile
viewing information for 10-30 copying to an FTP server 2-9
roundrobin copying to a TFTP server 2-9
least connection 7-25 copying to a user profile 2-9
load balancing 7-25 copying to the default profile 2-8
router discovery
advertisement interval timers, restoring
default value 4-28 S
disabling 4-32
sample variable, finding and defining 10-15
enabling 4-32
sampling
IP interface, configuring for an 4-32
absolute 10-16
lifetime, configuring 4-27
defining 10-16
limited-broadcast, configuring 4-27
delta 10-16
max-advertisement-interval,
interval for an RMON alarm 10-18
configuring 4-28
RMON alarm example 10-9
max-advertisement-interval, restoring default
value 4-28 SCM
min-advertisement-interval, boot record for passive SCM,
configuring 4-28 configuring 2-16
preference, configuring 4-32 configuring network boot for primary 2-23
preference, restoring default value 4-33 IP address for passive SCM,
configuring 2-17
running check disk on the disk 1-42


network boot for passive, configuring 2-24 setting password protection on Offline
Diagnostic Monitor menu 1-40
script keepalives
configuring 5-29 server
order in which types are hit 5-40, 7-17
displaying 5-30
primary sorry 7-19
maximum keepalive types 5-27
secondary sorry 7-20
overview 5-27
types, how CSS handles 5-40
status codes 5-31
upgrading WebNS software 5-32, A-10 weight and load, using with ACA 5-7

usage considerations 5-28 service


access, configuring 5-41
scripts
archiving 1-60 activating 5-52

disk directory 1-50 adding to a content rule 7-18

restoring archived file 1-62 adding to content rule 7-17

script keepalives 5-27 advanced balanced string, configuring 5-37

secondary boot assigning an IP address 5-34

configuration path, specifying 2-15 cache bypass, configuring 5-41, 5-42, 5-43

configuration setting 1-32 configuration quick start 5-4

file, specifying 2-14 configuring 5-33

type, specifying 2-15 creating 5-32

secondary boot record global load reporting, configuring 5-11

disk boot 1-36 global load threshold, configuring 5-10

FTP boot 1-35 HTTP cookie, configuring an 5-37

network boot 1-33 keepalive, configuring 5-43


load ageout timer, configuring 5-12
secondary config path, specifying 2-15
load overview 5-5
secondary sorry server, adding to a content
rule 7-20 load step, configuring 5-9
Secure Shell Daemon. See SSHD load tear down timer, configuring 5-11
security options max connections, configuring 5-52
Offline Diagnostic Monitor menu 1-40 maximum TCP connections 5-52
order in which types are hit 5-40, 7-17


overview 5-2, 7-2 showing


port, specifying 5-35 bridge forwarding 3-32, 4-17, 4-19
primary sorry 7-19 circuits 4-28
protocol, specifying 5-35 content 7-47
remapping 7-34 content rules 7-48
remapping and HTTP redirection, DoS attacks 9-19
configuring 7-37
Ethernet interface errors 4-23
removing 5-53 global bypass counters 6-7
removing from content rule 5-53 global keepalives 5-24
removing from source group 5-53 interfaces 4-19
secondary sorry 7-20 IP configuration 3-21
service load, configuring 5-9 IP interfaces 4-33
showing configuration 5-54 IP summary 3-28
showing load 5-13 keepalive configurations 5-51
specifying a protocol 5-35 log files 8-15
specifying type 5-39 owner information 6-6
suspending 5-52 RADIUS server configuration 2-32
weight, configuring 5-38 remapping 7-40
service type service configuration 5-54
nci-direct-type 5-39
SNMP configuration 9-21
nci-info-type 5-39 SNTP configuration 1-19
proxy-cache 5-39 system resources 1-68
redirect 5-39 user information 1-69
redundancy-up 5-39
shutting down
replication cache redirect 5-39 all interfaces 4-25
replication-store 5-39
interface stack layer 4-25
replication-store redirect 5-39
the CSS 1-22
transparent-cache 5-39
smurf attacks caution 3-20
session, specifying as log file destination 8-8
SNMP
show boot configuration 1-38


agents 9-3 sorry server


community, RMON event 10-7 adding a primary to a content rule 7-19
community, using 9-22 adding a secondary to a content rule 7-20
configuring 9-8, 9-9 source group, removing service 5-53
displaying configuration 9-21 spanning tree
enabling access 2-37 caution when disabling 3-31
get 9-3 enabling and disabling 3-31
get-next 9-3 speed, configuring for interface 4-7
managers 9-3 SSHD
managing 9-22 configuring 3-34
MIBs 9-5 disabling Telnet for use with 3-34
restricting access to the CSS 2-37 displaying configurations 3-37
set 9-4 keepalive, configuring 3-35
trap hosts 9-11 port, configuring 3-35
traps 9-3 server-keybits, configuring 3-36
SNTP SSL, specifying as application type in a content
overview 1-17 rule 7-45

poll-interval 1-18 startup alarm for RMON 10-18

server, configuring 1-18 startup-config


archiving 1-60
showing SNTP information 1-19
software clearing 1-54

copying new software to CSS A-1 copying 1-53

deleting a version from the disk 1-39 creating using text editor 1-58
displaying 1-57
directory 2-47
ordering information within 1-58
displaying information 1-65
overview 1-51
overview 1-50
restoring archived file 1-62
upgrade (manual process) A-8
RMON configuration 10-34
upgrade caution A-4
saving offline 1-53
upgrade script A-3
using 1-53
version format 1-50


stateless redundancy failover 5-33, 7-7, 7-24, 7-41 enabling and disabling for SSHD 3-36
statistics reclaiming reserved control ports 2-40
clearing RMON 10-29 restricting access to the CSS 2-37
showing flows 2-41 terminal parameters
viewing an Ethernet port 10-25 terminal idle, configuring 2-4
subnet mask terminal length, configuring 2-4
assigning to CSS 1-12 terminal more, configuring 2-5
configuring using Offline Diagnostic terminal netmask format, configuring 2-5
Monitor menu 1-37
terminal timeout, configuring 2-5
prefix notation, configuring for user 2-5 user-specific, configuring 2-3
subsystem text editor
disabling logging 8-11 running-config, creating 1-58
enabling for logging 8-8 startup-config, creating 1-58
suspending TFTP server
content rule 7-21 copying core dumps to 1-64
service 5-52 copying log files to 8-19
sys.log 1-50, 8-2, 8-14 copying log files to server 8-20
sys.log.prev 8-3 threshold
syslogd, logging to 8-2, 8-3 falling RMON alarm 10-17
system resources, showing 1-68 global load threshold 5-10
load threshold, specifying 7-33

T rising RMON alarm 10-17


time, configuring for CSS 1-14
TCP ports timezone, configuring for CSS 1-14
destination number, specifying 5-35 transparent cache, bypassing 7-46
permanent connections, configuring 5-35 traps
Telnet background 9-3
disabling for use with SSHD 3-34, 3-36 log file 10-32
enabling access 2-37 specifying hosts 9-11


trap host 9-4 changing 1-10


traplogs, reading 9-25 configuring 1-8
trunking user profiles
configuring 4-14 configuring 2-2
interface to VLAN 4-12 copying and saving 2-8
type, specifying for service 5-39 user terminal parameters
configuring 2-42
terminal domain lookup, configuring 2-4
U
terminal idle, configuring 2-4
UDP, destination port number 5-35 terminal length, configuring 2-4
Universal Resource Locator. See URL terminal more, configuring 2-5
upgrading software terminal timeout, configuring 2-5
configuring FTP record A-2
copying new software to CSS A-1
V
manually A-8
procedure A-1 viewing
script A-3 disk log file for an RMON event 10-33
upgrading WebNS software, script RMON event 10-32
keepalives 5-32, A-10
RMON history information 10-30
URI, specifying for HTTP keepalive 5-19, 5-46
RMON statistics 10-25
URL, specifying for content 7-30
trap log file for an RMON event 10-32
user
virtual authentication, configuring 2-35
data, restricting access 1-7
virtual IP address, configuring 7-7
information, showing 1-69
VLAN
username
bridge to interface 4-10
configuring 1-8
default VLAN in a trunk link 4-14
directory access privileges 1-9
restoring default 4-11
displaying 1-10
trunking 4-12
removing 1-10
VTY log files 8-2, 8-3
user password


XOR hash
W
used in domainhash balance algorithm 7-24
warning used in urlhash balance algorithm 7-25
level warning 8-2, 8-5, 8-10, 8-12
symbol overview xxxiii
web management
Z
enabling access 2-37 zero, resetting Ethernet statistics to 4-23
restricting access to the CSS 2-37 zip file
web page, verifying checksum 5-19, 5-46 included on documentation CD 2-22
weight, configuring for a service 5-38 using for network boot 2-22
weighted roundrobin, load balancing 7-25
wildcards
domain names in content rules 7-15
using in content rule domain names 7-16

XML
enabling access 2-37
enabling access to the CSS 2-45, 9-8
restricting access to the CSS 2-37, 2-45, 9-8
XML code
CLI command conventions 2-43
creating 2-42
mode hierarchy 2-43
parsing 2-45
publishing 2-45
using on the CSS 2-42
XML document example 2-44
