Cache Application Commands in Cisco Application and Content Networking Software, Release 4.0

The ACNS 4.0 Cache application includes all of the Cache software commands described in the Cisco Cache Software Command Reference, Release 3.1. This appendix provides command reference information for ACNS 4.0 Cache application commands that are new or have changed relative to Cisco Cache software, Release 3.1.

The "New ACNS Software Cache Application Commands" section describes commands that appear in ACNS 4.0 software but are not in Cache Software, Release 3.1.

The "Changes in Existing Cache Software Commands" section describes changes to commands that appeared in Cache software, Release 3.1, but have different function, syntax, or keywords in ACNS 4.0 software.


Note   Some commands in Cache 3.x software have been changed in ACNS 4.0 software. Therefore, when apparent conflict occurs between similar commands, the information in this guide supersedes all command descriptions for Cache software in releases before the ACNS 4.0 software release.

Changes in Existing Cache Software Commands

This section describes how some commands that were in Cache software, Release 3.1 are different in ACNS 4.0 software.

Changes to the clock timezone Command

The clock timezone command has the same syntax and usage. However, when the E-CDN application is enabled, all commands that can change the local time are disabled: clock read-calendar, clock set, ntpdate, and ntp.

Changes to the copy Command

The following copy command options have been removed in ACNS software:

These options have been replaced by the copy ftp install command.

Changes to the debug Command

The debug command has the following new options:

The show debugging command also reflects these additional options.


Note   We recommend that the debug command be used only at the direction of Cisco Systems technical support personnel. Cache performance is impacted when you run the debug command.

Changes to the disk Command

The disk command options in Cache software, Release 3.1 have changed in ACNS 4.0 software. The disk config command replaces the disk manufacture command used in Cache 3.1.1 software. ACNS 4.0 software uses the following disk command options:

To add a single disk with specified partitions, you use the disk add command. The disk raid-array command handles Storage Array disk configuration for the Content Distribution Manager 4650 (CDM-4650).

To configure disk space among functions, you use the disk config command. This command takes file system type and size as parameters. Size can be designated in megabytes, gigabytes, or as a percentage of the system total storage. In the following example, 10 percent of the total storage is allocated to the sysfs and 30 percent to every other file system.

Console# disk config sysfs 10% mediafs 30% ecdnfs 30% cfs 30%
Disk configured successfully. New configuration will take effect after reload.
Please remove this device from the ECDN CDM (if any) before reboot this device, as this device's configuration will be stale due to disk repartition.

To undo the disk configuration, use the disk cancel-config command.

Console# disk cancel-config
Disk configuration canceled successfully

Changes to the http Command

To enable caching of authenticated content, the all, basic, and ntlm options have been added to the http cache-authenticated command.

To allow configuration of the healing mode feature, the cluster max-delay delayseconds and misses totalmisses options have been added. To disable healing mode, set either the delayseconds value or the totalmisses value to 0 or use the no form of the command.

To specify the port number over which requests from the healing Content Engine are sent to other Content Engines in the cluster, the cluster http-port option has been added to the http command.


Note   The default port number is 80. If you choose to configure a port other than the default 80, you have to make sure that the port configured matches the port specified in the http proxy incoming command on healing servers in the farm. Otherwise, the healing client is not able to retrieve objects from the healing servers.

To return to the default port number, use the no http cluster http-port command.

The cache-miss revalidate option has been added to the http command so that you can now configure the Content Engine proxy to ignore the Pragma:no-cache header, Cache-control:no-cache header, or both in an HTTP client request.

Changes to the http append Command

The proxy-auth-header and www-auth-header options have been added to the http append command.

Console(config)# http append ?
  proxy-auth-header        Configure host to receive Proxy-Authorization header
  via-header               Include 'Via' header in responses/replies
  www-auth-header          Configure host to receive WWW-Authorization header
  x-forwarded-for-header   Notify client-ip-addr to web-server via 'X-Forwarded-For' header

Changes to the install Command

The install command no longer accepts .pax files. The files should be of the type .bin (for example, cache-sw.bin).

Also, if the release being installed does not require a new system image, then there may be no writing to Flash memory involved. If the new release has changes that require a new system image to be installed, then the install command may result in a write to Flash memory.

In Cache software Release 3.1.1, the software was completely installed at the end of the install command. In ACNS 4.0 software, if there is a new system image, some parts of the installation are not completely extracted and installed until after a reboot.

Changes to the ip Global Configuration Command

The dscp option has been added to the ip command. This allows you to set the global Type of Service (ToS) or differentiated services code point (DSCP) values in IP packets.

Console(config)# ip ?
  default-gateway   Define the default gateway's IP address
  domain-name       Define the default domain name
  dscp              Set IP ToS/DSCP (Differentiated Services) field
  name-server       Specify address of name server to use
  route             Specify net route
Console(config)# ip dscp ?
  client   Settings for responses to client
  server   Settings for outgoing requests
Console(config)# ip dscp client ?
  cache-hit    Cache hit responses to client
  cache-miss   Cache miss responses to client
Console(config)# ip dscp client cache-hit ?
  match-server   Use server's original TOS/DSCP value
  set-dscp       Set DSCP
  set-tos        Set Type of Service
Console(config)# ip dscp client cache-hit set-dscp ?
  <0-63>    Set DSCP value
  af11      Set packets with AF11 dscp (001010)
  af12      Set packets with AF12 dscp (001100)
  af13      Set packets with AF13 dscp (001110)
  af21      Set packets with AF21 dscp (010010)
  af22      Set packets with AF22 dscp (010100)
  af23      Set packets with AF23 dscp (010110)
  af31      Set packets with AF31 dscp (011010)
  af32      Set packets with AF32 dscp (011100)
  af33      Set packets with AF33 dscp (011110)
  af41      Set packets with AF41 dscp (100010)
  af42      Set packets with AF42 dscp (100100)
  af43      Set packets with AF43 dscp (100110)
  cs1       Set packets with CS1(precedence 1) dscp (001000)
  cs2       Set packets with CS2(precedence 2) dscp (010000)
  cs3       Set packets with CS3(precedence 3) dscp (011000)
  cs4       Set packets with CS4(precedence 4) dscp (100000)
  cs5       Set packets with CS5(precedence 5) dscp (101000)
  cs6       Set packets with CS6(precedence 6) dscp (110000)
  cs7       Set packets with CS7(precedence 7) dscp (111000)
  default   Set packets with default dscp (000000)
  ef        Set packets with EF dscp (101110)
Console(config)# ip dscp client cache-hit set-tos ?
  <0-127>             Set TOS value
  critical            Set packets with critical precedence (80)
  flash               Set packets with flash precedence (48)
  flash-override      Set packets with flash override precedence (64)
  immediate           Set packets with immediate precedence (32)
  internet            Set packets with internetwork control precedence (96)
  max-reliability     Set packets with max reliable TOS (2)
  max-throughput      Set packets with max throughput TOS (4)
  min-delay           Set packets with min delay TOS (8)
  min-monetary-cost   Set packets with min monetary cost TOS (1)
  network             Set packets with network control precedence (112)
  normal              Set packets with normal TOS (0)
  priority            Set packets with priority precedence (16)
Console(config)# ip dscp server ?
  match-client   Use client's TOS/DSCP value
  set-dscp       Set DSCP
  set-tos        Set Type of Service

Changes to the ip address Interface Configuration Command

The ip address interface configuration command has been modified to allow customers to configure secondary IP addresses for a specified interface as follows:

Console(config)# ip address ip_address netmask [secondary]

Up to four secondary IP addresses can be specified for each interface. The same IP address cannot be assigned to more than one interface. The secondary IP address becomes active only after a primary IP address is configured. The following command configures the primary IP address:

Console(config)# ip address ip_address netmask

The secondary IP addresses are disabled when the interface is shut down, and are enabled when the interface is brought up. Use the no form of the command to disable a specific IP address.

Console(config)# no ip address ip_address netmask

Note   No two interfaces can have IP addresses in the same subnet.

Changes to the ldap Command

The ldap command has the following new options:

The ldap authcache max-entries and ldap authcache auth-timeout options have been removed and are now configurable through the http authentication cache max-entries and timeout commands, respectively.

The ldap client auth-header option has been removed and is now configurable through the http authentication header command.

In addition, the ldap server allow-mode and retransmit options have been removed.

Changes to the radius-server Command

The following options have been removed from the radius-server command:

The rule no-auth domain command replaces the radius-server exclude command; however, no replacement is available for the multi-user-prompt option.

Changes to the rule Command

The dscp option and the no-auth option have been added to the rule command. The no-auth option permits specific login and content requests to bypass authentication and authorization features such as LDAP, RADIUS, SSH, or TACACS+.

Console(config)# rule enable
Console(config)# rule no-auth src-ip 172.16.53.88 255.255.255.255
Console(config)# rule no-auth dst-ip 172.22.73.34 255.255.255.255
Console(config)# rule no-auth dst-port 9090
Console(config)# rule no-auth url-regex .*cgi-bin.*
Console(config)# rule no-auth domain cisco.com

In the following example, any requests from src-ip 172.16.53.88 are not authenticated.

Console(config)# rule no-auth src-ip 172.16.53.88 255.255.255.255

In the following example, any requests to dst-ip 172.22.73.34 are not authenticated.

Console(config)# rule no-auth dst-ip 172.22.73.34 255.255.255.255

In the following example, any requests with the destination port 9090 are not authenticated.

Console(config)# rule no-auth dst-port 9090

In the following example, any requests with "cisco.com" as the domain are not authenticated. (For example, requests for roti.cisco.com or badal.cisco.com are excluded from the Content Engine authentication.)

Console(config)# rule no-auth domain cisco.com

In the following example, any requests with "cgi-bin" in the URL are not authenticated.

Console(config)# rule no-auth url-regex .*cgi-bin.*
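The Python script below is an added audit helper, not part of the Cisco documentation or the Content Engine: it parses the rule no-auth lines from the preceding examples and reports which pattern exempts a given request from authentication. It assumes that rules take effect only after rule enable, that the first matching rule wins, that url-regex and domain are applied as unanchored regular-expression searches as the show rule help text describes, and that the resolved destination IP of each request is known; under those assumptions a domain pattern of cisco.com also exempts cisco.com.example.test, which is the kind of over-broad exemption the check is meant to surface.

```python
import ipaddress
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample configuration built from the rule no-auth examples in the
# "Changes to the rule Command" section; only "rule" lines are parsed.
SAMPLE_CONFIG = """\
rule enable
rule no-auth src-ip 172.16.53.88 255.255.255.255
rule no-auth dst-ip 172.22.73.34 255.255.255.255
rule no-auth dst-port 9090
rule no-auth url-regex .*cgi-bin.*
rule no-auth domain cisco.com
"""


@dataclass
class NoAuthRule:
    pattern_type: str            # src-ip | dst-ip | dst-port | url-regex | domain
    value: str
    mask: Optional[str] = None   # netmask, only present for src-ip / dst-ip

    def matches(self, src_ip: str, dst_ip: str, url: str) -> bool:
        parts = urlsplit(url)
        host = parts.hostname or ""
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if self.pattern_type == "src-ip":
            return _ip_matches(src_ip, self.value, self.mask)
        if self.pattern_type == "dst-ip":
            return _ip_matches(dst_ip, self.value, self.mask)
        if self.pattern_type == "dst-port":
            return port == int(self.value)
        if self.pattern_type == "url-regex":
            # help text: "Regular expression to substring match with the URL"
            return re.search(self.value, url) is not None
        if self.pattern_type == "domain":
            # help text: "Regular expression to match with the domain name"; an
            # unanchored search is assumed, which is why cisco.com also covers
            # roti.cisco.com as the page's example states (and more, see tests)
            return re.search(self.value, host) is not None
        raise ValueError(f"unknown no-auth pattern type: {self.pattern_type}")


def _ip_matches(addr: str, rule_addr: str, mask: Optional[str]) -> bool:
    """Apply the rule's address/netmask pair (a host mask when none is given)."""
    network = ipaddress.ip_network(f"{rule_addr}/{mask or '255.255.255.255'}", strict=False)
    return ipaddress.ip_address(addr) in network


def parse_no_auth_rules(config_text: str) -> Tuple[bool, List[NoAuthRule]]:
    """Return (rule processing enabled?, no-auth rules in configuration order)."""
    enabled = False
    rules: List[NoAuthRule] = []
    for line in config_text.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] == ["rule", "enable"]:
            enabled = True
        elif tokens[:2] == ["rule", "no-auth"] and len(tokens) >= 4:
            ptype, value = tokens[2], tokens[3]
            mask = tokens[4] if ptype in ("src-ip", "dst-ip") and len(tokens) > 4 else None
            rules.append(NoAuthRule(ptype, value, mask))
    return enabled, rules


def bypass_reason(config_text: str, src_ip: str, dst_ip: str, url: str) -> Optional[str]:
    """Pattern type of the first no-auth rule that exempts the request, or None.

    Assumes rules only take effect after "rule enable" (the show rule output on
    the page reports "Rule Processing Disabled" otherwise) and first match wins.
    """
    enabled, rules = parse_no_auth_rules(config_text)
    if not enabled:
        return None
    for rule in rules:
        if rule.matches(src_ip, dst_ip, url):
            return rule.pattern_type
    return None


if __name__ == "__main__":
    # Constructed sample requests: (source IP, resolved destination IP, URL)
    for src, dst, url in [
        ("172.16.53.88", "192.0.2.10", "http://example.test/"),
        ("10.0.0.5", "192.0.2.10", "http://cisco.com.example.test/"),
        ("10.0.0.5", "192.0.2.10", "http://example.test/"),
    ]:
        print(f"{src} -> {url}: no-auth={bypass_reason(SAMPLE_CONFIG, src, dst, url)}")
```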

The dscp option allows you to set the Type of Service (ToS) or differentiated services code point (DSCP) values in IP packets based on a URL match, a file type, a domain, a destination IP address, a source IP address, or a destination port.

Console(config)# rule dscp ?
  client   Settings for responses to client
  server   Settings for outgoing requests
Console(config)# rule dscp client ?
  cache-hit    Cache hit responses to client
  cache-miss   Cache miss responses to client
Console(config)# rule dscp client cache-hit ?
  match-server   Use server's original ToS/DSCP value
  set-dscp       Set DSCP
  set-tos        Set Type of Service
Console(config)# rule dscp client cache-hit set-dscp ?
  <0-63>    Set DSCP value
  af11      Set packets with AF11 dscp (001010)
  af12      Set packets with AF12 dscp (001100)
  af13      Set packets with AF13 dscp (001110)
  af21      Set packets with AF21 dscp (010010)
  af22      Set packets with AF22 dscp (010100)
  af23      Set packets with AF23 dscp (010110)
  af31      Set packets with AF31 dscp (011010)
  af32      Set packets with AF32 dscp (011100)
  af33      Set packets with AF33 dscp (011110)
  af41      Set packets with AF41 dscp (100010)
  af42      Set packets with AF42 dscp (100100)
  af43      Set packets with AF43 dscp (100110)
  cs1       Set packets with CS1(precedence 1) dscp (001000)
  cs2       Set packets with CS2(precedence 2) dscp (010000)
  cs3       Set packets with CS3(precedence 3) dscp (011000)
  cs4       Set packets with CS4(precedence 4) dscp (100000)
  cs5       Set packets with CS5(precedence 5) dscp (101000)
  cs6       Set packets with CS6(precedence 6) dscp (110000)
  cs7       Set packets with CS7(precedence 7) dscp (111000)
  default   Set packets with default dscp (000000)
  ef        Set packets with EF dscp (101110)
Console(config)# rule dscp client cache-hit set-tos ?
  <0-127>             Set ToS value
  critical            Set packets with critical precedence (80)
  flash               Set packets with flash precedence (48)
  flash-override      Set packets with flash override precedence (64)
  immediate           Set packets with immediate precedence (32)
  internet            Set packets with internetwork control precedence (96)
  max-reliability     Set packets with max reliable ToS (2)
  max-throughput      Set packets with max throughput ToS (4)
  min-delay           Set packets with min delay ToS (8)
  min-monetary-cost   Set packets with min monetary cost ToS (1)
  network             Set packets with network control precedence (112)
  normal              Set packets with normal ToS (0)
  priority            Set packets with priority precedence (16)
Console(config)# rule dscp client cache-hit set-dscp af11 ?
  domain      Regular expression to match with the domain name
  dst-ip      Destination IP address of the request
  dst-port    Destination port number
  mime-type   Regular expression to match with MIME type
  src-ip      Source IP address of the request
  url-regex   Regular expression to substring match with the URL
Console(config)# rule dscp client cache-miss ?
  match-server   Use server's original ToS/DSCP value
  set-dscp       Set DSCP
  set-tos        Set Type of Service
Console(config)# rule dscp server ?
  match-client   Use client's ToS/DSCP value
  set-dscp       Set DSCP
  set-tos        Set Type of Service
Console# show rule action ?
  block              Block the request
  dscp               IP ToS/DSCP (Differentiated Services)
  freshness-factor   Caching heuristic modifiers
  no-auth            Do not authenticate
  no-cache           Do not cache the object
  no-proxy           Do not use any upstream proxy
  redirect           Redirect request to rewritten URL
  refresh            Revalidate the object with the web server
  rewrite            Rewrite URL and fetch
  selective-cache    Cache this object
  use-proxy          Use a specific upstream proxy
  use-server         Use a specific server
Console# show rule action dscp ?
  client   Settings for responses to client
  server   Settings for outgoing requests
Console# show rule action dscp client ?
  cache-hit    Cache hit responses to client
  cache-miss   Cache miss responses to client
Console# show rule action dscp client cache-hit ?
  all       Display all the patterns for this action
  pattern   Display all the rules with specific type of pattern
Console# show rule action dscp client cache-hit pattern ?
  domain      Regular expression to match with the domain name
  dst-ip      Destination IP address of the request
  dst-port    Destination port number
  mime-type   Regular expression to match with MIME type
  src-ip      Source IP address of the request
  url-regex   Regular expression to substring match with the URL

The following examples illustrate DSCP information obtained using the show command:

Console# show rule action dscp client cache-hit pattern src-ip
Rules Template Configuration
----------------------------
Rule Processing Disabled
rule dscp client cache-hit set-tos min-monetary-cost src-ip 10.1.1.1 255.255.255.0
Console# show stat rule action dscp client cache-hit pattern src-ip
Rules Template Statistics
-------------------------
Rule hit count = 0
Rule:rule dscp client cache-hit set-tos min-monetary-cost src-ip 10.1.1.1 255.255.255.0

Changes to the show cfs volumes Command

The show cfs volumes command output displays different disk names and does not indicate whether or not a cfs partition is mounted. Also, the cfs size is now displayed in kilobytes instead of half kilobytes. For example:

Console# show cfs volumes
cfs 00:/dev/raw/raw1 17783224KB
cfs 01:/dev/raw/raw2 17783224KB
cfs 02:/dev/raw/raw3 17783224KB
cfs 03:/dev/raw/raw4 17783224KB
cfs 04:/dev/raw/raw5 17783224KB

Changes to the show disks Command

The show disks command options have changed. Also, the way the information is displayed has changed. The following options are available for the show disks command:

The show disks configured command displays the percentage or amount of disk space allocated to each file system instead of the names of the disks.

ContentEngine# show disks configured
SYSFS   10%
CFS     30%
MEDIAFS 30%
ECDNFS  30%

Changes to the show http Command

The following new options have been added to the show http command:

Changes to the show statistics Command

The following new options have been added to the show statistics command:

Changes to the transaction-logs Command

The keyword format has been added to the transaction-logs command. The transaction-logs format command has two options: squid and extended-squid. The default log format is squid.

590(config)# transaction-logs format ?
  extended-squid   Extended Squid log format
  squid            Squid log format
590(config)# transaction-logs format squid
590(config)# no transaction-logs format ?
  <cr>
590(config)# transaction-logs format extended-squid ?
  <cr>
590# show transaction-logging ?
  <cr>
590# show transaction-logging
Transaction log configuration:
---------------------------------------
Logging is enabled.
End user identity is visible.
File markers are disabled.
Archive interval:every-hour every 2 minutes
Maximum size of archive file:2000000 KB
Log File format is extended-squid
Exporting files to ftp servers is disabled.
Working Log file - size :464 age:244662
Archive Log file - celog_128.107.193.231_19800815_150400.txt size:4247
Archive Log file - celog_128.107.193.231_19800815_152400.txt size:3868

New ACNS Software Cache Application Commands

The ACNS 4.0 software includes all of the Cache software commands described in the Cisco Cache Software Command Reference, Release 3.1, as well as all of the commands described in this section. Refer to the Cisco Cache Software Command Reference, Release 3.1 publication for more caching commands.

authentication

To configure user authentication options, use the authentication command in global configuration mode. Use the no form of the command to selectively disable options.

authentication configuration {local | tacacs} enable [primary | secondary]

authentication login {local | tacacs} enable [primary | secondary]

no authentication configuration {local | tacacs} enable [primary | secondary]

no authentication login {local | tacacs} enable [primary | secondary]

Syntax Description

configuration

Sets configuration authentication (authorization).

local

Selects local database for authentication.

tacacs

Selects TACACS+ database for authentication.

enable

Enables database for configuration authentication.

primary

(Optional) Sets selected authentication database as the primary.

secondary

(Optional) Sets selected authentication database as the secondary.

login

Sets login authentication.

enable

Enables database for login authentication.

Defaults

Local authentication methods are enabled by default.

Command Modes

Global configuration

Usage Guidelines

The authentication command configures the authentication and authorization methods that govern login and configuration access to the Content Engine. ACNS 4.0 software supports local and Terminal Access Controller Access Control System Plus (TACACS+) authentication and authorization methods.

The authentication login command specifies the method that determines whether the user has any level of access permission to the Content Engine. The authentication configuration command specifies the method that authorizes the user with privileged access (configuration access) to the Content Engine.

By default, the local method is enabled and TACACS+ is disabled for both login and configuration. Whenever TACACS+ is disabled, local is automatically enabled. Both TACACS+ and local methods can be enabled at the same time. The primary option specifies the first method to attempt; the secondary option specifies the method to use if the primary method fails. If both methods of an authentication login or authentication configuration command are configured as primary, or both as secondary, local is attempted first, then TACACS+.

The authentication login local and the authentication configuration local commands use the local password file (/etc/password) for authentication and authorization. The authentication login tacacs and authentication configuration tacacs commands use the TACACS+ server to determine the level of user access. The Content Engine tacacs global configuration command and a TACACS+ server must be configured to use the TACACS+ authentication and authorization method.

Examples

The following example enables local and TACACS+ authentication and authorization, setting TACACS+ as the first method used and local as the secondary method to use if TACACS+ fails:

Console(config)# authentication login tacacs enable primary
Console(config)# authentication login local enable secondary
Console(config)# authentication configuration local enable secondary
Console(config)# authentication configuration tacacs enable primary

This is an example of the show authentication command:

Console# show authentication
Login Authentication:            Console/Telnet Session
-----------------------------    -----------------------
local                            enabled
tacacs                           enabled (primary)

Configuration Authentication:    Console/Telnet Session
-----------------------------    -----------------------
local                            enabled
tacacs                           enabled

This is an example of the show statistics authentication command:

Console# show statistics authentication
Authentication Statistics
--------------------------------------
Number of access requests:        37
Number of access deny responses:  14
Number of access allow responses: 23

Related Commands

show authentication

show statistics authentication

tacacs

copy

To copy a configuration or image file from a source FTP server and install it, use the copy command in EXEC mode.

copy ftp install {hostname | ipaddress} remotefiledir remotefilename

Syntax Description

ftp

Specifies the source of the file to be installed.

install

Installs the file to the local device.

hostname

Specifies the name of the FTP server.

ipaddress

Specifies the IP address of the FTP server.

remotefiledir

Specifies the remote file directory.

remotefilename

Specifies the remote filename.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use this command to install an image file. Part of the image goes to disk and part goes to Flash memory.

Examples

ce-590# copy ftp install 1.1.1.1 //users2/ACNS400BR/boot ce590-ACNS-400.bin
Enter username for remote ftp server:biff
Enter password for remote ftp server:
Initiating FTP download...
printing one # per 1MB downloaded
Sending:USER biff
1.1.1.1 FTP server (Version) Mon Feb 28 10:30:36 EST 2000) ready.
Password required for biff.
Sending:PASS *****
User biff logged in.
Sending:TYPE I
Type set to I.
Sending:PASV
Entering Passive Mode (128,107,193,244,55,156)
Sending:CWD //users2/ACNS400BR/boot
CWD command successful.
Sending PASV
Entering Passive Mode (128,107,193,244,55,156)
Sending:RETR ce590-ACNS-400.bin
Opening BINARY mode data connection for ruby.bin (87376881 bytes).
###################################################################################
writing flash component:
.................................................................
The new software will run after you reload.
ce-590#

Related Commands

install

disk

To configure the disks for devices that are using ACNS software, use the disk EXEC command.

disk config sysfs {remaining | partitionsize} [{cfs | ecdnfs | mediafs}{remaining | partitionsize}]

disk cancel-config

disk add diskname {cfs | ecdnfs | mediafs | sysfs} {remaining | partitionsize} [{cfs | ecdnfs | mediafs | sysfs}{remaining | partitionsize}]

disk raid-array add-array

disk raid-array repair diskname

Syntax Description

config

Configures disk space among functions.

sysfs

Allocates disk space for sysfs functions.

remaining

Specifies that the remaining space be allocated to the function.

partitionsize

Specifies the size of the allocation. Size can be designated in megabytes, gigabytes, or as a percentage of the system total storage.

cfs

(Optional) Allocates disk space for cfs functions.

ecdnfs

(Optional) Allocates disk space for ecdnfs functions.

mediafs

(Optional) Allocates disk space for mediafs functions.

remaining

(Optional) Specifies that the remaining space be allocated to the function.

partitionsize

Specifies the size of the allocation. Size can be designated in megabytes, gigabytes, or as a percentage of the system total storage.

cancel-config

Cancels the disk configuration.

add

Adds a single disk.

diskname

Specifies the disk to be added.

cfs

Allocates the disk space of the added disk to cfs functions.

ecdnfs

Allocates the disk space of the added disk to ecdnfs functions.

mediafs

Allocates the disk space of the added disk to mediafs functions.

sysfs

Allocates the disk space of the added disk to sysfs functions.

remaining

Specifies that the remaining space be allocated to the function.

partitionsize

Specifies the size of the allocation. Size can be designated in megabytes, gigabytes or as a percentage of the system total storage.

raid-array

Handles Storage Array disk configuration for the CDM-4650.

add-array

Creates a logical disk for the Storage Array that is recognized by the CDM-4650 RAID controller.

repair

Rebuilds a RAID disk array after a single disk in the array fails.

diskname

Specifies the disk to be repaired.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use the disk config command to configure disk allocations.

Use the disk cancel-config command to cancel the configuration.

Use the disk add command to add a single disk with specified partitions.

Use the disk raid-array add-array command to create a logical disk for the Storage Array that is recognized by the CDM-4650 RAID controller.

Use the disk raid-array repair command to rebuild a RAID disk array after a single disk in the array fails.

Examples

In the following example of the disk config command, 10 percent of the total storage is allocated to the sysfs and 30 percent to every other file system.

ContentEngine# disk config sysfs 10% mediafs 30% ecdnfs 30% cfs 30%
Disk configured successfully. New configuration will take effect after reload.
Please remove this device from the ECDN CDM (if any) before reboot this device, as this device's configuration will be stale due to disk repartition.

http authentication

To configure global authentication cache parameters, use the http authentication command in global configuration mode.

http authentication {cache {timeout minutes | max-entries entries} | header {401 | 407}}

Syntax Description

cache

Configures authentication cache parameters.

timeout

Sets the timeout value of records in the authentication cache.

minutes

Specifies time in minutes (30-1440) between the user's last Internet access and the removal of that user's entry from the authorization cache, forcing reauthentication. The default is 480 minutes; the minimum is 30 minutes; and the maximum is 1440 minutes (24 hours).

max-entries

Sets the maximum number of entries in the authentication cache.

entries

Specifies the maximum number of entries in the authentication cache (500-32000).

header

Specifies which HTTP header to use for authentication (user ID and password) when the style of the HTTP request indicates that no proxy server is present. Headers can be either HTTP 401 (Unauthorized) or HTTP 407 (Proxy Authentication Required). The default is HTTP 401.

401

Uses HTTP 401 to query users for credentials.

407

Uses HTTP 407 to query users for credentials.

Defaults

timeout minutes: 480 minutes

header: HTTP 401

Command Modes

Global configuration

Usage Guidelines

When the Content Engine authenticates a user through a server, a record of that authentication is stored locally in the Content Engine RAM (authentication cache). As long as the authentication entry is kept, subsequent attempts to access restricted Internet content by that user do not require LDAP server lookups.

The max-entries option sets the maximum number of authentication cache entries retained.

The timeout option specifies how long an inactive entry can remain in the authentication cache before it is purged. Once a record has been purged, any subsequent access attempt to restricted Internet content requires a server lookup for reauthentication.

Examples

This example sets the length of time that entries are valid in the authentication cache:

Console(config)# http authentication cache timeout 1000

The following example specifies that the Content Engine should use header 407 when asking the end user for authentication credentials (user ID and password).

Console(config)# http authentication header 407

ldap

To configure the Content Engine to perform user authentication with a Lightweight Directory Access Protocol (LDAP) server, use the ldap global configuration command. To disable ldap options, use the no form of this command.

ldap server administrative-dn name

ldap server administrative-passwd passwd

ldap server base baseword

ldap server enable

ldap server filter filterword

ldap server host {hostname | hostipaddress} [primary | secondary]

ldap server port portnumber

ldap server timeout seconds

ldap server userid-attribute useridword

ldap server version number

no ldap server {administrative-dn name | administrative-passwd passwd | base baseword | enable | filter filterword | host {hostname | hostipaddress} [primary | secondary] | port portnumber | timeout seconds | userid-attribute useridword | version number}

Syntax Description

server

Configures LDAP server parameters.

administrative-dn

Sets the administrative distinguished name.

name

Specifies the administrative distinguished name.

administrative-passwd

Sets the administrative password.

passwd

Specifies the administrative password.

base

Sets the base distinguished name of the starting point for the search in the LDAP database.

baseword

Specifies the base value. There is no default.

enable

Enables HTTP request authentication with the LDAP server.

filter

Sets the LDAP filter for the authentication group.

filterword

Specifies text for the LDAP filter. There is no default.

host

Sets host parameters.

hostname

Specifies the host name of the LDAP server. Two servers can be named.

hostipaddress

Specifies the IP address of the LDAP server.

primary

(Optional) Specifies the host as the primary host.

secondary

(Optional) Specifies the host as the secondary host.

port

Sets the TCP port for the LDAP authentication server.

portnumber

Specifies the LDAP server port number (1-65535). The default is 389.

timeout

Sets the time to wait for an LDAP server to reply.

seconds

Specifies the waiting time in seconds (1-100). The default is 5 seconds; minimum is 1 second; maximum is 100 seconds.

userid-attribute

Sets the user ID attribute on the LDAP server.

useridword

Specifies the value for the user ID attribute. The default is "uid."

version

Sets the LDAP version number.

number

LDAP version number (2-3). The default is 2.

Defaults

Usage Guidelines

An LDAP-enabled Content Engine authenticates user login and HTTP requests with an LDAP server. With an HTTP query, the Content Engine obtains a set of credentials from the user (user ID and password) and compares them against those in an LDAP server.

All LDAP version 3 features are supported except for Simple Authentication and Security Layer (SASL).

Proxy Mode LDAP Authentication

The events listed below occur when the Content Engine is configured for LDAP authentication and one of the following two scenarios is true:

    1. The Content Engine examines the HTTP headers of the client request to find user information (contained in the Proxy-Authorization header).

    2. If no user information is provided, the Content Engine returns a 407 (Proxy Authorization Required) message to the client.

    3. The client resends the request, including the user information.

    4. The Content Engine searches its authentication cache (based on user ID and password) to see if the client has been previously authenticated.

    5. If a match is found, the request is serviced normally.

    6. If no match is found, the Content Engine sends a request to the LDAP server to find an entry for this client.

    7. If the server finds a match, the Content Engine allows the request to be serviced normally and stores the client user ID and password in the authentication cache.

    8. If no match is found, the Content Engine again returns a 407 (Proxy Authorization Required) message to the client.

Transparent Mode LDAP Authentication

The events listed below occur when the Content Engine is configured for LDAP authentication and both of the following are true:

    1. The Content Engine searches its authentication cache to see if the user's IP address has been previously authenticated.

    2. If a match is found, the Content Engine allows the request to be serviced normally.

    3. If no match is found in the first step, the Content Engine examines the HTTP headers to find user information (contained in the Authorization header).

    4. If no user information is provided, the Content Engine returns a 401 (Unauthorized) message to the client.

    5. The client resends the request, including the user information.

    6. The Content Engine sends a request to the LDAP server to find an entry for this user.

    7. If the server finds a match, the Content Engine allows the request to be serviced normally and stores the client IP address in the authentication cache.

    8. If no match is found, the Content Engine again returns a 401 (Unauthorized) message to the client.

In transparent mode, the Content Engine uses the client IP address as a key for the authentication database.

If you are using LDAP user authentication in transparent mode, we recommend that the AuthTimeout interval configured with the http authentication cache timeout command be short. IP addresses can be reallocated, or different users can access the Internet through an already authenticated device (PC, workstation, and the like). Shorter AuthTimeout values help reduce the possibility that individuals can gain access using previously authenticated devices. When the Content Engine operates in proxy mode, it can authenticate the user with the user ID and password.

Security Options

The Content Engine uses simple (nonencrypted) authentication to communicate with the LDAP server. Future expansion may allow for more security options based on Secure Socket Layer (SSL), SASL, or certificate-based authentication.

Excluding Domains

To exclude domains from LDAP authentication, use the rule no-auth domain command. Authentication challenges from LDAP, RADIUS, TACACS+, or SSH take place only if the request does not match the specified no-auth pattern.

LDAP and RADIUS Considerations

LDAP authentication can be used with Websense URL filtering, but not with RADIUS authentication. Both LDAP and RADIUS rely on different servers, which may require different user IDs and passwords, making RADIUS and LDAP authentication schemes mutually exclusive. Should both RADIUS and LDAP be configured on the Content Engine at the same time, LDAP authentication is executed, not RADIUS authentication.

Hierarchical Caching

In some cases, users are located at branch offices. A Content Engine (CE1) can reside with them in the branch office. Another Content Engine (CE2) can reside upstream, with an LDAP server available to both Content Engines for user authentication.

If branch office user 1 accesses the Internet, and content is cached at CE1, then this content cannot be served to any other branch office user unless that user is authenticated. CE1 must authenticate the local users.

Assuming that both CE1 and CE2 are connected to the LDAP server and authenticate the users, when branch office user 2 first requests Internet content, CE1 responds to the request with an authentication failure response (either HTTP 407 if in proxy mode, or HTTP 401 if in transparent mode). User 2 enters the user ID and password, and the original request is repeated with the credentials included. CE1 contacts the LDAP server to authenticate user 2.

Assuming authentication success, and a cache miss, the request along with the credentials is forwarded to CE2. CE2 also contacts the LDAP server to authenticate user 2. Assuming success, CE2 either serves the request out of its cache or forwards the request to the origin server.

User 2 authentication information is now stored in the authentication cache in both CE1 and CE2. Neither CE1 nor CE2 needs to contact the LDAP server for user 2's subsequent requests (unless user 2's entry expires and is removed from the authentication cache).

This scenario assumes that CE1 and CE2 use the same method for authenticating users. Specifically, both Content Engines must expect the user credentials (user ID and password) to be encoded in the same way.

Hierarchical Caching in Transparent Mode

When the Content Engine operates in transparent mode, the user IP address is used as a key to the authentication cache. When user 2 sends a request transparently to CE1, after authentication, CE1 inserts its own IP address as the source for the request. Therefore, CE2 cannot use the source IP address as a key for the authentication cache.

When CE1 inserts its own IP address as the source, it must also insert an X-Forwarded-For header in the request (http append x-forwarded-for-header command). CE2 must first look for an X-Forwarded-For header. If one exists, that IP address must be used to search the authentication cache. Assuming the user is authenticated at CE2, then CE2 must not change the X-Forwarded-For header, just in case there is a transparent CE3 upstream.

In this scenario, if CE1 does not create an X-Forwarded-For header (for example, if it is not a Cisco Content Engine and does not support this header), then authentication on CE2 will not work.
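The following is an added example, not Cisco code, that models the authentication decision described in the proxy-mode and transparent-mode event lists above, the AuthTimeout expiry of the authentication cache, and the X-Forwarded-For lookup a transparent upstream Content Engine must perform. The LDAP server is replaced by a constructed in-memory directory, the request is a plain dictionary, and the header names, cache size and time source are assumptions made for the example.

```python
"""Added example (not Cisco code): a model of the Content Engine's LDAP
authentication decision in proxy mode and transparent mode. The LDAP
server is a constructed in-memory directory; `now` is passed in so the
AuthTimeout behaviour can be shown without a real clock."""
import base64

PROXY_MODE = "proxy"
TRANSPARENT_MODE = "transparent"


def basic_header(user, password):
    """Build an HTTP Basic credential value as a browser sends it."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_credentials(value):
    """Return (user, password) from a Basic credential value, or None when
    the header is absent or malformed."""
    if not value or not value.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


class AuthCache:
    """Authentication cache with an AuthTimeout in seconds. Keys are
    (user, password) in proxy mode and the client IP in transparent mode.
    When the cache is full the oldest entry is purged even if it has not
    timed out, as the size-adjustment note above describes."""

    def __init__(self, auth_timeout_s, max_entries=1000):
        self.auth_timeout_s = auth_timeout_s
        self.max_entries = max_entries  # assumed limit for the example
        self._entries = {}  # key -> time of authentication

    def lookup(self, key, now):
        stamp = self._entries.get(key)
        if stamp is None:
            return False
        if now - stamp > self.auth_timeout_s:
            del self._entries[key]  # expired: the user must re-authenticate
            return False
        return True

    def insert(self, key, now):
        if key not in self._entries and len(self._entries) >= self.max_entries:
            oldest = min(self._entries, key=self._entries.get)
            del self._entries[oldest]
        self._entries[key] = now


class ContentEngine:
    """handle() returns 200 when the request may be served, otherwise 407
    in proxy mode or 401 in transparent mode."""

    def __init__(self, mode, directory, auth_timeout_s):
        self.mode = mode
        self.directory = directory  # constructed stand-in for the LDAP server
        self.cache = AuthCache(auth_timeout_s)
        self.ldap_queries = 0  # how often the LDAP server was consulted

    def _ldap_match(self, user, password):
        self.ldap_queries += 1
        return self.directory.get(user) == password

    def handle(self, request, now):
        headers = request["headers"]
        if self.mode == PROXY_MODE:
            creds = parse_basic_credentials(headers.get("Proxy-Authorization"))
            if creds is None:
                return 407
            if self.cache.lookup(creds, now):
                return 200
            if self._ldap_match(*creds):
                self.cache.insert(creds, now)
                return 200
            return 407
        # Transparent mode: the key is the client IP, or the first address in
        # X-Forwarded-For when a downstream Content Engine replaced the source.
        forwarded = headers.get("X-Forwarded-For")
        key = forwarded.split(",")[0].strip() if forwarded else request["client_ip"]
        if self.cache.lookup(key, now):
            return 200
        creds = parse_basic_credentials(headers.get("Authorization"))
        if creds is None:
            return 401
        if self._ldap_match(*creds):
            self.cache.insert(key, now)
            return 200
        return 401
```

In transparent mode the cache hit on the IP key is what lets a second user on the same already-authenticated device through, which is why a short AuthTimeout is recommended above; an upstream Content Engine that keys on X-Forwarded-For should accept that header only from the downstream Content Engine it trusts, since any other client could set it.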

Hierarchical Caching, Content Engine in Transparent Mode with an Upstream Proxy

In a topology with two Content Engines, assume that CE1 is operating in transparent mode and CE2 is operating in proxy mode, with the browsers of all users pointing to CE2 as a proxy.

Because the browsers are set up to send requests to a proxy, an HTTP 407 message is sent from CE1 back to each user to prompt for credentials. By using the 407 message, the problem of authenticating based on source IP address is avoided. The username and password can be used instead.

This mode provides better security than using the HTTP 401 message. The Content Engine examines the style of the address to determine whether there is an upstream proxy. If there is, the Content Engine uses an HTTP 407 message to prompt the user for credentials even when operating in transparent mode.

Server Redundancy

Two LDAP servers can be specified with the ldap server host command to provide redundancy and improved throughput. Content Engine load-balancing schemes distribute the requests to the servers. If the Content Engine cannot connect to either server, no authentication can take place, and users who have not been previously authenticated are denied access.

Authentication Cache Size Adjustments

If the authentication cache is not large enough to accommodate all authenticated users at the same time, the Content Engine purges older entries that have not yet timed out.

Transaction Logging

Once a user has been authenticated through LDAP, all transaction logs generated by the Content Engine for that user contain user information. If the Content Engine is acting in proxy mode, the user ID is included in the transaction logs. If the Content Engine is acting in transparent mode, the user IP address is included instead.

If the transaction-logs sanitize command is invoked, the user information is suppressed.

Examples

This example specifies an LDAP server with IP address 10.1.1.1 on port 88, and excludes the domain name, mydomain.net, from LDAP authentication with the rule global configuration command.

Console(config)# ldap server enable
Console(config)# ldap server host 10.1.1.1 port 88
Console# show ldap
LDAP parameters:
State: Enabled
Base DN: <none>
Filter: <none>
Timeout: 5 seconds
UID Attribute: uid
Primary: 10.1.1.1
Secondary: <none>
LDAP port: 88
Administrative DN: <none>
Administrative Password: <none>
LDAP version: 2
Console(config)# rule enable
Console(config)# rule no-auth domain mydomain.net
Console# show rule all
Rules Template Configuration
----------------------------
Rule Processing Enabled
rule no-auth domain mydomain.net

To delete an LDAP server, use the no ldap server command.

Console(config)# no ldap server host 10.1.1.1 port 88

Related Commands

rule

show ldap

show rule

ntlm server

To configure Microsoft Windows NT LAN Manager (NTLM) parameters, use the ntlm server command in global configuration mode.

ntlm server {domain name | enable | host {hostname | ip-address [primary | secondary]}}

no ntlm server {domain name | enable | host {hostname | ip-address [primary | secondary]}}

Syntax Description

server

Configures NTLM server-related parameters.

domain

Specifies NTLM domain name.

name

Name of NTLM domain.

enable

Enables NTLM authentication.

host

Configures NTLM NT controller name or IP address.

hostname

Host name.

ip-address

Host IP address.

primary

(Optional) Sets selected host name or address as the primary.

secondary

(Optional) Sets selected host name or address as the secondary.

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

Use this command to enable NTLM authentication and configure the NTLM server domain name, NT primary domain controller (PDC) name or IP address, and optionally set the host name or address as primary or secondary.

Before invoking an NTLM authentication request, make sure that the following conditions exist.

In the following example, server1 must be in the cisco.com domain and must have an entry in DNS that matches its NetBIOS-named computer account.

ip domain-name cisco.com
ntlm server host server1

For clients within the domain using the Internet Explorer browser in proxy mode, authentication is "popless"; that is, the user is not prompted with a dialog box to enter a username and password. In transparent mode, authentication is transparent only if the Internet options security settings are customized and set to User Authentication > Logon > Automatic logon with current username and password.

For clients outside the domain using the Netscape browser, a dialog box appears and the first authentication request asks the client to enter a username and password. Once the client is successfully authenticated, the entry is placed in the cache, and no reauthentication requests are made to the client until the entry lease expires.

Examples

ContentEngine(config)# ntlm server enable
ContentEngine(config)# ntlm server domain Workgroup
ContentEngine(config)# ntlm server host 209.165.200.224 primary
ContentEngine(config)# ntlm server host 209.165.200.225 secondary

Related Commands

show ntlm

primary-interface

To configure the primary interface for the E-CDN application, use the primary-interface command in global configuration mode. Use the no form of the command to revert to the default primary interface.

primary-interface {FastEthernet | GigabitEthernet} slot/port [dhcp]

no primary-interface {FastEthernet | GigabitEthernet} slot/port [dhcp]

Syntax Description

FastEthernet

Selects a Fast Ethernet interface as the E-CDN primary interface.

GigabitEthernet

Selects a Gigabit Ethernet interface as the E-CDN primary interface.

slot

Slot number of the specified interface.

port

Port number of the specified interface.

dhcp

(Optional) Enables DHCP on the specified interface.

Defaults

The default primary interface is the first operational interface on which a link beat is detected. Interfaces with lower-number IDs are polled first. (For example, FastEthernet 0/0 is checked before 1/0). For hardware with Gigabit Ethernet interfaces, the Gigabit Ethernet interfaces are polled before the Fast Ethernet interfaces.

Command Modes

Global configuration

Usage Guidelines

The primary-interface global configuration command permits the administrator to specify the primary interface for the E-CDN application. If the E-CDN application is enabled without specifying the primary interface, the E-CDN application chooses a default interface as primary. The primary interface can be changed without disabling the E-CDN application. To change the primary interface, reenter the command string and specify a different interface. To enable DHCP services with the specified interface, include the dhcp option.

Examples

Console(config)# primary-interface FastEthernet 0/0 dhcp
Console(config)# primary-interface FastEthernet 0/1

proxy-auto-config

To download the proxy autoconfiguration file from an FTP server, use the proxy-auto-config download command in EXEC mode.

proxy-auto-config download ftp-hostname remotedir pacfile

Syntax Description

download

Downloads and installs a configuration file from the FTP server.

ftp-hostname

Host name or IP address of the FTP server.

remotedir

Directory on the FTP server where the .pac file is located.

pacfile

Filename of the remote proxy auto configuration file.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

A browser obtains proxy IP address and port configuration information from the proxy automatic configuration file (.pac file) when the browser's autoconfiguration URL field is configured with the Content Engine IP address, incoming port number, file directory, and .pac filename.

The proxy-auto-config download EXEC command downloads an automatic configuration file from an FTP server to the present working directory of the Content Engine.

Examples

This example demonstrates how to download an autoconfiguration file from an FTP server to the Content Engine:

Console# proxy-auto-config download 172.16.10.10 remotedirname theproxyfile.pac

This example shows the URL that you enter in the browser's automatic proxy configuration URL field:

http://CCNScache-ipaddress:portnumber/theproxyfile.pac

Related Commands

show proxy-auto-config

proxy-auto-config (global configuration mode)

proxy-auto-config

To enable the browser autoconfiguration feature, use the proxy-auto-config enable command in global configuration mode. To disable the proxy autoconfiguration feature, use the no form of this command.

proxy-auto-config enable

no proxy-auto-config enable

Syntax Description

enable

Enables the automatic browser configuration feature.

Defaults

Proxy autoconfiguration is disabled by default.

Command Modes

Global configuration

Usage Guidelines

A browser obtains proxy IP address and port configuration information from the proxy automatic configuration file (.pac file) when the browser's autoconfiguration URL field is configured with the Content Engine IP address, incoming port number, file directory, and .pac filename.

To enable the proxy automatic configuration file feature, enter the proxy-auto-config enable global configuration command. Each time you download a new autoconfiguration file to the Content Engine, enter a no proxy-auto-config enable and then a proxy-auto-config enable command.

The autoconfiguration feature is supported by Microsoft Internet Explorer and Netscape browsers. The browser must be manually configured for automatic proxy configuration.

Examples

This example enables browser autoconfiguration on the Content Engine:

Console(config)# proxy-auto-config enable

This example shows the URL that you enter in the browser's automatic proxy configuration URL field:

http://CCNScache-ipaddress:portnumber/theproxyfile.pac

Related Commands

proxy-auto-config (EXEC mode)

show proxy-auto-config

radius-server

To configure RADIUS parameters, use the radius-server command in global configuration mode. To disable RADIUS authentication parameters, use the no form of this command.

radius-server {enable | host {hostname | hostipaddr} [auth-port port] | key keyword | retransmit retries | timeout seconds}

no radius-server {enable | host {hostname | hostipaddr} [auth-port port] | key keyword | retransmit retries | timeout seconds}

Syntax Description

enable

Enables HTTP RADIUS authentication.

host

Specifies a RADIUS server.

hostname

Host name of the RADIUS server.

hostipaddr

IP address of the RADIUS server.

auth-port

Sets UDP port for the RADIUS authentication server.

port

Specifies UDP port number (1-65535). The default is 1645.

key

Encryption key shared with the RADIUS servers.

keyword

Text of shared key (15 characters maximum).

retransmit

Specifies the number of transmission attempts to an active server.

retries

Number of transmission attempts for a transaction (1-3). The default is 2.

timeout

Time to wait for a RADIUS server to reply.

seconds

Wait time in seconds (1-20). The default is 5 seconds.

Defaults

retransmit retries: 2

timeout seconds: 5

auth-port port: UDP port 1645

Command Modes

Global configuration

Usage Guidelines

RADIUS authentication clients reside on the Content Engine running ACNS 4.0 software. When enabled, these clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information.

Excluding Domains

To exclude domains from RADIUS authentication, use the rule no-auth domain command. RADIUS authentication takes place only if the site requested does not match the specified pattern.

Examples

The following example enables the RADIUS client, specifies a RADIUS server, specifies the RADIUS key, accepts retransmit defaults, and excludes the domain name, mydomain.net, from RADIUS authentication. The configuration is verified with the show radius-server and show rule all commands.

Console(config)# radius-server enable
Console(config)# radius-server host 172.16.90.121
Console(config)# radius-server key myradiuskey
Console(config)# rule enable
Console(config)# rule no-auth domain mydomain.net
Console(config)# show radius-server
Radius Configuration:
---------------------
Radius Authentication is on
Timeout = 5
Retransmit = 3
Key = ****
Servers
-------
IP 172.16.90.121 Port = 1645 State: ENABLED
Console# show rule all
Rules Template Configuration
----------------------------
Rule Processing Enabled
rule no-auth domain mydomain.net

The following example disables RADIUS authentication on the Content Engine.

Console(config)# no radius-server enable

Related Commands

rule

show radius

ssh-key-generate

To generate the Secure Shell (SSH) host key, use the ssh-key-generate command in EXEC mode.

ssh-key-generate

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Before you enable the sshd command, use the ssh-key-generate command to generate a private and a public key, which the server and client programs use to verify each other's identity.

When a user runs an SSH client and logs in to the Content Engine, the public key for the SSH daemon running on the Content Engine is recorded in the client machine known_hosts file in the user's home directory. If the Content Engine administrator subsequently regenerates the host key by issuing the ssh-key-generate command, the user must delete the old public key entry associated with the Content Engine in the known_hosts file before running the SSH client program to log in to the Content Engine. When the user runs the SSH client program after deleting the old entry, the known_hosts file is updated with the new SSH public key for the Content Engine.

Examples

This example generates an SSH public key, then enables the SSH daemon.

Console(config)# ssh-key-generate
Ssh host key generated successfully
Saving the host key to box ...
Host key saved successfully
Console(config)# sshd enable
Starting ssh daemon ...
Ssh daemon started successfully

Related Commands

sshd

sshd

To enable the SSH (Secure Shell) daemon, use the sshd command in global configuration mode. Use the no form of the command to disable SSH.

sshd enable

no sshd enable

Syntax Description

enable

Enables the SSH (Secure Shell) feature.

Defaults

No default behavior or values

Command Modes

Global configuration

Usage Guidelines

SSH (Secure Shell) enables login access to the Content Engine through a secure and encrypted channel. SSH consists of a server and a client program. Like Telnet, you can use the client program to remotely log on to a machine that is running the SSH server, but unlike Telnet, messages transported between the client and the server are encrypted. The functionality of SSH includes user authentication, message encryption, and message authentication.

Before you enable the sshd command, use the ssh-key-generate command to generate a private and a public key, which the server and client programs will use to verify each other's identity.

Examples

Console(config)# sshd enable

Related Commands

ssh-key-generate

show sshd

no sshd enable

standby

To configure an interface to be a backup for another interface, use the standby command in interface configuration mode. Use the no form of the command to restore the default configuration of the interface.

standby group_number {errors max_errors | ip ipaddress netmask | priority priority_level}

no standby group_number {errors max_errors | ip ipaddress netmask | priority priority_level}

Syntax Description

group_number

Specifies standby group number (1-4).

errors

Sets the maximum number of errors allowed on this interface.

max_errors

Specifies the maximum number of errors (0-4294967295).

ip

Sets the IP address of a standby group.

ipaddress

Specifies the IP address of a standby group

netmask

Specifies the network mask of a standby group.

priority

Sets the priority of an interface for the standby group.

priority_level

Specifies the priority level number (0-4294967295).

Defaults

There are no standby interfaces by default. The errors option is disabled by default.

Command Modes

Interface configuration

Usage Guidelines

When an active network interface fails (because of cable trouble, Layer 2 switch failure, high error count, and so forth), and that interface is part of a standby group, a standby interface can become active and take the load off the failed interface.

To configure standby interfaces, interfaces are logically assigned to standby groups. The following rules define the standby group relationships:

The maximum number of errors allowed on the active interface before the interface is shut down and the standby is brought up is configured with the errors option, which is disabled by default.
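As an added example that is not Cisco code, the following models which member of a standby group carries the group address and when the group fails over, from the usage guidelines above: the highest-priority member whose link is up and whose error count is within the configured errors limit is active. Tie-breaking between equal priorities (the member configured first wins) and the event format are assumptions made for the example.

```python
"""Added example (not Cisco code): active-member selection and failover
for a standby group, modelled from the standby usage guidelines.
Assumption: on equal priority, the member configured first is chosen."""
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    priority: int
    errors: int = 0
    link_up: bool = True


def eligible(member, max_errors):
    """A member can carry the group address while its link is up and, when
    the errors option is configured, its error count is within the limit."""
    if not member.link_up:
        return False
    return max_errors is None or member.errors <= max_errors


def select_active(members, max_errors=None):
    """Name of the highest-priority eligible member, or None if none is usable
    (the group address is then unreachable, which is the case to alarm on)."""
    best = None
    for m in members:  # configured order, so the first wins on a tie
        if eligible(m, max_errors) and (best is None or m.priority > best.priority):
            best = m
    return best.name if best else None


def failover_trace(members, max_errors, events):
    """Apply (name, errors_to_add, link_up) events in order and return the
    active member after each one, so a change marks where failover occurred."""
    by_name = {m.name: m for m in members}
    trace = []
    for name, add_errors, link_up in events:
        m = by_name[name]
        m.errors += add_errors
        m.link_up = link_up
        trace.append(select_active(members, max_errors))
    return trace
```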

Examples

This example configures three interfaces to be part of the same standby group, with interface 3/0 as the active interface.

Console(config)# interface fastEthernet 3/0 standby 1 ip 172.16.10.10 255.255.254.0
Console(config)# interface fastEthernet 3/1 standby 1 ip 172.16.10.10 255.255.254.0
Console(config)# interface fastEthernet 3/2 standby 1 ip 172.16.10.10 255.255.254.0
Console(config)# interface fastEthernet 3/0 standby 1 priority 300
Console(config)# interface fastEthernet 3/1 standby 1 priority 200
Console(config)# interface fastEthernet 3/2 standby 1 priority 100
Console(config)# interface fastEthernet 3/0 standby 1 errors 10000
Console(config)# interface fastEthernet 3/1 standby 1 errors 10000
Console(config)# interface fastEthernet 3/2 standby 1 errors 10000
Console# show standby
Standby Group:1
IP address: 172.16.10.10, netmask: 255.255.254.0
Maximum errors allowed on the active interface: 10000
Member interfaces:
FastEthernet 3/0 priority: 300
FastEthernet 3/1 priority: 200
FastEthernet 3/2 priority: 100
Active interface: FastEthernet 3/0

Related Commands

show standby

tacacs

To configure Terminal Access Controller Access Control System Plus (TACACS+) server-related parameters, use the tacacs command in global configuration mode. Use the no form of the command to disable individual options.

tacacs {key keyword | retransmit retries | server {hostname | ipaddress} [primary] | timeout seconds}

no tacacs {key keyword | retransmit retries | server {hostname | ipaddress} [primary] | timeout seconds}

Syntax Description

key

Sets security word.

keyword

Specifies keyword. An empty string is the default.

retransmit

Sets the number of times that requests are retransmitted to a server.

retries

Specifies the number of attempts allowed (1-3). The default is two retry attempts.

server

Sets a server address.

hostname

Specifies the host name of TACACS+ server.

ipaddress

Specifies the IP address of TACACS+ server.

primary

(Optional) Sets the server as primary.

timeout

Sets the number of seconds to wait before a request to a server is timed out.

seconds

Specifies the timeout in seconds (1-20). The default is 5 seconds.

Defaults

keyword: none (empty string)

timeout seconds: 5

retries: 2

Command Modes

Global configuration

Usage Guidelines

The user global configuration commands or the Users GUI page provide a way to add, delete, or modify usernames, passwords, and access privileges in the local database. The TACACS+ remote database can also be used to maintain login and configuration privileges for administrative users. The tacacs command or the TACACS+ GUI page allows you to configure the network parameters required to access the remote database.

Login and configuration privileges can be obtained from either the local database or the TACACS+ remote database. If both databases are enabled, then both databases are queried; if the user data cannot be found in the first database queried, then the second database is tried. When the primary keyword is entered for TACACS+ login or configuration authentication, the TACACS+ database is queried first, and the local database is queried second. If the TACACS+ database is not designated as the primary, and both the local and the TACACS+ databases are enabled, the local database is queried first. If both the local and TACACS+ databases are disabled (no authentication), the Content Engine verifies that both are disabled and if so, sets the Content Engine to the default state.

The tacacs key command specifies the TACACS+ key, used to encrypt the packets transmitted to the server. This key must be the same as the one specified on the server daemon. The maximum number of characters in the key should not exceed 99 printable ASCII characters (except tabs). An empty key string is the default. All leading spaces are ignored; spaces within and at the end of the key string are not ignored. Double quotes are not required even if there are spaces in the key, unless the quotes themselves are part of the key.

One primary and two backup TACACS+ servers can be configured; authentication is attempted on the primary server first, then on the others in the order in which they were configured. The primary server is the first server configured unless another is explicitly specified as primary with the tacacs server hostname primary command.

The tacacs timeout is the number of seconds the Content Engine waits before declaring a timeout on a request to a particular TACACS+ server. The range is from 1 to 20 seconds with 5 seconds as the default. The number of times the Content Engine repeats a retry-timeout cycle before trying the next TACACS+ server is specified by the tacacs retransmit command. The default is two retry attempts.

Three unsuccessful login attempts are permitted. TACACS+ logins may appear to take more time than local logins depending on the number of TACACS+ servers and the configured timeout and retry values.
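The following added example, not Cisco code, puts the usage guidelines above into working form: the order in which the local and TACACS+ databases are consulted, the order in which the TACACS+ servers are tried, the retransmit/timeout cycle, and the resulting bound on how long a login can take when servers are silent. The TACACS+ exchange is replaced by a caller-supplied function, and two readings are assumptions: that retransmit counts the attempts made per server, and that a user found in the first database with a wrong password is denied rather than looked up again in the second.

```python
"""Added example (not Cisco code): database query order, server order and
the retry cycle for TACACS+ login on the Content Engine, as the usage
guidelines describe them. Network exchanges are replaced by callables."""

LOCAL = "local"
TACACS = "tacacs+"


def database_order(local_enabled, tacacs_enabled, tacacs_primary):
    """Databases to query, first to last. TACACS+ goes first only when it is
    enabled and marked primary; otherwise the local database is first."""
    order = []
    if tacacs_enabled and tacacs_primary:
        order.append(TACACS)
    if local_enabled:
        order.append(LOCAL)
    if tacacs_enabled and not tacacs_primary:
        order.append(TACACS)
    return order


def server_order(servers, primary=None):
    """Servers in the order tried: the primary first (the first configured
    unless another was marked primary), then the rest as configured."""
    if primary is None or primary not in servers:
        return list(servers)
    return [primary] + [s for s in servers if s != primary]


def worst_case_login_seconds(server_count, retransmit, timeout_s):
    """Upper bound on waiting time when every server stays silent.
    Assumption: `retransmit` is the number of attempts per server (1-3)."""
    return server_count * retransmit * timeout_s


def tacacs_authenticate(servers, primary, retransmit, send):
    """Try each server in order; `send(server)` returns True/False for a
    definite reply or None on timeout. Returns (reply, attempts made)."""
    attempts = []
    for server in server_order(servers, primary):
        for _ in range(retransmit):
            attempts.append(server)
            reply = send(server)
            if reply is not None:
                return reply, attempts
    return None, attempts  # no server answered: the login fails


def login(user, password, local_db, tacacs_check,
          local_enabled, tacacs_enabled, tacacs_primary):
    """Consult the databases in order; a user absent from the first one is
    looked up in the second. `tacacs_check(user, password)` returns
    True/False, or None when the user is unknown or no server answered.
    Returns (granted, database that decided) or (False, None)."""
    for db in database_order(local_enabled, tacacs_enabled, tacacs_primary):
        if db == LOCAL:
            stored = local_db.get(user)  # constructed local database
            if stored is not None:
                return stored == password, db
        else:
            reply = tacacs_check(user, password)
            if reply is not None:
                return reply, db
    return False, None
```

The bound from worst_case_login_seconds is what makes TACACS+ logins appear slower than local ones: three servers at the default timeout of 5 seconds and two attempts each can hold a login for 30 seconds before the local database is even consulted.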

Examples

This example configures the key used in encrypting packets:

Console(config)# tacacs key human789

This example configures the host named spearhead as the primary TACACS+ server:

Console(config)# tacacs server spearhead primary

This example sets the timeout interval for the TACACS+ server:

Console(config)# tacacs timeout 10

This example sets the number of times authentication requests are retried (retransmitted) after a timeout:

Console(config)# tacacs retransmit 3

Related Commands

authentication

show authentication

show statistics authentication

show tacacs

transaction-logs

To enable transaction logs, use the transaction-logs command in global configuration mode. To disable transaction logs, use the no form of this command.

transaction-logs archive interval every-day {at time | every hour}

transaction-logs archive interval every-hour {at minute | every interval}

transaction-logs archive max-file-size filesize

transaction-logs enable

transaction-logs export enable

transaction-logs export ftp-server {hostname | servipaddrs} login passw directory

transaction-logs file-marker

transaction-logs format {extended-squid | squid}

transaction-logs sanitize

no transaction-logs {archive {interval {every-day {at time | every hour} | every-hour {at minute | every interval}} | max-file-size filesize} | enable | export {enable | ftp-server {hostname | servipaddrs} login passw directory} | file-marker | format {extended-squid | squid} | sanitize}

Syntax Description

archive

Configures archive parameters.

interval

Determines how frequently the archive file is to be saved.

every-day

Archives using frequencies of 1 day or less.

at time

Specifies the time of day at which to archive in hours and minutes (hh:mm).

every hour

Interval in hours (1, 2, 3, 4, 6, 8, 12, or 24). Interval aligns with midnight.

every-hour

Archives using frequencies of 1 hour or less.

at minute

Specifies the minute alignment for the hourly archive (0-59).

every interval

Interval in minutes (2, 5, 10, 15, 20, or 30).

max-file-size

Sets maximum archive file size.

filesize

Specifies maximum archive file size in kilobytes (1000-2000000).

enable

Enables transaction log feature.

export

Configures file export parameters.

enable

Enables the exporting of log files at the specified interval.

ftp-server

Sets FTP server to receive exported archived files.

hostname

Host name of target FTP server.

servipaddrs

IP address of target FTP server.

login

User login to target FTP server.

passw

User password to target FTP server.

directory

Target directory for exported files on FTP server.

file-marker

Adds statements to transaction log indicating the file beginning and end.

format

Formats the log file.

extended-squid

Configures the extended Squid log format.

squid

Configures the Squid log format.

sanitize

Writes user IP addresses in log file as 0.0.0.0.

Defaults

archive: disabled

export: disabled

file-marker: disabled

sanitize: disabled

archive interval: every day, every 1 hour

archive max-file-size: 2,000,000 kilobytes

export time interval: 60 minutes

format: Squid log format

Command Modes

Global configuration

Usage Guidelines

Transaction logs are saved to the system file system (sysfs).

Enable transaction log recording with the transaction-logs enable command. When enabled, daemons create a working.log file in the /local1/logs/ sysfs volume.

After an interval specified by the transaction-logs archive interval command, the working.log file is copied as an archive file to the /local1/logs/ directory. The records of the working.log file are then deleted, and only transactions subsequent to the archiving event are recorded. The transaction log archive file-naming conventions are shown in Table A-1. The Content Engine default archive interval is every day, every 1 hour.

Use the transaction-logs archive max-file-size command to specify the maximum size of an archive file. The working.log file is archived when it attains the maximum file size.

Use the transaction-logs file-marker option to mark the beginning and end of archive files. By examining the file markers of an exported archive file, the administrator can determine whether the FTP process transferred the entire file. The file markers are in the form of dummy transaction entries as follows:

Use the format option to format the log files for either Squid or extended Squid formats. Squid logs are a valuable source of information about Squid workloads and performance. The logs record not only access information, but also system configuration errors and resource consumption, such as memory and disk space. The extended Squid format logs in the associated username for each record in the log file and is used for billing purposes.

Use the sanitize option to disguise the IP address and usernames of clients in the transaction log file. The default is not sanitized. A sanitized transaction log disguises the network identity of a client by changing the IP address in the transaction logs to 0.0.0.0. The no form disables the sanitize feature.
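As an added illustration (not code from the Cisco reference), the following Python models what the sanitize option removes from a Squid-format record: the client IP field becomes 0.0.0.0, after which requests can no longer be attributed to a client. The ten-field Squid native layout, the sample records and the use of the ident column for the extended-Squid username are assumptions.

```python
from collections import Counter

# Squid native access-log layout: ten space-separated fields per record
# (assumption: the Content Engine's "squid" format follows this layout).
SQUID_FIELDS = ("timestamp", "elapsed_ms", "client", "result", "bytes",
                "method", "url", "user", "hierarchy", "content_type")

# Constructed sample records, not taken from a real Content Engine.
SAMPLE_LOG = """\
977961599.123    245 10.1.118.77 TCP_MISS/200 5123 GET http://www.example.com/index.html alice DIRECT/192.0.2.10 text/html
977961600.456     12 10.1.118.77 TCP_HIT/200 2210 GET http://www.example.com/logo.gif alice NONE/- image/gif
977961601.789    380 10.1.118.90 TCP_MISS/403 421 GET http://www.example.net/ - DIRECT/192.0.2.20 text/html
"""

def parse_squid_line(line):
    """Split one record into a dict keyed by SQUID_FIELDS."""
    parts = line.split()
    if len(parts) != len(SQUID_FIELDS):
        raise ValueError(f"expected {len(SQUID_FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(SQUID_FIELDS, parts))

def sanitize_record(rec, hide_user=False):
    """Apply the sanitize transform the page describes: the client IP is written
    as 0.0.0.0. hide_user additionally blanks the username column (the page says
    usernames are disguised too; the column position is an assumption)."""
    out = dict(rec)
    out["client"] = "0.0.0.0"
    if hide_user:
        out["user"] = "-"
    return out

def sanitize_log(text, hide_user=False):
    """Sanitize every non-empty line of a log body and return the new text."""
    lines = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = sanitize_record(parse_squid_line(line), hide_user)
        lines.append(" ".join(rec[f] for f in SQUID_FIELDS))
    return "\n".join(lines) + "\n"

def requests_per_client(text):
    """Count records per client IP: exactly the attribution sanitize removes."""
    return Counter(parse_squid_line(l)["client"] for l in text.splitlines() if l.strip())

if __name__ == "__main__":
    print("before sanitize:", dict(requests_per_client(SAMPLE_LOG)))
    print("after sanitize: ", dict(requests_per_client(sanitize_log(SAMPLE_LOG))))
```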

The transaction log archive and export functions are configured with the following commands:

The following limitations apply:

Transaction Log Archive File-Naming Convention

The archive transaction log file is named as follows:

celog_10.1.118.5_20001228_235959.txt

Table A-1 describes the name elements.


Table A-1: Description of Archive Log Name Elements

Sample of Element / Description

celog_10.1.118.5

IP address of the Content Engine creating the archive file.

20001228

Date on which archive file was created (yyyymmdd).

235959

Time when archive file was created (hhmmss).

Exporting Transaction Logs to External FTP Servers

The transaction-logs export ftp-server option can support up to four FTP servers. To export transaction logs, you must first enable the feature and configure the FTP server parameters. The following information is required for each target FTP server:

The Content Engine translates the host name with a DNS lookup and then stores the IP address.

Use a fully qualified path or a relative path for the user login. The user must have write permission to the directory.

Use the no form of the transaction-logs export enable command to disable the entire transaction log export feature while retaining the rest of the configuration.

Restarting Export After Receiving a Permanent Error from the External FTP Server

When an FTP server returns a permanent error to the Content Engine, the archive transaction logs are no longer exported to that server. You must reenter the Content Engine transaction log export parameters to clear the error condition. The show statistics transaction-logs command displays the current state of transaction log export readiness.

A permanent error (Permanent Negative Completion Reply, RFC 959) occurs when the FTP command to the server cannot be accepted, and the action does not take place. Permanent errors can be caused by invalid user logins, invalid user passwords, and attempts to access directories with insufficient permissions.

In the following example, an invalid user login parameter was included in the transaction-logs export ftp-server command. The show statistics transaction-logs command shows that the Content Engine failed to export archive files.

ContentEngine# show statistics transaction-logs
Transaction Log Export Statistics:
  Server:172.16.10.5
  Initial Attempts:3
  Initial Successes:1
  Initial Open Failures:0
  Initial Put Failures:0
  Retry Attempts:2
  Retry Successes:2
  Retry Open Failures:0
  Retry Put Failures:0
  Authentication Failures:1
  Invalid Server Directory Failures:2

To restart the export of archive transaction logs, you must reenter the transaction-logs export ftp-server parameters.

ContentEngine(config)# transaction-logs export ftp-server 10.1.1.1 goodlogin pass /etc/webcache
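Because a permanent FTP error silently stops exports until the ftp-server line is re-entered, it is worth checking the counters from show statistics transaction-logs automatically. The following is an added example, not part of the Cisco reference: it parses the output shown above (copied from the page) and flags the two counters that only grow on permanent errors; the reply-code helper follows the RFC 959 rule that 5yz replies are permanent.

```python
import re

# One "Key:value" pair per counter, as printed by show statistics transaction-logs.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):([^\s:]+)")

# Counters that grow only when the FTP server sent a permanent (5yz) reply:
# once either is non-zero, exports to that server stay stopped until the
# transaction-logs export ftp-server parameters are re-entered.
PERMANENT_ERROR_COUNTERS = ("Authentication Failures", "Invalid Server Directory Failures")

# Output as shown in the command reference (copied from the page, not constructed).
SAMPLE_OUTPUT = """\
Transaction Log Export Statistics:
  Server:172.16.10.5
  Initial Attempts:3
  Initial Successes:1
  Initial Open Failures:0
  Initial Put Failures:0
  Retry Attempts:2
  Retry Successes:2
  Retry Open Failures:0
  Retry Put Failures:0
  Authentication Failures:1
  Invalid Server Directory Failures:2
"""

def parse_export_stats(text):
    """Return {'Server': str, counter name: int, ...} from the command output."""
    stats = {}
    for key, value in COUNTER_RE.findall(text):
        key = key.strip()
        stats[key] = value if key == "Server" else int(value)
    return stats

def is_permanent_ftp_error(reply_code):
    """RFC 959: a 5yz reply is a Permanent Negative Completion reply."""
    return 500 <= reply_code <= 599

def export_blocked_by_permanent_error(stats):
    """Non-zero permanent-error counters; an empty dict means the Content Engine
    is still attempting exports to this server."""
    return {k: stats[k] for k in PERMANENT_ERROR_COUNTERS if stats.get(k, 0) > 0}

if __name__ == "__main__":
    stats = parse_export_stats(SAMPLE_OUTPUT)
    blocked = export_blocked_by_permanent_error(stats)
    if blocked:
        print(f"server {stats['Server']}: exports stopped {blocked}; "
              "re-enter transaction-logs export ftp-server to restart")
```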

Examples

In this example, an FTP server is configured.

ContentEngine(config)# transaction-logs export ftp-server 10.1.1.1 mylogin mypasswd /tmp/local/webcache
ContentEngine(config)# transaction-logs export ftp-server myhostname mylogin mypasswd /tmp/local/webcache

To delete an FTP server, use the no form of the command.

ContentEngine(config)# no transaction-logs export ftp-server myhostname
ContentEngine(config)# no transaction-logs export ftp-server 10.1.1.1

Use the no form of the command to disable the entire transaction log export feature while retaining the rest of the configuration.

ContentEngine(config)# no transaction-logs export enable
Note   The default is export disabled; the export interval is every 10 minutes. There are no defaults for the FTP server configuration.

To change a username, password, or directory, reenter the entire line.

ContentEngine(config)# transaction-logs export ftp-server 10.1.1.1 mynewname mynewpass /tmp/local/webcache

The show transaction-logging command displays information on exported log files.

ContentEngine# show transaction-logging
Transaction log configuration:
---------------------------------------
Logging is enabled.
End user identity is visible.
File markers are disabled.
Archive interval: every-day at 10:35
Maximum size of archive file: 2000000 KB
Exporting files to ftp servers is enabled.
ftp-server      username      directory
1.1.1.1         user          /ftpdirectory
2.2.2.2         myname        /tmp/logfiles
Working Log file - size: 103 age: 0
Note   For security reasons, passwords are never displayed.

The export option displays the status of logging attempts to export servers.

ContentEngine# show statistics transaction-logs
Transaction Log Export Statistics:
  Server:172.16.10.5
  Initial Attempts:3
  Initial Successes:1
  Initial Open Failures:0
  Initial Put Failures:0
  Retry Attempts:2
  Retry Successes:2
  Retry Open Failures:0
  Retry Put Failures:0
  Authentication Failures:1
  Invalid Server Directory Failures:2

Configuring Intervals Between 1 Day and 1 Hour

The interval can be set for once a day at a specific time. It can also be set for frequencies of hours; these frequencies align with midnight. For example, every 4 hours means archiving will occur at 0000, 0400, 0800, 1200, 1600, and so on. It is not possible to archive at 0030, 0430, 0830, and so forth.

ContentEngine(config)# transaction-logs archive interval every-day ?
  at     Specify the time at which to archive each day
  every  Specify the interval in hours. It will align with midnight
ContentEngine(config)# transaction-logs archive interval every-day at ?
  <0-23>:  Time of day at which to archive (hh:mm)
ContentEngine(config)# transaction-logs archive interval every-day every ?
  <1-24>  Interval in hours: {1, 2, 3, 4, 6, 8, 12 or 24}

Scheduling Intervals of 1 Hour or Less

The interval can be set for once an hour with a minute alignment. It can also be set for frequencies of less than an hour; these frequencies will align with the top of the hour. That is, every 5 minutes means archiving will occur at 1700, 1705, and 1710.

ContentEngine(config)# transaction-logs archive interval every-hour ?
  at     Specify the time at which to archive each day
  every  Specify interval in minutes. It will align with top of the hour
ContentEngine(config)# transaction-logs archive interval every-hour at ?
  <0-59>  Specify the minute alignment for the hourly archive
ContentEngine(config)# transaction-logs archive interval every-hour every ?
  <2-30>  Interval in minutes: {2, 5, 10, 15, 20, 30}
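The following Python is an added example, not part of the Cisco reference, covering both the archive file-naming convention of Table A-1 and the interval alignment rules of the two sections above: it parses archive names, computes the next aligned archive time for each interval phrase the CLI accepts, and uses both to list archives that never reached an export directory. The directory listing and timestamps are constructed, and the 60-second tolerance is an assumption.

```python
import re
from datetime import datetime, timedelta

# Permitted interval values from the command reference.
EVERY_DAY_HOURS = {1, 2, 3, 4, 6, 8, 12, 24}
EVERY_HOUR_MINUTES = {2, 5, 10, 15, 20, 30}

# Archive file name per Table A-1: celog_<CE IP>_<yyyymmdd>_<hhmmss>.txt
ARCHIVE_NAME_RE = re.compile(
    r"^celog_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})_(?P<date>\d{8})_(?P<time>\d{6})\.txt$")

def parse_ts(text):
    """'YYYY-MM-DD HH:MM' -> datetime (helper for the calls below)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def parse_archive_name(name):
    """Return (content_engine_ip, creation datetime), or None if not an archive."""
    m = ARCHIVE_NAME_RE.match(name)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("date") + m.group("time"), "%Y%m%d%H%M%S")

def next_archive_time(now, interval):
    """First archive instant strictly after `now` for a phrase as typed after
    'archive interval': 'every-day at 10:35', 'every-day every 4',
    'every-hour at 15' or 'every-hour every 5'."""
    freq, kind, value = interval.split()
    if freq == "every-day" and kind == "at":            # once a day at hh:mm
        hh, mm = (int(x) for x in value.split(":"))
        t = now.replace(hour=hh, minute=mm, second=0, microsecond=0)
        return t if t > now else t + timedelta(days=1)
    if freq == "every-day" and kind == "every":         # N hours, aligned with midnight
        hours = int(value)
        if hours not in EVERY_DAY_HOURS:
            raise ValueError(f"hour interval must be one of {sorted(EVERY_DAY_HOURS)}")
        base, step = now.replace(hour=0, minute=0, second=0, microsecond=0), timedelta(hours=hours)
    elif freq == "every-hour" and kind == "at":         # once an hour at minute M
        t = now.replace(minute=int(value), second=0, microsecond=0)
        return t if t > now else t + timedelta(hours=1)
    elif freq == "every-hour" and kind == "every":      # N minutes, aligned with top of hour
        minutes = int(value)
        if minutes not in EVERY_HOUR_MINUTES:
            raise ValueError(f"minute interval must be one of {sorted(EVERY_HOUR_MINUTES)}")
        base, step = now.replace(minute=0, second=0, microsecond=0), timedelta(minutes=minutes)
    else:
        raise ValueError(f"unrecognised interval phrase: {interval!r}")
    # Aligned schedules: the first multiple of `step` after `base` that is later than now.
    return base + ((now - base) // step + 1) * step

def missing_archives(names, interval, start, end, tolerance=timedelta(seconds=60)):
    """Expected archive times in (start, end] with no file in `names` created within
    `tolerance` of them; run over an FTP export directory listing to spot archives
    that never arrived (tolerance absorbs the seconds the archiving itself takes)."""
    created = [p[1] for p in map(parse_archive_name, names) if p]
    missing, t = [], next_archive_time(start, interval)
    while t <= end:
        if not any(abs(ts - t) <= tolerance for ts in created):
            missing.append(t)
        t = next_archive_time(t, interval)
    return missing

# Constructed export-directory listing: the 17:10 archive is absent.
LISTING = ["celog_10.1.118.5_20001228_170000.txt", "celog_10.1.118.5_20001228_170501.txt",
           "celog_10.1.118.5_20001228_171500.txt", "working.log"]

if __name__ == "__main__":
    print(next_archive_time(parse_ts("2000-12-28 12:30"), "every-day every 4"))  # 16:00
    print(missing_archives(LISTING, "every-hour every 5",
                           parse_ts("2000-12-28 16:58"), parse_ts("2000-12-28 17:16")))
```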

Related Commands

clear transaction-log

show transaction-logging

show statistics transaction-logs

transaction-log force

type-tail

To view a specified number of lines of the end of a log file or to view the end of the file continuously as new lines are added to the file, use the type-tail command in EXEC mode.

type-tail filename {1-65535 | follow}

Syntax Description

filename

Specifies the file to be examined.

1-65535

Specifies the number of lines (from 1 to 65535) at the end of the file to be displayed.

follow

Displays the end of the file continuously as new lines are added to the file.

Defaults

10 lines shown

Command Modes

EXEC

Usage Guidelines

This command allows you to monitor a log file by letting you view the end of the file. You can specify the number of lines at the end of the file that you want to view, or you can follow the last line of the file as it continues to log new information. To stop the display from continuously scrolling when the follow keyword is used, press Ctrl-C.

Examples

This example shows the list of log files in the /local1 directory:

stream-ce# ls /local1
core_dir errloglive errorlog logs lost+found medialogs service_logs syslog.txt

This example displays the last ten lines of the syslog.txt file. In this example, the number of lines to display is not specified; however, ten lines is the default.

stream-ce# type-tail /local1/syslog.txt
Oct 8 21:49:15 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with return 0, ready = 0
Oct 8 21:49:15 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with return 0, ready = 0
Oct 8 21:49:15 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:17 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with return 0, ready = 0
Oct 8 21:49:17 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with return 0, ready = 0
Oct 8 21:49:17 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:19 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with return 0, ready = 0
Oct 8 21:49:19 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with return 0, ready = 0
Oct 8 21:49:19 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:21 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with return 0, ready = 0

This example displays the last 20 lines of the syslog.txt file:

stream-ce# type-tail /local1/syslog.txt 20
Oct 8 21:49:11 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with return 0, ready = 0
Oct 8 21:49:11 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:13 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with return 0, ready = 0
Oct 8 21:49:13 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with return 0, ready = 0
Oct 8 21:49:13 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:15 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with return 0, ready = 0
Oct 8 21:49:15 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with return 0, ready = 0
Oct 8 21:49:15 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:17 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with return 0, ready = 0
Oct 8 21:49:17 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with return 0, ready = 0
Oct 8 21:49:17 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:19 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with return 0, ready = 0
Oct 8 21:49:19 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with return 0, ready = 0
Oct 8 21:49:19 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:21 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with return 0, ready = 0
Oct 8 21:49:21 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with return 0, ready = 0
Oct 8 21:49:21 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:23 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with return 0, ready = 0
Oct 8 21:49:23 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with return 0, ready = 0
Oct 8 21:49:23 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL

This example follows the file as it grows:

stream-ce# type-tail /local1/syslog.txt ?
  <1-65535>  The numbers of lines from end
  follow     Follow the file as it grows
  <cr>
stream-ce# type-tail /local1/syslog.txt follow
Oct 8 21:49:39 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:41 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with return 0, ready = 0
Oct 8 21:49:41 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with return 0, ready = 0
Oct 8 21:49:41 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:43 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with return 0, ready = 0
Oct 8 21:49:43 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with return 0, ready = 0
Oct 8 21:49:43 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:45 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with return 0, ready = 0
Oct 8 21:49:45 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with return 0, ready = 0
Oct 8 21:49:45 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:47 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with return 0, ready = 0
Oct 8 21:49:47 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with return 0, ready = 0
Oct 8 21:49:47 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:49 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with return 0, ready = 0
Oct 8 21:49:49 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with return 0, ready = 0
Oct 8 21:49:49 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL

url-filter

To configure URL filtering, use the url-filter command in global configuration mode. Use the no form of this command to disable selected options.

url-filter bad-sites-deny file_name

url-filter custom-message dir_name

url-filter enable {bad-list | good-list | websense}

url-filter good-sites-allow file_name

url-filter websense {allowmode enable | server name [port port_num ] [timeout seconds]}

no url-filter {bad-sites-deny file_name | custom-message dir_name | enable {bad-list | good-list | websense} | good-sites-allow file_name | websense {allowmode enable | server name [port port_num ] [timeout seconds]}}

Syntax Description

bad-sites-deny

Specifies sites to which access should be denied.

file_name

Name of the file that contains the list of sites to which you want to deny access.

custom-message

Specifies the directory that contains the block.html file. (The block.html file contains the message users see when they try to access a site that is denied.)

dir_name

Name of the directory that contains the block.html file.

enable

Enables the URL filter feature.

bad-list

Enables the bad-sites list to act as the URL filter.

good-list

Enables the good-sites list to act as the URL filter.

websense

Enables a Websense server to act as the URL filter.

good-sites-allow

Allows access only to sites on the good sites list.

file_name

Name of the file that contains your good sites list.

websense

Configures Websense parameters.

allowmode

Allows access to a site if the Websense server does not respond.

enable

Enables allow mode.

server

Specifies the Websense server.

name

Host name or IP address of the Websense server.

port

(Optional) Establishes the Websense server's port number.

port_num

(Optional) Port on which to send the Websense requests (1-65535). The default is 15868.

timeout

(Optional) Configures the maximum time to wait for a response from the Websense server.

seconds

(Optional) Timeout value in seconds (0-4294967295). The default is 20 seconds.

Defaults

port port_num: 15868

timeout seconds: 20

Command Modes

Global configuration

Usage Guidelines

The URL filtering feature allows the Content Engine to control client access to websites in any of the following ways:

Only one form of URL filtering can be active at a time.

The URL filtering feature existed in Cache software 2.x releases. The URL filtering feature in ACNS 4.0 software differs from the URL filtering feature in other releases as follows:

There is now an enable command option for the good-list and bad-list options.

The URL list filenames and the customized blocking message directory name are now specified in the command-line interface (CLI).

You can now use the url-filter local-list-reload command to dynamically refresh a local URL list.

The bad-sites-block option has been changed to bad-sites-deny.

URL Filtering with URL Lists

You can configure the Content Engine to deny client requests for URLs that are listed in a badurl.lst file, or configure it to fulfill only requests for URLs in a goodurl.lst file.

To deny requests for specific URLs, do the following:


Step 1   Create a plain text file named badurl.lst. In this file, enter the URLs that you want to block. The list of URLs in the badurl.lst file must be written in the form www.domain.com and delimited with carriage returns.

Step 2   Copy the badurl.lst file to the /local1 sysfs directory of the Content Engine.

Step 3   Use the url-filter bad-sites-deny command to point to the bad URL list.

Console(config)# url-filter bad-sites-deny local/local1/badurl.lst

Step 4   Use the url-filter enable bad-list command to actively deny the URLs.

Console(config)# url-filter enable bad-list

To permit specific URLs to the exclusion of all other URLs, do the following:


Step 1   Create a plain text file named goodurl.lst.

In this file, enter the URLs that you want to exclusively allow. The list of URLs in the goodurl.lst file must be written in the form www.domain.com and delimited with carriage returns.

Step 2   Copy the goodurl.lst file to the /local1 sysfs directory of the Content Engine.

Step 3   Use the url-filter good-sites-allow command to point to the goodurl.lst file.

Console(config)# url-filter good-sites-allow local/local1/goodurl.lst

Step 4   Use the url-filter enable good-list command to actively permit only the good URLs.

Console(config)# url-filter enable good-list


Note   When you update the badurl.lst or goodurl.lst file, use the url-filter local-list-reload EXEC command to recopy the URL list file to the Content Engine.

Use the no form of the command to disable blocking or Websense permission requests (for example, no url-filter bad-sites-deny).

Custom Blocking Messages

The Content Engine with ACNS 4.0 software can be configured to return a customized blocking message to the client. The custom message must be an administrator-created HTML page named block.html. Make sure to copy all embedded graphics associated with the custom message HTML page to the same directory that contains the block.html file. To enable the customized blocking message, use the url-filter custom-message command and specify the directory name.

To disable the custom message, use the no url-filter custom-message command.

The url-filter custom-message command can be enabled and disabled without affecting the good-list and bad-list configuration.


Note   Do not use local1 or local2 as directories. Create a separate directory under local1 or local2 for holding the custom message file.

In the block.html file, objects (such as .gif, .jpeg, and so on) must be referenced with the string /content/engine/blocking/url, as shown in the example below.

The following is an example of a block.html file:

<TITLE>Cisco Content Engine example customized message for url-filtering</TITLE>
<p>
<H1>
<CENTER><B><I><BLINK>
<FONT COLOR="#800000">P</FONT>
<FONT COLOR="#FF00FF">R</FONT>
<FONT COLOR="#00FFFF">A</FONT>
<FONT COLOR="#FFFF00">D</FONT>
<FONT COLOR="#800000">E</FONT>
<FONT COLOR="#FF00FF">E</FONT>
<FONT COLOR="#00FFFF">P</FONT>
<FONT COLOR="#FF8040">'</FONT>
<FONT COLOR="#FFFF00">S</FONT>
</BLINK>
<FONT COLOR ="#0080FF">Blocked Page</FONT>
</I></B></CENTER>
</H1>
<p>
<p>
<IMG src="/content/engine/blocking/url/my.gif">
<p>
This page is blocked by the Content Engine.
<p>

To disable the custom-message option without disabling URL filtering, enter the URL filtering command without the custom-message option (for example, url-filter good-sites-allow).

URL Filtering with the Websense Enterprise Server

The Content Engine can use a Websense Enterprise server as a filtering engine and enforce the filtering policy configured on the Websense server. Refer to the Websense documentation for further information on Websense filtering policies.

To enable Websense URL filtering on the Content Engine, specify the Websense server IP address or host name. The timeout option sets the maximum amount of time that the Content Engine will wait for a Websense response. The timeout default is 20 seconds. The port option specifies the port number on which the server will intercept requests from the Content Engine (the default port is 15868). Use the no url-filter websense server command to disable Websense URL filtering.

The url-filter websense allowmode enable command permits the Content Engine to fulfill the client request after a Websense server timeout.

The Websense server returns its own blocking message.

To use Websense URL filtering with a cluster of Content Engines, make sure to configure the url-filter websense server command on each Content Engine in the cluster to ensure that all traffic is filtered.
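As an added illustration (not code from ACNS), the following Python models the decision logic the three filtering forms imply: the line-delimited www.domain.com list files, the rule that only one form is active at a time, and the allowmode fail-open behaviour when the Websense server does not answer within the timeout. The Websense lookup is a stand-in callable, since the page does not describe the server protocol, and the list contents and host names are constructed.

```python
from urllib.parse import urlsplit

def load_url_list(text):
    """Parse a badurl.lst or goodurl.lst body: one host per line in the form
    www.domain.com, delimited by line breaks. Blank lines are skipped and hosts
    are compared case-insensitively (assumption: the page does not say)."""
    return frozenset(line.strip().lower() for line in text.splitlines() if line.strip())

def request_host(url):
    """Host part of a client request URL, lower-cased ('' if absent)."""
    return (urlsplit(url).hostname or "").lower()

def url_filter_decision(url, mode, bad_list=frozenset(), good_list=frozenset(),
                        websense_lookup=None, allowmode=False):
    """'allow' or 'deny' for one request under the url-filter semantics on this page.

    mode mirrors the enable keyword: exactly one of 'bad-list', 'good-list',
    'websense', or None when filtering is off (only one form is active at a time).
    websense_lookup(host, url) stands in for the Websense server: it returns True
    to permit, False to block, or raises TimeoutError when no answer arrives within
    the configured timeout.
    """
    host = request_host(url)
    if mode is None:
        return "allow"
    if mode == "bad-list":
        return "deny" if host in bad_list else "allow"
    if mode == "good-list":
        return "allow" if host in good_list else "deny"
    if mode == "websense":
        if websense_lookup is None:
            raise ValueError("websense mode needs a server lookup")
        try:
            return "allow" if websense_lookup(host, url) else "deny"
        except TimeoutError:
            # 'url-filter websense allowmode enable' fulfils the request after a
            # server timeout (fail open); without it the request is not fulfilled.
            return "allow" if allowmode else "deny"
    raise ValueError(f"unknown url-filter mode: {mode!r}")

# Constructed list files in the line-delimited www.domain.com form the page requires.
BADURL_LST = "www.bad.example\nwww.worse.example\n"
GOODURL_LST = "www.intranet.example\n\nwww.partner.example\n"

def websense_stub(host, url):
    """Stand-in Websense policy: blocks one host and times out for another."""
    if host == "www.slow.example":
        raise TimeoutError("no reply within the configured timeout")
    return host != "www.bad.example"

if __name__ == "__main__":
    bad, good = load_url_list(BADURL_LST), load_url_list(GOODURL_LST)
    for url in ("http://www.bad.example/x", "http://www.intranet.example/", "http://www.slow.example/"):
        print(url,
              url_filter_decision(url, "bad-list", bad_list=bad),
              url_filter_decision(url, "good-list", good_list=good),
              url_filter_decision(url, "websense", websense_lookup=websense_stub),
              url_filter_decision(url, "websense", websense_lookup=websense_stub, allowmode=True))
```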

Examples

To block listed URLs, enter:

Console(config)# url-filter bad-sites-deny badurl.lst

To disable URL blocking, use the no form of this command:

Console(config)# no url-filter bad-sites-deny
Console(config)# no url-filter good-sites-allow

To enable a custom message, first specify the directory in which the block.html file is located and then enter the enable command:

Console(config)# url-filter custom-message /local1/url_dir
Console(config)# url-filter custom-message enable

To configure a Content Engine to use Websense URL filtering with a 4-second timeout, enter:

Console(config)# url-filter websense server 172.16.11.22 timeout 4

Related Commands

url-filter list-reload

clear url-filter

show url-filter

show url-filter statistics websense

no url-filter

url-filter local-list-reload

To reload new good sites or bad sites lists when the url-filter feature is enabled, use the url-filter local-list-reload command in EXEC mode.

url-filter local-list-reload

Syntax Description

local-list-reload

Reloads the lists of bad and good URLs when the url-filter global configuration command is enabled.

Defaults

No default behavior or values

Command Modes

EXEC

Usage Guidelines

Use the url-filter local-list-reload command to update to the latest good sites or bad sites lists that you created or edited for the url-filter feature.

Examples

Console# url-filter local-list-reload

Related Commands

url-filter


Posted: Thu Nov 14 13:47:21 PST 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.