The ACNS 4.0 Cache application includes all of the Cache software commands described in the Cisco Cache Software Command Reference, Release 3.1. This appendix provides command reference information for ACNS 4.0 Cache application commands that are new or have changed relative to Cisco Cache software, Release 3.1.
The "New ACNS Software Cache Application Commands" section describes commands that appear in ACNS 4.0 software but are not in Cache Software, Release 3.1.
The "Changes in Existing Cache Software Commands" section describes changes to commands that appeared in Cache software, Release 3.1, but have different function, syntax, or keywords in ACNS 4.0 software.
Note Some commands in Cache 3.x software have been changed in ACNS 4.0 software. Therefore, when apparent conflict occurs between similar commands, the information in this guide supersedes all command descriptions for Cache software in releases before the ACNS 4.0 software release.
This section describes how some commands that were in Cache software, Release 3.1 are different in ACNS 4.0 software.
The clock timezone command has the same syntax and usage. However, when the E-CDN application is enabled, all commands that can change the local time are disabled: clock read-calendar, clock set, ntpdate, and ntp.
The following copy command options have been removed in ACNS software:
These options have been replaced by the copy ftp install command.
The debug command has the following new options:
The show debugging command also reflects these additional options.
Note We recommend that the debug command be used only at the direction of Cisco Systems technical support personnel. Cache performance is impacted when you run the debug command.
The disk command options in Cache software, Release 3.1 have changed in ACNS 4.0 software. The disk config command replaces the disk manufacture command used in Cache 3.1.1 software. ACNS 4.0 software uses the following disk command options:
To add a single disk with specified partitions, you use the disk add command. The disk raid-array command handles Storage Array configuration for the Content Distribution Manager 4650 (CDM-4650).
To configure disk space among functions, you use the disk config command. This command takes file system type and size as parameters. Size can be designated in megabytes, gigabytes, or as a percentage of the system total storage. In the following example, 10 percent of the total storage is allocated to the sysfs and 30 percent to every other file system.
Console# disk config sysfs 10% mediafs 30% ecdnfs 30% cfs 30%
Disk configured successfully.
New configuration will take effect after reload.
Please remove this device from the ECDN CDM (if any) before reboot this device, as this
device's configuration will be stale due to disk repartition.
To undo the disk configuration, use the disk cancel-config command.
Console# disk cancel-config
Disk configuration canceled successfully
To enable caching of authenticated content, the all, basic, and ntlm options have been added to the http cache-authenticated command.
To allow configuration of the healing mode feature, the cluster max-delay delayseconds and cluster misses totalmisses options have been added to the http command. To disable healing mode, set either the delayseconds value or the totalmisses value to 0, or use the no form of the command.
To specify the port number over which requests from the healing Content Engine are sent to other Content Engines in the cluster, the cluster http-port option has been added to the http command.
Note The default port number is 80. If you choose to configure a port other than the default 80, you have to make sure that the port configured matches the port specified in the http proxy incoming command on healing servers in the farm. Otherwise, the healing client is not able to retrieve objects from the healing servers.
To return to the default port number, use the no http cluster http-port command.
The cache-miss revalidate option has been added to the http command so that you can now configure the Content Engine proxy to ignore the Pragma:no-cache header, Cache-control:no-cache header, or both in an HTTP client request.
The proxy-auth-header and www-auth-header options have been added to the http append command.
Console(config)# http append ?
proxy-auth-header Configure host to receive Proxy-Authorization header
via-header Include 'Via' header in responses/replies
www-auth-header Configure host to receive WWW-Authorization header
x-forwarded-for-header Notify client-ip-addr to web-server via 'X-Forwarded-For' header
The install command no longer accepts .pax files. The files should be of the type .bin (for example, cache-sw.bin).
Also, if the release being installed does not require a new system image, then there may be no writing to Flash memory involved. If the new release has changes that require a new system image to be installed, then the install command may result in a write to Flash memory.
In Cache software Release 3.1.1, the software was completely installed at the end of the install command. In ACNS 4.0 software, if there is a new system image, some parts of the installation are not completely extracted and installed until after a reboot.
The dscp option has been added to the ip command. This allows you to set the global Type of Service (ToS) or differentiated services code point (DSCP) values in IP packets.
Console(config)# ip ?
default-gateway Define the default gateway's IP address
domain-name Define the default domain name
dscp Set IP ToS/DSCP (Differentiated Services) field
name-server Specify address of name server to use
route Specify net route
Console(config)# ip dscp ?
client Settings for responses to client
server Settings for outgoing requests
Console(config)# ip dscp client ?
cache-hit Cache hit responses to client
cache-miss Cache miss responses to client
Console(config)# ip dscp client cache-hit ?
match-server Use server's original TOS/DSCP value
set-dscp Set DSCP
set-tos Set Type of Service
Console(config)# ip dscp client cache-hit set-dscp ?
<0-63> Set DSCP value
af11 Set packets with AF11 dscp (001010)
af12 Set packets with AF12 dscp (001100)
af13 Set packets with AF13 dscp (001110)
af21 Set packets with AF21 dscp (010010)
af22 Set packets with AF22 dscp (010100)
af23 Set packets with AF23 dscp (010110)
af31 Set packets with AF31 dscp (011010)
af32 Set packets with AF32 dscp (011100)
af33 Set packets with AF33 dscp (011110)
af41 Set packets with AF41 dscp (100010)
af42 Set packets with AF42 dscp (100100)
af43 Set packets with AF43 dscp (100110)
cs1 Set packets with CS1(precedence 1) dscp (001000)
cs2 Set packets with CS2(precedence 2) dscp (010000)
cs3 Set packets with CS3(precedence 3) dscp (011000)
cs4 Set packets with CS4(precedence 4) dscp (100000)
cs5 Set packets with CS5(precedence 5) dscp (101000)
cs6 Set packets with CS6(precedence 6) dscp (110000)
cs7 Set packets with CS7(precedence 7) dscp (111000)
default Set packets with default dscp (000000)
ef Set packets with EF dscp (101110)
Console(config)# ip dscp client cache-hit set-tos ?
<0-127> Set TOS value
critical Set packets with critical precedence (80)
flash Set packets with flash precedence (48)
flash-override Set packets with flash override precedence (64)
immediate Set packets with immediate precedence (32)
internet Set packets with internetwork control precedence (96)
max-reliability Set packets with max reliable TOS (2)
max-throughput Set packets with max throughput TOS (4)
min-delay Set packets with min delay TOS (8)
min-monetary-cost Set packets with min monetary cost TOS (1)
network Set packets with network control precedence (112)
normal Set packets with normal TOS (0)
priority Set packets with priority precedence (16)
Console(config)# ip dscp server ?
match-client Use client's TOS/DSCP value
set-dscp Set DSCP
set-tos Set Type of Service
The ip address interface configuration command has been modified to allow customers to configure secondary IP addresses for a specified interface as follows:
Console(config)# ip address ip_address netmask [secondary]
Up to four secondary IP addresses can be specified for each interface. The same IP address cannot be assigned to more than one interface. The secondary IP address becomes active only after a primary IP address is configured. The following command configures the primary IP address:
Console(config)# ip address ip_address netmask
The secondary IP addresses are disabled when the interface is shut down, and are enabled when the interface is brought up. Use the no form of the command to disable a specific IP address.
Console(config)# no ip address ip_address netmask
Note No two interfaces can have IP addresses in the same subnet.
The ldap command has the following new options:
The ldap authcache max-entries and ldap authcache auth-timeout options have been removed and are now configurable through the http authentication cache max-entries and timeout commands, respectively.
The ldap client auth-header option has been removed and is now configurable through the http authentication header command.
In addition, the ldap server allow-mode and retransmit options have been removed.
The following options have been removed from the radius-server command:
The rule no-auth domain command replaces the radius-server exclude command; however, no replacement is available for the multi-user-prompt option.
The dscp option and the no-auth option have been added to the rule command. The no-auth option permits specific login and content requests to bypass authentication and authorization features such as LDAP, RADIUS, SSH, or TACACS+.
Console(config)# rule enable
Console(config)# rule no-auth src-ip 172.16.53.88 255.255.255.255
Console(config)# rule no-auth dst-ip 172.22.73.34 255.255.255.255
Console(config)# rule no-auth dst-port 9090
Console(config)# rule no-auth url-regex .*cgi-bin.*
Console(config)# rule no-auth domain cisco.com
In the following example, any requests from src-ip 172.16.53.88 are not authenticated.
Console(config)# rule no-auth src-ip 172.16.53.88 255.255.255.255
In the following example, any requests to dst-ip 172.22.73.34 are not authenticated.
Console(config)# rule no-auth dst-ip 172.22.73.34 255.255.255.255
In the following example, any requests with the destination port 9090 are not authenticated.
Console(config)# rule no-auth dst-port 9090
In the following example, any requests with "cisco.com" as the domain are not authenticated. (For example, requests for roti.cisco.com or badal.cisco.com are excluded from the Content Engine authentication.)
Console(config)# rule no-auth domain cisco.com
In the following example, any requests with "cgi-bin" in the URL are not authenticated.
Console(config)# rule no-auth url-regex .*cgi-bin.*
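Added example, not part of the ACNS documentation: a small Python checker that applies a rule no-auth set like the one above to sample requests, so an administrator can review which traffic skips authentication. The matching semantics (address plus mask for src-ip and dst-ip, regular-expression search for domain and url-regex, port taken from the URL for dst-port) and the rule enable gate are assumptions drawn from the command descriptions on this page, not confirmed Content Engine behaviour.

```python
"""Offline review of rule no-auth patterns (added example; semantics are
assumptions taken from the CLI help text, not Content Engine code)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed rule set, copied from the rule no-auth examples on this page.
RULES = [
    ("src-ip", "172.16.53.88", "255.255.255.255"),
    ("dst-ip", "172.22.73.34", "255.255.255.255"),
    ("dst-port", "9090"),
    ("url-regex", ".*cgi-bin.*"),
    ("domain", "cisco.com"),
]


def _in_subnet(addr, network, mask):
    """src-ip / dst-ip take an address and a netmask; a host mask matches one address."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return ipaddress.ip_address(addr) in net


def rule_matches(rule, request):
    """request: dict with 'url', 'src_ip', 'dst_ip' (constructed sample input)."""
    kind = rule[0]
    parts = urlsplit(request["url"])
    host = parts.hostname or ""
    port = parts.port or 80
    if kind == "src-ip":
        return _in_subnet(request["src_ip"], rule[1], rule[2])
    if kind == "dst-ip":
        return _in_subnet(request["dst_ip"], rule[1], rule[2])
    if kind == "dst-port":
        return port == int(rule[1])
    if kind == "url-regex":
        # "substring match with the URL": an unanchored search
        return re.search(rule[1], request["url"]) is not None
    if kind == "domain":
        # "regular expression to match with the domain name": cisco.com also
        # covers roti.cisco.com; note the dot is a regex wildcard unless escaped
        return re.search(rule[1], host) is not None
    raise ValueError(f"unknown pattern type {kind}")


def bypasses_auth(request, rules=RULES, rule_processing=True):
    """Return the first no-auth rule the request matches, or None.
    Assumption: rules are only processed after 'rule enable' (the show rule
    output on this page reports 'Rule Processing Disabled' otherwise)."""
    if not rule_processing:
        return None
    for rule in rules:
        if rule_matches(rule, request):
            return rule
    return None


def audit(requests, rules=RULES):
    """One (url, matching rule or None) pair per sample request, for review."""
    return [(r["url"], bypasses_auth(r, rules)) for r in requests]
```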
The dscp option allows you to set the Type of Service (ToS) or differentiated services code point (DSCP) values in IP packets based on a URL match, a file type, a domain, a destination IP address, a source IP address, or a destination port.
Console(config)# rule dscp ?
client Settings for responses to client
server Settings for outgoing requests
Console(config)# rule dscp client ?
cache-hit Cache hit responses to client
cache-miss Cache miss responses to client
Console(config)# rule dscp client cache-hit ?
match-server Use server's original ToS/DSCP value
set-dscp Set DSCP
set-tos Set Type of Service
Console(config)# rule dscp client cache-hit set-dscp ?
<0-63> Set DSCP value
af11 Set packets with AF11 dscp (001010)
af12 Set packets with AF12 dscp (001100)
af13 Set packets with AF13 dscp (001110)
af21 Set packets with AF21 dscp (010010)
af22 Set packets with AF22 dscp (010100)
af23 Set packets with AF23 dscp (010110)
af31 Set packets with AF31 dscp (011010)
af32 Set packets with AF32 dscp (011100)
af33 Set packets with AF33 dscp (011110)
af41 Set packets with AF41 dscp (100010)
af42 Set packets with AF42 dscp (100100)
af43 Set packets with AF43 dscp (100110)
cs1 Set packets with CS1(precedence 1) dscp (001000)
cs2 Set packets with CS2(precedence 2) dscp (010000)
cs3 Set packets with CS3(precedence 3) dscp (011000)
cs4 Set packets with CS4(precedence 4) dscp (100000)
cs5 Set packets with CS5(precedence 5) dscp (101000)
cs6 Set packets with CS6(precedence 6) dscp (110000)
cs7 Set packets with CS7(precedence 7) dscp (111000)
default Set packets with default dscp (000000)
ef Set packets with EF dscp (101110)
Console(config)# rule dscp client cache-hit set-tos ?
<0-127> Set ToS value
critical Set packets with critical precedence (80)
flash Set packets with flash precedence (48)
flash-override Set packets with flash override precedence (64)
immediate Set packets with immediate precedence (32)
internet Set packets with internetwork control precedence (96)
max-reliability Set packets with max reliable ToS (2)
max-throughput Set packets with max throughput ToS (4)
min-delay Set packets with min delay ToS (8)
min-monetary-cost Set packets with min monetary cost ToS (1)
network Set packets with network control precedence (112)
normal Set packets with normal ToS (0)
priority Set packets with priority precedence (16)
Console(config)# rule dscp client cache-hit set-dscp af11 ?
domain Regular expression to match with the domain name
dst-ip Destination IP address of the request
dst-port Destination port number
mime-type Regular expression to match with MIME type
src-ip Source IP address of the request
url-regex Regular expression to substring match with the URL
Console(config)# rule dscp client cache-miss ?
match-server Use server's original ToS/DSCP value
set-dscp Set DSCP
set-tos Set Type of Service
Console(config)# rule dscp server ?
match-client Use client's ToS/DSCP value
set-dscp Set DSCP
set-tos Set Type of Service
Console# show rule action ?
block Block the request
dscp IP ToS/DSCP (Differentiated Services)
freshness-factor Caching heuristic modifiers
no-auth Do not authenticate
no-cache Do not cache the object
no-proxy Do not use any upstream proxy
redirect Redirect request to rewritten URL
refresh Revalidate the object with the web server
rewrite Rewrite URL and fetch
selective-cache Cache this object
use-proxy Use a specific upstream proxy
use-server Use a specific server
Console# show rule action dscp ?
client Settings for responses to client
server Settings for outgoing requests
Console# show rule action dscp client ?
cache-hit Cache hit responses to client
cache-miss Cache miss responses to client
Console# show rule action dscp client cache-hit ?
all Display all the patterns for this action
pattern Display all the rules with specific type of pattern
Console# show rule action dscp client cache-hit pattern ?
domain Regular expression to match with the domain name
dst-ip Destination IP address of the request
dst-port Destination port number
mime-type Regular expression to match with MIME type
src-ip Source IP address of the request
url-regex Regular expression to substring match with the URL
The following examples illustrate DSCP information obtained using the show command:
Console# show rule action dscp client cache-hit pattern src-ip
Rules Template Configuration
----------------------------
Rule Processing Disabled
rule dscp client cache-hit set-tos min-monetary-cost src-ip 10.1.1.1 255.255.255.0
Console# show stat rule action dscp client cache-hit pattern src-ip
Rules Template Statistics
-------------------------
Rule hit count = 0 Rule:rule dscp client cache-hit set-tos min-monetary-cost src-ip
10.1.1.1 255.255.255.0
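As an added illustration (not from the ACNS documentation) serving both the ip dscp and the rule dscp listings above, this Python module maps the set-dscp and set-tos keywords to the IP ToS byte and back, so an administrator can tell when a ToS keyword and a DSCP keyword write the same marking. The keyword values are the ones printed in the CLI help; the bit layout (DSCP in the top six bits of the byte, the 0-127 ToS value as precedence shifted left by four plus the RFC 1349 ToS bits) is RFC 2474 and RFC 1349 background, not something this page states.

```python
"""Encode and decode the set-dscp / set-tos keywords of the ACNS ip dscp and
rule dscp commands as one IP ToS byte (added example, not Cisco code)."""

# set-dscp keywords -> 6-bit DSCP value (the binary shown in the CLI help).
DSCP_NAMES = {
    "default": 0b000000,
    "af11": 0b001010, "af12": 0b001100, "af13": 0b001110,
    "af21": 0b010010, "af22": 0b010100, "af23": 0b010110,
    "af31": 0b011010, "af32": 0b011100, "af33": 0b011110,
    "af41": 0b100010, "af42": 0b100100, "af43": 0b100110,
    "cs1": 0b001000, "cs2": 0b010000, "cs3": 0b011000, "cs4": 0b100000,
    "cs5": 0b101000, "cs6": 0b110000, "cs7": 0b111000,
    "ef": 0b101110,
}

# set-tos keywords -> the 0-127 value the CLI prints: IP precedence in the
# top three bits (precedence << 4) or a single RFC 1349 ToS bit.
TOS_NAMES = {
    "normal": 0, "priority": 16, "immediate": 32, "flash": 48,
    "flash-override": 64, "critical": 80, "internet": 96, "network": 112,
    "min-monetary-cost": 1, "max-reliability": 2, "max-throughput": 4,
    "min-delay": 8,
}


def dscp_to_tos_byte(dscp):
    """DSCP occupies the upper six bits of the ToS byte (RFC 2474)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    return dscp << 2


def tos_value_to_tos_byte(tos):
    """The CLI's 0-127 ToS value is the ToS byte without its reserved low bit."""
    if not 0 <= tos <= 127:
        raise ValueError("ToS value must be 0-127")
    return tos << 1


def encode_marking(action, arg):
    """Resolve e.g. ('set-dscp', 'af11'), ('set-dscp', '46'), ('set-tos',
    'critical') or ('set-tos', '80') to the ToS byte that gets written."""
    if action == "set-dscp":
        value = DSCP_NAMES[arg] if arg in DSCP_NAMES else int(arg)
        return dscp_to_tos_byte(value)
    if action == "set-tos":
        value = TOS_NAMES[arg] if arg in TOS_NAMES else int(arg)
        return tos_value_to_tos_byte(value)
    raise ValueError("action must be set-dscp or set-tos")


def decode_tos_byte(byte):
    """Describe one ToS byte both ways: as a DSCP codepoint and as
    IP precedence plus the four RFC 1349 ToS bits."""
    if not 0 <= byte <= 255:
        raise ValueError("ToS byte must be 0-255")
    dscp = byte >> 2
    dscp_name = next((n for n, v in DSCP_NAMES.items() if v == dscp), None)
    return {
        "dscp": dscp,
        "dscp_name": dscp_name,
        "precedence": byte >> 5,
        "tos_bits": (byte >> 1) & 0b1111,
    }


def same_marking(a, b):
    """True when two (action, arg) pairs set the same byte, which is how a
    rule dscp set-tos rule can silently duplicate an ip dscp set-dscp value."""
    return encode_marking(*a) == encode_marking(*b)
```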
The show cfs volumes command output displays different disk names and does not indicate whether or not a cfs partition is mounted. Also, the cfs size is now displayed in kilobytes instead of half kilobytes. For example:
Console# show cfs volumes
cfs 00:/dev/raw/raw1 17783224KB
cfs 01:/dev/raw/raw2 17783224KB
cfs 02:/dev/raw/raw3 17783224KB
cfs 03:/dev/raw/raw4 17783224KB
cfs 04:/dev/raw/raw5 17783224KB
The show disks command options have changed. Also, the way the information is displayed has changed. The following options are available for the show disks command:
The show disks configured command displays the percentage or amount of disk space allocated to each file system instead of the names of the disks.
ContentEngine# show disks configured
SYSFS 10%
CFS 30%
MEDIAFS 30%
ECDNFS 30%
The following new options have been added to the show http command:
The following new options have been added to the show statistics command:
The keyword format has been added to the transaction-logs command. The transaction-logs format command has two options: squid and extended-squid. The default log format is squid.
590(config)# transaction-logs format ?
extended-squid Extended Squid log format
squid Squid log format
590(config)# transaction-logs format squid
590(config)# no transaction-logs format ?
<cr>
590(config)# transaction-logs format extended-squid ?
<cr>
590# show transaction-logging ?
<cr>
590# show transaction-logging
Transaction log configuration:
---------------------------------------
Logging is enabled.
End user identity is visible.
File markers are disabled.
Archive interval:every-hour every 2 minutes
Maximum size of archive file:2000000 KB
Log File format is extended-squid
Exporting files to ftp servers is disabled.
Working Log file - size :464
age:244662
Archive Log file - celog_128.107.193.231_19800815_150400.txt size:4247
Archive Log file - celog_128.107.193.231_19800815_152400.txt size:3868
The ACNS 4.0 software includes all of the Cache software commands described in the Cisco Cache Software Command Reference, Release 3.1, as well as all of the commands described in this section. Refer to the Cisco Cache Software Command Reference, Release 3.1 publication for more caching commands.
To configure user authentication options, use the authentication command in global configuration mode. Use the no form of the command to selectively disable options.
authentication configuration {local | tacacs} enable [primary | secondary]
authentication login {local | tacacs} enable [primary | secondary]
Syntax Description
configuration  Sets configuration authentication (authorization).
local  Selects local database for authentication.
tacacs  Selects TACACS+ database for authentication.
enable  Enables database for configuration authentication.
primary  (Optional) Sets selected authentication database as the primary.
secondary  (Optional) Sets selected authentication database as the secondary.
login  Sets login authentication.
enable  Enables database for login authentication.
Defaults
Local authentication methods are enabled by default.
Command Modes
Global configuration
Usage Guidelines
The authentication command configures the authentication and authorization methods that govern login and configuration access to the Content Engine. ACNS 4.0 software supports local and Terminal Access Controller Access Control System Plus (TACACS+) authentication and authorization methods.
The authentication login command specifies the method that determines whether the user has any level of access permission to the Content Engine. The authentication configuration command specifies the method that authorizes the user with privileged access (configuration access) to the Content Engine.
By default, the local method is enabled and TACACS+ is disabled for both login and configuration. Whenever TACACS+ is disabled, local is automatically enabled. Both TACACS+ and local methods can be enabled at the same time. The primary option specifies the first method to attempt; the secondary option specifies the method to use if the primary method fails. If both methods of an authentication login or authentication configuration command are configured as primary, or both as secondary, local is attempted first, then TACACS+.
The authentication login local and the authentication configuration local commands use the local password file (/etc/password) for authentication and authorization. The authentication login tacacs and authentication configuration tacacs commands use the TACACS+ server to determine the level of user access. The Content Engine tacacs global configuration command and a TACACS+ server must be configured to use the TACACS+ authentication and authorization method.
Examples
The following example enables local and TACACS+ authentication and authorization, setting TACACS+ as the first method used and local as the secondary method to use if TACACS+ fails:
Console(config)# authentication login tacacs enable primary
Console(config)# authentication login local enable secondary
Console(config)# authentication configuration local enable secondary
Console(config)# authentication configuration tacacs enable primary
This is an example of the show authentication command:
Console# show authentication
Login Authentication: Console/Telnet Session
----------------------------- -----------------------
local enabled
tacacs enabled (primary)
Configuration Authentication: Console/Telnet Session
----------------------------- -----------------------
local enabled
tacacs enabled
This is an example of the show statistics authentication command:
Console# show statistics authentication
Authentication Statistics
--------------------------------------
Number of access requests: 37
Number of access deny responses: 14
Number of access allow responses: 23
Related Commands
show authentication
show statistics authentication
tacacs
To copy a configuration or image file from a source FTP server and install it, use the copy command in EXEC mode.
copy ftp install {hostname | ipaddress} remotefiledir remotefilename
Syntax Description
ftp  Specifies the source of the file to be installed.
install  Installs the file to the local device.
hostname  Specifies the name of the FTP server.
ipaddress  Specifies the IP address of the FTP server.
remotefiledir  Specifies the remote file directory.
remotefilename  Specifies the remote filename.
Defaults
No default behavior or values
Command Modes
EXEC
Usage Guidelines
Use this command to install an image file. Part of the image goes to disk and part goes to Flash memory.
Examples
ce-590# copy ftp install 1.1.1.1 //users2/ACNS400BR/boot ce590-ACNS-400.bin
Enter username for remote ftp server:biff
Enter password for remote ftp server:
Initiating FTP download...
printing one # per 1MB downloaded
Sending:USER biff
1.1.1.1 FTP server (Version) Mon Feb 28 10:30:36 EST
2000) ready.
Password required for biff.
Sending:PASS *****
User biff logged in.
Sending:TYPE I
Type set to I.
Sending:PASV
Entering Passive Mode (128,107,193,244,55,156)
Sending:CWD //users2/ACNS400BR/boot
CWD command successful.
Sending PASV
Entering Passive Mode (128,107,193,244,55,156)
Sending:RETR ce590-ACNS-400.bin
Opening BINARY mode data connection for ruby.bin (87376881 bytes).
###################################################################################
writing flash component:
.................................................................
The new software will run after you reload.
ce-590#
Related Commands
install
To configure the disks for devices that are using ACNS software, use the disk EXEC command.
disk config sysfs {remaining | partitionsize} [{cfs | ecdnfs | mediafs} {remaining | partitionsize}]
disk cancel-config
disk add diskname {cfs | ecdnfs | mediafs | sysfs} {remaining | partitionsize} [{cfs | ecdnfs | mediafs | sysfs} {remaining | partitionsize}]
disk raid-array add-array
disk raid-array repair diskname
Syntax Description
config  Configures disk space among functions.
sysfs  Allocates disk space for sysfs functions.
remaining  Specifies that the remaining space be allocated to the function.
partitionsize  Specifies the size of the allocation. Size can be designated in megabytes, gigabytes, or as a percentage of the system total storage.
cfs  (Optional) Allocates disk space for cfs functions.
ecdnfs  (Optional) Allocates disk space for ecdnfs functions.
mediafs  (Optional) Allocates disk space for mediafs functions.
remaining  (Optional) Specifies that the remaining space be allocated to the function.
partitionsize  Specifies the size of the allocation. Size can be designated in megabytes, gigabytes, or as a percentage of the system total storage.
cancel-config  Cancels the disk configuration.
add  Adds a single disk.
diskname  Specifies the disk to be added.
cfs  Allocates the disk space of the added disk to cfs functions.
ecdnfs  Allocates the disk space of the added disk to ecdnfs functions.
mediafs  Allocates the disk space of the added disk to mediafs functions.
sysfs  Allocates the disk space of the added disk to sysfs functions.
remaining  Specifies that the remaining space be allocated to the function.
partitionsize  Specifies the size of the allocation. Size can be designated in megabytes, gigabytes, or as a percentage of the system total storage.
raid-array  Handles Storage Array disk configuration for the CDM-4650.
add-array  Creates a logical disk for the Storage Array that is recognized by the CDM-4650 RAID controller.
repair  Rebuilds a RAID disk array after a single disk in the array fails.
diskname  Specifies the disk to be repaired.
Defaults
No default behavior or values
Command Modes
EXEC
Usage Guidelines
Use the disk config command to configure disk allocations.
Use the disk cancel-config command to cancel the configuration.
Use the disk add command to add a single disk with specified partitions.
Use the disk raid-array add-array command to create a logical disk for the Storage Array that is recognized by the CDM-4650 RAID controller.
Use the disk raid-array repair command to rebuild a RAID disk array after a single disk in the array fails.
Examples
In the following example of the disk config command, 10 percent of the total storage is allocated to the sysfs and 30 percent to every other file system.
ContentEngine# disk config sysfs 10% mediafs 30% ecdnfs 30% cfs 30%
Disk configured successfully.
New configuration will take effect after reload.
Please remove this device from the ECDN CDM (if any) before reboot this device, as this
device's configuration will be stale due to disk repartition.
To configure global authentication cache parameters, use the http authentication command in global configuration mode.
http authentication {cache {timeout minutes | max-entries entries} | header {401 | 407}}
Syntax Description
cache  Configures authentication cache parameters.
timeout  Sets the timeout value of records in the authentication cache.
minutes  Specifies time in minutes (30-1440) between the user's last Internet access and the removal of that user's entry from the authorization cache, forcing reauthentication. The default is 480 minutes; the minimum is 30 minutes; and the maximum is 1440 minutes (24 hours).
max-entries  Sets the maximum number of entries in the authentication cache.
entries  Specifies the maximum number of entries in the authentication cache (500-32000).
header  Specifies which HTTP header to use for authentication (user ID and password) when the style of the HTTP request indicates that no proxy server is present. Headers can be either HTTP 401 (Unauthorized) or HTTP 407 (Proxy Authentication Required). The default is HTTP 401.
401  Uses HTTP 401 to query users for credentials.
407  Uses HTTP 407 to query users for credentials.
Defaults
timeout minutes: 480 minutes
header: HTTP 401
Command Modes
Global configuration
Usage Guidelines
When the Content Engine authenticates a user through a server, a record of that authentication is stored locally in the Content Engine RAM (authentication cache). As long as the authentication entry is kept, subsequent attempts to access restricted Internet content by that user do not require LDAP server lookups.
The max-entries option sets the maximum number of authentication cache entries retained.
The timeout command specifies how long an inactive entry can remain in the authentication cache before it is purged. Once a record has been purged, any subsequent access attempt to restricted Internet content requires a server lookup for reauthentication.
Examples
This example sets the length of time that entries are valid in the authentication cache:
Console(config)# http authentication cache timeout 1000
The following example specifies that the Content Engine should use header 407 when asking the end user for authentication credentials (user ID and password).
Console(config)# http authentication header 407
To configure the Content Engine to perform user authentication with a Lightweight Directory Access Protocol (LDAP) server, use the ldap global configuration command. To disable ldap options, use the no form of this command.
ldap server administrative-dn name
Syntax Description
server  Configures LDAP server parameters.
administrative-dn  Sets the administrative distinguished name.
name  Specifies the administrative distinguished name.
administrative-passwd  Sets the administrative password.
passwd  Specifies the administrative password.
base  Sets the base distinguished name of the starting point for the search in the LDAP database.
baseword  Specifies the base value. There is no default.
enable  Enables HTTP request authentication with the LDAP server.
filter  Sets the LDAP filter for the authentication group.
filterword  Specifies text for the LDAP filter. There is no default.
host  Sets host parameters.
hostname  Specifies the host name of the LDAP server. Two servers can be named.
hostipaddress  Specifies the IP address of the LDAP server.
primary  (Optional) Specifies the host as the primary host.
secondary  (Optional) Specifies the host as the secondary host.
port  Sets the TCP port for the LDAP authentication server.
portnumber  Specifies the LDAP server port number (1-65535). The default is 389.
timeout  Sets the time to wait for an LDAP server to reply.
seconds  Specifies the waiting time in seconds (1-100). The default is 5 seconds; minimum is 1 second; maximum is 100 seconds.
userid-attribute  Sets the user ID attribute on the LDAP server.
useridword  Specifies the value for the user ID attribute. The default is "uid."
version  Sets the LDAP version number.
number  LDAP version number (2-3). The default is 2.
Defaults
Usage Guidelines
An LDAP-enabled Content Engine authenticates user login and HTTP requests with an LDAP server. With an HTTP query, the Content Engine obtains a set of credentials from the user (user ID and password) and compares them against those in an LDAP server.
All LDAP version 3 features are supported except for Secure Authentication and Security Layer (SASL).
The events listed below occur when the Content Engine is configured for LDAP authentication and one of the following two scenarios is true:
1. The Content Engine examines the HTTP headers of the client request to find user information (contained in the Proxy-Authorization header).
2. If no user information is provided, the Content Engine returns a 407 (Proxy Authorization Required) message to the client.
3. The client resends the request, including the user information.
4. The Content Engine searches its authentication cache (based on user ID and password) to see if the client has been previously authenticated.
5. If a match is found, the request is serviced normally.
6. If no match is found, the Content Engine sends a request to the LDAP server to find an entry for this client.
7. If the server finds a match, the Content Engine allows the request to be serviced normally and stores the client user ID and password in the authentication cache.
8. If no match is found, the Content Engine again returns a 407 (Proxy Authorization Required) message to the client.
The events listed below occur when the Content Engine is configured for LDAP authentication and both of the following are true:
1. The Content Engine searches its authentication cache to see if the user's IP address has been previously authenticated.
2. If a match is found, the Content Engine allows the request to be serviced normally.
3. If no match is found in the first step, the Content Engine examines the HTTP headers to find user information (contained in the Authorization header).
4. If no user information is provided, the Content Engine returns a 401 (Unauthorized) message to the client.
5. The client resends the request, including the user information.
6. The Content Engine sends a request to the LDAP server to find an entry for this user.
7. If the server finds a match, the Content Engine allows the request to be serviced normally and stores the client IP address in the authentication cache.
8. If no match is found, the Content Engine again returns a 401 (Unauthorized) message to the client.
In transparent mode, the Content Engine uses the client IP address as a key for the authentication database.
If you are using LDAP user authentication in transparent mode, we recommend that the AuthTimeout interval configured with the http authentication cache timeout command be short. IP addresses can be reallocated, or different users can access the Internet through an already authenticated device (PC, workstation, and the like). Shorter AuthTimeout values help reduce the possibility that individuals can gain access using previously authenticated devices. When the Content Engine operates in proxy mode, it can authenticate the user with the user ID and password.
The Content Engine uses simple (nonencrypted) authentication to communicate with the LDAP server. Future expansion may allow for more security options based on Secure Socket Layer (SSL), SASL, or certificate-based authentication.
To exclude domains from LDAP authentication, use the rule no-auth domain command. Authentication challenges from LDAP, RADIUS, TACACS+, or SSH take place only if the request does not match the specified no-auth pattern.
LDAP authentication can be used with Websense URL filtering, but not with RADIUS authentication. Both LDAP and RADIUS rely on different servers, which may require different user IDs and passwords, making RADIUS and LDAP authentication schemes mutually exclusive. Should both RADIUS and LDAP be configured on the Content Engine at the same time, LDAP authentication is executed, not RADIUS authentication.
In some cases, users are located at branch offices. A Content Engine (CE1) can reside with them in the branch office. Another Content Engine (CE2) can reside upstream, with an LDAP server available to both Content Engines for user authentication.
Note The http append proxy-auth-header global configuration command must be configured on the downstream Content Engines to ensure that proxy-authorization information, required by upstream Content Engines, is not stripped from the HTTP request by the downstream Content Engines. Up to 16 upstream IP addresses can be configured on each downstream Content Engine.
If branch office user 1 accesses the Internet, and content is cached at CE1, then this content cannot be served to any other branch office user unless that user is authenticated. CE1 must authenticate the local users.
Assuming that both CE1 and CE2 are connected to the LDAP server and authenticate the users, when branch office user 2 first requests Internet content, CE1 responds to the request with an authentication failure response (either HTTP 407 if in proxy mode, or HTTP 401 if in transparent mode). User 2 enters the user ID and password, and the original request is repeated with the credentials included. CE1 contacts the LDAP server to authenticate user 2.
Assuming authentication success, and a cache miss, the request along with the credentials is forwarded to CE2. CE2 also contacts the LDAP server to authenticate user 2. Assuming success, CE2 either serves the request out of its cache or forwards the request to the origin server.
User 2 authentication information is now stored in the authentication cache in both CE1 and CE2. Neither CE1 nor CE2 needs to contact the LDAP server for user 2's subsequent requests (unless user 2's entry expires and is removed from the authentication cache).
This scenario assumes that CE1 and CE2 use the same method for authenticating users. Specifically, both Content Engines must expect the user credentials (user ID and password) to be encoded in the same way.
When the Content Engine operates in transparent mode, the user IP address is used as a key to the authentication cache. When user 2 sends a request transparently to CE1, after authentication, CE1 inserts its own IP address as the source for the request. Therefore, CE2 cannot use the source IP address as a key for the authentication cache.
When CE1 inserts its own IP address as the source, it must also insert an X-Forwarded-For header in the request (http append x-forwarded-for-header command). CE2 must first look for an X-Forwarded-For header. If one exists, that IP address must be used to search the authentication cache. Assuming the user is authenticated at CE2, then CE2 must not change the X-Forwarded-For header, just in case there is a transparent CE3 upstream.
In this scenario, if CE1 does not create an X-Forwarded-For header (for example, if it is not a Cisco Content Engine and does not support this header), then authentication on CE2 will not work.
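The following model of the two authentication flows listed above, and of the X-Forwarded-For lookup an upstream Content Engine must perform, is added here as an illustration; it is not Cisco ACNS code. The directory contents, the `basic_header` and `parse_basic` helpers, the Basic-scheme credential encoding and the caller-supplied clock are assumptions made for the example (the page does not say how credentials are encoded).

```python
"""Model of the Content Engine LDAP authentication flows described above.

Added example, not Cisco ACNS code. Proxy mode keys the authentication cache
on (user ID, password) and challenges with 407; transparent mode keys it on
the client IP address, or on the X-Forwarded-For address a downstream Content
Engine inserted, and challenges with 401. The directory, the Basic credential
encoding and the timeout bookkeeping are assumptions made for this example.
"""
import base64
from dataclasses import dataclass, field

# Constructed stand-in for the LDAP server: user ID -> password.
LDAP_DIRECTORY = {"alice": "s3cret", "bob": "hunter2"}


def ldap_lookup(user, password):
    """Simple (unencrypted) bind against the constructed directory."""
    return LDAP_DIRECTORY.get(user) == password


def basic_header(user, password):
    """Build the credential header value a client would send (assumed Basic scheme)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def parse_basic(value):
    """Decode 'Basic <base64(user:password)>'; returns (user, password) or None."""
    if not value or not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


@dataclass
class AuthCache:
    """Authentication cache whose entries expire after `timeout` seconds (AuthTimeout)."""
    timeout: int
    entries: dict = field(default_factory=dict)  # key -> time the entry was added

    def hit(self, key, now):
        added = self.entries.get(key)
        if added is None:
            return False
        if now - added > self.timeout:
            del self.entries[key]  # expired: treat as if purged
            return False
        return True

    def add(self, key, now):
        self.entries[key] = now


def authorize(headers, client_ip, mode, cache, now):
    """Return 200 when the request may be serviced, else the challenge status.

    headers is a dict of request headers; mode is "proxy" or "transparent";
    now is the current time in seconds, supplied by the caller.
    """
    if mode == "proxy":
        # Proxy-mode steps 1-8: the credentials themselves are the cache key.
        creds = parse_basic(headers.get("Proxy-Authorization"))
        if creds is None:
            return 407
        if cache.hit(creds, now):
            return 200
        if ldap_lookup(*creds):
            cache.add(creds, now)
            return 200
        return 407
    # Transparent-mode steps 1-8: the client address is the cache key. A
    # downstream Content Engine rewrites the source address, so an
    # X-Forwarded-For header, when present, is what must be looked up.
    key = headers.get("X-Forwarded-For", client_ip)
    if cache.hit(key, now):
        return 200
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401
    if ldap_lookup(*creds):
        cache.add(key, now)
        return 200
    return 401
```

The transparent-mode assertions show why a short AuthTimeout matters: any request from the cached address is served without credentials until the entry expires.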
In a topology with two Content Engines, assume that CE1 is operating in transparent mode and CE2 is operating in proxy mode, with the browsers of all users pointing to CE2 as a proxy.
Because the browsers are set up to send requests to a proxy, an HTTP 407 message is sent from CE1 back to each user to prompt for credentials. By using the 407 message, the problem of authenticating based on source IP address is avoided. The username and password can be used instead.
This mode provides better security than using the HTTP 401 message. The Content Engine examines the style of the address to determine whether there is an upstream proxy. If there is, the Content Engine uses an HTTP 407 message to prompt the user for credentials even when operating in transparent mode.
Two LDAP servers can be specified with the ldap server host command to provide redundancy and improved throughput. Content Engine load-balancing schemes distribute the requests to the servers. If the Content Engine cannot connect to either server, no authentication can take place, and users who have not been previously authenticated are denied access.
If the authentication cache is not large enough to accommodate all authenticated users at the same time, the Content Engine purges older entries that have not yet timed out.
Once a user has been authenticated through LDAP, all transaction logs generated by the Content Engine for that user contain user information. If the Content Engine is acting in proxy mode, the user ID is included in the transaction logs. If the Content Engine is acting in transparent mode, the user IP address is included instead.
If the transaction-logs sanitize command is invoked, the user information is suppressed.
Examples
This example specifies an LDAP server with IP address 10.1.1.1 on port 88, and excludes the domain name, mydomain.net, from LDAP authentication with the rule global configuration command.
Console(config)# ldap server enable
Console(config)# ldap server host 10.1.1.1 port 88
Console# show ldap
LDAP parameters:
State: Enabled
Base DN: <none>
Filter: <none>
Timeout: 5 seconds
UID Attribute: uid
Primary: 10.1.1.1
Secondary: <none>
LDAP port: 88
Administrative DN: <none>
Administrative Password: <none>
LDAP version: 2
Console(config)# rule enable
Console(config)# rule no-auth domain mydomain.net
Console# show rule all
Rules Template Configuration
----------------------------
Rule Processing Enabled
rule no-auth domain mydomain.net
To delete an LDAP server, use the no ldap server command.
Console(config)# no ldap server host 10.1.1.1 port 88
Related Commands
rule
show ldap
show rule
To configure Microsoft Windows NT LAN Manager (NTLM) parameters, use the ntlm command in global configuration mode.
ntlm server {domain name | enable | host {hostname | ip-address [primary | secondary]}}
Syntax Description
server | Configures NTLM server-related parameters. |
domain | Specifies NTLM domain name. |
name | Name of NTLM domain. |
enable | Enables NTLM authentication. |
host | Configures NTLM NT controller name or IP address. |
hostname | Host name. |
ip-address | Host IP address. |
primary | (Optional) Sets selected host name or address as the primary. |
secondary | (Optional) Sets selected host name or address as the secondary. |
Defaults
No default behavior or values
Command Modes
Global configuration
Usage Guidelines
Use this command to enable NTLM authentication and configure the NTLM server domain name, NT primary domain controller (PDC) name or IP address, and optionally set the host name or address as primary or secondary.
Before invoking an NTLM authentication request, make sure that the following conditions exist.
In the following example, server1 must be in the cisco.com domain and must have an entry in DNS that matches its NetBIOS-named computer account.
ip domain-name cisco.com
ntlm server host server1
For clients within the domain using the Internet Explorer browser in proxy mode, authentication is "popless"; that is, the user is not prompted with a dialog box to enter a username and password. In transparent mode, authentication is transparent only if the Internet options security settings are customized and set to User Authentication > Logon > Automatic logon with current username and password.
For clients outside the domain using the Netscape browser, a dialog box appears and the first authentication request asks the client to enter a username and password. Once the client is successfully authenticated, the entry is placed in the cache, and no reauthentication requests are made to the client until the entry lease expires.
Examples
ContentEngine(config)# ntlm server enable
ContentEngine(config)# ntlm server domain Workgroup
ContentEngine(config)# ntlm server host 209.165.200.224 primary
ContentEngine(config)# ntlm server host 209.165.200.225 secondary
Related Commands
show ntlm
To configure the primary interface for the E-CDN application, use the primary-interface command in global configuration mode. Use the no form of the command to revert to the default primary interface.
primary-interface {FastEthernet | GigabitEthernet} slot/port [dhcp]
Syntax Description
FastEthernet | Selects a Fast Ethernet interface as the E-CDN primary interface. |
GigabitEthernet | Selects a Gigabit Ethernet interface as the E-CDN primary interface. |
slot | Slot number of the specified interface. |
port | Port number of the specified interface. |
dhcp | (Optional) Enables DHCP on the specified interface. |
Defaults
The default primary interface is the first operational interface on which a link beat is detected. Interfaces with lower-number IDs are polled first. (For example, FastEthernet 0/0 is checked before 1/0). For hardware with Gigabit Ethernet interfaces, the Gigabit Ethernet interfaces are polled before the Fast Ethernet interfaces.
Command Modes
Global configuration
Usage Guidelines
The primary-interface global configuration command permits the administrator to specify the primary interface for the E-CDN application. If the E-CDN application is enabled without specifying the primary interface, the E-CDN application chooses a default interface as primary. The primary interface can be changed without disabling the E-CDN application. To change the primary interface, reenter the command string and specify a different interface. To enable DHCP services with the specified interface, include the dhcp option.
Examples
Console(config)# primary-interface FastEthernet 0/0 dhcp
Console(config)# primary-interface FastEthernet 0/1
To download the proxy autoconfiguration file from an FTP server, use the proxy-auto-config download command in EXEC mode.
Syntax Description
download | Downloads and installs a configuration file from the FTP server. |
ftp-hostname | Host name or IP address of the FTP server. |
remotedir | Directory on the FTP server where the .pac file is located. |
pacfile | Filename of the remote proxy auto configuration file. |
Defaults
No default behavior or values
Command Modes
EXEC
Usage Guidelines
A browser obtains proxy IP address and port configuration information from the proxy automatic configuration file (.pac file) when the browser's autoconfiguration URL field is configured with the Content Engine IP address, incoming port number, file directory, and .pac filename.
The proxy-auto-config download EXEC command downloads an automatic configuration file from an FTP server to the present working directory of the Content Engine.
Examples
This example demonstrates how to download an autoconfiguration file from an FTP server to the Content Engine:
Console# proxy-auto-config download 172.16.10.10 remotedirname theproxyfile.pac
This example shows the URL that you enter in the browser's automatic proxy configuration URL field:
http://CCNScache-ipaddress:portnumber/theproxyfile.pac
Related Commands
show proxy-auto-config
proxy-auto-config (global configuration mode)
To enable the browser autoconfiguration feature, use the proxy-auto-config enable command in global configuration mode. To disable the proxy autoconfiguration feature, use the no form of this command.
proxy-auto-config enable
Syntax Description
enable | Enables the automatic browser configuration feature. |
Defaults
Proxy autoconfiguration is disabled by default.
Command Modes
Global configuration
Usage Guidelines
A browser obtains proxy IP address and port configuration information from the proxy automatic configuration file (.pac file) when the browser's autoconfiguration URL field is configured with the Content Engine IP address, incoming port number, file directory, and .pac filename.
To enable the proxy automatic configuration file feature, enter the proxy-auto-config enable global configuration command. Each time you download a new autoconfiguration file to the Content Engine, enter a no proxy-auto-config enable and then a proxy-auto-config enable command.
The autoconfiguration feature is supported by Microsoft Internet Explorer and Netscape browsers. The browser must be manually configured for automatic proxy configuration.
Examples
This example enables browser autoconfiguration on the Content Engine:
Console(config)# proxy-auto-config enable
This example shows the URL that you enter in the browser's automatic proxy configuration URL field:
http://CCNScache-ipaddress:portnumber/theproxyfile.pac
Related Commands
proxy-auto-config (EXEC mode)
show proxy-auto-config
To configure RADIUS parameters, use the radius-server command in global configuration mode. To disable RADIUS authentication parameters, use the no form of this command.
radius-server {enable | host {hostname | hostipaddr} [auth-port port] | key keyword | retransmit retries | timeout seconds}
Syntax Description
enable | Enables HTTP RADIUS authentication. |
host | Specifies a RADIUS server. |
hostname | Host name of the RADIUS server. |
hostipaddr | IP address of the RADIUS server. |
auth-port | Sets UDP port for the RADIUS authentication server. |
port | Specifies UDP port number (1-65535). The default is 1645. |
key | Encryption key shared with the RADIUS servers. |
keyword | Text of shared key (15 characters maximum). |
retransmit | Specifies the number of transmission attempts to an active server. |
retries | Number of transmission attempts for a transaction (1-3). The default is 2. |
timeout | Time to wait for a RADIUS server to reply. |
seconds | Wait time in seconds (1-20). The default is 5 seconds. |
Defaults
retransmit retries: 2
timeout seconds: 5
auth-port port: UDP port 1645
Command Modes
Global configuration
Usage Guidelines
RADIUS authentication clients reside on the Content Engine running ACNS 4.0 software. When enabled, these clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information.
To exclude domains from RADIUS authentication, use the rule no-auth domain command. RADIUS authentication takes place only if the site requested does not match the specified pattern.
Examples
The following example enables the RADIUS client, specifies a RADIUS server, specifies the RADIUS key, accepts retransmit defaults, and excludes the domain name, mydomain.net, from RADIUS authentication. The configuration is verified with the show radius-server and show rule all commands.
Console(config)# radius-server enable
Console(config)# radius-server host 172.16.90.121
Console(config)# radius-server key myradiuskey
Console(config)# rule enable
Console(config)# rule no-auth domain mydomain.net
Console(config)# show radius-server
Radius Configuration:
---------------------
Radius Authentication is on
Timeout = 5
Retransmit = 3
Key = ****
Servers
-------
IP 172.16.90.121 Port = 1645 State: ENABLED
Console# show rule all
Rules Template Configuration
----------------------------
Rule Processing Enabled
rule no-auth domain mydomain.net
The following example disables RADIUS authentication on the Content Engine.
Console(config)# no radius-server enable
Related Commands
rule
show radius
To generate the Secure Shell (SSH) host key, use the ssh-key-generate command in EXEC mode.
ssh-key-generate
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Usage Guidelines
Before you enable the sshd command, use the ssh-key-generate command to generate a private and a public key, which the server and client programs use to verify each other's identity.
When a user runs an SSH client and logs in to the Content Engine, the public key for the SSH daemon running on the Content Engine is recorded in the client machine known_hosts file in the user's home directory. If the Content Engine administrator subsequently regenerates the host key by issuing the ssh-key-generate command, the user must delete the old public key entry associated with the Content Engine in the known_hosts file before running the SSH client program to log in to the Content Engine. When the user runs the SSH client program after deleting the old entry, the known_hosts file is updated with the new SSH public key for the Content Engine.
Examples
This example generates an SSH public key, then enables the SSH daemon.
Console(config)# ssh-key-generate
Ssh host key generated successfully
Saving the host key to box ...
Host key saved successfully
Console(config)# sshd enable
Starting ssh daemon ...
Ssh daemon started successfully
Related Commands
sshd
To enable the SSH (Secure Shell) daemon, use the sshd command in global configuration mode. Use the no form of the command to disable SSH.
sshd enable
Syntax Description
enable | Enables the SSH (Secure Shell) feature. |
Defaults
No default behavior or values
Command Modes
Global configuration
Usage Guidelines
SSH (Secure Shell) enables login access to the Content Engine through a secure and encrypted channel. SSH consists of a server and a client program. As with Telnet, you can use the client program to remotely log on to a machine that is running the SSH server, but unlike Telnet, messages transported between the client and the server are encrypted. The functionality of SSH includes user authentication, message encryption, and message authentication.
Before you enable the sshd command, use the ssh-key-generate command to generate a private and a public key, which the server and client programs will use to verify each other's identity.
Examples
Console(config)# sshd enable
Related Commands
ssh-key-generate
show sshd
no sshd enable
To configure an interface to be a backup for another interface, use the standby command in interface configuration mode. Use the no form of the command to restore the default configuration of the interface.
standby group_number {errors max_errors | ip ipaddress netmask | priority priority_level}
Syntax Description
group_number | Specifies standby group number (1-4). |
errors | Sets the maximum number of errors allowed on this interface. |
max_errors | Specifies the maximum number of errors (0-4294967295). |
ip | Sets the IP address of a standby group. |
ipaddress | Specifies the IP address of a standby group. |
netmask | Specifies the network mask of a standby group. |
priority | Sets the priority of an interface for the standby group. |
priority_level | Specifies the priority level number (0-4294967295). |
Defaults
There are no standby interfaces by default. The errors option is disabled by default.
Command Modes
Interface configuration
Usage Guidelines
When an active network interface fails (because of cable trouble, Layer 2 switch failure, high error count, and so forth), and that interface is part of a standby group, a standby interface can become active and take the load off the failed interface.
To configure standby interfaces, interfaces are logically assigned to standby groups. The following rules define the standby group relationships:
The maximum number of errors allowed on the active interface before the interface is shut down and the standby is brought up is configured with the errors option, which is disabled by default.
Examples
This example configures three interfaces to be part of the same standby group, with interface 3/0 as the active interface.
Console(config)# interface fastEthernet 3/0 standby 1 ip 172.16.10.10 255.255.254.0
Console(config)# interface fastEthernet 3/1 standby 1 ip 172.16.10.10 255.255.254.0
Console(config)# interface fastEthernet 3/2 standby 1 ip 172.16.10.10 255.255.254.0
Console(config)# interface fastEthernet 3/0 standby 1 priority 300
Console(config)# interface fastEthernet 3/1 standby 1 priority 200
Console(config)# interface fastEthernet 3/2 standby 1 priority 100
Console(config)# interface fastEthernet 3/0 standby 1 errors 10000
Console(config)# interface fastEthernet 3/1 standby 1 errors 10000
Console(config)# interface fastEthernet 3/2 standby 1 errors 10000
Console# show standby
Standby Group:1
IP address: 172.16.10.10, netmask: 255.255.254.0
Maximum errors allowed on the active interface: 10000
Member interfaces:
FastEthernet 3/0 priority: 300
FastEthernet 3/1 priority: 200
FastEthernet 3/2 priority: 100
Active interface: FastEthernet 3/0
Related Commands
show standby
To configure Terminal Access Controller Access Control System Plus (TACACS+) server-related parameters, use the tacacs command in global configuration mode. Use the no form of the command to disable individual options.
tacacs {key keyword | retransmit retries | server {hostname | ipaddress} [primary] | timeout seconds}
Syntax Description
key | Sets security word. |
keyword | Specifies keyword. An empty string is the default. |
retransmit | Sets the number of times that requests are retransmitted to a server. |
retries | Specifies the number of attempts allowed (1-3). The default is two retry attempts. |
server | Sets a server address. |
hostname | Specifies the host name of TACACS+ server. |
ipaddress | Specifies the IP address of TACACS+ server. |
primary | (Optional) Sets the server as primary. |
timeout | Sets the number of seconds to wait before a request to a server is timed out. |
seconds | Specifies the timeout in seconds (1-20). The default is 5 seconds. |
Defaults
keyword: none (empty string)
timeout seconds: 5
retries: 2
Command Modes
Global configuration
Usage Guidelines
The user global configuration commands or the Users GUI page provides a way to add, delete, or modify usernames, passwords, and access privileges in the local database. The TACACS+ remote database can also be used to maintain login and configuration privileges for administrative users. The tacacs command or the TACACS+ GUI page allows you to configure the network parameters required to access the remote database.
Login and configuration privileges can be obtained from either the local database or the TACACS+ remote database. If both databases are enabled, then both databases are queried; if the user data cannot be found in the first database queried, then the second database is tried. When the primary keyword is entered for TACACS+ login or configuration authentication, the TACACS+ database is queried first, and the local database is queried second. If the TACACS+ database is not designated as the primary, and both the local and the TACACS+ databases are enabled, the local database is queried first. If both the local and TACACS+ databases are disabled (no authentication), the Content Engine verifies that both are disabled and, if so, sets the Content Engine to the default state.
The tacacs key command specifies the TACACS+ key, used to encrypt the packets transmitted to the server. This key must be the same as the one specified on the server daemon. The maximum number of characters in the key should not exceed 99 printable ASCII characters (except tabs). An empty key string is the default. All leading spaces are ignored; spaces within and at the end of the key string are not ignored. Double quotes are not required even if there are spaces in the key, unless the quotes themselves are part of the key.
One primary and two backup TACACS+ servers can be configured; authentication is attempted on the primary server first, then on the others in the order in which they were configured. The primary server is the first server configured unless another is explicitly specified as primary with the tacacs server hostname primary command.
The tacacs timeout is the number of seconds the Content Engine waits before declaring a timeout on a request to a particular TACACS+ server. The range is from 1 to 20 seconds with 5 seconds as the default. The number of times the Content Engine repeats a retry-timeout cycle before trying the next TACACS+ server is specified by the tacacs retransmit command. The default is two retry attempts.
Three unsuccessful login attempts are permitted. TACACS+ logins may appear to take more time than local logins depending on the number of TACACS+ servers and the configured timeout and retry values.
Examples
This example configures the key used in encrypting packets:
Console(config)# tacacs key human789
This example configures the host named spearhead as the primary TACACS+ server:
Console(config)# tacacs server spearhead primary
This example sets the timeout interval for the TACACS+ server:
Console(config)# tacacs timeout 10
This example sets the number of times authentication requests are retried (retransmitted) after a timeout:
Console(config)# tacacs retransmit 3
Related Commands
authentication
show authentication
show statistics authentication
show tacacs
To enable transaction logs, use the transaction-logs command in global configuration mode. To disable transaction logs, use the no form of this command.
transaction-logs archive interval every-day {at time | every hour}
Syntax Description
archive | Configures archive parameters. |
interval | Determines how frequently the archive file is to be saved. |
every-day | Archives using frequencies of 1 day or less. |
at time | Specifies the time of day at which to archive in hours and minutes (hh:mm). |
every hour | Interval in hours (1, 2, 3, 4, 6, 8, 12, or 24). Interval aligns with midnight. |
every-hour | Archives using frequencies of 1 hour or less. |
at minute | Specifies the minute alignment for the hourly archive (0-59). |
every interval | Interval in minutes (2, 5, 10, 15, 20, or 30). |
max-file-size | Sets maximum archive file size. |
filesize | Specifies maximum archive file size in kilobytes (1000-2000000). |
enable | Enables transaction log feature. |
export | Configures file export parameters. |
enable | Enables the exporting of log files at the specified interval. |
ftp-server | Sets FTP server to receive exported archived files. |
hostname | Host name of target FTP server. |
servipaddrs | IP address of target FTP server. |
login | User login to target FTP server. |
passw | User password to target FTP server. |
directory | Target directory for exported files on FTP server. |
file-marker | Adds statements to transaction log indicating the file beginning and end. |
format | Formats the log file. |
extended-squid | Configures the extended Squid log format. |
squid | Configures the Squid log format. |
sanitize | Writes user IP addresses in log file as 0.0.0.0. |
Defaults
archive: disabled
export: disabled
file-marker: disabled
sanitize: disabled
archive interval: every day, every 1 hour
archive max-file-size: 2,000,000 kilobytes
export time interval: 60 minutes
format: Squid log format
Command Modes
Global configuration
Usage Guidelines
Transaction logs are saved to the system file system (sysfs).
Enable transaction log recording with the transaction-logs enable command. When enabled, daemons create a working.log file in the /local1/logs/ sysfs volume.
After an interval specified by the transaction-logs archive interval command, the working.log file is copied as an archive file to the /local1/logs/ directory. The records of the working.log file are then deleted, and only transactions subsequent to the archiving event are recorded. The transaction log archive file-naming conventions are shown in Table A-1. The Content Engine default archive interval is every day, every 1 hour.
Use the transaction-logs archive max-file-size command to specify the maximum size of an archive file. The working.log file is archived when it attains the maximum file size.
Use the transaction-logs file-marker option to mark the beginning and end of archive files. By examining the file markers of an exported archive file, the administrator can determine whether the FTP process transferred the entire file. The file markers are in the form of dummy transaction entries as follows:
Use the format option to format the log files for either Squid or extended Squid formats. Squid logs are a valuable source of information about Squid workloads and performance. The logs record not only access information, but also system configuration errors and resource consumption, such as memory and disk space. The extended Squid format logs in the associated username for each record in the log file and is used for billing purposes.
Use the sanitize option to disguise the IP addresses and usernames of clients in the transaction log file. The default is not sanitized. A sanitized transaction log disguises the network identity of a client by changing the IP address in the transaction logs to 0.0.0.0. The no form disables the sanitize feature.
The transaction log archive and export functions are configured with the following commands:
The following limitations apply:
The archive transaction log file is named as follows:
celog_10.1.118.5_20001228_235959.txt
Table A-1 describes the name elements.
Sample of Element | Description |
celog_10.1.118.5 | IP address of the Content Engine creating the archive file. |
20001228 | Date on which archive file was created (yyyy/mm/dd). |
235959 | Time when archive file was created (hh/mm/ss). |
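A parser for the archive file name format just described, together with a check over an exported directory listing for archive intervals that never produced a file (the symptom of a stalled archive or export), added here as an example; it is not Cisco code. The sample listing is constructed, and the interval passed to the check is assumed to match the configured transaction-logs archive interval.

```python
"""Parser for the archive file name format shown above,
celog_<ce-ip>_<yyyymmdd>_<hhmmss>.txt, plus a check over a set of exported
archive names for intervals whose archive never arrived.

Added example, not Cisco code. The sample names are constructed; the interval
passed to missing_archives must match the configured archive interval.
"""
import ipaddress
import re
from datetime import datetime, timedelta

ARCHIVE_NAME = re.compile(
    r"^celog_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})_(?P<date>\d{8})_(?P<time>\d{6})\.txt$"
)
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_archive_name(name):
    """Return (content_engine_ip, archive_time), or None if the name is not a valid archive name."""
    m = ARCHIVE_NAME.match(name)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group("ip"))  # rejects octets above 255
        when = datetime.strptime(m.group("date") + m.group("time"), "%Y%m%d%H%M%S")
    except ValueError:  # bad octet, month 13, hour 25, and so on
        return None
    return str(ip), when


def missing_archives(names, interval_hours=1, slack_minutes=1):
    """Group archives by Content Engine and report consecutive archives further apart than one interval plus slack.

    Archives produced early because working.log reached max-file-size are
    closer together than the interval and therefore never count as a gap.
    Returns a list of (ip, last_seen, next_seen) with times formatted as strings.
    """
    by_ce = {}
    for name in names:
        parsed = parse_archive_name(name)
        if parsed is None:
            continue  # working.log or unrelated files in the listing
        by_ce.setdefault(parsed[0], []).append(parsed[1])
    limit = timedelta(hours=interval_hours, minutes=slack_minutes)
    gaps = []
    for ip, times in sorted(by_ce.items()):
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier > limit:
                gaps.append((ip, earlier.strftime(TIME_FMT), later.strftime(TIME_FMT)))
    return gaps


# Constructed directory listing: 10.1.118.5 is missing its 22:59:59 archive.
SAMPLE_LISTING = [
    "working.log",
    "celog_10.1.118.5_20001228_205959.txt",
    "celog_10.1.118.5_20001228_215959.txt",
    "celog_10.1.118.5_20001228_235959.txt",
    "celog_10.1.118.6_20001228_215959.txt",
    "celog_10.1.118.6_20001228_225959.txt",
]
```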
The transaction-logs export ftp-server option can support up to four FTP servers. To export transaction logs, you must first enable the feature and configure the FTP server parameters. The following information is required for each target FTP server:
Use the no form of the transaction-logs export enable command to disable the entire transaction-logs feature while retaining the rest of the configuration.
When an FTP server returns a permanent error to the Content Engine, the archive transaction logs are no longer exported to that server. You must reenter the Content Engine transaction log export parameters to clear the error condition. The show statistics transaction-logs command displays the current state of transaction log export readiness.
A permanent error (Permanent Negative Completion Reply, RFC 959) occurs when the FTP command to the server cannot be accepted, and the action does not take place. Permanent errors can be caused by invalid user logins, invalid user passwords, and attempts to access directories with insufficient permissions.
In the following example, an invalid user login parameter was included in the transaction-logs export ftp-server command. The show statistics transaction-logs command shows that the Content Engine failed to export archive files.
ContentEngine# show statistics transaction-logs
Transaction Log Export Statistics:
Server:172.16.10.5
Initial Attempts:3
Initial Successes:1
Initial Open Failures:0
Initial Put Failures:0
Retry Attempts:2
Retry Successes:2
Retry Open Failures:0
Retry Put Failures:0
Authentication Failures:1
Invalid Server Directory Failures:2
To restart the export of archive transaction logs, you must reenter the transaction-logs export ftp-server parameters.
ContentEngine(config)# transaction-logs export ftp-server 10.1.1.1 goodlogin pass /etc/webcache
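An operator checking many Content Engines will want to pick the permanent-error condition out of the show statistics transaction-logs output automatically. The following Python parser is an added example, not Cisco code; the sample output is constructed after the display above, and the rule that a non-zero Authentication Failures or Invalid Server Directory Failures counter marks a server whose export has stopped follows the description of permanent errors given above.

```python
import re

# Constructed sample modelled on the "show statistics transaction-logs"
# output shown above; the second server block is invented to show a
# server that is still exporting normally.
SAMPLE = """\
Transaction Log Export Statistics:
Server:172.16.10.5
Initial Attempts:3
Initial Successes:1
Initial Open Failures:0
Initial Put Failures:0
Retry Attempts:2
Retry Successes:2
Retry Open Failures:0
Retry Put Failures:0
Authentication Failures:1
Invalid Server Directory Failures:2
Server:10.1.1.1
Initial Attempts:4
Initial Successes:4
Initial Open Failures:0
Initial Put Failures:0
Retry Attempts:0
Retry Successes:0
Retry Open Failures:0
Retry Put Failures:0
Authentication Failures:0
Invalid Server Directory Failures:0
"""

# Counters that correspond to a permanent FTP error (RFC 959 5yz reply).
# Once one of them is non-zero the Content Engine stops exporting to that
# server until the ftp-server line is re-entered.
PERMANENT_ERROR_FIELDS = ("Authentication Failures",
                          "Invalid Server Directory Failures")


def parse_export_stats(text):
    """Return {server: {counter_name: int}} from the command output."""
    stats, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(\S+)\s*$", line)
        if not m:          # heading line or blank: skip
            continue
        key, value = m.group(1), m.group(2)
        if key == "Server":
            current = value
            stats[current] = {}
        elif current is not None and value.isdigit():
            stats[current][key] = int(value)
    return stats


def servers_needing_reconfig(stats):
    """Servers whose export has stopped on a permanent error."""
    return sorted(server for server, counters in stats.items()
                  if any(counters.get(f, 0) > 0 for f in PERMANENT_ERROR_FIELDS))
```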
Examples
In this example, an FTP server is configured.
ContentEngine(config)# transaction-logs export ftp-server 10.1.1.1 mylogin mypasswd /tmp/local/webcache
ContentEngine(config)# transaction-logs export ftp-server myhostname mylogin mypasswd /tmp/local/webcache
To delete an FTP server, use the no form of the command.
ContentEngine(config)# no transaction-logs export ftp-server myhostname
ContentEngine(config)# no transaction-logs export ftp-server 10.1.1.1
Use the no form of the command to disable the entire transaction log export feature while retaining the rest of the configuration.
ContentEngine(config)# no transaction-logs export enable
Note The default is export disabled; the export interval is every 10 minutes. There are no defaults for the FTP server configuration.
To change a username, password, or directory, reenter the entire line.
ContentEngine(config)# transaction-logs export ftp-server 10.1.1.1 mynewname mynewpass /tmp/local/webcache
The show transaction-logging command displays information on exported log files.
ContentEngine# show transaction-logging
Transaction log configuration:
---------------------------------------
Logging is enabled.
End user identity is visible.
File markers are disabled.
Archive interval: every-day at 10:35
Maximum size of archive file: 2000000 KB
Exporting files to ftp servers is enabled.
ftp-server username directory
1.1.1.1 user /ftpdirectory
2.2.2.2 myname /tmp/logfiles
Working Log file - size: 103
age: 0
Note For security reasons, passwords are never displayed.
The export option displays the status of logging attempts to export servers.
ContentEngine# show statistics transaction-logs
Transaction Log Export Statistics:
Server:172.16.10.5
Initial Attempts:3
Initial Successes:1
Initial Open Failures:0
Initial Put Failures:0
Retry Attempts:2
Retry Successes:2
Retry Open Failures:0
Retry Put Failures:0
Authentication Failures:1
Invalid Server Directory Failures:2
The interval can be set for once a day at a specific time. It can also be set for a frequency in hours; these frequencies align with midnight. For example, every 4 hours means archiving will occur at 0000, 0400, 0800, 1200, 1600, and so on. It is not possible to archive at 0030, 0430, 0830, and so forth.
ContentEngine(config)# transaction-logs archive interval every-day ?
at Specify the time at which to archive each day
every Specify the interval in hours. It will align with midnight
ContentEngine(config)# transaction-logs archive interval every-day at ?
<0-23>: Time of day at which to archive (hh:mm)
ContentEngine(config)# transaction-logs archive interval every-day every ?
<1-24> Interval in hours: {1, 2, 3, 4, 6, 8, 12 or 24}
The interval can be set for once an hour with a minute alignment. It can also be set for frequencies of less than an hour; these frequencies will align with the top of the hour. That is, every 5 minutes means archiving will occur at 1700, 1705, and 1710.
ContentEngine(config)# transaction-logs archive interval every-hour ?
at Specify the time at which to archive each day
every Specify interval in minutes. It will align with top of the hour
ContentEngine(config)# transaction-logs archive interval every-hour at ?
<0-59> Specify the minute alignment for the hourly archive
ContentEngine(config)# transaction-logs archive interval every-hour every ?
<2-30> Interval in minutes: {2, 5, 10, 15, 20, 30}
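The alignment rules above (hour intervals counted from midnight, minute intervals counted from the top of the hour, and only the listed interval values accepted) are easy to get wrong when predicting when the next archive file will appear. The Python below is an added example, not Cisco code; it models those rules and the accepted values from the "?" help output above, and nothing else about the device.

```python
# Interval values the CLI accepts, taken from the "?" help output above.
DAILY_EVERY_HOURS = (1, 2, 3, 4, 6, 8, 12, 24)
HOURLY_EVERY_MINUTES = (2, 5, 10, 15, 20, 30)


def _check(value, allowed, keyword):
    if value not in allowed:
        raise ValueError(f"{keyword} {value}: allowed values are {allowed}")


def daily_archive_times(every_hours):
    """'every-day every N' fires on N-hour marks counted from midnight."""
    _check(every_hours, DAILY_EVERY_HOURS, "every-day every")
    return [f"{h:02d}00" for h in range(0, 24, every_hours)]


def hourly_archive_minutes(every_minutes):
    """'every-hour every M' fires on M-minute marks from the top of the hour."""
    _check(every_minutes, HOURLY_EVERY_MINUTES, "every-hour every")
    return list(range(0, 60, every_minutes))


def next_daily_archive(hour, minute, every_hours):
    """Next 'every-day every N' archive strictly after hour:minute.
    Returns (day_offset, 'HHMM'); day_offset 1 means tomorrow's 0000."""
    _check(every_hours, DAILY_EVERY_HOURS, "every-day every")
    now_minutes = hour * 60 + minute
    for h in range(0, 24, every_hours):
        if h * 60 > now_minutes:
            return 0, f"{h:02d}00"
    return 1, "0000"   # wrapped past the last mark of the day


def next_hourly_archive(hour, minute, every_minutes):
    """Next 'every-hour every M' archive strictly after hour:minute."""
    _check(every_minutes, HOURLY_EVERY_MINUTES, "every-hour every")
    for m in range(0, 60, every_minutes):
        if m > minute:
            return 0, f"{hour:02d}{m:02d}"
    # next mark is the top of the following hour (possibly tomorrow)
    return (1, "0000") if hour == 23 else (0, f"{hour + 1:02d}00")
```

A value such as 5 for every-day every, or 7 for every-hour every, raises ValueError just as the CLI rejects it.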
Related Commands
clear transaction-log
show transaction-logging
show statistics transaction-logs
transaction-log force
To view a specified number of lines of the end of a log file or to view the end of the file continuously as new lines are added to the file, use the type-tail command in EXEC mode.
type-tail filename {1-65535 | follow}
Syntax Description
filename Specifies the file to be examined.
1-65535 Specifies the number of lines (from 1 to 65535) at the end of the file to be displayed.
follow Displays the end of the file continuously as new lines are added to the file.
Defaults
10 lines shown
Command Modes
EXEC
Usage Guidelines
This command allows you to monitor a log file by letting you view the end of the file. You can specify the number of lines at the end of the file that you want to view, or you can follow the last line of the file as it continues to log new information. To stop the last line from continuously scrolling as with the follow command, use the key sequence Ctrl-C.
Examples
This example shows the list of log files in the /local1 directory:
stream-ce# ls /local1
core_dir
errloglive
errorlog
logs
lost+found
medialogs
service_logs
syslog.txt
This example displays the last ten lines of the syslog.txt file. In this example, the number of lines to display is not specified; however, ten lines is the default.
stream-ce# type-tail /local1/syslog.txt
Oct 8 21:49:15 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with
return 0, ready = 0
Oct 8 21:49:15 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with
return 0, ready = 0
Oct 8 21:49:15 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:17 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with
return 0, ready = 0
Oct 8 21:49:17 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with
return 0, ready = 0
Oct 8 21:49:17 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:19 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with
return 0, ready = 0
Oct 8 21:49:19 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with
return 0, ready = 0
Oct 8 21:49:19 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:21 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with
return 0, ready = 0
This example displays the last 20 lines of the syslog.txt file:
stream-ce# type-tail /local1/syslog.txt 20
Oct 8 21:49:11 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with
return 0, ready = 0
Oct 8 21:49:11 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:13 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with
return 0, ready = 0
Oct 8 21:49:13 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with
return 0, ready = 0
Oct 8 21:49:13 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:15 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with
return 0, ready = 0
Oct 8 21:49:15 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with
return 0, ready = 0
Oct 8 21:49:15 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:17 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with
return 0, ready = 0
Oct 8 21:49:17 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with
return 0, ready = 0
Oct 8 21:49:17 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:19 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with
return 0, ready = 0
Oct 8 21:49:19 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with
return 0, ready = 0
Oct 8 21:49:19 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:21 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with
return 0, ready = 0
Oct 8 21:49:21 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with
return 0, ready = 0
Oct 8 21:49:21 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:23 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with
return 0, ready = 0
Oct 8 21:49:23 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with
return 0, ready = 0
Oct 8 21:49:23 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
This example follows the file as it grows:
stream-ce# type-tail /local1/syslog.txt ?
<1-65535> The numbers of lines from end
follow Follow the file as it grows
<cr>
stream-ce# type-tail /local1/syslog.txt follow
Oct 8 21:49:39 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:41 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with
return 0, ready = 0
Oct 8 21:49:41 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with
return 0, ready = 0
Oct 8 21:49:41 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:43 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with
return 0, ready = 0
Oct 8 21:49:43 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with
return 0, ready = 0
Oct 8 21:49:43 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:45 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with
return 0, ready = 0
Oct 8 21:49:45 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with
return 0, ready = 0
Oct 8 21:49:45 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:47 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with
return 0, ready = 0
Oct 8 21:49:47 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with
return 0, ready = 0
Oct 8 21:49:47 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
Oct 8 21:49:49 stream-ce syslog:(26830)TRCE:input_serv.c:83-> select_with
return 0, ready = 0
Oct 8 21:49:49 stream-ce syslog:(26832)TRCE:al_master.c:246-> select_with
return 0, ready = 0
Oct 8 21:49:49 stream-ce syslog:(26832)TRCE:in_mms.c:1747-> tv = NULL
To configure URL filtering, use the url-filter command in global configuration mode. Use the no form of this command to disable selected options.
url-filter bad-sites-deny file_name
url-filter custom-message {dir_name | enable}
url-filter enable {bad-list | good-list | websense}
url-filter good-sites-allow file_name
url-filter websense allowmode enable
url-filter websense server name [port port_num] [timeout seconds]
Syntax Description
bad-sites-deny Specifies sites to which access should be denied.
file_name Name of the file that contains the list of sites to which you want to deny access.
custom-message Specifies the directory that contains the block.html file. (The block.html file contains the message users see when they try to access a site that is denied.)
dir_name Name of the directory that contains the block.html file.
enable Enables the URL filter feature.
bad-list Enables the bad-sites list to act as the URL filter.
good-list Enables the good-sites list to act as the URL filter.
websense Enables a Websense server to act as the URL filter.
good-sites-allow Allows access only to sites on the good sites list.
file_name Name of the file that contains your good sites list.
websense Configures Websense parameters.
allowmode Allows access to a site if the Websense server does not respond.
enable Enables allow mode.
server Specifies the Websense server.
name Host name or IP address of the Websense server.
port (Optional) Establishes the Websense server's port number.
port_num (Optional) Port on which to send the Websense requests (1-65535). The default is 15868.
timeout (Optional) Configures the maximum time to wait for a response from the Websense server.
seconds (Optional) Timeout value in seconds (0-4294967295). The default is 20 seconds.
Defaults
port port_num: 15868
timeout seconds: 20
Command Modes
Global configuration
Usage Guidelines
The URL filtering feature allows the Content Engine to control client access to websites in any of the following ways:
Only one form of URL filtering can be active at a time.
The URL filtering feature existed in Cache software 2.x releases. The URL filtering feature in ACNS 4.0 software differs from the URL filtering feature in other releases as follows: there is now an enable command option for the good-list and bad-list options; the URL list filenames and the customized blocking message directory name are now specified in the command-line interface (CLI); you can now use the url-filter local-list-reload command to dynamically refresh a local URL list; and bad-sites-block has been renamed bad-sites-deny.
You can configure the Content Engine to deny client requests for URLs that are listed in a badurl.lst file, or configure it to fulfill only requests for URLs in a goodurl.lst file.
To deny requests for specific URLs, do the following:
Step 1 Create a plain text file named badurl.lst. In this file, enter the URLs that you want to block. The list of URLs in the badurl.lst file must be written in the form www.domain.com and delimited with carriage returns.
Step 2 Copy the badurl.lst file to the /local1 sysfs directory of the Content Engine.
Note We recommend creating a separate directory under local1 to hold the bad and good lists. For example, /local1/filtered_urls.
Step 3 Use the url-filter bad-sites-deny command to point to the bad URL list.
Console(config)# url-filter bad-sites-deny local/local1/badurl.lst
Step 4 Use the url-filter enable bad-list command to actively deny the URLs.
Console(config)# url-filter enable bad-list
To permit specific URLs to the exclusion of all other URLs, do the following:
Step 1 Create a plain text file named goodurl.lst.
In this file, enter the URLs that you want to exclusively allow. The list of URLs in the goodurl.lst file must be written in the form www.domain.com and delimited with carriage returns.
Step 2 Copy the goodurl.lst file to the /local1 sysfs directory of the Content Engine.
Note We recommend creating a separate directory under local1 to hold the bad and good lists. For example, /local1/filtered_urls.
Step 3 Use the url-filter good-sites-allow command to point to the goodurl.lst file.
Console(config)# url-filter good-sites-allow local/local1/goodurl.lst
Step 4 Use the url-filter enable good-list command to actively permit only the good URLs.
Console(config)# url-filter enable good-list
Note When you update the badurl.lst or goodurl.lst file, use the url-filter local-list-reload EXEC command to recopy the URL list file to the Content Engine.
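Both procedures above depend on the list file being in the documented form (one host per line, www.domain.com, carriage-return delimited) and on only one of bad-list or good-list being active. The Python below is an added example, not Cisco code: it loads a list in that format, flags entries that are not bare host names (a malformed entry silently filters nothing), and evaluates a request under either mode. The sample lists are constructed, and exact host matching is an assumption; the page does not describe how the Content Engine matches list entries beyond that form.

```python
from urllib.parse import urlsplit

# Constructed sample list files in the documented format: one host per
# line in the form www.domain.com, carriage-return delimited.
BADURL_LST = "www.example.org\r\nwww.example.net\r\n\r\n"
GOODURL_LST = "www.example.com\r\nwww.cisco.com\r\n"


def load_url_list(text):
    """Parse a badurl.lst / goodurl.lst body into a set of host names.
    Blank lines are skipped; hosts are lowercased (host names are
    case-insensitive)."""
    hosts = set()
    for line in text.splitlines():      # accepts \r\n and \n
        host = line.strip().lower()
        if host:
            hosts.add(host)
    return hosts


def malformed_entries(text):
    """Entries that are not a bare host name (scheme, path or spaces).
    Such a line never matches a request host, so it filters nothing."""
    return [e for e in (l.strip() for l in text.splitlines())
            if e and ("://" in e or "/" in e or " " in e)]


def request_host(url):
    """Host part of a client request URL, lowercased, without the port."""
    return (urlsplit(url).hostname or "").lower()


def filter_decision(url, mode, bad_hosts=(), good_hosts=()):
    """Return 'allow' or 'deny' for a request.
    mode mirrors `url-filter enable {bad-list | good-list}`; only one
    list is active at a time. Exact host match is an assumption here."""
    host = request_host(url)
    if mode is None:                    # url-filter not enabled
        return "allow"
    if mode == "bad-list":
        return "deny" if host in bad_hosts else "allow"
    if mode == "good-list":
        return "allow" if host in good_hosts else "deny"
    raise ValueError(f"unknown url-filter mode: {mode!r}")
```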
Use the no form of the command to disable blocking or Websense permission requests (for example, no url-filter bad-sites-deny).
The Content Engine with ACNS 4.0 software can be configured to return a customized blocking message to the client. The custom message must be an administrator-created HTML page named block.html. Make sure to copy all embedded graphics associated with the custom message HTML page to the same directory that contains the block.html file. To enable the customized blocking message, use the url-filter custom-message command and specify the directory name.
To disable the custom message, use the no url-filter custom-message command.
The url-filter custom-message command can be enabled and disabled without affecting the good-list and bad-list configuration.
Note Do not use local1 or local2 as directories. Create a separate directory under local1 or local2 for holding the custom message file.
In the block.html file, objects (such as .gif, .jpeg, and so on) must be referenced with the string /content/engine/blocking/url, as shown in the example below.
The following is an example of a block.html file:
<TITLE>Cisco Content Engine example customized message for url-filtering</TITLE>
<p>
<H1>
<CENTER><B><I><BLINK>
<FONT COLOR="#800000">P</FONT>
<FONT COLOR="#FF00FF">R</FONT>
<FONT COLOR="#00FFFF">A</FONT>
<FONT COLOR="#FFFF00">D</FONT>
<FONT COLOR="#800000">E</FONT>
<FONT COLOR="#FF00FF">E</FONT>
<FONT COLOR="#00FFFF">P</FONT>
<FONT COLOR="#FF8040">'</FONT>
<FONT COLOR="#FFFF00">S</FONT>
</BLINK>
<FONT COLOR ="#0080FF">Blocked Page</FONT>
</I></B></CENTER>
</H1>
<p>
<p>
<IMG src="/content/engine/blocking/url/my.gif">
<p>
This page is blocked by the Content Engine.
<p>
To disable the custom-message option without disabling URL filtering, enter the URL filtering command without the custom-message option (for example, url-filter good-sites-allow).
The Content Engine can use a Websense Enterprise server as a filtering engine and enforce the filtering policy configured on the Websense server. Refer to the Websense documentation for further information on Websense filtering policies.
To enable Websense URL filtering on the Content Engine, specify the Websense server IP address or host name. The timeout option sets the maximum amount of time that the Content Engine will wait for a Websense response. The timeout default is 20 seconds. The port option specifies the port number on which the server will intercept requests from the Content Engine (the default port is 15868). Use the no url-filter websense server command to disable Websense URL filtering.
The url-filter websense allowmode enable command permits the Content Engine to fulfill the client request after a Websense server timeout.
The Websense server returns its own blocking message.
To use Websense URL filtering with a cluster of Content Engines, make sure to configure the url-filter websense server command on each Content Engine in the cluster to ensure that all traffic is filtered.
Examples
To block listed URLs, enter:
Console(config)# url-filter bad-sites-deny badurl.lst
To disable URL blocking, use the no form of this command:
Console(config)# no url-filter bad-sites-deny
Console(config)# no url-filter good-sites-allow
To enable a custom message, first specify the directory in which the block.html file is located and then enter the enable command:
Console(config)# url-filter custom-message /local1/url_dir
Console(config)# url-filter custom-message enable
To configure a Content Engine to use Websense URL filtering with a 4-second timeout, enter:
Console(config)# url-filter websense server 172.16.11.22 timeout 4
Related Commands
url-filter local-list-reload
clear url-filter
show url-filter
show url-filter statistics websense
no url-filter
To reload new good sites or bad sites lists when the url-filter feature is enabled, use the url-filter local-list-reload command in EXEC mode.
url-filter local-list-reload
Syntax Description
local-list-reload Reloads the lists of bad and good URLs when the url-filter global configuration command is enabled.
Defaults
No default behavior or values
Command Modes
EXEC
Usage Guidelines
Use the url-filter local-list-reload command to update to the latest good sites or bad sites lists that you created or edited for the url-filter feature.
Examples
Console# url-filter local-list-reload
Related Commands
url-filter
Posted: Thu Nov 14 13:47:21 PST 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.